ellmau/nixos
1
0
Fork 0
mirror of https://github.com/ellmau/nixos.git synced 2025-12-19 09:29:36 +01:00
Code Issues Projects Releases Wiki Activity

Add network functionality

Browse Source 
- added network manager sops module
- added wireguard skelleton (wip)
This commit is contained in:
Stefan Ellmauthaler 2022-07-19 14:07:07 +02:00
parent a75c2ae69a
commit 7c3729693f
Signed by: ellmau
GPG Key ID: C804A9C1B7AF8256
9 changed files with 208 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
.sops.yaml
View File

@ -9,14 +9,18 @@ creation_rules:
- *stefan_ellmauthaler - *stefan_ellmauthaler
- *stel-xps - *stel-xps
- *nucturne - *nucturne
- path_regex: secrets/networks\.yaml
key_groups:
- pgp:
- *stefan_ellmauthaler
- *stel-xps
- *nucturne
- path_regex: secrets/server\.yaml - path_regex: secrets/server\.yaml
key_groups: key_groups:
- pgp: - pgp:
- *stefan_ellmauthaler - *stefan_ellmauthaler
- *nucturne - *nucturne
- path_regex: machines/metis/secrets/[^/]+\.yaml - path_regex: machines/metis/secrets/[^/]+\.yaml
key_groups: key_groups:
- pgp: - pgp:
- *stefan_ellmauthaler - *stefan_ellmauthaler

15
common/wireguard.nix Normal file
View File

@ -0,0 +1,15 @@
{ config, pkgs, lib, ... }:
with lib; {
config.elss.wireguard.interfaces = {
sellnet = {
# cough @ name
servers = {
metis = {
localIP = "1";
publicKey = "bla";
};
};
peers = { };
};
};
}

1
flake.nix
View File

@ -102,6 +102,7 @@
inputs.sops-nix.nixosModules.sops inputs.sops-nix.nixosModules.sops
inputs.dwarffs.nixosModules.dwarffs inputs.dwarffs.nixosModules.dwarffs
inputs.simple-nixos-mailserver.nixosModules.mailserver inputs.simple-nixos-mailserver.nixosModules.mailserver
./common/wireguard.nix
] ++ (map (name: ./modules + "/${name}") (moduleNames ./modules)); ] ++ (map (name: ./modules + "/${name}") (moduleNames ./modules));
specialArgs = { specialArgs = {
nixos-hardware = inputs.nixos-hardware.nixosModules; nixos-hardware = inputs.nixos-hardware.nixosModules;

5
machines/metis/default.nix
View File

@ -35,10 +35,13 @@
# enable server services # enable server services
server = { server = {
enable = true; enable = true;
nextcloud.enable = true; smailserver.enable = false;
acme.staging = true; acme.staging = true;
}; };
# enable wireguard
wireguard.enable = true;
# user setup # user setup
users = { users = {

2
modules/graphical.nix
View File

@ -25,7 +25,7 @@ with lib; {
in in
mkIf cfg.enable { mkIf cfg.enable {
elss.users.x11.enable = true; elss.users.x11.enable = true;
networking.networkmanager.enable = true; elss.networking.useNetworkManager = true;
services = { services = {
xserver = { xserver = {

27
modules/network-manager/default.nix Normal file
View File

@ -0,0 +1,27 @@
{ config, pkgs, lib, ...}:
with lib; {
options.elss.networking.useNetworkManager = mkEnableOption "enable networkmanager";
config =
let
connections = [
# "tartaros"
# "eduroam"
];
mkSopsSecrets = connection: {
"${connection}" = {
sopsFile = ../../secrets/networks.yaml;
path = "/run/NetworkManager/system-connections/${connection}.nmconnection";
};
};
in
mkIf config.elss.networking.useNetworkManager {
networking.networkmanager = {
enable = true;
};
sops.secrets = mkMerge (map mkSopsSecrets connections);
};
}

