config wiregrill: split into server and client

This commit is contained in:
makefu 2023-10-02 21:28:05 +02:00
parent 2bccacd650
commit bcce7262a7
No known key found for this signature in database
GPG key ID: 36F7711F3FC0F225
8 changed files with 52 additions and 25 deletions


@ -3,13 +3,8 @@ let
in { in {
services.nginx.recommendedProxySettings = true; services.nginx.recommendedProxySettings = true;
services.nginx.virtualHosts."hass" = { services.nginx.virtualHosts."hass" = {
serverAliases = [ "hass.lan" "ha" "ha.lan" ]; serverAliases = [ "hass.lan" "ha" "ha.lan" "hass.omo.w" "hass.omo.r" ];
locations."/".proxyPass = "http://localhost:8123"; locations."/".proxyPass = "http://localhost:8123";
locations."/".proxyWebsockets = true; locations."/".proxyWebsockets = true;
extraConfig = ''
if ( $server_addr != "${internal-ip}" ) {
return 403;
}
'';
}; };
} }
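Review bot: Removing the `$server_addr != "${internal-ip}"` guard (the dropped `extraConfig` block) means this vhost now answers on every address nginx binds, not only `internal-ip`; the added `hass.omo.w`/`hass.omo.r` aliases only widen Host-header matching and do nothing to restrict which interface serves the request. After this change the only access control in front of `http://localhost:8123` is the host firewall and Home Assistant's own login, which is presumably the intent for the overlay-network names but should be stated, e.g. above the vhost: `# reachable on all interfaces; access control is the firewall + HA login`. If the intent is instead to allow only the LAN plus the overlay networks, an explicit allow-list on `locations."/"` (`allow <lan-subnet>; allow <wiregrill-subnet>; deny all;`) would keep that restriction visible in this file — the subnet values are not shown here and would have to come from the host's `nets` definitions. The `let` that provides `internal-ip` (visible in the hunk header) may now be unused in this file.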


@ -21,7 +21,6 @@ let
internal-ip = "192.168.111.11"; internal-ip = "192.168.111.11";
in in
{ {
sops.secrets."photoprism/envfile" = {};
virtualisation.oci-containers.backend = "docker"; virtualisation.oci-containers.backend = "docker";
services.nginx.virtualHosts."photos" = { services.nginx.virtualHosts."photos" = {
@ -100,7 +99,7 @@ in
}; };
environmentFiles = [ environmentFiles = [
config.sops.secrets."photoprism/envfile".path config.sops.secrets."omo-photoprism-envfile".path
]; ];
}; };
@ -122,7 +121,7 @@ in
#]; #];
volumes= [ "${db-dir}:/var/lib/mysql" ]; volumes= [ "${db-dir}:/var/lib/mysql" ];
environmentFiles = [ environmentFiles = [
config.sops.secrets."photoprism/envfile".path config.sops.secrets."omo-photoprism-envfile".path
]; ];
environment = { environment = {
MYSQL_DATABASE= "photoprism"; MYSQL_DATABASE= "photoprism";
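Review bot: Both `environmentFiles` entries now reference `config.sops.secrets."omo-photoprism-envfile".path`, but with `sops.secrets."photoprism/envfile" = {};` removed nothing in this file declares that secret, so evaluation depends on another module (presumably the same clan/sops integration behind the other `omo-` names in this commit) defining it; if it does not, the attribute lookup fails at build time. A one-line comment at the first use would save the next reader the search: `# declared outside this file (clan sops module); confirm the file is readable by the docker daemon`. Separately, the same env file is handed to both the photoprism container and the mariadb container, so every secret in it is visible inside both; this layout predates the commit, but while the secret is being renamed is a cheap moment to split it into per-container files. The enclosing `in { ... }` set and both container definitions start and end outside the shown hunks.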


@ -6,9 +6,8 @@ let
webport = 8521; webport = 8521;
in in
{ {
sops.secrets."zigbee2mqtt" = { sops.secrets."omo-zigbee2mqtt" = {
owner = "zigbee2mqtt"; owner = "zigbee2mqtt";
path = "/var/lib/zigbee2mqtt/configuration.yaml"; path = "/var/lib/zigbee2mqtt/configuration.yaml";
}; };
# symlink the zigbee controller # symlink the zigbee controller


@ -8,7 +8,6 @@ let
]; ];
host = "gum.w"; host = "gum.w";
in { in {
sops.secrets."download.smb" = {};
boot.extraModprobeConfig = '' boot.extraModprobeConfig = ''
options cifs CIFSMaxBufSize=130048 options cifs CIFSMaxBufSize=130048
''; '';


@ -5,14 +5,12 @@
used_peer_names = unique (flatten (mapAttrsToList (n: v: v.devices) config.services.syncthing.folders)); used_peer_names = unique (flatten (mapAttrsToList (n: v: v.devices) config.services.syncthing.folders));
used_peers = filterAttrs (n: v: elem n used_peer_names) all_peers; used_peers = filterAttrs (n: v: elem n used_peer_names) all_peers;
in { in {
sops.secrets."syncthing.key" = {};
sops.secrets."syncthing.cert" = {};
services.syncthing = { services.syncthing = {
enable = true; enable = true;
configDir = "/var/lib/syncthing"; configDir = "/var/lib/syncthing";
devices = mk_peers used_peers; devices = mk_peers used_peers;
key = config.sops.secrets."syncthing.key".path; key = config.sops.secrets."${config.clanCore.machineName}-syncthing.key".path;
cert = config.sops.secrets."syncthing.cert".path; cert = config.sops.secrets."${config.clanCore.machineName}-syncthing.cert".path;
}; };
services.syncthing.folders.the_playlist = { services.syncthing.folders.the_playlist = {
path = "/home/lass/tmp/the_playlist"; path = "/home/lass/tmp/the_playlist";
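Review bot: With `sops.secrets."syncthing.key"` and `"syncthing.cert"` removed, `key`/`cert` now point at `${config.clanCore.machineName}-syncthing.key`/`.cert` secrets that nothing in this file declares, so their owner and mode are whatever the declaring module sets; syncthing runs as its own service user, and whether the NixOS module copies these files as root or reads them directly as that user is not visible here, so confirm one of the two holds or the service will fail to start with a permission error. A short comment at `key = ...` would make the dependency explicit: `# <machine>-syncthing.{key,cert} are declared by the clan sops module; confirm readable by the syncthing user`. `services.syncthing.folders.the_playlist` continues past the hunk.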


@ -7,6 +7,7 @@
# mirage - last time available in 19.09 # mirage - last time available in 19.09
inkscape inkscape
libreoffice libreoffice
guake
# skype # skype
# teams # teams
synergy synergy


@ -0,0 +1,41 @@
{ config, pkgs, lib, ... }: with lib;
let
self = config.krebs.build.host.nets.wiregrill;
ext-if = config.makefu.server.primary-itf;
in mkIf (hasAttr "wiregrill" config.krebs.build.host.nets) {
#hack for modprobe inside containers
systemd.services."wireguard-wiregrill".path = mkIf config.boot.isContainer (mkBefore [
(pkgs.writeDashBin "modprobe" ":")
]);
networking.firewall = {
allowedUDPPorts = [ self.wireguard.port ];
};
networking.wireguard.interfaces.wiregrill = let
ipt = "${pkgs.iptables}/bin/iptables";
ip6 = "${pkgs.iptables}/bin/ip6tables";
in {
ips =
(optional (!isNull self.ip4) self.ip4.addr) ++
(optional (!isNull self.ip6) self.ip6.addr);
listenPort = self.wireguard.port;
privateKeyFile = config.sops.secrets."${config.clanCore.machineName}-wiregrill.key".path;
allowedIPsAsRoutes = true;
peers = let
host = config.krebs.hosts.gum;
in [
{
allowedIPs = host.nets.wiregrill.wireguard.subnets ;
endpoint = mkIf (!isNull host.nets.wiregrill.via) (host.nets.wiregrill.via.ip4.addr + ":${toString host.nets.wiregrill.wireguard.port}");
persistentKeepalive = mkIf (!isNull host.nets.wiregrill.via) 61;
publicKey = (replaceStrings ["\n"] [""] host.nets.wiregrill.wireguard.pubkey);
}
];
};
}
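Review bot: The single peer entry only receives `endpoint` and `persistentKeepalive` when `host.nets.wiregrill.via` is non-null (the two `mkIf`s near the end), and a client has no other way to reach gum, so a null `via` silently yields a peer that is never contacted; since this file exists to be the client side, an explicit guard such as `assert !isNull host.nets.wiregrill.via;` before the peer list (or an `assertions` entry with a message) would fail evaluation loudly instead. `ipt`, `ip6` and `ext-if` are bound in the `let`s but never used in this file and can be dropped. `networking.firewall.allowedUDPPorts = [ self.wireguard.port ]` opens the listen port on every interface even though this role initiates to gum's endpoint; WireGuard ignores unauthenticated datagrams so the exposure is small, but for a pure client the rule is typically unnecessary and deserves either removal or a comment saying why inbound handshakes are wanted. `allowedIPs = host.nets.wiregrill.wireguard.subnets` is turned into kernel routes by `allowedIPsAsRoutes = true`, so whatever gum lists in `subnets` is routed through the tunnel — worth confirming that list contains only the overlay ranges.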


@ -12,7 +12,7 @@ in mkIf (hasAttr "wiregrill" config.krebs.build.host.nets) {
(pkgs.writeDashBin "modprobe" ":") (pkgs.writeDashBin "modprobe" ":")
]); ]);
boot.kernel.sysctl = mkIf isRouter { boot.kernel.sysctl = {
"net.ipv6.conf.all.forwarding" = 1; "net.ipv6.conf.all.forwarding" = 1;
"net.ipv4.conf.all.forwarding" = 1; "net.ipv4.conf.all.forwarding" = 1;
}; };
@ -25,14 +25,14 @@ in mkIf (hasAttr "wiregrill" config.krebs.build.host.nets) {
networking.firewall = { networking.firewall = {
allowedUDPPorts = [ self.wireguard.port ]; allowedUDPPorts = [ self.wireguard.port ];
interfaces.wiregrill = mkIf isRouter { interfaces.wiregrill = {
allowedUDPPorts = [ 53 ]; allowedUDPPorts = [ 53 ];
allowedTCPPorts = [ 53 ]; allowedTCPPorts = [ 53 ];
}; };
}; };
services.dnsmasq = mkIf isRouter { services.dnsmasq = {
enable = true; enable = true;
resolveLocalQueries = false; resolveLocalQueries = false;
extraConfig = /* dnsmasq */ '' extraConfig = /* dnsmasq */ ''
@ -55,7 +55,6 @@ in mkIf (hasAttr "wiregrill" config.krebs.build.host.nets) {
${ip6} -A FORWARD -i wiregrill -o wiregrill -j ACCEPT ${ip6} -A FORWARD -i wiregrill -o wiregrill -j ACCEPT
${ip6} -A FORWARD -o wiregrill -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT ${ip6} -A FORWARD -o wiregrill -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
'' + (optionalString isRouter ''
#${ipt} -t nat -A PREROUTING -s 10.244.245.0/24 -j ACCEPT #${ipt} -t nat -A PREROUTING -s 10.244.245.0/24 -j ACCEPT
#${ipt} -t nat -A POSTROUTING -s 10.244.245.0/24 ! -d 10.244.245.0/24 -j MASQUERADE #${ipt} -t nat -A POSTROUTING -s 10.244.245.0/24 ! -d 10.244.245.0/24 -j MASQUERADE
@ -76,8 +75,6 @@ in mkIf (hasAttr "wiregrill" config.krebs.build.host.nets) {
${ip6} -D FORWARD -i wiregrill -o wiregrill -j ACCEPT ${ip6} -D FORWARD -i wiregrill -o wiregrill -j ACCEPT
${ip6} -D FORWARD -o wiregrill -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT ${ip6} -D FORWARD -o wiregrill -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
'' + (optionalString isRouter ''
${ipt} -t nat -D PREROUTING -s 10.244.245.0/24 -j ACCEPT ${ipt} -t nat -D PREROUTING -s 10.244.245.0/24 -j ACCEPT
${ipt} -t nat -D POSTROUTING -s 10.244.245.0/24 -j MASQUERADE ${ipt} -t nat -D POSTROUTING -s 10.244.245.0/24 -j MASQUERADE
@ -92,11 +89,9 @@ in mkIf (hasAttr "wiregrill" config.krebs.build.host.nets) {
allowedIPsAsRoutes = true; allowedIPsAsRoutes = true;
peers = mapAttrsToList peers = mapAttrsToList
(_: host: { (_: host: {
allowedIPs = if isRouter then allowedIPs =
(optional (!isNull host.nets.wiregrill.ip4) host.nets.wiregrill.ip4.addr) ++ (optional (!isNull host.nets.wiregrill.ip4) host.nets.wiregrill.ip4.addr) ++
(optional (!isNull host.nets.wiregrill.ip6) host.nets.wiregrill.ip6.addr) (optional (!isNull host.nets.wiregrill.ip6) host.nets.wiregrill.ip6.addr)
else
host.nets.wiregrill.wireguard.subnets
; ;
endpoint = mkIf (!isNull host.nets.wiregrill.via) (host.nets.wiregrill.via.ip4.addr + ":${toString host.nets.wiregrill.wireguard.port}"); endpoint = mkIf (!isNull host.nets.wiregrill.via) (host.nets.wiregrill.via.ip4.addr + ":${toString host.nets.wiregrill.wireguard.port}");
persistentKeepalive = mkIf (!isNull host.nets.wiregrill.via) 61; persistentKeepalive = mkIf (!isNull host.nets.wiregrill.via) 61;
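Review bot: `net.ipv4.conf.all.forwarding = 1` and `net.ipv6.conf.all.forwarding = 1` are now unconditional (the `mkIf isRouter` is gone), while the visible FORWARD rules only add ACCEPTs for `-i wiregrill -o wiregrill` and RELATED,ESTABLISHED — nothing shown sets a DROP policy or rejects other interface pairs, so unless the FORWARD chain is restricted elsewhere this host forwards between all of its interfaces, not just within wiregrill. A comment at the sysctl block naming where that policy lives (`# forwarding is global; FORWARD default policy is restricted in <module>`) or an explicit `${ipt} -A FORWARD -o wiregrill -j DROP` / `${ip6} -A FORWARD -o wiregrill -j DROP` tail after the ACCEPTs would make the scope clear. postShutdown now always runs `-t nat -D PREROUTING ...` and `-D POSTROUTING ... MASQUERADE` (the `optionalString isRouter` wrapper was removed), but the corresponding `-A` lines in postSetup are still commented out, so unless matching additions exist in the part of postSetup not shown those deletes target rules that were never added; the `-D POSTROUTING` also lacks the `! -d 10.244.245.0/24` present on the commented `-A`, so it would not match that rule even once re-enabled. The file's `let` (where `isRouter` was defined) and the `peers` mapping continue outside the shown hunks.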