diff --git a/configuration/dn42/default.nix b/configuration/dn42/default.nix deleted file mode 100644 index 93ae00e..0000000 --- a/configuration/dn42/default.nix +++ /dev/null @@ -1,22 +0,0 @@ -{ pkgs, ... }: - -{ - environment.systemPackages = with pkgs; [ - wireguard-tools - ]; - - boot.kernel.sysctl = { - "net.ipv4.ip_forward" = true; - "net.ipv6.conf.all.forwarding" = true; - }; - - networking.firewall.checkReversePath = false; - - # Open Firewall for BGP - networking.firewall.allowedTCPPorts = [ 179 ]; - # Open Fireall for OSPF - networking.firewall.extraCommands = '' - ip6tables -A INPUT -p ospfigp -j ACCEPT - iptables -A INPUT -p ospfigp -j ACCEPT - ''; -} diff --git a/configuration/hydra-build-machine/default.nix b/configuration/hydra-build-machine/default.nix deleted file mode 100644 index b27bef5..0000000 --- a/configuration/hydra-build-machine/default.nix +++ /dev/null @@ -1,16 +0,0 @@ -{ ... }: - -{ - - # Allow Hydra to fetch remote URLs in restricted mode - nix.settings.allowed-uris = "http: https: git+https: github:"; - - services.openssh.settings= { - PermitRootLogin = "yes"; - }; - - users.extraUsers.root.openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMv8Lbca/CR4das3HJ2F/sQ9dA7kdGS1hSVTt5lX4diP root@hydra-1" - ]; - -} diff --git a/configuration/router/default.nix b/configuration/router/default.nix deleted file mode 100644 index afc974e..0000000 --- a/configuration/router/default.nix +++ /dev/null 
@@ -1,27 +0,0 @@ -{ pkgs, ... }: - -{ - environment.systemPackages = with pkgs; [ - wireguard-tools - tcpdump - ]; - - boot.kernel.sysctl = { - "net.ipv4.ip_forward" = true; - "net.ipv6.conf.all.forwarding" = true; - }; - - networking.firewall.checkReversePath = false; - - networking.firewall.allowedTCPPorts = [ - # Open Firewall for BGP - 179 - ]; - - networking.firewall.extraCommands = '' - # Open fireall for OSPF - ip46tables -A nixos-fw -p ospfigp -j nixos-fw-accept - # Open firewall for GRE - ip46tables -A nixos-fw -p gre -j nixos-fw-accept - ''; -} diff --git a/flake.lock b/flake.lock index 04c6399..996bbb3 100644 --- a/flake.lock +++ b/flake.lock @@ -440,11 +440,11 @@ ] }, "locked": { - "lastModified": 1683625533, - "narHash": "sha256-GvKE97JdQuEZ697TLSMRTNABbVJfGVnJ0vfzK4AIFyI=", + "lastModified": 1746733297, + "narHash": "sha256-CPo/F6oJq3tswg2YT6DsWDFPYXOjw00/3m45JN84PVY=", "ref": "refs/heads/main", - "rev": "5e86139ee4af27f84228708fd32903bb0c4230f0", - "revCount": 19, + "rev": "f1a832f445c9994d9729a6fa1862b8d4a123bd31", + "revCount": 22, "type": "git", "url": "https://git.clerie.de/clerie/nixos-exporter.git" }, @@ -551,11 +551,11 @@ }, "nixpkgs_3": { "locked": { - "lastModified": 1746461020, - "narHash": "sha256-7+pG1I9jvxNlmln4YgnlW4o+w0TZX24k688mibiFDUE=", + "lastModified": 1746663147, + "narHash": "sha256-Ua0drDHawlzNqJnclTJGf87dBmaO/tn7iZ+TCkTRpRc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "3730d8a308f94996a9ba7c7138ede69c1b9ac4ae", + "rev": "dda3dcd3fe03e991015e9a74b22d35950f264a54", "type": "github" }, "original": { diff --git a/hosts/carbon/configuration.nix b/hosts/carbon/configuration.nix index 5bf6cf3..b0fc794 100644 --- a/hosts/carbon/configuration.nix +++ b/hosts/carbon/configuration.nix @@ -4,7 +4,6 @@ imports = [ ./hardware-configuration.nix - ../../configuration/router ./dns.nix ./mdns.nix 
@@ -23,6 +22,7 @@ ]; profiles.clerie.common-networking.enable = false; + profiles.clerie.router.enable = true; boot.kernelParams = [ "console=ttyS0,115200n8" ]; diff --git a/hosts/gatekeeper/configuration.nix b/hosts/gatekeeper/configuration.nix index 7fe8de2..ed30b6d 100644 --- a/hosts/gatekeeper/configuration.nix +++ b/hosts/gatekeeper/configuration.nix @@ -4,10 +4,10 @@ imports = [ ./hardware-configuration.nix - ../../configuration/router ]; profiles.clerie.hetzner-cloud.enable = true; + profiles.clerie.router.enable = true; boot.loader.grub.enable = true; boot.loader.grub.device = "/dev/sda"; diff --git a/hosts/hydra-1/configuration.nix b/hosts/hydra-1/configuration.nix index 33958ac..4a3e8c2 100644 --- a/hosts/hydra-1/configuration.nix +++ b/hosts/hydra-1/configuration.nix @@ -4,7 +4,6 @@ imports = [ ./hardware-configuration.nix - ../../configuration/hydra-build-machine ./build-machines.nix ./hydra.nix @@ -12,6 +11,7 @@ ]; profiles.clerie.mercury-vm.enable = true; + profiles.clerie.hydra-build-machine.enable = true; boot.loader.grub.enable = true; boot.loader.grub.device = "/dev/vda"; diff --git a/hosts/hydra-2/configuration.nix b/hosts/hydra-2/configuration.nix index 753f77a..e09c071 100644 --- a/hosts/hydra-2/configuration.nix +++ b/hosts/hydra-2/configuration.nix @@ -4,10 +4,10 @@ imports = [ ./hardware-configuration.nix - ../../configuration/hydra-build-machine ]; profiles.clerie.cybercluster-vm.enable = true; + profiles.clerie.hydra-build-machine.enable = true; boot.loader.grub.enable = true; boot.loader.grub.device = "/dev/vda"; diff --git a/hosts/monitoring-3/prometheus.nix b/hosts/monitoring-3/prometheus.nix index dd7533b..cd130e9 100644 --- a/hosts/monitoring-3/prometheus.nix +++ b/hosts/monitoring-3/prometheus.nix @@ -200,7 +200,7 @@ in { relabelAddressToInstance { target_label = "__address__"; - replacement = "[::1]:9153"; + replacement = "monitoring-3.mon.clerie.de:9153"; } ]; } 
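Review bot: The change on the `replacement = "monitoring-3.mon.clerie.de:9153";` line moves the scrape target from loopback to a DNS name, which adds a dependency on name resolution and, depending on what the name resolves to, on the firewall: port 9153 is not among the ports that modules/monitoring now opens on wg-monitoring (9100, 9152, 9324, 9115), so if the name resolves to a non-local address the scrape is blocked, while if it resolves to one of monitoring-3's own addresses the traffic still travels over `lo` and no opening is needed. Which exporter listens on 9153 is not visible here; a trailing comment such as `# resolves to this host; scraped via lo` (or the actual reason for leaving loopback) would make the intent checkable. The enclosing scrape config starts and ends outside the hunk.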
diff --git a/hosts/nonat/configuration.nix b/hosts/nonat/configuration.nix index 47d7495..dfee059 100644 --- a/hosts/nonat/configuration.nix +++ b/hosts/nonat/configuration.nix @@ -4,10 +4,10 @@ imports = [ ./hardware-configuration.nix - ../../configuration/router ]; profiles.clerie.mercury-vm.enable = true; + profiles.clerie.router.enable = true; boot.loader.grub.enable = true; boot.loader.grub.device = "/dev/vda"; diff --git a/hosts/porter/configuration.nix b/hosts/porter/configuration.nix index d4a24a3..2e236c2 100644 --- a/hosts/porter/configuration.nix +++ b/hosts/porter/configuration.nix @@ -4,10 +4,10 @@ imports = [ ./hardware-configuration.nix - ../../configuration/router ]; profiles.clerie.netcup.enable = true; + profiles.clerie.router.enable = true; boot.loader.grub.enable = true; boot.loader.grub.device = "/dev/sda"; diff --git a/modules/monitoring/default.nix b/modules/monitoring/default.nix index e543a5a..c24107f 100644 --- a/modules/monitoring/default.nix +++ b/modules/monitoring/default.nix @@ -61,9 +61,6 @@ in services.prometheus.exporters.node = { enable = true; - #listenAddress = "${monitoring-network-base}${cfg.id}"; - openFirewall = true; - firewallFilter = "-i wg-monitoring -p tcp -m tcp --dport 9100"; enabledCollectors = [ "systemd" ]; @@ -80,14 +77,10 @@ in services.prometheus.exporters.bird = mkIf cfg.bird { enable = true; - openFirewall = true; - firewallFilter = "-i wg-monitoring -p tcp -m tcp --dport 9324"; }; services.prometheus.exporters.blackbox = mkIf cfg.blackbox { enable = true; - openFirewall = true; - firewallFilter = "-i wg-monitoring -p tcp -m tcp --dport 9115"; configFile = pkgs.writeText "blackbox.yml" '' modules: icmp6: 
@@ -109,8 +102,13 @@ in listen = "[::]:9152"; }; - networking.firewall.extraCommands = '' - ip46tables -A nixos-fw -i wg-monitoring -p tcp -m tcp --dport 9152 -m comment --comment nixos-exporter -j nixos-fw-accept - ''; + networking.firewall.interfaces."wg-monitoring".allowedTCPPorts = [ + 9100 # node-exporter + 9152 # nixos-exporter + ] ++ (if cfg.bird then [ + 9324 # bird-exporter + ] else []) ++ (if cfg.blackbox then [ + 9115 # blackbox-exporter + ] else []); }; } diff --git a/profiles/default.nix b/profiles/default.nix index 52a6699..9052485 100644 --- a/profiles/default.nix +++ b/profiles/default.nix @@ -11,9 +11,11 @@ ./fem-net ./firefox ./hetzner-cloud + ./hydra-build-machine ./mercury-vm ./netcup ./network-fallback-dhcp + ./router ./ruby-vm ./serial-console ./wg-clerie diff --git a/profiles/hydra-build-machine/default.nix b/profiles/hydra-build-machine/default.nix new file mode 100644 index 0000000..c812f8b --- /dev/null +++ b/profiles/hydra-build-machine/default.nix @@ -0,0 +1,26 @@ +{ config, lib, pkgs, ... }: + +with lib; + +{ + + options.profiles.clerie.hydra-build-machine = { + enable = mkEnableOption "Set defaults for hydra build machines"; + }; + + config = mkIf config.profiles.clerie.hydra-build-machine.enable { + + # Allow Hydra to fetch remote URLs in restricted mode + nix.settings.allowed-uris = "http: https: git+https: github:"; + + services.openssh.settings= { + PermitRootLogin = "yes"; + }; + + users.extraUsers.root.openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMv8Lbca/CR4das3HJ2F/sQ9dA7kdGS1hSVTt5lX4diP root@hydra-1" + ]; + + }; + +} diff --git a/profiles/router/default.nix b/profiles/router/default.nix new file mode 100644 index 0000000..11a7a51 --- /dev/null +++ b/profiles/router/default.nix 
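Review bot: The conditional list building on the `] ++ (if cfg.bird then [` and `] else []) ++ (if cfg.blackbox then [` lines is the long-hand form of `lib.optionals`; since the module already calls `mkIf` unqualified, `optionals` should be in scope too, giving `networking.firewall.interfaces."wg-monitoring".allowedTCPPorts = [ 9100 9152 ] ++ optionals cfg.bird [ 9324 ] ++ optionals cfg.blackbox [ 9115 ];`. The ports reproduce the ones the removed per-exporter `firewallFilter` strings named in the two earlier hunks of this file (9100, 9324, 9115) plus 9152, so the restriction to the wg-monitoring interface is preserved. Given the `listen = "[::]:9152";` context line just above, a comment such as `# nixos-exporter binds on all interfaces; expose exporters only on the monitoring tunnel` above the assignment would record why the list is interface-scoped rather than global. The enclosing `config` attribute set starts above the hunk.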
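Review bot: `PermitRootLogin = "yes";` in the new profile permits root to authenticate with a password as well as with the key listed below it; since the profile exists to grant key-based root access, `PermitRootLogin = "prohibit-password";` grants exactly that and nothing more (whether password authentication is enabled elsewhere is not visible here, so this is the safe setting either way). The same line was in the deleted configuration/hydra-build-machine file, so it is carried over rather than new, but moving it into a reusable profile is the moment to tighten it. Minor: `services.openssh.settings= {` is missing the space before `=`. A one-line comment above the key naming which host it belongs to and why root, rather than a dedicated user, needs it would help the next reader.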
@@ -0,0 +1,26 @@ +{ config, lib, pkgs, ... }: + +with lib; + +{ + + options.profiles.clerie.router = { + enable = mkEnableOption "Basic router setup"; + }; + + config = mkIf config.profiles.clerie.router.enable { + + environment.systemPackages = with pkgs; [ + wireguard-tools + tcpdump + ]; + + boot.kernel.sysctl = { + "net.ipv4.ip_forward" = true; + "net.ipv6.conf.all.forwarding" = true; + }; + + networking.firewall.checkReversePath = false; + + }; +} diff --git a/profiles/wg-clerie/default.nix b/profiles/wg-clerie/default.nix index 2d99082..1e2d2f4 100644 --- a/profiles/wg-clerie/default.nix +++ b/profiles/wg-clerie/default.nix @@ -180,45 +180,16 @@ in }; systemd.services."wg-clerie-endpoint-refresh" = { + wantedBy = [ "multi-user.target" ]; serviceConfig = { - Type = "oneshot"; + Type = "simple"; + Restart = "always"; + RestartSec = 5; }; path = [ pkgs.wireguard-tools pkgs.iproute2 ]; - script = '' - set -euo pipefail - - # Don't do anything as long as interface is not configured - if ! wg show wg-clerie endpoints > /dev/null; then - exit 0 - fi - - endpoint="" - - if ip route get 2a01:4f8:c0c:15f1::1 ipproto udp dport 51820 &>/dev/null; then - endpoint="[2a01:4f8:c0c:15f1::1]:51820" - else - endpoint="78.47.183.82:51820" - fi - - wg set wg-clerie peer "2p1Jqs3bkXbXHFWE6vp1yxHIFoUaZQEARS2nJzbkuBA=" endpoint "''${endpoint}" - ''; - - requires = [ "network-online.target" ]; - after = [ "network-online.target" ]; - }; - - systemd.timers."wg-clerie-endpoint-refresh" = { - wantedBy = [ "timers.target" ]; - - timerConfig = { - OnCalendar = "*-*-* *:*:0/5"; - RandomizedDelaySec = "5s"; - }; - - requires = [ "network-online.target" ]; - after = [ "network-online.target" ]; + script = builtins.readFile ./wg-clerie-endpoint-refresh.sh; }; environment.systemPackages = [ pkgs.wireguard-tools ]; diff --git a/profiles/wg-clerie/wg-clerie-endpoint-refresh.sh b/profiles/wg-clerie/wg-clerie-endpoint-refresh.sh new file mode 100755 index 0000000..b0c8833 --- /dev/null 
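Review bot: The new profile carries over the packages, the forwarding sysctls and `networking.firewall.checkReversePath = false;` from the deleted configuration/router, but not its `allowedTCPPorts = [ 179 ]` or the `ip46tables` OSPF and GRE accept rules, so carbon, gatekeeper, nonat and porter (hunks in hosts/) switch from the import to `profiles.clerie.router.enable = true` and lose those openings unless they are defined elsewhere, which is not visible here. If the drop is intentional, a comment in the profile such as `# Firewall openings for routing protocols are configured per host, not by this profile` would stop the next reader from re-adding them; if not, the rules belong in `config` here. Separately, `checkReversePath = false` disables the reverse-path filter for every interface; if the reason is only asymmetric paths on tunnel interfaces, `"loose"` keeps a weaker check while still allowing them, though whether that suffices depends on the hosts' routing, which the page does not show.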
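Review bot: The rewritten unit on the `wantedBy = [ "multi-user.target" ];` and `Type = "simple";` lines turns a timer-driven oneshot into a polling daemon and drops the `after`/`requires` on `network-online.target` that both the old service and the old timer had; the loop in the script tolerates a missing interface, so this is probably fine, but a comment such as `# Long-running poller (see wg-clerie-endpoint-refresh.sh); no network ordering needed, the loop waits for the interface itself` would record the reasoning. The script is pulled in with `builtins.readFile`, so NixOS wraps it in its own shell and the file's `#!/usr/bin/env bash` line and executable mode (100755) are inert inside the unit; harmless, but worth a note so nobody assumes the shebang is what runs. The enclosing `config` block starts and ends outside the hunk.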
+++ b/profiles/wg-clerie/wg-clerie-endpoint-refresh.sh
@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+prev_endpoint=""
+
+while true; do
+ if ! wg show wg-clerie endpoints &>/dev/null; then
+ if [[ "${prev_endpoint}" != "" ]]; then
+ echo "Interface wg-clerie unavailable, doing nothing"
+ prev_endpoint=""
+ fi
+
+ sleep 5
+ continue
+ fi
+
+ if ip route get 2a01:4f8:c0c:15f1::1 ipproto udp dport 51820 &>/dev/null; then
+ new_endpoint="[2a01:4f8:c0c:15f1::1]:51820"
+ else
+ new_endpoint="78.47.183.82:51820"
+ fi
+
+ if [[ "${new_endpoint}" != "${prev_endpoint}" ]]; then
+ echo "Switching endpoint for wg-clerie to ${new_endpoint}"
+ wg set wg-clerie peer "2p1Jqs3bkXbXHFWE6vp1yxHIFoUaZQEARS2nJzbkuBA=" endpoint "${new_endpoint}"
+ prev_endpoint="${new_endpoint}"
+ fi
+
+ sleep 5
+done
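Review bot: The comparison on the `if [[ "${new_endpoint}" != "${prev_endpoint}" ]]; then` line trusts the script's own memory rather than the interface, so an endpoint reset by something else while the interface stays up between two polls is not repaired until the route flips or the service restarts. Reading the live value from the `wg show wg-clerie endpoints` call that already runs each iteration would make the loop self-correcting, e.g. `current_endpoint="$(wg show wg-clerie endpoints | awk -v peer="2p1Jqs3bkXbXHFWE6vp1yxHIFoUaZQEARS2nJzbkuBA=" '$1 == peer { print $2 }')"` and then comparing `new_endpoint` against `current_endpoint`, assuming wg prints the endpoint in the same `[addr]:port` / `addr:port` form used here. The three `sleep 5` literals and the unit's `RestartSec = 5` encode the same poll interval; an `interval=5` variable near the top with a comment such as `# Poll interval in seconds; also the delay before re-checking an absent interface` would keep them in step. A short header comment stating the policy, `# Prefer the IPv6 endpoint whenever an IPv6 route to it exists, otherwise fall back to IPv4; re-apply after the interface reappears`, would help the next reader.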