NixOS system configurations + dotfiles via home-manager

yggdrasil: enable

+89 -5
+2 -4
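--- a/hosts/crossbell/default.nix
+++ b/hosts/crossbell/default.nix
@@ -1,7 +1,4 @@
-{ inputs, config, ... }:
-let
-  hosts = config.flake.nixosConfigurations;
-in
+{ inputs, ... }:
 {
   local.hosts.crossbell = { };
 
@@ -9,6 +6,7 @@
     { config, lib, ... }:
     {
       imports = [
+        inputs.self.modules.nixos.gateway
         inputs.srvos.nixosModules.server
         inputs.srvos.nixosModules.hardware-vultr-vm
       ];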
+1
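--- a/modules/machines.nix
+++ b/modules/machines.nix
@@ -39,6 +39,7 @@
       {
         disabledModules = [ { inherit key; } ];
         networking.hostName = lib.mkForce "${hostname}-c";
+        local.ip = "::";
       }
     ];
   };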
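Review bot: `local.ip = "::";` at new line 42 turns the `-c` variant's sshd bind from loopback-only (`[::1]` before this commit in modules/nixos.nix) into every IPv6 address, and the only port-22 firewall opening added in this commit is scoped to `ygg0` in hosts.nix, so reachability of these variants now depends on the firewall actually being active wherever they run — which is not visible here. The line also exists because the option's default in hosts.nix indexes the host table by `networking.hostName`, and `${hostname}-c` is not in that table, so the value is doing double duty (avoiding an evaluation error and choosing a bind scope). A one-line comment would keep the next reader from "fixing" it in either direction, e.g. `# not in the yggdrasil host table; bind sshd to all addresses and rely on the firewall`. The enclosing definition starts outside the hunk.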
+1 -1
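--- a/modules/nixos.nix
+++ b/modules/nixos.nix
@@ -93,7 +93,7 @@
     services.openssh = {
       enable = true;
       startWhenNeeded = true;
-      listenAddresses = [ { addr = "[::1]"; } ];
+      listenAddresses = [ { addr = "[${config.local.ip}]"; } ];
     };
   };
 }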
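Review bot: With `startWhenNeeded = true` the new line 96 makes the socket unit bind a specific address that, for every host in the table, lives on `ygg0` — an interface that only exists once the yggdrasil service has started — so the `sshd.socket` bind can race the tunnel coming up and fail with an address-not-available error at boot; I cannot see the generated socket unit from here, so this is worth confirming. If it does race, the usual remedy is to allow binding to a not-yet-assigned address, `systemd.sockets.sshd.socketConfig.FreeBind = true;`, or to order the socket after `yggdrasil.service`. Either way a comment on line 96 stating that sshd is deliberately reachable only over the yggdrasil address (port 22 is opened on `ygg0` alone in hosts.nix) documents the intent. The enclosing module starts outside the hunk.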
+45
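--- a/modules/yggdrasil/hosts.nix
+++ b/modules/yggdrasil/hosts.nix
@@ -0,0 +1,45 @@
+{ lib, ... }:
+let
+  hosts = {
+    grancel = {
+      address = "201:a12b:2097:a213:47ed:1f0b:cce6:46dd";
+      publicKey = "57b537da177b2e04b83d0cc66e48b30dba54bbcd6d5f3188c84d7728700045c1";
+    };
+    ruan = {
+      address = "200:dd90:24b:7a11:4a77:edd9:b7f0:747";
+      publicKey = "9137feda42f75ac409132407fc5c01cca29daaa843db1a28d05c8cd07f357d46";
+    };
+    crossbell = {
+      address = "200:b270:40a1:984:2710:a9c7:b346:4b83";
+      publicKey = "a6c7dfaf7b3dec77ab1c265cda3e05410db6375fb7bc1ef89d6c6008ce5ef493";
+    };
+    jurai = {
+      address = "202:7e31:de1a:ebed:efc:c07c:f6f2:abc3";
+      publicKey = "3039c43ca2825e2067f06121aa878fa25d5c0e3a1a7f74ed56afec67e4798e55";
+    };
+  };
+in
+{
+  flake.modules.nixos.core =
+    { config, ... }:
+    {
+      options.local.ip = lib.mkOption {
+        default = hosts."${config.networking.hostName}".address;
+      };
+
+      config.networking = {
+        hosts = lib.mapAttrs' (
+          hostname:
+          { address, ... }:
+          {
+            name = address;
+            value = [ "${hostname}.ygg.pvsr.dev" ];
+          }
+        ) hosts;
+        firewall.interfaces.ygg0.allowedTCPPorts = [ 22 ];
+      };
+    };
+
+  flake.modules.nixos.gateway.services.yggdrasil.settings.AllowedPublicKeys =
+    map (builtins.getAttr "publicKey") (builtins.attrValues hosts);
+}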
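Review bot: `options.local.ip` at lines 26-28 declares neither a `type` nor a `description`, and its default indexes `hosts` by `networking.hostName`, so a host that is not in the table fails evaluation with a bare attribute-missing error instead of a message naming the option; `type = lib.types.str;` and `description = "Yggdrasil address this host binds sshd to; hosts outside the table must set it explicitly.";` would make both the contract and the failure mode explicit. The `address`/`publicKey` pairs are hand-copied, and in Yggdrasil the 200::/7 address is derived from the node's public key, so a typo in either field silently produces a wrong `/etc/hosts` entry or a bind to an address the node does not own — a comment on the table such as `# address must be the one yggdrasil derives from publicKey (yggdrasil -address / -publickey)` is the minimum; a check-phase assertion would be better. The `AllowedPublicKeys` list at lines 43-44 restricts which nodes may open an inbound peering to the gateway; it is worth a comment that this gates peering only, and that who can reach sshd is still decided by the `ygg0` firewall rule on line 39 plus sshd's own authentication.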
+40
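--- a/modules/yggdrasil/network.nix
+++ b/modules/yggdrasil/network.nix
@@ -0,0 +1,40 @@
+{ lib, ... }:
+let
+  peerPort = 33933;
+  multicastPort = 48147;
+  IfName = "ygg0";
+  PrivateKeyPath = "/private-key";
+in
+{
+  flake.modules.nixos.core = {
+    services.yggdrasil = {
+      enable = true;
+      openMulticastPort = true;
+      settings = lib.mkDefault {
+        inherit IfName PrivateKeyPath;
+        Peers = [ "tls://104.238.130.11:${toString peerPort}" ];
+        MulticastInterfaces = [
+          {
+            Regex = "en.*";
+            Port = multicastPort;
+          }
+        ];
+      };
+    };
+
+    networking.firewall.allowedTCPPorts = [ multicastPort ];
+    environment.persistence.nixos.files = [ "/etc/yggdrasil/private.key" ];
+    systemd.services.yggdrasil.serviceConfig.LoadCredential = "private-key:/etc/yggdrasil/private.key";
+    systemd.services.yggdrasil.serviceConfig.BindReadOnlyPaths = "%d/private-key:/private-key";
+  };
+
+  flake.modules.nixos.gateway = {
+    services.yggdrasil.settings = {
+      inherit IfName PrivateKeyPath;
+      Peers = [ ];
+      MulticastInterfaces = [ ];
+      Listen = [ "tls://[::]:${toString peerPort}" ];
+    };
+    networking.firewall.allowedTCPPorts = [ peerPort ];
+  };
+}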
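Review bot: The outbound peering on line 15 identifies the gateway only by IP; Yggdrasil's TLS transport does not validate the remote against any authority, so anyone who takes over 104.238.130.11 can become every host's peer. Peer URIs accept a `?key=<hex>` pin, so `Peers = [ "tls://104.238.130.11:${toString peerPort}?key=a6c7dfaf7b3dec77ab1c265cda3e05410db6375fb7bc1ef89d6c6008ce5ef493" ];` (crossbell's key from hosts.nix — ideally referenced from that table rather than duplicated) makes the peering fail closed. Note also that the gateway's `AllowedPublicKeys` covers inbound TLS peerings only; as far as I recall it does not apply to link-local peers discovered through the `en.*` multicast rule, so any node on the same segment can peer with a core host through the port opened on line 25 unless a multicast `Password` is set — a comment stating that this is accepted (or the password) belongs next to line 16. Separately, `settings = lib.mkDefault { … }` on line 13 is replaced wholesale by the gateway's `settings = { … }` on line 32 (which is why lines 33-35 have to re-state `IfName`, `PrivateKeyPath` and empty the lists); `settings = lib.mapAttrs (_: lib.mkDefault) { … }` would merge per key so a future core-wide setting is not silently dropped on the gateway. Nothing in this file creates `/etc/yggdrasil/private.key`, so the service fails to start on a fresh host until it exists; document where it comes from and that it must be root-only (LoadCredential copies its contents, not its mode).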