From ad6d66f3da424c37eafc32dd94fa0b1717d96d21 Mon Sep 17 00:00:00 2001
From: Fabrice Bellamy <12b@distrilab.fr>
Date: Thu, 26 Dec 2024 14:45:16 +0100
Subject: [PATCH] refactoring of network configuration and cleanup of configuration of secondary servers
---
 config/arachnide/configuration.nix | 20 +--
 config/arachnide/network-configuration.nix | 4 +-
 config/dromadaire/configuration.nix | 130 +++++--------------
 config/dromadaire/network-configuration.nix | 59 +++++++++
 config/framboise/configuration.nix | 80 ++----------
 config/framboise/network-configuration.nix | 2 +-
 config/grille-pain/configuration.nix | 12 +-
 config/grille-pain/network-configuration.nix | 6 +-
 krops.nix | 23 +---
 9 files changed, 132 insertions(+), 204 deletions(-)
 create mode 100644 config/dromadaire/network-configuration.nix
diff --git a/config/arachnide/configuration.nix b/config/arachnide/configuration.nix
index 326558d..91212ac 100644
--- a/config/arachnide/configuration.nix
+++ b/config/arachnide/configuration.nix
@@ -22,6 +22,12 @@
 boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true;
+ # Enable ip forwarding to route packets
+ boot.kernel.sysctl = {
+ "net.ipv4.ip_forward" = 1;
+ "net.ipv6.conf.all.forwarding" = 1;
+ };
+
 nixin.wg.client = { ipv4 = "192.168.12.2/32"; ipv6 = "2a01:4f9:1a:9a05::2/128";
@@ -70,8 +76,8 @@
 admin-pwd = let pwd = builtins.readFile ; in lib.strings.trim pwd;
- host-address = "10.10.10.1";
- container-address = "10.10.10.2";
+ host-address = "10.10.2.1";
+ container-address = "10.10.2.2";
 address-prefix = "/24"; };
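Review bot: The `admin-pwd = let pwd = builtins.readFile ...; in lib.strings.trim pwd;` context line next to the renumbered `host-address`/`container-address` reads the password file at evaluation time, which embeds the cleartext in the generated system configuration and therefore in the world-readable Nix store, assuming the elided path is a secret file as the name suggests. If nixin.nextcloud offers a file-based option, pass the path for the service to read at runtime instead, the way the removed framboise block did with `smtp-pwd-file = toString <path>`; otherwise a comment such as `# NOTE: readFile copies the password into the Nix store; move to a runtime-read file` would at least record the known risk. The nextcloud attribute set starts and ends outside the hunk.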
@@ -84,15 +90,9 @@
 };
- # Enable ip forwarding to route packets for the local network connected to enp3s0
- boot.kernel.sysctl = {
- "net.ipv4.ip_forward" = 1;
- "net.ipv6.conf.all.forwarding" = 1;
- };
-
 # Open ports in the firewall. networking.firewall.allowedTCPPorts = [ 80 144 443 ];
- #networking.firewall.allowedUDPPorts = [ 53 ];
+ networking.firewall.allowedUDPPorts = [ 53 ];
 # allow UDP port range for mosh networking.firewall.allowedUDPPortRanges = [ { from = 60000; to = 61000; }
@@ -101,7 +101,7 @@
 # networking.firewall.enable = false; # Configure console keymap
- console.keyMap = "fr";
+ #console.keyMap = "fr";
 # Allow unfree packages nixpkgs.config.allowUnfree = true;
diff --git a/config/arachnide/network-configuration.nix b/config/arachnide/network-configuration.nix
index ace0a36..bc96a6f 100644
--- a/config/arachnide/network-configuration.nix
+++ b/config/arachnide/network-configuration.nix
@@ -15,7 +15,7 @@
 nat = { enable = true; #internalInterfaces = ["vb-+"];
- internalIPs = ["10.10.10.0/24"];
+ internalIPs = ["10.10.2.0/24"];
 externalInterface = "enp1s0"; # Lazy IPv6 connectivity for the containers #enableIPv6 = true;
@@ -50,7 +50,7 @@
 br0 = { useDHCP = false; ipv4.addresses = [ {
- address = "10.10.10.1";
+ address = "10.10.2.1";
 prefixLength = 24; } ]; #ipv6.addresses = [
diff --git a/config/dromadaire/configuration.nix b/config/dromadaire/configuration.nix
index dc95af5..21c01e9 100644
--- a/config/dromadaire/configuration.nix
+++ b/config/dromadaire/configuration.nix
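Review bot: Uncommenting `networking.firewall.allowedUDPPorts = [ 53 ];` opens DNS on every interface, including the NAT external interface `enp1s0` set in arachnide's network-configuration.nix, so the resolver becomes reachable from the upstream side unless the router in front filters it. If the port is only needed by the containers behind the bridge, scope it with `networking.firewall.interfaces.br0.allowedUDPPorts = [ 53 ];` and drop the global entry. A short comment naming which clients need DNS here would make the intent reviewable the next time the line is toggled.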
@@ -1,117 +1,59 @@ -# Edit this configuration file to define what should be installed on -# your system. Help is available in the configuration.nix(5) man page, on -# https://search.nixos.org/options and in the NixOS manual (`nixos-help`). - -{ config, lib, pkgs, ... }: +{ config, pkgs, lib, ... }: { imports = - [ + [ ./hardware-configuration.nix - /var/src/modules/nixin.nix + ./network-configuration.nix + /var/src/modules/nixin-base.nix /var/src/modules/users.nix /var/src/modules/wireguard-client.nix ]; - hardware.sensor.hddtemp.enable = true; - - # Use the systemd-boot EFI boot loader. + # Bootloader. boot.loader.systemd-boot.enable = true; - boot.loader.systemd-boot.configurationLimit = 7; boot.loader.efi.canTouchEfiVariables = true; - networking = { - hostName = "dromadaire"; # Define your hostname. - # Pick only one of the below networking options. - # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. - # networking.networkmanager.enable = true; # Easiest to use and most distros use this by default. - interfaces.enp2s0.ipv4.addresses = [ { - address = "192.168.36.6"; - prefixLength = 24; - } ]; - defaultGateway = "192.168.36.1"; + # Enable ip forwarding to route packets + boot.kernel.sysctl = { + "net.ipv4.ip_forward" = 1; + "net.ipv6.conf.all.forwarding" = 1; }; nixin.wg.client = { - ipv4 = "192.168.12.3/32"; - ipv6 = "2a01:4f9:1a:9a05::3/128"; - }; - - console = { - font = "Lat2-Terminus16"; - keyMap = "fr"; - #useXkbConfig = true; # use xkb.options in tty. - }; - - environment.systemPackages = with pkgs; [ - memtester - # Useful podman development tools - #dive # look into docker image layers - podman-tui # status of containers in the terminal - #aardvark-dns - #docker-compose # start group of containers for dev - #podman-compose # start group of containers for dev - ]; - - # Some programs need SUID wrappers, can be configured further or are - # started in user sessions. 
- - virtualisation.containers.enable = true; - virtualisation.podman = { - enable = true; - - # Create a `docker` alias for podman, to use it as a drop-in replacement - dockerCompat = true; - - # Required for containers under podman-compose to be able to talk to each other. - defaultNetwork.settings.dns_enabled = true; - }; - - services.gitea-actions-runner = { - package = pkgs.forgejo-runner; - instances.default = { - enable = false; - name = "dromadaire"; - url = "https://git.distrilab.fr"; - # Obtaining the path to the runner token file may differ - tokenFile = "/etc/forgejo/runner.token"; - labels = [ - # provide a debian base with nodejs for actions - "debian-latest:docker://node:20-bookworm" - # fake the ubuntu name, because node provides no ubuntu builds - "ubuntu-latest:docker://node:20-bookworm" - # nixos - "nixos:docker://nixos/nix:latest" - # provide native execution on the host - #"native:host" - ]; - }; + ipv4 = "192.168.12.11/32"; + ipv6 = "2a01:4f9:1a:9a05::11/128"; + allowedIPs = [ "192.168.12.0/24" "2a01:4f9:1a:9a05::/64" ]; + endpoint = "vpn.lab12.fr:51812"; + endpointKey = "cUmp55I20JEhxr+RMmOsX+6U9kcDiAq3grnvzjQ642w="; }; # Open ports in the firewall. networking.firewall.allowedTCPPorts = [ 80 144 443 ]; - networking.firewall.allowedUDPPorts = [ 53 ]; + #networking.firewall.allowedUDPPorts = [ 53 ]; + # allow UDP port range for mosh + networking.firewall.allowedUDPPortRanges = [ + { from = 60000; to = 61000; } + ]; # Or disable the firewall altogether. # networking.firewall.enable = false; - # This option defines the first version of NixOS you have installed on this particular machine, - # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. - # - # Most users should NEVER change this value after the initial install, for any reason, - # even if you've upgraded your system to a new NixOS release. 
- # - # This value does NOT affect the Nixpkgs version your packages and OS are pulled from, - # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how - # to actually do that. - # - # This value being lower than the current NixOS release does NOT mean your system is - # out of date, out of support, or vulnerable. - # - # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration, - # and migrated your data accordingly. - # - # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion . + # Configure console keymap + # console.keyMap = "fr"; + + # Allow unfree packages + nixpkgs.config.allowUnfree = true; + + environment.systemPackages = with pkgs; [ + mtr + memtester + ]; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It's perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). system.stateVersion = "24.05"; # Did you read the comment? - } - diff --git a/config/dromadaire/network-configuration.nix b/config/dromadaire/network-configuration.nix new file mode 100644 index 0000000..132e079 --- /dev/null +++ b/config/dromadaire/network-configuration.nix 
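Review bot: `networking.firewall.allowedTCPPorts = [ 80 144 443 ];` is kept unchanged while this hunk removes the podman and forgejo-runner setup that were the only services in this file plausibly listening on 80 and 443, so those ports stay open on all interfaces with nothing visible behind them; trim the list to what is actually served (144 appears to be the SSH port krops deploys to, judging from krops.nix) or add a comment naming the imported module that still needs 80/443. The framboise hunk in config/framboise/configuration.nix has the same shape: it drops traefik, nginx, forgejo, nextcloud, etherpad and excalidraw but keeps the identical port list. Whether nixin-base.nix, imported by both hosts, opens or uses these ports is not visible on this page, so a one-line comment next to the list would settle it either way.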
@@ -0,0 +1,59 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, ... }:
+
+{
+ #virtualisation.writableStore = true;
+ #virtualisation.additionalPaths = [ pkgs.stdenv ];
+
+ networking = {
+ hostName = "dromadaire";
+ useDHCP = false;
+ defaultGateway = "192.168.36.1";
+
+ nat = {
+ enable = true;
+ #internalInterfaces = ["vb-+"];
+ internalIPs = ["10.10.11.0/24"];
+ externalInterface = "enp2s0";
+ # Lazy IPv6 connectivity for the containers
+ #enableIPv6 = true;
+ };
+
+ # bridge for containers
+ bridges = {
+ "br0" = {
+ #interfaces = [ "enp4s0" ];
+ interfaces = [ ];
+ };
+ };
+
+ interfaces = {
+ # primary network interface, connected to WAN through a router
+ enp2s0 = {
+ useDHCP = false;
+ ipv4.addresses = [ {
+ address = "192.168.36.6";
+ prefixLength = 24;
+ } ];
+ };
+ # interface for containers virtual network
+ br0 = {
+ useDHCP = false;
+ ipv4.addresses = [ {
+ address = "10.10.11.1";
+ prefixLength = 24;
+ } ];
+ #ipv6.addresses = [
+ # {
+ # address = hostIp6;
+ # prefixLength = 7;
+ # }
+ #];
+ };
+ };
+
+ };
+
+}
diff --git a/config/framboise/configuration.nix b/config/framboise/configuration.nix
index fcb653a..544ed4a 100644
--- a/config/framboise/configuration.nix
+++ b/config/framboise/configuration.nix
@@ -8,14 +8,6 @@
 /var/src/modules/nixin-base.nix /var/src/modules/users.nix /var/src/modules/wireguard-client.nix
- /var/src/modules/reverse-proxy-traefik.nix
- /var/src/modules/nginx.nix
- /var/src/modules/nixin-web.nix
- /var/src/modules/forgejo.nix
- /var/src/modules/forgejo-runner.nix
- /var/src/modules/nextcloud.nix
- /var/src/modules/etherpad.nix
- /var/src/modules/excalidraw.nix
 ]; # Bootloader.
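Review bot: The three-line header saying the file was generated by ‘nixos-generate-config’ and may be overwritten is wrong for this hand-written network-configuration.nix (it is the standard hardware-configuration.nix banner) and will steer the next maintainer away from editing the one file they should edit. Replace it with a one-line purpose comment such as `# Network layout for dromadaire: static address on enp2s0, NAT for the 10.10.11.0/24 container bridge br0.` The commented `#ipv6.addresses` block also refers to `hostIp6`, which is not defined anywhere in this file, so it will fail evaluation the day it is uncommented; either define it or remove the dead block.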
@@ -24,74 +16,20 @@ # Enables the generation of /boot/extlinux/extlinux.conf boot.loader.generic-extlinux-compatible.enable = true; - nixin.wg.client = { - ipv4 = "192.168.12.2/32"; - ipv6 = "2a01:4f9:1a:9a05::2/128"; - allowedIPs = [ "0.0.0.0/0" "::/0" ]; - endpoint = "vpn.lab12.fr:51812"; - endpointKey = "cUmp55I20JEhxr+RMmOsX+6U9kcDiAq3grnvzjQ642w="; - }; - - nixin.traefik = { - dashboard-domain = "traefik.lab12.fr"; - }; - - nixin.web = { - domain = "nixin.lab12.fr"; - http-port = 8081; - }; - - nixin.forgejo = { - http-port = 8082; - domain = "forge.lab12.fr"; - smtp-addr = "lab12.org"; - smtp-user = "mr.robot@lab12.org"; - smtp-from = "no-reply@lab12.org"; - smtp-pwd-file = toString ; - #smtp-pwd = let - # pwd = builtins.readFile ; - #in lib.strings.trim pwd; - admin-email = "sysadmin@lab12.fr"; - admin-user = "operator"; - admin-pwd = let - pwd = builtins.readFile ; - in lib.strings.trim pwd; - }; - - nixin.forgejo-runner = { - token-file = "/etc/forgejo/runner.token"; - #token = let - # pwd = builtins.readFile ; - #in lib.strings.trim pwd; - url = "https://forge.lab12.fr"; - }; - - nixin.nextcloud = { - domain = "nuage.lab12.fr"; - admin-user = "operator"; - admin-pwd = let - pwd = builtins.readFile ; - in lib.strings.trim pwd; - host-address = "10.10.10.1"; - container-address = "10.10.10.2"; - address-prefix = "/24"; - }; - - nixin.etherpad = { - domain = "pad.lab12.fr"; - }; - - nixin.excalidraw = { - domain = "draw.lab12.fr"; - }; - - - # Enable ip forwarding to route packets for the local network connected to enp3s0 + # Enable ip forwarding to route packets boot.kernel.sysctl = { "net.ipv4.ip_forward" = 1; "net.ipv6.conf.all.forwarding" = 1; }; + nixin.wg.client = { + ipv4 = "192.168.12.10/32"; + ipv6 = "2a01:4f9:1a:9a05::10/128"; + allowedIPs = [ "192.168.12.0/24" "2a01:4f9:1a:9a05::/64" ]; + endpoint = "vpn.lab12.fr:51812"; + endpointKey = "cUmp55I20JEhxr+RMmOsX+6U9kcDiAq3grnvzjQ642w="; + }; + # Open ports in the firewall. 
networking.firewall.allowedTCPPorts = [ 80 144 443 ]; #networking.firewall.allowedUDPPorts = [ 53 ];
diff --git a/config/framboise/network-configuration.nix b/config/framboise/network-configuration.nix
index 250c489..c994fa6 100644
--- a/config/framboise/network-configuration.nix
+++ b/config/framboise/network-configuration.nix
@@ -16,7 +16,7 @@
 enable = true; #internalInterfaces = ["vb-+"]; internalIPs = ["10.10.10.0/24"];
- externalInterface = "enp1s0";
+ externalInterface = "end0";
 # Lazy IPv6 connectivity for the containers #enableIPv6 = true; };
diff --git a/config/grille-pain/configuration.nix b/config/grille-pain/configuration.nix
index 2b05df5..751cab1 100644
--- a/config/grille-pain/configuration.nix
+++ b/config/grille-pain/configuration.nix
@@ -16,6 +16,12 @@
 # Enables the generation of /boot/extlinux/extlinux.conf boot.loader.generic-extlinux-compatible.enable = true;
+ # Enable ip forwarding to route packets
+ boot.kernel.sysctl = {
+ "net.ipv4.ip_forward" = 1;
+ "net.ipv6.conf.all.forwarding" = 1;
+ };
+
 nixin.wg.client = { ipv4 = "192.168.12.7/32"; ipv6 = "2a01:4f9:1a:9a05::7/128";
@@ -24,12 +30,6 @@
 endpointKey = "cUmp55I20JEhxr+RMmOsX+6U9kcDiAq3grnvzjQ642w="; };
- # Enable ip forwarding to route packets
- boot.kernel.sysctl = {
- "net.ipv4.ip_forward" = 1;
- "net.ipv6.conf.all.forwarding" = 1;
- };
-
 # Open ports in the firewall. networking.firewall.allowedTCPPorts = [ 80 144 443 ]; #networking.firewall.allowedUDPPorts = [ 53 ];
diff --git a/config/grille-pain/network-configuration.nix b/config/grille-pain/network-configuration.nix
index e19dff5..228872d 100644
--- a/config/grille-pain/network-configuration.nix
+++ b/config/grille-pain/network-configuration.nix
@@ -15,8 +15,8 @@
 nat = { enable = true; #internalInterfaces = ["vb-+"];
- internalIPs = ["10.10.10.0/24"];
- externalInterface = "enp1s0";
+ internalIPs = ["10.10.7.0/24"];
+ externalInterface = "end0";
 # Lazy IPv6 connectivity for the containers #enableIPv6 = true; };
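Review bot: The `nixin.wg.client` block added to framboise repeats `endpoint` and `endpointKey` verbatim from the dromadaire and grille-pain configurations, so rotating the server key means editing every host file, and each further copy-paste is one more chance to pair a host with a neighbour's address (the old framboise block shared arachnide's `192.168.12.2/32`, which this commit corrects). Since every host already imports /var/src/modules/wireguard-client.nix, consider giving those two options defaults there and keeping only the per-host `ipv4`/`ipv6` in each configuration.nix. Whether the module's option declarations allow defaults is not visible on this page. The enclosing attribute set of framboise's configuration starts outside the hunk.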
@@ -42,7 +42,7 @@
 br0 = { useDHCP = false; ipv4.addresses = [ {
- address = "10.10.10.1";
+ address = "10.10.7.1";
 prefixLength = 24; } ]; #ipv6.addresses = [
diff --git a/krops.nix b/krops.nix
index 2adacfe..f8f6618 100644
--- a/krops.nix
+++ b/krops.nix
@@ -35,7 +35,7 @@ let
 framboise = pkgs.krops.writeDeploy "deploy-server-framboise" { source = source "framboise";
- target = lib.mkTarget "douzeb@192.168.36.14" // {
+ target = lib.mkTarget "operator@192.168.12.10" // {
 port = "144"; sudo = true; };
@@ -43,7 +43,7 @@ let
 grille-pain = pkgs.krops.writeDeploy "deploy-server-grille-pain" { source = source "grille-pain";
- target = lib.mkTarget "douzeb@192.168.36.15" // {
+ target = lib.mkTarget "operator@192.168.12.7" // {
 port = "144"; sudo = true; };
@@ -51,7 +51,10 @@ let
 dromadaire = pkgs.krops.writeDeploy "deploy-server-dromadaire" { source = source "dromadaire";
- target = "root@192.168.36.6";
+ target = lib.mkTarget "operator@192.168.12.11" // {
+ port = "144";
+ sudo = true;
+ };
 }; register-runner = pkgs.krops.writeCommand "register-forgejo-runner" {
@@ -78,19 +81,6 @@ let
 ''; };
- gen-token-framboise = pkgs.krops.writeCommand "generate-token-framboise" {
- source = source "arachnide";
- target = lib.mkTarget "douzeb@192.168.36.14" // {
- port = "144";
- sudo = true;
- };
- command = targetPath: ''
- mkdir -p /etc/forgejo
- echo "TOKEN=$(forgejo forgejo-cli actions generate-runner-token)" > /etc/forgejo/runner.token
- cat /etc/forgejo/runner.token
- '';
- };
-
 in { arachnide = arachnide;
@@ -107,5 +97,4 @@ in
 ); register-runner = register-runner; gen-token-arachnide = gen-token-arachnide;
- gen-token-framboise = gen-token-framboise;
 }
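Review bot: The framboise, grille-pain and dromadaire deploy targets now hard-code the WireGuard addresses 192.168.12.10, .7 and .11 a second time, duplicating the `nixin.wg.client.ipv4` values declared in each host's configuration.nix; if one side is renumbered and the other is not, a deploy may be sent to a different host than the tree it was built for. Deriving both the target and the client address from one shared attribute set of hosts would remove that drift. Switching dromadaire from `target = "root@192.168.36.6";` to `operator@` with `sudo = true` and port 144 is consistent with the other two targets and is the right direction. The `let` block enclosing these bindings continues outside the hunks.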