diff options
Diffstat (limited to 'nixos/modules/services/networking')
| -rw-r--r-- | nixos/modules/services/networking/firefox-syncserver.nix | 2 | ||||
| -rw-r--r-- | nixos/modules/services/networking/firefox-syncserver.xml | 79 | ||||
| -rw-r--r-- | nixos/modules/services/networking/mosquitto.nix | 2 | ||||
| -rw-r--r-- | nixos/modules/services/networking/mosquitto.xml | 149 | ||||
| -rw-r--r-- | nixos/modules/services/networking/pleroma.nix | 2 | ||||
| -rw-r--r-- | nixos/modules/services/networking/pleroma.xml | 244 | ||||
| -rw-r--r-- | nixos/modules/services/networking/prosody.nix | 2 | ||||
| -rw-r--r-- | nixos/modules/services/networking/prosody.xml | 92 | ||||
| -rw-r--r-- | nixos/modules/services/networking/yggdrasil.nix | 2 | ||||
| -rw-r--r-- | nixos/modules/services/networking/yggdrasil.xml | 157 |
10 files changed, 5 insertions, 726 deletions
diff --git a/nixos/modules/services/networking/firefox-syncserver.nix b/nixos/modules/services/networking/firefox-syncserver.nix index c26a6ae265ffe..a06b9573a850c 100644 --- a/nixos/modules/services/networking/firefox-syncserver.nix +++ b/nixos/modules/services/networking/firefox-syncserver.nix @@ -311,6 +311,6 @@ in meta = { maintainers = with lib.maintainers; [ pennae ]; - doc = ./firefox-syncserver.xml; + doc = ./firefox-syncserver.md; }; } diff --git a/nixos/modules/services/networking/firefox-syncserver.xml b/nixos/modules/services/networking/firefox-syncserver.xml deleted file mode 100644 index 440922cbba00f..0000000000000 --- a/nixos/modules/services/networking/firefox-syncserver.xml +++ /dev/null @@ -1,79 +0,0 @@ -<!-- Do not edit this file directly, edit its companion .md instead - and regenerate this file using nixos/doc/manual/md-to-db.sh --> -<chapter xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="module-services-firefox-syncserver"> - <title>Firefox Sync server</title> - <para> - A storage server for Firefox Sync that you can easily host yourself. - </para> - <section xml:id="module-services-firefox-syncserver-quickstart"> - <title>Quickstart</title> - <para> - The absolute minimal configuration for the sync server looks like - this: - </para> - <programlisting language="nix"> -services.mysql.package = pkgs.mariadb; - -services.firefox-syncserver = { - enable = true; - secrets = builtins.toFile "sync-secrets" '' - SYNC_MASTER_SECRET=this-secret-is-actually-leaked-to-/nix/store - ''; - singleNode = { - enable = true; - hostname = "localhost"; - url = "http://localhost:5000"; - }; -}; -</programlisting> - <para> - This will start a sync server that is only accessible locally. - Once the services is running you can navigate to - <literal>about:config</literal> in your Firefox profile and set - <literal>identity.sync.tokenserver.uri</literal> to - <literal>http://localhost:5000/1.0/sync/1.5</literal>. Your - browser will now use your local sync server for data storage. - </para> - <warning> - <para> - This configuration should never be used in production. It is not - encrypted and stores its secrets in a world-readable location. - </para> - </warning> - </section> - <section xml:id="module-services-firefox-syncserver-configuration"> - <title>More detailed setup</title> - <para> - The <literal>firefox-syncserver</literal> service provides a - number of options to make setting up small deployment easier. - These are grouped under the <literal>singleNode</literal> element - of the option tree and allow simple configuration of the most - important parameters. - </para> - <para> - Single node setup is split into two kinds of options: those that - affect the sync server itself, and those that affect its - surroundings. Options that affect the sync server are - <literal>capacity</literal>, which configures how many accounts - may be active on this instance, and <literal>url</literal>, which - holds the URL under which the sync server can be accessed. The - <literal>url</literal> can be configured automatically