diff --git a/hosts/vps/mailserver/default.nix b/hosts/vps/mailserver/default.nix
index da92c36..89b09a6 100644
--- a/hosts/vps/mailserver/default.nix
+++ b/hosts/vps/mailserver/default.nix
@@ -38,45 +38,6 @@
         iptables -X vpn
       '';
     };
-    nat = {
-      enable = true;
-      enableIPv6 = true;
-      externalInterface = "venet0";
-      internalInterfaces = [ "wg0" ];
-    };
-    wg-quick.interfaces = {
-      wg0 = {
-        address = [ "10.0.0.1/32" ];
-        listenPort = 51820;
-        privateKeyFile = "/etc/wireguard/privatekey";
-        postUp = ''
-          ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
-          ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.0.0.1/24 -o venet0 -j MASQUERADE
-          ${pkgs.iptables}/bin/ip6tables -A FORWARD -i wg0 -j ACCEPT
-          ${pkgs.iptables}/bin/ip6tables -t nat -A POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o venet0 -j MASQUERADE
-        '';
-        preDown = ''
-          ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
-          ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.0.0.1/24 -o venet0 -j MASQUERADE
-          ${pkgs.iptables}/bin/ip6tables -D FORWARD -i wg0 -j ACCEPT
-          ${pkgs.iptables}/bin/ip6tables -t nat -D POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o venet0 -j MASQUERADE
-        '';
-        peers = [
-          {
-            publicKey = "kI93V0dVKSqX8hxMJHK5C0c1hEDPQTgPQDU8TKocVgo=";
-            allowedIPs = [ "10.0.0.2/32" ];
-          }
-          {
-            publicKey = "RqTsFxFCcgYsytcDr+jfEoOA5UNxa1ZzGlpx6iuTpXY=";
-            allowedIPs = [ "10.0.0.3/32" ];
-          }
-          {
-            publicKey = "1e0mjluqXdLbzv681HlC9B8BfGN8sIXIw3huLyQqwXI=";
-            allowedIPs = [ "10.0.0.4/32" ];
-          }
-        ];
-      };
-    };
   };
   users = {
diff --git a/nixos/configs/default.nix b/nixos/configs/default.nix
index 958bc62..17bf71b 100644
--- a/nixos/configs/default.nix
+++ b/nixos/configs/default.nix
@@ -22,7 +22,7 @@ in
   nova-nonya = novaConfig (with mods; [ ivand anon cryptocurrency ]);
   nova-ai = novaConfig (with mods; [ ivand ai ]);
   install-iso = configWithModules { modules = (with mods; [ grub base shell wireless ]); };
-  vps = configWithModules { modules = (with mods; [ base shell security vps mailserver nginx ]); };
+  vps = configWithModules { modules = (with mods; [ base shell security vps mailserver nginx wireguard-output ]); };
   stara-miner = configWithModules { modules = (essential ++ [ mods.monero-miner ]); };
 };
 }
diff --git a/nixos/modules/default.nix b/nixos/modules/default.nix
index e84de0d..a2f304a 100644
--- a/nixos/modules/default.nix
+++ b/nixos/modules/default.nix
@@ -314,7 +314,7 @@ top@{ inputs, moduleWithSystem, ... }: {
       };
     };
   });
-  nginx = moduleWithSystem (toplevel@{ ... }: perSystem@{ config, pkgs, ... }: {
+  nginx = moduleWithSystem (toplevel@{ ... }: perSystem@{ pkgs, ... }: {
     services = {
       nginx = let
@@ -408,5 +408,48 @@ top@{ inputs, moduleWithSystem, ... }: {
       };
     };
   });
+  wireguard-output = moduleWithSystem (toplevel@{ ... }: perSystem@{ pkgs, ... }: {
+    networking = {
+      nat = {
+        enable = true;
+        enableIPv6 = true;
+        externalInterface = "venet0";
+        internalInterfaces = [ "wg0" ];
+      };
+      wg-quick.interfaces = {
+        wg0 = let iptables = "${pkgs.iptables}/bin/iptables"; ip6tables = "${pkgs.iptables}/bin/ip6tables"; in {
+          address = [ "10.0.0.1/32" ];
+          listenPort = 51820;
+          privateKeyFile = "/etc/wireguard/privatekey";
+          postUp = ''
+            ${iptables} -A FORWARD -i wg0 -j ACCEPT
+            ${iptables} -t nat -A POSTROUTING -s 10.0.0.1/24 -o venet0 -j MASQUERADE
+            ${ip6tables} -A FORWARD -i wg0 -j ACCEPT
+            ${ip6tables} -t nat -A POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o venet0 -j MASQUERADE
+          '';
+          preDown = ''
+            ${iptables} -D FORWARD -i wg0 -j ACCEPT
+            ${iptables} -t nat -D POSTROUTING -s 10.0.0.1/24 -o venet0 -j MASQUERADE
+            ${ip6tables} -D FORWARD -i wg0 -j ACCEPT
+            ${ip6tables} -t nat -D POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o venet0 -j MASQUERADE
+          '';
+          peers = [
+            {
+              publicKey = "kI93V0dVKSqX8hxMJHK5C0c1hEDPQTgPQDU8TKocVgo=";
+              allowedIPs = [ "10.0.0.2/32" ];
+            }
+            {
+              publicKey = "RqTsFxFCcgYsytcDr+jfEoOA5UNxa1ZzGlpx6iuTpXY=";
+              allowedIPs = [ "10.0.0.3/32" ];
+            }
+            {
+              publicKey = "1e0mjluqXdLbzv681HlC9B8BfGN8sIXIw3huLyQqwXI=";
+              allowedIPs = [ "10.0.0.4/32" ];
+            }
+          ];
+        };
+      };
+    };
+  });
 };
 }
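Review bot: The `FORWARD -i wg0 -j ACCEPT` rules in postUp accept anything a peer sends towards any interface, not only `venet0`, so a VPN peer can reach whatever else this host can route to; for an egress-only tunnel scope them with `-o venet0` (`${iptables} -A FORWARD -i wg0 -o venet0 -j ACCEPT`, plus the matching `-D` line in preDown and the same for `ip6tables`). The MASQUERADE source `10.0.0.1/24` carries host bits and is silently normalised to `10.0.0.0/24` by iptables — write the network address so the rule reads as intended — and since `networking.nat` with `internalInterfaces = [ "wg0" ]` and `externalInterface = "venet0"` already appears to masquerade this interface, the hand-written POSTROUTING rules likely duplicate it; keep one mechanism. The ip6tables rules reference `fdc9:281f:04d7:9ee9::1/64`, but `address` holds only `10.0.0.1/32` and every peer has only an IPv4 `allowedIPs`, so no IPv6 traffic can enter wg0 and those rules are dead configuration — either add the ULA to `address` and the peers or drop them. `listenPort = 51820` is not opened by any firewall option visible in this hunk; confirm 51820/udp is allowed if the NixOS firewall is enabled on this host.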