This commit is contained in:
albert 2024-07-07 15:19:50 +09:00
parent e020d19d35
commit bf97c833d8
Signed by: albert
GPG key ID: 3895DD267CA11BA9
12 changed files with 28 additions and 343 deletions


@ -5,6 +5,7 @@
10.100.0.1 osaka-linode-01
10.100.0.2 framework-server-wg
10.100.0.3 backups-rpi4
10.100.0.4 frankfurt-linode-01
'';
networking.firewall.interfaces.wireguard0.allowedTCPPorts = [ 22 ];
@ -35,10 +36,16 @@
presharedKeyFile = "/run/secrets/preshared_key";
persistentKeepalive = 5;
allowedIPs = [ "10.100.0.1/32" ];
# endpoint = "172.234.84.222:51820"; # osaka-linode-01
# endpoint = "172.232.204.45:51820"; # milan-linode-01
endpoint = "172.105.76.221:51820"; # frankfurt-linode-01
}
{ # frankfurt-linode-01
publicKey = "yPZ3EmmIqCkReXf1DRTxzVaKQ2k+ifGmYJHji5nnMmE=";
presharedKeyFile = "/run/secrets/preshared_key";
persistentKeepalive = 5;
allowedIPs = [ "10.100.0.4/32" ];
endpoint = "172.105.76.221:51820"; # frankfurt-linode-01
}
];
};
};
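Review bot: The frankfurt-linode-01 peer block added at the end of the peers list uses `publicKey = "yPZ3EmmIqCkReXf1DRTxzVaKQ2k+ifGmYJHji5nnMmE=";`, but the same peer in the other client wireguard.nix changed by this commit is given `publicKey = "9FCIy07RvR2dz8bbPUB9h2jdhFQHfDh0VdLf06n46QQ=";`; a WireGuard peer has exactly one static public key, so one of the two clients will not complete a handshake with frankfurt-linode-01 and its tunnel stays down without any configuration error. The `yPZ3…` value is the key the removed framework-server wireguard.nix used for its osaka-linode-01 peer, so this looks like a copy from the osaka entry rather than frankfurt's own key — verify it against the public key reported on frankfurt-linode-01 itself before deploying. The preceding osaka-linode-01 peer (allowedIPs 10.100.0.1/32) also keeps `endpoint = "172.105.76.221:51820"; # frankfurt-linode-01`, the same endpoint as the new frankfurt peer, so the 10.100.0.1 route stays pointed at frankfurt even though osaka's own wireguard.nix is re-enabled elsewhere in this commit; the other client uses `endpoint = "172.234.84.222:51820"; # osaka-linode-01` for that peer. The peers list and the osaka peer's publicKey line begin before this hunk.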


@ -33,8 +33,13 @@
presharedKeyFile = "/run/secrets/preshared_key";
persistentKeepalive = 5;
allowedIPs = [ "10.100.0.1/32" ];
# endpoint = "172.234.84.222:51820"; # osaka-linode-01
# endpoint = "172.232.204.45:51820"; # milan-linode-01
endpoint = "172.234.84.222:51820"; # osaka-linode-01
}
{ # frankfurt-linode-01
publicKey = "9FCIy07RvR2dz8bbPUB9h2jdhFQHfDh0VdLf06n46QQ=";
presharedKeyFile = "/run/secrets/preshared_key";
persistentKeepalive = 5;
allowedIPs = [ "10.100.0.4/32" ];
endpoint = "172.105.76.221:51820"; # frankfurt-linode-01
}
];
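Review bot: The two commented-out `# endpoint = …` lines kept above the active osaka endpoint are stale alternatives — no host definition for milan-linode-01 is visible in this commit, and osaka-linode-01 now has a live entry of its own — and leaving historical addresses as dead config beside a value that must be exact is how copy-and-paste mistakes in peer definitions creep in. Dropping them, or collapsing them into a single `# endpoint history: osaka -> milan -> frankfurt` comment, keeps each peer block to one key and one endpoint. The peers list begins before this hunk, so the osaka peer's publicKey line is not visible here.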


@ -2,9 +2,10 @@
# Allow these hosts to directly communicate with their hostnames
networking.extraHosts = ''
10.100.0.1 ${hostname}
10.100.0.3 backups-rpi4
10.100.0.1 osaka-linode-01
10.100.0.2 headscale.sysctl.io
10.100.0.3 backups-rpi4
10.100.0.4 frankfurt-linode-01
'';
networking.firewall.allowedUDPPorts = [ 51820 ];
@ -32,8 +33,8 @@
interfaces = {
"wireguard0" = {
ips = [
"10.100.0.1/24"
"10.100.1.1/24"
"10.100.0.4/24"
"10.100.1.4/24"
];
listenPort = 51820;
privateKeyFile = "/run/secrets/wireguard_key";
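Review bot: The extraHosts block added in the first hunk hardcodes `10.100.0.2 headscale.sysctl.io`, while the client config changed earlier in this commit names the same address `framework-server-wg`, and the identical hub list is pasted again into the other hub's wireguard.nix in the next section — three hand-maintained copies of the 10.100.0.x mapping that have already drifted. Lifting the mapping into one shared module imported by hubs and clients keeps names and addresses consistent and makes a renumbering like the one in the second hunk (this host moving from .1/.1 to .4/.4) a one-place change. Pinning the public name headscale.sysctl.io to a tunnel address also means anything on this host reaches headscale only through the tunnel to 10.100.0.2 — presumably intended, but it deserves a comment on that line such as `# headscale is reached over the tunnel via framework-server-wg; unreachable when that peer is down`. The interface definition continues past the end of the second hunk.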


@ -5,7 +5,7 @@
../../common/services/podman.nix
./containers/derp.nix
./firewall.nix
# ./wireguard.nix
./wireguard.nix
];
boot.initrd.availableKernelModules = [ "virtio_pci" "virtio_scsi" "ahci" "sd_mod" ];
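Review bot: Re-enabling `./wireguard.nix` here goes together with the rotated `wireguard_key` in the sops hunk at the end of this commit; if that secret is this host's private key, every peer entry that lists this host (the osaka-linode-01 peer blocks in the two client wireguard.nix files) must carry the matching new public key, and none of those `publicKey` lines fall inside the visible hunks, so the diff does not confirm they were updated. The wireguard.nix hunks elsewhere in this commit show `networking.firewall.allowedUDPPorts = [ 51820 ];` and the 10.100.0.x host mapping, which is the expected exposure for a hub but is worth stating on the import line, e.g. `./wireguard.nix # hub: listens on UDP 51820 on all interfaces`. The imports list begins before this hunk.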


@ -2,9 +2,10 @@
# Allow these hosts to directly communicate with their hostnames
networking.extraHosts = ''
10.100.0.1 ${hostname}
10.100.0.3 backups-rpi4
10.100.0.1 osaka-linode-01
10.100.0.2 headscale.sysctl.io
10.100.0.3 backups-rpi4
10.100.0.4 frankfurt-linode-01
'';
networking.firewall.allowedUDPPorts = [ 51820 ];


@ -1,30 +0,0 @@
{ lib, self, inputs, outputs, stateVersion, hmStateVersion, ... }:
let
libx = import ../../../lib { inherit lib self inputs outputs stateVersion hmStateVersion; };
in {
containers = {
rdesktop = libx.mkContainer { hostname = "rdesktop"; ip = "2"; desktop = "plasma6"; unfree = true; };
};
# Networking config
networking.bridges.nix-br0.interfaces = [];
# Add an IP address to the bridge interface.
networking.localCommands = ''ip address add 192.168.2.1/24 dev nix-br0'';
# Firewall commands allowing traffic to go in and out of the bridge interface
# (and to the guest LXD instance). Also sets up the actual NAT masquerade rule.
networking.firewall.extraCommands = ''
iptables -A INPUT -i nix-br0 -j ACCEPT
# These three technically aren't needed, since by default the FORWARD and
# OUTPUT firewalls accept everything everything, but lets keep them in just
# in case.
iptables -A FORWARD -o nix-br0 -j ACCEPT
iptables -A FORWARD -i nix-br0 -j ACCEPT
iptables -A OUTPUT -o nix-br0 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 ! -d 192.168.2.0/24 -j MASQUERADE
'';
}


@ -1,77 +0,0 @@
{ pkgs, ... }: {
services.cron = {
enable = true;
systemCronJobs = [
# Backups to nuc-docker01
''0 0 * * * root rsync --delete -avr /Storage/Data/Docker/sysctl.io/ root@nuc-docker01:/Storage/Data/Docker/sysctl.io/''
''0 3 * * * root rsync -avr /Storage/Data/Docker/sysctl.io/nextcloud/html/data/albert/files/InstantUpload/ root@nuc-docker01:/Storage/Media/Pictures/InstantUpload/''
''0 5 * * * root rsync -avr /Storage/Data/Docker/sysctl.io/nextcloud/html/data/albert/files/Wallpapers/ root@nuc-docker01:/Storage/Media/Pictures/Wallpapers''
# Back up the docker containers monthly:
''@monthly root ssh nuc-docker01 "rm -rf /Storage/Backups/Docker/sysctl.io/*"; for i in $(docker ps --format '{{.Names}}'); do docker export $i | gzip -cf | ssh root@nuc-docker01 "cat > /Storage/Backups/Docker/sysctl.io/$i.tar.gz"; done''
# Set a random Pi-Hole password
''* * * * * root docker exec pihole sudo pihole -a -p $(openssl rand -hex 128)''
# Run the ClamAV scan
''@monthly root /Storage/Data/docker-compose/sysctl.io/scripts/clamscan-cron.sh''
# Archive Loki logs monthly
''@monthly root /Storage/Data/docker-compose/sysctl.io/scripts/backup-logs.sh >> /Storage/Data/Temporary/log_backups.log''
# Run the Nextcloud cronjobs hourly
''@hourly root docker exec -uwww-data nextcloud php -f /var/www/html/cron.php''
# Run the Pixelfed scheduler
''* * * * * root docker exec pixelfed-app php artisan schedule:run''
# Update / CLean Mastodon caches
''@daily root docker exec mastodon-web tootctl preview_cards remove --days 7''
''@daily root docker exec mastodon-web tootctl media remove --days 7 --prune-profiles''
''@daily root docker exec mastodon-web tootctl accounts prune''
''@daily root docker exec mastodon-web tootctl statuses remove --days 7''
''@daily root docker exec mastodon-web tootctl media remove --remove-headers --include-follows --days 7''
''@daily root docker exec mastodon-web tootctl preview_cards remove --days 7''
''@daily root docker exec mastodon-web tootctl media remove-orphans''
];
};
}
# Old crontab:
# # At reboot, apply the ip_tables modprobe so Wireguard works
# @reboot /usr/sbin/modprobe ip_tables
#
# # At reboot, restart Docker. Otherwise, iptables / the firewall freaks out
# @reboot /usr/bin/systemctl stop docker; /usr/bin/systemctl start docker
#
# # Every day, get storage space for monitoring
# @daily source ~/.bashrc; for i in `ls /Storage/Data/Docker`; do echo echo "$(date): $(du -s /Storage/Data/Docker/$i)" | sed -e 's/\/Storage\/Data\/Docker\/\$i//' >> /root/sizes/$i.log; done
#
# # Clean up NextCloud files weekly to save space
# @weekly source ~/.bashrc; /usr/bin/docker exec -uwww-data nextcloud php occ versions:cleanup
# DONE # Run the Nextcloud cronjobs hourly
# DONE @hourly source ~/.bashrc; /usr/bin/docker exec -uwww-data nextcloud php -f /var/www/html/cron.php
#
#
# # Clear out Mastodon caches daily
# DONE @daily source ~/.bashrc; /usr/bin/docker exec mastodon-web tootctl preview_cards remove --days 1
# DONE @daily source ~/.bashrc; /usr/bin/docker exec mastodon-web tootctl media remove --days 1 --prune-profiles
# DONE @daily source ~/.bashrc; /usr/bin/docker exec mastodon-web tootctl accounts prune
# DONE @daily source ~/.bashrc; /usr/bin/docker exec mastodon-web tootctl statuses remove --days 1
# DONE @daily source ~/.bashrc; /usr/bin/docker exec mastodon-web tootctl media remove --remove-headers --include-follows --days 0
# DONE @daily source ~/.bashrc; /usr/bin/docker exec mastodon-web tootctl preview_cards remove --days 1
# DONE @daily source ~/.bashrc; /usr/bin/docker exec mastodon-web tootctl media remove-orphans
#
# DONE # Run the Pixelfed scheduler
# DONE * * * * * /usr/bin/docker exec pixelfed-app php artisan schedule:run
#
# DONE # Run the ClamAV scan
# DONE @monthly source ~/.bashrc; /Storage/Data/docker-compose/sysctl.io/scripts/clamscan-cron.sh
#
# DONE # Set a random PiHole password every minute
# DONE * * * * * /usr/bin/docker exec pihole sudo pihole -a -p $(openssl rand -hex 128)
#
# NOT NEEDED # back up crontab:
# NOT NEEDED # 0 0 * * * /usr/bin/crontab -l > /Storage/Data/Temporary/crontab
#
# # Back up and delete local copies of Loki logs monthly
# DONE @monthly source ~/.bashrc; /Storage/Data/docker-compose/sysctl.io/scripts/backup-logs.sh >> /Storage/Data/Temporary/log_backups.log
#
# DONE # Back up the docker containers weekly:
# DONE @weekly source ~/.bashrc; ssh nuc-docker01 "rm -rf /Storage/Backups/Docker/sysctl.io/*"; for i in $(docker ps --format '{{.Names}}'); do docker export $i | gzip -cf | ssh root@nuc-docker01 "cat > /Storage/Backups/Docker/sysctl.io/$i.tar.gz"; done
#
# # Set up DERP relay certs for headscale-derp:
# DONE @hourly cp /Storage/Data/Docker/letsencrypt/certs/certs/\*.sysctl.io.crt /Storage/Data/Docker/letsencrypt/certs/certs/derp.sysctl.io.crt
# DONE @hourly cp /Storage/Data/Docker/letsencrypt/certs/private/\*.sysctl.io.key /Storage/Data/Docker/letsencrypt/certs/private/derp.sysctl.io.key


@ -1,63 +0,0 @@
{ hostname, inputs, config, lib, pkgs, modulesPath, system, ... }: {
imports = [
inputs.nixos-hardware.nixosModules.framework-13th-gen-intel
(modulesPath + "/installer/scan/not-detected.nix")
# ../../common/modules/secureboot.nix
../../common/modules/boot.nix
../../common/modules/udev-rules.nix
../../common/modules/builder.nix
../../common/services/fwupd.nix
# ../../common/modules/ssh-luks.nix
../../common/services/docker.nix
../../common/services/tailscale-autoconnect.nix
./containers.nix
./disks.nix
./wireguard.nix
./cron.nix
./firewall.nix
];
environment.systemPackages = [
inputs.deploy-rs.packages.${system}.deploy-rs
pkgs.distrobox
];
# backups-rpi4 cron job to back up sysctl.io's Docker files
# osaka-linode-01 cron job to copy certs for the DERP relay
# milan-linode-01 cron job to copy certs for the DERP relay
# frankfurt-linode-01 cron job to copy certs for the DERP relay
# TODO: Update servers that point here
users.users.root.openssh.authorizedKeys.keys = [
''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKp2wgqFcr0LGaUXbom88/zK2631pysePUWIaCMljT0K root@backups-rpi4''
''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKkNFdEcYIrjss1Nz0tU/AX89hUMmxB/Vabvsa7A6E2K root@osaka-linode-01''
''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIORCrD/ZWXbAfi5eIN8b9dwuvMuPPTgpMiIFh1WagXV2 root@milan-linode-01''
''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBGXiWUR2T5HXQ4g/En+eJ9K6GSokl3tEK7RZcYb+0UA root@frankfurt-linode-01''
];
services.openssh.settings.PermitRootLogin = lib.mkForce "prohibit-password";
boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "thunderbolt" "sd_mod" "uas" ];
boot.initrd.kernelModules = [ "r8152" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = with config.boot.kernelPackages; [ acpi_call ];
networking.useDHCP = lib.mkDefault true;
powerManagement.cpuFreqGovernor = lib.mkDefault "performance";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
# Set your time zone.
time.timeZone = "Europe/Warsaw";
# Set the networking hostname:
networking.hostName = hostname;
networking.firewall.allowedTCPPorts = [ 22 ];
services.tailscale.extraUpFlags = [
"--advertise-exit-node"
"--advertise-routes=10.2.0.0/24"
];
boot.kernel.sysctl = {
"net.ipv4.ip_forward" = true;
};
}


@ -1,85 +0,0 @@
{
imports = [ ../../common/services/snapper.nix ];
# extra configs not present in the standard config above
services.snapper.configs.Storage = {
TIMELINE_CREATE = true;
TIMELINE_CLEANUP = true;
SUBVOLUME = "/Storage";
};
services.btrfs.autoScrub.enable = true;
services.btrfs.autoScrub.interval = "weekly";
disko.devices.disk.nvme0 = {
type = "disk";
device = "/dev/nvme0n1";
content = {
type = "gpt";
partitions = {
BOOT = {
priority = 1;
name = "BOOT";
start = "0%";
end = "550MiB";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
# https://github.com/nix-community/disko/issues/527
mountOptions = [ "umask=0077" ];
mountpoint = "/boot";
};
}; # partition 1 (ESP)
LUKS-ROOT = {
start = "550MiB";
end = "100%";
content = {
type = "luks";
name = "ROOT";
extraOpenArgs = [ "--allow-discards" ];
content = {
type = "btrfs";
extraArgs = [ "-f" ];
subvolumes = {
"/root" = {
mountpoint = "/";
mountOptions = [ "compress=zstd" "noatime" ];
}; # root
"/home" = {
mountpoint = "/home";
mountOptions = [ "compress=zstd" "noatime" ];
}; # home
"/nix" = {
mountpoint = "/nix";
mountOptions = [ "compress=zstd" "noatime" ];
}; # nix
"/Storage" = {
mountpoint = "/Storage";
mountOptions = [ "compress=zstd" "noatime" ];
}; # Storage
# SNAPSHOT SUBVOLS
"/root/.snapshots" = {
mountpoint = "/.snapshots";
mountOptions = [ "compress=zstd" "noatime" ];
}; # root
"/home/.snapshots" = {
mountpoint = "/home/.snapshots";
mountOptions = [ "compress=zstd" "noatime" ];
}; # home
"/nix/.snapshots" = {
mountpoint = "/nix/.snapshots";
mountOptions = [ "compress=zstd" "noatime" ];
}; # nix
"/Storage/.snapshots" = {
mountpoint = "/Storage/.snapshots";
mountOptions = [ "compress=zstd" "noatime" ];
}; # Storage
}; # subvolumes
}; # content.content
}; # content
}; # partition 2 (/ BTRFS)
}; # partitions
}; # content
}; # disko.devices.disk.nvme0
} # root


@ -1,30 +0,0 @@
{ ... }: {
networking = {
firewall = {
enable = true;
allowedTCPPorts = [
53 # DNS
80 # HTTP
443 # HTTPS
42420 # Vintage Story
25565 # Minecraft
1443 # Headscale DERP (tcp)
25 # Mailserver
143 # Mailserver
465 # Mailserver
587 # Mailserver
993 # Mailserver
4190 # Mailserver
5696 # dsm-kmip server
3389 # RDP
4443 # Jitsi
];
allowedUDPPorts = [
53 # DNS (udp)
10000 # Jitsi Meet (udp)
15636 # Enshrouded - Game
15637 # Enshrouded - Query Port
];
};
};
}


@ -1,44 +0,0 @@
{ ... }: {
# Allow these hosts to directly communicate with their hostnames
networking.extraHosts = ''
10.100.0.1 osaka-linode-01
10.100.0.2 framework-server
'';
networking.firewall.interfaces.wireguard0.allowedTCPPorts = [ 22 ];
# Set up the secrets file:
sops.secrets."wireguard_key" = {
owner = "root";
sopsFile = ../../../secrets/hosts/framework-server.yaml;
};
sops.secrets."preshared_key" = {
owner = "root";
sopsFile = ../../../secrets/wireguard.yaml;
};
# Wireguard Forwarder
networking.wireguard = {
enable = true;
interfaces = {
"wireguard0" = {
ips = [ "10.100.0.2/24" ];
listenPort = 51820;
privateKeyFile = "/run/secrets/wireguard_key";
# Testing
peers = [
{ # osaka-linode-01
publicKey = "yPZ3EmmIqCkReXf1DRTxzVaKQ2k+ifGmYJHji5nnMmE=";
presharedKeyFile = "/run/secrets/preshared_key";
persistentKeepalive = 5;
allowedIPs = [ "10.100.0.1/32" ];
# endpoint = "172.234.84.222:51820"; # osaka-linode-01
# endpoint = "172.232.204.45:51820"; # milan-linode-01
endpoint = "172.105.76.221:51820"; # frankfurt-linode-01
}
];
};
};
};
}


@ -1,13 +1,13 @@
tailscale_key: ENC[AES256_GCM,data:xiTPyDIBuGFHfmzNqEoxoxePieDdClz0t+afTTY+ztPgp6uusqhvoaXb0D6mLM/u,iv:E1xqhEGdZqQeWyE0m59sxcbumD/nMff4d63GEwCBnD4=,tag:BNgrpXWeGSopJc1fjNqCIQ==,type:str]
wireguard_key: ENC[AES256_GCM,data:3C6LylnHvFB2lnQsg90UCltwpGapW+wM6rtOa8eBYu6JagCVIHJxEmUWCUE=,iv:nCCtMlS743VGvcC5JJqSCKUDPFpAtzkBOS7EJIe5Jck=,tag:Jhum2ihd/clnd8xbOL4UJA==,type:str]
wireguard_key: ENC[AES256_GCM,data:YCDneZBDCh2/iCk+ldz3ZE9c9WhCdPw8jF9tiNf9Ez0gnl8RpP34sC+9bFQ=,iv:mm/SjoWS5AlynEQavBIchYBecOnX3U74RsmGQsqTy+4=,tag:djqxJgnq+KACUhfsqLyvpA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: []
lastmodified: "2024-07-07T02:19:56Z"
mac: ENC[AES256_GCM,data:rhAo5Dy5Qz4IaL90Djn0p1FzGqjOwNf98VPX8R4GOFbcQLY+xYub3PnQcnt8a40ioQQRw0cPOi24j2rlV0GPfjdGFVKI561XTxvSRSzWbXHGa3WtnZXj7LMqIhioiGo18U/yqaScylryHqbypHBWJrGk+N9AwuOUjhrFuarjT2I=,iv:iDYSUg0mLMGT9ZEuVr+fbRK1YP2ylXTMTCpckQWnUXk=,tag:KRO0S8HSHrjfnnqwlUlcRA==,type:str]
lastmodified: "2024-07-07T04:35:16Z"
mac: ENC[AES256_GCM,data:yW0psTzRiuXPciDpqapdzjJGSpWQCzocrS3cTb0fZvgounMmyHskDThdYdjW5FFsv9G5/JYD5OLnXjzQLcYepK2Ad+SLzQcg15LxM/p81aHjIbYh6xUK1rK4tnhS5A+DdlC94HiuNLSooE37VAXgPeVz4N5ETj09h590fL50HlA=,iv:5LjttLS96RS51D7uT3qVOz3/WzaPkDUVwZXsX90dYH0=,tag:6Y0W4L2Qe5lpwGelkd4Z6A==,type:str]
pgp:
- created_at: "2024-07-07T03:20:02Z"
enc: |-