when using - nginx. - </para> - <para> - Options that affect the surroundings of the sync server are - <literal>enableNginx</literal>, <literal>enableTLS</literal> and - <literal>hostnam</literal>. If <literal>enableNginx</literal> is - set the sync server module will automatically add an nginx virtual - host to the system using <literal>hostname</literal> as the domain - and set <literal>url</literal> accordingly. If - <literal>enableTLS</literal> is set the module will also enable - ACME certificates on the new virtual host and force all - connections to be made via TLS. - </para> - <para> - For actual deployment it is also recommended to store the - <literal>secrets</literal> file in a secure location. - </para> - </section> -</chapter> diff --git a/nixos/modules/services/networking/mosquitto.nix b/nixos/modules/services/networking/mosquitto.nix index 563412025561f..a4fd2fd7c89f1 100644 --- a/nixos/modules/services/networking/mosquitto.nix +++ b/nixos/modules/services/networking/mosquitto.nix @@ -671,6 +671,6 @@ in meta = { maintainers = with lib.maintainers; [ pennae ]; - doc = ./mosquitto.xml; + doc = ./mosquitto.md; }; } diff --git a/nixos/modules/services/networking/mosquitto.xml b/nixos/modules/services/networking/mosquitto.xml deleted file mode 100644 index 91934617c56d5..0000000000000 --- a/nixos/modules/services/networking/mosquitto.xml +++ /dev/null @@ -1,149 +0,0 @@ -<!-- Do not edit this file directly, edit its companion .md instead - and regenerate this file using nixos/doc/manual/md-to-db.sh --> -<chapter xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="module-services-mosquitto"> - <title>Mosquitto</title> - <para> - Mosquitto is a MQTT broker often used for IoT or home automation - data transport. - </para> - <section xml:id="module-services-mosquitto-quickstart"> - <title>Quickstart</title> - <para> - A minimal configuration for Mosquitto is - </para> - <programlisting language="nix"> -services.mosquitto = { - enable = true; - listeners = [ { - acl = [ "pattern readwrite #" ]; - omitPasswordAuth = true; - settings.allow_anonymous = true; - } ]; -}; -</programlisting> - <para> - This will start a broker on port 1883, listening on all interfaces - of the machine, allowing read/write access to all topics to any - user without password requirements. - </para> - <para> - User authentication can be configured with the - <literal>users</literal> key of listeners. A config that gives - full read access to a user <literal>monitor</literal> and - restricted write access to a user <literal>service</literal> could - look like - </para> - <programlisting language="nix"> -services.mosquitto = { - enable = true; - listeners = [ { - users = { - monitor = { - acl = [ "read #" ]; - password = "monitor"; - }; - service = { - acl = [ "write service/#" ]; - password = "service"; - }; - }; - } ]; -}; -</programlisting> - <para> - TLS authentication is configured by setting TLS-related options of - the listener: - </para> - <programlisting language="nix"> -services.mosquitto = { - enable = true; - listeners = [ { - port = 8883; # port change is not required, but helpful to avoid mistakes - # ... - settings = { - cafile = "/path/to/mqtt.ca.pem"; - certfile = "/path/to/mqtt.pem"; - keyfile = "/path/to/mqtt.key"; - }; - } ]; -</programlisting> - </section> - <section xml:id="module-services-mosquitto-config"> - <title>Configuration</title> - <para> - The Mosquitto configuration has four distinct types of settings: - the global settings of the daemon, listeners, plugins, and - bridges. Bridges and listeners are part of the global - configuration, plugins are part of listeners. Users of the broker - are configured as parts of listeners rather than globally, - allowing configurations in which a given user is only allowed to - log in to the broker using specific listeners (eg to configure an - admin user with full access to all topics, but restricted to - localhost). - </para> - <para> - Almost all options of Mosquitto are available for configuration at - their appropriate levels, some as NixOS options written in camel - case, the remainders under <literal>settings</literal> with their - exact names in the Mosquitto config file. The exceptions are - <literal>acl_file</literal> (which is always set according to the - <literal>acl</literal> attributes of a listener and its users) and - <literal>per_listener_settings</literal> (which is always set to - <literal>true</literal>). - </para> - <section xml:id="module-services-mosquitto-config-passwords"> - <title>Password authentication</title> - <para> - Mosquitto can be run in two modes, with a password file or - without. Each listener has its own password file, and different - listeners may use different password files. Password file - generation can be disabled by setting - <literal>omitPasswordAuth = true</literal> for a listener; in - this case it is necessary to either set - <literal>settings.allow_anonymous = true</literal> to allow all - logins, or to configure other authentication methods like TLS - client certificates with - <literal>settings.use_identity_as_username = true</literal>. - </para> - <para> - The default is to generate a password file for each listener - from the users configured to that listener. Users with no - configured password will not be added to the password file and - thus will not be able to use the broker. - </para> - </section> - <section xml:id="module-services-mosquitto-config-acl"> - <title>ACL format</title> - <para> - Every listener has a Mosquitto <literal>acl_file</literal> - attached to it. This ACL is configured via two attributes of the - config: - </para> - <itemizedlist spacing="compact"> - <listitem> - <para> - the <literal>acl</literal> attribute of the listener - configures pattern ACL entries and topic ACL entries for - anonymous users. Each entry must be prefixed with - <literal>pattern</literal> or <literal>topic</literal> to - distinguish between these two cases. - </para> - </listitem> - <listitem> - <para> - the <literal>acl</literal> attribute of every user - configures in the listener configured the ACL for that given - user. Only topic ACLs are supported by Mosquitto in this - setting, so no prefix is required or allowed. - </para> - </listitem> - </itemizedlist> - <para> - The default ACL for a listener is empty, disallowing all - accesses from all clients. To configure a completely open ACL, - set <literal>acl = [ "pattern readwrite #" ]</literal> - in the listener. - </para> - </section> - </section> -</chapter> diff --git a/nixos/modules/services/networking/pleroma.nix b/nixos/modules/services/networking/pleroma.nix index f317510258ba5..e9db7f3eab8ed 100644 --- a/nixos/modules/services/networking/pleroma.nix +++ b/nixos/modules/services/networking/pleroma.nix @@ -147,5 +147,5 @@ in { }; meta.maintainers = with lib.maintainers; [ ninjatrappeur ]; - meta.doc = ./pleroma.xml; + meta.doc = ./pleroma.md; } diff --git a/nixos/modules/services/networking/pleroma.xml b/nixos/modules/services/networking/pleroma.xml deleted file mode 100644 index 97954f4b95141..0000000000000 --- a/nixos/modules/services/networking/pleroma.xml +++ /dev/null @@ -1,244 +0,0 @@ -<!-- Do not edit this file directly, edit its companion .md instead - and regenerate this file using nixos/doc/manual/md-to-db.sh --> -<chapter xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="module-services-pleroma"> - <title>Pleroma</title> - <para> - <link xlink:href="https://pleroma.social/">Pleroma</link> is a - lightweight activity pub server. - </para> - <section xml:id="module-services-pleroma-generate-config"> - <title>Generating the Pleroma config</title> - <para> - The <literal>pleroma_ctl</literal> CLI utility will prompt you - some questions and it will generate an initial config file. This - is an example of usage - </para> - <programlisting> -$ mkdir tmp-pleroma -$ cd tmp-pleroma -$ nix-shell -p pleroma-otp -$ pleroma_ctl instance gen --output config.exs --output-psql setup.psql -</programlisting> - <para> - The <literal>config.exs</literal> file can be further customized - following the instructions on the - <link xlink:href="https://docs-develop.pleroma.social/backend/configuration/cheatsheet/">upstream - documentation</link>. Many refinements can be applied also after - the service is running. - </para> - </section> - <section xml:id="module-services-pleroma-initialize-db"> - <title>Initializing the database</title> - <para> - First, the Postgresql service must be enabled in the NixOS - configuration - </para> - <programlisting> -services.postgresql = { - enable = true; - package = pkgs.postgresql_13; -}; -</programlisting> - <para> - and activated with the usual - </para> - <programlisting> -$ nixos-rebuild switch -</programlisting> - <para> - Then you can create and seed the database, using the - <literal>setup.psql</literal> file that you generated in the - previous section, by running - </para> - <programlisting> -$ sudo -u postgres psql -f setup.psql -</programlisting> - </section> - <section xml:id="module-services-pleroma-enable"> - <title>Enabling the Pleroma service locally</title> - <para> - In this section we will enable the Pleroma service only locally, - so its configurations can be improved incrementally. - </para> - <para> - This is an example of configuration, where - <xref linkend="opt-services.pleroma.configs" /> option contains - the content of the file <literal>config.exs</literal>, generated - <link linkend="module-services-pleroma-generate-config">in the - first section</link>, but with the secrets (database password, - endpoint secret key, salts, etc.) removed. Removing secrets is - important, because otherwise they will be stored publicly in the - Nix store. - </para> - <programlisting> -services.pleroma = { - enable = true; - secretConfigFile = "/var/lib/pleroma/secrets.exs"; - configs = [ - '' - import Config - - config :pleroma, Pleroma.Web.Endpoint, - url: [host: "pleroma.example.net", scheme: "https", port: 443], - http: [ip: {127, 0, 0, 1}, port: 4000] - - config :pleroma, :instance, - name: "Test", - email: "admin@example.net", - notify_email: "admin@example.net", - limit: 5000, - registrations_open: true - - config :pleroma, :media_proxy, - enabled: false, - redirect_on_failure: true - - config :pleroma, Pleroma.Repo, - adapter: Ecto.Adapters.Postgres, - username: "pleroma", - database: "pleroma", - hostname: "localhost" - - # Configure web push notifications - config :web_push_encryption, :vapid_details, - subject: "mailto:admin@example.net" - - # ... TO CONTINUE ... - '' - ]; -}; -</programlisting> - <para> - Secrets must be moved into a file pointed by - <xref linkend="opt-services.pleroma.secretConfigFile" />, in our - case <literal>/var/lib/pleroma/secrets.exs</literal>. This file - can be created copying the previously generated - <literal>config.exs</literal> file and then removing all the - settings, except the secrets. This is an example - </para> - <programlisting> -# Pleroma instance passwords - -import Config - -config :pleroma, Pleroma.Web.Endpoint, - secret_key_base: "<the secret generated by pleroma_ctl>", - signing_salt: "<the secret generated by pleroma_ctl>" - -config :pleroma, Pleroma.Repo, - password: "<the secret generated by pleroma_ctl>" - -# Configure web push notifications -config :web_push_encryption, :vapid_details, - public_key: "<the secret generated by pleroma_ctl>", - private_key: "<the secret generated by pleroma_ctl>" - -# ... TO CONTINUE ... -</programlisting> - <para> - Note that the lines of the same configuration group are comma - separated (i.e. all the lines end with a comma, except the last - one), so when the lines with passwords are added or removed, - commas must be adjusted accordingly. - </para> - <para> - The service can be enabled with the usual - </para> - <programlisting> -$ nixos-rebuild switch -</programlisting> - <para> - The service is accessible only from the local - <literal>127.0.0.1:4000</literal> port. It can be tested using a - port forwarding like this - </para> - <programlisting> -$ ssh -L 4000:localhost:4000 myuser@example.net -</programlisting> - <para> - and then accessing - <link xlink:href="http://localhost:4000">http://localhost:4000</link> - from a web browser. - </para> - </section> - <section xml:id="module-services-pleroma-admin-user"> - <title>Creating the admin user</title> - <para> - After Pleroma service is running, all - <link xlink:href="https://docs-develop.pleroma.social/">Pleroma - administration utilities</link> can be used. In particular an - admin user can be created with - </para> - <programlisting> -$ pleroma_ctl user new <nickname> <email> --admin --moderator --password <password> -</programlisting> - </section> - <section xml:id="module-services-pleroma-nginx"> - <title>Configuring Nginx</title> - <para> - In this configuration, Pleroma is listening only on the local port - 4000. Nginx can be configured as a Reverse Proxy, for forwarding - requests from public ports to the Pleroma service. This is an - example of configuration, using - <link xlink:href="https://letsencrypt.org/">Let’s Encrypt</link> - for the TLS certificates - </para> - <programlisting> -security.acme = { - email = "root@example.net"; - acceptTerms = true; -}; - -services.nginx = { - enable = true; - addSSL = true; - - recommendedTlsSettings = true; - recommendedOptimisation = true; - recommendedGzipSettings = true; - - recommendedProxySettings = false; - # NOTE: if enabled, the NixOS proxy optimizations will override the Pleroma - # specific settings, and they will enter in conflict. - - virtualHosts = { - "pleroma.example.net" = { - http2 = true; - enableACME = true; - forceSSL = true; - - locations."/" = { - proxyPass = "http://127.0.0.1:4000"; - - extraConfig = '' - etag on; - gzip on; - - add_header 'Access-Control-Allow-Origin' '*' always; - add_header 'Access-Control-Allow-Methods' 'POST, PUT, DELETE, GET, PATCH, OPTIONS' always; - add_header 'Access-Control-Allow-Headers' 'Authorization, Content-Type, Idempotency-Key' always; - add_header 'Access-Control-Expose-Headers' 'Link, X-RateLimit-Reset, X-RateLimit-Limit, X-RateLimit-Remaining, X-Request-Id' always; - if ($request_method = OPTIONS) { - return 204; - } - add_header X-XSS-Protection "1; mode=block"; - add_header X-Permitted-Cross-Domain-Policies none; - add_header X-Frame-Options DENY; - add_header X-Content-Type-Options nosniff; - add_header Referrer-Policy same-origin; - add_header X-Download-Options noopen; - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - proxy_set_header Host $host; - - client_max_body_size 16m; - # NOTE: increase if users need to upload very big files - ''; - }; - }; - }; -}; -</programlisting> - </section> -</chapter> diff --git a/nixos/modules/services/networking/prosody.nix b/nixos/modules/services/networking/prosody.nix index 0746bbf184fce..9f68853f9fa83 100644 --- a/nixos/modules/services/networking/prosody.nix +++ b/nixos/modules/services/networking/prosody.nix @@ -905,5 +905,5 @@ in }; - meta.doc = ./prosody.xml; + meta.doc = ./prosody.md; } diff --git a/nixos/modules/services/networking/prosody.xml b/nixos/modules/services/networking/prosody.xml deleted file mode 100644 index 5df046f814591..0000000000000 --- a/nixos/modules/services/networking/prosody.xml +++ /dev/null @@ -1,92 +0,0 @@ -<!