From efe9b578677ef854a6a5fe493411d8839ca2b17a Mon Sep 17 00:00:00 2001
From: Pim Kunis
Date: Mon, 8 Jan 2024 23:17:37 +0100
Subject: [PATCH] create global module for machine-independent custom configuration parameterize various IP addresses
---
 nixos/default.nix | 1 +
 nixos/lab.nix | 8 +++++
 nixos/machines/default.nix | 32 +++++++++++--------
 nixos/modules/backups.nix | 2 +-
 nixos/modules/networking/default.nix | 28 ++++++++++++++++
 nixos/modules/networking/dmz/default.nix | 9 +++---
 nixos/modules/networking/dmz/dnsmasq.nix | 29 ++++++++---------
 .../networking/dmz/zones/geokunis2.nl.nix | 16 ++++++----
 nixos/modules/networking/dmz/zones/kun.is.nix | 14 ++++----
 9 files changed, 90 insertions(+), 49 deletions(-)
 create mode 100644 nixos/lab.nix
diff --git a/nixos/default.nix b/nixos/default.nix
index 3b95896..be7077e 100644
--- a/nixos/default.nix
+++ b/nixos/default.nix
@@ -2,6 +2,7 @@
 imports = [
 (modulesPath + "/installer/scan/not-detected.nix")
 ./modules
+ ./lab.nix
 ];
 boot = {
diff --git a/nixos/lab.nix b/nixos/lab.nix
new file mode 100644
index 0000000..1611d66
--- /dev/null
+++ b/nixos/lab.nix
@@ -0,0 +1,8 @@
+{
+ lab.networking = {
+ publicIPv4 = "192.145.57.90";
+ dockerSwarmInternalIPv4 = "192.168.30.8";
+ dmzRouterIPv4 = "192.168.30.1";
+ dmzDHCPIPv4 = "192.168.30.7";
+ };
+}
diff --git a/nixos/machines/default.nix b/nixos/machines/default.nix
index c75664c..7eba420 100644
--- a/nixos/machines/default.nix
+++ b/nixos/machines/default.nix
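Review bot: The new nixos/lab.nix holds four bare address literals with no comment on what each one belongs to, even though the rest of the commit attaches a role to every value: `dmzDHCPIPv4` is also atlas's own static DMZ address in machines/default.nix, and `dockerSwarmInternalIPv4` is the `maestro` lease in dnsmasq.nix. A reader of this file alone cannot tell which host an address identifies, which matters when one of them is changed. A short comment per value, e.g. `# dmzDHCPIPv4: atlas, the host that runs dmzServices (presumably the DHCP/DNS server)` and `# dockerSwarmInternalIPv4: maestro`, would make the file self-explanatory.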
@@ -23,23 +23,27 @@
 name = "atlas";
 hostName = "atlas.hyp";
- nixosModule.lab = {
- networking = {
- staticDMZIpv4Address = "192.168.30.7/24";
- dmzServices.enable = true;
- };
+ nixosModule = { config, ... }:
+ let inherit (config.lab.networking) dmzDHCPIPv4; in
+ {
+ lab = {
+ networking = {
+ staticDMZIpv4Address = "${dmzDHCPIPv4}/24";
+ dmzServices.enable = true;
+ };
- storage = {
- osDisk = "/dev/sda";
- dataPartition = "/dev/nvme0n1p1";
- };
+ storage = {
+ osDisk = "/dev/sda";
+ dataPartition = "/dev/nvme0n1p1";
+ };
- ssh = {
- useCertificates = true;
- hostCert = builtins.readFile ./atlas_host_ed25519-cert.pub;
- userCert = builtins.readFile ./atlas_user_ed25519-cert.pub;
+ ssh = {
+ useCertificates = true;
+ hostCert = builtins.readFile ./atlas_host_ed25519-cert.pub;
+ userCert = builtins.readFile ./atlas_user_ed25519-cert.pub;
+ };
+ };
 };
- };
 };
 lewis = {
diff --git a/nixos/modules/backups.nix b/nixos/modules/backups.nix
index 4e4beae..a10a790 100644
--- a/nixos/modules/backups.nix
+++ b/nixos/modules/backups.nix
@@ -76,7 +76,7 @@ in
 };
 config = lib.mkIf cfg.enable {
- environment.systemPackages = with pkgs; [ postgresql ];
+ environment.systemPackages = with pkgs; [ borgbackup postgresql ];
 # Converted from:
 # https://github.com/borgmatic-collective/borgmatic/tree/84823dfb912db650936e3492f6ead7e0e0d32a0f/sample/systemd
 systemd.services.borgmatic = {
diff --git a/nixos/modules/networking/default.nix b/nixos/modules/networking/default.nix
index bd19fe0..88505bb 100644
--- a/nixos/modules/networking/default.nix
+++ b/nixos/modules/networking/default.nix
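Review bot: The prefix length is still hard-coded while the address is now taken from the global options, so `staticDMZIpv4Address = "${dmzDHCPIPv4}/24";` leaves the DMZ subnet size as the one piece of addressing that lives in this machine file rather than in `lab.networking`; either a `dmzPrefixLength` option next to the addresses or storing the whole CIDR would keep the two in one place. The `let` in the new `nixosModule` reads `config.lab.networking` from a module that itself defines `lab.networking.*`; this appears safe because only `dmzDHCPIPv4` is read and a different attribute is defined, but a one-line comment such as `# reads dmzDHCPIPv4 (defined globally in lab.nix), not the attributes set below` would spare the next reader the infinite-recursion check. The attribute set for `atlas` starts before this hunk.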
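Review bot: Adding `borgbackup` to `environment.systemPackages` is unrelated to the parameterisation this commit describes and installs borg into every user's PATH, when the only consumer visible here is the `systemd.services.borgmatic` unit that starts at the end of the hunk. The narrower and more conventional fix is to give the unit its own path, `systemd.services.borgmatic.path = [ pkgs.borgbackup ];`, which also makes the dependency explicit next to the service that needs it. The service definition continues outside the hunk.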
@@ -19,6 +19,34 @@ in {
 Assign a static IPv4 on the DMZ interface.
 '';
 };
+
+ publicIPv4 = lib.mkOption {
+ type = lib.types.str;
+ description = ''
+ Public IPv4 address of our home.
+ '';
+ };
+
+ dockerSwarmInternalIPv4 = lib.mkOption {
+ type = lib.types.str;
+ description = ''
+ Internal IPv4 address of the Docker Swarm.
+ '';
+ };
+
+ dmzRouterIPv4 = lib.mkOption {
+ type = lib.types.str;
+ description = ''
+ The router's IPv4 address on the DMZ network.
+ '';
+ };
+
+ dmzDHCPIPv4 = lib.mkOption {
+ type = lib.types.str;
+ description = ''
+ The IPv4 address of the DHCP server on the DMZ network.
+ '';
+ };
 };
 config = {
diff --git a/nixos/modules/networking/dmz/default.nix b/nixos/modules/networking/dmz/default.nix
index 8e4e2e5..b73e5eb 100644
--- a/nixos/modules/networking/dmz/default.nix
+++ b/nixos/modules/networking/dmz/default.nix
@@ -1,15 +1,14 @@
-{ pkgs, lib, config, dns, ... }:
+{ pkgs, lib, config, dns, ... }@inputs:
 let
 cfg = config.lab.networking.dmzServices;
- publicIpv4 = "192.145.57.90";
 kunisZoneFile = pkgs.writeTextFile {
 name = "kunis-zone-file";
- text = (dns.lib.toString "kun.is" (import ./zones/kun.is.nix { inherit dns publicIpv4; }));
+ text = (dns.lib.toString "kun.is" (import ./zones/kun.is.nix inputs));
 };
 geokunis2nlZoneFile = pkgs.writeTextFile {
 name = "geokunis2nl-zone-file";
- text = (dns.lib.toString "geokunis2.nl" (import ./zones/geokunis2.nl.nix { inherit dns publicIpv4; }));
+ text = (dns.lib.toString "geokunis2.nl" (import ./zones/geokunis2.nl.nix inputs));
 };
 in
 {
@@ -65,7 +64,7 @@ in
 dnsmasq = {
 enable = true;
- settings = import ./dnsmasq.nix;
+ settings = import ./dnsmasq.nix inputs;
 };
 };
 };
diff --git a/nixos/modules/networking/dmz/dnsmasq.nix b/nixos/modules/networking/dmz/dnsmasq.nix
index 532464d..e78f9c9 100644
--- a/nixos/modules/networking/dmz/dnsmasq.nix
+++ b/nixos/modules/networking/dmz/dnsmasq.nix
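Review bot: All four new options are typed `lib.types.str`, so a typo, a trailing space or an empty string is accepted at evaluation time and only surfaces once dnsmasq or the zone serialiser is handed a malformed address, because the values are interpolated straight into `server`, `dhcp-option`, `alias` and the zone `A` records elsewhere in this commit. Constraining the type, e.g. `type = lib.types.strMatching "([0-9]{1,3}\\.){3}[0-9]{1,3}";`, turns that into a build failure with the option name in the message. The `dmzDHCPIPv4` description could also state that this is atlas's own DMZ address, since machines/default.nix now derives `staticDMZIpv4Address` from it and the description alone does not say the two are the same host.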
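Review bot: Passing the whole module argument set with `import ./zones/kun.is.nix inputs` (and likewise for geokunis2.nl.nix and dnsmasq.nix in the second hunk) hides what each imported file actually depends on; the previous `{ inherit dns publicIpv4; }` made the contract visible at the call site, and the new `{ config, dns, ... }` signatures in the zone files accept anything. Passing only what is used, `(import ./zones/kun.is.nix { inherit config dns; })` and `settings = import ./dnsmasq.nix { inherit config; };`, keeps the dependency explicit without changing behaviour. The `@inputs` binding would then be unnecessary.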
@@ -1,9 +1,13 @@
+{ config, ... }:
+let
+ inherit (config.lab.networking) publicIPv4 dockerSwarmInternalIPv4 dmzDHCPIPv4 dmzRouterIPv4;
+in
 {
 no-resolv = true;
 server = [
- "192.168.30.1"
- "/geokunis2.nl/192.168.30.7"
- "/kun.is/192.168.30.7"
+ dmzRouterIPv4
+ "/geokunis2.nl/${dmzDHCPIPv4}"
+ "/kun.is/${dmzDHCPIPv4}"
 ];
 local = "/dmz/";
 dhcp-fqdn = true;
@@ -13,29 +17,22 @@
 dhcp-authoritative = true;
 dhcp-range = [
 "192.168.30.50,192.168.30.127,15m"
- "2a02:58:19a:f730::, ra-stateless, ra-names"
 ];
 dhcp-host = [
 "b8:27:eb:b9:ab:e2,esrom"
- "ca:fe:c0:ff:ee:03,max,192.168.30.3"
- "ca:fe:c0:ff:ee:08,maestro,192.168.30.8"
- "dc:a6:32:7b:e2:11,iris,192.168.30.9"
- "ca:fe:c0:ff:ee:0a,thecloud,192.168.30.10"
- "52:54:00:72:e0:9a,forum,192.168.30.11"
+ "ca:fe:c0:ff:ee:08,maestro,${dockerSwarmInternalIPv4}"
 ];
 dhcp-option = [
- "3,192.168.30.1"
- "option6:dns-server,[2a02:58:19a:f730::1]"
- "option:dns-server,192.168.30.1"
+ "3,${dmzRouterIPv4}"
+ "option:dns-server,${dmzRouterIPv4}"
 ];
 ra-param = "*,0,0";
- alias = "192.145.57.90,192.168.30.8";
+ alias = "${publicIPv4},${dockerSwarmInternalIPv4}";
 log-dhcp = true;
 log-queries = true;
- interface-name = "hermes.dmz,ens3";
+ # interface-name = "hermes.dmz,ens3";
 port = "5353";
 address = [
- "/ns.pizzapim.nl/ns.geokunis2.nl/ns.pim.kunis.nl/192.168.30.7"
- "/ns.pizzapim.nl/ns.geokunis2.nl/ns.pim.kunis.nl/2a02:58:19a:f730:c8fe:c0ff:feff:ee07"
+ "/ns.pizzapim.nl/ns.geokunis2.nl/${dmzDHCPIPv4}"
 ];
 }
diff --git a/nixos/modules/networking/dmz/zones/geokunis2.nl.nix b/nixos/modules/networking/dmz/zones/geokunis2.nl.nix
index 0033ba6..971bab2 100644
--- a/nixos/modules/networking/dmz/zones/geokunis2.nl.nix
+++ b/nixos/modules/networking/dmz/zones/geokunis2.nl.nix
@@ -1,6 +1,8 @@
-{ publicIpv4, dns }:
+{ config, dns, ... }:
 with dns.lib.combinators;
-
+let
+ inherit (config.lab.networking) publicIPv4;
+in
 {
 SOA = {
 nameServer = "ns";
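Review bot: The second hunk does more than swap literals for options: it drops the IPv6 `dhcp-range` (`2a02:58:19a:f730::, ra-stateless, ra-names`), the `option6:dns-server` entry, the static leases for max, iris, thecloud and forum, the IPv6 `address` entry and the `ns.pim.kunis.nl` name, none of which the commit message mentions. The hosts that lose their static lease will now be served from the dynamic `192.168.30.50,192.168.30.127,15m` pool, so any firewall rule, DNS record or service pinned to their old addresses breaks without an evaluation error; if this is intended it deserves its own commit or at least a sentence in the message, and if not, those lines should be restored. `ra-param = "*,0,0";` is kept although no remaining `dhcp-range` carries an `ra-*` flag, so it looks like dead configuration now, and the commented-out `# interface-name = "hermes.dmz,ens3";` silently removes the `hermes.dmz` name for this host's own interface and should either be deleted or annotated with why it is disabled.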
@@ -17,13 +19,13 @@ with dns.lib.combinators;
 MX = [
 (mx.mx 10 "mail.geokunis2.nl.")
 ];
- A = [ publicIpv4 ];
+ A = [ publicIPv4 ];
 CAA = letsEncrypt "caa@geokunis2.nl";
 subdomains = {
- ns.A = [ publicIpv4 ];
- ns1.A = [ publicIpv4 ];
- ns2.A = [ publicIpv4 ];
- "*".A = [ publicIpv4 ];
+ ns.A = [ publicIPv4 ];
+ ns1.A = [ publicIPv4 ];
+ ns2.A = [ publicIPv4 ];
+ "*".A = [ publicIPv4 ];
 };
 }
diff --git a/nixos/modules/networking/dmz/zones/kun.is.nix b/nixos/modules/networking/dmz/zones/kun.is.nix
index d734902..a98705a 100644
--- a/nixos/modules/networking/dmz/zones/kun.is.nix
+++ b/nixos/modules/networking/dmz/zones/kun.is.nix
@@ -1,6 +1,8 @@
-{ publicIpv4, dns }:
+{ config, dns, ... }:
 with dns.lib.combinators;
-
+let
+ inherit (config.lab.networking) publicIPv4;
+in
 {
 CAA = letsEncrypt "caa@kun.is";
@@ -20,9 +22,9 @@ with dns.lib.combinators;
 ];
 subdomains = {
- ns.A = [ publicIpv4 ];
- ns1.A = [ publicIpv4 ];
- ns2.A = [ publicIpv4 ];
- "*".A = [ publicIpv4 ];
+ ns.A = [ publicIPv4 ];
+ ns1.A = [ publicIPv4 ];
+ ns2.A = [ publicIPv4 ];
+ "*".A = [ publicIPv4 ];
 };
 }