B4L/cnx-network-clan
5
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Format tree with treefmt

Browse Source
This commit is contained in:
Berwn
2026-06-16 16:46:17 +07:00
parent cf0d796bee
commit de7d950596
9 changed files with 104 additions and 40 deletions
Download Patch File Download Diff File Expand all files Collapse all files
clan.nix
+2 -1
View File
@@ -15,7 +15,8 @@
roles.default.tags.all = { }; roles.default.tags.all = { };
roles.default.settings.allowedKeys = { roles.default.settings.allowedKeys = {
"berwn" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIENAjhGQGraQoAjJzsomKP8GAmQPeGL1rNRNHgRcLqtT"; "berwn" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIENAjhGQGraQoAjJzsomKP8GAmQPeGL1rNRNHgRcLqtT";
"kurogeek" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEcZ/p1Ofa9liwIzPWzNtONhJ7+FUWd2lCz33r81t8+w kurogeek@kurogeek"; "kurogeek" =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEcZ/p1Ofa9liwIzPWzNtONhJ7+FUWd2lCz33r81t8+w kurogeek@kurogeek";
}; };
}; };
machines/ns1/configuration.nix
+4 -1
View File
@@ -70,6 +70,9 @@ in
"dnssec-signing" = true; "dnssec-signing" = true;
"dnssec-policy" = "cnx"; "dnssec-policy" = "cnx";
notify = [ "ns2" ]; notify = [ "ns2" ];
acl = [ "acl_ns2" "acl_acme" ]; # ns2 transfers; acme_ddns key does DNS-01 updates acl = [
"acl_ns2"
"acl_acme"
]; # ns2 transfers; acme_ddns key does DNS-01 updates
}) domains; }) domains;
} }
modules/dns/authoritative.nix
+38 -6
View File
@@ -33,17 +33,49 @@ in
# Including the key via keyFiles keeps the secret out of the Nix store. # Including the key via keyFiles keeps the secret out of the Nix store.
keyFiles = [ config.clan.core.vars.generators.dns-tsig.files."tsig.conf".path ]; keyFiles = [ config.clan.core.vars.generators.dns-tsig.files."tsig.conf".path ];
settings = { settings = {
server.listen = [ "0.0.0.0@53" "::@53" ]; server.listen = [
log = [ { target = "syslog"; any = "info"; } ]; "0.0.0.0@53"
"::@53"
];
log = [
{
target = "syslog";
any = "info";
}
];
remote = [ remote = [
{ id = "ns1"; address = [ ns1zt ]; key = "cnx_xfr"; } {
{ id = "ns2"; address = [ ns2zt ]; key = "cnx_xfr"; } id = "ns1";
address = [ ns1zt ];
key = "cnx_xfr";
}
{
id = "ns2";
address = [ ns2zt ];
key = "cnx_xfr";
}
]; ];
acl = [ acl = [
{ id = "acl_ns1"; address = [ ns1zt ]; key = "cnx_xfr"; action = [ "transfer" "notify" ]; } {
{ id = "acl_ns2"; address = [ ns2zt ]; key = "cnx_xfr"; action = [ "transfer" "notify" ]; } id = "acl_ns1";
address = [ ns1zt ];
key = "cnx_xfr";
action = [
"transfer"
"notify"
];
}
{
id = "acl_ns2";
address = [ ns2zt ];
key = "cnx_xfr";
action = [
"transfer"
"notify"
];
}
]; ];
}; };
}; };
modules/hetzner-firewall-rules.nix
+22 -4
View File
@@ -4,7 +4,10 @@
# Public SSH (22) is intentionally absent: admin access rides the ZeroTier mesh # Public SSH (22) is intentionally absent: admin access rides the ZeroTier mesh
# (inside UDP 9993), with emergency-access as the console fallback. # (inside UDP 9993), with emergency-access as the console fallback.
