From 518cd0ad906d8f8f142829732c5b740caeff9d07 Mon Sep 17 00:00:00 2001
From: albert
Date: Mon, 12 Aug 2024 13:19:07 +0900
Subject: [PATCH] Updates

---
 .../containers/derp.nix | 8 ++---
 .../modules}/fail2ban/traefik.nix | 0
 nixos/hosts/framework-server/default.nix | 2 +-
 .../hosts/osaka-linode-01/containers/derp.nix | 33 -------------------
 nixos/hosts/osaka-linode-01/default.nix | 2 +-
 nixos/hosts/warsaw-ovh-01/containers.nix | 30 -----------------
 nixos/hosts/warsaw-ovh-01/default.nix | 11 +++++--
 nixos/hosts/warsaw-ovh-01/firewall.nix | 30 -----------------
 8 files changed, 14 insertions(+), 102 deletions(-)
 rename nixos/{hosts/milan-linode-01 => common}/containers/derp.nix (86%)
 rename nixos/{hosts/framework-server => common/modules}/fail2ban/traefik.nix (100%)
 delete mode 100644 nixos/hosts/osaka-linode-01/containers/derp.nix
 delete mode 100644 nixos/hosts/warsaw-ovh-01/containers.nix
 delete mode 100644 nixos/hosts/warsaw-ovh-01/firewall.nix

diff --git a/nixos/hosts/milan-linode-01/containers/derp.nix b/nixos/common/containers/derp.nix
similarity index 86%
rename from nixos/hosts/milan-linode-01/containers/derp.nix
rename to nixos/common/containers/derp.nix
index e3a3b4a5..c95d21ec 100644
--- a/nixos/hosts/milan-linode-01/containers/derp.nix
+++ b/nixos/common/containers/derp.nix
@@ -1,4 +1,4 @@
-{ ... }: {
+{ domainName, ... }: {
 services.cron = {
 enable = true;
 systemCronJobs = [
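Review bot: `domainName` on the new `+{ domainName, ... }: {` line is a module-function argument, which the NixOS module system only fills from `specialArgs`/`_module.args`, and nothing in this patch supplies it; the osaka-linode-01 default.nix hunk tries to pass it as `../../common/containers/derp.nix { domainName = "sysctl.io"; }`, but a Nix list literal does not apply functions, so that line is two imports — the path (evaluated with `domainName` missing) and a bare `{ domainName = "sysctl.io"; }` module that sets an undeclared option. Unless `domainName` is provided elsewhere in the repository, evaluating osaka-linode-01 should fail with a missing-argument or unknown-option error. The smallest fix is in that hunk: `(import ../../common/containers/derp.nix { domainName = "sysctl.io"; })`, which calls the function and imports the resulting module attrset; the alternative is to declare a `domainName` option and read it from `config` inside derp.nix. The module body continues past this hunk.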
@@ -13,15 +13,15 @@
 DERP_ADDR = ":1443";
 DERP_CERT_DIR = "/app/certs";
 DERP_CERT_MODE = "manual";
- DERP_DOMAIN = "milan.sysctl.io";
+ DERP_DOMAIN = domainName;
 DERP_STUN = "true";
 DERP_VERIFY_CLIENTS = "true";
 DERP_HTTP_PORT = "-1";
 };
 volumes = [
 "/var/run/tailscale/tailscaled.sock:/var/run/tailscale/tailscaled.sock:ro"
- "/Storage/Data/Docker/sysctl.io/letsencrypt/external/*.sysctl.io/public.crt:/app/certs/milan.sysctl.io.crt:ro"
- "/Storage/Data/Docker/sysctl.io/letsencrypt/external/*.sysctl.io/private.key:/app/certs/milan.sysctl.io.key:ro"
+ "/Storage/Data/Docker/sysctl.io/letsencrypt/external/*.sysctl.io/public.crt:/app/certs/${domainName}.crt:ro"
+ "/Storage/Data/Docker/sysctl.io/letsencrypt/external/*.sysctl.io/private.key:/app/certs/${domainName}.key:ro"
 ];
 ports = [
 "3478:3478/udp"
diff --git a/nixos/hosts/framework-server/fail2ban/traefik.nix b/nixos/common/modules/fail2ban/traefik.nix
similarity index 100%
rename from nixos/hosts/framework-server/fail2ban/traefik.nix
rename to nixos/common/modules/fail2ban/traefik.nix
diff --git a/nixos/hosts/framework-server/default.nix b/nixos/hosts/framework-server/default.nix
index 8b28def0..2de53afd 100644
--- a/nixos/hosts/framework-server/default.nix
+++ b/nixos/hosts/framework-server/default.nix
@@ -9,12 +9,12 @@
 ../../common/modules/ssh-luks.nix
 ../../common/services/docker.nix
 ../../common/services/tailscale-autoconnect.nix
+ ../../common/modules/fail2ban/traefik.nix
 ./containers.nix
 ./disks.nix
 ./wireguard.nix
 ./cron.nix
 ./firewall.nix
- ./fail2ban/traefik.nix
 ];

 environment.systemPackages = [
diff --git a/nixos/hosts/osaka-linode-01/containers/derp.nix b/nixos/hosts/osaka-linode-01/containers/derp.nix
deleted file mode 100644
index a8d5c5a5..00000000
--- a/nixos/hosts/osaka-linode-01/containers/derp.nix
+++ /dev/null
@@ -1,33 +0,0 @@
-{ ... }: {
- services.cron = {
- enable = true;
- systemCronJobs = [
- ''0 0 * * * root mkdir -p /Storage/Data/Docker/sysctl.io/letsencrypt/; rsync -avr --delete root@framework-server:/Storage/Data/Docker/sysctl.io/letsencrypt/ /Storage/Data/Docker/sysctl.io/letsencrypt/''
- ];
- };
-
- # Containers
- virtualisation.oci-containers.containers."derp" = {
- image = "docker.io/fredliang/derper";
- environment = {
- DERP_ADDR = ":1443";
- DERP_CERT_DIR = "/app/certs";
- DERP_CERT_MODE = "manual";
- DERP_DOMAIN = "sysctl.io";
- DERP_STUN = "true";
- DERP_VERIFY_CLIENTS = "true";
- DERP_HTTP_PORT = "-1";
- };
- volumes = [
- "/var/run/tailscale/tailscaled.sock:/var/run/tailscale/tailscaled.sock:ro"
- "/Storage/Data/Docker/sysctl.io/letsencrypt/external/*.sysctl.io/public.crt:/app/certs/sysctl.io.crt:ro"
- "/Storage/Data/Docker/sysctl.io/letsencrypt/external/*.sysctl.io/private.key:/app/certs/sysctl.io.key:ro"
- ];
- ports = [
- "3478:3478/udp"
- "1443:1443/tcp"
- ];
- log-driver = "journald";
- extraOptions = [ "--network=host" ];
-}
diff --git a/nixos/hosts/osaka-linode-01/default.nix b/nixos/hosts/osaka-linode-01/default.nix
index 41a910d5..0e038604 100644
--- a/nixos/hosts/osaka-linode-01/default.nix
+++ b/nixos/hosts/osaka-linode-01/default.nix
@@ -3,7 +3,7 @@
 (modulesPath + "/profiles/qemu-guest.nix")
 ../../common/services/tailscale-autoconnect.nix
 ../../common/services/podman.nix
- ./containers/derp.nix
+ ../../common/containers/derp.nix { domainName = "sysctl.io"; }
 ./firewall.nix
 ./wireguard.nix
 ];
diff --git a/nixos/hosts/warsaw-ovh-01/containers.nix b/nixos/hosts/warsaw-ovh-01/containers.nix
deleted file mode 100644
index e2605825..00000000
--- a/nixos/hosts/warsaw-ovh-01/containers.nix
+++ /dev/null
@@ -1,30 +0,0 @@
-{ lib, self, inputs, outputs, stateVersion, hmStateVersion, ... }:
-let
- libx = import ../../../lib { inherit lib self inputs outputs stateVersion hmStateVersion; };
-in {
-
- containers = {
- rdesktop = libx.mkContainer { hostname = "rdesktop"; ip = "2"; desktop = "plasma6"; unfree = true; };
- };
-
- # Networking config
- networking.bridges.nix-br0.interfaces = [];
-
- # Add an IP address to the bridge interface.
- networking.localCommands = ''ip address add 192.168.2.1/24 dev nix-br0'';
-
- # Firewall commands allowing traffic to go in and out of the bridge interface
- # (and to the guest LXD instance). Also sets up the actual NAT masquerade rule.
- networking.firewall.extraCommands = ''
- iptables -A INPUT -i nix-br0 -j ACCEPT
-
- # These three technically aren't needed, since by default the FORWARD and
- # OUTPUT firewalls accept everything everything, but lets keep them in just
- # in case.
- iptables -A FORWARD -o nix-br0 -j ACCEPT
- iptables -A FORWARD -i nix-br0 -j ACCEPT
- iptables -A OUTPUT -o nix-br0 -j ACCEPT
-
- iptables -t nat -A POSTROUTING -s 192.168.2.0/24 ! -d 192.168.2.0/24 -j MASQUERADE
- '';
-}
diff --git a/nixos/hosts/warsaw-ovh-01/default.nix b/nixos/hosts/warsaw-ovh-01/default.nix
index 2c2d2f7d..5b160747 100644
--- a/nixos/hosts/warsaw-ovh-01/default.nix
+++ b/nixos/hosts/warsaw-ovh-01/default.nix
@@ -5,11 +5,16 @@
 ../../common/modules/builder.nix
 ../../common/services/docker.nix
 ../../common/services/tailscale-autoconnect.nix
- ./containers.nix
+ ../../common/modules/fail2ban/traefik.nix
+
+ # Copy from framework-server
+ ../framework-server/cron.nix
+ ../framework-server/firewall.nix
+ ../framework-server/containers.nix
+
+ # Host Specific
 ./disks.nix
 ./wireguard.nix
- ./cron.nix
- ./firewall.nix
 ];

 environment.systemPackages = [
diff --git a/nixos/hosts/warsaw-ovh-01/firewall.nix b/nixos/hosts/warsaw-ovh-01/firewall.nix
deleted file mode 100644
index 4397eedc..00000000
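Review bot: The three `../framework-server/*.nix` imports added under `# Copy from framework-server` in the warsaw-ovh-01 default.nix hunk make this host's firewall, container and cron configuration whatever another host's files declare, while the host-local `firewall.nix` (which opened DNS, HTTP/HTTPS, the mail ports, RDP 3389 and several game ports) and `containers.nix` (the `nix-br0` bridge with its `MASQUERADE` rule) are deleted in this same patch; none of the framework-server files are shown, so the resulting set of exposed ports and the NAT setup on warsaw cannot be verified from the diff and should be compared before deploying. From now on any edit to framework-server's firewall also changes what warsaw exposes, with nothing in warsaw's own directory hinting at it. Consistent with the `fail2ban/traefik.nix` move in this commit, the shared pieces belong under `../../common/` with the per-host port list kept per host; at minimum the comment should state the coupling, e.g. `# Shared with framework-server: every port opened in ../framework-server/firewall.nix is also exposed on this host`. The enclosing `imports` list begins before the hunk.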
--- a/nixos/hosts/warsaw-ovh-01/firewall.nix
+++ /dev/null
@@ -1,30 +0,0 @@
-{ ... }: {
- networking = {
- firewall = {
- enable = true;
- allowedTCPPorts = [
- 53 # DNS
- 80 # HTTP
- 443 # HTTPS
- 42420 # Vintage Story
- 25565 # Minecraft
- 1443 # Headscale DERP (tcp)
- 25 # Mailserver
- 143 # Mailserver
- 465 # Mailserver
- 587 # Mailserver
- 993 # Mailserver
- 4190 # Mailserver
- 5696 # dsm-kmip server
- 3389 # RDP
- 4443 # Jitsi
- ];
- allowedUDPPorts = [
- 53 # DNS (udp)
- 10000 # Jitsi Meet (udp)
- 15636 # Enshrouded - Game
- 15637 # Enshrouded - Query Port
- ];
- };
- };
-}