
Update from updated-inputs-2025-05-09-01-03

This commit is contained in:
Flake Update Bot
2025-05-09 03:04:05 +02:00
17 changed files with 112 additions and 123 deletions


@@ -1,22 +0,0 @@
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [
wireguard-tools
];
boot.kernel.sysctl = {
"net.ipv4.ip_forward" = true;
"net.ipv6.conf.all.forwarding" = true;
};
networking.firewall.checkReversePath = false;
# Open Firewall for BGP
networking.firewall.allowedTCPPorts = [ 179 ];
# Open Fireall for OSPF
networking.firewall.extraCommands = ''
ip6tables -A INPUT -p ospfigp -j ACCEPT
iptables -A INPUT -p ospfigp -j ACCEPT
'';
}


@@ -1,16 +0,0 @@
{ ... }:
{
# Allow Hydra to fetch remote URLs in restricted mode
nix.settings.allowed-uris = "http: https: git+https: github:";
services.openssh.settings= {
PermitRootLogin = "yes";
};
users.extraUsers.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMv8Lbca/CR4das3HJ2F/sQ9dA7kdGS1hSVTt5lX4diP root@hydra-1"
];
}


@@ -1,27 +0,0 @@
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [
wireguard-tools
tcpdump
];
boot.kernel.sysctl = {
"net.ipv4.ip_forward" = true;
"net.ipv6.conf.all.forwarding" = true;
};
networking.firewall.checkReversePath = false;
networking.firewall.allowedTCPPorts = [
# Open Firewall for BGP
179
];
networking.firewall.extraCommands = ''
# Open fireall for OSPF
ip46tables -A nixos-fw -p ospfigp -j nixos-fw-accept
# Open firewall for GRE
ip46tables -A nixos-fw -p gre -j nixos-fw-accept
'';
}

flake.lock generated

@@ -440,11 +440,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1683625533, "lastModified": 1746733297,
"narHash": "sha256-GvKE97JdQuEZ697TLSMRTNABbVJfGVnJ0vfzK4AIFyI=", "narHash": "sha256-CPo/F6oJq3tswg2YT6DsWDFPYXOjw00/3m45JN84PVY=",
"ref": "refs/heads/main", "ref": "refs/heads/main",
"rev": "5e86139ee4af27f84228708fd32903bb0c4230f0", "rev": "f1a832f445c9994d9729a6fa1862b8d4a123bd31",
"revCount": 19, "revCount": 22,
"type": "git", "type": "git",
"url": "https://git.clerie.de/clerie/nixos-exporter.git" "url": "https://git.clerie.de/clerie/nixos-exporter.git"
}, },
@@ -551,11 +551,11 @@
}, },
"nixpkgs_3": { "nixpkgs_3": {
"locked": { "locked": {
"lastModified": 1746461020, "lastModified": 1746663147,
"narHash": "sha256-7+pG1I9jvxNlmln4YgnlW4o+w0TZX24k688mibiFDUE=", "narHash": "sha256-Ua0drDHawlzNqJnclTJGf87dBmaO/tn7iZ+TCkTRpRc=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "3730d8a308f94996a9ba7c7138ede69c1b9ac4ae", "rev": "dda3dcd3fe03e991015e9a74b22d35950f264a54",
"type": "github" "type": "github"
}, },
"original": { "original": {


@@ -4,7 +4,6 @@
imports = imports =
[ [
./hardware-configuration.nix ./hardware-configuration.nix
../../configuration/router
./dns.nix ./dns.nix
./mdns.nix ./mdns.nix
@@ -23,6 +22,7 @@
]; ];
profiles.clerie.common-networking.enable = false; profiles.clerie.common-networking.enable = false;
profiles.clerie.router.enable = true;
boot.kernelParams = [ "console=ttyS0,115200n8" ]; boot.kernelParams = [ "console=ttyS0,115200n8" ];


@@ -4,10 +4,10 @@
imports = imports =
[ [
./hardware-configuration.nix ./hardware-configuration.nix
../../configuration/router
]; ];
profiles.clerie.hetzner-cloud.enable = true; profiles.clerie.hetzner-cloud.enable = true;
profiles.clerie.router.enable = true;
boot.loader.grub.enable = true; boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/sda"; boot.loader.grub.device = "/dev/sda";


@@ -4,7 +4,6 @@
imports = imports =
[ [
./hardware-configuration.nix ./hardware-configuration.nix
../../configuration/hydra-build-machine
./build-machines.nix ./build-machines.nix
./hydra.nix ./hydra.nix
@@ -12,6 +11,7 @@
]; ];
profiles.clerie.mercury-vm.enable = true; profiles.clerie.mercury-vm.enable = true;
profiles.clerie.hydra-build-machine.enable = true;
boot.loader.grub.enable = true; boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/vda"; boot.loader.grub.device = "/dev/vda";


@@ -4,10 +4,10 @@
imports = imports =
[ [
./hardware-configuration.nix ./hardware-configuration.nix
../../configuration/hydra-build-machine
]; ];
profiles.clerie.cybercluster-vm.enable = true; profiles.clerie.cybercluster-vm.enable = true;
profiles.clerie.hydra-build-machine.enable = true;
boot.loader.grub.enable = true; boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/vda"; boot.loader.grub.device = "/dev/vda";


@@ -200,7 +200,7 @@ in {
relabelAddressToInstance relabelAddressToInstance
{ {
target_label = "__address__"; target_label = "__address__";
replacement = "[::1]:9153"; replacement = "monitoring-3.mon.clerie.de:9153";
} }
]; ];
} }
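Review bot: The scrape target on line 166 moves from loopback to `monitoring-3.mon.clerie.de:9153`, so the scrape now depends on name resolution and on that port being reachable from the Prometheus host over the network rather than on a local socket; 9153 is not among the ports this commit opens on the wg-monitoring interface in the exporters profile, so presumably it is opened or bound elsewhere — worth confirming. A short comment naming which exporter answers on 9153 and why it is no longer scraped locally would make the relabel self-explanatory, e.g. `# <EXPORTER-NAME> runs on monitoring-3; scrape it by name so the rule also works when Prometheus is not co-located`. The enclosing expression starts outside the hunk.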


@@ -4,10 +4,10 @@
imports = imports =
[ [
./hardware-configuration.nix ./hardware-configuration.nix
../../configuration/router
]; ];
profiles.clerie.mercury-vm.enable = true; profiles.clerie.mercury-vm.enable = true;
profiles.clerie.router.enable = true;
boot.loader.grub.enable = true; boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/vda"; boot.loader.grub.device = "/dev/vda";


@@ -4,10 +4,10 @@
imports = imports =
[ [
./hardware-configuration.nix ./hardware-configuration.nix
../../configuration/router
]; ];
profiles.clerie.netcup.enable = true; profiles.clerie.netcup.enable = true;
profiles.clerie.router.enable = true;
boot.loader.grub.enable = true; boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/sda"; boot.loader.grub.device = "/dev/sda";


@@ -61,9 +61,6 @@ in
services.prometheus.exporters.node = { services.prometheus.exporters.node = {
enable = true; enable = true;
#listenAddress = "${monitoring-network-base}${cfg.id}";
openFirewall = true;
firewallFilter = "-i wg-monitoring -p tcp -m tcp --dport 9100";
enabledCollectors = [ enabledCollectors = [
"systemd" "systemd"
]; ];
@@ -80,14 +77,10 @@ in
services.prometheus.exporters.bird = mkIf cfg.bird { services.prometheus.exporters.bird = mkIf cfg.bird {
enable = true; enable = true;
openFirewall = true;
firewallFilter = "-i wg-monitoring -p tcp -m tcp --dport 9324";
}; };
services.prometheus.exporters.blackbox = mkIf cfg.blackbox { services.prometheus.exporters.blackbox = mkIf cfg.blackbox {
enable = true; enable = true;
openFirewall = true;
firewallFilter = "-i wg-monitoring -p tcp -m tcp --dport 9115";
configFile = pkgs.writeText "blackbox.yml" '' configFile = pkgs.writeText "blackbox.yml" ''
modules: modules:
icmp6: icmp6:
@@ -109,8 +102,13 @@ in
listen = "[::]:9152"; listen = "[::]:9152";
}; };
networking.firewall.extraCommands = '' networking.firewall.interfaces."wg-monitoring".allowedTCPPorts = [
ip46tables -A nixos-fw -i wg-monitoring -p tcp -m tcp --dport 9152 -m comment --comment nixos-exporter -j nixos-fw-accept 9100 # node-exporter
''; 9152 # nixos-exporter
] ++ (if cfg.bird then [
9324 # bird-exporter
] else []) ++ (if cfg.blackbox then [
9115 # blackbox-exporter
] else []);
}; };
} }
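Review bot: With the `openFirewall`/`firewallFilter` pairs removed, the interface-scoped list on lines 224-231 is the only thing keeping these exporters off non-monitoring interfaces; the exporters themselves still bind to the NixOS default listen address (all interfaces, as far as I can tell), since the commented-out `listenAddress` on line 202 was dropped rather than enabled. The result is equivalent to the old `-i wg-monitoring` filters, but a one-line comment above the list saying so would save the next reader the comparison, e.g. `# Exporters are reachable only over the wg-monitoring tunnel; nothing is opened on other interfaces`. The conditional concatenation would read more idiomatically as `] ++ lib.optionals cfg.bird [ 9324 /* bird-exporter */ ] ++ lib.optionals cfg.blackbox [ 9115 /* blackbox-exporter */ ];`. The enclosing `config` attrset starts outside the hunk.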


@@ -11,9 +11,11 @@
./fem-net ./fem-net
./firefox ./firefox
./hetzner-cloud ./hetzner-cloud
./hydra-build-machine
./mercury-vm ./mercury-vm
./netcup ./netcup
./network-fallback-dhcp ./network-fallback-dhcp
./router
./ruby-vm ./ruby-vm
./serial-console ./serial-console
./wg-clerie ./wg-clerie


@@ -0,0 +1,26 @@
{ config, lib, pkgs, ... }:
with lib;
{
options.profiles.clerie.hydra-build-machine = {
enable = mkEnableOption "Set defaults for hydra build machines";
};
config = mkIf config.profiles.clerie.hydra-build-machine.enable {
# Allow Hydra to fetch remote URLs in restricted mode
nix.settings.allowed-uris = "http: https: git+https: github:";
services.openssh.settings= {
PermitRootLogin = "yes";
};
users.extraUsers.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMv8Lbca/CR4das3HJ2F/sQ9dA7kdGS1hSVTt5lX4diP root@hydra-1"
];
};
}
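Review bot: `PermitRootLogin = "yes"` on line 263 also admits password logins for root whenever password authentication is enabled for sshd; since access here is granted by the authorized key on line 266, `PermitRootLogin = "prohibit-password";` (the NixOS default) gives the same key-based access without that exposure. The `mkEnableOption` text on line 257 is rendered as "Whether to enable Set defaults for hydra build machines", so a noun phrase such as `mkEnableOption "the hydra build machine defaults"` reads better; the same applies to `mkEnableOption "Basic router setup"` in the router profile later in this commit. `pkgs` in the argument set on line 253 is unused in this module. The hunk header counts 26 added lines while fewer are rendered, so presumably blank lines were dropped by the page.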


@@ -0,0 +1,26 @@
{ config, lib, pkgs, ... }:
with lib;
{
options.profiles.clerie.router = {
enable = mkEnableOption "Basic router setup";
};
config = mkIf config.profiles.clerie.router.enable {
environment.systemPackages = with pkgs; [
wireguard-tools
tcpdump
];
boot.kernel.sysctl = {
"net.ipv4.ip_forward" = true;
"net.ipv6.conf.all.forwarding" = true;
};
networking.firewall.checkReversePath = false;
};
}
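Review bot: `networking.firewall.checkReversePath = false` on line 289 turns off reverse-path filtering on every interface, which removes a spoofed-source-address check for the whole host; a comment giving the reason (presumably asymmetric routing on these routers) would let a later reader judge whether the `"loose"` setting would suffice, e.g. `# Routers see asymmetric paths; strict rp_filter would drop legitimate transit traffic`. As rendered, the profile carries only the packages and sysctls: the BGP port 179, OSPF and GRE firewall openings present in the removed per-host router configuration earlier on this page do not appear here, though the hunk header counts 26 lines and fewer are rendered, so they may be among the unrendered lines — worth confirming they were not lost in the move.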


@@ -180,45 +180,16 @@ in
}; };
systemd.services."wg-clerie-endpoint-refresh" = { systemd.services."wg-clerie-endpoint-refresh" = {
wantedBy = [ "multi-user.target" ];
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "simple";
Restart = "always";
RestartSec = 5;
}; };
path = [ pkgs.wireguard-tools pkgs.iproute2 ]; path = [ pkgs.wireguard-tools pkgs.iproute2 ];
script = '' script = builtins.readFile ./wg-clerie-endpoint-refresh.sh;
set -euo pipefail
# Don't do anything as long as interface is not configured
if ! wg show wg-clerie endpoints > /dev/null; then
exit 0
fi
endpoint=""
if ip route get 2a01:4f8:c0c:15f1::1 ipproto udp dport 51820 &>/dev/null; then
endpoint="[2a01:4f8:c0c:15f1::1]:51820"
else
endpoint="78.47.183.82:51820"
fi
wg set wg-clerie peer "2p1Jqs3bkXbXHFWE6vp1yxHIFoUaZQEARS2nJzbkuBA=" endpoint "''${endpoint}"
'';
requires = [ "network-online.target" ];
after = [ "network-online.target" ];
};
systemd.timers."wg-clerie-endpoint-refresh" = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = "*-*-* *:*:0/5";
RandomizedDelaySec = "5s";
};
requires = [ "network-online.target" ];
after = [ "network-online.target" ];
}; };
environment.systemPackages = [ pkgs.wireguard-tools ]; environment.systemPackages = [ pkgs.wireguard-tools ];
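Review bot: The rewritten unit runs the refresh loop as root with no sandboxing in `serviceConfig` (lines 299-303); `wg set` presumably needs only CAP_NET_ADMIN, so `CapabilityBoundingSet = [ "CAP_NET_ADMIN" ]; ProtectSystem = "strict"; ProtectHome = true;` would confine a process that now stays resident instead of the former oneshot. The `requires`/`after` on network-online.target were dropped; that looks deliberate since the script itself waits for the interface, but a comment on the unit saying so would stop someone from re-adding them, e.g. `# No network-online ordering: the script polls until wg-clerie exists`. The enclosing attrset starts outside the hunk.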


@@ -0,0 +1,31 @@
#!/usr/bin/env bash
set -euo pipefail
prev_endpoint=""
while true; do
if ! wg show wg-clerie endpoints &>/dev/null; then
if [[ "${prev_endpoint}" != "" ]]; then
echo "Interface wg-clerie unavailable, doing nothing"
prev_endpoint=""
fi
sleep 5
continue
fi
if ip route get 2a01:4f8:c0c:15f1::1 ipproto udp dport 51820 &>/dev/null; then
new_endpoint="[2a01:4f8:c0c:15f1::1]:51820"
else
new_endpoint="78.47.183.82:51820"
fi
if [[ "${new_endpoint}" != "${prev_endpoint}" ]]; then
echo "Switching endpoint for wg-clerie to ${new_endpoint}"
wg set wg-clerie peer "2p1Jqs3bkXbXHFWE6vp1yxHIFoUaZQEARS2nJzbkuBA=" endpoint "${new_endpoint}"
prev_endpoint="${new_endpoint}"
fi
sleep 5
done
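Review bot: The peer public key and both endpoint addresses on lines 348-355 are hard-coded in the script, duplicating whatever the wg-clerie interface definition in the Nix module holds; if those change on the Nix side this loop will keep resetting the endpoint to the stale values without any error. Passing them in as environment variables from the unit, or templating the script with `pkgs.substituteAll`, keeps one source of truth. The `ip route get` test on line 348 only checks that a route toward the IPv6 endpoint exists, not that the peer answers there, which deserves a comment such as `# Prefer the v6 endpoint whenever a route to it exists; fall back to v4 otherwise`.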