deploy: mross

Author: Tchekda

.gitignore

@@ -9,4 +9,5 @@ ssl/*pem
 **/**.key
 hgunderson/qrcode.config
 kbennett/fider/secrets.nix
-kbennett/cf-apikey
+kbennett/cf-apikey
+mross/client_id

home-manager/hspecter/ssh.nix

@@ -10,9 +10,9 @@
       user = "root";
       port = 22101;
     };
-    pve = {
-      hostname = "proxmox.tchekda.fr";
-      user = "tchekda";
+    mross = {
+      hostname = "mross.tchekda.fr";
+      user = "root";
       port = 9137;
     };
     llitt = {

iso.nix

@@ -37,6 +37,8 @@
       shell = pkgs.fish;
       openssh.authorizedKeys.keys = [
         "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDAavYBAIwKDDixRTBJbSHMpkCeN6OMfAMoypSVdYAgpY3OILAUj/HoIJp1uIiKlxJ+v4gLDPjaPWmPPiOW2O4EEiCTEV22DlhcFQZs7DY1Pf7WQnUW1g4PI35LUEWlBOghnB+D11ltU5odTBPVgu1HxNX6pbE1r2MLvox8xt+PHkqXvaPDX7QGPBuAAusK8trEUROObc6+umHPH1VeTK7H810kSGDy1JVPQgK28byh/yJcoHL53XGZ+nCYiuZVFfPmLofPP+LGzulGT2TwNcUiAA8Wv7skSNUdjzXJ4KRZlqIsYiey1vx0hq3+whfC3vLwMBvz90v0HTW+xtEnX4vqR4SeFfRaLpUXpY8rceICgo3XnBQyn/2NNpmbRIJWowK0ENA58psbxo4Z+2qa0is3XLvVc2yqcdd2dLRr+gk3qwEIRcY1m+oGw2u4kv4RkTvboVPTdQozUcTB5EfLKRPB3DnVwULIYbt3QJ5CnW+v+PqinHc2vmAeUaKOEwfufdE= tchekda@hspecter"
+        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDGY/SVAkoinPz2YLLKMb29Qgv2dqSgU/dFnaxHaMPaG/SH6wzw3+mcS11flaU1ZJa3Q46fVEqOfAxu/VzXSx64ZQDKWWf7LQ+D5xSsaYPUSAqLQZ3OwATd6ZK+AOXVDStiB6JiWf0A0gaYWVfeZn7cH13WL8Px6kKmMCXrsHbo84dKuFeTDTafizH2nMC12jnf8vm/lSCc/Q7SNyqu3sXE8iU7/s2inG9s4GH5R3Ait9AoX50JHDQo2268NyjfWp8EQcLpUVRj4ujtqMtKHFzVKQacBTdzjfFJTIDSZhzF2+Dik1ZfmOjCsX2zzpIk5yZ02bBjZAzrVPwh4YwZRwwGsspx0yAdlrWaMEYc2YjY+TmVJfvZU6dz92oR4dNms7iTSHOIMu9eyhsIWR7+fOpm5mMPd6FvTMeNsip9iQPbG4rLQscN+vWNOXt+BY18MFIRJfjVM7XckGtHyjvl8lsGXWA7v5v+Wf7IuPIYERXHuNt5Ryd2SDsYaqlf4XZHy1hw3A4YQrVyiwmPhRKIf1ko9tsmT0/S/0eCr7EorbZnSAHvpDIlJVZ4hyyMe86qroO+rX8U0LXYXovZIYfFSn9CKEuEPGtI+/pJLrlHe5E49j6Jgmog+4Zc35dpOX5QH7rLxPydRMRPCW6+Iu4tsJ6sO2tfZDOeK/j9fTZXxK2C3Q== tchekda@termius"
+        "[email protected] AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIBb+pk3fohcBQEldw9/bGZe6Q8SVdJ54Sy0E+I6juVyrAAAABHNzaDo= tchekda@hspecter"
       ];
     };
   };

llitt/dn42/bird2.nix

@@ -12,8 +12,6 @@ let
 in
 {
 
-  imports = [ /home/tchekda/Prog/NixOS/nixpkgs/nixos/modules/services/networking/bird-lg.nix ];
-
   systemd.timers.dn42-roa = {
     description = "Trigger a ROA table update";
 
