From 7b39418eb059a80b365beba867613ea0e378c189 Mon Sep 17 00:00:00 2001
From: makefu
Date: Sat, 6 Jan 2018 20:50:37 +0100
Subject: ma filepimp.r: add nofail to disks
---
 makefu/1systems/filepimp/config.nix | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
(limited to 'makefu/1systems')
diff --git a/makefu/1systems/filepimp/config.nix b/makefu/1systems/filepimp/config.nix
index e9058ec85..30ba61a9b 100644
--- a/makefu/1systems/filepimp/config.nix
+++ b/makefu/1systems/filepimp/config.nix
@@ -71,7 +71,10 @@ in {
 '') allDisks);
 fileSystems = let
 xfsmount = name: dev:
- { "/media/${name}" = { device = dev; fsType = "xfs"; }; };
+ { "/media/${name}" = {
+ device = dev; fsType = "xfs";
+ options = [ "nofail" ];
+ }; };
 in
 # (xfsmount "j0" (part1 jDisk0)) //
 (xfsmount "j1" (part1 jDisk1)) //
-- cgit v1.2.3
From 72d8ea37cc19a0d09dedef55d540c6b06ebcdbd1 Mon Sep 17 00:00:00 2001
From: makefu
Date: Sat, 6 Jan 2018 20:51:32 +0100
Subject: ma gum.r: add vbob to wireguard
---
 makefu/1systems/gum/config.nix | 27 +++++++++++++++++++++++----
 1 file changed, 23 insertions(+), 4 deletions(-)
(limited to 'makefu/1systems')
diff --git a/makefu/1systems/gum/config.nix b/makefu/1systems/gum/config.nix
index 1fe0b62f9..6e5f3c2d4 100644
--- a/makefu/1systems/gum/config.nix
+++ b/makefu/1systems/gum/config.nix
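Review bot: `nofail` on the `/media/${name}` mounts lets boot continue when a disk is absent, but the mountpoint then sits as an empty directory on the root filesystem, so anything writing to `/media/<name>` will quietly fill the root disk instead of failing; services that use these paths should declare `RequiresMountsFor=/media/<name>` (or `ConditionPathIsMountPoint=`) so they do not start against the bare directory. The same applies to the `cryptMount` change in the omo hunk of 9cf88110. Consider adding `x-systemd.device-timeout=` next to `nofail` so a missing disk does not hold the boot for the full default device timeout. The surrounding `fileSystems = let … in` expression continues outside the hunk.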
@@ -108,16 +108,35 @@ in {
 # };
 #}
 { # wireguard server
- networking.firewall.allowedUDPPorts = [ 51820 ];
+
+ # TODO: networking.nat
+
+ # boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
+ # conf.all.proxy_arp =1
+ networking.firewall = {
+ allowedUDPPorts = [ 51820 ];
+ extraCommands = ''
+ iptables -t nat -A POSTROUTING -s 10.244.0.0/24 -o ${ext-if} -j MASQUERADE
+ '';
+ };
+
 networking.wireguard.interfaces.wg0 = {
 ips = [ "10.244.0.1/24" ];
+ listenPort = 51820;
 privateKeyFile = (toString ) + "/wireguard.key";
 allowedIPsAsRoutes = true;
- peers = [{
- # allowedIPs = [ "0.0.0.0/0" "::/0" ];
+ peers = [
+ {
+ # x
 allowedIPs = [ "10.244.0.2/32" ];
 publicKey = "fe5smvKVy5GAn7EV4w4tav6mqIAKhGWQotm7dRuRt1g=";
- }];
+ }
+ {
+ # vbob
+ allowedIPs = [ "10.244.0.3/32" ];
+ publicKey = "Lju7EsCu1OWXhkhdNR7c/uiN60nr0TUPHQ+s8ULPQTw=";
+ }
+ ];
 };
 }
-- cgit v1.2.3
From 9cf88110a69b7f3902d29e9f252a0b40d2bc5f9f Mon Sep 17 00:00:00 2001
From: makefu
Date: Sat, 6 Jan 2018 20:51:58 +0100
Subject: ma omo.r: add nofail to disk
---
 makefu/1systems/omo/config.nix | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
(limited to 'makefu/1systems')
diff --git a/makefu/1systems/omo/config.nix b/makefu/1systems/omo/config.nix
index aaecebadc..ce3ffbcf3 100644
--- a/makefu/1systems/omo/config.nix
+++ b/makefu/1systems/omo/config.nix
@@ -143,7 +143,10 @@ in {
 ];
 fileSystems = let
 cryptMount = name:
- { "/media/${name}" = { device = "/dev/mapper/${name}"; fsType = "xfs"; };};
+ { "/media/${name}" = {
+ device = "/dev/mapper/${name}"; fsType = "xfs";
+ options = [ "nofail" ];
+ };};
 in cryptMount "crypt0" // cryptMount "crypt1" // cryptMount "crypt2"
-- cgit v1.2.3
From de01eae264ee72f1bddb42ae0a33defc66486f4f Mon Sep 17 00:00:00 2001
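Review bot: `extraCommands` appends the MASQUERADE rule with `-A` every time the firewall unit starts or reloads, but nothing removes it, so restarts accumulate duplicate entries in the nat POSTROUTING chain; pair it with `extraStopCommands = ''iptables -t nat -D POSTROUTING -s 10.244.0.0/24 -o ${ext-if} -j MASQUERADE || true'';`, or use the `networking.nat` module that the added TODO already names, which manages its own chain. `net.ipv4.ip_forward` is left commented out in the same hunk, so peers given a `0.0.0.0/0` route through this host get a NAT rule but no forwarding until that sysctl is enabled. `ext-if` is defined outside the hunk; presumably it names the uplink interface.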
From: makefu
Date: Sat, 6 Jan 2018 20:53:33 +0100
Subject: ma vbob.r: add default routing through wireguard
---
 makefu/1systems/vbob/config.nix | 32 ++++++++++++++++++++++++++++++--
 1 file changed, 30 insertions(+), 2 deletions(-)
(limited to 'makefu/1systems')
diff --git a/makefu/1systems/vbob/config.nix b/makefu/1systems/vbob/config.nix
index f318c0e61..7552c6982 100644
--- a/makefu/1systems/vbob/config.nix
+++ b/makefu/1systems/vbob/config.nix
@@ -7,7 +7,8 @@
 {
 imports = [ ];
- boot.loader.grub.device = "/dev/vda";
+ boot.loader.grub.device = "/dev/sda";
+ virtualisation.virtualbox.guest.enable = true;
 }
 # {
 # imports = [
@@ -49,6 +50,33 @@
 # environment
+ (let
+ gum-ip = config.krebs.hosts.gum.nets.internet.ip4.addr;
+ Gateway = "10.0.2.2";
+ in {
+ networking.localCommands = ''
+ ip route add ${gum-ip} via ${Gateway}
+ '';
+ systemd.network.networks.enp0s3.routes = [{
+ inherit Gateway; # TODO
+ Destination = gum-ip;
+ }];
+ networking.wireguard.interfaces.wg0 = {
+ ips = [ "10.244.0.3/24" ];
+ privateKeyFile = (toString ) + "/wireguard.key";
+ allowedIPsAsRoutes = true;
+ # explicit route via eth0 to gum
+ peers = [
+ {
+ # gum
+ endpoint = "${gum-ip}:51820";
+ # allowedIPs = [ "10.244.0.0/24" ];
+ allowedIPs = [ "0.0.0.0/0" ];
+ publicKey = "yAKvxTvcEVdn+MeKsmptZkR3XSEue+wSyLxwcjBYxxo=";
+ }
+ ];
+ };
+ })
 ];
 networking.extraHosts = import (toString );
@@ -90,5 +118,5 @@
 8010
 ];
-
+ systemd.services."serial-getty@ttyS0".enable = true;
 }
-- cgit v1.2.3
From 149aad4cb79de44e095b82ffdf7fa65cc95c2f93 Mon Sep 17 00:00:00 2001
From: makefu
Date: Sat, 6 Jan 2018 21:07:46 +0100
Subject: ma vbob.r: remove explicit route via systemd does not work
---
 makefu/1systems/vbob/config.nix | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
(limited to 'makefu/1systems')
diff --git a/makefu/1systems/vbob/config.nix b/makefu/1systems/vbob/config.nix
index 7552c6982..d4b80c90e 100644
--- a/makefu/1systems/vbob/config.nix
+++ b/makefu/1systems/vbob/config.nix
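Review bot: `allowedIPs = [ "0.0.0.0/0" ]` together with `allowedIPsAsRoutes = true` installs an IPv4 default route through wg0 only; `"::/0"` is not listed, so any IPv6 traffic still leaves via enp0s3 outside the tunnel, which does not match the commit's "default routing through wireguard" intent unless v6 is deliberately excluded — either add `"::/0"` or say so in the `# explicit route via eth0 to gum` comment. `Gateway = "10.0.2.2"` is a hard-coded VirtualBox NAT default rather than taken from the host's network config, which is worth a comment since the route to `gum-ip` silently breaks on any other topology. The third hunk enables a login getty on ttyS0, which makes a console login reachable to anyone who can attach to the VM's serial port; a one-line comment stating that this is intended for the VirtualBox host would help. The enclosing `imports` list starts and ends outside the hunks.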
@@ -57,10 +57,7 @@
 networking.localCommands = ''
 ip route add ${gum-ip} via ${Gateway}
 '';
- systemd.network.networks.enp0s3.routes = [{
- inherit Gateway; # TODO
- Destination = gum-ip;
- }];
+
 networking.wireguard.interfaces.wg0 = {
 ips = [ "10.244.0.3/24" ];
 privateKeyFile = (toString ) + "/wireguard.key";
-- cgit v1.2.3
From 17883f68dd0ddcb9813add65559bcc95009148fc Mon Sep 17 00:00:00 2001
From: makefu
Date: Sat, 6 Jan 2018 23:44:03 +0100
Subject: ma vbob.r: set route after network online
---
 makefu/1systems/vbob/config.nix | 17 +++++++----------
 1 file changed, 7 insertions(+), 10 deletions(-)
(limited to 'makefu/1systems')
diff --git a/makefu/1systems/vbob/config.nix b/makefu/1systems/vbob/config.nix
index d4b80c90e..ffd9deaee 100644
--- a/makefu/1systems/vbob/config.nix
+++ b/makefu/1systems/vbob/config.nix
@@ -52,24 +52,21 @@
 (let
 gum-ip = config.krebs.hosts.gum.nets.internet.ip4.addr;
- Gateway = "10.0.2.2";
+ gateway = "10.0.2.2";
 in {
- networking.localCommands = ''
- ip route add ${gum-ip} via ${Gateway}
- '';
-
+ # make sure the route to gum gets added after the network is online
+ systemd.services.wireguard-wg0.after = [ "network-online.target" ];
 networking.wireguard.interfaces.wg0 = {
 ips = [ "10.244.0.3/24" ];
 privateKeyFile = (toString ) + "/wireguard.key";
- allowedIPsAsRoutes = true;
 # explicit route via eth0 to gum
+ preSetup = ["${pkgs.iproute}/bin/ip route add ${gum-ip} via ${gateway}"];
 peers = [
- {
- # gum
+ { # gum
 endpoint = "${gum-ip}:51820";
- # allowedIPs = [ "10.244.0.0/24" ];
- allowedIPs = [ "0.0.0.0/0" ];
+ allowedIPs = [ "0.0.0.0/0" "10.244.0.0/24" ];
 publicKey = "yAKvxTvcEVdn+MeKsmptZkR3XSEue+wSyLxwcjBYxxo=";
+ persistentKeepalive = 25;
 }
 ];
 };
-- cgit v1.2.3
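Review bot: `systemd.services.wireguard-wg0.after = [ "network-online.target" ]` only orders the unit; without a matching `systemd.services.wireguard-wg0.wants = [ "network-online.target" ];` the target is not pulled in, so the route in `preSetup` can still run before enp0s3 has its address, which is the race this commit is trying to close. `preSetup` also uses `ip route add`, which fails with "File exists" when the host route survives a wg0 restart and can abort interface setup; `ip route replace` is idempotent, and a matching `postShutdown = ["${pkgs.iproute}/bin/ip route del ${gum-ip} via ${gateway}"];` keeps the route from lingering after the tunnel is down. With `0.0.0.0/0` in `allowedIPs` the extra `"10.244.0.0/24"` entry is already covered, so it should either be dropped or carry a comment saying why it is listed separately. The enclosing `(let … in { … })` module starts and ends outside the hunk.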