format document
This commit is contained in:
Danilo Reyes
@@ -7,25 +7,35 @@
|
|||||||
let
|
let
|
||||||
externalInterface = config.my.interfaces.${config.networking.hostName};
|
externalInterface = config.my.interfaces.${config.networking.hostName};
|
||||||
wgInterface = "wg0";
|
wgInterface = "wg0";
|
||||||
|
ips = {
|
||||||
homeServer = config.my.ips.wg-server;
|
homeServer = config.my.ips.wg-server;
|
||||||
wgFriendsSubnet = config.my.subnets.wg-friends;
|
|
||||||
wgGuestsSubnet = config.my.subnets.wg-guests;
|
|
||||||
wgServerSubnet = config.my.subnets.wg-homelab;
|
|
||||||
wgFriend1 = config.my.ips.wg-friend1;
|
wgFriend1 = config.my.ips.wg-friend1;
|
||||||
wgGuest1 = config.my.ips.wg-guest1;
|
wgGuest1 = config.my.ips.wg-guest1;
|
||||||
giteaSshPort = 22;
|
};
|
||||||
giteaSshPortStr = toString giteaSshPort;
|
subnets = {
|
||||||
sshPort = 3456;
|
wgFriends = config.my.subnets.wg-friends;
|
||||||
webPorts = [
|
wgGuests = config.my.subnets.wg-guests;
|
||||||
|
wgHomelab = config.my.subnets.wg-homelab;
|
||||||
|
};
|
||||||
|
ports = {
|
||||||
|
giteaSsh = 22;
|
||||||
|
ssh = 3456;
|
||||||
|
web = [
|
||||||
80
|
80
|
||||||
443
|
443
|
||||||
];
|
];
|
||||||
wgPort = 51820;
|
wg = 51820;
|
||||||
syncthingPort = toString 22000;
|
syncthing = 22000;
|
||||||
synapseFederationPort = toString 8448;
|
synapseFederation = 8448;
|
||||||
synapseClientPort = toString config.my.servers.synapse.port;
|
};
|
||||||
syncplayPort = toString config.my.servers.syncplay.port;
|
portsStr = {
|
||||||
stashPort = toString config.my.servers.stash.port;
|
giteaSsh = toString ports.giteaSsh;
|
||||||
|
syncthing = toString ports.syncthing;
|
||||||
|
synapseFederation = toString ports.synapseFederation;
|
||||||
|
synapseClient = toString config.my.servers.synapse.port;
|
||||||
|
syncplay = toString config.my.servers.syncplay.port;
|
||||||
|
stash = toString config.my.servers.stash.port;
|
||||||
|
};
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
imports = [
|
imports = [
|
||||||
@@ -43,8 +53,12 @@ in
|
|||||||
];
|
];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
sops.age = {
|
||||||
|
generateKey = true;
|
||||||
|
keyFile = "/var/lib/sops-nix/key.txt";
|
||||||
|
sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
||||||
|
};
|
||||||
image.modules.linode = { };
|
image.modules.linode = { };
|
||||||
services.smartd.enable = lib.mkForce false;
|
|
||||||
environment.systemPackages = [ ];
|
environment.systemPackages = [ ];
|
||||||
networking = {
|
networking = {
|
||||||
hostName = "vps";
|
hostName = "vps";
|
||||||
@@ -54,9 +68,9 @@ in
|
|||||||
internalInterfaces = [ "wg0" ];
|
internalInterfaces = [ "wg0" ];
|
||||||
forwardPorts = [
|
forwardPorts = [
|
||||||
{
|
{
|
||||||
sourcePort = giteaSshPort;
|
sourcePort = ports.giteaSsh;
|
||||||
proto = "tcp";
|
proto = "tcp";
|
||||||
destination = "${homeServer}:${giteaSshPortStr}";
|
destination = "${ips.homeServer}:${portsStr.giteaSsh}";
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
@@ -67,7 +81,7 @@ in
|
|||||||
content = ''
|
content = ''
|
||||||
chain postrouting {
|
chain postrouting {
|
||||||
type nat hook postrouting priority srcnat;
|
type nat hook postrouting priority srcnat;
|
||||||
iifname "${externalInterface}" oifname "${wgInterface}" ip daddr ${homeServer}/32 tcp dport ${giteaSshPortStr} masquerade comment "snat ssh forward"
|
iifname "${externalInterface}" oifname "${wgInterface}" ip daddr ${ips.homeServer}/32 tcp dport ${portsStr.giteaSsh} masquerade comment "snat ssh forward"
|
||||||
}
|
}
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
@@ -76,28 +90,28 @@ in
|
|||||||
enable = true;
|
enable = true;
|
||||||
filterForward = true;
|
filterForward = true;
|
||||||
checkReversePath = "loose";
|
checkReversePath = "loose";
|
||||||
