feat: modularize hydrogen's services
This commit is contained in:
parent
5c35d5938c
commit
24c8bac4a1
|
@ -1,9 +1,10 @@
|
||||||
{ modulesPath, pkgs, lib, name, config, ... }:
|
{ modulesPath, pkgs, lib, name, ... }: {
|
||||||
|
|
||||||
{
|
|
||||||
imports =
|
imports =
|
||||||
lib.optional (builtins.pathExists ./do-userdata.nix) ./do-userdata.nix
|
lib.optional (builtins.pathExists ./do-userdata.nix) ./do-userdata.nix ++ [
|
||||||
++ [ (modulesPath + "/virtualisation/digital-ocean-config.nix") ];
|
(modulesPath + "/virtualisation/digital-ocean-config.nix")
|
||||||
|
|
||||||
|
./services
|
||||||
|
];
|
||||||
|
|
||||||
networking = {
|
networking = {
|
||||||
hostName = name;
|
hostName = name;
|
||||||
|
@ -14,12 +15,6 @@
|
||||||
80 # http
|
80 # http
|
||||||
443 # https
|
443 # https
|
||||||
];
|
];
|
||||||
allowedUDPPorts = [
|
|
||||||
5553 # wireguard
|
|
||||||
];
|
|
||||||
interfaces."wg0".allowedUDPPorts = [
|
|
||||||
53 # dns
|
|
||||||
];
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -29,113 +24,6 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
networking.nat.enable = true;
|
networking.nat.enable = true;
|
||||||
networking.nat.internalInterfaces = [ "wg0" ];
|
|
||||||
networking.wireguard.interfaces = {
|
|
||||||
wg0 = {
|
|
||||||
ips = [ "10.0.0.1/24" ];
|
|
||||||
listenPort = 5553;
|
|
||||||
privateKeyFile = "/root/wg-private";
|
|
||||||
peers = [
|
|
||||||
{ # pixel
|
|
||||||
publicKey = "HS2q+PpPPwxqT1jCD7D4puqr4ZyaXV5TostavlYWBx0=";
|
|
||||||
allowedIPs = [ "10.0.0.2/32" ];
|
|
||||||
}
|
|
||||||
{ # neodymium
|
|
||||||
publicKey = "IFeRvelEilNRLkhWgFKL9HrJ9XYsm+r4yvv23CigETk=";
|
|
||||||
allowedIPs = [ "10.0.0.3/32" ];
|
|
||||||
}
|
|
||||||
];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
services.blocky = {
|
|
||||||
enable = true;
|
|
||||||
settings = {
|
|
||||||
upstream.default = [ "208.67.222.222" "208.67.220.220" ];
|
|
||||||
clientLookup.clients = {
|
|
||||||
hydrogen = [ "10.0.0.1" "127.0.0.1" ];
|
|
||||||
pixel5 = [ "10.0.0.2" ];
|
|
||||||
neodymium = [ "10.0.0.3" ];
|
|
||||||
};
|
|
||||||
blocking = {
|
|
||||||
refreshPeriod = "24h";
|
|
||||||
clientGroupsBlock.default =
|
|
||||||
[ "firebog-tick" "firebog-nocross" "regex" ];
|
|
||||||
blackLists = {
|
|
||||||
firebog-tick = [
|
|
||||||
# https://v.firebog.net/hosts/lists.php?type=tick
|
|
||||||
"https://adaway.org/hosts.txt"
|
|
||||||
"https://bitbucket.org/ethanr/dns-blacklists/raw/8575c9f96e5b4a1308f2f12394abd86d0927a4a0/bad_lists/Mandiant_APT1_Report_Appendix_D.txt"
|
|
||||||
"https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-malware.txt"
|
|
||||||
"https://hostfiles.frogeye.fr/firstparty-trackers-hosts.txt"
|
|
||||||
"https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt"
|
|
||||||
"https://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&showintro=0&mimetype=plaintext"
|
|
||||||
"https://phishing.army/download/phishing_army_blocklist_extended.txt"
|
|
