natto1784/dotfiles
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

lib/network: init

Browse Source 
Signed-off-by: Amneesh Singh <natto@weirdnatto.in>
This commit is contained in:
Amneesh Singh
2023-01-23 21:31:19 +05:30
committed by natto1784
parent b3fac02b73
commit 950cf357d1
8 changed files with 88 additions and 74 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
hosts/default.nix
View File

@@ -1,8 +1,11 @@
{ self, inputs, ... }: { self, inputs, globalArgs, ... }:
let let
inherit (inputs) nixpkgs; inherit (inputs) nixpkgs;
commonModules = [ ./modules/nvim ]; commonModules = [
./modules/nvim
globalArgs
];
personalModules = [ ./modules/sound.nix ]; personalModules = [ ./modules/sound.nix ];
serverModules = [ ./modules/server.nix ]; serverModules = [ ./modules/server.nix ];
builders = [ ./modules/x86builder.nix ]; builders = [ ./modules/x86builder.nix ];

10
hosts/marisa/networking.nix
View File

@@ -1,4 +1,4 @@
{ config, pkgs, ... }: { config, pkgs, network, ... }:
{ {
networking = { networking = {
hostName = "marisa"; hostName = "marisa";
@@ -42,16 +42,16 @@
}]; }];
}; };
}; };
wireguard.interfaces.wg0 = { wireguard.interfaces.wg0 = with network.address.wireguard.ips; {
ips = [ "10.55.0.2/24" ]; ips = [ marisa ];
listenPort = 17840; listenPort = 17840;
privateKeyFile = "/var/secrets/wg.key"; privateKeyFile = "/var/secrets/wg.key";
peers = [ peers = [
{ {
#Oracle VM1 #Oracle VM1
publicKey = "z0Y2VNEWcyVQVSqRHiwmiJ5/0MgSPM+HZfEcwIccSxM="; publicKey = "z0Y2VNEWcyVQVSqRHiwmiJ5/0MgSPM+HZfEcwIccSxM=";
allowedIPs = [ "10.55.0.0/24" ]; allowedIPs = [ remilia ];
endpoint = "weirdnatto.in:17840"; endpoint = "${network.addresses.domain.natto}:17840";
persistentKeepalive = 25; persistentKeepalive = 25;
} }
]; ];

36
hosts/remilia/mailserver.nix
View File

@@ -1,21 +1,23 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, network, ... }:
{ {
mailserver = with lib; rec { mailserver =
enable = true; let domain = network.addresses.domain.natto; in
fqdn = "mail.weirdnatto.in"; rec {
sendingFqdn = fqdn; enable = true;
domains = singleton "weirdnatto.in"; fqdn = "mail.${domain}";
certificateDomains = singleton "mail.weirdnatto.in"; sendingFqdn = fqdn;
certificateScheme = 3; domains = [ domain ];
loginAccounts = { certificateDomains = [ "mail.${domain}" ];
"natto@weirdnatto.in" = { certificateScheme = 3;
hashedPasswordFile = "/var/secrets/natto@weirdnatto.in.key"; loginAccounts = {
}; "natto@${domain}" = {
"masti@weirdnatto.in" = { hashedPasswordFile = "/var/secrets/natto@${domain}.key";
hashedPasswordFile = "/var/secrets/masti@weirdnatto.in.key"; };
"masti@${domain}" = {
hashedPasswordFile = "/var/secrets/masti@${domain}.key";
};
}; };
enablePop3 = false;
enablePop3Ssl = false;
}; };
enablePop3 = false;
enablePop3Ssl = false;
};
} }

