devices.cross.tinc: init

2026-01-12 04:39:23 +08:00 · 2025-10-06 05:25:09 +08:00
parent be023ac1d5
commit e926fa0cf7
5 changed files with 114 additions and 8 deletions
--- a/devices/cross/tinc/default.nix
+++ b/devices/cross/tinc/default.nix
@@ -0,0 +1,102 @@
+inputs:
+let
+  configs =
+  {
+    pc =
+    {
+      settings =
+      {
+        # 如何连接到这个节点
+        addresses = [{ address = "192.168.1.3"; }];
+        # 通过这个节点可以访问哪些地址，用于路由
+        subnets = [{ address = "192.168.85.3"; weight = 1; }];
+        settings.Ed25519PublicKey = "soafMZ/0EViMhKYNc8g8pp4sbhR/2HnnXwGQln0BgCK";
+      };
+      # 这个接口的地址
+      address = "192.168.85.3";
+      useNetworkd = false;
+    };
+    nas =
+    {
+      settings =
+      {
+        addresses = [{ address = "192.168.1.2"; }];
+        subnets = [{ address = "192.168.85.4"; weight = 1; }];
+        settings.Ed25519PublicKey = "sSN3eeBgrMXF6/XYfEBe54TXmfHETOESX+SyrpGlmDK";
+      };
+      address = "192.168.85.4";
+      useNetworkd = true;
+    };
+    vps6 =
+    {
+      settings =
+      {
+        addresses = [{ address = "144.34.225.59"; }];
+        subnets =
+        [
+          { address = "192.168.85.1"; weight = 1; }
+          # { address = "192.168.85.0"; prefixLength = 24; weight = 10; }
+        ];
+        settings.Ed25519PublicKey = "rYOCGG+B4isTifKJQqsEdfhQuQRnUiIsvz7uI7vZiDN";
+      };
+      address = "192.168.85.1";
+      useNetworkd = true;
+    };
+    vps4 =
+    {
+      settings =
+      {
+        addresses = [{ address = "104.234.37.61"; }];
+        subnets =
+        [
+          { address = "192.168.85.2"; weight = 1; }
+          { address = "192.168.85.0"; prefixLength = 24; weight = 10; }
+        ];
+        settings.Ed25519PublicKey = "N03OoCyj4ADkeN3cimJI/bJrBw8g1kz3TJ+1BTe+oyA";
+      };
+      address = "192.168.85.2";
+      useNetworkd = true;
+    };
+  };
+in
+{
+  config = inputs.lib.mkIf (builtins.hasAttr inputs.config.nixos.model.hostname configs)
+  {
+    services.tinc.networks.tinc0 = 
+    {
+      settings =
+      {
+        Interface = "tinc0";
+        # Name = builtins.replaceStrings [ "-" ] [ "_" ] inputs.config.nixos.model.hostname;
+        Name = inputs.config.nixos.model.hostname;
+      };
+      hostSettings = builtins.mapAttrs (n: v: v.settings) configs;
+      ed25519PrivateKeyFile = inputs.config.nixos.system.sops.secrets."tinc".path;
+    };
+    nixos.system =
+    {
+      sops.secrets."tinc".owner = "tinc-tinc0";
+      network = inputs.lib.mkIf (configs.${inputs.config.nixos.model.hostname}.useNetworkd)
+      {
+        static."tinc0" = { ip = configs.${inputs.config.nixos.model.hostname}.address; mask = 24; };
+      };
+    };