||||||
"https://raw.githubusercontent.com/anudeepND/blacklist/master/adservers.txt"
|
|
||||||
"https://raw.githubusercontent.com/AssoEchap/stalkerware-indicators/master/generated/hosts"
|
|
||||||
"https://raw.githubusercontent.com/bigdargon/hostsVN/master/hosts"
|
|
||||||
"https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt"
|
|
||||||
"https://raw.githubusercontent.com/DandelionSprout/adfilt/master/Alternate%20versions%20Anti-Malware%20List/AntiMalwareHosts.txt"
|
|
||||||
"https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.2o7Net/hosts"
|
|
||||||
"https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Risk/hosts"
|
|
||||||
"https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Spam/hosts"
|
|
||||||
"https://raw.githubusercontent.com/FadeMind/hosts.extras/master/UncheckyAds/hosts"
|
|
||||||
"https://raw.githubusercontent.com/PolishFiltersTeam/KADhosts/master/KADhosts.txt"
|
|
||||||
"https://raw.githubusercontent.com/Spam404/lists/master/main-blacklist.txt"
|
|
||||||
"https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt"
|
|
||||||
"https://s3.amazonaws.com/lists.disconnect.me/simple_malvertising.txt"
|
|
||||||
"https://urlhaus.abuse.ch/downloads/hostfile/"
|
|
||||||
"https://v.firebog.net/hosts/AdguardDNS.txt"
|
|
||||||
"https://v.firebog.net/hosts/Admiral.txt"
|
|
||||||
"https://v.firebog.net/hosts/Easylist.txt"
|
|
||||||
"https://v.firebog.net/hosts/Easyprivacy.txt"
|
|
||||||
"https://v.firebog.net/hosts/Prigent-Ads.txt"
|
|
||||||
"https://v.firebog.net/hosts/Prigent-Crypto.txt"
|
|
||||||
"https://v.firebog.net/hosts/RPiList-Malware.txt"
|
|
||||||
"https://v.firebog.net/hosts/RPiList-Phishing.txt"
|
|
||||||
"https://v.firebog.net/hosts/static/w3kbl.txt"
|
|
||||||
"https://zerodot1.gitlab.io/CoinBlockerLists/hosts_browser"
|
|
||||||
];
|
|
||||||
firebog-nocross = [
|
|
||||||
# https://v.firebog.net/hosts/lists.php?type=nocross
|
|
||||||
"https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-blocklist.txt"
|
|
||||||
"https://malware-filter.gitlab.io/malware-filter/phishing-filter-hosts.txt"
|
|
||||||
"https://paulgb.github.io/BarbBlock/blacklists/hosts-file.txt"
|
|
||||||
"https://raw.githubusercontent.com/jdlingyu/ad-wars/master/hosts"
|
|
||||||
"https://raw.githubusercontent.com/matomo-org/referrer-spam-blacklist/master/spammers.txt"
|
|
||||||
"https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/AmazonFireTV.txt"
|
|
||||||
"https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/android-tracking.txt"
|
|
||||||
"https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/SmartTV.txt"
|
|
||||||
"https://raw.githubusercontent.com/RooneyMcNibNug/pihole-stuff/master/SNAFU.txt"
|
|
||||||
"https://raw.githubusercontent.com/VeleSila/yhosts/master/hosts"
|
|
||||||
"https://someonewhocares.org/hosts/zero/hosts"
|
|
||||||
"https://v.firebog.net/hosts/neohostsbasic.txt"
|
|
||||||
"https://v.firebog.net/hosts/Prigent-Malware.txt"
|
|
||||||
