authorBen Sima <ben@bsima.me>2021-10-17 11:52:47 -0400
committerBen Sima <ben@bsima.me>2021-11-26 13:47:38 -0500
commitf432b7057738cb5123c8e1b506a2a1199e71ee72 (patch)
treef9a1f2eda099530934ea1f56d58ea08ba25e304b
parent8e1340bda701171e3557840332c4f3c30e1afc28 (diff)
Update cloud services
Rebuilt email server, started wireguard setup.
-rw-r--r--Biz/Bild/Sources.json8
-rw-r--r--Biz/Cloud.nix11
-rw-r--r--Biz/Cloud/Git.nix2
-rw-r--r--Biz/Cloud/Hardware.nix7
-rw-r--r--Biz/Cloud/Mail.nix7
-rw-r--r--Biz/Cloud/Networking.nix45
-rw-r--r--Biz/Cloud/Ports.nix4
-rw-r--r--Biz/Cloud/Web.nix28
-rw-r--r--Biz/Cloud/Znc.nix12
-rw-r--r--Biz/Dev.nix1
-rw-r--r--Biz/Dev/Configuration.nix22
-rw-r--r--Biz/Dev/Hardware.nix7
-rw-r--r--Biz/Dev/Wireguard.nix72
-rw-r--r--Biz/OsBase.nix1
-rw-r--r--Biz/Packages.nix1
15 files changed, 157 insertions, 71 deletions
diff --git a/Biz/Bild/Sources.json b/Biz/Bild/Sources.json
index 0b2ab61..7659958 100644
--- a/Biz/Bild/Sources.json
+++ b/Biz/Bild/Sources.json
@@ -142,13 +142,13 @@
"description": "Nix Packages collection",
"homepage": "git://simatime.com/nixpkgs.git",
"name": "nixpkgs",
- "owner": "simatime",
- "repo": "git://simatime.com/nixpkgs.git",
+ "owner": "bsima",
+ "repo": "nixpkgs",
"rev": "11452e4fe3b4afe566b47f1f85c2cec863a4f5bb",
"sha256": "0csm6wxf1s6vx9kl0yl28lgiwnxans0023ib47qlrjbkmpaqy4b8",
"type": "tarball",
- "url": "https://simatime.com/archive/nixpkgs/biz/11452e4fe3b4afe566b47f1f85c2cec863a4f5bb.tar.gz",
- "url_template": "https://simatime.com/archive/<name>/<branch>/<rev>.tar.gz"
+ "url": "https://github.com/bsima/nixpkgs/archive/11452e4fe3b4afe566b47f1f85c2cec863a4f5bb.tar.gz",
+ "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
},
"regex-applicative": {
"branch": "master",
diff --git a/Biz/Cloud.nix b/Biz/Cloud.nix
index 2a30b48..95d0150 100644
--- a/Biz/Cloud.nix
+++ b/Biz/Cloud.nix
@@ -2,12 +2,6 @@
# Cloud infrastructure, always online. Mostly for messaging-related stuff.
-let
- #nixos-mailserver = let ver = "v2.3.0"; in builtins.fetchTarball {
- # url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/${ver}/nixos-mailserver-${ver}.tar.gz";
- # sha256 = "0lpz08qviccvpfws2nm83n7m2r8add2wvfg9bljx9yxx8107r919";
- #};
-in
bild.os {
imports = [
./OsBase.nix
@@ -15,7 +9,6 @@ bild.os {
./Users.nix
./Cloud/Chat.nix
./Cloud/Git.nix
- ./Cloud/Grocy.nix
./Cloud/Hardware.nix
./Cloud/Mail.nix
./Cloud/Networking.nix
@@ -25,6 +18,6 @@ bild.os {
];
networking.hostName = "simatime";
networking.domain = "simatime.com";
- # the datacenter for this VM is in SF
- time.timeZone = "America/Los_Angeles";
+ # the datacenter for this VM is in NYC
+ time.timeZone = "America/New_York";
}
diff --git a/Biz/Cloud/Git.nix b/Biz/Cloud/Git.nix
index bc9812c..eb61a10 100644
--- a/Biz/Cloud/Git.nix
+++ b/Biz/Cloud/Git.nix
@@ -1,7 +1,7 @@
{ pkgs, lib, config, ... }:
let
- root = "/srv/git";
+ root = "/var/git";
in {
services = {
gitolite = {
diff --git a/Biz/Cloud/Hardware.nix b/Biz/Cloud/Hardware.nix
index 20eab30..ab775dc 100644
--- a/Biz/Cloud/Hardware.nix
+++ b/Biz/Cloud/Hardware.nix
@@ -1,8 +1,7 @@
-{ ... }:
+{ modulesPath, ... }:
{
+ imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot.loader.grub.device = "/dev/vda";
+ boot.initrd.kernelModules = [ "nvme" ];
fileSystems."/" = { device = "/dev/vda1"; fsType = "ext4"; };
- swapDevices = [
- { device = "/swapfile"; } # 4GB
- ];
}
diff --git a/Biz/Cloud/Mail.nix b/Biz/Cloud/Mail.nix
index e3ddc06..ecb64ff 100644
--- a/Biz/Cloud/Mail.nix
+++ b/Biz/Cloud/Mail.nix
@@ -20,7 +20,7 @@
loginAccounts = {
"ben@simatime.com" = {
- hashedPassword = "$6$Xr180W0PqprtaFB0$9S/Ug1Yz11CaWO7UdVJxQLZWfRUE3/rarB0driXkXALugEeQDLIjG2STGQBLU23//JtK3Mz8Kwsvg1/Zo0vD2/";
+ hashedPasswordFile = "/home/ben/hashed-mail-password";
aliases = [
# my default email
"ben@bsima.me"
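Review bot: `hashedPasswordFile = "/home/ben/hashed-mail-password"` puts the credential under a user's home directory, so its protection now depends on that directory's mode and on the mail service account (presumably dovecot) being able to read it. A root-owned file outside `/home` (for example under `/var/lib` or `/etc`, mode 0400) with an explicit deployment step would make ownership and readability deliberate rather than a side effect of the home directory's permissions. The `loginAccounts` set this entry belongs to continues outside the hunk.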
@@ -31,6 +31,11 @@
catchAll = [ "simatime.com" "bsima.me" ];
quota = "10G";
};
+ "dev@simatime.com" = {
+ hashedPasswordFile = "/home/ben/hashed-mail-password";
+ aliases = [ "dev@bsima.me" ];
+ quota = "10G";
+ };
"nick@simatime.com" = {
hashedPassword = "$6$31P/Mg8k8Pezy1e$Fn1tDyssf.1EgxmLYFsQpSq6RP4wbEvP/UlBlXQhyKA9FnmFtJteXsbJM1naa8Kyylo8vZM9zmeoSthHS1slA1";
aliases = [
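Review bot: `nick@simatime.com` keeps an inline `hashedPassword` (the context line right after the added block) while the commit moves ben's hash out to a file; an inline hash is committed to the repository and, since the mail configuration is generated from it, likely ends up in a world-readable Nix store path where it can be cracked offline, so it should move to a `hashedPasswordFile` too. The new `dev@simatime.com` account reuses `/home/ben/hashed-mail-password`, the same file as ben's account, so one secret now unlocks two mailboxes; if that is intended a comment such as `# shares ben's password file on purpose` would stop a reader treating it as a copy-paste slip, otherwise give it its own file. The `nick@simatime.com` entry continues outside the hunk.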
diff --git a/Biz/Cloud/Networking.nix b/Biz/Cloud/Networking.nix
index fa41650..05a1608 100644
--- a/Biz/Cloud/Networking.nix
+++ b/Biz/Cloud/Networking.nix
@@ -1,42 +1,31 @@
-{ lib, config, ... }:
-
-let
- ports = import ./Ports.nix;
-in {
+{ lib, ... }: {
+ # This file was populated at runtime with the networking
+ # details gathered from the active system.
networking = {
- firewall = {
- allowedTCPPorts = [
- ports.ssh
- ports.git
- ports.http
- ports.https
- ports.sabten
- ports.gemini
- ports.radicale
- ];
- };
- nameservers = [
- "67.207.67.2"
- "67.207.67.3"
- ];
- defaultGateway = "159.89.128.1";
- defaultGateway6 = "2604:a880:2:d0::1";
+ nameservers = [ "8.8.8.8"
+ ];
+ defaultGateway = "143.198.112.1";
+ defaultGateway6 = "2604:a880:400:d0::1";
dhcpcd.enable = false;
- usePredictableInterfaceNames = lib.mkForce true;
+ usePredictableInterfaceNames = lib.mkForce false;
interfaces = {
eth0 = {
ipv4.addresses = [
- { address="159.89.128.69"; prefixLength=20; }
- { address="10.46.0.6"; prefixLength=16; }
+ { address="143.198.118.179"; prefixLength=20; }
+{ address="10.10.0.7"; prefixLength=16; }
];
ipv6.addresses = [
- { address="2604:a880:2:d0::35:c001"; prefixLength = 64; }
- { address="fe80::e899:c0ff:fe9c:e194"; prefixLength = 64; }
+ { address="2604:a880:400:d0::19f1:7001"; prefixLength=64; }
+{ address="fe80::a06e:26ff:fee1:941"; prefixLength=64; }
];
+ ipv4.routes = [ { address = "143.198.112.1"; prefixLength = 32; } ];
+ ipv6.routes = [ { address = "2604:a880:400:d0::1"; prefixLength = 128; } ];
};
+
};
};
services.udev.extraRules = ''
- ATTR{address}=="ea:99:c0:9c:e1:94", NAME="eth0"
+ ATTR{address}=="a2:6e:26:e1:09:41", NAME="eth0"
+ ATTR{address}=="f2:4e:52:1a:72:ef", NAME="eth1"
'';
}
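Review bot: The `networking.firewall.allowedTCPPorts` list removed here now exists only in Web.nix, so whether `ports.ssh` and `ports.git` are reachable on this host depends on the web module being imported; keeping the SSH/git entries in this file (or a dedicated Firewall.nix) and leaving only web-facing ports in Web.nix would keep the host reachable if the web module is ever dropped. The new header comment `# This file was populated at runtime with the networking details gathered from the active system.` describes a generated file, but this is checked-in configuration that is edited by hand, so reword it to say where the addresses come from (e.g. `# addresses and gateways as assigned by the hosting provider for this VM`). The added lines `{ address="10.10.0.7"; prefixLength=16; }` and `{ address="fe80::a06e:26ff:fee1:941"; prefixLength=64; }` have lost their indentation relative to the entry above each of them. The udev rule now also names `eth1`, but no `eth1` interface is configured, so a comment saying it is intentionally left unconfigured would help.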
diff --git a/Biz/Cloud/Ports.nix b/Biz/Cloud/Ports.nix
index 636c797..ad5ddc9 100644
--- a/Biz/Cloud/Ports.nix
+++ b/Biz/Cloud/Ports.nix
@@ -19,6 +19,8 @@
radicale = 5232;
sabten = 8080;
ssh = 22;
- tor = 143;
+ tor = 144;
torrents = { from = 3000; to = 3099; };
+ wireguard = 51820;
+ znc = 5000;
}
diff --git a/Biz/Cloud/Web.nix b/Biz/Cloud/Web.nix
index 9899258..68ff19e 100644
--- a/Biz/Cloud/Web.nix
+++ b/Biz/Cloud/Web.nix
@@ -5,6 +5,19 @@ let
ports = import ./Ports.nix;
in
{
+ networking.firewall = {
+ allowedTCPPorts = [
+ ports.ssh
+ ports.git
+ ports.http
+ ports.https
+ ports.sabten
+ ports.gemini
+ ports.radicale
+ ports.znc
+ ];
+ };
+
services = {
radicale = {
enable = true;
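Review bot: `ports.znc` is added to the public TCP allow-list, which exposes the bouncer's listener directly to the internet; the Znc.nix hunks in this commit do not show the listener block, so confirm it is configured with `SSL = true` and that the admin user is never authenticated in cleartext. A one-line comment next to `ports.znc` naming the expectation (`# TLS-only listener, see Znc.nix`) would let the next reader check it without opening the other file. The `services` set that follows continues outside the hunk.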
@@ -23,10 +36,10 @@ in
listen = "0.0.0.0:${toString ports.gemini} [::]:${toString ports.gemini}";
":tls" = { store = "/var/lib/gmnisrv"; };
"bsima.me" = {
- "root" = "/srv/www/ben";
+ "root" = "/var/web/ben";
};
"simatime.com" = {
- "root" = "/srv/www/simatime.com";
+ "root" = "/var/web/simatime.com";
"cgi" = "on";
};
};
@@ -49,14 +62,14 @@ in
enableACME = true;
locations = {
"/" = {
- root = "/srv/www/simatime.com";
+ root = "/var/web/simatime.com";
extraConfig = ''
autoindex on;
'';
};
# serve /~$USER paths
"~ ^/~(.+?)(/.*)?$" = {
- alias = "/srv/www/$1$2";
+ alias = "/var/web/$1$2";
index = "index.html index.htm";
extraConfig = ''
autoindex on;
@@ -89,7 +102,7 @@ in
"bsima.me" = {
locations."/" = {
- root = "/srv/www/ben";
+ root = "/var/web/ben";
index = "index.html index.htm";
extraConfig = ''
autoindex on;
@@ -161,10 +174,6 @@ in
};
};
- "grocy.${rootDomain}" = {
- useACMEHost = rootDomain;
- forceSSL = true;
- };
};
};
};
@@ -182,6 +191,5 @@ in
"sabten"
"cal"
"notebook"
- "grocy"
];
}
diff --git a/Biz/Cloud/Znc.nix b/Biz/Cloud/Znc.nix
index 0ba8d6a..5ec4e56 100644
--- a/Biz/Cloud/Znc.nix
+++ b/Biz/Cloud/Znc.nix
@@ -19,13 +19,13 @@ N.B.: generate znc passwords with 'nix-shell -p znc --command "znc --makepass"'
];
useLegacyConfig = false;
config = {
- LoadModule = [ "adminlog" "sasl" ];
+ LoadModule = [ "adminlog" ];
Motd = "welcome to znc.simatime.com";
User.bsima = {
Admin = true;
Nick = "bsima";
AltNick = "bsima1";
- LoadModule = [ "chansaver" "controlpanel" "log" "sasl" ];
+ LoadModule = [ "chansaver" "controlpanel" "log" ];
Network = {
#efnet = {
# Server = "irc.efnet.info +6697";
@@ -57,6 +57,14 @@ N.B.: generate znc passwords with 'nix-shell -p znc --command "znc --makepass"'
"#home-manager" = {};
};
};
+ zeronode = {
+ Server = "irc.zeronode.net +6667";
+ LoadModule = [ "simple_away" "nickserv" ];
+ Nick = "ben";
+ Chan = {
+ "#NoAgenda" = {};
+ };
+ };
#sorcery = {
# Server = "irc.sorcery.net +6697";
#};
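Review bot: `Server = "irc.zeronode.net +6667";` uses the `+` prefix, which asks ZNC to connect with TLS, on 6667, the conventional plaintext IRC port, whereas every other network in this file uses `+6697`; confirm that the server actually offers TLS on 6667, otherwise the connection will fail, and if plaintext is what is intended drop the `+` and note the decision with a comment. Because `sasl` was removed from the module lists in the previous hunk, identification for this network goes through the `nickserv` module, which sends the password as an ordinary IRC message, so the TLS question matters for the credential as well as the chat. The `Network` set this entry belongs to continues outside the hunk.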
diff --git a/Biz/Dev.nix b/Biz/Dev.nix
index 0f9b07c..e0eb89a 100644
--- a/Biz/Dev.nix
+++ b/Biz/Dev.nix
@@ -11,6 +11,7 @@ bild.os {
./Dev/Hardware.nix
./Dev/Hoogle.nix
./Dragons.nix
+ ./Dev/Wireguard.nix
# ./Dev/Guix.nix # I need to package a bunch of guile libs first
];
networking.hostName = "lithium";
diff --git a/Biz/Dev/Configuration.nix b/Biz/Dev/Configuration.nix
index 2dcc816..8eb4958 100644
--- a/Biz/Dev/Configuration.nix
+++ b/Biz/Dev/Configuration.nix
@@ -5,7 +5,7 @@ let
ports = import ../Cloud/Ports.nix;
in {
networking = {
- nameservers = [ "1.1.1.1" "8.8.8.8" ];
+ nameservers = [ "1.1.1.1" ];
hostName = "lithium";
hosts = {
"::1" = [ "localhost" "ipv6-localhost" "ipv6-loopback" ];
@@ -13,17 +13,22 @@ in {
firewall = {
allowedTCPPorts = [
- 22 8000 8443 443 # standard ports
- 500 10000 # no idea
- ports.jellyfin
+ ports.bitcoind
ports.delugeWeb
- ports.murmur
+ ports.et
+ ports.gemini
+ ports.git
+ ports.http
+ ports.https
+ ports.jellyfin
+ ports.jupyter
ports.mpd
ports.mpd-stream
+ ports.murmur
+ ports.radicale
+ ports.sabten
+ ports.ssh
ports.tor
- ports.et
- ports.bitcoind
- ports.jupyter
];
allowedTCPPortRanges = [
ports.torrents
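Review bot: The allow-list on this dev host grows from a handful of entries to what looks like the full set of cloud services (`ports.gemini`, `ports.git`, `ports.http`, `ports.https`, `ports.radicale`, `ports.sabten`, ...), which opens inbound holes for services that may not run on this machine; each entry should correspond to a service enabled in this host's configuration, and a short comment per group (for example `# served by Web.nix` / `# local media`) would let a reader verify that. Replacing the bare `22 8000 8443 443` and the `500 10000 # no idea` line with named ports is an improvement, but the list should not be allowed to accumulate unexplained entries again. The `firewall` set continues outside the hunk.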
@@ -61,6 +66,7 @@ in {
environment.systemPackages = [
pkgs.wemux
pkgs.tmux
+ pkgs.wireguard
];
nixpkgs = {
diff --git a/Biz/Dev/Hardware.nix b/Biz/Dev/Hardware.nix
index 9297d66..dc5b573 100644
--- a/Biz/Dev/Hardware.nix
+++ b/Biz/Dev/Hardware.nix
@@ -8,9 +8,12 @@
[ (modulesPath + "/installer/scan/not-detected.nix")
];
- boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
+ boot.initrd.availableKernelModules = [
+ "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod"
+ ];
boot.kernelModules = [ "kvm-intel" ];
- boot.extraModulePackages = [ ];
+ boot.extraModulePackages = [
+ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/f08dd8f9-787c-4e2a-a0cc-7019edc2ce2b";
diff --git a/Biz/Dev/Wireguard.nix b/Biz/Dev/Wireguard.nix
new file mode 100644
index 0000000..5703f3d
--- /dev/null
+++ b/Biz/Dev/Wireguard.nix
@@ -0,0 +1,72 @@
+{ lib, config, pkgs, ... }:
+
+/*
+Wireguard VPN server
+
+References:
+
+- https://nixos.wiki/wiki/WireGuard
+- https://wireguard.how/client/ios/
+*/
+
+let
+ ports = import ../Cloud/Ports.nix;
+ ips = "10.100.0.1/24";
+
+ # a micro-library for creating iptables rules
+ iptables = rec {
+ bin = "${pkgs.iptables/bin/iptables}";
+ append = {source}: lib.concatSep " " [
+ bin
+ "--table" "nat"
+ "--append" "POSTROUTING"
+ "--source" source
+ "--out-interface" "eth0"
+ "--jump" "MASQUERADE"
+ ];
+ delete = {source}: lib.concatSep " " [
+ bin
+ "--table" "nat"
+ "--delete" "POSTROUTING"
+ "--source" source
+ "--out-interface" "eth0"
+ "--jump" "MASQUERADE"
+ ];
+
+ };
+in {
+ networking.nat.enable = true;
+ networking.nat.externalInterface = "eth0";
+ networking.nat.internalInterfaces = [ "wg0" ];
+ networking.firewall.allowedUDPPorts = [ ports.wireguard ];
+
+ networking.wireguard.enable = true;
+
+ networking.wireguard.interfaces = {
+ wg0 = {
+ ips = [ ips ];
+ allowedIPsAsRoutes = true;
+ listenPort = ports.wireguard;
+ postSetup = ''
+ ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s ${ips} -o eth0 -j MASQUERADE
+ '';
+
+ postShutdown = ''
+ ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s ${ips} -o eth0 -j MASQUERADE
+ '';
+
+ privateKeyFile = "/var/wireguard/private";
+
+ peers = [
+ #{ # helium
+ # publicKey = "TODO";
+ # allowedIPs = [ "10.100.0.2/32" ];
+ #}
+ { # ben's iPhone
+ publicKey = "SIBIfPLhzuV1S1FZtm5JQtDbl0ehnH+Y3CpoZ2eZ3gc=";
+ allowedIPs = [ "10.100.0.3/32" ];
+ }
+ ];
+ };
+ };
+}
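Review bot: The `iptables` helper at the top of the `let` is never used (postSetup and postShutdown inline their own commands), and it contains two errors that Nix's laziness hides: `bin = "${pkgs.iptables/bin/iptables}";` is likely parsed as a relative path literal rather than the intended `bin = "${pkgs.iptables}/bin/iptables";`, and `lib.concatSep` is not a nixpkgs lib function (`lib.concatStringsSep` is). Either delete the helper or fix those two lines and call it from the hooks, so that the code that is kept is code that evaluates. Separately, `networking.nat.enable = true` with `internalInterfaces = [ "wg0" ]` and `externalInterface = "eth0"` presumably already installs a MASQUERADE rule for wg0 traffic, so the manual POSTROUTING rules in postSetup/postShutdown look redundant; keep one mechanism and say so in a comment. The `config` argument in the module's parameter set is unused and can be dropped.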
diff --git a/Biz/OsBase.nix b/Biz/OsBase.nix
index 095b9ad..c9f9f9a 100644
--- a/Biz/OsBase.nix
+++ b/Biz/OsBase.nix
@@ -7,7 +7,6 @@
nix.gc.dates = "Sunday 02:15";
nix.optimise.automatic = true;
nix.optimise.dates = [ "Sunday 02:30" ];
- #nixpkgs.overlays = overlays;
programs.mosh.enable = true;
programs.mosh.withUtempter = true;
security.acme.email = "ben@bsima.me";
diff --git a/Biz/Packages.nix b/Biz/Packages.nix
index 4de578f..2538546 100644
--- a/Biz/Packages.nix
+++ b/Biz/Packages.nix
@@ -16,6 +16,7 @@ with pkgs;
traceroute
vim
vnstat
+ wireguard
wget
];
}