diff --git a/flake.lock b/flake.lock
index 446b09b..ea8d41c 100644
--- a/flake.lock
+++ b/flake.lock
@@ -100,11 +100,11 @@
 "nixpkgs-lib": "nixpkgs-lib"
 },
 "locked": {
- "lastModified": 1727826117,
- "narHash": "sha256-K5ZLCyfO/Zj9mPFldf3iwS6oZStJcU4tSpiXTMYaaL0=",
+ "lastModified": 1730504689,
+ "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
 "owner": "hercules-ci",
 "repo": "flake-parts",
- "rev": "3d04084d54bedc3d6b8b736c70ef449225c361b1",
+ "rev": "506278e768c2a08bec68eb62932193e341f55c90",
 "type": "github"
 },
 "original": {
@@ -149,11 +149,11 @@
 "min-rip": {
 "flake": false,
 "locked": {
- "lastModified": 1730496934,
- "narHash": "sha256-W982rhZkCaadeHaDR17h0ROZ8tUibm209+QVw43cN98=",
+ "lastModified": 1730603510,
+ "narHash": "sha256-+oUMM43mVaXpf0yv7niHf6Q/2Vv8iuIESxwYEDxYt3A=",
 "ref": "refs/heads/main",
- "rev": "a213353fbe2badb541a2906da5d92e0a79315847",
- "revCount": 27,
+ "rev": "2f2e6f840237ac0a3664b51958f5070d5945fce5",
+ "revCount": 30,
 "type": "git",
 "url": "ssh://git@git.min.rip/min/min.rip.git"
 },
@@ -180,14 +180,14 @@
 },
 "nixpkgs-lib": {
 "locked": {
- "lastModified": 1727825735,
- "narHash": "sha256-0xHYkMkeLVQAMa7gvkddbPqpxph+hDzdu1XdGPJR+Os=",
+ "lastModified": 1730504152,
+ "narHash": "sha256-lXvH/vOfb4aGYyvFmZK/HlsNsr/0CVWlwYvo2rxJk3s=",
 "type": "tarball",
- "url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz"
+ "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz"
 },
 "original": {
 "type": "tarball",
- "url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz"
+ "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz"
 }
 },
 "nixpkgs-stable": {
diff --git a/nixos/hosts/eidola/configuration.nix b/nixos/hosts/eidola/configuration.nix
index 9c43149..88bf7ee 100644
--- a/nixos/hosts/eidola/configuration.nix
+++ b/nixos/hosts/eidola/configuration.nix
@@ -18,7 +18,6 @@
 nixpkgs.config.allowUnfree = true;
 
 # Basic networking
- networking.networkmanager.enable = true;
 networking.firewall.enable = true;
 
 # Locales
@@ -33,7 +32,7 @@
 
 eidola = {
 isNormalUser = true;
- extraGroups = ["networkmanager" "wheel"];
+ extraGroups = ["wheel"];
 hashedPasswordFile = config.sops.secrets."user-pw".path;
 openssh.authorizedKeys.keys = import ../../keys/ssh.nix;
 };
@@ -70,6 +69,7 @@
 port = 48722;
 hostKeys = ["/persist/etc/secrets/initrd/ssh_host_ed25519_key"];
 };
+ boot.initrd.network.udhcpc.enable = true;
 
 system.stateVersion = "24.05";
 }
diff --git a/nixos/hosts/eidola/default.nix b/nixos/hosts/eidola/default.nix
index 8bdb2b6..5b7035e 100644
--- a/nixos/hosts/eidola/default.nix
+++ b/nixos/hosts/eidola/default.nix
@@ -6,7 +6,7 @@
 };
 
 deployment = {
- host = "10.13.1.1";
+ host = "eidola.int.min.rip";
 user = "root";
 port = 22;
 
diff --git a/nixos/hosts/eidola/nebula.nix b/nixos/hosts/eidola/nebula.nix
index 0645dd3..b221a35 100644
--- a/nixos/hosts/eidola/nebula.nix
+++ b/nixos/hosts/eidola/nebula.nix
@@ -2,6 +2,7 @@
 netName = "m-infra";
 # https://github.com/NixOS/nixpkgs/blob/nixos-24.05/nixos/modules/services/networking/nebula.nix#L12
 userGroup = "nebula-${netName}";
+ interface = "nebula.${netName}";
 lhs = {"10.13.0.1" = ["min.rip:4242"];}; # TODO: hardcoding
 lhsInt = builtins.attrNames lhs;
 in {
@@ -11,6 +12,8 @@ in {
 group = userGroup;
 };
 
+ networking.firewall.trustedInterfaces = [interface];
+
 services.nebula.networks.${netName} = {
 ca = ../../keys/ca.crt;
 cert = ../../keys/n-srv-eidola.crt;
@@ -37,11 +40,17 @@ in {
 proto = "icmp";
 host = "any";
 }
- # Allow SSH from `internal` group
+ # Allow anything from `internal` group
+ {
+ port = "any";
+ proto = "any";
+ groups = ["internal"];
+ }
+ # Allow SSH from anyone
 {
 port = 22;
 proto = "tcp";
- groups = ["internal"];
+ host = "any";
 }
 ];
 };
diff --git a/nixos/hosts/silver/configuration.nix b/nixos/hosts/silver/configuration.nix
index 2528c45..60ee786 100644
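Review bot: Dropping `networking.networkmanager.enable` in the first hunk leaves no visible replacement for stage-2 addressing on eidola; whether `networking.useDHCP` or a static `networking.interfaces` entry covers it lives outside this diff, so it is worth confirming the host still obtains an address after the initrd hands over, given that `nixos/hosts/eidola/default.nix` now deploys only via `eidola.int.min.rip`. The new `boot.initrd.network.udhcpc.enable = true;` in the third hunk deserves a line saying what it is for, since it sits outside the initrd ssh block it presumably supports, e.g. `# initrd DHCP lease so the remote-unlock sshd (port 48722) is reachable before stage 2`. The enclosing attribute set ends at the `}` in that hunk but starts outside it.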
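Review bot: The rewritten `# Allow SSH from anyone` rule in the third nebula.nix hunk (`port = 22; proto = "tcp"; host = "any";`) drops the `groups = ["internal"]` restriction, so every certificate holder on the `m-infra` overlay, not only `internal` members, can now reach eidola's sshd; `nixos/hosts/silver/services/nebula.nix` makes the same change. Because the rule above it already grants `port = "any"; proto = "any"` to `internal`, the SSH rule only serves non-internal groups, and if the intent is a specific set of those, `groups = [<non-internal groups>]` keeps it least-privilege; otherwise the comment should say why all overlay nodes need SSH. Note that the second hunk's `networking.firewall.trustedInterfaces = [interface];` makes these nebula rules the only filter for overlay traffic on this host, so the widening is not backstopped by the host firewall. The list these rules belong to begins outside the hunk.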
--- a/nixos/hosts/silver/configuration.nix
+++ b/nixos/hosts/silver/configuration.nix
@@ -3,7 +3,8 @@
 pkgs,
 ...
 }: let
- net = { # TODO: hardcoding (this module *may* be a good place to store values like this, though)
+ net = {
+ # TODO: hardcoding (this module *may* be a good place to store values like this, though)
 address = "107.152.41.67";
 prefixLength = 24;
 subnet = "255.255.255.0";
@@ -26,7 +27,6 @@ in {
 nixpkgs.config.allowUnfree = true;
 
 # Basic networking
- networking.networkmanager.enable = true;
 networking.firewall.enable = true;
 
 # Networking - IP configuration
@@ -62,7 +62,7 @@ in {
 
 silver = {
 isNormalUser = true;
- extraGroups = ["networkmanager" "wheel"];
+ extraGroups = ["wheel"];
 hashedPasswordFile = config.sops.secrets."user-pw".path;
 openssh.authorizedKeys.keys = import ../../keys/ssh.nix;
 };
@@ -84,7 +84,12 @@ in {
 enable = true;
 settings.PasswordAuthentication = false;
 settings.KbdInteractiveAuthentication = false;
- ports = [12208];
+ listenAddresses = [
+ {
+ addr = "10.13.0.1";
+ port = 22;
+ }
+ ];
 };
 
 # My modules
diff --git a/nixos/hosts/silver/default.nix b/nixos/hosts/silver/default.nix
index 2c4a3f1..2e0bcaf 100644
--- a/nixos/hosts/silver/default.nix
+++ b/nixos/hosts/silver/default.nix
@@ -6,9 +6,9 @@
 };
 
 deployment = {
- host = "10.13.0.1";
+ host = "silver.int.min.rip";
 user = "root";
- port = 12208;
+ port = 22;
 buildOnTarget = false;
 };
 
diff --git a/nixos/hosts/silver/mounts.nix b/nixos/hosts/silver/mounts.nix
index a1d6739..81203a6 100644
--- a/nixos/hosts/silver/mounts.nix
+++ b/nixos/hosts/silver/mounts.nix
@@ -15,12 +15,6 @@
 
 "/var/lib/acme"
 "/srv"
-
- # k8s
- "/var/lib/containerd"
- "/var/lib/kubernetes"
- "/var/lib/kubelet"
- "/var/lib/kube-proxy"
 ];
 files = [
 "/etc/machine-id"
diff --git a/nixos/hosts/silver/services/default.nix b/nixos/hosts/silver/services/default.nix
index 31e43aa..1850d78 100644
--- a/nixos/hosts/silver/services/default.nix
+++ b/nixos/hosts/silver/services/default.nix
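Review bot: Restricting sshd to `listenAddresses = [{ addr = "10.13.0.1"; port = 22; }]` in the fourth hunk makes the nebula overlay the only way in: the public port `12208` is gone, `nixos/hosts/silver/default.nix` now deploys through `silver.int.min.rip:22` on that same overlay, and sshd exits rather than waits if `10.13.0.1` is not yet assigned when it binds, so a nebula misconfiguration or a boot-time ordering race locks you out of the lighthouse itself. Consider keeping a console or second path to this host, and ordering `sshd.service` after the nebula unit for `m-infra` (or confirming its restart policy covers the failed bind; that is not visible here). A comment above the block recording the intent would help, e.g. `# sshd is reachable only over the nebula overlay; console access is the fallback`. The `services.openssh` block these lines belong to starts outside the hunk.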
@@ -7,7 +7,6 @@
 ./gitea.nix
 ./synapse.nix
 ./nebula.nix
- ./k8s.nix
 ];
 
 security.acme = {
diff --git a/nixos/hosts/silver/services/gitea.nix b/nixos/hosts/silver/services/gitea.nix
index 64667f0..96a50a6 100644
--- a/nixos/hosts/silver/services/gitea.nix
+++ b/nixos/hosts/silver/services/gitea.nix
@@ -1,5 +1,5 @@
 {config, ...}: let
- sshExposeIp = "0.0.0.0"; # TODO: change this to the public-facing IP for prod (and ideally hardcode it somewhere else)
+ sshExposeIp = "107.152.41.67"; # TODO: hardcoding
 sshIntPort = 14022;
 httpIntPort = 14020;
 dom = "git.min.rip"; # TODO: hardcoding
diff --git a/nixos/hosts/silver/services/k8s.nix b/nixos/hosts/silver/services/k8s.nix
deleted file mode 100644
index 8bbc66a..0000000
--- a/nixos/hosts/silver/services/k8s.nix
+++ /dev/null
@@ -1,30 +0,0 @@
-{pkgs, ...}: let
- kMasterIp = "10.13.0.1";
- kMasterHostname = "silver";
- kMasterApiServerPort = 6443;
-in {
- networking.extraHosts = "${kMasterIp} ${kMasterHostname}";
-
- systemd.services.etcd.preStart = ''${pkgs.writeShellScript "etcd-wait" ''
- while [ ! -f /var/lib/kubernetes/secrets/etcd.pem ]; do sleep 1; done
- ''}'';
-
- services.kubernetes = {
- roles = ["master" "node"];
- masterAddress = kMasterHostname;
- apiserverAddress = "https://${kMasterHostname}:${toString kMasterApiServerPort}";
-
- apiserver = {
- securePort = kMasterApiServerPort;
- advertiseAddress = kMasterIp;
- };
-
- easyCerts = true;
-
- # use coredns
- addons.dns.enable = true;
-
- # needed if you use swap
- kubelet.extraOpts = "--fail-swap-on=false";
- };
-}
diff --git a/nixos/hosts/silver/services/nebula.nix b/nixos/hosts/silver/services/nebula.nix
index 4f4ca30..a1d2b78 100644
--- a/nixos/hosts/silver/services/nebula.nix
+++ b/nixos/hosts/silver/services/nebula.nix
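Review bot: `sshExposeIp = "107.152.41.67"` in the gitea.nix hunk is a second copy of the address that `nixos/hosts/silver/configuration.nix` defines as `net.address` in this same change, and the two will drift independently the next time the host is renumbered; the comment being replaced even asked for the value to live in one place. Lifting `net` into a module option or a shared file that both files import would resolve both `# TODO: hardcoding` markers at once. The `let` block this line belongs to continues outside the hunk.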
@@ -2,6 +2,7 @@
 netName = "m-infra"; # TODO: hardcoding
 # https://github.com/NixOS/nixpkgs/blob/nixos-24.05/nixos/modules/services/networking/nebula.nix#L12
 userGroup = "nebula-${netName}";
+ interface = "nebula.${netName}";
 in {
 sops.secrets."svc-nebula-key" = {
 mode = "0440";
@@ -9,6 +10,11 @@ in {
 group = userGroup;
 };
 
+ networking.firewall = {
+ trustedInterfaces = [interface];
+ allowedUDPPorts = [4242];
+ };
+
 services.nebula.networks.${netName} = {
 ca = ../../../keys/ca.crt;
 cert = ../../../keys/lh-silver.crt;
@@ -37,14 +43,18 @@ in {
 proto = "icmp";
 host = "any";
 }
- # Allow SSH from `internal` group
+ # Allow anything from `internal` group
 {
- port = 12208;
- proto = "tcp";
+ port = "any";
+ proto = "any";
 groups = ["internal"];
 }
+ # Allow SSH from anyone
+ {
+ port = 22;
+ proto = "tcp";
+ host = "any";
+ }
 ];
 };
-
- networking.firewall.allowedUDPPorts = [4242];
 }
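Review bot: `trustedInterfaces = [interface]` in the second hunk disables all host-firewall filtering for traffic arriving over the nebula interface, and the rewritten rule in the third hunk grants `port = "any"; proto = "any"` to the `internal` group, so an `internal` peer can reach every socket silver binds on `0.0.0.0` or `10.13.0.1` — including gitea's `sshIntPort`/`httpIntPort` from `gitea.nix` if those are not bound to loopback (their bind addresses are not visible here). `nixos/hosts/eidola/nebula.nix` applies the same pattern. If only selected services should be reachable from the overlay, `networking.firewall.interfaces.${interface}.allowedTCPPorts = [ 22 ];` keeps the host firewall in the path instead of `trustedInterfaces`, and the nebula rule can be narrowed to the ports those services use. Either way a comment above the `networking.firewall` block noting that nebula's inbound rules are the sole filter for overlay traffic would document the decision.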