From ced9c72d4a17b0a6d5f03dc7cf7e34a853e11ff2 Mon Sep 17 00:00:00 2001
From: Giulio De Pasquale
Date: Wed, 6 Oct 2021 17:31:41 +0000
Subject: [PATCH] cleanup

---
 hosts/proxy/default.nix | 97 +++++++++++++++++++++--------------
 1 file changed, 49 insertions(+), 48 deletions(-)

diff --git a/hosts/proxy/default.nix b/hosts/proxy/default.nix
index 9d0eac0..7c850de 100644
--- a/hosts/proxy/default.nix
+++ b/hosts/proxy/default.nix
@@ -9,61 +9,62 @@ boot.loader.grub.enable = true; boot.loader.grub.version = 2; - networking.useDHCP = false; - networking.interfaces.ens3.useDHCP = true; - networking.hostName = "proxy"; - environment.systemPackages = with pkgs; [ - neovim - git - tcpdump - ]; - - networking.nameservers = [ "10.4.0.2" "1.1.1.1" ]; - networking.firewall.allowedTCPPorts = [ 22 ]; system.stateVersion = "21.05"; # Did you read the comment? boot.loader.grub.devices = [ "/dev/sda" ]; services.openssh.permitRootLogin = "prohibit-password"; services.openssh.passwordAuthentication = false; services.openssh.enable = true; - networking.nat = { - enable = true; - externalInterface = "ens3"; - internalInterfaces = ["wg0"]; - forwardPorts = [ - { - destination = "10.4.0.2:1194"; - proto = "udp"; - sourcePort = 1194; - } - ]; - }; + networking = { + useDHCP = false; + hostName = "proxy"; + nameservers = [ "10.4.0.2" "1.1.1.1" ]; + + firewall.allowedTCPPorts = [ 22 ]; + interfaces.ens3.useDHCP = true; - networking.wireguard = { - interfaces."wg0" = { - listenPort = 1195; - ips = [ "10.4.0.1/24" ]; - privateKeyFile = "/secrets/wireguard/server.key"; - - postSetup = '' - /run/current-system/sw/bin/iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE - ''; - - postShutdown = '' - /run/current-system/sw/bin/iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE - ''; - peers = [ + nat = { + enable = true; + externalInterface = "ens3"; + internalInterfaces = ["wg0"]; + forwardPorts = [ { - # architect - allowedIPs = [ "10.4.0.2" "10.3.0.0/24" ]; - publicKey = "73oFhyQA3mgX4GmN6ul5HuOsgxa4INlzCPsyuXna0AA="; - } -]; - }; - }; - users.users.root.openssh.authorizedKeys.keys = [ - "ssh-rsa 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 giulio@gAluminum" - ]; -} + destination = "10.4.0.2:1194"; + proto = "udp"; + sourcePort = 1194; + } + ]; + }; + + wireguard = { + interfaces."wg0" = { + listenPort = 1195; + ips = [ "10.4.0.1/24" ]; + privateKeyFile = "/secrets/wireguard/server.key"; + + postSetup = '' + 
/run/current-system/sw/bin/iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE + ''; + + postShutdown = '' + /run/current-system/sw/bin/iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE + ''; + peers = [ + { + allowedIPs = [ "10.4.0.2" "10.3.0.0/24" ]; + publicKey = "73oFhyQA3mgX4GmN6ul5HuOsgxa4INlzCPsyuXna0AA="; + } + ]; + }; + }; + }; + + services = { + fail2ban.enable = true; + }; + users.users.root.openssh.authorizedKeys.keys = [ + "ssh-rsa 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 giulio@gAluminum" + ]; + }
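Review bot: The regrouped `firewall.allowedTCPPorts = [ 22 ];` opens only SSH, while the `wireguard.interfaces."wg0"` block a few lines below listens on UDP 1195 and nothing in this hunk adds that port to `firewall.allowedUDPPorts`; unless another module imported by this host does so, the NixOS firewall (on by default) will drop inbound WireGuard handshakes, so `firewall.allowedUDPPorts = [ 1195 ];` beside the TCP line would make the intent explicit. The `# architect` label on the WireGuard peer was dropped in the move; since a peer entry is otherwise identifiable only by its public key, keeping `# architect` above `allowedIPs = [ "10.4.0.2" "10.3.0.0/24" ];` is worth the one line. As a point of style, the new `services = { fail2ban.enable = true; };` block sits next to three dotted `services.openssh.*` lines that the same cleanup left alone; folding them into that one `services` attrset would match what was done for `networking`.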