From 6776baa4daf501e51f232f4a850fb5d55c9917eb Mon Sep 17 00:00:00 2001
From: Sven Slootweg
Date: Wed, 20 Jun 2018 23:52:30 +0200
Subject: [PATCH] Move out host connectivity information, move out service metric tracking preset, implement a Tinc VPN
---
 lib/hosts.nix | 18 +++++++++
 lib/{ => presets}/low-ram-nix.nix | 0
 lib/presets/track-service-metrics.nix | 23 +++++++++++
 lib/tinc/default.nix | 46 ++++++++++++++++++++++
 lib/vpn.nix | 29 ++++++++++++++
 networks/default.nix | 55 +++++++++------------------
 systems/nijaxor.nix | 7 +++-
 systems/osmium_.nix | 3 +-
 systems/workbot.nix | 7 +++-
 9 files changed, 148 insertions(+), 40 deletions(-)
 create mode 100644 lib/hosts.nix
 rename lib/{ => presets}/low-ram-nix.nix (100%)
 create mode 100644 lib/presets/track-service-metrics.nix
 create mode 100644 lib/tinc/default.nix
 create mode 100644 lib/vpn.nix
diff --git a/lib/hosts.nix b/lib/hosts.nix
new file mode 100644
index 0000000..0f3a64c
--- /dev/null
+++ b/lib/hosts.nix
@@ -0,0 +1,18 @@
+{
+ /* FIXME: Should NixOps not expose public IPs automatically through /etc/hosts? Why doesn't it? */
+ workbot = {
+ ipv4 = "148.251.195.23";
+ internalIpv4 = "10.217.0.1";
+ tincPublicKey = "OgsmaoK4WX0IYsH4QRnsYmX1ux0r9/UE7YrzOu2zW7K";
+ };
+ osmium = {
+ ipv4 = "80.255.0.137";
+ internalIpv4 = "10.217.0.2";
+ tincPublicKey = "6BxBIezR4htBFRqX8h5cG7ffbKrnoTeC2lIrFCiaxhF";
+ };
+ nijaxor = {
+ ipv4 = "64.187.233.73";
+ internalIpv4 = "10.217.0.3";
+ tincPublicKey = "jjhllUg3HeLpcU+XiWT5+FEl/moAZlUO7ll7J8n+5pG";
+ };
+}
diff --git a/lib/low-ram-nix.nix b/lib/presets/low-ram-nix.nix
similarity index 100%
rename from lib/low-ram-nix.nix
rename to lib/presets/low-ram-nix.nix
diff --git a/lib/presets/track-service-metrics.nix b/lib/presets/track-service-metrics.nix
new file mode 100644
index 0000000..5cc8ed9
--- /dev/null
+++ b/lib/presets/track-service-metrics.nix
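Review bot: The only documentation in the new hosts.nix is the FIXME, so nothing states what the three fields mean or how they are consumed; elsewhere in this commit `ipv4` becomes the NixOps `deployment.targetHost` and a Prometheus scrape address, `internalIpv4` is assigned on the `tinc.cryto` interface with a /24 prefix, and `tincPublicKey` becomes the node's `Ed25519PublicKey` in its tinc host file. A header comment such as `/* Per-node addressing. ipv4: public address (deploy and scrape target). internalIpv4: address on the tinc VPN, 10.217.0.0/24. tincPublicKey: the node's tinc Ed25519 host key; the matching private key comes from secrets.nix. */` would make that explicit. Since every system imports this file and it ends up in the store, it should stay limited to public material, as it is now.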
@@ -0,0 +1,23 @@
+{
+ systemd.extraConfig = ''
+ DefaultCPUAccounting=yes
+ DefaultIOAccounting=yes
+ DefaultIPAccounting=yes
+ DefaultBlockIOAccounting=yes
+ DefaultMemoryAccounting=yes
+ DefaultTasksAccounting=yes
+ '';
+
+ services.cadvisor = {
+ enable = true;
+ port = 9333;
+ listenAddress = "0.0.0.0";
+ storageDriver = "stdout";
+ };
+
+ virtualisation.docker.enable = false;
+
+ networking.firewall.allowedTCPPorts = [
+ 9333
+ ];
+}
diff --git a/lib/tinc/default.nix b/lib/tinc/default.nix
new file mode 100644
index 0000000..00ef8c4
--- /dev/null
+++ b/lib/tinc/default.nix
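Review bot: `listenAddress = "0.0.0.0"` together with `allowedTCPPorts = [ 9333 ]` leaves the cAdvisor endpoint, which has no authentication of its own, reachable from any address on every host that imports this preset; the commit moves this block verbatim out of networks/default.nix, so the exposure predates it, but the VPN introduced in the same commit gives a way to close it. Once the Prometheus targets in networks/default.nix (the hunks at -142 and -157) point at the `internalIpv4` addresses, the scrape traffic can stay on `tinc.cryto` and the 9333 rule can be scoped to that interface, e.g. `networking.firewall.interfaces."tinc.cryto".allowedTCPPorts = [ 9333 ];` if the deployed NixOS release supports per-interface rules, or `listenAddress` can be bound to the node's internal address. Until then, a comment on the firewall line recording that the metrics port is deliberately open to the internet would at least make the decision visible.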
@@ -0,0 +1,46 @@
+networkConfiguration:
+ let
+ /* NOTE: We cannot just use simple string interpolation, because tinc's configuration format is not indentation-tolerant. Therefore, we do some programmatic concatenation magic to ensure that everything is indentation-free, without turning this file into a mess of wrong indentation. */
+ generateConfiguration = options:
+ let
+ keys = builtins.attrNames options;
+ toPairs = map (key: {key = key; value = options.${key};});
+ createConfigEntries = map (item: "${item.key} = ${item.value}");
+ in
+ builtins.concatStringsSep "\n" (createConfigEntries (toPairs keys));
+ mapAttrsetValues = mapper: attrset: builtins.listToAttrs (map (item: {
+ name = item;
+ value = mapper item attrset.${item};
+ }) (builtins.attrNames attrset));
+ in
+ nodeName:
+ {
+ services.tinc.networks = {
+ cryto = {
+ debugLevel = networkConfiguration.debugLevel;
+ ed25519PrivateKeyFile = networkConfiguration.nodes.${nodeName}.tincPrivateKeyFile;
+ extraConfig = generateConfiguration {
+ AutoConnect = "yes";
+ PingInterval = toString networkConfiguration.pingInterval;
+ };
+ hosts = mapAttrsetValues (node: nodeConfiguration: generateConfiguration {
+ Address = nodeConfiguration.ipv4;
+ Subnet = "${nodeConfiguration.internalIpv4}/32";
+ Ed25519PublicKey = nodeConfiguration.tincPublicKey;
+ }) networkConfiguration.nodes;
+ };
+ };
+
+ networking.interfaces."tinc.cryto".ipv4.addresses = [{
+ address = networkConfiguration.nodes.${nodeName}.internalIpv4;
+ prefixLength = 24;
+ }];
+
+ networking.firewall.allowedTCPPorts = [
+ 655
+ ];
+
+ networking.firewall.allowedUDPPorts = [
+ 655
+ ];
+ }
diff --git a/lib/vpn.nix b/lib/vpn.nix
new file mode 100644
index 0000000..c2cf8ae
--- /dev/null
+++ b/lib/vpn.nix
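Review bot: The generated host files pin each node to a single `Subnet` of `internalIpv4/32`, but without `StrictSubnets` tinc also honours subnet announcements that are not in the local host files, so a compromised or misconfigured peer could claim another node's internal address; adding `StrictSubnets = "yes";` to the `extraConfig` attribute set next to `AutoConnect` makes the listed subnets authoritative. Opening 655/tcp and 655/udp to all addresses is what lets peers reach each other over their public `ipv4`, so that part looks intended. As a style point, `mapAttrsetValues` reimplements `builtins.mapAttrs` (or nixpkgs `lib.mapAttrs`), and `generateConfiguration` could likewise be written as `builtins.concatStringsSep "\n" (lib.mapAttrsToList (k: v: "${k} = ${v}") options)` if a `lib` argument is threaded into this function; neither is a defect.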
@@ -0,0 +1,29 @@
+let
+ hosts = (import ./hosts.nix);
+ secrets = (import ../secrets.nix);
+ generateTincConfiguration = (import ./tinc);
+in
+ generateTincConfiguration {
+ debugLevel = 3;
+ pingInterval = 10;
+ nodes = {
+ workbot = {
+ ipv4 = hosts.workbot.ipv4;
+ internalIpv4 = hosts.workbot.internalIpv4;
+ tincPublicKey = hosts.workbot.tincPublicKey;
+ tincPrivateKeyFile = secrets.workbot.tincPrivateKeyFile;
+ };
+ osmium = {
+ ipv4 = hosts.osmium.ipv4;
+ internalIpv4 = hosts.osmium.internalIpv4;
+ tincPublicKey = hosts.osmium.tincPublicKey;
+ tincPrivateKeyFile = secrets.osmium.tincPrivateKeyFile;
+ };
+ nijaxor = {
+ ipv4 = hosts.nijaxor.ipv4;
+ internalIpv4 = hosts.nijaxor.internalIpv4;
+ tincPublicKey = hosts.nijaxor.tincPublicKey;
+ tincPrivateKeyFile = secrets.nijaxor.tincPrivateKeyFile;
+ };
+ };
+ }
diff --git a/networks/default.nix b/networks/default.nix
index 672b5a4..1272667 100644
--- a/networks/default.nix
+++ b/networks/default.nix
@@ -1,36 +1,15 @@
 let
 secrets = import ../secrets.nix;
-
- trackServiceMetrics = {
- systemd.extraConfig = ''
- DefaultCPUAccounting=yes
- DefaultIOAccounting=yes
- DefaultIPAccounting=yes
- DefaultBlockIOAccounting=yes
- DefaultMemoryAccounting=yes
- DefaultTasksAccounting=yes
- '';
-
- services.cadvisor = {
- enable = true;
- port = 9333;
- listenAddress = "0.0.0.0";
- storageDriver = "stdout";
- };
-
- virtualisation.docker.enable = false;
-
- networking.firewall.allowedTCPPorts = [
- 9333
- ];
- };
+ hosts = import ../lib/hosts.nix;
+ vpnConfiguration = import ../lib/vpn.nix;
 in {
 network.description = "Cryto";
 workbot = {config, lib, pkgs, ...}@args: {
 imports = [
- trackServiceMetrics
+ (import ../lib/presets/track-service-metrics.nix)
+ (vpnConfiguration "workbot")
 ];
 config = {
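Review bot: `tincPrivateKeyFile` is handed straight to `ed25519PrivateKeyFile` in lib/tinc/default.nix and nothing here constrains what secrets.nix supplies; if that value is a Nix path literal rather than a string, the tinc module's use of it in a script will, as far as I can tell, copy the private key into the world-readable Nix store. A comment at the `secrets` binding, e.g. `# tincPrivateKeyFile must be a string path to a key deployed outside the store, never a path literal`, records the requirement, and an `assert builtins.isString secrets.workbot.tincPrivateKeyFile;` style check (one per node) would enforce it at evaluation time. The three per-node blocks only copy the matching `hosts` entry and attach the key, so `nodes = builtins.mapAttrs (name: host: host // { tincPrivateKeyFile = secrets.${name}.tincPrivateKeyFile; }) hosts;` expresses the same thing without the repetition; that is a style point, and it assumes `builtins.mapAttrs` is available on the Nix version in use.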
@@ -142,14 +121,14 @@ in {
 static_configs = [{
 targets = [
 "localhost:9100"
- "80.255.0.137:9100"
- "64.187.233.73:9100"
+ "${hosts.osmium.ipv4}:9100"
+ "${hosts.nijaxor.ipv4}:9100"
 ];
 }];
 relabel_configs = [
 (nameInstance "localhost:9100" "workbot")
- (nameInstance "80.255.0.137:9100" "osmium")
- (nameInstance "64.187.233.73:9100" "nijaxor")
+ (nameInstance "${hosts.osmium.ipv4}:9100" "osmium")
+ (nameInstance "${hosts.nijaxor.ipv4}:9100" "nijaxor")
 ];
 } {
 job_name = "systemd";
@@ -157,14 +136,14 @@ in {
 static_configs = [{
 targets = [
 "localhost:9333"
- "80.255.0.137:9333"
- "64.187.233.73:9333"
+ "${hosts.osmium.ipv4}:9333"
+ "${hosts.nijaxor.ipv4}:9333"
 ];
 }];
 relabel_configs = [
 (nameInstance "localhost:9333" "workbot")
- (nameInstance "80.255.0.137:9333" "osmium")
- (nameInstance "64.187.233.73:9333" "nijaxor")
+ (nameInstance "${hosts.osmium.ipv4}:9333" "osmium")
+ (nameInstance "${hosts.nijaxor.ipv4}:9333" "nijaxor")
 ];
 }
 ];
@@ -204,8 +183,9 @@ in {
 rev = "d7a09deda0916fa99920156e928d281a5bd3d97a";
 sha256 = "08xjcwmbzdmkzbz1al3vkryiix1y2zqc8yv4lsrw21dz0c5zl726";
 })
- trackServiceMetrics
- (import ../lib/low-ram-nix.nix)
+ (import ../lib/presets/track-service-metrics.nix)
+ (import ../lib/presets/low-ram-nix.nix)
+ (vpnConfiguration "osmium")
 ];
 config = {
@@ -266,8 +246,9 @@ in {
 nijaxor = { config, lib, pkgs, ... }@args: {
 imports = [
- (import ../lib/low-ram-nix.nix)
- trackServiceMetrics
+ (import ../lib/presets/low-ram-nix.nix)
+ (import ../lib/presets/track-service-metrics.nix)
+ (vpnConfiguration "nijaxor")
 ];
 config = {
diff --git a/systems/nijaxor.nix b/systems/nijaxor.nix
index ceadb56..f198420 100644
--- a/systems/nijaxor.nix
+++ b/systems/nijaxor.nix
@@ -1,4 +1,5 @@
 let
+ hosts = (import ../lib/hosts.nix);
 removeNewlines = (import ../lib/util/remove-newlines.nix);
 presetRootSsh = (import ../lib/presets/root-ssh.nix);
 in {
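Review bot: Both scrape jobs (the hunks at -142 and -157) still enumerate the remote nodes by hand twice, once in `targets` and once in `relabel_configs`, so adding a node to hosts.nix means editing four places here and a missed edit leaves a node unscraped or mislabelled; with `hosts` now in scope the lists can be derived, e.g. `targets = [ "localhost:9100" ] ++ map (h: "${h.ipv4}:9100") (builtins.attrValues (removeAttrs hosts [ "workbot" ]));`, with the `nameInstance` entries built the same way from `builtins.attrNames`. The `localhost` entries apparently stand for workbot because this scrape configuration lives in workbot's config; a comment saying so would help. The enclosing Prometheus scrape configuration list starts and ends outside these hunks.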
@@ -7,7 +8,7 @@ in {
 presetQemuGuest = (import ../lib/presets/qemu-guest.nix);
 in {
- deployment.targetHost = "64.187.233.73";
+ deployment.targetHost = hosts.nijaxor.ipv4;
 /* Begin hardware configuration section */
 boot.kernelModules = [ ];
@@ -23,6 +24,10 @@ in {
 };
 };
+ networking = {
+ hostName = "nijaxor";
+ };
+
 /* networking = {
 hostName = "osmium";
 defaultGateway6 = "2a01:4a0:4a::1";
diff --git a/systems/osmium_.nix b/systems/osmium_.nix
index a5f4075..469582c 100644
--- a/systems/osmium_.nix
+++ b/systems/osmium_.nix
@@ -1,4 +1,5 @@
 let
+ hosts = (import ../lib/hosts.nix);
 removeNewlines = (import ../lib/util/remove-newlines.nix);
 presetRootSsh = (import ../lib/presets/root-ssh.nix);
 in {
@@ -7,7 +8,7 @@ in {
 presetQemuGuest = (import ../lib/presets/qemu-guest.nix);
 in {
- deployment.targetHost = "80.255.0.137";
+ deployment.targetHost = hosts.osmium.ipv4;
 /* Begin hardware configuration section */
 boot.kernelModules = [ ];
diff --git a/systems/workbot.nix b/systems/workbot.nix
index bc90edf..7fb8b13 100644
--- a/systems/workbot.nix
+++ b/systems/workbot.nix
@@ -1,4 +1,5 @@
 let
+ hosts = (import ../lib/hosts.nix);
 removeNewlines = (import ../lib/util/remove-newlines.nix);
 presetRootSsh = (import ../lib/presets/root-ssh.nix);
 in {
@@ -6,7 +7,7 @@ in {
 presetTools = (import ../lib/presets/tools.nix) args;
 in {
- deployment.targetHost = "148.251.195.23";
+ deployment.targetHost = hosts.workbot.ipv4;
 /* Begin hardware configuration section */
 boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sr_mod" ];
@@ -35,6 +36,10 @@ in {
 };
 };
+ networking = {
+ hostName = "workbot";
+ };
+
 system.stateVersion = "18.03";
 } // presetRootSsh // presetTools;
 }
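Review bot: In the nijaxor hunk at -23 the new `networking = { hostName = "nijaxor"; };` block is placed directly above a commented-out `/* networking = { hostName = "osmium"; ...` block that appears to have been copied from systems/osmium_.nix; with the live setting now present, that stale block reads as a conflicting second definition and should be removed or explicitly marked, e.g. `/* Leftover from osmium_.nix, kept for reference only and not applied: */` on its first line. The host name string is set independently of the hosts.nix key and of the `vpnConfiguration "nijaxor"` argument in networks/default.nix, so nothing ties the three together; a short comment such as `# keep in sync with the hosts.nix key and the vpnConfiguration argument in networks/default.nix` would at least flag the coupling. The commented-out block continues past the end of the hunk.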