chore(services): Disable garage and enable shadowsocks

fix(OVHCloud): Properly configure podman
feat(services): Added shadowsocks service
2024-10-02 15:03:21 +02:00 · 2024-10-02 15:03:00 +02:00 · 2024-10-02 15:02:13 +02:00 · 2024-10-02 09:18:41 +02:00
5 changed files with 61 additions and 5 deletions
--- a/hosts/OVHCloud/default.nix
+++ b/hosts/OVHCloud/default.nix
@ -31,6 +31,17 @@
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHQyRXFQ6iA5p0vDuoGSHZfajiVZPAGIyqhTziM7QgBV gaspard@nixos"
  ];
  # Podman
  virtualisation = {
    containers.enable = true;
    oci-containers.backend = "podman";
    podman = {
      enable = true;
      # Required for containers under podman-compose to be able to talk to each other.
      defaultNetwork.settings.dns_enabled = true;
    };
  };
  environment.systemPackages = with pkgs; [
    helix
    git
--- a/secrets/OVHCloud.yaml
+++ b/secrets/OVHCloud.yaml
@ -5,6 +5,8 @@ caddy:
    ovh_consumer_key: ENC[AES256_GCM,data:oFLHB7obwz3F59Vt8LRxpKaHBjEaoYCrKLKPoqVHz4M=,iv:rXxR2Nv3YaT2QubZUqIi60RxaHe9ZaIT9hLiogbPVFw=,tag:5m+xXEUbN+a2fHCf+EXf9A==,type:str]
 garage:
    RPC_SECRET: ENC[AES256_GCM,data:OJbIST1mtpqMNk+MKnGFy6+tXjc6aEOMIWnfs8QY9ozpxN2apAN7ZrjAAZc3J7ORUIhUQh8Vjkb1EhxdqGxERA==,iv:NhREhGE0wz3/0sdXUxuDqWaPdjeeQFau2OEVsqpV3F0=,tag:yGYd5txtVQzIOchh2L/XXQ==,type:str]
 shadowsocks:
    password: ENC[AES256_GCM,data:IdAvKXKckwvZUetkYSFTIPxd8nrwm13Ngc3KVDSmiW3AE4Rhmjk2VHjdUyQ=,iv:LVeQcL7XIEQyMTsXpXIROGte2+Z9+7FpemfiwhA0Pw0=,tag:qt+8jgN5UqwMeCV+D3stEQ==,type:str]
 wireguard:
    private_key: ENC[AES256_GCM,data:fjaBcBplx4IOrbnT8PZwUl6m4j4sdiObJYJXSrzCOqXcL3Qyymj4HUPSBuM=,iv:4XVH1d0/PTfVHKtDoziOD3b+TGXafNEGNgqAUtQsoD8=,tag:c/9AQO5TmLPGvIRN59KMZg==,type:str]
    public_key: ENC[AES256_GCM,data:zHQkA3wu7Kn9wnODn65zHKGX3qBvhRa0H/cSlg/8TjyTNtaMgY3Y0RiQEr4=,iv:kaWxt11DR4jZzgfoA7PDg/wPc6VqSoyuFU4KllOzZjY=,tag:acA0M4Eq0AR4FjFJZ4l13w==,type:str]
@ -32,8 +34,8 @@ sops:
            MFpMemF4MGg1bmVUeWV5N25LTUtyczQKss0x4zT1kyeRu+qenhrdbcPlU/p+yjVN
            y3j4eGpnwgc2rxSL9vkrrkzx/atUqUkgGU/YstszUrP6XKbJ+9ydpQ==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-10-02T06:58:48Z"
+    lastmodified: "2024-10-02T07:32:18Z"
-    mac: ENC[AES256_GCM,data:REJysIueXjjxMVFMNNR3gyuRJgbDmerIo/Fb8I+QP4812sa7wAWCx7caaeUVXmbIjyX0qEVwMocav2vTgL4GnwSmKK9EpOUb8WoV3ZzTqzhbEGD5frE6fEVvvnOMwhtrh3K2KuMUmy4VkWI34naSel+pzvYa5Tfu7n+YvNyfhW4=,iv:onGPouQFfMO+X1q2rMsaV9oR3l86k3J7wY7bQNJp8wY=,tag:L4RM66rRWFQKpIeSC7mQyA==,type:str]
+    mac: ENC[AES256_GCM,data:0fwZxJO2LKpwV4+IYbBSyrqcQt4RrqlF/2OM8vP+3B/AI3Ny6LSP851IXdwzIMtMLiGBnvl787sXmZWPcUaizq3XmQR7t9lX/q4WkgVIDZ5JQtmHc4TSYDIxECBAQ5P4V6CNsUw3gjC5X4OSLtSfil/pAXbcMFKdlVLgP4S6wMU=,iv:UlJPlLFx2y/YJQWEDCY4NyqkZuQjNH8yCeELzoa3IoU=,tag:JI1tTnMSnQiWXVZmqb+ykA==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.0
--- a/services/default.nix
+++ b/services/default.nix
@ -1,7 +1,7 @@
 {
  imports = [
    ./shadowsocks
    ./uptime-kuma
    ./garage
    ./wireguard
  ];
 }
--- a/services/shadowsocks/default.nix
+++ b/services/shadowsocks/default.nix
@ -0,0 +1,43 @@
 {
  config,
  pkgs,
  ...
 }: let
  port = "8388";
 in {
  sops.secrets."shadowsocks/password".owner = "root";
  sops.templates."shadowsocks/config.json" = {
    content = ''
      {
          "server": "0.0.0.0",
          "server_port": ${port},
          "password": "${config.sops.placeholder."shadowsocks/password"}",
          "method": "aes-256-gcm",
          "timeout": 300,
          "plugin": "${pkgs.shadowsocks-v2ray-plugin}/bin/v2ray-plugin",
          "plugin_opts":"server;loglevel=none",
          "local_port": ${port},
          "local_address": "127.0.0.1"
      }
    '';
    owner = "root";
  };
  services.caddy.virtualHosts."shadowsocks.gasdev.fr".extraConfig = ''
    reverse_proxy http://127.0.0.1:${port}
  '';
  systemd.services = {
    shadowsocks = {
      description = "Shadowsocks tunnel";
      after = ["network-online.target"];
      wants = ["network-online.target"];
      enable = true;
      serviceConfig = {
        Restart = "always";
        ExecStart = "${pkgs.shadowsocks-rust}/bin/ssserver -c ${config.sops.templates."shadowsocks/config.json".path}";
      };
    };
  };
 }
--- a/services/wireguard/default.nix
+++ b/services/wireguard/default.nix
@ -20,12 +20,12 @@
      # This allows the wireguard server to route your traffic to the internet and hence be like a VPN
      # For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
      postSetup = ''
-        ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
+        ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ens3 -j MASQUERADE
      '';
      # This undoes the above command
      postShutdown = ''
-        ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
+        ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o ens3 -j MASQUERADE
      '';
      # Path to the private key file.
Author	SHA1	Message	Date
GaspardCulis	c30a74895d	chore(services): Disable `garage` and enable `shadowsocks`	2024-10-02 15:03:21 +02:00
GaspardCulis	34c106dadc	fix(OVHCloud): Properly configure podman	2024-10-02 15:03:00 +02:00
GaspardCulis	f48456452b	feat(services): Added `shadowsocks` service	2024-10-02 15:02:13 +02:00
GaspardCulis	1e7b7e168e	fix(services -> wireguard): Fixed masquerade interface name	2024-10-02 09:18:41 +02:00