"https://winhelp2002.mvps.org/hosts.txt"
|
|
||||||
"https://www.github.developerdan.com/hosts/lists/ads-and-tracking-extended.txt"
|
|
||||||
];
|
|
||||||
regex = [''
|
|
||||||
# https://github.com/mmotti/pihole-regex/blob/master/regex.list
|
|
||||||
/^ad([sxv]?[0-9]*|system)[_.-]([^.[:space:]]+\\.){1,}|[_.-]ad([sxv]?[0-9]*|system)[_.-]/
|
|
||||||
/^(.+[_.-])?adse?rv(er?|ice)?s?[0-9]*[_.-]/
|
|
||||||
/^(.+[_.-])?telemetry[_.-]/
|
|
||||||
/^adim(age|g)s?[0-9]*[_.-]/
|
|
||||||
/^adtrack(er|ing)?[0-9]*[_.-]/
|
|
||||||
/^advert(s|is(ing|ements?))?[0-9]*[_.-]/
|
|
||||||
/^aff(iliat(es?|ion))?[_.-]/
|
|
||||||
/^analytics?[_.-]/
|
|
||||||
/^banners?[_.-]/
|
|
||||||
/^beacons?[0-9]*[_.-]/
|
|
||||||
/^count(ers?)?[0-9]*[_.-]/
|
|
||||||
/^mads\\./
|
|
||||||
/^pixels?[-.]/
|
|
||||||
/^stat(s|istics)?[0-9]*[_.-]/
|
|
||||||
/.*\\.g[0-9]+\\..*/
|
|
||||||
''];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
users.mutableUsers = false;
|
users.mutableUsers = false;
|
||||||
users.users.root.openssh.authorizedKeys.keys = [
|
users.users.root.openssh.authorizedKeys.keys = [
|
||||||
|
@ -144,42 +32,6 @@
|
||||||
|
|
||||||
environment.systemPackages = with pkgs; [ htop ];
|
environment.systemPackages = with pkgs; [ htop ];
|
||||||
|
|
||||||
age.secrets.gitea = {
|
|
||||||
file = ../../secrets/gitea.age;
|
|
||||||
owner = "gitea";
|
|
||||||
group = "gitea";
|
|
||||||
};
|
|
||||||
age.identityPaths = [ "/root/.ssh/id_ed25519" ];
|
|
||||||
|
|
||||||
services.gitea = {
|
|
||||||
enable = true;
|
|
||||||
domain = "git.fainsin.bzh";
|
|
||||||
rootUrl = "https://git.fainsin.bzh";
|
|
||||||
lfs.enable = true;
|
|
||||||
database = {
|
|
||||||
type = "postgres";
|
|
||||||
passwordFile = config.age.secrets.gitea.path;
|
|
||||||
};
|
|
||||||
settings = {
|
|
||||||
service = {
|
|
||||||
"DEFAULT_KEEP_EMAIL_PRIVATE" = true;
|
|
||||||
"DISABLE_REGISTRATION" = true;
|
|
||||||
};
|
|
||||||
server = { "LANDING_PAGE" = "explore"; };
|
|
||||||
indexer = {
|
|
||||||
"REPO_INDEXER_ENABLED" = true;
|
|
||||||
"REPO_INDEXER_PATH" = "indexers/repos.bleve";
|
|
||||||
"UPDATE_BUFFER_LEN" = 20;
|
|
||||||
"MAX_FILE_SIZE" = 1048576;
|
|
||||||
"REPO_INDEXER_EXCLUDE" = "node_modules/**";
|
|
||||||
};
|
|
||||||
session = {
|
|
||||||
"PROVIDER" = "db";
|
|
||||||
"COOKIE_SECURE" = true;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
services.nginx = {
|
services.nginx = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
|
||||||
|
@ -188,13 +40,6 @@
|
||||||
recommendedGzipSettings = true;
|
recommendedGzipSettings = true;
|
||||||
recommendedProxySettings = true;
|
recommendedProxySettings = true;
|
||||||
|
|
||||||
commonHttpConfig = ''
|
|
||||||
log_format vhosts '$host $remote_addr - $remote_user [$time_local] '
|
|
||||||
'$request $status $body_bytes_sent $http_referer '
|
|
||||||
'$http_user_agent $http_x_forwarded_for';
|
|
||||||
access_log /var/log/nginx/access.log vhosts;
|
|
||||||
'';
|
|
||||||
|
|
||||||
virtualHosts = {
