Cleanup/Update

This commit is contained in:
iFargle 2023-12-13 13:08:29 +09:00
parent 95b34da889
commit 17e8380f7e
8 changed files with 32 additions and 146 deletions


@ -39,13 +39,13 @@ sudo ssh-to-pgp \
echo ">>> Setting up SSH Keys..... " echo ">>> Setting up SSH Keys..... "
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519 -N "" ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519 -N ""
echo "" >> ./keys/ssh/keys.txt echo "" >> ./keys/ssh/keys.txt
echo "# `whoami`@`hostname`" >> ./keys/ssh/keys.txt echo "# (`date`) `whoami`@`hostname`" >> ./keys/ssh/keys.txt
cat /home/albert/.ssh/id_ed25519.pub >> ./keys/ssh/keys.txt cat /home/albert/.ssh/id_ed25519.pub >> ./keys/ssh/keys.txt
echo ">>> Setting up Distributed Build SSH Keys..... " echo ">>> Setting up Distributed Build SSH Keys..... "
sudo ssh-keygen -t ed25519 -f /root/.ssh/id_ed25519 -N "" sudo ssh-keygen -t ed25519 -f /root/.ssh/id_ed25519 -N ""
echo "" >> ./keys/ssh/builder-keys.txt echo "" >> ./keys/ssh/builder-keys.txt
echo "# root@`hostname`" >> ./keys/ssh/builder-keys.txt echo "# (`date`) root@`hostname`" >> ./keys/ssh/builder-keys.txt
sudo cat /root/.ssh/id_ed25519.pub >> ./keys/ssh/builder-keys.txt sudo cat /root/.ssh/id_ed25519.pub >> ./keys/ssh/builder-keys.txt
# Add all changes to git and and push # Add all changes to git and and push
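Review bot: The user key is generated at `~/.ssh/id_ed25519` but the public key appended to keys.txt is read from the hard-coded `/home/albert/.ssh/id_ed25519.pub`, so when the script runs under any other account the wrong (or a missing) public key lands in the file that the other hosts treat as authorized keys. Reading the path ssh-keygen actually wrote, `cat ~/.ssh/id_ed25519.pub >> ./keys/ssh/keys.txt`, keeps the two in step. Both keygen calls also pass `-N ""`, so the user and root private keys are stored unencrypted; if that is intentional for unattended builds, a comment saying so next to the `ssh-keygen` lines would save the next reader a question. The script continues before and after this hunk.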


@ -10,7 +10,7 @@
services.gitea-actions-runner.instances."${hostname}" = { services.gitea-actions-runner.instances."${hostname}" = {
enable = true; enable = true;
name = "${hostname}"; name = "${hostname}";
labels = [ "nixos" ]; labels = [ "host://-self-hosted" ];
url = "https://git.sysctl.io"; url = "https://git.sysctl.io";
tokenFile = "/run/secrets/services/forgejo_token"; tokenFile = "/run/secrets/services/forgejo_token";
}; };
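Review bot: The new label `"host://-self-hosted"` does not look like a valid act_runner label; as far as I know the syntax is `name[:schema[:arg]]` (e.g. `"native:host"` or `"ubuntu-latest:docker://node:16-bullseye"`), so this string would be read as a label named `host` with an empty schema rather than a `self-hosted` label. If the intent is a label called `self-hosted` whose jobs run directly on the machine, `labels = [ "self-hosted:host" ];` is the form I would expect, though please confirm against the runner version in use. Either way a comment on this line would help, because `host`-schema jobs execute workflow steps directly on this host as the runner service user with no container boundary, so only trusted repositories should be able to target that label.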


@ -1,5 +1,6 @@
{ inputs, config, lib, pkgs, modulesPath, desktop, username, ... }: { { inputs, config, lib, pkgs, modulesPath, desktop, username, ... }: {
# Testing remote builldings # For remote builds
# see home-manager: bash.nix: nixos-rebuild-remote
users.users.${username}.openssh.authorizedKeys.keyFiles = [ ../../../keys/ssh/builder-keys.txt ]; users.users.${username}.openssh.authorizedKeys.keyFiles = [ ../../../keys/ssh/builder-keys.txt ];
# For cross-architecture builds # For cross-architecture builds
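Review bot: The reworded comment above `users.users.${username}.openssh.authorizedKeys.keyFiles` still does not say what that line grants: every public key appended to `builder-keys.txt` gets SSH access as `${username}` on each host that imports this module. Something like `# Every key in ../../../keys/ssh/builder-keys.txt can log in as ${username} on this host (remote builds); review that file before adding to it.` would make the trust boundary explicit. The enclosing attribute set continues past the hunk.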


@ -6,4 +6,13 @@
networking.hostName = "nixos-iso-console"; networking.hostName = "nixos-iso-console";
networking.firewall.allowedTCPPorts = [ 22 ]; networking.firewall.allowedTCPPorts = [ 22 ];
# Allow passworded ssh
services.openssh = {
enable = true;
openFirewall = false;
settings = {
PermitRootLogin = "no";
PasswordAuthentication = mkForce true;
};
} }
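Review bot: `mkForce` is used unqualified in `PasswordAuthentication = mkForce true;` but nothing in the hunk brings it into scope; unless the file header outside the hunk has `with lib;`, evaluation fails, and `lib.mkForce true` works either way. The same block is added in the nixos-iso-desktop and nixos-rpi4-img sections below, so the fix applies there too. The rendered hunk also shows `};` closing `settings` and then the file's `}`, but no `};` for `services.openssh = {`; if that line was not merely dropped by the page rendering, the expression is unbalanced. Since this turns password login on for images whose account passwords are not visible here, a comment stating which module sets it to false (hence the force) and which account is expected to log in would help the next reader judge the exposure.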


@ -6,4 +6,13 @@
networking.hostName = "nixos-iso-desktop"; networking.hostName = "nixos-iso-desktop";
networking.firewall.allowedTCPPorts = [ 22 ]; networking.firewall.allowedTCPPorts = [ 22 ];
# Allow passworded ssh
services.openssh = {
enable = true;
openFirewall = false;
settings = {
PermitRootLogin = "no";
PasswordAuthentication = mkForce true;
};
} }


@ -6,4 +6,13 @@
# nixpkgs.crossSystem.system = "armv7l-linux"; # nixpkgs.crossSystem.system = "armv7l-linux";
networking.hostName = "nixos-rpi4-img"; networking.hostName = "nixos-rpi4-img";
networking.firewall.allowedTCPPorts = [ 22 ]; networking.firewall.allowedTCPPorts = [ 22 ];
# Allow passworded ssh
services.openssh = {
enable = true;
openFirewall = false;
settings = {
PermitRootLogin = "no";
PasswordAuthentication = mkForce true;
};
} }


@ -1,136 +0,0 @@
{ config, lib, pkgs, ... }: {
networking.firewall.allowedUDPPorts = [
3478 # Headscale DERP UDP
10000 # Jitsi
];
networking.firewall.allowedTCPPorts = [
80 # HTTP
443 # HTTPS
25 # SMTP (explicit TLS => STARTTLS)
465 # ESMTP (implicit TLS)
587 # ESMTP (explicit TLS => STARTTLS)
143 # IMAP4 (explicit TLS => STARTTLS)
993 # IMAP4 (implicit TLS)
4190 # Sieve support
42420 # Vintage Story
25565 # Minecraft
1443 # Headscale DERP
4443 # jitsi-jvb
5222 # Jitsi
5347 # Jitsi
5280 # Jitsi
];
networking.firewall.extraCommands = ''
iptables -t nat -A PREROUTING -d 172.234.84.222 -j DNAT --to-destination 10.100.0.2
iptables -t nat -A POSTROUTING -s 10.100.0.2 -j SNAT --to-source 172.234.84.222
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# PORT 10000
iptables -t nat -A PREROUTING -p udp --dport 10000 -j DNAT --to-destination 10.100.0.2
iptables -t nat -A POSTROUTING -p udp --dport 10000 -j MASQUERADE
# PORT 3478
iptables -t nat -A PREROUTING -p udp --dport 3478 -j DNAT --to-destination 10.100.0.2
iptables -t nat -A POSTROUTING -p udp --dport 3478 -j MASQUERADE
# PORT 4443
iptables -t nat -A PREROUTING -p tcp --dport 4443 -j DNAT --to-destination 10.100.0.2
iptables -t nat -A POSTROUTING -p tcp --dport 4443 -j MASQUERADE
# PORT 5222
iptables -t nat -A PREROUTING -p tcp --dport 5222 -j DNAT --to-destination 10.100.0.2
iptables -t nat -A POSTROUTING -p tcp --dport 5222 -j MASQUERADE
# PORT 5347
iptables -t nat -A PREROUTING -p tcp --dport 5347 -j DNAT --to-destination 10.100.0.2
iptables -t nat -A POSTROUTING -p tcp --dport 5347 -j MASQUERADE
# PORT 5280
iptables -t nat -A PREROUTING -p tcp --dport 5280 -j DNAT --to-destination 10.100.0.2
iptables -t nat -A POSTROUTING -p tcp --dport 5280 -j MASQUERADE
'';
services.xinetd = {
enable = true;
services = [
{
name = "http";
server = "/usr/bin/env"; # Placeholder.
extraConfig = "redirect = 10.100.0.2 80";
}
{
name = "https";
server = "/usr/bin/env"; # Placeholder.
extraConfig = "redirect = 10.100.0.2 443";
}
{
name = "minecraft";
port = 25565;
protocol = "tcp";
unlisted = true;
server = "/usr/bin/env"; # Placeholder.
extraConfig = "redirect = 10.100.0.2 25565";
}
{
name = "vintage-story";
port = 42420;
protocol = "tcp";
unlisted = true;
server = "/usr/bin/env"; # Placeholder.
extraConfig = "redirect = 10.100.0.2 42420";
}
################################################ mail
{
name = "mail 25";
port = 25;
protocol = "tcp";
unlisted = true;
server = "/usr/bin/env"; # Placeholder.
extraConfig = "redirect = 10.100.0.2 25";
}
{
name = "mail 465";
port = 465;
protocol = "tcp";
unlisted = true;
server = "/usr/bin/env"; # Placeholder.
extraConfig = "redirect = 10.100.0.2 465";
}
{
name = "mail 587";
port = 587;
protocol = "tcp";
unlisted = true;
server = "/usr/bin/env"; # Placeholder.
extraConfig = "redirect = 10.100.0.2 587";
}
{
name = "mail 143";
port = 143;
protocol = "tcp";
unlisted = true;
server = "/usr/bin/env"; # Placeholder.
extraConfig = "redirect = 10.100.0.2 143";
}
{
name = "mail 993";
port = 993;
protocol = "tcp";
unlisted = true;
server = "/usr/bin/env"; # Placeholder.
extraConfig = "redirect = 10.100.0.2 993";
}
{
name = "mail 4190";
port = 4190;
protocol = "tcp";
unlisted = true;
server = "/usr/bin/env"; # Placeholder.
extraConfig = "redirect = 10.100.0.2 4190";
}
################################################ /mail
];
};
}


@ -1,6 +0,0 @@
{ config, desktop, lib, pkgs, ... }: {
# Define a user account.
users.users.root = {
openssh.authorizedKeys.keyFiles = [ ../../../keys/ssh/keys.txt ];
};
}