diff --git a/nixos/hosts/backups-rpi4/wireguard.nix b/nixos/hosts/backups-rpi4/wireguard.nix index 6070e0f0..ecf1ad9d 100644 --- a/nixos/hosts/backups-rpi4/wireguard.nix +++ b/nixos/hosts/backups-rpi4/wireguard.nix @@ -5,6 +5,7 @@ 10.100.0.1 osaka-linode-01 10.100.0.2 framework-server-wg 10.100.0.3 backups-rpi4 + 10.100.0.4 frankfurt-linode-01 ''; networking.firewall.interfaces.wireguard0.allowedTCPPorts = [ 22 ]; @@ -35,10 +36,16 @@ presharedKeyFile = "/run/secrets/preshared_key"; persistentKeepalive = 5; allowedIPs = [ "10.100.0.1/32" ]; - # endpoint = "172.234.84.222:51820"; # osaka-linode-01 - # endpoint = "172.232.204.45:51820"; # milan-linode-01 endpoint = "172.105.76.221:51820"; # frankfurt-linode-01 } + { # frankfurt-linode-01 + publicKey = "yPZ3EmmIqCkReXf1DRTxzVaKQ2k+ifGmYJHji5nnMmE="; + presharedKeyFile = "/run/secrets/preshared_key"; + persistentKeepalive = 5; + allowedIPs = [ "10.100.0.4/32" ]; + endpoint = "172.105.76.221:51820"; # frankfurt-linode-01 + } + ]; }; }; diff --git a/nixos/hosts/framework-server/wireguard.nix b/nixos/hosts/framework-server/wireguard.nix index 5ec65c1b..44d50971 100644 --- a/nixos/hosts/framework-server/wireguard.nix +++ b/nixos/hosts/framework-server/wireguard.nix @@ -33,8 +33,13 @@ presharedKeyFile = "/run/secrets/preshared_key"; persistentKeepalive = 5; allowedIPs = [ "10.100.0.1/32" ]; - # endpoint = "172.234.84.222:51820"; # osaka-linode-01 - # endpoint = "172.232.204.45:51820"; # milan-linode-01 + endpoint = "172.234.84.222:51820"; # osaka-linode-01 + } + { # frankfurt-linode-01 + publicKey = "9FCIy07RvR2dz8bbPUB9h2jdhFQHfDh0VdLf06n46QQ="; + presharedKeyFile = "/run/secrets/preshared_key"; + persistentKeepalive = 5; + allowedIPs = [ "10.100.0.4/32" ]; endpoint = "172.105.76.221:51820"; # frankfurt-linode-01 } ]; diff --git a/nixos/hosts/frankfurt-linode-01/wireguard.nix b/nixos/hosts/frankfurt-linode-01/wireguard.nix index 512f3c39..e0c5b23b 100644 --- a/nixos/hosts/frankfurt-linode-01/wireguard.nix 
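Review bot: In the second backups-rpi4 hunk the osaka-linode-01 peer (allowedIPs 10.100.0.1/32) keeps `endpoint = "172.105.76.221:51820"; # frankfurt-linode-01`, so after this commit two peers on that host share one endpoint, while the framework-server hunk in the same commit moves the equivalent peer to `endpoint = "172.234.84.222:51820"; # osaka-linode-01`; the rpi4 peer should get that same line. The new frankfurt-linode-01 peer is also given `publicKey = "yPZ3EmmIqCkReXf1DRTxzVaKQ2k+ifGmYJHji5nnMmE="` here but `publicKey = "9FCIy07RvR2dz8bbPUB9h2jdhFQHfDh0VdLf06n46QQ="` in framework-server/wireguard.nix; a WireGuard host has a single public key, so one of the two peer entries can never complete a handshake, and the yPZ3 value appears to be the one the pre-change framework-server file (same blob as the deleted ovh-server/wireguard.nix) labels osaka-linode-01. Separately, every peer on every host reads the same `presharedKeyFile = "/run/secrets/preshared_key"`; a pre-shared key is meant to be distinct per peer pair, so a mesh-wide value only adds protection against parties outside the mesh, which is worth a comment at the peer list if that trade-off is intentional.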
+++ b/nixos/hosts/frankfurt-linode-01/wireguard.nix @@ -2,9 +2,10 @@ # Allow these hosts to directly communicate with their hostnames networking.extraHosts = '' - 10.100.0.1 ${hostname} - 10.100.0.3 backups-rpi4 + 10.100.0.1 osaka-linode-01 10.100.0.2 headscale.sysctl.io + 10.100.0.3 backups-rpi4 + 10.100.0.4 frankfurt-linode-01 ''; networking.firewall.allowedUDPPorts = [ 51820 ]; @@ -32,8 +33,8 @@ interfaces = { "wireguard0" = { ips = [ - "10.100.0.1/24" - "10.100.1.1/24" + "10.100.0.4/24" + "10.100.1.4/24" ]; listenPort = 51820; privateKeyFile = "/run/secrets/wireguard_key"; diff --git a/nixos/hosts/osaka-linode-01/default.nix b/nixos/hosts/osaka-linode-01/default.nix index 9de1aa70..41a910d5 100644 --- a/nixos/hosts/osaka-linode-01/default.nix +++ b/nixos/hosts/osaka-linode-01/default.nix @@ -5,7 +5,7 @@ ../../common/services/podman.nix ./containers/derp.nix ./firewall.nix - # ./wireguard.nix + ./wireguard.nix ]; boot.initrd.availableKernelModules = [ "virtio_pci" "virtio_scsi" "ahci" "sd_mod" ]; diff --git a/nixos/hosts/osaka-linode-01/wireguard.nix b/nixos/hosts/osaka-linode-01/wireguard.nix index 512f3c39..358d8bb6 100644 --- a/nixos/hosts/osaka-linode-01/wireguard.nix +++ b/nixos/hosts/osaka-linode-01/wireguard.nix @@ -2,9 +2,10 @@ # Allow these hosts to directly communicate with their hostnames networking.extraHosts = '' - 10.100.0.1 ${hostname} - 10.100.0.3 backups-rpi4 + 10.100.0.1 osaka-linode-01 10.100.0.2 headscale.sysctl.io + 10.100.0.3 backups-rpi4 + 10.100.0.4 frankfurt-linode-01 ''; networking.firewall.allowedUDPPorts = [ 51820 ]; diff --git a/nixos/hosts/ovh-server/containers.nix b/nixos/hosts/ovh-server/containers.nix deleted file mode 100644 index e2605825..00000000 --- a/nixos/hosts/ovh-server/containers.nix +++ /dev/null 
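Review bot: The extraHosts blocks in the frankfurt-linode-01 and osaka-linode-01 hunks label 10.100.0.2 as `headscale.sysctl.io`, while the backups-rpi4 hunk in this commit labels the same address `framework-server-wg`, so the same tunnel address resolves to a different name depending on which host you are on. Picking one name and using it in all three files keeps logs and firewall comments consistent; the osaka hunk has the identical block and needs the same change.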
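Review bot: The second frankfurt-linode-01 hunk assigns `"10.100.1.4/24"` alongside `"10.100.0.4/24"`, but the frankfurt peer entries added on backups-rpi4 and framework-server allow only `"10.100.0.4/32"`, so traffic sourced from 10.100.1.4 would be dropped by cryptokey routing on those peers unless 10.100.1.0/24 is allowed somewhere outside these hunks. If the second range is unused, dropping that line is the simplest fix; otherwise a comment above the `ips` list stating what 10.100.1.0/24 is for and where peers allow it would save the next reader the same question.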
@@ -1,30 +0,0 @@ -{ lib, self, inputs, outputs, stateVersion, hmStateVersion, ... }: -let - libx = import ../../../lib { inherit lib self inputs outputs stateVersion hmStateVersion; }; -in { - - containers = { - rdesktop = libx.mkContainer { hostname = "rdesktop"; ip = "2"; desktop = "plasma6"; unfree = true; }; - }; - - # Networking config - networking.bridges.nix-br0.interfaces = []; - - # Add an IP address to the bridge interface. - networking.localCommands = ''ip address add 192.168.2.1/24 dev nix-br0''; - - # Firewall commands allowing traffic to go in and out of the bridge interface - # (and to the guest LXD instance). Also sets up the actual NAT masquerade rule. - networking.firewall.extraCommands = '' - iptables -A INPUT -i nix-br0 -j ACCEPT - - # These three technically aren't needed, since by default the FORWARD and - # OUTPUT firewalls accept everything everything, but lets keep them in just - # in case. - iptables -A FORWARD -o nix-br0 -j ACCEPT - iptables -A FORWARD -i nix-br0 -j ACCEPT - iptables -A OUTPUT -o nix-br0 -j ACCEPT - - iptables -t nat -A POSTROUTING -s 192.168.2.0/24 ! -d 192.168.2.0/24 -j MASQUERADE - ''; -} diff --git a/nixos/hosts/ovh-server/cron.nix b/nixos/hosts/ovh-server/cron.nix deleted file mode 100644 index 97b4e90f..00000000 --- a/nixos/hosts/ovh-server/cron.nix +++ /dev/null 
@@ -1,77 +0,0 @@ -{ pkgs, ... }: { - services.cron = { - enable = true; - systemCronJobs = [ - # Backups to nuc-docker01 - ''0 0 * * * root rsync --delete -avr /Storage/Data/Docker/sysctl.io/ root@nuc-docker01:/Storage/Data/Docker/sysctl.io/'' - ''0 3 * * * root rsync -avr /Storage/Data/Docker/sysctl.io/nextcloud/html/data/albert/files/InstantUpload/ root@nuc-docker01:/Storage/Media/Pictures/InstantUpload/'' - ''0 5 * * * root rsync -avr /Storage/Data/Docker/sysctl.io/nextcloud/html/data/albert/files/Wallpapers/ root@nuc-docker01:/Storage/Media/Pictures/Wallpapers'' - # Back up the docker containers monthly: - ''@monthly root ssh nuc-docker01 "rm -rf /Storage/Backups/Docker/sysctl.io/*"; for i in $(docker ps --format '{{.Names}}'); do docker export $i | gzip -cf | ssh root@nuc-docker01 "cat > /Storage/Backups/Docker/sysctl.io/$i.tar.gz"; done'' - # Set a random Pi-Hole password - ''* * * * * root docker exec pihole sudo pihole -a -p $(openssl rand -hex 128)'' - # Run the ClamAV scan - ''@monthly root /Storage/Data/docker-compose/sysctl.io/scripts/clamscan-cron.sh'' - # Archive Loki logs monthly - ''@monthly root /Storage/Data/docker-compose/sysctl.io/scripts/backup-logs.sh >> /Storage/Data/Temporary/log_backups.log'' - # Run the Nextcloud cronjobs hourly - ''@hourly root docker exec -uwww-data nextcloud php -f /var/www/html/cron.php'' - # Run the Pixelfed scheduler - ''* * * * * root docker exec pixelfed-app php artisan schedule:run'' - # Update / CLean Mastodon caches - ''@daily root docker exec mastodon-web tootctl preview_cards remove --days 7'' - ''@daily root docker exec mastodon-web tootctl media remove --days 7 --prune-profiles'' - ''@daily root docker exec mastodon-web tootctl accounts prune'' - ''@daily root docker exec mastodon-web tootctl statuses remove --days 7'' - ''@daily root docker exec mastodon-web tootctl media remove --remove-headers --include-follows --days 7'' - ''@daily root docker exec mastodon-web tootctl preview_cards remove --days 7'' - 
''@daily root docker exec mastodon-web tootctl media remove-orphans'' - ]; - }; -} -# Old crontab: -# # At reboot, apply the ip_tables modprobe so Wireguard works -# @reboot /usr/sbin/modprobe ip_tables -# -# # At reboot, restart Docker. Otherwise, iptables / the firewall freaks out -# @reboot /usr/bin/systemctl stop docker; /usr/bin/systemctl start docker -# -# # Every day, get storage space for monitoring -# @daily source ~/.bashrc; for i in `ls /Storage/Data/Docker`; do echo echo "$(date): $(du -s /Storage/Data/Docker/$i)" | sed -e 's/\/Storage\/Data\/Docker\/\$i//' >> /root/sizes/$i.log; done -# -# # Clean up NextCloud files weekly to save space -# @weekly source ~/.bashrc; /usr/bin/docker exec -uwww-data nextcloud php occ versions:cleanup -# DONE # Run the Nextcloud cronjobs hourly -# DONE @hourly source ~/.bashrc; /usr/bin/docker exec -uwww-data nextcloud php -f /var/www/html/cron.php -# -# -# # Clear out Mastodon caches daily -# DONE @daily source ~/.bashrc; /usr/bin/docker exec mastodon-web tootctl preview_cards remove --days 1 -# DONE @daily source ~/.bashrc; /usr/bin/docker exec mastodon-web tootctl media remove --days 1 --prune-profiles -# DONE @daily source ~/.bashrc; /usr/bin/docker exec mastodon-web tootctl accounts prune -# DONE @daily source ~/.bashrc; /usr/bin/docker exec mastodon-web tootctl statuses remove --days 1 -# DONE @daily source ~/.bashrc; /usr/bin/docker exec mastodon-web tootctl media remove --remove-headers --include-follows --days 0 -# DONE @daily source ~/.bashrc; /usr/bin/docker exec mastodon-web tootctl preview_cards remove --days 1 -# DONE @daily source ~/.bashrc; /usr/bin/docker exec mastodon-web tootctl media remove-orphans -# -# DONE # Run the Pixelfed scheduler -# DONE * * * * * /usr/bin/docker exec pixelfed-app php artisan schedule:run -# -# DONE # Run the ClamAV scan -# DONE @monthly source ~/.bashrc; /Storage/Data/docker-compose/sysctl.io/scripts/clamscan-cron.sh -# -# DONE # Set a random PiHole password every minute -# 
DONE * * * * * /usr/bin/docker exec pihole sudo pihole -a -p $(openssl rand -hex 128) -# -# NOT NEEDED # back up crontab: -# NOT NEEDED # 0 0 * * * /usr/bin/crontab -l > /Storage/Data/Temporary/crontab -# -# # Back up and delete local copies of Loki logs monthly -# DONE @monthly source ~/.bashrc; /Storage/Data/docker-compose/sysctl.io/scripts/backup-logs.sh >> /Storage/Data/Temporary/log_backups.log -# -# DONE # Back up the docker containers weekly: -# DONE @weekly source ~/.bashrc; ssh nuc-docker01 "rm -rf /Storage/Backups/Docker/sysctl.io/*"; for i in $(docker ps --format '{{.Names}}'); do docker export $i | gzip -cf | ssh root@nuc-docker01 "cat > /Storage/Backups/Docker/sysctl.io/$i.tar.gz"; done -# -# # Set up DERP relay certs for headscale-derp: -# DONE @hourly cp /Storage/Data/Docker/letsencrypt/certs/certs/\*.sysctl.io.crt /Storage/Data/Docker/letsencrypt/certs/certs/derp.sysctl.io.crt -# DONE @hourly cp /Storage/Data/Docker/letsencrypt/certs/private/\*.sysctl.io.key /Storage/Data/Docker/letsencrypt/certs/private/derp.sysctl.io.key diff --git a/nixos/hosts/ovh-server/default.nix b/nixos/hosts/ovh-server/default.nix deleted file mode 100644 index 556898fd..00000000 --- a/nixos/hosts/ovh-server/default.nix +++ /dev/null 
@@ -1,63 +0,0 @@ -{ hostname, inputs, config, lib, pkgs, modulesPath, system, ... }: { - imports = [ - inputs.nixos-hardware.nixosModules.framework-13th-gen-intel - (modulesPath + "/installer/scan/not-detected.nix") - # ../../common/modules/secureboot.nix - ../../common/modules/boot.nix - ../../common/modules/udev-rules.nix - ../../common/modules/builder.nix - ../../common/services/fwupd.nix - # ../../common/modules/ssh-luks.nix - ../../common/services/docker.nix - ../../common/services/tailscale-autoconnect.nix - ./containers.nix - ./disks.nix - ./wireguard.nix - ./cron.nix - ./firewall.nix - ]; - - environment.systemPackages = [ - inputs.deploy-rs.packages.${system}.deploy-rs - pkgs.distrobox - ]; - - # backups-rpi4 cron job to back up sysctl.io's Docker files - # osaka-linode-01 cron job to copy certs for the DERP relay - # milan-linode-01 cron job to copy certs for the DERP relay - # frankfurt-linode-01 cron job to copy certs for the DERP relay - - # TODO: Update servers that point here - users.users.root.openssh.authorizedKeys.keys = [ - ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKp2wgqFcr0LGaUXbom88/zK2631pysePUWIaCMljT0K root@backups-rpi4'' - ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKkNFdEcYIrjss1Nz0tU/AX89hUMmxB/Vabvsa7A6E2K root@osaka-linode-01'' - ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIORCrD/ZWXbAfi5eIN8b9dwuvMuPPTgpMiIFh1WagXV2 root@milan-linode-01'' - ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBGXiWUR2T5HXQ4g/En+eJ9K6GSokl3tEK7RZcYb+0UA root@frankfurt-linode-01'' - ]; - services.openssh.settings.PermitRootLogin = lib.mkForce "prohibit-password"; - - boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "thunderbolt" "sd_mod" "uas" ]; - boot.initrd.kernelModules = [ "r8152" ]; - boot.kernelModules = [ "kvm-intel" ]; - boot.extraModulePackages = with config.boot.kernelPackages; [ acpi_call ]; - - networking.useDHCP = lib.mkDefault true; - powerManagement.cpuFreqGovernor = lib.mkDefault "performance"; - hardware.cpu.intel.updateMicrocode = lib.mkDefault 
config.hardware.enableRedistributableFirmware; - - # Set your time zone. - time.timeZone = "Europe/Warsaw"; - - # Set the networking hostname: - networking.hostName = hostname; - networking.firewall.allowedTCPPorts = [ 22 ]; - - services.tailscale.extraUpFlags = [ - "--advertise-exit-node" - "--advertise-routes=10.2.0.0/24" - ]; - - boot.kernel.sysctl = { - "net.ipv4.ip_forward" = true; - }; -} diff --git a/nixos/hosts/ovh-server/disks.nix b/nixos/hosts/ovh-server/disks.nix deleted file mode 100644 index 9397341c..00000000 --- a/nixos/hosts/ovh-server/disks.nix +++ /dev/null 
@@ -1,85 +0,0 @@ -{ - imports = [ ../../common/services/snapper.nix ]; - - # extra configs not present in the standard config above - services.snapper.configs.Storage = { - TIMELINE_CREATE = true; - TIMELINE_CLEANUP = true; - SUBVOLUME = "/Storage"; - }; - - services.btrfs.autoScrub.enable = true; - services.btrfs.autoScrub.interval = "weekly"; - - disko.devices.disk.nvme0 = { - type = "disk"; - device = "/dev/nvme0n1"; - content = { - type = "gpt"; - partitions = { - BOOT = { - priority = 1; - name = "BOOT"; - start = "0%"; - end = "550MiB"; - type = "EF00"; - content = { - type = "filesystem"; - format = "vfat"; - # https://github.com/nix-community/disko/issues/527 - mountOptions = [ "umask=0077" ]; - mountpoint = "/boot"; - }; - }; # partition 1 (ESP) - LUKS-ROOT = { - start = "550MiB"; - end = "100%"; - content = { - type = "luks"; - name = "ROOT"; - extraOpenArgs = [ "--allow-discards" ]; - content = { - type = "btrfs"; - extraArgs = [ "-f" ]; - subvolumes = { - "/root" = { - mountpoint = "/"; - mountOptions = [ "compress=zstd" "noatime" ]; - }; # root - "/home" = { - mountpoint = "/home"; - mountOptions = [ "compress=zstd" "noatime" ]; - }; # home - "/nix" = { - mountpoint = "/nix"; - mountOptions = [ "compress=zstd" "noatime" ]; - }; # nix - "/Storage" = { - mountpoint = "/Storage"; - mountOptions = [ "compress=zstd" "noatime" ]; - }; # Storage - # SNAPSHOT SUBVOLS - "/root/.snapshots" = { - mountpoint = "/.snapshots"; - mountOptions = [ "compress=zstd" "noatime" ]; - }; # root - "/home/.snapshots" = { - mountpoint = "/home/.snapshots"; - mountOptions = [ "compress=zstd" "noatime" ]; - }; # home - "/nix/.snapshots" = { - mountpoint = "/nix/.snapshots"; - mountOptions = [ "compress=zstd" "noatime" ]; - }; # nix - "/Storage/.snapshots" = { - mountpoint = "/Storage/.snapshots"; - mountOptions = [ "compress=zstd" "noatime" ]; - }; # Storage - }; # subvolumes - }; # content.content - }; # content - }; # partition 2 (/ BTRFS) - }; # partitions - }; # content - }; 
# disko.devices.disk.nvme0 -} # root diff --git a/nixos/hosts/ovh-server/firewall.nix b/nixos/hosts/ovh-server/firewall.nix deleted file mode 100644 index 4397eedc..00000000 --- a/nixos/hosts/ovh-server/firewall.nix +++ /dev/null @@ -1,30 +0,0 @@ -{ ... }: { - networking = { - firewall = { - enable = true; - allowedTCPPorts = [ - 53 # DNS - 80 # HTTP - 443 # HTTPS - 42420 # Vintage Story - 25565 # Minecraft - 1443 # Headscale DERP (tcp) - 25 # Mailserver - 143 # Mailserver - 465 # Mailserver - 587 # Mailserver - 993 # Mailserver - 4190 # Mailserver - 5696 # dsm-kmip server - 3389 # RDP - 4443 # Jitsi - ]; - allowedUDPPorts = [ - 53 # DNS (udp) - 10000 # Jitsi Meet (udp) - 15636 # Enshrouded - Game - 15637 # Enshrouded - Query Port - ]; - }; - }; -} diff --git a/nixos/hosts/ovh-server/wireguard.nix b/nixos/hosts/ovh-server/wireguard.nix deleted file mode 100644 index 5ec65c1b..00000000 --- a/nixos/hosts/ovh-server/wireguard.nix +++ /dev/null 
@@ -1,44 +0,0 @@ -{ ... }: { - - # Allow these hosts to directly communicate with their hostnames - networking.extraHosts = '' - 10.100.0.1 osaka-linode-01 - 10.100.0.2 framework-server - ''; - - networking.firewall.interfaces.wireguard0.allowedTCPPorts = [ 22 ]; - - # Set up the secrets file: - sops.secrets."wireguard_key" = { - owner = "root"; - sopsFile = ../../../secrets/hosts/framework-server.yaml; - }; - sops.secrets."preshared_key" = { - owner = "root"; - sopsFile = ../../../secrets/wireguard.yaml; - }; - - # Wireguard Forwarder - networking.wireguard = { - enable = true; - interfaces = { - "wireguard0" = { - ips = [ "10.100.0.2/24" ]; - listenPort = 51820; - privateKeyFile = "/run/secrets/wireguard_key"; - # Testing - peers = [ - { # osaka-linode-01 - publicKey = "yPZ3EmmIqCkReXf1DRTxzVaKQ2k+ifGmYJHji5nnMmE="; - presharedKeyFile = "/run/secrets/preshared_key"; - persistentKeepalive = 5; - allowedIPs = [ "10.100.0.1/32" ]; - # endpoint = "172.234.84.222:51820"; # osaka-linode-01 - # endpoint = "172.232.204.45:51820"; # milan-linode-01 - endpoint = "172.105.76.221:51820"; # frankfurt-linode-01 - } - ]; - }; - }; - }; -} diff --git a/secrets/hosts/frankfurt-linode-01.yaml b/secrets/hosts/frankfurt-linode-01.yaml index aa65cd63..08fb1273 100644 --- a/secrets/hosts/frankfurt-linode-01.yaml +++ b/secrets/hosts/frankfurt-linode-01.yaml 
@@ -1,13 +1,13 @@ tailscale_key: ENC[AES256_GCM,data:xiTPyDIBuGFHfmzNqEoxoxePieDdClz0t+afTTY+ztPgp6uusqhvoaXb0D6mLM/u,iv:E1xqhEGdZqQeWyE0m59sxcbumD/nMff4d63GEwCBnD4=,tag:BNgrpXWeGSopJc1fjNqCIQ==,type:str] -wireguard_key: ENC[AES256_GCM,data:3C6LylnHvFB2lnQsg90UCltwpGapW+wM6rtOa8eBYu6JagCVIHJxEmUWCUE=,iv:nCCtMlS743VGvcC5JJqSCKUDPFpAtzkBOS7EJIe5Jck=,tag:Jhum2ihd/clnd8xbOL4UJA==,type:str] +wireguard_key: ENC[AES256_GCM,data:YCDneZBDCh2/iCk+ldz3ZE9c9WhCdPw8jF9tiNf9Ez0gnl8RpP34sC+9bFQ=,iv:mm/SjoWS5AlynEQavBIchYBecOnX3U74RsmGQsqTy+4=,tag:djqxJgnq+KACUhfsqLyvpA==,type:str] sops: kms: [] gcp_kms: [] azure_kv: [] hc_vault: [] age: [] - lastmodified: "2024-07-07T02:19:56Z" - mac: ENC[AES256_GCM,data:rhAo5Dy5Qz4IaL90Djn0p1FzGqjOwNf98VPX8R4GOFbcQLY+xYub3PnQcnt8a40ioQQRw0cPOi24j2rlV0GPfjdGFVKI561XTxvSRSzWbXHGa3WtnZXj7LMqIhioiGo18U/yqaScylryHqbypHBWJrGk+N9AwuOUjhrFuarjT2I=,iv:iDYSUg0mLMGT9ZEuVr+fbRK1YP2ylXTMTCpckQWnUXk=,tag:KRO0S8HSHrjfnnqwlUlcRA==,type:str] + lastmodified: "2024-07-07T04:35:16Z" + mac: ENC[AES256_GCM,data:yW0psTzRiuXPciDpqapdzjJGSpWQCzocrS3cTb0fZvgounMmyHskDThdYdjW5FFsv9G5/JYD5OLnXjzQLcYepK2Ad+SLzQcg15LxM/p81aHjIbYh6xUK1rK4tnhS5A+DdlC94HiuNLSooE37VAXgPeVz4N5ETj09h590fL50HlA=,iv:5LjttLS96RS51D7uT3qVOz3/WzaPkDUVwZXsX90dYH0=,tag:6Y0W4L2Qe5lpwGelkd4Z6A==,type:str] pgp: - created_at: "2024-07-07T03:20:02Z" enc: |-