qo.is/infrastructure
3
0
Fork 0
Code Issues 11 Pull requests Projects 1 Activity Actions

Compare commits

base: qo.is:8d0516bb8dab697d4043b74c6d11d5a5c2373a89
Branches Tags
qo.is:main
qo.is:18-caral
...
compare: qo.is:0572e44086528018aa19daff07409ae852d8b358
Branches Tags
qo.is:main
qo.is:18-caral

4 commits
8d0516bb8d ... 0572e44086

Author SHA1 Message Date
Fabian Hauser
0572e44086 TMP
Some checks failed
CI / build (push) Failing after 2m50s
Details
2024-12-10 15:47:28 +02:00
Fabian Hauser
bcf390e8a7 Remove CVE-2024-6387 ssh workaround
Some checks failed
CI / build (push) Has been cancelled
Details
2024-12-10 14:49:54 +02:00
Fabian Hauser
75ffd54e7d Update inputs 2024-12-10 14:49:54 +02:00
Fabian Hauser
5507106e41 Refactore backplane-net to module with hosts 2024-12-10 14:49:54 +02:00
19 changed files with 162 additions and 88 deletions
Show stats Expand all files Collapse all files

12
.github/workflows/ci.yml vendored
View file

@ -10,6 +10,14 @@ jobs:
build:
runs-on: nix
steps:
- name: Debug
run: |
cat /etc/hosts
nix run nixpkgs#curl -- -v https://heise.de
nix run nixpkgs#curl -- -v https://fh2.ch
nix run nixpkgs#curl -- -v https://git.qo.is
git clone https://git.qo.is/qo.is/infrastructure-private.git /tmp/private
- name: Initialize CI
uses: https://git.qo.is/qo.is/actions-nix-init@main
with:
@ -18,6 +26,10 @@ jobs:
- name: Add submodules to nix store to circumvent another nix bug
run: |
cat /etc/hosts
curl -v https://heise.de
curl -v https://fh2.ch
curl -v https://git.qo.is
git clone https://git.qo.is/qo.is/infrastructure-private.git /tmp/private
cd /tmp/private
nix flake prefetch

65
defaults/backplane-net/default.nix
View file

@ -1,65 +0,0 @@
{
pkgs,
lib,
config,
...
}:
let
hostName = config.networking.hostName;
netName = "backplane";
netConfig = config.qois.meta.network.virtual.${netName};
hostNetConfig = netConfig.hosts.${hostName};
wgDefaultPort = 51825;
in
{
sops.secrets."wgautomesh/gossip-secret".restartUnits = [ "wgautomesh.service" ];
networking.wireguard.enable = true;
networking.wireguard.interfaces."wg-${netName}" = {
ips = [ "${hostNetConfig.v4.ip}/${builtins.toString netConfig.v4.prefixLength}" ];
listenPort = if hostNetConfig.endpoint != null then hostNetConfig.endpoint.port else wgDefaultPort;
privateKeyFile = "/secrets/wireguard/private/${netName}";
generatePrivateKeyFile = true;
};
systemd.network.wait-online.ignoredInterfaces = [ "wg-${netName}" ];
networking.firewall.allowedUDPPorts =
if hostNetConfig.endpoint != null then [ hostNetConfig.endpoint.port ] else [ wgDefaultPort ];
# Configure wgautomesh to setup peers. Make sure that the name is not used in the VPN module
services.wgautomesh = {
enable = true;
gossipSecretFile = builtins.toString config.sops.secrets."wgautomesh/gossip-secret".path;
openFirewall = true;
logLevel = "info";
settings = {
interface = "wg-${netName}";
# Map meta network configuration to the format of wgautomesh and filter out peers with endpoints
peers =
let
reachableHosts = lib.filterAttrs (
peerHostName: peerConfig: peerHostName != hostName # Not this host
) netConfig.hosts;
in
lib.mapAttrsToList (_: peerConfig: {
address = peerConfig.v4.ip;
endpoint =
if peerConfig.endpoint != null then
with peerConfig.endpoint; "${fqdn}:${builtins.toString port}"
else
null;
pubkey = peerConfig.publicKey;
}) reachableHosts;
};
};
systemd.services.wgautomesh =
let
wgInterface = [ "wireguard-wg-backplane.service" ];
in
{
requires = wgInterface;
after = wgInterface;
};
}

4
defaults/base-minimal/default.nix
View file

@ -92,10 +92,6 @@
services.openssh = {
enable = true;
settings.PasswordAuthentication = false;
# temporary mitigation agains CVE-2024-6387 «regreSSHion» RCE
# See https://github.com/NixOS/nixpkgs/pull/323753#issuecomment-2199762128
settings.LoginGraceTime = 0;
};
security.acme = {