+    # systemd.network.networks = inputs.lib.mkIf (configs.${inputs.config.nixos.model.hostname}.useNetworkd)
+    # {
+    #   "10-custom" =
+    #   {
+    #     matchConfig.Name = "tinc0";
+    #     routes = [{ Destination = "192.168.85.0/0"; }];
+    #   };
+    # };
+    environment.etc = inputs.lib.mkIf (!configs.${inputs.config.nixos.model.hostname}.useNetworkd)
+    {
+      "tinc/tinc0/tinc-up".source = inputs.pkgs.writeShellScript "tinc-up"
+      ''
+        ${inputs.pkgs.iproute2}/bin/ip link set $INTERFACE up
+        ${inputs.pkgs.iproute2}/bin/ip addr add ${configs.${inputs.config.nixos.model.hostname}.address}/24 dev $INTERFACE
+      '';
+    };
+    networking.firewall = { allowedTCPPorts = [ 655 ]; allowedUDPPorts = [ 655 ]; };
+  };
+}
--- a/devices/nas/secrets.yaml
+++ b/devices/nas/secrets.yaml
@@ -82,6 +82,7 @@ open-webui:
    webui: ENC[AES256_GCM,data:6rpvA80i+HXkDQgYCDIHbXwDfxHq/5tXQRK4piI=,iv:vVIBHf/9LnY1z4zVZGB0ZRBRwLpdXKvNhsYWySxhsiY=,tag:JmbDJKlZ2dH13+drXyXXPg==,type:str]
 nixvirt:
    yumieko: ENC[AES256_GCM,data:tO+67mdCFH8=,iv:vl+PLSBfMDk7rGmpjuZ8TnEC1B8tni2pphC7cTmxQU0=,tag:RVW5UaUD0g0HDpoGp2/mAA==,type:str]
+tinc: ENC[AES256_GCM,data:IziBdx/fkWltRubpBYcCuZ/jwM7U6OUA8WAglvMRoCN3eFjQEm3GN+J30tfTt8P2ngwHmaKJ7ry7rB7nhLmIUzhNrLEHprwZwqhAIgpMHo4pcCfJBE5Y7ba+kTk3eOI4waxwmfRqFdccmmkDTtw0En0WtSj0/ysOM4n8mmgeYxc5KIUNfasc0IHfHVtNahljvFUpExeT6Tpu9Caa1cznnFQYlMXsEGkveUHNOcEq4DWCUEVCTOE4/jcSg2j3+dJre3/Qz1ELi78=,iv:PmkrR2nccHrKrXr5V+YBVP4eQHBxPIw16ePfgjP7wgY=,tag:jsAh/QfimQ4swHnEtQsiIQ==,type:str]
 sops:
    age:
        - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
@@ -102,7 +103,7 @@ sops:
            by9Rd0U0bzNiK21BQTNxN1RuQ09DQVkKJmSlzV5ppEkZFljsS17ZWmoI++fz4tJh
            kTdoAStG1zsKASHyZTsmdm3RBDO3qV1KhQC2gC7d4EiwNZngxOOZJg==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-09-07T00:23:06Z"
-    mac: ENC[AES256_GCM,data:Vmcv7Hof4ZR8uXOwbk8zeKSfVldCxJQ696m3mCe6ar5FKpGja0f2XbW8a7tpuYqfwNa5Z7OCovku40PZ/TSmq91hQlZ+zbXe66nPx3/ybbQUSu1rvujprv36kvp1BQwK5A2clLEX7Vo7fGsTq1jX1AFrNM7zTJABrET/7yqVdTE=,iv:IkODPE4AMMLpBNbgwbOpYLWpG7IkRPKVBiLfxKASmPs=,tag:9xfwdCvaWvVey24dLmkFSQ==,type:str]
+    lastmodified: "2025-10-05T21:18:59Z"
+    mac: ENC[AES256_GCM,data:U+wSrODDn5O75Vlm2zAZbeD637m6C46pv6eHrVgJgPcGiNPHe/zr0gBDws36hIzENI9MQXD+Nwr0qsBCL7MTpw1J0zDpk4xzDiCkzej2APL17/ogRVQQW7FoZTRmNf8VqiVHZc0SwaKflhjrFguoIcujSzrV6GOQgNHMx69hm7k=,iv:PavKa/VRBBLvohUU5PT5ZPpiHk9qRuL1ONE+j1tSZVw=,tag:k/gwpaCirLj9TxFHcsWJnw==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.10.2
--- a/devices/pc/secrets/default.yaml
+++ b/devices/pc/secrets/default.yaml
@@ -16,6 +16,7 @@ searx:
 xray-xmu-client:
