gribse/nix-cluster
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Modularize and fix wireguard

Browse source
This commit is contained in:
zuma 2025-11-06 22:08:45 +01:00
parent 127fc040a5
commit 7b6e8c49f1
6 changed files with 265 additions and 229 deletions
Download patch file Download diff file Expand all files Collapse all files

392
configuration.nix
View file

@ -7,207 +7,213 @@
...
}:
let
cfg = config.filouterie;
in
with builtins;
with pkgs.lib;
{
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
./cluster.nix
./node.nix
./wgautomesh.nix
];
programs.nix-ld.enable = true; # for vscode server
# Set your time zone.
time.timeZone = "Europe/Paris";
# Select internationalisation properties.
i18n.defaultLocale = "en_US.UTF-8";
console = {
font = "Lat2-Terminus16";
#keyMap = "fr";
useXkbConfig = true; # use xkb.options in tty.
};
# Enable touchpad support (enabled default in most desktopManager).
# services.libinput.enable = true;
# Define a user account. Don't forget to set a password with passwd.
users.users = {
nixos = {
isNormalUser = true;
extraGroups = [ "wheel" ]; # Enable sudo for the user.
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHxRk3bAqq9sRuZD2rBecM9e2XXHnaUQVCkqNjkHrugv zuma@shenanigans.cc"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDgXUerUE+Q3nRP1NHfNYSFoKeNauYBxYXAQ9+CJy4ZBWbxnQ0lp9GEF/KM2Ww0jdpW0hRUh3UJsnTauseWgSG+wxa0+j+bRj64d44G+f7QEGJ6SxcXpJljxuEoIAkhs73bZ4oAdXDMrtcaNij/YAXy6llu1vQFTGu6OytktTsEOLzTDP0tWTdyVSToD4+lk7UR5yMbSDz8gXn8/J3C3kf3mefPDTCDzMXBCixEEctY8VXM32RjlCPdxrxLKr/v5CrY2YA4WjuRhillaLwYVabkm7s98kHUvYTN48fbB5DHfgkGK6WhbfEPfta4DorQf/2D4cXpMkBt+sG1f5r9xThsv649xQB5uTg9pGeOtYn5zH3mk5wJN/2/mdveEJeCWXsXrq0GNhq+f6SE4reUvL+7MBtdpzt06D5u59JKNfXH2dQCOiqnyl0+Ahv0LoYDetJCB1dxombrUqRZvNsyD5T6lIF0tyEoK/0CXSRjr4J3nldzjPpk1uTo7kuW/clNi3KuzpQo7V8dk6I3H+jlut2lL6h8Q/P1L3p9e7T8pVi5XxbRunJYcDsWdiAb/S0y0fb0vQfGsUbi7sqvZl4fBvxYoE2NkXkWsLCN7FiFRkaTxGDh6YIo3UNllvmOxpX7tiiCV3cNLVMhcsWpNcv/U/rlBbNihODQpy1de+U2f7H8Qw== maël@Laptop-Maël"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC870BBey886dVmSb8AoK3uMs1t1dsHW7Wy1MVbpsraAYY0U6QXzhCKvO1geRIuwf4Q8mj8i2iuDwI7p1KoN8NIAmvGBs5YdIM0b4OGlLgF/7qBT9Rj54TDi4uCt4RLzorfVIzO66uGghOJPfUGXBw2gPCEJDE091fShcV9RK6ByQUvSLDJMz0fTKC5Z+ejxgzT+ZPBRusC54SPMiXlpROh/ZQ+VyfH2DjDwrXtt2wYigEMTI3/KtCKypUwbZ2JMeG4qVLIjdHXCHppq7EZWKj8HYywLlmWC3FIhHccCPrwTU5tfs35s1uExz3/ffqBpmhQmsgVeVf9Yz8uIccUZlF9UbhtKj9IJ88X2Doy+YWjXZAKWba48bSblWDH9I7R1f/t1o5lPml5UnTNsaMAmXL1oX7je+pveTJ7VB349AW8tv5PoRxYKuHuSu/J9hq43u8RQVAveaYoFpLvwBYMBmc6K02Oj3cLIPPQhQQSZ26z8NazHpIgVyQxgWhrckCb/vAi5yxl5htTcJqONTLJBWdKOj2huG16kF7m6NsJ4m8mReoYDOAcaIR1UPVJKALHw82mKdgSlBP/YrN7rTU9woBXt/QoWnWMabNM4YYr1UssiR+NS6fs4yuNZ58MaYsJi1Zlv1Vjwm9bj+rNCmYoXTbpVesn+rXbWZxIAeMqNCsHRQ== achille.toupin@gadz.org"
];
};
zuma = {
isNormalUser = true;
extraGroups = [ "wheel" ]; # Enable sudo for the user.
