{ config, lib, inputs, ... }:
let
  cfg = config.my;

  # Uplink NIC of this host, looked up by hostname in the shared interface map.
  externalInterface = cfg.interfaces.${config.networking.hostName};
  # WireGuard tunnel that carries homelab, friends and guests traffic.
  wgInterface = "wg0";

  # Individual tunnel peers (addresses come from the shared `my.ips` map).
  ips = {
    homeServer = cfg.ips.wg-server;
    wgFriend1 = cfg.ips.wg-friend1;
    wgGuest1 = cfg.ips.wg-guest1;
  };

  # Tunnel subnets, one per trust tier; the forward rules below keep the
  # tiers isolated from each other except for the explicitly listed services.
  subnets = {
    wgFriends = cfg.subnets.wg-friends;
    wgGuests = cfg.subnets.wg-guests;
    wgHomelab = cfg.subnets.wg-homelab;
  };

  ports = {
    giteaSsh = 22; # public SSH port, DNAT'd to the home server (gitea)
    ssh = 3456; # sshd of this VPS itself, kept off 22 so the DNAT can own it
    web = [ 80 443 ];
    wg = 51820; # WireGuard listen port (UDP)
    syncthing = 22000;
    synapseFederation = 8448;
  };

  # nftables rule text needs strings, not ints.
  portsStr = builtins.mapAttrs (_: toString) {
    giteaSsh = ports.giteaSsh;
    syncthing = ports.syncthing;
    synapseFederation = ports.synapseFederation;
    synapseClient = cfg.servers.synapse.port;
    syncplay = cfg.servers.syncplay.port;
    stash = cfg.servers.stash.port;
  };

  # Small nft fragments shared by the forward rules.
  onWg = ''iifname "${wgInterface}"'';
  toHome = "ip daddr ${ips.homeServer}/32";
  fromHome = "ip saddr ${ips.homeServer}/32";
  # Hard drop between two tiers, in one direction.
  isolate = src: dst: "ip saddr ${src} ip daddr ${dst} drop";

  # Forward-chain rules for the tunnel. Accepts come first; the trailing drops
  # pin down every remaining cross-tier path so that an accept contributed by
  # another module (e.g. the NAT module) cannot open it by accident.
  forwardRules = lib.concatStringsSep "\n" [
    # friends <-> home server: syncthing in both directions
    "${onWg} ip saddr ${subnets.wgFriends} ${toHome} tcp dport ${portsStr.syncthing} accept"
    "${onWg} ${fromHome} ip daddr ${subnets.wgFriends} tcp dport ${portsStr.syncthing} accept"
    # friends -> home server: matrix (client + federation) and syncplay
    "${onWg} ip saddr ${subnets.wgFriends} ${toHome} tcp dport { ${portsStr.synapseClient}, ${portsStr.synapseFederation}, ${portsStr.syncplay} } accept"
    "${onWg} ip saddr ${subnets.wgFriends} ${toHome} icmp type echo-request accept"
    # stash is opened per peer, not per tier
    "${onWg} ip saddr ${ips.wgFriend1}/32 ${toHome} tcp dport ${portsStr.stash} accept"
    "${onWg} ip saddr ${ips.wgGuest1}/32 ${toHome} tcp dport ${portsStr.stash} accept"
    "${onWg} ip saddr ${subnets.wgGuests} ${toHome} icmp type echo-request accept"
    # friends and guests may use this host as their internet exit
    "${onWg} ip saddr ${subnets.wgFriends} oifname \"${externalInterface}\" accept"
    "${onWg} ip saddr ${subnets.wgGuests} oifname \"${externalInterface}\" accept"
    # everything else between tiers is dropped, both directions
    (isolate subnets.wgFriends subnets.wgHomelab)
    (isolate subnets.wgHomelab subnets.wgFriends)
    (isolate subnets.wgGuests subnets.wgHomelab)
    (isolate subnets.wgHomelab subnets.wgGuests)
    (isolate subnets.wgGuests subnets.wgFriends)
    (isolate subnets.wgFriends subnets.wgGuests)
  ];
in
{
  imports = [
    ./hardware-configuration.nix
    ../../config/base.nix
  ];

