jawz/NixOS
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: jawz:788ea5ad26f49a91bd47b869b1d57ba4f15a802a
Branches Tags
jawz:main jawz:keycloak
jawz:weekly-2026-02-06 jawz:weekly-2026-02-02 jawz:weekly-2026-01-30 jawz:weekly-2026-01-26 jawz:weekly-2026-01-24 jawz:weekly-2026-01-19 jawz:weekly-2026-01-16 jawz:weekly-2026-01-10 jawz:weekly-2026-01-05 jawz:weekly-2026-01-02 jawz:weekly-2025-12-29 jawz:weekly-2025-12-15 jawz:weekly-2025-12-08 jawz:weekly-2025-12-05 jawz:weekly-2025-12-01 jawz:weekly-2025-11-28
...
compare: jawz:229b989902a7f18d6590cfa7ea9af4d4243f3da9
Branches Tags
jawz:main jawz:keycloak
jawz:weekly-2026-02-06 jawz:weekly-2026-02-02 jawz:weekly-2026-01-30 jawz:weekly-2026-01-26 jawz:weekly-2026-01-24 jawz:weekly-2026-01-19 jawz:weekly-2026-01-16 jawz:weekly-2026-01-10 jawz:weekly-2026-01-05 jawz:weekly-2026-01-02 jawz:weekly-2025-12-29 jawz:weekly-2025-12-15 jawz:weekly-2025-12-08 jawz:weekly-2025-12-05 jawz:weekly-2025-12-01 jawz:weekly-2025-11-28

2 Commits
788ea5ad26 ... 229b989902

Author SHA1 Message Date
Danilo Reyes
229b989902 format document 2026-02-06 07:26:26 -06:00
Danilo Reyes
00a43a5a48 subnet parameters 2026-02-06 07:16:22 -06:00
4 changed files with 81 additions and 56 deletions
Expand all files Collapse all files

4
hosts/server/configuration.nix
View File

@@ -78,8 +78,8 @@ in
endpoint = "${config.my.ips.vps}:51820"; endpoint = "${config.my.ips.vps}:51820";
allowedIPs = [ allowedIPs = [
"${config.my.ips.wg-vps}/32" "${config.my.ips.wg-vps}/32"
"${config.my.ips.wg-friends}/24" # all friends config.my.subnets.wg-friends
"${config.my.ips.wg-gs}/24" # all friends config.my.subnets.wg-guests
]; ];
persistentKeepalive = 25; persistentKeepalive = 25;
} }