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHxRk3bAqq9sRuZD2rBecM9e2XXHnaUQVCkqNjkHrugv zuma@shenanigans.cc"
];
hashedPassword = "$y$j9T$Qc23q8HQZMELvYyubvEoF/$jauiBKEGb65K03/va632gKIuGSR2Cro/CQ1yq5mOjxB";
};
mayel = {
isNormalUser = true;
extraGroups = [ "wheel" ]; # Enable sudo for the user.
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDgXUerUE+Q3nRP1NHfNYSFoKeNauYBxYXAQ9+CJy4ZBWbxnQ0lp9GEF/KM2Ww0jdpW0hRUh3UJsnTauseWgSG+wxa0+j+bRj64d44G+f7QEGJ6SxcXpJljxuEoIAkhs73bZ4oAdXDMrtcaNij/YAXy6llu1vQFTGu6OytktTsEOLzTDP0tWTdyVSToD4+lk7UR5yMbSDz8gXn8/J3C3kf3mefPDTCDzMXBCixEEctY8VXM32RjlCPdxrxLKr/v5CrY2YA4WjuRhillaLwYVabkm7s98kHUvYTN48fbB5DHfgkGK6WhbfEPfta4DorQf/2D4cXpMkBt+sG1f5r9xThsv649xQB5uTg9pGeOtYn5zH3mk5wJN/2/mdveEJeCWXsXrq0GNhq+f6SE4reUvL+7MBtdpzt06D5u59JKNfXH2dQCOiqnyl0+Ahv0LoYDetJCB1dxombrUqRZvNsyD5T6lIF0tyEoK/0CXSRjr4J3nldzjPpk1uTo7kuW/clNi3KuzpQo7V8dk6I3H+jlut2lL6h8Q/P1L3p9e7T8pVi5XxbRunJYcDsWdiAb/S0y0fb0vQfGsUbi7sqvZl4fBvxYoE2NkXkWsLCN7FiFRkaTxGDh6YIo3UNllvmOxpX7tiiCV3cNLVMhcsWpNcv/U/rlBbNihODQpy1de+U2f7H8Qw== maël@Laptop-Maël"
];
hashedPassword = "$6$mgFgg9pJKiKQptad$CTMFJGuhl3Lk4MWRJrWgZox0bQPqObn0YpcG9Cnbg3Mvny.ZxAdJ/vKwHIvPai1jDQvFgNrKu4mx8PX4KBIu41";
};
gribse = {
isNormalUser = true;
extraGroups = [ "wheel" ]; # Enable sudo for the user.
