

6 Commits

bc18255229
Update 2024-09-09 15:53:28 +02:00
91a32bfdeb
docker root mode 2024-09-05 11:56:46 +02:00
d2bd664f4e
docker 2024-09-05 10:43:53 +02:00
73b02b4589
network 2024-08-31 12:52:53 +02:00
075237ed6f
kaiser 2024-08-28 17:00:07 +02:00
c213f82d04
network 2024-08-28 12:53:47 +02:00
4 changed files with 78 additions and 85 deletions


@ -672,11 +672,11 @@
]
},
"locked": {
"lastModified": 1723986931,
"narHash": "sha256-Fy+KEvDQ+Hc8lJAV3t6leXhZJ2ncU5/esxkgt3b8DEY=",
"lastModified": 1725863684,
"narHash": "sha256-HmdTBpuCsw35Ii35JUKO6AE6nae+kJliQb0XGd4hoLE=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "2598861031b78aadb4da7269df7ca9ddfc3e1671",
"rev": "be47a2bdf278c57c2d05e747a13ed31cef54a037",
"type": "github"
},
"original": {
@ -737,11 +737,11 @@
]
},
"locked": {
"lastModified": 1724196987,
"narHash": "sha256-GhLSlmaEUMDImJCff+Zv9XUHFDRGa8uhdYsCmY0VKWw=",
"lastModified": 1725674607,
"narHash": "sha256-vTaoz2yRd9g3NZNKYufZeB8UJ381aBPmRV91lEmV37o=",
"owner": "StevenBlack",
"repo": "hosts",
"rev": "797e73e01a43f2092cea7d54be5a160e8014f6ff",
"rev": "10b187280ec15374e4d2b28e7705046e7d535d91",
"type": "github"
},
"original": {
@ -806,11 +806,11 @@
]
},
"locked": {
"lastModified": 1724050807,
"narHash": "sha256-Mdmsb/zw3JjVxQKSdiN3wVFnrqT6gunbs2T4EkQxfAI=",
"lastModified": 1725237485,
"narHash": "sha256-POpzmA7+ecCUEZsu2a5fgwYhJ60POzve+lMhxebmTz4=",
"owner": "musnix",
"repo": "musnix",
"rev": "b40964921d0f804f80480d050115bc089fe51128",
"rev": "b5f3a47fd74193cb98c85cfeb6a25358150bdd90",
"type": "github"
},
"original": {
@ -951,11 +951,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1723991338,
"narHash": "sha256-Grh5PF0+gootJfOJFenTTxDTYPidA3V28dqJ/WV7iis=",
"lastModified": 1725634671,
"narHash": "sha256-v3rIhsJBOMLR8e/RNWxr828tB+WywYIoajrZKFM+0Gg=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "8a3354191c0d7144db9756a74755672387b702ba",
"rev": "574d1eac1c200690e27b8eb4e24887f8df7ac27c",
"type": "github"
},
"original": {
@ -1068,11 +1068,11 @@
]
},
"locked": {
"lastModified": 1722555600,
"narHash": "sha256-XOQkdLafnb/p9ij77byFQjDf5m5QYl9b2REiVClC+x4=",
"lastModified": 1725234343,
"narHash": "sha256-+ebgonl3NbiKD2UD0x4BszCZQ6sTfL4xioaM49o5B3Y=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "8471fe90ad337a8074e957b69ca4d0089218391d",
"rev": "567b938d64d4b4112ee253b9274472dc3a346eb6",
"type": "github"
},
"original": {
@ -1248,11 +1248,11 @@
},
"vpsadminos": {
"locked": {
"lastModified": 1723930354,
"narHash": "sha256-CRrZECaoPudSPNGeaJB9AZEnXp0b43WIUGk1orKL2H4=",
"lastModified": 1725810385,
"narHash": "sha256-+6UULi05KMHmLfhlrNGhMdLZUoQeC5Dc1nLFdINyeyI=",
"owner": "vpsfreecz",
"repo": "vpsadminos",
"rev": "4f31628e96762790f6aca71231d48d007cee7086",
"rev": "37c5eb47ca3f11deac83e4ada20a6c21d5487f29",
"type": "github"
},
"original": {


@ -42,11 +42,11 @@ toplevel @ { moduleWithSystem, ... }: {
ssh = {
matchBlocks = {
vpsfree-ivand = {
hostname = "10.69.69.1";
hostname = "10.0.0.1";
user = "ivand";
};
vpsfree-root = {
hostname = "10.69.69.1";
hostname = "10.0.0.1";
user = "root";
};
};
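Review bot: Renumbering the VPN endpoint to 10.0.0.1 in both matchBlocks (`hostname = "10.0.0.1";`) picks the address most consumer routers hand out as their LAN gateway, so a roaming client that carries a 10.0.0.1/32 route into wg0 will push traffic meant for its local gateway (router-provided DNS, the router's admin page) into the tunnel instead; the previous 10.69.69.0/24 range had no such collision. That host route is inferred from the wg-quick changes elsewhere in this compare, not from this hunk, so confirm it against the client peer config. If the renumbering is kept, prefer a block that is rarely a default (anything outside 10.0.0.0/24 and 192.168.0.0/24, e.g. the old value) and add a one-line comment next to the matchBlocks stating the chosen range and why. The enclosing `ssh`/`matchBlocks` set starts and ends outside this hunk.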


@ -33,6 +33,7 @@ in
nova-crypto = novaConfig (with mods; [ ivand cryptocurrency ]);
nova-nonya = novaConfig (with mods; [ ivand anon cryptocurrency ]);
nova-ai = novaConfig (with mods; [ ivand ai ]);
nova-containers = novaConfig (with mods; [ ivand containers ]);
install-iso = configWithModules { modules = with mods; [ grub base shell wireless ]; };
vps = configWithModules { modules = with mods; [ base shell security vps mailserver nginx wireguard-output anonymous-dns firewall rest ]; };
stara-miner = configWithModules { modules = essential ++ [ mods.monero-miner ]; };


@ -151,7 +151,7 @@ top @ { inputs, moduleWithSystem, ... }: {
intranet = {
networking.wg-quick.interfaces = {
wg0 = {
address = [ "10.69.69.2/24" ];
address = [ "10.0.0.2/32" ];
privateKeyFile = "/etc/wireguard/privatekey";
peers = [
{
@ -214,6 +214,13 @@ top @ { inputs, moduleWithSystem, ... }: {
"Post120" = {
psk = "9996663333";
};
"MOONLIGHT2019" = {
psk = "seacrets";
};
"Kaiser Terrasse" = {
psk = "Internet12";
};
"ATHENS-HAWKS" = { };
"3G" = {
hidden = true;
};
@ -284,6 +291,13 @@ top @ { inputs, moduleWithSystem, ... }: {
ai = moduleWithSystem (_: _: {
services = { ollama.enable = true; };
});
containers = moduleWithSystem (_: _: {
virtualisation.docker = {
enable = true;
storageDriver = "btrfs";
};
users.users.ivand.extraGroups = [ "docker" ];
});
anon = moduleWithSystem (_: { pkgs, ... }: {
environment.systemPackages = with pkgs; [ tor-browser ];
});
@ -359,9 +373,9 @@ top @ { inputs, moduleWithSystem, ... }: {
nginx.virtualHosts =
let
restrictToVpn = ''
allow 10.69.69.2/24;
allow 10.69.69.3/24;
allow 10.69.69.4/24;
allow 10.0.0.2/32;
allow 10.0.0.3/32;
allow 10.0.0.4/32;
deny all;
'';
in
@ -475,72 +489,50 @@ top @ { inputs, moduleWithSystem, ... }: {
});
wireguard-output = moduleWithSystem (_: { pkgs, ... }: {
networking = {
useNetworkd = true;
nat = {
enable = true;
enableIPv6 = true;
externalInterface = "venet0";
internalInterfaces = [ "wg0" ];
};
# wg-quick.interfaces = {
# wg0 =
# let
# iptables = "${pkgs.iptables}/bin/iptables";
# ip6tables = "${pkgs.iptables}/bin/ip6tables";
# in
# {
# privateKeyFile = "";
# postUp = ''
# ${iptables} -A FORWARD -i wg0 -j ACCEPT
# ${iptables} -t nat -A POSTROUTING -s 10.69.69.1/24 -o venet0 -j MASQUERADE
# ${ip6tables} -A FORWARD -i wg0 -j ACCEPT
# ${ip6tables} -t nat -A POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o venet0 -j MASQUERADE
# '';
# preDown = ''
# ${iptables} -D FORWARD -i wg0 -j ACCEPT
# ${iptables} -t nat -D POSTROUTING -s 10.69.69.1/24 -o venet0 -j MASQUERADE
# ${ip6tables} -D FORWARD -i wg0 -j ACCEPT
# ${ip6tables} -t nat -D POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o venet0 -j MASQUERADE
# '';
# };
# };
};
systemd.network = {
enable = true;
netdevs = {
"50-wg0" = {
netdevConfig = {
Kind = "wireguard";
Name = "wg0";
MTUBytes = "1300";
};
wireguardConfig = {
PrivateKeyFile = "/etc/wireguard/privatekey";
ListenPort = 51820;
};
wireguardPeers = [
wg-quick.interfaces = {
wg0 =
let
iptables = "${pkgs.iptables}/bin/iptables";
ip6tables = "${pkgs.iptables}/bin/ip6tables";
in
{
PublicKey = "kI93V0dVKSqX8hxMJHK5C0c1hEDPQTgPQDU8TKocVgo=";
AllowedIPs = [ "10.69.69.2/24" ];
address = [ "10.0.0.1/32" ];
listenPort = 51820;
privateKeyFile = "/etc/wireguard/privatekey";
postUp = ''
${iptables} -A FORWARD -i wg0 -j ACCEPT
${iptables} -t nat -A POSTROUTING -s 10.0.0.1/24 -o venet0 -j MASQUERADE
${ip6tables} -A FORWARD -i wg0 -j ACCEPT
${ip6tables} -t nat -A POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o venet0 -j MASQUERADE
'';
preDown = ''
${iptables} -D FORWARD -i wg0 -j ACCEPT
${iptables} -t nat -D POSTROUTING -s 10.0.0.1/24 -o venet0 -j MASQUERADE
${ip6tables} -D FORWARD -i wg0 -j ACCEPT
${ip6tables} -t nat -D POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o venet0 -j MASQUERADE
'';
peers = [
{
publicKey = "kI93V0dVKSqX8hxMJHK5C0c1hEDPQTgPQDU8TKocVgo=";
allowedIPs = [ "10.0.0.2/32" ];
}
{
PublicKey = "RqTsFxFCcgYsytcDr+jfEoOA5UNxa1ZzGlpx6iuTpXY=";
AllowedIPs = [ "10.69.69.3/24" ];
publicKey = "RqTsFxFCcgYsytcDr+jfEoOA5UNxa1ZzGlpx6iuTpXY=";
allowedIPs = [ "10.0.0.3/32" ];
}
{
PublicKey = "1e0mjluqXdLbzv681HlC9B8BfGN8sIXIw3huLyQqwXI=";
AllowedIPs = [ "10.69.69.4/24" ];
publicKey = "1e0mjluqXdLbzv681HlC9B8BfGN8sIXIw3huLyQqwXI=";
allowedIPs = [ "10.0.0.4/32" ];
}
];
};
};
networks.wg0 = {
matchConfig.Name = "wg0";
address = [ "10.69.69.1/24" ];
networkConfig = {
IPMasquerade = "ipv4";
};
};
};
});
anonymous-dns = moduleWithSystem (_: _: {
@ -600,9 +592,9 @@ top @ { inputs, moduleWithSystem, ... }: {
];
extraCommands = ''
iptables -N vpn # create a new chain named vpn
iptables -A vpn --src 10.69.69.2 -j ACCEPT # allow
iptables -A vpn --src 10.69.69.3 -j ACCEPT # allow
iptables -A vpn --src 10.69.69.4 -j ACCEPT # allow
iptables -A vpn --src 10.0.0.2 -j ACCEPT # allow
iptables -A vpn --src 10.0.0.3 -j ACCEPT # allow
iptables -A vpn --src 10.0.0.4 -j ACCEPT # allow
iptables -A vpn -j DROP # drop everyone else
iptables -I INPUT -m tcp -p tcp --dport 22 -j vpn
'';
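Review bot: The two networks added to the wireless block, `"MOONLIGHT2019" = { psk = "seacrets"; };` and `"Kaiser Terrasse" = { psk = "Internet12"; };`, commit Wi-Fi passphrases in plaintext to git and render them into the world-readable Nix store (the `networking.wireless.networks.<name>.psk` option itself warns about this). Keep the secret on the host only: with the nixpkgs revision this compare bumps to, `networking.wireless.secretsFile = "/etc/wifi.secrets";` plus `pskRaw = "ext:kaiser_terrasse";` per network (or, on older revisions, `environmentFile` with `psk = "@KAISER_TERRASSE@";`) reads the key at runtime instead of at evaluation. Because the passphrases are already in this diff, treat them as disclosed and rotate them on the access points rather than only rewriting the config. The wireless attribute set begins and ends outside this hunk, so the new `secretsFile` line belongs in the part not shown.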