chore: directly connect clients to pie for lower latency dns

Benjamin Bädorf 2023-11-06 21:43:48 +01:00
parent 27bfbde5b5
commit 540736c3ba
No known key found for this signature in database
GPG key ID: 4406E80E13CD656C
14 changed files with 147 additions and 73 deletions


@ -24,7 +24,7 @@ in {
pub-solar.core.hibernation.enable = true; pub-solar.core.hibernation.enable = true;
pub-solar.core.hibernation.resumeDevice = "/dev/dm-0"; pub-solar.core.hibernation.resumeDevice = "/dev/dm-0";
pub-solar.core.hibernation.resumeOffset = 115075072; pub-solar.core.hibernation.resumeOffset = 77568000;
pub-solar.terminal-life.full = true; pub-solar.terminal-life.full = true;


@ -60,7 +60,6 @@
./pie ./pie
self.nixosModules.yule self.nixosModules.yule
self.nixosModules.docker self.nixosModules.docker
self.nixosModules.wireguard-client
self.nixosModules.invoiceplane self.nixosModules.invoiceplane
]; ];
}; };


@ -1,23 +1,7 @@
{pkgs, ...}: let {pkgs, ...}: let
shutdownWaitMinutes = 10; shutdownWaitMinutes = 10;
shutdownScript = pkgs.writeShellScriptBin "shutdown-wait" '' shutdownScript = pkgs.writeShellScriptBin "shutdown-wait" ''
STATUS_FILES="/media/internal/backups-pub-solar/status"
running=""
for f in $STATUS_FILES; do
declare started
declare finished
started=$(source $f ; echo ''${BACKUP_STARTED})
finished=$(source $f ; echo ''${BACKUP_FINISHED})
if [ -z "''${finished}" ]; then
echo "backup $(dirname $f) still running"
running="yes"
break
fi
done
if [ -n "''${running}" ] && [ "''${running}" = "yes" ]; then if [ -n "''${running}" ] && [ "''${running}" = "yes" ]; then
echo "backups are still running" echo "backups are still running"
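Review bot: With the status-file scan removed, nothing in the visible script assigns `running` before `if [ -n "''${running}" ] && [ "''${running}" = "yes" ]; then`, so that branch can no longer fire and the "backups are still running" wait is dead code — unless a line in the part of the script outside the hunk sets it. If the scan was dropped deliberately, the check and its message should go with it; if it was not, the loop that reads `BACKUP_STARTED`/`BACKUP_FINISHED` from each status file needs to come back. The shell script and the enclosing `let` continue past the end of the hunk.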


@ -4,7 +4,6 @@
./hardware-configuration.nix ./hardware-configuration.nix
./networking.nix ./networking.nix
./nextcloud-web-tunnel.nix ./backup-autostop.nix
./restic-backup.nix
]; ];
} }
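Review bot: `./restic-backup.nix` is dropped from this import list on the line after `./backup-autostop.nix`, which disables whatever that module configured on this host, and the commit title (`directly connect clients to pie for lower latency dns`) gives no reason for it. If the backup job is meant to move elsewhere, that belongs in its own commit or at least in the message; if not, keep `./restic-backup.nix` in the list. This also interacts with the newly imported `backup-autostop.nix`, which presumably waits on backup status files — worth confirming those still get written on this host.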


@ -5,7 +5,7 @@
... ...
}: { }: {
networking.interfaces.enp2s0f0 = { networking.interfaces.enp2s0f0 = {
ipv6.addresses = [ { address = "2a02:908:5b1:e3c0:3077:3::"; prefixLength = 128; } ]; ipv6.addresses = [ { address = "2a02:908:5b1:e3c0:3::"; prefixLength = 64; } ];
}; };
age.secrets.wg-private-key.file = "${flake.self}/secrets/wg-private-droppie.age"; age.secrets.wg-private-key.file = "${flake.self}/secrets/wg-private-droppie.age";
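Review bot: The new address line changes `prefixLength` from 128 to 64 along with the address, while pie's equivalent line in this commit keeps `prefixLength = 128` for the same `2a02:908:5b1:e3c0::` prefix; a /64 here makes the whole prefix on-link for this interface, which is a behavioural change beyond the renumbering the commit describes. If that is intended, a comment such as `# /64: this host is directly on the delegated prefix` would explain the asymmetry; otherwise `ipv6.addresses = [ { address = "2a02:908:5b1:e3c0:3::"; prefixLength = 128; } ];` keeps the two hosts consistent.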


@ -1,30 +0,0 @@
{
pkgs,
config,
...
}: let
psCfg = config.pub-solar;
in {
config = {
services.openssh.knownHosts = {
"nachtigall.pub.solar".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGUJGAYFzgzpeEs5rYvBX9jBn6wkj4Q5VqnT4xkg3l// barkeeper@nachtigall";
};
systemd.services.ssh-tunnel-nachtigall-pub-solar = {
enable = false;
unitConfig = {
Description = "Reverse SSH connection to enable backups";
After = ["network.target"];
};
serviceConfig = {
Type = "simple";
ExecStart = "${pkgs.openssh}/bin/ssh -vvv -g -N -T -o ServerAliveInterval=10 -o ExitOnForwardFailure=yes -R 127.0.0.1:22022:localhost:22 hakkonaut@nachtigall.pub.solar";
User = psCfg.user.name;
Group = "users";
Restart = "always";
RestartSec = "5s";
};
wantedBy = ["default.target"];
};
};
}


@ -2,8 +2,9 @@
flake, flake,
config, config,
pkgs, pkgs,
lib,
... ...
}: { }: with lib; {
age.secrets.wg-private-key-server.file = "${flake.self}/secrets/wg-private-frikandel-server.age"; age.secrets.wg-private-key-server.file = "${flake.self}/secrets/wg-private-frikandel-server.age";
boot.kernel.sysctl = { boot.kernel.sysctl = {
@ -25,6 +26,24 @@
"iifname wg0 accept" "iifname wg0 accept"
]; ];
systemd.services.wg-quick-wg0 = {
after = [
"network.target"
"network-online.target"
"nss-lookup.target"
];
serviceConfig = {
Type = mkForce "simple";
Restart = "on-failure";
RestartSec = "30";
};
environment = {
WG_ENDPOINT_RESOLUTION_RETRIES = "infinity";
};
};
# Enable WireGuard # Enable WireGuard
networking.wg-quick.interfaces = { networking.wg-quick.interfaces = {
wg0 = { wg0 = {
@ -32,7 +51,7 @@
address = [ address = [
"10.0.1.7/32" "10.0.1.7/32"
"fd00:b12f:acab:1312:acab:7::/32" "fd00:b12f:acab:1312:acab:7::/96"
]; ];
privateKeyFile = "/run/agenix/wg-private-key-server"; privateKeyFile = "/run/agenix/wg-private-key-server";
@ -44,6 +63,7 @@
"10.0.1.2/32" "10.0.1.2/32"
"fd00:b12f:acab:1312:acab:2::/96" "fd00:b12f:acab:1312:acab:2::/96"
]; ];
endpoint = "pie-wg.b12f.io:51899";
persistentKeepalive = 25; persistentKeepalive = 25;
} }
{ # droppie { # droppie
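Review bot: `Type = mkForce "simple"` changes when wg-quick-wg0 counts as started: units ordered after it proceed as soon as the up script is spawned rather than once the tunnel is configured, and whether the unit stays active after the script exits depends on the module's default `RemainAfterExit` staying in effect — worth confirming, and worth a comment stating that the goal is to keep endpoint resolution (`WG_ENDPOINT_RESOLUTION_RETRIES = "infinity"`) from blocking boot, if that is the intent. The same fifteen-line override is added verbatim in hosts/pie/wireguard.nix and in the wireguard-client module in this commit; a single shared module applied to all three would keep them from drifting. `}: with lib; {` at file top is also broader than needed when only `mkForce` is used; `lib.mkForce` avoids the `with`. The peer list continues outside the hunk.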


@ -13,7 +13,7 @@ with lib; let
${curl}/bin/curl -4 https://ipcheck-ds.wieistmeineip.de/callback/ | ${coreutils}/bin/tail -c +2 | ${coreutils}/bin/head -c -1 | ${jq}/bin/jq '.ip' -r ${curl}/bin/curl -4 https://ipcheck-ds.wieistmeineip.de/callback/ | ${coreutils}/bin/tail -c +2 | ${coreutils}/bin/head -c -1 | ${jq}/bin/jq '.ip' -r
''; '';
getIP6 = with pkgs; writeShellScriptBin "getIP" '' getIP6 = with pkgs; writeShellScriptBin "getIP" ''
echo "2a02:908:5b1:e3c0:3077:2::" echo "2a02:908:5b1:e3c0:2::"
''; '';
in { in {
imports = [ imports = [


@ -4,6 +4,7 @@
./configuration.nix ./configuration.nix
./networking.nix ./networking.nix
./wireguard.nix
./backup.nix ./backup.nix
./unbound.nix ./unbound.nix
./dhcpd.nix ./dhcpd.nix


@ -14,12 +14,7 @@
networking.interfaces.enabcm6e4ei0 = { networking.interfaces.enabcm6e4ei0 = {
ipv4.addresses = [ { address = "192.168.178.2"; prefixLength = 32; } ]; ipv4.addresses = [ { address = "192.168.178.2"; prefixLength = 32; } ];
ipv6.addresses = [ { address = "2a02:908:5b1:e3c0:3077:2::"; prefixLength = 128; } ]; ipv6.addresses = [ { address = "2a02:908:5b1:e3c0:2::"; prefixLength = 128; } ];
};
networking.hosts = (flake.self.lib.addLocalHostname ["caddy.local"]) // {
"128.140.109.213" = [ "vpn.b12f.io" ];
"2a01:4f8:c2c:b60::" = [ "vpn.b12f.io" ];
}; };
networking.firewall.allowedTCPPorts = [ 80 443 ]; networking.firewall.allowedTCPPorts = [ 80 443 ];
@ -29,20 +24,10 @@
# Caddy reverse proxy for local services like cups # Caddy reverse proxy for local services like cups
services.caddy = { services.caddy = {
globalConfig = '' globalConfig = ''
default_bind 192.168.178.2 2a02:908:5b1:e3c0:3077:2:: 10.0.1.2 fd00:b12f:acab:1312:acab:2:: default_bind 192.168.178.2 2a02:908:5b1:e3c0:2:: 10.0.1.2 fd00:b12f:acab:1312:acab:2::
# auto_https off # auto_https off
email acme@benjaminbaedorf.eu email acme@benjaminbaedorf.eu
# acme_ca https://acme-staging-v02.api.letsencrypt.org/directory # acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
''; '';
}; };
age.secrets.wg-private-key.file = "${flake.self}/secrets/wg-private-pie.age";
pub-solar.wireguard-client = {
ownIPs = [
"10.0.1.2/32"
"fd00:b12f:acab:1312:acab:2::/96"
];
wireguardPrivateKeyFile = "/run/agenix/wg-private-key";
};
} }


@ -30,7 +30,7 @@
"\"brwb8763f64a364.local. 10800 IN A 192.168.178.4\"" "\"brwb8763f64a364.local. 10800 IN A 192.168.178.4\""
"\"droppie.local. 10800 IN A 192.168.178.3\"" "\"droppie.local. 10800 IN A 192.168.178.3\""
"\"droppie.local. 10800 IN AAAA 2a02:908:5b1:e3c0:3077:3::\"" "\"droppie.local. 10800 IN AAAA 2a02:908:5b1:e3c0:3::\""
"\"droppie.b12f.io. 10800 IN A 10.0.1.3\"" "\"droppie.b12f.io. 10800 IN A 10.0.1.3\""
"\"droppie.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:3::\"" "\"droppie.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:3::\""
@ -38,7 +38,7 @@
"\"backup.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:3::\"" "\"backup.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:3::\""
"\"pie.local. 10800 IN A 192.168.178.2\"" "\"pie.local. 10800 IN A 192.168.178.2\""
"\"pie.local. 10800 IN AAAA 2a02:908:5b1:e3c0:3077:2::\"" "\"pie.local. 10800 IN AAAA 2a02:908:5b1:e3c0:2::\""
"\"pie.b12f.io. 10800 IN A 10.0.1.2\"" "\"pie.b12f.io. 10800 IN A 10.0.1.2\""
"\"pie.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:2::\"" "\"pie.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:2::\""

hosts/pie/wireguard.nix Normal file

@ -0,0 +1,82 @@
{
flake,
config,
pkgs,
lib,
...
}: with lib; {
age.secrets.wg-private-key-server.file = "${flake.self}/secrets/wg-private-pie.age";
networking.firewall.allowedUDPPorts = [ 51899 ];
systemd.services.wg-quick-wg0 = {
after = [
"network.target"
"network-online.target"
"nss-lookup.target"
];
serviceConfig = {
Type = mkForce "simple";
Restart = "on-failure";
RestartSec = "30";
};
environment = {
WG_ENDPOINT_RESOLUTION_RETRIES = "infinity";
};
};
# Enable WireGuard
networking.wg-quick.interfaces = {
wg0 = {
listenPort = 51899;
address = [
"10.0.1.2/32"
"fd00:b12f:acab:1312:acab:2::/96"
];
privateKeyFile = "/run/agenix/wg-private-key-server";
peers = [
{ # frikandel
publicKey = "p6YKNYBlySKfhTN+wbSsKdoNjzko/XSAiTAlCJzP1jA=";
allowedIPs = [
"10.0.1.0/24"
"fd00:b12f:acab:1312::/64"
];
endpoint = "vpn.b12f.io:51899";
persistentKeepalive = 25;
}
{ # droppie
publicKey = "qsnBMoj9Z16D8PJ5ummRtIfT5AiMpoF3SoOCo4sbyiw=";
allowedIPs = [
"10.0.1.3/32"
"fd00:b12f:acab:1312:acab:3::/96"
];
persistentKeepalive = 25;
}
{ # chocolatebar
publicKey = "nk8EtGE/QsnSEm1lhLS3/w83nOBD2OGYhODIf92G91A=";
allowedIPs = [
"10.0.1.5/32"
"fd00:b12f:acab:1312:acab:5::/96"
];
persistentKeepalive = 25;
}
{ # biolimo
publicKey = "4ymN7wwBuhF+h+5fFN0TqXmVyOe1AsWiTqRL0jJ3CDc=";
allowedIPs = [
"10.0.1.6/32"
"fd00:b12f:acab:1312:acab:6::/96"
];
persistentKeepalive = 25;
}
];
};
};
}
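Review bot: The frikandel peer's `allowedIPs` (`10.0.1.0/24`, `fd00:b12f:acab:1312::/64`) cover the /32 and /96 entries given to droppie, chocolatebar and biolimo below, and nothing in the file says that the narrower entries are meant to win by longest-prefix match so that traffic to those hosts goes direct while everything else still transits frikandel; a comment on the frikandel peer such as `# catch-all for the VPN range; the per-host /32 and /96 peers below take precedence` would document that. As far as I can tell the three peers without an `endpoint` are only reachable after they initiate a handshake to this host, so until they do, packets for their addresses are dropped rather than falling back to frikandel — if that fallback matters, state it as a known limitation. The `lib` argument is brought in only for `mkForce`; `lib.mkForce` would let the `with lib;` go.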


@ -9,6 +9,12 @@
systemd.services.NetworkManager-wait-online.enable = lib.mkDefault false; systemd.services.NetworkManager-wait-online.enable = lib.mkDefault false;
systemd.services.systemd-networkd-wait-online.enable = lib.mkDefault false; systemd.services.systemd-networkd-wait-online.enable = lib.mkDefault false;
networking.hosts = (flake.self.lib.addLocalHostname ["caddy.local"]) // {
"128.140.109.213" = [ "vpn.b12f.io" ];
"2a01:4f8:c2c:b60::" = [ "vpn.b12f.io" ];
"2a02:908:5b1:e3c0:2::" = [ "pie-wg.b12f.io" ];
};
networking.networkmanager = { networking.networkmanager = {
# Enable networkmanager. REMEMBER to add yourself to group in order to use nm related stuff. # Enable networkmanager. REMEMBER to add yourself to group in order to use nm related stuff.
enable = lib.mkDefault true; enable = lib.mkDefault true;
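Review bot: The added `"2a02:908:5b1:e3c0:2::" = [ "pie-wg.b12f.io" ];` entry pins the new endpoint to a single IPv6 literal in /etc/hosts on every host importing this module, with no IPv4 address alongside it, unlike the two entries for vpn.b12f.io. A client on an IPv4-only network therefore cannot reach pie at all, and since this very commit renumbers pie's prefix, every machine has to be rebuilt whenever that address changes. If pie's address is not static (the `getIP6` script on pie suggests it may move), a real DNS record for pie-wg.b12f.io would be more robust than a hosts override; if it is static, a comment noting that the entry must track pie's `networking.interfaces` address would help.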


@ -27,6 +27,24 @@ in {
config = { config = {
networking.firewall.allowedUDPPorts = [51899]; networking.firewall.allowedUDPPorts = [51899];
systemd.services.wg-quick-wg0 = {
after = [
"network.target"
"network-online.target"
"nss-lookup.target"
];
serviceConfig = {
Type = mkForce "simple";
Restart = "on-failure";
RestartSec = "30";
};
environment = {
WG_ENDPOINT_RESOLUTION_RETRIES = "infinity";
};
};
networking.wg-quick.interfaces = { networking.wg-quick.interfaces = {
wg0 = { wg0 = {
listenPort = 51899; listenPort = 51899;
@ -47,6 +65,16 @@ in {
endpoint = "vpn.b12f.io:51899"; endpoint = "vpn.b12f.io:51899";
persistentKeepalive = 25; persistentKeepalive = 25;
} }
{
# pie
publicKey = "hPTXEqQ2GYEywdPNdZBacwB9KKcoFZ/heClxnqmizyw=";
allowedIPs = [
"10.0.1.2/32"
"fd00:b12f:acab:1312:acab:2::/96"
];
endpoint = "pie-wg.b12f.io:51899";
persistentKeepalive = 25;
}
]; ];
}; };
}; };
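Review bot: `mkForce` is used unqualified in the new `serviceConfig`, and the hunk does not show whether the module's header opens `with lib;` (the hunk starts after `in {`); if it does not, the line should read `Type = lib.mkForce "simple";`. The new pie peer also opens with a separate `# pie` line while the frikandel and pie host files write `{ # droppie` on the brace line — pick one form.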