wip: add vogon + many other things

Added lots of things done in a hurry following the dodecagon failure. Signed-off-by: Jeltz <jeltz@federez.net>
2025-03-31 15:58:12 +02:00 · 2025-03-31 15:58:12 +02:00 · 09d82c6b88
commit 09d82c6b88
parent a184d18f4b
9 changed files with 676 additions and 63 deletions
--- a/hive.nix
+++ b/hive.nix
@ -11,14 +11,14 @@ in
    nixpkgs = src.nixpkgs;
  };
  # FIXME
  nixpkgs.config.permittedInsecurePackage = [ "olm-3.2.16" ];
  defaults = { pkgs, lib, ... }: {
    imports = [
      ./profiles/sysadmin.nix
-      ./profiles/glucagon.nix
+      #./profiles/ldap.nix
      ./profiles/child-netdata.nix
      ./profiles/ldap.nix
      "${src.agenix}/modules/age.nix"
      (disko.config diskConfig)
    ];
    security.acme.defaults.email = "monitoring@federez.net";
@ -27,9 +27,7 @@ in
    systemd.network.enable = true;
    networking.useDHCP = false;
    services.openssh.enable = true;
-
+    networking.nftables.enable = true;
    # By default, everyone is a child except klington itself.
    federez.monitoring.enableChild = lib.mkDefault true;
    # Enable system diffs.
    system.activationScripts.system-diff = {
@ -44,84 +42,107 @@ in
    # Mot de passe classique qu'on trouvera dans le "trousseau" legacy.
    users.users.root.initialHashedPassword = "$y$j9T$RoSZj8ezgR7cI8Le6xqwW/$0BI6G1Nqy/G0g0sNhQhyEedqoHsEyMFVjQgc3TPqE.4";
    system.stateVersion = "24.05";
    system.build.diskoScript = disko.diskoScript diskConfig pkgs;
    time.timeZone = "Europe/Paris";
  };
-  estragon = { name, nodes, ... }: {
+  vogon = { name, nodes, ... }: {
    deployment.tags = [ "hypervisor" ];
    deployment.targetHost = "vogon.federez.net";
    networking.hostName = name;
    networking.hostId = "1751e2a7";
    imports = [
      ./profiles/vogon.nix
      ./profiles/incus.nix
    ];
  };
  estragon = { name, nodes, pkgs, ... }: {
    deployment.tags = [ "matrix" ];
    deployment.targetHost = "estragon.federez.net";
    networking.hostName = name;
-    federez.monitoring.apiKey = "3411043d-55b5-425e-af43-0932d6147148";
+
    environment.systemPackages = [ pkgs.tcpdump pkgs.openssl ];
    glucagon.networking = {
      nibble = 227;
      wan-mac = "BC:24:11:5C:A4:5A";
    };
    infra-net.leaf = {
      mac = "BC:24:11:AC:7B:59";
      id = 12;
    };
    imports = [
      (disko.config diskConfig)
      ./profiles/vm.nix
      ./profiles/glucagon.nix
      ./profiles/infra-net.nix
      ./profiles/matrix-server.nix
      ./profiles/element.nix
      ./profiles/telegram-bot.nix
      ./profiles/irc-bot.nix
    ];
    system.build.diskoScript = disko.diskoScript diskConfig pkgs;
  };
  wagon = { name, nodes, ... }: {
    deployment.tags = [ "vaultwarden" "pass" "passwords" ];
    deployment.targetHost = "wagon.federez.net";
    networking.hostName = name;
    federez.monitoring.apiKey = "a8bd7953-dfca-4393-b770-98c5ab11dea5";
    glucagon.networking = {
      nibble = 228;
      wan-mac = "BC:24:11:EA:6C:0B";
    };
    infra-net.leaf = {
      mac = "BC:24:11:5A:0F:44";
      id = 8;
    };
    imports = [
      (disko.config diskConfig)
      ./profiles/vm.nix
      ./profiles/glucagon.nix
      ./profiles/infra-net.nix
      ./profiles/vaultwarden.nix
    ];
    system.build.diskoScript = disko.diskoScript diskConfig pkgs;
  };
  lagon = { name, nodes, ... }: {
    deployment.tags = [ "keycloak" "wayf" ];
    deployment.targetHost = "lagon.federez.net";
    networking.hostName = name;
    federez.monitoring.apiKey = "f85dcb12-970c-4ea1-99b4-01e2fc26bc6c";
    glucagon.networking = {
      nibble = 229;
