jawz/NixOS
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c09268891e43efa2efce657babf0c914f16ba8fe
NixOS/hosts/vps/configuration.nix
Danilo Reyes c09268891e firewall migration
2026-02-05 12:45:39 -06:00

126 lines
4.5 KiB
Nix
Raw Blame History

{
config,
lib,
inputs,
pkgs,
...
}:
let
externalInterface = config.my.interfaces.${config.networking.hostName};
homeServer = config.my.ips.wg-server;
in
{
imports = [
./hardware-configuration.nix
../../config/base.nix
];
my = import ./toggles.nix { inherit config inputs; } // {
secureHost = true;
users.nixremote = {
enable = true;
authorizedKeys = inputs.self.lib.getSshKeys [
"nixworkstation"
"nixserver"
"nixminiserver"
];
};
};
networking.firewall = {
enable = true;
allowedTCPPorts = [
80
443
3456
];
allowedUDPPorts = [ 51820 ];
extraForwardRules = ''
ct state established,related accept
ip daddr ${homeServer}/32 tcp dport { 22, 51412 } accept
ip daddr ${homeServer}/32 udp dport 51412 accept
ip saddr 10.8.0.2/32 ip daddr ${homeServer}/32 tcp dport 22000 accept
ip saddr 10.8.0.3/32 ip daddr ${homeServer}/32 tcp dport 22000 accept
ip saddr 10.8.0.4/32 ip daddr ${homeServer}/32 tcp dport 22000 accept
ip saddr 10.8.0.5/32 ip daddr ${homeServer}/32 tcp dport 22000 accept
ip saddr ${homeServer}/32 ip daddr 10.8.0.2/32 tcp dport 22000 accept
ip saddr ${homeServer}/32 ip daddr 10.8.0.3/32 tcp dport 22000 accept
ip saddr ${homeServer}/32 ip daddr 10.8.0.4/32 tcp dport 22000 accept
ip saddr ${homeServer}/32 ip daddr 10.8.0.5/32 tcp dport 22000 accept
ip saddr 10.8.0.0/24 ip daddr ${homeServer}/32 tcp dport { 8008, 8448, 8999 } accept
ip saddr 10.8.0.0/24 ip daddr ${homeServer}/32 icmp type echo-request accept
ip saddr ${homeServer}/32 ip daddr 10.8.0.0/24 icmp type echo-reply accept
ip saddr 10.9.0.0/24 ip daddr ${homeServer}/32 tcp dport 9999 accept
ip saddr 10.9.0.0/24 ip daddr ${homeServer}/32 icmp type echo-request accept
ip saddr ${homeServer}/32 ip daddr 10.9.0.0/24 icmp type echo-reply accept
ip saddr 10.8.0.0/24 oifname "${externalInterface}" accept
ip saddr 10.9.0.0/24 oifname "${externalInterface}" accept
ip saddr 10.8.0.0/24 ip daddr 10.77.0.0/24 drop
ip saddr 10.77.0.0/24 ip daddr 10.8.0.0/24 drop
ip saddr 10.9.0.0/24 ip daddr 10.77.0.0/24 drop
ip saddr 10.77.0.0/24 ip daddr 10.9.0.0/24 drop
ip saddr 10.9.0.0/24 ip daddr 10.8.0.0/24 drop
ip saddr 10.8.0.0/24 ip daddr 10.9.0.0/24 drop
'';
extraCommands = ''
iptables -t nat -A PREROUTING -p tcp --dport 22 -j DNAT --to-destination ${homeServer}:22
iptables -t nat -A PREROUTING -p tcp --dport 51412 -j DNAT --to-destination ${homeServer}:51412
iptables -t nat -A PREROUTING -p udp --dport 51412 -j DNAT --to-destination ${homeServer}:51412
iptables -t nat -A POSTROUTING -d ${homeServer}/32 -p tcp --dport 22 -j MASQUERADE
iptables -t nat -A POSTROUTING -d ${homeServer}/32 -p tcp --dport 51412 -j MASQUERADE
iptables -t nat -A POSTROUTING -d ${homeServer}/32 -p udp --dport 51412 -j MASQUERADE
'';
extraStopCommands = ''
iptables -t nat -D PREROUTING -p tcp --dport 22 -j DNAT --to-destination ${homeServer}:22 || true
iptables -t nat -D PREROUTING -p tcp --dport 51412 -j DNAT --to-destination ${homeServer}:51412 || true
iptables -t nat -D PREROUTING -p udp --dport 51412 -j DNAT --to-destination ${homeServer}:51412 || true
iptables -t nat -D POSTROUTING -d ${homeServer}/32 -p tcp --dport 22 -j MASQUERADE || true
iptables -t nat -D POSTROUTING -d ${homeServer}/32 -p tcp --dport 51412 -j MASQUERADE || true
iptables -t nat -D POSTROUTING -d ${homeServer}/32 -p udp --dport 51412 -j MASQUERADE || true
'';
};
image.modules.linode = { };
networking.hostName = "vps";
security.sudo-rs.extraRules = [
{
users = [ "nixremote" ];
commands = [
{
command = "/run/current-system/sw/bin/nixos-rebuild";
options = [ "NOPASSWD" ];
}
];
}
];
services.openssh.ports = [ 3456 ];
sops.age = {
generateKey = true;
keyFile = "/var/lib/sops-nix/key.txt";
sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
};
users = {
groups = {
deploy = { };
lidarr-reports = { };
};
users = {
deploy = {
isSystemUser = true;
group = "deploy";
openssh.authorizedKeys.keyFiles = [ ../../secrets/ssh/ed25519_deploy.pub ];
};
lidarr-reports = {
isSystemUser = true;
group = "lidarr-reports";
openssh.authorizedKeys.keyFiles = [ ../../secrets/ssh/ed25519_lidarr-reports.pub ];
};
};
};
environment.systemPackages = [ ];
}
Reference in New Issue View Git Blame Copy Permalink