org: deploy ipv6 and vpn

This commit is contained in:
sinavir 2024-01-12 18:07:38 +01:00
parent dd370bdebb
commit d52f45442e
7 changed files with 103 additions and 2 deletions


@ -1,8 +1,21 @@
{ pkgs, ... }: { pkgs, ... }:
{ {
imports = [
./wireguard.nix
];
networking.useDHCP = false; networking.useDHCP = false;
systemd.network = { systemd.network = {
enable = true; enable = true;
netdevs."10-sit-he" = {
netdevConfig = {
Kind = "sit";
Name = "sit-he";
};
tunnelConfig = {
Local = "129.199.129.76";
Remote = "216.66.84.42";
};
};
networks = { networks = {
"10-uplink" = { "10-uplink" = {
name = "eth0"; name = "eth0";
@ -12,8 +25,17 @@
]; ];
networkConfig = { networkConfig = {
Gateway = "129.199.129.1"; Gateway = "129.199.129.1";
Tunnel = [ "sit-he" ];
}; };
}; };
"10-tun-he" = {
matchConfig.Name = "sit-he";
networkConfig = {
Gateway = [ "2001:470:1f12:d21::1" ];
Description = "HE.NET IPv6 Tunnel (owned by maurice)";
Address = [ "2001:470:1f12:d21::2/64" ];
};
};
}; };
}; };
networking.nameservers = [ "1.1.1.1" "8.8.8.8" ]; networking.nameservers = [ "1.1.1.1" "8.8.8.8" ];
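Review bot: `tunnelConfig.Local = "129.199.129.76"` on the `10-sit-he` netdev repeats by hand what is presumably the host's uplink address (the uplink `Address` list closes at the top of the second hunk and its contents are not shown), so a later change of the uplink address silently breaks the tunnel; bind it once, e.g. `let uplinkAddr = "129.199.129.76"; in`, and reference it from both places. The new `10-tun-he` network writes `Gateway` and `Address` as one-element lists while `10-uplink` gives `Gateway` as a bare string; pick one form for the file. A comment on the netdev would also help the next reader: `# sit-he: 6in4 (protocol 41) tunnel to the HE broker, no authentication beyond the fixed Remote endpoint; the /64 is now reachable, so networking.firewall's IPv6 rules apply`.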


@ -1,5 +1,4 @@
{ ... }: { { ... }: {
imports = [ <agenix/modules/age.nix> ];
age.secrets."django" = { age.secrets."django" = {
file = ./django.age; file = ./django.age;
owner = "django-hackens_orga"; owner = "django-hackens_orga";
@ -8,4 +7,7 @@
file = ./matterbridge-env.age; file = ./matterbridge-env.age;
owner = "matterbridge"; owner = "matterbridge";
}; };
age.secrets."wg-key" = {
file = ./wg-key.age;
};
} }
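Review bot: `age.secrets."wg-key"` sets only `file`, unlike the sibling secrets which each declare an `owner`, so the decrypted key keeps agenix's default ownership and mode (root-only, as far as I recall; the defaults are not shown here). Its consumer is `PrivateKeyFile = config.age.secrets."wg-key".path` in the new wireguard.nix section further down this page, and systemd-networkd runs unprivileged as the systemd-network user on NixOS, so unless the module passes the file to networkd as a credential the key will be unreadable and wg0 will come up without a private key; confirm on the host and, if needed, add `group = "systemd-network"; mode = "0440";` to the secret. Either way a one-line comment naming the consumer would help: `# WireGuard private key for wg0, read by systemd-networkd (see wireguard.nix)`.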


@ -2,7 +2,7 @@ let
lib = (import <nixpkgs> { }).lib; lib = (import <nixpkgs> { }).lib;
readpubkeys = user: readpubkeys = user:
builtins.filter (k: k != "") builtins.filter (k: k != "")
(lib.splitString "\n" (builtins.readFile (../pubkeys + "/${user}.keys"))); (lib.splitString "\n" (builtins.readFile (../../../pubkeys + "/${user}.keys")));
in in
{ {
"matterbridge-env.age".publicKeys = (readpubkeys "sinavir") "matterbridge-env.age".publicKeys = (readpubkeys "sinavir")
@ -11,4 +11,7 @@ in
"django.age".publicKeys = (readpubkeys "sinavir") "django.age".publicKeys = (readpubkeys "sinavir")
++ (readpubkeys "hackens-host") ++ (readpubkeys "raito") ++ (readpubkeys "hackens-host") ++ (readpubkeys "raito")
++ (readpubkeys "gdd") ++ (readpubkeys "backslash"); ++ (readpubkeys "gdd") ++ (readpubkeys "backslash");
"wg-key.age".publicKeys = (readpubkeys "sinavir")
++ (readpubkeys "hackens-host") ++ (readpubkeys "raito")
++ (readpubkeys "gdd") ++ (readpubkeys "backslash");
} }
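Review bot: The recipient list for `"wg-key.age"` is a verbatim copy of the one for `"django.age"` just above it, so adding or revoking an admin key means editing every entry in the file; bind it once in the `let` block, e.g. `admins = (readpubkeys "sinavir") ++ (readpubkeys "hackens-host") ++ (readpubkeys "raito") ++ (readpubkeys "gdd") ++ (readpubkeys "backslash");`, and write `"wg-key.age".publicKeys = admins;`. Note that this set also decides who can decrypt the WireGuard private key — every listed user's SSH keys as well as the host key — which is wider than the host alone needs; if that is intended, a comment saying so would save the next reader the question. The `let` block opens above the first hunk.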


@ -0,0 +1,31 @@
age-encryption.org/v1
-> ssh-ed25519 JGx7Ng JuynqiiXmLBIlGc6o6HEwsFS8FLiFo86iTWr3kpxEQ0
KjFX3rP7RjvXK42+8qiyRfITDppi7jg9+WPt2afsCuo
-> ssh-ed25519 kXobKQ 8jEmn9hh3I2JeE+l8EZ9npJPGDXr6QcZvtsJhjrmpXE
69W+pHMdgmBOhLw8Hnp+l/IZLvzFtqatYoEKn3nqiSo
-> ssh-ed25519 7hZk0g XSZkyOjMqXtVthQTj8KmDCgM6+ilpktgk8ha1wu/23U
N0IUwdftKBzma5EXfUyswn/RT6RWoXo8hOYH451H2Lg
-> ssh-rsa krWCLQ
JwqNEu6Xr9fwov++Ct/8Jfxaz6Z2F0KpxqJHTZ6PLt5weOVul83AdINfIzq7dJUo
gR4KZJrwM27iY7aTHdbiImzmVSD0KPUeM0KoWjmLcU0xtLIXpoiBAEn0w9YXKTOF
n4wTvpNtXCMkgQPtAYsPOBIdIgQKdEm9Q877mtjHPDlyppn8y7U4z7S1zp71ugc5
B68HyMh1lzDWh43aqYOr5WIanscBjJNHRK1XqM0IhtuWg84cl0EsQ1wOKJxHwwJQ
vjHLoaBulqTxRentvi//4eRz+fKFZ1uJmeHlySlqSYKCN55QZgIFJHGxpSb8kEhl
CFqRx6v+uHeKhBK3yftSQA
-> ssh-ed25519 /vwQcQ ZfgSXru0ZABSLKkyAxdxM4cPs5A1wmNJVqK67UmfdH4
exrZlcFV0BZEnPrT+aRuCSyIKTS0Nbvdd7zWPqepQrc
-> ssh-ed25519 0R97PA VNBEjlLbNQixIXvrkyWVpQ3cWbKQW5XcLcI3Aniy93Y
WXt/rWJYI0mqELcS9+4t1y+cWXyvD4mSudoT/K0da1c
-> ssh-ed25519 cvTB5g 2FWQYQkoMxWf7lf6ZCgF5hL46fmR1zKAmDKw/qGtnjU
xwe9JcDzGLPW+jJwNkMssO21A/pr2baWoQUBYcO5pjk
-> ssh-ed25519 Wu8JLQ ukKMgxBbbHa9TBXo0PGKkk5K1zdQvrk2Qp6BRYguumo
l5k71S4x1VlLCm8BHadDrMMvvJ2927EkTtH8Hu1KNEE
-> ssh-ed25519 EIt1vA yEpFCXXu6iayLUQKj9vgiQGwuRgyduceks6LMFXRGmI
I4iGlWSVye16ZnwHYOfFWWbg6oLYmA1k9LcMyzWoBKA
-> ssh-ed25519 X51wxg 8vkI4rsB3ETq1zMpqkFUr0u6s1OerUjEN1wnz/onjX8
XvbOSMD58qI/yO03zwCg67R1H36AWM8MfT0FVFJnE34
-> DP.[|9G-grease 1H80A YV&\ uG'R";.
DtOW39f0bJ6uFAmxiXhmq3bpV5qnJ3TTb7BjCXND8LtgCj9HcyaOpt4HtNFqAZd9
5hPJeoyr6AMB6TYVAMIKoCfmq2zRe4ilDe3Q5TOL5A
--- yZCsgaQ3oxOkOyyP96+znN03pbyVfqc8ZP0S0x1JZc4
žbl3¹(Š“:¨¾uÚ®Ôº!Ô–$5í]AŽñ)§šß,VJØQC—·†;Qõ§Ô¦ˆMtj.<2E>Àq*ˆüþN™¶š<C2B6>z


@ -0,0 +1,40 @@
{
config,
lib,
pkgs,
...
}: {
systemd.network = {
enable = true;
networks = {
"50-wg0" = {
name = "wg0";
address = [
"10.10.10.1/24"
];
routes = [{
routeConfig = {
Destination = "10.10.10.0/24";
Scope = "link";
};
}];
};
};
netdevs = {
"50-wg0" = {
netdevConfig = {
Name = "wg0";
Kind = "wireguard";
};
wireguardConfig = {
ListenPort = 1194;
PrivateKeyFile = config.age.secrets."wg-key".path;
};
wireguardPeers = [
];
};
};
};
networking.firewall.allowedUDPPorts = [ 1194 ];
}
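Review bot: `lib` and `pkgs` are taken from the module arguments but never used in this file; the header can be `{ config, ... }: {`. `wireguardPeers = [ ]` leaves wg0 listening on UDP 1194 — opened to everyone by `networking.firewall.allowedUDPPorts` — with no peer it can ever complete a handshake with, which is harmless but presumably a placeholder, so a `# TODO: add peers (see wg-keys/)` comment or the first peer entry would make the intent clear. The explicit link-scope route for `10.10.10.0/24` appears to duplicate the prefix route networkd installs for the `10.10.10.1/24` address (AddPrefixRoute defaults to yes, as far as I recall) — verify and drop it if so. A header comment stating the purpose would help: `# wg0: WireGuard endpoint for the 10.10.10.0/24 overlay; private key comes from the agenix secret wg-key`.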


@ -10,12 +10,14 @@ let
targetHost = null; #"milieu.cave.hackens.org"; targetHost = null; #"milieu.cave.hackens.org";
# targetPort = 4243; # targetPort = 4243;
allowLocalDeployment = true; allowLocalDeployment = true;
tags = [ "desktop" ];
}; };
imports = [agenix]; imports = [agenix];
}; };
hackens-org = { hackens-org = {
deployment = { deployment = {
targetHost = "server1.hackens.org"; # todo make something with ens firewall targetHost = "server1.hackens.org"; # todo make something with ens firewall
tags = [ "server" ];
targetPort = 2222; targetPort = 2222;
}; };
imports = [agenix]; imports = [agenix];

1
wg-keys/hackens-org.pub Normal file

@ -0,0 +1 @@
CzUK0RPHsoG9N1NisOG0u7xwyGhTZnjhl7Cus3X76Es=
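Review bot: The public key in `wg-keys/hackens-org.pub` is committed but nothing on this page consumes it — the `wireguardPeers` list in wireguard.nix is empty — so it is unclear whether this is the host's own key (the counterpart of the `wg-key` secret) or a future peer's. A short README in `wg-keys/`, or a comment in wireguard.nix pointing at the directory and stating the convention (one `<host>.pub` per node, matching the host's `wg-key` secret), would tie the two together for the next person adding a peer.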