bc18255229
Update 2024-09-09 15:53:28 +02:00
91a32bfdeb
docker root mode 2024-09-05 11:56:46 +02:00
d2bd664f4e
docker 2024-09-05 10:43:53 +02:00
73b02b4589
network 2024-08-31 12:52:53 +02:00
075237ed6f
kaiser 2024-08-28 17:00:07 +02:00
c213f82d04
network 2024-08-28 12:53:47 +02:00
4 changed files with 78 additions and 85 deletions


@ -672,11 +672,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1723986931, "lastModified": 1725863684,
"narHash": "sha256-Fy+KEvDQ+Hc8lJAV3t6leXhZJ2ncU5/esxkgt3b8DEY=", "narHash": "sha256-HmdTBpuCsw35Ii35JUKO6AE6nae+kJliQb0XGd4hoLE=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "2598861031b78aadb4da7269df7ca9ddfc3e1671", "rev": "be47a2bdf278c57c2d05e747a13ed31cef54a037",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -737,11 +737,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1724196987, "lastModified": 1725674607,
"narHash": "sha256-GhLSlmaEUMDImJCff+Zv9XUHFDRGa8uhdYsCmY0VKWw=", "narHash": "sha256-vTaoz2yRd9g3NZNKYufZeB8UJ381aBPmRV91lEmV37o=",
"owner": "StevenBlack", "owner": "StevenBlack",
"repo": "hosts", "repo": "hosts",
"rev": "797e73e01a43f2092cea7d54be5a160e8014f6ff", "rev": "10b187280ec15374e4d2b28e7705046e7d535d91",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -806,11 +806,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1724050807, "lastModified": 1725237485,
"narHash": "sha256-Mdmsb/zw3JjVxQKSdiN3wVFnrqT6gunbs2T4EkQxfAI=", "narHash": "sha256-POpzmA7+ecCUEZsu2a5fgwYhJ60POzve+lMhxebmTz4=",
"owner": "musnix", "owner": "musnix",
"repo": "musnix", "repo": "musnix",
"rev": "b40964921d0f804f80480d050115bc089fe51128", "rev": "b5f3a47fd74193cb98c85cfeb6a25358150bdd90",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -951,11 +951,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1723991338, "lastModified": 1725634671,
"narHash": "sha256-Grh5PF0+gootJfOJFenTTxDTYPidA3V28dqJ/WV7iis=", "narHash": "sha256-v3rIhsJBOMLR8e/RNWxr828tB+WywYIoajrZKFM+0Gg=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "8a3354191c0d7144db9756a74755672387b702ba", "rev": "574d1eac1c200690e27b8eb4e24887f8df7ac27c",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -1068,11 +1068,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1722555600, "lastModified": 1725234343,
"narHash": "sha256-XOQkdLafnb/p9ij77byFQjDf5m5QYl9b2REiVClC+x4=", "narHash": "sha256-+ebgonl3NbiKD2UD0x4BszCZQ6sTfL4xioaM49o5B3Y=",
"owner": "hercules-ci", "owner": "hercules-ci",
"repo": "flake-parts", "repo": "flake-parts",
"rev": "8471fe90ad337a8074e957b69ca4d0089218391d", "rev": "567b938d64d4b4112ee253b9274472dc3a346eb6",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -1248,11 +1248,11 @@
}, },
"vpsadminos": { "vpsadminos": {
"locked": { "locked": {
"lastModified": 1723930354, "lastModified": 1725810385,
"narHash": "sha256-CRrZECaoPudSPNGeaJB9AZEnXp0b43WIUGk1orKL2H4=", "narHash": "sha256-+6UULi05KMHmLfhlrNGhMdLZUoQeC5Dc1nLFdINyeyI=",
"owner": "vpsfreecz", "owner": "vpsfreecz",
"repo": "vpsadminos", "repo": "vpsadminos",
"rev": "4f31628e96762790f6aca71231d48d007cee7086", "rev": "37c5eb47ca3f11deac83e4ada20a6c21d5487f29",
"type": "github" "type": "github"
}, },
"original": { "original": {


@ -42,11 +42,11 @@ toplevel @ { moduleWithSystem, ... }: {
ssh = { ssh = {
matchBlocks = { matchBlocks = {
vpsfree-ivand = { vpsfree-ivand = {
hostname = "10.69.69.1"; hostname = "10.0.0.1";
user = "ivand"; user = "ivand";
}; };
vpsfree-root = { vpsfree-root = {
hostname = "10.69.69.1"; hostname = "10.0.0.1";
user = "root"; user = "root";
}; };
}; };
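Review bot: The tunnel address `10.0.0.1` is repeated verbatim in both match blocks here and again in the nginx allow list, the SSH firewall chain and the wg-quick peer list elsewhere in this compare, so the next renumbering will need the same four-file sweep this commit did. Binding it once (e.g. `let vpsHost = "10.0.0.1"; in` at the top of this attrset, or a shared intranet attribute exported from the flake) and referencing it from each match block would make the addressing plan a single definition. The enclosing `ssh` block starts outside the hunk.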


@ -33,6 +33,7 @@ in
nova-crypto = novaConfig (with mods; [ ivand cryptocurrency ]); nova-crypto = novaConfig (with mods; [ ivand cryptocurrency ]);
nova-nonya = novaConfig (with mods; [ ivand anon cryptocurrency ]); nova-nonya = novaConfig (with mods; [ ivand anon cryptocurrency ]);
nova-ai = novaConfig (with mods; [ ivand ai ]); nova-ai = novaConfig (with mods; [ ivand ai ]);
nova-containers = novaConfig (with mods; [ ivand containers ]);
install-iso = configWithModules { modules = with mods; [ grub base shell wireless ]; }; install-iso = configWithModules { modules = with mods; [ grub base shell wireless ]; };
vps = configWithModules { modules = with mods; [ base shell security vps mailserver nginx wireguard-output anonymous-dns firewall rest ]; }; vps = configWithModules { modules = with mods; [ base shell security vps mailserver nginx wireguard-output anonymous-dns firewall rest ]; };
stara-miner = configWithModules { modules = essential ++ [ mods.monero-miner ]; }; stara-miner = configWithModules { modules = essential ++ [ mods.monero-miner ]; };


@ -151,7 +151,7 @@ top @ { inputs, moduleWithSystem, ... }: {
intranet = { intranet = {
networking.wg-quick.interfaces = { networking.wg-quick.interfaces = {
wg0 = { wg0 = {
address = [ "10.69.69.2/24" ]; address = [ "10.0.0.2/32" ];
privateKeyFile = "/etc/wireguard/privatekey"; privateKeyFile = "/etc/wireguard/privatekey";
peers = [ peers = [
{ {
@ -214,6 +214,13 @@ top @ { inputs, moduleWithSystem, ... }: {
"Post120" = { "Post120" = {
psk = "9996663333"; psk = "9996663333";
}; };
"MOONLIGHT2019" = {
psk = "seacrets";
};
"Kaiser Terrasse" = {
psk = "Internet12";
};
"ATHENS-HAWKS" = { };
"3G" = { "3G" = {
hidden = true; hidden = true;
}; };
@ -284,6 +291,13 @@ top @ { inputs, moduleWithSystem, ... }: {
ai = moduleWithSystem (_: _: { ai = moduleWithSystem (_: _: {
services = { ollama.enable = true; }; services = { ollama.enable = true; };
}); });
containers = moduleWithSystem (_: _: {
virtualisation.docker = {
enable = true;
storageDriver = "btrfs";
};
users.users.ivand.extraGroups = [ "docker" ];
});
anon = moduleWithSystem (_: { pkgs, ... }: { anon = moduleWithSystem (_: { pkgs, ... }: {
environment.systemPackages = with pkgs; [ tor-browser ]; environment.systemPackages = with pkgs; [ tor-browser ];
}); });
@ -359,9 +373,9 @@ top @ { inputs, moduleWithSystem, ... }: {
nginx.virtualHosts = nginx.virtualHosts =
let let
restrictToVpn = '' restrictToVpn = ''
allow 10.69.69.2/24; allow 10.0.0.2/32;
allow 10.69.69.3/24; allow 10.0.0.3/32;
allow 10.69.69.4/24; allow 10.0.0.4/32;
deny all; deny all;
''; '';
in in
@ -475,72 +489,50 @@ top @ { inputs, moduleWithSystem, ... }: {
}); });
wireguard-output = moduleWithSystem (_: { pkgs, ... }: { wireguard-output = moduleWithSystem (_: { pkgs, ... }: {
networking = { networking = {
useNetworkd = true;
nat = { nat = {
enable = true; enable = true;
enableIPv6 = true; enableIPv6 = true;
externalInterface = "venet0"; externalInterface = "venet0";
internalInterfaces = [ "wg0" ]; internalInterfaces = [ "wg0" ];
}; };
# wg-quick.interfaces = { wg-quick.interfaces = {
# wg0 = wg0 =
# let let
# iptables = "${pkgs.iptables}/bin/iptables"; iptables = "${pkgs.iptables}/bin/iptables";
# ip6tables = "${pkgs.iptables}/bin/ip6tables"; ip6tables = "${pkgs.iptables}/bin/ip6tables";
# in in
# {
# privateKeyFile = "";
# postUp = ''
# ${iptables} -A FORWARD -i wg0 -j ACCEPT
# ${iptables} -t nat -A POSTROUTING -s 10.69.69.1/24 -o venet0 -j MASQUERADE
# ${ip6tables} -A FORWARD -i wg0 -j ACCEPT
# ${ip6tables} -t nat -A POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o venet0 -j MASQUERADE
# '';
# preDown = ''
# ${iptables} -D FORWARD -i wg0 -j ACCEPT
# ${iptables} -t nat -D POSTROUTING -s 10.69.69.1/24 -o venet0 -j MASQUERADE
# ${ip6tables} -D FORWARD -i wg0 -j ACCEPT
# ${ip6tables} -t nat -D POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o venet0 -j MASQUERADE
# '';
# };
# };
};
systemd.network = {
enable = true;
netdevs = {
"50-wg0" = {
netdevConfig = {
Kind = "wireguard";
Name = "wg0";
MTUBytes = "1300";
};
wireguardConfig = {
PrivateKeyFile = "/etc/wireguard/privatekey";
ListenPort = 51820;
};
wireguardPeers = [
{ {
PublicKey = "kI93V0dVKSqX8hxMJHK5C0c1hEDPQTgPQDU8TKocVgo="; address = [ "10.0.0.1/32" ];
AllowedIPs = [ "10.69.69.2/24" ]; listenPort = 51820;
privateKeyFile = "/etc/wireguard/privatekey";
postUp = ''
${iptables} -A FORWARD -i wg0 -j ACCEPT
${iptables} -t nat -A POSTROUTING -s 10.0.0.1/24 -o venet0 -j MASQUERADE
${ip6tables} -A FORWARD -i wg0 -j ACCEPT
${ip6tables} -t nat -A POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o venet0 -j MASQUERADE
'';
preDown = ''
${iptables} -D FORWARD -i wg0 -j ACCEPT
${iptables} -t nat -D POSTROUTING -s 10.0.0.1/24 -o venet0 -j MASQUERADE
${ip6tables} -D FORWARD -i wg0 -j ACCEPT
${ip6tables} -t nat -D POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o venet0 -j MASQUERADE
'';
peers = [
{
publicKey = "kI93V0dVKSqX8hxMJHK5C0c1hEDPQTgPQDU8TKocVgo=";
allowedIPs = [ "10.0.0.2/32" ];
} }
{ {
PublicKey = "RqTsFxFCcgYsytcDr+jfEoOA5UNxa1ZzGlpx6iuTpXY="; publicKey = "RqTsFxFCcgYsytcDr+jfEoOA5UNxa1ZzGlpx6iuTpXY=";
AllowedIPs = [ "10.69.69.3/24" ]; allowedIPs = [ "10.0.0.3/32" ];
} }
{ {
PublicKey = "1e0mjluqXdLbzv681HlC9B8BfGN8sIXIw3huLyQqwXI="; publicKey = "1e0mjluqXdLbzv681HlC9B8BfGN8sIXIw3huLyQqwXI=";
AllowedIPs = [ "10.69.69.4/24" ]; allowedIPs = [ "10.0.0.4/32" ];
} }
]; ];
}; };
}; };
networks.wg0 = {
matchConfig.Name = "wg0";
address = [ "10.69.69.1/24" ];
networkConfig = {
IPMasquerade = "ipv4";
};
};
}; };
}); });
anonymous-dns = moduleWithSystem (_: _: { anonymous-dns = moduleWithSystem (_: _: {
@ -600,9 +592,9 @@ top @ { inputs, moduleWithSystem, ... }: {
]; ];
extraCommands = '' extraCommands = ''
iptables -N vpn # create a new chain named vpn iptables -N vpn # create a new chain named vpn
iptables -A vpn --src 10.69.69.2 -j ACCEPT # allow iptables -A vpn --src 10.0.0.2 -j ACCEPT # allow
iptables -A vpn --src 10.69.69.3 -j ACCEPT # allow iptables -A vpn --src 10.0.0.3 -j ACCEPT # allow
iptables -A vpn --src 10.69.69.4 -j ACCEPT # allow iptables -A vpn --src 10.0.0.4 -j ACCEPT # allow
iptables -A vpn -j DROP # drop everyone else iptables -A vpn -j DROP # drop everyone else
iptables -I INPUT -m tcp -p tcp --dport 22 -j vpn iptables -I INPUT -m tcp -p tcp --dport 22 -j vpn
''; '';
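Review bot: The Wi-Fi passphrases added for "MOONLIGHT2019" and "Kaiser Terrasse" are plaintext `psk` values, which NixOS renders into the wpa_supplicant config in the world-readable /nix/store on every host that evaluates this module, on top of living in git history. The option description warns about this and points to an external reference instead: `"MOONLIGHT2019" = { pskRaw = "ext:psk_moonlight"; };` with the secret itself in `networking.wireless.secretsFile` (or the older `environmentFile`/`@VAR@` form, depending on which nixpkgs revision the lock pins). The pre-existing "Post120" entry has the same problem, so one sweep could move all of them. The enclosing `wireless` module starts and ends outside this hunk. Separately, the new `containers` module adds ivand to the `docker` group, which is root-equivalent via the daemon socket; if that is not intended, `virtualisation.docker.rootless = { enable = true; setSocketVariable = true; };` avoids it.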