diff --git a/.forgejo/workflows/update-flake-lock.yml b/.forgejo/workflows/update-flake-lock.yml index 28eb8e2c..c20afa74 100644 --- a/.forgejo/workflows/update-flake-lock.yml +++ b/.forgejo/workflows/update-flake-lock.yml @@ -95,8 +95,8 @@ jobs: ssh-add env | grep SSH cd /etc/nixos/git - git commit -am '[ACTIONS] Flake Update (`date +%Y-%m-%d`)' - git push + git -c commit.gpgsign=false commit -am '[ACTIONS] Flake Update (`date +%Y-%m-%d`)' \ + && git push " - if: success() diff --git a/.sops.yaml b/.sops.yaml index aec28896..14f1ab58 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -11,6 +11,7 @@ keys: - &piaware-rpi4 4216b645667670a6130bb95a72a56f8269cd0818 - &backups-rpi4 8b37122bb46dc98c208002d65e94778ecd94bd4e - &bakersfield-rpi4 c93d5c2da5efe4ba4103c8f571faa392f202eed4 + - &ovh_server - &quitman-rpi4 - &nixos-desktop - &nuc-server @@ -68,7 +69,12 @@ creation_rules: - *albert - *framework-server - # Machines + # Hosts:; + - path_reges: secrets\/hosts\/ovh-server\.yaml$ + key_groups: + - pgp: + - *albert + - path_regex: secrets\/hosts\/frankfurt-linode-01\.yaml$ key_groups: - pgp: diff --git a/flake.lock b/flake.lock index 323cf810..465dc59c 100644 --- a/flake.lock +++ b/flake.lock @@ -186,11 +186,11 @@ ] }, "locked": { - "lastModified": 1719864345, - "narHash": "sha256-e4Pw+30vFAxuvkSTaTypd9zYemB/QlWcH186dsGT+Ms=", + "lastModified": 1720056646, + "narHash": "sha256-BymcV4HWtx2VFuabDCM4/nEJcfivCx0S02wUCz11mAY=", "owner": "nix-community", "repo": "disko", - "rev": "544a80a69d6e2da04e4df7ec8210a858de8c7533", + "rev": "64679cd7f318c9b6595902b47d4585b1d51d5f9e", "type": "github" }, "original": { @@ -776,11 +776,11 @@ ] }, "locked": { - "lastModified": 1719827385, - "narHash": "sha256-qs+nU20Sm8czHg3bhGCqiH+8e13BJyRrKONW34g3i50=", + "lastModified": 1720042825, + "narHash": "sha256-A0vrUB6x82/jvf17qPCpxaM+ulJnD8YZwH9Ci0BsAzE=", "owner": "nix-community", "repo": "home-manager", - "rev": "391ca6e950c2525b4f853cbe29922452c14eda82", + "rev": "e1391fb22e18a36f57e6999c7a9f966dc80ac073", "type": "github" }, "original": { @@ -894,11 +894,11 @@ "xdph": "xdph" }, "locked": { - "lastModified": 1719949580, - "narHash": "sha256-Ht6ZUjQ6HO9vllB0CxeGgLYUzZCw9Q/2Aaq21Og+3hM=", + "lastModified": 1720213509, + "narHash": "sha256-LXj38Y3H0+/YhOtz6tGrqgd6p9AyGFeq6EwLgYsE1KQ=", "owner": "hyprwm", "repo": "Hyprland", - "rev": "8bb75a223db3ea9471d05d74fbed3328334a9f78", + "rev": "cc98594c3aed0b542e03818371a4636f549f80e1", "type": "github" }, "original": { @@ -1019,11 +1019,11 @@ "nixpkgs": "nixpkgs_3" }, "locked": { - "lastModified": 1719982578, - "narHash": "sha256-NBI3jN7NH784t+6XiEWvfIzxZnCqOBLCIIe9mbXHJ10=", + "lastModified": 1720205505, + "narHash": "sha256-KqGnYAKWxwRgWxc/78HbL3PHeuDJOSS/9+Pkm5doUk8=", "owner": "Jovian-Experiments", "repo": "Jovian-NixOS", - "rev": "b4b7577219500b93d60d9d85781a8b6aeeff672c", + "rev": "fdcaab38857f221eea20a0073f891feb36ea8e99", "type": "github" }, "original": { @@ -1202,11 +1202,11 @@ ] }, "locked": { - "lastModified": 1719841141, - "narHash": "sha256-WOyohxFJJdfDvEB7N3eTcX44lNU2rZes1inHsyHL7mM=", + "lastModified": 1720055043, + "narHash": "sha256-SKizewU4UeYrkZWPUjur8EoxscGoNb0pGcrNL4YzAIg=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "140dcc2b9a0eb87ba5e9011076a1a7af19179ab1", + "rev": "168b220231a70e47cc1f0919048fa5914415fb18", "type": "github" }, "original": { @@ -1279,27 +1279,27 @@ }, "nixpkgs-stable_2": { "locked": { - "lastModified": 