xun/nixos-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

wireguard progress

Browse source
This commit is contained in:
xunuwu 2025-06-01 12:30:22 +02:00
parent 85962b9344
commit c87584c294
Signed by: xun
SSH key fingerprint: SHA256:Uot/1WoAjWAeqLOHA5vYy4phhVydsH7jCPmBjaPZfgI
12 changed files with 178 additions and 29 deletions
Download patch file Download diff file Expand all files Collapse all files

2
sys/machines/hopper/lab/slskd.nix
View file

@ -22,7 +22,7 @@
remote_file_management = true;
shares.directories = ["/media/library/music"];
soulseek = {
listen_port = 26449;
listen_port = 24001;
picture = pkgs.fetchurl {
url = "https://cdn.donmai.us/original/57/65/__kasane_teto_utau_drawn_by_nonounno__576558c9a54c63a268f9b584f1e84c9f.png";
hash = "sha256-7WOClBi4QgOfmcMaMorK/t8FGGO7dNUwxg3AVEjRemw=";

2
sys/machines/hopper/lab/transmission.nix
View file

@ -19,7 +19,7 @@
speed-limit-up = 50 * mbit;
speed-limit-down-enabled = true;
speed-limit-down = 150 * mbit;
peer-port = 11936;
peer-port = 24003;
rpc-authentication-required = false;
rpc-bind-address = "0.0.0.0";
rpc-host-whitelist = "transmission.hopper.xun.host";

6
sys/machines/hopper/lab/vpn-namespace.nix
View file

@ -38,15 +38,15 @@
protocol = "tcp";
}
{
port = config.services.slskd.settings.soulseek.listen_port;
port = 24001; # slskd
protocol = "both";
}
{
port = config.services.slskd.settings.soulseek.listen_port + 1;
port = 24002; # slskd
protocol = "both";
}
{
port = config.services.transmission.settings.peer-port;
port = 24003; # transmission
protocol = "both";
}
];

14
sys/machines/nixdesk/wireguard.nix
View file

@ -14,16 +14,12 @@
accessibleFrom = ["192.168.0.0/24"];
# Forwarded to my vpn, for making things accessible from outside
openVPNPorts = [
{
port = 26449;
openVPNPorts =
lib.range 23000 23010
|> map (num: {
port = num;
protocol = "both";
}
{
port = 26450;
protocol = "both";
}
];
});
# From inside of the vpn namespace to outside of it, for making things inside accessible to LAN
portMappings = [];

4
sys/machines/rackserv/default.nix
View file

@ -10,8 +10,12 @@
inputs.disko.nixosModules.disko
./disk-config.nix
./fail2ban.nix
./wireguard-server.nix
]
++ (map (x: systemProfiles + x) [
/secrets/default.nix
/secrets/rackserv/default.nix
/core/security.nix
/core/tools.nix
/core/ssh.nix

120
sys/machines/rackserv/wireguard-server.nix Normal file
View file

@ -0,0 +1,120 @@
{
pkgs,
config,
lib,
...
}: {
networking.firewall = let
forwardPorts = {
"10.0.0.3" =
lib.range 23000 23010
|> map (n: {
protocols = ["tcp" "udp"];
port = n;
});
"10.0.0.2" =
[24001 24002 24003]
|> map (n: {
protocols = ["tcp"];
port = n;
});
};
b = builtins;
portsList = b.attrValues forwardPorts |> b.concatLists;
portsAndIpsList = lib.mapAttrsToList (n: v: map (x: x // {destinationIp = n;}) v) forwardPorts |> b.concatLists;
in {
allowedTCPPorts = b.filter (x: b.elem "tcp" x.protocols) portsList |> map (x: x.port);
allowedUDPPorts = [51820] ++ (b.filter (x: b.elem "udp" x.protocols) portsList |> map (x: x.port));
extraCommands =
portsAndIpsList
|> map (x: ''
${x.protocols |> map (protocol: "iptables -t nat -A PREROUTING -p ${protocol} --dport ${toString x.port} -j DNAT --to-destination ${x.destinationIp}") |> b.concatStringsSep "\n"}
${x.protocols |> map (protocol: "iptables -t nat -A POSTROUTING -p ${protocol} -d ${x.destinationIp} --dport ${toString x.port} -j SNAT --to-source 172.245.52.19") |> b.concatStringsSep "\n"}
'')
|> b.concatStringsSep "\n";
extraStopCommands =
portsAndIpsList
|> map (x: ''
${x.protocols |> map (protocol: "iptables -t nat -D PREROUTING -t nat -p ${protocol} --dport ${toString x.port} -j DNAT --to-destination ${x.destinationIp}") |> b.concatStringsSep "\n"}
${x.protocols |> map (protocol: "iptables -t nat -D POSTROUTING -t nat -p ${protocol} -d ${x.destinationIp} --dport ${toString x.port} -j SNAT --to-source 172.245.52.19") |> b.concatStringsSep "\n"}
'')
|> b.concatStringsSep "\n";
interfaces.wg0 = {
allowedUDPPorts = [53];
allowedTCPPorts = [53];
};
};
systemd.network.netdevs = {
"50-wg0" = {
netdevConfig = {
Kind = "wireguard";
Name = "wg0";
MTUBytes = "1300";
};
wireguardConfig = {
ListenPort = 51820;
PrivateKeyFile = config.sops.secrets.wireguard-privatekey.path;
RouteTable = "main";
};
wireguardPeers = [
{
# hopper
PublicKey = "P5W5/m9VnWcbdR6e3rs4Yars4Qb2rPjkRmCAbgja4Ug=";
AllowedIPs = ["10.0.0.2" "fd12:1e51:ca23::2"];
}
{
# nixdesk
PublicKey = "DMauL/fv08yXvVtyStsUfg/OM+ZJwMNvguQ59X/KU2Q=";
AllowedIPs = ["10.0.0.3" "fd12:1e51:ca23::3"];
}
];
};
};
systemd.network.networks.wg0 = {
matchConfig.Name = "wg0";
address = ["10.0.0.1/10" "fd12:1e51:ca23::1/64"];
networkConfig = {
IPMasquerade = "ipv4";
IPv4Forwarding = true;
};
};
services.dnsmasq = {
enable = true;
resolveLocalQueries = false;
settings = {
server = ["1.1.1.1" "8.8.8.8"];
interface = ["wg0"];
bind-interfaces = true;
};
};
# networking.wireguard = {
# enable = true;
# interfaces.wg0 = {
# ips = ["10.0.0.0/10"];
# listenPort = 51820;
# postSetup = ''
# ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
# '';
# postShutdown = ''
# ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
# '';
#
# privateKeyFile = config.sops.secrets.wireguard-privatekey.path;
#
# peers = [
# {
# # hopper
# publicKey = "P5W5/m9VnWcbdR6e3rs4Yars4Qb2rPjkRmCAbgja4Ug=";
# allowedIPs = ["10.0.0.1/32"];
# }
# ];
# };
# };
}