# packages = with pkgs; [
#];
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC870BBey886dVmSb8AoK3uMs1t1dsHW7Wy1MVbpsraAYY0U6QXzhCKvO1geRIuwf4Q8mj8i2iuDwI7p1KoN8NIAmvGBs5YdIM0b4OGlLgF/7qBT9Rj54TDi4uCt4RLzorfVIzO66uGghOJPfUGXBw2gPCEJDE091fShcV9RK6ByQUvSLDJMz0fTKC5Z+ejxgzT+ZPBRusC54SPMiXlpROh/ZQ+VyfH2DjDwrXtt2wYigEMTI3/KtCKypUwbZ2JMeG4qVLIjdHXCHppq7EZWKj8HYywLlmWC3FIhHccCPrwTU5tfs35s1uExz3/ffqBpmhQmsgVeVf9Yz8uIccUZlF9UbhtKj9IJ88X2Doy+YWjXZAKWba48bSblWDH9I7R1f/t1o5lPml5UnTNsaMAmXL1oX7je+pveTJ7VB349AW8tv5PoRxYKuHuSu/J9hq43u8RQVAveaYoFpLvwBYMBmc6K02Oj3cLIPPQhQQSZ26z8NazHpIgVyQxgWhrckCb/vAi5yxl5htTcJqONTLJBWdKOj2huG16kF7m6NsJ4m8mReoYDOAcaIR1UPVJKALHw82mKdgSlBP/YrN7rTU9woBXt/QoWnWMabNM4YYr1UssiR+NS6fs4yuNZ58MaYsJi1Zlv1Vjwm9bj+rNCmYoXTbpVesn+rXbWZxIAeMqNCsHRQ== achille.toupin@gadz.org"
];
hashedPassword = "$y$j9T$FzX.e82AopK/3Op8mx.iX1$DFP3vU5KIaU/0JyjrdUVuePSrvhm.zPqAN6i9E0FY04";
};
};
users.motd = ''
=============== Bienvenue dans la filouterie ====================
'';
# List packages installed in system profile.
# You can use https://search.nixos.org/ to find more packages (and options).
environment.systemPackages = with pkgs; [
vim
neovim
tree
git
btop
wget
neofetch
];
# Enable the OpenSSH daemon.
services.openssh.enable = true;
services.openssh.settings.PasswordAuthentication = false;
services.unbound = {
enable = true;
settings = {
server = {
interface = [
"127.0.0.1"
"172.17.0.1"
]; # 172.17.0.1 is docker container network mask
verbosity = 1;
access-control = [
"127.0.0.0/8 allow"
"172.17.0.1/16 allow"
"192.168.0.0/16 allow"
];
config =
let
clusterNodeCfg = getAttr cfg.hostName cfg.clusterNodes;
clusterAddress = clusterNodeCfg.address;
in
{
networking.hostName = cfg.hostName;
environment.sessionVariables = rec {
NODE = cfg.hostName;
};
programs.nix-ld.enable = true; # for vscode server
# Set your time zone.
time.timeZone = "Europe/Paris";
# Select internationalisation properties.
i18n.defaultLocale = "en_US.UTF-8";
console = {
font = "Lat2-Terminus16";
#keyMap = "fr";
useXkbConfig = true; # use xkb.options in tty.
};
# Define a user account. Don't forget to set a password with passwd.
users.users = {
nixos = {
isNormalUser = true;
extraGroups = [ "wheel" ]; # Enable sudo for the user.
