diff --git a/.github/workflows/nix-flake-check.yml b/.github/workflows/nix-flake-check.yml index 33671cc..1847f95 100644 --- a/.github/workflows/nix-flake-check.yml +++ b/.github/workflows/nix-flake-check.yml @@ -7,7 +7,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 - - uses: cachix/install-nix-action@v13 + - uses: cachix/install-nix-action@v17 with: install_url: https://github.com/numtide/nix-flakes-installer/releases/download/nix-2.4pre20210604_8e6ee1b/install extra_nix_config: | diff --git a/.github/workflows/nix-flake-update.yml b/.github/workflows/nix-flake-update.yml index b73fbce..edc343d 100644 --- a/.github/workflows/nix-flake-update.yml +++ b/.github/workflows/nix-flake-update.yml @@ -9,7 +9,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 - - uses: cachix/install-nix-action@v13 + - uses: cachix/install-nix-action@v17 with: install_url: https://github.com/numtide/nix-flakes-installer/releases/download/nix-2.4pre20210604_8e6ee1b/install extra_nix_config: | diff --git a/flake.lock b/flake.lock index 611954a..401ec76 100644 --- a/flake.lock +++ b/flake.lock @@ -131,11 +131,11 @@ }, "flake-utils": { "locked": { - "lastModified": 1649676176, - "narHash": "sha256-OWKJratjt2RW151VUlJPRALb7OU2S5s+f0vLj4o1bHM=", + "lastModified": 1648297722, + "narHash": "sha256-W+qlPsiZd8F3XkzXOzAoR+mpFqzm3ekQkJNa+PIh1BQ=", "owner": "numtide", "repo": "flake-utils", - "rev": "a4b154ebbdc88c8498a5c7b01589addc9e9cb678", + "rev": "0f8662f1319ad6abf89b3380dd2722369fc51ade", "type": "github" }, "original": { @@ -161,11 +161,11 @@ }, "flake-utils_3": { "locked": { - "lastModified": 1649676176, - "narHash": "sha256-OWKJratjt2RW151VUlJPRALb7OU2S5s+f0vLj4o1bHM=", + "lastModified": 1648297722, + "narHash": "sha256-W+qlPsiZd8F3XkzXOzAoR+mpFqzm3ekQkJNa+PIh1BQ=", "owner": "numtide", "repo": "flake-utils", - "rev": "a4b154ebbdc88c8498a5c7b01589addc9e9cb678", + "rev": "0f8662f1319ad6abf89b3380dd2722369fc51ade", "type": "github" }, "original": { 
@@ -228,11 +228,11 @@ ] }, "locked": { - "lastModified": 1649642044, - "narHash": "sha256-V9ZjTJcbDPgWG+H3rIC6XuPHZAPK1VupBbSsuDbptkQ=", + "lastModified": 1649392573, + "narHash": "sha256-dCPEJZzExz2+i7AjUuViZUgHC+JXDlBBG/IzuSYWCh8=", "owner": "nix-community", "repo": "home-manager", - "rev": "e39a9d0103e3b2e42059c986a8c633824b96c193", + "rev": "f911ebbec927e8e9b582f2e32e2b35f730074cfc", "type": "github" }, "original": { @@ -278,11 +278,11 @@ }, "myNixpkgs": { "locked": { - "lastModified": 1649673231, - "narHash": "sha256-1T3AFscfS7s9pkFA+UIDrHH3/RLVjRdYs5ImuLYpOlE=", + "lastModified": 1649408932, + "narHash": "sha256-JhTW1OtS5fACcRXLqcTTQyYO5vLkO+bceCqeRms13SY=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "33772708c6d0e33f697426ba386aa0149cbcbecb", + "rev": "42948b300670223ca8286aaf916bc381f66a5313", "type": "github" }, "original": { @@ -349,11 +349,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1649849514, - "narHash": "sha256-zQyTr2UebTKUh1KLyLtevhHsM8umPK1LfQLGUGjRjiQ=", + "lastModified": 1649488242, + "narHash": "sha256-GFahTvlMnqotZ8i1AO3J8OtVFrJe4QHcEPxpFH+DIEw=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "1a0ccdbf4583ed0fce37eea7955e8ef90f840a9f", + "rev": "850308db3ef0bcc7454155063b5fec28b4ffbc8c", "type": "github" }, "original": { diff --git a/nixos/agares/configuration.nix b/nixos/agares/configuration.nix index 4fe1a3e..0dcb87b 100644 --- a/nixos/agares/configuration.nix +++ b/nixos/agares/configuration.nix 
@@ -31,34 +31,17 @@ "vfio_virqfd" ]; + networking.interfaces.enp2s0.useDHCP = false; + networking.interfaces.enp3s0.useDHCP = false; + + networking.interfaces.enp1s0.useDHCP = true; networking.vlans = { - lan = { - id = 11; - interface = "enp1s0"; - }; vpn = { id = 12; interface = "enp1s0"; }; - backup = { - id = 13; - interface = "enp1s0"; - }; }; - - networking.bridges = { - "br-lan" = { - interfaces = [ "lan" ]; - }; - "br-vpn" = { - interfaces = [ "vpn" ]; - }; - "br-backup" = { - interfaces = [ "backup" ]; - }; - }; - - networking.interfaces.enp1s0.useDHCP = true; + networking.interfaces.vpn.useDHCP = true; i18n.defaultLocale = "en_US.UTF-8"; console = { diff --git a/nixos/ifrit/configuration.nix b/nixos/ifrit/configuration.nix index ed63375..e94310f 100644 --- a/nixos/ifrit/configuration.nix +++ b/nixos/ifrit/configuration.nix @@ -2,9 +2,8 @@ let hostAliases = [ "ifrit.dadada.li" - "vpn.dadada.li" + "bs.vpn.dadada.li" "media.dadada.li" - "backup0.dadada.li" ]; backups = "/mnt/storage/backup"; in @@ -48,13 +47,8 @@ in key = "5EaLm7uC8XzoN8+BaGzgGRUU4q5shM7gQJcs/d7n+Vo="; }; }; - ddns.domains = [ - "vpn.dadada.li" - "backup0.dadada.li" - ]; }; - users.users.borg.home = "/mnt/storage/backup"; services.borgbackup.repos = { "metis" = { allowSubRepos = false; @@ -115,6 +109,14 @@ in "::1" = hostAliases; }; + networking.nameservers = [ + "1.1.1.1" + "1.0.0.1" + ]; + + # weird issues with crappy plastic router + networking.interfaces."ens3".tempAddress = "disabled"; + # Use the GRUB 2 boot loader. boot.loader.grub.enable = true; boot.loader.grub.version = 2; @@ -126,13 +128,8 @@ in keyMap = "us"; }; - # weird issues with crappy plastic router - networking.interfaces."ens3".tempAddress = "disabled"; - networking.interfaces."ens7".tempAddress = "disabled"; - networking.useDHCP = false; networking.interfaces.ens3.useDHCP = true; - networking.interfaces.ens7.useDHCP = false; fileSystems."/mnt/storage" = { device = "/dev/disk/by-uuid/a34e36fc-d7dd-4ceb-93c4-48f9c2727cb7"; 
@@ -146,9 +143,19 @@ in allowPing = true; allowedTCPPorts = [ 22 # SSH + 80 + 443 # HTTP(S) + 111 + 2049 # NFS + 139 + 445 # SMB ]; allowedUDPPorts = [ - 51234 + 137 + 138 + 111 + 2049 # NFS + 51234 # Wireguard ]; }; @@ -181,6 +188,30 @@ in }; environment.systemPackages = [ pkgs.curl ]; + systemd = { + timers.ddns-joker = { + wantedBy = [ "timers.target" ]; + partOf = [ "ddns-joker.service" ]; + timerConfig.OnCalendar = "hourly"; + }; + services.ddns-joker = { + serviceConfig.Type = "oneshot"; + script = '' + function url() { + echo "https://svc.joker.com/nic/update?username=$1&password=$2&hostname=$3" + } + + IFS=':' + read -r user password < /var/lib/ddns/credentials + unset IFS + + curl_url=$(url "$user" "$password" bs.vpn.dadada.li) + + ${pkgs.curl}/bin/curl -4 "$curl_url" + ${pkgs.curl}/bin/curl -6 "$curl_url" + ''; + }; + }; system.stateVersion = "20.03"; } diff --git a/nixos/modules/backup.nix b/nixos/modules/backup.nix index eecddd8..11c0908 100644 --- a/nixos/modules/backup.nix +++ b/nixos/modules/backup.nix @@ -60,10 +60,16 @@ in startAt = "monthly"; }; + networking.hosts = mkIf cfg.bs { + "fd42:dead:beef:0:5054:ff:fefb:7361" = [ + "media.dadada.li" + ]; + }; + services.borgbackup.jobs.bs = mkIf cfg.bs { paths = "/"; exclude = backupExcludes; - repo = "borg@backup0.dadada.li:${config.networking.hostName}"; + repo = "borg@media.dadada.li:/mnt/storage/backup/${config.networking.hostName}"; doInit = false; environment = { BORG_RSH = "ssh -i /var/lib/borgbackup/bs/id_ed25519 -o 'StrictHostKeyChecking accept-new'"; diff --git a/nixos/modules/ddns.nix b/nixos/modules/ddns.nix deleted file mode 100644 index 2c42ce4..0000000 --- a/nixos/modules/ddns.nix +++ /dev/null 
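Review bot: The NFS (111/2049) and SMB (137–139/445) ports added here go into the host-wide `allowedTCPPorts`/`allowedUDPPorts` lists, so they are reachable on every interface of ifrit, including the one facing the router, not only the side that the media share and the borg repos appear to serve. NixOS can scope them per interface, e.g. `networking.firewall.interfaces.bs.allowedTCPPorts = [ 111 2049 139 445 ];` with the matching `allowedUDPPorts = [ 111 137 138 2049 ];`, leaving only 22, 80/443 and 51234 in the global lists; whether the right interface is the WireGuard `bs` link or `ens3` cannot be told from this page. The `networking.firewall = {` set this hunk edits opens before the hunk.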
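Review bot: In the new `ddns-joker` script the Joker password is interpolated into `$curl_url` and handed to curl as an argument, so while each curl runs the full URL, credentials included, is visible to every local user through the process list, and it is also what curl echoes in some error messages that then land in the journal. The deleted `ddns.nix` had the same pattern, so the commit carries it over rather than introducing it, but since the script is being rewritten anyway this is the moment to feed the URL to curl through its config input (`-K -`) instead, as below. The `IFS=':'`/`read` parsing is kept and still breaks if the password contains a colon, which a comment in the credentials file should say. On systemd 247 or later `serviceConfig.LoadCredential` would additionally let the unit read the file without running as root; whether that applies depends on the systemd version in the pinned nixpkgs, which is not visible here.
```nix
services.ddns-joker = {
  serviceConfig.Type = "oneshot";
  script = ''
    # credentials file is "user:password"; a colon in the password breaks this
    IFS=':' read -r user password < /var/lib/ddns/credentials

    # Pass the URL to curl via its config input (-K -) so the password never
    # appears in the process argument list.
    for ipv in -4 -6; do
      printf 'url = "https://svc.joker.com/nic/update?username=%s&password=%s&hostname=%s"\n' \
        "$user" "$password" bs.vpn.dadada.li \
        | ${pkgs.curl}/bin/curl "$ipv" -K -
    done
  '';
};
```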
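Review bot: The new `repo` URL points borg at `media.dadada.li`, which the same hunk pins statically in `networking.hosts`, while the `BORG_RSH` line just below still uses `StrictHostKeyChecking accept-new`, i.e. trust-on-first-use for the server's SSH key. Since the address is now fixed in configuration anyway, the host key can be fixed alongside it so a first connection to the wrong machine is refused rather than memorised: `programs.ssh.knownHosts."media.dadada.li".publicKey = "<media.dadada.li host public key>";` (placeholder; the key is not on this page), optionally under the same `mkIf cfg.bs`. The `services.borgbackup.jobs.bs` set continues past the end of the hunk.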
@@ -1,47 +0,0 @@ -{ config, pkgs, lib, ... }: -with lib; -let - cfg = config.dadada.ddns; - ddnsConfig = hostNames: { - systemd.timers = listToAttrs (forEach hostNames (hostname: nameValuePair "ddns-${hostname}" - { - wantedBy = [ "timers.target" ]; - partOf = [ "ddns-${hostname}.service" ]; - timerConfig.OnCalendar = "hourly"; - })); - - systemd.services = listToAttrs (forEach hostNames (hostname: nameValuePair "ddns-${hostname}" - { - serviceConfig.Type = "oneshot"; - script = '' - function url() { - echo "https://svc.joker.com/nic/update?username=$1&password=$2&hostname=$3" - } - - IFS=':' - read -r user password < /var/lib/ddns/credentials - unset IFS - - curl_url=$(url "$user" "$password" ${hostname}) - - ${pkgs.curl}/bin/curl -4 "$curl_url" - ${pkgs.curl}/bin/curl -6 "$curl_url" - ''; - })); - }; -in { - options = { - dadada.ddns.domains = mkOption { - type = types.listOf types.str; - description = '' - Enables DDNS for these domains. - ''; - example = '' - [ "example.com" ] - ''; - default = []; - }; - }; - - config = ddnsConfig cfg.domains; -} diff --git a/nixos/modules/default.nix b/nixos/modules/default.nix index bb3cf37..1930b23 100644 --- a/nixos/modules/default.nix +++ b/nixos/modules/default.nix @@ -2,7 +2,6 @@ { admin = import ./admin.nix; backup = import ./backup.nix; - ddns = import ./ddns.nix; element = import ./element.nix; fido2 = import ./fido2.nix; fileShare = import ./fileShare.nix; diff --git a/nixos/modules/networking.nix b/nixos/modules/networking.nix index e1ffb9f..5520bd7 100644 --- a/nixos/modules/networking.nix +++ b/nixos/modules/networking.nix @@ -114,7 +114,7 @@ in })); networking.wireguard.interfaces = mkIf (cfg.vpnExtension != null) { - dadada = { + bs = { ips = [ "fd42:9c3b:f96d:200::${cfg.vpnExtension}/64" ]; listenPort = 51234; 
@@ -124,7 +124,7 @@ in { publicKey = "lFB2DWtzp55ajV0Fk/OWdO9JlGvN9QsayYKQQHV3GEs="; allowedIPs = [ "fd42:9c3b:f96d::/48" ]; - endpoint = "vpn.dadada.li:51234"; + endpoint = "bs.vpn.dadada.li:51234"; persistentKeepalive = 25; } ]; @@ -140,8 +140,22 @@ in systemd.services.wg-reresolve-dns = mkIf (cfg.vpnExtension != null) { serviceConfig.Type = "oneshot"; script = '' - ${pkgs.wireguard-tools}/bin/wg set dadada peer lFB2DWtzp55ajV0Fk/OWdO9JlGvN9QsayYKQQHV3GEs= endpoint vpn.dadada.li:51234 persistent-keepalive 25 allowed-ips fd42:9c3b:f96d::/48 + ${pkgs.wireguard-tools}/bin/wg set bs peer lFB2DWtzp55ajV0Fk/OWdO9JlGvN9QsayYKQQHV3GEs= endpoint bs.vpn.dadada.li:51234 persistent-keepalive 25 allowed-ips fd42:9c3b:f96d::/48 ''; }; + + fileSystems."/mnt/media.dadada.li" = mkIf cfg.enableBsShare { + device = "media.dadada.li:/mnt/storage/share"; + fsType = "nfs"; + options = [ "x-systemd.automount" "noauto" "x-systemd.idle-timeout=600" ]; + }; + + networking.firewall = { + enable = true; + allowedUDPPorts = [ + 51234 # Wireguard + 5353 # mDNS + ]; + }; }; }
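Review bot: The new `networking.firewall` block opens UDP 51234 unconditionally, whereas the WireGuard interface it serves only exists under `mkIf (cfg.vpnExtension != null)` (see `systemd.services.wg-reresolve-dns` at the top of the hunk), so every host importing this module now exposes the port even when nothing listens on it. Keeping the two in step is one line: `allowedUDPPorts = [ 5353 ] ++ lib.optional (cfg.vpnExtension != null) 51234; # mDNS, Wireguard` (drop the `lib.` prefix if the file already opens `lib`, as the bare `mkIf` suggests). The NFS automount of `media.dadada.li:/mnt/storage/share` names no `sec=` or `vers=` option, so it gets the client defaults; a comment should say so, e.g. `# no sec=/vers= given: client defaults (AUTH_SYS) apply — confirm media.dadada.li is only reached over a trusted link`, since the page does not show which path that name resolves over. The `config = {` set containing these attributes begins before the hunk.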