Compare commits
1 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 00d8632870 |
36
flake.lock
36
flake.lock
@ -672,11 +672,11 @@
|
|||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1725863684,
|
"lastModified": 1723986931,
|
||||||
"narHash": "sha256-HmdTBpuCsw35Ii35JUKO6AE6nae+kJliQb0XGd4hoLE=",
|
"narHash": "sha256-Fy+KEvDQ+Hc8lJAV3t6leXhZJ2ncU5/esxkgt3b8DEY=",
|
||||||
"owner": "nix-community",
|
"owner": "nix-community",
|
||||||
"repo": "home-manager",
|
"repo": "home-manager",
|
||||||
"rev": "be47a2bdf278c57c2d05e747a13ed31cef54a037",
|
"rev": "2598861031b78aadb4da7269df7ca9ddfc3e1671",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
@ -737,11 +737,11 @@
|
|||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1725674607,
|
"lastModified": 1724196987,
|
||||||
"narHash": "sha256-vTaoz2yRd9g3NZNKYufZeB8UJ381aBPmRV91lEmV37o=",
|
"narHash": "sha256-GhLSlmaEUMDImJCff+Zv9XUHFDRGa8uhdYsCmY0VKWw=",
|
||||||
"owner": "StevenBlack",
|
"owner": "StevenBlack",
|
||||||
"repo": "hosts",
|
"repo": "hosts",
|
||||||
"rev": "10b187280ec15374e4d2b28e7705046e7d535d91",
|
"rev": "797e73e01a43f2092cea7d54be5a160e8014f6ff",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
@ -806,11 +806,11 @@
|
|||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1725237485,
|
"lastModified": 1724050807,
|
||||||
"narHash": "sha256-POpzmA7+ecCUEZsu2a5fgwYhJ60POzve+lMhxebmTz4=",
|
"narHash": "sha256-Mdmsb/zw3JjVxQKSdiN3wVFnrqT6gunbs2T4EkQxfAI=",
|
||||||
"owner": "musnix",
|
"owner": "musnix",
|
||||||
"repo": "musnix",
|
"repo": "musnix",
|
||||||
"rev": "b5f3a47fd74193cb98c85cfeb6a25358150bdd90",
|
"rev": "b40964921d0f804f80480d050115bc089fe51128",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
@ -951,11 +951,11 @@
|
|||||||
},
|
},
|
||||||
"nixpkgs": {
|
"nixpkgs": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1725634671,
|
"lastModified": 1723991338,
|
||||||
"narHash": "sha256-v3rIhsJBOMLR8e/RNWxr828tB+WywYIoajrZKFM+0Gg=",
|
"narHash": "sha256-Grh5PF0+gootJfOJFenTTxDTYPidA3V28dqJ/WV7iis=",
|
||||||
"owner": "NixOS",
|
"owner": "NixOS",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "574d1eac1c200690e27b8eb4e24887f8df7ac27c",
|
"rev": "8a3354191c0d7144db9756a74755672387b702ba",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
@ -1068,11 +1068,11 @@
|
|||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1725234343,
|
"lastModified": 1722555600,
|
||||||
"narHash": "sha256-+ebgonl3NbiKD2UD0x4BszCZQ6sTfL4xioaM49o5B3Y=",
|
"narHash": "sha256-XOQkdLafnb/p9ij77byFQjDf5m5QYl9b2REiVClC+x4=",
|
||||||
"owner": "hercules-ci",
|
"owner": "hercules-ci",
|
||||||
"repo": "flake-parts",
|
"repo": "flake-parts",
|
||||||
"rev": "567b938d64d4b4112ee253b9274472dc3a346eb6",
|
"rev": "8471fe90ad337a8074e957b69ca4d0089218391d",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
@ -1248,11 +1248,11 @@
|
|||||||
},
|
},
|
||||||
"vpsadminos": {
|
"vpsadminos": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1725810385,
