
prepare for haku outage

main
Leo Maroni 2 months ago
parent
commit
039e226fb8
Signed by: em0lar GPG Key ID: B1ADA545CD2CBACD
  1. 9
      flake.nix
  2. 49
      hosts/rechaku/configuration.nix
  3. 28
      hosts/rechaku/hardware-configuration.nix
  4. 65
      hosts/rechaku/wireguard.nix
  5. 1
      secrets/all/.gpg-id
  6. BIN
      secrets/all/user-em0lar-password.gpg
  7. BIN
      secrets/all/user-root-password.gpg
  8. 1257
      secrets/rechaku/.gpg-id
  9. BIN
      secrets/rechaku/wireguard_wg-public_privatekey.gpg

9
flake.nix

@ -152,6 +152,15 @@
];
};
};
rechaku = {
nixosSystem = {
system = "x86_64-linux";
modules = defaultModules ++ [
./hosts/rechaku/configuration.nix
];
};
deploy.hostname = "188.34.167.131";
};
};
in {
nixosConfigurations = (nixpkgs.lib.mapAttrs (name: config: (nixpkgs.lib.nixosSystem rec {

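--- a/hosts/rechaku/configuration.nix
+++ b/hosts/rechaku/configuration.nix
@@ -0,0 +1,49 @@
+{ config, pkgs, ... }:
+{
+imports =
+[
+./hardware-configuration.nix
+./wireguard.nix
+../../common
+];
+boot.loader.grub.enable = true;
+boot.loader.grub.version = 2;
+boot.loader.grub.efiSupport = true;
+# boot.loader.grub.efiInstallAsRemovable = true;
+# boot.loader.efi.efiSysMountPoint = "/boot/efi";
+# Define on which hard drive you want to install Grub.
+boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only
+networking.hostName = "rechaku";
+networking.domain = "het.fks.de.em0lar.dev";
+boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = true;
+boot.kernel.sysctl."net.ipv4.conf.all.forwarding" = true;
+networking.useHostResolvConf = false;
+system.stateVersion = "20.09";
+systemd.network = {
+links."10-ens3" = {
+linkConfig.Name = "ens3";
+};
+networks."10-ens3" = {
+DHCP = "ipv4";
+matchConfig = {
+Name = "ens3";
+};
+address = [ "2a01:4f8:c010:9e88::1/128" ];
+routes = [
+{
+routeConfig = {
+Destination = "::/0";
+Gateway = "fe80::1";
+GatewayOnLink = true;
+};
+}
+];
+};
+};
+}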
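Review bot: The two `boot.kernel.sysctl` forwarding lines turn this host into a router for every interface, but nothing in this file says why or which policy governs forwarded traffic; the forward rules live in `./wireguard.nix` via `em0lar.nftables.extraForward`, which is imported a few lines above but easy to miss from here. A comment above the sysctl pair would make the dependency explicit: `# rechaku routes for the wg-public peers; the nftables forward policy is in ./wireguard.nix (em0lar.nftables.extraForward)`. Whether `../../common` enables the firewall and sets a default forward policy is not visible in this commit; if it does not, forwarding is unfiltered once these sysctls are set, which is worth confirming before deployment.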

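--- a/hosts/rechaku/hardware-configuration.nix
+++ b/hosts/rechaku/hardware-configuration.nix
@@ -0,0 +1,28 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+{
+imports =
+[ (modulesPath + "/profiles/qemu-guest.nix")
+];
+boot.initrd.availableKernelModules = [ "ata_piix" "virtio_pci" "xhci_pci" "sd_mod" "sr_mod" ];
+boot.initrd.kernelModules = [ ];
+boot.kernelModules = [ ];
+boot.extraModulePackages = [ ];
+fileSystems."/" =
+{ device = "/dev/disk/by-uuid/ee220048-14c4-43dd-8522-c4f5c7416dde";
+fsType = "ext4";
+};
+fileSystems."/boot" =
+{ device = "/dev/disk/by-uuid/175E-2886";
+fsType = "vfat";
+};
+swapDevices = [ ];
+}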

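--- a/hosts/rechaku/wireguard.nix
+++ b/hosts/rechaku/wireguard.nix
@@ -0,0 +1,65 @@
+{ config, ... }:
+{
+networking.firewall.allowedUDPPorts = [
+51440
+51441
+51442
+];
+em0lar.secrets = {
+"wireguard_wg-public_privatekey".owner = "systemd-network";
+};
+em0lar.nftables.extraForward = ''
+ct state invalid drop
+ct state established,related accept
+iifname wg-public ct state new accept
+oifname wg-public ct state new accept
+'';
+systemd.network = {
+netdevs."30-wg-public" = {
+netdevConfig = {
+Kind = "wireguard";
+Name = "wg-public";
+};
+wireguardConfig = {
+ListenPort = 51440;
+PrivateKeyFile = config.em0lar.secrets."wireguard_wg-public_privatekey".path;
+};
+wireguardPeers = [
+{ # foros
+wireguardPeerConfig = {
+AllowedIPs = [
+"2a01:4f8:c010:9e88:1000::2/128"
+];
+PublicKey = "CnswutrDvUJdDIsopjkvjO/SiOrKdx3ob0jvDf0LLFI=";
+PersistentKeepalive = 21;
+};
+}
+{ # beryl
+wireguardPeerConfig = {
+AllowedIPs = [
+"2a01:4f8:c010:9e88:1000::3/128"
+];
+PublicKey = "DBfzjdPqk5Ee8OYsqNy2LoM7kvbh8ppmK836jlGz43s=";
+PersistentKeepalive = 21;
+};
+}
+];
+};
+networks."30-wg-public" = {
+name = "wg-public";
+linkConfig = { RequiredForOnline = "no"; };
+address = [
+"2a01:4f8:c010:9e88:1000::1/128"
+];
+networkConfig = {
+IPForward = true;
+};
+routes = [
+{ routeConfig.Destination = "2a01:4f8:c010:9e88:1000::/68"; }
+];
+};
+};
+}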
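Review bot: `networking.firewall.allowedUDPPorts` opens 51440, 51441 and 51442, but only 51440 has a listener in this file (`ListenPort = 51440` on wg-public), so 51441 and 51442 are opened for no configured service. Either trim the list to `networking.firewall.allowedUDPPorts = [ 51440 ]; # wg-public ListenPort` or add a comment naming the netdevs the other two are reserved for, so the extra exposure is deliberate rather than forgotten. Separately, `oifname wg-public ct state new accept` carries no `iifname` qualifier, so new connections arriving on any interface are admitted toward the tunnel; combined with the `2a01:4f8:c010:9e88:1000::/68` route this makes the peers at ::2 and ::3 reachable from the public side through this host, which may be the intent given the commit title but deserves a comment or an `iifname` restriction if it is not. `PersistentKeepalive = 21` is set on peers that have no `Endpoint`, so it only takes effect after a peer has initiated a handshake; presumably fine, but worth a short comment so nobody expects this side to initiate.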

1
secrets/all/.gpg-id

@ -10,3 +10,4 @@ BE92A1BC2708F3527BFD967A81B858A16E3EDFC4
836676BB933683177F07D64CBA0F4FC6E133E44F
430411806903447FF65FCBCBB1ADA545CD2CBACD
4C42E71BB77A21507BEE760E5233F8122D75B48E
7B5052FCBB95D9EF85E79F9143A561C9B0C27867

BIN
secrets/all/user-em0lar-password.gpg

Binary file not shown.

BIN
secrets/all/user-root-password.gpg

Binary file not shown.

1257
secrets/rechaku/.gpg-id

File diff suppressed because one or more lines are too long
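Review bot: `secrets/rechaku/.gpg-id` is added with 1257 lines and the diff is suppressed for overlong lines, whereas a `.gpg-id` recipient list normally holds one key fingerprint per line (compare `secrets/all/.gpg-id` in this same commit, which gains a single 40-character line). A file of this size and shape looks like something other than a recipient list was committed under that name, such as an exported key block or the wrong file. Worth checking the contents before anything further is encrypted against it, since every recipient listed there can decrypt the rechaku secrets, including `wireguard_wg-public_privatekey.gpg` added here. I cannot see the file content, so this is inferred from the diffstat alone.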

BIN
secrets/rechaku/wireguard_wg-public_privatekey.gpg

Binary file not shown.