Diffstat (limited to 'hosts')
-rw-r--r-- | hosts/kay/modules/hurricane.nix | 47 | ||||
-rw-r--r-- | hosts/kay/modules/network.nix | 5 | ||||
-rw-r--r-- | hosts/kay/secrets.yaml | 10 |
3 files changed, 58 insertions, 4 deletions
diff --git a/hosts/kay/modules/hurricane.nix b/hosts/kay/modules/hurricane.nix
new file mode 100644
index 0000000..9d350ac
--- /dev/null
+++ b/hosts/kay/modules/hurricane.nix
@@ -0,0 +1,47 @@
+{ config, pkgs, ... }:
+
+let
+ iface = "hurricane";
+ tunEndIface = "ppp0";
+ remote = "216.218.221.42";
+ address = "2001:470:35:72a::2";
+ prefixLength = 64;
+in
+{
+ networking.sits.${iface} = {
+ inherit remote;
+ local = "127.0.0.1";
+ ttl = 225;
+ dev = tunEndIface;
+ };
+ networking.interfaces.${iface}.ipv6.addresses = [{
+ inherit prefixLength address;
+ }];
+
+ sops.secrets = {
+ "hurricane/username" = {};
+ "hurricane/update_key" = {};
+ "hurricane/tunnel_id" = {};
+ };
+
+ services.pppd.script."02-${iface}" = {
+ runtimeInputs = with pkgs; [ curl coreutils iproute2 ];
+ text = ''
+ wan_ip="$4"
+ username="$(cat ${config.sops.secrets."hurricane/username".path})"
+ update_key="$(cat ${config.sops.secrets."hurricane/update_key".path})"
+ tunnel_id="$(cat ${config.sops.secrets."hurricane/tunnel_id".path})"
+
+ auth_url="https://$username:$update_key@ipv4.tunnelbroker.net/nic/update?hostname=$tunnel_id"
+ until curl --silent "$auth_url"; do
+ sleep 5
+ done
+
+ while [ ! -e /sys/class/net/${iface} ]; do
+ sleep 1 # make sure ${iface} is up
+ done
+
+ ip tunnel change ${iface} local "$wan_ip" mode sit
+ '';
+ };
+}
diff --git a/hosts/kay/modules/network.nix b/hosts/kay/modules/network.nix
index cd90268..4714295 100644
--- a/hosts/kay/modules/network.nix
+++ b/hosts/kay/modules/network.nix
@@ -7,7 +7,10 @@ let
 domain = config.userdata.domain;
 in
 {
- imports = [ ./router.nix ];
+ imports = [
+ ./router.nix
+ ./hurricane.nix
+ ];
 sops.secrets = {
 "ppp/chap-secrets" = {};
diff --git a/hosts/kay/secrets.yaml b/hosts/kay/secrets.yaml
index 6a6c81d..d23526d 100644
--- a/hosts/kay/secrets.yaml
+++ b/hosts/kay/secrets.yaml
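Review bot: In hosts/kay/modules/hurricane.nix the `auth_url` line places the sops-managed username and update key in curl's command line, where they can be read from the process list for as long as the retry loop keeps running. Passing them on stdin keeps them out of argv, e.g. `printf 'user = "%s:%s"\n' "$username" "$update_key" | curl --silent --fail --max-time 30 --config - "https://ipv4.tunnelbroker.net/nic/update?hostname=$tunnel_id"` (a key containing `"` or `\` would need escaping in that config line). Without `--fail`, `until curl --silent` treats any completed HTTP exchange as success, so a rejected update still falls through to `ip tunnel change`; the response body probably needs checking too, which cannot be confirmed from this hunk. The loop has no timeout or retry bound, so the pppd hook can block indefinitely, and `ttl = 225` looks like it may be a typo for 255.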
@@ -2,6 +2,10 @@ ppp:
 chap-secrets: ENC[AES256_GCM,data:4POH1o4VOKg0ZGYOZ+gIZJGlSxaRq101zMjjp/+BSlmZAz+cOc9+Kw==,iv:IC1Ii+rnTvFa0F2bi0fnEAEO7XWV7Wues9T+28bhDnc=,tag:Yatte1K8N3rrTFppc0p7Qw==,type:str]
 pap-secrets: ENC[AES256_GCM,data:K92+nAzZtBEUijXUq26eidWNJL38VvoCx8PlCtWxxgAcZCA/CW1DVg==,iv:4kNHSZ3+FMA9ROLEgrU38IWd+MBt+vf8CV3WGHkRCCc=,tag:YLiRrrCiymVOCcVzs+AVFw==,type:str]
 username: ENC[AES256_GCM,data:Xa6wBxpAtaKwsbEeudVvkpsX6CPG8E3Aku1zTi0o6Kdy9Q==,iv:yTRruKpMda4N2J3Z8MEesrFxqV4g1usbYoxTeKlWf4M=,tag:gTsn7HzgE3tHTIo2MVN12g==,type:str]
+hurricane:
+ username: ENC[AES256_GCM,data:NXfBArIE7B40,iv:stBkppjkDC9nvV/fHaEtfs6KskoiqqEKxCp/KC+Xxeo=,tag:UeSZc20JghP8oT+R8RubXw==,type:str]
+ update_key: ENC[AES256_GCM,data:5qYBHLJngitUoy1vzEho/MJtXUxKY8imsjW0trvyl37LdnVZs3ZKPQ==,iv:b93JvsfWppqlJtZxGAa3xbXgLEFs0A5Seq5pNjTnRW4=,tag:6ZlWGmgaMuxHsR3rSpV0fw==,type:str]
+ tunnel_id: ENC[AES256_GCM,data:Fb8qazGD,iv:W8k0pyrAQz+UWtm76uvmzodJ2lZG4ioxrVMWjX1kIVM=,tag:DpmLdvR1oOC4TKmQv/VqIw==,type:str]
 misc:
 namecheap.com: ENC[AES256_GCM,data:8sN1/APumZDclTAeYEy4nidGbvooDK6Us0yOZBbG4oU=,iv:WGof33ezbBpFmnWTWS9gzDayJpz2BVMTPsShYY+nuXY=,tag:ky/ucGEHWBtWwGcwK+1nhw==,type:str]
 wireguard: ENC[AES256_GCM,data:4GIb92p8VE/TUqLc7AztSKRc6soS7n+O/i4v1ltSqZkU8cEPyZMNRpIvXRQ=,iv:yB4UIyMDNRS+JmSnt9XuBhNRTLz+k0FqkK4ofjosRto=,tag:wr1YJbcG1L5wI01rCwv1zQ==,type:str]
@@ -21,8 +25,8 @@ sops:
 bUY4eisvWDIxdWplQjlod0hIcjVGNlUKYkA9hUTHuWgST3UUr7ACtmgC9s5SGEAp
 ker5KUGGi1fHgGlsPKHmnJSvikkVFlOVAhVa8R6X02l8FJf0lcjOYA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2023-09-11T09:19:36Z"
- mac: ENC[AES256_GCM,data:AD8zSHtdhNiRxas3N5EDnkdW2G5Eo3dChX99B2w6zPN5MhspS6CMY03whQkRkvPiWOxfMNE321lqlPvPgsqsfcyKeZuGWj902K1DFpz4YlrfqKZfmCk8xzd8OEMOAflpHGQ8lt0oSg96k/yXZ3bee/AEdpgeHmhOTzWTkaXGIOk=,iv:j4WhRUjOmOA3/AiIsOgjiRvm7GTT4Xi8MrLQloZAv24=,tag:u+Jp4GF42u3wm+6gMiP+eQ==,type:str]
+ lastmodified: "2023-12-01T04:04:29Z"
+ mac: ENC[AES256_GCM,data:H/UBa9IBJGjnUhfdOfaUsVpUN/P1bF+RgXXsV+TMvhDo9qX0VsjGV3F+dmzMdEeleTYUGSBL8vxudKaE2aZwXgAmz3ViuRqwAGCQa76twv4CwFBNIBMiZe9ljJe4GoHT2GGzeVhDnkuQuhkjrNKOqfX5jz4BUYby3Ku5UuBakxA=,iv:sjfMuqYgnfekK3SqYH6zKsAkmgj9nB7DFC1OnobdbCs=,tag:l0ndfqus1l12KSzCi+77Ig==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
- version: 3.7.3
+ version: 3.8.1 |