From f14a673f96b76a6f81ebc26840cd3d5e1e554778 Mon Sep 17 00:00:00 2001
From: Nathan McCarty
Date: Fri, 13 May 2022 22:36:53 -0400
Subject: [PATCH] Migrate shadowchild to flake
---
flake.nix | 19 +++++++++
hardware/shadowchild.nix | 14 +++++++
machines/shadowchild.nix | 83 ++++++++++++++++++++++++++++++++++++++++
3 files changed, 116 insertions(+)
create mode 100644 hardware/shadowchild.nix
create mode 100644 machines/shadowchild.nix
diff --git a/flake.nix b/flake.nix
index 26e18f1..1640a08 100644
--- a/flake.nix
+++ b/flake.nix
@@ -171,6 +171,25 @@
 ] ++ serverModules;
 };
 
+ shadowchild = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ specialArgs = {
+ unstable = import nixpkgs-unstable {
+ config = { allowUnfree = true; };
+ overlays = [ ];
+ system = "x86_64-linux";
+ };
+ fenix = fenix.packages.x86_64-linux;
+ };
+ modules = [
+ ./hardware/shadowchild.nix
+ ./machines/shadowchild.nix
+ ./home-linux.nix
+ ./applications/devel-rust.nix
+ ./modules/docker.nix
+ ] ++ serverModules;
+ };
+
 x86vm = nixpkgs.lib.nixosSystem {
 system = "x86_64-linux";
 specialArgs = {
diff --git a/hardware/shadowchild.nix b/hardware/shadowchild.nix
new file mode 100644
index 0000000..aab4a00
--- /dev/null
+++ b/hardware/shadowchild.nix
@@ -0,0 +1,14 @@
+{ modulesPath, ... }:
+{
+ imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+ boot.loader.grub = {
+ efiSupport = true;
+ efiInstallAsRemovable = true;
+ device = "nodev";
+ };
+ fileSystems."/boot" = { device = "/dev/disk/by-uuid/94E8-7477"; fsType = "vfat"; };
+ boot.initrd.kernelModules = [ "nvme" ];
+ fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; };
+
+ swapDevices = [{ device = "/swapfile"; }];
+}
diff --git a/machines/shadowchild.nix b/machines/shadowchild.nix
new file mode 100644
index 0000000..1635043
--- /dev/null
+++ b/machines/shadowchild.nix
@@ -0,0 +1,83 @@
+{ config, lib, pkgs, ... }:
+
+{
+ boot.cleanTmpDir = true;
+ networking.hostName = "shadowchild";
+ networking.domain = "mccarty.io";
+ networking.firewall.allowPing = true;
+
+ # Turn on nginx so we can get a lets encrypt cert
+ security.acme.email = "nathan@mccarty.io";
+ security.acme.acceptTerms = true;
+
+ services.nginx = {
+ enable = true;
+ recommendedTlsSettings = true;
+ recommendedOptimisation = true;
+ recommendedGzipSettings = true;
+ recommendedProxySettings = true;
+ virtualHosts."turn.community.rs" = {
+ enableACME = true;
+ forceSSL = true;
+ };
+ };
+
+ services.coturn = rec {
+ enable = true;
+ no-cli = true;
+ no-tcp-relay = true;
+ min-port = 49000;
+ max-port = 50000;
+ use-auth-secret = true;
+ static-auth-secret = "5C1rbLi5pPJhEGTzkVR1";
+ realm = "turn.community.rs";
+ cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
+ pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
+ extraConfig = ''
+ # for debugging
+ verbose
+ # ban private IP ranges
+ no-multicast-peers
+ denied-peer-ip=0.0.0.0-0.255.255.255
+ denied-peer-ip=10.0.0.0-10.255.255.255
+ denied-peer-ip=100.64.0.0-100.127.255.255
+ denied-peer-ip=127.0.0.0-127.255.255.255
+ denied-peer-ip=169.254.0.0-169.254.255.255
+ denied-peer-ip=192.0.0.0-192.0.0.255
+ denied-peer-ip=192.0.2.0-192.0.2.255
+ denied-peer-ip=192.88.99.0-192.88.99.255
+ denied-peer-ip=192.168.0.0-192.168.255.255
+ denied-peer-ip=198.18.0.0-198.19.255.255
+ denied-peer-ip=198.51.100.0-198.51.100.255
+ denied-peer-ip=203.0.113.0-203.0.113.255
+ denied-peer-ip=240.0.0.0-255.255.255.255
+ denied-peer-ip=::1
+ denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
+ denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
+ denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
+ denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
+ denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+ denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+ denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+ '';
+ };
+ # open the firewall
+ networking.firewall = {
+ interfaces.enp2s0 =
+ let
+ range = with config.services.coturn; [{
+ from = min-port;
+ to = max-port;
+ }];
+ in
+ {
+ allowedUDPPortRanges = range;
+ allowedUDPPorts = [ 3478 ];
+ allowedTCPPortRanges = range;
+ allowedTCPPorts = [ 3478 ];
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+ networking.firewall.allowedUDPPorts = [ 80 443 ];
+}
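Review bot: `static-auth-secret = "5C1rbLi5pPJhEGTzkVR1";` in the `services.coturn` block commits the TURN shared secret to the repository, and because it is set as a NixOS option it is also rendered into the generated turnserver configuration in the world-readable Nix store on the host. Whoever holds that value can derive valid TURN credentials and use this relay, so the secret should not live in evaluated config: the coturn module's `static-auth-secret-file` option (if the pinned nixpkgs provides it) reads it from a root-only file at runtime, and the value already pushed here should be treated as exposed and rotated. The `verbose` line under `# for debugging` also belongs behind a toggle rather than in a committed production config, since it enlarges the log volume for a service with a public UDP port. Separately, `networking.firewall.allowedUDPPorts = [ 80 443 ];` opens UDP ports that nginx is not configured to listen on in this file; unless HTTP/3 is intended, dropping that line keeps the exposed surface equal to what is actually served.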