From 8ced91a2856076d0c3e7b63c2a1e992a516e4801 Mon Sep 17 00:00:00 2001 From: h7x4 Date: Thu, 30 Nov 2023 19:42:05 +0100 Subject: [PATCH] hosts/buskerud: init Co-authored-by: Felix Albrigtsen --- flake.nix | 6 ++ hosts/buskerud/configuration.nix | 50 ++++++++++ hosts/buskerud/hardware-configuration.nix | 37 +++++++ hosts/buskerud/services/openvpn-client.nix | 109 +++++++++++++++++++++ values.nix | 7 ++ 5 files changed, 209 insertions(+) create mode 100644 hosts/buskerud/configuration.nix create mode 100644 hosts/buskerud/hardware-configuration.nix create mode 100644 hosts/buskerud/services/openvpn-client.nix diff --git a/flake.nix b/flake.nix index 97eabd2..9cd4200 100644 --- a/flake.nix +++ b/flake.nix @@ -111,6 +111,12 @@ inputs.grzegorz-clients.nixosModules.grzegorz-webui ]; }; + buskerud = stableNixosConfig "buskerud" { + modules = [ + ./hosts/buskerud/configuration.nix + sops-nix.nixosModules.sops + ]; + }; }; devShells = forAllSystems (system: { diff --git a/hosts/buskerud/configuration.nix b/hosts/buskerud/configuration.nix new file mode 100644 index 0000000..0c0ffb0 --- /dev/null +++ b/hosts/buskerud/configuration.nix 
@@ -0,0 +1,50 @@ +{ config, pkgs, values, ... }: +{ + imports = [ + # Include the results of the hardware scan. + ./hardware-configuration.nix + ../../base.nix + ../../misc/metrics-exporters.nix + + ./services/openvpn-client.nix + ]; + + # buskerud does not support efi? + # boot.loader.systemd-boot.enable = true; + # boot.loader.efi.canTouchEfiVariables = true; + boot.loader.grub.enable = true; + boot.loader.grub.device = "/dev/sda"; + + networking.hostName = "buskerud"; + networking.search = [ "pvv.ntnu.no" "pvv.org" ]; + networking.nameservers = [ "129.241.0.200" "129.241.0.201" ]; + networking.tempAddresses = "disabled"; + + systemd.network.networks."enp3s0f0" = values.defaultNetworkConfig // { + matchConfig.Name = "enp3s0f0"; + address = with values.hosts.buskerud; [ (ipv4 + "/25") (ipv6 + "/64") ]; + }; + + # Buskerud should use the default gateway received from DHCP + networking.interfaces.enp14s0f1.useDHCP = true; + + # networking.interfaces.tun = { + # virtual = true; + # ipv4.adresses = [ {address="129.241.210.252"; prefixLength=25; } ]; + # }; + + # List packages installed in system profile + environment.systemPackages = with pkgs; [ + ]; + + # List services that you want to enable: + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "23.05"; # Did you read the comment? + +} diff --git a/hosts/buskerud/hardware-configuration.nix b/hosts/buskerud/hardware-configuration.nix new file mode 100644 index 0000000..da0c5b5 --- /dev/null +++ b/hosts/buskerud/hardware-configuration.nix 
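Review bot: `networking.interfaces.enp14s0f1.useDHCP = true` drives the uplink through the legacy scripted-networking options, while the same interface also receives a `systemd.network.networks."enp14s0f1"` unit in ./services/openvpn-client.nix that carries no DHCP= setting, so which stack actually brings the interface up and whether that unit's knutsen route is applied depends on `networking.useNetworkd` from base.nix, which is outside this patch. If networkd is the stack in use, the intent stated in the comment above the line is clearer as `systemd.network.networks."enp14s0f1".networkConfig.DHCP = "ipv4";` placed beside the `DefaultRouteOnDevice = true` line, and the `networking.interfaces` line can go. The generated hardware-configuration.nix in this patch also leaves `networking.useDHCP = lib.mkDefault true`, so it is worth confirming that the bridge ports enp3s0f1 and tap0 do not pick up leases from whatever is on the far side of the tunnel; `networking.useDHCP = false;` in this file would limit DHCP to the interfaces declared explicitly.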
@@ -0,0 +1,37 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ata_piix" "hpsa" "usb_storage" "usbhid" "sd_mod" "sr_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/ed9654fe-575a-4fb3-b6ff-1b059479acff"; + fsType = "ext4"; + }; + + swapDevices = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp14s0f0.useDHCP = lib.mkDefault true; + # networking.interfaces.enp14s0f1.useDHCP = lib.mkDefault true; + # networking.interfaces.enp3s0f0.useDHCP = lib.mkDefault true; + # networking.interfaces.enp3s0f1.useDHCP = lib.mkDefault true; + # networking.interfaces.enp4s0f0.useDHCP = lib.mkDefault true; + # networking.interfaces.enp4s0f1.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/hosts/buskerud/services/openvpn-client.nix b/hosts/buskerud/services/openvpn-client.nix new file mode 100644 index 0000000..8b22425 --- /dev/null +++ b/hosts/buskerud/services/openvpn-client.nix 
@@ -0,0 +1,109 @@ +{ lib, values, ... }: +{ + services.openvpn.servers."ov-tunnel" = { + config = let + conf = { + # TODO: use aliases + client = true; + dev = "tap"; + proto = "udp"; + #remote = "129.241.210.253 1194"; + remote = "129.241.210.191 1194"; + + resolv-retry = "infinite"; + nobind = true; + + ca = "/etc/openvpn/ca.pem"; + cert = "/etc/openvpn/crt.pem"; + key = "/etc/openvpn/key.pem"; + remote-cert-tls = "server"; + cipher = "none"; + + user = "nobody"; + group = "nobody"; + + status = "/var/log/openvpn-status.log"; + + persist-key = true; + persist-tun = true; + + verb = 5; + + # script-security = 2; + # up = "systemctl restart rwhod"; + }; + in lib.pipe conf [ + (lib.filterAttrs (_: value: !(builtins.isNull value || value == false))) + (builtins.mapAttrs (_: value: + if builtins.isList value then builtins.concatStringsSep " " (map toString value) + else if value == true then value + else if builtins.any (f: f value) [ + builtins.isString + builtins.isInt + builtins.isFloat + lib.isPath + lib.isDerivation + ] then toString value + else throw "Unknown value in buskerud openvpn config, deading now\n${value}" + )) + (lib.mapAttrsToList (name: value: if value == true then name else "${name} ${value}")) + (builtins.concatStringsSep "\n") + (x: x + "\n\n") + ]; + }; + + systemd.network.networks."enp14s0f1" = { + matchConfig.Name = "enp14s0f1"; + networkConfig = { + DefaultRouteOnDevice = true; + }; + routes = [ + { routeConfig = { + Type = "unicast"; + Destination = values.hosts.knutsen.ipv4 + "/32"; + Metric = 50; + }; + } + ]; + }; + + systemd.network.netdevs."br0" = { + netdevConfig = { + Kind = "bridge"; + Name = "br0"; + }; + }; + + systemd.network.networks."br0" = { + matchConfig.Name = "br0"; + routes = [ + { routeConfig = { + Type = "unicast"; + Destination = values.ipv4-space; + Metric = 100; + }; + } + ]; + }; + + systemd.network.networks."enp3s0f0" = { + matchConfig.Name = "enp3s0f0"; + networkConfig.DefaultRouteOnDevice = false; + }; + + 
systemd.network.networks."enp3s0f1" = { + matchConfig.Name = "enp3s0f1"; + bridge = [ "br0" ]; + }; + + systemd.network.networks."tap0" = { + matchConfig.Name = "tap0"; + bridge = [ "br0" ]; + }; + + #networking.nat = { + # enable = true; + # externalInterface = "enp14s0f1"; + # internalInterfaces = [ "tun" ]; + #}; +} diff --git a/values.nix b/values.nix index d69cdee..2ff1c51 100644 --- a/values.nix +++ b/values.nix @@ -41,6 +41,9 @@ in rec { ipv4 = "129.241.152.254"; # ipv6 = ; }; + knutsen = { + ipv4 = pvv-ipv4 191; + }; shark = { ipv4 = pvv-ipv4 196; ipv6 = pvv-ipv6 196; @@ -53,6 +56,10 @@ in rec { ipv4 = pvv-ipv4 204; ipv6 = pvv-ipv6 "1:4f"; # Wtf øystein og daniel why }; + buskerud = { + ipv4 = pvv-ipv4 231; + ipv6 = pvv-ipv6 231; + }; }; defaultNetworkConfig = {
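Review bot: `cipher = "none"` in the `conf` attrset disables data-channel encryption, so the Ethernet frames bridged through tap0/br0 cross the UDP tunnel to 129.241.210.191 unencrypted, with TLS protecting only the control channel and peer authentication. If that is deliberate it should be stated on the line, e.g. `# cipher none: payload is authenticated but not encrypted; only acceptable because the path to the peer is trusted`; otherwise drop the line and let the peers negotiate an AEAD cipher, bearing in mind that recent OpenVPN releases warn about or refuse a data channel without encryption. The `ca`, `cert` and `key` files under /etc/openvpn/ are not declared anywhere in the patch even though flake.nix imports sops-nix for this host, so the private key's provenance and permissions are undocumented; managing key.pem as a sops secret and pointing `key` at its path would make that explicit. `group = "nobody"` is also worth checking, since the group OpenVPN drops to must exist on the host and the default group of the nobody user on NixOS appears to be nogroup rather than nobody.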