spoody/server-configuration
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity

the fucking shitty fuck vpn in the vm is finally fucking working

Browse source
This commit is contained in:
baritone 2025-03-06 11:36:02 +01:00
parent dd76463953
commit 470ab2074d
15 changed files with 701 additions and 256 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
configuration.nix
View file

@ -7,20 +7,24 @@
./services/nginx.nix
./services/openssh.nix
./services/forgejo.nix
# ./services/nextcloud.nix
# ./services/seafile.nix
./services/vaultwarden.nix
./services/jellyfin.nix
./services/website.nix
./services/mailserver.nix
./services/fail2ban.nix
./services/sonarr.nix
./services/auto-torrent.nix
./services/misc.nix
./modules/age.nix
./modules/microvm.nix
./modules/git.nix
./modules/nix-settings.nix
./modules/zfs.nix
(import ./modules/microvm.nix {routed = true;})
(import ./modules/networking-shared.nix {hostname = "server";})
(import ./modules/users.nix {main-user = "baritone";})
];

1
modules/age.nix
View file

@ -1,3 +1,4 @@
{config, ...}: {
# This is where the age files go
# age.secrets.nextcloud.file = ../secrets/nextcloud.age;
}

61
modules/microvm.nix
View file

@ -1,37 +1,58 @@
{
{routed ? false}: {
pkgs,
config,
lib,
...
}: let
attrSet = lib.lists.imap1 (i: v: {
attrSet = pkgs.lib.lists.imap1 (i: v: {
name = v;
index = i;
}) (builtins.attrNames config.microvm.vms);
in {
config.systemd.network.networks = builtins.listToAttrs (builtins.map ({
name,
index,
}: {
name = "30-vm${toString index}";
value = {
matchConfig.Name = "vm${toString index}";
address = [
"10.0.0.0/32"
];
routes = [
systemd.network.networks =
if routed
then
builtins.listToAttrs (builtins.map ({
name,
index,
}: {
name = "30-vm${toString index}";
value = {
matchConfig.Name = "vm${toString index}";
address = [
"10.0.0.0/32"
];
routes = [
{
Destination = "10.0.0.${toString index}/32";
}
];
networkConfig = {IPv4Forwarding = true;};
};
})
attrSet)
else {
"10-microvm" = {
matchConfig.Name = "microvm";
networkConfig.DHCPServer = true;
networkConfig.IPv6SendRA = true;
addresses = [
{
Destination = "10.0.0.${toString index}/32";
Address = "10.0.0.1/24";
}
];
networkConfig = {IPv4Forwarding = true;};
};
})
attrSet);
"11-microvm" = pkgs.lib.mkIf (!routed) {
matchConfig.Name = "vm-*";
# Attach to bridge configured above
networkConfig.Bridge = "microvm";
};
};
# NAT (make vms accessible in host)
config.networking.nat = {
networking.nat = {
enable = true;
internalIPs = ["10.0.0.0/24"];
externalInterface = "enp2s0";
internalIPs = pkgs.lib.mkIf routed ["10.0.0.0/24"];
internalInterfaces = pkgs.lib.mkIf (!routed) ["microvm"];
};
}

5
secrets/nextcloud.age Normal file
View file

@ -0,0 +1,5 @@
age-encryption.org/v1
-> ssh-ed25519 rgw77A FBgTHsvCbpuhDFHCOQ4MtkSu3b9WmlSDboN4x3J/p1M
Mwts15GY7TwmWhB/wZPQ7EfBJ61aV+1QbjwZL8xRcgM
--- PI2311X1EC/csuMWV1Nx5Wnu4ajhh6e42NkDYW/fNgE
Sód†AIdä*}<7D>éw”À;Î]¥û7êÍÛ] <@¢ž)^Ô˜³ü÷

3
secrets/secrets.nix
View file

@ -1,4 +1,5 @@
let
public-key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC562Woe/yT/3dNVceN9rKPJQcvgTFzIhJVdVGv7sqn1 baritone@server";
public-keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC562Woe/yT/3dNVceN9rKPJQcvgTFzIhJVdVGv7sqn1 baritone@server"];
in {
"nextcloud.age".publicKeys = public-keys;
}

