This commit is contained in:
albert 2024-08-12 13:19:07 +09:00
parent 8787281ca2
commit 518cd0ad90
Signed by: albert
GPG key ID: 3895DD267CA11BA9
8 changed files with 14 additions and 102 deletions

View file

@ -1,4 +1,4 @@
{ ... }: { { domainName, ... }: {
services.cron = { services.cron = {
enable = true; enable = true;
systemCronJobs = [ systemCronJobs = [
@ -13,15 +13,15 @@
DERP_ADDR = ":1443"; DERP_ADDR = ":1443";
DERP_CERT_DIR = "/app/certs"; DERP_CERT_DIR = "/app/certs";
DERP_CERT_MODE = "manual"; DERP_CERT_MODE = "manual";
DERP_DOMAIN = "milan.sysctl.io"; DERP_DOMAIN = domainName;
DERP_STUN = "true"; DERP_STUN = "true";
DERP_VERIFY_CLIENTS = "true"; DERP_VERIFY_CLIENTS = "true";
DERP_HTTP_PORT = "-1"; DERP_HTTP_PORT = "-1";
}; };
volumes = [ volumes = [
"/var/run/tailscale/tailscaled.sock:/var/run/tailscale/tailscaled.sock:ro" "/var/run/tailscale/tailscaled.sock:/var/run/tailscale/tailscaled.sock:ro"
"/Storage/Data/Docker/sysctl.io/letsencrypt/external/*.sysctl.io/public.crt:/app/certs/milan.sysctl.io.crt:ro" "/Storage/Data/Docker/sysctl.io/letsencrypt/external/*.sysctl.io/public.crt:/app/certs/${domainName}.crt:ro"
"/Storage/Data/Docker/sysctl.io/letsencrypt/external/*.sysctl.io/private.key:/app/certs/milan.sysctl.io.key:ro" "/Storage/Data/Docker/sysctl.io/letsencrypt/external/*.sysctl.io/private.key:/app/certs/${domainName}.key:ro"
]; ];
ports = [ ports = [
"3478:3478/udp" "3478:3478/udp"

View file

@ -9,12 +9,12 @@
../../common/modules/ssh-luks.nix ../../common/modules/ssh-luks.nix
../../common/services/docker.nix ../../common/services/docker.nix
../../common/services/tailscale-autoconnect.nix ../../common/services/tailscale-autoconnect.nix
../../common/modules/fail2ban/traefik.nix
./containers.nix ./containers.nix
./disks.nix ./disks.nix
./wireguard.nix ./wireguard.nix
./cron.nix ./cron.nix
./firewall.nix ./firewall.nix
./fail2ban/traefik.nix
]; ];
environment.systemPackages = [ environment.systemPackages = [

View file

@ -1,33 +0,0 @@
{ ... }: {
services.cron = {
enable = true;
systemCronJobs = [
''0 0 * * * root mkdir -p /Storage/Data/Docker/sysctl.io/letsencrypt/; rsync -avr --delete root@framework-server:/Storage/Data/Docker/sysctl.io/letsencrypt/ /Storage/Data/Docker/sysctl.io/letsencrypt/''
];
};
# Containers
virtualisation.oci-containers.containers."derp" = {
image = "docker.io/fredliang/derper";
environment = {
DERP_ADDR = ":1443";
DERP_CERT_DIR = "/app/certs";
DERP_CERT_MODE = "manual";
DERP_DOMAIN = "sysctl.io";
DERP_STUN = "true";
DERP_VERIFY_CLIENTS = "true";
DERP_HTTP_PORT = "-1";
};
volumes = [
"/var/run/tailscale/tailscaled.sock:/var/run/tailscale/tailscaled.sock:ro"
"/Storage/Data/Docker/sysctl.io/letsencrypt/external/*.sysctl.io/public.crt:/app/certs/sysctl.io.crt:ro"
"/Storage/Data/Docker/sysctl.io/letsencrypt/external/*.sysctl.io/private.key:/app/certs/sysctl.io.key:ro"
];
ports = [
"3478:3478/udp"
"1443:1443/tcp"
];
log-driver = "journald";
extraOptions = [ "--network=host" ];
};
}

View file

@ -3,7 +3,7 @@
(modulesPath + "/profiles/qemu-guest.nix") (modulesPath + "/profiles/qemu-guest.nix")
../../common/services/tailscale-autoconnect.nix ../../common/services/tailscale-autoconnect.nix
../../common/services/podman.nix ../../common/services/podman.nix
./containers/derp.nix ../../common/containers/derp.nix { domainName = "sysctl.io"; }
./firewall.nix ./firewall.nix
./wireguard.nix ./wireguard.nix
]; ];

View file

@ -1,30 +0,0 @@
{ lib, self, inputs, outputs, stateVersion, hmStateVersion, ... }:
let
libx = import ../../../lib { inherit lib self inputs outputs stateVersion hmStateVersion; };
in {
containers = {
rdesktop = libx.mkContainer { hostname = "rdesktop"; ip = "2"; desktop = "plasma6"; unfree = true; };
};
# Networking config
networking.bridges.nix-br0.interfaces = [];
# Add an IP address to the bridge interface.
networking.localCommands = ''ip address add 192.168.2.1/24 dev nix-br0'';
# Firewall commands allowing traffic to go in and out of the bridge interface
# (and to the guest LXD instance). Also sets up the actual NAT masquerade rule.
networking.firewall.extraCommands = ''
iptables -A INPUT -i nix-br0 -j ACCEPT
# These three technically aren't needed, since by default the FORWARD and
# OUTPUT firewalls accept everything everything, but lets keep them in just
# in case.
iptables -A FORWARD -o nix-br0 -j ACCEPT
iptables -A FORWARD -i nix-br0 -j ACCEPT
iptables -A OUTPUT -o nix-br0 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 ! -d 192.168.2.0/24 -j MASQUERADE
'';
}

View file

@ -5,11 +5,16 @@
../../common/modules/builder.nix ../../common/modules/builder.nix
../../common/services/docker.nix ../../common/services/docker.nix
../../common/services/tailscale-autoconnect.nix ../../common/services/tailscale-autoconnect.nix
./containers.nix ../../common/modules/fail2ban/traefik.nix
# Copy from framework-server
../framework-server/cron.nix
../framework-server/firewall.nix
../framework-server/containers.nix
# Host Specific
./disks.nix ./disks.nix
./wireguard.nix ./wireguard.nix
./cron.nix
./firewall.nix
]; ];
environment.systemPackages = [ environment.systemPackages = [

View file

@ -1,30 +0,0 @@
{ ... }: {
networking = {
firewall = {
enable = true;
allowedTCPPorts = [
53 # DNS
80 # HTTP
443 # HTTPS
42420 # Vintage Story
25565 # Minecraft
1443 # Headscale DERP (tcp)
25 # Mailserver
143 # Mailserver
465 # Mailserver
587 # Mailserver
993 # Mailserver
4190 # Mailserver
5696 # dsm-kmip server
3389 # RDP
4443 # Jitsi
];
allowedUDPPorts = [
53 # DNS (udp)
10000 # Jitsi Meet (udp)
15636 # Enshrouded - Game
15637 # Enshrouded - Query Port
];
};
};
}