author | Alex Auvolat <alex@adnab.me> | 2021-12-26 13:23:01 +0100 |
---|---|---|
committer | Alex Auvolat <alex@adnab.me> | 2021-12-26 13:23:01 +0100 |
commit | 2f6d64a1a81de511c0b62dc2241dc08dc75e5283 (patch) | |
tree | 7b5a0eecc6c3b523340fea5ee2d45c66f4a4f1c5 /configuration.nix | |
parent | 05bb108323cd7a28968f38a21817443ce17a429a (diff) | |
Cleanup
Diffstat (limited to 'configuration.nix')
-rw-r--r-- | configuration.nix | 114 |
1 files changed, 48 insertions, 66 deletions
diff --git a/configuration.nix b/configuration.nix index 726e425..c9fecd0 100644 --- a/configuration.nix +++ b/configuration.nix @@ -25,10 +25,9 @@ in # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. # Networking configuration (static IPs for each node is defined in node/*.nix) - networking.nameservers = [ "9.9.9.9" "213.186.33.99" "172.104.136.243" ]; + networking.nameservers = [ "9.9.9.9" ]; # Wireguard VPN configuration - # TODO: Max dit qu'on peut monter persistentKeepalive à 25s car les NAT ne mettent pas de tiemout inférieur à 30s networking.wireguard.interfaces.wg0 = { privateKeyFile = "/root/wireguard-keys/private"; peers = [ 
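Review bot: The rationale dropped with the French TODO line (NATs do not use a timeout below 30 s, so the keepalive can safely be raised to 25 s) is the only explanation of the `persistentKeepalive` change made in the next hunk, and this commit loses it; keep it as a short English comment above the peers list, e.g. `# persistentKeepalive = 25: NATs do not expire mappings in under 30s`. Cutting `networking.nameservers` to the single resolver `9.9.9.9` also makes name resolution on every node depend on one upstream; if that is deliberate, a second resolver run by a different operator keeps Consul/Nomad name lookups working when it is unreachable. The `networking.wireguard.interfaces.wg0` definition continues outside the hunk.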
@@ -36,49 +35,49 @@ in publicKey = "b5hF+GSTgg3oM6wnjL7jRbfyf1jtsWdVptPPbAh3Qic="; allowedIPs = [ "10.42.0.1/32" ]; endpoint = "5.135.179.11:51349"; - persistentKeepalive = 10; + persistentKeepalive = 25; } { # Spoutnik publicKey = "fO8qZOZmnug84cA8nvfjl5MUqyWljP0BAz/4tHRZyEg="; allowedIPs = [ "10.42.0.2/32" ]; endpoint = "77.141.67.109:42136"; - persistentKeepalive = 10; + persistentKeepalive = 25; } { # Robinson publicKey = "ETaZFil3mFXlJ0LaJZyWqJVLV2IZUF5PB/8M7WbQSTg="; allowedIPs = [ "10.42.0.42/32" ]; endpoint = "77.141.67.109:33742"; - persistentKeepalive = 10; + persistentKeepalive = 25; } { # Shiki publicKey = "QUiUNMk70TEQ75Ut7Uqikr5uGVSXmx8EGNkGM6tANlg="; allowedIPs = [ "10.42.0.206/32" ]; endpoint = "37.187.118.206:51820"; - persistentKeepalive = 10; + persistentKeepalive = 25; } { # Lindy publicKey = "wen9GnZy2iLT6RyHfn7ydS/wvdvow1XPmhZxIkrDbks="; allowedIPs = [ "10.42.0.66/32" ]; endpoint = "82.66.112.151:33766"; - persistentKeepalive = 10; + persistentKeepalive = 25; } { # Carcajou publicKey = "qxrtfn2zRVnN52Y5NYumyU3/FcRMnh3kJ2C37JfrczA="; allowedIPs = [ "10.42.0.21/32" ]; endpoint = "82.66.112.151:33721"; - persistentKeepalive = 10; + persistentKeepalive = 25; } { # Carcajou publicKey = "7Nm7pMmyS7Nts1MB+loyD8u84ODxHPTkDu+uqQR6yDk="; allowedIPs = [ "10.42.0.22/32" ]; endpoint = "82.66.112.151:33722"; - persistentKeepalive = 10; + persistentKeepalive = 25; } { # Caribou publicKey = "g6ZED/wPn5MPfytJKwPI19808CXtEad0IJUkEAAzwyY="; allowedIPs = [ "10.42.0.23/32" ]; endpoint = "82.66.112.151:33723"; - persistentKeepalive = 10; + persistentKeepalive = 25; } ]; }; @@ -90,8 +89,6 @@ in 192.168.1.21 cariacou.lan 192.168.1.22 carcajou.lan 192.168.1.23 caribou.lan -192.168.1.23 binarycache -192.168.1.23 binarycache.home.adnab.me 10.42.0.1 hammerhead 10.42.0.2 spoutnik 10.42.0.21 cariacou 
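Review bot: The same `persistentKeepalive = 10` → `25` edit is applied by hand to all eight peer entries, each of which repeats the same four-attribute shape, so the next tuning pass will again touch eight lines. A small helper keeps the shared value in one place, e.g. `mkPeer = publicKey: ip: endpoint: { inherit publicKey endpoint; allowedIPs = [ "${ip}/32" ]; persistentKeepalive = 25; };` and then `peers = [ (mkPeer "b5hF+…" "10.42.0.1" "5.135.179.11:51349") … ];` (the host-name comments can become a first string argument). This is a style point only: the rendered WireGuard configuration is unchanged. The `let … in` where such a helper would live is outside the hunk.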
@@ -101,10 +98,6 @@ in 10.42.0.206 shiki ''; - # Configure network proxy if necessary - # networking.proxy.default = "http://user:password@proxy:port/"; - # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; - # Select internationalisation properties. # i18n.defaultLocale = "en_US.UTF-8"; console = { @@ -112,24 +105,11 @@ in keyMap = "fr"; }; - # Enable the X11 windowing system. - # services.xserver.enable = true; - - # Configure keymap in X11 - # services.xserver.layout = "us"; - # services.xserver.xkbOptions = "eurosign:e"; - - # Enable CUPS to print documents. - # services.printing.enable = true; - # Enable sound. # sound.enable = true; # hardware.pulseaudio.enable = true; - # Enable touchpad support (enabled default in most desktopManager). - # services.xserver.libinput.enable = true; - - # Define a user account. Don't forget to set a password with ‘passwd’. + # Define user accounts users.users.lx = { isNormalUser = true; extraGroups = [ @@ -183,6 +163,9 @@ in # List packages installed in system profile. To search, run: # $ nix search wget environment.systemPackages = with pkgs; [ + nmap + bind + inetutils vim tmux ncdu @@ -199,21 +182,14 @@ in programs.vim.defaultEditor = true; - # Some programs need SUID wrappers, can be configured further or are - # started in user sessions. - # programs.mtr.enable = true; - # programs.gnupg.agent = { - # enable = true; - # enableSSHSupport = true; - # }; - - # List services that you want to enable: - # Enable network time services.ntp.enable = true; - # Enable the OpenSSH daemon. + # Enable the OpenSSH daemon and disable password login. services.openssh.enable = true; + services.openssh.passwordAuthentication = false; + + # ---- CONFIG FOR DEUXFLEURS CLUSTER ---- # Enable Hashicorp Consul & Nomad services.consul.enable = true; 
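Review bot: `services.openssh.passwordAuthentication = false;` on its own does not switch off password logins: sshd still accepts a password through keyboard-interactive (PAM) authentication, and the NixOS option controlling that defaulted to enabled in the modules of this period, so also set `services.openssh.challengeResponseAuthentication = false;` right below it (worth checking the option name against the nixpkgs revision the flake pins). Since this file is shared by every node and the firewall hunk below opens the SSH port to anyone, it is also worth stating `services.openssh.permitRootLogin` explicitly rather than relying on the module default. With both in place the new comment `# Enable the OpenSSH daemon and disable password login.` is accurate.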
@@ -232,6 +208,7 @@ in }; services.nomad.enable = true; + services.nomad.package = pkgs.nomad_1_1; services.nomad.settings = let public_ip = (builtins.head (builtins.split "/" (builtins.head node_config.networking.wireguard.interfaces.wg0.ips))); in @@ -257,7 +234,7 @@ in config = [ { volumes.enabled = true; - #allow_privileged = true; + allow_privileged = true; } ]; } 
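Review bot: Uncommenting `allow_privileged = true;` in the Nomad Docker driver config lets any job submitted to this Nomad agent request a privileged container, which is effectively root on the host, and the firewall hunk below in the same commit opens the Nomad API port 4646 to every VPN member; unless Nomad ACLs are enabled (`acl.enabled = true;` inside `services.nomad.settings`, not visible in this diff), every VPN host can therefore take over any node. If one job genuinely needs this, prefer granting that job the specific capabilities or host volumes it needs and leaving privileged off; if it must stay on, record which job requires it, e.g. `# allow_privileged needed by: <job name>`. The `services.nomad.settings` attribute set starts and ends outside the hunk.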
@@ -268,60 +245,65 @@ in # Open ports in the firewall. networking.firewall = { + enable = true; + + # Allow anyone to connect on SSH port allowedTCPPorts = [ (builtins.head ({ openssh.ports = [22]; } // node_config.services).openssh.ports) ]; + + # Allow anyone to contact Wireguard VPN server allowedUDPPorts = [ node_config.networking.wireguard.interfaces.wg0.listenPort ]; - # Authorize nodes also on the Wireguard VPN to access services running here + # Allow specific hosts access to specific things in the cluster extraCommands = '' # Allow everything from router (usefull for UPnP/IGD) iptables -A INPUT -s 192.168.1.254 -j ACCEPT + # Allow Docker containers to access a few things + iptables -N CONTAINERS + iptables -A INPUT -s 172.17.0.0/16 -j CONTAINERS + + # Yugabyte YSQL + iptables -A CONTAINERS -p tcp --dport 5433 -j ACCEPT + + # Specific rules for VPN nodes iptables -N VPN iptables -A INPUT -s 10.42.0.0/16 -j VPN - # Nomad + # Allow server nodes to communicate between themselves on all ports + iptables -A VPN -s 10.42.0.2 -j ACCEPT + iptables -A VPN -s 10.42.0.21 -j ACCEPT + iptables -A VPN -s 10.42.0.22 -j ACCEPT + iptables -A VPN -s 10.42.0.23 -j ACCEPT + + # Allow all VPN users to access Nomad API iptables -A VPN -p tcp --dport 4646 -j ACCEPT - iptables -A VPN -p tcp --dport 4647 -j ACCEPT - iptables -A VPN -p tcp --dport 4648 -j ACCEPT - iptables -A VPN -p udp --dport 4648 -j ACCEPT - # Consul + # Same for Consul API iptables -A VPN -p tcp --dport 8500 -j ACCEPT - iptables -A VPN -p tcp --dport 8300 -j ACCEPT - iptables -A VPN -p tcp --dport 8301 -j ACCEPT - iptables -A VPN -p tcp --dport 8302 -j ACCEPT - iptables -A VPN -p udp --dport 8301 -j ACCEPT - iptables -A VPN -p udp --dport 8302 -j ACCEPT - - # Garage - iptables -A VPN -p tcp --dport 3990 -j ACCEPT - iptables -A VPN -p tcp --dport 3991 -j ACCEPT - iptables -A VPN -p tcp --dport 3992 -j ACCEPT - - # Yugabyte DB + + # Same for YugabyteDB YSQL and Admin ports iptables -A VPN -p tcp --dport 5433 -j 
ACCEPT iptables -A VPN -p tcp --dport 7000 -j ACCEPT - iptables -A VPN -p tcp --dport 7100 -j ACCEPT - iptables -A VPN -p tcp --dport 9100 -j ACCEPT - # Netdata monitoring + # Same for Netdata monitoring iptables -A VPN -p tcp --dport 19999 -j ACCEPT ''; - # When stopping firewall, delete filtering VPN chain + # When stopping firewall, delete all rules that were configured manually above extraStopCommands = '' iptables -D INPUT -s 192.168.1.254 -j ACCEPT iptables -D INPUT -s 10.42.0.0/16 -j VPN iptables -F VPN iptables -X VPN + iptables -D INPUT -s 172.17.0.0/16 -j CONTAINERS + iptables -F CONTAINERS + iptables -X CONTAINERS ''; }; - # Or disable the firewall altogether. - # networking.firewall.enable = false; # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions |
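Review bot: The accept rules in `extraCommands` match on source address only — `iptables -A INPUT -s 10.42.0.0/16 -j VPN`, `iptables -A INPUT -s 192.168.1.254 -j ACCEPT` and the new `iptables -A INPUT -s 172.17.0.0/16 -j CONTAINERS` carry no `-i` — so a packet with a forged 10.42.0.x source arriving on the LAN interface reaches the VPN chain and, for the four server addresses now accepted on every port, is let straight in; WireGuard only vouches for the source of packets that come in through wg0. Binding each rule to its interface closes that gap, e.g. `iptables -A INPUT -i wg0 -s 10.42.0.0/16 -j VPN` and `iptables -A INPUT -i <docker bridge, docker0 by default> -s 172.17.0.0/16 -j CONTAINERS`, with the matching `-D` lines in `extraStopCommands` changed the same way. NixOS reverse-path filtering (`networking.firewall.checkReversePath`, on by default) likely drops most such spoofed packets already, but an explicit interface match does not depend on it and documents the intent better than the source-only rule.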