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHxRk3bAqq9sRuZD2rBecM9e2XXHnaUQVCkqNjkHrugv zuma@shenanigans.cc"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDgXUerUE+Q3nRP1NHfNYSFoKeNauYBxYXAQ9+CJy4ZBWbxnQ0lp9GEF/KM2Ww0jdpW0hRUh3UJsnTauseWgSG+wxa0+j+bRj64d44G+f7QEGJ6SxcXpJljxuEoIAkhs73bZ4oAdXDMrtcaNij/YAXy6llu1vQFTGu6OytktTsEOLzTDP0tWTdyVSToD4+lk7UR5yMbSDz8gXn8/J3C3kf3mefPDTCDzMXBCixEEctY8VXM32RjlCPdxrxLKr/v5CrY2YA4WjuRhillaLwYVabkm7s98kHUvYTN48fbB5DHfgkGK6WhbfEPfta4DorQf/2D4cXpMkBt+sG1f5r9xThsv649xQB5uTg9pGeOtYn5zH3mk5wJN/2/mdveEJeCWXsXrq0GNhq+f6SE4reUvL+7MBtdpzt06D5u59JKNfXH2dQCOiqnyl0+Ahv0LoYDetJCB1dxombrUqRZvNsyD5T6lIF0tyEoK/0CXSRjr4J3nldzjPpk1uTo7kuW/clNi3KuzpQo7V8dk6I3H+jlut2lL6h8Q/P1L3p9e7T8pVi5XxbRunJYcDsWdiAb/S0y0fb0vQfGsUbi7sqvZl4fBvxYoE2NkXkWsLCN7FiFRkaTxGDh6YIo3UNllvmOxpX7tiiCV3cNLVMhcsWpNcv/U/rlBbNihODQpy1de+U2f7H8Qw== maël@Laptop-Maël"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC870BBey886dVmSb8AoK3uMs1t1dsHW7Wy1MVbpsraAYY0U6QXzhCKvO1geRIuwf4Q8mj8i2iuDwI7p1KoN8NIAmvGBs5YdIM0b4OGlLgF/7qBT9Rj54TDi4uCt4RLzorfVIzO66uGghOJPfUGXBw2gPCEJDE091fShcV9RK6ByQUvSLDJMz0fTKC5Z+ejxgzT+ZPBRusC54SPMiXlpROh/ZQ+VyfH2DjDwrXtt2wYigEMTI3/KtCKypUwbZ2JMeG4qVLIjdHXCHppq7EZWKj8HYywLlmWC3FIhHccCPrwTU5tfs35s1uExz3/ffqBpmhQmsgVeVf9Yz8uIccUZlF9UbhtKj9IJ88X2Doy+YWjXZAKWba48bSblWDH9I7R1f/t1o5lPml5UnTNsaMAmXL1oX7je+pveTJ7VB349AW8tv5PoRxYKuHuSu/J9hq43u8RQVAveaYoFpLvwBYMBmc6K02Oj3cLIPPQhQQSZ26z8NazHpIgVyQxgWhrckCb/vAi5yxl5htTcJqONTLJBWdKOj2huG16kF7m6NsJ4m8mReoYDOAcaIR1UPVJKALHw82mKdgSlBP/YrN7rTU9woBXt/QoWnWMabNM4YYr1UssiR+NS6fs4yuNZ58MaYsJi1Zlv1Vjwm9bj+rNCmYoXTbpVesn+rXbWZxIAeMqNCsHRQ== achille.toupin@gadz.org"
];
};
zuma = {
isNormalUser = true;
extraGroups = [ "wheel" ]; # Enable sudo for the user.
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHxRk3bAqq9sRuZD2rBecM9e2XXHnaUQVCkqNjkHrugv zuma@shenanigans.cc"
];
hashedPassword = "$y$j9T$Qc23q8HQZMELvYyubvEoF/$jauiBKEGb65K03/va632gKIuGSR2Cro/CQ1yq5mOjxB";
};
mayel = {
isNormalUser = true;
extraGroups = [ "wheel" ]; # Enable sudo for the user.
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDgXUerUE+Q3nRP1NHfNYSFoKeNauYBxYXAQ9+CJy4ZBWbxnQ0lp9GEF/KM2Ww0jdpW0hRUh3UJsnTauseWgSG+wxa0+j+bRj64d44G+f7QEGJ6SxcXpJljxuEoIAkhs73bZ4oAdXDMrtcaNij/YAXy6llu1vQFTGu6OytktTsEOLzTDP0tWTdyVSToD4+lk7UR5yMbSDz8gXn8/J3C3kf3mefPDTCDzMXBCixEEctY8VXM32RjlCPdxrxLKr/v5CrY2YA4WjuRhillaLwYVabkm7s98kHUvYTN48fbB5DHfgkGK6WhbfEPfta4DorQf/2D4cXpMkBt+sG1f5r9xThsv649xQB5uTg9pGeOtYn5zH3mk5wJN/2/mdveEJeCWXsXrq0GNhq+f6SE4reUvL+7MBtdpzt06D5u59JKNfXH2dQCOiqnyl0+Ahv0LoYDetJCB1dxombrUqRZvNsyD5T6lIF0tyEoK/0CXSRjr4J3nldzjPpk1uTo7kuW/clNi3KuzpQo7V8dk6I3H+jlut2lL6h8Q/P1L3p9e7T8pVi5XxbRunJYcDsWdiAb/S0y0fb0vQfGsUbi7sqvZl4fBvxYoE2NkXkWsLCN7FiFRkaTxGDh6YIo3UNllvmOxpX7tiiCV3cNLVMhcsWpNcv/U/rlBbNihODQpy1de+U2f7H8Qw== maël@Laptop-Maël"
];
hashedPassword = "$6$mgFgg9pJKiKQptad$CTMFJGuhl3Lk4MWRJrWgZox0bQPqObn0YpcG9Cnbg3Mvny.ZxAdJ/vKwHIvPai1jDQvFgNrKu4mx8PX4KBIu41";
};
gribse = {
isNormalUser = true;
extraGroups = [ "wheel" ]; # Enable sudo for the user.
