dn42: format

Sandro - 2023-09-15 22:49:10 +02:00
parent 1373d78569
commit 83654b5a7b
Signed by: sandro
GPG Key ID: 3AF5A43A3EECC2E5
1 changed files with 176 additions and 154 deletions


@ -4,7 +4,8 @@ let
address4 = "172.22.99.253";
address6 = "fe80::deca:fbad";
inherit (pkgs) neighbors;
in {
in
{
networking = {
domain = "hq.c3d2.de";
hostName = "dn42";
@ -12,7 +13,7 @@ in {
# No Firewalling!
firewall.enable = false;
};
services.resolved.enable = false;
c3d2 = {
hq = {
interface = "c3d2";
@ -21,7 +22,8 @@ in {
deployment.server = "server10";
};
services.collectd.plugins.exec =
services = {
collectd.plugins.exec =
let
routecount = pkgs.writeScript "run-routecount" ''
#!${pkgs.bash}/bin/bash
@ -29,24 +31,31 @@ in {
export PATH=${lib.makeBinPath (with pkgs; [ ruby iproute ] )}
ruby ${./routecount.rb}
'';
in ''
in
''
Exec "collectd" "${routecount}"
'';
resolved.enable = false;
};
sops = {
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
defaultSopsFile = ./secrets.yaml;
secrets = builtins.foldl' (result: name:
secrets = builtins.foldl'
(result: name:
let
conf = neighbors.${name};
in result // (
in
result // (
if conf ? openvpn
then { "neighbors/${name}/openvpn/key" = {}; }
then { "neighbors/${name}/openvpn/key" = { }; }
else if conf ? wireguard
then { "neighbors/${name}/wireguard/privateKey" = {}; }
else {}
then { "neighbors/${name}/wireguard/privateKey" = { }; }
else { }
)
) {} (builtins.attrNames neighbors);
)
{ }
(builtins.attrNames neighbors);
};
boot.kernel.sysctl = {
@ -62,7 +71,8 @@ in {
mknod -m 666 /dev/net/tun c 10 200
fi
'';
services.openvpn = let
services.openvpn =
let
openvpnNeighbors = lib.filterAttrs (_: conf: conf ? openvpn) neighbors;
mkServer = name: conf: {
config = ''
@ -85,17 +95,21 @@ in {
${pkgs.iproute}/bin/ip addr add ${address6}/64 dev $1
'';
};
in {
in
{
servers =
builtins.mapAttrs mkServer openvpnNeighbors;
};
networking.wireguard = {
enable = true;
interfaces = let
interfaces =
let
wireguardNeighbors =
lib.filterAttrs (_: conf: conf ? wireguard) neighbors;
in builtins.mapAttrs (name: conf: {
in
builtins.mapAttrs
(name: conf: {
inherit (conf.wireguard) listenPort;
privateKeyFile = config.sops.secrets."neighbors/${name}/wireguard/privateKey".path;
ips = [ "${address4}/32" "${address6}/64" ];
@ -113,22 +127,27 @@ in {
inherit (conf.wireguard) endpoint;
}))
];
}) wireguardNeighbors;
})
wireguardNeighbors;
};
services.bird2 = {
enable = true;
config = let
bgpNeighbors = builtins.concatStringsSep "\n" (builtins.attrValues
(builtins.mapAttrs (name: conf@{ multiprotocol ? false, ... }:
config =
let
neighbor4 = if conf ? address4 && multiprotocol != "ipv6" then ''
bgpNeighbors = builtins.concatStringsSep "\n" (builtins.attrValues
(builtins.mapAttrs
(name: conf@{ multiprotocol ? false, ... }:
let
neighbor4 =
if conf ? address4 && multiprotocol != "ipv6" then ''
protocol bgp ${name}_4 from dnpeers {
neighbor ${conf.address4} as ${builtins.toString conf.asn};
}
'' else
"";
neighbor6 = if conf ? address6 && multiprotocol != "ipv4" then ''
neighbor6 =
if conf ? address6 && multiprotocol != "ipv4" then ''
protocol bgp ${name}_6 from dnpeers {
neighbor ${conf.address6}%${interface} as ${
builtins.toString conf.asn
@ -137,8 +156,11 @@ in {
'' else
"";
interface = conf.interface or name;
in "${neighbor4}${neighbor6}") neighbors));
in ''
in
"${neighbor4}${neighbor6}")
neighbors));
in
''
protocol kernel {
ipv4 {
export all;