2
modules/server/default.nix
View File

@ -2,7 +2,7 @@
with lib; { with lib; {
options.elss.server.enable = mkEnableOption "Enable Mail, Web, and DB"; options.elss.server.enable = mkEnableOption "Enable Mail, Web, and DB";
options.elss.server.nginx.enable = mkEnableOption "Set up nginx"; options.elss.server.nginx.enable = mkEnableOption "Set up nginx";
options.elss.server.sql.enable = mkEnableOption "Set up sql (mariadb)"; options.elss.server.sql.enable = mkEnableOption "Set up sql (postresql)";
options.elss.server.nextcloud.enable = mkEnableOption "Set up nextcloud"; options.elss.server.nextcloud.enable = mkEnableOption "Set up nextcloud";
options.elss.server.smailserver.enable = mkEnableOption "Set up simple mail server"; options.elss.server.smailserver.enable = mkEnableOption "Set up simple mail server";

80
modules/wireguard.nix
View File

@ -2,14 +2,90 @@
with lib; { with lib; {
options.elss.wireguard = { options.elss.wireguard = {
enable = mkEnableOption "Setup wireguard"; enable = mkEnableOption "Setup wireguard";
interfaces = mkOption {
default = { };
type = types.attrsOf
(types.submodule {
options = {
servers = mkOption {
type = types.attrsOf (types.submodule {
options = {
localIP = mkOption {
type = types.str;
description = "local IP for the interface";
};
port = mkOption {
type = types.port;
description = "Port to use";
default = 51820;
};
publickey = mkOption {
type = types.str;
description = "Wireguard public key for the server";
};
};
});
};
peers = mkOption {
type = types.attrsOf (types.submodule {
options = {
localIp = mkOption {
type = types.str;
description = "local IP for the peer";
};
publickey = mkOption {
type = types.str;
description = "Wireguard public key for the peer";
};
setup = mkOption {
type = types.enum [
"none"
"key"
"wg"
"nm"
];
description = "How to setup this peer. none does nothing, key only exports the secret, wg sets up wireguard for local cloud and nm adds a tunnel option";
};
};
});
};
prefix = {
ipv4 = mkOption {
type = types.str;
description = "IPv4 prefix for wireguard address room";
};
};
};
});
};
}; };
config = config =
let let
cfg = config.elss; cfg = config.elss;
hostname = cfg.hostName; hostName = config.system.name;
secrets = ../machines secrets = ../machines
+ builtins.toPath "/${hostName}/secrets/wireguard.yaml"; + builtins.toPath "/${hostName}/secrets/wireguard.yaml";
mkRemoveEmpty = lib.filter (interface: interface != "");
mkInterfaces = input: mkRemoveEmpty
((expr:
lib.mapAttrsToList
(interface: value: if (expr interface value) then interface else "")
cfg.wireguard.interfaces)
input);
mkPeerInterface = mkInterfaces (interface: value: builtins.hasAttr hostName value.peers);
mkServInterface = mkInterfaces (interface: value: builtins.hasAttr hostName value.servers);
interfaces = mkServInterface ++ mkPeerInterface;
mkInterfacename = interface: "wg-${interface}";
mkInterfaceSops = interface: {
"wireguard-${interface}" = { sopsFile = secrets; };
};
in in
mkIf cfg.wireguard.enable { }; mkIf cfg.wireguard.enable {
sops.secrets = lib.mkMerge (map mkInterfaceSops interfaces);
};
} }

