authorBen Sima <ben@bsima.me>2023-10-09 15:12:06 -0400
committerBen Sima <ben@bsima.me>2023-10-10 13:16:49 -0400
commit39481b42c19f91ee714987176937c089d2c170cb (patch)
treed526d0e850ed94310cd566e3ac6917753b90bc5d /Biz/Dev
parent6baad9c5fae4a7b8ea07376a0be52443eaa488fa (diff)
Add beryllium and connect via VPN
I finally got everything set up for the new dev machine, but I ran into a networking problem: I can't tell my home router to expose the ssh port 22 to multiple hosts. I could have made beryllium use a different port, but instead I decided to use tailscale, and this seems to work well. I still don't have hostname routing working, but maybe that's a simple config in tailscale somewhere. Eventually I will get all intra-networking traffic to use a VPN, but for now just using it for beryllium is fine.
Diffstat (limited to 'Biz/Dev')
-rw-r--r--Biz/Dev/Beryllium.nix14
-rw-r--r--Biz/Dev/Beryllium/Configuration.nix134
-rw-r--r--Biz/Dev/Beryllium/Hardware.nix38
-rw-r--r--Biz/Dev/Lithium.nix28
-rw-r--r--Biz/Dev/Lithium/Configuration.nix (renamed from Biz/Dev/Configuration.nix)8
-rw-r--r--Biz/Dev/Lithium/Hardware.nix (renamed from Biz/Dev/Hardware.nix)0
-rw-r--r--Biz/Dev/Networking.nix5
-rw-r--r--Biz/Dev/Vpn.nix33
-rw-r--r--Biz/Dev/Wireguard.nix72
9 files changed, 251 insertions, 81 deletions
diff --git a/Biz/Dev/Beryllium.nix b/Biz/Dev/Beryllium.nix
new file mode 100644
index 0000000..b2dad1e
--- /dev/null
+++ b/Biz/Dev/Beryllium.nix
@@ -0,0 +1,14 @@
+{ nixpkgs ? import ../Bild.nix {} }:
+with nixpkgs;
+bild.os {
+ imports = [
+ ../OsBase.nix
+ ../Packages.nix
+ ../Users.nix
+ ./Beryllium/Configuration.nix
+ ./Beryllium/Hardware.nix
+ ./Vpn.nix
+ ];
+ networking.hostName = "beryllium";
+ networking.domain = "beryl.simatime.com";
+}
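Review bot: The new host module has no header comment, unlike Lithium.nix which opens with `# Dev machine for work and building stuff.`; a one-liner such as `# New dev desktop; joins the dev network over tailscale via ./Vpn.nix.` above `bild.os {` would keep the two host files parallel. Beryllium also imports neither ./Networking.nix nor ./Dns.nix while Lithium does — presumably intentional since this box is a desktop behind a home router, but a short comment in the import list saying so would stop a later reader from "fixing" it.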
diff --git a/Biz/Dev/Beryllium/Configuration.nix b/Biz/Dev/Beryllium/Configuration.nix
new file mode 100644
index 0000000..de88078
--- /dev/null
+++ b/Biz/Dev/Beryllium/Configuration.nix
@@ -0,0 +1,134 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, ... }:
+
+{
+ imports =
+ [ # Include the results of the hardware scan.
+ ./Hardware.nix
+ ];
+
+ # Bootloader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ # Enable networking
+ networking.networkmanager.enable = true;
+
+ # Set your time zone.
+ time.timeZone = "America/New_York";
+
+ # Select internationalisation properties.
+ i18n.defaultLocale = "en_US.UTF-8";
+
+ i18n.extraLocaleSettings = {
+ LC_ADDRESS = "en_US.UTF-8";
+ LC_IDENTIFICATION = "en_US.UTF-8";
+ LC_MEASUREMENT = "en_US.UTF-8";
+ LC_MONETARY = "en_US.UTF-8";
+ LC_NAME = "en_US.UTF-8";
+ LC_NUMERIC = "en_US.UTF-8";
+ LC_PAPER = "en_US.UTF-8";
+ LC_TELEPHONE = "en_US.UTF-8";
+ LC_TIME = "en_US.UTF-8";
+ };
+
+ # Enable the X11 windowing system.
+ services.xserver.enable = true;
+
+ # Enable the KDE Plasma Desktop Environment.
+ services.xserver.displayManager.sddm.enable = true;
+ services.xserver.desktopManager.plasma5.enable = true;
+
+ # Configure keymap in X11
+ services.xserver = {
+ layout = "us";
+ xkbVariant = "";
+ };
+
+ # Enable CUPS to print documents.
+ services.printing.enable = true;
+
+ # Enable sound with pipewire.
+ sound.enable = true;
+ hardware.pulseaudio.enable = false;
+ security.rtkit.enable = true;
+ services.pipewire = {
+ enable = true;
+ alsa.enable = true;
+ alsa.support32Bit = true;
+ pulse.enable = true;
+ # If you want to use JACK applications, uncomment this
+ #jack.enable = true;
+
+ # use the example session manager (no others are packaged yet so this is enabled by default,
+ # no need to redefine it in your config for now)
+ #media-session.enable = true;
+ };
+
+ # Enable touchpad support (enabled default in most desktopManager).
+ # services.xserver.libinput.enable = true;
+
+ #services.xserver.videoDrivers = [ "nvidia" ];
+ #hardware.nvidia.nvidiaPersistenced = true;
+ #hardware.nvidia.modesetting.enable = true;
+ #hardware.nvidia.powerManagement.enable = false;
+ #hardware.nvidia.open = true;
+ #hardware.nvidia.nvidiaSettings = true;
+
+ # Define a user account. Don't forget to set a password with ‘passwd’.
+ #users.users.ben = {
+ # isNormalUser = true;
+ # description = "Ben Sima";
+ # extraGroups = [ "networkmanager" "wheel" ];
+ # packages = with pkgs; [
+ # firefox
+ # kate
+ # # thunderbird
+ # ];
+ #};
+
+ # Enable automatic login for the user.
+ services.xserver.displayManager.autoLogin.enable = true;
+ services.xserver.displayManager.autoLogin.user = "ben";
+
+ # Allow unfree packages
+ nixpkgs.config.allowUnfree = true;
+
+ # List packages installed in system profile. To search, run:
+ # $ nix search wget
+ environment.systemPackages = with pkgs; [
+ # vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
+ # wget
+ ];
+
+ # Some programs need SUID wrappers, can be configured further or are
+ # started in user sessions.
+ # programs.mtr.enable = true;
+ # programs.gnupg.agent = {
+ # enable = true;
+ # enableSSHSupport = true;
+ # };
+
+ # List services that you want to enable:
+
+ # Enable the OpenSSH daemon.
+ # services.openssh.enable = true;
+
+ # Open ports in the firewall.
+ networking.firewall.allowedTCPPorts = [ 24800 ];
+ # networking.firewall.allowedUDPPorts = [ ... ];
+ # Or disable the firewall altogether.
+ # networking.firewall.enable = false;
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "23.05"; # Did you read the comment?
+
+}
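Review bot: `networking.firewall.allowedTCPPorts = [ 24800 ];` is the one non-template line in this file that widens exposure, yet it carries no comment about which service listens there, so it is opened on every interface with nothing to tell a future reader whether it is still needed (24800 is conventionally the Synergy/Barrier keyboard-and-mouse-sharing port — confirm). Since ./Vpn.nix already lists `tailscale0` under `trustedInterfaces`, a service that is only reached from VPN peers does not need this global rule at all; otherwise annotate it, e.g. `networking.firewall.allowedTCPPorts = [ 24800 ]; # <service> on the LAN — TODO confirm still required`. Worth a second look in the same file: `services.xserver.displayManager.autoLogin.enable = true;` with `autoLogin.user = "ben";` skips the login screen on a machine that this commit attaches to a shared VPN, so anyone with physical access gets a logged-in session. The remaining commented-out template blocks (user account, nvidia, openssh) are inherited from nixos-generate-config and could be trimmed so the file documents only what this host actually sets.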
diff --git a/Biz/Dev/Beryllium/Hardware.nix b/Biz/Dev/Beryllium/Hardware.nix
new file mode 100644
index 0000000..8c74e10
--- /dev/null
+++ b/Biz/Dev/Beryllium/Hardware.nix
@@ -0,0 +1,38 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-amd" ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/f96eaa16-d0e2-4230-aece-131ce7b630da";
+ fsType = "ext4";
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/A34A-6527";
+ fsType = "vfat";
+ };
+
+ swapDevices = [ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp97s0.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp99s0.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/Biz/Dev/Lithium.nix b/Biz/Dev/Lithium.nix
new file mode 100644
index 0000000..d3b17b7
--- /dev/null
+++ b/Biz/Dev/Lithium.nix
@@ -0,0 +1,28 @@
+{ nixpkgs ? import ../Bild.nix {} }:
+with nixpkgs;
+# Dev machine for work and building stuff.
+
+bild.os {
+ imports = [
+ ../OsBase.nix
+ ../Packages.nix
+ ../Users.nix
+ ./Lithium/Configuration.nix
+ ./Lithium/Hardware.nix
+ ./Hoogle.nix
+ ./Networking.nix
+ ./Dns.nix
+ ../Dragons.nix
+ #./Guix.nix # I need to package a bunch of guile libs first
+ ./Vpn.nix
+ ];
+ networking.hostName = "lithium";
+ networking.domain = "dev.simatime.com";
+ services.dragons = {
+ enable = true;
+ port = 8095;
+ package = bild.run ../Dragons.hs;
+ keep = "/var/dragons/keep";
+ depo = "/var/dragons/depo";
+ };
+}
diff --git a/Biz/Dev/Configuration.nix b/Biz/Dev/Lithium/Configuration.nix
index 7fdefa4..7434b3f 100644
--- a/Biz/Dev/Configuration.nix
+++ b/Biz/Dev/Lithium/Configuration.nix
@@ -1,8 +1,8 @@
{ config, lib, pkgs, ... }:
let
- ghcCompiler = (import ../Bild/Constants.nix).ghcCompiler;
- ports = import ../Cloud/Ports.nix;
+ ghcCompiler = (import ../../Bild/Constants.nix).ghcCompiler;
+ ports = import ../../Cloud/Ports.nix;
in {
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
@@ -63,7 +63,7 @@ in {
services.my-hoogle.enable = true;
services.my-hoogle.port = ports.hoogle;
services.my-hoogle.home = "//hoogle.simatime.com";
- services.my-hoogle.packages = pkgset: lib.attrsets.attrVals (import ../Bild/Deps/Haskell.nix) pkgset;
+ services.my-hoogle.packages = pkgset: lib.attrsets.attrVals (import ../../Bild/Deps/Haskell.nix) pkgset;
services.my-hoogle.haskellPackages = pkgs.haskell.packages.${ghcCompiler};
services.my-hoogle.host = "0.0.0.0";
@@ -195,7 +195,7 @@ in {
# 1 job * 2 cores = 2 maximum cores used at any one time
nix.settings.max-jobs = 1;
nix.sshServe.enable = true;
- nix.sshServe.keys = lib.trivial.pipe ../Keys/Ben.pub [
+ nix.sshServe.keys = lib.trivial.pipe ../../Keys/Ben.pub [
builtins.readFile
(lib.strings.splitString "\n")
(lib.filter (s: s != ""))
diff --git a/Biz/Dev/Hardware.nix b/Biz/Dev/Lithium/Hardware.nix
index 4d835aa..4d835aa 100644
--- a/Biz/Dev/Hardware.nix
+++ b/Biz/Dev/Lithium/Hardware.nix
diff --git a/Biz/Dev/Networking.nix b/Biz/Dev/Networking.nix
index ac80b71..1a28b56 100644
--- a/Biz/Dev/Networking.nix
+++ b/Biz/Dev/Networking.nix
@@ -44,11 +44,6 @@ in {
allowedUDPPortRanges = [
ports.torrents
];
- checkReversePath = false;
- #extraCommands = lib.mkMerge [ (lib.mkAfter ''
- # iptables -w -t filter -A nixos-fw -s 192.168.0.0/24 -p udp --dport 53 -i enp1s0 -j nixos-fw-accept
- # iptables -w -t filter -A nixos-fw -s 192.168.0.0/24 -p tcp --dport 53 -i enp1s0 -j nixos-fw-accept
- #'') ];
};
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
diff --git a/Biz/Dev/Vpn.nix b/Biz/Dev/Vpn.nix
new file mode 100644
index 0000000..5a3c3e6
--- /dev/null
+++ b/Biz/Dev/Vpn.nix
@@ -0,0 +1,33 @@
+{ config, ... }:
+
+let
+ ports = import ../Cloud/Ports.nix;
+ domain = "headscale.simatime.com";
+in {
+ services.headscale = {
+ enable = true;
+ address = "0.0.0.0";
+ port = ports.headscale;
+ settings = {};
+ };
+
+ services.nginx.virtualHosts.${domain} = {
+ forceSSL = true;
+ enableAcme = true;
+ locations."/" = {
+ proxyPass = "http://localhost:${toString ports.headscale}";
+ proxyWebsockets = true;
+ };
+ };
+
+ environment.systemPackages = [ config.services.headscale.package ];
+
+ services.tailscale.enable = true;
+
+ networking.firewall = {
+ checkReversePath = "loose";
+ trustedInterfaces = [ "tailscale0" ];
+ allowedUDPPorts = [ config.services.tailscale.port ];
+ };
+
+}
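Review bot: The nginx virtualHost sets `enableAcme = true;`, but the NixOS option is spelled `enableACME`; as written the module system should reject it as an undefined option at evaluation, so this line likely needs to become `enableACME = true;` (confirm against the deployed evaluation — if it evaluates, the certificate is not being requested). Because nginx is the only intended front door, `address = "0.0.0.0";` on the headscale service exposes the coordination server's plain HTTP listener on every interface, including the fully trusted `tailscale0`; binding it with `address = "127.0.0.1";` keeps it reachable only through the TLS vhost. This file is imported by both Beryllium.nix and Lithium.nix, so each host would run its own headscale server and both would try to own `headscale.simatime.com`; splitting the server half (`services.headscale`, the nginx vhost, the headscale package) into a module imported by the single host that serves that domain, and leaving only the tailscale client plus the firewall settings here, avoids two control planes and duplicate ACME issuance. `settings = {};` also leaves headscale with no `server_url` or DNS configuration, which may be what is behind the hostname routing still not working per the commit message — worth a comment recording what is intentionally left at defaults.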
diff --git a/Biz/Dev/Wireguard.nix b/Biz/Dev/Wireguard.nix
deleted file mode 100644
index 90f425e..0000000
--- a/Biz/Dev/Wireguard.nix
+++ /dev/null
@@ -1,72 +0,0 @@
-{ lib, pkgs, ... }:
-
-/*
-Wireguard VPN server
-
-References:
-
-- https://nixos.wiki/wiki/WireGuard
-- https://wireguard.how/client/ios/
-*/
-
-let
- ports = import ../Cloud/Ports.nix;
- ips = "10.100.0.1/24";
-
- # a micro-library for creating iptables rules
- iptables = rec {
- bin = "${pkgs.iptables/bin/iptables}";
- append = {source}: lib.concatSep " " [
- bin
- "--table" "nat"
- "--append" "POSTROUTING"
- "--source" source
- "--out-interface" "eth0"
- "--jump" "MASQUERADE"
- ];
- delete = {source}: lib.concatSep " " [
- bin
- "--table" "nat"
- "--delete" "POSTROUTING"
- "--source" source
- "--out-interface" "eth0"
- "--jump" "MASQUERADE"
- ];
-
- };
-in {
- networking.nat.enable = true;
- networking.nat.externalInterface = "eth0";
- networking.nat.internalInterfaces = [ "wg0" ];
- networking.firewall.allowedUDPPorts = [ ports.wireguard ];
-
- networking.wireguard-tools.enable = true;
-
- networking.wireguard-tools.interfaces = {
- wg0 = {
- ips = [ ips ];
- allowedIPsAsRoutes = true;
- listenPort = ports.wireguard;
- postSetup = ''
- ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s ${ips} -o eth0 -j MASQUERADE
- '';
-
- postShutdown = ''
- ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s ${ips} -o eth0 -j MASQUERADE
- '';
-
- privateKeyFile = "/var/wireguard/private";
-
- peers = [
- #{ # helium
- # publicKey = "";
- # allowedIPs = [ "10.100.0.2/32" ];
- #}
- { # ben's iPhone
- publicKey = "SIBIfPLhzuV1S1FZtm5JQtDbl0ehnH+Y3CpoZ2eZ3gc=";
- allowedIPs = [ "10.100.0.3/32" ];
- }
- ];
- };
- };
-}