architect: removed wireguard

Giulio De Pasquale 2023-10-21 15:00:58 +02:00
parent 08d5181da8
commit 5d93c40c8f
26 changed files with 20 additions and 289 deletions


@ -10,13 +10,12 @@ in
};
architect.vhost.${domain} = with config.architect.networks; {
dnsInterfaces = [ "wireguard" "tailscale" ];
dnsInterfaces = [ "tailscale" ];
locations."/" = {
allowLan = true;
port = 6767;
allow = [
wireguard.net
tailscale.net
];
};


@ -3,7 +3,7 @@
let
domain = "books.giugl.io";
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in
@ -32,7 +32,6 @@ in
networking.extraHosts = ''
${architectInterfaceAddress "lan"} ${domain}
${architectInterfaceAddress "wireguard"} ${domain}
${architectInterfaceAddress "tailscale"} ${domain}
'';


@ -22,7 +22,6 @@ in
./bazarr.nix
./nzbget.nix
./nextcloud.nix
./wireguard.nix
./minio.nix
./matrix.nix
./fail2ban.nix


@ -39,14 +39,13 @@ in
};
architect.vhost.${domain} = with config.architect.networks; {
dnsInterfaces = [ "lan" "wireguard" "tailscale" ];
dnsInterfaces = [ "lan" "tailscale" ];
locations = {
"/" = {
allowLan = true;
port = 8112;
allow = [
wireguard.net
tailscale.net
];
};


@ -8,7 +8,7 @@ in
firewall.openUDPVPN = [ 53 ];
vhost.${domain} = {
dnsInterfaces = [ "lan" "tailscale" "wireguard" ];
dnsInterfaces = [ "lan" "tailscale" ];
locations."/" = with config; {
port = services.adguardhome.settings.bind_port;
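Review bot: `firewall.openUDPVPN = [ 53 ];` on the first line of this hunk is kept, but the only rules on this page that consume `openUDPVPN`/`openTCPVPN` — the `iifname ${wireguard.interface} … dport {${openUDPVPN}} accept` lines in the firewall hunk at `@ -151,10 +129,6` — are removed by this commit, and the other setter (`openUDPVPN = lib.singleton listenPort` in the deleted wireguard.nix) is gone too. Unless the option is consumed somewhere outside this page, it is now dead configuration that suggests DNS is exposed on a VPN interface when no rule does that; tailscale traffic is already admitted wholesale by `iifname ${tailscale.interface} ip saddr ${tailscale.net} accept`. I would drop this line and retire the `openTCPVPN`/`openUDPVPN` options in the same change, or leave a comment stating what still consumes them. The option declarations are not visible here, so this is inferred from the visible consumers.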


@ -16,23 +16,6 @@ let
(deviceAddress "tailscale" "kmerr")
(deviceAddress "tailscale" "chuck")
];
wireguardToWAN = [
(deviceAddress "wireguard" "shield")
(deviceAddress "wireguard" "parina")
(deviceAddress "wireguard" "parina-ipad")
(deviceAddress "wireguard" "germano")
];
frameccaDevices = [
(deviceAddress "wireguard" "framecca")
(deviceAddress "wireguard" "framecca_one")
(deviceAddress "wireguard" "framecca_two")
(deviceAddress "wireguard" "framecca_three")
(deviceAddress "wireguard" "framecca_four")
];
clientToClientWireguard = frameccaDevices;
in
{
networking = {
@ -71,9 +54,6 @@ in
chain POSTROUTING {
type nat hook postrouting priority srcnat; policy accept;
oifname ${lan.interface} ip saddr {${
lib.concatStringsSep "," wireguardToWAN
}} masquerade
oifname ${lan.interface} ip saddr ${docker.net} masquerade
oifname ${lan.interface} ip saddr ${tailscale.net} masquerade
}
@ -85,10 +65,8 @@ in
ct state invalid,untracked drop comment "drop invalid"
ip daddr 255.255.255.255 accept comment "allow broadcast traffic"
ip daddr 224.0.0.0/4 accept comment "allow multicast traffic"
iifname ${lan.interface} ip saddr ${wireguard.net} drop comment "bind any ip to intf ${lan.interface}"
iifname ${lan.interface} ip saddr 127.0.0.0/8 drop comment "bind any ip to intf ${lan.interface}"
iifname ${lan.interface} accept comment "bind any ip to intf ${lan.interface}"
iifname ${wireguard.interface} ip saddr ${wireguard.net} accept comment "bind ip ${wireguard.net} to intf ${wireguard.interface}"
iifname ${docker.interface} ip saddr ${docker.net} accept comment "bind ip ${docker.net} to intf ${docker.interface}"
iifname ${tailscale.interface} ip saddr ${tailscale.net} accept
iifname ${tailscale.interface} ip saddr 100.100.100.100/32 accept
@ -151,10 +129,6 @@ in
iifname ${lan.interface} tcp dport {${openTCP}} accept
iifname ${lan.interface} udp dport {${openUDP}} accept
iifname ${wireguard.interface} tcp dport {${openTCPVPN}} accept
iifname ${wireguard.interface} udp dport {${openUDPVPN}} accept
iifname ${wireguard.interface} icmp type echo-request accept
jump filter_drop
}
@ -162,16 +136,6 @@ in
type filter hook forward priority filter; policy drop;
ct state established,related accept
# client to client
ip saddr {${lib.concatStringsSep "," clientToClientWireguard}} ip daddr {${
lib.concatStringsSep "," clientToClientWireguard
}} accept
# nat to wan
oifname ${lan.interface} ip saddr {${
lib.concatStringsSep "," wireguardToWAN
}} accept
oifname ${lan.interface} ip saddr ${docker.net} accept
oifname ${lan.interface} ip saddr ${tailscale.net} accept
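Review bot: After `iifname ${lan.interface} ip saddr ${wireguard.net} drop` is removed (hunk `@ -85,10 +65,8`), the only source-address guard left before the blanket `iifname ${lan.interface} accept` is the 127.0.0.0/8 line; there is no equivalent `iifname ${lan.interface} ip saddr ${tailscale.net} drop`, even though `tailscale.net` is used as a trust selector here (`iifname ${tailscale.interface} ip saddr ${tailscale.net} accept`) and in the vhost `allow` lists elsewhere in this commit. The gap is pre-existing, but the wireguard line was the template for closing it; adding `iifname ${lan.interface} ip saddr ${tailscale.net} drop comment "bind any ip to intf ${lan.interface}"` next to the 127/8 line would keep the interface/address binding symmetric for the one VPN that remains. The `let` block and the nftables ruleset string begin and end outside these hunks, so other guards may exist that are not visible.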


@ -7,7 +7,7 @@ in
architect = {
firewall.openTCP = [ config.services.gitea.settings.server.SSH_PORT ];
vhost.${domain} = {
dnsInterfaces = [ "lan" "tailscale" "wireguard" ];
dnsInterfaces = [ "lan" "tailscale" ];
locations."/".port = config.services.gitea.settings.server.HTTP_PORT;
};
};


@ -11,9 +11,9 @@ in
hmac_key = "a2a91eca269d26de1221285e8981879834045bff";
};
};
architect.vhost.${domain} = {
dnsInterfaces = [ "lan" "tailscale" "wireguard" ];
dnsInterfaces = [ "lan" "tailscale" ];
locations."/".port = config.services.invidious.port;
};
}
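Review bot: The `hmac_key = "…"` line carried as context at the top of this hunk is a literal secret inside a Nix module; it is not introduced by this commit, but since the file is being touched it is worth raising that values under `services.invidious.settings` are rendered into the Nix store, which is world-readable on the host, and the value is already in git history. Move it out of the repository (the upstream NixOS invidious module exposes a key-file option, `services.invidious.hmacKeyFile`, if this nixpkgs revision has it) and rotate the key, treating the current value as disclosed. The enclosing `services.invidious` attrset starts outside this hunk.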


@ -10,13 +10,12 @@ in
systemd.services.jellyfin.serviceConfig.StateDirectory = lib.mkForce "";
architect.vhost.${domain} = with config.architect.networks; {
dnsInterfaces = [ "lan" "wireguard" "tailscale" ];
dnsInterfaces = [ "lan" "tailscale" ];
locations = {
"/" = {
inherit port allowLan;
allow = [
wireguard.net
tailscale.net
];
};
@ -26,7 +25,6 @@ in
proxyWebsockets = true;
allow = [
wireguard.net
tailscale.net
];
};


@ -76,7 +76,6 @@ in
networking.extraHosts = ''
${architectInterfaceAddress "lan"} ${domain}
${architectInterfaceAddress "wireguard"} ${domain}
${architectInterfaceAddress "tailscale"} ${domain}
'';
}


@ -8,9 +8,9 @@ in
enable = true;
port = 9090;
};
architect.vhost.${domain} = {
dnsInterfaces = [ "lan" "tailscale" "wireguard" ];
dnsInterfaces = [ "lan" "tailscale" ];
locations."/".port = config.services.libreddit.port;
};
}


@ -28,7 +28,6 @@ in
networking.extraHosts = ''
${architectInterfaceAddress "lan"} ${domain}
${architectInterfaceAddress "wireguard"} ${domain}
${architectInterfaceAddress "tailscale"} ${domain}
'';


@ -111,7 +111,6 @@ in
networking.extraHosts = ''
${architectInterfaceAddress "lan"} ${domain}
${architectInterfaceAddress "wireguard"} ${domain}
${architectInterfaceAddress "tailscale"} ${domain}
'';
}


@ -19,7 +19,6 @@ in
networking.extraHosts = ''
${architectInterfaceAddress "lan"} ${domain}
${architectInterfaceAddress "wireguard"} ${domain}
${architectInterfaceAddress "tailscale"} ${domain}
'';
}


@ -30,7 +30,6 @@ in
networking.extraHosts = ''
${architectInterfaceAddress "lan"} ${domain}
${architectInterfaceAddress "wireguard"} ${domain}
${architectInterfaceAddress "tailscale"} ${domain}
'';
}


@ -22,7 +22,7 @@ in
};
architect.vhost.${domain} = {
dnsInterfaces = [ "lan" "tailscale" "wireguard" ];
dnsInterfaces = [ "lan" "tailscale" ];
locations."/" = {
port = 4533;
allowLan = true;


@ -78,7 +78,6 @@ in
networking.extraHosts = ''
${architectInterfaceAddress "lan"} ${domain}
${architectInterfaceAddress "wireguard"} ${domain}
${architectInterfaceAddress "tailscale"} ${domain}
'';


@ -10,7 +10,7 @@ in
};
architect.vhost.${domain} = {
dnsInterfaces = [ "tailscale" "wireguard" "lan" ];
dnsInterfaces = [ "tailscale" "lan" ];
locations."/" = {
port = 6789;


@ -17,7 +17,7 @@ in
};
architect.vhost.${domain} = with config.architect.networks; {
dnsInterfaces = [ "lan" "wireguard" "tailscale" ];
dnsInterfaces = [ "lan" "tailscale" ];
locations = {
"/" = {
inherit port;
@ -25,7 +25,6 @@ in
proxyWebsockets = true;
# allowLan = true;
# allow = [
# wireguard.net
# tailscale.net
# ];
extraConfig = ''


@ -45,7 +45,6 @@ in
networking.extraHosts = ''
${architectInterfaceAddress "lan"} ${domain}
${architectInterfaceAddress "wireguard"} ${domain}
${architectInterfaceAddress "tailscale"} ${domain}
'';


@ -7,7 +7,7 @@ in
services.prowlarr.enable = true;
architect.vhost.${domain} = {
dnsInterfaces = [ "tailscale" "wireguard" ];
dnsInterfaces = [ "tailscale" ];
locations."/" = {
port = 9696;


@ -10,13 +10,12 @@ in
};
architect.vhost.${domain} = with config.architect.networks; {
dnsInterfaces = [ "wireguard" "tailscale" ];
dnsInterfaces = [ "tailscale" ];
locations."/" = {
port = 7878;
allowLan = true;
allow = [
wireguard.net
tailscale.net
];
};


@ -43,7 +43,6 @@ in
networking.extraHosts = ''
${architectInterfaceAddress "lan"} ${domain}
${architectInterfaceAddress "wireguard"} ${domain}
${architectInterfaceAddress "tailscale"} ${domain}
'';
}


@ -8,15 +8,15 @@ in
enable = true;
group = "media";
};
architect.vhost.${domain} = {
dnsInterfaces = [ "tailscale" "wireguard" ];
dnsInterfaces = [ "tailscale" ];
locations."/" = {
port = 6969;
allowLan = true;
};
};
users.groups.media.members = [ "sonarr" ];
}


@ -19,7 +19,8 @@ in
dodino = { address = "100.64.0.5"; hostname = "dodino.${domain}"; };
manduria = { address = "100.64.0.6"; hostname = "manduria.${domain}"; };
tommy = { address = "100.64.0.7"; hostname = "tommy.${domain}"; };
ucsb-workstation = { address = "100.64.0.8"; hostname = "ucsb-workstation.${domain}"; };
# ucsb-workstation = { address = "100.64.0.8"; hostname = "ucsb-workstation.${domain}"; };
ucsb-workstation = { address = "100.64.0.10"; hostname = "ucsb-workstation.${domain}"; };
alfredo = { address = "100.64.0.9"; hostname = "alfredo.${domain}"; };
parallels = { address = "100.64.0.3"; hostname = "parallels.${domain}"; };
};
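Review bot: The `ucsb-workstation` address change from `100.64.0.8` to `100.64.0.10` is unrelated to removing wireguard, and the old definition is kept as a commented-out line instead of being deleted. Git history already records the previous address, so the `# ucsb-workstation = …` line is dead text that will drift out of sync; I would drop it and, if the reassignment needs explaining, say so in the commit message or a one-line `# reassigned from 100.64.0.8` comment. Entries resolved through `deviceAddress "tailscale" "ucsb-workstation"` follow the change automatically, but any hard-coded `100.64.0.8` in firewall or vhost `allow` lists would not; none is visible on this page. The enclosing `devices` attrset starts outside this hunk.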


@ -1,218 +0,0 @@
{ config, lib, ... }:
let
listenPort = 1194;
domain = "devs.giugl.io";
interface = "wireguard";
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) generateDeviceStrings getDeviceAddress;
getWireguardDeviceAddress = getDeviceAddress "wireguard";
in
{
architect = {
firewall = {
openUDP = lib.singleton listenPort;
openUDPVPN = lib.singleton listenPort;
};
networks.${interface} = {
interface = "wg0";
net = "10.3.0.0/24";
devices = {
architect = { address = "10.3.0.1"; hostname = "architect.${domain}"; };
antonio = { address = "10.3.0.6"; hostname = "antonio.${domain}"; };
gbeast = { address = "10.3.0.7"; hostname = "gbeast.${domain}"; };
shield = { address = "10.3.0.12"; hostname = "shield.${domain}"; };
salvatore = { address = "10.3.0.16"; hostname = "salvatore.${domain}"; };
papa = { address = "10.3.0.17"; hostname = "papa.${domain}"; };
defy = { address = "10.3.0.18"; hostname = "defy.${domain}"; };
germano = { address = "10.3.0.19"; hostname = "germano.${domain}"; };
flavio = { address = "10.3.0.20"; hostname = "flavio.${domain}"; };
alain = { address = "10.3.0.22"; hostname = "alain.${domain}"; };
dima = { address = "10.3.0.23"; hostname = "dima.${domain}"; };
mikey = { address = "10.3.0.24"; hostname = "mikey.${domain}"; };
andrew = { address = "10.3.0.25"; hostname = "andrew.${domain}"; };
mikeylaptop = { address = "10.3.0.26"; hostname = "mikeylaptop.${domain}"; };
andrewdesktop = { address = "10.3.0.27"; hostname = "andrewdesktop.${domain}"; };
jacopo = { address = "10.3.0.28"; hostname = "jacopo.${domain}"; };
frznn = { address = "10.3.0.29"; hostname = "frznn.${domain}"; };
ludo = { address = "10.3.0.30"; hostname = "ludo.${domain}"; };
parina = { address = "10.3.0.31"; hostname = "parina.${domain}"; };
nilo = { address = "10.3.0.32"; hostname = "nilo.${domain}"; };
parina-ipad = { address = "10.3.0.33"; hostname = "parina-ipad.${domain}"; };
kclvm = { address = "10.3.0.34"; hostname = "kclvm.${domain}"; };
framecca = { address = "10.3.0.35"; hostname = "framecca.${domain}"; };
framecca_one = { address = "10.3.0.36"; hostname = "framecca_one.${domain}"; };
framecca_two = { address = "10.3.0.37"; hostname = "framecca_two.${domain}"; };
framecca_three = { address = "10.3.0.38"; hostname = "framecca_three.${domain}"; };
framecca_four = { address = "10.3.0.39"; hostname = "framecca_four.${domain}"; };
};
};
};
networking = {
extraHosts = generateDeviceStrings config.architect.networks.wireguard.devices;
wireguard = {
interfaces.${config.architect.networks.wireguard.interface} = {
inherit listenPort;
ips = [ "${config.architect.networks.wireguard.devices.architect.address}/24" ];
privateKeyFile = "/secrets/wireguard/server.key";
peers = [
{
# Antonio
allowedIPs = [ (getWireguardDeviceAddress "antonio") ];
publicKey = "SPndCvEzuLHtGAQV8u/4dfLlFHoPcXS3L98oFOwTljc=";
}
{
# GBEAST
allowedIPs = [ (getWireguardDeviceAddress "gbeast") ];
publicKey = "XiK+wk+DErz0RmCWRxuaJN1cvdj+3DoiU6tcR+uZfAI=";
}
{
# shield
allowedIPs = [ (getWireguardDeviceAddress "shield") ];
publicKey = "1GaV/M48sHqQTrBVRQ+jrFU2pUMmv2xkguncVcwPCFs=";
}
{
# salvatore
allowedIPs = [ (getWireguardDeviceAddress "salvatore") ];
publicKey = "fhlnBHeMyHZKLUCTSA9kmkKoM5x/qzz/rnCJrUh3Gzs=";
}
{
# papa
allowedIPs = [ (getWireguardDeviceAddress "papa") ];
publicKey = "oGHygt02Oni3IFbScKD0NVEfHKCp6bpw68aq5g4RrAA=";
}
{
# defy
allowedIPs = [ (getWireguardDeviceAddress "defy") ];
publicKey = "Cvi/eto7E6Ef+aiL81ou7x12fJCeuXrf/go9fxEqXG4=";
}
{
# germano
allowedIPs = [ (getWireguardDeviceAddress "germano") ];
publicKey = "LJ0DHY1sFVLQb3ngUGGH0HxbDOPb9KCUPSaYcjr5Uiw=";
}
{
# flavio
allowedIPs = [ (getWireguardDeviceAddress "flavio") ];
publicKey = "Yg0P+yHi/9SZHyoel8jT9fmmu+irLYmT8yMp/CZoaSg=";
}
{
# alain
allowedIPs = [ (getWireguardDeviceAddress "alain") ];
publicKey = "/o2msFJoUL4yovcIQJTU8c1faFtekrjSBBWJABouWno=";
}
{
# dima
allowedIPs = [ (getWireguardDeviceAddress "dima") ];
publicKey = "svzWYIZ6v+cLCp/emGG7mx2YpBJqw2fqjVuHZy7b6H0=";
}
{
# mikey
allowedIPs = [ (getWireguardDeviceAddress "mikey") ];
publicKey = "ewbDdX3z7nxG2aPIf9TogXkhxPlGipLFcy6XfyDC6gI=";
}
{
# andrew
allowedIPs = [ (getWireguardDeviceAddress "andrew") ];
publicKey = "LP/FgST9fmBQSoKQFq9sFGvjRFOtRooMcuEcjuqaoWM=";
}
{
# mikey laptop
allowedIPs = [ (getWireguardDeviceAddress "mikeylaptop") ];
publicKey = "kz/pY/PgV+dwF1JZ2It4r5B5QfRSQM7HkbFCdvd5Yxk=";
}
{
# andrew desktop
allowedIPs = [ (getWireguardDeviceAddress "andrewdesktop") ];
publicKey = "rpYr3JNLIzxpxzFuQuaHFEl/XvPEPfwLbDETBP8KYXI=";
}
{
# laptop desktop
allowedIPs = [ (getWireguardDeviceAddress "jacopo") ];
publicKey = "W/taWI79bPIKOolVVu5xZfiJnPw9K91Xn1zhcM0+4g0=";
}
{
# frznn
allowedIPs = [ (getWireguardDeviceAddress "frznn") ];
publicKey = "dXcrdME6VnnE5PBYwvUmayf7cn2wpcExeCR9gIXOO0o=";
}
{
# ludo
allowedIPs = [ (getWireguardDeviceAddress "ludo") ];
publicKey = "ecrxdzx7tQZwMPxZOjHUvxZT2xY79B6XEDIW+fhEtEM=";
}
{
# parina
allowedIPs = [ (getWireguardDeviceAddress "parina") ];
publicKey = "7nubNnfGsg4/7KemMDn9r99mNK8RFU9uOFFqaYv6rUA=";
}
{
# nilo
allowedIPs = [ (getWireguardDeviceAddress "nilo") ];
publicKey = "lhTEDJ9WnizvEHTd5kN21fTHF27HNk+fPLQnB1B3LW0=";
}
{
# parina ipad
allowedIPs = [ (getWireguardDeviceAddress "parina-ipad") ];
publicKey = "ezkCzl2qC7Hd7rFKfqMa0JXDKRhVqy79H52rA06x7mU=";
}
{
# kcl vm
allowedIPs = [ (getWireguardDeviceAddress "kclvm") ];
publicKey = "jVBaY8AhgAA7myVjU/PJPDUCOjsCi23LT+pGZUoNEkE=";
}
{
allowedIPs = [ (getWireguardDeviceAddress "framecca") ];
publicKey = "w0XPu5GcDA2vpNk3KCFRdWNVVQHRtAPApEsK1h3Ovyk=";
}
{
allowedIPs = [ (getWireguardDeviceAddress "framecca_one") ];
publicKey = "5PnmExv78fU3SS8liUWY/oBCcJ48wzmz/70O0U7K/xs=";
}
{
allowedIPs = [ (getWireguardDeviceAddress "framecca_two") ];
publicKey = "FbWfh2rL3OYLTDIte+MgctqL/bphn38eqpNy/chc3wM=";
}
{
allowedIPs = [ (getWireguardDeviceAddress "framecca_three") ];
publicKey = "Z3LRFs6CO0kUh4J3pf+HcPsWch3hUAwJBG8/b0Kqnxs=";
}
{
allowedIPs = [ (getWireguardDeviceAddress "framecca_four") ];
publicKey = "g/Ta12igzxSlCxy7KP865qf+l3+r1LjOo6UXjulmPBc=";
}
];
};
};
};
}