diff --git a/nixos/hosts/framework-server/default.nix b/nixos/hosts/framework-server/default.nix
index 8cdb1a99..ec74382a 100644
--- a/nixos/hosts/framework-server/default.nix
+++ b/nixos/hosts/framework-server/default.nix
@@ -9,8 +9,14 @@
 ./builder.nix
 ./ssh-luks.nix
 ./docker.nix
+ ./wireguard.nix
 ];
+ # open ports for traefik
+ networking.firewall.interfaces.wireguard0.allowedTCPPorts = [ 80 443 ];
+ networking.firewall.interfaces.enp0s13f0u2c2.allowedTCPPorts = [ 80 443 ];
+
+ # steam , etc
 nixpkgs.config.allowUnfree = false;
@@ -41,6 +47,6 @@
 "tailscaled-autoconnect.service"
 ];
 };
-
+
 services.tailscale.authKeyFile = "/run/secrets/tailscale_keys/framework-server";
 }
\ No newline at end of file
diff --git a/nixos/hosts/framework-server/wireguard.nix b/nixos/hosts/framework-server/wireguard.nix
new file mode 100644
index 00000000..9fb85e8f
--- /dev/null
+++ b/nixos/hosts/framework-server/wireguard.nix
@@ -0,0 +1,35 @@
+{ pkgs, config, lib, ... }: {
+
+ # Set up the secrets file:
+ sops.secrets."wireguard_keys/framework-server" = {
+ owner = "root";
+ sopsFile = ../../../secrets/wireguard.yaml;
+ };
+ sops.secrets."wireguard_keys/preshared_key" = {
+ owner = "root";
+ sopsFile = ../../../secrets/wireguard.yaml;
+ };
+
+ # Wireguard Forwarder
+ networking.firewall.allowPing = true;
+ networking.wireguard = {
+ enable = true;
+ interfaces = {
+ "wireguard0" = {
+ ips = [ "10.100.0.2/24" ];
+ listenPort = 51820;
+ privateKeyFile = "/run/secrets/wireguard_keys/framework-server";
+ # Testing
+ peers = [
+ { # osaka-vultr-01
+ publicKey = "yPZ3EmmIqCkReXf1DRTxzVaKQ2k+ifGmYJHji5nnMmE=";
+ presharedKeyFile = "/run/secrets/wireguard_keys/preshared_key";
+ persistentKeepalive = 5;
+ allowedIPs = [ "10.100.0.1/32" ];
+ endpoint = "64.176.54.57:51820";
+ }
+ ];
+ };
+ };
+ };
+}
\ No newline at end of file
diff --git a/nixos/hosts/nixos-rpi4-03/default.nix b/nixos/hosts/nixos-rpi4-03/default.nix
index f2b076f3..5ced2a78 100644
--- a/nixos/hosts/nixos-rpi4-03/default.nix
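Review bot: The second firewall rule opens 80/443 on the wired interface enp0s13f0u2c2, so whatever binds those ports is reachable by every host on that LAN segment and not only by WireGuard peers, yet nothing in this diff configures traefik itself (the only web server visible, the nginx test config in temp.nix, is being deleted), so confirm something really listens there and record why LAN exposure is wanted, e.g. `# traefik: also reachable from the wired LAN, not just through the tunnel`. The `# steam , etc` comment now sits directly above `nixpkgs.config.allowUnfree = false;`, which is the opposite of what steam needs; if unfree is intentionally off, reword it to `# unfree packages (steam etc.) deliberately disabled` so the next reader does not flip it by reflex. Interface-scoped rules also silently stop matching if the NIC is renamed, so a short comment naming the physical device behind enp0s13f0u2c2 would help.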
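Review bot: The peer block reuses the single `wireguard_keys/preshared_key` secret that the removed nixos-rpi4-03 config used against the same osaka-vultr-01 peer, which suggests one site-wide PSK rather than one per peer pair; a preshared key only adds its intended protection when each pair has its own, so if osaka-vultr-01 keeps any other peer, give this pair a separate secret (e.g. `wireguard_keys/framework-server-osaka-psk`). The tunnel also inherits 10.100.0.2/24 from the rpi, which only works once osaka-vultr-01's peer entry for 10.100.0.2/32 carries framework-server's new public key — the diff cannot show that, so note it next to the peer, e.g. `# osaka-vultr-01 must list this host's public key for 10.100.0.2/32`. `networking.firewall.allowPing = true` is a host-wide option, not one scoped to wireguard0, so it presumably answers ICMP on every interface including the wired one; if that is intended say so in the comment, otherwise drop it. Finally the `# Wireguard Forwarder` and `# Testing` comments look stale: unlike the rpi config this replaces, no `net.ipv4.ip_forward` or NAT is set here, so the file describes a plain client, not a forwarder.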
+++ b/nixos/hosts/nixos-rpi4-03/default.nix
@@ -4,15 +4,10 @@
 { config, lib, pkgs, modulesPath, ... }: {
 imports = [
 (modulesPath + "/installer/scan/not-detected.nix")
- ./temp.nix
 ];
 # Enable distributed Builds
 nix.distributedBuilds = true;
- # Enablet docker and docker-compose
- environment.systemPackages = [ pkgs.docker-compose ];
- virtualisation.docker.enable = true;
-
 #####################################################################################
 # BEGIN hardware config
 #####################################################################################
@@ -54,41 +49,4 @@
 services.tailscale.authKeyFile = "/run/secrets/tailscale_keys/nixos-rpi4-03";
 services.tailscale.extraUpFlags = [ "--advertise-exit-node" ];
 boot.kernel.sysctl = { "net.ipv4.ip_forward" = true; };
-
- # Temporary
- # networking.firewall.allowedTCPPorts = [ 22 ];
- # networking.firewall.allowedUDPPorts = [ 51820 ];
-
- # Set up the secrets file:
- sops.secrets."wireguard_keys/nixos-rpi4-03" = {
- owner = "root";
- sopsFile = ../../../secrets/wireguard.yaml;
- };
- sops.secrets."wireguard_keys/preshared_key" = {
- owner = "root";
- sopsFile = ../../../secrets/wireguard.yaml;
- };
-
- # Wireguard Forwarder
- networking.firewall.allowPing = true;
- networking.wireguard = {
- enable = true;
- interfaces = {
- "wireguard0" = {
- ips = [ "10.100.0.2/24" ];
- listenPort = 51820;
- privateKeyFile = "/run/secrets/wireguard_keys/nixos-rpi4-03";
- # Testing
- peers = [
- { # osaka-vultr-01
- publicKey = "yPZ3EmmIqCkReXf1DRTxzVaKQ2k+ifGmYJHji5nnMmE=";
- presharedKeyFile = "/run/secrets/wireguard_keys/preshared_key";
- persistentKeepalive = 5;
- allowedIPs = [ "10.100.0.1/32" ];
- endpoint = "64.176.54.57:51820";
- }
- ];
- };
- };
- };
 }
\ No newline at end of file
diff --git a/nixos/hosts/nixos-rpi4-03/temp.nix b/nixos/hosts/nixos-rpi4-03/temp.nix
deleted file mode 100644
index 2eed84bf..00000000
--- a/nixos/hosts/nixos-rpi4-03/temp.nix
+++ /dev/null
@@ -1,29 +0,0 @@
-{pkgs, lib, config, ...}: {
- networking.firewall.interfaces.wireguard0.allowedTCPPorts = [ 80 443 ];
-
- # Generate a test cert
- # sudo openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 \
- # -nodes -keyout test-ssl.key -out test-ssl.crt -subj "/CN=test-ssl" \
- # -addext "subjectAltName=DNS:test-ssl,DNS:*.test-ssl,IP:10.100.0.2"
-
- services.nginx = {
- enable = true;
- httpConfig = ''
- index index.html;
- server {
- listen 80 default_server;
- server_name _;
- server_name_in_redirect off;
- root /var/www/test;
- }
- server {
- listen 443 ssl;
- server_name _;
- server_name_in_redirect off;
- root /var/www/test-ssl;
- ssl_certificate /etc/ssl/nginx/test-ssl.crt;
- ssl_certificate_key /etc/ssl/nginx/test-ssl.key;
- }
- '';
- };
-}
\ No newline at end of file
diff --git a/nixos/users/albert/default.nix b/nixos/users/albert/default.nix
index 349028bf..c86bc380 100644
--- a/nixos/users/albert/default.nix
+++ b/nixos/users/albert/default.nix
@@ -10,7 +10,7 @@ in {
 description = "Albert J. Copeland";
 # video is required for the "light" command to work
 extraGroups = [ "networkmanager" "wheel" ]
- ++ ifExists [ "video" ]
+ ++ ifExists [ "video" ] ++ ifExists [ "docker" ];
 # mkpasswd -m sha-512
 hashedPassword = "$y$j9T$wKLsIWaA4Gf63RvjedwLJ0$EHKL6BBJV0CAxEKcHHjaBqW085KJ/MGvmbyWzmcWOy6";