rpqt/flocon
rpqt/flocon
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: rpqt:599a0d92c7821ed0a47d9cc3f2fe9b2dda85fa3f
Branches Tags
rpqt:main
rpqt:clan
..
compare: rpqt:a895d32b60bdc07095e64c4e888585a82da87adf
Branches Tags
rpqt:main
rpqt:clan

No commits in common. "599a0d92c7821ed0a47d9cc3f2fe9b2dda85fa3f" and "a895d32b60bdc07095e64c4e888585a82da87adf" have entirely different histories.
599a0d92c7 ... a895d32b60

7 changed files with 411 additions and 43 deletions
Download patch file Download diff file Expand all files Collapse all files

73
clanServices/coredns/README.md Normal file
View file

@ -0,0 +1,73 @@
!!! Danger "Experimental"
This service is experimental and will change in the future.
This module enables hosting clan-internal services easily, which can be resolved
inside your VPN. This allows defining a custom top-level domain (e.g. `.clan`)
and exposing endpoints from a machine to others, which will be
accessible under `http://<service>.clan` in your browser.
The service consists of two roles:
- A `server` role: This is the DNS-server that will be queried when trying to
resolve clan-internal services. It defines the top-level domain.
- A `default` role: This does two things. First, it sets up the nameservers so
that clan-internal queries are resolved via the `server` machine, while
external queries are resolved as normal via DHCP. Second, it allows exposing
services (see example below).
## Example Usage
Here the machine `dnsserver` is designated as internal DNS-server for the TLD
`.foo`. `server01` will host an application that shall be reachable at
`http://one.foo` and `server02` is going to be reachable at `http://two.foo`.
`client` is any other machine that is part of the clan but does not host any
services.
When `client` tries to resolve `http://one.foo`, the DNS query will be
routed to `dnsserver`, which will answer with `192.168.1.3`. If it tries to
resolve some external domain (e.g. `https://clan.lol`), the query will not be
routed to `dnsserver` but resolved as before, via the nameservers advertised by
DHCP.
```nix
inventory = {
machines = {
dnsserver = { }; # 192.168.1.2
server01 = { }; # 192.168.1.3
server02 = { }; # 192.168.1.4
client = { }; # 192.168.1.5
};
instances = {
coredns = {
module.name = "@clan/coredns";
module.input = "self";
# Add the default role to all machines, including `client`
roles.default.tags.all = { };
# DNS server queries to http://<name>.foo are resolved here
roles.server.machines."dnsserver".settings = {
ip = "192.168.1.2";
tld = "foo";
};
# First service
# Registers http://one.foo will resolve to 192.168.1.3
# underlying service runs on server01
roles.default.machines."server01".settings = {
ip = "192.168.1.3";
services = [ "one" ];
};
# Second service
roles.default.machines."server02".settings = {
ip = "192.168.1.4";
services = [ "two" ];
};
};
};
};
```

