feat: init roam01
This commit is contained in:
parent
bcaa9b2f4b
commit
39fd67c416
13 changed files with 459 additions and 35 deletions
|
@ -14,11 +14,18 @@ rec {
|
||||||
_keys = (import "${_sources.infrastructure}/keys")._keys // {
|
_keys = (import "${_sources.infrastructure}/keys")._keys // {
|
||||||
krz01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP4o65gWOgNrxbSd3kiQIGZUM+YD6kuZOQtblvzUGsfB" ];
|
krz01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP4o65gWOgNrxbSd3kiQIGZUM+YD6kuZOQtblvzUGsfB" ];
|
||||||
router02 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE5t0InDV9nTLEqXrenqMJZAjkCAmfzHk6LLLHme3k3j" ];
|
router02 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE5t0InDV9nTLEqXrenqMJZAjkCAmfzHk6LLLHme3k3j" ];
|
||||||
|
roam01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKXjzVxYs5v5+7N0tyqpBQERXKjXwTZUqVGkdye4S1LP" ];
|
||||||
status01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAQFCsn/8c46O7JLx0QYdbZsXnS+NYtsgUNHPd2Toksj" ];
|
status01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAQFCsn/8c46O7JLx0QYdbZsXnS+NYtsgUNHPd2Toksj" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
_vpnKeys =
|
||||||
|
builtins.mapAttrs (_: v: v.vpnKeys) meta.organization.members
|
||||||
|
// builtins.mapAttrs (_: v: v.vpnKeys) meta.network;
|
||||||
|
|
||||||
getKeys = ls: builtins.concatLists (builtins.map (getAttr _keys) ls);
|
getKeys = ls: builtins.concatLists (builtins.map (getAttr _keys) ls);
|
||||||
|
|
||||||
|
getVpnKey = vpn: name: _vpnKeys.${name}.${vpn};
|
||||||
|
|
||||||
mkSecrets =
|
mkSecrets =
|
||||||
nodes: setDefault { publicKeys = unique (rootKeys ++ (builtins.concatMap getNodeKeys' nodes)); };
|
nodes: setDefault { publicKeys = unique (rootKeys ++ (builtins.concatMap getNodeKeys' nodes)); };
|
||||||
|
|
||||||
|
|
18
machines/roam01/_configuration.nix
Normal file
18
machines/roam01/_configuration.nix
Normal file
|
@ -0,0 +1,18 @@
|
||||||
|
{ lib, ... }:
|
||||||
|
|
||||||
|
lib.extra.mkConfig {
|
||||||
|
enabledModules = [
|
||||||
|
# List of modules to enable
|
||||||
|
];
|
||||||
|
|
||||||
|
enabledServices = [
|
||||||
|
# List of services to enable
|
||||||
|
"wireguard"
|
||||||
|
];
|
||||||
|
|
||||||
|
extraConfig = {
|
||||||
|
networking.interfaces.enp1s0.useDHCP = true;
|
||||||
|
};
|
||||||
|
|
||||||
|
root = ./.;
|
||||||
|
}
|
62
machines/roam01/_hardware-configuration.nix
Normal file
62
machines/roam01/_hardware-configuration.nix
Normal file
|
@ -0,0 +1,62 @@
|
||||||
|
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||||
|
# and may be overwritten by future invocations. Please make changes
|
||||||
|
# to /etc/nixos/configuration.nix instead.
|
||||||
|
{
|
||||||
|
config,
|
||||||
|
lib,
|
||||||
|
modulesPath,
|
||||||
|
...
