diff --git a/nixos/hosts/osaka-vultr-01/default.nix b/nixos/hosts/osaka-vultr-01/default.nix index d581c5b9..e3d7d56e 100644 --- a/nixos/hosts/osaka-vultr-01/default.nix +++ b/nixos/hosts/osaka-vultr-01/default.nix @@ -1,10 +1,11 @@ { config, lib, pkgs, modulesPath, desktop, username, ... }: { imports = [ ./disks.nix + ./xinetd.nix + ./wireguard.nix ]; # Enable distributed Builds nix.distributedBuilds = true; - nixpkgs.config.allowUnfree = false; boot.initrd.availableKernelModules = [ "ata_piix" "ohci_pci" "virtio_pci" "virtio_blk" "sr_mod" ]; @@ -18,83 +19,5 @@ time.timeZone = "Asia/Tokyo"; networking.hostName = "osaka-vultr-01"; - networking.firewall.allowedTCPPorts = [ - 22 - 80 - 443 - 2282 - ]; - networking.firewall.allowedUDPPorts = [ 51820 ]; - - # Set up the secrets file: - sops.secrets."wireguard_keys/osaka-vultr-01" = { - owner = "root"; - sopsFile = ../../../secrets/wireguard.yaml; - }; - sops.secrets."wireguard_keys/preshared_key" = { - owner = "root"; - sopsFile = ../../../secrets/wireguard.yaml; - }; - - # Wireguard Forwarder - boot.kernel.sysctl = { - "net.ipv4.ip_forward" = true; - "net.ipv4.conf.all.forwarding" = 1; - "net.ipv4.conf.default.forwarding" = 1; - }; - networking.firewall.allowPing = true; - networking.wireguard = { - enable = true; - interfaces = { - "wireguard0" = { - ips = [ "10.100.0.1/24" ]; - listenPort = 51820; - privateKeyFile = "/run/secrets/wireguard_keys/osaka-vultr-01"; - postSetup = '' - ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eno3 -j MASQUERADE - ''; - postShutdown = '' - ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eno3 -j MASQUERADE - ''; - peers = [ - { # nixos-rpi4-03 - publicKey = "trHvfNtQ7HKMiJjxEXo2Iubq5G6egjx7gHiBlDmJ5Ek="; - presharedKeyFile = "/run/secrets/wireguard_keys/preshared_key"; - persistentKeepalive = 5; - allowedIPs = [ "10.100.0.2/32" ]; - } - ]; - }; - }; - }; - - services.xinetd = { - enable = true; - services = [ - { - name = "http"; - port = 80; - server = "/usr/bin/env"; # Placeholder. - extraConfig = "redirect = 10.100.0.2 80"; - } - { - name = "https"; - server = "/usr/bin/env"; # Placeholder. - extraConfig = "redirect = 10.100.0.2 443"; - } - { - name = "ssh"; - port = 2282; - unlisted = true; - server = "/usr/bin/env"; # Placeholder. - extraConfig = "redirect = 10.100.0.2 22"; - } - ]; - }; - - networking.nat = { - enable = true; - internalInterfaces = [ "wireguard0" ]; - externalInterface = "eno3"; - }; + networking.firewall.allowedTCPPorts = [ 22 ]; } \ No newline at end of file diff --git a/nixos/hosts/osaka-vultr-01/wireguard.nix b/nixos/hosts/osaka-vultr-01/wireguard.nix new file mode 100644 index 00000000..0b57e217 --- /dev/null +++ b/nixos/hosts/osaka-vultr-01/wireguard.nix @@ -0,0 +1,52 @@ +{ pkgs, config, lib, ... }: { + networking.firewall.allowedUDPPorts = [ 51820 ]; + + # Set up the secrets file: + sops.secrets."wireguard_keys/osaka-vultr-01" = { + owner = "root"; + sopsFile = ../../../secrets/wireguard.yaml; + }; + + sops.secrets."wireguard_keys/preshared_key" = { + owner = "root"; + sopsFile = ../../../secrets/wireguard.yaml; + }; + + # Wireguard Forwarder + boot.kernel.sysctl = { + "net.ipv4.ip_forward" = true; + "net.ipv4.conf.all.forwarding" = 1; + "net.ipv4.conf.default.forwarding" = 1; + }; + networking.firewall.allowPing = true; + networking.wireguard = { + enable = true; + interfaces = { + "wireguard0" = { + ips = [ "10.100.0.1/24" ]; + listenPort = 51820; + privateKeyFile = "/run/secrets/wireguard_keys/osaka-vultr-01"; + postSetup = '' + ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eno3 -j MASQUERADE + ''; + postShutdown = '' + ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eno3 -j MASQUERADE + ''; + peers = [ + { # nixos-rpi4-03 + publicKey = "trHvfNtQ7HKMiJjxEXo2Iubq5G6egjx7gHiBlDmJ5Ek="; + presharedKeyFile = "/run/secrets/wireguard_keys/preshared_key"; + persistentKeepalive = 5; + allowedIPs = [ "10.100.0.2/32" ]; + } + ]; + }; + }; + }; + + networking.nat = { + enable = true; + internalInterfaces = [ "wireguard0" ]; + externalInterface = "eno3"; + }; +} \ No newline at end of file diff --git a/nixos/hosts/osaka-vultr-01/xinetd.nix b/nixos/hosts/osaka-vultr-01/xinetd.nix new file mode 100644 index 00000000..7f5084e7 --- /dev/null +++ b/nixos/hosts/osaka-vultr-01/xinetd.nix @@ -0,0 +1,29 @@ +{ config, lib, pkgs, ... }: { + networking.firewall.allowedTCPPorts = [ + 80 + 443 + ]; + + services.xinetd = { + enable = true; + services = [ + { + name = "http"; + server = "/usr/bin/env"; # Placeholder. + extraConfig = "redirect = 10.100.0.2 80"; + } + { + name = "https"; + server = "/usr/bin/env"; # Placeholder. + extraConfig = "redirect = 10.100.0.2 443"; + } + # { + # name = "ssh"; + # port = 2282; + # unlisted = true; + # server = "/usr/bin/env"; # Placeholder. + # extraConfig = "redirect = 10.100.0.2 22"; + # } + ]; + }; +} \ No newline at end of file