diff --git a/nixos/hosts/milan-linode-01/containers/derp.nix b/nixos/common/containers/derp.nix
similarity index 86%
rename from nixos/hosts/milan-linode-01/containers/derp.nix
rename to nixos/common/containers/derp.nix
index e3a3b4a5..c95d21ec 100644
--- a/nixos/hosts/milan-linode-01/containers/derp.nix
+++ b/nixos/common/containers/derp.nix
@@ -1,4 +1,4 @@
-{ ... }: {
+{ domainName, ... }: {
 services.cron = {
 enable = true;
 systemCronJobs = [
@@ -13,15 +13,15 @@
 DERP_ADDR = ":1443";
 DERP_CERT_DIR = "/app/certs";
 DERP_CERT_MODE = "manual";
- DERP_DOMAIN = "milan.sysctl.io";
+ DERP_DOMAIN = domainName;
 DERP_STUN = "true";
 DERP_VERIFY_CLIENTS = "true";
 DERP_HTTP_PORT = "-1";
 };
 volumes = [
 "/var/run/tailscale/tailscaled.sock:/var/run/tailscale/tailscaled.sock:ro"
- "/Storage/Data/Docker/sysctl.io/letsencrypt/external/*.sysctl.io/public.crt:/app/certs/milan.sysctl.io.crt:ro"
- "/Storage/Data/Docker/sysctl.io/letsencrypt/external/*.sysctl.io/private.key:/app/certs/milan.sysctl.io.key:ro"
+ "/Storage/Data/Docker/sysctl.io/letsencrypt/external/*.sysctl.io/public.crt:/app/certs/${domainName}.crt:ro"
+ "/Storage/Data/Docker/sysctl.io/letsencrypt/external/*.sysctl.io/private.key:/app/certs/${domainName}.key:ro"
 ];
 ports = [
 "3478:3478/udp"
diff --git a/nixos/hosts/framework-server/fail2ban/traefik.nix b/nixos/common/modules/fail2ban/traefik.nix
similarity index 100%
rename from nixos/hosts/framework-server/fail2ban/traefik.nix
rename to nixos/common/modules/fail2ban/traefik.nix
diff --git a/nixos/hosts/framework-server/default.nix b/nixos/hosts/framework-server/default.nix
index 8b28def0..2de53afd 100644
--- a/nixos/hosts/framework-server/default.nix
+++ b/nixos/hosts/framework-server/default.nix
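Review bot: `DERP_DOMAIN` now takes whatever `domainName` the importing host supplies, but the two volume lines still mount the one fixed `*.sysctl.io` certificate lineage, so nothing in the module says that `domainName` has to be a name that certificate actually covers — a wildcard does not match the bare apex unless the apex is listed as a separate SAN, and a mismatch only shows up later as TLS failures on the derper. Suggest a comment above `volumes`: `# domainName must be covered by the *.sysctl.io certificate mounted below (the wildcard does not cover the apex unless it is a SAN)`. The `*` in the host path is presumably a literal directory name, since the bind source is passed to the container runtime as-is and not globbed; worth confirming it exists on every host that now imports this module.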
@@ -9,12 +9,12 @@
 ../../common/modules/ssh-luks.nix
 ../../common/services/docker.nix
 ../../common/services/tailscale-autoconnect.nix
+ ../../common/modules/fail2ban/traefik.nix
 ./containers.nix
 ./disks.nix
 ./wireguard.nix
 ./cron.nix
 ./firewall.nix
- ./fail2ban/traefik.nix
 ];
 
 environment.systemPackages = [
diff --git a/nixos/hosts/osaka-linode-01/containers/derp.nix b/nixos/hosts/osaka-linode-01/containers/derp.nix
deleted file mode 100644
index a8d5c5a5..00000000
--- a/nixos/hosts/osaka-linode-01/containers/derp.nix
+++ /dev/null
@@ -1,33 +0,0 @@
-{ ... }: {
- services.cron = {
- enable = true;
- systemCronJobs = [
- ''0 0 * * * root mkdir -p /Storage/Data/Docker/sysctl.io/letsencrypt/; rsync -avr --delete root@framework-server:/Storage/Data/Docker/sysctl.io/letsencrypt/ /Storage/Data/Docker/sysctl.io/letsencrypt/''
- ];
- };
-
- # Containers
- virtualisation.oci-containers.containers."derp" = {
- image = "docker.io/fredliang/derper";
- environment = {
- DERP_ADDR = ":1443";
- DERP_CERT_DIR = "/app/certs";
- DERP_CERT_MODE = "manual";
- DERP_DOMAIN = "sysctl.io";
- DERP_STUN = "true";
- DERP_VERIFY_CLIENTS = "true";
- DERP_HTTP_PORT = "-1";
- };
- volumes = [
- "/var/run/tailscale/tailscaled.sock:/var/run/tailscale/tailscaled.sock:ro"
- "/Storage/Data/Docker/sysctl.io/letsencrypt/external/*.sysctl.io/public.crt:/app/certs/sysctl.io.crt:ro"
- "/Storage/Data/Docker/sysctl.io/letsencrypt/external/*.sysctl.io/private.key:/app/certs/sysctl.io.key:ro"
- ];
- ports = [
- "3478:3478/udp"
- "1443:1443/tcp"
- ];
- log-driver = "journald";
- extraOptions = [ "--network=host" ];
- };
-}
diff --git a/nixos/hosts/osaka-linode-01/default.nix b/nixos/hosts/osaka-linode-01/default.nix
index 41a910d5..0e038604 100644
--- a/nixos/hosts/osaka-linode-01/default.nix
+++ b/nixos/hosts/osaka-linode-01/default.nix
@@ -3,7 +3,7 @@
 (modulesPath + "/profiles/qemu-guest.nix")
 ../../common/services/tailscale-autoconnect.nix
 ../../common/services/podman.nix
- ./containers/derp.nix
+ ../../common/containers/derp.nix { domainName = "sysctl.io"; }
 ./firewall.nix
 ./wireguard.nix
 ];
diff --git a/nixos/hosts/warsaw-ovh-01/containers.nix b/nixos/hosts/warsaw-ovh-01/containers.nix
deleted file mode 100644
index e2605825..00000000
--- a/nixos/hosts/warsaw-ovh-01/containers.nix
+++ /dev/null
@@ -1,30 +0,0 @@
-{ lib, self, inputs, outputs, stateVersion, hmStateVersion, ... }:
-let
- libx = import ../../../lib { inherit lib self inputs outputs stateVersion hmStateVersion; };
-in {
-
- containers = {
- rdesktop = libx.mkContainer { hostname = "rdesktop"; ip = "2"; desktop = "plasma6"; unfree = true; };
- };
-
- # Networking config
- networking.bridges.nix-br0.interfaces = [];
-
- # Add an IP address to the bridge interface.
- networking.localCommands = ''ip address add 192.168.2.1/24 dev nix-br0'';
-
- # Firewall commands allowing traffic to go in and out of the bridge interface
- # (and to the guest LXD instance). Also sets up the actual NAT masquerade rule.
- networking.firewall.extraCommands = ''
- iptables -A INPUT -i nix-br0 -j ACCEPT
-
- # These three technically aren't needed, since by default the FORWARD and
- # OUTPUT firewalls accept everything everything, but lets keep them in just
- # in case.
- iptables -A FORWARD -o nix-br0 -j ACCEPT
- iptables -A FORWARD -i nix-br0 -j ACCEPT
- iptables -A OUTPUT -o nix-br0 -j ACCEPT
-
- iptables -t nat -A POSTROUTING -s 192.168.2.0/24 ! -d 192.168.2.0/24 -j MASQUERADE
- '';
-}
diff --git a/nixos/hosts/warsaw-ovh-01/default.nix b/nixos/hosts/warsaw-ovh-01/default.nix
index 2c2d2f7d..5b160747 100644
--- a/nixos/hosts/warsaw-ovh-01/default.nix
+++ b/nixos/hosts/warsaw-ovh-01/default.nix
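Review bot: As displayed, `../../common/containers/derp.nix { domainName = "sysctl.io"; }` inside the `imports` list is two list elements rather than a function application, because Nix does not apply functions inside a list without parentheses; the path would then be loaded as a module whose `domainName` argument nobody supplies, and the bare attrset would be treated as a module setting a `domainName` option that is not declared. Either parenthesise it, `(../../common/containers/derp.nix { domainName = "sysctl.io"; })`, or keep a plain path import and set `_module.args.domainName = "sysctl.io";` in this host's config. If the collapsed rendering dropped the parentheses, disregard; the milan host's import of the renamed module is not in this diff, so it is worth checking the same way.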
@@ -5,11 +5,16 @@
 ../../common/modules/builder.nix
 ../../common/services/docker.nix
 ../../common/services/tailscale-autoconnect.nix
- ./containers.nix
+ ../../common/modules/fail2ban/traefik.nix
+
+ # Copy from framework-server
+ ../framework-server/cron.nix
+ ../framework-server/firewall.nix
+ ../framework-server/containers.nix
+
+ # Host Specific
 ./disks.nix
 ./wireguard.nix
- ./cron.nix
- ./firewall.nix
 ];
 
 environment.systemPackages = [
diff --git a/nixos/hosts/warsaw-ovh-01/firewall.nix b/nixos/hosts/warsaw-ovh-01/firewall.nix
deleted file mode 100644
index 4397eedc..00000000
--- a/nixos/hosts/warsaw-ovh-01/firewall.nix
+++ /dev/null
@@ -1,30 +0,0 @@
-{ ... }: {
- networking = {
- firewall = {
- enable = true;
- allowedTCPPorts = [
- 53 # DNS
- 80 # HTTP
- 443 # HTTPS
- 42420 # Vintage Story
- 25565 # Minecraft
- 1443 # Headscale DERP (tcp)
- 25 # Mailserver
- 143 # Mailserver
- 465 # Mailserver
- 587 # Mailserver
- 993 # Mailserver
- 4190 # Mailserver
- 5696 # dsm-kmip server
- 3389 # RDP
- 4443 # Jitsi
- ];
- allowedUDPPorts = [
- 53 # DNS (udp)
- 10000 # Jitsi Meet (udp)
- 15636 # Enshrouded - Game
- 15637 # Enshrouded - Query Port
- ];
- };
- };
-}
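Review bot: Importing `../framework-server/firewall.nix` replaces this host's own allowlist (the deleted `firewall.nix` below) with another host's, so every port framework-server opens is opened on warsaw as well whether or not anything listens here, and that file is not in this diff, so the net change in exposure cannot be reviewed from here. If the two lists are meant to be identical, the shared file belongs under `common/` with a name that says so; otherwise keep a host-local `firewall.nix` that lists only warsaw's services. The comment `# Copy from framework-server` also misdescribes what happens: the files are imported, not copied, so any later framework-server-specific change to `cron.nix`, `firewall.nix` or `containers.nix` lands on warsaw too — `# Shared with framework-server (imported, not copied)` would be accurate.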