Merge remote-tracking branch 'prism/master'
commit
172a746c3a
@ -122,6 +122,7 @@ let
|
|||||||
shack = "hosts";
|
shack = "hosts";
|
||||||
i = "hosts";
|
i = "hosts";
|
||||||
r = "hosts";
|
r = "hosts";
|
||||||
|
w = "hosts";
|
||||||
};
|
};
|
||||||
|
|
||||||
krebs.users = {
|
krebs.users = {
|
||||||
|
@ -1,7 +1,11 @@
|
|||||||
{ config, ... }:
|
{ config, ... }:
|
||||||
|
|
||||||
with import <stockholm/lib>;
|
with import <stockholm/lib>;
|
||||||
|
let
|
||||||
|
|
||||||
|
rip6 = krebs.genipv6 "retiolum" "lass";
|
||||||
|
wip6 = krebs.genipv6 "wirelum" "lass";
|
||||||
|
|
||||||
|
in
|
||||||
{
|
{
|
||||||
dns.providers = {
|
dns.providers = {
|
||||||
"lassul.us" = "zones";
|
"lassul.us" = "zones";
|
||||||
@ -85,11 +89,22 @@ with import <stockholm/lib>;
|
|||||||
-----END RSA PUBLIC KEY-----
|
-----END RSA PUBLIC KEY-----
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
wirelum = {
|
||||||
|
via = internet;
|
||||||
|
ip4.addr = "10.244.1.1";
|
||||||
|
ip6.addr = (wip6 "1").address;
|
||||||
|
aliases = [
|
||||||
|
"prism.w"
|
||||||
|
];
|
||||||
|
wireguard = {
|
||||||
|
pubkey = "oKJotppdEJqQBjrqrommEUPw+VFryvEvNJr/WikXohk=";
|
||||||
|
subnets = [ "10.244.1.0/24" (wip6 "1").subnetCIDR ];
|
||||||
|
};
|
||||||
|
};
|
||||||
};
|
};
|
||||||
ssh.privkey.path = <secrets/ssh.id_ed25519>;
|
ssh.privkey.path = <secrets/ssh.id_ed25519>;
|
||||||
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAsANFdMi825qWQXQbWLYuNZ6/fARt3lnh1KStQHQQMD";
|
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAsANFdMi825qWQXQbWLYuNZ6/fARt3lnh1KStQHQQMD";
|
||||||
};
|
};
|
||||||
|
|
||||||
archprism = {
|
archprism = {
|
||||||
cores = 1;
|
cores = 1;
|
||||||
nets = rec {
|
nets = rec {
|
||||||
@ -177,6 +192,13 @@ with import <stockholm/lib>;
|
|||||||
-----END RSA PUBLIC KEY-----
|
-----END RSA PUBLIC KEY-----
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
wirelum = {
|
||||||
|
ip6.addr = (wip6 "dea7").address;
|
||||||
|
aliases = [
|
||||||
|
"mors.w"
|
||||||
|
];
|
||||||
|
wireguard.pubkey = "FkcxMathQzJYwuJBli/nibh0C0kHe9/T2xU0za3J3SQ=";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
secure = true;
|
secure = true;
|
||||||
ssh.privkey.path = <secrets/ssh.id_ed25519>;
|
ssh.privkey.path = <secrets/ssh.id_ed25519>;
|
||||||
@ -203,6 +225,13 @@ with import <stockholm/lib>;
|
|||||||
-----END RSA PUBLIC KEY-----
|
-----END RSA PUBLIC KEY-----
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
wirelum = {
|
||||||
|
ip6.addr = (wip6 "50da").address;
|
||||||
|
aliases = [
|
||||||
|
"shodan.w"
|
||||||
|
];
|
||||||
|
wireguard.pubkey = "FkcxMathQzJYwuJBli/nibh0C0kHe9/T2xU0za4J3SQ=";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
secure = true;
|
secure = true;
|
||||||
ssh.privkey.path = <secrets/ssh.id_ed25519>;
|
ssh.privkey.path = <secrets/ssh.id_ed25519>;
|
||||||
@ -229,6 +258,13 @@ with import <stockholm/lib>;
|
|||||||
-----END RSA PUBLIC KEY-----
|
-----END RSA PUBLIC KEY-----
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
wirelum = {
|
||||||
|
ip6.addr = (wip6 "1205").address;
|
||||||
|
aliases = [
|
||||||
|
"icarus.w"
|
||||||
|
];
|
||||||
|
wireguard.pubkey = "mVe3YdlWOlVF5+YD5vgNha3s03dv6elmNVsARtPLXQQ=";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
secure = true;
|
secure = true;
|
||||||
ssh.privkey.path = <secrets/ssh.id_ed25519>;
|
ssh.privkey.path = <secrets/ssh.id_ed25519>;
|
||||||
@ -425,6 +461,13 @@ with import <stockholm/lib>;
|
|||||||
-----END PUBLIC KEY-----
|
-----END PUBLIC KEY-----
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
wirelum = {
|
||||||
|
ip6.addr = (wip6 "e110").address;
|
||||||
|
aliases = [
|
||||||
|
"yellow.w"
|
||||||
|
];
|
||||||
|
wireguard.pubkey = "YeWbR3mW+nOVBE7bcNSzF5fjj9ppd8OGHBJqERAUVxU=";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
ssh.privkey.path = <secrets/ssh.id_ed25519>;
|
ssh.privkey.path = <secrets/ssh.id_ed25519>;
|
||||||
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC03TCO73NQZHo7NKZiVJp2iiUbe6PQP14Kg3Bnlkqje ";
|
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC03TCO73NQZHo7NKZiVJp2iiUbe6PQP14Kg3Bnlkqje ";
|
||||||
@ -459,6 +502,49 @@ with import <stockholm/lib>;
|
|||||||
ssh.privkey.path = <secrets/ssh.id_ed25519>;
|
ssh.privkey.path = <secrets/ssh.id_ed25519>;
|
||||||
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSBxtPf8yJfzzI7/iYpoRSc/TT+zYmE/HM9XWS3MZlv";
|
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSBxtPf8yJfzzI7/iYpoRSc/TT+zYmE/HM9XWS3MZlv";
|
||||||
};
|
};
|
||||||
|
phone = {
|
||||||
|
nets = {
|
||||||
|
wirelum = {
|
||||||
|
ip6.addr = (wip6 "a").address;
|
||||||
|
ip4.addr = "10.244.1.2";
|
||||||
|
aliases = [
|
||||||
|
"phone.w"
|
||||||
|
];
|
||||||
|
wireguard.pubkey = "zVunBVOxsMETlnHkgjfH71HaZjjNUOeYNveAVv5z3jw=";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
external = true;
|
||||||
|
ci = false;
|
||||||
|
};
|
||||||
|
morpheus = {
|
||||||
|
cores = 1;
|
||||||
|
nets = {
|
||||||
|
retiolum = {
|
||||||
|
ip4.addr = "10.243.0.19";
|
||||||
|
ip6.addr = "42::19";
|
||||||
|
aliases = [
|
||||||
|
"morpheus.r"
|
||||||
|
];
|
||||||
|
tinc.pubkey = ''
|
||||||
|
-----BEGIN RSA PUBLIC KEY-----
|
||||||
|
MIICCgKCAgEAptrlSKQKsBH2QMQxllZR94S/fXneajpJifRjXR5bi+7ME2ThdQXY
|
||||||
|
T7yWiKaUuBJThWged9PdPltLUEMmv+ubQqpWHZq442VWSS36r1yMSGpUeKK+oYMN
|
||||||
|
/Sfu+1yC4m2uXno95wpJZIcDfbbn26jT6ldJ4Yd97zyrXKljvcdrz3wZzQq0tojh
|
||||||
|
S5Q59x/aQMJbnQpnlFnMIEVgULuFPW16+vPGsXIPdYNggaF1avcBaFl8i3M0EZVz
|
||||||
|
Swn4hArDynDJhR7M0QdlwOpOh7O+1iOnmXqqei3LxMVHb+YtzfHgxOPxggUsy7CR
|
||||||
|
bj9uBR9loGwgmZwaxXd1Vfbw8kn/feOb9FcW73u+SZyzwEA9HFRV0jGQe3P9mGfI
|
||||||
|
Bwe02DOTVXEB8jTAGCw5T3bXLIOX8kqdlCECuAWFfrt8H+GjZDuGUWRcMn32orMz
|
||||||
|
sMvkab95ZOHK6Q31mrhILOIOdyZWKPZIabL3HF6CZtu52h6MDHbmGS0w0OJYhj2+
|
||||||
|
VnT9ZBoaeooVg8QOE43rCXvmL5vzhLKrj4s/53wTGG5SpzLs9Q9rrJVgAnz4YQ7j
|
||||||
|
3Ov5q3Zxyr+vO6O7Pb5X49vCQw/jzK41S0/15GEmKcoxXemzeZCpX1mbeeTUtLvA
|
||||||
|
U7OJwldrElzictBJ1gT94L4BDvoGZVqAkXJCJPamfsWaiw6SsMqtTfECAwEAAQ==
|
||||||
|
-----END RSA PUBLIC KEY-----
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
ssh.privkey.path = <secrets/ssh.id_ed25519>;
|
||||||
|
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHXS60mmNWMdMRvaPxGn91Cm/hm7zY8xn5rkI4n2KG/f ";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
users = rec {
|
users = rec {
|
||||||
lass = lass-blue;
|
lass = lass-blue;
|
||||||
|
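Review bot: shodan's new wirelum `wireguard.pubkey` (`FkcxMathQzJYwuJBli/nibh0C0kHe9/T2xU0za4J3SQ=`) differs from mors's (`...za3J3SQ=`) in exactly one character, which looks like a copied-and-edited value rather than a key generated on shodan; every other host will install this string as a peer key, and if it is not shodan's real public key the handshakes simply never complete, so it should be replaced by the key from shodan's own keypair. In the `@ -459,6 +502,49 @@` hunk `morpheus` carries no `secure = true;` while mors, shodan and icarus all have it in their context lines — worth confirming the omission is intended. The new `ssh.pubkey` for morpheus ends with a space inside the string (`...n2KG/f "`), like yellow's existing one; trimming it avoids a stray trailing blank in whatever consumes the key.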
33
lass/1systems/morpheus/config.nix
Normal file
33
lass/1systems/morpheus/config.nix
Normal file
@ -0,0 +1,33 @@
|
|||||||
|
{ config, pkgs, ... }:
|
||||||
|
with import <stockholm/lib>;
|
||||||
|
{
|
||||||
|
imports = [
|
||||||
|
<stockholm/lass>
|
||||||
|
|
||||||
|
<stockholm/lass/2configs/retiolum.nix>
|
||||||
|
<stockholm/lass/2configs/power-action.nix>
|
||||||
|
<stockholm/lass/2configs/baseX.nix>
|
||||||
|
<stockholm/lass/2configs/games.nix>
|
||||||
|
<stockholm/lass/2configs/steam.nix>
|
||||||
|
];
|
||||||
|
|
||||||
|
krebs.build.host = config.krebs.hosts.morpheus;
|
||||||
|
|
||||||
|
networking.wireless.enable = false;
|
||||||
|
networking.networkmanager.enable = true;
|
||||||
|
|
||||||
|
services.logind.extraConfig = ''
|
||||||
|
HandleLidSwitch=ignore
|
||||||
|
'';
|
||||||
|
|
||||||
|
nixpkgs.config.packageOverrides = super: {
|
||||||
|
steam = super.steam.override {
|
||||||
|
withPrimus = true;
|
||||||
|
extraPkgs = p: with p; [
|
||||||
|
glxinfo
|
||||||
|
nettools
|
||||||
|
bumblebee
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
32
lass/1systems/morpheus/physical.nix
Normal file
32
lass/1systems/morpheus/physical.nix
Normal file
@ -0,0 +1,32 @@
|
|||||||
|
{ lib, ... }:
|
||||||
|
{
|
||||||
|
imports = [
|
||||||
|
<nixpkgs/nixos/modules/installer/scan/not-detected.nix>
|
||||||
|
./config.nix
|
||||||
|
];
|
||||||
|
|
||||||
|
boot.loader.systemd-boot.enable = true;
|
||||||
|
boot.loader.efi.canTouchEfiVariables = true;
|
||||||
|
|
||||||
|
networking.hostId = "60ce7e88";
|
||||||
|
|
||||||
|
boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" ];
|
||||||
|
boot.kernelModules = [ "kvm-intel" ];
|
||||||
|
boot.kernelParams = [ "acpi_osi=!" ''acpi_osi="Windows 2009"'' ];
|
||||||
|
|
||||||
|
hardware.bumblebee.enable = true;
|
||||||
|
hardware.bumblebee.group = "video";
|
||||||
|
|
||||||
|
fileSystems."/" =
|
||||||
|
{ device = "rpool/root";
|
||||||
|
fsType = "zfs";
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/boot" =
|
||||||
|
{ device = "/dev/disk/by-uuid/DF3B-4528";
|
||||||
|
fsType = "vfat";
|
||||||
|
};
|
||||||
|
|
||||||
|
nix.maxJobs = lib.mkDefault 8;
|
||||||
|
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
|
||||||
|
}
|
@ -297,37 +297,25 @@ with import <stockholm/lib>;
|
|||||||
};
|
};
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
krebs.iptables.tables.filter.INPUT.rules = [
|
imports = [
|
||||||
{ predicate = "-p udp --dport 51820"; target = "ACCEPT"; }
|
<stockholm/lass/2configs/wirelum.nix>
|
||||||
];
|
|
||||||
krebs.iptables.tables.nat.PREROUTING.rules = [
|
|
||||||
{ v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; }
|
|
||||||
];
|
];
|
||||||
|
#krebs.iptables.tables.nat.PREROUTING.rules = [
|
||||||
|
# { v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; }
|
||||||
|
#];
|
||||||
krebs.iptables.tables.filter.FORWARD.rules = [
|
krebs.iptables.tables.filter.FORWARD.rules = [
|
||||||
{ v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; }
|
{ v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24 -d 10.243.0.0/16"; target = "ACCEPT"; }
|
||||||
{ v6 = false; precedence = 1000; predicate = "-s 10.243.0.0/16 -d 10.244.1.0/24"; target = "ACCEPT"; }
|
{ v6 = false; precedence = 1000; predicate = "-s 10.243.0.0/16 -d 10.244.1.0/24"; target = "ACCEPT"; }
|
||||||
];
|
];
|
||||||
krebs.iptables.tables.nat.POSTROUTING.rules = [
|
krebs.iptables.tables.nat.POSTROUTING.rules = [
|
||||||
{ v6 = false; predicate = "-s 10.244.1.0/24 ! -d 10.244.1.0/24"; target = "MASQUERADE"; }
|
{ v6 = false; predicate = "-s 10.244.1.0/24 ! -d 10.244.1.0/24"; target = "MASQUERADE"; }
|
||||||
];
|
];
|
||||||
networking.wireguard.interfaces.wg0 = {
|
|
||||||
ips = [ "10.244.1.1/24" ];
|
|
||||||
listenPort = 51820;
|
|
||||||
privateKeyFile = (toString <secrets>) + "/wireguard.key";
|
|
||||||
allowedIPsAsRoutes = true;
|
|
||||||
peers = [
|
|
||||||
{
|
|
||||||
# lass-android
|
|
||||||
allowedIPs = [ "10.244.1.2/32" ];
|
|
||||||
publicKey = "zVunBVOxsMETlnHkgjfH71HaZjjNUOeYNveAVv5z3jw=";
|
|
||||||
}
|
|
||||||
];
|
|
||||||
};
|
|
||||||
services.dnsmasq = {
|
services.dnsmasq = {
|
||||||
enable = true;
|
enable = true;
|
||||||
resolveLocalQueries = false;
|
resolveLocalQueries = false;
|
||||||
|
|
||||||
extraConfig= ''
|
extraConfig= ''
|
||||||
|
listen-address=10.244.1.1
|
||||||
except-interface=lo
|
except-interface=lo
|
||||||
interface=wg0
|
interface=wg0
|
||||||
'';
|
'';
|
||||||
|
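Review bot: the dnsmasq `interface=wg0` line that stays as context in this hunk now names an interface this change removes — the `networking.wireguard.interfaces.wg0` block is deleted and the imported wirelum.nix creates the interface as `wirelum` — so dnsmasq is pointed at a non-existent interface and, depending on its bind behaviour, may refuse to start; it should read `interface=wirelum`. The three `#krebs.iptables.tables.nat.PREROUTING.rules` lines are the rule deleted just above kept as a comment; either drop them or add a note saying why they may be needed again. The tightened FORWARD rules (`-s 10.244.1.0/24 -d 10.243.0.0/16` instead of a bare `-s 10.244.1.0/24`) and the unchanged MASQUERADE rule are consistent with each other.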
@ -19,7 +19,11 @@ with import <stockholm/lib>;
|
|||||||
users.groups.download.members = [ "transmission" ];
|
users.groups.download.members = [ "transmission" ];
|
||||||
users.users.transmission.group = mkForce "download";
|
users.users.transmission.group = mkForce "download";
|
||||||
|
|
||||||
systemd.services.transmission.serviceConfig.bindsTo = [ "openvpn-nordvpn.service" ];
|
systemd.services.transmission.bindsTo = [ "openvpn-nordvpn.service" ];
|
||||||
|
systemd.services.transmission.after = [ "openvpn-nordvpn.service" ];
|
||||||
|
systemd.services.transmission.postStart = ''
|
||||||
|
chmod 775 /var/download/finished
|
||||||
|
'';
|
||||||
services.transmission = {
|
services.transmission = {
|
||||||
enable = true;
|
enable = true;
|
||||||
settings = {
|
settings = {
|
||||||
@ -52,6 +56,9 @@ with import <stockholm/lib>;
|
|||||||
autoindex on;
|
autoindex on;
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
locations."/dl".extraConfig = ''
|
||||||
|
return 301 /;
|
||||||
|
'';
|
||||||
locations."/" = {
|
locations."/" = {
|
||||||
root = "/var/download/finished";
|
root = "/var/download/finished";
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
|
@ -97,9 +97,9 @@ in {
|
|||||||
enable = true;
|
enable = true;
|
||||||
layout = "us";
|
layout = "us";
|
||||||
display = mkForce 0;
|
display = mkForce 0;
|
||||||
xkbModel = "evdev";
|
|
||||||
xkbVariant = "altgr-intl";
|
xkbVariant = "altgr-intl";
|
||||||
xkbOptions = "caps:backspace";
|
xkbOptions = "caps:escape";
|
||||||
|
libinput.enable = true;
|
||||||
displayManager.lightdm.enable = true;
|
displayManager.lightdm.enable = true;
|
||||||
windowManager.default = "xmonad";
|
windowManager.default = "xmonad";
|
||||||
windowManager.session = [{
|
windowManager.session = [{
|
||||||
|
@ -10,6 +10,7 @@ with import <stockholm/lib>;
|
|||||||
./zsh.nix
|
./zsh.nix
|
||||||
./htop.nix
|
./htop.nix
|
||||||
./security-workarounds.nix
|
./security-workarounds.nix
|
||||||
|
./wirelum.nix
|
||||||
{
|
{
|
||||||
users.extraUsers =
|
users.extraUsers =
|
||||||
mapAttrs (_: h: { hashedPassword = h; })
|
mapAttrs (_: h: { hashedPassword = h; })
|
||||||
|
@ -94,6 +94,7 @@ with import <stockholm/lib>;
|
|||||||
{ from = "osmocom@lassul.us"; to = lass.mail; }
|
{ from = "osmocom@lassul.us"; to = lass.mail; }
|
||||||
{ from = "lesswrong@lassul.us"; to = lass.mail; }
|
{ from = "lesswrong@lassul.us"; to = lass.mail; }
|
||||||
{ from = "nordvpn@lassul.us"; to = lass.mail; }
|
{ from = "nordvpn@lassul.us"; to = lass.mail; }
|
||||||
|
{ from = "csv-direct@lassul.us"; to = lass.mail; }
|
||||||
];
|
];
|
||||||
system-aliases = [
|
system-aliases = [
|
||||||
{ from = "mailer-daemon"; to = "postmaster"; }
|
{ from = "mailer-daemon"; to = "postmaster"; }
|
||||||
|
@ -57,6 +57,7 @@ let
|
|||||||
|
|
||||||
in {
|
in {
|
||||||
environment.systemPackages = with pkgs; [
|
environment.systemPackages = with pkgs; [
|
||||||
|
dolphinEmu
|
||||||
doom1
|
doom1
|
||||||
doom2
|
doom2
|
||||||
vdoom1
|
vdoom1
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
{ ... }:
|
{ lib, ... }:
|
||||||
{
|
{
|
||||||
hardware.trackpoint = {
|
hardware.trackpoint = {
|
||||||
enable = true;
|
enable = true;
|
||||||
@ -7,6 +7,7 @@
|
|||||||
emulateWheel = true;
|
emulateWheel = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
services.xserver.libinput.enable = lib.mkForce false;
|
||||||
services.xserver.synaptics = {
|
services.xserver.synaptics = {
|
||||||
enable = true;
|
enable = true;
|
||||||
horizEdgeScroll = false;
|
horizEdgeScroll = false;
|
||||||
|
44
lass/2configs/wirelum.nix
Normal file
44
lass/2configs/wirelum.nix
Normal file
@ -0,0 +1,44 @@
|
|||||||
|
with import <stockholm/lib>;
|
||||||
|
{ config, pkgs, ... }: let
|
||||||
|
|
||||||
|
self = config.krebs.build.host.nets.wirelum;
|
||||||
|
isRouter = !isNull self.via;
|
||||||
|
|
||||||
|
in mkIf (hasAttr "wirelum" config.krebs.build.host.nets) {
|
||||||
|
#hack for modprobe inside containers
|
||||||
|
systemd.services."wireguard-wirelum".path = mkIf config.boot.isContainer (mkBefore [
|
||||||
|
(pkgs.writeDashBin "modprobe" ":")
|
||||||
|
]);
|
||||||
|
|
||||||
|
boot.kernel.sysctl = mkIf isRouter {
|
||||||
|
"net.ipv6.conf.all.forwarding" = 1;
|
||||||
|
};
|
||||||
|
krebs.iptables.tables.filter.INPUT.rules = [
|
||||||
|
{ predicate = "-p udp --dport ${toString self.wireguard.port}"; target = "ACCEPT"; }
|
||||||
|
];
|
||||||
|
krebs.iptables.tables.filter.FORWARD.rules = mkIf isRouter [
|
||||||
|
{ precedence = 1000; predicate = "-i wirelum -o wirelum"; target = "ACCEPT"; }
|
||||||
|
];
|
||||||
|
|
||||||
|
networking.wireguard.interfaces.wirelum = {
|
||||||
|
ips =
|
||||||
|
(optional (!isNull self.ip4) self.ip4.addr) ++
|
||||||
|
(optional (!isNull self.ip6) self.ip6.addr);
|
||||||
|
listenPort = 51820;
|
||||||
|
privateKeyFile = (toString <secrets>) + "/wirelum.key";
|
||||||
|
allowedIPsAsRoutes = true;
|
||||||
|
peers = mapAttrsToList
|
||||||
|
(_: host: {
|
||||||
|
allowedIPs = if isRouter then
|
||||||
|
(optional (!isNull host.nets.wirelum.ip4) host.nets.wirelum.ip4.addr) ++
|
||||||
|
(optional (!isNull host.nets.wirelum.ip6) host.nets.wirelum.ip6.addr)
|
||||||
|
else
|
||||||
|
host.nets.wirelum.wireguard.subnets
|
||||||
|
;
|
||||||
|
endpoint = mkIf (!isNull host.nets.wirelum.via) (host.nets.wirelum.via.ip4.addr + ":${toString host.nets.wirelum.wireguard.port}");
|
||||||
|
persistentKeepalive = mkIf (!isNull host.nets.wirelum.via) 61;
|
||||||
|
publicKey = host.nets.wirelum.wireguard.pubkey;
|
||||||
|
})
|
||||||
|
(filterAttrs (_: h: hasAttr "wirelum" h.nets) config.krebs.hosts);
|
||||||
|
};
|
||||||
|
}
|
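Review bot: `listenPort = 51820;` is hard-coded while the INPUT rule above opens `self.wireguard.port` and peers are dialled on `host.nets.wirelum.wireguard.port`; a host that sets a non-default port would open the wrong UDP port in its firewall and advertise an endpoint nothing listens on, so use `listenPort = self.wireguard.port;`. On routers `net.ipv6.conf.all.forwarding = 1` enables forwarding on every interface, but the only FORWARD rule added is `-i wirelum -o wirelum`; what happens to wirelum traffic headed for other interfaces depends on the chain's default policy, which is not visible here, so a one-line comment stating the intent would help. A header comment would also make the file's contract explicit, e.g. `# wirelum: wireguard mesh; hosts with a non-null via act as routers and get every peer's addresses, leaf hosts only route to peers' advertised subnets`.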
92
lib/krebs/genipv6.nix
Normal file
92
lib/krebs/genipv6.nix
Normal file
@ -0,0 +1,92 @@
|
|||||||
|
lib:
|
||||||
|
with lib;
|
||||||
|
let {
|
||||||
|
body = netname: subnetname: suffix: rec {
|
||||||
|
address = let
|
||||||
|
suffix' =
|
||||||
|
if hasEmptyGroup (parseAddress suffix)
|
||||||
|
then suffix
|
||||||
|
else joinAddress "::" suffix;
|
||||||
|
in
|
||||||
|
checkAddress addressLength (joinAddress subnetPrefix suffix');
|
||||||
|
addressCIDR = "${address}/${toString addressLength}";
|
||||||
|
addressLength = 128;
|
||||||
|
|
||||||
|
inherit netname;
|
||||||
|
netCIDR = "${netAddress}/${toString netPrefixLength}";
|
||||||
|
netAddress = joinAddress netPrefix "::";
|
||||||
|
netHash = toString {
|
||||||
|
retiolum = 0;
|
||||||
|
wirelum = 1;
|
||||||
|
}.${netname};
|
||||||
|
netPrefix = "42:${netHash}";
|
||||||
|
netPrefixLength = {
|
||||||
|
retiolum = 32;
|
||||||
|
wirelum = 32;
|
||||||
|
}.${netname};
|
||||||
|
|
||||||
|
inherit subnetname;
|
||||||
|
subnetCIDR = "${subnetAddress}/${toString subnetPrefixLength}";
|
||||||
|
subnetAddress = joinAddress subnetPrefix "::";
|
||||||
|
subnetHash = hash subnetname;
|
||||||
|
subnetPrefix = joinAddress netPrefix subnetHash;
|
||||||
|
subnetPrefixLength = netPrefixLength + 16;
|
||||||
|
|
||||||
|
inherit suffix;
|
||||||
|
suffixLength = addressLength - subnetPrefixLength;
|
||||||
|
};
|
||||||
|
|
||||||
|
hash = s: head (match "0*(.*)" (substring 0 4 (hashString "sha256" s)));
|
||||||
|
|
||||||
|
dropLast = n: xs: reverseList (drop n (reverseList xs));
|
||||||
|
takeLast = n: xs: reverseList (take n (reverseList xs));
|
||||||
|
|
||||||
|
hasEmptyPrefix = xs: take 2 xs == ["" ""];
|
||||||
|
hasEmptySuffix = xs: takeLast 2 xs == ["" ""];
|
||||||
|
hasEmptyInfix = xs: any (x: x == "") (trimEmpty 2 xs);
|
||||||
|
|
||||||
|
hasEmptyGroup = xs:
|
||||||
|
any (p: p xs) [hasEmptyPrefix hasEmptyInfix hasEmptySuffix];
|
||||||
|
|
||||||
|
ltrimEmpty = n: xs: if hasEmptyPrefix xs then drop n xs else xs;
|
||||||
|
rtrimEmpty = n: xs: if hasEmptySuffix xs then dropLast n xs else xs;
|
||||||
|
trimEmpty = n: xs: rtrimEmpty n (ltrimEmpty n xs);
|
||||||
|
|
||||||
|
parseAddress = splitString ":";
|
||||||
|
formatAddress = concatStringsSep ":";
|
||||||
|
|
||||||
|
check = s: c: if !c then throw "${s}" else true;
|
||||||
|
|
||||||
|
checkAddress = maxaddrlen: addr: let
|
||||||
|
parsedaddr = parseAddress addr;
|
||||||
|
normalizedaddr = trimEmpty 1 parsedaddr;
|
||||||
|
in
|
||||||
|
assert (check "address malformed; lone leading colon: ${addr}" (
|
||||||
|
head parsedaddr == "" -> tail (take 2 parsedaddr) == ""
|
||||||
|
));
|
||||||
|
assert (check "address malformed; lone trailing colon ${addr}" (
|
||||||
|
last parsedaddr == "" -> head (takeLast 2 parsedaddr) == ""
|
||||||
|
));
|
||||||
|
assert (check "address malformed; too many successive colons: ${addr}" (
|
||||||
|
length (filter (x: x == "") normalizedaddr) > 1 -> addr == [""]
|
||||||
|
));
|
||||||
|
assert (check "address malformed: ${addr}" (
|
||||||
|
all (test "[0-9a-f]{0,4}") parsedaddr
|
||||||
|
));
|
||||||
|
assert (check "address is too long: ${addr}" (
|
||||||
|
length normalizedaddr * 16 <= maxaddrlen
|
||||||
|
));
|
||||||
|
addr;
|
||||||
|
|
||||||
|
joinAddress = prefix: suffix: let
|
||||||
|
parsedPrefix = parseAddress prefix;
|
||||||
|
parsedSuffix = parseAddress suffix;
|
||||||
|
normalizePrefix = rtrimEmpty 2 parsedPrefix;
|
||||||
|
normalizeSuffix = ltrimEmpty 2 parsedSuffix;
|
||||||
|
delimiter =
|
||||||
|
optional (length (normalizePrefix ++ normalizeSuffix) < 8 &&
|
||||||
|
(hasEmptySuffix parsedPrefix || hasEmptyPrefix parsedSuffix))
|
||||||
|
"";
|
||||||
|
in
|
||||||
|
formatAddress (normalizePrefix ++ delimiter ++ normalizeSuffix);
|
||||||
|
}
|
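Review bot: `hash` keeps only the first four hex digits of the sha256 (16 bits) and strips leading zeros, so two subnet names whose digests share those digits silently get the same `subnetPrefix`, and when all four digits are zero `match "0*(.*)"` returns `""`, which `joinAddress` turns into an extra empty group that `checkAddress` then rejects with a confusing "too many successive colons" error; `hash = s: head (match "0*([0-9a-f]+)" (substring 0 4 (hashString "sha256" s)));` keeps a single `0` in that case, and the collision risk deserves a comment. In `checkAddress` the condition `... > 1 -> addr == [""]` compares the string `addr` with a list, which in Nix is simply false, so the assertion reduces to "at most one empty group after trimming"; if `normalizedaddr == [""]` was meant, write that. The file has no comment describing the layout it produces; a header such as `# genipv6 netname subnetname suffix -> 42:<net>:<16-bit hash of subnetname>::<suffix> (/32 net, /48 subnet, 80-bit suffix)` would spare readers the derivation.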
@ -192,6 +192,28 @@ rec {
|
|||||||
}));
|
}));
|
||||||
default = null;
|
default = null;
|
||||||
};
|
};
|
||||||
|
wireguard = mkOption {
|
||||||
|
type = nullOr (submodule ({ config, ... }: {
|
||||||
|
options = {
|
||||||
|
port = mkOption {
|
||||||
|
type = int;
|
||||||
|
description = "tinc port to use to connect to host";
|
||||||
|
default = 51820;
|
||||||
|
};
|
||||||
|
pubkey = mkOption {
|
||||||
|
type = wireguard-pubkey;
|
||||||
|
};
|
||||||
|
subnets = mkOption {
|
||||||
|
type = listOf cidr;
|
||||||
|
description = ''
|
||||||
|
wireguard subnets,
|
||||||
|
this defines how routing behaves for hosts that can't reach each other.
|
||||||
|
'';
|
||||||
|
default = [];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}));
|
||||||
|
};
|
||||||
};
|
};
|
||||||
});
|
});
|
||||||
|
|
||||||
@ -548,4 +570,6 @@ rec {
|
|||||||
check = filename.check;
|
check = filename.check;
|
||||||
merge = mergeOneOption;
|
merge = mergeOneOption;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
wireguard-pubkey = str;
|
||||||
}
|
}
|
||||||
|
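Review bot: the new wireguard `port` option's description reads `tinc port to use to connect to host`, copied from the tinc option; it should be `description = "wireguard port to use to connect to host";`. In the `@ -548,4 +570,6 @@` hunk `wireguard-pubkey = str;` accepts any string, unlike the neighbouring types that carry a `check`; a WireGuard public key is 32 bytes of base64, i.e. 43 characters plus a trailing `=` (every pubkey in this commit has that shape), and a checked type would reject hand-edited or truncated keys at evaluation time instead of letting them surface as failed handshakes. The `subnets` description could also say that this list is what non-router peers put into allowedIPs, since that is how wirelum.nix consumes it.
```nix
wireguard-pubkey = mkOptionType {
  name = "wireguard-pubkey";
  # 32-byte key in base64: 43 characters plus one '=' of padding
  check = x: isString x && builtins.match "[A-Za-z0-9+/]{43}=" x != null;
  merge = mergeOneOption;
};
```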