Update cloud services

Rebuilt email server, started wireguard setup.

3 files changed, 91 insertions, 10 deletions

diff --git a/Biz/Dev/Configuration.nix b/Biz/Dev/Configuration.nix
index 2dcc816..8eb4958 100644
--- a/Biz/Dev/Configuration.nix
+++ b/Biz/Dev/Configuration.nix
@@ -5,7 +5,7 @@ let
   ports = import ../Cloud/Ports.nix;
 in {
   networking = {
-    nameservers = [ "1.1.1.1" "8.8.8.8" ];
+    nameservers = [ "1.1.1.1" ];
     hostName = "lithium";
     hosts = {
       "::1" = [ "localhost" "ipv6-localhost" "ipv6-loopback" ];
@@ -13,17 +13,22 @@ in {
 
     firewall = {
       allowedTCPPorts = [
-        22 8000 8443 443 # standard ports
-        500 10000 # no idea
-        ports.jellyfin
+        ports.bitcoind
         ports.delugeWeb
-        ports.murmur
+        ports.et
+        ports.gemini
+        ports.git
+        ports.http
+        ports.https
+        ports.jellyfin
+        ports.jupyter
         ports.mpd
         ports.mpd-stream
+        ports.murmur
+        ports.radicale
+        ports.sabten
+        ports.ssh
         ports.tor
-        ports.et
-        ports.bitcoind
-        ports.jupyter
       ];
       allowedTCPPortRanges = [
         ports.torrents
@@ -61,6 +66,7 @@ in {
   environment.systemPackages = [
     pkgs.wemux
     pkgs.tmux
+    pkgs.wireguard
   ];
 
   nixpkgs = {
diff --git a/Biz/Dev/Hardware.nix b/Biz/Dev/Hardware.nix
index 9297d66..dc5b573 100644
--- a/Biz/Dev/Hardware.nix
+++ b/Biz/Dev/Hardware.nix
@@ -8,9 +8,12 @@
     [ (modulesPath + "/installer/scan/not-detected.nix")
     ];
 
-  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
+  boot.initrd.availableKernelModules = [
+    "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod"
+  ];
   boot.kernelModules = [ "kvm-intel" ];
-  boot.extraModulePackages = [ ];
+  boot.extraModulePackages = [
+  ];
 
   fileSystems."/" =
     { device = "/dev/disk/by-uuid/f08dd8f9-787c-4e2a-a0cc-7019edc2ce2b";
diff --git a/Biz/Dev/Wireguard.nix b/Biz/Dev/Wireguard.nix
new file mode 100644
index 0000000..5703f3d
--- /dev/null
+++ b/Biz/Dev/Wireguard.nix
@@ -0,0 +1,72 @@
+{ lib, config, pkgs, ... }:
+
+/*
+Wireguard VPN server
+
+References:
+
+- https://nixos.wiki/wiki/WireGuard
+- https://wireguard.how/client/ios/
+*/
+
+let
+  ports = import ../Cloud/Ports.nix;
+  ips = "10.100.0.1/24";
+
+  # a micro-library for creating iptables rules
+  iptables = rec {
+    bin = "${pkgs.iptables/bin/iptables}";
+    append = {source}: lib.concatSep " " [
+      bin
+      "--table" "nat"
+      "--append" "POSTROUTING"
+      "--source" source
+      "--out-interface" "eth0"
+      "--jump" "MASQUERADE"
+    ];
+    delete = {source}: lib.concatSep " " [
+      bin
+      "--table" "nat"
+      "--delete" "POSTROUTING"
+      "--source" source
+      "--out-interface" "eth0"
+      "--jump" "MASQUERADE"
+    ];
+
+  };
+in {
+  networking.nat.enable = true;
+  networking.nat.externalInterface = "eth0";
+  networking.nat.internalInterfaces = [ "wg0" ];
+  networking.firewall.allowedUDPPorts = [ ports.wireguard ];
+
+  networking.wireguard.enable = true;
+
+  networking.wireguard.interfaces = {
+    wg0 = {
+      ips = [ ips ];
+      allowedIPsAsRoutes = true;
+      listenPort = ports.wireguard;
+      postSetup = ''
+        ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s ${ips} -o eth0 -j MASQUERADE
+      '';
+
+      postShutdown = ''
+        ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s ${ips} -o eth0 -j MASQUERADE
+      '';
+
+      privateKeyFile = "/var/wireguard/private";
+
+      peers = [
+        #{ # helium
+        #  publicKey = "TODO";
+        #  allowedIPs = [ "10.100.0.2/32" ];
+        #}
+        { # ben's iPhone
+          publicKey = "SIBIfPLhzuV1S1FZtm5JQtDbl0ehnH+Y3CpoZ2eZ3gc=";
+          allowedIPs = [ "10.100.0.3/32" ];
+        }
+      ];
+    };
+  };
+}