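{ config, lib, inputs, ... }:
let
  # Uplink interface of this host, looked up by hostname from the shared
  # interface table.
  externalInterface = config.my.interfaces.${config.networking.hostName};

  # WireGuard address of the home server that the forwarded traffic below targets.
  homeServer = config.my.ips.wg-server;

  # The three WireGuard address ranges that must stay isolated from each other
  # (see the drop rules at the end of extraForwardRules).
  wgFriendsSubnet = "${config.my.ips.wg-friends}/24";
  wgGuestsSubnet = "${config.my.ips.wg-gs}/24";
  wgServerSubnet = "10.77.0.0/24";

  # Friend peers that get Syncthing access to the home server. Add a name here
  # and the matching forward rules are generated; nothing else needs editing.
  wgFriends = map (name: config.my.ips.${name}) [
    "wg-friend1"
    "wg-friend2"
    "wg-friend3"
    "wg-friend4"
  ];

  giteaSshPort = 22;
  giteaSshPortStr = toString giteaSshPort;
  syncthingPort = toString 22000;
  synapseFederationPort = toString 8448;
  synapseClientPort = toString config.my.servers.synapse.port;
  syncplayPort = toString config.my.servers.syncplay.port;
  stashPort = toString config.my.servers.stash.port;

  # One accept pair per friend (friend -> home server and home server -> friend)
  # on the Syncthing port. Deliberately per-host rather than per-subnet so a
  # peer that is not in wgFriends gets no Syncthing path at all.
  syncthingForwardRules = lib.concatMapStringsSep "\n" (friend: ''
    iifname "wg0" ip saddr ${friend}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept
    iifname "wg0" ip saddr ${homeServer}/32 ip daddr ${friend}/32 tcp dport ${syncthingPort} accept
  '') wgFriends;
in
{
  imports = [
    ./hardware-configuration.nix
    ../../config/base.nix
  ];

  my = import ./toggles.nix { inherit config inputs; } // {
    secureHost = true;
    users.nixremote = {
      enable = true;
      # Only these three hosts may log in as nixremote. Together with the
      # NOPASSWD nixos-rebuild sudo rule below this is root-equivalent access,
      # so keep this list tight.
      authorizedKeys = inputs.self.lib.getSshKeys [ "nixworkstation" "nixserver" "nixminiserver" ];
    };
  };

  # Built as a Linode image.
  image.modules.linode = { };
  networking.hostName = "vps";

  # mkForce overrides whatever base.nix sets; presumably because a VPS exposes
  # no SMART-capable disks.
  services.smartd.enable = lib.mkForce false;
  # Intentionally nothing host-specific; base.nix presumably supplies the rest.
  environment.systemPackages = [ ];

  networking.nftables.enable = true;
  networking.firewall = {
    enable = true;
    # Filter routed traffic as well, not only traffic addressed to this host:
    # anything forwarded between wg0 and the uplink must match an accept below.
    filterForward = true;
    # Strict reverse-path checks would drop the asymmetric WireGuard/NAT flows
    # this host routes — TODO confirm "loose" is still the minimum needed.
    checkReversePath = "loose";
    # 80/443: presumably a reverse proxy configured elsewhere. 3456: this host's
    # own sshd (services.openssh.ports below). Port 22 is deliberately not
    # opened here; it is DNAT'ed to the home server by networking.nat.forwardPorts.
    allowedTCPPorts = [ 80 443 3456 ];
    # WireGuard listen port; the wg0 interface itself is not defined in this file.
    allowedUDPPorts = [ 51820 ];
    # First match wins. The per-host and per-subnet accepts are only as strong
    # as the WireGuard peer AllowedIPs (configured elsewhere), which pin each
    # peer's source address inside the tunnel — confirm they are per-peer.
    extraForwardRules = ''
      # Syncthing: generated per friend from wgFriends
      ${syncthingForwardRules}
      # Friends subnet: Synapse (client + federation) and Syncplay on the home server, plus ping
      iifname "wg0" ip saddr ${wgFriendsSubnet} ip daddr ${homeServer}/32 tcp dport { ${synapseClientPort}, ${synapseFederationPort}, ${syncplayPort} } accept
      iifname "wg0" ip saddr ${wgFriendsSubnet} ip daddr ${homeServer}/32 icmp type echo-request accept
      # Guests subnet: only Stash on the home server, plus ping
      iifname "wg0" ip saddr ${wgGuestsSubnet} ip daddr ${homeServer}/32 tcp dport ${stashPort} accept
      iifname "wg0" ip saddr ${wgGuestsSubnet} ip daddr ${homeServer}/32 icmp type echo-request accept
      # Both VPN subnets get internet egress through the uplink (NAT below)
      iifname "wg0" ip saddr ${wgFriendsSubnet} oifname "${externalInterface}" accept
      iifname "wg0" ip saddr ${wgGuestsSubnet} oifname "${externalInterface}" accept
      # Keep the three WireGuard ranges isolated from each other. With
      # filterForward the chain should already fall through to drop, so these
      # mainly document intent; they are kept explicit on purpose.
      ip saddr ${wgFriendsSubnet} ip daddr ${wgServerSubnet} drop
      ip saddr ${wgServerSubnet} ip daddr ${wgFriendsSubnet} drop
      ip saddr ${wgGuestsSubnet} ip daddr ${wgServerSubnet} drop
      ip saddr ${wgServerSubnet} ip daddr ${wgGuestsSubnet} drop
      ip saddr ${wgGuestsSubnet} ip daddr ${wgFriendsSubnet} drop
      ip saddr ${wgFriendsSubnet} ip daddr ${wgGuestsSubnet} drop
    '';
  };

  networking.nat = {
    enable = true;
    inherit externalInterface;
    internalInterfaces = [ "wg0" ];
    # Public :22 on this VPS is the Gitea SSH endpoint on the home server; that
    # is why the VPS's own sshd lives on 3456 instead.
    forwardPorts = [
      {
        sourcePort = giteaSshPort;
        proto = "tcp";
        destination = "${homeServer}:${giteaSshPortStr}";
      }
    ];
  };

  # Passwordless nixos-rebuild for the remote-deploy user. Since nixos-rebuild
  # can activate an arbitrary configuration this is effectively root; the only
  # boundary is who holds the nixremote keys (my.users.nixremote above).
  security.sudo-rs.extraRules = [
    {
      users = [ "nixremote" ];
      commands = [
        {
          command = "/run/current-system/sw/bin/nixos-rebuild";
          options = [ "NOPASSWD" ];
        }
      ];
    }
  ];

  services.openssh.ports = [ 3456 ];

  # sops-nix decryption key: derived from the ed25519 host key, with a
  # generated age key persisted at keyFile as well.
  sops.age = {
    generateKey = true;
    keyFile = "/var/lib/sops-nix/key.txt";
    sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  };

  # Key-only system accounts. No shell or home is set here, so the NixOS
  # defaults for system users apply — confirm each account is restricted to
  # the deploy / report-upload path it exists for.
  users = {
    groups = {
      deploy = { };
      lidarr-reports = { };
    };
    users = {
      deploy = {
        isSystemUser = true;
        group = "deploy";
        openssh.authorizedKeys.keyFiles = [ ../../secrets/ssh/ed25519_deploy.pub ];
      };
      lidarr-reports = {
        isSystemUser = true;
        group = "lidarr-reports";
        openssh.authorizedKeys.keyFiles = [ ../../secrets/ssh/ed25519_lidarr-reports.pub ];
      };
    };
  };
}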