Diffstat (limited to 'makefu')
-rw-r--r--makefu/1systems/darth.nix30
-rw-r--r--makefu/1systems/shoney.nix24
-rw-r--r--makefu/1systems/wry.nix4
-rw-r--r--makefu/2configs/fs/CAC-CentOS-7-64bit.nix20
-rw-r--r--makefu/2configs/hw/CAC.nix13
5 files changed, 75 insertions, 16 deletions
diff --git a/makefu/1systems/darth.nix b/makefu/1systems/darth.nix
index 2f2358dd..08ac7e66 100644
--- a/makefu/1systems/darth.nix
+++ b/makefu/1systems/darth.nix
@@ -17,19 +17,37 @@ in {
../2configs/exim-retiolum.nix
../2configs/virtualization.nix
];
-
- networking.firewall.allowedUDPPorts = [ 80 655 67 ];
- networking.firewall.allowedTCPPorts = [ 80 655 ];
- networking.firewall.checkReversePath = false;
+ services.tinc.networks.siem = {
+ name = "sdarth";
+ extraConfig = "ConnectTo = sjump";
+ };
#networking.firewall.enable = false;
- # virtualisation.nova.enableSingleNode = true;
krebs.retiolum.enable = true;
boot.kernelModules = [ "coretemp" "f71882fg" ];
hardware.enableAllFirmware = true;
nixpkgs.config.allowUnfree = true;
- networking.wireless.enable = true;
+ networking = {
+ wireless.enable = true;
+ firewall = {
+ allowPing = true;
+ logRefusedConnections = false;
+ allowedUDPPorts = [ 80 655 67 ];
+ allowedTCPPorts = [ 80 655 ];
+ };
+ nat = {
+ enable = true;
+ internalIPs = [ "10.8.10.0/24" ];
+ #internalInterfaces = [ "tinc.siem" ];
+ externalIP = "10.8.8.2";
+ externalInterface = "virbr3";
+ };
+ interfaces.virbr3.ip4 = [{
+ address = "10.8.8.2";
+ prefixLength = 24;
+ }];
+ };
# TODO smartd omo darth gum all-in-one
services.smartd.devices = builtins.map (x: { device = x; }) allDisks;
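Review bot: `logRefusedConnections = false` in the new `networking.firewall` block turns off the log entries for refused connection attempts on a host that this same hunk makes a NAT gateway (`nat.enable = true`) and a node of the `siem` tinc network, so probes against it no longer show up in the journal. If the intent is only to cut log noise, record that next to the setting, e.g. `# refused-connection logging disabled to reduce noise; scans of this host are not logged locally`, or leave the option at its default. The NAT rule is matched by source range only (`internalIPs = [ "10.8.10.0/24" ]`) while `internalInterfaces` is commented out; a one-line comment saying why the interface match is disabled would help the next reader judge whether that is deliberate. The enclosing attribute set starts and ends outside the hunk.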
diff --git a/makefu/1systems/shoney.nix b/makefu/1systems/shoney.nix
index ebe5222c..48679fe5 100644
--- a/makefu/1systems/shoney.nix
+++ b/makefu/1systems/shoney.nix
@@ -1,15 +1,20 @@
{ config, pkgs, ... }:
let
- ip = "64.137.235.70";
- gw = "64.137.235.1";
+ ip = "64.137.234.215";
+ alt-ip = "64.137.234.210";
+ extra-ip = "64.137.234.114"; #currently unused
+ gw = "64.137.234.1";
in {
imports = [
../.
- ../../tv/2configs/hw/CAC.nix
- ../../tv/2configs/fs/CAC-CentOS-7-64bit.nix
+ ../2configs/hw/CAC.nix
+ ../2configs/fs/CAC-CentOS-7-64bit.nix
];
+
+ services.tinc.networks.siem.name = "sjump";
+
# minimal resources
services.nixosManual.enable = false;
programs.man.enable = false;
@@ -21,10 +26,13 @@ in {
retiolum.enable = true;
build.host = config.krebs.hosts.shoney;
};
- networking.interfaces.enp2s1.ip4 = [ {
- address = ip;
- prefixLength = 24;
- } ];
+ networking.interfaces.enp2s1.ip4 = [
+ { address = ip; prefixLength = 24; }
+ { address = alt-ip; prefixLength = 24; }
+ ];
+
networking.defaultGateway = gw;
networking.nameservers = [ "8.8.8.8" ];
+ networking.firewall.allowedUDPPorts = [ 655 1655 ];
+ networking.firewall.allowedTCPPorts = [ 655 1655 ];
}
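Review bot: The added `networking.firewall.allowedUDPPorts = [ 655 1655 ];` and `allowedTCPPorts` lines open 1655 on a host with public addresses, and nothing in the visible configuration says which service listens there. 655 is presumably the retiolum tinc daemon and 1655 presumably the `siem` tinc network named `sjump` in the first hunk of this file, but no port setting for `siem` appears in this diff, so the pairing cannot be confirmed from here. A comment such as `# 655: retiolum tinc; 1655: siem tinc (sjump), keep in sync with the siem port setting` would document it. If nothing is bound to 1655 yet, the port is better left closed until the listener exists.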
diff --git a/makefu/1systems/wry.nix b/makefu/1systems/wry.nix
index d9f8ded8..ed48c6ab 100644
--- a/makefu/1systems/wry.nix
+++ b/makefu/1systems/wry.nix
@@ -9,8 +9,8 @@ in {
imports = [
../.
# TODO: copy this config or move to krebs
- ../../tv/2configs/hw/CAC.nix
- ../../tv/2configs/fs/CAC-CentOS-7-64bit.nix
+ ../2configs/hw/CAC.nix
+ ../2configs/fs/CAC-CentOS-7-64bit.nix
../2configs/headless.nix
../2configs/bepasty-dual.nix
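Review bot: The context comment `# TODO: copy this config or move to krebs` directly above the two changed import lines looks stale, since this commit adds `makefu/2configs/hw/CAC.nix` and `makefu/2configs/fs/CAC-CentOS-7-64bit.nix` and points the imports at them. Either drop the comment or narrow it to what is still open, e.g. `# TODO: move CAC hw/fs config to krebs`. The imports list continues outside the hunk.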
diff --git a/makefu/2configs/fs/CAC-CentOS-7-64bit.nix b/makefu/2configs/fs/CAC-CentOS-7-64bit.nix
new file mode 100644
index 00000000..c9eb97f4
--- /dev/null
+++ b/makefu/2configs/fs/CAC-CentOS-7-64bit.nix
@@ -0,0 +1,20 @@
+_:
+
+{
+ boot.loader.grub = {
+ device = "/dev/sda";
+ };
+ fileSystems = {
+ "/" = {
+ device = "/dev/centos/root";
+ fsType = "xfs";
+ };
+ "/boot" = {
+ device = "/dev/sda1";
+ fsType = "xfs";
+ };
+ };
+ swapDevices = [
+ { device = "/dev/centos/swap"; }
+ ];
+}
diff --git a/makefu/2configs/hw/CAC.nix b/makefu/2configs/hw/CAC.nix
new file mode 100644
index 00000000..9ed18344
--- /dev/null
+++ b/makefu/2configs/hw/CAC.nix
@@ -0,0 +1,13 @@
+_:
+{
+ boot.initrd.availableKernelModules = [
+ "ata_piix"
+ "vmw_pvscsi"
+ ];
+ boot.loader.grub.splashImage = null;
+ nix = {
+ daemonIONiceLevel = 1;
+ daemonNiceLevel = 1;
+ };
+ sound.enable = false;
+}