From 69b05190afb2ffdff270d4e2adad511df2988335 Mon Sep 17 00:00:00 2001 From: Jimbo Date: Thu, 12 Sep 2024 01:31:59 -0400 Subject: [PATCH] Some experiments --- nixos/modules/ips.nix | 3 +++ nixos/server/firewall.nix | 12 +++++++----- nixos/server/wireguard.nix | 8 ++++---- 3 files changed, 14 insertions(+), 9 deletions(-) diff --git a/nixos/modules/ips.nix b/nixos/modules/ips.nix index 8e9d6a6..0d30dfe 100644 --- a/nixos/modules/ips.nix +++ b/nixos/modules/ips.nix @@ -5,4 +5,7 @@ rec { pc = "${localSpan}.3"; vm = "${localSpan}.4"; hx = "${localSpan}.70"; + + wgInt = "wg0"; + wgSpan = "10.100.0"; } diff --git a/nixos/server/firewall.nix b/nixos/server/firewall.nix index ed99afa..f7a3478 100644 --- a/nixos/server/firewall.nix +++ b/nixos/server/firewall.nix @@ -26,23 +26,25 @@ chain PREROUTING { type nat hook prerouting priority dstnat; policy accept; tcp dport 2211 dnat to ${ips.pc}:22 comment "SSH to PC" + tcp dport 2233 dnat to ${ips.wgSpan}.3:22 comment "SSH to Oracle VM" + udp dport { 27005, 27015, 7777 } dnat to ${ips.pc} comment "PC Hosted Games" - + tcp dport { 58010, 57989, 57984 } dnat to ${ips.pc} comment "PC Sunshine TCP" udp dport { 57998, 57999, 58000 } dnat to ${ips.pc} comment "PC Sunshine UDP" - + tcp dport { 38010, 37989, 37984 } dnat to ${ips.vm} comment "VM Sunshine TCP" udp dport { 37998, 37999, 38000 } dnat to ${ips.vm} comment "VM Sunshine UDP" - + udp dport { 7790, 7791, 7792 } dnat to ${ips.hx} comment "Deus Ex" - + ip saddr ${outputs.secrets.cornIP} tcp dport { 9943, 9944 } dnat to ${ips.vm} comment "VM ALVR TCP" ip saddr ${outputs.secrets.cornIP} udp dport { 9943, 9944 } dnat to ${ips.vm} comment "VM ALVR UDP" } chain POSTROUTING { type nat hook postrouting priority 100; policy accept; oifname "${ips.netInt}" masquerade - ip saddr 10.100.0.0/24 oifname "${ips.netInt}" masquerade comment "WireGuard" + ip saddr ${ips.wgSpan}.0/24 oifname "${ips.netInt}" masquerade comment "WireGuard" } ''; }; diff --git a/nixos/server/wireguard.nix b/nixos/server/wireguard.nix index 93a4ad4..2b617f5 100644 --- a/nixos/server/wireguard.nix +++ b/nixos/server/wireguard.nix @@ -6,7 +6,7 @@ in { nat = { enable = true; externalInterface = "${ips.netInt}"; - internalInterfaces = [ "wg0" ]; + internalInterfaces = [ "${ips.wgInt}" ]; }; firewall.allowedUDPPorts = [ 51820 ]; }; @@ -17,17 +17,17 @@ in { # Wireguard interface name can be arbitrary wg0 = { # Determines the IP address and subnet of the server's end of the tunnel interface. - ips = [ "10.100.0.1/24" ]; + ips = [ "${ips.wgSpan}.1/24" ]; listenPort = 51820; privateKey = outputs.secrets.wireguardPriv; peers = [ { # Jimbo Pixel 9 publicKey = outputs.secrets.wirePixel9Pub; - allowedIPs = [ "10.100.0.2/32" ]; + allowedIPs = [ "${ips.wgSpan}.2/32" ]; } { # Oracle VM publicKey = outputs.secrets.wireOraclePub; - allowedIPs = [ "10.100.0.3/32" ]; + allowedIPs = [ "${ips.wgSpan}.3/32" ]; } ]; };