federez/nix
7
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

wip: add vogon + many other things

Browse source 
Added lots of things done in a hurry following the dodecagon failure.

Signed-off-by: Jeltz <jeltz@federez.net>
This commit is contained in:
jeltz 2025-03-31 15:58:12 +02:00
parent a184d18f4b
commit 09d82c6b88
Signed by: jeltz
GPG key ID: 800882B66C0C3326
9 changed files with 676 additions and 63 deletions
Download patch file Download diff file Expand all files Collapse all files

33
profiles/incus.nix Normal file
View file

@ -0,0 +1,33 @@
{ ... }:
{
virtualisation.incus = {
enable = true;
ui.enable = true;
preseed = {
config = {
"core.https_address" = "127.0.0.1:9999";
};
profiles = [
{
name = "default";
devices = {
eth0 = {
name = "eth0";
nictype = "bridged";
parent = "wan";
type = "nic";
};
};
}
];
storage_pools = [
{
name = "default";
driver = "zfs";
config = { source = "data/incus"; };
}
];
};
};
}

217
profiles/infra-net.nix Normal file
View file

@ -0,0 +1,217 @@
{ config, lib, ... }:
let
inherit (lib) mkOption types;
cfg = config.infra-net;
leafSubmodule = lib.types.submodule {
options = {
mac = mkOption {
type = types.str;
description = ''
Adresse MAC de l'interface préexistante sur le réseau INFRA.
'';
example = "AA:BB:CC:DD:EE:FF";
};
id = mkOption {
type = types.ints.between 1 65535;
description = ''
Identifiant de la machine dans le réseau INFRA.
'';
example = 194;
};
};
};
hubDefSubmodule = lib.type.submodule {
options = {
hid = mkOption {
type = types.ints.between 1 255;
description = ''
Identifiant du concentrateur sur la maille WireGuard.
'';
example = 12;
};
public-key = mkOption {
type = types.str;
description = ''
Clé publique WireGuard du concentrateur.
'';
example = "LwhiJgtHtYQT4Ug6tgD0RDlUhhNga5tIyiWN2A6dCnk=";
};
address = mkOption {
type = types.str;
description = ''
Adresse IP publique du concentrateur.
'';
example = "1.2.3.4";
};
port = mkOption {
type = types.port;
description = ''
Port WireGuard public du concentrateur.
'';
default = 51039;
example = 51039;
};
};
};
hubSubmodule = lib.types.submodule {
options = {
name = mkOption {
type = types.str;
description = ''
Nom d'hôte du concentrateur.
'';
default = config.networking.hostName;
};
all-hubs = mkOption {
type = types.attrsOf hubDefSubmodule;
description = ''
Définitions de l'ensemble des concentrateurs.
'';
};
private-key-path = mkOption {
type = types.path;
description = ''
Chemin vers la clé privée WireGuard du concentrateur.
'';
};
wg-port = mkOption {
type = types.port;
description = ''
Port d'écoute WireGuard du concentrateur.
'';
default = 51039;
example = 51039;
};
id = mkOption {
