Diffstat (limited to 'machines/profpatsch/haku.nix')
-rw-r--r--machines/profpatsch/haku.nix64
1 files changed, 58 insertions, 6 deletions
diff --git a/machines/profpatsch/haku.nix b/machines/profpatsch/haku.nix
index 8b81378b..866fc05b 100644
--- a/machines/profpatsch/haku.nix
+++ b/machines/profpatsch/haku.nix
@@ -5,6 +5,18 @@ let
   myPkgs = import ./pkgs.nix { inherit pkgs lib myLib; };
 
   warpspeedPort = 1338;
+  ethernetInterface = "enp0s20";
+  wireguard = {
+    port = 6889;
+    interface = "wg0";
+    internalNetwork =
+      let genIp = cidr: lastByte: "10.42.0.${toString lastByte}/${toString cidr}";
+      in {
+        addr = genIp 32;
+        range = genIp 24 0;
+        server = genIp 24 1;
+      };
+  };
 
   myKey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDNMQvmOfon956Z0ZVdp186YhPHtSBrXsBwaCt0JAbkf/U/P+4fG0OROA++fHDiFM4RrRHH6plsGY3W6L26mSsCM2LtlHJINFZtVILkI26MDEIKWEsfBatDW+XNAvkfYEahy16P5CBtTVNKEGsTcPD+VDistHseFNKiVlSLDCvJ0vMwOykHhq+rdJmjJ8tkUWC2bNqTIH26bU0UbhMAtJstWqaTUGnB0WVutKmkZbnylLMICAvnFoZLoMPmbvx8efgLYY2vD1pRd8Uwnq9MFV1EPbkJoinTf1XSo8VUo7WCjL79aYSIvHmXG+5qKB9ed2GWbBLolAoXkZ00E4WsVp9H philip@nyx";
 
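Review bot: `addr = genIp 32` is a partial application that still expects the host byte, while `range` and `server` on the next two lines are finished strings, so `internalNetwork` holds two different shapes under one attribute set with no hint to the reader. A one-line comment above the `let` would make the intended use explicit, e.g. `# addr: lastByte -> "10.42.0.N/32" for a single peer; range (the /24) and server (.1) are fixed strings`. The `let` block this hunk sits in starts and ends outside the hunk.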
@@ -69,6 +81,7 @@ in
           "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCUgS0VB5XayQobQfOi0tYeqpSSCXzftTKEyII4OYDhuF0/CdXSqOIvdqnWQ8933lPZ5234qCXCniIlRJpJQLBPJdJ7/XnC6W37asuft6yVYxTZnZat8edCuJETMvwZJZNttxHC04k3JPf9RMj25luICWabICH5XP9Mz3GoWSaOz7IOm7jiLQiF3UtiFOG06w76d3UfcIVbqjImwWv8nysphi9IQfL0XgC24zNE6LSeE7IN5xTOxoZxORQGsCEnFNCPevReNcSB0pI9xQ1iao7evaZkpzT4D4iQ/K7Ss8dsfFWN30NPMQS5ReQTUKtmGn1YlgkitiYTEXbMjkYbQaQr daniel@shadow"
           "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCtfWeIH7YZpWUUOZ3oC5FB2/J+P3scxm29gUQdVij/K0TuxW1yN/HtcvrO1mwSshS6sNZ2N6/Kb6+kuGyx1mEnaFt87K5ucxC7TNqiURh4eeZE1xX7B5Ob8TVegrBxoe+vcfaoyxn7sUzgF719H0aYC7PP6p3AIbhq3hRLcvY26u9/gZ39H79A71wCunauvpcnpb+rqyJMN6m2YoeOcoloe7wUDI8Xw5dUetHpNKn9k1vzS16CdwP4pAKI8aBtdNK7ZojVMe9LfBG8HHPr9K+cwcaxQuXkFBJzrfrtBCfQwrgWppsu/W/kGBs1ybku2bOFI5UXJBnsraXQqr1NLIfL phj@phj-X220"
           "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDj8dla7nOE7RSho2/9LAn+DANYkB1BmMoNryzTQ5mUJWukf5coCc+aNJcXYeu5dSTEicW2qQuD8mt8SDI5Qzv4oSpIYEsd0j4eW/BlC5XYd+4jS7Hfk/a1mJjMG7jdvOUtK3lLtrKaHxVUUjqdxKzzFBZlPov6FgHSJ//h1HxreV/Y0jL94qSvK39FZde5xlV/wQBvpglrMNu7FFWqyeKrOZ7U8D70scFliIuPok/02iQ31P+ncUfV3XrFyJodQq8J3hYEorGVKp3nNM1zaLlg8uqHk18Zt0GFnEAClBrC13yjM0jpMvaMyuXMaWuKeqsBZeUyaSo1j6BNsW/bFjiJ thomas-glamsch@gmx.de"
+          "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCneS9f0u6sITEzKULgIK7LGKskPpyXlQoSLB6aYAS9ZUkZXHh97XwIQqv20/edsAwpKhSSw//n08bvlYjpUSDAg9V/iZzdEV1M7fxek1c0rxtFxbeCds5K67JV+wGEusVyQdtmVzyshBBg+Mk/66E3KgqMyjCyGPk/0qWaj6187DOxerbXI5QkO7lCPIa5jP2YR4yzmFomcGb4PqpPlWfOcjjEjtpenQkhy7iS0ukfkQ9jhIcppuvkZ9A8PL/ccHDNVg0YKNJbsviB5MwKm/6drK87fprP9SP0i7QZsdKhaaW3rQtzCiWup4Avwx91VfeLvef8JJnmDrx+tR7azdGCiiRQvLakT2aIyMSTcDG41PYsesFvqBhRidSgzdZ4I2jjT1iHL4XREQVSjB5voAFdXHrndZj9PT8mTMo1RsdM1YMspHD1ohn2a3YkzKHD6g1n0UM379lyJ2mBEA1w+Nb48s60Mecuy2MlFgN6MbwYXifJkm806nI09ExEfgan8JvWOUQLgCDtp4mGt62vYMmBb5UqyUpvTcPbxoAbpHx+LEAD9Q0OE8S8WGnmkXxnnP2fL1fkcL1wjwvDbW0q9ezl9SrMfxcd+n46kbkYnSJ8HwZSZPX3wn2FAqIAKR+46BSsXW5FTo0xwR9wEjaBC7/6PxcxmAivGJZzYUZ0cjCCOw== lisanne.wolters@gmx.net"
         ];
       };
     };
@@ -111,15 +124,54 @@ in
     };
 
     networking = {
+      nat = {
+        enable = true;
+        externalInterface = ethernetInterface;
+        internalInterfaces = [ wireguard.interface ];
+      };
+
       hostName = "haku";
       firewall = {
-        allowedTCPPorts =
-          [ 80 443
-          ];
-        allowedTCPPortRanges =
-          # rtorrent
-          [{ from = 6881; to = 6889; }];
+        allowedTCPPorts = [
+          80 443
+          6882
+          1337 2342 4223
+          60100
+        ];
+        allowedUDPPorts = [
+          wireguard.port
+          60100
+        ];
+        # forward wireguard connections to ethernet device (VPN)
+        extraCommands = ''
+          iptables -t nat -A POSTROUTING -s ${wireguard.internalNetwork.range} -o ${ethernetInterface} -j MASQUERADE
+        ''
+        # drop every other kind of forwarding, except from wg0 to epn (and bridge wg)
+        + ''
+          iptables -P FORWARD DROP
+          iptables -A FORWARD -i ${wireguard.interface} -o ${ethernetInterface} -j ACCEPT
+          iptables -A FORWARD -o ${wireguard.interface} -i ${ethernetInterface} -j ACCEPT
+          iptables -A FORWARD -i ${wireguard.interface} -o ${wireguard.interface} -j ACCEPT
+        '';
       };
+
+      wireguard.interfaces.${wireguard.interface} = {
+        ips = [ wireguard.internalNetwork.server ];
+        listenPort = wireguard.port;
+        privateKeyFile = "/root/keys/wg/vpn.priv";
+
+        peers = [
+          { # shiki (TODO: factor out)
+            publicKey = "x3ko/R8PLzcyjVjqot9qmGBb3NrG/4JvgRkIOQMEsUA=";
+            allowedIPs = [ (wireguard.internalNetwork.addr 2) ];
+          }
+          { # mushu
+            publicKey = "Stx6N4/JurtAuYX+43WPOCLBqheE99O6WRvxW+sd3jw=";
+            allowedIPs = [ (wireguard.internalNetwork.addr 3) ];
+          }
+        ];
+      };
+
       nameservers = [
         "62.210.16.6"
         "62.210.16.7"
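Review bot: The `extraCommands` block appends raw FORWARD and POSTROUTING rules but there is no matching `extraStopCommands`, so on every firewall restart or reload the `-A` rules are added again on top of the previous ones (the NixOS firewall only flushes its own `nixos-fw` chains); a stop block that `-D`s each rule, ignoring failures, keeps the table clean. The ethernet→wg0 rule on the second FORWARD line accepts any forwarded packet from `enp0s20` toward the tunnel rather than only return traffic, which is broader than the "drop every other kind of forwarding" comment suggests; restricting it with `-m conntrack --ctstate RELATED,ESTABLISHED` matches the stated intent. With `networking.nat.enable = true` and `internalInterfaces = [ wg0 ]`, the NAT module appears to already install a MASQUERADE rule for that interface on `externalInterface`, so the manual `POSTROUTING ... -j MASQUERADE` line looks redundant — worth confirming and dropping. The old `# rtorrent` comment is gone and the new `allowedTCPPorts` entries `6882`, `1337 2342 4223` and `60100` (also opened on UDP) carry no explanation of what listens on them; a short per-port comment would keep the exposure reviewable. The enclosing `networking` attribute set continues past the end of the hunk.
```nix
extraCommands = ''
  iptables -P FORWARD DROP
  iptables -A FORWARD -i ${wireguard.interface} -o ${ethernetInterface} -j ACCEPT
  # only return traffic for connections the VPN peers initiated
  iptables -A FORWARD -i ${ethernetInterface} -o ${wireguard.interface} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  iptables -A FORWARD -i ${wireguard.interface} -o ${wireguard.interface} -j ACCEPT
'';
# undo the rules above on stop/reload so repeated starts do not stack duplicates
extraStopCommands = ''
  iptables -D FORWARD -i ${wireguard.interface} -o ${ethernetInterface} -j ACCEPT 2>/dev/null || true
  iptables -D FORWARD -i ${ethernetInterface} -o ${wireguard.interface} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 2>/dev/null || true
  iptables -D FORWARD -i ${wireguard.interface} -o ${wireguard.interface} -j ACCEPT 2>/dev/null || true
'';
# … unchanged: wireguard.interfaces block …
```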