Cleanup/Update
This commit is contained in:
parent
95b34da889
commit
17e8380f7e
8 changed files with 32 additions and 146 deletions
|
@ -39,13 +39,13 @@ sudo ssh-to-pgp \
|
|||
echo ">>> Setting up SSH Keys..... "
|
||||
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519 -N ""
|
||||
echo "" >> ./keys/ssh/keys.txt
|
||||
echo "# `whoami`@`hostname`" >> ./keys/ssh/keys.txt
|
||||
echo "# (`date`) `whoami`@`hostname`" >> ./keys/ssh/keys.txt
|
||||
cat /home/albert/.ssh/id_ed25519.pub >> ./keys/ssh/keys.txt
|
||||
|
||||
echo ">>> Setting up Distributed Build SSH Keys..... "
|
||||
sudo ssh-keygen -t ed25519 -f /root/.ssh/id_ed25519 -N ""
|
||||
echo "" >> ./keys/ssh/builder-keys.txt
|
||||
echo "# root@`hostname`" >> ./keys/ssh/builder-keys.txt
|
||||
echo "# (`date`) root@`hostname`" >> ./keys/ssh/builder-keys.txt
|
||||
sudo cat /root/.ssh/id_ed25519.pub >> ./keys/ssh/builder-keys.txt
|
||||
|
||||
# Add all changes to git and and push
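Review bot: The public key appended on the `cat /home/albert/.ssh/id_ed25519.pub` line is read from a hard-coded home directory, while the key generated two lines earlier lives at `~/.ssh/id_ed25519` and the new header line records `whoami`; run as any other user, the header and the appended key disagree, so use `cat ~/.ssh/id_ed25519.pub >> ./keys/ssh/keys.txt`. Both `ssh-keygen` calls are unguarded, so a second run of the script prompts interactively to overwrite an existing key; `[ -f ~/.ssh/id_ed25519 ] || ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519 -N ""` (and the sudo equivalent for `/root/.ssh/id_ed25519`) makes the script re-runnable. Both keys are created with `-N ""`, i.e. unencrypted private keys; that is presumably deliberate for the builder automation, but a comment above the root key line saying so, and that this key is what `builder-keys.txt` authorises on other hosts, would help the next reader. The script body continues outside the hunk.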
|
||||
|
|
|
@ -10,7 +10,7 @@
|
|||
services.gitea-actions-runner.instances."${hostname}" = {
|
||||
enable = true;
|
||||
name = "${hostname}";
|
||||
labels = [ "nixos" ];
|
||||
labels = [ "host://-self-hosted" ];
|
||||
url = "https://git.sysctl.io";
|
||||
tokenFile = "/run/secrets/services/forgejo_token";
|
||||
};
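Review bot: The new label `host://-self-hosted` does not match the runner label format `name[:schema[:args]]` (compare the NixOS module's examples `native:host` and `ubuntu-latest:docker://node:16-bullseye`): split on `:` it yields the name `host` and a schema `//-self-hosted`, which is not one of the documented schemas (`host`, `docker`), so jobs that request a `self-hosted` runner would not be scheduled on this instance. If a host-executed label named `self-hosted` is intended, the line should read `labels = [ "self-hosted:host" ];` — confirm against the label documentation of the runner version in use. Reading the registration token from `tokenFile = "/run/secrets/services/forgejo_token"` keeps it out of the Nix store, which is the right pattern. The `services.gitea-actions-runner.instances."${hostname}"` set is fully contained in the hunk.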
|
||||
|
|
|
@ -1,5 +1,6 @@
|
|||
{ inputs, config, lib, pkgs, modulesPath, desktop, username, ... }: {
|
||||
# Testing remote builldings
|
||||
# For remote builds
|
||||
# see home-manager: bash.nix: nixos-rebuild-remote
|
||||
users.users.${username}.openssh.authorizedKeys.keyFiles = [ ../../../keys/ssh/builder-keys.txt ];
|
||||
|
||||
# For cross-architecture builds
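Review bot: The added `users.users.${username}.openssh.authorizedKeys.keyFiles = [ ../../../keys/ssh/builder-keys.txt ];` line authorises every key in the shared builder-keys file on the personal user account of each host that imports this module; per the setup script in this commit that file accumulates the passphrase-less root build key of every machine, so root on any one host gets a shell as `${username}` on all of them. The new comments say what the line is for but not that trust scope; something like `# Trusts the root build key of every host in builder-keys.txt — keep that file limited to build machines.` above the line would make it explicit. A dedicated low-privilege build user would narrow this if the home-manager alias referenced on the `# see home-manager: bash.nix:` line can target it — that file is not visible here, so confirm. The attribute set opened on the first hunk line continues past the hunk.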
|
||||
|
|
|
@ -6,4 +6,13 @@
|
|||
networking.hostName = "nixos-iso-console";
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ 22 ];
|
||||
|
||||
# Allow passworded ssh
|
||||
services.openssh = {
|
||||
enable = true;
|
||||
openFirewall = false;
|
||||
settings = {
|
||||
PermitRootLogin = "no";
|
||||
PasswordAuthentication = mkForce true;
|
||||
};
|
||||
}
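Review bot: `PasswordAuthentication = mkForce true;` uses `mkForce` unqualified; unless `with lib;` or an `inherit (lib) mkForce;` appears in the lines above the hunk (the file's first five lines are not shown), this is an unbound identifier and evaluation fails, so `lib.mkForce true` is the safer spelling. The same block, including that line, is repeated verbatim in the two following `@ -6,4 +6,13 @@` hunks for `nixos-iso-desktop` and `nixos-rpi4-img`; a shared module imported by all three images would keep them from drifting. The comment `# Allow passworded ssh` states what, not why — on an image that also opens port 22 this re-enables online password guessing against any account that has a password, so record the reason and the intended account, e.g. `# Installer image: password SSH login is needed for first-boot provisioning; root login stays disabled.`, adjusted to what the image actually defines. `openFirewall = false;` next to `networking.firewall.allowedTCPPorts = [ 22 ];` is equivalent to letting the module open the port; a short comment on why it is opened manually would help.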
|
||||
|
|
|
@ -6,4 +6,13 @@
|
|||
networking.hostName = "nixos-iso-desktop";
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ 22 ];
|
||||
|
||||
# Allow passworded ssh
|
||||
services.openssh = {
|
||||
enable = true;
|
||||
openFirewall = false;
|
||||
settings = {
|
||||
PermitRootLogin = "no";
|
||||
PasswordAuthentication = mkForce true;
|
||||
};
|
||||
}
|
||||
|
|
|
@ -6,4 +6,13 @@
|
|||
# nixpkgs.crossSystem.system = "armv7l-linux";
|
||||
networking.hostName = "nixos-rpi4-img";
|
||||
networking.firewall.allowedTCPPorts = [ 22 ];
|
||||
|
||||
# Allow passworded ssh
|
||||
services.openssh = {
|
||||
enable = true;
|
||||
openFirewall = false;
|
||||
settings = {
|
||||
PermitRootLogin = "no";
|
||||
PasswordAuthentication = mkForce true;
|
||||
};
|
||||
}
|
|
@ -1,136 +0,0 @@
|
|||
{ config, lib, pkgs, ... }: {
|
||||
networking.firewall.allowedUDPPorts = [
|
||||
3478 # Headscale DERP UDP
|
||||
10000 # Jitsi
|
||||
];
|
||||
networking.firewall.allowedTCPPorts = [
|
||||
80 # HTTP
|
||||
443 # HTTPS
|
||||
25 # SMTP (explicit TLS => STARTTLS)
|
||||
465 # ESMTP (implicit TLS)
|
||||
587 # ESMTP (explicit TLS => STARTTLS)
|
||||
143 # IMAP4 (explicit TLS => STARTTLS)
|
||||
993 # IMAP4 (implicit TLS)
|
||||
4190 # Sieve support
|
||||
42420 # Vintage Story
|
||||
25565 # Minecraft
|
||||
1443 # Headscale DERP
|
||||
4443 # jitsi-jvb
|
||||
5222 # Jitsi
|
||||
5347 # Jitsi
|
||||
5280 # Jitsi
|
||||
];
|
||||
networking.firewall.extraCommands = ''
|
||||
iptables -t nat -A PREROUTING -d 172.234.84.222 -j DNAT --to-destination 10.100.0.2
|
||||
iptables -t nat -A POSTROUTING -s 10.100.0.2 -j SNAT --to-source 172.234.84.222
|
||||
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
|
||||
|
||||
# PORT 10000
|
||||
iptables -t nat -A PREROUTING -p udp --dport 10000 -j DNAT --to-destination 10.100.0.2
|
||||
iptables -t nat -A POSTROUTING -p udp --dport 10000 -j MASQUERADE
|
||||
|
||||
# PORT 3478
|
||||
iptables -t nat -A PREROUTING -p udp --dport 3478 -j DNAT --to-destination 10.100.0.2
|
||||
iptables -t nat -A POSTROUTING -p udp --dport 3478 -j MASQUERADE
|
||||
|
||||
# PORT 4443
|
||||
iptables -t nat -A PREROUTING -p tcp --dport 4443 -j DNAT --to-destination 10.100.0.2
|
||||
iptables -t nat -A POSTROUTING -p tcp --dport 4443 -j MASQUERADE
|
||||
|
||||
# PORT 5222
|
||||
iptables -t nat -A PREROUTING -p tcp --dport 5222 -j DNAT --to-destination 10.100.0.2
|
||||
iptables -t nat -A POSTROUTING -p tcp --dport 5222 -j MASQUERADE
|
||||
|
||||
# PORT 5347
|
||||
iptables -t nat -A PREROUTING -p tcp --dport 5347 -j DNAT --to-destination 10.100.0.2
|
||||
iptables -t nat -A POSTROUTING -p tcp --dport 5347 -j MASQUERADE
|
||||
|
||||
# PORT 5280
|
||||
iptables -t nat -A PREROUTING -p tcp --dport 5280 -j DNAT --to-destination 10.100.0.2
|
||||
iptables -t nat -A POSTROUTING -p tcp --dport 5280 -j MASQUERADE
|
||||
'';
|
||||
|
||||
services.xinetd = {
|
||||
enable = true;
|
||||
services = [
|
||||
{
|
||||
name = "http";
|
||||
server = "/usr/bin/env"; # Placeholder.
|
||||
extraConfig = "redirect = 10.100.0.2 80";
|
||||
}
|
||||
{
|
||||
name = "https";
|
||||
server = "/usr/bin/env"; # Placeholder.
|
||||
extraConfig = "redirect = 10.100.0.2 443";
|
||||
}
|
||||
{
|
||||
name = "minecraft";
|
||||
port = 25565;
|
||||
protocol = "tcp";
|
||||
unlisted = true;
|
||||
server = "/usr/bin/env"; # Placeholder.
|
||||
extraConfig = "redirect = 10.100.0.2 25565";
|
||||
}
|
||||
{
|
||||
name = "vintage-story";
|
||||
port = 42420;
|
||||
protocol = "tcp";
|
||||
unlisted = true;
|
||||
server = "/usr/bin/env"; # Placeholder.
|
||||
extraConfig = "redirect = 10.100.0.2 42420";
|
||||
}
|
||||
|
||||
################################################ mail
|
||||
{
|
||||
name = "mail 25";
|
||||
port = 25;
|
||||
protocol = "tcp";
|
||||
unlisted = true;
|
||||
server = "/usr/bin/env"; # Placeholder.
|
||||
extraConfig = "redirect = 10.100.0.2 25";
|
||||
}
|
||||
{
|
||||
name = "mail 465";
|
||||
port = 465;
|
||||
protocol = "tcp";
|
||||
unlisted = true;
|
||||
server = "/usr/bin/env"; # Placeholder.
|
||||
extraConfig = "redirect = 10.100.0.2 465";
|
||||
}
|
||||
{
|
||||
name = "mail 587";
|
||||
port = 587;
|
||||
protocol = "tcp";
|
||||
unlisted = true;
|
||||
server = "/usr/bin/env"; # Placeholder.
|
||||
extraConfig = "redirect = 10.100.0.2 587";
|
||||
}
|
||||
{
|
||||
name = "mail 143";
|
||||
port = 143;
|
||||
protocol = "tcp";
|
||||
unlisted = true;
|
||||
server = "/usr/bin/env"; # Placeholder.
|
||||
extraConfig = "redirect = 10.100.0.2 143";
|
||||
}
|
||||
{
|
||||
name = "mail 993";
|
||||
port = 993;
|
||||
protocol = "tcp";
|
||||
unlisted = true;
|
||||
server = "/usr/bin/env"; # Placeholder.
|
||||
extraConfig = "redirect = 10.100.0.2 993";
|
||||
}
|
||||
{
|
||||
name = "mail 4190";
|
||||
port = 4190;
|
||||
protocol = "tcp";
|
||||
unlisted = true;
|
||||
server = "/usr/bin/env"; # Placeholder.
|
||||
extraConfig = "redirect = 10.100.0.2 4190";
|
||||
}
|
||||
################################################ /mail
|
||||
|
||||
];
|
||||
};
|
||||
}
|
|
@ -1,6 +0,0 @@
|
|||
{ config, desktop, lib, pkgs, ... }: {
|
||||
# Define a user account.
|
||||
users.users.root = {
|
||||
openssh.authorizedKeys.keyFiles = [ ../../../keys/ssh/keys.txt ];
|
||||
};
|
||||
}
|