Move the DERP relay directly to Linode
This commit is contained in:
parent
47afb016be
commit
1269eb6614
6 changed files with 125 additions and 13 deletions
|
@ -21,7 +21,11 @@
|
|||
];
|
||||
|
||||
# backups-rpi4 cron job to back up sysctl.io's Docker files
|
||||
users.users.root.openssh.authorizedKeys.keys = [ ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKp2wgqFcr0LGaUXbom88/zK2631pysePUWIaCMljT0K root@backups-rpi4'' ];
|
||||
# osaka-linode-01 cron job to copy certs for the DERP relay
|
||||
users.users.root.openssh.authorizedKeys.keys = [
|
||||
''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKp2wgqFcr0LGaUXbom88/zK2631pysePUWIaCMljT0K root@backups-rpi4''
|
||||
''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKkNFdEcYIrjss1Nz0tU/AX89hUMmxB/Vabvsa7A6E2K root@osaka-linode-01''
|
||||
];
|
||||
services.openssh.settings.PermitRootLogin = lib.mkForce "prohibit-password";
|
||||
|
||||
boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "thunderbolt" "sd_mod" "uas" ];
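Review bot: The new `root@osaka-linode-01` entry in the authorized-keys list grants the internet-facing relay an unrestricted root shell on this host just so a nightly rsync can read a certificate directory, so a compromise of the relay becomes root here; `PermitRootLogin = "prohibit-password"` keeps password auth off but does not narrow what the key may run. Scope the key with authorized_keys options, e.g. `''restrict,from="<relay tailscale IP>",command="rrsync -ro /Storage/Data/Docker/sysctl.io/letsencrypt" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKkNFdEcYIrjss1Nz0tU/AX89hUMmxB/Vabvsa7A6E2K root@osaka-linode-01''` (rrsync ships with rsync), or invert the flow so this host pushes the two files to an unprivileged account on the relay and no inbound root access is needed at all. The old per-key comment for `backups-rpi4` was dropped when the list was rewritten; a one-line comment above each key (`# backups-rpi4: nightly backup of sysctl.io Docker files` / `# osaka-linode-01: read-only cert copy for the DERP relay`) keeps the purpose of each grant auditable.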
|
||||
|
|
|
@ -4,6 +4,7 @@
|
|||
../../common/services/tailscale-autoconnect.nix
|
||||
./firewall.nix
|
||||
./wireguard.nix
|
||||
./podman.nix
|
||||
];
|
||||
|
||||
boot.initrd.availableKernelModules = [ "virtio_pci" "virtio_scsi" "ahci" "sd_mod" ];
|
||||
|
|
|
@ -38,9 +38,9 @@
|
|||
iifname "enp0s4" tcp dport 443 dnat to 10.100.0.2:443; # HTTPS
|
||||
iifname "enp0s4" tcp dport 42420 dnat to 10.100.0.2:42420; # Vintage Story
|
||||
iifname "enp0s4" tcp dport 25565 dnat to 10.100.0.2:25565; # Minecraft
|
||||
iifname "enp0s4" tcp dport 1443 dnat to 10.100.0.2:1443; # Headscale DERP (tcp)
|
||||
iifname "enp0s4" udp dport 3478 dnat to 10.100.0.2:3478; # Headscale DERP (udp)
|
||||
iifname "enp0s4" udp dport 10000 dnat to 10.100.0.2:10000; # Headscale DERP (udp)
|
||||
# iifname "enp0s4" tcp dport 1443 dnat to 10.100.0.2:1443; # Headscale DERP (tcp)
|
||||
# iifname "enp0s4" udp dport 3478 dnat to 10.100.0.2:3478; # Headscale DERP (udp)
|
||||
# iifname "enp0s4" udp dport 10000 dnat to 10.100.0.2:10000; # Headscale DERP (udp)
|
||||
iifname "enp0s4" tcp dport 4443 dnat to 10.100.0.2:4443; # Jitsi
|
||||
}
|
||||
}
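Review bot: The three DERP DNAT rules are left commented out rather than removed, with nothing saying why; since the relay now runs on the Linode itself, either delete them or annotate them with `# DERP relay moved to osaka-linode-01 (podman/derp.nix); no longer forwarded to 10.100.0.2` so the next reader does not re-enable them. This hunk only shows the dnat chain, so I cannot see whether the host's input/forward filtering now admits 1443/tcp and 3478/udp on enp0s4 for the local container; podman's published ports do not by themselves open a restrictive nftables ruleset, so confirm those two ports are accepted for the host before relying on the relay. The enclosing table and chain start outside the hunk.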
|
||||
|
@ -62,9 +62,9 @@
|
|||
{ sourcePort = 443; proto = "tcp"; destination = "10.100.0.2:443"; } # HTTPS
|
||||
{ sourcePort = 42420; proto = "tcp"; destination = "10.100.0.2:42420"; } # Vintage Story
|
||||
{ sourcePort = 25565; proto = "tcp"; destination = "10.100.0.2:25565"; } # Minecraft
|
||||
{ sourcePort = 1443; proto = "tcp"; destination = "10.100.0.2:1443"; } # Headscale DERP (tcp)
|
||||
{ sourcePort = 3478; proto = "udp"; destination = "10.100.0.2:3478"; } # Headscale DERP (udp)
|
||||
{ sourcePort = 10000; proto = "udp"; destination = "10.100.0.2:10000"; } # Headscale DERP (udp)
|
||||
# { sourcePort = 1443; proto = "tcp"; destination = "10.100.0.2:1443"; } # Headscale DERP (tcp)
|
||||
# { sourcePort = 3478; proto = "udp"; destination = "10.100.0.2:3478"; } # Headscale DERP (udp)
|
||||
# { sourcePort = 10000; proto = "udp"; destination = "10.100.0.2:10000"; } # Headscale DERP (udp)
|
||||
{ sourcePort = 4443; proto = "tcp"; destination = "10.100.0.2:4443"; } # Jitsi
|
||||
];
|
||||
};
|
||||
|
|
21
nixos/hosts/osaka-linode-01/podman.nix
Normal file
21
nixos/hosts/osaka-linode-01/podman.nix
Normal file
|
@ -0,0 +1,21 @@
|
|||
{ lib, pkgs, ... }: {
|
||||
|
||||
# Runtime
|
||||
virtualisation.podman = {
|
||||
enable = true;
|
||||
autoPrune.enable = true;
|
||||
dockerCompat = true;
|
||||
defaultNetwork.settings = {
|
||||
# Required for container networking to be able to use names.
|
||||
dns_enabled = true;
|
||||
};
|
||||
};
|
||||
virtualisation.oci-containers.backend = "podman";
|
||||
|
||||
# Containers
|
||||
imports = [
|
||||
./podman/derp.nix
|
||||
];
|
||||
|
||||
environment.systemPackages = [ pkgs.ctop ];
|
||||
}
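Review bot: The runtime block here (`virtualisation.podman = { … }` and `virtualisation.oci-containers.backend = "podman";`) is repeated verbatim in `./podman/derp.nix`, which this file imports; the NixOS module system merges identical values so it evaluates, but two copies will drift and a conflicting edit in one would only surface as an evaluation error. Keep the runtime settings in this file only and leave `derp.nix` to declare the container, network and target it is named for. A header comment such as `# Podman runtime shared by all containers on osaka-linode-01; per-container units live under ./podman/` would make that split explicit.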
|
88
nixos/hosts/osaka-linode-01/podman/derp.nix
Normal file
88
nixos/hosts/osaka-linode-01/podman/derp.nix
Normal file
|
@ -0,0 +1,88 @@
|
|||
# Auto-generated using compose2nix v0.1.7.
|
||||
{ pkgs, lib, ... }: {
|
||||
services.cron = {
|
||||
enable = true;
|
||||
systemCronJobs = [
|
||||
''0 0 * * * root rsync -avr root@framework-server:/Storage/Data/Docker/sysctl.io/letsencrypt/ /Storage/Data/Docker/sysctl.io/letsencrypt/''
|
||||
];
|
||||
};
|
||||
|
||||
# Runtime
|
||||
virtualisation.podman = {
|
||||
enable = true;
|
||||
autoPrune.enable = true;
|
||||
dockerCompat = true;
|
||||
defaultNetwork.settings = {
|
||||
# Required for container networking to be able to use names.
|
||||
dns_enabled = true;
|
||||
};
|
||||
};
|
||||
virtualisation.oci-containers.backend = "podman";
|
||||
|
||||
# Containers
|
||||
virtualisation.oci-containers.containers."headscale-derp" = {
|
||||
image = "fredliang/derper";
|
||||
environment = {
|
||||
DERP_ADDR = ":1443";
|
||||
DERP_CERT_DIR = "/app/certs";
|
||||
DERP_CERT_MODE = "manual";
|
||||
DERP_DOMAIN = "sysctl.io";
|
||||
DERP_STUN = "true";
|
||||
};
|
||||
volumes = [
|
||||
"/Storage/Data/Docker/sysctl.io/letsencrypt/external/certificates/certs/*.sysctl.io.crt:/app/certs/sysctl.io.crt:ro"
|
||||
"/Storage/Data/Docker/sysctl.io/letsencrypt/external/certificates/private/*.sysctl.io.key:/app/certs/sysctl.io.key:ro"
|
||||
];
|
||||
ports = [
|
||||
"3478:3478/udp"
|
||||
"1443:1443/tcp"
|
||||
];
|
||||
log-driver = "journald";
|
||||
extraOptions = [
|
||||
"--network-alias=headscale-derp"
|
||||
"--network=headscale-default"
|
||||
];
|
||||
};
|
||||
systemd.services."podman-headscale-derp" = {
|
||||
serviceConfig = {
|
||||
Restart = lib.mkOverride 500 "always";
|
||||
};
|
||||
after = [
|
||||
"podman-network-headscale-default.service"
|
||||
];
|
||||
requires = [
|
||||
"podman-network-headscale-default.service"
|
||||
];
|
||||
partOf = [
|
||||
"podman-compose-headscale-root.target"
|
||||
];
|
||||
wantedBy = [
|
||||
"podman-compose-headscale-root.target"
|
||||
];
|
||||
};
|
||||
|
||||
# Networks
|
||||
systemd.services."podman-network-headscale-default" = {
|
||||
path = [ pkgs.podman ];
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
RemainAfterExit = true;
|
||||
ExecStop = "${pkgs.podman}/bin/podman network rm -f headscale-default";
|
||||
};
|
||||
script = ''
|
||||
podman network inspect headscale-default || podman network create headscale-default --opt isolate=true
|
||||
'';
|
||||
partOf = [ "podman-compose-headscale-root.target" ];
|
||||
wantedBy = [ "podman-compose-headscale-root.target" ];
|
||||
};
|
||||
|
||||
# Root service
|
||||
# When started, this will automatically create all resources and start
|
||||
# the containers. When stopped, this will teardown all resources.
|
||||
systemd.targets."podman-compose-headscale-root" = {
|
||||
unitConfig = {
|
||||
Description = "Root target generated by compose2nix.";
|
||||
};
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
};
|
||||
}
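Review bot: `image = "fredliang/derper";` is an untagged third-party rebuild of Tailscale's derper, so every restart of `podman-headscale-derp` pulls whatever `latest` currently is and runs it as root on an internet-facing host with the `*.sysctl.io` private key bind-mounted in; pin it by digest (`image = "fredliang/derper@sha256:<digest>";`) or build derper from the tailscale source so the relay's code is reproducible. Mounting the wildcard key means a relay compromise exposes a key valid for every sysctl.io name, and a `*.sysctl.io` certificate only matches `DERP_DOMAIN = "sysctl.io"` if the apex is also present as a SAN (worth confirming), so a dedicated certificate for the relay's own hostname would both limit the blast radius and remove that ambiguity. The nightly rsync refreshes the files on disk, but if this derper version loads the manual-mode certificate only at startup the container will keep serving the old one until restarted, so the cron line should be followed by `systemctl restart podman-headscale-derp.service` (or the job moved to a systemd timer that does so). The `*` in the two volume sources is passed literally — podman does not expand globs — which only works because the cert dumper names wildcard files that way; a comment such as `# literal "*.sysctl.io.crt" filename as written by the cert dumper, not a glob` above the volumes would save the next maintainer from "fixing" it.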
|
|
@ -1,7 +1,5 @@
|
|||
# Auto-generated using compose2nix v0.1.6.
|
||||
{ pkgs, lib, ... }:
|
||||
|
||||
{
|
||||
{ pkgs, lib, ... }: {
|
||||
# Containers
|
||||
virtualisation.oci-containers.containers."piaware" = {
|
||||
image = "ghcr.io/sdr-enthusiasts/docker-piaware:latest";
|
||||
|
|