jawz/NixOS
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

ip declarations

Browse Source
This commit is contained in:
Danilo Reyes
2026-02-05 17:02:20 -06:00
parent c09268891e
commit afbffaa203
3 changed files with 75 additions and 74 deletions
Download Patch File Download Diff File Expand all files Collapse all files

134
hosts/vps/configuration.nix
View File

@@ -2,13 +2,8 @@
config,
lib,
inputs,
pkgs,
...
}:
let
externalInterface = config.my.interfaces.${config.networking.hostName};
homeServer = config.my.ips.wg-server;
in
{
imports = [
./hardware-configuration.nix
@@ -25,67 +20,77 @@ in
];
};
};
networking.firewall = {
enable = true;
allowedTCPPorts = [
80
443
3456
];
allowedUDPPorts = [ 51820 ];
extraForwardRules = ''
ct state established,related accept
ip daddr ${homeServer}/32 tcp dport { 22, 51412 } accept
ip daddr ${homeServer}/32 udp dport 51412 accept
ip saddr 10.8.0.2/32 ip daddr ${homeServer}/32 tcp dport 22000 accept
ip saddr 10.8.0.3/32 ip daddr ${homeServer}/32 tcp dport 22000 accept
ip saddr 10.8.0.4/32 ip daddr ${homeServer}/32 tcp dport 22000 accept
ip saddr 10.8.0.5/32 ip daddr ${homeServer}/32 tcp dport 22000 accept
ip saddr ${homeServer}/32 ip daddr 10.8.0.2/32 tcp dport 22000 accept
ip saddr ${homeServer}/32 ip daddr 10.8.0.3/32 tcp dport 22000 accept
ip saddr ${homeServer}/32 ip daddr 10.8.0.4/32 tcp dport 22000 accept
ip saddr ${homeServer}/32 ip daddr 10.8.0.5/32 tcp dport 22000 accept
ip saddr 10.8.0.0/24 ip daddr ${homeServer}/32 tcp dport { 8008, 8448, 8999 } accept
ip saddr 10.8.0.0/24 ip daddr ${homeServer}/32 icmp type echo-request accept
ip saddr ${homeServer}/32 ip daddr 10.8.0.0/24 icmp type echo-reply accept
ip saddr 10.9.0.0/24 ip daddr ${homeServer}/32 tcp dport 9999 accept
ip saddr 10.9.0.0/24 ip daddr ${homeServer}/32 icmp type echo-request accept
ip saddr ${homeServer}/32 ip daddr 10.9.0.0/24 icmp type echo-reply accept
ip saddr 10.8.0.0/24 oifname "${externalInterface}" accept
ip saddr 10.9.0.0/24 oifname "${externalInterface}" accept
ip saddr 10.8.0.0/24 ip daddr 10.77.0.0/24 drop
ip saddr 10.77.0.0/24 ip daddr 10.8.0.0/24 drop
ip saddr 10.9.0.0/24 ip daddr 10.77.0.0/24 drop
ip saddr 10.77.0.0/24 ip daddr 10.9.0.0/24 drop
ip saddr 10.9.0.0/24 ip daddr 10.8.0.0/24 drop
ip saddr 10.8.0.0/24 ip daddr 10.9.0.0/24 drop
'';
extraCommands = ''
iptables -t nat -A PREROUTING -p tcp --dport 22 -j DNAT --to-destination ${homeServer}:22
iptables -t nat -A PREROUTING -p tcp --dport 51412 -j DNAT --to-destination ${homeServer}:51412
iptables -t nat -A PREROUTING -p udp --dport 51412 -j DNAT --to-destination ${homeServer}:51412
iptables -t nat -A POSTROUTING -d ${homeServer}/32 -p tcp --dport 22 -j MASQUERADE
iptables -t nat -A POSTROUTING -d ${homeServer}/32 -p tcp --dport 51412 -j MASQUERADE
iptables -t nat -A POSTROUTING -d ${homeServer}/32 -p udp --dport 51412 -j MASQUERADE
'';
extraStopCommands = ''
iptables -t nat -D PREROUTING -p tcp --dport 22 -j DNAT --to-destination ${homeServer}:22 || true
iptables -t nat -D PREROUTING -p tcp --dport 51412 -j DNAT --to-destination ${homeServer}:51412 || true
iptables -t nat -D PREROUTING -p udp --dport 51412 -j DNAT --to-destination ${homeServer}:51412 || true
iptables -t nat -D POSTROUTING -d ${homeServer}/32 -p tcp --dport 22 -j MASQUERADE || true
iptables -t nat -D POSTROUTING -d ${homeServer}/32 -p tcp --dport 51412 -j MASQUERADE || true
iptables -t nat -D POSTROUTING -d ${homeServer}/32 -p udp --dport 51412 -j MASQUERADE || true
'';
};
image.modules.linode = { };
networking.hostName = "vps";
services.smartd.enable = lib.mkForce false;
environment.systemPackages = [ ];
networking.firewall =
let
externalInterface = config.my.interfaces.${config.networking.hostName};
homeServer = config.my.ips.wg-server;
wgSubnet = "${config.my.ips.wg-s}/24";
wgFriendsSubnet = "${config.my.ips.wg-friends}/24";
wgGuestsSubnet = "${config.my.ips.wg-gs}/24";
wgFriend1 = config.my.ips.wg-friend1;
wgFriend2 = config.my.ips.wg-friend2;
wgFriend3 = config.my.ips.wg-friend3;
wgFriend4 = config.my.ips.wg-friend4;
giteaSshPort = toString 22;
syncthingPort = toString 22000;
synapseFederationPort = toString 8448;
synapseClientPort = toString config.my.servers.synapse.port;
syncplayPort = toString config.my.servers.syncplay.port;
stashPort = toString config.my.servers.stash.port;
in
{
enable = true;
allowedTCPPorts = [
80
443
3456
];
allowedUDPPorts = [ 51820 ];
extraForwardRules = ''
ip saddr ${wgFriend1}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept
ip saddr ${wgFriend2}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept
ip saddr ${wgFriend3}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept
ip saddr ${wgFriend4}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept
ip saddr ${homeServer}/32 ip daddr ${wgFriend1}/32 tcp dport ${syncthingPort} accept
ip saddr ${homeServer}/32 ip daddr ${wgFriend2}/32 tcp dport ${syncthingPort} accept
ip saddr ${homeServer}/32 ip daddr ${wgFriend3}/32 tcp dport ${syncthingPort} accept
ip saddr ${homeServer}/32 ip daddr ${wgFriend4}/32 tcp dport ${syncthingPort} accept
ip saddr ${wgFriendsSubnet} ip daddr ${homeServer}/32 tcp dport { ${synapseClientPort}, ${synapseFederationPort}, ${syncplayPort} } accept
ip saddr ${wgFriendsSubnet} ip daddr ${homeServer}/32 icmp type echo-request accept
ip saddr ${homeServer}/32 ip daddr ${wgFriendsSubnet} icmp type echo-reply accept
ip saddr ${wgGuestsSubnet} ip daddr ${homeServer}/32 tcp dport ${stashPort} accept
ip saddr ${wgGuestsSubnet} ip daddr ${homeServer}/32 icmp type echo-request accept
ip saddr ${homeServer}/32 ip daddr ${wgGuestsSubnet} icmp type echo-reply accept
ip saddr ${wgFriendsSubnet} ip daddr ${wgSubnet} drop
ip saddr ${wgSubnet} ip daddr ${wgFriendsSubnet} drop
ip saddr ${wgGuestsSubnet} ip daddr ${wgSubnet} drop
ip saddr ${wgSubnet} ip daddr ${wgGuestsSubnet} drop
ip saddr ${wgGuestsSubnet} ip daddr ${wgFriendsSubnet} drop
ip saddr ${wgFriendsSubnet} ip daddr ${wgGuestsSubnet} drop
'';
extraCommands = ''
iptables -t nat -A PREROUTING -p tcp --dport ${giteaSshPort} -j DNAT --to-destination ${homeServer}:${giteaSshPort}
iptables -t nat -A POSTROUTING -d ${homeServer}/32 -p tcp --dport ${giteaSshPort} -j MASQUERADE
iptables -t nat -A POSTROUTING -s ${wgFriendsSubnet} -o ${externalInterface} -j MASQUERADE
iptables -t nat -A POSTROUTING -s ${wgGuestsSubnet} -o ${externalInterface} -j MASQUERADE
'';
extraStopCommands = ''
iptables -t nat -D PREROUTING -p tcp --dport ${giteaSshPort} -j DNAT --to-destination ${homeServer}:${giteaSshPort} || true
iptables -t nat -D POSTROUTING -d ${homeServer}/32 -p tcp --dport ${giteaSshPort} -j MASQUERADE || true
iptables -t nat -D POSTROUTING -s ${wgFriendsSubnet} -o ${externalInterface} -j MASQUERADE || true
iptables -t nat -D POSTROUTING -s ${wgGuestsSubnet} -o ${externalInterface} -j MASQUERADE || true
'';
};
security.sudo-rs.extraRules = [
{
users = [ "nixremote" ];
@@ -121,5 +126,4 @@ in
};
};
};
environment.systemPackages = [ ];
}