214
services/auto-torrent.nix Normal file
View file

@ -0,0 +1,214 @@
{
config,
pkgs,
...
}: let
lib = pkgs.lib;
host = "10.0.0.${toString vm-index}";
port = 8989;
vm-index = 1;
vm-mac = "02:00:00:00:00:02";
vm-name = "auto-torrent";
in {
microvm.autostart = [vm-name];
users.extraUsers.microvm.extraGroups = [
"jellyfin" # access to media folder
];
system.activationScripts."make-${vm-name}-data-dir" = lib.stringAfter ["var"] ''
mkdir -p /var/lib/${vm-name}
chmod -R 777 /var/lib/${vm-name}
chown -R microvm /var/lib/${vm-name}
chmod -R 777 /media
'';
microvm.vms.${vm-name} = {
config = {...}: {
system.stateVersion = "25.05";
microvm.interfaces = [
{
id = "vm${toString vm-index}";
type = "tap";
mac = vm-mac;
}
];
microvm.shares = [
{
tag = "ro-store";
source = "/nix/store";
mountPoint = "/nix/.ro-store";
}
{
tag = "data-dir";
source = "/var/lib/${vm-name}";
mountPoint = "/mnt";
proto = "virtiofs";
}
{
tag = "media-dir";
source = "/media";
mountPoint = "/media";
proto = "virtiofs";
}
];
networking.useNetworkd = true;
networking.usePredictableInterfaceNames = false;
systemd.network.networks."10-eth" = {
matchConfig.MACAddress = vm-mac;
address = [
"10.0.0.${toString vm-index}/32"
];
routes = [
# Host Route
{
Destination = "10.0.0.0/32";
GatewayOnLink = true;
}
# Default route
{
Destination = "0.0.0.0/0";
Gateway = "10.0.0.0";
GatewayOnLink = true;
}
];
networkConfig = {
DNS = [
"9.9.9.9"
"8.8.8.8"
"8.8.4.4"
];
};
};
networking.useDHCP = false;
networking.nameservers = [
"10.0.101.1"
"8.8.8.8"
"8.8.4.4"
];
systemd.services."wireguard-kill-switch" = {
description = "Wireguard Kill Switch";
after = ["network-online.target"];
wants = ["network-online.target"];
wantedBy = ["multi-user.target"];
serviceConfig = {
type = "oneshot";
ExecStart = pkgs.writeShellScript "wgconf.sh" ''
# Stay a while and listen
# ${pkgs.toybox}/bin/sleep 5
# Route local traffic through wg0 except local traffic
${pkgs.iproute2}/bin/ip route add 10.0.0.0/32 dev eth0 && \
${pkgs.iproute2}/bin/ip route add 0.0.0.0/1 dev wg0
# Block all traffic that isnt local or through the vpn
${pkgs.iptables}/bin/iptables -I OUTPUT ! -o wg0 -m mark ! --mark 42 -m addrtype ! --dst-type LOCAL ! -d 10.0.0.0/32 -j REJECT
'';
RemainAfterExit = "yes";
};
};
networking.wireguard.enable = true;
systemd.network = {
netdevs."10-wg0" = {
netdevConfig = {
Kind = "wireguard";
Name = "wg0";
MTUBytes = "1300";
};
wireguardConfig = {
PrivateKeyFile = "${./wireguard-secret}";
FirewallMark = 42;
ListenPort = 51820;
};
wireguardPeers = [
{
PublicKey = "0qSP0VxoIhEhRK+fAHVvmfRdjPs2DmmpOCNLFP/7cGw=";
AllowedIPs = ["0.0.0.0/0"];
Endpoint = "193.32.248.66:51820";
# PersistentKeepalive = 25;
}
];
};
networks."wg0" = {
matchConfig.Name = "wg0";
address = [
" 10.65.241.123/32"
];
DHCP = "no";
dns = ["10.64.0.1"];
gateway = [
"10.0.0.0"
];
};
};
# Sleep them for a while to make sure everything is set up
systemd.services.sonarr.serviceConfig.ExecStartPre = "/run/current-system/sw/bin/sleep 5";
systemd.services.rutorrent.serviceConfig.ExecStartPre = "/run/current-system/sw/bin/sleep 5";
# fuck nano
programs.nano.enable = lib.mkForce false;
programs.vim.enable = true;
# Services
services.sonarr = {
enable = true;
openFirewall = true;
dataDir = "/mnt/sonarr";
};
services.radarr = {
enable = true;
openFirewall = false;
dataDir = "/mnt/radarr";
};
services.transmission = {
enable = true;
openFirewall = false;
settings.rpc-port = 9091;
};
# debugging
users.users.root = {
password = "1234";
};
services.openssh = {
enable = true;
settings = {
PermitRootLogin = "yes";
AllowUsers = null;
PasswordAuthentication = true;
KbdInteractiveAuthentication = true;
};
};
};
};
services.nginx.virtualHosts."sonarr.spoodythe.one" = {
addSSL = true;
enableACME = true;
listen = [
{
port = 8989;
addr = "0.0.0.0";
ssl = false;
}
{
port = 443;
addr = "0.0.0.0";
ssl = true;
}
];
locations."/" = {
proxyPass = "http://${host}:${toString port}";
};
};
networking.firewall.allowedTCPPorts = [port 80 433];
networking.firewall.allowedUDPPorts = [port 80 433];
}

