diff --git a/hosts/vps/configuration.nix b/hosts/vps/configuration.nix
index 8d807da..52065c9 100644
--- a/hosts/vps/configuration.nix
+++ b/hosts/vps/configuration.nix
@@ -6,16 +6,24 @@
 }:
 let
 externalInterface = config.my.interfaces.${config.networking.hostName};
+ wgInterface = "wg0";
 homeServer = config.my.ips.wg-server;
 wgFriendsSubnet = "${config.my.ips.wg-friends}/24";
 wgGuestsSubnet = "${config.my.ips.wg-gs}/24";
- wgServerSubnet = "10.77.0.0/24";
+ wgServerSubnet = "${config.my.ips.wg-vps}/24";
 wgFriend1 = config.my.ips.wg-friend1;
 wgFriend2 = config.my.ips.wg-friend2;
 wgFriend3 = config.my.ips.wg-friend3;
 wgFriend4 = config.my.ips.wg-friend4;
+ wgGuest1 = config.my.ips.wg-g1;
 giteaSshPort = 22;
 giteaSshPortStr = toString giteaSshPort;
+ sshPort = 3456;
+ webPorts = [
+ 80
+ 443
+ ];
+ wgPort = 51820;
 syncthingPort = toString 22000;
 synapseFederationPort = toString 8448;
 synapseClientPort = toString config.my.servers.synapse.port;
@@ -41,36 +49,36 @@ in image.modules.linode = { }; networking.hostName = "vps"; services.smartd.enable = lib.mkForce false; + boot.kernel.sysctl."net.ipv4.ip_forward" = 1; environment.systemPackages = [ ]; networking.nftables.enable = true; networking.firewall = { enable = true; filterForward = true; checkReversePath = "loose"; - allowedTCPPorts = [ - 80 - 443 - 3456 - ]; - allowedUDPPorts = [ 51820 ]; + allowedTCPPorts = [ sshPort ] ++ webPorts; + allowedUDPPorts = [ wgPort ]; extraForwardRules = '' - iifname "wg0" ip saddr ${wgFriend1}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept - iifname "wg0" ip saddr ${wgFriend2}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept - iifname "wg0" ip saddr ${wgFriend3}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept - iifname "wg0" ip saddr ${wgFriend4}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept - iifname "wg0" ip saddr ${homeServer}/32 ip daddr ${wgFriend1}/32 tcp dport ${syncthingPort} accept - iifname "wg0" ip saddr ${homeServer}/32 ip daddr ${wgFriend2}/32 tcp dport ${syncthingPort} accept - iifname "wg0" ip saddr ${homeServer}/32 ip daddr ${wgFriend3}/32 tcp dport ${syncthingPort} accept - iifname "wg0" ip saddr ${homeServer}/32 ip daddr ${wgFriend4}/32 tcp dport ${syncthingPort} accept + iifname "${wgInterface}" ip saddr ${wgFriend1}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept + iifname "${wgInterface}" ip saddr ${wgFriend2}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept + iifname "${wgInterface}" ip saddr ${wgFriend3}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept + iifname "${wgInterface}" ip saddr ${wgFriend4}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept + iifname "${wgInterface}" ip saddr ${homeServer}/32 ip daddr ${wgFriend1}/32 tcp dport ${syncthingPort} accept + iifname "${wgInterface}" ip saddr ${homeServer}/32 ip daddr ${wgFriend2}/32 tcp dport ${syncthingPort} accept + iifname 
"${wgInterface}" ip saddr ${homeServer}/32 ip daddr ${wgFriend3}/32 tcp dport ${syncthingPort} accept + iifname "${wgInterface}" ip saddr ${homeServer}/32 ip daddr ${wgFriend4}/32 tcp dport ${syncthingPort} accept - iifname "wg0" ip saddr ${wgFriendsSubnet} ip daddr ${homeServer}/32 tcp dport { ${synapseClientPort}, ${synapseFederationPort}, ${syncplayPort} } accept + iifname "${wgInterface}" ip saddr ${wgFriendsSubnet} ip daddr ${homeServer}/32 tcp dport { ${synapseClientPort}, ${synapseFederationPort}, ${syncplayPort} } accept - iifname "wg0" ip saddr ${wgFriendsSubnet} ip daddr ${homeServer}/32 icmp type echo-request accept - iifname "wg0" ip saddr ${wgGuestsSubnet} ip daddr ${homeServer}/32 tcp dport ${stashPort} accept - iifname "wg0" ip saddr ${wgGuestsSubnet} ip daddr ${homeServer}/32 icmp type echo-request accept + iifname "${wgInterface}" ip saddr ${wgFriendsSubnet} ip daddr ${homeServer}/32 icmp type echo-request accept + iifname "${wgInterface}" ip saddr ${wgFriend1}/32 ip daddr ${homeServer}/32 tcp dport ${stashPort} accept + iifname "${wgInterface}" ip saddr ${wgGuest1}/32 ip daddr ${homeServer}/32 tcp dport ${stashPort} accept + iifname "${wgInterface}" ip saddr ${wgGuestsSubnet} ip daddr ${homeServer}/32 icmp type echo-request accept - iifname "wg0" ip saddr ${wgFriendsSubnet} oifname "${externalInterface}" accept - iifname "wg0" ip saddr ${wgGuestsSubnet} oifname "${externalInterface}" accept + iifname "${wgInterface}" ip saddr ${wgFriendsSubnet} oifname "${externalInterface}" accept + iifname "${wgInterface}" ip saddr ${wgGuestsSubnet} oifname "${externalInterface}" accept + + iifname "${externalInterface}" ip daddr ${homeServer}/32 tcp dport ${giteaSshPortStr} accept ip saddr ${wgFriendsSubnet} ip daddr ${wgServerSubnet} drop ip saddr ${wgServerSubnet} ip daddr ${wgFriendsSubnet} drop 
@@ -103,7 +111,7 @@ in
 ];
 }
 ];
- services.openssh.ports = [ 3456 ];
+ services.openssh.ports = [ sshPort ];
 sops.age = {
 generateKey = true;
 keyFile = "/var/lib/sops-nix/key.txt";
diff --git a/hosts/vps/hardware-configuration.nix b/hosts/vps/hardware-configuration.nix
index f18071b..e26f82b 100644
--- a/hosts/vps/hardware-configuration.nix
+++ b/hosts/vps/hardware-configuration.nix
@@ -9,7 +9,10 @@
 kernelModules = [ ];
 extraModulePackages = [ ];
 kernelParams = [ "console=ttyS0,19200n8" ];
- kernel.sysctl."net.ipv4.conf.wg0.rp_filter" = 0;
+ kernel.sysctl = {
+ "net.ipv4.ip_forward" = 1;
+ "net.ipv4.conf.wg0.rp_filter" = 0;
+ };
 initrd.availableKernelModules = [
 "virtio_pci"
 "virtio_scsi"
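Review bot: `"net.ipv4.ip_forward" = 1` is now defined twice by the same commit — here in hardware-configuration.nix and as `boot.kernel.sysctl."net.ipv4.ip_forward" = 1;` in configuration.nix — which is at best redundant and at worst leaves the next reader unsure where packet forwarding for the VPS is actually switched on. I would keep the single definition in configuration.nix, next to the `networking.firewall` forward rules that depend on it, and leave this file with the one-line form `kernel.sysctl."net.ipv4.conf.wg0.rp_filter" = 0;` it had before. If this file is ever regenerated with nixos-generate-config, hand-added policy settings here are likely to be lost, which is another reason to keep them out of it. The remaining rp_filter line deserves a why-comment as well, e.g. `# rp_filter off on wg0; the firewall uses checkReversePath = "loose" for the same tunnel`. The enclosing `boot` attribute set starts and ends outside the hunk.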