Move the DERP relay directly to Linode
This commit is contained in:
parent
47afb016be
commit
1269eb6614
6 changed files with 125 additions and 13 deletions
|
@ -20,8 +20,12 @@
|
||||||
pkgs.distrobox
|
pkgs.distrobox
|
||||||
];
|
];
|
||||||
|
|
||||||
# backups-rpi4 cron job to back up sysctl.io's Docker files
|
# backups-rpi4 cron job to back up sysctl.io's Docker files
|
||||||
users.users.root.openssh.authorizedKeys.keys = [ ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKp2wgqFcr0LGaUXbom88/zK2631pysePUWIaCMljT0K root@backups-rpi4'' ];
|
# osaka-linode-01 cron job to copy certs for the DERP relay
|
||||||
|
users.users.root.openssh.authorizedKeys.keys = [
|
||||||
|
''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKp2wgqFcr0LGaUXbom88/zK2631pysePUWIaCMljT0K root@backups-rpi4''
|
||||||
|
''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKkNFdEcYIrjss1Nz0tU/AX89hUMmxB/Vabvsa7A6E2K root@osaka-linode-01''
|
||||||
|
];
|
||||||
services.openssh.settings.PermitRootLogin = lib.mkForce "prohibit-password";
|
services.openssh.settings.PermitRootLogin = lib.mkForce "prohibit-password";
|
||||||
|
|
||||||
boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "thunderbolt" "sd_mod" "uas" ];
|
boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "thunderbolt" "sd_mod" "uas" ];
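Review bot: The new `root@osaka-linode-01` key (fourth new line of the hunk) gives the DERP host unrestricted root SSH into this machine, although the comment above it says its only purpose is a cron job copying certificates; `PermitRootLogin = "prohibit-password"` still allows key-based root login. Restrict the key to that one task with authorized_keys options, e.g. `''restrict,command="rrsync -ro /Storage/Data/Docker/sysctl.io/letsencrypt" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKkNFdEcYIrjss1Nz0tU/AX89hUMmxB/Vabvsa7A6E2K root@osaka-linode-01''` (rrsync ships with rsync; whether the nixpkgs build puts it on sshd's PATH should be confirmed), or better, give the copy job a dedicated unprivileged user with read-only access to that directory. A `from="<address the relay connects from>"` option would further limit where the key is usable. The enclosing attribute set starts and ends outside the hunk.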
|
||||||
|
|
|
@ -4,6 +4,7 @@
|
||||||
../../common/services/tailscale-autoconnect.nix
|
../../common/services/tailscale-autoconnect.nix
|
||||||
./firewall.nix
|
./firewall.nix
|
||||||
./wireguard.nix
|
./wireguard.nix
|
||||||
|
./podman.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
boot.initrd.availableKernelModules = [ "virtio_pci" "virtio_scsi" "ahci" "sd_mod" ];
|
boot.initrd.availableKernelModules = [ "virtio_pci" "virtio_scsi" "ahci" "sd_mod" ];
|
||||||
|
@ -38,4 +39,4 @@
|
||||||
networking.hostName = "osaka-linode-01";
|
networking.hostName = "osaka-linode-01";
|
||||||
|
|
||||||
services.tailscale.extraUpFlags = [ "--advertise-exit-node" ];
|
services.tailscale.extraUpFlags = [ "--advertise-exit-node" ];
|
||||||
}
|
}
|
||||||
|
|
|
@ -38,9 +38,9 @@
|
||||||
iifname "enp0s4" tcp dport 443 dnat to 10.100.0.2:443; # HTTPS
|
iifname "enp0s4" tcp dport 443 dnat to 10.100.0.2:443; # HTTPS
|
||||||
iifname "enp0s4" tcp dport 42420 dnat to 10.100.0.2:42420; # Vintage Story
|
iifname "enp0s4" tcp dport 42420 dnat to 10.100.0.2:42420; # Vintage Story
|
||||||
iifname "enp0s4" tcp dport 25565 dnat to 10.100.0.2:25565; # Minecraft
|
iifname "enp0s4" tcp dport 25565 dnat to 10.100.0.2:25565; # Minecraft
|
||||||
iifname "enp0s4" tcp dport 1443 dnat to 10.100.0.2:1443; # Headscale DERP (tcp)
|
# iifname "enp0s4" tcp dport 1443 dnat to 10.100.0.2:1443; # Headscale DERP (tcp)
|
||||||
iifname "enp0s4" udp dport 3478 dnat to 10.100.0.2:3478; # Headscale DERP (udp)
|
# iifname "enp0s4" udp dport 3478 dnat to 10.100.0.2:3478; # Headscale DERP (udp)
|
||||||
iifname "enp0s4" udp dport 10000 dnat to 10.100.0.2:10000; # Headscale DERP (udp)
|
# iifname "enp0s4" udp dport 10000 dnat to 10.100.0.2:10000; # Headscale DERP (udp)
|
||||||
iifname "enp0s4" tcp dport 4443 dnat to 10.100.0.2:4443; # Jitsi
|
iifname "enp0s4" tcp dport 4443 dnat to 10.100.0.2:4443; # Jitsi
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -62,9 +62,9 @@
|
||||||
{ sourcePort = 443; proto = "tcp"; destination = "10.100.0.2:443"; } # HTTPS
|
{ sourcePort = 443; proto = "tcp"; destination = "10.100.0.2:443"; } # HTTPS
|
||||||
{ sourcePort = 42420; proto = "tcp"; destination = "10.100.0.2:42420"; } # Vintage Story
|
{ sourcePort = 42420; proto = "tcp"; destination = "10.100.0.2:42420"; } # Vintage Story
|
||||||
{ sourcePort = 25565; proto = "tcp"; destination = "10.100.0.2:25565"; } # Minecraft
|
{ sourcePort = 25565; proto = "tcp"; destination = "10.100.0.2:25565"; } # Minecraft
|
||||||
{ sourcePort = 1443; proto = "tcp"; destination = "10.100.0.2:1443"; } # Headscale DERP (tcp)
|
# { sourcePort = 1443; proto = "tcp"; destination = "10.100.0.2:1443"; } # Headscale DERP (tcp)
|
||||||
{ sourcePort = 3478; proto = "udp"; destination = "10.100.0.2:3478"; } # Headscale DERP (udp)
|
# { sourcePort = 3478; proto = "udp"; destination = "10.100.0.2:3478"; } # Headscale DERP (udp)
|
||||||
{ sourcePort = 10000; proto = "udp"; destination = "10.100.0.2:10000"; } # Headscale DERP (udp)
|
# { sourcePort = 10000; proto = "udp"; destination = "10.100.0.2:10000"; } # Headscale DERP (udp)
|
||||||
{ sourcePort = 4443; proto = "tcp"; destination = "10.100.0.2:4443"; } # Jitsi
|
{ sourcePort = 4443; proto = "tcp"; destination = "10.100.0.2:4443"; } # Jitsi
|
||||||
];
|
];
|
||||||
};
|
};
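Review bot: The six DERP rules across both hunks are commented out rather than deleted, leaving dead DNAT lines (including the 10000/udp one, which the new relay container does not publish at all) for the next reader to puzzle over; drop them and let git history carry the old configuration. Separately, these hunks remove the forward to 10.100.0.2, but nothing in the commit adds an input-accept for 1443/tcp and 3478/udp on enp0s4 for the now-local listener — if the input chain (outside these hunks) does not already permit them, the relay is unreachable from the internet. The enclosing nftables ruleset and the `forwardPorts` list both start outside the hunks.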
|
||||||
|
|
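--- a/nixos/hosts/osaka-linode-01/podman.nix
+++ b/nixos/hosts/osaka-linode-01/podman.nix
@@ -0,0 +1,21 @@
+{ lib, pkgs, ... }: {
+
+# Runtime
+virtualisation.podman = {
+enable = true;
+autoPrune.enable = true;
+dockerCompat = true;
+defaultNetwork.settings = {
+# Required for container networking to be able to use names.
+dns_enabled = true;
+};
+};
+virtualisation.oci-containers.backend = "podman";
+
+# Containers
+imports = [
+./podman/derp.nix
+];
+
+environment.systemPackages = [ pkgs.ctop ];
+}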
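Review bot: The `# Runtime` block here (`virtualisation.podman = { ... }` and `virtualisation.oci-containers.backend`) is declared a second time, with identical values, in the imported `./podman/derp.nix`; the identical definitions should merge cleanly, but one owner is clearer — keep it here and strip it from the generated derp.nix so that file holds only the container, network and target units compose2nix produced. `dockerCompat = true` only matters if something on this host invokes `docker`; nothing in this commit does, so consider leaving it out. `lib` is bound in the argument set but unused in this file.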
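--- a/nixos/hosts/osaka-linode-01/podman/derp.nix
+++ b/nixos/hosts/osaka-linode-01/podman/derp.nix
@@ -0,0 +1,88 @@
+# Auto-generated using compose2nix v0.1.7.
+{ pkgs, lib, ... }: {
+services.cron = {
+enable = true;
+systemCronJobs = [
+''0 0 * * * root rsync -avr root@framework-server:/Storage/Data/Docker/sysctl.io/letsencrypt/ /Storage/Data/Docker/sysctl.io/letsencrypt/''
+];
+};
+
+# Runtime
+virtualisation.podman = {
+enable = true;
+autoPrune.enable = true;
+dockerCompat = true;
+defaultNetwork.settings = {
+# Required for container networking to be able to use names.
+dns_enabled = true;
+};
+};
+virtualisation.oci-containers.backend = "podman";
+
+# Containers
+virtualisation.oci-containers.containers."headscale-derp" = {
+image = "fredliang/derper";
+environment = {
+DERP_ADDR = ":1443";
+DERP_CERT_DIR = "/app/certs";
+DERP_CERT_MODE = "manual";
+DERP_DOMAIN = "sysctl.io";
+DERP_STUN = "true";
+};
+volumes = [
+"/Storage/Data/Docker/sysctl.io/letsencrypt/external/certificates/certs/*.sysctl.io.crt:/app/certs/sysctl.io.crt:ro"
+"/Storage/Data/Docker/sysctl.io/letsencrypt/external/certificates/private/*.sysctl.io.key:/app/certs/sysctl.io.key:ro"
+];
+ports = [
+"3478:3478/udp"
+"1443:1443/tcp"
+];
+log-driver = "journald";
+extraOptions = [
+"--network-alias=headscale-derp"
+"--network=headscale-default"
+];
+};
+systemd.services."podman-headscale-derp" = {
+serviceConfig = {
+Restart = lib.mkOverride 500 "always";
+};
+after = [
+"podman-network-headscale-default.service"
+];
+requires = [
+"podman-network-headscale-default.service"
+];
+partOf = [
+"podman-compose-headscale-root.target"
+];
+wantedBy = [
+"podman-compose-headscale-root.target"
+];
+};
+
+# Networks
+systemd.services."podman-network-headscale-default" = {
+path = [ pkgs.podman ];
+serviceConfig = {
+Type = "oneshot";
+RemainAfterExit = true;
+ExecStop = "${pkgs.podman}/bin/podman network rm -f headscale-default";
+};
+script = ''
+podman network inspect headscale-default || podman network create headscale-default --opt isolate=true
+'';
+partOf = [ "podman-compose-headscale-root.target" ];
+wantedBy = [ "podman-compose-headscale-root.target" ];
+};
+
+# Root service
+# When started, this will automatically create all resources and start
+# the containers. When stopped, this will teardown all resources.
+systemd.targets."podman-compose-headscale-root" = {
+unitConfig = {
+Description = "Root target generated by compose2nix.";
+};
+wantedBy = [ "multi-user.target" ];
+};
+}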
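Review bot: The two `volumes` entries pass `*.sysctl.io.crt` and `*.sysctl.io.key` as literal host paths; podman does not glob-expand `-v` sources, so unless a file literally named `*.sysctl.io.crt` exists the mount delivers nothing useful (podman typically creates a missing bind source as an empty directory) and derper in `DERP_CERT_MODE = "manual"` finds no `/app/certs/sysctl.io.crt` — use the real filenames the issuer writes, e.g. `"/Storage/Data/Docker/sysctl.io/letsencrypt/external/certificates/certs/sysctl.io.crt:/app/certs/sysctl.io.crt:ro"`. The cron job mirrors the whole `letsencrypt/` tree (presumably every certificate and private key the issuer on framework-server holds) onto an internet-facing relay that needs one key pair; narrow the rsync source to the files the container mounts, and since it runs as root against `root@framework-server`, the matching authorized_keys entry on that side should be a forced-command, read-only one. No client-verification option is set in `environment`, so as written the relay will serve any client speaking the DERP protocol, i.e. an open relay others can route through; if the image exposes a verify-clients knob it is worth enabling, bearing in mind that derper's verification needs a tailscaled on the same host. `image = "fredliang/derper"` carries no tag or digest, so a restart after `autoPrune` may pull a different build — pin it. The `# Runtime` block duplicates the one in `../podman.nix` and can be dropped from this generated file.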
|
@ -1,7 +1,5 @@
|
||||||
# Auto-generated using compose2nix v0.1.6.
|
# Auto-generated using compose2nix v0.1.6.
|
||||||
{ pkgs, lib, ... }:
|
{ pkgs, lib, ... }: {
|
||||||
|
|
||||||
{
|
|
||||||
# Containers
|
# Containers
|
||||||
virtualisation.oci-containers.containers."piaware" = {
|
virtualisation.oci-containers.containers."piaware" = {
|
||||||
image = "ghcr.io/sdr-enthusiasts/docker-piaware:latest";
|
image = "ghcr.io/sdr-enthusiasts/docker-piaware:latest";
|
||||||
|
@ -54,4 +52,4 @@
|
||||||
};
|
};
|
||||||
wantedBy = [ "multi-user.target" ];
|
wantedBy = [ "multi-user.target" ];
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|