natto1784/dotfiles
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

lib/network: init

Browse Source 
Signed-off-by: Amneesh Singh <natto@weirdnatto.in>
This commit is contained in:
Amneesh Singh
2023-01-23 21:31:19 +05:30
committed by natto1784
parent b3fac02b73
commit 950cf357d1
8 changed files with 88 additions and 74 deletions
Download Patch File Download Diff File Expand all files Collapse all files

36
hosts/remilia/mailserver.nix
View File

@@ -1,21 +1,23 @@
{ config, pkgs, lib, ... }:
{ config, pkgs, lib, network, ... }:
{
mailserver = with lib; rec {
enable = true;
fqdn = "mail.weirdnatto.in";
sendingFqdn = fqdn;
domains = singleton "weirdnatto.in";
certificateDomains = singleton "mail.weirdnatto.in";
certificateScheme = 3;
loginAccounts = {
"natto@weirdnatto.in" = {
hashedPasswordFile = "/var/secrets/natto@weirdnatto.in.key";
};
"masti@weirdnatto.in" = {
hashedPasswordFile = "/var/secrets/masti@weirdnatto.in.key";
mailserver =
let domain = network.addresses.domain.natto; in
rec {
enable = true;
fqdn = "mail.${domain}";
sendingFqdn = fqdn;
domains = [ domain ];
certificateDomains = [ "mail.${domain}" ];
certificateScheme = 3;
loginAccounts = {
"natto@${domain}" = {
hashedPasswordFile = "/var/secrets/natto@${domain}.key";
};
"masti@${domain}" = {
hashedPasswordFile = "/var/secrets/masti@${domain}.key";
};
};
enablePop3 = false;
enablePop3Ssl = false;
};
enablePop3 = false;
enablePop3Ssl = false;
};
}

43
hosts/remilia/networking.nix
View File

@@ -1,4 +1,4 @@
{ lib, config, pkgs, ... }:
{ lib, config, network, pkgs, ... }:
{
networking = {
useDHCP = false;
@@ -7,21 +7,8 @@
{
interfaces = {
ens3 = {
allowedTCPPorts = [
80
81
443
444
993
465
143
25
22001
22002
9898
8999
99
] ++ (map (x: x.sourcePort) config.networking.nat.forwardPorts);
allowedTCPPorts = [ 80 81 443 444 993 465 143 25 22001 22002 9898 8999 99 5201 4444 ]
++ (map (x: x.sourcePort) config.networking.nat.forwardPorts);
allowedUDPPorts = [ 17840 ];
};
};
@@ -40,46 +27,46 @@
useDHCP = true;
};
};
nat = {
nat = with network.addresses.wireguard.ips; {
enable = true;
externalInterface = "ens3";
internalInterfaces = [ "wg0" ];
forwardPorts = [
{
destination = "10.55.0.2:2002";
destination = "${marisa}:2002";
sourcePort = 22;
}
{
destination = "10.55.0.2:22";
sourcePort = 23;
destination = "${satori}:6600";
sourcePort = 6600;
}
{
destination = "10.55.0.3:6600";
sourcePort = 6600;
destination = "${satori}:25565";
sourcePort = 4444;
}
];
};
wireguard.interfaces = {
wireguard.interfaces = with network.addresses.wireguard; {
wg0 = {
ips = [ "10.55.0.1/24" ];
ips = [ ips.remilia ];
listenPort = 17840;
postSetup = ''
${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.55.0.0/24 -o ${config.networking.nat.externalInterface} -j MASQUERADE
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s ${ipsWithPrefixLength} -o ${config.networking.nat.externalInterface} -j MASQUERADE
'';
postShutdown = ''
${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.55.0.0/24 -o ${config.networking.nat.externalInterface} -j MASQUERADE
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s ${ipsWithPrefixLength} -o ${config.networking.nat.externalInterface} -j MASQUERADE
'';
privateKeyFile = "/var/wg";
peers = [
{
publicKey = "m9SSpkj+r2QY4YEUMEoTkbOI/L7C39Kh6m45QZ5mkw4=";
allowedIPs = [ "10.55.0.2/32" ];
allowedIPs = [ ips.marisa ];
}
{
publicKey = "SqskEH7hz7Gv9ZS+FYLRFgKZyJCFbBFCyuvzBYnbfVU=";
allowedIPs = [ "10.55.0.3/32" ];
allowedIPs = [ ips.satori ];
}
];
};

38
hosts/remilia/services.nix
View File

@@ -1,4 +1,7 @@
{ config, pkgs, lib, ... }:
{ config, pkgs, lib, network, ... }:
let
domain = network.addresses.domain.natto;
in
{
services = {
openssh = {
@@ -20,7 +23,7 @@
appendHttpConfig = ''
map $uri $expires {
default off;
~\.(jpg|jpeg|png|gif|ico|css|js|pdf)$ 30d;
~\.(jpg|jpeg|png|gif|ico|css|js)$ 30d;
}
'';
virtualHosts =
@@ -37,33 +40,34 @@
};
};
in
{
"weirdnatto.in" = {
with network.addresses.wireguard.ips; {
"${domain}" = {
addSSL = true;
enableACME = true;
locations."/" = {
root = "/var/lib/site";
index = "index.html";
};
serverAliases = [ "www.weirdnatto.in" ];
serverAliases = [ "www.${domain}" ];
};
"vault.weirdnatto.in" = genericHttpRProxy { addr = "https://10.55.0.2:8800"; };
"consul.weirdnatto.in" = genericHttpRProxy { addr = "http://10.55.0.2:8500"; };
"f.weirdnatto.in" = genericHttpRProxy { addr = "http://10.55.0.2:8888"; };
"radio.weirdnatto.in" = genericHttpRProxy { addr = "http://10.55.0.3:8001"; };
"git.weirdnatto.in" = genericHttpRProxy {
addr = "http://10.55.0.2:5001";
"znc.weirdnatto.in" = genericHttpRProxy { addr = "https://${marisa}:9898"; };
"vault.${domain}" = genericHttpRProxy { addr = "https://${marisa}:8800"; };
"consul.${domain}" = genericHttpRProxy { addr = "http://${marisa}:8500"; };
"f.${domain}" = genericHttpRProxy { addr = "http://${marisa}:8888"; };
"radio.${domain}" = genericHttpRProxy { addr = "http://${satori}:8001"; };
"git.${domain}" = genericHttpRProxy {
addr = "http://${marisa}:5001";
conf = "client_max_body_size 64M;";
};
"nomad.weirdnatto.in" = genericHttpRProxy {
addr = "http://10.55.0.2:4646";
"nomad.${domain}" = genericHttpRProxy {
addr = "http://${marisa}:4646";
conf = ''
proxy_buffering off;
proxy_read_timeout 310s;
'';
};
"alo.weirdnatto.in" = genericHttpRProxy {
addr = "http://10.55.0.2:4004";
"alo.${domain}" = genericHttpRProxy {
addr = "http://${marisa}:4004";
conf = ''
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -82,9 +86,9 @@
security.acme = {
acceptTerms = true;
certs = {
"weirdnatto.in".extraDomainNames = lib.singleton "www.weirdnatto.in";
"${domain}".extraDomainNames = lib.singleton "www.${domain}";
} //
lib.mapAttrs (n: _: { email = "natto@weirdnatto.in"; })
lib.mapAttrs (n: _: { email = "natto@${domain}"; })
(lib.filterAttrs (_: v: v.enableACME) config.services.nginx.virtualHosts);
};
security.pki.certificateFiles = [ ../../cert.pem ];