|
||||||
|
}:
|
||||||
|
|
||||||
|
{
|
||||||
|
imports = [
|
||||||
|
(modulesPath + "/installer/scan/not-detected.nix")
|
||||||
|
];
|
||||||
|
|
||||||
|
boot = {
|
||||||
|
initrd = {
|
||||||
|
availableKernelModules = [
|
||||||
|
"xhci_pci"
|
||||||
|
"usb_storage"
|
||||||
|
"usbhid"
|
||||||
|
"sd_mod"
|
||||||
|
"sdhci_pci"
|
||||||
|
];
|
||||||
|
kernelModules = [ ];
|
||||||
|
};
|
||||||
|
kernelModules = [ "kvm-intel" ];
|
||||||
|
extraModulePackages = [ ];
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/" = {
|
||||||
|
device = "/dev/disk/by-uuid/bfb4359b-75b2-4fa0-bdb6-283658a0019a";
|
||||||
|
fsType = "xfs";
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/boot" = {
|
||||||
|
device = "/dev/disk/by-uuid/1A70-E9AE";
|
||||||
|
fsType = "vfat";
|
||||||
|
options = [
|
||||||
|
"fmask=0022"
|
||||||
|
"dmask=0022"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
swapDevices = [
|
||||||
|
{ device = "/dev/disk/by-uuid/6518c729-a0cb-41b4-acc8-ec219d0afba6"; }
|
||||||
|
];
|
||||||
|
|
||||||
|
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
||||||
|
# (the default) this is the recommended approach. When using systemd-networkd it's
|
||||||
|
# still possible to use this option, but it's recommended to use it in conjunction
|
||||||
|
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
|
||||||
|
networking.useDHCP = lib.mkDefault true;
|
||||||
|
# networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
|
||||||
|
# networking.interfaces.enp2s0.useDHCP = lib.mkDefault true;
|
||||||
|
# networking.interfaces.enp3s0.useDHCP = lib.mkDefault true;
|
||||||
|
# networking.interfaces.enp4s0.useDHCP = lib.mkDefault true;
|
||||||
|
# networking.interfaces.enp4s0d1.useDHCP = lib.mkDefault true;
|
||||||
|
|
||||||
|
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||||
|
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
||||||
|
}
|
4
machines/roam01/secrets/secrets.nix
Normal file
4
machines/roam01/secrets/secrets.nix
Normal file
|
@ -0,0 +1,4 @@
|
||||||
|
(import ../../../keys).mkSecrets [ "roam01" ] [
|
||||||
|
# List of secrets for router02
|
||||||
|
"systemd-network-wg_key"
|
||||||
|
]
|
39
machines/roam01/secrets/systemd-network-wg_key
Normal file
39
machines/roam01/secrets/systemd-network-wg_key
Normal file
|
@ -0,0 +1,39 @@
|
||||||
|
age-encryption.org/v1
|
||||||
|
-> ssh-ed25519 jIXfPA eITDLS0bZ9nCNbcpXN2S2JK6+gy0V9Ix5anuz1DXpi8
|
||||||
|
h/3wu702P2+Mnrsh5EimLoLY6XPiyTvjytjVr2nVPU0
|
||||||
|
-> ssh-ed25519 QlRB9Q atT+Cb4dk/jH7uhQ7b8Qu1E4tFcrm7mUzqhwlvciCng
|
||||||
|
eZvsq5OsW7cxf4EmE7L4KhzmiCRhV72ILT5mOg3D7GY
|
||||||
|
-> ssh-ed25519 r+nK/Q RfAubzTOifMb9Pukkwkh7iUgOLxmIxkPCBhZqzohHA4
|
||||||
|
0rdpQrp7iSRjGCsi7EjOcuCx2YXXscJxIYv0vfpV9hw
|
||||||
|
-> ssh-rsa krWCLQ
|
||||||
|
tBs7XiMvJdAqbtZTaDxgyLrHxyUjgKU4amTtPdVxRUuqm4uSoxoHJj7N6NGBPhW4
|
||||||
|
ODB8ft5OoAwjtP/D12pNUn3fsIuo7DJGc57Dt74f0ge+MWTVI/tEC8I8EVOVYIpv
|
||||||
|
Udc1kW8n2CCdkAulSrvlfLQPuVFUcOYWGTvEVE05gPRoJ7NiXR9CW2ByyRjD12Fj
|
||||||
|
W+8c/H0/h8CmWGRFMZG+xlt9DmYNegz2TCKyTJPtWHRT6sYCqct13GQP/C8s8fJv
|
||||||
|
ZQjIUcF91EBTr6Gc0fGEYFmKQckOkEeAG3P92YuK9NLyHw5xHl9M+gFZlYsQ91kg
|
||||||
|
/uVW29GmK7qoyxpUP0GamA
