Removed old and unused VPN configs, cleaned up firewall rules, and removed Giulio's devices from WG

Giulio De Pasquale 2023-02-15 00:30:26 +01:00
parent 3321ec122a
commit 650db37686
3 changed files with 3 additions and 91 deletions


@ -60,7 +60,6 @@ in
iifname ${wan-if} ip saddr ${vpn-net} drop comment "bind any ip to intf ${wan-if}" iifname ${wan-if} ip saddr ${vpn-net} drop comment "bind any ip to intf ${wan-if}"
iifname ${wan-if} ip saddr 127.0.0.0/8 drop comment "bind any ip to intf ${wan-if}" iifname ${wan-if} ip saddr 127.0.0.0/8 drop comment "bind any ip to intf ${wan-if}"
iifname ${wan-if} accept comment "bind any ip to intf ${wan-if}" iifname ${wan-if} accept comment "bind any ip to intf ${wan-if}"
iifname ${proxy-if} ip saddr ${proxy-net} accept comment "bind ip ${proxy-net} to intf ${proxy-if}"
iifname ${vpn-if} ip saddr ${vpn-net} accept comment "bind ip ${vpn-net} to intf ${vpn-if}" iifname ${vpn-if} ip saddr ${vpn-net} accept comment "bind ip ${vpn-net} to intf ${vpn-if}"
iifname ${docker-if} ip saddr ${docker-net} accept comment "bind ip ${docker-net} to intf ${docker-if}" iifname ${docker-if} ip saddr ${docker-net} accept comment "bind ip ${docker-net} to intf ${docker-if}"
iifname ${tailscale-if} ip saddr ${tailscale-net} accept iifname ${tailscale-if} ip saddr ${tailscale-net} accept
@ -134,14 +133,6 @@ in
type filter hook forward priority filter; policy drop; type filter hook forward priority filter; policy drop;
ct state established,related accept ct state established,related accept
# gdevices talking to everyone in VPN
ip saddr {${
lib.concatStringsSep "," gdevices
}} ip daddr ${vpn-net} accept
ip saddr {${
lib.concatStringsSep "," gamenet-wg
}} ip daddr {${lib.concatStringsSep "," gamenet-wg}} accept
# nat to wan # nat to wan
oifname ${wan-if} ip saddr {${ oifname ${wan-if} ip saddr {${
lib.concatStringsSep "," towan-wg lib.concatStringsSep "," towan-wg
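Review bot: After the `@ -134` hunk removes the `gdevices` and `gamenet-wg` allow rules, the forward chain's `policy drop` on the `type filter hook forward` line is the only thing deciding VPN peer-to-peer traffic, so any remaining expectation that peers on ${vpn-net} reach each other now fails silently; if that isolation is intended, a comment where the rules stood, `# no intra-VPN forwarding: peers on ${vpn-net} are isolated by the chain's drop policy`, would record it. In the `@ -60` hunk, dropping the `${proxy-if}` accept leaves that interface, if it is still defined elsewhere, with no source-binding rule, so its traffic falls to the input chain's default policy, which this hunk does not show. A point of style: the `${tailscale-if}` rule is the only binding rule in that hunk without a `comment`, e.g. `iifname ${tailscale-if} ip saddr ${tailscale-net} accept comment "bind ip ${tailscale-net} to intf ${tailscale-if}"`. The enclosing Nix expression starts and ends outside both hunks.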


@ -9,7 +9,6 @@ rec {
# nets # nets
lan-net = "10.0.0.0/24"; lan-net = "10.0.0.0/24";
vpn-net = "10.3.0.0/24"; vpn-net = "10.3.0.0/24";
proxy-net = "10.4.0.0/24";
external_lan-net = "192.168.1.0/24"; external_lan-net = "192.168.1.0/24";
docker-net = "172.17.0.0/16"; docker-net = "172.17.0.0/16";
tailscale-net = "100.64.0.0/10"; tailscale-net = "100.64.0.0/10";
@ -21,16 +20,10 @@ rec {
architect-lan = "10.0.0.250"; architect-lan = "10.0.0.250";
architect-wg = "10.3.0.1"; architect-wg = "10.3.0.1";
giuliopc-wg = "10.3.0.2";
giuliophone-wg = "10.3.0.3";
giuliodeck-wg = "10.3.0.4";
manduria-wg = "10.3.0.5"; manduria-wg = "10.3.0.5";
antonio-wg = "10.3.0.6"; antonio-wg = "10.3.0.6";
gbeast-wg = "10.3.0.7"; gbeast-wg = "10.3.0.7";
peppiniell-wg = "10.3.0.10";
padulino-wg = "10.3.0.11";
shield-wg = "10.3.0.12"; shield-wg = "10.3.0.12";
pepos-wg = "10.3.0.15";
salvatore-wg = "10.3.0.16"; salvatore-wg = "10.3.0.16";
papa-wg = "10.3.0.17"; papa-wg = "10.3.0.17";
defy-wg = "10.3.0.18"; defy-wg = "10.3.0.18";
@ -51,9 +44,6 @@ rec {
parina-ipad-wg = "10.3.0.33"; parina-ipad-wg = "10.3.0.33";
kclvm-wg = "10.3.0.34"; kclvm-wg = "10.3.0.34";
framecca-wg = "10.3.0.35"; framecca-wg = "10.3.0.35";
eleonora-wg = "10.3.0.100";
angellane-wg = "10.3.0.203";
hotpottino-wg = "10.3.0.201";
dodino-wg = "10.3.0.202"; dodino-wg = "10.3.0.202";
giuliophone-ts = "100.68.68.46"; giuliophone-ts = "100.68.68.46";
@ -64,14 +54,4 @@ rec {
# groups # groups
gdevices = [ giuliophone-ts architect-ts giuliopc-ts dodino-ts ]; gdevices = [ giuliophone-ts architect-ts giuliopc-ts dodino-ts ];
towan-wg = [ shield-wg parina-wg parina-ipad-wg germano-wg framecca-wg ]; towan-wg = [ shield-wg parina-wg parina-ipad-wg germano-wg framecca-wg ];
gamenet-wg = [
andrew-wg
giuliopc-wg
gbeast-wg
mikey-wg
andrewdesktop-wg
mikeylaptop-wg
flavio-wg
salvatore-wg
];
} }
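Review bot: The `gdevices` group on the `gdevices = [ giuliophone-ts architect-ts giuliopc-ts dodino-ts ];` line survives the cleanup even though its only visible consumer, the `ip saddr {gdevices} ip daddr ${vpn-net} accept` forward rule in the firewall file, is removed in this same commit, so it is now dead configuration unless something outside the diff still references it. Either drop it alongside `gamenet-wg` or annotate why it stays, e.g. `# gdevices: still used by <CONSUMER-PLACEHOLDER> — TODO confirm`. Removing `proxy-net` here while the matching `${proxy-if}` rule leaves the firewall is consistent, but `proxy-if` itself is not shown; if it remains defined it is likewise dead. The `rec { … }` attribute set begins before the first hunk.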


@ -1,5 +1,7 @@
{ config, lib, ... }: { config, lib, ... }:
with import ./network.nix; with import ./network.nix;
let let
listenPort = 1194; listenPort = 1194;
in in
@ -12,18 +14,10 @@ in
networking = { networking = {
extraHosts = '' extraHosts = ''
${architect-wg} architect.devs.giugl.io ${architect-wg} architect.devs.giugl.io
${giuliopc-wg} kmerr.devs.giugl.io
${giuliophone-wg} chuck.devs.giugl.io
${manduria-wg} manduria.devs.giugl.io ${manduria-wg} manduria.devs.giugl.io
${antonio-wg} antonio.devs.giugl.io ${antonio-wg} antonio.devs.giugl.io
${gbeast-wg} gbeast.devs.giugl.io ${gbeast-wg} gbeast.devs.giugl.io
${peppiniell-wg} peppiniell.devs.giugl.io
${padulino-wg} padulino.devs.giugl.io
${shield-wg} shield.devs.giugl.io ${shield-wg} shield.devs.giugl.io
${pepos-wg} pepos.devs.giugl.io
${eleonora-wg} eleonora.devs.giugl.io
${angellane-wg} angellane.devs.giugl.io
${hotpottino-wg} hotpottino.devs.giugl.io
${salvatore-wg} salvatore.devs.giugl.io ${salvatore-wg} salvatore.devs.giugl.io
${papa-wg} papa.devs.giugl.io ${papa-wg} papa.devs.giugl.io
${defy-wg} defy.devs.giugl.io ${defy-wg} defy.devs.giugl.io
@ -41,7 +35,6 @@ in
${parina-ipad-wg} parinaipad.devs.giugl.io ${parina-ipad-wg} parinaipad.devs.giugl.io
${nilo-wg} nilo.devs.giugl.io ${nilo-wg} nilo.devs.giugl.io
${kclvm-wg} kclvm.devs.giugl.io ${kclvm-wg} kclvm.devs.giugl.io
${giuliodeck-wg} giuliodeck.devs.giugl.io
${framecca-wg} framecca.devs.giugl.io ${framecca-wg} framecca.devs.giugl.io
''; '';
@ -53,18 +46,6 @@ in
privateKeyFile = "/secrets/wireguard/server.key"; privateKeyFile = "/secrets/wireguard/server.key";
peers = [ peers = [
{
# giuliopc
allowedIPs = [ giuliopc-wg ];
publicKey = "pEEgSs7xmO0cfyvoQlU8lfwqdYM1ISgmPAunPtF+0xw=";
}
{
# giuliophone
allowedIPs = [ giuliophone-wg ];
publicKey = "zynSERy6VhxN5zBf1ih3BOAHxvigDixHB9YKnSBgYFs=";
}
{ {
# Manduria # Manduria
allowedIPs = [ manduria-wg ]; allowedIPs = [ manduria-wg ];
@ -77,48 +58,18 @@ in
publicKey = "SPndCvEzuLHtGAQV8u/4dfLlFHoPcXS3L98oFOwTljc="; publicKey = "SPndCvEzuLHtGAQV8u/4dfLlFHoPcXS3L98oFOwTljc=";
} }
{
# Eleonora
allowedIPs = [ eleonora-wg ];
publicKey = "SL54f1ZeieFyn5X5UAPmypP10GV/c419O94vCzGHFhg=";
}
{
# padulino
allowedIPs = [ padulino-wg ];
publicKey = "sk2Wr2OesND9jcuP/8k7BirSpR4pNNbS9gBkbOxZxwg=";
}
{ {
# GBEAST # GBEAST
allowedIPs = [ gbeast-wg ]; allowedIPs = [ gbeast-wg ];
publicKey = "XiK+wk+DErz0RmCWRxuaJN1cvdj+3DoiU6tcR+uZfAI="; publicKey = "XiK+wk+DErz0RmCWRxuaJN1cvdj+3DoiU6tcR+uZfAI=";
} }
{
# peppiniell
allowedIPs = [ peppiniell-wg ];
publicKey = "bzoW3Rx+7Un9hx/2opgBQJmmnZ/hgj1lQ2FnonCHjTc=";
}
{
# hotpottino
allowedIPs = [ hotpottino-wg ];
publicKey = "YqtzTWqGBs2GwSPNO0aRSV4nvJDW3UHHt6fV4UC7vnU=";
}
{ {
# shield # shield
allowedIPs = [ shield-wg ]; allowedIPs = [ shield-wg ];
publicKey = "1GaV/M48sHqQTrBVRQ+jrFU2pUMmv2xkguncVcwPCFs="; publicKey = "1GaV/M48sHqQTrBVRQ+jrFU2pUMmv2xkguncVcwPCFs=";
} }
{
# pepos
allowedIPs = [ pepos-wg ];
publicKey = "mb1VaMLML5J24oCMBuhqvBrT6S4tAqWERn30z+h/LwM=";
}
{ {
# salvatore # salvatore
allowedIPs = [ salvatore-wg ]; allowedIPs = [ salvatore-wg ];
@ -173,12 +124,6 @@ in
publicKey = "svzWYIZ6v+cLCp/emGG7mx2YpBJqw2fqjVuHZy7b6H0="; publicKey = "svzWYIZ6v+cLCp/emGG7mx2YpBJqw2fqjVuHZy7b6H0=";
} }
{
# angel-lane
allowedIPs = [ angellane-wg ];
publicKey = "UJRJcAOcnEjEB3o4K2I7gEM97SrhENEesZNf28z+EBQ=";
}
{ {
# mikey # mikey
allowedIPs = [ mikey-wg ]; allowedIPs = [ mikey-wg ];
@ -244,11 +189,7 @@ in
allowedIPs = [ kclvm-wg ]; allowedIPs = [ kclvm-wg ];
publicKey = "jVBaY8AhgAA7myVjU/PJPDUCOjsCi23LT+pGZUoNEkE="; publicKey = "jVBaY8AhgAA7myVjU/PJPDUCOjsCi23LT+pGZUoNEkE=";
} }
{
# Giulio's Deck
allowedIPs = [ giuliodeck-wg ];
publicKey = "7TGYsYvElTLY3V7qJfggkF+kFG7Y5sUsHA88h0cYJx0=";
}
{ {
allowedIPs = [ framecca-wg ]; allowedIPs = [ framecca-wg ];
publicKey = "w0XPu5GcDA2vpNk3KCFRdWNVVQHRtAPApEsK1h3Ovyk="; publicKey = "w0XPu5GcDA2vpNk3KCFRdWNVVQHRtAPApEsK1h3Ovyk=";