makefu: move out to own repo, add vacation-note

3 files changed, 0 insertions, 196 deletions

diff --git a/makefu/2configs/wireguard/server.nix b/makefu/2configs/wireguard/server.nix
deleted file mode 100644
index bb3198178..000000000
--- a/makefu/2configs/wireguard/server.nix
+++ /dev/null
@@ -1,70 +0,0 @@
-{ config,pkgs, ... }:
-let
-  ext-if = config.makefu.server.primary-itf;
-in { # wireguard server
-
-  # opkg install wireguard luci-proto-wireguard
-
-  # boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
-  # conf.all.proxy_arp =1
-  networking.firewall = {
-    allowedUDPPorts = [ 51820 ];
-  };
-  networking.nat = {
-    enable = true;
-    #externalIP = "144.76.26.247";
-    #internalIPs = [ "10.244.0.0/24" ];
-    externalInterface = ext-if;
-    internalInterfaces = [ "wg0" ];
-  };
-  networking.wireguard.interfaces.wg0 = {
-    ips = [ "10.244.0.1/24" ];
-    listenPort = 51820;
-    privateKeyFile = (toString <secrets>) + "/wireguard.key";
-    # allowedIPsAsRoutes = true;
-    postSetup = ''
-        ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.244.0.0/24 -o ${ext-if} -j MASQUERADE
-    '';
-
-      # This undoes the above command
-    postShutdown = ''
-        ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.244.0.0/24 -o ${ext-if} -j MASQUERADE
-    '';
-    peers = [
-      {
-        # x
-        allowedIPs = [ "10.244.0.2/32" ];
-        publicKey = "fe5smvKVy5GAn7EV4w4tav6mqIAKhGWQotm7dRuRt1g=";
-      }
-      {
-        # vbob
-        allowedIPs = [ "10.244.0.3/32" ];
-        publicKey = "Lju7EsCu1OWXhkhdNR7c/uiN60nr0TUPHQ+s8ULPQTw=";
-      }
-      {
-        # x-test
-        allowedIPs = [ "10.244.0.4/32" ];
-        publicKey = "vZ/AJpfDLJyU3DzvYeW70l4FNziVgSTumA89wGHG7XY=";
-      }
-      {
-        # work-router
-        persistentKeepalive = 25;
-        allowedIPs = [ "10.244.0.5/32" ];
-        publicKey = "QJMwwYu/92koCASbHnR/vqe/rN00EV6/o7BGwLockDw=";
-      }
-      {
-        # workr
-        persistentKeepalive = 25;
-        allowedIPs = [ "10.244.0.6/32" ];
-        publicKey = "OFhCF56BrV9tjqW1sxqXEKH/GdqamUT1SqZYSADl5GA=";
-      }
-      {
-        # mobile
-        allowedIPs = [ "10.244.0.7/32" ];
-        publicKey = "Y6fOW2QDt0SsHT7hSVzzJYQVB3JI/txO4/FDB54Z52A=";
-      }
-    ];
-  };
-  # TODO: this issue is related to the router which connects to the host but is
-  # unable to re-connect once restarted
-}
diff --git a/makefu/2configs/wireguard/thierry.nix b/makefu/2configs/wireguard/thierry.nix
deleted file mode 100644
index f1dfef192..000000000
--- a/makefu/2configs/wireguard/thierry.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-{ lib, ... }:
-{
-  networking.wireguard.interfaces.thierry-wg = {
-    ips = [ "172.27.66.10/24" ]; # TODO: not dnyamic
-    privateKeyFile = (toString <secrets>) + "/wg-thierry.key";
-    allowedIPsAsRoutes = true;
-    # explicit route via eth0 to gum
-    peers = [
-    {
-      endpoint = "thierryhome.duckdns.org:51820";
-      allowedIPs = [ "172.27.66.0/24" ];
-      publicKey = "filYuG/xbb2YW8WT0xT26rzeZ/ZiM6NLnbxbsCR9rS0=";
-      persistentKeepalive = 25;
-    }
-    #{
-    #  allowedIPs = [ "172.27.66.3/32" ];
-    #  publicKey = "cDIf14LH4qleXNo889lS2ATIqDx9r//JNCkhHlHgc1Q=";
-    #}
-  ];
-  };
-}
diff --git a/makefu/2configs/wireguard/wiregrill.nix b/makefu/2configs/wireguard/wiregrill.nix
deleted file mode 100644
index 922dc8c0f..000000000
--- a/makefu/2configs/wireguard/wiregrill.nix
+++ /dev/null
@@ -1,105 +0,0 @@
-with import <stockholm/lib>;
-{ config, pkgs, ... }: let
-
-  self = config.krebs.build.host.nets.wiregrill;
-  isRouter = !isNull self.via; # via "internet" is not set
-  ext-if = config.makefu.server.primary-itf;
-
-in mkIf (hasAttr "wiregrill" config.krebs.build.host.nets) {
-  #hack for modprobe inside containers
