jawz/NixOS
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: jawz:c09268891e43efa2efce657babf0c914f16ba8fe
Branches Tags
jawz:main jawz:keycloak
jawz:weekly-2026-02-06 jawz:weekly-2026-02-02 jawz:weekly-2026-01-30 jawz:weekly-2026-01-26 jawz:weekly-2026-01-24 jawz:weekly-2026-01-19 jawz:weekly-2026-01-16 jawz:weekly-2026-01-10 jawz:weekly-2026-01-05 jawz:weekly-2026-01-02 jawz:weekly-2025-12-29 jawz:weekly-2025-12-15 jawz:weekly-2025-12-08 jawz:weekly-2025-12-05 jawz:weekly-2025-12-01 jawz:weekly-2025-11-28
...
compare: jawz:c50c98e7b2358a82cd82dc30abf317719602f49e
Branches Tags
jawz:main jawz:keycloak
jawz:weekly-2026-02-06 jawz:weekly-2026-02-02 jawz:weekly-2026-01-30 jawz:weekly-2026-01-26 jawz:weekly-2026-01-24 jawz:weekly-2026-01-19 jawz:weekly-2026-01-16 jawz:weekly-2026-01-10 jawz:weekly-2026-01-05 jawz:weekly-2026-01-02 jawz:weekly-2025-12-29 jawz:weekly-2025-12-15 jawz:weekly-2025-12-08 jawz:weekly-2025-12-05 jawz:weekly-2025-12-01 jawz:weekly-2025-11-28

3 Commits
c09268891e ... c50c98e7b2

Author SHA1 Message Date
Danilo Reyes
c50c98e7b2 firewall tweaks 2026-02-05 18:25:45 -06:00
Danilo Reyes
6079e6446c working version firewall 2026-02-05 17:49:11 -06:00
Danilo Reyes
afbffaa203 ip declarations 2026-02-05 17:02:20 -06:00
4 changed files with 85 additions and 72 deletions
Expand all files Collapse all files

