From 5b32b947de3ac1adb4317e9c92094d67561d1230 Mon Sep 17 00:00:00 2001
From: sinanmohd
Date: Sat, 27 Dec 2025 09:01:13 +0530
Subject: chore(os/kay): refactor sops
---
os/kay/modules/network/default.nix | 80 ----------
os/kay/modules/network/headscale.nix | 198 ------------------------
os/kay/modules/network/headscale/default.nix | 210 ++++++++++++++++++++++++++
os/kay/modules/network/headscale/secrets.yaml | 33 ++++
os/kay/modules/network/hurricane.nix | 132 ----------------
os/kay/modules/network/hurricane/default.nix | 132 ++++++++++++++++
os/kay/modules/network/hurricane/secrets.yaml | 28 ++++
os/kay/modules/network/ppp/default.nix | 74 +++++++++
os/kay/modules/network/ppp/secrets.yaml | 28 ++++
9 files changed, 505 insertions(+), 410 deletions(-)
delete mode 100644 os/kay/modules/network/default.nix
delete mode 100644 os/kay/modules/network/headscale.nix
create mode 100644 os/kay/modules/network/headscale/default.nix
create mode 100644 os/kay/modules/network/headscale/secrets.yaml
delete mode 100644 os/kay/modules/network/hurricane.nix
create mode 100644 os/kay/modules/network/hurricane/default.nix
create mode 100644 os/kay/modules/network/hurricane/secrets.yaml
create mode 100644 os/kay/modules/network/ppp/default.nix
create mode 100644 os/kay/modules/network/ppp/secrets.yaml
(limited to 'os/kay/modules/network')
diff --git a/os/kay/modules/network/default.nix b/os/kay/modules/network/default.nix
deleted file mode 100644
index 281751a..0000000
--- a/os/kay/modules/network/default.nix
+++ /dev/null
@@ -1,80 +0,0 @@
-{ config, pkgs, ... }:
-
-let
- inetVlan = 1003;
- wanInterface = "enp3s0";
- nameServer = [
- "1.0.0.1"
- "1.1.1.1"
- ];
-in
-{
- imports = [
- ./router.nix
- ./hurricane.nix
- ./headscale.nix
- ];
-
- sops.secrets = {
- "ppp/chap-secrets" = { };
- "ppp/pap-secrets" = { };
- "ppp/username" = { };
- };
-
- networking = {
- tempAddresses = "disabled";
- vlans.wan = {
- id = inetVlan;
- interface = wanInterface;
- };
- };
-
- services = {
- dnsmasq = {
- enable = true;
- settings = {
- server = nameServer;
- bind-interfaces = true;
- };
- };
-
- pppd = {
- enable = true;
-
- config = ''
- plugin pppoe.so
- debug
-
- nic-wan
- defaultroute
- ipv6 ::1337,
- noauth
-
- persist
- lcp-echo-adaptive
- lcp-echo-interval 1
- lcp-echo-failure 5
- '';
-
- script."01-ipv6-ra" = {
- type = "ip-up";
- runtimeInputs = [ pkgs.procps ];
-
- text = ''
- sysctl net.ipv6.conf.ppp0.accept_ra=2
- '';
- };
-
- peers.keralavision = {
- enable = true;
- autostart = true;
- configFile = config.sops.secrets."ppp/username".path;
- };
-
- secret = {
- chap = config.sops.secrets."ppp/chap-secrets".path;
- pap = config.sops.secrets."ppp/pap-secrets".path;
- };
- };
- };
-}
diff --git a/os/kay/modules/network/headscale.nix b/os/kay/modules/network/headscale.nix
deleted file mode 100644
index 077aa8b..0000000
--- a/os/kay/modules/network/headscale.nix
+++ /dev/null
@@ -1,198 +0,0 @@
-{
- config,
- pkgs,
- lib,
- headplane,
- namescale,
- ...
-}:
-let
- url = "https://headscale.${config.global.userdata.domain}";
- stunPort = 3478;
-
- # A workaround generate a valid Headscale config accepted by Headplane when `config_strict == true`.
- settings = lib.recursiveUpdate config.services.headscale.settings {
- tls_cert_path = "/dev/null";
- tls_key_path = "/dev/null";
- policy.path = "/dev/null";
- };
- format = pkgs.formats.yaml { };
- headscaleConfig = format.generate "headscale.yml" settings;
-
- policyFormat = pkgs.formats.json { };
- policy = {
- groups = {
- "group:owner" = [ "sinan@" ];
- "group:bud" = [
- "sinan@"
- "ann@"
- ];
- };
- tagOwners = {
- "tag:internal" = [ "group:owner" ];
- "tag:bud_clients" = [ "group:bud" ];
- "tag:cusat" = [ "group:owner" ];
- "tag:gaijin" = [ "group:owner" ];
- };
- autoApprovers = {
- routes = {
- "192.168.43.0/24" = [
- "group:owner"
- "tag:internal"
- ];
- "192.168.38.0/24" = [
- "group:owner"
- "tag:internal"
- ];
- };
- exitNode = [
- "group:owner"
- "tag:internal"
- ];
- };
- acls = [
- {
- action = "accept";
- src = [ "*" ];
- dst = [ "namescale@:53" ];
- }
- {
- action = "accept";
- src = [ "headplane@" ];
- dst = [ "*:*" ];
- }
-
- {
- action = "accept";
- src = [ "group:owner" ];
- dst = [ "*:*" ];
- }
- {
- action = "accept";
- src = [ "nazer@" ];
- dst = [ "autogroup:internet:*" ];
- }
-
- {
- action = "accept";
- src = [ "group:bud" ];
- dst = [ "tag:bud_clients:*" ];
- }
- {
- action = "accept";
- src = [ "tag:bud_clients" ];
- dst = [ "tag:bud_clients:80,443" ];
- }
- ];
- };
-in
-{
- imports = [
- headplane.nixosModules.headplane
- namescale.nixosModules.namescale
- ];
-
- nixpkgs.overlays = [ headplane.overlays.default ];
- environment.systemPackages = [ config.services.headscale.package ];
-
- sops.secrets = {
- # server
- "headplane/cookie_secret".owner = config.services.headscale.user;
- "headplane/preauth_key".owner = config.services.headscale.user;
- "namescale/preauth_key" = { };
- "headscale/noise_private_key".owner = config.services.headscale.user;
- "headscale/derp_private_key".owner = config.services.headscale.user;
- # client
- "headscale/pre_auth_key" = { };
- };
-
- networking = {
- nameservers = [ "100.100.100.100" ];
- search = [ config.services.headscale.settings.dns.base_domain ];
-
- firewall = {
- interfaces.ppp0.allowedUDPPorts = [ stunPort ];
- trustedInterfaces = [ config.services.tailscale.interfaceName ];
- };
- };
- # for exit node only
- boot.kernel.sysctl = {
- "net.ipv4.ip_forward" = true;
- "net.ipv6.conf.all.forwarding" = true;
- };
-
- services = {
- headscale = {
- enable = true;
- port = 8139;
-
- settings = {
- logtail.enabled = false;
- server_url = url;
- noise.private_key_path = config.sops.secrets."headscale/noise_private_key".path;
- dns = {
- base_domain = "tsnet.${config.global.userdata.domain}";
- override_local_dns = false;
- nameservers.split."${config.services.headscale.settings.dns.base_domain}" = [
- "100.64.0.12"
- "fd7a:115c:a1e0::c"
- ];
- };
- derp = {
- server = {
- enabled = true;
- private_key_path = config.sops.secrets."headscale/derp_private_key".path;
- region_code = config.networking.hostName;
- region_name = config.networking.hostName;
- stun_listen_addr = "0.0.0.0:${toString stunPort}";
- region_id = 6969;
- automatically_add_embedded_derp_region = true;
- };
- urls = [ ];
- };
- policy = {
- mode = "file";
- path = policyFormat.generate "acl.json" policy;
- };
- };
- };
-
- headplane = {
- enable = true;
- settings = {
- server = {
- port = 8140;
- cookie_secret_path = config.sops.secrets."headplane/cookie_secret".path;
- };
- headscale = {
- inherit url;
- config_path = "${headscaleConfig}";
- };
- integration.agent = {
- enabled = true;
- pre_authkey_path = config.sops.secrets."headplane/preauth_key".path;
- };
- };
- };
-
- tailscale = {
- enable = true;
- interfaceName = "headscale";
- openFirewall = true;
-
- authKeyFile = config.sops.secrets."headscale/pre_auth_key".path;
- extraUpFlags = [
- "--login-server=${url}"
- "--advertise-exit-node"
- "--advertise-routes=192.168.43.0/24,192.168.38.0/24"
- "--advertise-tags=tag:internal"
- ];
- };
-
- namescale = {
- enable = true;
- environmentFile = config.sops.secrets."namescale/preauth_key".path;
- settings.tsnet.coordination_server_url = url;
- };
- };
-}
diff --git a/os/kay/modules/network/headscale/default.nix b/os/kay/modules/network/headscale/default.nix
new file mode 100644
index 0000000..6f35c5d
--- /dev/null
+++ b/os/kay/modules/network/headscale/default.nix
@@ -0,0 +1,210 @@
+{
+ config,
+ pkgs,
+ lib,
+ headplane,
+ namescale,
+ ...
+}:
+let
+ url = "https://headscale.${config.global.userdata.domain}";
+ stunPort = 3478;
+
+ # A workaround generate a valid Headscale config accepted by Headplane when `config_strict == true`.
+ settings = lib.recursiveUpdate config.services.headscale.settings {
+ tls_cert_path = "/dev/null";
+ tls_key_path = "/dev/null";
+ policy.path = "/dev/null";
+ };
+ format = pkgs.formats.yaml { };
+ headscaleConfig = format.generate "headscale.yml" settings;
+
+ policyFormat = pkgs.formats.json { };
+ policy = {
+ groups = {
+ "group:owner" = [ "sinan@" ];
+ "group:bud" = [
+ "sinan@"
+ "ann@"
+ ];
+ };
+ tagOwners = {
+ "tag:internal" = [ "group:owner" ];
+ "tag:bud_clients" = [ "group:bud" ];
+ "tag:cusat" = [ "group:owner" ];
+ "tag:gaijin" = [ "group:owner" ];
+ };
+ autoApprovers = {
+ routes = {
+ "192.168.43.0/24" = [
+ "group:owner"
+ "tag:internal"
+ ];
+ "192.168.38.0/24" = [
+ "group:owner"
+ "tag:internal"
+ ];
+ };
+ exitNode = [
+ "group:owner"
+ "tag:internal"
+ ];
+ };
+ acls = [
+ {
+ action = "accept";
+ src = [ "*" ];
+ dst = [ "namescale@:53" ];
+ }
+ {
+ action = "accept";
+ src = [ "headplane@" ];
+ dst = [ "*:*" ];
+ }
+
+ {
+ action = "accept";
+ src = [ "group:owner" ];
+ dst = [ "*:*" ];
+ }
+ {
+ action = "accept";
+ src = [ "nazer@" ];
+ dst = [ "autogroup:internet:*" ];
+ }
+
+ {
+ action = "accept";
+ src = [ "group:bud" ];
+ dst = [ "tag:bud_clients:*" ];
+ }
+ {
+ action = "accept";
+ src = [ "tag:bud_clients" ];
+ dst = [ "tag:bud_clients:80,443" ];
+ }
+ ];
+ };
+in
+{
+ imports = [
+ headplane.nixosModules.headplane
+ namescale.nixosModules.namescale
+ ];
+
+ nixpkgs.overlays = [ headplane.overlays.default ];
+ environment.systemPackages = [ config.services.headscale.package ];
+
+ sops.secrets = {
+ # server
+ "headplane/cookie_secret" = {
+ owner = config.services.headscale.user;
+ sopsFile = ./secrets.yaml;
+ };
+ "headplane/preauth_key" = {
+ owner = config.services.headscale.user;
+ sopsFile = ./secrets.yaml;
+ };
+ "namescale/preauth_key".sopsFile = ./secrets.yaml;
+ "headscale/noise_private_key" = {
+ owner = config.services.headscale.user;
+ sopsFile = ./secrets.yaml;
+ };
+ "headscale/derp_private_key" = {
+ owner = config.services.headscale.user;
+ sopsFile = ./secrets.yaml;
+ };
+ # client
+ "headscale/pre_auth_key".sopsFile = ./secrets.yaml;
+ };
+
+ networking = {
+ nameservers = [ "100.100.100.100" ];
+ search = [ config.services.headscale.settings.dns.base_domain ];
+
+ firewall = {
+ interfaces.ppp0.allowedUDPPorts = [ stunPort ];
+ trustedInterfaces = [ config.services.tailscale.interfaceName ];
+ };
+ };
+ # for exit node only
+ boot.kernel.sysctl = {
+ "net.ipv4.ip_forward" = true;
+ "net.ipv6.conf.all.forwarding" = true;
+ };
+
+ services = {
+ headscale = {
+ enable = true;
+ port = 8139;
+
+ settings = {
+ logtail.enabled = false;
+ server_url = url;
+ noise.private_key_path = config.sops.secrets."headscale/noise_private_key".path;
+ dns = {
+ base_domain = "tsnet.${config.global.userdata.domain}";
+ override_local_dns = false;
+ nameservers.split."${config.services.headscale.settings.dns.base_domain}" = [
+ "100.64.0.12"
+ "fd7a:115c:a1e0::c"
+ ];
+ };
+ derp = {
+ server = {
+ enabled = true;
+ private_key_path = config.sops.secrets."headscale/derp_private_key".path;
+ region_code = config.networking.hostName;
+ region_name = config.networking.hostName;
+ stun_listen_addr = "0.0.0.0:${toString stunPort}";
+ region_id = 6969;
+ automatically_add_embedded_derp_region = true;
+ };
+ urls = [ ];
+ };
+ policy = {
+ mode = "file";
+ path = policyFormat.generate "acl.json" policy;
+ };
+ };
+ };
+
+ headplane = {
+ enable = true;
+ settings = {
+ server = {
+ port = 8140;
+ cookie_secret_path = config.sops.secrets."headplane/cookie_secret".path;
+ };
+ headscale = {
+ inherit url;
+ config_path = "${headscaleConfig}";
+ };
+ integration.agent = {
+ enabled = true;
+ pre_authkey_path = config.sops.secrets."headplane/preauth_key".path;
+ };
+ };
+ };
+
+ tailscale = {
+ enable = true;
+ interfaceName = "headscale";
+ openFirewall = true;
+
+ authKeyFile = config.sops.secrets."headscale/pre_auth_key".path;
+ extraUpFlags = [
+ "--login-server=${url}"
+ "--advertise-exit-node"
+ "--advertise-routes=192.168.43.0/24,192.168.38.0/24"
+ "--advertise-tags=tag:internal"
+ ];
+ };
+
+ namescale = {
+ enable = true;
+ environmentFile = config.sops.secrets."namescale/preauth_key".path;
+ settings.tsnet.coordination_server_url = url;
+ };
+ };
+}
diff --git a/os/kay/modules/network/headscale/secrets.yaml b/os/kay/modules/network/headscale/secrets.yaml
new file mode 100644
index 0000000..d45ed72
--- /dev/null
+++ b/os/kay/modules/network/headscale/secrets.yaml
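Review bot: The six `sopsFile = ./secrets.yaml;` lines in `sops.secrets` repeat the one fact this refactor introduces, and every secret added to this module later has to remember it. Mapping it over the set once keeps each entry to its owner, e.g. `sops.secrets = lib.mapAttrs (_: s: s // { sopsFile = ./secrets.yaml; }) { "headplane/cookie_secret".owner = config.services.headscale.user; … };`, and `lib` is already a module argument here. The same repetition appears three times each in the hurricane/default.nix and ppp/default.nix hunks.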
@@ -0,0 +1,33 @@
+headplane:
+ cookie_secret: ENC[AES256_GCM,data:lJxNpktCyTn99/6ihN+Igz+u3V5LRvh3QxjIiwZ25bU=,iv:YppMXzI2raebGkgyGnFl7jDWtvQgyc5YRmNesby6iOE=,tag:LRWMzUiXqPA7Q1qakeABhQ==,type:str]
+ preauth_key: ENC[AES256_GCM,data:UthaalTL3pw5YLvDGU/j7FoKWstsize+Z3TQ8EGwEBS2769HaZFGwjArPM5emXEV,iv:3hbdnFUeUMoRyEC9EcoxTpK9YPI0wbPT9dP70X2bsFo=,tag:ety2kbaCU0VsJj8d6rvSSQ==,type:str]
+namescale:
+ preauth_key: ENC[AES256_GCM,data:4gLo5nknO081l4YZ8oa0/PPQNcB/Ef2hv3OgjTb90gHj6jC3pccMKxf0FBKxbQSii7GNQbSd9cYXHkHRBg==,iv:XnwajNYuBtRTyjP+QDzsjgLeq5qUM3O+PmHX4eIPWuY=,tag:Khp+LU0lovF2hF/Ak8Lpqg==,type:str]
+headscale:
+ noise_private_key: ENC[AES256_GCM,data:Hh67ck/aaWmWSPmWpWG8op8kruhVUg32TzBs6TgNZxy/FuB5CUqbWZ9C86yq9awS8fgZDFmqPtSUWQdtNP2AglC2PjVcZVlP,iv:unfxTZ5WV1a01dYZWFYGeQh4ytmruWq7Ytb0xbPERDg=,tag:qK7O4tA/Y38pwyDE4gyN/w==,type:str]
+ derp_private_key: ENC[AES256_GCM,data:H154flCLVnRv8U3hOXyaEtKPQQo4UWAiZnLZxpf99Cmppp6VEt5hXsu+PQYiUERWWjL3Bry5Az2JBBENOk75S2cXXuHzehkY,iv:ALLHs2S1xkNf/tFYCKYFLHOV9AXeCFUjgq65LoKtMqA=,tag:MDRlnksrUwWOD1KO086VgA==,type:str]
+ pre_auth_key: ENC[AES256_GCM,data:lFAVurZSbAIGLX+C/Y9IWHUdBnAK2+r8gfyptYDxxM1vUjfZLysc2Znl8J6hOTt9,iv:KnqejSz5Dso6Qt6AUEHL5WaKFkPjzfKPKcFPrQ08vak=,tag:cj20F8xBlUt+7YIH0898UQ==,type:str]
+sops:
+ age:
+ - recipient: age1q5sfy74d53n6jxlgsc2zrsz4wcl9d830nxuagc3wfmdkrrp55ckq9ev6nv
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBocjExRHZxTlBLQno5d0w1
+ WjFuTnpRZjVDQTR0WnZxc1ZFVHVXZVpHVG1NCmVlbWdMS1RkeWtacE1rTTRaVE9h
+ RE1XRDhoU2JmbTJKR3RCMnMvZWZMWlkKLS0tIFIvVEtWb0F5QmRPRHNuU2xhcWdm
+ ZUpud0gveWlDNWl4andHTm85OWZuQ28KigPDOPCX3Q6LnTZAe8triJUpz0nhmJ+K
+ XD+VuUHhX/52GU7p3selEwn5O//Bc7zeneolniA79F69RDBpK4OYeA==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age15989j5lkkf2kn5wa2p6qc8wlxjjksc63k5ync8rz8t4e87394pzqm7h4rm
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCQmRMaGRBcmJwZVI0RWlT
+ ajl0WHZwTnBLdEcybHRHYzVjTWlkczlYVEVBCmxrQXNiM1dRSlJoRDdtVDZEZjVZ
+ WUVtZjMrbGhjdWFITElWa3VGZHpxYUUKLS0tIGJ5eUovbHE2R1JzcTRwdXBkNVM4
+ NExtOUJrT3pvTmNndUlxekVhbXAxNDAKVYgJ3XNqWyJ5XHYbNnODMUdufFTBG+xE
+ Nkks0GuJCWMyho4jkksF+mWohGJz50DAZCcve38fGcD9Zkhp1gcYgw==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-12-27T03:24:25Z"
+ mac: ENC[AES256_GCM,data:wDNxc6cPdUOILZKJ86dYdC+YuOYpC/tkrGQkFSaC84rjhYzYm5rSkwo4NNTqZVamNC5i+8IaFiR+zq8NJM88KUoiFij7FMda6yDdexhgeBLMwCdX6nrjIFavZpJEhwxyHfjuy2mBYO4TU5xGaAgG2Dr6N0eqBNDMJoZzlKmHgo0=,iv:09nC3k+fCCxp+u8qKba3m2mX7K5izUnPcmhGpXjDr7M=,tag:fQFMRFnIIUcmWJGQEfiBzQ==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.11.0
diff --git a/os/kay/modules/network/hurricane.nix b/os/kay/modules/network/hurricane.nix
deleted file mode 100644
index e815136..0000000
--- a/os/kay/modules/network/hurricane.nix
+++ /dev/null
@@ -1,132 +0,0 @@ -{ - config, - pkgs, - lib, - ... -}: - -let - iface = "hurricane"; - remote = "216.218.221.42"; - - clinet = "2001:470:35:72a::2"; - server = "2001:470:35:72a::1"; - - prefix64 = "2001:470:36:72a::/64"; - prefix48 = "2001:470:ee65::/48"; - - makeAddr = - prefix: host: - let - split = lib.strings.splitString "/" prefix; - in - { - address = "${lib.head split}${host}"; - prefixLength = lib.toInt (lib.last split); - }; -in -{ - networking = { - sits.${iface} = { - inherit remote; - ttl = 225; - }; - interfaces.${iface} = { - mtu = 1472; # 1492(ppp0) - 20 - ipv6.addresses = [ - { - address = clinet; - prefixLength = 64; - } - - (makeAddr prefix64 "1") - (makeAddr prefix48 "1") - (makeAddr prefix48 "1337") - ]; - }; - - iproute2 = { - enable = true; - rttablesExtraConfig = "200 hurricane"; - }; - - firewall = { - extraCommands = "iptables -A INPUT --proto 41 --source ${remote} --jump ACCEPT"; - extraStopCommands = "iptables -D INPUT --proto 41 --source ${remote} --jump ACCEPT"; - }; - }; - - sops.secrets = { - "hurricane/username" = { }; - "hurricane/update_key" = { }; - "hurricane/tunnel_id" = { }; - }; - - systemd.services."network-route-${iface}" = { - description = "Routing configuration of ${iface}"; - wantedBy = [ - "network-setup.service" - "network.target" - ]; - before = [ "network-setup.service" ]; - bindsTo = [ "network-addresses-hurricane.service" ]; - after = [ - "network-pre.target" - "network-addresses-hurricane.service" - ]; - # restart rather than stop+start this unit to prevent the - # network from dying during switch-to-configuration. 
- stopIfChanged = false; - - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; - }; - - path = [ pkgs.iproute2 ]; - script = '' - echo -n "adding route" - - ip -6 rule add from ${clinet}/64 table hurricane || exit 1 - ip -6 rule add from ${prefix64} table hurricane || exit 1 - ip -6 rule add from ${prefix48} table hurricane || exit 1 - - ip -6 route add default via ${server} dev hurricane table hurricane || exit 1 - ''; - preStop = '' - echo -n "deleting route" - - ip -6 route del default via ${server} dev hurricane table hurricane || exit 1 - - ip -6 rule del from ${prefix48} table hurricane || exit 1 - ip -6 rule del from ${prefix64} table hurricane || exit 1 - ip -6 rule del from ${clinet}/64 table hurricane || exit 1 - ''; - }; - - services.pppd.script."01-${iface}" = { - runtimeInputs = with pkgs; [ - curl - coreutils - iproute2 - iputils - ]; - text = '' - wan_ip="$4" - username="$(cat ${config.sops.secrets."hurricane/username".path})" - update_key="$(cat ${config.sops.secrets."hurricane/update_key".path})" - tunnel_id="$(cat ${config.sops.secrets."hurricane/tunnel_id".path})" - - auth_url="https://$username:$update_key@ipv4.tunnelbroker.net/nic/update?hostname=$tunnel_id" - until curl --silent "$auth_url"; do - sleep 1 - done - - while [ ! -e /sys/class/net/${iface} ]; do - sleep 1 # make sure ${iface} is up - done - - ip tunnel change ${iface} local "$wan_ip" mode sit - ''; - }; -} diff --git a/os/kay/modules/network/hurricane/default.nix b/os/kay/modules/network/hurricane/default.nix new file mode 100644 index 0000000..63be43e --- /dev/null +++ b/os/kay/modules/network/hurricane/default.nix 
@@ -0,0 +1,132 @@ +{ + config, + pkgs, + lib, + ... +}: + +let + iface = "hurricane"; + remote = "216.218.221.42"; + + clinet = "2001:470:35:72a::2"; + server = "2001:470:35:72a::1"; + + prefix64 = "2001:470:36:72a::/64"; + prefix48 = "2001:470:ee65::/48"; + + makeAddr = + prefix: host: + let + split = lib.strings.splitString "/" prefix; + in + { + address = "${lib.head split}${host}"; + prefixLength = lib.toInt (lib.last split); + }; +in +{ + networking = { + sits.${iface} = { + inherit remote; + ttl = 225; + }; + interfaces.${iface} = { + mtu = 1472; # 1492(ppp0) - 20 + ipv6.addresses = [ + { + address = clinet; + prefixLength = 64; + } + + (makeAddr prefix64 "1") + (makeAddr prefix48 "1") + (makeAddr prefix48 "1337") + ]; + }; + + iproute2 = { + enable = true; + rttablesExtraConfig = "200 hurricane"; + }; + + firewall = { + extraCommands = "iptables -A INPUT --proto 41 --source ${remote} --jump ACCEPT"; + extraStopCommands = "iptables -D INPUT --proto 41 --source ${remote} --jump ACCEPT"; + }; + }; + + sops.secrets = { + "hurricane/username".sopsFile = ./secrets.yaml; + "hurricane/update_key".sopsFile = ./secrets.yaml; + "hurricane/tunnel_id".sopsFile = ./secrets.yaml; + }; + + systemd.services."network-route-${iface}" = { + description = "Routing configuration of ${iface}"; + wantedBy = [ + "network-setup.service" + "network.target" + ]; + before = [ "network-setup.service" ]; + bindsTo = [ "network-addresses-hurricane.service" ]; + after = [ + "network-pre.target" + "network-addresses-hurricane.service" + ]; + # restart rather than stop+start this unit to prevent the + # network from dying during switch-to-configuration. 
+ stopIfChanged = false; + + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + }; + + path = [ pkgs.iproute2 ]; + script = '' + echo -n "adding route" + + ip -6 rule add from ${clinet}/64 table hurricane || exit 1 + ip -6 rule add from ${prefix64} table hurricane || exit 1 + ip -6 rule add from ${prefix48} table hurricane || exit 1 + + ip -6 route add default via ${server} dev hurricane table hurricane || exit 1 + ''; + preStop = '' + echo -n "deleting route" + + ip -6 route del default via ${server} dev hurricane table hurricane || exit 1 + + ip -6 rule del from ${prefix48} table hurricane || exit 1 + ip -6 rule del from ${prefix64} table hurricane || exit 1 + ip -6 rule del from ${clinet}/64 table hurricane || exit 1 + ''; + }; + + services.pppd.script."01-${iface}" = { + runtimeInputs = with pkgs; [ + curl + coreutils + iproute2 + iputils + ]; + text = '' + wan_ip="$4" + username="$(cat ${config.sops.secrets."hurricane/username".path})" + update_key="$(cat ${config.sops.secrets."hurricane/update_key".path})" + tunnel_id="$(cat ${config.sops.secrets."hurricane/tunnel_id".path})" + + auth_url="https://$username:$update_key@ipv4.tunnelbroker.net/nic/update?hostname=$tunnel_id" + until curl --silent "$auth_url"; do + sleep 1 + done + + while [ ! -e /sys/class/net/${iface} ]; do + sleep 1 # make sure ${iface} is up + done + + ip tunnel change ${iface} local "$wan_ip" mode sit + ''; + }; +} diff --git a/os/kay/modules/network/hurricane/secrets.yaml b/os/kay/modules/network/hurricane/secrets.yaml new file mode 100644 index 0000000..bbb0b57 --- /dev/null +++ b/os/kay/modules/network/hurricane/secrets.yaml 
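Review bot: In the `01-hurricane` pppd script, `until curl --silent "$auth_url"` leaves the retry loop on any HTTP response, including a 401 for a rejected update key or a 4xx for a bad hostname, because curl exits 0 on HTTP errors unless `--fail` is given; only transport failures are retried, and an authentication failure is treated as a completed update with `--silent` hiding the reason. The credentials are also embedded in the URL passed as a command-line argument, so `$username:$update_key` is readable from the process list by any local user for the duration of each attempt; a curl `--config` or `--netrc-file` with restricted permissions generated from the sops paths keeps them out of argv. A minimal first step is `until curl --silent --show-error --fail "$auth_url"; do`, with the credential move as a follow-up. These lines are carried over unchanged from the deleted hurricane.nix, so the issue predates this move.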
@@ -0,0 +1,28 @@
+hurricane:
+ username: ENC[AES256_GCM,data:qPZB7icdzaYt,iv:EeucYLIWUOTKeWsnbzc5KrNwXj3EGAECoz5wdPrfMiY=,tag:65zQIFgUL8jNejzIGN56zQ==,type:str]
+ update_key: ENC[AES256_GCM,data:q9tzqMMT9nI69KeC9utyiRQuzPuPnwwn4pEU01QF074m+J+FP53RDQ==,iv:8ZZ0Nc/8fIQYxC51Fsz5NwEXytgMYvLoqS2uqLDP5sw=,tag:QyKcz9IgOjcvSiEP8HrROQ==,type:str]
+ tunnel_id: ENC[AES256_GCM,data:at2gf+GP,iv:ilIJ+MUXUugRGZMJjHIs/E7nt/daDBxjmCODcldkCC8=,tag:qB3xE6WP4O4aQgyb+jO5SQ==,type:str]
+sops:
+ age:
+ - recipient: age1q5sfy74d53n6jxlgsc2zrsz4wcl9d830nxuagc3wfmdkrrp55ckq9ev6nv
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1M250TTZNT0U5TE14T1Ar
+ OGF3MzZKanFWeVJ6NDVyR0ptNWdqVmFQUDMwCmhESnVwTlpSaEJSRDg4dUo3d0Jp
+ M2ZzZmlYZ3BCcWpHcXYwU1NZbXFsejAKLS0tIDd3ZkdmRTczN3V1ZFN0VXhOM0hz
+ NC9IWU80RkdrTUFGTWhjOXpwTTdzK3cKX6P58b/Zf81CkQopzQgXEH38BVJ8dm3c
+ T3il1Di+oV4da29QOdgQPLthpoa8c/6Mfw70XC1pCqJViTYGQSV/ww==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age15989j5lkkf2kn5wa2p6qc8wlxjjksc63k5ync8rz8t4e87394pzqm7h4rm
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFd3dDTmFiRjkwSTNlY2lQ
+ bWpMTHpCNFhVei9EcUR1RkxteUtXdzRsMUUwCjNqYW5UdTFXdzFWMW1HL1pZL2pz
+ Q2lIbktpUGtVSStoekdrQUJkcDZGSFkKLS0tIFIwZUo1SDd5UUxvaHU5aDg2alFO
+ K1ZsMGtjb0ZJUzdRNllxc3lxRVpPb2MK7jYH9Vd/BQW6M2w4gpZ/7/Fvup2enPct
+ z8b9coCmFfYkQMOopar5Qq+1Tf+sXmt+e9T4XWdRTGer3si8/X+jmA==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-12-27T03:19:40Z"
+ mac: ENC[AES256_GCM,data:kHw69RgfHhmMzaIUoPL0DziPOmY+7dBXWVzLO2Yo8fun7egtqPLqjmDT11BSvGO7SBBBJkzTUjoV/8kQuui2mEaNZ9Pu6yaLEuGoWU/yN8rwGyEAvMW/jsyRKI/featE1kUgmWrTrRdHw/oXCDUEABRGk51v67NwQef0nlGhjM8=,iv:GWRU/avtXRSJ3tjgt4tKH5A6srOp/N7jV0kZAC/GX8Q=,tag:2k/1UwWj56mUXMVQBBM5ng==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.11.0
diff --git a/os/kay/modules/network/ppp/default.nix b/os/kay/modules/network/ppp/default.nix
new file mode 100644
index 0000000..43059b6
--- /dev/null
+++ b/os/kay/modules/network/ppp/default.nix
@@ -0,0 +1,74 @@
+{ config, pkgs, ... }:
+
+let
+ inetVlan = 1003;
+ wanInterface = "enp3s0";
+ nameServer = [
+ "1.0.0.1"
+ "1.1.1.1"
+ ];
+in
+{
+ sops.secrets = {
+ "ppp/chap-secrets".sopsFile = ./secrets.yaml;
+ "ppp/pap-secrets".sopsFile = ./secrets.yaml;
+ "ppp/username".sopsFile = ./secrets.yaml;
+ };
+
+ networking = {
+ tempAddresses = "disabled";
+ vlans.wan = {
+ id = inetVlan;
+ interface = wanInterface;
+ };
+ };
+
+ services = {
+ dnsmasq = {
+ enable = true;
+ settings = {
+ server = nameServer;
+ bind-interfaces = true;
+ };
+ };
+
+ pppd = {
+ enable = true;
+
+ config = ''
+ plugin pppoe.so
+ debug
+
+ nic-wan
+ defaultroute
+ ipv6 ::1337,
+ noauth
+
+ persist
+ lcp-echo-adaptive
+ lcp-echo-interval 1
+ lcp-echo-failure 5
+ '';
+
+ script."01-ipv6-ra" = {
+ type = "ip-up";
+ runtimeInputs = [ pkgs.procps ];
+
+ text = ''
+ sysctl net.ipv6.conf.ppp0.accept_ra=2
+ '';
+ };
+
+ peers.keralavision = {
+ enable = true;
+ autostart = true;
+ configFile = config.sops.secrets."ppp/username".path;
+ };
+
+ secret = {
+ chap = config.sops.secrets."ppp/chap-secrets".path;
+ pap = config.sops.secrets."ppp/pap-secrets".path;
+ };
+ };
+ };
+}
diff --git a/os/kay/modules/network/ppp/secrets.yaml b/os/kay/modules/network/ppp/secrets.yaml
new file mode 100644
index 0000000..3df903a
--- /dev/null
+++ b/os/kay/modules/network/ppp/secrets.yaml
@@ -0,0 +1,28 @@
+ppp:
+ chap-secrets: ENC[AES256_GCM,data:WAQwrIt66iL7rOPR0WQgRxTYHHjrMNXUqf/DoiE=,iv:ZOs3OQ0Lu9zr/6slG/q07jZ94VRx8XaomNFP1isHo9o=,tag:I1dzfINQvU2fiVku8IDK9A==,type:str]
+ pap-secrets: ENC[AES256_GCM,data:QWMpPeJSUd3KJa6c//3Zu3nlsnE4l0FBhEqFggw=,iv:uTziGG8dSaklA3uRn+JqfONde6oL/3q5wXS2TP2e264=,tag:R5+q4k2XAEW+8nYPMLVObg==,type:str]
+ username: ENC[AES256_GCM,data:PBZlPw8SgUfm0apbVf6GVNkn,iv:ivYn9irS7hwdvN8f3kDDGs8gGx+kWtW1YHheKgQMF2w=,tag:VPokCflGM4pDL/+VBfbTsA==,type:str]
+sops:
+ age:
+ - recipient: age1q5sfy74d53n6jxlgsc2zrsz4wcl9d830nxuagc3wfmdkrrp55ckq9ev6nv
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIcUt4blkrZzZHMjFjT1o2
+ TDRUZ09DckRNQzhhNmgvZi9tRVQ0WUdIZXhjCmpXQ0craFRkQU5neFdnZTVmbHcx
+ STFSYk51cDVyZ3I2UmFwT1pHQnJKc2sKLS0tIFNhKzNKRzJ4OVBUVm00ZjJ5NHZi
+ RDNTZDVLM05heXh3cXdMZFF4TVhCeFEK0YogisCvzPS1KgQFGjziGFLpiqBtfIAx
+ 90qk4c/8Wmqnt2bW5GBCEl5iUHW7S7etCIZHTZp7WY6Y/y4KEQcFQA==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age15989j5lkkf2kn5wa2p6qc8wlxjjksc63k5ync8rz8t4e87394pzqm7h4rm
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWTkt0SjA1YXd6OGx0N2Ix
+ RmZzVHNOZUZ1V0taeGk4TDFrNi96bi9CTUhzClpDcGVQTFJqZWgzUWxLTmJXd0pT
+ UGhlUTlpS1QxRmFmbTIxYzlLbGxpTWMKLS0tIHIxTHduRXNJdHpkdm1xYWZlbjZ3
+ bWdUcDlLVVljcTVoVEpaTWFIeDlUZGsKMFwWXXb0CsVdb2neSbZlPuKH4p+esW8u
+ fNzL8nrZmqqcRzncXFB0PHU4iNKhwzouHEC+6Ny4V7v5bbOSyb2jAg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-12-27T03:17:57Z"
+ mac: ENC[AES256_GCM,data:43K/T2qFlgHh9008KAiRoYDB9K0B+PqDQfy9pRconml37FuSQhFHowpsjGXEh/md78i6xr4B1wQal+G2BLlWNF5BEKFpZ59Bkpe3OUa/I8yTDUIHPjvoSLAMVdsRxpn3qgFUeLhEpYEycB0sYwQY3XS9Vu3cOx1T+5I9jn6K6d4=,iv:OGvhVzYUtncE1LaSDOFVLhDuD+uOKA1bgYUavgqgLf8=,tag:P9gKH394XXWggXgVBCcspg==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.11.0
-- cgit v1.2.3