diff --git a/flake.nix b/flake.nix
index dcc63e5..125f36f 100644
--- a/flake.nix
+++ b/flake.nix
@@ -50,6 +50,7 @@
         nix-serve-ng.nixosModules.default
         ./nix/application/containers.nix
+        ./nix/application/headscale.nix
         ./nix/application/miniflux.nix
         ./nix/application/nginx.nix
         ./nix/application/postgresql.nix
@@ -68,7 +69,6 @@
         ./nix/system/security.nix
         ./nix/system/system.nix
         ./nix/system/virtualisation.nix
-        ./nix/system/wireguard.nix
         ./nix/user/users.nix
       ];
diff --git a/nix/application/containers.nix b/nix/application/containers.nix
index b178b66..31417b6 100644
--- a/nix/application/containers.nix
+++ b/nix/application/containers.nix
@@ -1,5 +1,13 @@
 { config, lib, pkgs, ... }: {
+  environment.etc."containers/containers.conf".text = lib.mkForce ''
+    [engine]
+    init_path = "${pkgs.catatonit}/bin/catatonit"
+
+    [network]
+    network_backend = "cni"
+    cni_plugin_dirs = ["${pkgs.cni-plugins}/bin"]
+  '';
   virtualisation.oci-containers = {
     containers = {
diff --git a/nix/application/headscale.nix b/nix/application/headscale.nix
new file mode 100644
index 0000000..524554d
--- /dev/null
+++ b/nix/application/headscale.nix
@@ -0,0 +1,23 @@
+{ pkgs, config, ...}: {
+  services.headscale = {
+    enable = true;
+    address = "0.0.0.0";
+    port = 35893;
+    settings = {
+      dns.base_domain = "vpn.matri.cx";
+      logtail.enabled = false;
+      noise.private_key_path = "/var/lib/headscale/noise_private.key";
+      server_url = "https://vpn.matri.cx:443";
+    };
+  };
+  services.tailscale = {
+    enable = true;
+    extraSetFlags = [
+      "--advertise-exit-node"
+    ];
+    extraUpFlags = [
+      "--advertise-tags=tag:home-server"
+    ];
+    useRoutingFeatures = "both";
+  };
+}
diff --git a/nix/application/nginx.nix b/nix/application/nginx.nix
index 10e2ab9..88fd144 100644
--- a/nix/application/nginx.nix
+++ b/nix/application/nginx.nix
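Review bot: `lib.mkForce` on `environment.etc."containers/containers.conf".text` replaces the whole file the NixOS containers module generates, so anything declared through `virtualisation.containers.containersConf.settings` by this or any other module is dropped rather than merged. Declaring the same three keys under `virtualisation.containers.containersConf.settings.engine.init_path`, `...settings.network.network_backend` and `...settings.network.cni_plugin_dirs` keeps the module's merge semantics and leaves the result inspectable through the option system. If the override is deliberate, a comment above the assignment such as `# mkForce: replace the generated containers.conf wholesale; containersConf.settings would be merged in instead` would tell the next reader why the option was bypassed. The enclosing attribute set continues past the hunk.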
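Review bot: `address = "0.0.0.0"` binds the headscale control listener on port 35893 on every interface, while the only intended client is the nginx vhost in this commit that proxies to `localhost:${toString config.services.headscale.port}`; `address = "127.0.0.1";` keeps the unauthenticated plain-HTTP listener reachable only through the TLS-terminating proxy instead of depending on the firewall list (which does not open 35893) and on no interface ever being trusted. As far as I recall the NixOS tailscale module, `extraUpFlags` is only consumed by the autoconnect unit that exists when `authKeyFile` is set, and no `--login-server` naming this headscale appears, so `--advertise-tags=tag:home-server` may be inert and a manual `tailscale up` would default to the public coordination server; worth confirming against the module, and adding `"--login-server=https://vpn.matri.cx"` alongside the tag flag if the autoconnect path is intended.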
@@ -71,11 +71,19 @@
         "jame.su" = static { dir = "/var/www/jame.su"; };
         "matri.cx" = static { dir = "/var/www/matri.cx"; };
         "media.matri.cx" = proxied { target = "http://127.0.0.1:8096"; };
+        "purr.eversole.co" = proxied { target = "http://127.0.0.1:5195"; };
         "pw.eversole.co" = proxied { target = "http://127.0.0.1:40080"; };
         "sezycei.com" = static { dir = "/var/www/sezycei.com"; };
         "snakebelmont.com" = static { dir = "/var/www/snakebelmont.com"; };
         "transmission.matri.cx" = proxiedLAN { target = "http://127.0.0.1:9091"; };
-        "purr.eversole.co" = proxied { target = "http://127.0.0.1:5195"; };
+        "vpn.matri.cx" = {
+          forceSSL = true;
+          enableACME = true;
+          locations."/" = {
+            proxyPass = "http://localhost:${toString config.services.headscale.port}";
+            proxyWebsockets = true;
+          };
+        };
       };
     };
 }
diff --git a/nix/system/age.nix b/nix/system/age.nix
index 65ee55e..b87982e 100644
--- a/nix/system/age.nix
+++ b/nix/system/age.nix
@@ -22,7 +22,6 @@
       "restic/env".file = ../../secrets/restic/env.age;
       "restic/password".file = ../../secrets/restic/env.age;
       "restic/repo".file = ../../secrets/restic/env.age;
-      "wireguard/server-private".file = ../../secrets/wireguard/server-private.age;
     };
     identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
   };
diff --git a/nix/system/network.nix b/nix/system/network.nix
index 709cfe9..dac3abb 100644
--- a/nix/system/network.nix
+++ b/nix/system/network.nix
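Review bot: The new `"vpn.matri.cx"` entry proxies to `localhost`, while every other proxied entry in this map uses the `127.0.0.1` literal; nginx resolves `localhost` once at config load and on a dual-stack host this may yield `::1` as well, which headscale as configured in this commit (an IPv4 `0.0.0.0` bind) does not listen on, so some requests would first hit a refused connect before nginx falls over to the working address. `proxyPass = "http://127.0.0.1:${toString config.services.headscale.port}";` matches the rest of the map and removes the ambiguity. Whether the `proxied` helper (defined outside the hunk) could be reused with websockets enabled, rather than restating `forceSSL`/`enableACME` inline, can't be judged from here.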
@@ -1,15 +1,16 @@
-{ ... }: {
+{ config, ... }: {
   networking = {
     hostName = "eve-psr-nix0";
     firewall = {
       allowedTCPPorts = [ 22 80 443 5000 23231 23232 23233 ];
-      allowedUDPPorts = [ 53 51820 ];
-      trustedInterfaces = [ "tun0" ];
-    };
-    nat = {
-      enable = true;
-      externalInterface = "enp1s0";
-      internalInterfaces = [ "tun0" "wg0" ];
+      allowedUDPPorts = [ 53 51820 config.services.tailscale.port ];
+      extraCommands = ''
+        iptables -t nat -A POSTROUTING -s 100.64.0.0/10 -o enp1s0 -j MASQUERADE
+      '';
+      extraStopCommands = ''
+        iptables -t nat -D POSTROUTING -s 100.64.0.0/10 -o enp1s0 -j MASQUERADE
+      '';
     };
+    nat.enable = true;
   };
 }
diff --git a/nix/system/wireguard.nix b/nix/system/wireguard.nix
deleted file mode 100644
index c0a5b33..0000000
--- a/nix/system/wireguard.nix
+++ /dev/null
@@ -1,33 +0,0 @@
-{ pkgs, config, lib, ...}: {
-  networking.wireguard.interfaces = {
-    wg0 = {
-      ips = [ "192.168.3.1/24" ];
-      listenPort = 51820;
-      privateKeyFile = "/run/agenix/wireguard/server-private";
-
-      peers = [
-        #
-        # James
-        #
-        { # Primary Cell
-          publicKey = "jko+bd/y1+3X40/AGX9OpV2H/Wlb9C2Jwkfs4Knjljg=";
-          allowedIPs = [ "192.168.3.2/32" ];
-        }
-        #
-        # Caitlynn
-        #
-        { # Primary Cell
-          publicKey = "Xbp3+huOWE0sTcWtk5BA2Qc4gk5vjFVgE6+qYJBpgkY=";
-          allowedIPs = [ "192.168.3.3/32" ];
-        }
-      ];
-
-      postSetup = ''
-        ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 192.168.3.0/24 -o eth0 -j MASQUERADE
-      '';
-      postShutdown = ''
-        ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 192.168.3.0/24 -o eth0 -j MASQUERADE
-      '';
-    };
-  };
-}
diff --git a/secrets.nix b/secrets.nix
index b816b04..73f2c40 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -17,5 +17,4 @@ in
   "secrets/restic/env.age" = { publicKeys = all; };
   "secrets/restic/repo.age" = { publicKeys = all; };
   "secrets/restic/password.age" = { publicKeys = all; };
-  "secrets/wireguard/server-private.age" = { publicKeys = all; };
 }
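Review bot: `allowedUDPPorts` still opens 51820 even though this same commit deletes nix/system/wireguard.nix, the only consumer of that port (`listenPort = 51820`), so a port with no listener stays open on the external interface and the list now mixes a stale literal with the live `config.services.tailscale.port`; `allowedUDPPorts = [ 53 config.services.tailscale.port ];` keeps only what is served. `nat.enable = true` no longer names an `externalInterface` or `internalInterfaces`, so the NAT module contributes only forwarding and the 100.64.0.0/10 masquerade lives in a hand-written `extraCommands`/`extraStopCommands` pair; `networking.nat.externalInterface = "enp1s0"; networking.nat.internalIPs = [ "100.64.0.0/10" ];` expresses the same rule declaratively and is torn down by the module without a manual `-D`. If the raw rule is deliberate (for instance because tailscaled's own masquerading of exit-node traffic was found insufficient, which I can't confirm from here), a one-line comment above `extraCommands` saying so would keep the next reader from "simplifying" it back.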
diff --git a/secrets/wireguard/server-private.age b/secrets/wireguard/server-private.age deleted file mode 100644 index 9d319dd..0000000 --- a/secrets/wireguard/server-private.age +++ /dev/null @@ -1,8 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 dQ70Fw ZqaqvUw6odr77kBeC+N9p8bFMYzD7MLCSAVi302J2VQ -BUJX5uq5cd3jOFNOUnDHdcxV8OPkcY+W/aJnY3XaLCI --> ssh-ed25519 ZIoeGg y4LMGxFwIpd96YK7HjOQoHumpYqTklh1i3utAUTrMgg -37dz1lwZoHwCwrTsaCnX9mrQzGrEoP5RHjNV0Kasid4 ---- 4tniCsqDuqZYGNn98GmgV8BS18E+0ANnjKWQU4wWHOs -¹Â?;HŠª ˜&{û Ńt•c«y8<#É༄ªm¾±äk8 -šPèKH¬ÆÁ±Ow˜Ôéf¶}¿Pº`¯¾+…ßÝ5wÉot \ No newline at end of file