|
||||||
|
-> ssh-ed25519 /vwQcQ 0y6bP+6t8EhcHs7ap/FmCDWxQLCkDF5KyeXlGZln9Qc
|
||||||
|
9xpybiFqQTxJ8Po0044HRhoBlmcFzqeXMG3IrZzKOdI
|
||||||
|
-> ssh-ed25519 0R97PA 1pn+9GwTf+AHsSCqI+xe0blM/6qJUgCgjCF3mlEV4k0
|
||||||
|
W278+7Qc5/QyALiy1Gt8WKqCw+MX4Ko0VLV+p1KoSjA
|
||||||
|
-> ssh-ed25519 JGx7Ng hrWsXtVn1DNQ86woVee66ljaMpgBBoJmHdS7qyESbz0
|
||||||
|
dRPPTNmGYFZ+VR9gPhfD5wutqIuJXXEtoMapnAShrHE
|
||||||
|
-> ssh-ed25519 bUjjig RzQTuUiEmKd9VqYMKz3cbaU7v4OncTK8N1VA+4M851w
|
||||||
|
49tmBO+NwrGfNyDwcyuk+7DFqK0yYfZoJ98qeYg0yBY
|
||||||
|
-> ssh-ed25519 5SY7Kg 9icmp/ZQKCNxep3mnqbJs3pfjaunJwpK9OP5PhXSvE4
|
||||||
|
Yx6OjFMMwg+MRsHSlg8DjBDF5jumxJcweaWPsy0TCNU
|
||||||
|
-> ssh-ed25519 p/Mg4Q yhvaDm7yq75qq2Sb5wmXqunG5sHoamAi0r/kBOFHJjw
|
||||||
|
ZnmJd4au4dGscs7HdW1TqqLjqniRT3EhivgllyuGp5s
|
||||||
|
-> ssh-ed25519 5rrg4g oQn9sbjixiuN02aDo/v4n6JWTT4MPbYVwni0OW04NFk
|
||||||
|
hhYoASjz7CPqNXwGCOydrzadudrvncUsv318zFFUB0A
|
||||||
|
-> ssh-ed25519 oRtTqQ holCshSmzD+N5BYaUOv00WZlFn0UOLTikddFPZpCw1o
|
||||||
|
XdPjWqs7UqmA4ZLbgNAlDuHcdEGeeGCryBLE0jUtRbM
|
||||||
|
-> ssh-ed25519 F2C+8w h7ncoDRcnH+pVcRAP5au111c47oRjg4ISn93qK912zk
|
||||||
|
7sisrDx+avRb9HE2WvYkgSErsvNMqsc+UESmRKt7xz8
|
||||||
|
-> ssh-ed25519 PMC4Bw oyKwRE22OV8RupaRKV6MgdL9sYK12NvhRDseQwo2MWE
|
||||||
|
oQOX7qy2Lo6eqmOBqgCjssu5mrd85NQDwmOdzIrj7yg
|
||||||
|
-> :1G-grease
|
||||||
|
krZ6nazBc8pS3EHxhcidv4uBigiek7jhODqwOoFQa3+31acCrziN8elOxd6gEa7B
|
||||||
|
a/xpMlN0
|
||||||
|
--- BZD889tFoBkFafKWHk0vfNhpP+YtdcU+wpmm0d9RV+Q
|
||||||
|
Ç„yz¥5Y7ùY}‡ˆ"·Q{±sy;âÇ“˜dÛü°”PX4¹Ï›Ã×c½Š1AÕv©ýJ›î<ž^fÁ¯ƒñv3U%eó]–P
|
58
machines/roam01/wireguard.nix
Normal file
58
machines/roam01/wireguard.nix
Normal file
|
@ -0,0 +1,58 @@
|
||||||
|
{
|
||||||
|
config,
|
||||||
|
lib,
|
||||||
|
dgn-keys,
|
||||||
|
name,
|
||||||
|
...
|
||||||
|
}:
|
||||||
|
let
|
||||||
|
mkPeer =
|
||||||
|
prefix: peerName:
|
||||||
|
let
|
||||||
|
peer = dgn-keys.getVpnKey "wg-mgmt" peerName;
|
||||||
|
in
|
||||||
|
{
|
||||||
|
Endpoint = "129.199.146.230:1194";
|
||||||
|
PersistentKeepalive = 25;
|
||||||
|
AllowedIPs = [
|
||||||
|
"fdaa::${prefix}:0/64"
|
||||||
|
];
|
||||||
|
PublicKey = peer.key;
|
||||||
|
};
|
||||||
|
in
|
||||||
|
|
||||||
|
{
|
||||||
|
age-secrets.autoMatch = [ "systemd-network" ];
|
||||||
|
networking.firewall.trustedInterfaces = [ "wg0" ];
|
||||||
|
systemd.network = {
|
||||||
|
networks = {
|
||||||
|
"50-wg-mgmt" = {
|
||||||
|
name = "wg-mgmt";
|
||||||
|
address = [
|
||||||
|
"fdaa::${lib.toHexString (dgn-keys.getVpnKey "wg-mgmt" name).id}/64"
|
||||||
|
];
|
||||||
|
routes = [
|
||||||
|
{
|
||||||
|
Destination = "fdaa::/64";
|
||||||
|
Scope = "link";
|
||||||
|
}
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
netdevs = {
|
||||||
|
"50-wg-mgmt" = {
|
||||||
|
netdevConfig = {
|
||||||
|
Name = "wg-mgmt";
|
||||||
|
Kind = "wireguard";
|
||||||
|
};
|
||||||
|
wireguardConfig = {
|
||||||
|
ListenPort = 1194;
|
||||||
|
PrivateKeyFile = config.age.secrets."systemd-network-wg_key".path;
|
||||||
|
};
|
||||||
|
|
||||||
|
wireguardPeers = builtins.map (mkPeer "0") [ "router02" ];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
networking.firewall.allowedUDPPorts = [ 1194 ];