-  systemd.services."wireguard-wiregrill".path = mkIf config.boot.isContainer (mkBefore [
-    (pkgs.writeDashBin "modprobe" ":")
-  ]);
-
-  boot.kernel.sysctl = mkIf isRouter {
-    "net.ipv6.conf.all.forwarding" = 1;
-    "net.ipv4.conf.all.forwarding" = 1;
-  };
-  #networking.nat =  mkIf isRouter {
-  #  enable = true;
-  #  enableIPv6 = true;
-  #  externalInterface = ext-if;
-  #  internalInterfaces = [ "wiregrill" ];
-  #};
-
-  networking.firewall = {
-    allowedUDPPorts = [ self.wireguard.port ];
-    interfaces.wiregrill = mkIf isRouter {
-      allowedUDPPorts = [ 53 ];
-      allowedTCPPorts = [ 53 ];
-    };
-  };
-
-  services.dnsmasq = mkIf isRouter {
-    enable = true;
-    resolveLocalQueries = false;
-    extraConfig = /* dnsmasq */ ''
-      bind-interfaces
-      interface=retiolum,wiregrill
-    '';
-    servers = [ "1.1.1.1" ];
-  };
-
-  networking.wireguard.interfaces.wiregrill = let 
-    ipt = "${pkgs.iptables}/bin/iptables";
-    ip6 = "${pkgs.iptables}/bin/ip6tables";
-  in {
-    postSetup = ''
-        ${ipt} -A FORWARD -i wiregrill -o retiolum -j ACCEPT
-        ${ipt} -A FORWARD -i wiregrill -o wiregrill -j ACCEPT
-        ${ipt} -A FORWARD -o wiregrill -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-        ${ip6} -A FORWARD -i wiregrill -o retiolum -j ACCEPT
-        ${ip6} -A FORWARD -i retiolum -o wiregrill -j ACCEPT
-        ${ip6} -A FORWARD -i wiregrill -o wiregrill -j ACCEPT
-        ${ip6} -A FORWARD -o wiregrill -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-
-    '' + (optionalString isRouter ''
-        #${ipt} -t nat -A PREROUTING -s 10.244.245.0/24 -j ACCEPT
-        #${ipt} -t nat -A POSTROUTING -s 10.244.245.0/24 ! -d 10.244.245.0/24 -j MASQUERADE
-
-        #${ip6} -t nat -A PREROUTING -s 42:1::/32 -j ACCEPT
-        #${ip6} -t nat -A POSTROUTING -s 42:1::/32 ! -d 42:1::/48 -j MASQUERADE
-    '');
-
-      # This undoes the above command
-      postShutdown = ''
-        ${ipt} -D FORWARD -i wiregrill -o retiolum -j ACCEPT
-        ${ipt} -D FORWARD -i retiolum -o wiregrill -j ACCEPT
-        ${ipt} -D FORWARD -i wiregrill -o wiregrill -j ACCEPT
-        ${ipt} -D FORWARD -i wiregrill -o wiregrill -j ACCEPT
-        ${ipt} -D FORWARD -o wiregrill -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-
-        ${ip6} -D FORWARD -i wiregrill -o retiolum -j ACCEPT
-        ${ip6} -D FORWARD -i retiolum -o wiregrill -j ACCEPT
-        ${ip6} -D FORWARD -i wiregrill -o wiregrill -j ACCEPT
-        ${ip6} -D FORWARD -o wiregrill -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-
-      '' + (optionalString isRouter ''
-
-        ${ipt} -t nat -D PREROUTING -s 10.244.245.0/24 -j ACCEPT
-        ${ipt} -t nat -D POSTROUTING -s 10.244.245.0/24 -j MASQUERADE
-
-        #${ip6} -t nat -D PREROUTING -s 42:1::/32 -j ACCEPT
-        #${ip6} -t nat -D POSTROUTING -s 42:1::/32 ! -d 42:1::/48 -j MASQUERADE
-    '' );
-    ips =
-      (optional (!isNull self.ip4) self.ip4.addr) ++
-      (optional (!isNull self.ip6) self.ip6.addr);
-    listenPort = self.wireguard.port;
-    privateKeyFile = (toString <secrets>) + "/wiregrill.key";
-    allowedIPsAsRoutes = true;
-    peers = mapAttrsToList
-      (_: host: {
-        allowedIPs = if isRouter then
-          (optional (!isNull host.nets.wiregrill.ip4) host.nets.wiregrill.ip4.addr) ++
-          (optional (!isNull host.nets.wiregrill.ip6) host.nets.wiregrill.ip6.addr)
-        else
-          host.nets.wiregrill.wireguard.subnets
-        ;
-        endpoint = mkIf (!isNull host.nets.wiregrill.via) (host.nets.wiregrill.via.ip4.addr + ":${toString host.nets.wiregrill.wireguard.port}");
-        persistentKeepalive = mkIf (!isNull host.nets.wiregrill.via) 61;
-        publicKey = (replaceStrings ["\n"] [""] host.nets.wiregrill.wireguard.pubkey);
-      })
-      (filterAttrs (_: h: hasAttr "wiregrill" h.nets) config.krebs.hosts);
-  };
-}