12
flake.lock generated
View file

@ -74,11 +74,11 @@
},
"nixpkgs-nixos-stable": {
"locked": {
"lastModified": 1733261153,
"narHash": "sha256-eq51hyiaIwtWo19fPEeE0Zr2s83DYMKJoukNLgGGpek=",
"lastModified": 1733550349,
"narHash": "sha256-NcGumB4Lr6KSDq+nIqXtNA8QwAQKDSZT7N9OTGWbTrs=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "b681065d0919f7eb5309a93cea2cfa84dec9aa88",
"rev": "e2605d0744c2417b09f8bf850dfca42fcf537d34",
"type": "github"
},
"original": {
@ -90,11 +90,11 @@
},
"nixpkgs-nixos-unstable": {
"locked": {
"lastModified": 1733212471,
"narHash": "sha256-M1+uCoV5igihRfcUKrr1riygbe73/dzNnzPsmaLCmpo=",
"lastModified": 1733581040,
"narHash": "sha256-Qn3nPMSopRQJgmvHzVqPcE3I03zJyl8cSbgnnltfFDY=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "55d15ad12a74eb7d4646254e13638ad0c4128776",
"rev": "22c3f2cf41a0e70184334a958e6b124fb0ce3e01",
"type": "github"
},
"original": {

4
nixos-configurations/calanda/networking.nix
View file

@ -7,8 +7,6 @@ let
getCalandaIp4 = net: net.hosts.calanda.v4.ip;
in
{
imports = [ ../../defaults/backplane-net ];
networking.hostName = meta.hosts.calanda.hostName;
networking.domain = "ilanz.fh2.ch";
networking.enableIPv6 = false; # TODO
@ -30,6 +28,8 @@ in
];
};
qois.backplane-net.enable = true;
# TODO: Metaize ips
services.qois.router = {
enable = true;

4
nixos-configurations/cyprianspitz/networking.nix
View file

@ -6,8 +6,6 @@ in
{
networking.hostName = meta.hosts.cyprianspitz.hostName;
imports = [ ../../defaults/backplane-net ];
networking.useDHCP = false;
networking.interfaces.enp0s31f6.useDHCP = true;
networking.interfaces.enp2s0.useDHCP = true;
@ -77,6 +75,8 @@ in
# TODO Solve sops dependency porblem: config.sops.secrets."system/initrd-ssh-key".path;
};
qois.backplane-net.enable = true;
# Configure this node to be used as an vpn exit node
qois.backup-client.includePaths = [ "/var/lib/tailscale" ];
services.tailscale = {

1
nixos-configurations/lindberg-build/default.nix
View file

@ -4,7 +4,6 @@
imports = [
../../defaults/base-vm
../../defaults/meta
../../defaults/backplane-net
./applications
./backup.nix

2
nixos-configurations/lindberg-build/networking.nix
View file

@ -6,6 +6,8 @@
networking.useDHCP = false;
networking.interfaces.enp11s0.useDHCP = true;
qois.backplane-net.enable = true;
networking.firewall.allowedTCPPorts = [
80
443

3
nixos-configurations/lindberg-nextcloud/default.nix
View file

@ -2,7 +2,6 @@
{
imports = [
../../defaults/backplane-net
../../defaults/base-vm
../../defaults/meta
./applications
@ -31,6 +30,8 @@
networking.useDHCP = false;
networking.interfaces.enp2s0.useDHCP = true;
qois.backplane-net.enable = true;
networking.firewall.allowedTCPPorts = [
80
443

1
nixos-configurations/lindberg-webapps/default.nix
View file

@ -4,7 +4,6 @@
imports = [
../../defaults/base-vm
../../defaults/meta
../../defaults/backplane-net
./applications
./disko-config.nix

2
nixos-configurations/lindberg-webapps/networking.nix
View file

@ -6,6 +6,8 @@
networking.useDHCP = false;
networking.interfaces.enp1s0.useDHCP = true;
qois.backplane-net.enable = true;
networking.firewall.allowedTCPPorts = [
80
443

4
nixos-configurations/lindberg/networking.nix
View file

@ -6,8 +6,6 @@ in
{
networking.hostName = meta.hosts.lindberg.hostName;
imports = [ ../../defaults/backplane-net ];
networking.useDHCP = false;
networking.interfaces.enp5s0.useDHCP = true;
@ -74,6 +72,8 @@ in
sshPort = 2222;
};
qois.backplane-net.enable = true;
# Use this node as vpn exit node
qois.backup-client.includePaths = [ "/var/lib/tailscale" ];
services.tailscale = {

3
nixos-configurations/stompert/default.nix
View file

@ -6,7 +6,6 @@
{
imports = [
../../defaults/backplane-net
../../defaults/hardware/apu.nix
../../defaults/base
../../defaults/meta
@ -52,6 +51,8 @@
networking.interfaces.enp3s0.useDHCP = true;
networking.tempAddresses = "disabled";
qois.backplane-net.enable = true;
# Set your time zone.
# time.timeZone = "Europe/Amsterdam";

