From 21780fe17e60d1a0e7e264949b184a98b2c339db Mon Sep 17 00:00:00 2001 From: albert Date: Sat, 30 Mar 2024 15:27:21 +0900 Subject: [PATCH] Test --- home-manager/common/software/cli/nixvim.nix | 2 + .../common/software/cli/nixvim/base.nix | 2 +- home-manager/common/software/cli/tmux.nix | 2 +- lib/default.nix | 5 +- nixos/common/desktops/plasma6/default.nix | 2 +- nixos/common/modules/networking.nix | 1 - nixos/containers/default.nix | 54 +++++++++++---- nixos/hosts/framework-server/containers.nix | 4 +- nixos/hosts/framework-server/firewall.nix | 2 + nixos/hosts/osaka-linode-01/firewall.nix | 65 ++++++++++++------- nixos/hosts/osaka-linode-01/wireguard.nix | 4 +- 11 files changed, 95 insertions(+), 48 deletions(-) diff --git a/home-manager/common/software/cli/nixvim.nix b/home-manager/common/software/cli/nixvim.nix index d28ae404..9b6a3c59 100644 --- a/home-manager/common/software/cli/nixvim.nix +++ b/home-manager/common/software/cli/nixvim.nix @@ -3,6 +3,8 @@ programs.nixvim = { plugins = { + lsp-lines.enable = true; + crates-nvim.enable = true; lsp = { enable = true; servers = { diff --git a/home-manager/common/software/cli/nixvim/base.nix b/home-manager/common/software/cli/nixvim/base.nix index 694b5bca..ebd4f795 100644 --- a/home-manager/common/software/cli/nixvim/base.nix +++ b/home-manager/common/software/cli/nixvim/base.nix @@ -281,8 +281,8 @@ catppuccin.enable = true; dracula.enable = true; oxocarbon.enable = true; - }; + extraPlugins = with pkgs.vimPlugins; [ awesome-vim-colorschemes everforest diff --git a/home-manager/common/software/cli/tmux.nix b/home-manager/common/software/cli/tmux.nix index 86e030d0..6a4cf5c6 100644 --- a/home-manager/common/software/cli/tmux.nix +++ b/home-manager/common/software/cli/tmux.nix 
@@ -8,7 +8,7 @@ { plugin = power-theme; extraConfig = '' - set -g @tmux_power_theme '#${config.lib.stylix.colors.base09}' + set -g @tmux_power_theme '#${config.lib.stylix.colors.base01}' set -g @tmux_power_right_arrow_icon ' ' set -g @tmux_power_left_arrow_icon ' ' set -g @tmux_power_prefix_highlight_pos 'R' diff --git a/lib/default.nix b/lib/default.nix index 0ae1808e..48e63fa6 100644 --- a/lib/default.nix +++ b/lib/default.nix @@ -51,11 +51,10 @@ ]; autoStart = true; privateNetwork = true; - hostBridge = "br0"; - localAddress = "192.168.2.2/24"; + hostAddress = "192.168.2.1"; + localAddress = "192.168.2.2"; restartIfChanged = true; enableTun = true; - additionalCapabilities = [ "CAP_NET_ADMIN" "CAP_NET_RAW" ]; specialArgs = { inherit pkgs-unstable hostname username desktop theme system repo unfree stateVersion; }; config = { lib, config, pkgs-unstable, hostname, username, desktop, theme, system, repo, stateVersion, ... }: { # Choose whether to pull from stable or unstable diff --git a/nixos/common/desktops/plasma6/default.nix b/nixos/common/desktops/plasma6/default.nix index 166349de..575782b0 100644 --- a/nixos/common/desktops/plasma6/default.nix +++ b/nixos/common/desktops/plasma6/default.nix @@ -1,4 +1,4 @@ -{ lib, inputs, config, pkgs, username, hostname, gpu, ... }: { +{ pkgs, ... }: { # Enable sound with pipewire. sound.enable = true; hardware.pulseaudio.enable = false; diff --git a/nixos/common/modules/networking.nix b/nixos/common/modules/networking.nix index 41f81e6a..3da38f86 100644 --- a/nixos/common/modules/networking.nix +++ b/nixos/common/modules/networking.nix @@ -1,5 +1,4 @@ {lib, ... }: { - # Enable networking with NetworkManager networking = { networkmanager = { diff --git a/nixos/containers/default.nix b/nixos/containers/default.nix index c2fd2a1d..e0f99a05 100644 --- a/nixos/containers/default.nix +++ b/nixos/containers/default.nix 
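Review bot: In the lib/default.nix hunk, `additionalCapabilities = [ "CAP_NET_ADMIN" "CAP_NET_RAW" ]` is removed but `enableTun = true` stays; since the container's tailscaled is started with `-tun=userspace` elsewhere in this patch (nixos/containers/default.nix), the TUN device appears to have no remaining consumer, and without CAP_NET_ADMIN the container could not configure it anyway. Dropping the capabilities is the right least-privilege move; record the reason beside it so nobody re-adds them, e.g. `# tailscaled runs with -tun=userspace: no NET_ADMIN/NET_RAW (or kernel TUN) needed`, and consider dropping `enableTun` too if nothing else opens /dev/net/tun. Replacing `hostBridge = "br0"` with `hostAddress`/`localAddress` means the container is reachable only through the host's veth, so any LAN access the bridge gave now depends on host forwarding/NAT (the framework-server containers.nix hunk in this patch). The container definition and its `config` function continue outside the hunk.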
@@ -1,18 +1,26 @@ -{ stateVersion, hostname, username, ... }: { +{ pkgs, lib, stateVersion, hostname, username, ... }: { imports = [ ./${hostname} ../users/${username} ../common/modules/nixos.nix - ../common/modules/networking.nix - # Services - ../common/services/promtail.nix - ../common/services/telegraf.nix - ../common/services/tailscale.nix - ../common/services/openssh.nix + ../common/modules/networking.nix + # Services + ../common/services/promtail.nix + ../common/services/telegraf.nix + ../common/services/tailscale.nix + ../common/services/openssh.nix ]; - # Generic Tailscale configs are in /nixos/common/services/tailscale.nix + + boot.isContainer = true; + networking.hostName = "${hostname}"; + system.stateVersion = stateVersion; + + # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686 + networking.useHostResolvConf = lib.mkForce false; + services.resolved.enable = true; + # Set up the secrets file: - sops.secrets."tailscale_key" = { + sops.secrets."tailscale_key" = { owner = "root"; sopsFile = ../../secrets/containers/${hostname}.yaml; restartUnits = [ @@ -21,8 +29,30 @@ ]; }; - boot.isContainer = true; services.tailscale.authKeyFile = "/run/secrets/tailscale_key"; - networking.hostName = "${hostname}"; - system.stateVersion = stateVersion; + systemd.services.tailscaled.enable = lib.mkForce false; + + services.tailscale = { + enable = true; + interfaceName = "tailscale0-${hostname}"; + extraUpFlags = [ + "--login-server=https://headscale.sysctl.io" + "--accept-dns" + "--accept-routes" + ]; + }; + + systemd.services = { + "tailscaled-custom" = { + enable = true; + path = [ pkgs.tailscale ]; + script = ''tailscaled -no-logs-no-support -tun=userspace''; + after = [ "network.target" ]; + wantedBy = [ "tailscaled-autoconnect.service" ]; + serviceConfig.Restart = "on-failure"; + serviceConfig.Type = "oneshot"; + serviceConfig.User = "root"; + serviceConfig.Group = "wheel"; + }; + }; } 
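Review bot: `tailscaled-custom` in the second hunk runs a long-lived daemon with `serviceConfig.Type = "oneshot"`, so systemd keeps the unit in "activating" for as long as tailscaled lives, anything ordered after it never proceeds, and `Restart = "on-failure"` on a oneshot unit is refused by older systemd releases (newer ones accept it; verify on the deployed version). The unit is only pulled in by `wantedBy = [ "tailscaled-autoconnect.service" ]` with no ordering, so the autoconnect's `tailscale up` can race the daemon's socket creation; `serviceConfig.Type = "simple";` plus `before = [ "tailscaled-autoconnect.service" ];` (and `requiredBy` instead of `wantedBy` if autoconnect is pointless without the daemon) fixes both. `serviceConfig.Group = "wheel"` gives the root daemon the admin group as its primary group for no visible reason; the default group is the conventional choice. In userspace-networking mode the container's own processes reach the tailnet only through a SOCKS5/HTTP proxy that is not configured here, so `--accept-routes`/`--accept-dns` mostly affect what the node trusts from the tailnet rather than what it can reach — a one-line comment stating the intended inbound-only use would save the next reader the same analysis. The attribute set these options belong to is opened in the first hunk of this file.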
diff --git a/nixos/hosts/framework-server/containers.nix b/nixos/hosts/framework-server/containers.nix index 8bd0fff6..ba9b1765 100644 --- a/nixos/hosts/framework-server/containers.nix +++ b/nixos/hosts/framework-server/containers.nix @@ -11,8 +11,6 @@ in { nat.enable = true; nat.internalInterfaces = [ "ve-+" ]; nat.externalInterface = lanInterface; - nat.extraCommands = ''iptables -t nat -A POSTROUTING -o ${lanInterface} -j MASQUERADE''; - networkmanager.unmanaged = [ "interface-name:ve-*" ]; - firewall.trustedInterfaces = [ "ve-+" ]; + firewall.extraCommands = ''iptables -t nat -A POSTROUTING -o ${lanInterface} -j MASQUERADE''; }; } diff --git a/nixos/hosts/framework-server/firewall.nix b/nixos/hosts/framework-server/firewall.nix index 66242e68..562659f9 100644 --- a/nixos/hosts/framework-server/firewall.nix +++ b/nixos/hosts/framework-server/firewall.nix @@ -22,6 +22,8 @@ allowedUDPPorts = [ 53 # DNS (udp) 10000 # Jitsi Meet (udp) + 15635 # Enshrouded + 15636 # Enshrouded ]; }; }; diff --git a/nixos/hosts/osaka-linode-01/firewall.nix b/nixos/hosts/osaka-linode-01/firewall.nix index 2f7c40cb..a836726a 100644 --- a/nixos/hosts/osaka-linode-01/firewall.nix +++ b/nixos/hosts/osaka-linode-01/firewall.nix @@ -19,6 +19,7 @@ allowedUDPPorts = [ 3478 # Headscale DERP (udp) 10000 # Jitsi Meet (udp) + 15636 # Enshrouded ]; }; 
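Review bot: The new `firewall.extraCommands` MASQUERADE rule in containers.nix carries no `-s` restriction, so every forwarded packet leaving `${lanInterface}` is source-rewritten, not just container traffic, and since `nat.enable = true` with `nat.internalInterfaces = [ "ve-+" ]` already makes the NixOS NAT chains masquerade veth traffic, the hand-written rule is likely redundant. `extraCommands` runs on every firewall reload and appends (`-A`) with no matching `firewall.extraStopCommands` deletion, so duplicates accumulate; if the rule is kept, scope it with `-s <container-subnet>` and pair it with `firewall.extraStopCommands = ''iptables -t nat -D POSTROUTING -o ${lanInterface} -j MASQUERADE || true'';`. Removing `firewall.trustedInterfaces = [ "ve-+" ]` rightly stops treating the container side as trusted, but the containers then reach only host services that are explicitly opened, which is presumably intended and worth a comment. The `let … in` header and the enclosing `networking` attribute set lie outside the hunk.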
@@ -28,18 +29,8 @@
 table ip nat {
 chain PREROUTING {
 type nat hook prerouting priority dstnat; policy accept;
- iifname "enp0s4" tcp dport 25 dnat to 10.100.0.2:25; # Mailserver
- iifname "enp0s4" tcp dport 143 dnat to 10.100.0.2:143; # Mailserver
- iifname "enp0s4" tcp dport 465 dnat to 10.100.0.2:465; # Mailserver
- iifname "enp0s4" tcp dport 587 dnat to 10.100.0.2:587; # Mailserver
- iifname "enp0s4" tcp dport 993 dnat to 10.100.0.2:993; # Mailserver
- iifname "enp0s4" tcp dport 4190 dnat to 10.100.0.2:4190; # Mailserver
- iifname "enp0s4" tcp dport 80 dnat to 10.100.0.2:80; # HTTP
- iifname "enp0s4" tcp dport 443 dnat to 10.100.0.2:443; # HTTPS
- iifname "enp0s4" tcp dport 42420 dnat to 10.100.0.2:42420; # Vintage Story
- iifname "enp0s4" tcp dport 25565 dnat to 10.100.0.2:25565; # Minecraft
- iifname "enp0s4" tcp dport 4443 dnat to 10.100.0.2:4443; # Jitsi
- iifname "enp0s4" udp dport 10000 dnat to 10.100.0.2:10000; # Jitsi
+ iifname "enp0s4" udp dport 10000 dnat to 10.100.0.2:10000;
+ iifname "enp0s4" udp dport 10000 dnat to 10.100.0.2:15636;
 }
 }
 '';
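Review bot: The second added rule, `iifname "enp0s4" udp dport 10000 dnat to 10.100.0.2:15636;`, matches dport 10000 instead of 15636; the rule before it already DNATs dport 10000 and a dnat verdict ends evaluation, so this rule never fires and UDP 15636 is not translated by this table at all. The intended line is presumably `iifname "enp0s4" udp dport 15636 dnat to 10.100.0.2:15636;`. The removed per-rule comments were the only record of what each port serves; keep them on the two remaining rules (`# Jitsi Meet`, `# Enshrouded`, matching the firewall hunk in this file). The same two mappings are also declared through `networking.nat.forwardPorts` later in this file, so two NAT mechanisms now express the same forward; unless one of them is inactive, one should go. The enclosing `''` ruleset string and the option it belongs to start before this hunk.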
@@ -50,19 +41,45 @@ internalInterfaces = [ "enp0s4" ]; externalInterface = "wireguard0"; forwardPorts = [ - { sourcePort = 25; proto = "tcp"; destination = "10.100.0.2:25"; } # Mailserver - { sourcePort = 143; proto = "tcp"; destination = "10.100.0.2:143"; } # Mailserver - { sourcePort = 465; proto = "tcp"; destination = "10.100.0.2:465"; } # Mailserver - { sourcePort = 587; proto = "tcp"; destination = "10.100.0.2:587"; } # Mailserver - { sourcePort = 993; proto = "tcp"; destination = "10.100.0.2:993"; } # Mailserver - { sourcePort = 4190; proto = "tcp"; destination = "10.100.0.2:4190"; } # Mailserver - { sourcePort = 80; proto = "tcp"; destination = "10.100.0.2:80"; } # HTTP - { sourcePort = 443; proto = "tcp"; destination = "10.100.0.2:443"; } # HTTPS - { sourcePort = 42420; proto = "tcp"; destination = "10.100.0.2:42420"; } # Vintage Story - { sourcePort = 25565; proto = "tcp"; destination = "10.100.0.2:25565"; } # Minecraft - { sourcePort = 4443; proto = "tcp"; destination = "10.100.0.2:4443"; } # Jitsi - { sourcePort = 10000; proto = "udp"; destination = "10.100.0.2:10000"; } # Jitsi + { sourcePort = 10000; proto = "udp"; destination = "10.100.0.2:10000"; } + { sourcePort = 15636; proto = "udp"; destination = "10.100.0.2:15636"; } ]; }; }; + + services.haproxy = { + enable = true; + config = '' + frontend http + mode http + bind :80 + default_backend backend_http + + frontend tcp + mode tcp + bind :443 + bind :42420 + bind :25565 + bind :25 + bind :143 + bind :465 + bind :587 + bind :993 + bind :4190 + bind :4443 + default_backend backend_tcp + + backend backend_tcp + mode tcp + option forwarded + option forwardfor if-none + server framework-server 10.100.0.2 + + backend backend_http + mode http + option forwarded + option forwardfor if-none + server framework-server 10.100.0.2 + ''; + }; } diff --git a/nixos/hosts/osaka-linode-01/wireguard.nix b/nixos/hosts/osaka-linode-01/wireguard.nix index 0753d133..8b7383a3 100644 
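Review bot: `backend backend_tcp` is `mode tcp`, so the `option forwarded` and `option forwardfor` lines in it have no effect (HAProxy reports that they require HTTP mode), and unlike the removed DNAT rules the mail, TLS and game services on 10.100.0.2 now see every client as the proxy's own address — backend rate limiting, ban logic and access logs lose the real source. If the backend can speak PROXY protocol, `server framework-server 10.100.0.2 send-proxy` preserves the client address; otherwise accept the loss deliberately and record it in a comment. No `defaults` section with `timeout connect`/`timeout client`/`timeout server` is visible; unless one exists elsewhere, HAProxy warns about the missing timeouts and idle connections are never reaped. `bind :80`/`bind :443` listen on every address, including the WireGuard and loopback interfaces, whereas the old rules were limited to `iifname "enp0s4"`; binding to the public address explicitly keeps the previous exposure. The enclosing `networking` attribute set starts before this hunk.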
--- a/nixos/hosts/osaka-linode-01/wireguard.nix
+++ b/nixos/hosts/osaka-linode-01/wireguard.nix
@@ -41,8 +41,8 @@
 ips = [ "10.100.0.1/24" ];
 listenPort = 51820;
 privateKeyFile = "/run/secrets/wireguard_key";
- postSetup = ''${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o enp0s4 -j MASQUERADE'';
- postShutdown = ''${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o enp0s4 -j MASQUERADE'';
+ postSetup = ''${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -o enp0s4 -j MASQUERADE'';
+ postShutdown = ''${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -o enp0s4 -j MASQUERADE'';
 peers = [
 { # framework-server
 publicKey = "trHvfNtQ7HKMiJjxEXo2Iubq5G6egjx7gHiBlDmJ5Ek=";
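Review bot: Dropping `-s 10.100.0.0/24` from the `postSetup` MASQUERADE rule turns a rule scoped to WireGuard peers into one that rewrites the source of every forwarded packet leaving `enp0s4`, which also hides the original source of anything else this host forwards from its own logs. If some other flow now needs masquerading (the haproxy/forwardPorts rework in this patch may be the reason), name it in a comment beside the rule; otherwise keep the `-s` scope. If `networking.nat` is enabled on this host, check that this hand-written rule and the NixOS-generated POSTROUTING chains do not both masquerade the same flows. The `postShutdown` `-D` still mirrors the new rule exactly, which is correct. The surrounding `wireguard0` interface attribute set starts before and ends after this hunk.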