kfm/niveum
1
0
Fork 0
mirror of https://github.com/kmein/niveum synced 2026-03-20 12:01:06 +01:00
Code Releases Activity

Compare commits

base: kfm:feature/specus
Branches Tags
kfm:master kfm:update_flake_lock_action kfm:nethack kfm:wayland kfm:feature/hass-prometheus kfm:feature/itools kfm:feature/specus kfm:hass-nix-2 kfm:hass-nix kfm:grimm kfm:mympd kfm:tahina kfm:new-krops kfm:flakes kfm:flakes-2 kfm:20.09 kfm:mail
..
compare: kfm:feature/itools
Branches Tags
kfm:master kfm:update_flake_lock_action kfm:nethack kfm:wayland kfm:feature/hass-prometheus kfm:feature/itools kfm:feature/specus kfm:hass-nix-2 kfm:hass-nix kfm:grimm kfm:mympd kfm:tahina kfm:new-krops kfm:flakes kfm:flakes-2 kfm:20.09 kfm:mail

1 Commits
feature/sp ... feature/it

Author SHA1 Message Date
Kierán Meinhardt
2d063b0ac8 wip: package itools 2023-04-14 08:43:34 +02:00
7 changed files with 20 additions and 122 deletions
Expand all files Collapse all files

4
flake.nix
View File

@@ -49,7 +49,6 @@
passport = import modules/passport.nix; passport = import modules/passport.nix;
panoptikon = import modules/panoptikon.nix; panoptikon = import modules/panoptikon.nix;
power-action = import modules/power-action.nix; power-action = import modules/power-action.nix;
specus = import modules/specus.nix;
system-dependent = import modules/system-dependent.nix; system-dependent = import modules/system-dependent.nix;
telegram-bot = import modules/telegram-bot.nix; telegram-bot = import modules/telegram-bot.nix;
traadfri = import modules/traadfri.nix; traadfri = import modules/traadfri.nix;
@@ -80,7 +79,6 @@
systems/ful/configuration.nix systems/ful/configuration.nix
agenix.nixosModules.default agenix.nixosModules.default
inputs.self.nixosModules.passport inputs.self.nixosModules.passport
inputs.self.nixosModules.specus
inputs.self.nixosModules.panoptikon inputs.self.nixosModules.panoptikon
retiolum.nixosModules.retiolum retiolum.nixosModules.retiolum
nur.nixosModules.nur nur.nixosModules.nur
@@ -129,7 +127,6 @@
inputs.self.nixosModules.telegram-bot inputs.self.nixosModules.telegram-bot
inputs.self.nixosModules.htgen inputs.self.nixosModules.htgen
inputs.self.nixosModules.passport inputs.self.nixosModules.passport
inputs.self.nixosModules.specus
agenix.nixosModules.default agenix.nixosModules.default
retiolum.nixosModules.retiolum retiolum.nixosModules.retiolum
nur.nixosModules.nur nur.nixosModules.nur
@@ -193,7 +190,6 @@
systems/kabsa/configuration.nix systems/kabsa/configuration.nix
agenix.nixosModules.default agenix.nixosModules.default
retiolum.nixosModules.retiolum retiolum.nixosModules.retiolum
inputs.self.nixosModules.specus
home-manager.nixosModules.home-manager home-manager.nixosModules.home-manager
nur.nixosModules.nur nur.nixosModules.nur
]; ];

96
modules/specus.nix
View File

@@ -1,96 +0,0 @@
{
config,
lib,
pkgs,
...
}: let
specusMachines = {
servers = {
makanek = {
ipv4 = "10.100.0.1";
publicKey = "KhcScd4fBpdhQzK8Vc+1mEHQMQBpbKBUPB4oZ7skeSk=";
};
ful = {
ipv4 = "10.100.0.2";
publicKey = "0Y7+zoXkWJGVOWWnMjvYjtwP+WpggAlmkRbgMw0z8Dk=";
};
};
clients = {
kabsa = {
ipv4 = "10.100.0.101";
publicKey = "nRkzoRi9crKHF7263U37lt4GGL7/8637NBSKjifI9hY=";
};
};
};
in {
options.services.specus = {
server = {
enable = lib.mkEnableOption "Specus private VPN (server)";
};
client = {
enable = lib.mkEnableOption "Specus private VPN (client)";
};
privateKeyFile = lib.mkOption {
type = lib.types.path;
description = "Private key file of the server/client machine";
};
};
config = let
cfg = config.services.specus;
specusPort = 22;
in
{
assertions = [
{
assertion =
!(cfg.server.enable && cfg.client.enable);
message = "specus: systems cannot be client and server at the same time";
}
];
}
// lib.mkIf cfg.server.enable {
networking.nat = {
enable = true;
externalInterface = "eth0"; # TODO
internalInterfaces = ["specus"];
};
networking.firewall.allowedUDPPorts = [specusPort];
networking.wireguard.interfaces.specus = {
ips = ["${specusMachines.servers.${config.networking.hostName}.ipv4}/24"];
# For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
postSetup = ''
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
'';
postShutdown = ''
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
'';
listenPort = specusPort;
privateKeyFile = cfg.privateKeyFile;
peers =
lib.mapAttrsToList (clientName: clientConfig: {
publicKey = clientConfig.publicKey;
allowedIPs = ["${clientConfig.ipv4}/32"];
})
specusMachines.clients;
};
}
// lib.mkIf cfg.client.enable {
networking.firewall.allowedUDPPorts = [specusPort];
networking.wireguard.interfaces = lib.attrsets.mapAttrs' (serverName: serverConfig:
lib.nameValuePair "specus-${serverName}" {
ips = ["${specusMachines.clients.${config.networking.hostName}.ipv4}/24"];
listenPort = specusPort;
privateKeyFile = cfg.privateKeyFile;
peers = [
{
allowedIPs = ["0.0.0.0/0"];
endpoint = "${(import ../lib/external-network.nix).${serverName}}:${toString specusPort}";
persistentKeepalive = 25;
publicKey = serverConfig.publicKey;
}
];
})
specusMachines.servers;
};
}

