summaryrefslogtreecommitdiff
path: root/os/lia/modules
diff options
context:
space:
mode:
Diffstat (limited to 'os/lia/modules')
-rw-r--r--os/lia/modules/lxc.nix41
-rw-r--r--os/lia/modules/network/default.nix19
-rw-r--r--os/lia/modules/network/router.nix47
-rw-r--r--os/lia/modules/sshfwd.nix53
-rw-r--r--os/lia/modules/users.nix18
5 files changed, 178 insertions, 0 deletions
diff --git a/os/lia/modules/lxc.nix b/os/lia/modules/lxc.nix
new file mode 100644
index 0000000..259c316
--- /dev/null
+++ b/os/lia/modules/lxc.nix
@@ -0,0 +1,41 @@
+{ pkgs, ... }: let
+ container = {
+ name = "ubu";
+ distro = "ubuntu";
+ release = "jammy";
+ };
+
+ bridge = "lan";
+in {
+ virtualisation.lxc.enable = true;
+
+ environment.systemPackages = with pkgs; [ wget ];
+ systemd.services."lxc-${container.name}-provision" = {
+ description = "auto provision ${container.name} lxc container";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network-online.target" ];
+ wants = [ "network-online.target" ];
+ stopIfChanged = false;
+
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ };
+
+ path = with pkgs; [ wget lxc util-linux gnutar xz gawk ];
+ script = ''
+ if ! lxc-ls | grep -q ${container.name}; then
+ lxc-create -n ${container.name} -t download -- \
+ --arch amd64 \
+ --release ${container.release} \
+ --dist ${container.distro}
+
+ sed 's/lxcbr0/${bridge}/g' -i /var/lib/lxc/${container.name}/config
+ fi
+
+ lxc-start -n ${container.name}
+ '';
+
+ preStop = "lxc-stop --name ${container.name}";
+ };
+}
diff --git a/os/lia/modules/network/default.nix b/os/lia/modules/network/default.nix
new file mode 100644
index 0000000..c8d9059
--- /dev/null
+++ b/os/lia/modules/network/default.nix
@@ -0,0 +1,19 @@
+{ ... }: let
+ wan = "enp9s0";
+in
+{
+ imports = [
+ ./router.nix
+ ];
+
+ networking = {
+ interfaces.${wan}.ipv4.addresses = [{
+ address = "172.16.148.20";
+ prefixLength = 22;
+ }];
+ defaultGateway = {
+ address = "172.16.148.1";
+ interface = wan;
+ };
+ };
+}
diff --git a/os/lia/modules/network/router.nix b/os/lia/modules/network/router.nix
new file mode 100644
index 0000000..b8cac8c
--- /dev/null
+++ b/os/lia/modules/network/router.nix
@@ -0,0 +1,47 @@
+{ ... }: let
+ wanInterface = "enp9s0";
+ lanInterfaces = [ "enp1s0f0" "enp1s0f1" ];
+
+ prefix = 24;
+ subnet = "192.168.1.0";
+ host = "192.168.1.1";
+
+ leaseRangeStart = "192.168.1.100";
+ leaseRangeEnd = "192.168.1.254";
+ nameServer = [ "10.0.0.2" "10.0.0.3" ];
+in
+{
+ networking = {
+ bridges."lan".interfaces = lanInterfaces;
+
+ nat = {
+ enable = true;
+ externalInterface = wanInterface;
+ internalInterfaces = [ "lan" ];
+ };
+
+ interfaces.lan = {
+ ipv4.addresses = [{
+ address = host;
+ prefixLength = prefix;
+ }];
+ };
+
+ firewall = {
+ allowedUDPPorts = [ 53 67 ];
+ allowedTCPPorts = [ 53 ];
+ extraCommands =
+ "iptables -t nat -I POSTROUTING 1 -s ${subnet}/${toString prefix} -o ${wanInterface} -j MASQUERADE";
+ };
+ };
+
+ services.dnsmasq = {
+ enable = true;
+
+ settings = {
+ server = nameServer;
+ dhcp-range = [ "${leaseRangeStart},${leaseRangeEnd}" ];
+ interface = [ "lan" ];
+ };
+ };
+}
diff --git a/os/lia/modules/sshfwd.nix b/os/lia/modules/sshfwd.nix
new file mode 100644
index 0000000..3c7c006
--- /dev/null
+++ b/os/lia/modules/sshfwd.nix
@@ -0,0 +1,53 @@
+{ pkgs, config, ... }: let
+ mkFwdSrv = {
+ local_port,
+ remote_port,
+ remote_user,
+ remote ? "sinanmohd.com",
+ ssh_port ? 22,
+ key ? config.sops.secrets."sshfwd/${remote}".path,
+ }: {
+ "sshfwd-${toString local_port}-${remote}:${toString remote_port}" = {
+ description = "Forwarding port ${toString local_port} to ${remote}";
+
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network-online.target" ];
+ wants = [ "network-online.target" ];
+ # restart rather than stop+start this unit to prevent
+ # the ssh from dying during switch-to-configuration.
+ stopIfChanged = false;
+
+ serviceConfig = {
+ ExecStart = ''
+ ${pkgs.openssh}/bin/ssh -N ${remote_user}@${remote} -p ${toString ssh_port} \
+ -R '[::]:${toString remote_port}:127.0.0.1:${toString local_port}' \
+ -o ServerAliveInterval=15 \
+ -o ExitOnForwardFailure=yes \
+ -i ${key}
+ '';
+
+ RestartSec = 3;
+ Restart = "always";
+ };
+
+ };
+ };
+in {
+ sops.secrets."sshfwd/sinanmohd.com" = {};
+ sops.secrets."sshfwd/lia.sinanmohd.com" = {};
+
+ environment.systemPackages = with pkgs; [ openssh ];
+ systemd.services
+ = (mkFwdSrv {
+ local_port = 22;
+ remote_user = "lia";
+ remote_port = 2222;
+ }) //
+ (mkFwdSrv {
+ local_port = 22;
+ remote_port = 22;
+ ssh_port = 23;
+ remote_user = "root";
+ remote = "lia.sinanmohd.com";
+ });
+}
diff --git a/os/lia/modules/users.nix b/os/lia/modules/users.nix
new file mode 100644
index 0000000..26f5dc8
--- /dev/null
+++ b/os/lia/modules/users.nix
@@ -0,0 +1,18 @@
+{ pkgs, ... }: {
+ users.users = {
+ "rohit" = {
+ isNormalUser = true;
+ extraGroups = [ "wheel" ];
+
+ packages = with pkgs; [ git htop ];
+ openssh.authorizedKeys.keys =
+ [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOZcWF1zVyxsCdZ/j+h+RlHZlyhgY2Bky03847bxFNSH rohit@victus" ];
+ };
+
+ "sharu" = {
+ isNormalUser = true;
+ openssh.authorizedKeys.keys =
+ [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMAAaAUTiM3YY7E/7lq44aX+2U0IYhp2Qntu7hINcTjF sharu@lappie" ];
+ };
+ };
+}