From 0d74bc1e6b5c37c0be810ddb0e9bf4ef5024e98a Mon Sep 17 00:00:00 2001 From: Kopatz <7265381+Kropatz@users.noreply.github.com> Date: Fri, 27 Oct 2023 14:28:31 +0200 Subject: [PATCH] fix filesystem and try to add turn server --- server/configuration.nix | 2 + server/flake.lock | 18 ++++++++- server/flake.nix | 15 +++++++- server/hardware-configuration.nix | 7 +++- server/modules/coturn.nix | 61 +++++++++++++++++++++++++++++++ server/secrets/coturn-secret.age | 10 +++++ server/secrets/secrets.nix | 1 + 7 files changed, 109 insertions(+), 5 deletions(-) create mode 100644 server/modules/coturn.nix create mode 100644 server/secrets/coturn-secret.age diff --git a/server/configuration.nix b/server/configuration.nix index 5475c55..b4c0b37 100644 --- a/server/configuration.nix +++ b/server/configuration.nix @@ -17,6 +17,7 @@ in{ # Bootloader. boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; + systemd.enableEmergencyMode = false; networking.hostName = "server"; # Define your hostname. @@ -102,6 +103,7 @@ in{ hdparm wireguard-tools openssl + unstable.e2fsprogs # vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default. # wget ]; diff --git a/server/flake.lock b/server/flake.lock index 5cd9b54..a286475 100644 --- a/server/flake.lock +++ b/server/flake.lock @@ -79,6 +79,21 @@ "type": "github" } }, + "nixpkgs-unstable": { + "locked": { + "lastModified": 1698134075, + "narHash": "sha256-foCD+nuKzfh49bIoiCBur4+Fx1nozo+4C/6k8BYk4sg=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "8efd5d1e283604f75a808a20e6cde0ef313d07d4", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-unstable", + "type": "indirect" + } + }, "nixpkgs_2": { "locked": { "lastModified": 1697957990, @@ -98,7 +113,8 @@ "root": { "inputs": { "agenix": "agenix", - "nixpkgs": "nixpkgs_2" + "nixpkgs": "nixpkgs_2", + "nixpkgs-unstable": "nixpkgs-unstable" } } }, 
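Review bot: `systemd.enableEmergencyMode = false;` in configuration.nix is a behaviour change with no comment explaining it, and it is outside what the subject line describes (filesystem and TURN); a why-comment such as `# headless server: never drop to the emergency shell when a unit fails at boot` would record the intent. Presumably it goes with the `nofail` mount options so a missing data disk no longer blocks boot, but it also means a genuinely boot-blocking failure offers no interactive shell, so it is worth confirming out-of-band access exists before relying on it. `unstable.e2fsprogs` only resolves because flake.nix adds the `unstable` overlay in this same commit; a short comment on that line naming the overlay would save the next reader a search.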
diff --git a/server/flake.nix b/server/flake.nix index 3cdb87e..fb1bb79 100644 --- a/server/flake.nix +++ b/server/flake.nix @@ -4,19 +4,30 @@ # secrets management agenix.url = "github:ryantm/agenix"; nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05"; + nixpkgs-unstable.url = "nixpkgs/nixos-unstable"; }; - outputs = { self, nixpkgs, agenix }@inputs: { - nixosConfigurations.server = nixpkgs.lib.nixosSystem { + outputs = { self, nixpkgs, nixpkgs-unstable, agenix }@inputs: + let system = "x86_64-linux"; + overlay-unstable = final: prev: { + unstable = nixpkgs-unstable.legacyPackages.${prev.system}; + }; + in { + nixosConfigurations.server = nixpkgs.lib.nixosSystem { + inherit system; modules = [ ./modules/static-ip-server.nix + ({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-unstable ]; }) ./configuration.nix ./modules/nix-settings.nix ./modules/adguard.nix ./modules/git.nix #./modules/vmware-guest.nix ./modules/github-runner.nix + ./modules/nextcloud.nix + ./modules/coturn.nix + ./modules/acme.nix ./modules/samba.nix ./modules/backup.nix diff --git a/server/hardware-configuration.nix b/server/hardware-configuration.nix index c249f74..2b17482 100644 --- a/server/hardware-configuration.nix +++ b/server/hardware-configuration.nix @@ -30,17 +30,20 @@ fileSystems."/mnt/2tb" = { device = "/dev/disk/by-uuid/99954059-3801-4abb-a536-0e7802a3e6b4"; fsType = "ext4"; + options = ["defaults" "nofail"]; }; fileSystems."/mnt/1tb" = { device = "/dev/disk/by-uuid/fb0a94c2-95df-4f62-904e-695d372363e9"; fsType = "ext4"; + options = ["defaults" "nofail"]; }; fileSystems."/mnt/250ssd" = { device = "/dev/disk/by-uuid/80163cf9-2030-4757-ada2-03db96184961"; fsType = "ext4"; - }; + options = ["defaults" "nofail"]; + }; # Enables DHCP on each ethernet and wireless interface. In case of scripted networking # (the default) this is the recommended approach. When using systemd-networkd it's 
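Review bot: The module list gains `./modules/nextcloud.nix` and `./modules/acme.nix`, but this commit creates only `coturn.nix` and the secret (see the diffstat), so unless those two files already exist in the repository evaluation of the flake fails on a missing path. The new `coturn.nix` also reads `config.security.acme.certs."kopatz.ddns.net"`, so it depends on `acme.nix` declaring that certificate; a comment in coturn.nix naming that dependency would help. Minor style point: the inline overlay module declares `config` and `pkgs` but uses neither, so `({ ... }: { nixpkgs.overlays = [ overlay-unstable ]; })` is enough. The `nixosSystem` call continues past the end of the hunk.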
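Review bot: Adding `nofail` to the three data mounts lets boot proceed when a disk is absent, but any unit that uses these paths (the samba and backup modules listed in flake.nix look like candidates) will then see an empty directory on the root filesystem instead of failing — a backup could run against it and a share could expose it. Units that need a mount should declare it, e.g. `unitConfig.RequiresMountsFor = "/mnt/2tb";`, so they are ordered after the mount and fail when it is missing rather than using the bare directory. I cannot see those modules here, so this is a point to check rather than a defect in this hunk.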
@@ -53,4 +56,4 @@
 nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
 hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
-}
\ No newline at end of file
+}
diff --git a/server/modules/coturn.nix b/server/modules/coturn.nix
new file mode 100644
index 0000000..3323f91
--- /dev/null
+++ b/server/modules/coturn.nix
@@ -0,0 +1,61 @@
+{ config, pkgs, lib, inputs, ... }:
+{
+ age.secrets.coturn-secret = {
+ file = ../secrets/coturn-secret.age;
+ };
+
+ networking.firewall.allowedUDPPortRanges = [ { from = 49000; to=50000; } ];
+ networking.firewall.allowedUDPPorts = [ 3478 5349 ];
+ networking.firewall.allowedTCPPorts = [ 3478 5349 ];
+
+
+ services.coturn = {
+ enable = true;
+ no-cli = true;
+ no-tcp-relay = true;
+ tls-listening-port = 5349;
+ listening-port = 3478;
+ min-port = 49000;
+ max-port = 50000;
+ use-auth-secret = true;
+ static-auth-secret = config.age.secrets.coturn-secret.path;
+ relay-ips = [
+ "192.168.2.1"
+ ];
+ listening-ips = [
+ "192.168.2.1"
+ ];
+ realm = "kopatz.ddns.net";
+ cert = "${config.security.acme.certs."kopatz.ddns.net".directory}/full.pem";
+ pkey = "${config.security.acme.certs."kopatz.ddns.net".directory}/key.pem";
+ extraConfig = ''
+ # for debugging
+ verbose
+ # ban private IP ranges
+ no-multicast-peers
+ allowed-peer-ip=192.168.2.0-192.168.2.255
+ denied-peer-ip=0.0.0.0-0.255.255.255
+ denied-peer-ip=10.0.0.0-10.255.255.255
+ denied-peer-ip=100.64.0.0-100.127.255.255
+ denied-peer-ip=127.0.0.0-127.255.255.255
+ denied-peer-ip=169.254.0.0-169.254.255.255
+ denied-peer-ip=172.16.0.0-172.31.255.255
+ denied-peer-ip=192.0.0.0-192.0.0.255
+ denied-peer-ip=192.0.2.0-192.0.2.255
+ denied-peer-ip=192.168.0.0-192.168.255.255
+ denied-peer-ip=192.88.99.0-192.88.99.255
+ denied-peer-ip=198.18.0.0-198.19.255.255
+ denied-peer-ip=198.51.100.0-198.51.100.255
+ denied-peer-ip=203.0.113.0-203.0.113.255
+ denied-peer-ip=240.0.0.0-255.255.255.255
+ denied-peer-ip=::1
+ denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
+ denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
+ denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
+ denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
+ denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+ denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+ 
denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff + ''; + }; +} diff --git a/server/secrets/coturn-secret.age b/server/secrets/coturn-secret.age new file mode 100644 index 0000000..216ee08 --- /dev/null +++ b/server/secrets/coturn-secret.age @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> ssh-ed25519 yfCCMw 4ZpkTSszkAJIbBs211PZAuWyYlsbYGx+kh+fIa/X8Q4 +zlDBNm+2ykfiugTcPWGgLKsBBCVRDiLkp/GSX8stVnQ +-> ssh-ed25519 IV3DkQ jvo0WmLvaOpAHASPs5Qb4HblklPs7l+wuiZIIapbm2c +KiPkiZMwPF4q5s2Ity1DBiPxDrEpMNEW6p9P7DOBVIY +-> NJJFW+-grease +vUz0h2kED8aYuu4hT4AJw89LzscD0jiKUVlkrhO0IN7n5do6dUkXm5h7wNwnybTl +FoV3HBxV3xAr6tD++Uv8/ej/XqG0jBhd +--- h2fQyC4ajeEOyuzxzt7gf23wJMBoLQSXcc8uKewGyuY +ըUD6j==(>8"#d`ԆbmU߭kk&䛦D譀`1m?WӨLjְ5{Lϩ.D:vtQK \ No newline at end of file diff --git a/server/secrets/secrets.nix b/server/secrets/secrets.nix index d340d32..27e69dd 100644 --- a/server/secrets/secrets.nix +++ b/server/secrets/secrets.nix @@ -13,4 +13,5 @@ in "restic-pw.age".publicKeys = [ nix-test-vm server ]; "restic-s3.age".publicKeys = [ nix-test-vm server ]; "wireguard-private.age".publicKeys = [ nix-test-vm server ]; + "coturn-secret.age".publicKeys = [ nix-test-vm server ]; }
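Review bot: `static-auth-secret = config.age.secrets.coturn-secret.path;` writes the secret's path into turnserver.conf as the shared secret, not the decrypted value, so the TURN credential becomes a predictable string and the agenix secret is never actually used; the option for a secret kept on disk is `static-auth-secret-file = config.age.secrets.coturn-secret.path;`, and because agenix decrypts as root by default the secret also needs `owner = "turnserver";` so the coturn service can read it. The `# ban private IP ranges` comment is misleading for the LAN: coturn gives `allowed-peer-ip` priority over `denied-peer-ip`, so `allowed-peer-ip=192.168.2.0-192.168.2.255` lets every authenticated client relay into the local network — if that is intended, the comment should say so. `relay-ips` and `listening-ips` are a private address while `realm` is a public DDNS name; if the host is behind NAT, peers outside the LAN receive unroutable relay candidates unless `external-ip=<public address>` is also set, which may be why the subject says only "try to". The `inputs` module argument is unused, and unless the flake passes it via `specialArgs` or `_module.args` the module system fails with a missing-argument error, so it should be dropped from the signature. `verbose` is commented as debugging; expect high log volume until it is removed.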