      wan-mac = "BC:24:11:7F:19:60";
    };
-    imports = [
+    infra-net.leaf = {
-      ./profiles/vm.nix
+      mac = "BC:24:11:91:61:8E";
-      ./profiles/wayf.nix
+      id = 9;
    ];
  };
  klingon = { name, nodes, ... }: {
    deployment.tags = [ "monitoring" ];
    deployment.targetHost = "klingon.federez.net";
    networking.hostName = name;
    glucagon.networking = {
      nibble = 230;
      wan-mac = "BC:24:11:B7:AE:80";
    };
    imports = [
      (disko.config diskConfig)
      ./profiles/vm.nix
-      ./profiles/netdata.nix
+      ./profiles/glucagon.nix
      ./profiles/infra-net.nix
      ./profiles/wayf.nix
    ];
    system.build.diskoScript = disko.diskoScript diskConfig pkgs;
  };
  aragon = { name, nodes, ... }: {
    deployment.tags = [ "gitlab" ];
    deployment.targetHost = "aragon.federez.net";
    federez.monitoring.apiKey = "370a181d-6b00-4c3d-af27-ca65e6e4c1b0";
    networking.hostName = name;
    glucagon.networking = {
@ -129,16 +150,26 @@ in
      wan-mac = "BC:24:11:E3:12:4A";
    };
    infra-net.leaf = {
      mac = "BC:24:11:E4:C7:69";
      id = 10;
    };
    imports = [
      (disko.config diskConfig)
      ./profiles/vm.nix
      ./profiles/glucagon.nix
      ./profiles/infra-net.nix
      ./profiles/gitlab.nix
    ];
    system.build.diskoScript = disko.diskoScript diskConfig pkgs;
  };
  # FIXME can't update: discourse pkg is broken
  pendragon = { name, nodes, ... }: {
    deployment.tags = [ "discourse" ];
    deployment.targetHost = "pendragon.federez.net";
    federez.monitoring.apiKey = "370a181d-6b00-4c3d-af27-ca65e6e4c1b0";
    networking.hostName = name;
    glucagon.networking = {
@ -146,10 +177,20 @@ in
      wan-mac = "BC:24:11:C2:AA:47";
    };
    infra-net.leaf = {
      mac = "BC:24:11:31:B8:DD";
      id = 11;
    };
    imports = [
      (disko.config diskConfig)
      ./profiles/vm.nix
      ./profiles/glucagon.nix
      ./profiles/infra-net.nix
      ./profiles/discourse.nix
    ];
    system.build.diskoScript = disko.diskoScript diskConfig pkgs;
  };
  perdrigon = { name, nodes, ... }: {
--- a/npins/default.nix
+++ b/npins/default.nix
@ -1,47 +1,146 @@
 /*
  This file is provided under the MIT licence:
  Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
  The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
  THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 */
 # Generated by npins. Do not modify; will be overwritten regularly
 let
  data = builtins.fromJSON (builtins.readFile ./sources.json);
  version = data.version;
-  mkSource = spec:
+  # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/lists.nix#L295
-    assert spec ? type; let
+  range =
-      path =
+    first: last: if first > last then [ ] else builtins.genList (n: first + n) (last - first + 1);
        if spec.type == "Git" then mkGitSource spec
        else if spec.type == "GitRelease" then mkGitSource spec
        else if spec.type == "PyPi" then mkPyPiSource spec
        else if spec.type == "Channel" then mkChannelSource spec
        else builtins.throw "Unknown source type ${spec.type}";
    in
    spec // { outPath = path; };
-  mkGitSource = { repository, revision, url ? null, hash, ... }:
+  # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L257
  stringToCharacters = s: map (p: builtins.substring p 1 s) (range 0 (builtins.stringLength s - 1));
  # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L269
  stringAsChars = f: s: concatStrings (map f (stringToCharacters s));
  concatMapStrings = f: list: concatStrings (map f list);
  concatStrings = builtins.concatStringsSep "";
