diff --git a/hosts/default.nix b/hosts/default.nix index 242fded..532097a 100644 --- a/hosts/default.nix +++ b/hosts/default.nix @@ -1,8 +1,11 @@ -{ self, inputs, ... }: +{ self, inputs, globalArgs, ... }: let inherit (inputs) nixpkgs; - commonModules = [ ./modules/nvim ]; + commonModules = [ + ./modules/nvim + globalArgs + ]; personalModules = [ ./modules/sound.nix ]; serverModules = [ ./modules/server.nix ]; builders = [ ./modules/x86builder.nix ]; diff --git a/hosts/marisa/networking.nix b/hosts/marisa/networking.nix index 27b8bc2..5d811c5 100644 --- a/hosts/marisa/networking.nix +++ b/hosts/marisa/networking.nix @@ -1,4 +1,4 @@ -{ config, pkgs, ... }: +{ config, pkgs, network, ... }: { networking = { hostName = "marisa"; @@ -42,16 +42,16 @@ }]; }; }; - wireguard.interfaces.wg0 = { - ips = [ "10.55.0.2/24" ]; + wireguard.interfaces.wg0 = with network.address.wireguard.ips; { + ips = [ marisa ]; listenPort = 17840; privateKeyFile = "/var/secrets/wg.key"; peers = [ { #Oracle VM1 publicKey = "z0Y2VNEWcyVQVSqRHiwmiJ5/0MgSPM+HZfEcwIccSxM="; - allowedIPs = [ "10.55.0.0/24" ]; - endpoint = "weirdnatto.in:17840"; + allowedIPs = [ remilia ]; + endpoint = "${network.addresses.domain.natto}:17840"; persistentKeepalive = 25; } ]; diff --git a/hosts/remilia/mailserver.nix b/hosts/remilia/mailserver.nix index bdcf8b3..b7b67d9 100644 --- a/hosts/remilia/mailserver.nix +++ b/hosts/remilia/mailserver.nix 
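Review bot: Narrowing the remilia peer's `allowedIPs` from `10.55.0.0/24` to the single `remilia` entry (`10.55.0.1`) also removes the route that let marisa reach satori through the hub, and `ips = [ marisa ]` drops the `/24` the old address carried, so the interface presumably ends up with a `/32` address plus only the per-allowedIP routes the module adds. If marisa→satori traffic via remilia is still wanted (remilia keeps a `FORWARD -i wg0 -j ACCEPT` rule in its own config), keep the whole subnet here: `allowedIPs = [ network.addresses.wireguard.ipsWithPrefixLength ];`. If the narrowing is intentional, a short comment on the peer saying it is hub-only would stop the next reader from "fixing" it. The enclosing `networking` set begins above this hunk.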
@@ -1,21 +1,23 @@ -{ config, pkgs, lib, ... }: +{ config, pkgs, lib, network, ... }: { - mailserver = with lib; rec { - enable = true; - fqdn = "mail.weirdnatto.in"; - sendingFqdn = fqdn; - domains = singleton "weirdnatto.in"; - certificateDomains = singleton "mail.weirdnatto.in"; - certificateScheme = 3; - loginAccounts = { - "natto@weirdnatto.in" = { - hashedPasswordFile = "/var/secrets/natto@weirdnatto.in.key"; - }; - "masti@weirdnatto.in" = { - hashedPasswordFile = "/var/secrets/masti@weirdnatto.in.key"; + mailserver = + let domain = network.addresses.domain.natto; in + rec { + enable = true; + fqdn = "mail.${domain}"; + sendingFqdn = fqdn; + domains = [ domain ]; + certificateDomains = [ "mail.${domain}" ]; + certificateScheme = 3; + loginAccounts = { + "natto@${domain}" = { + hashedPasswordFile = "/var/secrets/natto@${domain}.key"; + }; + "masti@${domain}" = { + hashedPasswordFile = "/var/secrets/masti@${domain}.key"; + }; }; + enablePop3 = false; + enablePop3Ssl = false; }; - enablePop3 = false; - enablePop3Ssl = false; - }; } diff --git a/hosts/remilia/networking.nix b/hosts/remilia/networking.nix index e913ad2..32931da 100644 --- a/hosts/remilia/networking.nix +++ b/hosts/remilia/networking.nix @@ -1,4 +1,4 @@ -{ lib, config, pkgs, ... }: +{ lib, config, network, pkgs, ... }: { networking = { useDHCP = false; @@ -7,21 +7,8 @@ { interfaces = { ens3 = { - allowedTCPPorts = [ - 80 - 81 - 443 - 444 - 993 - 465 - 143 - 25 - 22001 - 22002 - 9898 - 8999 - 99 - ] ++ (map (x: x.sourcePort) config.networking.nat.forwardPorts); + allowedTCPPorts = [ 80 81 443 444 993 465 143 25 22001 22002 9898 8999 99 5201 4444 ] + ++ (map (x: x.sourcePort) config.networking.nat.forwardPorts); allowedUDPPorts = [ 17840 ]; }; }; 
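Review bot: The secret paths `"/var/secrets/natto@${domain}.key"` and `"/var/secrets/masti@${domain}.key"` are now derived from `network.addresses.domain.natto`, so a domain change in lib/network.nix silently points both accounts at files that do not exist, and the failure presumably surfaces only at activation or first login rather than at evaluation. Either keep the secret file names literal, decoupled from the domain, or add a comment on `loginAccounts` such as `# secret file names follow the domain; rename /var/secrets/*.key when changing network.addresses.domain.natto`. Separately, `"mail.${domain}"` is spelled twice (`fqdn` and `certificateDomains`); inside this `rec` set `certificateDomains = [ fqdn ];` keeps the two from drifting.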
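Review bot: The rewritten `allowedTCPPorts` on the public interface `ens3` adds `5201` and `4444` to the literal list, but nothing in this change introduces a service on 5201 (the iperf3 default), and 4444 is already opened by the `++ (map (x: x.sourcePort) config.networking.nat.forwardPorts)` tail because it is a `forwardPorts.sourcePort` in this same file. A port opened to the internet with no consumer in the repo is easy to forget; either drop `5201` or comment it with what listens there, and drop the duplicated `4444` so the `forwardPorts` map stays the single source of truth for forwarded ports. Collapsing the list onto one line also makes exactly this kind of review harder than the old one-port-per-line form did.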
@@ -40,46 +27,46 @@ useDHCP = true; }; }; - nat = { + nat = with network.addresses.wireguard.ips; { enable = true; externalInterface = "ens3"; internalInterfaces = [ "wg0" ]; forwardPorts = [ { - destination = "10.55.0.2:2002"; + destination = "${marisa}:2002"; sourcePort = 22; } { - destination = "10.55.0.2:22"; - sourcePort = 23; + destination = "${satori}:6600"; + sourcePort = 6600; } { - destination = "10.55.0.3:6600"; - sourcePort = 6600; + destination = "${satori}:25565"; + sourcePort = 4444; } ]; }; - wireguard.interfaces = { + wireguard.interfaces = with network.addresses.wireguard; { wg0 = { - ips = [ "10.55.0.1/24" ]; + ips = [ ips.remilia ]; listenPort = 17840; postSetup = '' ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT - ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.55.0.0/24 -o ${config.networking.nat.externalInterface} -j MASQUERADE + ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s ${ipsWithPrefixLength} -o ${config.networking.nat.externalInterface} -j MASQUERADE ''; postShutdown = '' ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT - ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.55.0.0/24 -o ${config.networking.nat.externalInterface} -j MASQUERADE + ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s ${ipsWithPrefixLength} -o ${config.networking.nat.externalInterface} -j MASQUERADE ''; privateKeyFile = "/var/wg"; peers = [ { publicKey = "m9SSpkj+r2QY4YEUMEoTkbOI/L7C39Kh6m45QZ5mkw4="; - allowedIPs = [ "10.55.0.2/32" ]; + allowedIPs = [ ips.marisa ]; } { publicKey = "SqskEH7hz7Gv9ZS+FYLRFgKZyJCFbBFCyuvzBYnbfVU="; - allowedIPs = [ "10.55.0.3/32" ]; + allowedIPs = [ ips.satori ]; } ]; }; diff --git a/hosts/remilia/services.nix b/hosts/remilia/services.nix index 5d6274d..eed6db7 100644 --- a/hosts/remilia/services.nix +++ b/hosts/remilia/services.nix 
@@ -1,4 +1,7 @@ -{ config, pkgs, lib, ... }: +{ config, pkgs, lib, network, ... }: +let + domain = network.addresses.domain.natto; +in { services = { openssh = { @@ -20,7 +23,7 @@ appendHttpConfig = '' map $uri $expires { default off; - ~\.(jpg|jpeg|png|gif|ico|css|js|pdf)$ 30d; + ~\.(jpg|jpeg|png|gif|ico|css|js)$ 30d; } ''; virtualHosts = 
@@ -37,33 +40,34 @@ }; }; in - { - "weirdnatto.in" = { + with network.addresses.wireguard.ips; { + "${domain}" = { addSSL = true; enableACME = true; locations."/" = { root = "/var/lib/site"; index = "index.html"; }; - serverAliases = [ "www.weirdnatto.in" ]; + serverAliases = [ "www.${domain}" ]; }; - "vault.weirdnatto.in" = genericHttpRProxy { addr = "https://10.55.0.2:8800"; }; - "consul.weirdnatto.in" = genericHttpRProxy { addr = "http://10.55.0.2:8500"; }; - "f.weirdnatto.in" = genericHttpRProxy { addr = "http://10.55.0.2:8888"; }; - "radio.weirdnatto.in" = genericHttpRProxy { addr = "http://10.55.0.3:8001"; }; - "git.weirdnatto.in" = genericHttpRProxy { - addr = "http://10.55.0.2:5001"; + "znc.weirdnatto.in" = genericHttpRProxy { addr = "https://${marisa}:9898"; }; + "vault.${domain}" = genericHttpRProxy { addr = "https://${marisa}:8800"; }; + "consul.${domain}" = genericHttpRProxy { addr = "http://${marisa}:8500"; }; + "f.${domain}" = genericHttpRProxy { addr = "http://${marisa}:8888"; }; + "radio.${domain}" = genericHttpRProxy { addr = "http://${satori}:8001"; }; + "git.${domain}" = genericHttpRProxy { + addr = "http://${marisa}:5001"; conf = "client_max_body_size 64M;"; }; - "nomad.weirdnatto.in" = genericHttpRProxy { - addr = "http://10.55.0.2:4646"; + "nomad.${domain}" = genericHttpRProxy { + addr = "http://${marisa}:4646"; conf = '' proxy_buffering off; proxy_read_timeout 310s; ''; }; - "alo.weirdnatto.in" = genericHttpRProxy { - addr = "http://10.55.0.2:4004"; + "alo.${domain}" = genericHttpRProxy { + addr = "http://${marisa}:4004"; conf = '' proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 
@@ -82,9 +86,9 @@ security.acme = { acceptTerms = true; certs = { - "weirdnatto.in".extraDomainNames = lib.singleton "www.weirdnatto.in"; + "${domain}".extraDomainNames = lib.singleton "www.${domain}"; } // - lib.mapAttrs (n: _: { email = "natto@weirdnatto.in"; }) + lib.mapAttrs (n: _: { email = "natto@${domain}"; }) (lib.filterAttrs (_: v: v.enableACME) config.services.nginx.virtualHosts); }; security.pki.certificateFiles = [ ../../cert.pem ]; diff --git a/hosts/satori/networking.nix b/hosts/satori/networking.nix index b680a20..7959b12 100644 --- a/hosts/satori/networking.nix +++ b/hosts/satori/networking.nix @@ -1,4 +1,4 @@ -{ config, pkgs, ... }: +{ config, pkgs, network, ... }: { networking = { @@ -18,16 +18,16 @@ }; }; - wireguard.interfaces.wg0 = { - ips = [ "10.55.0.3/32" ]; + wireguard.interfaces.wg0 = with network.addresses.wireguard.ips; { + ips = [ satori ]; listenPort = 17840; privateKeyFile = "/var/secrets/wg.key"; peers = [ { #Oracle VM1 publicKey = "z0Y2VNEWcyVQVSqRHiwmiJ5/0MgSPM+HZfEcwIccSxM="; - allowedIPs = [ "10.55.0.0/24" ]; - endpoint = "weirdnatto.in:17840"; + allowedIPs = [ remilia ]; + endpoint = "${network.addresses.domain.natto}:17840"; persistentKeepalive = 25; } ]; diff --git a/lib/default.nix b/lib/default.nix index b63bc07..4022d53 100644 --- a/lib/default.nix +++ b/lib/default.nix @@ -7,6 +7,7 @@ inherit inputs self; flake = self; colors = import ./colors.nix; + network = import ./network.nix; }; }; } diff --git a/lib/network.nix b/lib/network.nix new file mode 100644 index 0000000..363f5ba --- /dev/null +++ b/lib/network.nix @@ -0,0 +1,17 @@ +{ + addresses = { + wireguard = rec { + ipPrefix = "10.55.0"; + prefixLength = 24; + ipsWithPrefixLength = "10.55.0.0/24"; + ips = { + remilia = "${ipPrefix}.1"; + marisa = "${ipPrefix}.2"; + satori = "${ipPrefix}.3"; + }; + }; + domain = { + natto = "weirdnatto.in"; + }; + }; +}
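Review bot: As on marisa, `allowedIPs = [ remilia ]` narrows this peer from the whole `10.55.0.0/24` to `10.55.0.1`, which drops satori's route to marisa through the hub. If that was unintended, use `allowedIPs = [ network.addresses.wireguard.ipsWithPrefixLength ];`. If satori is meant to talk only to the hub, a one-line comment on the peer would keep the narrowing from being reverted later.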
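Review bot: `ipsWithPrefixLength = "10.55.0.0/24"` repeats the values of `ipPrefix` and `prefixLength` instead of being derived from them, so editing either constant leaves the MASQUERADE rule on remilia pointing at the old subnet; inside this `rec` set write `ipsWithPrefixLength = "${ipPrefix}.0/${toString prefixLength}";`. The per-host entries are bare addresses with no prefix length, which is fine for `allowedIPs` (WireGuard treats a bare IPv4 as `/32`) but means `ips = [ marisa ]` on an interface now gets a `/32` where the old config had `/24`; a short comment stating that consumers must add their own prefix, or exporting both forms, would make that explicit. The per-host WireGuard public keys could live here next to the addresses too, which would retire the `#Oracle VM1` style comments in each host file.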