Diffstat (limited to 'Biz/Dev')
-rw-r--r-- | Biz/Dev/Configuration.nix | 22 | ||||
-rw-r--r-- | Biz/Dev/Hardware.nix | 7 | ||||
-rw-r--r-- | Biz/Dev/Wireguard.nix | 72 |
3 files changed, 91 insertions, 10 deletions
diff --git a/Biz/Dev/Configuration.nix b/Biz/Dev/Configuration.nix
index 2dcc816..8eb4958 100644
--- a/Biz/Dev/Configuration.nix
+++ b/Biz/Dev/Configuration.nix
@@ -5,7 +5,7 @@ let
 ports = import ../Cloud/Ports.nix;
 in {
 networking = {
- nameservers = [ "1.1.1.1" "8.8.8.8" ];
+ nameservers = [ "1.1.1.1" ];
 hostName = "lithium";
 hosts = {
 "::1" = [ "localhost" "ipv6-localhost" "ipv6-loopback" ];
@@ -13,17 +13,22 @@ in {
 firewall = {
 allowedTCPPorts = [
- 22 8000 8443 443 # standard ports
- 500 10000 # no idea
- ports.jellyfin
+ ports.bitcoind
 ports.delugeWeb
- ports.murmur
+ ports.et
+ ports.gemini
+ ports.git
+ ports.http
+ ports.https
+ ports.jellyfin
+ ports.jupyter
 ports.mpd
 ports.mpd-stream
+ ports.murmur
+ ports.radicale
+ ports.sabten
+ ports.ssh
 ports.tor
- ports.et
- ports.bitcoind
- ports.jupyter
 ];
 allowedTCPPortRanges = [
 ports.torrents
@@ -61,6 +66,7 @@ in {
 environment.systemPackages = [
 pkgs.wemux
 pkgs.tmux
+ pkgs.wireguard
 ];
 nixpkgs = {
diff --git a/Biz/Dev/Hardware.nix b/Biz/Dev/Hardware.nix
index 9297d66..dc5b573 100644
--- a/Biz/Dev/Hardware.nix
+++ b/Biz/Dev/Hardware.nix
@@ -8,9 +8,12 @@
 [ (modulesPath + "/installer/scan/not-detected.nix") ];
- boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
+ boot.initrd.availableKernelModules = [
+ "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod"
+ ];
 boot.kernelModules = [ "kvm-intel" ];
- boot.extraModulePackages = [ ];
+ boot.extraModulePackages = [
+ ];
 fileSystems."/" = {
 device = "/dev/disk/by-uuid/f08dd8f9-787c-4e2a-a0cc-7019edc2ce2b";
diff --git a/Biz/Dev/Wireguard.nix b/Biz/Dev/Wireguard.nix
new file mode 100644
index 0000000..5703f3d
--- /dev/null
+++ b/Biz/Dev/Wireguard.nix
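Review bot: The rebuilt `allowedTCPPorts` list in the second Configuration.nix hunk now opens `ports.jupyter`, `ports.git`, `ports.http`, `ports.https`, `ports.radicale` and `ports.sabten` on every interface, and unlike the list it replaces (which at least carried `# standard ports` / `# no idea`) it says nothing about why any entry is there. Since the same commit brings up `wg0`, each entry deserves a comment stating whether the service is meant to be reachable from the internet or only over the VPN, e.g. `ports.jupyter # VPN-only, listens on 10.100.0.1 (constructed example)`, and if the nixpkgs in use has `networking.firewall.interfaces.<name>.allowedTCPPorts`, the VPN-only entries belong under `wg0` so the global list holds only the public ones. Separately, the first hunk drops `8.8.8.8` and leaves a single resolver with no fallback; if that is deliberate, a short comment saves the next reader wondering. The Hardware.nix hunk is whitespace only.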
@@ -0,0 +1,72 @@
+{ lib, config, pkgs, ... }:
+
+/*
+Wireguard VPN server
+
+References:
+
+- https://nixos.wiki/wiki/WireGuard
+- https://wireguard.how/client/ios/
+*/
+
+let
+ ports = import ../Cloud/Ports.nix;
+ ips = "10.100.0.1/24";
+
+ # a micro-library for creating iptables rules
+ iptables = rec {
+ bin = "${pkgs.iptables/bin/iptables}";
+ append = {source}: lib.concatSep " " [
+ bin
+ "--table" "nat"
+ "--append" "POSTROUTING"
+ "--source" source
+ "--out-interface" "eth0"
+ "--jump" "MASQUERADE"
+ ];
+ delete = {source}: lib.concatSep " " [
+ bin
+ "--table" "nat"
+ "--delete" "POSTROUTING"
+ "--source" source
+ "--out-interface" "eth0"
+ "--jump" "MASQUERADE"
+ ];
+
+ };
+in {
+ networking.nat.enable = true;
+ networking.nat.externalInterface = "eth0";
+ networking.nat.internalInterfaces = [ "wg0" ];
+ networking.firewall.allowedUDPPorts = [ ports.wireguard ];
+
+ networking.wireguard.enable = true;
+
+ networking.wireguard.interfaces = {
+ wg0 = {
+ ips = [ ips ];
+ allowedIPsAsRoutes = true;
+ listenPort = ports.wireguard;
+ postSetup = ''
+ ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s ${ips} -o eth0 -j MASQUERADE
+ '';
+
+ postShutdown = ''
+ ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s ${ips} -o eth0 -j MASQUERADE
+ '';
+
+ privateKeyFile = "/var/wireguard/private";
+
+ peers = [
+ #{ # helium
+ # publicKey = "TODO";
+ # allowedIPs = [ "10.100.0.2/32" ];
+ #}
+ { # ben's iPhone
+ publicKey = "SIBIfPLhzuV1S1FZtm5JQtDbl0ehnH+Y3CpoZ2eZ3gc=";
+ allowedIPs = [ "10.100.0.3/32" ];
+ }
+ ];
+ };
+ };
+} |
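Review bot: `bin = "${pkgs.iptables/bin/iptables}";` interpolates the expression `pkgs.iptables/bin/iptables`, which Nix's lexer takes as a relative path literal rather than the store path, and `lib.concatSep` is not a nixpkgs function (`lib.concatStringsSep` is); both slip through only because the `iptables` helper is never referenced, so laziness never evaluates it. Either drop the helper or have `postSetup`/`postShutdown` call it, with the binary written as `bin = "${pkgs.iptables}/bin/iptables";` the way the inline commands already do. The external interface `"eth0"` is spelled out four times even though `config` is taken as an argument; reading `config.networking.nat.externalInterface` in the rules keeps the NAT option and the MASQUERADE rules from drifting apart. `privateKeyFile = "/var/wireguard/private"` is assumed to exist with no note on how it is provisioned; a comment such as `# provisioned out-of-band; must be root-only (0400)`, or `generatePrivateKeyFile = true;` if the module in use supports it, documents the one secret the whole tunnel rests on. Both the helper's `--source` and the inline `-s ${ips}` pass the interface address `10.100.0.1/24` as the NAT source, which iptables masks to the /24 so it works, but a reader may expect a network address there.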