    uuid: ENC[AES256_GCM,data:XiUkReTJLAxZNWFVeD6EiOtUX5tsyPLFi6QyDBdHyB4v5/mD,iv:QppdtP2CFDEVhlrmDJKYBGc1zYGJvpGYxLfsBAMxDSI=,tag:jzMSFRit+aBzWMkaa3+5hA==,type:str]
    cookie: ENC[AES256_GCM,data:0jqSEZloX2/c8Zg4WTKkLw==,iv:BKLm1KMoRrH0uO6hPMsv2a7sG0AwNRrdbpmABP4BszA=,tag:pBs+rQIhhNO4Qr6q1V3MUA==,type:str]
+tinc: ENC[AES256_GCM,data:qI2KAyJiC9m+IOzTQ7SFjWnjzzkxvNe6R2yxyK+C/YnEK4JdYqEETIMuqAUQxaSyHjKk9x6kDs3YPC2AyNKf+lc22YoB35Eo5ym+3+GDDPTL4wL4aI4xnGHVLH3JrSFHDyIbvu8R2NLnSy2j4O5Uj+jJmOz/b1xV8zeLbdoFwLgZCbcxvqkIwMlJdDGjAtjEb8eDkjtVzSRSPXohgYgmhxKZyA5/7c41e+/X6RIsHHeOD+Ppz5jlYAkRrsvAxGTfrMN2xTZopxc=,iv:E/8ys6ucmmaKawqrgumJdjTsC17F7Y0RgnHYfu3RIPQ=,tag:OZM/HG88gyF9TZXwHcd3nA==,type:str]
 sops:
    age:
        - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
@@ -36,7 +37,7 @@ sops:
            OUlxNjdQaXdXMkZ6bnV1ek4yZ2dpbkEKpKGOAxo5Eef2jtGrg4iSzmGCeg+vTgvu
            +K8b+O19MIkGMDBm6UbYUPtc/7eqoEZRiTUzNMTmfkLVS4ul5zou9A==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-08-01T07:22:50Z"
-    mac: ENC[AES256_GCM,data:f4fultak/52Gq6nn1hJJYw3AMeuR3J6gcxtPDG/WKkNV+B+gtabWp5R8J8wLWFJ4C1ZsGHDYMTvTfSUlDVdm1dGpxJtFzdfoBBdajj8s2mju6nMQUFoNFRmHDZEQBdIzfXpob1+7Rsr+bBmg7HnFvjR0ozuaQP9QHsHEZxJVbnU=,iv:xh4OIom1TFgKralXw6rrOR/1xpD5SpY2tHfJUq6v41o=,tag:0QOtWN6DcGf3/gorusbXtQ==,type:str]
+    lastmodified: "2025-10-05T21:05:21Z"
+    mac: ENC[AES256_GCM,data:Z19OHcqCj6SUj1apsdEq6EfeDsQRjglxY7MHWfH+yys5q4+uPLp1XMx2qOIf4K0UUU1OlKQTIQFdssC3HlPz2qNcVDVgMTtG1YcPSLC2DtevOXUH68TyPAszk5SUE25MywcCwF3b9MVigo5s7TxALlkkT03vI57AsXoLHcBo6iY=,iv:dp0elIyXrkaOG5wv20ZiVk+lfxHmztG9GvO9ReDvDjA=,tag:ysI9LoUG449y08ki+KnQGQ==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.10.2
--- a/devices/vps4/secrets.yaml
+++ b/devices/vps4/secrets.yaml
@@ -40,6 +40,7 @@ xray-server:
        user22: ENC[AES256_GCM,data:ee0naewdOjIxA0QEpmUyOSu++sUJQneEufhJBHiyOR7jAPTU,iv:09fZ0dLUZHp9wM2lCiIcTzFey2AkWBmnUCfq8W3FM6Y=,tag:dHBVo/Ok3Q9vy1pIbWC1Kw==,type:str]
    private-key: ENC[AES256_GCM,data:akNIeVp2bfKvnzlS6KLAdqAo7qsGfPatzCZpN1tNRLhRVXmJCcUDVSmVoA==,iv:2Rny8ioDJ2x+NR+n7/Aluv7JZ+Om3MuJKsXiwONYntg=,tag:a3xubIr7hpVjRiHjFL/q5Q==,type:str]
 wireguard: ENC[AES256_GCM,data:3h+cpSHULgwlI/zOI0IL4t4diDzm7qWW1sOWZqkFRWCB0CAfGyydGNlZkqA=,iv:pVpmw0aEDssQSr724h9NvJqFMHu0NupDfCSt1RWVnUk=,tag:fonuszujTzeo2HqO1OokEw==,type:str]
+tinc: ENC[AES256_GCM,data:MO+GKj5Ma1weblDjViBXUR5JS8fKoc5XQp6jVimhgip1MiulkUTgJ0Z+ecazAdBh9WnaI65SnLMXLMzk5wiJfblE5KJ+UlSvn7TXKvFPoWw9WXsU96to7D+IZNAYRXj6eMJ6g9j/u01Q348s5F9RE30C9jtk2mwM1n8yyAP/BuwcyyVZK6jOwtE5zsZyinGzLTCyD8pZqhVQ63qdrNMAdvNowl38cVm5pKYsiZiU9r8fzQJXS+5R65rJPxNKJ9CYBI3ca8OGJbY=,iv:bJgHF4CFagARNXFvkNFznzyUit6LsO75RiDTxZGsmr0=,tag:zDX6N6tDoooRUmovhgKsZw==,type:str]
 sops:
    age:
        - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
