From 7206622bec4e1c152eb95959f664b43be359ae8a Mon Sep 17 00:00:00 2001
From: Giulio De Pasquale <depasquale+git@giugl.io>
Date: Mon, 11 Oct 2021 08:59:31 +0000
Subject: [PATCH] refactored proxy conf

---
 hosts/proxy/coturn.nix    | 36 ++++++++++-------
 hosts/proxy/default.nix   | 83 +++++++++++----------------------------
 hosts/proxy/ssh.nix       | 15 +++++++
 hosts/proxy/wireguard.nix | 46 ++++++++++++++++++++++
 4 files changed, 105 insertions(+), 75 deletions(-)
 create mode 100644 hosts/proxy/ssh.nix
 create mode 100644 hosts/proxy/wireguard.nix

diff --git a/hosts/proxy/coturn.nix b/hosts/proxy/coturn.nix
index 3148bda..c88cb51 100644
--- a/hosts/proxy/coturn.nix
+++ b/hosts/proxy/coturn.nix
@@ -1,22 +1,28 @@
 {pkgs, config, ...}:
 
 let
+   public_ip = "23.88.108.216";
    realm = "turn.giugl.io";
    static-auth-secret = "69duck duck fuck420";
 in {
   services.coturn = rec {
+    inherit realm static-auth-secret;
+
+    secure-stun = true;
     enable = true;
     no-cli = true;
     no-tcp-relay = true;
     min-port = 49000;
     max-port = 50000;
     use-auth-secret = true;
-#    cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
-#    pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
+    relay-ips = [ public_ip ];
+    listening-ips = [ public_ip ];
+    cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
+    pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
     extraConfig = ''
-      # for debugging
       verbose
-      # ban private IP ranges
+      
+      cipher-list=\"HIGH\"
       no-multicast-peers
       denied-peer-ip=0.0.0.0-0.255.255.255
       denied-peer-ip=10.0.0.0-10.255.255.255
@@ -42,7 +48,6 @@ in {
       denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
     '';
   };
-  # open the firewall
   networking.firewall = {
     interfaces.ens3 = let
       range = with config.services.coturn; [ {
@@ -52,15 +57,18 @@ in {
     in
     {
       allowedUDPPortRanges = range;
-      allowedUDPPorts = [ 3478 ];
-      allowedTCPPortRanges = range;
-      allowedTCPPorts = [ 3478 ];
+      allowedUDPPorts = [ 5349 ];
+      #allowedTCPPortRanges = range;
+      allowedTCPPorts = [ 80 443 5349 ];
     };
   };
-  # get a certificate
-#  security.acme.certs.${realm} = {
-#    webroot = "/var/lib/acme/acme-challenge";
-#    postRun = "systemctl restart coturn.service";
-#    group = "turnserver";
-#  };
+
+  services.nginx.enable = true;
+  services.nginx.virtualHosts.${realm} = {
+    addSSL = true;
+    enableACME = true;
+  };
+
+  # to access the ACME files
+  users.groups.nginx.members = [ "turnserver" ];
 }
diff --git a/hosts/proxy/default.nix b/hosts/proxy/default.nix
index 7c850de..3f88bb6 100644
--- a/hosts/proxy/default.nix
+++ b/hosts/proxy/default.nix
@@ -1,70 +1,31 @@
 { config, pkgs, ... }:
 
 {
-  imports =
-    [ 
-      ./hardware-configuration.nix
-      ./coturn.nix
-    ];
+  imports = [ 
+    ./hardware-configuration.nix
+    ./coturn.nix
+    ./wireguard.nix
+    ./ssh.nix
+  ];
 
-    boot.loader.grub.enable = true;
-    boot.loader.grub.version = 2;
+  boot.loader.grub = {
+    enable = true;
+    version = 2;
+    devices = [ "/dev/sda" ];
+  };
 
-    system.stateVersion = "21.05"; # Did you read the comment?
-    boot.loader.grub.devices = [ "/dev/sda" ];
-    services.openssh.permitRootLogin = "prohibit-password";
-    services.openssh.passwordAuthentication = false;
-    services.openssh.enable = true;
+  system.stateVersion = "21.05";
 
-    networking = {
-      useDHCP = false;
-      hostName = "proxy";
-      nameservers = [ "10.4.0.2" "1.1.1.1" ];
-      
-      firewall.allowedTCPPorts = [ 22 ];
-      interfaces.ens3.useDHCP = true;
+  networking = {
+    useDHCP = false;
+    hostName = "proxy";
+    nameservers = [ "10.4.0.2" "1.1.1.1" ];
 
-      nat = {
-        enable = true;
-        externalInterface = "ens3";
-        internalInterfaces = ["wg0"];
-        forwardPorts = [
-          {
-            destination =  "10.4.0.2:1194";
-            proto = "udp";
-            sourcePort = 1194;
-          }
-        ];
-      };
+    interfaces.ens3.useDHCP = true;
+  };
 
