Squash changes containing private information

There were a lot of changes since the previous commit, but a lot of them contained personnal information about users. All thos changes got stashed into a single commit (history is kept in a different place) and private information was moved in a separate private repository
author: Ismaël Bouya <ismael.bouya@normalesup.org> 2023-10-04 01:35:06 +0200
committer: Ismaël Bouya <ismael.bouya@normalesup.org> 2023-10-04 02:11:48 +0200
commit: 1a64deeb894dc95e2645a75771732c6cc53a79ad (patch)
tree: 1b9df4838f894577a09b9b260151756272efeb53 /systems/eldiron/vpn
parent: fa25ffd4583cc362075cd5e1b4130f33306103f0 (diff)
download: Nix-1a64deeb894dc95e2645a75771732c6cc53a79ad.tar.gz
Nix-1a64deeb894dc95e2645a75771732c6cc53a79ad.tar.zst
Nix-1a64deeb894dc95e2645a75771732c6cc53a79ad.zip
6 files changed, 147 insertions, 0 deletions
diff --git a/systems/eldiron/vpn/default.nix b/systems/eldiron/vpn/default.nix
new file mode 100644
index 0000000..df56249
--- /dev/null
+++ b/systems/eldiron/vpn/default.nix
@@ -0,0 +1,92 @@
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.myServices.vpn;
+in
+{
+  options.myServices = {
+    vpn.enable = lib.mkEnableOption "Enable vpn service";
+  };
+  config = lib.mkIf cfg.enable {
+    myServices.dns.zones."immae.eu".subdomains.vpn = with config.myServices.dns.helpers;
+      ips servers.eldiron.ips.main // {
+        subdomains.gw.AAAA = [ "${config.myEnv.vpn.eldiron.prefix}:0:ffff:1" ];
+        # Fake address to designate the subnet
+        subdomains.sn.AAAA = [ "${config.myEnv.vpn.eldiron.prefix}::" ];
+      };
+    myServices.chatonsProperties.hostings.vpn = {
+      file.datetime = "2022-08-27T18:00:00";
+      hosting = {
+        name = "VPN";
+        description = "VPN";
+        website = "https://vpn.immae.eu";
+        logo = "https://tinc-vpn.org/favicon.ico";
+        status.level = "OK";
+        status.description = "OK";
+        registration.load = "FULL";
+        install.type = "PACKAGE";
+      };
+      software = {
+        name = "tinc";
+        website = "https://tinc-vpn.org/";
+        license.url = "https://www.gnu.org/licenses/old-licenses/gpl-2.0.html";
+        license.name = "GNU General Public License v2.0";
+        version = pkgs.tinc.version;
+        source.url = "https://tinc-vpn.org/git/browse?p=tinc";
+      };
+    };
+    secrets.keys = {
+      "tinc/key.priv" = {
+        user = "root";
+        group = "root";
+        permissions = "0400";
+        text = config.myEnv.vpn.eldiron.privateKey;
+      };
+      "tinc/key.pub" = {
+        user = "root";
+        group = "root";
+        permissions = "0400";
+        text = config.myEnv.vpn.eldiron.publicKey;
+      };
+    };
+    networking.firewall.allowedTCPPorts = [ 655 1194 ];
+    system.activationScripts.tinc = let
+      configFiles = pkgs.runCommand "tinc-files" {
+        mainInterface = "eth0";
+        hostName = "ImmaeEu";
+        network = "Immae";
+        keyFile = config.secrets.fullPaths."tinc/key.priv";
+      } ''
+        mkdir -p $out
+        for i in ${./tinc}/*; do
+          substituteAll $i $out/$(basename $i)
+        done
+      '';
+    in ''
+      install -m750 -o root -g root -d /var/lib/tinc/ /var/lib/tinc/Immae
+      install -m700 -o root -g root -t /var/lib/tinc/Immae ${configFiles}/{host-*,tinc-*}
+      install -m400 -o root -g root -t /var/lib/tinc/Immae ${configFiles}/tinc.conf
+      if [ ! -d /var/lib/tinc/Immae/hosts ]; then
+        ${pkgs.git}/bin/git clone -b master https://git.immae.eu/perso/Immae/Config/tinc/hosts /var/lib/tinc/Immae/hosts
+      fi
+    '';
+    systemd.slices.tinc = {
+      description = "Tinc slice";
+    };
+    systemd.services.tinc-Immae = {
