WIP migration to 0.4

This commit is contained in:
kat witch 2021-10-21 18:41:07 +01:00
parent 24ee958950
commit 57a2373d5d
No known key found for this signature in database
GPG key ID: 1B477797DCA5EC72
11 changed files with 31 additions and 56 deletions


@ -30,7 +30,8 @@
network.yggdrasil = {
enable = true;
pubkey = "0db7838e7cbab0dc0694f09b683b3a064bf63665415f2af47d1269c2861ffc20";
pubkey = "edb7de263e6924b8c9446123979782420e5196317bffc75e9a6ca546551252da";
address = "206:d807:a98:309f:3bc0:de7a:411d:9d95";
};
services.nginx.virtualHosts =
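Review bot: The pinned `address` at L18 is left as context while the node's `pubkey` is replaced at L16–L17, and the same pattern repeats in the hunks at L24, L37, L50, L63, L105, L117 and L130. The module computes addresses from the public key (`yggdrasil -useconf -address` in the module hunk further down), and in 0.4 the key the daemon derives from is the new one, so an address that was computed from the old key will presumably no longer be the address the daemon assigns to the `yggdrasil` interface — anything keyed on it (firewall rules, peer subnet maps, DNS) would then point at the wrong node without any error. Since this commit also disables the module's `calcAddr` default (`default = "";` at L160), nothing recomputes or cross-checks the value; either recompute each `address` from the new key or re-enable the derived default and drop the hand-pinned values. Until that is done, a marker such as `# address still derived from the 0.3 key — recompute for 0.4` on each host would at least flag the stale values.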


@ -235,7 +235,8 @@
};
yggdrasil = {
enable = true;
pubkey = "a7110d0a1dc9ec963d6eb37bb6922838b8088b53932eae727a9136482ce45d47";
pubkey = "9604cc51760376fa111e931aad1a71ab91f240517a7d60932c6646104b99db47";
address = "200:d3f6:675d:13f9:120b:ddc2:d9ca:a5cb";
listen.enable = false;
listen.endpoints = [ "tcp://0.0.0.0:0" ];
};


@ -80,7 +80,8 @@
};
yggdrasil = {
enable = true;
pubkey = "9779fd6b5bdba6b9e0f53c96e141f4b11ce5ef749d1b9e77a759a3fdbd33a653";
pubkey = "f94d49458822a73d70306b249a39d4de8a292b13e12339b21010001133417be7";
address = "200:d65:6d74:efba:b185:1f9f:29b6:cb8c";
listen.enable = false;
listen.endpoints = [ "tcp://0.0.0.0:0" ];
};


@ -102,7 +102,8 @@ with lib;
};
yggdrasil = {
enable = true;
pubkey = "55e3f29c252d16e73ac849a6039824f94df1dee670c030b9e29f90584f935575";
pubkey = "0da9fce0b282c63b449a813183e8fa15d1480b344228068f2af860afafa8928d";
address = "204:4ac0:63e9:afa7:3897:6caf:d9cf:82e0";
listen.enable = true;
listen.endpoints = [ "tcp://${config.network.addresses.public.nixos.ipv4.address}:52969" "tcp://[${config.network.addresses.public.nixos.ipv6.address}]:52969" ];
};


@ -67,14 +67,15 @@
};
yggdrasil = {
enable = true;
pubkey = "3b171319fbb6be1716c99f36b83a70346ec655d99afde410a50ca61a1c278c7c";
pubkey = "2134779f3e19e7df46113a814e9a87097839b9d557ebe3856423e148abcfe582";
address = "202:f65c:4306:f30:c105:cf76:2bf5:8b2b";
listen.enable = true;
listen.endpoints = [ "tcp://${config.network.addresses.public.nixos.ipv4.address}:52969" "tcp://[${config.network.addresses.public.nixos.ipv6.address}]:52969" ];
};
firewall = {
public = {
interfaces = singleton "ens3";
tcp.ports = singleton 62969;
tcp.ports = singleton 52969;
};
private.interfaces = singleton "yggdrasil";
};
@ -83,18 +84,18 @@
# Youko WG
networking.wireguard.interfaces.wg-youko = {
ips = [
"10.42.68.1/24"
"10.42.68.1/32"
];
listenPort = 51219;
peers = [
{
allowedIPs = [
"10.42.68.1/24"
"10.42.68.0/24"
];
publicKey = "nc7mpg2tbawWR9xjFsk/loxAMtRhEZ49PCJXNYk/Qm8=";
}
];
privateKeyFile = config.secrets.files.wg-youko-privkey.file;
privateKeyFile = config.secrets.files.wg-youko-privkey.path;
};
kw.secrets.variables.wg-youko-privkey = {
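Review bot: The peer's `allowedIPs` at L93 becomes the whole `10.42.68.0/24` while the local `ips` at L86 narrows to `10.42.68.1/32`; with a single peer listed, that /24 both routes the entire subnet to youko and accepts packets from it with any source address in the subnet, including the local `.1`. If youko is one host, its own /32 is the tighter setting; if it is meant to act as the gateway for the subnet, a comment such as `# youko is the gateway for 10.42.68.0/24 — keep the /24` would stop the next reader from tightening it. The `privateKeyFile` change from `.file` to `.path` at L99 presumes the `kw.secrets` module exposes `.path`, which I cannot confirm from this hunk. The `kw.secrets.variables.wg-youko-privkey` attribute opened at L101 continues outside the hunk.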


@ -23,7 +23,8 @@
network = {
yggdrasil = {
enable = true;
pubkey = "d3db7b089f3cb2d33e18c77b8f9a5a08185798143822b219dbc938aa37d29310";
pubkey = "fc64ee574072ef7420ff98bc53856f881025de252081e661a78e04ebcf7c6b35";
address = "200:736:2351:7f1a:2117:be00:ce87:58f5";
};
};


@ -44,7 +44,8 @@
};
yggdrasil = {
enable = true;
pubkey = "5ba8c9f8627b6e5da938e6dec6e0a66287490e28084e58125330b7a8812cc22e";
pubkey = "70c18030247e98fdffe4fd81f5fa8c7c4ed43fd6a4fb2b5ef7af0a010d08f63c";
address = "200:691b:b4fb:6987:711f:bde:9b5c:8af3";
listen.enable = false;
listen.endpoints = [ "tcp://0.0.0.0:0" ];
};


@ -106,7 +106,8 @@
};
yggdrasil = {
enable = true;
pubkey = "d3e488574367056d3ae809b678f799c29ebfd5c7151bb1f4051775b3953e5f52";
pubkey = "4f8fb0817afcd6211fb6a2cac2893df7d3f12c5c99eed106718d7223468473b2";
address = "201:c1c1:3dfa:140c:a77b:8125:74d4:f5db";
listen.enable = false;
listen.endpoints = [ "tcp://0.0.0.0:0" ];
};


@ -5,7 +5,7 @@ with lib;
let
cfg = config.network.yggdrasil;
calcAddr = pubkey: lib.readFile (pkgs.runCommandNoCC "calcaddr-${pubkey}" { } ''
echo '{ EncryptionPublicKey: "${pubkey}" }' | ${config.services.yggdrasil.package}/bin/yggdrasil -useconf -address | tr -d '\n' > $out
echo '{ SigningPublicKey: "${pubkey}" }' | ${config.services.yggdrasil.package}/bin/yggdrasil -useconf -address | tr -d '\n' > $out
'').outPath;
in
{
@ -17,8 +17,9 @@ in
};
address = mkOption {
type = types.str;
description = "Main Yggdrasil address. Set automatically";
default = calcAddr cfg.pubkey;
#description = "Main Yggdrasil address. Set automatically";
#default = calcAddr cfg.signingPubkey;
default = "";
};
trust = mkOption {
type = types.bool;
@ -122,46 +123,19 @@ in
enable = true;
persistentKeys = true;
config = {
AllowedEncryptionPublicKeys = pubkeys;
AllowedPublicKeys = pubkeys;
IfName = "yggdrasil";
Listen = cfg.listen.endpoints;
Peers = lib.flatten (cfg.extern.endpoints ++ (map (c: c.listen.endpoints) (filter (c: c.listen.enable) yggConfigs)));
SessionFirewall = {
Enable = true;
AllowFromRemote = false;
WhitelistEncryptionPublicKeys = pubkeys;
};
TunnelRouting =
let
subnets = v: (
listToAttrs (flatten (map (c: map (net: nameValuePair net c.pubkey) c.tunnel."localV${toString v}") yggConfigs))
) // cfg.tunnel."remoteV${toString v}";
in
{
Enable = true;
IPv4LocalSubnets = cfg.tunnel.localV4 ++ cfg.extra.localV4;
IPv6LocalSubnets = cfg.tunnel.localV6 ++ cfg.extra.localV6;
IPv4RemoteSubnets = subnets 4;
IPv6RemoteSubnets = subnets 6;
};
};
};
systemd.services.yggdrasil.postStart =
let
yggTun = config.services.yggdrasil.config.TunnelRouting;
addNets = v: nets: concatMapStringsSep "\n" (net: "${pkgs.iproute}/bin/ip -${toString v} route add ${net} dev yggdrasil") (attrNames nets);
in
"sleep 1\n" + (concatMapStringsSep "\n" (v: addNets v yggTun."IPv${toString v}RemoteSubnets") [ 4 6 ]);
system.build.yggdrasilTemplate =
let
json = builtins.toJSON {
inherit (config.services.yggdrasil.config) Peers SessionFirewall TunnelRouting;
EncryptionPublicKey = "";
EncryptionPrivateKey = "";
SigningPublicKey = "";
SigningPrivateKey = "";
PublicKey = "";
PrivateKey = "";
};
in
pkgs.runCommandNoCC "yggdrasil-template.json" { }
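Review bot: The new `AllowedPublicKeys = pubkeys;` at L169 stands in for both the old `AllowedEncryptionPublicKeys` and the `SessionFirewall` block with its `WhitelistEncryptionPublicKeys` (L173–L177), but as far as 0.4's semantics go the two are not equivalent: `AllowedPublicKeys` only restricts which nodes may open a direct peering with this one, whereas the session firewall decided which overlay nodes could exchange traffic with it at all. With the session firewall gone, any node in the mesh can reach the `yggdrasil` interface, so the host firewall is the only remaining control — worth checking that the zone the interface is placed in (`private.interfaces = singleton "yggdrasil"` at L79 of the host hunk above) has rules suitable for a globally reachable overlay rather than a trusted LAN. If I read 0.4 correctly, an empty `pubkeys` list also means "allow all inbound peerings", so hosts with `listen.enable = true` should assert the list is non-empty. A comment beside L169, e.g. `# 0.4: peering allow-list only; the per-session whitelist is gone, so the interface firewall must enforce access`, would record this. Separately, with `default = "";` at L160 the `calcAddr` helper at L146–L149 is now unused, and its `SigningPublicKey` field is the 0.3 name (0.4 uses `PublicKey`, as on L207), so either delete it or update it.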


@ -3,13 +3,12 @@
{
boot.supportedFilesystems = [ "nfs" ];
/*
fileSystems."/mnt/kat-nas" = lib.mkIf (config.networking.hostName != "yukari") {
device = "${meta.network.nodes.yukari.network.addresses.wireguard.domain}:/mnt/zraw/media";
fsType = "nfs";
options = [ "x-systemd.automount" "noauto" "nfsvers=4" "soft" "retrans=2" "timeo=60" ];
};
*/
/*
fileSystems."/mnt/hex-corn" = {
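Review bot: The `kat-nas` mount at L219–L223 is commented out with `/* … */` rather than removed or gated on an option, and nothing says why or whether it is expected to return. A one-line reason above the block, e.g. `# disabled: <reason> — re-enable when <condition>`, keeps the dead definition from lingering unexplained; the second `/*` at L225 opens a block that continues outside the hunk.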


@ -10,15 +10,7 @@
config = {
network.yggdrasil.extern = let
hexchen = (import sources.hexchen) { };
hexYgg = filterAttrs (_: c: c.enable)
(mapAttrs (_: host: host.config.network.yggdrasil) hexchen.hosts);
in {
endpoints = flatten (map (c: c.listen.endpoints) (filter
(c:
c.listen.enable && (c.pubkey
!= "0000000000000000000000000000000000000000000000000000000000000000"))
(attrValues hexYgg)));
pubkeys = {
satorin =
"53d99a74a648ff7bd5bc9ba68ef4f472fb4fb8b2e26dfecea33c781f0d5c9525";
@ -28,7 +20,9 @@
"2a1567a2848540070328c9e938c58d40f2b1a3f08982c15c7edc5dcabfde3330";
boline =
"89684441745467da0d1bf7f47dc74ec3ca65e05c72f752298ef3c22a22024d43";
} // (mapAttrs (_: c: c.pubkey) hexYgg);
okami =
"f8fd12c6ed924048e93a7bd7dd63c2464813c9edddfef7415c4574518ecd4757";
};
};
networking.firewall.extraCommands = "ip6tables -A INPUT -p 89 -i wgmesh-+ -j ACCEPT";
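Review bot: Dropping the `hexchen` import and the derived `endpoints`/`pubkeys` merge (L233–L241, L249) leaves `network.yggdrasil.extern` with only the hand-listed `pubkeys` and, as far as this hunk shows, no `endpoints` attribute at all. The module still evaluates `cfg.extern.endpoints` (`Peers = lib.flatten (cfg.extern.endpoints ++ …)` in the module hunk above), so unless that option carries a default this will fail at evaluation; if the intent is "no external peers for now", an explicit `endpoints = [ ];` here makes that visible. Whether these lines are removed or merely moved I cannot tell from the rendered hunk, so treat this as a check rather than a confirmed defect.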