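# MEOW OS -- NixOS module for the "leon" microvm.
#
# Two tap interfaces: "serv" (static IPv4, routed only to the rest of the
# site network so the host is reachable by public-access-proxy) and "pub"
# (ordinary DHCP/RA client, also the egress for the trusted VPN's NAT).
# Two WireGuard interfaces are hosted here: vpn1 (trusted, NATed out via
# pub) and vpn2 (untrusted, no NAT rule).
{ zentralwerk, config, pkgs, ... }:

let
  netConfig = zentralwerk.lib.config.site.net.serv;

  # Fixed MACs so the tap interfaces can be matched and renamed below.
  mac = {
    serv = "e2:e9:bb:f4:49:fe";
    pub = "e2:e9:bb:f4:49:ff";
  };

  # One binding per VPN network so the interface address, the peer
  # allowedIPs, the NAT rule and the firewall port cannot drift apart.
  vpn1Net = "10.10.11.0/24";
  vpn2Net = "10.10.100.0/24";
  vpn1Port = 19800;
  # FIXME: constructed placeholder.  vpn1 and vpn2 cannot both bind UDP
  # 19800 (the second interface fails to come up); choose a free port for
  # vpn2 -- it is opened in the firewall via this binding.
  vpn2Port = 19801;
in
{
  microvm = {
    mem = 2048;
    interfaces = [
      { type = "tap"; id = "pub-leon"; mac = mac.pub; }
      { type = "tap"; id = "serv-leon"; mac = mac.serv; }
    ];
  };

  c3d2.deployment = {
    server = "nomad";
    mounts = [ "etc" "home" "var" ];
    mountBase = "/glusterfs/fast/microvms/${config.networking.hostName}";
    autoNetSetup = false;
  };

  networking = {
    hostName = "leon";

    firewall = {
      enable = true;
      allowedTCPPorts = [ 5000 22 53 80 8080 ];
      # 22/80/8080 are TCP services and are listed here only because the
      # previous configuration opened them on UDP as well -- worth pruning.
      # The WireGuard listen ports must be open here; the wireguard module
      # does not open them itself.
      allowedUDPPorts = [ 5000 22 53 80 8080 vpn1Port vpn2Port ];
    };

    # Both interfaces live in ONE definition; the previous configuration
    # assigned networking.wireguard.interfaces twice, which relies on the
    # evaluator merging the two attribute sets.
    wireguard.interfaces = {
      # Trusted VPN.  Peers are masqueraded out through pub, so this host
      # acts as an internet gateway for them; peers must still configure a
      # DNS server of their own.
      vpn1 = {
        ips = [ "10.10.11.1/24" ];
        listenPort = vpn1Port;
        # iptables masks off the host bits, so "-s ${vpn1Net}" installs the
        # same rule the previous "-s 10.10.11.1/24" did.
        postSetup = ''
          ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s ${vpn1Net} -o pub -j MASQUERADE
        '';
        # Delete exactly the rule added in postSetup.
        postShutdown = ''
          ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s ${vpn1Net} -o pub -j MASQUERADE
        '';
        # Keep the key out of the world-readable Nix store: privateKeyFile,
        # never the inline privateKey option.
        privateKeyFile = "/etc/wireguard/privatekey";
        peers = [
          # leon-Mac
          {
            publicKey = "okZuIQ90J49IJ3s+/dZyLthvo4rR2kclmTL54Ykglio=";
            allowedIPs = [ vpn1Net ];
          }
        ];
      };

      # Untrusted VPN.  No NAT rule is installed for it, so its peers are
      # not masqueraded out via pub.
      vpn2 = {
        ips = [ "10.10.100.1/24" ];
        listenPort = vpn2Port;
        # FIXME: constructed placeholder path.  The NixOS wireguard module
        # asserts that privateKey or privateKeyFile is set, and the trusted
        # and untrusted networks should not share one key/identity.
        privateKeyFile = "/etc/wireguard/vpn2-privatekey";
        peers = [
          # leon-Mac
          {
            publicKey = "6GRIp7SjHyu5sgqudtgZdN9CKbV3GYtMnwgo06F4ylo=";
            allowedIPs = [ vpn2Net ];
          }
        ];
      };
    };
  };

  systemd.network = {
    enable = true;

    # serv: static IPv4 and only a route to the rest of the site network,
    # so that this host is reachable by public-access-proxy.
    links."00-serv" = {
      matchConfig.MACAddress = mac.serv;
      linkConfig.Name = "serv";
    };
    networks."00-serv" = {
      matchConfig.MACAddress = mac.serv;
      # Try harder to keep global IPv6 off this interface.
      networkConfig = {
        IPv6AcceptRA = false;
        LinkLocalAddressing = "no";
      };
      addresses = [
        { addressConfig.Address = "${config.c3d2.hosts.leon.ip4}/${toString netConfig.subnet4Len}"; }
      ];
      routes = [
        {
          routeConfig = {
            Destination = "172.20.0.0/14";
            Gateway = config.c3d2.hosts.serv-gw.ip4;
          };
        }
        {
          # Return path for the upstream port forwardings.
          routeConfig = {
            Destination = "${zentralwerk.lib.config.site.hosts.upstream4.interfaces.up4-pppoe.upstream.staticIpv4Address}/32";
            Gateway = config.c3d2.hosts.serv-gw.ip4;
          };
        }
      ];
    };

    # pub: a normal client.
    links."00-pub" = {
      matchConfig.MACAddress = mac.pub;
      linkConfig.Name = "pub";
    };
    networks."01-pub" = {
      matchConfig.MACAddress = mac.pub;
      networkConfig = {
        DHCP = "ipv4";
        IPv6AcceptRA = true;
      };
    };
  };

  # wheel members escalate without a password, so access to root on this
  # host is gated solely by the SSH key configured below.
  security.sudo = {
    enable = true;
    wheelNeedsPassword = false;
  };

  # List packages installed in system profile. To search, run:
  # $ nix search wget
  environment.systemPackages = with pkgs; [ wget vim python3Full nmap htop wireguard-tools ];

  users.users.leon = {
    isNormalUser = true;
    extraGroups = [ "wheel" ];
    createHome = true;
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM2zpmWA3Z9zshWaU8k1SWyJnbAyasOu9pV+9BvTY0XE leon@¯\_(ツ)_/¯"
    ];
  };

  system.stateVersion = "22.05";
}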