From 650db3768641053117acf934954d2e813b975083 Mon Sep 17 00:00:00 2001
From: Giulio De Pasquale
Date: Wed, 15 Feb 2023 00:30:26 +0100
Subject: [PATCH] Removed old and unused VPN configs. Cleanup of firewall rules. Removed Giulio devices from WG

---
 hosts/architect/firewall.nix | 9 -----
 hosts/architect/network.nix | 20 ----------
 hosts/architect/wireguard.nix | 65 ++---------------------------------
 3 files changed, 3 insertions(+), 91 deletions(-)

diff --git a/hosts/architect/firewall.nix b/hosts/architect/firewall.nix
index 0d09838..1b0151b 100644
--- a/hosts/architect/firewall.nix
+++ b/hosts/architect/firewall.nix
@@ -60,7 +60,6 @@ in
 iifname ${wan-if} ip saddr ${vpn-net} drop comment "bind any ip to intf ${wan-if}"
 iifname ${wan-if} ip saddr 127.0.0.0/8 drop comment "bind any ip to intf ${wan-if}"
 iifname ${wan-if} accept comment "bind any ip to intf ${wan-if}"
-iifname ${proxy-if} ip saddr ${proxy-net} accept comment "bind ip ${proxy-net} to intf ${proxy-if}"
 iifname ${vpn-if} ip saddr ${vpn-net} accept comment "bind ip ${vpn-net} to intf ${vpn-if}"
 iifname ${docker-if} ip saddr ${docker-net} accept comment "bind ip ${docker-net} to intf ${docker-if}"
 iifname ${tailscale-if} ip saddr ${tailscale-net} accept
@@ -134,14 +133,6 @@ in
 type filter hook forward priority filter; policy drop;
 ct state established,related accept
 
-# gdevices talking to everyone in VPN
-ip saddr {${
-lib.concatStringsSep "," gdevices
-}} ip daddr ${vpn-net} accept
-ip saddr {${
-lib.concatStringsSep "," gamenet-wg
-}} ip daddr {${lib.concatStringsSep "," gamenet-wg}} accept
-
 # nat to wan
 oifname ${wan-if} ip saddr {${
 lib.concatStringsSep "," towan-wg
diff --git a/hosts/architect/network.nix b/hosts/architect/network.nix
index 9dd39a9..890c6a3 100644
--- a/hosts/architect/network.nix
+++ b/hosts/architect/network.nix
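Review bot: The deleted `proxy-if` accept rule is the only visible consumer of `proxy-if`, and the matching `proxy-net` binding is removed from network.nix in the same commit, so if `proxy-if` is still bound in the `let` block above this hunk it is now a dead interface name inside a firewall module. A stale interface variable is easy to pick up later in a rule that accepts traffic on an interface that no longer corresponds to the retired 10.4.0.0/24 proxy network; remove the binding together with this rule, or leave a comment such as `# proxy-if: retired with the 10.4.0.0/24 proxy network` next to it. The `let` block is outside the hunk, so this is inferred from the rule text alone.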
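Review bot: The removed forward rules are the only visible consumer of the `gdevices` group, yet that group is kept in network.nix (the `# groups` hunk there still defines `gdevices = [ giuliophone-ts architect-ts giuliopc-ts dodino-ts ]`), so either the group is now dead data or the rule removal is unintended. Because this chain is `policy drop`, the Tailscale addresses in `gdevices` can no longer be forwarded into `${vpn-net}` unless a rule further down the chain, outside this hunk, still permits it; that is a reachability change the commit message ("Removed Giulio devices from WG") does not describe. If losing that forwarding is intended, remove `gdevices` in network.nix the same way `gamenet-wg` is removed; otherwise keep the `ip saddr {gdevices} ip daddr ${vpn-net} accept` rule and drop only the `gamenet-wg` rule. The rest of the forward chain continues past the end of the hunk.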
@@ -9,7 +9,6 @@ rec {
 # nets
 lan-net = "10.0.0.0/24";
 vpn-net = "10.3.0.0/24";
-proxy-net = "10.4.0.0/24";
 external_lan-net = "192.168.1.0/24";
 docker-net = "172.17.0.0/16";
 tailscale-net = "100.64.0.0/10";
@@ -21,16 +20,10 @@ rec {
 architect-lan = "10.0.0.250";
 
 architect-wg = "10.3.0.1";
-giuliopc-wg = "10.3.0.2";
-giuliophone-wg = "10.3.0.3";
-giuliodeck-wg = "10.3.0.4";
 manduria-wg = "10.3.0.5";
 antonio-wg = "10.3.0.6";
 gbeast-wg = "10.3.0.7";
-peppiniell-wg = "10.3.0.10";
-padulino-wg = "10.3.0.11";
 shield-wg = "10.3.0.12";
-pepos-wg = "10.3.0.15";
 salvatore-wg = "10.3.0.16";
 papa-wg = "10.3.0.17";
 defy-wg = "10.3.0.18";
@@ -51,9 +44,6 @@ rec {
 parina-ipad-wg = "10.3.0.33";
 kclvm-wg = "10.3.0.34";
 framecca-wg = "10.3.0.35";
-eleonora-wg = "10.3.0.100";
-angellane-wg = "10.3.0.203";
-hotpottino-wg = "10.3.0.201";
 dodino-wg = "10.3.0.202";
 
 giuliophone-ts = "100.68.68.46";
@@ -64,14 +54,4 @@ rec {
 # groups
 gdevices = [ giuliophone-ts architect-ts giuliopc-ts dodino-ts ];
 towan-wg = [ shield-wg parina-wg parina-ipad-wg germano-wg framecca-wg ];
-gamenet-wg = [
-andrew-wg
-giuliopc-wg
-gbeast-wg
-mikey-wg
-andrewdesktop-wg
-mikeylaptop-wg
-flavio-wg
-salvatore-wg
-];
 }
diff --git a/hosts/architect/wireguard.nix b/hosts/architect/wireguard.nix
index bb8b5f9..d305cce 100644
--- a/hosts/architect/wireguard.nix
+++ b/hosts/architect/wireguard.nix
@@ -1,5 +1,7 @@
 { config, lib, ... }:
+
 with import ./network.nix;
+
 let
 listenPort = 1194;
 in
@@ -12,18 +14,10 @@ in
 networking = {
 extraHosts = ''
 ${architect-wg} architect.devs.giugl.io
-${giuliopc-wg} kmerr.devs.giugl.io
-${giuliophone-wg} chuck.devs.giugl.io
 ${manduria-wg} manduria.devs.giugl.io
 ${antonio-wg} antonio.devs.giugl.io
 ${gbeast-wg} gbeast.devs.giugl.io
-${peppiniell-wg} peppiniell.devs.giugl.io
-${padulino-wg} padulino.devs.giugl.io
 ${shield-wg} shield.devs.giugl.io
-${pepos-wg} pepos.devs.giugl.io
-${eleonora-wg} eleonora.devs.giugl.io
-${angellane-wg} angellane.devs.giugl.io
-${hotpottino-wg} hotpottino.devs.giugl.io
 ${salvatore-wg} salvatore.devs.giugl.io
 ${papa-wg} papa.devs.giugl.io
 ${defy-wg} defy.devs.giugl.io
@@ -41,7 +35,6 @@ in
 ${parina-ipad-wg} parinaipad.devs.giugl.io
 ${nilo-wg} nilo.devs.giugl.io
 ${kclvm-wg} kclvm.devs.giugl.io
-${giuliodeck-wg} giuliodeck.devs.giugl.io
 ${framecca-wg} framecca.devs.giugl.io
 '';
 
@@ -53,18 +46,6 @@ in
 privateKeyFile = "/secrets/wireguard/server.key";
 
 peers = [
-{
-# giuliopc
-allowedIPs = [ giuliopc-wg ];
-publicKey = "pEEgSs7xmO0cfyvoQlU8lfwqdYM1ISgmPAunPtF+0xw=";
-}
-
-{
-# giuliophone
-allowedIPs = [ giuliophone-wg ];
-publicKey = "zynSERy6VhxN5zBf1ih3BOAHxvigDixHB9YKnSBgYFs=";
-}
-
 {
 # Manduria
 allowedIPs = [ manduria-wg ];
@@ -77,48 +58,18 @@ in
 publicKey = "SPndCvEzuLHtGAQV8u/4dfLlFHoPcXS3L98oFOwTljc=";
 }
 
-{
-# Eleonora
-allowedIPs = [ eleonora-wg ];
-publicKey = "SL54f1ZeieFyn5X5UAPmypP10GV/c419O94vCzGHFhg=";
-}
-
-{
-# padulino
-allowedIPs = [ padulino-wg ];
-publicKey = "sk2Wr2OesND9jcuP/8k7BirSpR4pNNbS9gBkbOxZxwg=";
-}
-
 {
 # GBEAST
 allowedIPs = [ gbeast-wg ];
 publicKey = "XiK+wk+DErz0RmCWRxuaJN1cvdj+3DoiU6tcR+uZfAI=";
 }
 
-{
-# peppiniell
-allowedIPs = [ peppiniell-wg ];
-publicKey = "bzoW3Rx+7Un9hx/2opgBQJmmnZ/hgj1lQ2FnonCHjTc=";
-}
-
-{
-# hotpottino
-allowedIPs = [ hotpottino-wg ];
-publicKey = "YqtzTWqGBs2GwSPNO0aRSV4nvJDW3UHHt6fV4UC7vnU=";
-}
-
 {
 # shield
 allowedIPs = [ shield-wg ];
 publicKey = "1GaV/M48sHqQTrBVRQ+jrFU2pUMmv2xkguncVcwPCFs=";
 }
 
-{
-# pepos
-allowedIPs = [ pepos-wg ];
-publicKey = "mb1VaMLML5J24oCMBuhqvBrT6S4tAqWERn30z+h/LwM=";
-}
-
 {
 # salvatore
 allowedIPs = [ salvatore-wg ];
@@ -173,12 +124,6 @@ in
 publicKey = "svzWYIZ6v+cLCp/emGG7mx2YpBJqw2fqjVuHZy7b6H0=";
 }
 
-{
-# angel-lane
-allowedIPs = [ angellane-wg ];
-publicKey = "UJRJcAOcnEjEB3o4K2I7gEM97SrhENEesZNf28z+EBQ=";
-}
-
 {
 # mikey
 allowedIPs = [ mikey-wg ];
@@ -244,11 +189,7 @@ in
 allowedIPs = [ kclvm-wg ];
 publicKey = "jVBaY8AhgAA7myVjU/PJPDUCOjsCi23LT+pGZUoNEkE=";
 }
-{
-# Giulio's Deck
-allowedIPs = [ giuliodeck-wg ];
-publicKey = "7TGYsYvElTLY3V7qJfggkF+kFG7Y5sUsHA88h0cYJx0=";
-}
+
 {
 allowedIPs = [ framecca-wg ];
 publicKey = "w0XPu5GcDA2vpNk3KCFRdWNVVQHRtAPApEsK1h3Ovyk=";