92
hosts/vps/configuration.nix
View File

@@ -7,25 +7,35 @@
let let
externalInterface = config.my.interfaces.${config.networking.hostName}; externalInterface = config.my.interfaces.${config.networking.hostName};
wgInterface = "wg0"; wgInterface = "wg0";
ips = {
homeServer = config.my.ips.wg-server; homeServer = config.my.ips.wg-server;
wgFriendsSubnet = "${config.my.ips.wg-friends}/24";
wgGuestsSubnet = "${config.my.ips.wg-gs}/24";
wgServerSubnet = "${config.my.ips.wg-vps}/24";
wgFriend1 = config.my.ips.wg-friend1; wgFriend1 = config.my.ips.wg-friend1;
wgGuest1 = config.my.ips.wg-g1; wgGuest1 = config.my.ips.wg-guest1;
giteaSshPort = 22; };
giteaSshPortStr = toString giteaSshPort; subnets = {
sshPort = 3456; wgFriends = config.my.subnets.wg-friends;
webPorts = [ wgGuests = config.my.subnets.wg-guests;
wgHomelab = config.my.subnets.wg-homelab;
};
ports = {
giteaSsh = 22;
ssh = 3456;
web = [
80 80
443 443
]; ];
wgPort = 51820; wg = 51820;
syncthingPort = toString 22000; syncthing = 22000;
synapseFederationPort = toString 8448; synapseFederation = 8448;
synapseClientPort = toString config.my.servers.synapse.port; };
syncplayPort = toString config.my.servers.syncplay.port; portsStr = {
stashPort = toString config.my.servers.stash.port; giteaSsh = toString ports.giteaSsh;
syncthing = toString ports.syncthing;
synapseFederation = toString ports.synapseFederation;
synapseClient = toString config.my.servers.synapse.port;
syncplay = toString config.my.servers.syncplay.port;
stash = toString config.my.servers.stash.port;
};
in in
{ {
imports = [ imports = [
@@ -43,8 +53,12 @@ in
]; ];
}; };
}; };
sops.age = {
generateKey = true;
keyFile = "/var/lib/sops-nix/key.txt";
sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
};
image.modules.linode = { }; image.modules.linode = { };
services.smartd.enable = lib.mkForce false;
environment.systemPackages = [ ]; environment.systemPackages = [ ];
networking = { networking = {
hostName = "vps"; hostName = "vps";
@@ -54,9 +68,9 @@ in
internalInterfaces = [ "wg0" ]; internalInterfaces = [ "wg0" ];
forwardPorts = [ forwardPorts = [
{ {
sourcePort = giteaSshPort; sourcePort = ports.giteaSsh;
proto = "tcp"; proto = "tcp";
destination = "${homeServer}:${giteaSshPortStr}"; destination = "${ips.homeServer}:${portsStr.giteaSsh}";
} }
]; ];
}; };
@@ -67,7 +81,7 @@ in
content = '' content = ''
chain postrouting { chain postrouting {
type nat hook postrouting priority srcnat; type nat hook postrouting priority srcnat;
iifname "${externalInterface}" oifname "${wgInterface}" ip daddr ${homeServer}/32 tcp dport ${giteaSshPortStr} masquerade comment "snat ssh forward" iifname "${externalInterface}" oifname "${wgInterface}" ip daddr ${ips.homeServer}/32 tcp dport ${portsStr.giteaSsh} masquerade comment "snat ssh forward"
} }
''; '';
}; };
@@ -76,28 +90,28 @@ in
enable = true; enable = true;
filterForward = true; filterForward = true;
checkReversePath = "loose"; checkReversePath = "loose";
allowedTCPPorts = [ sshPort ] ++ webPorts; allowedTCPPorts = [ ports.ssh ] ++ ports.web;
allowedUDPPorts = [ wgPort ]; allowedUDPPorts = [ ports.wg ];
extraForwardRules = '' extraForwardRules = ''
iifname "${wgInterface}" ip saddr ${wgFriendsSubnet} ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept iifname "${wgInterface}" ip saddr ${subnets.wgFriends} ip daddr ${ips.homeServer}/32 tcp dport ${portsStr.syncthing} accept
iifname "${wgInterface}" ip saddr ${homeServer}/32 ip daddr ${wgFriendsSubnet} tcp dport ${syncthingPort} accept iifname "${wgInterface}" ip saddr ${ips.homeServer}/32 ip daddr ${subnets.wgFriends} tcp dport ${portsStr.syncthing} accept
iifname "${wgInterface}" ip saddr ${wgFriendsSubnet} ip daddr ${homeServer}/32 tcp dport { ${synapseClientPort}, ${synapseFederationPort}, ${syncplayPort} } accept iifname "${wgInterface}" ip saddr ${subnets.wgFriends} ip daddr ${ips.homeServer}/32 tcp dport { ${portsStr.synapseClient}, ${portsStr.synapseFederation}, ${portsStr.syncplay} } accept
iifname "${wgInterface}" ip saddr ${wgFriendsSubnet} ip daddr ${homeServer}/32 icmp type echo-request accept iifname "${wgInterface}" ip saddr ${subnets.wgFriends} ip daddr ${ips.homeServer}/32 icmp type echo-request accept
iifname "${wgInterface}" ip saddr ${wgFriend1}/32 ip daddr ${homeServer}/32 tcp dport ${stashPort} accept iifname "${wgInterface}" ip saddr ${ips.wgFriend1}/32 ip daddr ${ips.homeServer}/32 tcp dport ${portsStr.stash} accept
iifname "${wgInterface}" ip saddr ${wgGuest1}/32 ip daddr ${homeServer}/32 tcp dport ${stashPort} accept iifname "${wgInterface}" ip saddr ${ips.wgGuest1}/32 ip daddr ${ips.homeServer}/32 tcp dport ${portsStr.stash} accept
iifname "${wgInterface}" ip saddr ${wgGuestsSubnet} ip daddr ${homeServer}/32 icmp type echo-request accept iifname "${wgInterface}" ip saddr ${subnets.wgGuests} ip daddr ${ips.homeServer}/32 icmp type echo-request accept
iifname "${wgInterface}" ip saddr ${wgFriendsSubnet} oifname "${externalInterface}" accept iifname "${wgInterface}" ip saddr ${subnets.wgFriends} oifname "${externalInterface}" accept
iifname "${wgInterface}" ip saddr ${wgGuestsSubnet} oifname "${externalInterface}" accept iifname "${wgInterface}" ip saddr ${subnets.wgGuests} oifname "${externalInterface}" accept
ip saddr ${wgFriendsSubnet} ip daddr ${wgServerSubnet} drop ip saddr ${subnets.wgFriends} ip daddr ${subnets.wgHomelab} drop
ip saddr ${wgServerSubnet} ip daddr ${wgFriendsSubnet} drop ip saddr ${subnets.wgHomelab} ip daddr ${subnets.wgFriends} drop
ip saddr ${wgGuestsSubnet} ip daddr ${wgServerSubnet} drop ip saddr ${subnets.wgGuests} ip daddr ${subnets.wgHomelab} drop
ip saddr ${wgServerSubnet} ip daddr ${wgGuestsSubnet} drop ip saddr ${subnets.wgHomelab} ip daddr ${subnets.wgGuests} drop
ip saddr ${wgGuestsSubnet} ip daddr ${wgFriendsSubnet} drop ip saddr ${subnets.wgGuests} ip daddr ${subnets.wgFriends} drop
ip saddr ${wgFriendsSubnet} ip daddr ${wgGuestsSubnet} drop ip saddr ${subnets.wgFriends} ip daddr ${subnets.wgGuests} drop
''; '';
}; };
}; };
@@ -112,11 +126,9 @@ in
]; ];
} }
]; ];
services.openssh.ports = [ sshPort ]; services = {
sops.age = { smartd.enable = lib.mkForce false;
generateKey = true; openssh.ports = [ ports.ssh ];
keyFile = "/var/lib/sops-nix/key.txt";
sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
}; };
users = { users = {
groups = { groups = {

