From 97dbb873731c13fe4a64384312a45619bce631fa Mon Sep 17 00:00:00 2001 From: Victor Date: Fri, 6 May 2022 17:41:05 +0200 Subject: [PATCH] added wireguard --- flake.lock | 24 ++++----- flake.nix | 5 +- hosts.nix | 10 ++++ nixos/hosts/headscale/configuration.nix | 72 +++++++++++++++++++++++++ nixos/hosts/minecraft/configuration.nix | 5 +- nixos/hosts/minio/configuration.nix | 9 +++- nixos/hosts/mosquitto/configuration.nix | 7 ++- nixos/hosts/nginx/configuration.nix | 46 +++++++++++++++- nixos/hosts/plausible/configuration.nix | 5 +- nixos/hosts/wireguard/configuration.nix | 50 +++++++++++++++++ 10 files changed, 204 insertions(+), 29 deletions(-) create mode 100644 nixos/hosts/headscale/configuration.nix create mode 100644 nixos/hosts/wireguard/configuration.nix diff --git a/flake.lock b/flake.lock index e00e185..cd70f4b 100644 --- a/flake.lock +++ b/flake.lock @@ -163,11 +163,11 @@ "utils": "utils_2" }, "locked": { - "lastModified": 1651222568, - "narHash": "sha256-7qdugZJHKcGIv+KPPTpY7wZhw3pNJ3zR4lVOuf0LduI=", + "lastModified": 1651799536, + "narHash": "sha256-+y4oD+E3PseG5jRhlfpBCSLOs1TKKtCWL/AsFCPXQYU=", "owner": "jyooru", "repo": "nix-minecraft-servers", - "rev": "62fe6124dc65a84144f83cdbdbc2aa4c0a8cc29f", + "rev": "1d9335ce68b66262a25037c81e81f49363e5cb04", "type": "github" }, "original": { @@ -246,16 +246,16 @@ }, "nixpkgs_3": { "locked": { - "lastModified": 1651233872, - "narHash": "sha256-87MbbcxR/lvRVFp+peNqWBcrbrGFmRlbnzskeZkvuNY=", - "owner": "NULLx76", + "lastModified": 1651827164, + "narHash": "sha256-w1niZCq4rhXX+23xLvrA5KR9OqT/72e5Mx/pfz/bZYU=", + "owner": "nixos", "repo": "nixpkgs", - "rev": "85f977180abcb7a89bc9cc7c8f325026f3fb4b9e", + "rev": "98000933d72a97632caf0db0027ea3eb2e5e7f29", "type": "github" }, "original": { - "owner": "NULLx76", - "ref": "papermc-update-1.18.2-313", + "owner": "nixos", + "ref": "nixos-unstable-small", "repo": "nixpkgs", "type": "github" } 
@@ -336,11 +336,11 @@ "nixpkgs": "nixpkgs_5" }, "locked": { - "lastModified": 1650983357, - "narHash": "sha256-gejH/rmDTcTvQeWrYzamFLvi0tXd2nDDBCA7/bHIhxE=", + "lastModified": 1651674183, + "narHash": "sha256-voNo/SzDmjXdk77gq2PRe7E+yJlw/zNuyHij8lNiZDE=", "owner": "serokell", "repo": "serokell.nix", - "rev": "621f2698ec1c870c65a408a9470caa73adc3ca87", + "rev": "826a2c4c8987766640885f4dc8af344e90abb149", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 72a0c1f..e0a378d 100644 --- a/flake.nix +++ b/flake.nix @@ -7,7 +7,7 @@ inputs = { deploy-rs.url = "github:serokell/deploy-rs"; - nixpkgs.url = "github:NULLx76/nixpkgs/papermc-update-1.18.2-313"; + nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable-small"; serokell-nix.url = "github:serokell/serokell.nix"; vault-secrets.url = "github:serokell/vault-secrets"; minecraft-servers.url = "github:jyooru/nix-minecraft-servers"; @@ -28,9 +28,6 @@ modules = [ ./nixos/common "${./.}/nixos/hosts/${profile}/configuration.nix" - ({ pkgs, ... }: { - nixpkgs.overlays = [ ]; - }) ] ++ (if lxc then [ "${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix" ./nixos/common/generic-lxc.nix diff --git a/hosts.nix b/hosts.nix index 9fd728d..ac78c54 100644 --- a/hosts.nix +++ b/hosts.nix @@ -108,12 +108,22 @@ ip = "10.42.42.22"; mac = "DE:5F:B0:83:6F:34"; } + { + hostname = "headscale"; + ip = "10.42.42.23"; + mac = "76:31:39:8B:2D:43"; + } { hostname = "zmeura"; ip = "10.42.42.24"; mac = "b8:27:eb:d5:e0:f5"; nix = false; } + { + hostname = "wireguard"; + ip = "10.42.42.25"; + mac = "1E:ED:97:2C:C3:9D"; + } { hostname = "nuc"; ip = "10.42.42.42"; diff --git a/nixos/hosts/headscale/configuration.nix b/nixos/hosts/headscale/configuration.nix new file mode 100644 index 0000000..db44609 --- /dev/null +++ b/nixos/hosts/headscale/configuration.nix 
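Review bot: The new `nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable-small";` in the flake.nix hunk moves every host onto a channel that advances after a reduced test set, so a future `nix flake update` can pull in builds that `nixos-unstable` would still be holding back. The lock file still pins an exact rev, so deployments stay reproducible; the point is about what the next update brings in. If the faster cadence is the goal, a one-line comment next to the input saying so would stop the next reader from "fixing" it back to `nixos-unstable`.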
@@ -0,0 +1,72 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ lib, config, pkgs, inputs, ... }:
+{
+ imports = [ ];
+
+ networking.hostName = "headscale";
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "21.11"; # Did you read the comment?
+
+ # Additional packages
+ environment.systemPackages = with pkgs; [ ];
+
+ environment.noXlibs = lib.mkForce false;
+
+ networking.firewall.allowedTCPPorts = [ config.services.headscale.port 50443 ];
+
+ services.postgresql =
+ let
+ db_name = config.services.headscale.database.name;
+ db_user = config.services.headscale.database.user;
+ in
+ {
+ enable = false;
+ package = pkgs.postgresql_13;
+ ensureDatabases = [ db_name ];
+ authentication = "host ${db_name} ${db_user} 127.0.0.1/32 trust";
+ ensureUsers = [
+ {
+ name = db_user;
+ ensurePermissions = { "DATABASE ${db_name}" = "ALL PRIVILEGES"; };
+ }
+ ];
+ };
+
+ services.headscale = {
+ enable = false;
+ address = "0.0.0.0";
+ serverUrl = "https://vpn.0x76.dev";
+ logLevel = "debug";
+
+ settings = {
+ grpc_listen_addr = "0.0.0.0:50443";
+ grpc_allow_insecure = true;
+
+ ip_prefixes = [
+ "fd7a:115c:a1e0::/48"
+ "100.64.0.0/10"
+ ];
+ };
+
+ database = {
+ type = "postgres";
+ port = config.services.postgresql.port;
+ name = "headscale";
+ user = "headscale";
+ host = "127.0.0.1";
+ };
+ };
+
+ systemd.services.headscale.environment = {
+ GIN_MODE = "release";
+ };
+}
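Review bot: `grpc_listen_addr = "0.0.0.0:50443"` together with `grpc_allow_insecure = true` and `50443` in `networking.firewall.allowedTCPPorts` exposes headscale's gRPC admin API on every interface without transport encryption, so any client that reaches the port directly sends its API-key-authenticated traffic in the clear; the nginx host added in this same commit terminates TLS and talks to it over plain `grpc://`, which is fine only if nothing else can reach 50443. Binding to the host's own address or documenting that the firewall on this LXC is the only boundary would make the intent explicit. The PostgreSQL line `authentication = "host ${db_name} ${db_user} 127.0.0.1/32 trust";` lets any local process connect as the headscale DB user with no credential; a password delivered through the same vault mechanism the other hosts use would be the usual fix. Both services are `enable = false;` here, so nothing is live yet, but these settings and `logLevel = "debug"` will be inherited as-is when they are flipped on, so a TODO comment on each would help.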
diff --git a/nixos/hosts/minecraft/configuration.nix b/nixos/hosts/minecraft/configuration.nix index 53ccfae..1b0bba5 100644 --- a/nixos/hosts/minecraft/configuration.nix +++ b/nixos/hosts/minecraft/configuration.nix @@ -21,11 +21,11 @@ environment.noXlibs = lib.mkForce false; - networking.firewall.allowedTCPPorts = [ config.services.minecraft-server.serverProperties."rcon.port"]; + networking.firewall.allowedTCPPorts = [ ]; services.minecraft-server = { enable = true; - package = pkgs.minecraftServers.purpur_1_18_2; + package = pkgs.minecraftServers.purpur_1_18; jvmOpts = "--add-modules=jdk.incubator.vector -Xmx2048M -Xms2048M"; declarative = true; @@ -43,6 +43,5 @@ red_shifts = "e0afdee5-e776-49a9-a0cd-c8753faf4255"; iampilot = "4055515e-0567-4610-972e-8e530a5a9ccb"; }; - }; } diff --git a/nixos/hosts/minio/configuration.nix b/nixos/hosts/minio/configuration.nix index 35df691..ad3b26d 100644 --- a/nixos/hosts/minio/configuration.nix +++ b/nixos/hosts/minio/configuration.nix @@ -3,7 +3,10 @@ # and in the NixOS manual (accessible by running ‘nixos-help’). { config, pkgs, ... }: -let vs = config.vault-secrets.secrets; +let + vs = config.vault-secrets.secrets; + listenPort = 9000; + consolePort = 9001; in { imports = [ ]; @@ -20,12 +23,14 @@ in { # Additional packages environment.systemPackages = with pkgs; [ ]; - networking.firewall.allowedTCPPorts = [ 9000 9001 ]; + networking.firewall.allowedTCPPorts = [ listenPort consolePort ]; vault-secrets.secrets.minio = { }; services.minio = { enable = true; rootCredentialsFile = "${vs.minio}/environment"; + listenAddress = ":${toString listenPort}"; + consoleAddress = ":${toString consolePort}"; }; } diff --git a/nixos/hosts/mosquitto/configuration.nix b/nixos/hosts/mosquitto/configuration.nix index 5a13ba5..1fbe8b3 100644 --- a/nixos/hosts/mosquitto/configuration.nix +++ b/nixos/hosts/mosquitto/configuration.nix 
@@ -4,7 +4,8 @@ { config, pkgs, ... }: let mosquittoPort = 1883; -in { +in +{ imports = [ ]; networking.hostName = "mosquitto"; @@ -21,11 +22,9 @@ in { environment.systemPackages = with pkgs; [ ]; services.mosquitto = { - enable = true; - listeners = [{ - port = 1883; + port = mosquittoPort; settings.allow_anonymous = true; acl = [ "topic readwrite #" ]; users = { diff --git a/nixos/hosts/nginx/configuration.nix b/nixos/hosts/nginx/configuration.nix index 3a462ef..5a15535 100644 --- a/nixos/hosts/nginx/configuration.nix +++ b/nixos/hosts/nginx/configuration.nix @@ -9,7 +9,8 @@ let }; }; k8s_proxy = proxy "http://10.42.42.150:8000/"; -in { +in +{ networking.hostName = "nginx"; # This value determines the NixOS release from which the default @@ -33,7 +34,7 @@ in { # Reverse Proxies virtualHosts."ha.0x76.dev" = proxy "http://home-assistant.olympus:8123/"; virtualHosts."zookeeper-dev.0x76.dev" = proxy "http://eevee.olympus:8085/"; - virtualHosts."analytics.0x76.dev" = proxy "http://plausible.olympus:8000/"; + # virtualHosts."analytics.0x76.dev" = proxy "http://plausible.olympus:8000/"; virtualHosts."git.0x76.dev" = proxy "http://gitea.olympus:3000"; # Kubernetes endpoints 
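Review bot: The mosquitto hunk removes `enable = true;` and `listeners = [{` from `services.mosquitto` but keeps `port`, `settings.allow_anonymous`, `acl` and `users`, which the current module treats as per-listener options; as displayed, the block no longer enables the service and puts listener options at the top level, so evaluation likely fails or the broker is silently not started unless it is enabled elsewhere. If the intent was only the `port = mosquittoPort;` substitution, the two deletions should be reverted. The end of the listener list and the rest of `users` are outside the hunk, so verify against the full file. The pre-existing `settings.allow_anonymous = true;` with `acl = [ "topic readwrite #" ]` gives anonymous clients read/write on every topic; if the broker is reachable by more than its intended clients, that deserves a follow-up.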
@@ -41,6 +42,47 @@ in { virtualHosts."zookeeper.0x76.dev" = k8s_proxy; virtualHosts."wooloofan.club" = k8s_proxy; virtualHosts."whoami.wooloofan.club" = k8s_proxy; + + # Headscale + virtualHosts."vpn.0x76.dev" = { + enableACME = true; + forceSSL = true; + + locations = { + "/headscale." = { + extraConfig = '' + grpc_pass grpc://headscale.olympus:50443; + ''; + priority = 1; + }; + + # "/metrics" = { + # proxyPass = "http://plausible.olympus:9090"; + # extraConfig = '' + # allow 10.0.0.0/8; + # allow 100.64.0.0/16; + # deny all; + # ''; + # priority = 2; + # }; + + "/" = { + proxyPass = "http://headscale.olympus:8080"; + proxyWebsockets = true; + extraConfig = '' + keepalive_requests 100000; + keepalive_timeout 160s; + proxy_buffering off; + proxy_connect_timeout 75; + proxy_ignore_client_abort on; + proxy_read_timeout 900s; + proxy_send_timeout 600; + send_timeout 600; + ''; + priority = 99; + }; + }; + }; }; security.acme.defaults.email = "victorheld12@gmail.com"; diff --git a/nixos/hosts/plausible/configuration.nix b/nixos/hosts/plausible/configuration.nix index 20ca059..999c2ef 100644 --- a/nixos/hosts/plausible/configuration.nix +++ b/nixos/hosts/plausible/configuration.nix @@ -3,10 +3,11 @@ # and in the NixOS manual (accessible by running ‘nixos-help’). { config, pkgs, ... }: -let +let vs = config.vault-secrets.secrets; cfg = config.services.plausible; -in { +in +{ imports = [ ]; networking.hostName = "plausible"; diff --git a/nixos/hosts/wireguard/configuration.nix b/nixos/hosts/wireguard/configuration.nix new file mode 100644 index 0000000..68c4554 --- /dev/null +++ b/nixos/hosts/wireguard/configuration.nix 
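Review bot: The `"/headscale."` location forwards headscale's gRPC admin API to the public `vpn.0x76.dev` host with no source restriction, while the commented-out `/metrics` block just below shows the `allow`/`deny` pattern that would limit it; the admin API is API-key protected, but tailnet clients only need `/`, so the admin path gains nothing from being internet-reachable. Adding `allow 10.0.0.0/8;` and `deny all;` (plus whatever range the CLI is run from) to that location's `extraConfig` keeps `/` open and the admin path private. Both `grpc_pass grpc://headscale.olympus:50443;` and `proxyPass = "http://headscale.olympus:8080";` are plaintext to the backend, so TLS ends at this host; acceptable on a trusted segment, but worth a comment such as `# TLS terminates here; backend hop is plaintext on the LAN`. `proxy_ignore_client_abort on;` with `proxy_read_timeout 900s;` keeps upstream connections alive after a client disconnects, which is presumably intentional for long-poll and should be stated in a comment.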
@@ -0,0 +1,50 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ lib, config, pkgs, inputs, ... }:
+let vs = config.vault-secrets.secrets; in
+{
+ imports = [ ];
+
+ networking.hostName = "wireguard";
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "21.11"; # Did you read the comment?
+
+ # Additional packages
+ environment.systemPackages = with pkgs; [ wireguard-tools ];
+
+ environment.noXlibs = lib.mkForce false;
+
+ networking.firewall.allowedUDPPorts = [ config.networking.wireguard.interfaces.wg0.listenPort ];
+
+ vault-secrets.secrets.wireguard = {
+ services = [ "wireguard-wg0" ];
+ };
+
+ networking.nat = {
+ enable = true;
+ internalInterfaces = [ "wg0" ];
+ externalInterface = "eth0";
+ };
+
+ networking.wireguard.interfaces.wg0 = {
+ ips = [ "10.100.0.1/24" ];
+ listenPort = 51820;
+ privateKeyFile = "${vs.wireguard}/privateKey";
+
+ peers = [
+ {
+ # Phone
+ publicKey = "K+99mvSYs4urcclreQDLA1pekD4xtu/mpS2uVWw8Bws=";
+ allowedIPs = [ "10.100.0.2/32" ];
+ }
+ ];
+ };
+}
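Review bot: The `# Phone` peer carries only `publicKey` and `allowedIPs`; adding `presharedKeyFile` (option `networking.wireguard.interfaces.<name>.peers.*.presharedKeyFile`) sourced from the same vault secret, e.g. `presharedKeyFile = "${vs.wireguard}/phone-psk";` (file name constructed), layers a symmetric key on the handshake with no operational cost since the secret delivery for `wireguard-wg0` already exists. `networking.nat` with `internalInterfaces = [ "wg0" ]` and `externalInterface = "eth0"` gives that peer routed access to everything behind eth0, not just this host; if full LAN reach is intended, a comment saying so would help, otherwise constrain forwarding from wg0. Deriving the firewall hole from `config.networking.wireguard.interfaces.wg0.listenPort` and binding the secret to the unit via `services = [ "wireguard-wg0" ];` are both done right.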