org: deploy ipv6 and vpn
This commit is contained in:
parent
dd370bdebb
commit
d52f45442e
7 changed files with 103 additions and 2 deletions
|
@ -1,8 +1,21 @@
|
||||||
{ pkgs, ... }:
|
{ pkgs, ... }:
|
||||||
{
|
{
|
||||||
|
imports = [
|
||||||
|
./wireguard.nix
|
||||||
|
];
|
||||||
networking.useDHCP = false;
|
networking.useDHCP = false;
|
||||||
systemd.network = {
|
systemd.network = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
netdevs."10-sit-he" = {
|
||||||
|
netdevConfig = {
|
||||||
|
Kind = "sit";
|
||||||
|
Name = "sit-he";
|
||||||
|
};
|
||||||
|
tunnelConfig = {
|
||||||
|
Local = "129.199.129.76";
|
||||||
|
Remote = "216.66.84.42";
|
||||||
|
};
|
||||||
|
};
|
||||||
networks = {
|
networks = {
|
||||||
"10-uplink" = {
|
"10-uplink" = {
|
||||||
name = "eth0";
|
name = "eth0";
|
||||||
|
@ -12,6 +25,15 @@
|
||||||
];
|
];
|
||||||
networkConfig = {
|
networkConfig = {
|
||||||
Gateway = "129.199.129.1";
|
Gateway = "129.199.129.1";
|
||||||
|
Tunnel = [ "sit-he" ];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
"10-tun-he" = {
|
||||||
|
matchConfig.Name = "sit-he";
|
||||||
|
networkConfig = {
|
||||||
|
Gateway = [ "2001:470:1f12:d21::1" ];
|
||||||
|
Description = "HE.NET IPv6 Tunnel (owned by maurice)";
|
||||||
|
Address = [ "2001:470:1f12:d21::2/64" ];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
|
@ -1,5 +1,4 @@
|
||||||
{ ... }: {
|
{ ... }: {
|
||||||
imports = [ <agenix/modules/age.nix> ];
|
|
||||||
age.secrets."django" = {
|
age.secrets."django" = {
|
||||||
file = ./django.age;
|
file = ./django.age;
|
||||||
owner = "django-hackens_orga";
|
owner = "django-hackens_orga";
|
||||||
|
@ -8,4 +7,7 @@
|
||||||
file = ./matterbridge-env.age;
|
file = ./matterbridge-env.age;
|
||||||
owner = "matterbridge";
|
owner = "matterbridge";
|
||||||
};
|
};
|
||||||
|
age.secrets."wg-key" = {
|
||||||
|
file = ./wg-key.age;
|
||||||
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -2,7 +2,7 @@ let
|
||||||
lib = (import <nixpkgs> { }).lib;
|
lib = (import <nixpkgs> { }).lib;
|
||||||
readpubkeys = user:
|
readpubkeys = user:
|
||||||
builtins.filter (k: k != "")
|
builtins.filter (k: k != "")
|
||||||
(lib.splitString "\n" (builtins.readFile (../pubkeys + "/${user}.keys")));
|
(lib.splitString "\n" (builtins.readFile (../../../pubkeys + "/${user}.keys")));
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
"matterbridge-env.age".publicKeys = (readpubkeys "sinavir")
|
"matterbridge-env.age".publicKeys = (readpubkeys "sinavir")
|
||||||
|
@ -11,4 +11,7 @@ in
|
||||||
"django.age".publicKeys = (readpubkeys "sinavir")
|
"django.age".publicKeys = (readpubkeys "sinavir")
|
||||||
++ (readpubkeys "hackens-host") ++ (readpubkeys "raito")
|
++ (readpubkeys "hackens-host") ++ (readpubkeys "raito")
|
||||||
++ (readpubkeys "gdd") ++ (readpubkeys "backslash");
|
++ (readpubkeys "gdd") ++ (readpubkeys "backslash");
|
||||||
|
"wg-key.age".publicKeys = (readpubkeys "sinavir")
|
||||||
|
++ (readpubkeys "hackens-host") ++ (readpubkeys "raito")
|
||||||
|
++ (readpubkeys "gdd") ++ (readpubkeys "backslash");
|
||||||
}
|
}
|
||||||
|
|
31
machines/hackens-org/secrets/wg-key.age
Normal file
31
machines/hackens-org/secrets/wg-key.age
Normal file
|
@ -0,0 +1,31 @@
|
||||||
|
age-encryption.org/v1
|
||||||
|
-> ssh-ed25519 JGx7Ng JuynqiiXmLBIlGc6o6HEwsFS8FLiFo86iTWr3kpxEQ0
|
||||||
|
KjFX3rP7RjvXK42+8qiyRfITDppi7jg9+WPt2afsCuo
|
||||||
|
-> ssh-ed25519 kXobKQ 8jEmn9hh3I2JeE+l8EZ9npJPGDXr6QcZvtsJhjrmpXE
|
||||||
|
69W+pHMdgmBOhLw8Hnp+l/IZLvzFtqatYoEKn3nqiSo
|
||||||
|
-> ssh-ed25519 7hZk0g XSZkyOjMqXtVthQTj8KmDCgM6+ilpktgk8ha1wu/23U
|
||||||
|
N0IUwdftKBzma5EXfUyswn/RT6RWoXo8hOYH451H2Lg
|
||||||
|
-> ssh-rsa krWCLQ
|
||||||
|
JwqNEu6Xr9fwov++Ct/8Jfxaz6Z2F0KpxqJHTZ6PLt5weOVul83AdINfIzq7dJUo
|
||||||
|
gR4KZJrwM27iY7aTHdbiImzmVSD0KPUeM0KoWjmLcU0xtLIXpoiBAEn0w9YXKTOF
|
||||||
|
n4wTvpNtXCMkgQPtAYsPOBIdIgQKdEm9Q877mtjHPDlyppn8y7U4z7S1zp71ugc5
|
||||||
|
B68HyMh1lzDWh43aqYOr5WIanscBjJNHRK1XqM0IhtuWg84cl0EsQ1wOKJxHwwJQ
|
||||||
|
vjHLoaBulqTxRentvi//4eRz+fKFZ1uJmeHlySlqSYKCN55QZgIFJHGxpSb8kEhl
|
||||||
|
CFqRx6v+uHeKhBK3yftSQA
|
||||||
|
-> ssh-ed25519 /vwQcQ ZfgSXru0ZABSLKkyAxdxM4cPs5A1wmNJVqK67UmfdH4
|
||||||
|
exrZlcFV0BZEnPrT+aRuCSyIKTS0Nbvdd7zWPqepQrc
|
||||||
|
-> ssh-ed25519 0R97PA VNBEjlLbNQixIXvrkyWVpQ3cWbKQW5XcLcI3Aniy93Y
|
||||||
|
WXt/rWJYI0mqELcS9+4t1y+cWXyvD4mSudoT/K0da1c
|
||||||
|
-> ssh-ed25519 cvTB5g 2FWQYQkoMxWf7lf6ZCgF5hL46fmR1zKAmDKw/qGtnjU
|
||||||
|
xwe9JcDzGLPW+jJwNkMssO21A/pr2baWoQUBYcO5pjk
|
||||||
|
-> ssh-ed25519 Wu8JLQ ukKMgxBbbHa9TBXo0PGKkk5K1zdQvrk2Qp6BRYguumo
|
||||||
|
l5k71S4x1VlLCm8BHadDrMMvvJ2927EkTtH8Hu1KNEE
|
||||||
|
-> ssh-ed25519 EIt1vA yEpFCXXu6iayLUQKj9vgiQGwuRgyduceks6LMFXRGmI
|
||||||
|
I4iGlWSVye16ZnwHYOfFWWbg6oLYmA1k9LcMyzWoBKA
|
||||||
|
-> ssh-ed25519 X51wxg 8vkI4rsB3ETq1zMpqkFUr0u6s1OerUjEN1wnz/onjX8
|
||||||
|
XvbOSMD58qI/yO03zwCg67R1H36AWM8MfT0FVFJnE34
|
||||||
|
-> DP.[|9G-grease 1H80A YV&\ uG'R";.
|
||||||
|
DtOW39f0bJ6uFAmxiXhmq3bpV5qnJ3TTb7BjCXND8LtgCj9HcyaOpt4HtNFqAZd9
|
||||||
|
5hPJeoyr6AMB6TYVAMIKoCfmq2zRe4ilDe3Q5TOL5A
|
||||||
|
--- yZCsgaQ3oxOkOyyP96+znN03pbyVfqc8ZP0S0x1JZc4
|
||||||
|
žbl3¹(Š“:¨¾uÚ®Ôº!Ô–$5í]AŽñ)§šß,VJØQC—·†;Qõ§Ô¦›ˆMtj.<2E>Àq*ˆüþN$²™¶š<C2B6>z
|
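--- a/machines/hackens-org/wireguard.nix
+++ b/machines/hackens-org/wireguard.nix
@@ -0,0 +1,40 @@
+{
+config,
+lib,
+pkgs,
+...
+}: {
+systemd.network = {
+enable = true;
+networks = {
+"50-wg0" = {
+name = "wg0";
+address = [
+"10.10.10.1/24"
+];
+routes = [{
+routeConfig = {
+Destination = "10.10.10.0/24";
+Scope = "link";
+};
+}];
+};
+};
+netdevs = {
+"50-wg0" = {
+netdevConfig = {
+Name = "wg0";
+Kind = "wireguard";
+};
+wireguardConfig = {
+ListenPort = 1194;
+PrivateKeyFile = config.age.secrets."wg-key".path;
+};
+
+wireguardPeers = [
+];
+};
+};
+};
+networking.firewall.allowedUDPPorts = [ 1194 ];
+}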
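Review bot: `PrivateKeyFile = config.age.secrets."wg-key".path;` points at a secret that the secrets hunk in this commit declares with only `file = ./wg-key.age;`, so it keeps agenix's default owner and mode (root-only, if the project has not changed the defaults), whereas systemd-networkd reads a WireGuard `PrivateKeyFile` as the `systemd-network` user and will fail to configure `wg0` rather than fall back. Declaring it as `age.secrets."wg-key" = { file = ./wg-key.age; group = "systemd-network"; mode = "0440"; };` keeps the key unreadable to other local users while letting networkd open it; this should be verified against the agenix defaults in use. Separately, `wireguardPeers = [ ];` leaves the interface without any peer while `networking.firewall.allowedUDPPorts = [ 1194 ];` already opens the listen port to the uplink; either defer the firewall line until a peer exists or add a comment such as `# no peers yet: wg0 listens but accepts no handshake until one is added` so the exposure is deliberate. The `routes` entry for `10.10.10.0/24` duplicates the on-link route that `address = [ "10.10.10.1/24" ]` already creates and could be dropped.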
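--- a/meta.nix
+++ b/meta.nix
@@ -10,12 +10,14 @@ let
 targetHost = null; #"milieu.cave.hackens.org";
 # targetPort = 4243;
 allowLocalDeployment = true;
+tags = [ "desktop" ];
 };
 imports = [agenix];
 };
 hackens-org = {
 deployment = {
 targetHost = "server1.hackens.org"; # todo make something with ens firewall
+tags = [ "server" ];
 targetPort = 2222;
 };
 imports = [agenix];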
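--- a/wg-keys/hackens-org.pub
+++ b/wg-keys/hackens-org.pub
@@ -0,0 +1 @@
+CzUK0RPHsoG9N1NisOG0u7xwyGhTZnjhl7Cus3X76Es=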