-- Do not edit this file directly, edit its companion .md instead - and regenerate this file using nixos/doc/manual/md-to-db.sh --> -<chapter xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="module-services-prosody"> - <title>Prosody</title> - <para> - <link xlink:href="https://prosody.im/">Prosody</link> is an - open-source, modern XMPP server. - </para> - <section xml:id="module-services-prosody-basic-usage"> - <title>Basic usage</title> - <para> - A common struggle for most XMPP newcomers is to find the right set - of XMPP Extensions (XEPs) to setup. Forget to activate a few of - those and your XMPP experience might turn into a nightmare! - </para> - <para> - The XMPP community tackles this problem by creating a meta-XEP - listing a decent set of XEPs you should implement. This meta-XEP - is issued every year, the 2020 edition being - <link xlink:href="https://xmpp.org/extensions/xep-0423.html">XEP-0423</link>. - </para> - <para> - The NixOS Prosody module will implement most of these recommendend - XEPs out of the box. That being said, two components still require - some manual configuration: the - <link xlink:href="https://xmpp.org/extensions/xep-0045.html">Multi - User Chat (MUC)</link> and the - <link xlink:href="https://xmpp.org/extensions/xep-0363.html">HTTP - File Upload</link> ones. You’ll need to create a DNS subdomain for - each of those. The current convention is to name your MUC endpoint - <literal>conference.example.org</literal> and your HTTP upload - domain <literal>upload.example.org</literal>. - </para> - <para> - A good configuration to start with, including a - <link xlink:href="https://xmpp.org/extensions/xep-0045.html">Multi - User Chat (MUC)</link> endpoint as well as a - <link xlink:href="https://xmpp.org/extensions/xep-0363.html">HTTP - File Upload</link> endpoint will look like this: - </para> - <programlisting> -services.prosody = { - enable = true; - admins = [ "root@example.org" ]; - ssl.cert = "/var/lib/acme/example.org/fullchain.pem"; - ssl.key = "/var/lib/acme/example.org/key.pem"; - virtualHosts."example.org" = { - enabled = true; - domain = "example.org"; - ssl.cert = "/var/lib/acme/example.org/fullchain.pem"; - ssl.key = "/var/lib/acme/example.org/key.pem"; - }; - muc = [ { - domain = "conference.example.org"; - } ]; - uploadHttp = { - domain = "upload.example.org"; - }; -}; -</programlisting> - </section> - <section xml:id="module-services-prosody-letsencrypt"> - <title>Let’s Encrypt Configuration</title> - <para> - As you can see in the code snippet from the - <link linkend="module-services-prosody-basic-usage">previous - section</link>, you’ll need a single TLS certificate covering your - main endpoint, the MUC one as well as the HTTP Upload one. We can - generate such a certificate by leveraging the ACME - <link linkend="opt-security.acme.certs._name_.extraDomainNames">extraDomainNames</link> - module option. - </para> - <para> - Provided the setup detailed in the previous section, you’ll need - the following acme configuration to generate a TLS certificate for - the three endponits: - </para> - <programlisting> -security.acme = { - email = "root@example.org"; - acceptTerms = true; - certs = { - "example.org" = { - webroot = "/var/www/example.org"; - email = "root@example.org"; - extraDomainNames = [ "conference.example.org" "upload.example.org" ]; - }; - }; -}; -</programlisting> - </section> -</chapter> diff --git a/nixos/modules/services/networking/yggdrasil.nix b/nixos/modules/services/networking/yggdrasil.nix index 3d5cbdd2dc3ed..fd7193154c6c7 100644 --- a/nixos/modules/services/networking/yggdrasil.nix +++ b/nixos/modules/services/networking/yggdrasil.nix @@ -193,7 +193,7 @@ in { environment.systemPackages = [ cfg.package ]; }); meta = { - doc = ./yggdrasil.xml; + doc = ./yggdrasil.md; maintainers = with lib.maintainers; [ gazally ehmry ]; }; } diff --git a/nixos/modules/services/networking/yggdrasil.xml b/nixos/modules/services/networking/yggdrasil.xml deleted file mode 100644 index 39faacbf30efe..0000000000000 --- a/nixos/modules/services/networking/yggdrasil.xml +++ /dev/null @@ -1,157 +0,0 @@ -<!