43
hosts/remilia/networking.nix
View File

@@ -1,4 +1,4 @@
{ lib, config, pkgs, ... }: { lib, config, network, pkgs, ... }:
{ {
networking = { networking = {
useDHCP = false; useDHCP = false;
@@ -7,21 +7,8 @@
{ {
interfaces = { interfaces = {
ens3 = { ens3 = {
allowedTCPPorts = [ allowedTCPPorts = [ 80 81 443 444 993 465 143 25 22001 22002 9898 8999 99 5201 4444 ]
80 ++ (map (x: x.sourcePort) config.networking.nat.forwardPorts);
81
443
444
993
465
143
25
22001
22002
9898
8999
99
] ++ (map (x: x.sourcePort) config.networking.nat.forwardPorts);
allowedUDPPorts = [ 17840 ]; allowedUDPPorts = [ 17840 ];
}; };
}; };
@@ -40,46 +27,46 @@
useDHCP = true; useDHCP = true;
}; };
}; };
nat = { nat = with network.addresses.wireguard.ips; {
enable = true; enable = true;
externalInterface = "ens3"; externalInterface = "ens3";
internalInterfaces = [ "wg0" ]; internalInterfaces = [ "wg0" ];
forwardPorts = [ forwardPorts = [
{ {
destination = "10.55.0.2:2002"; destination = "${marisa}:2002";
sourcePort = 22; sourcePort = 22;
} }
{ {
destination = "10.55.0.2:22"; destination = "${satori}:6600";
sourcePort = 23; sourcePort = 6600;
} }
{ {
destination = "10.55.0.3:6600"; destination = "${satori}:25565";
sourcePort = 6600; sourcePort = 4444;
} }
]; ];
}; };
wireguard.interfaces = { wireguard.interfaces = with network.addresses.wireguard; {
wg0 = { wg0 = {
ips = [ "10.55.0.1/24" ]; ips = [ ips.remilia ];
listenPort = 17840; listenPort = 17840;
postSetup = '' postSetup = ''
${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.55.0.0/24 -o ${config.networking.nat.externalInterface} -j MASQUERADE ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s ${ipsWithPrefixLength} -o ${config.networking.nat.externalInterface} -j MASQUERADE
''; '';
postShutdown = '' postShutdown = ''
${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.55.0.0/24 -o ${config.networking.nat.externalInterface} -j MASQUERADE ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s ${ipsWithPrefixLength} -o ${config.networking.nat.externalInterface} -j MASQUERADE
''; '';
privateKeyFile = "/var/wg"; privateKeyFile = "/var/wg";
peers = [ peers = [
{ {
publicKey = "m9SSpkj+r2QY4YEUMEoTkbOI/L7C39Kh6m45QZ5mkw4="; publicKey = "m9SSpkj+r2QY4YEUMEoTkbOI/L7C39Kh6m45QZ5mkw4=";
allowedIPs = [ "10.55.0.2/32" ]; allowedIPs = [ ips.marisa ];
} }
{ {
publicKey = "SqskEH7hz7Gv9ZS+FYLRFgKZyJCFbBFCyuvzBYnbfVU="; publicKey = "SqskEH7hz7Gv9ZS+FYLRFgKZyJCFbBFCyuvzBYnbfVU=";
allowedIPs = [ "10.55.0.3/32" ]; allowedIPs = [ ips.satori ];
} }
]; ];
}; };