  # If the environment variable NPINS_OVERRIDE_${name} is set, then use
  # the path directly as opposed to the fetched source.
  # (Taken from Niv for compatibility)
  mayOverride =
    name: path:
    let
      envVarName = "NPINS_OVERRIDE_${saneName}";
      saneName = stringAsChars (c: if (builtins.match "[a-zA-Z0-9]" c) == null then "_" else c) name;
      ersatz = builtins.getEnv envVarName;
    in
    if ersatz == "" then
      path
    else
      # this turns the string into an actual Nix path (for both absolute and
      # relative paths)
      builtins.trace "Overriding path of \"${name}\" with \"${ersatz}\" due to set \"${envVarName}\"" (
        if builtins.substring 0 1 ersatz == "/" then
          /. + ersatz
        else
          /. + builtins.getEnv "PWD" + "/${ersatz}"
      );
  mkSource =
    name: spec:
    assert spec ? type;
    let
      path =
        if spec.type == "Git" then
          mkGitSource spec
        else if spec.type == "GitRelease" then
          mkGitSource spec
        else if spec.type == "PyPi" then
          mkPyPiSource spec
        else if spec.type == "Channel" then
          mkChannelSource spec
        else if spec.type == "Tarball" then
          mkTarballSource spec
        else
          builtins.throw "Unknown source type ${spec.type}";
    in
    spec // { outPath = mayOverride name path; };
  mkGitSource =
    {
      repository,
      revision,
      url ? null,
      submodules,
      hash,
      branch ? null,
      ...
    }:
    assert repository ? type;
    # At the moment, either it is a plain git repository (which has an url), or it is a GitHub/GitLab repository
    # In the latter case, there we will always be an url to the tarball
-    if url != null then
+    if url != null && !submodules then
-      (builtins.fetchTarball {
+      builtins.fetchTarball {
        inherit url;
        sha256 = hash; # FIXME: check nix version & use SRI hashes
-      })
+      }
-    else assert repository.type == "Git"; builtins.fetchGit {
+    else
-      url = repository.url;
+      let
-      rev = revision;
+        url =
-      # hash = hash;
+          if repository.type == "Git" then
-    };
+            repository.url
          else if repository.type == "GitHub" then
            "https://github.com/${repository.owner}/${repository.repo}.git"
          else if repository.type == "GitLab" then
            "${repository.server}/${repository.repo_path}.git"
          else
            throw "Unrecognized repository type ${repository.type}";
        urlToName =
          url: rev:
          let
            matched = builtins.match "^.*/([^/]*)(\\.git)?$" url;
-  mkPyPiSource = { url, hash, ... }:
+            short = builtins.substring 0 7 rev;
            appendShort = if (builtins.match "[a-f0-9]*" rev) != null then "-${short}" else "";
          in
          "${if matched == null then "source" else builtins.head matched}${appendShort}";
        name = urlToName url revision;
      in
      builtins.fetchGit {
        rev = revision;
        inherit name;
        # hash = hash;
        inherit url submodules;
      };
  mkPyPiSource =
    { url, hash, ... }:
    builtins.fetchurl {
      inherit url;
      sha256 = hash;
    };
-  mkChannelSource = { url, hash, ... }:
+  mkChannelSource =
    { url, hash, ... }:
    builtins.fetchTarball {
      inherit url;
      sha256 = hash;
    };
  mkTarballSource =
    {
      url,
      locked_url ? url,
      hash,
      ...
    }:
    builtins.fetchTarball {
      url = locked_url;
      sha256 = hash;
    };
 in
-if version == 3 then
+if version == 5 then
-  builtins.mapAttrs (_: mkSource) data.pins
+  builtins.mapAttrs mkSource data.pins
 else
  throw "Unsupported format version ${toString version} in sources.json. Try running `npins upgrade`"
--- a/npins/sources.json
+++ b/npins/sources.json
@ -8,6 +8,7 @@
        "repo": "agenix"
      },
      "branch": "main",
      "submodules": false,
      "revision": "e600439ec4c273cf11e06fe4d9d906fb98fa097c",
      "url": "https://github.com/ryantm/agenix/archive/e600439ec4c273cf11e06fe4d9d906fb98fa097c.tar.gz",
