3 Commits

Author SHA1 Message Date
Astro 4ddaa002b0 freifunk: fix /run/nginx creation 2023-06-27 02:48:34 +02:00
Astro dae9fcd0ff freifunk: move ospf secret to sops 2023-06-27 02:48:25 +02:00
Astro fe6490b081 freifunk: disable firewall
sigh
2023-06-27 02:47:59 +02:00
2 changed files with 17 additions and 12 deletions


@ -86,6 +86,7 @@ in {
networking.hostName = "freifunk";
networking.useNetworkd = true;
networking.nameservers = [ "172.20.73.8" "9.9.9.9" ];
networking.firewall.enable = false;
networking.nat = {
enable = true;
# This doesn't really work, hence the `extraCommands`
@ -124,6 +125,9 @@ in {
group = "systemd-network";
mode = "0440";
};
secrets."bird/ospf/auth" = {
owner = "bird2";
};
};
# unbreak wg-vpn6 ingress path
@ -317,6 +321,7 @@ in {
systemd.services.sysinfo-json = {
script = ''
${sysinfo-json}/bin/bmxddump.sh
mkdir /run/nginx
${sysinfo-json}/bin/sysinfo-json.cgi > /run/nginx/sysinfo.json
'';
};
@ -329,6 +334,8 @@ in {
# Advertise Freifunk routes to ZW core
services.bird2 = {
enable = true;
# nix-build cannot access /run/secrets/
checkConfig = false;
config = ''
protocol kernel K4 {
ipv4 {
@ -386,8 +393,7 @@ in {
interface "core" {
hello 10;
wait 20;
authentication cryptographic;
password "${pkgs.zentralwerk-ospf-message-digest-key}";
include "${config.sops.secrets."bird/ospf/auth".path}";
};
};
}
@ -400,8 +406,7 @@ in {
interface "core" instance ${toString zentralwerk.lib.config.site.hosts.freifunk.ospf.upstreamInstance} {
hello 10;
wait 20;
authentication cryptographic;
password "${pkgs.zentralwerk-ospf-message-digest-key}";
include "${config.sops.secrets."bird/ospf/auth".path}";
};
};
}
@ -414,8 +419,7 @@ in {
interface "core" {
hello 10;
wait 20;
authentication cryptographic;
password "${pkgs.zentralwerk-ospf-message-digest-key}";
include "${config.sops.secrets."bird/ospf/auth".path}";
};
};
}
@ -434,8 +438,7 @@ in {
interface "core" instance ${toString zentralwerk.lib.config.site.hosts.${upstream}.ospf.upstreamInstance} {
hello 10;
wait 20;
authentication cryptographic;
password "${pkgs.zentralwerk-ospf-message-digest-key}";
include "${config.sops.secrets."bird/ospf/auth".path}";
};
};
};
@ -454,8 +457,7 @@ in {
interface "core" instance ${toString zentralwerk.lib.config.site.hosts.${upstream}.ospf.upstreamInstance} {
hello 10;
wait 20;
authentication cryptographic;
password "${pkgs.zentralwerk-ospf-message-digest-key}";
include "${config.sops.secrets."bird/ospf/auth".path}";
};
};
};
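Review bot: The five OSPF `interface "core"` hunks stop interpolating `pkgs.zentralwerk-ospf-message-digest-key`, but that value used to be written into the generated bird config in the world-readable Nix store, so moving it to sops protects it only if the key was also rotated, which this diff cannot show. The `+`/`-` markers are lost on this page, but the hunk counts suggest `authentication cryptographic;` and `password` were both replaced by the `include`, so the decrypted file has to carry both statements; a comment at `secrets."bird/ospf/auth"` such as `# contains: authentication cryptographic; password "<key>";` would record that. `checkConfig = false;` turns off build-time validation for the whole bird config, not just the include, so a syntax error now surfaces only when the service starts; running `bird -p -c <config>` on the host before switching is a cheap substitute. Separately, `networking.firewall.enable = false;` in the first hunk has no comment saying why, or what filters traffic instead, on a host that does NAT and speaks OSPF. In the sysinfo-json hunk, `mkdir /run/nginx` fails once the directory exists, so `mkdir -p /run/nginx` is safer for a script that runs more than once per boot.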


@ -1,6 +1,9 @@
wireguard:
vpn6:
privateKey: ENC[AES256_GCM,data:5xvDSbVz2r1D8MZVMgKxIeXD5oRTfXD1RfBukHaOxBz6QaDiUjK7IfZRFlw=,iv:jXZSguJofezFvOplCrRokH9vUGP67fQPkb3fea9uKYU=,tag:JXCD+ngAtAFRmf7NhP0wCQ==,type:str]
bird:
ospf:
auth: ENC[AES256_GCM,data:a3lfAIOZhm8oD2bcOsb3vfIh47EqRVsyuPp8EbVYqzCbTLDADj2R0D7C9E0a/vxIXa0ibrBHdFliLG8=,iv:91lsSop8QBT/rlmxE11gcU/voKkV8HJ9ESZEco5i2DU=,tag:ytzqbP75vzt0JiHW1mvD6w==,type:str]
sops:
kms: []
gcp_kms: []
@ -25,8 +28,8 @@ sops:
YklwNTFsUVZCU1RwZXlPeUJ6VW5iZ00KQqK0K0sizbBsKoZdfjo2QL3+syc5DQJq
lL77+ChtwzssaX6d0zCwsoES28n1bNDN65n39K3gBmjTiSFSouvmtA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-06-13T19:00:35Z"
mac: ENC[AES256_GCM,data:RhGB+CNoIAGr6W1WxDpquG76FLZ0REF5OZwvD3DyfNxNai8XzqqDEsY6XneQ0Ac992kAcXdxleYDYC6keokvkOgnNmr+Buc4+rnASAReyRN19lIUWNjAB6oZWjqwEY2lrwklJc/yi+2LOuaigVsOLxOiMtpTs+QVtofRlmNpbGU=,iv:IqZGKWXKYTGP6m+9wb6j7sSVrSJZ++F/CcL/r2LaSYQ=,tag:6MLFHzcEayEGKtIxWZoljg==,type:str]
lastmodified: "2023-06-26T23:30:17Z"
mac: ENC[AES256_GCM,data:XmY5EdBpYIcg917fhafs4PyNQZU8qxAiSIf8oe8KUXl4//ZEuS8O4hUd21XExRlBa9hQEP2W6J7FFRkfNZLHF6xtYWVWo0qWWe+twwZ/tt/LEygZspYu5G+AH/uoPRmL5XWXzKhO4p80BUxIZzLT9hvgwSMNIYFnliBecP9R7i4=,iv:5uRHki4OpT+BmxtdOzpbvdBwYDLEB7sX0yvi/R9W0dY=,tag:taeVkVqSoy13dNDSduKbIQ==,type:str]
pgp:
- created_at: "2022-12-26T19:09:40Z"
enc: |