From afbffaa2031696455b71aea18545242880f873a4 Mon Sep 17 00:00:00 2001
From: Danilo Reyes
Date: Thu, 5 Feb 2026 17:02:20 -0600
Subject: [PATCH] ip declarations
---
 hosts/vps/configuration.nix | 134 +++++++++++++++++----------------
 modules/modules.nix | 5 +-
 modules/services/wireguard.nix | 10 +--
 3 files changed, 75 insertions(+), 74 deletions(-)
diff --git a/hosts/vps/configuration.nix b/hosts/vps/configuration.nix
index 2af6424..e908a76 100644
--- a/hosts/vps/configuration.nix
+++ b/hosts/vps/configuration.nix
@@ -2,13 +2,8 @@
 config,
 lib,
 inputs,
- pkgs,
 ...
 }:
-let
- externalInterface = config.my.interfaces.${config.networking.hostName};
- homeServer = config.my.ips.wg-server;
-in
 {
 imports = [
 ./hardware-configuration.nix
@@ -25,67 +20,77 @@ in
 ];
 };
 };
- networking.firewall = {
- enable = true;
- allowedTCPPorts = [
- 80
- 443
- 3456
- ];
- allowedUDPPorts = [ 51820 ];
- extraForwardRules = ''
- ct state established,related accept
-
- ip daddr ${homeServer}/32 tcp dport { 22, 51412 } accept
- ip daddr ${homeServer}/32 udp dport 51412 accept
-
- ip saddr 10.8.0.2/32 ip daddr ${homeServer}/32 tcp dport 22000 accept
- ip saddr 10.8.0.3/32 ip daddr ${homeServer}/32 tcp dport 22000 accept
- ip saddr 10.8.0.4/32 ip daddr ${homeServer}/32 tcp dport 22000 accept
- ip saddr 10.8.0.5/32 ip daddr ${homeServer}/32 tcp dport 22000 accept
- ip saddr ${homeServer}/32 ip daddr 10.8.0.2/32 tcp dport 22000 accept
- ip saddr ${homeServer}/32 ip daddr 10.8.0.3/32 tcp dport 22000 accept
- ip saddr ${homeServer}/32 ip daddr 10.8.0.4/32 tcp dport 22000 accept
- ip saddr ${homeServer}/32 ip daddr 10.8.0.5/32 tcp dport 22000 accept
-
- ip saddr 10.8.0.0/24 ip daddr ${homeServer}/32 tcp dport { 8008, 8448, 8999 } accept
-
- ip saddr 10.8.0.0/24 ip daddr ${homeServer}/32 icmp type echo-request accept
- ip saddr ${homeServer}/32 ip daddr 10.8.0.0/24 icmp type echo-reply accept
-
- ip saddr 10.9.0.0/24 ip daddr ${homeServer}/32 tcp dport 9999 accept
- ip saddr 10.9.0.0/24 ip daddr ${homeServer}/32 icmp type echo-request accept
- ip saddr ${homeServer}/32 ip daddr 10.9.0.0/24 icmp type echo-reply accept
-
- ip saddr 10.8.0.0/24 oifname "${externalInterface}" accept
- ip saddr 10.9.0.0/24 oifname "${externalInterface}" accept
-
- ip saddr 10.8.0.0/24 ip daddr 10.77.0.0/24 drop
- ip saddr 10.77.0.0/24 ip daddr 10.8.0.0/24 drop
- ip saddr 10.9.0.0/24 ip daddr 10.77.0.0/24 drop
- ip saddr 10.77.0.0/24 ip daddr 10.9.0.0/24 drop
- ip saddr 10.9.0.0/24 ip daddr 10.8.0.0/24 drop
- ip saddr 10.8.0.0/24 ip daddr 10.9.0.0/24 drop
- '';
- extraCommands = ''
- iptables -t nat -A PREROUTING -p tcp --dport 22 -j DNAT --to-destination ${homeServer}:22
- iptables -t nat -A PREROUTING -p tcp --dport 51412 -j DNAT --to-destination ${homeServer}:51412
- iptables -t nat -A PREROUTING -p udp --dport 51412 -j DNAT --to-destination ${homeServer}:51412
- iptables -t nat -A POSTROUTING -d ${homeServer}/32 -p tcp --dport 22 -j MASQUERADE
- iptables -t nat -A POSTROUTING -d ${homeServer}/32 -p tcp --dport 51412 -j MASQUERADE
- iptables -t nat -A POSTROUTING -d ${homeServer}/32 -p udp --dport 51412 -j MASQUERADE
- '';
- extraStopCommands = ''
- iptables -t nat -D PREROUTING -p tcp --dport 22 -j DNAT --to-destination ${homeServer}:22 || true
- iptables -t nat -D PREROUTING -p tcp --dport 51412 -j DNAT --to-destination ${homeServer}:51412 || true
- iptables -t nat -D PREROUTING -p udp --dport 51412 -j DNAT --to-destination ${homeServer}:51412 || true
- iptables -t nat -D POSTROUTING -d ${homeServer}/32 -p tcp --dport 22 -j MASQUERADE || true
- iptables -t nat -D POSTROUTING -d ${homeServer}/32 -p tcp --dport 51412 -j MASQUERADE || true
- iptables -t nat -D POSTROUTING -d ${homeServer}/32 -p udp --dport 51412 -j MASQUERADE || true
- '';
- };
 image.modules.linode = { };
 networking.hostName = "vps";
+ services.smartd.enable = lib.mkForce false;
+ environment.systemPackages = [ ];
+ networking.firewall =
+ let
+ externalInterface = config.my.interfaces.${config.networking.hostName};
+
+ homeServer = config.my.ips.wg-server;
+ wgSubnet = "${config.my.ips.wg-s}/24";
+ wgFriendsSubnet = "${config.my.ips.wg-friends}/24";
+ wgGuestsSubnet = "${config.my.ips.wg-gs}/24";
+ wgFriend1 = config.my.ips.wg-friend1;
+ wgFriend2 = config.my.ips.wg-friend2;
+ wgFriend3 = config.my.ips.wg-friend3;
+ wgFriend4 = config.my.ips.wg-friend4;
+
+ giteaSshPort = toString 22;
+ syncthingPort = toString 22000;
+ synapseFederationPort = toString 8448;
+ synapseClientPort = toString config.my.servers.synapse.port;
+ syncplayPort = toString config.my.servers.syncplay.port;
+ stashPort = toString config.my.servers.stash.port;
+ in
+ {
+ enable = true;
+ allowedTCPPorts = [
+ 80
+ 443
+ 3456
+ ];
+ allowedUDPPorts = [ 51820 ];
+ extraForwardRules = ''
+ ip saddr ${wgFriend1}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept
+ ip saddr ${wgFriend2}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept
+ ip saddr ${wgFriend3}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept
+ ip saddr ${wgFriend4}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept
+ ip saddr ${homeServer}/32 ip daddr ${wgFriend1}/32 tcp dport ${syncthingPort} accept
+ ip saddr ${homeServer}/32 ip daddr ${wgFriend2}/32 tcp dport ${syncthingPort} accept
+ ip saddr ${homeServer}/32 ip daddr ${wgFriend3}/32 tcp dport ${syncthingPort} accept
+ ip saddr ${homeServer}/32 ip daddr ${wgFriend4}/32 tcp dport ${syncthingPort} accept
+
+ ip saddr ${wgFriendsSubnet} ip daddr ${homeServer}/32 tcp dport { ${synapseClientPort}, ${synapseFederationPort}, ${syncplayPort} } accept
+
+ ip saddr ${wgFriendsSubnet} ip daddr ${homeServer}/32 icmp type echo-request accept
+ ip saddr ${homeServer}/32 ip daddr ${wgFriendsSubnet} icmp type echo-reply accept
+
+ ip saddr ${wgGuestsSubnet} ip daddr ${homeServer}/32 tcp dport ${stashPort} accept
+ ip saddr ${wgGuestsSubnet} ip daddr ${homeServer}/32 icmp type echo-request accept
+ ip saddr ${homeServer}/32 ip daddr ${wgGuestsSubnet} icmp type echo-reply accept
+
+ ip saddr ${wgFriendsSubnet} ip daddr ${wgSubnet} drop
+ ip saddr ${wgSubnet} ip daddr ${wgFriendsSubnet} drop
+ ip saddr ${wgGuestsSubnet} ip daddr ${wgSubnet} drop
+ ip saddr ${wgSubnet} ip daddr ${wgGuestsSubnet} drop
+ ip saddr ${wgGuestsSubnet} ip daddr ${wgFriendsSubnet} drop
+ ip saddr ${wgFriendsSubnet} ip daddr ${wgGuestsSubnet} drop
+ '';
+ extraCommands = ''
+ iptables -t nat -A PREROUTING -p tcp --dport ${giteaSshPort} -j DNAT --to-destination ${homeServer}:${giteaSshPort}
+ iptables -t nat -A POSTROUTING -d ${homeServer}/32 -p tcp --dport ${giteaSshPort} -j MASQUERADE
+ iptables -t nat -A POSTROUTING -s ${wgFriendsSubnet} -o ${externalInterface} -j MASQUERADE
+ iptables -t nat -A POSTROUTING -s ${wgGuestsSubnet} -o ${externalInterface} -j MASQUERADE
+ '';
+ extraStopCommands = ''
+ iptables -t nat -D PREROUTING -p tcp --dport ${giteaSshPort} -j DNAT --to-destination ${homeServer}:${giteaSshPort} || true
+ iptables -t nat -D POSTROUTING -d ${homeServer}/32 -p tcp --dport ${giteaSshPort} -j MASQUERADE || true
+ iptables -t nat -D POSTROUTING -s ${wgFriendsSubnet} -o ${externalInterface} -j MASQUERADE || true
+ iptables -t nat -D POSTROUTING -s ${wgGuestsSubnet} -o ${externalInterface} -j MASQUERADE || true
+ '';
+ };
 security.sudo-rs.extraRules = [
 {
 users = [ "nixremote" ];
@@ -121,5 +126,4 @@ in
 };
 };
 };
- environment.systemPackages = [ ];
 }
diff --git a/modules/modules.nix b/modules/modules.nix
index c1318fa..7fc4f5e 100644
--- a/modules/modules.nix
+++ b/modules/modules.nix
@@ -50,10 +50,13 @@ in
 miniserver = "192.168.1.100";
 workstation = "192.168.100.18";
 vps = "45.33.0.228";
+ wg-s = "10.77.0.0";
 wg-vps = "10.77.0.1";
 wg-server = "10.77.0.2";
- wg-g1 = "10.9.0.2";
 wg-gs = "10.9.0.0";
+ wg-g0 = "10.9.0.1";
+ wg-g1 = "10.9.0.2";
+ wg-friend0 = "10.8.0.1";
 wg-friend1 = "10.8.0.2";
 wg-friend2 = "10.8.0.3";
 wg-friend3 = "10.8.0.4";
diff --git a/modules/services/wireguard.nix b/modules/services/wireguard.nix
index 9595e21..ee6a686 100644
--- a/modules/services/wireguard.nix
+++ b/modules/services/wireguard.nix
@@ -5,7 +5,6 @@
 }:
 let
 port = 51820;
- interface = config.my.interfaces.${config.networking.hostName};
 in
 {
 options.my.services.wireguard.enable = lib.mkEnableOption "WireGuard VPN configuration";
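Review bot: The rewritten `extraForwardRules` drops the `ct state established,related accept` that headed the old block and nothing in the new rules replaces it, while every accept is still one-way (friends/guests → homeServer on a dport, homeServer → friends only for syncthing and echo-reply), so return traffic for Synapse, syncplay, stash and the DNATed SSH session is forwarded only if the NixOS forward chain accepts conntrack state on its own, which I cannot confirm from this diff. Restoring `ct state established,related accept` as the first line of `extraForwardRules` is the safe choice. The MASQUERADE rules for `${wgFriendsSubnet}` and `${wgGuestsSubnet}` out `${externalInterface}` no longer have a matching forward accept (the old `oifname "${externalInterface}" accept` lines were removed), so friend and guest internet egress is either blocked before it reaches NAT or meant to be, and a comment on those two rules should say which. The port-22 DNAT in `extraCommands` is unscoped, so SSH aimed at the VPS's own WireGuard or friend/guest gateway addresses is also redirected to homeServer; adding `-i ${externalInterface}` to both the `-A` and the matching `-D` rule limits it to the public side. The MASQUERADE on that forwarded SSH also makes every Gitea SSH client appear to homeServer as the VPS, which defeats source-based logging or fail2ban there and deserves a comment such as `# homeServer sees the VPS as the client; real source IPs exist only in the VPS conntrack table`.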
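Review bot: The `ips` attrset now mixes network addresses that are only meaningful with a prefix appended at the use site (`wg-s`, `wg-gs`, and presumably `wg-friends`, which configuration.nix references but this hunk does not show) with host addresses, and the new name `wg-s` is hard to tell apart from `wg-gs`; a comment above the group such as `# /24 network addresses: wg-s (10.77), wg-friends (10.8), wg-gs (10.9); the VPS holds .1 in each` would make the convention explicit. `wg-g0` and `wg-friend0` are the VPS's own addresses in the guest and friend networks (wireguard.nix assigns them to wg0), so commenting them as gateway addresses, e.g. `wg-friend0 = "10.8.0.1"; # VPS address on the friends network, not a peer`, keeps them from being handed out to a peer later.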
@@ -13,16 +12,11 @@ in
 sops.secrets."vps/server/private".sopsFile = ../../secrets/wireguard.yaml;
 networking = {
 firewall.allowedUDPPorts = [ port ];
- nat = {
- enable = true;
- externalInterface = interface;
- internalInterfaces = [ "wg0" ];
- };
 wireguard.interfaces.wg0 = {
 ips = [
 "${config.my.ips.wg-vps}/24"
- "10.8.0.1/24"
- "10.9.0.1/24"
+ "${config.my.ips.wg-friend0}/24"
+ "${config.my.ips.wg-g0}/24"
 ];
 listenPort = port;
 postSetup = "";
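Review bot: Removing the `networking.nat` block also removes the IPv4 forwarding sysctl that module turns on as a side effect (I believe nat.nix sets `net.ipv4.conf.all.forwarding`), and nothing in this diff re-enables it, so the forward and DNAT rules in hosts/vps/configuration.nix keep working only if forwarding is set somewhere outside this patch. If it is not, add `boot.kernel.sysctl."net.ipv4.conf.all.forwarding" = true;` next to the wg0 definition with a comment noting that the VPS routes between wg0, homeServer and the internet. The enclosing `networking = {` attribute set continues past the end of the hunk.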