jawz/NixOS
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

Add Linode host configuration and WireGuard setup

Browse Source 
- Introduced new configuration files for Linode host, including hardware configuration, toggles, and WireGuard settings.
- Updated flake.nix to include the new images.nix file for Linode image generation.
- Adjusted SSH key paths and secrets management for WireGuard to ensure proper integration with the new host setup.
- Enhanced firewall rules and NAT configuration for WireGuard to improve security and connectivity.
This commit is contained in:
Danilo Reyes
2025-10-28 13:30:35 -06:00
parent fd2962c306
commit 431e145992
13 changed files with 225 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

50
hosts/linode/configuration.nix Normal file
View File

@@ -0,0 +1,50 @@
{
pkgs,
config,
inputs,
...
}:
{
imports = [
./hardware-configuration.nix
./wireguard-linode.nix
../../config/base.nix
];
my = import ./toggles.nix { inherit config inputs; } // {
nix.cores = 2;
users.nixremote.enable = false;
network.firewall = {
enabledServicePorts = true;
additionalPorts = [ ];
};
};
networking.hostName = "linode";
services.openssh = {
enable = true;
openFirewall = true;
startWhenNeeded = false;
settings = {
PasswordAuthentication = false;
PermitRootLogin = "prohibit-password";
KbdInteractiveAuthentication = false;
};
};
security.fail2ban = {
enable = true;
maxretry = 5;
bantime = "1h";
};
environment.systemPackages = builtins.attrValues {
inherit (pkgs)
htop
iotop
tcpdump
wireguard-tools
;
};
system.autoUpgrade = {
enable = true;
dates = "weekly";
allowReboot = true;
};
}

47
hosts/linode/hardware-configuration.nix Normal file
View File

@@ -0,0 +1,47 @@
{ lib, modulesPath, ... }:
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot = {
tmp.cleanOnBoot = true;
kernel.sysctl = {
"net.core.default_qdisc" = "fq";
"net.ipv4.tcp_congestion_control" = "bbr";
"net.ipv4.conf.all.rp_filter" = 1;
"net.ipv4.conf.default.rp_filter" = 1;
"net.ipv4.icmp_echo_ignore_broadcasts" = 1;
"net.ipv4.conf.all.accept_source_route" = 0;
"net.ipv6.conf.all.accept_source_route" = 0;
"net.ipv4.conf.all.send_redirects" = 0;
"net.ipv4.tcp_syncookies" = 1;
};
loader.grub = {
enable = true;
device = "/dev/sda";
};
kernelModules = [
"virtio_pci"
"virtio_blk"
"virtio_net"
];
initrd = {
availableKernelModules = [
"virtio_pci"
"virtio_scsi"
"virtio_blk"
"virtio_net"
"9p"
"9pnet_virtio"
];
kernelModules = [ ];
};
extraModulePackages = [ ];
};
fileSystems."/" = {
device = "/dev/sda";
fsType = "ext4";
};
swapDevices = [ { device = "/dev/sdb"; } ];
networking.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.enableRedistributableFirmware = true;
}

25
hosts/linode/toggles.nix Normal file
View File

@@ -0,0 +1,25 @@
_: {
timeZone = "America/Mexico_City";
locale = "en_US.UTF-8";
wireguard.enable = true;
network.enable = true;
secureHost = true;
ips = {
vps = "51.222.141.104";
wg-vps = "10.77.0.1";
wg-server = "10.77.0.2";
wg-friend1 = "10.8.0.2";
wg-friends = "10.8.0.0";
};
interfaces = {
linode = "eth0";
};
dev = {
nix.enable = true;
sh.enable = true;
};
shell = {
tools.enable = true;
config.enable = true;
};
}

72
hosts/linode/wireguard-linode.nix Normal file
View File

@@ -0,0 +1,72 @@
{
config,
lib,
pkgs,
...
}:
{
config = lib.mkIf config.my.services.wireguard.enable {
sops.secrets."wireguard/linode/private" = {
sopsFile = ../../secrets/wireguard.yaml;
};
networking = {
nat = {
enable = true;
externalInterface = config.my.interfaces.${config.networking.hostName};
internalInterfaces = [ "wg0" ];
};
firewall = {
allowedUDPPorts = [ 51820 ];
extraCommands = ''
iptables -I FORWARD 1 -s ${config.my.ips.wg-friend1} -d ${config.my.ips.wg-server} -p tcp --dport 22000 -j ACCEPT
iptables -I FORWARD 2 -s ${config.my.ips.wg-server} -d ${config.my.ips.wg-friend1} -p tcp --sport 22000 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD 3 -s ${config.my.ips.wg-friends}/24 -d 10.77.0.0/24 -j DROP
iptables -I FORWARD 4 -s 10.77.0.0/24 -d ${config.my.ips.wg-friends}/24 -j DROP
iptables -A FORWARD -s ${config.my.ips.wg-friends}/24 -o ${
config.my.interfaces.${config.networking.hostName}
} -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
'';
extraStopCommands = ''
iptables -D FORWARD -s ${config.my.ips.wg-friend1} -d ${config.my.ips.wg-server} -p tcp --dport 22000 -j ACCEPT 2>/dev/null || true
iptables -D FORWARD -s ${config.my.ips.wg-server} -d ${config.my.ips.wg-friend1} -p tcp --sport 22000 -m state --state ESTABLISHED,RELATED -j ACCEPT 2>/dev/null || true
iptables -D FORWARD -s ${config.my.ips.wg-friends}/24 -d 10.77.0.0/24 -j DROP 2>/dev/null || true
iptables -D FORWARD -s 10.77.0.0/24 -d ${config.my.ips.wg-friends}/24 -j DROP 2>/dev/null || true
iptables -D FORWARD -s ${config.my.ips.wg-friends}/24 -o ${
config.my.interfaces.${config.networking.hostName}
} -j ACCEPT 2>/dev/null || true
iptables -D FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT 2>/dev/null || true
'';
};
wireguard.interfaces.wg0 = {
ips = [
"${config.my.ips.wg-vps}/24"
"${config.my.ips.wg-friends}/24"
];
listenPort = 51820;
privateKeyFile = config.sops.secrets."wireguard/linode/private".path;
postSetup = "${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s ${config.my.ips.wg-friends}/24 -o ${
config.my.interfaces.${config.networking.hostName}
} -j MASQUERADE";
postShutdown = "${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s ${config.my.ips.wg-friends}/24 -o ${
config.my.interfaces.${config.networking.hostName}
} -j MASQUERADE 2>/dev/null || true";
peers = [
{
publicKey = "OUiqluRaS4hmGvLJ3csQrnIM3Zzet50gsqtTABaUkH4=";
allowedIPs = [ "${config.my.ips.wg-server}/32" ];
}
{
publicKey = "rFgT6TXzRazK6GMazMNGjtOvzAAPST0LvCfN7QXsLho=";
allowedIPs = [ "${config.my.ips.wg-friend1}/32" ];
}
];
};
};
boot.kernel.sysctl = {
"net.ipv4.ip_forward" = 1;
"net.ipv6.conf.all.forwarding" = 1;
};
environment.systemPackages = [ pkgs.wireguard-tools ];
};
}