137
hosts/vps/configuration.nix
View File

@@ -2,12 +2,33 @@
config, config,
lib, lib,
inputs, inputs,
pkgs,
... ...
}: }:
let let
externalInterface = config.my.interfaces.${config.networking.hostName}; externalInterface = config.my.interfaces.${config.networking.hostName};
wgInterface = "wg0";
homeServer = config.my.ips.wg-server; homeServer = config.my.ips.wg-server;
wgFriendsSubnet = "${config.my.ips.wg-friends}/24";
wgGuestsSubnet = "${config.my.ips.wg-gs}/24";
wgServerSubnet = "${config.my.ips.wg-vps}/24";
wgFriend1 = config.my.ips.wg-friend1;
wgFriend2 = config.my.ips.wg-friend2;
wgFriend3 = config.my.ips.wg-friend3;
wgFriend4 = config.my.ips.wg-friend4;
wgGuest1 = config.my.ips.wg-g1;
giteaSshPort = 22;
giteaSshPortStr = toString giteaSshPort;
sshPort = 3456;
webPorts = [
80
443
];
wgPort = 51820;
syncthingPort = toString 22000;
synapseFederationPort = toString 8448;
synapseClientPort = toString config.my.servers.synapse.port;
syncplayPort = toString config.my.servers.syncplay.port;
stashPort = toString config.my.servers.stash.port;
in in
{ {
imports = [ imports = [
@@ -25,67 +46,60 @@ in
]; ];
}; };
}; };
networking.firewall = {
enable = true;
allowedTCPPorts = [
80
443
3456
];
allowedUDPPorts = [ 51820 ];
extraForwardRules = ''
ct state established,related accept
ip daddr ${homeServer}/32 tcp dport { 22, 51412 } accept
ip daddr ${homeServer}/32 udp dport 51412 accept
ip saddr 10.8.0.2/32 ip daddr ${homeServer}/32 tcp dport 22000 accept
ip saddr 10.8.0.3/32 ip daddr ${homeServer}/32 tcp dport 22000 accept
ip saddr 10.8.0.4/32 ip daddr ${homeServer}/32 tcp dport 22000 accept
ip saddr 10.8.0.5/32 ip daddr ${homeServer}/32 tcp dport 22000 accept
ip saddr ${homeServer}/32 ip daddr 10.8.0.2/32 tcp dport 22000 accept
ip saddr ${homeServer}/32 ip daddr 10.8.0.3/32 tcp dport 22000 accept
ip saddr ${homeServer}/32 ip daddr 10.8.0.4/32 tcp dport 22000 accept
ip saddr ${homeServer}/32 ip daddr 10.8.0.5/32 tcp dport 22000 accept
ip saddr 10.8.0.0/24 ip daddr ${homeServer}/32 tcp dport { 8008, 8448, 8999 } accept
ip saddr 10.8.0.0/24 ip daddr ${homeServer}/32 icmp type echo-request accept
ip saddr ${homeServer}/32 ip daddr 10.8.0.0/24 icmp type echo-reply accept
ip saddr 10.9.0.0/24 ip daddr ${homeServer}/32 tcp dport 9999 accept
ip saddr 10.9.0.0/24 ip daddr ${homeServer}/32 icmp type echo-request accept
ip saddr ${homeServer}/32 ip daddr 10.9.0.0/24 icmp type echo-reply accept
ip saddr 10.8.0.0/24 oifname "${externalInterface}" accept
ip saddr 10.9.0.0/24 oifname "${externalInterface}" accept
ip saddr 10.8.0.0/24 ip daddr 10.77.0.0/24 drop
ip saddr 10.77.0.0/24 ip daddr 10.8.0.0/24 drop
ip saddr 10.9.0.0/24 ip daddr 10.77.0.0/24 drop
ip saddr 10.77.0.0/24 ip daddr 10.9.0.0/24 drop
ip saddr 10.9.0.0/24 ip daddr 10.8.0.0/24 drop
ip saddr 10.8.0.0/24 ip daddr 10.9.0.0/24 drop
'';
extraCommands = ''
iptables -t nat -A PREROUTING -p tcp --dport 22 -j DNAT --to-destination ${homeServer}:22
iptables -t nat -A PREROUTING -p tcp --dport 51412 -j DNAT --to-destination ${homeServer}:51412
iptables -t nat -A PREROUTING -p udp --dport 51412 -j DNAT --to-destination ${homeServer}:51412
iptables -t nat -A POSTROUTING -d ${homeServer}/32 -p tcp --dport 22 -j MASQUERADE
iptables -t nat -A POSTROUTING -d ${homeServer}/32 -p tcp --dport 51412 -j MASQUERADE
iptables -t nat -A POSTROUTING -d ${homeServer}/32 -p udp --dport 51412 -j MASQUERADE
'';
extraStopCommands = ''
iptables -t nat -D PREROUTING -p tcp --dport 22 -j DNAT --to-destination ${homeServer}:22 || true
iptables -t nat -D PREROUTING -p tcp --dport 51412 -j DNAT --to-destination ${homeServer}:51412 || true
iptables -t nat -D PREROUTING -p udp --dport 51412 -j DNAT --to-destination ${homeServer}:51412 || true
iptables -t nat -D POSTROUTING -d ${homeServer}/32 -p tcp --dport 22 -j MASQUERADE || true
iptables -t nat -D POSTROUTING -d ${homeServer}/32 -p tcp --dport 51412 -j MASQUERADE || true
iptables -t nat -D POSTROUTING -d ${homeServer}/32 -p udp --dport 51412 -j MASQUERADE || true
'';
};
image.modules.linode = { }; image.modules.linode = { };
networking.hostName = "vps"; networking.hostName = "vps";
services.smartd.enable = lib.mkForce false;
boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
environment.systemPackages = [ ];
networking.nftables.enable = true;
networking.firewall = {
enable = true;
filterForward = true;
checkReversePath = "loose";
allowedTCPPorts = [ sshPort ] ++ webPorts;
allowedUDPPorts = [ wgPort ];
extraForwardRules = ''
iifname "${wgInterface}" ip saddr ${wgFriend1}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept
iifname "${wgInterface}" ip saddr ${wgFriend2}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept
iifname "${wgInterface}" ip saddr ${wgFriend3}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept
iifname "${wgInterface}" ip saddr ${wgFriend4}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept
iifname "${wgInterface}" ip saddr ${homeServer}/32 ip daddr ${wgFriend1}/32 tcp dport ${syncthingPort} accept
iifname "${wgInterface}" ip saddr ${homeServer}/32 ip daddr ${wgFriend2}/32 tcp dport ${syncthingPort} accept
iifname "${wgInterface}" ip saddr ${homeServer}/32 ip daddr ${wgFriend3}/32 tcp dport ${syncthingPort} accept
iifname "${wgInterface}" ip saddr ${homeServer}/32 ip daddr ${wgFriend4}/32 tcp dport ${syncthingPort} accept
iifname "${wgInterface}" ip saddr ${wgFriendsSubnet} ip daddr ${homeServer}/32 tcp dport { ${synapseClientPort}, ${synapseFederationPort}, ${syncplayPort} } accept
iifname "${wgInterface}" ip saddr ${wgFriendsSubnet} ip daddr ${homeServer}/32 icmp type echo-request accept
iifname "${wgInterface}" ip saddr ${wgFriend1}/32 ip daddr ${homeServer}/32 tcp dport ${stashPort} accept
iifname "${wgInterface}" ip saddr ${wgGuest1}/32 ip daddr ${homeServer}/32 tcp dport ${stashPort} accept
iifname "${wgInterface}" ip saddr ${wgGuestsSubnet} ip daddr ${homeServer}/32 icmp type echo-request accept
iifname "${wgInterface}" ip saddr ${wgFriendsSubnet} oifname "${externalInterface}" accept
iifname "${wgInterface}" ip saddr ${wgGuestsSubnet} oifname "${externalInterface}" accept
iifname "${externalInterface}" ip daddr ${homeServer}/32 tcp dport ${giteaSshPortStr} accept
ip saddr ${wgFriendsSubnet} ip daddr ${wgServerSubnet} drop
ip saddr ${wgServerSubnet} ip daddr ${wgFriendsSubnet} drop
ip saddr ${wgGuestsSubnet} ip daddr ${wgServerSubnet} drop
ip saddr ${wgServerSubnet} ip daddr ${wgGuestsSubnet} drop
ip saddr ${wgGuestsSubnet} ip daddr ${wgFriendsSubnet} drop
ip saddr ${wgFriendsSubnet} ip daddr ${wgGuestsSubnet} drop
'';
};
networking.nat = {
enable = true;
inherit externalInterface;
internalInterfaces = [ "wg0" ];
forwardPorts = [
{
sourcePort = giteaSshPort;
proto = "tcp";
destination = "${homeServer}:${giteaSshPortStr}";
}
];
};
security.sudo-rs.extraRules = [ security.sudo-rs.extraRules = [
{ {
users = [ "nixremote" ]; users = [ "nixremote" ];
@@ -97,7 +111,7 @@ in
]; ];
} }
]; ];
services.openssh.ports = [ 3456 ]; services.openssh.ports = [ sshPort ];
sops.age = { sops.age = {
generateKey = true; generateKey = true;
keyFile = "/var/lib/sops-nix/key.txt"; keyFile = "/var/lib/sops-nix/key.txt";
@@ -121,5 +135,4 @@ in
}; };
}; };
}; };
environment.systemPackages = [ ];
} }

