# NixOS host module for the machine deployed as `watcher.kat`.
#
# The host terminates a WireGuard tunnel (wg0) and forwards traffic between
# the address ranges listed in the nftables `vpn` set and a systemd-nspawn
# container (`dgnum-netbird`) that runs the netbird client.  The addresses
# used by the firewall rules, the routes and the container are hard-coded
# literals repeated in several places below and must be changed together.
{
  pkgs,
  lib,
  meta,
  kat-path,
  ssh-keys,
  sources,
  self-meta,
  ...
}:
{
  deployment.targetHost = "watcher.kat";

  imports = [
    ./hardware-configuration.nix
    ./disks.nix
  ];

  boot = {
    loader.grub = {
      enable = true;
      efiSupport = true;
      # Install to the removable-media EFI path instead of writing an NVRAM
      # boot entry.
      efiInstallAsRemovable = true;
    };
    # IPv4 forwarding is what lets this host route between wg0, the VPN ranges
    # and the container (filtered by the nftables `forward` chain below).
    # No IPv6 forwarding sysctl is set here, so IPv6 is not routed by this host.
    kernel.sysctl."net.ipv4.ip_forward" = true;
  };

  # Options of the project-specific `kat` module (defined outside this file).
  kat = {
    proxies.redirects = [ "kat-manah" ];
  };

  networking = {
    # Addressing is fully static, done by systemd-networkd (see below).
    useDHCP = false;
    # WireGuard listen port; must match `wireguardConfig.ListenPort` below.
    firewall.allowedUDPPorts = [ 1194 ];
    # NOTE(review): `networking.nftables.enable` is not set in this file; these
    # tables only take effect when nftables is enabled (presumably by an
    # imported module) - confirm.
    nftables.tables = {
      # Source-NAT for the container's egress traffic.  192.168.121.2 is
      # `containers.dgnum-netbird.localAddress` below.
      # NOTE(review): there is no `oifname` restriction, so container traffic
      # is masqueraded on whichever interface it leaves by; restrict to the
      # uplink if it should never be NATed onto wg0.
      nat = {
        family = "ip";
        content = ''
          chain postrouting {
            type nat hook postrouting priority 100;
            ip saddr 192.168.121.2 masquerade
          };
        '';
      };
      # Forwarding policy, in an `inet` table but using only IPv4 selectors
      # (`ip saddr` / `ip daddr`): a forwarded IPv6 packet in state
      # new/untracked matches nothing in `forward_decide` and is rejected.
      #
      # - `vpn`: address ranges treated as the "inside" of the VPN; it contains
      #   the netbird range (100.80.0.0/16) and the wg0 subnet (10.42.0.0/16)
      #   but NOT the container address 192.168.121.2.
      # - `forward`: all five ct states are mapped in the vmap, so `policy
      #   accept` is never the deciding rule; a fail-closed `policy drop`
      #   would make that explicit if the vmap is ever edited.
      # - `forward_decide`: VPN<->VPN is accepted, the container may reach
      #   anything outside the VPN set, everything else is rejected with an
      #   ICMP admin-prohibited (visible to the sender, unlike a silent drop).
      filter = {
        family = "inet";
        content = ''
          set vpn {
            type ipv4_addr
            flags interval
            auto-merge
            elements = {
              100.80.0.0/16,
              10.42.0.0/16,
              192.168.1.0/24,
              192.168.122.0/24,
            }
          };
          chain forward {
            type filter hook forward priority filter; policy accept;
            ct state vmap {
              invalid: drop,
              established: accept,
              related: accept,
              new: jump forward_decide,
              untracked: jump forward_decide,
            };
          }
          chain forward_decide {
            # Allow vpn inside
            ip saddr @vpn ip daddr @vpn accept;

            ip saddr 192.168.121.2 ip daddr != @vpn accept;

