diff --git a/modules/nixos/system/network/wireguard/default.nix b/modules/nixos/system/network/wireguard/default.nix index d7f365c..95356a5 100644 --- a/modules/nixos/system/network/wireguard/default.nix +++ b/modules/nixos/system/network/wireguard/default.nix @@ -7,7 +7,6 @@ activePeers = builtins.filter isValidPeer config.syscfg.peers; in { - imports = [ ./forwarding.nix ]; config = lib.mkIf (config.syscfg.net.wg.enable) { networking.wireguard = { enable = true; @@ -19,7 +18,7 @@ in listenPort = 1515; mtu = 1340; peers = - if config.syscfg.net.wg.server.enable then + if config.syscfg.server ? wireguard then map (p: { name = p.syscfg.hostname; publicKey = p.syscfg.net.wg.pubkey; diff --git a/modules/server/arion/default.nix b/modules/server/arion/default.nix new file mode 100644 index 0000000..eac2ee3 --- /dev/null +++ b/modules/server/arion/default.nix @@ -0,0 +1,13 @@ +{ config, pkgs, lib, ... }:{ + config = lib.mkIf (config.syscfg.server ? arion) { + environment.systemPackages = with pkgs; [ arion ]; + virtualisation.arion = { + backend = "podman-socket"; + projects = { + cloud.settings = import ./docker/cloud.nix { inherit config pkgs lib; }; + authentik.settings = + import ./docker/authentik.nix { inherit config pkgs lib; }; + }; + }; + }; +} \ No newline at end of file diff --git a/modules/server/default.nix b/modules/server/default.nix index fe0ccb3..5d2c1f2 100644 --- a/modules/server/default.nix +++ b/modules/server/default.nix @@ -1,15 +1,3 @@ -{ config, pkgs, lib, ... }: -let -in { - imports = [ ./sops ]; - environment.systemPackages = with pkgs; [ arion ]; - virtualisation.arion = { - backend = "podman-socket"; - projects = { - cloud.settings = import ./docker/cloud.nix { inherit config pkgs lib; }; - authentik.settings = - import ./docker/authentik.nix { inherit config pkgs lib; }; - }; - }; - +{ config, pkgs, lib, ... }:{ + imports = [ ./sops ./nftables ./openssh ./arion ]; } 
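Review bot: `config.syscfg.server ? wireguard` on the replaced `if` line of the `peers` hunk tests whether the attribute exists, not whether it is true; once `wireguard` is declared as an option with `default = false` (as the syscfg hunk of this commit does, assuming that `server` attrset is the one this path reaches), the attribute is always present and every host takes the server branch of `peers`. The same pattern is used in the new modules/server/arion/default.nix with `config.syscfg.server ? arion`, which would enable arion on every host. Both should test the value: `if config.syscfg.server.wireguard then` and `config = lib.mkIf (config.syscfg.server.arion) {`. The `peers` expression continues past the end of the hunk.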
diff --git a/modules/nixos/system/network/wireguard/forwarding.nix b/modules/server/nftables/default.nix similarity index 82% rename from modules/nixos/system/network/wireguard/forwarding.nix rename to modules/server/nftables/default.nix index 97aa96f..d35df24 100644 --- a/modules/nixos/system/network/wireguard/forwarding.nix +++ b/modules/server/nftables/default.nix @@ -1,8 +1,7 @@ -{ config, lib, pkgs, ... }: -{ - config = lib.mkIf (config.syscfg.net.wg.server.enable) { +{ config, lib, ... }:{ + config = lib.mkIf (config.syscfg.server.nftables.enable) { boot.kernel.sysctl = { "net.ipv4.ip_forward" = 1; "net.ipv6.conf.all.forwarding" = 1; @@ -28,12 +27,12 @@ iifname "${srcInt}" tcp dport ${srcPort} counter dnat ip6 to [${dstAddr6}]:${dstPort} iifname "${srcInt}" udp dport ${srcPort} counter dnat ip6 to [${dstAddr6}]:${dstPort} '' - ) config.syscfg.net.wg.server.forward} + ) config.syscfg.server.nftables.ports} } chain postrouting { type nat hook postrouting priority srcnat; policy accept; - oifname { "wg0", "ens3" } masquerade + oifname { ${lib.concatMapStringsSep ", " (iface: ''"${iface}"'') config.syscfg.server.nftables.ifs} } masquerade } } ''; diff --git a/modules/server/openssh/default.nix b/modules/server/openssh/default.nix new file mode 100644 index 0000000..5f96ac2 --- /dev/null +++ b/modules/server/openssh/default.nix 
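Review bot: The masquerade rule in `chain postrouting` is now rendered from `config.syscfg.server.nftables.ifs`, whose declared default in this commit is an empty list, so a host that sets `nftables.enable` without listing interfaces produces `oifname {  } masquerade`, which nft will most likely reject and the whole ruleset then fails to load. Either wrap the line as `${lib.optionalString (config.syscfg.server.nftables.ifs != []) ''oifname { ... } masquerade''}` or add an assertion that `ifs` is non-empty whenever `nftables.enable` is true. The ruleset string this rule belongs to starts before the hunk.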
@@ -0,0 +1,27 @@
+{ config, lib, ... }:
+let
+ allUsers = lib.concatMap (peer: if peer.syscfg ? users then peer.syscfg.users else []) config.syscfg.peers;
+ groupedUsers = lib.groupBy (u: u.username) allUsers;
+ allowedUsernames = map (u: u.username) config.syscfg.users;
+ activeUsers = lib.filterAttrs (name: _: lib.elem name allowedUsernames) groupedUsers;
+in {
+ config = lib.mkIf (config.syscfg.server.nftables.enable) {
+ services.openssh = {
+ enable = true;
+ ports = [ 422 ];
+ banner = "";
+ settings = {
+ PasswordAuthentication = false;
+ PermitRootLogin = "no";
+ ClientAliveInterval = 60;
+ ClientAliveCountMax = 3;
+ TCPKeepAlive = true;
+ };
+ };
+ users.users = lib.mapAttrs (name: userList: {
+ openssh.authorizedKeys.keys = lib.unique (
+ lib.concatMap (u: if u ? pubssh then [ u.pubssh ] else []) userList
+ );
+ }) activeUsers;
+ };
+}
\ No newline at end of file
diff --git a/modules/shared/syscfg/default.nix b/modules/shared/syscfg/default.nix
index e864150..e282498 100644
--- a/modules/shared/syscfg/default.nix
+++ b/modules/shared/syscfg/default.nix
@@ -52,26 +52,6 @@ let
 type = types.str;
 default = "";
 };
- server = {
- enable = mkOption {
- type = types.bool;
- default = false;
- };
- peers = mkOption {
- type = types.listOf types.str;
- default = [];
- };
- forward = mkOption {
- type = types.listOf (types.listOf (types.oneOf [ types.str types.int ]));
- default = [];
- description = "Forwarding rules: [ [srcInterface dstAddr srcPort dstPort] ... ]";
- example = [
- [ "ens3" "10.10.1.2" "IPV6" 22 2222 ]
- [ "ens3" "10.10.1.2" "IPV6" 80 80 ]
- [ "ens3" "10.10.1.2" "IPV6" 443 443 ]
- ];
- };
- };
 };
 };
 makeOpt = with lib; {
@@ -114,7 +94,6 @@ let
 type = types.str;
 default = "3306";
 };
-
 configPath = mkOption {
 type = types.str;
 default = "/media/config";
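Review bot: The `lib.mkIf (config.syscfg.server.nftables.enable)` on the `config` line of the new openssh module gates sshd and the authorized-key wiring on the nftables flag rather than on the `openssh` option this commit introduces (and that systems/gateway/cfg.nix sets to true), so a host with `openssh = true` and nftables disabled gets no SSH service at all. It should read `config = lib.mkIf (config.syscfg.server.openssh) {`. Separately, `PermitRootLogin` goes from `"prohibit-password"` in the old gateway config to `"no"` here, which drops key-based root login; that looks like intended hardening, but it deserves a sentence in the commit message so nobody is surprised when root access stops working.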
@@ -123,6 +102,38 @@ let type = types.str; default = "/media/data"; }; + arion = mkOption { + type = type.bool; + default = false; + }; + openssh = mkOption { + type = type.bool; + default = false; + }; + wireguard = mkOption { + type = type.bool; + default = false; + }; + nftables = { + enable = mkOption { + type = type.bool; + default = false; + }; + ifs = mkOption { + type = types.listOf types.str; + default = [ ]; + }; + ports = mkOption { + type = types.listOf (types.listOf (types.oneOf [ types.str types.int ])); + default = []; + description = "Forwarding rules: [ [srcInterface dstAddr srcPort dstPort] ... ]"; + example = [ + [ "ens3" "10.10.1.2" "IPV6" 22 2222 ] + [ "ens3" "10.10.1.2" "IPV6" 80 80 ] + [ "ens3" "10.10.1.2" "IPV6" 443 443 ] + ]; + }; + }; }; in with lib; { diff --git a/systems/gateway/cfg.nix b/systems/gateway/cfg.nix index c784cfa..fdff7cb 100644 --- a/systems/gateway/cfg.nix +++ b/systems/gateway/cfg.nix @@ -24,15 +24,20 @@ ip4 = "10.10.1.1/32"; ip6 = "fd10:10:10::1/128"; pubkey = "NFBJvYXZC+bd62jhrKnM7/pugidWhgR6+C5qIiUiq3Q="; - server = { - enable = true; - forward = [ + }; + }; + server = { + openssh = true; + wireguard = true; + nftables = { + enable = true; + ifs = ["ens3" "wg0" ]; + ports = [ [ "ens3" "10.10.1.2" "fd10:10:10::2" 22 2222 ] # SSH/GIT [ "ens3" "10.10.1.2" "fd10:10:10::2" 80 80 ] # HTTP [ "ens3" "10.10.1.2" "fd10:10:10::2" 443 443 ] # HTTPS [ "ens3" "10.10.1.2" "fd10:10:10::2" 3979 3979 ] # OTTD - ]; - }; + ]; }; }; }; diff --git a/systems/gateway/default.nix b/systems/gateway/default.nix index 1106fd0..da7e024 100644 --- a/systems/gateway/default.nix +++ b/systems/gateway/default.nix 
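Review bot: The four new boolean options in the syscfg hunk (`arion`, `openssh`, `wireguard` and `nftables.enable`) are declared with `type = type.bool;`, while the neighbouring `ifs` option uses `types.listOf types.str`; nothing in the hunk binds a singular `type`, so evaluating the module will most likely fail with an undefined-variable error before any host can use these flags. They should be `type = types.bool;`. The `ports` description carried over from the removed `forward` option still says `[srcInterface dstAddr srcPort dstPort]`, whereas the example and the gateway config use five fields with a separate IPv6 address; change it to `description = "Forwarding rules: [ [srcInterface dstAddr4 dstAddr6 srcPort dstPort] ... ]";` so it matches what the nftables module destructures.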
@@ -1,27 +1,14 @@ -{ config, lib, inputs, ... }: -let - allUsers = lib.concatMap (peer: if peer.syscfg ? users then peer.syscfg.users else []) config.syscfg.peers; - groupedUsers = lib.groupBy (u: u.username) allUsers; - allowedUsernames = map (u: u.username) config.syscfg.users; - activeUsers = lib.filterAttrs (name: _: lib.elem name allowedUsernames) groupedUsers; -in { - imports = [ ./hardware.nix ]; +{ config, lib, inputs, ... }: { + imports = [ ./hardware.nix ../../modules/server ]; - services.openssh = { + system.autoUpgrade = { enable = true; - ports = [ 422 ]; - banner = ""; - settings = { - PasswordAuthentication = false; - PermitRootLogin = "prohibit-password"; - ClientAliveInterval = 60; - ClientAliveCountMax = 3; - TCPKeepAlive = true; - }; + flake = "git+https://git.helcel.net/sora/nixconfig"; + flags = [ + "--no-write-lock-file" + ]; + dates = "04:00"; + randomizedDelaySec = "30min"; + allowReboot = false; }; - users.users = lib.mapAttrs (name: userList: { - openssh.authorizedKeys.keys = lib.unique ( - lib.concatMap (u: if u ? pubssh then [ u.pubssh ] else []) userList - ); - }) activeUsers; }
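Review bot: `flake = "git+https://git.helcel.net/sora/nixconfig"` in the new `system.autoUpgrade` block carries no `?ref=` or `?rev=`, so the 04:00 run follows the remote's default branch and switches the gateway to whatever has been pushed there, unattended and as root; the inputs are taken from that checkout's flake.lock, and `--no-write-lock-file` means any input absent from it is resolved fresh each run with nothing recorded locally. Pin at least a branch, e.g. `flake = "git+https://git.helcel.net/sora/nixconfig?ref=<branch>";`, and treat push access to that branch as equivalent to root on this host. A short comment above the block stating that trust relationship would help the next reader, since the old file's inline SSH hardening has moved out to modules/server/openssh and this file no longer shows it.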