diff --git a/config/arachnide/configuration.nix b/config/arachnide/configuration.nix index bd6942b..326558d 100644 --- a/config/arachnide/configuration.nix +++ b/config/arachnide/configuration.nix @@ -25,6 +25,9 @@ nixin.wg.client = { ipv4 = "192.168.12.2/32"; ipv6 = "2a01:4f9:1a:9a05::2/128"; + allowedIPs = [ "0.0.0.0/0" "::/0" ]; + endpoint = "vpn.lab12.fr:51812"; + endpointKey = "cUmp55I20JEhxr+RMmOsX+6U9kcDiAq3grnvzjQ642w="; }; nixin.traefik = { diff --git a/config/framboise/configuration.nix b/config/framboise/configuration.nix index 77d24d3..fcb653a 100644 --- a/config/framboise/configuration.nix +++ b/config/framboise/configuration.nix @@ -27,6 +27,9 @@ nixin.wg.client = { ipv4 = "192.168.12.2/32"; ipv6 = "2a01:4f9:1a:9a05::2/128"; + allowedIPs = [ "0.0.0.0/0" "::/0" ]; + endpoint = "vpn.lab12.fr:51812"; + endpointKey = "cUmp55I20JEhxr+RMmOsX+6U9kcDiAq3grnvzjQ642w="; }; nixin.traefik = { diff --git a/config/grille-pain/configuration.nix b/config/grille-pain/configuration.nix new file mode 100644 index 0000000..2b05df5 --- /dev/null +++ b/config/grille-pain/configuration.nix 
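Review bot: The arachnide hunk and the framboise hunk that follows both make the full-tunnel routing explicit with `allowedIPs = [ "0.0.0.0/0" "::/0" ];` while the surrounding context lines still give both hosts the same tunnel addresses `192.168.12.2/32` and `2a01:4f9:1a:9a05::2/128`; if both machines are meant to be online at the same time the server cannot hold two peers with the same address, so one of them presumably needs its own (the new grille-pain host takes `.7`). With every route pulled into the tunnel, reaching these hosts over SSH port 144 for krops deploys also depends on the tunnel unless the deploy target is on the LAN side, so a one-line comment stating the intent would help, e.g. `# full tunnel: all traffic leaves via the VPN (grille-pain only routes the VPN subnet)`. The `endpointKey` value is the server's WireGuard public key, consumed as `publicKey` in modules/wireguard-client.nix, and is not secret material.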
@@ -0,0 +1,60 @@ +{ config, pkgs, lib, ... }: + +{ + imports = + [ + ./hardware-configuration.nix + ./network-configuration.nix + /var/src/modules/nixin-base.nix + /var/src/modules/users.nix + /var/src/modules/wireguard-client.nix + ]; + + # Bootloader. + # Use the extlinux boot loader. (NixOS wants to enable GRUB by default) + boot.loader.grub.enable = false; + # Enables the generation of /boot/extlinux/extlinux.conf + boot.loader.generic-extlinux-compatible.enable = true; + + nixin.wg.client = { + ipv4 = "192.168.12.7/32"; + ipv6 = "2a01:4f9:1a:9a05::7/128"; + allowedIPs = [ "192.168.12.0/24" "2a01:4f9:1a:9a05::/64" ]; + endpoint = "vpn.lab12.fr:51812"; + endpointKey = "cUmp55I20JEhxr+RMmOsX+6U9kcDiAq3grnvzjQ642w="; + }; + + # Enable ip forwarding to route packets + boot.kernel.sysctl = { + "net.ipv4.ip_forward" = 1; + "net.ipv6.conf.all.forwarding" = 1; + }; + + # Open ports in the firewall. + networking.firewall.allowedTCPPorts = [ 80 144 443 ]; + #networking.firewall.allowedUDPPorts = [ 53 ]; + # allow UDP port range for mosh + networking.firewall.allowedUDPPortRanges = [ + { from = 60000; to = 61000; } + ]; + # Or disable the firewall altogether. + # networking.firewall.enable = false; + + # Configure console keymap + # console.keyMap = "fr"; + + # Allow unfree packages + nixpkgs.config.allowUnfree = true; + + environment.systemPackages = with pkgs; [ + mtr + ]; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It's perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "24.11"; # Did you read the comment? +} 
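Review bot: `networking.firewall.allowedTCPPorts = [ 80 144 443 ];` opens the ports on every interface, including the WireGuard interface and `br0`, and does not say what 144 is; krops.nix shows it is the SSH deploy port, so at least annotate it, `networking.firewall.allowedTCPPorts = [ 80 144 443 ]; # 144 = SSH (krops deploy target port)`, and consider `networking.firewall.interfaces.end0.allowedTCPPorts` if the services are only meant for the LAN side. The `boot.kernel.sysctl` block enables forwarding for both stacks, while the imported network-configuration.nix also sets `networking.nat.enable = true`, which presumably already turns on IPv4 forwarding, so the comment should say that the IPv6 entry is the part this block genuinely adds. The `allowedIPs` restricted to the VPN subnet is deliberately different from the full-tunnel clients in the other two hosts; a short comment there, `# split tunnel: only the VPN subnet is routed over wg`, prevents someone "fixing" it to match.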
diff --git a/config/grille-pain/hardware-configuration.nix b/config/grille-pain/hardware-configuration.nix new file mode 100644 index 0000000..405d3f2 --- /dev/null +++ b/config/grille-pain/hardware-configuration.nix 
@@ -0,0 +1,62 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888"; + fsType = "ext4"; + }; + + swapDevices = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.end0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux"; + + # Based on the config from https://www.armbian.com/odroid-hc4/ + hardware.fancontrol = { + enable = lib.mkDefault true; + config = let + # According to https://www.armbian.com/odroid-hc4/ the FCFANS line should be removed on kernel 5.15. 
+ kernelVersion = config.boot.kernelPackages.kernel.version; + needFcFans = lib.versions.majorMinor kernelVersion != "5.15"; + in lib.mkDefault ('' + INTERVAL=10 + DEVPATH=hwmon0=devices/virtual/thermal/thermal_zone0 hwmon2=devices/platform/pwm-fan + DEVNAME=hwmon0=cpu_thermal hwmon2=pwmfan + FCTEMPS=hwmon2/pwm1=hwmon0/temp1_input + '' + lib.optionalString needFcFans '' + FCFANS= hwmon2/pwm1=hwmon2/fan1_input + '' + '' + MINTEMP=hwmon2/pwm1=50 + MAXTEMP=hwmon2/pwm1=60 + MINSTART=hwmon2/pwm1=20 + MINSTOP=hwmon2/pwm1=28 + MINPWM=hwmon2/pwm1=0 + MAXPWM=hwmon2/pwm1=255 + ''); + }; + + # Linux 5.15 sometimes crash under heavy network usage + systemd.watchdog.runtimeTime = lib.mkDefault "1min"; + + hardware.deviceTree.filter = "meson-sm1-odroid-hc4.dtb"; + +} + diff --git a/config/grille-pain/network-configuration.nix b/config/grille-pain/network-configuration.nix new file mode 100644 index 0000000..e19dff5 --- /dev/null +++ b/config/grille-pain/network-configuration.nix 
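Review bot: The header declares this file generated by nixos-generate-config and not to be modified, but the `hardware.fancontrol`, `systemd.watchdog.runtimeTime` and `hardware.deviceTree.filter` settings are hand-written and would be lost on the next regeneration. Either move them into configuration.nix or replace the header with something truthful, e.g. `# Generated by nixos-generate-config, then hand-edited: fan control, watchdog and device-tree filter below are manual additions.`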
@@ -0,0 +1,59 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, ... }: + +{ + #virtualisation.writableStore = true; + #virtualisation.additionalPaths = [ pkgs.stdenv ]; + + networking = { + hostName = "grille-pain"; + useDHCP = false; + defaultGateway = "192.168.36.1"; + + nat = { + enable = true; + #internalInterfaces = ["vb-+"]; + internalIPs = ["10.10.10.0/24"]; + externalInterface = "enp1s0"; + # Lazy IPv6 connectivity for the containers + #enableIPv6 = true; + }; + + # bridge for containers + bridges = { + "br0" = { + #interfaces = [ "enp4s0" ]; + interfaces = [ ]; + }; + }; + + interfaces = { + # primary network interface, connected to WAN through a router + end0 = { + useDHCP = false; + ipv4.addresses = [ { + address = "192.168.36.15"; + prefixLength = 24; + } ]; + }; + # interface for containers virtual network + br0 = { + useDHCP = false; + ipv4.addresses = [ { + address = "10.10.10.1"; + prefixLength = 24; + } ]; + #ipv6.addresses = [ + # { + # address = hostIp6; + # prefixLength = 7; + # } + #]; + }; + }; + + }; + +} diff --git a/krops.nix b/krops.nix index 72a19ff..ebf77c9 100644 --- a/krops.nix +++ b/krops.nix @@ -37,8 +37,14 @@ let port = "144"; sudo = true; }; - # only build the configuration and do not activate it for now (could also use writeTest instead of writeDeploy for doing that) - # operation = "build"; + }; + + grille-pain = pkgs.krops.writeDeploy "deploy-server-grille-pain" { + source = source "grille-pain"; + target = lib.mkTarget "douzeb@192.168.36.15" // { + port = "144"; + sudo = true; + }; }; dromadaire = pkgs.krops.writeDeploy "deploy-server-dromadaire" { 
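Review bot: `networking.nat.externalInterface = "enp1s0";` does not match the only physical interface configured in this file, `end0` (the same name hardware-configuration.nix references for DHCP), so the masquerade rules appear to be bound to an interface that does not exist and container traffic from `10.10.10.0/24` would not be NATed; change it to `externalInterface = "end0";`. The file also opens with the nixos-generate-config "Do not modify this file!" header although it is a hand-written network layout; drop those three lines or replace them with a comment describing the WAN/bridge layout so nobody regenerates over it.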
@@ -86,9 +92,10 @@ let in { arachnide = arachnide; framboise = framboise; + grille-pain = grille-pain; dromadaire = dromadaire; all = pkgs.writeScript "deploy-all-servers" - (lib.concatStringsSep "\n" [ arachnide framboise dromadaire ]); + (lib.concatStringsSep "\n" [ arachnide framboise grille-pain dromadaire ]); register-runner = register-runner; gen-token-arachnide = gen-token-arachnide; gen-token-framboise = gen-token-framboise; diff --git a/modules/wireguard-client.nix b/modules/wireguard-client.nix index 99e9975..0f43b8e 100644 --- a/modules/wireguard-client.nix +++ b/modules/wireguard-client.nix @@ -10,6 +10,9 @@ in nixin.wg.client = { ipv4 = mkOption { type = lib.types.str; }; ipv6 = mkOption { type = lib.types.str; }; + allowedIPs = mkOption { type = lib.types.listOf lib.types.str; }; + endpoint = mkOption { type = lib.types.str; }; + endpointKey = mkOption { type = lib.types.str; }; }; }; @@ -23,9 +26,9 @@ in peers = [ { - publicKey = "cUmp55I20JEhxr+RMmOsX+6U9kcDiAq3grnvzjQ642w="; - allowedIPs = [ "0.0.0.0/0" "::/0" ]; - endpoint = "vpn.lab12.fr:51812"; + publicKey = config.nixin.wg.client.endpointKey; + allowedIPs = config.nixin.wg.client.allowedIPs; + endpoint = config.nixin.wg.client.endpoint; persistentKeepalive = 15; } ];
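Review bot: The three new options in the `@@ -10,6 +10,9 @@` hunk of modules/wireguard-client.nix have neither `default` nor `description`, so any host importing this module that the commit did not update (only arachnide, framboise and grille-pain are visible here) would fail evaluation with a missing-option error, and the name `endpointKey` does not say whether it holds a public or private key even though the second hunk consumes it as `peers.*.publicKey`. Giving the options the values that were hardcoded before this commit as defaults keeps existing importers working and documents the contract in one place.
```nix
nixin.wg.client = {
  # … unchanged: ipv4, ipv6 options …
  allowedIPs = mkOption {
    type = lib.types.listOf lib.types.str;
    default = [ "0.0.0.0/0" "::/0" ];
    description = "Destination networks routed through the tunnel (default: full tunnel, the behaviour before this option existed).";
  };
  endpoint = mkOption {
    type = lib.types.str;
    default = "vpn.lab12.fr:51812";
    description = "host:port of the WireGuard server peer.";
  };
  endpointKey = mkOption {
    type = lib.types.str;
    default = "cUmp55I20JEhxr+RMmOsX+6U9kcDiAq3grnvzjQ642w=";
    description = "WireGuard public key of the server peer (used as peers.*.publicKey; not a secret).";
  };
};
```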