5
modules/modules.nix
View File

@@ -50,10 +50,13 @@ in
miniserver = "192.168.1.100";
workstation = "192.168.100.18";
vps = "45.33.0.228";
wg-s = "10.77.0.0";
wg-vps = "10.77.0.1";
wg-server = "10.77.0.2";
wg-g1 = "10.9.0.2";
wg-gs = "10.9.0.0";
wg-g0 = "10.9.0.1";
wg-g1 = "10.9.0.2";
wg-friend0 = "10.8.0.1";
wg-friend1 = "10.8.0.2";
wg-friend2 = "10.8.0.3";
wg-friend3 = "10.8.0.4";

10
modules/services/wireguard.nix
View File

@@ -5,7 +5,6 @@
}:
let
port = 51820;
interface = config.my.interfaces.${config.networking.hostName};
in
{
options.my.services.wireguard.enable = lib.mkEnableOption "WireGuard VPN configuration";
@@ -13,16 +12,11 @@ in
sops.secrets."vps/server/private".sopsFile = ../../secrets/wireguard.yaml;
networking = {
firewall.allowedUDPPorts = [ port ];
nat = {
enable = true;
externalInterface = interface;
internalInterfaces = [ "wg0" ];
};
wireguard.interfaces.wg0 = {
ips = [
"${config.my.ips.wg-vps}/24"
"10.8.0.1/24"
"10.9.0.1/24"
"${config.my.ips.wg-friend0}/24"
"${config.my.ips.wg-g0}/24"
];
listenPort = port;
postSetup = "";