74
secrets/networks.yaml Normal file
View File

@ -0,0 +1,74 @@
test: ENC[AES256_GCM,data:fQRavA/TeWqaDijLXv/YnOcu/UGwYSs+oNEzZnUn8w==,iv:6FnmmdSSpI2aOh7sj8z8q6Oje0FZI9qYVzrR+wbSUcw=,tag:dTsWAAdLc6YnznQBhcD0/w==,type:str]
tartaros: ENC[AES256_GCM,data:cOVJ9w==,iv:u2YZ7T1l9HzZvDvI6P3+K1EoUmHovBzuzHipAn5CFH8=,tag:WtrbBLWbaSMnu9Dewns+Cw==,type:str]
eduroam: ENC[AES256_GCM,data:OnicOA==,iv:Pob0QSsXMiQ10sJo7V6AbAW29Xl9EG9lNiCS0mQ7Zik=,tag:CbkTJFsFikhTGP+IuBjgUw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: []
lastmodified: "2022-07-19T10:29:10Z"
mac: ENC[AES256_GCM,data:/lUc2tnmIpLvjBjABvSdwjxZWmu2FRY5Uf16eOEnMD0za06gMys48VejlqHuuO8YSAuCahpp+lj5/Vnzah7k+m7kUExrGHvLHCDLGh2w0cHqCGkx3+M0S7Xm9sP2KFZoSrB2EJ1EJFpfRa7VZhV/LGUk+e5V4pzf4VvWEqn6YRY=,iv:fzJ5CoOyUI+q+N7w1yBgM2Ye9Jh1YDYasYT+LvozkHY=,tag:pJiXiu15gcZgM7SsPrTZvA==,type:str]
pgp:
- created_at: "2022-07-19T10:12:50Z"
enc: |
-----BEGIN PGP MESSAGE-----
hQIMAzhsLR+kpSPjARAAikLYpsLF6GZsqOjL9ycfuClIGMazi94n+RAJmzeM22Xx
rKdkddVysoi4a8Ksh/4VbJTI78yLJccNfsU/8acbCvEkCZZQtToHxGj/lS2/OFrx
TJqATUTENfcaRqFrPOfmVzmSNhfL2W/v7v1g0umi8gdVXCzGY1gj2Qsj7kHkWGOB
UdN8DVonMtSVaAlUGmKizzPLglnlrVfmTfxw5KXxKUwSb3LKGdT5f83X0FIWLNV6
4LMExTf0WvXnw5DvuAlWmGjI8sm/pmp/QSpWRLTbermgTgeKn6aNdNtHRTZC0Zl5
3hjjNrnT8UbiUznHz3EoJIPPWctH4H5TnKLGaWHKZwd0C5kPIgg2iC615M2FBgtU
4Ap2URnK6QwVMqQXO4wsAAksoqLJ0NtVGfA9H7AZDQpu8RR0D1L4yBotgDCjzAIU
J32y/twMt4Yo1xzgeBz2PQKCv/rp70EvQnVW66IChNyaAu57eRW0THJr+GC94+po
9a7HkfktUb3UGjEXqDG8bBKABYWXx2GYg3uCPSLvmmLTqoYcN8HwGp1HX2pp/qez
5pezOf4wzLVvnjUvlyWEIwrlc2xh+QHZGRCEgALb4hw0s2uxVxdGHtgdm+fPPJdF
96UL16i86+0TEwvDpfEhSHBhdJREiNtKpnfRkJz/5df8lNiDwjVpuHKOuGUTSQnS
XgGjNGAouXnM+diVgGdaOkUGQU2cFFKDwWxd7wvyVDO5foi6eEhs31AoEyRhAi2x
ARBCJ5T9n8i+/uxIHO9Q37vl/4pyTZQkGbyS1jHMpWLG+XzubRSHKtGGYt8CrF4=
=25Yf
-----END PGP MESSAGE-----
fp: 3B398B086C410264A14FB353B1E6F03030A4AEAA
- created_at: "2022-07-19T10:12:50Z"
enc: |
-----BEGIN PGP MESSAGE-----