|
virtualHosts = {
|
||||||
"fainsin.bzh" = {
|
"fainsin.bzh" = {
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
|
@ -207,14 +52,6 @@
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
root = "/srv/www/";
|
root = "/srv/www/";
|
||||||
};
|
};
|
||||||
"git.fainsin.bzh" = {
|
|
||||||
enableACME = true;
|
|
||||||
forceSSL = true;
|
|
||||||
locations."/" = {
|
|
||||||
proxyPass = "http://localhost:3000/";
|
|
||||||
proxyWebsockets = true;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
default = {
|
default = {
|
||||||
default = true;
|
default = true;
|
||||||
locations."/".return = ''301 "$scheme://fainsin.bzh" '';
|
locations."/".return = ''301 "$scheme://fainsin.bzh" '';
|
||||||
|
|
103
hosts/hydrogen/services/blocky/default.nix
Normal file
103
hosts/hydrogen/services/blocky/default.nix
Normal file
|
@ -0,0 +1,103 @@
|
||||||
|
{ ... }: {
|
||||||
|
networking = {
|
||||||
|
firewall = {
|
||||||
|
# allow dns queries trough wireguard
|
||||||
|
interfaces."wg0".allowedUDPPorts = [
|
||||||
|
53 # dns default port
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
services.blocky = {
|
||||||
|
enable = true;
|
||||||
|
settings = {
|
||||||
|
upstream.default = [ "208.67.222.222" "208.67.220.220" ];
|
||||||
|
|
||||||
|
clientLookup.clients = {
|
||||||
|
hydrogen = [ "10.0.0.1" "127.0.0.1" ];
|
||||||
|
pixel5 = [ "10.0.0.2" ];
|
||||||
|
neodymium = [ "10.0.0.3" ];
|
||||||
|
};
|
||||||
|
|
||||||
|
blocking = {
|
||||||
|
refreshPeriod = "24h";
|
||||||
|
clientGroupsBlock.default =
|
||||||
|
[ "firebog-tick" "firebog-nocross" "regex" ];
|
||||||
|
blackLists = {
|
||||||
|
firebog-tick = [
|
||||||
|
# https://v.firebog.net/hosts/lists.php?type=tick
|
||||||
|
"https://adaway.org/hosts.txt"
|
||||||
|
"https://bitbucket.org/ethanr/dns-blacklists/raw/8575c9f96e5b4a1308f2f12394abd86d0927a4a0/bad_lists/Mandiant_APT1_Report_Appendix_D.txt"
|
||||||
|
"https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-malware.txt"
|
||||||
|
"https://hostfiles.frogeye.fr/firstparty-trackers-hosts.txt"
|
||||||
|
"https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt"
|
||||||
|
"https://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&showintro=0&mimetype=plaintext"
|
||||||
|
"https://phishing.army/download/phishing_army_blocklist_extended.txt"
|
||||||
|
"https://raw.githubusercontent.com/anudeepND/blacklist/master/adservers.txt"
|
||||||
|
"https://raw.githubusercontent.com/AssoEchap/stalkerware-indicators/master/generated/hosts"
|
||||||
|
"https://raw.githubusercontent.com/bigdargon/hostsVN/master/hosts"
|
||||||
|
"https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt"
|
||||||
|
"https://raw.githubusercontent.com/DandelionSprout/adfilt/master/Alternate%20versions%20Anti-Malware%20List/AntiMalwareHosts.txt"
|
||||||
|
"https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.2o7Net/hosts"
|
||||||
|
"https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Risk/hosts"
|