      "hash": "006ngydiykjgqs85cl19h9klq8kaqm5zs0ng51dnwy7nzgqxzsdr"
@ -20,9 +21,10 @@
        "repo": "disko"
      },
      "branch": "master",
-      "revision": "15dbf8cebd8e2655a883b74547108e089f051bf0",
+      "submodules": false,
-      "url": "https://github.com/nix-community/disko/archive/15dbf8cebd8e2655a883b74547108e089f051bf0.tar.gz",
+      "revision": "0d8c6ad4a43906d14abd5c60e0ffe7b587b213de",
-      "hash": "1fw5vwz954s4pw1c1kr0j47pkvmzyngcdfrb96zkimxz0mv9f8wm"
+      "url": "https://github.com/nix-community/disko/archive/0d8c6ad4a43906d14abd5c60e0ffe7b587b213de.tar.gz",
      "hash": "0mwnd7vfyd2wqbrvlpjgxng83fp97lg1ihzzx9ipbj5c9l0bjgjm"
    },
    "nix-phps": {
      "type": "Git",
@ -32,16 +34,17 @@
        "repo": "nix-phps"
      },
      "branch": "master",
-      "revision": "a911d90c8f3a59cfa85a0a727638775a6e2314f5",
+      "submodules": false,
-      "url": "https://github.com/fossar/nix-phps/archive/a911d90c8f3a59cfa85a0a727638775a6e2314f5.tar.gz",
+      "revision": "87aa57df1dffc535756256efbd141c735852145f",
-      "hash": "1hxdm74hnwjwq246g2ysbakgb4fssci4rvb9p5z77g10xzd3470z"
+      "url": "https://github.com/fossar/nix-phps/archive/87aa57df1dffc535756256efbd141c735852145f.tar.gz",
      "hash": "0i8bp50hm55jxlgfmcfjql3lz8la0cipmdh1m73i8jag7p8mmrnl"
    },
    "nixpkgs": {
      "type": "Channel",
      "name": "nixos-unstable-small",
-      "url": "https://releases.nixos.org/nixos/unstable-small/nixos-25.05beta756601.e493a167e1e3/nixexprs.tar.xz",
+      "url": "https://releases.nixos.org/nixos/unstable-small/nixos-25.05pre777042.1d3a750cb7d8/nixexprs.tar.xz",
-      "hash": "1rcjgwb9f1dzzp4plvczi9qzzsfrv45y7grhwr8bx9wjkzl7cz16"
+      "hash": "0g2q7g6chpmaa0b6py8aqgwx71gvxlpirijlk6b0y5z15r0hdabk"
    }
  },
-  "version": 3
+  "version": 5
-}
+}
--- a/profiles/incus.nix
+++ b/profiles/incus.nix
@ -0,0 +1,33 @@
 { ... }:
 {
  virtualisation.incus = {
    enable = true;
    ui.enable = true;
    preseed = {
      config = {
        "core.https_address" = "127.0.0.1:9999";
      };
      profiles = [
        {
          name = "default";
          devices = {
            eth0 = {
              name = "eth0";
              nictype = "bridged";
              parent = "wan";
              type = "nic";
            };
          };
        }
      ];
      storage_pools = [
        {
          name = "default";
          driver = "zfs";
          config = { source = "data/incus"; };
        }
      ];
    };
  };
 }
--- a/profiles/infra-net.nix
+++ b/profiles/infra-net.nix
@ -0,0 +1,217 @@
 { config, lib, ... }:
 let
  inherit (lib) mkOption types;
  cfg = config.infra-net;
  leafSubmodule = lib.types.submodule {
    options = {
      mac = mkOption {
        type = types.str;
        description = ''
          Adresse MAC de l'interface préexistante sur le réseau INFRA.
        '';
        example = "AA:BB:CC:DD:EE:FF";
      };
      id = mkOption {
        type = types.ints.between 1 65535;
        description = ''
          Identifiant de la machine dans le réseau INFRA.
        '';
        example = 194;
      };
    };
  };
  hubDefSubmodule = lib.type.submodule {
    options = {
      hid = mkOption {
        type = types.ints.between 1 255;
        description = ''
          Identifiant du concentrateur sur la maille WireGuard.
        '';
        example = 12;
      };
      public-key = mkOption {
        type = types.str;
        description = ''
          Clé publique WireGuard du concentrateur.
        '';
        example = "LwhiJgtHtYQT4Ug6tgD0RDlUhhNga5tIyiWN2A6dCnk=";
      };
      address = mkOption {
        type = types.str;
        description = ''
          Adresse IP publique du concentrateur.
        '';
        example = "1.2.3.4";
      };
      port = mkOption {
        type = types.port;
        description = ''
          Port WireGuard public du concentrateur.
        '';
        default = 51039;
        example = 51039;
      };
    };
  };
  hubSubmodule = lib.types.submodule {
    options = {
      name = mkOption {
        type = types.str;
        description = ''
          Nom d'hôte du concentrateur.
