feat: add zerotier

2024-10-22 16:56:21 -04:00
parent a9b68668c4
commit 31cb308044
9 changed files with 134 additions and 29 deletions
--- a/nixos/common/zerotier.nix
+++ b/nixos/common/zerotier.nix
@@ -0,0 +1,25 @@
+{config}: {
+  age.secrets.zerotier.file = ../../secrets/zerotier.age;
+
+  services.zerotierone = {
+    enable = true;
+    joinNetworks = [builtins.readFile config.age.secrets.zerotier.path]; # Is an antipattern, but idc if this is readable on the servers
+  };
+
+  networking = {
+    firewall = {
+      interfaces."zts23oi5io".allowedTCPPortRanges = [
+        {
+          from = 0;
+          to = 65535;
+        }
+      ];
+      interfaces."zts23oi5io".allowedUDPPortRanges = [
+        {
+          from = 0;
+          to = 65535;
+        }
+      ];
+    };
+  };
+}
--- a/nixos/flake.nix
+++ b/nixos/flake.nix
@@ -35,8 +35,8 @@
          specialArgs = {
            meta = {
              hostname = name;
-              ip = data.ip;
              private-ip = data.private-ip;
+              server-addr = (import ./server/nodes.nix).premhome-gc1.zt-ip;
            };
          };
          modules = [
@@ -50,6 +50,7 @@
      nodes
      // {
        premhome-gc1 = nixpkgs.lib.nixosSystem {
+          specialArgs.meta = (import ./server/nodes.nix).premhome-gc1;
          modules = [
            disko.nixosModules.disko
            agenix.nixosModules.default
--- a/nixos/secrets/keys.nix
+++ b/nixos/secrets/keys.nix
@@ -1,8 +1,5 @@
 {
  yadunut = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJXOpmWsAnl2RtOuJJMRUx+iJTwf2RWJ1iS3FqXJFzFG";
  yadunut-mbp = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOlXV+TevruoYChk2XbqG5+yqEklRJvOx7YdTGFfXY/f yadunut@yadunut-mbp";
-  premhome-falcon-1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHim2wAW8m6rbFqo6oLBOeprbljAQqghYkFahtFFMNqV yadunut@premhome-falcon-1";
-  premhome-falcon-2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILOjiTk60H5LMHkEG7MOaysa0BRlul7qvhuWYpnMtme6 yadunut@premhome-falcon-2";
-  premhome-falcon-3 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH4vBKSQyWYRmwuaYfIodOVc10veeH7V+EgobBI/5QHL yadunut@premhome-falcon-3";
-premhome-gc1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA3I/bCyi6rBzgJkfCFa8T9F+y1eOuZDB7l2Ly67slX3 yadunut@premhome-gc1";
+  premhome-gc1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA3I/bCyi6rBzgJkfCFa8T9F+y1eOuZDB7l2Ly67slX3 yadunut@premhome-gc1";
 }
--- a/nixos/secrets/secrets.nix
+++ b/nixos/secrets/secrets.nix
@@ -4,4 +4,5 @@ in {
  "tailscale.age".publicKeys = builtins.attrValues keys;
  "k3s.age".publicKeys = builtins.attrValues keys;
  "flux.age".publicKeys = [keys.yadunut keys.yadunut-mbp];
+  "zerotier-network.age".publicKeys = builtins.attrValues keys;
 }
--- a/nixos/secrets/zerotier-network.age
+++ b/nixos/secrets/zerotier-network.age
@@ -0,0 +1,16 @@
+age-encryption.org/v1
+-> ssh-ed25519 OOT7iQ jUogNJ9uREDJZEl4G5pb/2bNjiBHIB9IABgXQfo0g1M
+InYXkJls2Sdd+jnQ9Z8ifoUGznwktmstsM8avHFfTuU
+-> ssh-ed25519 7Lat4Q O6JMNKXRwRWjFZxJM/agtJ922KR+74u8a0WmWJdSaQM
+5tPV0awfn5djn2c50xloyDRkeu2Aon3/z+6kfoA/eHk
+-> ssh-ed25519 dPFwiQ HeOAeTzItJMkTPW2ODs/Z/E9nZycqtJnjGaKPigZ/CM
+MLTkDKg0hLOfDplWb33hvGQahvEgjqy+S9w+UCKZNXU
+-> ssh-ed25519 OV7A4A 4mxMknf9sJCZ8NiENMJqGd2lEBB7dmvzGqVLirHvWGo
+fJ+4MY9oSFEdvjGYm2NoWviC9J4ocSUhUWuGEa71pFc
+-> ssh-ed25519 Gc/MTQ pjuOkv7iMuSkrFccMGd5Usz/a0bcOJYikvHeuYg5ATA
+ydWemX28ZNygAYR/MsOezz81haHj2XhvHlFcZMwsgjo
+-> ssh-ed25519 0ckKSg hV+hpxVdfr2xOfNYZkbrGNMu5GOASlHDch4AYhqlWnQ
+MeZdLC12XrF9sSy1q28dpdqjYtIEKcTzJq7/vfhILf0
+--- 0rgW5rFnvhi1LMOcC3vl70s9Vq9S+PQ5Pu8Apgxu0v4
+<EFBFBD>ߡ<EFBFBD><EFBFBD>P<EFBFBD>7<>-9dq<64><02><>b>?2<><32><EFBFBD>}<7D>N<EFBFBD><4E>}<7D>5<EFBFBD><35>uu\<5C>w<EFBFBD><77><0C>
+O
--- a/nixos/server/premhome-gc1/configuration.nix
+++ b/nixos/server/premhome-gc1/configuration.nix
@@ -1,13 +1,16 @@
 {
  config,
+  meta,
  pkgs,
  ...
 }: {
-  imports = [../../common/users.nix];
+  imports = [../../common/users.nix ../../common/zerotier.nix];
  nix = {
    settings.experimental-features = ["nix-command" "flakes"];
  };

