Merge branch 'master' of ssh://git.giugl.io:10022/peperunas/nixos

This commit is contained in:
Giulio De Pasquale 2021-11-25 12:35:03 +01:00
commit 40b00f3eeb
7 changed files with 106 additions and 78 deletions


@ -30,7 +30,7 @@
nixosConfigurations = { nixosConfigurations = {
architect = host.mkHost { name = "architect"; users = [ { user = "giulio"; roles = [ "git" ]; } ]; }; architect = host.mkHost { name = "architect"; users = [ { user = "giulio"; roles = [ "git" ]; } ]; };
gAluminum = host.mkHost { name = "gAluminum"; users = [ { user = "giulio"; roles = [ "desktop" "ssh" "git" ]; } ]; roles = [ "gnome" ]; }; gAluminum = host.mkHost { name = "gAluminum"; users = [ { user = "giulio"; roles = [ "desktop" "ssh" "git" ]; } ]; roles = [ "gnome" ]; };
proxy = host.mkHost { name = "proxy"; }; proxy = host.mkHost { name = "proxy"; users = []; };
}; };
}; };
} }


@ -1,22 +1,28 @@
{pkgs, config, ...}: {pkgs, config, ...}:
let let
public_ip = "23.88.108.216";
realm = "turn.giugl.io"; realm = "turn.giugl.io";
static-auth-secret = "69duck duck fuck420"; static-auth-secret = "69duck duck fuck420";
in { in {
services.coturn = rec { services.coturn = rec {
inherit realm static-auth-secret;
secure-stun = true;
enable = true; enable = true;
no-cli = true; no-cli = true;
no-tcp-relay = true; no-tcp-relay = true;
min-port = 49000; min-port = 49000;
max-port = 50000; max-port = 50000;
use-auth-secret = true; use-auth-secret = true;
# cert = "${config.security.acme.certs.${realm}.directory}/full.pem"; relay-ips = [ public_ip ];
# pkey = "${config.security.acme.certs.${realm}.directory}/key.pem"; listening-ips = [ public_ip ];
cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
extraConfig = '' extraConfig = ''
# for debugging
verbose verbose
# ban private IP ranges
cipher-list=\"HIGH\"
no-multicast-peers no-multicast-peers
denied-peer-ip=0.0.0.0-0.255.255.255 denied-peer-ip=0.0.0.0-0.255.255.255
denied-peer-ip=10.0.0.0-10.255.255.255 denied-peer-ip=10.0.0.0-10.255.255.255
@ -42,7 +48,6 @@ in {
denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
''; '';
}; };
# open the firewall
networking.firewall = { networking.firewall = {
interfaces.ens3 = let interfaces.ens3 = let
range = with config.services.coturn; [ { range = with config.services.coturn; [ {
@ -52,15 +57,18 @@ in {
in in
{ {
allowedUDPPortRanges = range; allowedUDPPortRanges = range;
allowedUDPPorts = [ 3478 ]; allowedUDPPorts = [ 5349 ];
allowedTCPPortRanges = range; #allowedTCPPortRanges = range;
allowedTCPPorts = [ 3478 ]; allowedTCPPorts = [ 80 443 5349 ];
}; };
}; };
# get a certificate
# security.acme.certs.${realm} = { services.nginx.enable = true;
# webroot = "/var/lib/acme/acme-challenge"; services.nginx.virtualHosts.${realm} = {
# postRun = "systemctl restart coturn.service"; addSSL = true;
# group = "turnserver"; enableACME = true;
# }; };
# to access the ACME files
users.groups.nginx.members = [ "turnserver" ];
} }
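Review bot: `static-auth-secret = "69duck duck fuck420"` on the `let` line is a plain literal in the Nix expression, so it is committed to git and, since the NixOS coturn module presumably renders turnserver.conf into the world-readable /nix/store, every local user can read the shared secret that `use-auth-secret` relies on; move it out of the expression (e.g. `static-auth-secret-file = "/secrets/coturn/auth-secret";` if the module version in use has that option, otherwise load it at activation time the way the WireGuard key is kept under /secrets) and rotate the value, which is now in history. Separately, `cipher-list=\"HIGH\"` sits inside a `''` indented string, where a backslash is not an escape character, so the backslashes are written verbatim into turnserver.conf and the resulting cipher string is presumably rejected by OpenSSL; write `cipher-list="HIGH"`. The commented-out ACME block that this hunk removes carried `postRun = "systemctl restart coturn.service"`, and the nginx-based replacement has no equivalent, so coturn will keep serving the old certificate after a renewal until something restarts it; consider `security.acme.certs.${realm}.postRun = "systemctl restart coturn.service";`. `verbose`, marked "for debugging", is also still part of the shipped config.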


@ -1,68 +1,29 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
{ {
imports = imports = [
[
./hardware-configuration.nix ./hardware-configuration.nix
./coturn.nix ./coturn.nix
./wireguard.nix
./ssh.nix
]; ];
boot.loader.grub.enable = true; boot.loader.grub = {
boot.loader.grub.version = 2; enable = true;
version = 2;
devices = [ "/dev/sda" ];
};
system.stateVersion = "21.05"; # Did you read the comment? system.stateVersion = "21.05";
boot.loader.grub.devices = [ "/dev/sda" ];
services.openssh.permitRootLogin = "prohibit-password";
services.openssh.passwordAuthentication = false;
services.openssh.enable = true;
networking = { networking = {
useDHCP = false; useDHCP = false;
hostName = "proxy"; hostName = "proxy";
nameservers = [ "10.4.0.2" "1.1.1.1" ]; nameservers = [ "10.4.0.2" "1.1.1.1" ];
firewall.allowedTCPPorts = [ 22 ];
interfaces.ens3.useDHCP = true; interfaces.ens3.useDHCP = true;
nat = {
enable = true;
externalInterface = "ens3";
internalInterfaces = ["wg0"];
forwardPorts = [
{
destination = "10.4.0.2:1194";
proto = "udp";
sourcePort = 1194;
}
];
}; };
wireguard = {
interfaces."wg0" = {
listenPort = 1195;
ips = [ "10.4.0.1/24" ];
privateKeyFile = "/secrets/wireguard/server.key";
postSetup = ''
/run/current-system/sw/bin/iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
'';
postShutdown = ''
/run/current-system/sw/bin/iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE
'';
peers = [
{
allowedIPs = [ "10.4.0.2" "10.3.0.0/24" ];
publicKey = "73oFhyQA3mgX4GmN6ul5HuOsgxa4INlzCPsyuXna0AA=";
}
];
};
};
};
services = {
fail2ban.enable = true;
};
users.users.root.openssh.authorizedKeys.keys = [ users.users.root.openssh.authorizedKeys.keys = [
"ssh-rsa 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 giulio@gAluminum" "ssh-rsa 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 giulio@gAluminum"
]; ];

15
hosts/proxy/ssh.nix Normal file

@ -0,0 +1,15 @@
{ config, ...}:
{
services = {
fail2ban.enable = true;
openssh = {
permitRootLogin = "prohibit-password";
passwordAuthentication = false;
enable = true;
};
};
networking.firewall.allowedTCPPorts = [ 22 ];
}
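Review bot: `passwordAuthentication = false` on its own does not close password logins on this host, because the NixOS sshd module leaves `challengeResponseAuthentication` (the option name on the 21.05 release this host declares; `kbdInteractiveAuthentication` on newer ones) at its default of enabled, and with UsePAM the keyboard-interactive method can still prompt for the root password; add `challengeResponseAuthentication = false;` beside it. Root remains the only SSH principal (`permitRootLogin = "prohibit-password"` here, the root authorized key in default.nix), which is worth stating as deliberate, e.g. `# key-only root login; this host has no unprivileged accounts`. Port 22 opened on the last line is presumably meant to be covered by fail2ban's default sshd jail, which is a module default rather than anything visible here, so a one-line comment recording that expectation would help the next reader.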

46
hosts/proxy/wireguard.nix Normal file

@ -0,0 +1,46 @@
{ config, ...}:
let
wg_if = "wg0";
wan_if = "ens3";
in {
networking = {
firewall.allowedUDPPorts = [ 1195 ];
nat = {
enable = true;
externalInterface = wan_if;
internalInterfaces = [ wg_if ];
forwardPorts = [
{
destination = "10.4.0.2:1194";
proto = "udp";
sourcePort = 1194;
}
];
};
wireguard = {
interfaces.${wg_if} = {
listenPort = 1195;
ips = [ "10.4.0.1/24" ];
privateKeyFile = "/secrets/wireguard/server.key";
postSetup = ''
/run/current-system/sw/bin/iptables -t nat -A POSTROUTING -o ${wg_if} -j MASQUERADE
'';
postShutdown = ''
/run/current-system/sw/bin/iptables -t nat -D POSTROUTING -o ${wg_if} -j MASQUERADE
'';
peers = [
{
allowedIPs = [ "10.4.0.2" "10.3.0.0/24" ];
publicKey = "73oFhyQA3mgX4GmN6ul5HuOsgxa4INlzCPsyuXna0AA=";
}
];
};
};
};
}
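Review bot: The `postSetup` rule `-t nat -A POSTROUTING -o ${wg_if} -j MASQUERADE` source-NATs everything entering the tunnel, so the UDP/1194 forward to `10.4.0.2` arrives there from `10.4.0.1` and the far end's logs and any rate limiting never see the real client address; the rule has no `-s` restriction either, so every forwarded flow into wg0 is hidden the same way. If that is intentional (so `10.4.0.2` can reply without a route back to the Internet through wg0), record it above the rule, e.g. `# SNAT into the tunnel: 10.4.0.2 only ever sees 10.4.0.1, so it needs no return route; original client IPs are lost on the far side`; note this is the opposite direction from what `networking.nat` with `internalInterfaces = [ wg_if ]` already masquerades. Minor: `config` is bound but unused, and `/run/current-system/sw/bin/iptables` couples the hooks to the system profile, so taking `pkgs` in the argument set and using `${pkgs.iptables}/bin/iptables` would make the unit self-contained.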

@ -1 +0,0 @@
Subproject commit 8ed0f28dc78dfc482c397056b73a6a1e680e8af0

@ -1 +0,0 @@
Subproject commit fe8eed08ff9f6e09abaa8216beaa45aa83767862