B4L/cnx-network-clan
5
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1c779d80139724b4866692e4a6af181fd9a2c792
cnx-network-clan/clan.nix
T
Berwn 6e4178df04 Onboard mx1 mail host and factor out per-host public IPs 
- Register mx1 in the inventory and as a direct-SSH `internet` host; give it
  a static public IPv6 (2a01:4ff:2f0:1963::1).
- Point the cnx.email MX (plus SPF/DMARC) at mx1 and add its A record.
- Bring mx1 into monitoring: import exporters, add it to the mesh map and the
  node scrape job so its host metrics and journald reach control.
- Add a clan-mx1 Hetzner firewall: inbound SMTP + ZeroTier + ICMP, no public
  SSH (admin rides the mesh like the other hosts). 587/465/993 held for now.
- Extract per-host public IPv4/IPv6 into modules/hosts.nix, consumed by
  clan.nix's internet hosts and each machine's cnx.staticIPv6, so each address
  is declared once instead of being duplicated across configs.
- docs: add mx1 to the machines table.
2026-06-18 11:53:14 +07:00

83 lines
2.8 KiB
Nix
Raw Blame History

let
hosts = import ./modules/hosts.nix;
# This clan-core pins the zerotier `allowedIps` interface (admit by network
# IPv6), but node IDs are the stable per-device handle (what `zerotier-cli
# info` prints). Derive a member's IP on THIS network from the controller's
# network id so external members can be listed by node id, as below.
ztNetworkId = builtins.readFile ./vars/per-machine/control/zerotier/zerotier-network-id/value;
ztMemberIp =
nodeId:
let
full = "fd" + ztNetworkId + "9993" + nodeId;
h = i: builtins.substring (i * 4) 4 full;
in
"${h 0}:${h 1}:${h 2}:${h 3}:${h 4}:${h 5}:${h 6}:${h 7}";
in
{
# Ensure this is unique among all clans you want to use.
meta.name = "cnx-network-clan";
meta.domain = "cnx-network.internal";
inventory.machines = {
control = { };
ns1 = { };
ns2 = { };
mx1 = { };
};
inventory.instances = {
admin = {
roles.default.tags.all = { };
roles.default.settings.allowedKeys = {
"berwn" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIENAjhGQGraQoAjJzsomKP8GAmQPeGL1rNRNHgRcLqtT";
"kurogeek" =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEcZ/p1Ofa9liwIzPWzNtONhJ7+FUWd2lCz33r81t8+w kurogeek@kurogeek";
};
};
zerotier = {
roles.controller.machines."control" = { };
roles.peer.tags.all = { };
# External members admitted by ZeroTier node id (stable per device).
# Inventory machines are auto-accepted; this is only for peers outside the
# clan. Node id comes from `zerotier-cli info` on the joining device.
roles.controller.settings.allowedIps = map ztMemberIp [
"8802c8d7e0" # alex-nixos
"2bd36db8cc" # kurogeek-thinkpad
];
};
tor = {
roles.server.tags.nixos = { };
};
# Direct SSH to public IPs — clan's priority-1 connection path, with the
# ZeroTier mesh and Tor kept as automatic fallbacks. Raw IPs (from
# modules/hosts.nix, not the ns1/ns2 DNS names) so reaching these hosts never
# depends on their own DNS being up.
internet.roles.default.machines = builtins.mapAttrs (_: h: {
settings.host = h.ipv4;
}) hosts;
# Recovery root password for console access when a machine fails to boot.
emergency-access = {
roles.default.tags.nixos = { };
};
# Encrypted, deduplicating backups. control hosts the repos; ns1 is the
# only client, backing up its declared clan.core.state (the Knot DNSSEC
# keystore) over the mesh. Repo lives at /var/lib/borgbackup/ns1 on control.
# Cross-host so an ns1 loss is recoverable; repokey encryption means control
# never holds plaintext. Run `clan vars generate ns1` (YubiKey) before deploy.
borgbackup = {
roles.server.machines.control = { };
roles.client.machines.ns1 = { };
};
};
machines = {
};
}
Reference in New Issue View Git Blame Copy Permalink