diff --git a/nixos/hosts/frankfurt-linode-01/containers/derp.nix b/nixos/hosts/frankfurt-linode-01/containers/derp.nix
new file mode 100644
index 00000000..e16f4c0b
--- /dev/null
+++ b/nixos/hosts/frankfurt-linode-01/containers/derp.nix
@@ -0,0 +1,31 @@
+{ ... }: {
+ services.cron = {
+ enable = true;
+ systemCronJobs = [
+ ''0 0 * * * root rsync -avr root@framework-server:/Storage/Data/Docker/sysctl.io/letsencrypt/ /Storage/Data/Docker/sysctl.io/letsencrypt/''
+ ];
+ };
+
+ # Containers
+ virtualisation.oci-containers.containers."derp" = {
+ image = "docker.io/fredliang/derper";
+ environment = {
+ DERP_ADDR = ":1443";
+ DERP_CERT_DIR = "/app/certs";
+ DERP_CERT_MODE = "manual";
+ DERP_DOMAIN = "milan.sysctl.io";
+ DERP_STUN = "true";
+ DERP_VERIFY_CLIENTS = "true";
+ };
+ volumes = [
+ "/var/run/tailscale/tailscaled.sock:/var/run/tailscale/tailscaled.sock:ro"
+ "/Storage/Data/Docker/sysctl.io/letsencrypt/external/certificates/certs/*.sysctl.io.crt:/app/certs/milan.sysctl.io.crt:ro"
+ "/Storage/Data/Docker/sysctl.io/letsencrypt/external/certificates/private/*.sysctl.io.key:/app/certs/milan.sysctl.io.key:ro"
+ ];
+ ports = [
+ "3478:3478/udp"
+ "1443:1443/tcp"
+ ];
+ log-driver = "journald";
+ };
+}
diff --git a/nixos/hosts/frankfurt-linode-01/default.nix b/nixos/hosts/frankfurt-linode-01/default.nix
new file mode 100644
index 00000000..6a39457f
--- /dev/null
+++ b/nixos/hosts/frankfurt-linode-01/default.nix
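Review bot: The certificate and key bind-mount sources on the two `volumes` lines (`.../certs/*.sysctl.io.crt` and `.../private/*.sysctl.io.key`) contain a `*` glob, but oci-containers hands each entry to the runtime as a literal `-v src:dst` argument, so nothing expands it; with `DERP_CERT_MODE = "manual"` derper would then not find `/app/certs/milan.sysctl.io.crt`/`.key` (and podman may even create an empty directory at the literal source path). Use the exact file names the letsencrypt export writes, or bind-mount the `certs/` and `private/` directories read-only and point `DERP_CERT_DIR` at that mount, keeping the `<DERP_DOMAIN>.crt`/`.key` target naming these lines already use. Separately, the nightly root cron `rsync -avr` pulls the whole letsencrypt tree, private keys included, from `root@framework-server`, and as far as I can see nothing restarts the `derp` container afterwards, so unless derper re-reads the files on its own a renewed certificate is not served until the next restart — a `systemctl restart podman-derp.service` (presumably the unit name, given the podman.nix import) appended to the cron command would close that gap. Since `-a` preserves source modes, the `private/` permissions on `framework-server` are what protect the copied keys on this host; worth a comment above the cron entry saying so.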
@@ -0,0 +1,43 @@
+{ lib, modulesPath, ... }: {
+ imports = [
+ (modulesPath + "/profiles/qemu-guest.nix")
+ ../../common/services/tailscale-autoconnect.nix
+ ../../common/services/podman.nix
+ ./containers/derp.nix
+ ./firewall.nix
+ ];
+
+ boot.initrd.availableKernelModules = [ "virtio_pci" "virtio_scsi" "ahci" "sd_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+
+ # Enable LISH
+ boot.kernelParams = [ "console=ttyS0,19200n8" ];
+ boot.loader.grub.extraConfig = ''
+ serial --speed=19200 --unit=0 --word=8 --parity=no --stop=1;
+ terminal_input serial;
+ terminal_output serial
+ '';
+
+ boot.loader.grub.forceInstall = true;
+ boot.loader.grub.device = "nodev";
+ boot.loader.timeout = 10;
+
+ fileSystems."/" = {
+ device = "/dev/disk/by-label/nixos";
+ fsType = "ext4";
+ };
+
+ swapDevices = [ { device = "/dev/disk/by-label/linode-swap"; } ];
+
+ # Distributed Builds
+ nix.distributedBuilds = true;
+
+ networking.useDHCP = lib.mkDefault true;
+ time.timeZone = "Europe/Rome";
+ networking.hostName = "milan-linode-01";
+
+ services.tailscale.extraUpFlags = [ "--advertise-exit-node" ];
+ boot.kernel.sysctl = { "net.ipv4.ip_forward" = true; };
+}
diff --git a/nixos/hosts/frankfurt-linode-01/firewall.nix b/nixos/hosts/frankfurt-linode-01/firewall.nix
new file mode 100644
index 00000000..6152094c
--- /dev/null
+++ b/nixos/hosts/frankfurt-linode-01/firewall.nix
@@ -0,0 +1,13 @@
+{ ... }: {
+ networking = {
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [
+ 1443 # Headscale DERP (tcp)
+ ];
+ allowedUDPPorts = [
+ 3478 # Headscale DERP (udp)
+ ];
+ };
+ };
+}
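Review bot: `boot.kernel.sysctl` on the second-to-last line enables only `net.ipv4.ip_forward`, while `--advertise-exit-node` on the line above makes this host route exit-node traffic for both address families; without IPv6 forwarding, clients' IPv6 flows through this exit node will not be forwarded (Tailscale's exit-node instructions enable both). Suggested: `boot.kernel.sysctl = { "net.ipv4.ip_forward" = true; "net.ipv6.conf.all.forwarding" = true; };` with a comment `# both needed for --advertise-exit-node` above it. Also note the naming mismatch: the file lives under `hosts/frankfurt-linode-01`, but `networking.hostName` is `"milan-linode-01"`, `time.timeZone` is `Europe/Rome`, and derp.nix serves `milan.sysctl.io` — if this was copied from the Milan host, the hostname is worth confirming before the tailscale-autoconnect import registers the node under that name.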
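Review bot: The port comments read `Headscale DERP`, but the listener behind them (per containers/derp.nix in this commit) is the `derper` container — `DERP_ADDR = ":1443"` for the TLS relay and `DERP_STUN = "true"` on 3478 — so `# DERP relay over TLS (derper DERP_ADDR)` and `# DERP STUN (derper DERP_STUN)` would point a reader at the matching config. It is also worth a comment that these entries are not the only gate: published container `ports` under podman typically install their own DNAT/forward rules, so that traffic never traverses the `nixos-fw` INPUT chain and the effective exposure should be confirmed from the live ruleset rather than from this file alone. Likewise, with `net.ipv4.ip_forward` enabled in default.nix for the exit node, `allowedTCPPorts`/`allowedUDPPorts` cover only traffic addressed to this host, not forwarded traffic — presumably intended, but stating it here avoids a false sense of coverage.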