+      description = "Tinc Daemon - Immae";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" ];
+      path = [ pkgs.getent pkgs.tinc pkgs.bashInteractive pkgs.iproute pkgs.gnused pkgs.gawk pkgs.git pkgs.glibc ];
+      serviceConfig = {
+        Slice = "tinc.slice";
+        Type = "simple";
+        Restart = "always";
+        RestartSec = "3";
+        ExecStart = "${pkgs.tinc}/bin/tincd -d1 -D -c /var/lib/tinc/Immae --pidfile /run/tinc.Immae.pid";
+      };
+    };
+  };
+}
diff --git a/systems/eldiron/vpn/tinc/host-down b/systems/eldiron/vpn/tinc/host-down
new file mode 100755
index 0000000..1e79bd3
--- /dev/null
+++ b/systems/eldiron/vpn/tinc/host-down
@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+SUBDOMAIN=$(echo "$NODE" | sed -e "s/\([A-Z][a-z0-9]*\)/\L\1 /g;" | awk '{ for (i=NF; i>1; i--) printf("%s.",$i); print $1; }')
+NODEIPS=`getent hosts ${SUBDOMAIN}.immae.eu | cut -d' ' -f1 | tr "\\n" ' '`
+for NODEIP in $NODEIPS; do
+  ip neigh del proxy $NODEIP dev @mainInterface@
+done
diff --git a/systems/eldiron/vpn/tinc/host-up b/systems/eldiron/vpn/tinc/host-up
new file mode 100755
index 0000000..2f7cee2
--- /dev/null
+++ b/systems/eldiron/vpn/tinc/host-up
@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+SUBDOMAIN=$(echo "$NODE" | sed -e "s/\([A-Z][a-z0-9]*\)/\L\1 /g;" | awk '{ for (i=NF; i>1; i--) printf("%s.",$i); print $1; }')
+while [ -z "$NODEIPS" ]; do
+  NODEIPS=`getent hosts ${SUBDOMAIN}.immae.eu | cut -d' ' -f1 | tr "\\n" ' '`
+  sleep 5
+done
+for NODEIP in $NODEIPS; do
+  ip neigh add proxy $NODEIP dev @mainInterface@
+done
+(cd /var/lib/tinc/@network@/hosts && git pull -q origin master) || true
diff --git a/systems/eldiron/vpn/tinc/tinc-down b/systems/eldiron/vpn/tinc/tinc-down
new file mode 100755
index 0000000..1cc45c0
--- /dev/null
+++ b/systems/eldiron/vpn/tinc/tinc-down
@@ -0,0 +1,12 @@
+#!/bin/sh
+# This file closes down the tap device.
+echo 0 > /proc/sys/net/ipv6/conf/@mainInterface@/proxy_ndp
+echo 0 > /proc/sys/net/ipv6/conf/all/forwarding
+GWIP=`getent hosts gw.vpn.immae.eu | head -n1 | cut -d' ' -f1`
+ip neigh del proxy $GWIP dev eth0
+ip -6 addr del $GWIP/96 dev $INTERFACE
+ip -6 link set $INTERFACE down
diff --git a/systems/eldiron/vpn/tinc/tinc-up b/systems/eldiron/vpn/tinc/tinc-up
new file mode 100755
index 0000000..26c1ec3
--- /dev/null
+++ b/systems/eldiron/vpn/tinc/tinc-up
@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+echo 1 > /proc/sys/net/ipv6/conf/@mainInterface@/proxy_ndp
+echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
+SUBNET=`getent hosts sn.vpn.immae.eu | head -n1 | cut -d' ' -f1`
+GWIP=`getent hosts gw.vpn.immae.eu | head -n1 | cut -d' ' -f1`
+ip -6 link set $INTERFACE up mtu 1280 txqueuelen 1000
+ip -6 addr add $GWIP/96 dev $INTERFACE
+ip -6 route add $SUBNET/80 dev $INTERFACE
+ip neigh add proxy $GWIP dev @mainInterface@
diff --git a/systems/eldiron/vpn/tinc/tinc.conf b/systems/eldiron/vpn/tinc/tinc.conf
new file mode 100644
index 0000000..7a4f103
--- /dev/null
+++ b/systems/eldiron/vpn/tinc/tinc.conf
@@ -0,0 +1,11 @@
+BindToAddress = * 655
+BindToAddress = * 1194
+Name = @hostName@
+Interface = vpn6
+Mode = switch
+Device = /dev/net/tun
+GraphDumpFile = /var/lib/tinc/@network@/tinc_graph
+PrivateKeyFile = @keyFile@
author	Ismaël Bouya <ismael.bouya@normalesup.org>	2023-10-04 01:35:06 +0200
committer	Ismaël Bouya <ismael.bouya@normalesup.org>	2023-10-04 02:11:48 +0200
commit	1a64deeb894dc95e2645a75771732c6cc53a79ad (patch)
tree	1b9df4838f894577a09b9b260151756272efeb53 /systems/eldiron/vpn
parent	fa25ffd4583cc362075cd5e1b4130f33306103f0 (diff)
download	Nix-1a64deeb894dc95e2645a75771732c6cc53a79ad.tar.gz Nix-1a64deeb894dc95e2645a75771732c6cc53a79ad.tar.zst Nix-1a64deeb894dc95e2645a75771732c6cc53a79ad.zip

