feat(rustdesk): add rustdesk

flake.nix

@@ -162,6 +162,17 @@
             sops-nix.nixosModules.sops
           ];
         };
+        rustdesk = nixpkgs.lib.nixosSystem {
+          system = "x86_64-linux";
+          specialArgs = {
+            inherit inputs upkgs;
+          };
+          modules = [
+            ./nix/machines/rustdesk
+
+            comin.nixosModules.comin
+          ];
+        };
       };
     };
 }

nix/machines/router/modules/bind.nix

@@ -259,6 +259,9 @@ in
         omada                IN  A   10.100.1.2
         s3                   IN  A   10.100.1.2
         *                    IN  A   10.99.20.1
+
+        ; untrusted
+        relay                IN  A   10.200.1.4
       '';
     };
 
@@ -288,6 +291,7 @@ in
         nas                  IN  A   10.100.10.1
         pbs                  IN  A   10.100.10.2
         piecyk               IN  A   10.100.100.10
+        rustdesk             IN  A   10.200.1.4
 
         ; extras
         $INCLUDE ${config.sops.secrets."bind/home_arpa_zone".path}

nix/machines/router/modules/firewall.nix

@@ -43,8 +43,12 @@ _: {
           iifname "untrst0" oifname "wan0" accept
           ip daddr 10.99.0.0/16 iifname "trst0" accept
 
-          # allow only wireguard connections from Internet
+          # allow wireguard connections from Internet
           udp dport 53201 iifname "wan0" accept
+
+          # allow rustdesk connections from Internet
+          tcp dport 21115-21117 iifname "wan0" accept
+          udp dport 21116 iifname "wan0" accept
         }
         chain OUTPUT {
           type filter hook output priority filter; policy accept;
@@ -60,6 +64,12 @@ _: {
 
           # port forward to wireguard daemon
           udp dport 53201 dnat to 10.42.1.2:53201
+
+          # port forward to rustdesk
+          tcp dport 21115 dnat to 10.200.1.4:21115
+          tcp dport 21116 dnat to 10.200.1.4:21116
+          tcp dport 21117 dnat to 10.200.1.4:21117
+          udp dport 21116 dnat to 10.200.1.4:21116
         }
 
         chain POSTROUTING {
@@ -73,8 +83,14 @@ _: {
           # port forward to main router
           ip daddr 192.168.100.1 masquerade
 
-          # port forward to wireguard daemon
-          udp dport 53201 masquerade
+          # port forward from wireguard daemon
+          udp sport 53201 masquerade
+
+          # port forward from rustdesk
+          tcp sport 21115 masquerade
+          tcp sport 21116 masquerade
+          tcp sport 21117 masquerade
+          udp sport 21116 masquerade
         };
       };
     '';

nix/machines/router/modules/kea.nix

@@ -205,6 +205,11 @@
                 "hw-address" = "02:00:0a:c8:01:02";
                 "ip-address" = "10.200.1.2";
               }
+              {
+                # rustdesk VM
+                "hw-address" = "02:00:0a:c8:01:04";
+                "ip-address" = "10.200.1.4";
+              }
             ];
             "option-data" = [
               {

nix/machines/rustdesk/default.nix

@@ -0,0 +1,32 @@
+{ pkgs, ... }:
+{
+  imports = [
+    ./hardware-configuration.nix
+    ./networking.nix
+
+    ../../modules/options.nix
+
+    ../../modules/attic-client.nix
+    ../../modules/cache.nix
+    ../../modules/comin.nix
+    ../../modules/locales.nix
+    ../../modules/os.nix
+    ../../modules/ssh.nix
+    ../../modules/users.nix
+    ../../modules/vm.nix
+
+    ./modules/boot.nix
+    ./modules/rustdesk.nix
+  ];
+
+  primaryUser = "ajgon";
+  currentHostname = "rustdesk";
+
+  # system packages
+  environment.systemPackages = with pkgs; [
+    git
+    vim
+  ];
+
+  system.stateVersion = "24.05";
+}

nix/machines/rustdesk/hardware-configuration.nix

@@ -0,0 +1,40 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ lib, modulesPath, ... }:
+
+{
+  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+
+  boot = {
+    initrd = {
+      availableKernelModules = [
+        "ata_piix"
+        "uhci_hcd"
+        "virtio_pci"
+        "virtio_scsi"
+        "sd_mod"
+        "sr_mod"
+      ];
+      kernelModules = [ ];
+    };
+    kernelModules = [ "kvm-intel" ];
+    extraModulePackages = [ ];
+  };
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-label/NIXROOT";
+    fsType = "ext4";
+  };
+
+  swapDevices = [ { device = "/dev/disk/by-label/NIXSWAP"; } ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}

nix/machines/rustdesk/modules/boot.nix

@@ -0,0 +1,6 @@
+_: {
+  boot.loader = {
+    grub.enable = true;
+    grub.device = "/dev/sda";
+  };
+}

nix/machines/rustdesk/modules/rustdesk.nix

@@ -0,0 +1,8 @@
+{ config, ... }:
+{
+  services.rustdesk-server = {
+    enable = true;
+    openFirewall = true;
+    relayIP = "relay.${config.remoteDomain}";
+  };
+}

nix/machines/rustdesk/networking.nix

@@ -0,0 +1,12 @@
+{ config, lib, ... }:
+{
+  networking = {
+    hostName = config.currentHostname;
+    networkmanager.enable = true;
+    enableIPv6 = false;
+    useDHCP = lib.mkForce true;
+    extraHosts = ''
+      10.200.1.2 attic.${config.remoteDomain}
+    '';
+  };
+}

nix/modules/monitoring.nix

@@ -1,8 +1,14 @@
 { config, ... }:
 {
   services.prometheus.exporters = {
-    node.enable = true;
-    systemd.enable = true;
+    node = {
+      enable = true;
+      openFirewall = true;
+    };
+    systemd = {
+      enable = true;
+      openFirewall = true;
+    };
   };
 
   services.promtail = {