# packages = with pkgs; [
#];
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC870BBey886dVmSb8AoK3uMs1t1dsHW7Wy1MVbpsraAYY0U6QXzhCKvO1geRIuwf4Q8mj8i2iuDwI7p1KoN8NIAmvGBs5YdIM0b4OGlLgF/7qBT9Rj54TDi4uCt4RLzorfVIzO66uGghOJPfUGXBw2gPCEJDE091fShcV9RK6ByQUvSLDJMz0fTKC5Z+ejxgzT+ZPBRusC54SPMiXlpROh/ZQ+VyfH2DjDwrXtt2wYigEMTI3/KtCKypUwbZ2JMeG4qVLIjdHXCHppq7EZWKj8HYywLlmWC3FIhHccCPrwTU5tfs35s1uExz3/ffqBpmhQmsgVeVf9Yz8uIccUZlF9UbhtKj9IJ88X2Doy+YWjXZAKWba48bSblWDH9I7R1f/t1o5lPml5UnTNsaMAmXL1oX7je+pveTJ7VB349AW8tv5PoRxYKuHuSu/J9hq43u8RQVAveaYoFpLvwBYMBmc6K02Oj3cLIPPQhQQSZ26z8NazHpIgVyQxgWhrckCb/vAi5yxl5htTcJqONTLJBWdKOj2huG16kF7m6NsJ4m8mReoYDOAcaIR1UPVJKALHw82mKdgSlBP/YrN7rTU9woBXt/QoWnWMabNM4YYr1UssiR+NS6fs4yuNZ58MaYsJi1Zlv1Vjwm9bj+rNCmYoXTbpVesn+rXbWZxIAeMqNCsHRQ== achille.toupin@gadz.org"
];
hashedPassword = "$y$j9T$FzX.e82AopK/3Op8mx.iX1$DFP3vU5KIaU/0JyjrdUVuePSrvhm.zPqAN6i9E0FY04";
};
};
users.motd = ''
=============== Bienvenue dans la filouterie ====================
'';
# List packages installed in system profile.
# You can use https://search.nixos.org/ to find more packages (and options).
environment.systemPackages = with pkgs; [
vim
neovim
tree
git
btop
wget
neofetch
];
# Enable the OpenSSH daemon.
services.openssh.enable = true;
services.openssh.settings.PasswordAuthentication = false;
services.unbound = {
enable = true;
settings = {
server = {
interface = [
"127.0.0.1"
"172.17.0.1"
]; # 172.17.0.1 is docker container network mask
verbosity = 1;
access-control = [
"127.0.0.0/8 allow"
"172.17.0.1/16 allow"
"192.168.0.0/16 allow"
];
};
};
resolveLocalQueries = true;
};
services.resolved.enable = false;
networking.wireguard.interfaces.wg0 = {
ips = [ "${clusterAddress}/16" ];
listenPort = 19720;
privateKeyFile = "/var/lib/filouterie/wireguard-keys/private";
mtu = 1420;
};
filouterie.services.wgautomesh = {
enable = true;
interface = "wg0";
gossipPort = 1600;
peers = attrValues (
mapAttrs (
hostname:
{
pubkey,
endpoint,
address,
...
