albert/nix
albert/nix
1
0
Fork 0
Code Issues Pull requests Activity Actions

Merge remote-tracking branch 'refs/remotes/origin/main'

Browse source
This commit is contained in:
albert 2023-12-01 21:28:11 +09:00
commit 9c2673cc6c
No known key found for this signature in database
GPG key ID: 64F6C4EB46C4543A
5 changed files with 43 additions and 73 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
nixos/hosts/framework-server/default.nix
View file

@ -9,8 +9,14 @@
./builder.nix ./builder.nix
./ssh-luks.nix ./ssh-luks.nix
./docker.nix ./docker.nix
./wireguard.nix
]; ];
# open ports for traefik
networking.firewall.interfaces.wireguard0.allowedTCPPorts = [ 80 443 ];
networking.firewall.interfaces.enp0s13f0u2c2.allowedTCPPorts = [ 80 443 ];
# steam , etc # steam , etc
nixpkgs.config.allowUnfree = false; nixpkgs.config.allowUnfree = false;
@ -41,6 +47,6 @@
"tailscaled-autoconnect.service" "tailscaled-autoconnect.service"
]; ];
}; };
services.tailscale.authKeyFile = "/run/secrets/tailscale_keys/framework-server"; services.tailscale.authKeyFile = "/run/secrets/tailscale_keys/framework-server";
} }

35
nixos/hosts/framework-server/wireguard.nix Normal file
View file

@ -0,0 +1,35 @@
{ pkgs, config, lib, ... }: {
# Set up the secrets file:
sops.secrets."wireguard_keys/framework-server" = {
owner = "root";
sopsFile = ../../../secrets/wireguard.yaml;
};
sops.secrets."wireguard_keys/preshared_key" = {
owner = "root";
sopsFile = ../../../secrets/wireguard.yaml;
};
# Wireguard Forwarder
networking.firewall.allowPing = true;
networking.wireguard = {
enable = true;
interfaces = {
"wireguard0" = {
ips = [ "10.100.0.2/24" ];
listenPort = 51820;
privateKeyFile = "/run/secrets/wireguard_keys/framework-server";
# Testing
peers = [
{ # osaka-vultr-01
publicKey = "yPZ3EmmIqCkReXf1DRTxzVaKQ2k+ifGmYJHji5nnMmE=";
presharedKeyFile = "/run/secrets/wireguard_keys/preshared_key";
persistentKeepalive = 5;
allowedIPs = [ "10.100.0.1/32" ];
endpoint = "64.176.54.57:51820";
}
];
};
};
};
}

42
nixos/hosts/nixos-rpi4-03/default.nix
View file

@ -4,15 +4,10 @@
{ config, lib, pkgs, modulesPath, ... }: { { config, lib, pkgs, modulesPath, ... }: {
imports = [ imports = [
(modulesPath + "/installer/scan/not-detected.nix") (modulesPath + "/installer/scan/not-detected.nix")
./temp.nix
]; ];
# Enable distributed Builds # Enable distributed Builds
nix.distributedBuilds = true; nix.distributedBuilds = true;
# Enablet docker and docker-compose
environment.systemPackages = [ pkgs.docker-compose ];
virtualisation.docker.enable = true;
##################################################################################### #####################################################################################
# BEGIN hardware config # BEGIN hardware config
##################################################################################### #####################################################################################
@ -54,41 +49,4 @@
services.tailscale.authKeyFile = "/run/secrets/tailscale_keys/nixos-rpi4-03"; services.tailscale.authKeyFile = "/run/secrets/tailscale_keys/nixos-rpi4-03";
services.tailscale.extraUpFlags = [ "--advertise-exit-node" ]; services.tailscale.extraUpFlags = [ "--advertise-exit-node" ];
boot.kernel.sysctl = { "net.ipv4.ip_forward" = true; }; boot.kernel.sysctl = { "net.ipv4.ip_forward" = true; };
# Temporary
# networking.firewall.allowedTCPPorts = [ 22 ];
# networking.firewall.allowedUDPPorts = [ 51820 ];
# Set up the secrets file:
sops.secrets."wireguard_keys/nixos-rpi4-03" = {
owner = "root";
sopsFile = ../../../secrets/wireguard.yaml;
};
sops.secrets."wireguard_keys/preshared_key" = {
owner = "root";
sopsFile = ../../../secrets/wireguard.yaml;
};
# Wireguard Forwarder
networking.firewall.allowPing = true;
networking.wireguard = {
enable = true;
interfaces = {
"wireguard0" = {
ips = [ "10.100.0.2/24" ];
listenPort = 51820;
privateKeyFile = "/run/secrets/wireguard_keys/nixos-rpi4-03";
# Testing
peers = [
{ # osaka-vultr-01
publicKey = "yPZ3EmmIqCkReXf1DRTxzVaKQ2k+ifGmYJHji5nnMmE=";
presharedKeyFile = "/run/secrets/wireguard_keys/preshared_key";
persistentKeepalive = 5;
allowedIPs = [ "10.100.0.1/32" ];
endpoint = "64.176.54.57:51820";
}
];
};
};
};
} }

29
nixos/hosts/nixos-rpi4-03/temp.nix
View file

@ -1,29 +0,0 @@
{pkgs, lib, config, ...}: {
networking.firewall.interfaces.wireguard0.allowedTCPPorts = [ 80 443 ];
# Generate a test cert
# sudo openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 \
# -nodes -keyout test-ssl.key -out test-ssl.crt -subj "/CN=test-ssl" \
# -addext "subjectAltName=DNS:test-ssl,DNS:*.test-ssl,IP:10.100.0.2"
services.nginx = {
enable = true;
httpConfig = ''
index index.html;
server {
listen 80 default_server;
server_name _;
server_name_in_redirect off;
root /var/www/test;
}
server {
listen 443 ssl;
server_name _;
server_name_in_redirect off;
root /var/www/test-ssl;
ssl_certificate /etc/ssl/nginx/test-ssl.crt;
ssl_certificate_key /etc/ssl/nginx/test-ssl.key;
}
'';
};
}

2
nixos/users/albert/default.nix
View file

@ -10,7 +10,7 @@ in {
description = "Albert J. Copeland"; description = "Albert J. Copeland";
# video is required for the "light" command to work # video is required for the "light" command to work
extraGroups = [ "networkmanager" "wheel" ] extraGroups = [ "networkmanager" "wheel" ]
++ ifExists [ "video" ] ++ ifExists [ "video" ]
++ ifExists [ "docker" ]; ++ ifExists [ "docker" ];
# mkpasswd -m sha-512 # mkpasswd -m sha-512
hashedPassword = "$y$j9T$wKLsIWaA4Gf63RvjedwLJ0$EHKL6BBJV0CAxEKcHHjaBqW085KJ/MGvmbyWzmcWOy6"; hashedPassword = "$y$j9T$wKLsIWaA4Gf63RvjedwLJ0$EHKL6BBJV0CAxEKcHHjaBqW085KJ/MGvmbyWzmcWOy6";