Move out host connectivity information, move out service metric tracking preset, implement a Tinc VPN
parent
8b857f8f1e
commit
6776baa4da
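--- /dev/null
+++ b/<path-not-shown-1>
@@ -0,0 +1,18 @@
+{
+/* FIXME: Should NixOps not expose public IPs automatically through /etc/hosts? Why doesn't it? */
+workbot = {
+ipv4 = "148.251.195.23";
+internalIpv4 = "10.217.0.1";
+tincPublicKey = "OgsmaoK4WX0IYsH4QRnsYmX1ux0r9/UE7YrzOu2zW7K";
+};
+osmium = {
+ipv4 = "80.255.0.137";
+internalIpv4 = "10.217.0.2";
+tincPublicKey = "6BxBIezR4htBFRqX8h5cG7ffbKrnoTeC2lIrFCiaxhF";
+};
+nijaxor = {
+ipv4 = "64.187.233.73";
+internalIpv4 = "10.217.0.3";
+tincPublicKey = "jjhllUg3HeLpcU+XiWT5+FEl/moAZlUO7ll7J8n+5pG";
+};
+}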
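Review bot: The three fields are undocumented, and two of them carry constraints enforced only by the tinc module in this same commit: `internalIpv4` must fall inside the /24 that module assigns to the `tinc.cryto` interface, and `tincPublicKey` is consumed verbatim as the host's `Ed25519PublicKey`. A short header comment stating that would stop the next host entry from drifting out of the overlay range; e.g. `/* ipv4: public address peers dial; internalIpv4: this node's address on the tinc overlay (must be in the /24 configured in the tinc module); tincPublicKey: the node's tinc Ed25519 public key */`. Only public material is in this file, which is what one wants here; the private key paths live elsewhere.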
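--- /dev/null
+++ b/<path-not-shown-2>
@@ -0,0 +1,23 @@
+{
+systemd.extraConfig = ''
+DefaultCPUAccounting=yes
+DefaultIOAccounting=yes
+DefaultIPAccounting=yes
+DefaultBlockIOAccounting=yes
+DefaultMemoryAccounting=yes
+DefaultTasksAccounting=yes
+'';
+
+services.cadvisor = {
+enable = true;
+port = 9333;
+listenAddress = "0.0.0.0";
+storageDriver = "stdout";
+};
+
+virtualisation.docker.enable = false;
+
+networking.firewall.allowedTCPPorts = [
+9333
+];
+}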
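Review bot: cAdvisor is bound to `0.0.0.0` and port 9333 is opened in the global firewall, so on hosts that have a public IPv4 (all three in this commit's host data) the unauthenticated metrics endpoint, with per-service CPU/memory/IO detail, is reachable from the internet rather than only from the peers that scrape it. Since the same commit puts every node on the `tinc.cryto` overlay, the opening can be limited to that interface with `networking.firewall.interfaces."tinc.cryto".allowedTCPPorts = [ 9333 ];` in place of the global `allowedTCPPorts`; `listenAddress` can stay `0.0.0.0` because this preset does not know the node's overlay address. If the scraper is expected to reach cAdvisor over the public address instead, a comment saying so and naming the intended source would make the exposure deliberate rather than accidental.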
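--- /dev/null
+++ b/<path-not-shown-3>
@@ -0,0 +1,46 @@
+networkConfiguration:
+let
+/* NOTE: We cannot just use simple string interpolation, because tinc's configuration format is not indentation-tolerant. Therefore, we do some programmatic concatenation magic to ensure that everything is indentation-free, without turning this file into a mess of wrong indentation. */
+generateConfiguration = options:
+let
+keys = builtins.attrNames options;
+toPairs = map (key: {key = key; value = options.${key};});
+createConfigEntries = map (item: "${item.key} = ${item.value}");
+in
+builtins.concatStringsSep "\n" (createConfigEntries (toPairs keys));
+mapAttrsetValues = mapper: attrset: builtins.listToAttrs (map (item: {
+name = item;
+value = mapper item attrset.${item};
+}) (builtins.attrNames attrset));
+in
+nodeName:
+{
+services.tinc.networks = {
+cryto = {
+debugLevel = networkConfiguration.debugLevel;
+ed25519PrivateKeyFile = networkConfiguration.nodes.${nodeName}.tincPrivateKeyFile;
+extraConfig = generateConfiguration {
+AutoConnect = "yes";
+PingInterval = toString networkConfiguration.pingInterval;
+};
+hosts = mapAttrsetValues (node: nodeConfiguration: generateConfiguration {
+Address = nodeConfiguration.ipv4;
+Subnet = "${nodeConfiguration.internalIpv4}/32";
+Ed25519PublicKey = nodeConfiguration.tincPublicKey;
+}) networkConfiguration.nodes;
+};
+};
+
+networking.interfaces."tinc.cryto".ipv4.addresses = [{
+address = networkConfiguration.nodes.${nodeName}.internalIpv4;
+prefixLength = 24;
+}];
+
+networking.firewall.allowedTCPPorts = [
+655
+];
+
+networking.firewall.allowedUDPPorts = [
+655
+];
+}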
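Review bot: `mapAttrsetValues` re-implements `builtins.mapAttrs`, which already takes `(name: value: …)` and an attrset and returns an attrset with the same names; the `hosts` line can read `hosts = builtins.mapAttrs (node: nodeConfiguration: generateConfiguration {` and the helper can be dropped. `generateConfiguration` can likewise shrink to `builtins.concatStringsSep "\n" (builtins.attrValues (builtins.mapAttrs (key: value: "${key} = ${value}") options))`, which keeps the indentation-free output the NOTE explains and still requires every value to be a string, so the `toString` on `PingInterval` stays. The `prefixLength = 24` on the interface and the `/32` host routes in `Subnet` are a matching pair only as long as every `internalIpv4` in the node data lies in one /24; a comment next to `prefixLength` naming that assumption would help whoever adds the fourth node.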
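--- /dev/null
+++ b/<path-not-shown-4>
@@ -0,0 +1,29 @@
+let
+hosts = (import ./hosts.nix);
+secrets = (import ../secrets.nix);
+generateTincConfiguration = (import ./tinc);
+in
+generateTincConfiguration {
+debugLevel = 3;
+pingInterval = 10;
+nodes = {
+workbot = {
+ipv4 = hosts.workbot.ipv4;
+internalIpv4 = hosts.workbot.internalIpv4;
+tincPublicKey = hosts.workbot.tincPublicKey;
+tincPrivateKeyFile = secrets.workbot.tincPrivateKeyFile;
+};
+osmium = {
+ipv4 = hosts.osmium.ipv4;
+internalIpv4 = hosts.osmium.internalIpv4;
+tincPublicKey = hosts.osmium.tincPublicKey;
+tincPrivateKeyFile = secrets.osmium.tincPrivateKeyFile;
+};
+nijaxor = {
+ipv4 = hosts.nijaxor.ipv4;
+internalIpv4 = hosts.nijaxor.internalIpv4;
+tincPublicKey = hosts.nijaxor.tincPublicKey;
+tincPrivateKeyFile = secrets.nijaxor.tincPrivateKeyFile;
+};
+};
+}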
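Review bot: The `tincPrivateKeyFile` values are handed straight to `ed25519PrivateKeyFile` in the tinc module, and `../secrets.nix` is not in this commit, so it is worth pinning down what type it returns: if those are Nix path literals rather than plain strings, string interpolation of the option copies each node's private key into the world-readable Nix store, whereas an absolute path given as a string is only referenced at runtime. A comment above `secrets = …` stating that the values must be strings pointing at files deployed outside the store would document the expectation. Separately, the three `nodes` entries repeat the host fields by hand, so adding a host means editing both files in lockstep; if every entry of `hosts.nix` is meant to be a tinc node, `nodes = builtins.mapAttrs (name: host: host // { tincPrivateKeyFile = secrets.${name}.tincPrivateKeyFile; }) hosts;` derives the same set from the data.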