Merge pull request #11 from fsr/network

This commit is contained in:
Tassilo Tanneberger 2023-02-15 13:36:34 +01:00 committed by GitHub
commit bb13619248
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 98 additions and 23 deletions


@ -71,11 +71,11 @@
}, },
"nixpkgs-stable": { "nixpkgs-stable": {
"locked": { "locked": {
"lastModified": 1675265860, "lastModified": 1676162277,
"narHash": "sha256-PZNqc4ZnTRT34NsHJYbXn+Yhghh56l8HEXn39SMpGNc=", "narHash": "sha256-GK3cnvKNo1l0skGYXXiLJ/TLqdKyIYXd7jOlo0gN+Qw=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "a3a1400571e3b9ccc270c2e8d36194cf05aab6ce", "rev": "d863ca850a06d91365c01620dcac342574ecf46f",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -87,11 +87,11 @@
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1675237434, "lastModified": 1676375384,
"narHash": "sha256-YoFR0vyEa1HXufLNIFgOGhIFMRnY6aZ0IepZF5cYemo=", "narHash": "sha256-6HI3jZiuJX+KLz05cocYy2mBAWlISEKHU84ftYfxHZ8=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "285b3ff0660640575186a4086e1f8dc0df2874b5", "rev": "c43f676c938662072772339be6269226c77b51b8",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -116,11 +116,11 @@
"nixpkgs-stable": "nixpkgs-stable" "nixpkgs-stable": "nixpkgs-stable"
}, },
"locked": { "locked": {
"lastModified": 1675288837, "lastModified": 1676171095,
"narHash": "sha256-76s8TLENa4PzWDeuIpEF78gqeUrXi6rEJJaKEAaJsXw=", "narHash": "sha256-2laeSjBAAJ9e/C3uTIPb287iX8qeVLtWiilw1uxqG+A=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "a81ce6c961480b3b93498507074000c589bd9d60", "rev": "c5dab21d8706afc7ceb05c23d4244dcb48d6aade",
"type": "github" "type": "github"
}, },
"original": { "original": {


@ -4,6 +4,7 @@
imports = imports =
[ [
./hardware-configuration.nix ./hardware-configuration.nix
./network.nix
]; ];
# Use the systemd-boot EFI boot loader. # Use the systemd-boot EFI boot loader.
@ -12,20 +13,6 @@
boot.loader.efi.canTouchEfiVariables = true; boot.loader.efi.canTouchEfiVariables = true;
boot.supportedFilesystems = [ "zfs" ]; boot.supportedFilesystems = [ "zfs" ];
boot.zfs.devNodes = "/dev/"; boot.zfs.devNodes = "/dev/";
networking.hostId = "a41d87fc";
networking.interfaces.enp65s0f0np0 = {
useDHCP = false;
ipv4.addresses = [
{
address = "141.30.30.169";
prefixLength = 25;
}
];
};
networking.defaultGateway = "141.30.30.129";
networking.nameservers = [ "141.30.1.1" ];
networking.hostName = "quitte"; # Define your hostname. networking.hostName = "quitte"; # Define your hostname.
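Review bot: The host id does not merely move, it changes: the removed `networking.hostId = "a41d87fc";` in this hunk reappears as `hostId = "a71c81fc";` in hosts/quitte/network.nix. With `boot.supportedFilesystems = [ "zfs" ];` still in place, ZFS pools remember the host id they were last imported under, and an id that no longer matches can make the boot-time import refuse the pool unless a force import is configured. If the new value is deliberate, a comment beside it such as `# hostId intentionally differs from the old a41d87fc; pools re-imported under the new id` would spare the next reader a bisect; otherwise the old value should be carried over unchanged. The enclosing attribute set continues outside the hunk.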

hosts/quitte/network.nix Normal file

@ -0,0 +1,86 @@
{ pkgs, config, lib, ... }:
let
wireguard_port = 51820;
in
{
sops.secrets = {
"wg-fsr" = {
owner = config.users.users.systemd-network.name;
};
};
networking = {
hostId = "a71c81fc";
enableIPv6 = true;
useDHCP = true;
interfaces.enp65s0f0np0.useDHCP = true;
useNetworkd = true;
firewall.allowedUDPPorts = [ wireguard_port ];
wireguard.enable = true;
};
services.resolved = {
enable = true;
#dnssec = "false";
fallbackDns = [ "1.1.1.1" ];
};
# workaround for networkd waiting for shit
systemd.services.systemd-networkd-wait-online.serviceConfig.ExecStart = [
"" # clear old command
"${config.systemd.package}/lib/systemd/systemd-networkd-wait-online --any"
];
systemd.network = {
enable = true;
# Interfaces on the machine
networks."10-ether-bond" = {
matchConfig.Name = "enp65s0f0np0";
address = [ "141.30.30.169/25" ];
routes = [
{
routeConfig.Gateway = "141.30.30.129";
}
];
networkConfig = {
DNS = "141.30.1.1";
#IPv6AcceptRA = true;
};
};
# defining network device for wireguard connections
netdevs."fsr-wg" = {
netdevConfig = {
Kind = "wireguard";
Name = "fsr-wg";
Description = "fsr enterprise wireguard";
};
wireguardConfig = {
PrivateKeyFile = config.sops.secrets."wg-fsr".path;
ListenPort = wireguard_port;
};
wireguardPeers = [
{
# tassilo
wireguardPeerConfig = {
PublicKey = "vgo3le9xrFsIbbDZsAhQZpIlX+TuWjfEyUcwkoqUl2Y=";
AllowedIPs = [ "10.66.66.100/32" ];
PersistentKeepalive = 25;
};
}
];
};
# fsr wireguard server
networks."fsr-wg" = {
matchConfig.Name = "fsr-wg";
networkConfig = {
Address = "10.66.66.1/24";
IPForward = "ipv4";
};
};
};
}
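Review bot: The static address for enp65s0f0np0 in `networks."10-ether-bond"` coexists with `useDHCP = true;` and `interfaces.enp65s0f0np0.useDHCP = true;` for the same interface. If I read the NixOS networkd backend correctly, those options emit their own `.network` units for the interface, and networkd applies only the first matching unit in lexical order, so the DHCP settings are inert while the static unit wins; either drop them or record the intent, e.g. `# static config in 10-ether-bond takes precedence; DHCP options kept only as fallback`. Separately, `IPForward = "ipv4";` on the fsr-wg network turns the host into a router for the peer in 10.66.66.0/24, and as far as I know the NixOS firewall filters only inbound traffic by default, so confirm whether forwarded traffic from the tunnel should be restricted with explicit forward rules. The `#dnssec = "false";` line is dead configuration and would be clearer either enabled or removed.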


@ -3,6 +3,7 @@ postgres_hedgedoc: ENC[AES256_GCM,data:VCoWXZbNGWfmorTNZRFWkDUp0B5JMmsA+bJFVrURE
postgres_nextcloud: ENC[AES256_GCM,data:Lv0Ld3sf+hoUE2qrsf9qGSYf5aVLqm5GIbK2hEoR5Uc=,iv:/4hqMV42J37byJgZZGhMqsHNtutikcXhun2uk2HhsHY=,tag:+L4scIHq2nopBlr64KJgjA==,type:str] postgres_nextcloud: ENC[AES256_GCM,data:Lv0Ld3sf+hoUE2qrsf9qGSYf5aVLqm5GIbK2hEoR5Uc=,iv:/4hqMV42J37byJgZZGhMqsHNtutikcXhun2uk2HhsHY=,tag:+L4scIHq2nopBlr64KJgjA==,type:str]
nextcloud_adminpass: ENC[AES256_GCM,data:EMvcFOGJz45P4nvJ5Yy4SziWa2pUWBqt4ZZdde6wegk=,iv:tG9bhB7HPprZMnfV/uC/v7fqmjQd5d4Oj5avOtK2/0A=,tag:8jBDpnahwQsXsD2Ivf6jDw==,type:str] nextcloud_adminpass: ENC[AES256_GCM,data:EMvcFOGJz45P4nvJ5Yy4SziWa2pUWBqt4ZZdde6wegk=,iv:tG9bhB7HPprZMnfV/uC/v7fqmjQd5d4Oj5avOtK2/0A=,tag:8jBDpnahwQsXsD2Ivf6jDw==,type:str]
hedgedoc_session_secret: ENC[AES256_GCM,data:uz7KggZqeZ2eqiCnOcnYh2I1p5BBXTQbC8PUhB2kM2U=,iv:aJDHKCPkccCT/OF6AGZMfRESNmoV9muGHbuCUfLQhH8=,tag:uEVXylpE8MSebqRr+4mQOw==,type:str] hedgedoc_session_secret: ENC[AES256_GCM,data:uz7KggZqeZ2eqiCnOcnYh2I1p5BBXTQbC8PUhB2kM2U=,iv:aJDHKCPkccCT/OF6AGZMfRESNmoV9muGHbuCUfLQhH8=,tag:uEVXylpE8MSebqRr+4mQOw==,type:str]
wg-fsr: ENC[AES256_GCM,data:0WViJp9fNKVxq8LsK5R0Ihn3r+S7CLBk5voKn55dABidlFSLpsA0q+KTxoY=,iv:rc4B8N2otqolSRLfpeRkIn7iNlED7XUjY//OCI2oQ5c=,tag:eWO6LniGnTd8KZ4pSyrR5A==,type:str]
wg-seckey: ENC[AES256_GCM,data:NHk6E5uu3CshC/0//LoGk6iCGKWbx49wVVkjoMqF19gc7MhdHAn9aJD+0Zc=,iv:N3PuU7+QSW9aD0ZhTI7CmMI3drLIzO7XaW3mgEDp/sk=,tag:fxH4eRIboy9O15oul7JOTw==,type:str] wg-seckey: ENC[AES256_GCM,data:NHk6E5uu3CshC/0//LoGk6iCGKWbx49wVVkjoMqF19gc7MhdHAn9aJD+0Zc=,iv:N3PuU7+QSW9aD0ZhTI7CmMI3drLIzO7XaW3mgEDp/sk=,tag:fxH4eRIboy9O15oul7JOTw==,type:str]
portunus_admin: ENC[AES256_GCM,data:bPuYdfpWJtYib9lUcXHVZeGerskd5vs5IOe+DE9Q7OOPkAwp,iv:6ZjjfQ3E1xxYjmEg7o849RZzUt8dyXjI84DSfPYGUWQ=,tag:JJpOLjPs8YdEBl3xGGAzbg==,type:str] portunus_admin: ENC[AES256_GCM,data:bPuYdfpWJtYib9lUcXHVZeGerskd5vs5IOe+DE9Q7OOPkAwp,iv:6ZjjfQ3E1xxYjmEg7o849RZzUt8dyXjI84DSfPYGUWQ=,tag:JJpOLjPs8YdEBl3xGGAzbg==,type:str]
portunus_search: ENC[AES256_GCM,data:J1GRvVOCcOcAz4qZypa/XbcMCGQSFS6yyg1eGfNIBA4=,iv:zFf90vpMW3aqpstZVEno5TDCVwV2vi3SyA7BrX2R3/A=,tag:HJauUh36/5qmr8sGmgH1dw==,type:str] portunus_search: ENC[AES256_GCM,data:J1GRvVOCcOcAz4qZypa/XbcMCGQSFS6yyg1eGfNIBA4=,iv:zFf90vpMW3aqpstZVEno5TDCVwV2vi3SyA7BrX2R3/A=,tag:HJauUh36/5qmr8sGmgH1dw==,type:str]
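Review bot: `wg-seckey` stays in this file alongside the new `wg-fsr` entry, while the only consumer introduced by this change, `config.sops.secrets."wg-fsr".path` in network.nix, reads wg-fsr. If wg-seckey is the key this tunnel used before, removing it keeps a superseded private key out of the deployed secrets; if it serves another purpose, naming its consumer in the repository docs would make that clear. I cannot tell from the diff which of the two applies.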


@ -1,3 +1,4 @@
wg-fsr: ENC[AES256_GCM,data:fvbVvT+0,iv:PG18bjnc/plz5gHBc7B1ukyKYx93KVPek0y2pCUnHYQ=,tag:0EkTJukQXI6IPfQRbxQNlA==,type:str]
postgres_keycloak: ENC[AES256_GCM,data:dHuqrGcrJUE5GZhhWG5a4Ko=,iv:bvbyDXhkovtX5BQKw36WTGyUl3KR0Df2fB5qmMWbqqU=,tag:95XJCjKJjrITsHXK8ABF6A==,type:str] postgres_keycloak: ENC[AES256_GCM,data:dHuqrGcrJUE5GZhhWG5a4Ko=,iv:bvbyDXhkovtX5BQKw36WTGyUl3KR0Df2fB5qmMWbqqU=,tag:95XJCjKJjrITsHXK8ABF6A==,type:str]
postgres_hedgedoc: ENC[AES256_GCM,data:XWbf3F1b00RBFS9NXytzVkQ=,iv:dTbRUncYKsqOh0y0MTEJCpPcwfvROkIiO8v9OxZiHPU=,tag:YUxAkmbYKbGdGbIMS/8mOw==,type:str] postgres_hedgedoc: ENC[AES256_GCM,data:XWbf3F1b00RBFS9NXytzVkQ=,iv:dTbRUncYKsqOh0y0MTEJCpPcwfvROkIiO8v9OxZiHPU=,tag:YUxAkmbYKbGdGbIMS/8mOw==,type:str]
postgres_nextcloud: ENC[AES256_GCM,data:ySjpkMh1/6JuU2JwjlJcXh0D,iv:7CWZPjX7NZt4v1V3vbm42Iw7glz5/9F4TK9GUqTNsl8=,tag:701TSuhzyR4AnDHB4bG48Q==,type:str] postgres_nextcloud: ENC[AES256_GCM,data:ySjpkMh1/6JuU2JwjlJcXh0D,iv:7CWZPjX7NZt4v1V3vbm42Iw7glz5/9F4TK9GUqTNsl8=,tag:701TSuhzyR4AnDHB4bG48Q==,type:str]
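Review bot: The `wg-fsr` value added at the top of this file carries only eight base64 characters of ciphertext, roughly six bytes of plaintext, whereas the same entry in the other secrets file is about sixty characters and a WireGuard private key is 44 characters of base64. That reads like a placeholder rather than a generated key; if the host this file belongs to ever imports network.nix, networkd would fail to load `PrivateKeyFile` from it. Either fill in a real key or leave the entry out until it is needed; which host this file serves is not visible in the diff.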