235
clanServices/coredns/default.nix Normal file
View file

@ -0,0 +1,235 @@
{ ... }:
{
_class = "clan.service";
manifest.name = "coredns";
manifest.description = "Clan-internal DNS and service exposure";
manifest.categories = [ "Network" ];
manifest.readme = builtins.readFile ./README.md;
roles.server = {
description = "A DNS server that resolves services in the clan network.";
interface =
{ lib, ... }:
{
options.tld = lib.mkOption {
type = lib.types.str;
default = "clan";
description = ''
Top-level domain for this instance. All services below this will be
resolved internally.
'';
};
options.ip = lib.mkOption {
type = lib.types.str;
# TODO: Set a default
description = "IP for the DNS to listen on";
};
options.dnsPort = lib.mkOption {
type = lib.types.int;
default = 1053;
description = "Port of the clan-internal DNS server";
};
};
perInstance =
{
roles,
settings,
...
}:
{
nixosModule =
{
lib,
pkgs,
...
}:
let
hostServiceEntries =
host:
lib.strings.concatStringsSep "\n" (
map (
service:
let
ip = roles.default.machines.${host}.settings.ip;
isIPv4 = addr: (builtins.match "\\." addr) != null;
recordType = if (isIPv4 ip) then "A" else "AAAA";
in
"${service} IN ${recordType} ${ip} ; ${host}"
) roles.default.machines.${host}.settings.services
);
hostnameEntries = ''
crocus 10800 IN AAAA fd28:387a:90:c400:6db2:dfc3:c376:9956
genepi 10800 IN AAAA fd28:387a:90:c400:ab23:3d38:a148:f539
verbena 10800 IN AAAA fd28:387a:90:c400::1
haze 10800 IN AAAA fd28:387a:90:c400:840e:e9db:4c08:b920
'';
zonefile = builtins.toFile "${settings.tld}.zone" (
''
$TTL 3600 ; 1 Hour
$ORIGIN ${settings.tld}.
${settings.tld}. IN SOA ns1 admin.rpqt.fr. (
2025112300 ; serial
10800 ; refresh
3600 ; retry
604800 ; expire
300 ; minimum
)
${builtins.concatStringsSep "\n" (
lib.lists.imap1 (i: _m: "@ 1D IN NS ns${toString i}.${settings.tld}.") (
lib.attrNames roles.server.machines
)
)}
${builtins.concatStringsSep "\n" (
lib.lists.imap1 (i: m: "ns${toString i} 10800 IN CNAME ${m}.${settings.tld}.") (
lib.attrNames roles.server.machines
)
)}
''
+ hostnameEntries
+ "\n"
+ (lib.strings.concatStringsSep "\n" (
map (host: hostServiceEntries host) (lib.attrNames roles.default.machines)
))
);
in
{
networking.firewall.interfaces.wireguard = {
allowedTCPPorts = [ settings.dnsPort ];
allowedUDPPorts = [ settings.dnsPort ];
};
services.coredns = {
enable = true;
config =
let
dnsPort = builtins.toString settings.dnsPort;
in
''
.:${dnsPort} {
bind wireguard
forward . 1.1.1.1
cache 30
}
${settings.tld}:${dnsPort} {
bind wireguard
file ${zonefile}
}
'';
};
};
};
};
roles.default = {
description = "A machine that registers the 'server' role as resolver and registers services under the configured TLD in the resolver.";
interface =
{ lib, ... }:
{
options.services = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
description = ''
Service endpoints this host exposes (without TLD). Each entry will
be resolved to <entry>.<tld> using the configured top-level domain.
'';
};
options.ip = lib.mkOption {
type = lib.types.str;
# TODO: Set a default
description = "IP on which the services will listen";
};
options.dnsPort = lib.mkOption {
type = lib.types.int;
default = 1053;
description = "Port of the clan-internal DNS server";
};
};
perInstance =
{ roles, settings, ... }:
{
nixosModule =
{ config, lib, ... }:
{
networking.nameservers = map (
m:
let
port = config.services.unbound.settings.server.port or 53;
in
"127.0.0.1:${toString port}#${roles.server.machines.${m}.settings.tld}"
) (lib.attrNames roles.server.machines);
services.resolved.domains = map (m: "~${roles.server.machines.${m}.settings.tld}") (
lib.attrNames roles.server.machines
);
services.unbound = {
enable = true;
# resolveLocalQueries = true;
checkconf = true;
settings = {
server = {
port = 5353;
verbosity = 2;
interface = [ "127.0.0.1" ];
access-control = [ "127.0.0.0/8 allow" ];
do-not-query-localhost = "no";
domain-insecure = map (m: "${roles.server.machines.${m}.settings.tld}.") (
lib.attrNames roles.server.machines
);
};
# Default: forward everything else to DHCP-provided resolvers
# forward-zone = [
# {
# name = ".";
# forward-addr = "127.0.0.53@53"; # Forward to systemd-resolved
# }
# ];
forward-zone = [
{
name = ".";
forward-tls-upstream = true;
forward-addr = [
"9.9.9.9#dns.quad9.net"
"149.112.112.112#dns.quad9.net"
"1.1.1.1@853#cloudflare-dns.com"
"1.0.0.1@853#cloudflare-dns.com"
"2606:4700:4700::1111@853#cloudflare-dns.com"
"2606:4700:4700::1001@853#cloudflare-dns.com"
"8.8.8.8#dns.google"
"8.8.4.4#dns.google"
"2001:4860:4860::8888#dns.google"
"2001:4860:4860::8844#dns.google"
];
}
];
stub-zone = {
name = "${roles.server.machines.${(lib.head (lib.attrNames roles.server.machines))}.settings.tld}.";
stub-addr = map (
m: "${roles.server.machines.${m}.settings.ip}@${builtins.toString settings.dnsPort}"
) (lib.attrNames roles.server.machines);
};
};
};
};
};
};
}