let let
world = [ "0.0.0.0/0" "::/0" ]; world = [
"0.0.0.0/0"
"::/0"
];
zerotier = { zerotier = {
direction = "in"; direction = "in";
@@ -22,14 +25,29 @@ let
}; };
dnsRules = [ dnsRules = [
{ direction = "in"; protocol = "udp"; port = "53"; source_ips = world; description = "DNS (UDP)"; } {
{ direction = "in"; protocol = "tcp"; port = "53"; source_ips = world; description = "DNS (TCP)"; } direction = "in";
protocol = "udp";
port = "53";
source_ips = world;
description = "DNS (UDP)";
}
{
direction = "in";
protocol = "tcp";
port = "53";
source_ips = world;
description = "DNS (TCP)";
}
zerotier zerotier
ping ping
]; ];
in in
{ {
"clan-control" = [ zerotier ping ]; "clan-control" = [
zerotier
ping
];
"clan-ns1" = dnsRules; "clan-ns1" = dnsRules;
"clan-ns2" = dnsRules; "clan-ns2" = dnsRules;
} }
modules/hetzner-firewall.nix
+16 -6
View File
@@ -1,4 +1,9 @@
{ config, lib, pkgs, ... }: {
config,
lib,
pkgs,
...
}:
let let
cfg = config.cnx.hetznerFirewall; cfg = config.cnx.hetznerFirewall;
in in
@@ -29,8 +34,7 @@ in
tokenFile = lib.mkOption { tokenFile = lib.mkOption {
type = lib.types.path; type = lib.types.path;
default = config.clan.core.vars.generators.hetzner-firewall.files.token.path; default = config.clan.core.vars.generators.hetzner-firewall.files.token.path;
defaultText = lib.literalExpression defaultText = lib.literalExpression "config.clan.core.vars.generators.hetzner-firewall.files.token.path";
"config.clan.core.vars.generators.hetzner-firewall.files.token.path";
description = "File holding the Hetzner Cloud API token (Read & Write)."; description = "File holding the Hetzner Cloud API token (Read & Write).";
}; };
}; };
@@ -48,7 +52,11 @@ in
description = "Sync Hetzner Cloud firewall rules from Nix config"; description = "Sync Hetzner Cloud firewall rules from Nix config";
after = [ "network-online.target" ]; after = [ "network-online.target" ];
wants = [ "network-online.target" ]; wants = [ "network-online.target" ];
path = [ pkgs.curl pkgs.jq pkgs.coreutils ]; path = [
pkgs.curl
pkgs.jq
pkgs.coreutils
];
environment.SSL_CERT_FILE = "/etc/ssl/certs/ca-certificates.crt"; environment.SSL_CERT_FILE = "/etc/ssl/certs/ca-certificates.crt";
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";
@@ -71,7 +79,8 @@ in
curl -fsS -H @"$hdr" -H "Content-Type: application/json" "$@" curl -fsS -H @"$hdr" -H "Content-Type: application/json" "$@"
} }
${lib.concatStringsSep "\n" (lib.mapAttrsToList (fwName: rules: '' ${lib.concatStringsSep "\n" (
lib.mapAttrsToList (fwName: rules: ''
name=${lib.escapeShellArg fwName} name=${lib.escapeShellArg fwName}
rules=${lib.escapeShellArg (builtins.toJSON rules)} rules=${lib.escapeShellArg (builtins.toJSON rules)}
id="$(hapi "$api/firewalls?name=$name" | jq -r '.firewalls[0].id // empty')" id="$(hapi "$api/firewalls?name=$name" | jq -r '.firewalls[0].id // empty')"
@@ -84,7 +93,8 @@ in
jq -n --argjson rules "$rules" '{rules: $rules}' \ jq -n --argjson rules "$rules" '{rules: $rules}' \
| hapi -X POST --data-binary @- "$api/firewalls/$id/actions/set_rules" > /dev/null | hapi -X POST --data-binary @- "$api/firewalls/$id/actions/set_rules" > /dev/null
fi fi
'') cfg.firewalls)} '') cfg.firewalls
)}
''; '';
}; };