allowedTCPPorts = [ sshPort ] ++ webPorts;
|
allowedTCPPorts = [ ports.ssh ] ++ ports.web;
|
||||||
allowedUDPPorts = [ wgPort ];
|
allowedUDPPorts = [ ports.wg ];
|
||||||
extraForwardRules = ''
|
extraForwardRules = ''
|
||||||
iifname "${wgInterface}" ip saddr ${wgFriendsSubnet} ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept
|
iifname "${wgInterface}" ip saddr ${subnets.wgFriends} ip daddr ${ips.homeServer}/32 tcp dport ${portsStr.syncthing} accept
|
||||||
iifname "${wgInterface}" ip saddr ${homeServer}/32 ip daddr ${wgFriendsSubnet} tcp dport ${syncthingPort} accept
|
iifname "${wgInterface}" ip saddr ${ips.homeServer}/32 ip daddr ${subnets.wgFriends} tcp dport ${portsStr.syncthing} accept
|
||||||
|
|
||||||
iifname "${wgInterface}" ip saddr ${wgFriendsSubnet} ip daddr ${homeServer}/32 tcp dport { ${synapseClientPort}, ${synapseFederationPort}, ${syncplayPort} } accept
|
iifname "${wgInterface}" ip saddr ${subnets.wgFriends} ip daddr ${ips.homeServer}/32 tcp dport { ${portsStr.synapseClient}, ${portsStr.synapseFederation}, ${portsStr.syncplay} } accept
|
||||||
|
|
||||||
iifname "${wgInterface}" ip saddr ${wgFriendsSubnet} ip daddr ${homeServer}/32 icmp type echo-request accept
|
iifname "${wgInterface}" ip saddr ${subnets.wgFriends} ip daddr ${ips.homeServer}/32 icmp type echo-request accept
|
||||||
iifname "${wgInterface}" ip saddr ${wgFriend1}/32 ip daddr ${homeServer}/32 tcp dport ${stashPort} accept
|
iifname "${wgInterface}" ip saddr ${ips.wgFriend1}/32 ip daddr ${ips.homeServer}/32 tcp dport ${portsStr.stash} accept
|
||||||
iifname "${wgInterface}" ip saddr ${wgGuest1}/32 ip daddr ${homeServer}/32 tcp dport ${stashPort} accept
|
iifname "${wgInterface}" ip saddr ${ips.wgGuest1}/32 ip daddr ${ips.homeServer}/32 tcp dport ${portsStr.stash} accept
|
||||||
iifname "${wgInterface}" ip saddr ${wgGuestsSubnet} ip daddr ${homeServer}/32 icmp type echo-request accept
|
iifname "${wgInterface}" ip saddr ${subnets.wgGuests} ip daddr ${ips.homeServer}/32 icmp type echo-request accept
|
||||||
|
|
||||||
iifname "${wgInterface}" ip saddr ${wgFriendsSubnet} oifname "${externalInterface}" accept
|
iifname "${wgInterface}" ip saddr ${subnets.wgFriends} oifname "${externalInterface}" accept
|
||||||
iifname "${wgInterface}" ip saddr ${wgGuestsSubnet} oifname "${externalInterface}" accept
|
iifname "${wgInterface}" ip saddr ${subnets.wgGuests} oifname "${externalInterface}" accept
|
||||||
|
|
||||||
ip saddr ${wgFriendsSubnet} ip daddr ${wgServerSubnet} drop
|
ip saddr ${subnets.wgFriends} ip daddr ${subnets.wgHomelab} drop
|
||||||
ip saddr ${wgServerSubnet} ip daddr ${wgFriendsSubnet} drop
|
ip saddr ${subnets.wgHomelab} ip daddr ${subnets.wgFriends} drop
|
||||||
ip saddr ${wgGuestsSubnet} ip daddr ${wgServerSubnet} drop
|
ip saddr ${subnets.wgGuests} ip daddr ${subnets.wgHomelab} drop
|
||||||
ip saddr ${wgServerSubnet} ip daddr ${wgGuestsSubnet} drop
|
ip saddr ${subnets.wgHomelab} ip daddr ${subnets.wgGuests} drop
|
||||||
ip saddr ${wgGuestsSubnet} ip daddr ${wgFriendsSubnet} drop
|
ip saddr ${subnets.wgGuests} ip daddr ${subnets.wgFriends} drop
|
||||||
ip saddr ${wgFriendsSubnet} ip daddr ${wgGuestsSubnet} drop
|
ip saddr ${subnets.wgFriends} ip daddr ${subnets.wgGuests} drop
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
@@ -112,11 +126,9 @@ in
|
|||||||
];
|
];
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
services.openssh.ports = [ sshPort ];
|
services = {
|
||||||
sops.age = {
|
smartd.enable = lib.mkForce false;
|
||||||
generateKey = true;
|
openssh.ports = [ ports.ssh ];
|
||||||
keyFile = "/var/lib/sops-nix/key.txt";
|
|
||||||
sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
|
||||||
};
|
};
|
||||||
users = {
|
users = {
|
||||||
groups = {
|
groups = {
|
||||||
|
|||||||
Reference in New Issue
Block a user