Bump version + minor cleanups

Signed-off-by: jeltz@federez.net
2025-04-02 15:46:38 +02:00 · 2025-04-02 15:46:38 +02:00 · 01b5a0fe25
commit 01b5a0fe25
parent 09d82c6b88
7 changed files with 44 additions and 34 deletions
--- a/hive.nix
+++ b/hive.nix
@ -1,6 +1,8 @@
 let
  src = import ./npins;
-  pkgs = import src.nixpkgs { };
+  pkgs = import src.nixpkgs {
+    config.permittedInsecurePackages = [ "olm-3.2.16" ];
+  };
  disko = (import src.disko { inherit (pkgs) lib; });
  diskConfig = import ./disks/ext4.nix {
    inherit (pkgs) lib;
@ -8,7 +10,11 @@ let
 in
 {
  meta = {
-    nixpkgs = src.nixpkgs;
+    nixpkgs = pkgs;
+    nodeNixpkgs = {
+      # FIXME discourse est cassé en unstable
+      pendragon = src."nixpkgs-24.11";
+    };
  };

  # FIXME
@ -21,6 +27,9 @@ in
      "${src.agenix}/modules/age.nix"
    ];

+    deployment.targetHost = "${name}.federez.net";
+    networking.hostName = name;
+
    security.acme.defaults.email = "monitoring@federez.net";
    security.acme.acceptTerms = true;

@ -45,10 +54,8 @@ in
    time.timeZone = "Europe/Paris";
  };

-  vogon = { name, nodes, ... }: {
+  vogon = { ... }: {
    deployment.tags = [ "hypervisor" ];
-    deployment.targetHost = "vogon.federez.net";
-    networking.hostName = name;
    networking.hostId = "1751e2a7";

    imports = [
@ -57,12 +64,8 @@ in
    ];
  };

-  estragon = { name, nodes, pkgs, ... }: {
+  estragon = { pkgs, ... }: {
    deployment.tags = [ "matrix" ];
-    deployment.targetHost = "estragon.federez.net";
-    networking.hostName = name;
-
-    environment.systemPackages = [ pkgs.tcpdump pkgs.openssl ];

    glucagon.networking = {
      nibble = 227;
@ -88,10 +91,8 @@ in
    system.build.diskoScript = disko.diskoScript diskConfig pkgs;
  };

-  wagon = { name, nodes, ... }: {
+  wagon = { pkgs, ... }: {
    deployment.tags = [ "vaultwarden" "pass" "passwords" ];
-    deployment.targetHost = "wagon.federez.net";
-    networking.hostName = name;

    glucagon.networking = {
      nibble = 228;
@ -114,10 +115,8 @@ in
    system.build.diskoScript = disko.diskoScript diskConfig pkgs;
  };

-  lagon = { name, nodes, ... }: {
+  lagon = { pkgs, ... }: {
    deployment.tags = [ "keycloak" "wayf" ];
-    deployment.targetHost = "lagon.federez.net";
-    networking.hostName = name;

    glucagon.networking = {
      nibble = 229;
@ -140,10 +139,8 @@ in
    system.build.diskoScript = disko.diskoScript diskConfig pkgs;
  };

-  aragon = { name, nodes, ... }: {
+  aragon = { pkgs, ... }: {
    deployment.tags = [ "gitlab" ];
-    deployment.targetHost = "aragon.federez.net";
-    networking.hostName = name;

    glucagon.networking = {
      nibble = 231;
@ -166,11 +163,8 @@ in
    system.build.diskoScript = disko.diskoScript diskConfig pkgs;
  };

-  # FIXME can't update: discourse pkg is broken
-  pendragon = { name, nodes, ... }: {
+  pendragon = { pkgs, ... }: {
    deployment.tags = [ "discourse" ];
-    deployment.targetHost = "pendragon.federez.net";
-    networking.hostName = name;

    glucagon.networking = {
      nibble = 233;
@ -193,18 +187,21 @@ in
    system.build.diskoScript = disko.diskoScript diskConfig pkgs;
  };

-  perdrigon = { name, nodes, ... }: {
+  perdrigon = { pkgs, ... }: {
    deployment.tags = [ "indico" ];
-    deployment.targetHost = "perdrigon.federez.net";
-    federez.monitoring.apiKey = "370a181d-6b00-4c3d-af27-ca65e6e4c1b0";
-    networking.hostName = name;

    glucagon.networking = {
      nibble = 234;
      wan-mac = "BC:24:11:04:9B:51";
    };

