This commit is contained in:
albert 2024-03-30 15:27:21 +09:00
parent 5f393d39f4
commit 21780fe17e
No known key found for this signature in database
GPG key ID: 64F6C4EB46C4543A
11 changed files with 95 additions and 48 deletions


@ -3,6 +3,8 @@
programs.nixvim = {
plugins = {
lsp-lines.enable = true;
crates-nvim.enable = true;
lsp = {
enable = true;
servers = {


@ -281,8 +281,8 @@
catppuccin.enable = true;
dracula.enable = true;
oxocarbon.enable = true;
};
extraPlugins = with pkgs.vimPlugins; [
awesome-vim-colorschemes
everforest


@ -8,7 +8,7 @@
{
plugin = power-theme;
extraConfig = ''
set -g @tmux_power_theme '#${config.lib.stylix.colors.base09}'
set -g @tmux_power_theme '#${config.lib.stylix.colors.base01}'
set -g @tmux_power_right_arrow_icon ' '
set -g @tmux_power_left_arrow_icon ' '
set -g @tmux_power_prefix_highlight_pos 'R'


@ -51,11 +51,10 @@
];
autoStart = true;
privateNetwork = true;
hostBridge = "br0";
localAddress = "192.168.2.2/24";
hostAddress = "192.168.2.1";
localAddress = "192.168.2.2";
restartIfChanged = true;
enableTun = true;
additionalCapabilities = [ "CAP_NET_ADMIN" "CAP_NET_RAW" ];
specialArgs = { inherit pkgs-unstable hostname username desktop theme system repo unfree stateVersion; };
config = { lib, config, pkgs-unstable, hostname, username, desktop, theme, system, repo, stateVersion, ... }: {
# Choose whether to pull from stable or unstable


@ -1,4 +1,4 @@
{ lib, inputs, config, pkgs, username, hostname, gpu, ... }: {
{ pkgs, ... }: {
# Enable sound with pipewire.
sound.enable = true;
hardware.pulseaudio.enable = false;


@ -1,5 +1,4 @@
{lib, ... }: {
# Enable networking with NetworkManager
networking = {
networkmanager = {


@ -1,18 +1,26 @@
{ stateVersion, hostname, username, ... }: {
{ pkgs, lib, stateVersion, hostname, username, ... }: {
imports = [
./${hostname}
../users/${username}
../common/modules/nixos.nix
../common/modules/networking.nix
# Services
../common/services/promtail.nix
../common/services/telegraf.nix
../common/services/tailscale.nix
../common/services/openssh.nix
../common/modules/networking.nix
# Services
../common/services/promtail.nix
../common/services/telegraf.nix
../common/services/tailscale.nix
../common/services/openssh.nix
];
# Generic Tailscale configs are in /nixos/common/services/tailscale.nix
boot.isContainer = true;
networking.hostName = "${hostname}";
system.stateVersion = stateVersion;
# Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
networking.useHostResolvConf = lib.mkForce false;
services.resolved.enable = true;
# Set up the secrets file:
sops.secrets."tailscale_key" = {
sops.secrets."tailscale_key" = {
owner = "root";
sopsFile = ../../secrets/containers/${hostname}.yaml;
restartUnits = [
@ -21,8 +29,30 @@
];
};
boot.isContainer = true;
services.tailscale.authKeyFile = "/run/secrets/tailscale_key";
networking.hostName = "${hostname}";
system.stateVersion = stateVersion;
systemd.services.tailscaled.enable = lib.mkForce false;
services.tailscale = {
enable = true;
interfaceName = "tailscale0-${hostname}";
extraUpFlags = [
"--login-server=https://headscale.sysctl.io"
"--accept-dns"
"--accept-routes"
];
};
systemd.services = {
"tailscaled-custom" = {
enable = true;
path = [ pkgs.tailscale ];
script = ''tailscaled -no-logs-no-support -tun=userspace'';
after = [ "network.target" ];
wantedBy = [ "tailscaled-autoconnect.service" ];
serviceConfig.Restart = "on-failure";
serviceConfig.Type = "oneshot";
serviceConfig.User = "root";
serviceConfig.Group = "wheel";
};
};
}
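Review bot: `tailscaled-custom` runs a long-lived daemon under `serviceConfig.Type = "oneshot"`, so the unit never reaches `active` and anything ordered after it would block forever; it should be `Type = "simple"`, which also makes `Restart = "on-failure"` behave as intended. Its only `wantedBy` is `tailscaled-autoconnect.service`, which carries no `after` on this unit, so the stock `tailscale up` can race the daemon's socket; wanting it from `multi-user.target` and ordering autoconnect after it avoids that. The flag value `-tun=userspace` should be checked against tailscaled, whose documented value is `userspace-networking`, and `interfaceName` in `services.tailscale` only feeds the stock unit that `mkForce false` masks, so it has no effect on this daemon. `Group = "wheel"` on a root daemon is unusual; `root` (or omitting it) is the conventional choice.
```nix
systemd.services = {
  "tailscaled-custom" = {
    enable = true;
    path = [ pkgs.tailscale ];
    # documented spelling of the netstack mode; original used `-tun=userspace` — verify
    script = ''tailscaled -no-logs-no-support -tun=userspace-networking'';
    after = [ "network.target" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig.Restart = "on-failure";
    serviceConfig.Type = "simple";
    serviceConfig.User = "root";
  };
  # the stock autoconnect unit must not run `tailscale up` before our daemon is listening
  "tailscaled-autoconnect" = {
    after = [ "tailscaled-custom.service" ];
    requires = [ "tailscaled-custom.service" ];
  };
};
```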


@ -11,8 +11,6 @@ in {
nat.enable = true;
nat.internalInterfaces = [ "ve-+" ];
nat.externalInterface = lanInterface;
nat.extraCommands = ''iptables -t nat -A POSTROUTING -o ${lanInterface} -j MASQUERADE'';
networkmanager.unmanaged = [ "interface-name:ve-*" ];
firewall.trustedInterfaces = [ "ve-+" ];
firewall.extraCommands = ''iptables -t nat -A POSTROUTING -o ${lanInterface} -j MASQUERADE'';
};
}
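Review bot: The `MASQUERADE` rule in `extraCommands` carries no `-s` or mark match, so it rewrites every forwarded packet leaving `${lanInterface}` whatever its origin, and it overlaps what `nat.internalInterfaces = [ "ve-+" ]` already generates; the rendering does not show which of the two `extraCommands` lines is the new side, but whichever survives should be scoped to the container subnet or dropped, e.g. `iptables -t nat -A POSTROUTING -s <container-subnet> -o ${lanInterface} -j MASQUERADE`. If it stays under `firewall.extraCommands`, pair it with a matching `firewall.extraStopCommands` `-D` so firewall reloads do not append a duplicate rule each time. Separately, `firewall.trustedInterfaces = [ "ve-+" ]` lets every container reach any host-listening service; if containers only need outbound NAT, either narrow this to `interfaces."ve-+".allowedTCPPorts` or document the intent with `# containers are fully trusted: they may reach any port on the host`. The enclosing `networking` set starts outside the hunk.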


@ -22,6 +22,8 @@
allowedUDPPorts = [
53 # DNS (udp)
10000 # Jitsi Meet (udp)
15635 # Enshrouded
15636 # Enshrouded
];
};
};


@ -19,6 +19,7 @@
allowedUDPPorts = [
3478 # Headscale DERP (udp)
10000 # Jitsi Meet (udp)
15636 # Enshrouded
];
};
@ -28,18 +29,8 @@
table ip nat {
chain PREROUTING {
type nat hook prerouting priority dstnat; policy accept;
iifname "enp0s4" tcp dport 25 dnat to 10.100.0.2:25; # Mailserver
iifname "enp0s4" tcp dport 143 dnat to 10.100.0.2:143; # Mailserver
iifname "enp0s4" tcp dport 465 dnat to 10.100.0.2:465; # Mailserver
iifname "enp0s4" tcp dport 587 dnat to 10.100.0.2:587; # Mailserver
iifname "enp0s4" tcp dport 993 dnat to 10.100.0.2:993; # Mailserver
iifname "enp0s4" tcp dport 4190 dnat to 10.100.0.2:4190; # Mailserver
iifname "enp0s4" tcp dport 80 dnat to 10.100.0.2:80; # HTTP
iifname "enp0s4" tcp dport 443 dnat to 10.100.0.2:443; # HTTPS
iifname "enp0s4" tcp dport 42420 dnat to 10.100.0.2:42420; # Vintage Story
iifname "enp0s4" tcp dport 25565 dnat to 10.100.0.2:25565; # Minecraft
iifname "enp0s4" tcp dport 4443 dnat to 10.100.0.2:4443; # Jitsi
iifname "enp0s4" udp dport 10000 dnat to 10.100.0.2:10000; # Jitsi
iifname "enp0s4" udp dport 10000 dnat to 10.100.0.2:10000;
iifname "enp0s4" udp dport 10000 dnat to 10.100.0.2:15636;
}
}
'';
@ -50,19 +41,45 @@
internalInterfaces = [ "enp0s4" ];
externalInterface = "wireguard0";
forwardPorts = [
{ sourcePort = 25; proto = "tcp"; destination = "10.100.0.2:25"; } # Mailserver
{ sourcePort = 143; proto = "tcp"; destination = "10.100.0.2:143"; } # Mailserver
{ sourcePort = 465; proto = "tcp"; destination = "10.100.0.2:465"; } # Mailserver
{ sourcePort = 587; proto = "tcp"; destination = "10.100.0.2:587"; } # Mailserver
{ sourcePort = 993; proto = "tcp"; destination = "10.100.0.2:993"; } # Mailserver
{ sourcePort = 4190; proto = "tcp"; destination = "10.100.0.2:4190"; } # Mailserver
{ sourcePort = 80; proto = "tcp"; destination = "10.100.0.2:80"; } # HTTP
{ sourcePort = 443; proto = "tcp"; destination = "10.100.0.2:443"; } # HTTPS
{ sourcePort = 42420; proto = "tcp"; destination = "10.100.0.2:42420"; } # Vintage Story
{ sourcePort = 25565; proto = "tcp"; destination = "10.100.0.2:25565"; } # Minecraft
{ sourcePort = 4443; proto = "tcp"; destination = "10.100.0.2:4443"; } # Jitsi
{ sourcePort = 10000; proto = "udp"; destination = "10.100.0.2:10000"; } # Jitsi
{ sourcePort = 10000; proto = "udp"; destination = "10.100.0.2:10000"; }
{ sourcePort = 15636; proto = "udp"; destination = "10.100.0.2:15636"; }
];
};
};
services.haproxy = {
enable = true;
config = ''
frontend http
mode http
bind :80
default_backend backend_http
frontend tcp
mode tcp
bind :443
bind :42420
bind :25565
bind :25
bind :143
bind :465
bind :587
bind :993
bind :4190
bind :4443
default_backend backend_tcp
backend backend_tcp
mode tcp
option forwarded
option forwardfor if-none
server framework-server 10.100.0.2
backend backend_http
mode http
option forwarded
option forwardfor if-none
server framework-server 10.100.0.2
'';
};
}
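Review bot: The nftables rule `iifname "enp0s4" udp dport 10000 dnat to 10.100.0.2:15636;` matches port 10000 rather than 15636 and sits behind an identical `dport 10000` rule, so the Enshrouded forward never fires while the `forwardPorts` entry below correctly uses `sourcePort = 15636`; the line should read `iifname "enp0s4" udp dport 15636 dnat to 10.100.0.2:15636;`. In the new haproxy block, `option forwarded` and `option forwardfor if-none` are HTTP-mode options and do nothing in `backend_tcp` (haproxy warns and ignores them), so the mail server behind 25/143/465/587/993/4190 and the TLS backend behind 443 now see 10.100.0.1 as every client — unlike the DNAT path they replace — which defeats per-IP rate limiting, fail2ban and any source-based policy on the backend. If the backends support the PROXY protocol, add `send-proxy-v2` to the `server` line in `backend_tcp`; otherwise keep those ports on DNAT. The enclosing attribute set begins outside the hunk.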


@ -41,8 +41,8 @@
ips = [ "10.100.0.1/24" ];
listenPort = 51820;
privateKeyFile = "/run/secrets/wireguard_key";
postSetup = ''${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o enp0s4 -j MASQUERADE'';
postShutdown = ''${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o enp0s4 -j MASQUERADE'';
postSetup = ''${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -o enp0s4 -j MASQUERADE'';
postShutdown = ''${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -o enp0s4 -j MASQUERADE'';
peers = [
{ # framework-server
publicKey = "trHvfNtQ7HKMiJjxEXo2Iubq5G6egjx7gHiBlDmJ5Ek=";
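Review bot: The `postSetup`/`postShutdown` pair without `-s 10.100.0.0/24` masquerades every forwarded packet leaving `enp0s4`, not just WireGuard peers; the rendering does not make clear which pair is the new side, but the source-scoped form costs nothing and keeps the rule from silently covering other forwarded traffic, so `iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o enp0s4 -j MASQUERADE` (and the matching `-D`) is the safer choice. A one-line comment such as `# SNAT only the WireGuard subnet toward the LAN/WAN side` would record the intent. The enclosing interface definition starts outside the hunk and the `peers` list continues past it.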