ivabus/nixos
1
0
Fork 0
mirror of https://github.com/ivabus/nixos synced 2024-11-21 16:05:07 +03:00
Code Issues Projects Releases Packages Wiki Activity Actions

Add "tempore" machine - VPS for Wireguard

Browse source 
Signed-off-by: Ivan Bushchik <ivabus@ivabus.dev>
This commit is contained in:
Ivan Bushchik 2024-05-07 18:36:24 +03:00
parent 20c68aacf0
commit 48ed1068be
No known key found for this signature in database
GPG key ID: 2F16FBF3262E090C
6 changed files with 107 additions and 11 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
flake.nix
View file

@ -89,6 +89,17 @@
];
};
# VPS - Wireguard
nixosConfigurations."tempore" = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = inputs;
modules = [
nur.nixosModules.nur
home-manager.nixosModules.home-manager
./machines/tempore
];
};
# These machines will be configured later.
/* # Effundam = MacBook Air M1 (server usage). Will not be added to flake.nix until thunderbolt and apfs proper support
nixosConfigurations."effundam" = nixpkgs.lib.nixosSystem {

27
machines/example/default.nix
View file

@ -14,24 +14,29 @@ in {
networking.hostName = "MACHINE";
# All "my" options
my.laptop.enable = true;
my.git.enable = true;
my.laptop.enable = false;
my.git.enable = false;
my.roles = {
design.enable = true;
devel.enable = true;
gaming.enable = true;
graphical.enable = true;
design.enable = false;
devel.enable = false;
gaming.enable = false;
graphical.enable = false;
graphical.basic.enable = false;
latex.enable = true;
media-client.enable = true;
torrent.enable = true;
virtualisation.enable = true;
latex.enable = false;
media-client.enable = false;
torrent.enable = false;
virtualisation.enable = false;
yggdrasil-client.enable = true;
server = { ivabus-dev.enable = true; };
server = {
ivabus-dev.enable = false;
slides-ivabus-dev.enable = false;
urouter.enable = false;
};
};
my.users = {
ivabus.enable = true;
ivabus.dotfiles.enable = true;
user.enable = false;
};
my.features.secrets = true;

68
machines/tempore/default.nix Normal file
View file

@ -0,0 +1,68 @@
{ config, pkgs, lib, secrets, ... }:
let my = import ../..;
in {
imports = [
./hardware.nix # Use nixos-generate-config --show-hardware-config > /etc/nixos/machines/MACHINE/hardware.nix
my.modules
];
networking.hostName = "tempore";
services.qemuGuest.enable = true;
# All "my" options
my.laptop.enable = false;
my.git.enable = false;
my.roles = {
design.enable = false;
devel.enable = false;
gaming.enable = false;
graphical.enable = false;
graphical.basic.enable = false;
latex.enable = false;
media-client.enable = false;
torrent.enable = false;
virtualisation.enable = false;
yggdrasil-client.enable = true;
server = {
ivabus-dev.enable = false;
slides-ivabus-dev.enable = false;
urouter.enable = false;
};
};
my.users = {
ivabus.enable = true;
ivabus.dotfiles.enable = true;
user.enable = false;
};
my.features.secrets = true;
networking.useDHCP = true;
networking.nat.enable = true;
networking.nat.externalInterface = "ens3";
networking.nat.internalInterfaces = [ "wg0" ];
networking.firewall = { allowedUDPPorts = [ 51820 ]; };
networking.wireguard.interfaces = {
wg0 = {
ips = [ "10.100.0.1/24" ];
listenPort = 51820;
postSetup = ''
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o ens3 -j MASQUERADE
'';
postShutdown = ''
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o ens3 -j MASQUERADE
'';
privateKey = secrets.wireguard.privateKey;
peers = secrets.wireguard.peers;
};
};
system.stateVersion = "23.05";
}

11
machines/tempore/hardware.nix Normal file
View file

@ -0,0 +1,11 @@
{ modulesPath, ... }: {
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot.loader.grub.device = "/dev/vda";
boot.initrd.availableKernelModules =
[ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
boot.initrd.kernelModules = [ "nvme" ];
fileSystems."/" = {
device = "/dev/vda1";
fsType = "ext4";
};
}

1
secrets.nix
View file

@ -10,4 +10,5 @@ else {
maas-address = builtins.readFile ./secrets/maas-address;
yggdrasil-peer = builtins.readFile ./secrets/yggdrasil-peer;
yggdrasil-password = builtins.readFile ./secrets/yggdrasil-password;
wireguard = import ./secrets/wireguard.nix;
}

BIN
secrets/wireguard.nix Normal file
View file

Binary file not shown.