0xa/nix-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

oxalab: init

Browse source
This commit is contained in:
Grigory Shipunov 2022-06-18 11:49:27 +02:00
parent 16da95bca0
commit 121e2f5004
Signed by: 0xa
GPG key ID: 91FA5E5BF9AA901C
11 changed files with 170 additions and 14 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
.sops.yaml
View file

@ -2,6 +2,7 @@ keys:
- &admin_oxa DD0998E6CDF294537FC604F991FA5E5BF9AA901C
- &microwave age1eysr2m8ust6gq9jk88lpzzcy8gdrzlts69zlfqul766t6gvqw9qq24z68l
- &cirrus age1qm70jkg7us4ft4x3nh7kwxlul022kteescjj83ywvjhysj6nsq5sw7l6p8
- &dishwasher age1cxlskqynwl5njjm0qf363308dsjwxjq59rq7pn6ucpscpzpvry4qwtpx73
creation_rules:
- path_regex: secrets/microwave/[^/]+\.yaml$
key_groups:
@ -15,3 +16,9 @@ creation_rules:
- *admin_oxa
age:
- *cirrus
- path_regex: secrets/dishwasher/[^/]+\.yaml$
key_groups:
- pgp:
- *admin_oxa
age:
- *dishwasher

6
flake.nix
View file

@ -39,7 +39,7 @@
system = "x86_64-linux";
modules = [
sops-nix.nixosModules.sops
./hosts/cirrus/configuration.nix
./hosts/cirrus
./modules/basic-tools.nix
];
};
@ -47,8 +47,8 @@
system = "x86_64-linux";
modules = [
sops-nix.nixosModules.sops
#microvm.nixosModules.host
./hosts/dishwasher/configuration.nix
microvm.nixosModules.host
./hosts/dishwasher
./modules/basic-tools.nix
];
};

7
hosts/cirrus/configuration.nix
View file

@ -5,11 +5,6 @@
{ config, pkgs, ... }:
{
imports =
[ # Include the results of the hardware scan.
./hardware-configuration.nix
];
# Use the GRUB 2 boot loader.
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
@ -27,7 +22,7 @@
networks."uplink" = {
matchConfig = { Name = "enp1s0"; };
networkConfig = {
DHCP="yes";
DHCP="yes"; # hetzner suggests this as default
};
};
};

8
hosts/cirrus/default.nix Normal file
View file

@ -0,0 +1,8 @@
{
imports = [
./hardware-configuration.nix
./configuration.nix
./secrets.nix
./wireguard-server.nix
];
}

43
hosts/cirrus/wireguard-server.nix Normal file
View file

@ -0,0 +1,43 @@
{ config, ... }:
{
systemd.network = {
netdevs."oxalab" = {
netdevConfig = {
Kind = "wireguard";
Name = "oxalab";
Description = "oxa's enterprise network";
};
wireguardConfig = {
PrivateKeyFile = config.sops.secrets."wg/oxalab-seckey".path;
ListenPort = 51820;
# own pubkey: 5nCVC21BL+1r70OGwA4Q6Z/gcPLC3+ZF8sTurdn7N0E=
};
wireguardPeers = [
{
# microwave
wireguardPeerConfig = {
# nextcloud down, have to keep things in here: https://www.youtube.com/watch?v=1c6v7j1TUBI
PublicKey = "0zpfcNrmbsNwwbnDDX4SMl4BVTB0zuhGKixT9TJQoHc=";
AllowedIPs = [ "10.66.66.10/32" ];
PersistentKeepalive = 25;
};
}
{
# Dishwasher
wireguardPeerConfig = {
# nextcloud down, have to keep things in here: https://www.youtube.com/watch?v=1c6v7j1TUBI
PublicKey = "xrremJFIcxwR6snoTUK+mytjez60I91XE120OQGQ7gc=";
AllowedIPs = [ "10.66.66.100/32" ];
PersistentKeepalive = 25;
};
}
];
};
networks."oxalab" = {
matchConfig.Name = "oxalab";
networkConfig = {
Address = "10.13.37.1";
};
};
};
}

8
hosts/dishwasher/default.nix Normal file
View file

@ -0,0 +1,8 @@
{
imports = [
./configuration.nix
./hardware-configuration.nix
./secrets.nix
./oxalab.nix
];
}

32
hosts/dishwasher/oxalab.nix Normal file
View file

@ -0,0 +1,32 @@
{ config, ... }:
{
systemd.network = {
netdevs."oxalab" = {
netdevConfig = {
Kind = "wireguard";
Name = "oxalab";
Description = "oxa's enterprise network";
};
wireguardConfig = {
PrivateKeyFile = config.sops.secrets."wg/oxalab-seckey".path;
};
wireguardPeers = [
{
# cirrus
wireguardPeerConfig = {
PublicKey = "5nCVC21BL+1r70OGwA4Q6Z/gcPLC3+ZF8sTurdn7N0E=";
AllowedIPs = [ "10.66.66.0/24" ];
Endpoint = [ "95.216.166.21:51820" ];
PersistentKeepalive = 25;
};
}
];
};
networks."oxalab" = {
matchConfig.Name = "oxalab";
networkConfig = {
Address = "10.13.37.100";
};
};
};
}

9
hosts/dishwasher/secrets.nix Normal file
View file

@ -0,0 +1,9 @@
{ config, ... }:
{
sops.defaultSopsFile = ../../secrets/dishwasher/secrets.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.secrets = {
"wg/oxalab-seckey" = { };
};
}

