Compare commits
3 commits
23af0457bb
...
eccda6cd08
Author | SHA1 | Date | |
---|---|---|---|
Benjamin Yule Bädorf | eccda6cd08 | ||
Benjamin Yule Bädorf | 45d6f56d1d | ||
Benjamin Yule Bädorf | ee611894f8 |
|
@ -609,16 +609,15 @@
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1708706677,
|
"lastModified": 1708750443,
|
||||||
"narHash": "sha256-fUIT9v5FGy9KbbPKBVcxw2rwxqLZUVElqTtZWM7FiNI=",
|
"narHash": "sha256-fUIT9v5FGy9KbbPKBVcxw2rwxqLZUVElqTtZWM7FiNI=",
|
||||||
"owner": "b12f",
|
"owner": "tfc",
|
||||||
"repo": "nixos-openstreetmap",
|
"repo": "nixos-openstreetmap",
|
||||||
"rev": "9057f546a5762a6b1645a8d4c22f818e29908144",
|
"rev": "0fd30b016eb838395d85948b9ecf00ff59b4581d",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
"owner": "b12f",
|
"owner": "tfc",
|
||||||
"ref": "flake-nixosmodule",
|
|
||||||
"repo": "nixos-openstreetmap",
|
"repo": "nixos-openstreetmap",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
|
|
|
@ -39,7 +39,7 @@
|
||||||
adblock-unbound.url = "github:MayNiklas/nixos-adblock-unbound";
|
adblock-unbound.url = "github:MayNiklas/nixos-adblock-unbound";
|
||||||
adblock-unbound.inputs.nixpkgs.follows = "nixpkgs";
|
adblock-unbound.inputs.nixpkgs.follows = "nixpkgs";
|
||||||
|
|
||||||
openstreetmap.url = "github:b12f/nixos-openstreetmap/flake-nixosmodule";
|
openstreetmap.url = "github:tfc/nixos-openstreetmap";
|
||||||
openstreetmap.inputs.nixpkgs.follows = "nixpkgs";
|
openstreetmap.inputs.nixpkgs.follows = "nixpkgs";
|
||||||
|
|
||||||
deno2nix.url = "github:SnO2WMaN/deno2nix";
|
deno2nix.url = "github:SnO2WMaN/deno2nix";
|
||||||
|
|
|
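Review bot: The openstreetmap input URL drops the branch name (`flake-nixosmodule`) along with the owner, so `github:tfc/nixos-openstreetmap` will follow that repository's default branch on the next `nix flake update`, whereas the old URL tracked a named branch of a fork. The checked-in rev stays pinned by flake.lock, and the lock hunk in this compare shows the narHash unchanged while rev and owner change, which suggests the two revisions have identical content and this is a change of provenance rather than of code. A short comment above the input, e.g. `# upstream now carries the flake module; fork branch b12f/flake-nixosmodule no longer needed`, would record why the trusted source changed.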
@ -6,7 +6,7 @@
|
||||||
...
|
...
|
||||||
}: {
|
}: {
|
||||||
services.openstreetmap = {
|
services.openstreetmap = {
|
||||||
enable = false;
|
enable = true;
|
||||||
debug = true;
|
debug = true;
|
||||||
totalRamGb = 14;
|
totalRamGb = 14;
|
||||||
};
|
};
|
||||||
|
|
|
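Review bot: `enable = true;` turns services.openstreetmap on while the adjacent `debug = true;` is kept, so whatever the module's debug mode enables (the module itself is not visible here) now runs on a live host rather than on a disabled configuration. If debug was only meant for the period the service was disabled, flip it in the same change with `debug = false;`, or leave a comment such as `# debug stays on until the initial import is verified` so the reason it is still set is recorded. The enclosing attribute set starts and ends outside the hunk.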
@ -1,9 +1,4 @@
|
||||||
{
|
{ ... }: {
|
||||||
lib,
|
|
||||||
config,
|
|
||||||
pkgs,
|
|
||||||
...
|
|
||||||
}: {
|
|
||||||
imports = [
|
imports = [
|
||||||
./private.nix
|
./private.nix
|
||||||
./tunnel.nix
|
./tunnel.nix
|
||||||
|
|
|
@ -1,48 +1,30 @@
|
||||||
{
|
{
|
||||||
lib,
|
lib,
|
||||||
config,
|
config,
|
||||||
pkgs,
|
|
||||||
...
|
...
|
||||||
}:
|
}:
|
||||||
with lib; let
|
let
|
||||||
psCfg = config.pub-solar;
|
|
||||||
cfg = config.pub-solar.wireguard.ehex;
|
cfg = config.pub-solar.wireguard.ehex;
|
||||||
in {
|
in {
|
||||||
options.pub-solar.wireguard.ehex = {
|
options.pub-solar.wireguard.ehex = {
|
||||||
ownIPs = mkOption {
|
ownIPs = lib.mkOption {
|
||||||
description = "Internal ips in wireguard used for cluster control-plane communication.";
|
description = "Internal ips in wireguard used for cluster control-plane communication.";
|
||||||
type = types.listOf types.str;
|
type = lib.types.listOf lib.types.str;
|
||||||
default = [];
|
default = [];
|
||||||
};
|
};
|
||||||
|
|
||||||
privateKeyFile = mkOption {
|
privateKeyFile = lib.mkOption {
|
||||||
description = "Location of private key file";
|
description = "Location of private key file";
|
||||||
type = types.path;
|
type = lib.types.path;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
config = mkIf (length cfg.ownIPs != 0){
|
config = lib.mkIf (lib.length cfg.ownIPs != 0){
|
||||||
networking.firewall.allowedUDPPorts = [51822];
|
networking.firewall.allowedUDPPorts = [51822];
|
||||||
|
|
||||||
systemd.network.wait-online.ignoredInterfaces = [ "wg-ehex" ];
|
systemd.network.wait-online.ignoredInterfaces = [ "wg-ehex" ];
|
||||||
|
|
||||||
systemd.services.wireguard-wg-ehex = {
|
systemd.services.wireguard-wg-ehex = import ./service-override.nix lib;
|
||||||
after = [
|
|
||||||
"network.target"
|
|
||||||
"network-online.target"
|
|
||||||
"nss-lookup.target"
|
|
||||||
];
|
|
||||||
|
|
||||||
serviceConfig = {
|
|
||||||
Type = mkForce "simple";
|
|
||||||
Restart = "on-failure";
|
|
||||||
RestartSec = "30";
|
|
||||||
};
|
|
||||||
|
|
||||||
environment = {
|
|
||||||
WG_ENDPOINT_RESOLUTION_RETRIES = "infinity";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
networking.wireguard.interfaces = {
|
networking.wireguard.interfaces = {
|
||||||
wg-ehex = {
|
wg-ehex = {
|
||||||
|
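Review bot: Replacing the inline unit with `import ./service-override.nix lib` is not behaviour-preserving for this module: the removed block ordered the unit with `after = [ "network.target" "network-online.target" "nss-lookup.target" ]`, while the shared file (added in this compare) lists the same targets under `wantedBy`, which makes those targets pull the unit in but no longer orders it after them, and RestartSec moves from "30" to "15". The pub-solar module hunk further down makes the same `after` → `wantedBy` swap, and the private module goes from RestartSec "10" to "15". If the ordering was intentional, the shared file should carry an `after = [ ... ]` list as well; if dropping it is deliberate, a comment on the `systemd.services.wireguard-wg-ehex = ...` line saying so would save the next reader from assuming a regression. The `networking.wireguard.interfaces` set continues past the end of the hunk.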
@ -50,7 +32,7 @@ in {
|
||||||
mtu = 1300;
|
mtu = 1300;
|
||||||
ips = cfg.ownIPs;
|
ips = cfg.ownIPs;
|
||||||
privateKeyFile = cfg.privateKeyFile;
|
privateKeyFile = cfg.privateKeyFile;
|
||||||
postSetup = ''
|
postSetup = ''
|
||||||
printf "nameserver 10.0.66.10\nnameserver 10.0.66.12" | resolvconf -a wg-ehex -m 0 -x
|
printf "nameserver 10.0.66.10\nnameserver 10.0.66.12" | resolvconf -a wg-ehex -m 0 -x
|
||||||
'';
|
'';
|
||||||
postShutdown = ''
|
postShutdown = ''
|
||||||
|
|
|
@ -4,65 +4,48 @@
|
||||||
pkgs,
|
pkgs,
|
||||||
...
|
...
|
||||||
}:
|
}:
|
||||||
with lib; let
|
let
|
||||||
psCfg = config.pub-solar;
|
|
||||||
cfg = config.pub-solar.wireguard.private;
|
cfg = config.pub-solar.wireguard.private;
|
||||||
in {
|
in {
|
||||||
options.pub-solar.wireguard.private = {
|
options.pub-solar.wireguard.private = {
|
||||||
ownIPs = mkOption {
|
ownIPs = lib.mkOption {
|
||||||
description = ''
|
description = ''
|
||||||
Internal ips in wireguard used for cluster control-plane communication.
|
Internal ips in wireguard used for cluster control-plane communication.
|
||||||
'';
|
'';
|
||||||
type = types.listOf types.str;
|
type = lib.types.listOf lib.types.str;
|
||||||
default = [];
|
default = [];
|
||||||
};
|
};
|
||||||
|
|
||||||
privateKeyFile = mkOption {
|
privateKeyFile = lib.mkOption {
|
||||||
description = ''
|
description = ''
|
||||||
Location of private key file
|
Location of private key file
|
||||||
'';
|
'';
|
||||||
type = types.path;
|
type = lib.types.path;
|
||||||
};
|
};
|
||||||
|
|
||||||
useDNS = mkOption {
|
useDNS = lib.mkOption {
|
||||||
description = ''
|
description = ''
|
||||||
Whether to use the wireguard DNS
|
Whether to use the wireguard DNS
|
||||||
'';
|
'';
|
||||||
default = true;
|
default = true;
|
||||||
type = types.bool;
|
type = lib.types.bool;
|
||||||
};
|
};
|
||||||
|
|
||||||
fullTunnel = mkOption {
|
fullTunnel = lib.mkOption {
|
||||||
description = ''
|
description = ''
|
||||||
Whether to tunnel all traffic through the wireguard VPN
|
Whether to tunnel all traffic through the wireguard VPN
|
||||||
'';
|
'';
|
||||||
default = false;
|
default = false;
|
||||||
type = types.bool;
|
type = lib.types.bool;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
config = mkIf (builtins.length cfg.ownIPs != 0) {
|
config = lib.mkIf (builtins.length cfg.ownIPs != 0) {
|
||||||
networking.firewall.allowedUDPPorts = [51899];
|
networking.firewall.allowedUDPPorts = [51899];
|
||||||
|
|
||||||
systemd.network.wait-online.ignoredInterfaces = [ "wg-private" ];
|
systemd.network.wait-online.ignoredInterfaces = [ "wg-private" ];
|
||||||
|
|
||||||
systemd.services.wireguard-wg-private = {
|
systemd.services.wireguard-wg-private = import ./service-override.nix lib;
|
||||||
wantedBy = [
|
|
||||||
"network.target"
|
|
||||||
"network-online.target"
|
|
||||||
"nss-lookup.target"
|
|
||||||
];
|
|
||||||
|
|
||||||
serviceConfig = {
|
|
||||||
Type = mkForce "simple";
|
|
||||||
Restart = "on-failure";
|
|
||||||
RestartSec = "10";
|
|
||||||
};
|
|
||||||
|
|
||||||
environment = {
|
|
||||||
WG_ENDPOINT_RESOLUTION_RETRIES = "infinity";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
networking.wireguard.interfaces = {
|
networking.wireguard.interfaces = {
|
||||||
wg-private = {
|
wg-private = {
|
||||||
|
|
|
@ -1,48 +1,30 @@
|
||||||
{
|
{
|
||||||
lib,
|
lib,
|
||||||
config,
|
config,
|
||||||
pkgs,
|
|
||||||
...
|
...
|
||||||
}:
|
}:
|
||||||
with lib; let
|
let
|
||||||
psCfg = config.pub-solar;
|
|
||||||
cfg = config.pub-solar.wireguard.pub-solar;
|
cfg = config.pub-solar.wireguard.pub-solar;
|
||||||
in {
|
in {
|
||||||
options.pub-solar.wireguard.pub-solar = {
|
options.pub-solar.wireguard.pub-solar = {
|
||||||
ownIPs = mkOption {
|
ownIPs = lib.mkOption {
|
||||||
description = "Internal ips in wireguard used for cluster control-plane communication.";
|
description = "Internal ips in wireguard used for cluster control-plane communication.";
|
||||||
type = types.listOf types.str;
|
type = lib.types.listOf lib.types.str;
|
||||||
default = [];
|
default = [];
|
||||||
};
|
};
|
||||||
|
|
||||||
privateKeyFile = mkOption {
|
privateKeyFile = lib.mkOption {
|
||||||
description = "Location of private key file";
|
description = "Location of private key file";
|
||||||
type = types.path;
|
type = lib.types.path;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
config = mkIf (length cfg.ownIPs != 0){
|
config = lib.mkIf (lib.length cfg.ownIPs != 0){
|
||||||
networking.firewall.allowedUDPPorts = [51821];
|
networking.firewall.allowedUDPPorts = [51821];
|
||||||
|
|
||||||
systemd.network.wait-online.ignoredInterfaces = [ "wg-pub-solar" ];
|
systemd.network.wait-online.ignoredInterfaces = [ "wg-pub-solar" ];
|
||||||
|
|
||||||
systemd.services.wireguard-wg-pub-solar = {
|
systemd.services.wireguard-wg-pub-solar = import ./service-override.nix lib;
|
||||||
after = [
|
|
||||||
"network.target"
|
|
||||||
"network-online.target"
|
|
||||||
"nss-lookup.target"
|
|
||||||
];
|
|
||||||
|
|
||||||
serviceConfig = {
|
|
||||||
Type = mkForce "simple";
|
|
||||||
Restart = "on-failure";
|
|
||||||
RestartSec = "30";
|
|
||||||
};
|
|
||||||
|
|
||||||
environment = {
|
|
||||||
WG_ENDPOINT_RESOLUTION_RETRIES = "infinity";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
networking.wireguard.interfaces = {
|
networking.wireguard.interfaces = {
|
||||||
wg-pub-solar = {
|
wg-pub-solar = {
|
||||||
|
|
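--- a/modules/wireguard/service-override.nix
+++ b/modules/wireguard/service-override.nix
@@ -0,0 +1,17 @@
+lib: {
+  wantedBy = [
+    "network.target"
+    "network-online.target"
+    "nss-lookup.target"
+  ];
+
+  serviceConfig = {
+    Type = lib.mkForce "simple";
+    Restart = "on-failure";
+    RestartSec = "15";
+  };
+
+  environment = {
+    WG_ENDPOINT_RESOLUTION_RETRIES = "infinity";
+  };
+}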
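Review bot: The new shared override has no header comment explaining what it is for or why each setting is forced, even though it is now the single place that decides restart and dependency behaviour for three wireguard units. A comment at the top should state that the file is a function of `lib` imported as `import ./service-override.nix lib` by the wireguard-wg-* modules, that `Type = lib.mkForce "simple"` presumably overrides the unit type set by the NixOS wireguard module so that `Restart = "on-failure"` can take effect, and that `WG_ENDPOINT_RESOLUTION_RETRIES = "infinity"` is read by the wireguard tools to keep retrying endpoint name resolution instead of failing the unit. Since the callers previously used RestartSec values of "30", "10" and "30", the comment should also record why "15" was chosen as the common value.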
@ -4,41 +4,40 @@
|
||||||
pkgs,
|
pkgs,
|
||||||
...
|
...
|
||||||
}:
|
}:
|
||||||
with lib; let
|
let
|
||||||
psCfg = config.pub-solar;
|
|
||||||
cfg = config.pub-solar.wireguard.tunnel;
|
cfg = config.pub-solar.wireguard.tunnel;
|
||||||
in {
|
in {
|
||||||
options.pub-solar.wireguard.tunnel = {
|
options.pub-solar.wireguard.tunnel = {
|
||||||
ownIPs = mkOption {
|
ownIPs = lib.mkOption {
|
||||||
description = "Internal ips in wireguard used for cluster control-plane communication.";
|
description = "Internal ips in wireguard used for cluster control-plane communication.";
|
||||||
type = types.listOf types.str;
|
type = lib.types.listOf lib.types.str;
|
||||||
default = [];
|
default = [];
|
||||||
};
|
};
|
||||||
|
|
||||||
privateKeyFile = mkOption {
|
privateKeyFile = lib.mkOption {
|
||||||
description = "Location of private key file";
|
description = "Location of private key file";
|
||||||
type = types.path;
|
type = lib.types.path;
|
||||||
};
|
};
|
||||||
|
|
||||||
peer = {
|
peer = {
|
||||||
publicKey = mkOption {
|
publicKey = lib.mkOption {
|
||||||
description = "Public key of the peer";
|
description = "Public key of the peer";
|
||||||
type = types.str;
|
type = lib.types.str;
|
||||||
};
|
};
|
||||||
endpoint = mkOption {
|
endpoint = lib.mkOption {
|
||||||
description = "Peer endpoint address";
|
description = "Peer endpoint address";
|
||||||
type = types.str;
|
type = lib.types.str;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
useDNS = mkOption {
|
useDNS = lib.mkOption {
|
||||||
description = "Whether to use the DNS of the interface as default";
|
description = "Whether to use the DNS of the interface as default";
|
||||||
default = false;
|
default = false;
|
||||||
type = types.bool;
|
type = lib.types.bool;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
config = mkIf (length cfg.ownIPs != 0){
|
config = lib.mkIf (lib.length cfg.ownIPs != 0){
|
||||||
networking.firewall.allowedUDPPorts = [51820];
|
networking.firewall.allowedUDPPorts = [51820];
|
||||||
|
|
||||||
systemd.network.wait-online.ignoredInterfaces = [ "wg-tunnel" ];
|
systemd.network.wait-online.ignoredInterfaces = [ "wg-tunnel" ];
|
||||||
|
@ -63,7 +62,7 @@ in {
|
||||||
'';
|
'';
|
||||||
|
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
Type = mkForce "simple";
|
Type = lib.mkForce "simple";
|
||||||
Restart = "on-failure";
|
Restart = "on-failure";
|
||||||
RestartSec = "30";
|
RestartSec = "30";
|
||||||
};
|
};
|
||||||
|
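Review bot: tunnel.nix keeps its own inline `serviceConfig` (`Type = lib.mkForce "simple"`, `Restart = "on-failure"`, `RestartSec = "30"`) while the ehex, private and pub-solar modules in this compare switch to the shared `./service-override.nix`, so the four units no longer agree on RestartSec. That may be deliberate, since this unit appears to carry additional settings (the `''` closing a script precedes the block), but a one-line comment such as `# not using service-override.nix: this unit needs its own preStart and ordering` would make the exception explicit. The lines of tunnel.nix between the hunks are not shown here; after dropping `with lib;` any bare `mkIf`/`types`/`optionalString` left in them would fail evaluation, so a full `nix flake check` on these hosts is worth confirming.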
@ -74,15 +73,15 @@ in {
|
||||||
};
|
};
|
||||||
|
|
||||||
networking.wireguard.interfaces = let
|
networking.wireguard.interfaces = let
|
||||||
splitEndpoint = (strings.splitString ":" cfg.peer.endpoint);
|
splitEndpoint = (lib.strings.splitString ":" cfg.peer.endpoint);
|
||||||
joinIPV6 = p: ip: p + (if (stringLength ip > 0) then ":" else "") + ip;
|
joinIPV6 = p: ip: p + (if (lib.stringLength ip > 0) then ":" else "") + ip;
|
||||||
isIPV4 = length splitEndpoint < 3;
|
isIPV4 = lib.length splitEndpoint < 3;
|
||||||
ipFlag = if isIPV4 then "-4" else "-6";
|
ipFlag = if isIPV4 then "-4" else "-6";
|
||||||
endpointIP = (if isIPV4
|
endpointIP = (if isIPV4
|
||||||
then elemAt splitEndpoint 0
|
then lib.elemAt splitEndpoint 0
|
||||||
else lists.fold joinIPV6 "" ((lists.take ((length splitEndpoint) - 1)) splitEndpoint)
|
else lib.lists.fold joinIPV6 "" ((lib.lists.take ((lib.length splitEndpoint) - 1)) splitEndpoint)
|
||||||
);
|
);
|
||||||
endpointIPStripped = strings.removePrefix "[" (strings.removeSuffix "]" endpointIP);
|
endpointIPStripped = lib.strings.removePrefix "[" (lib.strings.removeSuffix "]" endpointIP);
|
||||||
in {
|
in {
|
||||||
wg-tunnel = {
|
wg-tunnel = {
|
||||||
listenPort = 51820;
|
listenPort = 51820;
|
||||||
|
|
|
@ -19,7 +19,6 @@
|
||||||
factorio-headless = master.factorio-headless;
|
factorio-headless = master.factorio-headless;
|
||||||
paperless-ngx = unstable.paperless-ngx;
|
paperless-ngx = unstable.paperless-ngx;
|
||||||
waybar = master.waybar;
|
waybar = master.waybar;
|
||||||
ungoogled-chromium = unstable.ungoogled-chromium;
|
|
||||||
nix-inspect = unstable.nix-inspect;
|
nix-inspect = unstable.nix-inspect;
|
||||||
authelia = authelia-438.authelia;
|
authelia = authelia-438.authelia;
|
||||||
|
|
||||||
|
|