38
hosts/remilia/services.nix
View File

@@ -1,4 +1,7 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, network, ... }:
let
domain = network.addresses.domain.natto;
in
{ {
services = { services = {
openssh = { openssh = {
@@ -20,7 +23,7 @@
appendHttpConfig = '' appendHttpConfig = ''
map $uri $expires { map $uri $expires {
default off; default off;
~\.(jpg|jpeg|png|gif|ico|css|js|pdf)$ 30d; ~\.(jpg|jpeg|png|gif|ico|css|js)$ 30d;
} }
''; '';
virtualHosts = virtualHosts =
@@ -37,33 +40,34 @@
}; };
}; };
in in
{ with network.addresses.wireguard.ips; {
"weirdnatto.in" = { "${domain}" = {
addSSL = true; addSSL = true;
enableACME = true; enableACME = true;
locations."/" = { locations."/" = {
root = "/var/lib/site"; root = "/var/lib/site";
index = "index.html"; index = "index.html";
}; };
serverAliases = [ "www.weirdnatto.in" ]; serverAliases = [ "www.${domain}" ];
}; };
"vault.weirdnatto.in" = genericHttpRProxy { addr = "https://10.55.0.2:8800"; }; "znc.weirdnatto.in" = genericHttpRProxy { addr = "https://${marisa}:9898"; };
"consul.weirdnatto.in" = genericHttpRProxy { addr = "http://10.55.0.2:8500"; }; "vault.${domain}" = genericHttpRProxy { addr = "https://${marisa}:8800"; };
"f.weirdnatto.in" = genericHttpRProxy { addr = "http://10.55.0.2:8888"; }; "consul.${domain}" = genericHttpRProxy { addr = "http://${marisa}:8500"; };
"radio.weirdnatto.in" = genericHttpRProxy { addr = "http://10.55.0.3:8001"; }; "f.${domain}" = genericHttpRProxy { addr = "http://${marisa}:8888"; };
"git.weirdnatto.in" = genericHttpRProxy { "radio.${domain}" = genericHttpRProxy { addr = "http://${satori}:8001"; };
addr = "http://10.55.0.2:5001"; "git.${domain}" = genericHttpRProxy {
addr = "http://${marisa}:5001";
conf = "client_max_body_size 64M;"; conf = "client_max_body_size 64M;";
}; };
"nomad.weirdnatto.in" = genericHttpRProxy { "nomad.${domain}" = genericHttpRProxy {
addr = "http://10.55.0.2:4646"; addr = "http://${marisa}:4646";
conf = '' conf = ''
proxy_buffering off; proxy_buffering off;
proxy_read_timeout 310s; proxy_read_timeout 310s;
''; '';
}; };
"alo.weirdnatto.in" = genericHttpRProxy { "alo.${domain}" = genericHttpRProxy {
addr = "http://10.55.0.2:4004"; addr = "http://${marisa}:4004";
conf = '' conf = ''
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -82,9 +86,9 @@
security.acme = { security.acme = {
acceptTerms = true; acceptTerms = true;
certs = { certs = {
"weirdnatto.in".extraDomainNames = lib.singleton "www.weirdnatto.in"; "${domain}".extraDomainNames = lib.singleton "www.${domain}";
} // } //
lib.mapAttrs (n: _: { email = "natto@weirdnatto.in"; }) lib.mapAttrs (n: _: { email = "natto@${domain}"; })
(lib.filterAttrs (_: v: v.enableACME) config.services.nginx.virtualHosts); (lib.filterAttrs (_: v: v.enableACME) config.services.nginx.virtualHosts);
}; };
security.pki.certificateFiles = [ ../../cert.pem ]; security.pki.certificateFiles = [ ../../cert.pem ];

10
hosts/satori/networking.nix
View File

@@ -1,4 +1,4 @@
{ config, pkgs, ... }: { config, pkgs, network, ... }:
{ {
networking = { networking = {
@@ -18,16 +18,16 @@
}; };
}; };
wireguard.interfaces.wg0 = { wireguard.interfaces.wg0 = with network.addresses.wireguard.ips; {
ips = [ "10.55.0.3/32" ]; ips = [ satori ];
listenPort = 17840; listenPort = 17840;
privateKeyFile = "/var/secrets/wg.key"; privateKeyFile = "/var/secrets/wg.key";
peers = [ peers = [
{ {
#Oracle VM1 #Oracle VM1
publicKey = "z0Y2VNEWcyVQVSqRHiwmiJ5/0MgSPM+HZfEcwIccSxM="; publicKey = "z0Y2VNEWcyVQVSqRHiwmiJ5/0MgSPM+HZfEcwIccSxM=";
allowedIPs = [ "10.55.0.0/24" ]; allowedIPs = [ remilia ];
endpoint = "weirdnatto.in:17840"; endpoint = "${network.addresses.domain.natto}:17840";
persistentKeepalive = 25; persistentKeepalive = 25;
} }
]; ];

1
lib/default.nix
View File

@@ -7,6 +7,7 @@
inherit inputs self; inherit inputs self;
flake = self; flake = self;
colors = import ./colors.nix; colors = import ./colors.nix;
network = import ./network.nix;
}; };
}; };
} }

17
lib/network.nix Normal file
View File

@@ -0,0 +1,17 @@
{
addresses = {
wireguard = rec {
ipPrefix = "10.55.0";
prefixLength = 24;
ipsWithPrefixLength = "10.55.0.0/24";
ips = {
remilia = "${ipPrefix}.1";
marisa = "${ipPrefix}.2";
satori = "${ipPrefix}.3";
};
};
domain = {
natto = "weirdnatto.in";
};
};
}