Disable legacy wireguard tunnel
This commit is contained in:
parent
7721e1333a
commit
8c23908235
|
@ -84,26 +84,12 @@ with lib; {
|
|||
default = let
|
||||
p = config.m-0.prefix;
|
||||
hera-p = "${p}::3";
|
||||
wg-p = "${p}::100";
|
||||
v4-p = "10.0.0";
|
||||
in {
|
||||
hera = "${p}::1";
|
||||
vpn = rec {
|
||||
prefix = "fdc0:7";
|
||||
hera = "${prefix}::1";
|
||||
fluffy = "${prefix}::2";
|
||||
apollo = "${prefix}::5";
|
||||
zeus = "${prefix}::4";
|
||||
pegasus = "${prefix}::6";
|
||||
};
|
||||
hera-wg-host = "${p}::100:0:1";
|
||||
|
||||
hera-v4 = "213.136.94.190";
|
||||
|
||||
hera-wg = "${wg-p}:1";
|
||||
apollo-wg = "${wg-p}:2";
|
||||
zeus-wg = "${wg-p}:3";
|
||||
|
||||
hera-intern = "${hera-p}:1";
|
||||
chor-cloud = "${hera-p}:b";
|
||||
|
||||
|
|
|
@ -40,25 +40,25 @@ in {
|
|||
hostName = "apollo";
|
||||
domain = "m-0.eu";
|
||||
networkmanager.enable = true;
|
||||
wireguard.interfaces = {
|
||||
m0wire = {
|
||||
allowedIPsAsRoutes = false;
|
||||
ips = ["${hosts.apollo-wg}/112" "${hosts.vpn.apollo}/64"];
|
||||
privateKeyFile = config.age.secrets."wireguard/apollo-private".path;
|
||||
peers = [
|
||||
{
|
||||
publicKey = wireguard.pub.hera;
|
||||
allowedIPs = ["::/0"];
|
||||
# endpoint =
|
||||
# "[${hosts.hera-wg-host}]:${builtins.toString wireguard.port}";
|
||||
endpoint = "[${hosts.hera-v4}]:${builtins.toString wireguard.port}";
|
||||
presharedKeyFile = config.age.secrets."wireguard/psk".path;
|
||||
persistentKeepalive = 25;
|
||||
}
|
||||
];
|
||||
postSetup = ["${pkgs.iproute}/bin/ip route add ${prefix}::/96 dev m0wire"];
|
||||
};
|
||||
};
|
||||
#wireguard.interfaces = {
|
||||
# m0wire = {
|
||||
# allowedIPsAsRoutes = false;
|
||||
# ips = ["${hosts.apollo-wg}/112" "${hosts.vpn.apollo}/64"];
|
||||
# privateKeyFile = config.age.secrets."wireguard/apollo-private".path;
|
||||
# peers = [
|
||||
# {
|
||||
# publicKey = wireguard.pub.hera;
|
||||
# allowedIPs = ["::/0"];
|
||||
# # endpoint =
|
||||
# # "[${hosts.hera-wg-host}]:${builtins.toString wireguard.port}";
|
||||
# endpoint = "[${hosts.hera-v4}]:${builtins.toString wireguard.port}";
|
||||
# presharedKeyFile = config.age.secrets."wireguard/psk".path;
|
||||
# persistentKeepalive = 25;
|
||||
# }
|
||||
# ];
|
||||
# postSetup = ["${pkgs.iproute}/bin/ip route add ${prefix}::/96 dev m0wire"];
|
||||
# };
|
||||
#};
|
||||
};
|
||||
|
||||
services = {
|
||||
|
|
|
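Review bot: The retired tunnel is kept as a commented-out copy of the whole `wireguard.interfaces` block (`#wireguard.interfaces = {` … `#};`) instead of being deleted, and the same pattern repeats in the fluffy, hera and zeus hunks of this commit. The commented copy still references `hosts.apollo-wg`, `hosts.vpn.apollo` and `hosts.hera-wg-host`, which the first hunk appears to remove from the hosts module, so it can never be re-enabled by uncommenting and only git history preserves a working version. It also still names `config.age.secrets."wireguard/apollo-private".path` and `config.age.secrets."wireguard/psk".path`; the `age.secrets` declarations that decrypt those files onto the host are not part of this diff, so unless they are removed as well, a now-unused private key and preshared key keep being provisioned to every former peer. Deleting the block outright and dropping (or rotating) the orphaned secrets would close that gap.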
@ -83,9 +83,16 @@ in {
|
|||
hostName = "fluffy";
|
||||
domain = "lo.m-0.eu";
|
||||
firewall = {
|
||||
allowedUDPPorts = [631];
|
||||
allowedTCPPorts = [21 80 631];
|
||||
allowedUDPPorts = [
|
||||
631 # cups
|
||||
];
|
||||
allowedTCPPorts = [
|
||||
21 # ftp for scanner
|
||||
80 # http
|
||||
631 # cups
|
||||
];
|
||||
allowedTCPPortRanges = [
|
||||
# also ftp
|
||||
{
|
||||
from = 51000;
|
||||
to = 51999;
|
||||
|
@ -101,21 +108,21 @@ in {
|
|||
];
|
||||
useDHCP = true;
|
||||
};
|
||||
wireguard.interfaces = {
|
||||
m0wire = {
|
||||
ips = ["${hosts.vpn.fluffy}/64"];
|
||||
privateKeyFile = "/disk/persist/wireguard-private-key";
|
||||
peers = [
|
||||
{
|
||||
publicKey = wireguard.pub.hera;
|
||||
allowedIPs = ["${hosts.vpn.prefix}::/64"];
|
||||
endpoint = "[${hosts.hera-wg-host}]:${builtins.toString wireguard.port}";
|
||||
presharedKeyFile = config.age.secrets."wireguard/psk".path;
|
||||
persistentKeepalive = 25;
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
#wireguard.interfaces = {
|
||||
# m0wire = {
|
||||
# ips = ["${hosts.vpn.fluffy}/64"];
|
||||
# privateKeyFile = "/disk/persist/wireguard-private-key";
|
||||
# peers = [
|
||||
# {
|
||||
# publicKey = wireguard.pub.hera;
|
||||
# allowedIPs = ["${hosts.vpn.prefix}::/64"];
|
||||
# endpoint = "[${hosts.hera-wg-host}]:${builtins.toString wireguard.port}";
|
||||
# presharedKeyFile = config.age.secrets."wireguard/psk".path;
|
||||
# persistentKeepalive = 25;
|
||||
# }
|
||||
# ];
|
||||
# };
|
||||
#};
|
||||
};
|
||||
programs = {
|
||||
ssh = {
|
||||
|
|
|
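Review bot: The disabled block on fluffy points at a private key kept in plain text on the persistent disk, `privateKeyFile = "/disk/persist/wireguard-private-key";`, rather than at an agenix secret as on the other hosts, and disabling the interface does not remove that file. Since this commit retires the tunnel and the hera hunk drops the peer entry for `wireguard.pub.fluffy`, the key is no longer trusted anywhere and should be deleted from the host, otherwise a stale long-term key lingers outside any secret management. The commented copy also still references `hosts.vpn.fluffy` and `hosts.hera-wg-host`, which this commit appears to delete from the hosts module, so removing the block instead of commenting it would be cleaner.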
@ -73,7 +73,7 @@ in {
|
|||
};
|
||||
};
|
||||
postfix = {
|
||||
networks = ["[::1]/128" "127.0.0.1/32" "[${config.m-0.prefix}::]/64" "[${hosts.vpn.prefix}::]/64" "10.0.0.0/24"];
|
||||
networks = ["[::1]/128" "127.0.0.1/32" "[${config.m-0.prefix}::]/64" "10.0.0.0/24"];
|
||||
transport = "email2matrix.maralorn.de smtp:[::1]:2525";
|
||||
config = {
|
||||
# Allow TLSv1 because we need to be able to receive mail from legacy servers.
|
||||
|
|
|
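Review bot: Dropping `"[${hosts.vpn.prefix}::]/64"` from `networks` shrinks Postfix's trusted relay set to loopback, the site prefix and `10.0.0.0/24`, which is the right consequence of removing the tunnel, but no replacement for the tailscale/headscale overlay that now carries the VPN traffic is added. If any host previously relayed mail to this server over its wireguard address it will now be rejected as a relay attempt instead of being accepted, which is the safe failure mode but worth checking in the mail log after deploy. If relaying from the overlay is actually needed, authenticated submission is preferable to adding the overlay's shared address range to `networks`, since that range is common to every node on the tailnet.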
@ -1,10 +1,9 @@
|
|||
{
|
||||
pkgs,
|
||||
config,
|
||||
lib,
|
||||
...
|
||||
}: let
|
||||
wireguard = import ../../../common/wireguard.nix;
|
||||
#wireguard = import ../../../common/wireguard.nix;
|
||||
inherit (config.m-0) hosts;
|
||||
in {
|
||||
boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1;
|
||||
|
@ -24,10 +23,6 @@ in {
|
|||
address = hosts.hera;
|
||||
prefixLength = 128;
|
||||
}
|
||||
{
|
||||
address = hosts.hera-wg-host;
|
||||
prefixLength = 128;
|
||||
}
|
||||
];
|
||||
};
|
||||
defaultGateway = "213.136.94.1";
|
||||
|
@ -59,36 +54,36 @@ in {
|
|||
};
|
||||
nameservers = ["213.136.95.10" "2a02:c207::1:53" "2a02:c207::2:53"];
|
||||
firewall.allowedTCPPorts = [8666];
|
||||
firewall.allowedUDPPorts = [wireguard.port];
|
||||
wireguard.interfaces = {
|
||||
m0wire = {
|
||||
ips = ["${hosts.hera-wg}/112" "${hosts.vpn.hera}/64"];
|
||||
privateKeyFile = config.age.secrets."wireguard/hera-private".path;
|
||||
listenPort = wireguard.port;
|
||||
peers = [
|
||||
{
|
||||
publicKey = wireguard.pub.zeus;
|
||||
allowedIPs = ["${hosts.zeus-wg}/128" "${hosts.vpn.zeus}/128"];
|
||||
presharedKeyFile = config.age.secrets."wireguard/psk".path;
|
||||
}
|
||||
{
|
||||
publicKey = wireguard.pub.apollo;
|
||||
allowedIPs = ["${hosts.apollo-wg}/128" "${hosts.vpn.apollo}/128"];
|
||||
presharedKeyFile = config.age.secrets."wireguard/psk".path;
|
||||
}
|
||||
{
|
||||
publicKey = wireguard.pub.fluffy;
|
||||
allowedIPs = ["${hosts.vpn.fluffy}/128"];
|
||||
presharedKeyFile = config.age.secrets."wireguard/psk".path;
|
||||
}
|
||||
{
|
||||
publicKey = wireguard.pub.pegasus;
|
||||
allowedIPs = ["${hosts.vpn.pegasus}/128"];
|
||||
presharedKeyFile = config.age.secrets."wireguard/psk".path;
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
#firewall.allowedUDPPorts = [wireguard.port];
|
||||
#wireguard.interfaces = {
|
||||
# m0wire = {
|
||||
# ips = ["${hosts.hera-wg}/112" "${hosts.vpn.hera}/64"];
|
||||
# privateKeyFile = config.age.secrets."wireguard/hera-private".path;
|
||||
# listenPort = wireguard.port;
|
||||
# peers = [
|
||||
# {
|
||||
# publicKey = wireguard.pub.zeus;
|
||||
# allowedIPs = ["${hosts.zeus-wg}/128" "${hosts.vpn.zeus}/128"];
|
||||
# presharedKeyFile = config.age.secrets."wireguard/psk".path;
|
||||
# }
|
||||
# {
|
||||
# publicKey = wireguard.pub.apollo;
|
||||
# allowedIPs = ["${hosts.apollo-wg}/128" "${hosts.vpn.apollo}/128"];
|
||||
# presharedKeyFile = config.age.secrets."wireguard/psk".path;
|
||||
# }
|
||||
# {
|
||||
# publicKey = wireguard.pub.fluffy;
|
||||
# allowedIPs = ["${hosts.vpn.fluffy}/128"];
|
||||
# presharedKeyFile = config.age.secrets."wireguard/psk".path;
|
||||
# }
|
||||
# {
|
||||
# publicKey = wireguard.pub.pegasus;
|
||||
# allowedIPs = ["${hosts.vpn.pegasus}/128"];
|
||||
# presharedKeyFile = config.age.secrets."wireguard/psk".path;
|
||||
# }
|
||||
# ];
|
||||
# };
|
||||
#};
|
||||
};
|
||||
|
||||
services.ndppd = {
|
||||
|
|
|
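Review bot: The first hera hunk comments out `wireguard = import ../../../common/wireguard.nix;`, so the `wireguard` binding no longer exists in this file, while the only remaining references to `wireguard.port` and `wireguard.pub.*` visible here are inside the disabled block; any live reference outside this diff (for example in `services.ndppd`, which continues past the hunk) would now fail evaluation, so a dry build for hera is worth confirming before deploy. Commenting out `firewall.allowedUDPPorts = [wireguard.port];` closes the public listen port, which is the right direction, and the second hera hunk removes the `hosts.hera-wg-host` /128 address; `boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1;` is kept, so if forwarding was only needed to route the tunnel's `::/96` it could be turned off too — confirm against the ndppd/prefix setup first. As in the other hosts, the block should be deleted rather than left commented, since it references hosts attributes this commit removes.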
@ -133,23 +133,23 @@ in {
|
|||
firewall.allowedUDPPorts = [
|
||||
34197 # factorio
|
||||
];
|
||||
wireguard.interfaces = {
|
||||
m0wire = {
|
||||
allowedIPsAsRoutes = false;
|
||||
ips = ["${hosts.zeus-wg}/112" "${hosts.vpn.zeus}/64"];
|
||||
privateKeyFile = config.age.secrets."wireguard/zeus-private".path;
|
||||
peers = [
|
||||
{
|
||||
publicKey = wireguard.pub.hera;
|
||||
allowedIPs = ["::/0"];
|
||||
endpoint = "[${hosts.hera-wg-host}]:${builtins.toString wireguard.port}";
|
||||
presharedKeyFile = config.age.secrets."wireguard/psk".path;
|
||||
persistentKeepalive = 25;
|
||||
}
|
||||
];
|
||||
postSetup = ["${pkgs.iproute}/bin/ip route add ${prefix}::/96 dev m0wire"];
|
||||
};
|
||||
};
|
||||
#wireguard.interfaces = {
|
||||
# m0wire = {
|
||||
# allowedIPsAsRoutes = false;
|
||||
# ips = ["${hosts.zeus-wg}/112" "${hosts.vpn.zeus}/64"];
|
||||
# privateKeyFile = config.age.secrets."wireguard/zeus-private".path;
|
||||
# peers = [
|
||||
# {
|
||||
# publicKey = wireguard.pub.hera;
|
||||
# allowedIPs = ["::/0"];
|
||||
# endpoint = "[${hosts.hera-wg-host}]:${builtins.toString wireguard.port}";
|
||||
# presharedKeyFile = config.age.secrets."wireguard/psk".path;
|
||||
# persistentKeepalive = 25;
|
||||
# }
|
||||
# ];
|
||||
# postSetup = ["${pkgs.iproute}/bin/ip route add ${prefix}::/96 dev m0wire"];
|
||||
# };
|
||||
#};
|
||||
};
|
||||
services = {
|
||||
snapper = {
|
||||
|
|
|
@ -8,9 +8,9 @@
|
|||
networking = {
|
||||
firewall = {
|
||||
extraInputRules = ''
|
||||
meta iifname m0wire accept comment "wireguard vpn"
|
||||
meta iifname tailscale0 accept comment "headscale vpn"
|
||||
'';
|
||||
# meta iifname m0wire accept comment "wireguard vpn"
|
||||
checkReversePath = "loose";
|
||||
allowedUDPPorts = [config.services.tailscale.port];
|
||||
};
|
||||
|
|
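Review bot: The retired rule is left as `# meta iifname m0wire accept comment "wireguard vpn"` after the closing `'';`, i.e. as a Nix comment outside the `extraInputRules` string where it is pure dead text; delete it, the history records it. With the `m0wire` accept gone the only interface-wide accept is `tailscale0`, which is the intended tightening, but `checkReversePath = "loose";` was presumably chosen for the wireguard policy routing — keep it only if tailscale subnet routing or exit-node use on this host still needs it, otherwise the default (strict) is the safer setting; confirm before changing. This hunk sits inside `networking.firewall`, whose enclosing set continues past the hunk.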