type = types.ints.between 1 65535;
description = ''
Identifiant de la machine dans le réseau INFRA.
'';
example = 194;
};
mac = mkOption {
type = types.str;
description = ''
Adresse MAC de l'interface virtuelle à du concentrateur sur
le réseau INFRA.
'';
example = "AA:BB:CC:DD:EE:FF";
};
};
};
mkAddresses = id: let
a = id / 256;
b = id - 256 * a;
in [
"fd0a:66d3:1c19:42::${toString a}:${toString b}/64"
"10.42.${toString a}.${toString b}/16"
];
mkHubAddress = hub: "fd0a:66d3:1c19:1000::${toString hub.hid}";
mkPeer = hub: {
PublicKey = hub.public-key;
Endpoint = "${hub.address}:${hub.port}";
AllowedIPs = mkHubAddress hub;
};
vxlanPort = 4789;
vni = 42;
selfHub = cfg.hub.all-hubs."${cfg.hub.name}";
otherHubs = lib.filterAttrs (n: _: n != cfg.hub.name) cfg.hub.all-hubs;
mkBridgeFDB = hub: {
MACAddress = "00:00:00:00:00:00";
Destination = "${mkHubAddress hub}";
VNI = vni;
};
in {
options.infra-net = {
leaf = mkOption {
type = types.nullOr leafSubmodule;
default = null;
description = ''
Configuration de l'interface d'une feuille du réseau INFRA.
'';
};
hub = lib.mkOption {
type = lib.types.nullOr hubSubmodule;
default = null;
description = ''
Configuration des interfaces d'un concentrateur du réseau INFRA.
'';
};
};
config = let
hubNetwork = {
links = {
"10-wg-infra" = {
netdevConfig = {
Name = "wg-infra";
Kind = "wireguard";
};
wireguardConfig = {
ListenPort = cfg.hub.wg-port;
PrivateKey = "@wg-infra-key";
};
wireguardPeers = map mkPeer otherHubs;
};
"10-vxl-infra" = {
netdevConfig = {
Name = "vxl-infra";
Kind = "vxlan";
};
vxlanConfig = {
Local = mkHubAddress selfHub;
VNI = vni;
MacLearning = true;
DestinationPort = vxlanPort;
};
};
"10-br-infra".netdevConfig = {
Name = "br-infra";
Kind = "bridge";
MACAddress = cfg.hub.mac;
};
};
networks = {
"10-wg-infra" = {
matchConfig.Name = "wg-infra";
networkConfig = {
Address = "${mkHubAddress selfHub}/64";
VXLAN = "vxl-infra";
};
};
"10-vxl-infra" = {
matchConfig.Name = "vxl-infra";
networkConfig = {
LinkLocalAddressing = false;
Bridge = "br-infra";
};
bridgeFDBs = map mkBridgeFDB otherHubs;
};
"10-br-infra" = {
matchConfig.Name = "br-infra";
address = mkAddresses cfg.hub.id;
};
};
};
leafNetwork = {
links."10-infra" = {
matchConfig.MACAddress = cfg.leaf.mac;
linkConfig.Name = "infra";
};
networks."10-infra" = {
matchConfig.Name = "infra";
address = mkAddresses cfg.leaf.id;
};
};
in {
systemd.network = lib.mkMerge [
(lib.mkIf (cfg.hub != null) hubNetwork)
(lib.mkIf (cfg.leaf != null) leafNetwork)
];
systemd.services.systemd-networkd.serviceConfig.LoadCredential =
lib.mkIf (cfg.hub != null)
[ "wg-infra-key:${cfg.hub.private-key-path}" ];
};
}

