From 408c24559d72831af72ff2dff615c621920975aa Mon Sep 17 00:00:00 2001
From: Fabian Hauser
Date: Mon, 9 Dec 2024 16:20:35 +0200
Subject: [PATCH] Refactore backplane-net to module with hosts

---
defaults/backplane-net/default.nix | 65 ---------------
nixos-configurations/calanda/networking.nix | 4 +-
.../cyprianspitz/networking.nix | 4 +-
.../lindberg-build/default.nix | 1 -
.../lindberg-build/networking.nix | 2 +
.../lindberg-nextcloud/default.nix | 3 +-
.../lindberg-webapps/default.nix | 1 -
.../lindberg-webapps/networking.nix | 2 +
nixos-configurations/lindberg/networking.nix | 4 +-
nixos-configurations/stompert/default.nix | 6 +-
nixos-configurations/tierberg/networking.nix | 4 +-
.../qois/backplane-net.hosts/default.nix | 42 ++++++++++
.../qois}/backplane-net/README.md | 0
nixos-modules/qois/backplane-net/default.nix | 83 +++++++++++++++++++
nixos-modules/qois/vpn-server/default.nix | 2 +-
15 files changed, 144 insertions(+), 79 deletions(-)
delete mode 100644 defaults/backplane-net/default.nix
create mode 100644 nixos-modules/qois/backplane-net.hosts/default.nix
rename {defaults => nixos-modules/qois}/backplane-net/README.md (100%)
create mode 100644 nixos-modules/qois/backplane-net/default.nix

diff --git a/defaults/backplane-net/default.nix b/defaults/backplane-net/default.nix
deleted file mode 100644
index 62e4a82..0000000
--- a/defaults/backplane-net/default.nix
+++ /dev/null
@@ -1,65 +0,0 @@
-{
- pkgs,
- lib,
- config,
- ...
-}:
-let
- hostName = config.networking.hostName;
- netName = "backplane";
- netConfig = config.qois.meta.network.virtual.${netName};
- hostNetConfig = netConfig.hosts.${hostName};
- wgDefaultPort = 51825;
-in
-{
- sops.secrets."wgautomesh/gossip-secret".restartUnits = [ "wgautomesh.service" ];
-
- networking.wireguard.enable = true;
- networking.wireguard.interfaces."wg-${netName}" = {
- ips = [ "${hostNetConfig.v4.ip}/${builtins.toString netConfig.v4.prefixLength}" ];
- listenPort = if hostNetConfig.endpoint != null then hostNetConfig.endpoint.port else wgDefaultPort;
- privateKeyFile = "/secrets/wireguard/private/${netName}";
- generatePrivateKeyFile = true;
- };
-
- systemd.network.wait-online.ignoredInterfaces = [ "wg-${netName}" ];
-
- networking.firewall.allowedUDPPorts =
- if hostNetConfig.endpoint != null then [ hostNetConfig.endpoint.port ] else [ wgDefaultPort ];
-
- # Configure wgautomesh to setup peers. Make sure that the name is not used in the VPN module
- services.wgautomesh = {
- enable = true;
- gossipSecretFile = builtins.toString config.sops.secrets."wgautomesh/gossip-secret".path;
- openFirewall = true;
- logLevel = "info";
- settings = {
- interface = "wg-${netName}";
-
- # Map meta network configuration to the format of wgautomesh and filter out peers with endpoints
- peers =
- let
- reachableHosts = lib.filterAttrs (
- peerHostName: peerConfig: peerHostName != hostName # Not this host
- ) netConfig.hosts;
- in
- lib.mapAttrsToList (_: peerConfig: {
- address = peerConfig.v4.ip;
- endpoint =
- if peerConfig.endpoint != null then
- with peerConfig.endpoint; "${fqdn}:${builtins.toString port}"
- else
- null;
- pubkey = peerConfig.publicKey;
- }) reachableHosts;
- };
- };
- systemd.services.wgautomesh =
- let
- wgInterface = [ "wireguard-wg-backplane.service" ];
- in
- {
- requires = wgInterface;
- after = wgInterface;
- };
-}
diff --git a/nixos-configurations/calanda/networking.nix b/nixos-configurations/calanda/networking.nix
index 5aa0760..0f713b9 100644
--- a/nixos-configurations/calanda/networking.nix
+++ b/nixos-configurations/calanda/networking.nix
@@ -7,8 +7,6 @@ let
 getCalandaIp4 = net: net.hosts.calanda.v4.ip;
 in
 {
- imports = [ ../../defaults/backplane-net ];
-
 networking.hostName = meta.hosts.calanda.hostName;
 networking.domain = "ilanz.fh2.ch";
 networking.enableIPv6 = false; # TODO
@@ -30,6 +28,8 @@ in
 ];
 };

+ qois.backplane-net.enable = true;
+
 # TODO: Metaize ips
 services.qois.router = {
 enable = true;
diff --git a/nixos-configurations/cyprianspitz/networking.nix b/nixos-configurations/cyprianspitz/networking.nix
index 8147a3f..9f224b8 100644
--- a/nixos-configurations/cyprianspitz/networking.nix
+++ b/nixos-configurations/cyprianspitz/networking.nix
@@ -6,8 +6,6 @@ in
 {
 networking.hostName = meta.hosts.cyprianspitz.hostName;

- imports = [ ../../defaults/backplane-net ];
-
 networking.useDHCP = false;
 networking.interfaces.enp0s31f6.useDHCP = true;
 networking.interfaces.enp2s0.useDHCP = true;
@@ -77,6 +75,8 @@ in
 # TODO Solve sops dependency porblem: config.sops.secrets."system/initrd-ssh-key".path;
 };

+ qois.backplane-net.enable = true;
+
 # Configure this node to be used as an vpn exit node
 qois.backup-client.includePaths = [ "/var/lib/tailscale" ];
 services.tailscale = {
diff --git a/nixos-configurations/lindberg-build/default.nix b/nixos-configurations/lindberg-build/default.nix
index f8cc617..f5b4bfd 100644
--- a/nixos-configurations/lindberg-build/default.nix
+++ b/nixos-configurations/lindberg-build/default.nix
@@ -4,7 +4,6 @@
 imports = [
 ../../defaults/base-vm
 ../../defaults/meta
- ../../defaults/backplane-net
 ./applications

 ./backup.nix
diff --git a/nixos-configurations/lindberg-build/networking.nix b/nixos-configurations/lindberg-build/networking.nix
index 3cbe068..0e8f881 100644
--- a/nixos-configurations/lindberg-build/networking.nix
+++ b/nixos-configurations/lindberg-build/networking.nix
@@ -6,6 +6,8 @@
 networking.useDHCP = false;
 networking.interfaces.enp11s0.useDHCP = true;

+ qois.backplane-net.enable = true;
+
 networking.firewall.allowedTCPPorts = [
 80
 443
diff --git a/nixos-configurations/lindberg-nextcloud/default.nix b/nixos-configurations/lindberg-nextcloud/default.nix
index 08034a8..78fc78d 100644
--- a/nixos-configurations/lindberg-nextcloud/default.nix
+++ b/nixos-configurations/lindberg-nextcloud/default.nix
@@ -2,7 +2,6 @@
 {

 imports = [
- ../../defaults/backplane-net
 ../../defaults/base-vm
 ../../defaults/meta
 ./applications
@@ -31,6 +30,8 @@
 networking.useDHCP = false;
 networking.interfaces.enp2s0.useDHCP = true;

+ qois.backplane-net.enable = true;
+
 networking.firewall.allowedTCPPorts = [
 80
 443
diff --git a/nixos-configurations/lindberg-webapps/default.nix b/nixos-configurations/lindberg-webapps/default.nix
index 1daa20d..1cbfd2f 100644
--- a/nixos-configurations/lindberg-webapps/default.nix
+++ b/nixos-configurations/lindberg-webapps/default.nix
@@ -4,7 +4,6 @@
 imports = [
 ../../defaults/base-vm
 ../../defaults/meta
- ../../defaults/backplane-net
 ./applications

 ./disko-config.nix
diff --git a/nixos-configurations/lindberg-webapps/networking.nix b/nixos-configurations/lindberg-webapps/networking.nix
index fd4b437..07f42ff 100644
--- a/nixos-configurations/lindberg-webapps/networking.nix
+++ b/nixos-configurations/lindberg-webapps/networking.nix
@@ -6,6 +6,8 @@
 networking.useDHCP = false;
 networking.interfaces.enp1s0.useDHCP = true;

+ qois.backplane-net.enable = true;
+
 networking.firewall.allowedTCPPorts = [
 80
 443
diff --git a/nixos-configurations/lindberg/networking.nix b/nixos-configurations/lindberg/networking.nix
index e46c3b5..50c631c 100644
--- a/nixos-configurations/lindberg/networking.nix
+++ b/nixos-configurations/lindberg/networking.nix
@@ -6,8 +6,6 @@ in
 {
 networking.hostName = meta.hosts.lindberg.hostName;

- imports = [ ../../defaults/backplane-net ];
-
 networking.useDHCP = false;
 networking.interfaces.enp5s0.useDHCP = true;

@@ -74,6 +72,8 @@ in
 sshPort = 2222;
 };

+ qois.backplane-net.enable = true;
+
 # Use this node as vpn exit node
 qois.backup-client.includePaths = [ "/var/lib/tailscale" ];
 services.tailscale = {
diff --git a/nixos-configurations/stompert/default.nix b/nixos-configurations/stompert/default.nix
index d1855d2..5eea848 100644
--- a/nixos-configurations/stompert/default.nix
+++ b/nixos-configurations/stompert/default.nix
@@ -6,13 +6,13 @@
 {

 imports = [
- ../../defaults/backplane-net
 ../../defaults/hardware/apu.nix
 ../../defaults/base
 ../../defaults/meta
 ];

- boot.initrd.luks.devices."systems".device = "/dev/disk/by-uuid/5718bd19-cb7a-4728-9ec4-6b2be48215fc";
+ boot.initrd.luks.devices."systems".device =
+ "/dev/disk/by-uuid/5718bd19-cb7a-4728-9ec4-6b2be48215fc";

 fileSystems."/" = {
 device = "/dev/mapper/vg_systems-hv_stompert";
@@ -52,6 +52,8 @@
 networking.interfaces.enp3s0.useDHCP = true;
 networking.tempAddresses = "disabled";

+ qois.backplane-net.enable = true;
+
 # Set your time zone.
 # time.timeZone = "Europe/Amsterdam";

diff --git a/nixos-configurations/tierberg/networking.nix b/nixos-configurations/tierberg/networking.nix
index 2d57100..e80eb9d 100644
--- a/nixos-configurations/tierberg/networking.nix
+++ b/nixos-configurations/tierberg/networking.nix
@@ -7,8 +7,6 @@ in
 {
 networking.hostName = meta.hosts.tierberg.hostName;

- imports = [ ../../defaults/backplane-net ];
-
 networking.enableIPv6 = false; # TODO
 networking.useDHCP = false;

@@ -21,6 +19,8 @@ in
 ];
 networking.interfaces.enp3s0.useDHCP = true;

+ qois.backplane-net.enable = true;
+
 services.qois.luks-ssh = {
 enable = true;
 interface = "eth0";
diff --git a/nixos-modules/qois/backplane-net.hosts/default.nix b/nixos-modules/qois/backplane-net.hosts/default.nix
new file mode 100644
index 0000000..b249dac
--- /dev/null
+++ b/nixos-modules/qois/backplane-net.hosts/default.nix
@@ -0,0 +1,42 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
+with lib;
+let
+ cfg = config.qois.backplane-net.hosts;
+ defaultDomains = attrNames config.qois.loadbalancer.domains;
+ defaultLoadbalancers = [ "lindberg" ];
+in
+{
+
+ options.qois.backplane-net.hosts = {
+ enable = mkOption {
+ default = true;
+ description = "Whether to enable hosts aliases for loadbalanced services. This prevents turnarounds over external networks for these services.";
+ type = types.bool;
+ };
+
+ domains = mkOption {
+ description = "Domains that are hosted by the backplane loadbalancer";
+ type = with types; listOf str;
+ default = defaultDomains;
+ };
+ loadbalancers = mkOption {
+ description = "List of Loadbalancer hostnames as listed in the backplane network";
+ type = with types; listOf str;
+ default = defaultLoadbalancers;
+ };
+ };
+
+ config = mkIf cfg.enable {
+
+ networking.hosts = pipe cfg.loadbalancers [
+ (map (hostname: config.qois.meta.network.virtual.backplane.hosts.${hostname}.v4.ip))
+ (flip genAttrs (lb: cfg.domains))
+ ];
+
+ };
+}
diff --git a/defaults/backplane-net/README.md b/nixos-modules/qois/backplane-net/README.md
similarity index 100%
rename from defaults/backplane-net/README.md
rename to nixos-modules/qois/backplane-net/README.md
diff --git a/nixos-modules/qois/backplane-net/default.nix b/nixos-modules/qois/backplane-net/default.nix
new file mode 100644
index 0000000..08fb31e
--- /dev/null
+++ b/nixos-modules/qois/backplane-net/default.nix
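Review bot: The `config = mkIf cfg.enable { … }` block at the end of the hunk gates only on this module's own `enable`, which defaults to `true`, and never consults `config.qois.backplane-net.enable`; a host that imports the module set without joining the backplane still gets `/etc/hosts` entries pointing every loadbalanced domain at lindberg's backplane address, which it cannot reach, so those services go dark on that host instead of falling back to public DNS. Gate on both, `config = mkIf (cfg.enable && config.qois.backplane-net.enable) { … };`, or make `enable` default to `config.qois.backplane-net.enable`. Because `networking.hosts` overrides name resolution system-wide, a comment on that line such as `# Pin loadbalanced domains to the backplane IP: TLS still validates the public hostname, but any public-DNS answer for these names is bypassed on this host` would record the trade-off. Note also that `defaultDomains` evaluates `config.qois.loadbalancer.domains` on every host, so that option has to be declared wherever this module is imported, presumably by the shared module set.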
@@ -0,0 +1,83 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+with lib;
+let
+ cfg = config.qois.backplane-net;
+ hostName = config.networking.hostName;
+ netConfig = config.qois.meta.network.virtual.${cfg.netName};
+ hostNetConfig = netConfig.hosts.${hostName};
+ interface = "wg-${cfg.netName}";
+ wgService = [ "wireguard-${interface}.service" ];
+in
+
+{
+ options.qois.backplane-net = {
+ enable = mkEnableOption "Enable backplane server services";
+ netName = mkOption {
+ description = "Network Name";
+ type = types.str;
+ default = "backplane";
+ };
+ domain = mkOption {
+ description = "Domain";
+ type = types.str;
+ default = hostNetConfig;
+ };
+ port = mkOption {
+ description = "Wireguard Default Port";
+ type = types.number;
+ default = 51825;
+ };
+ };
+
+ config = {
+ sops.secrets."wgautomesh/gossip-secret".restartUnits = [ "wgautomesh.service" ];
+
+ networking.wireguard.enable = true;
+ networking.wireguard.interfaces."wg-${cfg.netName}" = {
+ ips = [ "${hostNetConfig.v4.ip}/${toString netConfig.v4.prefixLength}" ];
+ listenPort = if hostNetConfig.endpoint != null then hostNetConfig.endpoint.port else cfg.port;
+ privateKeyFile = "/secrets/wireguard/private/${cfg.netName}";
+ generatePrivateKeyFile = true;
+ };
+
+ systemd.network.wait-online.ignoredInterfaces = [ interface ];
+
+ networking.firewall.allowedUDPPorts =
+ if hostNetConfig.endpoint != null then [ hostNetConfig.endpoint.port ] else [ cfg.port ];
+
+ # Configure wgautomesh to setup peers. Make sure that the name is not used in the VPN module
+ services.wgautomesh = {
+ enable = true;
+ gossipSecretFile = config.sops.secrets."wgautomesh/gossip-secret".path;
+ openFirewall = true;
+ settings = {
+ inherit interface;
+
+ # Map meta network configuration to the format of wgautomesh and filter out peers with endpoints
+ peers = pipe netConfig.hosts [
+ (filterAttrs (peerHostName: _: peerHostName != hostName)) # Not this host
+ (mapAttrsToList (
+ _: peerConfig: {
+ address = peerConfig.v4.ip;
+ endpoint =
+ if (peerConfig.endpoint != null) then
+ with peerConfig.endpoint; "${fqdn}:${toString port}"
+ else
+ null;
+ pubkey = peerConfig.publicKey;
+ }
+ ))
+ ];
+ };
+ };
+ systemd.services.wgautomesh = {
+ requires = wgService;
+ after = wgService;
+ };
+ };
+}
diff --git a/nixos-modules/qois/vpn-server/default.nix b/nixos-modules/qois/vpn-server/default.nix
index 427f35c..e57060e 100644
--- a/nixos-modules/qois/vpn-server/default.nix
+++ b/nixos-modules/qois/vpn-server/default.nix
@@ -58,7 +58,7 @@ in
 let
 vnet = config.qois.meta.network.virtual;
 vpnNet = vnet.vpn;
- vpnNetPrefix = "${vpnNet.v4.id}/${builtins.toString vpnNet.v4.prefixLength}";
+ vpnNetPrefix = "${vpnNet.v4.id}/${toString vpnNet.v4.prefixLength}";
 backplaneNetPrefix = "${vnet.backplane.v4.id}/${builtins.toString vnet.backplane.v4.prefixLength}";
 in
 {
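Review bot: The `config = { … }` block of the new backplane-net module is not wrapped in `mkIf cfg.enable`, so the `qois.backplane-net.enable = true` switch this commit adds to every host is a no-op: any system that imports the module gets WireGuard, wgautomesh and the UDP firewall openings unconditionally, and a host that is missing from `netConfig.hosts` fails evaluation at `hostNetConfig`; it should read `config = mkIf cfg.enable { … };`. In the options block, `domain` is declared `types.str` but defaults to `hostNetConfig` (an attribute set) and is never used, so it will fail type-checking the first time anything reads it, and `port` should be `types.port` rather than `types.number` so out-of-range values are rejected. `openFirewall = true` on `services.wgautomesh` presumably opens the gossip port on top of the WireGuard port opened just above; if that exposure is intended, a comment naming the port and why it must be reachable would help the next reader. The comment "filter out peers with endpoints" above `peers` states the opposite of what the pipeline does, since `filterAttrs` only drops the local host, so `# every other backplane host is a peer; endpoint is set only for hosts that publish one` is closer to the code.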