mirrors_public/oddlama_nix-config
1
1
Fork 1
mirror of https://github.com/oddlama/nix-config.git synced 2025-10-11 07:10:39 +02:00
Code Activity

feat: switch to DHCP based networking for microvms using mDNS for resolution

Browse source
This commit is contained in:
oddlama 2023-05-26 00:38:05 +02:00
parent 0e3d881887
commit e37601b486
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
8 changed files with 85 additions and 202 deletions
Download patch file Download diff file Expand all files Collapse all files

48
hosts/ward/default.nix
View file

@ -83,18 +83,6 @@ in {
}: {
rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN2TxWynLb8V9SP45kFqsoCWhe/dG8N1xWNuJG5VQndq";
rekey.secrets."kanidm-self-signed.crt" = {
file = ./secrets/kanidm-self-signed.crt.age;
mode = "440";
owner = "nginx";
group = "kanidm";
};
rekey.secrets."kanidm-self-signed.key" = {
file = ./secrets/kanidm-self-signed.key.age;
mode = "440";
owner = "nginx";
group = "kanidm";
};
rekey.secrets."dhparams.pem" = {
# TODO make own?
file = ../zackbiene/secrets/dhparams.pem.age;
@ -102,10 +90,6 @@ in {
group = "nginx";
};
networking.hosts = {
"192.168.100.12" = [auth.domain];
};
rekey.secrets.acme-credentials = {
file = ./secrets/acme-credentials.age;
mode = "440";
@ -125,10 +109,6 @@ in {
};
users.groups.acme.members = ["nginx"];
# TODO needed in my current testing network that has no ipv6 connectivity
# TODO but these should use fallback......... something's wrong
systemd.network.networks."10-wan".networkConfig.DNS = ["1.1.1.1" "8.8.8.8"];
# TODO reload nginx when acme is renewed
# TODO make default nginx config in core to reduce boilerplate?
@ -195,18 +175,16 @@ in {
local-vms-to-local.allowedTCPPorts = [8300];
};
# systemd.services.kanidm = let
# cfg = config.services.kanidm;
# certName = config.services.nginx.virtualHosts.${cfg.serverSettings.domain}.useACMEHost;
# in {
# requires = [ "acme-finished-${certName}.target" ];
# serviceConfig.LoadCredential = let
# certDir = config.security.acme.certs.${certName}.directory;
# in [
# "fullchain.pem:${certDir}/fullchain.pem"
# "key.pem:${certDir}/key.pem"
# ];
# };
rekey.secrets."kanidm-self-signed.crt" = {
file = ./secrets/kanidm-self-signed.crt.age;
mode = "440";
group = "kanidm";
};
rekey.secrets."kanidm-self-signed.key" = {
file = ./secrets/kanidm-self-signed.key.age;
mode = "440";
group = "kanidm";
};
services.kanidm = {
enableServer = true;
@ -221,7 +199,11 @@ in {
bindaddress = "${config.extra.wireguard."${parentNodeName}-local-vms".ipv4}:8300";
trust_x_forward_for = true;
};
};
environment.systemPackages = [pkgs.kanidm];
services.kanidm = {
enableClient = true;
clientSettings = {
uri = config.services.kanidm.serverSettings.origin;
@ -229,7 +211,5 @@ in {
verify_hostnames = true;
};
};
environment.systemPackages = [pkgs.kanidm];
};
}

16
hosts/ward/net.nix
View file

@ -6,7 +6,7 @@
inherit (config.lib.net) cidr;
lanCidrv4 = "192.168.100.0/24";
lanCidrv6 = "fd00::/64";
lanCidrv6 = "fd10::/64";
in {
networking.hostId = config.repo.secrets.local.networking.hostId;
@ -63,6 +63,7 @@ in {
IPForward = "yes";
IPv6PrivacyExtensions = "yes";
IPv6SendRA = true;
MulticastDNS = true;
};
# Announce a static prefix
ipv6Prefixes = [
@ -83,13 +84,6 @@ in {
};
linkConfig.RequiredForOnline = "routable";
};
# Remaining macvtap interfaces should not be touched.
"90-macvtap-no-ll" = {
matchConfig.Kind = "macvtap";
networkConfig.LinkLocalAddressing = "no";
linkConfig.ActivationPolicy = "manual";
linkConfig.Unmanaged = "yes";
};
};
# TODO mkForce nftables
@ -165,7 +159,7 @@ in {
interface = "lan-self";
subnet = lanCidrv4;
pools = [
{pool = "${cidr.host 40 lanCidrv4} - ${cidr.host (-6) lanCidrv4}";}
{pool = "${cidr.host 20 lanCidrv4} - ${cidr.host (-6) lanCidrv4}";}
];
option-data = [
{
@ -184,10 +178,6 @@ in {
extra.microvms.networking = {
baseMac = config.repo.secrets.local.networking.interfaces.lan.mac;
macvtapInterface = "lan";
static = {
baseCidrv4 = lanCidrv4;
baseCidrv6 = lanCidrv6;
};
wireguard.openFirewallRules = ["lan-to-local"];
};
}