Removed old and unused VPN configs. Cleanup of firewall rules. Removed Giulio devices from WG

2023-02-15 00:30:26 +01:00 · 2023-02-15 00:30:26 +01:00 · 650db37686
commit 650db37686
parent 3321ec122a
3 changed files with 3 additions and 91 deletions
--- a/hosts/architect/firewall.nix
+++ b/hosts/architect/firewall.nix
@ -60,7 +60,6 @@ in
            iifname ${wan-if} ip saddr ${vpn-net} drop comment "bind any ip to intf ${wan-if}"
            iifname ${wan-if} ip saddr 127.0.0.0/8 drop comment "bind any ip to intf ${wan-if}"
            iifname ${wan-if} accept comment "bind any ip to intf ${wan-if}"
-            iifname ${proxy-if} ip saddr ${proxy-net} accept comment "bind ip ${proxy-net} to intf ${proxy-if}"
            iifname ${vpn-if} ip saddr ${vpn-net} accept comment "bind ip ${vpn-net} to intf ${vpn-if}"
            iifname ${docker-if} ip saddr ${docker-net} accept comment "bind ip ${docker-net} to intf ${docker-if}"
            iifname ${tailscale-if} ip saddr ${tailscale-net} accept
@ -134,14 +133,6 @@ in
            type filter hook forward priority filter; policy drop;
            ct state established,related accept
                    
-            # gdevices talking to everyone in VPN
-            ip saddr {${
-              lib.concatStringsSep "," gdevices
-            }} ip daddr ${vpn-net} accept
-            ip saddr {${
-              lib.concatStringsSep "," gamenet-wg
-            }} ip daddr {${lib.concatStringsSep "," gamenet-wg}} accept
-                    
            # nat to wan
            oifname ${wan-if} ip saddr {${
              lib.concatStringsSep "," towan-wg
--- a/hosts/architect/network.nix
+++ b/hosts/architect/network.nix
@ -9,7 +9,6 @@ rec {
  # nets
  lan-net = "10.0.0.0/24";
  vpn-net = "10.3.0.0/24";
-  proxy-net = "10.4.0.0/24";
  external_lan-net = "192.168.1.0/24";
  docker-net = "172.17.0.0/16";
  tailscale-net = "100.64.0.0/10";
@ -21,16 +20,10 @@ rec {
  architect-lan = "10.0.0.250";

  architect-wg = "10.3.0.1";
-  giuliopc-wg = "10.3.0.2";
-  giuliophone-wg = "10.3.0.3";
-  giuliodeck-wg = "10.3.0.4";
  manduria-wg = "10.3.0.5";
  antonio-wg = "10.3.0.6";
  gbeast-wg = "10.3.0.7";
-  peppiniell-wg = "10.3.0.10";
-  padulino-wg = "10.3.0.11";
  shield-wg = "10.3.0.12";
-  pepos-wg = "10.3.0.15";
  salvatore-wg = "10.3.0.16";
  papa-wg = "10.3.0.17";
  defy-wg = "10.3.0.18";
@ -51,9 +44,6 @@ rec {
  parina-ipad-wg = "10.3.0.33";
  kclvm-wg = "10.3.0.34";
  framecca-wg = "10.3.0.35";
-  eleonora-wg = "10.3.0.100";
-  angellane-wg = "10.3.0.203";
-  hotpottino-wg = "10.3.0.201";
  dodino-wg = "10.3.0.202";

  giuliophone-ts = "100.68.68.46";
@ -64,14 +54,4 @@ rec {
  # groups
  gdevices = [ giuliophone-ts architect-ts giuliopc-ts dodino-ts ];
  towan-wg = [ shield-wg parina-wg parina-ipad-wg germano-wg framecca-wg ];
-  gamenet-wg = [
-    andrew-wg
-    giuliopc-wg
-    gbeast-wg
-    mikey-wg
-    andrewdesktop-wg
-    mikeylaptop-wg
-    flavio-wg
-    salvatore-wg
-  ];
 }
--- a/hosts/architect/wireguard.nix
+++ b/hosts/architect/wireguard.nix
@ -1,5 +1,7 @@
 { config, lib, ... }:
+
 with import ./network.nix;
+
 let
  listenPort = 1194;
 in
@ -12,18 +14,10 @@ in
  networking = {
    extraHosts = ''
      ${architect-wg} architect.devs.giugl.io
-      ${giuliopc-wg}     kmerr.devs.giugl.io
-      ${giuliophone-wg}  chuck.devs.giugl.io
      ${manduria-wg} manduria.devs.giugl.io
      ${antonio-wg}  antonio.devs.giugl.io
      ${gbeast-wg}   gbeast.devs.giugl.io
-      ${peppiniell-wg}       peppiniell.devs.giugl.io
-      ${padulino-wg} padulino.devs.giugl.io
      ${shield-wg}   shield.devs.giugl.io
-      ${pepos-wg}        pepos.devs.giugl.io
-      ${eleonora-wg} eleonora.devs.giugl.io
-      ${angellane-wg}       angellane.devs.giugl.io
-      ${hotpottino-wg}       hotpottino.devs.giugl.io
      ${salvatore-wg}         salvatore.devs.giugl.io
      ${papa-wg}            papa.devs.giugl.io
      ${defy-wg}            defy.devs.giugl.io
@ -41,7 +35,6 @@ in
      ${parina-ipad-wg}     parinaipad.devs.giugl.io
      ${nilo-wg}            nilo.devs.giugl.io
      ${kclvm-wg}           kclvm.devs.giugl.io
-      ${giuliodeck-wg}      giuliodeck.devs.giugl.io
      ${framecca-wg}        framecca.devs.giugl.io
    '';

