From ec704eb11dd93ef4918b7c2b5e8feeeaa2040fa3 Mon Sep 17 00:00:00 2001 From: revol-xut Date: Fri, 9 Dec 2022 16:18:57 +0100 Subject: [PATCH 1/4] updating network to networkd --- hosts/quitte/configuration.nix | 15 +------ hosts/quitte/network.nix | 81 ++++++++++++++++++++++++++++++++++ secrets/quitte.yaml | 6 +-- 3 files changed, 85 insertions(+), 17 deletions(-) create mode 100644 hosts/quitte/network.nix diff --git a/hosts/quitte/configuration.nix b/hosts/quitte/configuration.nix index b8ba887..d2db95f 100644 --- a/hosts/quitte/configuration.nix +++ b/hosts/quitte/configuration.nix @@ -4,6 +4,7 @@ imports = [ ./hardware-configuration.nix + ./network.nix ]; # Use the systemd-boot EFI boot loader. @@ -12,20 +13,6 @@ boot.loader.efi.canTouchEfiVariables = true; boot.supportedFilesystems = [ "zfs" ]; boot.zfs.devNodes = "/dev/"; - networking.hostId = "a41d87fc"; - - networking.interfaces.enp65s0f0np0 = { - useDHCP = false; - ipv4.addresses = [ - { - address = "141.30.30.169"; - prefixLength = 25; - } - ]; - }; - - networking.defaultGateway = "141.30.30.129"; - networking.nameservers = [ "141.30.1.1" ]; networking.hostName = "quitte"; # Define your hostname. diff --git a/hosts/quitte/network.nix b/hosts/quitte/network.nix new file mode 100644 index 0000000..3c8f25e --- /dev/null +++ b/hosts/quitte/network.nix 
@@ -0,0 +1,81 @@
+{ pkgs, config, lib, ... }:
+let
+ wireguard_port = 51820;
+in
+{
+ sops.secrets = {
+ "wg-fsr" = {
+ owner = config.users.users.systemd-network.name;
+ };
+ };
+
+ networking = {
+ hostId = "a71c81fc";
+ enableIPv6 = true;
+ useDHCP = true;
+ interfaces.enp65s0f0np0.useDHCP = true;
+ useNetworkd = true;
+
+ firewall.allowedUDPPorts = [ wireguard_port ];
+ wireguard.enable = true;
+ };
+
+ services.resolved = {
+ enable = true;
+ dnssec = "false";
+ fallbackDns = [ "1.1.1.1" ];
+ };
+
+ # workaround for networkd waiting for shit
+ systemd.services.systemd-networkd-wait-online.serviceConfig.ExecStart = [
+ "" # clear old command
+ "${config.systemd.package}/lib/systemd/systemd-networkd-wait-online --any"
+ ];
+
+ systemd.network = {
+ enable = true;
+
+ # Interfaces on the machine
+ networks."10-ether-bond" = {
+ matchConfig.Name = "enp65s0f0np0";
+ networkConfig = {
+ Address = "141.30.30.169/25";
+ Gateway = "141.30.30.129";
+ DNS = "141.30.1.1";
+ #IPv6AcceptRA = true;
+ };
+ };
+
+ # defining network device for wireguard connections
+ netdevs."fsr-wg" = {
+ netdevConfig = {
+ Kind = "wireguard";
+ Name = "fsr-wg";
+ Description = "fsr enterprise wireguard";
+ };
+ wireguardConfig = {
+ PrivateKeyFile = config.sops.secrets."wg-fsr".path;
+ ListenPort = wireguard_port;
+ };
+ wireguardPeers = [
+ {
+ # tassilo
+ wireguardPeerConfig = {
+ PublicKey = "vgo3le9xrFsIbbDZsAhQZpIlX+TuWjfEyUcwkoqUl2Y=";
+ AllowedIPs = [ "10.66.66.100/32" ];
+ PersistentKeepalive = 25;
+ };
+ }
+ ];
+ };
+
+ # fsr wireguard server
+ networks."fsr-wg" = {
+ matchConfig.Name = "fsr-wg";
+ networkConfig = {
+ Address = "10.66.66.1/24";
+ IPForward = "ipv4";
+ };
+ };
+ };
+}
diff --git a/secrets/quitte.yaml b/secrets/quitte.yaml
index 5feab36..99ecdc2 100644
--- a/secrets/quitte.yaml
+++ b/secrets/quitte.yaml
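Review bot: `hostId = "a71c81fc"` does not match the `a41d87fc` that configuration.nix drops in the same patch, and that file's context shows ZFS is in use (`boot.supportedFilesystems = [ "zfs" ]`); ZFS pools record the importing host id, so a silently changed value can make the boot-time pool import refuse to proceed — either restore `hostId = "a41d87fc";` or state in a comment that the change is deliberate and the pools were re-imported. `IPForward = "ipv4"` under networks."fsr-wg" is a system-wide kernel sysctl rather than a per-interface setting, and the NixOS firewall does not filter forwarded traffic by default, so traffic arriving from the peer can be routed out of enp65s0f0np0 unless a forward policy is added; a comment stating what forwarding is needed for, plus an nftables/iptables rule restricting it to that use, would close the gap. `useDHCP = true` and `interfaces.enp65s0f0np0.useDHCP = true` coexist with the static Address/Gateway in networks."10-ether-bond"; networkd applies only the first matching .network unit, so the DHCP configuration NixOS presumably generates for that interface is dead and the two `useDHCP` lines should be dropped to remove the ambiguity. The comment above the systemd-networkd-wait-online override does not say which interface stalls; naming it, and preferring `linkConfig.RequiredForOnline = false` on that interface's network over the global `--any`, would keep the workaround targeted and explain itself.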
@@ -3,7 +3,7 @@ postgres_hedgedoc: ENC[AES256_GCM,data:VCoWXZbNGWfmorTNZRFWkDUp0B5JMmsA+bJFVrURE postgres_nextcloud: ENC[AES256_GCM,data:Lv0Ld3sf+hoUE2qrsf9qGSYf5aVLqm5GIbK2hEoR5Uc=,iv:/4hqMV42J37byJgZZGhMqsHNtutikcXhun2uk2HhsHY=,tag:+L4scIHq2nopBlr64KJgjA==,type:str] nextcloud_adminpass: ENC[AES256_GCM,data:EMvcFOGJz45P4nvJ5Yy4SziWa2pUWBqt4ZZdde6wegk=,iv:tG9bhB7HPprZMnfV/uC/v7fqmjQd5d4Oj5avOtK2/0A=,tag:8jBDpnahwQsXsD2Ivf6jDw==,type:str] hedgedoc_session_secret: ENC[AES256_GCM,data:uz7KggZqeZ2eqiCnOcnYh2I1p5BBXTQbC8PUhB2kM2U=,iv:aJDHKCPkccCT/OF6AGZMfRESNmoV9muGHbuCUfLQhH8=,tag:uEVXylpE8MSebqRr+4mQOw==,type:str] -wg-seckey: ENC[AES256_GCM,data:NHk6E5uu3CshC/0//LoGk6iCGKWbx49wVVkjoMqF19gc7MhdHAn9aJD+0Zc=,iv:N3PuU7+QSW9aD0ZhTI7CmMI3drLIzO7XaW3mgEDp/sk=,tag:fxH4eRIboy9O15oul7JOTw==,type:str] +wg-fsr: ENC[AES256_GCM,data:0WViJp9fNKVxq8LsK5R0Ihn3r+S7CLBk5voKn55dABidlFSLpsA0q+KTxoY=,iv:rc4B8N2otqolSRLfpeRkIn7iNlED7XUjY//OCI2oQ5c=,tag:eWO6LniGnTd8KZ4pSyrR5A==,type:str] mediawiki: postgres: ENC[AES256_GCM,data:XRfUc2PRMJcoILAnm5MWr2Cg5u4e/IhGMUnz/oIQSzY=,iv:8U+qlD1SQzxUyD/6QK4SdwRCDyMODK/lP0IDrLlcQ4U=,tag:2spNMj9dY2wWilOusq24yQ==,type:str] initial_admin: ENC[AES256_GCM,data:iET5rz9rygx49NDBjKwqAlRgpeS+jq5iM5zmjnoKcyk=,iv:11iDbCrpzjCdyAB22R8NknJ6vzcpVZXCXB3iWsGWXw0=,tag:1RCyg1ysOWaXKdqqdHqRrw==,type:str] 
@@ -23,8 +23,8 @@ sops: Z212K3JDWmRsZmVpdjBaUE1kL3phMm8K/x3Ssn0LEO7BfTUoOJQ6h88vlwA/AvQj KsosHSWO7vsgqKPPO+OPbHV1y8OTAKubcrk5szTUWBNOvggIw3nWDA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-11-18T15:28:28Z" - mac: ENC[AES256_GCM,data:+o08gLLG3tz9uheJOMeKWtdvcRjgdcpOFUjSW3sHdFWC/FM5dcwDgBAtTO3/pPB6+e//SfpZgIWq1EASpgChPmE61K0U1lnYK/5gBY1QMDZ9tLgl8VjQ1ShVSeTL/dLWopBEVeDT0cR8jhJ+MIaVTEzMLK8I2qn/LaZqEktMPSg=,iv:N5TPSuijpULToU4EoZ7P6bL0sMZ1Jfu10Jxmnpzh4Ec=,tag:UIHIM+CMNS70ivKtEzbR3w==,type:str] + lastmodified: "2022-12-09T15:15:33Z" + mac: ENC[AES256_GCM,data:8G4Kohgr0lF8G135/MNzcSRIrtfX+QRCfMtLRK+fNbc/NHHozlLaI8XDpiURfvgaWR5fVim7DgT5r59aU+G+F8O45C83hJ5LLLmeisWL78Ktm9vOUhWgoClCZ8l/603uPpIG3WlenLF1D5DTO11U60wcGdWv1RMQ9ovxJCXtRfs=,iv:0L4KQR1LYUW52Upv5sZWKquuLNhdaRQ2yoV4y0rs+R0=,tag:uBEfNmk5hmRqSUGhF+V3SQ==,type:str] pgp: - created_at: "2022-11-18T16:37:48Z" enc: | -- 2.47.1 From 3c1767045fbf86dab16abfea2590bd6b0bbcefba Mon Sep 17 00:00:00 2001 From: revol-xut Date: Fri, 20 Jan 2023 16:34:48 +0100 Subject: [PATCH 2/4] added to test key --- flake.lock | 24 ++++++++++++------------ secrets/test.yaml | 5 +++-- 2 files changed, 15 insertions(+), 14 deletions(-) diff --git a/flake.lock b/flake.lock index 7698a4f..c2baba1 100644 --- a/flake.lock +++ b/flake.lock 
@@ -69,29 +69,29 @@ "type": "github" } }, - "nixpkgs-22_05": { + "nixpkgs-stable": { "locked": { - "lastModified": 1668307144, - "narHash": "sha256-uY2StvGJvTfgtLaiz3uvX+EQeWZDkiLFiz2vekgJ9ZE=", + "lastModified": 1673740915, + "narHash": "sha256-MMH8zONfqahgHly3K8/A++X34800rajA/XgZ2DzNL/M=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "eac99848dfd869e486573d8272b0c10729675ca2", + "rev": "7c65528c3f8462b902e09d1ccca23bb9034665c2", "type": "github" }, "original": { "owner": "NixOS", - "ref": "release-22.05", + "ref": "release-22.11", "repo": "nixpkgs", "type": "github" } }, "nixpkgs_2": { "locked": { - "lastModified": 1668595291, - "narHash": "sha256-j8cyfbtT5sAYPYwbERgTDzfD48ZernL0/V668eGpXAM=", + "lastModified": 1672580127, + "narHash": "sha256-3lW3xZslREhJogoOkjeZtlBtvFMyxHku7I/9IVehhT8=", "owner": "nixos", "repo": "nixpkgs", - "rev": "6474d93e007e4d165bcf48e7f87de2175c93d10b", + "rev": "0874168639713f547c05947c76124f78441ea46c", "type": "github" }, "original": { @@ -113,14 +113,14 @@ "nixpkgs": [ "nixpkgs" ], - "nixpkgs-22_05": "nixpkgs-22_05" + "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1668311578, - "narHash": "sha256-nF6mwSbVyvnlIICWFZlADegWdTsgrk1pZnA/0VqByNw=", + "lastModified": 1673752321, + "narHash": "sha256-EFfXY1ZHJq4FNaNQA9x0djtu/jiOhBbT0Xi+BT06cJw=", "owner": "Mic92", "repo": "sops-nix", - "rev": "39f0fe57f1ef78764c1abc1de145f091fee1bbbb", + "rev": "e18eefd2b133a58309475298052c341c08470717", "type": "github" }, "original": { diff --git a/secrets/test.yaml b/secrets/test.yaml index 521db7f..620e16d 100644 --- a/secrets/test.yaml +++ b/secrets/test.yaml 
@@ -1,3 +1,4 @@ +wg-fsr: ENC[AES256_GCM,data:fvbVvT+0,iv:PG18bjnc/plz5gHBc7B1ukyKYx93KVPek0y2pCUnHYQ=,tag:0EkTJukQXI6IPfQRbxQNlA==,type:str] postgres_keycloak: ENC[AES256_GCM,data:dHuqrGcrJUE5GZhhWG5a4Ko=,iv:bvbyDXhkovtX5BQKw36WTGyUl3KR0Df2fB5qmMWbqqU=,tag:95XJCjKJjrITsHXK8ABF6A==,type:str] postgres_hedgedoc: ENC[AES256_GCM,data:XWbf3F1b00RBFS9NXytzVkQ=,iv:dTbRUncYKsqOh0y0MTEJCpPcwfvROkIiO8v9OxZiHPU=,tag:YUxAkmbYKbGdGbIMS/8mOw==,type:str] postgres_nextcloud: ENC[AES256_GCM,data:ySjpkMh1/6JuU2JwjlJcXh0D,iv:7CWZPjX7NZt4v1V3vbm42Iw7glz5/9F4TK9GUqTNsl8=,tag:701TSuhzyR4AnDHB4bG48Q==,type:str] @@ -23,8 +24,8 @@ sops: MERVUkh2ck9YWnJ5TXJDVmxpem1kTXMKCeOyjV/se1nRXsi15m/3i48hP7As6SEk ygtLt+UueHStX/b/OzrXk8IC5dj/mARGIJI5S61IKln6SZFbJGT6cQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-11-18T15:23:26Z" - mac: ENC[AES256_GCM,data:meFon3NJLJ3E7pxGFvmol2WThaTPlPUKdRzeLnPhcLeJ2cGzj/DlnjTBmsk9hKhhTsQ4osdFo/DchId0MyV7Xi5ZmMVD0lyRZEPzguIbkg3UezRiNlosm21DpQ7Pl/yEXd02x/5kLast/Ud3zF1ZNGeGTxNriZvm5XY3KFiMCSY=,iv:oPPQnA82IbMTCsivp1fh4k9hS2keyh7Zm1C1jRkYUMU=,tag:vOkON7/N4v3yXu8kYkAEMg==,type:str] + lastmodified: "2023-01-20T15:34:41Z" + mac: ENC[AES256_GCM,data:YjrmGxH7DCf4HP2GKMb+2XThSTnvcNgIaM4uvuEK/Nb4ZuVKvF4usKvsHXuy0lJEtghfw1wd9ao9pEKbcCMTkkhjXmXe8LuprT72CQl5+qVLfchfgmYdwkx2H3pN9rWXR0jQnF/d6djAwvm7c2bepioUa2IamJx+++CWjttB0Ds=,iv:Ds6KZzSppATyo/jsWxeiuVP2jXDGiTHEk3XaSy2xgLA=,tag:zaPwS8jfKrom3JAncg6UXQ==,type:str] pgp: - created_at: "2022-11-18T16:37:58Z" enc: | -- 2.47.1 From d3113be6932a15b1077441a14bccc09ef5635260 Mon Sep 17 00:00:00 2001 From: revol-xut Date: Wed, 15 Feb 2023 13:34:14 +0100 Subject: [PATCH 3/4] changing config for static ip --- hosts/quitte/network.nix | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/hosts/quitte/network.nix b/hosts/quitte/network.nix index 3c8f25e..59494a9 100644 --- a/hosts/quitte/network.nix +++ b/hosts/quitte/network.nix 
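Review bot: The ciphertext added for `wg-fsr` carries only `fvbVvT+0` as payload — eight base64 characters, i.e. six plaintext bytes, since AES-GCM does not expand the data — so it cannot decrypt to a WireGuard private key (44 base64 characters). That is harmless if secrets/test.yaml only exercises sops key access, but should this file ever be deployed as quitte's secrets the `PrivateKeyFile` referenced from hosts/quitte/network.nix would be rejected by networkd; recording in the commit message or next to the consumer that the test value is a placeholder would make the intent explicit.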
@@ -22,7 +22,7 @@ in services.resolved = { enable = true; - dnssec = "false"; + #dnssec = "false"; fallbackDns = [ "1.1.1.1" ]; }; @@ -38,9 +38,14 @@ in # Interfaces on the machine networks."10-ether-bond" = { matchConfig.Name = "enp65s0f0np0"; + + address = [ "141.30.30.169/25" ]; + routes = [ + { + routeConfig.Gateway = "141.30.30.129"; + } + ]; networkConfig = { - Address = "141.30.30.169/25"; - Gateway = "141.30.30.129"; DNS = "141.30.1.1"; #IPv6AcceptRA = true; }; -- 2.47.1 From c137ef004dcb6b7f54a079df8b1ded84e182a6fe Mon Sep 17 00:00:00 2001 From: revol-xut Date: Wed, 15 Feb 2023 13:35:32 +0100 Subject: [PATCH 4/4] formatting --- hosts/quitte/network.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/hosts/quitte/network.nix b/hosts/quitte/network.nix index 59494a9..d0671ec 100644 --- a/hosts/quitte/network.nix +++ b/hosts/quitte/network.nix @@ -41,9 +41,9 @@ in address = [ "141.30.30.169/25" ]; routes = [ - { - routeConfig.Gateway = "141.30.30.129"; - } + { + routeConfig.Gateway = "141.30.30.129"; + } ]; networkConfig = { DNS = "141.30.1.1"; -- 2.47.1
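Review bot: Commenting out `dnssec = "false"` does not turn validation off, it hands services.resolved.dnssec back to the module default, and the commit ("changing config for static ip") gives no reason for touching it; if validation is meant to stay disabled, restore the line, otherwise delete the dead comment and note the motivation in the commit message. Which default applies depends on the nixpkgs release pinned in flake.lock (release-22.11 per patch 2 of this series), so it is worth confirming how that default behaves against the upstream resolver `141.30.1.1` before relying on it. The `address`/`routes` rewrite in the second hunk is equivalent to the removed `networkConfig` entries, so nothing further to raise there.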