diff --git a/flake.nix b/flake.nix index c3a8674..cf6f32b 100644 --- a/flake.nix +++ b/flake.nix @@ -64,7 +64,7 @@ specialArgs = inputs; modules = [ # box-specific config - ./hosts/traffic-stop-box/${toString id}.nix + ./hosts/traffic-stop-box/${toString id} # default modules sops-nix.nixosModules.sops @@ -141,7 +141,7 @@ specialArgs = inputs; modules = [ microvm.nixosModules.microvm - ./hosts/data-hoarder/configuration.nix + ./hosts/data-hoarder ] ++ data-hoarder-modules; }; @@ -149,7 +149,7 @@ system = "x86_64-linux"; specialArgs = inputs; modules = [ - ./hosts/staging/configuration.nix + ./hosts/staging-data-hoarder microvm.nixosModules.microvm ] ++ data-hoarder-modules; }; diff --git a/hardware/dell-wyse-3040.nix b/hardware/dell-wyse-3040.nix index fbd5028..54244d1 100644 --- a/hardware/dell-wyse-3040.nix +++ b/hardware/dell-wyse-3040.nix @@ -1,13 +1,23 @@ -{ config, lib, ... }: +{ config, lib, dump-dvb, ... }: { # The global useDHCP flag is deprecated, therefore explicitly set to false here. # Per-interface useDHCP will be mandatory in the future, so this generated config # replicates the default behaviour. - + imports = [ + dump-dvb.nixosModules.disk-module + ]; networking = { - interfaces.enp1s0.useDHCP = true; - useDHCP = true; + interfaces.enp1s0.useDHCP = lib.mkDefault true; + useDHCP = lib.mkDefault true; + }; + + networking.useNetworkd = true; + networking.wireguard.enable = true; + + deployment-dvb.net.iface.uplink = { + name = lib.mkDefault "enp1s0"; + useDHCP = lib.mkDefault true; }; boot.tmpOnTmpfsSize = "25%"; diff --git a/hardware/rpi-3b-4b.nix b/hardware/rpi-3b-4b.nix index 12b33cf..88daad7 100644 --- a/hardware/rpi-3b-4b.nix +++ b/hardware/rpi-3b-4b.nix @@ -12,6 +12,11 @@ networking.useDHCP = lib.mkDefault true; networking.interfaces.eth0.useDHCP = lib.mkDefault true; + deployment-dvb.net.iface.uplink = { + name = lib.mkDefault "eth0"; + useDHCP = lib.mkDefault true; + }; + sdImage = lib.mkForce { populateFirmwareCommands = let 
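Review bot: In the dell-wyse-3040.nix hunk `networking.interfaces.enp1s0.useDHCP` and the new `deployment-dvb.net.iface.uplink.useDHCP` are two independent switches for the same interface, both defaulting to true, and a host that overrides only one of them (box 4 overrides both by hand) ends up with the `30-enp1s0` network unit from net.nix and the unit NixOS derives from `networking.interfaces` disagreeing about DHCP, with networkd applying whichever sorts first. Deriving one from the other keeps them in step: `interfaces.enp1s0.useDHCP = lib.mkDefault config.deployment-dvb.net.iface.uplink.useDHCP;`, and the same applies to eth0 in the rpi-3b-4b.nix hunk. That NixOS still emits its own `.network` unit for a `networking.interfaces` entry under `useNetworkd` is inferred from the option, not visible in this diff.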
diff --git a/hosts/data-hoarder/configuration.nix b/hosts/data-hoarder/configuration.nix index 93695c7..612c6c1 100644 --- a/hosts/data-hoarder/configuration.nix +++ b/hosts/data-hoarder/configuration.nix @@ -38,18 +38,21 @@ # Set your time zone. time.timeZone = "Europe/Berlin"; - networking.interfaces.eth0 = { - useDHCP = false; - ipv4.addresses = [ + + deployment-dvb.net.iface.uplink = { + name = "eth0"; + addr4 = "172.20.73.69/25"; + dns = [ "172.20.73.8" "9.9.9.9" ]; + routes = [ { - address = "172.20.73.69"; - prefixLength = 25; + routeConfig = { + Gateway = "172.20.73.1"; + Destination = "0.0.0.0/0"; + }; } ]; }; - networking.defaultGateway = "172.20.73.1"; - networking.nameservers = [ "172.20.73.8" "9.9.9.9" ]; sops.defaultSopsFile = self + /secrets/data-hoarder/secrets.yaml; diff --git a/hosts/data-hoarder/default.nix b/hosts/data-hoarder/default.nix new file mode 100644 index 0000000..30508ea --- /dev/null +++ b/hosts/data-hoarder/default.nix @@ -0,0 +1,6 @@ +{ + imports = [ + ./configuration.nix + ./wireguard_server.nix + ]; +} diff --git a/hosts/data-hoarder/wireguard_server.nix b/hosts/data-hoarder/wireguard_server.nix index 268ed88..03fe52f 100644 --- a/hosts/data-hoarder/wireguard_server.nix +++ b/hosts/data-hoarder/wireguard_server.nix 
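Review bot: The new `deployment-dvb.net.iface.uplink` block in hosts/data-hoarder/configuration.nix never sets `useDHCP = false;`, and the option defaults to true in net.nix (`useDHCP = mkOption { type = types.bool; default = true; }`), so net.nix takes the DHCP branch and the static `addr4`, `dns` and `routes` written here are silently discarded; the removed `networking.interfaces.eth0.useDHCP = false;` has no replacement. The staging host and box 4 both set it explicitly, so add `useDHCP = false;` next to `name = "eth0";`. This host is also the WireGuard endpoint, so a DHCP-assigned address is the kind of drift that is only noticed when peers stop handshaking.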
@@ -7,71 +7,23 @@ in networking.firewall.allowedUDPPorts = [ port ]; - networking.wg-quick.interfaces = { - wg-dvb = { - address = [ "10.13.37.1/32" ]; + deployment-dvb.net.wg = { + ownEndpoint.host = "endpoint.dvb.solutions"; + ownEndpoint.port = port; + addr4 = "10.13.37.1"; + prefix4 = 24; privateKeyFile = config.sops.secrets.wg-seckey.path; - listenPort = port; - peers = [ + publicKey = "WDvCObJ0WgCCZ0ORV2q4sdXblBd8pOPZBmeWr97yphY="; + extraPeers = [ { # Tassilo publicKey = "vgo3le9xrFsIbbDZsAhQZpIlX+TuWjfEyUcwkoqUl2Y="; - allowedIPs = [ "10.13.37.2/32" ]; - persistentKeepalive = 25; + addr4 = "10.13.37.2"; } { # oxa publicKey = "QbaQaGqudRXIh03IbBNATfBZfpMLmwihlwLs6W9+P1c="; - allowedIPs = [ "10.13.37.3/32" ]; - persistentKeepalive = 25; - } - { - # data hoarder staging - publicKey = "48hc7DVnUh2DHYhrxrNtNzj05MRecJO52j2niPImvkU="; - allowedIPs = [ "10.13.37.5/32" ]; - persistentKeepalive = 25; - } - { - # traffic-stop-box-0 - publicKey = "qyStvzZdoqcjJJQckw4ZwvsQUa+8TBWtnsRxURqanno="; - allowedIPs = [ "10.13.37.100/32" ]; - persistentKeepalive = 25; - } - { - # traffic-stop-box-1 - publicKey = "dOPobdvfphx0EHmU7dd5ihslFzZi17XgRDQLMIUYa1w="; - allowedIPs = [ "10.13.37.101/32" ]; - persistentKeepalive = 25; - } - { - # traffic-stop-box-2 - publicKey = "4TUQCToGNhjsCgV9elYE/91Vd/RvMgvMXtF/1Dzlvxo="; - allowedIPs = [ "10.13.37.102/32" ]; - persistentKeepalive = 25; - } - { - # traffic-stop-box-3 - publicKey = "w3AT3EahW1sCK8ZsR7sDTcQj1McXYeWx7fnfQFA7i3o="; - allowedIPs = [ "10.13.37.103/32" ]; - persistentKeepalive = 25; - } - { - # traffic-stop-box-4 - publicKey = "B0wPH0jUxaatRncHMkgDEQ+DzvlbTBrVJY4etxqQgG8="; - allowedIPs = [ "10.13.37.104/32" ]; - persistentKeepalive = 25; - } - { - # traffic-stop-box-5 - publicKey = "bGMO3+BuMbNMnqgt+1lEKAwCVi3BrtpcZlVf9ULcmkw="; - allowedIPs = [ "10.13.37.105/32" ]; - persistentKeepalive = 25; - } - { - # traffic-stop-box-6 - publicKey = "NuLDNmxuHHzDXJSIOPSoihEhLWjARRtavuQvWirNR2I="; - allowedIPs = [ "10.13.37.106/32" ]; - 
persistentKeepalive = 25; + addr4 = "10.13.37.3"; } { # traffic-stop-box-7 @@ -82,10 +34,8 @@ in { # marenz publicKey = "XJddbPj6Zdtn4roi6UWGuR2EA81juMmlaUOuMSLi2FM="; - allowedIPs = [ "10.13.37.4/32" ]; - persistentKeepalive = 25; + addr4 = "10.13.37.4"; } ]; }; - }; } diff --git a/hosts/staging/configuration.nix b/hosts/staging-data-hoarder/default.nix similarity index 66% rename from hosts/staging/configuration.nix rename to hosts/staging-data-hoarder/default.nix index 4592d88..d5a6487 100644 --- a/hosts/staging/configuration.nix +++ b/hosts/staging-data-hoarder/default.nix 
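Review bot: The first wireguard_server.nix hunk ends with the `# traffic-stop-box-7` entry still inside `extraPeers`, and the four lines between the two hunks (old 78–81) are untouched, so that entry presumably still carries `allowedIPs` and `persistentKeepalive`; the new `extraPeers` submodule in wg.nix declares only `addr4` and `publicKey`, so evaluation should fail on the undeclared attributes. It should become `addr4 = "10.13.37.107";` like the other entries, or be dropped entirely now that box 7 is discovered through `self.nixosConfigurations`. The box-5 peer (`bGMO3+…`, 10.13.37.105) is removed and no host 5 appears anywhere in this commit; if that is deliberate it deserves a line in the commit message.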
@@ -40,39 +40,41 @@ }]; }; - networking.hostName = "staging-data-hoarder"; # Define your hostname. - # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. + networking.hostName = "staging-data-hoarder"; - # Set your time zone. time.timeZone = "Europe/Berlin"; - networking.interfaces.eth0 = { - useDHCP = false; - ipv4.addresses = [{ - address = "172.20.73.64"; - prefixLength = 25; - }]; - }; - networking.defaultGateway = "172.20.73.1"; - networking.nameservers = [ "172.20.73.8" "9.9.9.9" ]; + networking.useNetworkd = true; + sops.defaultSopsFile = self + /secrets/data-hoarder-staging/secrets.yaml; + deployment-dvb.net = { + iface.uplink = { + name = "eth0"; + useDHCP = false; + addr4 = "172.20.73.69/25"; + dns = [ "172.20.73.8" "9.9.9.9" ]; + routes = [ + { + routeConfig = { + Gateway = "172.20.73.1"; + Destination = "0.0.0.0/0"; + }; + } + ]; + }; + + wg = { + addr4 = "10.13.37.5"; + prefix4 = 24; + privateKeyFile = config.sops.secrets.wg-seckey.path; + publicKey = "48hc7DVnUh2DHYhrxrNtNzj05MRecJO52j2niPImvkU="; + }; - networking.wg-quick.interfaces.wg-dvb = { - address = [ "10.13.37.5/32" ]; - privateKeyFile = config.sops.secrets.wg-seckey.path; - postUp = '' ${pkgs.iputils}/bin/ping -c 10 10.13.37.1 || true ''; - peers = [ - { - publicKey = "WDvCObJ0WgCCZ0ORV2q4sdXblBd8pOPZBmeWr97yphY="; - allowedIPs = [ "10.13.37.0/24" ]; - endpoint = "academicstrokes.com:51820"; - persistentKeepalive = 25; - } - ]; }; deployment-dvb.domain = "staging.dvb.solutions"; + # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions # on your system were taken. It‘s perfectly fine and recommended to leave diff --git a/hosts/traffic-stop-box/0.nix b/hosts/traffic-stop-box/0.nix deleted file mode 100644 index bf4f5e2..0000000 --- a/hosts/traffic-stop-box/0.nix +++ /dev/null @@ -1,5 +0,0 @@ -{ self, ... }: { - imports = [ - "${self}/hardware/dell-wyse-3040.nix" - ]; -} 
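Review bot: The staging uplink now uses `addr4 = "172.20.73.69/25"`, which is the production data-hoarder address set in the same commit (hosts/data-hoarder/configuration.nix); the removed lines had staging on `172.20.73.64`. Unless the address really changed, this should read `addr4 = "172.20.73.64/25";`, otherwise both VMs claim the same IP and the endpoint host becomes intermittently unreachable. The old `endpoint = "academicstrokes.com:51820"` pin is gone and the server is now located through the endpoint host's `ownEndpoint.host`, so staging's connectivity now depends on that host's configuration being evaluable from this flake.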
diff --git a/configs/config_0.json b/hosts/traffic-stop-box/0/config_0.json
similarity index 100%
rename from configs/config_0.json
rename to hosts/traffic-stop-box/0/config_0.json
diff --git a/hosts/traffic-stop-box/0/default.nix b/hosts/traffic-stop-box/0/default.nix
new file mode 100644
index 0000000..e389145
--- /dev/null
+++ b/hosts/traffic-stop-box/0/default.nix
@@ -0,0 +1,7 @@
+{ self, ... }: {
+ imports = [
+ "${self}/hardware/dell-wyse-3040.nix"
+ ];
+
+ deployment-dvb.net.wg.publicKey = "qyStvzZdoqcjJJQckw4ZwvsQUa+8TBWtnsRxURqanno=";
+}
diff --git a/hosts/traffic-stop-box/1.nix b/hosts/traffic-stop-box/1.nix
deleted file mode 100644
index bf4f5e2..0000000
--- a/hosts/traffic-stop-box/1.nix
+++ /dev/null
@@ -1,5 +0,0 @@
-{ self, ... }: {
- imports = [
- "${self}/hardware/dell-wyse-3040.nix"
- ];
-}
diff --git a/configs/config_1.json b/hosts/traffic-stop-box/1/config_1.json
similarity index 100%
rename from configs/config_1.json
rename to hosts/traffic-stop-box/1/config_1.json
diff --git a/hosts/traffic-stop-box/1/default.nix b/hosts/traffic-stop-box/1/default.nix
new file mode 100644
index 0000000..aa07a7d
--- /dev/null
+++ b/hosts/traffic-stop-box/1/default.nix
@@ -0,0 +1,7 @@
+{ self, ... }: {
+ imports = [
+ "${self}/hardware/dell-wyse-3040.nix"
+ ];
+
+ deployment-dvb.net.wg.publicKey = "dOPobdvfphx0EHmU7dd5ihslFzZi17XgRDQLMIUYa1w=";
+}
diff --git a/hosts/traffic-stop-box/2.nix b/hosts/traffic-stop-box/2.nix
deleted file mode 100644
index bf4f5e2..0000000
--- a/hosts/traffic-stop-box/2.nix
+++ /dev/null
@@ -1,5 +0,0 @@
-{ self, ... }: {
- imports = [
- "${self}/hardware/dell-wyse-3040.nix"
- ];
-}
diff --git a/configs/config_2.json b/hosts/traffic-stop-box/2/config_2.json
similarity index 100%
rename from configs/config_2.json
rename to hosts/traffic-stop-box/2/config_2.json
diff --git a/hosts/traffic-stop-box/2/default.nix b/hosts/traffic-stop-box/2/default.nix
new file mode 100644
index 0000000..a1d1330
--- /dev/null
+++ b/hosts/traffic-stop-box/2/default.nix
@@ -0,0 +1,7 @@
+{ self, ... }: {
+ imports = [
+ "${self}/hardware/dell-wyse-3040.nix"
+ ];
+
+ deployment-dvb.net.wg.publicKey = "4TUQCToGNhjsCgV9elYE/91Vd/RvMgvMXtF/1Dzlvxo=";
+}
diff --git a/hosts/traffic-stop-box/3.nix b/hosts/traffic-stop-box/3.nix
deleted file mode 100644
index 96beeae..0000000
--- a/hosts/traffic-stop-box/3.nix
+++ /dev/null
@@ -1,5 +0,0 @@
-{ self, ... }: {
- imports = [
- "${self}/hardware/rpi-3b-4b.nix"
- ];
-}
diff --git a/configs/config_3.json b/hosts/traffic-stop-box/3/config_3.json
similarity index 100%
rename from configs/config_3.json
rename to hosts/traffic-stop-box/3/config_3.json
diff --git a/hosts/traffic-stop-box/3/default.nix b/hosts/traffic-stop-box/3/default.nix
new file mode 100644
index 0000000..775f04d
--- /dev/null
+++ b/hosts/traffic-stop-box/3/default.nix
@@ -0,0 +1,7 @@
+{ self, ... }: {
+ imports = [
+ "${self}/hardware/rpi-3b-4b.nix"
+ ];
+
+ deployment-dvb.net.wg.publicKey = "w3AT3EahW1sCK8ZsR7sDTcQj1McXYeWx7fnfQFA7i3o=";
+}
diff --git a/hosts/traffic-stop-box/4.nix b/hosts/traffic-stop-box/4.nix
deleted file mode 100644
index 2083c30..0000000
--- a/hosts/traffic-stop-box/4.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-{ self, ... }: {
- imports = [
- "${self}/hardware/dell-wyse-3040.nix"
- ];
-
- networking = nixpkgs.lib.mkForce {
- useDHCP = false;
- defaultGateway = "141.30.30.129";
- nameservers = [ "141.30.1.1" ];
- interfaces.enp1s0 = {
- useDHCP = false;
- ipv4.addresses = [
- {
- address = "141.30.30.149";
- prefixLength = 25;
- }
- ];
- };
- };
-
-}
diff --git a/configs/config_4.json b/hosts/traffic-stop-box/4/config_4.json
similarity index 100%
rename from configs/config_4.json
rename to hosts/traffic-stop-box/4/config_4.json
diff --git a/hosts/traffic-stop-box/4/default.nix b/hosts/traffic-stop-box/4/default.nix
new file mode 100644
index 0000000..0218430
--- /dev/null
+++ b/hosts/traffic-stop-box/4/default.nix
@@ -0,0 +1,28 @@
+{ self, lib, ... }:
+let eth = "enp1s0"; in
+{
+ imports = [
+ "${self}/hardware/dell-wyse-3040.nix"
+ ];
+
+ networking.useDHCP = false;
+ networking.interfaces."${eth}".useDHCP = false;
+
+ deployment-dvb.net.iface.uplink = {
+ name = eth;
+ useDHCP = false;
+ addr4 = "141.30.30.149/25";
+ dns = [ "141.30.1.1" "9.9.9.9" ];
+ routes = [
+ {
+ routeConfig = {
+ Gateway = "141.30.30.129";
+ Destination = "0.0.0.0/0";
+ };
+ }
+ ];
+ };
+
+ deployment-dvb.net.wg.publicKey = "B0wPH0jUxaatRncHMkgDEQ+DzvlbTBrVJY4etxqQgG8=";
+
+}
diff --git a/configs/config_6.json b/hosts/traffic-stop-box/6/config_6.json
similarity index 100%
rename from configs/config_6.json
rename to hosts/traffic-stop-box/6/config_6.json
diff --git a/hosts/traffic-stop-box/7.nix b/hosts/traffic-stop-box/6/default.nix
similarity index 87%
rename from hosts/traffic-stop-box/7.nix
rename to hosts/traffic-stop-box/6/default.nix
index 5c4d5c3..51e2abe 100644
--- a/hosts/traffic-stop-box/7.nix
+++ b/hosts/traffic-stop-box/6/default.nix
@@ -10,4 +10,6 @@
 "sk-ssh-ed25519@openssh.com aaaagnnrlxnzac1lzdi1nte5qg9wzw5zc2guy29taaaaili3ylty7fwvohtwx8511v+gbtlzzmuv505fi1pj53v6aaaabhnzado="
 "sk-ssh-ed25519@openssh.com aaaagnnrlxnzac1lzdi1nte5qg9wzw5zc2guy29taaaaipzbd00cbfpxzuc8eb6sljaafnf1hgs6vci1rzcncyocaaaabhnzado="
 ];
+
+ deployment-dvb.net.wg.publicKey = "NuLDNmxuHHzDXJSIOPSoihEhLWjARRtavuQvWirNR2I=";
 }
diff --git a/configs/config_7.json b/hosts/traffic-stop-box/7/config_7.json
similarity index 100%
rename from configs/config_7.json
rename to hosts/traffic-stop-box/7/config_7.json
diff --git a/hosts/traffic-stop-box/6.nix b/hosts/traffic-stop-box/7/default.nix
similarity index 100%
rename from hosts/traffic-stop-box/6.nix
rename to hosts/traffic-stop-box/7/default.nix
diff --git a/modules/data-hoarder/secrets.nix b/modules/data-hoarder/secrets.nix
index a880fad..2fc86d7 100644
--- a/modules/data-hoarder/secrets.nix
+++ b/modules/data-hoarder/secrets.nix
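Review bot: `hosts/traffic-stop-box/7/default.nix` is a 100 % rename of the old `6.nix` and gets no `deployment-dvb.net.wg.publicKey` line, unlike every other box in this commit; since wireguard-client.nix now gives every box an `addr4` via `lib.mkDefault`, box 7 would be advertised to all peers with the option's default `""` as `PublicKey`, which networkd drops or rejects on every machine that lists it. Add `deployment-dvb.net.wg.publicKey = "<box-7 public key>";` to that file, carrying over the value from its old entry in wireguard_server.nix (the old 6.nix is not shown, so this assumes it carried no key, like the other pre-commit box files). The two renames also swap the files for boxes 6 and 7 (`7.nix` → `6/default.nix`, taking the authorized SSH keys with it, and `6.nix` → `7/default.nix`), which is worth confirming was intended.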
@@ -19,7 +19,9 @@ in }; sops.secrets = { - wg-seckey = { }; + wg-seckey = { + owner = config.users.users.systemd-network.name; + }; postgres_password_hash_salt = { owner = clicky-bunty-user; }; diff --git a/modules/dump-dvb/net.nix b/modules/dump-dvb/net.nix index 83ed7bb..81f3b34 100644 --- a/modules/dump-dvb/net.nix +++ b/modules/dump-dvb/net.nix @@ -1,4 +1,4 @@ -{ lib, config, ... }: +{ lib, config, checks, utils, ... }: let cfg = config.deployment-dvb.net; in @@ -6,16 +6,16 @@ in options.deployment-dvb.net = with lib; { iface.uplink = { name = mkOption { - type = types.str; - default = ""; + type = types.nullOr types.str; + default = null; }; useDHCP = mkOption { type = types.bool; default = true; }; addr4 = mkOption { - type = types.str; - default = ""; + type = types.nullOr types.str; + default = null; description = "address with prefix in CIDR notation"; }; routes = @@ -23,7 +23,8 @@ in with utils.systemdUtils.lib; with lib; mkOption { - type = with types; listOf (submodule routeOptions); + #type = with types; listOf (submodule routeOptions); + type = types.listOf (types.attrsOf unitOption); default = [ ]; description = "default gateway"; }; @@ -34,27 +35,24 @@ in }; }; - config = let upname = "30-${cfg.iface.uplink.name}"; upconf = if cfg.iface.uplink.useDHCP == false then { - MatchConfig = { Name = "${cfg.iface.uplink.name}"; }; + matchConfig = { Name = "${cfg.iface.uplink.name}"; }; networkConfig = { DHCP = "no"; Address = cfg.iface.uplink.addr4; - DNS = cfg.iface.uplink.DNS; + DNS = cfg.iface.uplink.dns; }; routes = cfg.iface.uplink.routes; } else { - MatchConfig = { Name = "${cfg.iface.uplink.name}"; }; + matchConfig = { Name = "${cfg.iface.uplink.name}"; }; networkConfig = { DHCP = "yes"; }; }; - in { - networking.useSystemd = true; - systemd.networks. + systemd.network.networks."${upname}" = upconf; }; } diff --git a/modules/dump-dvb/wg.nix b/modules/dump-dvb/wg.nix index c7f920f..bd1c0ae 100644 --- a/modules/dump-dvb/wg.nix 
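Review bot: As the last net.nix hunk reads, the `let` under `config =` no longer has an `in`: the removed `in {` line is replaced by the binding-shaped `systemd.network.networks."${upname}" = upconf;`, which is then followed by `};`, so this does not parse unless a line was lost when the diff was collapsed; the tail should be `in { systemd.network.networks."${upname}" = upconf; };`. Separately, `iface.uplink.name` is now `nullOr` with default `null`, but `upname` and `matchConfig.Name` interpolate it unconditionally, which fails with "cannot coerce null to a string" on any host that sets nothing; wrap the body in `lib.mkIf (cfg.iface.uplink.name != null) { … }`. The `routes` option also drops the `submodule routeOptions` type for `attrsOf unitOption`, giving up validation of the `routeConfig` keys, and its description still says "default gateway".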
+++ b/modules/dump-dvb/wg.nix 
@@ -1,41 +1,122 @@ -{ lib, config, ... }: +{ lib, config, self, ... }: let cfg = config.deployment-dvb.net.wg; -in - { - options.deployment-dvb.net.wg = { - _enable = mkOption { - type = types.bool; - default = true; - }; +in { + options.deployment-dvb.net.wg = with lib; { + ownEndpoint.host = mkOption { - type = types.str; - default = ""; + type = types.nullOr types.str; + default = null; }; ownEndpoint.port = mkOption { type = types.port; + default = 51820; }; - ownPubkey = mkOption { + + publicKey = mkOption { type = types.str; default = ""; + description = "own public key"; }; privateKeyFile = mkOption { type = types.either types.str types.path; }; addr4 = mkOption { - type = types.str; - default = ""; - description = "address with prefix in CIDR notation"; + type = types.nullOr types.str; + default = null; + }; + + prefix4 = mkOption { + type = types.int; + default = 24; + description = "network prefix"; + }; + + extraPeers = mkOption { + description = "extra peers that are not part of the deployment"; + type = types.listOf (types.submodule { + options.addr4 = mkOption { + type = types.str; + description = "ip _without_ a network prefix"; + }; + options.publicKey = mkOption { + type = types.str; + description = "public key"; + }; + }); }; }; config = let - in { - netoworking.useNetworkd = true; + # move out as options? 
+ dvbwg-name = "wg-ddvb"; + keepalive = 25; - systemd.network.netdev.wg-dvb = { - type = "wireguard"; - + # helpers + peer-systems = (lib.filter (x: (x.config.deployment-dvb.net.wg.addr4 != cfg.addr4) && (!isNull x.config.deployment-dvb.net.wg.addr4)) + (lib.attrValues self.nixosConfigurations)); + + endpoint = + let + ep = (lib.filter (x: + x.config.deployment-dvb.net.wg.addr4 != cfg.addr4 + && (!isNull x.config.deployment-dvb.net.wg.ownEndpoint.host)) + (lib.attrValues self.nixosConfigurations)); + in + assert lib.assertMsg (lib.length ep == 1) "there should be exactly one endpoint"; ep; + + peers = map (x: { + wireguardPeerConfig = { + PublicKey = x.config.deployment-dvb.net.wg.publicKey; + AllowedIPs = [ "${x.config.deployment-dvb.net.wg.addr4}/32" ]; + PersistentKeepalive = keepalive; + }; + }) peer-systems; + + ep = [ { + wireguardPeerConfig = + let x = lib.elemAt endpoint 0; in { + PublicKey = x.config.deployment-dvb.net.wg.publicKey; + AllowedIPs = [ "${x.config.deployment-dvb.net.wg.addr4}/${toString cfg.prefix4}" ]; + Endpoint = with x.config.deployment-dvb.net.wg.ownEndpoint; "${host}:${toString port}"; + PersistentKeepalive = keepalive; + }; + } ]; + + # stuff proper + dvbwg-netdev = { + Kind = "wireguard"; + Name = dvbwg-name; + Description = "dump-dvb enterprise, highly available, biocomputing-neural-network maintained, converged network"; + }; + + dvbwg-wireguard = { + PrivateKeyFile = cfg.privateKeyFile; + }; + + expeers = map (x: { + wireguardPeerConfig = { + PublicKey = x.publicKey; + AllowedIPs = [ "${x.addr4}/32" ]; + PersistentKeepalive = keepalive; + }; + }) cfg.extraPeers; + + peerconf = if isNull cfg.ownEndpoint.host then ep else (peers ++ expeers); + in + lib.mkIf (!isNull cfg.addr4) { + networking.wireguard.enable = true; + + systemd.network.netdevs."30-${dvbwg-name}" = { + netdevConfig = dvbwg-netdev; + wireguardConfig = dvbwg-wireguard; + wireguardPeers = peerconf; + }; + systemd.network.networks."30-${dvbwg-name}" = { + matchConfig.Name 
= dvbwg-name; + networkConfig = { + Address = "${cfg.addr4}/${toString cfg.prefix4}"; }; }; - } + }; +} diff --git a/modules/traffic-stop-box/radio-config.nix b/modules/traffic-stop-box/radio-config.nix index bdc7395..0497757 100644 --- a/modules/traffic-stop-box/radio-config.nix +++ b/modules/traffic-stop-box/radio-config.nix @@ -1,7 +1,7 @@ { config, lib, self, ... }: let - file = "${self}/configs/config_${toString config.deployment-dvb.systemNumber}.json"; + file = with config.deployment-dvb; "${self}/hosts/traffic-stop-box/${toString systemNumber}/config_${toString systemNumber}.json"; receiver_configs = [ { frequency = 170795000; offset = 19550; device = "hackrf=0"; RF = 14; IF = 8; BB = 42; } # dresden - barkhausen { frequency = 170795000; offset = 19400; device = "hackrf=0"; RF = 14; IF = 8; BB = 42; } # dresden - zentralwerk diff --git a/modules/traffic-stop-box/secrets.nix b/modules/traffic-stop-box/secrets.nix index 68b9fcb..5630aee 100644 --- a/modules/traffic-stop-box/secrets.nix +++ b/modules/traffic-stop-box/secrets.nix @@ -3,6 +3,5 @@ sops.defaultSopsFile = self + /secrets/traffic-stop-box-${toString config.deployment-dvb.systemNumber}/secrets.yaml; sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; - sops.secrets.wg-seckey = { }; sops.secrets.telegram-decoder-token.owner = config.users.users.telegram-decoder.name; } diff --git a/modules/traffic-stop-box/wireguard-client.nix b/modules/traffic-stop-box/wireguard-client.nix index c71fe29..03343db 100644 --- a/modules/traffic-stop-box/wireguard-client.nix +++ b/modules/traffic-stop-box/wireguard-client.nix 
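Review bot: The endpoint host no longer gets a listen port: the old `listenPort = port;` is removed in wireguard_server.nix and `dvbwg-wireguard` only carries `PrivateKeyFile`, so networkd picks a random UDP port while data-hoarder still opens `port` in the firewall and advertises `ownEndpoint.port` to every peer, so inbound handshakes will not arrive. Make it `dvbwg-wireguard = { PrivateKeyFile = cfg.privateKeyFile; } // lib.optionalAttrs (!isNull cfg.ownEndpoint.host) { ListenPort = cfg.ownEndpoint.port; };`. Also `publicKey` defaults to `""` and flows straight into each peer's `PublicKey`, so a host that sets `addr4` but forgets its key breaks the netdev on every other machine rather than on itself; `type = types.nullOr types.str; default = null;` plus filtering such hosts out of `peer-systems` (or an assertion) fails early and locally. Peer identity is decided by `addr4` alone, so two hosts sharing an address silently drop each other from their peer lists instead of erroring.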
@@ -1,19 +1,14 @@ -{ config, pkgs, ... }: - +{ config, pkgs, lib, ... }: +# pubkey of the box goes to hosts/traffic-stop-box/${id}.nix! { - networking.wg-quick.interfaces.wg-dvb = { - address = [ "10.13.37.${toString (config.deployment-dvb.systemNumber + 100)}/32" ]; - privateKeyFile = config.sops.secrets.wg-seckey.path; - postUp = '' - ${pkgs.iputils}/bin/ping -c 10 10.13.37.1 || true - ''; - - peers = [{ - publicKey = "WDvCObJ0WgCCZ0ORV2q4sdXblBd8pOPZBmeWr97yphY="; - allowedIPs = [ "10.13.37.0/24" ]; - endpoint = "81.201.149.152:51820"; - persistentKeepalive = 25; - }]; + networking.useNetworkd = lib.mkForce true; + sops.secrets.wg-seckey = { + owner = config.users.users.systemd-network.name; + }; + deployment-dvb.net.wg = { + addr4 = lib.mkDefault "10.13.37.${toString (config.deployment-dvb.systemNumber + 100)}"; + prefix4 = 24; + privateKeyFile = lib.mkDefault config.sops.secrets.wg-seckey.path; }; }
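Review bot: The added comment `# pubkey of the box goes to hosts/traffic-stop-box/${id}.nix!` is stale in the same commit that moves those files; change it to `# pubkey of the box goes to hosts/traffic-stop-box/${id}/default.nix!`. `networking.useNetworkd = lib.mkForce true;` overrides the plain `true` the hardware profiles already set, so the mkForce only matters if some host module disables networkd; a short why-comment would explain that, otherwise plain `true` is enough.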