1719663039, - "narHash": "sha256-tXlrgAQygNIy49LDVFuPXlWD2zTQV9/F8pfoqwwPJyo=", + "lastModified": 1719720450, + "narHash": "sha256-57+R2Uj3wPeDeq8p8un19tzFFlgWiXJ8PbzgKtBgBX8=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "4a1e673523344f6ccc84b37f4413ad74ea19a119", + "rev": "78f8641796edff3bfabbf1ef5029deadfe4a21d0", "type": "github" }, "original": { "owner": "NixOS", - "ref": "release-23.11", + "ref": "release-24.05", "repo": "nixpkgs", "type": "github" } }, "nixpkgs-unstable": { "locked": { - "lastModified": 1719848872, - "narHash": "sha256-H3+EC5cYuq+gQW8y0lSrrDZfH71LB4DAf+TDFyvwCNA=", + "lastModified": 1720031269, + "narHash": "sha256-rwz8NJZV+387rnWpTYcXaRNvzUSnnF9aHONoJIYmiUQ=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "00d80d13810dbfea8ab4ed1009b09100cca86ba8", + "rev": "9f4128e00b0ae8ec65918efeba59db998750ead6", "type": "github" }, "original": { @@ -1316,11 +1316,11 @@ "nixpkgs": "nixpkgs_6" }, "locked": { - "lastModified": 1719983871, - "narHash": "sha256-+CtRYC7IixKUobzqnzlPCEhfCPmMhOPzBPix4kx855o=", + "lastModified": 1720275269, + "narHash": "sha256-B/WPzq9nPffFqgIBs/V8eVErdBZ/gFB18TVEjbm0OgE=", "owner": "nix-community", "repo": "nixpkgs-wayland", - "rev": "a61cab0e5ec097e1d46b9a3c6d5e3f2eea456062", + "rev": "e9d5643137c2ffb928d84e713fc15782ba7c7b22", "type": "github" }, "original": { @@ -1363,11 +1363,11 @@ }, "nixpkgs_4": { "locked": { - "lastModified": 1719838683, - "narHash": "sha256-Zw9rQjHz1ilNIimEXFeVa1ERNRBF8DoXDhLAZq5B4pE=", + "lastModified": 1720110830, + "narHash": "sha256-E5dN9GDV4LwMEduhBLSkyEz51zM17XkWZ3/9luvNOPs=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "d032c1a6dfad4eedec7e35e91986becc699d7d69", + "rev": "c0d0be00d4ecc4b51d2d6948e37466194c1e6c51", "type": "github" }, "original": { @@ -1394,11 +1394,11 @@ }, "nixpkgs_6": { "locked": { - "lastModified": 1719848872, - "narHash": "sha256-H3+EC5cYuq+gQW8y0lSrrDZfH71LB4DAf+TDFyvwCNA=", + "lastModified": 1720031269, + "narHash": "sha256-rwz8NJZV+387rnWpTYcXaRNvzUSnnF9aHONoJIYmiUQ=", "owner": "nixos", "repo": "nixpkgs", - "rev": "00d80d13810dbfea8ab4ed1009b09100cca86ba8", + "rev": "9f4128e00b0ae8ec65918efeba59db998750ead6", "type": "github" }, "original": { @@ -1500,11 +1500,11 @@ }, "nur": { "locked": { - "lastModified": 1719981089, - "narHash": "sha256-2M5yTK6i/rzYLNilhr7wYzykhRVzaNs3frxqcpxBIwQ=", + "lastModified": 1720276401, + "narHash": "sha256-tWBXMGxAnR/iroW0JEVA1esOp6Ln0C7GhQ0AshxPqP4=", "owner": "nix-community", "repo": "NUR", - "rev": "ffd44bb409a81a84c2e9ea1236c1108ecff9dd90", + "rev": "fe3c458e7673f38d69542a3b9f66df01ff81c73c", "type": "github" }, "original": { @@ -1601,11 +1601,11 @@ ] }, "locked": { - "lastModified": 1719875930, - "narHash": "sha256-jQmdWLxRP6BzOxRF8hQEhDD7UKw7UrnYbmaAPOSaXWY=", + "lastModified": 1720168075, + "narHash": "sha256-Nb/8+zrOPbU9EBMterwQPTUonqwj6Czd0CCCNM4SROA=", "owner": "pjones", "repo": "plasma-manager", - "rev": "7e062fcd669e261fb06cf54fe0ef2e46c3db8e83", + "rev": "71c3fb6eb0767923335662aa33a06f983c2fbeae", "type": "github" }, "original": { @@ -1742,11 +1742,11 @@ "nixpkgs-stable": "nixpkgs-stable_2" }, "locked": { - "lastModified": 1719873517, - "narHash": "sha256-D1dxZmXf6M2h5lNE1m6orojuUawVPjogbGRsqSBX+1g=", + "lastModified": 1720187017, + "narHash": "sha256-Zq+T1Bvd0ShZB9XM+bP0VJK3HjsSVQBLolkaCLBQnfQ=", "owner": "Mic92", "repo": "sops-nix", - "rev": "a11224af8d824935f363928074b4717ca2e280db", + "rev": "1b11e208cee97c47677439625dc22e5289dcdead", "type": "github" }, "original": { diff --git a/nixos/hosts/backups-rpi4/wireguard.nix b/nixos/hosts/backups-rpi4/wireguard.nix index 3c4cc10d..6070e0f0 100644 --- a/nixos/hosts/backups-rpi4/wireguard.nix +++ b/nixos/hosts/backups-rpi4/wireguard.nix @@ -35,7 +35,9 @@ presharedKeyFile = "/run/secrets/preshared_key"; persistentKeepalive = 5; allowedIPs = [ "10.100.0.1/32" ]; - endpoint = "172.234.84.222:51820"; # osaka-linode-01 + # endpoint = "172.234.84.222:51820"; # osaka-linode-01 + # endpoint = "172.232.204.45:51820"; # milan-linode-01 + endpoint = "172.105.76.221:51820"; # frankfurt-linode-01 } ]; }; diff --git a/nixos/hosts/frankfurt-linode-01/default.nix b/nixos/hosts/frankfurt-linode-01/default.nix index 0a573c72..6d8bdc0b 100644 --- a/nixos/hosts/frankfurt-linode-01/default.nix +++ b/nixos/hosts/frankfurt-linode-01/default.nix @@ -5,6 +5,7 @@ ../../common/services/podman.nix ./containers/derp.nix ./firewall.nix + ./wireguard.nix ]; boot.initrd.availableKernelModules = [ "virtio_pci" "virtio_scsi" "ahci" "sd_mod" ]; diff --git a/nixos/hosts/frankfurt-linode-01/wireguard.nix b/nixos/hosts/frankfurt-linode-01/wireguard.nix new file mode 100644 index 00000000..0c784daa --- /dev/null +++ b/nixos/hosts/frankfurt-linode-01/wireguard.nix @@ -0,0 +1,79 @@ +{ hostname, pkgs, ... }: { + + # Allow these hosts to directly communicate with their hostnames + networking.extraHosts = '' + 10.100.0.1 ${hostname} + 10.100.0.3 backups-rpi4 + 10.100.0.2 headscale.sysctl.io + ''; + +# 10.100.0.2 framework-server +# 10.100.0.2 git.sysctl.io +# 10.100.0.2 loki.sysctl.io +# 10.100.0.2 telegraf.sysctl.io +# ''; + + networking.firewall.allowedUDPPorts = [ 51820 ]; + networking.firewall.interfaces.wireguard0.allowedTCPPorts = [ 22 ]; + + # Set up the secrets file: + sops.secrets."wireguard_key" = { + owner = "root"; + sopsFile = ../../../secrets/hosts/${hostname}.yaml; + }; + + sops.secrets."preshared_key" = { + owner = "root"; + sopsFile = ../../../secrets/wireguard.yaml; + }; + + # Wireguard Forwarder + boot.kernel.sysctl = { + "net.ipv4.ip_forward" = true; + "net.ipv4.conf.all.forwarding" = 1; + "net.ipv4.conf.default.forwarding" = 1; + }; + + networking.wireguard = { + enable = true; + interfaces = { + "wireguard0" = { + ips = [ + "10.100.0.1/24" + "10.100.1.1/24" + ]; + listenPort = 51820; + privateKeyFile = "/run/secrets/wireguard_key"; + postSetup = ''${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -o enp0s4 -j MASQUERADE''; + postShutdown = ''${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -o enp0s4 -j MASQUERADE''; + peers = [ + { # framework-server / ovh-server + publicKey = "trHvfNtQ7HKMiJjxEXo2Iubq5G6egjx7gHiBlDmJ5Ek="; + presharedKeyFile = "/run/secrets/preshared_key"; + allowedIPs = [ "10.100.0.2/32" ]; + persistentKeepalive = 5; + } + { # backups-rpi4 + publicKey = "cqocpMyY8Z0Jl0hoAdghn3dR3VhkkOYyeSwW6UKk9Fs="; + presharedKeyFile = "/run/secrets/preshared_key"; + allowedIPs = [ "10.100.0.3/32" ]; + persistentKeepalive = 5; + } + { # framewrk-server docker:wg-enshrouded + publicKey = "ucV6LgUwSbEyyxPlS83OayFPK6ysQKu6cVBV97S07mI="; + presharedKeyFile = "/run/secrets/preshared_key"; + allowedIPs = [ "10.100.1.2/32" ]; + persistentKeepalive = 5; + } + { # framewrk-server docker:wg-mailserver + publicKey = "5C1ft3LIGmyFwi00pyLeYjvJpqHLTQFNMRlXlva6uEI="; + presharedKeyFile = "/run/secrets/preshared_key"; + allowedIPs = [ "10.100.1.3/32" ]; + persistentKeepalive = 5; + } + ]; + }; + }; + }; +} + diff --git a/nixos/hosts/osaka-linode-01/default.nix b/nixos/hosts/osaka-linode-01/default.nix index dc08f252..3a71e4e4 100644 --- a/nixos/hosts/osaka-linode-01/default.nix +++ b/nixos/hosts/osaka-linode-01/default.nix @@ -5,7 +5,7 @@ ../../common/services/podman.nix ./containers/derp.nix ./firewall.nix - ./wireguard.nix + # ./wireguard.nix ]; boot.initrd.availableKernelModules = [ "virtio_pci" "virtio_scsi" "ahci" "sd_mod" ]; diff --git a/nixos/hosts/osaka-linode-01/wireguard.nix b/nixos/hosts/osaka-linode-01/wireguard.nix index 7f1ed2a5..0c784daa 100644 --- a/nixos/hosts/osaka-linode-01/wireguard.nix +++ b/nixos/hosts/osaka-linode-01/wireguard.nix @@ -1,8 +1,8 @@ -{ pkgs, ... }: { +{ hostname, pkgs, ... }: { # Allow these hosts to directly communicate with their hostnames networking.extraHosts = '' - 10.100.0.1 osaka-linode-01 + 10.100.0.1 ${hostname} 10.100.0.3 backups-rpi4 10.100.0.2 headscale.sysctl.io ''; @@ -19,7 +19,7 @@ # Set up the secrets file: sops.secrets."wireguard_key" = { owner = "root"; - sopsFile = ../../../secrets/hosts/osaka-linode-01.yaml; + sopsFile = ../../../secrets/hosts/${hostname}.yaml; }; sops.secrets."preshared_key" = { @@ -47,7 +47,7 @@ postSetup = ''${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -o enp0s4 -j MASQUERADE''; postShutdown = ''${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -o enp0s4 -j MASQUERADE''; peers = [ - { # framework-server + { # framework-server / ovh-server publicKey = "trHvfNtQ7HKMiJjxEXo2Iubq5G6egjx7gHiBlDmJ5Ek="; presharedKeyFile = "/run/secrets/preshared_key"; allowedIPs = [ "10.100.0.2/32" ]; diff --git a/nixos/hosts/ovh-server/containers.nix b/nixos/hosts/ovh-server/containers.nix new file mode 100644 index 00000000..e2605825 --- /dev/null +++ b/nixos/hosts/ovh-server/containers.nix @@ -0,0 +1,30 @@ +{ lib, self, inputs, outputs, stateVersion, hmStateVersion, ... }: +let + libx = import ../../../lib { inherit lib self inputs outputs stateVersion hmStateVersion; }; +in { + + containers = { + rdesktop = libx.mkContainer { hostname = "rdesktop"; ip = "2"; desktop = "plasma6"; unfree = true; }; + }; + + # Networking config + networking.bridges.nix-br0.interfaces = []; + + # Add an IP address to the bridge interface. + networking.localCommands = ''ip address add 192.168.2.1/24 dev nix-br0''; + + # Firewall commands allowing traffic to go in and out of the bridge interface + # (and to the guest LXD instance). Also sets up the actual NAT masquerade rule. + networking.firewall.extraCommands = '' + iptables -A INPUT -i nix-br0 -j ACCEPT + + # These three technically aren't needed, since by default the FORWARD and + # OUTPUT firewalls accept everything everything, but lets keep them in just + # in case. + iptables -A FORWARD -o nix-br0 -j ACCEPT + iptables -A FORWARD -i nix-br0 -j ACCEPT + iptables -A OUTPUT -o nix-br0 -j ACCEPT + + iptables -t nat -A POSTROUTING -s 192.168.2.0/24 ! -d 192.168.2.0/24 -j MASQUERADE + ''; +} diff --git a/nixos/hosts/ovh-server/cron.nix b/nixos/hosts/ovh-server/cron.nix new file mode 100644 index 00000000..97b4e90f --- /dev/null +++ b/nixos/hosts/ovh-server/cron.nix @@ -0,0 +1,77 @@ +{ pkgs, ... }: { + services.cron = { + enable = true; + systemCronJobs = [ + # Backups to nuc-docker01 + ''0 0 * * * root rsync --delete -avr /Storage/Data/Docker/sysctl.io/ root@nuc-docker01:/Storage/Data/Docker/sysctl.io/'' + ''0 3 * * * root rsync -avr /Storage/Data/Docker/sysctl.io/nextcloud/html/data/albert/files/InstantUpload/ root@nuc-docker01:/Storage/Media/Pictures/InstantUpload/'' + ''0 5 * * * root rsync -avr /Storage/Data/Docker/sysctl.io/nextcloud/html/data/albert/files/Wallpapers/ root@nuc-docker01:/Storage/Media/Pictures/Wallpapers'' + # Back up the docker containers monthly: + ''@monthly root ssh nuc-docker01 "rm -rf /Storage/Backups/Docker/sysctl.io/*"; for i in $(docker ps --format '{{.Names}}'); do docker export $i | gzip -cf | ssh root@nuc-docker01 "cat > /Storage/Backups/Docker/sysctl.io/$i.tar.gz"; done'' + # Set a random Pi-Hole password + ''* * * * * root docker exec pihole sudo pihole -a -p $(openssl rand -hex 128)'' + # Run the ClamAV scan + ''@monthly root /Storage/Data/docker-compose/sysctl.io/scripts/clamscan-cron.sh'' + # Archive Loki logs monthly + ''@monthly root /Storage/Data/docker-compose/sysctl.io/scripts/backup-logs.sh >> /Storage/Data/Temporary/log_backups.log'' + # Run the Nextcloud cronjobs hourly + ''@hourly root docker exec -uwww-data nextcloud php -f /var/www/html/cron.php'' + # Run the Pixelfed scheduler + ''* * * * * root docker exec pixelfed-app php artisan schedule:run'' + # Update / CLean Mastodon caches + ''@daily root docker exec mastodon-web tootctl preview_cards remove --days 7'' + ''@daily root docker exec mastodon-web tootctl media remove --days 7 --prune-profiles'' + ''@daily root docker exec mastodon-web tootctl accounts prune'' + ''@daily root docker exec mastodon-web tootctl statuses remove --days 7'' + ''@daily root docker exec mastodon-web tootctl media remove --remove-headers --include-follows --days 7'' + ''@daily root docker exec mastodon-web tootctl preview_cards remove --days 7'' + ''@daily root docker exec mastodon-web tootctl media remove-orphans'' + ]; + }; +} +# Old crontab: +# # At reboot, apply the ip_tables modprobe so Wireguard works +# @reboot /usr/sbin/modprobe ip_tables +# +# # At reboot, restart Docker. Otherwise, iptables / the firewall freaks out +# @reboot /usr/bin/systemctl stop docker; /usr/bin/systemctl start docker +# +# # Every day, get storage space for monitoring +# @daily source ~/.bashrc; for i in `ls /Storage/Data/Docker`; do echo echo "$(date): $(du -s /Storage/Data/Docker/$i)" | sed -e 's/\/Storage\/Data\/Docker\/\$i//' >> /root/sizes/$i.log; done +# +# # Clean up NextCloud files weekly to save space +# @weekly source ~/.bashrc; /usr/bin/docker exec -uwww-data nextcloud php occ versions:cleanup +# DONE # Run the Nextcloud cronjobs hourly +# DONE @hourly source ~/.bashrc; /usr/bin/docker exec -uwww-data nextcloud php -f /var/www/html/cron.php +# +# +# # Clear out Mastodon caches daily +# DONE @daily source ~/.bashrc; /usr/bin/docker exec mastodon-web tootctl preview_cards remove --days 1 +# DONE @daily source ~/.bashrc; /usr/bin/docker exec mastodon-web tootctl media remove --days 1 --prune-profiles +# DONE @daily source ~/.bashrc; /usr/bin/docker exec mastodon-web tootctl accounts prune +# DONE @daily source ~/.bashrc; /usr/bin/docker exec mastodon-web tootctl statuses remove --days 1 +# DONE @daily source ~/.bashrc; /usr/bin/docker exec mastodon-web tootctl media remove --remove-headers --include-follows --days 0 +# DONE @daily source ~/.bashrc; /usr/bin/docker exec mastodon-web tootctl preview_cards remove --days 1 +# DONE @daily source ~/.bashrc; /usr/bin/docker exec mastodon-web tootctl media remove-orphans +# +# DONE # Run the Pixelfed scheduler +# DONE * * * * * /usr/bin/docker exec pixelfed-app php artisan schedule:run +# +# DONE # Run the ClamAV scan +# DONE @monthly source ~/.bashrc; /Storage/Data/docker-compose/sysctl.io/scripts/clamscan-cron.sh +# +# DONE # Set a random PiHole password every minute +# DONE * * * * * /usr/bin/docker exec pihole sudo pihole -a -p $(openssl rand -hex 128) +# +# NOT NEEDED # back up crontab: +# NOT NEEDED # 0 0 * * * /usr/bin/crontab -l > /Storage/Data/Temporary/crontab +# +# # Back up and delete local copies of Loki logs monthly +# DONE @monthly source ~/.bashrc; /Storage/Data/docker-compose/sysctl.io/scripts/backup-logs.sh >> /Storage/Data/Temporary/log_backups.log +# +# DONE # Back up the docker containers weekly: +# DONE @weekly source ~/.bashrc; ssh nuc-docker01 "rm -rf /Storage/Backups/Docker/sysctl.io/*"; for i in $(docker ps --format '{{.Names}}'); do docker export $i | gzip -cf | ssh root@nuc-docker01 "cat > /Storage/Backups/Docker/sysctl.io/$i.tar.gz"; done +# +# # Set up DERP relay certs for headscale-derp: +# DONE @hourly cp /Storage/Data/Docker/letsencrypt/certs/certs/\*.sysctl.io.crt /Storage/Data/Docker/letsencrypt/certs/certs/derp.sysctl.io.crt +# DONE @hourly cp /Storage/Data/Docker/letsencrypt/certs/private/\*.sysctl.io.key /Storage/Data/Docker/letsencrypt/certs/private/derp.sysctl.io.key diff --git a/nixos/hosts/ovh-server/default.nix b/nixos/hosts/ovh-server/default.nix new file mode 100644 index 00000000..556898fd --- /dev/null +++ b/nixos/hosts/ovh-server/default.nix @@ -0,0 +1,63 @@ +{ hostname, inputs, config, lib, pkgs, modulesPath, system, ... }: { + imports = [ + inputs.nixos-hardware.nixosModules.framework-13th-gen-intel + (modulesPath + "/installer/scan/not-detected.nix") + # ../../common/modules/secureboot.nix + ../../common/modules/boot.nix + ../../common/modules/udev-rules.nix + ../../common/modules/builder.nix + ../../common/services/fwupd.nix + # ../../common/modules/ssh-luks.nix + ../../common/services/docker.nix + ../../common/services/tailscale-autoconnect.nix + ./containers.nix + ./disks.nix + ./wireguard.nix + ./cron.nix + ./firewall.nix + ]; + + environment.systemPackages = [ + inputs.deploy-rs.packages.${system}.deploy-rs + pkgs.distrobox + ]; + + # backups-rpi4 cron job to back up sysctl.io's Docker files + # osaka-linode-01 cron job to copy certs for the DERP relay + # milan-linode-01 cron job to copy certs for the DERP relay + # frankfurt-linode-01 cron job to copy certs for the DERP relay + + # TODO: Update servers that point here + users.users.root.openssh.authorizedKeys.keys = [ + ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKp2wgqFcr0LGaUXbom88/zK2631pysePUWIaCMljT0K root@backups-rpi4'' + ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKkNFdEcYIrjss1Nz0tU/AX89hUMmxB/Vabvsa7A6E2K root@osaka-linode-01'' + ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIORCrD/ZWXbAfi5eIN8b9dwuvMuPPTgpMiIFh1WagXV2 root@milan-linode-01'' + ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBGXiWUR2T5HXQ4g/En+eJ9K6GSokl3tEK7RZcYb+0UA root@frankfurt-linode-01'' + ]; + services.openssh.settings.PermitRootLogin = lib.mkForce "prohibit-password"; + + boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "thunderbolt" "sd_mod" "uas" ]; + boot.initrd.kernelModules = [ "r8152" ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = with config.boot.kernelPackages; [ acpi_call ]; + + networking.useDHCP = lib.mkDefault true; + powerManagement.cpuFreqGovernor = lib.mkDefault "performance"; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; + + # Set your time zone. + time.timeZone = "Europe/Warsaw"; + + # Set the networking hostname: + networking.hostName = hostname; + networking.firewall.allowedTCPPorts = [ 22 ]; + + services.tailscale.extraUpFlags = [ + "--advertise-exit-node" + "--advertise-routes=10.2.0.0/24" + ]; + + boot.kernel.sysctl = { + "net.ipv4.ip_forward" = true; + }; +} diff --git a/nixos/hosts/ovh-server/disks.nix b/nixos/hosts/ovh-server/disks.nix new file mode 100644 index 00000000..9397341c --- /dev/null +++ b/nixos/hosts/ovh-server/disks.nix @@ -0,0 +1,85 @@ +{ + imports = [ ../../common/services/snapper.nix ]; + + # extra configs not present in the standard config above + services.snapper.configs.Storage = { + TIMELINE_CREATE = true; + TIMELINE_CLEANUP = true; + SUBVOLUME = "/Storage"; + }; + + services.btrfs.autoScrub.enable = true; + services.btrfs.autoScrub.interval = "weekly"; + + disko.devices.disk.nvme0 = { + type = "disk"; + device = "/dev/nvme0n1"; + content = { + type = "gpt"; + partitions = { + BOOT = { + priority = 1; + name = "BOOT"; + start = "0%"; + end = "550MiB"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + # https://github.com/nix-community/disko/issues/527 + mountOptions = [ "umask=0077" ]; + mountpoint = "/boot"; + }; + }; # partition 1 (ESP) + LUKS-ROOT = { + start = "550MiB"; + end = "100%"; + content = { + type = "luks"; + name = "ROOT"; + extraOpenArgs = [ "--allow-discards" ]; + content = { + type = "btrfs"; + extraArgs = [ "-f" ]; + subvolumes = { + "/root" = { + mountpoint = "/"; + mountOptions = [ "compress=zstd" "noatime" ]; + }; # root + "/home" = { + mountpoint = "/home"; + mountOptions = [ "compress=zstd" "noatime" ]; + }; # home + "/nix" = { + mountpoint = "/nix"; + mountOptions = [ "compress=zstd" "noatime" ]; + }; # nix + "/Storage" = { + mountpoint = "/Storage"; + mountOptions = [ "compress=zstd" "noatime" ]; + }; # Storage + # SNAPSHOT SUBVOLS + "/root/.snapshots" = { + mountpoint = "/.snapshots"; + mountOptions = [ "compress=zstd" "noatime" ]; + }; # root + "/home/.snapshots" = { + mountpoint = "/home/.snapshots"; + mountOptions = [ "compress=zstd" "noatime" ]; + }; # home + "/nix/.snapshots" = { + mountpoint = "/nix/.snapshots"; + mountOptions = [ "compress=zstd" "noatime" ]; + }; # nix + "/Storage/.snapshots" = { + mountpoint = "/Storage/.snapshots"; + mountOptions = [ "compress=zstd" "noatime" ]; + }; # Storage + }; # subvolumes + }; # content.content + }; # content + }; # partition 2 (/ BTRFS) + }; # partitions + }; # content + }; # disko.devices.disk.nvme0 +} # root diff --git a/nixos/hosts/ovh-server/firewall.nix b/nixos/hosts/ovh-server/firewall.nix new file mode 100644 index 00000000..4397eedc --- /dev/null +++ b/nixos/hosts/ovh-server/firewall.nix @@ -0,0 +1,30 @@ +{ ... }: { + networking = { + firewall = { + enable = true; + allowedTCPPorts = [ + 53 # DNS + 80 # HTTP + 443 # HTTPS + 42420 # Vintage Story + 25565 # Minecraft + 1443 # Headscale DERP (tcp) + 25 # Mailserver + 143 # Mailserver + 465 # Mailserver + 587 # Mailserver + 993 # Mailserver + 4190 # Mailserver + 5696 # dsm-kmip server + 3389 # RDP + 4443 # Jitsi + ]; + allowedUDPPorts = [ + 53 # DNS (udp) + 10000 # Jitsi Meet (udp) + 