diff --git a/systems/eldiron/vpn/default.nix b/systems/eldiron/vpn/default.nix new file mode 100644 index 0000000..df56249 --- /dev/null +++ b/systems/eldiron/vpn/default.nix
@@ -0,0 +1,92 @@
	1	{ config, pkgs, lib, ... }:
	2	let
	3	cfg = config.myServices.vpn;
	4	in
	5	{
	6	options.myServices = {
	7	vpn.enable = lib.mkEnableOption "Enable vpn service";
	8	};
	9
	10	config = lib.mkIf cfg.enable {
	11	myServices.dns.zones."immae.eu".subdomains.vpn = with config.myServices.dns.helpers;
	12	ips servers.eldiron.ips.main // {
	13	subdomains.gw.AAAA = [ "${config.myEnv.vpn.eldiron.prefix}:0:ffff:1" ];
	14	# Fake address to designate the subnet
	15	subdomains.sn.AAAA = [ "${config.myEnv.vpn.eldiron.prefix}::" ];
	16	};
	17	myServices.chatonsProperties.hostings.vpn = {
	18	file.datetime = "2022-08-27T18:00:00";
	19	hosting = {
	20	name = "VPN";
	21	description = "VPN";
	22	website = "https://vpn.immae.eu";
	23	logo = "https://tinc-vpn.org/favicon.ico";
	24	status.level = "OK";
	25	status.description = "OK";
	26	registration.load = "FULL";
	27	install.type = "PACKAGE";
	28	};
	29	software = {
	30	name = "tinc";
	31	website = "https://tinc-vpn.org/";
	32	license.url = "https://www.gnu.org/licenses/old-licenses/gpl-2.0.html";
	33	license.name = "GNU General Public License v2.0";
	34	version = pkgs.tinc.version;
	35	source.url = "https://tinc-vpn.org/git/browse?p=tinc";
	36	};
	37	};
	38	secrets.keys = {
	39	"tinc/key.priv" = {
	40	user = "root";
	41	group = "root";
	42	permissions = "0400";
	43	text = config.myEnv.vpn.eldiron.privateKey;
	44	};
	45	"tinc/key.pub" = {
	46	user = "root";
	47	group = "root";
	48	permissions = "0400";
	49	text = config.myEnv.vpn.eldiron.publicKey;
	50	};
	51	};
	52	networking.firewall.allowedTCPPorts = [ 655 1194 ];
	53	system.activationScripts.tinc = let
	54	configFiles = pkgs.runCommand "tinc-files" {
	55	mainInterface = "eth0";
	56	hostName = "ImmaeEu";
	57	network = "Immae";
	58	keyFile = config.secrets.fullPaths."tinc/key.priv";
	59	} ''
	60	mkdir -p $out
	61	for i in ${./tinc}/*; do
	62	substituteAll $i $out/$(basename $i)
	63	done
	64	'';
	65	in ''
	66	install -m750 -o root -g root -d /var/lib/tinc/ /var/lib/tinc/Immae
	67	install -m700 -o root -g root -t /var/lib/tinc/Immae ${configFiles}/{host-,tinc-}
	68	install -m400 -o root -g root -t /var/lib/tinc/Immae ${configFiles}/tinc.conf
	69	if [ ! -d /var/lib/tinc/Immae/hosts ]; then
	70	${pkgs.git}/bin/git clone -b master https://git.immae.eu/perso/Immae/Config/tinc/hosts /var/lib/tinc/Immae/hosts
	71	fi
	72	'';
	73
	74	systemd.slices.tinc = {
	75	description = "Tinc slice";
	76	};
	77
	78	systemd.services.tinc-Immae = {
	79	description = "Tinc Daemon - Immae";
	80	wantedBy = [ "multi-user.target" ];
	81	after = [ "network.target" ];
	82	path = [ pkgs.getent pkgs.tinc pkgs.bashInteractive pkgs.iproute pkgs.gnused pkgs.gawk pkgs.git pkgs.glibc ];
	83	serviceConfig = {
	84	Slice = "tinc.slice";
	85	Type = "simple";
	86	Restart = "always";
	87	RestartSec = "3";
	88	ExecStart = "${pkgs.tinc}/bin/tincd -d1 -D -c /var/lib/tinc/Immae --pidfile /run/tinc.Immae.pid";
	89	};
	90	};
	91	};
	92	}


