refactored proxy conf

2021-10-11 08:59:31 +00:00 · 2021-10-11 08:59:31 +00:00 · 7206622bec
commit 7206622bec
parent ced9c72d4a
4 changed files with 105 additions and 75 deletions
--- a/hosts/proxy/coturn.nix
+++ b/hosts/proxy/coturn.nix
@ -1,22 +1,28 @@
 {pkgs, config, ...}:
 let
   public_ip = "23.88.108.216";
   realm = "turn.giugl.io";
   static-auth-secret = "69duck duck fuck420";
 in {
  services.coturn = rec {
    inherit realm static-auth-secret;
    secure-stun = true;
    enable = true;
    no-cli = true;
    no-tcp-relay = true;
    min-port = 49000;
    max-port = 50000;
    use-auth-secret = true;
-#    cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
+    relay-ips = [ public_ip ];
-#    pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
+    listening-ips = [ public_ip ];
    cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
    pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
    extraConfig = ''
      # for debugging
      verbose
-      # ban private IP ranges
+      
      cipher-list=\"HIGH\"
      no-multicast-peers
      denied-peer-ip=0.0.0.0-0.255.255.255
      denied-peer-ip=10.0.0.0-10.255.255.255
@ -42,7 +48,6 @@ in {
      denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
    '';
  };
  # open the firewall
  networking.firewall = {
    interfaces.ens3 = let
      range = with config.services.coturn; [ {
@ -52,15 +57,18 @@ in {
    in
    {
      allowedUDPPortRanges = range;
-      allowedUDPPorts = [ 3478 ];
+      allowedUDPPorts = [ 5349 ];
-      allowedTCPPortRanges = range;
+      #allowedTCPPortRanges = range;
-      allowedTCPPorts = [ 3478 ];
+      allowedTCPPorts = [ 80 443 5349 ];
    };
  };
-  # get a certificate
+
-#  security.acme.certs.${realm} = {
+  services.nginx.enable = true;
-#    webroot = "/var/lib/acme/acme-challenge";
+  services.nginx.virtualHosts.${realm} = {
-#    postRun = "systemctl restart coturn.service";
+    addSSL = true;
-#    group = "turnserver";
+    enableACME = true;
-#  };
+  };
  # to access the ACME files
  users.groups.nginx.members = [ "turnserver" ];
 }
--- a/hosts/proxy/default.nix
+++ b/hosts/proxy/default.nix
@ -1,70 +1,31 @@
 { config, pkgs, ... }:
 {
-  imports =
+  imports = [ 
-    [ 
+    ./hardware-configuration.nix
-      ./hardware-configuration.nix
+    ./coturn.nix
-      ./coturn.nix
+    ./wireguard.nix
-    ];
+    ./ssh.nix
  ];
-    boot.loader.grub.enable = true;
+  boot.loader.grub = {
-    boot.loader.grub.version = 2;
+    enable = true;
    version = 2;
    devices = [ "/dev/sda" ];
  };
-    system.stateVersion = "21.05"; # Did you read the comment?
+  system.stateVersion = "21.05";
    boot.loader.grub.devices = [ "/dev/sda" ];
    services.openssh.permitRootLogin = "prohibit-password";
    services.openssh.passwordAuthentication = false;
    services.openssh.enable = true;
-    networking = {
+  networking = {
-      useDHCP = false;
+    useDHCP = false;
-      hostName = "proxy";
+    hostName = "proxy";
-      nameservers = [ "10.4.0.2" "1.1.1.1" ];
+    nameservers = [ "10.4.0.2" "1.1.1.1" ];
      firewall.allowedTCPPorts = [ 22 ];
      interfaces.ens3.useDHCP = true;
-      nat = {
+    interfaces.ens3.useDHCP = true;
-        enable = true;
+  };
        externalInterface = "ens3";
        internalInterfaces = ["wg0"];
        forwardPorts = [
          {
            destination =  "10.4.0.2:1194";
            proto = "udp";
            sourcePort = 1194;
          }
