summaryrefslogtreecommitdiffstats
path: root/makefu
diff options
context:
space:
mode:
Diffstat (limited to 'makefu')
-rw-r--r--makefu/1systems/filepimp/config.nix5
-rw-r--r--makefu/1systems/gum/config.nix27
-rw-r--r--makefu/1systems/omo/config.nix5
-rw-r--r--makefu/1systems/vbob/config.nix26
-rw-r--r--makefu/5pkgs/gen-oath-safe/default.nix5
5 files changed, 57 insertions, 11 deletions
diff --git a/makefu/1systems/filepimp/config.nix b/makefu/1systems/filepimp/config.nix
index e9058ec85..30ba61a9b 100644
--- a/makefu/1systems/filepimp/config.nix
+++ b/makefu/1systems/filepimp/config.nix
@@ -71,7 +71,10 @@ in {
'') allDisks);
fileSystems = let
xfsmount = name: dev:
- { "/media/${name}" = { device = dev; fsType = "xfs"; }; };
+ { "/media/${name}" = {
+ device = dev; fsType = "xfs";
+ options = [ "nofail" ];
+ }; };
in
# (xfsmount "j0" (part1 jDisk0)) //
(xfsmount "j1" (part1 jDisk1)) //
diff --git a/makefu/1systems/gum/config.nix b/makefu/1systems/gum/config.nix
index 1fe0b62f9..6e5f3c2d4 100644
--- a/makefu/1systems/gum/config.nix
+++ b/makefu/1systems/gum/config.nix
@@ -108,16 +108,35 @@ in {
# };
#}
{ # wireguard server
- networking.firewall.allowedUDPPorts = [ 51820 ];
+
+ # TODO: networking.nat
+
+ # boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
+ # conf.all.proxy_arp =1
+ networking.firewall = {
+ allowedUDPPorts = [ 51820 ];
+ extraCommands = ''
+ iptables -t nat -A POSTROUTING -s 10.244.0.0/24 -o ${ext-if} -j MASQUERADE
+ '';
+ };
+
networking.wireguard.interfaces.wg0 = {
ips = [ "10.244.0.1/24" ];
+ listenPort = 51820;
privateKeyFile = (toString <secrets>) + "/wireguard.key";
allowedIPsAsRoutes = true;
- peers = [{
- # allowedIPs = [ "0.0.0.0/0" "::/0" ];
+ peers = [
+ {
+ # x
allowedIPs = [ "10.244.0.2/32" ];
publicKey = "fe5smvKVy5GAn7EV4w4tav6mqIAKhGWQotm7dRuRt1g=";
- }];
+ }
+ {
+ # vbob
+ allowedIPs = [ "10.244.0.3/32" ];
+ publicKey = "Lju7EsCu1OWXhkhdNR7c/uiN60nr0TUPHQ+s8ULPQTw=";
+ }
+ ];
};
}
diff --git a/makefu/1systems/omo/config.nix b/makefu/1systems/omo/config.nix
index aaecebadc..ce3ffbcf3 100644
--- a/makefu/1systems/omo/config.nix
+++ b/makefu/1systems/omo/config.nix
@@ -143,7 +143,10 @@ in {
];
fileSystems = let
cryptMount = name:
- { "/media/${name}" = { device = "/dev/mapper/${name}"; fsType = "xfs"; };};
+ { "/media/${name}" = {
+ device = "/dev/mapper/${name}"; fsType = "xfs";
+ options = [ "nofail" ];
+ };};
in cryptMount "crypt0"
// cryptMount "crypt1"
// cryptMount "crypt2"
diff --git a/makefu/1systems/vbob/config.nix b/makefu/1systems/vbob/config.nix
index f318c0e61..ffd9deaee 100644
--- a/makefu/1systems/vbob/config.nix
+++ b/makefu/1systems/vbob/config.nix
@@ -7,7 +7,8 @@
<stockholm/makefu>
{
imports = [<stockholm/makefu/2configs/fs/single-partition-ext4.nix> ];
- boot.loader.grub.device = "/dev/vda";
+ boot.loader.grub.device = "/dev/sda";
+ virtualisation.virtualbox.guest.enable = true;
}
# {
# imports = [
@@ -49,6 +50,27 @@
# environment
<stockholm/makefu/2configs/tinc/retiolum.nix>
+ (let
+ gum-ip = config.krebs.hosts.gum.nets.internet.ip4.addr;
+ gateway = "10.0.2.2";
+ in {
+ # make sure the route to gum gets added after the network is online
+ systemd.services.wireguard-wg0.after = [ "network-online.target" ];
+ networking.wireguard.interfaces.wg0 = {
+ ips = [ "10.244.0.3/24" ];
+ privateKeyFile = (toString <secrets>) + "/wireguard.key";
+ # explicit route via eth0 to gum
+ preSetup = ["${pkgs.iproute}/bin/ip route add ${gum-ip} via ${gateway}"];
+ peers = [
+ { # gum
+ endpoint = "${gum-ip}:51820";
+ allowedIPs = [ "0.0.0.0/0" "10.244.0.0/24" ];
+ publicKey = "yAKvxTvcEVdn+MeKsmptZkR3XSEue+wSyLxwcjBYxxo=";
+ persistentKeepalive = 25;
+ }
+ ];
+ };
+ })
];
networking.extraHosts = import (toString <secrets/extra-hosts.nix>);
@@ -90,5 +112,5 @@
8010
];
-
+ systemd.services."serial-getty@ttyS0".enable = true;
}
diff --git a/makefu/5pkgs/gen-oath-safe/default.nix b/makefu/5pkgs/gen-oath-safe/default.nix
index 344dc1a02..bad4b08a8 100644
--- a/makefu/5pkgs/gen-oath-safe/default.nix
+++ b/makefu/5pkgs/gen-oath-safe/default.nix
@@ -1,7 +1,6 @@
{ coreutils, makeWrapper, openssl, libcaca, qrencode, fetchFromGitHub, yubikey-manager, python, stdenv, ... }:
-builtins.trace "Warning: HTOP mode of gen-oath-safe is currently broken"
- stdenv.mkDerivation {
+stdenv.mkDerivation {
name = "gen-oath-safe-2017-06-30";
src = fetchFromGitHub {
owner = "mcepl";
@@ -24,7 +23,7 @@ builtins.trace "Warning: HTOP mode of gen-oath-safe is currently broken"
coreutils
openssl
qrencode
- #yubikey-manager
+ yubikey-manager
libcaca
python
];