New wireguard server
This commit is contained in:
parent
2b9739e82a
commit
815c2c295e
@ -181,11 +181,11 @@
|
|||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1745487689,
|
||||
"narHash": "sha256-FQoi3R0NjQeBAsEOo49b5tbDPcJSMWc3QhhaIi9eddw=",
|
||||
"lastModified": 1746557022,
|
||||
"narHash": "sha256-QkNoyEf6TbaTW5UZYX0OkwIJ/ZMeKSSoOMnSDPQuol0=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "5630cf13cceac06cefe9fc607e8dfa8fb342dde3",
|
||||
"rev": "1d3aeb5a193b9ff13f63f4d9cc169fb88129f860",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
|
@ -48,6 +48,8 @@
|
|||
openssl
|
||||
# not included: age, age-plugin-yubikey, pcscd
|
||||
|
||||
wireguard-tools
|
||||
|
||||
deploy-rs
|
||||
nixos-anywhere
|
||||
|
||||
|
|
|
@ -13,6 +13,7 @@
|
|||
./nebula.nix
|
||||
./zfs.nix
|
||||
./prometheus.nix
|
||||
./wireguard.nix
|
||||
];
|
||||
|
||||
networking.hostName = "eidola"; # Define your hostname.
|
||||
|
|
|
@ -0,0 +1,23 @@
|
|||
{config, ...}: {
|
||||
sops.secrets."wireguard-key" = {};
|
||||
sops.secrets."wireguard-psk" = {};
|
||||
|
||||
networking.wireguard = {
|
||||
enable = true;
|
||||
|
||||
interfaces.wg0 = {
|
||||
ips = ["10.193.0.2/16"];
|
||||
privateKeyFile = config.sops.secrets."wireguard-key".path;
|
||||
|
||||
peers = [
|
||||
{
|
||||
publicKey = "OeIBzwOGYjQPU7co4MlNDqnARnJoICXMNam7TJWNBG0=";
|
||||
presharedKeyFile = config.sops.secrets."wireguard-psk".path;
|
||||
allowedIPs = ["10.193.0.0/16"];
|
||||
endpoint = "min.rip:49090";
|
||||
persistentKeepalive = 25;
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
}
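Review bot: The peer endpoint `min.rip:49090` is a DNS name, and the NixOS `networking.wireguard` module resolves it once when wg0 is brought up, so a changed record leaves the tunnel pointing at a stale address until the unit restarts; setting `dynamicEndpointRefreshSeconds = 60;` on this peer makes the module re-resolve periodically, which is what that option exists for. The peer block also carries no comment saying which host it is — presumably the `silver` hub configured in this commit's other new file, since its `listenPort` matches — so a one-line `# hub peer (silver); all 10.193.0.0/16 mesh traffic goes through it` would help the next reader. `allowedIPs = ["10.193.0.0/16"]` routes the whole mesh through that single hub, which is consistent with the server side's per-peer `/32` entries.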
|
|
@ -23,7 +23,7 @@ in {
|
|||
];
|
||||
|
||||
networking.hostName = "silver"; # Define your hostname.
|
||||
time.timeZone = "America/Chicago"; # Set your time zone.
|
||||
time.timeZone = "America/New_York"; # Set your time zone.
|
||||
|
||||
# Allow unfree packages (firmware)
|
||||
nixpkgs.config.allowUnfree = true;
|
||||
|
|
|
@ -11,6 +11,7 @@
|
|||
./grafana.nix
|
||||
./vaultwarden.nix
|
||||
./shim-jellyfin.nix
|
||||
./wireguard.nix
|
||||
];
|
||||
|
||||
security.acme = {
|
||||
|
|
|
@ -8,7 +8,7 @@ in {
|
|||
enableACME = true;
|
||||
|
||||
locations."/" = {
|
||||
proxyPass = "http://${toString httpIntAddr}:${toString httpIntPort}";
|
||||
proxyPass = "http://${httpIntAddr}:${toString httpIntPort}";
|
||||
proxyWebsockets = true;
|
||||
};
|
||||
};
|
||||
|
|
|
@ -0,0 +1,57 @@
|
|||
{
|
||||
config,
|
||||
pkgs,
|
||||
...
|
||||
}: let
|
||||
interface = "wg0";
|
||||
wgPort = 49090;
|
||||
in {
|
||||
sops.secrets."svc-wireguard-key" = {};
|
||||
sops.secrets."svc-wireguard-psk-0-2" = {};
|
||||
sops.secrets."svc-wireguard-psk-1-1" = {};
|
||||
|
||||
boot.kernel.sysctl."net.ipv4.ip_forward" = true;
|
||||
|
||||
networking = {
|
||||
firewall.allowedUDPPorts = [wgPort];
|
||||
|
||||
wireguard = let
|
||||
iptables = "${pkgs.iptables}/bin/iptables";
|
||||
in {
|
||||
enable = true;
|
||||
|
||||
interfaces.${interface} = {
|
||||
ips = ["10.193.0.1/16"];
|
||||
listenPort = wgPort;
|
||||
|
||||
privateKeyFile = config.sops.secrets."svc-wireguard-key".path;
|
||||
|
||||
postSetup = ''
|
||||
${iptables} -A FORWARD -i ${interface} -o ${interface} -d 10.193.0.2 -p tcp -m multiport --dports 139,445 -j ACCEPT
|
||||
${iptables} -A FORWARD -i ${interface} -o ${interface} -d 10.193.0.2 -p udp -m multiport --dports 139,445 -j ACCEPT
|
||||
${iptables} -A FORWARD -i ${interface} -o ${interface} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
|
||||
${iptables} -A FORWARD -i ${interface} -o ${interface} -j DROP
|
||||
'';
|
||||
preShutdown = ''
|
||||
${iptables} -D FORWARD -i ${interface} -o ${interface} -d 10.193.0.2 -p tcp -m multiport --dports 139,445 -j ACCEPT
|
||||
${iptables} -D FORWARD -i ${interface} -o ${interface} -d 10.193.0.2 -p udp -m multiport --dports 139,445 -j ACCEPT
|
||||
${iptables} -D FORWARD -i ${interface} -o ${interface} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
|
||||
${iptables} -D FORWARD -i ${interface} -o ${interface} -j DROP
|
||||
'';
|
||||
|
||||
peers = [
|
||||
{
|
||||
publicKey = "37FwgVhjem6QCSAzPtdYNwHMPC0YIKpsBOp4Ix23lGU=";
|
||||
allowedIPs = ["10.193.0.2/32"];
|
||||
presharedKeyFile = config.sops.secrets."svc-wireguard-psk-0-2".path;
|
||||
}
|
||||
{
|
||||
publicKey = "ayscoZwIMa9eNciYODZlILrXzfwn0t/2j/qa7/ftUQM=";
|
||||
allowedIPs = ["10.193.1.1/32"];
|
||||
presharedKeyFile = config.sops.secrets."svc-wireguard-psk-1-1".path;
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
}
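Review bot: The FORWARD rules in `postSetup` only match `-i wg0 -o wg0`, so with `net.ipv4.ip_forward` enabled host-wide, a peer's packets bound for anything other than another peer (the host's LAN, upstream) are not touched by this file and fall through to whatever policy and earlier rules the FORWARD chain already has, which this file does not set. If peers are meant to reach only the tunnel, append `${iptables} -A FORWARD -i ${interface} -j DROP` after the existing rules in `postSetup` (with the matching `-D` line in `preShutdown`) so that intent does not depend on firewall defaults elsewhere in the config. Because `-A` appends, any ACCEPT already present in FORWARD would still take precedence over these rules, so verifying the chain order on the deployed host, or inserting with `-I`, is worth a look. The UDP `--dports 139,445` rule likely matches nothing useful, since SMB runs over TCP 445 and the NetBIOS datagram services use UDP 137/138 — either drop it or comment why it is there. A short header comment naming the roles (`10.193.0.2` as the SMB host, this machine as the hub) would also help, since nothing in the file says why those two ports are special-cased.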
|
|
@ -8,7 +8,6 @@ with lib; let
|
|||
in {
|
||||
options.gen.hardening = {
|
||||
hardenBpf = mkEnableOption "place heavier restrictions on BPF";
|
||||
fullRpFilter = mkEnableOption "full reverse path filtering. (breaks dynamic routing, probably)";
|
||||
ignoreIcmpEcho = mkEnableOption "ignore icmp echos. (obviously, this makes pings unresponsive)";
|
||||
disableSack = mkEnableOption "disable tcp sack";
|
||||
disableConsole = mkEnableOption "disable console. (not recommended for test machines)";
|
||||
|
@ -35,10 +34,6 @@ in {
|
|||
"kernel.unprivileged_bpf_disabled" = 1;
|
||||
"net.core.bpf_jit_harden" = 2;
|
||||
})
|
||||
(mkIf cfg.fullRpFilter {
|
||||
"net.ipv4.conf.all.rp_filter" = 1;
|
||||
"net.ipv4.conf.default.rp_filter" = 1;
|
||||
})
|
||||
(mkIf cfg.disableSack {
|
||||
"net.ipv4.tcp_sack" = 0;
|
||||
"net.ipv4.tcp_dsack" = 0;
|
||||
|
|
|
@ -2,6 +2,8 @@ root-pw: ENC[AES256_GCM,data:g/dIT5d5w+FCAbxgGRJoMISgVTySEqXoBCV/jopu9Cgm4db9zAF
|
|||
user-pw: ENC[AES256_GCM,data:gr+Dis3c5NWLWnfJG4eJUxwt574R3n40djeK68hukMNPx0qwGRAT5a7UQ5doxtDBgafcH1uCgqrsWwEmy9H5dS6WfLMivE5Uy213EcEk3YNUwI9d5vbdcbCcXWvPsyCu6sxS3x731EVVYA==,iv:4AHzVLoJD95d2UwwEAwxWP0G2gekHahBt4hDDA9ZSx0=,tag:03L3Ql070mt3oDV5YdrETg==,type:str]
|
||||
nebula-key: ENC[AES256_GCM,data:YnGtqqWXbwkMYFJAKcBXmbRE+lsW9DwRnsseocTAVVIAqw84o3Qny2LO1vzoErtP7Fx9vPaI2bzvJTICNSTBw2jH4thzLR71XpHZI7mo+FSXzpZx8pxv6pfVcCW4tNK7KXx/PyvzCU21npsPDoVlM1rE/LKPxu2PLoGBd6u+,iv:g5BIpHXXrHZovSWnLURhJzTCaZC6fjVNS1QXwnSlxVs=,tag:9D/wTzaJOd5Vls/l33jZSg==,type:str]
|
||||
terra-key: ENC[AES256_GCM,data:pQRlvltiRr83ndfSjX/I8n1WekS9jY2K1QyLTTcYn14TRupRVgvX47rsus1QA9QAbpT/9f0ZYld3aCrR5J0rxg==,iv:mkiu/+uLKOHG9gDjv72T7JGz6/3oaimDawAOqGs3Koo=,tag:c9Ubj3i5rDj5vaLBRpAUkQ==,type:str]
|
||||
wireguard-key: ENC[AES256_GCM,data:aM76YT/0gbfw87x3ThrwFMuf9DxC0IJ5aCeEFDtL+JWPGsZk3XtrN+kxW6w=,iv:ssh+sGPxMU55ubNZlWcWh+3fXvhjhJ6cNJhPZJVXEyw=,tag:2PdoFb2CyeTkV0EKfcpZiQ==,type:str]
|
||||
wireguard-psk: ENC[AES256_GCM,data:fEDfzuZVvEC8/HHbV4k0fSZHucRk3PLc/jaf/wl5Np+4OB1SiK6VnSyoW2o=,iv:2QnunJjHxt8V/DBG2KAuzwGQsJnmrspj6x01ufiJteY=,tag:teEVG+TuRg+QsY4jMg2DzQ==,type:str]
|
||||
sops:
|
||||
age:
|
||||
- recipient: age1yubikey1qg5k0y844v5e79uwax3r00u7zdljwnjlrmwvdr3st9m5a3ra5098qy0sjdj
|
||||
|
@ -23,7 +25,7 @@ sops:
|
|||
VTJvaGtSZGpQMSs5N05pblQ4aEIzbkkKQiM+335AZC2+UmotonvM1nsyA/l9F5gr
|
||||
da9+ltLr5U88pXfcdpiXTmxrSnMzDgLuZLRKZ0S/ZllGDhlnwxsuOQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-12-14T07:48:40Z"
|
||||
mac: ENC[AES256_GCM,data:1PUbru5HQynz5oC6AFcwreJdT7HupCZUuISsSTQkIY4fQHCeYDp5SqdNhGxjfjl9g7DeoNDCK3jCSY3HPnoz+34RfiC1Cf8lLjV139+jROHakG0gv05wrKqH2b8d52deX/OwDP5SV3mg3OFkiiDEroGF/1apAPs+FXeehnt4jQg=,iv:7E1i9ENR4ZEBYl2aSoNLBOmV7Xx3F7Fr8Ldr8SkWrlE=,tag:L0sCmeD8lCcxA/qtrHr7xg==,type:str]
|
||||
lastmodified: "2025-05-09T23:52:41Z"
|
||||
mac: ENC[AES256_GCM,data:38RF2ZBEN8bnldWusQNhpju9zPd/sWRG8LgNesarcuqyqHVJCbjOo3Wm2arXCmnQAFlcmrLCbyheD/bpNhgbVEP2JscrqsH1PFTAAi+iLUK6AT4VZ1q/cdhRVVnHlR+wtehxufJ1sEAp3LNBbDKeSKTk8jorEfEz8NdE0uPvvjg=,iv:u9F0nEKYO/0E51f4z46GNvgK8E7QwoVI+xn7do5sGRc=,tag:Ovv85eGJi037y9hh1KqzEg==,type:str]
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.8.1
|
||||
version: 3.10.2
|
||||
|
|
|
@ -6,7 +6,10 @@ svc-breeze-upload_key: ENC[AES256_GCM,data:qNNH4/Q0rk2lsMImzpVe54+DbSAOiGjo,iv:r
|
|||
svc-sim-breeze-upload_key: ENC[AES256_GCM,data:qm93iBzGhqp7IuZ01uZ6PyL5bL45+W0oOeDyQRGEzZw=,iv:5F7BV5Sg6GUxIGQychaEZSeG7xDFF+JdRL83PJULWJA=,tag:W/Q8vGaPoLNnj1Wyvc9Cnw==,type:str]
|
||||
svc-synapse-synapse-config: ENC[AES256_GCM,data:r8ZYi67CfftGheassCFiLOVcFUho+sNNe0XCkyQETHT6Q/w2jqO9eAVA2EDJyK4Vk3S4MP6ppcGxwocMmTYzkAjmtwf6a7GzUyh14+Lj5VTybvIKOze0wuLlsEUUYgU=,iv:HTnPaS5/ZvdJIMKiTfPffZmemp5IGTo/mIWrpafk/Fk=,tag:2HusbhzmxqsTMz5/78WCRA==,type:str]
|
||||
svc-gitea-runner-env: ENC[AES256_GCM,data:M2hV8YM03dcBcgpJqbpiW6RGlhDvkfF/ExF+J1GF+39GnOsBWwPKteM5EAUB2Wrl/zRFifgfNLLdYgSEWhJsT1cBLhI3vwE5,iv:9/nvC3sS6XcLxgeKrEg/AaFhptXCm3uvGgSUMAz4p5Y=,tag:A1MnoJP6aekXuWHhlONnkw==,type:str]
|
||||
svc-nebula-key: ENC[AES256_GCM,data:kqVqnsEgEsMGz2Ud0CS4DnVDd7claVoFyB3grV8TWK/mGdtJwysIYsQRmpbwXcOTTfgdX6vLKxJvleLLHFQGTjf/7QwBrmhfUKryd7CEukaZUsmkJAx3fH5y0mMd84nJucyQk5NqXZhyXQNwg9zmyH20XdaLqrdr0dtkQzIf,iv:OHoIHRKJt4kqbQye6SHLD9wVbLl7wTvs5CheIeOObeg=,tag:4AG0sSlOdTrqtXj3UqzaHQ==,type:str]
|
||||
svc-nebula-key: ENC[AES256_GCM,data:FV5KD4pMAXN1VBh93M3sDN5qb/B2SCGXKnfi+IMLcCKLyoUeQXfie79xv/XVzgFGGUcDgnxCsVEkMiraOlqeLWaiYRMBI6DF7Q+xtpNDqPTmUeq92njmbabruMBpp83FkcgF1jr8vaS7d8HnPgoQEBHGISAE2e8iAtMPGew=,iv:CZsHcvYPGqouKnOgraP4dhI7zK7POgnuvxYiZjYnwKs=,tag:8d9APnFVR1yvBvIG56OETg==,type:str]
|
||||
svc-wireguard-key: ENC[AES256_GCM,data:dmxJ07UnQAtet4RtlVXEMFLVKxOU44XQcUW7h7UPbLG9chiQeXGkZkkTihs=,iv:bEA9+DYDBLo1dgrCSrIpa1ig9JJEtXeJF5ZmtdsAO3s=,tag:tyLB5Dd9uolalSzddC608A==,type:str]
|
||||
svc-wireguard-psk-0-2: ENC[AES256_GCM,data:0sTGYa3HUe70hYJZnPy9w0iG37aRDTplmdvGdc5C8KN8Dg5XbVc2CmVS1r4=,iv:9Dnr3BYhzKKOZ7S565HY4CkhgPv1JEd3Zk7662/cd9s=,tag:Dd0BLrIjfX0F2lBan59jUg==,type:str]
|
||||
svc-wireguard-psk-1-1: ENC[AES256_GCM,data:YbxjRleUWTr1+rZyzZ+5vB9Po/V0T1mYhH+H8igjascGV/Oo4lPn1xoYqLg=,iv:+fcWdpRqR7GU5UXug+6GCX9Be5DoE944T5PIm0csgEU=,tag:3mGEL3KYjfSJ9uM+i6Wirg==,type:str]
|
||||
sops:
|
||||
age:
|
||||
- recipient: age1yubikey1qg5k0y844v5e79uwax3r00u7zdljwnjlrmwvdr3st9m5a3ra5098qy0sjdj
|
||||
|
@ -28,7 +31,7 @@ sops:
|
|||
MXdERWkyRitkbWtHMnpQaGxhbTRma2cK75S4x9TdquXAV00m9EQ1vJno14YTmPD4
|
||||
K8ne37brRWWi3gW6JsaOQOshNE19u4uwkAXZ2IQ+NdAq7Kt/qrcU8w==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2025-03-01T04:01:15Z"
|
||||
mac: ENC[AES256_GCM,data:1eMZuUzXH1fPIWh32J6RUntb/ki7OTovX/dtQ5uaf6J6r+B6nLR+TvpAdw4P+XLnxtTeVGIZEHb0sXSA9WXcEE90MHIYOPxG/rb/zf0IOGtg/iwfgLFTacaDJsqX4+WwQJgACJ98SbtznyXr0NnP2d4SudIOjkj05subfrOcPYo=,iv:Fzp1iLEtfxhvy14SG1l06mSDplD2KQoOV+t4rUMX9Qw=,tag:6JRywlTUw6V7yajm6lar8g==,type:str]
|
||||
lastmodified: "2025-05-10T00:53:55Z"
|
||||
mac: ENC[AES256_GCM,data:KOs621LpjHZCoMhcTv1r5XQn3wGv18HSBIuGOsgqx8V9SZQE8a5mFKqPHw7eVRhD0sXa0tZrsdRGyjuYBrQ/W1Ay5iiehg00RICfthx9ON0sAxam8nJpUAV5fnmW57yj3OQfNQWgivsRy18bTUMUZ2WxNTGTk7iUW1oLuKXZW6Y=,iv:BYonX1N3Rdg8FNtkRmd+kGNhg/j9kN5fyG7NQRz4V+U=,tag:8Lc/Ql5Azl4el0ZvHm7Zag==,type:str]
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.9.4
|
||||
version: 3.10.2
|
||||
|
|