From caedfac5861ea347706b4dcd41e9f2036def6181 Mon Sep 17 00:00:00 2001 From: Giulio De Pasquale Date: Wed, 6 Oct 2021 17:17:06 +0000 Subject: [PATCH 1/2] added proxy, use mkHost function --- acme.nix | 5 ++ common.nix | 10 +--- flake.nix | 60 +++------------------- hosts/proxy/coturn.nix | 66 ++++++++++++++++++++++++ hosts/proxy/default.nix | 69 ++++++++++++++++++++++++++ hosts/proxy/hardware-configuration.nix | 23 +++++++++ utils.nix | 38 ++++++++++++++ 7 files changed, 211 insertions(+), 60 deletions(-) create mode 100644 acme.nix create mode 100644 hosts/proxy/coturn.nix create mode 100644 hosts/proxy/default.nix create mode 100644 hosts/proxy/hardware-configuration.nix create mode 100644 utils.nix diff --git a/acme.nix b/acme.nix new file mode 100644 index 0000000..e149b7f --- /dev/null +++ b/acme.nix @@ -0,0 +1,5 @@ +{ ... }: +{ + security.acme.acceptTerms = true; + security.acme.email = "sysadmin@giugl.io"; +} diff --git a/common.nix b/common.nix index e9efbde..cfe90da 100644 --- a/common.nix +++ b/common.nix @@ -1,4 +1,4 @@ -{ pkgs, variables, ... }: +{ config, pkgs, variables, lib, ... }: { console = { @@ -48,11 +48,5 @@ unzip tree smartmontools - ]; - - fileSystems."/var/cache" = { - device = "tmpfs"; - fsType = "tmpfs"; - options = ["size=3G"]; - }; + ]; } diff --git a/flake.nix b/flake.nix index 6237e1b..e217ad0 100644 --- a/flake.nix +++ b/flake.nix 
@@ -7,58 +7,14 @@ inputs.nixpkgs.follows = "nixpkgs"; }; }; - - outputs = { self, nixpkgs, nixos-unstable, home-manager }: - let - system = "x86_64-linux"; - - unstable = import nixos-unstable { - inherit system; - config.allowUnfree = true; - }; - - pkgs = import nixpkgs { - inherit system; - config.allowUnfree = true; - overlays = [ (final: prev: { inherit unstable; }) ]; - }; - in { - nixosConfigurations.architect = nixpkgs.lib.nixosSystem { - inherit system; - - modules = [ - { - nixpkgs.pkgs = pkgs; - nix.nixPath = [ - "nixpkgs=${nixpkgs}" - "unstable=${nixos-unstable}" - ]; - nix.registry.nixpkgs.flake = nixpkgs; - nix.registry.unstable.flake = nixos-unstable; - } - - home-manager.nixosModules.home-manager - ./hosts/architect/default.nix - ]; - }; - - nixosConfigurations.gAluminum = nixpkgs.lib.nixosSystem { - inherit system; - - modules = [ - { - nixpkgs.pkgs = pkgs; - nix.nixPath = [ - "nixpkgs=${nixpkgs}" - "unstable=${nixos-unstable}" - ]; - nix.registry.nixpkgs.flake = nixpkgs; - nix.registry.unstable.flake = nixos-unstable; - } - - home-manager.nixosModules.home-manager - ./hosts/gAluminum/default.nix - ]; + + outputs = { self, nixpkgs, nixos-unstable, home-manager }: let + util = import ./utils.nix { inherit nixpkgs nixos-unstable home-manager; }; + in { + nixosConfigurations = { + architect = util.mkHost { name = "architect"; }; + gAluminum = util.mkHost { name = "gAluminum"; }; + proxy = util.mkHost { name = "proxy"; }; }; }; } diff --git a/hosts/proxy/coturn.nix b/hosts/proxy/coturn.nix new file mode 100644 index 0000000..3148bda --- /dev/null +++ b/hosts/proxy/coturn.nix 
@@ -0,0 +1,66 @@ +{pkgs, config, ...}: + +let + realm = "turn.giugl.io"; + static-auth-secret = "69duck duck fuck420"; +in { + services.coturn = rec { + enable = true; + no-cli = true; + no-tcp-relay = true; + min-port = 49000; + max-port = 50000; + use-auth-secret = true; +# cert = "${config.security.acme.certs.${realm}.directory}/full.pem"; +# pkey = "${config.security.acme.certs.${realm}.directory}/key.pem"; + extraConfig = '' + # for debugging + verbose + # ban private IP ranges + no-multicast-peers + denied-peer-ip=0.0.0.0-0.255.255.255 + denied-peer-ip=10.0.0.0-10.255.255.255 + denied-peer-ip=100.64.0.0-100.127.255.255 + denied-peer-ip=127.0.0.0-127.255.255.255 + denied-peer-ip=169.254.0.0-169.254.255.255 + denied-peer-ip=172.16.0.0-172.31.255.255 + denied-peer-ip=192.0.0.0-192.0.0.255 + denied-peer-ip=192.0.2.0-192.0.2.255 + denied-peer-ip=192.88.99.0-192.88.99.255 + denied-peer-ip=192.168.0.0-192.168.255.255 + denied-peer-ip=198.18.0.0-198.19.255.255 + denied-peer-ip=198.51.100.0-198.51.100.255 + denied-peer-ip=203.0.113.0-203.0.113.255 + denied-peer-ip=240.0.0.0-255.255.255.255 + denied-peer-ip=::1 + denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff + denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255 + denied-peer-ip=100::-100::ffff:ffff:ffff:ffff + denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff + denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff + denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff + denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff + ''; + }; + # open the firewall + networking.firewall = { + interfaces.ens3 = let + range = with config.services.coturn; [ { + from = min-port; + to = max-port; + } ]; + in + { + allowedUDPPortRanges = range; + allowedUDPPorts = [ 3478 ]; + allowedTCPPortRanges = range; + allowedTCPPorts = [ 3478 ]; + }; + }; + # get a certificate +# security.acme.certs.${realm} = { +# webroot = "/var/lib/acme/acme-challenge"; +# postRun = "systemctl restart coturn.service"; +# 
group = "turnserver"; +# }; +} diff --git a/hosts/proxy/default.nix b/hosts/proxy/default.nix new file mode 100644 index 0000000..9d0eac0 --- /dev/null +++ b/hosts/proxy/default.nix @@ -0,0 +1,69 @@ +{ config, pkgs, ... }: + +{ + imports = + [ + ./hardware-configuration.nix + ./coturn.nix + ]; + + boot.loader.grub.enable = true; + boot.loader.grub.version = 2; + networking.useDHCP = false; + networking.interfaces.ens3.useDHCP = true; + networking.hostName = "proxy"; + + environment.systemPackages = with pkgs; [ + neovim + git + tcpdump + ]; + + networking.nameservers = [ "10.4.0.2" "1.1.1.1" ]; + networking.firewall.allowedTCPPorts = [ 22 ]; + system.stateVersion = "21.05"; # Did you read the comment? + boot.loader.grub.devices = [ "/dev/sda" ]; + services.openssh.permitRootLogin = "prohibit-password"; + services.openssh.passwordAuthentication = false; + services.openssh.enable = true; + + networking.nat = { + enable = true; + externalInterface = "ens3"; + internalInterfaces = ["wg0"]; + forwardPorts = [ + { + destination = "10.4.0.2:1194"; + proto = "udp"; + sourcePort = 1194; + } + ]; + }; + + networking.wireguard = { + interfaces."wg0" = { + listenPort = 1195; + ips = [ "10.4.0.1/24" ]; + privateKeyFile = "/secrets/wireguard/server.key"; + + postSetup = '' + /run/current-system/sw/bin/iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE + ''; + + postShutdown = '' + /run/current-system/sw/bin/iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE + ''; + peers = [ + { + # architect + allowedIPs = [ "10.4.0.2" "10.3.0.0/24" ]; + publicKey = "73oFhyQA3mgX4GmN6ul5HuOsgxa4INlzCPsyuXna0AA="; + } +]; + }; + }; + users.users.root.openssh.authorizedKeys.keys = [ + "ssh-rsa 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 giulio@gAluminum" + ]; +} + diff --git a/hosts/proxy/hardware-configuration.nix b/hosts/proxy/hardware-configuration.nix new file mode 100644 index 0000000..7a5d8f4 --- /dev/null +++ b/hosts/proxy/hardware-configuration.nix 
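Review bot: `static-auth-secret = "69duck duck fuck420"` in the `let` block is a plaintext TURN shared secret committed to the repository, and nothing in this hunk references it — `services.coturn` sets `use-auth-secret = true` but never assigns `static-auth-secret`, so unless the secret is supplied by another module the server is enabled without the credential it expects. Treat the value as exposed once pushed, rotate it, and keep it out of the repo and the Nix store the way `hosts/proxy/default.nix` does with `privateKeyFile = "/secrets/wireguard/server.key"`; newer nixpkgs expose `services.coturn.static-auth-secret-file` for this, and where the pinned release lacks it the secret should still not be interpolated into `extraConfig`, since that lands it world-readable in the store. `realm` is likewise only used by the commented-out `cert`/`pkey` and `security.acme.certs` lines, so the 3478 listener currently runs without TLS; either finish the ACME wiring or replace the commented block with `# TODO: TURN is plaintext until the ACME certificate for ${realm} is provisioned` so the gap is visible rather than dead code.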
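Review bot: The WireGuard endpoint `listenPort = 1195` on `wg0` is not in the firewall allow-list — this hunk opens only `networking.firewall.allowedTCPPorts = [ 22 ]` (and `coturn.nix` adds 3478 plus the relay range on `ens3`), so unless another module opens 1195/udp, inbound handshakes from the `architect` peer are dropped on INPUT and the tunnel cannot be established from that side; the fix is `networking.firewall.allowedUDPPorts = [ 1195 ];` next to the TCP list. The `forwardPorts` DNAT for 1194/udp is not affected, because forwarded traffic is not subject to the host's INPUT allow-list. The same gap is carried into the second commit's rewrite of `hosts/proxy/default.nix`, where the `networking = { ... }` set still lists only `firewall.allowedTCPPorts = [ 22 ]`.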
@@ -0,0 +1,23 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ "ata_piix" "virtio_pci" "virtio_scsi" "xhci_pci" "sd_mod" "sr_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/8b5bcd4a-02b8-4e11-b856-eda792b8b7b8"; + fsType = "ext4"; + }; + + swapDevices = [ ]; + +} diff --git a/utils.nix b/utils.nix new file mode 100644 index 0000000..6a2c8e6 --- /dev/null +++ b/utils.nix @@ -0,0 +1,38 @@ +{ nixos-unstable, nixpkgs, home-manager, ... }: + +{ + mkHost = {name}: + let + system = "x86_64-linux"; + + unstable = import nixos-unstable { + inherit system; + config.allowUnfree = true; + }; + + pkgs = import nixpkgs { + inherit system; + config.allowUnfree = true; + overlays = [ (final: prev: { inherit unstable; }) ]; + }; + in nixpkgs.lib.nixosSystem { + inherit system; + modules = [ + { + nixpkgs.pkgs = pkgs; + nix.nixPath = [ + "nixpkgs=${nixpkgs}" + "unstable=${nixos-unstable}" + ]; + nix.registry.nixpkgs.flake = nixpkgs; + nix.registry.unstable.flake = nixos-unstable; + } + + ./common.nix + ./users.nix + home-manager.nixosModules.home-manager + ./hosts/${name}/default.nix + ./acme.nix + ]; + }; +} From ced9c72d4a17b0a6d5f03dc7cf7e34a853e11ff2 Mon Sep 17 00:00:00 2001 From: Giulio De Pasquale Date: Wed, 6 Oct 2021 17:31:41 +0000 Subject: [PATCH 2/2] cleanup --- hosts/proxy/default.nix | 97 +++++++++++++++++++++-------------------- 1 file changed, 49 insertions(+), 48 deletions(-) diff --git a/hosts/proxy/default.nix b/hosts/proxy/default.nix index 9d0eac0..7c850de 100644 --- a/hosts/proxy/default.nix +++ b/hosts/proxy/default.nix 
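Review bot: `mkHost` evaluates `import nixpkgs { ... }` and `import nixos-unstable { ... }` inside its own `let`, so each of the three `mkHost` calls in `flake.nix` instantiates its own `pkgs` and `unstable` even though the `let` depends only on the file's arguments, not on `name`. Hoisting that block to the top of `utils.nix` shares the evaluation across hosts and leaves `system` defined once; the call sites and the resulting configurations are unchanged. A one-line header comment such as `# mkHost: build a nixosSystem for ./hosts/<name>, sharing pkgs/unstable across hosts` would also document the contract the flake now relies on.

```nix
{ nixos-unstable, nixpkgs, home-manager, ... }:
let
  system = "x86_64-linux";
  # … unchanged: unstable and pkgs imports with allowUnfree and the unstable overlay …
in {
  mkHost = { name }: nixpkgs.lib.nixosSystem {
    inherit system;
    # … unchanged: modules list …
  };
}
```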
@@ -9,61 +9,62 @@ boot.loader.grub.enable = true; boot.loader.grub.version = 2; - networking.useDHCP = false; - networking.interfaces.ens3.useDHCP = true; - networking.hostName = "proxy"; - environment.systemPackages = with pkgs; [ - neovim - git - tcpdump - ]; - - networking.nameservers = [ "10.4.0.2" "1.1.1.1" ]; - networking.firewall.allowedTCPPorts = [ 22 ]; system.stateVersion = "21.05"; # Did you read the comment? boot.loader.grub.devices = [ "/dev/sda" ]; services.openssh.permitRootLogin = "prohibit-password"; services.openssh.passwordAuthentication = false; services.openssh.enable = true; - networking.nat = { - enable = true; - externalInterface = "ens3"; - internalInterfaces = ["wg0"]; - forwardPorts = [ - { - destination = "10.4.0.2:1194"; - proto = "udp"; - sourcePort = 1194; - } - ]; - }; + networking = { + useDHCP = false; + hostName = "proxy"; + nameservers = [ "10.4.0.2" "1.1.1.1" ]; + + firewall.allowedTCPPorts = [ 22 ]; + interfaces.ens3.useDHCP = true; - networking.wireguard = { - interfaces."wg0" = { - listenPort = 1195; - ips = [ "10.4.0.1/24" ]; - privateKeyFile = "/secrets/wireguard/server.key"; - - postSetup = '' - /run/current-system/sw/bin/iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE - ''; - - postShutdown = '' - /run/current-system/sw/bin/iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE - ''; - peers = [ + nat = { + enable = true; + externalInterface = "ens3"; + internalInterfaces = ["wg0"]; + forwardPorts = [ { - # architect - allowedIPs = [ "10.4.0.2" "10.3.0.0/24" ]; - publicKey = "73oFhyQA3mgX4GmN6ul5HuOsgxa4INlzCPsyuXna0AA="; - } -]; - }; - }; - users.users.root.openssh.authorizedKeys.keys = [ - "ssh-rsa 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 giulio@gAluminum" - ]; -} + destination = "10.4.0.2:1194"; + proto = "udp"; + sourcePort = 1194; + } + ]; + }; + + wireguard = { + interfaces."wg0" = { + listenPort = 1195; + ips = [ "10.4.0.1/24" ]; + privateKeyFile = "/secrets/wireguard/server.key"; + + postSetup = '' + 
/run/current-system/sw/bin/iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE + ''; + + postShutdown = '' + /run/current-system/sw/bin/iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE + ''; + peers = [ + { + allowedIPs = [ "10.4.0.2" "10.3.0.0/24" ]; + publicKey = "73oFhyQA3mgX4GmN6ul5HuOsgxa4INlzCPsyuXna0AA="; + } + ]; + }; + }; + }; + + services = { + fail2ban.enable = true; + }; + users.users.root.openssh.authorizedKeys.keys = [ + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCuURERnIFe2XbNu6AsPe2DO11RuaHxVGUcaoJUsIB1F+VOggOVLhxSenOPYLm6NvvGeXVi95G5Sm1UZRcJEEkvxus4bSViV4t/Q2azfYFE27yRH/IeMMoWNPGYNm5Bok2qFb4vHifra9FffwXnOzr0nDDTdHXCft4TO5nsenLJwqu5zOO1CR7J52otY7LheNPyzbGxgIkB3Y7LeOj1+/xXSOJ379NOL2RQBobsg7k442WCX7tU6AC1ct3W+93tcJUUdzJKTT9TJ+XmhdjXNWhDd+QZUNAMr+nKoEdExHp0H40/wIhcLD2OV95gX4i/YBzCg4OQOqZqWiibiEQfGTSAh5aD+nX/PqjXf0XSLEUOA81biLFu28oO8gocjwnhgqmlghvO4SG1rs6uZ8EyPyWsrVMjy8B9FX4aloKqua3aicgC+upjLl3x+KkMJizlMB5Ew7KOjPsjXwMqeJmeBOEd6TSEctttR+lIp+/368FtwXeBxzx9MBT4620mnjWtVKM= giulio@gAluminum" + ]; + }
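Review bot: `services = { fail2ban.enable = true; };` is added as a separate attribute set while the three `services.openssh.*` lines stay above it in dotted form; since this commit consolidates `networking.*` into one set, fold them together for consistency, e.g. `services = { openssh = { enable = true; permitRootLogin = "prohibit-password"; passwordAuthentication = false; }; fail2ban.enable = true; };`. `system.stateVersion = "21.05"; # Did you read the comment?` refers to the generated explanatory comment that is not present in this file, so the trailer dangles; replace it with a comment stating what the value guards, such as `# pins stateful defaults; do not bump on upgrades`. The module head (`{ config, pkgs, ... }:` and `imports`) starts outside the hunk.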