-- Do not edit this file directly, edit its companion .md instead - and regenerate this file using nixos/doc/manual/md-to-db.sh --> -<chapter xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="module-services-networking-yggdrasil"> - <title>Yggdrasil</title> - <para> - <emphasis>Source:</emphasis> - <filename>modules/services/networking/yggdrasil/default.nix</filename> - </para> - <para> - <emphasis>Upstream documentation:</emphasis> - <link xlink:href="https://yggdrasil-network.github.io/">https://yggdrasil-network.github.io/</link> - </para> - <para> - Yggdrasil is an early-stage implementation of a fully end-to-end - encrypted, self-arranging IPv6 network. - </para> - <section xml:id="module-services-networking-yggdrasil-configuration"> - <title>Configuration</title> - <section xml:id="module-services-networking-yggdrasil-configuration-simple"> - <title>Simple ephemeral node</title> - <para> - An annotated example of a simple configuration: - </para> - <programlisting> -{ - services.yggdrasil = { - enable = true; - persistentKeys = false; - # The NixOS module will generate new keys and a new IPv6 address each time - # it is started if persistentKeys is not enabled. - - settings = { - Peers = [ - # Yggdrasil will automatically connect and "peer" with other nodes it - # discovers via link-local multicast announcements. Unless this is the - # case (it probably isn't) a node needs peers within the existing - # network that it can tunnel to. - "tcp://1.2.3.4:1024" - "tcp://1.2.3.5:1024" - # Public peers can be found at - # https://github.com/yggdrasil-network/public-peers - ]; - }; - }; -} -</programlisting> - </section> - <section xml:id="module-services-networking-yggdrasil-configuration-prefix"> - <title>Persistent node with prefix</title> - <para> - A node with a fixed address that announces a prefix: - </para> - <programlisting> -let - address = "210:5217:69c0:9afc:1b95:b9f:8718:c3d2"; - prefix = "310:5217:69c0:9afc"; - # taken from the output of "yggdrasilctl getself". -in { - - services.yggdrasil = { - enable = true; - persistentKeys = true; # Maintain a fixed public key and IPv6 address. - settings = { - Peers = [ "tcp://1.2.3.4:1024" "tcp://1.2.3.5:1024" ]; - NodeInfo = { - # This information is visible to the network. - name = config.networking.hostName; - location = "The North Pole"; - }; - }; - }; - - boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1; - # Forward traffic under the prefix. - - networking.interfaces.${eth0}.ipv6.addresses = [{ - # Set a 300::/8 address on the local physical device. - address = prefix + "::1"; - prefixLength = 64; - }]; - - services.radvd = { - # Announce the 300::/8 prefix to eth0. - enable = true; - config = '' - interface eth0 - { - AdvSendAdvert on; - prefix ${prefix}::/64 { - AdvOnLink on; - AdvAutonomous on; - }; - route 200::/8 {}; - }; - ''; - }; -} -</programlisting> - </section> - <section xml:id="module-services-networking-yggdrasil-configuration-container"> - <title>Yggdrasil attached Container</title> - <para> - A NixOS container attached to the Yggdrasil network via a node - running on the host: - </para> - <programlisting> -let - yggPrefix64 = "310:5217:69c0:9afc"; - # Again, taken from the output of "yggdrasilctl getself". -in -{ - boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1; - # Enable IPv6 forwarding. - - networking = { - bridges.br0.interfaces = [ ]; - # A bridge only to containers… - - interfaces.br0 = { - # … configured with a prefix address. - ipv6.addresses = [{ - address = "${yggPrefix64}::1"; - prefixLength = 64; - }]; - }; - }; - - containers.foo = { - autoStart = true; - privateNetwork = true; - hostBridge = "br0"; - # Attach the container to the bridge only. - config = { config, pkgs, ... }: { - networking.interfaces.eth0.ipv6 = { - addresses = [{ - # Configure a prefix address. - address = "${yggPrefix64}::2"; - prefixLength = 64; - }]; - routes = [{ - # Configure the prefix route. - address = "200::"; - prefixLength = 7; - via = "${yggPrefix64}::1"; - }]; - }; - - services.httpd.enable = true; - networking.firewall.allowedTCPPorts = [ 80 ]; - }; - }; - -} -</programlisting> - </section> - </section> -</chapter> |