yee haw

newinfra/README.md

@@ -24,6 +24,18 @@ All records are fully static, generated in the NixOS config.
 
 ## HTTP(S)
 
-Right now, there's only a single server (`vps1`) serving Caddy.
+stuff.
 
-In the future, there might be a second one in a shared-storage HA setup (with a postgres cluster probably)?
+## provisioning
+
+NixOS is provisioned by running [nixos-infect](https://github.com/elitak/nixos-infect) over a default image.
+
+> Contabo sets the hostname to something like vmi######.contaboserver.net, Nixos only allows RFC 1035 compliant hostnames (see here).
+> Run `hostname something_without_dots` before running the script.
+> If you run the script before changing the hostname - remove the /etc/nixos/configuration.nix so it's regenerated with the new hostname.
+
+```
+hostname tmp
+curl -LO https://raw.githubusercontent.com/elitak/nixos-infect/master/nixos-infect
+bash nixos-infect
+```

newinfra/nix/hive.nix

@@ -23,7 +23,7 @@
           wg = {
             privateIP = "10.0.0.1";
             publicKey = "5tg3w/TiCuCeKIBJCd6lHUeNjGEA76abT1OXnhNVyFQ=";
-            peers = [ "vps3" ];
+            peers = [ "vps3" "vps4" ];
           };
         };
         vps3 = {
@@ -32,7 +32,16 @@
           wg = {
             privateIP = "10.0.0.3";
             publicKey = "pdUxG1vhmYraKzIIEFxTRAMhGwGztBL/Ly5icJUV3g0=";
-            peers = [ "vps1" ];
+            peers = [ "vps1" "vps4" ];
+          };
+        };
+        vps4 = {
+          publicIPv4 = "195.201.147.17";
+          publicIPv6 = "2a01:4f8:1c1c:cb18::";
+          wg = {
+            privateIP = "10.0.0.5";
+            publicKey = "+n2XKKaSFdCanEGRd41cvnuwJ0URY0HsnpBl6ZrSBRs=";
+            peers = [ "vps1" "vps3" ];
           };
         };
       };
@@ -62,7 +71,7 @@
 
     # The name and nodes parameters are supported in Colmena,
     # allowing you to reference configurations in other nodes.
-    deployment.tags = [ "dns" "us" ];
+    deployment.tags = [ "dns" "us" "contabo" ];
     system.stateVersion = "23.11";
   };
   dns2 = { name, nodes, modulesPath, lib, ... }: {
@@ -71,7 +80,7 @@
       ./modules/dns
     ];
 
-    deployment.tags = [ "dns" "eu" ];
+    deployment.tags = [ "dns" "eu" "hetzner" ];
     system.stateVersion = "23.11";
 
     boot.loader.grub.device = "/dev/sda";
@@ -123,7 +132,7 @@
 
     age.secrets.docker_registry_password.file = ./secrets/docker_registry_password.age;
 
-    deployment.tags = [ "ingress" "eu" "apps" "wg" ];
+    deployment.tags = [ "ingress" "eu" "apps" "wg" "contabo" ];
     system.stateVersion = "23.11";
   };
   vps3 = { name, nodes, modulesPath, config, ... }: {
@@ -131,9 +140,68 @@
       (modulesPath + "/profiles/qemu-guest.nix")
       ./modules/contabo
       ./modules/wg-mesh
+      ./modules/ingress
     ];
 
     deployment.tags = [ "eu" "apps" "wg" ];
     system.stateVersion = "23.11";
   };
+  vps4 = { lib, modulesPath, ... }: {
+    imports = [
+      (modulesPath + "/profiles/qemu-guest.nix")
+      ./modules/ingress
+      ./modules/wg-mesh
+    ];
+
+    deployment.tags = [ "eu" "apps" "hetzner" ];
+    system.stateVersion = "23.11";
+
+    boot.loader.grub.device = "/dev/sda";
+    boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
+    boot.initrd.kernelModules = [ "nvme" ];
+    fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; };
+
+    # This file was populated at runtime with the networking
+    # details gathered from the active system.
+    networking = {
+      nameservers = [
+        "8.8.8.8"
+      ];
+      defaultGateway = "172.31.1.1";
+      defaultGateway6 = {
+        address = "fe80::1";
+        interface = "eth0";
+      };
+      dhcpcd.enable = false;
+      usePredictableInterfaceNames = lib.mkForce false;
+      interfaces = {
+        eth0 = {
+          ipv4.addresses = [
+            { address = "195.201.147.17"; prefixLength = 32; }
+          ];
+          ipv6.addresses = [
+            { address = "2a01:4f8:1c1c:cb18::1"; prefixLength = 64; }
+            { address = "fe80::9400:3ff:fe95:a9e4"; prefixLength = 64; }
+          ];
+          ipv4.routes = [{ address = "172.31.1.1"; prefixLength = 32; }];
+          ipv6.routes = [{ address = "fe80::1"; prefixLength = 128; }];
+        };
+
+      };
+    };
+    services.udev.extraRules = ''
+      ATTR{address}=="96:00:03:95:a9:e4", NAME="eth0"
+    
+    '';
+  };
+  /*vps5 = { name, nodes, modulesPath, config, ... }: {
+    imports = [
+      (modulesPath + "/profiles/qemu-guest.nix")
+      ./modules/contabo
+      ./modules/ingress
+    ];
+
+    deployment.tags = [ "eu" "apps" "wg" ];
+    system.stateVersion = "23.11";
+  };*/
 }