4
nixos-configurations/tierberg/networking.nix
View file

@ -7,8 +7,6 @@ in
{
networking.hostName = meta.hosts.tierberg.hostName;
imports = [ ../../defaults/backplane-net ];
networking.enableIPv6 = false; # TODO
networking.useDHCP = false;
@ -21,6 +19,8 @@ in
];
networking.interfaces.enp3s0.useDHCP = true;
qois.backplane-net.enable = true;
services.qois.luks-ssh = {
enable = true;
interface = "eth0";

42
nixos-modules/qois/backplane-net.hosts/default.nix Normal file
View file

@ -0,0 +1,42 @@
{
config,
pkgs,
lib,
...
}:
with lib;
let
cfg = config.qois.backplane-net.hosts;
defaultDomains = attrNames config.qois.loadbalancer.domains;
defaultLoadbalancers = [ "lindberg" ];
in
{
options.qois.backplane-net.hosts = {
enable = mkOption {
default = true;
description = "Whether to enable hosts aliases for loadbalanced services. This prevents turnarounds over external networks for these services.";
type = types.bool;
};
domains = mkOption {
description = "Domains that are hosted by the backplane loadbalancer";
type = with types; listOf str;
default = defaultDomains;
};
loadbalancers = mkOption {
description = "List of Loadbalancer hostnames as listed in the backplane network";
type = with types; listOf str;
default = defaultLoadbalancers;
};
};
config = mkIf cfg.enable {
networking.hosts = pipe cfg.loadbalancers [
(map (hostname: config.qois.meta.network.virtual.backplane.hosts.${hostname}.v4.ip))
(flip genAttrs (lb: cfg.domains))
];
};
}

0
defaults/backplane-net/README.md → nixos-modules/qois/backplane-net/README.md
View file

83
nixos-modules/qois/backplane-net/default.nix Normal file
View file

@ -0,0 +1,83 @@
{
config,
lib,
pkgs,
...
}:
with lib;
let
cfg = config.qois.backplane-net;
hostName = config.networking.hostName;
netConfig = config.qois.meta.network.virtual.${cfg.netName};
hostNetConfig = netConfig.hosts.${hostName};
interface = "wg-${cfg.netName}";
wgService = [ "wireguard-${interface}.service" ];
in
{
options.qois.backplane-net = {
enable = mkEnableOption "Enable backplane server services";
netName = mkOption {
description = "Network Name";
type = types.str;
default = "backplane";
};
domain = mkOption {
description = "Domain";
type = types.str;
default = hostNetConfig;
};
port = mkOption {
description = "Wireguard Default Port";
type = types.number;
default = 51825;
};
};
config = {
sops.secrets."wgautomesh/gossip-secret".restartUnits = [ "wgautomesh.service" ];
networking.wireguard.enable = true;
networking.wireguard.interfaces."wg-${cfg.netName}" = {
ips = [ "${hostNetConfig.v4.ip}/${toString netConfig.v4.prefixLength}" ];
listenPort = if hostNetConfig.endpoint != null then hostNetConfig.endpoint.port else cfg.port;
privateKeyFile = "/secrets/wireguard/private/${cfg.netName}";
generatePrivateKeyFile = true;
};
systemd.network.wait-online.ignoredInterfaces = [ interface ];
networking.firewall.allowedUDPPorts =
if hostNetConfig.endpoint != null then [ hostNetConfig.endpoint.port ] else [ cfg.port ];
# Configure wgautomesh to setup peers. Make sure that the name is not used in the VPN module
services.wgautomesh = {
enable = true;
gossipSecretFile = config.sops.secrets."wgautomesh/gossip-secret".path;
openFirewall = true;
settings = {
inherit interface;
# Map meta network configuration to the format of wgautomesh and filter out peers with endpoints
peers = pipe netConfig.hosts [
(filterAttrs (peerHostName: _: peerHostName != hostName)) # Not this host
(mapAttrsToList (
_: peerConfig: {
address = peerConfig.v4.ip;
endpoint =
if (peerConfig.endpoint != null) then
with peerConfig.endpoint; "${fqdn}:${toString port}"
else
null;
pubkey = peerConfig.publicKey;
}
))
];
};
};
systemd.services.wgautomesh = {
requires = wgService;
after = wgService;
};
};
}

2
nixos-modules/qois/git-ci-runner/default.nix
View file

@ -110,6 +110,8 @@ with lib;
rpc: files
NSSWITCH
cp -f ${config.environment.etc.hosts.source} hosts
# list the content as it will be imported into the container
tar -cv . | tar -tvf -
tar -cv . | podman import - gitea-runner-nix

2
nixos-modules/qois/vpn-server/default.nix
View file

@ -58,7 +58,7 @@ in
let
vnet = config.qois.meta.network.virtual;
vpnNet = vnet.vpn;
vpnNetPrefix = "${vpnNet.v4.id}/${builtins.toString vpnNet.v4.prefixLength}";
vpnNetPrefix = "${vpnNet.v4.id}/${toString vpnNet.v4.prefixLength}";
backplaneNetPrefix = "${vnet.backplane.v4.id}/${builtins.toString vnet.backplane.v4.prefixLength}";
in
{