config wiregrill: split into server and client
parent
2bccacd650
commit
bcce7262a7
|
@ -3,13 +3,8 @@ let
|
||||||
in {
|
in {
|
||||||
services.nginx.recommendedProxySettings = true;
|
services.nginx.recommendedProxySettings = true;
|
||||||
services.nginx.virtualHosts."hass" = {
|
services.nginx.virtualHosts."hass" = {
|
||||||
serverAliases = [ "hass.lan" "ha" "ha.lan" ];
|
serverAliases = [ "hass.lan" "ha" "ha.lan" "hass.omo.w" "hass.omo.r" ];
|
||||||
locations."/".proxyPass = "http://localhost:8123";
|
locations."/".proxyPass = "http://localhost:8123";
|
||||||
locations."/".proxyWebsockets = true;
|
locations."/".proxyWebsockets = true;
|
||||||
extraConfig = ''
|
|
||||||
if ( $server_addr != "${internal-ip}" ) {
|
|
||||||
return 403;
|
|
||||||
}
|
|
||||||
'';
|
|
||||||
};
|
};
|
||||||
}
|
}
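Review bot: Removing the `if ( $server_addr != "${internal-ip}" ) { return 403; }` block from the hass vhost drops the only check that limited the proxy to requests arriving on the LAN address, and in the same hunk the new `hass.omo.w`/`hass.omo.r` aliases widen the names it answers to, so Home Assistant becomes reachable on every address nginx binds. If the intent is to expose it over the additional nets, either keep the guard with an allowlist covering those addresses, or make sure the HTTP ports are opened per interface (`networking.firewall.interfaces.<if>.allowedTCPPorts`) rather than globally, so the wider reach is deliberate and visible in one place. If nothing else reads `internal-ip` after this change, its binding in the `let` above is dead and can be removed. The `let` header and the end of the module are outside the hunk.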
|
||||||
|
|
|
@ -21,7 +21,6 @@ let
|
||||||
internal-ip = "192.168.111.11";
|
internal-ip = "192.168.111.11";
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
sops.secrets."photoprism/envfile" = {};
|
|
||||||
virtualisation.oci-containers.backend = "docker";
|
virtualisation.oci-containers.backend = "docker";
|
||||||
|
|
||||||
services.nginx.virtualHosts."photos" = {
|
services.nginx.virtualHosts."photos" = {
|
||||||
|
@ -100,7 +99,7 @@ in
|
||||||
|
|
||||||
};
|
};
|
||||||
environmentFiles = [
|
environmentFiles = [
|
||||||
config.sops.secrets."photoprism/envfile".path
|
config.sops.secrets."omo-photoprism-envfile".path
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -122,7 +121,7 @@ in
|
||||||
#];
|
#];
|
||||||
volumes= [ "${db-dir}:/var/lib/mysql" ];
|
volumes= [ "${db-dir}:/var/lib/mysql" ];
|
||||||
environmentFiles = [
|
environmentFiles = [
|
||||||
config.sops.secrets."photoprism/envfile".path
|
config.sops.secrets."omo-photoprism-envfile".path
|
||||||
];
|
];
|
||||||
environment = {
|
environment = {
|
||||||
MYSQL_DATABASE= "photoprism";
|
MYSQL_DATABASE= "photoprism";
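Review bot: `sops.secrets."photoprism/envfile" = {};` is removed, but the two `environmentFiles` entries (this hunk and the one at `@ -122`) now read `config.sops.secrets."omo-photoprism-envfile".path` and no declaration of that secret appears in the diff; unless it is declared by a shared module (the `omo-` prefix looks like a machine-name scheme, see `config.clanCore.machineName` in the other hunks), evaluation fails with a missing attribute. The syncthing hunk has the same shape: `"${config.clanCore.machineName}-syncthing.key"` and `.cert` are referenced while the `sops.secrets."syncthing.key"`/`".cert"` declarations are dropped. A one-line comment at the first reference, e.g. `# declared centrally under the machine-prefixed secret name`, would tell the next reader where the declaration now lives. The enclosing container definitions start and end outside these hunks.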
|
||||||
|
|
|
@ -6,9 +6,8 @@ let
|
||||||
webport = 8521;
|
webport = 8521;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
sops.secrets."zigbee2mqtt" = {
|
sops.secrets."omo-zigbee2mqtt" = {
|
||||||
owner = "zigbee2mqtt";
|
owner = "zigbee2mqtt";
|
||||||
|
|
||||||
path = "/var/lib/zigbee2mqtt/configuration.yaml";
|
path = "/var/lib/zigbee2mqtt/configuration.yaml";
|
||||||
};
|
};
|
||||||
# symlink the zigbee controller
|
# symlink the zigbee controller
|
||||||
|
|
|
@ -8,7 +8,6 @@ let
|
||||||
];
|
];
|
||||||
host = "gum.w";
|
host = "gum.w";
|
||||||
in {
|
in {
|
||||||
sops.secrets."download.smb" = {};
|
|
||||||
boot.extraModprobeConfig = ''
|
boot.extraModprobeConfig = ''
|
||||||
options cifs CIFSMaxBufSize=130048
|
options cifs CIFSMaxBufSize=130048
|
||||||
'';
|
'';
|
||||||
|
|
|
@ -5,14 +5,12 @@
|
||||||
used_peer_names = unique (flatten (mapAttrsToList (n: v: v.devices) config.services.syncthing.folders));
|
used_peer_names = unique (flatten (mapAttrsToList (n: v: v.devices) config.services.syncthing.folders));
|
||||||
used_peers = filterAttrs (n: v: elem n used_peer_names) all_peers;
|
used_peers = filterAttrs (n: v: elem n used_peer_names) all_peers;
|
||||||
in {
|
in {
|
||||||
sops.secrets."syncthing.key" = {};
|
|
||||||
sops.secrets."syncthing.cert" = {};
|
|
||||||
services.syncthing = {
|
services.syncthing = {
|
||||||
enable = true;
|
enable = true;
|
||||||
configDir = "/var/lib/syncthing";
|
configDir = "/var/lib/syncthing";
|
||||||
devices = mk_peers used_peers;
|
devices = mk_peers used_peers;
|
||||||
key = config.sops.secrets."syncthing.key".path;
|
key = config.sops.secrets."${config.clanCore.machineName}-syncthing.key".path;
|
||||||
cert = config.sops.secrets."syncthing.cert".path;
|
cert = config.sops.secrets."${config.clanCore.machineName}-syncthing.cert".path;
|
||||||
};
|
};
|
||||||
services.syncthing.folders.the_playlist = {
|
services.syncthing.folders.the_playlist = {
|
||||||
path = "/home/lass/tmp/the_playlist";
|
path = "/home/lass/tmp/the_playlist";
|
||||||
|
|
|
@ -7,6 +7,7 @@
|
||||||
# mirage - last time available in 19.09
|
# mirage - last time available in 19.09
|
||||||
inkscape
|
inkscape
|
||||||
libreoffice
|
libreoffice
|
||||||
|
guake
|
||||||
# skype
|
# skype
|
||||||
# teams
|
# teams
|
||||||
synergy
|
synergy
|
||||||
|
|
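--- a/2configs/wireguard/wiregrill-client.nix
+++ b/2configs/wireguard/wiregrill-client.nix
@@ -0,0 +1,41 @@
+
+{ config, pkgs, lib, ... }: with lib;
+let
+
+self = config.krebs.build.host.nets.wiregrill;
+ext-if = config.makefu.server.primary-itf;
+
+in mkIf (hasAttr "wiregrill" config.krebs.build.host.nets) {
+#hack for modprobe inside containers
+systemd.services."wireguard-wiregrill".path = mkIf config.boot.isContainer (mkBefore [
+(pkgs.writeDashBin "modprobe" ":")
+]);
+
+
+networking.firewall = {
+allowedUDPPorts = [ self.wireguard.port ];
+};
+
+
+networking.wireguard.interfaces.wiregrill = let
+ipt = "${pkgs.iptables}/bin/iptables";
+ip6 = "${pkgs.iptables}/bin/ip6tables";
+in {
+ips =
+(optional (!isNull self.ip4) self.ip4.addr) ++
+(optional (!isNull self.ip6) self.ip6.addr);
+listenPort = self.wireguard.port;
+privateKeyFile = config.sops.secrets."${config.clanCore.machineName}-wiregrill.key".path;
+allowedIPsAsRoutes = true;
+peers = let
+host = config.krebs.hosts.gum;
+in [
+{
+allowedIPs = host.nets.wiregrill.wireguard.subnets ;
+endpoint = mkIf (!isNull host.nets.wiregrill.via) (host.nets.wiregrill.via.ip4.addr + ":${toString host.nets.wiregrill.wireguard.port}");
+persistentKeepalive = mkIf (!isNull host.nets.wiregrill.via) 61;
+publicKey = (replaceStrings ["\n"] [""] host.nets.wiregrill.wireguard.pubkey);
+}
+];
+};
+}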
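Review bot: `ext-if`, `ipt` and `ip6` are bound in the two `let` blocks of the new client file but never referenced — the client carries no NAT or FORWARD rules — so they read as leftovers from the server module and should be dropped (or the rules they were meant for added). The file also has no header and begins with an empty line; a one-line comment such as `# wiregrill client: single peer (gum), the wiregrill subnets are routed through it; the router side lives in the server module` would make the split and the hard-coded `config.krebs.hosts.gum` peer explicit. `allowedUDPPorts = [ self.wireguard.port ]` is only needed if other peers initiate handshakes to this host; with a fixed `endpoint` plus keepalive that is presumably not the case, so the opening can go unless this host must also be dialled. Keying from `config.sops.secrets."${config.clanCore.machineName}-wiregrill.key"` relies on that secret being declared elsewhere; it is not declared in this file.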
@ -12,7 +12,7 @@ in mkIf (hasAttr "wiregrill" config.krebs.build.host.nets) {
|
||||||
(pkgs.writeDashBin "modprobe" ":")
|
(pkgs.writeDashBin "modprobe" ":")
|
||||||
]);
|
]);
|
||||||
|
|
||||||
boot.kernel.sysctl = mkIf isRouter {
|
boot.kernel.sysctl = {
|
||||||
"net.ipv6.conf.all.forwarding" = 1;
|
"net.ipv6.conf.all.forwarding" = 1;
|
||||||
"net.ipv4.conf.all.forwarding" = 1;
|
"net.ipv4.conf.all.forwarding" = 1;
|
||||||
};
|
};
|
||||||
|
@ -25,14 +25,14 @@ in mkIf (hasAttr "wiregrill" config.krebs.build.host.nets) {
|
||||||
|
|
||||||
networking.firewall = {
|
networking.firewall = {
|
||||||
allowedUDPPorts = [ self.wireguard.port ];
|
allowedUDPPorts = [ self.wireguard.port ];
|
||||||
interfaces.wiregrill = mkIf isRouter {
|
interfaces.wiregrill = {
|
||||||
allowedUDPPorts = [ 53 ];
|
allowedUDPPorts = [ 53 ];
|
||||||
allowedTCPPorts = [ 53 ];
|
allowedTCPPorts = [ 53 ];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
services.dnsmasq = mkIf isRouter {
|
services.dnsmasq = {
|
||||||
enable = true;
|
enable = true;
|
||||||
resolveLocalQueries = false;
|
resolveLocalQueries = false;
|
||||||
extraConfig = /* dnsmasq */ ''
|
extraConfig = /* dnsmasq */ ''
|
||||||
|
@ -55,7 +55,6 @@ in mkIf (hasAttr "wiregrill" config.krebs.build.host.nets) {
|
||||||
${ip6} -A FORWARD -i wiregrill -o wiregrill -j ACCEPT
|
${ip6} -A FORWARD -i wiregrill -o wiregrill -j ACCEPT
|
||||||
${ip6} -A FORWARD -o wiregrill -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
${ip6} -A FORWARD -o wiregrill -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||||
|
|
||||||
'' + (optionalString isRouter ''
|
|
||||||
#${ipt} -t nat -A PREROUTING -s 10.244.245.0/24 -j ACCEPT
|
#${ipt} -t nat -A PREROUTING -s 10.244.245.0/24 -j ACCEPT
|
||||||
#${ipt} -t nat -A POSTROUTING -s 10.244.245.0/24 ! -d 10.244.245.0/24 -j MASQUERADE
|
#${ipt} -t nat -A POSTROUTING -s 10.244.245.0/24 ! -d 10.244.245.0/24 -j MASQUERADE
|
||||||
|
|
||||||
|
@ -76,8 +75,6 @@ in mkIf (hasAttr "wiregrill" config.krebs.build.host.nets) {
|
||||||
${ip6} -D FORWARD -i wiregrill -o wiregrill -j ACCEPT
|
${ip6} -D FORWARD -i wiregrill -o wiregrill -j ACCEPT
|
||||||
${ip6} -D FORWARD -o wiregrill -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
${ip6} -D FORWARD -o wiregrill -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||||
|
|
||||||
'' + (optionalString isRouter ''
|
|
||||||
|
|
||||||
${ipt} -t nat -D PREROUTING -s 10.244.245.0/24 -j ACCEPT
|
${ipt} -t nat -D PREROUTING -s 10.244.245.0/24 -j ACCEPT
|
||||||
${ipt} -t nat -D POSTROUTING -s 10.244.245.0/24 -j MASQUERADE
|
${ipt} -t nat -D POSTROUTING -s 10.244.245.0/24 -j MASQUERADE
|
||||||
|
|
||||||
|
@ -92,11 +89,9 @@ in mkIf (hasAttr "wiregrill" config.krebs.build.host.nets) {
|
||||||
allowedIPsAsRoutes = true;
|
allowedIPsAsRoutes = true;
|
||||||
peers = mapAttrsToList
|
peers = mapAttrsToList
|
||||||
(_: host: {
|
(_: host: {
|
||||||
allowedIPs = if isRouter then
|
allowedIPs =
|
||||||
(optional (!isNull host.nets.wiregrill.ip4) host.nets.wiregrill.ip4.addr) ++
|
(optional (!isNull host.nets.wiregrill.ip4) host.nets.wiregrill.ip4.addr) ++
|
||||||
(optional (!isNull host.nets.wiregrill.ip6) host.nets.wiregrill.ip6.addr)
|
(optional (!isNull host.nets.wiregrill.ip6) host.nets.wiregrill.ip6.addr)
|
||||||
else
|
|
||||||
host.nets.wiregrill.wireguard.subnets
|
|
||||||
;
|
;
|
||||||
endpoint = mkIf (!isNull host.nets.wiregrill.via) (host.nets.wiregrill.via.ip4.addr + ":${toString host.nets.wiregrill.wireguard.port}");
|
endpoint = mkIf (!isNull host.nets.wiregrill.via) (host.nets.wiregrill.via.ip4.addr + ":${toString host.nets.wiregrill.wireguard.port}");
|
||||||
persistentKeepalive = mkIf (!isNull host.nets.wiregrill.via) 61;
|
persistentKeepalive = mkIf (!isNull host.nets.wiregrill.via) 61;
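Review bot: The `'' + (optionalString isRouter ''` openers are removed at `@ -55` and `@ -76`, but the matching `'')` closers of those two string blocks are not in any visible hunk, and the hunk offsets (-55→+55, -76→+75, -92→+89) leave no room for a change between them; unless the closers sit further down than line 92, the shell blocks holding the `-A`/`-D` rules end in an unbalanced `'')` and the file no longer evaluates, so please confirm. With the router role now unconditional in this file (sysctl forwarding, the interface firewall, dnsmasq and the per-peer `allowedIPs`), `isRouter` is presumably no longer referenced and its `let` binding can be removed; that `let` header is outside the hunks. A header comment, e.g. `# wiregrill server/router: forwards and serves DNS for the wiregrill net; non-routing hosts use the client module`, would document the split this commit introduces. The `-A`/`-D` hunks lie inside `networking.wireguard.interfaces.wiregrill`, whose start and end are outside the hunks.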
|