From 7206622bec4e1c152eb95959f664b43be359ae8a Mon Sep 17 00:00:00 2001 From: Giulio De Pasquale Date: Mon, 11 Oct 2021 08:59:31 +0000 Subject: [PATCH] refactored proxy conf --- hosts/proxy/coturn.nix | 36 ++++++++++------- hosts/proxy/default.nix | 83 +++++++++++---------------------------- hosts/proxy/ssh.nix | 15 +++++++ hosts/proxy/wireguard.nix | 46 ++++++++++++++++++++++ 4 files changed, 105 insertions(+), 75 deletions(-) create mode 100644 hosts/proxy/ssh.nix create mode 100644 hosts/proxy/wireguard.nix diff --git a/hosts/proxy/coturn.nix b/hosts/proxy/coturn.nix index 3148bda..c88cb51 100644 --- a/hosts/proxy/coturn.nix +++ b/hosts/proxy/coturn.nix @@ -1,22 +1,28 @@ {pkgs, config, ...}: let + public_ip = "23.88.108.216"; realm = "turn.giugl.io"; static-auth-secret = "69duck duck fuck420"; in { services.coturn = rec { + inherit realm static-auth-secret; + + secure-stun = true; enable = true; no-cli = true; no-tcp-relay = true; min-port = 49000; max-port = 50000; use-auth-secret = true; -# cert = "${config.security.acme.certs.${realm}.directory}/full.pem"; -# pkey = "${config.security.acme.certs.${realm}.directory}/key.pem"; + relay-ips = [ public_ip ]; + listening-ips = [ public_ip ]; + cert = "${config.security.acme.certs.${realm}.directory}/full.pem"; + pkey = "${config.security.acme.certs.${realm}.directory}/key.pem"; extraConfig = '' - # for debugging verbose - # ban private IP ranges + + cipher-list=\"HIGH\" no-multicast-peers denied-peer-ip=0.0.0.0-0.255.255.255 denied-peer-ip=10.0.0.0-10.255.255.255 @@ -42,7 +48,6 @@ in { denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff ''; }; - # open the firewall networking.firewall = { interfaces.ens3 = let range = with config.services.coturn; [ { 
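Review bot: `inherit realm static-auth-secret;` feeds the literal secret from the `let` block into `services.coturn`, and since the NixOS module renders its options into a generated turnserver.conf in the world-readable Nix store, the value is exposed on the host on top of living in the repository. If the coturn module in use offers `services.coturn.static-auth-secret-file`, point it at a root-owned file outside the store (the same pattern `privateKeyFile` already uses for WireGuard) and drop the literal from the file. Separately, inside a Nix `''…''` string a backslash is not an escape, so `cipher-list=\"HIGH\"` in `extraConfig` reaches the config file with the backslashes intact; unless coturn strips them, the cipher string will not be what OpenSSL expects, and the line should read `cipher-list="HIGH"`. The `extraConfig` block this hunk opens ends in the next hunk.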
@@ -52,15 +57,18 @@ in { in { allowedUDPPortRanges = range; - allowedUDPPorts = [ 3478 ]; - allowedTCPPortRanges = range; - allowedTCPPorts = [ 3478 ]; + allowedUDPPorts = [ 5349 ]; + #allowedTCPPortRanges = range; + allowedTCPPorts = [ 80 443 5349 ]; }; }; - # get a certificate -# security.acme.certs.${realm} = { -# webroot = "/var/lib/acme/acme-challenge"; -# postRun = "systemctl restart coturn.service"; -# group = "turnserver"; -# }; + + services.nginx.enable = true; + services.nginx.virtualHosts.${realm} = { + addSSL = true; + enableACME = true; + }; + + # to access the ACME files + users.groups.nginx.members = [ "turnserver" ]; } diff --git a/hosts/proxy/default.nix b/hosts/proxy/default.nix index 7c850de..3f88bb6 100644 --- a/hosts/proxy/default.nix +++ b/hosts/proxy/default.nix 
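Review bot: Removing the `security.acme.certs.${realm}` block drops the `postRun = "systemctl restart coturn.service"` hook, and the new nginx `enableACME` vhost carries no equivalent, so after a renewal coturn keeps serving the `full.pem`/`key.pem` it loaded at start until something restarts it; the acme module's per-cert `postRun` (or `reloadServices`, where the module provides it) should still name coturn. Adding `turnserver` to `users.groups.nginx.members` also gives that account read access to everything group `nginx` can read, not only this certificate; a dedicated group for the cert that both services join would be the narrower grant. The firewall change stops opening 3478 while only 5349 is listed, so clients configured for plain `turn:`/`stun:` on the default port lose access; if that is intended, a comment such as `# only the TLS port (5349) is exposed; 3478 stays closed` records the decision.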
@@ -1,70 +1,31 @@ { config, pkgs, ... }: { - imports = - [ - ./hardware-configuration.nix - ./coturn.nix - ]; + imports = [ + ./hardware-configuration.nix + ./coturn.nix + ./wireguard.nix + ./ssh.nix + ]; - boot.loader.grub.enable = true; - boot.loader.grub.version = 2; + boot.loader.grub = { + enable = true; + version = 2; + devices = [ "/dev/sda" ]; + }; - system.stateVersion = "21.05"; # Did you read the comment? - boot.loader.grub.devices = [ "/dev/sda" ]; - services.openssh.permitRootLogin = "prohibit-password"; - services.openssh.passwordAuthentication = false; - services.openssh.enable = true; + system.stateVersion = "21.05"; - networking = { - useDHCP = false; - hostName = "proxy"; - nameservers = [ "10.4.0.2" "1.1.1.1" ]; - - firewall.allowedTCPPorts = [ 22 ]; - interfaces.ens3.useDHCP = true; + networking = { + useDHCP = false; + hostName = "proxy"; + nameservers = [ "10.4.0.2" "1.1.1.1" ]; - nat = { - enable = true; - externalInterface = "ens3"; - internalInterfaces = ["wg0"]; - forwardPorts = [ - { - destination = "10.4.0.2:1194"; - proto = "udp"; - sourcePort = 1194; - } - ]; - }; + interfaces.ens3.useDHCP = true; + }; - wireguard = { - interfaces."wg0" = { - listenPort = 1195; - ips = [ "10.4.0.1/24" ]; - privateKeyFile = "/secrets/wireguard/server.key"; - - postSetup = '' - /run/current-system/sw/bin/iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE - ''; - - postShutdown = '' - /run/current-system/sw/bin/iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE - ''; - peers = [ - { - allowedIPs = [ "10.4.0.2" "10.3.0.0/24" ]; - publicKey = "73oFhyQA3mgX4GmN6ul5HuOsgxa4INlzCPsyuXna0AA="; - } - ]; - }; - }; - }; - - services = { - fail2ban.enable = true; - }; - users.users.root.openssh.authorizedKeys.keys = [ - "ssh-rsa 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 giulio@gAluminum" - ]; - } + users.users.root.openssh.authorizedKeys.keys = [ + "ssh-rsa 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 giulio@gAluminum" + ]; +} 
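Review bot: `interfaces.ens3.useDHCP = true;` keeps the WAN interface name as a literal here, while coturn.nix opens its ports on `interfaces.ens3` and wireguard.nix introduces `wan_if = "ens3"` for the same interface, so a NIC rename has to be tracked in three files. Since this file is the one importing the other two, a short header comment naming the host's role and the shared facts (`# proxy host: ens3 is the public NIC, wg0 the tunnel; coturn.nix and wireguard.nix refer to the same interface`) would help, or the name could be defined once and passed through to both modules.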
diff --git a/hosts/proxy/ssh.nix b/hosts/proxy/ssh.nix
new file mode 100644
index 0000000..c64a38a
--- /dev/null
+++ b/hosts/proxy/ssh.nix
@@ -0,0 +1,15 @@
+{ config, ...}:
+
+{
+ services = {
+ fail2ban.enable = true;
+
+ openssh = {
+ permitRootLogin = "prohibit-password";
+ passwordAuthentication = false;
+ enable = true;
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [ 22 ];
+}
diff --git a/hosts/proxy/wireguard.nix b/hosts/proxy/wireguard.nix
new file mode 100644
index 0000000..6b904b5
--- /dev/null
+++ b/hosts/proxy/wireguard.nix
@@ -0,0 +1,46 @@
+{ config, ...}:
+
+let
+ wg_if = "wg0";
+ wan_if = "ens3";
+in {
+ networking = {
+ firewall.allowedUDPPorts = [ 1195 ];
+
+ nat = {
+ enable = true;
+ externalInterface = wan_if;
+ internalInterfaces = [ wg_if ];
+ forwardPorts = [
+ {
+ destination = "10.4.0.2:1194";
+ proto = "udp";
+ sourcePort = 1194;
+ }
+ ];
+ };
+
+ wireguard = {
+ interfaces.${wg_if} = {
+ listenPort = 1195;
+ ips = [ "10.4.0.1/24" ];
+ privateKeyFile = "/secrets/wireguard/server.key";
+
+ postSetup = ''
+ /run/current-system/sw/bin/iptables -t nat -A POSTROUTING -o ${wg_if} -j MASQUERADE
+ '';
+
+ postShutdown = ''
+ /run/current-system/sw/bin/iptables -t nat -D POSTROUTING -o ${wg_if} -j MASQUERADE
+ '';
+
+ peers = [
+ {
+ allowedIPs = [ "10.4.0.2" "10.3.0.0/24" ];
+ publicKey = "73oFhyQA3mgX4GmN6ul5HuOsgxa4INlzCPsyuXna0AA=";
+ }
+ ];
+ };
+ };
+ };
+}
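Review bot: `passwordAuthentication = false;` on its own leaves sshd's keyboard-interactive (PAM challenge-response) method enabled, which can still accept password-style logins for non-root accounts; in the 21.05 release the matching option is `services.openssh.challengeResponseAuthentication = false;` (renamed `kbdInteractiveAuthentication` in later releases), and it belongs next to the `passwordAuthentication` line. The `config` module argument in `{ config, ...}:` is unused in this file and can be dropped in favour of `{ ... }:`.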
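Review bot: `listenPort = 1195;` and `firewall.allowedUDPPorts = [ 1195 ];` are the same value written twice while the refactor already hoists `wg_if` and `wan_if`; a `wg_port = 1195;` binding in the `let` block used as `firewall.allowedUDPPorts = [ wg_port ];` and `listenPort = wg_port;` keeps the firewall and the interface from drifting apart. The `postSetup`/`postShutdown` hooks call `/run/current-system/sw/bin/iptables`, which resolves through whatever the running system profile contains rather than a pinned package; taking `pkgs` in the module arguments and using `${pkgs.iptables}/bin/iptables` removes that dependency on the profile contents. `config` in `{ config, ...}:` is unused here as well.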