  my = import ./toggles.nix { inherit config inputs; } // {
    secureHost = true;
    # Remote deploy account. Together with the NOPASSWD sudo rule below this
    # key set is effectively root on the box, so it is the real access control.
    users.nixremote = {
      enable = true;
      authorizedKeys = inputs.self.lib.getSshKeys [
        "nixworkstation"
        "nixserver"
        "nixminiserver"
      ];
    };
  };

  # Age key for sops is derived from the host's ed25519 SSH key and generated on
  # first boot if missing.
  sops.age = {
    generateKey = true;
    keyFile = "/var/lib/sops-nix/key.txt";
    sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  };

  image.modules.linode = { };

  environment.systemPackages = [ ];

  networking.hostName = "vps";

  # Public port 22 is handed straight to the home server over the tunnel.
  networking.nat = {
    inherit externalInterface;
    enable = true;
    internalInterfaces = [ wgInterface ];
    forwardPorts = [
      {
        sourcePort = ports.giteaSsh;
        proto = "tcp";
        destination = "${ips.homeServer}:${portsStr.giteaSsh}";
      }
    ];
  };

  networking.nftables = {
    enable = true;
    # Source-NAT the DNAT'd SSH flows before they enter the tunnel, so the home
    # server replies back through wg0 (presumably it does not route its default
    # traffic through this VPS). Side effect: the home server sees every gitea
    # SSH client as this host's tunnel address, so source-IP based logging or
    # rate limiting for that service has to live here, not there.
    tables.vps-snat = {
      family = "ip";
      content = ''
        chain postrouting {
          type nat hook postrouting priority srcnat;
          iifname "${externalInterface}" oifname "${wgInterface}" ip daddr ${ips.homeServer}/32 tcp dport ${portsStr.giteaSsh} masquerade comment "snat ssh forward"
        }
      '';
    };
  };

  networking.firewall = {
    enable = true;
    # Put the forward chain under the firewall too; only the rules in
    # extraForwardRules (plus whatever other modules contribute) open paths.
    filterForward = true;
    # Strict reverse-path filtering would reject tunnel/NAT'd traffic whose
    # return route differs from its ingress interface; "loose" still drops
    # sources that have no route at all.
    checkReversePath = "loose";
    allowedTCPPorts = [ ports.ssh ] ++ ports.web;
    allowedUDPPorts = [ ports.wg ];
    extraForwardRules = forwardRules;
  };

  # nixos-rebuild runs as root and activates whatever configuration it is
  # pointed at, so this is root-equivalent for nixremote; see the key list
  # under my.users.nixremote above.
  security.sudo-rs.extraRules = [
    {
      users = [ "nixremote" ];
      commands = [
        {
          command = "/run/current-system/sw/bin/nixos-rebuild";
          options = [ "NOPASSWD" ];
        }
      ];
    }
  ];

  services.smartd.enable = lib.mkForce false; # virtual disks, nothing to monitor
  services.openssh.ports = [ ports.ssh ];

  users.groups.deploy = { };
  users.groups.lidarr-reports = { };

  # Key-only service accounts. No shell is set here; what these keys may do is
  # governed by the options in the .pub files and sshd config elsewhere —
  # NOTE(review): confirm they are restricted (ForceCommand / key options).
  users.users.deploy = {
    isSystemUser = true;
    group = "deploy";
    openssh.authorizedKeys.keyFiles = [ ../../secrets/ssh/ed25519_deploy.pub ];
  };
  users.users.lidarr-reports = {
    isSystemUser = true;
    group = "lidarr-reports";
    openssh.authorizedKeys.keyFiles = [ ../../secrets/ssh/ed25519_lidarr-reports.pub ];
  };
}