


10 changed files with 69 additions and 113 deletions


@ -609,16 +609,15 @@
]
},
"locked": {
"lastModified": 1708706677,
"lastModified": 1708750443,
"narHash": "sha256-fUIT9v5FGy9KbbPKBVcxw2rwxqLZUVElqTtZWM7FiNI=",
"owner": "b12f",
"owner": "tfc",
"repo": "nixos-openstreetmap",
"rev": "9057f546a5762a6b1645a8d4c22f818e29908144",
"rev": "0fd30b016eb838395d85948b9ecf00ff59b4581d",
"type": "github"
},
"original": {
"owner": "b12f",
"ref": "flake-nixosmodule",
"owner": "tfc",
"repo": "nixos-openstreetmap",
"type": "github"
}


@ -39,7 +39,7 @@
adblock-unbound.url = "github:MayNiklas/nixos-adblock-unbound";
adblock-unbound.inputs.nixpkgs.follows = "nixpkgs";
openstreetmap.url = "github:b12f/nixos-openstreetmap/flake-nixosmodule";
openstreetmap.url = "github:tfc/nixos-openstreetmap";
openstreetmap.inputs.nixpkgs.follows = "nixpkgs";
deno2nix.url = "github:SnO2WMaN/deno2nix";
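Review bot: The new `openstreetmap.url = "github:tfc/nixos-openstreetmap";` drops the branch that the old URL carried (`/flake-nixosmodule`) and switches to a different owner's repository with no ref or rev, so future `nix flake update` runs will follow whatever that repo's default branch holds; only the lockfile currently holds it at rev 0fd30b0…. If the tfc repo is a fork of the b12f module, consider pinning a ref in the URL, e.g. `openstreetmap.url = "github:tfc/nixos-openstreetmap/<ref>";`, and recording in a short comment why the input moved. It is worth confirming that the option names used elsewhere in this commit (`enable`, `debug`, `totalRamGb`) are the ones the new upstream module declares.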


@ -6,7 +6,7 @@
...
}: {
services.openstreetmap = {
enable = false;
enable = true;
debug = true;
totalRamGb = 14;
};
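Review bot: With `enable = true;` the untouched `debug = true;` on the next line now applies to a running service rather than a disabled one. What the module's `debug` option controls is not visible here; if it raises log verbosity or enables diagnostic behaviour, it should probably be switched off for a production host or at least annotated, e.g. `debug = true; # TODO: drop once the service is confirmed working`. The hunk also shows no comment on why `totalRamGb = 14` was chosen, which a future maintainer resizing the machine would want.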


@ -1,9 +1,4 @@
{
lib,
config,
pkgs,
...
}: {
{ ... }: {
imports = [
./private.nix
./tunnel.nix


@ -1,48 +1,30 @@
{
lib,
config,
pkgs,
...
}:
with lib; let
psCfg = config.pub-solar;
let
cfg = config.pub-solar.wireguard.ehex;
in {
options.pub-solar.wireguard.ehex = {
ownIPs = mkOption {
ownIPs = lib.mkOption {
description = "Internal ips in wireguard used for cluster control-plane communication.";
type = types.listOf types.str;
type = lib.types.listOf lib.types.str;
default = [];
};
privateKeyFile = mkOption {
privateKeyFile = lib.mkOption {
description = "Location of private key file";
type = types.path;
type = lib.types.path;
};
};
config = mkIf (length cfg.ownIPs != 0){
config = lib.mkIf (lib.length cfg.ownIPs != 0){
networking.firewall.allowedUDPPorts = [51822];
systemd.network.wait-online.ignoredInterfaces = [ "wg-ehex" ];
systemd.services.wireguard-wg-ehex = {
after = [
"network.target"
"network-online.target"
"nss-lookup.target"
];
serviceConfig = {
Type = mkForce "simple";
Restart = "on-failure";
RestartSec = "30";
};
environment = {
WG_ENDPOINT_RESOLUTION_RETRIES = "infinity";
};
};
systemd.services.wireguard-wg-ehex = import ./service-override.nix lib;
networking.wireguard.interfaces = {
wg-ehex = {
@ -50,7 +32,7 @@ in {
mtu = 1300;
ips = cfg.ownIPs;
privateKeyFile = cfg.privateKeyFile;
postSetup = ''
postSetup = ''
printf "nameserver 10.0.66.10\nnameserver 10.0.66.12" | resolvconf -a wg-ehex -m 0 -x
'';
postShutdown = ''
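Review bot: Swapping the inline service block for `import ./service-override.nix lib` changes the unit's ordering for wireguard-wg-ehex: the removed lines declared `after = [ "network.target" "network-online.target" "nss-lookup.target" ]`, whereas the shared file declares `wantedBy` for those targets and no `after`, so the unit is now pulled in by them but no longer ordered behind them. `WG_ENDPOINT_RESOLUTION_RETRIES = "infinity"` softens the impact on endpoint resolution, but the `postSetup` hook that pipes nameservers into `resolvconf` still runs whenever the unit starts, presumably before `nss-lookup.target` is reached. `RestartSec` also silently moves from "30" to "15". If the previous ordering was deliberate, add `after = [ "network-online.target" "nss-lookup.target" ];` to the shared override, or merge it back in here with `systemd.services.wireguard-wg-ehex = (import ./service-override.nix lib) // { after = [ "network-online.target" "nss-lookup.target" ]; };`.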


@ -4,65 +4,48 @@
pkgs,
...
}:
with lib; let
psCfg = config.pub-solar;
let
cfg = config.pub-solar.wireguard.private;
in {
options.pub-solar.wireguard.private = {
ownIPs = mkOption {
ownIPs = lib.mkOption {
description = ''
Internal ips in wireguard used for cluster control-plane communication.
'';
type = types.listOf types.str;
type = lib.types.listOf lib.types.str;
default = [];
};
privateKeyFile = mkOption {
privateKeyFile = lib.mkOption {
description = ''
Location of private key file
'';
type = types.path;
type = lib.types.path;
};
useDNS = mkOption {
useDNS = lib.mkOption {
description = ''
Whether to use the wireguard DNS
'';
default = true;
type = types.bool;
type = lib.types.bool;
};
fullTunnel = mkOption {
fullTunnel = lib.mkOption {
description = ''
Whether to tunnel all traffic through the wireguard VPN
'';
default = false;
type = types.bool;
type = lib.types.bool;
};
};
config = mkIf (builtins.length cfg.ownIPs != 0) {
config = lib.mkIf (builtins.length cfg.ownIPs != 0) {
networking.firewall.allowedUDPPorts = [51899];
systemd.network.wait-online.ignoredInterfaces = [ "wg-private" ];
systemd.services.wireguard-wg-private = {
wantedBy = [
"network.target"
"network-online.target"
"nss-lookup.target"
];
serviceConfig = {
Type = mkForce "simple";
Restart = "on-failure";
RestartSec = "10";
};
environment = {
WG_ENDPOINT_RESOLUTION_RETRIES = "infinity";
};
};
systemd.services.wireguard-wg-private = import ./service-override.nix lib;
networking.wireguard.interfaces = {
wg-private = {


@ -1,48 +1,30 @@
{
lib,
config,
pkgs,
...
}:
with lib; let
psCfg = config.pub-solar;
let
cfg = config.pub-solar.wireguard.pub-solar;
in {
options.pub-solar.wireguard.pub-solar = {
ownIPs = mkOption {
ownIPs = lib.mkOption {
description = "Internal ips in wireguard used for cluster control-plane communication.";
type = types.listOf types.str;
type = lib.types.listOf lib.types.str;
default = [];
};
privateKeyFile = mkOption {
privateKeyFile = lib.mkOption {
description = "Location of private key file";
type = types.path;
type = lib.types.path;
};
};
config = mkIf (length cfg.ownIPs != 0){
config = lib.mkIf (lib.length cfg.ownIPs != 0){
networking.firewall.allowedUDPPorts = [51821];
systemd.network.wait-online.ignoredInterfaces = [ "wg-pub-solar" ];
systemd.services.wireguard-wg-pub-solar = {
after = [
"network.target"
"network-online.target"
"nss-lookup.target"
];
serviceConfig = {
Type = mkForce "simple";
Restart = "on-failure";
RestartSec = "30";
};
environment = {
WG_ENDPOINT_RESOLUTION_RETRIES = "infinity";
};
};
systemd.services.wireguard-wg-pub-solar = import ./service-override.nix lib;
networking.wireguard.interfaces = {
wg-pub-solar = {
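Review bot: The `after` ordering the removed lines gave wireguard-wg-pub-solar is not carried over by service-override.nix, which only sets `wantedBy` for the same three targets, so the unit may now start before `network-online.target`; `RestartSec` also changes from "30" to "15" as a side effect of sharing the file with wg-private. If the ordering still matters for this interface, keep it locally alongside the import: `systemd.services.wireguard-wg-pub-solar = (import ./service-override.nix lib) // { after = [ "network-online.target" "nss-lookup.target" ]; };`. A one-line comment stating that the three wg-* services intentionally share identical restart settings would also help the next reader, since the per-interface values used to differ.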


@ -0,0 +1,17 @@
lib: {
wantedBy = [
"network.target"
"network-online.target"
"nss-lookup.target"
];
serviceConfig = {
Type = lib.mkForce "simple";
Restart = "on-failure";
RestartSec = "15";
};
environment = {
WG_ENDPOINT_RESOLUTION_RETRIES = "infinity";
};
}
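Review bot: The new file has no comment explaining what it is or why it forces `Type = "simple"` over whatever type the NixOS wireguard module sets, which is the kind of override a later maintainer is likely to "clean up". Add a header such as `# Shared systemd overrides for the wg-* wireguard units: force Type=simple with restart-on-failure so a failed setup is retried, and let wg retry endpoint DNS resolution indefinitely.` and annotate the parameter, `lib: # only needed for mkForce`. Note that this file declares `wantedBy` but no `after`, so units importing it are pulled in by network.target / network-online.target / nss-lookup.target without being ordered behind them; two of the three callers previously used `after` for these targets, so either document that this is intended or add `after = [ "network-online.target" "nss-lookup.target" ];` here.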


@ -4,41 +4,40 @@
pkgs,
...
}:
with lib; let
psCfg = config.pub-solar;
let
cfg = config.pub-solar.wireguard.tunnel;
in {
options.pub-solar.wireguard.tunnel = {
ownIPs = mkOption {
ownIPs = lib.mkOption {
description = "Internal ips in wireguard used for cluster control-plane communication.";
type = types.listOf types.str;
type = lib.types.listOf lib.types.str;
default = [];
};
privateKeyFile = mkOption {
privateKeyFile = lib.mkOption {
description = "Location of private key file";
type = types.path;
type = lib.types.path;
};
peer = {
publicKey = mkOption {
publicKey = lib.mkOption {
description = "Public key of the peer";
type = types.str;
type = lib.types.str;
};
endpoint = mkOption {
endpoint = lib.mkOption {
description = "Peer endpoint address";
type = types.str;
type = lib.types.str;
};
};
useDNS = mkOption {
useDNS = lib.mkOption {
description = "Whether to use the DNS of the interface as default";
default = false;
type = types.bool;
type = lib.types.bool;
};
};
config = mkIf (length cfg.ownIPs != 0){
config = lib.mkIf (lib.length cfg.ownIPs != 0){
networking.firewall.allowedUDPPorts = [51820];
systemd.network.wait-online.ignoredInterfaces = [ "wg-tunnel" ];
@ -63,7 +62,7 @@ in {
'';
serviceConfig = {
Type = mkForce "simple";
Type = lib.mkForce "simple";
Restart = "on-failure";
RestartSec = "30";
};
@ -74,15 +73,15 @@ in {
};
networking.wireguard.interfaces = let
splitEndpoint = (strings.splitString ":" cfg.peer.endpoint);
joinIPV6 = p: ip: p + (if (stringLength ip > 0) then ":" else "") + ip;
isIPV4 = length splitEndpoint < 3;
splitEndpoint = (lib.strings.splitString ":" cfg.peer.endpoint);
joinIPV6 = p: ip: p + (if (lib.stringLength ip > 0) then ":" else "") + ip;
isIPV4 = lib.length splitEndpoint < 3;
ipFlag = if isIPV4 then "-4" else "-6";
endpointIP = (if isIPV4
then elemAt splitEndpoint 0
else lists.fold joinIPV6 "" ((lists.take ((length splitEndpoint) - 1)) splitEndpoint)
then lib.elemAt splitEndpoint 0
else lib.lists.fold joinIPV6 "" ((lib.lists.take ((lib.length splitEndpoint) - 1)) splitEndpoint)
);
endpointIPStripped = strings.removePrefix "[" (strings.removeSuffix "]" endpointIP);
endpointIPStripped = lib.strings.removePrefix "[" (lib.strings.removeSuffix "]" endpointIP);
in {
wg-tunnel = {
listenPort = 51820;
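Review bot: tunnel.nix keeps its own inline `serviceConfig` (`Type = lib.mkForce "simple"`, `RestartSec = "30"` in the second hunk) while ehex, pub-solar and private now import service-override.nix, so the four interfaces diverge in restart timing and in `wantedBy`/`after` handling. The enclosing `systemd.services.wireguard-wg-tunnel` block starts before the second hunk and the `'';` above `serviceConfig` suggests a script the others lack, so this may be deliberate; if so, a comment such as `# not using service-override.nix: this unit needs its own preStart/ordering` would stop someone unifying it later, and if not, `(import ./service-override.nix lib) // { ... }` would keep the pieces consistent. In the third hunk, `isIPV4 = lib.length splitEndpoint < 3` also classifies a `hostname:port` endpoint as IPv4, so a hostname that resolves only over IPv6 would get `ipFlag = "-4"`; how `ipFlag` is consumed is outside the hunk, but a comment `# only bracketed IPv6 literals take the "-6" path; hostnames are treated as IPv4` would make the assumption explicit.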


@ -19,7 +19,6 @@
factorio-headless = master.factorio-headless;
paperless-ngx = unstable.paperless-ngx;
waybar = master.waybar;
ungoogled-chromium = unstable.ungoogled-chromium;
nix-inspect = unstable.nix-inspect;
authelia = authelia-438.authelia;