|
||||||
|
}
|
|
@ -8,6 +8,7 @@ lib.extra.mkConfig {
|
||||||
enabledServices = [
|
enabledServices = [
|
||||||
# List of services to enable
|
# List of services to enable
|
||||||
"networking"
|
"networking"
|
||||||
|
"wireguard"
|
||||||
];
|
];
|
||||||
|
|
||||||
extraConfig = { };
|
extraConfig = { };
|
||||||
|
|
39
machines/router02/secrets/systemd-network-wg_key
Normal file
39
machines/router02/secrets/systemd-network-wg_key
Normal file
|
@ -0,0 +1,39 @@
|
||||||
|
age-encryption.org/v1
|
||||||
|
-> ssh-ed25519 jIXfPA 6v2v03EntXNNOnWAuZEcLybn6iWI+LB0kA/AbzszgQs
|
||||||
|
aqtydlqLgpfvC9rz0x0MshF+RfYJSpQaah5moS3CsGY
|
||||||
|
-> ssh-ed25519 QlRB9Q 8SqWmf7skeFnmT1HU43V7PwaqYl/hHTifx70qr05Y3c
|
||||||
|
W/b0CABozdoiSXWokOs+ChRL2pKCjL/b3kZHsBLBemw
|
||||||
|
-> ssh-ed25519 r+nK/Q TwRRJzM7q81lTdiMwINKYs5RqUaKR9odwTj0CaAUOFU
|
||||||
|
mYvyP/UeLFDgXFAUkCfZRNuRTJBL5t01nQ5a3U9BVrc
|
||||||
|
-> ssh-rsa krWCLQ
|
||||||
|
ssWV1ySMEEZJEsNUjss0U+rLVLYVLlPovyeqv3dWgRdbojFOboXZh7yo07KHOuu8
|
||||||
|
N3QU64Iy1B8VOoPPhkfRURJjsjEEt/48gwMm9Ff9lmF/rxuw8KOPlGgAF+HwGK0z
|
||||||
|
Y2gTJkehFuuBN70jsPpCGqlEpmbwLfw1BbYp8zYEq6OKXkhZjIWVEwfa3Ahiw0Z7
|
||||||
|
3VTC/9GVhpPu/s532TxYNsTZj6nBSp22jc8AZZvOxbPrV5Qk8yLb3JMfXBWn3bJv
|
||||||
|
N4A1x+ibCI6bnl+gYzmVjiquMuo8CMR1t+KAp6nNfv1dZT5UDBYKswYQ1AhQi7jh
|
||||||
|
KzBK3vInE18L3qWPxt4Zdw
|
||||||
|
-> ssh-ed25519 /vwQcQ YilslLDdIPQRNOr/ZA+WreHP5PNBiy/f6xz2UImsEQA
|
||||||
|
gjH2VsGYM/bJu+X5vwF1y+r0+pDC7EOjesuawUw5WAo
|
||||||
|
-> ssh-ed25519 0R97PA qFqvdP6/zg+/ruLrNmmFdi0ED43LVNtrfFISTVMLimA
|
||||||
|
YQyo/5tyH2JMPWiqV0bxWhMWVpyjcaQc9nr1WPUMygc
|
||||||
|
-> ssh-ed25519 JGx7Ng /SvvUDt/rDTaFOqaxL+d49pNyx7Wvkl0FMr36RIsxgQ
|
||||||
|
pF191qRavD24LSw2JHKpVKFGK281UitMTcLDV7Zw87M
|
||||||
|
-> ssh-ed25519 bUjjig +o1W/J1qFW96kC5SCz5azW4ar/bGglWOIST/VEBl0k8
|
||||||
|
mHPgOqZN5eLw5AG47TIXccckR1qhhr6Ix08l3CY2NF4
|
||||||
|
-> ssh-ed25519 5SY7Kg 53VjPE/xjun7Q1fKUaRKoEw1p5ble9fiunb/hX8sSns
|
||||||
|
5ro90MKLPz2rqdHghVBbrKXiRHHUEeRKkB+RZwxX1Ls
|
||||||
|
-> ssh-ed25519 p/Mg4Q tLc6UNchEe2AR/91gGauHIhD84UfKbIgS5MR77dhxhw
|
||||||
|
Q5/8BbmXj9wTv0oHr73Au3gNgMDPxT1btyRFhVZ+My8
|
||||||
|
-> ssh-ed25519 5rrg4g WVq0dsHIxZffMqbAgdtBoMZDpzWI2eSc/gYuohn2JHc
|
||||||
|
CXBXkFLl8ljpBZK3emGaj5D0lb07KfCBeHPLc0AuCFA
|
||||||
|
-> ssh-ed25519 oRtTqQ Zq/GevKIc0qaGd0jXWpkd88BxA6yPonFzvxqxtylCiw
|
||||||
|
KO0avMpoF1ICg+17xvsmBLGsZ4FVorjkcMl/adT2/IU
|
||||||
|
-> ssh-ed25519 F2C+8w b9E1FgolbSv9cbAKTwSUnUhcilOFC3mkX8zEgeYwJxs
|
||||||
|
vqh2UldeQQTkDuiRxrT8+Xxdpt2s16X+14J57rpZVKM
|
||||||
|
-> ssh-ed25519 Dk/ltw 9zNl1I2J0A99y6G2M4JHhUVgn/9xcCaDz+I1NQxJewg
|
||||||
|
GFQp+hYM9dyICmI5UmdnNftq7g3QyNH3MlkAoag8YtQ
|
||||||
|
-> jn$!zr-grease w#SDYrYf
|
||||||
|
tNm7A1/g1RMy3lwzsibb/VhsMojufa8iCJCfZ5PG13ikyKab/8GY2oBO282yzcGJ
|
||||||
|
NLDaG5WbIbese3Rxi+rC0ucRZYWlx/w
|
||||||
|
--- 8tELVgxGaIQsgC4NrrRbSh8Y8p+d8sQLG6pWZrc4b3o
|
||||||
|
<16>kÜèŽuûEõ¬4>7>«p<C2AB>KøÎH¶ê$8MÞŸ@¢’¢û„<C3BB>°º
fñ`ÿ°XÍÚLi½:”öû³&wè>
4€•,#q¿h™4
|
|
@ -1,13 +1,33 @@
|
||||||
{ config, ... }:
|
|
||||||
{
|
{
|
||||||
config.age-secrets.autoMatch = [ "systemd-network" ];
|
config,
|
||||||
|
lib,
|
||||||
|
dgn-keys,
|
||||||
|
name,
|
||||||
|
...