23
profiles/irc-bot.nix
View file

@ -1,4 +1,23 @@
{ ... }: {
{ config, ... }:
let
cfg = config.services.matrix-appservice-irc;
bindPort = cfg.settings.ircService.mediaProxy.bindPort;
upstreamUrl = "http://127.0.0.1:${toString bindPort}";
in {
services.nginx = {
enable = true;
recommendedProxySettings = true;
recommendedOptimisation = true;
recommendedTlsSettings = true;
recommendedGzipSettings = true;
upstreams.matrix-irc.servers.${upstreamUrl} = { };
virtualHosts."matrix-irc.federez.net" = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://matrix-irc";
};
};
services.matrix-appservice-irc = {
enable = true;
registrationUrl = "http://127.0.0.1:8009";
@ -7,6 +26,8 @@
homeserver.url = "https://matrix.federez.net";
homeserver.domain = "federez.net";
ircService.mediaProxy.publicUrl = "https://matrix-irc.federez.net/media";
ircService.servers."irc.rezosup.org" = {
name = "RezoSup";
additionalAddresses = [ ];

196
profiles/vogon.nix Normal file
View file

@ -0,0 +1,196 @@
{ config, pkgs, ... }:
{
age.secrets = {
vogon-wg-infra-key = {
file = ../secrets/vogon-wg-infra-key.age;
owner = "root";
group = "root";
};
};
systemd.services.systemd-networkd.serviceConfig.LoadCredential = [
"wg-infra-key:${config.age.secrets.vogon-wg-infra-key.path}"
];
environment.systemPackages = [ pkgs.wireguard-tools ];
# FIXME I suck. I didn't manage to configure a working ZFS rootfs with disko
# It was 1 AM, and the server had to be up and running quickly, so I
# partitioned the server manually
fileSystems = {
"/" = {
device = "rpool/root";
fsType = "zfs";
};
"/boot1" = {
device = "/dev/disk/by-uuid/F121-2F47";
fsType = "vfat";
options = [ "fmask=0077" "dmask=0077" ];
};
"/boot2" = {
device = "/dev/disk/by-uuid/F167-8DD8";
fsType = "vfat";
options = [ "fmask=0077" "dmask=0077" ];
};
};
boot.zfs.extraPools = [ "data" ];
# We use Grub because systemd-boot does not seem to have a simple equivalent
# of mirroredBoots
boot.loader.grub = {
enable = true;
efiSupport = true;
zfsSupport = true; # FIXME useless?
mirroredBoots = [
{ devices = [ "nodev" ]; path = "/boot1"; efiSysMountPoint = "/boot1"; }
{ devices = [ "nodev" ]; path = "/boot2"; efiSysMountPoint = "/boot2"; }
];
};
boot.loader.efi.canTouchEfiVariables = true;
boot.initrd.kernelModules = [ ];
boot.initrd.availableKernelModules = [
"ahci"
"ehci_pci"
"megaraid_sas"
"usbhid"
"usb_storage"
"sd_mod"
"sr_mod"
];
systemd.network.links = {
"10-phy1" = {
matchConfig.MACAddress = "18:66:da:75:da:04";
linkConfig.Name = "phy1";
};
"10-phy2" = {
matchConfig.MACAddress = "18:66:da:75:da:05";
linkConfig.Name = "phy2";
};
};
systemd.network.netdevs = {
"10-wan".netdevConfig = {
Name = "wan";
Kind = "bridge";
};
"10-bond" = {
netdevConfig = {
Name = "bond";
Kind = "bond";
};
bondConfig.Mode = "802.3ad";
};
"10-br-infra".netdevConfig = {
Name = "br-infra";
Kind = "bridge";
};
"10-vxl-infra" = {
netdevConfig = {
Name = "vxl-infra";
Kind = "vxlan";
};
vxlanConfig = {
Local = "fd0a:66d3:1c19:1000::1";
VNI = 42;
MacLearning = true;
DestinationPort = 4789;
};
};
"10-wg-infra" = {
netdevConfig = {
Name = "wg-infra";
Kind = "wireguard";
};
wireguardConfig = {
ListenPort = 51039;
PrivateKey = "@wg-infra-key";
};
wireguardPeers = [
{
PublicKey = "A+tXWigWNzrj0zAyg0MCSgP53ngH3kNsP5m8E+JbDmA=";
Endpoint = "89.234.162.224:51039";
AllowedIPs = [ "fd0a:66d3:1c19:1000::2" ];
}
{
PublicKey = "77IPc//p+mSl1yeapuDd4tIZDRp5acOTmBF5V7dG4BA=";
Endpoint = "137.194.12.129:51039";
AllowedIPs = [ "fd0a:66d3:1c19:1000::3" ];
}
{
PublicKey = "tUonMgyYxE5l1aee7iSBR6AwmuhITk3ystPhouUAMBc=";
Endpoint = "193.48.225.201:51039";
AllowedIPs = [ "fd0a:66d3:1c19:1000::4" ];
}
];
};
};
systemd.network.networks = {
"10-phy1" = {
matchConfig.Name = "phy1";
networkConfig.Bond = "bond";
};
"10-phy2" = {
matchConfig.Name = "phy2";
networkConfig.Bond = "bond";
};
"10-bond" = {
matchConfig.Name = "bond";
networkConfig.Bridge = "wan";
};
"10-wan" = {
matchConfig.Name = "wan";
address = [ "193.54.193.161/28" ];
routes = [
{
Gateway = "193.54.193.174";
}
];
};
"10-br-infra" = {
matchConfig.Name = "br-infra";
address = [
"fd0a:66d3:1c19:42::1/64"
"10.42.0.1/16"
];
};
"10-vxl-infra" = {
matchConfig.Name = "vxl-infra";
networkConfig = {
Bridge = "br-infra";
LinkLocalAddressing = false;
};
bridgeFDBs = [
{
MACAddress = "00:00:00:00:00:00";
Destination = "fd0a:66d3:1c19:1000::2";
VNI = 42;
}
{
MACAddress = "00:00:00:00:00:00";
Destination = "fd0a:66d3:1c19:1000::3";
VNI = 42;
}
{
MACAddress = "00:00:00:00:00:00";
Destination = "fd0a:66d3:1c19:1000::4";
VNI = 42;
}
];
};
"10-wg-infra" = {
matchConfig.Name = "wg-infra";
networkConfig = {
Address = "fd0a:66d3:1c19:1000::1/64";
VXLAN = "vxl-infra";
};
};
};
}