Update

2023-12-01 21:25:48 +09:00 · 2023-12-01 21:25:48 +09:00 · f577077dce
commit f577077dce
parent 184d65682d
4 changed files with 42 additions and 72 deletions
--- a/nixos/hosts/framework-server/default.nix
+++ b/nixos/hosts/framework-server/default.nix
@ -9,8 +9,14 @@
    ./builder.nix
    ./ssh-luks.nix
    ./docker.nix
+    ./wireguard.nix
  ];

+  # open ports for traefik
+  networking.firewall.interfaces.wireguard0.allowedTCPPorts =    [ 80 443 ];
+  networking.firewall.interfaces.enp0s13f0u2c2.allowedTCPPorts = [ 80 443 ];
+
+
  # steam , etc
  nixpkgs.config.allowUnfree = false;

@ -41,6 +47,6 @@
      "tailscaled-autoconnect.service"
    ];
  };
-  
+
  services.tailscale.authKeyFile = "/run/secrets/tailscale_keys/framework-server";
 }
--- a/nixos/hosts/framework-server/wireguard.nix
+++ b/nixos/hosts/framework-server/wireguard.nix
@ -0,0 +1,35 @@
+{ pkgs, config, lib, ... }: {
+
+  # Set up the secrets file:
+  sops.secrets."wireguard_keys/framework-server" = {
+    owner = "root";
+    sopsFile = ../../../secrets/wireguard.yaml;
+  };
+  sops.secrets."wireguard_keys/preshared_key" = {
+    owner = "root";
+    sopsFile = ../../../secrets/wireguard.yaml;
+  };
+
+  # Wireguard Forwarder
+  networking.firewall.allowPing = true;
+  networking.wireguard = {
+    enable = true;
+    interfaces = {
+      "wireguard0" = {
+        ips = [ "10.100.0.2/24" ];
+        listenPort = 51820;
+        privateKeyFile = "/run/secrets/wireguard_keys/framework-server";
+        # Testing
+        peers = [
+          { # osaka-vultr-01
+            publicKey = "yPZ3EmmIqCkReXf1DRTxzVaKQ2k+ifGmYJHji5nnMmE=";
+            presharedKeyFile = "/run/secrets/wireguard_keys/preshared_key";
+            persistentKeepalive = 5;
+            allowedIPs = [ "10.100.0.1/32" ];
+            endpoint = "64.176.54.57:51820";
+          }
+        ];
+      };
+    };
+  };
+}
--- a/nixos/hosts/nixos-rpi4-03/default.nix
+++ b/nixos/hosts/nixos-rpi4-03/default.nix
@ -4,15 +4,10 @@
 { config, lib, pkgs, modulesPath, ... }: {
  imports = [ 
    (modulesPath + "/installer/scan/not-detected.nix")
-    ./temp.nix
  ];
  # Enable distributed Builds
  nix.distributedBuilds = true;

-  # Enablet docker and docker-compose
-  environment.systemPackages = [ pkgs.docker-compose ];
-  virtualisation.docker.enable = true;
-
  #####################################################################################
  # BEGIN hardware config
  #####################################################################################
@ -54,41 +49,4 @@
  services.tailscale.authKeyFile = "/run/secrets/tailscale_keys/nixos-rpi4-03";
  services.tailscale.extraUpFlags = [ "--advertise-exit-node" ];
  boot.kernel.sysctl = { "net.ipv4.ip_forward" = true; };
-  
-  # Temporary
-  # networking.firewall.allowedTCPPorts = [ 22 ];
-  # networking.firewall.allowedUDPPorts = [ 51820 ];
-
-  # Set up the secrets file:
-  sops.secrets."wireguard_keys/nixos-rpi4-03" = {
-    owner = "root";
-    sopsFile = ../../../secrets/wireguard.yaml;
-  };
-  sops.secrets."wireguard_keys/preshared_key" = {
-    owner = "root";
-    sopsFile = ../../../secrets/wireguard.yaml;
-  };
-
-  # Wireguard Forwarder
-  networking.firewall.allowPing = true;
-  networking.wireguard = {
-    enable = true;
-    interfaces = {
-      "wireguard0" = {
-        ips = [ "10.100.0.2/24" ];
-        listenPort = 51820;
-        privateKeyFile = "/run/secrets/wireguard_keys/nixos-rpi4-03";
-        # Testing
-        peers = [
-          { # osaka-vultr-01
-            publicKey = "yPZ3EmmIqCkReXf1DRTxzVaKQ2k+ifGmYJHji5nnMmE=";
-            presharedKeyFile = "/run/secrets/wireguard_keys/preshared_key";
-            persistentKeepalive = 5;
-            allowedIPs = [ "10.100.0.1/32" ];
-            endpoint = "64.176.54.57:51820";
-          }
-        ];
-      };
-    };
-  };
 }
--- a/nixos/hosts/nixos-rpi4-03/temp.nix
+++ b/nixos/hosts/nixos-rpi4-03/temp.nix
@ -1,29 +0,0 @@
-{pkgs, lib, config, ...}: {
-    networking.firewall.interfaces.wireguard0.allowedTCPPorts = [ 80 443 ];
-
-    # Generate a test cert
-    # sudo openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 \
-    #   -nodes -keyout test-ssl.key -out test-ssl.crt -subj "/CN=test-ssl" \
-    #   -addext "subjectAltName=DNS:test-ssl,DNS:*.test-ssl,IP:10.100.0.2"
-
-    services.nginx = {
-        enable = true;
-        httpConfig = ''
-            index index.html;
-            server {
-                listen 80 default_server;
-                server_name _;
-                server_name_in_redirect off;
-                root  /var/www/test;
-            }
-            server {
-                listen 443 ssl;
-                server_name _;
-                server_name_in_redirect off;
-                root /var/www/test-ssl;
-                ssl_certificate     /etc/ssl/nginx/test-ssl.crt;
-                ssl_certificate_key /etc/ssl/nginx/test-ssl.key;
-            }
-        '';
-    };
-}