5
hosts/vps/hardware-configuration.nix
View File

@@ -9,7 +9,10 @@
kernelModules = [ ]; kernelModules = [ ];
extraModulePackages = [ ]; extraModulePackages = [ ];
kernelParams = [ "console=ttyS0,19200n8" ]; kernelParams = [ "console=ttyS0,19200n8" ];
kernel.sysctl."net.ipv4.conf.wg0.rp_filter" = 0; kernel.sysctl = {
"net.ipv4.ip_forward" = 1;
"net.ipv4.conf.wg0.rp_filter" = 0;
};
initrd.availableKernelModules = [ initrd.availableKernelModules = [
"virtio_pci" "virtio_pci"
"virtio_scsi" "virtio_scsi"

5
modules/modules.nix
View File

@@ -50,10 +50,13 @@ in
miniserver = "192.168.1.100"; miniserver = "192.168.1.100";
workstation = "192.168.100.18"; workstation = "192.168.100.18";
vps = "45.33.0.228"; vps = "45.33.0.228";
wg-s = "10.77.0.0";
wg-vps = "10.77.0.1"; wg-vps = "10.77.0.1";
wg-server = "10.77.0.2"; wg-server = "10.77.0.2";
wg-g1 = "10.9.0.2";
wg-gs = "10.9.0.0"; wg-gs = "10.9.0.0";
wg-g0 = "10.9.0.1";
wg-g1 = "10.9.0.2";
wg-friend0 = "10.8.0.1";
wg-friend1 = "10.8.0.2"; wg-friend1 = "10.8.0.2";
wg-friend2 = "10.8.0.3"; wg-friend2 = "10.8.0.3";
wg-friend3 = "10.8.0.4"; wg-friend3 = "10.8.0.4";

10
modules/services/wireguard.nix
View File

@@ -5,7 +5,6 @@
}: }:
let let
port = 51820; port = 51820;
interface = config.my.interfaces.${config.networking.hostName};
in in
{ {
options.my.services.wireguard.enable = lib.mkEnableOption "WireGuard VPN configuration"; options.my.services.wireguard.enable = lib.mkEnableOption "WireGuard VPN configuration";
@@ -13,16 +12,11 @@ in
sops.secrets."vps/server/private".sopsFile = ../../secrets/wireguard.yaml; sops.secrets."vps/server/private".sopsFile = ../../secrets/wireguard.yaml;
networking = { networking = {
firewall.allowedUDPPorts = [ port ]; firewall.allowedUDPPorts = [ port ];
nat = {
enable = true;
externalInterface = interface;
internalInterfaces = [ "wg0" ];
};
wireguard.interfaces.wg0 = { wireguard.interfaces.wg0 = {
ips = [ ips = [
"${config.my.ips.wg-vps}/24" "${config.my.ips.wg-vps}/24"
"10.8.0.1/24" "${config.my.ips.wg-friend0}/24"
"10.9.0.1/24" "${config.my.ips.wg-g0}/24"
]; ];
listenPort = port; listenPort = port;
postSetup = ""; postSetup = "";