format document

subnet parameters
2026-02-06 07:26:26 -06:00 · 2026-02-06 07:16:22 -06:00
4 changed files with 81 additions and 56 deletions
--- a/hosts/server/configuration.nix
+++ b/hosts/server/configuration.nix
@@ -78,8 +78,8 @@ in
          endpoint = "${config.my.ips.vps}:51820";
          allowedIPs = [
            "${config.my.ips.wg-vps}/32"
-            "${config.my.ips.wg-friends}/24" # all friends
-            "${config.my.ips.wg-gs}/24" # all friends
+            config.my.subnets.wg-friends
+            config.my.subnets.wg-guests
          ];
          persistentKeepalive = 25;
        }
--- a/hosts/vps/configuration.nix
+++ b/hosts/vps/configuration.nix
@@ -7,25 +7,35 @@
 let
  externalInterface = config.my.interfaces.${config.networking.hostName};
  wgInterface = "wg0";
+  ips = {
    homeServer = config.my.ips.wg-server;
-  wgFriendsSubnet = "${config.my.ips.wg-friends}/24";
-  wgGuestsSubnet = "${config.my.ips.wg-gs}/24";
-  wgServerSubnet = "${config.my.ips.wg-vps}/24";
    wgFriend1 = config.my.ips.wg-friend1;
-  wgGuest1 = config.my.ips.wg-g1;
-  giteaSshPort = 22;
-  giteaSshPortStr = toString giteaSshPort;
-  sshPort = 3456;
-  webPorts = [
+    wgGuest1 = config.my.ips.wg-guest1;
+  };
+  subnets = {
+    wgFriends = config.my.subnets.wg-friends;
+    wgGuests = config.my.subnets.wg-guests;
+    wgHomelab = config.my.subnets.wg-homelab;
+  };
+  ports = {
+    giteaSsh = 22;
+    ssh = 3456;
+    web = [
      80
      443
    ];
-  wgPort = 51820;
-  syncthingPort = toString 22000;
-  synapseFederationPort = toString 8448;
-  synapseClientPort = toString config.my.servers.synapse.port;
-  syncplayPort = toString config.my.servers.syncplay.port;
-  stashPort = toString config.my.servers.stash.port;
+    wg = 51820;
+    syncthing = 22000;
+    synapseFederation = 8448;
+  };
+  portsStr = {
+    giteaSsh = toString ports.giteaSsh;
+    syncthing = toString ports.syncthing;
+    synapseFederation = toString ports.synapseFederation;
+    synapseClient = toString config.my.servers.synapse.port;
+    syncplay = toString config.my.servers.syncplay.port;
+    stash = toString config.my.servers.stash.port;
+  };
 in
 {
  imports = [
@@ -43,8 +53,12 @@ in
      ];
    };
  };
+  sops.age = {
+    generateKey = true;
+    keyFile = "/var/lib/sops-nix/key.txt";
+    sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+  };
  image.modules.linode = { };
-  services.smartd.enable = lib.mkForce false;
  environment.systemPackages = [ ];
  networking = {
    hostName = "vps";
@@ -54,9 +68,9 @@ in
      internalInterfaces = [ "wg0" ];
      forwardPorts = [
        {
-          sourcePort = giteaSshPort;
+          sourcePort = ports.giteaSsh;
          proto = "tcp";
-          destination = "${homeServer}:${giteaSshPortStr}";
+          destination = "${ips.homeServer}:${portsStr.giteaSsh}";
        }
      ];
    };
@@ -67,7 +81,7 @@ in
        content = ''
          chain postrouting {
            type nat hook postrouting priority srcnat;
-            iifname "${externalInterface}" oifname "${wgInterface}" ip daddr ${homeServer}/32 tcp dport ${giteaSshPortStr} masquerade comment "snat ssh forward"
+            iifname "${externalInterface}" oifname "${wgInterface}" ip daddr ${ips.homeServer}/32 tcp dport ${portsStr.giteaSsh} masquerade comment "snat ssh forward"
          }
        '';
      };
@@ -76,28 +90,28 @@ in
      enable = true;
      filterForward = true;
      checkReversePath = "loose";
-      allowedTCPPorts = [ sshPort ] ++ webPorts;
-      allowedUDPPorts = [ wgPort ];
+      allowedTCPPorts = [ ports.ssh ] ++ ports.web;
+      allowedUDPPorts = [ ports.wg ];
      extraForwardRules = ''
-        iifname "${wgInterface}" ip saddr ${wgFriendsSubnet} ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept
-        iifname "${wgInterface}" ip saddr ${homeServer}/32 ip daddr ${wgFriendsSubnet} tcp dport ${syncthingPort} accept
+        iifname "${wgInterface}" ip saddr ${subnets.wgFriends} ip daddr ${ips.homeServer}/32 tcp dport ${portsStr.syncthing} accept
+        iifname "${wgInterface}" ip saddr ${ips.homeServer}/32 ip daddr ${subnets.wgFriends} tcp dport ${portsStr.syncthing} accept

-        iifname "${wgInterface}" ip saddr ${wgFriendsSubnet} ip daddr ${homeServer}/32 tcp dport { ${synapseClientPort}, ${synapseFederationPort}, ${syncplayPort} } accept
+        iifname "${wgInterface}" ip saddr ${subnets.wgFriends} ip daddr ${ips.homeServer}/32 tcp dport { ${portsStr.synapseClient}, ${portsStr.synapseFederation}, ${portsStr.syncplay} } accept

