albert/nix
albert/nix
1
0
Fork 0
Code Issues Pull requests Activity Actions

Merge remote-tracking branch 'refs/remotes/origin/main'

Browse source
This commit is contained in:
albert 2023-12-01 21:28:11 +09:00
commit 9c2673cc6c
No known key found for this signature in database
GPG key ID: 64F6C4EB46C4543A
5 changed files with 43 additions and 73 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
nixos/hosts/framework-server/default.nix
View file

@ -9,8 +9,14 @@
./builder.nix
./ssh-luks.nix
./docker.nix
./wireguard.nix
];
# open ports for traefik
networking.firewall.interfaces.wireguard0.allowedTCPPorts = [ 80 443 ];
networking.firewall.interfaces.enp0s13f0u2c2.allowedTCPPorts = [ 80 443 ];
# steam , etc
nixpkgs.config.allowUnfree = false;

35
nixos/hosts/framework-server/wireguard.nix Normal file
View file

@ -0,0 +1,35 @@
{ pkgs, config, lib, ... }: {
# Set up the secrets file:
sops.secrets."wireguard_keys/framework-server" = {
owner = "root";
sopsFile = ../../../secrets/wireguard.yaml;
};
sops.secrets."wireguard_keys/preshared_key" = {
owner = "root";
sopsFile = ../../../secrets/wireguard.yaml;
};
# Wireguard Forwarder
networking.firewall.allowPing = true;
networking.wireguard = {
enable = true;
interfaces = {
"wireguard0" = {
ips = [ "10.100.0.2/24" ];
listenPort = 51820;
privateKeyFile = "/run/secrets/wireguard_keys/framework-server";
# Testing
peers = [
{ # osaka-vultr-01
publicKey = "yPZ3EmmIqCkReXf1DRTxzVaKQ2k+ifGmYJHji5nnMmE=";
presharedKeyFile = "/run/secrets/wireguard_keys/preshared_key";
persistentKeepalive = 5;
allowedIPs = [ "10.100.0.1/32" ];
endpoint = "64.176.54.57:51820";
}
];
};
};
};
}

42
nixos/hosts/nixos-rpi4-03/default.nix
View file

@ -4,15 +4,10 @@
{ config, lib, pkgs, modulesPath, ... }: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
./temp.nix
];
# Enable distributed Builds
nix.distributedBuilds = true;
# Enablet docker and docker-compose
environment.systemPackages = [ pkgs.docker-compose ];
virtualisation.docker.enable = true;
#####################################################################################
# BEGIN hardware config
#####################################################################################
@ -54,41 +49,4 @@
services.tailscale.authKeyFile = "/run/secrets/tailscale_keys/nixos-rpi4-03";
services.tailscale.extraUpFlags = [ "--advertise-exit-node" ];
boot.kernel.sysctl = { "net.ipv4.ip_forward" = true; };
# Temporary
# networking.firewall.allowedTCPPorts = [ 22 ];
# networking.firewall.allowedUDPPorts = [ 51820 ];
# Set up the secrets file:
sops.secrets."wireguard_keys/nixos-rpi4-03" = {
owner = "root";
sopsFile = ../../../secrets/wireguard.yaml;
};
sops.secrets."wireguard_keys/preshared_key" = {
owner = "root";
sopsFile = ../../../secrets/wireguard.yaml;
};
# Wireguard Forwarder
networking.firewall.allowPing = true;
networking.wireguard = {
enable = true;
interfaces = {
"wireguard0" = {
ips = [ "10.100.0.2/24" ];
listenPort = 51820;
privateKeyFile = "/run/secrets/wireguard_keys/nixos-rpi4-03";
# Testing
peers = [
{ # osaka-vultr-01
publicKey = "yPZ3EmmIqCkReXf1DRTxzVaKQ2k+ifGmYJHji5nnMmE=";
presharedKeyFile = "/run/secrets/wireguard_keys/preshared_key";
persistentKeepalive = 5;
allowedIPs = [ "10.100.0.1/32" ];
endpoint = "64.176.54.57:51820";
}
];
};
};
};
}

29
nixos/hosts/nixos-rpi4-03/temp.nix
View file

@ -1,29 +0,0 @@
{pkgs, lib, config, ...}: {
networking.firewall.interfaces.wireguard0.allowedTCPPorts = [ 80 443 ];
# Generate a test cert
# sudo openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 \
# -nodes -keyout test-ssl.key -out test-ssl.crt -subj "/CN=test-ssl" \
# -addext "subjectAltName=DNS:test-ssl,DNS:*.test-ssl,IP:10.100.0.2"
services.nginx = {
enable = true;
httpConfig = ''
index index.html;
server {
listen 80 default_server;
server_name _;
server_name_in_redirect off;
root /var/www/test;
}
server {
listen 443 ssl;
server_name _;
server_name_in_redirect off;
root /var/www/test-ssl;
ssl_certificate /etc/ssl/nginx/test-ssl.crt;
ssl_certificate_key /etc/ssl/nginx/test-ssl.key;
}
'';
};
}