29
services/jellyfin.nix
View file

@ -6,6 +6,34 @@
}: let
host = "127.0.0.1";
port = 8096;
jellyfin =
if config.services.mullvad-vpn.enable == true
then
pkgs.callPackage ({...}:
pkgs.stdenv.mkDerivation {
pname = "jellyfin-excluded";
version = "1.0.0";
phases = ["installPhase"];
buildInputs = [pkgs.jellyfin];
# Define the install phase
installPhase = ''
mkdir -p $out/bin
# Create a wrapper script
echo "${pkgs.mullvad-vpn}/bin/mullvad-exclude ${pkgs.jellyfin}/bin/jellyfin \"$@\"" > $out/bin/jellyfin-excluded
chmod +x $out/bin/jellyfin-excluded
'';
# Specify the output
meta = with pkgs.lib; {
description = "A wrapper for the hello command";
mainProgram = "jellyfin-excluded";
license = licenses.mit;
};
}) {}
else pkgs.jellyfin;
in {
# Enable VAAPI
config.nixpkgs.config.packageOverrides = pkgs: {
@ -32,6 +60,7 @@ in {
# Enable Jellyfin
config.services.jellyfin = {
enable = true;
package = jellyfin;
openFirewall = false; # We want jellyfin behind a reverse proxy
};

17
services/nextcloud.nix
View file

@ -1,13 +1,24 @@
{pkgs, ...}: let
{
config,
pkgs,
...
}: let
nextcloud-pkg = pkgs.nextcloud30;
host = "127.0.0.1";
port = 8008;
lib = pkgs.lib;
in {
# system.activationScripts."make-nextcloud-dir" = lib.stringAfter ["var"] ''
# mkdir -p /var/lib/nextcloud
# chmod -R 770 /var/lib/nextcloud
# chown -R nextcloud:nextcloud /var/lib/nextcloud
# '';
services.nextcloud = {
enable = true;
package = nextcloud-pkg;
hostName = "localhost";
config.adminpassFile = "/var/lib/db/nextcloud/admin-password";
config.adminpassFile = "/etc/nextcloud-admin-password";
config.dbtype = "sqlite";
};
@ -19,7 +30,7 @@ in {
}
];
services.nginx.virtualHosts."nextcloud.spoodythe.one" = {
addSSL = true;
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://${host}:${toString port}";

4
services/nginx.nix
View file

@ -6,7 +6,9 @@
recommendedProxySettings = true;
recommendedTlsSettings = true;
virtualHosts."_" = {
virtualHosts."spoodythe.one" = {
forceSSL = true;
enableACME = true;
default = true;
locations."/" = {
return = 404;

