move sigma-{public,p2p} to sigma
This commit is contained in:
parent
6c947dca0c
commit
b07d4fc49e
3 changed files with 55 additions and 24 deletions
|
@ -1,4 +1,4 @@
|
||||||
{pkgs, ...}: {
|
{...}: {
|
||||||
imports = [
|
imports = [
|
||||||
../../overlays
|
../../overlays
|
||||||
../../modules/base
|
../../modules/base
|
||||||
|
@ -7,27 +7,9 @@
|
||||||
../../modules/syncthing.nix
|
../../modules/syncthing.nix
|
||||||
./hardware.nix
|
./hardware.nix
|
||||||
./borg.nix
|
./borg.nix
|
||||||
./network.nix
|
|
||||||
./sway.nix
|
./sway.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
systemd.services.qbittorrent = {
|
|
||||||
description = "qBittorrent service";
|
|
||||||
documentation = ["man:qbittorrent-nox(1)"];
|
|
||||||
wantedBy = ["multi-user.target"];
|
|
||||||
wants = ["multi-user.target"];
|
|
||||||
after = ["network-online.target" "nss-lookup.target"];
|
|
||||||
serviceConfig = {
|
|
||||||
Type = "exec";
|
|
||||||
User = "caspervk";
|
|
||||||
Group = "users";
|
|
||||||
ExecStart = pkgs.writers.writeBash "asd" ''
|
|
||||||
while true; do ${pkgs.curl}/bin/curl ip.caspervk.net; echo; sleep 1; done
|
|
||||||
'';
|
|
||||||
RestrictNetworkInterfaces = "wg-sigma-public";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
networking.hostName = "omega";
|
networking.hostName = "omega";
|
||||||
|
|
||||||
boot = {
|
boot = {
|
||||||
|
|
|
@ -5,7 +5,7 @@
|
||||||
../../modules/server
|
../../modules/server
|
||||||
./hardware.nix
|
./hardware.nix
|
||||||
#./borg.nix
|
#./borg.nix
|
||||||
#./network.nix
|
./network.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
networking.hostName = "sigma";
|
networking.hostName = "sigma";
|
||||||
|
|
|
@ -1,8 +1,26 @@
|
||||||
{
|
{
|
||||||
config,
|
config,
|
||||||
|
lib,
|
||||||
secrets,
|
secrets,
|
||||||
...
|
...
|
||||||
}: {
|
}: {
|
||||||
|
# systemd.services.qbittorrent = {
|
||||||
|
# description = "qBittorrent service";
|
||||||
|
# documentation = ["man:qbittorrent-nox(1)"];
|
||||||
|
# wantedBy = ["multi-user.target"];
|
||||||
|
# wants = ["multi-user.target"];
|
||||||
|
# after = ["network-online.target" "nss-lookup.target"];
|
||||||
|
# serviceConfig = {
|
||||||
|
# Type = "exec";
|
||||||
|
# User = "flatpak";
|
||||||
|
# Group = "users";
|
||||||
|
# ExecStart = pkgs.writers.writeBash "asd" ''
|
||||||
|
# while true; do ${pkgs.curl}/bin/curl --connect-timeout 1 ip.caspervk.net; echo; sleep 1; done
|
||||||
|
# '';
|
||||||
|
# RestrictNetworkInterfaces = "wg-sigma-p2p";
|
||||||
|
# };
|
||||||
|
# };
|
||||||
|
|
||||||
systemd.network = {
|
systemd.network = {
|
||||||
config = {
|
config = {
|
||||||
routeTables = {
|
routeTables = {
|
||||||
|
@ -20,7 +38,7 @@
|
||||||
Kind = "wireguard";
|
Kind = "wireguard";
|
||||||
};
|
};
|
||||||
wireguardConfig = {
|
wireguardConfig = {
|
||||||
PrivateKeyFile = config.age.secrets.wireguard-private-key-file-omega.path;
|
PrivateKeyFile = config.age.secrets.wireguard-private-key-file-sigma.path;
|
||||||
};
|
};
|
||||||
wireguardPeers = [
|
wireguardPeers = [
|
||||||
{
|
{
|
||||||
|
@ -50,6 +68,7 @@
|
||||||
address = ["49.13.33.75/32"];
|
address = ["49.13.33.75/32"];
|
||||||
routingPolicyRules = [
|
routingPolicyRules = [
|
||||||
{
|
{
|
||||||
|
# See the AllowedIPs comment above for why this is necessary
|
||||||
routingPolicyRuleConfig = {
|
routingPolicyRuleConfig = {
|
||||||
From = "49.13.33.75/32";
|
From = "49.13.33.75/32";
|
||||||
Table = "wg-sigma-public";
|
Table = "wg-sigma-public";
|
||||||
|
@ -68,7 +87,7 @@
|
||||||
Kind = "wireguard";
|
Kind = "wireguard";
|
||||||
};
|
};
|
||||||
wireguardConfig = {
|
wireguardConfig = {
|
||||||
PrivateKeyFile = config.age.secrets.wireguard-private-key-file-omega.path;
|
PrivateKeyFile = config.age.secrets.wireguard-private-key-file-sigma.path;
|
||||||
};
|
};
|
||||||
wireguardPeers = [
|
wireguardPeers = [
|
||||||
{
|
{
|
||||||
|
@ -93,10 +112,40 @@
|
||||||
Table = "wg-sigma-p2p";
|
Table = "wg-sigma-p2p";
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
{
|
||||||
|
# The deluge systemd service has
|
||||||
|
# RestrictNetworkInterfaces=wg-sigma-p2p, but that does not tell it
|
||||||
|
# to use the correct routing table.
|
||||||
|
routingPolicyRuleConfig = {
|
||||||
|
User = config.services.deluge.user;
|
||||||
|
Table = "wg-sigma-p2p";
|
||||||
|
};
|
||||||
|
}
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# Force explicit firewall configuration to ensure we allow the right services
|
||||||
|
# on the right interfaces.
|
||||||
|
networking.firewall = {
|
||||||
|
allowedTCPPorts = lib.mkForce [];
|
||||||
|
allowedUDPPorts = lib.mkForce [];
|
||||||
|
allowedTCPPortRanges = lib.mkForce [];
|
||||||
|
allowedUDPPortRanges = lib.mkForce [];
|
||||||
|
|
||||||
|
interfaces = {
|
||||||
|
"enp5s0" = {
|
||||||
|
allowedTCPPorts = [22];
|
||||||
|
};
|
||||||
|
"wg-sigma-public" = {
|
||||||
|
allowedTCPPorts = [22];
|
||||||
|
};
|
||||||
|
"wg-sigma-p2p" = {
|
||||||
|
allowedTCPPorts = [1337];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
age.secrets.wireguard-preshared-key-file = {
|
age.secrets.wireguard-preshared-key-file = {
|
||||||
file = "${secrets}/secrets/wireguard-preshared-key-file.age";
|
file = "${secrets}/secrets/wireguard-preshared-key-file.age";
|
||||||
mode = "640";
|
mode = "640";
|
||||||
|
@ -104,8 +153,8 @@
|
||||||
group = "systemd-network";
|
group = "systemd-network";
|
||||||
};
|
};
|
||||||
|
|
||||||
age.secrets.wireguard-private-key-file-omega = {
|
age.secrets.wireguard-private-key-file-sigma = {
|
||||||
file = "${secrets}/secrets/wireguard-private-key-file-omega.age";
|
file = "${secrets}/secrets/wireguard-private-key-file-sigma.age";
|
||||||
mode = "640";
|
mode = "640";
|
||||||
owner = "root";
|
owner = "root";
|
||||||
group = "systemd-network";
|
group = "systemd-network";
|
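Review bot: The new `networking.firewall` block force-empties every global port list and then opens SSH only on the literal interface `enp5s0`, so if the physical NIC is ever named differently the host has no reachable port on the LAN and only the wg-* interfaces remain; consider a comment such as `# enp5s0 must match the physical NIC name; with the global lists forced empty, an unlisted interface accepts nothing` and, if the interface is configured elsewhere in this file, referencing the name from one place. The existing comment could also state explicitly that `lib.mkForce []` discards any ports that imported modules (e.g. the server or syncthing modules) open, since that is clearly the intent but reads like an oversight without saying so. Separately, the commented-out qbittorrent service at the top of the file references `pkgs`, which the new argument set `{ config, lib, secrets, ... }` no longer binds, and carries `User = "flatpak"`; it looks like leftover debugging scaffolding and should be deleted or reduced to a one-line comment describing what the `User = config.services.deluge.user` routing-policy rule replaced. That UID-keyed rule has no explicit `Priority`, so as far as I can tell its ordering relative to the `From = "49.13.33.75/32"` rule is left to the kernel; pinning one (e.g. `Priority = 100;`) would make the table selection deterministic if the order matters here.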