From cfe26d87c348ca5d85007d1e07b03887296ac2b5 Mon Sep 17 00:00:00 2001 From: clerie Date: Wed, 26 Nov 2025 18:13:01 +0100 Subject: [PATCH 01/11] profiles/desktop: Add gnome-decoder --- profiles/desktop/gnome.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/profiles/desktop/gnome.nix b/profiles/desktop/gnome.nix index bc7b90c..631c004 100644 --- a/profiles/desktop/gnome.nix +++ b/profiles/desktop/gnome.nix @@ -34,6 +34,7 @@ with lib; evolution gnome-terminal gnome-tweaks + gnome-decoder # scan qr codes ]; services.gnome.evolution-data-server.enable = true; From 90636b14b5c7ff5c9e25b2e1e1bf82dc7cb0d663 Mon Sep 17 00:00:00 2001 From: clerie Date: Wed, 3 Dec 2025 18:44:27 +0100 Subject: [PATCH 02/11] profiles/common-ssh: Configure GlobalKnownHosts manually so we avoid import from derivation --- profiles/common-ssh/default.nix | 31 +++++++++++++++++-- .../hetzner-storage-box-client/default.nix | 8 ++--- 2 files changed, 32 insertions(+), 7 deletions(-) diff --git a/profiles/common-ssh/default.nix b/profiles/common-ssh/default.nix index d97eff9..87cc397 100644 --- a/profiles/common-ssh/default.nix +++ b/profiles/common-ssh/default.nix 
@@ -2,13 +2,33 @@ with lib; -{ +let + + cfg = config.profiles.clerie.common-ssh; + + knownHostsFiles = [ + "/etc/ssh/ssh_known_hosts" + ] ++ cfg.knownHostsFiles; + +in { options.profiles.clerie.common-ssh = { enable = mkEnableOption "Common ssh config"; + knownHostsFiles = mkOption { + type = with types; listOf str; + default = []; + description = "List of paths to ssh known hosts files"; + }; }; - config = mkIf config.profiles.clerie.common-ssh.enable { + config = mkIf cfg.enable { + + assertions = [ + { + assertion = config.programs.ssh.knownHostsFiles == []; + message = "profiles.clerie.common-ssh sets a custom set of global known hosts file that is incompatible with the settings from the official NixOS module, use profiles.clerie.common-ssh.knownHostsFiles instead"; + } + ]; services.openssh.enable = true; services.openssh.settings = { @@ -21,11 +41,16 @@ with lib; { type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; } ]; - programs.ssh.knownHostsFiles = [ + profiles.clerie.common-ssh.knownHostsFiles = [ (pkgs.clerie-ssh-known-hosts + "/known_hosts") (pkgs.fem-ssh-known-hosts + "/known_hosts") (pkgs.well-known-ssh-known-hosts + "/known_hosts") ]; + programs.ssh.extraConfig = '' + Host * + GlobalKnownHostsFile ${builtins.concatStringsSep " " knownHostsFiles} + ''; + }; } diff --git a/profiles/hetzner-storage-box-client/default.nix b/profiles/hetzner-storage-box-client/default.nix index 2875d58..e315fc3 100644 --- a/profiles/hetzner-storage-box-client/default.nix +++ b/profiles/hetzner-storage-box-client/default.nix @@ -1,4 +1,4 @@ -{ config, lib, ... }: +{ config, lib, pkgs, ... }: with lib; @@ -10,9 +10,9 @@ with lib; config = mkIf config.profiles.clerie.hetzner-storage-box-client.enable { - programs.ssh.knownHostsFiles = [ - ./hetzner-storage-box-ssh_known_hosts - ]; + profiles.clerie.common-ssh.knownHostsFiles = [ + (pkgs.copyPathToStore ./hetzner-storage-box-ssh_known_hosts) + ]; }; 
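Review bot: The new `knownHostsFiles` option description does not say that the listed files become the system-wide host-key trust anchors — they are joined into `GlobalKnownHostsFile` under `Host *`, which replaces OpenSSH's default pair (including `/etc/ssh/ssh_known_hosts2`). Suggest `description = "Paths to ssh known hosts files trusted system-wide; joined into GlobalKnownHostsFile, so every entry must be a store path or an absolute path that exists at runtime";`. Joining with `concatStringsSep " "` also means a path containing a space would be read as two files; harmless for store paths, but worth a one-line comment above `programs.ssh.extraConfig`. Whether this `Host *` stanza takes precedence over the `GlobalKnownHostsFile` line the NixOS `programs.ssh` module emits itself depends on where `extraConfig` lands in the generated ssh_config (first match wins), which is not visible in this hunk; the `config = mkIf cfg.enable` block continues in the next hunk.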
From b768bf6deb5aa44fd5ead10ce19c7e38b8ba5c25 Mon Sep 17 00:00:00 2001 From: clerie Date: Wed, 3 Dec 2025 19:10:38 +0100 Subject: [PATCH 03/11] hosts/dn42-il-gw1: Add prefixlabs peering --- hosts/dn42-il-gw1/configuration.nix | 54 +++++++++++++++++++++++++++++ hosts/dn42-il-gw1/secrets.json | 8 +++-- 2 files changed, 59 insertions(+), 3 deletions(-) diff --git a/hosts/dn42-il-gw1/configuration.nix b/hosts/dn42-il-gw1/configuration.nix index f7b22bf..5086572 100644 --- a/hosts/dn42-il-gw1/configuration.nix +++ b/hosts/dn42-il-gw1/configuration.nix @@ -62,6 +62,44 @@ ]; privateKeyFile = config.sops.secrets.wg0565.path; }; + # prefixlabs + # https://prefixlabs.net/ + wg1240 = { + ips = [ + "fe80::2574/128" + ]; + postSetup = '' + ip addr replace dev wg1718 fe80::2574/128 peer fe80::1240:11/128 + ''; + listenPort = 51240; + allowedIPsAsRoutes = false; + peers = [ + { + allowedIPs = [ "fe80::/10" "fd00::/8" ]; + endpoint = "de-01.prefixlabs.net:22574"; + publicKey = "ixeEBfac1BXpjNKbxcgL6Beg9HTgtmq6CjHIfMwNSDw="; + } + ]; + privateKeyFile = config.sops.secrets.wg1240.path; + }; + wg1241 = { + ips = [ + "fe80::2574/128" + ]; + postSetup = '' + ip addr replace dev wg1718 fe80::2574/128 peer fe80::1240:1/128 + ''; + listenPort = 51241; + allowedIPsAsRoutes = false; + peers = [ + { + allowedIPs = [ "fe80::/10" "fd00::/8" ]; + endpoint = "uk-01.prefixlabs.net:22574"; + publicKey = "Yu1Y4qdSaf+OWPbAoh7PvuM2eWCVbNg84+EX5Q2Zjl4="; + } + ]; + privateKeyFile = config.sops.secrets.wg1241.path; + }; # fooker wg1271 = { ips = [ @@ -164,6 +202,8 @@ networking.firewall.allowedUDPPorts = [ 50565 # wg0565 + 51240 # wg1240 + 51241 # wg1241 51271 # wg1271 51272 # wg1272 51280 # wg1280 
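Review bot: `postSetup` for both `wg1240` and `wg1241` runs `ip addr replace dev wg1718 ...`, but the interfaces being configured are `wg1240` and `wg1241`, so the link-local address and peer route are applied to a different interface (or the command fails if `wg1718` does not exist) and the new tunnels never get their peer address. Change the two lines to `ip addr replace dev wg1240 fe80::2574/128 peer fe80::1240:11/128` and `ip addr replace dev wg1241 fe80::2574/128 peer fe80::1240:1/128`. Patch 07 further down this series corrects only the `wg1240` line and patch 08 removes `wg1241` entirely. The `networking.wireguard.interfaces` attrset this hunk extends starts outside the hunk.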
@@ -199,6 +239,20 @@ remoteAsn = "4242420565"; localAddress = "fe80::2574"; } + { + peerName = "peer_1240_de_01"; + remoteAddress = "fe80::1240:11"; + interfaceName = "wg1240"; + remoteAsn = "4242421240"; + localAddress = "fe80::2574"; + } + { + peerName = "peer_1240_uk_01"; + remoteAddress = "fe80::1240:1"; + interfaceName = "wg1241"; + remoteAsn = "4242421240"; + localAddress = "fe80::2574"; + } { peerName = "peer_1271_north"; remoteAddress = "fe80::2"; diff --git a/hosts/dn42-il-gw1/secrets.json b/hosts/dn42-il-gw1/secrets.json index 7290601..3126b12 100644 --- a/hosts/dn42-il-gw1/secrets.json +++ b/hosts/dn42-il-gw1/secrets.json @@ -1,6 +1,8 @@ { "wg0197": "ENC[AES256_GCM,data:1QJ5GXLMLIOj6xNC4sMnShjyB1wqfTkhkPTlLJz6AJxMjA0BsBZvZ1Pdln4=,iv:nVRIQB8/Ged616ELhkGnDyAz6A+3HQ55+yG0vf0f7aQ=,tag:GtI8ICMCih1tN4Xoc+8RdQ==,type:str]", "wg0565": "ENC[AES256_GCM,data:kLgKOGDA+kPDB0SZ/yU7Ax7NYn28LiVT2W6zSsc0APfyoZWW6nF0fUQFv4s=,iv:6zjLGAOROifubQUMxRLvoFzN6GRYob841rzNiVyrt84=,tag:Gh15/ROPYiqqobcJcTzmGQ==,type:str]", + "wg1240": "ENC[AES256_GCM,data:ta0FRxhDGeta6TpWghWP2ogqymtiVsnWvuwzOhqhGN6zyK/GYd5b+SgSYAI=,iv:9gxEtK+ZOFj0D/SNWV7GyWHkBXjGgofJPmqcu3CMMKo=,tag:MFE/bhGk6oLeOK4TaEoXgQ==,type:str]", + "wg1241": "ENC[AES256_GCM,data:qjr50/KWJya8YiNQ2pymlUGMIZBdOY1Opt/rmM6Iill/B5jWiPOJuGQdKnc=,iv:WSoRv7wvLTmTX0lV9yhfenwLtTvVmPNK+Hqd6H3iFEU=,tag:SRwAWQa761PL8JqdVgTr3Q==,type:str]", "wg1271": "ENC[AES256_GCM,data:NPcFMxVNpwoPkLsb6NvZVxGxw+Og3RzlYx7TAL9nT95x6I8aDRpOnR5tY5w=,iv:gYuem6vX+jRQvirrt3lZQb5gKnN/z32W/MgmGuzQ/Ks=,tag:I9qZJSNKFEM3Vx4Yugxy1w==,type:str]", "wg1272": "ENC[AES256_GCM,data:LU6jtNkNn2Xs+0OH8cD1HJnbHsNNnqlY83lDFa11/dHwVgdFxMtDXMqIMEc=,iv:/A8rWGR6jExa4ms7jTYC0eZVGCvlKw1I58Co41gw3TU=,tag:tIBRkQzFFpEEzflnDrpcOA==,type:str]", "wg1280": "ENC[AES256_GCM,data:F4KLY6jiZNl52ko32nM0iTER0DyHvaCSmxeYAKB0MLUD8l9u1Ugk6kYZnUc=,iv:XcaxnvxM1kE/ahNFX+BH7Jmr9q2Py1vHHqOjFUqs5O8=,tag:a1up4gGFqyHz2lmDRJl3bA==,type:str]", 
@@ -15,8 +17,8 @@ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3QWdFYjFjTmRVRlV3U3p4\nTSsyc1E0dWtiYjNtVkV2SXJEWkxnTDhLN1Y0Cng4aGlidjhydUVGaFcvK215aGdq\nN0FGajYwa1lPUCsva0tmNkErUGtlOWsKLS0tIG9pLzJEUDA2WWUzd1kzSVZrdVRX\nbUxjQzBCd3p0R1dWTTJaRmZNQjJEUVkKPz6OUQHpYrhRxMdQzpZRR3exVqkG2JvX\nI32PwvbeQK8cgpYwKLGar8U8aiPPm0Y64pID1wedDsNZzLqLOrS3wQ==\n-----END AGE ENCRYPTED FILE-----\n" } ], - "lastmodified": "2025-06-10T20:51:10Z", - "mac": "ENC[AES256_GCM,data:9lF4HV0oJyGHXdtYdMxR7+ev7JLAQVr6kE55nLoZcrbC92MHJzQpgM9XAhIynvwdAmC7ARd3orCn6eYkQJDdNX0JjMtebsBE+H4B7mEUCz8wtTN0iHS+oHmQxrqjnoSw2uHh9udgqAJa+sd6VGU3t2XUuuKtVHPwzROqVgvas9M=,iv:KT+BlFeXGZQc5pbBX+XOsmKEydUtir1LuPvseDkFeqw=,tag:hlRskY6b5EAZkUYs7ph/JA==,type:str]", + "lastmodified": "2025-12-03T17:59:59Z", + "mac": "ENC[AES256_GCM,data:v6Wpp641MvetzKj36sw422T5yZp3XssRXHMVMI0RA28dyZSeNSQ+YI0UBItUH1FXyieZSvHtpFf7LiY+xSCRuwZB8H9ofofwOxhJU3F5Abzb/aAL4rRnsbawYp1SZVWVhtt2FXBgvtWAJKn5iPHjpUU6ccdaW/OuHnudHfeQxZg=,iv:s8Z6r7tF9u3l1ygnX6rdU3xiU9TPG6qY2vTuR5fGCQQ=,tag:Jf93btCoTWIBTCMpHU864A==,type:str]", "pgp": [ { "created_at": "2024-04-28T09:25:37Z", @@ -25,6 +27,6 @@ } ], "unencrypted_suffix": "_unencrypted", - "version": "3.10.2" + "version": "3.11.0" } } From 74031597304bca9768534882b9c442d42567b845 Mon Sep 17 00:00:00 2001 From: clerie Date: Wed, 3 Dec 2025 20:23:44 +0100 Subject: [PATCH 04/11] profiles/dn42-router: Automatically generate peering documentation --- profiles/dn42-router/default.nix | 7 ++ profiles/dn42-router/documentation.nix | 88 ++++++++++++++++++++++++++ 2 files changed, 95 insertions(+) create mode 100644 profiles/dn42-router/documentation.nix diff --git a/profiles/dn42-router/default.nix b/profiles/dn42-router/default.nix index 463e552..dc353ea 100644 --- a/profiles/dn42-router/default.nix +++ b/profiles/dn42-router/default.nix 
@@ -11,6 +11,9 @@ let bgp6Table = 2342; in { + imports = [ + ./documentation.nix + ]; options.profiles.clerie.dn42-router = { enable = mkEnableOption "DN42 router base config"; @@ -93,6 +96,10 @@ in { type = types.str; default = ""; }; + htmlDocumentation = mkOption { + type = types.str; + description = "This option is set by the module itself and contains the documentation for this router setup"; + }; }; config = mkIf config.profiles.clerie.dn42-router.enable { diff --git a/profiles/dn42-router/documentation.nix b/profiles/dn42-router/documentation.nix new file mode 100644 index 0000000..b8fea65 --- /dev/null +++ b/profiles/dn42-router/documentation.nix @@ -0,0 +1,88 @@ +{ config, lib, ... }: + +with lib; + +let + + cfg = config.profiles.clerie.dn42-router; + +in { + + profiles.clerie.dn42-router.htmlDocumentation = '' + + + + + +
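Review bot: The `htmlDocumentation` option is described as "set by the module itself", but nothing enforces that; a host module could silently replace the generated page with its own string. Adding `readOnly = true;` next to the description would, if I read the module system right, turn any second definition into an evaluation error while still allowing the single definition made in `documentation.nix`. The `options.profiles.clerie.dn42-router` attrset continues outside the hunk.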

${config.networking.fqdn}

+ +

This is a router in the experimental decentralized network dn42.

+ +

If you like to peer, please drop me an email to dn42@clerie.de.

+ +

Happy peering!

+ +

Router Information

+ +
    +
  • ASN: AS4242422574
  • +
  • Loopback IP: ${cfg.loopbackIp}
  • +
  • Router ID: ${cfg.routerId}
  • +
+ +

Wireguard Peers

+ + + ${concatMapStringsSep "\n" (peer: '' + + + + + + + '') cfg.wireguardPeers} +
${peer.peerName}AS${peer.remoteAsn} +
+ Peering config +
    +
  • Local Endpoint: ${config.networking.fqdn}:???
  • +
  • Local Address: ${peer.localAddress}
  • +
  • Local ASN: AS4242422574
  • +
+
    +
  • Remote Endpoint: ???
  • +
  • Remote Address: ${peer.remoteAddress}
  • +
  • Remote ASN: AS${peer.remoteAsn}
  • +
+
+
[Map]
+ +

BGP Peers

+ + + ${concatMapStringsSep "\n" (peer: '' + + + + + + + '') cfg.bgpPeers} +
${peer.peerName}AS${peer.remoteAsn} +
+ Peering config +
    +
  • Local Address: ${peer.localAddress}
  • +
  • Local ASN: AS4242422574
  • +
+
    +
  • Remote Address: ${peer.remoteAddress}
  • +
  • Remote ASN: AS${peer.remoteAsn}
  • +
+
+
[Map]
+ + + ''; + +} From 4fb86e3e1e4e302ab72d1377c80890c4c716845b Mon Sep 17 00:00:00 2001 From: clerie Date: Wed, 3 Dec 2025 20:34:51 +0100 Subject: [PATCH 05/11] hosts/dn42-il-gw1: Display dn42 peering page --- hosts/dn42-il-gw1/configuration.nix | 2 ++ hosts/dn42-il-gw1/documentation.nix | 21 +++++++++++++++++++++ 2 files changed, 23 insertions(+) create mode 100644 hosts/dn42-il-gw1/documentation.nix diff --git a/hosts/dn42-il-gw1/configuration.nix b/hosts/dn42-il-gw1/configuration.nix index 5086572..12a0b38 100644 --- a/hosts/dn42-il-gw1/configuration.nix +++ b/hosts/dn42-il-gw1/configuration.nix @@ -4,6 +4,8 @@ imports = [ ./hardware-configuration.nix + + ./documentation.nix ]; profiles.clerie.mercury-vm.enable = true; diff --git a/hosts/dn42-il-gw1/documentation.nix b/hosts/dn42-il-gw1/documentation.nix new file mode 100644 index 0000000..03283d8 --- /dev/null +++ b/hosts/dn42-il-gw1/documentation.nix @@ -0,0 +1,21 @@ +{ config, lib, pkgs, ... }: + +{ + + services.nginx.enable = true; + + networking.firewall.allowedTCPPorts = [ 80 443 ]; + + services.nginx.virtualHosts = { + "${config.networking.fqdn}" = { + enableACME = true; + forceSSL = true; + root = pkgs.writeTextFile { + name = "dn42-router-documentation"; + text = config.profiles.clerie.dn42-router.htmlDocumentation; + destination = "/index.html"; + }; + }; + }; + +} From 7cf15e05bd059546cc97b3f2367f330db1c3a798 Mon Sep 17 00:00:00 2001 From: clerie Date: Wed, 3 Dec 2025 21:13:19 +0100 Subject: [PATCH 06/11] profiles/common-webserver: Terminate http sessions for unknown vhosts immediately --- profiles/common-webserver/default.nix | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/profiles/common-webserver/default.nix b/profiles/common-webserver/default.nix index 7033c1e..c38d51f 100644 --- a/profiles/common-webserver/default.nix +++ b/profiles/common-webserver/default.nix 
@@ -53,10 +53,8 @@ in { default = true; rejectSSL = true; locations."/" = { - return = ''200 "Some piece of infrastructure\n"''; - extraConfig = '' - types { } default_type "text/plain; charset=utf-8"; - ''; + # Terminate connection without response + return = ''444''; }; }; }; From 241ea69e1109bc408c7a5c7aa311603baf9a4c0d Mon Sep 17 00:00:00 2001 From: clerie Date: Wed, 3 Dec 2025 21:27:36 +0100 Subject: [PATCH 07/11] hosts/dn42-il-gw1: Fix ip address assignment for wg1240 --- hosts/dn42-il-gw1/configuration.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/dn42-il-gw1/configuration.nix b/hosts/dn42-il-gw1/configuration.nix index 12a0b38..f8e81c8 100644 --- a/hosts/dn42-il-gw1/configuration.nix +++ b/hosts/dn42-il-gw1/configuration.nix @@ -71,7 +71,7 @@ "fe80::2574/128" ]; postSetup = '' - ip addr replace dev wg1718 fe80::2574/128 peer fe80::1240:11/128 + ip addr replace dev wg1240 fe80::2574/128 peer fe80::1240:11/128 ''; listenPort = 51240; allowedIPsAsRoutes = false; From 0d5d98a5ba9c08b8ae3dfc9947d150c00caf6da1 Mon Sep 17 00:00:00 2001 From: clerie Date: Wed, 3 Dec 2025 21:27:58 +0100 Subject: [PATCH 08/11] hosts/dn42-il-gw1: Remote second peering of prefixlabs --- hosts/dn42-il-gw1/configuration.nix | 25 ------------------------- 1 file changed, 25 deletions(-) diff --git a/hosts/dn42-il-gw1/configuration.nix b/hosts/dn42-il-gw1/configuration.nix index f8e81c8..32d7481 100644 --- a/hosts/dn42-il-gw1/configuration.nix +++ b/hosts/dn42-il-gw1/configuration.nix 
@@ -84,24 +84,6 @@ ]; privateKeyFile = config.sops.secrets.wg1240.path; }; - wg1241 = { - ips = [ - "fe80::2574/128" - ]; - postSetup = '' - ip addr replace dev wg1718 fe80::2574/128 peer fe80::1240:1/128 - ''; - listenPort = 51241; - allowedIPsAsRoutes = false; - peers = [ - { - allowedIPs = [ "fe80::/10" "fd00::/8" ]; - endpoint = "uk-01.prefixlabs.net:22574"; - publicKey = "Yu1Y4qdSaf+OWPbAoh7PvuM2eWCVbNg84+EX5Q2Zjl4="; - } - ]; - privateKeyFile = config.sops.secrets.wg1241.path; - }; # fooker wg1271 = { ips = [ @@ -248,13 +230,6 @@ remoteAsn = "4242421240"; localAddress = "fe80::2574"; } - { - peerName = "peer_1240_uk_01"; - remoteAddress = "fe80::1240:1"; - interfaceName = "wg1241"; - remoteAsn = "4242421240"; - localAddress = "fe80::2574"; - } { peerName = "peer_1271_north"; remoteAddress = "fe80::2"; From 8b947f26adf89dce52782507ed264ab8ae5320b4 Mon Sep 17 00:00:00 2001 From: clerie Date: Wed, 3 Dec 2025 21:39:23 +0100 Subject: [PATCH 09/11] hosts/dn42-il-gw1: Remove obsolte wireguard private key --- hosts/dn42-il-gw1/secrets.json | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/hosts/dn42-il-gw1/secrets.json b/hosts/dn42-il-gw1/secrets.json index 3126b12..b7d0fa2 100644 --- a/hosts/dn42-il-gw1/secrets.json +++ b/hosts/dn42-il-gw1/secrets.json 
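Review bot: Removing `wg1241` and `peer_1240_uk_01` leaves `51241 # wg1241` in `networking.firewall.allowedUDPPorts` (added by patch 03 in this series) with nothing listening on it; the diffstat's 25 deletions cover only the interface and the BGP peer. Drop that line as well so the firewall does not keep a port open for a tunnel that no longer exists. The `networking.wireguard.interfaces` attrset and the `bgpPeers` list both continue outside the hunk.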
@@ -2,7 +2,6 @@ "wg0197": "ENC[AES256_GCM,data:1QJ5GXLMLIOj6xNC4sMnShjyB1wqfTkhkPTlLJz6AJxMjA0BsBZvZ1Pdln4=,iv:nVRIQB8/Ged616ELhkGnDyAz6A+3HQ55+yG0vf0f7aQ=,tag:GtI8ICMCih1tN4Xoc+8RdQ==,type:str]", "wg0565": "ENC[AES256_GCM,data:kLgKOGDA+kPDB0SZ/yU7Ax7NYn28LiVT2W6zSsc0APfyoZWW6nF0fUQFv4s=,iv:6zjLGAOROifubQUMxRLvoFzN6GRYob841rzNiVyrt84=,tag:Gh15/ROPYiqqobcJcTzmGQ==,type:str]", "wg1240": "ENC[AES256_GCM,data:ta0FRxhDGeta6TpWghWP2ogqymtiVsnWvuwzOhqhGN6zyK/GYd5b+SgSYAI=,iv:9gxEtK+ZOFj0D/SNWV7GyWHkBXjGgofJPmqcu3CMMKo=,tag:MFE/bhGk6oLeOK4TaEoXgQ==,type:str]", - "wg1241": "ENC[AES256_GCM,data:qjr50/KWJya8YiNQ2pymlUGMIZBdOY1Opt/rmM6Iill/B5jWiPOJuGQdKnc=,iv:WSoRv7wvLTmTX0lV9yhfenwLtTvVmPNK+Hqd6H3iFEU=,tag:SRwAWQa761PL8JqdVgTr3Q==,type:str]", "wg1271": "ENC[AES256_GCM,data:NPcFMxVNpwoPkLsb6NvZVxGxw+Og3RzlYx7TAL9nT95x6I8aDRpOnR5tY5w=,iv:gYuem6vX+jRQvirrt3lZQb5gKnN/z32W/MgmGuzQ/Ks=,tag:I9qZJSNKFEM3Vx4Yugxy1w==,type:str]", "wg1272": "ENC[AES256_GCM,data:LU6jtNkNn2Xs+0OH8cD1HJnbHsNNnqlY83lDFa11/dHwVgdFxMtDXMqIMEc=,iv:/A8rWGR6jExa4ms7jTYC0eZVGCvlKw1I58Co41gw3TU=,tag:tIBRkQzFFpEEzflnDrpcOA==,type:str]", "wg1280": "ENC[AES256_GCM,data:F4KLY6jiZNl52ko32nM0iTER0DyHvaCSmxeYAKB0MLUD8l9u1Ugk6kYZnUc=,iv:XcaxnvxM1kE/ahNFX+BH7Jmr9q2Py1vHHqOjFUqs5O8=,tag:a1up4gGFqyHz2lmDRJl3bA==,type:str]", 
@@ -17,8 +16,8 @@ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3QWdFYjFjTmRVRlV3U3p4\nTSsyc1E0dWtiYjNtVkV2SXJEWkxnTDhLN1Y0Cng4aGlidjhydUVGaFcvK215aGdq\nN0FGajYwa1lPUCsva0tmNkErUGtlOWsKLS0tIG9pLzJEUDA2WWUzd1kzSVZrdVRX\nbUxjQzBCd3p0R1dWTTJaRmZNQjJEUVkKPz6OUQHpYrhRxMdQzpZRR3exVqkG2JvX\nI32PwvbeQK8cgpYwKLGar8U8aiPPm0Y64pID1wedDsNZzLqLOrS3wQ==\n-----END AGE ENCRYPTED FILE-----\n" } ], - "lastmodified": "2025-12-03T17:59:59Z", - "mac": "ENC[AES256_GCM,data:v6Wpp641MvetzKj36sw422T5yZp3XssRXHMVMI0RA28dyZSeNSQ+YI0UBItUH1FXyieZSvHtpFf7LiY+xSCRuwZB8H9ofofwOxhJU3F5Abzb/aAL4rRnsbawYp1SZVWVhtt2FXBgvtWAJKn5iPHjpUU6ccdaW/OuHnudHfeQxZg=,iv:s8Z6r7tF9u3l1ygnX6rdU3xiU9TPG6qY2vTuR5fGCQQ=,tag:Jf93btCoTWIBTCMpHU864A==,type:str]", + "lastmodified": "2025-12-03T20:38:54Z", + "mac": "ENC[AES256_GCM,data:2UqSo78YZrdIZBcVyBsArjFobl7BZ3hoZ3FayIMkXQX2HQMBWRDkNSoJRvTPTD9rjdqjVugGE02RzTikSxiw8MYAP7oyZbF4EdP9yk25yOEJQTSu6eTajkqstugAS+ojs28m93UXTzbDI0korb2cmTyxNt0X5YVeQRld3ntEJH8=,iv:lEbuuQEC5KIYgbJg4Qv8U1PaF0KE6LQYiwks3ZwwEQA=,tag:BAr7/EFsq7yeeO8MMXsAGQ==,type:str]", "pgp": [ { "created_at": "2024-04-28T09:25:37Z", From eb20ced361dd443d5400e9a9bc25e6ff8cd86f55 Mon Sep 17 00:00:00 2001 From: clerie Date: Wed, 3 Dec 2025 21:51:12 +0100 Subject: [PATCH 10/11] hosts/dn42-il-gw1: Add peering with pilz --- hosts/dn42-il-gw1/configuration.nix | 29 +++++++++++++++++++++++++++++ hosts/dn42-il-gw1/secrets.json | 5 +++-- 2 files changed, 32 insertions(+), 2 deletions(-) diff --git a/hosts/dn42-il-gw1/configuration.nix b/hosts/dn42-il-gw1/configuration.nix index 32d7481..4332f4c 100644 --- a/hosts/dn42-il-gw1/configuration.nix +++ b/hosts/dn42-il-gw1/configuration.nix @@ -43,6 +43,9 @@ networking.wireguard.enable = true; networking.wireguard.interfaces = { + # dn42-router-general-wireguard-key public key: + # r38qvXqu26x4f6yUGxg44Ji4db/g2HK7RZwG7Boh+38= + # e1mo wg0565 = { ips = [ 
@@ -64,6 +67,25 @@ ]; privateKeyFile = config.sops.secrets.wg0565.path; }; + # pilz + wg0663 = { + ips = [ + "fe80::1111/128" + ]; + postSetup = '' + ip addr replace dev wg0663 fe80::1111/128 peer fe80::acab/128 + ''; + listenPort = 50663; + allowedIPsAsRoutes = false; + peers = [ + { + allowedIPs = [ "fe80::/10" "fd00::/8" ]; + endpoint = "dn42.ams1.as214958.net:163"; + publicKey = "NxHkdwZPVL+3HdrHTFOslUpUckTf0dzEG9qpZ0FTBnA="; + } + ]; + privateKeyFile = config.sops.secrets.dn42-router-general-wireguard-key.path; + }; # prefixlabs # https://prefixlabs.net/ wg1240 = { @@ -223,6 +245,13 @@ remoteAsn = "4242420565"; localAddress = "fe80::2574"; } + { + peerName = "peer_0663"; + remoteAddress = "fe80::acab"; + interfaceName = "wg0663"; + remoteAsn = "4242420663"; + localAddress = "fe80::1111"; + } { peerName = "peer_1240_de_01"; remoteAddress = "fe80::1240:11"; diff --git a/hosts/dn42-il-gw1/secrets.json b/hosts/dn42-il-gw1/secrets.json index b7d0fa2..8f79812 100644 --- a/hosts/dn42-il-gw1/secrets.json +++ b/hosts/dn42-il-gw1/secrets.json @@ -1,4 +1,5 @@ { + "dn42-router-general-wireguard-key": "ENC[AES256_GCM,data:z1qOABBiObnWgcJDSnCHCfttJdDXQ3LO+Y/uHblJg49wrxTostamnP6GuvE=,iv:0KTyNqMOLQue8UODWXF2I+sY4pVKVe0aNiVETC9zOzk=,tag:KOzS9HaR6plPA0HlMT8jhQ==,type:str]", "wg0197": "ENC[AES256_GCM,data:1QJ5GXLMLIOj6xNC4sMnShjyB1wqfTkhkPTlLJz6AJxMjA0BsBZvZ1Pdln4=,iv:nVRIQB8/Ged616ELhkGnDyAz6A+3HQ55+yG0vf0f7aQ=,tag:GtI8ICMCih1tN4Xoc+8RdQ==,type:str]", "wg0565": "ENC[AES256_GCM,data:kLgKOGDA+kPDB0SZ/yU7Ax7NYn28LiVT2W6zSsc0APfyoZWW6nF0fUQFv4s=,iv:6zjLGAOROifubQUMxRLvoFzN6GRYob841rzNiVyrt84=,tag:Gh15/ROPYiqqobcJcTzmGQ==,type:str]", "wg1240": "ENC[AES256_GCM,data:ta0FRxhDGeta6TpWghWP2ogqymtiVsnWvuwzOhqhGN6zyK/GYd5b+SgSYAI=,iv:9gxEtK+ZOFj0D/SNWV7GyWHkBXjGgofJPmqcu3CMMKo=,tag:MFE/bhGk6oLeOK4TaEoXgQ==,type:str]", 
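Review bot: `wg0663` sets `listenPort = 50663;`, but unlike the other tunnels (`50565`, `51240` in `networking.firewall.allowedUDPPorts`) this commit does not open that port; the diffstat's 29 insertions are fully accounted for by the comment, the interface and the BGP peer. If the remote side initiates the handshake first it is dropped, so add `50663 # wg0663` to `allowedUDPPorts` to match the convention in this file. The `dn42-router-general-wireguard-key` is shared rather than per-peer like `wg0565`/`wg1240`; that is valid WireGuard usage, but a comment stating it is intentionally shared (and that rotating it affects every peer using it) would help, and the public-key comment would sit more naturally next to the secret's definition than at the top of the interfaces attrset. The `networking.wireguard.interfaces` attrset starts outside the hunk.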
@@ -16,8 +17,8 @@ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3QWdFYjFjTmRVRlV3U3p4\nTSsyc1E0dWtiYjNtVkV2SXJEWkxnTDhLN1Y0Cng4aGlidjhydUVGaFcvK215aGdq\nN0FGajYwa1lPUCsva0tmNkErUGtlOWsKLS0tIG9pLzJEUDA2WWUzd1kzSVZrdVRX\nbUxjQzBCd3p0R1dWTTJaRmZNQjJEUVkKPz6OUQHpYrhRxMdQzpZRR3exVqkG2JvX\nI32PwvbeQK8cgpYwKLGar8U8aiPPm0Y64pID1wedDsNZzLqLOrS3wQ==\n-----END AGE ENCRYPTED FILE-----\n" } ], - "lastmodified": "2025-12-03T20:38:54Z", - "mac": "ENC[AES256_GCM,data:2UqSo78YZrdIZBcVyBsArjFobl7BZ3hoZ3FayIMkXQX2HQMBWRDkNSoJRvTPTD9rjdqjVugGE02RzTikSxiw8MYAP7oyZbF4EdP9yk25yOEJQTSu6eTajkqstugAS+ojs28m93UXTzbDI0korb2cmTyxNt0X5YVeQRld3ntEJH8=,iv:lEbuuQEC5KIYgbJg4Qv8U1PaF0KE6LQYiwks3ZwwEQA=,tag:BAr7/EFsq7yeeO8MMXsAGQ==,type:str]", + "lastmodified": "2025-12-03T20:44:07Z", + "mac": "ENC[AES256_GCM,data:GL2GWM7YcGxfKWh9Vt0wm6YqbXTgqskkVHzsTTWqcQWhzbtqyWfFebli77UsDYoCYSR+yiPhi2opF1oMJl6Jr44PtmpPk+WGPUrcjuVDuf0NueaW8j++nzJzSFEnHeTbIg8qNpb9FwapWM0jlHVkGo6RVwVa9E597U/AKdES9ww=,iv:s3ABxKoCcEUOjtnvDGcrJoEiwXC0imLLO0kEXT+/69s=,tag:Vzk6aKDRwD6T60G0pDF9Jw==,type:str]", "pgp": [ { "created_at": "2024-04-28T09:25:37Z", From 02e016ae550be79d0a01322a65725075c1acf5e0 Mon Sep 17 00:00:00 2001 From: Flake Update Bot Date: Thu, 4 Dec 2025 03:04:01 +0100 Subject: [PATCH 11/11] Update nixpkgs 2025-12-04-02-03 --- flake.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/flake.lock b/flake.lock index 22e9b1c..1320ada 100644 --- a/flake.lock +++ b/flake.lock @@ -650,11 +650,11 @@ }, "nixpkgs_5": { "locked": { - "lastModified": 1763421233, - "narHash": "sha256-Stk9ZYRkGrnnpyJ4eqt9eQtdFWRRIvMxpNRf4sIegnw=", + "lastModified": 1764667669, + "narHash": "sha256-7WUCZfmqLAssbDqwg9cUDAXrSoXN79eEEq17qhTNM/Y=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "89c2b2330e733d6cdb5eae7b899326930c2c0648", + "rev": "418468ac9527e799809c900eda37cbff999199b6", "type": "github" }, "original": {