|
||||||
|
}:
|
||||||
|
let
|
||||||
|
mkPeer =
|
||||||
|
prefix: peerName:
|
||||||
|
let
|
||||||
|
peer = dgn-keys.getVpnKey "wg-mgmt" peerName;
|
||||||
|
in
|
||||||
|
{
|
||||||
|
AllowedIPs = [
|
||||||
|
"fdaa::${prefix}:${lib.toHexString peer.id}/32"
|
||||||
|
];
|
||||||
|
PublicKey = peer.key;
|
||||||
|
};
|
||||||
|
in
|
||||||
|
|
||||||
|
{
|
||||||
|
age-secrets.autoMatch = [ "systemd-network" ];
|
||||||
networking.firewall.trustedInterfaces = [ "wg0" ];
|
networking.firewall.trustedInterfaces = [ "wg0" ];
|
||||||
systemd.network = {
|
systemd.network = {
|
||||||
networks = {
|
networks = {
|
||||||
"50-wg-mgmt" = {
|
"50-wg-mgmt" = {
|
||||||
name = "wg-mgmt";
|
name = "wg-mgmt";
|
||||||
address = [
|
address = [
|
||||||
"fdaa::1/64"
|
"fdaa::${lib.toHexString (dgn-keys.getVpnKey "wg-mgmt" name).id}/64"
|
||||||
];
|
];
|
||||||
routes = [
|
routes = [
|
||||||
{
|
{
|
||||||
|
@ -28,17 +48,14 @@
|
||||||
PrivateKeyFile = config.age.secrets."systemd-network-wg_key".path;
|
PrivateKeyFile = config.age.secrets."systemd-network-wg_key".path;
|
||||||
};
|
};
|
||||||
|
|
||||||
wireguardPeers = [
|
wireguardPeers =
|
||||||
{
|
builtins.map (mkPeer "1") [
|
||||||
AllowedIPs = [
|
"mdebray"
|
||||||
"fdaa::2/64"
|
"catvayor"
|
||||||
];
|
]
|
||||||
PublicKey = "h4Nf+e4JIjqOMuM5JtLN298BF/fym9fWKGtRZmS5MVA=";
|
++ builtins.map (mkPeer "0") [ "roam01" ];
|
||||||
}
|
|
||||||
];
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
networking.firewall.allowedUDPPorts = [ 1194 ];
|
networking.firewall.allowedUDPPorts = [ 1194 ];
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -117,6 +117,13 @@ in
|
||||||
|
|
||||||
addresses.ipv4 = [ "129.199.146.230" ];
|
addresses.ipv4 = [ "129.199.146.230" ];
|
||||||
|
|
||||||
|
vpnKeys = {
|
||||||
|
wg-mgmt = {
|
||||||
|
id = 1;
|
||||||
|
key = "PN8/zo1Clue7jAnkvaUOg1ZdmcXmcTb6kIRpu5cplHs=";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
hostId = "144d0f7a";
|
hostId = "144d0f7a";
|
||||||
};
|
};
|
||||||
photo01 = {
|
photo01 = {
|
||||||
|
@ -143,5 +150,17 @@ in
|
||||||
|
|
||||||
hostId = "7ce86f3d";
|
hostId = "7ce86f3d";
|
||||||
};
|
};
|
||||||
|
roam01 = {
|
||||||
|
interfaces = { };
|
||||||
|
|
||||||
|
vpnKeys = {
|
||||||
|
wg-mgmt = {
|
||||||
|
id = 2;
|
||||||
|
key = "Yg1GwHbJ7kwNbnjxI+5LtgDvzMPMiOm3EgI/saLI7FU=";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
hostId = "999dc679";
|
||||||
|
};
|
||||||
}
|
}
|
||||||
// mkRoutexp (import ./routexp.nix)
|
// mkRoutexp (import ./routexp.nix)
|
||||||
|
|
|
@ -102,7 +102,7 @@ in
|
||||||
|
|
||||||
hashedPassword = "$y$j9T$5OchePm5POsgveGLY/bKy/$9XkkZq9aBycg.YImEzFSiYRbAfBO0A4G7qMGIF/WEo9";
|
hashedPassword = "$y$j9T$5OchePm5POsgveGLY/bKy/$9XkkZq9aBycg.YImEzFSiYRbAfBO0A4G7qMGIF/WEo9";
|
||||||
|
|
||||||
deployment.targetHost = "129.199.146.37";
|
deployment.targetHost = "129.199.146.39";
|
||||||
|
|
||||||
stateVersion = "24.11";
|
stateVersion = "24.11";
|
||||||
nixpkgs = "unstable";
|
nixpkgs = "unstable";
|
||||||
|
|
142
meta/options.nix
142
meta/options.nix
|
@ -14,11 +14,14 @@ let
|
||||||
ints
|
ints
|
||||||
listOf
|
listOf
|
||||||
nullOr
|
nullOr
|
||||||
|
singleLineStr
|
||||||
str
|
str
|
||||||
submodule
|
submodule
|
||||||
unspecified
|
unspecified
|
||||||
;
|
;
|
||||||
|
|
||||||
|
inherit (ints) positive;
|
||||||
|
|
||||||
addressType =
|
addressType =
|
||||||
max:
|
max:
|
||||||
submodule {
|
submodule {
|
||||||
|
@ -34,6 +37,22 @@ let
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
vpnKeyType = submodule {
|
||||||
|
options = {
|
||||||
|
id = mkOption {
|
||||||
|
type = positive;