||||||
|
"https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Spam/hosts"
|
||||||
|
"https://raw.githubusercontent.com/FadeMind/hosts.extras/master/UncheckyAds/hosts"
|
||||||
|
"https://raw.githubusercontent.com/PolishFiltersTeam/KADhosts/master/KADhosts.txt"
|
||||||
|
"https://raw.githubusercontent.com/Spam404/lists/master/main-blacklist.txt"
|
||||||
|
"https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt"
|
||||||
|
"https://s3.amazonaws.com/lists.disconnect.me/simple_malvertising.txt"
|
||||||
|
"https://urlhaus.abuse.ch/downloads/hostfile/"
|
||||||
|
"https://v.firebog.net/hosts/AdguardDNS.txt"
|
||||||
|
"https://v.firebog.net/hosts/Admiral.txt"
|
||||||
|
"https://v.firebog.net/hosts/Easylist.txt"
|
||||||
|
"https://v.firebog.net/hosts/Easyprivacy.txt"
|
||||||
|
"https://v.firebog.net/hosts/Prigent-Ads.txt"
|
||||||
|
"https://v.firebog.net/hosts/Prigent-Crypto.txt"
|
||||||
|
"https://v.firebog.net/hosts/RPiList-Malware.txt"
|
||||||
|
"https://v.firebog.net/hosts/RPiList-Phishing.txt"
|
||||||
|
"https://v.firebog.net/hosts/static/w3kbl.txt"
|
||||||
|
"https://zerodot1.gitlab.io/CoinBlockerLists/hosts_browser"
|
||||||
|
];
|
||||||
|
firebog-nocross = [
|
||||||
|
# https://v.firebog.net/hosts/lists.php?type=nocross
|
||||||
|
"https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-blocklist.txt"
|
||||||
|
"https://malware-filter.gitlab.io/malware-filter/phishing-filter-hosts.txt"
|
||||||
|
"https://paulgb.github.io/BarbBlock/blacklists/hosts-file.txt"
|
||||||
|
"https://raw.githubusercontent.com/jdlingyu/ad-wars/master/hosts"
|
||||||
|
"https://raw.githubusercontent.com/matomo-org/referrer-spam-blacklist/master/spammers.txt"
|
||||||
|
"https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/AmazonFireTV.txt"
|
||||||
|
"https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/android-tracking.txt"
|
||||||
|
"https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/SmartTV.txt"
|
||||||
|
"https://raw.githubusercontent.com/RooneyMcNibNug/pihole-stuff/master/SNAFU.txt"
|
||||||
|
"https://raw.githubusercontent.com/VeleSila/yhosts/master/hosts"
|
||||||
|
"https://someonewhocares.org/hosts/zero/hosts"
|
||||||
|
"https://v.firebog.net/hosts/neohostsbasic.txt"
|
||||||
|
"https://v.firebog.net/hosts/Prigent-Malware.txt"
|
||||||
|
"https://winhelp2002.mvps.org/hosts.txt"
|
||||||
|
"https://www.github.developerdan.com/hosts/lists/ads-and-tracking-extended.txt"
|
||||||
|
];
|
||||||
|
regex = [
|
||||||
|
# https://github.com/mmotti/pihole-regex/blob/master/regex.list
|
||||||
|
''
|
||||||
|
/^ad([sxv]?[0-9]*|system)[_.-]([^.[:space:]]+\\.){1,}|[_.-]ad([sxv]?[0-9]*|system)[_.-]/
|
||||||
|
/^(.+[_.-])?adse?rv(er?|ice)?s?[0-9]*[_.-]/
|
||||||
|
/^(.+[_.-])?telemetry[_.-]/
|
||||||
|
/^adim(age|g)s?[0-9]*[_.-]/
|
||||||
|
/^adtrack(er|ing)?[0-9]*[_.-]/
|
||||||
|
/^advert(s|is(ing|ements?))?[0-9]*[_.-]/
|
||||||
|
/^aff(iliat(es?|ion))?[_.-]/
|
||||||
|
/^analytics?[_.-]/
|
||||||
|