-      wireguard = {
-        interfaces."wg0" = {
-          listenPort = 1195;
-          ips = [ "10.4.0.1/24" ];
-          privateKeyFile = "/secrets/wireguard/server.key";
-
-          postSetup = ''
-            /run/current-system/sw/bin/iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
-          '';
-
-          postShutdown = ''
-            /run/current-system/sw/bin/iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE
-          '';
-          peers = [
-            {
-              allowedIPs = [ "10.4.0.2" "10.3.0.0/24" ];
-              publicKey = "73oFhyQA3mgX4GmN6ul5HuOsgxa4INlzCPsyuXna0AA=";
-            }
-          ];
-        };
-      };
-    };
-
-    services = {
-      fail2ban.enable = true;
-    };
-    users.users.root.openssh.authorizedKeys.keys = [
-      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCuURERnIFe2XbNu6AsPe2DO11RuaHxVGUcaoJUsIB1F+VOggOVLhxSenOPYLm6NvvGeXVi95G5Sm1UZRcJEEkvxus4bSViV4t/Q2azfYFE27yRH/IeMMoWNPGYNm5Bok2qFb4vHifra9FffwXnOzr0nDDTdHXCft4TO5nsenLJwqu5zOO1CR7J52otY7LheNPyzbGxgIkB3Y7LeOj1+/xXSOJ379NOL2RQBobsg7k442WCX7tU6AC1ct3W+93tcJUUdzJKTT9TJ+XmhdjXNWhDd+QZUNAMr+nKoEdExHp0H40/wIhcLD2OV95gX4i/YBzCg4OQOqZqWiibiEQfGTSAh5aD+nX/PqjXf0XSLEUOA81biLFu28oO8gocjwnhgqmlghvO4SG1rs6uZ8EyPyWsrVMjy8B9FX4aloKqua3aicgC+upjLl3x+KkMJizlMB5Ew7KOjPsjXwMqeJmeBOEd6TSEctttR+lIp+/368FtwXeBxzx9MBT4620mnjWtVKM= giulio@gAluminum"
-    ];
-  }
+  users.users.root.openssh.authorizedKeys.keys = [
+    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCuURERnIFe2XbNu6AsPe2DO11RuaHxVGUcaoJUsIB1F+VOggOVLhxSenOPYLm6NvvGeXVi95G5Sm1UZRcJEEkvxus4bSViV4t/Q2azfYFE27yRH/IeMMoWNPGYNm5Bok2qFb4vHifra9FffwXnOzr0nDDTdHXCft4TO5nsenLJwqu5zOO1CR7J52otY7LheNPyzbGxgIkB3Y7LeOj1+/xXSOJ379NOL2RQBobsg7k442WCX7tU6AC1ct3W+93tcJUUdzJKTT9TJ+XmhdjXNWhDd+QZUNAMr+nKoEdExHp0H40/wIhcLD2OV95gX4i/YBzCg4OQOqZqWiibiEQfGTSAh5aD+nX/PqjXf0XSLEUOA81biLFu28oO8gocjwnhgqmlghvO4SG1rs6uZ8EyPyWsrVMjy8B9FX4aloKqua3aicgC+upjLl3x+KkMJizlMB5Ew7KOjPsjXwMqeJmeBOEd6TSEctttR+lIp+/368FtwXeBxzx9MBT4620mnjWtVKM= giulio@gAluminum"
+  ];
+}
 
diff --git a/hosts/proxy/ssh.nix b/hosts/proxy/ssh.nix
new file mode 100644
index 0000000..c64a38a
--- /dev/null
+++ b/hosts/proxy/ssh.nix
@@ -0,0 +1,15 @@
+{ config, ...}:
+
+{
+  services = {
+    fail2ban.enable = true;
+
+    openssh = {
+      permitRootLogin = "prohibit-password";
+      passwordAuthentication = false;
+      enable = true;
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [ 22 ];
+}
diff --git a/hosts/proxy/wireguard.nix b/hosts/proxy/wireguard.nix
new file mode 100644
index 0000000..6b904b5
--- /dev/null
+++ b/hosts/proxy/wireguard.nix
@@ -0,0 +1,46 @@
+{ config, ...}:
+
+let
+  wg_if = "wg0";
+  wan_if = "ens3";
+in {
+  networking = {
+    firewall.allowedUDPPorts = [ 1195 ];
+
+    nat = {
+      enable = true;
+      externalInterface = wan_if;
+      internalInterfaces = [ wg_if ];
+      forwardPorts = [
+        {
+          destination =  "10.4.0.2:1194";
+          proto = "udp";
+          sourcePort = 1194;
+        }
+      ];
+    };
+
+    wireguard = {
+      interfaces.${wg_if} = {
+        listenPort = 1195;
+        ips = [ "10.4.0.1/24" ];
+        privateKeyFile = "/secrets/wireguard/server.key";
+
+        postSetup = ''
+              /run/current-system/sw/bin/iptables -t nat -A POSTROUTING -o ${wg_if} -j MASQUERADE
+        '';
+
+        postShutdown = ''
+              /run/current-system/sw/bin/iptables -t nat -D POSTROUTING -o ${wg_if} -j MASQUERADE
+        '';
+
+        peers = [
+          {
+            allowedIPs = [ "10.4.0.2" "10.3.0.0/24" ];
+            publicKey = "73oFhyQA3mgX4GmN6ul5HuOsgxa4INlzCPsyuXna0AA=";
+          }
+        ];
+      };
+    };
+  };
+}