diff options
author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2023-10-10 00:54:30 +0200 |
---|---|---|
committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2023-10-12 00:24:39 +0200 |
commit | 450e0db1a1ad900f93519c00f0ef132ec42a3728 (patch) | |
tree | a50ad5306b6c44238edc9d18fdcd09a7b94be4c1 | |
parent | a59f486863020816cbc0d3fc69ac7926134215d0 (diff) | |
download | Nix-450e0db1a1ad900f93519c00f0ef132ec42a3728.tar.gz Nix-450e0db1a1ad900f93519c00f0ef132ec42a3728.tar.zst Nix-450e0db1a1ad900f93519c00f0ef132ec42a3728.zip |
Add tinc configuration
-rw-r--r-- | deploy/flake.lock | 12 | ||||
-rw-r--r-- | flake.lock | 4 | ||||
-rw-r--r-- | flakes/flake.lock | 2 | ||||
-rw-r--r-- | systems/eldiron/vpn/default.nix | 61 | ||||
-rw-r--r-- | systems/eldiron/vpn/tinc/ImmaeEu | 10 | ||||
-rwxr-xr-x | systems/eldiron/vpn/tinc/ImmaeEu-down | 14 | ||||
-rwxr-xr-x | systems/eldiron/vpn/tinc/ImmaeEu-up | 27 | ||||
-rw-r--r-- | systems/eldiron/websites/vpn/default.nix | 5 |
8 files changed, 107 insertions, 28 deletions
diff --git a/deploy/flake.lock b/deploy/flake.lock index 07a5473..5cdf632 100644 --- a/deploy/flake.lock +++ b/deploy/flake.lock | |||
@@ -2783,7 +2783,7 @@ | |||
2783 | }, | 2783 | }, |
2784 | "locked": { | 2784 | "locked": { |
2785 | "lastModified": 1, | 2785 | "lastModified": 1, |
2786 | "narHash": "sha256-nEhIk4RloOuTKmJxzvJP3l4Ap1kqjg5YjnpjKHyE1N0=", | 2786 | "narHash": "sha256-nTSS6oSOmi4T40fXl2o8wfw1/6o2/PP4f8rHtVTGw2s=", |
2787 | "path": "../flakes", | 2787 | "path": "../flakes", |
2788 | "type": "path" | 2788 | "type": "path" |
2789 | }, | 2789 | }, |
@@ -3903,7 +3903,7 @@ | |||
3903 | }, | 3903 | }, |
3904 | "locked": { | 3904 | "locked": { |
3905 | "lastModified": 1, | 3905 | "lastModified": 1, |
3906 | "narHash": "sha256-5Cvss4/y9e4l3QMI3azrsjfqnKnKJcW79IviACOVpX8=", | 3906 | "narHash": "sha256-E88xTYPerBoKGo+EB6RThKwM1AxuhPWhs583WxwD8cA=", |
3907 | "path": "../systems/eldiron", | 3907 | "path": "../systems/eldiron", |
3908 | "type": "path" | 3908 | "type": "path" |
3909 | }, | 3909 | }, |
@@ -8888,11 +8888,11 @@ | |||
8888 | "nixpkgs": "nixpkgs_106" | 8888 | "nixpkgs": "nixpkgs_106" |
8889 | }, | 8889 | }, |
8890 | "locked": { | 8890 | "locked": { |
8891 | "lastModified": 1696596844, | 8891 | "lastModified": 1697062813, |
8892 | "narHash": "sha256-qtQL21ZF1N3EMqGo5RJq4ytWngsKYOv5mE/pSSxaJJM=", | 8892 | "narHash": "sha256-pbS3ZgZzCkbL3XO0DpoqQU4JHOMd980vTPX4seMH+U8=", |
8893 | "ref": "master", | 8893 | "ref": "master", |
8894 | "rev": "ac58ff30d8f1712ef115d3c8aaf8da2211662e90", | 8894 | "rev": "6f65e826f8baaf08a651366f8e05b58d6a7326ad", |
8895 | "revCount": 698, | 8895 | "revCount": 701, |
8896 | "type": "git", | 8896 | "type": "git", |
8897 | "url": "git+ssh://gitolite@git.immae.eu/perso/Immae/Config/Nix/Nixops/Secrets" | 8897 | "url": "git+ssh://gitolite@git.immae.eu/perso/Immae/Config/Nix/Nixops/Secrets" |
8898 | }, | 8898 | }, |
@@ -2664,7 +2664,7 @@ | |||
2664 | }, | 2664 | }, |
2665 | "locked": { | 2665 | "locked": { |
2666 | "lastModified": 1, | 2666 | "lastModified": 1, |