newinfra/nix/modules/default/default.nix

@@ -23,6 +23,7 @@
 
   services.openssh = {
     enable = true;
+    openFirewall = true;
     banner = "meoooooow!! 😼 :3\n";
     settings = {
       PasswordAuthentication = false;

newinfra/nix/modules/dns/default.nix

@@ -2,8 +2,8 @@
   # get the package for the debugging tools
   environment.systemPackages = with pkgs; [ knot-dns ];
 
-  networking.firewall.allowedUDPPortRanges = [
+  networking.firewall.allowedUDPPorts = [
-    { from = 53; to = 53; }
+    53
   ];
 
   nixpkgs.overlays = [

newinfra/nix/modules/ingress/default.nix

@@ -1,6 +1,5 @@
 { pkgs, config, ... }: {
   networking.firewall.allowedTCPPorts = [
-    22
     443
   ];
 

newinfra/nix/modules/wg-mesh/default.nix

@@ -19,6 +19,10 @@ in
     in
     builtins.listToAttrs wgHostEntries;
 
+  networking.firewall.allowedUDPPorts = [
+    listenPort
+  ];
+
   age.secrets.wg_private.file = ../../secrets/wg_private_${name}.age;
   networking.wg-quick.interfaces = {
     wg0 = {
@@ -33,6 +37,8 @@ in
             inherit (peerConfig) publicKey;
             endpoint = "${peer}.infra.noratrieb.dev:${toString listenPort}";
             allowedIPs = [ "${peerConfig.privateIP}/32" ];
+            # sometimes there's some weirdness....??
+            persistentKeepalive = 25;
           }
         )
         wgSettings.peers;

newinfra/nix/secrets/docker_registry_password.age

@@ -1,5 +1,5 @@
 age-encryption.org/v1
--> ssh-ed25519 qM6TYg Mi5DHbfLOMSQaKaB78XZbA273KGvj/HHF4vOiMRsMjA
+-> ssh-ed25519 qM6TYg YI3rrnP9953xk8JnzhJSZR+tKaD6C3sCXJBiX0+KCHE
-Zf7+IY93cTywmg7qjGyQ00YLJTc3MstQKyfFfpDqWic
+CIfSlpyqhS66umh4/nv7v6qH5mqz2xh2AeDW19CGbYs
---- KCKAhA7w141LPjEGSUI/azd8YFPn2EJWPGTyYXlnX+4
+--- 889zGO43+oX2nau25zROguc37dsi38Bnyzw/shG1x5g
-ś ćŘ
PÉ_íg$vCý˘ĂÜh/…Ęjz:chđíd#W¤ci ăjE3…ëkó>tű`đ
+Ïo]Ì—y§Næ<4E>ød_ÂÆ—ñæ¶+ÀwBiÈå¾s÷ÒE™<45>•	5 yœŠ^`[ƒ5ì

