Add codespace container

Signed-off-by: Magic_RB <magic_rb@redalder.org>
Magic_RB 2023-04-03 18:37:57 +02:00
parent 41874fde15
commit 48066a7e0d
No known key found for this signature in database
GPG key ID: 08D5287CC5DDCA0E
4 changed files with 54 additions and 16 deletions


@ -128,6 +128,8 @@
uterranix.url = "path:///home/main/uterranix";
uterranix.inputs.flake-parts.follows = "flake-parts";
uterranix.inputs.nixpkgs.follows = "nixpkgs";
vscode-server.url = "github:msteen/nixos-vscode-server";
};
outputs = inputs@{
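Review bot: The new input `vscode-server.url = "github:msteen/nixos-vscode-server";` names no `ref` or `rev`, and none of the four files in this commit is flake.lock, so the revision this change was developed against is not recorded anywhere; the next evaluation will lock whatever the repository's default branch points to at that moment. Because the module is imported straight into a NixOS container configuration, the commit should carry the matching flake.lock update, or the URL should pin the third-party code explicitly, e.g. `vscode-server.url = "github:msteen/nixos-vscode-server?rev=<placeholder commit hash>";`, so the code introduced is the code reviewed. The `outputs` attribute begins here and continues outside the hunk.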


@ -13,7 +13,7 @@
inputs,
...
}:
with lib; {
{
imports = [
(roots.nixos + "/profiles/vps.nix")
(roots.nixos + "/systems/blowhole/consul.nix")
@ -27,6 +27,7 @@
(roots.nixos + "/systems/blowhole/hostapd.nix")
(roots.nixos + "/systems/blowhole/klipper.nix")
(roots.nixos + "/systems/blowhole/monitoring.nix")
(roots.nixos + "/systems/blowhole/gcc-access.nix")
(roots.nixos + "/systems/blowhole/uterranix.nix")
];


@ -174,22 +174,26 @@ in
tcp dport 22 accept comment "Accept SSH traffic always"
iifname != "lo" tcp dport 5353 drop comment "Drop traffic to stubby always except for localhost to localhost traffic"
iifname "nomad" oifname "nomad" accept comment "Allow Nomad to do whatever it wants in its interface"
iifname { "nomad", "ve-monitor", "ve-klipper" } oifname { "nomad", "ve-monitor", "ve-klipper" } accept comment "Allow Nomad to do whatever it wants in its interface"
iifname { "${wlan}", "${lan}", "lo" } accept comment "Allow local network to access the router"
iifname { "${wan}", "${doVPN}", "nomad", "docker0" } jump input_out
iifname { "${wan}", "${doVPN}", "nomad", "docker0", "ve-monitor", "ve-daria", "ve-klipper" } jump input_out
iifname { "${doVPN}" } jump input_doVPN
# Allow containers to reach the DNS server
iifname { "nomad", "docker0" } tcp dport 53 accept
iifname { "nomad", "docker0" } udp dport 53 accept
iifname { "nomad", "docker0", "ve-monitor", "ve-daria", "ve-klipper" } tcp dport 53 accept
iifname { "nomad", "docker0", "ve-monitor", "ve-daria", "ve-klipper" } udp dport 53 accept
# Allow proxies to reach consul
iifname { "nomad" } tcp dport 8500 accept
iifname { "nomad", "ve-monitor", "ve-klipper" } tcp dport 8500 accept
iifname { "ve-monitor", "ve-klipper" } tcp dport 8502 accept
# Allow containers to reach the NFS server
iifname { "docker0" } tcp dport { 111, 2049, 4000, 4001, 4002, 20048 } accept comment "NFS traffic"
iifname { "docker0" } udp dport { 111, 2049, 4000, 4001, 4002, 20048 } accept comment "NFS traffic"
# Allow connections to daria container
iifname { "ve-daria" } tcp dport { 22 } accept comment "allow connections into container"
meta nftrace set 1
}
@ -225,18 +229,18 @@ in
iifname { "${lan}", "${wlan}" } oifname { "${doVPN}" } accept
# Allow containers to reach WAN
iifname { "nomad", "docker0" } oifname { "${wan}" } accept
iifname { "${wan}" } oifname { "nomad", "docker0" } ct state established, related accept
iifname { "nomad", "docker0", "ve-monitor", "ve-daria", "ve-klipper" } oifname { "${wan}" } accept
iifname { "${wan}" } oifname { "nomad", "docker0", "ve-monitor", "ve-daria", "ve-klipper" } ct state established, related accept
# Allow containers to reach the DNS and NFS server
iifname { "nomad", "docker0" } oifname { "${lan}" } ip daddr 10.64.2.1 tcp dport { 53 } accept
iifname { "nomad", "docker0" } oifname { "${lan}" } ip saddr 10.64.2.1 tcp sport { 53 } accept
iifname { "nomad", "docker0" } oifname { "${lan}" } ip daddr 10.64.2.1 tcp dport { 111, 2049, 4000, 4001, 4002, 20048 } accept
iifname { "nomad", "docker0" } oifname { "${lan}" } ip saddr 10.64.2.1 tcp sport { 111, 2049, 4000, 4001, 4002, 20048 } accept
iifname { "nomad", "docker0" } oifname { "${lan}" } ip daddr 10.64.2.1 udp dport { 53 } accept
iifname { "nomad", "docker0" } oifname { "${lan}" } ip saddr 10.64.2.1 udp sport { 53 } accept
iifname { "nomad", "docker0" } oifname { "${lan}" } ip daddr 10.64.2.1 udp dport { 111, 2049, 4000, 4001, 4002, 20048 } accept
iifname { "nomad", "docker0" } oifname { "${lan}" } ip saddr 10.64.2.1 udp sport { 111, 2049, 4000, 4001, 4002, 20048 } accept
iifname { "nomad", "docker0", "ve-monitor", "ve-klipper" } oifname { "${lan}" } ip daddr 10.64.2.1 tcp dport { 53 } accept
iifname { "nomad", "docker0", "ve-monitor", "ve-klipper" } oifname { "${lan}" } ip saddr 10.64.2.1 tcp sport { 53 } accept
iifname { "nomad", "docker0", "ve-monitor", "ve-klipper" } oifname { "${lan}" } ip daddr 10.64.2.1 tcp dport { 111, 2049, 4000, 4001, 4002, 20048 } accept
iifname { "nomad", "docker0", "ve-monitor", "ve-klipper" } oifname { "${lan}" } ip saddr 10.64.2.1 tcp sport { 111, 2049, 4000, 4001, 4002, 20048 } accept
iifname { "nomad", "docker0", "ve-monitor", "ve-klipper" } oifname { "${lan}" } ip daddr 10.64.2.1 udp dport { 53 } accept
iifname { "nomad", "docker0", "ve-monitor", "ve-klipper" } oifname { "${lan}" } ip saddr 10.64.2.1 udp sport { 53 } accept
iifname { "nomad", "docker0", "ve-monitor", "ve-klipper" } oifname { "${lan}" } ip daddr 10.64.2.1 udp dport { 111, 2049, 4000, 4001, 4002, 20048 } accept
iifname { "nomad", "docker0", "ve-monitor", "ve-klipper" } oifname { "${lan}" } ip saddr 10.64.2.1 udp sport { 111, 2049, 4000, 4001, 4002, 20048 } accept
# Rules to make CNI happy
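Review bot: The line added under `# Allow connections to daria container`, `iifname { "ve-daria" } tcp dport { 22 } accept comment "allow connections into container"`, does not match its comment: in this chain (which appears to be the input chain, since it jumps to `input_out`) `iifname` matches packets arriving *from* the container interface, so the rule admits the container to the host's own sshd rather than admitting connections into the container, and the earlier `tcp dport 22 accept comment "Accept SSH traffic always"` already accepts that traffic from every interface. If host-side SSH access for the container is what is wanted, the new rule is redundant and should be dropped; if connections to the container's sshd are the goal, that belongs in the forward chain of the second hunk, roughly `iifname { "${lan}" } oifname { "ve-daria" } tcp dport 22 accept`, with a comment naming the direction. It is also worth a one-line comment that "ve-daria" is deliberately added to the DNS and `input_out` sets but left out of the consul (8500/8502), NFS and `${lan}`-bound sets, so the asymmetry is read as intent rather than an omission. Both chains start and end outside the hunks.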


@ -0,0 +1,31 @@
{ config, pkgs, inputs, ... }:
let
in
{
containers.daria = {
ephemeral = false;
autoStart = true;
privateNetwork = true;
localAddress = "10.64.99.10";
hostAddress = "10.64.99.9";
config = {
nixpkgs.overlays = config.nixpkgs.overlays;
services.openssh.enable = true;
services.openssh.startWhenNeeded = false;
users.users.daria = {
initialPassword = "daria";
isNormalUser = true;
};
users.mutableUsers = true;
environment.systemPackages = with pkgs; [ gcc gdb git ];
imports = [ inputs.vscode-server.nixosModule ];
services.vscode-server.enable = true;
};
};
}
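Review bot: `users.users.daria` is created with `initialPassword = "daria";` in the same container that sets `services.openssh.enable = true;`, so with NixOS's default of password authentication left on, the container's sshd accepts a guessable password from any peer that can reach `10.64.99.10` (the firewall hunks let the container reach WAN and DNS; what can reach it inbound depends on forward rules outside this diff), and because `users.mutableUsers = true;` that password persists after first activation; note also that `initialPassword` values end up in the world-readable Nix store. Prefer key-based access: `users.users.daria.openssh.authorizedKeys.keys = [ "<placeholder public key>" ];` plus disabling PasswordAuthentication in the container's `services.openssh` settings, or at minimum drop `initialPassword` and set the password out of band. The empty `let in` contributes nothing and can be removed. A short header comment stating what this container is for (it looks like a remote development box, given the vscode-server module and gcc/gdb/git) and why it is `ephemeral = false` would help the next reader.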