@ -53,18 +46,6 @@ in
        privateKeyFile = "/secrets/wireguard/server.key";

        peers = [
-          {
-            # giuliopc
-            allowedIPs = [ giuliopc-wg ];
-            publicKey = "pEEgSs7xmO0cfyvoQlU8lfwqdYM1ISgmPAunPtF+0xw=";
-          }
-
-          {
-            # giuliophone
-            allowedIPs = [ giuliophone-wg ];
-            publicKey = "zynSERy6VhxN5zBf1ih3BOAHxvigDixHB9YKnSBgYFs=";
-          }
-
          {
            # Manduria
            allowedIPs = [ manduria-wg ];
@ -77,48 +58,18 @@ in
            publicKey = "SPndCvEzuLHtGAQV8u/4dfLlFHoPcXS3L98oFOwTljc=";
          }

-          {
-            # Eleonora
-            allowedIPs = [ eleonora-wg ];
-            publicKey = "SL54f1ZeieFyn5X5UAPmypP10GV/c419O94vCzGHFhg=";
-          }
-
-          {
-            # padulino
-            allowedIPs = [ padulino-wg ];
-            publicKey = "sk2Wr2OesND9jcuP/8k7BirSpR4pNNbS9gBkbOxZxwg=";
-          }
-
          {
            # GBEAST
            allowedIPs = [ gbeast-wg ];
            publicKey = "XiK+wk+DErz0RmCWRxuaJN1cvdj+3DoiU6tcR+uZfAI=";
          }

-          {
-            # peppiniell
-            allowedIPs = [ peppiniell-wg ];
-            publicKey = "bzoW3Rx+7Un9hx/2opgBQJmmnZ/hgj1lQ2FnonCHjTc=";
-          }
-
-          {
-            # hotpottino
-            allowedIPs = [ hotpottino-wg ];
-            publicKey = "YqtzTWqGBs2GwSPNO0aRSV4nvJDW3UHHt6fV4UC7vnU=";
-          }
-
          {
            # shield
            allowedIPs = [ shield-wg ];
            publicKey = "1GaV/M48sHqQTrBVRQ+jrFU2pUMmv2xkguncVcwPCFs=";
          }

-          {
-            # pepos
-            allowedIPs = [ pepos-wg ];
-            publicKey = "mb1VaMLML5J24oCMBuhqvBrT6S4tAqWERn30z+h/LwM=";
-          }
-
          {
            # salvatore
            allowedIPs = [ salvatore-wg ];
@ -173,12 +124,6 @@ in
            publicKey = "svzWYIZ6v+cLCp/emGG7mx2YpBJqw2fqjVuHZy7b6H0=";
          }

-          {
-            # angel-lane
-            allowedIPs = [ angellane-wg ];
-            publicKey = "UJRJcAOcnEjEB3o4K2I7gEM97SrhENEesZNf28z+EBQ=";
-          }
-
          {
            # mikey
            allowedIPs = [ mikey-wg ];
@ -244,11 +189,7 @@ in
            allowedIPs = [ kclvm-wg ];
            publicKey = "jVBaY8AhgAA7myVjU/PJPDUCOjsCi23LT+pGZUoNEkE=";
          }
-          {
-            # Giulio's Deck
-            allowedIPs = [ giuliodeck-wg ];
-            publicKey = "7TGYsYvElTLY3V7qJfggkF+kFG7Y5sUsHA88h0cYJx0=";
-          }
+
          {
            allowedIPs = [ framecca-wg ];
            publicKey = "w0XPu5GcDA2vpNk3KCFRdWNVVQHRtAPApEsK1h3Ovyk=";