18
clanServices/coredns/flake-module.nix Normal file
View file

@ -0,0 +1,18 @@
{ ... }:
let
module = ./default.nix;
in
{
clan.modules = {
"@rpqt/coredns" = module;
};
# perSystem =
# { ... }:
# {
# clan.nixosTests.coredns = {
# imports = [ ./tests/vm/default.nix ];
# clan.modules."@rpqt/coredns" = module;
# };
# };
}

1
clanServices/flake-module.nix
View file

@ -1,6 +1,7 @@
{ {
imports = [ imports = [
./buildbot/flake-module.nix ./buildbot/flake-module.nix
./coredns/flake-module.nix
./prometheus/flake-module.nix ./prometheus/flake-module.nix
]; ];

98
flake.lock generated
View file

@ -10,11 +10,11 @@
"treefmt-nix": "treefmt-nix" "treefmt-nix": "treefmt-nix"
}, },
"locked": { "locked": {
"lastModified": 1771733760, "lastModified": 1771244661,
"narHash": "sha256-/cOjTl8VjPFFijyDLoWXXU+7lSbl8guotHOPL6OAysw=", "narHash": "sha256-SMPAkwTSsSkRktu2alihmOQvWdJ99Hy+oNFEnQrrSEI=",
"owner": "nix-community", "owner": "nix-community",
"repo": "buildbot-nix", "repo": "buildbot-nix",
"rev": "e9010d0937faf7a7b7e534e567cfd4ea5b209070", "rev": "cb4a75cc61446177491b00332285bfd6e57d5d8f",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -40,11 +40,11 @@
"treefmt-nix": "treefmt-nix_2" "treefmt-nix": "treefmt-nix_2"
}, },
"locked": { "locked": {
"lastModified": 1771945875, "lastModified": 1771457652,
"narHash": "sha256-/TgDXPTCDr3H/y+TRy80rsDquyjO5rTZob9HZdBKx3w=", "narHash": "sha256-FOquRYuE76l0vEYzMZNjsH7egD62nLW2foZ6azTBd/Q=",
"ref": "refs/heads/main", "ref": "refs/heads/main",
"rev": "1e54e4a55463239941f94116ad010ed497000274", "rev": "ea3e53509d04b60a3cc20608aae771eea426f773",
"revCount": 13148, "revCount": 13076,
"type": "git", "type": "git",
"url": "https://git.clan.lol/clan/clan-core" "url": "https://git.clan.lol/clan/clan-core"
}, },
@ -84,11 +84,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1771909837, "lastModified": 1771211199,
"narHash": "sha256-3mi2CJwfQ/ofn1TJZafFmETNnnR+tqMz0Yvafa3j3tQ=", "narHash": "sha256-1JHyii0rZzm9oyTgSxhW3v/t5XPEzqov+QN8bRUkxnk=",
"rev": "9fb339dde200d2aa7ed9f57fe0c678fbaf1b494c", "rev": "541e221be610c7e89a190ab2167d866a67cb815a",
"type": "tarball", "type": "tarball",
"url": "https://git.clan.lol/api/v1/repos/clan/data-mesher/archive/9fb339dde200d2aa7ed9f57fe0c678fbaf1b494c.tar.gz" "url": "https://git.clan.lol/api/v1/repos/clan/data-mesher/archive/541e221be610c7e89a190ab2167d866a67cb815a.tar.gz"
}, },
"original": { "original": {
"type": "tarball", "type": "tarball",
@ -127,11 +127,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1771881364, "lastModified": 1771355198,
"narHash": "sha256-A5uE/hMium5of/QGC6JwF5TGoDAfpNtW00T0s9u/PN8=", "narHash": "sha256-89m5VKxIs8QNiIvLsxHu5NpyhDsoXTtoN801IAurnW4=",
"owner": "nix-community", "owner": "nix-community",
"repo": "disko", "repo": "disko",
"rev": "a4cb7bf73f264d40560ba527f9280469f1f081c6", "rev": "92fceb111901a6f13e81199be4fab95fce86a5c9",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -147,11 +147,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1771881364, "lastModified": 1771355198,
"narHash": "sha256-A5uE/hMium5of/QGC6JwF5TGoDAfpNtW00T0s9u/PN8=", "narHash": "sha256-89m5VKxIs8QNiIvLsxHu5NpyhDsoXTtoN801IAurnW4=",
"owner": "nix-community", "owner": "nix-community",
"repo": "disko", "repo": "disko",
"rev": "a4cb7bf73f264d40560ba527f9280469f1f081c6", "rev": "92fceb111901a6f13e81199be4fab95fce86a5c9",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -251,11 +251,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1771131391, "lastModified": 1768476106,
"narHash": "sha256-HPBNYf7HiKtBVy7/69vKpLYHX6wTcUxndxmybzDlXP8=", "narHash": "sha256-V0YOJRum50gtKgwavsAfwXc9+XAsJCC7386YZx1sWGQ=",
"owner": "hercules-ci", "owner": "hercules-ci",
"repo": "hercules-ci-effects", "repo": "hercules-ci-effects",