@@ -60,7 +61,7 @@ sops:
            Ri9hM3NRTkM4Q1lDdmdPemEweEFBUmcKNLL5qH+JeFWX0GovkPFVVAnz+4tmfG6/
            1jN8YqbMIxf5/L8tauXPf0iIiHa6pUcjtDZPr/OEmeXebmF6Bh9u9Q==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-06-09T07:42:38Z"
-    mac: ENC[AES256_GCM,data:fQm8aI6KdoJVxcl4MQP7Q6EZVqmmLFo9A3Hjo/tKZA+VOYvQWFBxIKwy5Cj0SBi4pWsSjwG6pJZ7m6Wh/dDK4KlgkoaXgAYj+efHtScOH5Gkb0sTpAkHNL+/CJ/cO1doXiXRGj47fn1QB9o9WBaomtOWQbzDts4eFs9pdm8TAq4=,iv:91Ilig4j0ELHEatTY7ALKwwr8AzYnRwhKbdWDcufZF4=,tag:UfwaudQTNKu+uryCZjo3mw==,type:str]
+    lastmodified: "2025-10-05T21:10:30Z"
+    mac: ENC[AES256_GCM,data:yy+mbLJ0kjmNxonwFt1wxZck4AeCEKa8iW6JvhrDnCnvxvSw8DHRc5xvNT/m+lZemqVbkCy5ipnS72rHCf3V6kswdCvgIqhLK5ECkppHaeSr4M2n097Zf56o69S7BYw4MC0oQ8XNT322SHD0zyJCC2fE6Wgs7+PS89QczxO3ch8=,iv:H3fpKlJ7vS5kUow3zgqsF/9DZtsG+b3NpBcKUAjhVGo=,tag:/FhgegbibNY99CuANbSEsw==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.10.2
--- a/devices/vps6/secrets.yaml
+++ b/devices/vps6/secrets.yaml
@@ -46,6 +46,7 @@ coturn:
 wireguard: ENC[AES256_GCM,data:5M7EAy/6+2UASWkjxE0Jrxwl0aNdAVZaUjQnD1wU3YvOAQ/c2DSL8hVtKf8=,iv:a2tXFf1+aP0JhdNtzP8e82KJ71m2o8nx+G0wIx4VMig=,tag:l4TS4QBz2fIkC9/GnZgHnQ==,type:str]
 xray-xmu-client:
    cookie: ENC[AES256_GCM,data:RZ2WFnsX7s/PVqA7ZKhGqw==,iv:CknFoAcHIiIwJI1IEXkFdWXcOCAZr50pfwmQN72OI8o=,tag:w2pNU1APxlSQsGMIEdE2OA==,type:str]
+tinc: ENC[AES256_GCM,data:E3OrPA67R48x5FJUW0ZbERlclz8Z/XokAaGTeBQLPEHSeqEArHYSZkdJRZejFrBruJPlGZMPNBQzlIBXOfXKwMnlBDaGJIIJHIzPDGG9W7QF4IIRK/BjVZHFwfKvZtbUDGsqLcCSe5+ttmyucBaFGquXhnD/Tu09uyWtRvS10KAJLY0Z2/16CFB1+8egJIcYw2TFXObo+KR92Va0qwiDSepKaJtYLimDGRKk04QGj+BYa5y8PjIG6bz8UG82mmCiV7XM3EPlSMA=,iv:kawsklNGFbRhxKuUwvNL2WyBxuYu2T/uks1cJ4i8NhA=,tag:V+jAaxQX7JCiR5+wIVW4Nw==,type:str]
 sops:
    age:
        - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m
@@ -66,7 +67,7 @@ sops:
            ZXFTU3ZCaW1pTVh0RUJzdDdGdHlPYTgK2mlgcX2kEc8+2UDdBnhUm6IIuh8V6agW
            ooxH9OEPXUVI/4JcDo4v8ZUhAyU1ehLH0Ef7PJCChOZe2KZmWSNbhA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-08-01T05:54:47Z"
-    mac: ENC[AES256_GCM,data:OtHwr58A1UOfYxQR88ay76fWmAyWPl5YtNbAiv0LXPLZPRtLGBJKuTjMaHr17AMepFZ+u5IPV2r8z1AUDj0opLXlv3Ik/DJ2PCcQTOBH+/lnSgzJKWfdCip9/wFR6N3dT0PKKLuBiURB9ZCYmtnq6E5+Guadc6ATYDSEpwbENZQ=,iv:kXsYMGjAtUlv1UqFU8Xv0zagohnpHkzSI72mq5HKY7k=,tag:KR+1A8l2VvbzDZV/00hbJg==,type:str]
+    lastmodified: "2025-10-05T21:17:49Z"
+    mac: ENC[AES256_GCM,data:Pp87u4oiU3gljDn9tg//eH2jyQA4CS9yog/ms/iDNO9Ov2T1Bw2Y1ImDjaTrk6pjsJflZin6T/FFb3t6mmjC2raHJy2iasu93/fWJDFeFr27SykRGgew4x9hOWFB3a1lXqlpARskerXhFIucLZVv0m1EMJJ9rBb1G6tPz/XreDE=,iv:Zeo1FrWAvICfY4j7wFgVfjryiiSYD2igXWOkpvwU1VI=,tag:kO3a0hcXS/Bzw7QqsyMiQA==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.10.2