hQIMA1NKtoXYguTKAQ/9H51xlmZ69anfiiqUcfYJDKgdXPCpjQHIF0xNB/GBLSMq
cgCq6ZOZQc65nEVAyNWfWZyuGoibIlh6BFgiA/Sbuo6RViE4TRZ123o7goXeD/IB
QQ/gETZI69KOJKDaVKKF41nitJ05b4jk1r7NAj/o7ALpIirqB3xT67rvpME77cA9
BqHvhXz0wBp2JYjozTPOBTN6OulK06vzI8m6f68Tnt1i8Qkt/nxyI+6PI+ULJvE1
kArHzLy0JduzRG5DjG8pZm6WyhwMWaN2qm/WYRFou1QQiuJlZfyGB4o5LfyMgY28
0hbbBMvP0Ugoo/ePtNauvrFSoYLZiISyGwk2ONEGj+cN/0Ha7uttSQX0ij3yubR7
6HkplkaxstUAlja9jX0aRP8u0XumENBE9FkLIi0gOTMx4RnnGYuTXExkO4C8keWA
ygF+j8o5oqojB9oGRN3Wa8WEb9WZhGTMhRnwnWuqL8JmLIBwEfGgI33oXB5OwNXe
v2ksrOfiHRwJ71QZeyeyMR8pMDDfTIujEjMpLxRWwkmq923GXON30jYBst7gX918
666ru61jBIq8tyNcpJmcFwak7pAzycG7dRzbNrLM7FQ+n6rSRSsSgWPzfo/PD31A
FByTyhDcMGwz/5c8uwFfnaYLS+MzaZu2H4eU2M2/0j6d5dxcx0+CxirNwD6sRinS
WAGikPnxIkIFHT9+BgoI7ctDdc1U2NABes8CyCOVhSPYSelbm9CaD/cu4H48QNVA
GFHxe4sXb43YIKlrUHKQmAju4CtN5EmFT+/I7m3P/6KFWURRTliWYCg=
=NaZS
-----END PGP MESSAGE-----
fp: e8dfcfbac0c3e65bbdfd62ab534ab685d882e4ca
- created_at: "2022-07-19T10:12:50Z"
enc: |
-----BEGIN PGP MESSAGE-----
hQIMA8COMi97/ZKxAQ//ZPIPKWnTlThJG64iryrjc7/mWmH5W5TSr6w5Ar+eiy5Q
ZjQ9l1jM9UAayHHkag5gjYbkYdePmBpZarpEzgSuIXWOOjeexh4YUGv0WDgi5v2d
wrNzjh16EK4Vl8KiVLmKUodKIHbvpGeBgHsoYDRXo1NmCYN9z3xtRsIbRqPfAkgN
6X0Yz6rtEWM6t1SBQSPQzB3VzFUMFEJWnI6no5U+nbrHDAxowCxShZfqgtamEIom
QDsSU7L4NE6Kw6Fp7PcWskn5fcoyyX22g9jVlDPltkIS/HpQ4ur3qk8JBXggXZwv
mXVENZSWK3VeWqceOtryycczg/wCJ+7cIVX/M/jAZpVou6smjUy7ALoXWXYFPEl6
QKyz3jCIWxSEwqH82hnpVePW9fArVmXMsBEUuXepH3wR437ixy6Ry1/VJrCipbqK
xeFLUFNEyRh91f/15SK8D4vEFhCWT7qHw1iB8pxF4R17DCHiXYM4uR6AZsIYTz6R
u/sKP+P5wR3Rzm3uRvdz7Po+nqjaR/7U3+rJ9Rvx912Nhyhd/P/s6rEz93ABI2CT
JSVdqtKICPc3aP+W1N+RoPDjX0FcVstea4Rz/F4DakL4rMlVecj9KLdpHUKpSa8m
S/tTGzqUSSFVWUYpuYzw4X0BmXQZXQqcAZ2faupdzlKNHbtBBy522DYPr+K7KxnS
WAFpt5Q8S9sM+LvTzBFQmv5JeZEqKBykofrGOmGv/TC911KQrBXxumCyo1A6KdYq
JStGyTNHnwNDLckx+bC57ztfKrlwMwYygoIuIc1Kk0AvTsip3REquJ8=
=3sPu
-----END PGP MESSAGE-----
fp: 9b6a58764eddd81d07180d6dc08e322f7bfd92b1
unencrypted_suffix: _unencrypted
version: 3.7.3