diff options
Diffstat (limited to 'os/lia/modules')
-rw-r--r-- | os/lia/modules/lxc.nix | 41 | ||||
-rw-r--r-- | os/lia/modules/network/default.nix | 19 | ||||
-rw-r--r-- | os/lia/modules/network/router.nix | 47 | ||||
-rw-r--r-- | os/lia/modules/sshfwd.nix | 53 | ||||
-rw-r--r-- | os/lia/modules/users.nix | 18 |
5 files changed, 178 insertions, 0 deletions
diff --git a/os/lia/modules/lxc.nix b/os/lia/modules/lxc.nix new file mode 100644 index 0000000..259c316 --- /dev/null +++ b/os/lia/modules/lxc.nix @@ -0,0 +1,41 @@ +{ pkgs, ... }: let + container = { + name = "ubu"; + distro = "ubuntu"; + release = "jammy"; + }; + + bridge = "lan"; +in { + virtualisation.lxc.enable = true; + + environment.systemPackages = with pkgs; [ wget ]; + systemd.services."lxc-${container.name}-provision" = { + description = "auto provision ${container.name} lxc container"; + wantedBy = [ "multi-user.target" ]; + after = [ "network-online.target" ]; + wants = [ "network-online.target" ]; + stopIfChanged = false; + + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + }; + + path = with pkgs; [ wget lxc util-linux gnutar xz gawk ]; + script = '' + if ! lxc-ls | grep -q ${container.name}; then + lxc-create -n ${container.name} -t download -- \ + --arch amd64 \ + --release ${container.release} \ + --dist ${container.distro} + + sed 's/lxcbr0/${bridge}/g' -i /var/lib/lxc/${container.name}/config + fi + + lxc-start -n ${container.name} + ''; + + preStop = "lxc-stop --name ${container.name}"; + }; +} diff --git a/os/lia/modules/network/default.nix b/os/lia/modules/network/default.nix new file mode 100644 index 0000000..c8d9059 --- /dev/null +++ b/os/lia/modules/network/default.nix @@ -0,0 +1,19 @@ +{ ... }: let + wan = "enp9s0"; +in +{ + imports = [ + ./router.nix + ]; + + networking = { + interfaces.${wan}.ipv4.addresses = [{ + address = "172.16.148.20"; + prefixLength = 22; + }]; + defaultGateway = { + address = "172.16.148.1"; + interface = wan; + }; + }; +} diff --git a/os/lia/modules/network/router.nix b/os/lia/modules/network/router.nix new file mode 100644 index 0000000..b8cac8c --- /dev/null +++ b/os/lia/modules/network/router.nix @@ -0,0 +1,47 @@ +{ ... }: let + wanInterface = "enp9s0"; + lanInterfaces = [ "enp1s0f0" "enp1s0f1" ]; + + prefix = 24; + subnet = "192.168.1.0"; + host = "192.168.1.1"; + + leaseRangeStart = "192.168.1.100"; + leaseRangeEnd = "192.168.1.254"; + nameServer = [ "10.0.0.2" "10.0.0.3" ]; +in +{ + networking = { + bridges."lan".interfaces = lanInterfaces; + + nat = { + enable = true; + externalInterface = wanInterface; + internalInterfaces = [ "lan" ]; + }; + + interfaces.lan = { + ipv4.addresses = [{ + address = host; + prefixLength = prefix; + }]; + }; + + firewall = { + allowedUDPPorts = [ 53 67 ]; + allowedTCPPorts = [ 53 ]; + extraCommands = + "iptables -t nat -I POSTROUTING 1 -s ${subnet}/${toString prefix} -o ${wanInterface} -j MASQUERADE"; + }; + }; + + services.dnsmasq = { + enable = true; + + settings = { + server = nameServer; + dhcp-range = [ "${leaseRangeStart},${leaseRangeEnd}" ]; + interface = [ "lan" ]; + }; + }; +} diff --git a/os/lia/modules/sshfwd.nix b/os/lia/modules/sshfwd.nix new file mode 100644 index 0000000..3c7c006 --- /dev/null +++ b/os/lia/modules/sshfwd.nix @@ -0,0 +1,53 @@ +{ pkgs, config, ... }: let + mkFwdSrv = { + local_port, + remote_port, + remote_user, + remote ? "sinanmohd.com", + ssh_port ? 22, + key ? config.sops.secrets."sshfwd/${remote}".path, + }: { + "sshfwd-${toString local_port}-${remote}:${toString remote_port}" = { + description = "Forwarding port ${toString local_port} to ${remote}"; + + wantedBy = [ "multi-user.target" ]; + after = [ "network-online.target" ]; + wants = [ "network-online.target" ]; + # restart rather than stop+start this unit to prevent + # the ssh from dying during switch-to-configuration. + stopIfChanged = false; + + serviceConfig = { + ExecStart = '' + ${pkgs.openssh}/bin/ssh -N ${remote_user}@${remote} -p ${toString ssh_port} \ + -R '[::]:${toString remote_port}:127.0.0.1:${toString local_port}' \ + -o ServerAliveInterval=15 \ + -o ExitOnForwardFailure=yes \ + -i ${key} + ''; + + RestartSec = 3; + Restart = "always"; + }; + + }; + }; +in { + sops.secrets."sshfwd/sinanmohd.com" = {}; + sops.secrets."sshfwd/lia.sinanmohd.com" = {}; + + environment.systemPackages = with pkgs; [ openssh ]; + systemd.services + = (mkFwdSrv { + local_port = 22; + remote_user = "lia"; + remote_port = 2222; + }) // + (mkFwdSrv { + local_port = 22; + remote_port = 22; + ssh_port = 23; + remote_user = "root"; + remote = "lia.sinanmohd.com"; + }); +} diff --git a/os/lia/modules/users.nix b/os/lia/modules/users.nix new file mode 100644 index 0000000..26f5dc8 --- /dev/null +++ b/os/lia/modules/users.nix @@ -0,0 +1,18 @@ +{ pkgs, ... }: { + users.users = { + "rohit" = { + isNormalUser = true; + extraGroups = [ "wheel" ]; + + packages = with pkgs; [ git htop ]; + openssh.authorizedKeys.keys = + [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOZcWF1zVyxsCdZ/j+h+RlHZlyhgY2Bky03847bxFNSH rohit@victus" ]; + }; + + "sharu" = { + isNormalUser = true; + openssh.authorizedKeys.keys = + [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMAAaAUTiM3YY7E/7lq44aX+2U0IYhp2Qntu7hINcTjF sharu@lappie" ]; + }; + }; +} |