Heimdall is now a VM on Hetzner Cloud running headscale

This commit is contained in:
Erwin Boskma 2023-04-09 22:01:32 +02:00
parent f7c44b0981
commit 05a5e6e130
Signed by: erwin
SSH key fingerprint: SHA256:9LmFDe1C6jSrEyqxxvX8NtJBmcbB105XoqyUZF092bg
3 changed files with 177 additions and 77 deletions


@ -1,99 +1,76 @@
{ self, ... } @ inputs:
{ modulesPath, ... }:
let
pkgs = self.inputs.nixpkgs.legacyPackages.x86_64-linux;
in
{ modulesPath, lib, ... }:
# let
# pkgs = self.inputs.nixpkgs.legacyPackages.x86_64-linux;
# in
{
imports = [
"${modulesPath}/virtualisation/proxmox-lxc.nix"
"${modulesPath}/profiles/qemu-guest.nix"
../../users/root
../../users/erwin
];
eboskma = {
users.erwin.enable = true;
users.erwin = {
enable = true;
server = true;
};
headscale = {
enable = true;
baseDomain = "asgard.datarift.nl";
serverUrl = "https://heimdall.datarift.nl";
};
nix-common = {
enable = true;
remote-builders = true;
};
};
proxmoxLXC = {
privileged = true;
};
networking = {
# hostName = "heimdall";
# useDHCP = false;
hostName = "heimdall";
domain = "datarift.nl";
nat = {
enable = true;
externalInterface = "br0";
internalInterfaces = [ "wg0" ];
nameservers = [ "8.8.8.8" ];
defaultGateway = "172.31.1.1";
defaultGateway6 = {
address = "fe80::1";
interface = "eth0";
};
dhcpcd.enable = false;
usePredictableInterfaceNames = lib.mkForce false;
interfaces = {
br0 = {
ipv4.addresses = [{ address = "10.0.0.250"; prefixLength = 24; }];
};
};
# firewall.trustedInterfaces = [ "eth1" ];
bridges = {
br0 = {
interfaces = [ "eth0" ];
rstp = true;
};
};
# defaultGateway = {
# address = "10.2.0.1";
# interface = "eth1";
# };
nameservers = [ "10.0.0.254" ];
wireguard.interfaces = {
wg0 = {
ips = [ "10.1.0.0/24" ];
listenPort = 51820;
privateKeyFile = "/run/secrets/wireguard_key";
postSetup = [
"${pkgs.iptables}/bin/iptables -A FORWARD -i %i -j ACCEPT"
"${pkgs.iptables}/bin/iptables -A FORWARD -o %i -j ACCEPT"
"${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -o br0 -j MASQUERADE"
eth0 = {
ipv4.addresses = [
{ address = "159.69.211.175"; prefixLength = 32; }
];
postShutdown = [
"${pkgs.iptables}/bin/iptables -D FORWARD -i %i -j ACCEPT"
"${pkgs.iptables}/bin/iptables -D FORWARD -o %i -j ACCEPT"
"${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -o br0 -j MASQUERADE"
];
peers = [
# horus
# {
# publicKey = "";
# persistentKeepalive = 25;
# allowedIPs = [
# "10.1.0.0/24"
# "10.0.0.0/24"
# ];
# }
# iphone
{
publicKey = "SlJSLRMaqoujNsTkzQRZlNLBGB0Q/tt3b8KijFEaH2s=";
persistentKeepalive = 25;
allowedIPs = [
"10.1.0.0/24"
"10.0.0.0/24"
];
}
ipv6.addresses = [
{ address = "2a01:4f8:1c1e:5fb2::1"; prefixLength = 64; }
{ address = "fe80::9400:2ff:fe12:a2eb"; prefixLength = 64; }
];
ipv4.routes = [{ address = "172.31.1.1"; prefixLength = 32; }];
ipv6.routes = [{ address = "fe80::1"; prefixLength = 128; }];
};
};
};
services.udev.extraRules = ''
ATTR{address}=="96:00:02:12:a2:eb", NAME="eth0"
'';
### Hetzner stuff
boot = {
cleanTmpDir = true;
loader.grub.device = "/dev/sda";
initrd = {
availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
kernelModules = [ "nvme" ];
};
};
boot.isContainer = true;
fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; };
zramSwap.enable = true;
### END Hetzner stuff
time.timeZone = "Europe/Amsterdam";
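Review bot: The `let pkgs = … in` binding is kept as three `#` lines directly under the new `{ modulesPath, lib, ... }:` header although nothing on the new side references `pkgs` any more; the same dead-comment pattern appears for the `hostName`/`useDHCP` lines under `networking` and for the `sops` block in the second hunk of this file. Commented-out configuration drifts from what is actually deployed and hides what the host really does, so I would delete those lines outright; the history keeps them. The interface pinning also needs a why-comment, because `usePredictableInterfaceNames = lib.mkForce false` only works together with the udev rule that renames the NIC with MAC `96:00:02:12:a2:eb` to `eth0`, and the static `eth0` addressing and routes below break silently if either half is changed alone: `# Hetzner Cloud VM: pin the NIC to eth0 by MAC (udev rule below) so the static addressing here stays valid`. The `8.8.8.8` resolver and the /32 public address are hard-coded; that is reasonable for a single cloud VM, but a one-line comment saying they come from the Hetzner network settings would save the next reader a lookup.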
@ -101,10 +78,10 @@ in
services.openssh.enable = true;
sops.defaultSopsFile = ./secrets.yaml;
sops.secrets = {
wireguard_key = { };
};
# sops.defaultSopsFile = ./secrets.yaml;
# sops.secrets = {
# wireguard_key = { };
# };
system.stateVersion = "22.05";
system.stateVersion = "23.05";
}


@ -0,0 +1,63 @@
{ pkgs, config, lib, ... }:
with lib;
let
cfg = config.eboskma.headscale;
in
{
options.eboskma.headscale = {
enable = mkEnableOption "headscale";
serverUrl = mkOption {
description = "Server URL";
type = types.str;
};
baseDomain = mkOption {
description = "Tailscale MagicDNS base domain";
type = types.str;
default = null;
};
};
config = mkIf cfg.enable {
services.headscale = {
enable = true;
settings = {
dns_config = {
override_local_dns = true;
base_domain = cfg.baseDomain;
nameservers = [
"1.1.1.1"
];
};
server_url = cfg.serverUrl;
ip_prefixes = [
"fd7a:115c:a1e0::/48"
"100.64.0.0/10"
];
};
};
services.caddy = {
enable = true;
email = "erwin@datarift.nl";
virtualHosts = {
"${cfg.serverUrl}" = {
extraConfig = ''
reverse_proxy localhost:8080
'';
};
};
};
security.acme.acceptTerms = true;
networking.firewall.allowedTCPPorts = [ 80 443 ];
environment.systemPackages = [ pkgs.headscale ];
users.users.${config.eboskma.var.mainUser}.extraGroups = [ "headscale" ];
};
}
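Review bot: `baseDomain` is declared with `type = types.str` but `default = null`, so a host that enables the module without setting it fails the option type check on the default instead of getting a clear "option not set" error; declare it as `type = types.nullOr types.str;` or drop the default and make it mandatory, since `dns_config.base_domain` is always populated from it. The Caddy site hard-codes `reverse_proxy localhost:8080`, duplicating headscale's listen port; `reverse_proxy localhost:${toString config.services.headscale.port}` keeps the two in step if the port is ever changed. Adding the main user to the `headscale` group hands that account unrestricted control of the control plane through the headscale unix socket (user and pre-auth-key management for the whole mesh), which is an admin grant and should be documented as deliberate: `# membership of "headscale" = full CLI/socket control of the control plane; only the admin account`. Note too that `security.acme.acceptTerms` and the global 80/443 firewall opening apply to every host that enables this module, which the option description for `enable` could mention.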

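--- /dev/null
+++ b/users/erwin/server.nix
@@ -0,0 +1,60 @@
+{ pkgs, config, lib, inputs, ... }:
+with lib;
+let
+cfg = config.eboskma.users.erwin;
+in
+{
+config = mkIf cfg.server {
+home-manager.users.erwin = {
+_module.args.flake-inputs = inputs;
+programs.home-manager.enable = true;
+programs.command-not-found.enable = true;
+home.username = "erwin";
+home.homeDirectory = "/home/erwin";
+nixpkgs.config.allowUnfree = true;
+home.stateVersion = "23.05";
+eboskma = {
+programs = {
+bat.enable = true;
+git = {
+enable = true;
+name = "Erwin Boskma";
+email = "erwin@datarift.nl";
+};
+neovim.enable = true;
+nushell.enable = true;
+ssh.enable = true;
+starship.enable = true;
+};
+};
+home.packages = with pkgs; [
+atool
+bottom
+btop
+fd
+git
+iotop
+procs
+ripgrep
+units
+];
+xdg = {
+enable = true;
+};
+imports = [
+../../modules/options
+] ++ (map (mod: (../../home-manager/modules + "/${mod}")) (builtins.attrNames (builtins.readDir ../../home-manager/modules)));
+};
+programs.bandwhich.enable = true;
+};
+}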
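Review bot: `mkIf cfg.server` gates this whole file on `eboskma.users.erwin.server`, but none of the three files in this commit declares that option; if it is not already declared in an existing `users/erwin` module, evaluation fails with an undefined-attribute error as soon as the file is imported, so the declaration (`server = mkEnableOption "server profile for erwin";`) should either travel with this commit or be confirmed present. The `imports` entry that globs `../../home-manager/modules` via `builtins.readDir` deserves a comment, because it silently activates every file later dropped into that directory: `# auto-import every module under home-manager/modules; new files there take effect without being listed`. As a point of style I would move `imports` (and the `_module.args` line) to the top of the `home-manager.users.erwin` attrset, where readers of a NixOS/home-manager module expect to find them, rather than after `xdg`.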