18
services/rtorrent.nix Normal file
View file

@ -0,0 +1,18 @@
{pkgs, ...}: let
port = 9091;
in {
# services.rtorrent = {
# enable = true;
# dataDir = "/mnt/rtorrent";
# user = "rtorrent";
# group = "rtorrent";
# package = pkgs.jesec-rtorrent;
# inherit port;
# };
services.transmission = {
enable = true;
openFirewall = false;
settings.rpc-port = port;
};
}

28
services/seafile.nix Normal file
View file

@ -0,0 +1,28 @@
{
config,
pkgs,
...
}: let
host = "127.0.0.1";
port = 8008;
in {
services.seafile = {
enable = true;
adminEmail = "snorre@altschul.dk";
seahubAddress = "http://${host}:${toString port}";
# seafileSettings.fileserver = {
# inherit host port;
# };
};
services.nginx.virtualHosts."files.spoodythe.one" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://${host}:${toString port}";
};
};
# Open port 80 and 443 for reverse proxy
networking.firewall.allowedTCPPorts = [80 443];
networking.firewall.allowedUDPPorts = [80 443];
}

189
services/sonarr-old.nix Executable file
View file

@ -0,0 +1,189 @@
{
pkgs,
lib,
config,
...
}: let
host = "127.0.0.1";
port = 8989;
vm-index = 1;
vm-mac = "00:00:00:00:00:01";
vm-name = "necoarc";
in {
config.microvm.autostart = [vm-name];
config.users.extraUsers.microvm.extraGroups = [
"jellyfin" # access to media folder
];
config.system.activationScripts."make${vm-name}DataDir" = lib.stringAfter ["var"] ''
mkdir -p /var/lib/${vm-name}
chmod -R 777 /var/lib/${vm-name}
chown -R microvm /var/lib/${vm-name}
chmod -R 777 /media
'';
# config.networking.wireguard.enable = true;
# # config.boot.extraModulePackages = [config.boot.kernelPackages.wireguard];
# config.networking.wireguard.interfaces.wg0 = {
# ips = ["10.75.60.108/32"];
# listenPort = 51820;
# privateKeyFile = "${./wireguard-secret}";
# peers = [
# {
# publicKey = "TPAIPTgu9jIitgX1Bz5xMCZJ9pRRZTdtZEOIxArO0Hc=";
# endpoint = "185.254.75.4:51820";
# allowedIPs = ["0.0.0.0/0"];
# persistentKeepalive = 25;
# }
# ];
# };
# config.systemd.network.networks.wg0 = {
# matchConfig.Name = "wg0";
# address = ["10.0.1.${toString vm-index}/24"];
# networkConfig = {
# IPMasquerade = "ipv4";
# IPv4Forwarding = true;
# };
# };
config.microvm.vms.${vm-name} = {
config = {config, ...}: {
system.stateVersion = "24.11";
# Storage share configuration
microvm.shares = [
{
tag = "ro-store";
source = "/nix/store";
mountPoint = "/nix/.ro-store";
}
{
tag = "data-dir";
source = "/var/lib/${vm-name}";
mountPoint = "/mnt";
proto = "virtiofs";
}
{
tag = "media-dir";
source = "/media/shows";
mountPoint = "/media/shows";
proto = "virtiofs";
}
];
# Allow the service to use the share
system.activationScripts."chownDataDir" = lib.stringAfter ["var"] ''
mkdir -p /mnt
chmod -R 770 /mnt
chown -R sonarr:sonarr /mnt
'';
systemd.services.sonarr.serviceConfig.ExecStartPre = "/run/current-system/sw/bin/sleep 5";
systemd.services.rutorrent.serviceConfig.ExecStartPre = "/run/current-system/sw/bin/sleep 5";
microvm.hypervisor = "qemu";
# VM Networking
microvm.interfaces = [
{
id = "vm${toString vm-index}";
type = "tap";
mac = vm-mac;
}
];
networking.useNetworkd = true;
systemd.network.networks."10-eth" = {
matchConfig.MACAddress = vm-mac;
address = [
"10.0.0.${toString vm-index}/32"
];
routes = [
# Host Route
{
Destination = "10.0.0.0/32";
GatewayOnLink = true;
}
# Default route
{
Destination = "0.0.0.0/0";
Gateway = "10.0.0.0";
GatewayOnLink = true;
}
];
networkConfig = {
DNS = [
"9.9.9.9"
"8.8.8.8"
"8.8.4.4"
];
};
};
networking.useDHCP = false;
networking.nameservers = [
"10.0.101.1"
"8.8.8.8"
"8.8.4.4"
];
programs.nano.enable = lib.mkForce false;
programs.vim.enable = true;
# Services
services.sonarr = {
enable = true;
openFirewall = true;
dataDir = "/mnt/sonarr";
};
services.rtorrent = {
enable = true;
dataDir = "/mnt/rtorrent";
user = "rtorrent";
group = "rtorrent";
port = 9999;
};
# Debug user
users.users."root" = {
password = "1234";
};
environment.systemPackages = [pkgs.dig];
services.openssh = {
enable = true;
settings = {
PermitRootLogin = "yes";
AllowUsers = null;
PasswordAuthentication = true;
KbdInteractiveAuthentication = true;
};
};
};
};
config.networking.firewall.allowedTCPPorts = [port 80 433];
config.networking.firewall.allowedUDPPorts = [port 80 433];
config.services.nginx.virtualHosts."sonarr.spoodythe.one" = {
addSSL = true;
enableACME = true;
listen = [
{
port = 8989;
addr = "0.0.0.0";
ssl = false;
}
{
port = 443;
addr = "0.0.0.0";
ssl = true;
}
];
locations."/" = {
proxyPass = "http://10.0.0.${toString vm-index}:${toString port}";
};
};
}