7
packages/itl.nix
View File

@@ -1,4 +1,9 @@
{ stdenv, fetchFromGitHub, cmake, lib }: {
stdenv,
fetchFromGitHub,
cmake,
lib,
}:
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
pname = "itl"; pname = "itl";
version = "0.8.0"; version = "0.8.0";

17
packages/itools.nix
View File

@@ -1,4 +1,11 @@
{ stdenv, fetchFromGitHub, itl, lib, autoreconfHook }: {
stdenv,
fetchFromGitHub,
itl,
lib,
# autoreconfHook,
automake,
}:
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
pname = "itools"; pname = "itools";
version = "1.0"; version = "1.0";
@@ -8,8 +15,12 @@ stdenv.mkDerivation rec {
rev = version; rev = version;
sha256 = "sha256-g9bsjupC4Sb5ywAgUNbjYLbHZ/i994lbNSnX2JyaP3g="; sha256 = "sha256-g9bsjupC4Sb5ywAgUNbjYLbHZ/i994lbNSnX2JyaP3g=";
}; };
preAutoreconf = "autoupdate"; # nativeBuildInputs = [autoreconfHook];
nativeBuildInputs = [autoreconfHook]; buildPhase = ''
touch ChangeLog
./configure
make
'';
buildInputs = [itl]; buildInputs = [itl];
meta = { meta = {
homepage = "https://www.arabeyes.org/ITL"; homepage = "https://www.arabeyes.org/ITL";

6
systems/ful/configuration.nix
View File

@@ -49,12 +49,6 @@ in {
}; };
root.file = ../../secrets/ful-root.age; root.file = ../../secrets/ful-root.age;
restic.file = ../../secrets/restic.age; restic.file = ../../secrets/restic.age;
specus.file = ../../secrets/ful-specus-privateKey.age;
};
services.specus = {
privateKeyFile = config.age.secrets.specus.path;
server.enable = true;
}; };
services.restic.backups.niveum = { services.restic.backups.niveum = {

6
systems/kabsa/configuration.nix
View File

@@ -40,16 +40,10 @@ in {
restic.file = ../../secrets/restic.age; restic.file = ../../secrets/restic.age;
syncthing-cert.file = ../../secrets/kabsa-syncthing-cert.age; syncthing-cert.file = ../../secrets/kabsa-syncthing-cert.age;
syncthing-key.file = ../../secrets/kabsa-syncthing-key.age; syncthing-key.file = ../../secrets/kabsa-syncthing-key.age;
specus.file = ../../secrets/kabsa-specus-privateKey.age;
}; };
environment.systemPackages = [pkgs.minecraft pkgs.zeroad]; environment.systemPackages = [pkgs.minecraft pkgs.zeroad];
services.specus = {
privateKeyFile = config.age.secrets.specus.path;
client.enable = false;
};
networking = { networking = {
hostName = "kabsa"; hostName = "kabsa";
wireless.interfaces = ["wlp3s0"]; wireless.interfaces = ["wlp3s0"];

6
systems/makanek/configuration.nix
View File

@@ -95,12 +95,6 @@ in {
group = "tinc.retiolum"; group = "tinc.retiolum";
}; };
restic.file = ../../secrets/restic.age; restic.file = ../../secrets/restic.age;
specus.file = ../../secrets/makanek-specus-privateKey.age;
};
services.specus = {
privateKeyFile = config.age.secrets.specus.path;
server.enable = true;
}; };
system.stateVersion = "20.03"; system.stateVersion = "20.03";