diff --git a/flake.nix b/flake.nix
index 73b50174..57e27f20 100644
--- a/flake.nix
+++ b/flake.nix
@@ -37,8 +37,9 @@
 in {
 nixosConfigurations = {
 # Virtual
- osaka-vultr-01 = libx.mkHost { hostname = "osaka-vultr-01"; type = "small";};
- nixos-vm-01 = libx.mkHost { hostname = "nixos-vm-01"; };
+ osaka-vultr-01 = libx.mkHost { hostname = "osaka-vultr-01"; type = "small";};
+ osaka-linode-01 = libx.mkHost { hostname = "osaka-linode-01"; type = "small";};
+ nixos-vm-01 = libx.mkHost { hostname = "nixos-vm-01"; };
 # Physical
 framework-server = libx.mkHost { hostname = "framework-server"; desktop = "gnome"; gpu = "intel"; };
 nixos-desktop = libx.mkHost { hostname = "nixos-desktop"; desktop = "gnome"; gpu = "nvidia"; };
@@ -49,8 +50,9 @@
 };
 homeConfigurations = {
 # Virtual
- "albert@osaka-vultr-01" = libx.mkHome { hostname = "osaka-vultr-01"; };
- "albert@nixos-vm-01" = libx.mkHome { hostname = "nixos-vm-01"; };
+ "albert@osaka-vultr-01" = libx.mkHome { hostname = "osaka-vultr-01"; };
+ "albert@osaka-linode-01" = libx.mkHome { hostname = "osaka-linode-01"; };
+ "albert@nixos-vm-01" = libx.mkHome { hostname = "nixos-vm-01"; };
 # Physical
 "albert@framework-server" = libx.mkHome { hostname = "framework-server"; };
 "albert@nixos-desktop" = libx.mkHome { hostname = "nixos-desktop"; };
@@ -60,6 +62,7 @@
 "albert@nixos-rpi4-03" = libx.mkHome { hostname = "nixos-rpi4-03"; platform = "aarch64-linux"; };
 };
 imageConfigurations = {
+ nixos-linode-img = libx.mkImage { hostname = "nixos-linode-img"; format = "linode"; type = "minimal"; };
 nixos-rpi4-img = libx.mkImage { hostname = "nixos-rpi4-img"; format = "sd-aarch64"; platform = "aarch64-linux"; };
 nixos-iso-console = libx.mkImage { hostname = "nixos-iso-console"; format = "iso"; };
 nixos-iso-desktop = libx.mkImage { hostname = "nixos-iso-desktop"; format = "iso"; desktop = "gnome"; };
diff --git a/nixos/hosts/nixos-linode-img/default.nix b/nixos/hosts/nixos-linode-img/default.nix
new file mode 100644
index 00000000..727cdbce
--- /dev/null
+++ b/nixos/hosts/nixos-linode-img/default.nix
@@ -0,0 +1,18 @@
+{ config, lib, pkgs, modulesPath, desktop, username, ... }: {
+ # Distributed Builds
+ nix.distributedBuilds = true;
+ nixpkgs.config.allowUnfree = false;
+
+ boot.initrd.availableKernelModules = [ "ata_piix" "ohci_pci" "virtio_pci" "virtio_blk" "sr_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "iptable_nat" "iptable_filter" "xt_nat" ];
+ boot.extraModulePackages = [ ];
+ virtualisation.hypervGuest.enable = true;
+
+ networking.useDHCP = lib.mkDefault true;
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ time.timeZone = "Asia/Tokyo";
+ networking.hostName = "nixos-linode-img";
+
+ networking.firewall.allowedTCPPorts = [ 22 ];
+}
\ No newline at end of file
diff --git a/nixos/hosts/osaka-linode-01/default.nix b/nixos/hosts/osaka-linode-01/default.nix
new file mode 100644
index 00000000..157f1e77
--- /dev/null
+++ b/nixos/hosts/osaka-linode-01/default.nix
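Review bot: `virtualisation.hypervGuest.enable = true` does not match the rest of this image definition, whose initrd module list (`virtio_pci`, `virtio_blk`) describes a KVM/QEMU guest; if the target is Linode's KVM, the Hyper-V guest services have no hypervisor to talk to and `services.qemuGuest.enable = true` is the matching option. The same line is repeated in `nixos/hosts/osaka-linode-01/default.nix`, and the kernel-module, platform and timezone lines are copied verbatim between the two files; a shared module that both the host and the image import would keep them from drifting. The image also opens TCP 22 on every interface via `networking.firewall.allowedTCPPorts`, which is presumably the bootstrap path; a comment such as `# bootstrap image only: SSH is open on all interfaces until the osaka-linode-01 config replaces it` would record that intent for the next reader.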
@@ -0,0 +1,36 @@
+{ config, lib, pkgs, modulesPath, desktop, username, ... }: {
+ imports = [
+ ./firewall.nix
+ ./wireguard.nix
+ ];
+
+ # Distributed Builds
+ nix.distributedBuilds = true;
+ nixpkgs.config.allowUnfree = false;
+
+ boot.initrd.availableKernelModules = [ "ata_piix" "ohci_pci" "virtio_pci" "virtio_blk" "sr_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "iptable_nat" "iptable_filter" "xt_nat" ];
+ boot.extraModulePackages = [ ];
+ virtualisation.hypervGuest.enable = true;
+
+ networking.useDHCP = lib.mkDefault true;
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ time.timeZone = "Asia/Tokyo";
+ networking.hostName = "osaka-linode-01";
+
+ # networking.firewall.allowedTCPPorts = [ 22 ];
+
+ # Generic Tailscale configs are in /nixos/common/services/tailscale.nix
+ # Set up the secrets file:
+ sops.secrets."tailscale_keys/osaka-linode-01" = {
+ owner = "root";
+ sopsFile = ../../../secrets/tailscale.yaml;
+ restartUnits = [
+ "tailscaled.service"
+ "tailscaled-autoconnect.service"
+ ];
+ };
+ services.tailscale.authKeyFile = "/run/secrets/tailscale_keys/osaka-linode-01";
+ services.tailscale.extraUpFlags = [ "--advertise-exit-node" ];
+}
\ No newline at end of file
diff --git a/nixos/hosts/osaka-linode-01/disks.nix b/nixos/hosts/osaka-linode-01/disks.nix
new file mode 100644
index 00000000..ebdd2834
--- /dev/null
+++ b/nixos/hosts/osaka-linode-01/disks.nix
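Review bot: `./disks.nix`, added in this same commit next to `./firewall.nix` and `./wireguard.nix`, is not in `imports`, so the disko LUKS layout is not part of this host's configuration unless `libx.mkHost` pulls it in by convention (not visible here); if it does not, add `./disks.nix` to the list. With `networking.firewall.allowedTCPPorts = [ 22 ]` commented out, SSH is reachable only on `wireguard0` (per wireguard.nix) and over Tailscale, so a tunnel misconfiguration leaves the provider's out-of-band console as the only way in; a comment next to the commented line such as `# SSH is deliberately not exposed publicly: reach it via wireguard0 or Tailscale, provider console as fallback` turns that from a leftover into a documented choice. `--advertise-exit-node` also makes this host a general internet egress for the tailnet once approved in the admin console, which deserves a one-line comment. `nix.distributedBuilds = true` on a `type = "small"` host looks copied from a build machine; confirm it is intended.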
@@ -0,0 +1,38 @@
+{
+ boot.loader.grub.enableCryptodisk = true;
+ disko.devices.disk.vda = {
+ device = "/dev/vda";
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ boot = {
+ size = "1M";
+ type = "EF02";
+ }; # partitions.boot
+ ESP = {
+ size = "500M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ };
+ }; # ESP
+ luks = {
+ size = "100%";
+ content = {
+ type = "luks";
+ name = "crypted";
+ extraOpenArgs = [ "--allow-discards" ];
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/";
+ }; # content
+ }; # content
+ }; # luks.partitions
+ }; # partitions
+ }; # content
+ }; # disko.devices.disk.vda
+}
\ No newline at end of file
diff --git a/nixos/hosts/osaka-linode-01/firewall.nix b/nixos/hosts/osaka-linode-01/firewall.nix
new file mode 100644
index 00000000..67f09f10
--- /dev/null
+++ b/nixos/hosts/osaka-linode-01/firewall.nix
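Review bot: The `luks` content has no `passwordFile` or key file, and none of the host files in this commit configure initrd networking, so on a headless VPS every boot blocks at the passphrase prompt until someone types it through the provider console; either document that as the intended unlock path (`# root is LUKS with no key file: boot stops at the passphrase prompt, unlock via the provider console`) or give the host `boot.initrd.network` with SSH so it can be unlocked remotely. `boot.loader.grub.enableCryptodisk = true` appears unnecessary here, since `/boot` lives on the unencrypted vfat ESP rather than inside the LUKS container; it only matters when GRUB itself has to read from the encrypted volume. `--allow-discards` is a deliberate trade-off (TRIM exposes the free-space layout through the encrypted mapping) and deserves a comment saying so. The trailing closing comments are mislabelled: the brace after the inner filesystem block is commented `# content` twice and then `# luks.partitions`, where the third one actually closes `luks`.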
@@ -0,0 +1,98 @@
+{ config, lib, pkgs, ... }: {
+ networking.firewall.allowedUDPPorts = [
+ 3478 # Headscale DERP UDP
+ 10000 # Jitsi
+ ];
+ networking.firewall.allowedTCPPorts = [
+ 80 # HTTP
+ 443 # HTTPS
+ 25 # SMTP (explicit TLS => STARTTLS)
+ 465 # ESMTP (implicit TLS)
+ 587 # ESMTP (explicit TLS => STARTTLS)
+ 143 # IMAP4 (explicit TLS => STARTTLS)
+ 993 # IMAP4 (implicit TLS)
+ 4190 # Sieve support
+ 42420 # Vintage Story
+ 25565 # Minecraft
+ 1443 # Headscale DERP
+ 4443 # jitsi-jvb
+ 5222 # Jitsi
+ 5347 # Jitsi
+ 5280 # Jitsi
+ ];
+
+ networking.firewall.extraCommands = ''
+ iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+ iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+
+ # TCP PORTS ##################################################################################################
+ # PORT 80
+ iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.100.0.2
+ iptables -t nat -A POSTROUTING -p tcp --dport 80 -j MASQUERADE
+
+ # PORT 443
+ iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 10.100.0.2
+ iptables -t nat -A POSTROUTING -p tcp --dport 443 -j MASQUERADE
+
+ # PORT 25
+ iptables -t nat -A PREROUTING -p tcp --dport 25 -j DNAT --to-destination 10.100.0.2
+ iptables -t nat -A POSTROUTING -p tcp --dport 25 -j MASQUERADE
+
+ # PORT 465
+ iptables -t nat -A PREROUTING -p tcp --dport 465 -j DNAT --to-destination 10.100.0.2
+ iptables -t nat -A POSTROUTING -p tcp --dport 465 -j MASQUERADE
+
+ # PORT 587
+ iptables -t nat -A PREROUTING -p tcp --dport 587 -j DNAT --to-destination 10.100.0.2
+ iptables -t nat -A POSTROUTING -p tcp --dport 587 -j MASQUERADE
+
+ # PORT 143
+ iptables -t nat -A PREROUTING -p tcp --dport 143 -j DNAT --to-destination 10.100.0.2
+ iptables -t nat -A POSTROUTING -p tcp --dport 143 -j MASQUERADE
+
+ # PORT 993
+ iptables -t nat -A PREROUTING -p tcp --dport 993 -j DNAT --to-destination 10.100.0.2
+ iptables -t nat -A POSTROUTING -p tcp --dport 993 -j MASQUERADE
+
+ # PORT 4190
+ iptables -t nat -A PREROUTING -p tcp --dport 4190 -j DNAT --to-destination 10.100.0.2
+ iptables -t nat -A POSTROUTING -p tcp --dport 4190 -j MASQUERADE
+
+ # PORT 42420
+ iptables -t nat -A PREROUTING -p tcp --dport 42420 -j DNAT --to-destination 10.100.0.2
+ iptables -t nat -A POSTROUTING -p tcp --dport 42420 -j MASQUERADE
+
+ # PORT 25565
+ iptables -t nat -A PREROUTING -p tcp --dport 25565 -j DNAT --to-destination 10.100.0.2
+ iptables -t nat -A POSTROUTING -p tcp --dport 25565 -j MASQUERADE
+
+ # PORT 1443
+ iptables -t nat -A PREROUTING -p tcp --dport 1443 -j DNAT --to-destination 10.100.0.2
+ iptables -t nat -A POSTROUTING -p tcp --dport 1443 -j MASQUERADE
+
+ # PORT 4443
+ iptables -t nat -A PREROUTING -p tcp --dport 4443 -j DNAT --to-destination 10.100.0.2
+ iptables -t nat -A POSTROUTING -p tcp --dport 4443 -j MASQUERADE
+
+ # PORT 5222
+ iptables -t nat -A PREROUTING -p tcp --dport 5222 -j DNAT --to-destination 10.100.0.2
+ iptables -t nat -A POSTROUTING -p tcp --dport 5222 -j MASQUERADE
+
+ # PORT 5347
+ iptables -t nat -A PREROUTING -p tcp --dport 5347 -j DNAT --to-destination 10.100.0.2
+ iptables -t nat -A POSTROUTING -p tcp --dport 5347 -j MASQUERADE
+
+ # PORT 5280
+ iptables -t nat -A PREROUTING -p tcp --dport 5280 -j DNAT --to-destination 10.100.0.2
+ iptables -t nat -A POSTROUTING -p tcp --dport 5280 -j MASQUERADE
+
+ # UDP PORTS ##################################################################################################
+ # PORT 10000
+ iptables -t nat -A PREROUTING -p udp --dport 10000 -j DNAT --to-destination 10.100.0.2
+ iptables -t nat -A POSTROUTING -p udp --dport 10000 -j MASQUERADE
+
+ # PORT 3478
+ iptables -t nat -A PREROUTING -p udp --dport 3478 -j DNAT --to-destination 10.100.0.2
+ iptables -t nat -A POSTROUTING -p udp --dport 3478 -j MASQUERADE
+ '';
+}
\ No newline at end of file
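Review bot: Every `POSTROUTING ... -j MASQUERADE` in `extraCommands` matches on `--dport` alone, with no `-o wireguard0` or `-d 10.100.0.2`, so the peer sees every forwarded client as 10.100.0.1 — mail and web logs, rate limiting and any fail2ban-style blocking on the rpi4 lose the real source address — and the host's own outbound connections to those ports are source-NATed as well. If hiding the client address is acceptable, a single `iptables -t nat -A POSTROUTING -o wireguard0 -d 10.100.0.2 -j MASQUERADE` replaces the seventeen per-port rules; if it is not, drop the MASQUERADE and have the peer route its replies back through the tunnel. The `FORWARD ... ESTABLISHED,RELATED` rule is appended twice, nothing explicitly accepts NEW forwarded connections toward 10.100.0.2 (this only works if the FORWARD policy is ACCEPT, which is not visible here), and since everything is `-A` with no matching `networking.firewall.extraStopCommands`, every firewall restart appends another copy of each rule. Generating both scripts from the port lists fixes the duplication and keeps `allowedTCPPorts` and the DNAT set in sync:
```nix
  networking.firewall =
    let
      backend = "10.100.0.2";
      udpPorts = [ 3478 10000 ];  # … unchanged: same ports and comments as the allowedUDPPorts list …
      tcpPorts = [ 80 443 25 465 587 143 993 4190 42420 25565 1443 4443 5222 5347 5280 ];  # … unchanged: same ports and comments as the allowedTCPPorts list …
      # One generator for both scripts, so what -A adds on start is exactly what -D removes on stop.
      ipt = action: table: args:
        "iptables ${table} ${action} ${args}"
        + lib.optionalString (action == "-D") " 2>/dev/null || true"
        + "\n";
      dnat = action: proto: port:
        ipt action "-t nat" "PREROUTING -p ${proto} --dport ${toString port} -j DNAT --to-destination ${backend}";
      rules = action:
        ipt action "" "FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
        # no-op under an ACCEPT policy, required if FORWARD defaults to DROP
        + ipt action "" "FORWARD -o wireguard0 -d ${backend} -m conntrack --ctstate NEW -j ACCEPT"
        # one SNAT for everything routed into the tunnel; the peer still sees 10.100.0.1 as the client
        + ipt action "-t nat" "POSTROUTING -o wireguard0 -d ${backend} -j MASQUERADE"
        + lib.concatMapStrings (dnat action "tcp") tcpPorts
        + lib.concatMapStrings (dnat action "udp") udpPorts;
    in {
      allowedUDPPorts = udpPorts;
      allowedTCPPorts = tcpPorts;
      extraCommands = rules "-A";
      extraStopCommands = rules "-D";
    };
```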
diff --git a/nixos/hosts/osaka-linode-01/wireguard.nix b/nixos/hosts/osaka-linode-01/wireguard.nix
new file mode 100644
index 00000000..b165abfe
--- /dev/null
+++ b/nixos/hosts/osaka-linode-01/wireguard.nix
@@ -0,0 +1,49 @@
+{ pkgs, config, lib, ... }: {
+ networking.firewall.allowedUDPPorts = [ 51820 ];
+ networking.firewall.interfaces.wireguard0.allowedTCPPorts = [ 22 ];
+
+ # Set up the secrets file:
+ sops.secrets."wireguard_keys/osaka-linode-01" = {
+ owner = "root";
+ sopsFile = ../../../secrets/wireguard.yaml;
+ };
+
+ sops.secrets."wireguard_keys/preshared_key" = {
+ owner = "root";
+ sopsFile = ../../../secrets/wireguard.yaml;
+ };
+
+ # Wireguard Forwarder
+ boot.kernel.sysctl = {
+ "net.ipv4.ip_forward" = true;
+ "net.ipv4.conf.all.forwarding" = 1;
+ "net.ipv4.conf.default.forwarding" = 1;
+ };
+
+ networking.wireguard = {
+ enable = true;
+ interfaces = {
+ "wireguard0" = {
+ ips = [ "10.100.0.1/24" ];
+ listenPort = 51820;
+ privateKeyFile = "/run/secrets/wireguard_keys/osaka-linode-01";
+ postSetup = ''${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eno3 -j MASQUERADE'';
+ postShutdown = ''${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eno3 -j MASQUERADE'';
+ peers = [
+ { # nixos-rpi4-03
+ publicKey = "trHvfNtQ7HKMiJjxEXo2Iubq5G6egjx7gHiBlDmJ5Ek=";
+ presharedKeyFile = "/run/secrets/wireguard_keys/preshared_key";
+ persistentKeepalive = 5;
+ allowedIPs = [ "10.100.0.2/32" ];
+ }
+ ];
+ };
+ };
+ };
+
+ networking.nat = {
+ enable = true;
+ internalInterfaces = [ "wireguard0" ];
+ externalInterface = "eno3";
+ };
+}
\ No newline at end of file
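Review bot: `eno3` is used as the external interface in `postSetup`, `postShutdown` and `networking.nat.externalInterface`, but a virtio guest (the host's initrd modules are `virtio_pci`/`virtio_blk`) is unlikely to have an interface by that name; it looks copied from physical hardware, and if it is wrong the `-o eno3` MASQUERADE never matches and the peer's internet-bound traffic leaves with its 10.100.0.x source address, so verify the name on the booted instance and add a comment naming where it came from. The `postSetup`/`postShutdown` lines also duplicate what `networking.nat` with `internalInterfaces = [ "wireguard0" ]` already sets up, and the nat module turns on IP forwarding itself (worth checking against the module), so those two lines and the manual sysctl block can likely go once the interface name is confirmed. `persistentKeepalive = 5` on the server side is unusually aggressive and is normally set on the peer behind NAT; a comment explaining why it is here would help. The peer's public key and the sops-managed private and preshared key paths are fine as committed.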