Diffstat (limited to '')
-rw-r--r--flake.lock25
-rw-r--r--flake.nix9
-rw-r--r--machines/test/default.nix9
-rw-r--r--machines/test2/default.nix8
-rw-r--r--modules/common/default.nix2
-rw-r--r--modules/image/default.nix8
-rw-r--r--modules/wireguard/default.nix11
7 files changed, 49 insertions, 23 deletions
diff --git a/flake.lock b/flake.lock
index 0c574ac..258fea8 100644
--- a/flake.lock
+++ b/flake.lock
@@ -109,11 +109,11 @@
},
"nixpkgs_2": {
"locked": {
- "lastModified": 1691421349,
- "narHash": "sha256-RRJyX0CUrs4uW4gMhd/X4rcDG8PTgaaCQM5rXEJOx6g=",
+ "lastModified": 1691592289,
+ "narHash": "sha256-Lqpw7lrXlLkYra33tp57ms8tZ0StWhbcl80vk4D90F8=",
"owner": "nixos",
"repo": "nixpkgs",
- "rev": "011567f35433879aae5024fc6ec53f2a0568a6c4",
+ "rev": "9034b46dc4c7596a87ab837bb8a07ef2d887e8c7",
"type": "github"
},
"original": {
@@ -127,7 +127,24 @@
"inputs": {
"flake-parts": "flake-parts",
"nixinate": "nixinate",
- "nixpkgs": "nixpkgs_2"
+ "nixpkgs": "nixpkgs_2",
+ "secrets": "secrets"
+ }
+ },
+ "secrets": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1691591003,
+ "narHash": "sha256-nerinKxLVgEvu+kw4d6Q2H4gSG8R9Ab0DLMcFSb4IrI=",
+ "ref": "refs/heads/main",
+ "rev": "c046615c7c2254a7b32d2e8969f068d163ab63ec",
+ "revCount": 11,
+ "type": "git",
+ "url": "ssh://git@gitlab.com/cocainefarm/k8s/secrets"
+ },
+ "original": {
+ "type": "git",
+ "url": "ssh://git@gitlab.com/cocainefarm/k8s/secrets"
}
}
},
diff --git a/flake.nix b/flake.nix
index 808dbfc..609f5ca 100644
--- a/flake.nix
+++ b/flake.nix
@@ -3,6 +3,11 @@
nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05";
flake-parts.url = "github:hercules-ci/flake-parts";
nixinate.url = "github:maxaudron/nixinate";
+
+ secrets = {
+ url = "git+ssh://git@gitlab.com/cocainefarm/k8s/secrets";
+ flake = false;
+ };
};
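Review bot: The new `secrets` input is fetched like any other flake input, so the checked-out repository is copied into the Nix store, which is world-readable on every machine that evaluates or builds this flake (and, given `substituteOnTarget`, likely on the deploy targets too). Whether that is acceptable depends on the repository holding only encrypted material, which the hunk does not show. A comment next to the input stating that expectation would help the next maintainer, e.g. `# non-flake input; its contents land in the world-readable /nix/store, so only encrypted material belongs here`. Integrity is covered by the narHash pinned in flake.lock; confidentiality is the open question.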
outputs = inputs@{ self, nixpkgs, flake-parts, nixinate, ... }:
@@ -11,7 +16,9 @@
flake =
let
system = "x86_64-linux";
- specialArgs = inputs // { nodes = self.nixosConfigurations; };
+ specialArgs = inputs // {
+ nodes = self.nixosConfigurations;
+ };
mkSystem = modules: nixpkgs.lib.nixosSystem {
inherit specialArgs system;
modules = modules;
diff --git a/machines/test/default.nix b/machines/test/default.nix
index 30ccc3f..d730e3c 100644
--- a/machines/test/default.nix
+++ b/machines/test/default.nix
@@ -1,6 +1,7 @@
{ config, lib, pkgs, ... }:
-{
+let endpoint = "80.240.27.237";
+in {
networking = {
domain = "vapor.systems";
hostName = "test1";
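Review bot: The new `endpoint` binding carries this node's public address into three unrelated settings (the WireGuard endpoint, the kubernetes advertiseAddress and the nixinate deploy host), which the bare name does not convey; a comment on the `let` line would help, e.g. `# public IPv4 of this node; reused as WireGuard endpoint, k8s advertiseAddress and deploy host`. The same applies to the matching binding introduced in machines/test2/default.nix.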
@@ -10,20 +11,20 @@
wireguard = {
enable = true;
+ inherit endpoint;
v4 = { address = "10.10.0.1"; };
v6 = { address = "1"; };
publicKey = "kgb+qZvIHkMx0Rn1E9+zvKK8Qw5vBOkQ5wtO0O1Um1o=";
allowedIPs = [ "10.102.5.0/24" "fd15:3d8c:d429:102:500::/72" ];
- endpoint = "80.240.27.237";
};
kubernetes = {
role = "server";
- advertiseAddress = "80.240.27.237";
+ advertiseAddress = endpoint;
};
_module.args.nixinate = {
- host = "80.240.27.237";
+ host = endpoint;
sshUser = "audron";
buildOn = "remote";
substituteOnTarget = true;
diff --git a/machines/test2/default.nix b/machines/test2/default.nix
index 11af08d..9782600 100644
--- a/machines/test2/default.nix
+++ b/machines/test2/default.nix
@@ -1,6 +1,7 @@
{ config, lib, pkgs, ... }:
-{
+let endpoint = "140.82.37.154";
+in {
networking = {
domain = "vapor.systems";
hostName = "test2";
@@ -10,11 +11,11 @@
wireguard = {
enable = true;
+ inherit endpoint;
v4 = { address = "10.10.0.2"; };
v6 = { address = "2"; };
publicKey = "oV+exEWmcU3UHS6iSK4rnPZg57D0R84EVJKZyVmEdUc=";
allowedIPs = [ "10.102.5.0/24" "fd15:3d8c:d429:102:500::/72" ];
- endpoint = "140.82.37.154";
};
kubernetes = {
@@ -22,8 +23,7 @@
};
_module.args.nixinate = {
- host = "140.82.37.154";
- sshUser = "audron";
+ host = endpoint;
buildOn = "remote";
substituteOnTarget = true;
hermetic = false;
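Review bot: Dropping `sshUser = "audron";` leaves test2 without an explicit SSH user while machines/test/default.nix still sets it, so the two nodes are now deployed differently — test2 presumably falls back to nixinate's default user, and nothing in the hunk explains why. If deploying as the default user is intended, a comment would make that visible (`# no sshUser: deploy as nixinate's default user`); otherwise the line should be restored so both nodes use the same account and the same credentials on the target.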
diff --git a/modules/common/default.nix b/modules/common/default.nix
index b1df8b2..e6e68c5 100644
--- a/modules/common/default.nix
+++ b/modules/common/default.nix
@@ -12,7 +12,7 @@
};
# Default Packages Set
- environment.systemPackages = with pkgs; [ vim htop wget nftables wireguard-tools git ];
+ environment.systemPackages = with pkgs; [ git vim htop wget nftables wireguard-tools ];
# Security
networking.firewall.enable = false;
diff --git a/modules/image/default.nix b/modules/image/default.nix
index f98afd9..d1d8543 100644
--- a/modules/image/default.nix
+++ b/modules/image/default.nix
@@ -1,13 +1,13 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, modulesPath, ... }:
{
config = {
networking = {
- domain = "vapor.systems";
- hostName = "image";
+ domain = lib.mkDefault "vapor.systems";
+ hostName = lib.mkDefault "image";
};
- system.build.image = import <nixpkgs/nixos/lib/make-disk-image.nix> {
+ system.build.image = import (modulesPath + "/../lib/make-disk-image.nix") {
name = "vapor-systems-image";
format = "raw";
diskSize = "auto";
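Review bot: The switch from `<nixpkgs/nixos/lib/make-disk-image.nix>` to `modulesPath + "/../lib/make-disk-image.nix"` removes the dependency on NIX_PATH, so the image is now built from the nixpkgs pinned in flake.lock rather than whatever the evaluating machine happens to have; that rationale is worth recording on the line, e.g. `# resolve relative to the pinned nixpkgs (modulesPath is its nixos/modules dir), not NIX_PATH`. The `lib.mkDefault` on domain and hostName lets the per-machine modules override them without a priority conflict. The `system.build.image` attribute set continues outside the hunk.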
diff --git a/modules/wireguard/default.nix b/modules/wireguard/default.nix
index 73396dc..314d53d 100644
--- a/modules/wireguard/default.nix
+++ b/modules/wireguard/default.nix
@@ -1,8 +1,9 @@
-{ config, lib, pkgs, nodes, builtins, ... }:
+{ config, lib, pkgs, nodes, builtins, secrets, ... }:
with lib; {
imports = [ ./options.nix ./roaming.nix ];
+
config = mkIf config.wireguard.enable (
let
cfg = config.wireguard;
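Review bot: `secrets` is added to the module's argument pattern but none of the hunks in this commit use it; if the rest of modules/wireguard/default.nix does not use it either, the parameter should be dropped (`{ config, lib, pkgs, nodes, builtins, ... }:`) so the signature does not suggest this module reads secret material. It presumably reaches the module through `specialArgs = inputs // { ... }` in flake.nix as the store path of the fetched repository. The module body continues outside the hunk.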
@@ -11,11 +12,13 @@ with lib; {
let
attrPeers = mapAttrs
(n: node:
- let peer = node.config.wireguard;
+ let
+ peer = node.config.wireguard;
+ endpointIP = node.config.wireguard.endpoint;
in
{
endpoint =
- "${node.config.wireguard.endpoint}:${toString peer.port}";
+ "${endpointIP}:${toString peer.port}";
publicKey = peer.publicKey;
persistentKeepalive = 25;
allowedIPs = [
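Review bot: `endpointIP` duplicates the `peer` binding on the line above — `peer` is `node.config.wireguard`, so `endpointIP` is just `peer.endpoint`; the new `let` could read `endpointIP = peer.endpoint;` or the interpolation could use `peer.endpoint` directly. The `${endpointIP}:${toString peer.port}` form also assumes the endpoint is an IPv4 address or hostname; an IPv6 literal would need `[...]:port` to be a valid WireGuard endpoint, which is worth a comment if IPv6 endpoints are ever expected. The enclosing mapAttrs body continues outside the hunk.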
@@ -53,8 +56,6 @@ with lib; {
${pkgs.nftables}/bin/nft add rule ${ifname} postrouting ip saddr ${cfg.v4.network}/${
toString cfg.v4.prefixLength
} oif ${cfg.natInterface} masquerade
-
- ${pkgs.iproute2}/bin/ip link set ${ifname} multicast on
'';
postShutdown = ''
${pkgs.nftables}/bin/nft flush table ${ifname}