diff --git a/nixos/hosts/framework-server/default.nix b/nixos/hosts/framework-server/default.nix
index bba13209..768a0e4d 100644
--- a/nixos/hosts/framework-server/default.nix
+++ b/nixos/hosts/framework-server/default.nix
@@ -20,8 +20,12 @@
 pkgs.distrobox
 ];
- # backups-rpi4 cron job to back up sysctl.io's Docker files
- users.users.root.openssh.authorizedKeys.keys = [ ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKp2wgqFcr0LGaUXbom88/zK2631pysePUWIaCMljT0K root@backups-rpi4'' ];
+ # backups-rpi4 cron job to back up sysctl.io's Docker files
+ # osaka-linode-01 cron job to copy certs for the DERP relay
+ users.users.root.openssh.authorizedKeys.keys = [
+ ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKp2wgqFcr0LGaUXbom88/zK2631pysePUWIaCMljT0K root@backups-rpi4''
+ ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKkNFdEcYIrjss1Nz0tU/AX89hUMmxB/Vabvsa7A6E2K root@osaka-linode-01''
+ ];
 services.openssh.settings.PermitRootLogin = lib.mkForce "prohibit-password";
 boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "thunderbolt" "sd_mod" "uas" ];
diff --git a/nixos/hosts/osaka-linode-01/default.nix b/nixos/hosts/osaka-linode-01/default.nix
index 3e007484..6362760a 100644
--- a/nixos/hosts/osaka-linode-01/default.nix
+++ b/nixos/hosts/osaka-linode-01/default.nix
@@ -4,6 +4,7 @@
 ../../common/services/tailscale-autoconnect.nix
 ./firewall.nix
 ./wireguard.nix
+ ./podman.nix
 ];
 boot.initrd.availableKernelModules = [ "virtio_pci" "virtio_scsi" "ahci" "sd_mod" ];
@@ -38,4 +39,4 @@
 networking.hostName = "osaka-linode-01";
 services.tailscale.extraUpFlags = [ "--advertise-exit-node" ];
-}
\ No newline at end of file
+}
diff --git a/nixos/hosts/osaka-linode-01/firewall.nix b/nixos/hosts/osaka-linode-01/firewall.nix
index 86b865db..88ad4ac6 100644
--- a/nixos/hosts/osaka-linode-01/firewall.nix
+++ b/nixos/hosts/osaka-linode-01/firewall.nix
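Review bot: The new `root@osaka-linode-01` entry in `users.users.root.openssh.authorizedKeys.keys` gives that host an unrestricted key-based root login on framework-server, while the comment says it exists only so a cron job can rsync the letsencrypt directory (the older `root@backups-rpi4` key has the same shape). `authorizedKeys.keys` entries are written verbatim to authorized_keys, so sshd key options can confine it, e.g. `''restrict,from="<osaka-linode-01 address>",command="<rsync-only command>" ssh-ed25519 AAAA… root@osaka-linode-01''`, where `rrsync -ro <letsencrypt path>` from the rsync distribution is a ready-made read-only `command=`. A dedicated non-root account with read access to the certificate tree would avoid the root login altogether. It is also worth saying in the comment that this copy includes the private keys, since that is what the peer host will now hold.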
@@ -38,9 +38,9 @@
 iifname "enp0s4" tcp dport 443 dnat to 10.100.0.2:443; # HTTPS
 iifname "enp0s4" tcp dport 42420 dnat to 10.100.0.2:42420; # Vintage Story
 iifname "enp0s4" tcp dport 25565 dnat to 10.100.0.2:25565; # Minecraft
- iifname "enp0s4" tcp dport 1443 dnat to 10.100.0.2:1443; # Headscale DERP (tcp)
- iifname "enp0s4" udp dport 3478 dnat to 10.100.0.2:3478; # Headscale DERP (udp)
- iifname "enp0s4" udp dport 10000 dnat to 10.100.0.2:10000; # Headscale DERP (udp)
+ # iifname "enp0s4" tcp dport 1443 dnat to 10.100.0.2:1443; # Headscale DERP (tcp)
+ # iifname "enp0s4" udp dport 3478 dnat to 10.100.0.2:3478; # Headscale DERP (udp)
+ # iifname "enp0s4" udp dport 10000 dnat to 10.100.0.2:10000; # Headscale DERP (udp)
 iifname "enp0s4" tcp dport 4443 dnat to 10.100.0.2:4443; # Jitsi
 }
 }
@@ -62,9 +62,9 @@
 { sourcePort = 443; proto = "tcp"; destination = "10.100.0.2:443"; } # HTTPS
 { sourcePort = 42420; proto = "tcp"; destination = "10.100.0.2:42420"; } # Vintage Story
 { sourcePort = 25565; proto = "tcp"; destination = "10.100.0.2:25565"; } # Minecraft
- { sourcePort = 1443; proto = "tcp"; destination = "10.100.0.2:1443"; } # Headscale DERP (tcp)
- { sourcePort = 3478; proto = "udp"; destination = "10.100.0.2:3478"; } # Headscale DERP (udp)
- { sourcePort = 10000; proto = "udp"; destination = "10.100.0.2:10000"; } # Headscale DERP (udp)
+ # { sourcePort = 1443; proto = "tcp"; destination = "10.100.0.2:1443"; } # Headscale DERP (tcp)
+ # { sourcePort = 3478; proto = "udp"; destination = "10.100.0.2:3478"; } # Headscale DERP (udp)
+ # { sourcePort = 10000; proto = "udp"; destination = "10.100.0.2:10000"; } # Headscale DERP (udp)
 { sourcePort = 4443; proto = "tcp"; destination = "10.100.0.2:4443"; } # Jitsi
 ];
 };
diff --git a/nixos/hosts/osaka-linode-01/podman.nix b/nixos/hosts/osaka-linode-01/podman.nix
new file mode 100644
index 00000000..fb77cb10
--- /dev/null
+++ b/nixos/hosts/osaka-linode-01/podman.nix
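Review bot: The three DERP DNAT rules in the `enp0s4` prerouting block are commented out rather than deleted, and the matching `forwardPorts` entries in the hunk at -62 are treated the same way; git history already keeps the old rules, so removing the six lines outright leaves the ruleset readable. Now that the relay publishes 1443/tcp and 3478/udp on this host instead of being forwarded to 10.100.0.2, the host's own input chain has to accept those ports, and whether that allow exists (via `networking.firewall.allowedTCPPorts`/`allowedUDPPorts`, or by relying on podman's published-port NAT rules) is not visible in either hunk — please confirm it rather than assume it. The 10000/udp forward is dropped with no published-port counterpart in the new container, which looks intentional but deserves a line in the commit message. Both hunks sit inside an nftables ruleset string and a `forwardPorts` list whose start and end lie outside the hunk.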
@@ -0,0 +1,21 @@
+{ lib, pkgs, ... }: {
+
+ # Runtime
+ virtualisation.podman = {
+ enable = true;
+ autoPrune.enable = true;
+ dockerCompat = true;
+ defaultNetwork.settings = {
+ # Required for container networking to be able to use names.
+ dns_enabled = true;
+ };
+ };
+ virtualisation.oci-containers.backend = "podman";
+
+ # Containers
+ imports = [
+ ./podman/derp.nix
+ ];
+
+ environment.systemPackages = [ pkgs.ctop ];
+}
diff --git a/nixos/hosts/osaka-linode-01/podman/derp.nix b/nixos/hosts/osaka-linode-01/podman/derp.nix
new file mode 100644
index 00000000..eadb21d9
--- /dev/null
+++ b/nixos/hosts/osaka-linode-01/podman/derp.nix
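Review bot: The `virtualisation.podman` block and `virtualisation.oci-containers.backend` defined here are repeated verbatim in `podman/derp.nix` (the next hunk), so the container runtime is configured in two places; the module system accepts identical definitions, but a later change to one copy silently diverges from the other. Since this file is the host's runtime module and already imports the container definitions, keep the runtime settings only here and drop the duplicate from `podman/derp.nix`. The `lib` argument is unused in this file and can be removed from `{ lib, pkgs, ... }:`. The `# Containers` comment heads an `imports` list, so `# Container definitions` (or moving `imports` to the top of the attribute set, where NixOS modules conventionally place it) would read more clearly.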
@@ -0,0 +1,88 @@
+# Auto-generated using compose2nix v0.1.7.
+{ pkgs, lib, ... }: {
+ services.cron = {
+ enable = true;
+ systemCronJobs = [
+ ''0 0 * * * root rsync -avr root@framework-server:/Storage/Data/Docker/sysctl.io/letsencrypt/ /Storage/Data/Docker/sysctl.io/letsencrypt/''
+ ];
+ };
+
+ # Runtime
+ virtualisation.podman = {
+ enable = true;
+ autoPrune.enable = true;
+ dockerCompat = true;
+ defaultNetwork.settings = {
+ # Required for container networking to be able to use names.
+ dns_enabled = true;
+ };
+ };
+ virtualisation.oci-containers.backend = "podman";
+
+ # Containers
+ virtualisation.oci-containers.containers."headscale-derp" = {
+ image = "fredliang/derper";
+ environment = {
+ DERP_ADDR = ":1443";
+ DERP_CERT_DIR = "/app/certs";
+ DERP_CERT_MODE = "manual";
+ DERP_DOMAIN = "sysctl.io";
+ DERP_STUN = "true";
+ };
+ volumes = [
+ "/Storage/Data/Docker/sysctl.io/letsencrypt/external/certificates/certs/*.sysctl.io.crt:/app/certs/sysctl.io.crt:ro"
+ "/Storage/Data/Docker/sysctl.io/letsencrypt/external/certificates/private/*.sysctl.io.key:/app/certs/sysctl.io.key:ro"
+ ];
+ ports = [
+ "3478:3478/udp"
+ "1443:1443/tcp"
+ ];
+ log-driver = "journald";
+ extraOptions = [
+ "--network-alias=headscale-derp"
+ "--network=headscale-default"
+ ];
+ };
+ systemd.services."podman-headscale-derp" = {
+ serviceConfig = {
+ Restart = lib.mkOverride 500 "always";
+ };
+ after = [
+ "podman-network-headscale-default.service"
+ ];
+ requires = [
+ "podman-network-headscale-default.service"
+ ];
+ partOf = [
+ "podman-compose-headscale-root.target"
+ ];
+ wantedBy = [
+ "podman-compose-headscale-root.target"
+ ];
+ };
+
+ # Networks
+ systemd.services."podman-network-headscale-default" = {
+ path = [ pkgs.podman ];
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ ExecStop = "${pkgs.podman}/bin/podman network rm -f headscale-default";
+ };
+ script = ''
+ podman network inspect headscale-default || podman network create headscale-default --opt isolate=true
+ '';
+ partOf = [ "podman-compose-headscale-root.target" ];
+ wantedBy = [ "podman-compose-headscale-root.target" ];
+ };
+
+ # Root service
+ # When started, this will automatically create all resources and start
+ # the containers. When stopped, this will teardown all resources.
+ systemd.targets."podman-compose-headscale-root" = {
+ unitConfig = {
+ Description = "Root target generated by compose2nix.";
+ };
+ wantedBy = [ "multi-user.target" ];
+ };
+}
diff --git a/nixos/hosts/piaware-rpi4/podman/piaware.nix b/nixos/hosts/piaware-rpi4/podman/piaware.nix
index f17a694d..aa6d66d5 100644
--- a/nixos/hosts/piaware-rpi4/podman/piaware.nix
+++ b/nixos/hosts/piaware-rpi4/podman/piaware.nix
@@ -1,7 +1,5 @@
 # Auto-generated using compose2nix v0.1.6.
-{ pkgs, lib, ... }:
-
-{
+{ pkgs, lib, ... }: {
 # Containers
 virtualisation.oci-containers.containers."piaware" = {
 image = "ghcr.io/sdr-enthusiasts/docker-piaware:latest";
@@ -54,4 +52,4 @@
 };
 wantedBy = [ "multi-user.target" ];
 };
-}
\ No newline at end of file
+}
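Review bot: The two `volumes` entries bind-mount paths that contain a shell wildcard (`…/certs/*.sysctl.io.crt` and `…/private/*.sysctl.io.key`), but oci-containers hands each entry to `podman run -v` as a quoted argument, so the `*` is never expanded and the container will not find a certificate at `/app/certs/sysctl.io.crt`; mount the resolved file names, or the whole `certs/` and `private/` directories with `DERP_CERT_DIR` pointing at a layout derper expects. The `systemCronJobs` rsync refreshes the certificate and private key nightly as root, yet nothing restarts `podman-headscale-derp.service` afterwards, so if derper reads the key pair once at start-up in manual cert mode the relay keeps serving the expired certificate — append `&& systemctl try-restart podman-headscale-derp.service` to the job, or replace the cron entry with a systemd timer whose service does the copy and restart. The copy is a root-to-root SSH pull with no host-key pinning visible in this file (e.g. `programs.ssh.knownHosts` for framework-server); confirm it is configured elsewhere, since a first-connection prompt under cron simply fails while a later key change goes unnoticed. Minor: `-r` is already implied by `-a`, and the `# Runtime` block duplicates what `podman.nix` in this same commit already sets.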