+  nixpkgs.config.allowUnfree = true;
+
  networking.hostName = "premhome-gc1";

  age.secrets.k3s.file = ../../secrets/k3s.age;
@@ -16,6 +19,10 @@
  # grub.device is set by disko
  boot.tmp.cleanOnBoot = true;

+  boot.kernel.sysctl = {
+    "net.ipv4.ip_forward" = 1;
+  };
+
  services.openssh.enable = true;
  services.qemuGuest.enable = true;

@@ -23,7 +30,27 @@
    git
    neovim
    wget
+    jq
+    ripgrep
+    fd
  ];

+  networking = {
+    nftables.enable = true;
+    firewall = {
+      enable = true;
+      allowedTCPPorts = [22 80 443];
+      trustedInterfaces = ["zts23oi5io"];
+    };
+  };
+
+  services.k3s = {
+    enable = true;
+    role = "server";
+    tokenFile = config.age.secrets.k3s.path;
+    clusterInit = true;
+    extraFlags = ["--disable=servicelb" "--disable=traefik" "--node-ip ${meta.zt-ip}" "--flannel-iface zts23oi5io"];
+  };
+
  system.stateVersion = "24.11";
 }
--- a/nixos/server/proxmox/configuration.nix
+++ b/nixos/server/proxmox/configuration.nix
@@ -1,27 +1,17 @@
 {
-  config,
  meta,
  pkgs,
  ...
 }: {
-  imports = [../../common/users.nix];
+  imports = [../../common/users.nix ../../common/zerotier.nix];
  nix = {
    settings.experimental-features = ["nix-command" "flakes"];
  };

  networking.hostName = meta.hostname;

-  age.secrets.tailscale.file = ../../secrets/tailscale.age;
  age.secrets.k3s.file = ../../secrets/k3s.age;

-  services.tailscale = {
-    enable = true;
-    authKeyFile = config.age.secrets.tailscale.path;
-    useRoutingFeatures = "both";
-    extraUpFlags = ["--advertise-routes=10.0.1.0/24" "--login-server=http://ts.yadunut.com:444" "--accept-routes"];
-    interfaceName = "tailscale0";
-  };
-
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  boot.tmp.cleanOnBoot = true;
@@ -44,20 +34,23 @@
    wget
  ];

-  services.k3s = {
-    enable = true;
-    role = "server";
-    tokenFile = config.age.secrets.k3s.path;
-    clusterInit = meta.hostname == "premhome-falcon-1";
-    serverAddr =
-      if meta.hostname == "premhome-falcon-1"
-      then ""
-      else "https://premhome-falcon-1:6443";
-    extraFlags = ["--disable=servicelb" "--disable=traefik"];
+  networking = {
+    nftables.enable = true;
+    firewall = {
+      enable = true;
+      allowedTCPPorts = [22];
+      trustedInterfaces = ["zts23oi5io"];
+    };
  };

-  networking.firewall.trustedInterfaces = ["tailscale0"];
-  networking.firewall.enable = false;
+  # services.k3s = {
+  #   enable = true;
+  #   role = "server";
+  #   tokenFile = config.age.secrets.k3s.path;
+  #   clusterInit = false;
+  #   serverAddr = "https://${meta.server-addr}:6443";
+  #   extraFlags = ["--disable=servicelb" "--disable=traefik" "--node-ip ${meta.zt-ip}" "--flannel-iface zts23oi5io"];
+  # };

  system.stateVersion = "24.11";
 }