@@ -46,7 +44,7 @@ in
       proxy = {
         enable = true;
         listenAddress = "0.0.0.0:8000";
-        allowedIPs = [ "172.20.4.97" "172.20.4.98" ];
+        allowedIPs = [ "172.20.4.97" "172.20.4.98" "fd54:fe4b:9ed1:1::1" "fd54:fe4b:9ed1:2::1" ];
         birdSocket = "/var/run/bird/bird.ctl";
       };
       # frontend = {

mross/configuration.nix

@@ -0,0 +1,121 @@
+{ pkgs, ... }:
+let client_id = builtins.readFile ./client_id;
+in {
+  imports = [
+    ./hardware-configuration.nix
+    ../tchekda_user.nix
+    <home-manager/nixos>
+    (fetchTarball "https://github.com/msteen/nixos-vscode-server/tarball/master")
+    ./seedbox.nix
+    ./nginx.nix
+    ./containers.nix
+    ./wireguard.nix
+    ./dn42
+  ];
+
+  boot = {
+    cleanTmpDir = true;
+    kernelPackages = pkgs.linuxPackages_latest;
+    loader = {
+      grub = {
+        enable = true;
+        splashImage = null;
+        version = 2;
+      };
+    };
+  };
+
+  documentation.enable = false;
+
+  environment = {
+    etc."dhcpcd.duid".text = client_id;
+    systemPackages = with pkgs; [
+      dig
+      git
+      htop
+      iotop
+      lnav
+      nano
+      wget
+    ];
+  };
+
+  home-manager.users.tchekda = {
+    imports = [ ../home-manager/mross/default.nix ];
+  };
+
+  nix.gc = {
+    automatic = true;
+    dates = "daily";
+    options = "--delete-older-than 10d";
+  };
+
+  networking = {
+    dhcpcd = {
+      extraConfig = ''
+        allowinterfaces enp0s20f*
+        noarp
+        option rapid_commit
+        option host_name, routers
+        option interface_mtu
+        require dhcp_server_identifier
+        debug
+        clientid "${client_id}"
+        noipv6rs
+        interface enp0s20f0
+        ipv6rs
+        ia_pd 1/48 enp0s20f0
+        static ip6_address=2001:bc8:2e2a::1/48
+      '';
+      persistent = true;
+    };
+
+    firewall = {
+      logRefusedConnections = false;
+    };
+
+    hostName = "mross";
+
+    nameservers = [ "51.159.69.156" "51.159.69.162" "1.1.1.1" "1.0.0.1" "2606:4700:4700::1111" "2606:4700:4700::1001" ];
+
+    tempAddresses = "disabled";
+
+    useDHCP = true;
+  };
+
+  services = {
+    endlessh-go = {
+      enable = true;
+      openFirewall = true;
+      port = 22;
+    };
+    openssh = {
+      enable = true;
+      ports = [ 9137 ];
+    };
+    qemuGuest.enable = true;
+    vscode-server.enable = true;
+  };
+
+  system.stateVersion = "22.11"; # Did you read the comment?
+
+  systemd.services.dhcpcd.preStart = ''
+    cp ${pkgs.writeText "duid" client_id} /var/db/dhcpcd/duid
+  '';
+
+  time.timeZone = "Europe/Paris";
+
+  users.users = {
+    tchekda.extraGroups = [ "docker" ];
+    root = {
+      shell = pkgs.fish;
+      openssh.authorizedKeys.keys = [
+        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDGY/SVAkoinPz2YLLKMb29Qgv2dqSgU/dFnaxHaMPaG/SH6wzw3+mcS11flaU1ZJa3Q46fVEqOfAxu/VzXSx64ZQDKWWf7LQ+D5xSsaYPUSAqLQZ3OwATd6ZK+AOXVDStiB6JiWf0A0gaYWVfeZn7cH13WL8Px6kKmMCXrsHbo84dKuFeTDTafizH2nMC12jnf8vm/lSCc/Q7SNyqu3sXE8iU7/s2inG9s4GH5R3Ait9AoX50JHDQo2268NyjfWp8EQcLpUVRj4ujtqMtKHFzVKQacBTdzjfFJTIDSZhzF2+Dik1ZfmOjCsX2zzpIk5yZ02bBjZAzrVPwh4YwZRwwGsspx0yAdlrWaMEYc2YjY+TmVJfvZU6dz92oR4dNms7iTSHOIMu9eyhsIWR7+fOpm5mMPd6FvTMeNsip9iQPbG4rLQscN+vWNOXt+BY18MFIRJfjVM7XckGtHyjvl8lsGXWA7v5v+Wf7IuPIYERXHuNt5Ryd2SDsYaqlf4XZHy1hw3A4YQrVyiwmPhRKIf1ko9tsmT0/S/0eCr7EorbZnSAHvpDIlJVZ4hyyMe86qroO+rX8U0LXYXovZIYfFSn9CKEuEPGtI+/pJLrlHe5E49j6Jgmog+4Zc35dpOX5QH7rLxPydRMRPCW6+Iu4tsJ6sO2tfZDOeK/j9fTZXxK2C3Q== tchekda@termius"
+        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDAavYBAIwKDDixRTBJbSHMpkCeN6OMfAMoypSVdYAgpY3OILAUj/HoIJp1uIiKlxJ+v4gLDPjaPWmPPiOW2O4EEiCTEV22DlhcFQZs7DY1Pf7WQnUW1g4PI35LUEWlBOghnB+D11ltU5odTBPVgu1HxNX6pbE1r2MLvox8xt+PHkqXvaPDX7QGPBuAAusK8trEUROObc6+umHPH1VeTK7H810kSGDy1JVPQgK28byh/yJcoHL53XGZ+nCYiuZVFfPmLofPP+LGzulGT2TwNcUiAA8Wv7skSNUdjzXJ4KRZlqIsYiey1vx0hq3+whfC3vLwMBvz90v0HTW+xtEnX4vqR4SeFfRaLpUXpY8rceICgo3XnBQyn/2NNpmbRIJWowK0ENA58psbxo4Z+2qa0is3XLvVc2yqcdd2dLRr+gk3qwEIRcY1m+oGw2u4kv4RkTvboVPTdQozUcTB5EfLKRPB3DnVwULIYbt3QJ5CnW+v+PqinHc2vmAeUaKOEwfufdE= tchekda@hspecter"
+        "[email protected] AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBLM62vg0tFzObsAm+dojYFqX2yOizoprSIhoMNLJe37QV8XI8BexoYr6W3FgPEtiI5U5U1nCFtt9Pyzmjwcole0AAAAEc3NoOg== [email protected]"
+      ];
+    };
+  };
+
+  zramSwap.enable = true;
+}