3
hosts/microwave/secrets.nix
View file

@ -1,11 +1,12 @@
{ config, ... }:
{
sops.defaultSopsFile = ../../secrets/secrets.yaml;
sops.defaultSopsFile = ../../secrets/microwave/secrets.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.secrets = {
"wg/wg-zw-seckey" = { };
"wg/wg-dvb-seckey" = { };
"wg/mlwd-nl-seckey" = { };
"wg/oxalab-seckey" = { };
};
}

19
modules/wireguard.nix
View file

@ -14,18 +14,17 @@
}
];
};
wg-dvb = {
privateKeyFile = config.sops.secrets."wg/wg-dvb-seckey".path;
address = [ "10.13.37.3/32" ];
peers = [
{
peers = [ {
publicKey = "WDvCObJ0WgCCZ0ORV2q4sdXblBd8pOPZBmeWr97yphY=";
allowedIPs = [ "10.13.37.0/24" ];
endpoint = "academicstrokes.com:51820";
persistentKeepalive = 25;
}
];
} ];
};
mlwd-nl = {
@ -39,5 +38,17 @@
endpoint = "92.60.40.194:51820";
}];
};
oxalab = {
privateKeyFile = config.sops.secrets."wg/oxalab-seckey".path;
address = [ "10.66.66.10/32" ];
peers = [{
publicKey = "5nCVC21BL+1r70OGwA4Q6Z/gcPLC3+ZF8sTurdn7N0E=";
allowedIPs = [ "10.66.66.0/24" ];
endpoint = "95.216.166.21:51820";
persistentKeepalive = 25;
}];
};
};
}

42
secrets/dishwasher/secrets.yaml Normal file
View file

@ -0,0 +1,42 @@
wg:
oxalab-seckey: ENC[AES256_GCM,data:CEUuCAiWBWk/Elxx9B/SerbwYUrQ8Eai0/TGr+yOf6YWBrbOwEJROFrFmrQ=,iv:g5gjJtWYRnxZ9WOwaj0xHV9Zz0E1hFdPZxLhL4ctxnE=,tag:vXkUzWxCI4AnKCauFEyCaA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1cxlskqynwl5njjm0qf363308dsjwxjq59rq7pn6ucpscpzpvry4qwtpx73
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNejc1V2U5OWZIU0VJNE5U
dzRsK1FzY2QrQWlmVHRIRVBpNS9RS0ZBR1ZJClFMKzk5VjZNREFGb3BPODJVNUhz
c2x4V2tlQXhLTXRSU2VsdVpuUk1Hd2cKLS0tIEZPbW9VWkJtTzdwV1d5RklabXdw
SU4vSm1IOXdrWUZHeThlS1Z3UlJOaE0KB62h4F8qu/ZSkCcRMTJxtJXgv5VX7ZyB
pKSCDwtQWP/t38j2AlXMaeGag4lRchZZ0+MiVMn8cAXlq8OJGz4w/g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-06-18T09:32:06Z"
mac: ENC[AES256_GCM,data:CkFQvw8s16Z6XDDiJKZftxImoVLcTlEQWfebpjy+zkuyps+AU7B7sFQmbTJkmDrjCc/rYYJz+ktrwBRxIApOyYGiG9kW5FxhgViBX+F8cTxbITp/Z2Pv/51/v+x/expF3OO6dTXqZHzlnx9Zl++5RZwvejHfakkHgsABdJlXs+w=,iv:WKIuAK/fuh7uyVxuRVtoum4H+8Ludl12wqy48ni0D7c=,tag:IC7F/sqghYnOgy/xeHTtGw==,type:str]
pgp:
- created_at: "2022-06-18T09:31:26Z"
enc: |-
-----BEGIN PGP MESSAGE-----
wcFMA7zUOKwzpAE7ARAAh8M1g7HlNSYQq91QgFmhdGGN5EkG1dD87jMmWODdPDl9
7Vks3LobDHymAhz1dOweYOwk1GdUHYOsst14fEilYjVDeXHblbxm9Js4fcBSinyh
3KBOrFM/2Zb8nYor1mK5hFQDSFG3jxyaYRzCkCAR2Xfa6vpVftTezDQQY3oFZk5C
nB0SHnoR91LBQpsX+VRfMf/hKib5vXCxsOmmV3fgZ3pp9M/xNABf9gqCVCO12pSb
jvOOEQ11fgTBDQ8xX0nooHHUe1HAz5/lp7k6XqY4SgaFozPABCmB8RUEmQSFvs5F
mkhGnoyT9RSYnn1Ekgnm0pldPLo0wsgI3A5LqDaZt8b+ulhaobEIy5vLCLbTP08V
XgL7Jl1rzQ8qpARRpsyBM0qdqPSkqK5slTLulgms2Q9CPgYhTI4MQ7pE8R4hEjrx
4Z+Bi0LxtIfVWaC7OtbFXiIFreLSZnyBlQF0H/c+KLa4iSwtK6rF5//gd01VE1We
be0AisVxq1SsMxl6RwX8rQ5FMnkO/RY6C1gbjl1890wXFixGIPFWN4qS82xFXOI4
SWgFtXc13fHigN/Skp+QSSMqx6aAeq94iXvAhiGYIBVCGDsZDk33z3xmSnnarQL3
WXZBeczzyzHSeMNFrZFZLTssT1ap2gAOW2G86Fgo89yPRGP2ES8QSANsN3Y8eJ/S
5gHvzx9cw/NwNiqmugIVJ2lB3Oz3YTDLNR5EILs11V8lLfCHH2RlqYsHamfldDCm
0wsWiAbzGeW3RkoM90YhI8XkVsIX9WgX5I2fVqQMMj68nuI0eAEBAA==
=lhTv
-----END PGP MESSAGE-----
fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C
unencrypted_suffix: _unencrypted
version: 3.7.2