|
"lastModified": 1723930354,
|
||||||
"narHash": "sha256-+6UULi05KMHmLfhlrNGhMdLZUoQeC5Dc1nLFdINyeyI=",
|
"narHash": "sha256-CRrZECaoPudSPNGeaJB9AZEnXp0b43WIUGk1orKL2H4=",
|
||||||
"owner": "vpsfreecz",
|
"owner": "vpsfreecz",
|
||||||
"repo": "vpsadminos",
|
"repo": "vpsadminos",
|
||||||
"rev": "37c5eb47ca3f11deac83e4ada20a6c21d5487f29",
|
"rev": "4f31628e96762790f6aca71231d48d007cee7086",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
|||||||
@ -42,11 +42,11 @@ toplevel @ { moduleWithSystem, ... }: {
|
|||||||
ssh = {
|
ssh = {
|
||||||
matchBlocks = {
|
matchBlocks = {
|
||||||
vpsfree-ivand = {
|
vpsfree-ivand = {
|
||||||
hostname = "10.0.0.1";
|
hostname = "10.69.69.1";
|
||||||
user = "ivand";
|
user = "ivand";
|
||||||
};
|
};
|
||||||
vpsfree-root = {
|
vpsfree-root = {
|
||||||
hostname = "10.0.0.1";
|
hostname = "10.69.69.1";
|
||||||
user = "root";
|
user = "root";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|||||||
@ -33,7 +33,6 @@ in
|
|||||||
nova-crypto = novaConfig (with mods; [ ivand cryptocurrency ]);
|
nova-crypto = novaConfig (with mods; [ ivand cryptocurrency ]);
|
||||||
nova-nonya = novaConfig (with mods; [ ivand anon cryptocurrency ]);
|
nova-nonya = novaConfig (with mods; [ ivand anon cryptocurrency ]);
|
||||||
nova-ai = novaConfig (with mods; [ ivand ai ]);
|
nova-ai = novaConfig (with mods; [ ivand ai ]);
|
||||||
nova-containers = novaConfig (with mods; [ ivand containers ]);
|
|
||||||
install-iso = configWithModules { modules = with mods; [ grub base shell wireless ]; };
|
install-iso = configWithModules { modules = with mods; [ grub base shell wireless ]; };
|
||||||
vps = configWithModules { modules = with mods; [ base shell security vps mailserver nginx wireguard-output anonymous-dns firewall rest ]; };
|
vps = configWithModules { modules = with mods; [ base shell security vps mailserver nginx wireguard-output anonymous-dns firewall rest ]; };
|
||||||
stara-miner = configWithModules { modules = essential ++ [ mods.monero-miner ]; };
|
stara-miner = configWithModules { modules = essential ++ [ mods.monero-miner ]; };
|
||||||
|
|||||||
@ -151,7 +151,7 @@ top @ { inputs, moduleWithSystem, ... }: {
|
|||||||
intranet = {
|
intranet = {
|
||||||
networking.wg-quick.interfaces = {
|
networking.wg-quick.interfaces = {
|
||||||
wg0 = {
|
wg0 = {
|
||||||
address = [ "10.0.0.2/32" ];
|
address = [ "10.69.69.2/24" ];
|
||||||
privateKeyFile = "/etc/wireguard/privatekey";
|
privateKeyFile = "/etc/wireguard/privatekey";
|
||||||
peers = [
|
peers = [
|
||||||
{
|
{
|
||||||
@ -214,13 +214,6 @@ top @ { inputs, moduleWithSystem, ... }: {
|
|||||||
"Post120" = {
|
"Post120" = {
|
||||||
psk = "9996663333";
|
psk = "9996663333";
|
||||||
};
|
};
|
||||||
"MOONLIGHT2019" = {
|
|
||||||
psk = "seacrets";
|
|
||||||
};
|
|
||||||
"Kaiser Terrasse" = {
|
|
||||||
psk = "Internet12";
|
|
||||||
};
|
|
||||||
"ATHENS-HAWKS" = { };