243
services/sonarr.nix Executable file → Normal file
View file

@ -1,240 +1,25 @@
{
pkgs,
lib,
config,
...
}: let
{...}: let
host = "127.0.0.1";
port = 8989;
vm-index = 1;
vm-mac = "00:00:00:00:00:01";
vm-name = "necoarc";
in {
config.microvm.autostart = [vm-name];
config.users.extraUsers.microvm.extraGroups = [
"jellyfin" # access to media folder
];
config.system.activationScripts."make${vm-name}DataDir" = lib.stringAfter ["var"] ''
mkdir -p /var/lib/${vm-name}
chmod -R 777 /var/lib/${vm-name}
chown -R microvm /var/lib/${vm-name}
chmod -R 777 /media
'';
# config.networking.wireguard.enable = true;
# # config.boot.extraModulePackages = [config.boot.kernelPackages.wireguard];
# config.networking.wireguard.interfaces.wg0 = {
# ips = ["10.75.60.108/32"];
# listenPort = 51820;
# privateKeyFile = "${./wireguard-secret}";
# peers = [
# {
# publicKey = "TPAIPTgu9jIitgX1Bz5xMCZJ9pRRZTdtZEOIxArO0Hc=";
# endpoint = "185.254.75.4:51820";
# allowedIPs = ["0.0.0.0/0"];
# persistentKeepalive = 25;
# }
# ];
# };
# config.systemd.network.networks.wg0 = {
# matchConfig.Name = "wg0";
# address = ["10.0.1.${toString vm-index}/24"];
# networkConfig = {
# IPMasquerade = "ipv4";
# IPv4Forwarding = true;
# };
# };
config.microvm.vms.${vm-name} = {
config = {config, ...}: {
system.stateVersion = "24.11";
# Storage share configuration
microvm.shares = [
{
tag = "ro-store";
source = "/nix/store";
mountPoint = "/nix/.ro-store";
}
{
tag = "data-dir";
source = "/var/lib/${vm-name}";
mountPoint = "/mnt";
proto = "virtiofs";
}
{
tag = "media-dir";
source = "/media/shows";
mountPoint = "/media/shows";
proto = "virtiofs";
}
];
# Allow the service to use the share
system.activationScripts."chownDataDir" = lib.stringAfter ["var"] ''
mkdir -p /mnt
chmod -R 770 /mnt
chown -R sonarr:sonarr /mnt
'';
systemd.services.sonarr.serviceConfig.ExecStartPre = "/run/current-system/sw/bin/sleep 5";
systemd.services.rutorrent.serviceConfig.ExecStartPre = "/run/current-system/sw/bin/sleep 5";
microvm.hypervisor = "qemu";
# VM Networking
microvm.interfaces = [
{
id = "vm${toString vm-index}";
type = "tap";
mac = vm-mac;
}
];
networking.useNetworkd = true;
systemd.network.networks."10-eth" = {
matchConfig.MACAddress = vm-mac;
address = [
"10.0.0.${toString vm-index}/32"
];
routes = [
# Host Route
{
Destination = "10.0.0.0/32";
GatewayOnLink = true;
}
# Default route
{
Destination = "0.0.0.0/0";
Gateway = "10.0.0.0";
GatewayOnLink = true;
}
];
networkConfig = {
DNS = [
# "9.9.9.9"
# "8.8.8.8"
# "8.8.4.4"
# Only allow mullvad DNS server
"10.64.0.1"
];
};
};
networking.useDHCP = false;
networking.nameservers = [
