From 409c6c276be8ea085764b355f88874dd872d2894 Mon Sep 17 00:00:00 2001
From: Ivan Bushchik
Date: Sun, 17 Dec 2023 10:57:18 +0300
Subject: [PATCH] Host private yggdrasil peer

Signed-off-by: Ivan Bushchik
---
 machines/celerrime/default.nix | 1 +
 machines/periculo/default.nix | 1 +
 machines/rubusidaeus/default.nix | 2 +-
 machines/stella/default.nix | 3 ++-
 machines/vetus/default.nix | 1 +
 roles/default.nix | 1 +
 roles/yggdrasil-client.nix | 13 ++++++++-----
 roles/yggdrasil-peer.nix | 26 ++++++++++++++++++++++++++
 secrets.nix | 2 ++
 secrets/yggdrasil-password | Bin 0 -> 54 bytes
 secrets/yggdrasil-peer | Bin 0 -> 44 bytes
 11 files changed, 43 insertions(+), 7 deletions(-)
 create mode 100644 roles/yggdrasil-peer.nix
 create mode 100644 secrets/yggdrasil-password
 create mode 100644 secrets/yggdrasil-peer

diff --git a/machines/celerrime/default.nix b/machines/celerrime/default.nix
index 037c79b..b5d1eaf 100644
--- a/machines/celerrime/default.nix
+++ b/machines/celerrime/default.nix
@@ -23,6 +23,7 @@ in {
 torrent.enable = true;
 virtualisation.enable = false;
 yggdrasil-client.enable = true;
+ yggdrasil-peer.enable = false;
 server = { ivabus-dev.enable = false; };
 };
diff --git a/machines/periculo/default.nix b/machines/periculo/default.nix
index 77a75e0..eb04958 100644
--- a/machines/periculo/default.nix
+++ b/machines/periculo/default.nix
@@ -22,6 +22,7 @@ in {
 torrent.enable = false;
 virtualisation.enable = false;
 yggdrasil-client.enable = false;
+ yggdrasil-peer.enable = false;
 server = { ivabus-dev.enable = false; };
 };
diff --git a/machines/rubusidaeus/default.nix b/machines/rubusidaeus/default.nix
index ead730d..4915451 100644
--- a/machines/rubusidaeus/default.nix
+++ b/machines/rubusidaeus/default.nix
@@ -25,7 +25,7 @@ in {
 ntp-server.enable = true;
 torrent.enable = false;
 virtualisation.enable = false;
- yggdrasil-client.enable = true;
+ yggdrasil-peer.enable = true;
 server = { ivabus-dev.enable = true; };
 };
diff --git a/machines/stella/default.nix b/machines/stella/default.nix
index 14517d5..8676cb7 100644
--- a/machines/stella/default.nix
+++ b/machines/stella/default.nix
@@ -29,7 +29,8 @@ in {
 media-client.enable = true;
 torrent.enable = false;
 virtualisation.enable = false;
- yggdrasil-client.enable = false;
+ yggdrasil-client.enable = true;
+ yggdrasil-peer.enable = false;
 };
 my.users = {
diff --git a/machines/vetus/default.nix b/machines/vetus/default.nix
index 02641dc..955a984 100644
--- a/machines/vetus/default.nix
+++ b/machines/vetus/default.nix
@@ -19,6 +19,7 @@ in {
 latex.enable = true;
 virtualisation.enable = true;
 yggdrasil-client.enable = true;
+ yggdrasil-peer.enable = false;
 };
 my.users = {
diff --git a/roles/default.nix b/roles/default.nix
index eff3e73..7d4c506 100644
--- a/roles/default.nix
+++ b/roles/default.nix
@@ -11,6 +11,7 @@
 ./torrent.nix
 ./virtualisation.nix
 ./yggdrasil-client.nix
+ ./yggdrasil-peer.nix
 ./server/nginx.nix
 ./server/ivabus-dev.nix
diff --git a/roles/yggdrasil-client.nix b/roles/yggdrasil-client.nix
index 9a469fb..4fd9ade 100644
--- a/roles/yggdrasil-client.nix
+++ b/roles/yggdrasil-client.nix
@@ -1,17 +1,20 @@
-{ config, lib, ... }:
+{ config, lib, secrets, ... }:
 let cfg = config.my.roles.yggdrasil-client;
 in {
 options.my.roles.yggdrasil-client.enable = lib.mkEnableOption "Enable yggdrasil";
 config = lib.mkIf (cfg.enable) {
+ my.features.secrets = lib.mkForce true;
 services.yggdrasil = {
 enable = true;
 persistentKeys = true;
- settings = {
- Peers = [
- # TODO: Maybe add more peers, not only mine. But for now it's ok
- "tls://ygg.iva.bz:50002"
+ settings =
+ {
+ # Not connecting to global ygg network
+ Peers = lib.mkDefault [
+ "quic://${secrets.yggdrasil-peer}:60003?password=${secrets.yggdrasil-password}"
+ "tls://${secrets.yggdrasil-peer}:60002?password=${secrets.yggdrasil-password}"
 ];
 };
 };
diff --git a/roles/yggdrasil-peer.nix b/roles/yggdrasil-peer.nix
new file mode 100644
index 0000000..38a6ce9
--- /dev/null
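Review bot: The peer password is interpolated into the two `Peers` URIs under `services.yggdrasil.settings`, and the NixOS yggdrasil module renders `settings` into a file in the world-readable Nix store — its option documentation warns about this and points to `configFile` for anything secret — so every host that enables this role exposes the password to any local account, and to whatever binary cache those store paths are pushed to if any. The `Listen` URIs added in roles/yggdrasil-peer.nix embed the same password and have the same exposure. A fix would be to render the yggdrasil config outside the store at activation time from the secret and point `services.yggdrasil.configFile` at it, rather than going through `settings`; if the password is deliberately treated as low-value because the peer address is itself secret, a comment saying so next to `Peers` would keep the next reader from relying on it as a real credential. The module's closing brace lies outside the hunk.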
+++ b/roles/yggdrasil-peer.nix
@@ -0,0 +1,26 @@
+{ config, lib, secrets, ... }:
+
+let cfg = config.my.roles.yggdrasil-peer;
+in {
+ options.my.roles.yggdrasil-peer.enable =
+ lib.mkEnableOption "Enable yggdrasil (semi-public) peer";
+ config = lib.mkIf (cfg.enable) {
+ my.features.secrets = lib.mkForce true;
+ my.roles.yggdrasil-client.enable = true;
+ services.yggdrasil = {
+ enable = true;
+ persistentKeys = true;
+ settings =
+ {
+ # Not connecting to global ygg network
+ Peers = lib.mkForce [];
+ Listen = [
+ "quic://[::]:60003?password=${secrets.yggdrasil-password}"
+ "tls://[::]:60002?password=${secrets.yggdrasil-password}"
+ ];
+ };
+ };
+ networking.firewall.allowedTCPPorts = [ 60002 ];
+ networking.firewall.allowedUDPPorts = [ 60003 ];
+ };
+}
diff --git a/secrets.nix b/secrets.nix
index 4171464..6bf416f 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -8,4 +8,6 @@ in if (canaryHash != expectedHash && config.my.features.secrets) then
 else {
 hashed-password = builtins.readFile ./secrets/hashed-password;
 maas-address = builtins.readFile ./secrets/maas-address;
+ yggdrasil-peer = builtins.readFile ./secrets/yggdrasil-peer;
+ yggdrasil-password = builtins.readFile ./secrets/yggdrasil-password;
 }
diff --git a/secrets/yggdrasil-password b/secrets/yggdrasil-password
new file mode 100644
index 0000000000000000000000000000000000000000..39c03123e34afe7cb30ef9e42ac177aff9d93599
GIT binary patch
literal 54
zcmV-60LlLVM@dveQdv+`0Ql6t?zN~*8RI9)4|h@HQ%&va9LHc^o4GYhT{a$CH8E#X MZMkay50Dg-q=>2)(EtDd
literal 0
HcmV?d00001
diff --git a/secrets/yggdrasil-peer b/secrets/yggdrasil-peer
new file mode 100644
index 0000000000000000000000000000000000000000..f6fcb50b32c45210545cb67b39bb2ba63902dd69
GIT binary patch
literal 44
zcmV+{0Mq{fM@dveQdv+`0DVCpcNkbnuDaW^hUK(UvR0>)B{@Q&4p8aWk~fSviIwSi CWD_6&
literal 0
HcmV?d00001
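Review bot: `my.features.secrets = lib.mkForce true;`, `services.yggdrasil.enable = true;` and `persistentKeys = true;` are set here and again by roles/yggdrasil-client.nix, which this role switches on with `my.roles.yggdrasil-client.enable = true;` one line later, so the daemon's base configuration now has two owners that must be kept in step. Keeping only the client-role toggle plus the `settings` and `networking.firewall` lines in this file would leave one place that defines how yggdrasil runs and make the `Peers = lib.mkForce []` override the only thing a reader has to reconcile against the client role's `lib.mkDefault`. A one-line comment above `Listen`, e.g. `# Inbound-only: peers authenticate with the shared password, no outbound peers`, would also document why the same password appears in both roles.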
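Review bot: `builtins.readFile` on the two new lines returns the file contents verbatim, including any trailing newline, and both values are spliced straight into peer and listen URIs in roles/yggdrasil-client.nix and roles/yggdrasil-peer.nix, where an embedded newline yields a malformed address or password that fails only at runtime. Whether the committed secret files end in a newline cannot be seen here; `lib.fileContents ./secrets/yggdrasil-peer` strips exactly one trailing newline (if `lib` is available in this file, otherwise `builtins.replaceStrings [ "\n" ] [ "" ] (builtins.readFile ./secrets/yggdrasil-peer)`). The existing `hashed-password` and `maas-address` lines use the same plain `readFile`, so if newline-free files are the repository's convention a short comment on the attribute set saying so would make that contract explicit.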