mross/containers.nix

@@ -0,0 +1,32 @@
+{ pkgs, config, ... }:
+{
+  users.users.tchekda.extraGroups = [ "docker" ];
+  virtualisation = {
+    docker = {
+      enable = true;
+      extraOptions = "--ipv6 --fixed-cidr-v6 2001:bc8:2e2a:1::/64";
+    };
+    oci-containers = {
+      backend = "docker";
+      containers = {
+        flood = {
+          image = "jesec/flood";
+          cmd = [ "--allowedpath /srv" ];
+          user = "995:994"; #rtorrent:media
+          ports = [
+            "127.0.0.1:3000:3000"
+          ];
+          volumes = [
+            # Do not forget to chown rtorrent:media /etc/flood
+            "/etc/flood/config:/config"
+            "/srv:/srv"
+            "/run/rtorrent/rpc.sock:/run/rtorrent/rpc.sock"
+          ];
+          environment = {
+            HOME = "/config";
+          };
+        };
+      };
+    };
+  };
+}

mross/ct/dn42/gre.nix

@@ -2,27 +2,13 @@
 
 {
   services.bind = {
-    enable = true;
     cacheNetworks = [
       "127.0.0.1/32"
       "172.20.0.0/14"
       "fd00::/8"
       "::1/128"
     ];
-    zones = {
-      "tchekda.dn42" = {
-        file = "/etc/zones/tchekda.dn42";
-        master = true;
-      };
-      "96/29.4.20.172.in-addr.arpa" = {
-        file = "/etc/zones/ipv4.reverse";
-        master = true;
-      };
-      "1.d.e.9.b.4.e.f.4.5.d.f.ip6.arpa" = {
-        file = "/etc/zones/ipv6.reverse";
-        master = true;
-      };
-    };
+    enable = true;
     extraOptions = ''
       empty-zones-enable no;
       recursion yes;
@@ -59,6 +45,20 @@
         forwarders { 172.20.0.53; fd42:d42:d42:54::1; };
       };
     '';
-
+    forward = "only";
+    zones = {
+      "tchekda.dn42" = {
+        file = "/etc/zones/tchekda.dn42";
+        master = true;
+      };
+      "96/29.4.20.172.in-addr.arpa" = {
+        file = "/etc/zones/ipv4.reverse";
+        master = true;
+      };
+      "1.d.e.9.b.4.e.f.4.5.d.f.ip6.arpa" = {
+        file = "/etc/zones/ipv6.reverse";
+        master = true;
+      };
+    };
   };
 }

mross/ct/dn42/peers/gre.nix

@@ -12,8 +12,6 @@ let
 in
 {
 
-  imports = [ <nixos-unstable/nixos/modules/services/networking/bird-lg.nix> ];
-
   systemd.timers.dn42-roa = {
     description = "Trigger a ROA table update";
 
@@ -42,11 +40,12 @@ in
 
   services = {
     bird-lg = {
-      package = unstable.bird-lg;
+      package = pkgs.bird-lg;
       proxy = {
-        enable = true;
         allowedIPs = [ "172.20.4.97" "172.20.4.98" "fd54:fe4b:9ed1:1::1" "fd54:fe4b:9ed1:2::1" ];
         birdSocket = "/var/run/bird/bird.ctl";
+        enable = true;
+        listenAddress = "[fd54:fe4b:9ed1:1::1]:8000";
       };
       frontend = {
         enable = true;

mross/vm/deluge-auth mross/deluge-auth

@@ -1,9 +1,9 @@
 {
   imports = [
-    # ./wireguard.nix
+    ./wireguard.nix
     ./bird2.nix
     ./bind.nix
-    # ./gre.nix
+    # ./gre.nix # Doesn't work
   ];
 
   boot.kernel.sysctl = {