"10.0.101.1"
"8.8.8.8"
"8.8.4.4"
];
# Services
services.sonarr = {
enable = true;
openFirewall = true;
dataDir = "/mnt/sonarr";
};
services.rtorrent = {
enable = true;
dataDir = "/mnt/rtorrent";
user = "rtorrent";
group = "rtorrent";
port = 9999;
};
# networking.wireguard.enable = true;
# boot.extraModulePackages = [config.boot.kernelPackages.wireguard];
# networking.wireguard.interfaces.wg0 = {
# ips = ["10.75.60.108/32"];
# listenPort = 51820;
# privateKeyFile = "${./wireguard-secret}";
# peers = [
# {
# publicKey = "TPAIPTgu9jIitgX1Bz5xMCZJ9pRRZTdtZEOIxArO0Hc=";
# endpoint = "185.254.75.4:51820";
# allowedIPs = ["0.0.0.0/0"];
# persistentKeepalive = 25;
# }
# ];
# };
# networking.firewall.extraCommands = ''
# ${pkgs.iptables}/bin/iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL ! -d 10.0.0.0/8 -j REJECT && ${pkgs.iptables}/bin/ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
# '';
# services.openvpn.servers.mullvad = {
# config = ''
# client
# dev tun
# resolv-retry infinite
# nobind
# persist-key
# persist-tun
# verb 3
# remote-cert-tls server
# ping 10
# ping-restart 60
# sndbuf 524288
# rcvbuf 524288
# cipher AES-256-GCM
# tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
# proto udp
# auth-user-pass mullvad_userpass.txt
# ca mullvad_ca.crt
# script-security 2
# up /etc/openvpn/update-resolv-conf
# down /etc/openvpn/update-resolv-conf
# fast-io
# remote 193.32.248.72 1301 # de-ber-ovpn-001
# '';
# authUserPass.username = "9898431198930064";
# authUserPass.password = "m";
# updateResolvConf = true;
# };
# Debug user
users.users."root" = {
password = "1234";
};
environment.systemPackages = [pkgs.dig];
services.openssh = {
enable = true;
settings = {
PermitRootLogin = "yes";
AllowUsers = null;
PasswordAuthentication = true;
KbdInteractiveAuthentication = true;
};
};
};
users.extraUsers.sonarr.extraGroups = ["jellyfin"]; # Access to the media folder
services.sonarr = {
enable = true;
openFirewall = true;
};
services.rtorrent = {
enable = true;
dataDir = "/mnt/rtorrent";
user = "rtorrent";
group = "rtorrent";
port = 9999;
};
config.networking.firewall.allowedTCPPorts = [port 80 433];
config.networking.firewall.allowedUDPPorts = [port 80 433];
config.services.nginx.virtualHosts."sonarr.spoodythe.one" = {
services.nginx.virtualHosts."sonarr.spoodythe.one" = {
addSSL = true;
enableACME = true;
listen = [
{
port = 8989;
addr = "0.0.0.0";
ssl = false;
}
{
port = 443;
addr = "0.0.0.0";
ssl = true;
}
];
locations."/" = {
proxyPass = "http://10.0.0.${toString vm-index}:${toString port}";
proxyPass = "http://${host}:${toString port}";
};
};
}