-        iifname "${wgInterface}" ip saddr ${wgFriendsSubnet} ip daddr ${homeServer}/32 icmp type echo-request accept
-        iifname "${wgInterface}" ip saddr ${wgFriend1}/32 ip daddr ${homeServer}/32 tcp dport ${stashPort} accept
-        iifname "${wgInterface}" ip saddr ${wgGuest1}/32 ip daddr ${homeServer}/32 tcp dport ${stashPort} accept
-        iifname "${wgInterface}" ip saddr ${wgGuestsSubnet} ip daddr ${homeServer}/32 icmp type echo-request accept
+        iifname "${wgInterface}" ip saddr ${subnets.wgFriends} ip daddr ${ips.homeServer}/32 icmp type echo-request accept
+        iifname "${wgInterface}" ip saddr ${ips.wgFriend1}/32 ip daddr ${ips.homeServer}/32 tcp dport ${portsStr.stash} accept
+        iifname "${wgInterface}" ip saddr ${ips.wgGuest1}/32 ip daddr ${ips.homeServer}/32 tcp dport ${portsStr.stash} accept
+        iifname "${wgInterface}" ip saddr ${subnets.wgGuests} ip daddr ${ips.homeServer}/32 icmp type echo-request accept

-        iifname "${wgInterface}" ip saddr ${wgFriendsSubnet} oifname "${externalInterface}" accept
-        iifname "${wgInterface}" ip saddr ${wgGuestsSubnet} oifname "${externalInterface}" accept
+        iifname "${wgInterface}" ip saddr ${subnets.wgFriends} oifname "${externalInterface}" accept
+        iifname "${wgInterface}" ip saddr ${subnets.wgGuests} oifname "${externalInterface}" accept

-        ip saddr ${wgFriendsSubnet} ip daddr ${wgServerSubnet} drop
-        ip saddr ${wgServerSubnet} ip daddr ${wgFriendsSubnet} drop
-        ip saddr ${wgGuestsSubnet} ip daddr ${wgServerSubnet} drop
-        ip saddr ${wgServerSubnet} ip daddr ${wgGuestsSubnet} drop
-        ip saddr ${wgGuestsSubnet} ip daddr ${wgFriendsSubnet} drop
-        ip saddr ${wgFriendsSubnet} ip daddr ${wgGuestsSubnet} drop
+        ip saddr ${subnets.wgFriends} ip daddr ${subnets.wgHomelab} drop
+        ip saddr ${subnets.wgHomelab} ip daddr ${subnets.wgFriends} drop
+        ip saddr ${subnets.wgGuests} ip daddr ${subnets.wgHomelab} drop
+        ip saddr ${subnets.wgHomelab} ip daddr ${subnets.wgGuests} drop
+        ip saddr ${subnets.wgGuests} ip daddr ${subnets.wgFriends} drop
+        ip saddr ${subnets.wgFriends} ip daddr ${subnets.wgGuests} drop
      '';
    };
  };
@@ -112,11 +126,9 @@ in
      ];
    }
  ];
-  services.openssh.ports = [ sshPort ];
-  sops.age = {
-    generateKey = true;
-    keyFile = "/var/lib/sops-nix/key.txt";
-    sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+  services = {
+    smartd.enable = lib.mkForce false;
+    openssh.ports = [ ports.ssh ];
  };
  users = {
    groups = {
--- a/modules/modules.nix
+++ b/modules/modules.nix
@@ -50,14 +50,9 @@ in
        miniserver = "192.168.1.100";
        workstation = "192.168.100.18";
        vps = "45.33.0.228";
-        wg-s = "10.77.0.0";
        wg-vps = "10.77.0.1";
        wg-server = "10.77.0.2";
-        wg-gs = "10.9.0.0";
-        wg-g0 = "10.9.0.1";
-        wg-g1 = "10.9.0.2";
-        wg-friends = "10.8.0.0";
-        wg-friend0 = "10.8.0.1";
+        wg-guest1 = "10.9.0.2";
        wg-friend1 = "10.8.0.2";
        wg-friend2 = "10.8.0.3";
        wg-friend3 = "10.8.0.4";
@@ -65,6 +60,24 @@ in
      };
      description = "Set of IP's for all my computers.";
    };
+    subnets = lib.mkOption {
+      type = lib.types.attrsOf lib.types.str;
+      default = {
+        wg-homelab = "10.77.0.0/24";
+        wg-friends = "10.8.0.0/24";
+        wg-guests = "10.9.0.0/24";
+      };
+      description = "Set of subnets for WireGuard networks.";
+    };
+    wgInterfaces = lib.mkOption {
+      type = lib.types.attrsOf lib.types.str;
+      default = {
+        wg-homelab = "10.77.0.1/24";
+        wg-friends = "10.8.0.1/24";
+        wg-guests = "10.9.0.1/24";
+      };
+      description = "WireGuard interface IPs for the VPS.";
+    };
    interfaces = lib.mkOption {
      type = lib.types.attrsOf lib.types.str;
      default = {
--- a/modules/services/wireguard.nix
+++ b/modules/services/wireguard.nix
@@ -14,9 +14,9 @@ in
      firewall.allowedUDPPorts = [ port ];
      wireguard.interfaces.wg0 = {
        ips = [
-          "${config.my.ips.wg-vps}/24"
-          "${config.my.ips.wg-friend0}/24"
-          "${config.my.ips.wg-g0}/24"
+          config.my.wgInterfaces.wg-homelab
+          config.my.wgInterfaces.wg-friends
+          config.my.wgInterfaces.wg-guests
        ];
        listenPort = port;
        postSetup = "";
Author	SHA1	Message	Date
Danilo Reyes	229b989902	format document	2026-02-06 07:26:26 -06:00
Danilo Reyes	00a43a5a48	subnet parameters	2026-02-06 07:16:22 -06:00