2667 | "narHash": "sha256-nEhIk4RloOuTKmJxzvJP3l4Ap1kqjg5YjnpjKHyE1N0=", | 2667 | "narHash": "sha256-nTSS6oSOmi4T40fXl2o8wfw1/6o2/PP4f8rHtVTGw2s=", |
2668 | "path": "./flakes", | 2668 | "path": "./flakes", |
2669 | "type": "path" | 2669 | "type": "path" |
2670 | }, | 2670 | }, |
@@ -3919,7 +3919,7 @@ | |||
3919 | }, | 3919 | }, |
3920 | "locked": { | 3920 | "locked": { |
3921 | "lastModified": 1, | 3921 | "lastModified": 1, |
3922 | "narHash": "sha256-5Cvss4/y9e4l3QMI3azrsjfqnKnKJcW79IviACOVpX8=", | 3922 | "narHash": "sha256-E88xTYPerBoKGo+EB6RThKwM1AxuhPWhs583WxwD8cA=", |
3923 | "path": "../systems/eldiron", | 3923 | "path": "../systems/eldiron", |
3924 | "type": "path" | 3924 | "type": "path" |
3925 | }, | 3925 | }, |
diff --git a/flakes/flake.lock b/flakes/flake.lock index 677625d..751316c 100644 --- a/flakes/flake.lock +++ b/flakes/flake.lock | |||
@@ -3824,7 +3824,7 @@ | |||
3824 | }, | 3824 | }, |
3825 | "locked": { | 3825 | "locked": { |
3826 | "lastModified": 1, | 3826 | "lastModified": 1, |
3827 | "narHash": "sha256-5Cvss4/y9e4l3QMI3azrsjfqnKnKJcW79IviACOVpX8=", | 3827 | "narHash": "sha256-E88xTYPerBoKGo+EB6RThKwM1AxuhPWhs583WxwD8cA=", |
3828 | "path": "../systems/eldiron", | 3828 | "path": "../systems/eldiron", |
3829 | "type": "path" | 3829 | "type": "path" |
3830 | }, | 3830 | }, |
diff --git a/systems/eldiron/vpn/default.nix b/systems/eldiron/vpn/default.nix index df56249..a5cc423 100644 --- a/systems/eldiron/vpn/default.nix +++ b/systems/eldiron/vpn/default.nix | |||
@@ -1,10 +1,50 @@ | |||
1 | { config, pkgs, lib, ... }: | 1 | { config, pkgs, lib, ... }: |
2 | let | 2 | let |
3 | cfg = config.myServices.vpn; | 3 | cfg = config.myServices.vpn; |
4 | configFiles = pkgs.runCommand "tinc-files" { | ||
5 | mainInterface = "eth0"; | ||
6 | hostName = "ImmaeEu"; | ||
7 | network = "Immae"; | ||
8 | keyFile = config.secrets.fullPaths."tinc/key.priv"; | ||
9 | } '' | ||
10 | mkdir -p $out | ||
11 | for i in ${./tinc}/*; do | ||
12 | substituteAll $i $out/$(basename $i) | ||
13 | done | ||
14 | ''; | ||
15 | keyPaths = lib.flatten (lib.mapAttrsToList | ||
16 | (ns: lib.mapAttrsToList | ||
17 | (name: s: | ||
18 | lib.nameValuePair | ||
19 | "${ns}${name}" | ||
20 | (if builtins.isPath s then s else pkgs.writeText "${ns}${name}" s) | ||
21 | ) | ||
22 | ) config.myServices.vpn.keys); | ||
23 | keysDir = pkgs.runCommand "tinc-config" {} ('' | ||
24 | install -m755 -d $out $out/hosts | ||
25 | install -m755 -t $out ${configFiles}/{host-*,tinc-*} | ||
26 | install -m444 -t $out ${configFiles}/tinc.conf | ||
27 | install -m755 -t $out/hosts ${configFiles}/ImmaeEu-* | ||
28 | install -m444 -t $out/hosts ${configFiles}/ImmaeEu | ||
29 | '' + builtins.concatStringsSep "\n" (builtins.map (p: "cp ${p.value} $out/hosts/${p.name}") keyPaths) + '' | ||
30 | |||
31 | cd $out | ||
32 | tar -czf $out/hosts.tar.gz hosts/ | ||
33 | ''); | ||
4 | in | 34 | in |
5 | { | 35 | { |
6 | options.myServices = { | 36 | options.myServices = { |
7 | vpn.enable = lib.mkEnableOption "Enable vpn service"; | 37 | vpn.enable = lib.mkEnableOption "Enable vpn service"; |
