peperunas/nixos
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

cleanup

Browse Source
This commit is contained in:
Giulio De Pasquale 2021-10-06 17:31:41 +00:00
parent caedfac586
commit ced9c72d4a
1 changed files with 49 additions and 48 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

95
hosts/proxy/default.nix
View File

@ -9,61 +9,62 @@
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
networking.useDHCP = false;
networking.interfaces.ens3.useDHCP = true;
networking.hostName = "proxy";
environment.systemPackages = with pkgs; [
neovim
git
tcpdump
];
networking.nameservers = [ "10.4.0.2" "1.1.1.1" ];
networking.firewall.allowedTCPPorts = [ 22 ];
system.stateVersion = "21.05"; # Did you read the comment?
boot.loader.grub.devices = [ "/dev/sda" ];
services.openssh.permitRootLogin = "prohibit-password";
services.openssh.passwordAuthentication = false;
services.openssh.enable = true;
networking.nat = {
enable = true;
externalInterface = "ens3";
internalInterfaces = ["wg0"];
forwardPorts = [
{
destination = "10.4.0.2:1194";
proto = "udp";
sourcePort = 1194;
}
];
};
networking = {
useDHCP = false;
hostName = "proxy";
nameservers = [ "10.4.0.2" "1.1.1.1" ];
networking.wireguard = {
interfaces."wg0" = {
listenPort = 1195;
ips = [ "10.4.0.1/24" ];
privateKeyFile = "/secrets/wireguard/server.key";
firewall.allowedTCPPorts = [ 22 ];
interfaces.ens3.useDHCP = true;
postSetup = ''
/run/current-system/sw/bin/iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
'';
postShutdown = ''
/run/current-system/sw/bin/iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE
'';
peers = [
nat = {
enable = true;
externalInterface = "ens3";
internalInterfaces = ["wg0"];
forwardPorts = [
{
# architect
allowedIPs = [ "10.4.0.2" "10.3.0.0/24" ];
publicKey = "73oFhyQA3mgX4GmN6ul5HuOsgxa4INlzCPsyuXna0AA=";
}
];
};
};
users.users.root.openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCuURERnIFe2XbNu6AsPe2DO11RuaHxVGUcaoJUsIB1F+VOggOVLhxSenOPYLm6NvvGeXVi95G5Sm1UZRcJEEkvxus4bSViV4t/Q2azfYFE27yRH/IeMMoWNPGYNm5Bok2qFb4vHifra9FffwXnOzr0nDDTdHXCft4TO5nsenLJwqu5zOO1CR7J52otY7LheNPyzbGxgIkB3Y7LeOj1+/xXSOJ379NOL2RQBobsg7k442WCX7tU6AC1ct3W+93tcJUUdzJKTT9TJ+XmhdjXNWhDd+QZUNAMr+nKoEdExHp0H40/wIhcLD2OV95gX4i/YBzCg4OQOqZqWiibiEQfGTSAh5aD+nX/PqjXf0XSLEUOA81biLFu28oO8gocjwnhgqmlghvO4SG1rs6uZ8EyPyWsrVMjy8B9FX4aloKqua3aicgC+upjLl3x+KkMJizlMB5Ew7KOjPsjXwMqeJmeBOEd6TSEctttR+lIp+/368FtwXeBxzx9MBT4620mnjWtVKM= giulio@gAluminum"
];
}
destination = "10.4.0.2:1194";
proto = "udp";
sourcePort = 1194;
}
];
};
wireguard = {
interfaces."wg0" = {
listenPort = 1195;
ips = [ "10.4.0.1/24" ];
privateKeyFile = "/secrets/wireguard/server.key";
postSetup = ''
/run/current-system/sw/bin/iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
'';
postShutdown = ''
/run/current-system/sw/bin/iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE
'';
peers = [
{
allowedIPs = [ "10.4.0.2" "10.3.0.0/24" ];
publicKey = "73oFhyQA3mgX4GmN6ul5HuOsgxa4INlzCPsyuXna0AA=";
}
];
};
};
};
services = {
fail2ban.enable = true;
};
users.users.root.openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCuURERnIFe2XbNu6AsPe2DO11RuaHxVGUcaoJUsIB1F+VOggOVLhxSenOPYLm6NvvGeXVi95G5Sm1UZRcJEEkvxus4bSViV4t/Q2azfYFE27yRH/IeMMoWNPGYNm5Bok2qFb4vHifra9FffwXnOzr0nDDTdHXCft4TO5nsenLJwqu5zOO1CR7J52otY7LheNPyzbGxgIkB3Y7LeOj1+/xXSOJ379NOL2RQBobsg7k442WCX7tU6AC1ct3W+93tcJUUdzJKTT9TJ+XmhdjXNWhDd+QZUNAMr+nKoEdExHp0H40/wIhcLD2OV95gX4i/YBzCg4OQOqZqWiibiEQfGTSAh5aD+nX/PqjXf0XSLEUOA81biLFu28oO8gocjwnhgqmlghvO4SG1rs6uZ8EyPyWsrVMjy8B9FX4aloKqua3aicgC+upjLl3x+KkMJizlMB5Ew7KOjPsjXwMqeJmeBOEd6TSEctttR+lIp+/368FtwXeBxzx9MBT4620mnjWtVKM= giulio@gAluminum"
];
}