15636 # Enshrouded - Game + 15637 # Enshrouded - Query Port + ]; + }; + }; +} diff --git a/nixos/hosts/ovh-server/wireguard.nix b/nixos/hosts/ovh-server/wireguard.nix new file mode 100644 index 00000000..5ec65c1b --- /dev/null +++ b/nixos/hosts/ovh-server/wireguard.nix @@ -0,0 +1,44 @@ +{ ... }: { + + # Allow these hosts to directly communicate with their hostnames + networking.extraHosts = '' + 10.100.0.1 osaka-linode-01 + 10.100.0.2 framework-server + ''; + + networking.firewall.interfaces.wireguard0.allowedTCPPorts = [ 22 ]; + + # Set up the secrets file: + sops.secrets."wireguard_key" = { + owner = "root"; + sopsFile = ../../../secrets/hosts/framework-server.yaml; + }; + sops.secrets."preshared_key" = { + owner = "root"; + sopsFile = ../../../secrets/wireguard.yaml; + }; + + # Wireguard Forwarder + networking.wireguard = { + enable = true; + interfaces = { + "wireguard0" = { + ips = [ "10.100.0.2/24" ]; + listenPort = 51820; + privateKeyFile = "/run/secrets/wireguard_key"; + # Testing + peers = [ + { # osaka-linode-01 + publicKey = "yPZ3EmmIqCkReXf1DRTxzVaKQ2k+ifGmYJHji5nnMmE="; + presharedKeyFile = "/run/secrets/preshared_key"; + persistentKeepalive = 5; + allowedIPs = [ "10.100.0.1/32" ]; + # endpoint = "172.234.84.222:51820"; # osaka-linode-01 + # endpoint = "172.232.204.45:51820"; # milan-linode-01 + endpoint = "172.105.76.221:51820"; # frankfurt-linode-01 + } + ]; + }; + }; + }; +} diff --git a/secrets/hosts/ovh-server.yaml b/secrets/hosts/ovh-server.yaml new file mode 100644 index 00000000..8b94407f --- /dev/null +++ b/secrets/hosts/ovh-server.yaml @@ -0,0 +1,33 @@ +tailscale_key: ENC[AES256_GCM,data:5hiD/rr51T20IfB3cvZTEbq7rCYrgyuyC0Qf/meJvjMPv9icw7RL8068+9OHQ5ui,iv:es966UYBmaD1/k7ImCQFsep3fukzbthCSpdQvYJfRJk=,tag:kKGuWxbPAO03in2lakViKw==,type:str] +wireguard_key: ENC[AES256_GCM,data:VZnRhMQJFqQ0TeaTJAZQpMC8sZUXQnr0kPHvLOz/GuhEzZbHhs7UX6Dqadc=,iv:qYe6Gecc+HCL4VWpv8MRMc1LR0PvxGqTPE4X5z1r7LM=,tag:UP9RoVeO94JfPlnIsc/7cA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2024-07-07T01:01:40Z" + mac: ENC[AES256_GCM,data:SWodY4LBR+SCDfWnATuEMJQE56jHcKd8deIXKBCUHGwsKKkxXZ1tODnY4RMEoy/r97/Rd2fCHN+0rC4TQ0/I2n2SHOp7biHR7D/dw79shVSVthzYYk6RV9fHNgeMmEg69agEIYyIN5vpO9xSpYy2NkRuNKFSK1MKYoXtUwoJfEc=,iv:MokMAgmEnbBkTSIA11aE/KmWYChUlBfIHOcSuNknovA=,tag:VzoFPRHVoHJdWCHQ6FiyXA==,type:str] + pgp: + - created_at: "2024-07-07T01:00:34Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAwAAAAAAAAAAAQ/+NEqO1RibIRBj8jSoOem0lMbUILbLj3RREsY9dBT5ipGC + Hi/gZSy0LsPi3WZgSNE1AFoy+g/zEBEWRNQcy5nIB0B/XUPiucP3WRsucKNckB0H + F4tK9kLvWpOPTejn67r14QTbhIZyy1sHAKi+xQ29R6vuLs9eTy1MeMqcsMzfaCG2 + a2nBGUqRryhHHe+6Pu3R3iPxYVlujyLUeEE85oO9+onrsNu/7G71JZaAi24/iLr4 + QoqH3Auy5qBUio4DMWwO2emns1496B6q5MfAdhBB7wPHoJwsDvLqZ3TiIMuD5So6 + UU3JDuLf8qCj+PUozpMy80sDR6tVc1sWTAmmP0nsd+NqAKnmAh6Gw88+ib16wH0l + HwDedoDaEBh+Ii4L0JFyyiCWaRi2SMm3ctnZ8kEixvwec2N6O4mO4nnvmVlbCWxp + GSS1Of8o7LZt5UJRXywVf+qHJJaq4h72NogUehwp7c+NLlRA/RKjRyT5LMxzTjpW + kDUmhd5ApPdAlLvY6K8OtOZVa5nixdbonjQ+AmP7UL5NR47DH23CZqQMFib3Zg4R + +HI4XSzEaQYON1+Q4Hjm1R8rr3AKQT9zDYB9RQ/9McWguBAjYeFkMwQ5QSpcXSvm + aYYsKj5V1Vg2LNNqOLGorgPf2FVyw/tRA6MzFl8c556Q987Gmt69UNem8AI2o1fS + XgHT8wU887w8rz+xgabJ4BgtrDLvhCSdUAG9vNmeNa2843nM8dmdfZ6V5FohVcAD + /3k4XXZUj8zxYw/H5IfE9tHqhsnvNxw+xTzrV+i44EMgZAWVrrwC6vXp2AYWhQg= + =twlA + -----END PGP MESSAGE----- + fp: 4A89D6B44B7E423B647C7AE848FBC3335A26DED6 + unencrypted_suffix: _unencrypted + version: 3.8.1