133
services/vm-test.nix Normal file
View file

@ -0,0 +1,133 @@
{
config,
pkgs,
...
}: let
vm-index = 1;
vm-mac = "02:00:00:00:00:02";
in {
config.microvm.vms."vm-test" = {
config = {...}: {
microvm.interfaces = [
{
id = "vm${toString vm-index}";
type = "tap";
mac = vm-mac;
}
];
microvm.shares = [
{
tag = "ro-store";
source = "/nix/store";
mountPoint = "/nix/.ro-store";
}
];
networking.useNetworkd = true;
networking.usePredictableInterfaceNames = false;
systemd.network.networks."10-eth" = {
matchConfig.MACAddress = vm-mac;
address = [
"10.0.0.${toString vm-index}/32"
];
routes = [
# Host Route
{
Destination = "10.0.0.0/32";
GatewayOnLink = true;
}
# Default route
{
Destination = "0.0.0.0/0";
Gateway = "10.0.0.0";
GatewayOnLink = true;
}
];
networkConfig = {
DNS = [
"9.9.9.9"
"8.8.8.8"
"8.8.4.4"
];
};
};
networking.useDHCP = false;
networking.nameservers = [
"10.0.101.1"
"8.8.8.8"
"8.8.4.4"
];
systemd.services."wireguard-kill-switch" = {
description = "Wireguard Kill Switch";
after = ["network-online.target"];
wants = ["network-online.target"];
wantedBy = ["multi-user.target"];
serviceConfig = {
type = "oneshot";
ExecStart = pkgs.writeShellScript "wgconf.sh" ''
# Stay a while and listen
# ${pkgs.toybox}/bin/sleep 5
# Route local traffic through wg0 except local traffic
${pkgs.iproute2}/bin/ip route add 10.0.0.0/32 dev eth0 && \
${pkgs.iproute2}/bin/ip route add 0.0.0.0/1 dev wg0
# Block all traffic that isnt local or through the vpn
${pkgs.iptables}/bin/iptables -I OUTPUT ! -o wg0 -m mark ! --mark 42 -m addrtype ! --dst-type LOCAL ! -d 10.0.0.0/32 -j REJECT
'';
RemainAfterExit = "yes";
};
};
networking.wireguard.enable = true;
systemd.network = {
netdevs."10-wg0" = {
netdevConfig = {
Kind = "wireguard";
Name = "wg0";
MTUBytes = "1300";
};
wireguardConfig = {
PrivateKeyFile = "${./wireguard-secret}";
FirewallMark = 42;
ListenPort = 51820;
};
wireguardPeers = [
{
PublicKey = "0qSP0VxoIhEhRK+fAHVvmfRdjPs2DmmpOCNLFP/7cGw=";
AllowedIPs = ["0.0.0.0/0"];
Endpoint = "193.32.248.66:51820";
# PersistentKeepalive = 25;
}
];
};
networks."wg0" = {
matchConfig.Name = "wg0";
address = [
" 10.65.241.123/32"
];
DHCP = "no";
dns = ["10.64.0.1"];
gateway = [
"10.0.0.0"
];
};
};
users.users.root = {
password = "1234";
};
services.openssh = {
enable = true;
settings = {
PermitRootLogin = "yes";
AllowUsers = null;
PasswordAuthentication = true;
KbdInteractiveAuthentication = true;
};
};
};
};
}

4
services/vpn.nix Normal file
View file

@ -0,0 +1,4 @@
{pkgs, ...}: {
services.mullvad-vpn.enable = true;
environment.systemPackages = [pkgs.wireguard-tools];
}