From eb14f92f1799d2f7e937faa21dfa85bb4e3350ff Mon Sep 17 00:00:00 2001 
From: root Date: Sun, 16 Jun 2024 20:20:02 +0200 Subject: [PATCH 01/74] Initial Commit --- _diskos/simple_singleFullRoot.nix | 67 +++ _home/configuration.nix | 13 + _home/kube.nix | 6 + _system/configuration.nix | 98 ++++ _system/console.nix | 75 +++ _system/firewall.nix | 27 + _system/grub-boot.nix | 36 ++ _system/inputrc.nix | 24 + _system/laptop.nix | 175 ++++++ _system/openvpn.nix | 116 ++++ _system/pkgs.nix | 9 + _system/security.nix | 99 ++++ _system/serial-com.nix | 26 + _system/systemd-boot.nix | 28 + _system/wireguard.nix | 6 + flake.lock | 505 ++++++++++++++++++ flake.nix | 451 ++++++++++++++++ hosts/clients/configuration.nix | 1 + hosts/clients/default.nix | 10 + hosts/clients/laptaupe/configuration.nix | 63 +++ hosts/clients/laptaupe/default.nix | 10 + hosts/clients/laptaupe/disk-config.nix | 98 ++++ .../laptaupe/hardware-configuration.nix | 49 ++ hosts/default.nix | 28 + hosts/homerouters/_peers/KIT-IG1-RR91.nix | 49 ++ hosts/homerouters/_peers/default.nix | 5 + .../aure-home-kitrtr/configuration.nix | 98 ++++ .../homerouters/aure-home-kitrtr/default.nix | 30 ++ .../hardware-configuration.nix | 34 ++ .../aure-home-kitrtr/peers/KIT-IG1-RTR.nix | 30 ++ .../aure-home-kitrtr/peers/default.nix | 20 + hosts/homerouters/bird.nix | 318 +++++++++++ hosts/homerouters/bird_peers.nix | 199 +++++++ hosts/homerouters/configuration.nix | 55 ++ hosts/homerouters/default.nix | 14 + hosts/homerouters/firewall.nix | 136 +++++ .../toinux-home-kitrtr/configuration.nix | 98 ++++ .../toinux-home-kitrtr/default.nix | 27 + .../hardware-configuration.nix | 34 ++ .../toinux-home-kitrtr/peers/default.nix | 32 ++ hosts/homerouters/wireguard.nix | 135 +++++ .../aure-kit-bots-01/configuration.nix | 102 ++++ .../miscservers/aure-kit-bots-01/default.nix | 35 ++ .../hardware-configuration.nix | 34 ++ hosts/miscservers/configuration.nix | 51 ++ hosts/miscservers/default.nix | 11 + hosts/miscservers/firewall.nix | 34 ++ hosts/miscservers/options.nix | 50 ++ 
hosts/routereflectors/configuration.nix | 139 +++++ hosts/routereflectors/default.nix | 14 + hosts/routereflectors/firewall.nix | 35 ++ .../iguane-kit-rr91/configuration.nix | 104 ++++ .../iguane-kit-rr91/default.nix | 39 ++ .../hardware-configuration.nix | 34 ++ hosts/routereflectors/network.nix | 31 ++ hosts/routereflectors/options.nix | 44 ++ hosts/routers/_peers/KIT-IG1-RR91.nix | 49 ++ hosts/routers/_peers/default.nix | 5 + hosts/routers/bird.nix | 332 ++++++++++++ hosts/routers/bird_peers.nix | 195 +++++++ hosts/routers/configuration.nix | 55 ++ hosts/routers/default.nix | 17 + hosts/routers/firewall.nix | 150 ++++++ .../routers/iguane-kit-rtr/configuration.nix | 98 ++++ hosts/routers/iguane-kit-rtr/default.nix | 49 ++ .../iguane-kit-rtr/hardware-configuration.nix | 36 ++ .../iguane-kit-rtr/peers/KIT-VIRTUA-EDGE.nix | 33 ++ .../iguane-kit-rtr/peers/KIT-VULTR-EDGE.nix | 32 ++ .../iguane-kit-rtr/peers/KIT-aurelien-RBR.nix | 31 ++ .../iguane-kit-rtr/peers/KIT-roumain-NTE.nix | 32 ++ .../iguane-kit-rtr/peers/KIT-toinux-MEL1.nix | 32 ++ .../routers/iguane-kit-rtr/peers/default.nix | 20 + .../routers/virtua-kit-edge/configuration.nix | 91 ++++ hosts/routers/virtua-kit-edge/default.nix | 29 + .../hardware-configuration.nix | 24 + .../virtua-kit-edge/peers/KIT-IG1-RTR.nix | 30 ++ .../peers/KIT-VIRTUA-EDGE.legacy.nix | 50 ++ .../virtua-kit-edge/peers/KIT-vultr-edge.nix | 30 ++ .../peers/TRS-virtua6-RS01.nix | 19 + .../peers/TRS-virtua6-RS02.nix | 18 + .../routers/virtua-kit-edge/peers/default.nix | 16 + .../routers/vultr-kit-edge/configuration.nix | 82 +++ hosts/routers/vultr-kit-edge/default.nix | 32 ++ .../vultr-kit-edge/hardware-configuration.nix | 36 ++ .../vultr-kit-edge/peers/KIT-IG1-RTR.nix | 30 ++ .../peers/KIT-VIRTUA-EDGE.legacy.nix | 51 ++ .../peers/KIT-VULTR-EDGE.legacy.nix | 50 ++ .../vultr-kit-edge/peers/KIT-virtua-edge.nix | 30 ++ .../vultr-kit-edge/peers/TRS-vultr6-RTR.nix | 39 ++ .../routers/vultr-kit-edge/peers/default.nix | 15 + 
hosts/routers/wireguard.nix | 181 +++++++ hosts/stonkmembers/configuration.nix | 50 ++ hosts/stonkmembers/default.nix | 17 + hosts/stonkmembers/k3s.nix | 65 +++ .../stonkmembers/poubelle00/configuration.nix | 73 +++ hosts/stonkmembers/poubelle00/default.nix | 7 + hosts/stonkmembers/poubelle00/disk-config.nix | 63 +++ .../poubelle00/hardware-configuration.nix | 34 ++ hosts/stonkmembers/prodesk/configuration.nix | 97 ++++ hosts/stonkmembers/prodesk/default.nix | 7 + hosts/stonkmembers/prodesk/disk-config.nix | 62 +++ .../prodesk/hardware-configuration.nix | 34 ++ .../stonkstation/configuration.nix | 95 ++++ hosts/stonkmembers/stonkstation/default.nix | 7 + .../stonkmembers/stonkstation/disk-config.nix | 63 +++ .../stonkstation/hardware-configuration.nix | 34 ++ .../nixos/modules/services/ttys/kmscon.nix | 151 ++++++ modules/proxmox-backup-client.nix | 434 +++++++++++++++ targets.nix | 24 + 109 files changed, 7427 insertions(+) create mode 100644 _diskos/simple_singleFullRoot.nix create mode 100644 _home/configuration.nix create mode 100644 _home/kube.nix create mode 100644 _system/configuration.nix create mode 100644 _system/console.nix create mode 100644 _system/firewall.nix create mode 100644 _system/grub-boot.nix create mode 100644 _system/inputrc.nix create mode 100644 _system/laptop.nix create mode 100644 _system/openvpn.nix create mode 100644 _system/pkgs.nix create mode 100644 _system/security.nix create mode 100644 _system/serial-com.nix create mode 100644 _system/systemd-boot.nix create mode 100644 _system/wireguard.nix create mode 100644 flake.lock create mode 100644 flake.nix create mode 100644 hosts/clients/configuration.nix create mode 100644 hosts/clients/default.nix create mode 100644 hosts/clients/laptaupe/configuration.nix create mode 100644 hosts/clients/laptaupe/default.nix create mode 100644 hosts/clients/laptaupe/disk-config.nix create mode 100644 hosts/clients/laptaupe/hardware-configuration.nix create mode 100644 hosts/default.nix create mode 
100644 hosts/homerouters/_peers/KIT-IG1-RR91.nix create mode 100644 hosts/homerouters/_peers/default.nix create mode 100644 hosts/homerouters/aure-home-kitrtr/configuration.nix create mode 100644 hosts/homerouters/aure-home-kitrtr/default.nix create mode 100644 hosts/homerouters/aure-home-kitrtr/hardware-configuration.nix create mode 100644 hosts/homerouters/aure-home-kitrtr/peers/KIT-IG1-RTR.nix create mode 100644 hosts/homerouters/aure-home-kitrtr/peers/default.nix create mode 100644 hosts/homerouters/bird.nix create mode 100644 hosts/homerouters/bird_peers.nix create mode 100644 hosts/homerouters/configuration.nix create mode 100644 hosts/homerouters/default.nix create mode 100644 hosts/homerouters/firewall.nix create mode 100644 hosts/homerouters/toinux-home-kitrtr/configuration.nix create mode 100644 hosts/homerouters/toinux-home-kitrtr/default.nix create mode 100644 hosts/homerouters/toinux-home-kitrtr/hardware-configuration.nix create mode 100644 hosts/homerouters/toinux-home-kitrtr/peers/default.nix create mode 100644 hosts/homerouters/wireguard.nix create mode 100644 hosts/miscservers/aure-kit-bots-01/configuration.nix create mode 100644 hosts/miscservers/aure-kit-bots-01/default.nix create mode 100644 hosts/miscservers/aure-kit-bots-01/hardware-configuration.nix create mode 100644 hosts/miscservers/configuration.nix create mode 100644 hosts/miscservers/default.nix create mode 100644 hosts/miscservers/firewall.nix create mode 100644 hosts/miscservers/options.nix create mode 100644 hosts/routereflectors/configuration.nix create mode 100644 hosts/routereflectors/default.nix create mode 100644 hosts/routereflectors/firewall.nix create mode 100644 hosts/routereflectors/iguane-kit-rr91/configuration.nix create mode 100644 hosts/routereflectors/iguane-kit-rr91/default.nix create mode 100644 hosts/routereflectors/iguane-kit-rr91/hardware-configuration.nix create mode 100644 hosts/routereflectors/network.nix create mode 100644 hosts/routereflectors/options.nix 
create mode 100644 hosts/routers/_peers/KIT-IG1-RR91.nix create mode 100644 hosts/routers/_peers/default.nix create mode 100644 hosts/routers/bird.nix create mode 100644 hosts/routers/bird_peers.nix create mode 100644 hosts/routers/configuration.nix create mode 100644 hosts/routers/default.nix create mode 100644 hosts/routers/firewall.nix create mode 100644 hosts/routers/iguane-kit-rtr/configuration.nix create mode 100644 hosts/routers/iguane-kit-rtr/default.nix create mode 100644 hosts/routers/iguane-kit-rtr/hardware-configuration.nix create mode 100644 hosts/routers/iguane-kit-rtr/peers/KIT-VIRTUA-EDGE.nix create mode 100644 hosts/routers/iguane-kit-rtr/peers/KIT-VULTR-EDGE.nix create mode 100644 hosts/routers/iguane-kit-rtr/peers/KIT-aurelien-RBR.nix create mode 100644 hosts/routers/iguane-kit-rtr/peers/KIT-roumain-NTE.nix create mode 100644 hosts/routers/iguane-kit-rtr/peers/KIT-toinux-MEL1.nix create mode 100644 hosts/routers/iguane-kit-rtr/peers/default.nix create mode 100644 hosts/routers/virtua-kit-edge/configuration.nix create mode 100644 hosts/routers/virtua-kit-edge/default.nix create mode 100644 hosts/routers/virtua-kit-edge/hardware-configuration.nix create mode 100644 hosts/routers/virtua-kit-edge/peers/KIT-IG1-RTR.nix create mode 100644 hosts/routers/virtua-kit-edge/peers/KIT-VIRTUA-EDGE.legacy.nix create mode 100644 hosts/routers/virtua-kit-edge/peers/KIT-vultr-edge.nix create mode 100644 hosts/routers/virtua-kit-edge/peers/TRS-virtua6-RS01.nix create mode 100644 hosts/routers/virtua-kit-edge/peers/TRS-virtua6-RS02.nix create mode 100644 hosts/routers/virtua-kit-edge/peers/default.nix create mode 100644 hosts/routers/vultr-kit-edge/configuration.nix create mode 100644 hosts/routers/vultr-kit-edge/default.nix create mode 100644 hosts/routers/vultr-kit-edge/hardware-configuration.nix create mode 100644 hosts/routers/vultr-kit-edge/peers/KIT-IG1-RTR.nix create mode 100644 hosts/routers/vultr-kit-edge/peers/KIT-VIRTUA-EDGE.legacy.nix create mode 100644 
hosts/routers/vultr-kit-edge/peers/KIT-VULTR-EDGE.legacy.nix create mode 100644 hosts/routers/vultr-kit-edge/peers/KIT-virtua-edge.nix create mode 100644 hosts/routers/vultr-kit-edge/peers/TRS-vultr6-RTR.nix create mode 100644 hosts/routers/vultr-kit-edge/peers/default.nix create mode 100644 hosts/routers/wireguard.nix create mode 100644 hosts/stonkmembers/configuration.nix create mode 100644 hosts/stonkmembers/default.nix create mode 100644 hosts/stonkmembers/k3s.nix create mode 100644 hosts/stonkmembers/poubelle00/configuration.nix create mode 100644 hosts/stonkmembers/poubelle00/default.nix create mode 100644 hosts/stonkmembers/poubelle00/disk-config.nix create mode 100644 hosts/stonkmembers/poubelle00/hardware-configuration.nix create mode 100644 hosts/stonkmembers/prodesk/configuration.nix create mode 100644 hosts/stonkmembers/prodesk/default.nix create mode 100644 hosts/stonkmembers/prodesk/disk-config.nix create mode 100644 hosts/stonkmembers/prodesk/hardware-configuration.nix create mode 100644 hosts/stonkmembers/stonkstation/configuration.nix create mode 100644 hosts/stonkmembers/stonkstation/default.nix create mode 100644 hosts/stonkmembers/stonkstation/disk-config.nix create mode 100644 hosts/stonkmembers/stonkstation/hardware-configuration.nix create mode 100644 modules/nixos/modules/services/ttys/kmscon.nix create mode 100644 modules/proxmox-backup-client.nix create mode 100644 targets.nix diff --git a/_diskos/simple_singleFullRoot.nix b/_diskos/simple_singleFullRoot.nix new file mode 100644 index 0000000..4f6c628 --- /dev/null +++ b/_diskos/simple_singleFullRoot.nix 
@@ -0,0 +1,67 @@ +# Example to create a bios compatible gpt partition +{ lib, targetConfig, ... }: +{ + disko.memSize = 3072; + + disko.devices = { + disk.disk1 = { + imageSize = "5G"; + + device = lib.mkDefault "${targetConfig.bootdisk}"; + type = "disk"; + content = { + type = "gpt"; + partitions = { + boot = { + size = "1M"; + type = "EF02"; # for grub MBR + }; + + ESP = { + size = "512M"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + }; + }; + + root = { + size = "100%"; + content = { + type = "lvm_pv"; + vg = "ROOT"; + }; + }; + }; + }; + }; + + lvm_vg = { + ROOT = { + type = "lvm_vg"; + lvs = { + + swap = lib.mkIf (targetConfig ? swap && targetConfig.swap) { + size = "2G"; + content = { + type = "swap"; + resumeDevice = (targetConfig ? swapResume && targetConfig.swapResume); # resume from hiberation from this device + }; + }; + + root = { + size = "100%FREE"; + content = { + type = "filesystem"; + format = "ext4"; + mountpoint = "/"; + mountOptions = [ "defaults" ]; + }; + }; + }; + }; + }; + }; +} diff --git a/_home/configuration.nix b/_home/configuration.nix new file mode 100644 index 0000000..50957f6 --- /dev/null +++ b/_home/configuration.nix @@ -0,0 +1,13 @@ +{ + pkgs, + lib, + config, + osConfig, + ... +}: +let + kubeCfg = osConfig.services.k3s; +in +{ + imports = [ ] ++ lib.optional (kubeCfg.enable && kubeCfg.role == "server") ./kube.nix; +} diff --git a/_home/kube.nix b/_home/kube.nix new file mode 100644 index 0000000..18e4b31 --- /dev/null +++ b/_home/kube.nix @@ -0,0 +1,6 @@ +{ ... }: + +{ + home.kubenv.enable = true; + home.sessionVariables.KUBECONFIG = "/etc/rancher/k3s/k3s.yaml"; +} diff --git a/_system/configuration.nix b/_system/configuration.nix new file mode 100644 index 0000000..400530e --- /dev/null +++ b/_system/configuration.nix 
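Review bot: The `swap` LV gets `resumeDevice` set whenever `targetConfig.swapResume` is true, yet nothing in this layout is encrypted (a plain `lvm_pv` on the GPT partition, ext4 root), so hibernating writes the whole RAM image — including any keys or secrets held in memory — to an unencrypted volume. Either wrap the PV in a LUKS `content` layer for hosts that use `swapResume`, or annotate the line with `resumeDevice = ...; # NOTE: swap is unencrypted; hibernation dumps RAM to disk in the clear` so host authors opt in knowingly. A short header comment stating that this layout is deliberately unencrypted (BIOS/GPT, LVM, no LUKS) would also save the next reader from assuming otherwise.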
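Review bot: `home.sessionVariables.KUBECONFIG = "/etc/rancher/k3s/k3s.yaml"` in `_home/kube.nix` points the user session at the k3s admin kubeconfig, which k3s writes root-only (0600) by default; so either `kubectl` fails for the non-root user, or the mode has been loosened elsewhere (the k3s `--write-kubeconfig-mode` flag would live in `hosts/stonkmembers/k3s.nix`, which is not in this chunk), in which case every local user able to read the file holds cluster-admin. Prefer copying the credential into `~/.kube/config` for the one user that needs it, or issuing a scoped service-account kubeconfig, and add `# NOTE: cluster-admin credential; requires k3s.yaml readable by the login user` so the dependency on file permissions is visible.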
@@ -0,0 +1,98 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page, on +# https://search.nixos.org/options and in the NixOS manual (`nixos-help`). + +{ + config, + targetConfig, + lib, + pkgs, + ... +}: + +{ + + imports = [ + ./pkgs.nix + ./inputrc.nix # ReadLine config + ./security.nix # PAM + SSH + Keys + ./firewall.nix + + ./openvpn.nix + ./wireguard.nix + + ./console.nix + ./serial-com.nix + ./systemd-boot.nix + ./grub-boot.nix + ]; + + # Set your time zone. + time.timeZone = "Europe/Paris"; + + # Configure network proxy if necessary + # networking.proxy.default = "http://user:password@proxy:port/"; + # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; + + # Select internationalisation properties. + i18n.defaultLocale = "en_US.UTF-8"; + + boot.supportedFilesystems = [ "nfs" ]; + services.rpcbind.enable = true; # NFS - Client + + nix = { + package = pkgs.nixFlakes; + settings = { + auto-optimise-store = true; + }; + gc = { + automatic = false; # TODO: Implement static N generations + dates = "daily"; + options = + let + default = 10; # TODO: Find a better way to do it + + generations = builtins.toString ( + if config.boot.loader.systemd-boot.enable then + config.boot.loader.systemd-boot.configurationLimit + else if config.boot.loader.grub.enable then + config.boot.loader.grub.configurationLimit + else if config.boot.loader.generic-extlinux-compatible.enable then + config.boot.loader.generic-extlinux-compatible.configurationLimit + else + default + ); + in + "--delete-older-than +${generations}"; # Not supported + }; + extraOptions = '' + experimental-features = nix-command flakes + ''; + }; + + programs.zsh.enable = true; # Install System-Wide -> Config is done with home-manager + + environment.shells = with pkgs; [ zsh ]; + environment.pathsToLink = [ "/share/zsh" ]; # ZSH Completion + + # tmpFS on /tmp + boot.tmp.useTmpfs = lib.mkDefault true; + + # 
Enable the OpenSSH daemon. + services.openssh.enable = true; + + environment.systemPackages = with pkgs; [ + # Additional packages + # nix-inspect + ]; + + # Versions Dump + environment.etc."current-system-packages".text = + let + getName = (p: if p ? name then "${p.name}" else "${p}"); + packages = builtins.map getName config.environment.systemPackages; + sortedUnique = builtins.sort builtins.lessThan (lib.unique packages); + formatted = builtins.concatStringsSep "\n" sortedUnique; + in + formatted; +} diff --git a/_system/console.nix b/_system/console.nix new file mode 100644 index 0000000..463d424 --- /dev/null +++ b/_system/console.nix 
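Review bot: `boot.supportedFilesystems = [ "nfs" ]` and `services.rpcbind.enable = true` sit in the shared base that, per the diffstat, every role (routers, edge nodes, route reflectors, bots) imports, so rpcbind listens on all interfaces on hosts that never mount NFS — and `_system/firewall.nix` defaults the host firewall to off, so nothing blocks port 111. Move these two lines to the hosts that actually need NFS, or make them opt-in here with `services.rpcbind.enable = lib.mkDefault false; # NFS client only; enable per host`. The `nix.gc.options` value is already annotated `# Not supported` and `gc.automatic = false`, so that computed `--delete-older-than +N` string is dead code shipping a known-invalid flag; drop it or replace it with a `# TODO` until the generation-based policy exists.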
@@ -0,0 +1,75 @@ +{ + pkgs, + lib, + config, + targetConfig, + ... +}: +let + nerdFonts = true; + + palette = [ + "000000" + "CC0000" + "4E9A06" + "C4A000" + "3465A4" + "75507B" + "06989A" + "D3D7CF" + "555753" + "EF2929" + "8AE234" + "FCE94F" + "739FCF" + "AD7FA8" + "34E2E2" + "EEEEEC" + ]; + + inherit (lib) mkDefault; +in +{ + services.gpm.enable = mkDefault true; + + # systemd.units."kmsconvt@.service".ExecStart = lib.mkIf (nerdFonts) ( + # let + # autologinArg = lib.optionalString ( + # config.services.kmscon.autologinUser != null + # ) "-a ${config.services.kmscon.autologinUser}"; + + # extraOptions = config.services.kmscon.extraOptions; + # in + # ''${pkgs.kmscon}/bin/kmscon "--vt=%I" ${extraOptions} --seats=seat0 --no-switchvt --configdir ${configDir} --login -- ${pkgs.util-linux}/bin/agetty -o '-p ${autologinArg} -- \\u' - xterm-256color'' + # ); + + # conf.options.services.openssh.settings.value.Macs + + services.kmscon = lib.mkIf (nerdFonts) { + enable = true; + hwRender = false; + + fonts = [ + { + name = "Hack Nerd Font Mono"; + package = with pkgs; (nerdfonts.override { fonts = [ "Hack" ]; }); + } + ]; + + extraConfig = '' + font-size=16 + ''; + }; + + # config.systemd.units."kmsconvt@.service".unit.text + + # conf.options.services.openssh.settings.value.Macs + + console = { + earlySetup = true; + + font = with pkgs; "${powerline-fonts}/share/consolefonts/ter-powerline-v16b.psf.gz"; + + colors = palette; + }; +} diff --git a/_system/firewall.nix b/_system/firewall.nix new file mode 100644 index 0000000..a096e49 --- /dev/null +++ b/_system/firewall.nix 
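Review bot: The module keeps two large commented-out experiments (the `kmsconvt@.service` ExecStart override and the `config.systemd.units...` probe) plus two stray `# conf.options.services.openssh.settings.value.Macs` scratch lines that have nothing to do with the console; they read as unfinished work and make the file harder to audit. Either delete them or collapse each into a one-line `# TODO(kmscon): override kmsconvt@ ExecStart once the configDir/autologin handling is settled` so the intent survives without the dead code. `config` and `targetConfig` are bound in the argument set but never used here.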
@@ -0,0 +1,27 @@
+{ lib, ... }:
+{
+ # Open ports in the firewall.
+ # networking.firewall.allowedTCPPorts = [ ... ];
+ # networking.firewall.allowedUDPPorts = [ ... ];
+ # Or disable the firewall altogether.
+ # networking.firewall.enable = false;
+
+ # TODO: Re-enable when tailscale is compatible
+ # -> Warning: XT target MASQUERADE not found
+ # networking.nftables.enable = true; # Cleaner approach, easier rules implementation
+
+ networking.firewall = {
+ enable = lib.mkDefault false; # TODO: Enable IT
+
+ allowedTCPPorts = [
+ 22
+ # 80
+ # 443
+ ];
+
+ # allowedUDPPortRanges = [
+ # { from = 4000; to = 4007; }
+ # { from = 8000; to = 8010; }
+ # ];
+ };
+}
diff --git a/_system/grub-boot.nix b/_system/grub-boot.nix
new file mode 100644
index 0000000..a343b8f
--- /dev/null
+++ b/_system/grub-boot.nix
@@ -0,0 +1,36 @@
+{
+ pkgs,
+ lib,
+ targetConfig,
+ ...
+}:
+
+let
+ bootloader = if targetConfig ? bootloader then targetConfig.bootloader else "";
+ grubBoot = (bootloader == "grub");
+ serialPort = if targetConfig ? mainSerial then targetConfig.mainSerial else 0;
+in
+{
+ config.boot.loader.grub = lib.mkIf (grubBoot) {
+ memtest86.enable = true;
+
+ ipxe = {
+ netboot_xyz = ''
+ #!ipxe
+ dhcp
+ chain --autofree http://boot.netboot.xyz
+ '';
+ };
+ #extraEntries = ''
+ # # GRUB 2 with UEFI example, chainloading another distro
+ # menuentry "Memtest86+" {
+ # set root=($drive1)/
+ # chainloader /efi/memtest86/memtest.efi
+ # }
+ #'';
+
+ #extraFiles = {
+ # "efi/memtest86/memtest.efi" = "${pkgs.memtest86plus}/memtest.efi";
+ #};
+ };
+}
diff --git a/_system/inputrc.nix b/_system/inputrc.nix
new file mode 100644
index 0000000..ea47ec4
--- /dev/null
+++ b/_system/inputrc.nix
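Review bot: `enable = lib.mkDefault false` switches the host firewall off for every host that imports this base, and `allowedTCPPorts = [ 22 ]` has no effect while it is disabled, so the file expresses intent without enforcing anything. The TODO about tailscale concerns `networking.nftables.enable`, not the default iptables-based firewall, so nothing here requires the firewall itself to be off; flip it to `enable = lib.mkDefault true; # role firewall.nix files open what they need` and let the per-role `firewall.nix` files listed in the diffstat add ports. A host that genuinely must run without a firewall should then say so explicitly with `lib.mkForce false` and a one-line reason.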
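Review bot: The GRUB menu gains a memtest entry and an iPXE entry that chains `http://boot.netboot.xyz` over plain HTTP, while no `boot.loader.grub.users` password is configured, so anyone with console or serial access (serial is enabled for every host by `serial-com.nix`) can boot an arbitrary, unauthenticated network image or edit the kernel command line. If the netboot entry is wanted, limit it to the hosts that need it, protect the menu with `boot.loader.grub.users.<name>.hashedPasswordFile`, and use `https://boot.netboot.xyz` if the bundled iPXE has TLS support; at minimum annotate it with `# WARNING: unauthenticated network-boot entry; GRUB menu is not password-protected`. `pkgs` and `serialPort` are bound but unused in this module.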
@@ -0,0 +1,24 @@ +{ lib, ... }: + +{ + environment.etc."inputrc".target = lib.mkForce "inputrc.orig"; # Important to re-use nixpkgs orig file + environment.etc."inputrc.modified" = { + target = "inputrc"; # Relative to /etc + text = '' + $include /etc/inputrc.orig # Import the Orig File + # Additional stuff + set completion-ignore-case On + set completion-map-case On + set completion-prefix-display-length 3 + set mark-symlinked-directories On + set show-all-if-ambiguous On + set show-all-if-unmodified On + set visible-stats On + + $if mode=emacs + "\e\e[C": forward-word + "\e\e[D": backward-word + $endif + ''; + }; +} diff --git a/_system/laptop.nix b/_system/laptop.nix new file mode 100644 index 0000000..cd83f14 --- /dev/null +++ b/_system/laptop.nix 
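Review bot: The `$include /etc/inputrc.orig # Import the Orig File` line probably does not include anything: readline treats `#` as a comment only at the start of a line and passes the remainder of an `$include` directive verbatim as the file name, so the path becomes `/etc/inputrc.orig # Import the Orig File` and the include fails silently, dropping all of nixpkgs' default bindings. Move the comment onto its own line above the directive (`# Import the original nixpkgs inputrc` / `$include /etc/inputrc.orig`) and confirm with `bind -p` in a fresh shell that the stock bindings are present.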
@@ -0,0 +1,175 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page, on +# https://search.nixos.org/options and in the NixOS manual (`nixos-help`). + +{ + config, + targetConfig, + lib, + pkgs, + ... +}: + +{ + services.openssh.enable = lib.mkForce false; # Disable OpenSSH server on laptop + + boot.initrd.systemd.enable = true; # Cleaner plymouth integration but no YubiKey support + + boot.plymouth = lib.mkIf (config.specialisation != { }) { + enable = true; + theme = lib.mkIf (config.services.xserver.desktopManager.plasma5.enable) "breeze"; + }; + + boot.kernelParams = lib.mkIf (config.specialisation != { }) [ "quiet" ]; # Shut The Fuck Up on boot (plymouth will be interupted with boot logs if not set) + boot.consoleLogLevel = lib.mkDefault 0; + + specialisation.debug.configuration = { + boot.initrd.systemd.emergencyAccess = true; + + boot.consoleLogLevel = 7; + }; + systemd.services.NetworkManager-wait-online.enable = lib.mkIf (config.networking.networkmanager.enable) false; # Not a server, so we should be able to work offline + NM-WaitOnline is quite dumb + + networking = { + # FallBack to DHCPcd + WPASupplicant if NetworkManager is off ( eg: during installation ) + dhcpcd.enable = lib.mkIf (!config.networking.networkmanager.enable) true; + wireless.enable = lib.mkIf (!config.networking.networkmanager.enable) true; # Enables wireless support via wpa_supplicant. 
+ }; + + # NonPackaged apps + services.flatpak.enable = true; + # Deezer + + environment.systemPackages = + with pkgs; + [ + vim # Usefull to fix a broken config from TTY + + # libinput-gestures + ] + ++ lib.optionals (config.virtualisation.libvirtd.enable) [ virt-manager ] + ++ [ + # Personal comfort Apps + parsec-bin # To play GTA at work + ]; + + # Password manager + programs._1password-gui.enable = true; + programs._1password.enable = true; + + # VirtManager + LibVirt + environment.sessionVariables.LIBVIRT_DEFAULT_URI = [ "qemu:///system" ]; + virtualisation.libvirtd = { + enable = true; + qemu.ovmf.enable = true; # UEFI + }; + + # Docker containers + virtualisation.docker = { + enable = true; + + autoPrune = { + enable = true; + }; + }; + + fonts.packages = with pkgs; [ + (nerdfonts.override { + fonts = [ + "DroidSansMono" + "FiraCode" + "Hack" + "IosevkaTerm" + "Terminus" + ]; + }) + ]; + + console.useXkbConfig = true; + i18n.extraLocaleSettings = { + LC_ADDRESS = "fr_FR.UTF-8"; + LC_IDENTIFICATION = "fr_FR.UTF-8"; + LC_MEASUREMENT = "fr_FR.UTF-8"; + LC_MONETARY = "fr_FR.UTF-8"; + LC_NAME = "fr_FR.UTF-8"; + LC_NUMERIC = "fr_FR.UTF-8"; + LC_PAPER = "fr_FR.UTF-8"; + LC_TELEPHONE = "fr_FR.UTF-8"; + LC_TIME = "fr_FR.UTF-8"; + }; + + programs.gnupg.agent.pinentryPackage = lib.mkForce pkgs.pinentry-qt; # cuz there's a conflict between xserver / desktop-manager + + # X - VideoServer - Not the porn website + services.xserver = { + enable = true; + + displayManager.sddm.enable = lib.mkIf (config.services.xserver.desktopManager.plasma5.enable) true; # Default DM for KDE/Plasma + + desktopManager.plasma5 = { + enable = true; # I miss windows look n feel + }; + + libinput = { + enable = true; # for touchpad support on many laptops + # touchpad.disableWhileTyping = true; # Plasma setting works better + }; + + videoDrivers = lib.mkOverride 40 [ + "cirrus" + "vesa" + "modesetting" + ]; + + xkb = { + layout = "us"; + variant = ""; + }; + }; + # Enable sound with pipewire. 
+ sound.enable = true; + hardware.pulseaudio.enable = false; + security.rtkit.enable = true; + services.pipewire = { + enable = true; + alsa.enable = true; + alsa.support32Bit = true; + pulse.enable = true; + # If you want to use JACK applications, uncomment this + #jack.enable = true; + + # use the example session manager (no others are packaged yet so this is enabled by default, + # no need to redefine it in your config for now) + #media-session.enable = true; + }; + services.printing.enable = true; + + # BlueTooth + hardware.bluetooth = { + enable = true; + settings = { + General = { + ControllerMode = "dual"; # HessPods support + }; + }; + }; + + security.polkit.enable = true; # Else xRDP is black if user is logged-on locally + services.xrdp = { + enable = false; + defaultWindowManager = "startplasma-x11"; # xRDP works better with x11 + openFirewall = true; + }; + + services.autorandr = { + enable = false; + + hooks.postswitch = { + "notify" = '' + ( sleep 5; notify-send -i display "Display profile" "$AUTORANDR_CURRENT_PROFILE"; ) & + ''; + }; + + profiles = { }; + }; +} diff --git a/_system/openvpn.nix b/_system/openvpn.nix new file mode 100644 index 0000000..d1ce407 --- /dev/null +++ b/_system/openvpn.nix 
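Review bot: `specialisation.debug.configuration.boot.initrd.systemd.emergencyAccess = true` makes the debug boot entry drop into a root shell in the initrd with no password, and since the bootloader menu is not password-protected and the `_diskos` layout in this commit is an unencrypted ext4 root, anyone with the laptop in hand can pick that entry and read or modify the disk. Keep the entry but require a credential — the option also accepts a hashed password, `emergencyAccess = "<hashed password>";` — or remove it and document the recovery path; at minimum annotate it with `# WARNING: passwordless root shell in initrd; physical access = root`. Separately, `virtualisation.docker.enable = true` makes any member of the `docker` group root-equivalent; if that is accepted for this machine, say so next to the line.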
@@ -0,0 +1,116 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page, on +# https://search.nixos.org/options and in the NixOS manual (`nixos-help`). + +{ + config, + targetConfig, + lib, + pkgs, + ... +}: + +let + cfg = config.services.ovpn; + + forEachCFG = ( + name: val: + builtins.listToAttrs ( + map (conf: { + name = if name == "" then conf else lib.trivial.toFunction name conf; + + value = lib.trivial.toFunction val conf; + }) cfg.configs + ) + ); + + openscPKCS11 = "${pkgs.opensc}/lib/opensc-pkcs11.so"; + showPKCS11 = "${pkgs.openvpn_show_pkcs11_ids}/bin/openvpn_show_pkcs11_ids.sh"; +in +{ + options.services.ovpn = { + configs = lib.mkOption { + type = lib.types.listOf lib.types.str; + default = [ ]; + example = [ "s3nsible" ]; + description = '' + List of OpenVPN configurations to generate. + ''; + }; + + ensureDevice = lib.mkEnableOption "YubiKey Forced Detection"; + + basePath = lib.mkOption { + type = lib.types.str; + default = "/root/openvpn"; + example = "/etc/openvpn/configs"; + description = '' + Folder where configurations can be found on disk. + ''; + }; + + autostart = lib.mkOption { + type = lib.types.listOf lib.types.str; + default = [ ]; + example = [ "s3nsible" ]; + description = '' + List of OpenVPN configurations to start on boot. 
+ ''; + }; + }; + + config = lib.mkIf (cfg.configs != [ ]) { + nixpkgs.overlays = [ + (final: prev: { + # OpenVPN w/ OpenSC pkcs11 support + openvpn = ( + prev.openvpn.override { + pkcs11Support = true; + pkcs11helper = prev.pkcs11helper; + } + ); + + openvpn_show_pkcs11_ids = ( + pkgs.writeShellScriptBin "openvpn_show_pkcs11_ids.sh" '' + ${pkgs.openvpn}/bin/openvpn --show-pkcs11-ids ${openscPKCS11} + '' + ); + + openvpn_systemd_launcher = ( + pkgs.writeShellScriptBin "openvpn_systemd.sh" (builtins.readFile ../scripts/openvpn_systemd.sh) + ); + }) + ]; + + environment.systemPackages = with pkgs; [ + opensc + + openvpn_show_pkcs11_ids + openvpn_systemd_launcher + ]; + + systemd.services = ( + forEachCFG (name: "openvpn-${name}") { + serviceConfig = { + ExecStartPre = lib.mkIf (cfg.ensureDevice) "${pkgs.bash}/bin/bash -c '${showPKCS11}; [[ \$(${showPKCS11} | grep DN: | wc -l) -gt 0 ]] || { echo Missing YubiKey or Certificates not found; exit 1; }'"; # Ensure yubikey is detected + TimeoutStartSec = 90; + }; + } + ); + + services.openvpn.servers = forEachCFG "" (conf: { + autoStart = builtins.elem conf cfg.autostart; + + config = + let + iface = builtins.substring 0 15 conf; + in + '' + pkcs11-providers ${openscPKCS11} + + config ${cfg.basePath}/${conf}.ovpn + dev ${iface} + ''; + }); + }; +} diff --git a/_system/pkgs.nix b/_system/pkgs.nix new file mode 100644 index 0000000..867f624 --- /dev/null +++ b/_system/pkgs.nix @@ -0,0 +1,9 @@ +{ lib, pkgs, ... }: + +{ + environment.systemPackages = with pkgs; [ + krewfile + zsh + nixfmt-rfc-style + ]; +} diff --git a/_system/security.nix b/_system/security.nix new file mode 100644 index 0000000..e4ca381 --- /dev/null +++ b/_system/security.nix 
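Review bot: `openvpn_systemd_launcher` reads `../scripts/openvpn_systemd.sh`, but no `scripts/` path appears among the 109 files this commit creates, so evaluating any host with `services.ovpn.configs != []` should fail at `builtins.readFile` unless the script is untracked — add it to the repo or drop the launcher. Each entry of `cfg.configs` is also interpolated unvalidated into the generated OpenVPN config (`config ${cfg.basePath}/${conf}.ovpn`, `dev ${iface}`) and into a systemd unit name; because the option is `listOf str`, a name with whitespace or a newline would inject directives, so tighten it to `lib.types.listOf (lib.types.strMatching "[A-Za-z0-9_.-]+")` and note in the option description that the name becomes the interface name (truncated to 15 characters). Using the module-level `pkgs` inside the overlay (`pkgs.writeShellScriptBin`, `pkgs.openvpn`) works only because the attribute names are static; `final.` is the conventional form and avoids evaluation-order surprises.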
@@ -0,0 +1,99 @@
+{
+ lib,
+ pkgs,
+ config,
+ ...
+}:
+
+let
+ noPasswdCommands = [
+ "/run/current-system/sw/bin/reboot"
+ "/run/current-system/sw/bin/poweroff"
+
+ "/run/current-system/sw/bin/systemctl suspend"
+
+ "/run/current-system/sw/bin/systemd-tty-ask-password-agent --query"
+
+ "/run/current-system/sw/bin/nix profile wipe-history --profile /nix/var/nix/profiles/system"
+ "/run/current-system/sw/bin/nixos-rebuild *"
+ ];
+
+ noPasswdServices = [ "openvpn-*" ];
+in
+{
+ users.users.root = {
+ initialPassword = lib.mkDefault "toor";
+
+ openssh.authorizedKeys.keys = lib.mkDefault [
+ # change this to your ssh key
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPxJpIrlaMMuw+zqOlZa35ehViBytyROvdf73poXTlVz"
+ ];
+ };
+
+ services.openssh.settings = {
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
+ };
+
+ security = {
+ sudo = {
+ enable = true;
+ extraRules =
+ [
+ {
+ commands = map (cmd: {
+ command = cmd;
+ options = [ "NOPASSWD" ];
+ }) (noPasswdCommands);
+
+ groups = [ "wheel" ];
+ }
+ ]
+ ++ map (svc: {
+ commands =
+ map
+ (cmd: {
+ command = cmd;
+ options = [ "NOPASSWD" ];
+ })
+
+ [
+ "/run/current-system/sw/bin/systemctl start ${svc}"
+ "/run/current-system/sw/bin/systemctl restart ${svc}"
+ "/run/current-system/sw/bin/systemctl stop ${svc}"
+ ];
+
+ groups = [ "wheel" ];
+ }) noPasswdServices;
+
+ # ++ lib.flatten (
+ # map (svc: [
+ # "/run/current-system/sw/bin/systemctl start ${svc}"
+ # "/run/current-system/sw/bin/systemctl restart ${svc}"
+ # "/run/current-system/sw/bin/systemctl stop ${svc}"
+ # ]) noPasswdServices
+ # )
+ # extraConfig = with pkgs; ''
+ # Defaults:picloud secure_path="${lib.makeBinPath [
+ # systemd
+ # ]}:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin"
+ # '';
+ };
+
+ # pam.services.sudo = {
+ # rules.auth.rssh = {
+ # order = config.rules.auth.unix.order - 10;
+ # control = "sufficient";
+ # modulePath = "${pkgs.pam_rssh}/lib/libpam_rssh.so";
+ # #settings = {
+ # # authorized_keys_command = "/etc/ssh/authorized_keys_command";
+ # # authorized_keys_command_user = "nobody";
+ # #};
+ # };
+ # };
+
+ sudo.extraConfig = ''
+ Defaults env_keep+=SSH_AUTH_SOCK
+ '';
+ };
+}
diff --git a/_system/serial-com.nix b/_system/serial-com.nix
new file mode 100644
index 0000000..894490d
--- /dev/null
+++ b/_system/serial-com.nix
@@ -0,0 +1,26 @@
+{
+ pkgs,
+ lib,
+ targetConfig,
+ ...
+}:
+
+let
+ bootloader = if targetConfig ? bootloader then targetConfig.bootloader else "";
+ grubBoot = (bootloader == "grub");
+ serialPort = if targetConfig ? mainSerial then targetConfig.mainSerial else 0;
+in
+{
+ config.boot.kernelParams = [
+ "console=tty1"
+ "console=ttyS${toString serialPort},115200"
+ ] ++ lib.optionals (serialPort != 0) [ "console=ttyS0,115200" ];
+
+ config.boot.loader.grub = lib.mkIf (grubBoot) {
+ extraConfig = ''
+ serial --unit=${toString serialPort} --speed=115200 --word=8 --parity=no --stop=1
+ terminal_input --append serial
+ terminal_output --append serial
+ '';
+ };
+}
diff --git a/_system/systemd-boot.nix b/_system/systemd-boot.nix
new file mode 100644
index 0000000..4fcdd67
--- /dev/null
+++ b/_system/systemd-boot.nix
@@ -0,0 +1,28 @@
+{
+ pkgs,
+ lib,
+ targetConfig,
+ ...
+}:
+
+let
+ bootloader = if targetConfig ? bootloader then targetConfig.bootloader else "";
+ systemdBoot = (bootloader == "systemd-boot");
+in
+{
+ config.boot.loader.systemd-boot = lib.mkIf (systemdBoot) {
+ netbootxyz.enable = true;
+ memtest86.enable = true;
+
+ #extraEntries = {
+ # "memtest86.conf" = ''
+ # title Memtest86+
+ # efi /efi/memtest86/memtest.efi
+ # '';
+ #};
+
+ #extraFiles = {
+ # "efi/memtest86/memtest.efi" = "${pkgs.memtest86plus}/memtest.efi";
+ #};
+ };
+}
diff --git a/_system/wireguard.nix b/_system/wireguard.nix
new file mode 100644
index 0000000..ae862f7
--- /dev/null
+++ b/_system/wireguard.nix
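Review bot: `"/run/current-system/sw/bin/nixos-rebuild *"` under NOPASSWD for `wheel` is passwordless root in all but name: the trailing glob accepts any argument, including `--flake` pointing at an attacker-controlled flake or a config that adds a key to root, so the narrower entries (`reboot`, `systemctl start openvpn-*`) add nothing on top of it. `initialPassword = lib.mkDefault "toor"` likewise seeds every host with a publicly guessable root password; `PasswordAuthentication = false` only covers SSH, so it still works on the local console and on the serial line `serial-com.nix` enables everywhere. Drop `nixos-rebuild *` (or pin it to `nixos-rebuild switch --flake /etc/nixos#*` and accept that this is still root), replace `initialPassword` with `initialHashedPassword`/`hashedPasswordFile` or leave root locked, and note that sudoers globs match whitespace, so `systemctl start openvpn-*` also matches `systemctl start openvpn-x any-other.service`.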
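Review bot: When `targetConfig.mainSerial` is non-zero the parameter list becomes `console=tty1 console=ttyS<n>,115200 console=ttyS0,115200`, and the kernel binds `/dev/console` — hence the initrd emergency and password prompts — to the last `console=` given, so the declared main port ends up secondary to ttyS0, which looks inverted. If ttyS0 is meant as a mirror, emit it before the main port (`[ "console=tty1" ] ++ lib.optionals (serialPort != 0) [ "console=ttyS0,115200" ] ++ [ "console=ttyS${toString serialPort},115200" ]`) and add `# last console= becomes /dev/console`. `pkgs` is unused, and `bootloader`/`grubBoot` duplicate `grub-boot.nix`; a shared `let` in the base module would keep them from drifting.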
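Review bot: `boot.loader.systemd-boot.editor` is left at its NixOS default of `true`, so anyone at the console or on the serial line enabled by `serial-com.nix` can edit the kernel command line (e.g. `init=/bin/sh`) and obtain a root shell without a password, and `netbootxyz.enable = true` adds an unauthenticated network-boot entry to the same menu. Set `editor = false; # no cmdline edits from the boot menu` next to `memtest86.enable`, and limit the netboot.xyz entry to the hosts that actually need it rather than every systemd-boot target. `pkgs` is bound but unused in this module.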
@@ -0,0 +1,6 @@
+{ config, pkgs, ... }:
+
+{
+ # boot.extraModulePackages = [ config.boot.kernelPackages.wireguard ];
+ environment.systemPackages = with pkgs; [ wireguard-tools ];
+}
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..572f3b5
--- /dev/null
+++ b/flake.lock
@@ -0,0 +1,505 @@ +{ + "nodes": { + "crane": { + "flake": false, + "locked": { + "lastModified": 1699217310, + "narHash": "sha256-xpW3VFUG7yE6UE6Wl0dhqencuENSkV7qpnpe9I8VbPw=", + "owner": "ipetkov", + "repo": "crane", + "rev": "d535642bbe6f377077f7c23f0febb78b1463f449", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "ref": "v0.15.0", + "repo": "crane", + "type": "github" + } + }, + "disko": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1717415925, + "narHash": "sha256-KhclrqEQFrDr6Z8WqtvCdqtR7Fg35aMyfk7ANtx34Ys=", + "owner": "nix-community", + "repo": "disko", + "rev": "b106b5df3654d83197aff4826e3e34a5a5335b1c", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "disko", + "type": "github" + } + }, + "dream2nix": { + "inputs": { + "nixpkgs": [ + "nix-inspect", + "nci", + "nixpkgs" + ], + "purescript-overlay": "purescript-overlay", + "pyproject-nix": "pyproject-nix" + }, + "locked": { + "lastModified": 1709959559, + "narHash": "sha256-Gb+tUU+clGKVBwiznTQf0emZZ+heALqoVwUgI0O13L8=", + "owner": "nix-community", + "repo": "dream2nix", + "rev": "42838c590971da17a4b6483962707b7fb7b8b9a7", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "dream2nix", + "type": "github" + } + }, + "flake-utils": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1701680307, + "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "4022d587cbbfd70fe950c1e2083a02621806a725", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "home-config": { + "inputs": { + "home-manager": [ + "home-manager" + ], + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1715301944, + "narHash": "sha256-Xp06wgWBU2aDP59gW/uH2m96N35WWh2IcvdX0lBkdYs=", + "owner": "toinux", + "repo": "homefiles", + "rev": 
"c087a612aec45ec2c556991ca560d9d49ff3d486", + "type": "gitlab" + }, + "original": { + "owner": "toinux", + "repo": "homefiles", + "type": "gitlab" + } + }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1716736833, + "narHash": "sha256-rNObca6dm7Qs524O4st8VJH6pZ/Xe1gxl+Rx6mcWYo0=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "a631666f5ec18271e86a5cde998cba68c33d9ac6", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "release-24.05", + "repo": "home-manager", + "type": "github" + } + }, + "krewfile": { + "inputs": { + "flake-utils": "flake-utils", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1705078502, + "narHash": "sha256-qH6DtavbLqIpYIf3Zr2eWOcBpJfLFXbaOKQNkefv6tg=", + "owner": "brumhard", + "repo": "krewfile", + "rev": "02d04f38ea0d1b8de4da3b29bc861f8883c9b9e9", + "type": "github" + }, + "original": { + "owner": "brumhard", + "repo": "krewfile", + "type": "github" + } + }, + "mk-naked-shell": { + "flake": false, + "locked": { + "lastModified": 1681286841, + "narHash": "sha256-3XlJrwlR0nBiREnuogoa5i1b4+w/XPe0z8bbrJASw0g=", + "owner": "yusdacra", + "repo": "mk-naked-shell", + "rev": "7612f828dd6f22b7fb332cc69440e839d7ffe6bd", + "type": "github" + }, + "original": { + "owner": "yusdacra", + "repo": "mk-naked-shell", + "type": "github" + } + }, + "nci": { + "inputs": { + "crane": "crane", + "dream2nix": "dream2nix", + "mk-naked-shell": "mk-naked-shell", + "nixpkgs": [ + "nix-inspect", + "nixpkgs" + ], + "parts": "parts", + "rust-overlay": "rust-overlay", + "treefmt": "treefmt" + }, + "locked": { + "lastModified": 1710137478, + "narHash": "sha256-+hbUWY1PEItyx3CBOGsHlJEDO2wRY2N1mpBhiLBblck=", + "owner": "yusdacra", + "repo": "nix-cargo-integration", + "rev": "f3cc8751427e16ec48c0467357b3f3979a53ae9c", + "type": "github" + }, + "original": { + "owner": "yusdacra", + "repo": "nix-cargo-integration", + "type": "github" + } + }, + "nix-inspect": { 
+ "inputs": { + "nci": "nci", + "nixpkgs": "nixpkgs", + "parts": "parts_2" + }, + "locked": { + "lastModified": 1717293583, + "narHash": "sha256-Upz+fnWJjzt5WokjO/iaiPbqiwSrqpWjrpcFOqQ4p0E=", + "owner": "bluskript", + "repo": "nix-inspect", + "rev": "c55921e1d1cf980ff6351273fde6cedd5d8fa320", + "type": "github" + }, + "original": { + "owner": "bluskript", + "repo": "nix-inspect", + "type": "github" + } + }, + "nixos-hardware": { + "locked": { + "lastModified": 1717248095, + "narHash": "sha256-e8X2eWjAHJQT82AAN+mCI0B68cIDBJpqJ156+VRrFO0=", + "owner": "NixOS", + "repo": "nixos-hardware", + "rev": "7b49d3967613d9aacac5b340ef158d493906ba79", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "master", + "repo": "nixos-hardware", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1709961763, + "narHash": "sha256-6H95HGJHhEZtyYA3rIQpvamMKAGoa8Yh2rFV29QnuGw=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "3030f185ba6a4bf4f18b87f345f104e6a6961f34", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-master": { + "locked": { + "lastModified": 1717450446, + "narHash": "sha256-jGT4u92vjH2/plvQbnt3A4VUq5XrmaEGuG1CCTqvQss=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "58289729f2bd617af78dc111ea781e971f4f340c", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "master", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-stable": { + "locked": { + "lastModified": 1717265169, + "narHash": "sha256-IITcGd6xpNoyq9SZBigCkv4+qMHSqot0RDPR4xsZ2CA=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "3b1b4895b2c5f9f5544d02132896aeb9ceea77bc", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "release-23.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-unstable": { + "locked": { + "lastModified": 1717399147, + "narHash": "sha256-eCWaE/q1VItpFAxxLVt171MdtDcjEnwi6QB/yuF73JU=", + 
"owner": "NixOS", + "repo": "nixpkgs", + "rev": "4a4ecb0ab415c9fccfb005567a215e6a9564cdf5", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1717144377, + "narHash": "sha256-F/TKWETwB5RaR8owkPPi+SPJh83AQsm6KrQAlJ8v/uA=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "805a384895c696f802a9bf5bf4720f37385df547", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-24.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "parts": { + "inputs": { + "nixpkgs-lib": [ + "nix-inspect", + "nci", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1709336216, + "narHash": "sha256-Dt/wOWeW6Sqm11Yh+2+t0dfEWxoMxGBvv3JpIocFl9E=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "f7b3c975cf067e56e7cda6cb098ebe3fb4d74ca2", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "parts_2": { + "inputs": { + "nixpkgs-lib": [ + "nix-inspect", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1709336216, + "narHash": "sha256-Dt/wOWeW6Sqm11Yh+2+t0dfEWxoMxGBvv3JpIocFl9E=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "f7b3c975cf067e56e7cda6cb098ebe3fb4d74ca2", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "purescript-overlay": { + "inputs": { + "nixpkgs": [ + "nix-inspect", + "nci", + "dream2nix", + "nixpkgs" + ], + "slimlock": "slimlock" + }, + "locked": { + "lastModified": 1696022621, + "narHash": "sha256-eMjFmsj2G1E0Q5XiibUNgFjTiSz0GxIeSSzzVdoN730=", + "owner": "thomashoneyman", + "repo": "purescript-overlay", + "rev": "047c7933abd6da8aa239904422e22d190ce55ead", + "type": "github" + }, + "original": { + "owner": "thomashoneyman", + "repo": "purescript-overlay", + "type": "github" + } + }, + "pyproject-nix": { + "flake": false, + "locked": { + 
"lastModified": 1702448246, + "narHash": "sha256-hFg5s/hoJFv7tDpiGvEvXP0UfFvFEDgTdyHIjDVHu1I=", + "owner": "davhau", + "repo": "pyproject.nix", + "rev": "5a06a2697b228c04dd2f35659b4b659ca74f7aeb", + "type": "github" + }, + "original": { + "owner": "davhau", + "ref": "dream2nix", + "repo": "pyproject.nix", + "type": "github" + } + }, + "root": { + "inputs": { + "disko": "disko", + "home-config": "home-config", + "home-manager": "home-manager", + "krewfile": "krewfile", + "nix-inspect": "nix-inspect", + "nixos-hardware": "nixos-hardware", + "nixpkgs": "nixpkgs_2", + "nixpkgs-master": "nixpkgs-master", + "nixpkgs-unstable": "nixpkgs-unstable", + "sops-nix": "sops-nix" + } + }, + "rust-overlay": { + "flake": false, + "locked": { + "lastModified": 1710123130, + "narHash": "sha256-EoGL/WSM1M2L099Q91mPKO/FRV2iu2ZLOEp3y5sLfiE=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "73aca260afe5d41d3ebce932c8d896399c9d5174", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, + "slimlock": { + "inputs": { + "nixpkgs": [ + "nix-inspect", + "nci", + "dream2nix", + "purescript-overlay", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1688610262, + "narHash": "sha256-Wg0ViDotFWGWqKIQzyYCgayeH8s4U1OZcTiWTQYdAp4=", + "owner": "thomashoneyman", + "repo": "slimlock", + "rev": "b5c6cdcaf636ebbebd0a1f32520929394493f1a6", + "type": "github" + }, + "original": { + "owner": "thomashoneyman", + "repo": "slimlock", + "type": "github" + } + }, + "sops-nix": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ], + "nixpkgs-stable": "nixpkgs-stable" + }, + "locked": { + "lastModified": 1717297459, + "narHash": "sha256-cZC2f68w5UrJ1f+2NWGV9Gx0dEYmxwomWN2B0lx0QRA=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "ab2a43b0d21d1d37d4d5726a892f714eaeb4b075", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + 
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "treefmt": { + "inputs": { + "nixpkgs": [ + "nix-inspect", + "nci", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1710088047, + "narHash": "sha256-eSqKs6ZCsX9xJyNYLeMDMrxzIDsYtaWClfZCOp0ok6Y=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": "720322c5352d7b7bd2cb3601a9176b0e91d1de7d", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "treefmt-nix", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000..a34c630 --- /dev/null +++ b/flake.nix 
@@ -0,0 +1,451 @@ +# https://nixos.wiki/wiki/Flakes +{ + description = "System configurations"; + + inputs = { + + nixpkgs = { + url = "github:NixOS/nixpkgs/nixos-24.05"; + }; + + # darwin = { + # url = "github:lnl7/nix-darwin"; + # inputs.nixpkgs.follows = "nixpkgs"; + # }; + + nixpkgs-unstable = { + url = "github:NixOS/nixpkgs/nixpkgs-unstable"; + }; + + nixpkgs-master = { + url = "github:NixOS/nixpkgs/master"; + }; + + nixos-hardware = { + url = "github:NixOS/nixos-hardware/master"; + }; + + disko = { + url = "github:nix-community/disko"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + + sops-nix = { + url = "github:Mic92/sops-nix"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + + home-config = { + url = "gitlab:toinux/homefiles"; + # url = "git+file:///home/toinux/Documents/homefiles"; + inputs = { + nixpkgs.follows = "nixpkgs"; + home-manager.follows = "home-manager"; + }; + }; + + home-manager = { + url = "github:nix-community/home-manager/release-24.05"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + + krewfile = { + url = "github:brumhard/krewfile"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + + nix-inspect = { + url = "github:bluskript/nix-inspect"; + }; + + # devenv = { + # url = "github:cachix/devenv/latest"; + # inputs.nixpkgs.follows = "nixpkgs"; + # inputs.nix.follows = "nix"; + # }; + }; + + outputs = + { + self, + nixpkgs, + nixpkgs-unstable, + nixpkgs-master, + nixos-hardware, + nix-inspect, + disko, + sops-nix, + home-manager, + home-config, + krewfile, + ... + # devenv, + # darwin, + }@args: + let + inherit (builtins) pathExists toJSON; + + inherit (nixpkgs.lib) + foldl' + mapAttrs + attrNames + filterAttrs + assertMsg + genAttrs + getBin + concatMapStringsSep + optionals + + nixosSystem + ; + + # TODO: Use flake-utils to do this well + mkLinuxSystem = + { + target, + targetConfig, + profile ? targetConfig.profile, + system ? "x86_64-linux", + kubeConfig ? 
{ }, + }: + nixosSystem ( + # let + # inherit (nixpkgs.legacyPackages.${system}) writeShellScriptBin; + # in + { + inherit system; + + modules = [ + + (if targetConfig ? config then { config = targetConfig.config; } else { }) + + # Pass options + Args + { + _module.args = { + targetConfig = targetConfig; + targetProfile = profile; + target = target; + bootdisk = targetConfig.bootdisk; + kubeConfig = kubeConfig; + }; + } + + # Home + Users config + ( + { + config, + lib, + pkgs, + ... + }: + + let + userName = "toinux"; + homeDir = "/home/${userName}"; + in + { + config = { + networking.hostName = "${target}"; + + users.users.${userName} = { + isNormalUser = true; + home = homeDir; + # description = "Antoine '${userName}'"; + shell = pkgs.zsh; + extraGroups = + [ "wheel" ] + ++ optionals (config.services.xserver.enable) [ "input" ] + ++ optionals (config.networking.networkmanager.enable) [ "networkmanager" ] + ++ optionals (config.virtualisation.docker.enable) [ "docker" ] + ++ optionals (config.virtualisation.libvirtd.enable) [ "libvirtd" ]; + + initialPassword = "totofaitsestests"; + }; + + home-manager.users.${userName} = home-config.lib.mkHomeConfiguration userName homeDir [ + ./_home/configuration.nix + ]; + + users.users.root.shell = pkgs.zsh; + home-manager.users.root = home-config.lib.mkHomeConfiguration "root" "/root" [ + ./_home/configuration.nix + ]; + }; + } + ) + + ./_system/configuration.nix # Global System config + + (./hosts + "/${profile}/configuration.nix") + + # Disk Partitioning + disko.nixosModules.disko + ( + if targetConfig ? 
diskTemplate && targetConfig.diskTemplate != null then + ./_diskos + "/${targetConfig.diskTemplate}.nix" + else + let + diskoCfg = (./hosts + "/${profile}/${target}/disk-config.nix"); + in + assert assertMsg (pathExists diskoCfg) + "${target}: diskTemplate undefined and ${diskoCfg} inexistant, dunno what to do"; + diskoCfg + ) + + # Host-Specific config + (./hosts + "/${profile}/${target}/configuration.nix") # HostSpecific configuration + (./hosts + "/${profile}/${target}/hardware-configuration.nix") # Hardware Detection + + # Home-Manager + options + home-manager.nixosModules.home-manager + { + home-manager.useGlobalPkgs = true; + home-manager.useUserPackages = true; + # Optionally, use home-manager.extraSpecialArgs to pass arguments to home.nix + } + + # Use Mozilla SOPS as secrets manager + sops-nix.nixosModules.sops + { sops.defaultSopsFile = ./secrets/${target}.yaml; } + + # Overlays + ( + { ... }: + { + nixpkgs.overlays = [ + # https://github.com/NixOS/nixpkgs/issues/97855#issuecomment-1075818028 + #(self: super: { + # my-nixos-option = + # let + # flake-compact = super.fetchFromGitHub { + # owner = "edolstra"; + # repo = "flake-compat"; + # rev = "12c64ca55c1014cdc1b16ed5a804aa8576601ff2"; + # sha256 = "sha256-hY8g6H2KFL8ownSiFeMOjwPC8P0ueXpCVEbxgda3pko="; + # }; + # prefix = ''(import ${flake-compact} { src = ~/src/vidbina/nixos-configuration; }).defaultNix.nixosConfigurations.${target}''; + # in + # super.runCommand "nixos-option" { buildInputs = [ super.makeWrapper ]; } '' + # makeWrapper ${super.nixos-option}/bin/nixos-option $out/bin/nixos-option \ + # --add-flags --config_expr \ + # --add-flags "\"${prefix}.config\"" \ + # --add-flags --options_expr \ + # --add-flags "\"${prefix}.options\"" + # ''; + #}) + krewfile.overlay + + (final: prev: { + master = nixpkgs-master.legacyPackages.${prev.system}; + unstable = nixpkgs-unstable.legacyPackages.${prev.system}; + # devenv = devenv.packages.${prev.system}.devenv; + # nix-inspect = 
nix-inspect.packages.${prev.system}.default; + + # ferm = prev.ferm.overrideAttrs (oldAttrs: rec { + # patches = oldAttrs.patches or [ ] ++ [ ./patches/ferm_import-ferm_wrapped.patch ]; + # }); + }) + ]; + } + ) + ( + let + disableModules = [ ]; + + localModules = [ "nixos/modules/services/ttys/kmscon.nix" ]; + + masterModules = [ + # "nixos/modules/programs/kubeswitch.nix" + ]; + + unstableModules = [ ]; + # stableModules = [ ]; + + getModule = input: (x: "${input}/${x}"); + in + { + disabledModules = map (getModule args.nixpkgs) ( + disableModules ++ localModules ++ masterModules ++ unstableModules + # ++ stableModules + ); + + imports = + (map (getModule ./modules) localModules) + ++ (map (getModule args.nixpkgs-master) masterModules) + ++ (map (getModule args.nixpkgs-unstable) unstableModules) + # ++ (map (getModule args.nixpkgs-stable) stableModules) + ; + } + ) + ]; + }); + + targetConfigs = + let + hosts = import ./hosts (args // { lib = args.nixpkgs.lib; }); + in + foldl' ( + acc: profile: + let + configs = hosts.${profile}; + in + (mapAttrs (name: value: { inherit profile; } // value) configs) // acc + ) (import ./targets.nix { }) (attrNames hosts); + + # TODO: Move this + masterNodes = [ "stonkstation" ]; + controllers = [ "stonkstation" ]; + in + { + + # homeConfigurations = { + # "toinux" = home-config.lib.mkHomeConfiguration userName homeDir [ ./_home/configuration.nix ]; + # }; + + nixosConfigurations = ( + genAttrs (attrNames targetConfigs) ( + target: + mkLinuxSystem { + inherit target; + + # TODO: moveThis + kubeConfig = { + master = builtins.elem "${target}" masterNodes; + controller = builtins.elem "${target}" controllers; + }; + + # This good + targetConfig = targetConfigs.${target}; + } + ) + ); + + packages = + let + systems = [ "x86_64-linux" ]; + in + genAttrs systems ( + system: + let + inherit (nixpkgs.legacyPackages.${system}) writeShellScriptBin; + in + { + bootstrap = genAttrs (attrNames self.outputs.nixosConfigurations) ( + confName: + 
writeShellScriptBin "bootstrap-${confName}.sh" ( + let + package = nixpkgs.legacyPackages.${system}.nix; + in + '' + set -x + [[ $# -gt 0 ]] || set -- --help + + ${getBin package}/bin/nix --extra-experimental-features 'nix-command flakes' run github:nix-community/nixos-anywhere -- --option show-trace true --flake ${self.outPath}#${confName} $@ + '' + ) + ); + + rebuild = genAttrs (attrNames self.outputs.nixosConfigurations) ( + confName: + writeShellScriptBin "rebuild-${confName}.sh" ( + let + package = nixpkgs.legacyPackages.${system}.nixos-rebuild; + nomPackage = nixpkgs.legacyPackages.${system}.nix-output-monitor; + in + '' + set -x + [[ $# -gt 0 ]] || set -- --help + + ${getBin package}/bin/nixos-rebuild -L --show-trace --option extra-experimental-features 'nix-command flakes' --option eval-cache false --flake ${self.outPath}#${confName} $@ |& ${getBin nomPackage}/bin/nom + '' + ) + ); + + images = genAttrs (attrNames self.outputs.nixosConfigurations) ( + confName: + let + nixConf = self.outputs.nixosConfigurations.${confName}; + in + nixConf.config.system.build.diskoImages + ); + + compressedImages = genAttrs (attrNames self.outputs.nixosConfigurations) ( + confName: + let + pkgs = nixpkgs.legacyPackages.${system}; + nixConf = self.outputs.nixosConfigurations.${confName}; + diskoImages = nixConf.config.system.build.diskoImages; + in + pkgs.runCommand "compressed-disko-${confName}" { nativeBuildInput = [ diskoImages ]; } '' + pwd + + tree="${pkgs.tree}/bin/tree" + xz="${pkgs.xz}/bin/xz" + + $tree $nativeBuildInput . + + mkdir -pv $out + cd $nativeBuildInput + + echo Compressing disk images with xz + echo CAUTION: May take some times + + find . 
-name '*.raw' -print -exec bash -c "$xz -T0 --stdout '{}' > '$out/{}.xz'" \; + '' + + ); + + ddbootstrap = genAttrs (attrNames self.outputs.nixosConfigurations) ( + confName: + writeShellScriptBin "bootstrapImageWithDD-${confName}.sh" ( + let + pvPackage = nixpkgs.legacyPackages.${system}.pv; + + disks = self.outputs.nixosConfigurations.${confName}.config.disko.devices.disk; + images = self.outputs.packages.${system}.images.${confName}; + + devices = filterAttrs (n: v: v ? device && v.device != null) disks; + in + '' + set -eu -o pipefail + set -x + + REMOTE=$1 + echo "Bootstraping ${confName} via ssh on $REMOTE [ssh $@] ?" + echo "CAUTION: Dangerous action -> will erase disks on remote" + echo "Press [ENTER] to continue" + read + + ssh $@ lsblk + echo "CAUTION: Here are the disks found on the remote, is it correct ?" + echo "Press [ENTER] again to continue" + read + + ssh $@ xz --help + + + ${concatMapStringsSep "\n" ( + x: + let + disk = disks.${x}; + in + '' + echo "Pushing ${x} -> ''${REMOTE}:${disk.device}" + ${getBin pvPackage}/bin/pv ${images}/${x}.raw.xz | ssh $@ "xz -T0 -d -c - > ${disk.device}" + '' + ) (attrNames devices)} + '' + ) + ); + } + ); + + # darwinConfigurations = (nixpkgs.lib.genAttrs targets + # (target: mkLinuxSystem { + # inherit target; + + # targetConfig = targetConfigs.${target}; + # }) + # ); + }; +} diff --git a/hosts/clients/configuration.nix b/hosts/clients/configuration.nix new file mode 100644 index 0000000..c915eb0 --- /dev/null +++ b/hosts/clients/configuration.nix @@ -0,0 +1 @@ +{ ... }: { } diff --git a/hosts/clients/default.nix b/hosts/clients/default.nix new file mode 100644 index 0000000..03f9fbc --- /dev/null +++ b/hosts/clients/default.nix 
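Review bot: `initialPassword = "totofaitsestests"` (in the users module inside `mkLinuxSystem`) places a plaintext password for the `wheel` user `toinux` in the flake and in the world-readable Nix store of every host built from it; since sops-nix is already wired in through `sops.defaultSopsFile`, prefer `hashedPasswordFile = config.sops.secrets.<name>.path` or at least `initialHashedPassword`, and keep the literal out of the repository. In `ddbootstrap`, `ssh $@ "xz -T0 -d -c - > ${disk.device}"` overwrites the remote block device with only the two `read` prompts as a guard, and `$@` is unquoted throughout; `"$@"` preserves ssh arguments containing spaces. `nativeBuildInput` in the `runCommand` call for `compressedImages` is not a stdenv attribute (`nativeBuildInputs` is); it only works because `runCommand` exports every attribute as an environment variable, so a comment saying so, or a plain name such as `imagesDir`, would avoid confusion.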
@@ -0,0 +1,10 @@
+args@{ lib, ... }:
+let
+ blacklist = [ ];
+ folders = builtins.attrNames (
+ lib.filterAttrs (n: v: v == "directory" && !lib.hasPrefix "_" n && !builtins.elem n blacklist) (
+ builtins.readDir ./.
+ )
+ );
+in
+lib.genAttrs folders (folder: (import (./. + "/${folder}") (args // { })))
diff --git a/hosts/clients/laptaupe/configuration.nix b/hosts/clients/laptaupe/configuration.nix
new file mode 100644
index 0000000..286e26a
--- /dev/null
+++ b/hosts/clients/laptaupe/configuration.nix
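Review bot: The directory scan here duplicates `filterFunc` in `hosts/default.nix` later in this patch (same `v == "directory"`, `hasPrefix "_"`, `blacklist` and `readDir ./.` logic), so the two will drift apart; a small shared helper taking the blacklist as an argument would keep them in step. `(args // { })` is a no-op merge and can be written `args`.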
@@ -0,0 +1,63 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page, on
+# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
+
+{
+ config,
+ targetConfig,
+ lib,
+ pkgs,
+ ...
+}:
+
+{
+ imports = [
+ # ../../../very/secret/path/s3nsible_config.nix
+ ../../../_system/laptop.nix
+ ];
+
+ # Bootloader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.systemd-boot.configurationLimit = 5;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ # # Not compatible for the moment
+ # boot.initrd.luks.yubikeySupport = true;
+ # boot.initrd.luks.fido2Support = true;
+
+ # boot.initrd.systemd.enable = lib.mkForce false;
+ # boot.plymouth.enable = lib.mkForce false;
+
+ # better to enable it after first-install
+
+ networking = {
+ # networkmanager.enable = true;
+ networkmanager =
+ {
+ enable = true;
+ }
+ // lib.mkIf (config.networking.networkmanager.enable) {
+ extraConfig = lib.concatStringsSep "\n" [
+ "[device]"
+ "match-device=driver:iwlwifi"
+ "wifi.scan-rand-mac-address=no"
+ ];
+ };
+ };
+
+ # Set your time zone.
+ time.timeZone = "Europe/Paris";
+ # Select internationalisation properties.
+ i18n.defaultLocale = "en_US.UTF-8";
+
+ # Allow unfree packages
+ nixpkgs.config.allowUnfree = true;
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = lib.mkForce "23.11"; # Did you read the comment?
+}
diff --git a/hosts/clients/laptaupe/default.nix b/hosts/clients/laptaupe/default.nix
new file mode 100644
index 0000000..73d7016
--- /dev/null
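Review bot: `{ enable = true; } // lib.mkIf (…) { extraConfig = …; }` yields one attrset that carries `_type = "if"`, which the module system treats as a single conditional definition whose content is only `{ extraConfig = …; }`, so `enable = true` is silently dropped and the condition `config.networking.networkmanager.enable` only holds if some other module (possibly the imported `_system/laptop.nix`, outside this hunk) enables NetworkManager. Write it as a plain attrset, `networkmanager = { enable = true; extraConfig = lib.concatStringsSep "\n" [ … ]; };`, or use `lib.mkMerge [ { enable = true; } (lib.mkIf … { … }) ]` if the conditional is really wanted. `wifi.scan-rand-mac-address=no` disables MAC randomisation for scans on this laptop, a tracking trade-off that deserves a comment explaining why iwlwifi needs it. With systemd-boot enabled here, `boot.loader.systemd-boot.editor = false;` would also stop kernel command-line edits from the boot menu.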
+++ b/hosts/clients/laptaupe/default.nix
@@ -0,0 +1,10 @@
+{ ... }:
+{
+ type = "targetConfig";
+
+ bootdisk = "/dev/nvme0n1";
+ crypted = false;
+ # profile = "clients";
+ # interface = "";
+ # mainSerial = 0;
+}
diff --git a/hosts/clients/laptaupe/disk-config.nix b/hosts/clients/laptaupe/disk-config.nix
new file mode 100644
index 0000000..6dffa34
--- /dev/null
+++ b/hosts/clients/laptaupe/disk-config.nix
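Review bot: `crypted = false` leaves this laptop's `/dev/nvme0n1` unencrypted even though `disk-config.nix` in this patch already has a LUKS branch keyed on the flag, so data at rest is unprotected if the device is lost or stolen; unless there is a reason to defer it, set `crypted = true;` and note how the key is provisioned. The commented `# interface = "";` and `# mainSerial = 0;` suggest the keys a targetConfig may carry are optional; a short comment listing them (`type`, `bootdisk`, `crypted`, `profile`, `interface`, `mainSerial`, `bootloader`, `diskTemplate`) would help, since they are consumed across `flake.nix`, `serial-com.nix` and `systemd-boot.nix`.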
@@ -0,0 +1,98 @@
+# Example to create a bios compatible gpt partition
+{ lib, targetConfig, ... }:
+{
+ disko.devices = {
+ disk.disk1 =
+ let
+ crypted = targetConfig ? crypted && targetConfig.crypted;
+
+ lv_PV = {
+ type = "lvm_pv";
+ vg = "ROOT";
+ };
+ in
+ {
+ device = lib.mkDefault "${targetConfig.bootdisk}";
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ boot = {
+ size = "1M";
+ type = "EF02"; # for grub MBR
+ };
+
+ ESP = {
+ size = "512M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ };
+ };
+
+ root = lib.mkIf (!crypted) {
+ size = "100%";
+
+ content = lv_PV;
+ };
+
+ cryptroot = lib.mkIf (crypted) {
+ size = "100%";
+ content = {
+ type = "luks";
+ name = "crypted";
+ extraOpenArgs = [ ];
+ passwordFile = "/tmp/secret.key";
+ settings = {
+ # if you want to use the key for interactive login be sure there is no trailing newline
+ # for example use `echo -n "password" > /tmp/secret.key`
+ # keyFile = "/tmp/secret.key";
+ allowDiscards = true;
+ # crypttabExtraOpts = [
+ # "fido2-device=auto"
+ # "token-timeout=5"
+ # ];
+ # yubikey = {
+ # slot = 1;
+ # twoFactor = false; # Set to false for 1FA
+ # gracePeriod = 5; # Time in seconds to wait for Yubikey to be inserted
+ # # keyLength = 64; # Set to $KEY_LENGTH/8
+ # # saltLength = 16; # Set to $SALT_LENGTH
+
+ # storage = {
+ # device = "/dev/nvme0n1p1"; # Be sure to update this to the correct volume
+ # fsType = "vfat";
+ # # path = "/crypt-storage/default";
+ # };
+ # };
+ };
+
+ # additionalKeyFiles = [ "/tmp/additionalSecret.key" ];
+ content = lv_PV;
+ };
+ };
+ };
+ };
+ };
+
+ lvm_vg = {
+ ROOT = {
+ type = "lvm_vg";
+ lvs = {
+
+ root = {
+ size = "100%FREE";
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/";
+ mountOptions = [ "defaults" ];
+ };
+ };
+ };
+ };
+ };
+ };
+}
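Review bot: `passwordFile = "/tmp/secret.key"` reads the LUKS passphrase from a world-writable directory at install time, and nothing here says how that file is produced, that it must be created with mode 0600, or that it must not be persisted into the image (only the commented `keyFile` line hints at the trailing-newline rule); add a comment above `passwordFile` stating where the key comes from (presumably the installer invoked by the `bootstrap-*.sh` wrapper in `flake.nix`) and who is responsible for removing it. `allowDiscards = true` is a reasonable SSD trade-off but exposes the free-block layout through the LUKS layer, so it deserves a one-line note. `lib.mkDefault "${targetConfig.bootdisk}"` can simply be `lib.mkDefault targetConfig.bootdisk`, and the 1M `EF02` partition is only needed for BIOS GRUB, which this host's `configuration.nix` (systemd-boot) does not use.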
diff --git a/hosts/clients/laptaupe/hardware-configuration.nix b/hosts/clients/laptaupe/hardware-configuration.nix
new file mode 100644
index 0000000..80547cd
--- /dev/null
+++ b/hosts/clients/laptaupe/hardware-configuration.nix
@@ -0,0 +1,49 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+}:
+
+{
+ imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
+
+ boot.initrd = {
+
+ availableKernelModules = [
+ "xhci_pci"
+ "thunderbolt"
+ "nvme"
+ "usbhid"
+ ];
+
+ # Required to open the EFI partition and Yubikey
+ kernelModules = [
+ "vfat"
+ "nls_cp437"
+ "nls_iso8859-1"
+ "usbhid"
+ ];
+ };
+
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ # networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp0s3.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp0s8.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+
+ # virtualisation.virtualbox.guest.enable = true; # TODO: remove
+}
diff --git a/hosts/default.nix b/hosts/default.nix
new file mode 100644
index 0000000..699b88f
--- /dev/null
+++ b/hosts/default.nix
@@ -0,0 +1,28 @@
+# {
+# clients = import ./clients { };
+# miscservers = import ./miscservers { };
+
+# homerouters = import ./homerouters { };
+# routers = import ./routers { };
+# routereflectors = import ./routereflectors { };
+
+# stonkmembers = import ./stonkmembers { };
+# }
+
+args@{ lib, ... }:
+let
+ blacklist = [
+
+ ];
+
+ filterFunc = (
+ n: v:
+ v == "directory"
+
+ && !lib.hasPrefix "_" n
+ && !builtins.elem n blacklist
+ );
+
+ folders = builtins.attrNames (lib.filterAttrs filterFunc (builtins.readDir ./.));
+in
+lib.genAttrs folders (folder: (import (./. + "/${folder}") (args // { })))
diff --git a/hosts/homerouters/_peers/KIT-IG1-RR91.nix b/hosts/homerouters/_peers/KIT-IG1-RR91.nix
new file mode 100644
index 0000000..2ea52dd
--- /dev/null
+++ b/hosts/homerouters/_peers/KIT-IG1-RR91.nix
@@ -0,0 +1,49 @@
+{ ... }:
+let
+ kittenASN = 4242421945;
+in
+{
+ # vultr6
+ # AS64515
+ # Peer-IP : 2001:19f0:ffff::1
+
+ # protocol bgp TRANSIT_VULTR6 {
+ #
+ # multihop 2;
+ #
+
+ # ipv6 {
+ # export filter {
+ # if ( net ~ [ 2a13:79c0:ff00::/40, 2a12:dd47:9330::/44 ] ) then {
+ # accept;
+ # }
+ # reject;
+ # };
+ # import none;
+ # };
+ #
+ # }
+ peerAS = kittenASN;
+ peerIP = "2a13:79c0:ffff:fefe::113:91";
+ localAS = kittenASN;
+
+ multihop = 5;
+
+ # wireguard = {
+ # address = "2a13:79c0:ffff:feff::10c";
+ # port = 51800;
+ # peerKey = "rMTaMWJYlgTKJoE0PnVOo9SKHTppEfYK5KtWjBI9mC8=";
+ # };
+ template = "rrserver";
+ ipv6 = {
+ #imports = null;
+ #imports = x: "filter filter6_IN_BGP_${toString x}";
+ #exports = [ "2a12:dd47:9330::/44" ];
+
+ #exports = null;
+ };
+ ipv4 = {
+ #imports = x: "filter filter4_IN_BGP_${toString x}";
+ #exports = x: "filter6_IN_BGP_${toString x}";
+ };
+}
diff --git a/hosts/homerouters/_peers/default.nix b/hosts/homerouters/_peers/default.nix
new file mode 100644
index 0000000..6b7d84e
--- /dev/null
+++ b/hosts/homerouters/_peers/default.nix
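Review bot: In `KIT-IG1-RR91.nix`, `ipv6` and `ipv4` are empty attrsets with every `imports`/`exports` line commented out, so whatever default the `rrserver` template applies (presumably in `bird_peers.nix`, which is outside this hunk) silently decides what this route-reflector session accepts and announces; an explicit `imports`/`exports` here, or a comment naming the default that applies, would make the routing policy reviewable. The dead `TRANSIT_VULTR6` block and the commented-out `wireguard` stanza belong in git history rather than in the peer definition. `peerAS = kittenASN; localAS = kittenASN;` is an iBGP session, which is consistent with `template = "rrserver"`, but a one-line comment saying so would save the next reader a lookup.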
@@ -0,0 +1,5 @@
+{ ... }:
+{
+ # Internal RR
+ IG1_RR91 = import ./KIT-IG1-RR91.nix { };
+}
diff --git a/hosts/homerouters/aure-home-kitrtr/configuration.nix b/hosts/homerouters/aure-home-kitrtr/configuration.nix
new file mode 100644
index 0000000..7e3fb17
--- /dev/null
+++ b/hosts/homerouters/aure-home-kitrtr/configuration.nix
@@ -0,0 +1,98 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page, on +# https://search.nixos.org/options and in the NixOS manual (`nixos-help`). + +{ + config, + targetConfig, + lib, + pkgs, + ... +}: +let + iface = if targetConfig ? interface then targetConfig.interface else null; + kittenIFACE = "ens19"; +in +{ + #imports = [ ./wireguard.nix ]; + # Bootloader. + #boot.loader.systemd-boot.enable = true; + #boot.loader.systemd-boot.configurationLimit = 5; + #boot.loader.efi.canTouchEfiVariables = true; + boot.loader.grub.efiSupport = false; + boot.loader.grub.enable = true; + # boot.loader.grub.efiInstallAsRemovable = true; + # boot.loader.efi.efiSysMountPoint = "/boot/efi"; + # Define on which hard drive you want to install Grub. + #boot.loader.grub.devices = [ "${targetConfig.bootdisk}" ]; # or "nodev" for efi only + + # Pick only one of the below networking options. + # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. + # networking.networkmanager.enable = true; # Easiest to use and most distros use this by default. + networking = { + #nameservers = [ "1.3.3.7" ]; + interfaces = { + "${iface}".useDHCP = true; + + "${kittenIFACE}" = { + + # ipv4.addresses = [ + # { + # address = "185.10.17.209"; + # prefixLength = 24; + # } + # ]; + + ipv6.addresses = [ + { + address = "2a13:79c0:ffff:feff:b00b:caca:b173:25"; + prefixLength = 112; + } + ]; + }; + }; + + # defaultGateway = { + # address = "185.10.17.254"; + # metric = 42; + # interface = iface; + # }; + + # defaultGateway6 = { + # address = "fe80::1"; + # metric = 42; + # interface = iface; + # }; + + useDHCP = false; + #dhcpcd.enable = false; + }; + + systemd.network.enable = true; + + # Set your time zone. 
+ time.timeZone = "Europe/Paris"; + + nixpkgs.config.allowUnfree = true; + # Configure network proxy if necessary + # networking.proxy.default = "http://user:password@proxy:port/"; + # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; + + # This option defines the first version of NixOS you have installed on this particular machine, + # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. + # + # Most users should NEVER change this value after the initial install, for any reason, + # even if you've upgraded your system to a new NixOS release. + # + # This value does NOT affect the Nixpkgs version your packages and OS are pulled from, + # so changing it will NOT upgrade your system. + # + # This value being lower than the current NixOS release does NOT mean your system is + # out of date, out of support, or vulnerable. + # + # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration, + # and migrated your data accordingly. + # + # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion . + system.stateVersion = "23.11"; # Did you read the comment? +} diff --git a/hosts/homerouters/aure-home-kitrtr/default.nix b/hosts/homerouters/aure-home-kitrtr/default.nix new file mode 100644 index 0000000..e9b588e --- /dev/null +++ b/hosts/homerouters/aure-home-kitrtr/default.nix 
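Review bot: `iface` falls back to `null` when `targetConfig` has no `interface`, but it is then used as an attribute name in `"${iface}".useDHCP = true;`, and Nix cannot coerce `null` to a string there, so the fallback only turns a clear missing-option error into an obscure one; either fail fast with `iface = targetConfig.interface;` or wrap the entry in `lib.optionalAttrs (iface != null) { "${iface}".useDHCP = true; }`. The same pattern appears in hosts/homerouters/toinux-home-kitrtr/configuration.nix. `boot.loader.grub.enable = true` is set while `boot.loader.grub.devices` is commented out; if the device is not supplied by one of the `_system` modules, evaluation will stop on the GRUB assertion, so a comment naming where `devices` is defined would help.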
@@ -0,0 +1,30 @@ +{ ... }: +{ + type = "targetConfig"; + + bootdisk = "/dev/vda"; + diskTemplate = "simple_singleFullRoot"; + + interface = "ens18"; + # mainSerial = 0; + + birdConfig = { + # inherit transitInterface; + + # router-id = ; + + # loopback4 = ""; + loopback6 = "2a13:79c0:ffff:fefe::22f0"; + + static6 = [ + "::/0 recursive 2a13:79c0:ffff:fefe::b00b" + + # "2a13:79c0:ffff:feff:b00b:caca:b173:0/112 unreachable" # Direct on ens19 + "2a13:79c0:fffe:100::/56 unreachable" + + #"2a13:79c0:ffff::/48 unreachable" # Networking stuff + #"2a13:79c0:ffff:fefe::/64 unreachable" # LoopBacks + #"2a13:79c0:ff00::/40 unreachable" # full range /40 + ]; + }; +} diff --git a/hosts/homerouters/aure-home-kitrtr/hardware-configuration.nix b/hosts/homerouters/aure-home-kitrtr/hardware-configuration.nix new file mode 100644 index 0000000..36b4585 --- /dev/null +++ b/hosts/homerouters/aure-home-kitrtr/hardware-configuration.nix @@ -0,0 +1,34 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ + config, + lib, + pkgs, + modulesPath, + ... +}: + +{ + imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; + + boot.initrd.availableKernelModules = [ + "ata_piix" + "uhci_hcd" + "virtio_pci" + "sr_mod" + "virtio_blk" + ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.ens18.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} 
diff --git a/hosts/homerouters/aure-home-kitrtr/peers/KIT-IG1-RTR.nix b/hosts/homerouters/aure-home-kitrtr/peers/KIT-IG1-RTR.nix new file mode 100644 index 0000000..54a52dc --- /dev/null +++ b/hosts/homerouters/aure-home-kitrtr/peers/KIT-IG1-RTR.nix @@ -0,0 +1,30 @@ +{ ... }: +let + kittenASN = 4242421945; +in +{ + peerAS = kittenASN; + peerIP = "2a13:79c0:ffff:feff::53"; + localAS = kittenASN; + + wireguard = { + address = "2a13:79c0:ffff:feff::52"; + # port = 51842; + endpoint = "78.40.121.76:51842"; + peerKey = "gDriA5mhKKh44OHEIxmmevphoVRLK45TRJmFS1DV1i4="; + }; + + template = "kittunderlay"; + bgpMED = 100; + ipv6 = { + #imports = null; + imports = x: "filter filter6_IN_BGP_${toString x}"; + #exports = [ "2a12:dd47:9330::/44" ]; + + #exports = null; + }; + ipv4 = { + imports = x: "filter filter4_IN_BGP_${toString x}"; + #exports = x: "filter6_IN_BGP_${toString x}"; + }; +} diff --git a/hosts/homerouters/aure-home-kitrtr/peers/default.nix b/hosts/homerouters/aure-home-kitrtr/peers/default.nix new file mode 100644 index 0000000..309e3f2 --- /dev/null +++ b/hosts/homerouters/aure-home-kitrtr/peers/default.nix @@ -0,0 +1,20 @@ +{ ... }: +let + defaultPeers = import ../../_peers { }; +in +defaultPeers +// { + + # Transit + # TRS_virtua6_RS01 = import ./TRS-virtua6-RS01.nix { }; + # TRS_virtua6_RS02 = import ./TRS-virtua6-RS02.nix { }; + + # # Internal Tunnels + KIT_IG1_RTR = import ./KIT-IG1-RTR.nix { }; + # virtuaNix_PAR = import ./KIT-VIRTUA-EDGE.nix { }; + # vultrNix_PAR = import ./KIT-VULTR-EDGE.nix { }; + # # LGC_virtua_PAR = import ./KIT-VIRTUA-EDGE.legacy.nix { }; + + # toinuxMEL1 = import ./KIT-toinux-MEL1.nix { }; + # roumainNTE = import ./KIT-roumain-NTE.nix { }; +} diff --git a/hosts/homerouters/bird.nix b/hosts/homerouters/bird.nix new file mode 100644 index 0000000..5e8eef8 --- /dev/null +++ b/hosts/homerouters/bird.nix 
@@ -0,0 +1,318 @@ +{ + lib, + config, + target, + targetConfig, + ... +}: +let + inherit (lib) + optional + optionals + optionalString + mkOrder + attrNames + filterAttrs + concatStringsSep + concatMapStringsSep + ; + + birdCfg = config.services.bird2; + + srvCfg = + let + cfg = + if targetConfig ? birdConfig then + targetConfig.birdConfig + else + import (./. + "/${target}/birdconfig.nix") { inherit targetConfig; }; + in + if cfg ? peers then + cfg + else + let + peers = (import (./. + "/${target}/peers/") { }); + in + (cfg // { inherit peers; }); + + rrs = attrNames (filterAttrs (n: v: v ? template && v.template == "rrserver") srvCfg.peers); + + lo4 = + if (srvCfg ? loopback4 && srvCfg.loopback4 != null && srvCfg.loopback4 != "") then + srvCfg.loopback4 + else + null; + + lo6 = + if (srvCfg ? loopback6 && srvCfg.loopback6 != null && srvCfg.loopback6 != "") then + srvCfg.loopback6 + else + null; +in +{ + imports = [ + ./bird_peers.nix + # ./bird_statics.nix + ]; + + config = { + + sops.templates."bird_secrets.conf" = { + owner = "bird2"; + }; + + _module.args = { + birdConfig = srvCfg; + }; + + networking.firewall.allowedTCPPorts = [ + 179 # BGP + 1790 # Internal BGP + ]; + + networking.interfaces.lo = { + ipv4.addresses = lib.mkIf (lo4 != null) [ + { + address = "${toString srvCfg.loopback4}"; + prefixLength = 32; + } + ]; + ipv6.addresses = lib.mkIf (lo6 != null) [ + { + address = "${toString srvCfg.loopback6}"; + prefixLength = 128; + } + ]; + }; + + services.bird2.preCheckConfig = '' + echo "Bird configuration include these resources" + grep include bird2.conf + + LINE=$(grep -n include bird2.conf | grep bird_secrets.conf | head -1 | cut -d: -f1) + if [ ! 
-z "$LINE" ]; then + echo "Found secrets importing, will substitute it with placeholders values" + sed ''${LINE}d -i bird2.conf + sed "$(($LINE))i"'include "_secrets_substitute.conf";' -i bird2.conf + + cat > _secrets_substitute.conf <<< ' + ${config.sops.templates."bird_secrets.conf".content} + ' + + # cat _secrets_substitute.conf bird2.conf + fi + ''; + + services.bird2.config = mkOrder 0 ( + concatStringsSep "\n\n" ( + let + transitIFACE = if srvCfg ? transitInterface then srvCfg.transitInterface else null; + + quoteString = x: ''"${x}"''; + in + [ + "log syslog all;" + + ''include "${config.sops.templates."bird_secrets.conf".path}";'' + + '' + # The Device protocol is not a real routing protocol. It does not generate any + # routes and it only serves as a module for getting information about network + # interfaces from the kernel. It is necessary in almost any configuration. + protocol device DEV {} + + # The direct protocol is not a real routing protocol. It automatically generates + # direct routes to all network interfaces. Can exist in as many instances as you + # wish if you want to populate multiple routing tables with direct routes. 
+ protocol direct DIRECT { + #disabled; + check link on; + ipv4; + ipv6; + interface "*"; + } + '' + + '' + #<== Générique + function is_valid4_network() { + return net ~ [ + 172.23.193.192/26, + 172.23.193.192/26{32,32} + ]; + } + + function is_valid6_network() { + return net ~ [ + 2a13:79c0:ff00::/40, + 2a13:79c0:ffff::/48{48,64}, + 2a13:79c0:ffff:fefe::/64{128,128}, + 2a13:79c0:ffff:feff::/64{112,112} + ]; + } + + + function is_rr_valid6_network() { + return net ~ [ + ${ + optionalString (transitIFACE != null) "::/0," + } # Announce (or not) default route [transitInterface = ${toString transitIFACE}] + 2a13:79c0:ff00::/40, + 2a13:79c0:ff00::/48+, # Special case for Toinux home + # 2a13:79c0:ffff:fefe::/64{128,128}, + # 2a13:79c0:ffff:feff::/64{112,112}, + 2a13:79c0:ffff::/48{48,64}, + 2a13:79c0:fffe::/48{56,56} + ]; + } + + '' + + '' + # The Kernel protocol is not a real routing protocol. Instead of communicating + # with other routers in the network, it performs synchronization of BIRD + # routing tables with the OS kernel. One instance per table. + protocol kernel KERNEL4 { + ipv4 { # Connect protocol to IPv4 table by channel + # table master4; # Default IPv4 table is master4 + # import all; # Import to table, default is import all + # export all; # Export to protocol. 
default is export none + export filter { + if ( is_valid4_network() || source ~ [RTS_STATIC] || proto ~ "(${concatStringsSep "|" rrs})" + ) then { + ${ + optionalString (lo4 != null) '' + if source ~ [RTS_BGP] || net ~ [ 0.0.0.0/0 ] then { + krt_prefsrc=${lo4}; + } + '' + } + accept; + } else reject; + }; + }; + merge paths on; + # learn; # Learn alien routes from the kernel + # kernel table 10; # Kernel table to synchronize with (default: main) + } + + # Another instance for IPv6, skipping default options + protocol kernel KERNEL6 { + # ipv6 { export all; }; + ipv6 { + export filter { + if ( is_valid6_network() || source ~ [RTS_STATIC] || proto ~ "(${concatStringsSep "|" rrs})" ) then { + ${ + optionalString (lo6 != null) '' + if source ~ [RTS_BGP] || net ~ [ ::/0 ] then { + krt_prefsrc=${lo6}; + } + '' + } + accept; + } else reject; + }; + }; + + merge paths on; + } + '' + + '' + + template bgp rrserver { + local port 1790; + neighbor port 179; + multihop 5; + + ipv4 { + gateway recursive; + extended next hop; + next hop self; + + import filter { accept; }; + + export none; + # export filter { if is_v4_network() && source ~ [RTS_STATIC, RTS_DEVICE, RTS_BGP, RTS_OSPF] then accept; else reject; }; + import limit 1000 action block; + igp table master4; # IGP table for routes with IPv4 nexthops + # igp table master6; # IGP table for routes with IPv4 nexthops + }; + + ipv6 { + gateway recursive; + next hop self; + + import filter { accept; }; + export filter { if is_rr_valid6_network() && source ~ [RTS_STATIC, RTS_DEVICE, RTS_BGP, RTS_OSPF] then accept; else reject; }; + import limit 1000 action block; + igp table master6; # IGP table for routes with IPv6 nexthops + }; + + } + '' + + '' + template bgp kittunderlay { + # local as 4242421945; + # neighbor as kittenASN; + local port 1790; + neighbor port 1790; + rr client; + path metric off; + ipv4 { + extended next hop; + next hop self; + import keep filtered; + + import filter { + if is_valid4_network() then { + if 
defined( bgp_med ) then + bgp_med = bgp_med + 1000; + else { + bgp_med = 1000; + } + accept; + } else reject; + }; + + export filter { if is_valid4_network() && source ~ [RTS_STATIC, RTS_DEVICE, RTS_BGP, RTS_OSPF] then accept; else reject; }; + import limit 1000 action block; + }; + + ipv6 { + next hop self; + import keep filtered; + + import filter { + if is_valid6_network() then { + if defined( bgp_med ) then + bgp_med = bgp_med + 1000; + else { + bgp_med = 1000; + } + accept; + } else reject; + }; + + export filter { if is_valid6_network() && source ~ [RTS_STATIC, RTS_DEVICE, RTS_BGP, RTS_OSPF] then accept; else reject; }; + import limit 1000 action block; + }; + + } + '' + ] + ++ + optionals (srvCfg ? static6 && builtins.typeOf srvCfg.static6 == "list" && srvCfg.static6 != [ ]) + [ + '' + protocol static STATIC6 { + ipv6; + ${concatStringsSep "\n" (map (x: " " + "route ${x};") srvCfg.static6)} + } + '' + ] + ) + ); + }; +} diff --git a/hosts/homerouters/bird_peers.nix b/hosts/homerouters/bird_peers.nix new file mode 100644 index 0000000..dc316bb --- /dev/null +++ b/hosts/homerouters/bird_peers.nix 
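Review bot: `proto ~ "(${concatStringsSep "|" rrs})"` in the KERNEL4/KERNEL6 export filters relies on regex alternation, but as far as I know BIRD's string `~` uses shell-style wildcards (`*`, `?`), so the parenthesised pattern never matches a protocol name and routes learned from the route reflectors that fail `is_valid{4,6}_network()` (the RR-advertised `::/0` in particular) are never exported to the kernel. Building the test from equality is unambiguous: `rrMatch = if rrs == [ ] then "false" else concatMapStringsSep " || " (x: ''proto = "${x}"'') rrs;` in the `let`, then `|| ( ${rrMatch} )` in both filters. Separately, `networking.firewall.allowedTCPPorts = [ 179 1790 ]` opens both BGP ports on every interface including the DHCP uplink `ens18`; scoping them with `networking.firewall.interfaces.<name>.allowedTCPPorts`, as wireguard.nix already does for its UDP ports, would limit exposure. `quoteString` and the inherited `optional` and `concatMapStringsSep` are unused in this file.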
@@ -0,0 +1,199 @@ +{ + lib, + target, + config, + targetConfig, + birdConfig, + ... +}: +let + inherit (lib) listToAttrs nameValuePair; + + peers = birdConfig.peers; + + peersWithPasswordRef = lib.attrsets.filterAttrs (n: v: v ? passwordRef) peers; + + passwords = lib.unique (lib.attrsets.mapAttrsToList (n: v: v.passwordRef) peersWithPasswordRef); +in +{ + + sops.secrets = lib.mkIf (passwords != [ ]) ( + listToAttrs ( + map (n: lib.nameValuePair "bird_secrets/${n}" { reloadUnits = [ "bird2.service" ]; }) passwords + ) + ); + + sops.templates."bird_secrets.conf".content = lib.mkIf (passwords != [ ]) ( + lib.mkMerge ( + map (password: '' + define secretPassword_${password} = "${config.sops.placeholder."bird_secrets/${password}"}"; + '') passwords + ) + ); + + services.bird2.config = + let + mkPeersFuncArgs = (x: { peerName = x; } // peers.${x}); + + toLines = + nindent: + let + indent = lib.concatMapStrings (_: " ") (lib.range 1 nindent); + in + builtins.concatStringsSep "\n${indent}"; + + withType = types: x: lib.toFunction types.${builtins.typeOf x} x; + + peersFunc = + x@{ + peerName, + peerIP, + peerAS ? 65666, + + localIP ? "", + localAS ? 65666, + + multihop ? 0, + template ? "", + + password ? "", + passwordRef ? "", + + ipv4 ? { }, + ipv6 ? { }, + + bgpMED ? null, + + wireguard ? { }, + interface ? + if (wireguard != { }) then + (if wireguard ? interface then wireguard.interface else peerName) + else + null, + ... 
+ }: + let + inherit (lib) optionalString; + inherit (builtins) concatStringsSep toJSON; + in + '' + ${optionalString (bgpMED != null) "define bgpMED_${toString peerName} = ${toString bgpMED};"} + ${optionalString (template == "kittunderlay") '' + filter filter4_IN_BGP_${toString peerName} { + if is_valid4_network() then { + if defined( bgp_med ) then + bgp_med = bgp_med + bgpMED_${toString peerName}; + else { + bgp_med = bgpMED_${toString peerName}; + } + accept; + } else reject; + } + + filter filter6_IN_BGP_${toString peerName} { + if is_valid6_network() then { + if defined( bgp_med ) then + bgp_med = bgp_med + bgpMED_${toString peerName}; + else { + bgp_med = bgpMED_${toString peerName}; + } + accept; + } else reject; + } + ''} + + # ${optionalString (x ? debug && x.debug == true) (toJSON x)} + # L: AS${toString localAS} | R: AS${toString peerAS} + protocol bgp ${toString peerName} ${optionalString (template != "") "from ${toString template}"} { + local ${ + optionalString (localIP != "") (toString localIP) + } as ${toString localAS}; # localIP: "${toString localIP}" + neighbor ${toString peerIP} as ${toString peerAS}; + ${optionalString (interface != null) ''interface "${interface}";''} + ${ + if multihop == 0 then + "direct;" + else + "multihop ${ + optionalString (multihop != -1) toString (if multihop < -1 then -1 * multihop else multihop) + };" + } # multihop: ${toString multihop} + + ${ + optionalString (password != "") + ''password "${ + assert lib.asserts.assertMsg ( + passwordRef == "" + ) "U defined a passwordRef, why do you still want to leak password ?"; + toString ( + lib.warn "bird2 peers password is insecure consider using passwordRef with a bird_secrets file" password + ) + }"; # Not-Secured cleartext access for @everyone'' + } + ${ + optionalString ( + passwordRef != "" + ) "password secretPassword_${toString passwordRef}; # Defined in secrets file" + } + + ${ + optionalString (ipv6 != { }) '' + ipv6 { + ${ + optionalString (ipv6 ? 
imports && ipv6.imports != "" && ipv6.imports != [ ]) ( + let + myType = withType { + string = x: " import ${x};"; + null = x: " import none;"; + lambda = f: myType (f peerName); + list = x: '' + # ${toJSON x} + import filter { + if ( net ~ [ ${concatStringsSep ", " x} ] ) then { + accept; + } + reject; + }; + ''; + }; + in + myType ipv6.imports + ) + } + ${ + optionalString (ipv6 ? exports && ipv6.exports != "" && ipv6.exports != [ ]) ( + let + myType = withType { + string = x: " export ${x};"; + null = x: " export none;"; + lambda = f: myType (f peerName); + list = x: '' + # ${toJSON x} + export filter { + if ( net ~ [ ${concatStringsSep ", " x} ] ) then { + accept; + } + reject; + }; + ''; + }; + in + myType ipv6.exports + ) + } + }; + '' + } + + } + '' + + ; + in + lib.mkOrder 50 ( + builtins.concatStringsSep "\n" ( + [ "# Nix-OS Generated for ${target}" ] + ++ (map (x: "# ${x}\n${peersFunc (mkPeersFuncArgs x)}") (builtins.attrNames peers)) + ) + ); +} diff --git a/hosts/homerouters/configuration.nix b/hosts/homerouters/configuration.nix new file mode 100644 index 0000000..23c5c16 --- /dev/null +++ b/hosts/homerouters/configuration.nix 
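Review bot: `multihop ${optionalString (multihop != -1) toString (...)};` is parsed as `(optionalString cond toString) (...)`, so for `multihop = -1` it applies the string `""` to a number and evaluation aborts with "attempt to call something which is not a function" instead of emitting a bare `multihop;`; the `toString` call needs its own parentheses: `multihop ${optionalString (multihop != -1) (toString (if multihop < -1 then -1 * multihop else multihop))};`. The `ipv4` argument of `peersFunc` is accepted but never rendered, so `ipv4.imports = x: "filter filter4_IN_BGP_…"` in hosts/homerouters/aure-home-kitrtr/peers/KIT-IG1-RTR.nix is silently dropped and that peer's IPv4 channel keeps the template's fixed +1000 MED while IPv6 gets the per-peer `bgpMED`; factoring the channel rendering into one helper applied to both families fixes that and removes the duplicated import/export code, sketched below. The debug line `# ${optionalString (x ? debug && x.debug == true) (toJSON x)}` sits inside the Nix string, so the interpolation still runs and `toJSON` on the lambda-valued `imports` (or a cleartext `password`) would be evaluated into the rendered config; since it is meant as a comment it should be a Nix comment or be removed.
```nix
# … unchanged: let-bindings above peersFunc (peers, toLines, withType) …
# Renders one BGP channel ("ipv4"/"ipv6") from a peer's { imports, exports } attrset:
# a string is used verbatim, null means "none", a lambda is called with peerName,
# a list becomes a prefix filter.
mkChannel =
  peerName: family: chan:
  let
    present = key: builtins.hasAttr key chan && chan.${key} != "" && chan.${key} != [ ];
    render =
      keyword:
      withType {
        string = x: " ${keyword} ${x};";
        null = x: " ${keyword} none;";
        lambda = f: render keyword (f peerName);
        list = x: ''
          # ${builtins.toJSON x}
          ${keyword} filter {
            if ( net ~ [ ${builtins.concatStringsSep ", " x} ] ) then {
              accept;
            }
            reject;
          };
        '';
      };
  in
  lib.optionalString (chan != { }) ''
    ${family} {
      ${lib.optionalString (present "imports") (render "import" chan.imports)}
      ${lib.optionalString (present "exports") (render "export" chan.exports)}
    };
  '';
# … unchanged: peersFunc header, per-peer filters and protocol preamble …
${mkChannel peerName "ipv4" ipv4}
${mkChannel peerName "ipv6" ipv6}
# … unchanged: protocol closing brace and mkOrder wrapping …
```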
@@ -0,0 +1,55 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page, on +# https://search.nixos.org/options and in the NixOS manual (`nixos-help`). + +{ + config, + lib, + pkgs, + ... +}: + +{ + imports = [ + # Include the results of the hardware scan. + ./bird.nix # Bird Routing + ./wireguard.nix + ./firewall.nix + ]; + + # Configure network proxy if necessary + # networking.proxy.default = "http://user:password@proxy:port/"; + # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; + + # Select internationalisation properties. + i18n.defaultLocale = "en_US.UTF-8"; + + # Net Basics + networking.useNetworkd = true; + systemd.network.enable = true; + systemd.network.wait-online.enable = false; + + # List services that you want to enable: + services.bird2 = { + enable = true; + autoReload = true; + }; + + # This option defines the first version of NixOS you have installed on this particular machine, + # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. + # + # Most users should NEVER change this value after the initial install, for any reason, + # even if you've upgraded your system to a new NixOS release. + # + # This value does NOT affect the Nixpkgs version your packages and OS are pulled from, + # so changing it will NOT upgrade your system. + # + # This value being lower than the current NixOS release does NOT mean your system is + # out of date, out of support, or vulnerable. + # + # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration, + # and migrated your data accordingly. + # + # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion . + system.stateVersion = "23.11"; # Did you read the comment? +} 
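Review bot: The comment `# Include the results of the hardware scan.` above the `imports` list is stale — the list pulls in bird.nix, wireguard.nix and firewall.nix, and hardware-configuration.nix is not among them; replacing it with `# Router role: BGP (bird), WireGuard underlay and the forwarding firewall` would describe what is actually imported. `systemd.network.wait-online.enable = false;` deserves a one-line why-comment, as the reason for disabling wait-online is not visible here.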
diff --git a/hosts/homerouters/default.nix b/hosts/homerouters/default.nix new file mode 100644 index 0000000..ea850cf --- /dev/null +++ b/hosts/homerouters/default.nix @@ -0,0 +1,14 @@ +# { +# # toinux-home-kitrtr = import ./toinux-home-kitrtr { }; +# aure-home-kitrtr = import ./aure-home-kitrtr { }; +# } +args@{ lib, ... }: +let + blacklist = [ ]; + folders = builtins.attrNames ( + lib.filterAttrs (n: v: v == "directory" && !lib.hasPrefix "_" n && !builtins.elem n blacklist) ( + builtins.readDir ./. + ) + ); +in +lib.genAttrs folders (folder: (import (./. + "/${folder}") (args // { }))) diff --git a/hosts/homerouters/firewall.nix b/hosts/homerouters/firewall.nix new file mode 100644 index 0000000..ac21204 --- /dev/null +++ b/hosts/homerouters/firewall.nix 
@@ -0,0 +1,136 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page, on +# https://search.nixos.org/options and in the NixOS manual (`nixos-help`). + +{ + lib, + pkgs, + targetConfig, + birdConfig, + ... +}: +let + IFACE = if targetConfig ? interface then targetConfig.interface else null; + + transitedNetworks = + if (birdConfig ? transitNetworks && birdConfig.transitNetworks != null) then + birdConfig.transitNetworks + else + [ + "2a13:79c0:ff00::/44" # Transits Customer ranges: 2a13:79c0:{ff00-ff0f}::/48 + "2a13:79c0:ffff:fefe::/64" + "2a13:79c0:ffff:feff:b00b::/80" + ]; + + transitIFACEs = + [ ] + ++ lib.optionals (birdConfig ? transitInterfaces) birdConfig.transitInterfaces + ++ lib.optional (birdConfig ? transitInterface) birdConfig.transitInterface; + + wgPeers = filterAttrs (n: v: v ? wireguard && v.wireguard != { }) birdConfig.peers; + + inherit (lib) + mkAfter + optionalString + concatStringsSep + concatMapStringsSep + attrNames + filterAttrs + ; +in + +{ + + config = { + boot.kernel.sysctl = { + "net.ipv4.ip_forward" = 1; + "net.ipv6.conf.all.forwarding" = 1; + + "net.ipv4.conf.all.src_valid_mark" = 1; + + # "net.ipv4.conf.default.rp_filter" = 2; + # "net.ipv4.conf.all.rp_filter" = 2; + + # "net.ipv6.conf.all.keep_addr_on_down" = 1; + # "net.ipv4.raw_l3mdev_accept" = 1; + # "net.ipv4.tcp_l3mdev_accept" = 1; + # "net.ipv4.udp_l3mdev_accept" = 1; + }; + + # environment.systemPackages = with pkgs; [ ferm ]; # Prepare an eventual switch to FERM + + networking.nftables = { + enable = true; + + tables."nixos-fw".content = + let + quoteString = x: ''"${x}"''; + + defines = '' + define transitIFACEs = { ${concatMapStringsSep ", " quoteString transitIFACEs} } + define transitNETs = { ${concatStringsSep ", " transitedNetworks} } + + define wireguardIFACEs = { ${concatMapStringsSep ", " quoteString (attrNames wgPeers)} } + ''; + + extraForwardRules = '' + + ${optionalString 
(transitedNetworks != [ ] && transitIFACEs != [ ]) '' + # iifname $wireguardIFACEs oifname $transitIFACEs counter accept + ip6 saddr $transitNETs iifname $wireguardIFACEs oifname $transitIFACEs counter accept + ip6 daddr $transitNETs oifname $wireguardIFACEs iifname $transitIFACEs counter accept + ''} + + ${optionalString ( + wgPeers != { } + ) "iifname $wireguardIFACEs oifname $wireguardIFACEs counter accept"} + + # ip6 daddr 2a13:79c0:ff00::/48 counter accept + # ip6 daddr { 2a13:79c0:ffff:feff:b00b:3945:a51:b00b, 2a13:79c0:ffff:feff:b00b:3945:a51:dead } counter accept + + # ip6 daddr 2a13:79c0:ffff:fefe::113:91 tcp dport { 179, 1790 } counter accept + + # ip6 saddr 2a13:79c0:ffff:feff:b00b::/80 ip6 daddr 2a13:79c0:ffff:fefe::/64 counter accept + + # ip6 saddr { 2a13:79c0:ffff:fefe::/64, 2a13:79c0:ffff:feff::/64 } ip6 daddr { 2a13:79c0:ffff:fefe::/64, 2a13:79c0:ffff:feff::/64 } counter accept + ''; + in + mkAfter '' + # FireWall Test Configs + ${defines} + + chain forward { + type filter hook forward priority filter; policy drop; + # We want StateLess firewalling + # ct state vmap { + # invalid : jump forward-allow, + # established : accept, + # related : accept, + # new : jump forward-allow, + # untracked : jump forward-allow, + # } + jump forward-rules + } + + chain forward-rules { + icmpv6 type != { router-renumbering, 139 } accept comment "Accept all ICMPv6 messages except renumbering and node information queries (type 139). See RFC 4890, section 4.3." + ct status dnat accept comment "allow port forward" + ${extraForwardRules} + } + ''; + }; + + # Open ports in the firewall. + networking.firewall = { + enable = true; + + allowedTCPPorts = [ 22 ]; + # allowedUDPPorts = [ ... ]; + + # checkReversePath = "loose"; + checkReversePath = false; + + filterForward = false; + }; + }; +} diff --git a/hosts/homerouters/toinux-home-kitrtr/configuration.nix b/hosts/homerouters/toinux-home-kitrtr/configuration.nix new file mode 100644 index 0000000..3de8a5f --- /dev/null 
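Review bot: The three `define` lines are emitted unconditionally while the rules that use them are guarded, so for the two hosts in this patch (neither sets `transitInterface`, and toinux has no WireGuard peers) the table receives `define transitIFACEs = { }` and `define wireguardIFACEs = { }`; I believe nft rejects an empty set literal, so the defines should be guarded the same way, e.g. `${optionalString (transitIFACEs != [ ]) "define transitIFACEs = { ${concatMapStringsSep ", " quoteString transitIFACEs} }"}`. The `iifname $wireguardIFACEs oifname $wireguardIFACEs counter accept` rule forwards between tunnels with no source check, and `checkReversePath = false` switches off the kernel's reverse-path filter, so nothing validates source addresses on tunnel-to-tunnel transit; adding `ip6 saddr $transitNETs` to that rule (or restoring the commented `checkReversePath = "loose"` if the asymmetric tunnel routing tolerates it) would close that gap. `IFACE` and `pkgs` are unused in this file, and the `# FireWall Test Configs` header reads as a leftover.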
+++ b/hosts/homerouters/toinux-home-kitrtr/configuration.nix 
@@ -0,0 +1,98 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page, on +# https://search.nixos.org/options and in the NixOS manual (`nixos-help`). + +{ + config, + targetConfig, + lib, + pkgs, + ... +}: +let + iface = if targetConfig ? interface then targetConfig.interface else null; +in +# kittenIFACE = "ens19"; +{ + #imports = [ ./wireguard.nix ]; + # Bootloader. + #boot.loader.systemd-boot.enable = true; + #boot.loader.systemd-boot.configurationLimit = 5; + #boot.loader.efi.canTouchEfiVariables = true; + boot.loader.grub.efiSupport = false; + boot.loader.grub.enable = true; + # boot.loader.grub.efiInstallAsRemovable = true; + # boot.loader.efi.efiSysMountPoint = "/boot/efi"; + # Define on which hard drive you want to install Grub. + #boot.loader.grub.devices = [ "${targetConfig.bootdisk}" ]; # or "nodev" for efi only + + # Pick only one of the below networking options. + # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. + # networking.networkmanager.enable = true; # Easiest to use and most distros use this by default. + networking = { + #nameservers = [ "1.3.3.7" ]; + interfaces = { + "${iface}".useDHCP = true; + + # "${kittenIFACE}" = { + + # # ipv4.addresses = [ + # # { + # # address = "185.10.17.209"; + # # prefixLength = 24; + # # } + # # ]; + + # ipv6.addresses = [ + # { + # address = "2a13:79c0:ffff:feff:b00b:3965:113:25"; + # prefixLength = 112; + # } + # ]; + # }; + }; + + # defaultGateway = { + # address = "185.10.17.254"; + # metric = 42; + # interface = iface; + # }; + + # defaultGateway6 = { + # address = "fe80::1"; + # metric = 42; + # interface = iface; + # }; + + useDHCP = false; + #dhcpcd.enable = false; + }; + + systemd.network.enable = true; + + # Set your time zone. 
+ time.timeZone = "Europe/Paris"; + + nixpkgs.config.allowUnfree = true; + # Configure network proxy if necessary + # networking.proxy.default = "http://user:password@proxy:port/"; + # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; + + # This option defines the first version of NixOS you have installed on this particular machine, + # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. + # + # Most users should NEVER change this value after the initial install, for any reason, + # even if you've upgraded your system to a new NixOS release. + # + # This value does NOT affect the Nixpkgs version your packages and OS are pulled from, + # so changing it will NOT upgrade your system. + # + # This value being lower than the current NixOS release does NOT mean your system is + # out of date, out of support, or vulnerable. + # + # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration, + # and migrated your data accordingly. + # + # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion . + system.stateVersion = "23.11"; # Did you read the comment? +} diff --git a/hosts/homerouters/toinux-home-kitrtr/default.nix b/hosts/homerouters/toinux-home-kitrtr/default.nix new file mode 100644 index 0000000..fa65318 --- /dev/null +++ b/hosts/homerouters/toinux-home-kitrtr/default.nix 
@@ -0,0 +1,27 @@ +{ ... }: +{ + type = "targetConfig"; + + bootdisk = "/dev/vda"; + diskTemplate = "simple_singleFullRoot"; + + interface = "ens18"; + # mainSerial = 0; + + birdConfig = { + # inherit transitInterface; + + # router-id = ; + + # loopback4 = ""; + loopback6 = "2a13:79c0:ffff:fefe::69:25"; + + static6 = [ + "::/0 recursive 2a13:79c0:ffff:fefe::b00b" + + #"2a13:79c0:ffff::/48 unreachable" # Networking stuff + #"2a13:79c0:ffff:fefe::/64 unreachable" # LoopBacks + #"2a13:79c0:ff00::/40 unreachable" # full range /40 + ]; + }; +} diff --git a/hosts/homerouters/toinux-home-kitrtr/hardware-configuration.nix b/hosts/homerouters/toinux-home-kitrtr/hardware-configuration.nix new file mode 100644 index 0000000..36b4585 --- /dev/null +++ b/hosts/homerouters/toinux-home-kitrtr/hardware-configuration.nix @@ -0,0 +1,34 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ + config, + lib, + pkgs, + modulesPath, + ... +}: + +{ + imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; + + boot.initrd.availableKernelModules = [ + "ata_piix" + "uhci_hcd" + "virtio_pci" + "sr_mod" + "virtio_blk" + ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.ens18.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} 
diff --git a/hosts/homerouters/toinux-home-kitrtr/peers/default.nix b/hosts/homerouters/toinux-home-kitrtr/peers/default.nix new file mode 100644 index 0000000..3e73db0 --- /dev/null +++ b/hosts/homerouters/toinux-home-kitrtr/peers/default.nix @@ -0,0 +1,32 @@ +# // { + +# # Transit +# # TRS_virtua6_RS01 = import ./TRS-virtua6-RS01.nix { }; +# # TRS_virtua6_RS02 = import ./TRS-virtua6-RS02.nix { }; + +# # # Internal Tunnels +# # virtuaNix_PAR = import ./KIT-VIRTUA-EDGE.nix { }; +# # vultrNix_PAR = import ./KIT-VULTR-EDGE.nix { }; +# # # LGC_virtua_PAR = import ./KIT-VIRTUA-EDGE.legacy.nix { }; + +# # aureG8 = import ./KIT-aurelien-RBR.nix { }; +# # toinuxMEL1 = import ./KIT-toinux-MEL1.nix { }; +# # roumainNTE = import ./KIT-roumain-NTE.nix { }; +# } +args@{ lib, ... }: +let + blacklist = [ ]; + + defaultPeers = import ../../_peers { }; + + peers = builtins.attrNames ( + lib.filterAttrs ( + n: v: + lib.hasSuffix ".nix" n + && !lib.hasPrefix "_" n + && !lib.hasPrefix "." n + && !builtins.elem (removeSuffix ".nix" x) blacklist + ) (builtins.readDir ./.) + ); +in +defaultPeers // (lib.genAttrs peers (peer: (import (./. + "/${peer}") (args // { })))) diff --git a/hosts/homerouters/wireguard.nix b/hosts/homerouters/wireguard.nix new file mode 100644 index 0000000..db96a56 --- /dev/null +++ b/hosts/homerouters/wireguard.nix 
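Review bot: The filter in `peers` references `x` and `removeSuffix`, neither of which is in scope (the lambda parameter is `n` and the helper is `lib.removeSuffix`), so importing this file fails with an undefined-variable error. Once that is fixed the filter still matches `default.nix` itself, so the file would `import` itself and recurse forever, and the discovered attribute names keep their `.nix` suffix, which bird_peers.nix turns directly into `protocol bgp <name>` identifiers — the hand-written aure-home-kitrtr/peers/default.nix avoids both by using underscore keys such as `KIT_IG1_RTR`. A corrected discovery is below; it also strips the suffix, normalises the key and keeps only regular files. The leading comment block listing commented-out peers should move into the file body or be dropped, since a comment before the `args@` line is easy to mistake for a second module.
```nix
args@{ lib, ... }:
let
  blacklist = [ ];

  defaultPeers = import ../../_peers { };

  # Peer files are every regular *.nix here except default.nix itself, names starting
  # with "_" or ".", and blacklisted names (given without the .nix suffix).
  peerFiles = builtins.attrNames (
    lib.filterAttrs (
      n: v:
      v == "regular"
      && lib.hasSuffix ".nix" n
      && n != "default.nix"
      && !lib.hasPrefix "_" n
      && !lib.hasPrefix "." n
      && !builtins.elem (lib.removeSuffix ".nix" n) blacklist
    ) (builtins.readDir ./.)
  );

  # Attribute names become BIRD protocol names: strip the suffix, replace "-" and "." with "_".
  peerName = f: lib.replaceStrings [ "-" "." ] [ "_" "_" ] (lib.removeSuffix ".nix" f);
in
defaultPeers
// lib.listToAttrs (
  map (f: lib.nameValuePair (peerName f) (import (./. + "/${f}") (args // { }))) peerFiles
)
```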
@@ -0,0 +1,135 @@ +{ + lib, + pkgs, + config, + + target, + targetConfig, + birdConfig, + ... +}: +let + + # Imports Functions + inherit (lib.attrsets) + filterAttrs + mapAttrs + mapAttrsToList + genAttrs + zipAttrs + optionalAttrs + ; + + inherit (lib.asserts) assertMsg; + + inherit (lib.strings) hasPrefix optionalString; + + inherit (builtins) attrNames; + + # Variables / Functions + + IFACE = if targetConfig ? interface then targetConfig.interface else null; + + peers = filterAttrs (n: v: v ? wireguard && v.wireguard != { }) birdConfig.peers; + + hasPort = (n: v: v.wireguard ? port); + hasIface = (n: v: v.wireguard ? onIFACE); + + peersWithPort = filterAttrs hasPort peers; + + peersWithoutIFACE = filterAttrs (n: v: (!hasIface n v)) peersWithPort; + peersWithIFACE = filterAttrs hasIface peersWithPort; + + portsWithoutIFACE = mapAttrsToList (n: v: v.wireguard.port) peersWithoutIFACE; + portsWithIFACE = zipAttrs ( + mapAttrsToList (n: v: { ${v.wireguard.onIFACE} = v.wireguard.port; }) peersWithIFACE + ); + + mkFWConf = ports: { allowedUDPPorts = ports; }; + + genFWMarkStr = ( + mark: + { + "string" = + assert assertMsg (hasPrefix "0x" mark) "fwMark is string but does not start with 0x is it an int ?"; + mark; + + "int" = toString mark; + + "null" = null; + } + .${builtins.typeOf mark} + + ); + + mkWireguardConf = + name: + let + peer = peers.${name}; + + fwMarkString = ( + let + mark = + if peer.wireguard ? fwMark then + peer.wireguard.fwMark + + else if (peer.wireguard ? onIFACE && peer.wireguard.onIFACE != null) then + peer.wireguard.port + + else + null; + in + genFWMarkStr mark + + ); + in + { + table = "off"; + # Determines the IP/IPv6 address and subnet of the client's end of the tunnel interface + address = [ "${peer.wireguard.address}/127" ]; + # The port that WireGuard listens to - recommended that this be changed from default + listenPort = lib.mkIf (peer.wireguard ? 
port) peer.wireguard.port; + + postUp = '' + ${optionalString (fwMarkString != null) ''wg set ${name} fwmark ${fwMarkString}''} + ''; + + # Path to the server's private key + privateKeyFile = config.sops.secrets.wireguard_serverkey.path; + + peers = [ + { + publicKey = peer.wireguard.peerKey; + #presharedKeyFile = "/root/wireguard-keys/preshared_from_peer0_key"; + persistentKeepalive = 10; + endpoint = lib.mkIf (peer.wireguard ? endpoint) peer.wireguard.endpoint; + + allowedIPs = [ + "0.0.0.0/0" + "::/0" + ]; + } + ]; + }; +in +{ + # sops --set '["wireguard_serverkey"] "'"$(wg genkey | tee >(wg pubkey > /dev/stderr))"'"' secrets/vultr-kit-edge.yaml + sops.secrets.wireguard_serverkey = { }; + environment.systemPackages = with pkgs; [ wireguard-tools ]; + + # Open FireWall Ports + networking.firewall = lib.mkMerge [ + (optionalAttrs (portsWithoutIFACE != [ ]) ( + let + conf = mkFWConf portsWithoutIFACE; + in + if IFACE != null then { interfaces.${IFACE} = conf; } else conf + )) + + (optionalAttrs (portsWithIFACE != { }) { + interfaces = (mapAttrs (name: value: mkFWConf value) portsWithIFACE); + }) + ]; + + networking.wg-quick.interfaces = genAttrs (attrNames peers) mkWireguardConf; +} diff --git a/hosts/miscservers/aure-kit-bots-01/configuration.nix b/hosts/miscservers/aure-kit-bots-01/configuration.nix new file mode 100644 index 0000000..7d74853 --- /dev/null +++ b/hosts/miscservers/aure-kit-bots-01/configuration.nix 
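Review bot: In the `networking.firewall` merge, the fallback branch taken when `IFACE == null` puts the WireGuard listen ports into the global `allowedUDPPorts`, i.e. they become reachable on every interface including the other tunnels, whereas a peer that sets `onIFACE` is scoped correctly; since `targetConfig.interface` is optional, a host that forgets to set it silently gets the wider exposure. Consider making that an evaluation error instead, e.g. `assert assertMsg (IFACE != null || peersWithoutIFACE == { }) "wireguard: peers with a port need targetConfig.interface or wireguard.onIFACE";`. Separately, every tunnel is created with `allowedIPs = [ "0.0.0.0/0" "::/0" ]` and `table = "off"`, so the kernel accepts any inner source address from a peer — acceptable only if the BIRD import filters and the forward chain (not in this hunk) are the actual policy; a one-line comment above `allowedIPs` stating that intent would keep the next reader from "tightening" it and breaking routing.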
@@ -0,0 +1,102 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page, on +# https://search.nixos.org/options and in the NixOS manual (`nixos-help`). + +{ + config, + targetConfig, + targetProfile, + lib, + pkgs, + ... +}: +let + cfg = config.hostprofile.${targetProfile}; +in +{ + #imports = [ ./wireguard.nix ]; + # Bootloader. + #boot.loader.systemd-boot.enable = true; + #boot.loader.systemd-boot.configurationLimit = 5; + #boot.loader.efi.canTouchEfiVariables = true; + boot.loader.grub.efiSupport = false; + boot.loader.grub.enable = true; + # boot.loader.grub.efiInstallAsRemovable = true; + # boot.loader.efi.efiSysMountPoint = "/boot/efi"; + # Define on which hard drive you want to install Grub. + #boot.loader.grub.devices = [ "${targetConfig.bootdisk}" ]; # or "nodev" for efi only + + # Pick only one of the below networking options. + # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. + # networking.networkmanager.enable = true; # Easiest to use and most distros use this by default. 
+ networking = { + #nameservers = [ "1.3.3.7" ]; + + interfaces = lib.mkMerge [ + (lib.mkIf (cfg.interface != null) { "${cfg.interface}".useDHCP = true; }) + + # (lib.mkIf (kittenIFACE != null) { + # "${kittenIFACE}" = { + + # # ipv4.addresses = [ + # # { + # # address = "185.10.17.209"; + # # prefixLength = 24; + # # } + # # ]; + + # ipv6.addresses = [ + # { + # # address = "2a13:79c0:ffff:feff:b00b:caca:b173:25"; + # address = "2a13:79c0:ffff:feff:b00b:3965:113:${lastByte}"; + # prefixLength = 112; + # } + # ]; + # }; + # }) + ]; + + # defaultGateway = { + # address = "185.10.17.254"; + # metric = 42; + # interface = iface; + # }; + + # defaultGateway6 = { + # address = "2a13:79c0:ffff:feff:b00b:3965:113:25"; + # metric = 42; + # interface = kittenIFACE; + # }; + + useDHCP = false; + #dhcpcd.enable = false; + }; + + systemd.network.enable = true; + + # Set your time zone. + time.timeZone = "Europe/Paris"; + + nixpkgs.config.allowUnfree = true; + # Configure network proxy if necessary + # networking.proxy.default = "http://user:password@proxy:port/"; + # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; + + # This option defines the first version of NixOS you have installed on this particular machine, + # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. + # + # Most users should NEVER change this value after the initial install, for any reason, + # even if you've upgraded your system to a new NixOS release. + # + # This value does NOT affect the Nixpkgs version your packages and OS are pulled from, + # so changing it will NOT upgrade your system. + # + # This value being lower than the current NixOS release does NOT mean your system is + # out of date, out of support, or vulnerable. + # + # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration, + # and migrated your data accordingly. 
+ # + # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion . + system.stateVersion = "23.11"; # Did you read the comment? +} diff --git a/hosts/miscservers/aure-kit-bots-01/default.nix b/hosts/miscservers/aure-kit-bots-01/default.nix new file mode 100644 index 0000000..198947d --- /dev/null +++ b/hosts/miscservers/aure-kit-bots-01/default.nix @@ -0,0 +1,35 @@ +{ ... }: +{ + type = "targetConfig"; + + bootdisk = "/dev/vda"; + diskTemplate = "simple_singleFullRoot"; + + # mainSerial = 0; + + config = { + hostprofile.miscservers = { + interface = "ens18"; + }; + }; + + # birdConfig = { + # # inherit transitInterface; + + # # router-id = ; + + # # loopback4 = ""; + # loopback6 = "2a13:79c0:ffff:fefe::22f0"; + + # static6 = [ + # "::/0 recursive 2a13:79c0:ffff:fefe::b00b" + + # # "2a13:79c0:ffff:feff:b00b:caca:b173:0/112 unreachable" # Direct on ens19 + # "2a13:79c0:fffe:100::/56 unreachable" + + # #"2a13:79c0:ffff::/48 unreachable" # Networking stuff + # #"2a13:79c0:ffff:fefe::/64 unreachable" # LoopBacks + # #"2a13:79c0:ff00::/40 unreachable" # full range /40 + # ]; + # }; +} diff --git a/hosts/miscservers/aure-kit-bots-01/hardware-configuration.nix b/hosts/miscservers/aure-kit-bots-01/hardware-configuration.nix new file mode 100644 index 0000000..056601b --- /dev/null +++ b/hosts/miscservers/aure-kit-bots-01/hardware-configuration.nix 
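Review bot: `boot.loader.grub.enable = true` is set with `efiSupport = false`, but the only line naming an install device (`boot.loader.grub.devices = [ "${targetConfig.bootdisk}" ];`) is commented out, so the `bootdisk` declared in this host's default.nix is never consumed here; unless the `simple_singleFullRoot` disko template (outside this hunk) provides `boot.loader.grub.devices`, the grub module has no device to install to. Either uncomment that line or add a comment noting that disko supplies it, so the purpose of `bootdisk` stays traceable. `systemd.network.enable = true` is already set by the shared miscservers/configuration.nix and can be dropped from the per-host file.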
@@ -0,0 +1,34 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ + config, + lib, + pkgs, + modulesPath, + ... +}: + +{ + imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; + + boot.initrd.availableKernelModules = [ + "ata_piix" + "uhci_hcd" + "virtio_pci" + "sr_mod" + "virtio_blk" + ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + # networking.useDHCP = lib.mkDefault true; + # networking.interfaces.ens18.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} diff --git a/hosts/miscservers/configuration.nix b/hosts/miscservers/configuration.nix new file mode 100644 index 0000000..f880dea --- /dev/null +++ b/hosts/miscservers/configuration.nix 
@@ -0,0 +1,51 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page, on +# https://search.nixos.org/options and in the NixOS manual (`nixos-help`). + +{ + config, + lib, + pkgs, + ... +}: + +{ + imports = [ + # Include the results of the hardware scan. + ./options.nix # Options defined for this module + + ./firewall.nix + ]; + + # Configure network proxy if necessary + # networking.proxy.default = "http://user:password@proxy:port/"; + # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; + + # Select internationalisation properties. + i18n.defaultLocale = "en_US.UTF-8"; + + # Net Basics + networking.useNetworkd = true; + systemd.network.enable = true; + systemd.network.wait-online.enable = false; + + environment.systemPackages = with pkgs; [ ]; + + # This option defines the first version of NixOS you have installed on this particular machine, + # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. + # + # Most users should NEVER change this value after the initial install, for any reason, + # even if you've upgraded your system to a new NixOS release. + # + # This value does NOT affect the Nixpkgs version your packages and OS are pulled from, + # so changing it will NOT upgrade your system. + # + # This value being lower than the current NixOS release does NOT mean your system is + # out of date, out of support, or vulnerable. + # + # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration, + # and migrated your data accordingly. + # + # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion . + system.stateVersion = "23.11"; # Did you read the comment? +} diff --git a/hosts/miscservers/default.nix b/hosts/miscservers/default.nix new file mode 100644 index 0000000..ee59208 
--- /dev/null +++ b/hosts/miscservers/default.nix @@ -0,0 +1,11 @@ +args@{ lib, ... }: +let + blacklist = [ ]; + + folders = builtins.attrNames ( + lib.filterAttrs (n: v: v == "directory" && !lib.hasPrefix "_" n && !builtins.elem n blacklist) ( + builtins.readDir ./. + ) + ); +in +lib.genAttrs folders (folder: (import (./. + "/${folder}") (args // { }))) diff --git a/hosts/miscservers/firewall.nix b/hosts/miscservers/firewall.nix new file mode 100644 index 0000000..4486ffc --- /dev/null +++ b/hosts/miscservers/firewall.nix @@ -0,0 +1,34 @@ +{ + lib, + pkgs, + config, + targetProfile, + ... +}: +let + cfg = config.hostprofile.${targetProfile}; +in +{ + + config = { + + # environment.systemPackages = with pkgs; [ ferm ]; # Prepare an eventual switch to FERM + + networking.nftables.enable = true; + + # Open ports in the firewall. + networking.firewall = { + enable = true; + + allowedTCPPorts = [ + 22 # SSH + ]; + # allowedUDPPorts = [ ... ]; + + # checkReversePath = "loose"; + checkReversePath = true; + + filterForward = false; + }; + }; +} diff --git a/hosts/miscservers/options.nix b/hosts/miscservers/options.nix new file mode 100644 index 0000000..5f42337 --- /dev/null +++ b/hosts/miscservers/options.nix 
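Review bot: `cfg = config.hostprofile.${targetProfile}` is bound but never used, and the firewall opens TCP/22 on every interface even though the profile exposes the management/uplink interface as `cfg.interface`. If SSH is meant to be reachable only there, scope it: `interfaces = lib.mkIf (cfg.interface != null) { ${cfg.interface}.allowedTCPPorts = [ 22 ]; };` with `allowedTCPPorts = lib.mkIf (cfg.interface == null) [ 22 ];` as the fallback; otherwise drop the unused binding. `filterForward = false` is the NixOS default and harmless on a host that does not route, but a comment saying so would make the difference from the router profiles explicit.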
@@ -0,0 +1,50 @@ +{ + lib, + pkgs, + targetConfig, + targetProfile ? "miscservers", + ... +}: +let + inherit (lib) mkOption genAttrs attrNames; +in +{ + options.hostprofile.${targetProfile} = { + # iface = if targetConfig ? interface then targetConfig.interface else null; + interface = mkOption { + type = lib.types.nullOr lib.types.str; + default = null; + example = "enp1s0"; + description = "device's principal interface (Management / UpLink)"; + }; + + loopbacks = + let + protos = { + ipv4 = { + examples = [ "1.2.3.4/32" ]; + pretty = "IPv4"; + }; + + ipv6 = { + examples = [ "::2/128" ]; + pretty = "IPv6"; + }; + }; + in + genAttrs (attrNames protos) ( + x: + let + proto = protos.${x}; + in + lib.mkOption { + type = lib.types.listOf lib.types.str; + default = [ ]; + example = proto.examples; + description = '' + List of ${proto.pretty} loopbacks assigned. + ''; + } + ); + }; +} diff --git a/hosts/routereflectors/configuration.nix b/hosts/routereflectors/configuration.nix new file mode 100644 index 0000000..e5bcd6c --- /dev/null +++ b/hosts/routereflectors/configuration.nix 
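Review bot: This options module is duplicated verbatim in hosts/routereflectors/options.nix (only the attribute path under `hostprofile` differs), and this copy already takes `targetProfile ? "miscservers"` as an argument, so both profiles could import one shared file (e.g. `hosts/_profileOptions.nix`) parameterised by the profile name — that keeps the `interface`/`loopbacks` contract from drifting between profiles. `pkgs` is not used in this module and can be removed from the argument set. A short header comment such as `# Per-profile host options (interface, loopbacks) shared by every host of this profile` would also help, since the file is imported from configuration.nix without explanation.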
@@ -0,0 +1,139 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page, on +# https://search.nixos.org/options and in the NixOS manual (`nixos-help`). + +{ + config, + lib, + pkgs, + ... +}: + +{ + imports = [ + # Include the results of the hardware scan. + ./options.nix # Options defined for this module + + ./network.nix + ./firewall.nix + ]; + + # Configure network proxy if necessary + # networking.proxy.default = "http://user:password@proxy:port/"; + # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; + + # Select internationalisation properties. + i18n.defaultLocale = "en_US.UTF-8"; + + # Net Basics + networking.useNetworkd = true; + systemd.network.enable = true; + systemd.network.wait-online.enable = false; + + environment.systemPackages = with pkgs; [ gobgp ]; + + # List services that you want to enable: + services.gobgpd = { + enable = true; + settings = { + dynamic-neighbors = [ + { + config = { + peer-group = "kitten"; + prefix = "2a13:79c0:ffff:fefe::/64"; + }; + } + { + config = { + peer-group = "kittevpn"; + prefix = "2a13:79c0:ffff:feff::/64"; + }; + } + ]; + global = { + config = { + as = 4242421945; + local-address-list = [ + "2a13:79c0:ffff:fefe::113:91" + # "172.23.193.197" + ]; + router-id = "172.23.193.197"; + }; + }; + peer-groups = [ + { + afi-safis = [ + { + config = { + afi-safi-name = "ipv4-unicast"; + }; + } + { + config = { + afi-safi-name = "ipv6-unicast"; + }; + } + { + config = { + afi-safi-name = "l2vpn-evpn"; + }; + } + ]; + config = { + peer-as = 4242421945; + peer-group-name = "kittevpn"; + }; + route-reflector = { + config = { + route-reflector-client = true; + route-reflector-cluster-id = "172.23.193.197"; + }; + }; + } + { + afi-safis = [ + { + config = { + afi-safi-name = "ipv4-unicast"; + }; + } + { + config = { + afi-safi-name = "ipv6-unicast"; + }; + } + ]; + config = { + peer-as = 4242421945; + peer-group-name = "kitten"; 
+ }; + route-reflector = { + config = { + route-reflector-client = true; + route-reflector-cluster-id = "172.23.193.197"; + }; + }; + } + ]; + }; + # autoReload = true; + }; + + # This option defines the first version of NixOS you have installed on this particular machine, + # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. + # + # Most users should NEVER change this value after the initial install, for any reason, + # even if you've upgraded your system to a new NixOS release. + # + # This value does NOT affect the Nixpkgs version your packages and OS are pulled from, + # so changing it will NOT upgrade your system. + # + # This value being lower than the current NixOS release does NOT mean your system is + # out of date, out of support, or vulnerable. + # + # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration, + # and migrated your data accordingly. + # + # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion . + system.stateVersion = "23.11"; # Did you read the comment? +} diff --git a/hosts/routereflectors/default.nix b/hosts/routereflectors/default.nix new file mode 100644 index 0000000..7978eda --- /dev/null +++ b/hosts/routereflectors/default.nix @@ -0,0 +1,14 @@ +# { +# iguane-kit-rr91 = import ./iguane-kit-rr91 { }; +# } + +args@{ lib, ... }: +let + blacklist = [ ]; + folders = builtins.attrNames ( + lib.filterAttrs (n: v: v == "directory" && !lib.hasPrefix "_" n && !builtins.elem n blacklist) ( + builtins.readDir ./. + ) + ); +in +lib.genAttrs folders (folder: (import (./. + "/${folder}") (args // { }))) diff --git a/hosts/routereflectors/firewall.nix b/hosts/routereflectors/firewall.nix new file mode 100644 index 0000000..d41402d --- /dev/null +++ b/hosts/routereflectors/firewall.nix 
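Review bot: The `dynamic-neighbors` entries let any address in 2a13:79c0:ffff:fefe::/64 or feff::/64 open an iBGP session with `peer-as` equal to the local AS, both peer-groups mark every such session as a route-reflector client, and no `auth-password` or `apply-policy` is configured, so a host able to source an address in those /64s (this profile's firewall.nix in the same commit sets `checkReversePath = false`) could inject routes that are reflected to every router. Add `auth-password` to each peer-group `config` (the BIRD side already supports a secret via `passwordRef` in bird_peers.nix) and an import policy restricting accepted prefixes to the kitten ranges. Note that the NixOS gobgpd module renders `settings` into the Nix store, so the password should come from a sops template rather than a literal in `settings`.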
@@ -0,0 +1,35 @@ +{ + lib, + pkgs, + config, + ... +}: +let + cfg = config.hostprofile.rr; +in +{ + + config = { + + # environment.systemPackages = with pkgs; [ ferm ]; # Prepare an eventual switch to FERM + + networking.nftables.enable = true; + + # Open ports in the firewall. + networking.firewall = { + enable = true; + + allowedTCPPorts = [ + 22 # SSH + 179 # BGP + 1790 # Internal BGP + ]; + # allowedUDPPorts = [ ... ]; + + # checkReversePath = "loose"; + checkReversePath = false; + + filterForward = false; + }; + }; +} diff --git a/hosts/routereflectors/iguane-kit-rr91/configuration.nix b/hosts/routereflectors/iguane-kit-rr91/configuration.nix new file mode 100644 index 0000000..452d278 --- /dev/null +++ b/hosts/routereflectors/iguane-kit-rr91/configuration.nix 
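Review bot: TCP 179 and 1790 are opened in the global `allowedTCPPorts`, i.e. on every interface, while `checkReversePath = false` disables source-address validation at the same time; together, a BGP SYN carrying a spoofed source inside gobgpd's dynamic-neighbor ranges is not filtered at the host. Scope the BGP ports to the interface the sessions actually arrive on via `networking.firewall.interfaces.<iface>.allowedTCPPorts`, and prefer `checkReversePath = "loose"` (already present as a comment) over turning the check off, unless a specific asymmetric path requires it — in which case record that reason in the comment. `cfg` is bound but unused in this module.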
@@ -0,0 +1,104 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page, on +# https://search.nixos.org/options and in the NixOS manual (`nixos-help`). + +{ + config, + targetConfig, + lib, + pkgs, + ... +}: +let + cfg = config.hostprofile.rr; + + kittenIFACE = "ens19"; + lastByte = "92"; +in +{ + #imports = [ ./wireguard.nix ]; + # Bootloader. + #boot.loader.systemd-boot.enable = true; + #boot.loader.systemd-boot.configurationLimit = 5; + #boot.loader.efi.canTouchEfiVariables = true; + boot.loader.grub.efiSupport = false; + boot.loader.grub.enable = true; + # boot.loader.grub.efiInstallAsRemovable = true; + # boot.loader.efi.efiSysMountPoint = "/boot/efi"; + # Define on which hard drive you want to install Grub. + #boot.loader.grub.devices = [ "${targetConfig.bootdisk}" ]; # or "nodev" for efi only + + # Pick only one of the below networking options. + # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. + # networking.networkmanager.enable = true; # Easiest to use and most distros use this by default. + networking = { + #nameservers = [ "1.3.3.7" ]; + + interfaces = lib.mkMerge [ + (lib.mkIf (cfg.interface != null) { "${cfg.interface}".useDHCP = true; }) + + (lib.mkIf (kittenIFACE != null) { + "${kittenIFACE}" = { + + # ipv4.addresses = [ + # { + # address = "185.10.17.209"; + # prefixLength = 24; + # } + # ]; + + ipv6.addresses = [ + { + # address = "2a13:79c0:ffff:feff:b00b:caca:b173:25"; + address = "2a13:79c0:ffff:feff:b00b:3965:113:${lastByte}"; + prefixLength = 112; + } + ]; + }; + }) + ]; + + # defaultGateway = { + # address = "185.10.17.254"; + # metric = 42; + # interface = iface; + # }; + + defaultGateway6 = { + address = "2a13:79c0:ffff:feff:b00b:3965:113:25"; + metric = 42; + interface = kittenIFACE; + }; + + useDHCP = false; + #dhcpcd.enable = false; + }; + + systemd.network.enable = true; + + # Set your time zone. 
+ time.timeZone = "Europe/Paris"; + + nixpkgs.config.allowUnfree = true; + # Configure network proxy if necessary + # networking.proxy.default = "http://user:password@proxy:port/"; + # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; + + # This option defines the first version of NixOS you have installed on this particular machine, + # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. + # + # Most users should NEVER change this value after the initial install, for any reason, + # even if you've upgraded your system to a new NixOS release. + # + # This value does NOT affect the Nixpkgs version your packages and OS are pulled from, + # so changing it will NOT upgrade your system. + # + # This value being lower than the current NixOS release does NOT mean your system is + # out of date, out of support, or vulnerable. + # + # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration, + # and migrated your data accordingly. + # + # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion . + system.stateVersion = "23.11"; # Did you read the comment? +} diff --git a/hosts/routereflectors/iguane-kit-rr91/default.nix b/hosts/routereflectors/iguane-kit-rr91/default.nix new file mode 100644 index 0000000..a5abf90 --- /dev/null +++ b/hosts/routereflectors/iguane-kit-rr91/default.nix 
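Review bot: `kittenIFACE = "ens19"` and `lastByte = "92"` are let-bound literals, so `lib.mkIf (kittenIFACE != null)` can never be false and the surrounding `mkMerge` only hides that the second interface and its host byte are hard-coded; the profile already declares `hostprofile.rr.interface` and `loopbacks` as options, and these two values belong there too so they live in default.nix next to the loopback. `nixpkgs.config.allowUnfree = true;` is set with no unfree package visible in this commit; drop it or comment which package needs it. `systemd.network.enable = true` duplicates the shared routereflectors/configuration.nix.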
@@ -0,0 +1,39 @@ +{ ... }: +{ + type = "targetConfig"; + + bootdisk = "/dev/vda"; + diskTemplate = "simple_singleFullRoot"; + + # mainSerial = 0; + + config = { + hostprofile.rr = { + interface = "ens18"; + + loopbacks = { + ipv6 = [ "2a13:79c0:ffff:fefe::113:91" ]; + }; + }; + }; + + # birdConfig = { + # # inherit transitInterface; + + # # router-id = ; + + # # loopback4 = ""; + # loopback6 = "2a13:79c0:ffff:fefe::22f0"; + + # static6 = [ + # "::/0 recursive 2a13:79c0:ffff:fefe::b00b" + + # # "2a13:79c0:ffff:feff:b00b:caca:b173:0/112 unreachable" # Direct on ens19 + # "2a13:79c0:fffe:100::/56 unreachable" + + # #"2a13:79c0:ffff::/48 unreachable" # Networking stuff + # #"2a13:79c0:ffff:fefe::/64 unreachable" # LoopBacks + # #"2a13:79c0:ff00::/40 unreachable" # full range /40 + # ]; + # }; +} diff --git a/hosts/routereflectors/iguane-kit-rr91/hardware-configuration.nix b/hosts/routereflectors/iguane-kit-rr91/hardware-configuration.nix new file mode 100644 index 0000000..36b4585 --- /dev/null +++ b/hosts/routereflectors/iguane-kit-rr91/hardware-configuration.nix 
@@ -0,0 +1,34 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ + config, + lib, + pkgs, + modulesPath, + ... +}: + +{ + imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; + + boot.initrd.availableKernelModules = [ + "ata_piix" + "uhci_hcd" + "virtio_pci" + "sr_mod" + "virtio_blk" + ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.ens18.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} diff --git a/hosts/routereflectors/network.nix b/hosts/routereflectors/network.nix new file mode 100644 index 0000000..03ebab8 --- /dev/null +++ b/hosts/routereflectors/network.nix @@ -0,0 +1,31 @@ +{ + lib, + pkgs, + config, + ... +}: +let + cfg = config.hostprofile.rr; +in +{ + + config = { + + # LoopBacks + networking.interfaces.lo = + let + defPrefix = { + ipv4 = 32; + ipv6 = 128; + }; + mkLoopBack = proto: loopback: { + address = "${toString loopback}"; + prefixLength = defPrefix.${proto}; + }; + in + { + ipv4.addresses = lib.mkIf (cfg.loopbacks.ipv4 != [ ]) (map (mkLoopBack "ipv4") cfg.loopbacks.ipv4); + ipv6.addresses = lib.mkIf (cfg.loopbacks.ipv6 != [ ]) (map (mkLoopBack "ipv6") cfg.loopbacks.ipv6); + }; + }; +} diff --git a/hosts/routereflectors/options.nix b/hosts/routereflectors/options.nix new file mode 100644 index 0000000..129a70d --- /dev/null +++ b/hosts/routereflectors/options.nix 
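Review bot: `mkLoopBack` always appends its own `prefixLength` (32/128) to whatever string is in `cfg.loopbacks.<proto>`, but the option's `example` in options.nix is `"1.2.3.4/32"` / `"::2/128"`; a value written like the example would be configured as `1.2.3.4/32` with prefix length 32, i.e. an invalid address when the interface is brought up. Either strip a trailing prefix in `mkLoopBack` (e.g. `address = lib.head (lib.splitString "/" loopback);`) or change the examples to bare addresses, matching how iguane-kit-rr91/default.nix actually uses it. The `toString` on an already-string value is a no-op and can go.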
@@ -0,0 +1,44 @@ +{ lib, pkgs, ... }: +let + inherit (lib) mkOption genAttrs attrNames; +in +{ + options.hostprofile.rr = { + # iface = if targetConfig ? interface then targetConfig.interface else null; + interface = mkOption { + type = lib.types.nullOr lib.types.str; + default = null; + example = "enp1s0"; + description = "device's principal interface (Management / UpLink)"; + }; + + loopbacks = + let + protos = { + ipv4 = { + examples = [ "1.2.3.4/32" ]; + pretty = "IPv4"; + }; + + ipv6 = { + examples = [ "::2/128" ]; + pretty = "IPv6"; + }; + }; + in + genAttrs (attrNames protos) ( + x: + let + proto = protos.${x}; + in + lib.mkOption { + type = lib.types.listOf lib.types.str; + default = [ ]; + example = proto.examples; + description = '' + List of ${proto.pretty} loopbacks assigned. + ''; + } + ); + }; +} diff --git a/hosts/routers/_peers/KIT-IG1-RR91.nix b/hosts/routers/_peers/KIT-IG1-RR91.nix new file mode 100644 index 0000000..2ea52dd --- /dev/null +++ b/hosts/routers/_peers/KIT-IG1-RR91.nix @@ -0,0 +1,49 @@ +{ ... }: +let + kittenASN = 4242421945; +in +{ + # vultr6 + # AS64515 + # Peer-IP : 2001:19f0:ffff::1 + + # protocol bgp TRANSIT_VULTR6 { + # + # multihop 2; + # + + # ipv6 { + # export filter { + # if ( net ~ [ 2a13:79c0:ff00::/40, 2a12:dd47:9330::/44 ] ) then { + # accept; + # } + # reject; + # }; + # import none; + # }; + # + # } + peerAS = kittenASN; + peerIP = "2a13:79c0:ffff:fefe::113:91"; + localAS = kittenASN; + + multihop = 5; + + # wireguard = { + # address = "2a13:79c0:ffff:feff::10c"; + # port = 51800; + # peerKey = "rMTaMWJYlgTKJoE0PnVOo9SKHTppEfYK5KtWjBI9mC8="; + # }; + template = "rrserver"; + ipv6 = { + #imports = null; + #imports = x: "filter filter6_IN_BGP_${toString x}"; + #exports = [ "2a12:dd47:9330::/44" ]; + + #exports = null; + }; + ipv4 = { + #imports = x: "filter filter4_IN_BGP_${toString x}"; + #exports = x: "filter6_IN_BGP_${toString x}"; + }; +} 
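Review bot: This iBGP session to the route reflector runs `multihop = 5` over the loopbacks with neither `password` nor `passwordRef`, and it uses `template = "rrserver"`, whose `import filter { accept; }` in bird.nix takes everything the reflector sends. Since bird_peers.nix already wires `passwordRef` to a sops secret, set `passwordRef = "rr91";` here (with the matching `auth-password` on the gobgpd side) so the session is TCP-MD5 protected. The large commented-out TRANSIT_VULTR6 sample at the top is unrelated to this peer and stale; a one-line `# iBGP to IG1 route reflector over loopbacks` says more than the sample.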
diff --git a/hosts/routers/_peers/default.nix b/hosts/routers/_peers/default.nix new file mode 100644 index 0000000..6b7d84e --- /dev/null +++ b/hosts/routers/_peers/default.nix @@ -0,0 +1,5 @@ +{ ... }: +{ + # Internal RR + IG1_RR91 = import ./KIT-IG1-RR91.nix { }; +} diff --git a/hosts/routers/bird.nix b/hosts/routers/bird.nix new file mode 100644 index 0000000..2f9c882 --- /dev/null +++ b/hosts/routers/bird.nix 
@@ -0,0 +1,332 @@ +{ + lib, + config, + target, + targetConfig, + ... +}: +let + inherit (lib) + optional + optionals + optionalString + mkOrder + attrNames + filterAttrs + concatStringsSep + concatMapStringsSep + ; + + birdCfg = config.services.bird2; + + srvCfg = + let + cfg = + if targetConfig ? birdConfig then + targetConfig.birdConfig + else + import (./. + "/${target}/birdconfig.nix") { inherit targetConfig; }; + in + if cfg ? peers then + cfg + else + let + peers = (import (./. + "/${target}/peers/") { }); + in + (cfg // { inherit peers; }); + + rrs = attrNames (filterAttrs (n: v: v ? template && v.template == "rrserver") srvCfg.peers); + + lo4 = + if (srvCfg ? loopback4 && srvCfg.loopback4 != null && srvCfg.loopback4 != "") then + srvCfg.loopback4 + else + null; + + lo6 = + if (srvCfg ? loopback6 && srvCfg.loopback6 != null && srvCfg.loopback6 != "") then + srvCfg.loopback6 + else + null; +in +{ + imports = [ + ./bird_peers.nix + # ./bird_statics.nix + ]; + + config = { + + sops.templates."bird_secrets.conf" = { + owner = "bird2"; + }; + + _module.args = { + birdConfig = srvCfg; + }; + + networking.firewall.allowedTCPPorts = [ + 179 # BGP + 1790 # Internal BGP + ]; + + networking.interfaces.lo = { + ipv4.addresses = lib.mkIf (lo4 != null) [ + { + address = "${toString srvCfg.loopback4}"; + prefixLength = 32; + } + ]; + ipv6.addresses = lib.mkIf (lo6 != null) [ + { + address = "${toString srvCfg.loopback6}"; + prefixLength = 128; + } + ]; + }; + + services.bird2.preCheckConfig = '' + echo "Bird configuration include these resources" + grep include bird2.conf + + LINE=$(grep -n include bird2.conf | grep bird_secrets.conf | head -1 | cut -d: -f1) + if [ ! 
-z "$LINE" ]; then + echo "Found secrets importing, will substitute it with placeholders values" + sed ''${LINE}d -i bird2.conf + sed "$(($LINE))i"'include "_secrets_substitute.conf";' -i bird2.conf + + cat > _secrets_substitute.conf <<< ' + ${config.sops.templates."bird_secrets.conf".content} + ' + + # cat _secrets_substitute.conf bird2.conf + fi + ''; + + services.bird2.config = mkOrder 0 ( + concatStringsSep "\n\n" ( + let + transitIFACE = if srvCfg ? transitInterface then srvCfg.transitInterface else null; + + quoteString = x: ''"${x}"''; + in + [ + "log syslog all;" + + ''include "${config.sops.templates."bird_secrets.conf".path}";'' + + '' + # The Device protocol is not a real routing protocol. It does not generate any + # routes and it only serves as a module for getting information about network + # interfaces from the kernel. It is necessary in almost any configuration. + protocol device DEV {} + + # The direct protocol is not a real routing protocol. It automatically generates + # direct routes to all network interfaces. Can exist in as many instances as you + # wish if you want to populate multiple routing tables with direct routes. 
+ protocol direct DIRECT { + #disabled; + check link on; + ipv4; + ipv6; + interface "*"; + } + '' + + '' + #<== Générique + function is_valid4_network() { + return net ~ [ + 172.23.193.192/26, + 172.23.193.192/26{32,32} + ]; + } + + function is_valid6_network() { + return net ~ [ + 2a13:79c0:ff00::/40, + 2a13:79c0:ffff::/48{48,64}, + 2a13:79c0:ffff:fefe::/64{128,128}, + 2a13:79c0:ffff:feff::/64{112,112} + ]; + } + + + function is_rr_valid6_network() { + return net ~ [ + ${ + optionalString (transitIFACE != null) "# ::/0," + } # Announce (or not) default route [transitInterface = ${toString transitIFACE}] + 2a13:79c0:ff00::/40, + 2a13:79c0:ff00::/48+, # Special case for Toinux home + # 2a13:79c0:ffff:fefe::/64{128,128}, + # 2a13:79c0:ffff:feff::/64{112,112}, + 2a13:79c0:ffff::/48{48,64}, + 2a13:79c0:fffe::/48{56,56} + ]; + } + + '' + + '' + # The Kernel protocol is not a real routing protocol. Instead of communicating + # with other routers in the network, it performs synchronization of BIRD + # routing tables with the OS kernel. One instance per table. + protocol kernel KERNEL4 { + ipv4 { # Connect protocol to IPv4 table by channel + # table master4; # Default IPv4 table is master4 + # import all; # Import to table, default is import all + # export all; # Export to protocol. 
default is export none + export filter { + if ( is_valid4_network() || source ~ [RTS_STATIC] + ${ + let + sep = "|| proto ="; + in + optionalString (rrs != [ ]) sep + (concatMapStringsSep sep quoteString rrs) + } + ) then { + ${ + optionalString (lo4 != null) '' + if source ~ [RTS_BGP] || net ~ [ 0.0.0.0/0 ] then { + krt_prefsrc=${lo4}; + } + '' + } + accept; + } else reject; + }; + }; + merge paths on; + # learn; # Learn alien routes from the kernel + # kernel table 10; # Kernel table to synchronize with (default: main) + } + + # Another instance for IPv6, skipping default options + protocol kernel KERNEL6 { + # ipv6 { export all; }; + ipv6 { + export filter { + + if ( is_valid6_network() || source ~ [RTS_STATIC] + ${ + let + sep = "|| proto ="; + in + optionalString (rrs != [ ]) sep + (concatMapStringsSep sep quoteString rrs) + } + ) then { + ${ + optionalString (lo6 != null) '' + if source ~ [RTS_BGP] || net ~ [ ::/0 ] then { + krt_prefsrc=${lo6}; + } + '' + } + accept; + } else reject; + }; + }; + + merge paths on; + } + '' + + '' + + template bgp rrserver { + local port 1790; + neighbor port 179; + multihop 5; + + ipv4 { + gateway recursive; + extended next hop; + next hop self; + + import filter { accept; }; + + export none; + # export filter { if is_v4_network() && source ~ [RTS_STATIC, RTS_DEVICE, RTS_BGP, RTS_OSPF] then accept; else reject; }; + import limit 1000 action block; + igp table master4; # IGP table for routes with IPv4 nexthops + # igp table master6; # IGP table for routes with IPv4 nexthops + }; + + ipv6 { + gateway recursive; + next hop self; + + import filter { accept; }; + export filter { if is_rr_valid6_network() && source ~ [RTS_STATIC, RTS_DEVICE, RTS_BGP, RTS_OSPF] then accept; else reject; }; + import limit 1000 action block; + igp table master6; # IGP table for routes with IPv6 nexthops + }; + + } + '' + + '' + template bgp kittunderlay { + # local as 4242421945; + # neighbor as kittenASN; + local port 1790; + neighbor port 1790; + rr 
client; + path metric off; + ipv4 { + extended next hop; + next hop self; + import keep filtered; + + import filter { + if is_valid4_network() then { + if defined( bgp_med ) then + bgp_med = bgp_med + 1000; + else { + bgp_med = 1000; + } + accept; + } else reject; + }; + + export filter { if is_valid4_network() && source ~ [RTS_STATIC, RTS_DEVICE, RTS_BGP, RTS_OSPF] then accept; else reject; }; + import limit 1000 action block; + }; + + ipv6 { + next hop self; + import keep filtered; + + import filter { + if is_valid6_network() then { + if defined( bgp_med ) then + bgp_med = bgp_med + 1000; + else { + bgp_med = 1000; + } + accept; + } else reject; + }; + + export filter { if is_valid6_network() && source ~ [RTS_STATIC, RTS_DEVICE, RTS_BGP, RTS_OSPF] then accept; else reject; }; + import limit 1000 action block; + }; + + } + '' + ] + ++ + optionals (srvCfg ? static6 && builtins.typeOf srvCfg.static6 == "list" && srvCfg.static6 != [ ]) + [ + '' + protocol static STATIC6 { + ipv6; + ${concatStringsSep "\n" (map (x: " " + "route ${x};") srvCfg.static6)} + } + '' + ] + ) + ); + }; +} diff --git a/hosts/routers/bird_peers.nix b/hosts/routers/bird_peers.nix new file mode 100644 index 0000000..abc5627 --- /dev/null +++ b/hosts/routers/bird_peers.nix 
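Review bot: The `rrserver` template accepts everything the reflector sends (`import filter { accept; };` in both channels), and the kernel export filters then skip the `is_valid*_network()` check for exactly those protocols (`|| proto = "<rr name>"`), so a route reflector — or anyone who can inject into it, given that gobgpd in this commit has no session auth — can install arbitrary prefixes, including a default, into every router's kernel table. Restrict the import to the expected ranges, e.g. `import filter { if is_rr_valid6_network() || net ~ [ ::/0 ] then accept; else reject; };` for IPv6 and the same with `is_valid4_network()` for IPv4, keeping `import limit` and adding `import keep filtered;` so rejected routes remain inspectable. A smaller point in `preCheckConfig`: `cat > _secrets_substitute.conf <<< '…'` breaks as soon as the template content contains a single quote; a quoted heredoc (`cat > _secrets_substitute.conf <<'EOF' … EOF`) avoids the quoting hazard.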
@@ -0,0 +1,195 @@ +{ + lib, + target, + config, + targetConfig, + birdConfig, + ... +}: +let + inherit (lib) listToAttrs nameValuePair; + + peers = birdConfig.peers; + + peersWithPasswordRef = lib.attrsets.filterAttrs (n: v: v ? passwordRef) peers; + + passwords = lib.unique (lib.attrsets.mapAttrsToList (n: v: v.passwordRef) peersWithPasswordRef); +in +{ + + sops.secrets = listToAttrs ( + map (n: lib.nameValuePair "bird_secrets/${n}" { reloadUnits = [ "bird2.service" ]; }) passwords + ); + + sops.templates."bird_secrets.conf".content = lib.mkMerge ( + map (password: '' + define secretPassword_${password} = "${config.sops.placeholder."bird_secrets/${password}"}"; + '') passwords + ); + + services.bird2.config = + let + mkPeersFuncArgs = (x: { peerName = x; } // peers.${x}); + + toLines = + nindent: + let + indent = lib.concatMapStrings (_: " ") (lib.range 1 nindent); + in + builtins.concatStringsSep "\n${indent}"; + + withType = types: x: lib.toFunction types.${builtins.typeOf x} x; + + peersFunc = + x@{ + peerName, + peerIP, + peerAS ? 65666, + + localIP ? "", + localAS ? 65666, + + multihop ? 0, + template ? "", + + password ? "", + passwordRef ? "", + + ipv4 ? { }, + ipv6 ? { }, + + bgpMED ? null, + + wireguard ? { }, + interface ? + if (wireguard != { }) then + (if wireguard ? interface then wireguard.interface else peerName) + else + null, + ... 
+ }: + let + inherit (lib) optionalString; + inherit (builtins) concatStringsSep toJSON; + in + '' + ${optionalString (bgpMED != null) "define bgpMED_${toString peerName} = ${toString bgpMED};"} + ${optionalString (template == "kittunderlay") '' + filter filter4_IN_BGP_${toString peerName} { + if is_valid4_network() then { + if defined( bgp_med ) then + bgp_med = bgp_med + bgpMED_${toString peerName}; + else { + bgp_med = bgpMED_${toString peerName}; + } + accept; + } else reject; + } + + filter filter6_IN_BGP_${toString peerName} { + if is_valid6_network() then { + if defined( bgp_med ) then + bgp_med = bgp_med + bgpMED_${toString peerName}; + else { + bgp_med = bgpMED_${toString peerName}; + } + accept; + } else reject; + } + ''} + + # ${optionalString (x ? debug && x.debug == true) (toJSON x)} + # L: AS${toString localAS} | R: AS${toString peerAS} + protocol bgp ${toString peerName} ${optionalString (template != "") "from ${toString template}"} { + local ${ + optionalString (localIP != "") (toString localIP) + } as ${toString localAS}; # localIP: "${toString localIP}" + neighbor ${toString peerIP} as ${toString peerAS}; + ${optionalString (interface != null) ''interface "${interface}";''} + ${ + if multihop == 0 then + "direct;" + else + "multihop ${ + optionalString (multihop != -1) toString (if multihop < -1 then -1 * multihop else multihop) + };" + } # multihop: ${toString multihop} + + ${ + optionalString (password != "") + ''password "${ + assert lib.asserts.assertMsg ( + passwordRef == "" + ) "U defined a passwordRef, why do you still want to leak password ?"; + toString ( + lib.warn "bird2 peers password is insecure consider using passwordRef with a bird_secrets file" password + ) + }"; # Not-Secured cleartext access for @everyone'' + } + ${ + optionalString ( + passwordRef != "" + ) "password secretPassword_${toString passwordRef}; # Defined in secrets file" + } + + ${ + optionalString (ipv6 != { }) '' + ipv6 { + ${ + optionalString (ipv6 ? 
imports && ipv6.imports != "" && ipv6.imports != [ ]) ( + let + myType = withType { + string = x: " import ${x};"; + null = x: " import none;"; + lambda = f: myType (f peerName); + list = x: '' + # ${toJSON x} + import filter { + if ( net ~ [ ${concatStringsSep ", " x} ] ) then { + accept; + } + reject; + }; + ''; + }; + in + myType ipv6.imports + ) + } + ${ + optionalString (ipv6 ? exports && ipv6.exports != "" && ipv6.exports != [ ]) ( + let + myType = withType { + string = x: " export ${x};"; + null = x: " export none;"; + lambda = f: myType (f peerName); + list = x: '' + # ${toJSON x} + export filter { + if ( net ~ [ ${concatStringsSep ", " x} ] ) then { + accept; + } + reject; + }; + ''; + }; + in + myType ipv6.exports + ) + } + }; + '' + } + + } + '' + + ; + in + lib.mkOrder 50 ( + builtins.concatStringsSep "\n" ( + [ "# Nix-OS Generated for ${target}" ] + ++ (map (x: "# ${x}\n${peersFunc (mkPeersFuncArgs x)}") (builtins.attrNames peers)) + ) + ); +} diff --git a/hosts/routers/configuration.nix b/hosts/routers/configuration.nix new file mode 100644 index 0000000..23c5c16 --- /dev/null +++ b/hosts/routers/configuration.nix 
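Review bot: The `multihop` branch in peersFunc fails to evaluate for `multihop = -1`: `optionalString (multihop != -1) toString (…)` parses as `(optionalString cond toString) (…)`, so when the condition is false the result `""` is applied as a function and Nix aborts; it needs parentheses, `optionalString (multihop != -1) (toString (if multihop < -1 then -1 * multihop else multihop))`. Separately, only an `ipv6` channel is rendered — the `ipv4` argument that every peer file fills with `imports = x: "filter filter4_IN_BGP_…"` is accepted and silently dropped, so the generated `filter4_IN_BGP_*` filters are never referenced unless bird.nix (outside this hunk) consumes them; either render the channel or reject the key. `sops.templates."bird_secrets.conf".content = lib.mkMerge (…)` also looks fragile: if `content` is a plain `str` option, two distinct passwords produce a conflicting-definition error, whereas `lib.concatMapStrings` would build the file deterministically. The cleartext `password` path already warns, but a comment stating that the value lands in the world-readable Nix store would make `passwordRef` the obvious default.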
@@ -0,0 +1,55 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page, on +# https://search.nixos.org/options and in the NixOS manual (`nixos-help`). + +{ + config, + lib, + pkgs, + ... +}: + +{ + imports = [ + # Include the results of the hardware scan. + ./bird.nix # Bird Routing + ./wireguard.nix + ./firewall.nix + ]; + + # Configure network proxy if necessary + # networking.proxy.default = "http://user:password@proxy:port/"; + # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; + + # Select internationalisation properties. + i18n.defaultLocale = "en_US.UTF-8"; + + # Net Basics + networking.useNetworkd = true; + systemd.network.enable = true; + systemd.network.wait-online.enable = false; + + # List services that you want to enable: + services.bird2 = { + enable = true; + autoReload = true; + }; + + # This option defines the first version of NixOS you have installed on this particular machine, + # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. + # + # Most users should NEVER change this value after the initial install, for any reason, + # even if you've upgraded your system to a new NixOS release. + # + # This value does NOT affect the Nixpkgs version your packages and OS are pulled from, + # so changing it will NOT upgrade your system. + # + # This value being lower than the current NixOS release does NOT mean your system is + # out of date, out of support, or vulnerable. + # + # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration, + # and migrated your data accordingly. + # + # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion . + system.stateVersion = "23.11"; # Did you read the comment? +} 
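Review bot: The `# Include the results of the hardware scan.` comment above the imports is stale: the list imports `./bird.nix`, `./wireguard.nix` and `./firewall.nix` and no hardware-configuration file, so the comment describes the NixOS template rather than this role; replace it with `# Router role: BGP daemon, WireGuard tunnels and forwarding firewall.`. `systemd.network.wait-online.enable = false` and `services.bird2.autoReload = true` are deliberate-looking choices that deserve a one-line why-comment each, since a reader cannot tell from here whether bird is meant to start before the links are up.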
diff --git a/hosts/routers/default.nix b/hosts/routers/default.nix
new file mode 100644
index 0000000..8e06297
--- /dev/null
+++ b/hosts/routers/default.nix
@@ -0,0 +1,17 @@
+# {
+# iguane-kit-rtr = import ./iguane-kit-rtr { };
+
+# vultr-kit-edge = import ./vultr-kit-edge { };
+# virtua-kit-edge = import ./virtua-kit-edge { };
+# }
+
+args@{ lib, ... }:
+let
+ blacklist = [ ];
+ folders = builtins.attrNames (
+ lib.filterAttrs (n: v: v == "directory" && !lib.hasPrefix "_" n && !builtins.elem n blacklist) (
+ builtins.readDir ./.
+ )
+ );
+in
+lib.genAttrs folders (folder: (import (./. + "/${folder}") (args // { })))
diff --git a/hosts/routers/firewall.nix b/hosts/routers/firewall.nix
new file mode 100644
index 0000000..c1e5813
--- /dev/null
+++ b/hosts/routers/firewall.nix
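Review bot: `(args // { })` in the last line is a no-op merge and reads as if something were meant to be injected; pass `args` directly or add the override you intend. The `blacklist` list is empty, so a short comment such as `# directories listed here are skipped by the auto-import below` would explain why it is kept.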
@@ -0,0 +1,150 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page, on +# https://search.nixos.org/options and in the NixOS manual (`nixos-help`). + +{ + lib, + pkgs, + targetConfig, + birdConfig, + ... +}: +let + IFACE = if targetConfig ? interface then targetConfig.interface else null; + + transitedNetworks = + if (birdConfig ? transitNetworks && birdConfig.transitNetworks != null) then + birdConfig.transitNetworks + else + [ + "2a13:79c0:ff00::/44" # Transits Customer ranges: 2a13:79c0:{ff00-ff0f}::/48 + "2a13:79c0:ffff:fefe::/64" + "2a13:79c0:ffff:feff:b00b::/80" + ]; + + wgPeers = filterAttrs (n: v: v ? wireguard && v.wireguard != { }) birdConfig.peers; + + transitIFACEs = + [ ] + ++ lib.optionals (birdConfig ? transitInterfaces) birdConfig.transitInterfaces + ++ lib.optional (birdConfig ? transitInterface) birdConfig.transitInterface; + + kittenIFACEs = ( + (attrNames wgPeers) ++ lib.optionals (birdConfig ? 
allowedInterfaces) birdConfig.allowedInterfaces + ); + + inherit (lib) + mkAfter + optional + optionals + optionalString + concatStringsSep + concatMapStringsSep + attrNames + filterAttrs + ; +in + +{ + + config = { + boot.kernel.sysctl = { + "net.ipv4.ip_forward" = 1; + "net.ipv6.conf.all.forwarding" = 1; + + "net.ipv4.conf.all.src_valid_mark" = 1; + + # "net.ipv4.conf.default.rp_filter" = 2; + # "net.ipv4.conf.all.rp_filter" = 2; + + # "net.ipv6.conf.all.keep_addr_on_down" = 1; + # "net.ipv4.raw_l3mdev_accept" = 1; + # "net.ipv4.tcp_l3mdev_accept" = 1; + # "net.ipv4.udp_l3mdev_accept" = 1; + }; + + # environment.systemPackages = with pkgs; [ ferm ]; # Prepare an eventual switch to FERM + + networking.nftables = { + enable = true; + + tables."nixos-fw".content = + let + quoteString = x: ''"${x}"''; + + defines = '' + define transitIFACEs = { ${concatMapStringsSep ", " quoteString transitIFACEs} } + define transitNETs = { ${concatStringsSep ", " transitedNetworks} } + + define kittenIFACEs = { ${concatMapStringsSep ", " quoteString kittenIFACEs} } + ''; + + extraForwardRules = lib.concatStringsSep "\n" ( + [ + + '' + # ip6 daddr 2a13:79c0:ff00::/48 counter accept + # ip6 daddr { 2a13:79c0:ffff:feff:b00b:3945:a51:b00b, 2a13:79c0:ffff:feff:b00b:3945:a51:dead } counter accept + + # ip6 saddr 2a13:79c0:ffff:feff:b00b::/80 ip6 daddr 2a13:79c0:ffff:fefe::/64 counter accept + + # ip6 saddr { 2a13:79c0:ffff:fefe::/64, 2a13:79c0:ffff:feff::/64 } ip6 daddr { 2a13:79c0:ffff:fefe::/64, 2a13:79c0:ffff:feff::/64 } counter accept + + ${optionalString (transitedNetworks != [ ] && transitIFACEs != [ ] && kittenIFACEs != [ ]) '' + # iifname $kittenIFACEs oifname $transitIFACEs counter accept + ip6 saddr $transitNETs iifname $kittenIFACEs oifname $transitIFACEs counter accept + ip6 daddr $transitNETs oifname $kittenIFACEs iifname $transitIFACEs counter accept + ''} + + ${optionalString (kittenIFACEs != [ ]) '' + iifname $kittenIFACEs oifname $kittenIFACEs counter accept + ''} + '' + 
] + + ++ optional (birdConfig ? extraForwardRules) birdConfig.extraForwardRules + + ++ optional (kittenIFACEs != [ ]) '' + iifname $kittenIFACEs log prefix "refused connection: " level info reject comment "reject internal instead of drop" + '' + ); + in + mkAfter '' + # FireWall Test Configs + ${defines} + + chain forward { + type filter hook forward priority filter; policy drop; + # We want StateLess firewalling + # ct state vmap { + # invalid : jump forward-allow, + # established : accept, + # related : accept, + # new : jump forward-allow, + # untracked : jump forward-allow, + # } + jump forward-rules + } + + chain forward-rules { + icmpv6 type != { router-renumbering, 139 } accept comment "Accept all ICMPv6 messages except renumbering and node information queries (type 139). See RFC 4890, section 4.3." + ct status dnat accept comment "allow port forward" + ${extraForwardRules} + } + ''; + }; + + # Open ports in the firewall. + networking.firewall = { + enable = true; + + allowedTCPPorts = [ 22 ]; + # allowedUDPPorts = [ ... ]; + + # checkReversePath = "loose"; + checkReversePath = false; + + filterForward = false; + }; + }; +} diff --git a/hosts/routers/iguane-kit-rtr/configuration.nix b/hosts/routers/iguane-kit-rtr/configuration.nix new file mode 100644 index 0000000..3ff6c09 --- /dev/null +++ b/hosts/routers/iguane-kit-rtr/configuration.nix 
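Review bot: The `define transitIFACEs = { … }` and `define kittenIFACEs = { … }` lines are emitted even when the list is empty, while only the rules that use them are guarded by `optionalString`; on a host without `transitInterface` (iguane-kit-rtr sets none) this yields `define transitIFACEs = { }`, which I believe nft rejects as an empty set literal so the whole table fails to load — wrap each define in the same `optionalString (… != [ ])` guard, or verify with `nft -c -f` that the empty form parses. The final `iifname $kittenIFACEs log prefix "refused connection: " level info reject …` rule has no rate limit, so a misbehaving internal peer can flood the journal; split it into `iifname $kittenIFACEs limit rate 10/second log prefix "refused connection: " level info` followed by the existing `reject` line. `checkReversePath = false` together with `src_valid_mark = 1` disables reverse-path filtering host-wide, which is reasonable for an asymmetric BGP router but should carry a why-comment rather than the commented-out `"loose"` alternative.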
@@ -0,0 +1,98 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page, on +# https://search.nixos.org/options and in the NixOS manual (`nixos-help`). + +{ + config, + targetConfig, + lib, + pkgs, + ... +}: +let + iface = if targetConfig ? interface then targetConfig.interface else null; + kittenIFACE = "ens19"; +in +{ + #imports = [ ./wireguard.nix ]; + # Bootloader. + #boot.loader.systemd-boot.enable = true; + #boot.loader.systemd-boot.configurationLimit = 5; + #boot.loader.efi.canTouchEfiVariables = true; + boot.loader.grub.efiSupport = false; + boot.loader.grub.enable = true; + # boot.loader.grub.efiInstallAsRemovable = true; + # boot.loader.efi.efiSysMountPoint = "/boot/efi"; + # Define on which hard drive you want to install Grub. + #boot.loader.grub.devices = [ "${targetConfig.bootdisk}" ]; # or "nodev" for efi only + + # Pick only one of the below networking options. + # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. + # networking.networkmanager.enable = true; # Easiest to use and most distros use this by default. + networking = { + #nameservers = [ "1.3.3.7" ]; + interfaces = { + "${iface}".useDHCP = true; + + "${kittenIFACE}" = { + + # ipv4.addresses = [ + # { + # address = "185.10.17.209"; + # prefixLength = 24; + # } + # ]; + + ipv6.addresses = [ + { + address = "2a13:79c0:ffff:feff:b00b:3965:113:25"; + prefixLength = 112; + } + ]; + }; + }; + + # defaultGateway = { + # address = "185.10.17.254"; + # metric = 42; + # interface = iface; + # }; + + # defaultGateway6 = { + # address = "fe80::1"; + # metric = 42; + # interface = iface; + # }; + + useDHCP = false; + #dhcpcd.enable = false; + }; + + systemd.network.enable = true; + + # Set your time zone. 
+ time.timeZone = "Europe/Paris"; + + nixpkgs.config.allowUnfree = true; + # Configure network proxy if necessary + # networking.proxy.default = "http://user:password@proxy:port/"; + # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; + + # This option defines the first version of NixOS you have installed on this particular machine, + # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. + # + # Most users should NEVER change this value after the initial install, for any reason, + # even if you've upgraded your system to a new NixOS release. + # + # This value does NOT affect the Nixpkgs version your packages and OS are pulled from, + # so changing it will NOT upgrade your system. + # + # This value being lower than the current NixOS release does NOT mean your system is + # out of date, out of support, or vulnerable. + # + # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration, + # and migrated your data accordingly. + # + # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion . + system.stateVersion = "23.11"; # Did you read the comment? +} diff --git a/hosts/routers/iguane-kit-rtr/default.nix b/hosts/routers/iguane-kit-rtr/default.nix new file mode 100644 index 0000000..f8dbd72 --- /dev/null +++ b/hosts/routers/iguane-kit-rtr/default.nix 
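Review bot: `"${iface}".useDHCP = true;` cannot use the `null` fallback that `iface` is given at the top of the file: interpolating `null` into an attribute name is an evaluation error, so a target without `interface` fails with a coercion message instead of a clear one. Either make the requirement explicit, `iface = targetConfig.interface or (throw "routers need targetConfig.interface");`, or guard the entry with `lib.optionalAttrs (iface != null) { "${iface}".useDHCP = true; }`. virtua-kit-edge/configuration.nix below has the same pattern. The `kittenIFACE = "ens19"` constant is also repeated literally in this host's `default.nix` extraForwardRules, so the two can drift.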
@@ -0,0 +1,49 @@ +{ ... }: +{ + type = "targetConfig"; + + bootdisk = "/dev/vda"; + diskTemplate = "simple_singleFullRoot"; + # profile = "routers"; + interface = "ens18"; + # mainSerial = 0; + + birdConfig = { + # inherit transitInterface; + + # router-id = ; + + # loopback4 = ""; + loopback6 = "2a13:79c0:ffff:fefe::113:25"; + + static6 = [ + "::/0 recursive 2a13:79c0:ffff:fefe::b00b" + + "2a13:79c0:ffff:fefe::113:91/128 via 2a13:79c0:ffff:feff:b00b:3965:113:92" # Announce RouteReflector LoopBack + + #"2a13:79c0:ffff::/48 unreachable" # Networking stuff + #"2a13:79c0:ffff:fefe::/64 unreachable" # LoopBacks + #"2a13:79c0:ff00::/40 unreachable" # full range /40 + ]; + + # extra interfaces part of KittenNetwork (local-eth for ex) + # allowedInterfaces = []; + + extraForwardRules = '' + iifname $kittenIFACEs ip6 daddr 2a13:79c0:ffff:fefe::113:91 tcp dport { 179, 1790 } counter accept + + ip6 saddr 2a01:cb08:bbb:3700::/64 oifname ens19 counter accept + + iifname ens19 oifname $kittenIFACEs counter accept + ct state vmap { + established : accept, + related : accept, + # invalid : jump forward-allow, + # new : jump forward-allow, + # untracked : jump forward-allow, + } + + # oifname $kittenIFACEs ip6 saddr 2a13:79c0:ffff:fefe::113:91 tcp sport { 179, 1790 } counter accept + ''; + }; +} diff --git a/hosts/routers/iguane-kit-rtr/hardware-configuration.nix b/hosts/routers/iguane-kit-rtr/hardware-configuration.nix new file mode 100644 index 0000000..9809bde --- /dev/null +++ b/hosts/routers/iguane-kit-rtr/hardware-configuration.nix 
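Review bot: The `extraForwardRules` block hard-codes `ens19` twice (`oifname ens19`, `iifname ens19`) while `allowedInterfaces` — the knob that would fold that interface into `$kittenIFACEs` — is left commented out; setting `allowedInterfaces = [ "ens19" ];` would cover `iifname ens19 oifname $kittenIFACEs` through the generic `iifname $kittenIFACEs oifname $kittenIFACEs` rule and remove one literal. The `ct state vmap { established : accept, related : accept }` entry reintroduces connection tracking on a chain whose module comment says stateless filtering is intended; if this host needs return-traffic acceptance, say so next to it, e.g. `# stateful exception: ens19 clients need return traffic accepted`. The `ip6 saddr 2a01:cb08:bbb:3700::/64 oifname ens19 counter accept` rule likewise has no comment saying whose prefix that is.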
@@ -0,0 +1,36 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ + config, + lib, + pkgs, + modulesPath, + ... +}: + +{ + imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; + + boot.initrd.availableKernelModules = [ + "ata_piix" + "uhci_hcd" + "virtio_pci" + "sr_mod" + "virtio_blk" + ]; + + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.ens18.useDHCP = lib.mkDefault true; + # networking.interfaces.ens19.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} diff --git a/hosts/routers/iguane-kit-rtr/peers/KIT-VIRTUA-EDGE.nix b/hosts/routers/iguane-kit-rtr/peers/KIT-VIRTUA-EDGE.nix new file mode 100644 index 0000000..cc7bf11 --- /dev/null +++ b/hosts/routers/iguane-kit-rtr/peers/KIT-VIRTUA-EDGE.nix 
@@ -0,0 +1,33 @@ +{ ... }: +let + kittenASN = 4242421945; +in +{ + + peerAS = kittenASN; + peerIP = "2a13:79c0:ffff:feff::102"; + localAS = kittenASN; + + wireguard = { + address = "2a13:79c0:ffff:feff::103"; + port = 51800; + onIFACE = "ens18"; + # endpoint = "[2a07:8dc0:19:1cf::1]:6969"; + endpoint = "185.10.17.209:6969"; + + peerKey = "p200ujtoVhMNnbrdljxoHqAF7cbfRDRFTA+6ibGvIEg="; + }; + template = "kittunderlay"; + bgpMED = 100; + ipv6 = { + #imports = null; + imports = x: "filter filter6_IN_BGP_${toString x}"; + #exports = [ "2a12:dd47:9330::/44" ]; + + #exports = null; + }; + ipv4 = { + imports = x: "filter filter4_IN_BGP_${toString x}"; + #exports = x: "filter6_IN_BGP_${toString x}"; + }; +} diff --git a/hosts/routers/iguane-kit-rtr/peers/KIT-VULTR-EDGE.nix b/hosts/routers/iguane-kit-rtr/peers/KIT-VULTR-EDGE.nix new file mode 100644 index 0000000..7709698 --- /dev/null +++ b/hosts/routers/iguane-kit-rtr/peers/KIT-VULTR-EDGE.nix @@ -0,0 +1,32 @@ +{ ... }: +let + kittenASN = 4242421945; +in +{ + peerAS = kittenASN; + peerIP = "2a13:79c0:ffff:feff::105"; + localAS = kittenASN; + + wireguard = { + address = "2a13:79c0:ffff:feff::104"; + port = 51801; + onIFACE = "ens18"; + # endpoint = "[2001:19f0:6801:365:5400:4ff:fe82:5c6e]:6969"; + endpoint = "140.82.55.252:6969"; + peerKey = "H8z/i9mmbIukPwLJooVP/d+T4pi9IRFC/UYA7gcEzFM="; + }; + + template = "kittunderlay"; + bgpMED = 100; + ipv6 = { + #imports = null; + imports = x: "filter filter6_IN_BGP_${toString x}"; + #exports = [ "2a12:dd47:9330::/44" ]; + + #exports = null; + }; + ipv4 = { + imports = x: "filter filter4_IN_BGP_${toString x}"; + #exports = x: "filter6_IN_BGP_${toString x}"; + }; +} diff --git a/hosts/routers/iguane-kit-rtr/peers/KIT-aurelien-RBR.nix b/hosts/routers/iguane-kit-rtr/peers/KIT-aurelien-RBR.nix new file mode 100644 index 0000000..0536c9c --- /dev/null +++ b/hosts/routers/iguane-kit-rtr/peers/KIT-aurelien-RBR.nix 
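Review bot: Each peer file repeats the same `kittenASN` binding, `template = "kittunderlay"`, `bgpMED = 100` and the identical `ipv6.imports`/`ipv4.imports` lambdas (`x: "filter filter6_IN_BGP_${toString x}"`, `x: "filter filter4_IN_BGP_${toString x}"`); the same copies appear in the KIT-aurelien-RBR, KIT-roumain-NTE, KIT-toinux-MEL1, KIT-IG1-RTR, KIT-VIRTUA-EDGE.legacy and KIT-vultr-edge files. A shared helper in `_peers` that takes only `peerIP`, `wireguard` and any override would leave one place to change the filter naming. The `# endpoint = …` IPv6 alternatives left commented next to the IPv4 `endpoint` would be clearer with a short comment saying why the IPv4 path is preferred.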
@@ -0,0 +1,31 @@ +{ ... }: +let + kittenASN = 4242421945; +in +{ + peerAS = kittenASN; + peerIP = "2a13:79c0:ffff:feff::52"; + localAS = kittenASN; + + wireguard = { + address = "2a13:79c0:ffff:feff::53"; + port = 51842; + onIFACE = "ens18"; + + peerKey = "M/aH47ot5gjYcF2D3gG2uM087pq/FrbmBzd2s/Q0Uno="; + }; + + template = "kittunderlay"; + bgpMED = 100; + ipv6 = { + #imports = null; + imports = x: "filter filter6_IN_BGP_${toString x}"; + #exports = [ "2a12:dd47:9330::/44" ]; + + #exports = null; + }; + ipv4 = { + imports = x: "filter filter4_IN_BGP_${toString x}"; + #exports = x: "filter6_IN_BGP_${toString x}"; + }; +} diff --git a/hosts/routers/iguane-kit-rtr/peers/KIT-roumain-NTE.nix b/hosts/routers/iguane-kit-rtr/peers/KIT-roumain-NTE.nix new file mode 100644 index 0000000..bac4a45 --- /dev/null +++ b/hosts/routers/iguane-kit-rtr/peers/KIT-roumain-NTE.nix @@ -0,0 +1,32 @@ +{ ... }: +let + kittenASN = 4242421945; +in +{ + peerAS = kittenASN; + peerIP = "2a13:79c0:ffff:feff::36"; + localAS = kittenASN; + + wireguard = { + address = "2a13:79c0:ffff:feff::37"; + # port = 51801; + # onIFACE = "ens18"; + + endpoint = "82.65.74.170:6969"; + peerKey = "jPWPbIKshdOqdm8IdumAzgjI9yHgURLCTEfIU0v9KDc="; + }; + + template = "kittunderlay"; + bgpMED = 100; + ipv6 = { + #imports = null; + imports = x: "filter filter6_IN_BGP_${toString x}"; + #exports = [ "2a12:dd47:9330::/44" ]; + + #exports = null; + }; + ipv4 = { + imports = x: "filter filter4_IN_BGP_${toString x}"; + #exports = x: "filter6_IN_BGP_${toString x}"; + }; +} diff --git a/hosts/routers/iguane-kit-rtr/peers/KIT-toinux-MEL1.nix b/hosts/routers/iguane-kit-rtr/peers/KIT-toinux-MEL1.nix new file mode 100644 index 0000000..7a0763f --- /dev/null +++ b/hosts/routers/iguane-kit-rtr/peers/KIT-toinux-MEL1.nix 
@@ -0,0 +1,32 @@ +{ ... }: +let + kittenASN = 4242421945; + toinuxASN = 4242423692; +in +{ + peerAS = toinuxASN; + peerIP = "2a13:79c0:ffff:feff::3013"; + localAS = toinuxASN; + + wireguard = { + address = "2a13:79c0:ffff:feff::3012"; + port = 51851; + onIFACE = "ens18"; + + peerKey = "xFNmHprArmxWD0W0YhD8nQZR1EbpXNWU8Rr5puSrDyw="; + }; + + template = "kittunderlay"; + bgpMED = 100; + ipv6 = { + #imports = null; + imports = x: "filter filter6_IN_BGP_${toString x}"; + #exports = [ "2a12:dd47:9330::/44" ]; + + #exports = null; + }; + ipv4 = { + imports = x: "filter filter4_IN_BGP_${toString x}"; + #exports = x: "filter6_IN_BGP_${toString x}"; + }; +} diff --git a/hosts/routers/iguane-kit-rtr/peers/default.nix b/hosts/routers/iguane-kit-rtr/peers/default.nix new file mode 100644 index 0000000..8337dce --- /dev/null +++ b/hosts/routers/iguane-kit-rtr/peers/default.nix @@ -0,0 +1,20 @@ +{ ... }: +let + defaultPeers = import ../../_peers { }; +in +defaultPeers +// { + + # Transit + # TRS_virtua6_RS01 = import ./TRS-virtua6-RS01.nix { }; + # TRS_virtua6_RS02 = import ./TRS-virtua6-RS02.nix { }; + + # Internal Tunnels + virtuaNix_PAR = import ./KIT-VIRTUA-EDGE.nix { }; + vultrNix_PAR = import ./KIT-VULTR-EDGE.nix { }; + # LGC_virtua_PAR = import ./KIT-VIRTUA-EDGE.legacy.nix { }; + + aureG8 = import ./KIT-aurelien-RBR.nix { }; + toinuxMEL1 = import ./KIT-toinux-MEL1.nix { }; + roumainNTE = import ./KIT-roumain-NTE.nix { }; +} diff --git a/hosts/routers/virtua-kit-edge/configuration.nix b/hosts/routers/virtua-kit-edge/configuration.nix new file mode 100644 index 0000000..8afb1c0 --- /dev/null +++ b/hosts/routers/virtua-kit-edge/configuration.nix 
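Review bot: `localAS = toinuxASN;` in KIT-toinux-MEL1.nix makes this router present the remote operator's ASN (4242423692) on its own side, whereas every other peer file sets `localAS = kittenASN`; if the session is meant to be iBGP inside toinux's AS for a specific reason, a comment saying so would stop the next reader from "fixing" it, otherwise it should be `localAS = kittenASN;`. The `kittenASN` binding in that file is otherwise unused.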
@@ -0,0 +1,91 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page, on +# https://search.nixos.org/options and in the NixOS manual (`nixos-help`). + +{ + config, + targetConfig, + lib, + pkgs, + ... +}: +let + iface = if targetConfig ? interface then targetConfig.interface else null; +in +{ + #imports = [ ./wireguard.nix ]; + # Bootloader. + #boot.loader.systemd-boot.enable = true; + #boot.loader.systemd-boot.configurationLimit = 5; + #boot.loader.efi.canTouchEfiVariables = true; + boot.loader.grub.efiSupport = false; + boot.loader.grub.enable = true; + # boot.loader.grub.efiInstallAsRemovable = true; + # boot.loader.efi.efiSysMountPoint = "/boot/efi"; + # Define on which hard drive you want to install Grub. + #boot.loader.grub.devices = [ "${targetConfig.bootdisk}" ]; # or "nodev" for efi only + + # Pick only one of the below networking options. + # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. + # networking.networkmanager.enable = true; # Easiest to use and most distros use this by default. + networking = { + #nameservers = [ "1.3.3.7" ]; + interfaces = { + "${iface}" = { + ipv4.addresses = [ + { + address = "185.10.17.209"; + prefixLength = 24; + } + ]; + + ipv6.addresses = [ + { + address = "2a07:8dc0:19:1cf::1"; + prefixLength = 128; + } + ]; + }; + }; + defaultGateway = { + address = "185.10.17.254"; + metric = 42; + interface = iface; + }; + defaultGateway6 = { + address = "fe80::1"; + metric = 42; + interface = iface; + }; + useDHCP = false; + #dhcpcd.enable = false; + }; + + systemd.network.enable = true; + + # Set your time zone. 
+ time.timeZone = "Europe/Paris"; + + nixpkgs.config.allowUnfree = true; + # Configure network proxy if necessary + # networking.proxy.default = "http://user:password@proxy:port/"; + # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; + + # This option defines the first version of NixOS you have installed on this particular machine, + # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. + # + # Most users should NEVER change this value after the initial install, for any reason, + # even if you've upgraded your system to a new NixOS release. + # + # This value does NOT affect the Nixpkgs version your packages and OS are pulled from, + # so changing it will NOT upgrade your system. + # + # This value being lower than the current NixOS release does NOT mean your system is + # out of date, out of support, or vulnerable. + # + # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration, + # and migrated your data accordingly. + # + # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion . + system.stateVersion = "23.11"; # Did you read the comment? +} diff --git a/hosts/routers/virtua-kit-edge/default.nix b/hosts/routers/virtua-kit-edge/default.nix new file mode 100644 index 0000000..bf225d8 --- /dev/null +++ b/hosts/routers/virtua-kit-edge/default.nix 
@@ -0,0 +1,29 @@ +{ ... }: +let + IFACE = "ens18"; +in +{ + type = "targetConfig"; + + bootdisk = "/dev/sda"; + diskTemplate = "simple_singleFullRoot"; + swap = true; + + interface = IFACE; + # mainSerial = 0; + birdConfig = { + transitInterface = IFACE; + # router-id = ; + + # loopback4 = ""; + loopback6 = "2a13:79c0:ffff:fefe::12:10"; + + static6 = [ + # ''2a0d:e680:0::b:1/128 via "enp1s0"'' # Vultr bgp neighbor + "2a13:79c0:ffff:fefe::b00b/128 unreachable" + #"2a13:79c0:ffff::/48 unreachable" # Networking stuff + #"2a13:79c0:ffff:fefe::/64 unreachable" # LoopBacks + "2a13:79c0:ff00::/40 unreachable" # full range /40 + ]; + }; +} diff --git a/hosts/routers/virtua-kit-edge/hardware-configuration.nix b/hosts/routers/virtua-kit-edge/hardware-configuration.nix new file mode 100644 index 0000000..9d82589 --- /dev/null +++ b/hosts/routers/virtua-kit-edge/hardware-configuration.nix @@ -0,0 +1,24 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ + config, + lib, + pkgs, + modulesPath, + ... +}: + +{ + imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; + + boot.initrd.availableKernelModules = [ + "ata_piix" + "uhci_hcd" + "sd_mod" + "sr_mod" + ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; +} diff --git a/hosts/routers/virtua-kit-edge/peers/KIT-IG1-RTR.nix b/hosts/routers/virtua-kit-edge/peers/KIT-IG1-RTR.nix new file mode 100644 index 0000000..7be5a83 --- /dev/null +++ b/hosts/routers/virtua-kit-edge/peers/KIT-IG1-RTR.nix 
@@ -0,0 +1,30 @@ +{ ... }: +let + kittenASN = 4242421945; +in +{ + peerAS = kittenASN; + peerIP = "2a13:79c0:ffff:feff::103"; + localAS = kittenASN; + + wireguard = { + address = "2a13:79c0:ffff:feff::102"; + port = 6969; + + peerKey = "gDriA5mhKKh44OHEIxmmevphoVRLK45TRJmFS1DV1i4="; + }; + + template = "kittunderlay"; + bgpMED = 100; + ipv6 = { + #imports = null; + imports = x: "filter filter6_IN_BGP_${toString x}"; + #exports = [ "2a12:dd47:9330::/44" ]; + + #exports = null; + }; + ipv4 = { + imports = x: "filter filter4_IN_BGP_${toString x}"; + #exports = x: "filter6_IN_BGP_${toString x}"; + }; +} diff --git a/hosts/routers/virtua-kit-edge/peers/KIT-VIRTUA-EDGE.legacy.nix b/hosts/routers/virtua-kit-edge/peers/KIT-VIRTUA-EDGE.legacy.nix new file mode 100644 index 0000000..46ca905 --- /dev/null +++ b/hosts/routers/virtua-kit-edge/peers/KIT-VIRTUA-EDGE.legacy.nix @@ -0,0 +1,50 @@ +{ ... }: +let + kittenASN = 4242421945; +in +{ + # vultr6 + # AS64515 + # Peer-IP : 2001:19f0:ffff::1 + + # protocol bgp TRANSIT_VULTR6 { + # + # multihop 2; + # + + # ipv6 { + # export filter { + # if ( net ~ [ 2a13:79c0:ff00::/40, 2a12:dd47:9330::/44 ] ) then { + # accept; + # } + # reject; + # }; + # import none; + # }; + # + # } + peerAS = kittenASN; + peerIP = "2a13:79c0:ffff:feff::110"; + localAS = kittenASN; + + wireguard = { + address = "2a13:79c0:ffff:feff::111"; + port = 6978; + # endpoint = "[2a07:8dc0:19:1cf::1]:51800"; + # peerKey = "p200ujtoVhMNnbrdljxoHqAF7cbfRDRFTA+6ibGvIEg="; + peerKey = "rMTaMWJYlgTKJoE0PnVOo9SKHTppEfYK5KtWjBI9mC8="; + }; + template = "kittunderlay"; + bgpMED = 6666; + ipv6 = { + #imports = null; + imports = x: "filter filter6_IN_BGP_${toString x}"; + #exports = [ "2a12:dd47:9330::/44" ]; + + #exports = null; + }; + ipv4 = { + imports = x: "filter filter4_IN_BGP_${toString x}"; + #exports = x: "filter6_IN_BGP_${toString x}"; + }; +} 
diff --git a/hosts/routers/virtua-kit-edge/peers/KIT-vultr-edge.nix b/hosts/routers/virtua-kit-edge/peers/KIT-vultr-edge.nix new file mode 100644 index 0000000..68cf772 --- /dev/null +++ b/hosts/routers/virtua-kit-edge/peers/KIT-vultr-edge.nix @@ -0,0 +1,30 @@ +{ ... }: +let + kittenASN = 4242421945; +in +{ + peerAS = kittenASN; + peerIP = "2a13:79c0:ffff:feff::10f"; + localAS = kittenASN; + + wireguard = { + address = "2a13:79c0:ffff:feff::10e"; + port = 51801; + endpoint = "[2001:19f0:6801:365:5400:4ff:fe82:5c6e]:51801"; + peerKey = "H8z/i9mmbIukPwLJooVP/d+T4pi9IRFC/UYA7gcEzFM="; + }; + + template = "kittunderlay"; + bgpMED = 100; + ipv6 = { + #imports = null; + imports = x: "filter filter6_IN_BGP_${toString x}"; + #exports = [ "2a12:dd47:9330::/44" ]; + + #exports = null; + }; + ipv4 = { + imports = x: "filter filter4_IN_BGP_${toString x}"; + #exports = x: "filter6_IN_BGP_${toString x}"; + }; +} diff --git a/hosts/routers/virtua-kit-edge/peers/TRS-virtua6-RS01.nix b/hosts/routers/virtua-kit-edge/peers/TRS-virtua6-RS01.nix new file mode 100644 index 0000000..661413c --- /dev/null +++ b/hosts/routers/virtua-kit-edge/peers/TRS-virtua6-RS01.nix @@ -0,0 +1,19 @@ +{ ... }: +{ + localAS = 207175; + peerAS = 35661; + peerIP = "2a0d:e680:0::b:1"; + multihop = 5; + + passwordRef = "virtua"; + + ipv6 = { + imports = null; + exports = [ + "2a13:79c0:ff00::/40" # Prod /40 + + # "2a12:dd47:9330::/44" + ]; + #exports = null; + }; +} diff --git a/hosts/routers/virtua-kit-edge/peers/TRS-virtua6-RS02.nix b/hosts/routers/virtua-kit-edge/peers/TRS-virtua6-RS02.nix new file mode 100644 index 0000000..dc175e5 --- /dev/null +++ b/hosts/routers/virtua-kit-edge/peers/TRS-virtua6-RS02.nix @@ -0,0 +1,18 @@ +{ ... }: +{ + localAS = 207175; + peerAS = 35661; + peerIP = "2a0d:e680:0::b:2"; + multihop = 5; + + passwordRef = "virtua"; + + ipv6 = { + imports = null; + exports = [ + "2a13:79c0:ff00::/40" # Prod /40 + "2a12:dd47:9330::/44" + ]; + #exports = null; + }; +} 
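Review bot: TRS-virtua6-RS01 and TRS-virtua6-RS02 announce different prefix sets to what looks like a redundant pair of route servers: RS01 has `"2a12:dd47:9330::/44"` commented out while RS02 exports it, so the /44 loses its path through RS01 whenever RS02 is down. If the asymmetry is intended, add a comment next to the commented entry saying why; otherwise align the two lists. Both sessions use `imports = null` (rendered as `import none`) and `passwordRef` rather than an inline `password`, which is the right shape for transit-facing peers.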
diff --git a/hosts/routers/virtua-kit-edge/peers/default.nix b/hosts/routers/virtua-kit-edge/peers/default.nix new file mode 100644 index 0000000..a66d7be --- /dev/null +++ b/hosts/routers/virtua-kit-edge/peers/default.nix @@ -0,0 +1,16 @@ +{ ... }: +let + defaultPeers = import ../../_peers { }; +in +defaultPeers +// { + + # Transit + TRS_virtua6_RS01 = import ./TRS-virtua6-RS01.nix { }; + TRS_virtua6_RS02 = import ./TRS-virtua6-RS02.nix { }; + + # Internal Tunnels + KIT_IG1_RTR = import ./KIT-IG1-RTR.nix { }; + vultrNix_PAR = import ./KIT-vultr-edge.nix { }; + # LGC_virtua_PAR = import ./KIT-VIRTUA-EDGE.legacy.nix { }; +} diff --git a/hosts/routers/vultr-kit-edge/configuration.nix b/hosts/routers/vultr-kit-edge/configuration.nix new file mode 100644 index 0000000..2474a51 --- /dev/null +++ b/hosts/routers/vultr-kit-edge/configuration.nix 
@@ -0,0 +1,82 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page, on +# https://search.nixos.org/options and in the NixOS manual (`nixos-help`). + +{ + config, + targetConfig, + lib, + pkgs, + ... +}: + +{ + #imports = [ ./wireguard.nix ]; + # Bootloader. + #boot.loader.systemd-boot.enable = true; + #boot.loader.systemd-boot.configurationLimit = 5; + #boot.loader.efi.canTouchEfiVariables = true; + boot.loader.grub.efiSupport = false; + boot.loader.grub.enable = true; + # boot.loader.grub.efiInstallAsRemovable = true; + # boot.loader.efi.efiSysMountPoint = "/boot/efi"; + # Define on which hard drive you want to install Grub. + #boot.loader.grub.devices = [ "${targetConfig.bootdisk}" ]; # or "nodev" for efi only + + # Pick only one of the below networking options. + # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. + # networking.networkmanager.enable = true; # Easiest to use and most distros use this by default. + networking = { + #dhcpcd.enable = false; + #useNetworkd = true; + useDHCP = false; + }; + + systemd.network.enable = true; + services.cloud-init = { + enable = true; + ext4.enable = true; + network.enable = true; + settings = { + datasource_list = [ "Vultr" ]; + disable_root = false; + ssh_pwauth = 0; + updates = { + network = { + when = [ + "boot" + "boot-legacy" + "boot-new-instance" + "hotplug" + ]; + }; + }; + }; + }; + + # Set your time zone. + time.timeZone = "Europe/Paris"; + + nixpkgs.config.allowUnfree = true; + # Configure network proxy if necessary + # networking.proxy.default = "http://user:password@proxy:port/"; + # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; + + # This option defines the first version of NixOS you have installed on this particular machine, + # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. 
+ # + # Most users should NEVER change this value after the initial install, for any reason, + # even if you've upgraded your system to a new NixOS release. + # + # This value does NOT affect the Nixpkgs version your packages and OS are pulled from, + # so changing it will NOT upgrade your system. + # + # This value being lower than the current NixOS release does NOT mean your system is + # out of date, out of support, or vulnerable. + # + # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration, + # and migrated your data accordingly. + # + # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion . + system.stateVersion = "23.11"; # Did you read the comment? +} diff --git a/hosts/routers/vultr-kit-edge/default.nix b/hosts/routers/vultr-kit-edge/default.nix new file mode 100644 index 0000000..cb0e4c9 --- /dev/null +++ b/hosts/routers/vultr-kit-edge/default.nix @@ -0,0 +1,32 @@ +{ ... }: +let + IFACE = "enp1s0"; +in +{ + type = "targetConfig"; + + bootdisk = "/dev/vda"; + diskTemplate = "simple_singleFullRoot"; + + interface = IFACE; + # mainSerial = 0; + + birdConfig = { + transitInterface = IFACE; + + # router-id = ; + + # loopback4 = ""; + loopback6 = "2a13:79c0:ffff:fefe::b48d"; + + static6 = [ + ''2001:19f0:ffff::1/128 via "fe80::fc00:4ff:fe82:5c6e%${IFACE}"'' # Vultr bgp neighbor + + "2a13:79c0:ffff:fefe::b00b/128 unreachable" # Special Anycast "loopback" for default gateways + + #"2a13:79c0:ffff::/48 unreachable" # Networking stuff + #"2a13:79c0:ffff:fefe::/64 unreachable" # LoopBacks + "2a13:79c0:ff00::/40 unreachable" # full range /40 + ]; + }; +} diff --git a/hosts/routers/vultr-kit-edge/hardware-configuration.nix b/hosts/routers/vultr-kit-edge/hardware-configuration.nix new file mode 100644 index 0000000..288c237 --- /dev/null +++ b/hosts/routers/vultr-kit-edge/hardware-configuration.nix 
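Review bot: `disable_root = false;` in the cloud-init settings keeps root's SSH login enabled on an internet-facing edge router (cloud-init's default is to disable it and provision an unprivileged user); unless something outside this chunk restricts root login, prefer the default or set `disable_root = true;` and let the provisioned user escalate. `ssh_pwauth = 0;` is correct but mixes an integer with the boolean style of the neighbouring keys; `ssh_pwauth = false;` reads more clearly. Separately, `boot.loader.grub.enable = true;` with `efiSupport = false` and the `boot.loader.grub.devices` line commented out only evaluates if a device is set elsewhere (presumably `_system/grub-boot.nix`, not in this chunk); a comment pointing there would save the next reader a search.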
@@ -0,0 +1,36 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+}:
+
+{
+ imports = [ ];
+
+ boot.initrd.availableKernelModules = [
+ "ahci"
+ "xhci_pci"
+ "virtio_pci"
+ "sr_mod"
+ "virtio_blk"
+ ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ # networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp8s0.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ virtualisation.hypervGuest.enable = true;
+}
diff --git a/hosts/routers/vultr-kit-edge/peers/KIT-IG1-RTR.nix b/hosts/routers/vultr-kit-edge/peers/KIT-IG1-RTR.nix
new file mode 100644
index 0000000..62739e9
--- /dev/null
+++ b/hosts/routers/vultr-kit-edge/peers/KIT-IG1-RTR.nix
@@ -0,0 +1,30 @@
+{ ... }:
+let
+ kittenASN = 4242421945;
+in
+{
+ peerAS = kittenASN;
+ peerIP = "2a13:79c0:ffff:feff::104";
+ localAS = kittenASN;
+
+ wireguard = {
+ address = "2a13:79c0:ffff:feff::105";
+ port = 6969;
+
+ peerKey = "gDriA5mhKKh44OHEIxmmevphoVRLK45TRJmFS1DV1i4=";
+ };
+
+ template = "kittunderlay";
+ bgpMED = 100;
+ ipv6 = {
+ #imports = null;
+ imports = x: "filter filter6_IN_BGP_${toString x}";
+ #exports = [ "2a12:dd47:9330::/44" ];
+
+ #exports = null;
+ };
+ ipv4 = {
+ imports = x: "filter filter4_IN_BGP_${toString x}";
+ #exports = x: "filter6_IN_BGP_${toString x}";
+ };
+}
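Review bot: `virtualisation.hypervGuest.enable = true;` looks wrong for this host: the initrd module list (`virtio_pci`, `virtio_blk`) and the Vultr cloud-init datasource in `configuration.nix` point at a KVM/virtio guest, and the `imports = [ ];` line drops the `qemu-guest.nix` profile that the other generated hardware files in this commit include. Unless the machine really runs under Hyper-V, replace the line with `imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];`; the header says the file was generated, so this hand edit deserves a comment either way.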
diff --git a/hosts/routers/vultr-kit-edge/peers/KIT-VIRTUA-EDGE.legacy.nix b/hosts/routers/vultr-kit-edge/peers/KIT-VIRTUA-EDGE.legacy.nix new file mode 100644 index 0000000..e6f5209 --- /dev/null +++ b/hosts/routers/vultr-kit-edge/peers/KIT-VIRTUA-EDGE.legacy.nix @@ -0,0 +1,51 @@ +{ ... }: +let + kittenASN = 4242421945; +in +{ + # vultr6 + # AS64515 + # Peer-IP : 2001:19f0:ffff::1 + + # protocol bgp TRANSIT_VULTR6 { + # + # multihop 2; + # + + # ipv6 { + # export filter { + # if ( net ~ [ 2a13:79c0:ff00::/40, 2a12:dd47:9330::/44 ] ) then { + # accept; + # } + # reject; + # }; + # import none; + # }; + # + # } + peerAS = kittenASN; + peerIP = "2a13:79c0:ffff:feff::10d"; + localAS = kittenASN; + + wireguard = { + # onIFACE = "enp1s0"; + address = "2a13:79c0:ffff:feff::10c"; + port = 51800; + # endpoint = "[2a07:8dc0:19:1cf::1]:51800"; + # peerKey = "p200ujtoVhMNnbrdljxoHqAF7cbfRDRFTA+6ibGvIEg="; + peerKey = "rMTaMWJYlgTKJoE0PnVOo9SKHTppEfYK5KtWjBI9mC8="; + }; + template = "kittunderlay"; + bgpMED = 6666; + ipv6 = { + #imports = null; + imports = x: "filter filter6_IN_BGP_${toString x}"; + #exports = [ "2a12:dd47:9330::/44" ]; + + #exports = null; + }; + ipv4 = { + imports = x: "filter filter4_IN_BGP_${toString x}"; + #exports = x: "filter6_IN_BGP_${toString x}"; + }; +} diff --git a/hosts/routers/vultr-kit-edge/peers/KIT-VULTR-EDGE.legacy.nix b/hosts/routers/vultr-kit-edge/peers/KIT-VULTR-EDGE.legacy.nix new file mode 100644 index 0000000..a325311 --- /dev/null +++ b/hosts/routers/vultr-kit-edge/peers/KIT-VULTR-EDGE.legacy.nix 
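Review bot: The commented bird block at the top of this file (`# vultr6`, `# AS64515`, `# protocol bgp TRANSIT_VULTR6 {` …) describes the Vultr transit session, not the virtua tunnel this file configures; the same block is pasted into `KIT-VULTR-EDGE.legacy.nix` and `TRS-vultr6-RTR.nix`, and only the latter is its proper home. Neither edge's `peers/default.nix` imports this file (`LGC_virtua_PAR` is commented out on both), so as committed it is dead configuration carrying a superseded `# peerKey = ...` and `# endpoint = ...`; either delete it or mark it with `# UNUSED: kept for reference, superseded by KIT-virtua-edge.nix` at the top.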
@@ -0,0 +1,50 @@ +{ ... }: +let + kittenASN = 4242421945; +in +{ + # vultr6 + # AS64515 + # Peer-IP : 2001:19f0:ffff::1 + + # protocol bgp TRANSIT_VULTR6 { + # + # multihop 2; + # + + # ipv6 { + # export filter { + # if ( net ~ [ 2a13:79c0:ff00::/40, 2a12:dd47:9330::/44 ] ) then { + # accept; + # } + # reject; + # }; + # import none; + # }; + # + # } + peerAS = kittenASN; + peerIP = "2a13:79c0:ffff:feff::113"; + localAS = kittenASN; + + wireguard = { + # onIFACE = "test"; + address = "2a13:79c0:ffff:feff::112"; + port = 51802; + endpoint = "[2a05:f480:1c00:5c0:5400:4ff:fe12:b47d]:51867"; + peerKey = "WYwm2mpTPQD5ZlKRI/l0GxJPUybN0cOyWxlTzNrZ7zY="; + }; + template = "kittunderlay"; + bgpMED = 6666; + ipv6 = { + #imports = null; + imports = x: "filter filter6_IN_BGP_${toString x}"; + #exports = [ "2a12:dd47:9330::/44" ]; + + #exports = null; + }; + ipv4 = { + imports = x: "filter filter4_IN_BGP_${toString x}"; + #exports = x: "filter6_IN_BGP_${toString x}"; + }; +} diff --git a/hosts/routers/vultr-kit-edge/peers/KIT-virtua-edge.nix b/hosts/routers/vultr-kit-edge/peers/KIT-virtua-edge.nix new file mode 100644 index 0000000..e4dee5e --- /dev/null +++ b/hosts/routers/vultr-kit-edge/peers/KIT-virtua-edge.nix @@ -0,0 +1,30 @@ +{ ... }: +let + kittenASN = 4242421945; +in +{ + peerAS = kittenASN; + peerIP = "2a13:79c0:ffff:feff::10e"; + localAS = kittenASN; + + wireguard = { + address = "2a13:79c0:ffff:feff::10f"; + port = 51801; + endpoint = "[2a07:8dc0:19:1cf::1]:51801"; + peerKey = "p200ujtoVhMNnbrdljxoHqAF7cbfRDRFTA+6ibGvIEg="; + }; + + template = "kittunderlay"; + bgpMED = 100; + ipv6 = { + #imports = null; + imports = x: "filter filter6_IN_BGP_${toString x}"; + #exports = [ "2a12:dd47:9330::/44" ]; + + #exports = null; + }; + ipv4 = { + imports = x: "filter filter4_IN_BGP_${toString x}"; + #exports = x: "filter6_IN_BGP_${toString x}"; + }; +} 
diff --git a/hosts/routers/vultr-kit-edge/peers/TRS-vultr6-RTR.nix b/hosts/routers/vultr-kit-edge/peers/TRS-vultr6-RTR.nix new file mode 100644 index 0000000..2de2704 --- /dev/null +++ b/hosts/routers/vultr-kit-edge/peers/TRS-vultr6-RTR.nix @@ -0,0 +1,39 @@ +{ ... }: +{ + # vultr6 + # AS64515 + # Peer-IP : 2001:19f0:ffff::1 + + # protocol bgp TRANSIT_VULTR6 { + # + # multihop 2; + # + + # ipv6 { + # export filter { + # if ( net ~ [ 2a13:79c0:ff00::/40, 2a12:dd47:9330::/44 ] ) then { + # accept; + # } + # reject; + # }; + # import none; + # }; + # + # } + localAS = 207175; + peerAS = 64515; + peerIP = "2001:19f0:ffff::1"; + multihop = 2; + + passwordRef = "vultr"; + + ipv6 = { + imports = null; + exports = [ + "2a13:79c0:ff00::/40" # Prod /40 + + # "2a12:dd47:9330::/44" + ]; + #exports = null; + }; +} diff --git a/hosts/routers/vultr-kit-edge/peers/default.nix b/hosts/routers/vultr-kit-edge/peers/default.nix new file mode 100644 index 0000000..3727c80 --- /dev/null +++ b/hosts/routers/vultr-kit-edge/peers/default.nix @@ -0,0 +1,15 @@ +{ ... }: +let + defaultPeers = import ../../_peers { }; +in +defaultPeers +// { + # Transit + TRS_vultr6_RTR = import ./TRS-vultr6-RTR.nix { }; + + # Internal Tunnels + KIT_IG1_RTR = import ./KIT-IG1-RTR.nix { }; + # LGC_virtua_PAR = import ./KIT-VIRTUA-EDGE.legacy.nix { }; + LGC_vultr_PAR = import ./KIT-VULTR-EDGE.legacy.nix { }; + virtuaNix_PAR = import ./KIT-virtua-edge.nix { }; +} diff --git a/hosts/routers/wireguard.nix b/hosts/routers/wireguard.nix new file mode 100644 index 0000000..a3db24c --- /dev/null +++ b/hosts/routers/wireguard.nix 
@@ -0,0 +1,181 @@ +{ + lib, + pkgs, + config, + + target, + targetConfig, + birdConfig, + ... +}: +let + + # Imports Functions + inherit (lib.attrsets) + filterAttrs + mapAttrs + mapAttrsToList + genAttrs + zipAttrs + optionalAttrs + ; + + inherit (lib.asserts) assertMsg; + + inherit (lib.strings) hasPrefix optionalString concatMapStringsSep; + + inherit (builtins) attrNames; + + # Variables / Functions + + IFACE = if targetConfig ? interface then targetConfig.interface else null; + + peers = filterAttrs (n: v: v ? wireguard && v.wireguard != { }) birdConfig.peers; + + hasPort = (n: v: v.wireguard ? port); + hasIface = (n: v: v.wireguard ? onIFACE); + + peersWithPort = filterAttrs hasPort peers; + + peersWithoutIFACE = filterAttrs (n: v: (!hasIface n v)) peersWithPort; + peersWithIFACE = filterAttrs hasIface peersWithPort; + + portsWithoutIFACE = mapAttrsToList (n: v: v.wireguard.port) peersWithoutIFACE; + portsWithIFACE = zipAttrs ( + mapAttrsToList (n: v: { ${v.wireguard.onIFACE} = v.wireguard.port; }) peersWithIFACE + ); + + mkFWConf = ports: { allowedUDPPorts = ports; }; + + genFWMarkStr = ( + mark: + { + "string" = + assert assertMsg (hasPrefix "0x" mark) "fwMark is string but does not start with 0x is it an int ?"; + mark; + + "int" = toString mark; + + "null" = null; + } + .${builtins.typeOf mark} + + ); + + mkWireguardConf = + name: + let + peer = peers.${name}; + + fwMarkString = ( + let + mark = + if peer.wireguard ? fwMark then + peer.wireguard.fwMark + + else if (peer.wireguard ? onIFACE && peer.wireguard.onIFACE != null) then + peer.wireguard.port + + else + null; + in + genFWMarkStr mark + + ); + in + { + table = "off"; + # Determines the IP/IPv6 address and subnet of the client's end of the tunnel interface + address = [ "${peer.wireguard.address}/127" ]; + # The port that WireGuard listens to - recommended that this be changed from default + listenPort = lib.mkIf (peer.wireguard ? 
port) peer.wireguard.port; + + postUp = '' + set - x + + ${optionalString (fwMarkString != null) ''wg set ${name} fwmark ${fwMarkString}''} + ${optionalString (peer.wireguard ? onIFACE && peer.wireguard.onIFACE != null) '' + echo "TABLE=${fwMarkString}" + for v in 4 6; do + echo "[#] IPv$v" + ip -$v route add unreachable default metric 4294967295 table ${fwMarkString} || true + ip -$v route add default $(ip -$v route show default dev ${peer.wireguard.onIFACE} | grep -oE 'via [^ ]+') dev ${peer.wireguard.onIFACE} metric 42 table ${fwMarkString} || true + ip -$v rule add fwmark ${fwMarkString} lookup main suppress_prefixlength 0 + ip -$v rule add fwmark ${fwMarkString} lookup ${fwMarkString} + done + ''} + ''; + + postDown = '' + set -x + + ${optionalString (peer.wireguard ? onIFACE && peer.wireguard.onIFACE != null) '' + echo "TABLE=${fwMarkString}" + for v in 4 6; do + echo "[#] IPv$v" + # ip -$v route del unreachable default metric 4294967295 table ${fwMarkString} || true + ip -$v route del default metric 42 table ${fwMarkString} || true + while ip -$v rule del fwmark ${fwMarkString} lookup main suppress_prefixlength 0; do echo -n .; sleep 0.1; done + while ip -$v rule del fwmark ${fwMarkString} lookup ${fwMarkString}; do echo -n .; sleep 0.1; done + done + ''} + ''; + + # Path to the server's private key + privateKeyFile = config.sops.secrets.wireguard_serverkey.path; + + peers = [ + { + publicKey = peer.wireguard.peerKey; + #presharedKeyFile = "/root/wireguard-keys/preshared_from_peer0_key"; + persistentKeepalive = 10; + endpoint = lib.mkIf (peer.wireguard ? 
endpoint) peer.wireguard.endpoint; + + allowedIPs = [ + "0.0.0.0/0" + "::/0" + ]; + } + ]; + }; +in +{ + # sops --set '["wireguard_serverkey"] "'"$(wg genkey | tee >(wg pubkey > /dev/stderr))"'"' secrets/[HOSTNAME].yaml + sops.secrets.wireguard_serverkey = { }; + environment.systemPackages = with pkgs; [ wireguard-tools ]; + + environment.etc."iproute2/rt_tables.d/wgnix.conf" = { + text = '' + ${concatMapStringsSep "\n" + ( + peerName: + let + peer = peers.${peerName}; + in + "${toString peer.wireguard.port} ${peerName}" + ) + ( + attrNames ( + filterAttrs (n: v: v ? wireguard && v.wireguard ? onIFACE && v.wireguard.onIFACE != null) peers + ) + ) + } + ''; + }; + + # Open FireWall Ports + networking.firewall = lib.mkMerge [ + (optionalAttrs (portsWithoutIFACE != [ ]) ( + let + conf = mkFWConf portsWithoutIFACE; + in + if IFACE != null then { interfaces.${IFACE} = conf; } else conf + )) + + (optionalAttrs (portsWithIFACE != { }) { + interfaces = (mapAttrs (name: value: mkFWConf value) portsWithIFACE); + }) + ]; + + networking.wg-quick.interfaces = genAttrs (attrNames peers) mkWireguardConf; +} diff --git a/hosts/stonkmembers/configuration.nix b/hosts/stonkmembers/configuration.nix new file mode 100644 index 0000000..6152acc --- /dev/null +++ b/hosts/stonkmembers/configuration.nix 
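Review bot: `set - x` at the top of `postUp` is not `set -x`: in POSIX sh `set -` with arguments turns tracing off and assigns the positional parameters, so the up script runs untraced while `postDown` (which uses `set -x`) is traced; change it to `set -x`. In the same function, `hasIface` tests `v.wireguard ? onIFACE` while `mkWireguardConf` and the `rt_tables.d` generator test `onIFACE != null`, so a peer that sets `onIFACE = null;` lands in `peersWithIFACE` and `${v.wireguard.onIFACE}` then fails as an attribute name; `hasIface = (n: v: v.wireguard ? onIFACE && v.wireguard.onIFACE != null);` makes the three agree. The `rt_tables.d/wgnix.conf` entry is keyed on `peer.wireguard.port`, whereas `fwMarkString` prefers `peer.wireguard.fwMark` when set, so a peer with a custom `fwMark` gets a named table that no rule references; derive the entry from the same `genFWMarkStr` result. `allowedIPs = [ "0.0.0.0/0" "::/0" ]` together with `table = "off"` is consistent with bird doing the routing, but a one-line comment saying so would help.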
@@ -0,0 +1,50 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page, on +# https://search.nixos.org/options and in the NixOS manual (`nixos-help`). + +{ + config, + lib, + pkgs, + ... +}: + +{ + imports = [ + # Include the results of the hardware scan. + ./k3s.nix # K3s + ]; + + # Configure network proxy if necessary + # networking.proxy.default = "http://user:password@proxy:port/"; + # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; + + # Select internationalisation properties. + i18n.defaultLocale = "en_US.UTF-8"; + + # List services that you want to enable: + + # Open ports in the firewall. + # networking.firewall.allowedTCPPorts = [ ... ]; + # networking.firewall.allowedUDPPorts = [ ... ]; + # Or disable the firewall altogether. + networking.firewall.enable = false; + + # This option defines the first version of NixOS you have installed on this particular machine, + # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. + # + # Most users should NEVER change this value after the initial install, for any reason, + # even if you've upgraded your system to a new NixOS release. + # + # This value does NOT affect the Nixpkgs version your packages and OS are pulled from, + # so changing it will NOT upgrade your system. + # + # This value being lower than the current NixOS release does NOT mean your system is + # out of date, out of support, or vulnerable. + # + # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration, + # and migrated your data accordingly. + # + # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion . + system.stateVersion = "24.05"; # Did you read the comment? +} 
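Review bot: `networking.firewall.enable = false;` applies to every k3s member, so the API server (`:6443`, see `k3s.nix`), the kubelet and the flannel WireGuard backend are reachable on every interface, including the DHCP uplink that `prodesk` and `stonkstation` bring up in this commit. The template comment above it (`# Or disable the firewall altogether.`) suggests this was the quick path; if the cluster ports are meant to be reachable only over `vlan91` (the `--flannel-iface`), keep the firewall on and open them through `networking.firewall.interfaces.vlan91.allowedTCPPorts` / `allowedUDPPorts`, or at least leave a comment stating why the host firewall is off. The `# Include the results of the hardware scan.` comment above `./k3s.nix` is stale template text.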
diff --git a/hosts/stonkmembers/default.nix b/hosts/stonkmembers/default.nix new file mode 100644 index 0000000..8501b5c --- /dev/null +++ b/hosts/stonkmembers/default.nix @@ -0,0 +1,17 @@ +# { +# poubelle00 = import ./poubelle00 { }; + +# prodesk = import ./prodesk { }; +# stonkstation = import ./stonkstation { }; +# } + +args@{ lib, ... }: +let + blacklist = [ ]; + folders = builtins.attrNames ( + lib.filterAttrs (n: v: v == "directory" && !lib.hasPrefix "_" n && !builtins.elem n blacklist) ( + builtins.readDir ./. + ) + ); +in +lib.genAttrs folders (folder: (import (./. + "/${folder}") (args // { }))) diff --git a/hosts/stonkmembers/k3s.nix b/hosts/stonkmembers/k3s.nix new file mode 100644 index 0000000..11b3457 --- /dev/null +++ b/hosts/stonkmembers/k3s.nix 
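Review bot: `(args // { })` on the last line is a no-op and `blacklist = [ ]` is never populated, so the import reduces to `lib.genAttrs folders (folder: import (./. + "/${folder}") args)`; if the merge and the blacklist are placeholders for future per-host overrides, a comment saying so would stop a reader wondering what is being merged. The six commented lines at the top reproduce the old hand-written host table and can go now that the directory scan replaces them. The scan keys on `v == "directory"`, so a symlinked host directory is silently skipped; worth one word in a comment.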
@@ -0,0 +1,65 @@ +{ + config, + kubeConfig, + lib, + pkgs, + ... +}: + +let + deps = with pkgs; [ + ipset + iptables + nfs-utils + miniupnpc + ]; + + sopsFile = ../../secrets/_default.yaml; +in +{ + sops.secrets.k3s_cluster_token = { + inherit sopsFile; + }; + + sops.secrets.k3s_token = { + inherit sopsFile; + }; + + services.k3s = { + enable = true; + role = if kubeConfig.controller then "server" else "agent"; + + tokenFile = + if kubeConfig.controller then + config.sops.secrets.k3s_cluster_token.path + else + config.sops.secrets.k3s_token.path; + clusterInit = kubeConfig.master; + #serverAddr = lib.mkIf (master == false) "https://[2a13:79c0:ffff:feff:b00b:3945:a51:210]:6443"; + serverAddr = lib.mkIf (!kubeConfig.master) "https://stonkstation:6443"; + extraFlags = toString ( + [ "--flannel-iface=vlan91" ] + ++ lib.optionals (kubeConfig.controller) [ + # "--kubelet-arg=v=4" # Optionally add additional args to k3s + "--kubelet-arg=container-log-max-files=5" + "--kubelet-arg=container-log-max-size=10Mi" + "--kube-apiserver-arg enable-admission-plugins=PodNodeSelector,CertificateApproval,CertificateSigning,CertificateSubjectRestriction,DefaultIngressClass,DefaultStorageClass,DefaultTolerationSeconds,LimitRanger,MutatingAdmissionWebhook,NamespaceLifecycle,PersistentVolumeClaimResize,PodSecurity,Priority,ResourceQuota,RuntimeClass,ServiceAccount,StorageObjectInUseProtection,TaintNodesByCondition,ValidatingAdmissionPolicy,ValidatingAdmissionWebhook" + "--kube-apiserver-arg oidc-issuer-url=https://auth.home.kube.kittenconnect.net/" + "--kube-apiserver-arg oidc-client-id=KubernetesAPIClient" + "--kube-apiserver-arg oidc-username-claim=email" + "--kube-apiserver-arg oidc-groups-claim=groups" + "--cluster-cidr=10.42.0.0/16,fd42::/48" + "--service-cidr=10.43.0.0/16,fd43::/112" + "--flannel-ipv6-masq" + "--flannel-backend=wireguard-native" + "--flannel-external-ip" + + "--disable=servicelb,local-storage,traefik" + "--secrets-encryption" + ] + ); + }; + + 
environment.systemPackages = [ pkgs.k3s ] ++ deps; + systemd.services.k3s.path = deps; +} diff --git a/hosts/stonkmembers/poubelle00/configuration.nix b/hosts/stonkmembers/poubelle00/configuration.nix new file mode 100644 index 0000000..d3e173f --- /dev/null +++ b/hosts/stonkmembers/poubelle00/configuration.nix 
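Review bot: The `--kube-apiserver-arg` entries in `extraFlags` separate flag and value with a space (`"--kube-apiserver-arg enable-admission-plugins=..."`) while every other flag uses `=`; because the list goes through `toString` and is then word-split on the service command line this happens to work, but any value containing a space would break silently. Use the `--kube-apiserver-arg=…` form throughout, which is what the commented `# "--kubelet-arg=v=4"` already does. `role`, `tokenFile` and `clusterInit` branch on `kubeConfig.controller` / `kubeConfig.master`, which nothing in this file documents; a short comment such as `# controller: runs the API server; master: the node that bootstraps the cluster (clusterInit)` would make the agent/server split readable. Good to see `--secrets-encryption` and the `PodSecurity` admission plugin enabled.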
@@ -0,0 +1,73 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page, on +# https://search.nixos.org/options and in the NixOS manual (`nixos-help`). + +{ + config, + targetConfig, + lib, + pkgs, + ... +}: + +{ + # Use the GRUB 2 boot loader. + boot.loader.grub.enable = true; + # boot.loader.grub.efiSupport = true; + # boot.loader.grub.efiInstallAsRemovable = true; + # boot.loader.efi.efiSysMountPoint = "/boot/efi"; + # Define on which hard drive you want to install Grub. + boot.loader.grub.device = "${targetConfig.bootdisk}"; # or "nodev" for efi only + + # Pick only one of the below networking options. + # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. + # networking.networkmanager.enable = true; # Easiest to use and most distros use this by default. + networking = { + #vlans = { + # vlan420 = { id=420; interface="eno1"; }; + # vlan91 = { id=91; interface="eno1"; }; + #}; + interfaces = { + ens18.ipv6.addresses = [ + { + address = "2a13:79c0:ffff:feff:b00b:3945:a51:200"; + prefixLength = 112; + } + ]; + # vlan420.ipv4.addresses = [{ + # address = "10.10.4.210"; + # prefixLength = 24; + # }]; + }; + defaultGateway6 = { + address = "2a13:79c0:ffff:feff:b00b:3945:a51:10"; + interface = "ens18"; + }; + dhcpcd.enable = true; + }; + + # Set your time zone. + time.timeZone = "Europe/Paris"; + + # Configure network proxy if necessary + # networking.proxy.default = "http://user:password@proxy:port/"; + # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; + + # This option defines the first version of NixOS you have installed on this particular machine, + # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. + # + # Most users should NEVER change this value after the initial install, for any reason, + # even if you've upgraded your system to a new NixOS release. 
+ # + # This value does NOT affect the Nixpkgs version your packages and OS are pulled from, + # so changing it will NOT upgrade your system. + # + # This value being lower than the current NixOS release does NOT mean your system is + # out of date, out of support, or vulnerable. + # + # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration, + # and migrated your data accordingly. + # + # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion . + system.stateVersion = "24.05"; # Did you read the comment? +} diff --git a/hosts/stonkmembers/poubelle00/default.nix b/hosts/stonkmembers/poubelle00/default.nix new file mode 100644 index 0000000..3caea68 --- /dev/null +++ b/hosts/stonkmembers/poubelle00/default.nix @@ -0,0 +1,7 @@ +{ ... }: +{ + # need rework + bootdisk = "/dev/sda"; + interface = "ens18"; + mainSerial = "0"; +} diff --git a/hosts/stonkmembers/poubelle00/disk-config.nix b/hosts/stonkmembers/poubelle00/disk-config.nix new file mode 100644 index 0000000..7a014b7 --- /dev/null +++ b/hosts/stonkmembers/poubelle00/disk-config.nix 
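Review bot: `dhcpcd.enable = true;` (together with `networking.useDHCP = lib.mkDefault true` from this host's generated hardware file) runs DHCP on `ens18` while the same interface gets a static IPv6 address and `defaultGateway6`; if the upstream also sends router advertisements the host ends up with two IPv6 default routes, and there is no IPv4 `defaultGateway` at all, so IPv4 reachability depends entirely on the lease. The sibling hosts in this commit (`prodesk`, `stonkstation`) use `useDHCP = false` plus explicit per-interface settings; doing the same here, or documenting that poubelle00 is meant to be DHCP-first (the `# need rework` in its `default.nix` hints at that), would make the intent clear. `"${targetConfig.bootdisk}"` interpolates a plain string and can be written `targetConfig.bootdisk`.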
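Review bot: This attribute set lacks the `type = "targetConfig";` marker that `hosts/routers/vultr-kit-edge/default.nix` sets in the same commit, and `mainSerial = "0";` is a string where the router file carries `# mainSerial = 0;` as an integer, so whatever consumes `mainSerial` (not visible in this chunk) sees a different type per host. Pick one representation and make the `# need rework` comment specific, e.g. `# need rework: align with routers' targetConfig shape (type marker, integer mainSerial)`; the string form is repeated in `prodesk/default.nix` and `stonkstation/default.nix`.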
@@ -0,0 +1,63 @@ +# Example to create a bios compatible gpt partition +{ lib, ... }: +{ + disko.devices = { + disk.disk1 = { + device = lib.mkDefault "/dev/vda"; + type = "disk"; + content = { + type = "table"; + format = "msdos"; + partitions = [ + { + name = "boot"; + start = "1M"; + end = "500M"; + part-type = "primary"; + bootable = true; + content = { + type = "filesystem"; + format = "ext3"; + mountpoint = "/boot"; + }; + } + { + name = "root"; + start = "500M"; + part-type = "primary"; + end = "100%"; + content = { + type = "lvm_pv"; + vg = "SSD"; + }; + } + ]; + }; + }; + lvm_vg = { + SSD = { + type = "lvm_vg"; + lvs = { + root = { + size = "15G"; + content = { + type = "filesystem"; + format = "ext4"; + mountpoint = "/"; + mountOptions = [ "defaults" ]; + }; + }; + k3s = { + size = "100%FREE"; + content = { + type = "filesystem"; + format = "ext4"; + mountpoint = "/var/lib/rancher"; + mountOptions = [ "defaults" ]; + }; + }; + }; + }; + }; + }; +} diff --git a/hosts/stonkmembers/poubelle00/hardware-configuration.nix b/hosts/stonkmembers/poubelle00/hardware-configuration.nix new file mode 100644 index 0000000..36b4585 --- /dev/null +++ b/hosts/stonkmembers/poubelle00/hardware-configuration.nix 
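Review bot: `device = lib.mkDefault "/dev/vda";` disagrees with `poubelle00/default.nix`, which declares `bootdisk = "/dev/sda";`, and with `configuration.nix`, which installs GRUB on `targetConfig.bootdisk`; on this virtio guest `/dev/vda` is probably the device that exists, so either the disko device or `bootdisk` is wrong and GRUB would target a disk other than the one partitioned. `prodesk/disk-config.nix` in the same commit takes `targetConfig` as an argument and uses `lib.mkDefault targetConfig.bootdisk`; do the same here so the two values cannot drift. The header `# Example to create a bios compatible gpt partition` is also wrong for this file, which builds an msdos table with disko's legacy `type = "table"` form (check the pinned disko version); migrating to the `gpt` layout used by prodesk would make the members consistent.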
@@ -0,0 +1,34 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ + config, + lib, + pkgs, + modulesPath, + ... +}: + +{ + imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; + + boot.initrd.availableKernelModules = [ + "ata_piix" + "uhci_hcd" + "virtio_pci" + "sr_mod" + "virtio_blk" + ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.ens18.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} diff --git a/hosts/stonkmembers/prodesk/configuration.nix b/hosts/stonkmembers/prodesk/configuration.nix new file mode 100644 index 0000000..2109f1b --- /dev/null +++ b/hosts/stonkmembers/prodesk/configuration.nix 
@@ -0,0 +1,97 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page, on +# https://search.nixos.org/options and in the NixOS manual (`nixos-help`). + +{ + config, + targetConfig, + lib, + pkgs, + ... +}: + +{ + # Use the GRUB 2 boot loader. + #boot.loader.grub.enable = true; + # boot.loader.grub.efiSupport = true; + # boot.loader.grub.efiInstallAsRemovable = true; + boot.loader.efi.efiSysMountPoint = "/boot"; + boot.loader.grub.enable = true; + boot.loader.grub.efiSupport = true; + boot.loader.grub.efiInstallAsRemovable = true; + # Define on which hard drive you want to install Grub. + # boot.loader.grub.device = "${targetConfig.bootdisk}"; # or "nodev" for efi only + # Use the systemd-boot EFI boot loader. + + # Pick only one of the below networking options. + # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. + # networking.networkmanager.enable = true; # Easiest to use and most distros use this by default. + boot.kernel.sysctl."net.ipv6.conf.${targetConfig.interface}.disable_ipv6" = true; + networking = { + vlans = { + vlan420 = { + id = 420; + interface = "${targetConfig.interface}"; + }; + vlan91 = { + id = 91; + interface = "${targetConfig.interface}"; + }; + }; + interfaces = { + "${targetConfig.interface}".useDHCP = true; + vlan91.ipv4.addresses = [ + { + address = "100.100.91.106"; + prefixLength = 24; + } + ]; + vlan91.ipv6.addresses = [ + { + address = "2a13:79c0:ffff:feff:b00b:3945:a51:202"; + prefixLength = 112; + } + ]; + vlan420.ipv4.addresses = [ + { + address = "10.10.4.202"; + prefixLength = 24; + } + ]; + }; + defaultGateway = { + address = "100.100.91.10"; + metric = 1042; + }; + defaultGateway6 = { + address = "2a13:79c0:ffff:feff:b00b:3945:a51:10"; + }; + useDHCP = false; + #dhcpcd.enable = true; + }; + + # Set your time zone. 
+ time.timeZone = "Europe/Paris"; + + # Configure network proxy if necessary + # networking.proxy.default = "http://user:password@proxy:port/"; + # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; + + # This option defines the first version of NixOS you have installed on this particular machine, + # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. + # + # Most users should NEVER change this value after the initial install, for any reason, + # even if you've upgraded your system to a new NixOS release. + # + # This value does NOT affect the Nixpkgs version your packages and OS are pulled from, + # so changing it will NOT upgrade your system. + # + # This value being lower than the current NixOS release does NOT mean your system is + # out of date, out of support, or vulnerable. + # + # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration, + # and migrated your data accordingly. + # + # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion . + system.stateVersion = "24.05"; # Did you read the comment? +} diff --git a/hosts/stonkmembers/prodesk/default.nix b/hosts/stonkmembers/prodesk/default.nix new file mode 100644 index 0000000..b91b6f3 --- /dev/null +++ b/hosts/stonkmembers/prodesk/default.nix @@ -0,0 +1,7 @@ +{ ... }: +{ + bootdisk = "/dev/sda"; + bootloader = "grub"; + interface = "eno1"; + mainSerial = "4"; +} diff --git a/hosts/stonkmembers/prodesk/disk-config.nix b/hosts/stonkmembers/prodesk/disk-config.nix new file mode 100644 index 0000000..25c1865 --- /dev/null +++ b/hosts/stonkmembers/prodesk/disk-config.nix 
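Review bot: `defaultGateway6 = { address = ...; }` has no `metric`, whereas `defaultGateway` carries `metric = 1042` and `stonkstation/configuration.nix` in this commit sets `metric = 1042` on both; on prodesk the static v6 route therefore gets the default metric instead of being a fallback like the v4 one, which looks unintended. Add `metric = 1042;` to `defaultGateway6` (or drop it from both if the static route is meant to be primary), and note in a comment that the uplink keeps DHCP (`"${targetConfig.interface}".useDHCP = true;`) while `useDHCP = false` disables it elsewhere. The `disable_ipv6` sysctl on the physical interface does not affect the `vlan91` sub-interface, which is what the config relies on; a one-line comment saying so would stop the next reader "fixing" it. The two host files differ only in addresses and this metric; the shared part belongs in `hosts/stonkmembers/configuration.nix` with the addresses supplied by each host's `default.nix`.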
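Review bot: This file is byte-identical to `stonkstation/default.nix` (same blob `b91b6f3`), including `mainSerial = "4";`, and sets `bootloader = "grub";` although `configuration.nix` hard-codes the GRUB/EFI options itself. If the hardware really is identical, a comment saying so would stop readers from assuming a copy-paste slip; if `bootloader` is meant to drive the loader choice, `configuration.nix` should read it instead of duplicating the decision.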
@@ -0,0 +1,62 @@ +# Example to create a bios compatible gpt partition +{ lib, targetConfig, ... }: +{ + disko.devices = { + disk.disk1 = { + device = lib.mkDefault "${targetConfig.bootdisk}"; + type = "disk"; + content = { + type = "gpt"; + partitions = { + boot = { + size = "1M"; + type = "EF02"; # for grub MBR + }; + + ESP = { + size = "512M"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + }; + }; + + root = { + size = "100%"; + content = { + type = "lvm_pv"; + vg = "SSD"; + }; + }; + }; + }; + }; + lvm_vg = { + SSD = { + type = "lvm_vg"; + lvs = { + root = { + size = "15G"; + content = { + type = "filesystem"; + format = "ext4"; + mountpoint = "/"; + mountOptions = [ "defaults" ]; + }; + }; + k3s = { + size = "100%FREE"; + content = { + type = "filesystem"; + format = "ext4"; + mountpoint = "/var/lib/rancher"; + mountOptions = [ "defaults" ]; + }; + }; + }; + }; + }; + }; +} diff --git a/hosts/stonkmembers/prodesk/hardware-configuration.nix b/hosts/stonkmembers/prodesk/hardware-configuration.nix new file mode 100644 index 0000000..b52df0e --- /dev/null +++ b/hosts/stonkmembers/prodesk/hardware-configuration.nix 
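Review bot: The 1M `EF02` partition (`# for grub MBR`) only matters if GRUB is also installed to the disk's MBR, but `prodesk/configuration.nix` comments out `boot.loader.grub.device` and enables `efiSupport` / `efiInstallAsRemovable`, so on this host only the EFI install happens unless a device is set elsewhere (possibly `_system/grub-boot.nix`, not in this chunk). Either set `boot.loader.grub.device = targetConfig.bootdisk;` alongside `efiSupport = true` for a real hybrid layout, or say in the partition comment that the BIOS slot is reserved for future use. `lib.mkDefault "${targetConfig.bootdisk}"` can be `lib.mkDefault targetConfig.bootdisk`; if `stonkstation/disk-config.nix` repeats this layout, it is a candidate for a shared template under `_diskos/`.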
@@ -0,0 +1,34 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ + config, + lib, + pkgs, + modulesPath, + ... +}: + +{ + imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; + + boot.initrd.availableKernelModules = [ + "xhci_pci" + "ahci" + "usbhid" + "sd_mod" + ]; + boot.initrd.kernelModules = [ "dm-snapshot" ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + # networking.useDHCP = lib.mkDefault true; + # networking.interfaces.eno1.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/hosts/stonkmembers/stonkstation/configuration.nix b/hosts/stonkmembers/stonkstation/configuration.nix new file mode 100644 index 0000000..305268c --- /dev/null +++ b/hosts/stonkmembers/stonkstation/configuration.nix 
@@ -0,0 +1,95 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page, on
+# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
+
+{
+ config,
+ targetConfig,
+ lib,
+ pkgs,
+ ...
+}:
+
+{
+ # Use the GRUB 2 boot loader.
+ boot.loader.grub.enable = true;
+ # boot.loader.grub.efiSupport = true;
+ # boot.loader.grub.efiInstallAsRemovable = true;
+ # boot.loader.efi.efiSysMountPoint = "/boot/efi";
+ # Define on which hard drive you want to install Grub.
+ boot.loader.grub.device = "${targetConfig.bootdisk}"; # or "nodev" for efi only
+
+ # Pick only one of the below networking options.
+ # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
+ # networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
+ boot.kernel.sysctl."net.ipv6.conf.${targetConfig.interface}.disable_ipv6" = true;
+ networking = {
+ #nameservers = [ "1.3.3.7" ];
+ vlans = {
+ vlan420 = {
+ id = 420;
+ interface = "${targetConfig.interface}";
+ };
+ vlan91 = {
+ id = 91;
+ interface = "${targetConfig.interface}";
+ };
+ };
+ interfaces = {
+ "${targetConfig.interface}".useDHCP = true;
+ vlan91.ipv4.addresses = [
+ {
+ address = "100.100.91.104";
+ prefixLength = 24;
+ }
+ ];
+ vlan91.ipv6.addresses = [
+ {
+ address = "2a13:79c0:ffff:feff:b00b:3945:a51:210";
+ prefixLength = 112;
+ }
+ ];
+ vlan420.ipv4.addresses = [
+ {
+ address = "10.10.4.210";
+ prefixLength = 24;
+ }
+ ];
+ };
+ defaultGateway = {
+ address = "100.100.91.10";
+ metric = 1042;
+ };
+ defaultGateway6 = {
+ address = "2a13:79c0:ffff:feff:b00b:3945:a51:10";
+ metric = 1042;
+ };
+ useDHCP = false;
+ #dhcpcd.enable = false;
+ };
+
+ # Set your time zone.
+ time.timeZone = "Europe/Paris";
+
+ # Configure network proxy if necessary
+ # networking.proxy.default = "http://user:password@proxy:port/";
+ # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
+
+ # This option defines the first version of NixOS you have installed on this particular machine,
+ # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
+ #
+ # Most users should NEVER change this value after the initial install, for any reason,
+ # even if you've upgraded your system to a new NixOS release.
+ #
+ # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
+ # so changing it will NOT upgrade your system.
+ #
+ # This value being lower than the current NixOS release does NOT mean your system is
+ # out of date, out of support, or vulnerable.
+ #
+ # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
+ # and migrated your data accordingly.
+ #
+ # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
+ system.stateVersion = "24.05"; # Did you read the comment?
+}
diff --git a/hosts/stonkmembers/stonkstation/default.nix b/hosts/stonkmembers/stonkstation/default.nix
new file mode 100644
index 0000000..b91b6f3
--- /dev/null
+++ b/hosts/stonkmembers/stonkstation/default.nix
@@ -0,0 +1,7 @@
+{ ... }:
+{
+ bootdisk = "/dev/sda";
+ bootloader = "grub";
+ interface = "eno1";
+ mainSerial = "4";
+}
diff --git a/hosts/stonkmembers/stonkstation/disk-config.nix b/hosts/stonkmembers/stonkstation/disk-config.nix
new file mode 100644
index 0000000..f4f31d9
--- /dev/null
+++ b/hosts/stonkmembers/stonkstation/disk-config.nix
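Review bot: The untagged interface keeps `useDHCP = true` while static default gateways (metric 1042) are declared on vlan91 without an `interface`; if the DHCP lease on the untagged port also carries a router option, two default routes compete and which one wins is decided by dhcpcd's route metric rather than by this file. Setting `defaultGateway.interface = "vlan91";` (and the same on `defaultGateway6`) pins the intent, and a comment stating what the untagged port is for (management only, presumably) would help the next reader. Minor style: `interface = "${targetConfig.interface}";` is the same value as `interface = targetConfig.interface;`, so the interpolation can go.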
@@ -0,0 +1,63 @@
+# Example to create a bios compatible gpt partition
+{ lib, bootdisk, ... }:
+{
+ disko.devices = {
+ disk.disk1 = {
+ device = lib.mkDefault "${bootdisk}";
+ type = "disk";
+ content = {
+ type = "table";
+ format = "msdos";
+ partitions = [
+ {
+ name = "boot";
+ start = "1M";
+ end = "500M";
+ part-type = "primary";
+ bootable = true;
+ content = {
+ type = "filesystem";
+ format = "ext3";
+ mountpoint = "/boot";
+ };
+ }
+ {
+ name = "root";
+ start = "500M";
+ part-type = "primary";
+ end = "100%";
+ content = {
+ type = "lvm_pv";
+ vg = "SSD";
+ };
+ }
+ ];
+ };
+ };
+ lvm_vg = {
+ SSD = {
+ type = "lvm_vg";
+ lvs = {
+ root = {
+ size = "15G";
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/";
+ mountOptions = [ "defaults" ];
+ };
+ };
+ k3s = {
+ size = "20G";
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/var/lib/rancher";
+ mountOptions = [ "defaults" ];
+ };
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/hosts/stonkmembers/stonkstation/hardware-configuration.nix b/hosts/stonkmembers/stonkstation/hardware-configuration.nix
new file mode 100644
index 0000000..ef291f6
--- /dev/null
+++ b/hosts/stonkmembers/stonkstation/hardware-configuration.nix
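Review bot: This layout uses disko's older `type = "table"; format = "msdos"` partition description while the prodesk disk-config in the same commit uses the `type = "gpt"` form; unless this disk genuinely needs an MBR table, converting it keeps both hosts on one schema and avoids depending on the legacy API. The header comment says "bios compatible gpt partition" but the table declared here is msdos, so the comment is wrong either way; `# stonkstation: MBR table, ext3 /boot, LVM VG "SSD" for / and /var/lib/rancher` would be accurate. The argument set `{ lib, bootdisk, ... }` also differs from prodesk's `{ lib, targetConfig, ... }`; whichever convention the flake passes, the other file cannot evaluate.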
@@ -0,0 +1,34 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ + config, + lib, + pkgs, + modulesPath, + ... +}: + +{ + imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; + + boot.initrd.availableKernelModules = [ + "xhci_pci" + "ehci_pci" + "ahci" + "sd_mod" + ]; + boot.initrd.kernelModules = [ "dm-snapshot" ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.eno1.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/modules/nixos/modules/services/ttys/kmscon.nix b/modules/nixos/modules/services/ttys/kmscon.nix new file mode 100644 index 0000000..422d9a7 --- /dev/null +++ b/modules/nixos/modules/services/ttys/kmscon.nix 
@@ -0,0 +1,151 @@ +{ + config, + pkgs, + lib, + ... +}: +let + inherit (lib) + mapAttrs + mkIf + mkOption + optional + optionals + types + ; + + cfg = config.services.kmscon; + + autologinArg = lib.optionalString (cfg.autologinUser != null) "-a ${cfg.autologinUser}"; + + configDir = pkgs.writeTextFile { + name = "kmscon-config"; + destination = "/kmscon.conf"; + text = cfg.extraConfig; + }; +in +{ + options = { + services.kmscon = { + enable = mkOption { + description = '' + Use kmscon as the virtual console instead of gettys. + kmscon is a kms/dri-based userspace virtual terminal implementation. + It supports a richer feature set than the standard linux console VT, + including full unicode support, and when the video card supports drm + should be much faster. + ''; + type = types.bool; + default = false; + }; + + hwRender = mkOption { + description = "Whether to use 3D hardware acceleration to render the console."; + type = types.bool; + default = false; + }; + + fonts = mkOption { + description = "Fonts used by kmscon, in order of priority."; + default = null; + example = lib.literalExpression ''[ { name = "Source Code Pro"; package = pkgs.source-code-pro; } ]''; + type = + with types; + let + fontType = submodule { + options = { + name = mkOption { + type = str; + description = "Font name, as used by fontconfig."; + }; + package = mkOption { + type = package; + description = "Package providing the font."; + }; + }; + }; + in + nullOr (nonEmptyListOf fontType); + }; + + extraConfig = mkOption { + description = "Extra contents of the kmscon.conf file."; + type = types.lines; + default = ""; + example = "font-size=14"; + }; + + extraOptions = mkOption { + description = "Extra flags to pass to kmscon."; + type = types.separatedString " "; + default = ""; + example = "--term xterm-256color"; + }; + + autologinUser = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + Username of the account that will be automatically logged in at the 
console. + If unspecified, a login prompt is shown as usual. + ''; + }; + }; + }; + + config = mkIf cfg.enable { + # Largely copied from unit provided with kmscon source + systemd.units."kmsconvt@.service".text = '' + [Unit] + Description=KMS System Console on %I + Documentation=man:kmscon(1) + After=systemd-user-sessions.service + After=plymouth-quit-wait.service + After=systemd-logind.service + After=systemd-vconsole-setup.service + Requires=systemd-logind.service + Before=getty.target + Conflicts=getty@%i.service + OnFailure=getty@%i.service + IgnoreOnIsolate=yes + ConditionPathExists=/dev/tty0 + + [Service] + ExecStart= + ExecStart=${pkgs.kmscon}/bin/kmscon "--vt=%I" ${cfg.extraOptions} --seats=seat0 --no-switchvt --configdir ${configDir} --login -- ${pkgs.util-linux}/sbin/agetty --login-program ${pkgs.shadow}/bin/login ${autologinArg} -o '-p -- \\u' - xterm-256color + + UtmpIdentifier=%I + TTYPath=/dev/%I + TTYReset=yes + TTYVHangup=yes + TTYVTDisallocate=yes + + X-RestartIfChanged=false + ''; + + systemd.suppressedSystemUnits = [ "autovt@.service" ]; + systemd.units."kmsconvt@.service".aliases = [ "autovt@.service" ]; + + systemd.services.systemd-vconsole-setup.enable = false; + systemd.services.reload-systemd-vconsole-setup.enable = false; + + services.kmscon.extraConfig = + let + render = optionals cfg.hwRender [ + "drm" + "hwaccel" + ]; + fonts = + optional (cfg.fonts != null) + "font-name=${lib.concatMapStringsSep ", " (f: f.name) cfg.fonts}"; + in + lib.concatStringsSep "\n" (render ++ fonts); + + hardware.opengl.enable = mkIf cfg.hwRender true; + + fonts = mkIf (cfg.fonts != null) { + fontconfig.enable = true; + packages = map (f: f.package) cfg.fonts; + }; + }; +} diff --git a/modules/proxmox-backup-client.nix b/modules/proxmox-backup-client.nix new file mode 100644 index 0000000..3d4388f --- /dev/null +++ b/modules/proxmox-backup-client.nix 
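Review bot: This file looks like a verbatim copy of the nixpkgs `services.kmscon` module but carries no note of where it came from, at which revision, or why it is vendored, so upstream fixes to the unit (the `ExecStart` line passes `${cfg.extraOptions}` and `${autologinArg}` into the agetty command line unquoted, for example) will not be picked up. Add a header such as `# Vendored from nixpkgs nixos/modules/services/ttys/kmscon.nix at <upstream revision placeholder>; local changes: <list or "none">` and keep the diff against upstream minimal. Because it declares the same `services.kmscon` option path as nixpkgs, it can presumably only be imported together with a `disabledModules` entry for the upstream file; that coupling is worth a comment here as well.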
@@ -0,0 +1,434 @@ +{ + config, + lib, + pkgs, + utils, + ... +}: + +with lib; + +let + # Type for a valid systemd unit option. Needed for correctly passing "timerConfig" to "systemd.timers" + inherit (utils.systemdUtils.unitOptions) unitOption; +in +{ + options.services.proxmox-backup-client.backups = mkOption { + description = '' + Periodic backups to create with Proxmox Backup Client. + ''; + type = types.attrsOf ( + types.submodule ( + { name, ... }: + { + options = { + passwordFile = mkOption { + type = types.str; + description = '' + Read the repository password from a file. + ''; + example = "/etc/nixos/proxmox-backup-client-password"; + }; + + environmentFile = mkOption { + type = with types; nullOr str; + default = null; + description = '' + file containing the credentials to access the repository, in the + format of an EnvironmentFile as described by systemd.exec(5) + ''; + }; + + rcloneOptions = mkOption { + type = + with types; + nullOr ( + attrsOf (oneOf [ + str + bool + ]) + ); + default = null; + description = '' + Options to pass to rclone to control its behavior. + See for + available options. When specifying option names, strip the + leading `--`. To set a flag such as + `--drive-use-trash`, which does not take a value, + set the value to the Boolean `true`. + ''; + example = { + bwlimit = "10M"; + drive-use-trash = "true"; + }; + }; + + rcloneConfig = mkOption { + type = + with types; + nullOr ( + attrsOf (oneOf [ + str + bool + ]) + ); + default = null; + description = '' + Configuration for the rclone remote being used for backup. + See the remote's specific options under rclone's docs at + . When specifying + option names, use the "config" name specified in the docs. + For example, to set `--b2-hard-delete` for a B2 + remote, use `hard_delete = true` in the + attribute set. + Warning: Secrets set in here will be world-readable in the Nix + store! Consider using the `rcloneConfigFile` + option instead to specify secret values separately. 
Note that + options set here will override those set in the config file. + ''; + example = { + type = "b2"; + account = "xxx"; + key = "xxx"; + hard_delete = true; + }; + }; + + rcloneConfigFile = mkOption { + type = with types; nullOr path; + default = null; + description = '' + Path to the file containing rclone configuration. This file + must contain configuration for the remote specified in this backup + set and also must be readable by root. Options set in + `rcloneConfig` will override those set in this + file. + ''; + }; + + repository = mkOption { + type = with types; nullOr str; + default = null; + description = '' + repository to backup to. + ''; + example = "sftp:backup@192.168.1.100:/backups/${name}"; + }; + + repositoryFile = mkOption { + type = with types; nullOr path; + default = null; + description = '' + Path to the file containing the repository location to backup to. + ''; + }; + + paths = mkOption { + # This is nullable for legacy reasons only. We should consider making it a pure listOf + # after some time has passed since this comment was added. + type = types.nullOr (types.listOf types.str); + default = [ ]; + description = '' + Which paths to backup, in addition to ones specified via + `dynamicFilesFrom`. If null or an empty array and + `dynamicFilesFrom` is also null, no backup command will be run. + This can be used to create a prune-only job. + ''; + example = [ + "/var/lib/postgresql" + "/home/user/backup" + ]; + }; + + exclude = mkOption { + type = types.listOf types.str; + default = [ ]; + description = '' + Patterns to exclude when backing up. See + https://proxmox-backup-client.readthedocs.io/en/latest/040_backup.html#excluding-files for + details on syntax. + ''; + example = [ + "/var/cache" + "/home/*/.cache" + ".git" + ]; + }; + + timerConfig = mkOption { + type = types.nullOr (types.attrsOf unitOption); + default = { + OnCalendar = "daily"; + Persistent = true; + }; + description = '' + When to run the backup. 
See {manpage}`systemd.timer(5)` for + details. If null no timer is created and the backup will only + run when explicitly started. + ''; + example = { + OnCalendar = "00:05"; + RandomizedDelaySec = "5h"; + Persistent = true; + }; + }; + + user = mkOption { + type = types.str; + default = "root"; + description = '' + As which user the backup should run. + ''; + example = "postgresql"; + }; + + extraBackupArgs = mkOption { + type = types.listOf types.str; + default = [ ]; + description = '' + Extra arguments passed to proxmox-backup-client backup. + ''; + example = [ "--exclude-file=/etc/nixos/proxmox-backup-client-ignore" ]; + }; + + extraOptions = mkOption { + type = types.listOf types.str; + default = [ ]; + description = '' + Extra extended options to be passed to the proxmox-backup-client --option flag. + ''; + example = [ "sftp.command='ssh backup@192.168.1.100 -i /home/user/.ssh/id_rsa -s sftp'" ]; + }; + + initialize = mkOption { + type = types.bool; + default = false; + description = '' + Create the repository if it doesn't exist. + ''; + }; + + pruneOpts = mkOption { + type = types.listOf types.str; + default = [ ]; + description = '' + A list of options (--keep-\* et al.) for 'proxmox-backup-client forget + --prune', to automatically prune old snapshots. The + 'forget' command is run *after* the 'backup' command, so + keep that in mind when constructing the --keep-\* options. 
+ ''; + example = [ + "--keep-daily 7" + "--keep-weekly 5" + "--keep-monthly 12" + "--keep-yearly 75" + ]; + }; + + runCheck = mkOption { + type = types.bool; + default = (builtins.length config.services.proxmox-backup-client.backups.${name}.checkOpts > 0); + defaultText = literalExpression ''builtins.length config.services.backups.${name}.checkOpts > 0''; + description = "Whether to run the `check` command with the provided `checkOpts` options."; + example = true; + }; + + checkOpts = mkOption { + type = types.listOf types.str; + default = [ ]; + description = '' + A list of options for 'proxmox-backup-client check'. + ''; + example = [ "--with-cache" ]; + }; + + dynamicFilesFrom = mkOption { + type = with types; nullOr str; + default = null; + description = '' + A script that produces a list of files to back up. The + results of this command are given to the '--files-from' + option. The result is merged with paths specified via `paths`. + ''; + example = "find /home/matt/git -type d -name .git"; + }; + + backupPrepareCommand = mkOption { + type = with types; nullOr str; + default = null; + description = '' + A script that must run before starting the backup process. + ''; + }; + + backupCleanupCommand = mkOption { + type = with types; nullOr str; + default = null; + description = '' + A script that must run after finishing the backup process. + ''; + }; + + package = mkPackageOption pkgs "proxmox-backup-client" { }; + + createWrapper = lib.mkOption { + type = lib.types.bool; + default = true; + description = '' + Whether to generate and add a script to the system path, that has the same environment variables set + as the systemd service. This can be used to e.g. mount snapshots or perform other opterations, without + having to manually specify most options. 
+ ''; + }; + }; + } + ) + ); + default = { }; + example = { + remotebackup = { + paths = [ "/home" ]; + repository = "sftp:backup@host:/backups/home"; + passwordFile = "/etc/nixos/secrets/proxmox-backup-client-password"; + extraOptions = [ + "sftp.command='ssh backup@host -i /etc/nixos/secrets/backup-private-key -s sftp'" + ]; + timerConfig = { + OnCalendar = "00:05"; + RandomizedDelaySec = "5h"; + }; + }; + }; + }; + + config = { + assertions = mapAttrsToList (n: v: { + assertion = (v.repository == null) != (v.repositoryFile == null); + message = "services.proxmox-backup-client.backups.${n}: exactly one of repository or repositoryFile should be set"; + }) config.services.proxmox-backup-client.backups; + systemd.services = mapAttrs' ( + name: backup: + let + extraOptions = concatMapStrings (arg: " -o ${arg}") backup.extraOptions; + pbcCmd = "${backup.package}/bin/proxmox-backup-client${extraOptions}"; + excludeFlags = optional ( + backup.exclude != [ ] + ) "--exclude-file=${pkgs.writeText "exclude-patterns" (concatStringsSep "\n" backup.exclude)}"; + filesFromTmpFile = "/run/proxmox-backup-client-backups-${name}/includes"; + doBackup = (backup.dynamicFilesFrom != null) || (backup.paths != null && backup.paths != [ ]); + pruneCmd = optionals (builtins.length backup.pruneOpts > 0) [ + (pbcCmd + " forget --prune " + (concatStringsSep " " backup.pruneOpts)) + ]; + checkCmd = optionals backup.runCheck [ + (pbcCmd + " check " + (concatStringsSep " " backup.checkOpts)) + ]; + # Helper functions for rclone remotes + rcloneRemoteName = builtins.elemAt (splitString ":" backup.repository) 1; + rcloneAttrToOpt = v: "RCLONE_" + toUpper (builtins.replaceStrings [ "-" ] [ "_" ] v); + rcloneAttrToConf = v: "RCLONE_CONFIG_" + toUpper (rcloneRemoteName + "_" + v); + toRcloneVal = v: if lib.isBool v then lib.boolToString v else v; + in + nameValuePair "proxmox-backup-client-backups-${name}" ( + { + environment = + { + # not %C, because that wouldn't work in the wrapper script + 
RESTIC_CACHE_DIR = "/var/cache/proxmox-backup-client-backups-${name}"; + RESTIC_PASSWORD_FILE = backup.passwordFile; + RESTIC_REPOSITORY = backup.repository; + RESTIC_REPOSITORY_FILE = backup.repositoryFile; + } + // optionalAttrs (backup.rcloneOptions != null) ( + mapAttrs' ( + name: value: nameValuePair (rcloneAttrToOpt name) (toRcloneVal value) + ) backup.rcloneOptions + ) + // optionalAttrs (backup.rcloneConfigFile != null) { RCLONE_CONFIG = backup.rcloneConfigFile; } + // optionalAttrs (backup.rcloneConfig != null) ( + mapAttrs' ( + name: value: nameValuePair (rcloneAttrToConf name) (toRcloneVal value) + ) backup.rcloneConfig + ); + path = [ config.programs.ssh.package ]; + restartIfChanged = false; + wants = [ "network-online.target" ]; + after = [ "network-online.target" ]; + serviceConfig = { + Type = "oneshot"; + ExecStart = + (optionals doBackup [ + "${pbcCmd} backup ${ + concatStringsSep " " (backup.extraBackupArgs ++ excludeFlags) + } --files-from=${filesFromTmpFile}" + ]) + ++ pruneCmd + ++ checkCmd; + User = backup.user; + RuntimeDirectory = "proxmox-backup-client-backups-${name}"; + CacheDirectory = "proxmox-backup-client-backups-${name}"; + CacheDirectoryMode = "0700"; + PrivateTmp = true; + } // optionalAttrs (backup.environmentFile != null) { EnvironmentFile = backup.environmentFile; }; + } + // optionalAttrs (backup.initialize || doBackup || backup.backupPrepareCommand != null) { + preStart = '' + ${optionalString (backup.backupPrepareCommand != null) '' + ${pkgs.writeScript "backupPrepareCommand" backup.backupPrepareCommand} + ''} + ${optionalString (backup.initialize) '' + ${pbcCmd} snapshots || ${pbcCmd} init + ''} + ${optionalString (backup.paths != null && backup.paths != [ ]) '' + cat ${pkgs.writeText "staticPaths" (concatStringsSep "\n" backup.paths)} >> ${filesFromTmpFile} + ''} + ${optionalString (backup.dynamicFilesFrom != null) '' + ${pkgs.writeScript "dynamicFilesFromScript" backup.dynamicFilesFrom} >> ${filesFromTmpFile} + ''} + ''; 
+ } + // optionalAttrs (doBackup || backup.backupCleanupCommand != null) { + postStop = '' + ${optionalString (backup.backupCleanupCommand != null) '' + ${pkgs.writeScript "backupCleanupCommand" backup.backupCleanupCommand} + ''} + ${optionalString doBackup '' + rm ${filesFromTmpFile} + ''} + ''; + } + ) + ) config.services.proxmox-backup-client.backups; + systemd.timers = + mapAttrs' + ( + name: backup: + nameValuePair "proxmox-backup-client-backups-${name}" { + wantedBy = [ "timers.target" ]; + timerConfig = backup.timerConfig; + } + ) + (filterAttrs (_: backup: backup.timerConfig != null) config.services.proxmox-backup-client.backups); + + # generate wrapper scripts, as described in the createWrapper option + environment.systemPackages = lib.mapAttrsToList ( + name: backup: + let + extraOptions = lib.concatMapStrings (arg: " -o ${arg}") backup.extraOptions; + pbcCmd = "${backup.package}/bin/proxmox-backup-client${extraOptions}"; + in + pkgs.writeShellScriptBin "proxmox-backup-client-${name}" '' + set -a # automatically export variables + ${lib.optionalString (backup.environmentFile != null) "source ${backup.environmentFile}"} + # set same environment variables as the systemd service + ${lib.pipe config.systemd.services."proxmox-backup-client-backups-${name}".environment [ + (lib.filterAttrs (n: v: v != null && n != "PATH")) + (lib.mapAttrsToList (n: v: "${n}=${v}")) + (lib.concatStringsSep "\n") + ]} + PATH=${config.systemd.services."proxmox-backup-client-backups-${name}".environment.PATH}:$PATH + + exec ${pbcCmd} $@ + '' + ) (lib.filterAttrs (_: v: v.createWrapper) config.services.proxmox-backup-client.backups); + }; +} diff --git a/targets.nix b/targets.nix new file mode 100644 index 0000000..9006ca3 --- /dev/null +++ b/targets.nix 
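Review bot: This module still drives restic's interface, not proxmox-backup-client's: the service environment sets `RESTIC_CACHE_DIR`, `RESTIC_PASSWORD_FILE`, `RESTIC_REPOSITORY` and `RESTIC_REPOSITORY_FILE`, and `ExecStart`/`preStart` invoke `backup --files-from=`, `forget --prune`, `check`, `snapshots` and `init`, none of which proxmox-backup-client understands — it reads `PBS_REPOSITORY` and `PBS_PASSWORD` (or the `_FILE`/`_FD` variants) and takes archive specs such as `root.pxar:/` on its `backup` subcommand. As written the timer will fail at every run, and the whole rclone option/environment block is dead weight for a PBS target. The `runCheck` `defaultText` still reads `config.services.backups.${name}.checkOpts` (the option lives under `services.proxmox-backup-client.backups`), and the wrapper's `exec ${pbcCmd} $@` should be `exec ${pbcCmd} "$@"` so arguments containing spaces survive. Given the size of the rework I would either put `# WIP: options and commands are still restic's; not functional against PBS yet` at the top or cut the module down to the options that map onto proxmox-backup-client.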
@@ -0,0 +1,24 @@
+{ ... }:
+{
+ # TODO: review this part :
+ # - Move in another file
+ # - Make it support multiple machine profiles [WIP]
+ # stonkstation = {
+ # bootdisk = "/dev/sda";
+ # bootloader = "grub";
+ # interface = "eno1";
+ # mainSerial = "4";
+ # };
+ # prodesk = {
+ # bootdisk = "/dev/sda";
+ # bootloader = "grub";
+ # interface = "eno1";
+ # mainSerial = "4";
+ # };
+ # poubelle00 = {
+ # # need rework
+ # bootdisk = "/dev/sda";
+ # interface = "ens18";
+ # mainSerial = "0";
+ # };
+}
From 5660961b7a554d96db44fc2d6d6e1dbacff7447b Mon Sep 17 00:00:00 2001
From: root Date: Sun, 30 Jun 2024 15:09:11 +0200 Subject: [PATCH 02/74] Xx D4RkModz xX --- flake.nix | 40 ++- .../aure-home-kitrtr/configuration.nix | 7 + .../homerouters/aure-home-kitrtr/default.nix | 14 + hosts/homerouters/bird.nix | 41 ++- hosts/homerouters/bird_peers.nix | 2 +- hosts/homerouters/configuration.nix | 7 + hosts/homerouters/firewall.nix | 36 +- .../romain-home-kitrtr/configuration.nix | 110 ++++++ .../romain-home-kitrtr/default.nix | 30 ++ .../hardware-configuration.nix | 34 ++ .../romain-home-kitrtr/peers/KIT-IG1-RTR.nix | 30 ++ .../romain-home-kitrtr/peers/default.nix | 20 ++ hosts/homerouters/wireguard.nix | 2 +- .../routers/iguane-kit-rtr/configuration.nix | 18 + hosts/routers/iguane-kit-rtr/default.nix | 3 +- .../peers/KIT-roumainNix-NTE.nix | 32 ++ .../routers/iguane-kit-rtr/peers/default.nix | 1 + modules/kitten/connect/bird.nix | 313 ++++++++++++++++++ modules/kitten/connect/bird_peers.nix | 199 +++++++++++ modules/kitten/connect/loopback0.nix | 93 ++++++ targets.nix | 24 -- 21 files changed, 996 insertions(+), 60 deletions(-) create mode 100644 hosts/homerouters/romain-home-kitrtr/configuration.nix create mode 100644 hosts/homerouters/romain-home-kitrtr/default.nix create mode 100644 hosts/homerouters/romain-home-kitrtr/hardware-configuration.nix create mode 100644 hosts/homerouters/romain-home-kitrtr/peers/KIT-IG1-RTR.nix create mode 100644 hosts/homerouters/romain-home-kitrtr/peers/default.nix create mode 100644 hosts/routers/iguane-kit-rtr/peers/KIT-roumainNix-NTE.nix create mode 100644 modules/kitten/connect/bird.nix create mode 100644 modules/kitten/connect/bird_peers.nix create mode 100644 modules/kitten/connect/loopback0.nix delete mode 100644 targets.nix diff --git a/flake.nix b/flake.nix index a34c630..ca1633b 100644 --- a/flake.nix +++ b/flake.nix @@ -95,6 +95,7 @@ getBin concatMapStringsSep optionals + hasSuffix nixosSystem ; 
@@ -252,7 +253,8 @@ let disableModules = [ ]; - localModules = [ "nixos/modules/services/ttys/kmscon.nix" ]; + customModules = [ "kitten/connect/loopback0" ]; + localModules = [ "nixos/modules/services/ttys/kmscon" ]; masterModules = [ # "nixos/modules/programs/kubeswitch.nix" @@ -261,7 +263,15 @@ unstableModules = [ ]; # stableModules = [ ]; - getModule = input: (x: "${input}/${x}"); + getModule = + input: + ( + x: + let + mod = if (hasSuffix ".nix" x) then x else "${x}.nix"; + in + "${input}/${mod}" + ); in { disabledModules = map (getModule args.nixpkgs) ( @@ -270,7 +280,7 @@ ); imports = - (map (getModule ./modules) localModules) + (map (getModule ./modules) (localModules ++ customModules)) ++ (map (getModule args.nixpkgs-master) masterModules) ++ (map (getModule args.nixpkgs-unstable) unstableModules) # ++ (map (getModule args.nixpkgs-stable) stableModules) @@ -290,7 +300,7 @@ configs = hosts.${profile}; in (mapAttrs (name: value: { inherit profile; } // value) configs) // acc - ) (import ./targets.nix { }) (attrNames hosts); + ) { } (attrNames hosts); # TODO: Move this masterNodes = [ "stonkstation" ]; @@ -301,6 +311,28 @@ # homeConfigurations = { # "toinux" = home-config.lib.mkHomeConfiguration userName homeDir [ ./_home/configuration.nix ]; # }; + # colmena = { + # meta = { + # nixpkgs = import nixpkgs { + # system = "x86_64-linux"; + # }; + # }; + + # # Also see the non-Flakes hive.nix example above. + # host-a = { name, nodes, pkgs, ... }: { + # boot.isContainer = true; + # time.timeZone = nodes.host-b.config.time.timeZone; + # }; + # host-b = { + # deployment = { + # targetHost = "somehost.tld"; + # targetPort = 1234; + # targetUser = "luser"; + # }; + # boot.isContainer = true; + # time.timeZone = "America/Los_Angeles"; + # }; + # }; nixosConfigurations = ( genAttrs (attrNames targetConfigs) ( diff --git a/hosts/homerouters/aure-home-kitrtr/configuration.nix b/hosts/homerouters/aure-home-kitrtr/configuration.nix index 7e3fb17..8e84f6f 100644 
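Review bot: `getModule` now appends `.nix` to any name that lacks the suffix, so an entry such as `"kitten/connect/loopback0"` can only resolve to `loopback0.nix` and never to a `loopback0/default.nix` directory module; if that restriction is intended, say so at the binding, e.g. `# module names are file paths relative to the input; ".nix" is appended when omitted, directory modules are not supported`. The same hunk drops the error you would otherwise get from a path typo only as far as Nix's own "file not found", which is fine, but the `customModules` list in the -252 hunk is the only caller and a reader has to find this `let` to learn the convention. The enclosing `let` block starts outside the hunk.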
--- a/hosts/homerouters/aure-home-kitrtr/configuration.nix +++ b/hosts/homerouters/aure-home-kitrtr/configuration.nix @@ -26,6 +26,13 @@ in # Define on which hard drive you want to install Grub. #boot.loader.grub.devices = [ "${targetConfig.bootdisk}" ]; # or "nodev" for efi only + customModules = { + loopback0 = { + enable = true; + ipv6 = [ "2a13:79c0:ffff:fefe::22f0" ]; + }; + }; + # Pick only one of the below networking options. # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. # networking.networkmanager.enable = true; # Easiest to use and most distros use this by default. diff --git a/hosts/homerouters/aure-home-kitrtr/default.nix b/hosts/homerouters/aure-home-kitrtr/default.nix index e9b588e..a23b737 100644 --- a/hosts/homerouters/aure-home-kitrtr/default.nix +++ b/hosts/homerouters/aure-home-kitrtr/default.nix @@ -16,6 +16,20 @@ # loopback4 = ""; loopback6 = "2a13:79c0:ffff:fefe::22f0"; + # transitIFACEs = [ "ens19" ]; + + extraForwardRules = '' + iifname "ens19" ip6 saddr 2a13:79c0:ffff:feff:b00b:caca:b173:0/112 oifname "KIT_IG1_RTR" counter accept + + ct state vmap { + established : accept, + related : accept, + # invalid : jump forward-allow, + # new : jump forward-allow, + # untracked : jump forward-allow, + } + ''; + static6 = [ "::/0 recursive 2a13:79c0:ffff:fefe::b00b" diff --git a/hosts/homerouters/bird.nix b/hosts/homerouters/bird.nix index 5e8eef8..59a2898 100644 --- a/hosts/homerouters/bird.nix +++ b/hosts/homerouters/bird.nix @@ -25,7 +25,10 @@ let if targetConfig ? birdConfig then targetConfig.birdConfig else - import (./. + "/${target}/birdconfig.nix") { inherit targetConfig; }; + let + p = (./. + "/${target}/birdconfig.nix"); + in + if builtins.pathExists p then (import p { inherit targetConfig; }) else { }; in if cfg ? peers then cfg @@ -53,7 +56,7 @@ in imports = [ ./bird_peers.nix # ./bird_statics.nix - ]; + ]; config = { 
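Review bot: The `extraForwardRules` string for this host drops a `ct state vmap { ... }` with three entries commented out inside the map, which leaves a trailing comma before `}`; nft accepts `#` comments inside the block, but please run the generated ruleset through `nft -c -f` once to confirm the trailing comma parses, or move the commented entries out of the map. Where these rules land relative to the shared transit rules is decided in hosts/homerouters/firewall.nix, not here, so a one-line `# appended after the shared forward rules by firewall.nix` next to the binding keeps that visible. The `iifname "ens19" ip6 saddr 2a13:79c0:ffff:feff:b00b:caca:b173:0/112 oifname "KIT_IG1_RTR" counter accept` rule is bounded on both interface and prefix, which reads as intended.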
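Review bot: The new `else { }` fallback when `<target>/birdconfig.nix` is missing turns a typo in a host directory name, or a forgotten file, into a router that silently runs with no peers, where the previous `import` failed evaluation loudly. Keep the fallback if some hosts legitimately have no file, but make the empty case visible: `if builtins.pathExists p then (import p { inherit targetConfig; }) else lib.warn "bird: no birdconfig.nix for ${target}, using empty config" { };`. The surrounding `let` in bird.nix starts before this hunk.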
@@ -71,18 +74,28 @@ in ]; networking.interfaces.lo = { - ipv4.addresses = lib.mkIf (lo4 != null) [ - { - address = "${toString srvCfg.loopback4}"; - prefixLength = 32; - } - ]; - ipv6.addresses = lib.mkIf (lo6 != null) [ - { - address = "${toString srvCfg.loopback6}"; - prefixLength = 128; - } - ]; + ipv4.addresses = + lib.mkIf + ( + lo4 != null && config.customModules.loopback0.ipv4 == [ ] || !config.customModules.loopback0.enable + ) + [ + { + address = "${toString srvCfg.loopback4}"; + prefixLength = 32; + } + ]; + ipv6.addresses = + lib.mkIf + ( + lo6 != null && config.customModules.loopback0.ipv6 == [ ] || !config.customModules.loopback0.enable + ) + [ + { + address = "${toString srvCfg.loopback6}"; + prefixLength = 128; + } + ]; }; services.bird2.preCheckConfig = '' diff --git a/hosts/homerouters/bird_peers.nix b/hosts/homerouters/bird_peers.nix index dc316bb..0d86225 100644 --- a/hosts/homerouters/bird_peers.nix +++ b/hosts/homerouters/bird_peers.nix @@ -17,7 +17,7 @@ let in { - sops.secrets = lib.mkIf (passwords != [ ]) ( + sops.secrets = lib.mkIf (builtins.trace "Bird passwords = ${builtins.toJSON passwords}" passwords != [ ]) ( listToAttrs ( map (n: lib.nameValuePair "bird_secrets/${n}" { reloadUnits = [ "bird2.service" ]; }) passwords ) diff --git a/hosts/homerouters/configuration.nix b/hosts/homerouters/configuration.nix index 23c5c16..281de6c 100644 --- a/hosts/homerouters/configuration.nix +++ b/hosts/homerouters/configuration.nix @@ -17,6 +17,13 @@ ./firewall.nix ]; + + customModules = { + loopback0 = { + enable = true; + }; + }; + # Configure network proxy if necessary # networking.proxy.default = "http://user:password@proxy:port/"; # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; diff --git a/hosts/homerouters/firewall.nix b/hosts/homerouters/firewall.nix index ac21204..fb3ca83 100644 --- a/hosts/homerouters/firewall.nix +++ b/hosts/homerouters/firewall.nix 
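Review bot: The new `mkIf` conditions lose the null guard the old code had: Nix's `&&` binds tighter than `||`, so `lo4 != null && config.customModules.loopback0.ipv4 == [ ] || !config.customModules.loopback0.enable` reads as `(lo4 != null && ipv4 == [ ]) || !enable`, and with loopback0 disabled and `lo4 == null` an address entry is still emitted with `toString null`, i.e. an empty string, as the address. Parenthesise the disjunction, `lo4 != null && (config.customModules.loopback0.ipv4 == [ ] || !config.customModules.loopback0.enable)`, and do the same for the IPv6 branch with `lo6`. The enclosing `config = {` attrset starts and ends outside the hunk.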
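Review bot: The `builtins.trace "Bird passwords = ${builtins.toJSON passwords}"` wrapper in bird_peers.nix is a debugging aid that prints on every evaluation and is wired into the condition itself, so it ships with the commit; remove it before merge, restoring `sops.secrets = lib.mkIf (passwords != [ ]) (`. From the `map (n: lib.nameValuePair "bird_secrets/${n}" ...)` below, `passwords` appears to be a list of secret names rather than values, so this is noise rather than a leak, but evaluation logs still should not carry an inventory of which secrets exist.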
@@ -36,6 +36,7 @@ let concatMapStringsSep attrNames filterAttrs + optional ; in 
@@ -73,27 +74,32 @@ in define wireguardIFACEs = { ${concatMapStringsSep ", " quoteString (attrNames wgPeers)} } ''; - extraForwardRules = '' + extraForwardRules = lib.concatStringsSep "\n" ( + [ + '' + ${optionalString (transitedNetworks != [ ] && transitIFACEs != [ ]) '' + # iifname $wireguardIFACEs oifname $transitIFACEs counter accept + ip6 saddr $transitNETs iifname $wireguardIFACEs oifname $transitIFACEs counter accept + ip6 daddr $transitNETs oifname $wireguardIFACEs iifname $transitIFACEs counter accept + ''} - ${optionalString (transitedNetworks != [ ] && transitIFACEs != [ ]) '' - # iifname $wireguardIFACEs oifname $transitIFACEs counter accept - ip6 saddr $transitNETs iifname $wireguardIFACEs oifname $transitIFACEs counter accept - ip6 daddr $transitNETs oifname $wireguardIFACEs iifname $transitIFACEs counter accept - ''} + ${optionalString ( + wgPeers != { } + ) "iifname $wireguardIFACEs oifname $wireguardIFACEs counter accept"} - ${optionalString ( - wgPeers != { } - ) "iifname $wireguardIFACEs oifname $wireguardIFACEs counter accept"} + # ip6 daddr 2a13:79c0:ff00::/48 counter accept + # ip6 daddr { 2a13:79c0:ffff:feff:b00b:3945:a51:b00b, 2a13:79c0:ffff:feff:b00b:3945:a51:dead } counter accept - # ip6 daddr 2a13:79c0:ff00::/48 counter accept - # ip6 daddr { 2a13:79c0:ffff:feff:b00b:3945:a51:b00b, 2a13:79c0:ffff:feff:b00b:3945:a51:dead } counter accept + # ip6 daddr 2a13:79c0:ffff:fefe::113:91 tcp dport { 179, 1790 } counter accept - # ip6 daddr 2a13:79c0:ffff:fefe::113:91 tcp dport { 179, 1790 } counter accept + # ip6 saddr 2a13:79c0:ffff:feff:b00b::/80 ip6 daddr 2a13:79c0:ffff:fefe::/64 counter accept - # ip6 saddr 2a13:79c0:ffff:feff:b00b::/80 ip6 daddr 2a13:79c0:ffff:fefe::/64 counter accept + # ip6 saddr { 2a13:79c0:ffff:fefe::/64, 2a13:79c0:ffff:feff::/64 } ip6 daddr { 2a13:79c0:ffff:fefe::/64, 2a13:79c0:ffff:feff::/64 } counter accept + '' + ] - # ip6 saddr { 2a13:79c0:ffff:fefe::/64, 2a13:79c0:ffff:feff::/64 } ip6 daddr { 
2a13:79c0:ffff:fefe::/64, 2a13:79c0:ffff:feff::/64 } counter accept - ''; + ++ optional (birdConfig ? extraForwardRules) birdConfig.extraForwardRules + ); in mkAfter '' # FireWall Test Configs diff --git a/hosts/homerouters/romain-home-kitrtr/configuration.nix b/hosts/homerouters/romain-home-kitrtr/configuration.nix new file mode 100644 index 0000000..67a457f --- /dev/null +++ b/hosts/homerouters/romain-home-kitrtr/configuration.nix 
@@ -0,0 +1,110 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page, on +# https://search.nixos.org/options and in the NixOS manual (`nixos-help`). + +{ + config, + targetConfig, + lib, + pkgs, + ... +}: +let + iface = if targetConfig ? interface then targetConfig.interface else null; + # kittenIFACE = "ens19"; +in +{ + services.xserver.xkb = { + layout = "fr"; + #variant = ""; + }; + + #imports = [ ./wireguard.nix ]; + # Bootloader. + #boot.loader.systemd-boot.enable = true; + #boot.loader.systemd-boot.configurationLimit = 5; + #boot.loader.efi.canTouchEfiVariables = true; + boot.loader.grub.efiSupport = false; + boot.loader.grub.enable = true; + # boot.loader.grub.efiInstallAsRemovable = true; + # boot.loader.efi.efiSysMountPoint = "/boot/efi"; + # Define on which hard drive you want to install Grub. + #boot.loader.grub.devices = [ "${targetConfig.bootdisk}" ]; # or "nodev" for efi only + + customModules = { + loopback0 = { + enable = true; + ipv6 = [ "2a13:79c0:ffff:fefe::2:256" ]; + }; + }; + + # Pick only one of the below networking options. + # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. + # networking.networkmanager.enable = true; # Easiest to use and most distros use this by default. 
+ networking = { + #nameservers = [ "1.3.3.7" ]; + interfaces = { + "${iface}".useDHCP = true; + + # "${kittenIFACE}" = { + + # # ipv4.addresses = [ + # # { + # # address = "185.10.17.209"; + # # prefixLength = 24; + # # } + # # ]; + + # ipv6.addresses = [ + # { + # address = "2a13:79c0:ffff:feff:b00b:caca:b173:25"; + # prefixLength = 112; + # } + # ]; + # }; + }; + + # defaultGateway = { + # address = "185.10.17.254"; + # metric = 42; + # interface = iface; + # }; + + # defaultGateway6 = { + # address = "fe80::1"; + # metric = 42; + # interface = iface; + # }; + + useDHCP = false; + #dhcpcd.enable = false; + }; + + systemd.network.enable = true; + + # Set your time zone. + time.timeZone = "Europe/Paris"; + + nixpkgs.config.allowUnfree = true; + # Configure network proxy if necessary + # networking.proxy.default = "http://user:password@proxy:port/"; + # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; + + # This option defines the first version of NixOS you have installed on this particular machine, + # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. + # + # Most users should NEVER change this value after the initial install, for any reason, + # even if you've upgraded your system to a new NixOS release. + # + # This value does NOT affect the Nixpkgs version your packages and OS are pulled from, + # so changing it will NOT upgrade your system. + # + # This value being lower than the current NixOS release does NOT mean your system is + # out of date, out of support, or vulnerable. + # + # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration, + # and migrated your data accordingly. + # + # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion . + system.stateVersion = lib.mkForce "24.05"; # Did you read the comment? +} 
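Review bot: `"${iface}".useDHCP = true;` cannot tolerate the `null` that the `iface` binding at the top of the file falls back to — interpolating `null` into a string is an evaluation error, so the `else null` branch only turns a missing `targetConfig.interface` into a less readable failure. If the interface is genuinely optional, guard the attribute: `interfaces = lib.optionalAttrs (iface != null) { "${iface}".useDHCP = true; } // { ... };`; if it is required, drop the fallback and fail with a clear message via `targetConfig.interface or (throw "interface is required")`. A one-line comment stating which of the two is intended would help the next host that copies this file.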
diff --git a/hosts/homerouters/romain-home-kitrtr/default.nix b/hosts/homerouters/romain-home-kitrtr/default.nix new file mode 100644 index 0000000..75c4162 --- /dev/null +++ b/hosts/homerouters/romain-home-kitrtr/default.nix @@ -0,0 +1,30 @@ +{ ... }: +{ + type = "targetConfig"; + + bootdisk = "/dev/vda"; + diskTemplate = "simple_singleFullRoot"; + + interface = "ens18"; + # mainSerial = 0; + + birdConfig = { + # # inherit transitInterface; + + # # router-id = ; + + # # loopback4 = ""; + # loopback6 = "2a13:79c0:ffff:fefe::22f0"; + + # static6 = [ + # "::/0 recursive 2a13:79c0:ffff:fefe::b00b" + + # # "2a13:79c0:ffff:feff:b00b:caca:b173:0/112 unreachable" # Direct on ens19 + # "2a13:79c0:fffe:100::/56 unreachable" + + # #"2a13:79c0:ffff::/48 unreachable" # Networking stuff + # #"2a13:79c0:ffff:fefe::/64 unreachable" # LoopBacks + # #"2a13:79c0:ff00::/40 unreachable" # full range /40 + # ]; + }; +} diff --git a/hosts/homerouters/romain-home-kitrtr/hardware-configuration.nix b/hosts/homerouters/romain-home-kitrtr/hardware-configuration.nix new file mode 100644 index 0000000..36b4585 --- /dev/null +++ b/hosts/homerouters/romain-home-kitrtr/hardware-configuration.nix 
@@ -0,0 +1,34 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ + config, + lib, + pkgs, + modulesPath, + ... +}: + +{ + imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; + + boot.initrd.availableKernelModules = [ + "ata_piix" + "uhci_hcd" + "virtio_pci" + "sr_mod" + "virtio_blk" + ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.ens18.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} diff --git a/hosts/homerouters/romain-home-kitrtr/peers/KIT-IG1-RTR.nix b/hosts/homerouters/romain-home-kitrtr/peers/KIT-IG1-RTR.nix new file mode 100644 index 0000000..f408597 --- /dev/null +++ b/hosts/homerouters/romain-home-kitrtr/peers/KIT-IG1-RTR.nix @@ -0,0 +1,30 @@ +{ ... }: +let + kittenASN = 4242421945; +in +{ + peerAS = kittenASN; + peerIP = "2a13:79c0:ffff:feff::114"; + localAS = kittenASN; + + wireguard = { + address = "2a13:79c0:ffff:feff::115"; + # port = 51842; + endpoint = "78.40.121.76:51821"; + peerKey = "gDriA5mhKKh44OHEIxmmevphoVRLK45TRJmFS1DV1i4="; + }; + + template = "kittunderlay"; + bgpMED = 100; + ipv6 = { + #imports = null; + imports = x: "filter filter6_IN_BGP_${toString x}"; + #exports = [ "2a12:dd47:9330::/44" ]; + + #exports = null; + }; + ipv4 = { + imports = x: "filter filter4_IN_BGP_${toString x}"; + #exports = x: "filter6_IN_BGP_${toString x}"; + }; +} 
diff --git a/hosts/homerouters/romain-home-kitrtr/peers/default.nix b/hosts/homerouters/romain-home-kitrtr/peers/default.nix new file mode 100644 index 0000000..309e3f2 --- /dev/null +++ b/hosts/homerouters/romain-home-kitrtr/peers/default.nix @@ -0,0 +1,20 @@ +{ ... }: +let + defaultPeers = import ../../_peers { }; +in +defaultPeers +// { + + # Transit + # TRS_virtua6_RS01 = import ./TRS-virtua6-RS01.nix { }; + # TRS_virtua6_RS02 = import ./TRS-virtua6-RS02.nix { }; + + # # Internal Tunnels + KIT_IG1_RTR = import ./KIT-IG1-RTR.nix { }; + # virtuaNix_PAR = import ./KIT-VIRTUA-EDGE.nix { }; + # vultrNix_PAR = import ./KIT-VULTR-EDGE.nix { }; + # # LGC_virtua_PAR = import ./KIT-VIRTUA-EDGE.legacy.nix { }; + + # toinuxMEL1 = import ./KIT-toinux-MEL1.nix { }; + # roumainNTE = import ./KIT-roumain-NTE.nix { }; +} diff --git a/hosts/homerouters/wireguard.nix b/hosts/homerouters/wireguard.nix index db96a56..5448b54 100644 --- a/hosts/homerouters/wireguard.nix +++ b/hosts/homerouters/wireguard.nix @@ -113,7 +113,7 @@ let }; in { - # sops --set '["wireguard_serverkey"] "'"$(wg genkey | tee >(wg pubkey > /dev/stderr))"'"' secrets/vultr-kit-edge.yaml + # sops --set '["wireguard_serverkey"] "'"$(wg genkey | tee >(wg pubkey > /dev/stderr))"'"' secrets/.yaml sops.secrets.wireguard_serverkey = { }; environment.systemPackages = with pkgs; [ wireguard-tools ]; diff --git a/hosts/routers/iguane-kit-rtr/configuration.nix b/hosts/routers/iguane-kit-rtr/configuration.nix index 3ff6c09..869c910 100644 --- a/hosts/routers/iguane-kit-rtr/configuration.nix +++ b/hosts/routers/iguane-kit-rtr/configuration.nix 
@@ -30,6 +30,24 @@ in # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. # networking.networkmanager.enable = true; # Easiest to use and most distros use this by default. networking = { + + nftables.tables."nat" = { + family = "inet"; + name = "nat"; + + content = lib.mkAfter '' + chain postrouting { + type nat hook postrouting priority srcnat; policy accept; + ip6 daddr 2a13:79c0:ffff:feff:b00b:3965:222:0/112 oifname "bootstrap" counter masquerade # random,persistent + } + ''; + }; + + firewall = { + allowedTCPPorts = [ 51888 ]; + allowedUDPPorts = [ 51888 ]; + }; + #nameservers = [ "1.3.3.7" ]; interfaces = { "${iface}".useDHCP = true; diff --git a/hosts/routers/iguane-kit-rtr/default.nix b/hosts/routers/iguane-kit-rtr/default.nix index f8dbd72..24961c4 100644 --- a/hosts/routers/iguane-kit-rtr/default.nix +++ b/hosts/routers/iguane-kit-rtr/default.nix @@ -27,10 +27,11 @@ ]; # extra interfaces part of KittenNetwork (local-eth for ex) - # allowedInterfaces = []; + # allowedInterfaces = [ "bootstrap" ]; extraForwardRules = '' iifname $kittenIFACEs ip6 daddr 2a13:79c0:ffff:fefe::113:91 tcp dport { 179, 1790 } counter accept + oifname bootstrap ip6 daddr 2a13:79c0:ffff:feff:b00b:3965:222:0/112 counter accept ip6 saddr 2a01:cb08:bbb:3700::/64 oifname ens19 counter accept diff --git a/hosts/routers/iguane-kit-rtr/peers/KIT-roumainNix-NTE.nix b/hosts/routers/iguane-kit-rtr/peers/KIT-roumainNix-NTE.nix new file mode 100644 index 0000000..b5627dd --- /dev/null +++ b/hosts/routers/iguane-kit-rtr/peers/KIT-roumainNix-NTE.nix 
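Review bot: The masquerade rule's trailing comment `# random,persistent` names flags that the rule itself does not apply; as written nft uses its default port mapping. Either make the rule `ip6 daddr 2a13:79c0:ffff:feff:b00b:3965:222:0/112 oifname "bootstrap" counter masquerade random,persistent` or drop the comment so readers do not assume those flags are active. Separately, `allowedTCPPorts = [ 51888 ]` opens the port over TCP as well as UDP; nothing on this page says what 51888 serves, so if it is a WireGuard listener only the UDP entry is needed and the TCP one widens exposure for no benefit — a comment naming the service would settle it.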
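Review bot: The new forward rule `oifname bootstrap ip6 daddr 2a13:79c0:ffff:feff:b00b:3965:222:0/112 counter accept` matches only on egress interface and destination, unlike the line above it which also pins `iifname $kittenIFACEs`; forwarded traffic toward that /112 is therefore accepted from any ingress interface. If that is intended, say so in a comment; otherwise add the ingress constraint, e.g. `iifname $kittenIFACEs oifname bootstrap ip6 daddr 2a13:79c0:ffff:feff:b00b:3965:222:0/112 counter accept`. The `# allowedInterfaces = [ "bootstrap" ];` line stays commented out, so it changes nothing either way.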
@@ -0,0 +1,32 @@ +{ ... }: +let + kittenASN = 4242421945; +in +{ + peerAS = kittenASN; + peerIP = "2a13:79c0:ffff:feff::115"; + localAS = kittenASN; + + wireguard = { + address = "2a13:79c0:ffff:feff::114"; + port = 51821; + # onIFACE = "ens18"; + + # endpoint = "82.65.74.170:6969"; + peerKey = "tTY05MJgkKXf8pEZ4kC1TLWWTeIrh3KzyZdsmlUHTVM="; + }; + + template = "kittunderlay"; + bgpMED = 100; + ipv6 = { + #imports = null; + imports = x: "filter filter6_IN_BGP_${toString x}"; + #exports = [ "2a12:dd47:9330::/44" ]; + + #exports = null; + }; + ipv4 = { + imports = x: "filter filter4_IN_BGP_${toString x}"; + #exports = x: "filter6_IN_BGP_${toString x}"; + }; +} diff --git a/hosts/routers/iguane-kit-rtr/peers/default.nix b/hosts/routers/iguane-kit-rtr/peers/default.nix index 8337dce..1c065af 100644 --- a/hosts/routers/iguane-kit-rtr/peers/default.nix +++ b/hosts/routers/iguane-kit-rtr/peers/default.nix @@ -17,4 +17,5 @@ defaultPeers aureG8 = import ./KIT-aurelien-RBR.nix { }; toinuxMEL1 = import ./KIT-toinux-MEL1.nix { }; roumainNTE = import ./KIT-roumain-NTE.nix { }; + roumaiNixNTE = import ./KIT-roumainNix-NTE.nix { }; } diff --git a/modules/kitten/connect/bird.nix b/modules/kitten/connect/bird.nix new file mode 100644 index 0000000..c0dad91 --- /dev/null +++ b/modules/kitten/connect/bird.nix 
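Review bot: This peer sets `port = 51821` with no endpoint, so the host has to accept inbound UDP on 51821, yet the only firewall change for iguane-kit-rtr in this series opens 51888 (hosts/routers/iguane-kit-rtr/configuration.nix). If hosts/homerouters/wireguard.nix opens each peer's `wireguard.port` automatically this is fine, but that is not visible here; a comment such as `# passive listener; port is opened by wireguard.nix` (or the matching firewall entry) would make the intent checkable.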
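Review bot: The new attribute is spelled `roumaiNixNTE` while the file it imports is `KIT-roumainNix-NTE.nix` and the sibling entry is `roumainNTE`; the attribute name becomes the BGP protocol name and, when the peer has a wireguard block, the interface name (see `interface ? ... else peerName` in modules/kitten/connect/bird_peers.nix in this series), so the typo propagates into `bird` and `ip link` output. Suggest `roumainNixNTE = import ./KIT-roumainNix-NTE.nix { };`.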
@@ -0,0 +1,313 @@ +{ + lib, + config, + target, + targetConfig, + ... +}: +let + inherit (lib) + optional + optionals + optionalString + mkOrder + attrNames + filterAttrs + concatStringsSep + concatMapStringsSep + ; + + birdCfg = config.services.bird2; + srvCfg = config.customModules.bird; + + #srvCfg = + # let + # cfg = + # if targetConfig ? birdConfig then + # targetConfig.birdConfig + # else + # import (./. + "/${target}/birdconfig.nix") { inherit targetConfig; }; + # in + # if cfg ? peers then + # cfg + # else + # let + # peers = (import (./. + "/${target}/peers/") { }); + # in + # (cfg // { inherit peers; }); + + rrs = attrNames (filterAttrs (n: v: v ? template && v.template == "rrserver") srvCfg.peers); + + lo4 = + if (srvCfg ? loopback4 && srvCfg.loopback4 != null && srvCfg.loopback4 != "") then + srvCfg.loopback4 + else + null; + + lo6 = + if (srvCfg ? loopback6 && srvCfg.loopback6 != null && srvCfg.loopback6 != "") then + srvCfg.loopback6 + else + null; +in +{ + config = { + + sops.templates."bird_secrets.conf" = { + owner = "bird2"; + }; + + _module.args = { + birdConfig = srvCfg; + }; + + networking.firewall.allowedTCPPorts = [ + 179 # BGP + 1790 # Internal BGP + ]; + + services.bird2.preCheckConfig = '' + echo "Bird configuration include these resources" + grep include bird2.conf + + LINE=$(grep -n include bird2.conf | grep bird_secrets.conf | head -1 | cut -d: -f1) + if [ ! -z "$LINE" ]; then + echo "Found secrets importing, will substitute it with placeholders values" + sed ''${LINE}d -i bird2.conf + sed "$(($LINE))i"'include "_secrets_substitute.conf";' -i bird2.conf + + cat > _secrets_substitute.conf <<< ' + ${config.sops.templates."bird_secrets.conf".content} + ' + + # cat _secrets_substitute.conf bird2.conf + fi + ''; + + services.bird2.config = mkOrder 0 ( + concatStringsSep "\n\n" ( + let + transitIFACE = if srvCfg ? 
transitInterface then srvCfg.transitInterface else null; + + quoteString = x: ''"${x}"''; + in + [ + "log syslog all;" + + ''include "${config.sops.templates."bird_secrets.conf".path}";'' + + '' + # The Device protocol is not a real routing protocol. It does not generate any + # routes and it only serves as a module for getting information about network + # interfaces from the kernel. It is necessary in almost any configuration. + protocol device DEV {} + + # The direct protocol is not a real routing protocol. It automatically generates + # direct routes to all network interfaces. Can exist in as many instances as you + # wish if you want to populate multiple routing tables with direct routes. + protocol direct DIRECT { + #disabled; + check link on; + ipv4; + ipv6; + interface "*"; + } + '' + + '' + #<== Générique + function is_valid4_network() { + return net ~ [ + 172.23.193.192/26, + 172.23.193.192/26{32,32} + ]; + } + + function is_valid6_network() { + return net ~ [ + 2a13:79c0:ff00::/40, + 2a13:79c0:ffff::/48{48,64}, + 2a13:79c0:ffff:fefe::/64{128,128}, + 2a13:79c0:ffff:feff::/64{112,112} + ]; + } + + + function is_rr_valid6_network() { + return net ~ [ + ${ + optionalString (transitIFACE != null) "# ::/0," + } # Announce (or not) default route [transitInterface = ${toString transitIFACE}] + 2a13:79c0:ff00::/40, + 2a13:79c0:ff00::/48+, # Special case for Toinux home + # 2a13:79c0:ffff:fefe::/64{128,128}, + # 2a13:79c0:ffff:feff::/64{112,112}, + 2a13:79c0:ffff::/48{48,64}, + 2a13:79c0:fffe::/48{56,56} + ]; + } + + '' + + '' + # The Kernel protocol is not a real routing protocol. Instead of communicating + # with other routers in the network, it performs synchronization of BIRD + # routing tables with the OS kernel. One instance per table. + protocol kernel KERNEL4 { + ipv4 { # Connect protocol to IPv4 table by channel + # table master4; # Default IPv4 table is master4 + # import all; # Import to table, default is import all + # export all; # Export to protocol. 
default is export none + export filter { + if ( is_valid4_network() || source ~ [RTS_STATIC] + ${ + let + sep = "|| proto ="; + in + optionalString (rrs != [ ]) sep + (concatMapStringsSep sep quoteString rrs) + } + ) then { + ${ + optionalString (lo4 != null) '' + if source ~ [RTS_BGP] || net ~ [ 0.0.0.0/0 ] then { + krt_prefsrc=${lo4}; + } + '' + } + accept; + } else reject; + }; + }; + merge paths on; + # learn; # Learn alien routes from the kernel + # kernel table 10; # Kernel table to synchronize with (default: main) + } + + # Another instance for IPv6, skipping default options + protocol kernel KERNEL6 { + # ipv6 { export all; }; + ipv6 { + export filter { + + if ( is_valid6_network() || source ~ [RTS_STATIC] + ${ + let + sep = "|| proto ="; + in + optionalString (rrs != [ ]) sep + (concatMapStringsSep sep quoteString rrs) + } + ) then { + ${ + optionalString (lo6 != null) '' + if source ~ [RTS_BGP] || net ~ [ ::/0 ] then { + krt_prefsrc=${lo6}; + } + '' + } + accept; + } else reject; + }; + }; + + merge paths on; + } + '' + + '' + + template bgp rrserver { + local port 1790; + neighbor port 179; + multihop 5; + + ipv4 { + gateway recursive; + extended next hop; + next hop self; + + import filter { accept; }; + + export none; + # export filter { if is_v4_network() && source ~ [RTS_STATIC, RTS_DEVICE, RTS_BGP, RTS_OSPF] then accept; else reject; }; + import limit 1000 action block; + igp table master4; # IGP table for routes with IPv4 nexthops + # igp table master6; # IGP table for routes with IPv4 nexthops + }; + + ipv6 { + gateway recursive; + next hop self; + + import filter { accept; }; + export filter { if is_rr_valid6_network() && source ~ [RTS_STATIC, RTS_DEVICE, RTS_BGP, RTS_OSPF] then accept; else reject; }; + import limit 1000 action block; + igp table master6; # IGP table for routes with IPv6 nexthops + }; + + } + '' + + '' + template bgp kittunderlay { + # local as 4242421945; + # neighbor as kittenASN; + local port 1790; + neighbor port 1790; + rr 
client; + path metric off; + ipv4 { + extended next hop; + next hop self; + import keep filtered; + + import filter { + if is_valid4_network() then { + if defined( bgp_med ) then + bgp_med = bgp_med + 1000; + else { + bgp_med = 1000; + } + accept; + } else reject; + }; + + export filter { if is_valid4_network() && source ~ [RTS_STATIC, RTS_DEVICE, RTS_BGP, RTS_OSPF] then accept; else reject; }; + import limit 1000 action block; + }; + + ipv6 { + next hop self; + import keep filtered; + + import filter { + if is_valid6_network() then { + if defined( bgp_med ) then + bgp_med = bgp_med + 1000; + else { + bgp_med = 1000; + } + accept; + } else reject; + }; + + export filter { if is_valid6_network() && source ~ [RTS_STATIC, RTS_DEVICE, RTS_BGP, RTS_OSPF] then accept; else reject; }; + import limit 1000 action block; + }; + + } + '' + ] + ++ + optionals (srvCfg ? static6 && builtins.typeOf srvCfg.static6 == "list" && srvCfg.static6 != [ ]) + [ + '' + protocol static STATIC6 { + ipv6; + ${concatMapStringsSep "\n" (x: " " + "route ${x};") srvCfg.static6} + } + '' + ] + ) + ); + }; +} diff --git a/modules/kitten/connect/bird_peers.nix b/modules/kitten/connect/bird_peers.nix new file mode 100644 index 0000000..dc316bb --- /dev/null +++ b/modules/kitten/connect/bird_peers.nix 
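Review bot: In both KERNEL export filters, `optionalString (rrs != [ ]) sep + (concatMapStringsSep sep quoteString rrs)` relies on function application binding tighter than `+`: it is `(optionalString cond sep) + (...)`, which happens to yield `|| proto ="A"|| proto ="B"` and the empty string when rrs is empty, but reads as if the whole expression were optional. `optionalString (rrs != [ ]) (sep + concatMapStringsSep sep quoteString rrs)` states the intent with identical output; a comment `# adds "|| proto = <rr>" for every rrserver peer so routes learned from them reach the kernel` would also help. Note that `lo4`/`lo6` are only checked for null/empty before being interpolated into `krt_prefsrc=`, so a malformed loopback string reaches the Bird config unchecked — preCheckConfig catches a syntax error but not a wrong address; if `customModules.bird` validates these elsewhere this is moot.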
@@ -0,0 +1,199 @@ +{ + lib, + target, + config, + targetConfig, + birdConfig, + ... +}: +let + inherit (lib) listToAttrs nameValuePair; + + peers = birdConfig.peers; + + peersWithPasswordRef = lib.attrsets.filterAttrs (n: v: v ? passwordRef) peers; + + passwords = lib.unique (lib.attrsets.mapAttrsToList (n: v: v.passwordRef) peersWithPasswordRef); +in +{ + + sops.secrets = lib.mkIf (passwords != [ ]) ( + listToAttrs ( + map (n: lib.nameValuePair "bird_secrets/${n}" { reloadUnits = [ "bird2.service" ]; }) passwords + ) + ); + + sops.templates."bird_secrets.conf".content = lib.mkIf (passwords != [ ]) ( + lib.mkMerge ( + map (password: '' + define secretPassword_${password} = "${config.sops.placeholder."bird_secrets/${password}"}"; + '') passwords + ) + ); + + services.bird2.config = + let + mkPeersFuncArgs = (x: { peerName = x; } // peers.${x}); + + toLines = + nindent: + let + indent = lib.concatMapStrings (_: " ") (lib.range 1 nindent); + in + builtins.concatStringsSep "\n${indent}"; + + withType = types: x: lib.toFunction types.${builtins.typeOf x} x; + + peersFunc = + x@{ + peerName, + peerIP, + peerAS ? 65666, + + localIP ? "", + localAS ? 65666, + + multihop ? 0, + template ? "", + + password ? "", + passwordRef ? "", + + ipv4 ? { }, + ipv6 ? { }, + + bgpMED ? null, + + wireguard ? { }, + interface ? + if (wireguard != { }) then + (if wireguard ? interface then wireguard.interface else peerName) + else + null, + ... 
+ }: + let + inherit (lib) optionalString; + inherit (builtins) concatStringsSep toJSON; + in + '' + ${optionalString (bgpMED != null) "define bgpMED_${toString peerName} = ${toString bgpMED};"} + ${optionalString (template == "kittunderlay") '' + filter filter4_IN_BGP_${toString peerName} { + if is_valid4_network() then { + if defined( bgp_med ) then + bgp_med = bgp_med + bgpMED_${toString peerName}; + else { + bgp_med = bgpMED_${toString peerName}; + } + accept; + } else reject; + } + + filter filter6_IN_BGP_${toString peerName} { + if is_valid6_network() then { + if defined( bgp_med ) then + bgp_med = bgp_med + bgpMED_${toString peerName}; + else { + bgp_med = bgpMED_${toString peerName}; + } + accept; + } else reject; + } + ''} + + # ${optionalString (x ? debug && x.debug == true) (toJSON x)} + # L: AS${toString localAS} | R: AS${toString peerAS} + protocol bgp ${toString peerName} ${optionalString (template != "") "from ${toString template}"} { + local ${ + optionalString (localIP != "") (toString localIP) + } as ${toString localAS}; # localIP: "${toString localIP}" + neighbor ${toString peerIP} as ${toString peerAS}; + ${optionalString (interface != null) ''interface "${interface}";''} + ${ + if multihop == 0 then + "direct;" + else + "multihop ${ + optionalString (multihop != -1) toString (if multihop < -1 then -1 * multihop else multihop) + };" + } # multihop: ${toString multihop} + + ${ + optionalString (password != "") + ''password "${ + assert lib.asserts.assertMsg ( + passwordRef == "" + ) "U defined a passwordRef, why do you still want to leak password ?"; + toString ( + lib.warn "bird2 peers password is insecure consider using passwordRef with a bird_secrets file" password + ) + }"; # Not-Secured cleartext access for @everyone'' + } + ${ + optionalString ( + passwordRef != "" + ) "password secretPassword_${toString passwordRef}; # Defined in secrets file" + } + + ${ + optionalString (ipv6 != { }) '' + ipv6 { + ${ + optionalString (ipv6 ? 
imports && ipv6.imports != "" && ipv6.imports != [ ]) ( + let + myType = withType { + string = x: " import ${x};"; + null = x: " import none;"; + lambda = f: myType (f peerName); + list = x: '' + # ${toJSON x} + import filter { + if ( net ~ [ ${concatStringsSep ", " x} ] ) then { + accept; + } + reject; + }; + ''; + }; + in + myType ipv6.imports + ) + } + ${ + optionalString (ipv6 ? exports && ipv6.exports != "" && ipv6.exports != [ ]) ( + let + myType = withType { + string = x: " export ${x};"; + null = x: " export none;"; + lambda = f: myType (f peerName); + list = x: '' + # ${toJSON x} + export filter { + if ( net ~ [ ${concatStringsSep ", " x} ] ) then { + accept; + } + reject; + }; + ''; + }; + in + myType ipv6.exports + ) + } + }; + '' + } + + } + '' + + ; + in + lib.mkOrder 50 ( + builtins.concatStringsSep "\n" ( + [ "# Nix-OS Generated for ${target}" ] + ++ (map (x: "# ${x}\n${peersFunc (mkPeersFuncArgs x)}") (builtins.attrNames peers)) + ) + ); +} diff --git a/modules/kitten/connect/loopback0.nix b/modules/kitten/connect/loopback0.nix new file mode 100644 index 0000000..befba2b --- /dev/null +++ b/modules/kitten/connect/loopback0.nix 
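Review bot: The `multihop` branch `"multihop ${optionalString (multihop != -1) toString (...)};"` parses as `(optionalString (multihop != -1) toString) (...)`, so for `multihop = -1` the inner value is applied to `""` and evaluation aborts with "attempt to call something which is not a function" instead of emitting `multihop;`. Change it to `optionalString (multihop != -1) (toString (if multihop < -1 then -1 * multihop else multihop))`. Also, `ipv4 ? { }` is accepted by peersFunc but never referenced in the generated text — only an `ipv6 { ... }` channel is emitted — so the per-peer `ipv4.imports` that KIT-IG1-RTR.nix and KIT-roumainNix-NTE.nix set in this series is silently dropped (any ipv4 channel comes from the template alone); either mirror the ipv6 block for ipv4 or fail loudly when `ipv4 != { }` so the omission is visible.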
@@ -0,0 +1,93 @@ +{ + lib, + config, + pkgs, + ... +}: + +let + inherit (lib) + mkOption + stringLength + types + ; + + + cfg = config.customModules.loopback0; + + canonicalizeIPs = ips: lib.unique ips; + + hasIPv4 = (cfg.ipv4 != [ ]); + isValidIPv4 = + ip: + let + parts = lib.splitString "." ip; + isByte = + part: + let + n = builtins.parseInt part; + in + n >= 0 && n <= 255; + in + builtins.length parts == 4 && lib.all isByte parts; + + hasIPv6 = (cfg.ipv6 != [ ]); + isValidIPv6 = + ip: + let + parts = lib.splitString ":" ip; + isHexPart = + part: stringLength part <= 4 && (part == "" || (builtins.match "[0-9a-fA-F]+" part != null)); + in + builtins.length parts <= 8 && lib.all isHexPart parts && ip != ""; + + validateIPv4s = ips: if lib.all isValidIPv4 ips then canonicalizeIPs ips else throw "Invalid IPv4 address in the list"; + + validateIPv6s = ips: if lib.all isValidIPv6 ips then builtins.trace "IPs: ${builtins.toJSON ips} -> ${builtins.toJSON (canonicalizeIPs ips)}" (canonicalizeIPs ips) else throw "Invalid IPv6 address in the list"; +in +{ + options.customModules.loopback0 = { + enable = lib.mkEnableOption "loopback IP addresses module"; + + ipv4 = mkOption { + type = types.listOf types.str; + description = "An array of IPv4 addresses."; + default = [ ]; + example = [ + "127.0.0.1" + "192.168.0.1" + ]; + apply = validateIPv4s; + }; + + ipv6 = mkOption { + type = types.listOf types.str; + description = "An array of IPv6 addresses."; + default = [ ]; + example = [ + "::1" + "fe80::1" + ]; + apply = validateIPv6s; + }; + }; + + config = lib.mkIf cfg.enable { + # Add any additional configuration here. 
+ networking.extraHosts = lib.concatMapStringsSep "\n" (ip: "${ip} ${config.networking.hostName}") ( + cfg.ipv4 ++ cfg.ipv6 + ); + + networking.interfaces.lo = lib.mkIf (hasIPv4 || hasIPv6) { + ipv4.addresses = lib.mkIf (hasIPv4) (map (x: { + address = "${toString x}"; + prefixLength = 32; + }) cfg.ipv4); + + ipv6.addresses = lib.mkIf (hasIPv6) (map (x: { + address = "${toString x}"; + prefixLength = 128; + }) cfg.ipv6); + }; + }; +} diff --git a/targets.nix b/targets.nix deleted file mode 100644 index 9006ca3..0000000 --- a/targets.nix +++ /dev/null @@ -1,24 +0,0 @@ -{ ... }: -{ - # TODO: review this part : - # - Move in another file - # - Make it support multiple machine profiles [WIP] - # stonkstation = { - # bootdisk = "/dev/sda"; - # bootloader = "grub"; - # interface = "eno1"; - # mainSerial = "4"; - # }; - # prodesk = { - # bootdisk = "/dev/sda"; - # bootloader = "grub"; - # interface = "eno1"; - # mainSerial = "4"; - # }; - # poubelle00 = { - # # need rework - # bootdisk = "/dev/sda"; - # interface = "ens18"; - # mainSerial = "0"; - # }; -} From bb376ea774cb0120ff31995ac3f58fb26bece4c6 Mon Sep 17 00:00:00 2001 From: root Date: Sun, 30 Jun 2024 23:53:06 +0200 Subject: [PATCH 03/74] Lindt + Romain config --- hosts/homerouters/bird.nix | 2 +- hosts/homerouters/bird_peers.nix | 12 +++--- hosts/homerouters/configuration.nix | 1 - .../romain-home-kitrtr/configuration.nix | 40 ++++++++++++------- .../romain-home-kitrtr/default.nix | 28 +++++++------ 5 files changed, 49 insertions(+), 34 deletions(-) diff --git a/hosts/homerouters/bird.nix b/hosts/homerouters/bird.nix index 59a2898..b1ba667 100644 --- a/hosts/homerouters/bird.nix +++ b/hosts/homerouters/bird.nix @@ -56,7 +56,7 @@ in imports = [ ./bird_peers.nix # ./bird_statics.nix - ]; + ]; config = { diff --git a/hosts/homerouters/bird_peers.nix b/hosts/homerouters/bird_peers.nix index 0d86225..e956e5c 100644 --- a/hosts/homerouters/bird_peers.nix +++ b/hosts/homerouters/bird_peers.nix 
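Review bot: `isByte` calls `builtins.parseInt`, which is not a Nix builtin, so `apply = validateIPv4s` fails with a missing-attribute error the first time anyone sets a non-empty `ipv4` list (the empty default never reaches it, which is why this is latent). Use `lib.toInt` after a digits-only check: `isByte = part: builtins.match "[0-9]+" part != null && lib.toInt part <= 255;` (the regex already excludes negatives, and toInt rejects zero-padded octets, which are ambiguous in dotted-quad notation anyway). `isValidIPv6` is also very permissive — it accepts `a:b` or several `::` runs — and accepted strings go straight into `networking.extraHosts` and `networking.interfaces.lo`, so a typo yields a broken /etc/hosts or an address that activation rejects; at minimum the two `throw` messages should name the offending entries, e.g. `throw "Invalid IPv4 address(es): ${builtins.toJSON (builtins.filter (ip: !isValidIPv4 ip) ips)}"`. The `builtins.trace` in `validateIPv6s` looks like leftover debugging and prints on every evaluation.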
@@ -17,11 +17,13 @@ let in { - sops.secrets = lib.mkIf (builtins.trace "Bird passwords = ${builtins.toJSON passwords}" passwords != [ ]) ( - listToAttrs ( - map (n: lib.nameValuePair "bird_secrets/${n}" { reloadUnits = [ "bird2.service" ]; }) passwords - ) - ); + sops.secrets = + lib.mkIf (builtins.trace "Bird passwords = ${builtins.toJSON passwords}" passwords != [ ]) + ( + listToAttrs ( + map (n: lib.nameValuePair "bird_secrets/${n}" { reloadUnits = [ "bird2.service" ]; }) passwords + ) + ); sops.templates."bird_secrets.conf".content = lib.mkIf (passwords != [ ]) ( lib.mkMerge ( diff --git a/hosts/homerouters/configuration.nix b/hosts/homerouters/configuration.nix index 281de6c..e361949 100644 --- a/hosts/homerouters/configuration.nix +++ b/hosts/homerouters/configuration.nix @@ -17,7 +17,6 @@ ./firewall.nix ]; - customModules = { loopback0 = { enable = true; diff --git a/hosts/homerouters/romain-home-kitrtr/configuration.nix b/hosts/homerouters/romain-home-kitrtr/configuration.nix index 67a457f..854a80c 100644 --- a/hosts/homerouters/romain-home-kitrtr/configuration.nix +++ b/hosts/homerouters/romain-home-kitrtr/configuration.nix @@ -11,7 +11,7 @@ }: let iface = if targetConfig ? interface then targetConfig.interface else null; - # kittenIFACE = "ens19"; + kittenIFACE = "ens19"; in { services.xserver.xkb = { 
@@ -43,25 +43,35 @@ in # networking.networkmanager.enable = true; # Easiest to use and most distros use this by default. networking = { #nameservers = [ "1.3.3.7" ]; + vlans = { + vlan36 = { + id = 36; + interface = "${kittenIFACE}"; + }; + # vlan91 = { + # id = 91; + # interface = "${kittenIFACE}"; + # }; + }; interfaces = { "${iface}".useDHCP = true; - # "${kittenIFACE}" = { + vlan36 = { - # # ipv4.addresses = [ - # # { - # # address = "185.10.17.209"; - # # prefixLength = 24; - # # } - # # ]; + # ipv4.addresses = [ + # { + # address = "185.10.17.209"; + # prefixLength = 24; + # } + # ]; - # ipv6.addresses = [ - # { - # address = "2a13:79c0:ffff:feff:b00b:caca:b173:25"; - # prefixLength = 112; - # } - # ]; - # }; + ipv6.addresses = [ + { + address = "2a13:79c0:ffff:feff:b00b:3615:1:6969"; + prefixLength = 112; + } + ]; + }; }; # defaultGateway = { diff --git a/hosts/homerouters/romain-home-kitrtr/default.nix b/hosts/homerouters/romain-home-kitrtr/default.nix index 75c4162..64af35b 100644 --- a/hosts/homerouters/romain-home-kitrtr/default.nix +++ b/hosts/homerouters/romain-home-kitrtr/default.nix 
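Review bot: `interface = "${kittenIFACE}";` interpolates a value that is already a string; `interface = kittenIFACE;` is the idiomatic form, and the commented `vlan91` block has the same shape. The `vlan36` interface block gets a static IPv6 address only while `useDHCP = false` is set for the whole `networking` block later in the same file, so the VLAN is IPv6-only by construction — a one-line comment saying so would save the next reader from wondering whether the commented ipv4 block was meant to be restored.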
@@ -9,22 +9,26 @@ # mainSerial = 0; birdConfig = { - # # inherit transitInterface; + # # inherit transitInterface; + extraForwardRules = '' + iifname $wireguardIFACEs oifname "vlan36" ip6 daddr 2a13:79c0:ffff:feff:b00b:3615:1:0/112 counter accept + oifname $wireguardIFACEs iifname "vlan36" ip6 saddr 2a13:79c0:ffff:feff:b00b:3615:1:0/112 counter accept + ''; - # # router-id = ; + # # router-id = ; - # # loopback4 = ""; - # loopback6 = "2a13:79c0:ffff:fefe::22f0"; + # # loopback4 = ""; + # loopback6 = "2a13:79c0:ffff:fefe::22f0"; - # static6 = [ - # "::/0 recursive 2a13:79c0:ffff:fefe::b00b" + # static6 = [ + # "::/0 recursive 2a13:79c0:ffff:fefe::b00b" - # # "2a13:79c0:ffff:feff:b00b:caca:b173:0/112 unreachable" # Direct on ens19 - # "2a13:79c0:fffe:100::/56 unreachable" + # # "2a13:79c0:ffff:feff:b00b:caca:b173:0/112 unreachable" # Direct on ens19 + # "2a13:79c0:fffe:100::/56 unreachable" - # #"2a13:79c0:ffff::/48 unreachable" # Networking stuff - # #"2a13:79c0:ffff:fefe::/64 unreachable" # LoopBacks - # #"2a13:79c0:ff00::/40 unreachable" # full range /40 - # ]; + # #"2a13:79c0:ffff::/48 unreachable" # Networking stuff + # #"2a13:79c0:ffff:fefe::/64 unreachable" # LoopBacks + # #"2a13:79c0:ff00::/40 unreachable" # full range /40 + # ]; }; } From 81a82341a372f6fb6fc3398778e9b08cee125dd0 Mon Sep 17 00:00:00 2001 From: ConsoleW11 Date: Sun, 30 Jun 2024 23:59:36 +0200 Subject: [PATCH 04/74] AutoDisko --- flake.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/flake.nix b/flake.nix index ca1633b..71669a6 100644 --- a/flake.nix +++ b/flake.nix @@ -253,7 +253,7 @@ let disableModules = [ ]; - customModules = [ "kitten/connect/loopback0" ]; + customModules = [ "kitten/connect/autodisko" "kitten/connect/loopback0" "kitten/connect/bird_peers" ]; localModules = [ "nixos/modules/services/ttys/kmscon" ]; masterModules = [ From 70f671ed96885add143eb112eb05013f644bc85c Mon Sep 17 00:00:00 2001 
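Review bot: The two nftables rules added in `extraForwardRules` accept all forwarded traffic between `$wireguardIFACEs` and `vlan36` for `2a13:79c0:ffff:feff:b00b:3615:1:0/112` in both directions with no protocol, port or `ct state` restriction, so every host reachable through any WireGuard interface can reach every host in that /112 on any service. `$wireguardIFACEs` is defined outside this file (presumably in the firewall module), so the rules silently depend on that variable being in scope where `extraForwardRules` is spliced in. If full reachability is the intent, say so next to the rules, e.g. `# vlan36 /112 is fully reachable from all WireGuard peers (stateless, both directions)`; otherwise narrow the inbound rule to the peers or ports that need it. The rest of `birdConfig` in this hunk is still commented out, so the router-id and loopback values it documents are not active.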
From: ConsoleW11 Date: Sun, 30 Jun 2024 23:59:56 +0200 Subject: [PATCH 05/74] Disko --- modules/kitten/connect/autodisko.nix | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 modules/kitten/connect/autodisko.nix diff --git a/modules/kitten/connect/autodisko.nix b/modules/kitten/connect/autodisko.nix new file mode 100644 index 0000000..db2b384 --- /dev/null +++ b/modules/kitten/connect/autodisko.nix @@ -0,0 +1,3 @@ +{ ... }: { + +} \ No newline at end of file From 1ca290241b72a9156b1d7fe51f7cc7323c2e1f6b Mon Sep 17 00:00:00 2001 From: ConsoleW11 Date: Mon, 1 Jul 2024 00:00:41 +0200 Subject: [PATCH 06/74] bird --- modules/kitten/connect/bird.nix | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/modules/kitten/connect/bird.nix b/modules/kitten/connect/bird.nix index c0dad91..02feec0 100644 --- a/modules/kitten/connect/bird.nix +++ b/modules/kitten/connect/bird.nix @@ -51,7 +51,8 @@ let null; in { - config = { + + config = lib.mkIf (false) { sops.templates."bird_secrets.conf" = { owner = "bird2"; @@ -159,7 +160,7 @@ in # import all; # Import to table, default is import all # export all; # Export to protocol. default is export none export filter { - if ( is_valid4_network() || source ~ [RTS_STATIC] + if ( is_valid4_network() || source ~ [RTS_STATIC] ${ let sep = "|| proto ="; @@ -188,8 +189,8 @@ in # ipv6 { export all; }; ipv6 { export filter { - - if ( is_valid6_network() || source ~ [RTS_STATIC] + + if ( is_valid6_network() || source ~ [RTS_STATIC] ${ let sep = "|| proto ="; @@ -208,7 +209,7 @@ in } else reject; }; }; - + merge paths on; } '' From 9d8ef58d3ac10152539f0de6775c92d290627ed0 Mon Sep 17 00:00:00 2001 From: ConsoleW11 Date: Mon, 1 Jul 2024 00:01:05 +0200 Subject: [PATCH 07/74] peers --- modules/kitten/connect/bird_peers.nix | 286 +++++++++++++++++--------- 1 file changed, 189 insertions(+), 97 deletions(-) 
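Review bot: `modules/kitten/connect/autodisko.nix` is added as an empty module `{ ... }: { }` with `\ No newline at end of file`, and nothing on the page says what it will configure even though the previous patch already registers it under `customModules`. A one-line header such as `# Placeholder: automatic disko disk-layout module, not yet implemented` would make the stub self-describing, and the trailing newline should be added. Given the name presumably refers to automatic disk partitioning, it would be worth giving the module an explicit enable option before any real logic lands, so that it cannot act on a host merely by being imported.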
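Review bot: `config = lib.mkIf (false) {` turns the whole bird module into dead configuration with a literal constant, and nothing in the hunk records why. If this is a temporary switch-off, bind it to a named value with a reason, e.g. `birdEnabled = false; # TODO: re-enable once bird_peers carries the full config` in the `let` block and `config = lib.mkIf birdEnabled {`, or gate it on an option. Note that this also disables `sops.templates."bird_secrets.conf".owner = "bird2"`, while the bird_peers module in the next patch still sets that template's `content`; if no other module sets the owner, the rendered secrets file falls back to sops-nix defaults and the bird2 service may not be able to read it (not verifiable from the page). The enclosing `let … in` starts above the hunk and the attrset continues past it.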
diff --git a/modules/kitten/connect/bird_peers.nix b/modules/kitten/connect/bird_peers.nix
index dc316bb..3c396dc 100644
--- a/modules/kitten/connect/bird_peers.nix
+++ b/modules/kitten/connect/bird_peers.nix
@@ -1,84 +1,173 @@ -{ - lib, - target, - config, - targetConfig, - birdConfig, - ... -}: +{ lib, target, config, targetConfig, ... }: let - inherit (lib) listToAttrs nameValuePair; + inherit (lib) listToAttrs nameValuePair mkIf mkOption mkEnableOption types; - peers = birdConfig.peers; + # Options + + birdPeerSubmodule = { name, config, ... }: { + options = { + enable = mkEnableOption "${name} peer."; + + peerName = mkOption { + type = types.str; + default = name; + description = "Override name of the BGP peer."; + }; + + peerIP = mkOption { + type = types.str; + description = "IP address of the BGP peer."; + }; + + peerAS = mkOption { + type = types.int; + default = 65666; + description = "Autonomous System number of the BGP peer."; + }; + + localIP = mkOption { + type = types.str; + default = ""; + description = "Local IP address."; + }; + + localAS = mkOption { + type = types.int; + default = 65666; + description = "Local Autonomous System number."; + }; + + multihop = mkOption { + type = types.int; + default = 0; + description = "Multihop TTL value."; + }; + + template = mkOption { + type = types.str; + default = ""; + description = "Template string."; + }; + + password = mkOption { + type = types.str; + default = ""; + description = "Password for BGP session."; + }; + + passwordRef = mkOption { + type = types.str; + default = ""; + description = "Reference to a password for BGP session."; + }; + + ipv4 = mkOption { + type = types.attrs; + default = { }; + description = "IPv4 configuration."; + }; + + ipv6 = mkOption { + type = types.attrs; + default = { }; + description = "IPv6 configuration."; + }; + + bgpMED = mkOption { + type = types.nullOr types.int; + default = null; + description = "BGP Multi Exit Discriminator."; + }; + + # wireguard = mkOption { + # type = types.attrs; + # default = { }; + # description = "Wireguard configuration."; + # }; + + interface = mkOption { + type = types.nullOr types.str; + + description = "Network interface."; + default = 
if config.wireguard != { } then + (if config.wireguard ? interface then + config.wireguard.interface + else + config.peerName) + else + null; + }; + }; + }; + + # Values + + peers = config.customModules.bird_peers; peersWithPasswordRef = lib.attrsets.filterAttrs (n: v: v ? passwordRef) peers; - passwords = lib.unique (lib.attrsets.mapAttrsToList (n: v: v.passwordRef) peersWithPasswordRef); -in -{ - - sops.secrets = lib.mkIf (passwords != [ ]) ( - listToAttrs ( - map (n: lib.nameValuePair "bird_secrets/${n}" { reloadUnits = [ "bird2.service" ]; }) passwords - ) - ); - - sops.templates."bird_secrets.conf".content = lib.mkIf (passwords != [ ]) ( - lib.mkMerge ( - map (password: '' - define secretPassword_${password} = "${config.sops.placeholder."bird_secrets/${password}"}"; - '') passwords - ) - ); - - services.bird2.config = - let + passwords = lib.unique + (lib.attrsets.mapAttrsToList (n: v: v.passwordRef) peersWithPasswordRef); +in { + + options.customModules.bird_peers = mkOption { + default = {}; + type = with types; + attrsOf (submodule + birdPeerSubmodule); # types.submodule (mkNamedOptionModule birdPeerSubmodule); + description = "Configuration for BGP peers."; + }; + + config = mkIf (peers != {}) { + + sops.secrets = lib.mkIf (passwords != [ ]) (listToAttrs (map (n: + lib.nameValuePair "bird_secrets/${n}" { + reloadUnits = [ "bird2.service" ]; + }) passwords)); + + sops.templates."bird_secrets.conf".content = lib.mkIf (passwords != [ ]) + (lib.mkMerge (map (password: '' + define secretPassword_${password} = "${ + config.sops.placeholder."bird_secrets/${password}" + }"; + '') passwords)); + + services.bird2.config = let mkPeersFuncArgs = (x: { peerName = x; } // peers.${x}); - toLines = - nindent: - let - indent = lib.concatMapStrings (_: " ") (lib.range 1 nindent); - in - builtins.concatStringsSep "\n${indent}"; + toLines = nindent: + let indent = lib.concatMapStrings (_: " ") (lib.range 1 nindent); + in builtins.concatStringsSep '' + + ${indent}''; withType 
= types: x: lib.toFunction types.${builtins.typeOf x} x; - peersFunc = - x@{ - peerName, - peerIP, - peerAS ? 65666, + peersFunc = x@{ peerName, peerIP, peerAS ? 65666, - localIP ? "", - localAS ? 65666, + localIP ? "", localAS ? 65666, - multihop ? 0, - template ? "", + multihop ? 0, template ? "", - password ? "", - passwordRef ? "", + password ? "", passwordRef ? "", - ipv4 ? { }, - ipv6 ? { }, + ipv4 ? { }, ipv6 ? { }, - bgpMED ? null, + bgpMED ? null, - wireguard ? { }, - interface ? - if (wireguard != { }) then - (if wireguard ? interface then wireguard.interface else peerName) - else - null, - ... - }: + wireguard ? { }, interface ? if (wireguard != { }) then + (if wireguard ? interface then wireguard.interface else peerName) + else + null, ... }: let inherit (lib) optionalString; inherit (builtins) concatStringsSep toJSON; - in - '' - ${optionalString (bgpMED != null) "define bgpMED_${toString peerName} = ${toString bgpMED};"} + in '' + + ${optionalString (bgpMED != null) + "define bgpMED_${toString peerName} = ${toString bgpMED};"} ${optionalString (template == "kittunderlay") '' + filter filter4_IN_BGP_${toString peerName} { if is_valid4_network() then { if defined( bgp_med ) then @@ -102,12 +191,14 @@ in } ''} - # ${optionalString (x ? debug && x.debug == true) (toJSON x)} + # ${optionalString (x ? debug && x.debug == true) (toJSON x)} # L: AS${toString localAS} | R: AS${toString peerAS} - protocol bgp ${toString peerName} ${optionalString (template != "") "from ${toString template}"} { - local ${ - optionalString (localIP != "") (toString localIP) - } as ${toString localAS}; # localIP: "${toString localIP}" + protocol bgp ${toString peerName} ${ + optionalString (template != "") "from ${toString template}" + } { + local ${optionalString (localIP != "") (toString localIP)} as ${ + toString localAS + }; # localIP: "${toString localIP}" neighbor ${toString peerIP} as ${toString peerAS}; ${optionalString (interface != null) ''interface "${interface}";''} ${ 
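Review bot: The `interface` option's default reads `config.wireguard`, but the `wireguard` option directly above it is commented out, so any peer that does not set `interface` explicitly fails evaluation with a missing-attribute error; either restore the `wireguard` option or use `default = null;`. The unchanged filter `peersWithPasswordRef = lib.attrsets.filterAttrs (n: v: v ? passwordRef) peers;` changes meaning under the new submodule, because every peer now carries `passwordRef` with default `""`, so `passwords` gains `""` and a bogus `sops.secrets."bird_secrets/"` entry plus a `define secretPassword_ = …` line are generated; it should test `v.passwordRef != ""`. `enable = mkEnableOption` is declared but never consulted: `peers = config.customModules.bird_peers;` feeds every declared peer into the config, including the `builtins.attrNames peers` iteration in the last hunk of this file, so either filter with `peers = lib.filterAttrs (n: v: v.enable) config.customModules.bird_peers;` or drop the option. Finally, `password` is a plain `types.str` whose value is embedded in the rendered `services.bird2.config`, which NixOS writes to the world-readable store, so its description should say so and point users at `passwordRef`.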
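Review bot: `# ${optionalString (x ? debug && x.debug == true) (toJSON x)}` can no longer fire now that peers come from a strict submodule, because `debug` is not a declared option and setting it would be rejected by the module system; the line is dead unless `debug` is declared elsewhere (not visible here). If it is kept, be aware that `toJSON x` dumps the whole peer attrset, including a cleartext `password`, into the generated bird config; declaring `debug = mkEnableOption "peer debug dump";` alongside the other options and excluding `password` from the dump, or simply removing the line, are the two clean choices. The enclosing `peersFunc` body starts in the previous hunk and continues past this one.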
@@ -115,71 +206,74 @@ in "direct;" else "multihop ${ - optionalString (multihop != -1) toString (if multihop < -1 then -1 * multihop else multihop) + optionalString (multihop != -1) toString + (if multihop < -1 then -1 * multihop else multihop) };" } # multihop: ${toString multihop} ${ - optionalString (password != "") - ''password "${ - assert lib.asserts.assertMsg ( - passwordRef == "" - ) "U defined a passwordRef, why do you still want to leak password ?"; - toString ( - lib.warn "bird2 peers password is insecure consider using passwordRef with a bird_secrets file" password - ) + optionalString (password != "") '' + password "${ + assert lib.asserts.assertMsg (passwordRef == "") + "U defined a passwordRef, why do you still want to leak password ?"; + toString (lib.warn + "bird2 peers password is insecure consider using passwordRef with a bird_secrets file" + password) }"; # Not-Secured cleartext access for @everyone'' } ${ - optionalString ( - passwordRef != "" - ) "password secretPassword_${toString passwordRef}; # Defined in secrets file" + optionalString (passwordRef != "") "password secretPassword_${ + toString passwordRef + }; # Defined in secrets file" } ${ optionalString (ipv6 != { }) '' + ipv6 { ${ - optionalString (ipv6 ? imports && ipv6.imports != "" && ipv6.imports != [ ]) ( - let + optionalString (ipv6 ? imports && ipv6.imports != "" + && ipv6.imports != [ ]) (let myType = withType { string = x: " import ${x};"; null = x: " import none;"; lambda = f: myType (f peerName); list = x: '' + # ${toJSON x} import filter { - if ( net ~ [ ${concatStringsSep ", " x} ] ) then { + if ( net ~ [ ${ + concatStringsSep ", " x + } ] ) then { accept; } reject; }; ''; }; - in - myType ipv6.imports - ) + in myType ipv6.imports) } ${ - optionalString (ipv6 ? exports && ipv6.exports != "" && ipv6.exports != [ ]) ( - let + optionalString (ipv6 ? 
exports && ipv6.exports != "" + && ipv6.exports != [ ]) (let myType = withType { string = x: " export ${x};"; null = x: " export none;"; lambda = f: myType (f peerName); list = x: '' + # ${toJSON x} export filter { - if ( net ~ [ ${concatStringsSep ", " x} ] ) then { + if ( net ~ [ ${ + concatStringsSep ", " x + } ] ) then { accept; } reject; }; ''; }; - in - myType ipv6.exports - ) + in myType ipv6.exports) } }; '' @@ -189,11 +283,9 @@ in '' ; - in - lib.mkOrder 50 ( - builtins.concatStringsSep "\n" ( - [ "# Nix-OS Generated for ${target}" ] - ++ (map (x: "# ${x}\n${peersFunc (mkPeersFuncArgs x)}") (builtins.attrNames peers)) - ) - ); + in lib.mkOrder 50 (builtins.concatStringsSep "\n" + ([ "# Nix-OS Generated for ${target}" ] ++ (map (x: '' + # ${x} + ${peersFunc (mkPeersFuncArgs x)}'') (builtins.attrNames peers)))); + }; } From db2cdb9428bab2daaefe0585b955ee94e263d064 Mon Sep 17 00:00:00 2001 
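Review bot: `optionalString (multihop != -1) toString (if multihop < -1 then -1 * multihop else multihop)` is parsed as `(optionalString (multihop != -1) toString) (…)`, so when `multihop` is `-1` the `""` returned by `optionalString` is applied as a function and evaluation aborts; the commit only re-wraps the line, while the fix is `optionalString (multihop != -1) (toString (if multihop < -1 then -1 * multihop else multihop))`. The cleartext `password` branch is also worth tightening: `lib.warn` only prints at evaluation time while the value is still embedded in the generated config, so consider failing instead of warning unless a deliberate opt-in exists. The `peersFunc` string starts in an earlier hunk and continues past this one.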
From: Antoine 'Toinux' Wam Date: Sat, 28 Dec 2024 18:06:21 +0100 Subject: [PATCH 08/74] Big Renames --- _home/configuration.nix | 13 --- _home/kube.nix | 6 -- _system/configuration.nix | 98 --------------------- _system/console.nix | 75 ---------------- _system/firewall.nix | 27 ------ _system/grub-boot.nix | 36 -------- _system/inputrc.nix | 24 ------ _system/laptop.nix | 175 -------------------------------------- _system/openvpn.nix | 116 ------------------------- _system/pkgs.nix | 9 -- _system/security.nix | 99 --------------------- _system/serial-com.nix | 26 ------ _system/systemd-boot.nix | 28 ------ _system/wireguard.nix | 6 -- 14 files changed, 738 deletions(-) delete mode 100644 _home/configuration.nix delete mode 100644 _home/kube.nix delete mode 100644 _system/configuration.nix delete mode 100644 _system/console.nix delete mode 100644 _system/firewall.nix delete mode 100644 _system/grub-boot.nix delete mode 100644 _system/inputrc.nix delete mode 100644 _system/laptop.nix delete mode 100644 _system/openvpn.nix delete mode 100644 _system/pkgs.nix delete mode 100644 _system/security.nix delete mode 100644 _system/serial-com.nix delete mode 100644 _system/systemd-boot.nix delete mode 100644 _system/wireguard.nix diff --git a/_home/configuration.nix b/_home/configuration.nix deleted file mode 100644 index 50957f6..0000000 --- a/_home/configuration.nix +++ /dev/null @@ -1,13 +0,0 @@ -{ - pkgs, - lib, - config, - osConfig, - ... -}: -let - kubeCfg = osConfig.services.k3s; -in -{ - imports = [ ] ++ lib.optional (kubeCfg.enable && kubeCfg.role == "server") ./kube.nix; -} diff --git a/_home/kube.nix b/_home/kube.nix deleted file mode 100644 index 18e4b31..0000000 --- a/_home/kube.nix +++ /dev/null @@ -1,6 +0,0 @@ -{ ... }: - -{ - home.kubenv.enable = true; - home.sessionVariables.KUBECONFIG = "/etc/rancher/k3s/k3s.yaml"; -} diff --git a/_system/configuration.nix b/_system/configuration.nix deleted file mode 100644 index 400530e..0000000 
--- a/_system/configuration.nix
+++ /dev/null
@@ -1,98 +0,0 @@ -# Edit this configuration file to define what should be installed on -# your system. Help is available in the configuration.nix(5) man page, on -# https://search.nixos.org/options and in the NixOS manual (`nixos-help`). - -{ - config, - targetConfig, - lib, - pkgs, - ... -}: - -{ - - imports = [ - ./pkgs.nix - ./inputrc.nix # ReadLine config - ./security.nix # PAM + SSH + Keys - ./firewall.nix - - ./openvpn.nix - ./wireguard.nix - - ./console.nix - ./serial-com.nix - ./systemd-boot.nix - ./grub-boot.nix - ]; - - # Set your time zone. - time.timeZone = "Europe/Paris"; - - # Configure network proxy if necessary - # networking.proxy.default = "http://user:password@proxy:port/"; - # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; - - # Select internationalisation properties. - i18n.defaultLocale = "en_US.UTF-8"; - - boot.supportedFilesystems = [ "nfs" ]; - services.rpcbind.enable = true; # NFS - Client - - nix = { - package = pkgs.nixFlakes; - settings = { - auto-optimise-store = true; - }; - gc = { - automatic = false; # TODO: Implement static N generations - dates = "daily"; - options = - let - default = 10; # TODO: Find a better way to do it - - generations = builtins.toString ( - if config.boot.loader.systemd-boot.enable then - config.boot.loader.systemd-boot.configurationLimit - else if config.boot.loader.grub.enable then - config.boot.loader.grub.configurationLimit - else if config.boot.loader.generic-extlinux-compatible.enable then - config.boot.loader.generic-extlinux-compatible.configurationLimit - else - default - ); - in - "--delete-older-than +${generations}"; # Not supported - }; - extraOptions = '' - experimental-features = nix-command flakes - ''; - }; - - programs.zsh.enable = true; # Install System-Wide -> Config is done with home-manager - - environment.shells = with pkgs; [ zsh ]; - environment.pathsToLink = [ "/share/zsh" ]; # ZSH Completion - - # tmpFS on /tmp - boot.tmp.useTmpfs = lib.mkDefault true; - - # 
Enable the OpenSSH daemon. - services.openssh.enable = true; - - environment.systemPackages = with pkgs; [ - # Additional packages - # nix-inspect - ]; - - # Versions Dump - environment.etc."current-system-packages".text = - let - getName = (p: if p ? name then "${p.name}" else "${p}"); - packages = builtins.map getName config.environment.systemPackages; - sortedUnique = builtins.sort builtins.lessThan (lib.unique packages); - formatted = builtins.concatStringsSep "\n" sortedUnique; - in - formatted; -} diff --git a/_system/console.nix b/_system/console.nix deleted file mode 100644 index 463d424..0000000 --- a/_system/console.nix +++ /dev/null 
@@ -1,75 +0,0 @@ -{ - pkgs, - lib, - config, - targetConfig, - ... -}: -let - nerdFonts = true; - - palette = [ - "000000" - "CC0000" - "4E9A06" - "C4A000" - "3465A4" - "75507B" - "06989A" - "D3D7CF" - "555753" - "EF2929" - "8AE234" - "FCE94F" - "739FCF" - "AD7FA8" - "34E2E2" - "EEEEEC" - ]; - - inherit (lib) mkDefault; -in -{ - services.gpm.enable = mkDefault true; - - # systemd.units."kmsconvt@.service".ExecStart = lib.mkIf (nerdFonts) ( - # let - # autologinArg = lib.optionalString ( - # config.services.kmscon.autologinUser != null - # ) "-a ${config.services.kmscon.autologinUser}"; - - # extraOptions = config.services.kmscon.extraOptions; - # in - # ''${pkgs.kmscon}/bin/kmscon "--vt=%I" ${extraOptions} --seats=seat0 --no-switchvt --configdir ${configDir} --login -- ${pkgs.util-linux}/bin/agetty -o '-p ${autologinArg} -- \\u' - xterm-256color'' - # ); - - # conf.options.services.openssh.settings.value.Macs - - services.kmscon = lib.mkIf (nerdFonts) { - enable = true; - hwRender = false; - - fonts = [ - { - name = "Hack Nerd Font Mono"; - package = with pkgs; (nerdfonts.override { fonts = [ "Hack" ]; }); - } - ]; - - extraConfig = '' - font-size=16 - ''; - }; - - # config.systemd.units."kmsconvt@.service".unit.text - - # conf.options.services.openssh.settings.value.Macs - - console = { - earlySetup = true; - - font = with pkgs; "${powerline-fonts}/share/consolefonts/ter-powerline-v16b.psf.gz"; - - colors = palette; - }; -} diff --git a/_system/firewall.nix b/_system/firewall.nix deleted file mode 100644 index a096e49..0000000 --- a/_system/firewall.nix +++ /dev/null 
@@ -1,27 +0,0 @@ -{ lib, ... }: -{ - # Open ports in the firewall. - # networking.firewall.allowedTCPPorts = [ ... ]; - # networking.firewall.allowedUDPPorts = [ ... ]; - # Or disable the firewall altogether. - # networking.firewall.enable = false; - - # TODO: Re-enable when tailscale is compatible - # -> Warning: XT target MASQUERADE not found - # networking.nftables.enable = true; # Cleaner approach, easier rules implementation - - networking.firewall = { - enable = lib.mkDefault false; # TODO: Enable IT - - allowedTCPPorts = [ - 22 - # 80 - # 443 - ]; - - # allowedUDPPortRanges = [ - # { from = 4000; to = 4007; } - # { from = 8000; to = 8010; } - # ]; - }; -} diff --git a/_system/grub-boot.nix b/_system/grub-boot.nix deleted file mode 100644 index a343b8f..0000000 --- a/_system/grub-boot.nix +++ /dev/null @@ -1,36 +0,0 @@ -{ - pkgs, - lib, - targetConfig, - ... -}: - -let - bootloader = if targetConfig ? bootloader then targetConfig.bootloader else ""; - grubBoot = (bootloader == "grub"); - serialPort = if targetConfig ? mainSerial then targetConfig.mainSerial else 0; -in -{ - config.boot.loader.grub = lib.mkIf (grubBoot) { - memtest86.enable = true; - - ipxe = { - netboot_xyz = '' - #!ipxe - dhcp - chain --autofree http://boot.netboot.xyz - ''; - }; - #extraEntries = '' - # # GRUB 2 with UEFI example, chainloading another distro - # menuentry "Memtest86+" { - # set root=($drive1)/ - # chainloader /efi/memtest86/memtest.efi - # } - #''; - - #extraFiles = { - # "efi/memtest86/memtest.efi" = "${pkgs.memtest86plus}/memtest.efi"; - #}; - }; -} diff --git a/_system/inputrc.nix b/_system/inputrc.nix deleted file mode 100644 index ea47ec4..0000000 --- a/_system/inputrc.nix +++ /dev/null 
@@ -1,24 +0,0 @@ -{ lib, ... }: - -{ - environment.etc."inputrc".target = lib.mkForce "inputrc.orig"; # Important to re-use nixpkgs orig file - environment.etc."inputrc.modified" = { - target = "inputrc"; # Relative to /etc - text = '' - $include /etc/inputrc.orig # Import the Orig File - # Additional stuff - set completion-ignore-case On - set completion-map-case On - set completion-prefix-display-length 3 - set mark-symlinked-directories On - set show-all-if-ambiguous On - set show-all-if-unmodified On - set visible-stats On - - $if mode=emacs - "\e\e[C": forward-word - "\e\e[D": backward-word - $endif - ''; - }; -} diff --git a/_system/laptop.nix b/_system/laptop.nix deleted file mode 100644 index cd83f14..0000000 --- a/_system/laptop.nix +++ /dev/null 
@@ -1,175 +0,0 @@ -# Edit this configuration file to define what should be installed on -# your system. Help is available in the configuration.nix(5) man page, on -# https://search.nixos.org/options and in the NixOS manual (`nixos-help`). - -{ - config, - targetConfig, - lib, - pkgs, - ... -}: - -{ - services.openssh.enable = lib.mkForce false; # Disable OpenSSH server on laptop - - boot.initrd.systemd.enable = true; # Cleaner plymouth integration but no YubiKey support - - boot.plymouth = lib.mkIf (config.specialisation != { }) { - enable = true; - theme = lib.mkIf (config.services.xserver.desktopManager.plasma5.enable) "breeze"; - }; - - boot.kernelParams = lib.mkIf (config.specialisation != { }) [ "quiet" ]; # Shut The Fuck Up on boot (plymouth will be interupted with boot logs if not set) - boot.consoleLogLevel = lib.mkDefault 0; - - specialisation.debug.configuration = { - boot.initrd.systemd.emergencyAccess = true; - - boot.consoleLogLevel = 7; - }; - systemd.services.NetworkManager-wait-online.enable = lib.mkIf (config.networking.networkmanager.enable) false; # Not a server, so we should be able to work offline + NM-WaitOnline is quite dumb - - networking = { - # FallBack to DHCPcd + WPASupplicant if NetworkManager is off ( eg: during installation ) - dhcpcd.enable = lib.mkIf (!config.networking.networkmanager.enable) true; - wireless.enable = lib.mkIf (!config.networking.networkmanager.enable) true; # Enables wireless support via wpa_supplicant. 
- }; - - # NonPackaged apps - services.flatpak.enable = true; - # Deezer - - environment.systemPackages = - with pkgs; - [ - vim # Usefull to fix a broken config from TTY - - # libinput-gestures - ] - ++ lib.optionals (config.virtualisation.libvirtd.enable) [ virt-manager ] - ++ [ - # Personal comfort Apps - parsec-bin # To play GTA at work - ]; - - # Password manager - programs._1password-gui.enable = true; - programs._1password.enable = true; - - # VirtManager + LibVirt - environment.sessionVariables.LIBVIRT_DEFAULT_URI = [ "qemu:///system" ]; - virtualisation.libvirtd = { - enable = true; - qemu.ovmf.enable = true; # UEFI - }; - - # Docker containers - virtualisation.docker = { - enable = true; - - autoPrune = { - enable = true; - }; - }; - - fonts.packages = with pkgs; [ - (nerdfonts.override { - fonts = [ - "DroidSansMono" - "FiraCode" - "Hack" - "IosevkaTerm" - "Terminus" - ]; - }) - ]; - - console.useXkbConfig = true; - i18n.extraLocaleSettings = { - LC_ADDRESS = "fr_FR.UTF-8"; - LC_IDENTIFICATION = "fr_FR.UTF-8"; - LC_MEASUREMENT = "fr_FR.UTF-8"; - LC_MONETARY = "fr_FR.UTF-8"; - LC_NAME = "fr_FR.UTF-8"; - LC_NUMERIC = "fr_FR.UTF-8"; - LC_PAPER = "fr_FR.UTF-8"; - LC_TELEPHONE = "fr_FR.UTF-8"; - LC_TIME = "fr_FR.UTF-8"; - }; - - programs.gnupg.agent.pinentryPackage = lib.mkForce pkgs.pinentry-qt; # cuz there's a conflict between xserver / desktop-manager - - # X - VideoServer - Not the porn website - services.xserver = { - enable = true; - - displayManager.sddm.enable = lib.mkIf (config.services.xserver.desktopManager.plasma5.enable) true; # Default DM for KDE/Plasma - - desktopManager.plasma5 = { - enable = true; # I miss windows look n feel - }; - - libinput = { - enable = true; # for touchpad support on many laptops - # touchpad.disableWhileTyping = true; # Plasma setting works better - }; - - videoDrivers = lib.mkOverride 40 [ - "cirrus" - "vesa" - "modesetting" - ]; - - xkb = { - layout = "us"; - variant = ""; - }; - }; - # Enable sound with pipewire. 
- sound.enable = true; - hardware.pulseaudio.enable = false; - security.rtkit.enable = true; - services.pipewire = { - enable = true; - alsa.enable = true; - alsa.support32Bit = true; - pulse.enable = true; - # If you want to use JACK applications, uncomment this - #jack.enable = true; - - # use the example session manager (no others are packaged yet so this is enabled by default, - # no need to redefine it in your config for now) - #media-session.enable = true; - }; - services.printing.enable = true; - - # BlueTooth - hardware.bluetooth = { - enable = true; - settings = { - General = { - ControllerMode = "dual"; # HessPods support - }; - }; - }; - - security.polkit.enable = true; # Else xRDP is black if user is logged-on locally - services.xrdp = { - enable = false; - defaultWindowManager = "startplasma-x11"; # xRDP works better with x11 - openFirewall = true; - }; - - services.autorandr = { - enable = false; - - hooks.postswitch = { - "notify" = '' - ( sleep 5; notify-send -i display "Display profile" "$AUTORANDR_CURRENT_PROFILE"; ) & - ''; - }; - - profiles = { }; - }; -} diff --git a/_system/openvpn.nix b/_system/openvpn.nix deleted file mode 100644 index d1ce407..0000000 --- a/_system/openvpn.nix +++ /dev/null 
@@ -1,116 +0,0 @@ -# Edit this configuration file to define what should be installed on -# your system. Help is available in the configuration.nix(5) man page, on -# https://search.nixos.org/options and in the NixOS manual (`nixos-help`). - -{ - config, - targetConfig, - lib, - pkgs, - ... -}: - -let - cfg = config.services.ovpn; - - forEachCFG = ( - name: val: - builtins.listToAttrs ( - map (conf: { - name = if name == "" then conf else lib.trivial.toFunction name conf; - - value = lib.trivial.toFunction val conf; - }) cfg.configs - ) - ); - - openscPKCS11 = "${pkgs.opensc}/lib/opensc-pkcs11.so"; - showPKCS11 = "${pkgs.openvpn_show_pkcs11_ids}/bin/openvpn_show_pkcs11_ids.sh"; -in -{ - options.services.ovpn = { - configs = lib.mkOption { - type = lib.types.listOf lib.types.str; - default = [ ]; - example = [ "s3nsible" ]; - description = '' - List of OpenVPN configurations to generate. - ''; - }; - - ensureDevice = lib.mkEnableOption "YubiKey Forced Detection"; - - basePath = lib.mkOption { - type = lib.types.str; - default = "/root/openvpn"; - example = "/etc/openvpn/configs"; - description = '' - Folder where configurations can be found on disk. - ''; - }; - - autostart = lib.mkOption { - type = lib.types.listOf lib.types.str; - default = [ ]; - example = [ "s3nsible" ]; - description = '' - List of OpenVPN configurations to start on boot. 
- ''; - }; - }; - - config = lib.mkIf (cfg.configs != [ ]) { - nixpkgs.overlays = [ - (final: prev: { - # OpenVPN w/ OpenSC pkcs11 support - openvpn = ( - prev.openvpn.override { - pkcs11Support = true; - pkcs11helper = prev.pkcs11helper; - } - ); - - openvpn_show_pkcs11_ids = ( - pkgs.writeShellScriptBin "openvpn_show_pkcs11_ids.sh" '' - ${pkgs.openvpn}/bin/openvpn --show-pkcs11-ids ${openscPKCS11} - '' - ); - - openvpn_systemd_launcher = ( - pkgs.writeShellScriptBin "openvpn_systemd.sh" (builtins.readFile ../scripts/openvpn_systemd.sh) - ); - }) - ]; - - environment.systemPackages = with pkgs; [ - opensc - - openvpn_show_pkcs11_ids - openvpn_systemd_launcher - ]; - - systemd.services = ( - forEachCFG (name: "openvpn-${name}") { - serviceConfig = { - ExecStartPre = lib.mkIf (cfg.ensureDevice) "${pkgs.bash}/bin/bash -c '${showPKCS11}; [[ \$(${showPKCS11} | grep DN: | wc -l) -gt 0 ]] || { echo Missing YubiKey or Certificates not found; exit 1; }'"; # Ensure yubikey is detected - TimeoutStartSec = 90; - }; - } - ); - - services.openvpn.servers = forEachCFG "" (conf: { - autoStart = builtins.elem conf cfg.autostart; - - config = - let - iface = builtins.substring 0 15 conf; - in - '' - pkcs11-providers ${openscPKCS11} - - config ${cfg.basePath}/${conf}.ovpn - dev ${iface} - ''; - }); - }; -} diff --git a/_system/pkgs.nix b/_system/pkgs.nix deleted file mode 100644 index 867f624..0000000 --- a/_system/pkgs.nix +++ /dev/null @@ -1,9 +0,0 @@ -{ lib, pkgs, ... }: - -{ - environment.systemPackages = with pkgs; [ - krewfile - zsh - nixfmt-rfc-style - ]; -} diff --git a/_system/security.nix b/_system/security.nix deleted file mode 100644 index e4ca381..0000000 --- a/_system/security.nix +++ /dev/null 
@@ -1,99 +0,0 @@ -{ - lib, - pkgs, - config, - ... -}: - -let - noPasswdCommands = [ - "/run/current-system/sw/bin/reboot" - "/run/current-system/sw/bin/poweroff" - - "/run/current-system/sw/bin/systemctl suspend" - - "/run/current-system/sw/bin/systemd-tty-ask-password-agent --query" - - "/run/current-system/sw/bin/nix profile wipe-history --profile /nix/var/nix/profiles/system" - "/run/current-system/sw/bin/nixos-rebuild *" - ]; - - noPasswdServices = [ "openvpn-*" ]; -in -{ - users.users.root = { - initialPassword = lib.mkDefault "toor"; - - openssh.authorizedKeys.keys = lib.mkDefault [ - # change this to your ssh key - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPxJpIrlaMMuw+zqOlZa35ehViBytyROvdf73poXTlVz" - ]; - }; - - services.openssh.settings = { - PasswordAuthentication = false; - KbdInteractiveAuthentication = false; - }; - - security = { - sudo = { - enable = true; - extraRules = - [ - { - commands = map (cmd: { - command = cmd; - options = [ "NOPASSWD" ]; - }) (noPasswdCommands); - - groups = [ "wheel" ]; - } - ] - ++ map (svc: { - commands = - map - (cmd: { - command = cmd; - options = [ "NOPASSWD" ]; - }) - - [ - "/run/current-system/sw/bin/systemctl start ${svc}" - "/run/current-system/sw/bin/systemctl restart ${svc}" - "/run/current-system/sw/bin/systemctl stop ${svc}" - ]; - - groups = [ "wheel" ]; - }) noPasswdServices; - - # ++ lib.flatten ( - # map (svc: [ - # "/run/current-system/sw/bin/systemctl start ${svc}" - # "/run/current-system/sw/bin/systemctl restart ${svc}" - # "/run/current-system/sw/bin/systemctl stop ${svc}" - # ]) noPasswdServices - # ) - # extraConfig = with pkgs; '' - # Defaults:picloud secure_path="${lib.makeBinPath [ - # systemd - # ]}:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin" - # ''; - }; - - # pam.services.sudo = { - # rules.auth.rssh = { - # order = config.rules.auth.unix.order - 10; - # control = "sufficient"; - # modulePath = "${pkgs.pam_rssh}/lib/libpam_rssh.so"; - # #settings = { - # # 
authorized_keys_command = "/etc/ssh/authorized_keys_command"; - # # authorized_keys_command_user = "nobody"; - # #}; - # }; - # }; - - sudo.extraConfig = '' - Defaults env_keep+=SSH_AUTH_SOCK - ''; - }; -} diff --git a/_system/serial-com.nix b/_system/serial-com.nix deleted file mode 100644 index 894490d..0000000 --- a/_system/serial-com.nix +++ /dev/null @@ -1,26 +0,0 @@ -{ - pkgs, - lib, - targetConfig, - ... -}: - -let - bootloader = if targetConfig ? bootloader then targetConfig.bootloader else ""; - grubBoot = (bootloader == "grub"); - serialPort = if targetConfig ? mainSerial then targetConfig.mainSerial else 0; -in -{ - config.boot.kernelParams = [ - "console=tty1" - "console=ttyS${toString serialPort},115200" - ] ++ lib.optionals (serialPort != 0) [ "console=ttyS0,115200" ]; - - config.boot.loader.grub = lib.mkIf (grubBoot) { - extraConfig = '' - serial --unit=${toString serialPort} --speed=115200 --word=8 --parity=no --stop=1 - terminal_input --append serial - terminal_output --append serial - ''; - }; -} diff --git a/_system/systemd-boot.nix b/_system/systemd-boot.nix deleted file mode 100644 index 4fcdd67..0000000 --- a/_system/systemd-boot.nix +++ /dev/null @@ -1,28 +0,0 @@ -{ - pkgs, - lib, - targetConfig, - ... -}: - -let - bootloader = if targetConfig ? bootloader then targetConfig.bootloader else ""; - systemdBoot = (bootloader == "systemd-boot"); -in -{ - config.boot.loader.systemd-boot = lib.mkIf (systemdBoot) { - netbootxyz.enable = true; - memtest86.enable = true; - - #extraEntries = { - # "memtest86.conf" = '' - # title Memtest86+ - # efi /efi/memtest86/memtest.efi - # ''; - #}; - - #extraFiles = { - # "efi/memtest86/memtest.efi" = "${pkgs.memtest86plus}/memtest.efi"; - #}; - }; -} diff --git a/_system/wireguard.nix b/_system/wireguard.nix deleted file mode 100644 index ae862f7..0000000 --- a/_system/wireguard.nix +++ /dev/null 
@@ -1,6 +0,0 @@ -{ config, pkgs, ... }: - -{ - # boot.extraModulePackages = [ config.boot.kernelPackages.wireguard ]; - environment.systemPackages = with pkgs; [ wireguard-tools ]; -} From 34e7300d7a7073392446caedb344807972677e02 Mon Sep 17 00:00:00 2001 From: Antoine 'Toinux' Wam Date: Sat, 28 Dec 2024 18:06:44 +0100 Subject: [PATCH 09/74] Big Renames --- home/configuration.nix | 13 +++ home/kube.nix | 6 ++ system/configuration.nix | 98 ++++++++++++++++++++++ system/console.nix | 75 +++++++++++++++++ system/firewall.nix | 27 ++++++ system/grub-boot.nix | 36 ++++++++ system/inputrc.nix | 24 ++++++ system/laptop.nix | 175 +++++++++++++++++++++++++++++++++++++++ system/openvpn.nix | 116 ++++++++++++++++++++++++++ system/pkgs.nix | 9 ++ system/security.nix | 99 ++++++++++++++++++++++ system/serial-com.nix | 26 ++++++ system/systemd-boot.nix | 28 +++++++ system/wireguard.nix | 6 ++ 14 files changed, 738 insertions(+) create mode 100644 home/configuration.nix create mode 100644 home/kube.nix create mode 100644 system/configuration.nix create mode 100644 system/console.nix create mode 100644 system/firewall.nix create mode 100644 system/grub-boot.nix create mode 100644 system/inputrc.nix create mode 100644 system/laptop.nix create mode 100644 system/openvpn.nix create mode 100644 system/pkgs.nix create mode 100644 system/security.nix create mode 100644 system/serial-com.nix create mode 100644 system/systemd-boot.nix create mode 100644 system/wireguard.nix diff --git a/home/configuration.nix b/home/configuration.nix new file mode 100644 index 0000000..50957f6 --- /dev/null +++ b/home/configuration.nix @@ -0,0 +1,13 @@ +{ + pkgs, + lib, + config, + osConfig, + ... +}: +let + kubeCfg = osConfig.services.k3s; +in +{ + imports = [ ] ++ lib.optional (kubeCfg.enable && kubeCfg.role == "server") ./kube.nix; +} diff --git a/home/kube.nix b/home/kube.nix new file mode 100644 index 0000000..18e4b31 --- /dev/null +++ b/home/kube.nix 
@@ -0,0 +1,6 @@
+{ ... }:
+
+{
+ home.kubenv.enable = true;
+ home.sessionVariables.KUBECONFIG = "/etc/rancher/k3s/k3s.yaml";
+}
diff --git a/system/configuration.nix b/system/configuration.nix
new file mode 100644
index 0000000..400530e
--- /dev/null
+++ b/system/configuration.nix
@@ -0,0 +1,98 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page, on +# https://search.nixos.org/options and in the NixOS manual (`nixos-help`). + +{ + config, + targetConfig, + lib, + pkgs, + ... +}: + +{ + + imports = [ + ./pkgs.nix + ./inputrc.nix # ReadLine config + ./security.nix # PAM + SSH + Keys + ./firewall.nix + + ./openvpn.nix + ./wireguard.nix + + ./console.nix + ./serial-com.nix + ./systemd-boot.nix + ./grub-boot.nix + ]; + + # Set your time zone. + time.timeZone = "Europe/Paris"; + + # Configure network proxy if necessary + # networking.proxy.default = "http://user:password@proxy:port/"; + # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; + + # Select internationalisation properties. + i18n.defaultLocale = "en_US.UTF-8"; + + boot.supportedFilesystems = [ "nfs" ]; + services.rpcbind.enable = true; # NFS - Client + + nix = { + package = pkgs.nixFlakes; + settings = { + auto-optimise-store = true; + }; + gc = { + automatic = false; # TODO: Implement static N generations + dates = "daily"; + options = + let + default = 10; # TODO: Find a better way to do it + + generations = builtins.toString ( + if config.boot.loader.systemd-boot.enable then + config.boot.loader.systemd-boot.configurationLimit + else if config.boot.loader.grub.enable then + config.boot.loader.grub.configurationLimit + else if config.boot.loader.generic-extlinux-compatible.enable then + config.boot.loader.generic-extlinux-compatible.configurationLimit + else + default + ); + in + "--delete-older-than +${generations}"; # Not supported + }; + extraOptions = '' + experimental-features = nix-command flakes + ''; + }; + + programs.zsh.enable = true; # Install System-Wide -> Config is done with home-manager + + environment.shells = with pkgs; [ zsh ]; + environment.pathsToLink = [ "/share/zsh" ]; # ZSH Completion + + # tmpFS on /tmp + boot.tmp.useTmpfs = lib.mkDefault true; + + # 
Enable the OpenSSH daemon. + services.openssh.enable = true; + + environment.systemPackages = with pkgs; [ + # Additional packages + # nix-inspect + ]; + + # Versions Dump + environment.etc."current-system-packages".text = + let + getName = (p: if p ? name then "${p.name}" else "${p}"); + packages = builtins.map getName config.environment.systemPackages; + sortedUnique = builtins.sort builtins.lessThan (lib.unique packages); + formatted = builtins.concatStringsSep "\n" sortedUnique; + in + formatted; +} diff --git a/system/console.nix b/system/console.nix new file mode 100644 index 0000000..463d424 --- /dev/null +++ b/system/console.nix 
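Review bot: `nix.gc.options = "--delete-older-than +${generations}"` passes `nix-env --delete-generations` syntax to `nix-collect-garbage`, which expects a period such as `30d`; the `# Not supported` comment acknowledges it, and the value is only harmless because `gc.automatic = false`. If the timer is ever enabled the unit will fail on every run, so either drop the computed value or use `options = "--delete-older-than 30d";` and handle "keep N generations" in a separate `nix-env --delete-generations +N` step. `nix.package = pkgs.nixFlakes` also relies on an alias that, as far as I know, recent nixpkgs marks deprecated in favour of `nixVersions.stable` — worth confirming against the pinned nixpkgs.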
@@ -0,0 +1,75 @@ +{ + pkgs, + lib, + config, + targetConfig, + ... +}: +let + nerdFonts = true; + + palette = [ + "000000" + "CC0000" + "4E9A06" + "C4A000" + "3465A4" + "75507B" + "06989A" + "D3D7CF" + "555753" + "EF2929" + "8AE234" + "FCE94F" + "739FCF" + "AD7FA8" + "34E2E2" + "EEEEEC" + ]; + + inherit (lib) mkDefault; +in +{ + services.gpm.enable = mkDefault true; + + # systemd.units."kmsconvt@.service".ExecStart = lib.mkIf (nerdFonts) ( + # let + # autologinArg = lib.optionalString ( + # config.services.kmscon.autologinUser != null + # ) "-a ${config.services.kmscon.autologinUser}"; + + # extraOptions = config.services.kmscon.extraOptions; + # in + # ''${pkgs.kmscon}/bin/kmscon "--vt=%I" ${extraOptions} --seats=seat0 --no-switchvt --configdir ${configDir} --login -- ${pkgs.util-linux}/bin/agetty -o '-p ${autologinArg} -- \\u' - xterm-256color'' + # ); + + # conf.options.services.openssh.settings.value.Macs + + services.kmscon = lib.mkIf (nerdFonts) { + enable = true; + hwRender = false; + + fonts = [ + { + name = "Hack Nerd Font Mono"; + package = with pkgs; (nerdfonts.override { fonts = [ "Hack" ]; }); + } + ]; + + extraConfig = '' + font-size=16 + ''; + }; + + # config.systemd.units."kmsconvt@.service".unit.text + + # conf.options.services.openssh.settings.value.Macs + + console = { + earlySetup = true; + + font = with pkgs; "${powerline-fonts}/share/consolefonts/ter-powerline-v16b.psf.gz"; + + colors = palette; + }; +} diff --git a/system/firewall.nix b/system/firewall.nix new file mode 100644 index 0000000..a096e49 --- /dev/null +++ b/system/firewall.nix 
@@ -0,0 +1,27 @@
+{ lib, ... }:
+{
+ # Open ports in the firewall.
+ # networking.firewall.allowedTCPPorts = [ ... ];
+ # networking.firewall.allowedUDPPorts = [ ... ];
+ # Or disable the firewall altogether.
+ # networking.firewall.enable = false;
+
+ # TODO: Re-enable when tailscale is compatible
+ # -> Warning: XT target MASQUERADE not found
+ # networking.nftables.enable = true; # Cleaner approach, easier rules implementation
+
+ networking.firewall = {
+ enable = lib.mkDefault false; # TODO: Enable IT
+
+ allowedTCPPorts = [
+ 22
+ # 80
+ # 443
+ ];
+
+ # allowedUDPPortRanges = [
+ # { from = 4000; to = 4007; }
+ # { from = 8000; to = 8010; }
+ # ];
+ };
+}
diff --git a/system/grub-boot.nix b/system/grub-boot.nix
new file mode 100644
index 0000000..a343b8f
--- /dev/null
+++ b/system/grub-boot.nix
@@ -0,0 +1,36 @@
+{
+ pkgs,
+ lib,
+ targetConfig,
+ ...
+}:
+
+let
+ bootloader = if targetConfig ? bootloader then targetConfig.bootloader else "";
+ grubBoot = (bootloader == "grub");
+ serialPort = if targetConfig ? mainSerial then targetConfig.mainSerial else 0;
+in
+{
+ config.boot.loader.grub = lib.mkIf (grubBoot) {
+ memtest86.enable = true;
+
+ ipxe = {
+ netboot_xyz = ''
+ #!ipxe
+ dhcp
+ chain --autofree http://boot.netboot.xyz
+ '';
+ };
+ #extraEntries = ''
+ # # GRUB 2 with UEFI example, chainloading another distro
+ # menuentry "Memtest86+" {
+ # set root=($drive1)/
+ # chainloader /efi/memtest86/memtest.efi
+ # }
+ #'';
+
+ #extraFiles = {
+ # "efi/memtest86/memtest.efi" = "${pkgs.memtest86plus}/memtest.efi";
+ #};
+ };
+}
diff --git a/system/inputrc.nix b/system/inputrc.nix
new file mode 100644
index 0000000..ea47ec4
--- /dev/null
+++ b/system/inputrc.nix
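Review bot: `networking.firewall.enable = lib.mkDefault false` switches the host firewall off for every host that imports this base module unless the host overrides it, which makes the `allowedTCPPorts = [ 22 ]` list right below inert; the `# TODO: Enable IT` comment shows this is known, but a default-open base module is the risk. Since port 22 is already whitelisted and other modules in this series rely on `openFirewall`-style options that assume an active firewall, the safer default is `enable = lib.mkDefault true;` with hosts that genuinely need it off opting out explicitly. If the tailscale/MASQUERADE warning is what forced this, it concerns `networking.nftables.enable`, not the iptables-backed firewall that `networking.firewall.enable` uses by default.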
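Review bot: The `netboot_xyz` iPXE script chain-loads `http://boot.netboot.xyz` over cleartext HTTP with no image verification, so whatever the network returns at boot becomes the running kernel; useful for recovery, but a boot-integrity gap on any host that carries this menu entry. At minimum change the fetch to `chain --autofree https://boot.netboot.xyz` (assuming the pinned `pkgs.ipxe` is built with HTTPS support, which I'd confirm) and add a comment such as `# recovery-only entry: image is fetched from the network and not verified`. The same consideration applies to `netbootxyz.enable = true` in the systemd-boot.nix hunk later in this patch.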
@@ -0,0 +1,24 @@ +{ lib, ... }: + +{ + environment.etc."inputrc".target = lib.mkForce "inputrc.orig"; # Important to re-use nixpkgs orig file + environment.etc."inputrc.modified" = { + target = "inputrc"; # Relative to /etc + text = '' + $include /etc/inputrc.orig # Import the Orig File + # Additional stuff + set completion-ignore-case On + set completion-map-case On + set completion-prefix-display-length 3 + set mark-symlinked-directories On + set show-all-if-ambiguous On + set show-all-if-unmodified On + set visible-stats On + + $if mode=emacs + "\e\e[C": forward-word + "\e\e[D": backward-word + $endif + ''; + }; +} diff --git a/system/laptop.nix b/system/laptop.nix new file mode 100644 index 0000000..cd83f14 --- /dev/null +++ b/system/laptop.nix 
@@ -0,0 +1,175 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page, on +# https://search.nixos.org/options and in the NixOS manual (`nixos-help`). + +{ + config, + targetConfig, + lib, + pkgs, + ... +}: + +{ + services.openssh.enable = lib.mkForce false; # Disable OpenSSH server on laptop + + boot.initrd.systemd.enable = true; # Cleaner plymouth integration but no YubiKey support + + boot.plymouth = lib.mkIf (config.specialisation != { }) { + enable = true; + theme = lib.mkIf (config.services.xserver.desktopManager.plasma5.enable) "breeze"; + }; + + boot.kernelParams = lib.mkIf (config.specialisation != { }) [ "quiet" ]; # Shut The Fuck Up on boot (plymouth will be interupted with boot logs if not set) + boot.consoleLogLevel = lib.mkDefault 0; + + specialisation.debug.configuration = { + boot.initrd.systemd.emergencyAccess = true; + + boot.consoleLogLevel = 7; + }; + systemd.services.NetworkManager-wait-online.enable = lib.mkIf (config.networking.networkmanager.enable) false; # Not a server, so we should be able to work offline + NM-WaitOnline is quite dumb + + networking = { + # FallBack to DHCPcd + WPASupplicant if NetworkManager is off ( eg: during installation ) + dhcpcd.enable = lib.mkIf (!config.networking.networkmanager.enable) true; + wireless.enable = lib.mkIf (!config.networking.networkmanager.enable) true; # Enables wireless support via wpa_supplicant. 
+ }; + + # NonPackaged apps + services.flatpak.enable = true; + # Deezer + + environment.systemPackages = + with pkgs; + [ + vim # Usefull to fix a broken config from TTY + + # libinput-gestures + ] + ++ lib.optionals (config.virtualisation.libvirtd.enable) [ virt-manager ] + ++ [ + # Personal comfort Apps + parsec-bin # To play GTA at work + ]; + + # Password manager + programs._1password-gui.enable = true; + programs._1password.enable = true; + + # VirtManager + LibVirt + environment.sessionVariables.LIBVIRT_DEFAULT_URI = [ "qemu:///system" ]; + virtualisation.libvirtd = { + enable = true; + qemu.ovmf.enable = true; # UEFI + }; + + # Docker containers + virtualisation.docker = { + enable = true; + + autoPrune = { + enable = true; + }; + }; + + fonts.packages = with pkgs; [ + (nerdfonts.override { + fonts = [ + "DroidSansMono" + "FiraCode" + "Hack" + "IosevkaTerm" + "Terminus" + ]; + }) + ]; + + console.useXkbConfig = true; + i18n.extraLocaleSettings = { + LC_ADDRESS = "fr_FR.UTF-8"; + LC_IDENTIFICATION = "fr_FR.UTF-8"; + LC_MEASUREMENT = "fr_FR.UTF-8"; + LC_MONETARY = "fr_FR.UTF-8"; + LC_NAME = "fr_FR.UTF-8"; + LC_NUMERIC = "fr_FR.UTF-8"; + LC_PAPER = "fr_FR.UTF-8"; + LC_TELEPHONE = "fr_FR.UTF-8"; + LC_TIME = "fr_FR.UTF-8"; + }; + + programs.gnupg.agent.pinentryPackage = lib.mkForce pkgs.pinentry-qt; # cuz there's a conflict between xserver / desktop-manager + + # X - VideoServer - Not the porn website + services.xserver = { + enable = true; + + displayManager.sddm.enable = lib.mkIf (config.services.xserver.desktopManager.plasma5.enable) true; # Default DM for KDE/Plasma + + desktopManager.plasma5 = { + enable = true; # I miss windows look n feel + }; + + libinput = { + enable = true; # for touchpad support on many laptops + # touchpad.disableWhileTyping = true; # Plasma setting works better + }; + + videoDrivers = lib.mkOverride 40 [ + "cirrus" + "vesa" + "modesetting" + ]; + + xkb = { + layout = "us"; + variant = ""; + }; + }; + # Enable sound with pipewire. 
+ sound.enable = true; + hardware.pulseaudio.enable = false; + security.rtkit.enable = true; + services.pipewire = { + enable = true; + alsa.enable = true; + alsa.support32Bit = true; + pulse.enable = true; + # If you want to use JACK applications, uncomment this + #jack.enable = true; + + # use the example session manager (no others are packaged yet so this is enabled by default, + # no need to redefine it in your config for now) + #media-session.enable = true; + }; + services.printing.enable = true; + + # BlueTooth + hardware.bluetooth = { + enable = true; + settings = { + General = { + ControllerMode = "dual"; # HessPods support + }; + }; + }; + + security.polkit.enable = true; # Else xRDP is black if user is logged-on locally + services.xrdp = { + enable = false; + defaultWindowManager = "startplasma-x11"; # xRDP works better with x11 + openFirewall = true; + }; + + services.autorandr = { + enable = false; + + hooks.postswitch = { + "notify" = '' + ( sleep 5; notify-send -i display "Display profile" "$AUTORANDR_CURRENT_PROFILE"; ) & + ''; + }; + + profiles = { }; + }; +} diff --git a/system/openvpn.nix b/system/openvpn.nix new file mode 100644 index 0000000..d1ce407 --- /dev/null +++ b/system/openvpn.nix 
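Review bot: `specialisation.debug.configuration` sets `boot.initrd.systemd.emergencyAccess = true`, which opens the initrd emergency shell as root without any authentication, and since specialisations appear in the boot menu anyone at the console can select `debug` and reach that shell even when normal logins are locked down. The option also accepts a password hash, so `boot.initrd.systemd.emergencyAccess = "<HASHED-PASSWORD-PLACEHOLDER>";` keeps the debug path usable while still requiring a credential. Separately, `services.xrdp.openFirewall = true` is paired with `enable = false`, so it does nothing today but will silently open the RDP port the day xrdp is switched on; a comment or dropping it until then would avoid that surprise. The file's surrounding `services.xserver` block sets `displayManager.sddm.enable` via `lib.mkIf`, which is fine, but note the whole laptop module runs with `services.openssh.enable = lib.mkForce false` so remote recovery depends entirely on the console paths above.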
@@ -0,0 +1,116 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page, on +# https://search.nixos.org/options and in the NixOS manual (`nixos-help`). + +{ + config, + targetConfig, + lib, + pkgs, + ... +}: + +let + cfg = config.services.ovpn; + + forEachCFG = ( + name: val: + builtins.listToAttrs ( + map (conf: { + name = if name == "" then conf else lib.trivial.toFunction name conf; + + value = lib.trivial.toFunction val conf; + }) cfg.configs + ) + ); + + openscPKCS11 = "${pkgs.opensc}/lib/opensc-pkcs11.so"; + showPKCS11 = "${pkgs.openvpn_show_pkcs11_ids}/bin/openvpn_show_pkcs11_ids.sh"; +in +{ + options.services.ovpn = { + configs = lib.mkOption { + type = lib.types.listOf lib.types.str; + default = [ ]; + example = [ "s3nsible" ]; + description = '' + List of OpenVPN configurations to generate. + ''; + }; + + ensureDevice = lib.mkEnableOption "YubiKey Forced Detection"; + + basePath = lib.mkOption { + type = lib.types.str; + default = "/root/openvpn"; + example = "/etc/openvpn/configs"; + description = '' + Folder where configurations can be found on disk. + ''; + }; + + autostart = lib.mkOption { + type = lib.types.listOf lib.types.str; + default = [ ]; + example = [ "s3nsible" ]; + description = '' + List of OpenVPN configurations to start on boot. 
+ ''; + }; + }; + + config = lib.mkIf (cfg.configs != [ ]) { + nixpkgs.overlays = [ + (final: prev: { + # OpenVPN w/ OpenSC pkcs11 support + openvpn = ( + prev.openvpn.override { + pkcs11Support = true; + pkcs11helper = prev.pkcs11helper; + } + ); + + openvpn_show_pkcs11_ids = ( + pkgs.writeShellScriptBin "openvpn_show_pkcs11_ids.sh" '' + ${pkgs.openvpn}/bin/openvpn --show-pkcs11-ids ${openscPKCS11} + '' + ); + + openvpn_systemd_launcher = ( + pkgs.writeShellScriptBin "openvpn_systemd.sh" (builtins.readFile ../scripts/openvpn_systemd.sh) + ); + }) + ]; + + environment.systemPackages = with pkgs; [ + opensc + + openvpn_show_pkcs11_ids + openvpn_systemd_launcher + ]; + + systemd.services = ( + forEachCFG (name: "openvpn-${name}") { + serviceConfig = { + ExecStartPre = lib.mkIf (cfg.ensureDevice) "${pkgs.bash}/bin/bash -c '${showPKCS11}; [[ \$(${showPKCS11} | grep DN: | wc -l) -gt 0 ]] || { echo Missing YubiKey or Certificates not found; exit 1; }'"; # Ensure yubikey is detected + TimeoutStartSec = 90; + }; + } + ); + + services.openvpn.servers = forEachCFG "" (conf: { + autoStart = builtins.elem conf cfg.autostart; + + config = + let + iface = builtins.substring 0 15 conf; + in + '' + pkcs11-providers ${openscPKCS11} + + config ${cfg.basePath}/${conf}.ovpn + dev ${iface} + ''; + }); + }; +} diff --git a/system/pkgs.nix b/system/pkgs.nix new file mode 100644 index 0000000..867f624 --- /dev/null +++ b/system/pkgs.nix @@ -0,0 +1,9 @@ +{ lib, pkgs, ... }: + +{ + environment.systemPackages = with pkgs; [ + krewfile + zsh + nixfmt-rfc-style + ]; +} diff --git a/system/security.nix b/system/security.nix new file mode 100644 index 0000000..e4ca381 --- /dev/null +++ b/system/security.nix 
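Review bot: `iface = builtins.substring 0 15 conf` truncates each config name to the kernel's 15-character interface limit but nothing guarantees the truncated names are distinct, so two entries in `services.ovpn.configs` sharing a 15-character prefix both emit `dev <same name>` and the second tunnel fails to come up; an `assertions` entry comparing `lib.unique (map (c: builtins.substring 0 15 c) cfg.configs)` with `cfg.configs` in length would catch this at evaluation time with a clear message. Inside the `nixpkgs.overlays` entry, `openvpn_show_pkcs11_ids` and `openvpn_systemd_launcher` reach back into the module's `pkgs` (`pkgs.writeShellScriptBin`, `${pkgs.openvpn}`) instead of using `final.`; it appears to work through laziness, but `final.openvpn` is the overlay convention and makes it explicit that the pkcs11-enabled override is the one being wrapped. The `ExecStartPre` guard could also be simplified to `${showPKCS11} | grep -q DN: || { ...; exit 1; }` instead of counting lines.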
@@ -0,0 +1,99 @@ +{ + lib, + pkgs, + config, + ... +}: + +let + noPasswdCommands = [ + "/run/current-system/sw/bin/reboot" + "/run/current-system/sw/bin/poweroff" + + "/run/current-system/sw/bin/systemctl suspend" + + "/run/current-system/sw/bin/systemd-tty-ask-password-agent --query" + + "/run/current-system/sw/bin/nix profile wipe-history --profile /nix/var/nix/profiles/system" + "/run/current-system/sw/bin/nixos-rebuild *" + ]; + + noPasswdServices = [ "openvpn-*" ]; +in +{ + users.users.root = { + initialPassword = lib.mkDefault "toor"; + + openssh.authorizedKeys.keys = lib.mkDefault [ + # change this to your ssh key + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPxJpIrlaMMuw+zqOlZa35ehViBytyROvdf73poXTlVz" + ]; + }; + + services.openssh.settings = { + PasswordAuthentication = false; + KbdInteractiveAuthentication = false; + }; + + security = { + sudo = { + enable = true; + extraRules = + [ + { + commands = map (cmd: { + command = cmd; + options = [ "NOPASSWD" ]; + }) (noPasswdCommands); + + groups = [ "wheel" ]; + } + ] + ++ map (svc: { + commands = + map + (cmd: { + command = cmd; + options = [ "NOPASSWD" ]; + }) + + [ + "/run/current-system/sw/bin/systemctl start ${svc}" + "/run/current-system/sw/bin/systemctl restart ${svc}" + "/run/current-system/sw/bin/systemctl stop ${svc}" + ]; + + groups = [ "wheel" ]; + }) noPasswdServices; + + # ++ lib.flatten ( + # map (svc: [ + # "/run/current-system/sw/bin/systemctl start ${svc}" + # "/run/current-system/sw/bin/systemctl restart ${svc}" + # "/run/current-system/sw/bin/systemctl stop ${svc}" + # ]) noPasswdServices + # ) + # extraConfig = with pkgs; '' + # Defaults:picloud secure_path="${lib.makeBinPath [ + # systemd + # ]}:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin" + # ''; + }; + + # pam.services.sudo = { + # rules.auth.rssh = { + # order = config.rules.auth.unix.order - 10; + # control = "sufficient"; + # modulePath = "${pkgs.pam_rssh}/lib/libpam_rssh.so"; + # #settings = { + # # 
authorized_keys_command = "/etc/ssh/authorized_keys_command"; + # # authorized_keys_command_user = "nobody"; + # #}; + # }; + # }; + + sudo.extraConfig = '' + Defaults env_keep+=SSH_AUTH_SOCK + ''; + }; +} diff --git a/system/serial-com.nix b/system/serial-com.nix new file mode 100644 index 0000000..894490d --- /dev/null +++ b/system/serial-com.nix @@ -0,0 +1,26 @@ +{ + pkgs, + lib, + targetConfig, + ... +}: + +let + bootloader = if targetConfig ? bootloader then targetConfig.bootloader else ""; + grubBoot = (bootloader == "grub"); + serialPort = if targetConfig ? mainSerial then targetConfig.mainSerial else 0; +in +{ + config.boot.kernelParams = [ + "console=tty1" + "console=ttyS${toString serialPort},115200" + ] ++ lib.optionals (serialPort != 0) [ "console=ttyS0,115200" ]; + + config.boot.loader.grub = lib.mkIf (grubBoot) { + extraConfig = '' + serial --unit=${toString serialPort} --speed=115200 --word=8 --parity=no --stop=1 + terminal_input --append serial + terminal_output --append serial + ''; + }; +} diff --git a/system/systemd-boot.nix b/system/systemd-boot.nix new file mode 100644 index 0000000..4fcdd67 --- /dev/null +++ b/system/systemd-boot.nix @@ -0,0 +1,28 @@ +{ + pkgs, + lib, + targetConfig, + ... +}: + +let + bootloader = if targetConfig ? bootloader then targetConfig.bootloader else ""; + systemdBoot = (bootloader == "systemd-boot"); +in +{ + config.boot.loader.systemd-boot = lib.mkIf (systemdBoot) { + netbootxyz.enable = true; + memtest86.enable = true; + + #extraEntries = { + # "memtest86.conf" = '' + # title Memtest86+ + # efi /efi/memtest86/memtest.efi + # ''; + #}; + + #extraFiles = { + # "efi/memtest86/memtest.efi" = "${pkgs.memtest86plus}/memtest.efi"; + #}; + }; +} diff --git a/system/wireguard.nix b/system/wireguard.nix new file mode 100644 index 0000000..ae862f7 --- /dev/null +++ b/system/wireguard.nix 
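Review bot: The `NOPASSWD` entries in `security.sudo.extraRules` are broader than their intent: in sudoers a `*` in the argument list also matches whitespace, so `"/run/current-system/sw/bin/systemctl stop openvpn-*"` matches command lines with further arguments appended, and `"/run/current-system/sw/bin/nixos-rebuild *"` lets any `wheel` member activate an arbitrary configuration, which is equivalent to password-less root. Enumerating the exact unit names (they are known at evaluation time from the `services.ovpn.configs` list in openvpn.nix) and restricting `nixos-rebuild` to the specific subcommands actually used, or routing it through a small fixed wrapper script, keeps the convenience without the escalation. `users.users.root.initialPassword = lib.mkDefault "toor"` together with the `lib.mkDefault` authorized key means any host that forgets to override inherits a well-known root password and the author's key; `users.mutableUsers = false` with an explicit `hashedPassword` per host, and an explicit `services.openssh.settings.PermitRootLogin` rather than the NixOS default, would make that decision visible in each host's config.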
@@ -0,0 +1,6 @@ +{ config, pkgs, ... }: + +{ + # boot.extraModulePackages = [ config.boot.kernelPackages.wireguard ]; + environment.systemPackages = with pkgs; [ wireguard-tools ]; +} From fc8a89b99b96fcda7f1719619e70488d3f37fc57 Mon Sep 17 00:00:00 2001 From: Antoine 'Toinux' Wam Date: Sat, 28 Dec 2024 18:09:43 +0100 Subject: [PATCH 10/74] noDisko --- _diskos/simple_singleFullRoot.nix | 67 ------------------------------- 1 file changed, 67 deletions(-) delete mode 100644 _diskos/simple_singleFullRoot.nix diff --git a/_diskos/simple_singleFullRoot.nix b/_diskos/simple_singleFullRoot.nix deleted file mode 100644 index 4f6c628..0000000 --- a/_diskos/simple_singleFullRoot.nix +++ /dev/null @@ -1,67 +0,0 @@ -# Example to create a bios compatible gpt partition -{ lib, targetConfig, ... }: -{ - disko.memSize = 3072; - - disko.devices = { - disk.disk1 = { - imageSize = "5G"; - - device = lib.mkDefault "${targetConfig.bootdisk}"; - type = "disk"; - content = { - type = "gpt"; - partitions = { - boot = { - size = "1M"; - type = "EF02"; # for grub MBR - }; - - ESP = { - size = "512M"; - type = "EF00"; - content = { - type = "filesystem"; - format = "vfat"; - mountpoint = "/boot"; - }; - }; - - root = { - size = "100%"; - content = { - type = "lvm_pv"; - vg = "ROOT"; - }; - }; - }; - }; - }; - - lvm_vg = { - ROOT = { - type = "lvm_vg"; - lvs = { - - swap = lib.mkIf (targetConfig ? swap && targetConfig.swap) { - size = "2G"; - content = { - type = "swap"; - resumeDevice = (targetConfig ? swapResume && targetConfig.swapResume); # resume from hiberation from this device - }; - }; - - root = { - size = "100%FREE"; - content = { - type = "filesystem"; - format = "ext4"; - mountpoint = "/"; - mountOptions = [ "defaults" ]; - }; - }; - }; - }; - }; - }; -} From 1450407ed36fb31acb71eadbb086be64a2177b35 Mon Sep 17 00:00:00 2001 
From: Antoine 'Toinux' Wam Date: Sat, 28 Dec 2024 18:31:32 +0100 Subject: [PATCH 11/74] added _configuration.nix: Manually Merge modules + NixConfigs --- _configuration.nix | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 _configuration.nix diff --git a/_configuration.nix b/_configuration.nix new file mode 100644 index 0000000..6a92c97 --- /dev/null +++ b/_configuration.nix @@ -0,0 +1,10 @@ +let + sources = import ./npins; + + pkgs = import sources.nixpkgs { }; + lib = pkgs.lib; + + host = lib.removeSuffix "\n" (builtins.readFile /etc/hostname); + node = (import ./ci/_makeHive.nix (import ./hive.nix)).nodes.${host}; +in +node From 2071b09a3205a66690e8f01a99cf8f6b10686ad5 Mon Sep 17 00:00:00 2001 From: Antoine 'Toinux' Wam Date: Sat, 28 Dec 2024 18:31:32 +0100 Subject: [PATCH 12/74] added _overlays.nix: Manually Merge modules + NixConfigs --- _overlays.nix | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 _overlays.nix diff --git a/_overlays.nix b/_overlays.nix new file mode 100644 index 0000000..1854737 --- /dev/null +++ b/_overlays.nix @@ -0,0 +1,21 @@ +{ lib, ... }: +let + sources = import ../npins; + + inherit (builtins) readDir filter; + inherit (lib.strings) hasPrefix hasSuffix; + inherit (lib.attrsets) filterAttrs attrNames; + + isFile = n: v: v == "regular"; + + overlaysPath = ./overlays; + files = attrNames (filterAttrs isFile (readDir overlaysPath)); + + filterFunc = file: file != "default.nix" && hasSuffix ".nix" file && !hasPrefix "_" file; + overlays = map (file: import (overlaysPath + "/${file}")) (filter filterFunc files); + + baseConfig = import ./nixpkgs.config.nix; +in +{ + inherit overlaysPath overlays baseConfig sources; +} From 9b1540b4c3f7af98664776eba41b506ac4c866b8 Mon Sep 17 00:00:00 2001 
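Review bot: `host = lib.removeSuffix "\n" (builtins.readFile /etc/hostname)` ties evaluation to the machine it runs on (an absolute-path read is rejected under pure evaluation), and `removeSuffix "\n"` strips only a single trailing newline, so a hostname file with extra trailing whitespace makes the `nodes.${host}` lookup fail with an unhelpful missing-attribute error. Guarding the lookup, e.g. `node = (import ./ci/_makeHive.nix (import ./hive.nix)).nodes.${host} or (throw "no hive node named '${host}'");`, and a header comment stating that this file is an impure, local-only entry point would make the failure mode explicit.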
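Review bot: `sources = import ../npins;` resolves npins relative to the parent of this file's directory, while `_configuration.nix` in the previous patch uses `import ./npins`; if both files really live at the repository root as the diffstat suggests, one of the two paths is wrong and will fail with a missing-path error on first use, and `sources = import ./npins;` looks like the intended line here — to confirm against the tree. The `isFile = n: v: v == "regular"` filter also silently drops symlinked overlay files (`readDir` reports those as `"symlink"`); if that is deliberate, a comment `# symlinked overlays are intentionally ignored` would save the next reader a surprise.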
From: Antoine 'Toinux' Wam Date: Sat, 28 Dec 2024 19:59:52 +0100 Subject: [PATCH 13/74] +++ Modules --- modules/kitten/connect/autodisko.nix | 3 - modules/kitten/connect/bird.nix | 314 ------------------ modules/kitten/connect/bird_peers.nix | 291 ---------------- modules/kitten/connect/loopback0.nix | 93 ------ .../nixos/modules/services/ttys/kmscon.nix | 151 --------- 5 files changed, 852 deletions(-) delete mode 100644 modules/kitten/connect/autodisko.nix delete mode 100644 modules/kitten/connect/bird.nix delete mode 100644 modules/kitten/connect/bird_peers.nix delete mode 100644 modules/kitten/connect/loopback0.nix delete mode 100644 modules/nixos/modules/services/ttys/kmscon.nix diff --git a/modules/kitten/connect/autodisko.nix b/modules/kitten/connect/autodisko.nix deleted file mode 100644 index db2b384..0000000 --- a/modules/kitten/connect/autodisko.nix +++ /dev/null @@ -1,3 +0,0 @@ -{ ... }: { - -} \ No newline at end of file diff --git a/modules/kitten/connect/bird.nix b/modules/kitten/connect/bird.nix deleted file mode 100644 index 02feec0..0000000 --- a/modules/kitten/connect/bird.nix +++ /dev/null 
@@ -1,314 +0,0 @@ -{ - lib, - config, - target, - targetConfig, - ... -}: -let - inherit (lib) - optional - optionals - optionalString - mkOrder - attrNames - filterAttrs - concatStringsSep - concatMapStringsSep - ; - - birdCfg = config.services.bird2; - srvCfg = config.customModules.bird; - - #srvCfg = - # let - # cfg = - # if targetConfig ? birdConfig then - # targetConfig.birdConfig - # else - # import (./. + "/${target}/birdconfig.nix") { inherit targetConfig; }; - # in - # if cfg ? peers then - # cfg - # else - # let - # peers = (import (./. + "/${target}/peers/") { }); - # in - # (cfg // { inherit peers; }); - - rrs = attrNames (filterAttrs (n: v: v ? template && v.template == "rrserver") srvCfg.peers); - - lo4 = - if (srvCfg ? loopback4 && srvCfg.loopback4 != null && srvCfg.loopback4 != "") then - srvCfg.loopback4 - else - null; - - lo6 = - if (srvCfg ? loopback6 && srvCfg.loopback6 != null && srvCfg.loopback6 != "") then - srvCfg.loopback6 - else - null; -in -{ - - config = lib.mkIf (false) { - - sops.templates."bird_secrets.conf" = { - owner = "bird2"; - }; - - _module.args = { - birdConfig = srvCfg; - }; - - networking.firewall.allowedTCPPorts = [ - 179 # BGP - 1790 # Internal BGP - ]; - - services.bird2.preCheckConfig = '' - echo "Bird configuration include these resources" - grep include bird2.conf - - LINE=$(grep -n include bird2.conf | grep bird_secrets.conf | head -1 | cut -d: -f1) - if [ ! -z "$LINE" ]; then - echo "Found secrets importing, will substitute it with placeholders values" - sed ''${LINE}d -i bird2.conf - sed "$(($LINE))i"'include "_secrets_substitute.conf";' -i bird2.conf - - cat > _secrets_substitute.conf <<< ' - ${config.sops.templates."bird_secrets.conf".content} - ' - - # cat _secrets_substitute.conf bird2.conf - fi - ''; - - services.bird2.config = mkOrder 0 ( - concatStringsSep "\n\n" ( - let - transitIFACE = if srvCfg ? 
transitInterface then srvCfg.transitInterface else null; - - quoteString = x: ''"${x}"''; - in - [ - "log syslog all;" - - ''include "${config.sops.templates."bird_secrets.conf".path}";'' - - '' - # The Device protocol is not a real routing protocol. It does not generate any - # routes and it only serves as a module for getting information about network - # interfaces from the kernel. It is necessary in almost any configuration. - protocol device DEV {} - - # The direct protocol is not a real routing protocol. It automatically generates - # direct routes to all network interfaces. Can exist in as many instances as you - # wish if you want to populate multiple routing tables with direct routes. - protocol direct DIRECT { - #disabled; - check link on; - ipv4; - ipv6; - interface "*"; - } - '' - - '' - #<== Générique - function is_valid4_network() { - return net ~ [ - 172.23.193.192/26, - 172.23.193.192/26{32,32} - ]; - } - - function is_valid6_network() { - return net ~ [ - 2a13:79c0:ff00::/40, - 2a13:79c0:ffff::/48{48,64}, - 2a13:79c0:ffff:fefe::/64{128,128}, - 2a13:79c0:ffff:feff::/64{112,112} - ]; - } - - - function is_rr_valid6_network() { - return net ~ [ - ${ - optionalString (transitIFACE != null) "# ::/0," - } # Announce (or not) default route [transitInterface = ${toString transitIFACE}] - 2a13:79c0:ff00::/40, - 2a13:79c0:ff00::/48+, # Special case for Toinux home - # 2a13:79c0:ffff:fefe::/64{128,128}, - # 2a13:79c0:ffff:feff::/64{112,112}, - 2a13:79c0:ffff::/48{48,64}, - 2a13:79c0:fffe::/48{56,56} - ]; - } - - '' - - '' - # The Kernel protocol is not a real routing protocol. Instead of communicating - # with other routers in the network, it performs synchronization of BIRD - # routing tables with the OS kernel. One instance per table. - protocol kernel KERNEL4 { - ipv4 { # Connect protocol to IPv4 table by channel - # table master4; # Default IPv4 table is master4 - # import all; # Import to table, default is import all - # export all; # Export to protocol. 
default is export none - export filter { - if ( is_valid4_network() || source ~ [RTS_STATIC] - ${ - let - sep = "|| proto ="; - in - optionalString (rrs != [ ]) sep + (concatMapStringsSep sep quoteString rrs) - } - ) then { - ${ - optionalString (lo4 != null) '' - if source ~ [RTS_BGP] || net ~ [ 0.0.0.0/0 ] then { - krt_prefsrc=${lo4}; - } - '' - } - accept; - } else reject; - }; - }; - merge paths on; - # learn; # Learn alien routes from the kernel - # kernel table 10; # Kernel table to synchronize with (default: main) - } - - # Another instance for IPv6, skipping default options - protocol kernel KERNEL6 { - # ipv6 { export all; }; - ipv6 { - export filter { - - if ( is_valid6_network() || source ~ [RTS_STATIC] - ${ - let - sep = "|| proto ="; - in - optionalString (rrs != [ ]) sep + (concatMapStringsSep sep quoteString rrs) - } - ) then { - ${ - optionalString (lo6 != null) '' - if source ~ [RTS_BGP] || net ~ [ ::/0 ] then { - krt_prefsrc=${lo6}; - } - '' - } - accept; - } else reject; - }; - }; - - merge paths on; - } - '' - - '' - - template bgp rrserver { - local port 1790; - neighbor port 179; - multihop 5; - - ipv4 { - gateway recursive; - extended next hop; - next hop self; - - import filter { accept; }; - - export none; - # export filter { if is_v4_network() && source ~ [RTS_STATIC, RTS_DEVICE, RTS_BGP, RTS_OSPF] then accept; else reject; }; - import limit 1000 action block; - igp table master4; # IGP table for routes with IPv4 nexthops - # igp table master6; # IGP table for routes with IPv4 nexthops - }; - - ipv6 { - gateway recursive; - next hop self; - - import filter { accept; }; - export filter { if is_rr_valid6_network() && source ~ [RTS_STATIC, RTS_DEVICE, RTS_BGP, RTS_OSPF] then accept; else reject; }; - import limit 1000 action block; - igp table master6; # IGP table for routes with IPv6 nexthops - }; - - } - '' - - '' - template bgp kittunderlay { - # local as 4242421945; - # neighbor as kittenASN; - local port 1790; - neighbor port 1790; - rr 
client; - path metric off; - ipv4 { - extended next hop; - next hop self; - import keep filtered; - - import filter { - if is_valid4_network() then { - if defined( bgp_med ) then - bgp_med = bgp_med + 1000; - else { - bgp_med = 1000; - } - accept; - } else reject; - }; - - export filter { if is_valid4_network() && source ~ [RTS_STATIC, RTS_DEVICE, RTS_BGP, RTS_OSPF] then accept; else reject; }; - import limit 1000 action block; - }; - - ipv6 { - next hop self; - import keep filtered; - - import filter { - if is_valid6_network() then { - if defined( bgp_med ) then - bgp_med = bgp_med + 1000; - else { - bgp_med = 1000; - } - accept; - } else reject; - }; - - export filter { if is_valid6_network() && source ~ [RTS_STATIC, RTS_DEVICE, RTS_BGP, RTS_OSPF] then accept; else reject; }; - import limit 1000 action block; - }; - - } - '' - ] - ++ - optionals (srvCfg ? static6 && builtins.typeOf srvCfg.static6 == "list" && srvCfg.static6 != [ ]) - [ - '' - protocol static STATIC6 { - ipv6; - ${concatMapStringsSep "\n" (x: " " + "route ${x};") srvCfg.static6} - } - '' - ] - ) - ); - }; -} diff --git a/modules/kitten/connect/bird_peers.nix b/modules/kitten/connect/bird_peers.nix deleted file mode 100644 index 3c396dc..0000000 --- a/modules/kitten/connect/bird_peers.nix +++ /dev/null 
@@ -1,291 +0,0 @@ -{ lib, target, config, targetConfig, ... }: -let - inherit (lib) listToAttrs nameValuePair mkIf mkOption mkEnableOption types; - - # Options - - birdPeerSubmodule = { name, config, ... }: { - options = { - enable = mkEnableOption "${name} peer."; - - peerName = mkOption { - type = types.str; - default = name; - description = "Override name of the BGP peer."; - }; - - peerIP = mkOption { - type = types.str; - description = "IP address of the BGP peer."; - }; - - peerAS = mkOption { - type = types.int; - default = 65666; - description = "Autonomous System number of the BGP peer."; - }; - - localIP = mkOption { - type = types.str; - default = ""; - description = "Local IP address."; - }; - - localAS = mkOption { - type = types.int; - default = 65666; - description = "Local Autonomous System number."; - }; - - multihop = mkOption { - type = types.int; - default = 0; - description = "Multihop TTL value."; - }; - - template = mkOption { - type = types.str; - default = ""; - description = "Template string."; - }; - - password = mkOption { - type = types.str; - default = ""; - description = "Password for BGP session."; - }; - - passwordRef = mkOption { - type = types.str; - default = ""; - description = "Reference to a password for BGP session."; - }; - - ipv4 = mkOption { - type = types.attrs; - default = { }; - description = "IPv4 configuration."; - }; - - ipv6 = mkOption { - type = types.attrs; - default = { }; - description = "IPv6 configuration."; - }; - - bgpMED = mkOption { - type = types.nullOr types.int; - default = null; - description = "BGP Multi Exit Discriminator."; - }; - - # wireguard = mkOption { - # type = types.attrs; - # default = { }; - # description = "Wireguard configuration."; - # }; - - interface = mkOption { - type = types.nullOr types.str; - - description = "Network interface."; - default = if config.wireguard != { } then - (if config.wireguard ? 
interface then - config.wireguard.interface - else - config.peerName) - else - null; - }; - }; - }; - - # Values - - peers = config.customModules.bird_peers; - - peersWithPasswordRef = lib.attrsets.filterAttrs (n: v: v ? passwordRef) peers; - - passwords = lib.unique - (lib.attrsets.mapAttrsToList (n: v: v.passwordRef) peersWithPasswordRef); -in { - - options.customModules.bird_peers = mkOption { - default = {}; - type = with types; - attrsOf (submodule - birdPeerSubmodule); # types.submodule (mkNamedOptionModule birdPeerSubmodule); - description = "Configuration for BGP peers."; - }; - - config = mkIf (peers != {}) { - - sops.secrets = lib.mkIf (passwords != [ ]) (listToAttrs (map (n: - lib.nameValuePair "bird_secrets/${n}" { - reloadUnits = [ "bird2.service" ]; - }) passwords)); - - sops.templates."bird_secrets.conf".content = lib.mkIf (passwords != [ ]) - (lib.mkMerge (map (password: '' - define secretPassword_${password} = "${ - config.sops.placeholder."bird_secrets/${password}" - }"; - '') passwords)); - - services.bird2.config = let - mkPeersFuncArgs = (x: { peerName = x; } // peers.${x}); - - toLines = nindent: - let indent = lib.concatMapStrings (_: " ") (lib.range 1 nindent); - in builtins.concatStringsSep '' - - ${indent}''; - - withType = types: x: lib.toFunction types.${builtins.typeOf x} x; - - peersFunc = x@{ peerName, peerIP, peerAS ? 65666, - - localIP ? "", localAS ? 65666, - - multihop ? 0, template ? "", - - password ? "", passwordRef ? "", - - ipv4 ? { }, ipv6 ? { }, - - bgpMED ? null, - - wireguard ? { }, interface ? if (wireguard != { }) then - (if wireguard ? interface then wireguard.interface else peerName) - else - null, ... 
}: - let - inherit (lib) optionalString; - inherit (builtins) concatStringsSep toJSON; - in '' - - ${optionalString (bgpMED != null) - "define bgpMED_${toString peerName} = ${toString bgpMED};"} - ${optionalString (template == "kittunderlay") '' - - filter filter4_IN_BGP_${toString peerName} { - if is_valid4_network() then { - if defined( bgp_med ) then - bgp_med = bgp_med + bgpMED_${toString peerName}; - else { - bgp_med = bgpMED_${toString peerName}; - } - accept; - } else reject; - } - - filter filter6_IN_BGP_${toString peerName} { - if is_valid6_network() then { - if defined( bgp_med ) then - bgp_med = bgp_med + bgpMED_${toString peerName}; - else { - bgp_med = bgpMED_${toString peerName}; - } - accept; - } else reject; - } - ''} - - # ${optionalString (x ? debug && x.debug == true) (toJSON x)} - # L: AS${toString localAS} | R: AS${toString peerAS} - protocol bgp ${toString peerName} ${ - optionalString (template != "") "from ${toString template}" - } { - local ${optionalString (localIP != "") (toString localIP)} as ${ - toString localAS - }; # localIP: "${toString localIP}" - neighbor ${toString peerIP} as ${toString peerAS}; - ${optionalString (interface != null) ''interface "${interface}";''} - ${ - if multihop == 0 then - "direct;" - else - "multihop ${ - optionalString (multihop != -1) toString - (if multihop < -1 then -1 * multihop else multihop) - };" - } # multihop: ${toString multihop} - - ${ - optionalString (password != "") '' - password "${ - assert lib.asserts.assertMsg (passwordRef == "") - "U defined a passwordRef, why do you still want to leak password ?"; - toString (lib.warn - "bird2 peers password is insecure consider using passwordRef with a bird_secrets file" - password) - }"; # Not-Secured cleartext access for @everyone'' - } - ${ - optionalString (passwordRef != "") "password secretPassword_${ - toString passwordRef - }; # Defined in secrets file" - } - - ${ - optionalString (ipv6 != { }) '' - - ipv6 { - ${ - optionalString (ipv6 ? 
imports && ipv6.imports != "" - && ipv6.imports != [ ]) (let - myType = withType { - string = x: " import ${x};"; - null = x: " import none;"; - lambda = f: myType (f peerName); - list = x: '' - - # ${toJSON x} - import filter { - if ( net ~ [ ${ - concatStringsSep ", " x - } ] ) then { - accept; - } - reject; - }; - ''; - }; - in myType ipv6.imports) - } - ${ - optionalString (ipv6 ? exports && ipv6.exports != "" - && ipv6.exports != [ ]) (let - myType = withType { - string = x: " export ${x};"; - null = x: " export none;"; - lambda = f: myType (f peerName); - list = x: '' - - # ${toJSON x} - export filter { - if ( net ~ [ ${ - concatStringsSep ", " x - } ] ) then { - accept; - } - reject; - }; - ''; - }; - in myType ipv6.exports) - } - }; - '' - } - - } - '' - - ; - in lib.mkOrder 50 (builtins.concatStringsSep "\n" - ([ "# Nix-OS Generated for ${target}" ] ++ (map (x: '' - # ${x} - ${peersFunc (mkPeersFuncArgs x)}'') (builtins.attrNames peers)))); - }; -} diff --git a/modules/kitten/connect/loopback0.nix b/modules/kitten/connect/loopback0.nix deleted file mode 100644 index befba2b..0000000 --- a/modules/kitten/connect/loopback0.nix +++ /dev/null 
@@ -1,93 +0,0 @@ -{ - lib, - config, - pkgs, - ... -}: - -let - inherit (lib) - mkOption - stringLength - types - ; - - - cfg = config.customModules.loopback0; - - canonicalizeIPs = ips: lib.unique ips; - - hasIPv4 = (cfg.ipv4 != [ ]); - isValidIPv4 = - ip: - let - parts = lib.splitString "." ip; - isByte = - part: - let - n = builtins.parseInt part; - in - n >= 0 && n <= 255; - in - builtins.length parts == 4 && lib.all isByte parts; - - hasIPv6 = (cfg.ipv6 != [ ]); - isValidIPv6 = - ip: - let - parts = lib.splitString ":" ip; - isHexPart = - part: stringLength part <= 4 && (part == "" || (builtins.match "[0-9a-fA-F]+" part != null)); - in - builtins.length parts <= 8 && lib.all isHexPart parts && ip != ""; - - validateIPv4s = ips: if lib.all isValidIPv4 ips then canonicalizeIPs ips else throw "Invalid IPv4 address in the list"; - - validateIPv6s = ips: if lib.all isValidIPv6 ips then builtins.trace "IPs: ${builtins.toJSON ips} -> ${builtins.toJSON (canonicalizeIPs ips)}" (canonicalizeIPs ips) else throw "Invalid IPv6 address in the list"; -in -{ - options.customModules.loopback0 = { - enable = lib.mkEnableOption "loopback IP addresses module"; - - ipv4 = mkOption { - type = types.listOf types.str; - description = "An array of IPv4 addresses."; - default = [ ]; - example = [ - "127.0.0.1" - "192.168.0.1" - ]; - apply = validateIPv4s; - }; - - ipv6 = mkOption { - type = types.listOf types.str; - description = "An array of IPv6 addresses."; - default = [ ]; - example = [ - "::1" - "fe80::1" - ]; - apply = validateIPv6s; - }; - }; - - config = lib.mkIf cfg.enable { - # Add any additional configuration here. 
- networking.extraHosts = lib.concatMapStringsSep "\n" (ip: "${ip} ${config.networking.hostName}") ( - cfg.ipv4 ++ cfg.ipv6 - ); - - networking.interfaces.lo = lib.mkIf (hasIPv4 || hasIPv6) { - ipv4.addresses = lib.mkIf (hasIPv4) (map (x: { - address = "${toString x}"; - prefixLength = 32; - }) cfg.ipv4); - - ipv6.addresses = lib.mkIf (hasIPv6) (map (x: { - address = "${toString x}"; - prefixLength = 128; - }) cfg.ipv6); - }; - }; -} diff --git a/modules/nixos/modules/services/ttys/kmscon.nix b/modules/nixos/modules/services/ttys/kmscon.nix deleted file mode 100644 index 422d9a7..0000000 --- a/modules/nixos/modules/services/ttys/kmscon.nix +++ /dev/null 
@@ -1,151 +0,0 @@ -{ - config, - pkgs, - lib, - ... -}: -let - inherit (lib) - mapAttrs - mkIf - mkOption - optional - optionals - types - ; - - cfg = config.services.kmscon; - - autologinArg = lib.optionalString (cfg.autologinUser != null) "-a ${cfg.autologinUser}"; - - configDir = pkgs.writeTextFile { - name = "kmscon-config"; - destination = "/kmscon.conf"; - text = cfg.extraConfig; - }; -in -{ - options = { - services.kmscon = { - enable = mkOption { - description = '' - Use kmscon as the virtual console instead of gettys. - kmscon is a kms/dri-based userspace virtual terminal implementation. - It supports a richer feature set than the standard linux console VT, - including full unicode support, and when the video card supports drm - should be much faster. - ''; - type = types.bool; - default = false; - }; - - hwRender = mkOption { - description = "Whether to use 3D hardware acceleration to render the console."; - type = types.bool; - default = false; - }; - - fonts = mkOption { - description = "Fonts used by kmscon, in order of priority."; - default = null; - example = lib.literalExpression ''[ { name = "Source Code Pro"; package = pkgs.source-code-pro; } ]''; - type = - with types; - let - fontType = submodule { - options = { - name = mkOption { - type = str; - description = "Font name, as used by fontconfig."; - }; - package = mkOption { - type = package; - description = "Package providing the font."; - }; - }; - }; - in - nullOr (nonEmptyListOf fontType); - }; - - extraConfig = mkOption { - description = "Extra contents of the kmscon.conf file."; - type = types.lines; - default = ""; - example = "font-size=14"; - }; - - extraOptions = mkOption { - description = "Extra flags to pass to kmscon."; - type = types.separatedString " "; - default = ""; - example = "--term xterm-256color"; - }; - - autologinUser = mkOption { - type = types.nullOr types.str; - default = null; - description = '' - Username of the account that will be automatically logged in at the 
console. - If unspecified, a login prompt is shown as usual. - ''; - }; - }; - }; - - config = mkIf cfg.enable { - # Largely copied from unit provided with kmscon source - systemd.units."kmsconvt@.service".text = '' - [Unit] - Description=KMS System Console on %I - Documentation=man:kmscon(1) - After=systemd-user-sessions.service - After=plymouth-quit-wait.service - After=systemd-logind.service - After=systemd-vconsole-setup.service - Requires=systemd-logind.service - Before=getty.target - Conflicts=getty@%i.service - OnFailure=getty@%i.service - IgnoreOnIsolate=yes - ConditionPathExists=/dev/tty0 - - [Service] - ExecStart= - ExecStart=${pkgs.kmscon}/bin/kmscon "--vt=%I" ${cfg.extraOptions} --seats=seat0 --no-switchvt --configdir ${configDir} --login -- ${pkgs.util-linux}/sbin/agetty --login-program ${pkgs.shadow}/bin/login ${autologinArg} -o '-p -- \\u' - xterm-256color - - UtmpIdentifier=%I - TTYPath=/dev/%I - TTYReset=yes - TTYVHangup=yes - TTYVTDisallocate=yes - - X-RestartIfChanged=false - ''; - - systemd.suppressedSystemUnits = [ "autovt@.service" ]; - systemd.units."kmsconvt@.service".aliases = [ "autovt@.service" ]; - - systemd.services.systemd-vconsole-setup.enable = false; - systemd.services.reload-systemd-vconsole-setup.enable = false; - - services.kmscon.extraConfig = - let - render = optionals cfg.hwRender [ - "drm" - "hwaccel" - ]; - fonts = - optional (cfg.fonts != null) - "font-name=${lib.concatMapStringsSep ", " (f: f.name) cfg.fonts}"; - in - lib.concatStringsSep "\n" (render ++ fonts); - - hardware.opengl.enable = mkIf cfg.hwRender true; - - fonts = mkIf (cfg.fonts != null) { - fontconfig.enable = true; - packages = map (f: f.package) cfg.fonts; - }; - }; -} From b880c0cfd0c6457042cb0a198b22cad3d4d6898d Mon Sep 17 00:00:00 2001 
From: Antoine 'Toinux' Wam Date: Sat, 28 Dec 2024 19:02:57 +0100 Subject: [PATCH 14/74] + system/ ~ system/firewall.nix: ~ system/security.nix: --- system/default.nix | 73 +++++++++++++++++++++++++++++++++++++++++++++ system/firewall.nix | 2 +- system/security.nix | 3 +- 3 files changed, 76 insertions(+), 2 deletions(-) create mode 100644 system/default.nix diff --git a/system/default.nix b/system/default.nix new file mode 100644 index 0000000..6701ccc --- /dev/null +++ b/system/default.nix 
@@ -0,0 +1,73 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page, on
+# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
+
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+
+{
+
+ imports = [
+ # ./nixConfig.nix
+ # ./packages.nix # Install system-wide pkgs
+ ./inputrc.nix # ReadLine config
+ ./security.nix # PAM + SSH + Keys
+ # ./firewall.nix
+
+ # VPNs
+ ./openvpn.nix
+ ./wireguard.nix
+
+ # Kernel / Bootloader
+ # ./serial-com.nix
+ # ./systemd-boot.nix
+ # ./grub-boot.nix
+ ];
+
+ # Set your time zone.
+ time.timeZone = "Europe/Paris";
+
+ # Configure network proxy if necessary
+ # networking.proxy.default = "http://user:password@proxy:port/";
+ # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
+
+ # Select internationalisation properties.
+ i18n.defaultLocale = "en_US.UTF-8";
+
+ boot.supportedFilesystems = [ "nfs" ];
+ services.rpcbind.enable = true; # NFS - Client
+
+ services.chrony = {
+ enable = true;
+ };
+
+ programs.zsh.enable = true; # Install System-Wide -> Config is done with home-manager
+
+ environment.shells = with pkgs; [ zsh ];
+ environment.pathsToLink = [ "/share/zsh" ]; # ZSH Completion
+
+ # tmpFS on /tmp
+ boot.tmp.useTmpfs = lib.mkDefault true;
+
+ # Enable the OpenSSH daemon.
+ services.openssh.enable = true;
+
+ environment.systemPackages = with pkgs; [
+ # Additional packages
+ # nix-inspect
+ ];
+
+ # Versions Dump
+ environment.etc."current-system-packages".text =
+ let
+ getName = (p: if p ? name then "${p.name}" else "${p}");
+ packages = builtins.map getName config.environment.systemPackages;
+ sortedUnique = builtins.sort builtins.lessThan (lib.unique packages);
+ formatted = builtins.concatStringsSep "\n" sortedUnique;
+ in
+ formatted;
+}
diff --git a/system/firewall.nix b/system/firewall.nix
index a096e49..3c8db3a 100644
--- a/system/firewall.nix
+++ b/system/firewall.nix
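Review bot: `./firewall.nix` is left commented out in `imports`, so the `networking.firewall` definitions in `system/firewall.nix` — the very file this commit also edits — are not part of the evaluated configuration for hosts that import `system/`, and their firewall state is whatever the NixOS defaults and their own config leave it. If the module is meant to be opt-in per host, say so where it is commented out, e.g. `# ./firewall.nix # opt-in: hosts that want the shared rules import it themselves`; otherwise uncomment it. `services.openssh.enable = true` is set here with no `services.openssh.settings`; presumably the SSH hardening lives in `./security.nix` (annotated "PAM + SSH + Keys"), which is outside this hunk, so a pointer comment next to the enable line would help readers.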
@@ -13,7 +13,7 @@ networking.firewall = { enable = lib.mkDefault false; # TODO: Enable IT - allowedTCPPorts = [ + allowedTCPPorts = lib.mkDefault [ 22 # 80 # 443 diff --git a/system/security.nix b/system/security.nix index e4ca381..fc7a4bb 100644 --- a/system/security.nix +++ b/system/security.nix @@ -18,7 +18,7 @@ let "/run/current-system/sw/bin/nixos-rebuild *" ]; - noPasswdServices = [ "openvpn-*" ]; + noPasswdServices = [ ]; in { users.users.root = { @@ -27,6 +27,7 @@ in openssh.authorizedKeys.keys = lib.mkDefault [ # change this to your ssh key "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPxJpIrlaMMuw+zqOlZa35ehViBytyROvdf73poXTlVz" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINC+U2GVzJm2vPdmeSwiImGuZ82prwMybkjmrfLdOsWu" ]; }; From b07a816772eb664c076ad11c36add1665e3df6d8 Mon Sep 17 00:00:00 2001 From: Antoine 'Toinux' Wam Date: Sat, 28 Dec 2024 19:02:55 +0100 Subject: [PATCH 15/74] + home/default.nix: --- home/default.nix | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 home/default.nix diff --git a/home/default.nix b/home/default.nix new file mode 100644 index 0000000..50957f6 --- /dev/null +++ b/home/default.nix @@ -0,0 +1,13 @@ +{ + pkgs, + lib, + config, + osConfig, + ... +}: +let + kubeCfg = osConfig.services.k3s; +in +{ + imports = [ ] ++ lib.optional (kubeCfg.enable && kubeCfg.role == "server") ./kube.nix; +} From 5c17dffe87361503d25ff83f7ebfcf93032411d0 Mon Sep 17 00:00:00 2001 From: Antoine 'Toinux' Wam Date: Sat, 28 Dec 2024 19:02:56 +0100 Subject: [PATCH 16/74] ~ hosts/default.nix: --- hosts/default.nix | 23 ++++++++++------------- 1 file changed, 10 insertions(+), 13 deletions(-) diff --git a/hosts/default.nix b/hosts/default.nix index 699b88f..8129167 100644 --- a/hosts/default.nix +++ b/hosts/default.nix 
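Review bot: In the `system/security.nix` hunk at `@@ -27,6 +27,7 @@`, the second root key is appended inside the same `lib.mkDefault [ ... ]` list, so a host that defines `users.users.root.openssh.authorizedKeys.keys` itself replaces both keys rather than adding to them; the comment `# change this to your ssh key` above the list now describes a two-key default and should say what overriding does, e.g. `# default root keys; a host-level definition replaces this whole list`. The `users.users.root` block starts outside the hunk, so whether root key login is constrained by `services.openssh.settings.PermitRootLogin` is not visible here — confirm it is `prohibit-password` or stricter where SSH is configured. The `system/firewall.nix` hunk on this line makes `allowedTCPPorts` overridable, but its context line `enable = lib.mkDefault false; # TODO: Enable IT` means the port list has no effect until a host turns the firewall on.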
@@ -1,15 +1,4 @@ -# { -# clients = import ./clients { }; -# miscservers = import ./miscservers { }; - -# homerouters = import ./homerouters { }; -# routers = import ./routers { }; -# routereflectors = import ./routereflectors { }; - -# stonkmembers = import ./stonkmembers { }; -# } - -args@{ lib, ... }: +{ lib, ... }: let blacklist = [ @@ -25,4 +14,12 @@ let folders = builtins.attrNames (lib.filterAttrs filterFunc (builtins.readDir ./.)); in -lib.genAttrs folders (folder: (import (./. + "/${folder}") (args // { }))) +lib.genAttrs folders ( + folder: + ( + let + configs = builtins.attrNames (lib.filterAttrs filterFunc (builtins.readDir (./. + "/${folder}"))); + in + lib.genAttrs configs (confName: (import (./. + "/${folder}/${confName}"))) + ) +) From a30d6436333a9e3b75cb7ee877a9c22da6852298 Mon Sep 17 00:00:00 2001 From: Antoine 'Toinux' Wam Date: Sat, 28 Dec 2024 19:02:55 +0100 Subject: [PATCH 17/74] + hosts/_defaults.nix: --- hosts/_defaults.nix | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 hosts/_defaults.nix diff --git a/hosts/_defaults.nix b/hosts/_defaults.nix new file mode 100644 index 0000000..2d59aee --- /dev/null +++ b/hosts/_defaults.nix 
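Review bot: In the second hunk (`@@ -25,4 +14,12 @@`), the inner `builtins.readDir (./. + "/${folder}")` is filtered with the same `filterFunc` as the top level, and `filterFunc`/`blacklist` are defined above the hunk, so it is not visible whether only directories survive; a plain file in a group folder (a shared `configuration.nix`, for instance) would be handed to `import (./. + "/${folder}/${confName}")` as if it were a host. The new code also stops passing `args` to the imported expression (the removed line did `import ... (args // { })`), so each host file is now returned unapplied; that looks intentional, but a comment such as `# each host's default.nix is returned unapplied; the hive applies it` would make it explicit. The enclosing `let … in` starts outside the hunk.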
@@ -0,0 +1,25 @@
+args@{ pkgs, sources, ... }:
+{
+ imports = [
+ ../system
+ ../modules/system
+
+ (import "${sources.lix-module}/module.nix" { lix = sources.lix; })
+ "${sources.disko}/module.nix"
+ "${sources.sops-nix}/modules/sops"
+ ];
+
+ time.timeZone = "Europe/Paris";
+
+ nixpkgs.overlays = (import ../_overlays.nix args).overlays;
+
+ # By default, Colmena will replace unknown remote profile
+ # (unknown means the profile isn't in the nix store on the
+ # host running Colmena) during apply (with the default goal,
+ # boot, and switch).
+ # If you share a hive with others, or use multiple machines,
+ # and are not careful to always commit/push/pull changes
+ # you can accidentaly overwrite a remote profile so in those
+ # scenarios you might want to change this default to false.
+ deployment.replaceUnknownProfiles = false;
+}
From 42d76da94b91ea7cb1dfc965a3737c8853b0e998 Mon Sep 17 00:00:00 2001 From: Antoine 'Toinux' Wam Date: Sat, 28 Dec 2024 19:02:55 +0100 Subject: [PATCH 18/74] hosts/_peers: Basic peers + hosts/_peers/default.nix: --- hosts/_peers/KIT-IG1-RR91.nix | 49 +++++++++++++++++++++++++++++++++++ hosts/_peers/default.nix | 5 ++++ 2 files changed, 54 insertions(+) create mode 100644 hosts/_peers/KIT-IG1-RR91.nix create mode 100644 hosts/_peers/default.nix
diff --git a/hosts/_peers/KIT-IG1-RR91.nix b/hosts/_peers/KIT-IG1-RR91.nix
new file mode 100644
index 0000000..2ea52dd
--- /dev/null
+++ b/hosts/_peers/KIT-IG1-RR91.nix
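Review bot: `time.timeZone = "Europe/Paris"` is defined here and again in `system/default.nix`, which this file pulls in through `../system`; two identical string definitions merge silently, but they will conflict the moment one is changed, so keep it in one place or mark one of them `lib.mkDefault`. `nixpkgs.overlays = (import ../_overlays.nix args).overlays` forwards the whole argument set (including `pkgs` and `sources`) into a file that is not part of this commit, so a one-line comment on what `_overlays.nix` expects from `args` would help. `deployment.replaceUnknownProfiles = false` is the safer choice for a shared hive and the comment above it explains why.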
@@ -0,0 +1,49 @@
+{ ... }:
+let
+ kittenASN = 4242421945;
+in
+{
+ # vultr6
+ # AS64515
+ # Peer-IP : 2001:19f0:ffff::1
+
+ # protocol bgp TRANSIT_VULTR6 {
+ #
+ # multihop 2;
+ #
+
+ # ipv6 {
+ # export filter {
+ # if ( net ~ [ 2a13:79c0:ff00::/40, 2a12:dd47:9330::/44 ] ) then {
+ # accept;
+ # }
+ # reject;
+ # };
+ # import none;
+ # };
+ #
+ # }
+ peerAS = kittenASN;
+ peerIP = "2a13:79c0:ffff:fefe::113:91";
+ localAS = kittenASN;
+
+ multihop = 5;
+
+ # wireguard = {
+ # address = "2a13:79c0:ffff:feff::10c";
+ # port = 51800;
+ # peerKey = "rMTaMWJYlgTKJoE0PnVOo9SKHTppEfYK5KtWjBI9mC8=";
+ # };
+ template = "rrserver";
+ ipv6 = {
+ #imports = null;
+ #imports = x: "filter filter6_IN_BGP_${toString x}";
+ #exports = [ "2a12:dd47:9330::/44" ];
+
+ #exports = null;
+ };
+ ipv4 = {
+ #imports = x: "filter filter4_IN_BGP_${toString x}";
+ #exports = x: "filter6_IN_BGP_${toString x}";
+ };
+}
diff --git a/hosts/_peers/default.nix b/hosts/_peers/default.nix
new file mode 100644
index 0000000..6b7d84e
--- /dev/null
+++ b/hosts/_peers/default.nix
@@ -0,0 +1,5 @@
+{ ... }:
+{
+ # Internal RR
+ IG1_RR91 = import ./KIT-IG1-RR91.nix { };
+}
From 640bf39406ae63e0543f108f0bb588f8087c24d4 Mon Sep 17 00:00:00 2001 From: Antoine 'Toinux' Wam Date: Sat, 28 Dec 2024 19:02:56 +0100 Subject: [PATCH 19/74] + hosts/clients/NIXP --- hosts/clients/NIXP/default.nix | 171 ++++++++++++++++++ hosts/clients/NIXP/disk-config.nix | 98 ++++++++++ hosts/clients/NIXP/hardware-configuration.nix | 51 ++++++ hosts/clients/NIXP/network-configuration.nix | 55 ++++++ hosts/clients/NIXP/packages.nix | 23 +++ 5 files changed, 398 insertions(+) create mode 100644 hosts/clients/NIXP/default.nix create mode 100644 hosts/clients/NIXP/disk-config.nix create mode 100644 hosts/clients/NIXP/hardware-configuration.nix create mode 100644 hosts/clients/NIXP/network-configuration.nix create mode 100644 hosts/clients/NIXP/packages.nix
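Review bot: The commented header of `KIT-IG1-RR91.nix` (`# vultr6`, `# AS64515`, `# Peer-IP : 2001:19f0:ffff::1` and the `protocol bgp TRANSIT_VULTR6` block) describes a different session than the attribute set that follows (`peerAS = kittenASN`, `template = "rrserver"`, `multihop = 5`), which makes the file misleading to read; drop the stale block or replace it with a one-line header such as `# Internal route reflector KIT-IG1-RR91, iBGP over multihop (5), policy comes from the rrserver template`. The `ipv4` and `ipv6` sets contain only commented-out entries, so this peer's import/export policy is entirely whatever `rrserver` provides — worth stating next to them rather than leaving four disabled alternatives. In `hosts/_peers/default.nix` the file is imported with `{ }`, so the `{ ... }:` signature accepts nothing useful; either drop the function wrapper or document what callers may pass.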
diff --git a/hosts/clients/NIXP/default.nix b/hosts/clients/NIXP/default.nix new file mode 100644 index 0000000..8ce999a --- /dev/null +++ b/hosts/clients/NIXP/default.nix 
@@ -0,0 +1,171 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{
+ name,
+ nodes,
+ lib,
+ pkgs,
+ ...
+}:
+{
+ imports = [
+ # Include the results of the hardware scan.
+ ../default.nix
+ ./hardware-configuration.nix
+ ./network-configuration.nix
+ ./packages.nix
+ ];
+
+ deployment = {
+ # Allow local deployment with `colmena apply-local`
+ allowLocalDeployment = true;
+
+ # Disable SSH deployment. This node will be skipped in a
+ # normal`colmena apply`.
+ targetHost = null;
+ };
+
+
+ # system.includeBuildDependencies = true;
+ # system.extraDependencies = [
+ # (../../..)
+ # ];
+ # environment.etc."kittenconfig".source = ../../..;
+
+ # Bootloader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
+
+ # Configure network proxy if necessary
+ # networking.proxy.default = "http://user:password@proxy:port/";
+ # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
+
+ # Set your time zone.
+ time.timeZone = "Europe/Paris";
+
+ # Select internationalisation properties.
+ i18n.defaultLocale = "en_US.UTF-8";
+
+ i18n.extraLocaleSettings = {
+ LC_ADDRESS = "fr_FR.UTF-8";
+ LC_IDENTIFICATION = "fr_FR.UTF-8";
+ LC_MEASUREMENT = "fr_FR.UTF-8";
+ LC_MONETARY = "fr_FR.UTF-8";
+ LC_NAME = "fr_FR.UTF-8";
+ LC_NUMERIC = "fr_FR.UTF-8";
+ LC_PAPER = "fr_FR.UTF-8";
+ LC_TELEPHONE = "fr_FR.UTF-8";
+ LC_TIME = "fr_FR.UTF-8";
+ };
+
+ # Enable the X11 windowing system.
+ services.xserver.enable = true;
+
+ # Enable the XFCE Desktop Environment.
+ services.xserver.displayManager.lightdm.enable = true;
+ services.xserver.desktopManager.xfce.enable = true;
+
+ # Configure keymap in X11
+ services.xserver = {
+ xkb = {
+ layout = "us";
+ variant = "";
+ };
+ };
+
+ # Enable CUPS to print documents.
+ services.printing.enable = true;
+
+ # Enable sound with pipewire.
+ # sound.enable = true;
+ hardware.pulseaudio.enable = false;
+ security.rtkit.enable = true;
+ services.pipewire = {
+ enable = true;
+ alsa.enable = true;
+ alsa.support32Bit = true;
+ pulse.enable = true;
+ # If you want to use JACK applications, uncomment this
+ #jack.enable = true;
+
+ # use the example session manager (no others are packaged yet so this is enabled by default,
+ # no need to redefine it in your config for now)
+ #media-session.enable = true;
+ };
+
+ # Enable touchpad support (enabled default in most desktopManager).
+ # services.xserver.libinput.enable = true;
+
+ environment.variables = {
+ EDITOR = "vim";
+ };
+
+ # Define a user account. Don't forget to set a password with ‘passwd’.
+ users.users.toinux = {
+ isNormalUser = true;
+ description = "toinux";
+ extraGroups = [
+ "networkmanager"
+ "docker"
+ "wheel"
+ ];
+ packages = with pkgs; [
+ # thunderbird
+ ];
+ };
+
+ # Enable automatic login for the user.
+ services.displayManager.autoLogin = {
+ enable = true;
+ user = "toinux";
+ };
+
+ services.code-server = {
+ enable = true;
+ host = "[::]";
+ };
+
+ # Install firefox.
+ programs.firefox.enable = true;
+ programs.mtr.enable = true;
+
+ # Some programs need SUID wrappers, can be configured further or are
+ # started in user sessions.
+ # programs.mtr.enable = true;
+ # programs.gnupg.agent = {
+ # enable = true;
+ # enableSSHSupport = true;
+ # };
+
+ # List services that you want to enable:
+
+ services.hydra = {
+ enable = true;
+ hydraURL = "http://localhost:3000";
+ notificationSender = "hydra@localhost";
+ buildMachinesFiles = [];
+ useSubstitutes = true;
+ };
+
+ # Enable the OpenSSH daemon.
+ services.openssh.enable = true;
+ virtualisation.docker.enable = true;
+
+ # Open ports in the firewall.
+ networking.firewall.allowedTCPPorts = [ 4444 ];
+ networking.firewall.allowedUDPPorts = [ ];
+ # Or disable the firewall altogether.
+ networking.firewall.enable = lib.mkDefault true;
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "23.11"; # Did you read the comment?
+}
diff --git a/hosts/clients/NIXP/disk-config.nix b/hosts/clients/NIXP/disk-config.nix
new file mode 100644
index 0000000..6dffa34
--- /dev/null
+++ b/hosts/clients/NIXP/disk-config.nix
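Review bot: `services.code-server` is enabled with `host = "[::]"` and `networking.firewall.allowedTCPPorts = [ 4444 ]` opens code-server's default port, so the editor — which runs arbitrary commands as its user — is reachable on every address the host carries, including the globally routable IPv6 address that `network-configuration.nix` assigns to `ens19`; the hunk sets neither `services.code-server.auth` nor `hashedPassword`, so authentication is whatever the module default gives. Bind it to loopback (`host = "127.0.0.1";` or `"::1"`) and reach it through an SSH tunnel, or at minimum set an explicit `hashedPassword` and limit the port with `networking.firewall.interfaces.<name>.allowedTCPPorts` instead of the global list. `services.displayManager.autoLogin` for `toinux`, who is in `wheel` and `docker` (the latter is root-equivalent), means a console session needs no credential at all; a comment stating why that is acceptable for this machine's physical exposure would help the next reviewer.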
@@ -0,0 +1,98 @@
+# Example to create a bios compatible gpt partition
+{ lib, targetConfig, ... }:
+{
+ disko.devices = {
+ disk.disk1 =
+ let
+ crypted = targetConfig ? crypted && targetConfig.crypted;
+
+ lv_PV = {
+ type = "lvm_pv";
+ vg = "ROOT";
+ };
+ in
+ {
+ device = lib.mkDefault "${targetConfig.bootdisk}";
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ boot = {
+ size = "1M";
+ type = "EF02"; # for grub MBR
+ };
+
+ ESP = {
+ size = "512M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ };
+ };
+
+ root = lib.mkIf (!crypted) {
+ size = "100%";
+
+ content = lv_PV;
+ };
+
+ cryptroot = lib.mkIf (crypted) {
+ size = "100%";
+ content = {
+ type = "luks";
+ name = "crypted";
+ extraOpenArgs = [ ];
+ passwordFile = "/tmp/secret.key";
+ settings = {
+ # if you want to use the key for interactive login be sure there is no trailing newline
+ # for example use `echo -n "password" > /tmp/secret.key`
+ # keyFile = "/tmp/secret.key";
+ allowDiscards = true;
+ # crypttabExtraOpts = [
+ # "fido2-device=auto"
+ # "token-timeout=5"
+ # ];
+ # yubikey = {
+ # slot = 1;
+ # twoFactor = false; # Set to false for 1FA
+ # gracePeriod = 5; # Time in seconds to wait for Yubikey to be inserted
+ # # keyLength = 64; # Set to $KEY_LENGTH/8
+ # # saltLength = 16; # Set to $SALT_LENGTH
+
+ # storage = {
+ # device = "/dev/nvme0n1p1"; # Be sure to update this to the correct volume
+ # fsType = "vfat";
+ # # path = "/crypt-storage/default";
+ # };
+ # };
+ };
+
+ # additionalKeyFiles = [ "/tmp/additionalSecret.key" ];
+ content = lv_PV;
+ };
+ };
+ };
+ };
+ };
+
+ lvm_vg = {
+ ROOT = {
+ type = "lvm_vg";
+ lvs = {
+
+ root = {
+ size = "100%FREE";
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/";
+ mountOptions = [ "defaults" ];
+ };
+ };
+ };
+ };
+ };
+ };
+}
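Review bot: `passwordFile = "/tmp/secret.key"` (and the commented `keyFile` pointing at the same path) reads the LUKS passphrase from a world-accessible directory on the installing host, and nothing in the file says who creates it, with what permissions, or that it must be removed once disko has run; add a comment beside it, e.g. `# created by the installer (mode 0600) immediately before formatting and deleted afterwards; never commit a real key here`. `device = lib.mkDefault "${targetConfig.bootdisk}"` interpolates a string into a string — `lib.mkDefault targetConfig.bootdisk` is equivalent and clearer. The header `# Example to create a bios compatible gpt partition` reads like a generic example header; it should describe this layout (GPT with a 1M `EF02` grub stub, a 512M ESP, and an LVM root that is LUKS-wrapped when `targetConfig.crypted` is set).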
diff --git a/hosts/clients/NIXP/hardware-configuration.nix b/hosts/clients/NIXP/hardware-configuration.nix new file mode 100644 index 0000000..8fc0e08 --- /dev/null +++ b/hosts/clients/NIXP/hardware-configuration.nix @@ -0,0 +1,51 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ + config, + lib, + pkgs, + modulesPath, + ... +}: + +{ + imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; + + boot.initrd.availableKernelModules = [ + "ahci" + "xhci_pci" + "virtio_pci" + "virtio_scsi" + "sr_mod" + "virtio_blk" + ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = { + device = "/dev/disk/by-uuid/9b429ee7-a74a-4580-ab64-b7a66cb56424"; + fsType = "ext4"; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/F286-D1A0"; + fsType = "vfat"; + options = [ + "fmask=0022" + "dmask=0022" + ]; + }; + + swapDevices = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} diff --git a/hosts/clients/NIXP/network-configuration.nix b/hosts/clients/NIXP/network-configuration.nix new file mode 100644 index 0000000..c91cc5c --- /dev/null +++ b/hosts/clients/NIXP/network-configuration.nix 
@@ -0,0 +1,55 @@ +{ ... }: +{ + networking = { + #nameservers = [ "1.3.3.7" ]; + + interfaces = { + ens18.useDHCP = true; + + ens19 = { + + # ipv4.addresses = [ + # { + # address = "185.10.17.209"; + # prefixLength = 24; + # } + # ]; + + ipv6 = { + routes = [ + { + address = "2a13:79c0:ff00::"; + prefixLength = 40; + via = "2a13:79c0:ffff:feff:b00b:caca:b173:25"; + } + ]; + addresses = [ + { + address = "2a13:79c0:ffff:feff:b00b:caca:b173:96"; + prefixLength = 112; + } + ]; + }; + }; + }; + + # defaultGateway = { + # address = "185.10.17.254"; + # metric = 42; + # interface = iface; + # }; + + # defaultGateway6 = { + # address = "2a13:79c0:ffff:feff:b00b:3965:113:25"; + # metric = 42; + # interface = kittenIFACE; + # }; + + useDHCP = false; + useNetworkd = true; + #dhcpcd.enable = false; + }; + + systemd.network.enable = true; + +} diff --git a/hosts/clients/NIXP/packages.nix b/hosts/clients/NIXP/packages.nix new file mode 100644 index 0000000..600cf96 --- /dev/null +++ b/hosts/clients/NIXP/packages.nix @@ -0,0 +1,23 @@ +{ config, pkgs, ... }: +{ + # kittenModules.rhabbit-consumer.enable = true; + # List packages installed in system profile. To search, run: + # $ nix search wget + environment.systemPackages = with pkgs; [ + vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default. + vscode + git + htop + tmux + # wget + unstable.nix-output-monitor + nixfmt + ripgrep + tree + tmate + colmena + npins + nix-top + unstable.sops + ]; +} From 949e000eba53b80d6f1ec6001b523eb4ce4a1507 Mon Sep 17 00:00:00 2001 
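Review bot: `ens19` gets a static global IPv6 address and a route for `2a13:79c0:ff00::/40` in `network-configuration.nix`, but no default route is defined (both `defaultGateway` blocks are commented out), so any default route the host has must come from DHCP on `ens18`; a comment stating that split, e.g. `# ens18: DHCP uplink (default route); ens19: static kitten network, only 2a13:79c0:ff00::/40 routed`, would save the next reader working it out. In `packages.nix` (the second hunk on this line) `config` is bound but never used, and `unstable.nix-output-monitor`/`unstable.sops` depend on an `unstable` attribute supplied by an overlay outside this commit — worth a comment where they are listed.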
From: Antoine 'Toinux' Wam Date: Sat, 28 Dec 2024 19:02:56 +0100 Subject: [PATCH 20/74] + hosts/postgres + hosts/postgres/default.nix: + hosts/postgres/kit-postgresql-nte/default.nix: + hosts/postgres/kit-postgresql-nte/hardware-configuration.nix: + hosts/postgres/kit-postgresql-nte/network-configuration.nix: + hosts/postgres/packages.nix: + hosts/postgres/postgres.nix: --- hosts/postgres/default.nix | 40 +++++++ hosts/postgres/kit-postgresql-nte/default.nix | 106 ++++++++++++++++++ .../hardware-configuration.nix | 36 ++++++ .../network-configuration.nix | 54 +++++++++ hosts/postgres/packages.nix | 17 +++ hosts/postgres/postgres.nix | 33 ++++++ 6 files changed, 286 insertions(+) create mode 100644 hosts/postgres/default.nix create mode 100644 hosts/postgres/kit-postgresql-nte/default.nix create mode 100644 hosts/postgres/kit-postgresql-nte/hardware-configuration.nix create mode 100644 hosts/postgres/kit-postgresql-nte/network-configuration.nix create mode 100644 hosts/postgres/packages.nix create mode 100644 hosts/postgres/postgres.nix diff --git a/hosts/postgres/default.nix b/hosts/postgres/default.nix new file mode 100644 index 0000000..2130780 --- /dev/null +++ b/hosts/postgres/default.nix 
@@ -0,0 +1,40 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page, on +# https://search.nixos.org/options and in the NixOS manual (`nixos-help`). + +{ + config, + lib, + pkgs, + ... +}: + +{ + imports = [ + # ./firewall.nix # TODO: Remove + ./postgres.nix + ./packages.nix + ]; + + kittenModules = { + loopback0 = { + enable = lib.mkDefault true; + }; + }; + + # Configure network proxy if necessary + # networking.proxy.default = "http://user:password@proxy:port/"; + # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; + + # Select internationalisation properties. + i18n.defaultLocale = "en_US.UTF-8"; + + # FireWall + networking.firewall.allowedTCPPorts = [ 5432 ]; + networking.firewall.allowedUDPPorts = [ 5432 ]; + + # Net Basics + networking.useNetworkd = true; + systemd.network.enable = true; + systemd.network.wait-online.enable = false; +} diff --git a/hosts/postgres/kit-postgresql-nte/default.nix b/hosts/postgres/kit-postgresql-nte/default.nix new file mode 100644 index 0000000..b7067fe --- /dev/null +++ b/hosts/postgres/kit-postgresql-nte/default.nix 
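Review bot: `networking.firewall.allowedTCPPorts = [ 5432 ]` opens PostgreSQL on every interface, including the global-unicast 2a13:79c0:… address that the host's network-configuration assigns to ens18, and `networking.firewall.allowedUDPPorts = [ 5432 ]` opens a port PostgreSQL never listens on (it is TCP-only). Scope the rule to the interface the clients actually use, e.g. `networking.firewall.interfaces.ens19.allowedTCPPorts = [ 5432 ];`, and drop the UDP line. The `# ./firewall.nix # TODO: Remove` import comment is copied verbatim from the homerouters group; if no firewall.nix exists for the postgres group the comment is only noise.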
@@ -0,0 +1,106 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page +# and in the NixOS manual (accessible by running ‘nixos-help’). + +{ + name, + nodes, + lib, + pkgs, + ... +}: +let + diskoProfile = "simple"; + diskoConfig = { + bootdisk = "/dev/vda"; + }; +in +{ + imports = [ + # Include the results of the hardware scan. + ../default.nix + ./hardware-configuration.nix + ./network-configuration.nix + ]; + + deployment = { + # Disable SSH deployment. This node will be skipped in a + # normal`colmena apply`. + targetUser = "root"; + targetHost = "2a13:79c0:ffff:feff:b00b:3615:1:907"; # TODO: put HostName + }; + + # Bootloader. + boot.loader.systemd-boot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + + kittenModules = { + # network = { + # enable = true; + # interface = "ens18"; + # address = ""; + # }; + + disko = { + enable = true; + profile = diskoProfile; + ${diskoProfile} = diskoConfig; + }; + + # firewall = { + # enable = true; + # forward = { + # enable = true; + # # stateless = true; + # rules = '' + # iifname $wireguardIFACEs oifname "vlan36" ip6 daddr 2a13:79c0:ffff:feff:b00b:3615:1:0/112 counter accept + # oifname $wireguardIFACEs iifname "vlan36" ip6 saddr 2a13:79c0:ffff:feff:b00b:3615:1:0/112 counter accept + # ''; + # }; + # }; + }; + # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. + + # Configure network proxy if necessary + # networking.proxy.default = "http://user:password@proxy:port/"; + # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; + + # Set your time zone. + time.timeZone = "Europe/Paris"; + + # Select internationalisation properties. 
+ i18n.defaultLocale = "en_US.UTF-8"; + + i18n.extraLocaleSettings = { + LC_ADDRESS = "fr_FR.UTF-8"; + LC_IDENTIFICATION = "fr_FR.UTF-8"; + LC_MEASUREMENT = "fr_FR.UTF-8"; + LC_MONETARY = "fr_FR.UTF-8"; + LC_NAME = "fr_FR.UTF-8"; + LC_NUMERIC = "fr_FR.UTF-8"; + LC_PAPER = "fr_FR.UTF-8"; + LC_TELEPHONE = "fr_FR.UTF-8"; + LC_TIME = "fr_FR.UTF-8"; + }; + + programs.mtr.enable = true; + + # List services that you want to enable: + + # Enable the OpenSSH daemon. + services.openssh.enable = true; + + # Open ports in the firewall. + networking.firewall.allowedTCPPorts = [ ]; + networking.firewall.allowedUDPPorts = [ ]; + # Or disable the firewall altogether. + networking.firewall.enable = lib.mkDefault true; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + # system.stateVersion = "23.11"; # Did you read the comment? +} diff --git a/hosts/postgres/kit-postgresql-nte/hardware-configuration.nix b/hosts/postgres/kit-postgresql-nte/hardware-configuration.nix new file mode 100644 index 0000000..4c7034d --- /dev/null +++ b/hosts/postgres/kit-postgresql-nte/hardware-configuration.nix 
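Review bot: The comment above `deployment` says "Disable SSH deployment. This node will be skipped in a normal `colmena apply`", but the block does the opposite — it sets `targetUser = "root"` and a `targetHost`, so the node is deployed over SSH as root; replace it with something like `# Colmena deployment target; replace the literal address with a hostname (see TODO).`. Separately, `system.stateVersion` is commented out at the end of the hunk, which matters for a PostgreSQL host: the default `services.postgresql.package` is chosen from `system.stateVersion`, so if stateVersion falls back to the current release a later nixpkgs bump can select a newer major version that cannot open the existing data directory. Pin `system.stateVersion = "<release at first install>";` to the release the data directory was created under.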
@@ -0,0 +1,36 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ + config, + lib, + pkgs, + modulesPath, + ... +}: + +{ + imports = [ + (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ + "ata_piix" + "uhci_hcd" + "virtio_pci" + "sr_mod" + "virtio_blk" + ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.ens18.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} diff --git a/hosts/postgres/kit-postgresql-nte/network-configuration.nix b/hosts/postgres/kit-postgresql-nte/network-configuration.nix new file mode 100644 index 0000000..6a8d776 --- /dev/null +++ b/hosts/postgres/kit-postgresql-nte/network-configuration.nix 
@@ -0,0 +1,54 @@ +{ ... }: +let + kittenIface = "ens18"; +in +{ + networking = { + nameservers = [ "2620:fe::fe" ]; + + interfaces = { + # ens18.useDHCP = true; + + ens19 = { + ipv4 = { + addresses = [ + { + address = "10.200.2.110"; + prefixLength = 24; + } + ]; + }; + }; + + ${kittenIface} = { + ipv6 = { + routes = [ + { + address = "2a13:79c0:ff00::"; + prefixLength = 40; + via = "2a13:79c0:ffff:feff:b00b:3615:1:6969"; + } + ]; + addresses = [ + { + address = "2a13:79c0:ffff:feff:b00b:3615:1:907"; + prefixLength = 112; + } + ]; + }; + }; + }; + + defaultGateway6 = { + address = "2a13:79c0:ffff:feff:b00b:3615:1:6969"; + metric = 42; + interface = kittenIface; + }; + + useDHCP = false; + useNetworkd = true; + #dhcpcd.enable = false; + }; + + systemd.network.enable = true; +} diff --git a/hosts/postgres/packages.nix b/hosts/postgres/packages.nix new file mode 100644 index 0000000..a463cc3 --- /dev/null +++ b/hosts/postgres/packages.nix @@ -0,0 +1,17 @@ +{ config, pkgs, ... }: +let +in +#unstable = import { config = baseconfig; }; +{ + # kittenModules.rhabbit-consumer.enable = true; + # List packages installed in system profile. To search, run: + # $ nix search wget + environment.systemPackages = with pkgs; [ + vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default. + git + htop + tmux + tree + tmate + ]; +} diff --git a/hosts/postgres/postgres.nix b/hosts/postgres/postgres.nix new file mode 100644 index 0000000..143159a --- /dev/null +++ b/hosts/postgres/postgres.nix 
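Review bot: `nameservers = [ "2620:fe::fe" ]` gives this host an IPv6-only resolver while ens19 carries the only IPv4 address (`10.200.2.110/24`) and no IPv4 gateway, so name resolution depends entirely on the `defaultGateway6` path over ens18 being up; if that is intended, a comment next to `nameservers` should say so. The explicit route to `2a13:79c0:ff00::/40` uses the same next hop as `defaultGateway6`, so it adds nothing unless the module treats the two differently — drop it or comment why both exist. The `#dhcpcd.enable = false;` leftover can go as well, since `useNetworkd = true` already makes dhcpcd irrelevant.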
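Review bot: `let` followed immediately by `in` in packages.nix binds nothing, and the `#unstable = import { config = baseconfig; };` comment between `in` and the attribute set is leftover scaffolding that references a `baseconfig` this file never defines. Remove the `let`/`in` pair and the comment, or bind something real there. The `# kittenModules.rhabbit-consumer.enable = true;` line is the same copy-paste residue seen in the NIXP packages file.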
@@ -0,0 +1,33 @@
+{ lib, ... }: {
+ services.postgresql = {
+ enable = lib.mkDefault true;
+ # ... conf ...
+
+ ensureDatabases = [ "netbox" ];
+
+ ensureUsers = [
+ {
+ name = "superkitten";
+ ensureClauses = {
+ # superuser = true;
+ createrole = true;
+ createdb = true;
+ login = true;
+ };
+ }
+ {
+ name = "netbox";
+ ensureDBOwnership = true;
+ ensureClauses = {
+ login = true;
+ };
+ }
+ ];
+
+ enableTCPIP = lib.mkDefault true;
+
+# settings = {
+# listen_addresses = "";
+# };
+ };
+}
From 230dfedcb1bdd30e16d19d2ac86dc24615605e5a Mon Sep 17 00:00:00 2001
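Review bot: `enableTCPIP = lib.mkDefault true` with `settings.listen_addresses` left commented out makes PostgreSQL bind every address of the host, including the 2a13:79c0:… address on ens18, while `hosts/postgres/default.nix` opens TCP 5432 in the firewall; the only remaining barrier is then `pg_hba.conf`, and no `services.postgresql.authentication` rules are declared here (the NixOS default, as far as I recall, permits host connections only from loopback). If remote access is meant only from the 10.200.2.0/24 side, set `settings.listen_addresses = "10.200.2.110";` and add an `authentication` entry scoped to that subnet with `scram-sha-256`; if remote access is not meant at all, leave `enableTCPIP` false. The `netbox` and `superkitten` roles are created with `login = true` but no password, so until one is set they are reachable only through the local `peer` method — a comment saying that would stop someone assuming the TCP path already works.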
From: Antoine 'Toinux' Wam Date: Sat, 28 Dec 2024 19:02:56 +0100 Subject: [PATCH 21/74] + hosts/homerouters + hosts/homerouters/aure-home-kitrtr/__default.nix: ~ hosts/homerouters/aure-home-kitrtr/default.nix: + hosts/homerouters/aure-home-kitrtr/network-configuration.nix: ~ hosts/homerouters/aure-home-kitrtr/peers/KIT-IG1-RTR.nix: ~ hosts/homerouters/default.nix: + hosts/homerouters/romain-home-kitrtr/_default.nix: ~ hosts/homerouters/romain-home-kitrtr/default.nix: + hosts/homerouters/romain-home-kitrtr/network-configuration.nix: ~ hosts/homerouters/romain-home-kitrtr/peers/KIT-IG1-RTR.nix: ~ hosts/homerouters/romain-home-kitrtr/peers/default.nix: + hosts/homerouters/toinux-home-kitrtr/__default.nix: ~ hosts/homerouters/toinux-home-kitrtr/default.nix: + hosts/homerouters/toinux-home-kitrtr/network-configuration.nix: ~ hosts/homerouters/toinux-home-kitrtr/peers/default.nix: --- .../aure-home-kitrtr/__default.nix | 43 +++++ .../homerouters/aure-home-kitrtr/default.nix | 147 ++++++++++++++---- .../network-configuration.nix | 50 ++++++ .../aure-home-kitrtr/peers/KIT-IG1-RTR.nix | 12 +- hosts/homerouters/default.nix | 71 +++++++-- .../romain-home-kitrtr/_default.nix | 34 ++++ .../romain-home-kitrtr/default.nix | 132 +++++++++++++--- .../network-configuration.nix | 54 +++++++ .../romain-home-kitrtr/peers/KIT-IG1-RTR.nix | 6 +- .../romain-home-kitrtr/peers/default.nix | 9 +- .../toinux-home-kitrtr/__default.nix | 24 +++ .../toinux-home-kitrtr/default.nix | 120 ++++++++++++-- .../network-configuration.nix | 54 +++++++ .../toinux-home-kitrtr/peers/default.nix | 5 +- 14 files changed, 663 insertions(+), 98 deletions(-) create mode 100644 hosts/homerouters/aure-home-kitrtr/__default.nix create mode 100644 hosts/homerouters/aure-home-kitrtr/network-configuration.nix create mode 100644 hosts/homerouters/romain-home-kitrtr/_default.nix create mode 100644 hosts/homerouters/romain-home-kitrtr/network-configuration.nix create mode 100644 
hosts/homerouters/toinux-home-kitrtr/__default.nix create mode 100644 hosts/homerouters/toinux-home-kitrtr/network-configuration.nix diff --git a/hosts/homerouters/aure-home-kitrtr/__default.nix b/hosts/homerouters/aure-home-kitrtr/__default.nix new file mode 100644 index 0000000..ea98b9d --- /dev/null +++ b/hosts/homerouters/aure-home-kitrtr/__default.nix @@ -0,0 +1,43 @@ +{ ... }: +{ + type = "targetConfig"; + + bootdisk = "/dev/vda"; + diskTemplate = "simple_singleFullRoot"; + + # mainSerial = 0; + + birdConfig = { + # inherit transitInterface; + + # router-id = ; + + # loopback4 = ""; + # loopback6 = "2a13:79c0:ffff:fefe::22f0"; + + # transitIFACEs = [ "ens19" ]; + + extraForwardRules = '' + iifname "ens19" ip6 saddr 2a13:79c0:ffff:feff:b00b:caca:b173:0/112 oifname "KIT_IG1_RTR" counter accept + + ct state vmap { + established : accept, + related : accept, + # invalid : jump forward-allow, + # new : jump forward-allow, + # untracked : jump forward-allow, + } + ''; + + static6 = [ + "::/0 recursive 2a13:79c0:ffff:fefe::b00b" + + # "2a13:79c0:ffff:feff:b00b:caca:b173:0/112 unreachable" # Direct on ens19 + "2a13:79c0:fffe:100::/56 unreachable" + + #"2a13:79c0:ffff::/48 unreachable" # Networking stuff + #"2a13:79c0:ffff:fefe::/64 unreachable" # LoopBacks + #"2a13:79c0:ff00::/40 unreachable" # full range /40 + ]; + }; +} diff --git a/hosts/homerouters/aure-home-kitrtr/default.nix b/hosts/homerouters/aure-home-kitrtr/default.nix index a23b737..2a32755 100644 --- a/hosts/homerouters/aure-home-kitrtr/default.nix +++ b/hosts/homerouters/aure-home-kitrtr/default.nix 
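Review bot: This file is the pre-refactor `targetConfig` attribute set kept under a `__`-prefixed name, and nothing in this commit imports it (the same applies to `romain-home-kitrtr/_default.nix` and `toinux-home-kitrtr/__default.nix`); its `extraForwardRules` also differ from the live rules in `default.nix` (`iifname "ens19" … oifname "KIT_IG1_RTR"` here versus `oifname $wireguardIFACEs` there), so a reader comparing the two can take the wrong one as current. If these are kept as archives, a first-line comment such as `# Archived targetConfig from before the kittenModules migration; not imported anywhere.` makes that explicit; otherwise delete them.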
@@ -1,44 +1,131 @@ -{ ... }: +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page, on +# https://search.nixos.org/options and in the NixOS manual (`nixos-help`). + +args@{ + config, + # targetConfig, + lib, + pkgs, + ... +}: +let + iface = "ens18"; + kittenIFACE = "ens19"; + diskoProfile = "simple"; + diskoConfig = { + bootdisk = "/dev/vda"; + }; + + peers = (import ./peers (args // { })); + + wgPeers = ( + lib.mapAttrs (n: v: v.wireguard) (lib.filterAttrs (n: v: v ? wireguard && v.wireguard != { }) peers) + ); + + birdPeers = (lib.mapAttrs (n: v: builtins.removeAttrs v [ "wireguard" ]) peers); +in { - type = "targetConfig"; + #imports = [ ./wireguard.nix ]; + # Bootloader. + #boot.loader.systemd-boot.enable = true; + #boot.loader.systemd-boot.configurationLimit = 5; + #boot.loader.efi.canTouchEfiVariables = true; + boot.loader.grub.efiSupport = false; + boot.loader.grub.enable = true; + # boot.loader.grub.efiInstallAsRemovable = true; + # boot.loader.efi.efiSysMountPoint = "/boot/efi"; + # Define on which hard drive you want to install Grub. + #boot.loader.grub.devices = [ "${targetConfig.bootdisk}" ]; # or "nodev" for efi only + + imports = [ + # Include the results of the hardware scan. 
+ ../default.nix + ./hardware-configuration.nix + ./network-configuration.nix + # ./packages.nix - bootdisk = "/dev/vda"; - diskTemplate = "simple_singleFullRoot"; + ../../../modules/system/kitten/connect/bird2/snippets/kittendefaults.nix + ]; - interface = "ens18"; - # mainSerial = 0; + kittenModules = { + disko = { + enable = true; + profile = diskoProfile; - birdConfig = { - # inherit transitInterface; + ${diskoProfile} = diskoConfig; + }; - # router-id = ; + loopback0 = { + enable = true; + ipv6 = [ "2a13:79c0:ffff:fefe::22f0" ]; + }; - # loopback4 = ""; - loopback6 = "2a13:79c0:ffff:fefe::22f0"; + bird = { + enable = true; + loopback6 = "2a13:79c0:ffff:fefe::22f0"; - # transitIFACEs = [ "ens19" ]; + static6 = [ + "::/0 recursive 2a13:79c0:ffff:fefe::b00b" - extraForwardRules = '' - iifname "ens19" ip6 saddr 2a13:79c0:ffff:feff:b00b:caca:b173:0/112 oifname "KIT_IG1_RTR" counter accept + # "2a13:79c0:ffff:feff:b00b:caca:b173:0/112 unreachable" # Direct on ens19 + "2a13:79c0:fffe:100::/56 unreachable" - ct state vmap { - established : accept, - related : accept, - # invalid : jump forward-allow, - # new : jump forward-allow, - # untracked : jump forward-allow, - } - ''; + #"2a13:79c0:ffff::/48 unreachable" # Networking stuff + #"2a13:79c0:ffff:fefe::/64 unreachable" # LoopBacks + #"2a13:79c0:ff00::/40 unreachable" # full range /40 + ]; - static6 = [ - "::/0 recursive 2a13:79c0:ffff:fefe::b00b" + peers = birdPeers; + }; - # "2a13:79c0:ffff:feff:b00b:caca:b173:0/112 unreachable" # Direct on ens19 - "2a13:79c0:fffe:100::/56 unreachable" + wireguard = { + enable = true; - #"2a13:79c0:ffff::/48 unreachable" # Networking stuff - #"2a13:79c0:ffff:fefe::/64 unreachable" # LoopBacks - #"2a13:79c0:ff00::/40 unreachable" # full range /40 - ]; + peers = wgPeers; + }; + + firewall = { + forward = { + enable = true; + rules = '' + iifname "${kittenIFACE}" ip6 saddr 2a13:79c0:ffff:feff:b00b:caca:b173:0/112 oifname $wireguardIFACEs counter accept + + ct state vmap { + 
established : accept, + related : accept, + # invalid : jump forward-allow, + # new : jump forward-allow, + # untracked : jump forward-allow, + } + ''; + }; + }; }; + + # Set your time zone. + time.timeZone = "Europe/Paris"; + + nixpkgs.config.allowUnfree = true; + # Configure network proxy if necessary + # networking.proxy.default = "http://user:password@proxy:port/"; + # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; + + # This option defines the first version of NixOS you have installed on this particular machine, + # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. + # + # Most users should NEVER change this value after the initial install, for any reason, + # even if you've upgraded your system to a new NixOS release. + # + # This value does NOT affect the Nixpkgs version your packages and OS are pulled from, + # so changing it will NOT upgrade your system. + # + # This value being lower than the current NixOS release does NOT mean your system is + # out of date, out of support, or vulnerable. + # + # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration, + # and migrated your data accordingly. + # + # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion . + system.stateVersion = "23.11"; # Did you read the comment? } diff --git a/hosts/homerouters/aure-home-kitrtr/network-configuration.nix b/hosts/homerouters/aure-home-kitrtr/network-configuration.nix new file mode 100644 index 0000000..4a1fe82 --- /dev/null +++ b/hosts/homerouters/aure-home-kitrtr/network-configuration.nix 
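Review bot: `kittenModules.firewall` on this host sets only `forward.enable = true` and `forward.rules`, whereas the romain and toinux hosts in the same commit also set `firewall.enable = true`; unless the module enables itself when `forward.enable` is set, the forward rules on aure never materialise. Add `enable = true;` at the top of the `firewall` block, or comment why aure differs. `iface = "ens18"` in the `let` is unused in this file (only `kittenIFACE` is interpolated) and can be dropped. The `ct state vmap` covers only `established` and `related`; what happens to `new` traffic that misses the first accept depends on the module's chain policy, which is worth stating in a comment next to the rule.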
@@ -0,0 +1,50 @@ +{ ... }: +let + iface = "ens18"; + kittenIFACE = "ens19"; +in +{ + # Pick only one of the below networking options. + # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. + # networking.networkmanager.enable = true; # Easiest to use and most distros use this by default. + networking = { + #nameservers = [ "1.3.3.7" ]; + interfaces = { + "${iface}".useDHCP = true; + + "${kittenIFACE}" = { + + # ipv4.addresses = [ + # { + # address = "185.10.17.209"; + # prefixLength = 24; + # } + # ]; + + ipv6.addresses = [ + { + address = "2a13:79c0:ffff:feff:b00b:caca:b173:25"; + prefixLength = 112; + } + ]; + }; + }; + + # defaultGateway = { + # address = "185.10.17.254"; + # metric = 42; + # interface = iface; + # }; + + # defaultGateway6 = { + # address = "fe80::1"; + # metric = 42; + # interface = iface; + # }; + + useDHCP = false; + #dhcpcd.enable = false; + }; + + systemd.network.enable = true; +} diff --git a/hosts/homerouters/aure-home-kitrtr/peers/KIT-IG1-RTR.nix b/hosts/homerouters/aure-home-kitrtr/peers/KIT-IG1-RTR.nix index 54a52dc..5254198 100644 --- a/hosts/homerouters/aure-home-kitrtr/peers/KIT-IG1-RTR.nix +++ b/hosts/homerouters/aure-home-kitrtr/peers/KIT-IG1-RTR.nix @@ -17,14 +17,14 @@ in template = "kittunderlay"; bgpMED = 100; ipv6 = { - #imports = null; - imports = x: "filter filter6_IN_BGP_${toString x}"; - #exports = [ "2a12:dd47:9330::/44" ]; + #bgpImports = null; + bgpImports = "filter filter6_IN_BGP_%s"; + #bgpExports = [ "2a12:dd47:9330::/44" ]; - #exports = null; + #bgpExports = null; }; ipv4 = { - imports = x: "filter filter4_IN_BGP_${toString x}"; - #exports = x: "filter6_IN_BGP_${toString x}"; + bgpImports = "filter filter4_IN_BGP_%s"; + #bgpExports = "filter6_IN_BGP_${toString x}"; }; } diff --git a/hosts/homerouters/default.nix b/hosts/homerouters/default.nix index ea850cf..51ffedc 100644 --- a/hosts/homerouters/default.nix +++ b/hosts/homerouters/default.nix 
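Review bot: `systemd.network.enable = true` is set but `networking.useNetworkd` is not, so this file on its own leaves scripted networking in charge of the addresses it declares; it works only because `../default.nix` in the same commit sets `networking.useNetworkd = true`. Either add `useNetworkd = true;` next to `useDHCP = false;`, as the postgres network-configuration does, or note the dependency in a comment. The commented `defaultGateway6` block points at `fe80::1` on `iface` while the router's upstream is the recursive `::/0` static in bird; if the block is dead, remove it rather than leave two contradictory hints about the default route.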
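Review bot: `bgpImports = "filter filter6_IN_BGP_%s"` replaces a Nix function with a printf-style template, so the `%s` contract (what is substituted, and whether the consumer escapes it) now lives in the bird module rather than in this file; a comment such as `# %s is filled in by the bird module with the peer/table index` keeps the peer file self-explanatory. The romain copy of this file wraps the same values in `lib.mkForce` and this one does not — if `../../_peers` also defines `bgpImports` for this peer, the plain string here may lose the merge; confirm which behaviour is intended and make the two hosts consistent. The leftover `#bgpExports = "filter6_IN_BGP_${toString x}";` comment still uses the old function form and refers to an `x` that no longer exists.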
@@ -1,14 +1,57 @@ -# { -# # toinux-home-kitrtr = import ./toinux-home-kitrtr { }; -# aure-home-kitrtr = import ./aure-home-kitrtr { }; -# } -args@{ lib, ... }: -let - blacklist = [ ]; - folders = builtins.attrNames ( - lib.filterAttrs (n: v: v == "directory" && !lib.hasPrefix "_" n && !builtins.elem n blacklist) ( - builtins.readDir ./. - ) - ); -in -lib.genAttrs folders (folder: (import (./. + "/${folder}") (args // { }))) +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page, on +# https://search.nixos.org/options and in the NixOS manual (`nixos-help`). + +{ + config, + lib, + pkgs, + ... +}: + +{ + imports = [ + # ./firewall.nix # TODO: Remove + ]; + + kittenModules = { + loopback0 = { + enable = lib.mkDefault true; + }; + }; + + # Configure network proxy if necessary + # networking.proxy.default = "http://user:password@proxy:port/"; + # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; + + # Select internationalisation properties. + i18n.defaultLocale = "en_US.UTF-8"; + + # Net Basics + networking.useNetworkd = true; + systemd.network.enable = true; + systemd.network.wait-online.enable = false; + + # List services that you want to enable: + services.bird2 = { + enable = true; + autoReload = true; + }; + + # This option defines the first version of NixOS you have installed on this particular machine, + # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. + # + # Most users should NEVER change this value after the initial install, for any reason, + # even if you've upgraded your system to a new NixOS release. + # + # This value does NOT affect the Nixpkgs version your packages and OS are pulled from, + # so changing it will NOT upgrade your system. + # + # This value being lower than the current NixOS release does NOT mean your system is + # out of date, out of support, or vulnerable. 
+ # + # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration, + # and migrated your data accordingly. + # + # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion . +} diff --git a/hosts/homerouters/romain-home-kitrtr/_default.nix b/hosts/homerouters/romain-home-kitrtr/_default.nix new file mode 100644 index 0000000..8fa219d --- /dev/null +++ b/hosts/homerouters/romain-home-kitrtr/_default.nix @@ -0,0 +1,34 @@ +{ ... }: +{ + # type = "targetConfig"; + + # bootdisk = "/dev/vda"; + # diskTemplate = "simple_singleFullRoot"; + + # interface = "ens18"; + # mainSerial = 0; + + birdConfig = { + # # inherit transitInterface; + extraForwardRules = '' + iifname $wireguardIFACEs oifname "vlan36" ip6 daddr 2a13:79c0:ffff:feff:b00b:3615:1:0/112 counter accept + oifname $wireguardIFACEs iifname "vlan36" ip6 saddr 2a13:79c0:ffff:feff:b00b:3615:1:0/112 counter accept + ''; + + # # router-id = ; + + # # loopback4 = ""; + # loopback6 = "2a13:79c0:ffff:fefe::22f0"; + + # static6 = [ + # "::/0 recursive 2a13:79c0:ffff:fefe::b00b" + + # # "2a13:79c0:ffff:feff:b00b:caca:b173:0/112 unreachable" # Direct on ens19 + # "2a13:79c0:fffe:100::/56 unreachable" + + # #"2a13:79c0:ffff::/48 unreachable" # Networking stuff + # #"2a13:79c0:ffff:fefe::/64 unreachable" # LoopBacks + # #"2a13:79c0:ff00::/40 unreachable" # full range /40 + # ]; + }; +} diff --git a/hosts/homerouters/romain-home-kitrtr/default.nix b/hosts/homerouters/romain-home-kitrtr/default.nix index 64af35b..f01e2dc 100644 --- a/hosts/homerouters/romain-home-kitrtr/default.nix +++ b/hosts/homerouters/romain-home-kitrtr/default.nix 
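Review bot: The hunk ends with the fifteen-line `system.stateVersion` explanation but no `system.stateVersion` assignment follows it, so the comment documents nothing; either set `system.stateVersion = lib.mkDefault "<release>";` here or remove the comment and leave stateVersion to the per-host files (aure sets `"23.11"`, romain `lib.mkForce "24.05"`). The rewrite also drops the directory-enumeration logic (the `_`-prefixed-folder skip and `blacklist`) that used to build the host set, so whatever imported this file as a function — presumably `hosts/default.nix` — needs a matching change that none of the visible hunks contain. `# ./firewall.nix # TODO: Remove` is repeated verbatim in `hosts/postgres/default.nix`; resolve the TODO once instead of carrying it in both.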
@@ -1,34 +1,120 @@ -{ ... }: +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page, on +# https://search.nixos.org/options and in the NixOS manual (`nixos-help`). + +args@{ + config, + lib, + pkgs, + ... +}: +let + # diskoProfile = "simple"; + # diskoConfig = { + # bootdisk = "/dev/vda"; + # }; + + peers = (import ./peers (args // { })); + + wgPeers = ( + lib.mapAttrs (n: v: v.wireguard) (lib.filterAttrs (n: v: v ? wireguard && v.wireguard != { }) peers) + ); + + birdPeers = (lib.mapAttrs (n: v: builtins.removeAttrs v [ "wireguard" ]) peers); +in { - type = "targetConfig"; + services.xserver.xkb = { + layout = "fr"; + #variant = ""; + }; - bootdisk = "/dev/vda"; - diskTemplate = "simple_singleFullRoot"; + imports = [ + # Include the results of the hardware scan. + ../default.nix + ./hardware-configuration.nix + ./network-configuration.nix + # ./packages.nix - interface = "ens18"; - # mainSerial = 0; + ../../../modules/system/kitten/connect/bird2/snippets/kittendefaults.nix + ]; - birdConfig = { - # # inherit transitInterface; - extraForwardRules = '' - iifname $wireguardIFACEs oifname "vlan36" ip6 daddr 2a13:79c0:ffff:feff:b00b:3615:1:0/112 counter accept - oifname $wireguardIFACEs iifname "vlan36" ip6 saddr 2a13:79c0:ffff:feff:b00b:3615:1:0/112 counter accept - ''; + # Bootloader. + #boot.loader.systemd-boot.enable = true; + #boot.loader.systemd-boot.configurationLimit = 5; + #boot.loader.efi.canTouchEfiVariables = true; + boot.loader.grub.efiSupport = false; + boot.loader.grub.enable = true; + # boot.loader.grub.efiInstallAsRemovable = true; + # boot.loader.efi.efiSysMountPoint = "/boot/efi"; + # Define on which hard drive you want to install Grub. 
+ #boot.loader.grub.devices = [ "${targetConfig.bootdisk}" ]; # or "nodev" for efi only - # # router-id = ; + kittenModules = { + disko = + let + profile = "simple"; + in + { + enable = true; + inherit profile; - # # loopback4 = ""; - # loopback6 = "2a13:79c0:ffff:fefe::22f0"; + ${profile} = { + bootdisk = "/dev/vda"; + }; + }; - # static6 = [ - # "::/0 recursive 2a13:79c0:ffff:fefe::b00b" + firewall = { + enable = true; + forward = { + enable = true; + # stateless = true; + rules = '' + iifname $wireguardIFACEs oifname "vlan36" ip6 daddr 2a13:79c0:ffff:feff:b00b:3615:1:0/112 counter accept + oifname $wireguardIFACEs iifname "vlan36" ip6 saddr 2a13:79c0:ffff:feff:b00b:3615:1:0/112 counter accept + ''; + }; + }; - # # "2a13:79c0:ffff:feff:b00b:caca:b173:0/112 unreachable" # Direct on ens19 - # "2a13:79c0:fffe:100::/56 unreachable" + bird = { + enable = true; + loopback6 = "2a13:79c0:ffff:fefe::2:256"; - # #"2a13:79c0:ffff::/48 unreachable" # Networking stuff - # #"2a13:79c0:ffff:fefe::/64 unreachable" # LoopBacks - # #"2a13:79c0:ff00::/40 unreachable" # full range /40 - # ]; + peers = birdPeers; + }; + + wireguard = { + enable = true; + + peers = wgPeers; + }; + # loopback0 = { # Enabled by bird by default + # enable = true; + # }; }; + + # Set your time zone. + time.timeZone = "Europe/Paris"; + + nixpkgs.config.allowUnfree = true; + # Configure network proxy if necessary + # networking.proxy.default = "http://user:password@proxy:port/"; + # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; + + # This option defines the first version of NixOS you have installed on this particular machine, + # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. + # + # Most users should NEVER change this value after the initial install, for any reason, + # even if you've upgraded your system to a new NixOS release. 
+ # + # This value does NOT affect the Nixpkgs version your packages and OS are pulled from, + # so changing it will NOT upgrade your system. + # + # This value being lower than the current NixOS release does NOT mean your system is + # out of date, out of support, or vulnerable. + # + # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration, + # and migrated your data accordingly. + # + # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion . + system.stateVersion = lib.mkForce "24.05"; # Did you read the comment? } diff --git a/hosts/homerouters/romain-home-kitrtr/network-configuration.nix b/hosts/homerouters/romain-home-kitrtr/network-configuration.nix new file mode 100644 index 0000000..4586f85 --- /dev/null +++ b/hosts/homerouters/romain-home-kitrtr/network-configuration.nix @@ -0,0 +1,54 @@ +{ ... }: +{ + # Pick only one of the below networking options. + # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. + # networking.networkmanager.enable = true; # Easiest to use and most distros use this by default. + networking = { + #nameservers = [ "1.3.3.7" ]; + + vlans = { + vlan36 = { + id = 36; + interface = "ens19"; + }; + }; + + interfaces = { + ens18.useDHCP = true; + + vlan36 = { + + # ipv4.addresses = [ + # { + # address = "185.10.17.209"; + # prefixLength = 24; + # } + # ]; + + ipv6.addresses = [ + { + address = "2a13:79c0:ffff:feff:b00b:3615:1:6969"; + prefixLength = 112; + } + ]; + }; + }; + + # defaultGateway = { + # address = "185.10.17.254"; + # metric = 42; + # interface = iface; + # }; + + # defaultGateway6 = { + # address = "fe80::1"; + # metric = 42; + # interface = iface; + # }; + + useDHCP = false; + #dhcpcd.enable = false; + }; + + systemd.network.enable = true; +} 
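Review bot: `system.stateVersion = lib.mkForce "24.05"` silences a definition conflict instead of explaining it: nothing visible in this commit sets stateVersion for this host anywhere else (`hosts/homerouters/default.nix` carries only the comment), so the `mkForce` is either unnecessary or overrides a module not shown here — a plain assignment, or a comment naming what it overrides, would be clearer. `services.xserver.xkb.layout = "fr"` on a router that enables no display server looks like a leftover from a desktop template. Unlike the aure host, the forward rules here carry no `ct state vmap { established … }` entry, so the two routers treat return traffic differently; if that is deliberate it deserves a comment inside `rules`.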
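Review bot: `vlan36` is created on `ens19` and given `2a13:79c0:ffff:feff:b00b:3615:1:6969/112`, but the parent `ens19` receives no configuration at all; it presumably comes up only as the VLAN's link, and a comment such as `# ens19 carries only the tagged vlan36; no untagged addressing` would make that intent explicit. The commented `defaultGateway`/`defaultGateway6` blocks reference `iface`, which this file never binds (`{ ... }:` with no `let`), so they cannot simply be un-commented. As in the aure file, `networking.useNetworkd` is not set here and relies on `../default.nix`.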
diff --git a/hosts/homerouters/romain-home-kitrtr/peers/KIT-IG1-RTR.nix b/hosts/homerouters/romain-home-kitrtr/peers/KIT-IG1-RTR.nix index f408597..fbaabf4 100644 --- a/hosts/homerouters/romain-home-kitrtr/peers/KIT-IG1-RTR.nix +++ b/hosts/homerouters/romain-home-kitrtr/peers/KIT-IG1-RTR.nix @@ -1,4 +1,4 @@ -{ ... }: +{ lib, ... }: let kittenASN = 4242421945; in @@ -18,13 +18,13 @@ in bgpMED = 100; ipv6 = { #imports = null; - imports = x: "filter filter6_IN_BGP_${toString x}"; + bgpImports = lib.mkForce "filter filter6_IN_BGP_%s"; #exports = [ "2a12:dd47:9330::/44" ]; #exports = null; }; ipv4 = { - imports = x: "filter filter4_IN_BGP_${toString x}"; + bgpImports = lib.mkForce "filter filter4_IN_BGP_%s"; #exports = x: "filter6_IN_BGP_${toString x}"; }; } diff --git a/hosts/homerouters/romain-home-kitrtr/peers/default.nix b/hosts/homerouters/romain-home-kitrtr/peers/default.nix index 309e3f2..a13cde2 100644 --- a/hosts/homerouters/romain-home-kitrtr/peers/default.nix +++ b/hosts/homerouters/romain-home-kitrtr/peers/default.nix @@ -1,6 +1,9 @@ -{ ... }: +x@{ ... }: let - defaultPeers = import ../../_peers { }; + args = x // { + + }; + defaultPeers = import ../../_peers args; in defaultPeers // { @@ -10,7 +13,7 @@ defaultPeers # TRS_virtua6_RS02 = import ./TRS-virtua6-RS02.nix { }; # # Internal Tunnels - KIT_IG1_RTR = import ./KIT-IG1-RTR.nix { }; + KIT_IG1_RTR = import ./KIT-IG1-RTR.nix args; # virtuaNix_PAR = import ./KIT-VIRTUA-EDGE.nix { }; # vultrNix_PAR = import ./KIT-VULTR-EDGE.nix { }; # # LGC_virtua_PAR = import ./KIT-VIRTUA-EDGE.legacy.nix { }; diff --git a/hosts/homerouters/toinux-home-kitrtr/__default.nix b/hosts/homerouters/toinux-home-kitrtr/__default.nix new file mode 100644 index 0000000..10b393e --- /dev/null +++ b/hosts/homerouters/toinux-home-kitrtr/__default.nix 
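Review bot: `args = x // { };` merges `x` with an empty set, so `args` is just `x`; if the empty block is a placeholder for per-host overrides, say so (`# per-host peer overrides go here`), otherwise pass `x` straight to `import ../../_peers` and `import ./KIT-IG1-RTR.nix`. This also changes what `_peers` receives from `{ }` to the caller's full argument set, so any module under `_peers` whose header destructures a fixed set of names without `...` will now fail on the extra attributes — worth checking, since `_peers/default.nix` is not in this commit.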
@@ -0,0 +1,24 @@
+{ ... }:
+{
+ bootdisk = "/dev/vda";
+ diskTemplate = "simple_singleFullRoot";
+
+ interface = "ens18";
+ # mainSerial = 0;
+
+ birdConfig = {
+ # inherit transitInterface;
+
+ # router-id = ;
+
+ # loopback4 = "";
+
+ static6 = [
+ "::/0 recursive 2a13:79c0:ffff:fefe::b00b"
+
+ #"2a13:79c0:ffff::/48 unreachable" # Networking stuff
+ #"2a13:79c0:ffff:fefe::/64 unreachable" # LoopBacks
+ #"2a13:79c0:ff00::/40 unreachable" # full range /40
+ ];
+ };
+}
diff --git a/hosts/homerouters/toinux-home-kitrtr/default.nix b/hosts/homerouters/toinux-home-kitrtr/default.nix
index fa65318..60d2d86 100644
--- a/hosts/homerouters/toinux-home-kitrtr/default.nix
+++ b/hosts/homerouters/toinux-home-kitrtr/default.nix
@@ -1,27 +1,113 @@ -{ ... }: +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page, on +# https://search.nixos.org/options and in the NixOS manual (`nixos-help`). + +args@{ + config, + lib, + pkgs, + ... +}: +let + diskoProfile = "simple"; + diskoConfig = { + bootdisk = "/dev/vda"; + }; + + peers = (import ./peers (args // { })); + + wgPeers = ( + lib.mapAttrs (n: v: v.wireguard) (lib.filterAttrs (n: v: v ? wireguard && v.wireguard != { }) peers) + ); + + birdPeers = (lib.mapAttrs (n: v: builtins.removeAttrs v [ "wireguard" ]) peers); +in { - type = "targetConfig"; + imports = [ + # Include the results of the hardware scan. + ../default.nix + ./hardware-configuration.nix + ./network-configuration.nix + # ./packages.nix + + ../../../modules/system/kitten/connect/bird2/snippets/kittendefaults.nix + ]; - bootdisk = "/dev/vda"; - diskTemplate = "simple_singleFullRoot"; + kittenModules = { + disko = { + enable = true; + profile = diskoProfile; - interface = "ens18"; - # mainSerial = 0; + ${diskoProfile} = diskoConfig; + }; - birdConfig = { - # inherit transitInterface; + firewall = { + enable = true; + forward = { + enable = true; + # stateless = true; + rules = '' + # iifname $wireguardIFACEs oifname "vlan36" ip6 daddr 2a13:79c0:ffff:feff:b00b:3615:1:0/112 counter accept + # oifname $wireguardIFACEs iifname "vlan36" ip6 saddr 2a13:79c0:ffff:feff:b00b:3615:1:0/112 counter accept + ''; + }; + }; - # router-id = ; + bird = { + enable = true; + loopback6 = "2a13:79c0:ffff:fefe::69:25"; - # loopback4 = ""; - loopback6 = "2a13:79c0:ffff:fefe::69:25"; + peers = birdPeers; + }; - static6 = [ - "::/0 recursive 2a13:79c0:ffff:fefe::b00b" + wireguard = { + enable = true; - #"2a13:79c0:ffff::/48 unreachable" # Networking stuff - #"2a13:79c0:ffff:fefe::/64 unreachable" # LoopBacks - #"2a13:79c0:ff00::/40 unreachable" # full range /40 - ]; + peers = wgPeers; + }; + + # loopback0 = { # Enabled by 
bird by default + # enable = true; + # }; }; + + # Bootloader. + #boot.loader.systemd-boot.enable = true; + #boot.loader.systemd-boot.configurationLimit = 5; + #boot.loader.efi.canTouchEfiVariables = true; + boot.loader.grub.efiSupport = false; + boot.loader.grub.enable = true; + # boot.loader.grub.efiInstallAsRemovable = true; + # boot.loader.efi.efiSysMountPoint = "/boot/efi"; + # Define on which hard drive you want to install Grub. + #boot.loader.grub.devices = [ "${targetConfig.bootdisk}" ]; # or "nodev" for efi only + + # Pick only one of the below networking options. + # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. + # networking.networkmanager.enable = true; # Easiest to use and most distros use this by default. + # Set your time zone. + time.timeZone = "Europe/Paris"; + + nixpkgs.config.allowUnfree = true; + # Configure network proxy if necessary + # networking.proxy.default = "http://user:password@proxy:port/"; + # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; + + # This option defines the first version of NixOS you have installed on this particular machine, + # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. + # + # Most users should NEVER change this value after the initial install, for any reason, + # even if you've upgraded your system to a new NixOS release. + # + # This value does NOT affect the Nixpkgs version your packages and OS are pulled from, + # so changing it will NOT upgrade your system. + # + # This value being lower than the current NixOS release does NOT mean your system is + # out of date, out of support, or vulnerable. + # + # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration, + # and migrated your data accordingly. + # + # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion . 
+ system.stateVersion = "23.11"; # Did you read the comment? } diff --git a/hosts/homerouters/toinux-home-kitrtr/network-configuration.nix b/hosts/homerouters/toinux-home-kitrtr/network-configuration.nix new file mode 100644 index 0000000..f960eb6 --- /dev/null +++ b/hosts/homerouters/toinux-home-kitrtr/network-configuration.nix @@ -0,0 +1,54 @@ +{ ... }: +{ + # Pick only one of the below networking options. + # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. + # networking.networkmanager.enable = true; # Easiest to use and most distros use this by default. + networking = { + #nameservers = [ "1.3.3.7" ]; + + # vlans = { + # vlanXX = { + # id = XX; + # interface = "xxx"; + # }; + # }; + + interfaces = { + ens18.useDHCP = true; + + # vlanXX = { + + # # ipv4.addresses = [ + # # { + # # address = "xxx.xx.xx.xx"; + # # prefixLength = 24; + # # } + # # ]; + + # # ipv6.addresses = [ + # # { + # # address = "2a13:79c0:ffff:feff:b00b::xxx"; + # # prefixLength = 112; + # # } + # # ]; + # }; + }; + + # defaultGateway = { + # address = "xx.xx.xx.xx"; + # metric = 42; + # interface = iface; + # }; + + # defaultGateway6 = { + # address = "fe80::1"; + # metric = 42; + # interface = iface; + # }; + + useDHCP = false; + #dhcpcd.enable = false; + }; + + systemd.network.enable = true; +} diff --git a/hosts/homerouters/toinux-home-kitrtr/peers/default.nix b/hosts/homerouters/toinux-home-kitrtr/peers/default.nix index 3e73db0..fc14f7e 100644 --- a/hosts/homerouters/toinux-home-kitrtr/peers/default.nix +++ b/hosts/homerouters/toinux-home-kitrtr/peers/default.nix @@ -22,10 +22,11 @@ let peers = builtins.attrNames ( lib.filterAttrs ( n: v: - lib.hasSuffix ".nix" n + n != "default.nix" + && lib.hasSuffix ".nix" n && !lib.hasPrefix "_" n && !lib.hasPrefix "." n - && !builtins.elem (removeSuffix ".nix" x) blacklist + && !builtins.elem (lib.removeSuffix ".nix" n) blacklist ) (builtins.readDir ./.) ); in 
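Review bot: `kittenModules.firewall.forward.enable = true` is set while every line of `rules` is commented out, so this router's forward policy is entirely the kitten firewall module's default, which is not visible here; state the intent in the block, e.g. `# no explicit forward accepts: module default policy applies (expected: drop)`, so nobody assumes the commented vlan36 rules are live. The removed `static6 = [ "::/0 recursive 2a13:79c0:ffff:fefe::b00b" ... ]` has no counterpart in the new `bird` block, so the default route this host used to originate is gone unless `kittendefaults.nix` supplies it; worth a comment either way. The kept comment `#boot.loader.grub.devices = [ "${targetConfig.bootdisk}" ];` still names the removed `targetConfig`; the value is now `diskoConfig.bootdisk`, and if the disko `simple` profile is what supplies `boot.loader.grub.devices`, a one-line comment next to `boot.loader.grub.enable = true` saying so would save the next person a failed evaluation.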
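Review bot: `systemd.network.enable = true` on the last line starts networkd next to the scripted networking that `networking.interfaces.ens18.useDHCP = true` still drives, so two stacks manage ens18; the NixOS idiom is `networking.useNetworkd = true;` inside the `networking` block, which is what iguane-kit-rtr/network-configuration.nix in this series does, and it translates the `networking.interfaces` declarations into networkd units. The `#nameservers = [ "1.3.3.7" ];` placeholder should either become the real resolvers or be replaced by `# resolvers: taken from DHCP on ens18` if that is the plan.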
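Review bot: The predicate now keys only on the entry name, so a directory or symlink called `foo.nix` beside these peer files would be imported as a peer; adding the `readDir` type pins it to files: `n: v: v == "regular" && n != "default.nix" && lib.hasSuffix ".nix" n && ...`. The `x` → `n` change and the `lib.removeSuffix` qualification fix an undefined-variable error in the old predicate, so this is a bug fix rather than a tweak and deserves a word in the commit message. The enclosing `let` starts before the hunk.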
From 80c64898b9bd582eec09e743a4a47145d45eae29 Mon Sep 17 00:00:00 2001
From: Antoine 'Toinux' Wam
Date: Sat, 28 Dec 2024 19:02:56 +0100
Subject: [PATCH 22/74] ~ hosts/routers/_peers/default.nix:
---
 hosts/routers/_peers/default.nix | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/hosts/routers/_peers/default.nix b/hosts/routers/_peers/default.nix
index 6b7d84e..30562ad 100644
--- a/hosts/routers/_peers/default.nix
+++ b/hosts/routers/_peers/default.nix
@@ -1,5 +1,8 @@
 { ... }:
+let
+ globalPeers = import ../../_peers {};
+in
 {
 # Internal RR
- IG1_RR91 = import ./KIT-IG1-RR91.nix { };
+ inherit (globalPeers) IG1_RR91;
 }
From 775118ba0496162a6d46908ceb02809f68e1ceac Mon Sep 17 00:00:00 2001
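Review bot: `inherit (globalPeers) IG1_RR91;` stops referencing `./KIT-IG1-RR91.nix`, but nothing in this commit removes that local file, so the route reflector is now defined in two places (`hosts/_peers` and `hosts/routers/_peers`) that can drift, for instance if the RR loopback or WireGuard key is rotated in only one copy. Delete the local copy in the same commit, or leave `# IG1_RR91 comes from the global hosts/_peers definition; do not redefine it here`. The arguments this file receives (`{ ... }:`) are not forwarded to `import ../../_peers {}`, unlike the home-router peer sets in this series which pass `args` through; if a global peer file ever needs `lib`, this import is the one that breaks.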
From: Antoine 'Toinux' Wam Date: Sat, 28 Dec 2024 19:02:56 +0100 Subject: [PATCH 23/74] + hosts/routers/iguane-kit-rtr/ ~ hosts/routers/iguane-kit-rtr/hardware-configuration.nix: + hosts/routers/iguane-kit-rtr/network-configuration.nix: ~ hosts/routers/iguane-kit-rtr/peers/KIT-VIRTUA-EDGE.nix: ~ hosts/routers/iguane-kit-rtr/peers/KIT-VULTR-EDGE.nix: ~ hosts/routers/iguane-kit-rtr/peers/KIT-aurelien-RBR.nix: ~ hosts/routers/iguane-kit-rtr/peers/KIT-roumain-NTE.nix: ~ hosts/routers/iguane-kit-rtr/peers/KIT-roumainNix-NTE.nix: ~ hosts/routers/iguane-kit-rtr/peers/KIT-toinux-MEL1.nix: ~ hosts/routers/iguane-kit-rtr/peers/default.nix: + hosts/routers/iguane-kit-rtr/__default.nix: --- hosts/routers/iguane-kit-rtr/__default.nix | 35 ++++ hosts/routers/iguane-kit-rtr/default.nix | 150 ++++++++++++++---- .../iguane-kit-rtr/hardware-configuration.nix | 2 +- .../iguane-kit-rtr/network-configuration.nix | 58 +++++++ .../iguane-kit-rtr/peers/KIT-VIRTUA-EDGE.nix | 12 +- .../iguane-kit-rtr/peers/KIT-VULTR-EDGE.nix | 12 +- .../iguane-kit-rtr/peers/KIT-aurelien-RBR.nix | 12 +- .../iguane-kit-rtr/peers/KIT-roumain-NTE.nix | 12 +- .../peers/KIT-roumainNix-NTE.nix | 14 +- .../iguane-kit-rtr/peers/KIT-toinux-MEL1.nix | 12 +- .../routers/iguane-kit-rtr/peers/default.nix | 4 +- 11 files changed, 248 insertions(+), 75 deletions(-) create mode 100644 hosts/routers/iguane-kit-rtr/__default.nix create mode 100644 hosts/routers/iguane-kit-rtr/network-configuration.nix diff --git a/hosts/routers/iguane-kit-rtr/__default.nix b/hosts/routers/iguane-kit-rtr/__default.nix new file mode 100644 index 0000000..40495f7 --- /dev/null +++ b/hosts/routers/iguane-kit-rtr/__default.nix 
@@ -0,0 +1,35 @@ +{ ... }: +{ + ### type = "targetConfig"; + + # mainSerial = 0; + + birdConfig = { + # inherit transitInterface; + + # router-id = ; + + # loopback4 = ""; + # extra interfaces part of KittenNetwork (local-eth for ex) + # allowedInterfaces = [ "bootstrap" ]; + + extraForwardRules = '' + + iifname $kittenIFACEs ip6 daddr 2a13:79c0:ffff:fefe::113:91 tcp dport { 179, 1790 } counter accept + oifname bootstrap ip6 daddr 2a13:79c0:ffff:feff:b00b:3965:222:0/112 counter accept + + ip6 saddr 2a01:cb08:bbb:3700::/64 oifname ens19 counter accept + + iifname ens19 oifname $kittenIFACEs counter accept + ct state vmap { + established : accept, + related : accept, + # invalid : jump forward-allow, + # new : jump forward-allow, + # untracked : jump forward-allow, + } + + # oifname $kittenIFACEs ip6 saddr 2a13:79c0:ffff:fefe::113:91 tcp sport { 179, 1790 } counter accept + ''; + }; +} diff --git a/hosts/routers/iguane-kit-rtr/default.nix b/hosts/routers/iguane-kit-rtr/default.nix index 24961c4..7e69be4 100644 --- a/hosts/routers/iguane-kit-rtr/default.nix +++ b/hosts/routers/iguane-kit-rtr/default.nix 
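Review bot: This archived `__default.nix` keeps the old `birdConfig.extraForwardRules` verbatim and, with its underscore prefix, is never imported; a header such as `# ARCHIVED pre-migration definition (not imported); live rules live in default.nix` would make that clear, or the file can simply go since git keeps it. Note the archived `ct state vmap { established : accept, related : accept, ... }` block is not reproduced in this host's new `firewall.forward.rules`, so the live config now relies on the kitten firewall module to admit established/related traffic.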
@@ -1,50 +1,130 @@ -{ ... }: +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page, on +# https://search.nixos.org/options and in the NixOS manual (`nixos-help`). + +args@{ + config, + lib, + pkgs, + ... +}: +let + diskoProfile = "simple"; + diskoConfig = { + bootdisk = "/dev/vda"; + }; + + peers = (import ./peers (args // { })); + + wgPeers = ( + lib.mapAttrs (n: v: v.wireguard) (lib.filterAttrs (n: v: v ? wireguard && v.wireguard != { }) peers) + ); + + birdPeers = (lib.mapAttrs (n: v: builtins.removeAttrs v [ "wireguard" ]) peers); +in { - type = "targetConfig"; + imports = [ + ./hardware-configuration.nix + ./network-configuration.nix + + ../../../modules/system/kitten/connect/bird2/snippets/kittenCores.nix + ]; - bootdisk = "/dev/vda"; - diskTemplate = "simple_singleFullRoot"; - # profile = "routers"; - interface = "ens18"; - # mainSerial = 0; + deployment = { + # Disable SSH deployment. This node will be skipped in a + # normal`colmena apply`. + targetUser = "root"; + targetHost = "ig1nixrtr"; + }; - birdConfig = { - # inherit transitInterface; + virtualisation.vmVariant.virtualisation.graphics = false; + virtualisation.vmVariant.services.getty.autologinUser = "root"; - # router-id = ; + # Bootloader. + boot.loader.systemd-boot.enable = true; + boot.loader.systemd-boot.configurationLimit = 5; + boot.loader.efi.canTouchEfiVariables = true; - # loopback4 = ""; - loopback6 = "2a13:79c0:ffff:fefe::113:25"; + # boot.loader.grub.efiInstallAsRemovable = true; + # boot.loader.efi.efiSysMountPoint = "/boot/efi"; + # Define on which hard drive you want to install Grub. 
+ #boot.loader.grub.devices = [ "${targetConfig.bootdisk}" ]; # or "nodev" for efi only + kittenModules = { + disko = { + enable = true; + profile = diskoProfile; - static6 = [ - "::/0 recursive 2a13:79c0:ffff:fefe::b00b" + ${diskoProfile} = diskoConfig; + }; - "2a13:79c0:ffff:fefe::113:91/128 via 2a13:79c0:ffff:feff:b00b:3965:113:92" # Announce RouteReflector LoopBack + # loopback0 = { + # enable = true; + # ipv6 = [ "2a13:79c0:ffff:fefe::22f0" ]; + # }; - #"2a13:79c0:ffff::/48 unreachable" # Networking stuff - #"2a13:79c0:ffff:fefe::/64 unreachable" # LoopBacks - #"2a13:79c0:ff00::/40 unreachable" # full range /40 - ]; + bird = { + enable = true; + loopback6 = "2a13:79c0:ffff:fefe::113:25"; - # extra interfaces part of KittenNetwork (local-eth for ex) - # allowedInterfaces = [ "bootstrap" ]; + static6 = [ + "::/0 recursive 2a13:79c0:ffff:fefe::b00b" - extraForwardRules = '' - iifname $kittenIFACEs ip6 daddr 2a13:79c0:ffff:fefe::113:91 tcp dport { 179, 1790 } counter accept - oifname bootstrap ip6 daddr 2a13:79c0:ffff:feff:b00b:3965:222:0/112 counter accept + "2a13:79c0:ffff:fefe::113:91/128 via 2a13:79c0:ffff:feff:b00b:3965:113:92" # Announce RouteReflector LoopBack - ip6 saddr 2a01:cb08:bbb:3700::/64 oifname ens19 counter accept + #"2a13:79c0:ffff::/48 unreachable" # Networking stuff + #"2a13:79c0:ffff:fefe::/64 unreachable" # LoopBacks + #"2a13:79c0:ff00::/40 unreachable" # full range /40 + ]; - iifname ens19 oifname $kittenIFACEs counter accept - ct state vmap { - established : accept, - related : accept, - # invalid : jump forward-allow, - # new : jump forward-allow, - # untracked : jump forward-allow, - } + peers = birdPeers; + }; - # oifname $kittenIFACEs ip6 saddr 2a13:79c0:ffff:fefe::113:91 tcp sport { 179, 1790 } counter accept - ''; + wireguard = { + enable = true; + # defaultIFACE = "ens18"; + peers = wgPeers; + }; + + firewall = { + forward = { + enable = true; + keepInvalidState = true; + rules = '' + # iifname "''${kittenIFACE}" ip6 saddr 
2a13:79c0:ffff:feff:b00b:caca:b173:0/112 oifname $wireguardIFACEs counter accept + iifname $wireguardIFACEs ip6 daddr 2a13:79c0:ffff:fefe::113:91 tcp dport { 179, 1790 } counter accept + oifname bootstrap ip6 daddr 2a13:79c0:ffff:feff:b00b:3965:222:0/112 counter accept + + ip6 saddr 2a01:cb08:bbb:3700::/64 oifname ens19 counter accept + + iifname ens19 oifname $wireguardIFACEs counter accept + ''; + }; + }; }; + + # Set your time zone. + time.timeZone = "Europe/Paris"; + + nixpkgs.config.allowUnfree = true; + # Configure network proxy if necessary + # networking.proxy.default = "http://user:password@proxy:port/"; + # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; + + # This option defines the first version of NixOS you have installed on this particular machine, + # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. + # + # Most users should NEVER change this value after the initial install, for any reason, + # even if you've upgraded your system to a new NixOS release. + # + # This value does NOT affect the Nixpkgs version your packages and OS are pulled from, + # so changing it will NOT upgrade your system. + # + # This value being lower than the current NixOS release does NOT mean your system is + # out of date, out of support, or vulnerable. + # + # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration, + # and migrated your data accordingly. + # + # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion . + system.stateVersion = "23.11"; # Did you read the comment? } diff --git a/hosts/routers/iguane-kit-rtr/hardware-configuration.nix b/hosts/routers/iguane-kit-rtr/hardware-configuration.nix index 9809bde..a5d73d2 100644 --- a/hosts/routers/iguane-kit-rtr/hardware-configuration.nix +++ b/hosts/routers/iguane-kit-rtr/hardware-configuration.nix 
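Review bot: `ip6 saddr 2a01:cb08:bbb:3700::/64 oifname ens19 counter accept` in `firewall.forward.rules` matches on source address only, so a packet arriving over any WireGuard tunnel with that (spoofable) source is forwarded into the ens19 kitten LAN; pin it to the ingress interface, `iifname ens18 ip6 saddr 2a01:cb08:bbb:3700::/64 oifname ens19 counter accept`, assuming ens18 (the DHCP uplink in network-configuration.nix) is where that /64 actually arrives. `iifname ens19 oifname $wireguardIFACEs counter accept` still forwards the entire LAN into every tunnel, which deserves a comment stating it is deliberate. `keepInvalidState = true` replaces the removed `ct state vmap` block; if it means ct-invalid packets are no longer dropped in the forward chain, that loosening needs a one-line justification. The `deployment` comment says SSH deployment is disabled and the node is skipped, but the options set (`targetUser = "root"; targetHost = "ig1nixrtr";`) do the opposite, so the comment should be corrected.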
@@ -28,7 +28,7 @@ # (the default) this is the recommended approach. When using systemd-networkd it's # still possible to use this option, but it's recommended to use it in conjunction # with explicit per-interface declarations with `networking.interfaces..useDHCP`. - networking.useDHCP = lib.mkDefault true; + networking.useDHCP = false; # networking.interfaces.ens18.useDHCP = lib.mkDefault true; # networking.interfaces.ens19.useDHCP = lib.mkDefault true; diff --git a/hosts/routers/iguane-kit-rtr/network-configuration.nix b/hosts/routers/iguane-kit-rtr/network-configuration.nix new file mode 100644 index 0000000..7fa1654 --- /dev/null +++ b/hosts/routers/iguane-kit-rtr/network-configuration.nix @@ -0,0 +1,58 @@ +{ lib, ... }: +let + iface = "ens18"; + kittenIFACE = "ens19"; +in +{ + # Pick only one of the below networking options. + # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. + # networking.networkmanager.enable = true; # Easiest to use and most distros use this by default. + networking = { + useNetworkd = true; + + nftables.tables."nat" = { + family = "inet"; + name = "nat"; + + content = lib.mkAfter '' + chain postrouting { + type nat hook postrouting priority srcnat; policy accept; + ip6 daddr 2a13:79c0:ffff:feff:b00b:3965:222:0/112 oifname "bootstrap" counter masquerade # random,persistent + } + ''; + }; + + firewall = { + allowedTCPPorts = [ 51888 ]; + allowedUDPPorts = [ 51888 ]; + }; + + #nameservers = [ "1.3.3.7" ]; + interfaces = { + "${iface}".useDHCP = true; + + "${kittenIFACE}" = { + + # ipv4.addresses = [ + # { + # address = "185.10.17.209"; + # prefixLength = 24; + # } + # ]; + + ipv6.addresses = [ + { + address = "2a13:79c0:ffff:feff:b00b:3965:113:25"; + prefixLength = 112; + } + ]; + }; + }; + + # defaultGateway = { + # address = "185.10.17.254"; + # metric = 42; + # interface = iface; + # }; + }; +} 
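Review bot: `networking.useDHCP = false;` is hand-edited into hardware-configuration.nix, which nixos-generate-config regenerates, so the change will be silently reverted on the next scan and the kitten interface would come up with DHCP again; the per-host place for it is `network-configuration.nix`, where the sibling toinux-home-kitrtr already sets `useDHCP = false;` inside its `networking` block, while iguane's new `network-configuration.nix` in this commit does not. Moving it lets the generated `lib.mkDefault true` stay untouched so the file remains pure generator output.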
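Review bot: `allowedTCPPorts = [ 51888 ]` opens a TCP port for what, judging by the matching `allowedUDPPorts` entry and the WireGuard peers in this commit, is the WireGuard listener; WireGuard is UDP-only, so the TCP entry exposes a port with no intended listener and should be dropped, and the UDP port would better be derived from the wireguard module than repeated here as a magic number. The `masquerade` line in the `inet nat` table applies IPv6 NAT to everything bound for `2a13:79c0:ffff:feff:b00b:3965:222:0/112` via `bootstrap`, and its `# random,persistent` comment looks like a leftover of the `masquerade random,persistent` syntax that should either be applied or removed. `networking.nftables.tables` only takes effect with `networking.nftables.enable = true`, which this file presumably expects the kitten firewall module to set; a comment saying so would help.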
diff --git a/hosts/routers/iguane-kit-rtr/peers/KIT-VIRTUA-EDGE.nix b/hosts/routers/iguane-kit-rtr/peers/KIT-VIRTUA-EDGE.nix index cc7bf11..56be0f3 100644 --- a/hosts/routers/iguane-kit-rtr/peers/KIT-VIRTUA-EDGE.nix +++ b/hosts/routers/iguane-kit-rtr/peers/KIT-VIRTUA-EDGE.nix @@ -20,14 +20,14 @@ in template = "kittunderlay"; bgpMED = 100; ipv6 = { - #imports = null; - imports = x: "filter filter6_IN_BGP_${toString x}"; - #exports = [ "2a12:dd47:9330::/44" ]; + #bgpImports = null; + bgpImports = "filter filter6_IN_BGP_%s"; + #bgpExportss = [ "2a12:dd47:9330::/44" ]; - #exports = null; + #bgpExportss = null; }; ipv4 = { - imports = x: "filter filter4_IN_BGP_${toString x}"; - #exports = x: "filter6_IN_BGP_${toString x}"; + bgpImports = "filter filter4_IN_BGP_%s"; + #bgpExportss = "filter6_IN_BGP_%s"; }; } diff --git a/hosts/routers/iguane-kit-rtr/peers/KIT-VULTR-EDGE.nix b/hosts/routers/iguane-kit-rtr/peers/KIT-VULTR-EDGE.nix index 7709698..bd91cb9 100644 --- a/hosts/routers/iguane-kit-rtr/peers/KIT-VULTR-EDGE.nix +++ b/hosts/routers/iguane-kit-rtr/peers/KIT-VULTR-EDGE.nix @@ -19,14 +19,14 @@ in template = "kittunderlay"; bgpMED = 100; ipv6 = { - #imports = null; - imports = x: "filter filter6_IN_BGP_${toString x}"; - #exports = [ "2a12:dd47:9330::/44" ]; + #bgpImports = null; + bgpImports = "filter filter6_IN_BGP_%s"; + #bgpExportss = [ "2a12:dd47:9330::/44" ]; - #exports = null; + #bgpExportss = null; }; ipv4 = { - imports = x: "filter filter4_IN_BGP_${toString x}"; - #exports = x: "filter6_IN_BGP_${toString x}"; + bgpImports = "filter filter4_IN_BGP_%s"; + #bgpExportss = "filter6_IN_BGP_%s"; }; } diff --git a/hosts/routers/iguane-kit-rtr/peers/KIT-aurelien-RBR.nix b/hosts/routers/iguane-kit-rtr/peers/KIT-aurelien-RBR.nix index 0536c9c..21a7235 100644 --- a/hosts/routers/iguane-kit-rtr/peers/KIT-aurelien-RBR.nix +++ b/hosts/routers/iguane-kit-rtr/peers/KIT-aurelien-RBR.nix 
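Review bot: The three commented alternatives are renamed to `bgpExportss` (double s), so uncommenting any of them later will not match the `bgpExports` key the bird module presumably reads, and the same typo is copied into KIT-VULTR-EDGE, KIT-aurelien-RBR, KIT-roumain-NTE, KIT-roumainNix-NTE and KIT-toinux-MEL1 in this commit; fix them to `#bgpExports` while they are still comments. `bgpImports = "filter filter6_IN_BGP_%s"` replaces a Nix function with a printf-style template, and a short comment on what `%s` is substituted with (peer name or ASN) would make these six near-identical files self-explanatory. With exports left commented, this transit/edge tunnel announces whatever the `kittunderlay` template exports by default, which is exactly the peer where an explicit `bgpExports` is worth writing down. The enclosing peer attrset begins before the hunk.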
@@ -18,14 +18,14 @@ in template = "kittunderlay"; bgpMED = 100; ipv6 = { - #imports = null; - imports = x: "filter filter6_IN_BGP_${toString x}"; - #exports = [ "2a12:dd47:9330::/44" ]; + #bgpImports = null; + bgpImports = "filter filter6_IN_BGP_%s"; + #bgpExportss = [ "2a12:dd47:9330::/44" ]; - #exports = null; + #bgpExportss = null; }; ipv4 = { - imports = x: "filter filter4_IN_BGP_${toString x}"; - #exports = x: "filter6_IN_BGP_${toString x}"; + bgpImports = "filter filter4_IN_BGP_%s"; + #bgpExportss = "filter6_IN_BGP_%s"; }; } diff --git a/hosts/routers/iguane-kit-rtr/peers/KIT-roumain-NTE.nix b/hosts/routers/iguane-kit-rtr/peers/KIT-roumain-NTE.nix index bac4a45..66bd13a 100644 --- a/hosts/routers/iguane-kit-rtr/peers/KIT-roumain-NTE.nix +++ b/hosts/routers/iguane-kit-rtr/peers/KIT-roumain-NTE.nix @@ -19,14 +19,14 @@ in template = "kittunderlay"; bgpMED = 100; ipv6 = { - #imports = null; - imports = x: "filter filter6_IN_BGP_${toString x}"; - #exports = [ "2a12:dd47:9330::/44" ]; + #bgpImports = null; + bgpImports = "filter filter6_IN_BGP_%s"; + #bgpExportss = [ "2a12:dd47:9330::/44" ]; - #exports = null; + #bgpExportss = null; }; ipv4 = { - imports = x: "filter filter4_IN_BGP_${toString x}"; - #exports = x: "filter6_IN_BGP_${toString x}"; + bgpImports = "filter filter4_IN_BGP_%s"; + #bgpExportss = "filter6_IN_BGP_%s"; }; } diff --git a/hosts/routers/iguane-kit-rtr/peers/KIT-roumainNix-NTE.nix b/hosts/routers/iguane-kit-rtr/peers/KIT-roumainNix-NTE.nix index b5627dd..b5c0e40 100644 --- a/hosts/routers/iguane-kit-rtr/peers/KIT-roumainNix-NTE.nix +++ b/hosts/routers/iguane-kit-rtr/peers/KIT-roumainNix-NTE.nix @@ -10,7 +10,7 @@ in wireguard = { address = "2a13:79c0:ffff:feff::114"; port = 51821; - # onIFACE = "ens18"; + onIFACE = "ens18"; # endpoint = "82.65.74.170:6969"; peerKey = "tTY05MJgkKXf8pEZ4kC1TLWWTeIrh3KzyZdsmlUHTVM="; 
@@ -19,14 +19,14 @@ in template = "kittunderlay"; bgpMED = 100; ipv6 = { - #imports = null; - imports = x: "filter filter6_IN_BGP_${toString x}"; - #exports = [ "2a12:dd47:9330::/44" ]; + #bgpImports = null; + bgpImports = "filter filter6_IN_BGP_%s"; + #bgpExportss = [ "2a12:dd47:9330::/44" ]; - #exports = null; + #bgpExportss = null; }; ipv4 = { - imports = x: "filter filter4_IN_BGP_${toString x}"; - #exports = x: "filter6_IN_BGP_${toString x}"; + bgpImports = "filter filter4_IN_BGP_%s"; + #bgpExportss = "filter6_IN_BGP_%s"; }; } diff --git a/hosts/routers/iguane-kit-rtr/peers/KIT-toinux-MEL1.nix b/hosts/routers/iguane-kit-rtr/peers/KIT-toinux-MEL1.nix index 7a0763f..ed5ceab 100644 --- a/hosts/routers/iguane-kit-rtr/peers/KIT-toinux-MEL1.nix +++ b/hosts/routers/iguane-kit-rtr/peers/KIT-toinux-MEL1.nix @@ -19,14 +19,14 @@ in template = "kittunderlay"; bgpMED = 100; ipv6 = { - #imports = null; - imports = x: "filter filter6_IN_BGP_${toString x}"; - #exports = [ "2a12:dd47:9330::/44" ]; + #bgpImports = null; + bgpImports = "filter filter6_IN_BGP_%s"; + #bgpExportss = [ "2a12:dd47:9330::/44" ]; - #exports = null; + #bgpExportss = null; }; ipv4 = { - imports = x: "filter filter4_IN_BGP_${toString x}"; - #exports = x: "filter6_IN_BGP_${toString x}"; + bgpImports = "filter filter4_IN_BGP_%s"; + #bgpExportss = "filter6_IN_BGP_%s"; }; } diff --git a/hosts/routers/iguane-kit-rtr/peers/default.nix b/hosts/routers/iguane-kit-rtr/peers/default.nix index 1c065af..abb7a48 100644 --- a/hosts/routers/iguane-kit-rtr/peers/default.nix +++ b/hosts/routers/iguane-kit-rtr/peers/default.nix @@ -1,8 +1,8 @@ { ... }: let - defaultPeers = import ../../_peers { }; + profilePeers = import ../../_peers { }; in -defaultPeers +profilePeers // { # Transit From 8ab5a41a14a7b8b63fe1ed869ab02641dd36f34d Mon Sep 17 00:00:00 2001 
From: Antoine 'Toinux' Wam Date: Sat, 28 Dec 2024 22:46:02 +0100 Subject: [PATCH 24/74] profiles defaults --- hosts/clients/default.nix | 21 +++++++++++---------- hosts/miscservers/default.nix | 21 +++++++++++---------- hosts/routereflectors/default.nix | 21 +++++++++++---------- hosts/routers/default.nix | 21 +++++++++++---------- hosts/stonkmembers/default.nix | 21 +++++++++++---------- 5 files changed, 55 insertions(+), 50 deletions(-) diff --git a/hosts/clients/default.nix b/hosts/clients/default.nix index 03f9fbc..8807945 100644 --- a/hosts/clients/default.nix +++ b/hosts/clients/default.nix @@ -1,10 +1,11 @@ -args@{ lib, ... }: -let - blacklist = [ ]; - folders = builtins.attrNames ( - lib.filterAttrs (n: v: v == "directory" && !lib.hasPrefix "_" n && !builtins.elem n blacklist) ( - builtins.readDir ./. - ) - ); -in -lib.genAttrs folders (folder: (import (./. + "/${folder}") (args // { }))) +# args@{ lib, ... }: +# let +# blacklist = [ ]; +# folders = builtins.attrNames ( +# lib.filterAttrs (n: v: v == "directory" && !lib.hasPrefix "_" n && !builtins.elem n blacklist) ( +# builtins.readDir ./. +# ) +# ); +# in +# lib.genAttrs folders (folder: (import (./. + "/${folder}") (args // { }))) +{...}: {} \ No newline at end of file diff --git a/hosts/miscservers/default.nix b/hosts/miscservers/default.nix index ee59208..5f58569 100644 --- a/hosts/miscservers/default.nix +++ b/hosts/miscservers/default.nix 
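Review bot: The directory scanner is kept as a comment block above the new `{...}: {}` stub rather than deleted, and the same pattern repeats in the other four profile `default.nix` files of this commit; git history preserves it, and a stub that says where host enumeration now happens is more useful than ten commented lines, e.g. `# Hosts are no longer enumerated per profile; see the top-level hosts/default.nix`, adjusted to wherever it actually moved. The new files also end without a trailing newline (`\ No newline at end of file`), which nixfmt and most editors will flip back and produce noise in the next diff.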
@@ -1,11 +1,12 @@ -args@{ lib, ... }: -let - blacklist = [ ]; +# args@{ lib, ... }: +# let +# blacklist = [ ]; - folders = builtins.attrNames ( - lib.filterAttrs (n: v: v == "directory" && !lib.hasPrefix "_" n && !builtins.elem n blacklist) ( - builtins.readDir ./. - ) - ); -in -lib.genAttrs folders (folder: (import (./. + "/${folder}") (args // { }))) +# folders = builtins.attrNames ( +# lib.filterAttrs (n: v: v == "directory" && !lib.hasPrefix "_" n && !builtins.elem n blacklist) ( +# builtins.readDir ./. +# ) +# ); +# in +# lib.genAttrs folders (folder: (import (./. + "/${folder}") (args // { }))) +{...}: {} \ No newline at end of file diff --git a/hosts/routereflectors/default.nix b/hosts/routereflectors/default.nix index 7978eda..b7a5ad8 100644 --- a/hosts/routereflectors/default.nix +++ b/hosts/routereflectors/default.nix @@ -2,13 +2,14 @@ # iguane-kit-rr91 = import ./iguane-kit-rr91 { }; # } -args@{ lib, ... }: -let - blacklist = [ ]; - folders = builtins.attrNames ( - lib.filterAttrs (n: v: v == "directory" && !lib.hasPrefix "_" n && !builtins.elem n blacklist) ( - builtins.readDir ./. - ) - ); -in -lib.genAttrs folders (folder: (import (./. + "/${folder}") (args // { }))) +# args@{ lib, ... }: +# let +# blacklist = [ ]; +# folders = builtins.attrNames ( +# lib.filterAttrs (n: v: v == "directory" && !lib.hasPrefix "_" n && !builtins.elem n blacklist) ( +# builtins.readDir ./. +# ) +# ); +# in +# lib.genAttrs folders (folder: (import (./. + "/${folder}") (args // { }))) +{...}: {} \ No newline at end of file diff --git a/hosts/routers/default.nix b/hosts/routers/default.nix index 8e06297..426187a 100644 --- a/hosts/routers/default.nix +++ b/hosts/routers/default.nix 
@@ -5,13 +5,14 @@ # virtua-kit-edge = import ./virtua-kit-edge { }; # } -args@{ lib, ... }: -let - blacklist = [ ]; - folders = builtins.attrNames ( - lib.filterAttrs (n: v: v == "directory" && !lib.hasPrefix "_" n && !builtins.elem n blacklist) ( - builtins.readDir ./. - ) - ); -in -lib.genAttrs folders (folder: (import (./. + "/${folder}") (args // { }))) +# args@{ lib, ... }: +# let +# blacklist = [ ]; +# folders = builtins.attrNames ( +# lib.filterAttrs (n: v: v == "directory" && !lib.hasPrefix "_" n && !builtins.elem n blacklist) ( +# builtins.readDir ./. +# ) +# ); +# in +# lib.genAttrs folders (folder: (import (./. + "/${folder}") (args // { }))) +{...}: {} \ No newline at end of file diff --git a/hosts/stonkmembers/default.nix b/hosts/stonkmembers/default.nix index 8501b5c..84a7e65 100644 --- a/hosts/stonkmembers/default.nix +++ b/hosts/stonkmembers/default.nix @@ -5,13 +5,14 @@ # stonkstation = import ./stonkstation { }; # } -args@{ lib, ... }: -let - blacklist = [ ]; - folders = builtins.attrNames ( - lib.filterAttrs (n: v: v == "directory" && !lib.hasPrefix "_" n && !builtins.elem n blacklist) ( - builtins.readDir ./. - ) - ); -in -lib.genAttrs folders (folder: (import (./. + "/${folder}") (args // { }))) +# args@{ lib, ... }: +# let +# blacklist = [ ]; +# folders = builtins.attrNames ( +# lib.filterAttrs (n: v: v == "directory" && !lib.hasPrefix "_" n && !builtins.elem n blacklist) ( +# builtins.readDir ./. +# ) +# ); +# in +# lib.genAttrs folders (folder: (import (./. + "/${folder}") (args // { }))) +{...}: {} \ No newline at end of file From e602e1d4ecd2c73252327e818f5e451a5190a654 Mon Sep 17 00:00:00 2001 From: Antoine 'Toinux' Wam Date: Sat, 28 Dec 2024 23:02:49 +0100 Subject: [PATCH 25/74] ~ modules/proxmox-backup-client.nix: --- modules/proxmox-backup-client.nix | 44 +++++++++---------------------- 1 file changed, 13 insertions(+), 31 deletions(-) 
diff --git a/modules/proxmox-backup-client.nix b/modules/proxmox-backup-client.nix index 3d4388f..da73880 100644 --- a/modules/proxmox-backup-client.nix +++ b/modules/proxmox-backup-client.nix @@ -4,9 +4,9 @@ pkgs, utils, ... -}: +}: # TODO: Implement correctly -with lib; +with lib; # TODO: don't let # Type for a valid systemd unit option. Needed for correctly passing "timerConfig" to "systemd.timers" @@ -109,18 +109,14 @@ in repository = mkOption { type = with types; nullOr str; default = null; - description = '' - repository to backup to. - ''; + description = "Repository to backup to."; example = "sftp:backup@192.168.1.100:/backups/${name}"; }; repositoryFile = mkOption { type = with types; nullOr path; default = null; - description = '' - Path to the file containing the repository location to backup to. - ''; + description = "Path to the file containing the repository location to backup to."; }; paths = mkOption { @@ -132,7 +128,7 @@ in Which paths to backup, in addition to ones specified via `dynamicFilesFrom`. If null or an empty array and `dynamicFilesFrom` is also null, no backup command will be run. - This can be used to create a prune-only job. + This can be used to create a prune-only job. ''; example = [ "/var/lib/postgresql" 
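Review bot: The `example` for `repository` keeps restic's `sftp:backup@192.168.1.100:/backups/${name}` syntax, which proxmox-backup-client does not accept; its repository strings are of the form `[[user@realm[!token]@]host[:port]:]datastore`, so the example should read something like `backup@pbs@192.168.1.100:backups`, and the same restic leftovers (`--exclude-file`, `sftp.command=...`) survive in later hunks of this module. Since the header now carries `# TODO: Implement correctly`, the option docs should at least not describe behaviour the client cannot have. The surrounding `mkOption` set begins before the hunk.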
@@ -176,36 +172,28 @@ in user = mkOption { type = types.str; default = "root"; - description = '' - As which user the backup should run. - ''; + description = "As which user the backup should run."; example = "postgresql"; }; extraBackupArgs = mkOption { type = types.listOf types.str; default = [ ]; - description = '' - Extra arguments passed to proxmox-backup-client backup. - ''; + description = "Extra arguments passed to proxmox-backup-client backup."; example = [ "--exclude-file=/etc/nixos/proxmox-backup-client-ignore" ]; }; extraOptions = mkOption { type = types.listOf types.str; default = [ ]; - description = '' - Extra extended options to be passed to the proxmox-backup-client --option flag. - ''; + description = "Extra extended options to be passed to the proxmox-backup-client --option flag."; example = [ "sftp.command='ssh backup@192.168.1.100 -i /home/user/.ssh/id_rsa -s sftp'" ]; }; initialize = mkOption { type = types.bool; default = false; - description = '' - Create the repository if it doesn't exist. - ''; + description = "Create the repository if it doesn't exist."; }; pruneOpts = mkOption { @@ -228,7 +216,7 @@ in runCheck = mkOption { type = types.bool; default = (builtins.length config.services.proxmox-backup-client.backups.${name}.checkOpts > 0); - defaultText = literalExpression ''builtins.length config.services.backups.${name}.checkOpts > 0''; + defaultText = literalExpression "builtins.length config.services.backups.${name}.checkOpts > 0"; description = "Whether to run the `check` command with the provided `checkOpts` options."; example = true; }; @@ -236,9 +224,7 @@ in checkOpts = mkOption { type = types.listOf types.str; default = [ ]; - description = '' - A list of options for 'proxmox-backup-client check'. - ''; + description = "A list of options for 'proxmox-backup-client check'."; example = [ "--with-cache" ]; }; 
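Review bot: `initialize` is documented as "Create the repository if it doesn't exist", but a Proxmox Backup Server datastore is created server-side by an administrator, not by `proxmox-backup-client`, so this option cannot do what its description promises; either drop it or reword it to what the implementation actually does, e.g. `description = "Unused: PBS datastores are created on the server; kept for restic-module compatibility.";`. The `extraOptions` example `sftp.command='ssh backup@192.168.1.100 -i /home/user/.ssh/id_rsa -s sftp'` is restic's `--option` syntax and, as far as I can tell, proxmox-backup-client has no `--option` flag, so confirm the flag exists before documenting it and replace the example with a PBS-relevant one or none. The enclosing `mkOption` set starts before the hunk.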
@@ -256,17 +242,13 @@ in
 backupPrepareCommand = mkOption {
 type = with types; nullOr str;
 default = null;
- description = ''
- A script that must run before starting the backup process.
- '';
+ description = "A script that must run before starting the backup process.";
 };
 backupCleanupCommand = mkOption {
 type = with types; nullOr str;
 default = null;
- description = ''
- A script that must run after finishing the backup process.
- '';
+ description = "A script that must run after finishing the backup process.";
 };
 package = mkPackageOption pkgs "proxmox-backup-client" { };
From b4c031908c4fb7769c30ec9a7cf8761082b22b87 Mon Sep 17 00:00:00 2001
From: Antoine 'Toinux' Wam Date: Sun, 29 Dec 2024 16:48:37 +0100 Subject: [PATCH 26/74] ~ system/inputrc.nix: --- flake.nix | 483 ------------------ .../configuration.nix | 0 .../default.nix | 0 .../hardware-configuration.nix | 0 .../peers/KIT-IG1-RTR.nix | 0 .../peers/KIT-VIRTUA-EDGE.legacy.nix | 0 .../peers/KIT-VULTR-EDGE.legacy.nix | 0 .../peers/KIT-virtua-edge.nix | 0 .../peers/TRS-vultr6-RTR.nix | 0 .../peers/default.nix | 0 system/inputrc.nix | 3 +- 11 files changed, 2 insertions(+), 484 deletions(-) delete mode 100644 flake.nix rename hosts/routers/{vultr-kit-edge => _vultr-kit-edge}/configuration.nix (100%) rename hosts/routers/{vultr-kit-edge => _vultr-kit-edge}/default.nix (100%) rename hosts/routers/{vultr-kit-edge => _vultr-kit-edge}/hardware-configuration.nix (100%) rename hosts/routers/{vultr-kit-edge => _vultr-kit-edge}/peers/KIT-IG1-RTR.nix (100%) rename hosts/routers/{vultr-kit-edge => _vultr-kit-edge}/peers/KIT-VIRTUA-EDGE.legacy.nix (100%) rename hosts/routers/{vultr-kit-edge => _vultr-kit-edge}/peers/KIT-VULTR-EDGE.legacy.nix (100%) rename hosts/routers/{vultr-kit-edge => _vultr-kit-edge}/peers/KIT-virtua-edge.nix (100%) rename hosts/routers/{vultr-kit-edge => _vultr-kit-edge}/peers/TRS-vultr6-RTR.nix (100%) rename hosts/routers/{vultr-kit-edge => _vultr-kit-edge}/peers/default.nix (100%)
diff --git a/flake.nix b/flake.nix
deleted file mode 100644
index 71669a6..0000000
--- a/flake.nix
+++ /dev/null
@@ -1,483 +0,0 @@ -# https://nixos.wiki/wiki/Flakes -{ - description = "System configurations"; - - inputs = { - - nixpkgs = { - url = "github:NixOS/nixpkgs/nixos-24.05"; - }; - - # darwin = { - # url = "github:lnl7/nix-darwin"; - # inputs.nixpkgs.follows = "nixpkgs"; - # }; - - nixpkgs-unstable = { - url = "github:NixOS/nixpkgs/nixpkgs-unstable"; - }; - - nixpkgs-master = { - url = "github:NixOS/nixpkgs/master"; - }; - - nixos-hardware = { - url = "github:NixOS/nixos-hardware/master"; - }; - - disko = { - url = "github:nix-community/disko"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - - sops-nix = { - url = "github:Mic92/sops-nix"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - - home-config = { - url = "gitlab:toinux/homefiles"; - # url = "git+file:///home/toinux/Documents/homefiles"; - inputs = { - nixpkgs.follows = "nixpkgs"; - home-manager.follows = "home-manager"; - }; - }; - - home-manager = { - url = "github:nix-community/home-manager/release-24.05"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - - krewfile = { - url = "github:brumhard/krewfile"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - - nix-inspect = { - url = "github:bluskript/nix-inspect"; - }; - - # devenv = { - # url = "github:cachix/devenv/latest"; - # inputs.nixpkgs.follows = "nixpkgs"; - # inputs.nix.follows = "nix"; - # }; - }; - - outputs = - { - self, - nixpkgs, - nixpkgs-unstable, - nixpkgs-master, - nixos-hardware, - nix-inspect, - disko, - sops-nix, - home-manager, - home-config, - krewfile, - ... - # devenv, - # darwin, - }@args: - let - inherit (builtins) pathExists toJSON; - - inherit (nixpkgs.lib) - foldl' - mapAttrs - attrNames - filterAttrs - assertMsg - genAttrs - getBin - concatMapStringsSep - optionals - hasSuffix - - nixosSystem - ; - - # TODO: Use flake-utils to do this well - mkLinuxSystem = - { - target, - targetConfig, - profile ? targetConfig.profile, - system ? "x86_64-linux", - kubeConfig ? 
{ }, - }: - nixosSystem ( - # let - # inherit (nixpkgs.legacyPackages.${system}) writeShellScriptBin; - # in - { - inherit system; - - modules = [ - - (if targetConfig ? config then { config = targetConfig.config; } else { }) - - # Pass options + Args - { - _module.args = { - targetConfig = targetConfig; - targetProfile = profile; - target = target; - bootdisk = targetConfig.bootdisk; - kubeConfig = kubeConfig; - }; - } - - # Home + Users config - ( - { - config, - lib, - pkgs, - ... - }: - - let - userName = "toinux"; - homeDir = "/home/${userName}"; - in - { - config = { - networking.hostName = "${target}"; - - users.users.${userName} = { - isNormalUser = true; - home = homeDir; - # description = "Antoine '${userName}'"; - shell = pkgs.zsh; - extraGroups = - [ "wheel" ] - ++ optionals (config.services.xserver.enable) [ "input" ] - ++ optionals (config.networking.networkmanager.enable) [ "networkmanager" ] - ++ optionals (config.virtualisation.docker.enable) [ "docker" ] - ++ optionals (config.virtualisation.libvirtd.enable) [ "libvirtd" ]; - - initialPassword = "totofaitsestests"; - }; - - home-manager.users.${userName} = home-config.lib.mkHomeConfiguration userName homeDir [ - ./_home/configuration.nix - ]; - - users.users.root.shell = pkgs.zsh; - home-manager.users.root = home-config.lib.mkHomeConfiguration "root" "/root" [ - ./_home/configuration.nix - ]; - }; - } - ) - - ./_system/configuration.nix # Global System config - - (./hosts + "/${profile}/configuration.nix") - - # Disk Partitioning - disko.nixosModules.disko - ( - if targetConfig ? 
diskTemplate && targetConfig.diskTemplate != null then - ./_diskos + "/${targetConfig.diskTemplate}.nix" - else - let - diskoCfg = (./hosts + "/${profile}/${target}/disk-config.nix"); - in - assert assertMsg (pathExists diskoCfg) - "${target}: diskTemplate undefined and ${diskoCfg} inexistant, dunno what to do"; - diskoCfg - ) - - # Host-Specific config - (./hosts + "/${profile}/${target}/configuration.nix") # HostSpecific configuration - (./hosts + "/${profile}/${target}/hardware-configuration.nix") # Hardware Detection - - # Home-Manager + options - home-manager.nixosModules.home-manager - { - home-manager.useGlobalPkgs = true; - home-manager.useUserPackages = true; - # Optionally, use home-manager.extraSpecialArgs to pass arguments to home.nix - } - - # Use Mozilla SOPS as secrets manager - sops-nix.nixosModules.sops - { sops.defaultSopsFile = ./secrets/${target}.yaml; } - - # Overlays - ( - { ... }: - { - nixpkgs.overlays = [ - # https://github.com/NixOS/nixpkgs/issues/97855#issuecomment-1075818028 - #(self: super: { - # my-nixos-option = - # let - # flake-compact = super.fetchFromGitHub { - # owner = "edolstra"; - # repo = "flake-compat"; - # rev = "12c64ca55c1014cdc1b16ed5a804aa8576601ff2"; - # sha256 = "sha256-hY8g6H2KFL8ownSiFeMOjwPC8P0ueXpCVEbxgda3pko="; - # }; - # prefix = ''(import ${flake-compact} { src = ~/src/vidbina/nixos-configuration; }).defaultNix.nixosConfigurations.${target}''; - # in - # super.runCommand "nixos-option" { buildInputs = [ super.makeWrapper ]; } '' - # makeWrapper ${super.nixos-option}/bin/nixos-option $out/bin/nixos-option \ - # --add-flags --config_expr \ - # --add-flags "\"${prefix}.config\"" \ - # --add-flags --options_expr \ - # --add-flags "\"${prefix}.options\"" - # ''; - #}) - krewfile.overlay - - (final: prev: { - master = nixpkgs-master.legacyPackages.${prev.system}; - unstable = nixpkgs-unstable.legacyPackages.${prev.system}; - # devenv = devenv.packages.${prev.system}.devenv; - # nix-inspect = 
nix-inspect.packages.${prev.system}.default; - - # ferm = prev.ferm.overrideAttrs (oldAttrs: rec { - # patches = oldAttrs.patches or [ ] ++ [ ./patches/ferm_import-ferm_wrapped.patch ]; - # }); - }) - ]; - } - ) - ( - let - disableModules = [ ]; - - customModules = [ "kitten/connect/autodisko" "kitten/connect/loopback0" "kitten/connect/bird_peers" ]; - localModules = [ "nixos/modules/services/ttys/kmscon" ]; - - masterModules = [ - # "nixos/modules/programs/kubeswitch.nix" - ]; - - unstableModules = [ ]; - # stableModules = [ ]; - - getModule = - input: - ( - x: - let - mod = if (hasSuffix ".nix" x) then x else "${x}.nix"; - in - "${input}/${mod}" - ); - in - { - disabledModules = map (getModule args.nixpkgs) ( - disableModules ++ localModules ++ masterModules ++ unstableModules - # ++ stableModules - ); - - imports = - (map (getModule ./modules) (localModules ++ customModules)) - ++ (map (getModule args.nixpkgs-master) masterModules) - ++ (map (getModule args.nixpkgs-unstable) unstableModules) - # ++ (map (getModule args.nixpkgs-stable) stableModules) - ; - } - ) - ]; - }); - - targetConfigs = - let - hosts = import ./hosts (args // { lib = args.nixpkgs.lib; }); - in - foldl' ( - acc: profile: - let - configs = hosts.${profile}; - in - (mapAttrs (name: value: { inherit profile; } // value) configs) // acc - ) { } (attrNames hosts); - - # TODO: Move this - masterNodes = [ "stonkstation" ]; - controllers = [ "stonkstation" ]; - in - { - - # homeConfigurations = { - # "toinux" = home-config.lib.mkHomeConfiguration userName homeDir [ ./_home/configuration.nix ]; - # }; - # colmena = { - # meta = { - # nixpkgs = import nixpkgs { - # system = "x86_64-linux"; - # }; - # }; - - # # Also see the non-Flakes hive.nix example above. - # host-a = { name, nodes, pkgs, ... 
}: { - # boot.isContainer = true; - # time.timeZone = nodes.host-b.config.time.timeZone; - # }; - # host-b = { - # deployment = { - # targetHost = "somehost.tld"; - # targetPort = 1234; - # targetUser = "luser"; - # }; - # boot.isContainer = true; - # time.timeZone = "America/Los_Angeles"; - # }; - # }; - - nixosConfigurations = ( - genAttrs (attrNames targetConfigs) ( - target: - mkLinuxSystem { - inherit target; - - # TODO: moveThis - kubeConfig = { - master = builtins.elem "${target}" masterNodes; - controller = builtins.elem "${target}" controllers; - }; - - # This good - targetConfig = targetConfigs.${target}; - } - ) - ); - - packages = - let - systems = [ "x86_64-linux" ]; - in - genAttrs systems ( - system: - let - inherit (nixpkgs.legacyPackages.${system}) writeShellScriptBin; - in - { - bootstrap = genAttrs (attrNames self.outputs.nixosConfigurations) ( - confName: - writeShellScriptBin "bootstrap-${confName}.sh" ( - let - package = nixpkgs.legacyPackages.${system}.nix; - in - '' - set -x - [[ $# -gt 0 ]] || set -- --help - - ${getBin package}/bin/nix --extra-experimental-features 'nix-command flakes' run github:nix-community/nixos-anywhere -- --option show-trace true --flake ${self.outPath}#${confName} $@ - '' - ) - ); - - rebuild = genAttrs (attrNames self.outputs.nixosConfigurations) ( - confName: - writeShellScriptBin "rebuild-${confName}.sh" ( - let - package = nixpkgs.legacyPackages.${system}.nixos-rebuild; - nomPackage = nixpkgs.legacyPackages.${system}.nix-output-monitor; - in - '' - set -x - [[ $# -gt 0 ]] || set -- --help - - ${getBin package}/bin/nixos-rebuild -L --show-trace --option extra-experimental-features 'nix-command flakes' --option eval-cache false --flake ${self.outPath}#${confName} $@ |& ${getBin nomPackage}/bin/nom - '' - ) - ); - - images = genAttrs (attrNames self.outputs.nixosConfigurations) ( - confName: - let - nixConf = self.outputs.nixosConfigurations.${confName}; - in - nixConf.config.system.build.diskoImages - ); - - 
compressedImages = genAttrs (attrNames self.outputs.nixosConfigurations) ( - confName: - let - pkgs = nixpkgs.legacyPackages.${system}; - nixConf = self.outputs.nixosConfigurations.${confName}; - diskoImages = nixConf.config.system.build.diskoImages; - in - pkgs.runCommand "compressed-disko-${confName}" { nativeBuildInput = [ diskoImages ]; } '' - pwd - - tree="${pkgs.tree}/bin/tree" - xz="${pkgs.xz}/bin/xz" - - $tree $nativeBuildInput . - - mkdir -pv $out - cd $nativeBuildInput - - echo Compressing disk images with xz - echo CAUTION: May take some times - - find . -name '*.raw' -print -exec bash -c "$xz -T0 --stdout '{}' > '$out/{}.xz'" \; - '' - - ); - - ddbootstrap = genAttrs (attrNames self.outputs.nixosConfigurations) ( - confName: - writeShellScriptBin "bootstrapImageWithDD-${confName}.sh" ( - let - pvPackage = nixpkgs.legacyPackages.${system}.pv; - - disks = self.outputs.nixosConfigurations.${confName}.config.disko.devices.disk; - images = self.outputs.packages.${system}.images.${confName}; - - devices = filterAttrs (n: v: v ? device && v.device != null) disks; - in - '' - set -eu -o pipefail - set -x - - REMOTE=$1 - echo "Bootstraping ${confName} via ssh on $REMOTE [ssh $@] ?" - echo "CAUTION: Dangerous action -> will erase disks on remote" - echo "Press [ENTER] to continue" - read - - ssh $@ lsblk - echo "CAUTION: Here are the disks found on the remote, is it correct ?" - echo "Press [ENTER] again to continue" - read - - ssh $@ xz --help - - - ${concatMapStringsSep "\n" ( - x: - let - disk = disks.${x}; - in - '' - echo "Pushing ${x} -> ''${REMOTE}:${disk.device}" - ${getBin pvPackage}/bin/pv ${images}/${x}.raw.xz | ssh $@ "xz -T0 -d -c - > ${disk.device}" - '' - ) (attrNames devices)} - '' - ) - ); - } - ); - - # darwinConfigurations = (nixpkgs.lib.genAttrs targets - # (target: mkLinuxSystem { - # inherit target; - - # targetConfig = targetConfigs.${target}; - # }) - # ); - }; -} 
diff --git a/hosts/routers/vultr-kit-edge/configuration.nix b/hosts/routers/_vultr-kit-edge/configuration.nix
similarity index 100%
rename from hosts/routers/vultr-kit-edge/configuration.nix
rename to hosts/routers/_vultr-kit-edge/configuration.nix
diff --git a/hosts/routers/vultr-kit-edge/default.nix b/hosts/routers/_vultr-kit-edge/default.nix
similarity index 100%
rename from hosts/routers/vultr-kit-edge/default.nix
rename to hosts/routers/_vultr-kit-edge/default.nix
diff --git a/hosts/routers/vultr-kit-edge/hardware-configuration.nix b/hosts/routers/_vultr-kit-edge/hardware-configuration.nix
similarity index 100%
rename from hosts/routers/vultr-kit-edge/hardware-configuration.nix
rename to hosts/routers/_vultr-kit-edge/hardware-configuration.nix
diff --git a/hosts/routers/vultr-kit-edge/peers/KIT-IG1-RTR.nix b/hosts/routers/_vultr-kit-edge/peers/KIT-IG1-RTR.nix
similarity index 100%
rename from hosts/routers/vultr-kit-edge/peers/KIT-IG1-RTR.nix
rename to hosts/routers/_vultr-kit-edge/peers/KIT-IG1-RTR.nix
diff --git a/hosts/routers/vultr-kit-edge/peers/KIT-VIRTUA-EDGE.legacy.nix b/hosts/routers/_vultr-kit-edge/peers/KIT-VIRTUA-EDGE.legacy.nix
similarity index 100%
rename from hosts/routers/vultr-kit-edge/peers/KIT-VIRTUA-EDGE.legacy.nix
rename to hosts/routers/_vultr-kit-edge/peers/KIT-VIRTUA-EDGE.legacy.nix
diff --git a/hosts/routers/vultr-kit-edge/peers/KIT-VULTR-EDGE.legacy.nix b/hosts/routers/_vultr-kit-edge/peers/KIT-VULTR-EDGE.legacy.nix
similarity index 100%
rename from hosts/routers/vultr-kit-edge/peers/KIT-VULTR-EDGE.legacy.nix
rename to hosts/routers/_vultr-kit-edge/peers/KIT-VULTR-EDGE.legacy.nix
diff --git a/hosts/routers/vultr-kit-edge/peers/KIT-virtua-edge.nix b/hosts/routers/_vultr-kit-edge/peers/KIT-virtua-edge.nix
similarity index 100%
rename from hosts/routers/vultr-kit-edge/peers/KIT-virtua-edge.nix
rename to hosts/routers/_vultr-kit-edge/peers/KIT-virtua-edge.nix
diff --git a/hosts/routers/vultr-kit-edge/peers/TRS-vultr6-RTR.nix b/hosts/routers/_vultr-kit-edge/peers/TRS-vultr6-RTR.nix
similarity index 100%
rename from hosts/routers/vultr-kit-edge/peers/TRS-vultr6-RTR.nix
rename to hosts/routers/_vultr-kit-edge/peers/TRS-vultr6-RTR.nix
diff --git a/hosts/routers/vultr-kit-edge/peers/default.nix b/hosts/routers/_vultr-kit-edge/peers/default.nix
similarity index 100%
rename from hosts/routers/vultr-kit-edge/peers/default.nix
rename to hosts/routers/_vultr-kit-edge/peers/default.nix
diff --git a/system/inputrc.nix b/system/inputrc.nix
index ea47ec4..58a0b7d 100644
--- a/system/inputrc.nix
+++ b/system/inputrc.nix
@@ -5,6 +5,7 @@
 environment.etc."inputrc.modified" = {
 target = "inputrc"; # Relative to /etc
 text = ''
+ $include /etc/inputrc.orig # Import the Orig File
 # Additional stuff
 set completion-ignore-case On
@@ -14,7 +15,7 @@
 set show-all-if-ambiguous On
 set show-all-if-unmodified On
 set visible-stats On
-
+ $if mode=emacs
 "\e\e[C": forward-word
 "\e\e[D": backward-word
From 68d346de94825c3579084768c481293151a9aab0 Mon Sep 17 00:00:00 2001
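Review bot: The trailing comment on the new `$include /etc/inputrc.orig # Import the Orig File` line is, as far as I can tell, part of the directive's argument: readline only treats `#` as a comment at the start of a line and takes the rest of an `$include` line as the file name, so this asks for a file literally named `/etc/inputrc.orig # Import the Orig File`, which does not exist, and the include quietly does nothing (readline does not report a missing include file). Move the comment onto its own line above the directive, `# Import the original file` followed by `$include /etc/inputrc.orig`. Nothing in this hunk creates `/etc/inputrc.orig`; if it is produced elsewhere (outside this hunk), a comment naming where would help, since a missing include file is skipped silently as well. The enclosing `environment.etc."inputrc.modified"` attribute set continues beyond the hunk.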
From: Antoine 'Toinux' Wam Date: Sun, 29 Dec 2024 16:48:37 +0100 Subject: [PATCH 27/74] - Cleanup --- home/configuration.nix | 13 - hosts/clients/configuration.nix | 1 - .../aure-home-kitrtr/configuration.nix | 105 ----- hosts/homerouters/bird.nix | 331 -------------- hosts/homerouters/bird_peers.nix | 201 --------- hosts/homerouters/wireguard.nix | 135 ------ hosts/miscservers/firewall.nix | 34 -- hosts/miscservers/options.nix | 50 --- hosts/routereflectors/configuration.nix | 139 ------ hosts/routereflectors/default.nix | 149 ++++++- hosts/routers/bird_peers.nix | 195 -------- modules/proxmox-backup-client.nix | 416 ------------------ system/configuration.nix | 98 ----- system/firewall.nix | 27 -- 14 files changed, 134 insertions(+), 1760 deletions(-) delete mode 100644 home/configuration.nix delete mode 100644 hosts/clients/configuration.nix delete mode 100644 hosts/homerouters/aure-home-kitrtr/configuration.nix delete mode 100644 hosts/homerouters/bird.nix delete mode 100644 hosts/homerouters/bird_peers.nix delete mode 100644 hosts/homerouters/wireguard.nix delete mode 100644 hosts/miscservers/firewall.nix delete mode 100644 hosts/miscservers/options.nix delete mode 100644 hosts/routereflectors/configuration.nix delete mode 100644 hosts/routers/bird_peers.nix delete mode 100644 modules/proxmox-backup-client.nix delete mode 100644 system/configuration.nix delete mode 100644 system/firewall.nix
diff --git a/home/configuration.nix b/home/configuration.nix
deleted file mode 100644
index 50957f6..0000000
--- a/home/configuration.nix
+++ /dev/null
@@ -1,13 +0,0 @@
-{
- pkgs,
- lib,
- config,
- osConfig,
- ...
-}:
-let
- kubeCfg = osConfig.services.k3s;
-in
-{
- imports = [ ] ++ lib.optional (kubeCfg.enable && kubeCfg.role == "server") ./kube.nix;
-}
diff --git a/hosts/clients/configuration.nix b/hosts/clients/configuration.nix
deleted file mode 100644
index c915eb0..0000000
--- a/hosts/clients/configuration.nix
+++ /dev/null
@@ -1 +0,0 @@
-{ ... }: { }
diff --git a/hosts/homerouters/aure-home-kitrtr/configuration.nix b/hosts/homerouters/aure-home-kitrtr/configuration.nix
deleted file mode 100644
index 8e84f6f..0000000
--- a/hosts/homerouters/aure-home-kitrtr/configuration.nix
+++ /dev/null
@@ -1,105 +0,0 @@ -# Edit this configuration file to define what should be installed on -# your system. Help is available in the configuration.nix(5) man page, on -# https://search.nixos.org/options and in the NixOS manual (`nixos-help`). - -{ - config, - targetConfig, - lib, - pkgs, - ... -}: -let - iface = if targetConfig ? interface then targetConfig.interface else null; - kittenIFACE = "ens19"; -in -{ - #imports = [ ./wireguard.nix ]; - # Bootloader. - #boot.loader.systemd-boot.enable = true; - #boot.loader.systemd-boot.configurationLimit = 5; - #boot.loader.efi.canTouchEfiVariables = true; - boot.loader.grub.efiSupport = false; - boot.loader.grub.enable = true; - # boot.loader.grub.efiInstallAsRemovable = true; - # boot.loader.efi.efiSysMountPoint = "/boot/efi"; - # Define on which hard drive you want to install Grub. - #boot.loader.grub.devices = [ "${targetConfig.bootdisk}" ]; # or "nodev" for efi only - - customModules = { - loopback0 = { - enable = true; - ipv6 = [ "2a13:79c0:ffff:fefe::22f0" ]; - }; - }; - - # Pick only one of the below networking options. - # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. - # networking.networkmanager.enable = true; # Easiest to use and most distros use this by default. - networking = { - #nameservers = [ "1.3.3.7" ]; - interfaces = { - "${iface}".useDHCP = true; - - "${kittenIFACE}" = { - - # ipv4.addresses = [ - # { - # address = "185.10.17.209"; - # prefixLength = 24; - # } - # ]; - - ipv6.addresses = [ - { - address = "2a13:79c0:ffff:feff:b00b:caca:b173:25"; - prefixLength = 112; - } - ]; - }; - }; - - # defaultGateway = { - # address = "185.10.17.254"; - # metric = 42; - # interface = iface; - # }; - - # defaultGateway6 = { - # address = "fe80::1"; - # metric = 42; - # interface = iface; - # }; - - useDHCP = false; - #dhcpcd.enable = false; - }; - - systemd.network.enable = true; - - # Set your time zone. 
- time.timeZone = "Europe/Paris"; - - nixpkgs.config.allowUnfree = true; - # Configure network proxy if necessary - # networking.proxy.default = "http://user:password@proxy:port/"; - # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; - - # This option defines the first version of NixOS you have installed on this particular machine, - # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. - # - # Most users should NEVER change this value after the initial install, for any reason, - # even if you've upgraded your system to a new NixOS release. - # - # This value does NOT affect the Nixpkgs version your packages and OS are pulled from, - # so changing it will NOT upgrade your system. - # - # This value being lower than the current NixOS release does NOT mean your system is - # out of date, out of support, or vulnerable. - # - # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration, - # and migrated your data accordingly. - # - # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion . - system.stateVersion = "23.11"; # Did you read the comment? -} diff --git a/hosts/homerouters/bird.nix b/hosts/homerouters/bird.nix deleted file mode 100644 index b1ba667..0000000 --- a/hosts/homerouters/bird.nix +++ /dev/null 
@@ -1,331 +0,0 @@ -{ - lib, - config, - target, - targetConfig, - ... -}: -let - inherit (lib) - optional - optionals - optionalString - mkOrder - attrNames - filterAttrs - concatStringsSep - concatMapStringsSep - ; - - birdCfg = config.services.bird2; - - srvCfg = - let - cfg = - if targetConfig ? birdConfig then - targetConfig.birdConfig - else - let - p = (./. + "/${target}/birdconfig.nix"); - in - if builtins.pathExists p then (import p { inherit targetConfig; }) else { }; - in - if cfg ? peers then - cfg - else - let - peers = (import (./. + "/${target}/peers/") { }); - in - (cfg // { inherit peers; }); - - rrs = attrNames (filterAttrs (n: v: v ? template && v.template == "rrserver") srvCfg.peers); - - lo4 = - if (srvCfg ? loopback4 && srvCfg.loopback4 != null && srvCfg.loopback4 != "") then - srvCfg.loopback4 - else - null; - - lo6 = - if (srvCfg ? loopback6 && srvCfg.loopback6 != null && srvCfg.loopback6 != "") then - srvCfg.loopback6 - else - null; -in -{ - imports = [ - ./bird_peers.nix - # ./bird_statics.nix - ]; - - config = { - - sops.templates."bird_secrets.conf" = { - owner = "bird2"; - }; - - _module.args = { - birdConfig = srvCfg; - }; - - networking.firewall.allowedTCPPorts = [ - 179 # BGP - 1790 # Internal BGP - ]; - - networking.interfaces.lo = { - ipv4.addresses = - lib.mkIf - ( - lo4 != null && config.customModules.loopback0.ipv4 == [ ] || !config.customModules.loopback0.enable - ) - [ - { - address = "${toString srvCfg.loopback4}"; - prefixLength = 32; - } - ]; - ipv6.addresses = - lib.mkIf - ( - lo6 != null && config.customModules.loopback0.ipv6 == [ ] || !config.customModules.loopback0.enable - ) - [ - { - address = "${toString srvCfg.loopback6}"; - prefixLength = 128; - } - ]; - }; - - services.bird2.preCheckConfig = '' - echo "Bird configuration include these resources" - grep include bird2.conf - - LINE=$(grep -n include bird2.conf | grep bird_secrets.conf | head -1 | cut -d: -f1) - if [ ! 
-z "$LINE" ]; then - echo "Found secrets importing, will substitute it with placeholders values" - sed ''${LINE}d -i bird2.conf - sed "$(($LINE))i"'include "_secrets_substitute.conf";' -i bird2.conf - - cat > _secrets_substitute.conf <<< ' - ${config.sops.templates."bird_secrets.conf".content} - ' - - # cat _secrets_substitute.conf bird2.conf - fi - ''; - - services.bird2.config = mkOrder 0 ( - concatStringsSep "\n\n" ( - let - transitIFACE = if srvCfg ? transitInterface then srvCfg.transitInterface else null; - - quoteString = x: ''"${x}"''; - in - [ - "log syslog all;" - - ''include "${config.sops.templates."bird_secrets.conf".path}";'' - - '' - # The Device protocol is not a real routing protocol. It does not generate any - # routes and it only serves as a module for getting information about network - # interfaces from the kernel. It is necessary in almost any configuration. - protocol device DEV {} - - # The direct protocol is not a real routing protocol. It automatically generates - # direct routes to all network interfaces. Can exist in as many instances as you - # wish if you want to populate multiple routing tables with direct routes. 
- protocol direct DIRECT { - #disabled; - check link on; - ipv4; - ipv6; - interface "*"; - } - '' - - '' - #<== Générique - function is_valid4_network() { - return net ~ [ - 172.23.193.192/26, - 172.23.193.192/26{32,32} - ]; - } - - function is_valid6_network() { - return net ~ [ - 2a13:79c0:ff00::/40, - 2a13:79c0:ffff::/48{48,64}, - 2a13:79c0:ffff:fefe::/64{128,128}, - 2a13:79c0:ffff:feff::/64{112,112} - ]; - } - - - function is_rr_valid6_network() { - return net ~ [ - ${ - optionalString (transitIFACE != null) "::/0," - } # Announce (or not) default route [transitInterface = ${toString transitIFACE}] - 2a13:79c0:ff00::/40, - 2a13:79c0:ff00::/48+, # Special case for Toinux home - # 2a13:79c0:ffff:fefe::/64{128,128}, - # 2a13:79c0:ffff:feff::/64{112,112}, - 2a13:79c0:ffff::/48{48,64}, - 2a13:79c0:fffe::/48{56,56} - ]; - } - - '' - - '' - # The Kernel protocol is not a real routing protocol. Instead of communicating - # with other routers in the network, it performs synchronization of BIRD - # routing tables with the OS kernel. One instance per table. - protocol kernel KERNEL4 { - ipv4 { # Connect protocol to IPv4 table by channel - # table master4; # Default IPv4 table is master4 - # import all; # Import to table, default is import all - # export all; # Export to protocol. 
default is export none - export filter { - if ( is_valid4_network() || source ~ [RTS_STATIC] || proto ~ "(${concatStringsSep "|" rrs})" - ) then { - ${ - optionalString (lo4 != null) '' - if source ~ [RTS_BGP] || net ~ [ 0.0.0.0/0 ] then { - krt_prefsrc=${lo4}; - } - '' - } - accept; - } else reject; - }; - }; - merge paths on; - # learn; # Learn alien routes from the kernel - # kernel table 10; # Kernel table to synchronize with (default: main) - } - - # Another instance for IPv6, skipping default options - protocol kernel KERNEL6 { - # ipv6 { export all; }; - ipv6 { - export filter { - if ( is_valid6_network() || source ~ [RTS_STATIC] || proto ~ "(${concatStringsSep "|" rrs})" ) then { - ${ - optionalString (lo6 != null) '' - if source ~ [RTS_BGP] || net ~ [ ::/0 ] then { - krt_prefsrc=${lo6}; - } - '' - } - accept; - } else reject; - }; - }; - - merge paths on; - } - '' - - '' - - template bgp rrserver { - local port 1790; - neighbor port 179; - multihop 5; - - ipv4 { - gateway recursive; - extended next hop; - next hop self; - - import filter { accept; }; - - export none; - # export filter { if is_v4_network() && source ~ [RTS_STATIC, RTS_DEVICE, RTS_BGP, RTS_OSPF] then accept; else reject; }; - import limit 1000 action block; - igp table master4; # IGP table for routes with IPv4 nexthops - # igp table master6; # IGP table for routes with IPv4 nexthops - }; - - ipv6 { - gateway recursive; - next hop self; - - import filter { accept; }; - export filter { if is_rr_valid6_network() && source ~ [RTS_STATIC, RTS_DEVICE, RTS_BGP, RTS_OSPF] then accept; else reject; }; - import limit 1000 action block; - igp table master6; # IGP table for routes with IPv6 nexthops - }; - - } - '' - - '' - template bgp kittunderlay { - # local as 4242421945; - # neighbor as kittenASN; - local port 1790; - neighbor port 1790; - rr client; - path metric off; - ipv4 { - extended next hop; - next hop self; - import keep filtered; - - import filter { - if is_valid4_network() then { - if 
defined( bgp_med ) then - bgp_med = bgp_med + 1000; - else { - bgp_med = 1000; - } - accept; - } else reject; - }; - - export filter { if is_valid4_network() && source ~ [RTS_STATIC, RTS_DEVICE, RTS_BGP, RTS_OSPF] then accept; else reject; }; - import limit 1000 action block; - }; - - ipv6 { - next hop self; - import keep filtered; - - import filter { - if is_valid6_network() then { - if defined( bgp_med ) then - bgp_med = bgp_med + 1000; - else { - bgp_med = 1000; - } - accept; - } else reject; - }; - - export filter { if is_valid6_network() && source ~ [RTS_STATIC, RTS_DEVICE, RTS_BGP, RTS_OSPF] then accept; else reject; }; - import limit 1000 action block; - }; - - } - '' - ] - ++ - optionals (srvCfg ? static6 && builtins.typeOf srvCfg.static6 == "list" && srvCfg.static6 != [ ]) - [ - '' - protocol static STATIC6 { - ipv6; - ${concatStringsSep "\n" (map (x: " " + "route ${x};") srvCfg.static6)} - } - '' - ] - ) - ); - }; -} diff --git a/hosts/homerouters/bird_peers.nix b/hosts/homerouters/bird_peers.nix deleted file mode 100644 index e956e5c..0000000 --- a/hosts/homerouters/bird_peers.nix +++ /dev/null 
@@ -1,201 +0,0 @@ -{ - lib, - target, - config, - targetConfig, - birdConfig, - ... -}: -let - inherit (lib) listToAttrs nameValuePair; - - peers = birdConfig.peers; - - peersWithPasswordRef = lib.attrsets.filterAttrs (n: v: v ? passwordRef) peers; - - passwords = lib.unique (lib.attrsets.mapAttrsToList (n: v: v.passwordRef) peersWithPasswordRef); -in -{ - - sops.secrets = - lib.mkIf (builtins.trace "Bird passwords = ${builtins.toJSON passwords}" passwords != [ ]) - ( - listToAttrs ( - map (n: lib.nameValuePair "bird_secrets/${n}" { reloadUnits = [ "bird2.service" ]; }) passwords - ) - ); - - sops.templates."bird_secrets.conf".content = lib.mkIf (passwords != [ ]) ( - lib.mkMerge ( - map (password: '' - define secretPassword_${password} = "${config.sops.placeholder."bird_secrets/${password}"}"; - '') passwords - ) - ); - - services.bird2.config = - let - mkPeersFuncArgs = (x: { peerName = x; } // peers.${x}); - - toLines = - nindent: - let - indent = lib.concatMapStrings (_: " ") (lib.range 1 nindent); - in - builtins.concatStringsSep "\n${indent}"; - - withType = types: x: lib.toFunction types.${builtins.typeOf x} x; - - peersFunc = - x@{ - peerName, - peerIP, - peerAS ? 65666, - - localIP ? "", - localAS ? 65666, - - multihop ? 0, - template ? "", - - password ? "", - passwordRef ? "", - - ipv4 ? { }, - ipv6 ? { }, - - bgpMED ? null, - - wireguard ? { }, - interface ? - if (wireguard != { }) then - (if wireguard ? interface then wireguard.interface else peerName) - else - null, - ... 
- }: - let - inherit (lib) optionalString; - inherit (builtins) concatStringsSep toJSON; - in - '' - ${optionalString (bgpMED != null) "define bgpMED_${toString peerName} = ${toString bgpMED};"} - ${optionalString (template == "kittunderlay") '' - filter filter4_IN_BGP_${toString peerName} { - if is_valid4_network() then { - if defined( bgp_med ) then - bgp_med = bgp_med + bgpMED_${toString peerName}; - else { - bgp_med = bgpMED_${toString peerName}; - } - accept; - } else reject; - } - - filter filter6_IN_BGP_${toString peerName} { - if is_valid6_network() then { - if defined( bgp_med ) then - bgp_med = bgp_med + bgpMED_${toString peerName}; - else { - bgp_med = bgpMED_${toString peerName}; - } - accept; - } else reject; - } - ''} - - # ${optionalString (x ? debug && x.debug == true) (toJSON x)} - # L: AS${toString localAS} | R: AS${toString peerAS} - protocol bgp ${toString peerName} ${optionalString (template != "") "from ${toString template}"} { - local ${ - optionalString (localIP != "") (toString localIP) - } as ${toString localAS}; # localIP: "${toString localIP}" - neighbor ${toString peerIP} as ${toString peerAS}; - ${optionalString (interface != null) ''interface "${interface}";''} - ${ - if multihop == 0 then - "direct;" - else - "multihop ${ - optionalString (multihop != -1) toString (if multihop < -1 then -1 * multihop else multihop) - };" - } # multihop: ${toString multihop} - - ${ - optionalString (password != "") - ''password "${ - assert lib.asserts.assertMsg ( - passwordRef == "" - ) "U defined a passwordRef, why do you still want to leak password ?"; - toString ( - lib.warn "bird2 peers password is insecure consider using passwordRef with a bird_secrets file" password - ) - }"; # Not-Secured cleartext access for @everyone'' - } - ${ - optionalString ( - passwordRef != "" - ) "password secretPassword_${toString passwordRef}; # Defined in secrets file" - } - - ${ - optionalString (ipv6 != { }) '' - ipv6 { - ${ - optionalString (ipv6 ? 
imports && ipv6.imports != "" && ipv6.imports != [ ]) ( - let - myType = withType { - string = x: " import ${x};"; - null = x: " import none;"; - lambda = f: myType (f peerName); - list = x: '' - # ${toJSON x} - import filter { - if ( net ~ [ ${concatStringsSep ", " x} ] ) then { - accept; - } - reject; - }; - ''; - }; - in - myType ipv6.imports - ) - } - ${ - optionalString (ipv6 ? exports && ipv6.exports != "" && ipv6.exports != [ ]) ( - let - myType = withType { - string = x: " export ${x};"; - null = x: " export none;"; - lambda = f: myType (f peerName); - list = x: '' - # ${toJSON x} - export filter { - if ( net ~ [ ${concatStringsSep ", " x} ] ) then { - accept; - } - reject; - }; - ''; - }; - in - myType ipv6.exports - ) - } - }; - '' - } - - } - '' - - ; - in - lib.mkOrder 50 ( - builtins.concatStringsSep "\n" ( - [ "# Nix-OS Generated for ${target}" ] - ++ (map (x: "# ${x}\n${peersFunc (mkPeersFuncArgs x)}") (builtins.attrNames peers)) - ) - ); -} diff --git a/hosts/homerouters/wireguard.nix b/hosts/homerouters/wireguard.nix deleted file mode 100644 index 5448b54..0000000 --- a/hosts/homerouters/wireguard.nix +++ /dev/null 
@@ -1,135 +0,0 @@
-{
- lib,
- pkgs,
- config,
-
- target,
- targetConfig,
- birdConfig,
- ...
-}:
-let
-
- # Imports Functions
- inherit (lib.attrsets)
- filterAttrs
- mapAttrs
- mapAttrsToList
- genAttrs
- zipAttrs
- optionalAttrs
- ;
-
- inherit (lib.asserts) assertMsg;
-
- inherit (lib.strings) hasPrefix optionalString;
-
- inherit (builtins) attrNames;
-
- # Variables / Functions
-
- IFACE = if targetConfig ? interface then targetConfig.interface else null;
-
- peers = filterAttrs (n: v: v ? wireguard && v.wireguard != { }) birdConfig.peers;
-
- hasPort = (n: v: v.wireguard ? port);
- hasIface = (n: v: v.wireguard ? onIFACE);
-
- peersWithPort = filterAttrs hasPort peers;
-
- peersWithoutIFACE = filterAttrs (n: v: (!hasIface n v)) peersWithPort;
- peersWithIFACE = filterAttrs hasIface peersWithPort;
-
- portsWithoutIFACE = mapAttrsToList (n: v: v.wireguard.port) peersWithoutIFACE;
- portsWithIFACE = zipAttrs (
- mapAttrsToList (n: v: { ${v.wireguard.onIFACE} = v.wireguard.port; }) peersWithIFACE
- );
-
- mkFWConf = ports: { allowedUDPPorts = ports; };
-
- genFWMarkStr = (
- mark:
- {
- "string" =
- assert assertMsg (hasPrefix "0x" mark) "fwMark is string but does not start with 0x is it an int ?";
- mark;
-
- "int" = toString mark;
-
- "null" = null;
- }
- .${builtins.typeOf mark}
-
- );
-
- mkWireguardConf =
- name:
- let
- peer = peers.${name};
-
- fwMarkString = (
- let
- mark =
- if peer.wireguard ? fwMark then
- peer.wireguard.fwMark
-
- else if (peer.wireguard ? onIFACE && peer.wireguard.onIFACE != null) then
- peer.wireguard.port
-
- else
- null;
- in
- genFWMarkStr mark
-
- );
- in
- {
- table = "off";
- # Determines the IP/IPv6 address and subnet of the client's end of the tunnel interface
- address = [ "${peer.wireguard.address}/127" ];
- # The port that WireGuard listens to - recommended that this be changed from default
- listenPort = lib.mkIf (peer.wireguard ? 
port) peer.wireguard.port;
-
- postUp = ''
- ${optionalString (fwMarkString != null) ''wg set ${name} fwmark ${fwMarkString}''}
- '';
-
- # Path to the server's private key
- privateKeyFile = config.sops.secrets.wireguard_serverkey.path;
-
- peers = [
- {
- publicKey = peer.wireguard.peerKey;
- #presharedKeyFile = "/root/wireguard-keys/preshared_from_peer0_key";
- persistentKeepalive = 10;
- endpoint = lib.mkIf (peer.wireguard ? endpoint) peer.wireguard.endpoint;
-
- allowedIPs = [
- "0.0.0.0/0"
- "::/0"
- ];
- }
- ];
- };
-in
-{
- # sops --set '["wireguard_serverkey"] "'"$(wg genkey | tee >(wg pubkey > /dev/stderr))"'"' secrets/.yaml
- sops.secrets.wireguard_serverkey = { };
- environment.systemPackages = with pkgs; [ wireguard-tools ];
-
- # Open FireWall Ports
- networking.firewall = lib.mkMerge [
- (optionalAttrs (portsWithoutIFACE != [ ]) (
- let
- conf = mkFWConf portsWithoutIFACE;
- in
- if IFACE != null then { interfaces.${IFACE} = conf; } else conf
- ))
-
- (optionalAttrs (portsWithIFACE != { }) {
- interfaces = (mapAttrs (name: value: mkFWConf value) portsWithIFACE);
- })
- ];
-
- networking.wg-quick.interfaces = genAttrs (attrNames peers) mkWireguardConf;
-}
diff --git a/hosts/miscservers/firewall.nix b/hosts/miscservers/firewall.nix
deleted file mode 100644
index 4486ffc..0000000
--- a/hosts/miscservers/firewall.nix
+++ /dev/null
@@ -1,34 +0,0 @@
-{
- lib,
- pkgs,
- config,
- targetProfile,
- ...
-}:
-let
- cfg = config.hostprofile.${targetProfile};
-in
-{
-
- config = {
-
- # environment.systemPackages = with pkgs; [ ferm ]; # Prepare an eventual switch to FERM
-
- networking.nftables.enable = true;
-
- # Open ports in the firewall.
- networking.firewall = {
- enable = true;
-
- allowedTCPPorts = [
- 22 # SSH
- ];
- # allowedUDPPorts = [ ... ];
-
- # checkReversePath = "loose";
- checkReversePath = true;
-
- filterForward = false;
- };
- };
-}
diff --git a/hosts/miscservers/options.nix b/hosts/miscservers/options.nix
deleted file mode 100644
index 5f42337..0000000
--- a/hosts/miscservers/options.nix
+++ /dev/null
@@ -1,50 +0,0 @@
-{
- lib,
- pkgs,
- targetConfig,
- targetProfile ? "miscservers",
- ...
-}:
-let
- inherit (lib) mkOption genAttrs attrNames;
-in
-{
- options.hostprofile.${targetProfile} = {
- # iface = if targetConfig ? interface then targetConfig.interface else null;
- interface = mkOption {
- type = lib.types.nullOr lib.types.str;
- default = null;
- example = "enp1s0";
- description = "device's principal interface (Management / UpLink)";
- };
-
- loopbacks =
- let
- protos = {
- ipv4 = {
- examples = [ "1.2.3.4/32" ];
- pretty = "IPv4";
- };
-
- ipv6 = {
- examples = [ "::2/128" ];
- pretty = "IPv6";
- };
- };
- in
- genAttrs (attrNames protos) (
- x:
- let
- proto = protos.${x};
- in
- lib.mkOption {
- type = lib.types.listOf lib.types.str;
- default = [ ];
- example = proto.examples;
- description = ''
- List of ${proto.pretty} loopbacks assigned.
- '';
- }
- );
- };
-}
diff --git a/hosts/routereflectors/configuration.nix b/hosts/routereflectors/configuration.nix
deleted file mode 100644
index e5bcd6c..0000000
--- a/hosts/routereflectors/configuration.nix
+++ /dev/null
@@ -1,139 +0,0 @@
-# Edit this configuration file to define what should be installed on
-# your system. Help is available in the configuration.nix(5) man page, on
-# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
-
-{
- config,
- lib,
- pkgs,
- ...
-}:
-
-{
- imports = [
- # Include the results of the hardware scan.
- ./options.nix # Options defined for this module
-
- ./network.nix
- ./firewall.nix
- ];
-
- # Configure network proxy if necessary
- # networking.proxy.default = "http://user:password@proxy:port/";
- # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
-
- # Select internationalisation properties.
- i18n.defaultLocale = "en_US.UTF-8";
-
- # Net Basics
- networking.useNetworkd = true;
- systemd.network.enable = true;
- systemd.network.wait-online.enable = false;
-
- environment.systemPackages = with pkgs; [ gobgp ];
-
- # List services that you want to enable:
- services.gobgpd = {
- enable = true;
- settings = {
- dynamic-neighbors = [
- {
- config = {
- peer-group = "kitten";
- prefix = "2a13:79c0:ffff:fefe::/64";
- };
- }
- {
- config = {
- peer-group = "kittevpn";
- prefix = "2a13:79c0:ffff:feff::/64";
- };
- }
- ];
- global = {
- config = {
- as = 4242421945;
- local-address-list = [
- "2a13:79c0:ffff:fefe::113:91"
- # "172.23.193.197"
- ];
- router-id = "172.23.193.197";
- };
- };
- peer-groups = [
- {
- afi-safis = [
- {
- config = {
- afi-safi-name = "ipv4-unicast";
- };
- }
- {
- config = {
- afi-safi-name = "ipv6-unicast";
- };
- }
- {
- config = {
- afi-safi-name = "l2vpn-evpn";
- };
- }
- ];
- config = {
- peer-as = 4242421945;
- peer-group-name = "kittevpn";
- };
- route-reflector = {
- config = {
- route-reflector-client = true;
- route-reflector-cluster-id = "172.23.193.197";
- };
- };
- }
- {
- afi-safis = [
- {
- config = {
- afi-safi-name = "ipv4-unicast";
- };
- }
- {
- config = {
- afi-safi-name = "ipv6-unicast";
- };
- }
- ];
- config = {
- peer-as = 4242421945;
- peer-group-name = "kitten";
- };
- route-reflector = {
- config = {
- route-reflector-client = true;
- route-reflector-cluster-id = "172.23.193.197";
- };
- };
- }
- ];
- };
- # autoReload = true;
- };
-
- # This option defines the first version of NixOS you have installed on this particular machine,
- # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
- #
- # Most users should NEVER change this value after the initial install, for any reason,
- # even if you've upgraded your system to a new NixOS release.
- #
- # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
- # so changing it will NOT upgrade your system.
- #
- # This value being lower than the current NixOS release does NOT mean your system is
- # out of date, out of support, or vulnerable.
- #
- # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
- # and migrated your data accordingly.
- #
- # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
- system.stateVersion = "23.11"; # Did you read the comment?
-}
diff --git a/hosts/routereflectors/default.nix b/hosts/routereflectors/default.nix
index b7a5ad8..fb1d3f8 100644
--- a/hosts/routereflectors/default.nix
+++ b/hosts/routereflectors/default.nix
@@ -1,15 +1,134 @@
-# {
-# iguane-kit-rr91 = import ./iguane-kit-rr91 { };
-# }
-
-# args@{ lib, ... }:
-# let
-# blacklist = [ ];
-# folders = builtins.attrNames (
-# lib.filterAttrs (n: v: v == "directory" && !lib.hasPrefix "_" n && !builtins.elem n blacklist) (
-# builtins.readDir ./.
-# )
-# );
-# in
-# lib.genAttrs folders (folder: (import (./. + "/${folder}") (args // { })))
-{...}: {}
\ No newline at end of file
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page, on
+# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
+
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+
+{
+ imports = [
+ # Include the results of the hardware scan.
+ ];
+
+ # Configure network proxy if necessary
+ # networking.proxy.default = "http://user:password@proxy:port/";
+ # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
+
+ # Select internationalisation properties.
+ i18n.defaultLocale = "en_US.UTF-8";
+
+ # Net Basics
+ networking.useNetworkd = true;
+ systemd.network.enable = true;
+ systemd.network.wait-online.enable = false;
+
+ environment.systemPackages = with pkgs; [ gobgp ];
+
+ # List services that you want to enable:
+ services.gobgpd = {
+ enable = true;
+ settings = {
+ dynamic-neighbors = [
+ {
+ config = {
+ peer-group = "kitten";
+ prefix = "2a13:79c0:ffff:fefe::/64";
+ };
+ }
+ {
+ config = {
+ peer-group = "kittevpn";
+ prefix = "2a13:79c0:ffff:feff::/64";
+ };
+ }
+ ];
+ global = {
+ config = {
+ as = 4242421945;
+ local-address-list = [
+ "2a13:79c0:ffff:fefe::113:91"
+ # "172.23.193.197"
+ ];
+ router-id = "172.23.193.197";
+ };
+ };
+ peer-groups = [
+ {
+ afi-safis = [
+ {
+ config = {
+ afi-safi-name = "ipv4-unicast";
+ };
+ }
+ {
+ config = {
+ afi-safi-name = "ipv6-unicast";
+ };
+ }
+ {
+ config = {
+ afi-safi-name = "l2vpn-evpn";
+ };
+ }
+ ];
+ config = {
+ peer-as = 4242421945;
+ peer-group-name = "kittevpn";
+ };
+ route-reflector = {
+ config = {
+ route-reflector-client = true;
+ route-reflector-cluster-id = "172.23.193.197";
+ };
+ };
+ }
+ {
+ afi-safis = [
+ {
+ config = {
+ afi-safi-name = "ipv4-unicast";
+ };
+ }
+ {
+ config = {
+ afi-safi-name = "ipv6-unicast";
+ };
+ }
+ ];
+ config = {
+ peer-as = 4242421945;
+ peer-group-name = "kitten";
+ };
+ route-reflector = {
+ config = {
+ route-reflector-client = true;
+ route-reflector-cluster-id = "172.23.193.197";
+ };
+ };
+ }
+ ];
+ };
+ # autoReload = true;
+ };
+
+ # This option defines the first version of NixOS you have installed on this particular machine,
+ # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
+ #
+ # Most users should NEVER change this value after the initial install, for any reason,
+ # even if you've upgraded your system to a new NixOS release.
+ #
+ # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
+ # so changing it will NOT upgrade your system.
+ #
+ # This value being lower than the current NixOS release does NOT mean your system is
+ # out of date, out of support, or vulnerable.
+ #
+ # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
+ # and migrated your data accordingly.
+ #
+ # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
+}
diff --git a/hosts/routers/bird_peers.nix b/hosts/routers/bird_peers.nix
deleted file mode 100644
index abc5627..0000000
--- a/hosts/routers/bird_peers.nix
+++ /dev/null
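Review bot: The new `hosts/routereflectors/default.nix` keeps the whole `system.stateVersion` comment block but drops the `system.stateVersion = "23.11"; # Did you read the comment?` line that followed it in the deleted `hosts/routereflectors/configuration.nix`, so the comment now explains an option that is never set; either restore that line after the comment or remove the block. The `imports` list is also reduced to the `# Include the results of the hardware scan.` comment, whereas the deleted configuration pulled in `./options.nix`, `./network.nix` and `./firewall.nix`; if those modules are not applied from elsewhere (not visible in this chunk), this gobgpd route reflector with `dynamic-neighbors` on two /64 prefixes is built without the firewall module it previously imported. A one-line comment under `imports = [` naming where the firewall and network modules now come from, or re-adding `./firewall.nix`, would make the intent explicit.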
@@ -1,195 +0,0 @@
-{
- lib,
- target,
- config,
- targetConfig,
- birdConfig,
- ...
-}:
-let
- inherit (lib) listToAttrs nameValuePair;
-
- peers = birdConfig.peers;
-
- peersWithPasswordRef = lib.attrsets.filterAttrs (n: v: v ? passwordRef) peers;
-
- passwords = lib.unique (lib.attrsets.mapAttrsToList (n: v: v.passwordRef) peersWithPasswordRef);
-in
-{
-
- sops.secrets = listToAttrs (
- map (n: lib.nameValuePair "bird_secrets/${n}" { reloadUnits = [ "bird2.service" ]; }) passwords
- );
-
- sops.templates."bird_secrets.conf".content = lib.mkMerge (
- map (password: ''
- define secretPassword_${password} = "${config.sops.placeholder."bird_secrets/${password}"}";
- '') passwords
- );
-
- services.bird2.config =
- let
- mkPeersFuncArgs = (x: { peerName = x; } // peers.${x});
-
- toLines =
- nindent:
- let
- indent = lib.concatMapStrings (_: " ") (lib.range 1 nindent);
- in
- builtins.concatStringsSep "\n${indent}";
-
- withType = types: x: lib.toFunction types.${builtins.typeOf x} x;
-
- peersFunc =
- x@{
- peerName,
- peerIP,
- peerAS ? 65666,
-
- localIP ? "",
- localAS ? 65666,
-
- multihop ? 0,
- template ? "",
-
- password ? "",
- passwordRef ? "",
-
- ipv4 ? { },
- ipv6 ? { },
-
- bgpMED ? null,
-
- wireguard ? { },
- interface ?
- if (wireguard != { }) then
- (if wireguard ? interface then wireguard.interface else peerName)
- else
- null,
- ...
- }:
- let
- inherit (lib) optionalString;
- inherit (builtins) concatStringsSep toJSON;
- in
- ''
- ${optionalString (bgpMED != null) "define bgpMED_${toString peerName} = ${toString bgpMED};"}
- ${optionalString (template == "kittunderlay") ''
- filter filter4_IN_BGP_${toString peerName} {
- if is_valid4_network() then {
- if defined( bgp_med ) then
- bgp_med = bgp_med + bgpMED_${toString peerName};
- else {
- bgp_med = bgpMED_${toString peerName};
- }
- accept;
- } else reject;
- }
-
- filter filter6_IN_BGP_${toString peerName} {
- if is_valid6_network() then {
- if defined( bgp_med ) then
- bgp_med = bgp_med + bgpMED_${toString peerName};
- else {
- bgp_med = bgpMED_${toString peerName};
- }
- accept;
- } else reject;
- }
- ''}
-
- # ${optionalString (x ? debug && x.debug == true) (toJSON x)}
- # L: AS${toString localAS} | R: AS${toString peerAS}
- protocol bgp ${toString peerName} ${optionalString (template != "") "from ${toString template}"} {
- local ${
- optionalString (localIP != "") (toString localIP)
- } as ${toString localAS}; # localIP: "${toString localIP}"
- neighbor ${toString peerIP} as ${toString peerAS};
- ${optionalString (interface != null) ''interface "${interface}";''}
- ${
- if multihop == 0 then
- "direct;"
- else
- "multihop ${
- optionalString (multihop != -1) toString (if multihop < -1 then -1 * multihop else multihop)
- };"
- } # multihop: ${toString multihop}
-
- ${
- optionalString (password != "")
- ''password "${
- assert lib.asserts.assertMsg (
- passwordRef == ""
- ) "U defined a passwordRef, why do you still want to leak password ?";
- toString (
- lib.warn "bird2 peers password is insecure consider using passwordRef with a bird_secrets file" password
- )
- }"; # Not-Secured cleartext access for @everyone''
- }
- ${
- optionalString (
- passwordRef != ""
- ) "password secretPassword_${toString passwordRef}; # Defined in secrets file"
- }
-
- ${
- optionalString (ipv6 != { }) ''
- ipv6 {
- ${
- optionalString (ipv6 ? 
imports && ipv6.imports != "" && ipv6.imports != [ ]) (
- let
- myType = withType {
- string = x: " import ${x};";
- null = x: " import none;";
- lambda = f: myType (f peerName);
- list = x: ''
- # ${toJSON x}
- import filter {
- if ( net ~ [ ${concatStringsSep ", " x} ] ) then {
- accept;
- }
- reject;
- };
- '';
- };
- in
- myType ipv6.imports
- )
- }
- ${
- optionalString (ipv6 ? exports && ipv6.exports != "" && ipv6.exports != [ ]) (
- let
- myType = withType {
- string = x: " export ${x};";
- null = x: " export none;";
- lambda = f: myType (f peerName);
- list = x: ''
- # ${toJSON x}
- export filter {
- if ( net ~ [ ${concatStringsSep ", " x} ] ) then {
- accept;
- }
- reject;
- };
- '';
- };
- in
- myType ipv6.exports
- )
- }
- };
- ''
- }
-
- }
- ''
-
- ;
- in
- lib.mkOrder 50 (
- builtins.concatStringsSep "\n" (
- [ "# Nix-OS Generated for ${target}" ]
- ++ (map (x: "# ${x}\n${peersFunc (mkPeersFuncArgs x)}") (builtins.attrNames peers))
- )
- );
-}
diff --git a/modules/proxmox-backup-client.nix b/modules/proxmox-backup-client.nix
deleted file mode 100644
index da73880..0000000
--- a/modules/proxmox-backup-client.nix
+++ /dev/null
@@ -1,416 +0,0 @@
-{
- config,
- lib,
- pkgs,
- utils,
- ...
-}: # TODO: Implement correctly
-
-with lib; # TODO: don't
-
-let
- # Type for a valid systemd unit option. Needed for correctly passing "timerConfig" to "systemd.timers"
- inherit (utils.systemdUtils.unitOptions) unitOption;
-in
-{
- options.services.proxmox-backup-client.backups = mkOption {
- description = ''
- Periodic backups to create with Proxmox Backup Client.
- '';
- type = types.attrsOf (
- types.submodule (
- { name, ... }:
- {
- options = {
- passwordFile = mkOption {
- type = types.str;
- description = ''
- Read the repository password from a file.
- '';
- example = "/etc/nixos/proxmox-backup-client-password";
- };
-
- environmentFile = mkOption {
- type = with types; nullOr str;
- default = null;
- description = ''
- file containing the credentials to access the repository, in the
- format of an EnvironmentFile as described by systemd.exec(5)
- '';
- };
-
- rcloneOptions = mkOption {
- type =
- with types;
- nullOr (
- attrsOf (oneOf [
- str
- bool
- ])
- );
- default = null;
- description = ''
- Options to pass to rclone to control its behavior.
- See for
- available options. When specifying option names, strip the
- leading `--`. To set a flag such as
- `--drive-use-trash`, which does not take a value,
- set the value to the Boolean `true`.
- '';
- example = {
- bwlimit = "10M";
- drive-use-trash = "true";
- };
- };
-
- rcloneConfig = mkOption {
- type =
- with types;
- nullOr (
- attrsOf (oneOf [
- str
- bool
- ])
- );
- default = null;
- description = ''
- Configuration for the rclone remote being used for backup.
- See the remote's specific options under rclone's docs at
- . When specifying
- option names, use the "config" name specified in the docs.
- For example, to set `--b2-hard-delete` for a B2
- remote, use `hard_delete = true` in the
- attribute set.
- Warning: Secrets set in here will be world-readable in the Nix
- store! 
Consider using the `rcloneConfigFile`
- option instead to specify secret values separately. Note that
- options set here will override those set in the config file.
- '';
- example = {
- type = "b2";
- account = "xxx";
- key = "xxx";
- hard_delete = true;
- };
- };
-
- rcloneConfigFile = mkOption {
- type = with types; nullOr path;
- default = null;
- description = ''
- Path to the file containing rclone configuration. This file
- must contain configuration for the remote specified in this backup
- set and also must be readable by root. Options set in
- `rcloneConfig` will override those set in this
- file.
- '';
- };
-
- repository = mkOption {
- type = with types; nullOr str;
- default = null;
- description = "Repository to backup to.";
- example = "sftp:backup@192.168.1.100:/backups/${name}";
- };
-
- repositoryFile = mkOption {
- type = with types; nullOr path;
- default = null;
- description = "Path to the file containing the repository location to backup to.";
- };
-
- paths = mkOption {
- # This is nullable for legacy reasons only. We should consider making it a pure listOf
- # after some time has passed since this comment was added.
- type = types.nullOr (types.listOf types.str);
- default = [ ];
- description = ''
- Which paths to backup, in addition to ones specified via
- `dynamicFilesFrom`. If null or an empty array and
- `dynamicFilesFrom` is also null, no backup command will be run.
- This can be used to create a prune-only job.
- '';
- example = [
- "/var/lib/postgresql"
- "/home/user/backup"
- ];
- };
-
- exclude = mkOption {
- type = types.listOf types.str;
- default = [ ];
- description = ''
- Patterns to exclude when backing up. See
- https://proxmox-backup-client.readthedocs.io/en/latest/040_backup.html#excluding-files for
- details on syntax. 
- '';
- example = [
- "/var/cache"
- "/home/*/.cache"
- ".git"
- ];
- };
-
- timerConfig = mkOption {
- type = types.nullOr (types.attrsOf unitOption);
- default = {
- OnCalendar = "daily";
- Persistent = true;
- };
- description = ''
- When to run the backup. See {manpage}`systemd.timer(5)` for
- details. If null no timer is created and the backup will only
- run when explicitly started.
- '';
- example = {
- OnCalendar = "00:05";
- RandomizedDelaySec = "5h";
- Persistent = true;
- };
- };
-
- user = mkOption {
- type = types.str;
- default = "root";
- description = "As which user the backup should run.";
- example = "postgresql";
- };
-
- extraBackupArgs = mkOption {
- type = types.listOf types.str;
- default = [ ];
- description = "Extra arguments passed to proxmox-backup-client backup.";
- example = [ "--exclude-file=/etc/nixos/proxmox-backup-client-ignore" ];
- };
-
- extraOptions = mkOption {
- type = types.listOf types.str;
- default = [ ];
- description = "Extra extended options to be passed to the proxmox-backup-client --option flag.";
- example = [ "sftp.command='ssh backup@192.168.1.100 -i /home/user/.ssh/id_rsa -s sftp'" ];
- };
-
- initialize = mkOption {
- type = types.bool;
- default = false;
- description = "Create the repository if it doesn't exist.";
- };
-
- pruneOpts = mkOption {
- type = types.listOf types.str;
- default = [ ];
- description = ''
- A list of options (--keep-\* et al.) for 'proxmox-backup-client forget
- --prune', to automatically prune old snapshots. The
- 'forget' command is run *after* the 'backup' command, so
- keep that in mind when constructing the --keep-\* options. 
- '';
- example = [
- "--keep-daily 7"
- "--keep-weekly 5"
- "--keep-monthly 12"
- "--keep-yearly 75"
- ];
- };
-
- runCheck = mkOption {
- type = types.bool;
- default = (builtins.length config.services.proxmox-backup-client.backups.${name}.checkOpts > 0);
- defaultText = literalExpression "builtins.length config.services.backups.${name}.checkOpts > 0";
- description = "Whether to run the `check` command with the provided `checkOpts` options.";
- example = true;
- };
-
- checkOpts = mkOption {
- type = types.listOf types.str;
- default = [ ];
- description = "A list of options for 'proxmox-backup-client check'.";
- example = [ "--with-cache" ];
- };
-
- dynamicFilesFrom = mkOption {
- type = with types; nullOr str;
- default = null;
- description = ''
- A script that produces a list of files to back up. The
- results of this command are given to the '--files-from'
- option. The result is merged with paths specified via `paths`.
- '';
- example = "find /home/matt/git -type d -name .git";
- };
-
- backupPrepareCommand = mkOption {
- type = with types; nullOr str;
- default = null;
- description = "A script that must run before starting the backup process.";
- };
-
- backupCleanupCommand = mkOption {
- type = with types; nullOr str;
- default = null;
- description = "A script that must run after finishing the backup process.";
- };
-
- package = mkPackageOption pkgs "proxmox-backup-client" { };
-
- createWrapper = lib.mkOption {
- type = lib.types.bool;
- default = true;
- description = ''
- Whether to generate and add a script to the system path, that has the same environment variables set
- as the systemd service. This can be used to e.g. mount snapshots or perform other opterations, without
- having to manually specify most options. 
- '';
- };
- };
- }
- )
- );
- default = { };
- example = {
- remotebackup = {
- paths = [ "/home" ];
- repository = "sftp:backup@host:/backups/home";
- passwordFile = "/etc/nixos/secrets/proxmox-backup-client-password";
- extraOptions = [
- "sftp.command='ssh backup@host -i /etc/nixos/secrets/backup-private-key -s sftp'"
- ];
- timerConfig = {
- OnCalendar = "00:05";
- RandomizedDelaySec = "5h";
- };
- };
- };
- };
-
- config = {
- assertions = mapAttrsToList (n: v: {
- assertion = (v.repository == null) != (v.repositoryFile == null);
- message = "services.proxmox-backup-client.backups.${n}: exactly one of repository or repositoryFile should be set";
- }) config.services.proxmox-backup-client.backups;
- systemd.services = mapAttrs' (
- name: backup:
- let
- extraOptions = concatMapStrings (arg: " -o ${arg}") backup.extraOptions;
- pbcCmd = "${backup.package}/bin/proxmox-backup-client${extraOptions}";
- excludeFlags = optional (
- backup.exclude != [ ]
- ) "--exclude-file=${pkgs.writeText "exclude-patterns" (concatStringsSep "\n" backup.exclude)}";
- filesFromTmpFile = "/run/proxmox-backup-client-backups-${name}/includes";
- doBackup = (backup.dynamicFilesFrom != null) || (backup.paths != null && backup.paths != [ ]);
- pruneCmd = optionals (builtins.length backup.pruneOpts > 0) [
- (pbcCmd + " forget --prune " + (concatStringsSep " " backup.pruneOpts))
- ];
- checkCmd = optionals backup.runCheck [
- (pbcCmd + " check " + (concatStringsSep " " backup.checkOpts))
- ];
- # Helper functions for rclone remotes
- rcloneRemoteName = builtins.elemAt (splitString ":" backup.repository) 1;
- rcloneAttrToOpt = v: "RCLONE_" + toUpper (builtins.replaceStrings [ "-" ] [ "_" ] v);
- rcloneAttrToConf = v: "RCLONE_CONFIG_" + toUpper (rcloneRemoteName + "_" + v);
- toRcloneVal = v: if lib.isBool v then lib.boolToString v else v;
- in
- nameValuePair "proxmox-backup-client-backups-${name}" (
- {
- environment =
- {
- # not %C, because that wouldn't work in the wrapper script
- 
RESTIC_CACHE_DIR = "/var/cache/proxmox-backup-client-backups-${name}";
- RESTIC_PASSWORD_FILE = backup.passwordFile;
- RESTIC_REPOSITORY = backup.repository;
- RESTIC_REPOSITORY_FILE = backup.repositoryFile;
- }
- // optionalAttrs (backup.rcloneOptions != null) (
- mapAttrs' (
- name: value: nameValuePair (rcloneAttrToOpt name) (toRcloneVal value)
- ) backup.rcloneOptions
- )
- // optionalAttrs (backup.rcloneConfigFile != null) { RCLONE_CONFIG = backup.rcloneConfigFile; }
- // optionalAttrs (backup.rcloneConfig != null) (
- mapAttrs' (
- name: value: nameValuePair (rcloneAttrToConf name) (toRcloneVal value)
- ) backup.rcloneConfig
- );
- path = [ config.programs.ssh.package ];
- restartIfChanged = false;
- wants = [ "network-online.target" ];
- after = [ "network-online.target" ];
- serviceConfig = {
- Type = "oneshot";
- ExecStart =
- (optionals doBackup [
- "${pbcCmd} backup ${
- concatStringsSep " " (backup.extraBackupArgs ++ excludeFlags)
- } --files-from=${filesFromTmpFile}"
- ])
- ++ pruneCmd
- ++ checkCmd;
- User = backup.user;
- RuntimeDirectory = "proxmox-backup-client-backups-${name}";
- CacheDirectory = "proxmox-backup-client-backups-${name}";
- CacheDirectoryMode = "0700";
- PrivateTmp = true;
- } // optionalAttrs (backup.environmentFile != null) { EnvironmentFile = backup.environmentFile; };
- }
- // optionalAttrs (backup.initialize || doBackup || backup.backupPrepareCommand != null) {
- preStart = ''
- ${optionalString (backup.backupPrepareCommand != null) ''
- ${pkgs.writeScript "backupPrepareCommand" backup.backupPrepareCommand}
- ''}
- ${optionalString (backup.initialize) ''
- ${pbcCmd} snapshots || ${pbcCmd} init
- ''}
- ${optionalString (backup.paths != null && backup.paths != [ ]) ''
- cat ${pkgs.writeText "staticPaths" (concatStringsSep "\n" backup.paths)} >> ${filesFromTmpFile}
- ''}
- ${optionalString (backup.dynamicFilesFrom != null) ''
- ${pkgs.writeScript "dynamicFilesFromScript" backup.dynamicFilesFrom} >> ${filesFromTmpFile}
- ''}
- ''; 
- }
- // optionalAttrs (doBackup || backup.backupCleanupCommand != null) {
- postStop = ''
- ${optionalString (backup.backupCleanupCommand != null) ''
- ${pkgs.writeScript "backupCleanupCommand" backup.backupCleanupCommand}
- ''}
- ${optionalString doBackup ''
- rm ${filesFromTmpFile}
- ''}
- '';
- }
- )
- ) config.services.proxmox-backup-client.backups;
- systemd.timers =
- mapAttrs'
- (
- name: backup:
- nameValuePair "proxmox-backup-client-backups-${name}" {
- wantedBy = [ "timers.target" ];
- timerConfig = backup.timerConfig;
- }
- )
- (filterAttrs (_: backup: backup.timerConfig != null) config.services.proxmox-backup-client.backups);
-
- # generate wrapper scripts, as described in the createWrapper option
- environment.systemPackages = lib.mapAttrsToList (
- name: backup:
- let
- extraOptions = lib.concatMapStrings (arg: " -o ${arg}") backup.extraOptions;
- pbcCmd = "${backup.package}/bin/proxmox-backup-client${extraOptions}";
- in
- pkgs.writeShellScriptBin "proxmox-backup-client-${name}" ''
- set -a # automatically export variables
- ${lib.optionalString (backup.environmentFile != null) "source ${backup.environmentFile}"}
- # set same environment variables as the systemd service
- ${lib.pipe config.systemd.services."proxmox-backup-client-backups-${name}".environment [
- (lib.filterAttrs (n: v: v != null && n != "PATH"))
- (lib.mapAttrsToList (n: v: "${n}=${v}"))
- (lib.concatStringsSep "\n")
- ]}
- PATH=${config.systemd.services."proxmox-backup-client-backups-${name}".environment.PATH}:$PATH
-
- exec ${pbcCmd} $@
- ''
- ) (lib.filterAttrs (_: v: v.createWrapper) config.services.proxmox-backup-client.backups);
- };
-}
diff --git a/system/configuration.nix b/system/configuration.nix
deleted file mode 100644
index 400530e..0000000
--- a/system/configuration.nix
+++ /dev/null
@@ -1,98 +0,0 @@
-# Edit this configuration file to define what should be installed on
-# your system. Help is available in the configuration.nix(5) man page, on
-# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
-
-{
- config,
- targetConfig,
- lib,
- pkgs,
- ...
-}:
-
-{
-
- imports = [
- ./pkgs.nix
- ./inputrc.nix # ReadLine config
- ./security.nix # PAM + SSH + Keys
- ./firewall.nix
-
- ./openvpn.nix
- ./wireguard.nix
-
- ./console.nix
- ./serial-com.nix
- ./systemd-boot.nix
- ./grub-boot.nix
- ];
-
- # Set your time zone.
- time.timeZone = "Europe/Paris";
-
- # Configure network proxy if necessary
- # networking.proxy.default = "http://user:password@proxy:port/";
- # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
-
- # Select internationalisation properties.
- i18n.defaultLocale = "en_US.UTF-8";
-
- boot.supportedFilesystems = [ "nfs" ];
- services.rpcbind.enable = true; # NFS - Client
-
- nix = {
- package = pkgs.nixFlakes;
- settings = {
- auto-optimise-store = true;
- };
- gc = {
- automatic = false; # TODO: Implement static N generations
- dates = "daily";
- options =
- let
- default = 10; # TODO: Find a better way to do it
-
- generations = builtins.toString (
- if config.boot.loader.systemd-boot.enable then
- config.boot.loader.systemd-boot.configurationLimit
- else if config.boot.loader.grub.enable then
- config.boot.loader.grub.configurationLimit
- else if config.boot.loader.generic-extlinux-compatible.enable then
- config.boot.loader.generic-extlinux-compatible.configurationLimit
- else
- default
- );
- in
- "--delete-older-than +${generations}"; # Not supported
- };
- extraOptions = ''
- experimental-features = nix-command flakes
- '';
- };
-
- programs.zsh.enable = true; # Install System-Wide -> Config is done with home-manager
-
- environment.shells = with pkgs; [ zsh ];
- environment.pathsToLink = [ "/share/zsh" ]; # ZSH Completion
-
- # tmpFS on /tmp
- boot.tmp.useTmpfs = lib.mkDefault true;
-
- # 
Enable the OpenSSH daemon.
- services.openssh.enable = true;
-
- environment.systemPackages = with pkgs; [
- # Additional packages
- # nix-inspect
- ];
-
- # Versions Dump
- environment.etc."current-system-packages".text =
- let
- getName = (p: if p ? name then "${p.name}" else "${p}");
- packages = builtins.map getName config.environment.systemPackages;
- sortedUnique = builtins.sort builtins.lessThan (lib.unique packages);
- formatted = builtins.concatStringsSep "\n" sortedUnique;
- in
- formatted;
-}
diff --git a/system/firewall.nix b/system/firewall.nix
deleted file mode 100644
index 3c8db3a..0000000
--- a/system/firewall.nix
+++ /dev/null
@@ -1,27 +0,0 @@
-{ lib, ... }:
-{
- # Open ports in the firewall.
- # networking.firewall.allowedTCPPorts = [ ... ];
- # networking.firewall.allowedUDPPorts = [ ... ];
- # Or disable the firewall altogether.
- # networking.firewall.enable = false;
-
- # TODO: Re-enable when tailscale is compatible
- # -> Warning: XT target MASQUERADE not found
- # networking.nftables.enable = true; # Cleaner approach, easier rules implementation
-
- networking.firewall = {
- enable = lib.mkDefault false; # TODO: Enable IT
-
- allowedTCPPorts = lib.mkDefault [
- 22
- # 80
- # 443
- ];
-
- # allowedUDPPortRanges = [
- # { from = 4000; to = 4007; }
- # { from = 8000; to = 8010; }
- # ];
- };
-}
From 9bce113f5c7b25427795cf633213625426d417eb Mon Sep 17 00:00:00 2001
From: Antoine 'Toinux' Wam
Date: Sun, 29 Dec 2024 16:48:37 +0100
Subject: [PATCH 28/74] - hosts/routers/configuration.nix:
---
hosts/routers/configuration.nix | 55 ---------------------------------
1 file changed, 55 deletions(-)
delete mode 100644 hosts/routers/configuration.nix
diff --git a/hosts/routers/configuration.nix b/hosts/routers/configuration.nix
deleted file mode 100644
index 23c5c16..0000000
--- a/hosts/routers/configuration.nix
+++ /dev/null
@@ -1,55 +0,0 @@ -# Edit this configuration file to define what should be installed on -# your system. Help is available in the configuration.nix(5) man page, on -# https://search.nixos.org/options and in the NixOS manual (`nixos-help`). - -{ - config, - lib, - pkgs, - ... -}: - -{ - imports = [ - # Include the results of the hardware scan. - ./bird.nix # Bird Routing - ./wireguard.nix - ./firewall.nix - ]; - - # Configure network proxy if necessary - # networking.proxy.default = "http://user:password@proxy:port/"; - # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; - - # Select internationalisation properties. - i18n.defaultLocale = "en_US.UTF-8"; - - # Net Basics - networking.useNetworkd = true; - systemd.network.enable = true; - systemd.network.wait-online.enable = false; - - # List services that you want to enable: - services.bird2 = { - enable = true; - autoReload = true; - }; - - # This option defines the first version of NixOS you have installed on this particular machine, - # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. - # - # Most users should NEVER change this value after the initial install, for any reason, - # even if you've upgraded your system to a new NixOS release. - # - # This value does NOT affect the Nixpkgs version your packages and OS are pulled from, - # so changing it will NOT upgrade your system. - # - # This value being lower than the current NixOS release does NOT mean your system is - # out of date, out of support, or vulnerable. - # - # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration, - # and migrated your data accordingly. - # - # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion . - system.stateVersion = "23.11"; # Did you read the comment? -} From 4e6490825c296e255d5bff9abb3237a01f453297 Mon Sep 17 00:00:00 2001 
From: Antoine 'Toinux' Wam Date: Sun, 29 Dec 2024 17:04:13 +0100 Subject: [PATCH 29/74] Cleanup --- hosts/routers/bird.nix | 332 -------------------------------------- hosts/routers/default.nix | 69 ++++++-- system/default.nix | 1 - system/wireguard.nix | 6 - 4 files changed, 53 insertions(+), 355 deletions(-) delete mode 100644 hosts/routers/bird.nix delete mode 100644 system/wireguard.nix diff --git a/hosts/routers/bird.nix b/hosts/routers/bird.nix deleted file mode 100644 index 2f9c882..0000000 --- a/hosts/routers/bird.nix +++ /dev/null 
@@ -1,332 +0,0 @@ -{ - lib, - config, - target, - targetConfig, - ... -}: -let - inherit (lib) - optional - optionals - optionalString - mkOrder - attrNames - filterAttrs - concatStringsSep - concatMapStringsSep - ; - - birdCfg = config.services.bird2; - - srvCfg = - let - cfg = - if targetConfig ? birdConfig then - targetConfig.birdConfig - else - import (./. + "/${target}/birdconfig.nix") { inherit targetConfig; }; - in - if cfg ? peers then - cfg - else - let - peers = (import (./. + "/${target}/peers/") { }); - in - (cfg // { inherit peers; }); - - rrs = attrNames (filterAttrs (n: v: v ? template && v.template == "rrserver") srvCfg.peers); - - lo4 = - if (srvCfg ? loopback4 && srvCfg.loopback4 != null && srvCfg.loopback4 != "") then - srvCfg.loopback4 - else - null; - - lo6 = - if (srvCfg ? loopback6 && srvCfg.loopback6 != null && srvCfg.loopback6 != "") then - srvCfg.loopback6 - else - null; -in -{ - imports = [ - ./bird_peers.nix - # ./bird_statics.nix - ]; - - config = { - - sops.templates."bird_secrets.conf" = { - owner = "bird2"; - }; - - _module.args = { - birdConfig = srvCfg; - }; - - networking.firewall.allowedTCPPorts = [ - 179 # BGP - 1790 # Internal BGP - ]; - - networking.interfaces.lo = { - ipv4.addresses = lib.mkIf (lo4 != null) [ - { - address = "${toString srvCfg.loopback4}"; - prefixLength = 32; - } - ]; - ipv6.addresses = lib.mkIf (lo6 != null) [ - { - address = "${toString srvCfg.loopback6}"; - prefixLength = 128; - } - ]; - }; - - services.bird2.preCheckConfig = '' - echo "Bird configuration include these resources" - grep include bird2.conf - - LINE=$(grep -n include bird2.conf | grep bird_secrets.conf | head -1 | cut -d: -f1) - if [ ! 
-z "$LINE" ]; then - echo "Found secrets importing, will substitute it with placeholders values" - sed ''${LINE}d -i bird2.conf - sed "$(($LINE))i"'include "_secrets_substitute.conf";' -i bird2.conf - - cat > _secrets_substitute.conf <<< ' - ${config.sops.templates."bird_secrets.conf".content} - ' - - # cat _secrets_substitute.conf bird2.conf - fi - ''; - - services.bird2.config = mkOrder 0 ( - concatStringsSep "\n\n" ( - let - transitIFACE = if srvCfg ? transitInterface then srvCfg.transitInterface else null; - - quoteString = x: ''"${x}"''; - in - [ - "log syslog all;" - - ''include "${config.sops.templates."bird_secrets.conf".path}";'' - - '' - # The Device protocol is not a real routing protocol. It does not generate any - # routes and it only serves as a module for getting information about network - # interfaces from the kernel. It is necessary in almost any configuration. - protocol device DEV {} - - # The direct protocol is not a real routing protocol. It automatically generates - # direct routes to all network interfaces. Can exist in as many instances as you - # wish if you want to populate multiple routing tables with direct routes. 
- protocol direct DIRECT { - #disabled; - check link on; - ipv4; - ipv6; - interface "*"; - } - '' - - '' - #<== Générique - function is_valid4_network() { - return net ~ [ - 172.23.193.192/26, - 172.23.193.192/26{32,32} - ]; - } - - function is_valid6_network() { - return net ~ [ - 2a13:79c0:ff00::/40, - 2a13:79c0:ffff::/48{48,64}, - 2a13:79c0:ffff:fefe::/64{128,128}, - 2a13:79c0:ffff:feff::/64{112,112} - ]; - } - - - function is_rr_valid6_network() { - return net ~ [ - ${ - optionalString (transitIFACE != null) "# ::/0," - } # Announce (or not) default route [transitInterface = ${toString transitIFACE}] - 2a13:79c0:ff00::/40, - 2a13:79c0:ff00::/48+, # Special case for Toinux home - # 2a13:79c0:ffff:fefe::/64{128,128}, - # 2a13:79c0:ffff:feff::/64{112,112}, - 2a13:79c0:ffff::/48{48,64}, - 2a13:79c0:fffe::/48{56,56} - ]; - } - - '' - - '' - # The Kernel protocol is not a real routing protocol. Instead of communicating - # with other routers in the network, it performs synchronization of BIRD - # routing tables with the OS kernel. One instance per table. - protocol kernel KERNEL4 { - ipv4 { # Connect protocol to IPv4 table by channel - # table master4; # Default IPv4 table is master4 - # import all; # Import to table, default is import all - # export all; # Export to protocol. 
default is export none - export filter { - if ( is_valid4_network() || source ~ [RTS_STATIC] - ${ - let - sep = "|| proto ="; - in - optionalString (rrs != [ ]) sep + (concatMapStringsSep sep quoteString rrs) - } - ) then { - ${ - optionalString (lo4 != null) '' - if source ~ [RTS_BGP] || net ~ [ 0.0.0.0/0 ] then { - krt_prefsrc=${lo4}; - } - '' - } - accept; - } else reject; - }; - }; - merge paths on; - # learn; # Learn alien routes from the kernel - # kernel table 10; # Kernel table to synchronize with (default: main) - } - - # Another instance for IPv6, skipping default options - protocol kernel KERNEL6 { - # ipv6 { export all; }; - ipv6 { - export filter { - - if ( is_valid6_network() || source ~ [RTS_STATIC] - ${ - let - sep = "|| proto ="; - in - optionalString (rrs != [ ]) sep + (concatMapStringsSep sep quoteString rrs) - } - ) then { - ${ - optionalString (lo6 != null) '' - if source ~ [RTS_BGP] || net ~ [ ::/0 ] then { - krt_prefsrc=${lo6}; - } - '' - } - accept; - } else reject; - }; - }; - - merge paths on; - } - '' - - '' - - template bgp rrserver { - local port 1790; - neighbor port 179; - multihop 5; - - ipv4 { - gateway recursive; - extended next hop; - next hop self; - - import filter { accept; }; - - export none; - # export filter { if is_v4_network() && source ~ [RTS_STATIC, RTS_DEVICE, RTS_BGP, RTS_OSPF] then accept; else reject; }; - import limit 1000 action block; - igp table master4; # IGP table for routes with IPv4 nexthops - # igp table master6; # IGP table for routes with IPv4 nexthops - }; - - ipv6 { - gateway recursive; - next hop self; - - import filter { accept; }; - export filter { if is_rr_valid6_network() && source ~ [RTS_STATIC, RTS_DEVICE, RTS_BGP, RTS_OSPF] then accept; else reject; }; - import limit 1000 action block; - igp table master6; # IGP table for routes with IPv6 nexthops - }; - - } - '' - - '' - template bgp kittunderlay { - # local as 4242421945; - # neighbor as kittenASN; - local port 1790; - neighbor port 1790; - rr 
client; - path metric off; - ipv4 { - extended next hop; - next hop self; - import keep filtered; - - import filter { - if is_valid4_network() then { - if defined( bgp_med ) then - bgp_med = bgp_med + 1000; - else { - bgp_med = 1000; - } - accept; - } else reject; - }; - - export filter { if is_valid4_network() && source ~ [RTS_STATIC, RTS_DEVICE, RTS_BGP, RTS_OSPF] then accept; else reject; }; - import limit 1000 action block; - }; - - ipv6 { - next hop self; - import keep filtered; - - import filter { - if is_valid6_network() then { - if defined( bgp_med ) then - bgp_med = bgp_med + 1000; - else { - bgp_med = 1000; - } - accept; - } else reject; - }; - - export filter { if is_valid6_network() && source ~ [RTS_STATIC, RTS_DEVICE, RTS_BGP, RTS_OSPF] then accept; else reject; }; - import limit 1000 action block; - }; - - } - '' - ] - ++ - optionals (srvCfg ? static6 && builtins.typeOf srvCfg.static6 == "list" && srvCfg.static6 != [ ]) - [ - '' - protocol static STATIC6 { - ipv6; - ${concatStringsSep "\n" (map (x: " " + "route ${x};") srvCfg.static6)} - } - '' - ] - ) - ); - }; -} diff --git a/hosts/routers/default.nix b/hosts/routers/default.nix index 426187a..f2379af 100644 --- a/hosts/routers/default.nix +++ b/hosts/routers/default.nix 
@@ -1,18 +1,55 @@ -# { -# iguane-kit-rtr = import ./iguane-kit-rtr { }; +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page, on +# https://search.nixos.org/options and in the NixOS manual (`nixos-help`). -# vultr-kit-edge = import ./vultr-kit-edge { }; -# virtua-kit-edge = import ./virtua-kit-edge { }; -# } +{ + config, + lib, + pkgs, + ... +}: -# args@{ lib, ... }: -# let -# blacklist = [ ]; -# folders = builtins.attrNames ( -# lib.filterAttrs (n: v: v == "directory" && !lib.hasPrefix "_" n && !builtins.elem n blacklist) ( -# builtins.readDir ./. -# ) -# ); -# in -# lib.genAttrs folders (folder: (import (./. + "/${folder}") (args // { }))) -{...}: {} \ No newline at end of file +{ + imports = [ + # Include the results of the hardware scan. + # ./bird.nix # Bird Routing + # ./wireguard.nix + # ./firewall.nix + ]; + + # Configure network proxy if necessary + # networking.proxy.default = "http://user:password@proxy:port/"; + # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; + + # Select internationalisation properties. + i18n.defaultLocale = "en_US.UTF-8"; + + # Net Basics + networking.useNetworkd = true; + systemd.network.enable = true; + systemd.network.wait-online.enable = false; + + # List services that you want to enable: + services.bird2 = { + enable = true; + autoReload = true; + }; + + # This option defines the first version of NixOS you have installed on this particular machine, + # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. + # + # Most users should NEVER change this value after the initial install, for any reason, + # even if you've upgraded your system to a new NixOS release. + # + # This value does NOT affect the Nixpkgs version your packages and OS are pulled from, + # so changing it will NOT upgrade your system. 
+ # + # This value being lower than the current NixOS release does NOT mean your system is + # out of date, out of support, or vulnerable. + # + # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration, + # and migrated your data accordingly. + # + # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion . + system.stateVersion = "23.11"; # Did you read the comment? +} diff --git a/system/default.nix b/system/default.nix index 6701ccc..52fc3a7 100644 --- a/system/default.nix +++ b/system/default.nix @@ -20,7 +20,6 @@ # VPNs ./openvpn.nix - ./wireguard.nix # Kernel / Bootloader # ./serial-com.nix diff --git a/system/wireguard.nix b/system/wireguard.nix deleted file mode 100644 index ae862f7..0000000 --- a/system/wireguard.nix +++ /dev/null @@ -1,6 +0,0 @@ -{ config, pkgs, ... }: - -{ - # boot.extraModulePackages = [ config.boot.kernelPackages.wireguard ]; - environment.systemPackages = with pkgs; [ wireguard-tools ]; -} From 32e5340d45fa3d1f1d3f6ba2833e681e95026b88 Mon Sep 17 00:00:00 2001 From: Antoine 'Toinux' Wam Date: Sun, 29 Dec 2024 16:48:37 +0100 Subject: [PATCH 30/74] ~ hosts/clients/NIXP/default.nix: --- hosts/clients/NIXP/default.nix | 21 +++++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) diff --git a/hosts/clients/NIXP/default.nix b/hosts/clients/NIXP/default.nix index 8ce999a..2bc0006 100644 --- a/hosts/clients/NIXP/default.nix +++ b/hosts/clients/NIXP/default.nix @@ -9,6 +9,13 @@ pkgs, ... }: +let + diskoProfile = "simple"; + diskoConfig = { + bootdisk = "/dev/vda"; + # crypted = true; + }; +in { imports = [ # Include the results of the hardware scan. 
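Review bot: `services.bird2.enable = true;` on the new side has nothing left to feed `services.bird2.config`: the `./bird.nix` import that generated it (along with the 179/1790 firewall openings and the loopback addresses) is commented out here and the file itself is deleted in this same commit, and `./firewall.nix` is commented out too. As far as I recall `services.bird2.config` has no default, so unless a per-host default.nix supplies it the routers group stops evaluating; either drop the `services.bird2` block from this file or keep the import until its replacement lands. The `# Include the results of the hardware scan.` line above the list is stale since no hardware-configuration is imported here, and `system.stateVersion = "23.11"` is now pinned for every router at group level rather than per host, which is worth a comment if intended.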
@@ -27,12 +34,14 @@ targetHost = null; }; + kittenModules = { + disko = { + enable = true; + profile = diskoProfile; - # system.includeBuildDependencies = true; - # system.extraDependencies = [ - # (../../..) - # ]; - # environment.etc."kittenconfig".source = ../../..; + ${diskoProfile} = diskoConfig; + }; + }; # Bootloader. boot.loader.systemd-boot.enable = true; @@ -147,7 +156,7 @@ enable = true; hydraURL = "http://localhost:3000"; notificationSender = "hydra@localhost"; - buildMachinesFiles = []; + buildMachinesFiles = [ ]; useSubstitutes = true; }; From 57194233782d7faff286f0993a6f21f65e2f76fc Mon Sep 17 00:00:00 2001 From: Antoine 'Toinux' Wam Date: Sun, 29 Dec 2024 16:48:37 +0100 Subject: [PATCH 31/74] - hosts/clients/laptaupe/configuration.nix: --- hosts/clients/laptaupe/configuration.nix | 63 ------------------------ 1 file changed, 63 deletions(-) delete mode 100644 hosts/clients/laptaupe/configuration.nix diff --git a/hosts/clients/laptaupe/configuration.nix b/hosts/clients/laptaupe/configuration.nix deleted file mode 100644 index 286e26a..0000000 --- a/hosts/clients/laptaupe/configuration.nix +++ /dev/null 
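Review bot: `${diskoProfile} = diskoConfig;` wires in a profile whose `let` binding in the previous hunk leaves `# crypted = true;` commented out, so NIXP's root on `/dev/vda` is provisioned unencrypted while laptaupe (PATCH 32) sets `crypted = true;` for the same `simple` profile. If that is deliberate for this VM, say so on the line, e.g. `# crypted = true; # VM: root intentionally left unencrypted`, so the asymmetry is not read as an oversight later. The `# Bootloader.` section that follows continues outside the hunk.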
@@ -1,63 +0,0 @@ -# Edit this configuration file to define what should be installed on -# your system. Help is available in the configuration.nix(5) man page, on -# https://search.nixos.org/options and in the NixOS manual (`nixos-help`). - -{ - config, - targetConfig, - lib, - pkgs, - ... -}: - -{ - imports = [ - # ../../../very/secret/path/s3nsible_config.nix - ../../../_system/laptop.nix - ]; - - # Bootloader. - boot.loader.systemd-boot.enable = true; - boot.loader.systemd-boot.configurationLimit = 5; - boot.loader.efi.canTouchEfiVariables = true; - - # # Not compatible for the moment - # boot.initrd.luks.yubikeySupport = true; - # boot.initrd.luks.fido2Support = true; - - # boot.initrd.systemd.enable = lib.mkForce false; - # boot.plymouth.enable = lib.mkForce false; - - # better to enable it after first-install - - networking = { - # networkmanager.enable = true; - networkmanager = - { - enable = true; - } - // lib.mkIf (config.networking.networkmanager.enable) { - extraConfig = lib.concatStringsSep "\n" [ - "[device]" - "match-device=driver:iwlwifi" - "wifi.scan-rand-mac-address=no" - ]; - }; - }; - - # Set your time zone. - time.timeZone = "Europe/Paris"; - # Select internationalisation properties. - i18n.defaultLocale = "en_US.UTF-8"; - - # Allow unfree packages - nixpkgs.config.allowUnfree = true; - - # This value determines the NixOS release from which the default - # settings for stateful data, like file locations and database versions - # on your system were taken. It‘s perfectly fine and recommended to leave - # this value at the release version of the first install of this system. - # Before changing this value read the documentation for this option - # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). - system.stateVersion = lib.mkForce "23.11"; # Did you read the comment? -} From e7df2e61c1011c0a968054b9546daa9451affa2f Mon Sep 17 00:00:00 2001 
From: Antoine 'Toinux' Wam Date: Sun, 29 Dec 2024 16:48:37 +0100 Subject: [PATCH 32/74] ~ hosts/clients/laptaupe/default.nix: --- hosts/clients/laptaupe/default.nix | 94 +++++++++++++++++++++++++++--- 1 file changed, 87 insertions(+), 7 deletions(-) diff --git a/hosts/clients/laptaupe/default.nix b/hosts/clients/laptaupe/default.nix index 73d7016..71eb619 100644 --- a/hosts/clients/laptaupe/default.nix +++ b/hosts/clients/laptaupe/default.nix 
@@ -1,10 +1,90 @@ -{ ... }: +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page, on +# https://search.nixos.org/options and in the NixOS manual (`nixos-help`). + +{ + config, + lib, + pkgs, + ... +}: +let + diskoProfile = "simple"; + diskoConfig = { + bootdisk = "/dev/nvme0n1"; + crypted = true; + }; +in { - type = "targetConfig"; + imports = [ + ../../../system/laptop.nix + ../default.nix + # Include the results of the hardware scan. + ./hardware-configuration.nix + # ./network-configuration.nix + # ./packages.nix + ]; + + deployment = { + # Allow local deployment with `colmena apply-local` + allowLocalDeployment = true; + + # Disable SSH deployment. This node will be skipped in a + # normal`colmena apply`. + targetHost = null; + }; + + kittenModules = { + disko = { + enable = true; + profile = diskoProfile; + + ${diskoProfile} = diskoConfig; + }; + }; + + # Bootloader. + boot.loader.systemd-boot.enable = true; + boot.loader.systemd-boot.configurationLimit = 5; + boot.loader.efi.canTouchEfiVariables = true; + + # # Not compatible for the moment + # boot.initrd.luks.yubikeySupport = true; + # boot.initrd.luks.fido2Support = true; + + # boot.initrd.systemd.enable = lib.mkForce false; + # boot.plymouth.enable = lib.mkForce false; + + # better to enable it after first-install + + networking = { + # networkmanager.enable = true; + networkmanager = + { + enable = true; + } + // lib.mkIf (config.networking.networkmanager.enable) { + extraConfig = lib.concatStringsSep "\n" [ + "[device]" + "match-device=driver:iwlwifi" + "wifi.scan-rand-mac-address=no" + ]; + }; + }; + + # Set your time zone. + time.timeZone = "Europe/Paris"; + # Select internationalisation properties. 
+ i18n.defaultLocale = "en_US.UTF-8"; + + # Allow unfree packages + nixpkgs.config.allowUnfree = true; - bootdisk = "/dev/nvme0n1"; - crypted = false; - # profile = "clients"; - # interface = ""; - # mainSerial = 0; + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = lib.mkForce "23.11"; # Did you read the comment? } From c5d75c6d78f4d812d3489f9cb4c24dbc6d800ba5 Mon Sep 17 00:00:00 2001 From: Antoine 'Toinux' Wam Date: Sun, 29 Dec 2024 16:48:37 +0100 Subject: [PATCH 33/74] - hosts/clients/laptaupe/disk-config.nix: --- hosts/clients/laptaupe/disk-config.nix | 98 -------------------------- 1 file changed, 98 deletions(-) delete mode 100644 hosts/clients/laptaupe/disk-config.nix diff --git a/hosts/clients/laptaupe/disk-config.nix b/hosts/clients/laptaupe/disk-config.nix deleted file mode 100644 index 6dffa34..0000000 --- a/hosts/clients/laptaupe/disk-config.nix +++ /dev/null 
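Review bot: The `networkmanager = { enable = true; } // lib.mkIf (config.networking.networkmanager.enable) { extraConfig = …; }` block carried over from the deleted configuration.nix most likely never enables NetworkManager: `lib.mkIf` returns an attrset tagged `_type = "if"`, `//` copies that tag into the merged value, and the module system then treats the whole value as a conditional node and pushes down only its `content`, so `enable = true` is discarded and the condition reads the default `false` (unless `../default.nix` enables it elsewhere, which I cannot see from here). Since `enable` is unconditional the `mkIf` is not needed at all: `networkmanager = { enable = true; extraConfig = lib.concatStringsSep "\n" [ "[device]" "match-device=driver:iwlwifi" "wifi.scan-rand-mac-address=no" ]; };`, or `lib.mkMerge [ { enable = true; } (lib.mkIf … { extraConfig = …; }) ]` if the conditional must stay. `wifi.scan-rand-mac-address=no` also deserves a one-line comment recording why scan-time MAC randomisation is switched off for iwlwifi (presumably a driver workaround), since it weakens tracking resistance and this file is the only place that decision is visible.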
@@ -1,98 +0,0 @@ -# Example to create a bios compatible gpt partition -{ lib, targetConfig, ... }: -{ - disko.devices = { - disk.disk1 = - let - crypted = targetConfig ? crypted && targetConfig.crypted; - - lv_PV = { - type = "lvm_pv"; - vg = "ROOT"; - }; - in - { - device = lib.mkDefault "${targetConfig.bootdisk}"; - type = "disk"; - content = { - type = "gpt"; - partitions = { - boot = { - size = "1M"; - type = "EF02"; # for grub MBR - }; - - ESP = { - size = "512M"; - type = "EF00"; - content = { - type = "filesystem"; - format = "vfat"; - mountpoint = "/boot"; - }; - }; - - root = lib.mkIf (!crypted) { - size = "100%"; - - content = lv_PV; - }; - - cryptroot = lib.mkIf (crypted) { - size = "100%"; - content = { - type = "luks"; - name = "crypted"; - extraOpenArgs = [ ]; - passwordFile = "/tmp/secret.key"; - settings = { - # if you want to use the key for interactive login be sure there is no trailing newline - # for example use `echo -n "password" > /tmp/secret.key` - # keyFile = "/tmp/secret.key"; - allowDiscards = true; - # crypttabExtraOpts = [ - # "fido2-device=auto" - # "token-timeout=5" - # ]; - # yubikey = { - # slot = 1; - # twoFactor = false; # Set to false for 1FA - # gracePeriod = 5; # Time in seconds to wait for Yubikey to be inserted - # # keyLength = 64; # Set to $KEY_LENGTH/8 - # # saltLength = 16; # Set to $SALT_LENGTH - - # storage = { - # device = "/dev/nvme0n1p1"; # Be sure to update this to the correct volume - # fsType = "vfat"; - # # path = "/crypt-storage/default"; - # }; - # }; - }; - - # additionalKeyFiles = [ "/tmp/additionalSecret.key" ]; - content = lv_PV; - }; - }; - }; - }; - }; - - lvm_vg = { - ROOT = { - type = "lvm_vg"; - lvs = { - - root = { - size = "100%FREE"; - content = { - type = "filesystem"; - format = "ext4"; - mountpoint = "/"; - mountOptions = [ "defaults" ]; - }; - }; - }; - }; - }; - }; -} From 18ade2b64c4a0ea66da26a9c564fde2cd1ce3be0 Mon Sep 17 00:00:00 2001 
From: Antoine 'Toinux' Wam Date: Sun, 29 Dec 2024 16:48:37 +0100 Subject: [PATCH 34/74] ~ hosts/_defaults.nix: --- hosts/_defaults.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/_defaults.nix b/hosts/_defaults.nix index 2d59aee..a3ff4be 100644 --- a/hosts/_defaults.nix +++ b/hosts/_defaults.nix @@ -4,7 +4,7 @@ args@{ pkgs, sources, ... }: ../system ../modules/system - (import "${sources.lix-module}/module.nix" { lix = sources.lix; }) + # (import "${sources.lix-module}/module.nix" { lix = sources.lix; }) "${sources.disko}/module.nix" "${sources.sops-nix}/modules/sops" ]; From 08ee8f999b58ec2beb24926459e03e3f273e1eab Mon Sep 17 00:00:00 2001 From: Antoine 'Toinux' Wam Date: Sun, 29 Dec 2024 16:48:37 +0100 Subject: [PATCH 35/74] - hosts/stonkmembers/configuration.nix: --- hosts/stonkmembers/configuration.nix | 50 ---------------------------- hosts/stonkmembers/default.nix | 46 ++++++++++++++++--------- 2 files changed, 30 insertions(+), 66 deletions(-) delete mode 100644 hosts/stonkmembers/configuration.nix diff --git a/hosts/stonkmembers/configuration.nix b/hosts/stonkmembers/configuration.nix deleted file mode 100644 index 6152acc..0000000 --- a/hosts/stonkmembers/configuration.nix +++ /dev/null 
@@ -1,50 +0,0 @@ -# Edit this configuration file to define what should be installed on -# your system. Help is available in the configuration.nix(5) man page, on -# https://search.nixos.org/options and in the NixOS manual (`nixos-help`). - -{ - config, - lib, - pkgs, - ... -}: - -{ - imports = [ - # Include the results of the hardware scan. - ./k3s.nix # K3s - ]; - - # Configure network proxy if necessary - # networking.proxy.default = "http://user:password@proxy:port/"; - # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; - - # Select internationalisation properties. - i18n.defaultLocale = "en_US.UTF-8"; - - # List services that you want to enable: - - # Open ports in the firewall. - # networking.firewall.allowedTCPPorts = [ ... ]; - # networking.firewall.allowedUDPPorts = [ ... ]; - # Or disable the firewall altogether. - networking.firewall.enable = false; - - # This option defines the first version of NixOS you have installed on this particular machine, - # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. - # - # Most users should NEVER change this value after the initial install, for any reason, - # even if you've upgraded your system to a new NixOS release. - # - # This value does NOT affect the Nixpkgs version your packages and OS are pulled from, - # so changing it will NOT upgrade your system. - # - # This value being lower than the current NixOS release does NOT mean your system is - # out of date, out of support, or vulnerable. - # - # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration, - # and migrated your data accordingly. - # - # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion . - system.stateVersion = "24.05"; # Did you read the comment? -} 
diff --git a/hosts/stonkmembers/default.nix b/hosts/stonkmembers/default.nix index 84a7e65..191f564 100644 --- a/hosts/stonkmembers/default.nix +++ b/hosts/stonkmembers/default.nix @@ -1,18 +1,32 @@ -# { -# poubelle00 = import ./poubelle00 { }; +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page, on +# https://search.nixos.org/options and in the NixOS manual (`nixos-help`). -# prodesk = import ./prodesk { }; -# stonkstation = import ./stonkstation { }; -# } +{ + config, + lib, + pkgs, + ... +}: -# args@{ lib, ... }: -# let -# blacklist = [ ]; -# folders = builtins.attrNames ( -# lib.filterAttrs (n: v: v == "directory" && !lib.hasPrefix "_" n && !builtins.elem n blacklist) ( -# builtins.readDir ./. -# ) -# ); -# in -# lib.genAttrs folders (folder: (import (./. + "/${folder}") (args // { }))) -{...}: {} \ No newline at end of file +{ + imports = [ + # Include the results of the hardware scan. + ./k3s.nix # K3s + ]; + + # Configure network proxy if necessary + # networking.proxy.default = "http://user:password@proxy:port/"; + # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; + + # Select internationalisation properties. + i18n.defaultLocale = "en_US.UTF-8"; + + # List services that you want to enable: + + # Open ports in the firewall. + # networking.firewall.allowedTCPPorts = [ ... ]; + # networking.firewall.allowedUDPPorts = [ ... ]; + # Or disable the firewall altogether. + networking.firewall.enable = false; +} From 45b0634516e6b6ff4fe519faa05cdbe0ab2a3c75 Mon Sep 17 00:00:00 2001 From: Antoine 'Toinux' Wam Date: Sun, 29 Dec 2024 16:48:37 +0100 Subject: [PATCH 36/74] ~ hosts/homerouters/firewall.nix: --- hosts/homerouters/firewall.nix | 32 +++++++++++++++++++++----------- 1 file changed, 21 insertions(+), 11 deletions(-) diff --git a/hosts/homerouters/firewall.nix b/hosts/homerouters/firewall.nix index fb3ca83..7e27bd9 100644 
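Review bot: The rewrite drops `system.stateVersion`, which the deleted `hosts/stonkmembers/configuration.nix` in the previous hunk pinned to `"24.05"`, whereas the parallel rewrite of `hosts/routers/default.nix` in PATCH 29 keeps its `system.stateVersion = "23.11";`. Unless each member's own default.nix sets it, the k3s hosts now evaluate with an unset stateVersion and NixOS's stateful defaults can shift on the next upgrade; add `system.stateVersion = "24.05"; # Did you read the comment?` back here, or `lib.mkDefault` it so hosts can override. `networking.firewall.enable = false;` is also carried over without a reason; a comment naming the k3s traffic it is meant to unblock, or replacing it with `networking.firewall.allowedTCPPorts` / `networking.firewall.trustedInterfaces` for the cluster interfaces, would make the exposure explicit instead of disabling host filtering entirely.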
--- a/hosts/homerouters/firewall.nix +++ b/hosts/homerouters/firewall.nix @@ -7,6 +7,7 @@ pkgs, targetConfig, birdConfig, + wgPeers, ... }: let @@ -21,13 +22,15 @@ let "2a13:79c0:ffff:fefe::/64" "2a13:79c0:ffff:feff:b00b::/80" ]; + # wgPeers = filterAttrs (n: v: v ? wireguard && v.wireguard != { }) birdConfig.peers; transitIFACEs = [ ] - ++ lib.optionals (birdConfig ? transitInterfaces) birdConfig.transitInterfaces - ++ lib.optional (birdConfig ? transitInterface) birdConfig.transitInterface; - - wgPeers = filterAttrs (n: v: v ? wireguard && v.wireguard != { }) birdConfig.peers; + ++ lib.optionals (birdConfig.transitInterfaces != [ ]) birdConfig.transitInterfaces; + kittenIFACEs = [ ]; + # ( + # (attrNames wgPeers) ++ lib.optionals (birdConfig.allowedInterfaces != []) birdConfig.allowedInterfaces + # ); inherit (lib) mkAfter @@ -39,7 +42,6 @@ let optional ; in - { config = { @@ -67,12 +69,20 @@ in let quoteString = x: ''"${x}"''; - defines = '' - define transitIFACEs = { ${concatMapStringsSep ", " quoteString transitIFACEs} } - define transitNETs = { ${concatStringsSep ", " transitedNetworks} } - - define wireguardIFACEs = { ${concatMapStringsSep ", " quoteString (attrNames wgPeers)} } - ''; + defines = lib.concatStringsSep "\n" ([ + (optionalString (transitIFACEs != [ ]) + "define transitIFACEs = { ${concatMapStringsSep ", " quoteString transitIFACEs} }" + ) + (optionalString ( + transitedNetworks != [ ] + ) "define transitNETs = { ${concatStringsSep ", " transitedNetworks} }") + (optionalString (wgPeers != { }) + "define wireguardIFACEs = { ${concatMapStringsSep ", " quoteString (attrNames wgPeers)} }" + ) + (optionalString (kittenIFACEs != [ ]) + "define kittenIFACEs = { ${concatMapStringsSep ", " quoteString kittenIFACEs} }" + ) + ]); extraForwardRules = lib.concatStringsSep "\n" ( [ From a36f5fb93fd7fa74cfe570810686e0ee9c707716 Mon Sep 17 00:00:00 2001 
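Review bot: `transitIFACEs` in the second hunk now reads `birdConfig.transitInterfaces` unconditionally (`!= [ ]` in place of the former `birdConfig ? transitInterfaces` guard), so a host whose bird config lacks that attribute fails at evaluation instead of getting an empty list; the same change is made for `transitInterfaces` and `allowedInterfaces` in `hosts/routers/firewall.nix` (PATCH 37). If `birdConfig` now comes from a typed options module with `default = [ ]` this is fine, otherwise `birdConfig.transitInterfaces or [ ]` keeps the old tolerance. In that same hunk `kittenIFACEs = [ ];` is hard-coded with the real computation left commented out, so the `define kittenIFACEs` branch added in the last hunk is dead in this file and any forward rule that references `$kittenIFACEs` must be guarded as the routers variant does; a `# TODO` on that line would say whether this is a stub or intentional. The `defines = lib.concatStringsSep "\n" ([ … ])` list is now byte-identical between this file and `hosts/routers/firewall.nix`; a shared helper taking the four lists would keep the two nftables prologues from drifting.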
From: Antoine 'Toinux' Wam Date: Sun, 29 Dec 2024 16:48:37 +0100 Subject: [PATCH 37/74] ~ hosts/routers/firewall.nix: --- hosts/routers/firewall.nix | 38 +++++++++++++++++++++++--------------- 1 file changed, 23 insertions(+), 15 deletions(-) diff --git a/hosts/routers/firewall.nix b/hosts/routers/firewall.nix index c1e5813..1aa4f9f 100644 --- a/hosts/routers/firewall.nix +++ b/hosts/routers/firewall.nix @@ -26,11 +26,12 @@ let transitIFACEs = [ ] - ++ lib.optionals (birdConfig ? transitInterfaces) birdConfig.transitInterfaces - ++ lib.optional (birdConfig ? transitInterface) birdConfig.transitInterface; + ++ lib.optionals (birdConfig.transitInterfaces != [ ]) birdConfig.transitInterfaces; + # ++ lib.optional (birdConfig ? transitInterface) birdConfig.transitInterface; kittenIFACEs = ( - (attrNames wgPeers) ++ lib.optionals (birdConfig ? allowedInterfaces) birdConfig.allowedInterfaces + (attrNames wgPeers) + ++ lib.optionals (birdConfig.allowedInterfaces != [ ]) birdConfig.allowedInterfaces ); inherit (lib) @@ -44,7 +45,6 @@ let filterAttrs ; in - { config = { 
@@ -72,17 +72,30 @@ in let quoteString = x: ''"${x}"''; - defines = '' - define transitIFACEs = { ${concatMapStringsSep ", " quoteString transitIFACEs} } - define transitNETs = { ${concatStringsSep ", " transitedNetworks} } - - define kittenIFACEs = { ${concatMapStringsSep ", " quoteString kittenIFACEs} } - ''; + defines = lib.concatStringsSep "\n" ([ + (optionalString (transitIFACEs != [ ]) + "define transitIFACEs = { ${concatMapStringsSep ", " quoteString transitIFACEs} }" + ) + (optionalString ( + transitedNetworks != [ ] + ) "define transitNETs = { ${concatStringsSep ", " transitedNetworks} }") + (optionalString (wgPeers != { }) + "define wireguardIFACEs = { ${concatMapStringsSep ", " quoteString (attrNames wgPeers)} }" + ) + (optionalString (kittenIFACEs != [ ]) + "define kittenIFACEs = { ${concatMapStringsSep ", " quoteString kittenIFACEs} }" + ) + ]); extraForwardRules = lib.concatStringsSep "\n" ( [ '' + ${optionalString (transitedNetworks != [ ] && transitIFACEs != [ ] && kittenIFACEs != [ ]) '' + # iifname $kittenIFACEs oifname $transitIFACEs counter accept + ip6 saddr $transitNETs iifname $kittenIFACEs oifname $transitIFACEs counter accept + ip6 daddr $transitNETs oifname $kittenIFACEs iifname $transitIFACEs counter accept + ''} # ip6 daddr 2a13:79c0:ff00::/48 counter accept # ip6 daddr { 2a13:79c0:ffff:feff:b00b:3945:a51:b00b, 2a13:79c0:ffff:feff:b00b:3945:a51:dead } counter accept 
@@ -90,11 +103,6 @@ in # ip6 saddr { 2a13:79c0:ffff:fefe::/64, 2a13:79c0:ffff:feff::/64 } ip6 daddr { 2a13:79c0:ffff:fefe::/64, 2a13:79c0:ffff:feff::/64 } counter accept - ${optionalString (transitedNetworks != [ ] && transitIFACEs != [ ] && kittenIFACEs != [ ]) '' - # iifname $kittenIFACEs oifname $transitIFACEs counter accept - ip6 saddr $transitNETs iifname $kittenIFACEs oifname $transitIFACEs counter accept - ip6 daddr $transitNETs oifname $kittenIFACEs iifname $transitIFACEs counter accept - ''} ${optionalString (kittenIFACEs != [ ]) '' iifname $kittenIFACEs oifname $kittenIFACEs counter accept From c21b902e9f2d07a4436c617e14bfdaa66d216414 Mon Sep 17 00:00:00 2001 From: Antoine 'Toinux' Wam Date: Sun, 29 Dec 2024 16:48:37 +0100 Subject: [PATCH 38/74] ~ hosts/routers/virtua-kit-edge/peers/KIT-VIRTUA-EDGE.legacy.nix: --- .../routers/virtua-kit-edge/peers/KIT-VIRTUA-EDGE.legacy.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hosts/routers/virtua-kit-edge/peers/KIT-VIRTUA-EDGE.legacy.nix b/hosts/routers/virtua-kit-edge/peers/KIT-VIRTUA-EDGE.legacy.nix index 46ca905..d96bb2a 100644 --- a/hosts/routers/virtua-kit-edge/peers/KIT-VIRTUA-EDGE.legacy.nix +++ b/hosts/routers/virtua-kit-edge/peers/KIT-VIRTUA-EDGE.legacy.nix @@ -38,13 +38,13 @@ in bgpMED = 6666; ipv6 = { #imports = null; - imports = x: "filter filter6_IN_BGP_${toString x}"; + bgpImports = "filter filter6_IN_BGP_%s"; #exports = [ "2a12:dd47:9330::/44" ]; #exports = null; }; ipv4 = { - imports = x: "filter filter4_IN_BGP_${toString x}"; + bgpImports = "filter filter4_IN_BGP_%s"; #exports = x: "filter6_IN_BGP_${toString x}"; }; } From e6d789126164cddc65a29d3a88fd36c1b45bd44b Mon Sep 17 00:00:00 2001 From: Antoine 'Toinux' Wam Date: Sun, 29 Dec 2024 16:48:37 +0100 Subject: [PATCH 39/74] ~ hosts/routers/virtua-kit-edge/peers/TRS-virtua6-RS01.nix: --- hosts/routers/virtua-kit-edge/peers/TRS-virtua6-RS01.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
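Review bot: `bgpImports = "filter filter6_IN_BGP_%s"` replaces a Nix function with a printf-style template, and nothing in the peer files says what the bird module substitutes for `%s` (the old code interpolated `toString x`, whose meaning was equally undocumented); a one-line comment such as `# %s is replaced with <value substituted by the bird module> when the BIRD protocol block is rendered` next to the first occurrence would stop the next editor from guessing. The same change is made to KIT-vultr-edge.nix (patch 41) and KIT-IG1-RTR.nix (patch 42). Note also that patch 43 blacklists `KIT-VIRTUA-EDGE.legacy` in the peers loader, so this file no longer takes effect; if it is kept as a template, a header comment saying so would explain why it is still maintained.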
diff --git a/hosts/routers/virtua-kit-edge/peers/TRS-virtua6-RS01.nix b/hosts/routers/virtua-kit-edge/peers/TRS-virtua6-RS01.nix index 661413c..7d3d13b 100644 --- a/hosts/routers/virtua-kit-edge/peers/TRS-virtua6-RS01.nix +++ b/hosts/routers/virtua-kit-edge/peers/TRS-virtua6-RS01.nix @@ -8,8 +8,8 @@ passwordRef = "virtua"; ipv6 = { - imports = null; - exports = [ + bgpImports = null; + bgpExports = [ "2a13:79c0:ff00::/40" # Prod /40 # "2a12:dd47:9330::/44" From cebbd5da674c7d6216ca761b6cd90707420eb193 Mon Sep 17 00:00:00 2001 From: Antoine 'Toinux' Wam Date: Sun, 29 Dec 2024 16:48:37 +0100 Subject: [PATCH 40/74] ~ hosts/routers/virtua-kit-edge/peers/TRS-virtua6-RS02.nix: --- hosts/routers/virtua-kit-edge/peers/TRS-virtua6-RS02.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hosts/routers/virtua-kit-edge/peers/TRS-virtua6-RS02.nix b/hosts/routers/virtua-kit-edge/peers/TRS-virtua6-RS02.nix index dc175e5..ecab9a7 100644 --- a/hosts/routers/virtua-kit-edge/peers/TRS-virtua6-RS02.nix +++ b/hosts/routers/virtua-kit-edge/peers/TRS-virtua6-RS02.nix @@ -8,8 +8,8 @@ passwordRef = "virtua"; ipv6 = { - imports = null; - exports = [ + bgpImports = null; + bgpExports = [ "2a13:79c0:ff00::/40" # Prod /40 "2a12:dd47:9330::/44" ]; From 94c7f222fbfb2769ec02143f71af1950f05ae816 Mon Sep 17 00:00:00 2001 From: Antoine 'Toinux' Wam Date: Sun, 29 Dec 2024 16:48:37 +0100 Subject: [PATCH 41/74] ~ hosts/routers/virtua-kit-edge/peers/KIT-vultr-edge.nix: --- hosts/routers/virtua-kit-edge/peers/KIT-vultr-edge.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hosts/routers/virtua-kit-edge/peers/KIT-vultr-edge.nix b/hosts/routers/virtua-kit-edge/peers/KIT-vultr-edge.nix index 68cf772..47bf774 100644 --- a/hosts/routers/virtua-kit-edge/peers/KIT-vultr-edge.nix +++ b/hosts/routers/virtua-kit-edge/peers/KIT-vultr-edge.nix 
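Review bot: `bgpImports = null;` on the two transit route-server sessions (this file and TRS-virtua6-RS02.nix in patch 40) carries no statement of what `null` produces in the rendered BIRD protocol — `import all`, `import none`, or a module default filter — and for an upstream session that difference is the whole inbound policy (own-prefix, bogon and max-prefix protection), while the internal-tunnel peers in this series use an explicit `filter filter6_IN_BGP_%s`. The export side is a fixed prefix list, which is the right shape; the import side deserves a comment at the point of use, e.g. `# null -> <import policy the bird module applies for null — confirm>`, or an explicit filter name. The enclosing attribute set continues beyond the hunk.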
@@ -18,13 +18,13 @@ in bgpMED = 100; ipv6 = { #imports = null; - imports = x: "filter filter6_IN_BGP_${toString x}"; + bgpImports = "filter filter6_IN_BGP_%s"; #exports = [ "2a12:dd47:9330::/44" ]; #exports = null; }; ipv4 = { - imports = x: "filter filter4_IN_BGP_${toString x}"; + bgpImports = "filter filter4_IN_BGP_%s"; #exports = x: "filter6_IN_BGP_${toString x}"; }; } From d85a730a7e09676f9cf7970245b5df67f10a9ce9 Mon Sep 17 00:00:00 2001 From: Antoine 'Toinux' Wam Date: Sun, 29 Dec 2024 16:48:37 +0100 Subject: [PATCH 42/74] ~ hosts/routers/virtua-kit-edge/peers/KIT-IG1-RTR.nix: --- hosts/routers/virtua-kit-edge/peers/KIT-IG1-RTR.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hosts/routers/virtua-kit-edge/peers/KIT-IG1-RTR.nix b/hosts/routers/virtua-kit-edge/peers/KIT-IG1-RTR.nix index 7be5a83..599f480 100644 --- a/hosts/routers/virtua-kit-edge/peers/KIT-IG1-RTR.nix +++ b/hosts/routers/virtua-kit-edge/peers/KIT-IG1-RTR.nix @@ -18,13 +18,13 @@ in bgpMED = 100; ipv6 = { #imports = null; - imports = x: "filter filter6_IN_BGP_${toString x}"; + bgpImports = "filter filter6_IN_BGP_%s"; #exports = [ "2a12:dd47:9330::/44" ]; #exports = null; }; ipv4 = { - imports = x: "filter filter4_IN_BGP_${toString x}"; + bgpImports = "filter filter4_IN_BGP_%s"; #exports = x: "filter6_IN_BGP_${toString x}"; }; } From 914da28f3ab8d67851b5abdd6b4da4a8fee502df Mon Sep 17 00:00:00 2001 From: Antoine 'Toinux' Wam Date: Sun, 29 Dec 2024 16:48:37 +0100 Subject: [PATCH 43/74] ~ hosts/routers/virtua-kit-edge/peers/default.nix: --- .../routers/virtua-kit-edge/peers/default.nix | 27 ++++++++++--------- 1 file changed, 14 insertions(+), 13 deletions(-) diff --git a/hosts/routers/virtua-kit-edge/peers/default.nix b/hosts/routers/virtua-kit-edge/peers/default.nix index a66d7be..423b2b5 100644 --- a/hosts/routers/virtua-kit-edge/peers/default.nix +++ b/hosts/routers/virtua-kit-edge/peers/default.nix 
@@ -1,16 +1,17 @@ -{ ... }: -let - defaultPeers = import ../../_peers { }; -in -defaultPeers -// { +{ kittenLib, ... }: +kittenLib.peers { + host = ./.; + profile = ../..; - # Transit - TRS_virtua6_RS01 = import ./TRS-virtua6-RS01.nix { }; - TRS_virtua6_RS02 = import ./TRS-virtua6-RS02.nix { }; + blacklist = [ "KIT-VIRTUA-EDGE.legacy" ]; + manual = { + # Transit + TRS_virtua6_RS01 = ./TRS-virtua6-RS01.nix; + TRS_virtua6_RS02 = ./TRS-virtua6-RS02.nix; - # Internal Tunnels - KIT_IG1_RTR = import ./KIT-IG1-RTR.nix { }; - vultrNix_PAR = import ./KIT-vultr-edge.nix { }; - # LGC_virtua_PAR = import ./KIT-VIRTUA-EDGE.legacy.nix { }; + # Internal Tunnels + KIT_IG1_RTR = ./KIT-IG1-RTR.nix; + vultrNix_PAR = ./KIT-vultr-edge.nix; + # LGC_virtua_PAR = ./KIT-VIRTUA-EDGE.legacy.nix; + }; } From 11432b9d3b221aad4b2195d80a3abb25be9c6b8a Mon Sep 17 00:00:00 2001 From: Antoine 'Toinux' Wam Date: Sun, 29 Dec 2024 16:48:37 +0100 Subject: [PATCH 44/74] ~ hosts/routers/iguane-kit-rtr/peers/default.nix: --- .../routers/iguane-kit-rtr/peers/default.nix | 33 +++++++++---------- 1 file changed, 15 insertions(+), 18 deletions(-) diff --git a/hosts/routers/iguane-kit-rtr/peers/default.nix b/hosts/routers/iguane-kit-rtr/peers/default.nix index abb7a48..35ee870 100644 --- a/hosts/routers/iguane-kit-rtr/peers/default.nix +++ b/hosts/routers/iguane-kit-rtr/peers/default.nix 
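Review bot: `manual` lists `./TRS-virtua6-RS01.nix`, `./TRS-virtua6-RS02.nix`, `./KIT-IG1-RTR.nix` and `./KIT-vultr-edge.nix`, all of which live in the same directory passed as `host = ./.`; if `kittenLib.peers` discovers `*.nix` files the way the readDir loader removed from toinux-home-kitrtr/peers/default.nix in patch 51 did, each of those neighbors would be instantiated twice — once under the file-derived name and once under the `manual` key — unless the loader excludes paths already named in `manual` (not visible here). Worth a comment either way, e.g. `# manual entries rename/override discovered files; any other non-blacklisted *.nix here is still loaded as a peer`, since on a router every discovered file becomes a live BGP/WireGuard neighbor and an explicit list is the safer default. The same pattern appears in iguane-kit-rtr/peers/default.nix (patch 44).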
@@ -1,21 +1,18 @@ -{ ... }: -let - profilePeers = import ../../_peers { }; -in -profilePeers -// { +{ kittenLib, ... }: +kittenLib.peers { + host = ./.; + profile = ../..; - # Transit - # TRS_virtua6_RS01 = import ./TRS-virtua6-RS01.nix { }; - # TRS_virtua6_RS02 = import ./TRS-virtua6-RS02.nix { }; + blacklist = [ ]; + manual = { + # Internal Tunnels + virtuaNix_PAR = ./KIT-VIRTUA-EDGE.nix; + vultrNix_PAR = ./KIT-VULTR-EDGE.nix; + # LGC_virtua_PAR = ./KIT-VIRTUA-EDGE.legacy.nix; - # Internal Tunnels - virtuaNix_PAR = import ./KIT-VIRTUA-EDGE.nix { }; - vultrNix_PAR = import ./KIT-VULTR-EDGE.nix { }; - # LGC_virtua_PAR = import ./KIT-VIRTUA-EDGE.legacy.nix { }; - - aureG8 = import ./KIT-aurelien-RBR.nix { }; - toinuxMEL1 = import ./KIT-toinux-MEL1.nix { }; - roumainNTE = import ./KIT-roumain-NTE.nix { }; - roumaiNixNTE = import ./KIT-roumainNix-NTE.nix { }; + aureG8 = ./KIT-aurelien-RBR.nix; + toinuxMEL1 = ./KIT-toinux-MEL1.nix; + roumainNTE = ./KIT-roumain-NTE.nix; + roumaiNixNTE = ./KIT-roumainNix-NTE.nix; + }; } From ef23d56747ac9dd6dc035c6355fa57ab447ad169 Mon Sep 17 00:00:00 2001 From: Antoine 'Toinux' Wam Date: Sun, 29 Dec 2024 16:48:37 +0100 Subject: [PATCH 45/74] - hosts/homerouters/configuration.nix: --- hosts/homerouters/configuration.nix | 61 ----------------------------- 1 file changed, 61 deletions(-) delete mode 100644 hosts/homerouters/configuration.nix diff --git a/hosts/homerouters/configuration.nix b/hosts/homerouters/configuration.nix deleted file mode 100644 index e361949..0000000 --- a/hosts/homerouters/configuration.nix +++ /dev/null 
@@ -1,61 +0,0 @@ -# Edit this configuration file to define what should be installed on -# your system. Help is available in the configuration.nix(5) man page, on -# https://search.nixos.org/options and in the NixOS manual (`nixos-help`). - -{ - config, - lib, - pkgs, - ... -}: - -{ - imports = [ - # Include the results of the hardware scan. - ./bird.nix # Bird Routing - ./wireguard.nix - ./firewall.nix - ]; - - customModules = { - loopback0 = { - enable = true; - }; - }; - - # Configure network proxy if necessary - # networking.proxy.default = "http://user:password@proxy:port/"; - # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; - - # Select internationalisation properties. - i18n.defaultLocale = "en_US.UTF-8"; - - # Net Basics - networking.useNetworkd = true; - systemd.network.enable = true; - systemd.network.wait-online.enable = false; - - # List services that you want to enable: - services.bird2 = { - enable = true; - autoReload = true; - }; - - # This option defines the first version of NixOS you have installed on this particular machine, - # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. - # - # Most users should NEVER change this value after the initial install, for any reason, - # even if you've upgraded your system to a new NixOS release. - # - # This value does NOT affect the Nixpkgs version your packages and OS are pulled from, - # so changing it will NOT upgrade your system. - # - # This value being lower than the current NixOS release does NOT mean your system is - # out of date, out of support, or vulnerable. - # - # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration, - # and migrated your data accordingly. - # - # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion . - system.stateVersion = "23.11"; # Did you read the comment? -} 
From d54a6e360300d6381d4be96e5fd0b7b204e899ba Mon Sep 17 00:00:00 2001 From: Antoine 'Toinux' Wam Date: Sun, 29 Dec 2024 16:48:37 +0100 Subject: [PATCH 46/74] ~ hosts/homerouters/_peers/default.nix: --- hosts/homerouters/_peers/default.nix | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/hosts/homerouters/_peers/default.nix b/hosts/homerouters/_peers/default.nix index 6b7d84e..30562ad 100644 --- a/hosts/homerouters/_peers/default.nix +++ b/hosts/homerouters/_peers/default.nix @@ -1,5 +1,8 @@ { ... }: +let + globalPeers = import ../../_peers {}; +in { # Internal RR - IG1_RR91 = import ./KIT-IG1-RR91.nix { }; + inherit (globalPeers) IG1_RR91; } From 76dc26f045b48d0467b9c853818392b76f4899be Mon Sep 17 00:00:00 2001 From: Antoine 'Toinux' Wam Date: Sun, 29 Dec 2024 16:48:37 +0100 Subject: [PATCH 47/74] - hosts/homerouters/romain-home-kitrtr/configuration.nix: --- .../romain-home-kitrtr/configuration.nix | 120 ------------------ 1 file changed, 120 deletions(-) delete mode 100644 hosts/homerouters/romain-home-kitrtr/configuration.nix diff --git a/hosts/homerouters/romain-home-kitrtr/configuration.nix b/hosts/homerouters/romain-home-kitrtr/configuration.nix deleted file mode 100644 index 854a80c..0000000 --- a/hosts/homerouters/romain-home-kitrtr/configuration.nix +++ /dev/null 
@@ -1,120 +0,0 @@ -# Edit this configuration file to define what should be installed on -# your system. Help is available in the configuration.nix(5) man page, on -# https://search.nixos.org/options and in the NixOS manual (`nixos-help`). - -{ - config, - targetConfig, - lib, - pkgs, - ... -}: -let - iface = if targetConfig ? interface then targetConfig.interface else null; - kittenIFACE = "ens19"; -in -{ - services.xserver.xkb = { - layout = "fr"; - #variant = ""; - }; - - #imports = [ ./wireguard.nix ]; - # Bootloader. - #boot.loader.systemd-boot.enable = true; - #boot.loader.systemd-boot.configurationLimit = 5; - #boot.loader.efi.canTouchEfiVariables = true; - boot.loader.grub.efiSupport = false; - boot.loader.grub.enable = true; - # boot.loader.grub.efiInstallAsRemovable = true; - # boot.loader.efi.efiSysMountPoint = "/boot/efi"; - # Define on which hard drive you want to install Grub. - #boot.loader.grub.devices = [ "${targetConfig.bootdisk}" ]; # or "nodev" for efi only - - customModules = { - loopback0 = { - enable = true; - ipv6 = [ "2a13:79c0:ffff:fefe::2:256" ]; - }; - }; - - # Pick only one of the below networking options. - # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. - # networking.networkmanager.enable = true; # Easiest to use and most distros use this by default. 
- networking = { - #nameservers = [ "1.3.3.7" ]; - vlans = { - vlan36 = { - id = 36; - interface = "${kittenIFACE}"; - }; - # vlan91 = { - # id = 91; - # interface = "${kittenIFACE}"; - # }; - }; - interfaces = { - "${iface}".useDHCP = true; - - vlan36 = { - - # ipv4.addresses = [ - # { - # address = "185.10.17.209"; - # prefixLength = 24; - # } - # ]; - - ipv6.addresses = [ - { - address = "2a13:79c0:ffff:feff:b00b:3615:1:6969"; - prefixLength = 112; - } - ]; - }; - }; - - # defaultGateway = { - # address = "185.10.17.254"; - # metric = 42; - # interface = iface; - # }; - - # defaultGateway6 = { - # address = "fe80::1"; - # metric = 42; - # interface = iface; - # }; - - useDHCP = false; - #dhcpcd.enable = false; - }; - - systemd.network.enable = true; - - # Set your time zone. - time.timeZone = "Europe/Paris"; - - nixpkgs.config.allowUnfree = true; - # Configure network proxy if necessary - # networking.proxy.default = "http://user:password@proxy:port/"; - # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; - - # This option defines the first version of NixOS you have installed on this particular machine, - # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. - # - # Most users should NEVER change this value after the initial install, for any reason, - # even if you've upgraded your system to a new NixOS release. - # - # This value does NOT affect the Nixpkgs version your packages and OS are pulled from, - # so changing it will NOT upgrade your system. - # - # This value being lower than the current NixOS release does NOT mean your system is - # out of date, out of support, or vulnerable. - # - # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration, - # and migrated your data accordingly. - # - # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion . 
- system.stateVersion = lib.mkForce "24.05"; # Did you read the comment? -} From c68d3ca1a762d3ed0ab5ddc965a2b88b8e4665e4 Mon Sep 17 00:00:00 2001 From: Antoine 'Toinux' Wam Date: Sun, 29 Dec 2024 16:48:37 +0100 Subject: [PATCH 48/74] ~ hosts/homerouters/romain-home-kitrtr/peers/default.nix: --- .../romain-home-kitrtr/peers/default.nix | 27 +++++-------------- 1 file changed, 6 insertions(+), 21 deletions(-) diff --git a/hosts/homerouters/romain-home-kitrtr/peers/default.nix b/hosts/homerouters/romain-home-kitrtr/peers/default.nix index a13cde2..d422fcd 100644 --- a/hosts/homerouters/romain-home-kitrtr/peers/default.nix +++ b/hosts/homerouters/romain-home-kitrtr/peers/default.nix @@ -1,23 +1,8 @@ -x@{ ... }: -let - args = x // { +{ kittenLib, ... }: +kittenLib.peers { + host = ./.; + profile = ../..; - }; - defaultPeers = import ../../_peers args; -in -defaultPeers -// { - - # Transit - # TRS_virtua6_RS01 = import ./TRS-virtua6-RS01.nix { }; - # TRS_virtua6_RS02 = import ./TRS-virtua6-RS02.nix { }; - - # # Internal Tunnels - KIT_IG1_RTR = import ./KIT-IG1-RTR.nix args; - # virtuaNix_PAR = import ./KIT-VIRTUA-EDGE.nix { }; - # vultrNix_PAR = import ./KIT-VULTR-EDGE.nix { }; - # # LGC_virtua_PAR = import ./KIT-VIRTUA-EDGE.legacy.nix { }; - - # toinuxMEL1 = import ./KIT-toinux-MEL1.nix { }; - # roumainNTE = import ./KIT-roumain-NTE.nix { }; + blacklist = [ ]; + manual = { }; } From 52e2540144fa1a9d0d1a1eceb3cbc4ae5abf558b Mon Sep 17 00:00:00 2001 From: Antoine 'Toinux' Wam Date: Sun, 29 Dec 2024 16:48:37 +0100 Subject: [PATCH 49/74] ~ hosts/default.nix: --- hosts/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/default.nix b/hosts/default.nix index 8129167..f3a257d 100644 --- a/hosts/default.nix +++ b/hosts/default.nix @@ -1,7 +1,7 @@ { lib, ... }: let blacklist = [ - + "stonkmembers" ]; filterFunc = ( From 3f42e2d20ed162a4de79f35683134775155097c1 Mon Sep 17 00:00:00 2001 
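Review bot: With `manual = { }`, the `KIT_IG1_RTR` peer that this file previously imported explicitly (and passed `args` to) now exists only if the loader discovers `KIT-IG1-RTR.nix` from `host = ./.`, and then under whatever attribute name the loader derives from the filename rather than `KIT_IG1_RTR`; anything keyed on the old name, and any use of the forwarded `args` inside KIT-IG1-RTR.nix, should be checked. If that is intended, a one-line comment in `manual` such as `# KIT-IG1-RTR.nix is picked up by discovery; nothing needs listing here` records it.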
From: Antoine 'Toinux' Wam Date: Sun, 29 Dec 2024 16:48:37 +0100 Subject: [PATCH 50/74] - hosts/homerouters/toinux-home-kitrtr/configuration.nix: --- .../toinux-home-kitrtr/configuration.nix | 98 ------------------- 1 file changed, 98 deletions(-) delete mode 100644 hosts/homerouters/toinux-home-kitrtr/configuration.nix diff --git a/hosts/homerouters/toinux-home-kitrtr/configuration.nix b/hosts/homerouters/toinux-home-kitrtr/configuration.nix deleted file mode 100644 index 3de8a5f..0000000 --- a/hosts/homerouters/toinux-home-kitrtr/configuration.nix +++ /dev/null 
@@ -1,98 +0,0 @@ -# Edit this configuration file to define what should be installed on -# your system. Help is available in the configuration.nix(5) man page, on -# https://search.nixos.org/options and in the NixOS manual (`nixos-help`). - -{ - config, - targetConfig, - lib, - pkgs, - ... -}: -let - iface = if targetConfig ? interface then targetConfig.interface else null; -in -# kittenIFACE = "ens19"; -{ - #imports = [ ./wireguard.nix ]; - # Bootloader. - #boot.loader.systemd-boot.enable = true; - #boot.loader.systemd-boot.configurationLimit = 5; - #boot.loader.efi.canTouchEfiVariables = true; - boot.loader.grub.efiSupport = false; - boot.loader.grub.enable = true; - # boot.loader.grub.efiInstallAsRemovable = true; - # boot.loader.efi.efiSysMountPoint = "/boot/efi"; - # Define on which hard drive you want to install Grub. - #boot.loader.grub.devices = [ "${targetConfig.bootdisk}" ]; # or "nodev" for efi only - - # Pick only one of the below networking options. - # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. - # networking.networkmanager.enable = true; # Easiest to use and most distros use this by default. - networking = { - #nameservers = [ "1.3.3.7" ]; - interfaces = { - "${iface}".useDHCP = true; - - # "${kittenIFACE}" = { - - # # ipv4.addresses = [ - # # { - # # address = "185.10.17.209"; - # # prefixLength = 24; - # # } - # # ]; - - # ipv6.addresses = [ - # { - # address = "2a13:79c0:ffff:feff:b00b:3965:113:25"; - # prefixLength = 112; - # } - # ]; - # }; - }; - - # defaultGateway = { - # address = "185.10.17.254"; - # metric = 42; - # interface = iface; - # }; - - # defaultGateway6 = { - # address = "fe80::1"; - # metric = 42; - # interface = iface; - # }; - - useDHCP = false; - #dhcpcd.enable = false; - }; - - systemd.network.enable = true; - - # Set your time zone. 
- time.timeZone = "Europe/Paris"; - - nixpkgs.config.allowUnfree = true; - # Configure network proxy if necessary - # networking.proxy.default = "http://user:password@proxy:port/"; - # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; - - # This option defines the first version of NixOS you have installed on this particular machine, - # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. - # - # Most users should NEVER change this value after the initial install, for any reason, - # even if you've upgraded your system to a new NixOS release. - # - # This value does NOT affect the Nixpkgs version your packages and OS are pulled from, - # so changing it will NOT upgrade your system. - # - # This value being lower than the current NixOS release does NOT mean your system is - # out of date, out of support, or vulnerable. - # - # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration, - # and migrated your data accordingly. - # - # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion . - system.stateVersion = "23.11"; # Did you read the comment? -} From bf9585fe7d2af3c35b75a5811055ce02100552fd Mon Sep 17 00:00:00 2001 From: Antoine 'Toinux' Wam Date: Sun, 29 Dec 2024 16:48:37 +0100 Subject: [PATCH 51/74] ~ hosts/homerouters/toinux-home-kitrtr/peers/default.nix: --- .../toinux-home-kitrtr/peers/default.nix | 37 +++---------------- 1 file changed, 6 insertions(+), 31 deletions(-) diff --git a/hosts/homerouters/toinux-home-kitrtr/peers/default.nix b/hosts/homerouters/toinux-home-kitrtr/peers/default.nix index fc14f7e..d422fcd 100644 --- a/hosts/homerouters/toinux-home-kitrtr/peers/default.nix +++ b/hosts/homerouters/toinux-home-kitrtr/peers/default.nix 
@@ -1,33 +1,8 @@ -# // { +{ kittenLib, ... }: +kittenLib.peers { + host = ./.; + profile = ../..; -# # Transit -# # TRS_virtua6_RS01 = import ./TRS-virtua6-RS01.nix { }; -# # TRS_virtua6_RS02 = import ./TRS-virtua6-RS02.nix { }; - -# # # Internal Tunnels -# # virtuaNix_PAR = import ./KIT-VIRTUA-EDGE.nix { }; -# # vultrNix_PAR = import ./KIT-VULTR-EDGE.nix { }; -# # # LGC_virtua_PAR = import ./KIT-VIRTUA-EDGE.legacy.nix { }; - -# # aureG8 = import ./KIT-aurelien-RBR.nix { }; -# # toinuxMEL1 = import ./KIT-toinux-MEL1.nix { }; -# # roumainNTE = import ./KIT-roumain-NTE.nix { }; -# } -args@{ lib, ... }: -let blacklist = [ ]; - - defaultPeers = import ../../_peers { }; - - peers = builtins.attrNames ( - lib.filterAttrs ( - n: v: - n != "default.nix" - && lib.hasSuffix ".nix" n - && !lib.hasPrefix "_" n - && !lib.hasPrefix "." n - && !builtins.elem (lib.removeSuffix ".nix" n) blacklist - ) (builtins.readDir ./.) - ); -in -defaultPeers // (lib.genAttrs peers (peer: (import (./. + "/${peer}") (args // { })))) + manual = { }; +} From dd6c68c19f09ae1384980d198d702fbe20c9a75f Mon Sep 17 00:00:00 2001 From: Antoine 'Toinux' Wam Date: Sun, 29 Dec 2024 16:48:37 +0100 Subject: [PATCH 52/74] - hosts/miscservers/configuration.nix: --- hosts/miscservers/configuration.nix | 51 ----------------------------- hosts/miscservers/default.nix | 40 +++++++++++++++------- 2 files changed, 28 insertions(+), 63 deletions(-) delete mode 100644 hosts/miscservers/configuration.nix diff --git a/hosts/miscservers/configuration.nix b/hosts/miscservers/configuration.nix deleted file mode 100644 index f880dea..0000000 --- a/hosts/miscservers/configuration.nix +++ /dev/null 
@@ -1,51 +0,0 @@ -# Edit this configuration file to define what should be installed on -# your system. Help is available in the configuration.nix(5) man page, on -# https://search.nixos.org/options and in the NixOS manual (`nixos-help`). - -{ - config, - lib, - pkgs, - ... -}: - -{ - imports = [ - # Include the results of the hardware scan. - ./options.nix # Options defined for this module - - ./firewall.nix - ]; - - # Configure network proxy if necessary - # networking.proxy.default = "http://user:password@proxy:port/"; - # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; - - # Select internationalisation properties. - i18n.defaultLocale = "en_US.UTF-8"; - - # Net Basics - networking.useNetworkd = true; - systemd.network.enable = true; - systemd.network.wait-online.enable = false; - - environment.systemPackages = with pkgs; [ ]; - - # This option defines the first version of NixOS you have installed on this particular machine, - # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. - # - # Most users should NEVER change this value after the initial install, for any reason, - # even if you've upgraded your system to a new NixOS release. - # - # This value does NOT affect the Nixpkgs version your packages and OS are pulled from, - # so changing it will NOT upgrade your system. - # - # This value being lower than the current NixOS release does NOT mean your system is - # out of date, out of support, or vulnerable. - # - # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration, - # and migrated your data accordingly. - # - # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion . - system.stateVersion = "23.11"; # Did you read the comment? -} diff --git a/hosts/miscservers/default.nix b/hosts/miscservers/default.nix index 5f58569..ecffc3a 100644 
--- a/hosts/miscservers/default.nix +++ b/hosts/miscservers/default.nix @@ -1,12 +1,28 @@ -# args@{ lib, ... }: -# let -# blacklist = [ ]; - -# folders = builtins.attrNames ( -# lib.filterAttrs (n: v: v == "directory" && !lib.hasPrefix "_" n && !builtins.elem n blacklist) ( -# builtins.readDir ./. -# ) -# ); -# in -# lib.genAttrs folders (folder: (import (./. + "/${folder}") (args // { }))) -{...}: {} \ No newline at end of file +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page, on +# https://search.nixos.org/options and in the NixOS manual (`nixos-help`). + +{ + config, + lib, + pkgs, + ... +}: + +{ + imports = [ ]; + + # Configure network proxy if necessary + # networking.proxy.default = "http://user:password@proxy:port/"; + # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; + + # Select internationalisation properties. + i18n.defaultLocale = "en_US.UTF-8"; + + # Net Basics + networking.useNetworkd = true; + systemd.network.enable = true; + systemd.network.wait-online.enable = false; + + # environment.systemPackages = with pkgs; [ ]; +} From 98ffcdfb657a76a78384d45a6093a7e8ac248560 Mon Sep 17 00:00:00 2001 From: Antoine 'Toinux' Wam Date: Sun, 29 Dec 2024 16:48:37 +0100 Subject: [PATCH 53/74] ~ hosts/routers/virtua-kit-edge/default.nix: --- hosts/routers/virtua-kit-edge/default.nix | 143 ++++++++++++++++++---- 1 file changed, 119 insertions(+), 24 deletions(-) diff --git a/hosts/routers/virtua-kit-edge/default.nix b/hosts/routers/virtua-kit-edge/default.nix index bf225d8..9592646 100644 --- a/hosts/routers/virtua-kit-edge/default.nix +++ b/hosts/routers/virtua-kit-edge/default.nix 
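Review bot: The rewritten profile has `imports = [ ];`, whereas the configuration.nix deleted in the same commit imported `./options.nix` and `./firewall.nix`, so every host built on the miscservers profile silently loses the profile-level firewall rules and the options module; nothing in this commit re-attaches them. Unless a later change in the series wires them in, this should read `imports = [ ./options.nix ./firewall.nix ];` (or, if the firewall now comes from `kittenModules.firewall`, a comment saying so). The profile-level `system.stateVersion` was also dropped, which is fine only if each host sets its own.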
@@ -1,29 +1,124 @@ -{ ... }: +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page, on +# https://search.nixos.org/options and in the NixOS manual (`nixos-help`). + +args@{ + config, + kittenLib, + lib, + pkgs, + ... +}: let - IFACE = "ens18"; + diskoProfile = "simple"; + diskoConfig = { + bootdisk = "/dev/sda"; + swapSize = 1024; + }; + + peers = import ./peers args; + + wgPeers = ( + lib.mapAttrs (n: v: v.wireguard) (lib.filterAttrs (n: v: v ? wireguard && v.wireguard != { }) peers) + ); + + birdPeers = (lib.mapAttrs (n: v: builtins.removeAttrs v [ "wireguard" ]) peers); in { - type = "targetConfig"; - - bootdisk = "/dev/sda"; - diskTemplate = "simple_singleFullRoot"; - swap = true; - - interface = IFACE; - # mainSerial = 0; - birdConfig = { - transitInterface = IFACE; - # router-id = ; - - # loopback4 = ""; - loopback6 = "2a13:79c0:ffff:fefe::12:10"; - - static6 = [ - # ''2a0d:e680:0::b:1/128 via "enp1s0"'' # Vultr bgp neighbor - "2a13:79c0:ffff:fefe::b00b/128 unreachable" - #"2a13:79c0:ffff::/48 unreachable" # Networking stuff - #"2a13:79c0:ffff:fefe::/64 unreachable" # LoopBacks - "2a13:79c0:ff00::/40 unreachable" # full range /40 - ]; + imports = [ + ./hardware-configuration.nix + ./network-configuration.nix + + ../../../modules/system/kitten/connect/bird2/snippets/kittenCores.nix + ]; + + deployment = { + # Disable SSH deployment. This node will be skipped in a + # normal`colmena apply`. + targetUser = "root"; + targetHost = null; # TODO: implement }; + + # Bootloader. 
+ boot.loader.grub.efiSupport = false; + boot.loader.grub.enable = true; + + kittenModules = { + disko = { + enable = true; + profile = diskoProfile; + + ${diskoProfile} = diskoConfig; + }; + + # loopback0 = { + # enable = true; + # ipv6 = [ "2a13:79c0:ffff:fefe::12:10" ]; + # }; + + bird = { + enable = true; + + loopback6 = "2a13:79c0:ffff:fefe::12:10"; + + static6 = [ + # "::/0 recursive 2a13:79c0:ffff:fefe::b00b" + # ''2a0d:e680:0::b:1/128 via "enp1s0"'' # Vultr bgp neighbor + "2a13:79c0:ffff:fefe::b00b/128 unreachable" + #"2a13:79c0:ffff::/48 unreachable" # Networking stuff + #"2a13:79c0:ffff:fefe::/64 unreachable" # LoopBacks + "2a13:79c0:ff00::/40 unreachable" # full range /40 + ]; + + peers = birdPeers; + }; + + wireguard = { + enable = true; + # defaultIFACE = "ens18"; + peers = wgPeers; + }; + + firewall = { + forward = { + enable = true; + keepInvalidState = true; + # rules = '' + # # iifname "''${kittenIFACE}" ip6 saddr 2a13:79c0:ffff:feff:b00b:caca:b173:0/112 oifname $wireguardIFACEs counter accept + # iifname $wireguardIFACEs ip6 daddr 2a13:79c0:ffff:fefe::113:91 tcp dport { 179, 1790 } counter accept + # oifname bootstrap ip6 daddr 2a13:79c0:ffff:feff:b00b:3965:222:0/112 counter accept + + # ip6 saddr 2a01:cb08:bbb:3700::/64 oifname ens19 counter accept + + # iifname ens19 oifname $wireguardIFACEs counter accept + # ''; + }; + }; + }; + + # Set your time zone. + time.timeZone = "Europe/Paris"; + + nixpkgs.config.allowUnfree = true; + # Configure network proxy if necessary + # networking.proxy.default = "http://user:password@proxy:port/"; + # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; + + # This option defines the first version of NixOS you have installed on this particular machine, + # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. 
+ # + # Most users should NEVER change this value after the initial install, for any reason, + # even if you've upgraded your system to a new NixOS release. + # + # This value does NOT affect the Nixpkgs version your packages and OS are pulled from, + # so changing it will NOT upgrade your system. + # + # This value being lower than the current NixOS release does NOT mean your system is + # out of date, out of support, or vulnerable. + # + # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration, + # and migrated your data accordingly. + # + # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion . + system.stateVersion = "23.11"; # Did you read the comment? } From 306d124e91bdc3bfce205c582d5a5225ec7c51f7 Mon Sep 17 00:00:00 2001 From: Antoine 'Toinux' Wam Date: Sun, 29 Dec 2024 16:48:37 +0100 Subject: [PATCH 54/74] + hosts/routers/virtua-kit-edge/network-configuration.nix: --- .../virtua-kit-edge/network-configuration.nix | 45 +++++++++++++++++++ 1 file changed, 45 insertions(+) create mode 100644 hosts/routers/virtua-kit-edge/network-configuration.nix diff --git a/hosts/routers/virtua-kit-edge/network-configuration.nix b/hosts/routers/virtua-kit-edge/network-configuration.nix new file mode 100644 index 0000000..6de2848 --- /dev/null +++ b/hosts/routers/virtua-kit-edge/network-configuration.nix 
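Review bot: `firewall.forward.keepInvalidState = true;` has no comment explaining why conntrack-invalid packets are allowed through the forward path on this edge router; the usual reason is asymmetric transit flows, but the stated intent matters because this is the one setting in the file that relaxes the default drop. Suggest `# keepInvalidState: transit traffic is routed asymmetrically, so ct state invalid must not be dropped in forward — TODO confirm` (or the real reason). The `# loopback0` block and the `# defaultIFACE = "ens18"` line are commented-out leftovers that could be removed now that network-configuration.nix (patch 54) owns the interface name.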
@@ -0,0 +1,45 @@ +{ ... }: +let + iface = "ens18"; + # kittenIFACE = "ens19"; +in +{ + kittenModules = { + bird.transitInterfaces = [ iface ]; + }; + + networking = { + #nameservers = [ "1.3.3.7" ]; + interfaces = { + "${iface}" = { + ipv4.addresses = [ + { + address = "185.10.17.209"; + prefixLength = 24; + } + ]; + + ipv6.addresses = [ + { + address = "2a07:8dc0:19:1cf::1"; + prefixLength = 128; + } + ]; + }; + }; + defaultGateway = { + address = "185.10.17.254"; + metric = 42; + interface = iface; + }; + defaultGateway6 = { + address = "fe80::1"; + metric = 42; + interface = iface; + }; + useDHCP = false; + #dhcpcd.enable = false; + }; + + systemd.network.enable = true; +} From dabbcdc7c460bd00be471930216e139ae054973b Mon Sep 17 00:00:00 2001 From: Antoine 'Toinux' Wam Date: Sun, 29 Dec 2024 16:48:37 +0100 Subject: [PATCH 55/74] - hosts/routers/virtua-kit-edge/configuration.nix: --- .../routers/virtua-kit-edge/configuration.nix | 91 ------------------- 1 file changed, 91 deletions(-) delete mode 100644 hosts/routers/virtua-kit-edge/configuration.nix diff --git a/hosts/routers/virtua-kit-edge/configuration.nix b/hosts/routers/virtua-kit-edge/configuration.nix deleted file mode 100644 index 8afb1c0..0000000 --- a/hosts/routers/virtua-kit-edge/configuration.nix +++ /dev/null 
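Review bot: `kittenModules.bird.transitInterfaces = [ iface ];` does more than tell BIRD where to peer: hosts/routers/firewall.nix (patch 37) derives its `$transitIFACEs` set from `birdConfig.transitInterfaces` and accepts forwarding between those interfaces and `$kittenIFACEs` for `$transitNETs`, so listing `ens18` here is a forward-policy decision too (assuming `birdConfig` there is bound to `kittenModules.bird`). A comment on that line, `# ens18 is the upstream side; firewall.nix also builds its transit forward-accept set from this list`, would keep the two in step. The `# kittenIFACE = "ens19"` leftover in the `let` could be dropped.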
@@ -1,91 +0,0 @@
-# Edit this configuration file to define what should be installed on
-# your system. Help is available in the configuration.nix(5) man page, on
-# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
-
-{
- config,
- targetConfig,
- lib,
- pkgs,
- ...
-}:
-let
- iface = if targetConfig ? interface then targetConfig.interface else null;
-in
-{
- #imports = [ ./wireguard.nix ];
- # Bootloader.
- #boot.loader.systemd-boot.enable = true;
- #boot.loader.systemd-boot.configurationLimit = 5;
- #boot.loader.efi.canTouchEfiVariables = true;
- boot.loader.grub.efiSupport = false;
- boot.loader.grub.enable = true;
- # boot.loader.grub.efiInstallAsRemovable = true;
- # boot.loader.efi.efiSysMountPoint = "/boot/efi";
- # Define on which hard drive you want to install Grub.
- #boot.loader.grub.devices = [ "${targetConfig.bootdisk}" ]; # or "nodev" for efi only
-
- # Pick only one of the below networking options.
- # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
- # networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
- networking = {
- #nameservers = [ "1.3.3.7" ];
- interfaces = {
- "${iface}" = {
- ipv4.addresses = [
- {
- address = "185.10.17.209";
- prefixLength = 24;
- }
- ];
-
- ipv6.addresses = [
- {
- address = "2a07:8dc0:19:1cf::1";
- prefixLength = 128;
- }
- ];
- };
- };
- defaultGateway = {
- address = "185.10.17.254";
- metric = 42;
- interface = iface;
- };
- defaultGateway6 = {
- address = "fe80::1";
- metric = 42;
- interface = iface;
- };
- useDHCP = false;
- #dhcpcd.enable = false;
- };
-
- systemd.network.enable = true;
-
- # Set your time zone.
- time.timeZone = "Europe/Paris";
-
- nixpkgs.config.allowUnfree = true;
- # Configure network proxy if necessary
- # networking.proxy.default = "http://user:password@proxy:port/";
- # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
-
- # This option defines the first version of NixOS you have installed on this particular machine,
- # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
- #
- # Most users should NEVER change this value after the initial install, for any reason,
- # even if you've upgraded your system to a new NixOS release.
- #
- # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
- # so changing it will NOT upgrade your system.
- #
- # This value being lower than the current NixOS release does NOT mean your system is
- # out of date, out of support, or vulnerable.
- #
- # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
- # and migrated your data accordingly.
- #
- # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
- system.stateVersion = "23.11"; # Did you read the comment?
-}
From e653fd630c495d24ee6a6d7d11856ab098b1f27f Mon Sep 17 00:00:00 2001
From: Antoine 'Toinux' Wam
Date: Sun, 29 Dec 2024 17:39:09 +0100
Subject: [PATCH 56/74] hosts/routers
---
 hosts/routers/default.nix | 18 ----
 hosts/routers/wireguard.nix | 181 ------------------------------------
 2 files changed, 199 deletions(-)
 delete mode 100644 hosts/routers/wireguard.nix
diff --git a/hosts/routers/default.nix b/hosts/routers/default.nix
index f2379af..b9715a3 100644
--- a/hosts/routers/default.nix
+++ b/hosts/routers/default.nix
@@ -34,22 +34,4 @@
 enable = true;
 autoReload = true;
 };
-
- # This option defines the first version of NixOS you have installed on this particular machine,
- # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
- #
- # Most users should NEVER change this value after the initial install, for any reason,
- # even if you've upgraded your system to a new NixOS release.
- #
- # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
- # so changing it will NOT upgrade your system.
- #
- # This value being lower than the current NixOS release does NOT mean your system is
- # out of date, out of support, or vulnerable.
- #
- # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
- # and migrated your data accordingly.
- #
- # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
- system.stateVersion = "23.11"; # Did you read the comment?
 }
diff --git a/hosts/routers/wireguard.nix b/hosts/routers/wireguard.nix
deleted file mode 100644
index a3db24c..0000000
--- a/hosts/routers/wireguard.nix
+++ /dev/null
@@ -1,181 +0,0 @@
-{
- lib,
- pkgs,
- config,
-
- target,
- targetConfig,
- birdConfig,
- ...
-}:
-let
-
- # Imports Functions
- inherit (lib.attrsets)
- filterAttrs
- mapAttrs
- mapAttrsToList
- genAttrs
- zipAttrs
- optionalAttrs
- ;
-
- inherit (lib.asserts) assertMsg;
-
- inherit (lib.strings) hasPrefix optionalString concatMapStringsSep;
-
- inherit (builtins) attrNames;
-
- # Variables / Functions
-
- IFACE = if targetConfig ? interface then targetConfig.interface else null;
-
- peers = filterAttrs (n: v: v ? wireguard && v.wireguard != { }) birdConfig.peers;
-
- hasPort = (n: v: v.wireguard ? port);
- hasIface = (n: v: v.wireguard ? onIFACE);
-
- peersWithPort = filterAttrs hasPort peers;
-
- peersWithoutIFACE = filterAttrs (n: v: (!hasIface n v)) peersWithPort;
- peersWithIFACE = filterAttrs hasIface peersWithPort;
-
- portsWithoutIFACE = mapAttrsToList (n: v: v.wireguard.port) peersWithoutIFACE;
- portsWithIFACE = zipAttrs (
- mapAttrsToList (n: v: { ${v.wireguard.onIFACE} = v.wireguard.port; }) peersWithIFACE
- );
-
- mkFWConf = ports: { allowedUDPPorts = ports; };
-
- genFWMarkStr = (
- mark:
- {
- "string" =
- assert assertMsg (hasPrefix "0x" mark) "fwMark is string but does not start with 0x is it an int ?";
- mark;
-
- "int" = toString mark;
-
- "null" = null;
- }
- .${builtins.typeOf mark}
-
- );
-
- mkWireguardConf =
- name:
- let
- peer = peers.${name};
-
- fwMarkString = (
- let
- mark =
- if peer.wireguard ? fwMark then
- peer.wireguard.fwMark
-
- else if (peer.wireguard ? onIFACE && peer.wireguard.onIFACE != null) then
- peer.wireguard.port
-
- else
- null;
- in
- genFWMarkStr mark
-
- );
- in
- {
- table = "off";
- # Determines the IP/IPv6 address and subnet of the client's end of the tunnel interface
- address = [ "${peer.wireguard.address}/127" ];
- # The port that WireGuard listens to - recommended that this be changed from default
- listenPort = lib.mkIf (peer.wireguard ? port) peer.wireguard.port;
-
- postUp = ''
- set - x
-
- ${optionalString (fwMarkString != null) ''wg set ${name} fwmark ${fwMarkString}''}
- ${optionalString (peer.wireguard ? onIFACE && peer.wireguard.onIFACE != null) ''
- echo "TABLE=${fwMarkString}"
- for v in 4 6; do
- echo "[#] IPv$v"
- ip -$v route add unreachable default metric 4294967295 table ${fwMarkString} || true
- ip -$v route add default $(ip -$v route show default dev ${peer.wireguard.onIFACE} | grep -oE 'via [^ ]+') dev ${peer.wireguard.onIFACE} metric 42 table ${fwMarkString} || true
- ip -$v rule add fwmark ${fwMarkString} lookup main suppress_prefixlength 0
- ip -$v rule add fwmark ${fwMarkString} lookup ${fwMarkString}
- done
- ''}
- '';
-
- postDown = ''
- set -x
-
- ${optionalString (peer.wireguard ? onIFACE && peer.wireguard.onIFACE != null) ''
- echo "TABLE=${fwMarkString}"
- for v in 4 6; do
- echo "[#] IPv$v"
- # ip -$v route del unreachable default metric 4294967295 table ${fwMarkString} || true
- ip -$v route del default metric 42 table ${fwMarkString} || true
- while ip -$v rule del fwmark ${fwMarkString} lookup main suppress_prefixlength 0; do echo -n .; sleep 0.1; done
- while ip -$v rule del fwmark ${fwMarkString} lookup ${fwMarkString}; do echo -n .; sleep 0.1; done
- done
- ''}
- '';
-
- # Path to the server's private key
- privateKeyFile = config.sops.secrets.wireguard_serverkey.path;
-
- peers = [
- {
- publicKey = peer.wireguard.peerKey;
- #presharedKeyFile = "/root/wireguard-keys/preshared_from_peer0_key";
- persistentKeepalive = 10;
- endpoint = lib.mkIf (peer.wireguard ? endpoint) peer.wireguard.endpoint;
-
- allowedIPs = [
- "0.0.0.0/0"
- "::/0"
- ];
- }
- ];
- };
-in
-{
- # sops --set '["wireguard_serverkey"] "'"$(wg genkey | tee >(wg pubkey > /dev/stderr))"'"' secrets/[HOSTNAME].yaml
- sops.secrets.wireguard_serverkey = { };
- environment.systemPackages = with pkgs; [ wireguard-tools ];
-
- environment.etc."iproute2/rt_tables.d/wgnix.conf" = {
- text = ''
- ${concatMapStringsSep "\n"
- (
- peerName:
- let
- peer = peers.${peerName};
- in
- "${toString peer.wireguard.port} ${peerName}"
- )
- (
- attrNames (
- filterAttrs (n: v: v ? wireguard && v.wireguard ? onIFACE && v.wireguard.onIFACE != null) peers
- )
- )
- }
- '';
- };
-
- # Open FireWall Ports
- networking.firewall = lib.mkMerge [
- (optionalAttrs (portsWithoutIFACE != [ ]) (
- let
- conf = mkFWConf portsWithoutIFACE;
- in
- if IFACE != null then { interfaces.${IFACE} = conf; } else conf
- ))
-
- (optionalAttrs (portsWithIFACE != { }) {
- interfaces = (mapAttrs (name: value: mkFWConf value) portsWithIFACE);
- })
- ];
-
- networking.wg-quick.interfaces = genAttrs (attrNames peers) mkWireguardConf;
-}
From 23c149bf491dda74395c2b8678d17310533f0320 Mon Sep 17 00:00:00 2001
From: Antoine 'Toinux' Wam
Date: Sun, 29 Dec 2024 16:48:37 +0100
Subject: [PATCH 57/74] ~ hosts/miscservers/aure-kit-bots-01/default.nix:
---
 .../miscservers/aure-kit-bots-01/default.nix | 117 ++++++++++++++----
 1 file changed, 95 insertions(+), 22 deletions(-)
diff --git a/hosts/miscservers/aure-kit-bots-01/default.nix b/hosts/miscservers/aure-kit-bots-01/default.nix
index 198947d..82beed7 100644
--- a/hosts/miscservers/aure-kit-bots-01/default.nix
+++ b/hosts/miscservers/aure-kit-bots-01/default.nix
@@ -1,35 +1,108 @@
-{ ... }:
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{
+ name,
+ nodes,
+ lib,
+ pkgs,
+ ...
+}:
+let
+ diskoProfile = "simple";
+ diskoConfig = {
+ bootdisk = "/dev/vda";
+ };
+in
 {
- type = "targetConfig";
+ imports = [
+ # Include the results of the hardware scan.
+ ../default.nix
+ ./hardware-configuration.nix
+ # ./network-configuration.nix # TODO: implement
+ ];
+
+ deployment = {
+ # Disable SSH deployment. This node will be skipped in a
+ # normal`colmena apply`.
+ targetUser = "root";
+ targetHost = null; # TODO: define me
+ };
+
+ # Bootloader.
+ boot.loader.grub.efiSupport = false;
+ boot.loader.grub.enable = true;
- bootdisk = "/dev/vda";
- diskTemplate = "simple_singleFullRoot";
- # mainSerial = 0;
+ kittenModules = {
+ # network = {
+ # enable = true;
+ # interface = "ens18";
+ # address = "";
+ # };
- config = {
- hostprofile.miscservers = {
- interface = "ens18";
+ disko = {
+ enable = true;
+ profile = diskoProfile;
+ ${diskoProfile} = diskoConfig;
 };
+
+ # firewall = {
+ # enable = true;
+ # forward = {
+ # enable = true;
+ # # stateless = true;
+ # rules = ''
+ # iifname $wireguardIFACEs oifname "vlan36" ip6 daddr 2a13:79c0:ffff:feff:b00b:3615:1:0/112 counter accept
+ # oifname $wireguardIFACEs iifname "vlan36" ip6 saddr 2a13:79c0:ffff:feff:b00b:3615:1:0/112 counter accept
+ # '';
+ # };
+ # };
 };
+ systemd.network.enable = true;
+
+ nixpkgs.config.allowUnfree = true;
+ # Configure network proxy if necessary
+ # networking.proxy.default = "http://user:password@proxy:port/";
+ # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
+
+ # Set your time zone.
+ time.timeZone = "Europe/Paris";
- # birdConfig = {
- # # inherit transitInterface;
+ # Select internationalisation properties.
+ i18n.defaultLocale = "en_US.UTF-8";
+
+ i18n.extraLocaleSettings = {
+ LC_ADDRESS = "fr_FR.UTF-8";
+ LC_IDENTIFICATION = "fr_FR.UTF-8";
+ LC_MEASUREMENT = "fr_FR.UTF-8";
+ LC_MONETARY = "fr_FR.UTF-8";
+ LC_NAME = "fr_FR.UTF-8";
+ LC_NUMERIC = "fr_FR.UTF-8";
+ LC_PAPER = "fr_FR.UTF-8";
+ LC_TELEPHONE = "fr_FR.UTF-8";
+ LC_TIME = "fr_FR.UTF-8";
+ };
- # # router-id = ;
+ programs.mtr.enable = true;
- # # loopback4 = "";
- # loopback6 = "2a13:79c0:ffff:fefe::22f0";
+ # List services that you want to enable:
- # static6 = [
- # "::/0 recursive 2a13:79c0:ffff:fefe::b00b"
+ # Enable the OpenSSH daemon.
+ services.openssh.enable = true;
- # # "2a13:79c0:ffff:feff:b00b:caca:b173:0/112 unreachable" # Direct on ens19
- # "2a13:79c0:fffe:100::/56 unreachable"
+ # Open ports in the firewall.
+ networking.firewall.allowedTCPPorts = [ ];
+ networking.firewall.allowedUDPPorts = [ ];
+ # Or disable the firewall altogether.
+ networking.firewall.enable = lib.mkDefault true;
- # #"2a13:79c0:ffff::/48 unreachable" # Networking stuff
- # #"2a13:79c0:ffff:fefe::/64 unreachable" # LoopBacks
- # #"2a13:79c0:ff00::/40 unreachable" # full range /40
- # ];
- # };
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "23.11"; # Did you read the comment?
 }
From 31e2bdc89b50d4b96168d8207f348394f8b224fc Mon Sep 17 00:00:00 2001
From: Antoine 'Toinux' Wam
Date: Sun, 29 Dec 2024 16:48:37 +0100
Subject: [PATCH 58/74] ~ hosts/miscservers/aure-kit-bots-01/hardware-configuration.nix:
---
 hosts/miscservers/aure-kit-bots-01/hardware-configuration.nix | 1 +
 1 file changed, 1 insertion(+)
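Review bot: After this rewrite the host carries no interface configuration of its own: the `./network-configuration.nix` import and the whole `kittenModules.network` block are commented out, and the explicit `networking.useDHCP = false` plus single-interface DHCP that the deleted configuration.nix had (patch 59) are gone, so addressing now falls through to the `networking.useDHCP = lib.mkDefault true` that patch 58 adds to hardware-configuration.nix, which by that option's own description enables DHCP on every interface rather than just the profile interface. If that widening is intended, say so next to the commented import; otherwise keep `networking.useDHCP = false;` together with a per-interface `useDHCP` line until the network module lands. Separately, the `deployment` comment says SSH deployment is disabled while `targetHost = null; # TODO: define me` says it is merely pending — reword one of them, e.g. `# targetHost unset on purpose: colmena apply skips this node until its address is defined`, so the node's intended state is unambiguous. `name`, `nodes` and `pkgs` are destructured but unused in the visible body; Nix will not warn about that.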
diff --git a/hosts/miscservers/aure-kit-bots-01/hardware-configuration.nix b/hosts/miscservers/aure-kit-bots-01/hardware-configuration.nix
index 056601b..dfabf43 100644
--- a/hosts/miscservers/aure-kit-bots-01/hardware-configuration.nix
+++ b/hosts/miscservers/aure-kit-bots-01/hardware-configuration.nix
@@ -29,6 +29,7 @@
 # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
 # networking.useDHCP = lib.mkDefault true;
 # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
+ networking.useDHCP = lib.mkDefault true;
 nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 }
From 0b1bb75739f7368df859f7ae9901a39e4e39f07c Mon Sep 17 00:00:00 2001
From: Antoine 'Toinux' Wam
Date: Sun, 29 Dec 2024 16:48:37 +0100
Subject: [PATCH 59/74] - hosts/miscservers/aure-kit-bots-01/configuration.nix:
---
 .../aure-kit-bots-01/configuration.nix | 102 ------------------
 1 file changed, 102 deletions(-)
 delete mode 100644 hosts/miscservers/aure-kit-bots-01/configuration.nix
diff --git a/hosts/miscservers/aure-kit-bots-01/configuration.nix b/hosts/miscservers/aure-kit-bots-01/configuration.nix
deleted file mode 100644
index 7d74853..0000000
--- a/hosts/miscservers/aure-kit-bots-01/configuration.nix
+++ /dev/null
@@ -1,102 +0,0 @@
-# Edit this configuration file to define what should be installed on
-# your system. Help is available in the configuration.nix(5) man page, on
-# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
-
-{
- config,
- targetConfig,
- targetProfile,
- lib,
- pkgs,
- ...
-}:
-let
- cfg = config.hostprofile.${targetProfile};
-in
-{
- #imports = [ ./wireguard.nix ];
- # Bootloader.
- #boot.loader.systemd-boot.enable = true;
- #boot.loader.systemd-boot.configurationLimit = 5;
- #boot.loader.efi.canTouchEfiVariables = true;
- boot.loader.grub.efiSupport = false;
- boot.loader.grub.enable = true;
- # boot.loader.grub.efiInstallAsRemovable = true;
- # boot.loader.efi.efiSysMountPoint = "/boot/efi";
- # Define on which hard drive you want to install Grub.
- #boot.loader.grub.devices = [ "${targetConfig.bootdisk}" ]; # or "nodev" for efi only
-
- # Pick only one of the below networking options.
- # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
- # networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
- networking = {
- #nameservers = [ "1.3.3.7" ];
-
- interfaces = lib.mkMerge [
- (lib.mkIf (cfg.interface != null) { "${cfg.interface}".useDHCP = true; })
-
- # (lib.mkIf (kittenIFACE != null) {
- # "${kittenIFACE}" = {
-
- # # ipv4.addresses = [
- # # {
- # # address = "185.10.17.209";
- # # prefixLength = 24;
- # # }
- # # ];
-
- # ipv6.addresses = [
- # {
- # # address = "2a13:79c0:ffff:feff:b00b:caca:b173:25";
- # address = "2a13:79c0:ffff:feff:b00b:3965:113:${lastByte}";
- # prefixLength = 112;
- # }
- # ];
- # };
- # })
- ];
-
- # defaultGateway = {
- # address = "185.10.17.254";
- # metric = 42;
- # interface = iface;
- # };
-
- # defaultGateway6 = {
- # address = "2a13:79c0:ffff:feff:b00b:3965:113:25";
- # metric = 42;
- # interface = kittenIFACE;
- # };
-
- useDHCP = false;
- #dhcpcd.enable = false;
- };
-
- systemd.network.enable = true;
-
- # Set your time zone.
- time.timeZone = "Europe/Paris";
-
- nixpkgs.config.allowUnfree = true;
- # Configure network proxy if necessary
- # networking.proxy.default = "http://user:password@proxy:port/";
- # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
-
- # This option defines the first version of NixOS you have installed on this particular machine,
- # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
- #
- # Most users should NEVER change this value after the initial install, for any reason,
- # even if you've upgraded your system to a new NixOS release.
- #
- # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
- # so changing it will NOT upgrade your system.
- #
- # This value being lower than the current NixOS release does NOT mean your system is
- # out of date, out of support, or vulnerable.
- #
- # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
- # and migrated your data accordingly.
- #
- # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
- system.stateVersion = "23.11"; # Did you read the comment?
-}
From 09c9acd3f503f2cc42658dd5de23f4687ce7aae2 Mon Sep 17 00:00:00 2001
From: Antoine 'Toinux' Wam
Date: Sun, 29 Dec 2024 16:48:37 +0100
Subject: [PATCH 60/74] ~ hosts/routereflectors/iguane-kit-rr91/default.nix:
---
 .../iguane-kit-rr91/default.nix | 136 ++++++++++++++----
 1 file changed, 111 insertions(+), 25 deletions(-)
diff --git a/hosts/routereflectors/iguane-kit-rr91/default.nix b/hosts/routereflectors/iguane-kit-rr91/default.nix
index a5abf90..84cc907 100644
--- a/hosts/routereflectors/iguane-kit-rr91/default.nix
+++ b/hosts/routereflectors/iguane-kit-rr91/default.nix
@@ -1,39 +1,125 @@
-{ ... }:
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page, on
+# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
+
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+let
+ # cfg = config.hostprofile.rr;
+
+ diskoProfile = "simple";
+ diskoConfig = {
+ bootdisk = "/dev/vda";
+ };
+
+ kittenIFACE = "ens19";
+ lastByte = "92";
+in
+# config = {
+# mainSerial = 0;
+# hostprofile.rr = {
+# interface = "ens18";
+# };
+# };
 {
- type = "targetConfig";
+ imports = [
+ # Include the results of the hardware scan.
+ ../default.nix
+ ./hardware-configuration.nix
+ # ./network-configuration.nix # TODO: implement
+ ];
+ # Bootloader.
+ boot.loader.grub.efiSupport = false;
+ boot.loader.grub.enable = true;
+
+ # Pick only one of the below networking options.
+ networking = {
+ #nameservers = [ "1.3.3.7" ];
- bootdisk = "/dev/vda";
- diskTemplate = "simple_singleFullRoot";
+ interfaces = lib.mkMerge [
+ # (lib.mkIf (cfg.interface != null) { "${cfg.interface}".useDHCP = true; })
- # mainSerial = 0;
+ # (lib.mkIf (kittenIFACE != null) {
+ # "${kittenIFACE}" = {
+ # # ipv4.addresses = [
+ # # {
+ # # address = "185.10.17.209";
+ # # prefixLength = 24;
+ # # }
+ # # ];
+ #
+ # ipv6.addresses = [
+ # {
+ # # address = "2a13:79c0:ffff:feff:b00b:caca:b173:25";
+ # address = "2a13:79c0:ffff:feff:b00b:3965:113:${lastByte}";
+ # prefixLength = 112;
+ # }
+ # ];
+ # };
+ # })
+ ];
- config = {
- hostprofile.rr = {
- interface = "ens18";
+ # defaultGateway = {
+ # address = "185.10.17.254";
+ # metric = 42;
+ # interface = iface;
+ # };
- loopbacks = {
- ipv6 = [ "2a13:79c0:ffff:fefe::113:91" ];
- };
+ defaultGateway6 = {
+ address = "2a13:79c0:ffff:feff:b00b:3965:113:25";
+ metric = 42;
+ interface = kittenIFACE;
 };
+
+ useDHCP = false;
+ #dhcpcd.enable = false;
 };
- # birdConfig = {
- # # inherit transitInterface;
+ kittenModules = {
+ # network = {
+ # enable = true;
+ # interface = "ens18";
+ # address = "";
+ # };
+
+ disko = {
+ enable = true;
+ profile = diskoProfile;
+ ${diskoProfile} = diskoConfig;
+ };
- # # router-id = ;
+ loopback0 = { # Enabled by bird by default
+ enable = true;
+ ipv6 = ["2a13:79c0:ffff:fefe::113:91"];
+ };
+ };
- # # loopback4 = "";
- # loopback6 = "2a13:79c0:ffff:fefe::22f0";
+ systemd.network.enable = true;
- # static6 = [
- # "::/0 recursive 2a13:79c0:ffff:fefe::b00b"
+ # Set your time zone.
+ time.timeZone = "Europe/Paris";
- # # "2a13:79c0:ffff:feff:b00b:caca:b173:0/112 unreachable" # Direct on ens19
- # "2a13:79c0:fffe:100::/56 unreachable"
+ nixpkgs.config.allowUnfree = true;
- # #"2a13:79c0:ffff::/48 unreachable" # Networking stuff
- # #"2a13:79c0:ffff:fefe::/64 unreachable" # LoopBacks
- # #"2a13:79c0:ff00::/40 unreachable" # full range /40
- # ];
- # };
+ # This option defines the first version of NixOS you have installed on this particular machine,
+ # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
+ #
+ # Most users should NEVER change this value after the initial install, for any reason,
+ # even if you've upgraded your system to a new NixOS release.
+ #
+ # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
+ # so changing it will NOT upgrade your system.
+ #
+ # This value being lower than the current NixOS release does NOT mean your system is
+ # out of date, out of support, or vulnerable.
+ #
+ # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
+ # and migrated your data accordingly.
+ #
+ # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
+ system.stateVersion = "23.11"; # Did you read the comment?
 }
From 8ccf49a3ed4a7a2d811ef5eb41ce1dd6df26b7ea Mon Sep 17 00:00:00 2001
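Review bot: `networking.defaultGateway6` still points at `2a13:79c0:ffff:feff:b00b:3965:113:25` via `kittenIFACE`, but the `interfaces` entry that gave ens19 its `…:3965:113:${lastByte}/112` address is now commented out inside an otherwise empty `lib.mkMerge [ ]`, and the `cfg.interface` DHCP line is commented out too; with `useDHCP = false` no interface gets an address, so the default route is likely to fail to install and the route reflector comes up without connectivity. `lastByte` and the `config` argument are left unused as a result. Either restore the `kittenIFACE` block (the commented code is complete as written) or drop `defaultGateway6` until the module behind `# ./network-configuration.nix # TODO: implement` exists, and put a one-line note on the `mkMerge` such as `# interim: addressing moves to network-configuration.nix; host is unaddressed until then` so nobody mistakes the state for a deliberate outage. `loopback0`'s trailing comment `# Enabled by bird by default` would read better as a line above the attribute.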
From: Antoine 'Toinux' Wam
Date: Sun, 29 Dec 2024 16:48:37 +0100
Subject: [PATCH 61/74] - hosts/routereflectors/iguane-kit-rr91/configuration.nix:
---
 .../iguane-kit-rr91/configuration.nix | 104 ------------------
 1 file changed, 104 deletions(-)
 delete mode 100644 hosts/routereflectors/iguane-kit-rr91/configuration.nix
diff --git a/hosts/routereflectors/iguane-kit-rr91/configuration.nix b/hosts/routereflectors/iguane-kit-rr91/configuration.nix
deleted file mode 100644
index 452d278..0000000
--- a/hosts/routereflectors/iguane-kit-rr91/configuration.nix
+++ /dev/null
@@ -1,104 +0,0 @@
-# Edit this configuration file to define what should be installed on
-# your system. Help is available in the configuration.nix(5) man page, on
-# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
-
-{
- config,
- targetConfig,
- lib,
- pkgs,
- ...
-}:
-let
- cfg = config.hostprofile.rr;
-
- kittenIFACE = "ens19";
- lastByte = "92";
-in
-{
- #imports = [ ./wireguard.nix ];
- # Bootloader.
- #boot.loader.systemd-boot.enable = true;
- #boot.loader.systemd-boot.configurationLimit = 5;
- #boot.loader.efi.canTouchEfiVariables = true;
- boot.loader.grub.efiSupport = false;
- boot.loader.grub.enable = true;
- # boot.loader.grub.efiInstallAsRemovable = true;
- # boot.loader.efi.efiSysMountPoint = "/boot/efi";
- # Define on which hard drive you want to install Grub.
- #boot.loader.grub.devices = [ "${targetConfig.bootdisk}" ]; # or "nodev" for efi only
-
- # Pick only one of the below networking options.
- # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
- # networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
- networking = {
- #nameservers = [ "1.3.3.7" ];
-
- interfaces = lib.mkMerge [
- (lib.mkIf (cfg.interface != null) { "${cfg.interface}".useDHCP = true; })
-
- (lib.mkIf (kittenIFACE != null) {
- "${kittenIFACE}" = {
-
- # ipv4.addresses = [
- # {
- # address = "185.10.17.209";
- # prefixLength = 24;
- # }
- # ];
-
- ipv6.addresses = [
- {
- # address = "2a13:79c0:ffff:feff:b00b:caca:b173:25";
- address = "2a13:79c0:ffff:feff:b00b:3965:113:${lastByte}";
- prefixLength = 112;
- }
- ];
- };
- })
- ];
-
- # defaultGateway = {
- # address = "185.10.17.254";
- # metric = 42;
- # interface = iface;
- # };
-
- defaultGateway6 = {
- address = "2a13:79c0:ffff:feff:b00b:3965:113:25";
- metric = 42;
- interface = kittenIFACE;
- };
-
- useDHCP = false;
- #dhcpcd.enable = false;
- };
-
- systemd.network.enable = true;
-
- # Set your time zone.
- time.timeZone = "Europe/Paris";
-
- nixpkgs.config.allowUnfree = true;
- # Configure network proxy if necessary
- # networking.proxy.default = "http://user:password@proxy:port/";
- # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
-
- # This option defines the first version of NixOS you have installed on this particular machine,
- # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
- #
- # Most users should NEVER change this value after the initial install, for any reason,
- # even if you've upgraded your system to a new NixOS release.
- #
- # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
- # so changing it will NOT upgrade your system.
- #
- # This value being lower than the current NixOS release does NOT mean your system is
- # out of date, out of support, or vulnerable.
- #
- # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
- # and migrated your data accordingly.
- #
- # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
- system.stateVersion = "23.11"; # Did you read the comment?
-}
From ef10fbf78f096982cb32cda0a9b0dc9dc1f5720e Mon Sep 17 00:00:00 2001
From: Antoine 'Toinux' Wam
Date: Sun, 29 Dec 2024 16:48:37 +0100
Subject: [PATCH 62/74] ~ hosts/routers/iguane-kit-rtr/default.nix:
---
 hosts/routers/iguane-kit-rtr/default.nix | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/hosts/routers/iguane-kit-rtr/default.nix b/hosts/routers/iguane-kit-rtr/default.nix
index 7e69be4..a30f70d 100644
--- a/hosts/routers/iguane-kit-rtr/default.nix
+++ b/hosts/routers/iguane-kit-rtr/default.nix
@@ -5,6 +5,7 @@
 args@{
 config,
 lib,
+ kittenLib,
 pkgs,
 ...
 }:
@@ -14,7 +15,7 @@ let
 bootdisk = "/dev/vda";
 };
- peers = (import ./peers (args // { }));
+ peers = import ./peers args;
 wgPeers = (
 lib.mapAttrs (n: v: v.wireguard) (lib.filterAttrs (n: v: v ? wireguard && v.wireguard != { }) peers)
From 33dc9388368b4f4476b5d2ee1c210eb9ca46ce56 Mon Sep 17 00:00:00 2001
From: Antoine 'Toinux' Wam
Date: Sun, 29 Dec 2024 16:48:37 +0100
Subject: [PATCH 63/74] - hosts/routers/iguane-kit-rtr/configuration.nix:
---
 .../routers/iguane-kit-rtr/configuration.nix | 116 ------------------
 1 file changed, 116 deletions(-)
 delete mode 100644 hosts/routers/iguane-kit-rtr/configuration.nix
diff --git a/hosts/routers/iguane-kit-rtr/configuration.nix b/hosts/routers/iguane-kit-rtr/configuration.nix
deleted file mode 100644
index 869c910..0000000
--- a/hosts/routers/iguane-kit-rtr/configuration.nix
+++ /dev/null
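Review bot: `kittenLib` is added to the function's argument set in the first hunk but neither hunk uses it, and Nix does not warn about unused pattern attributes; if the rest of the file (outside both hunks) does not reference it, the addition is dead and should be dropped. The `peers = import ./peers args;` simplification is equivalent to the old form since `args // { }` was a no-op, but it now hands the complete module argument set — `config` included — to `./peers`; if that file only needs a subset, `peers = import ./peers { inherit lib kittenLib; };` makes the dependency explicit and keeps `./peers` from accidentally depending on evaluated `config`. The surrounding `let` block continues outside the hunk.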
@@ -1,116 +0,0 @@
-# Edit this configuration file to define what should be installed on
-# your system. Help is available in the configuration.nix(5) man page, on
-# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
-
-{
- config,
- targetConfig,
- lib,
- pkgs,
- ...
-}:
-let
- iface = if targetConfig ? interface then targetConfig.interface else null;
- kittenIFACE = "ens19";
-in
-{
- #imports = [ ./wireguard.nix ];
- # Bootloader.
- #boot.loader.systemd-boot.enable = true;
- #boot.loader.systemd-boot.configurationLimit = 5;
- #boot.loader.efi.canTouchEfiVariables = true;
- boot.loader.grub.efiSupport = false;
- boot.loader.grub.enable = true;
- # boot.loader.grub.efiInstallAsRemovable = true;
- # boot.loader.efi.efiSysMountPoint = "/boot/efi";
- # Define on which hard drive you want to install Grub.
- #boot.loader.grub.devices = [ "${targetConfig.bootdisk}" ]; # or "nodev" for efi only
-
- # Pick only one of the below networking options.
- # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
- # networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
- networking = {
-
- nftables.tables."nat" = {
- family = "inet";
- name = "nat";
-
- content = lib.mkAfter ''
- chain postrouting {
- type nat hook postrouting priority srcnat; policy accept;
- ip6 daddr 2a13:79c0:ffff:feff:b00b:3965:222:0/112 oifname "bootstrap" counter masquerade # random,persistent
- }
- '';
- };
-
- firewall = {
- allowedTCPPorts = [ 51888 ];
- allowedUDPPorts = [ 51888 ];
- };
-
- #nameservers = [ "1.3.3.7" ];
- interfaces = {
- "${iface}".useDHCP = true;
-
- "${kittenIFACE}" = {
-
- # ipv4.addresses = [
- # {
- # address = "185.10.17.209";
- # prefixLength = 24;
- # }
- # ];
-
- ipv6.addresses = [
- {
- address = "2a13:79c0:ffff:feff:b00b:3965:113:25";
- prefixLength = 112;
- }
- ];
- };
- };
-
- # defaultGateway = {
- # address = "185.10.17.254";
- # metric = 42;
- # interface = iface;
- # };
-
- # defaultGateway6 = {
- # address = "fe80::1";
- # metric = 42;
- # interface = iface;
- # };
-
- useDHCP = false;
- #dhcpcd.enable = false;
- };
-
- systemd.network.enable = true;
-
- # Set your time zone.
- time.timeZone = "Europe/Paris";
-
- nixpkgs.config.allowUnfree = true;
- # Configure network proxy if necessary
- # networking.proxy.default = "http://user:password@proxy:port/";
- # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
-
- # This option defines the first version of NixOS you have installed on this particular machine,
- # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
- #
- # Most users should NEVER change this value after the initial install, for any reason,
- # even if you've upgraded your system to a new NixOS release.
- #
- # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
- # so changing it will NOT upgrade your system.
- #
- # This value being lower than the current NixOS release does NOT mean your system is
- # out of date, out of support, or vulnerable.
- #
- # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
- # and migrated your data accordingly.
- #
- # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
- system.stateVersion = "23.11"; # Did you read the comment?
-}
From d684145afad2cbf3941e181532a0d3b710dc1493 Mon Sep 17 00:00:00 2001
From: Antoine 'Toinux' Wam
Date: Sun, 29 Dec 2024 18:02:36 +0100
Subject: [PATCH 64/74] Fix NIXP
---
 hosts/clients/NIXP/default.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hosts/clients/NIXP/default.nix b/hosts/clients/NIXP/default.nix
index 2bc0006..738632f 100644
--- a/hosts/clients/NIXP/default.nix
+++ b/hosts/clients/NIXP/default.nix
@@ -36,7 +36,7 @@ in
 kittenModules = {
 disko = {
- enable = true;
+ enable = false;
 profile = diskoProfile;
 ${diskoProfile} = diskoConfig;
From 39308fe878f7119e062064573e64f808487546b6 Mon Sep 17 00:00:00 2001
From: Antoine 'Toinux' Wam
Date: Sun, 29 Dec 2024 18:34:05 +0100
Subject: [PATCH 65/74] currentSystemPackages in /etc includes npins versions/commits
---
 system/default.nix | 23 +++++++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)
diff --git a/system/default.nix b/system/default.nix
index 52fc3a7..7d5bf0c 100644
--- a/system/default.nix
+++ b/system/default.nix
@@ -6,6 +6,7 @@
 config,
 lib,
 pkgs,
+ sources,
 ...
 }:
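Review bot: `enable = false` switches the disko module off for the NIXP client with no comment, and the commit message "Fix NIXP" does not say what was broken; because `profile` and `${diskoProfile}` are still set, a reader cannot tell whether disk provisioning is deliberately disabled for this host or temporarily worked around. A one-line reason keeps the next person from re-enabling it and re-running a partitioning step, e.g. `enable = false; # TODO(reason): why disko is off for NIXP` with the actual reason filled in. The `kittenModules` block continues outside the hunk.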
@@ -63,10 +64,28 @@ # Versions Dump environment.etc."current-system-packages".text = let + channelUrlRev = + s: + lib.replaceStrings [ "/" ] [ "_" ] ( + lib.removePrefix "https://releases.nixos.org/" (lib.removeSuffix "/nixexprs.tar.xz" s) + ); + + sourceRevision = + source: + if source ? revision then + "${source.version or source.branch}_${source.revision}" + else + (if source.type == "Channel" then channelUrlRev source.url else source.hash); + getName = (p: if p ? name then "${p.name}" else "${p}"); packages = builtins.map getName config.environment.systemPackages; - sortedUnique = builtins.sort builtins.lessThan (lib.unique packages); - formatted = builtins.concatStringsSep "\n" sortedUnique; + sortedUnique = l: builtins.sort builtins.lessThan (lib.unique l); + + npinSources = builtins.sort builtins.lessThan ( + lib.mapAttrsToList (n: v: "npins-sources-${n}-${sourceRevision v}") sources + ); + + formatted = builtins.concatStringsSep "\n" ((sortedUnique npinSources) ++ [] ++ (sortedUnique packages)); in formatted; } From f473b6b2b3a20bdac610c2a2b2abee8b386d5911 Mon Sep 17 00:00:00 2001 From: Antoine 'Toinux' Wam Date: Tue, 31 Dec 2024 17:08:17 +0100 Subject: [PATCH 66/74] add modules/home --- home/default.nix | 13 ------------- home/kube.nix | 6 ------ 2 files changed, 19 deletions(-) delete mode 100644 home/default.nix delete mode 100644 home/kube.nix diff --git a/home/default.nix b/home/default.nix deleted file mode 100644 index 50957f6..0000000 --- a/home/default.nix +++ /dev/null @@ -1,13 +0,0 @@ -{ - pkgs, - lib, - config, - osConfig, - ... -}: -let - kubeCfg = osConfig.services.k3s; -in -{ - imports = [ ] ++ lib.optional (kubeCfg.enable && kubeCfg.role == "server") ./kube.nix; -} diff --git a/home/kube.nix b/home/kube.nix deleted file mode 100644 index 18e4b31..0000000 --- a/home/kube.nix +++ /dev/null @@ -1,6 +0,0 @@ -{ ... }: - -{ - home.kubenv.enable = true; - home.sessionVariables.KUBECONFIG = "/etc/rancher/k3s/k3s.yaml"; -} 
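Review bot: `sourceRevision` aborts evaluation for any npins entry that has a `revision` but neither `version` nor `branch`, and `source.type == "Channel"` throws when a source has no `type`; since this runs for every entry in `sources`, one odd pin breaks the whole system build rather than just the version dump. Safer is `"${source.version or source.branch or "unknown"}_${source.revision}"` and `(source.type or "") == "Channel"`. The `++ [] ++` in the `formatted` line is a no-op left over and can be dropped. The new `sources` module argument added in the first hunk is presumably supplied through `specialArgs` (the later `hosts/_defaults.nix` hunk takes `sources` the same way), which is worth confirming, because a missing argument fails evaluation rather than degrading gracefully.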
From a95602533635547920fa0e3815e696b66610a20d Mon Sep 17 00:00:00 2001 From: Antoine 'Toinux' Wam Date: Tue, 31 Dec 2024 17:10:05 +0100 Subject: [PATCH 67/74] no Flake lock --- flake.lock | 505 ----------------------------------------------------- 1 file changed, 505 deletions(-) delete mode 100644 flake.lock diff --git a/flake.lock b/flake.lock deleted file mode 100644 index 572f3b5..0000000 --- a/flake.lock +++ /dev/null 
@@ -1,505 +0,0 @@ -{ - "nodes": { - "crane": { - "flake": false, - "locked": { - "lastModified": 1699217310, - "narHash": "sha256-xpW3VFUG7yE6UE6Wl0dhqencuENSkV7qpnpe9I8VbPw=", - "owner": "ipetkov", - "repo": "crane", - "rev": "d535642bbe6f377077f7c23f0febb78b1463f449", - "type": "github" - }, - "original": { - "owner": "ipetkov", - "ref": "v0.15.0", - "repo": "crane", - "type": "github" - } - }, - "disko": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1717415925, - "narHash": "sha256-KhclrqEQFrDr6Z8WqtvCdqtR7Fg35aMyfk7ANtx34Ys=", - "owner": "nix-community", - "repo": "disko", - "rev": "b106b5df3654d83197aff4826e3e34a5a5335b1c", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "disko", - "type": "github" - } - }, - "dream2nix": { - "inputs": { - "nixpkgs": [ - "nix-inspect", - "nci", - "nixpkgs" - ], - "purescript-overlay": "purescript-overlay", - "pyproject-nix": "pyproject-nix" - }, - "locked": { - "lastModified": 1709959559, - "narHash": "sha256-Gb+tUU+clGKVBwiznTQf0emZZ+heALqoVwUgI0O13L8=", - "owner": "nix-community", - "repo": "dream2nix", - "rev": "42838c590971da17a4b6483962707b7fb7b8b9a7", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "dream2nix", - "type": "github" - } - }, - "flake-utils": { - "inputs": { - "systems": "systems" - }, - "locked": { - "lastModified": 1701680307, - "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "4022d587cbbfd70fe950c1e2083a02621806a725", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "home-config": { - "inputs": { - "home-manager": [ - "home-manager" - ], - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1715301944, - "narHash": "sha256-Xp06wgWBU2aDP59gW/uH2m96N35WWh2IcvdX0lBkdYs=", - "owner": "toinux", - "repo": "homefiles", - "rev": 
"c087a612aec45ec2c556991ca560d9d49ff3d486", - "type": "gitlab" - }, - "original": { - "owner": "toinux", - "repo": "homefiles", - "type": "gitlab" - } - }, - "home-manager": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1716736833, - "narHash": "sha256-rNObca6dm7Qs524O4st8VJH6pZ/Xe1gxl+Rx6mcWYo0=", - "owner": "nix-community", - "repo": "home-manager", - "rev": "a631666f5ec18271e86a5cde998cba68c33d9ac6", - "type": "github" - }, - "original": { - "owner": "nix-community", - "ref": "release-24.05", - "repo": "home-manager", - "type": "github" - } - }, - "krewfile": { - "inputs": { - "flake-utils": "flake-utils", - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1705078502, - "narHash": "sha256-qH6DtavbLqIpYIf3Zr2eWOcBpJfLFXbaOKQNkefv6tg=", - "owner": "brumhard", - "repo": "krewfile", - "rev": "02d04f38ea0d1b8de4da3b29bc861f8883c9b9e9", - "type": "github" - }, - "original": { - "owner": "brumhard", - "repo": "krewfile", - "type": "github" - } - }, - "mk-naked-shell": { - "flake": false, - "locked": { - "lastModified": 1681286841, - "narHash": "sha256-3XlJrwlR0nBiREnuogoa5i1b4+w/XPe0z8bbrJASw0g=", - "owner": "yusdacra", - "repo": "mk-naked-shell", - "rev": "7612f828dd6f22b7fb332cc69440e839d7ffe6bd", - "type": "github" - }, - "original": { - "owner": "yusdacra", - "repo": "mk-naked-shell", - "type": "github" - } - }, - "nci": { - "inputs": { - "crane": "crane", - "dream2nix": "dream2nix", - "mk-naked-shell": "mk-naked-shell", - "nixpkgs": [ - "nix-inspect", - "nixpkgs" - ], - "parts": "parts", - "rust-overlay": "rust-overlay", - "treefmt": "treefmt" - }, - "locked": { - "lastModified": 1710137478, - "narHash": "sha256-+hbUWY1PEItyx3CBOGsHlJEDO2wRY2N1mpBhiLBblck=", - "owner": "yusdacra", - "repo": "nix-cargo-integration", - "rev": "f3cc8751427e16ec48c0467357b3f3979a53ae9c", - "type": "github" - }, - "original": { - "owner": "yusdacra", - "repo": "nix-cargo-integration", - "type": "github" - } - }, - "nix-inspect": { 
- "inputs": { - "nci": "nci", - "nixpkgs": "nixpkgs", - "parts": "parts_2" - }, - "locked": { - "lastModified": 1717293583, - "narHash": "sha256-Upz+fnWJjzt5WokjO/iaiPbqiwSrqpWjrpcFOqQ4p0E=", - "owner": "bluskript", - "repo": "nix-inspect", - "rev": "c55921e1d1cf980ff6351273fde6cedd5d8fa320", - "type": "github" - }, - "original": { - "owner": "bluskript", - "repo": "nix-inspect", - "type": "github" - } - }, - "nixos-hardware": { - "locked": { - "lastModified": 1717248095, - "narHash": "sha256-e8X2eWjAHJQT82AAN+mCI0B68cIDBJpqJ156+VRrFO0=", - "owner": "NixOS", - "repo": "nixos-hardware", - "rev": "7b49d3967613d9aacac5b340ef158d493906ba79", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "master", - "repo": "nixos-hardware", - "type": "github" - } - }, - "nixpkgs": { - "locked": { - "lastModified": 1709961763, - "narHash": "sha256-6H95HGJHhEZtyYA3rIQpvamMKAGoa8Yh2rFV29QnuGw=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "3030f185ba6a4bf4f18b87f345f104e6a6961f34", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-master": { - "locked": { - "lastModified": 1717450446, - "narHash": "sha256-jGT4u92vjH2/plvQbnt3A4VUq5XrmaEGuG1CCTqvQss=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "58289729f2bd617af78dc111ea781e971f4f340c", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "master", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-stable": { - "locked": { - "lastModified": 1717265169, - "narHash": "sha256-IITcGd6xpNoyq9SZBigCkv4+qMHSqot0RDPR4xsZ2CA=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "3b1b4895b2c5f9f5544d02132896aeb9ceea77bc", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "release-23.11", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-unstable": { - "locked": { - "lastModified": 1717399147, - "narHash": "sha256-eCWaE/q1VItpFAxxLVt171MdtDcjEnwi6QB/yuF73JU=", - 
"owner": "NixOS", - "repo": "nixpkgs", - "rev": "4a4ecb0ab415c9fccfb005567a215e6a9564cdf5", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_2": { - "locked": { - "lastModified": 1717144377, - "narHash": "sha256-F/TKWETwB5RaR8owkPPi+SPJh83AQsm6KrQAlJ8v/uA=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "805a384895c696f802a9bf5bf4720f37385df547", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-24.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "parts": { - "inputs": { - "nixpkgs-lib": [ - "nix-inspect", - "nci", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1709336216, - "narHash": "sha256-Dt/wOWeW6Sqm11Yh+2+t0dfEWxoMxGBvv3JpIocFl9E=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "f7b3c975cf067e56e7cda6cb098ebe3fb4d74ca2", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "parts_2": { - "inputs": { - "nixpkgs-lib": [ - "nix-inspect", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1709336216, - "narHash": "sha256-Dt/wOWeW6Sqm11Yh+2+t0dfEWxoMxGBvv3JpIocFl9E=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "f7b3c975cf067e56e7cda6cb098ebe3fb4d74ca2", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "purescript-overlay": { - "inputs": { - "nixpkgs": [ - "nix-inspect", - "nci", - "dream2nix", - "nixpkgs" - ], - "slimlock": "slimlock" - }, - "locked": { - "lastModified": 1696022621, - "narHash": "sha256-eMjFmsj2G1E0Q5XiibUNgFjTiSz0GxIeSSzzVdoN730=", - "owner": "thomashoneyman", - "repo": "purescript-overlay", - "rev": "047c7933abd6da8aa239904422e22d190ce55ead", - "type": "github" - }, - "original": { - "owner": "thomashoneyman", - "repo": "purescript-overlay", - "type": "github" - } - }, - "pyproject-nix": { - "flake": false, - "locked": { - 
"lastModified": 1702448246, - "narHash": "sha256-hFg5s/hoJFv7tDpiGvEvXP0UfFvFEDgTdyHIjDVHu1I=", - "owner": "davhau", - "repo": "pyproject.nix", - "rev": "5a06a2697b228c04dd2f35659b4b659ca74f7aeb", - "type": "github" - }, - "original": { - "owner": "davhau", - "ref": "dream2nix", - "repo": "pyproject.nix", - "type": "github" - } - }, - "root": { - "inputs": { - "disko": "disko", - "home-config": "home-config", - "home-manager": "home-manager", - "krewfile": "krewfile", - "nix-inspect": "nix-inspect", - "nixos-hardware": "nixos-hardware", - "nixpkgs": "nixpkgs_2", - "nixpkgs-master": "nixpkgs-master", - "nixpkgs-unstable": "nixpkgs-unstable", - "sops-nix": "sops-nix" - } - }, - "rust-overlay": { - "flake": false, - "locked": { - "lastModified": 1710123130, - "narHash": "sha256-EoGL/WSM1M2L099Q91mPKO/FRV2iu2ZLOEp3y5sLfiE=", - "owner": "oxalica", - "repo": "rust-overlay", - "rev": "73aca260afe5d41d3ebce932c8d896399c9d5174", - "type": "github" - }, - "original": { - "owner": "oxalica", - "repo": "rust-overlay", - "type": "github" - } - }, - "slimlock": { - "inputs": { - "nixpkgs": [ - "nix-inspect", - "nci", - "dream2nix", - "purescript-overlay", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1688610262, - "narHash": "sha256-Wg0ViDotFWGWqKIQzyYCgayeH8s4U1OZcTiWTQYdAp4=", - "owner": "thomashoneyman", - "repo": "slimlock", - "rev": "b5c6cdcaf636ebbebd0a1f32520929394493f1a6", - "type": "github" - }, - "original": { - "owner": "thomashoneyman", - "repo": "slimlock", - "type": "github" - } - }, - "sops-nix": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ], - "nixpkgs-stable": "nixpkgs-stable" - }, - "locked": { - "lastModified": 1717297459, - "narHash": "sha256-cZC2f68w5UrJ1f+2NWGV9Gx0dEYmxwomWN2B0lx0QRA=", - "owner": "Mic92", - "repo": "sops-nix", - "rev": "ab2a43b0d21d1d37d4d5726a892f714eaeb4b075", - "type": "github" - }, - "original": { - "owner": "Mic92", - "repo": "sops-nix", - "type": "github" - } - }, - "systems": { - "locked": { - "lastModified": 1681028828, - 
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "treefmt": { - "inputs": { - "nixpkgs": [ - "nix-inspect", - "nci", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1710088047, - "narHash": "sha256-eSqKs6ZCsX9xJyNYLeMDMrxzIDsYtaWClfZCOp0ok6Y=", - "owner": "numtide", - "repo": "treefmt-nix", - "rev": "720322c5352d7b7bd2cb3601a9176b0e91d1de7d", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "treefmt-nix", - "type": "github" - } - } - }, - "root": "root", - "version": 7 -} From a8c732760156675e5b971e0ebbdf0883964a26aa Mon Sep 17 00:00:00 2001 From: Antoine 'Toinux' Wam Date: Tue, 31 Dec 2024 17:11:51 +0100 Subject: [PATCH 68/74] CI/_Configuration --- _configuration.nix | 10 ---------- 1 file changed, 10 deletions(-) delete mode 100644 _configuration.nix diff --git a/_configuration.nix b/_configuration.nix deleted file mode 100644 index 6a92c97..0000000 --- a/_configuration.nix +++ /dev/null @@ -1,10 +0,0 @@ -let - sources = import ./npins; - - pkgs = import sources.nixpkgs { }; - lib = pkgs.lib; - - host = lib.removeSuffix "\n" (builtins.readFile /etc/hostname); - node = (import ./ci/_makeHive.nix (import ./hive.nix)).nodes.${host}; -in -node From 323af31b56ad4d2debce2f4aa7a04882bc6cfacb Mon Sep 17 00:00:00 2001 From: Antoine 'Toinux' Wam Date: Tue, 31 Dec 2024 17:20:06 +0100 Subject: [PATCH 69/74] Overlays cleaner --- _overlays.nix | 21 --------------------- hosts/_defaults.nix | 2 +- 2 files changed, 1 insertion(+), 22 deletions(-) diff --git a/_overlays.nix b/_overlays.nix index 1854737..e69de29 100644 --- a/_overlays.nix +++ b/_overlays.nix 
@@ -1,21 +0,0 @@ -{ lib, ... }: -let - sources = import ../npins; - - inherit (builtins) readDir filter; - inherit (lib.strings) hasPrefix hasSuffix; - inherit (lib.attrsets) filterAttrs attrNames; - - isFile = n: v: v == "regular"; - - overlaysPath = ./overlays; - files = attrNames (filterAttrs isFile (readDir overlaysPath)); - - filterFunc = file: file != "default.nix" && hasSuffix ".nix" file && !hasPrefix "_" file; - overlays = map (file: import (overlaysPath + "/${file}")) (filter filterFunc files); - - baseConfig = import ./nixpkgs.config.nix; -in -{ - inherit overlaysPath overlays baseConfig sources; -} diff --git a/hosts/_defaults.nix b/hosts/_defaults.nix index a3ff4be..74ef546 100644 --- a/hosts/_defaults.nix +++ b/hosts/_defaults.nix @@ -11,7 +11,7 @@ args@{ pkgs, sources, ... }: time.timeZone = "Europe/Paris"; - nixpkgs.overlays = (import ../_overlays.nix args).overlays; + nixpkgs.overlays = import ../overlays args; # By default, Colmena will replace unknown remote profile # (unknown means the profile isn't in the nix store on the From 3cf415273409998e41bc1e5f3b15259f5a0fad49 Mon Sep 17 00:00:00 2001 
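Review bot: `nixpkgs.overlays = import ../overlays args;` expects `overlays/default.nix` to be a function of the module args that returns an overlay list, but this commit's diffstat touches only `_overlays.nix` and `hosts/_defaults.nix`, so it presumably relies on a pre-existing `overlays/default.nix`; confirm that file accepts `args` and returns a list, not the `{ overlaysPath overlays baseConfig sources }` attribute set the removed `_overlays.nix` produced, since the old `.overlays` selection is gone. Separately, `_overlays.nix` is emptied (index `1854737..e69de29`, the empty blob) rather than removed, leaving a dead module at the repo root; `git rm _overlays.nix` matches the "cleaner" intent better. The `hosts/_defaults.nix` attribute set continues outside the hunk.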
From: Antoine 'Toinux' Wam Date: Tue, 31 Dec 2024 17:21:24 +0100 Subject: [PATCH 70/74] system -> modules/system/kitten/legacy --- system/console.nix | 75 ----------------- system/default.nix | 91 --------------------- system/grub-boot.nix | 36 --------- system/inputrc.nix | 25 ------ system/laptop.nix | 175 ---------------------------------------- system/openvpn.nix | 116 -------------------------- system/pkgs.nix | 9 --- system/security.nix | 100 ----------------------- system/serial-com.nix | 26 ------ system/systemd-boot.nix | 28 ------- 10 files changed, 681 deletions(-) delete mode 100644 system/console.nix delete mode 100644 system/default.nix delete mode 100644 system/grub-boot.nix delete mode 100644 system/inputrc.nix delete mode 100644 system/laptop.nix delete mode 100644 system/openvpn.nix delete mode 100644 system/pkgs.nix delete mode 100644 system/security.nix delete mode 100644 system/serial-com.nix delete mode 100644 system/systemd-boot.nix diff --git a/system/console.nix b/system/console.nix deleted file mode 100644 index 463d424..0000000 --- a/system/console.nix +++ /dev/null 
@@ -1,75 +0,0 @@ -{ - pkgs, - lib, - config, - targetConfig, - ... -}: -let - nerdFonts = true; - - palette = [ - "000000" - "CC0000" - "4E9A06" - "C4A000" - "3465A4" - "75507B" - "06989A" - "D3D7CF" - "555753" - "EF2929" - "8AE234" - "FCE94F" - "739FCF" - "AD7FA8" - "34E2E2" - "EEEEEC" - ]; - - inherit (lib) mkDefault; -in -{ - services.gpm.enable = mkDefault true; - - # systemd.units."kmsconvt@.service".ExecStart = lib.mkIf (nerdFonts) ( - # let - # autologinArg = lib.optionalString ( - # config.services.kmscon.autologinUser != null - # ) "-a ${config.services.kmscon.autologinUser}"; - - # extraOptions = config.services.kmscon.extraOptions; - # in - # ''${pkgs.kmscon}/bin/kmscon "--vt=%I" ${extraOptions} --seats=seat0 --no-switchvt --configdir ${configDir} --login -- ${pkgs.util-linux}/bin/agetty -o '-p ${autologinArg} -- \\u' - xterm-256color'' - # ); - - # conf.options.services.openssh.settings.value.Macs - - services.kmscon = lib.mkIf (nerdFonts) { - enable = true; - hwRender = false; - - fonts = [ - { - name = "Hack Nerd Font Mono"; - package = with pkgs; (nerdfonts.override { fonts = [ "Hack" ]; }); - } - ]; - - extraConfig = '' - font-size=16 - ''; - }; - - # config.systemd.units."kmsconvt@.service".unit.text - - # conf.options.services.openssh.settings.value.Macs - - console = { - earlySetup = true; - - font = with pkgs; "${powerline-fonts}/share/consolefonts/ter-powerline-v16b.psf.gz"; - - colors = palette; - }; -} diff --git a/system/default.nix b/system/default.nix deleted file mode 100644 index 7d5bf0c..0000000 --- a/system/default.nix +++ /dev/null 
@@ -1,91 +0,0 @@ -# Edit this configuration file to define what should be installed on -# your system. Help is available in the configuration.nix(5) man page, on -# https://search.nixos.org/options and in the NixOS manual (`nixos-help`). - -{ - config, - lib, - pkgs, - sources, - ... -}: - -{ - - imports = [ - # ./nixConfig.nix - # ./packages.nix # Install system-wide pkgs - ./inputrc.nix # ReadLine config - ./security.nix # PAM + SSH + Keys - # ./firewall.nix - - # VPNs - ./openvpn.nix - - # Kernel / Bootloader - # ./serial-com.nix - # ./systemd-boot.nix - # ./grub-boot.nix - ]; - - # Set your time zone. - time.timeZone = "Europe/Paris"; - - # Configure network proxy if necessary - # networking.proxy.default = "http://user:password@proxy:port/"; - # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; - - # Select internationalisation properties. - i18n.defaultLocale = "en_US.UTF-8"; - - boot.supportedFilesystems = [ "nfs" ]; - services.rpcbind.enable = true; # NFS - Client - - services.chrony = { - enable = true; - }; - - programs.zsh.enable = true; # Install System-Wide -> Config is done with home-manager - - environment.shells = with pkgs; [ zsh ]; - environment.pathsToLink = [ "/share/zsh" ]; # ZSH Completion - - # tmpFS on /tmp - boot.tmp.useTmpfs = lib.mkDefault true; - - # Enable the OpenSSH daemon. - services.openssh.enable = true; - - environment.systemPackages = with pkgs; [ - # Additional packages - # nix-inspect - ]; - - # Versions Dump - environment.etc."current-system-packages".text = - let - channelUrlRev = - s: - lib.replaceStrings [ "/" ] [ "_" ] ( - lib.removePrefix "https://releases.nixos.org/" (lib.removeSuffix "/nixexprs.tar.xz" s) - ); - - sourceRevision = - source: - if source ? revision then - "${source.version or source.branch}_${source.revision}" - else - (if source.type == "Channel" then channelUrlRev source.url else source.hash); - - getName = (p: if p ? 
name then "${p.name}" else "${p}"); - packages = builtins.map getName config.environment.systemPackages; - sortedUnique = l: builtins.sort builtins.lessThan (lib.unique l); - - npinSources = builtins.sort builtins.lessThan ( - lib.mapAttrsToList (n: v: "npins-sources-${n}-${sourceRevision v}") sources - ); - - formatted = builtins.concatStringsSep "\n" ((sortedUnique npinSources) ++ [] ++ (sortedUnique packages)); - in - formatted; -} diff --git a/system/grub-boot.nix b/system/grub-boot.nix deleted file mode 100644 index a343b8f..0000000 --- a/system/grub-boot.nix +++ /dev/null @@ -1,36 +0,0 @@ -{ - pkgs, - lib, - targetConfig, - ... -}: - -let - bootloader = if targetConfig ? bootloader then targetConfig.bootloader else ""; - grubBoot = (bootloader == "grub"); - serialPort = if targetConfig ? mainSerial then targetConfig.mainSerial else 0; -in -{ - config.boot.loader.grub = lib.mkIf (grubBoot) { - memtest86.enable = true; - - ipxe = { - netboot_xyz = '' - #!ipxe - dhcp - chain --autofree http://boot.netboot.xyz - ''; - }; - #extraEntries = '' - # # GRUB 2 with UEFI example, chainloading another distro - # menuentry "Memtest86+" { - # set root=($drive1)/ - # chainloader /efi/memtest86/memtest.efi - # } - #''; - - #extraFiles = { - # "efi/memtest86/memtest.efi" = "${pkgs.memtest86plus}/memtest.efi"; - #}; - }; -} diff --git a/system/inputrc.nix b/system/inputrc.nix deleted file mode 100644 index 58a0b7d..0000000 --- a/system/inputrc.nix +++ /dev/null 
@@ -1,25 +0,0 @@ -{ lib, ... }: - -{ - environment.etc."inputrc".target = lib.mkForce "inputrc.orig"; # Important to re-use nixpkgs orig file - environment.etc."inputrc.modified" = { - target = "inputrc"; # Relative to /etc - text = '' - - $include /etc/inputrc.orig # Import the Orig File - # Additional stuff - set completion-ignore-case On - set completion-map-case On - set completion-prefix-display-length 3 - set mark-symlinked-directories On - set show-all-if-ambiguous On - set show-all-if-unmodified On - set visible-stats On - - $if mode=emacs - "\e\e[C": forward-word - "\e\e[D": backward-word - $endif - ''; - }; -} diff --git a/system/laptop.nix b/system/laptop.nix deleted file mode 100644 index cd83f14..0000000 --- a/system/laptop.nix +++ /dev/null 
@@ -1,175 +0,0 @@ -# Edit this configuration file to define what should be installed on -# your system. Help is available in the configuration.nix(5) man page, on -# https://search.nixos.org/options and in the NixOS manual (`nixos-help`). - -{ - config, - targetConfig, - lib, - pkgs, - ... -}: - -{ - services.openssh.enable = lib.mkForce false; # Disable OpenSSH server on laptop - - boot.initrd.systemd.enable = true; # Cleaner plymouth integration but no YubiKey support - - boot.plymouth = lib.mkIf (config.specialisation != { }) { - enable = true; - theme = lib.mkIf (config.services.xserver.desktopManager.plasma5.enable) "breeze"; - }; - - boot.kernelParams = lib.mkIf (config.specialisation != { }) [ "quiet" ]; # Shut The Fuck Up on boot (plymouth will be interupted with boot logs if not set) - boot.consoleLogLevel = lib.mkDefault 0; - - specialisation.debug.configuration = { - boot.initrd.systemd.emergencyAccess = true; - - boot.consoleLogLevel = 7; - }; - systemd.services.NetworkManager-wait-online.enable = lib.mkIf (config.networking.networkmanager.enable) false; # Not a server, so we should be able to work offline + NM-WaitOnline is quite dumb - - networking = { - # FallBack to DHCPcd + WPASupplicant if NetworkManager is off ( eg: during installation ) - dhcpcd.enable = lib.mkIf (!config.networking.networkmanager.enable) true; - wireless.enable = lib.mkIf (!config.networking.networkmanager.enable) true; # Enables wireless support via wpa_supplicant. 
- }; - - # NonPackaged apps - services.flatpak.enable = true; - # Deezer - - environment.systemPackages = - with pkgs; - [ - vim # Usefull to fix a broken config from TTY - - # libinput-gestures - ] - ++ lib.optionals (config.virtualisation.libvirtd.enable) [ virt-manager ] - ++ [ - # Personal comfort Apps - parsec-bin # To play GTA at work - ]; - - # Password manager - programs._1password-gui.enable = true; - programs._1password.enable = true; - - # VirtManager + LibVirt - environment.sessionVariables.LIBVIRT_DEFAULT_URI = [ "qemu:///system" ]; - virtualisation.libvirtd = { - enable = true; - qemu.ovmf.enable = true; # UEFI - }; - - # Docker containers - virtualisation.docker = { - enable = true; - - autoPrune = { - enable = true; - }; - }; - - fonts.packages = with pkgs; [ - (nerdfonts.override { - fonts = [ - "DroidSansMono" - "FiraCode" - "Hack" - "IosevkaTerm" - "Terminus" - ]; - }) - ]; - - console.useXkbConfig = true; - i18n.extraLocaleSettings = { - LC_ADDRESS = "fr_FR.UTF-8"; - LC_IDENTIFICATION = "fr_FR.UTF-8"; - LC_MEASUREMENT = "fr_FR.UTF-8"; - LC_MONETARY = "fr_FR.UTF-8"; - LC_NAME = "fr_FR.UTF-8"; - LC_NUMERIC = "fr_FR.UTF-8"; - LC_PAPER = "fr_FR.UTF-8"; - LC_TELEPHONE = "fr_FR.UTF-8"; - LC_TIME = "fr_FR.UTF-8"; - }; - - programs.gnupg.agent.pinentryPackage = lib.mkForce pkgs.pinentry-qt; # cuz there's a conflict between xserver / desktop-manager - - # X - VideoServer - Not the porn website - services.xserver = { - enable = true; - - displayManager.sddm.enable = lib.mkIf (config.services.xserver.desktopManager.plasma5.enable) true; # Default DM for KDE/Plasma - - desktopManager.plasma5 = { - enable = true; # I miss windows look n feel - }; - - libinput = { - enable = true; # for touchpad support on many laptops - # touchpad.disableWhileTyping = true; # Plasma setting works better - }; - - videoDrivers = lib.mkOverride 40 [ - "cirrus" - "vesa" - "modesetting" - ]; - - xkb = { - layout = "us"; - variant = ""; - }; - }; - # Enable sound with pipewire. 
- sound.enable = true; - hardware.pulseaudio.enable = false; - security.rtkit.enable = true; - services.pipewire = { - enable = true; - alsa.enable = true; - alsa.support32Bit = true; - pulse.enable = true; - # If you want to use JACK applications, uncomment this - #jack.enable = true; - - # use the example session manager (no others are packaged yet so this is enabled by default, - # no need to redefine it in your config for now) - #media-session.enable = true; - }; - services.printing.enable = true; - - # BlueTooth - hardware.bluetooth = { - enable = true; - settings = { - General = { - ControllerMode = "dual"; # HessPods support - }; - }; - }; - - security.polkit.enable = true; # Else xRDP is black if user is logged-on locally - services.xrdp = { - enable = false; - defaultWindowManager = "startplasma-x11"; # xRDP works better with x11 - openFirewall = true; - }; - - services.autorandr = { - enable = false; - - hooks.postswitch = { - "notify" = '' - ( sleep 5; notify-send -i display "Display profile" "$AUTORANDR_CURRENT_PROFILE"; ) & - ''; - }; - - profiles = { }; - }; -} diff --git a/system/openvpn.nix b/system/openvpn.nix deleted file mode 100644 index d1ce407..0000000 --- a/system/openvpn.nix +++ /dev/null 
@@ -1,116 +0,0 @@ -# Edit this configuration file to define what should be installed on -# your system. Help is available in the configuration.nix(5) man page, on -# https://search.nixos.org/options and in the NixOS manual (`nixos-help`). - -{ - config, - targetConfig, - lib, - pkgs, - ... -}: - -let - cfg = config.services.ovpn; - - forEachCFG = ( - name: val: - builtins.listToAttrs ( - map (conf: { - name = if name == "" then conf else lib.trivial.toFunction name conf; - - value = lib.trivial.toFunction val conf; - }) cfg.configs - ) - ); - - openscPKCS11 = "${pkgs.opensc}/lib/opensc-pkcs11.so"; - showPKCS11 = "${pkgs.openvpn_show_pkcs11_ids}/bin/openvpn_show_pkcs11_ids.sh"; -in -{ - options.services.ovpn = { - configs = lib.mkOption { - type = lib.types.listOf lib.types.str; - default = [ ]; - example = [ "s3nsible" ]; - description = '' - List of OpenVPN configurations to generate. - ''; - }; - - ensureDevice = lib.mkEnableOption "YubiKey Forced Detection"; - - basePath = lib.mkOption { - type = lib.types.str; - default = "/root/openvpn"; - example = "/etc/openvpn/configs"; - description = '' - Folder where configurations can be found on disk. - ''; - }; - - autostart = lib.mkOption { - type = lib.types.listOf lib.types.str; - default = [ ]; - example = [ "s3nsible" ]; - description = '' - List of OpenVPN configurations to start on boot. 
- ''; - }; - }; - - config = lib.mkIf (cfg.configs != [ ]) { - nixpkgs.overlays = [ - (final: prev: { - # OpenVPN w/ OpenSC pkcs11 support - openvpn = ( - prev.openvpn.override { - pkcs11Support = true; - pkcs11helper = prev.pkcs11helper; - } - ); - - openvpn_show_pkcs11_ids = ( - pkgs.writeShellScriptBin "openvpn_show_pkcs11_ids.sh" '' - ${pkgs.openvpn}/bin/openvpn --show-pkcs11-ids ${openscPKCS11} - '' - ); - - openvpn_systemd_launcher = ( - pkgs.writeShellScriptBin "openvpn_systemd.sh" (builtins.readFile ../scripts/openvpn_systemd.sh) - ); - }) - ]; - - environment.systemPackages = with pkgs; [ - opensc - - openvpn_show_pkcs11_ids - openvpn_systemd_launcher - ]; - - systemd.services = ( - forEachCFG (name: "openvpn-${name}") { - serviceConfig = { - ExecStartPre = lib.mkIf (cfg.ensureDevice) "${pkgs.bash}/bin/bash -c '${showPKCS11}; [[ \$(${showPKCS11} | grep DN: | wc -l) -gt 0 ]] || { echo Missing YubiKey or Certificates not found; exit 1; }'"; # Ensure yubikey is detected - TimeoutStartSec = 90; - }; - } - ); - - services.openvpn.servers = forEachCFG "" (conf: { - autoStart = builtins.elem conf cfg.autostart; - - config = - let - iface = builtins.substring 0 15 conf; - in - '' - pkcs11-providers ${openscPKCS11} - - config ${cfg.basePath}/${conf}.ovpn - dev ${iface} - ''; - }); - }; -} diff --git a/system/pkgs.nix b/system/pkgs.nix deleted file mode 100644 index 867f624..0000000 --- a/system/pkgs.nix +++ /dev/null @@ -1,9 +0,0 @@ -{ lib, pkgs, ... }: - -{ - environment.systemPackages = with pkgs; [ - krewfile - zsh - nixfmt-rfc-style - ]; -} diff --git a/system/security.nix b/system/security.nix deleted file mode 100644 index fc7a4bb..0000000 --- a/system/security.nix +++ /dev/null 
@@ -1,100 +0,0 @@ -{ - lib, - pkgs, - config, - ... -}: - -let - noPasswdCommands = [ - "/run/current-system/sw/bin/reboot" - "/run/current-system/sw/bin/poweroff" - - "/run/current-system/sw/bin/systemctl suspend" - - "/run/current-system/sw/bin/systemd-tty-ask-password-agent --query" - - "/run/current-system/sw/bin/nix profile wipe-history --profile /nix/var/nix/profiles/system" - "/run/current-system/sw/bin/nixos-rebuild *" - ]; - - noPasswdServices = [ ]; -in -{ - users.users.root = { - initialPassword = lib.mkDefault "toor"; - - openssh.authorizedKeys.keys = lib.mkDefault [ - # change this to your ssh key - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPxJpIrlaMMuw+zqOlZa35ehViBytyROvdf73poXTlVz" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINC+U2GVzJm2vPdmeSwiImGuZ82prwMybkjmrfLdOsWu" - ]; - }; - - services.openssh.settings = { - PasswordAuthentication = false; - KbdInteractiveAuthentication = false; - }; - - security = { - sudo = { - enable = true; - extraRules = - [ - { - commands = map (cmd: { - command = cmd; - options = [ "NOPASSWD" ]; - }) (noPasswdCommands); - - groups = [ "wheel" ]; - } - ] - ++ map (svc: { - commands = - map - (cmd: { - command = cmd; - options = [ "NOPASSWD" ]; - }) - - [ - "/run/current-system/sw/bin/systemctl start ${svc}" - "/run/current-system/sw/bin/systemctl restart ${svc}" - "/run/current-system/sw/bin/systemctl stop ${svc}" - ]; - - groups = [ "wheel" ]; - }) noPasswdServices; - - # ++ lib.flatten ( - # map (svc: [ - # "/run/current-system/sw/bin/systemctl start ${svc}" - # "/run/current-system/sw/bin/systemctl restart ${svc}" - # "/run/current-system/sw/bin/systemctl stop ${svc}" - # ]) noPasswdServices - # ) - # extraConfig = with pkgs; '' - # Defaults:picloud secure_path="${lib.makeBinPath [ - # systemd - # ]}:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin" - # ''; - }; - - # pam.services.sudo = { - # rules.auth.rssh = { - # order = config.rules.auth.unix.order - 10; - # control = "sufficient"; - # modulePath = 
"${pkgs.pam_rssh}/lib/libpam_rssh.so"; - # #settings = { - # # authorized_keys_command = "/etc/ssh/authorized_keys_command"; - # # authorized_keys_command_user = "nobody"; - # #}; - # }; - # }; - - sudo.extraConfig = '' - Defaults env_keep+=SSH_AUTH_SOCK - ''; - }; -} diff --git a/system/serial-com.nix b/system/serial-com.nix deleted file mode 100644 index 894490d..0000000 --- a/system/serial-com.nix +++ /dev/null @@ -1,26 +0,0 @@ -{ - pkgs, - lib, - targetConfig, - ... -}: - -let - bootloader = if targetConfig ? bootloader then targetConfig.bootloader else ""; - grubBoot = (bootloader == "grub"); - serialPort = if targetConfig ? mainSerial then targetConfig.mainSerial else 0; -in -{ - config.boot.kernelParams = [ - "console=tty1" - "console=ttyS${toString serialPort},115200" - ] ++ lib.optionals (serialPort != 0) [ "console=ttyS0,115200" ]; - - config.boot.loader.grub = lib.mkIf (grubBoot) { - extraConfig = '' - serial --unit=${toString serialPort} --speed=115200 --word=8 --parity=no --stop=1 - terminal_input --append serial - terminal_output --append serial - ''; - }; -} diff --git a/system/systemd-boot.nix b/system/systemd-boot.nix deleted file mode 100644 index 4fcdd67..0000000 --- a/system/systemd-boot.nix +++ /dev/null @@ -1,28 +0,0 @@ -{ - pkgs, - lib, - targetConfig, - ... -}: - -let - bootloader = if targetConfig ? bootloader then targetConfig.bootloader else ""; - systemdBoot = (bootloader == "systemd-boot"); -in -{ - config.boot.loader.systemd-boot = lib.mkIf (systemdBoot) { - netbootxyz.enable = true; - memtest86.enable = true; - - #extraEntries = { - # "memtest86.conf" = '' - # title Memtest86+ - # efi /efi/memtest86/memtest.efi - # ''; - #}; - - #extraFiles = { - # "efi/memtest86/memtest.efi" = "${pkgs.memtest86plus}/memtest.efi"; - #}; - }; -} From 831fa551f2f23211466c3ed42ad7d7528f9a27b6 Mon Sep 17 00:00:00 2001 
From: Antoine 'Toinux' Wam
Date: Tue, 31 Dec 2024 17:25:11 +0100
Subject: [PATCH 71/74] system -> modules/system/kitten/legacy
---
 hosts/_defaults.nix | 2 +-
 hosts/clients/laptaupe/default.nix | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/hosts/_defaults.nix b/hosts/_defaults.nix
index 74ef546..1974374 100644
--- a/hosts/_defaults.nix
+++ b/hosts/_defaults.nix
@@ -1,7 +1,7 @@
 args@{ pkgs, sources, ... }:
 {
 imports = [
- ../system
+ ../modules/system/kitten/legacy
 ../modules/system
 
 # (import "${sources.lix-module}/module.nix" { lix = sources.lix; })
diff --git a/hosts/clients/laptaupe/default.nix b/hosts/clients/laptaupe/default.nix
index 71eb619..a53882c 100644
--- a/hosts/clients/laptaupe/default.nix
+++ b/hosts/clients/laptaupe/default.nix
@@ -17,7 +17,7 @@ let
 in
 {
 imports = [
- ../../../system/laptop.nix
+ ../../../modules/system/kitten/legacy/laptop.nix
 ../default.nix
 # Include the results of the hardware scan.
 ./hardware-configuration.nix
From b7de028a86f740a6f96ce6108f1c733c931e47ac Mon Sep 17 00:00:00 2001
From: Antoine 'Toinux' Wam Date: Tue, 31 Dec 2024 17:27:33 +0100 Subject: [PATCH 72/74] hosts -> systems --- hosts/_defaults.nix | 25 --- hosts/_peers/KIT-IG1-RR91.nix | 49 ----- hosts/_peers/default.nix | 5 - hosts/clients/NIXP/default.nix | 180 ------------------ hosts/clients/NIXP/disk-config.nix | 98 ---------- hosts/clients/NIXP/hardware-configuration.nix | 51 ----- hosts/clients/NIXP/network-configuration.nix | 55 ------ hosts/clients/NIXP/packages.nix | 23 --- hosts/clients/default.nix | 11 -- hosts/clients/laptaupe/default.nix | 90 --------- .../laptaupe/hardware-configuration.nix | 49 ----- hosts/default.nix | 25 --- hosts/homerouters/_peers/KIT-IG1-RR91.nix | 49 ----- hosts/homerouters/_peers/default.nix | 8 - .../aure-home-kitrtr/__default.nix | 43 ----- .../homerouters/aure-home-kitrtr/default.nix | 131 ------------- .../hardware-configuration.nix | 34 ---- .../network-configuration.nix | 50 ----- .../aure-home-kitrtr/peers/KIT-IG1-RTR.nix | 30 --- .../aure-home-kitrtr/peers/default.nix | 20 -- hosts/homerouters/default.nix | 57 ------ hosts/homerouters/firewall.nix | 152 --------------- .../romain-home-kitrtr/_default.nix | 34 ---- .../romain-home-kitrtr/default.nix | 120 ------------ .../hardware-configuration.nix | 34 ---- .../network-configuration.nix | 54 ------ .../romain-home-kitrtr/peers/KIT-IG1-RTR.nix | 30 --- .../romain-home-kitrtr/peers/default.nix | 8 - .../toinux-home-kitrtr/__default.nix | 24 --- .../toinux-home-kitrtr/default.nix | 113 ----------- .../hardware-configuration.nix | 34 ---- .../network-configuration.nix | 54 ------ .../toinux-home-kitrtr/peers/default.nix | 8 - .../miscservers/aure-kit-bots-01/default.nix | 108 ----------- .../hardware-configuration.nix | 35 ---- hosts/miscservers/default.nix | 28 --- hosts/postgres/default.nix | 40 ---- hosts/postgres/kit-postgresql-nte/default.nix | 106 ----------- .../hardware-configuration.nix | 36 ---- .../network-configuration.nix | 54 ------ hosts/postgres/packages.nix | 17 -- 
hosts/postgres/postgres.nix | 33 ---- hosts/routereflectors/default.nix | 134 ------------- hosts/routereflectors/firewall.nix | 35 ---- .../iguane-kit-rr91/default.nix | 125 ------------ .../hardware-configuration.nix | 34 ---- hosts/routereflectors/network.nix | 31 --- hosts/routereflectors/options.nix | 44 ----- hosts/routers/_peers/KIT-IG1-RR91.nix | 49 ----- hosts/routers/_peers/default.nix | 8 - .../routers/_vultr-kit-edge/configuration.nix | 82 -------- hosts/routers/_vultr-kit-edge/default.nix | 32 ---- .../hardware-configuration.nix | 36 ---- .../_vultr-kit-edge/peers/KIT-IG1-RTR.nix | 30 --- .../peers/KIT-VIRTUA-EDGE.legacy.nix | 51 ----- .../peers/KIT-VULTR-EDGE.legacy.nix | 50 ----- .../_vultr-kit-edge/peers/KIT-virtua-edge.nix | 30 --- .../_vultr-kit-edge/peers/TRS-vultr6-RTR.nix | 39 ---- .../routers/_vultr-kit-edge/peers/default.nix | 15 -- hosts/routers/default.nix | 37 ---- hosts/routers/firewall.nix | 158 --------------- hosts/routers/iguane-kit-rtr/__default.nix | 35 ---- hosts/routers/iguane-kit-rtr/default.nix | 131 ------------- .../iguane-kit-rtr/hardware-configuration.nix | 36 ---- .../iguane-kit-rtr/network-configuration.nix | 58 ------ .../iguane-kit-rtr/peers/KIT-VIRTUA-EDGE.nix | 33 ---- .../iguane-kit-rtr/peers/KIT-VULTR-EDGE.nix | 32 ---- .../iguane-kit-rtr/peers/KIT-aurelien-RBR.nix | 31 --- .../iguane-kit-rtr/peers/KIT-roumain-NTE.nix | 32 ---- .../peers/KIT-roumainNix-NTE.nix | 32 ---- .../iguane-kit-rtr/peers/KIT-toinux-MEL1.nix | 32 ---- .../routers/iguane-kit-rtr/peers/default.nix | 18 -- hosts/routers/virtua-kit-edge/default.nix | 124 ------------ .../hardware-configuration.nix | 24 --- .../virtua-kit-edge/network-configuration.nix | 45 ----- .../virtua-kit-edge/peers/KIT-IG1-RTR.nix | 30 --- .../peers/KIT-VIRTUA-EDGE.legacy.nix | 50 ----- .../virtua-kit-edge/peers/KIT-vultr-edge.nix | 30 --- .../peers/TRS-virtua6-RS01.nix | 19 -- .../peers/TRS-virtua6-RS02.nix | 18 -- .../routers/virtua-kit-edge/peers/default.nix | 17 -- 
hosts/stonkmembers/default.nix | 32 ---- hosts/stonkmembers/k3s.nix | 65 ------- .../stonkmembers/poubelle00/configuration.nix | 73 ------- hosts/stonkmembers/poubelle00/default.nix | 7 - hosts/stonkmembers/poubelle00/disk-config.nix | 63 ------ .../poubelle00/hardware-configuration.nix | 34 ---- hosts/stonkmembers/prodesk/configuration.nix | 97 ---------- hosts/stonkmembers/prodesk/default.nix | 7 - hosts/stonkmembers/prodesk/disk-config.nix | 62 ------ .../prodesk/hardware-configuration.nix | 34 ---- .../stonkstation/configuration.nix | 95 --------- hosts/stonkmembers/stonkstation/default.nix | 7 - .../stonkmembers/stonkstation/disk-config.nix | 63 ------ .../stonkstation/hardware-configuration.nix | 34 ---- 95 files changed, 4725 deletions(-) delete mode 100644 hosts/_defaults.nix delete mode 100644 hosts/_peers/KIT-IG1-RR91.nix delete mode 100644 hosts/_peers/default.nix delete mode 100644 hosts/clients/NIXP/default.nix delete mode 100644 hosts/clients/NIXP/disk-config.nix delete mode 100644 hosts/clients/NIXP/hardware-configuration.nix delete mode 100644 hosts/clients/NIXP/network-configuration.nix delete mode 100644 hosts/clients/NIXP/packages.nix delete mode 100644 hosts/clients/default.nix delete mode 100644 hosts/clients/laptaupe/default.nix delete mode 100644 hosts/clients/laptaupe/hardware-configuration.nix delete mode 100644 hosts/default.nix delete mode 100644 hosts/homerouters/_peers/KIT-IG1-RR91.nix delete mode 100644 hosts/homerouters/_peers/default.nix delete mode 100644 hosts/homerouters/aure-home-kitrtr/__default.nix delete mode 100644 hosts/homerouters/aure-home-kitrtr/default.nix delete mode 100644 hosts/homerouters/aure-home-kitrtr/hardware-configuration.nix delete mode 100644 hosts/homerouters/aure-home-kitrtr/network-configuration.nix delete mode 100644 hosts/homerouters/aure-home-kitrtr/peers/KIT-IG1-RTR.nix delete mode 100644 hosts/homerouters/aure-home-kitrtr/peers/default.nix delete mode 100644 hosts/homerouters/default.nix delete mode 
100644 hosts/homerouters/firewall.nix delete mode 100644 hosts/homerouters/romain-home-kitrtr/_default.nix delete mode 100644 hosts/homerouters/romain-home-kitrtr/default.nix delete mode 100644 hosts/homerouters/romain-home-kitrtr/hardware-configuration.nix delete mode 100644 hosts/homerouters/romain-home-kitrtr/network-configuration.nix delete mode 100644 hosts/homerouters/romain-home-kitrtr/peers/KIT-IG1-RTR.nix delete mode 100644 hosts/homerouters/romain-home-kitrtr/peers/default.nix delete mode 100644 hosts/homerouters/toinux-home-kitrtr/__default.nix delete mode 100644 hosts/homerouters/toinux-home-kitrtr/default.nix delete mode 100644 hosts/homerouters/toinux-home-kitrtr/hardware-configuration.nix delete mode 100644 hosts/homerouters/toinux-home-kitrtr/network-configuration.nix delete mode 100644 hosts/homerouters/toinux-home-kitrtr/peers/default.nix delete mode 100644 hosts/miscservers/aure-kit-bots-01/default.nix delete mode 100644 hosts/miscservers/aure-kit-bots-01/hardware-configuration.nix delete mode 100644 hosts/miscservers/default.nix delete mode 100644 hosts/postgres/default.nix delete mode 100644 hosts/postgres/kit-postgresql-nte/default.nix delete mode 100644 hosts/postgres/kit-postgresql-nte/hardware-configuration.nix delete mode 100644 hosts/postgres/kit-postgresql-nte/network-configuration.nix delete mode 100644 hosts/postgres/packages.nix delete mode 100644 hosts/postgres/postgres.nix delete mode 100644 hosts/routereflectors/default.nix delete mode 100644 hosts/routereflectors/firewall.nix delete mode 100644 hosts/routereflectors/iguane-kit-rr91/default.nix delete mode 100644 hosts/routereflectors/iguane-kit-rr91/hardware-configuration.nix delete mode 100644 hosts/routereflectors/network.nix delete mode 100644 hosts/routereflectors/options.nix delete mode 100644 hosts/routers/_peers/KIT-IG1-RR91.nix delete mode 100644 hosts/routers/_peers/default.nix delete mode 100644 hosts/routers/_vultr-kit-edge/configuration.nix delete mode 100644 
hosts/routers/_vultr-kit-edge/default.nix delete mode 100644 hosts/routers/_vultr-kit-edge/hardware-configuration.nix delete mode 100644 hosts/routers/_vultr-kit-edge/peers/KIT-IG1-RTR.nix delete mode 100644 hosts/routers/_vultr-kit-edge/peers/KIT-VIRTUA-EDGE.legacy.nix delete mode 100644 hosts/routers/_vultr-kit-edge/peers/KIT-VULTR-EDGE.legacy.nix delete mode 100644 hosts/routers/_vultr-kit-edge/peers/KIT-virtua-edge.nix delete mode 100644 hosts/routers/_vultr-kit-edge/peers/TRS-vultr6-RTR.nix delete mode 100644 hosts/routers/_vultr-kit-edge/peers/default.nix delete mode 100644 hosts/routers/default.nix delete mode 100644 hosts/routers/firewall.nix delete mode 100644 hosts/routers/iguane-kit-rtr/__default.nix delete mode 100644 hosts/routers/iguane-kit-rtr/default.nix delete mode 100644 hosts/routers/iguane-kit-rtr/hardware-configuration.nix delete mode 100644 hosts/routers/iguane-kit-rtr/network-configuration.nix delete mode 100644 hosts/routers/iguane-kit-rtr/peers/KIT-VIRTUA-EDGE.nix delete mode 100644 hosts/routers/iguane-kit-rtr/peers/KIT-VULTR-EDGE.nix delete mode 100644 hosts/routers/iguane-kit-rtr/peers/KIT-aurelien-RBR.nix delete mode 100644 hosts/routers/iguane-kit-rtr/peers/KIT-roumain-NTE.nix delete mode 100644 hosts/routers/iguane-kit-rtr/peers/KIT-roumainNix-NTE.nix delete mode 100644 hosts/routers/iguane-kit-rtr/peers/KIT-toinux-MEL1.nix delete mode 100644 hosts/routers/iguane-kit-rtr/peers/default.nix delete mode 100644 hosts/routers/virtua-kit-edge/default.nix delete mode 100644 hosts/routers/virtua-kit-edge/hardware-configuration.nix delete mode 100644 hosts/routers/virtua-kit-edge/network-configuration.nix delete mode 100644 hosts/routers/virtua-kit-edge/peers/KIT-IG1-RTR.nix delete mode 100644 hosts/routers/virtua-kit-edge/peers/KIT-VIRTUA-EDGE.legacy.nix delete mode 100644 hosts/routers/virtua-kit-edge/peers/KIT-vultr-edge.nix delete mode 100644 hosts/routers/virtua-kit-edge/peers/TRS-virtua6-RS01.nix delete mode 100644 
hosts/routers/virtua-kit-edge/peers/TRS-virtua6-RS02.nix delete mode 100644 hosts/routers/virtua-kit-edge/peers/default.nix delete mode 100644 hosts/stonkmembers/default.nix delete mode 100644 hosts/stonkmembers/k3s.nix delete mode 100644 hosts/stonkmembers/poubelle00/configuration.nix delete mode 100644 hosts/stonkmembers/poubelle00/default.nix delete mode 100644 hosts/stonkmembers/poubelle00/disk-config.nix delete mode 100644 hosts/stonkmembers/poubelle00/hardware-configuration.nix delete mode 100644 hosts/stonkmembers/prodesk/configuration.nix delete mode 100644 hosts/stonkmembers/prodesk/default.nix delete mode 100644 hosts/stonkmembers/prodesk/disk-config.nix delete mode 100644 hosts/stonkmembers/prodesk/hardware-configuration.nix delete mode 100644 hosts/stonkmembers/stonkstation/configuration.nix delete mode 100644 hosts/stonkmembers/stonkstation/default.nix delete mode 100644 hosts/stonkmembers/stonkstation/disk-config.nix delete mode 100644 hosts/stonkmembers/stonkstation/hardware-configuration.nix diff --git a/hosts/_defaults.nix b/hosts/_defaults.nix deleted file mode 100644 index 1974374..0000000 --- a/hosts/_defaults.nix +++ /dev/null 
@@ -1,25 +0,0 @@ -args@{ pkgs, sources, ... }: -{ - imports = [ - ../modules/system/kitten/legacy - ../modules/system - - # (import "${sources.lix-module}/module.nix" { lix = sources.lix; }) - "${sources.disko}/module.nix" - "${sources.sops-nix}/modules/sops" - ]; - - time.timeZone = "Europe/Paris"; - - nixpkgs.overlays = import ../overlays args; - - # By default, Colmena will replace unknown remote profile - # (unknown means the profile isn't in the nix store on the - # host running Colmena) during apply (with the default goal, - # boot, and switch). - # If you share a hive with others, or use multiple machines, - # and are not careful to always commit/push/pull changes - # you can accidentaly overwrite a remote profile so in those - # scenarios you might want to change this default to false. - deployment.replaceUnknownProfiles = false; -} diff --git a/hosts/_peers/KIT-IG1-RR91.nix b/hosts/_peers/KIT-IG1-RR91.nix deleted file mode 100644 index 2ea52dd..0000000 --- a/hosts/_peers/KIT-IG1-RR91.nix +++ /dev/null @@ -1,49 +0,0 @@ -{ ... }: -let - kittenASN = 4242421945; -in -{ - # vultr6 - # AS64515 - # Peer-IP : 2001:19f0:ffff::1 - - # protocol bgp TRANSIT_VULTR6 { - # - # multihop 2; - # - - # ipv6 { - # export filter { - # if ( net ~ [ 2a13:79c0:ff00::/40, 2a12:dd47:9330::/44 ] ) then { - # accept; - # } - # reject; - # }; - # import none; - # }; - # - # } - peerAS = kittenASN; - peerIP = "2a13:79c0:ffff:fefe::113:91"; - localAS = kittenASN; - - multihop = 5; - - # wireguard = { - # address = "2a13:79c0:ffff:feff::10c"; - # port = 51800; - # peerKey = "rMTaMWJYlgTKJoE0PnVOo9SKHTppEfYK5KtWjBI9mC8="; - # }; - template = "rrserver"; - ipv6 = { - #imports = null; - #imports = x: "filter filter6_IN_BGP_${toString x}"; - #exports = [ "2a12:dd47:9330::/44" ]; - - #exports = null; - }; - ipv4 = { - #imports = x: "filter filter4_IN_BGP_${toString x}"; - #exports = x: "filter6_IN_BGP_${toString x}"; - }; -} 
diff --git a/hosts/_peers/default.nix b/hosts/_peers/default.nix deleted file mode 100644 index 6b7d84e..0000000 --- a/hosts/_peers/default.nix +++ /dev/null @@ -1,5 +0,0 @@ -{ ... }: -{ - # Internal RR - IG1_RR91 = import ./KIT-IG1-RR91.nix { }; -} diff --git a/hosts/clients/NIXP/default.nix b/hosts/clients/NIXP/default.nix deleted file mode 100644 index 738632f..0000000 --- a/hosts/clients/NIXP/default.nix +++ /dev/null 
@@ -1,180 +0,0 @@ -# Edit this configuration file to define what should be installed on -# your system. Help is available in the configuration.nix(5) man page -# and in the NixOS manual (accessible by running ‘nixos-help’). - -{ - name, - nodes, - lib, - pkgs, - ... -}: -let - diskoProfile = "simple"; - diskoConfig = { - bootdisk = "/dev/vda"; - # crypted = true; - }; -in -{ - imports = [ - # Include the results of the hardware scan. - ../default.nix - ./hardware-configuration.nix - ./network-configuration.nix - ./packages.nix - ]; - - deployment = { - # Allow local deployment with `colmena apply-local` - allowLocalDeployment = true; - - # Disable SSH deployment. This node will be skipped in a - # normal`colmena apply`. - targetHost = null; - }; - - kittenModules = { - disko = { - enable = false; - profile = diskoProfile; - - ${diskoProfile} = diskoConfig; - }; - }; - - # Bootloader. - boot.loader.systemd-boot.enable = true; - boot.loader.efi.canTouchEfiVariables = true; - - # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. - - # Configure network proxy if necessary - # networking.proxy.default = "http://user:password@proxy:port/"; - # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; - - # Set your time zone. - time.timeZone = "Europe/Paris"; - - # Select internationalisation properties. - i18n.defaultLocale = "en_US.UTF-8"; - - i18n.extraLocaleSettings = { - LC_ADDRESS = "fr_FR.UTF-8"; - LC_IDENTIFICATION = "fr_FR.UTF-8"; - LC_MEASUREMENT = "fr_FR.UTF-8"; - LC_MONETARY = "fr_FR.UTF-8"; - LC_NAME = "fr_FR.UTF-8"; - LC_NUMERIC = "fr_FR.UTF-8"; - LC_PAPER = "fr_FR.UTF-8"; - LC_TELEPHONE = "fr_FR.UTF-8"; - LC_TIME = "fr_FR.UTF-8"; - }; - - # Enable the X11 windowing system. - services.xserver.enable = true; - - # Enable the XFCE Desktop Environment. 
- services.xserver.displayManager.lightdm.enable = true; - services.xserver.desktopManager.xfce.enable = true; - - # Configure keymap in X11 - services.xserver = { - xkb = { - layout = "us"; - variant = ""; - }; - }; - - # Enable CUPS to print documents. - services.printing.enable = true; - - # Enable sound with pipewire. - # sound.enable = true; - hardware.pulseaudio.enable = false; - security.rtkit.enable = true; - services.pipewire = { - enable = true; - alsa.enable = true; - alsa.support32Bit = true; - pulse.enable = true; - # If you want to use JACK applications, uncomment this - #jack.enable = true; - - # use the example session manager (no others are packaged yet so this is enabled by default, - # no need to redefine it in your config for now) - #media-session.enable = true; - }; - - # Enable touchpad support (enabled default in most desktopManager). - # services.xserver.libinput.enable = true; - - environment.variables = { - EDITOR = "vim"; - }; - - # Define a user account. Don't forget to set a password with ‘passwd’. - users.users.toinux = { - isNormalUser = true; - description = "toinux"; - extraGroups = [ - "networkmanager" - "docker" - "wheel" - ]; - packages = with pkgs; [ - # thunderbird - ]; - }; - - # Enable automatic login for the user. - services.displayManager.autoLogin = { - enable = true; - user = "toinux"; - }; - - services.code-server = { - enable = true; - host = "[::]"; - }; - - # Install firefox. - programs.firefox.enable = true; - programs.mtr.enable = true; - - # Some programs need SUID wrappers, can be configured further or are - # started in user sessions. - # programs.mtr.enable = true; - # programs.gnupg.agent = { - # enable = true; - # enableSSHSupport = true; - # }; - - # List services that you want to enable: - - services.hydra = { - enable = true; - hydraURL = "http://localhost:3000"; - notificationSender = "hydra@localhost"; - buildMachinesFiles = [ ]; - useSubstitutes = true; - }; - - # Enable the OpenSSH daemon. 
- services.openssh.enable = true; - virtualisation.docker.enable = true; - - # Open ports in the firewall. - networking.firewall.allowedTCPPorts = [ 4444 ]; - networking.firewall.allowedUDPPorts = [ ]; - # Or disable the firewall altogether. - networking.firewall.enable = lib.mkDefault true; - - # This value determines the NixOS release from which the default - # settings for stateful data, like file locations and database versions - # on your system were taken. It‘s perfectly fine and recommended to leave - # this value at the release version of the first install of this system. - # Before changing this value read the documentation for this option - # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). - system.stateVersion = "23.11"; # Did you read the comment? -} diff --git a/hosts/clients/NIXP/disk-config.nix b/hosts/clients/NIXP/disk-config.nix deleted file mode 100644 index 6dffa34..0000000 --- a/hosts/clients/NIXP/disk-config.nix +++ /dev/null 
@@ -1,98 +0,0 @@ -# Example to create a bios compatible gpt partition -{ lib, targetConfig, ... }: -{ - disko.devices = { - disk.disk1 = - let - crypted = targetConfig ? crypted && targetConfig.crypted; - - lv_PV = { - type = "lvm_pv"; - vg = "ROOT"; - }; - in - { - device = lib.mkDefault "${targetConfig.bootdisk}"; - type = "disk"; - content = { - type = "gpt"; - partitions = { - boot = { - size = "1M"; - type = "EF02"; # for grub MBR - }; - - ESP = { - size = "512M"; - type = "EF00"; - content = { - type = "filesystem"; - format = "vfat"; - mountpoint = "/boot"; - }; - }; - - root = lib.mkIf (!crypted) { - size = "100%"; - - content = lv_PV; - }; - - cryptroot = lib.mkIf (crypted) { - size = "100%"; - content = { - type = "luks"; - name = "crypted"; - extraOpenArgs = [ ]; - passwordFile = "/tmp/secret.key"; - settings = { - # if you want to use the key for interactive login be sure there is no trailing newline - # for example use `echo -n "password" > /tmp/secret.key` - # keyFile = "/tmp/secret.key"; - allowDiscards = true; - # crypttabExtraOpts = [ - # "fido2-device=auto" - # "token-timeout=5" - # ]; - # yubikey = { - # slot = 1; - # twoFactor = false; # Set to false for 1FA - # gracePeriod = 5; # Time in seconds to wait for Yubikey to be inserted - # # keyLength = 64; # Set to $KEY_LENGTH/8 - # # saltLength = 16; # Set to $SALT_LENGTH - - # storage = { - # device = "/dev/nvme0n1p1"; # Be sure to update this to the correct volume - # fsType = "vfat"; - # # path = "/crypt-storage/default"; - # }; - # }; - }; - - # additionalKeyFiles = [ "/tmp/additionalSecret.key" ]; - content = lv_PV; - }; - }; - }; - }; - }; - - lvm_vg = { - ROOT = { - type = "lvm_vg"; - lvs = { - - root = { - size = "100%FREE"; - content = { - type = "filesystem"; - format = "ext4"; - mountpoint = "/"; - mountOptions = [ "defaults" ]; - }; - }; - }; - }; - }; - }; -} 
diff --git a/hosts/clients/NIXP/hardware-configuration.nix b/hosts/clients/NIXP/hardware-configuration.nix deleted file mode 100644 index 8fc0e08..0000000 --- a/hosts/clients/NIXP/hardware-configuration.nix +++ /dev/null @@ -1,51 +0,0 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. -{ - config, - lib, - pkgs, - modulesPath, - ... -}: - -{ - imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; - - boot.initrd.availableKernelModules = [ - "ahci" - "xhci_pci" - "virtio_pci" - "virtio_scsi" - "sr_mod" - "virtio_blk" - ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ "kvm-intel" ]; - boot.extraModulePackages = [ ]; - - fileSystems."/" = { - device = "/dev/disk/by-uuid/9b429ee7-a74a-4580-ab64-b7a66cb56424"; - fsType = "ext4"; - }; - - fileSystems."/boot" = { - device = "/dev/disk/by-uuid/F286-D1A0"; - fsType = "vfat"; - options = [ - "fmask=0022" - "dmask=0022" - ]; - }; - - swapDevices = [ ]; - - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces..useDHCP`. - networking.useDHCP = lib.mkDefault true; - # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true; - - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; -} diff --git a/hosts/clients/NIXP/network-configuration.nix b/hosts/clients/NIXP/network-configuration.nix deleted file mode 100644 index c91cc5c..0000000 --- a/hosts/clients/NIXP/network-configuration.nix +++ /dev/null 
@@ -1,55 +0,0 @@ -{ ... }: -{ - networking = { - #nameservers = [ "1.3.3.7" ]; - - interfaces = { - ens18.useDHCP = true; - - ens19 = { - - # ipv4.addresses = [ - # { - # address = "185.10.17.209"; - # prefixLength = 24; - # } - # ]; - - ipv6 = { - routes = [ - { - address = "2a13:79c0:ff00::"; - prefixLength = 40; - via = "2a13:79c0:ffff:feff:b00b:caca:b173:25"; - } - ]; - addresses = [ - { - address = "2a13:79c0:ffff:feff:b00b:caca:b173:96"; - prefixLength = 112; - } - ]; - }; - }; - }; - - # defaultGateway = { - # address = "185.10.17.254"; - # metric = 42; - # interface = iface; - # }; - - # defaultGateway6 = { - # address = "2a13:79c0:ffff:feff:b00b:3965:113:25"; - # metric = 42; - # interface = kittenIFACE; - # }; - - useDHCP = false; - useNetworkd = true; - #dhcpcd.enable = false; - }; - - systemd.network.enable = true; - -} diff --git a/hosts/clients/NIXP/packages.nix b/hosts/clients/NIXP/packages.nix deleted file mode 100644 index 600cf96..0000000 --- a/hosts/clients/NIXP/packages.nix +++ /dev/null @@ -1,23 +0,0 @@ -{ config, pkgs, ... }: -{ - # kittenModules.rhabbit-consumer.enable = true; - # List packages installed in system profile. To search, run: - # $ nix search wget - environment.systemPackages = with pkgs; [ - vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default. - vscode - git - htop - tmux - # wget - unstable.nix-output-monitor - nixfmt - ripgrep - tree - tmate - colmena - npins - nix-top - unstable.sops - ]; -} diff --git a/hosts/clients/default.nix b/hosts/clients/default.nix deleted file mode 100644 index 8807945..0000000 --- a/hosts/clients/default.nix +++ /dev/null 
@@ -1,11 +0,0 @@ -# args@{ lib, ... }: -# let -# blacklist = [ ]; -# folders = builtins.attrNames ( -# lib.filterAttrs (n: v: v == "directory" && !lib.hasPrefix "_" n && !builtins.elem n blacklist) ( -# builtins.readDir ./. -# ) -# ); -# in -# lib.genAttrs folders (folder: (import (./. + "/${folder}") (args // { }))) -{...}: {} \ No newline at end of file diff --git a/hosts/clients/laptaupe/default.nix b/hosts/clients/laptaupe/default.nix deleted file mode 100644 index a53882c..0000000 --- a/hosts/clients/laptaupe/default.nix +++ /dev/null 
@@ -1,90 +0,0 @@ -# Edit this configuration file to define what should be installed on -# your system. Help is available in the configuration.nix(5) man page, on -# https://search.nixos.org/options and in the NixOS manual (`nixos-help`). - -{ - config, - lib, - pkgs, - ... -}: -let - diskoProfile = "simple"; - diskoConfig = { - bootdisk = "/dev/nvme0n1"; - crypted = true; - }; -in -{ - imports = [ - ../../../modules/system/kitten/legacy/laptop.nix - ../default.nix - # Include the results of the hardware scan. - ./hardware-configuration.nix - # ./network-configuration.nix - # ./packages.nix - ]; - - deployment = { - # Allow local deployment with `colmena apply-local` - allowLocalDeployment = true; - - # Disable SSH deployment. This node will be skipped in a - # normal`colmena apply`. - targetHost = null; - }; - - kittenModules = { - disko = { - enable = true; - profile = diskoProfile; - - ${diskoProfile} = diskoConfig; - }; - }; - - # Bootloader. - boot.loader.systemd-boot.enable = true; - boot.loader.systemd-boot.configurationLimit = 5; - boot.loader.efi.canTouchEfiVariables = true; - - # # Not compatible for the moment - # boot.initrd.luks.yubikeySupport = true; - # boot.initrd.luks.fido2Support = true; - - # boot.initrd.systemd.enable = lib.mkForce false; - # boot.plymouth.enable = lib.mkForce false; - - # better to enable it after first-install - - networking = { - # networkmanager.enable = true; - networkmanager = - { - enable = true; - } - // lib.mkIf (config.networking.networkmanager.enable) { - extraConfig = lib.concatStringsSep "\n" [ - "[device]" - "match-device=driver:iwlwifi" - "wifi.scan-rand-mac-address=no" - ]; - }; - }; - - # Set your time zone. - time.timeZone = "Europe/Paris"; - # Select internationalisation properties. 
- i18n.defaultLocale = "en_US.UTF-8"; - - # Allow unfree packages - nixpkgs.config.allowUnfree = true; - - # This value determines the NixOS release from which the default - # settings for stateful data, like file locations and database versions - # on your system were taken. It‘s perfectly fine and recommended to leave - # this value at the release version of the first install of this system. - # Before changing this value read the documentation for this option - # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). - system.stateVersion = lib.mkForce "23.11"; # Did you read the comment? -} diff --git a/hosts/clients/laptaupe/hardware-configuration.nix b/hosts/clients/laptaupe/hardware-configuration.nix deleted file mode 100644 index 80547cd..0000000 --- a/hosts/clients/laptaupe/hardware-configuration.nix +++ /dev/null 
@@ -1,49 +0,0 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. -{ - config, - lib, - pkgs, - modulesPath, - ... -}: - -{ - imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; - - boot.initrd = { - - availableKernelModules = [ - "xhci_pci" - "thunderbolt" - "nvme" - "usbhid" - ]; - - # Required to open the EFI partition and Yubikey - kernelModules = [ - "vfat" - "nls_cp437" - "nls_iso8859-1" - "usbhid" - ]; - }; - - boot.kernelModules = [ "kvm-intel" ]; - boot.extraModulePackages = [ ]; - - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces..useDHCP`. - # networking.useDHCP = lib.mkDefault true; - # networking.interfaces.enp0s3.useDHCP = lib.mkDefault true; - # networking.interfaces.enp0s8.useDHCP = lib.mkDefault true; - - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; - - hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; - - # virtualisation.virtualbox.guest.enable = true; # TODO: remove -} diff --git a/hosts/default.nix b/hosts/default.nix deleted file mode 100644 index f3a257d..0000000 --- a/hosts/default.nix +++ /dev/null 
@@ -1,25 +0,0 @@
-{ lib, ... }:
-let
- blacklist = [
- "stonkmembers"
- ];
-
- filterFunc = (
- n: v:
- v == "directory"
-
- && !lib.hasPrefix "_" n
- && !builtins.elem n blacklist
- );
-
- folders = builtins.attrNames (lib.filterAttrs filterFunc (builtins.readDir ./.));
-in
-lib.genAttrs folders (
- folder:
- (
- let
- configs = builtins.attrNames (lib.filterAttrs filterFunc (builtins.readDir (./. + "/${folder}")));
- in
- lib.genAttrs configs (confName: (import (./. + "/${folder}/${confName}")))
- )
-)
diff --git a/hosts/homerouters/_peers/KIT-IG1-RR91.nix b/hosts/homerouters/_peers/KIT-IG1-RR91.nix
deleted file mode 100644
index 2ea52dd..0000000
--- a/hosts/homerouters/_peers/KIT-IG1-RR91.nix
+++ /dev/null
@@ -1,49 +0,0 @@
-{ ... }:
-let
- kittenASN = 4242421945;
-in
-{
- # vultr6
- # AS64515
- # Peer-IP : 2001:19f0:ffff::1
-
- # protocol bgp TRANSIT_VULTR6 {
- #
- # multihop 2;
- #
-
- # ipv6 {
- # export filter {
- # if ( net ~ [ 2a13:79c0:ff00::/40, 2a12:dd47:9330::/44 ] ) then {
- # accept;
- # }
- # reject;
- # };
- # import none;
- # };
- #
- # }
- peerAS = kittenASN;
- peerIP = "2a13:79c0:ffff:fefe::113:91";
- localAS = kittenASN;
-
- multihop = 5;
-
- # wireguard = {
- # address = "2a13:79c0:ffff:feff::10c";
- # port = 51800;
- # peerKey = "rMTaMWJYlgTKJoE0PnVOo9SKHTppEfYK5KtWjBI9mC8=";
- # };
- template = "rrserver";
- ipv6 = {
- #imports = null;
- #imports = x: "filter filter6_IN_BGP_${toString x}";
- #exports = [ "2a12:dd47:9330::/44" ];
-
- #exports = null;
- };
- ipv4 = {
- #imports = x: "filter filter4_IN_BGP_${toString x}";
- #exports = x: "filter6_IN_BGP_${toString x}";
- };
-}
diff --git a/hosts/homerouters/_peers/default.nix b/hosts/homerouters/_peers/default.nix
deleted file mode 100644
index 30562ad..0000000
--- a/hosts/homerouters/_peers/default.nix
+++ /dev/null
@@ -1,8 +0,0 @@
-{ ... }:
-let
- globalPeers = import ../../_peers {};
-in
-{
- # Internal RR
- inherit (globalPeers) IG1_RR91;
-}
diff --git a/hosts/homerouters/aure-home-kitrtr/__default.nix b/hosts/homerouters/aure-home-kitrtr/__default.nix
deleted file mode 100644
index ea98b9d..0000000
--- a/hosts/homerouters/aure-home-kitrtr/__default.nix
+++ /dev/null
@@ -1,43 +0,0 @@
-{ ... }:
-{
- type = "targetConfig";
-
- bootdisk = "/dev/vda";
- diskTemplate = "simple_singleFullRoot";
-
- # mainSerial = 0;
-
- birdConfig = {
- # inherit transitInterface;
-
- # router-id = ;
-
- # loopback4 = "";
- # loopback6 = "2a13:79c0:ffff:fefe::22f0";
-
- # transitIFACEs = [ "ens19" ];
-
- extraForwardRules = ''
- iifname "ens19" ip6 saddr 2a13:79c0:ffff:feff:b00b:caca:b173:0/112 oifname "KIT_IG1_RTR" counter accept
-
- ct state vmap {
- established : accept,
- related : accept,
- # invalid : jump forward-allow,
- # new : jump forward-allow,
- # untracked : jump forward-allow,
- }
- '';
-
- static6 = [
- "::/0 recursive 2a13:79c0:ffff:fefe::b00b"
-
- # "2a13:79c0:ffff:feff:b00b:caca:b173:0/112 unreachable" # Direct on ens19
- "2a13:79c0:fffe:100::/56 unreachable"
-
- #"2a13:79c0:ffff::/48 unreachable" # Networking stuff
- #"2a13:79c0:ffff:fefe::/64 unreachable" # LoopBacks
- #"2a13:79c0:ff00::/40 unreachable" # full range /40
- ];
- };
-}
diff --git a/hosts/homerouters/aure-home-kitrtr/default.nix b/hosts/homerouters/aure-home-kitrtr/default.nix
deleted file mode 100644
index 2a32755..0000000
--- a/hosts/homerouters/aure-home-kitrtr/default.nix
+++ /dev/null
@@ -1,131 +0,0 @@
-# Edit this configuration file to define what should be installed on
-# your system. Help is available in the configuration.nix(5) man page, on
-# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
-
-args@{
- config,
- # targetConfig,
- lib,
- pkgs,
- ...
-}:
-let
- iface = "ens18";
- kittenIFACE = "ens19";
- diskoProfile = "simple";
- diskoConfig = {
- bootdisk = "/dev/vda";
- };
-
- peers = (import ./peers (args // { }));
-
- wgPeers = (
- lib.mapAttrs (n: v: v.wireguard) (lib.filterAttrs (n: v: v ? wireguard && v.wireguard != { }) peers)
- );
-
- birdPeers = (lib.mapAttrs (n: v: builtins.removeAttrs v [ "wireguard" ]) peers);
-in
-{
- #imports = [ ./wireguard.nix ];
- # Bootloader.
- #boot.loader.systemd-boot.enable = true;
- #boot.loader.systemd-boot.configurationLimit = 5;
- #boot.loader.efi.canTouchEfiVariables = true;
- boot.loader.grub.efiSupport = false;
- boot.loader.grub.enable = true;
- # boot.loader.grub.efiInstallAsRemovable = true;
- # boot.loader.efi.efiSysMountPoint = "/boot/efi";
- # Define on which hard drive you want to install Grub.
- #boot.loader.grub.devices = [ "${targetConfig.bootdisk}" ]; # or "nodev" for efi only
-
- imports = [
- # Include the results of the hardware scan.
- ../default.nix
- ./hardware-configuration.nix
- ./network-configuration.nix
- # ./packages.nix
-
- ../../../modules/system/kitten/connect/bird2/snippets/kittendefaults.nix
- ];
-
- kittenModules = {
- disko = {
- enable = true;
- profile = diskoProfile;
-
- ${diskoProfile} = diskoConfig;
- };
-
- loopback0 = {
- enable = true;
- ipv6 = [ "2a13:79c0:ffff:fefe::22f0" ];
- };
-
- bird = {
- enable = true;
- loopback6 = "2a13:79c0:ffff:fefe::22f0";
-
- static6 = [
- "::/0 recursive 2a13:79c0:ffff:fefe::b00b"
-
- # "2a13:79c0:ffff:feff:b00b:caca:b173:0/112 unreachable" # Direct on ens19
- "2a13:79c0:fffe:100::/56 unreachable"
-
- #"2a13:79c0:ffff::/48 unreachable" # Networking stuff
- #"2a13:79c0:ffff:fefe::/64 unreachable" # LoopBacks
- #"2a13:79c0:ff00::/40 unreachable" # full range /40
- ];
-
- peers = birdPeers;
- };
-
- wireguard = {
- enable = true;
-
- peers = wgPeers;
- };
-
- firewall = {
- forward = {
- enable = true;
- rules = ''
- iifname "${kittenIFACE}" ip6 saddr 2a13:79c0:ffff:feff:b00b:caca:b173:0/112 oifname $wireguardIFACEs counter accept
-
- ct state vmap {
- established : accept,
- related : accept,
- # invalid : jump forward-allow,
- # new : jump forward-allow,
- # untracked : jump forward-allow,
- }
- '';
- };
- };
- };
-
- # Set your time zone.
- time.timeZone = "Europe/Paris";
-
- nixpkgs.config.allowUnfree = true;
- # Configure network proxy if necessary
- # networking.proxy.default = "http://user:password@proxy:port/";
- # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
-
- # This option defines the first version of NixOS you have installed on this particular machine,
- # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
- #
- # Most users should NEVER change this value after the initial install, for any reason,
- # even if you've upgraded your system to a new NixOS release.
- #
- # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
- # so changing it will NOT upgrade your system.
- #
- # This value being lower than the current NixOS release does NOT mean your system is
- # out of date, out of support, or vulnerable.
- #
- # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
- # and migrated your data accordingly.
- #
- # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
- system.stateVersion = "23.11"; # Did you read the comment?
-}
diff --git a/hosts/homerouters/aure-home-kitrtr/hardware-configuration.nix b/hosts/homerouters/aure-home-kitrtr/hardware-configuration.nix
deleted file mode 100644
index 36b4585..0000000
--- a/hosts/homerouters/aure-home-kitrtr/hardware-configuration.nix
+++ /dev/null
@@ -1,34 +0,0 @@
-# Do not modify this file! It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations. Please make changes
-# to /etc/nixos/configuration.nix instead.
-{
- config,
- lib,
- pkgs,
- modulesPath,
- ...
-}:
-
-{
- imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
-
- boot.initrd.availableKernelModules = [
- "ata_piix"
- "uhci_hcd"
- "virtio_pci"
- "sr_mod"
- "virtio_blk"
- ];
- boot.initrd.kernelModules = [ ];
- boot.kernelModules = [ "kvm-intel" ];
- boot.extraModulePackages = [ ];
-
- # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
- # (the default) this is the recommended approach. When using systemd-networkd it's
- # still possible to use this option, but it's recommended to use it in conjunction
- # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
- networking.useDHCP = lib.mkDefault true;
- # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
-
- nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-}
diff --git a/hosts/homerouters/aure-home-kitrtr/network-configuration.nix b/hosts/homerouters/aure-home-kitrtr/network-configuration.nix
deleted file mode 100644
index 4a1fe82..0000000
--- a/hosts/homerouters/aure-home-kitrtr/network-configuration.nix
+++ /dev/null
@@ -1,50 +0,0 @@
-{ ... }:
-let
- iface = "ens18";
- kittenIFACE = "ens19";
-in
-{
- # Pick only one of the below networking options.
- # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
- # networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
- networking = {
- #nameservers = [ "1.3.3.7" ];
- interfaces = {
- "${iface}".useDHCP = true;
-
- "${kittenIFACE}" = {
-
- # ipv4.addresses = [
- # {
- # address = "185.10.17.209";
- # prefixLength = 24;
- # }
- # ];
-
- ipv6.addresses = [
- {
- address = "2a13:79c0:ffff:feff:b00b:caca:b173:25";
- prefixLength = 112;
- }
- ];
- };
- };
-
- # defaultGateway = {
- # address = "185.10.17.254";
- # metric = 42;
- # interface = iface;
- # };
-
- # defaultGateway6 = {
- # address = "fe80::1";
- # metric = 42;
- # interface = iface;
- # };
-
- useDHCP = false;
- #dhcpcd.enable = false;
- };
-
- systemd.network.enable = true;
-}
diff --git a/hosts/homerouters/aure-home-kitrtr/peers/KIT-IG1-RTR.nix b/hosts/homerouters/aure-home-kitrtr/peers/KIT-IG1-RTR.nix
deleted file mode 100644
index 5254198..0000000
--- a/hosts/homerouters/aure-home-kitrtr/peers/KIT-IG1-RTR.nix
+++ /dev/null
@@ -1,30 +0,0 @@
-{ ... }:
-let
- kittenASN = 4242421945;
-in
-{
- peerAS = kittenASN;
- peerIP = "2a13:79c0:ffff:feff::53";
- localAS = kittenASN;
-
- wireguard = {
- address = "2a13:79c0:ffff:feff::52";
- # port = 51842;
- endpoint = "78.40.121.76:51842";
- peerKey = "gDriA5mhKKh44OHEIxmmevphoVRLK45TRJmFS1DV1i4=";
- };
-
- template = "kittunderlay";
- bgpMED = 100;
- ipv6 = {
- #bgpImports = null;
- bgpImports = "filter filter6_IN_BGP_%s";
- #bgpExports = [ "2a12:dd47:9330::/44" ];
-
- #bgpExports = null;
- };
- ipv4 = {
- bgpImports = "filter filter4_IN_BGP_%s";
- #bgpExports = "filter6_IN_BGP_${toString x}";
- };
-}
diff --git a/hosts/homerouters/aure-home-kitrtr/peers/default.nix b/hosts/homerouters/aure-home-kitrtr/peers/default.nix
deleted file mode 100644
index 309e3f2..0000000
--- a/hosts/homerouters/aure-home-kitrtr/peers/default.nix
+++ /dev/null
@@ -1,20 +0,0 @@
-{ ... }:
-let
- defaultPeers = import ../../_peers { };
-in
-defaultPeers
-// {
-
- # Transit
- # TRS_virtua6_RS01 = import ./TRS-virtua6-RS01.nix { };
- # TRS_virtua6_RS02 = import ./TRS-virtua6-RS02.nix { };
-
- # # Internal Tunnels
- KIT_IG1_RTR = import ./KIT-IG1-RTR.nix { };
- # virtuaNix_PAR = import ./KIT-VIRTUA-EDGE.nix { };
- # vultrNix_PAR = import ./KIT-VULTR-EDGE.nix { };
- # # LGC_virtua_PAR = import ./KIT-VIRTUA-EDGE.legacy.nix { };
-
- # toinuxMEL1 = import ./KIT-toinux-MEL1.nix { };
- # roumainNTE = import ./KIT-roumain-NTE.nix { };
-}
diff --git a/hosts/homerouters/default.nix b/hosts/homerouters/default.nix
deleted file mode 100644
index 51ffedc..0000000
--- a/hosts/homerouters/default.nix
+++ /dev/null
@@ -1,57 +0,0 @@
-# Edit this configuration file to define what should be installed on
-# your system. Help is available in the configuration.nix(5) man page, on
-# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
-
-{
- config,
- lib,
- pkgs,
- ...
-}:
-
-{
- imports = [
- # ./firewall.nix # TODO: Remove
- ];
-
- kittenModules = {
- loopback0 = {
- enable = lib.mkDefault true;
- };
- };
-
- # Configure network proxy if necessary
- # networking.proxy.default = "http://user:password@proxy:port/";
- # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
-
- # Select internationalisation properties.
- i18n.defaultLocale = "en_US.UTF-8";
-
- # Net Basics
- networking.useNetworkd = true;
- systemd.network.enable = true;
- systemd.network.wait-online.enable = false;
-
- # List services that you want to enable:
- services.bird2 = {
- enable = true;
- autoReload = true;
- };
-
- # This option defines the first version of NixOS you have installed on this particular machine,
- # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
- #
- # Most users should NEVER change this value after the initial install, for any reason,
- # even if you've upgraded your system to a new NixOS release.
- #
- # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
- # so changing it will NOT upgrade your system.
- #
- # This value being lower than the current NixOS release does NOT mean your system is
- # out of date, out of support, or vulnerable.
- #
- # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
- # and migrated your data accordingly.
- #
- # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
-}
diff --git a/hosts/homerouters/firewall.nix b/hosts/homerouters/firewall.nix
deleted file mode 100644
index 7e27bd9..0000000
--- a/hosts/homerouters/firewall.nix
+++ /dev/null
@@ -1,152 +0,0 @@
-# Edit this configuration file to define what should be installed on
-# your system. Help is available in the configuration.nix(5) man page, on
-# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
-
-{
- lib,
- pkgs,
- targetConfig,
- birdConfig,
- wgPeers,
- ...
-}:
-let
- IFACE = if targetConfig ? interface then targetConfig.interface else null;
-
- transitedNetworks =
- if (birdConfig ? transitNetworks && birdConfig.transitNetworks != null) then
- birdConfig.transitNetworks
- else
- [
- "2a13:79c0:ff00::/44" # Transits Customer ranges: 2a13:79c0:{ff00-ff0f}::/48
- "2a13:79c0:ffff:fefe::/64"
- "2a13:79c0:ffff:feff:b00b::/80"
- ];
- # wgPeers = filterAttrs (n: v: v ? wireguard && v.wireguard != { }) birdConfig.peers;
-
- transitIFACEs =
- [ ]
- ++ lib.optionals (birdConfig.transitInterfaces != [ ]) birdConfig.transitInterfaces;
- kittenIFACEs = [ ];
- # (
- # (attrNames wgPeers) ++ lib.optionals (birdConfig.allowedInterfaces != []) birdConfig.allowedInterfaces
- # );
-
- inherit (lib)
- mkAfter
- optionalString
- concatStringsSep
- concatMapStringsSep
- attrNames
- filterAttrs
- optional
- ;
-in
-{
-
- config = {
- boot.kernel.sysctl = {
- "net.ipv4.ip_forward" = 1;
- "net.ipv6.conf.all.forwarding" = 1;
-
- "net.ipv4.conf.all.src_valid_mark" = 1;
-
- # "net.ipv4.conf.default.rp_filter" = 2;
- # "net.ipv4.conf.all.rp_filter" = 2;
-
- # "net.ipv6.conf.all.keep_addr_on_down" = 1;
- # "net.ipv4.raw_l3mdev_accept" = 1;
- # "net.ipv4.tcp_l3mdev_accept" = 1;
- # "net.ipv4.udp_l3mdev_accept" = 1;
- };
-
- # environment.systemPackages = with pkgs; [ ferm ]; # Prepare an eventual switch to FERM
-
- networking.nftables = {
- enable = true;
-
- tables."nixos-fw".content =
- let
- quoteString = x: ''"${x}"'';
-
- defines = lib.concatStringsSep "\n" ([
- (optionalString (transitIFACEs != [ ])
- "define transitIFACEs = { ${concatMapStringsSep ", " quoteString transitIFACEs} }"
- )
- (optionalString (
- transitedNetworks != [ ]
- ) "define transitNETs = { ${concatStringsSep ", " transitedNetworks} }")
- (optionalString (wgPeers != { })
- "define wireguardIFACEs = { ${concatMapStringsSep ", " quoteString (attrNames wgPeers)} }"
- )
- (optionalString (kittenIFACEs != [ ])
- "define kittenIFACEs = { ${concatMapStringsSep ", " quoteString kittenIFACEs} }"
- )
- ]);
-
- extraForwardRules = lib.concatStringsSep "\n" (
- [
- ''
- ${optionalString (transitedNetworks != [ ] && transitIFACEs != [ ]) ''
- # iifname $wireguardIFACEs oifname $transitIFACEs counter accept
- ip6 saddr $transitNETs iifname $wireguardIFACEs oifname $transitIFACEs counter accept
- ip6 daddr $transitNETs oifname $wireguardIFACEs iifname $transitIFACEs counter accept
- ''}
-
- ${optionalString (
- wgPeers != { }
- ) "iifname $wireguardIFACEs oifname $wireguardIFACEs counter accept"}
-
- # ip6 daddr 2a13:79c0:ff00::/48 counter accept
- # ip6 daddr { 2a13:79c0:ffff:feff:b00b:3945:a51:b00b, 2a13:79c0:ffff:feff:b00b:3945:a51:dead } counter accept
-
- # ip6 daddr 2a13:79c0:ffff:fefe::113:91 tcp dport { 179, 1790 } counter accept
-
- # ip6 saddr 2a13:79c0:ffff:feff:b00b::/80 ip6 daddr 2a13:79c0:ffff:fefe::/64 counter accept
-
- # ip6 saddr { 2a13:79c0:ffff:fefe::/64, 2a13:79c0:ffff:feff::/64 } ip6 daddr { 2a13:79c0:ffff:fefe::/64, 2a13:79c0:ffff:feff::/64 } counter accept
- ''
- ]
-
- ++ optional (birdConfig ? extraForwardRules) birdConfig.extraForwardRules
- );
- in
- mkAfter ''
- # FireWall Test Configs
- ${defines}
-
- chain forward {
- type filter hook forward priority filter; policy drop;
- # We want StateLess firewalling
- # ct state vmap {
- # invalid : jump forward-allow,
- # established : accept,
- # related : accept,
- # new : jump forward-allow,
- # untracked : jump forward-allow,
- # }
- jump forward-rules
- }
-
- chain forward-rules {
- icmpv6 type != { router-renumbering, 139 } accept comment "Accept all ICMPv6 messages except renumbering and node information queries (type 139). See RFC 4890, section 4.3."
- ct status dnat accept comment "allow port forward"
- ${extraForwardRules}
- }
- '';
- };
-
- # Open ports in the firewall.
- networking.firewall = {
- enable = true;
-
- allowedTCPPorts = [ 22 ];
- # allowedUDPPorts = [ ... ];
-
- # checkReversePath = "loose";
- checkReversePath = false;
-
- filterForward = false;
- };
- };
-}
diff --git a/hosts/homerouters/romain-home-kitrtr/_default.nix b/hosts/homerouters/romain-home-kitrtr/_default.nix
deleted file mode 100644
index 8fa219d..0000000
--- a/hosts/homerouters/romain-home-kitrtr/_default.nix
+++ /dev/null
@@ -1,34 +0,0 @@
-{ ... }:
-{
- # type = "targetConfig";
-
- # bootdisk = "/dev/vda";
- # diskTemplate = "simple_singleFullRoot";
-
- # interface = "ens18";
- # mainSerial = 0;
-
- birdConfig = {
- # # inherit transitInterface;
- extraForwardRules = ''
- iifname $wireguardIFACEs oifname "vlan36" ip6 daddr 2a13:79c0:ffff:feff:b00b:3615:1:0/112 counter accept
- oifname $wireguardIFACEs iifname "vlan36" ip6 saddr 2a13:79c0:ffff:feff:b00b:3615:1:0/112 counter accept
- '';
-
- # # router-id = ;
-
- # # loopback4 = "";
- # loopback6 = "2a13:79c0:ffff:fefe::22f0";
-
- # static6 = [
- # "::/0 recursive 2a13:79c0:ffff:fefe::b00b"
-
- # # "2a13:79c0:ffff:feff:b00b:caca:b173:0/112 unreachable" # Direct on ens19
- # "2a13:79c0:fffe:100::/56 unreachable"
-
- # #"2a13:79c0:ffff::/48 unreachable" # Networking stuff
- # #"2a13:79c0:ffff:fefe::/64 unreachable" # LoopBacks
- # #"2a13:79c0:ff00::/40 unreachable" # full range /40
- # ];
- };
-}
diff --git a/hosts/homerouters/romain-home-kitrtr/default.nix b/hosts/homerouters/romain-home-kitrtr/default.nix
deleted file mode 100644
index f01e2dc..0000000
--- a/hosts/homerouters/romain-home-kitrtr/default.nix
+++ /dev/null
@@ -1,120 +0,0 @@
-# Edit this configuration file to define what should be installed on
-# your system. Help is available in the configuration.nix(5) man page, on
-# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
-
-args@{
- config,
- lib,
- pkgs,
- ...
-}:
-let
- # diskoProfile = "simple";
- # diskoConfig = {
- # bootdisk = "/dev/vda";
- # };
-
- peers = (import ./peers (args // { }));
-
- wgPeers = (
- lib.mapAttrs (n: v: v.wireguard) (lib.filterAttrs (n: v: v ? wireguard && v.wireguard != { }) peers)
- );
-
- birdPeers = (lib.mapAttrs (n: v: builtins.removeAttrs v [ "wireguard" ]) peers);
-in
-{
- services.xserver.xkb = {
- layout = "fr";
- #variant = "";
- };
-
- imports = [
- # Include the results of the hardware scan.
- ../default.nix
- ./hardware-configuration.nix
- ./network-configuration.nix
- # ./packages.nix
-
- ../../../modules/system/kitten/connect/bird2/snippets/kittendefaults.nix
- ];
-
- # Bootloader.
- #boot.loader.systemd-boot.enable = true;
- #boot.loader.systemd-boot.configurationLimit = 5;
- #boot.loader.efi.canTouchEfiVariables = true;
- boot.loader.grub.efiSupport = false;
- boot.loader.grub.enable = true;
- # boot.loader.grub.efiInstallAsRemovable = true;
- # boot.loader.efi.efiSysMountPoint = "/boot/efi";
- # Define on which hard drive you want to install Grub.
- #boot.loader.grub.devices = [ "${targetConfig.bootdisk}" ]; # or "nodev" for efi only
-
- kittenModules = {
- disko =
- let
- profile = "simple";
- in
- {
- enable = true;
- inherit profile;
-
- ${profile} = {
- bootdisk = "/dev/vda";
- };
- };
-
- firewall = {
- enable = true;
- forward = {
- enable = true;
- # stateless = true;
- rules = ''
- iifname $wireguardIFACEs oifname "vlan36" ip6 daddr 2a13:79c0:ffff:feff:b00b:3615:1:0/112 counter accept
- oifname $wireguardIFACEs iifname "vlan36" ip6 saddr 2a13:79c0:ffff:feff:b00b:3615:1:0/112 counter accept
- '';
- };
- };
-
- bird = {
- enable = true;
- loopback6 = "2a13:79c0:ffff:fefe::2:256";
-
- peers = birdPeers;
- };
-
- wireguard = {
- enable = true;
-
- peers = wgPeers;
- };
- # loopback0 = { # Enabled by bird by default
- # enable = true;
- # };
- };
-
- # Set your time zone.
- time.timeZone = "Europe/Paris";
-
- nixpkgs.config.allowUnfree = true;
- # Configure network proxy if necessary
- # networking.proxy.default = "http://user:password@proxy:port/";
- # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
-
- # This option defines the first version of NixOS you have installed on this particular machine,
- # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
- #
- # Most users should NEVER change this value after the initial install, for any reason,
- # even if you've upgraded your system to a new NixOS release.
- #
- # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
- # so changing it will NOT upgrade your system.
- #
- # This value being lower than the current NixOS release does NOT mean your system is
- # out of date, out of support, or vulnerable.
- #
- # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
- # and migrated your data accordingly.
- #
- # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
- system.stateVersion = lib.mkForce "24.05"; # Did you read the comment?
-}
diff --git a/hosts/homerouters/romain-home-kitrtr/hardware-configuration.nix b/hosts/homerouters/romain-home-kitrtr/hardware-configuration.nix
deleted file mode 100644
index 36b4585..0000000
--- a/hosts/homerouters/romain-home-kitrtr/hardware-configuration.nix
+++ /dev/null
@@ -1,34 +0,0 @@
-# Do not modify this file! It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations. Please make changes
-# to /etc/nixos/configuration.nix instead.
-{
- config,
- lib,
- pkgs,
- modulesPath,
- ...
-}:
-
-{
- imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
-
- boot.initrd.availableKernelModules = [
- "ata_piix"
- "uhci_hcd"
- "virtio_pci"
- "sr_mod"
- "virtio_blk"
- ];
- boot.initrd.kernelModules = [ ];
- boot.kernelModules = [ "kvm-intel" ];
- boot.extraModulePackages = [ ];
-
- # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
- # (the default) this is the recommended approach. When using systemd-networkd it's
- # still possible to use this option, but it's recommended to use it in conjunction
- # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
- networking.useDHCP = lib.mkDefault true;
- # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
-
- nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-}
diff --git a/hosts/homerouters/romain-home-kitrtr/network-configuration.nix b/hosts/homerouters/romain-home-kitrtr/network-configuration.nix
deleted file mode 100644
index 4586f85..0000000
--- a/hosts/homerouters/romain-home-kitrtr/network-configuration.nix
+++ /dev/null
@@ -1,54 +0,0 @@
-{ ... }:
-{
- # Pick only one of the below networking options.
- # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
- # networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
- networking = {
- #nameservers = [ "1.3.3.7" ];
-
- vlans = {
- vlan36 = {
- id = 36;
- interface = "ens19";
- };
- };
-
- interfaces = {
- ens18.useDHCP = true;
-
- vlan36 = {
-
- # ipv4.addresses = [
- # {
- # address = "185.10.17.209";
- # prefixLength = 24;
- # }
- # ];
-
- ipv6.addresses = [
- {
- address = "2a13:79c0:ffff:feff:b00b:3615:1:6969";
- prefixLength = 112;
- }
- ];
- };
- };
-
- # defaultGateway = {
- # address = "185.10.17.254";
- # metric = 42;
- # interface = iface;
- # };
-
- # defaultGateway6 = {
- # address = "fe80::1";
- # metric = 42;
- # interface = iface;
- # };
-
- useDHCP = false;
- #dhcpcd.enable = false;
- };
-
- systemd.network.enable = true;
-}
diff --git a/hosts/homerouters/romain-home-kitrtr/peers/KIT-IG1-RTR.nix b/hosts/homerouters/romain-home-kitrtr/peers/KIT-IG1-RTR.nix
deleted file mode 100644
index fbaabf4..0000000
--- a/hosts/homerouters/romain-home-kitrtr/peers/KIT-IG1-RTR.nix
+++ /dev/null
@@ -1,30 +0,0 @@
-{ lib, ... }:
-let
- kittenASN = 4242421945;
-in
-{
- peerAS = kittenASN;
- peerIP = "2a13:79c0:ffff:feff::114";
- localAS = kittenASN;
-
- wireguard = {
- address = "2a13:79c0:ffff:feff::115";
- # port = 51842;
- endpoint = "78.40.121.76:51821";
- peerKey = "gDriA5mhKKh44OHEIxmmevphoVRLK45TRJmFS1DV1i4=";
- };
-
- template = "kittunderlay";
- bgpMED = 100;
- ipv6 = {
- #imports = null;
- bgpImports = lib.mkForce "filter filter6_IN_BGP_%s";
- #exports = [ "2a12:dd47:9330::/44" ];
-
- #exports = null;
- };
- ipv4 = {
- bgpImports = lib.mkForce "filter filter4_IN_BGP_%s";
- #exports = x: "filter6_IN_BGP_${toString x}";
- };
-}
diff --git a/hosts/homerouters/romain-home-kitrtr/peers/default.nix b/hosts/homerouters/romain-home-kitrtr/peers/default.nix
deleted file mode 100644
index d422fcd..0000000
--- a/hosts/homerouters/romain-home-kitrtr/peers/default.nix
+++ /dev/null
@@ -1,8 +0,0 @@
-{ kittenLib, ... }:
-kittenLib.peers {
- host = ./.;
- profile = ../..;
-
- blacklist = [ ];
- manual = { };
-}
diff --git a/hosts/homerouters/toinux-home-kitrtr/__default.nix b/hosts/homerouters/toinux-home-kitrtr/__default.nix
deleted file mode 100644
index 10b393e..0000000
--- a/hosts/homerouters/toinux-home-kitrtr/__default.nix
+++ /dev/null
@@ -1,24 +0,0 @@
-{ ... }:
-{
- bootdisk = "/dev/vda";
- diskTemplate = "simple_singleFullRoot";
-
- interface = "ens18";
- # mainSerial = 0;
-
- birdConfig = {
- # inherit transitInterface;
-
- # router-id = ;
-
- # loopback4 = "";
-
- static6 = [
- "::/0 recursive 2a13:79c0:ffff:fefe::b00b"
-
- #"2a13:79c0:ffff::/48 unreachable" # Networking stuff
- #"2a13:79c0:ffff:fefe::/64 unreachable" # LoopBacks
- #"2a13:79c0:ff00::/40 unreachable" # full range /40
- ];
- };
-}
diff --git a/hosts/homerouters/toinux-home-kitrtr/default.nix b/hosts/homerouters/toinux-home-kitrtr/default.nix
deleted file mode 100644
index 60d2d86..0000000
--- a/hosts/homerouters/toinux-home-kitrtr/default.nix
+++ /dev/null
@@ -1,113 +0,0 @@
-# Edit this configuration file to define what should be installed on
-# your system. Help is available in the configuration.nix(5) man page, on
-# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
-
-args@{
- config,
- lib,
- pkgs,
- ...
-}:
-let
- diskoProfile = "simple";
- diskoConfig = {
- bootdisk = "/dev/vda";
- };
-
- peers = (import ./peers (args // { }));
-
- wgPeers = (
- lib.mapAttrs (n: v: v.wireguard) (lib.filterAttrs (n: v: v ? wireguard && v.wireguard != { }) peers)
- );
-
- birdPeers = (lib.mapAttrs (n: v: builtins.removeAttrs v [ "wireguard" ]) peers);
-in
-{
- imports = [
- # Include the results of the hardware scan.
- ../default.nix
- ./hardware-configuration.nix
- ./network-configuration.nix
- # ./packages.nix
-
- ../../../modules/system/kitten/connect/bird2/snippets/kittendefaults.nix
- ];
-
- kittenModules = {
- disko = {
- enable = true;
- profile = diskoProfile;
-
- ${diskoProfile} = diskoConfig;
- };
-
- firewall = {
- enable = true;
- forward = {
- enable = true;
- # stateless = true;
- rules = ''
- # iifname $wireguardIFACEs oifname "vlan36" ip6 daddr 2a13:79c0:ffff:feff:b00b:3615:1:0/112 counter accept
- # oifname $wireguardIFACEs iifname "vlan36" ip6 saddr 2a13:79c0:ffff:feff:b00b:3615:1:0/112 counter accept
- '';
- };
- };
-
- bird = {
- enable = true;
- loopback6 = "2a13:79c0:ffff:fefe::69:25";
-
- peers = birdPeers;
- };
-
- wireguard = {
- enable = true;
-
- peers = wgPeers;
- };
-
- # loopback0 = { # Enabled by bird by default
- # enable = true;
- # };
- };
-
- # Bootloader.
- #boot.loader.systemd-boot.enable = true;
- #boot.loader.systemd-boot.configurationLimit = 5;
- #boot.loader.efi.canTouchEfiVariables = true;
- boot.loader.grub.efiSupport = false;
- boot.loader.grub.enable = true;
- # boot.loader.grub.efiInstallAsRemovable = true;
- # boot.loader.efi.efiSysMountPoint = "/boot/efi";
- # Define on which hard drive you want to install Grub.
- #boot.loader.grub.devices = [ "${targetConfig.bootdisk}" ]; # or "nodev" for efi only
-
- # Pick only one of the below networking options.
- # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
- # networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
- # Set your time zone.
- time.timeZone = "Europe/Paris";
-
- nixpkgs.config.allowUnfree = true;
- # Configure network proxy if necessary
- # networking.proxy.default = "http://user:password@proxy:port/";
- # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
-
- # This option defines the first version of NixOS you have installed on this particular machine,
- # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
- #
- # Most users should NEVER change this value after the initial install, for any reason,
- # even if you've upgraded your system to a new NixOS release.
- #
- # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
- # so changing it will NOT upgrade your system.
- #
- # This value being lower than the current NixOS release does NOT mean your system is
- # out of date, out of support, or vulnerable.
- #
- # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
- # and migrated your data accordingly.
- #
- # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
- system.stateVersion = "23.11"; # Did you read the comment?
-}
diff --git a/hosts/homerouters/toinux-home-kitrtr/hardware-configuration.nix b/hosts/homerouters/toinux-home-kitrtr/hardware-configuration.nix
deleted file mode 100644
index 36b4585..0000000
--- a/hosts/homerouters/toinux-home-kitrtr/hardware-configuration.nix
+++ /dev/null
@@ -1,34 +0,0 @@
-# Do not modify this file! It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations. Please make changes
-# to /etc/nixos/configuration.nix instead.
-{
- config,
- lib,
- pkgs,
- modulesPath,
- ...
-}:
-
-{
- imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
-
- boot.initrd.availableKernelModules = [
- "ata_piix"
- "uhci_hcd"
- "virtio_pci"
- "sr_mod"
- "virtio_blk"
- ];
- boot.initrd.kernelModules = [ ];
- boot.kernelModules = [ "kvm-intel" ];
- boot.extraModulePackages = [ ];
-
- # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
- # (the default) this is the recommended approach. When using systemd-networkd it's
- # still possible to use this option, but it's recommended to use it in conjunction
- # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
- networking.useDHCP = lib.mkDefault true;
- # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
-
- nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-}
diff --git a/hosts/homerouters/toinux-home-kitrtr/network-configuration.nix b/hosts/homerouters/toinux-home-kitrtr/network-configuration.nix
deleted file mode 100644
index f960eb6..0000000
--- a/hosts/homerouters/toinux-home-kitrtr/network-configuration.nix
+++ /dev/null
@@ -1,54 +0,0 @@ -{ ... }: -{ - # Pick only one of the below networking options. - # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. - # networking.networkmanager.enable = true; # Easiest to use and most distros use this by default. - networking = { - #nameservers = [ "1.3.3.7" ]; - - # vlans = { - # vlanXX = { - # id = XX; - # interface = "xxx"; - # }; - # }; - - interfaces = { - ens18.useDHCP = true; - - # vlanXX = { - - # # ipv4.addresses = [ - # # { - # # address = "xxx.xx.xx.xx"; - # # prefixLength = 24; - # # } - # # ]; - - # # ipv6.addresses = [ - # # { - # # address = "2a13:79c0:ffff:feff:b00b::xxx"; - # # prefixLength = 112; - # # } - # # ]; - # }; - }; - - # defaultGateway = { - # address = "xx.xx.xx.xx"; - # metric = 42; - # interface = iface; - # }; - - # defaultGateway6 = { - # address = "fe80::1"; - # metric = 42; - # interface = iface; - # }; - - useDHCP = false; - #dhcpcd.enable = false; - }; - - systemd.network.enable = true; -} diff --git a/hosts/homerouters/toinux-home-kitrtr/peers/default.nix b/hosts/homerouters/toinux-home-kitrtr/peers/default.nix deleted file mode 100644 index d422fcd..0000000 --- a/hosts/homerouters/toinux-home-kitrtr/peers/default.nix +++ /dev/null @@ -1,8 +0,0 @@ -{ kittenLib, ... }: -kittenLib.peers { - host = ./.; - profile = ../..; - - blacklist = [ ]; - manual = { }; -} diff --git a/hosts/miscservers/aure-kit-bots-01/default.nix b/hosts/miscservers/aure-kit-bots-01/default.nix deleted file mode 100644 index 82beed7..0000000 --- a/hosts/miscservers/aure-kit-bots-01/default.nix +++ /dev/null 
@@ -1,108 +0,0 @@ -# Edit this configuration file to define what should be installed on -# your system. Help is available in the configuration.nix(5) man page -# and in the NixOS manual (accessible by running ‘nixos-help’). - -{ - name, - nodes, - lib, - pkgs, - ... -}: -let - diskoProfile = "simple"; - diskoConfig = { - bootdisk = "/dev/vda"; - }; -in -{ - imports = [ - # Include the results of the hardware scan. - ../default.nix - ./hardware-configuration.nix - # ./network-configuration.nix # TODO: implement - ]; - - deployment = { - # Disable SSH deployment. This node will be skipped in a - # normal`colmena apply`. - targetUser = "root"; - targetHost = null; # TODO: define me - }; - - # Bootloader. - boot.loader.grub.efiSupport = false; - boot.loader.grub.enable = true; - - - kittenModules = { - # network = { - # enable = true; - # interface = "ens18"; - # address = ""; - # }; - - disko = { - enable = true; - profile = diskoProfile; - ${diskoProfile} = diskoConfig; - }; - - # firewall = { - # enable = true; - # forward = { - # enable = true; - # # stateless = true; - # rules = '' - # iifname $wireguardIFACEs oifname "vlan36" ip6 daddr 2a13:79c0:ffff:feff:b00b:3615:1:0/112 counter accept - # oifname $wireguardIFACEs iifname "vlan36" ip6 saddr 2a13:79c0:ffff:feff:b00b:3615:1:0/112 counter accept - # ''; - # }; - # }; - }; - systemd.network.enable = true; - - nixpkgs.config.allowUnfree = true; - # Configure network proxy if necessary - # networking.proxy.default = "http://user:password@proxy:port/"; - # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; - - # Set your time zone. - time.timeZone = "Europe/Paris"; - - # Select internationalisation properties. 
- i18n.defaultLocale = "en_US.UTF-8"; - - i18n.extraLocaleSettings = { - LC_ADDRESS = "fr_FR.UTF-8"; - LC_IDENTIFICATION = "fr_FR.UTF-8"; - LC_MEASUREMENT = "fr_FR.UTF-8"; - LC_MONETARY = "fr_FR.UTF-8"; - LC_NAME = "fr_FR.UTF-8"; - LC_NUMERIC = "fr_FR.UTF-8"; - LC_PAPER = "fr_FR.UTF-8"; - LC_TELEPHONE = "fr_FR.UTF-8"; - LC_TIME = "fr_FR.UTF-8"; - }; - - programs.mtr.enable = true; - - # List services that you want to enable: - - # Enable the OpenSSH daemon. - services.openssh.enable = true; - - # Open ports in the firewall. - networking.firewall.allowedTCPPorts = [ ]; - networking.firewall.allowedUDPPorts = [ ]; - # Or disable the firewall altogether. - networking.firewall.enable = lib.mkDefault true; - - # This value determines the NixOS release from which the default - # settings for stateful data, like file locations and database versions - # on your system were taken. It‘s perfectly fine and recommended to leave - # this value at the release version of the first install of this system. - # Before changing this value read the documentation for this option - # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). - system.stateVersion = "23.11"; # Did you read the comment? -} diff --git a/hosts/miscservers/aure-kit-bots-01/hardware-configuration.nix b/hosts/miscservers/aure-kit-bots-01/hardware-configuration.nix deleted file mode 100644 index dfabf43..0000000 --- a/hosts/miscservers/aure-kit-bots-01/hardware-configuration.nix +++ /dev/null 
@@ -1,35 +0,0 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. -{ - config, - lib, - pkgs, - modulesPath, - ... -}: - -{ - imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; - - boot.initrd.availableKernelModules = [ - "ata_piix" - "uhci_hcd" - "virtio_pci" - "sr_mod" - "virtio_blk" - ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ "kvm-intel" ]; - boot.extraModulePackages = [ ]; - - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces..useDHCP`. - # networking.useDHCP = lib.mkDefault true; - # networking.interfaces.ens18.useDHCP = lib.mkDefault true; - networking.useDHCP = lib.mkDefault true; - - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; -} diff --git a/hosts/miscservers/default.nix b/hosts/miscservers/default.nix deleted file mode 100644 index ecffc3a..0000000 --- a/hosts/miscservers/default.nix +++ /dev/null 
@@ -1,28 +0,0 @@ -# Edit this configuration file to define what should be installed on -# your system. Help is available in the configuration.nix(5) man page, on -# https://search.nixos.org/options and in the NixOS manual (`nixos-help`). - -{ - config, - lib, - pkgs, - ... -}: - -{ - imports = [ ]; - - # Configure network proxy if necessary - # networking.proxy.default = "http://user:password@proxy:port/"; - # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; - - # Select internationalisation properties. - i18n.defaultLocale = "en_US.UTF-8"; - - # Net Basics - networking.useNetworkd = true; - systemd.network.enable = true; - systemd.network.wait-online.enable = false; - - # environment.systemPackages = with pkgs; [ ]; -} diff --git a/hosts/postgres/default.nix b/hosts/postgres/default.nix deleted file mode 100644 index 2130780..0000000 --- a/hosts/postgres/default.nix +++ /dev/null @@ -1,40 +0,0 @@ -# Edit this configuration file to define what should be installed on -# your system. Help is available in the configuration.nix(5) man page, on -# https://search.nixos.org/options and in the NixOS manual (`nixos-help`). - -{ - config, - lib, - pkgs, - ... -}: - -{ - imports = [ - # ./firewall.nix # TODO: Remove - ./postgres.nix - ./packages.nix - ]; - - kittenModules = { - loopback0 = { - enable = lib.mkDefault true; - }; - }; - - # Configure network proxy if necessary - # networking.proxy.default = "http://user:password@proxy:port/"; - # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; - - # Select internationalisation properties. - i18n.defaultLocale = "en_US.UTF-8"; - - # FireWall - networking.firewall.allowedTCPPorts = [ 5432 ]; - networking.firewall.allowedUDPPorts = [ 5432 ]; - - # Net Basics - networking.useNetworkd = true; - systemd.network.enable = true; - systemd.network.wait-online.enable = false; -} 
diff --git a/hosts/postgres/kit-postgresql-nte/default.nix b/hosts/postgres/kit-postgresql-nte/default.nix
deleted file mode 100644
index b7067fe..0000000
--- a/hosts/postgres/kit-postgresql-nte/default.nix
+++ /dev/null
@@ -1,106 +0,0 @@ -# Edit this configuration file to define what should be installed on -# your system. Help is available in the configuration.nix(5) man page -# and in the NixOS manual (accessible by running ‘nixos-help’). - -{ - name, - nodes, - lib, - pkgs, - ... -}: -let - diskoProfile = "simple"; - diskoConfig = { - bootdisk = "/dev/vda"; - }; -in -{ - imports = [ - # Include the results of the hardware scan. - ../default.nix - ./hardware-configuration.nix - ./network-configuration.nix - ]; - - deployment = { - # Disable SSH deployment. This node will be skipped in a - # normal`colmena apply`. - targetUser = "root"; - targetHost = "2a13:79c0:ffff:feff:b00b:3615:1:907"; # TODO: put HostName - }; - - # Bootloader. - boot.loader.systemd-boot.enable = true; - boot.loader.efi.canTouchEfiVariables = true; - - kittenModules = { - # network = { - # enable = true; - # interface = "ens18"; - # address = ""; - # }; - - disko = { - enable = true; - profile = diskoProfile; - ${diskoProfile} = diskoConfig; - }; - - # firewall = { - # enable = true; - # forward = { - # enable = true; - # # stateless = true; - # rules = '' - # iifname $wireguardIFACEs oifname "vlan36" ip6 daddr 2a13:79c0:ffff:feff:b00b:3615:1:0/112 counter accept - # oifname $wireguardIFACEs iifname "vlan36" ip6 saddr 2a13:79c0:ffff:feff:b00b:3615:1:0/112 counter accept - # ''; - # }; - # }; - }; - # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. - - # Configure network proxy if necessary - # networking.proxy.default = "http://user:password@proxy:port/"; - # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; - - # Set your time zone. - time.timeZone = "Europe/Paris"; - - # Select internationalisation properties. 
- i18n.defaultLocale = "en_US.UTF-8"; - - i18n.extraLocaleSettings = { - LC_ADDRESS = "fr_FR.UTF-8"; - LC_IDENTIFICATION = "fr_FR.UTF-8"; - LC_MEASUREMENT = "fr_FR.UTF-8"; - LC_MONETARY = "fr_FR.UTF-8"; - LC_NAME = "fr_FR.UTF-8"; - LC_NUMERIC = "fr_FR.UTF-8"; - LC_PAPER = "fr_FR.UTF-8"; - LC_TELEPHONE = "fr_FR.UTF-8"; - LC_TIME = "fr_FR.UTF-8"; - }; - - programs.mtr.enable = true; - - # List services that you want to enable: - - # Enable the OpenSSH daemon. - services.openssh.enable = true; - - # Open ports in the firewall. - networking.firewall.allowedTCPPorts = [ ]; - networking.firewall.allowedUDPPorts = [ ]; - # Or disable the firewall altogether. - networking.firewall.enable = lib.mkDefault true; - - # This value determines the NixOS release from which the default - # settings for stateful data, like file locations and database versions - # on your system were taken. It‘s perfectly fine and recommended to leave - # this value at the release version of the first install of this system. - # Before changing this value read the documentation for this option - # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). - # system.stateVersion = "23.11"; # Did you read the comment? -} diff --git a/hosts/postgres/kit-postgresql-nte/hardware-configuration.nix b/hosts/postgres/kit-postgresql-nte/hardware-configuration.nix deleted file mode 100644 index 4c7034d..0000000 --- a/hosts/postgres/kit-postgresql-nte/hardware-configuration.nix +++ /dev/null 
@@ -1,36 +0,0 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. -{ - config, - lib, - pkgs, - modulesPath, - ... -}: - -{ - imports = [ - (modulesPath + "/profiles/qemu-guest.nix") - ]; - - boot.initrd.availableKernelModules = [ - "ata_piix" - "uhci_hcd" - "virtio_pci" - "sr_mod" - "virtio_blk" - ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ ]; - boot.extraModulePackages = [ ]; - - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces..useDHCP`. - networking.useDHCP = lib.mkDefault true; - # networking.interfaces.ens18.useDHCP = lib.mkDefault true; - - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; -} diff --git a/hosts/postgres/kit-postgresql-nte/network-configuration.nix b/hosts/postgres/kit-postgresql-nte/network-configuration.nix deleted file mode 100644 index 6a8d776..0000000 --- a/hosts/postgres/kit-postgresql-nte/network-configuration.nix +++ /dev/null 
@@ -1,54 +0,0 @@ -{ ... }: -let - kittenIface = "ens18"; -in -{ - networking = { - nameservers = [ "2620:fe::fe" ]; - - interfaces = { - # ens18.useDHCP = true; - - ens19 = { - ipv4 = { - addresses = [ - { - address = "10.200.2.110"; - prefixLength = 24; - } - ]; - }; - }; - - ${kittenIface} = { - ipv6 = { - routes = [ - { - address = "2a13:79c0:ff00::"; - prefixLength = 40; - via = "2a13:79c0:ffff:feff:b00b:3615:1:6969"; - } - ]; - addresses = [ - { - address = "2a13:79c0:ffff:feff:b00b:3615:1:907"; - prefixLength = 112; - } - ]; - }; - }; - }; - - defaultGateway6 = { - address = "2a13:79c0:ffff:feff:b00b:3615:1:6969"; - metric = 42; - interface = kittenIface; - }; - - useDHCP = false; - useNetworkd = true; - #dhcpcd.enable = false; - }; - - systemd.network.enable = true; -} diff --git a/hosts/postgres/packages.nix b/hosts/postgres/packages.nix deleted file mode 100644 index a463cc3..0000000 --- a/hosts/postgres/packages.nix +++ /dev/null @@ -1,17 +0,0 @@ -{ config, pkgs, ... }: -let -in -#unstable = import { config = baseconfig; }; -{ - # kittenModules.rhabbit-consumer.enable = true; - # List packages installed in system profile. To search, run: - # $ nix search wget - environment.systemPackages = with pkgs; [ - vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default. - git - htop - tmux - tree - tmate - ]; -} diff --git a/hosts/postgres/postgres.nix b/hosts/postgres/postgres.nix deleted file mode 100644 index 143159a..0000000 --- a/hosts/postgres/postgres.nix +++ /dev/null 
@@ -1,33 +0,0 @@
-{ lib, ... }: {
- services.postgresql = {
- enable = lib.mkDefault true;
- # ... conf ...
-
- ensureDatabases = [ "netbox" ];
-
- ensureUsers = [
- {
- name = "superkitten";
- ensureClauses = {
- # superuser = true;
- createrole = true;
- createdb = true;
- login = true;
- };
- }
- {
- name = "netbox";
- ensureDBOwnership = true;
- ensureClauses = {
- login = true;
- };
- }
- ];
-
- enableTCPIP = lib.mkDefault true;
-
-# settings = {
-# listen_addresses = "";
-# };
- };
-}
diff --git a/hosts/routereflectors/default.nix b/hosts/routereflectors/default.nix
deleted file mode 100644
index fb1d3f8..0000000
--- a/hosts/routereflectors/default.nix
+++ /dev/null
@@ -1,134 +0,0 @@ -# Edit this configuration file to define what should be installed on -# your system. Help is available in the configuration.nix(5) man page, on -# https://search.nixos.org/options and in the NixOS manual (`nixos-help`). - -{ - config, - lib, - pkgs, - ... -}: - -{ - imports = [ - # Include the results of the hardware scan. - ]; - - # Configure network proxy if necessary - # networking.proxy.default = "http://user:password@proxy:port/"; - # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; - - # Select internationalisation properties. - i18n.defaultLocale = "en_US.UTF-8"; - - # Net Basics - networking.useNetworkd = true; - systemd.network.enable = true; - systemd.network.wait-online.enable = false; - - environment.systemPackages = with pkgs; [ gobgp ]; - - # List services that you want to enable: - services.gobgpd = { - enable = true; - settings = { - dynamic-neighbors = [ - { - config = { - peer-group = "kitten"; - prefix = "2a13:79c0:ffff:fefe::/64"; - }; - } - { - config = { - peer-group = "kittevpn"; - prefix = "2a13:79c0:ffff:feff::/64"; - }; - } - ]; - global = { - config = { - as = 4242421945; - local-address-list = [ - "2a13:79c0:ffff:fefe::113:91" - # "172.23.193.197" - ]; - router-id = "172.23.193.197"; - }; - }; - peer-groups = [ - { - afi-safis = [ - { - config = { - afi-safi-name = "ipv4-unicast"; - }; - } - { - config = { - afi-safi-name = "ipv6-unicast"; - }; - } - { - config = { - afi-safi-name = "l2vpn-evpn"; - }; - } - ]; - config = { - peer-as = 4242421945; - peer-group-name = "kittevpn"; - }; - route-reflector = { - config = { - route-reflector-client = true; - route-reflector-cluster-id = "172.23.193.197"; - }; - }; - } - { - afi-safis = [ - { - config = { - afi-safi-name = "ipv4-unicast"; - }; - } - { - config = { - afi-safi-name = "ipv6-unicast"; - }; - } - ]; - config = { - peer-as = 4242421945; - peer-group-name = "kitten"; - }; - route-reflector = { - config = { - route-reflector-client = true; - 
route-reflector-cluster-id = "172.23.193.197"; - }; - }; - } - ]; - }; - # autoReload = true; - }; - - # This option defines the first version of NixOS you have installed on this particular machine, - # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. - # - # Most users should NEVER change this value after the initial install, for any reason, - # even if you've upgraded your system to a new NixOS release. - # - # This value does NOT affect the Nixpkgs version your packages and OS are pulled from, - # so changing it will NOT upgrade your system. - # - # This value being lower than the current NixOS release does NOT mean your system is - # out of date, out of support, or vulnerable. - # - # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration, - # and migrated your data accordingly. - # - # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion . -} diff --git a/hosts/routereflectors/firewall.nix b/hosts/routereflectors/firewall.nix deleted file mode 100644 index d41402d..0000000 --- a/hosts/routereflectors/firewall.nix +++ /dev/null @@ -1,35 +0,0 @@ -{ - lib, - pkgs, - config, - ... -}: -let - cfg = config.hostprofile.rr; -in -{ - - config = { - - # environment.systemPackages = with pkgs; [ ferm ]; # Prepare an eventual switch to FERM - - networking.nftables.enable = true; - - # Open ports in the firewall. - networking.firewall = { - enable = true; - - allowedTCPPorts = [ - 22 # SSH - 179 # BGP - 1790 # Internal BGP - ]; - # allowedUDPPorts = [ ... ]; - - # checkReversePath = "loose"; - checkReversePath = false; - - filterForward = false; - }; - }; -} diff --git a/hosts/routereflectors/iguane-kit-rr91/default.nix b/hosts/routereflectors/iguane-kit-rr91/default.nix deleted file mode 100644 index 84cc907..0000000 --- a/hosts/routereflectors/iguane-kit-rr91/default.nix +++ /dev/null 
@@ -1,125 +0,0 @@ -# Edit this configuration file to define what should be installed on -# your system. Help is available in the configuration.nix(5) man page, on -# https://search.nixos.org/options and in the NixOS manual (`nixos-help`). - -{ - config, - lib, - pkgs, - ... -}: -let - # cfg = config.hostprofile.rr; - - diskoProfile = "simple"; - diskoConfig = { - bootdisk = "/dev/vda"; - }; - - kittenIFACE = "ens19"; - lastByte = "92"; -in -# config = { -# mainSerial = 0; -# hostprofile.rr = { -# interface = "ens18"; -# }; -# }; -{ - imports = [ - # Include the results of the hardware scan. - ../default.nix - ./hardware-configuration.nix - # ./network-configuration.nix # TODO: implement - ]; - # Bootloader. - boot.loader.grub.efiSupport = false; - boot.loader.grub.enable = true; - - # Pick only one of the below networking options. - networking = { - #nameservers = [ "1.3.3.7" ]; - - interfaces = lib.mkMerge [ - # (lib.mkIf (cfg.interface != null) { "${cfg.interface}".useDHCP = true; }) - - # (lib.mkIf (kittenIFACE != null) { - # "${kittenIFACE}" = { - # # ipv4.addresses = [ - # # { - # # address = "185.10.17.209"; - # # prefixLength = 24; - # # } - # # ]; - # - # ipv6.addresses = [ - # { - # # address = "2a13:79c0:ffff:feff:b00b:caca:b173:25"; - # address = "2a13:79c0:ffff:feff:b00b:3965:113:${lastByte}"; - # prefixLength = 112; - # } - # ]; - # }; - # }) - ]; - - # defaultGateway = { - # address = "185.10.17.254"; - # metric = 42; - # interface = iface; - # }; - - defaultGateway6 = { - address = "2a13:79c0:ffff:feff:b00b:3965:113:25"; - metric = 42; - interface = kittenIFACE; - }; - - useDHCP = false; - #dhcpcd.enable = false; - }; - - kittenModules = { - # network = { - # enable = true; - # interface = "ens18"; - # address = ""; - # }; - - disko = { - enable = true; - profile = diskoProfile; - ${diskoProfile} = diskoConfig; - }; - - loopback0 = { # Enabled by bird by default - enable = true; - ipv6 = ["2a13:79c0:ffff:fefe::113:91"]; - }; - }; - - 
systemd.network.enable = true; - - # Set your time zone. - time.timeZone = "Europe/Paris"; - - nixpkgs.config.allowUnfree = true; - - # This option defines the first version of NixOS you have installed on this particular machine, - # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. - # - # Most users should NEVER change this value after the initial install, for any reason, - # even if you've upgraded your system to a new NixOS release. - # - # This value does NOT affect the Nixpkgs version your packages and OS are pulled from, - # so changing it will NOT upgrade your system. - # - # This value being lower than the current NixOS release does NOT mean your system is - # out of date, out of support, or vulnerable. - # - # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration, - # and migrated your data accordingly. - # - # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion . - system.stateVersion = "23.11"; # Did you read the comment? -} diff --git a/hosts/routereflectors/iguane-kit-rr91/hardware-configuration.nix b/hosts/routereflectors/iguane-kit-rr91/hardware-configuration.nix deleted file mode 100644 index 36b4585..0000000 --- a/hosts/routereflectors/iguane-kit-rr91/hardware-configuration.nix +++ /dev/null 
@@ -1,34 +0,0 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. -{ - config, - lib, - pkgs, - modulesPath, - ... -}: - -{ - imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; - - boot.initrd.availableKernelModules = [ - "ata_piix" - "uhci_hcd" - "virtio_pci" - "sr_mod" - "virtio_blk" - ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ "kvm-intel" ]; - boot.extraModulePackages = [ ]; - - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces..useDHCP`. - networking.useDHCP = lib.mkDefault true; - # networking.interfaces.ens18.useDHCP = lib.mkDefault true; - - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; -} diff --git a/hosts/routereflectors/network.nix b/hosts/routereflectors/network.nix deleted file mode 100644 index 03ebab8..0000000 --- a/hosts/routereflectors/network.nix +++ /dev/null @@ -1,31 +0,0 @@ -{ - lib, - pkgs, - config, - ... -}: -let - cfg = config.hostprofile.rr; -in -{ - - config = { - - # LoopBacks - networking.interfaces.lo = - let - defPrefix = { - ipv4 = 32; - ipv6 = 128; - }; - mkLoopBack = proto: loopback: { - address = "${toString loopback}"; - prefixLength = defPrefix.${proto}; - }; - in - { - ipv4.addresses = lib.mkIf (cfg.loopbacks.ipv4 != [ ]) (map (mkLoopBack "ipv4") cfg.loopbacks.ipv4); - ipv6.addresses = lib.mkIf (cfg.loopbacks.ipv6 != [ ]) (map (mkLoopBack "ipv6") cfg.loopbacks.ipv6); - }; - }; -} diff --git a/hosts/routereflectors/options.nix b/hosts/routereflectors/options.nix deleted file mode 100644 index 129a70d..0000000 --- a/hosts/routereflectors/options.nix +++ /dev/null 
@@ -1,44 +0,0 @@ -{ lib, pkgs, ... }: -let - inherit (lib) mkOption genAttrs attrNames; -in -{ - options.hostprofile.rr = { - # iface = if targetConfig ? interface then targetConfig.interface else null; - interface = mkOption { - type = lib.types.nullOr lib.types.str; - default = null; - example = "enp1s0"; - description = "device's principal interface (Management / UpLink)"; - }; - - loopbacks = - let - protos = { - ipv4 = { - examples = [ "1.2.3.4/32" ]; - pretty = "IPv4"; - }; - - ipv6 = { - examples = [ "::2/128" ]; - pretty = "IPv6"; - }; - }; - in - genAttrs (attrNames protos) ( - x: - let - proto = protos.${x}; - in - lib.mkOption { - type = lib.types.listOf lib.types.str; - default = [ ]; - example = proto.examples; - description = '' - List of ${proto.pretty} loopbacks assigned. - ''; - } - ); - }; -} diff --git a/hosts/routers/_peers/KIT-IG1-RR91.nix b/hosts/routers/_peers/KIT-IG1-RR91.nix deleted file mode 100644 index 2ea52dd..0000000 --- a/hosts/routers/_peers/KIT-IG1-RR91.nix +++ /dev/null @@ -1,49 +0,0 @@ -{ ... }: -let - kittenASN = 4242421945; -in -{ - # vultr6 - # AS64515 - # Peer-IP : 2001:19f0:ffff::1 - - # protocol bgp TRANSIT_VULTR6 { - # - # multihop 2; - # - - # ipv6 { - # export filter { - # if ( net ~ [ 2a13:79c0:ff00::/40, 2a12:dd47:9330::/44 ] ) then { - # accept; - # } - # reject; - # }; - # import none; - # }; - # - # } - peerAS = kittenASN; - peerIP = "2a13:79c0:ffff:fefe::113:91"; - localAS = kittenASN; - - multihop = 5; - - # wireguard = { - # address = "2a13:79c0:ffff:feff::10c"; - # port = 51800; - # peerKey = "rMTaMWJYlgTKJoE0PnVOo9SKHTppEfYK5KtWjBI9mC8="; - # }; - template = "rrserver"; - ipv6 = { - #imports = null; - #imports = x: "filter filter6_IN_BGP_${toString x}"; - #exports = [ "2a12:dd47:9330::/44" ]; - - #exports = null; - }; - ipv4 = { - #imports = x: "filter filter4_IN_BGP_${toString x}"; - #exports = x: "filter6_IN_BGP_${toString x}"; - }; -} 
diff --git a/hosts/routers/_peers/default.nix b/hosts/routers/_peers/default.nix
deleted file mode 100644
index 30562ad..0000000
--- a/hosts/routers/_peers/default.nix
+++ /dev/null
@@ -1,8 +0,0 @@
-{ ... }:
-let
- globalPeers = import ../../_peers {};
-in
-{
- # Internal RR
- inherit (globalPeers) IG1_RR91;
-}
diff --git a/hosts/routers/_vultr-kit-edge/configuration.nix b/hosts/routers/_vultr-kit-edge/configuration.nix
deleted file mode 100644
index 2474a51..0000000
--- a/hosts/routers/_vultr-kit-edge/configuration.nix
+++ /dev/null
@@ -1,82 +0,0 @@ -# Edit this configuration file to define what should be installed on -# your system. Help is available in the configuration.nix(5) man page, on -# https://search.nixos.org/options and in the NixOS manual (`nixos-help`). - -{ - config, - targetConfig, - lib, - pkgs, - ... -}: - -{ - #imports = [ ./wireguard.nix ]; - # Bootloader. - #boot.loader.systemd-boot.enable = true; - #boot.loader.systemd-boot.configurationLimit = 5; - #boot.loader.efi.canTouchEfiVariables = true; - boot.loader.grub.efiSupport = false; - boot.loader.grub.enable = true; - # boot.loader.grub.efiInstallAsRemovable = true; - # boot.loader.efi.efiSysMountPoint = "/boot/efi"; - # Define on which hard drive you want to install Grub. - #boot.loader.grub.devices = [ "${targetConfig.bootdisk}" ]; # or "nodev" for efi only - - # Pick only one of the below networking options. - # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. - # networking.networkmanager.enable = true; # Easiest to use and most distros use this by default. - networking = { - #dhcpcd.enable = false; - #useNetworkd = true; - useDHCP = false; - }; - - systemd.network.enable = true; - services.cloud-init = { - enable = true; - ext4.enable = true; - network.enable = true; - settings = { - datasource_list = [ "Vultr" ]; - disable_root = false; - ssh_pwauth = 0; - updates = { - network = { - when = [ - "boot" - "boot-legacy" - "boot-new-instance" - "hotplug" - ]; - }; - }; - }; - }; - - # Set your time zone. - time.timeZone = "Europe/Paris"; - - nixpkgs.config.allowUnfree = true; - # Configure network proxy if necessary - # networking.proxy.default = "http://user:password@proxy:port/"; - # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; - - # This option defines the first version of NixOS you have installed on this particular machine, - # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. 
- # - # Most users should NEVER change this value after the initial install, for any reason, - # even if you've upgraded your system to a new NixOS release. - # - # This value does NOT affect the Nixpkgs version your packages and OS are pulled from, - # so changing it will NOT upgrade your system. - # - # This value being lower than the current NixOS release does NOT mean your system is - # out of date, out of support, or vulnerable. - # - # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration, - # and migrated your data accordingly. - # - # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion . - system.stateVersion = "23.11"; # Did you read the comment? -} diff --git a/hosts/routers/_vultr-kit-edge/default.nix b/hosts/routers/_vultr-kit-edge/default.nix deleted file mode 100644 index cb0e4c9..0000000 --- a/hosts/routers/_vultr-kit-edge/default.nix +++ /dev/null @@ -1,32 +0,0 @@ -{ ... }: -let - IFACE = "enp1s0"; -in -{ - type = "targetConfig"; - - bootdisk = "/dev/vda"; - diskTemplate = "simple_singleFullRoot"; - - interface = IFACE; - # mainSerial = 0; - - birdConfig = { - transitInterface = IFACE; - - # router-id = ; - - # loopback4 = ""; - loopback6 = "2a13:79c0:ffff:fefe::b48d"; - - static6 = [ - ''2001:19f0:ffff::1/128 via "fe80::fc00:4ff:fe82:5c6e%${IFACE}"'' # Vultr bgp neighbor - - "2a13:79c0:ffff:fefe::b00b/128 unreachable" # Special Anycast "loopback" for default gateways - - #"2a13:79c0:ffff::/48 unreachable" # Networking stuff - #"2a13:79c0:ffff:fefe::/64 unreachable" # LoopBacks - "2a13:79c0:ff00::/40 unreachable" # full range /40 - ]; - }; -} diff --git a/hosts/routers/_vultr-kit-edge/hardware-configuration.nix b/hosts/routers/_vultr-kit-edge/hardware-configuration.nix deleted file mode 100644 index 288c237..0000000 --- a/hosts/routers/_vultr-kit-edge/hardware-configuration.nix +++ /dev/null 
@@ -1,36 +0,0 @@
-# Do not modify this file! It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations. Please make changes
-# to /etc/nixos/configuration.nix instead.
-{
- config,
- lib,
- pkgs,
- modulesPath,
- ...
-}:
-
-{
- imports = [ ];
-
- boot.initrd.availableKernelModules = [
- "ahci"
- "xhci_pci"
- "virtio_pci"
- "sr_mod"
- "virtio_blk"
- ];
- boot.initrd.kernelModules = [ ];
- boot.kernelModules = [ ];
- boot.extraModulePackages = [ ];
-
- # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
- # (the default) this is the recommended approach. When using systemd-networkd it's
- # still possible to use this option, but it's recommended to use it in conjunction
- # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
- # networking.useDHCP = lib.mkDefault true;
- # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
- # networking.interfaces.enp8s0.useDHCP = lib.mkDefault true;
-
- nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
- virtualisation.hypervGuest.enable = true;
-}
diff --git a/hosts/routers/_vultr-kit-edge/peers/KIT-IG1-RTR.nix b/hosts/routers/_vultr-kit-edge/peers/KIT-IG1-RTR.nix
deleted file mode 100644
index 62739e9..0000000
--- a/hosts/routers/_vultr-kit-edge/peers/KIT-IG1-RTR.nix
+++ /dev/null
@@ -1,30 +0,0 @@
-{ ... }:
-let
- kittenASN = 4242421945;
-in
-{
- peerAS = kittenASN;
- peerIP = "2a13:79c0:ffff:feff::104";
- localAS = kittenASN;
-
- wireguard = {
- address = "2a13:79c0:ffff:feff::105";
- port = 6969;
-
- peerKey = "gDriA5mhKKh44OHEIxmmevphoVRLK45TRJmFS1DV1i4=";
- };
-
- template = "kittunderlay";
- bgpMED = 100;
- ipv6 = {
- #imports = null;
- imports = x: "filter filter6_IN_BGP_${toString x}";
- #exports = [ "2a12:dd47:9330::/44" ];
-
- #exports = null;
- };
- ipv4 = {
- imports = x: "filter filter4_IN_BGP_${toString x}";
- #exports = x: "filter6_IN_BGP_${toString x}";
- };
-}
diff --git a/hosts/routers/_vultr-kit-edge/peers/KIT-VIRTUA-EDGE.legacy.nix b/hosts/routers/_vultr-kit-edge/peers/KIT-VIRTUA-EDGE.legacy.nix
deleted file mode 100644
index e6f5209..0000000
--- a/hosts/routers/_vultr-kit-edge/peers/KIT-VIRTUA-EDGE.legacy.nix
+++ /dev/null
@@ -1,51 +0,0 @@
-{ ... }:
-let
- kittenASN = 4242421945;
-in
-{
- # vultr6
- # AS64515
- # Peer-IP : 2001:19f0:ffff::1
-
- # protocol bgp TRANSIT_VULTR6 {
- #
- # multihop 2;
- #
-
- # ipv6 {
- # export filter {
- # if ( net ~ [ 2a13:79c0:ff00::/40, 2a12:dd47:9330::/44 ] ) then {
- # accept;
- # }
- # reject;
- # };
- # import none;
- # };
- #
- # }
- peerAS = kittenASN;
- peerIP = "2a13:79c0:ffff:feff::10d";
- localAS = kittenASN;
-
- wireguard = {
- # onIFACE = "enp1s0";
- address = "2a13:79c0:ffff:feff::10c";
- port = 51800;
- # endpoint = "[2a07:8dc0:19:1cf::1]:51800";
- # peerKey = "p200ujtoVhMNnbrdljxoHqAF7cbfRDRFTA+6ibGvIEg=";
- peerKey = "rMTaMWJYlgTKJoE0PnVOo9SKHTppEfYK5KtWjBI9mC8=";
- };
- template = "kittunderlay";
- bgpMED = 6666;
- ipv6 = {
- #imports = null;
- imports = x: "filter filter6_IN_BGP_${toString x}";
- #exports = [ "2a12:dd47:9330::/44" ];
-
- #exports = null;
- };
- ipv4 = {
- imports = x: "filter filter4_IN_BGP_${toString x}";
- #exports = x: "filter6_IN_BGP_${toString x}";
- };
-}
diff --git a/hosts/routers/_vultr-kit-edge/peers/KIT-VULTR-EDGE.legacy.nix b/hosts/routers/_vultr-kit-edge/peers/KIT-VULTR-EDGE.legacy.nix
deleted file mode 100644
index a325311..0000000
--- a/hosts/routers/_vultr-kit-edge/peers/KIT-VULTR-EDGE.legacy.nix
+++ /dev/null
@@ -1,50 +0,0 @@
-{ ... }:
-let
- kittenASN = 4242421945;
-in
-{
- # vultr6
- # AS64515
- # Peer-IP : 2001:19f0:ffff::1
-
- # protocol bgp TRANSIT_VULTR6 {
- #
- # multihop 2;
- #
-
- # ipv6 {
- # export filter {
- # if ( net ~ [ 2a13:79c0:ff00::/40, 2a12:dd47:9330::/44 ] ) then {
- # accept;
- # }
- # reject;
- # };
- # import none;
- # };
- #
- # }
- peerAS = kittenASN;
- peerIP = "2a13:79c0:ffff:feff::113";
- localAS = kittenASN;
-
- wireguard = {
- # onIFACE = "test";
- address = "2a13:79c0:ffff:feff::112";
- port = 51802;
- endpoint = "[2a05:f480:1c00:5c0:5400:4ff:fe12:b47d]:51867";
- peerKey = "WYwm2mpTPQD5ZlKRI/l0GxJPUybN0cOyWxlTzNrZ7zY=";
- };
- template = "kittunderlay";
- bgpMED = 6666;
- ipv6 = {
- #imports = null;
- imports = x: "filter filter6_IN_BGP_${toString x}";
- #exports = [ "2a12:dd47:9330::/44" ];
-
- #exports = null;
- };
- ipv4 = {
- imports = x: "filter filter4_IN_BGP_${toString x}";
- #exports = x: "filter6_IN_BGP_${toString x}";
- };
-}
diff --git a/hosts/routers/_vultr-kit-edge/peers/KIT-virtua-edge.nix b/hosts/routers/_vultr-kit-edge/peers/KIT-virtua-edge.nix
deleted file mode 100644
index e4dee5e..0000000
--- a/hosts/routers/_vultr-kit-edge/peers/KIT-virtua-edge.nix
+++ /dev/null
@@ -1,30 +0,0 @@
-{ ... }:
-let
- kittenASN = 4242421945;
-in
-{
- peerAS = kittenASN;
- peerIP = "2a13:79c0:ffff:feff::10e";
- localAS = kittenASN;
-
- wireguard = {
- address = "2a13:79c0:ffff:feff::10f";
- port = 51801;
- endpoint = "[2a07:8dc0:19:1cf::1]:51801";
- peerKey = "p200ujtoVhMNnbrdljxoHqAF7cbfRDRFTA+6ibGvIEg=";
- };
-
- template = "kittunderlay";
- bgpMED = 100;
- ipv6 = {
- #imports = null;
- imports = x: "filter filter6_IN_BGP_${toString x}";
- #exports = [ "2a12:dd47:9330::/44" ];
-
- #exports = null;
- };
- ipv4 = {
- imports = x: "filter filter4_IN_BGP_${toString x}";
- #exports = x: "filter6_IN_BGP_${toString x}";
- };
-}
diff --git a/hosts/routers/_vultr-kit-edge/peers/TRS-vultr6-RTR.nix b/hosts/routers/_vultr-kit-edge/peers/TRS-vultr6-RTR.nix
deleted file mode 100644
index 2de2704..0000000
--- a/hosts/routers/_vultr-kit-edge/peers/TRS-vultr6-RTR.nix
+++ /dev/null
@@ -1,39 +0,0 @@
-{ ... }:
-{
- # vultr6
- # AS64515
- # Peer-IP : 2001:19f0:ffff::1
-
- # protocol bgp TRANSIT_VULTR6 {
- #
- # multihop 2;
- #
-
- # ipv6 {
- # export filter {
- # if ( net ~ [ 2a13:79c0:ff00::/40, 2a12:dd47:9330::/44 ] ) then {
- # accept;
- # }
- # reject;
- # };
- # import none;
- # };
- #
- # }
- localAS = 207175;
- peerAS = 64515;
- peerIP = "2001:19f0:ffff::1";
- multihop = 2;
-
- passwordRef = "vultr";
-
- ipv6 = {
- imports = null;
- exports = [
- "2a13:79c0:ff00::/40" # Prod /40
-
- # "2a12:dd47:9330::/44"
- ];
- #exports = null;
- };
-}
diff --git a/hosts/routers/_vultr-kit-edge/peers/default.nix b/hosts/routers/_vultr-kit-edge/peers/default.nix
deleted file mode 100644
index 3727c80..0000000
--- a/hosts/routers/_vultr-kit-edge/peers/default.nix
+++ /dev/null
@@ -1,15 +0,0 @@
-{ ... }:
-let
- defaultPeers = import ../../_peers { };
-in
-defaultPeers
-// {
- # Transit
- TRS_vultr6_RTR = import ./TRS-vultr6-RTR.nix { };
-
- # Internal Tunnels
- KIT_IG1_RTR = import ./KIT-IG1-RTR.nix { };
- # LGC_virtua_PAR = import ./KIT-VIRTUA-EDGE.legacy.nix { };
- LGC_vultr_PAR = import ./KIT-VULTR-EDGE.legacy.nix { };
- virtuaNix_PAR = import ./KIT-virtua-edge.nix { };
-}
diff --git a/hosts/routers/default.nix b/hosts/routers/default.nix
deleted file mode 100644
index b9715a3..0000000
--- a/hosts/routers/default.nix
+++ /dev/null
@@ -1,37 +0,0 @@
-# Edit this configuration file to define what should be installed on
-# your system. Help is available in the configuration.nix(5) man page, on
-# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
-
-{
- config,
- lib,
- pkgs,
- ...
-}:
-
-{
- imports = [
- # Include the results of the hardware scan.
- # ./bird.nix # Bird Routing
- # ./wireguard.nix
- # ./firewall.nix
- ];
-
- # Configure network proxy if necessary
- # networking.proxy.default = "http://user:password@proxy:port/";
- # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
-
- # Select internationalisation properties.
- i18n.defaultLocale = "en_US.UTF-8";
-
- # Net Basics
- networking.useNetworkd = true;
- systemd.network.enable = true;
- systemd.network.wait-online.enable = false;
-
- # List services that you want to enable:
- services.bird2 = {
- enable = true;
- autoReload = true;
- };
-}
diff --git a/hosts/routers/firewall.nix b/hosts/routers/firewall.nix
deleted file mode 100644
index 1aa4f9f..0000000
--- a/hosts/routers/firewall.nix
+++ /dev/null
@@ -1,158 +0,0 @@
-# Edit this configuration file to define what should be installed on
-# your system. Help is available in the configuration.nix(5) man page, on
-# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
-
-{
- lib,
- pkgs,
- targetConfig,
- birdConfig,
- ...
-}:
-let
- IFACE = if targetConfig ? interface then targetConfig.interface else null;
-
- transitedNetworks =
- if (birdConfig ? transitNetworks && birdConfig.transitNetworks != null) then
- birdConfig.transitNetworks
- else
- [
- "2a13:79c0:ff00::/44" # Transits Customer ranges: 2a13:79c0:{ff00-ff0f}::/48
- "2a13:79c0:ffff:fefe::/64"
- "2a13:79c0:ffff:feff:b00b::/80"
- ];
-
- wgPeers = filterAttrs (n: v: v ? wireguard && v.wireguard != { }) birdConfig.peers;
-
- transitIFACEs =
- [ ]
- ++ lib.optionals (birdConfig.transitInterfaces != [ ]) birdConfig.transitInterfaces;
- # ++ lib.optional (birdConfig ? transitInterface) birdConfig.transitInterface;
-
- kittenIFACEs = (
- (attrNames wgPeers)
- ++ lib.optionals (birdConfig.allowedInterfaces != [ ]) birdConfig.allowedInterfaces
- );
-
- inherit (lib)
- mkAfter
- optional
- optionals
- optionalString
- concatStringsSep
- concatMapStringsSep
- attrNames
- filterAttrs
- ;
-in
-{
-
- config = {
- boot.kernel.sysctl = {
- "net.ipv4.ip_forward" = 1;
- "net.ipv6.conf.all.forwarding" = 1;
-
- "net.ipv4.conf.all.src_valid_mark" = 1;
-
- # "net.ipv4.conf.default.rp_filter" = 2;
- # "net.ipv4.conf.all.rp_filter" = 2;
-
- # "net.ipv6.conf.all.keep_addr_on_down" = 1;
- # "net.ipv4.raw_l3mdev_accept" = 1;
- # "net.ipv4.tcp_l3mdev_accept" = 1;
- # "net.ipv4.udp_l3mdev_accept" = 1;
- };
-
- # environment.systemPackages = with pkgs; [ ferm ]; # Prepare an eventual switch to FERM
-
- networking.nftables = {
- enable = true;
-
- tables."nixos-fw".content =
- let
- quoteString = x: ''"${x}"'';
-
- defines = lib.concatStringsSep "\n" ([
- (optionalString (transitIFACEs != [ ])
- "define transitIFACEs = { ${concatMapStringsSep ", " quoteString 
transitIFACEs} }"
- )
- (optionalString (
- transitedNetworks != [ ]
- ) "define transitNETs = { ${concatStringsSep ", " transitedNetworks} }")
- (optionalString (wgPeers != { })
- "define wireguardIFACEs = { ${concatMapStringsSep ", " quoteString (attrNames wgPeers)} }"
- )
- (optionalString (kittenIFACEs != [ ])
- "define kittenIFACEs = { ${concatMapStringsSep ", " quoteString kittenIFACEs} }"
- )
- ]);
-
- extraForwardRules = lib.concatStringsSep "\n" (
- [
-
- ''
- ${optionalString (transitedNetworks != [ ] && transitIFACEs != [ ] && kittenIFACEs != [ ]) ''
- # iifname $kittenIFACEs oifname $transitIFACEs counter accept
- ip6 saddr $transitNETs iifname $kittenIFACEs oifname $transitIFACEs counter accept
- ip6 daddr $transitNETs oifname $kittenIFACEs iifname $transitIFACEs counter accept
- ''}
- # ip6 daddr 2a13:79c0:ff00::/48 counter accept
- # ip6 daddr { 2a13:79c0:ffff:feff:b00b:3945:a51:b00b, 2a13:79c0:ffff:feff:b00b:3945:a51:dead } counter accept
-
- # ip6 saddr 2a13:79c0:ffff:feff:b00b::/80 ip6 daddr 2a13:79c0:ffff:fefe::/64 counter accept
-
- # ip6 saddr { 2a13:79c0:ffff:fefe::/64, 2a13:79c0:ffff:feff::/64 } ip6 daddr { 2a13:79c0:ffff:fefe::/64, 2a13:79c0:ffff:feff::/64 } counter accept
-
-
- ${optionalString (kittenIFACEs != [ ]) ''
- iifname $kittenIFACEs oifname $kittenIFACEs counter accept
- ''}
- ''
- ]
-
- ++ optional (birdConfig ? 
extraForwardRules) birdConfig.extraForwardRules
-
- ++ optional (kittenIFACEs != [ ]) ''
- iifname $kittenIFACEs log prefix "refused connection: " level info reject comment "reject internal instead of drop"
- ''
- );
- in
- mkAfter ''
- # FireWall Test Configs
- ${defines}
-
- chain forward {
- type filter hook forward priority filter; policy drop;
- # We want StateLess firewalling
- # ct state vmap {
- # invalid : jump forward-allow,
- # established : accept,
- # related : accept,
- # new : jump forward-allow,
- # untracked : jump forward-allow,
- # }
- jump forward-rules
- }
-
- chain forward-rules {
- icmpv6 type != { router-renumbering, 139 } accept comment "Accept all ICMPv6 messages except renumbering and node information queries (type 139). See RFC 4890, section 4.3."
- ct status dnat accept comment "allow port forward"
- ${extraForwardRules}
- }
- '';
- };
-
- # Open ports in the firewall.
- networking.firewall = {
- enable = true;
-
- allowedTCPPorts = [ 22 ];
- # allowedUDPPorts = [ ... ];
-
- # checkReversePath = "loose";
- checkReversePath = false;
-
- filterForward = false;
- };
- };
-}
diff --git a/hosts/routers/iguane-kit-rtr/__default.nix b/hosts/routers/iguane-kit-rtr/__default.nix
deleted file mode 100644
index 40495f7..0000000
--- a/hosts/routers/iguane-kit-rtr/__default.nix
+++ /dev/null
@@ -1,35 +0,0 @@
-{ ... }:
-{
- ### type = "targetConfig";
-
- # mainSerial = 0;
-
- birdConfig = {
- # inherit transitInterface;
-
- # router-id = ;
-
- # loopback4 = "";
- # extra interfaces part of KittenNetwork (local-eth for ex)
- # allowedInterfaces = [ "bootstrap" ];
-
- extraForwardRules = ''
-
- iifname $kittenIFACEs ip6 daddr 2a13:79c0:ffff:fefe::113:91 tcp dport { 179, 1790 } counter accept
- oifname bootstrap ip6 daddr 2a13:79c0:ffff:feff:b00b:3965:222:0/112 counter accept
-
- ip6 saddr 2a01:cb08:bbb:3700::/64 oifname ens19 counter accept
-
- iifname ens19 oifname $kittenIFACEs counter accept
- ct state vmap {
- established : accept,
- related : accept,
- # invalid : jump forward-allow,
- # new : jump forward-allow,
- # untracked : jump forward-allow,
- }
-
- # oifname $kittenIFACEs ip6 saddr 2a13:79c0:ffff:fefe::113:91 tcp sport { 179, 1790 } counter accept
- '';
- };
-}
diff --git a/hosts/routers/iguane-kit-rtr/default.nix b/hosts/routers/iguane-kit-rtr/default.nix
deleted file mode 100644
index a30f70d..0000000
--- a/hosts/routers/iguane-kit-rtr/default.nix
+++ /dev/null
@@ -1,131 +0,0 @@
-# Edit this configuration file to define what should be installed on
-# your system. Help is available in the configuration.nix(5) man page, on
-# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
-
-args@{
- config,
- lib,
- kittenLib,
- pkgs,
- ...
-}:
-let
- diskoProfile = "simple";
- diskoConfig = {
- bootdisk = "/dev/vda";
- };
-
- peers = import ./peers args;
-
- wgPeers = (
- lib.mapAttrs (n: v: v.wireguard) (lib.filterAttrs (n: v: v ? wireguard && v.wireguard != { }) peers)
- );
-
- birdPeers = (lib.mapAttrs (n: v: builtins.removeAttrs v [ "wireguard" ]) peers);
-in
-{
- imports = [
- ./hardware-configuration.nix
- ./network-configuration.nix
-
- ../../../modules/system/kitten/connect/bird2/snippets/kittenCores.nix
- ];
-
- deployment = {
- # Disable SSH deployment. This node will be skipped in a
- # normal`colmena apply`.
- targetUser = "root";
- targetHost = "ig1nixrtr";
- };
-
- virtualisation.vmVariant.virtualisation.graphics = false;
- virtualisation.vmVariant.services.getty.autologinUser = "root";
-
- # Bootloader.
- boot.loader.systemd-boot.enable = true;
- boot.loader.systemd-boot.configurationLimit = 5;
- boot.loader.efi.canTouchEfiVariables = true;
-
- # boot.loader.grub.efiInstallAsRemovable = true;
- # boot.loader.efi.efiSysMountPoint = "/boot/efi";
- # Define on which hard drive you want to install Grub.
- #boot.loader.grub.devices = [ "${targetConfig.bootdisk}" ]; # or "nodev" for efi only
- kittenModules = {
- disko = {
- enable = true;
- profile = diskoProfile;
-
- ${diskoProfile} = diskoConfig;
- };
-
- # loopback0 = {
- # enable = true;
- # ipv6 = [ "2a13:79c0:ffff:fefe::22f0" ];
- # };
-
- bird = {
- enable = true;
- loopback6 = "2a13:79c0:ffff:fefe::113:25";
-
- static6 = [
- "::/0 recursive 2a13:79c0:ffff:fefe::b00b"
-
- "2a13:79c0:ffff:fefe::113:91/128 via 2a13:79c0:ffff:feff:b00b:3965:113:92" # Announce RouteReflector LoopBack
-
- #"2a13:79c0:ffff::/48 unreachable" # Networking stuff
- #"2a13:79c0:ffff:fefe::/64 unreachable" # LoopBacks
- #"2a13:79c0:ff00::/40 unreachable" # full range /40
- ];
-
- peers = birdPeers;
- };
-
- wireguard = {
- enable = true;
- # defaultIFACE = "ens18";
- peers = wgPeers;
- };
-
- firewall = {
- forward = {
- enable = true;
- keepInvalidState = true;
- rules = ''
- # iifname "''${kittenIFACE}" ip6 saddr 2a13:79c0:ffff:feff:b00b:caca:b173:0/112 oifname $wireguardIFACEs counter accept
- iifname $wireguardIFACEs ip6 daddr 2a13:79c0:ffff:fefe::113:91 tcp dport { 179, 1790 } counter accept
- oifname bootstrap ip6 daddr 2a13:79c0:ffff:feff:b00b:3965:222:0/112 counter accept
-
- ip6 saddr 2a01:cb08:bbb:3700::/64 oifname ens19 counter accept
-
- iifname ens19 oifname $wireguardIFACEs counter accept
- '';
- };
- };
- };
-
- # Set your time zone.
- time.timeZone = "Europe/Paris";
-
- nixpkgs.config.allowUnfree = true;
- # Configure network proxy if necessary
- # networking.proxy.default = "http://user:password@proxy:port/";
- # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
-
- # This option defines the first version of NixOS you have installed on this particular machine,
- # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
- #
- # Most users should NEVER change this value after the initial install, for any reason,
- # even if you've upgraded your system to a new NixOS release.
- #
- # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
- # so changing it will NOT upgrade your system.
- #
- # This value being lower than the current NixOS release does NOT mean your system is
- # out of date, out of support, or vulnerable.
- #
- # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
- # and migrated your data accordingly.
- #
- # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
- system.stateVersion = "23.11"; # Did you read the comment?
-}
diff --git a/hosts/routers/iguane-kit-rtr/hardware-configuration.nix b/hosts/routers/iguane-kit-rtr/hardware-configuration.nix
deleted file mode 100644
index a5d73d2..0000000
--- a/hosts/routers/iguane-kit-rtr/hardware-configuration.nix
+++ /dev/null
@@ -1,36 +0,0 @@
-# Do not modify this file! It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations. Please make changes
-# to /etc/nixos/configuration.nix instead.
-{
- config,
- lib,
- pkgs,
- modulesPath,
- ...
-}:
-
-{
- imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
-
- boot.initrd.availableKernelModules = [
- "ata_piix"
- "uhci_hcd"
- "virtio_pci"
- "sr_mod"
- "virtio_blk"
- ];
-
- boot.initrd.kernelModules = [ ];
- boot.kernelModules = [ "kvm-intel" ];
- boot.extraModulePackages = [ ];
-
- # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
- # (the default) this is the recommended approach. When using systemd-networkd it's
- # still possible to use this option, but it's recommended to use it in conjunction
- # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
- networking.useDHCP = false;
- # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
- # networking.interfaces.ens19.useDHCP = lib.mkDefault true;
-
- nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-}
diff --git a/hosts/routers/iguane-kit-rtr/network-configuration.nix b/hosts/routers/iguane-kit-rtr/network-configuration.nix
deleted file mode 100644
index 7fa1654..0000000
--- a/hosts/routers/iguane-kit-rtr/network-configuration.nix
+++ /dev/null
@@ -1,58 +0,0 @@
-{ lib, ... }:
-let
- iface = "ens18";
- kittenIFACE = "ens19";
-in
-{
- # Pick only one of the below networking options.
- # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
- # networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
- networking = {
- useNetworkd = true;
-
- nftables.tables."nat" = {
- family = "inet";
- name = "nat";
-
- content = lib.mkAfter ''
- chain postrouting {
- type nat hook postrouting priority srcnat; policy accept;
- ip6 daddr 2a13:79c0:ffff:feff:b00b:3965:222:0/112 oifname "bootstrap" counter masquerade # random,persistent
- }
- '';
- };
-
- firewall = {
- allowedTCPPorts = [ 51888 ];
- allowedUDPPorts = [ 51888 ];
- };
-
- #nameservers = [ "1.3.3.7" ];
- interfaces = {
- "${iface}".useDHCP = true;
-
- "${kittenIFACE}" = {
-
- # ipv4.addresses = [
- # {
- # address = "185.10.17.209";
- # prefixLength = 24;
- # }
- # ];
-
- ipv6.addresses = [
- {
- address = "2a13:79c0:ffff:feff:b00b:3965:113:25";
- prefixLength = 112;
- }
- ];
- };
- };
-
- # defaultGateway = {
- # address = "185.10.17.254";
- # metric = 42;
- # interface = iface;
- # };
- };
-}
diff --git a/hosts/routers/iguane-kit-rtr/peers/KIT-VIRTUA-EDGE.nix b/hosts/routers/iguane-kit-rtr/peers/KIT-VIRTUA-EDGE.nix
deleted file mode 100644
index 56be0f3..0000000
--- a/hosts/routers/iguane-kit-rtr/peers/KIT-VIRTUA-EDGE.nix
+++ /dev/null
@@ -1,33 +0,0 @@
-{ ... }:
-let
- kittenASN = 4242421945;
-in
-{
-
- peerAS = kittenASN;
- peerIP = "2a13:79c0:ffff:feff::102";
- localAS = kittenASN;
-
- wireguard = {
- address = "2a13:79c0:ffff:feff::103";
- port = 51800;
- onIFACE = "ens18";
- # endpoint = "[2a07:8dc0:19:1cf::1]:6969";
- endpoint = "185.10.17.209:6969";
-
- peerKey = "p200ujtoVhMNnbrdljxoHqAF7cbfRDRFTA+6ibGvIEg=";
- };
- template = "kittunderlay";
- bgpMED = 100;
- ipv6 = {
- #bgpImports = null;
- bgpImports = "filter filter6_IN_BGP_%s";
- #bgpExportss = [ "2a12:dd47:9330::/44" ];
-
- #bgpExportss = null;
- };
- ipv4 = {
- bgpImports = "filter filter4_IN_BGP_%s";
- #bgpExportss = "filter6_IN_BGP_%s";
- };
-}
diff --git a/hosts/routers/iguane-kit-rtr/peers/KIT-VULTR-EDGE.nix b/hosts/routers/iguane-kit-rtr/peers/KIT-VULTR-EDGE.nix
deleted file mode 100644
index bd91cb9..0000000
--- a/hosts/routers/iguane-kit-rtr/peers/KIT-VULTR-EDGE.nix
+++ /dev/null
@@ -1,32 +0,0 @@
-{ ... }:
-let
- kittenASN = 4242421945;
-in
-{
- peerAS = kittenASN;
- peerIP = "2a13:79c0:ffff:feff::105";
- localAS = kittenASN;
-
- wireguard = {
- address = "2a13:79c0:ffff:feff::104";
- port = 51801;
- onIFACE = "ens18";
- # endpoint = "[2001:19f0:6801:365:5400:4ff:fe82:5c6e]:6969";
- endpoint = "140.82.55.252:6969";
- peerKey = "H8z/i9mmbIukPwLJooVP/d+T4pi9IRFC/UYA7gcEzFM=";
- };
-
- template = "kittunderlay";
- bgpMED = 100;
- ipv6 = {
- #bgpImports = null;
- bgpImports = "filter filter6_IN_BGP_%s";
- #bgpExportss = [ "2a12:dd47:9330::/44" ];
-
- #bgpExportss = null;
- };
- ipv4 = {
- bgpImports = "filter filter4_IN_BGP_%s";
- #bgpExportss = "filter6_IN_BGP_%s";
- };
-}
diff --git a/hosts/routers/iguane-kit-rtr/peers/KIT-aurelien-RBR.nix b/hosts/routers/iguane-kit-rtr/peers/KIT-aurelien-RBR.nix
deleted file mode 100644
index 21a7235..0000000
--- a/hosts/routers/iguane-kit-rtr/peers/KIT-aurelien-RBR.nix
+++ /dev/null
@@ -1,31 +0,0 @@
-{ ... }:
-let
- kittenASN = 4242421945;
-in
-{
- peerAS = kittenASN;
- peerIP = "2a13:79c0:ffff:feff::52";
- localAS = kittenASN;
-
- wireguard = {
- address = "2a13:79c0:ffff:feff::53";
- port = 51842;
- onIFACE = "ens18";
-
- peerKey = "M/aH47ot5gjYcF2D3gG2uM087pq/FrbmBzd2s/Q0Uno=";
- };
-
- template = "kittunderlay";
- bgpMED = 100;
- ipv6 = {
- #bgpImports = null;
- bgpImports = "filter filter6_IN_BGP_%s";
- #bgpExportss = [ "2a12:dd47:9330::/44" ];
-
- #bgpExportss = null;
- };
- ipv4 = {
- bgpImports = "filter filter4_IN_BGP_%s";
- #bgpExportss = "filter6_IN_BGP_%s";
- };
-}
diff --git a/hosts/routers/iguane-kit-rtr/peers/KIT-roumain-NTE.nix b/hosts/routers/iguane-kit-rtr/peers/KIT-roumain-NTE.nix
deleted file mode 100644
index 66bd13a..0000000
--- a/hosts/routers/iguane-kit-rtr/peers/KIT-roumain-NTE.nix
+++ /dev/null
@@ -1,32 +0,0 @@
-{ ... }:
-let
- kittenASN = 4242421945;
-in
-{
- peerAS = kittenASN;
- peerIP = "2a13:79c0:ffff:feff::36";
- localAS = kittenASN;
-
- wireguard = {
- address = "2a13:79c0:ffff:feff::37";
- # port = 51801;
- # onIFACE = "ens18";
-
- endpoint = "82.65.74.170:6969";
- peerKey = "jPWPbIKshdOqdm8IdumAzgjI9yHgURLCTEfIU0v9KDc=";
- };
-
- template = "kittunderlay";
- bgpMED = 100;
- ipv6 = {
- #bgpImports = null;
- bgpImports = "filter filter6_IN_BGP_%s";
- #bgpExportss = [ "2a12:dd47:9330::/44" ];
-
- #bgpExportss = null;
- };
- ipv4 = {
- bgpImports = "filter filter4_IN_BGP_%s";
- #bgpExportss = "filter6_IN_BGP_%s";
- };
-}
diff --git a/hosts/routers/iguane-kit-rtr/peers/KIT-roumainNix-NTE.nix b/hosts/routers/iguane-kit-rtr/peers/KIT-roumainNix-NTE.nix
deleted file mode 100644
index b5c0e40..0000000
--- a/hosts/routers/iguane-kit-rtr/peers/KIT-roumainNix-NTE.nix
+++ /dev/null
@@ -1,32 +0,0 @@
-{ ... }:
-let
- kittenASN = 4242421945;
-in
-{
- peerAS = kittenASN;
- peerIP = "2a13:79c0:ffff:feff::115";
- localAS = kittenASN;
-
- wireguard = {
- address = "2a13:79c0:ffff:feff::114";
- port = 51821;
- onIFACE = "ens18";
-
- # endpoint = "82.65.74.170:6969";
- peerKey = "tTY05MJgkKXf8pEZ4kC1TLWWTeIrh3KzyZdsmlUHTVM=";
- };
-
- template = "kittunderlay";
- bgpMED = 100;
- ipv6 = {
- #bgpImports = null;
- bgpImports = "filter filter6_IN_BGP_%s";
- #bgpExportss = [ "2a12:dd47:9330::/44" ];
-
- #bgpExportss = null;
- };
- ipv4 = {
- bgpImports = "filter filter4_IN_BGP_%s";
- #bgpExportss = "filter6_IN_BGP_%s";
- };
-}
diff --git a/hosts/routers/iguane-kit-rtr/peers/KIT-toinux-MEL1.nix b/hosts/routers/iguane-kit-rtr/peers/KIT-toinux-MEL1.nix
deleted file mode 100644
index ed5ceab..0000000
--- a/hosts/routers/iguane-kit-rtr/peers/KIT-toinux-MEL1.nix
+++ /dev/null
@@ -1,32 +0,0 @@
-{ ... }:
-let
- kittenASN = 4242421945;
- toinuxASN = 4242423692;
-in
-{
- peerAS = toinuxASN;
- peerIP = "2a13:79c0:ffff:feff::3013";
- localAS = toinuxASN;
-
- wireguard = {
- address = "2a13:79c0:ffff:feff::3012";
- port = 51851;
- onIFACE = "ens18";
-
- peerKey = "xFNmHprArmxWD0W0YhD8nQZR1EbpXNWU8Rr5puSrDyw=";
- };
-
- template = "kittunderlay";
- bgpMED = 100;
- ipv6 = {
- #bgpImports = null;
- bgpImports = "filter filter6_IN_BGP_%s";
- #bgpExportss = [ "2a12:dd47:9330::/44" ];
-
- #bgpExportss = null;
- };
- ipv4 = {
- bgpImports = "filter filter4_IN_BGP_%s";
- #bgpExportss = "filter6_IN_BGP_%s";
- };
-}
diff --git a/hosts/routers/iguane-kit-rtr/peers/default.nix b/hosts/routers/iguane-kit-rtr/peers/default.nix
deleted file mode 100644
index 35ee870..0000000
--- a/hosts/routers/iguane-kit-rtr/peers/default.nix
+++ /dev/null
@@ -1,18 +0,0 @@
-{ kittenLib, ... }:
-kittenLib.peers {
- host = ./.;
- profile = ../..;
-
- blacklist = [ ];
- manual = {
- # Internal Tunnels
- virtuaNix_PAR = ./KIT-VIRTUA-EDGE.nix;
- vultrNix_PAR = ./KIT-VULTR-EDGE.nix;
- # LGC_virtua_PAR = ./KIT-VIRTUA-EDGE.legacy.nix;
-
- aureG8 = ./KIT-aurelien-RBR.nix;
- toinuxMEL1 = ./KIT-toinux-MEL1.nix;
- roumainNTE = ./KIT-roumain-NTE.nix;
- roumaiNixNTE = ./KIT-roumainNix-NTE.nix;
- };
-}
diff --git a/hosts/routers/virtua-kit-edge/default.nix b/hosts/routers/virtua-kit-edge/default.nix
deleted file mode 100644
index 9592646..0000000
--- a/hosts/routers/virtua-kit-edge/default.nix
+++ /dev/null
@@ -1,124 +0,0 @@
-# Edit this configuration file to define what should be installed on
-# your system. Help is available in the configuration.nix(5) man page, on
-# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
-
-args@{
- config,
- kittenLib,
- lib,
- pkgs,
- ...
-}:
-let
- diskoProfile = "simple";
- diskoConfig = {
- bootdisk = "/dev/sda";
- swapSize = 1024;
- };
-
- peers = import ./peers args;
-
- wgPeers = (
- lib.mapAttrs (n: v: v.wireguard) (lib.filterAttrs (n: v: v ? wireguard && v.wireguard != { }) peers)
- );
-
- birdPeers = (lib.mapAttrs (n: v: builtins.removeAttrs v [ "wireguard" ]) peers);
-in
-{
- imports = [
- ./hardware-configuration.nix
- ./network-configuration.nix
-
- ../../../modules/system/kitten/connect/bird2/snippets/kittenCores.nix
- ];
-
- deployment = {
- # Disable SSH deployment. This node will be skipped in a
- # normal`colmena apply`.
- targetUser = "root";
- targetHost = null; # TODO: implement
- };
-
- # Bootloader.
- boot.loader.grub.efiSupport = false;
- boot.loader.grub.enable = true;
-
- kittenModules = {
- disko = {
- enable = true;
- profile = diskoProfile;
-
- ${diskoProfile} = diskoConfig;
- };
-
- # loopback0 = {
- # enable = true;
- # ipv6 = [ "2a13:79c0:ffff:fefe::12:10" ];
- # };
-
- bird = {
- enable = true;
-
- loopback6 = "2a13:79c0:ffff:fefe::12:10";
-
- static6 = [
- # "::/0 recursive 2a13:79c0:ffff:fefe::b00b"
- # ''2a0d:e680:0::b:1/128 via "enp1s0"'' # Vultr bgp neighbor
- "2a13:79c0:ffff:fefe::b00b/128 unreachable"
- #"2a13:79c0:ffff::/48 unreachable" # Networking stuff
- #"2a13:79c0:ffff:fefe::/64 unreachable" # LoopBacks
- "2a13:79c0:ff00::/40 unreachable" # full range /40
- ];
-
- peers = birdPeers;
- };
-
- wireguard = {
- enable = true;
- # defaultIFACE = "ens18";
- peers = wgPeers;
- };
-
- firewall = {
- forward = {
- enable = true;
- keepInvalidState = true;
- # rules = ''
- # # iifname "''${kittenIFACE}" ip6 saddr 2a13:79c0:ffff:feff:b00b:caca:b173:0/112 oifname $wireguardIFACEs 
counter accept
- # iifname $wireguardIFACEs ip6 daddr 2a13:79c0:ffff:fefe::113:91 tcp dport { 179, 1790 } counter accept
- # oifname bootstrap ip6 daddr 2a13:79c0:ffff:feff:b00b:3965:222:0/112 counter accept
-
- # ip6 saddr 2a01:cb08:bbb:3700::/64 oifname ens19 counter accept
-
- # iifname ens19 oifname $wireguardIFACEs counter accept
- # '';
- };
- };
- };
-
- # Set your time zone.
- time.timeZone = "Europe/Paris";
-
- nixpkgs.config.allowUnfree = true;
- # Configure network proxy if necessary
- # networking.proxy.default = "http://user:password@proxy:port/";
- # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
-
- # This option defines the first version of NixOS you have installed on this particular machine,
- # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
- #
- # Most users should NEVER change this value after the initial install, for any reason,
- # even if you've upgraded your system to a new NixOS release.
- #
- # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
- # so changing it will NOT upgrade your system.
- #
- # This value being lower than the current NixOS release does NOT mean your system is
- # out of date, out of support, or vulnerable.
- #
- # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
- # and migrated your data accordingly.
- #
- # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
- system.stateVersion = "23.11"; # Did you read the comment?
-}
diff --git a/hosts/routers/virtua-kit-edge/hardware-configuration.nix b/hosts/routers/virtua-kit-edge/hardware-configuration.nix
deleted file mode 100644
index 9d82589..0000000
--- a/hosts/routers/virtua-kit-edge/hardware-configuration.nix
+++ /dev/null
@@ -1,24 +0,0 @@
-# Do not modify this file! It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations. Please make changes
-# to /etc/nixos/configuration.nix instead.
-{
- config,
- lib,
- pkgs,
- modulesPath,
- ...
-}:
-
-{
- imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
-
- boot.initrd.availableKernelModules = [
- "ata_piix"
- "uhci_hcd"
- "sd_mod"
- "sr_mod"
- ];
- boot.initrd.kernelModules = [ ];
- boot.kernelModules = [ ];
- boot.extraModulePackages = [ ];
-}
diff --git a/hosts/routers/virtua-kit-edge/network-configuration.nix b/hosts/routers/virtua-kit-edge/network-configuration.nix
deleted file mode 100644
index 6de2848..0000000
--- a/hosts/routers/virtua-kit-edge/network-configuration.nix
+++ /dev/null
@@ -1,45 +0,0 @@
-{ ... }:
-let
- iface = "ens18";
- # kittenIFACE = "ens19";
-in
-{
- kittenModules = {
- bird.transitInterfaces = [ iface ];
- };
-
- networking = {
- #nameservers = [ "1.3.3.7" ];
- interfaces = {
- "${iface}" = {
- ipv4.addresses = [
- {
- address = "185.10.17.209";
- prefixLength = 24;
- }
- ];
-
- ipv6.addresses = [
- {
- address = "2a07:8dc0:19:1cf::1";
- prefixLength = 128;
- }
- ];
- };
- };
- defaultGateway = {
- address = "185.10.17.254";
- metric = 42;
- interface = iface;
- };
- defaultGateway6 = {
- address = "fe80::1";
- metric = 42;
- interface = iface;
- };
- useDHCP = false;
- #dhcpcd.enable = false;
- };
-
- systemd.network.enable = true;
-}
diff --git a/hosts/routers/virtua-kit-edge/peers/KIT-IG1-RTR.nix b/hosts/routers/virtua-kit-edge/peers/KIT-IG1-RTR.nix
deleted file mode 100644
index 599f480..0000000
--- a/hosts/routers/virtua-kit-edge/peers/KIT-IG1-RTR.nix
+++ /dev/null
@@ -1,30 +0,0 @@
-{ ... }:
-let
- kittenASN = 4242421945;
-in
-{
- peerAS = kittenASN;
- peerIP = "2a13:79c0:ffff:feff::103";
- localAS = kittenASN;
-
- wireguard = {
- address = "2a13:79c0:ffff:feff::102";
- port = 6969;
-
- peerKey = "gDriA5mhKKh44OHEIxmmevphoVRLK45TRJmFS1DV1i4=";
- };
-
- template = "kittunderlay";
- bgpMED = 100;
- ipv6 = {
- #imports = null;
- bgpImports = "filter filter6_IN_BGP_%s";
- #exports = [ "2a12:dd47:9330::/44" ];
-
- #exports = null;
- };
- ipv4 = {
- bgpImports = "filter filter4_IN_BGP_%s";
- #exports = x: "filter6_IN_BGP_${toString x}";
- };
-}
diff --git a/hosts/routers/virtua-kit-edge/peers/KIT-VIRTUA-EDGE.legacy.nix b/hosts/routers/virtua-kit-edge/peers/KIT-VIRTUA-EDGE.legacy.nix
deleted file mode 100644
index d96bb2a..0000000
--- a/hosts/routers/virtua-kit-edge/peers/KIT-VIRTUA-EDGE.legacy.nix
+++ /dev/null
@@ -1,50 +0,0 @@
-{ ... }:
-let
- kittenASN = 4242421945;
-in
-{
- # vultr6
- # AS64515
- # Peer-IP : 2001:19f0:ffff::1
-
- # protocol bgp TRANSIT_VULTR6 {
- #
- # multihop 2;
- #
-
- # ipv6 {
- # export filter {
- # if ( net ~ [ 2a13:79c0:ff00::/40, 2a12:dd47:9330::/44 ] ) then {
- # accept;
- # }
- # reject;
- # };
- # import none;
- # };
- #
- # }
- peerAS = kittenASN;
- peerIP = "2a13:79c0:ffff:feff::110";
- localAS = kittenASN;
-
- wireguard = {
- address = "2a13:79c0:ffff:feff::111";
- port = 6978;
- # endpoint = "[2a07:8dc0:19:1cf::1]:51800";
- # peerKey = "p200ujtoVhMNnbrdljxoHqAF7cbfRDRFTA+6ibGvIEg=";
- peerKey = "rMTaMWJYlgTKJoE0PnVOo9SKHTppEfYK5KtWjBI9mC8=";
- };
- template = "kittunderlay";
- bgpMED = 6666;
- ipv6 = {
- #imports = null;
- bgpImports = "filter filter6_IN_BGP_%s";
- #exports = [ "2a12:dd47:9330::/44" ];
-
- #exports = null;
- };
- ipv4 = {
- bgpImports = "filter filter4_IN_BGP_%s";
- #exports = x: "filter6_IN_BGP_${toString x}";
- };
-}
diff --git a/hosts/routers/virtua-kit-edge/peers/KIT-vultr-edge.nix b/hosts/routers/virtua-kit-edge/peers/KIT-vultr-edge.nix
deleted file mode 100644
index 47bf774..0000000
--- a/hosts/routers/virtua-kit-edge/peers/KIT-vultr-edge.nix
+++ /dev/null
@@ -1,30 +0,0 @@
-{ ... }:
-let
- kittenASN = 4242421945;
-in
-{
- peerAS = kittenASN;
- peerIP = "2a13:79c0:ffff:feff::10f";
- localAS = kittenASN;
-
- wireguard = {
- address = "2a13:79c0:ffff:feff::10e";
- port = 51801;
- endpoint = "[2001:19f0:6801:365:5400:4ff:fe82:5c6e]:51801";
- peerKey = "H8z/i9mmbIukPwLJooVP/d+T4pi9IRFC/UYA7gcEzFM=";
- };
-
- template = "kittunderlay";
- bgpMED = 100;
- ipv6 = {
- #imports = null;
- bgpImports = "filter filter6_IN_BGP_%s";
- #exports = [ "2a12:dd47:9330::/44" ];
-
- #exports = null;
- };
- ipv4 = {
- bgpImports = "filter filter4_IN_BGP_%s";
- #exports = x: "filter6_IN_BGP_${toString x}";
- };
-}
diff --git a/hosts/routers/virtua-kit-edge/peers/TRS-virtua6-RS01.nix b/hosts/routers/virtua-kit-edge/peers/TRS-virtua6-RS01.nix
deleted file mode 100644
index 7d3d13b..0000000
--- a/hosts/routers/virtua-kit-edge/peers/TRS-virtua6-RS01.nix
+++ /dev/null
@@ -1,19 +0,0 @@
-{ ... }:
-{
- localAS = 207175;
- peerAS = 35661;
- peerIP = "2a0d:e680:0::b:1";
- multihop = 5;
-
- passwordRef = "virtua";
-
- ipv6 = {
- bgpImports = null;
- bgpExports = [
- "2a13:79c0:ff00::/40" # Prod /40
-
- # "2a12:dd47:9330::/44"
- ];
- #exports = null;
- };
-}
diff --git a/hosts/routers/virtua-kit-edge/peers/TRS-virtua6-RS02.nix b/hosts/routers/virtua-kit-edge/peers/TRS-virtua6-RS02.nix
deleted file mode 100644
index ecab9a7..0000000
--- a/hosts/routers/virtua-kit-edge/peers/TRS-virtua6-RS02.nix
+++ /dev/null
@@ -1,18 +0,0 @@
-{ ... }:
-{
- localAS = 207175;
- peerAS = 35661;
- peerIP = "2a0d:e680:0::b:2";
- multihop = 5;
-
- passwordRef = "virtua";
-
- ipv6 = {
- bgpImports = null;
- bgpExports = [
- "2a13:79c0:ff00::/40" # Prod /40
- "2a12:dd47:9330::/44"
- ];
- #exports = null;
- };
-}
diff --git a/hosts/routers/virtua-kit-edge/peers/default.nix b/hosts/routers/virtua-kit-edge/peers/default.nix
deleted file mode 100644
index 423b2b5..0000000
--- a/hosts/routers/virtua-kit-edge/peers/default.nix
+++ /dev/null
@@ -1,17 +0,0 @@
-{ kittenLib, ... }:
-kittenLib.peers {
- host = ./.;
- profile = ../..;
-
- blacklist = [ "KIT-VIRTUA-EDGE.legacy" ];
- manual = {
- # Transit
- TRS_virtua6_RS01 = ./TRS-virtua6-RS01.nix;
- TRS_virtua6_RS02 = ./TRS-virtua6-RS02.nix;
-
- # Internal Tunnels
- KIT_IG1_RTR = ./KIT-IG1-RTR.nix;
- vultrNix_PAR = ./KIT-vultr-edge.nix;
- # LGC_virtua_PAR = ./KIT-VIRTUA-EDGE.legacy.nix;
- };
-}
diff --git a/hosts/stonkmembers/default.nix b/hosts/stonkmembers/default.nix
deleted file mode 100644
index 191f564..0000000
--- a/hosts/stonkmembers/default.nix
+++ /dev/null
@@ -1,32 +0,0 @@
-# Edit this configuration file to define what should be installed on
-# your system. Help is available in the configuration.nix(5) man page, on
-# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
-
-{
- config,
- lib,
- pkgs,
- ...
-}:
-
-{
- imports = [
- # Include the results of the hardware scan.
- ./k3s.nix # K3s
- ];
-
- # Configure network proxy if necessary
- # networking.proxy.default = "http://user:password@proxy:port/";
- # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
-
- # Select internationalisation properties.
- i18n.defaultLocale = "en_US.UTF-8";
-
- # List services that you want to enable:
-
- # Open ports in the firewall.
- # networking.firewall.allowedTCPPorts = [ ... ];
- # networking.firewall.allowedUDPPorts = [ ... ];
- # Or disable the firewall altogether.
- networking.firewall.enable = false;
-}
diff --git a/hosts/stonkmembers/k3s.nix b/hosts/stonkmembers/k3s.nix
deleted file mode 100644
index 11b3457..0000000
--- a/hosts/stonkmembers/k3s.nix
+++ /dev/null
@@ -1,65 +0,0 @@
-{
- config,
- kubeConfig,
- lib,
- pkgs,
- ...
-}:
-
-let
- deps = with pkgs; [
- ipset
- iptables
- nfs-utils
- miniupnpc
- ];
-
- sopsFile = ../../secrets/_default.yaml;
-in
-{
- sops.secrets.k3s_cluster_token = {
- inherit sopsFile;
- };
-
- sops.secrets.k3s_token = {
- inherit sopsFile;
- };
-
- services.k3s = {
- enable = true;
- role = if kubeConfig.controller then "server" else "agent";
-
- tokenFile =
- if kubeConfig.controller then
- config.sops.secrets.k3s_cluster_token.path
- else
- config.sops.secrets.k3s_token.path;
- clusterInit = kubeConfig.master;
- #serverAddr = lib.mkIf (master == false) "https://[2a13:79c0:ffff:feff:b00b:3945:a51:210]:6443";
- serverAddr = lib.mkIf (!kubeConfig.master) "https://stonkstation:6443";
- extraFlags = toString (
- [ "--flannel-iface=vlan91" ]
- ++ lib.optionals (kubeConfig.controller) [
- # "--kubelet-arg=v=4" # Optionally add additional args to k3s
- "--kubelet-arg=container-log-max-files=5"
- "--kubelet-arg=container-log-max-size=10Mi"
- "--kube-apiserver-arg enable-admission-plugins=PodNodeSelector,CertificateApproval,CertificateSigning,CertificateSubjectRestriction,DefaultIngressClass,DefaultStorageClass,DefaultTolerationSeconds,LimitRanger,MutatingAdmissionWebhook,NamespaceLifecycle,PersistentVolumeClaimResize,PodSecurity,Priority,ResourceQuota,RuntimeClass,ServiceAccount,StorageObjectInUseProtection,TaintNodesByCondition,ValidatingAdmissionPolicy,ValidatingAdmissionWebhook"
- "--kube-apiserver-arg oidc-issuer-url=https://auth.home.kube.kittenconnect.net/"
- "--kube-apiserver-arg oidc-client-id=KubernetesAPIClient"
- "--kube-apiserver-arg oidc-username-claim=email"
- "--kube-apiserver-arg oidc-groups-claim=groups"
- "--cluster-cidr=10.42.0.0/16,fd42::/48"
- "--service-cidr=10.43.0.0/16,fd43::/112"
- "--flannel-ipv6-masq"
- "--flannel-backend=wireguard-native"
- "--flannel-external-ip"
-
- "--disable=servicelb,local-storage,traefik"
- "--secrets-encryption"
- ]
- );
- };
-
- environment.systemPackages = [ pkgs.k3s ] ++ deps;
- systemd.services.k3s.path = deps;
-}
diff --git a/hosts/stonkmembers/poubelle00/configuration.nix b/hosts/stonkmembers/poubelle00/configuration.nix
deleted file mode 100644
index d3e173f..0000000
--- a/hosts/stonkmembers/poubelle00/configuration.nix
+++ /dev/null
@@ -1,73 +0,0 @@
-# Edit this configuration file to define what should be installed on
-# your system. Help is available in the configuration.nix(5) man page, on
-# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
-
-{
- config,
- targetConfig,
- lib,
- pkgs,
- ...
-}:
-
-{
- # Use the GRUB 2 boot loader.
- boot.loader.grub.enable = true;
- # boot.loader.grub.efiSupport = true;
- # boot.loader.grub.efiInstallAsRemovable = true;
- # boot.loader.efi.efiSysMountPoint = "/boot/efi";
- # Define on which hard drive you want to install Grub.
- boot.loader.grub.device = "${targetConfig.bootdisk}"; # or "nodev" for efi only
-
- # Pick only one of the below networking options.
- # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
- # networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
- networking = {
- #vlans = {
- # vlan420 = { id=420; interface="eno1"; };
- # vlan91 = { id=91; interface="eno1"; };
- #};
- interfaces = {
- ens18.ipv6.addresses = [
- {
- address = "2a13:79c0:ffff:feff:b00b:3945:a51:200";
- prefixLength = 112;
- }
- ];
- # vlan420.ipv4.addresses = [{
- # address = "10.10.4.210";
- # prefixLength = 24;
- # }];
- };
- defaultGateway6 = {
- address = "2a13:79c0:ffff:feff:b00b:3945:a51:10";
- interface = "ens18";
- };
- dhcpcd.enable = true;
- };
-
- # Set your time zone.
- time.timeZone = "Europe/Paris";
-
- # Configure network proxy if necessary
- # networking.proxy.default = "http://user:password@proxy:port/";
- # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
-
- # This option defines the first version of NixOS you have installed on this particular machine,
- # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
- #
- # Most users should NEVER change this value after the initial install, for any reason,
- # even if you've upgraded your system to a new NixOS release.
- #
- # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
- # so changing it will NOT upgrade your system.
- #
- # This value being lower than the current NixOS release does NOT mean your system is
- # out of date, out of support, or vulnerable.
- #
- # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
- # and migrated your data accordingly.
- #
- # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
- system.stateVersion = "24.05"; # Did you read the comment?
-}
diff --git a/hosts/stonkmembers/poubelle00/default.nix b/hosts/stonkmembers/poubelle00/default.nix
deleted file mode 100644
index 3caea68..0000000
--- a/hosts/stonkmembers/poubelle00/default.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{ ... }:
-{
- # need rework
- bootdisk = "/dev/sda";
- interface = "ens18";
- mainSerial = "0";
-}
diff --git a/hosts/stonkmembers/poubelle00/disk-config.nix b/hosts/stonkmembers/poubelle00/disk-config.nix
deleted file mode 100644
index 7a014b7..0000000
--- a/hosts/stonkmembers/poubelle00/disk-config.nix
+++ /dev/null
@@ -1,63 +0,0 @@
-# Example to create a bios compatible gpt partition
-{ lib, ... }:
-{
- disko.devices = {
- disk.disk1 = {
- device = lib.mkDefault "/dev/vda";
- type = "disk";
- content = {
- type = "table";
- format = "msdos";
- partitions = [
- {
- name = "boot";
- start = "1M";
- end = "500M";
- part-type = "primary";
- bootable = true;
- content = {
- type = "filesystem";
- format = "ext3";
- mountpoint = "/boot";
- };
- }
- {
- name = "root";
- start = "500M";
- part-type = "primary";
- end = "100%";
- content = {
- type = "lvm_pv";
- vg = "SSD";
- };
- }
- ];
- };
- };
- lvm_vg = {
- SSD = {
- type = "lvm_vg";
- lvs = {
- root = {
- size = "15G";
- content = {
- type = "filesystem";
- format = "ext4";
- mountpoint = "/";
- mountOptions = [ "defaults" ];
- };
- };
- k3s = {
- size = "100%FREE";
- content = {
- type = "filesystem";
- format = "ext4";
- mountpoint = "/var/lib/rancher";
- mountOptions = [ "defaults" ];
- };
- };
- };
- };
- };
- };
-}
diff --git a/hosts/stonkmembers/poubelle00/hardware-configuration.nix b/hosts/stonkmembers/poubelle00/hardware-configuration.nix
deleted file mode 100644
index 36b4585..0000000
--- a/hosts/stonkmembers/poubelle00/hardware-configuration.nix
+++ /dev/null
@@ -1,34 +0,0 @@
-# Do not modify this file! It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations. Please make changes
-# to /etc/nixos/configuration.nix instead.
-{
- config,
- lib,
- pkgs,
- modulesPath,
- ...
-}:
-
-{
- imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
-
- boot.initrd.availableKernelModules = [
- "ata_piix"
- "uhci_hcd"
- "virtio_pci"
- "sr_mod"
- "virtio_blk"
- ];
- boot.initrd.kernelModules = [ ];
- boot.kernelModules = [ "kvm-intel" ];
- boot.extraModulePackages = [ ];
-
- # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
- # (the default) this is the recommended approach. When using systemd-networkd it's
- # still possible to use this option, but it's recommended to use it in conjunction
- # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
- networking.useDHCP = lib.mkDefault true;
- # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
-
- nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-}
diff --git a/hosts/stonkmembers/prodesk/configuration.nix b/hosts/stonkmembers/prodesk/configuration.nix
deleted file mode 100644
index 2109f1b..0000000
--- a/hosts/stonkmembers/prodesk/configuration.nix
+++ /dev/null
@@ -1,97 +0,0 @@
-# Edit this configuration file to define what should be installed on
-# your system. Help is available in the configuration.nix(5) man page, on
-# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
-
-{
- config,
- targetConfig,
- lib,
- pkgs,
- ...
-}:
-
-{
- # Use the GRUB 2 boot loader.
- #boot.loader.grub.enable = true;
- # boot.loader.grub.efiSupport = true;
- # boot.loader.grub.efiInstallAsRemovable = true;
- boot.loader.efi.efiSysMountPoint = "/boot";
- boot.loader.grub.enable = true;
- boot.loader.grub.efiSupport = true;
- boot.loader.grub.efiInstallAsRemovable = true;
- # Define on which hard drive you want to install Grub.
- # boot.loader.grub.device = "${targetConfig.bootdisk}"; # or "nodev" for efi only
- # Use the systemd-boot EFI boot loader.
-
- # Pick only one of the below networking options.
- # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
- # networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
- boot.kernel.sysctl."net.ipv6.conf.${targetConfig.interface}.disable_ipv6" = true;
- networking = {
- vlans = {
- vlan420 = {
- id = 420;
- interface = "${targetConfig.interface}";
- };
- vlan91 = {
- id = 91;
- interface = "${targetConfig.interface}";
- };
- };
- interfaces = {
- "${targetConfig.interface}".useDHCP = true;
- vlan91.ipv4.addresses = [
- {
- address = "100.100.91.106";
- prefixLength = 24;
- }
- ];
- vlan91.ipv6.addresses = [
- {
- address = "2a13:79c0:ffff:feff:b00b:3945:a51:202";
- prefixLength = 112;
- }
- ];
- vlan420.ipv4.addresses = [
- {
- address = "10.10.4.202";
- prefixLength = 24;
- }
- ];
- };
- defaultGateway = {
- address = "100.100.91.10";
- metric = 1042;
- };
- defaultGateway6 = {
- address = "2a13:79c0:ffff:feff:b00b:3945:a51:10";
- };
- useDHCP = false;
- #dhcpcd.enable = true;
- };
-
- # Set your time zone.
- time.timeZone = "Europe/Paris";
-
- # Configure network proxy if necessary
- # networking.proxy.default = "http://user:password@proxy:port/";
- # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
-
- # This option defines the first version of NixOS you have installed on this particular machine,
- # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
- #
- # Most users should NEVER change this value after the initial install, for any reason,
- # even if you've upgraded your system to a new NixOS release.
- #
- # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
- # so changing it will NOT upgrade your system.
- #
- # This value being lower than the current NixOS release does NOT mean your system is
- # out of date, out of support, or vulnerable.
- #
- # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
- # and migrated your data accordingly.
- #
- # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
- system.stateVersion = "24.05"; # Did you read the comment?
-}
diff --git a/hosts/stonkmembers/prodesk/default.nix b/hosts/stonkmembers/prodesk/default.nix
deleted file mode 100644
index b91b6f3..0000000
--- a/hosts/stonkmembers/prodesk/default.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{ ... }:
-{
- bootdisk = "/dev/sda";
- bootloader = "grub";
- interface = "eno1";
- mainSerial = "4";
-}
diff --git a/hosts/stonkmembers/prodesk/disk-config.nix b/hosts/stonkmembers/prodesk/disk-config.nix
deleted file mode 100644
index 25c1865..0000000
--- a/hosts/stonkmembers/prodesk/disk-config.nix
+++ /dev/null
@@ -1,62 +0,0 @@
-# Example to create a bios compatible gpt partition
-{ lib, targetConfig, ... }:
-{
- disko.devices = {
- disk.disk1 = {
- device = lib.mkDefault "${targetConfig.bootdisk}";
- type = "disk";
- content = {
- type = "gpt";
- partitions = {
- boot = {
- size = "1M";
- type = "EF02"; # for grub MBR
- };
-
- ESP = {
- size = "512M";
- type = "EF00";
- content = {
- type = "filesystem";
- format = "vfat";
- mountpoint = "/boot";
- };
- };
-
- root = {
- size = "100%";
- content = {
- type = "lvm_pv";
- vg = "SSD";
- };
- };
- };
- };
- };
- lvm_vg = {
- SSD = {
- type = "lvm_vg";
- lvs = {
- root = {
- size = "15G";
- content = {
- type = "filesystem";
- format = "ext4";
- mountpoint = "/";
- mountOptions = [ "defaults" ];
- };
- };
- k3s = {
- size = "100%FREE";
- content = {
- type = "filesystem";
- format = "ext4";
- mountpoint = "/var/lib/rancher";
- mountOptions = [ "defaults" ];
- };
- };
- };
- };
- };
- };
-}
diff --git a/hosts/stonkmembers/prodesk/hardware-configuration.nix b/hosts/stonkmembers/prodesk/hardware-configuration.nix
deleted file mode 100644
index b52df0e..0000000
--- a/hosts/stonkmembers/prodesk/hardware-configuration.nix
+++ /dev/null
@@ -1,34 +0,0 @@
-# Do not modify this file! It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations. Please make changes
-# to /etc/nixos/configuration.nix instead.
-{
- config,
- lib,
- pkgs,
- modulesPath,
- ...
-}:
-
-{
- imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
-
- boot.initrd.availableKernelModules = [
- "xhci_pci"
- "ahci"
- "usbhid"
- "sd_mod"
- ];
- boot.initrd.kernelModules = [ "dm-snapshot" ];
- boot.kernelModules = [ ];
- boot.extraModulePackages = [ ];
-
- # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
- # (the default) this is the recommended approach. When using systemd-networkd it's
- # still possible to use this option, but it's recommended to use it in conjunction
- # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
- # networking.useDHCP = lib.mkDefault true;
- # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
-
- nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
- hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
-}
diff --git a/hosts/stonkmembers/stonkstation/configuration.nix b/hosts/stonkmembers/stonkstation/configuration.nix
deleted file mode 100644
index 305268c..0000000
--- a/hosts/stonkmembers/stonkstation/configuration.nix
+++ /dev/null
@@ -1,95 +0,0 @@
-# Edit this configuration file to define what should be installed on
-# your system. Help is available in the configuration.nix(5) man page, on
-# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
-
-{
- config,
- targetConfig,
- lib,
- pkgs,
- ...
-}:
-
-{
- # Use the GRUB 2 boot loader.
- boot.loader.grub.enable = true;
- # boot.loader.grub.efiSupport = true;
- # boot.loader.grub.efiInstallAsRemovable = true;
- # boot.loader.efi.efiSysMountPoint = "/boot/efi";
- # Define on which hard drive you want to install Grub.
- boot.loader.grub.device = "${targetConfig.bootdisk}"; # or "nodev" for efi only
-
- # Pick only one of the below networking options.
- # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
- # networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
- boot.kernel.sysctl."net.ipv6.conf.${targetConfig.interface}.disable_ipv6" = true;
- networking = {
- #nameservers = [ "1.3.3.7" ];
- vlans = {
- vlan420 = {
- id = 420;
- interface = "${targetConfig.interface}";
- };
- vlan91 = {
- id = 91;
- interface = "${targetConfig.interface}";
- };
- };
- interfaces = {
- "${targetConfig.interface}".useDHCP = true;
- vlan91.ipv4.addresses = [
- {
- address = "100.100.91.104";
- prefixLength = 24;
- }
- ];
- vlan91.ipv6.addresses = [
- {
- address = "2a13:79c0:ffff:feff:b00b:3945:a51:210";
- prefixLength = 112;
- }
- ];
- vlan420.ipv4.addresses = [
- {
- address = "10.10.4.210";
- prefixLength = 24;
- }
- ];
- };
- defaultGateway = {
- address = "100.100.91.10";
- metric = 1042;
- };
- defaultGateway6 = {
- address = "2a13:79c0:ffff:feff:b00b:3945:a51:10";
- metric = 1042;
- };
- useDHCP = false;
- #dhcpcd.enable = false;
- };
-
- # Set your time zone.
- time.timeZone = "Europe/Paris";
-
- # Configure network proxy if necessary
- # networking.proxy.default = "http://user:password@proxy:port/";
- # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
-
- # This option defines the first version of NixOS you have installed on this particular machine,
- # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
- #
- # Most users should NEVER change this value after the initial install, for any reason,
- # even if you've upgraded your system to a new NixOS release.
- #
- # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
- # so changing it will NOT upgrade your system.
- #
- # This value being lower than the current NixOS release does NOT mean your system is
- # out of date, out of support, or vulnerable.
- #
- # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
- # and migrated your data accordingly.
- #
- # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
- system.stateVersion = "24.05"; # Did you read the comment?
-}
diff --git a/hosts/stonkmembers/stonkstation/default.nix b/hosts/stonkmembers/stonkstation/default.nix
deleted file mode 100644
index b91b6f3..0000000
--- a/hosts/stonkmembers/stonkstation/default.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{ ... }:
-{
- bootdisk = "/dev/sda";
- bootloader = "grub";
- interface = "eno1";
- mainSerial = "4";
-}
diff --git a/hosts/stonkmembers/stonkstation/disk-config.nix b/hosts/stonkmembers/stonkstation/disk-config.nix
deleted file mode 100644
index f4f31d9..0000000
--- a/hosts/stonkmembers/stonkstation/disk-config.nix
+++ /dev/null
@@ -1,63 +0,0 @@
-# Example to create a bios compatible gpt partition
-{ lib, bootdisk, ... }:
-{
- disko.devices = {
- disk.disk1 = {
- device = lib.mkDefault "${bootdisk}";
- type = "disk";
- content = {
- type = "table";
- format = "msdos";
- partitions = [
- {
- name = "boot";
- start = "1M";
- end = "500M";
- part-type = "primary";
- bootable = true;
- content = {
- type = "filesystem";
- format = "ext3";
- mountpoint = "/boot";
- };
- }
- {
- name = "root";
- start = "500M";
- part-type = "primary";
- end = "100%";
- content = {
- type = "lvm_pv";
- vg = "SSD";
- };
- }
- ];
- };
- };
- lvm_vg = {
- SSD = {
- type = "lvm_vg";
- lvs = {
- root = {
- size = "15G";
- content = {
- type = "filesystem";
- format = "ext4";
- mountpoint = "/";
- mountOptions = [ "defaults" ];
- };
- };
- k3s = {
- size = "20G";
- content = {
- type = "filesystem";
- format = "ext4";
- mountpoint = "/var/lib/rancher";
- mountOptions = [ "defaults" ];
- };
- };
- };
- };
- };
- };
-}
diff --git a/hosts/stonkmembers/stonkstation/hardware-configuration.nix b/hosts/stonkmembers/stonkstation/hardware-configuration.nix
deleted file mode 100644
index ef291f6..0000000
--- a/hosts/stonkmembers/stonkstation/hardware-configuration.nix
+++ /dev/null
@@ -1,34 +0,0 @@
-# Do not modify this file! It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations. Please make changes
-# to /etc/nixos/configuration.nix instead.
-{
- config,
- lib,
- pkgs,
- modulesPath,
- ...
-}:
-
-{
- imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
-
- boot.initrd.availableKernelModules = [
- "xhci_pci"
- "ehci_pci"
- "ahci"
- "sd_mod"
- ];
- boot.initrd.kernelModules = [ "dm-snapshot" ];
- boot.kernelModules = [ "kvm-intel" ];
- boot.extraModulePackages = [ ];
-
- # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
- # (the default) this is the recommended approach. When using systemd-networkd it's
- # still possible to use this option, but it's recommended to use it in conjunction
- # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
- networking.useDHCP = lib.mkDefault true;
- # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
-
- nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
- hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
-}
From 5ca9c5fdbaf2c1bdd68b080a044b5905574425e8 Mon Sep 17 00:00:00 2001
From: Antoine 'Toinux' Wam
Date: Tue, 31 Dec 2024 17:32:48 +0100
Subject: [PATCH 73/74] no _overlays
---
 _overlays.nix | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 delete mode 100644 _overlays.nix
diff --git a/_overlays.nix b/_overlays.nix
deleted file mode 100644
index e69de29..0000000
From c153a97b154ccc860591a4e713b6cb3367e48501 Mon Sep 17 00:00:00 2001
From: Romain Neil
Date: Mon, 19 Jan 2026 18:40:48 +0100
Subject: [PATCH 74/74] feat: update pgsql to par
---
 .../{kit-postgresql-nte => kit-postgresql-par}/default.nix | 0
 .../hardware-configuration.nix | 0
 .../network-configuration.nix | 0
 3 files changed, 0 insertions(+), 0 deletions(-)
 rename systems/postgres/{kit-postgresql-nte => kit-postgresql-par}/default.nix (100%)
 rename systems/postgres/{kit-postgresql-nte => kit-postgresql-par}/hardware-configuration.nix (100%)
 rename systems/postgres/{kit-postgresql-nte => kit-postgresql-par}/network-configuration.nix (100%)
diff --git a/systems/postgres/kit-postgresql-nte/default.nix b/systems/postgres/kit-postgresql-par/default.nix
similarity index 100%
rename from systems/postgres/kit-postgresql-nte/default.nix
rename to systems/postgres/kit-postgresql-par/default.nix
diff --git a/systems/postgres/kit-postgresql-nte/hardware-configuration.nix b/systems/postgres/kit-postgresql-par/hardware-configuration.nix
similarity index 100%
rename from systems/postgres/kit-postgresql-nte/hardware-configuration.nix
rename to systems/postgres/kit-postgresql-par/hardware-configuration.nix
diff --git a/systems/postgres/kit-postgresql-nte/network-configuration.nix b/systems/postgres/kit-postgresql-par/network-configuration.nix
similarity index 100%
rename from systems/postgres/kit-postgresql-nte/network-configuration.nix
rename to systems/postgres/kit-postgresql-par/network-configuration.nix