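# NixOS host configuration for "vps".
#
# The box does three jobs that are visible in this file:
#   * edge for a WireGuard mesh: DNATs public port 22 to the home server and
#     filters traffic between the friends / guests / homelab subnets;
#   * static web root under /var/www/html, written by a "deploy" user over SSH;
#   * remote rebuild target for the "nixremote" user (passwordless nixos-rebuild).
#
# Addresses, subnets and service ports come from config.my.* (defined elsewhere
# in the flake); only the ports that are local to this host are literal here.
{
  config,
  lib,
  pkgs,
  inputs,
  ...
}:

let
  # Public-facing NIC, looked up by host name (config.my.interfaces.vps).
  externalInterface = config.my.interfaces.${config.networking.hostName};
  wgInterface = "wg0";

  # WireGuard peer addresses. homeServer is the DNAT / forwarding target.
  ips = {
    homeServer = config.my.ips.wg-server;
    wgFriend1 = config.my.ips.wg-friend1;
    wgGuest1 = config.my.ips.wg-guest1;
    wgGuest2 = config.my.ips.wg-guest2;
  };

  # Peer groups; the forward rules below isolate these from each other.
  subnets = {
    wgFriends = config.my.subnets.wg-friends;
    wgGuests = config.my.subnets.wg-guests;
    wgHomelab = config.my.subnets.wg-homelab;
  };

  ports = {
    # Public port 22 is forwarded to the home server (Gitea SSH), so the
    # VPS's own sshd listens on `ssh` instead (see services.openssh.ports).
    giteaSsh = 22;
    ssh = 3456;
    web = [
      80
      443
    ];
    wg = 51820;
    syncthing = 22000;
    synapseFederation = 8448;
  };

  # String forms for interpolation into nftables rule text.
  portsStr = {
    giteaSsh = toString ports.giteaSsh;
    syncthing = toString ports.syncthing;
    synapseFederation = toString ports.synapseFederation;
    synapseClient = toString config.my.servers.synapse.port;
    syncplay = toString config.my.servers.syncplay.port;
    stash = toString config.my.servers.stash.port;
  };
in
{
  imports = [
    ./hardware-configuration.nix
    ../../config/base.nix
  ];

  my = import ./toggles.nix { inherit config inputs; } // {
    secureHost = true;
    # Deploy account used by the other hosts to push rebuilds; its only
    # credentials are the listed hosts' SSH keys.
    users.nixremote = {
      enable = true;
      authorizedKeys = inputs.self.lib.getSshKeys [
        "nixworkstation"
        "nixserver"
        "nixminiserver"
      ];
    };
  };

  # sops-nix age identity is derived from the host's ed25519 SSH key and
  # generated on first boot; no private key material lives in the repo.
  sops.age = {
    generateKey = true;
    keyFile = "/var/lib/sops-nix/key.txt";
    sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  };

  image.modules.linode = { };

  environment.systemPackages = [ ];

  networking = {
    hostName = "vps";

    nat = {
      inherit externalInterface;
      enable = true;
      # Was the literal "wg0"; use the shared binding so the NAT side and the
      # nftables/firewall rules cannot drift apart.
      internalInterfaces = [ wgInterface ];
      # Public :22 -> home server's sshd over the tunnel.
      # NOTE(review): with firewall.filterForward = true the DNATed flow also
      # has to be accepted in the forward chain; the NixOS nat module is
      # expected to add that for forwardPorts - confirm on the live ruleset
      # (`nft list ruleset`) that the forwarded SSH flow is not dropped.
      forwardPorts = [
        {
          sourcePort = ports.giteaSsh;
          proto = "tcp";
          destination = "${ips.homeServer}:${portsStr.giteaSsh}";
        }
      ];
    };

    nftables = {
      enable = true;
      # Source-NAT the forwarded SSH flow so the home server routes replies
      # back through the VPS's tunnel address rather than to the public
      # client IP. Consequence: the home server's sshd sees the VPS's
      # WireGuard address as the peer, so per-client attribution (logs,
      # brute-force blocking) for this service must happen on the VPS.
      tables.vps-snat = {
        family = "ip";
        content = ''
          chain postrouting {
            type nat hook postrouting priority srcnat;
            iifname "${externalInterface}" oifname "${wgInterface}" ip daddr ${ips.homeServer}/32 tcp dport ${portsStr.giteaSsh} masquerade comment "snat ssh forward"
          }
        '';
      };
    };

    firewall = {
      enable = true;
      # Forwarded traffic is filtered (default deny) and allowed only by the
      # explicit rules below.
      filterForward = true;
      # "loose" rp_filter: presumably needed because tunnel traffic can be
      # routed asymmetrically; it weakens anti-spoofing on the public NIC -
      # TODO confirm "strict" does not work for this topology.
      checkReversePath = "loose";
      allowedTCPPorts = [ ports.ssh ] ++ ports.web;
      allowedUDPPorts = [ ports.wg ];
      # Rules are evaluated top-down: the per-service accepts come first, the
      # subnet-isolation drops at the end only catch what nothing above
      # accepted.
      extraForwardRules = ''
        # friends <-> home server: syncthing, both directions
        iifname "${wgInterface}" ip saddr ${subnets.wgFriends} ip daddr ${ips.homeServer}/32 tcp dport ${portsStr.syncthing} accept
        iifname "${wgInterface}" ip saddr ${ips.homeServer}/32 ip daddr ${subnets.wgFriends} tcp dport ${portsStr.syncthing} accept

        # friends -> home server: matrix (client + federation), syncplay
        iifname "${wgInterface}" ip saddr ${subnets.wgFriends} ip daddr ${ips.homeServer}/32 tcp dport { ${portsStr.synapseClient}, ${portsStr.synapseFederation}, ${portsStr.syncplay} } accept

        # ping and stash, only for the individually listed peers
        iifname "${wgInterface}" ip saddr ${subnets.wgFriends} ip daddr ${ips.homeServer}/32 icmp type echo-request accept
        iifname "${wgInterface}" ip saddr ${ips.wgFriend1}/32 ip daddr ${ips.homeServer}/32 tcp dport ${portsStr.stash} accept
        iifname "${wgInterface}" ip saddr ${ips.wgGuest1}/32 ip daddr ${ips.homeServer}/32 tcp dport ${portsStr.stash} accept
        iifname "${wgInterface}" ip saddr ${ips.wgGuest2}/32 ip daddr ${ips.homeServer}/32 tcp dport ${portsStr.stash} accept
        iifname "${wgInterface}" ip saddr ${subnets.wgGuests} ip daddr ${ips.homeServer}/32 icmp type echo-request accept

        # homelab peers: unrestricted access to the home server
        iifname "${wgInterface}" ip saddr ${subnets.wgHomelab} ip daddr ${ips.homeServer}/32 accept

        # friends and guests may egress to the internet via the public NIC
        iifname "${wgInterface}" ip saddr ${subnets.wgFriends} oifname "${externalInterface}" accept
        iifname "${wgInterface}" ip saddr ${subnets.wgGuests} oifname "${externalInterface}" accept

        # explicit isolation between peer groups (anything not accepted above)
        ip saddr ${subnets.wgFriends} ip daddr ${subnets.wgHomelab} drop
        ip saddr ${subnets.wgHomelab} ip daddr ${subnets.wgFriends} drop
        ip saddr ${subnets.wgGuests} ip daddr ${subnets.wgHomelab} drop
        ip saddr ${subnets.wgHomelab} ip daddr ${subnets.wgGuests} drop
        ip saddr ${subnets.wgGuests} ip daddr ${subnets.wgFriends} drop
        ip saddr ${subnets.wgFriends} ip daddr ${subnets.wgGuests} drop
      '';
    };
  };

  # Passwordless nixos-rebuild for the deploy account. This is root-equivalent
  # in practice (a rebuild activates whatever configuration is pushed), so the
  # SSH keys allowed on nixremote above are the effective access control.
  security.sudo-rs.extraRules = [
    {
      users = [ "nixremote" ];
      commands = [
        {
          command = "/run/current-system/sw/bin/nixos-rebuild";
          options = [ "NOPASSWD" ];
        }
      ];
    }
  ];

  # Web roots: setgid dirs so files created by the deploy user inherit the
  # www-data group. Mode 2775 also grants group write, and nginx is a member
  # of www-data (see users.users.nginx below), so the web server process can
  # modify the web root - NOTE(review): 2755 would suffice if nginx only
  # needs to read.
  systemd.tmpfiles.rules = [
    "d /var/www/html 2775 deploy www-data -"
    "d /var/www/html/portfolio 2775 deploy www-data -"
    "d /var/www/html/blog 2775 deploy www-data -"
    "d /var/www/html/lidarr-mb-gap 2775 lidarr-reports lidarr-reports -"
  ];

  services = {
    # No physical disks to monitor on a VM; base.nix presumably enables it.
    smartd.enable = lib.mkForce false;
    openssh.ports = [ ports.ssh ];
  };

  users = {
    groups = {
      deploy = { };
      lidarr-reports = { };
      www-data = { };
    };

    users = {
      nginx.extraGroups = [ "www-data" ];

      # SSH-only publishing accounts; key material comes from the repo's
      # public-key files, nothing is password-based.
      deploy = {
        isSystemUser = true;
        group = "deploy";
        home = "/var/lib/deploy";
        createHome = true;
        shell = pkgs.bashInteractive;
        extraGroups = [ "www-data" ];
        openssh.authorizedKeys.keyFiles = [ ../../secrets/ssh/ed25519_deploy.pub ];
      };

      lidarr-reports = {
        isSystemUser = true;
        group = "lidarr-reports";
        home = "/var/lib/lidarr-reports";
        createHome = true;
        shell = pkgs.bashInteractive;
        openssh.authorizedKeys.keyFiles = [ ../../secrets/ssh/ed25519_lidarr-reports.pub ];
      };
    };
  };
}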