From 48b55af6959f7c764fc6785c515533d8ad29fadf Mon Sep 17 00:00:00 2001
From: Bun
Date: Thu, 29 May 2025 23:29:05 -0400
Subject: [PATCH] Update all to mycelium ips
---
 hosts/kitty/filesystems/default.nix | 6 +++---
 hosts/midas/filesystems/default.nix | 6 +++---
 hosts/tower/filesystems/default.nix | 8 ++++----
 .../home/programs/terminal/ssh/default.nix | 20 +++++--------------
 .../devices/networking/mycelium/default.nix | 2 ++
 .../networking/mycelium/ips/default.nix | 13 ++++++++++++
 .../services/general/ssh/fail2ban/default.nix | 1 -
 .../system/services/server/nfs/default.nix | 4 +++-
 .../services/server/nginx/rtmp/default.nix | 5 ++++-
 .../services/server/owncast/default.nix | 4 +++-
 10 files changed, 40 insertions(+), 29 deletions(-)
 create mode 100644 modules/system/devices/networking/mycelium/ips/default.nix
diff --git a/hosts/kitty/filesystems/default.nix b/hosts/kitty/filesystems/default.nix
index 8354a0ab..fff08fd7 100644
--- a/hosts/kitty/filesystems/default.nix
+++ b/hosts/kitty/filesystems/default.nix
@@ -1,6 +1,6 @@
 { config, ... }:
 {
- fileSystems = {
+ fileSystems = with config.services.mycelium.ips; {
 "/persist/storage" = {
 device = "/dev/disk/by-uuid/edd3e293-1aff-4fc0-96fa-4e17d6cccfca";
 fsType = "btrfs";
@@ -12,7 +12,7 @@
 # Network mounts
 "/home/${config.sysusers.main}/Network/Midas" = {
- device = "11.0.0.1:/storage";
+ device = "[${midas}]:/storage";
 fsType = "nfs4";
 options = [
 "x-systemd.automount"
@@ -21,7 +21,7 @@
 ];
 };
 "/home/${config.sysusers.main}/Network/Prophet" = {
- device = "mx.nixfox.ca:/storage";
+ device = "[${prophet}]:/storage";;
 fsType = "nfs4";
 options = [
 "noauto"
diff --git a/hosts/midas/filesystems/default.nix b/hosts/midas/filesystems/default.nix
index 0abb186a..bdeba56d 100644
--- a/hosts/midas/filesystems/default.nix
+++ b/hosts/midas/filesystems/default.nix
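Review bot: The replacement line `device = "[${prophet}]:/storage";;` ends with a doubled semicolon, which Nix rejects as a syntax error inside an attribute set, so the kitty host configuration will no longer evaluate at all. It should read `device = "[${prophet}]:/storage";`, matching the same change made to the Prophet mount in hosts/tower/filesystems/default.nix. The enclosing `fileSystems` attribute set starts in the first hunk of this file and continues past the last line shown here.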
@@ -1,6 +1,6 @@
-{ ... }:
+{ config, ... }:
 {
- fileSystems = {
+ fileSystems = with config.services.mycelium.ips; {
 "/persist" = {
 device = "/dev/disk/by-uuid/acf95700-8669-45c7-9a72-bf3215b3c325";
 fsType = "btrfs";
@@ -11,7 +11,7 @@
 ];
 };
 "/kitty" = {
- device = "11.0.0.2:/storage/bun";
+ device = "[${kitty}]:/storage/bun";
 fsType = "nfs4";
 options = [
 "noauto"
diff --git a/hosts/tower/filesystems/default.nix b/hosts/tower/filesystems/default.nix
index 18b0e1ac..e8a8fc50 100644
--- a/hosts/tower/filesystems/default.nix
+++ b/hosts/tower/filesystems/default.nix
@@ -1,6 +1,6 @@
 { config, ... }:
 {
- fileSystems = {
+ fileSystems = with config.services.mycelium.ips; {
 # Games and such
 "/mnt/Linux1" = {
 device = "/dev/disk/by-uuid/b2901f8c-ffda-4b88-bb63-a9ea0c96ccb4";
@@ -40,7 +40,7 @@
 # Network mounts
 "/home/${config.sysusers.main}/Network/Midas" = {
- device = "11.0.0.1:/storage";
+ device = "[${midas}]:/storage";
 fsType = "nfs4";
 options = [
 "noauto"
@@ -49,7 +49,7 @@
 ];
 };
 "/home/${config.sysusers.main}/Network/Kitty" = {
- device = "11.0.0.2:/storage/bun";
+ device = "[${kitty}]:/storage/bun";
 fsType = "nfs4";
 options = [
 "noauto"
@@ -58,7 +58,7 @@
 ];
 };
 "/home/${config.sysusers.main}/Network/Prophet" = {
- device = "mx.nixfox.ca:/storage";
+ device = "[${prophet}]:/storage";
 fsType = "nfs4";
 options = [
 "noauto"
diff --git a/modules/home/programs/terminal/ssh/default.nix b/modules/home/programs/terminal/ssh/default.nix
index aa68a303..0e1f73e9 100644
--- a/modules/home/programs/terminal/ssh/default.nix
+++ b/modules/home/programs/terminal/ssh/default.nix
@@ -4,22 +4,12 @@
 enable = true;
 addKeysToAgent = "yes";
 compression = true;
- matchBlocks = with lib.hm.dag; {
+ matchBlocks = {
 # Personal servers
- nixfox = {
- match = ''canonical host "*.nixfox.ca"'';
- user = config.home.username;
- };
- midas = {
- hostname = "sv.nixfox.ca";
- };
- kitty = {
- hostname = "sv.nixfox.ca";
- port = 2222;
- };
- prophet = {
- hostname = "mx.nixfox.ca";
- };
+ tower.hostname = "577:84d1:b682:9ac3:b987:b78e:33d9:2060";
+ midas.hostname = "538:e163:87ba:f847:3646:18b6:6b01:d8f8";
+ kitty.hostname = "2607:fea8:431d:cba5:37b6:92f8:5be:7c56";
+ prophet.hostname = "42f:2737:2aed:4dee:cbe4:3c73:1918:ad9b";
 # Misc
 seneca = {
diff --git a/modules/system/devices/networking/mycelium/default.nix b/modules/system/devices/networking/mycelium/default.nix
index 0d178877..726b51de 100644
--- a/modules/system/devices/networking/mycelium/default.nix
+++ b/modules/system/devices/networking/mycelium/default.nix
@@ -1,5 +1,7 @@
 { ... }:
 {
+ imports = [ ./ips ];
+
 services.mycelium = {
 enable = true;
 openFirewall = true;
diff --git a/modules/system/devices/networking/mycelium/ips/default.nix b/modules/system/devices/networking/mycelium/ips/default.nix
new file mode 100644
index 00000000..4d94e0cb
--- /dev/null
+++ b/modules/system/devices/networking/mycelium/ips/default.nix
@@ -0,0 +1,13 @@
+{ config, lib, ... }:
+{
+ options.services.mycelium.ips = lib.mkOption {
+ type = lib.types.attrs;
+ };
+
+ config.services.mycelium.ips = {
+ tower = "577:84d1:b682:9ac3:b987:b78e:33d9:2060";
+ midas = "538:e163:87ba:f847:3646:18b6:6b01:d8f8";
+ kitty = "2607:fea8:431d:cba5:37b6:92f8:5be:7c56";
+ prophet = "42f:2737:2aed:4dee:cbe4:3c73:1918:ad9b";
+ };
+}
diff --git a/modules/system/services/general/ssh/fail2ban/default.nix b/modules/system/services/general/ssh/fail2ban/default.nix
index 15f4349d..acc00f8c 100644
--- a/modules/system/services/general/ssh/fail2ban/default.nix
+++ b/modules/system/services/general/ssh/fail2ban/default.nix
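Review bot: The four `*.hostname` addresses added here are a second, hand-maintained copy of the values this same commit defines in modules/system/devices/networking/mycelium/ips/default.nix, so a renumbered node has to be fixed in two places and the copies can drift without any evaluation error. If this home-manager module can see the NixOS configuration (for example through `osConfig`), derive them instead, e.g. `tower.hostname = osConfig.services.mycelium.ips.tower;` and likewise for the other three. The removed `kitty` block also carried `port = 2222;`; if kitty's sshd still listens there rather than on 22, the new one-line entry needs `kitty.port = 2222;` as well. Separately, replacing DNS names with bare IPs means existing known_hosts entries no longer match, so the first connection to each host falls back to trust-on-first-use; pinning the host keys for these addresses (NixOS `programs.ssh.knownHosts` or equivalent) would keep that from being a silent re-trust. The `matchBlocks` set continues past the end of this hunk.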
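Review bot: `type = lib.types.attrs;` on the new option accepts any value, so a list, a missing quote or a non-string slipped into this set is only noticed when the value is interpolated into an nftables rule or a mount `device` elsewhere; `type = lib.types.attrsOf lib.types.str;` plus a short `description` would reject it at option evaluation instead. Separately, the `kitty` value `2607:fea8:431d:cba5:…` does not fall in the 400::/7 range the other three addresses share and that mycelium appears to allocate from, so it looks like a global unicast address rather than an overlay one. If that is an ISP-assigned prefix it can change, and everything keyed on `kitty` in this commit — the NFS accept rule and the `/kitty` and `Network/Kitty` mounts — would then point at a stale or foreign address. Worth confirming it is the node's actual mycelium address before relying on it as an access-control identity.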
@@ -4,7 +4,6 @@
 enable = true;
 maxretry = 5;
 bantime = "10m";
- ignoreIP = [ "11.0.0.0/8" ];
 };
 environment.persistence."/persist".directories = [ "/var/lib/fail2ban" ];
diff --git a/modules/system/services/server/nfs/default.nix b/modules/system/services/server/nfs/default.nix
index b08ba2a4..4457c434 100644
--- a/modules/system/services/server/nfs/default.nix
+++ b/modules/system/services/server/nfs/default.nix
@@ -4,6 +4,8 @@
 config = lib.mkIf config.services.nfs.server.enable {
 services.nfs.server.exports = "/storage *(rw)";
- networking.firewall.extraInputRules = "ip saddr { 10.0.0.0/8, 11.0.0.0/8, ${config.secrets.ips.bun} } tcp dport 2049 accept";
+ networking.firewall.extraInputRules = with config.services.mycelium.ips; ''
+ ip6 saddr { ${tower}, ${midas}, ${kitty}, ${prophet} } tcp dport 2049 accept
+ '';
 };
 }
diff --git a/modules/system/services/server/nginx/rtmp/default.nix b/modules/system/services/server/nginx/rtmp/default.nix
index 4a619e05..faa91cf8 100644
--- a/modules/system/services/server/nginx/rtmp/default.nix
+++ b/modules/system/services/server/nginx/rtmp/default.nix
@@ -23,7 +23,10 @@
 }
 '';
 };
- networking.firewall.extraInputRules = "ip saddr { 11.0.0.0/8, ${config.secrets.ips.luna}, ${config.secrets.ips.corn} } tcp dport 1935 accept";
+ networking.firewall.extraInputRules = with config.services.mycelium.ips; ''
+ ip6 saddr ${tower} tcp dport 1935 accept
+ ip saddr { ${config.secrets.ips.luna}, ${config.secrets.ips.corn} } tcp dport 1935 accept
+ '';
 systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/var/www/landing-page/streams/hls/" ];
 };
 }
diff --git a/modules/system/services/server/owncast/default.nix b/modules/system/services/server/owncast/default.nix
index b98f402c..a4337e34 100644
--- a/modules/system/services/server/owncast/default.nix
+++ b/modules/system/services/server/owncast/default.nix
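Review bot: The context line `services.nfs.server.exports = "/storage *(rw)";` still exports the share read-write to every host, so the new nftables accept rule is the only thing between `/storage` and an arbitrary client; a firewall regression, an extra interface, or a later rule that accepts 2049 more broadly would expose it outright. Restricting the export to the same four hosts removes that single point of failure: `services.nfs.server.exports = with config.services.mycelium.ips; "/storage ${tower}(rw) ${midas}(rw) ${kitty}(rw) ${prophet}(rw)";` (exports(5) takes IPv6 addresses without the square brackets the mount side uses). The export also still relies on AUTH_SYS, so client-asserted UIDs are trusted; that predates this commit, but it makes the accuracy of the address list the whole access control.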
@@ -7,7 +7,9 @@
 port = 8060;
 rtmp-port = 1945;
 };
- networking.firewall.extraInputRules = "ip saddr 11.0.0.0/8 tcp dport 1945 accept";
+ networking.firewall.extraInputRules = ''
+ ip6 saddr ${tower} tcp dport 1935 accept
+ '';
 environment.persistence."/persist".directories = [ "/var/lib/owncast" ];
 };
 }
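Review bot: The added rule interpolates `${tower}` without the `with config.services.mycelium.ips;` prefix that the nfs and nginx/rtmp hunks in this same commit use, so unless the file binds `tower` somewhere above this hunk (not visible here) the module fails to evaluate with an undefined-variable error. The rule also opens `dport 1935` while the context line two lines up sets owncast's `rtmp-port = 1945;`, so after this change tower can no longer reach owncast's ingest port and 1935 is opened a second time next to the nginx rule. Both are fixed by `networking.firewall.extraInputRules = with config.services.mycelium.ips; ''` / `ip6 saddr ${tower} tcp dport 1945 accept` / `'';`.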