Move out host connectivity information, move out service metric tracking preset, implement a Tinc VPN
parent
8b857f8f1e
commit
6776baa4da
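--- /dev/null
+++ b/UNKNOWN-PATH-1.nix
@@ -0,0 +1,18 @@
+{
+/* FIXME: Should NixOps not expose public IPs automatically through /etc/hosts? Why doesn't it? */
+workbot = {
+ipv4 = "148.251.195.23";
+internalIpv4 = "10.217.0.1";
+tincPublicKey = "OgsmaoK4WX0IYsH4QRnsYmX1ux0r9/UE7YrzOu2zW7K";
+};
+osmium = {
+ipv4 = "80.255.0.137";
+internalIpv4 = "10.217.0.2";
+tincPublicKey = "6BxBIezR4htBFRqX8h5cG7ffbKrnoTeC2lIrFCiaxhF";
+};
+nijaxor = {
+ipv4 = "64.187.233.73";
+internalIpv4 = "10.217.0.3";
+tincPublicKey = "jjhllUg3HeLpcU+XiWT5+FEl/moAZlUO7ll7J8n+5pG";
+};
+}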
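Review bot: The attrset carries no description of its three fields, and since it is only read from other files (presumably this is the `./hosts.nix` the last file imports as `hosts.workbot.ipv4` and friends) a reader has to dig through the tinc module to learn what they mean. A header comment before `workbot = {` along the lines of `# Per-host connectivity data, all public: ipv4 is the Internet-facing address tinc peers connect to, internalIpv4 the host's address on the tinc overlay, tincPublicKey its Ed25519 public key (the matching private key is referenced from secrets.nix, never stored here).` would fix that. It is also worth stating there that the overlay addresses must stay unique across the file, since each one becomes a /32 Subnet entry in every peer's host file.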
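--- /dev/null
+++ b/UNKNOWN-PATH-2.nix
@@ -0,0 +1,23 @@
+{
+systemd.extraConfig = ''
+DefaultCPUAccounting=yes
+DefaultIOAccounting=yes
+DefaultIPAccounting=yes
+DefaultBlockIOAccounting=yes
+DefaultMemoryAccounting=yes
+DefaultTasksAccounting=yes
+'';
+
+services.cadvisor = {
+enable = true;
+port = 9333;
+listenAddress = "0.0.0.0";
+storageDriver = "stdout";
+};
+
+virtualisation.docker.enable = false;
+
+networking.firewall.allowedTCPPorts = [
+9333
+];
+}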
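Review bot: `listenAddress = "0.0.0.0"` combined with the global `networking.firewall.allowedTCPPorts = [ 9333 ]` publishes the cAdvisor endpoint, which does no client authentication of its own, on every interface including the public one, so host and container metrics are readable by anyone who can reach the machine. Since this same commit gives every node a `tinc.cryto` interface, the cheap fix is to scope the rule to the overlay, `networking.firewall.interfaces."tinc.cryto".allowedTCPPorts = [ 9333 ];`, and drop the global entry; binding `listenAddress` to the node's internal address would be tighter still, but this preset does not know which node it is applied to. A one-line header comment saying what the preset enables and that port 9333 is meant to be reachable only over the VPN would make the intent explicit for whoever imports it next.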
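--- /dev/null
+++ b/UNKNOWN-PATH-3.nix
@@ -0,0 +1,46 @@
+networkConfiguration:
+let
+/* NOTE: We cannot just use simple string interpolation, because tinc's configuration format is not indentation-tolerant. Therefore, we do some programmatic concatenation magic to ensure that everything is indentation-free, without turning this file into a mess of wrong indentation. */
+generateConfiguration = options:
+let
+keys = builtins.attrNames options;
+toPairs = map (key: {key = key; value = options.${key};});
+createConfigEntries = map (item: "${item.key} = ${item.value}");
+in
+builtins.concatStringsSep "\n" (createConfigEntries (toPairs keys));
+mapAttrsetValues = mapper: attrset: builtins.listToAttrs (map (item: {
+name = item;
+value = mapper item attrset.${item};
+}) (builtins.attrNames attrset));
+in
+nodeName:
+{
+services.tinc.networks = {
+cryto = {
+debugLevel = networkConfiguration.debugLevel;
+ed25519PrivateKeyFile = networkConfiguration.nodes.${nodeName}.tincPrivateKeyFile;
+extraConfig = generateConfiguration {
+AutoConnect = "yes";
+PingInterval = toString networkConfiguration.pingInterval;
+};
+hosts = mapAttrsetValues (node: nodeConfiguration: generateConfiguration {
+Address = nodeConfiguration.ipv4;
+Subnet = "${nodeConfiguration.internalIpv4}/32";
+Ed25519PublicKey = nodeConfiguration.tincPublicKey;
+}) networkConfiguration.nodes;
+};
+};
+
+networking.interfaces."tinc.cryto".ipv4.addresses = [{
+address = networkConfiguration.nodes.${nodeName}.internalIpv4;
+prefixLength = 24;
+}];
+
+networking.firewall.allowedTCPPorts = [
+655
+];
+
+networking.firewall.allowedUDPPorts = [
+655
+];
+}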
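Review bot: `mapAttrsetValues` reimplements `builtins.mapAttrs` with the same mapper signature, so the helper can go and the `hosts` line becomes `hosts = builtins.mapAttrs (node: nodeConfiguration: generateConfiguration {`; likewise the `let` inside `generateConfiguration` collapses to `builtins.concatStringsSep "\n" (builtins.attrValues (builtins.mapAttrs (key: value: "${key} = ${value}") options))`, which keeps the indentation-free output the NOTE asks for. `generateConfiguration` interpolates every value as a string, so a caller passing an integer (as `PingInterval` would without the `toString`) fails with an opaque coercion error at evaluation time; a one-line comment on the function, `# every value must already be a string`, would save the next caller that detour. Opening 655/tcp and 655/udp on all interfaces is what the peers' public `Address` entries require, but a comment saying so next to the firewall rules would stop someone from "tightening" it later.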
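--- /dev/null
+++ b/UNKNOWN-PATH-4.nix
@@ -0,0 +1,29 @@
+let
+hosts = (import ./hosts.nix);
+secrets = (import ../secrets.nix);
+generateTincConfiguration = (import ./tinc);
+in
+generateTincConfiguration {
+debugLevel = 3;
+pingInterval = 10;
+nodes = {
+workbot = {
+ipv4 = hosts.workbot.ipv4;
+internalIpv4 = hosts.workbot.internalIpv4;
+tincPublicKey = hosts.workbot.tincPublicKey;
+tincPrivateKeyFile = secrets.workbot.tincPrivateKeyFile;
+};
+osmium = {
+ipv4 = hosts.osmium.ipv4;
+internalIpv4 = hosts.osmium.internalIpv4;
+tincPublicKey = hosts.osmium.tincPublicKey;
+tincPrivateKeyFile = secrets.osmium.tincPrivateKeyFile;
+};
+nijaxor = {
+ipv4 = hosts.nijaxor.ipv4;
+internalIpv4 = hosts.nijaxor.internalIpv4;
+tincPublicKey = hosts.nijaxor.tincPublicKey;
+tincPrivateKeyFile = secrets.nijaxor.tincPrivateKeyFile;
+};
+};
+}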
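Review bot: Each node block copies the three fields of `hosts.<name>` by hand, so a host added to hosts.nix but forgotten here silently stays out of the VPN and a typo in one of the nine copied field names only surfaces at evaluation time; `nodes = builtins.mapAttrs (name: host: host // { tincPrivateKeyFile = secrets.${name}.tincPrivateKeyFile; }) hosts;` says the same thing once and keeps the two files in step. `tincPrivateKeyFile` is handed straight to tinc's `ed25519PrivateKeyFile` in the tinc file; I cannot see `../secrets.nix`, but if it yields a Nix path literal rather than a string, the private key would be copied into the world-readable Nix store at build time, so a comment here that the value must be a string naming a file deployed outside the store (e.g. a deployment key) is worth adding. `debugLevel = 3` and `pingInterval = 10` also deserve a short comment on why those values were chosen, since nothing else in the commit explains them.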