004-vps-migration #5

Merged
jawz merged 47 commits from 004-vps-migration into main 2026-02-06 09:20:18 -06:00
2 changed files with 34 additions and 23 deletions
Showing only changes of commit c50c98e7b2 - Show all commits


@@ -6,16 +6,24 @@
}: }:
let let
externalInterface = config.my.interfaces.${config.networking.hostName}; externalInterface = config.my.interfaces.${config.networking.hostName};
wgInterface = "wg0";
homeServer = config.my.ips.wg-server; homeServer = config.my.ips.wg-server;
wgFriendsSubnet = "${config.my.ips.wg-friends}/24"; wgFriendsSubnet = "${config.my.ips.wg-friends}/24";
wgGuestsSubnet = "${config.my.ips.wg-gs}/24"; wgGuestsSubnet = "${config.my.ips.wg-gs}/24";
wgServerSubnet = "10.77.0.0/24"; wgServerSubnet = "${config.my.ips.wg-vps}/24";
wgFriend1 = config.my.ips.wg-friend1; wgFriend1 = config.my.ips.wg-friend1;
wgFriend2 = config.my.ips.wg-friend2; wgFriend2 = config.my.ips.wg-friend2;
wgFriend3 = config.my.ips.wg-friend3; wgFriend3 = config.my.ips.wg-friend3;
wgFriend4 = config.my.ips.wg-friend4; wgFriend4 = config.my.ips.wg-friend4;
wgGuest1 = config.my.ips.wg-g1;
giteaSshPort = 22; giteaSshPort = 22;
giteaSshPortStr = toString giteaSshPort; giteaSshPortStr = toString giteaSshPort;
sshPort = 3456;
webPorts = [
80
443
];
wgPort = 51820;
syncthingPort = toString 22000; syncthingPort = toString 22000;
synapseFederationPort = toString 8448; synapseFederationPort = toString 8448;
synapseClientPort = toString config.my.servers.synapse.port; synapseClientPort = toString config.my.servers.synapse.port;
@@ -41,36 +49,36 @@ in
image.modules.linode = { }; image.modules.linode = { };
networking.hostName = "vps"; networking.hostName = "vps";
services.smartd.enable = lib.mkForce false; services.smartd.enable = lib.mkForce false;
boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
environment.systemPackages = [ ]; environment.systemPackages = [ ];
networking.nftables.enable = true; networking.nftables.enable = true;
networking.firewall = { networking.firewall = {
enable = true; enable = true;
filterForward = true; filterForward = true;
checkReversePath = "loose"; checkReversePath = "loose";
allowedTCPPorts = [ allowedTCPPorts = [ sshPort ] ++ webPorts;
80 allowedUDPPorts = [ wgPort ];
443
3456
];
allowedUDPPorts = [ 51820 ];
extraForwardRules = '' extraForwardRules = ''
iifname "wg0" ip saddr ${wgFriend1}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept iifname "${wgInterface}" ip saddr ${wgFriend1}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept
iifname "wg0" ip saddr ${wgFriend2}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept iifname "${wgInterface}" ip saddr ${wgFriend2}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept
iifname "wg0" ip saddr ${wgFriend3}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept iifname "${wgInterface}" ip saddr ${wgFriend3}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept
iifname "wg0" ip saddr ${wgFriend4}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept iifname "${wgInterface}" ip saddr ${wgFriend4}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept
iifname "wg0" ip saddr ${homeServer}/32 ip daddr ${wgFriend1}/32 tcp dport ${syncthingPort} accept iifname "${wgInterface}" ip saddr ${homeServer}/32 ip daddr ${wgFriend1}/32 tcp dport ${syncthingPort} accept
iifname "wg0" ip saddr ${homeServer}/32 ip daddr ${wgFriend2}/32 tcp dport ${syncthingPort} accept iifname "${wgInterface}" ip saddr ${homeServer}/32 ip daddr ${wgFriend2}/32 tcp dport ${syncthingPort} accept
iifname "wg0" ip saddr ${homeServer}/32 ip daddr ${wgFriend3}/32 tcp dport ${syncthingPort} accept iifname "${wgInterface}" ip saddr ${homeServer}/32 ip daddr ${wgFriend3}/32 tcp dport ${syncthingPort} accept
iifname "wg0" ip saddr ${homeServer}/32 ip daddr ${wgFriend4}/32 tcp dport ${syncthingPort} accept iifname "${wgInterface}" ip saddr ${homeServer}/32 ip daddr ${wgFriend4}/32 tcp dport ${syncthingPort} accept
iifname "wg0" ip saddr ${wgFriendsSubnet} ip daddr ${homeServer}/32 tcp dport { ${synapseClientPort}, ${synapseFederationPort}, ${syncplayPort} } accept iifname "${wgInterface}" ip saddr ${wgFriendsSubnet} ip daddr ${homeServer}/32 tcp dport { ${synapseClientPort}, ${synapseFederationPort}, ${syncplayPort} } accept
iifname "wg0" ip saddr ${wgFriendsSubnet} ip daddr ${homeServer}/32 icmp type echo-request accept iifname "${wgInterface}" ip saddr ${wgFriendsSubnet} ip daddr ${homeServer}/32 icmp type echo-request accept
iifname "wg0" ip saddr ${wgGuestsSubnet} ip daddr ${homeServer}/32 tcp dport ${stashPort} accept iifname "${wgInterface}" ip saddr ${wgFriend1}/32 ip daddr ${homeServer}/32 tcp dport ${stashPort} accept
iifname "wg0" ip saddr ${wgGuestsSubnet} ip daddr ${homeServer}/32 icmp type echo-request accept iifname "${wgInterface}" ip saddr ${wgGuest1}/32 ip daddr ${homeServer}/32 tcp dport ${stashPort} accept
iifname "${wgInterface}" ip saddr ${wgGuestsSubnet} ip daddr ${homeServer}/32 icmp type echo-request accept
iifname "wg0" ip saddr ${wgFriendsSubnet} oifname "${externalInterface}" accept iifname "${wgInterface}" ip saddr ${wgFriendsSubnet} oifname "${externalInterface}" accept
iifname "wg0" ip saddr ${wgGuestsSubnet} oifname "${externalInterface}" accept iifname "${wgInterface}" ip saddr ${wgGuestsSubnet} oifname "${externalInterface}" accept
iifname "${externalInterface}" ip daddr ${homeServer}/32 tcp dport ${giteaSshPortStr} accept
ip saddr ${wgFriendsSubnet} ip daddr ${wgServerSubnet} drop ip saddr ${wgFriendsSubnet} ip daddr ${wgServerSubnet} drop
ip saddr ${wgServerSubnet} ip daddr ${wgFriendsSubnet} drop ip saddr ${wgServerSubnet} ip daddr ${wgFriendsSubnet} drop
@@ -103,7 +111,7 @@ in
]; ];
} }
]; ];
services.openssh.ports = [ 3456 ]; services.openssh.ports = [ sshPort ];
sops.age = { sops.age = {
generateKey = true; generateKey = true;
keyFile = "/var/lib/sops-nix/key.txt"; keyFile = "/var/lib/sops-nix/key.txt";
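Review bot: The new forward rule `iifname "${externalInterface}" ip daddr ${homeServer}/32 tcp dport ${giteaSshPortStr} accept` admits any packet arriving on the public interface for the home server's WireGuard address on port 22, not only the flows a DNAT rule has translated; the DNAT itself is not in this hunk, so I assume one exists in the nat table. Qualifying it with `ct status dnat` — `iifname "${externalInterface}" ct status dnat ip daddr ${homeServer}/32 tcp dport ${giteaSshPortStr} accept` — limits the opening to translated Gitea-SSH connections and keeps a spoofed or on-link packet addressed directly to the home server's tunnel address from being forwarded into it. Since this is the one rule that lets internet traffic into the home side, a comment stating that it backs the Gitea SSH port forward (the host's own sshd having moved to sshPort = 3456) would help the next reader; whether the port-22 listener on the home server is Gitea or the system sshd cannot be told from here. The extraForwardRules string continues past the end of this hunk.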


@@ -9,7 +9,10 @@
kernelModules = [ ]; kernelModules = [ ];
extraModulePackages = [ ]; extraModulePackages = [ ];
kernelParams = [ "console=ttyS0,19200n8" ]; kernelParams = [ "console=ttyS0,19200n8" ];
kernel.sysctl."net.ipv4.conf.wg0.rp_filter" = 0; kernel.sysctl = {
"net.ipv4.ip_forward" = 1;
"net.ipv4.conf.wg0.rp_filter" = 0;
};
initrd.availableKernelModules = [ initrd.availableKernelModules = [
"virtio_pci" "virtio_pci"
"virtio_scsi" "virtio_scsi"
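Review bot: `"net.ipv4.conf.wg0.rp_filter" = 0` on its own may not disable source validation on the tunnel, because the kernel uses the maximum of `net.ipv4.conf.all.rp_filter` and the per-interface value; if `all.rp_filter` is set non-zero anywhere else in the configuration this entry is a no-op, so a comment (or an explicit `"net.ipv4.conf.all.rp_filter"` entry) should record the intended combination. The new `"net.ipv4.ip_forward" = 1` turns this host into a router for every interface, and the reason belongs next to it: `# Forward WireGuard client traffic to the home server and the internet; the firewall's forward chain is what limits it.` The sysctl key still hardcodes `wg0` while the firewall side now binds the interface name as `wgInterface`; if that binding can be reached from this module, keying the sysctl on it would stop the two from drifting.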