From 0791356a3444a9d5584552f97f32a879dfad5519 Mon Sep 17 00:00:00 2001
From: Fabrice Bellamy <12b@distrilab.fr>
Date: Thu, 19 Dec 2024 18:22:19 +0100
Subject: [PATCH] more configuration cleanup and modularization
---
 config/arachnide/configuration.nix | 60 ++++-------------------------
 config/dromadaire/configuration.nix | 49 +++--------------------
 modules/nixin.nix | 43 +++++++++++++++++++++
 modules/wireguard-client.nix | 37 ++++++++++++++++++
 4 files changed, 92 insertions(+), 97 deletions(-)
 create mode 100644 modules/wireguard-client.nix
diff --git a/config/arachnide/configuration.nix b/config/arachnide/configuration.nix
index 1759dbf..89c9b86 100644
--- a/config/arachnide/configuration.nix
+++ b/config/arachnide/configuration.nix
@@ -6,6 +6,7 @@ ./hardware-configuration.nix /var/src/modules/nixin.nix /var/src/modules/users.nix + /var/src/modules/wireguard-client.nix ]; # Bootloader.
@@ -25,25 +26,11 @@ address = "10.0.0.1"; prefixLength = 24; } ]; - nameservers = [ "80.67.169.12" "80.67.169.40" "2001:910:800::12" "2001:910:800::40" ]; - enableIPv6 = true; - # wireguard VPN to be reachable from internet - wg-quick.interfaces = { - wg0 = { - address = [ "192.168.12.2/32" "2a01:4f9:1a:9a05::2/128" ]; - dns = [ "80.67.169.12" "80.67.169.40" "2001:910:800::12" "2001:910:800::40" ]; - privateKeyFile = "/var/src/secrets/wg-private.key"; + }; - peers = [ - { - publicKey = "cUmp55I20JEhxr+RMmOsX+6U9kcDiAq3grnvzjQ642w="; - allowedIPs = [ "0.0.0.0/0" "::/0" ]; - endpoint = "vpn.lab12.fr:51812"; - persistentKeepalive = 15; - } - ]; - }; - }; + nixin.wg.client = { + ipv4 = "192.168.12.2/32"; + ipv6 = "2a01:4f9:1a:9a05::2/128"; }; # Enable ip forwarding to route packets for the local network connected to enp3s0 
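Review bot: The removed comment `# wireguard VPN to be reachable from internet` was the only statement of why this host carries a full-tunnel peer (`allowedIPs = [ "0.0.0.0/0" "::/0" ]`, now inherited from modules/wireguard-client.nix), and nothing replaces it next to the new `nixin.wg.client` block. Since this host also enables IP forwarding for the network on enp3s0 (the comment that closes the hunk), the LAN traffic it forwards will presumably follow wg-quick's catch-all routes into the tunnel as well, which is worth stating explicitly, e.g. `# Full-tunnel WireGuard client (see modules/wireguard-client.nix): makes this host reachable from the internet and carries forwarded LAN traffic too.` The `networking` attribute set edited here starts before the hunk.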
@@ -53,32 +40,14 @@ }; # Open ports in the firewall. - # Or disable the firewall altogether. - # networking.firewall.enable = false; networking.firewall.allowedTCPPorts = [ 80 144 443 ]; #networking.firewall.allowedUDPPorts = [ 53 ]; # allow UDP port range for mosh networking.firewall.allowedUDPPortRanges = [ { from = 60000; to = 61000; } ]; - - # Set your time zone. - time.timeZone = "Etc/UTC"; - - # Select internationalisation properties. - i18n.defaultLocale = "fr_FR.UTF-8"; - - i18n.extraLocaleSettings = { - LC_ADDRESS = "fr_FR.UTF-8"; - LC_IDENTIFICATION = "fr_FR.UTF-8"; - LC_MEASUREMENT = "fr_FR.UTF-8"; - LC_MONETARY = "fr_FR.UTF-8"; - LC_NAME = "fr_FR.UTF-8"; - LC_NUMERIC = "fr_FR.UTF-8"; - LC_PAPER = "fr_FR.UTF-8"; - LC_TELEPHONE = "fr_FR.UTF-8"; - LC_TIME = "fr_FR.UTF-8"; - }; + # Or disable the firewall altogether. + # networking.firewall.enable = false; # Configure console keymap console.keyMap = "fr";
@@ -86,25 +55,10 @@ # Allow unfree packages nixpkgs.config.allowUnfree = true; - # List packages installed in system profile. To search, run: - # $ nix search wget environment.systemPackages = with pkgs; [ - # vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default. - git - wget - tmux - htop - mosh - dig mtr ]; - programs.neovim = { - enable = true; - viAlias = true; - vimAlias = true; - }; - # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions # on your system were taken. It's perfectly fine and recommended to leave
diff --git a/config/dromadaire/configuration.nix b/config/dromadaire/configuration.nix
index 2adef34..dc95af5 100644
--- a/config/dromadaire/configuration.nix
+++ b/config/dromadaire/configuration.nix
@@ -10,6 +10,7 @@ ./hardware-configuration.nix /var/src/modules/nixin.nix /var/src/modules/users.nix + /var/src/modules/wireguard-client.nix ]; hardware.sensor.hddtemp.enable = true; 
@@ -29,48 +30,20 @@ prefixLength = 24; } ]; defaultGateway = "192.168.36.1"; - nameservers = [ "80.67.169.12" "80.67.169.40" "2001:910:800::12" "2001:910:800::40" ]; - enableIPv6 = true; - wg-quick.interfaces = { - wg0 = { - address = [ "192.168.12.3/32" "2a01:4f9:1a:9a05::3/128" ]; - dns = [ "80.67.169.12" "80.67.169.40" "2001:910:800::12" "2001:910:800::40" ]; - privateKeyFile = "/var/src/secrets/wg-private.key"; - - peers = [ - { - publicKey = "cUmp55I20JEhxr+RMmOsX+6U9kcDiAq3grnvzjQ642w="; - allowedIPs = [ "0.0.0.0/0" "::/0" ]; - endpoint = "vpn.lab12.fr:51812"; - persistentKeepalive = 15; - } - ]; - }; - }; }; - # Set your time zone. - time.timeZone = "Europe/Paris"; + nixin.wg.client = { + ipv4 = "192.168.12.3/32"; + ipv6 = "2a01:4f9:1a:9a05::3/128"; + }; - # Configure network proxy if necessary - # networking.proxy.default = "http://user:password@proxy:port/"; - # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; - - # Select internationalisation properties. - i18n.defaultLocale = "en_US.UTF-8"; console = { font = "Lat2-Terminus16"; keyMap = "fr"; #useXkbConfig = true; # use xkb.options in tty. }; - # List packages installed in system profile. To search, run: - # $ nix search wget environment.systemPackages = with pkgs; [ - git - wget - tmux - htop memtester # Useful podman development tools #dive # look into docker image layers
@@ -83,12 +56,6 @@ # Some programs need SUID wrappers, can be configured further or are # started in user sessions. - programs.neovim = { - enable = true; - viAlias = true; - vimAlias = true; - }; - virtualisation.containers.enable = true; virtualisation.podman = { enable = true; 
@@ -99,12 +66,6 @@ # Required for containers under podman-compose to be able to talk to each other. defaultNetwork.settings.dns_enabled = true; }; - #virtualisation.oci-containers.containers = { - # nixos = { - # image = "nix:latest" - # extraOptions = [ "--network=host" ]; - # }; - #}; services.gitea-actions-runner = { package = pkgs.forgejo-runner;
diff --git a/modules/nixin.nix b/modules/nixin.nix
index 4d0c6c3..2511ba9 100644
--- a/modules/nixin.nix
+++ b/modules/nixin.nix
@@ -4,6 +4,11 @@ # Set NIX_PATH to use nixpkgs deployed with krops environment.variables.NIX_PATH = lib.mkForce "/var/src"; + networking = { + nameservers = [ "80.67.169.12" "80.67.169.40" "2001:910:800::12" "2001:910:800::40" ]; + enableIPv6 = true; + }; + environment.shellAliases = { tm = "tmux new -A -s shared" ; ll = "ls -al";
@@ -18,4 +23,42 @@ KbdInteractiveAuthentication = false; }; + # Set your time zone. + time.timeZone = "Etc/UTC"; + + # Select internationalisation properties. + i18n.defaultLocale = "en_US.UTF-8"; + + i18n.extraLocaleSettings = { + LC_ADDRESS = "en_US.UTF-8"; + LC_IDENTIFICATION = "en_US.UTF-8"; + LC_MEASUREMENT = "en_US.UTF-8"; + LC_MONETARY = "en_US.UTF-8"; + LC_NAME = "en_US.UTF-8"; + LC_NUMERIC = "en_US.UTF-8"; + LC_PAPER = "en_US.UTF-8"; + LC_TELEPHONE = "en_US.UTF-8"; + LC_TIME = "en_US.UTF-8"; + LANGUAGE = "en_US.UTF-8"; + LC_ALL = "en_US.UTF-8"; + LC_CTYPE = "en_US.UTF-8"; + LC_COLLATE = "en_US.UTF-8"; + LC_MESSAGES = "en_US.UTF-8"; + }; + + environment.systemPackages = with pkgs; [ + git + wget + tmux + htop + mosh + dig + ]; + + programs.neovim = { + enable = true; + viAlias = true; + vimAlias = true; + }; + }
diff --git a/modules/wireguard-client.nix b/modules/wireguard-client.nix
new file mode 100644
index 0000000..2784e21
--- /dev/null
+++ b/modules/wireguard-client.nix
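Review bot: The four resolver addresses added to `networking.nameservers` in this hunk are the same list hard-coded again as `dns` in the new modules/wireguard-client.nix, so a resolver change now has to be made in two places and the two copies can drift. Have the WireGuard module read the shared value, `dns = config.networking.nameservers;` (that module already takes `config`), or lift the list into a `nixin` option that both modules consume. The enclosing module attribute set begins before the hunk.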
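Review bot: `time.timeZone = "Etc/UTC";` and `i18n.defaultLocale = "en_US.UTF-8";` are plain definitions in a module every host imports, so a host that needs its own value can no longer set it without a conflicting-definition error, and the commit already changes dromadaire from Europe/Paris to UTC and arachnide from fr_FR to en_US as a side effect. Declare the shared values as overridable defaults, `time.timeZone = lib.mkDefault "Etc/UTC";` and `i18n.defaultLocale = lib.mkDefault "en_US.UTF-8";` (lib is already used in this module for `mkForce`). `LC_ALL = "en_US.UTF-8";` in `i18n.extraLocaleSettings` overrides every other LC_* entry in the same set and any per-user locale, so it is normally left out. The enclosing attribute set starts before the hunk.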
@@ -0,0 +1,37 @@
+# Wireguard VPN client configuration
+{ config, pkgs, lib, ... }:
+
+let
+ inherit (lib) mkOption mkDefault;
+
+in
+{
+ options = {
+ nixin.wg.client = {
+ ipv4 = mkOption { };
+ ipv6 = mkOption { };
+ };
+ };
+
+ config = {
+ networking = {
+ wg-quick.interfaces = {
+ wg0 = {
+ address = [ config.nixin.wg.client.ipv4 config.nixin.wg.client.ipv6 ];
+ dns = [ "80.67.169.12" "80.67.169.40" "2001:910:800::12" "2001:910:800::40" ];
+ privateKeyFile = "/var/src/secrets/wg-private.key";
+
+ peers = [
+ {
+ publicKey = "cUmp55I20JEhxr+RMmOsX+6U9kcDiAq3grnvzjQ642w=";
+ allowedIPs = [ "0.0.0.0/0" "::/0" ];
+ endpoint = "vpn.lab12.fr:51812";
+ persistentKeepalive = 15;
+ }
+ ];
+ };
+ };
+ };
+ };
+
+}
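Review bot: `ipv4 = mkOption { };` and `ipv6 = mkOption { };` declare neither a `type` nor a `description`, so a mistyped or missing value in a host config is not caught at the option but surfaces as an evaluation error inside `address = [ … ]`, and the options carry no documentation; declare them as `ipv4 = mkOption { type = lib.types.str; description = "Tunnel IPv4 address with prefix length, e.g. 192.168.12.2/32"; };` and the same for ipv6. `mkDefault` is inherited from lib but never used. `privateKeyFile = "/var/src/secrets/wg-private.key";` correctly keeps the key out of the world-readable Nix store, but every host importing this module reads the same path and the module cannot check what is there, so the deployment has to put a distinct, root-only (0600) key on each host — a comment on that line stating this expectation would help the next host that is added.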