|
|
||||||
"3G" = {
|
"3G" = {
|
||||||
hidden = true;
|
hidden = true;
|
||||||
};
|
};
|
||||||
@ -291,13 +284,6 @@ top @ { inputs, moduleWithSystem, ... }: {
|
|||||||
ai = moduleWithSystem (_: _: {
|
ai = moduleWithSystem (_: _: {
|
||||||
services = { ollama.enable = true; };
|
services = { ollama.enable = true; };
|
||||||
});
|
});
|
||||||
containers = moduleWithSystem (_: _: {
|
|
||||||
virtualisation.docker = {
|
|
||||||
enable = true;
|
|
||||||
storageDriver = "btrfs";
|
|
||||||
};
|
|
||||||
users.users.ivand.extraGroups = [ "docker" ];
|
|
||||||
});
|
|
||||||
anon = moduleWithSystem (_: { pkgs, ... }: {
|
anon = moduleWithSystem (_: { pkgs, ... }: {
|
||||||
environment.systemPackages = with pkgs; [ tor-browser ];
|
environment.systemPackages = with pkgs; [ tor-browser ];
|
||||||
});
|
});
|
||||||
@ -373,9 +359,9 @@ top @ { inputs, moduleWithSystem, ... }: {
|
|||||||
nginx.virtualHosts =
|
nginx.virtualHosts =
|
||||||
let
|
let
|
||||||
restrictToVpn = ''
|
restrictToVpn = ''
|
||||||
allow 10.0.0.2/32;
|
allow 10.69.69.2/24;
|
||||||
allow 10.0.0.3/32;
|
allow 10.69.69.3/24;
|
||||||
allow 10.0.0.4/32;
|
allow 10.69.69.4/24;
|
||||||
deny all;
|
deny all;
|
||||||
'';
|
'';
|
||||||
in
|
in
|
||||||
@ -489,49 +475,71 @@ top @ { inputs, moduleWithSystem, ... }: {
|
|||||||
});
|
});
|
||||||
wireguard-output = moduleWithSystem (_: { pkgs, ... }: {
|
wireguard-output = moduleWithSystem (_: { pkgs, ... }: {
|
||||||
networking = {
|
networking = {
|
||||||
|
useNetworkd = true;
|
||||||
nat = {
|
nat = {
|
||||||
enable = true;
|
enable = true;
|
||||||
enableIPv6 = true;
|
enableIPv6 = true;
|
||||||
externalInterface = "venet0";
|
externalInterface = "venet0";
|
||||||
internalInterfaces = [ "wg0" ];
|
internalInterfaces = [ "wg0" ];
|
||||||
};
|
};
|
||||||
wg-quick.interfaces = {
|
# wg-quick.interfaces = {
|
||||||
wg0 =
|
# wg0 =
|
||||||
let
|
# let
|
||||||
iptables = "${pkgs.iptables}/bin/iptables";
|
# iptables = "${pkgs.iptables}/bin/iptables";
|
||||||
ip6tables = "${pkgs.iptables}/bin/ip6tables";
|
# ip6tables = "${pkgs.iptables}/bin/ip6tables";
|
||||||
in
|
# in
|
||||||
{
|
# {
|
||||||
address = [ "10.0.0.1/32" ];
|
# privateKeyFile = "";
|
||||||
listenPort = 51820;
|
# postUp = ''
|
||||||
privateKeyFile = "/etc/wireguard/privatekey";
|
# ${iptables} -A FORWARD -i wg0 -j ACCEPT
|
||||||
postUp = ''
|
# ${iptables} -t nat -A POSTROUTING -s 10.69.69.1/24 -o venet0 -j MASQUERADE
|
||||||
${iptables} -A FORWARD -i wg0 -j ACCEPT
|
# ${ip6tables} -A FORWARD -i wg0 -j ACCEPT
|
||||||
${iptables} -t nat -A POSTROUTING -s 10.0.0.1/24 -o venet0 -j MASQUERADE
|
# ${ip6tables} -t nat -A POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o venet0 -j MASQUERADE
|
||||||
${ip6tables} -A FORWARD -i wg0 -j ACCEPT
|
# '';
|
||||||
${ip6tables} -t nat -A POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o venet0 -j MASQUERADE
|
# preDown = ''
|
||||||
'';
|