+    infra-net.leaf = {
+      mac = "BC:24:11:09:B8:76";
+      id = 17;
+    };
+
    imports = [
+      (disko.config diskConfig)
      ./profiles/vm.nix
      ./profiles/indico.nix
    ];
--- a/npins/sources.json
+++ b/npins/sources.json
@ -39,6 +39,12 @@
      "url": "https://github.com/fossar/nix-phps/archive/87aa57df1dffc535756256efbd141c735852145f.tar.gz",
      "hash": "0i8bp50hm55jxlgfmcfjql3lz8la0cipmdh1m73i8jag7p8mmrnl"
    },
+    "nixpkgs-24.11": {
+      "type": "Channel",
+      "name": "nixos-24.11",
+      "url": "https://releases.nixos.org/nixos/24.11/nixos-24.11.716438.7ffe0edc685f/nixexprs.tar.xz",
+      "hash": "1i99256170lllhdy8z1agvb4hgim20zs7i2qvikw5x9ldzh4q7zv"
+    },
    "nixpkgs": {
      "type": "Channel",
      "name": "nixos-unstable-small",
--- a/profiles/irc-bot.nix
+++ b/profiles/irc-bot.nix
@ -2,7 +2,7 @@
 let
  cfg = config.services.matrix-appservice-irc;
  bindPort = cfg.settings.ircService.mediaProxy.bindPort;
-  upstreamUrl  = "http://127.0.0.1:${toString bindPort}";
+  upstreamUrl  = "127.0.0.1:${toString bindPort}";
 in {
  services.nginx = {
    enable = true;
--- a/profiles/matrix-server.nix
+++ b/profiles/matrix-server.nix
@ -50,7 +50,7 @@ in {
    # in client applications.
    settings.public_baseurl = baseUrl;
    settings.app_service_config_files = [
-      "/var/lib/matrix-synapse/telegram-registration.yaml"
+      #"/var/lib/matrix-synapse/telegram-registration.yaml"
      "/var/lib/matrix-synapse/irc-registration.yml"
    ];
    settings.listeners = [
--- a/profiles/vogon.nix
+++ b/profiles/vogon.nix
@ -64,6 +64,9 @@
    "sr_mod"
  ];

+  # FIXME
+  networking.firewall.trustedInterfaces = [ "wg-infra" "vxl-infra" "br-infra" ];
+
  systemd.network.links = {
    "10-phy1" = {
      matchConfig.MACAddress = "18:66:da:75:da:04";
@ -114,19 +117,22 @@
      };
      wireguardPeers = [
        {
-          PublicKey = "A+tXWigWNzrj0zAyg0MCSgP53ngH3kNsP5m8E+JbDmA=";
+          PublicKey = "JfTsY3+jPTDgLDrECoSvoYs+6+GpjII0ookjhFhd5SY=";
          Endpoint = "89.234.162.224:51039";
          AllowedIPs = [ "fd0a:66d3:1c19:1000::2" ];
+          PersistentKeepalive = 10;
        }
        {
-          PublicKey = "77IPc//p+mSl1yeapuDd4tIZDRp5acOTmBF5V7dG4BA=";
+          PublicKey = "nOeLgmE1U6nY3UNxltQKwlID9lD7fvpEwij2XUvEGgg=";
          Endpoint = "137.194.12.129:51039";
          AllowedIPs = [ "fd0a:66d3:1c19:1000::3" ];
+          PersistentKeepalive = 10;
        }
        {
-          PublicKey = "tUonMgyYxE5l1aee7iSBR6AwmuhITk3ystPhouUAMBc=";
+          PublicKey = "9pGyE4+CQl+f8sFJ/Mkvp14yxDQJ0SJmGnher5Tgzjc=";
          Endpoint = "193.48.225.201:51039";
          AllowedIPs = [ "fd0a:66d3:1c19:1000::4" ];
+          PersistentKeepalive = 10;
        }
      ];
    };
@ -156,6 +162,7 @@
    };
    "10-br-infra" = {
      matchConfig.Name = "br-infra";
+      linkConfig.MACAddress = "9E:D8:78:A1:CE:22";
      address = [
        "fd0a:66d3:1c19:42::1/64"
        "10.42.0.1/16"
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -22,10 +22,10 @@ let
  keycloak-admins = active-admins;
  ldap-bind-admins = active-admins;
  discourse-admins = active-admins;
+  wg-admins = active-admins;
  indico-admins = active-admins;
  grafana-admins = active-admins;
-  wg-admins = active-admins;
-  servers = [ estragon wagon lagon klingon aragon pendragon perdrigon martagon ];
+  servers = [ estragon wagon lagon klingon aragon pendragon vogon perdrigon martagon ];
 in
  {
    "matrix-shared-secret.age".publicKeys = [ estragon ] ++ matrix-admins;
--- a/secrets/vogon-wg-infra-key.age
+++ b/secrets/vogon-wg-infra-key.age