|
||||||
|
description = ''
|
||||||
|
Unique ID that will be used to guess IP address
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
key = mkOption {
|
||||||
|
type = str;
|
||||||
|
description = ''
|
||||||
|
Public key of the user for this VPN
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
org = config.organization;
|
org = config.organization;
|
||||||
in
|
in
|
||||||
|
|
||||||
|
@ -41,23 +60,55 @@ in
|
||||||
options = {
|
options = {
|
||||||
organization = {
|
organization = {
|
||||||
members = mkOption {
|
members = mkOption {
|
||||||
type = attrsOf (submodule {
|
type = attrsOf (
|
||||||
options = {
|
submodule (
|
||||||
name = mkOption {
|
{ name, ... }:
|
||||||
type = str;
|
{
|
||||||
description = ''
|
options = {
|
||||||
Name of the member.
|
name = mkOption {
|
||||||
'';
|
type = str;
|
||||||
};
|
description = ''
|
||||||
|
Name of the member.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
email = mkOption {
|
email = mkOption {
|
||||||
type = str;
|
type = str;
|
||||||
description = ''
|
description = ''
|
||||||
Main e-mail address of the member.
|
Main e-mail address of the member.
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
};
|
|
||||||
});
|
username = mkOption {
|
||||||
|
type = str;
|
||||||
|
default = name;
|
||||||
|
description = ''
|
||||||
|
The username used for authentication.
|
||||||
|
WARNING: Must be the same as the ens login!
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
sshKeys = lib.mkOption {
|
||||||
|
type = listOf singleLineStr;
|
||||||
|
description = ''
|
||||||
|
A list of verbatim OpenSSH public keys that should be added to the
|
||||||
|
user's authorized keys.
|
||||||
|
'';
|
||||||
|
example = [
|
||||||
|
"ssh-rsa AAAAB3NzaC1yc2etc/etc/etcjwrsh8e596z6J0l7 example@host"
|
||||||
|
"ssh-ed25519 AAAAC3NzaCetcetera/etceteraJZMfk3QPfQ foo@bar"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
vpnKeys = mkOption {
|
||||||
|
type = attrsOf vpnKeyType;
|
||||||
|
default = { };
|
||||||
|
description = "Attribute sets to define vpn keys of the user";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
||||||
|
)
|
||||||
|
);
|
||||||
|
|
||||||
description = ''
|
description = ''
|
||||||
Members of the DGNum organization.
|
Members of the DGNum organization.
|
||||||
|
@ -70,6 +121,39 @@ in
|
||||||
Groups of the DGNum organization.
|
Groups of the DGNum organization.
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
external = mkOption {
|
||||||
|
type = attrsOf (listOf str);
|
||||||
|
description = ''
|
||||||
|
External services used by the DGNum organization.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
services = mkOption {
|
||||||
|
type = attrsOf (submodule {
|
||||||
|
options = {
|
||||||
|
admins = mkOption {
|
||||||
|
type = listOf str;
|
||||||
|
default = [ ];
|
||||||
|
description = ''
|
||||||
|
List of administrators of the service.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
adminGroups = mkOption {
|
||||||
|
type = listOf str;
|
||||||
|
default = [ ];
|
||||||
|
description = ''
|
||||||
|
List of administrator groups of the service.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
});
|
||||||
|
description = ''
|
||||||
|
Administrator access of the different DGNum services,
|
||||||
|
it is mainly indicative as most services cannot configure this statically.
|
||||||
|
'';
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
nodes = mkOption {
|
nodes = mkOption {
|
||||||
|
@ -256,6 +340,13 @@ in
|
||||||
IP address of the node in the netbird network.
|
IP address of the node in the netbird network.