"rev": "0b152e0f7c5cc265a529cd63374b80e2771b207b", "rev": "c19e263e6e22ec7379d972f19e6a322f943c73fb",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -271,11 +271,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1771851181, "lastModified": 1771422582,
"narHash": "sha256-gFgE6mGUftwseV3DUENMb0k0EiHd739lZexPo5O/sdQ=", "narHash": "sha256-xK5kl3OBZaF1VwziVMX+SZ2LT9Fbu5o8vRDt78uR7no=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "9a4b494b1aa1b93d8edf167f46dc8e0c0011280c", "rev": "b3ccd4bb262f4e6d3248b46cede92b90c4a42094",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -316,11 +316,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1771520882, "lastModified": 1771371916,
"narHash": "sha256-9SeTZ4Pwr730YfT7V8Azb8GFbwk1ZwiQDAwft3qAD+o=", "narHash": "sha256-G14VTfmzzRYxAhtEBNanQgCNA++Cv0/9iV4h/lkqX9U=",
"owner": "nix-darwin", "owner": "nix-darwin",
"repo": "nix-darwin", "repo": "nix-darwin",
"rev": "6a7fdcd5839ec8b135821179eea3b58092171bcf", "rev": "aff4c008cec17d6a6760949df641ca0ea9179cac",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -360,9 +360,7 @@
"nixos-generators": { "nixos-generators": {
"inputs": { "inputs": {
"nixlib": "nixlib", "nixlib": "nixlib",
"nixpkgs": [ "nixpkgs": "nixpkgs"
"nixpkgs"
]
}, },
"locked": { "locked": {
"lastModified": 1769813415, "lastModified": 1769813415,
@ -396,11 +394,27 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1771848320, "lastModified": 1736657626,
"narHash": "sha256-0MAd+0mun3K/Ns8JATeHT1sX28faLII5hVLq0L3BdZU=", "narHash": "sha256-FWlPMUzp0lkQBdhKlPqtQdqmp+/C+1MBiEytaYfrCTY=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "2f9e2f85cb14a46410a1399aa9ea7ecf433e422e",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1771369470,
"narHash": "sha256-0NBlEBKkN3lufyvFegY4TYv5mCNHbi5OmBDrzihbBMQ=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "2fc6539b481e1d2569f25f8799236694180c0993", "rev": "0182a361324364ae3f436a63005877674cf45efb",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -444,7 +458,7 @@
"lanzaboote": "lanzaboote", "lanzaboote": "lanzaboote",
"nixos-generators": "nixos-generators", "nixos-generators": "nixos-generators",
"nixos-hardware": "nixos-hardware", "nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs_2",
"srvos": "srvos", "srvos": "srvos",
"terranix": "terranix" "terranix": "terranix"
} }
@ -478,11 +492,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1771889317, "lastModified": 1771166946,
"narHash": "sha256-YV17Q5lEU0S9ppw08Y+cs4eEQJBuc79AzblFoHORLMU=", "narHash": "sha256-UFc4lfGBr+wJmwgDGJDn1cVD6DTr0/8TdronNUiyXlU=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "b027513c32e5b39b59f64626b87fbe168ae02094", "rev": "2d0cf89b4404529778bc82de7e42b5754e0fe4fa",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -498,11 +512,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1771812348, "lastModified": 1771207491,
"narHash": "sha256-d8LL7nSpFueYtZhK29t7j3JiaKLA4lqW8neJv/uZGQc=", "narHash": "sha256-08s9LKq9Et4y9r6FSJLJUnRCyJHZMauAIok45ulQo0k=",
"owner": "nix-community", "owner": "nix-community",
"repo": "srvos", "repo": "srvos",
"rev": "ffc8fceb1e3cad06b5074cda30f88132b4fb4869", "rev": "434ed3900e9a7b23638da97ebe16ab0e0be7fef5",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -552,11 +566,11 @@
"systems": "systems_2" "systems": "systems_2"
}, },
"locked": { "locked": {
"lastModified": 1771504637, "lastModified": 1762472226,
"narHash": "sha256-qPYBCcvws0cqVf4blYyxQ6JNxOdvUPK41s2sfqk6wL0=", "narHash": "sha256-iVS4sxVgGn+T74rGJjEJbzx+kjsuaP3wdQVXBNJ79A0=",
"owner": "terranix", "owner": "terranix",
"repo": "terranix", "repo": "terranix",
"rev": "f3d77064bd135823a30916a1e63b90b7fe4453ac", "rev": "3b5947a48da5694094b301a3b1ef7b22ec8b19fc",
"type": "github" "type": "github"
}, },
"original": { "original": {

