From 4354a2149b99031ce203ba44daf32265ee6e980f Mon Sep 17 00:00:00 2001 From: Nikolaos Karaolidis Date: Mon, 3 Mar 2025 17:30:23 +0000 Subject: [PATCH] Add dedicated jupiter ip Signed-off-by: Nikolaos Karaolidis --- hosts/jupiter-vps/configs/haproxy/default.nix | 26 -------- hosts/jupiter-vps/configs/sshd/default.nix | 8 --- .../jupiter-vps/configs/wireguard/default.nix | 11 +++- hosts/jupiter-vps/default.nix | 6 +- hosts/jupiter/configs/mmproxy/default.nix | 42 ------------- hosts/jupiter/configs/wireguard/default.nix | 63 +++++++++++++------ hosts/jupiter/default.nix | 5 +- 7 files changed, 62 insertions(+), 99 deletions(-) delete mode 100644 hosts/jupiter-vps/configs/haproxy/default.nix delete mode 100644 hosts/jupiter-vps/configs/sshd/default.nix delete mode 100644 hosts/jupiter/configs/mmproxy/default.nix diff --git a/hosts/jupiter-vps/configs/haproxy/default.nix b/hosts/jupiter-vps/configs/haproxy/default.nix deleted file mode 100644 index f4ba9e8..0000000 --- a/hosts/jupiter-vps/configs/haproxy/default.nix +++ /dev/null @@ -1,26 +0,0 @@ -{ ... }: -{ - # TODO: Some way to automatically configure? - services.haproxy = { - enable = true; - config = '' - global - maxconn 4096 - - defaults - mode tcp - timeout connect 5s - timeout client 30s - timeout server 30s - - frontend http - bind *:80 - bind *:443 - default_backend main - - backend main - server jupiter 10.0.0.2:80 send-proxy-v2 - server jupiter_ssl 10.0.0.2:443 send-proxy-v2 - ''; - }; -} diff --git a/hosts/jupiter-vps/configs/sshd/default.nix b/hosts/jupiter-vps/configs/sshd/default.nix deleted file mode 100644 index 624a47d..0000000 --- a/hosts/jupiter-vps/configs/sshd/default.nix +++ /dev/null @@ -1,8 +0,0 @@ -{ lib, ... }: -{ - services.openssh.settings.PermitRootLogin = lib.mkForce "prohibit-password"; - - users.users.root.openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEWDA5vnIB7KE2VG28Ovg5rXtQqxFwMXsfozLsH0BNZS nick@karaolidis.com" - ]; -} 
diff --git a/hosts/jupiter-vps/configs/wireguard/default.nix b/hosts/jupiter-vps/configs/wireguard/default.nix index 814abce..c2be895 100644 --- a/hosts/jupiter-vps/configs/wireguard/default.nix +++ b/hosts/jupiter-vps/configs/wireguard/default.nix @@ -2,9 +2,13 @@ let jupiterConfig = inputs.self.nixosConfigurations.jupiter.config; wireguardPort = 51820; + jupiterPublicIPv4 = "51.89.210.124"; in { - boot.kernel.sysctl."net.ipv4.ip_forward" = 1; + boot.kernel.sysctl = { + "net.ipv4.ip_forward" = 1; + "net.ipv4.conf.all.proxy_arp" = 1; + }; sops.secrets."wireguard" = { }; @@ -22,7 +26,10 @@ in peers = [ { name = "jupiter"; - allowedIPs = [ "10.0.0.2/32" ]; + allowedIPs = [ + "10.0.0.2/32" + "${jupiterPublicIPv4}/32" + ]; publicKey = "Lvx7bpyqI8rUrxYVDolz7T+EPuRWDohJAAToq7kH7EU="; } ]; diff --git a/hosts/jupiter-vps/default.nix b/hosts/jupiter-vps/default.nix index 9b92d04..0a073cc 100644 --- a/hosts/jupiter-vps/default.nix +++ b/hosts/jupiter-vps/default.nix @@ -17,12 +17,14 @@ ../common/configs/system/zsh ./configs/boot - ./configs/haproxy - ./configs/sshd ./configs/wireguard ]; networking.hostName = "jupiter-vps"; environment.impermanence.enable = lib.mkForce false; + + users.users.root.openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEWDA5vnIB7KE2VG28Ovg5rXtQqxFwMXsfozLsH0BNZS nick@karaolidis.com" + ]; } diff --git a/hosts/jupiter/configs/mmproxy/default.nix b/hosts/jupiter/configs/mmproxy/default.nix deleted file mode 100644 index e4ceae6..0000000 --- a/hosts/jupiter/configs/mmproxy/default.nix +++ /dev/null 
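Review bot: `"net.ipv4.conf.all.proxy_arp" = 1` switches proxy ARP on for every interface of the VPS, including wg0, although the dedicated address only has to be answered for on the interface that faces the provider's gateway; `"net.ipv4.conf.<uplink>.proxy_arp" = 1;` (uplink interface name to be filled in) confines the effect to that one link. Because the haproxy module is deleted in the same commit, the VPS no longer relays only TCP 80/443 to jupiter but forwards every packet addressed to 51.89.210.124 over wg0, so jupiter's own firewall presumably becomes the only filter on that address unless the VPS firewall restricts FORWARD. A comment on the sysctl block would make that explicit, e.g. `# Answer ARP for jupiter's dedicated IP on the uplink and forward it over wg0; filtering happens on jupiter.` The matching policy-routing half lives in hosts/jupiter/configs/wireguard/default.nix.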
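Review bot: The added `"${jupiterPublicIPv4}/32"` entry depends on a literal that is also hard-coded in hosts/jupiter/configs/wireguard/default.nix, and this file already evaluates jupiterConfig from the jupiter nixosConfiguration, so the two copies can drift silently. Deriving the address from jupiter's config — the way the jupiter side already derives wireguardPort from jupiterVpsConfig — would leave one source of truth, provided jupiter exposes it as an option. A short comment such as `# jupiter's dedicated public address, routed into the tunnel` on the added entry would spare the next reader the cross-reference.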
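Review bot: The root authorized key is added here without the `services.openssh.settings.PermitRootLogin = lib.mkForce "prohibit-password";` that the deleted configs/sshd module carried next to it, so whether this key is usable, and whether password root login stays disabled, now depends on what the imported common modules set; the mkForce in the removed file suggests one of them does set the option. Carrying the line over into this block keeps the intended policy explicit: `services.openssh.settings.PermitRootLogin = lib.mkForce "prohibit-password";`. The same applies to the identical block added to hosts/jupiter/default.nix later in this patch.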
@@ -1,42 +0,0 @@ -{ - inputs, - system, - pkgs, - ... -}: -let - selfPkgs = inputs.self.packages.${system}; -in -{ - environment.systemPackages = [ selfPkgs.go-mmproxy ]; - - boot.kernel.sysctl."net.ipv4.conf.all.route_localnet" = 1; - - networking = { - iproute2 = { - enable = true; - rttablesExtraConfig = '' - 100 mmproxy - ''; - }; - - localCommands = - let - ip = "${pkgs.iproute2}/bin/ip"; - iptables = "${pkgs.iptables}/bin/iptables"; - in - '' - ${iptables} -t mangle -D PREROUTING -m mark --mark 100 -m comment --comment mmproxy -j CONNMARK --save-mark || true - ${iptables} -t mangle -I PREROUTING -m mark --mark 100 -m comment --comment mmproxy -j CONNMARK --save-mark - - ${iptables} -t mangle -D OUTPUT -m connmark --mark 100 -m comment --comment mmproxy -j CONNMARK --restore-mark || true - ${iptables} -t mangle -I OUTPUT -m connmark --mark 100 -m comment --comment mmproxy -j CONNMARK --restore-mark - - ${ip} rule del fwmark 100 lookup 100 || true - ${ip} rule add fwmark 100 lookup 100 - - ${ip} route del local 0.0.0.0/0 dev lo table 100 || true - ${ip} route add local 0.0.0.0/0 dev lo table 100 - ''; - }; -} diff --git a/hosts/jupiter/configs/wireguard/default.nix b/hosts/jupiter/configs/wireguard/default.nix index d6a3354..26f548c 100644 --- a/hosts/jupiter/configs/wireguard/default.nix +++ b/hosts/jupiter/configs/wireguard/default.nix 
@@ -1,31 +1,58 @@ -{ config, inputs, ... }: +{ + config, + inputs, + pkgs, + ... +}: let jupiterVpsConfig = inputs.self.nixosConfigurations.jupiter-vps.config; - jupiterVpsPublicIPv4 = "51.75.170.190"; wireguardPort = jupiterVpsConfig.networking.wireguard.interfaces.wg0.listenPort; + jupiterVpsPublicIPv4 = "51.75.170.190"; + jupiterPublicIPv4 = "51.89.210.124"; in { - boot.kernel.sysctl."net.ipv4.ip_forward" = 1; - sops.secrets."wireguard" = { }; networking = { firewall.allowedUDPPorts = [ wireguardPort ]; - wireguard.interfaces.wg0 = { - ips = [ "10.0.0.2/24" ]; - listenPort = wireguardPort; - privateKeyFile = config.sops.secrets."wireguard".path; - - peers = [ - { - name = "jupiter-vps"; - allowedIPs = [ "10.0.0.1/32" ]; - publicKey = "BCTr2uWYFr5nAy+VxVQ5SIly6w60dOXY91DpXAMiHjI="; - endpoint = "${jupiterVpsPublicIPv4}:${builtins.toString wireguardPort}"; - persistentKeepalive = 25; - } - ]; + iproute2 = { + enable = true; + rttablesExtraConfig = '' + 100 wireguard + ''; }; + + wireguard.interfaces.wg0 = + let + ip = "${pkgs.iproute2}/bin/ip"; + in + rec { + ips = [ + "10.0.0.2/24" + "${jupiterPublicIPv4}/32" + ]; + listenPort = wireguardPort; + privateKeyFile = config.sops.secrets."wireguard".path; + table = "wireguard"; + + postSetup = [ + "${ip} rule add from ${jupiterPublicIPv4} table ${table}" + ]; + + postShutdown = [ + "${ip} rule del from ${jupiterPublicIPv4} table ${table}" + ]; + + peers = [ + { + name = "jupiter-vps"; + allowedIPs = [ "0.0.0.0/0" ]; + publicKey = "BCTr2uWYFr5nAy+VxVQ5SIly6w60dOXY91DpXAMiHjI="; + endpoint = "${jupiterVpsPublicIPv4}:${builtins.toString wireguardPort}"; + persistentKeepalive = 25; + } + ]; + }; }; } diff --git a/hosts/jupiter/default.nix b/hosts/jupiter/default.nix index 082e20c..4f300d6 100644 --- a/hosts/jupiter/default.nix +++ b/hosts/jupiter/default.nix @@ -26,7 +26,6 @@ ../common/configs/system/users ../common/configs/system/zsh - ./configs/mmproxy ./configs/wireguard ./users/storm 
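Review bot: postSetup runs `${ip} rule add from ${jupiterPublicIPv4} table ${table}` unconditionally, so an unclean stop in which postShutdown never ran, followed by a restart, leaves duplicate rules behind and postShutdown's single `del` then removes only one of them; the mmproxy module deleted in this commit guarded the same pattern with a `del ... || true` before each `add`, and the same guard fits here as the first postSetup entry: `"${ip} rule del from ${jupiterPublicIPv4} table ${table} || true"`. The change of allowedIPs from 10.0.0.1/32 to 0.0.0.0/0 behaves as intended only because `table = "wireguard"` keeps the tunnel's default route out of the main table and the `from` rule steers just the dedicated address into it, which deserves a comment on the rec set, e.g. `# Only traffic sourced from the dedicated IP is routed through the tunnel; the main routing table is untouched.`. Note also that 0.0.0.0/0 means wg0 now accepts packets from the VPS with any source address, so jupiter's firewall rules on wg0 are what bound the exposure of the dedicated address.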
@@ -49,4 +48,8 @@
 "noatime"
 ];
 };
+
+ users.users.root.openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEWDA5vnIB7KE2VG28Ovg5rXtQqxFwMXsfozLsH0BNZS nick@karaolidis.com"
+ ];
 }
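Review bot: This block is a byte-for-byte copy of the one added to hosts/jupiter-vps/default.nix in the same patch, so the key now lives in two host files and a future rotation has to touch both. A small shared module under ../common/configs that sets `users.users.root.openssh.authorizedKeys.keys` once, imported by both hosts, would keep them in step, and it is also the natural place for the PermitRootLogin setting that the deleted sshd module used to carry. If the common modules already manage root keys for jupiter, this addition may be redundant rather than new and is worth checking.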