VEGAS: add hyprspace service

hosts/VEGAS/default.nix

@@ -15,6 +15,11 @@ tools: {
     };
   };
 
+  hypr = {
+    id = "QmYs4xNBby2fTs8RnzfXEk161KD4mftBfCiR8yXtgGPj4J";
+    addr = "10.100.3.5";
+    listenPort = 10000;
+  };
 
   enterprise = {
     subdomain = "backbone";

hosts/VEGAS/services/hyprspace/default.nix

@@ -0,0 +1,75 @@
+{ pkgs, inputs, lib, hosts, config, ... }:
+let
+  inherit (config.networking) hostName;
+  inherit (inputs.self.packages.x86_64-linux) hyprspace;
+  hyprspaceCapableNodes = lib.filterAttrs (_: host: host ? hypr) hosts;
+  peersFormatted = builtins.mapAttrs (_: x: { "${x.hypr.addr}".id = x.hypr.id; }) hyprspaceCapableNodes;
+  peersFiltered = lib.filterAttrs (name: _: name != hostName) peersFormatted;
+  buildHyprspacePeerList = peers: pkgs.writeText "hyprspace-peers.yml" (builtins.toJSON peers);
+  peerList = buildHyprspacePeerList (lib.foldAttrs (n: _: n) null (builtins.attrValues peersFiltered));
+  myNode = hosts.${hostName};
+  listenPort = myNode.hypr.listenPort or 8001;
+
+  precedingConfig = pkgs.writeText "hyprspace-interface.yml" ''
+    interface:
+      name: hyprspace
+      listen_port: ${builtins.toString listenPort}
+      id: ${myNode.hypr.id}
+      address: ${myNode.hypr.addr}/24
+      private_key: !!binary |
+  '';
+
+  privateKeyFile = config.age.secrets.hyprspace-key.path;
+  discoverKey = config.age.secrets.hyprspace-discover-key.path;
+  runConfig = "/run/hyprspace.yml";
+in {
+  networking.hosts = lib.mapAttrs' (k: v: lib.nameValuePair (v.hypr.addr) ([k "${k}.hypr"])) hyprspaceCapableNodes;
+  age.secrets.hyprspace-key = {
+    file = ../../../../secrets/hyprspace-key- + "${hostName}.age";
+    mode = "0400";
+  };
+  systemd.services.hyprspace = {
+    enable = true;
+    wantedBy = [ "multi-user.target" ];
+    preStart = ''
+      test -e ${runConfig} && rm ${runConfig}
+      touch ${runConfig}
+      chmod 0600 ${runConfig}
+
+      cat ${precedingConfig} >> ${runConfig}
+      sed 's/^/    /g' ${privateKeyFile} >> ${runConfig}
+      echo -n 'peers: ' >> ${runConfig}
+      cat ${peerList} >> ${runConfig}
+
+      chmod 0400 ${runConfig}
+    '';
+    path = [ pkgs.iproute2 ];
+    serviceConfig = {
+      ExecStart = "${hyprspace}/bin/hyprspace up hyprspace -f -c ${runConfig}";
+      ExecStop = "${hyprspace}/bin/hyprspace down hyprspace";
+      IPAddressDeny = [
+        "10.0.0.0/8"
+        "100.64.0.0/10"
+        "169.254.0.0/16"
+        "172.16.0.0/12"
+        "192.0.0.0/24"
+        "192.0.2.0/24"
+        "192.168.0.0/16"
+        "198.18.0.0/15"
+        "198.51.100.0/24"
+        "203.0.113.0/24"
+        "240.0.0.0/4"
+        "100::/64"
+        "2001:2::/48"
+        "2001:db8::/32"
+        "fc00::/7"
+        "fe80::/10"
+      ];
+    };
+  };
+  networking.firewall = {
+    allowedTCPPorts = [ listenPort ];
+    allowedUDPPorts = [ listenPort ];
+    trustedInterfaces = [ "hyprspace" ];
+  };
+}

hosts/VEGAS/services/ipfs/default.nix

@@ -52,6 +52,11 @@ in
     };
   };
 
+  systemd.sockets = {
+    ipfs-api.enable = false;
+    ipfs-gateway.enable = false;
+  };
+
   systemd.services.ipfs = {
     environment.LIBP2P_FORCE_PNET = "1";
     serviceConfig.Slice = "remotefshost.slice";

hosts/VEGAS/system.nix

@@ -24,6 +24,7 @@
       # TODO: fix this one
       ./services/forum
       ./services/git
+      ./services/hyprspace
       ./services/ipfs
       ./services/jokes
       ./services/meet

hosts/default.nix

@@ -16,4 +16,16 @@ in with tools.dns; {
     };
     ssh.extraConfig = tools.ssh.extraConfig hostNames [ "Port 69" ];
   };
+
+  # peering
+
+  # max
+  TITAN.hypr = {
+    id = "QmfJ5Tv2z9jFv9Aocevyn6QqRcfm9eYQZhvYvmAVfACfuM";
+    addr = "10.100.3.7";
+  };
+  jericho.hypr = {
+    id = "QmccBLgGP3HR36tTkwSYZX3KDv2EXb1MvYwGVs6PbpbHv9";
+    addr = "10.100.3.13";
+  };
 }

packages/networking/hyprspace/default.nix

@@ -0,0 +1,25 @@
+{ lib, stdenv, buildGoModule, fetchFromGitHub, iproute2mac }:
+
+buildGoModule rec {
+  pname = "hyprspace";
+  version = "0.1.7";
+
+  propagatedBuildInputs = lib.optional stdenv.isDarwin iproute2mac;
+
+  src = fetchFromGitHub {
+    owner = pname;
+    repo = pname;
+    rev = "v${version}";
+    sha256 = "sha256-Ecdxs6see4uexY6DatZ/VSGgWR81zRjo3AeAsXSjJ4A=";
+  };
+
+  vendorSha256 = "sha256-nFiBHhtvTu9Ya6n1KUF+pOXrksHMOph7ABVtGSWVWlo=";
+
+  meta = with lib; {
+    description = "A Lightweight VPN Built on top of Libp2p for Truly Distributed Networks.";
+    homepage = "https://github.com/hyprspace/hyprspace";
+    license = licenses.asl20;
+    maintainers = with maintainers; [ yusdacra ];
+    platforms = platforms.linux ++ platforms.darwin;
+  };
+}

packages/packages.nix

@@ -1,3 +1,5 @@
 { pkgs, ... }: {
+  hyprspace = pkgs.callPackage ./networking/hyprspace { iproute2mac = null; };
+
   privatevoid-smart-card-ca-bundle = pkgs.callPackage ./data/privatevoid-smart-card-certificate-authority-bundle.nix { };
 }

secrets/secrets.nix

@@ -11,6 +11,7 @@ in with hosts;
   "gitea-db-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS ];
   "hydra-db-credentials.age".publicKeys = max ++ map systemKeys [ styx ];
   "hydra-s3.age".publicKeys = max ++ map systemKeys [ styx ];
+  "hyprspace-key-VEGAS.age".publicKeys = max ++ map systemKeys [ VEGAS ];
   "keycloak-dbpass.age".publicKeys = max ++ map systemKeys [ VEGAS ];
   "matrix-appservice-discord-token.age".publicKeys = max ++ map systemKeys [ VEGAS ];
   "minio-console-secrets.age".publicKeys = max ++ map systemKeys [ VEGAS ];