        ];
      };
-      wireguard = {
+  users.users.root.openssh.authorizedKeys.keys = [
-        interfaces."wg0" = {
+    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCuURERnIFe2XbNu6AsPe2DO11RuaHxVGUcaoJUsIB1F+VOggOVLhxSenOPYLm6NvvGeXVi95G5Sm1UZRcJEEkvxus4bSViV4t/Q2azfYFE27yRH/IeMMoWNPGYNm5Bok2qFb4vHifra9FffwXnOzr0nDDTdHXCft4TO5nsenLJwqu5zOO1CR7J52otY7LheNPyzbGxgIkB3Y7LeOj1+/xXSOJ379NOL2RQBobsg7k442WCX7tU6AC1ct3W+93tcJUUdzJKTT9TJ+XmhdjXNWhDd+QZUNAMr+nKoEdExHp0H40/wIhcLD2OV95gX4i/YBzCg4OQOqZqWiibiEQfGTSAh5aD+nX/PqjXf0XSLEUOA81biLFu28oO8gocjwnhgqmlghvO4SG1rs6uZ8EyPyWsrVMjy8B9FX4aloKqua3aicgC+upjLl3x+KkMJizlMB5Ew7KOjPsjXwMqeJmeBOEd6TSEctttR+lIp+/368FtwXeBxzx9MBT4620mnjWtVKM= giulio@gAluminum"
-          listenPort = 1195;
+  ];
-          ips = [ "10.4.0.1/24" ];
+}
          privateKeyFile = "/secrets/wireguard/server.key";
          postSetup = ''
            /run/current-system/sw/bin/iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
          '';
          postShutdown = ''
            /run/current-system/sw/bin/iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE
          '';
          peers = [
            {
              allowedIPs = [ "10.4.0.2" "10.3.0.0/24" ];
              publicKey = "73oFhyQA3mgX4GmN6ul5HuOsgxa4INlzCPsyuXna0AA=";
            }
          ];
        };
      };
    };
    services = {
      fail2ban.enable = true;
    };
    users.users.root.openssh.authorizedKeys.keys = [
      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCuURERnIFe2XbNu6AsPe2DO11RuaHxVGUcaoJUsIB1F+VOggOVLhxSenOPYLm6NvvGeXVi95G5Sm1UZRcJEEkvxus4bSViV4t/Q2azfYFE27yRH/IeMMoWNPGYNm5Bok2qFb4vHifra9FffwXnOzr0nDDTdHXCft4TO5nsenLJwqu5zOO1CR7J52otY7LheNPyzbGxgIkB3Y7LeOj1+/xXSOJ379NOL2RQBobsg7k442WCX7tU6AC1ct3W+93tcJUUdzJKTT9TJ+XmhdjXNWhDd+QZUNAMr+nKoEdExHp0H40/wIhcLD2OV95gX4i/YBzCg4OQOqZqWiibiEQfGTSAh5aD+nX/PqjXf0XSLEUOA81biLFu28oO8gocjwnhgqmlghvO4SG1rs6uZ8EyPyWsrVMjy8B9FX4aloKqua3aicgC+upjLl3x+KkMJizlMB5Ew7KOjPsjXwMqeJmeBOEd6TSEctttR+lIp+/368FtwXeBxzx9MBT4620mnjWtVKM= giulio@gAluminum"
    ];
  }
--- a/hosts/proxy/ssh.nix
+++ b/hosts/proxy/ssh.nix
@ -0,0 +1,15 @@
 { config, ...}:
 {
  services = {
    fail2ban.enable = true;
    openssh = {
      permitRootLogin = "prohibit-password";
      passwordAuthentication = false;
      enable = true;
    };
  };
  networking.firewall.allowedTCPPorts = [ 22 ];
 }
--- a/hosts/proxy/wireguard.nix
+++ b/hosts/proxy/wireguard.nix
@ -0,0 +1,46 @@
 { config, ...}:
 let
  wg_if = "wg0";
  wan_if = "ens3";
 in {
  networking = {
    firewall.allowedUDPPorts = [ 1195 ];
    nat = {
      enable = true;
      externalInterface = wan_if;
      internalInterfaces = [ wg_if ];
      forwardPorts = [
        {
          destination =  "10.4.0.2:1194";
          proto = "udp";
          sourcePort = 1194;
        }
      ];
    };
    wireguard = {
      interfaces.${wg_if} = {
        listenPort = 1195;
        ips = [ "10.4.0.1/24" ];
        privateKeyFile = "/secrets/wireguard/server.key";
        postSetup = ''
              /run/current-system/sw/bin/iptables -t nat -A POSTROUTING -o ${wg_if} -j MASQUERADE
        '';
        postShutdown = ''
              /run/current-system/sw/bin/iptables -t nat -D POSTROUTING -o ${wg_if} -j MASQUERADE
        '';
        peers = [
          {
            allowedIPs = [ "10.4.0.2" "10.3.0.0/24" ];
            publicKey = "73oFhyQA3mgX4GmN6ul5HuOsgxa4INlzCPsyuXna0AA=";
          }
        ];
      };
    };
  };
 }