}:
{
inherit pubkey address endpoint;
}
) cfg.clusterNodes
);
};
system.activationScripts.generate_filouterie_wg_key = ''
if [ ! -f /var/lib/filouterie/wireguard-keys/private ]; then
mkdir -p /var/lib/filouterie/wireguard-keys
(umask 077; ${pkgs.wireguard-tools}/bin/wg genkey > /var/lib/filouterie/wireguard-keys/private)
echo "New Wireguard key was generated."
echo "This node's Wireguard public key is: $(${pkgs.wireguard-tools}/bin/wg pubkey < /var/lib/filouterie/wireguard-keys/private)"
fi
'';
# Open ports in the firewall.
networking.firewall = {
enable = true;
allowedTCPPorts = [
22 # SSH
];
allowedUDPPorts = [
19720 # Wireguard
];
extraCommands = ''
# Allow other nodes on VPN to access all ports
iptables -A INPUT -s ${cfg.clusterPrefix} -j ACCEPT
'';
extraStopCommands = ''
iptables -D INPUT -s ${cfg.clusterPrefix} -j ACCEPT
'';
};
# Garbage collection to remove old NixOs iterations
nix.gc = {
automatic = true;
dates = "weekly";
options = "--delete-older-than 30d";
};
# Copy the NixOS configuration file and link it from the resulting system
# (/run/current-system/configuration.nix). This is useful in case you
# accidentally delete configuration.nix.
# system.copySystemConfiguration = true;
system.stateVersion = "25.05"; # Never bloody change this value, got it lads ?
};
resolveLocalQueries = true;
};
services.resolved.enable = false;
networking.wireguard.interfaces.wg0 = {
ips = [ "10.0.0.0/16" ];
listenPort = 19720;
privateKeyFile = "/var/lib/filouterie/wireguard-keys/private";
mtu = 1420;
};
filouterie.services.wgautomesh = {
enable = true;
interface = "wg0";
gossipPort = 1600;
peers = [
# Fifi
{
address = "10.0.1.1";
endpoint = "92.179.73.254:19720";
pubkey = "/TJVF6aLEvqngjd8Gq3QkH5esEQSIL+ryz/uKdJaZEQ=";
}
# Riri
{
address = "10.0.2.1";
endpoint = "176.159.248.209:19720";
pubkey = "lUUTv85m7vtIKY7+s//AWL5r/epjXSBZNJCrgjRfQj0=";
}
# Fifi
{
address = "10.0.3.1";
endpoint = "82.67.117.71:19720";
pubkey = "J/liQaChv4ZBjwlLmobM0NA/Wwgl8nDcQEcGdsC5Exc=";
}
];
};
system.activationScripts.generate_filouterie_wg_key = ''
if [ ! -f /var/lib/filouterie/wireguard-keys/private ]; then
mkdir -p /var/lib/filouterie/wireguard-keys
(umask 077; ${pkgs.wireguard-tools}/bin/wg genkey > /var/lib/filouterie/wireguard-keys/private)
echo "New Wireguard key was generated."
echo "This node's Wireguard public key is: $(${pkgs.wireguard-tools}/bin/wg pubkey < /var/lib/filouterie/wireguard-keys/private)"
fi
'';
# Open ports in the firewall.
networking.firewall = {
enable = true;
allowedTCPPorts = [
22 # SSH
];
allowedUDPPorts = [
19720 #Wireguard
];
extraCommands = ''
# Allow other nodes on VPN to access all ports
iptables -A INPUT -s 10.0.0.0/16 -j ACCEPT
'';
extraStopCommands = ''
iptables -D INPUT -s 10.0.0.0/16 -j ACCEPT
'';
};
# Garbage collection to remove old NixOs iterations
nix.gc = {
automatic = true;
dates = "weekly";
options = "--delete-older-than 30d";
};
# Copy the NixOS configuration file and link it from the resulting system
# (/run/current-system/configuration.nix). This is useful in case you
# accidentally delete configuration.nix.
# system.copySystemConfiguration = true;
system.stateVersion = "25.05"; # Never bloody change this value, got it lads ?
}