38 | vpn.keys = lib.mkOption { | ||
39 | type = lib.types.attrsOf (lib.types.attrsOf (lib.types.either lib.types.path lib.types.str)); | ||
40 | description = "Keys sorted by namespaces and names"; | ||
41 | default = {}; | ||
42 | }; | ||
43 | vpn.hostsPath = lib.mkOption { | ||
44 | type = lib.types.path; | ||
45 | default = "${keysDir}/hosts.tar.gz"; | ||
46 | readOnly = true; | ||
47 | }; | ||
8 | }; | 48 | }; |
9 | 49 | ||
10 | config = lib.mkIf cfg.enable { | 50 | config = lib.mkIf cfg.enable { |
@@ -50,25 +90,8 @@ in | |||
50 | }; | 90 | }; |
51 | }; | 91 | }; |
52 | networking.firewall.allowedTCPPorts = [ 655 1194 ]; | 92 | networking.firewall.allowedTCPPorts = [ 655 1194 ]; |
53 | system.activationScripts.tinc = let | 93 | system.activationScripts.tinc = '' |
54 | configFiles = pkgs.runCommand "tinc-files" { | ||
55 | mainInterface = "eth0"; | ||
56 | hostName = "ImmaeEu"; | ||
57 | network = "Immae"; | ||
58 | keyFile = config.secrets.fullPaths."tinc/key.priv"; | ||
59 | } '' | ||
60 | mkdir -p $out | ||
61 | for i in ${./tinc}/*; do | ||
62 | substituteAll $i $out/$(basename $i) | ||
63 | done | ||
64 | ''; | ||
65 | in '' | ||
66 | install -m750 -o root -g root -d /var/lib/tinc/ /var/lib/tinc/Immae | 94 | install -m750 -o root -g root -d /var/lib/tinc/ /var/lib/tinc/Immae |
67 | install -m700 -o root -g root -t /var/lib/tinc/Immae ${configFiles}/{host-*,tinc-*} | ||
68 | install -m400 -o root -g root -t /var/lib/tinc/Immae ${configFiles}/tinc.conf | ||
69 | if [ ! -d /var/lib/tinc/Immae/hosts ]; then | ||
70 | ${pkgs.git}/bin/git clone -b master https://git.immae.eu/perso/Immae/Config/tinc/hosts /var/lib/tinc/Immae/hosts | ||
71 | fi | ||
72 | ''; | 95 | ''; |
73 | 96 | ||
74 | systemd.slices.tinc = { | 97 | systemd.slices.tinc = { |
@@ -85,7 +108,7 @@ in | |||
85 | Type = "simple"; | 108 | Type = "simple"; |
86 | Restart = "always"; | 109 | Restart = "always"; |
87 | RestartSec = "3"; | 110 | RestartSec = "3"; |
88 | ExecStart = "${pkgs.tinc}/bin/tincd -d1 -D -c /var/lib/tinc/Immae --pidfile /run/tinc.Immae.pid"; | 111 | ExecStart = "${pkgs.tinc}/bin/tincd -d1 -D -c ${keysDir} --pidfile /run/tinc.Immae.pid"; |
89 | }; | 112 | }; |
90 | }; | 113 | }; |
91 | }; | 114 | }; |
diff --git a/systems/eldiron/vpn/tinc/ImmaeEu b/systems/eldiron/vpn/tinc/ImmaeEu new file mode 100644 index 0000000..db9949b --- /dev/null +++ b/systems/eldiron/vpn/tinc/ImmaeEu | |||
@@ -0,0 +1,10 @@ | |||
1 | Address = vpn.immae.eu | ||
2 | Address = vpn.immae.eu 1194 | ||
3 | -----BEGIN RSA PUBLIC KEY----- | ||
4 | MIIBCgKCAQEA6sJagBYTGUNjtiaPm3Se3BAa1nWbnHS7feTQ1C+L9WifgGkQICkr | ||
5 | TXkQpGKIN+1mVD3Tl/Mx3BWtGGUMNgJhZ3p7rJgEXNuiWptEpG7BmujW61gVxQ2v | ||
6 | 0FJuGwgT8GvNI9s2BeWtxQKdmX6MOOdtRMmd33F8Zffw6TdJtPuj1dvTwGmkBl71 | ||
7 | RNd6TXi5LR5r1A01Z88TPeZJo1BNkl8P9qkMGv+fTYmX9lnd9brQ0MDVNldJwGhI | ||
8 | /KU7J7tW20KizhgOdkYJU75JgWX+7QKJMjvOc6nv8ORWk5jLfv6MNKoG3UirBV4t | ||
9 | ariPo+Gb/u7BU3R2mPHhxKMrC7NVdp+JNQIDAQAB | ||
10 | -----END RSA PUBLIC KEY----- | ||
