Diffstat (limited to 'os/lia/modules')
-rw-r--r--os/lia/modules/headscale.nix23
-rw-r--r--os/lia/modules/lxc.nix15
-rw-r--r--os/lia/modules/network/default.nix13
-rw-r--r--os/lia/modules/network/router.nix31
-rw-r--r--os/lia/modules/sshfwd.nix53
-rw-r--r--os/lia/modules/users.nix18
6 files changed, 76 insertions, 77 deletions
diff --git a/os/lia/modules/headscale.nix b/os/lia/modules/headscale.nix
new file mode 100644
index 0000000..906080a
--- /dev/null
+++ b/os/lia/modules/headscale.nix
@@ -0,0 +1,23 @@
+{ config, ... }:
+let
+ headScaleUrl = "https://headscale.${config.global.userdata.domain}";
+ user = config.global.userdata.name;
+in
+{
+ sops.secrets."misc/headscale" = { };
+ networking.firewall.trustedInterfaces = [ config.services.tailscale.interfaceName ];
+
+ services.tailscale = {
+ enable = true;
+ interfaceName = "headscale";
+ openFirewall = true;
+
+ authKeyFile = config.sops.secrets."misc/headscale".path;
+ extraUpFlags = [
+ "--login-server=${headScaleUrl}"
+ "--operator=${user}"
+ "--accept-routes=false"
+ "--advertise-exit-node"
+ ];
+ };
+}
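Review bot: `networking.firewall.trustedInterfaces = [ config.services.tailscale.interfaceName ]` accepts all inbound traffic from every headscale peer unconditionally, so any service listening on this host is reachable from the whole tailnet and the host firewall no longer segments it; since router.nix in this same change shows the host is also the LAN router, that is a high-impact trust grant. `openFirewall = true` already opens the tailscale UDP port, so the trusted-interface line is not needed for the tunnel itself; prefer an explicit per-interface allow list such as `networking.firewall.interfaces.${config.services.tailscale.interfaceName}.allowedTCPPorts = [ 22 ];` (plus headscale ACLs) and drop `trustedInterfaces`. `--advertise-exit-node` makes this node a default route for peers once the route is approved in headscale, and because the NixOS firewall does not filter forwarded traffic by default, tailnet peers would presumably also reach 192.168.1.0/24 behind the router — worth a comment stating that this is intended, or a FORWARD rule if it is not. `--operator=${user}` lets that unprivileged account reconfigure tailscaled (routes, exit-node state, logout), so a short comment such as `# operator: ${user} can change node routes/exit-node without root` would document the privilege being delegated.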
diff --git a/os/lia/modules/lxc.nix b/os/lia/modules/lxc.nix
index 259c316..012695d 100644
--- a/os/lia/modules/lxc.nix
+++ b/os/lia/modules/lxc.nix
@@ -1,4 +1,5 @@
-{ pkgs, ... }: let
+{ pkgs, ... }:
+let
container = {
name = "ubu";
distro = "ubuntu";
@@ -6,7 +7,8 @@
};
bridge = "lan";
-in {
+in
+{
virtualisation.lxc.enable = true;
environment.systemPackages = with pkgs; [ wget ];
@@ -22,7 +24,14 @@ in {
RemainAfterExit = true;
};
- path = with pkgs; [ wget lxc util-linux gnutar xz gawk ];
+ path = with pkgs; [
+ wget
+ lxc
+ util-linux
+ gnutar
+ xz
+ gawk
+ ];
script = ''
if ! lxc-ls | grep -q ${container.name}; then
lxc-create -n ${container.name} -t download -- \
diff --git a/os/lia/modules/network/default.nix b/os/lia/modules/network/default.nix
index c8d9059..3d58636 100644
--- a/os/lia/modules/network/default.nix
+++ b/os/lia/modules/network/default.nix
@@ -1,4 +1,5 @@
-{ ... }: let
+{ ... }:
+let
wan = "enp9s0";
in
{
@@ -7,10 +8,12 @@ in
];
networking = {
- interfaces.${wan}.ipv4.addresses = [{
- address = "172.16.148.20";
- prefixLength = 22;
- }];
+ interfaces.${wan}.ipv4.addresses = [
+ {
+ address = "172.16.148.20";
+ prefixLength = 22;
+ }
+ ];
defaultGateway = {
address = "172.16.148.1";
interface = wan;
diff --git a/os/lia/modules/network/router.nix b/os/lia/modules/network/router.nix
index b8cac8c..4f22e31 100644
--- a/os/lia/modules/network/router.nix
+++ b/os/lia/modules/network/router.nix
@@ -1,6 +1,10 @@
-{ ... }: let
+{ ... }:
+let
wanInterface = "enp9s0";
- lanInterfaces = [ "enp1s0f0" "enp1s0f1" ];
+ lanInterfaces = [
+ "enp1s0f0"
+ "enp1s0f1"
+ ];
prefix = 24;
subnet = "192.168.1.0";
@@ -8,7 +12,10 @@
leaseRangeStart = "192.168.1.100";
leaseRangeEnd = "192.168.1.254";
- nameServer = [ "10.0.0.2" "10.0.0.3" ];
+ nameServer = [
+ "10.0.0.2"
+ "10.0.0.3"
+ ];
in
{
networking = {
@@ -21,17 +28,21 @@ in
};
interfaces.lan = {
- ipv4.addresses = [{
- address = host;
- prefixLength = prefix;
- }];
+ ipv4.addresses = [
+ {
+ address = host;
+ prefixLength = prefix;
+ }
+ ];
};
firewall = {
- allowedUDPPorts = [ 53 67 ];
+ allowedUDPPorts = [
+ 53
+ 67
+ ];
allowedTCPPorts = [ 53 ];
- extraCommands =
- "iptables -t nat -I POSTROUTING 1 -s ${subnet}/${toString prefix} -o ${wanInterface} -j MASQUERADE";
+ extraCommands = "iptables -t nat -I POSTROUTING 1 -s ${subnet}/${toString prefix} -o ${wanInterface} -j MASQUERADE";
};
};
diff --git a/os/lia/modules/sshfwd.nix b/os/lia/modules/sshfwd.nix
deleted file mode 100644
index 3c7c006..0000000
--- a/os/lia/modules/sshfwd.nix
+++ /dev/null
@@ -1,53 +0,0 @@
-{ pkgs, config, ... }: let
- mkFwdSrv = {
- local_port,
- remote_port,
- remote_user,
- remote ? "sinanmohd.com",
- ssh_port ? 22,
- key ? config.sops.secrets."sshfwd/${remote}".path,
- }: {
- "sshfwd-${toString local_port}-${remote}:${toString remote_port}" = {
- description = "Forwarding port ${toString local_port} to ${remote}";
-
- wantedBy = [ "multi-user.target" ];
- after = [ "network-online.target" ];
- wants = [ "network-online.target" ];
- # restart rather than stop+start this unit to prevent
- # the ssh from dying during switch-to-configuration.
- stopIfChanged = false;
-
- serviceConfig = {
- ExecStart = ''
- ${pkgs.openssh}/bin/ssh -N ${remote_user}@${remote} -p ${toString ssh_port} \
- -R '[::]:${toString remote_port}:127.0.0.1:${toString local_port}' \
- -o ServerAliveInterval=15 \
- -o ExitOnForwardFailure=yes \
- -i ${key}
- '';
-
- RestartSec = 3;
- Restart = "always";
- };
-
- };
- };
-in {
- sops.secrets."sshfwd/sinanmohd.com" = {};
- sops.secrets."sshfwd/lia.sinanmohd.com" = {};
-
- environment.systemPackages = with pkgs; [ openssh ];
- systemd.services
- = (mkFwdSrv {
- local_port = 22;
- remote_user = "lia";
- remote_port = 2222;
- }) //
- (mkFwdSrv {
- local_port = 22;
- remote_port = 22;
- ssh_port = 23;
- remote_user = "root";
- remote = "lia.sinanmohd.com";
- });
-}
diff --git a/os/lia/modules/users.nix b/os/lia/modules/users.nix
index 26f5dc8..3a44104 100644
--- a/os/lia/modules/users.nix
+++ b/os/lia/modules/users.nix
@@ -1,18 +1,24 @@
-{ pkgs, ... }: {
+{ pkgs, ... }:
+{
users.users = {
"rohit" = {
isNormalUser = true;
extraGroups = [ "wheel" ];
- packages = with pkgs; [ git htop ];
- openssh.authorizedKeys.keys =
- [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOZcWF1zVyxsCdZ/j+h+RlHZlyhgY2Bky03847bxFNSH rohit@victus" ];
+ packages = with pkgs; [
+ git
+ htop
+ ];
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOZcWF1zVyxsCdZ/j+h+RlHZlyhgY2Bky03847bxFNSH rohit@victus"
+ ];
};
"sharu" = {
isNormalUser = true;
- openssh.authorizedKeys.keys =
- [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMAAaAUTiM3YY7E/7lq44aX+2U0IYhp2Qntu7hINcTjF sharu@lappie" ];
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMAAaAUTiM3YY7E/7lq44aX+2U0IYhp2Qntu7hINcTjF sharu@lappie"
+ ];
};
};
}