move some stuff into hosts/hostname/profiles

2025-06-06 11:28:00 +02:00 · 2025-06-06 11:28:00 +02:00 · e2946e4a1f
commit e2946e4a1f
parent 9c9a3d543c
33 changed files with 14 additions and 14 deletions
--- a/hosts/rackserv/profiles/backups.nix
+++ b/hosts/rackserv/profiles/backups.nix
@ -0,0 +1,18 @@
+{config, ...}: {
+  services.restic.backups.rackserv = {
+    initialize = true;
+    inhibitsSleep = true;
+    repository = "rest:http://nixdesk:8000/rackserv";
+    passwordFile = config.sops.secrets.restic-password.path;
+    timerConfig = {
+      OnCalendar = "18:00";
+      Persistent = true;
+      RandomizedDelaySec = "1h";
+    };
+    pruneOpts = [
+      "--keep-daily 7"
+      "--keep-weekly 5"
+      "--keep-monthly 3"
+    ];
+  };
+}
--- a/hosts/rackserv/profiles/caddy.nix
+++ b/hosts/rackserv/profiles/caddy.nix
@ -0,0 +1,43 @@
+{
+  vars,
+  config,
+  ...
+}: let
+  inherit (vars) domain;
+  hopper = "10.0.0.2";
+in {
+  networking.firewall.allowedTCPPorts = [80 443];
+
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "xunuwu@gmail.com";
+    certs = {
+      "${domain}" = {
+        domain = "${domain}";
+        extraDomainNames = ["*.${domain}"];
+        dnsProvider = "cloudflare";
+        reloadServices = ["caddy.service"];
+        credentialFiles.CF_DNS_API_TOKEN_FILE = config.sops.secrets.cloudflare.path;
+      };
+    };
+  };
+
+  services.caddy = {
+    enable = true;
+    virtualHosts = {
+      misc = {
+        hostName = "${domain}";
+        serverAliases = ["*.${domain}"];
+        useACMEHost = domain;
+        extraConfig = ''
+          reverse_proxy ${hopper}
+        '';
+      };
+      other = {
+        extraConfig = ''
+          respond 404
+        '';
+      };
+    };
+  };
+}
--- a/hosts/rackserv/profiles/fail2ban.nix
+++ b/hosts/rackserv/profiles/fail2ban.nix
@ -0,0 +1,14 @@
+{
+  services.openssh.startWhenNeeded = false; # i dont think this works with fail2ban
+
+  services.fail2ban = {
+    enable = true;
+    ignoreIP = ["100.64.0.0/10"]; # tailscale
+    bantime = "1h";
+    bantime-increment = {
+      enable = true;
+      maxtime = "168h";
+      factor = "4";
+    };
+  };
+}
--- a/hosts/rackserv/profiles/wireguard-server.nix
+++ b/hosts/rackserv/profiles/wireguard-server.nix
@ -0,0 +1,111 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}: {
+  networking.firewall = let
+    forwardPorts = {
+      "10.0.0.2" =
+        [24001 24002 24003]
+        |> map (n: {
+          protocols = ["tcp"];
+          port = n;
+        });
+      "10.0.0.3" =
+        lib.range 23000 23010
+        |> map (n: {
+          protocols = ["tcp" "udp"];
+          port = n;
+        });
+      "10.0.0.4" = [
+        {
+          protocols = ["tcp"];
+          port = 22000;
+        }
+      ];
+    };
+    externalIp = "172.245.52.19";
+    b = builtins;
+    portsList = b.attrValues forwardPorts |> b.concatLists;
+    portsAndIpsList = lib.mapAttrsToList (n: v: map (x: x // {destinationIp = n;}) v) forwardPorts |> b.concatLists;
+  in {
+    allowedTCPPorts = b.filter (x: b.elem "tcp" x.protocols) portsList |> map (x: x.port);
+    allowedUDPPorts = [51820] ++ (b.filter (x: b.elem "udp" x.protocols) portsList |> map (x: x.port));
+    extraCommands =
+      portsAndIpsList
+      |> map (x:
+        x.protocols
+        |> map (protocol: ''
+          iptables -t nat -A PREROUTING -p ${protocol} -d ${externalIp} --dport ${toString x.port} -j DNAT --to-destination ${x.destinationIp}
+        ''))
+      |> b.concatLists
+      |> b.concatStringsSep "\n";
+
+    extraStopCommands =
+      portsAndIpsList
+      |> map (x:
+        x.protocols
+        |> map (protocol: ''
+          iptables -t nat -D PREROUTING  -p ${protocol} -d ${externalIp} --dport ${toString x.port} -j DNAT --to-destination ${x.destinationIp} || true
+        ''))
+      |> b.concatLists
+      |> b.concatStringsSep "\n";
+
+    interfaces.wg0 = {
+      allowedUDPPorts = [53];
+      allowedTCPPorts = [53];
+    };
+  };
+
+  systemd.network.netdevs = {
+    "50-wg0" = {
+      netdevConfig = {
+        Kind = "wireguard";
+        Name = "wg0";
+        MTUBytes = "1420";
+      };
+      wireguardConfig = {
+        ListenPort = 51820;
+        PrivateKeyFile = config.sops.secrets.wireguard-privatekey.path;
+        RouteTable = "main";
+      };
+      wireguardPeers = [
+        {
+          # hopper
+          PublicKey = "P5W5/m9VnWcbdR6e3rs4Yars4Qb2rPjkRmCAbgja4Ug=";
+          AllowedIPs = ["10.0.0.2" "fd12:1e51:ca23::2"];
+        }
+        {
+          # nixdesk
+          PublicKey = "DMauL/fv08yXvVtyStsUfg/OM+ZJwMNvguQ59X/KU2Q=";
+          AllowedIPs = ["10.0.0.3" "fd12:1e51:ca23::3"];
+        }
+        {
+          # alka
+          PublicKey = "Q90dKQtQTu8RLgkPau7/Y5fY3PVstP0bL6ey3zrdS18=";
+          AllowedIPs = ["10.0.0.4" "fd12:1e51:ca23::3"];
+        }
+      ];
+    };
+  };
+
+  systemd.network.networks.wg0 = {
+    matchConfig.Name = "wg0";
+    address = ["10.0.0.1/10" "fd12:1e51:ca23::1/64"];
+    networkConfig = {
+      IPMasquerade = "ipv4";
+      IPv4Forwarding = true;
+    };
+  };
+
+  services.dnsmasq = {
+    enable = true;
+    resolveLocalQueries = false;
+    settings = {
+      server = ["1.1.1.1" "8.8.8.8"];
+      interface = ["wg0"];
+      bind-interfaces = true;
+    };
+  };
+}