Updates
This commit is contained in:
parent
8787281ca2
commit
518cd0ad90
8 changed files with 14 additions and 102 deletions
|
@ -1,4 +1,4 @@
|
||||||
{ ... }: {
|
{ domainName, ... }: {
|
||||||
services.cron = {
|
services.cron = {
|
||||||
enable = true;
|
enable = true;
|
||||||
systemCronJobs = [
|
systemCronJobs = [
|
||||||
|
@ -13,15 +13,15 @@
|
||||||
DERP_ADDR = ":1443";
|
DERP_ADDR = ":1443";
|
||||||
DERP_CERT_DIR = "/app/certs";
|
DERP_CERT_DIR = "/app/certs";
|
||||||
DERP_CERT_MODE = "manual";
|
DERP_CERT_MODE = "manual";
|
||||||
DERP_DOMAIN = "milan.sysctl.io";
|
DERP_DOMAIN = domainName;
|
||||||
DERP_STUN = "true";
|
DERP_STUN = "true";
|
||||||
DERP_VERIFY_CLIENTS = "true";
|
DERP_VERIFY_CLIENTS = "true";
|
||||||
DERP_HTTP_PORT = "-1";
|
DERP_HTTP_PORT = "-1";
|
||||||
};
|
};
|
||||||
volumes = [
|
volumes = [
|
||||||
"/var/run/tailscale/tailscaled.sock:/var/run/tailscale/tailscaled.sock:ro"
|
"/var/run/tailscale/tailscaled.sock:/var/run/tailscale/tailscaled.sock:ro"
|
||||||
"/Storage/Data/Docker/sysctl.io/letsencrypt/external/*.sysctl.io/public.crt:/app/certs/milan.sysctl.io.crt:ro"
|
"/Storage/Data/Docker/sysctl.io/letsencrypt/external/*.sysctl.io/public.crt:/app/certs/${domainName}.crt:ro"
|
||||||
"/Storage/Data/Docker/sysctl.io/letsencrypt/external/*.sysctl.io/private.key:/app/certs/milan.sysctl.io.key:ro"
|
"/Storage/Data/Docker/sysctl.io/letsencrypt/external/*.sysctl.io/private.key:/app/certs/${domainName}.key:ro"
|
||||||
];
|
];
|
||||||
ports = [
|
ports = [
|
||||||
"3478:3478/udp"
|
"3478:3478/udp"
|
|
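Review bot: The two certificate mounts on the `${domainName}.crt` / `${domainName}.key` lines still read from the fixed `*.sysctl.io` wildcard directory under `/Storage/Data/Docker/sysctl.io/letsencrypt/external/`, so the module now accepts any `domainName` but only works for a name that wildcard certificate actually covers; a bare apex such as `sysctl.io` (which another host in this commit passes) is covered only if the certificate also carries the apex as a SAN, which is worth confirming since derper in `DERP_CERT_MODE = "manual"` will happily serve whatever it finds as `<DERP_DOMAIN>.crt`. Consider passing the certificate source alongside the name, e.g. `{ domainName, certDir ? "<constructed default>", ... }:`, or at least stating the coupling above `volumes`: `# Expects the *.sysctl.io wildcard cert; domainName must be a name it covers`. Mounting the key read-only is the right call; the container's `image` line and the cron job that fetches these files lie outside this hunk, so I cannot tell from here whether the image is pinned by digest.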
@ -9,12 +9,12 @@
|
||||||
../../common/modules/ssh-luks.nix
|
../../common/modules/ssh-luks.nix
|
||||||
../../common/services/docker.nix
|
../../common/services/docker.nix
|
||||||
../../common/services/tailscale-autoconnect.nix
|
../../common/services/tailscale-autoconnect.nix
|
||||||
|
../../common/modules/fail2ban/traefik.nix
|
||||||
./containers.nix
|
./containers.nix
|
||||||
./disks.nix
|
./disks.nix
|
||||||
./wireguard.nix
|
./wireguard.nix
|
||||||
./cron.nix
|
./cron.nix
|
||||||
./firewall.nix
|
./firewall.nix
|
||||||
./fail2ban/traefik.nix
|
|
||||||
];
|
];
|
||||||
|
|
||||||
environment.systemPackages = [
|
environment.systemPackages = [
|
||||||
|
|
|
@ -1,33 +0,0 @@
|
||||||
{ ... }: {
|
|
||||||
services.cron = {
|
|
||||||
enable = true;
|
|
||||||
systemCronJobs = [
|
|
||||||
''0 0 * * * root mkdir -p /Storage/Data/Docker/sysctl.io/letsencrypt/; rsync -avr --delete root@framework-server:/Storage/Data/Docker/sysctl.io/letsencrypt/ /Storage/Data/Docker/sysctl.io/letsencrypt/''
|
|
||||||
];
|
|
||||||
};
|
|
||||||
|
|
||||||
# Containers
|
|
||||||
virtualisation.oci-containers.containers."derp" = {
|
|
||||||
image = "docker.io/fredliang/derper";
|
|
||||||
environment = {
|
|
||||||
DERP_ADDR = ":1443";
|
|
||||||
DERP_CERT_DIR = "/app/certs";
|
|
||||||
DERP_CERT_MODE = "manual";
|
|
||||||
DERP_DOMAIN = "sysctl.io";
|
|
||||||
DERP_STUN = "true";
|
|
||||||
DERP_VERIFY_CLIENTS = "true";
|
|
||||||
DERP_HTTP_PORT = "-1";
|
|
||||||
};
|
|
||||||
volumes = [
|
|
||||||
"/var/run/tailscale/tailscaled.sock:/var/run/tailscale/tailscaled.sock:ro"
|
|
||||||
"/Storage/Data/Docker/sysctl.io/letsencrypt/external/*.sysctl.io/public.crt:/app/certs/sysctl.io.crt:ro"
|
|
||||||
"/Storage/Data/Docker/sysctl.io/letsencrypt/external/*.sysctl.io/private.key:/app/certs/sysctl.io.key:ro"
|
|
||||||
];
|
|
||||||
ports = [
|
|
||||||
"3478:3478/udp"
|
|
||||||
"1443:1443/tcp"
|
|
||||||
];
|
|
||||||
log-driver = "journald";
|
|
||||||
extraOptions = [ "--network=host" ];
|
|
||||||
};
|
|
||||||
}
|
|
|
@ -3,7 +3,7 @@
|
||||||
(modulesPath + "/profiles/qemu-guest.nix")
|
(modulesPath + "/profiles/qemu-guest.nix")
|
||||||
../../common/services/tailscale-autoconnect.nix
|
../../common/services/tailscale-autoconnect.nix
|
||||||
../../common/services/podman.nix
|
../../common/services/podman.nix
|
||||||
./containers/derp.nix
|
../../common/containers/derp.nix { domainName = "sysctl.io"; }
|
||||||
./firewall.nix
|
./firewall.nix
|
||||||
./wireguard.nix
|
./wireguard.nix
|
||||||
];
|
];
|
||||||
|
|
|
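Review bot: `../../common/containers/derp.nix { domainName = "sysctl.io"; }` is written as a function call, but inside a Nix list juxtaposition does not apply a function — as far as I can tell from the grammar it yields two list elements, a path and a bare attribute set, so the module system will evaluate `{ domainName = "sysctl.io"; }` as a module declaring an undefined option and then call derp.nix without its required `domainName` argument. Parenthesize and import explicitly: `(import ../../common/containers/derp.nix { domainName = "sysctl.io"; })`. That bypasses the usual module-argument injection, which is fine as long as derp.nix only needs `domainName` (its `{ domainName, ... }:` header suggests so); otherwise expose `domainName` as an option or set it through `_module.args`. The enclosing `imports = [` opens before this hunk.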
@ -1,30 +0,0 @@
|
||||||
{ lib, self, inputs, outputs, stateVersion, hmStateVersion, ... }:
|
|
||||||
let
|
|
||||||
libx = import ../../../lib { inherit lib self inputs outputs stateVersion hmStateVersion; };
|
|
||||||
in {
|
|
||||||
|
|
||||||
containers = {
|
|
||||||
rdesktop = libx.mkContainer { hostname = "rdesktop"; ip = "2"; desktop = "plasma6"; unfree = true; };
|
|
||||||
};
|
|
||||||
|
|
||||||
# Networking config
|
|
||||||
networking.bridges.nix-br0.interfaces = [];
|
|
||||||
|
|
||||||
# Add an IP address to the bridge interface.
|
|
||||||
networking.localCommands = ''ip address add 192.168.2.1/24 dev nix-br0'';
|
|
||||||
|
|
||||||
# Firewall commands allowing traffic to go in and out of the bridge interface
|
|
||||||
# (and to the guest LXD instance). Also sets up the actual NAT masquerade rule.
|
|
||||||
networking.firewall.extraCommands = ''
|
|
||||||
iptables -A INPUT -i nix-br0 -j ACCEPT
|
|
||||||
|
|
||||||
# These three technically aren't needed, since by default the FORWARD and
|
|
||||||
# OUTPUT firewalls accept everything everything, but lets keep them in just
|
|
||||||
# in case.
|
|
||||||
iptables -A FORWARD -o nix-br0 -j ACCEPT
|
|
||||||
iptables -A FORWARD -i nix-br0 -j ACCEPT
|
|
||||||
iptables -A OUTPUT -o nix-br0 -j ACCEPT
|
|
||||||
|
|
||||||
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 ! -d 192.168.2.0/24 -j MASQUERADE
|
|
||||||
'';
|
|
||||||
}
|
|
|
@ -5,11 +5,16 @@
|
||||||
../../common/modules/builder.nix
|
../../common/modules/builder.nix
|
||||||
../../common/services/docker.nix
|
../../common/services/docker.nix
|
||||||
../../common/services/tailscale-autoconnect.nix
|
../../common/services/tailscale-autoconnect.nix
|
||||||
./containers.nix
|
../../common/modules/fail2ban/traefik.nix
|
||||||
|
|
||||||
|
# Copy from framework-server
|
||||||
|
../framework-server/cron.nix
|
||||||
|
../framework-server/firewall.nix
|
||||||
|
../framework-server/containers.nix
|
||||||
|
|
||||||
|
# Host Specific
|
||||||
./disks.nix
|
./disks.nix
|
||||||
./wireguard.nix
|
./wireguard.nix
|
||||||
./cron.nix
|
|
||||||
./firewall.nix
|
|
||||||
];
|
];
|
||||||
|
|
||||||
environment.systemPackages = [
|
environment.systemPackages = [
|
||||||
|
|
|
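Review bot: Importing `../framework-server/firewall.nix` and `../framework-server/containers.nix` makes this host's open ports and running containers track framework-server's instead of being declared here; if that firewall.nix resembles the host-local `firewall.nix` this commit deletes, it allows RDP (3389), the mail ports and 5696 on a host that may not run any of those services, and every port added for framework-server later is opened here too. The `# Copy from framework-server` comment understates this — it is a live import, not a copy — so I would reword it: `# Imported from framework-server: firewall rules and containers are shared, changes there apply here too`. A common module holding the shared port list, plus a per-host `allowedTCPPorts` addition, would keep each host's exposure explicit. The enclosing `imports = [` opens before this hunk.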
@ -1,30 +0,0 @@
|
||||||
{ ... }: {
|
|
||||||
networking = {
|
|
||||||
firewall = {
|
|
||||||
enable = true;
|
|
||||||
allowedTCPPorts = [
|
|
||||||
53 # DNS
|
|
||||||
80 # HTTP
|
|
||||||
443 # HTTPS
|
|
||||||
42420 # Vintage Story
|
|
||||||
25565 # Minecraft
|
|
||||||
1443 # Headscale DERP (tcp)
|
|
||||||
25 # Mailserver
|
|
||||||
143 # Mailserver
|
|
||||||
465 # Mailserver
|
|
||||||
587 # Mailserver
|
|
||||||
993 # Mailserver
|
|
||||||
4190 # Mailserver
|
|
||||||
5696 # dsm-kmip server
|
|
||||||
3389 # RDP
|
|
||||||
4443 # Jitsi
|
|
||||||
];
|
|
||||||
allowedUDPPorts = [
|
|
||||||
53 # DNS (udp)
|
|
||||||
10000 # Jitsi Meet (udp)
|
|
||||||
15636 # Enshrouded - Game
|
|
||||||
15637 # Enshrouded - Query Port
|
|
||||||
];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
|