        '';
        default = config.networking.hostName;
      };
      all-hubs = mkOption {
        type = types.attrsOf hubDefSubmodule;
        description = ''
          Définitions de l'ensemble des concentrateurs.
        '';
      };
      private-key-path = mkOption {
        type = types.path;
        description = ''
          Chemin vers la clé privée WireGuard du concentrateur.
        '';
      };
      wg-port = mkOption {
        type = types.port;
        description = ''
          Port d'écoute WireGuard du concentrateur.
        '';
        default = 51039;
        example = 51039;
      };
      id = mkOption {
        type = types.ints.between 1 65535;
        description = ''
          Identifiant de la machine dans le réseau INFRA.
        '';
        example = 194;
      };
      mac = mkOption {
        type = types.str;
        description = ''
          Adresse MAC de l'interface virtuelle à du concentrateur sur
          le réseau INFRA.
        '';
        example = "AA:BB:CC:DD:EE:FF";
      };
    };
  };
  mkAddresses = id: let
    a = id / 256;
    b = id - 256 * a;
  in [
    "fd0a:66d3:1c19:42::${toString a}:${toString b}/64"
    "10.42.${toString a}.${toString b}/16"
  ];
  mkHubAddress = hub: "fd0a:66d3:1c19:1000::${toString hub.hid}";
  mkPeer = hub: {
    PublicKey = hub.public-key;
    Endpoint = "${hub.address}:${hub.port}";
    AllowedIPs = mkHubAddress hub;
  };
  vxlanPort = 4789;
  vni = 42;
  selfHub = cfg.hub.all-hubs."${cfg.hub.name}";
  otherHubs = lib.filterAttrs (n: _: n != cfg.hub.name) cfg.hub.all-hubs;
  mkBridgeFDB = hub: {
    MACAddress = "00:00:00:00:00:00";
    Destination = "${mkHubAddress hub}";
    VNI = vni;
  };
 in {
  options.infra-net = {
    leaf = mkOption {
      type = types.nullOr leafSubmodule;
      default = null;
      description = ''
        Configuration de l'interface d'une feuille du réseau INFRA.
      '';
    };
    hub = lib.mkOption {
      type = lib.types.nullOr hubSubmodule;
      default = null;
      description = ''
        Configuration des interfaces d'un concentrateur du réseau INFRA.
      '';
    };
  };
  config = let
    hubNetwork = {
      links = {
        "10-wg-infra" = {
          netdevConfig = {
            Name = "wg-infra";
            Kind = "wireguard";
          };
          wireguardConfig = {
            ListenPort = cfg.hub.wg-port;
            PrivateKey = "@wg-infra-key";
          };
          wireguardPeers = map mkPeer otherHubs;
        };
        "10-vxl-infra" = {
          netdevConfig = {
            Name = "vxl-infra";
            Kind = "vxlan";
          };
          vxlanConfig = {
            Local = mkHubAddress selfHub;
            VNI = vni;
            MacLearning = true;
            DestinationPort = vxlanPort;
          };
        };
        "10-br-infra".netdevConfig = {
          Name = "br-infra";
          Kind = "bridge";
          MACAddress = cfg.hub.mac;
        };
      };
      networks = {
        "10-wg-infra" = {
          matchConfig.Name = "wg-infra";
          networkConfig = {
            Address = "${mkHubAddress selfHub}/64";
            VXLAN = "vxl-infra";
          };
        };
        "10-vxl-infra" = {
          matchConfig.Name = "vxl-infra";
          networkConfig = {
            LinkLocalAddressing = false;
            Bridge = "br-infra";
          };
          bridgeFDBs = map mkBridgeFDB otherHubs;
        };
        "10-br-infra" = {
          matchConfig.Name = "br-infra";
          address = mkAddresses cfg.hub.id;
        };
      };
    };
    leafNetwork = {
      links."10-infra" = {
        matchConfig.MACAddress = cfg.leaf.mac;
        linkConfig.Name = "infra";
      };
      networks."10-infra" = {
        matchConfig.Name = "infra";
        address = mkAddresses cfg.leaf.id;
      };
    };
  in {
    systemd.network = lib.mkMerge [
      (lib.mkIf (cfg.hub != null) hubNetwork)
      (lib.mkIf (cfg.leaf != null) leafNetwork)
    ];
    systemd.services.systemd-networkd.serviceConfig.LoadCredential =
      lib.mkIf (cfg.hub != null)
      [ "wg-infra-key:${cfg.hub.private-key-path}" ];
  };
 }
--- a/profiles/irc-bot.nix
+++ b/profiles/irc-bot.nix
@ -1,4 +1,23 @@
-{ ... }: {
+{ config, ... }:
 let
  cfg = config.services.matrix-appservice-irc;
  bindPort = cfg.settings.ircService.mediaProxy.bindPort;
  upstreamUrl  = "http://127.0.0.1:${toString bindPort}";
 in {
  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    recommendedOptimisation = true;
    recommendedTlsSettings = true;
    recommendedGzipSettings = true;
    upstreams.matrix-irc.servers.${upstreamUrl} = { };
    virtualHosts."matrix-irc.federez.net" = {
      enableACME = true;
      forceSSL = true;
      locations."/".proxyPass = "http://matrix-irc";
    };
  };
  services.matrix-appservice-irc = {
    enable = true;
    registrationUrl = "http://127.0.0.1:8009";
@ -7,6 +26,8 @@
      homeserver.url = "https://matrix.federez.net";
      homeserver.domain = "federez.net";
      ircService.mediaProxy.publicUrl = "https://matrix-irc.federez.net/media";
      ircService.servers."irc.rezosup.org" = {
        name = "RezoSup";
        additionalAddresses = [ ];
--- a/profiles/vogon.nix
+++ b/profiles/vogon.nix
@ -0,0 +1,196 @@
 { config, pkgs, ... }:
 {
  age.secrets = {
    vogon-wg-infra-key = {
      file = ../secrets/vogon-wg-infra-key.age;
      owner = "root";
      group = "root";
    };
  };
  systemd.services.systemd-networkd.serviceConfig.LoadCredential = [
    "wg-infra-key:${config.age.secrets.vogon-wg-infra-key.path}"
  ];
  environment.systemPackages = [ pkgs.wireguard-tools ];
  # FIXME I suck. I didn't manage to configure a working ZFS rootfs with disko
  # It was 1 AM, and the server had to be up and running quickly, so I
  # partitioned the server manually
  fileSystems = {
    "/" = {
      device = "rpool/root";
      fsType = "zfs";
    };
    "/boot1" = {
      device = "/dev/disk/by-uuid/F121-2F47";
      fsType = "vfat";
      options = [ "fmask=0077" "dmask=0077" ];
    };
    "/boot2" = {
      device = "/dev/disk/by-uuid/F167-8DD8";
      fsType = "vfat";
      options = [ "fmask=0077" "dmask=0077" ];
    };
  };
  boot.zfs.extraPools = [ "data" ];
  # We use Grub because systemd-boot does not seem to have a simple equivalent
  # of mirroredBoots
  boot.loader.grub = {
    enable = true;
    efiSupport = true;
    zfsSupport = true; # FIXME useless?
    mirroredBoots = [
      { devices = [ "nodev" ]; path = "/boot1"; efiSysMountPoint = "/boot1"; }
      { devices = [ "nodev" ]; path = "/boot2"; efiSysMountPoint = "/boot2"; }
    ];
  };
  boot.loader.efi.canTouchEfiVariables = true;
  boot.initrd.kernelModules = [ ];
  boot.initrd.availableKernelModules = [
    "ahci"
    "ehci_pci"
    "megaraid_sas"
    "usbhid"
    "usb_storage"
    "sd_mod"
    "sr_mod"
  ];
  systemd.network.links = {
    "10-phy1" = {
      matchConfig.MACAddress = "18:66:da:75:da:04";
      linkConfig.Name = "phy1";
    };
    "10-phy2" = {
      matchConfig.MACAddress = "18:66:da:75:da:05";
      linkConfig.Name = "phy2";
    };
  };
  systemd.network.netdevs = {
    "10-wan".netdevConfig = {
      Name = "wan";
      Kind = "bridge";
    };
    "10-bond" = {
      netdevConfig = {
        Name = "bond";
        Kind = "bond";
      };
      bondConfig.Mode = "802.3ad";
    };
    "10-br-infra".netdevConfig = {
      Name = "br-infra";
      Kind = "bridge";
    };
    "10-vxl-infra" = {
      netdevConfig = {
        Name = "vxl-infra";
        Kind = "vxlan";
      };
      vxlanConfig = {
        Local = "fd0a:66d3:1c19:1000::1";
        VNI = 42;
        MacLearning = true;
        DestinationPort = 4789;
      };
    };
    "10-wg-infra" = {
      netdevConfig = {
        Name = "wg-infra";
        Kind = "wireguard";
      };
      wireguardConfig = {
        ListenPort = 51039;
        PrivateKey = "@wg-infra-key";
      };
      wireguardPeers = [
        {
          PublicKey = "A+tXWigWNzrj0zAyg0MCSgP53ngH3kNsP5m8E+JbDmA=";
          Endpoint = "89.234.162.224:51039";
          AllowedIPs = [ "fd0a:66d3:1c19:1000::2" ];
        }
        {
          PublicKey = "77IPc//p+mSl1yeapuDd4tIZDRp5acOTmBF5V7dG4BA=";
          Endpoint = "137.194.12.129:51039";
          AllowedIPs = [ "fd0a:66d3:1c19:1000::3" ];
        }
        {
          PublicKey = "tUonMgyYxE5l1aee7iSBR6AwmuhITk3ystPhouUAMBc=";
          Endpoint = "193.48.225.201:51039";
          AllowedIPs = [ "fd0a:66d3:1c19:1000::4" ];
        }
      ];
    };
  };
  systemd.network.networks = {
    "10-phy1" = {
      matchConfig.Name = "phy1";
      networkConfig.Bond = "bond";
    };
    "10-phy2" = {
      matchConfig.Name = "phy2";
      networkConfig.Bond = "bond";
    };
    "10-bond" = {
      matchConfig.Name = "bond";
      networkConfig.Bridge = "wan";
    };
    "10-wan" = {
      matchConfig.Name = "wan";
      address = [ "193.54.193.161/28" ];
      routes = [
        {
          Gateway = "193.54.193.174";
        }
      ];
    };
    "10-br-infra" = {
      matchConfig.Name = "br-infra";
      address = [
        "fd0a:66d3:1c19:42::1/64"
        "10.42.0.1/16"
      ];
    };
    "10-vxl-infra" = {
      matchConfig.Name = "vxl-infra";
      networkConfig = {
        Bridge = "br-infra";
        LinkLocalAddressing = false;
      };
      bridgeFDBs = [
        {
          MACAddress = "00:00:00:00:00:00";
          Destination = "fd0a:66d3:1c19:1000::2";
          VNI = 42;
        }
        {
          MACAddress = "00:00:00:00:00:00";
          Destination = "fd0a:66d3:1c19:1000::3";
          VNI = 42;
        }
        {
          MACAddress = "00:00:00:00:00:00";
          Destination = "fd0a:66d3:1c19:1000::4";
          VNI = 42;
        }
      ];
    };
    "10-wg-infra" = {
      matchConfig.Name = "wg-infra";
      networkConfig = {
        Address = "fd0a:66d3:1c19:1000::1/64";
        VXLAN = "vxl-infra";
      };
    };
  };
 }
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -8,6 +8,7 @@ let
  pendragon = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILrJwgqLnGuUpUFacXLphiu8vUthVD4mA4a3Uytl5eSD root@pendragon";
  perdrigon = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIChtLzQ2YhAzJWFhuq4rdenxMFCNGD00PTwmmyjE8PM0 root@perdrigon";
  martagon = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINX93idUkaicbyQMOS6EurPdzHpxeza1z7vP6n3+W+mK root@martagon";
  vogon = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN4ScFlg1WgXiSOwP0DZRuJ4/BwTsHapDTR1U7/+xQT7 root@vogon";
  # Add yourself.
  raito = readKeyFile ../pubkeys/raito.keys;
  bensmrs = readKeyFile ../pubkeys/bensmrs.keys;
@ -23,6 +24,7 @@ let
  discourse-admins = active-admins;
  indico-admins = active-admins;
  grafana-admins = active-admins;
  wg-admins = active-admins;
  servers = [ estragon wagon lagon klingon aragon pendragon perdrigon martagon ];
 in
  {
@ -38,4 +40,5 @@ in
    "indico-mail-password.age".publicKeys = [ perdrigon ] ++ indico-admins;
    "grafana-admin-password.age".publicKeys = [ martagon ] ++ grafana-admins;
    "grafana-secret-key.age".publicKeys = [ martagon ] ++ grafana-admins;
    "vogon-wg-infra-key.age".publicKeys = [ vogon ] ++ wg-admins;
  }
--- a/secrets/vogon-wg-infra-key.age
+++ b/secrets/vogon-wg-infra-key.age