Compare commits
6 Commits
Author | SHA1 | Date | |
---|---|---|---|
bc18255229 | |||
91a32bfdeb | |||
d2bd664f4e | |||
73b02b4589 | |||
075237ed6f | |||
c213f82d04 |
36
flake.lock
36
flake.lock
@ -672,11 +672,11 @@
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1723986931,
|
||||
"narHash": "sha256-Fy+KEvDQ+Hc8lJAV3t6leXhZJ2ncU5/esxkgt3b8DEY=",
|
||||
"lastModified": 1725863684,
|
||||
"narHash": "sha256-HmdTBpuCsw35Ii35JUKO6AE6nae+kJliQb0XGd4hoLE=",
|
||||
"owner": "nix-community",
|
||||
"repo": "home-manager",
|
||||
"rev": "2598861031b78aadb4da7269df7ca9ddfc3e1671",
|
||||
"rev": "be47a2bdf278c57c2d05e747a13ed31cef54a037",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@ -737,11 +737,11 @@
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1724196987,
|
||||
"narHash": "sha256-GhLSlmaEUMDImJCff+Zv9XUHFDRGa8uhdYsCmY0VKWw=",
|
||||
"lastModified": 1725674607,
|
||||
"narHash": "sha256-vTaoz2yRd9g3NZNKYufZeB8UJ381aBPmRV91lEmV37o=",
|
||||
"owner": "StevenBlack",
|
||||
"repo": "hosts",
|
||||
"rev": "797e73e01a43f2092cea7d54be5a160e8014f6ff",
|
||||
"rev": "10b187280ec15374e4d2b28e7705046e7d535d91",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@ -806,11 +806,11 @@
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1724050807,
|
||||
"narHash": "sha256-Mdmsb/zw3JjVxQKSdiN3wVFnrqT6gunbs2T4EkQxfAI=",
|
||||
"lastModified": 1725237485,
|
||||
"narHash": "sha256-POpzmA7+ecCUEZsu2a5fgwYhJ60POzve+lMhxebmTz4=",
|
||||
"owner": "musnix",
|
||||
"repo": "musnix",
|
||||
"rev": "b40964921d0f804f80480d050115bc089fe51128",
|
||||
"rev": "b5f3a47fd74193cb98c85cfeb6a25358150bdd90",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@ -951,11 +951,11 @@
|
||||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1723991338,
|
||||
"narHash": "sha256-Grh5PF0+gootJfOJFenTTxDTYPidA3V28dqJ/WV7iis=",
|
||||
"lastModified": 1725634671,
|
||||
"narHash": "sha256-v3rIhsJBOMLR8e/RNWxr828tB+WywYIoajrZKFM+0Gg=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "8a3354191c0d7144db9756a74755672387b702ba",
|
||||
"rev": "574d1eac1c200690e27b8eb4e24887f8df7ac27c",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@ -1068,11 +1068,11 @@
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1722555600,
|
||||
"narHash": "sha256-XOQkdLafnb/p9ij77byFQjDf5m5QYl9b2REiVClC+x4=",
|
||||
"lastModified": 1725234343,
|
||||
"narHash": "sha256-+ebgonl3NbiKD2UD0x4BszCZQ6sTfL4xioaM49o5B3Y=",
|
||||
"owner": "hercules-ci",
|
||||
"repo": "flake-parts",
|
||||
"rev": "8471fe90ad337a8074e957b69ca4d0089218391d",
|
||||
"rev": "567b938d64d4b4112ee253b9274472dc3a346eb6",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@ -1248,11 +1248,11 @@
|
||||
},
|
||||
"vpsadminos": {
|
||||
"locked": {
|
||||
"lastModified": 1723930354,
|
||||
"narHash": "sha256-CRrZECaoPudSPNGeaJB9AZEnXp0b43WIUGk1orKL2H4=",
|
||||
"lastModified": 1725810385,
|
||||
"narHash": "sha256-+6UULi05KMHmLfhlrNGhMdLZUoQeC5Dc1nLFdINyeyI=",
|
||||
"owner": "vpsfreecz",
|
||||
"repo": "vpsadminos",
|
||||
"rev": "4f31628e96762790f6aca71231d48d007cee7086",
|
||||
"rev": "37c5eb47ca3f11deac83e4ada20a6c21d5487f29",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -42,11 +42,11 @@ toplevel @ { moduleWithSystem, ... }: {
|
||||
ssh = {
|
||||
matchBlocks = {
|
||||
vpsfree-ivand = {
|
||||
hostname = "10.69.69.1";
|
||||
hostname = "10.0.0.1";
|
||||
user = "ivand";
|
||||
};
|
||||
vpsfree-root = {
|
||||
hostname = "10.69.69.1";
|
||||
hostname = "10.0.0.1";
|
||||
user = "root";
|
||||
};
|
||||
};
|
||||
|
@ -33,6 +33,7 @@ in
|
||||
nova-crypto = novaConfig (with mods; [ ivand cryptocurrency ]);
|
||||
nova-nonya = novaConfig (with mods; [ ivand anon cryptocurrency ]);
|
||||
nova-ai = novaConfig (with mods; [ ivand ai ]);
|
||||
nova-containers = novaConfig (with mods; [ ivand containers ]);
|
||||
install-iso = configWithModules { modules = with mods; [ grub base shell wireless ]; };
|
||||
vps = configWithModules { modules = with mods; [ base shell security vps mailserver nginx wireguard-output anonymous-dns firewall rest ]; };
|
||||
stara-miner = configWithModules { modules = essential ++ [ mods.monero-miner ]; };
|
||||
|
@ -151,7 +151,7 @@ top @ { inputs, moduleWithSystem, ... }: {
|
||||
intranet = {
|
||||
networking.wg-quick.interfaces = {
|
||||
wg0 = {
|
||||
address = [ "10.69.69.2/24" ];
|
||||
address = [ "10.0.0.2/32" ];
|
||||
privateKeyFile = "/etc/wireguard/privatekey";
|
||||
peers = [
|
||||
{
|
||||
@ -214,6 +214,13 @@ top @ { inputs, moduleWithSystem, ... }: {
|
||||
"Post120" = {
|
||||
psk = "9996663333";
|
||||
};
|
||||
"MOONLIGHT2019" = {
|
||||
psk = "seacrets";
|
||||
};
|
||||
"Kaiser Terrasse" = {
|
||||
psk = "Internet12";
|
||||
};
|
||||
"ATHENS-HAWKS" = { };
|
||||
"3G" = {
|
||||
hidden = true;
|
||||
};
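Review bot: The PSKs this hunk adds (apparently `psk = "seacrets";` for MOONLIGHT2019 and `psk = "Internet12";` for Kaiser Terrasse, next to the existing Post120 value) are committed in clear text, and `networking.wireless.networks.<name>.psk` is also rendered into the wpa_supplicant config in the world-readable Nix store. Move them out of the repository: point `networking.wireless.environmentFile` at a root-only file and reference the values as `psk = "@MOONLIGHT_PSK@";` (or, on nixpkgs that has it, `secretsFile` with `pskRaw = "ext:moonlight";`), and rotate the exposed passphrases since they are already in history. This rendering does not mark which 7 of the 13 lines are additions, and the enclosing `networks` attribute set starts and ends outside the hunk.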
|
||||
@ -284,6 +291,13 @@ top @ { inputs, moduleWithSystem, ... }: {
|
||||
ai = moduleWithSystem (_: _: {
|
||||
services = { ollama.enable = true; };
|
||||
});
|
||||
containers = moduleWithSystem (_: _: {
|
||||
virtualisation.docker = {
|
||||
enable = true;
|
||||
storageDriver = "btrfs";
|
||||
};
|
||||
users.users.ivand.extraGroups = [ "docker" ];
|
||||
});
|
||||
anon = moduleWithSystem (_: { pkgs, ... }: {
|
||||
environment.systemPackages = with pkgs; [ tor-browser ];
|
||||
});
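Review bot: `users.users.ivand.extraGroups = [ "docker" ];` in the new `containers` module makes ivand root-equivalent on the host, because anyone with access to the Docker socket can start a privileged container with the host filesystem mounted; at minimum that deserves a comment saying it is intended. If the goal is just to run containers as that user, rootless Docker avoids the group entirely: `virtualisation.docker.rootless = { enable = true; setSocketVariable = true; };` and drop the `extraGroups` line (podman is the other option). The `ai` module's `ollama.enable = true;` is fine as long as the service keeps its loopback-only default bind; worth a comment if it is exposed elsewhere. The module set containing these entries continues outside the hunk.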
|
||||
@ -359,9 +373,9 @@ top @ { inputs, moduleWithSystem, ... }: {
|
||||
nginx.virtualHosts =
|
||||
let
|
||||
restrictToVpn = ''
|
||||
allow 10.69.69.2/24;
|
||||
allow 10.69.69.3/24;
|
||||
allow 10.69.69.4/24;
|
||||
allow 10.0.0.2/32;
|
||||
allow 10.0.0.3/32;
|
||||
allow 10.0.0.4/32;
|
||||
deny all;
|
||||
'';
|
||||
in
|
||||
@ -475,71 +489,49 @@ top @ { inputs, moduleWithSystem, ... }: {
|
||||
});
|
||||
wireguard-output = moduleWithSystem (_: { pkgs, ... }: {
|
||||
networking = {
|
||||
useNetworkd = true;
|
||||
nat = {
|
||||
enable = true;
|
||||
enableIPv6 = true;
|
||||
externalInterface = "venet0";
|
||||
internalInterfaces = [ "wg0" ];
|
||||
};
|
||||
# wg-quick.interfaces = {
|
||||
# wg0 =
|
||||
# let
|
||||
# iptables = "${pkgs.iptables}/bin/iptables";
|
||||
# ip6tables = "${pkgs.iptables}/bin/ip6tables";
|
||||
# in
|
||||
# {
|
||||
# privateKeyFile = "";
|
||||
# postUp = ''
|
||||
# ${iptables} -A FORWARD -i wg0 -j ACCEPT
|
||||
# ${iptables} -t nat -A POSTROUTING -s 10.69.69.1/24 -o venet0 -j MASQUERADE
|
||||
# ${ip6tables} -A FORWARD -i wg0 -j ACCEPT
|
||||
# ${ip6tables} -t nat -A POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o venet0 -j MASQUERADE
|
||||
# '';
|
||||
# preDown = ''
|
||||
# ${iptables} -D FORWARD -i wg0 -j ACCEPT
|
||||
# ${iptables} -t nat -D POSTROUTING -s 10.69.69.1/24 -o venet0 -j MASQUERADE
|
||||
# ${ip6tables} -D FORWARD -i wg0 -j ACCEPT
|
||||
# ${ip6tables} -t nat -D POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o venet0 -j MASQUERADE
|
||||
# '';
|
||||
# };
|
||||
# };
|
||||
};
|
||||
systemd.network = {
|
||||
enable = true;
|
||||
netdevs = {
|
||||
"50-wg0" = {
|
||||
netdevConfig = {
|
||||
Kind = "wireguard";
|
||||
Name = "wg0";
|
||||
MTUBytes = "1300";
|
||||
wg-quick.interfaces = {
|
||||
wg0 =
|
||||
let
|
||||
iptables = "${pkgs.iptables}/bin/iptables";
|
||||
ip6tables = "${pkgs.iptables}/bin/ip6tables";
|
||||
in
|
||||
{
|
||||
address = [ "10.0.0.1/32" ];
|
||||
listenPort = 51820;
|
||||
privateKeyFile = "/etc/wireguard/privatekey";
|
||||
postUp = ''
|
||||
${iptables} -A FORWARD -i wg0 -j ACCEPT
|
||||
${iptables} -t nat -A POSTROUTING -s 10.0.0.1/24 -o venet0 -j MASQUERADE
|
||||
${ip6tables} -A FORWARD -i wg0 -j ACCEPT
|
||||
${ip6tables} -t nat -A POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o venet0 -j MASQUERADE
|
||||
'';
|
||||
preDown = ''
|
||||
${iptables} -D FORWARD -i wg0 -j ACCEPT
|
||||
${iptables} -t nat -D POSTROUTING -s 10.0.0.1/24 -o venet0 -j MASQUERADE
|
||||
${ip6tables} -D FORWARD -i wg0 -j ACCEPT
|
||||
${ip6tables} -t nat -D POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o venet0 -j MASQUERADE
|
||||
'';
|
||||
peers = [
|
||||
{
|
||||
publicKey = "kI93V0dVKSqX8hxMJHK5C0c1hEDPQTgPQDU8TKocVgo=";
|
||||
allowedIPs = [ "10.0.0.2/32" ];
|
||||
}
|
||||
{
|
||||
publicKey = "RqTsFxFCcgYsytcDr+jfEoOA5UNxa1ZzGlpx6iuTpXY=";
|
||||
allowedIPs = [ "10.0.0.3/32" ];
|
||||
}
|
||||
{
|
||||
publicKey = "1e0mjluqXdLbzv681HlC9B8BfGN8sIXIw3huLyQqwXI=";
|
||||
allowedIPs = [ "10.0.0.4/32" ];
|
||||
}
|
||||
];
|
||||
};
|
||||
wireguardConfig = {
|
||||
PrivateKeyFile = "/etc/wireguard/privatekey";
|
||||
ListenPort = 51820;
|
||||
};
|
||||
wireguardPeers = [
|
||||
{
|
||||
PublicKey = "kI93V0dVKSqX8hxMJHK5C0c1hEDPQTgPQDU8TKocVgo=";
|
||||
AllowedIPs = [ "10.69.69.2/24" ];
|
||||
}
|
||||
{
|
||||
PublicKey = "RqTsFxFCcgYsytcDr+jfEoOA5UNxa1ZzGlpx6iuTpXY=";
|
||||
AllowedIPs = [ "10.69.69.3/24" ];
|
||||
}
|
||||
{
|
||||
PublicKey = "1e0mjluqXdLbzv681HlC9B8BfGN8sIXIw3huLyQqwXI=";
|
||||
AllowedIPs = [ "10.69.69.4/24" ];
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
networks.wg0 = {
|
||||
matchConfig.Name = "wg0";
|
||||
address = [ "10.69.69.1/24" ];
|
||||
networkConfig = {
|
||||
IPMasquerade = "ipv4";
|
||||
};
|
||||
};
|
||||
};
|
||||
});
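Review bot: The postUp/preDown rules still masquerade `fdc9:281f:04d7:9ee9::1/64`, but the new wg0 assigns only `address = [ "10.0.0.1/32" ];` and every peer's `allowedIPs` is a single IPv4 /32, so no IPv6 traffic can enter wg0 and the two ip6tables lines are dead — either drop them or add the ULA to `address` and to each peer's `allowedIPs` if IPv6 for peers is intended. `-A FORWARD -i wg0 -j ACCEPT` also lets a peer forward to any interface, including other peers and whatever else the VPS reaches; if peers only need internet egress, tighten it to `${iptables} -A FORWARD -i wg0 -o venet0 -j ACCEPT` (and the matching `-D`), which assumes the return path is already handled as it must be today. The old netdev carried `MTUBytes = "1300"` with no counterpart on the wg-quick side; add `mtu = 1300;` beside `listenPort` if that was deliberate. Whether the `networking.nat` block earlier in the hunk survives on the new side is not marked in this rendering; if it does, its masquerade duplicates the postUp rule.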
|
||||
@ -600,9 +592,9 @@ top @ { inputs, moduleWithSystem, ... }: {
|
||||
];
|
||||
extraCommands = ''
|
||||
iptables -N vpn # create a new chain named vpn
|
||||
iptables -A vpn --src 10.69.69.2 -j ACCEPT # allow
|
||||
iptables -A vpn --src 10.69.69.3 -j ACCEPT # allow
|
||||
iptables -A vpn --src 10.69.69.4 -j ACCEPT # allow
|
||||
iptables -A vpn --src 10.0.0.2 -j ACCEPT # allow
|
||||
iptables -A vpn --src 10.0.0.3 -j ACCEPT # allow
|
||||
iptables -A vpn --src 10.0.0.4 -j ACCEPT # allow
|
||||
iptables -A vpn -j DROP # drop everyone else
|
||||
iptables -I INPUT -m tcp -p tcp --dport 22 -j vpn
|
||||
'';
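Review bot: The `vpn` chain accepts on source address alone, so a packet arriving on `venet0` with a forged source of 10.0.0.2–4 is handed to sshd by the first three rules; bind each allow to the tunnel, e.g. `iptables -A vpn -i wg0 --src 10.0.0.2 -j ACCEPT`, so only traffic that actually came through WireGuard qualifies. `iptables -N vpn` and `iptables -I INPUT ... -j vpn` are not idempotent either: on a firewall restart the chain may already exist and a second jump gets inserted, so guard with `iptables -N vpn 2>/dev/null || iptables -F vpn` and remove the jump in `extraStopCommands`. There is no `ip6tables` counterpart, so if sshd is reachable over IPv6 this restriction does not apply there. The `extraCommands` string and the firewall module around it continue outside the hunk.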
|
||||
|