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
vpnKeys = mkOption {
|
||||||
|
type = attrsOf vpnKeyType;
|
||||||
|
default = { };
|
||||||
|
description = "Attribute sets to define vpn keys of the machine";
|
||||||
|
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
config =
|
config =
|
||||||
|
@ -327,11 +418,20 @@ in
|
||||||
extract "adminGroups" config.nodes
|
extract "adminGroups" config.nodes
|
||||||
))
|
))
|
||||||
|
|
||||||
# Check that all members have ssh keys
|
# Check that all services admins exist
|
||||||
(builtins.map (name: {
|
(membersExists (name: "A member of the service ${name} admins was not found in the members list.") (
|
||||||
assertion = ((import ../keys)._keys.${name} or [ ]) != [ ];
|
extract "admins" org.services
|
||||||
message = "No ssh keys found for ${name}.";
|
))
|
||||||
}) members)
|
|
||||||
|
# Check that all services adminGroups exist
|
||||||
|
(groupsExists (
|
||||||
|
name: "A member of the service ${name} adminGroups was not found in the groups list."
|
||||||
|
) (extract "adminGroups" org.services))
|
||||||
|
|
||||||
|
# Check that all external services admins exist
|
||||||
|
(membersExists (
|
||||||
|
name: "A member of the external service ${name} admins was not found in the members list."
|
||||||
|
) org.external)
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -5,44 +5,104 @@
|
||||||
|
|
||||||
{
|
{
|
||||||
members = {
|
members = {
|
||||||
|
agroudiev = {
|
||||||
|
name = "Antoine Groudiev";
|
||||||
|
email = "antoine.groudiev@dgnum.eu";
|
||||||
|
sshKeys = [
|
||||||
|
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDgyt3ntpcoI/I2n97R1hzjBiNL6R98S73fSi7pkSE/8mQbI8r9GzsPUBcxQ+tIg0FgwkLxTwF8DwLf0E+Le/rPznxBS5LUQaAktSQSrxz/IIID1+jN8b03vf5PjfKS8H2Tu3Q8jZXa8HNsj3cpySpGMqGrE3ieUmknd/YfppRRf+wM4CsGKZeS3ZhB9oZi3Jn22A0U/17AOJTnv4seq+mRZWRQt3pvQvpp8/2M7kEqizie/gTr/DnwxUr45wisqYYH4tat9Cw6iDr7LK10VCrK37BfFagMIZ08Hkh3c46jghjYNQWe+mBUWJByWYhTJ0AtYrbaYeUV1HVYbsRJ6bNx25K6794QQPaE/vc2Z/VK/ILgvJ+9myFSAWVylCWdyYpwUu07RH/jDBl2aqH62ESwAG7SDUUcte6h9N+EryAQLWc8OhsGAYLpshhBpiqZwzX90m+nkbhx1SqMbtt6TS+RPDEHKFYn8E6FBrf1FK34482ndq/hHXZ88mqzGb1nOnM="
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
catvayor = {
|
catvayor = {
|
||||||
name = "Lubin Bailly";
|
name = "Lubin Bailly";
|
||||||
email = "catvayor@dgnum.eu";
|
email = "catvayor@dgnum.eu";
|
||||||
|
username = "lbailly";
|
||||||
|
sshKeys = [
|
||||||
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAA16foz+XzwKwyIR4wFgNIAE3Y7AfXyEsUZFVVz8Rie catvayor@katvayor"
|
||||||
|
];
|
||||||
|
vpnKeys = {
|
||||||
|
wg-mgmt = {
|
||||||
|
id = 1;
|
||||||
|
key = "zIHvCSzk5a94jvnXU4iscbp9RUGzbWpARDMRgHNtMl4=";
|
||||||
|
};
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
cst1 = {
|
cst1 = {
|
||||||
name = "Constantin Gierczak--Galle";
|
name = "Constantin Gierczak--Galle";
|
||||||
email = "cst1@dgnum.eu";
|
email = "cst1@dgnum.eu";
|
||||||
|
username = "cgierczakgalle";
|
||||||
|
sshKeys = [
|
||||||
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKrijwPlb7KQkYPLznMPVzPPT69cLzhEsJzZi9tmxzTh cst1@x270"
|
||||||
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
ecoppens = {
|
ecoppens = {
|
||||||
name = "Elias Coppens";
|
name = "Elias Coppens";
|
||||||
email = "ecoppens@dgnum.eu";
|
email = "ecoppens@dgnum.eu";
|
||||||
|
sshKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIGmU7yEOCGuGNt4PlQbzd0Cms1RePpo8yEA7Ij/+TdA" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
