Cleanup/Update
This commit is contained in:
parent
95b34da889
commit
17e8380f7e
8 changed files with 32 additions and 146 deletions
@ -39,13 +39,13 @@ sudo ssh-to-pgp \
|
||||||
echo ">>> Setting up SSH Keys..... "
|
echo ">>> Setting up SSH Keys..... "
|
||||||
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519 -N ""
|
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519 -N ""
|
||||||
echo "" >> ./keys/ssh/keys.txt
|
echo "" >> ./keys/ssh/keys.txt
|
||||||
echo "# `whoami`@`hostname`" >> ./keys/ssh/keys.txt
|
echo "# (`date`) `whoami`@`hostname`" >> ./keys/ssh/keys.txt
|
||||||
cat /home/albert/.ssh/id_ed25519.pub >> ./keys/ssh/keys.txt
|
cat /home/albert/.ssh/id_ed25519.pub >> ./keys/ssh/keys.txt
|
||||||
|
|
||||||
echo ">>> Setting up Distributed Build SSH Keys..... "
|
echo ">>> Setting up Distributed Build SSH Keys..... "
|
||||||
sudo ssh-keygen -t ed25519 -f /root/.ssh/id_ed25519 -N ""
|
sudo ssh-keygen -t ed25519 -f /root/.ssh/id_ed25519 -N ""
|
||||||
echo "" >> ./keys/ssh/builder-keys.txt
|
echo "" >> ./keys/ssh/builder-keys.txt
|
||||||
echo "# root@`hostname`" >> ./keys/ssh/builder-keys.txt
|
echo "# (`date`) root@`hostname`" >> ./keys/ssh/builder-keys.txt
|
||||||
sudo cat /root/.ssh/id_ed25519.pub >> ./keys/ssh/builder-keys.txt
|
sudo cat /root/.ssh/id_ed25519.pub >> ./keys/ssh/builder-keys.txt
|
||||||
|
|
||||||
# Add all changes to git and and push
|
# Add all changes to git and and push
|
||||||
|
|
|
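Review bot: The public key appended by `cat /home/albert/.ssh/id_ed25519.pub >> ./keys/ssh/keys.txt` is read from a hard-coded home directory, while the key itself is generated under `~/.ssh` by the `ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519` line above it, so running the script as another user (or with a different HOME) appends the wrong key or fails after the `# (date) user@host` header has already been written. Use the same expansion in both places, `cat ~/.ssh/id_ed25519.pub >> ./keys/ssh/keys.txt`, and chain the header write and the key write with `&&` so a missing key cannot leave a dangling header line in keys.txt. Separately, the root builder key created by `sudo ssh-keygen ... -N ""` has no passphrase and its public half goes into builder-keys.txt without any authorized_keys options, and that file is later installed as an authorized key for the primary user on other hosts. Consider prefixing the appended line with `restrict,from="<builder-host-pattern>" ` (placeholder to be filled in) so the unencrypted key is only usable from the build hosts. The surrounding script starts before this hunk.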
@ -10,7 +10,7 @@
|
||||||
services.gitea-actions-runner.instances."${hostname}" = {
|
services.gitea-actions-runner.instances."${hostname}" = {
|
||||||
enable = true;
|
enable = true;
|
||||||
name = "${hostname}";
|
name = "${hostname}";
|
||||||
labels = [ "nixos" ];
|
labels = [ "host://-self-hosted" ];
|
||||||
url = "https://git.sysctl.io";
|
url = "https://git.sysctl.io";
|
||||||
tokenFile = "/run/secrets/services/forgejo_token";
|
tokenFile = "/run/secrets/services/forgejo_token";
|
||||||
};
|
};
|
||||||
|
|
|
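Review bot: The label value `host://-self-hosted` does not match act_runner's label syntax, which as far as I know is `name[:scheme[:arg]]` (e.g. `self-hosted:host` or `ubuntu-latest:docker://...`), so — assuming that line is the new side of the change — the runner would register with a malformed label or reject the configuration, and `self-hosted:host` was presumably intended. If a `host`-scheme label is what is wanted, jobs then run directly on this machine as the runner's service user with no container boundary, so the runner should only be attached to repositories whose workflows are trusted; a one-line comment above the label, `# host scheme: jobs execute directly on this host, not in a container`, would make that visible to the next maintainer. The enclosing attribute set starts before this hunk.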
@ -1,5 +1,6 @@
|
||||||
{ inputs, config, lib, pkgs, modulesPath, desktop, username, ... }: {
|
{ inputs, config, lib, pkgs, modulesPath, desktop, username, ... }: {
|
||||||
# Testing remote builldings
|
# For remote builds
|
||||||
|
# see home-manager: bash.nix: nixos-rebuild-remote
|
||||||
users.users.${username}.openssh.authorizedKeys.keyFiles = [ ../../../keys/ssh/builder-keys.txt ];
|
users.users.${username}.openssh.authorizedKeys.keyFiles = [ ../../../keys/ssh/builder-keys.txt ];
|
||||||
|
|
||||||
# For cross-architecture builds
|
# For cross-architecture builds
|
||||||
|
|
|
@ -6,4 +6,13 @@
|
||||||
networking.hostName = "nixos-iso-console";
|
networking.hostName = "nixos-iso-console";
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = [ 22 ];
|
networking.firewall.allowedTCPPorts = [ 22 ];
|
||||||
|
|
||||||
|
# Allow passworded ssh
|
||||||
|
services.openssh = {
|
||||||
|
enable = true;
|
||||||
|
openFirewall = false;
|
||||||
|
settings = {
|
||||||
|
PermitRootLogin = "no";
|
||||||
|
PasswordAuthentication = mkForce true;
|
||||||
|
};
|
||||||
}
|
}
|
||||||
|
|
|
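Review bot: `PasswordAuthentication = mkForce true;` uses `mkForce` unqualified; unless the file's header at line 1 (outside this hunk) opens with `with lib;` or inherits it, evaluation fails with an undefined-variable error, so the safer form is `PasswordAuthentication = lib.mkForce true;`. The same line appears in the nixos-iso-desktop and nixos-rpi4-img sections below. Forcing password authentication on while `networking.firewall.allowedTCPPorts = [ 22 ];` is kept means these images accept password logins from any network they are booted on; if that is intended for the console installer, a comment naming the account that actually has a password set, together with `AllowUsers` in `settings` limiting logins to it, would document the exposure, and for the persistent rpi4 image it may be worth leaving the option at its default. The enclosing attribute set starts before this hunk.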
@ -6,4 +6,13 @@
|
||||||
networking.hostName = "nixos-iso-desktop";
|
networking.hostName = "nixos-iso-desktop";
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = [ 22 ];
|
networking.firewall.allowedTCPPorts = [ 22 ];
|
||||||
|
|
||||||
|
# Allow passworded ssh
|
||||||
|
services.openssh = {
|
||||||
|
enable = true;
|
||||||
|
openFirewall = false;
|
||||||
|
settings = {
|
||||||
|
PermitRootLogin = "no";
|
||||||
|
PasswordAuthentication = mkForce true;
|
||||||
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -6,4 +6,13 @@
|
||||||
# nixpkgs.crossSystem.system = "armv7l-linux";
|
# nixpkgs.crossSystem.system = "armv7l-linux";
|
||||||
networking.hostName = "nixos-rpi4-img";
|
networking.hostName = "nixos-rpi4-img";
|
||||||
networking.firewall.allowedTCPPorts = [ 22 ];
|
networking.firewall.allowedTCPPorts = [ 22 ];
|
||||||
|
|
||||||
|
# Allow passworded ssh
|
||||||
|
services.openssh = {
|
||||||
|
enable = true;
|
||||||
|
openFirewall = false;
|
||||||
|
settings = {
|
||||||
|
PermitRootLogin = "no";
|
||||||
|
PasswordAuthentication = mkForce true;
|
||||||
|
};
|
||||||
}
|
}
|
|
@ -1,136 +0,0 @@
|
||||||
{ config, lib, pkgs, ... }: {
|
|
||||||
networking.firewall.allowedUDPPorts = [
|
|
||||||
3478 # Headscale DERP UDP
|
|
||||||
10000 # Jitsi
|
|
||||||
];
|
|
||||||
networking.firewall.allowedTCPPorts = [
|
|
||||||
80 # HTTP
|
|
||||||
443 # HTTPS
|
|
||||||
25 # SMTP (explicit TLS => STARTTLS)
|
|
||||||
465 # ESMTP (implicit TLS)
|
|
||||||
587 # ESMTP (explicit TLS => STARTTLS)
|
|
||||||
143 # IMAP4 (explicit TLS => STARTTLS)
|
|
||||||
993 # IMAP4 (implicit TLS)
|
|
||||||
4190 # Sieve support
|
|
||||||
42420 # Vintage Story
|
|
||||||
25565 # Minecraft
|
|
||||||
1443 # Headscale DERP
|
|
||||||
4443 # jitsi-jvb
|
|
||||||
5222 # Jitsi
|
|
||||||
5347 # Jitsi
|
|
||||||
5280 # Jitsi
|
|
||||||
];
|
|
||||||
networking.firewall.extraCommands = ''
|
|
||||||
iptables -t nat -A PREROUTING -d 172.234.84.222 -j DNAT --to-destination 10.100.0.2
|
|
||||||
iptables -t nat -A POSTROUTING -s 10.100.0.2 -j SNAT --to-source 172.234.84.222
|
|
||||||
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
|
|
||||||
|
|
||||||
# PORT 10000
|
|
||||||
iptables -t nat -A PREROUTING -p udp --dport 10000 -j DNAT --to-destination 10.100.0.2
|
|
||||||
iptables -t nat -A POSTROUTING -p udp --dport 10000 -j MASQUERADE
|
|
||||||
|
|
||||||
# PORT 3478
|
|
||||||
iptables -t nat -A PREROUTING -p udp --dport 3478 -j DNAT --to-destination 10.100.0.2
|
|
||||||
iptables -t nat -A POSTROUTING -p udp --dport 3478 -j MASQUERADE
|
|
||||||
|
|
||||||
# PORT 4443
|
|
||||||
iptables -t nat -A PREROUTING -p tcp --dport 4443 -j DNAT --to-destination 10.100.0.2
|
|
||||||
iptables -t nat -A POSTROUTING -p tcp --dport 4443 -j MASQUERADE
|
|
||||||
|
|
||||||
# PORT 5222
|
|
||||||
iptables -t nat -A PREROUTING -p tcp --dport 5222 -j DNAT --to-destination 10.100.0.2
|
|
||||||
iptables -t nat -A POSTROUTING -p tcp --dport 5222 -j MASQUERADE
|
|
||||||
|
|
||||||
# PORT 5347
|
|
||||||
iptables -t nat -A PREROUTING -p tcp --dport 5347 -j DNAT --to-destination 10.100.0.2
|
|
||||||
iptables -t nat -A POSTROUTING -p tcp --dport 5347 -j MASQUERADE
|
|
||||||
|
|
||||||
# PORT 5280
|
|
||||||
iptables -t nat -A PREROUTING -p tcp --dport 5280 -j DNAT --to-destination 10.100.0.2
|
|
||||||
iptables -t nat -A POSTROUTING -p tcp --dport 5280 -j MASQUERADE
|
|
||||||
'';
|
|
||||||
|
|
||||||
services.xinetd = {
|
|
||||||
enable = true;
|
|
||||||
services = [
|
|
||||||
{
|
|
||||||
name = "http";
|
|
||||||
server = "/usr/bin/env"; # Placeholder.
|
|
||||||
extraConfig = "redirect = 10.100.0.2 80";
|
|
||||||
}
|
|
||||||
{
|
|
||||||
name = "https";
|
|
||||||
server = "/usr/bin/env"; # Placeholder.
|
|
||||||
extraConfig = "redirect = 10.100.0.2 443";
|
|
||||||
}
|
|
||||||
{
|
|
||||||
name = "minecraft";
|
|
||||||
port = 25565;
|
|
||||||
protocol = "tcp";
|
|
||||||
unlisted = true;
|
|
||||||
server = "/usr/bin/env"; # Placeholder.
|
|
||||||
extraConfig = "redirect = 10.100.0.2 25565";
|
|
||||||
}
|
|
||||||
{
|
|
||||||
name = "vintage-story";
|
|
||||||
port = 42420;
|
|
||||||
protocol = "tcp";
|
|
||||||
unlisted = true;
|
|
||||||
server = "/usr/bin/env"; # Placeholder.
|
|
||||||
extraConfig = "redirect = 10.100.0.2 42420";
|
|
||||||
}
|
|
||||||
|
|
||||||
################################################ mail
|
|
||||||
{
|
|
||||||
name = "mail 25";
|
|
||||||
port = 25;
|
|
||||||
protocol = "tcp";
|
|
||||||
unlisted = true;
|
|
||||||
server = "/usr/bin/env"; # Placeholder.
|
|
||||||
extraConfig = "redirect = 10.100.0.2 25";
|
|
||||||
}
|
|
||||||
{
|
|
||||||
name = "mail 465";
|
|
||||||
port = 465;
|
|
||||||
protocol = "tcp";
|
|
||||||
unlisted = true;
|
|
||||||
server = "/usr/bin/env"; # Placeholder.
|
|
||||||
extraConfig = "redirect = 10.100.0.2 465";
|
|
||||||
}
|
|
||||||
{
|
|
||||||
name = "mail 587";
|
|
||||||
port = 587;
|
|
||||||
protocol = "tcp";
|
|
||||||
unlisted = true;
|
|
||||||
server = "/usr/bin/env"; # Placeholder.
|
|
||||||
extraConfig = "redirect = 10.100.0.2 587";
|
|
||||||
}
|
|
||||||
{
|
|
||||||
name = "mail 143";
|
|
||||||
port = 143;
|
|
||||||
protocol = "tcp";
|
|
||||||
unlisted = true;
|
|
||||||
server = "/usr/bin/env"; # Placeholder.
|
|
||||||
extraConfig = "redirect = 10.100.0.2 143";
|
|
||||||
}
|
|
||||||
{
|
|
||||||
name = "mail 993";
|
|
||||||
port = 993;
|
|
||||||
protocol = "tcp";
|
|
||||||
unlisted = true;
|
|
||||||
server = "/usr/bin/env"; # Placeholder.
|
|
||||||
extraConfig = "redirect = 10.100.0.2 993";
|
|
||||||
}
|
|
||||||
{
|
|
||||||
name = "mail 4190";
|
|
||||||
port = 4190;
|
|
||||||
protocol = "tcp";
|
|
||||||
unlisted = true;
|
|
||||||
server = "/usr/bin/env"; # Placeholder.
|
|
||||||
extraConfig = "redirect = 10.100.0.2 4190";
|
|
||||||
}
|
|
||||||
################################################ /mail
|
|
||||||
|
|
||||||
];
|
|
||||||
};
|
|
||||||
}
|
|
|
@ -1,6 +0,0 @@
|
||||||
{ config, desktop, lib, pkgs, ... }: {
|
|
||||||
# Define a user account.
|
|
||||||
users.users.root = {
|
|
||||||
openssh.authorizedKeys.keyFiles = [ ../../../keys/ssh/keys.txt ];
|
|
||||||
};
|
|
||||||
}
|
|