Update relay

2023-10-08 17:20:24 +09:00 · 2023-10-08 17:20:24 +09:00 · 905c9c1377
commit 905c9c1377
parent 594c109273
3 changed files with 84 additions and 80 deletions
--- a/nixos/hosts/osaka-vultr-01/default.nix
+++ b/nixos/hosts/osaka-vultr-01/default.nix
@ -1,10 +1,11 @@
 { config, lib, pkgs, modulesPath, desktop, username, ... }: {
  imports = [ 
    ./disks.nix
+    ./xinetd.nix
+    ./wireguard.nix
  ];
  # Enable distributed Builds
  nix.distributedBuilds = true;
-
  nixpkgs.config.allowUnfree = false;

  boot.initrd.availableKernelModules = [ "ata_piix" "ohci_pci" "virtio_pci" "virtio_blk" "sr_mod" ];
@ -18,83 +19,5 @@
  time.timeZone = "Asia/Tokyo";
  networking.hostName = "osaka-vultr-01";
  
-  networking.firewall.allowedTCPPorts = [ 
-    22 
-    80
-    443
-    2282
-  ];
-  networking.firewall.allowedUDPPorts = [ 51820 ];
-
-  # Set up the secrets file:
-  sops.secrets."wireguard_keys/osaka-vultr-01" = {
-    owner = "root";
-    sopsFile = ../../../secrets/wireguard.yaml;
-  };
-  sops.secrets."wireguard_keys/preshared_key" = {
-    owner = "root";
-    sopsFile = ../../../secrets/wireguard.yaml;
-  };
-
-  # Wireguard Forwarder
-  boot.kernel.sysctl = { 
-    "net.ipv4.ip_forward" = true; 
-    "net.ipv4.conf.all.forwarding" = 1;
-    "net.ipv4.conf.default.forwarding" = 1;
-  };
-  networking.firewall.allowPing = true;
-  networking.wireguard = {
-    enable = true;
-    interfaces = {
-      "wireguard0" = {
-        ips = [ "10.100.0.1/24" ];
-        listenPort = 51820;
-        privateKeyFile = "/run/secrets/wireguard_keys/osaka-vultr-01";
-        postSetup    = ''
-          ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eno3 -j MASQUERADE
-        '';
-        postShutdown = ''
-          ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eno3 -j MASQUERADE
-        '';
-        peers = [
-          { # nixos-rpi4-03
-            publicKey = "trHvfNtQ7HKMiJjxEXo2Iubq5G6egjx7gHiBlDmJ5Ek=";
-            presharedKeyFile = "/run/secrets/wireguard_keys/preshared_key";
-            persistentKeepalive = 5;
-            allowedIPs = [ "10.100.0.2/32" ];
-          }
-        ];
-      };
-    };
-  };
-
-  services.xinetd = {
-    enable = true;
-    services = [
-      {
-        name = "http";
-        port = 80;
-        server = "/usr/bin/env"; # Placeholder.
-        extraConfig = "redirect = 10.100.0.2 80";
-      }
-      {
-        name = "https";
-        server = "/usr/bin/env"; # Placeholder.
-        extraConfig = "redirect = 10.100.0.2 443";
-      }
-      {
-        name = "ssh";
-        port = 2282;
-        unlisted = true;
-        server = "/usr/bin/env"; # Placeholder.
-        extraConfig = "redirect = 10.100.0.2 22";
-      }
-    ];
-  };
-
-  networking.nat = {
-    enable = true;
-    internalInterfaces =  [ "wireguard0" ];
-    externalInterface  = "eno3";
-  };
+  networking.firewall.allowedTCPPorts = [ 22 ];
 }
--- a/nixos/hosts/osaka-vultr-01/wireguard.nix
+++ b/nixos/hosts/osaka-vultr-01/wireguard.nix
@ -0,0 +1,52 @@
+{ pkgs, config, lib, ... }: {
+  networking.firewall.allowedUDPPorts = [ 51820 ];
+
+  # Set up the secrets file:
+  sops.secrets."wireguard_keys/osaka-vultr-01" = {
+    owner = "root";
+    sopsFile = ../../../secrets/wireguard.yaml;
+  };
+
+  sops.secrets."wireguard_keys/preshared_key" = {
+    owner = "root";
+    sopsFile = ../../../secrets/wireguard.yaml;
+  };
+
+  # Wireguard Forwarder
+  boot.kernel.sysctl = { 
+    "net.ipv4.ip_forward" = true; 
+    "net.ipv4.conf.all.forwarding" = 1;
+    "net.ipv4.conf.default.forwarding" = 1;
+  };
+  networking.firewall.allowPing = true;
+  networking.wireguard = {
+    enable = true;
+    interfaces = {
+      "wireguard0" = {
+        ips = [ "10.100.0.1/24" ];
+        listenPort = 51820;
+        privateKeyFile = "/run/secrets/wireguard_keys/osaka-vultr-01";
+        postSetup    = ''
+          ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eno3 -j MASQUERADE
+        '';
+        postShutdown = ''
+          ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eno3 -j MASQUERADE
+        '';
+        peers = [
+          { # nixos-rpi4-03
+            publicKey = "trHvfNtQ7HKMiJjxEXo2Iubq5G6egjx7gHiBlDmJ5Ek=";
+            presharedKeyFile = "/run/secrets/wireguard_keys/preshared_key";
+            persistentKeepalive = 5;
+            allowedIPs = [ "10.100.0.2/32" ];
+          }
+        ];
+      };
+    };
+  };
+
+  networking.nat = {
+    enable = true;
+    internalInterfaces =  [ "wireguard0" ];
+    externalInterface  = "eno3";
+  };
+}
--- a/nixos/hosts/osaka-vultr-01/xinetd.nix
+++ b/nixos/hosts/osaka-vultr-01/xinetd.nix
@ -0,0 +1,29 @@
+{ config, lib, pkgs, ... }: {
+ networking.firewall.allowedTCPPorts = [
+    80
+    443
+ ];
+ 
+  services.xinetd = {
+    enable = true;
+    services = [
+      {
+        name = "http";
+        server = "/usr/bin/env"; # Placeholder.
+        extraConfig = "redirect = 10.100.0.2 80";
+      }
+      {
+        name = "https";
+        server = "/usr/bin/env"; # Placeholder.
+        extraConfig = "redirect = 10.100.0.2 443";
+      }
+      # {
+      #   name = "ssh";
+      #   port = 2282;
+      #   unlisted = true;
+      #   server = "/usr/bin/env"; # Placeholder.
+      #   extraConfig = "redirect = 10.100.0.2 22";
+      # }
+    ];
+  };
+}