diff --git a/systems/eldiron/vpn/tinc/ImmaeEu-down b/systems/eldiron/vpn/tinc/ImmaeEu-down new file mode 100755 index 0000000..d983a3b --- /dev/null +++ b/systems/eldiron/vpn/tinc/ImmaeEu-down | |||
@@ -0,0 +1,14 @@ | |||
1 | #!/bin/sh | ||
2 | # This file closes down the tap device. | ||
3 | |||
4 | [ -e /tmp/tinc_$NETNAME ] && . /tmp/tinc_$NETNAME | ||
5 | [ -e /run/tinc_$NETNAME.vars ] && . /run/tinc_$NETNAME.vars | ||
6 | rm -f /tmp/tinc_$NETNAME /run/tinc_$NETNAME.vars || true | ||
7 | [ -n "$GWIP" ] && ip -6 route del default via $GWIP table 655 | ||
8 | for MYIP in $MYIPS; do | ||
9 | ip -6 addr del $MYIP/96 dev $INTERFACE | ||
10 | ip -6 rule del from $MYIP/96 table 655 | ||
11 | ip -6 rule del to $MYIP/96 table 655 | ||
12 | done | ||
13 | ip -6 link set $INTERFACE down | ||
14 | |||
diff --git a/systems/eldiron/vpn/tinc/ImmaeEu-up b/systems/eldiron/vpn/tinc/ImmaeEu-up new file mode 100755 index 0000000..e14fd5a --- /dev/null +++ b/systems/eldiron/vpn/tinc/ImmaeEu-up | |||
@@ -0,0 +1,27 @@ | |||
1 | #!/bin/sh | ||
2 | # This file sets up the tap device. | ||
3 | # It gives you the freedom to do anything you want with it. | ||
4 | # Use the correct name for the tap device: | ||
5 | # The environment variable $INTERFACE is set to the right name | ||
6 | # on most platforms, but if it doesn't work try to set it manually. | ||
7 | |||
8 | # Give it the right ip and netmask. Remember, the subnet of the | ||
9 | # tap device must be larger than that of the individual Subnets | ||
10 | # as defined in the host configuration file! | ||
11 | SCRIPT_DIR=$(dirname -- "$( readlink -f -- "$0"; )") | ||
12 | SUBDOMAIN=$(echo "$NAME" | sed -e "s/\([A-Z][a-z0-9]*\)/\L\1 /g;" | awk '{ for (i=NF; i>1; i--) printf("%s.",$i); print $1; }') | ||
13 | while [ -z "$MYIPS" -o -z "$GWIP" ]; do | ||
14 | MYIPS=`getent hosts ${SUBDOMAIN}.immae.eu | cut -d' ' -f1 | tr "\\n" ' '` | ||
15 | GWIP=`getent hosts gw.vpn.immae.eu | head -n1 | cut -d' ' -f1` | ||
16 | sleep 5 | ||
17 | done | ||
18 | rm -f /run/tinc_$NETNAME.vars | ||
19 | echo -e "MYIPS=\"$MYIPS\"\nGWIP=\"$GWIP\"" > /run/tinc_$NETNAME.vars | ||
20 | ip -6 link set $INTERFACE up mtu 1280 | ||
21 | for MYIP in $MYIPS; do | ||
22 | ip -6 addr add $MYIP/96 dev $INTERFACE | ||
23 | ip -6 rule add from $MYIP/96 table 655 | ||
24 | ip -6 rule add to $MYIP/96 table 655 | ||
25 | done | ||
26 | ip -6 route add default via $GWIP dev $INTERFACE table 655 | ||
27 | (cd "$SCRIPT_DIR" && (curl -s https://vpn.immae.eu/hosts.tar.gz | tar -xz --strip-components=1)) || true | ||
diff --git a/systems/eldiron/websites/vpn/default.nix b/systems/eldiron/websites/vpn/default.nix index ea54691..3ee0a20 100644 --- a/systems/eldiron/websites/vpn/default.nix +++ b/systems/eldiron/websites/vpn/default.nix | |||
@@ -8,6 +8,11 @@ in { | |||
8 | certName = "eldiron"; | 8 | certName = "eldiron"; |
9 | hosts = [ "vpn.immae.eu" ]; | 9 | hosts = [ "vpn.immae.eu" ]; |
10 | root = ./www; | 10 | root = ./www; |
11 | extraConfig = [ | ||
12 | '' | ||
13 | Alias /hosts.tar.gz "${config.myServices.vpn.hostsPath}" | ||
14 | '' | ||
15 | ]; | ||
11 | }; | 16 | }; |
12 | }; | 17 | }; |
13 | } | 18 | } |