newinfra/nix/secrets/hugochat_db_password.age

@@ -1,5 +1,5 @@
 age-encryption.org/v1
--> ssh-ed25519 qM6TYg f2NnXHIO+lzuRNlvp70HCjFET8cqwLrQjEdXkK4wVgg
+-> ssh-ed25519 qM6TYg vcUglH0m/mdME6tSzfZy3orW55ks1wZZAVqPe01ln0I
-HAUu/GGX/UHewWbCXfaiYx5h8xyLXN/Y3kTYHn+GT5M
+Pbei2lMfgS+6N148qggu3DYUTnusItfVDqXGFqD9l8g
---- tx0L90qNb6i1Bv1P5QsZUNu7FKQT3j09h/T1QDdwRZ8
+--- qnH/lD17esiKbMH5M1wwJiq7cMmXXh4SQneeRNDiMPk
-ž¯c³”ÖÜÿö¨aÿUòqb!ÊfFÇ”	UAiÁ{Ï”„²<E2809E>³|9Ã?Ð[bH<14>p›ÅA©ÓnÃê§^g	0œµÓ“;þÆœ¤:ûyu»‘ŸÞmúïó–îæ<>¸±ÒÒò
+Ýôt8i<>€~ß !®Þ¬s<C2AC>—‚?µt°ê¥/ªû1ã+¥Ö4:ý07ØR2ïwÝð²oühQB4Â<34>Öptæ÷!9#»ÊGdû#·d)÷3ïňШ¶Zï³¢åÖæ¸HòyKûÃ

newinfra/nix/secrets/secrets.nix

@@ -1,6 +1,7 @@
 let
   vps1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII4Xj3TsDPStoHquTfOlyxShbA/kgMfQskKN8jpfiY4R";
   vps3 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHvupo7d9YMZw56qhjB+tZPijxiG1dKChLpkOWZN0Y7C";
+  vps4 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMpoLgBTWj1BcNxXVdM26jDBZl+BCtUTj20Wv4sZdCHz";
 in
 {
   "widetom_bot_token.age".publicKeys = [ vps1 ];
@@ -10,4 +11,5 @@ in
   "minio_env_file.age".publicKeys = [ vps1 vps3 ];
   "wg_private_vps1.age".publicKeys = [ vps1 ];
   "wg_private_vps3.age".publicKeys = [ vps3 ];
+  "wg_private_vps4.age".publicKeys = [ vps4 ];
 }

newinfra/nix/secrets/wg_private_vps4.age

@@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 51bcvA ZldYAoisAZWIno1rtaRlkMaBL6+wN2M+RsxSqdFS/Ww
+hAxVR0kTHdHh8VVXn1DA+pPrnTNe32/7hk7vG6BYFlA
+--- eY4N6LUcdlFI1fsc9QzOVt8eMZdC8/SReSaiEsk60YQ
+=$uCÚ%ºŒ`ÚƵ>ö§HˆÀ¦6,œŸ´]£cOí£–E|÷D‘<44>yÍ5ÍŠ10Üñõ¡t-<2D>€â©¼üì½+ž:¯Zf¿¹À<C2B9>Y

newinfra/nix/secrets/widetom_bot_token.age

@@ -1,5 +1,5 @@
 age-encryption.org/v1
--> ssh-ed25519 qM6TYg ftpW/zGgZcGI6jnmrkYlOO9bjMNHO7vk/WJIlCQzYTE
+-> ssh-ed25519 qM6TYg bHq26LyOxpLO6+kmuVS2eeRyX69kfX/iRRpGf7E9EQA
-LXRiwiUinl5HTt9ZfA+HQlSIL5K1TXFzLQXigEajU38
+6bmUzKiz+snI83v0ZhY8WkyIKMU1fkzs8Z4OEimeRrk
---- pE7CTJBICuROEQUVmK3hDad8yoiurMXvkizsAuZn6HA
+--- 9RLCCX/0iiNdeSN8gy1gsXBW17/YTKJStxFVo/i5+zw
-†ÐœŒ Nø&Ê‘ûã<04>‡Ò™iD4óéQ<C3A9>›ËSdZÚmSI	DÎÂ$ŽIÜßîýd<>C’Œ¿}¦Y À¥ŽjÌ.Í-¶»<C2B6>HüN­€Ô;[Ûñ}†¥ŸÄd»|
+ìî…‰(%…Bº½$ŽÇ‚àö•#gÁ™kV,aô¡ïJüîб4ek­Áq2\þÃw–ä)/Èßb~°5RVfÂÛ_¦ô:ج'Êôh½œâ†%[E<>X<t9µóŸ

newinfra/provision/README.md

@@ -1,13 +0,0 @@
-# provisioning
-
-NixOS is provisioned by running [nixos-infect](https://github.com/elitak/nixos-infect) over a default image.
-
-> Contabo sets the hostname to something like vmi######.contaboserver.net, Nixos only allows RFC 1035 compliant hostnames (see here).
-> Run `hostname something_without_dots` before running the script.
-> If you run the script before changing the hostname - remove the /etc/nixos/configuration.nix so it's regenerated with the new hostname.
-
-```
-hostname tmp
-curl -LO https://raw.githubusercontent.com/elitak/nixos-infect/master/nixos-infect
-bash nixos-infect
-```