# ${iptables} -D FORWARD -i wg0 -j ACCEPT
|
||||||
preDown = ''
|
# ${iptables} -t nat -D POSTROUTING -s 10.69.69.1/24 -o venet0 -j MASQUERADE
|
||||||
${iptables} -D FORWARD -i wg0 -j ACCEPT
|
# ${ip6tables} -D FORWARD -i wg0 -j ACCEPT
|
||||||
${iptables} -t nat -D POSTROUTING -s 10.0.0.1/24 -o venet0 -j MASQUERADE
|
# ${ip6tables} -t nat -D POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o venet0 -j MASQUERADE
|
||||||
${ip6tables} -D FORWARD -i wg0 -j ACCEPT
|
# '';
|
||||||
${ip6tables} -t nat -D POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o venet0 -j MASQUERADE
|
# };
|
||||||
'';
|
# };
|
||||||
peers = [
|
};
|
||||||
{
|
systemd.network = {
|
||||||
publicKey = "kI93V0dVKSqX8hxMJHK5C0c1hEDPQTgPQDU8TKocVgo=";
|
enable = true;
|
||||||
allowedIPs = [ "10.0.0.2/32" ];
|
netdevs = {
|
||||||
}
|
"50-wg0" = {
|
||||||
{
|
netdevConfig = {
|
||||||
publicKey = "RqTsFxFCcgYsytcDr+jfEoOA5UNxa1ZzGlpx6iuTpXY=";
|
Kind = "wireguard";
|
||||||
allowedIPs = [ "10.0.0.3/32" ];
|
Name = "wg0";
|
||||||
}
|
MTUBytes = "1300";
|
||||||
{
|
|
||||||
publicKey = "1e0mjluqXdLbzv681HlC9B8BfGN8sIXIw3huLyQqwXI=";
|
|
||||||
allowedIPs = [ "10.0.0.4/32" ];
|
|
||||||
}
|
|
||||||
];
|
|
||||||
};
|
};
|
||||||
|
wireguardConfig = {
|
||||||
|
PrivateKeyFile = "/etc/wireguard/privatekey";
|
||||||
|
ListenPort = 51820;
|
||||||
|
};
|
||||||
|
wireguardPeers = [
|
||||||
|
{
|
||||||
|
PublicKey = "kI93V0dVKSqX8hxMJHK5C0c1hEDPQTgPQDU8TKocVgo=";
|
||||||
|
AllowedIPs = [ "10.69.69.2/24" ];
|
||||||
|
}
|
||||||
|
{
|
||||||
|
PublicKey = "RqTsFxFCcgYsytcDr+jfEoOA5UNxa1ZzGlpx6iuTpXY=";
|
||||||
|
AllowedIPs = [ "10.69.69.3/24" ];
|
||||||
|
}
|
||||||
|
{
|
||||||
|
PublicKey = "1e0mjluqXdLbzv681HlC9B8BfGN8sIXIw3huLyQqwXI=";
|
||||||
|
AllowedIPs = [ "10.69.69.4/24" ];
|
||||||
|
}
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
networks.wg0 = {
|
||||||
|
matchConfig.Name = "wg0";
|
||||||
|
address = [ "10.69.69.1/24" ];
|
||||||
|
networkConfig = {
|
||||||
|
IPMasquerade = "ipv4";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
});
|
});
|
||||||
@ -592,9 +600,9 @@ top @ { inputs, moduleWithSystem, ... }: {
|
|||||||
];
|
];
|
||||||
extraCommands = ''
|
extraCommands = ''
|
||||||
iptables -N vpn # create a new chain named vpn
|
iptables -N vpn # create a new chain named vpn
|
||||||
iptables -A vpn --src 10.0.0.2 -j ACCEPT # allow
|
iptables -A vpn --src 10.69.69.2 -j ACCEPT # allow
|
||||||
iptables -A vpn --src 10.0.0.3 -j ACCEPT # allow
|
iptables -A vpn --src 10.69.69.3 -j ACCEPT # allow
|
||||||
iptables -A vpn --src 10.0.0.4 -j ACCEPT # allow
|
iptables -A vpn --src 10.69.69.4 -j ACCEPT # allow
|
||||||
iptables -A vpn -j DROP # drop everyone else
|
iptables -A vpn -j DROP # drop everyone else
|
||||||
iptables -I INPUT -m tcp -p tcp --dport 22 -j vpn
|
iptables -I INPUT -m tcp -p tcp --dport 22 -j vpn
|
||||||
'';
|
'';
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user