diff --git a/systems/eldiron/vpn/tinc/host-down b/systems/eldiron/vpn/tinc/host-down new file mode 100755 index 0000000..1e79bd3 --- /dev/null +++ b/systems/eldiron/vpn/tinc/host-down
@@ -0,0 +1,7 @@
	1	#!/usr/bin/env bash
	2
	3	SUBDOMAIN=$(echo "$NODE" \| sed -e "s/\([A-Z][a-z0-9]*\)/\L\1 /g;" \| awk '{ for (i=NF; i>1; i--) printf("%s.",$i); print $1; }')
	4	NODEIPS=`getent hosts ${SUBDOMAIN}.immae.eu \| cut -d' ' -f1 \| tr "\\n" ' '`
	5	for NODEIP in $NODEIPS; do
	6	ip neigh del proxy $NODEIP dev @mainInterface@
	7	done


diff --git a/systems/eldiron/vpn/tinc/host-up b/systems/eldiron/vpn/tinc/host-up new file mode 100755 index 0000000..2f7cee2 --- /dev/null +++ b/systems/eldiron/vpn/tinc/host-up
@@ -0,0 +1,11 @@
	1	#!/usr/bin/env bash
	2
	3	SUBDOMAIN=$(echo "$NODE" \| sed -e "s/\([A-Z][a-z0-9]*\)/\L\1 /g;" \| awk '{ for (i=NF; i>1; i--) printf("%s.",$i); print $1; }')
	4	while [ -z "$NODEIPS" ]; do
	5	NODEIPS=`getent hosts ${SUBDOMAIN}.immae.eu \| cut -d' ' -f1 \| tr "\\n" ' '`
	6	sleep 5
	7	done
	8	for NODEIP in $NODEIPS; do
	9	ip neigh add proxy $NODEIP dev @mainInterface@
	10	done
	11	(cd /var/lib/tinc/@network@/hosts && git pull -q origin master) \|\| true


diff --git a/systems/eldiron/vpn/tinc/tinc-down b/systems/eldiron/vpn/tinc/tinc-down new file mode 100755 index 0000000..1cc45c0 --- /dev/null +++ b/systems/eldiron/vpn/tinc/tinc-down
@@ -0,0 +1,12 @@
	1	#!/bin/sh
	2	# This file closes down the tap device.
	3
	4	echo 0 > /proc/sys/net/ipv6/conf/@mainInterface@/proxy_ndp
	5	echo 0 > /proc/sys/net/ipv6/conf/all/forwarding
	6
	7	GWIP=`getent hosts gw.vpn.immae.eu \| head -n1 \| cut -d' ' -f1`
	8
	9	ip neigh del proxy $GWIP dev eth0
	10
	11	ip -6 addr del $GWIP/96 dev $INTERFACE
	12	ip -6 link set $INTERFACE down


diff --git a/systems/eldiron/vpn/tinc/tinc-up b/systems/eldiron/vpn/tinc/tinc-up new file mode 100755 index 0000000..26c1ec3 --- /dev/null +++ b/systems/eldiron/vpn/tinc/tinc-up
@@ -0,0 +1,14 @@
	1	#!/usr/bin/env bash
	2
	3	echo 1 > /proc/sys/net/ipv6/conf/@mainInterface@/proxy_ndp
	4	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
	5
	6	SUBNET=`getent hosts sn.vpn.immae.eu \| head -n1 \| cut -d' ' -f1`
	7	GWIP=`getent hosts gw.vpn.immae.eu \| head -n1 \| cut -d' ' -f1`
	8
	9	ip -6 link set $INTERFACE up mtu 1280 txqueuelen 1000
	10
	11	ip -6 addr add $GWIP/96 dev $INTERFACE
	12	ip -6 route add $SUBNET/80 dev $INTERFACE
	13
	14	ip neigh add proxy $GWIP dev @mainInterface@


diff --git a/systems/eldiron/vpn/tinc/tinc.conf b/systems/eldiron/vpn/tinc/tinc.conf new file mode 100644 index 0000000..7a4f103 --- /dev/null +++ b/systems/eldiron/vpn/tinc/tinc.conf
@@ -0,0 +1,11 @@
	1	BindToAddress = * 655
	2	BindToAddress = * 1194
	3
	4	Name = @hostName@
	5	Interface = vpn6
	6
	7	Mode = switch
	8
	9	Device = /dev/net/tun
	10	GraphDumpFile = /var/lib/tinc/@network@/tinc_graph
	11	PrivateKeyFile = @keyFile@