
...

3 commits

10 changed files with 69 additions and 113 deletions


@ -609,16 +609,15 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1708706677, "lastModified": 1708750443,
"narHash": "sha256-fUIT9v5FGy9KbbPKBVcxw2rwxqLZUVElqTtZWM7FiNI=", "narHash": "sha256-fUIT9v5FGy9KbbPKBVcxw2rwxqLZUVElqTtZWM7FiNI=",
"owner": "b12f", "owner": "tfc",
"repo": "nixos-openstreetmap", "repo": "nixos-openstreetmap",
"rev": "9057f546a5762a6b1645a8d4c22f818e29908144", "rev": "0fd30b016eb838395d85948b9ecf00ff59b4581d",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "b12f", "owner": "tfc",
"ref": "flake-nixosmodule",
"repo": "nixos-openstreetmap", "repo": "nixos-openstreetmap",
"type": "github" "type": "github"
} }


@ -39,7 +39,7 @@
adblock-unbound.url = "github:MayNiklas/nixos-adblock-unbound"; adblock-unbound.url = "github:MayNiklas/nixos-adblock-unbound";
adblock-unbound.inputs.nixpkgs.follows = "nixpkgs"; adblock-unbound.inputs.nixpkgs.follows = "nixpkgs";
openstreetmap.url = "github:b12f/nixos-openstreetmap/flake-nixosmodule"; openstreetmap.url = "github:tfc/nixos-openstreetmap";
openstreetmap.inputs.nixpkgs.follows = "nixpkgs"; openstreetmap.inputs.nixpkgs.follows = "nixpkgs";
deno2nix.url = "github:SnO2WMaN/deno2nix"; deno2nix.url = "github:SnO2WMaN/deno2nix";
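Review bot: The new side of `openstreetmap.url` follows the default branch of a different owner (`github:tfc/nixos-openstreetmap`) where the old value pinned an explicit ref (`…/flake-nixosmodule`). The lock file still records a specific `rev`, so builds stay reproducible today, but the next `nix flake update` will silently take whatever that default branch points to; pinning a branch or tag again (`openstreetmap.url = "github:tfc/nixos-openstreetmap/<branch-or-tag>";`) or leaving a one-line comment on why the upstream was switched would keep the trust decision reviewable. In the lock entry the `narHash` is unchanged while `rev` changes, which presumably means the two revisions have identical tree contents; worth a glance to confirm that is the intent.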


@ -6,7 +6,7 @@
... ...
}: { }: {
services.openstreetmap = { services.openstreetmap = {
enable = false; enable = true;
debug = true; debug = true;
totalRamGb = 14; totalRamGb = 14;
}; };
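Review bot: Flipping `enable` to `true` makes the pre-existing `debug = true;` on the next line effective for the first time, and the commit does not say whether that is wanted for the enabled deployment. What the module does with `debug` is not visible here (verbose logging, extra endpoints, or something else), so this is a question rather than a defect: if it is only meant for bring-up, change it to `debug = false;` or add `# debug left on intentionally during initial rollout` so the next reader does not have to guess.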


@ -1,9 +1,4 @@
{ { ... }: {
lib,
config,
pkgs,
...
}: {
imports = [ imports = [
./private.nix ./private.nix
./tunnel.nix ./tunnel.nix


@ -1,48 +1,30 @@
{ {
lib, lib,
config, config,
pkgs,
... ...
}: }:
with lib; let let
psCfg = config.pub-solar;
cfg = config.pub-solar.wireguard.ehex; cfg = config.pub-solar.wireguard.ehex;
in { in {
options.pub-solar.wireguard.ehex = { options.pub-solar.wireguard.ehex = {
ownIPs = mkOption { ownIPs = lib.mkOption {
description = "Internal ips in wireguard used for cluster control-plane communication."; description = "Internal ips in wireguard used for cluster control-plane communication.";
type = types.listOf types.str; type = lib.types.listOf lib.types.str;
default = []; default = [];
}; };
privateKeyFile = mkOption { privateKeyFile = lib.mkOption {
description = "Location of private key file"; description = "Location of private key file";
type = types.path; type = lib.types.path;
}; };
}; };
config = mkIf (length cfg.ownIPs != 0){ config = lib.mkIf (lib.length cfg.ownIPs != 0){
networking.firewall.allowedUDPPorts = [51822]; networking.firewall.allowedUDPPorts = [51822];
systemd.network.wait-online.ignoredInterfaces = [ "wg-ehex" ]; systemd.network.wait-online.ignoredInterfaces = [ "wg-ehex" ];
systemd.services.wireguard-wg-ehex = { systemd.services.wireguard-wg-ehex = import ./service-override.nix lib;
after = [
"network.target"
"network-online.target"
"nss-lookup.target"
];
serviceConfig = {
Type = mkForce "simple";
Restart = "on-failure";
RestartSec = "30";
};
environment = {
WG_ENDPOINT_RESOLUTION_RETRIES = "infinity";
};
};
networking.wireguard.interfaces = { networking.wireguard.interfaces = {
wg-ehex = { wg-ehex = {
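Review bot: Replacing the inline unit with `import ./service-override.nix lib` on the `systemd.services.wireguard-wg-ehex` line is not a pure refactor: the removed block set `after = [ "network.target" "network-online.target" "nss-lookup.target" ]` and `RestartSec = "30"`, whereas the shared file added in this compare sets `wantedBy` with those targets and `RestartSec = "15"`. Dropping `after` removes the ordering guarantee that this interface is started once name resolution is available, and `wantedBy` makes those targets pull the WireGuard unit in, which is a different relationship. The same substitution is made for `wireguard-wg-pub-solar` (also losing `after`, 30 → 15) and for `wireguard-wg-private` (which already used `wantedBy`, 10 → 15). If the ordering change is deliberate, a short comment at the import site such as `# shared unit override; note it uses wantedBy, not after` would save the next reader the diff archaeology; otherwise keep `after = [ ... ]` next to `wantedBy` in the shared file. The enclosing `config` attribute set continues past the hunk.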


@ -4,65 +4,48 @@
pkgs, pkgs,
... ...
}: }:
with lib; let let
psCfg = config.pub-solar;
cfg = config.pub-solar.wireguard.private; cfg = config.pub-solar.wireguard.private;
in { in {
options.pub-solar.wireguard.private = { options.pub-solar.wireguard.private = {
ownIPs = mkOption { ownIPs = lib.mkOption {
description = '' description = ''
Internal ips in wireguard used for cluster control-plane communication. Internal ips in wireguard used for cluster control-plane communication.
''; '';
type = types.listOf types.str; type = lib.types.listOf lib.types.str;
default = []; default = [];
}; };
privateKeyFile = mkOption { privateKeyFile = lib.mkOption {
description = '' description = ''
Location of private key file Location of private key file
''; '';
type = types.path; type = lib.types.path;
}; };
useDNS = mkOption { useDNS = lib.mkOption {
description = '' description = ''
Whether to use the wireguard DNS Whether to use the wireguard DNS
''; '';
default = true; default = true;
type = types.bool; type = lib.types.bool;
}; };
fullTunnel = mkOption { fullTunnel = lib.mkOption {
description = '' description = ''
Whether to tunnel all traffic through the wireguard VPN Whether to tunnel all traffic through the wireguard VPN
''; '';
default = false; default = false;
type = types.bool; type = lib.types.bool;
}; };
}; };
config = mkIf (builtins.length cfg.ownIPs != 0) { config = lib.mkIf (builtins.length cfg.ownIPs != 0) {
networking.firewall.allowedUDPPorts = [51899]; networking.firewall.allowedUDPPorts = [51899];
systemd.network.wait-online.ignoredInterfaces = [ "wg-private" ]; systemd.network.wait-online.ignoredInterfaces = [ "wg-private" ];
systemd.services.wireguard-wg-private = { systemd.services.wireguard-wg-private = import ./service-override.nix lib;
wantedBy = [
"network.target"
"network-online.target"
"nss-lookup.target"
];
serviceConfig = {
Type = mkForce "simple";
Restart = "on-failure";
RestartSec = "10";
};
environment = {
WG_ENDPOINT_RESOLUTION_RETRIES = "infinity";
};
};
networking.wireguard.interfaces = { networking.wireguard.interfaces = {
wg-private = { wg-private = {


@ -1,48 +1,30 @@
{ {
lib, lib,
config, config,
pkgs,
... ...
}: }:
with lib; let let
psCfg = config.pub-solar;
cfg = config.pub-solar.wireguard.pub-solar; cfg = config.pub-solar.wireguard.pub-solar;
in { in {
options.pub-solar.wireguard.pub-solar = { options.pub-solar.wireguard.pub-solar = {
ownIPs = mkOption { ownIPs = lib.mkOption {
description = "Internal ips in wireguard used for cluster control-plane communication."; description = "Internal ips in wireguard used for cluster control-plane communication.";
type = types.listOf types.str; type = lib.types.listOf lib.types.str;
default = []; default = [];
}; };
privateKeyFile = mkOption { privateKeyFile = lib.mkOption {
description = "Location of private key file"; description = "Location of private key file";
type = types.path; type = lib.types.path;
}; };
}; };
config = mkIf (length cfg.ownIPs != 0){ config = lib.mkIf (lib.length cfg.ownIPs != 0){
networking.firewall.allowedUDPPorts = [51821]; networking.firewall.allowedUDPPorts = [51821];
systemd.network.wait-online.ignoredInterfaces = [ "wg-pub-solar" ]; systemd.network.wait-online.ignoredInterfaces = [ "wg-pub-solar" ];
systemd.services.wireguard-wg-pub-solar = { systemd.services.wireguard-wg-pub-solar = import ./service-override.nix lib;
after = [
"network.target"
"network-online.target"
"nss-lookup.target"
];
serviceConfig = {
Type = mkForce "simple";
Restart = "on-failure";
RestartSec = "30";
};
environment = {
WG_ENDPOINT_RESOLUTION_RETRIES = "infinity";
};
};
networking.wireguard.interfaces = { networking.wireguard.interfaces = {
wg-pub-solar = { wg-pub-solar = {


@ -0,0 +1,17 @@
lib: {
wantedBy = [
"network.target"
"network-online.target"
"nss-lookup.target"
];
serviceConfig = {
Type = lib.mkForce "simple";
Restart = "on-failure";
RestartSec = "15";
};
environment = {
WG_ENDPOINT_RESOLUTION_RETRIES = "infinity";
};
}
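Review bot: The new file has no comment saying what it is, and its shape (`lib: { ... }`, a function taking `lib` and returning a partial systemd unit) is only understandable from the call sites that import it. A header line such as `# Shared systemd unit overrides for the wireguard-wg-* services; each per-interface module applies it via import ./service-override.nix lib` would make it self-describing. Two values also deserve a why-comment: `Type = lib.mkForce "simple"` overrides the unit type the NixOS wireguard module generates, and `WG_ENDPOINT_RESOLUTION_RETRIES = "infinity"` is read by `wg(8)` when resolving a peer endpoint hostname, so something like `# keep retrying endpoint DNS at boot instead of giving up after wg's default retry count` next to it. `RestartSec = "15"` replaces the per-interface values (30, 30 and 10) this file consolidates; if one value is fine for all three, a comment saying so would stop the question from being asked again.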


@ -4,41 +4,40 @@
pkgs, pkgs,
... ...
}: }:
with lib; let let
psCfg = config.pub-solar;
cfg = config.pub-solar.wireguard.tunnel; cfg = config.pub-solar.wireguard.tunnel;
in { in {
options.pub-solar.wireguard.tunnel = { options.pub-solar.wireguard.tunnel = {
ownIPs = mkOption { ownIPs = lib.mkOption {
description = "Internal ips in wireguard used for cluster control-plane communication."; description = "Internal ips in wireguard used for cluster control-plane communication.";
type = types.listOf types.str; type = lib.types.listOf lib.types.str;
default = []; default = [];
}; };
privateKeyFile = mkOption { privateKeyFile = lib.mkOption {
description = "Location of private key file"; description = "Location of private key file";
type = types.path; type = lib.types.path;
}; };
peer = { peer = {
publicKey = mkOption { publicKey = lib.mkOption {
description = "Public key of the peer"; description = "Public key of the peer";
type = types.str; type = lib.types.str;
}; };
endpoint = mkOption { endpoint = lib.mkOption {
description = "Peer endpoint address"; description = "Peer endpoint address";
type = types.str; type = lib.types.str;
}; };
}; };
useDNS = mkOption { useDNS = lib.mkOption {
description = "Whether to use the DNS of the interface as default"; description = "Whether to use the DNS of the interface as default";
default = false; default = false;
type = types.bool; type = lib.types.bool;
}; };
}; };
config = mkIf (length cfg.ownIPs != 0){ config = lib.mkIf (lib.length cfg.ownIPs != 0){
networking.firewall.allowedUDPPorts = [51820]; networking.firewall.allowedUDPPorts = [51820];
systemd.network.wait-online.ignoredInterfaces = [ "wg-tunnel" ]; systemd.network.wait-online.ignoredInterfaces = [ "wg-tunnel" ];
@ -63,7 +62,7 @@ in {
''; '';
serviceConfig = { serviceConfig = {
Type = mkForce "simple"; Type = lib.mkForce "simple";
Restart = "on-failure"; Restart = "on-failure";
RestartSec = "30"; RestartSec = "30";
}; };
@ -74,15 +73,15 @@ in {
}; };
networking.wireguard.interfaces = let networking.wireguard.interfaces = let
splitEndpoint = (strings.splitString ":" cfg.peer.endpoint); splitEndpoint = (lib.strings.splitString ":" cfg.peer.endpoint);
joinIPV6 = p: ip: p + (if (stringLength ip > 0) then ":" else "") + ip; joinIPV6 = p: ip: p + (if (lib.stringLength ip > 0) then ":" else "") + ip;
isIPV4 = length splitEndpoint < 3; isIPV4 = lib.length splitEndpoint < 3;
ipFlag = if isIPV4 then "-4" else "-6"; ipFlag = if isIPV4 then "-4" else "-6";
endpointIP = (if isIPV4 endpointIP = (if isIPV4
then elemAt splitEndpoint 0 then lib.elemAt splitEndpoint 0
else lists.fold joinIPV6 "" ((lists.take ((length splitEndpoint) - 1)) splitEndpoint) else lib.lists.fold joinIPV6 "" ((lib.lists.take ((lib.length splitEndpoint) - 1)) splitEndpoint)
); );
endpointIPStripped = strings.removePrefix "[" (strings.removeSuffix "]" endpointIP); endpointIPStripped = lib.strings.removePrefix "[" (lib.strings.removeSuffix "]" endpointIP);
in { in {
wg-tunnel = { wg-tunnel = {
listenPort = 51820; listenPort = 51820;
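Review bot: `tunnel.nix` keeps its own inline `serviceConfig` (the `Type = lib.mkForce "simple"` / `Restart` / `RestartSec = "30"` lines in the second hunk) while the ehex, pub-solar and private modules in this compare switch to the shared `./service-override.nix`. The hunk appears to show a multi-line string closing just above `serviceConfig`, so the tunnel unit plausibly needs to stay separate; if so, a one-line comment such as `# deliberately not using ./service-override.nix: this unit carries its own script` above `serviceConfig` would stop a later refactor from "fixing" it, and if not, it should use the shared file too. Separately, the `lib.` prefixes added in the endpoint-parsing `let` block match the rest of the change, but `builtins.length` remains in private.nix where the sibling modules now use `lib.length` — harmless, but worth unifying. The endpoint-parsing `let` and the enclosing `config` continue outside the hunk.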


@ -19,7 +19,6 @@
factorio-headless = master.factorio-headless; factorio-headless = master.factorio-headless;
paperless-ngx = unstable.paperless-ngx; paperless-ngx = unstable.paperless-ngx;
waybar = master.waybar; waybar = master.waybar;
ungoogled-chromium = unstable.ungoogled-chromium;
nix-inspect = unstable.nix-inspect; nix-inspect = unstable.nix-inspect;
authelia = authelia-438.authelia; authelia = authelia-438.authelia;