1
flake.nix
View file

@ -40,7 +40,6 @@
nixos-hardware.url = "github:NixOS/nixos-hardware/master"; nixos-hardware.url = "github:NixOS/nixos-hardware/master";
nixos-generators.url = "github:nix-community/nixos-generators"; nixos-generators.url = "github:nix-community/nixos-generators";
nixos-generators.inputs.nixpkgs.follows = "nixpkgs";
clan-core.url = "git+https://git.clan.lol/clan/clan-core"; clan-core.url = "git+https://git.clan.lol/clan/clan-core";
clan-core.inputs.nixpkgs.follows = "nixpkgs"; clan-core.inputs.nixpkgs.follows = "nixpkgs";

28
homeModules/cli.nix
View file

@ -1,6 +1,7 @@
{ {
self, self,
config, config,
osConfig,
pkgs, pkgs,
... ...
}: }:
@ -63,6 +64,33 @@ in
inherit shellAliases; inherit shellAliases;
}; };
programs.zellij.enable = true;
# programs.khal = {
# enable = true;
# };
# accounts.calendar.basePath = ".calendar";
# programs.pimsync.enable = true;
# accounts.calendar.accounts.personal = {
# pimsync.enable = true;
# khal.enable = true;
# thunderbird.enable = true;
# remote = {
# url = "https://cloud.rpqt.fr/remote.php/dav/calendars/rpqt/personal/";
# type = "caldav";
# userName = "rpqt@rpqt.fr";
# passwordCommand = [
# "sh"
# "-c"
# "passage web/cloud.rpqt.fr | head -n 1"
# ];
# };
# };
xdg.configFile."git".source = "${config.dotfiles.path}/.config/git"; xdg.configFile."git".source = "${config.dotfiles.path}/.config/git";
xdg.configFile."jj/config.toml".source = "${config.dotfiles.path}/.config/jj/config.toml"; xdg.configFile."jj/config.toml".source = "${config.dotfiles.path}/.config/jj/config.toml";
xdg.configFile."task/taskrc".source = "${config.dotfiles.path}/.config/task/taskrc"; xdg.configFile."task/taskrc".source = "${config.dotfiles.path}/.config/task/taskrc";