various changes to procul

This commit is contained in:
root@procul 2020-07-24 00:38:48 -05:00
parent 7cc059c342
commit e196eeced4
7 changed files with 121 additions and 4 deletions


@ -20,6 +20,12 @@ in {
default = [];
example = ["redis.service"];
};
tmpOnTmpfs = mkOption {
type = types.bool;
description = "Put tmp filesystem on tmpfs (needs enough RAM).";
default = true;
};
};
config = mkIf cfg.disableTransparentHugePages {
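Review bot: The new `tmpOnTmpfs` option defaults to `true`, so every host importing this module gets a RAM-backed /tmp unless it explicitly opts out, and the description should say what that costs rather than just "needs enough RAM". The hunk stops at the `config = mkIf cfg.disableTransparentHugePages {` line, so where `cfg.tmpOnTmpfs` is actually consumed is outside this view; if it feeds `boot.tmpOnTmpfs`, the description should say so. Suggested wording: `description = "Mount /tmp on tmpfs (RAM-backed, default true). Anything written to /tmp then consumes memory, so disable on hosts with little RAM or large temporary files.";`. The enclosing options and config attrsets start and end outside the hunk.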

79
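--- a/config/fudo/vpn.nix
+++ b/config/fudo/vpn.nix
@@ -0,0 +1,79 @@
+{ pkgs, lib, config, ... }:
+with lib;
+let
+cfg = config.fudo.vpn;
+peerOpts = { peer-name, ... }: {
+options = with types; {
+public-key = mkOption {
+type = str;
+description = "Peer public key.";
+};
+allowed-ips = mkOption {
+type = listOf str;
+description = "List of allowed IP ranges from which this peer can connect.";
+example = [ "10.100.0.0/16" ];
+default = [];
+};
+};
+};
+in {
+options.fudo.vpn = with types; {
+enable = mkEnableOption "Enable Fudo VPN";
+ips = mkOption {
+type = str;
+description = "IP range to assign this interface.";
+default = "10.100.0.0/16";
+};
+private-key-file = mkOption {
+type = str;
+description = "Path to the secret key (generated with wg [genkey/pubkey]).";
+example = "/path/to/secret.key";
+};
+listen-port = mkOption {
+type = port;
+description = "Port on which to listen for incoming connections.";
+default = 51820;
+};
+peers = mkOption {
+type = listOf str;
+description = "A list of peers for which to generate config files.";
+default = [];
+};
+peers = mkOption {
+type = loaOf (submodule peerOpts);
+description = "A list of peers allowed to connect.";
+default = {};
+example = {
+peer0 = {
+public-key = "xyz";
+allowed-ips = ["10.100.1.0/24"];
+};
+};
+};
+};
+config = mkIf cfg.enable {
+networking.wireguard = {
+enable = true;
+interfaces.wgtun0 = {
+generatePrivateKeyFile = false;
+ips = [ cfg.ips ];
+listenPort = cfg.listen-port;
+peers = mapAttrsToList (peer-name: peer-config: {
+publicKey = peer-config.public-key;
+allowedIPs = peer-config.allowed-ips;
+}) cfg.peers;
+privateKeyFile = cfg.private-key-file;
+};
+};
+};
+}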
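Review bot: `peers` is declared twice inside `options.fudo.vpn` (first with `type = listOf str`, then with `type = loaOf (submodule peerOpts)`), and Nix rejects a duplicate attribute name in one attrset, so this module will fail to evaluate as written; drop the first `peers` option, since nothing reads it and the `config` block's `mapAttrsToList` only works with the attrset form. Separately, the `allowed-ips` description misstates what WireGuard `allowedIPs` does: it is the cryptokey-routing entry for the peer — the tunnel-side addresses the interface accepts as source from that peer and routes to it — not a restriction on where the peer connects from, and a reader trusting the current text could believe an endpoint-IP filter exists when it does not. Suggested: `description = "WireGuard allowedIPs for this peer: tunnel addresses/ranges accepted as source from this peer and routed to it (not the peer's endpoint address).";`. Declaring `private-key-file` as `str` rather than `path` is the right call, because a Nix path value would be copied into the world-readable store; a one-line comment such as `# str, not path: a path value would copy the secret into /nix/store` would stop someone "fixing" it later.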


@ -22,6 +22,7 @@ with lib;
./fudo/secure-dns-proxy.nix
./fudo/slynk.nix
./fudo/system.nix
./fudo/vpn.nix
./fudo/webmail.nix
./informis/cl-gemini.nix


@ -53,6 +53,7 @@
lispPackages.cl-ppcre
lispPackages.clx
lispPackages.quicklisp
lsof
lshw
mkpasswd
ncurses5
@ -68,7 +69,6 @@
pinentry.curses
pv
pwgen
racket
ruby
rustc
sbcl


@ -34,6 +34,7 @@ let
mplayer
mpv
pdftk
racket
redshift
rhythmbox
shotwell


@ -53,8 +53,9 @@ in {
systemPackages = with pkgs; [
ldns
ldns.examples
test-config
racket-minimal
reboot-if-necessary
test-config
];
noXlibs = true;
@ -66,8 +67,8 @@ in {
networking = {
networkmanager.enable = mkForce false;
};
}
;
boot.tmpOnTmpfs = true;
services.xserver.enable = false;
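Review bot: `boot.tmpOnTmpfs = true;` sets the raw NixOS option directly on this host, while the same commit introduces a `tmpOnTmpfs` option (default `true`) in the fudo system module, which another host in this diff configures as `system.tmpOnTmpfs = false;`. If that module also assigns `boot.tmpOnTmpfs` from its option (not visible here), a later change to the module option on this host would conflict with this hard-coded definition, so prefer the module option or drop the line, since the module default is already `true`. The `}` and `;` shown on separate lines just above it look like a rendering artifact of a changed `};`, but it is worth confirming the file still parses. The enclosing attrset starts and ends outside the hunk.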


@ -55,6 +55,13 @@ in {
};
};
# For WireGuard
nat = {
enable = true;
externalInterface = "extif0";
internalInterfaces = [ "wgtun0" ];
};
interfaces = {
extif0 = {
# result of:
@ -119,6 +126,8 @@ in {
];
};
system.tmpOnTmpfs = false;
secure-dns-proxy = {
enable = true;
upstream-dns = [ "https://cloudflare-dns.com/dns-query" ];
@ -263,6 +272,26 @@ in {
};
};
fudo.vpn = {
enable = true;
ips = "10.100.0.0/16";
private-key-file = "/srv/wireguard/secure/secret.key";
peers = {
peter = {
allowed-ips = [ "10.100.1.0/24" ];
public-key = "d1NfRFWRkcKq2gxvqfMy7Oe+JFYf5DjomnsTyisvgB4=";
};
ken = {
allowed-ips = [ "10.100.2.0/24" ];
public-key = "y294rTCK0iSRhA6EIOErPzEuqzJMuYAG4XbHasySMVU=";
};
helen = {
allowed-ips = [ "10.100.3.0/24" ];
public-key = "7Hdko6RibhIYdoPLWXGwmElY5vKvZ+rURmqFTDUfC2w=";
};
};
};
informis.cl-gemini = {
enable = true;