/^banners?[_.-]/
|
||||||
|
/^beacons?[0-9]*[_.-]/
|
||||||
|
/^count(ers?)?[0-9]*[_.-]/
|
||||||
|
/^mads\\./
|
||||||
|
/^pixels?[-.]/
|
||||||
|
/^stat(s|istics)?[0-9]*[_.-]/
|
||||||
|
/.*\\.g[0-9]+\\..*/
|
||||||
|
''
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
1
hosts/hydrogen/services/default.nix
Normal file
1
hosts/hydrogen/services/default.nix
Normal file
|
@ -0,0 +1 @@
|
||||||
|
{ imports = [ ./gitea ./blocky ./wireguard ]; }
|
46
hosts/hydrogen/services/gitea/default.nix
Normal file
46
hosts/hydrogen/services/gitea/default.nix
Normal file
|
@ -0,0 +1,46 @@
|
||||||
|
{ config, ... }: {
|
||||||
|
age.secrets.gitea = {
|
||||||
|
file = ../../../../secrets/gitea.age;
|
||||||
|
owner = "gitea";
|
||||||
|
group = "gitea";
|
||||||
|
};
|
||||||
|
age.identityPaths = [ "/root/.ssh/id_ed25519" ];
|
||||||
|
|
||||||
|
services.gitea = {
|
||||||
|
enable = true;
|
||||||
|
domain = "git.fainsin.bzh";
|
||||||
|
rootUrl = "https://git.fainsin.bzh";
|
||||||
|
lfs.enable = true;
|
||||||
|
database = {
|
||||||
|
type = "postgres";
|
||||||
|
passwordFile = config.age.secrets.gitea.path;
|
||||||
|
};
|
||||||
|
settings = {
|
||||||
|
service = {
|
||||||
|
"DEFAULT_KEEP_EMAIL_PRIVATE" = true;
|
||||||
|
"DISABLE_REGISTRATION" = true;
|
||||||
|
};
|
||||||
|
server = { "LANDING_PAGE" = "explore"; };
|
||||||
|
indexer = {
|
||||||
|
"REPO_INDEXER_ENABLED" = true;
|
||||||
|
"REPO_INDEXER_PATH" = "indexers/repos.bleve";
|
||||||
|
"UPDATE_BUFFER_LEN" = 20;
|
||||||
|
"MAX_FILE_SIZE" = 1048576;
|
||||||
|
"REPO_INDEXER_EXCLUDE" = "node_modules/**";
|
||||||
|
};
|
||||||
|
session = {
|
||||||
|
"PROVIDER" = "db";
|
||||||
|
"COOKIE_SECURE" = true;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
services.nginx.virtualHosts."git.fainsin.bzh" = {
|
||||||
|
enableACME = true;
|
||||||
|
forceSSL = true;
|
||||||
|
locations."/" = {
|
||||||
|
proxyPass = "http://localhost:3000/";
|
||||||
|
proxyWebsockets = true;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
29
hosts/hydrogen/services/wireguard/default.nix
Normal file
29
hosts/hydrogen/services/wireguard/default.nix
Normal file
|
@ -0,0 +1,29 @@
|
||||||
|
{ ... }: {
|
||||||
|
networking = {
|
||||||
|
firewall = {
|
||||||
|
allowedUDPPorts = [
|
||||||
|
5553 # default wireguard port
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
nat.internalInterfaces = [ "wg0" ];
|
||||||
|
|
||||||
|
wireguard.interfaces = {
|
||||||
|
wg0 = {
|
||||||
|
ips = [ "10.0.0.1/24" ];
|
||||||
|
listenPort = 5553;
|
||||||
|
privateKeyFile = "/root/wg-private";
|
||||||
|
peers = [
|
||||||
|
{ # pixel
|
||||||
|
publicKey = "HS2q+PpPPwxqT1jCD7D4puqr4ZyaXV5TostavlYWBx0=";
|
||||||
|
allowedIPs = [ "10.0.0.2/32" ];
|
||||||
|
}
|
||||||
|
{ # neodymium
|
||||||
|
publicKey = "IFeRvelEilNRLkhWgFKL9HrJ9XYsm+r4yvv23CigETk=";
|
||||||
|
allowedIPs = [ "10.0.0.3/32" ];
|
||||||
|
}
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
Loading…
Reference in a new issue