feat: wireguard meshnet in server

DACHXY 2025-03-26 13:20:28 +08:00
parent fc0035fb15
commit 43e206bd6d
13 changed files with 356 additions and 73 deletions


@ -36,13 +36,14 @@ in
nvidia-bus-id = nvidia-bus-id;
})
../../modules/gaming.nix
# ../../modules/wireguard.nix
../../modules/wireguard.nix
../../modules/dn-ca.nix
(import ../../modules/wallpaper-engine.nix {
offload = nvidia-offload-enabled;
})
../../modules/wine.nix
../../modules/secure-boot.nix
../../modules/kubernetes.nix
];
# Overrides
@ -75,4 +76,11 @@ in
];
};
};
users.users = {
"${username}".openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJFQA42R3fZmjb9QnUgzzOTIXQBC+D2ravE/ZLvdjoOQ danny@lap.dn"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSHkPa6vmr5WBPXAazY16+Ph1Mqv9E24uLIf32oC2oH danny@phone.dn"
];
};
}
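Review bot: The two user keys added here (`danny@lap.dn`, `danny@phone.dn`) are the same strings the server configuration adds under `users.users."${username}"` later in this commit, so the authorized-key list is now maintained in two places. Keeping one list per key in a shared module, or a `let` binding passed to both hosts, avoids the copies drifting when a key is rotated or revoked. The `users.users` attribute set is complete within this hunk.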


@ -1,7 +1,7 @@
{ pkgs, ... }:
{
boot.kernelPackages = pkgs.linuxPackages_latest;
boot.kernelPackages = pkgs.linuxPackages;
boot.loader.systemd-boot.enable = true;


@ -36,7 +36,7 @@ in
intel-bus-id = intel-bus-id;
nvidia-bus-id = nvidia-bus-id;
})
../../modules/wine.nix
# ../../modules/wine.nix
];
# Overrides
@ -64,7 +64,7 @@ in
};
users."${username}" = {
imports = [
../../../home
../../../home/server-default.nix
];
};
};


@ -1,28 +1,45 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
config,
lib,
pkgs,
modulesPath,
...
}:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "vmd" "xhci_pci" "thunderbolt" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
boot.initrd.availableKernelModules = [
"vmd"
"xhci_pci"
"thunderbolt"
"nvme"
"usb_storage"
"sd_mod"
"rtsx_pci_sdmmc"
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/6081efdb-aa4e-4f31-ac7e-bd4dffa768bc";
fsType = "ext4";
};
fileSystems."/" = {
device = "/dev/disk/by-label/NIXROOT";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/0185-B3AA";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
fileSystems."/boot" = {
device = "/dev/disk/by-label/NIXBOOT";
fsType = "vfat";
options = [
"fmask=0022"
"dmask=0022"
];
};
swapDevices = [ ];
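Review bot: Switching `/` and `/boot` from by-uuid to by-label (`NIXROOT`, `NIXBOOT`) makes device selection depend on a label that any attached disk can carry, so a second disk or USB stick with the same label can be picked up instead of the intended filesystem, whereas the previous UUIDs were unique to those filesystems. The file also still carries the nixos-generate-config "Do not modify this file!" header even though it is now hand-edited; either drop that header or move the label-based `fileSystems` overrides into the host configuration so the next regeneration does not silently revert them. The attribute set continues past the end of this hunk.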


@ -3,17 +3,12 @@
{
networking = {
networkmanager.enable = true;
enableIPv6 = false;
enableIPv6 = true;
firewall = {
enable = true;
allowedTCPPorts = [
22
443
80
30072
];
allowedUDPPorts = [
51820
];
};
};


@ -1,5 +1,6 @@
{
pkgs,
inputs,
...
}:
{
@ -76,5 +77,7 @@
pkgs.gst_all_1.gst-libav
pkgs.gst_all_1.gstreamer
pkgs.gst_all_1.gst-plugins-good
inputs.ghostty.packages.${system}.default
];
}
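Review bot: `${system}` on the ghostty line is not bound by the argument set `{ pkgs, inputs, ... }` added at the top of this file; the `...` only permits extra attributes, it does not bind a name, so unless `system` is defined in the part of the file outside these two hunks the module fails to evaluate with an undefined-variable error. `inputs.ghostty.packages.${pkgs.stdenv.hostPlatform.system}.default` selects the package without relying on an unseen binding. The enclosing attribute set spans both hunks and extends outside them.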


@ -1,12 +1,208 @@
{ username, pkgs, ... }:
let
ethInterface = "enp0s31f6";
wlInterface = "wlp0s20f3";
sshPorts = [ 30072 ];
sshPortsString = builtins.concatStringsSep ", " (builtins.map (p: builtins.toString p) sshPorts);
personal = {
ip = "10.0.0.1/24";
interface = "wg0";
port = 51820;
range = "10.0.0.0/24";
full = "10.0.0.1/25";
restrict = "10.0.0.128/25";
};
kube = {
ip = "10.10.0.1/24";
range = "10.10.0.0/24";
interface = "wg1";
port = 51821;
};
allowedSSHIPs = builtins.concatStringsSep ", " [
"122.117.215.55"
"192.168.100.1/24"
personal.range
];
fullRoute = [
{
# Jonly
dns = "jonly";
publicKey = "GAayY6p8ST3I66kFSGY3seaHhfkrc6atcrFu2C9BDDs=";
allowedIPs = [ "10.0.0.5/32" ];
}
{
# YC
dns = "yc";
publicKey = "5LfmjAg07ixmBCcsEn319UHqMRO3AdusXsoibGUqfQE=";
allowedIPs = [ "10.0.0.7/32" ];
}
{
# Tommy
dns = "tommy";
publicKey = "AxujfkiHLj09LoAXZl7yUf3fzyjorKOg8CfcJJvr2HQ=";
allowedIPs = [ "10.0.0.8/32" ];
}
];
meshRoute = [
{
# pre7780.dn
dns = "pre7780";
publicKey = "WvvBRGbWUMUhSgodZNlhglacsWhMOTdHhJxcf81kTmQ=";
allowedIPs = [ "10.0.0.130/32" ];
}
{
# Skydrive
dns = "skydrive";
publicKey = "GceSQwI7XqYQw2oPmquuKdPqmt6KsYnoGuFoiaKRb0E=";
allowedIPs = [ "10.0.0.132/32" ];
}
{
# ken
dns = "ken";
publicKey = "iWjBGArok96mFzFHXYjTxwyRHGQ4U0V77txoi6WS2QU=";
allowedIPs = [ "10.0.0.134/32" ];
}
{
# lap.dn
dns = "lap";
publicKey = "Cm2AZU+zlv+ThMqah6WiLVxgPNvMHm9DEGd4PfywNWU=";
allowedIPs = [ "10.0.0.135/32" ];
}
{
# ahhaha
dns = "ahhaha";
publicKey = "PGBqCPLxaFd/+KqwrjF6B6lqxvpPKos0sst5gk8p8Bo=";
allowedIPs = [ "10.0.0.137/32" ];
}
{
# oreo
dns = "oreo";
publicKey = "GXHRZ9DmVg7VtuJdvcHOGFCuFqH2Kd/c+3unrq7e5SE=";
allowedIPs = [ "10.0.0.139/32" ];
}
{
# phone.dn
dns = "phone";
publicKey = "XiR4NZLdHyOvzt+fdYoFDW2s/Su8nlz8UgrVPLISdBY=";
allowedIPs = [ "10.0.0.140/32" ];
}
];
dnsRecords =
with builtins;
concatStringsSep "\n" (
map (r: ''
${r.dns} IN A ${replaceStrings [ "/32" ] [ "" ] (elemAt r.allowedIPs 0)}
'') (fullRoute ++ meshRoute)
);
in
{
systemd.services.flatpak-repo = {
wantedBy = [ "multi-user.target" ];
path = [ pkgs.flatpak ];
script = ''
flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
'';
networking = {
nat = {
enable = true;
enableIPv6 = true;
externalInterface = ethInterface;
internalInterfaces = [
personal.interface
kube.interface
];
};
firewall = {
allowedUDPPorts = [
53
personal.port
kube.port
];
allowedTCPPorts = sshPorts ++ [ 53 ];
};
nftables = {
enable = true;
ruleset = ''
table inet wg-filter {
chain input {
type filter hook input priority 0; policy drop;
iif lo accept
meta nftrace set 1
meta l4proto { icmp, ipv6-icmp } accept
ct state vmap { invalid : drop, established : accept, related : accept }
udp dport 53 accept
tcp dport 53 accept
tcp dport { ${sshPortsString} } jump ssh-filter
iifname { ${ethInterface}, ${personal.interface}, ${kube.interface} } udp dport { ${builtins.toString personal.port}, ${builtins.toString kube.port} } accept
iifname ${personal.interface} ip saddr ${personal.ip} jump wg-subnet
iifname ${kube.interface} ip saddr ${kube.ip} jump kube-filter
counter reject
}
chain ssh-filter {
ip saddr { ${allowedSSHIPs} } accept
counter reject
}
chain forward {
type filter hook forward priority 0; policy drop;
meta l4proto { icmp, ipv6-icmp } accept
iifname ${personal.interface} ip saddr ${personal.ip} jump wg-subnet
iifname ${kube.interface} ip saddr ${kube.ip} jump kube-filter
counter
}
chain kube-filter {
ip saddr ${kube.ip} ip daddr ${kube.ip} accept
counter drop
}
chain wg-subnet {
ip saddr ${personal.full} accept
ip saddr ${personal.restrict} ip daddr ${personal.range} accept
counter drop
}
chain postrouting {
type nat hook postrouting priority 100; policy accept;
oifname ${ethInterface} masquerade
}
}
'';
};
wireguard = {
enable = true;
interfaces = {
${personal.interface} = {
ips = [ personal.ip ];
listenPort = personal.port;
privateKeyFile = "/etc/wireguard/privatekey";
peers = builtins.map (r: {
publicKey = r.publicKey;
allowedIPs = r.allowedIPs;
}) (fullRoute ++ meshRoute);
};
${kube.interface} = {
ips = [ kube.ip ];
listenPort = kube.port;
privateKeyFile = "/etc/wireguard/privatekey";
peers = [ ];
};
};
};
};
services = {
@ -16,18 +212,54 @@
openssh = {
enable = true;
ports = [
22
30072
];
ports = sshPorts;
settings = {
PasswordAuthentication = true;
AllowUsers = [ username ];
UseDns = true;
PasswordAuthentication = false;
UseDns = false;
PermitRootLogin = "yes";
};
};
bind = {
enable = true;
cacheNetworks = [
"127.0.0.0/24"
"::1/128"
personal.range
kube.range
];
zones = {
"net.dn" = {
master = true;
allowQuery = [
"127.0.0.0/24"
"::1/128"
personal.range
kube.range
];
file = pkgs.writeText "zone-net.dn" ''
$ORIGIN net.dn.
$TTL 1h
@ IN SOA server hostmaster (
1 ; Serial
3h ; Refresh
1h ; Retry
1w ; Expire
1h) ; Negative Cache TTL
IN NS server
IN NS phone
@ IN A 10.0.0.1
IN AAAA fe80::3319:e2bb:fc15:c9df
IN MX 10 mail
IN TXT "v=spf1 mx"
server IN A 10.0.0.1
${dnsRecords}
'';
};
};
};
xserver = {
enable = false;
xkb.layout = "us";
@ -37,11 +269,21 @@
gvfs.enable = true;
udisks2.enable = true;
devmon.enable = true;
flatpak.enable = true;
};
users.users.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBzLpMKn0Q24ACC6k/7lOX0FIdcFhq15NY6849yROeUK danny@dn-pre7780"
users.users = {
root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBzLpMKn0Q24ACC6k/7lOX0FIdcFhq15NY6849yROeUK danny@dn-pre7780"
];
"${username}".openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJSAOufpee7f8D8ONIIGU3qsN+8+DGO7BfZnEOTYqtQ5 danny@pre7780.dn"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJFQA42R3fZmjb9QnUgzzOTIXQBC+D2ravE/ZLvdjoOQ danny@lap.dn"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSHkPa6vmr5WBPXAazY16+Ph1Mqv9E24uLIf32oC2oH danny@phone.dn"
];
};
nix.settings.trusted-users = [
username
];
}
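Review bot: sshd still has a password path despite the new `PasswordAuthentication = false`: NixOS leaves `KbdInteractiveAuthentication` enabled by default and its PAM challenge accepts the account password, so only one of the two password mechanisms was switched off, and together with the new `PermitRootLogin = "yes"` root becomes reachable that way on the allow-listed SSH port if it has a password set. Change the settings block to `PasswordAuthentication = false; KbdInteractiveAuthentication = false; PermitRootLogin = "prohibit-password";` (the root authorized key keeps working). Two smaller points in the same file: both `wg0` and `wg1` read `/etc/wireguard/privatekey`, so the two networks share one identity and cannot be rotated independently, and `meta nftrace set 1` in the `input` chain traces every inbound packet, which is a debugging aid rather than production ruleset. The unqualified `udp dport 53 accept` / `tcp dport 53 accept` rules also match on `ethInterface`, so the resolver port is exposed externally and only bind's `allowQuery` turns those clients away; an `iifname { ${personal.interface}, ${kube.interface} }` qualifier keeps it internal.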


@ -0,0 +1,10 @@
{
pkgs,
...
}:
{
environment.systemPackages = with pkgs; [
minikube
kubectl
];
}


@ -1,10 +1,8 @@
{ ... }:
{
imports = [
./plymouth.nix # Boot splash
./fonts.nix
./hardware.nix
./hyprland.nix
./internationalisation.nix
./misc.nix
./nixsettings.nix
@ -12,10 +10,7 @@
./security.nix
./sound.nix
./time.nix
./theme.nix
./users.nix
./environment.nix
./virtualization.nix
./gc.nix
./polkit.nix
./lsp.nix