Make instance-20221213-1915 a public server

This commit is contained in:
Charlotte 🦝 Delenk 2022-12-14 10:40:28 +01:00
parent 8694a3b772
commit a55a4b9f4c
Signed by: darkkirb
GPG key ID: AB2BD8DAF2E37122
5 changed files with 79 additions and 72 deletions


@ -9,7 +9,7 @@
./users/root.nix
./nix.nix
./sops.nix
./wireguard.nix
./wireguard
./home.nix
./services/restic.nix
./specialization.nix


@ -12,6 +12,7 @@
(modulesPath + "/profiles/qemu-guest.nix")
./systemd-boot.nix
./server.nix
./wireguard/public-server.nix
];
boot.initrd.availableKernelModules = ["xhci_pci" "virtio_pci" "usbhid"];


@ -29,6 +29,7 @@
./services/akkoma
./services/peertube
./services/rspamd.nix
./wireguard/public-server.nix
];
boot.initrd.availableKernelModules = ["ata_piix" "virtio_pci" "virtio_scsi" "xhci_pci" "sd_mod" "sr_mod"];
@ -171,77 +172,6 @@
nix.daemonCPUSchedPolicy = "idle";
nix.daemonIOSchedClass = "idle";
networking.wireguard.interfaces.wg0 = {
postSetup = ''
${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -o ens3 -j MASQUERADE
${pkgs.iptables}/bin/ip6tables -A FORWARD -i wg0 -j ACCEPT
${pkgs.iptables}/bin/ip6tables -t nat -A POSTROUTING -s fc00::/7 -o ens3 -j MASQUERADE
'';
postShutdown = ''
${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.0.0.0/8 -o ens3 -j MASQUERADE
${pkgs.iptables}/bin/ip6tables -D FORWARD -i wg0 -j ACCEPT
${pkgs.iptables}/bin/ip6tables -t nat -D POSTROUTING -s fc00::/7 -o ens3 -j MASQUERADE
'';
peers = [
{
publicKey = "/pQ86rAyPpM2tqzvk7NcKfEm72ENTVCSTTiHf6OrzDw=";
allowedIPs = [
"fd0d:a262:1fa6:e621:539c:94d8:30e1:fb8b/128"
"10.0.0.1/32"
];
}
{
publicKey = "YDh67pqmhWMPNWf1BYXeH4/GTScCWqoWuyIao3ZUcz4=";
allowedIPs = [
"fd0d:a262:1fa6:e621:480:b859:2a43:7101/128"
"10.0.0.2/32"
];
}
{
publicKey = "JZi7Lw8G5W2pnoqJWW6YfJm4OAaxhaneY8i3V9EO8X4=";
allowedIPs = [
"10.0.0.3/32"
"fd0d:a262:1fa6:e621:66b6:3f04:5583:db63/128"
];
}
# nutty-noon
{
publicKey = "YYQmSJwipRkZJUsPV5DxhfyRBMdj/O1XzN+cGYtUi1s=";
allowedIPs = [
"fd0d:a262:1fa6:e621:47e6:24d4:2acb:9437/128"
];
}
# thinkrac
{
publicKey = "iKW9nomLyLY2f90UY66POzY8CfDhQrqOLqchERlR3TY=";
allowedIPs = [
"fd0d:a262:1fa6:e621:f45a:db9f:eb7c:1a3f/128"
];
}
# nas
{
publicKey = "RuQImASPojufJMoJ+zZ4FceC+mMN5vhxNR+i+m7g9Bc=";
allowedIPs = [
"fd0d:a262:1fa6:e621:bc9b:6a33:86e4:873b/128"
];
}
# instance-20221213-1915
{
publicKey = "GHsVg8seCVIMYOidH5+/3EnoXRmi98NXtNTVu+nFcnw=";
allowedIPs = [
"fd0d:a262:1fa6:e621:746d:4523:5c04:1453/128"
];
}
];
};
boot.kernel.sysctl = {
"net.ipv4.conf.all.forwarding" = true;
"net.ipv6.conf.all.forwarding" = true;
};
nix.settings.system-features = [
"kvm"
"nixos-test"
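Review bot: With the second hunk (`@ -171,77 +172,6 @@`) dropping the `# instance-20221213-1915` peer from this host and the shared `./wireguard/public-server.nix` imported in the first hunk listing neither public server, the two servers end up with no WireGuard peer entry for each other. If a client behind one server ever needs a ULA address that only the other server routes, that path no longer exists; if the two are meant to be independent exits that clients reach directly, that is fine but not stated anywhere. I would record the decision where the next reader will look for it, in the shared module's peer list: `# public servers are deliberately not peered with each other; every client holds a direct peer entry for each server`. The removed `networking.wireguard.interfaces.wg0` set closes inside the hunk, but the module's top-level attribute set continues past it.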


@ -9,11 +9,21 @@
{
publicKey = "zQY9cAzbRO/FgV92pda7yk0NJFSXzHfi6+tgRq3g/SY=";
allowedIPs = [
"fd0d:a262:1fa6:e621:b4e1:08ff:e658:6f49/128"
"fd0d:a262:1fa6:e621:b4e1:08ff:e658:6f49/7"
];
endpoint = "138.201.155.128:51820";
persistentKeepalive = 25;
}
{
publicKey = "GHsVg8seCVIMYOidH5+/3EnoXRmi98NXtNTVu+nFcnw=";
allowedIPs = [
"fd0d:a262:1fa6:e621:746d:4523:5c04:1453/128"
"fd0d:a262:1fa6:e621:746d:4523:5c04:1453/7"
];
endpoint = "130.162.60.127:51820";
persistentKeepalive = 25;
}
];
};
};
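Review bot: Both peers in this hunk now carry a `/7` entry (`…:6f49/7` and `…:1453/7`), which after masking is the same `fc00::/7` prefix twice; WireGuard's cryptokey routing assigns a prefix to exactly one peer, so whichever peer is configured last takes the whole ULA range and the other server receives none of it. If either public server is meant to be usable as the ULA exit, only one peer can hold `/7` at a time or the range has to be split between them, and writing the entry as `"fc00::/7"` instead of a host address with a /7 mask would make the routed range visible to the reader. The per-allowedIP kernel route NixOS installs is also requested twice for the same prefix here, which I would expect to either fail or replace the first one — worth checking `wg show` and `ip -6 route` on the client after activation. The enclosing interface attribute set starts above this hunk.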


@ -0,0 +1,66 @@
{pkgs, ...}: {
networking.wireguard.interfaces.wg0 = {
postSetup = ''
${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -o ens3 -j MASQUERADE
${pkgs.iptables}/bin/ip6tables -A FORWARD -i wg0 -j ACCEPT
${pkgs.iptables}/bin/ip6tables -t nat -A POSTROUTING -s fc00::/7 -o ens3 -j MASQUERADE
'';
postShutdown = ''
${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.0.0.0/8 -o ens3 -j MASQUERADE
${pkgs.iptables}/bin/ip6tables -D FORWARD -i wg0 -j ACCEPT
${pkgs.iptables}/bin/ip6tables -t nat -D POSTROUTING -s fc00::/7 -o ens3 -j MASQUERADE
'';
peers = [
{
publicKey = "/pQ86rAyPpM2tqzvk7NcKfEm72ENTVCSTTiHf6OrzDw=";
allowedIPs = [
"fd0d:a262:1fa6:e621:539c:94d8:30e1:fb8b/128"
"10.0.0.1/32"
];
}
{
publicKey = "YDh67pqmhWMPNWf1BYXeH4/GTScCWqoWuyIao3ZUcz4=";
allowedIPs = [
"fd0d:a262:1fa6:e621:480:b859:2a43:7101/128"
"10.0.0.2/32"
];
}
{
publicKey = "JZi7Lw8G5W2pnoqJWW6YfJm4OAaxhaneY8i3V9EO8X4=";
allowedIPs = [
"10.0.0.3/32"
"fd0d:a262:1fa6:e621:66b6:3f04:5583:db63/128"
];
}
# nutty-noon
{
publicKey = "YYQmSJwipRkZJUsPV5DxhfyRBMdj/O1XzN+cGYtUi1s=";
allowedIPs = [
"fd0d:a262:1fa6:e621:47e6:24d4:2acb:9437/128"
];
}
# thinkrac
{
publicKey = "iKW9nomLyLY2f90UY66POzY8CfDhQrqOLqchERlR3TY=";
allowedIPs = [
"fd0d:a262:1fa6:e621:f45a:db9f:eb7c:1a3f/128"
];
}
# nas
{
publicKey = "RuQImASPojufJMoJ+zZ4FceC+mMN5vhxNR+i+m7g9Bc=";
allowedIPs = [
"fd0d:a262:1fa6:e621:bc9b:6a33:86e4:873b/128"
];
}
];
};
boot.kernel.sysctl = {
"net.ipv4.conf.all.forwarding" = true;
"net.ipv6.conf.all.forwarding" = true;
};
}
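Review bot: The four MASQUERADE rules in `postSetup` and `postShutdown` hard-code the uplink as `-o ens3`, and this new module is imported by two different hosts in the earlier hunks; if the second host's uplink is not named `ens3`, the nat rules match nothing and peer traffic is forwarded out with non-routable `10.0.0.0/8` / `fc00::/7` source addresses, with no error at activation. I would make the uplink a module option defaulting to the current value so each host declares it explicitly (option name below is constructed), and give the module a header comment saying what it turns the host into: a NAT exit that forwards everything arriving on wg0, since `-A FORWARD -i wg0 -j ACCEPT` has no `-o` restriction and so also lets peers reach each other and the host's other interfaces. `networking.nat` with `internalInterfaces = ["wg0"]` and `enableIPv6 = true` could replace the hand-written rules and the sysctl block, but I have not checked that it reproduces the unconditional FORWARD accept, so that is a separate change to verify.
```nix
{
  config,
  lib,
  pkgs,
  ...
}: let
  cfg = config.wireguard.publicServer;
in {
  # NAT exit for the WireGuard peers listed below: everything arriving on wg0 is
  # forwarded, and 10.0.0.0/8 / fc00::/7 sources are masqueraded out of the uplink.
  options.wireguard.publicServer.uplinkInterface = lib.mkOption {
    type = lib.types.str;
    default = "ens3"; # matches the existing host; override where the uplink differs
    description = "Interface that forwarded peer traffic is masqueraded out of.";
  };

  config = {
    networking.wireguard.interfaces.wg0 = {
      postSetup = ''
        ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
        ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -o ${cfg.uplinkInterface} -j MASQUERADE
        ${pkgs.iptables}/bin/ip6tables -A FORWARD -i wg0 -j ACCEPT
        ${pkgs.iptables}/bin/ip6tables -t nat -A POSTROUTING -s fc00::/7 -o ${cfg.uplinkInterface} -j MASQUERADE
      '';
      # … unchanged: postShutdown mirrors postSetup with -D, using ${cfg.uplinkInterface} in the two nat rules …
      # … unchanged: peers list …
    };
    # … unchanged: boot.kernel.sysctl forwarding …
  };
}
```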