From 5ddc18485b03ffdf0f435dd48a07d9a80cb837e3 Mon Sep 17 00:00:00 2001
From: mjallen18
Date: Fri, 18 Oct 2024 09:32:20 -0500
Subject: [PATCH] nas fixes

---
 cachix/cachix.nix | 13 ----
 cachix/nix-community.nix | 8 ---
 .../desktop/hyprland/config/hypr/default.nix | 2 +-
 hosts/nas/boot.nix | 6 ++
 hosts/nas/configuration.nix | 5 ++
 hosts/nas/networking.nix | 66 +++++++++++++++++--
 hosts/nas/services.nix | 61 ++++++++++++++++-
 hosts/nas/sops.nix | 12 ++++
 secrets/secrets.yaml | 9 ++-
 9 files changed, 150 insertions(+), 32 deletions(-)
 delete mode 100644 cachix/cachix.nix
 delete mode 100644 cachix/nix-community.nix

diff --git a/cachix/cachix.nix b/cachix/cachix.nix
deleted file mode 100644
index 7b880fa..0000000
--- a/cachix/cachix.nix
+++ /dev/null
@@ -1,13 +0,0 @@
-# WARN: this file will get overwritten by $ cachix use
-{ pkgs, lib, ... }:
-
-let
- folder = ../cachix;
- toImport = name: value: folder + ("/" + name);
- filterCaches = key: value: value == "regular" && lib.hasSuffix ".nix" key;
- imports = lib.mapAttrsToList toImport (lib.filterAttrs filterCaches (builtins.readDir folder));
-in
-{
- inherit imports;
- nix.settings.substituters = [ "https://cache.nixos.org/" ];
-}
diff --git a/cachix/nix-community.nix b/cachix/nix-community.nix
deleted file mode 100644
index c6e569f..0000000
--- a/cachix/nix-community.nix
+++ /dev/null
@@ -1,8 +0,0 @@
-{
- nix = {
- settings = {
- substituters = [ "https://nix-community.cachix.org" ];
- trusted-public-keys = [ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" ];
- };
- };
-}
diff --git a/hosts/desktop/hyprland/config/hypr/default.nix b/hosts/desktop/hyprland/config/hypr/default.nix
index 7ea7695..e785fc0 100644
--- a/hosts/desktop/hyprland/config/hypr/default.nix
+++ b/hosts/desktop/hyprland/config/hypr/default.nix
@@ -175,7 +175,7 @@ in workspace = [ "name:firefox, monitor:DP-2, default:false, special, firefox" "name:discord, monitor:DP-2, default:true, special, vesktop, spotify" - "name:steam, monitor:DP-2, default:false, special, steam" + "name:steam, monitor:DP-1, default:false, special, steam" ]; windowrule = [ diff --git a/hosts/nas/boot.nix b/hosts/nas/boot.nix index fdc63e0..e53ebfd 100644 --- a/hosts/nas/boot.nix +++ b/hosts/nas/boot.nix @@ -19,6 +19,12 @@ in }; }; + kernel.sysctl = { + "net.ipv4.ip_forward" = 1; + "net.ipv6.conf.all.forwarding" = 1; + "vm.swappiness" = 60; + }; + # Override kernel to latest kernelPackages = kernel; diff --git a/hosts/nas/configuration.nix b/hosts/nas/configuration.nix index e56420a..3deacc8 100755 --- a/hosts/nas/configuration.nix +++ b/hosts/nas/configuration.nix @@ -106,6 +106,7 @@ in protonmail-bridge protonvpn-cli python3 + qrencode rcon sbctl speedtest-cli @@ -185,6 +186,7 @@ in aha papirus-icon-theme firefox + swtpm ]; }; @@ -258,6 +260,9 @@ in }; libvirtd.enable = true; + + # tpm.enable = true; + # useSecureBoot = true; }; # This option defines the first version of NixOS you have installed on this particular machine, diff --git a/hosts/nas/networking.nix b/hosts/nas/networking.nix index 8f746f4..2718ba5 100644 --- a/hosts/nas/networking.nix +++ b/hosts/nas/networking.nix @@ -1,9 +1,17 @@ -{ config, ... }: +{ config, pkgs, ... }: let hostname = "jallen-nas"; ipAddress = "10.0.1.18"; ipAddress2 = "10.0.1.19"; gateway = "10.0.1.1"; + ports = [ + 9000 # authentik + 2342 # grafana + 51820 # wireguard + ]; + + wireguard-private = config.sops.secrets."jallen-nas/wireguard/private".path; + wireguard-public = "r03IJPnTaSNmhVYIdQr+TGasox6NAUrgW8ycm/sac08="; in { # Networking configs @@ -65,10 +73,10 @@ in ieee80211w=2 ''; }; - "Joey's Jungle 5G" = { - pskRaw = "ext:PSK"; - priority = -100; - }; + # "Joey's Jungle 5G" = { + # pskRaw = "ext:PSK"; + # priority = -100; + # }; }; }; 
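Review bot: The `"net.ipv6.conf.all.forwarding" = 1;` line in the new `kernel.sysctl` block of hosts/nas/boot.nix makes the host forward IPv6 between every interface, while the NAT and WireGuard setup added elsewhere in this patch is IPv4-only and nothing here adds forward filtering for v6. Unless v6 routing is actually wanted, drop that line, or keep it with a why-comment such as `# IPv6 forwarding needed for <reason>`. As far as I recall, `networking.nat.enable` and `services.tailscale.useRoutingFeatures = "server"`/`"both"` already set the IPv4 forwarding sysctl in NixOS, so the `net.ipv4.ip_forward` line is likely redundant as well. `"vm.swappiness" = 60` is the kernel default; keep it only if it is meant to document intent.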
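Review bot: The two commented-out lines `# tpm.enable = true;` and `# useSecureBoot = true;` added after `libvirtd.enable = true;` in hosts/nas/configuration.nix are dead code, and they look like options of the NixOS build-vm variant (`virtualisation.tpm`, `virtualisation.useSecureBoot`) rather than anything libvirtd reads, so they would not do what the placement suggests even if uncommented. If the goal is a software TPM for libvirt guests, which would also explain `swtpm` being added to a package list in the previous hunk, `virtualisation.libvirtd.qemu.swtpm.enable = true;` wires swtpm into QEMU without installing the package by hand. Either way the commented lines should be removed or replaced by that option; the enclosing `virtualisation` set starts outside the hunk.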
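Review bot: `wireguard-public` in the new `let` block of hosts/nas/networking.nix is a hard-coded key literal, while the hosts/nas/sops.nix hunk of this same patch adds a `jallen-nas/wireguard/public` secret and a `sops.templates."wireguard-public"` that nothing in the patch references; one of the two should go. A WireGuard public key is not sensitive, so the simpler fix is to keep the literal here, drop the sops secret and template, and say whose key it is, e.g. `# public key of the <peer-name> client (not secret)`. Also, `ports` mixes services with different protocols (WireGuard is UDP-only, authentik and grafana are TCP); splitting it into `tcpPorts = [ 9000 2342 ];` and `udpPorts = [ 51820 ];` would let the firewall hunk later in this file open only what each service needs instead of both protocols for all three.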
@@ -76,8 +84,56 @@ in enable = true; allowPing = true; + allowedTCPPorts = ports; + allowedUDPPorts = ports; + # always allow traffic from your Tailscale network trustedInterfaces = [ "tailscale0" ]; }; + + nat = { + enable = true; + externalInterface = "wlp7s0"; + internalInterfaces = [ "wg0" ]; + }; + + wireguard.interfaces = { + # "wg0" is the network interface name. You can name the interface arbitrarily. + wg0 = { + # Determines the IP address and subnet of the server's end of the tunnel interface. + ips = [ "10.0.100.1/24" ]; + + # The port that WireGuard listens to. Must be accessible by the client. + listenPort = 51820; + + # This allows the wireguard server to route your traffic to the internet and hence be like a VPN + # For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients + postSetup = '' + ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.0.100.0/24 -o wlp7s0 -j MASQUERADE + ''; + + # This undoes the above command + postShutdown = '' + ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.0.100.0/24 -o wlp7s0 -j MASQUERADE + ''; + + # Path to the private key file. + # + # Note: The private key can also be included inline via the privateKey option, + # but this makes the private key world-readable; thus, using privateKeyFile is + # recommended. + privateKeyFile = wireguard-private; + + peers = [ + # List of allowed peers. + { # Feel free to give a meaning full name + # Public key of the peer (not a file path). + publicKey = wireguard-public; + # List of IPs assigned to this peer within the tunnel subnet. Used to configure routing. + allowedIPs = [ "10.0.100.2/32" ]; + } + ]; + }; + }; }; } diff --git a/hosts/nas/services.nix b/hosts/nas/services.nix index 0ffd350..7283564 100644 --- a/hosts/nas/services.nix +++ b/hosts/nas/services.nix @@ -1,4 +1,4 @@ -{ pkgs, ... }: +{ config, pkgs, ... }: let enableDisplayManager = true; in 
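Review bot: The `postSetup`/`postShutdown` iptables MASQUERADE hooks in `wg0` duplicate what the `nat` block directly above already does: as far as I recall, with `networking.nat.enable = true`, `externalInterface = "wlp7s0"` and `internalInterfaces = [ "wg0" ]` the NixOS NAT module itself masquerades traffic from `wg0` out of `wlp7s0`, so the hooks add a second, unmanaged copy of the rule (and an iptables rule the module will not track if the firewall backend is ever switched to nftables). Keep the declarative `nat` block and drop the two hooks, or keep the hooks and drop `nat`, but not both. Separately, `allowedTCPPorts`/`allowedUDPPorts` open the service ports on every non-trusted interface, which after this hunk includes the external NAT interface `wlp7s0`; if authentik and grafana are only meant to be reached over the tunnel or the trusted Tailscale interface, `networking.firewall.interfaces.wg0.allowedTCPPorts = [ 9000 2342 ];` scopes them to `wg0` instead of the Wi-Fi side.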
@@ -131,7 +131,11 @@ in enable = true; openFirewall = true; useRoutingFeatures = "client"; - extraUpFlags = [ "--advertise-exit-node" ]; + extraUpFlags = [ + "--advertise-exit-node" + "--accept-dns=false" + "--advertise-routes=10.0.1.0/24" + ]; extraSetFlags = [ "--advertise-exit-node" "--hostname=jallen-nas" @@ -194,6 +198,59 @@ in }; }; }; + + grafana = { + enable = true; + settings.server = { + http_port = 2342; + domain = "10.0.1.18"; + serve_from_sub_path = true; + http_addr = ""; + }; + dataDir = "/media/nas/ssd/nix-app-data/grafana"; + }; + + prometheus = { + enable = true; + port = 8000; + exporters = { + node = { + enable = true; + enabledCollectors = [ + "diskstats" + "systemd" + ]; + port = 8001; + }; + smartctl = { + enable = true; + group = "disk"; + devices = [ + "/dev/mapper/ssd1" + "/dev/mapper/ssd2" + "/dev/mapper/hdd1" + "/dev/mapper/hdd2" + "/dev/mapper/hdd3" + "/dev/mapper/hdd4" + "/dev/mapper/hdd5" + ]; + }; + }; + + scrapeConfigs = [ + { + job_name = "jallen-nas"; + static_configs = [ + { + targets = [ + "127.0.0.1:${toString config.services.prometheus.exporters.node.port}" + "127.0.0.1:${toString config.services.prometheus.exporters.smartctl.port}" + ]; + } + ]; + } + ]; + }; }; systemd.user.services = { diff --git a/hosts/nas/sops.nix b/hosts/nas/sops.nix index f0189b2..33702f5 100644 --- a/hosts/nas/sops.nix +++ b/hosts/nas/sops.nix @@ -61,6 +61,18 @@ restartUnits = [ "podman-immich-server.service" ]; }; + sops.secrets."jallen-nas/wireguard/private" = { + # restartUnits = [ "podman-immich-server.service" ]; + }; + + sops.secrets."jallen-nas/wireguard/public" = { + # restartUnits = [ "podman-immich-server.service" ]; + }; + + sops.templates."wireguard-public".content = '' + "${config.sops.placeholder."jallen-nas/wireguard/public"}" + ''; + # Permission modes are in octal representation (same as chmod), # the digits represent: user|group|others # 7 - full (rwx) 
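Review bot: `useRoutingFeatures = "client"` in the tailscale block contradicts the new `--advertise-routes=10.0.1.0/24` and the existing `--advertise-exit-node` flags, which make this host a subnet-router/exit-node server. In the NixOS tailscale module, as far as I recall, only `"server"` or `"both"` enables the IP-forwarding sysctls (and `"both"` also keeps the loose reverse-path filter a client needs), so `useRoutingFeatures = "both";` is the matching value and would make the hand-written forwarding sysctls in boot.nix unnecessary. `extraSetFlags` just below still lists only `--advertise-exit-node`; if `tailscale set` on each activation is meant to hold the same prefs as `tailscale up`, `--advertise-routes=10.0.1.0/24` belongs there too. Advertising the whole LAN to the tailnet is a deliberate exposure decision that deserves a comment, e.g. `# exposes the home LAN to tailnet peers; the route must be approved in the admin console`.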
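Review bot: In the new `grafana` block, `http_addr = ""` makes Grafana listen on all interfaces, and port 2342 is opened in the firewall by the networking.nix hunks of this patch, so the dashboard becomes reachable from the Wi-Fi/external side as well as the tunnel; unless that is intended, bind it to the LAN address with `http_addr = "10.0.1.18";` (matching the `domain` value) and open the port only where it is needed. `serve_from_sub_path = true` has no effect unless `root_url` contains a subpath, so either set `root_url` for the reverse proxy this presumably sits behind or drop the line. The prometheus `port = 8000` and the exporter ports are not in the firewall list, which is the right default for scrape endpoints; a short comment such as `# exporters are only scraped from localhost; not opened in the firewall` would make that intent explicit.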
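Review bot: The new `sops.secrets."jallen-nas/wireguard/private"` entry in hosts/nas/sops.nix has no `restartUnits`, only a copy-pasted comment naming the immich unit, so a rotated private key will not reach the running tunnel until the interface unit is restarted by hand. The NixOS WireGuard module's unit for `wg0` is, I believe, `wireguard-wg0.service`, so `restartUnits = [ "wireguard-wg0.service" ];` is the line to put there. Both `# restartUnits = [ "podman-immich-server.service" ];` comments should be deleted rather than left as misleading placeholders.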
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml index d1ac708..2ccccb2 100644 --- a/secrets/secrets.yaml +++ b/secrets/secrets.yaml @@ -21,6 +21,9 @@ jallen-nas: server-db-password: ENC[AES256_GCM,data:NtNMYemg+Se0CKT7yF7Yqso+33gCZn4=,iv:9lp0GoQY+I+2u/O/PFEu97H++HXDWgL1bxlOYqWfzyY=,tag:kILw1T9Ne7nSoIET4SSrOA==,type:str] server-db-name: ENC[AES256_GCM,data:bMXo9Jds5l0p9eYEPmquHQ8wwxbM+c0=,iv:fkb0P9uD9oMTOl5OuK7QDOxgJVfquKLaMfoPhRTwsAk=,tag:2Kat49n3odcVhn34c7+rig==,type:str] server-db-user: ENC[AES256_GCM,data:od8C91VJVK/cWCl824gCRqnOAC7mGA==,iv:mHJnrpKoD3c0z/XuUwFMHm8pDrOHoVzIloOS2U4IHzg=,tag:xE44Svdg/RWTe1i9Q43QQQ==,type:str] + wireguard: + private: ENC[AES256_GCM,data:/nOkn5nMrEEeKi1ySo9fAp+r1lQL02k0FZA99hUIKq7THvVWNaQ/Z6paoJU=,iv:iCTfGSdjJ0wMwv/34dv2ygKSm3qAJq6czOErMaFqHtg=,tag:EJZzBlVB5FSvveo5MWtC1g==,type:str] + public: ENC[AES256_GCM,data:rOmyhwpolxNV2JroLdh90gYAuCGNZu/gY5NBxkHHNJ+qEblmDsom9alNHMQ=,iv:bF+XCO9lPHopLCEILTT4gA349d/Sa5qReSKN70EA3d4=,tag:Yx2TL/37n5Uohlwnlx97vg==,type:str] desktop: matt_password: ENC[AES256_GCM,data:z/Jjzr+/PREpNEQsAVl4soeKAwW3sdteIqjhZT2txQDiR0FvGvEBoE/aYCM9NS7XSCgTeTuOqgBGfq4xDLc5/ZBAl7KoGHmKIQ==,iv:qVONkw8PDI2ydqybqGIU2XFq4+qC1BeXnfwxbxbWBww=,tag:eYOD2EoBn9XMiYOaBDFlRw==,type:str] hass_token: ENC[AES256_GCM,data:un4uyUPcr6g8IIWlXvTCpQ5hXms9FZxaVQz+fk1HMNRdfToTI7OLv8XyYOZ4NOZk5OJcLUUcu2S6zDKL0nc6PUqKD/8X8Rc4wVxEPoAZHiH3EBwuj3LSQac9m2Qlgs17vdfRGkpCt52h5ayPwItop1eb222MXHnQWPsslWT7RIN+kuzQ8prj7MU3ag6lqH8dDZjYQutskF1VkXWolQZkAG8gGZPK+C0BXB5Kxlpx4nYD/pQs2eKr,iv:qR5Jn4QcDISEcLzwmPa7hj9+u5JcQuzdB0qLxlYeK8s=,tag:tSN0CaQz6WsFSw+0fVrDYA==,type:str] 
@@ -57,8 +60,8 @@ sops: UGhsN2N0Mjl3UEJvUVlGRlJiN05WaUkKW37lU4G4CLTo6JoHC2OyhKsG/FuO+BiN pzlVJwzRnmAqwklRbc6RMbQLl2EQrp6KQcgYsUxCMH9OQ/9WJ98dxQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-09-21T01:05:24Z" - mac: ENC[AES256_GCM,data:pXhGu8BXKulc4wqmQY6JFUhM5X3rm8W4/jR/DQ33+7E8Yuf9zIfDXOdZ/aIwKkOeF/lxKG4ca8knwZBxpuApH8NKzjVW3cMESM0vK+N2EsoNjv08HhDtnlc9vcGKAeBXLqZDxcbHNnd0P8mCDgJM3Ybl4pCH310mqtsSvoEtByE=,iv:tzFlOp/5775lj2yKfPjEan/G98H5FO0vqENoVK1qDdQ=,tag:2tIl8WGH/3NCeP85y/4lUA==,type:str] + lastmodified: "2024-10-17T19:16:19Z" + mac: ENC[AES256_GCM,data:d2xWXNFCgb7egUOJSXRC4lDBbPhRoNrhM5iz0JSCW4chmQuqW0JabwDLzW0PubSqsde2pw2fx7A2mgrhib/1zyyPG8ViYijO3xyBn0EX78vJuJoikVV/KE7c3ffzxuRCB6kwCJ+6mZEYeRR+daoCfJ/ZI48DiCYuGP1rMOAjtTs=,iv:s2riiffa/qyzaJLGfLEQG52z/fdLFb4pC/Gdb/yfbWI=,tag:8JjcN78FbTJzizi/jO3irw==,type:str] pgp: [] unencrypted_suffix: _unencrypted - version: 3.9.0 + version: 3.9.1