25
modules/modules.nix
View File

@@ -50,14 +50,9 @@ in
miniserver = "192.168.1.100"; miniserver = "192.168.1.100";
workstation = "192.168.100.18"; workstation = "192.168.100.18";
vps = "45.33.0.228"; vps = "45.33.0.228";
wg-s = "10.77.0.0";
wg-vps = "10.77.0.1"; wg-vps = "10.77.0.1";
wg-server = "10.77.0.2"; wg-server = "10.77.0.2";
wg-gs = "10.9.0.0"; wg-guest1 = "10.9.0.2";
wg-g0 = "10.9.0.1";
wg-g1 = "10.9.0.2";
wg-friends = "10.8.0.0";
wg-friend0 = "10.8.0.1";
wg-friend1 = "10.8.0.2"; wg-friend1 = "10.8.0.2";
wg-friend2 = "10.8.0.3"; wg-friend2 = "10.8.0.3";
wg-friend3 = "10.8.0.4"; wg-friend3 = "10.8.0.4";
@@ -65,6 +60,24 @@ in
}; };
description = "Set of IP's for all my computers."; description = "Set of IP's for all my computers.";
}; };
subnets = lib.mkOption {
type = lib.types.attrsOf lib.types.str;
default = {
wg-homelab = "10.77.0.0/24";
wg-friends = "10.8.0.0/24";
wg-guests = "10.9.0.0/24";
};
description = "Set of subnets for WireGuard networks.";
};
wgInterfaces = lib.mkOption {
type = lib.types.attrsOf lib.types.str;
default = {
wg-homelab = "10.77.0.1/24";
wg-friends = "10.8.0.1/24";
wg-guests = "10.9.0.1/24";
};
description = "WireGuard interface IPs for the VPS.";
};
interfaces = lib.mkOption { interfaces = lib.mkOption {
type = lib.types.attrsOf lib.types.str; type = lib.types.attrsOf lib.types.str;
default = { default = {

6
modules/services/wireguard.nix
View File

@@ -14,9 +14,9 @@ in
firewall.allowedUDPPorts = [ port ]; firewall.allowedUDPPorts = [ port ];
wireguard.interfaces.wg0 = { wireguard.interfaces.wg0 = {
ips = [ ips = [
"${config.my.ips.wg-vps}/24" config.my.wgInterfaces.wg-homelab
"${config.my.ips.wg-friend0}/24" config.my.wgInterfaces.wg-friends
"${config.my.ips.wg-g0}/24" config.my.wgInterfaces.wg-guests
]; ];
listenPort = port; listenPort = port;
postSetup = ""; postSetup = "";