move sigma-{public,p2p} to sigma

This commit is contained in:
Casper V. Kristensen 2024-03-29 20:38:51 +01:00
parent ed5a14a517
commit ac105f189d
3 changed files with 54 additions and 24 deletions


@ -1,4 +1,4 @@
{pkgs, ...}: { {...}: {
imports = [ imports = [
../../overlays ../../overlays
../../modules/base ../../modules/base
@ -7,27 +7,9 @@
../../modules/syncthing.nix ../../modules/syncthing.nix
./hardware.nix ./hardware.nix
./borg.nix ./borg.nix
./network.nix
./sway.nix ./sway.nix
]; ];
systemd.services.qbittorrent = {
description = "qBittorrent service";
documentation = ["man:qbittorrent-nox(1)"];
wantedBy = ["multi-user.target"];
wants = ["multi-user.target"];
after = ["network-online.target" "nss-lookup.target"];
serviceConfig = {
Type = "exec";
User = "caspervk";
Group = "users";
ExecStart = pkgs.writers.writeBash "asd" ''
while true; do ${pkgs.curl}/bin/curl ip.caspervk.net; echo; sleep 1; done
'';
RestrictNetworkInterfaces = "wg-sigma-public";
};
};
networking.hostName = "omega"; networking.hostName = "omega";
boot = { boot = {


@ -5,7 +5,7 @@
../../modules/server ../../modules/server
./hardware.nix ./hardware.nix
#./borg.nix #./borg.nix
#./network.nix ./network.nix
]; ];
networking.hostName = "sigma"; networking.hostName = "sigma";


@ -3,6 +3,23 @@
secrets, secrets,
... ...
}: { }: {
# systemd.services.qbittorrent = {
# description = "qBittorrent service";
# documentation = ["man:qbittorrent-nox(1)"];
# wantedBy = ["multi-user.target"];
# wants = ["multi-user.target"];
# after = ["network-online.target" "nss-lookup.target"];
# serviceConfig = {
# Type = "exec";
# User = "flatpak";
# Group = "users";
# ExecStart = pkgs.writers.writeBash "asd" ''
# while true; do ${pkgs.curl}/bin/curl --connect-timeout 1 ip.caspervk.net; echo; sleep 1; done
# '';
# RestrictNetworkInterfaces = "wg-sigma-p2p";
# };
# };
systemd.network = { systemd.network = {
config = { config = {
routeTables = { routeTables = {
@ -20,7 +37,7 @@
Kind = "wireguard"; Kind = "wireguard";
}; };
wireguardConfig = { wireguardConfig = {
PrivateKeyFile = config.age.secrets.wireguard-private-key-file-omega.path; PrivateKeyFile = config.age.secrets.wireguard-private-key-file-sigma.path;
}; };
wireguardPeers = [ wireguardPeers = [
{ {
@ -50,6 +67,7 @@
address = ["49.13.33.75/32"]; address = ["49.13.33.75/32"];
routingPolicyRules = [ routingPolicyRules = [
{ {
# See the AllowedIPs comment above for why this is necessary
routingPolicyRuleConfig = { routingPolicyRuleConfig = {
From = "49.13.33.75/32"; From = "49.13.33.75/32";
Table = "wg-sigma-public"; Table = "wg-sigma-public";
@ -68,7 +86,7 @@
Kind = "wireguard"; Kind = "wireguard";
}; };
wireguardConfig = { wireguardConfig = {
PrivateKeyFile = config.age.secrets.wireguard-private-key-file-omega.path; PrivateKeyFile = config.age.secrets.wireguard-private-key-file-sigma.path;
}; };
wireguardPeers = [ wireguardPeers = [
{ {
@ -93,10 +111,40 @@
Table = "wg-sigma-p2p"; Table = "wg-sigma-p2p";
}; };
} }
{
# The deluge systemd service has
# RestrictNetworkInterfaces=wg-sigma-p2p, but that does not tell it
# to use the correct routing table.
routingPolicyRuleConfig = {
User = config.services.deluge.user;
Table = "wg-sigma-p2p";
};
}
]; ];
}; };
}; };
# Force explicit firewall configuration to ensure we allow the right services
# on the right interfaces.
networking.firewall = {
allowedTCPPorts = lib.mkForce [];
allowedUDPPorts = lib.mkForce [];
allowedTCPPortRanges = lib.mkForce [];
allowedUDPPortRanges = lib.mkForce [];
interfaces = {
"enp5s0" = {
allowedTCPPorts = [22];
};
"wg-sigma-public" = {
allowedTCPPorts = [22];
};
"wg-sigma-p2p" = {
allowedTCPPorts = [1337];
};
};
};
age.secrets.wireguard-preshared-key-file = { age.secrets.wireguard-preshared-key-file = {
file = "${secrets}/secrets/wireguard-preshared-key-file.age"; file = "${secrets}/secrets/wireguard-preshared-key-file.age";
mode = "640"; mode = "640";
@ -104,8 +152,8 @@
group = "systemd-network"; group = "systemd-network";
}; };
age.secrets.wireguard-private-key-file-omega = { age.secrets.wireguard-private-key-file-sigma = {
file = "${secrets}/secrets/wireguard-private-key-file-omega.age"; file = "${secrets}/secrets/wireguard-private-key-file-sigma.age";
mode = "640"; mode = "640";
owner = "root"; owner = "root";
group = "systemd-network"; group = "systemd-network";
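Review bot: The new `networking.firewall` block is the first use of `lib` in this file (the `lib.mkForce []` lines), but the visible argument set only binds `secrets` and `...`; the two lines above `secrets,` are outside the hunk, and `...` accepts extra attributes without binding them, so unless `lib,` is already declared there the module fails at evaluation with an undefined variable. Either add `lib,` to the argument set or confirm it is present. The `mkForce []` lines also silently discard any port another module opens through an `openFirewall` option, which matches the stated intent but deserves a comment naming the consequence, e.g. `# mkForce drops ports opened by openFirewall options elsewhere (e.g. openssh); re-add them per interface below`. If sigma listens for WireGuard on enp5s0 (a `ListenPort` in either `wireguardConfig` block, neither of which shows one in the hunk), that UDP port would also need an `allowedUDPPorts` entry under `interfaces."enp5s0"`, which the hunk does not cover.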