jemagius = {
|
jemagius = {
|
||||||
name = "Jean-Marc Gailis";
|
name = "Jean-Marc Gailis";
|
||||||
email = "jm@dgnum.eu";
|
email = "jm@dgnum.eu";
|
||||||
|
username = "jgailis";
|
||||||
|
sshKeys = [
|
||||||
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOoxmou5OU74GgpIUkhVt6GiB+O9Jy4ge0TwK5MDFJ2F"
|
||||||
|
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCxQX0JLRah3GfIOkua4ZhEJhp5Ykv55RO0SPrSUwCBs5arnALg8gq12YLr09t4bzW/NA9/jn7flhh4S54l4RwBUhmV4JSQhGu71KGhfOj5ZBkDoSyYqzbu206DfZP5eQonSmjfP6XghcWOr/jlBzw9YAAQkFxsQgXEkr4kdn0ZXfZGz6b0t3YUjYIuDNbptFsGz2V9iQVy1vnxrjnLSfc25j4et8z729Vpy4M7oCaE6a6hgon4V1jhVbg43NAE5gu2eYFAPIzO3E7ZI8WjyLu1wtOBClk1f+HMen3Tr+SX2PXmpPGb+I2fAkbzu/C4X/M3+2bL1dYjxuvQhvvpAjxFwmdoXW4gWJ3J/FRiFrKsiAY0rYC+yi8SfacJWCv4EEcV/yQ4gYwpmU9xImLaro6w5cOHGCqrzYqjZc4Wi6AWFGeBSNzNs9PXLgMRWeUyiIDOFnSep2ebZeVjTB16m+o/YDEhE10uX9kCCx3Dy/41iJ1ps7V4JWGFsr0Fqaz8mu8="
|
||||||
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
luj = {
|
luj = {
|
||||||
name = "Julien Malka";
|
name = "Julien Malka";
|
||||||
email = "luj@dgnum.eu";
|
email = "luj@dgnum.eu";
|
||||||
|
username = "jmalka";
|
||||||
|
sshKeys = [
|
||||||
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDMBW7rTtfZL9wtrpCVgariKdpN60/VeAzXkh9w3MwbO julien@enigma"
|
||||||
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGa+7n7kNzb86pTqaMn554KiPrkHRGeTJ0asY1NjSbpr julien@tower"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
mboyer = {
|
||||||
|
name = "Matthieu Boyer";
|
||||||
|
email = "matthieu.boyer@dgnum.eu";
|
||||||
|
username = "mboyer02";
|
||||||
|
sshKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGYnwZaFYvUxtJeNvpaA20rLfq8fOO4dFp7cIXsD8YNx" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
mdebray = {
|
mdebray = {
|
||||||
name = "Maurice Debray";
|
name = "Maurice Debray";
|
||||||
email = "maurice.debray@dgnum.eu";
|
email = "maurice.debray@dgnum.eu";
|
||||||
|
sshKeys = [
|
||||||
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEpwF+XD3HgX64kqD42pcEZRNYAWoO4YNiOm5KO4tH6o maurice@polaris"
|
||||||
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFdDnSl3cyWil+S5JiyGqOvBR3wVh+lduw58S5WvraoL maurice@fekda"
|
||||||
|
];
|
||||||
|
vpnKeys = {
|
||||||
|
wg-mgmt = {
|
||||||
|
id = 2;
|
||||||
|
key = "+nTxD4ZAzk+9LHGwEfK0t2cMQf0ognBYmhybNbCzW38=";
|
||||||
|
};
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
raito = {
|
raito = {
|
||||||
name = "Ryan Lahfa";
|
name = "Ryan Lahfa";
|
||||||
email = "ryan@dgnum.eu";
|
email = "ryan@dgnum.eu";
|
||||||
|
username = "rlahfa";
|
||||||
|
sshKeys = [
|
||||||
|
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD"
|
||||||
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr"
|
||||||
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiXXYkhRh+s7ixZ8rvG8ntIqd6FELQ9hh7HoaHQJRPU"
|
||||||
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
thubrecht = {
|
thubrecht = {
|
||||||
name = "Tom Hubrecht";
|
name = "Tom Hubrecht";
|
||||||
email = "tom.hubrecht@dgnum.eu";
|
email = "tom.hubrecht@dgnum.eu";
|
||||||
|
sshKeys = [
|
||||||
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL+EZXYziiaynJX99EW8KesnmRTZMof3BoIs3mdEl8L3"
|
||||||
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHL4M4HKjs4cjRAYRk9pmmI8U0R4+T/jQh6Fxp/i1Eoy"
|
||||||
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPM1jpXR7BWQa7Sed7ii3SbvIPRRlKb3G91qC0vOwfJn"
|
||||||
|
];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue