From 07d9997fff01a691de0fcc8be620611495224cbf Mon Sep 17 00:00:00 2001
From: h7x4
Date: Sat, 4 Nov 2023 21:28:09 +0100
Subject: [PATCH] WIP: grevling/tuba: init

---
 flake.nix | 14 ++++
 hosts/grevling/configuration.nix | 36 ++++++++++
 hosts/grevling/hardware-configuration.nix | 40 +++++++++++
 hosts/grevling/services/openvpn/default.nix | 77 +++++++++++++++++++++
 hosts/grevling/services/openvpn/ipp.txt | 0
 hosts/tuba/configuration.nix | 36 ++++++++++
 hosts/tuba/hardware-configuration.nix | 40 +++++++++++
 hosts/tuba/services/openvpn/default.nix | 54 +++++++++++++++
 values.nix | 14 ++++
 9 files changed, 311 insertions(+)
 create mode 100644 hosts/grevling/configuration.nix
 create mode 100644 hosts/grevling/hardware-configuration.nix
 create mode 100644 hosts/grevling/services/openvpn/default.nix
 create mode 100644 hosts/grevling/services/openvpn/ipp.txt
 create mode 100644 hosts/tuba/configuration.nix
 create mode 100644 hosts/tuba/hardware-configuration.nix
 create mode 100644 hosts/tuba/services/openvpn/default.nix

diff --git a/flake.nix b/flake.nix
index ed131af..3a15e12 100644
--- a/flake.nix
+++ b/flake.nix
@@ -99,6 +99,20 @@
 inputs.grzegorz-clients.nixosModules.grzegorz-webui
 ];
 };
+
+ grevling = stableNixosConfig "grevling" {
+ modules = [
+ ./hosts/grevling/configuration.nix
+ sops-nix.nixosModules.sops
+ ];
+ };
+
+ tuba = stableNixosConfig "grevling" {
+ modules = [
+ ./hosts/tuba/configuration.nix
+ sops-nix.nixosModules.sops
+ ];
+ };
 };

 devShells = forAllSystems (system: {
diff --git a/hosts/grevling/configuration.nix b/hosts/grevling/configuration.nix
new file mode 100644
index 0000000..c387426
--- /dev/null
+++ b/hosts/grevling/configuration.nix
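Review bot: The `tuba` entry is built with `stableNixosConfig "grevling" {`, a copy-paste slip that hands the grevling name to the tuba host; it should read `tuba = stableNixosConfig "tuba" {`. What the name argument controls depends on stableNixosConfig, which is defined outside this hunk, but the two hosts share nothing else, so an identical name is unlikely to be intended.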
@@ -0,0 +1,36 @@
+{ config, pkgs, values, ... }:
+{
+ imports = [
+ # Include the results of the hardware scan.
+ ./hardware-configuration.nix
+ ../../base.nix
+ ../../misc/metrics-exporters.nix
+
+ ./services/openvpn
+ ];
+
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ networking.hostName = "grevling";
+
+ # systemd.network.networks."30-eno1" = values.defaultNetworkConfig // {
+ # matchConfig.Name = "eno1";
+ # address = with values.hosts.georg; [ (ipv4 + "/25") (ipv6 + "/64") ];
+ # };
+
+ # List packages installed in system profile
+ environment.systemPackages = with pkgs; [
+ ];
+
+ # List services that you want to enable:
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "23.05"; # Did you read the comment?
+
+}
diff --git a/hosts/grevling/hardware-configuration.nix b/hosts/grevling/hardware-configuration.nix
new file mode 100644
index 0000000..967d0ec
--- /dev/null
+++ b/hosts/grevling/hardware-configuration.nix
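Review bot: The commented-out `systemd.network.networks."30-eno1"` block still reads `with values.hosts.georg;`, although this patch adds a `values.hosts.grevling` entry (ipv4 198) to values.nix; if the block is meant to be enabled later it should be switched to `with values.hosts.grevling;` now, so the host cannot come up with georg's addresses by a stray uncomment. The same leftover is in hosts/tuba/configuration.nix. Until static addressing is enabled the host presumably relies on the `networking.useDHCP = lib.mkDefault true;` from the generated hardware file (base.nix is not in this patch, so that is unconfirmed); a one-line comment above the block saying so would save the next reader the search.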
@@ -0,0 +1,40 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/33825f0d-5a63-40fc-83db-bfa1ebb72ba0"; + fsType = "ext4"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/145E-7362"; + fsType = "vfat"; + }; + + swapDevices = + [ { device = "/dev/disk/by-uuid/7ed27e21-3247-44cd-8bcc-5d4a2efebf57"; } + ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.eno1.useDHCP = lib.mkDefault true; + # networking.interfaces.enp2s2.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/hosts/grevling/services/openvpn/default.nix b/hosts/grevling/services/openvpn/default.nix new file mode 100644 index 0000000..ecd4251 --- /dev/null +++ b/hosts/grevling/services/openvpn/default.nix 
@@ -0,0 +1,77 @@
+{ pkgs, lib, values, ... }:
+{
+ services.openvpn.servers."ov-tunnel" = {
+ config = let
+ conf = {
+ # TODO: use aliases
+ local = "129.241.210.191";
+ port = 1194;
+ proto = "udp";
+ dev = "tap";
+
+ # TODO: set up
+ ca = "";
+ cert = "";
+ key = "";
+ dh = "";
+
+ # Maintain a record of client <-> virtual IP address
+ # associations in this file. If OpenVPN goes down or
+ # is restarted, reconnecting clients can be assigned
+ # the same virtual IP address from the pool that was
+ # previously assigned.
+ ifconfig-pool-persist = ./ipp.txt;
+
+ server-bridge = builtins.concatStringsSep " " [
+ "129.241.210.129"
+ "255.255.255.128"
+ "129.241.210.253"
+ "129.241.210.254"
+ ];
+
+ keepalive = "10 120";
+ cipher = "none";
+
+ user = "nobody";
+ group = "nobody";
+
+ status = "/var/log/openvpn-status.log";
+
+ client-config-dir = pkgs.writeTextDir "tuba" ''
+ # Sett IP-adr. for tap0 til tubas PVV-adr.
+ ifconfig-push ${values.services.tuba-tap} 255.255.255.128
+ # Hvordan skal man faa dette til aa funke, tro?
+ #ifconfig-ipv6-push 2001:700:300:1900::xxx/64
+
+ # La tuba bruke std. PVV-gateway til all trafikk (unntatt
+ # VPN-tunnellen).
+ push "redirect-gateway"
+ '';
+
+ persist-key = true;
+ persist-tun = true;
+
+ verb = 5;
+
+ explicit-exit-notify = 1;
+ };
+ in lib.pipe conf [
+ (lib.filterAttrs (_: value: !(builtins.isNull value || value == false)))
+ (builtins.mapAttrs (_: value:
+ if builtins.isList value then builtins.concatStringsSep " " (map toString value)
+ else if value == true then value
+ else if builtins.any (f: f value) [
+ builtins.isString
+ builtins.isInt
+ builtins.isFloat
+ lib.isPath
+ lib.isDerivation
+ ] then toString value
+ else throw "Unknown value in grevling openvpn config, deading now\n${value}"
+ ))
+ (lib.mapAttrsToList (name: value: if value == true then name else "${name} ${value}"))
+ (builtins.concatStringsSep "\n")
+ (x: x + "\n\n")
+ ];
+ };
+}
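Review bot: `ifconfig-push ${values.services.tuba-tap} 255.255.255.128` in the client-config-dir text interpolates an attribute set, because this same patch defines `tuba-tap = { ipv4 = pvv-ipv4 252; };` in values.nix; Nix cannot coerce a set to a string, so evaluation fails until the line reads `ifconfig-push ${values.services.tuba-tap.ipv4} 255.255.255.128`. The empty `ca`/`cert`/`key`/`dh` strings pass `filterAttrs` (it drops only null and false) and are rendered as bare `ca`, `cert`, `key`, `dh` lines, so the generated config is invalid rather than merely incomplete; `null` placeholders would let the filter do its job, and when the material exists it should be referenced via sops-nix (`config.sops.secrets.<name>.path`; the module is already in this host's module list in flake.nix) rather than as a file in the repository, whose flake source copy lands in the world-readable Nix store. `ifconfig-pool-persist = ./ipp.txt` is rendered with `toString`, which under flake evaluation yields a path inside the read-only store copy of the repo, yet OpenVPN writes this file at runtime, so it needs a writable location such as a file under `/var/lib/openvpn/`. `cipher = "none"` declares the data-channel cipher as none on a tap bridge that, given the pushed `redirect-gateway`, carries all of tuba's traffic; whether encryption is actually disabled depends on the cipher negotiation of the OpenVPN version in use, but the line signals an unencrypted tunnel and should either be justified in a comment or dropped so the default negotiation stands. The empty secrets and `cipher = "none"` recur in hosts/tuba/services/openvpn/default.nix.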
diff --git a/hosts/grevling/services/openvpn/ipp.txt b/hosts/grevling/services/openvpn/ipp.txt
new file mode 100644
index 0000000..e69de29
diff --git a/hosts/tuba/configuration.nix b/hosts/tuba/configuration.nix
new file mode 100644
index 0000000..4af7ea5
--- /dev/null
+++ b/hosts/tuba/configuration.nix
@@ -0,0 +1,36 @@
+{ config, pkgs, values, ... }:
+{
+ imports = [
+ # Include the results of the hardware scan.
+ ./hardware-configuration.nix
+ ../../base.nix
+ ../../misc/metrics-exporters.nix
+
+ ./services/openvpn
+ ];
+
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ networking.hostName = "tuba";
+
+ # systemd.network.networks."30-eno1" = values.defaultNetworkConfig // {
+ # matchConfig.Name = "eno1";
+ # address = with values.hosts.georg; [ (ipv4 + "/25") (ipv6 + "/64") ];
+ # };
+
+ # List packages installed in system profile
+ environment.systemPackages = with pkgs; [
+ ];
+
+ # List services that you want to enable:
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "23.05"; # Did you read the comment?
+
+}
diff --git a/hosts/tuba/hardware-configuration.nix b/hosts/tuba/hardware-configuration.nix
new file mode 100644
index 0000000..967d0ec
--- /dev/null
+++ b/hosts/tuba/hardware-configuration.nix
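Review bot: The `./hardware-configuration.nix` imported here is, judging by the index line, the very same blob as grevling's (`index 0000000..967d0ec` on both), with identical root, boot and swap UUIDs (`33825f0d-5a63-40fc-83db-bfa1ebb72ba0`, `145E-7362`, `7ed27e21-3247-44cd-8bcc-5d4a2efebf57`); that is unlikely to be right for two separate machines, so tuba presumably needs its own `nixos-generate-config` output before it can boot at all. The commented `systemd.network` block also still references `values.hosts.georg` instead of the `values.hosts.tuba` entry this patch adds.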
@@ -0,0 +1,40 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/33825f0d-5a63-40fc-83db-bfa1ebb72ba0"; + fsType = "ext4"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/145E-7362"; + fsType = "vfat"; + }; + + swapDevices = + [ { device = "/dev/disk/by-uuid/7ed27e21-3247-44cd-8bcc-5d4a2efebf57"; } + ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.eno1.useDHCP = lib.mkDefault true; + # networking.interfaces.enp2s2.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/hosts/tuba/services/openvpn/default.nix b/hosts/tuba/services/openvpn/default.nix new file mode 100644 index 0000000..d3fea99 --- /dev/null +++ b/hosts/tuba/services/openvpn/default.nix 
@@ -0,0 +1,54 @@
+{ lib, values, ... }:
+{
+ services.openvpn.servers."ov-tunnel" = {
+ config = let
+ conf = {
+ # TODO: use aliases
+ client = true;
+ dev = "tap";
+ proto = "udp";
+ remote = "129.241.210.191 1194";
+
+ resolv-retry = "infinite";
+ nobind = true;
+
+ # # TODO: set up
+ ca = "";
+ cert = "";
+ key = "";
+ remote-cert-tls = "server";
+ cipher = "none";
+
+ user = "nobody";
+ group = "nobody";
+
+ status = "/var/log/openvpn-status.log";
+
+ persist-key = true;
+ persist-tun = true;
+
+ verb = 5;
+
+ # script-security = 2;
+ # up = "systemctl restart rwhod";
+ };
+ in lib.pipe conf [
+ (lib.filterAttrs (_: value: !(builtins.isNull value || value == false)))
+ (builtins.mapAttrs (_: value:
+ if builtins.isList value then builtins.concatStringsSep " " (map toString value)
+ else if value == true then value
+ else if builtins.any (f: f value) [
+ builtins.isString
+ builtins.isInt
+ builtins.isFloat
+ lib.isPath
+ lib.isDerivation
+ ] then toString value
+ else throw "Unknown value in tuba openvpn config, deading now\n${value}"
+ ))
+ (lib.mapAttrsToList (name: value: if value == true then name else "${name} ${value}"))
+ (builtins.concatStringsSep "\n")
+ (x: x + "\n\n")
+ ];
+ };
+}
diff --git a/values.nix b/values.nix
index fdd9093..2ee10cb 100644
--- a/values.nix
+++ b/values.nix
@@ -21,6 +21,12 @@ in rec {
 ipv4 = pvv-ipv4 213;
 ipv6 = pvv-ipv6 213;
 };
+ grevling-tap = {
+ ipv4 = pvv-ipv4 251;
+ };
+ tuba-tap = {
+ ipv4 = pvv-ipv4 252;
+ };
 };

 hosts = {
@@ -49,6 +55,14 @@ in rec {
 ipv4 = pvv-ipv4 204;
 ipv6 = pvv-ipv6 "1:4f"; # Wtf øystein og daniel why
 };
+ grevling = {
+ ipv4 = pvv-ipv4 198;
+ ipv6 = pvv-ipv6 198;
+ };
+ tuba = {
+ ipv4 = pvv-ipv4 199;
+ ipv6 = pvv-ipv6 199;
+ };
 };

 defaultNetworkConfig = {
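Review bot: The client authenticates the server through `remote-cert-tls = "server"` alone; since `dev = "tap"` plus the server-side `push "redirect-gateway"` makes this tunnel tuba's default route, a control-channel key (`tls-crypt` pointing at a sops-managed file, with the matching line on the grevling side) would reject unauthenticated handshakes before the TLS layer and is the usual hardening for a server listening on a public address. `user = "nobody"; group = "nobody";` is doubtful on NixOS, where the `nobody` user's primary group is normally `nogroup`; unless a `nobody` group is defined elsewhere in this configuration, OpenVPN's privilege drop will fail at startup, so `group = "nogroup";` is probably what is wanted here and in the grevling server config. The `# script-security = 2;` and `# up = "systemctl restart rwhod";` lines are commented-out code and read better as a single TODO. The `lib.pipe` renderer is a line-for-line copy of the one in hosts/grevling/services/openvpn/default.nix, differing only in the throw message; lifting it into a shared helper would keep the two from drifting.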