            jump forward_reject;
          }
          chain forward_reject {
            reject with icmpx type admin-prohibited;
          }
        '';
      };
    };
  };
  systemd.network = {
    enable = true;
    networks = {
      # Public uplink.  The address is a /32 and the gateway is off-link, hence
      # the gateway-less host route to 51.83.68.1 before the default routes
      # that use it.  The resolver gets its own host route via that gateway.
      "10-ens3" = {
        name = "ens3";
        address = [
          "51.83.69.54/32"
          "2001:41d0:305:2100::5c52/56"
        ];
        routes = [
          { Destination = "51.83.68.1/32"; }
          {
            Destination = "213.186.33.99/32";
            Gateway = "51.83.68.1";
          }
          { Gateway = "51.83.68.1"; }
          { Gateway = "2001:41d0:305:2100::1"; }
        ];
        dns = [ "213.186.33.99" ];
      };
      # WireGuard interface; its subnet is part of the `vpn` set above.
      "50-wg0" = {
        name = "wg0";
        address = [ "10.42.0.2/16" ];
      };
      # Host side of the container's veth (systemd-nspawn `ve-` prefix).
      # NOTE(review): the suffix looks auto-derived from the container name;
      # confirm it matches the interface created for `dgnum-netbird`.
      # The netbird range is reached through the container's address.
      "25-netbird" = {
        name = "ve-dgnum-neoKM9";
        routes = [
          {
            Destination = "100.80.0.0/16";
            Gateway = "192.168.121.2";
          }
        ];
      };
    };
    netdevs = {
      "50-wg0" = {
        netdevConfig = {
          Name = "wg0";
          Kind = "wireguard";
        };
        wireguardConfig = {
          # Matches `networking.firewall.allowedUDPPorts` above.
          ListenPort = 1194;
          # The private key is read from this path at runtime, not from the
          # Nix store.  NOTE(review): provisioning and permissions of this
          # file are outside this module - confirm it is deployed out-of-band.
          PrivateKeyFile = "/etc/wg/private.key";
          # Peer routes go into the main table with a high metric; presumably
          # so that more specific / lower-metric routes win - confirm.
          RouteTable = "main";
          RouteMetric = 2000;
        };

        # Peer list is generated by the shared `meta` library (not visible here).
        wireguardPeers = meta.lib.mkPeers;
      };
    };
  };
  # nspawn container running the netbird client in its own network namespace.
  # `hostAddress` / `localAddress` are the literals used by the nftables rules
  # and the `25-netbird` route above; change them together.
  containers.dgnum-netbird = {
    privateNetwork = true;
    hostAddress = "192.168.121.1";
    localAddress = "192.168.121.2";
    autoStart = true;
    # Module arguments forwarded to the container's own module evaluation.
    specialArgs = {
      inherit
        kat-path
        ssh-keys
        sources
        self-meta
        ;
    };
    config = {
      imports = [ kat-path ];
      # Project-specific `kat` module option (defined outside this file).
      kat.addArgs = false;
      boot.kernel = {
        # No kernel is built for the container.
        enable = false;
        # Forwarding inside the container's network namespace (the host routes
        # the netbird range through it).
        sysctl."net.ipv4.ip_forward" = true;
      };
      systemd.network.networks."10-eth0" = {
        name = "eth0";
        # Public third-party resolvers rather than the host's.
        dns = [
          "8.8.8.8"
          "1.1.1.1"
        ];
      };
      networking = {
        useHostResolvConf = false;
        # NOTE(review): UDP/53 is opened inside the container; nothing in this
        # file shows which service answers on it (resolved listens on loopback
        # by default) - confirm it is intended for netbird DNS.
        firewall.allowedUDPPorts = [ 53 ];
        # Traffic forwarded from the host toward the netbird range is
        # source-NATed to the container's netbird address.
        nftables.tables.nat = {
          family = "ip";
          content = ''
            chain postrouting {
              type nat hook postrouting priority 100;
              ip daddr 100.80.0.0/16 masquerade
            };
          '';
        };
      };
      services = {
        # Forced on, overriding a lower-priority setting from an imported module.
        resolved.enable = lib.mkForce true;
        openssh.enable = true;
        netbird.enable = true;
      };
      system.stateVersion = "24.11";
    };
  };

  # ACME terms and registration contact; no certificate is requested in this
  # file (consumers are presumably elsewhere in the kat modules).
  security.acme = {
    acceptTerms = true;
    defaults.email = "root@katvayor.net";
  };

  # tcpdump for inspecting the forwarding/NAT rules above.
  environment.systemPackages = with pkgs; [ tcpdump ];

  # Host SSH; NixOS opens TCP/22 in the firewall by default when enabled.
  services.openssh.enable = true;

  system.stateVersion = "23.11";
}