mirror of
https://github.com/phfroidmont/self-hosting.git
synced 2026-03-28 06:26:08 +01:00
a6571d5f39
Replace the OpenVPN/OCServ path with a cleaner wstunnel-terminated WireGuard relay on :443, advertise/approve corporate subnet routes through Headscale, and add wsl DNS/route plumbing for tailnet access.
161 lines
3.5 KiB
Nix
161 lines
3.5 KiB
Nix
{
|
|
modulesPath,
|
|
...
|
|
}:
|
|
{
|
|
imports = [
|
|
(modulesPath + "/installer/scan/not-detected.nix")
|
|
(modulesPath + "/profiles/qemu-guest.nix")
|
|
../environment.nix
|
|
../modules/openssh.nix
|
|
];
|
|
|
|
networking.useDHCP = true;
|
|
nixpkgs.hostPlatform = "x86_64-linux";
|
|
|
|
boot.loader.grub = {
|
|
efiSupport = true;
|
|
efiInstallAsRemovable = true;
|
|
};
|
|
|
|
time.timeZone = "Europe/Amsterdam";
|
|
|
|
boot.tmp.cleanOnBoot = true;
|
|
networking.firewall.allowPing = true;
|
|
networking.firewall.allowedTCPPorts = [
|
|
80
|
|
443
|
|
];
|
|
networking.usePredictableInterfaceNames = false;
|
|
custom.services.openssh.enable = true;
|
|
services.openssh.openFirewall = true;
|
|
|
|
services.nscd.enableNsncd = true;
|
|
zramSwap.enable = true;
|
|
|
|
security.acme = {
|
|
acceptTerms = true;
|
|
defaults.email = "letsencrypt.account@banditlair.com";
|
|
certs."ws.banditlair.com" = {
|
|
listenHTTP = "0.0.0.0:80";
|
|
reloadServices = [ "wstunnel-server-relay.service" ];
|
|
};
|
|
};
|
|
|
|
services.wstunnel = {
|
|
enable = true;
|
|
servers.relay = {
|
|
listen = {
|
|
host = "0.0.0.0";
|
|
port = 443;
|
|
enableHTTPS = true;
|
|
};
|
|
useACMEHost = "ws.banditlair.com";
|
|
settings = {
|
|
log-lvl = "INFO";
|
|
restrict-to = [
|
|
{
|
|
host = "127.0.0.1";
|
|
port = 51820;
|
|
}
|
|
];
|
|
};
|
|
};
|
|
};
|
|
|
|
systemd.services.wstunnel-server-relay = {
|
|
after = [ "acme-ws.banditlair.com.service" ];
|
|
wants = [ "acme-ws.banditlair.com.service" ];
|
|
};
|
|
|
|
networking.wireguard.enable = true;
|
|
networking.wireguard.interfaces.wg-relay = {
|
|
ips = [ "10.250.250.1/30" ];
|
|
listenPort = 51820;
|
|
privateKeyFile = "/var/lib/wireguard/wg-relay.key";
|
|
generatePrivateKeyFile = true;
|
|
peers = [
|
|
{
|
|
publicKey = "EX3QEJYNzs3sA3FUEIc9YGAhEup20qOCzUe+nMRrljQ=";
|
|
allowedIPs = [
|
|
"10.250.250.2/32"
|
|
"10.33.0.0/16"
|
|
"10.46.0.0/16"
|
|
"10.133.0.0/16"
|
|
"10.134.0.0/16"
|
|
"10.161.0.0/16"
|
|
"10.200.0.0/16"
|
|
];
|
|
}
|
|
];
|
|
};
|
|
|
|
services.tailscale = {
|
|
enable = true;
|
|
useRoutingFeatures = "server";
|
|
extraSetFlags = [
|
|
"--advertise-routes=10.250.250.2/32,10.33.0.0/16,10.46.0.0/16,10.133.0.0/16,10.134.0.0/16,10.161.0.0/16,10.200.0.0/16"
|
|
];
|
|
};
|
|
|
|
boot.kernel.sysctl."net.ipv4.ip_forward" = true;
|
|
|
|
networking.nat = {
|
|
enable = true;
|
|
internalInterfaces = [ "tailscale0" ];
|
|
externalInterface = "wg-relay";
|
|
};
|
|
|
|
disko.devices = {
|
|
disk.disk1 = {
|
|
device = "/dev/sda";
|
|
type = "disk";
|
|
content = {
|
|
type = "gpt";
|
|
partitions = {
|
|
boot = {
|
|
name = "boot";
|
|
size = "1M";
|
|
type = "EF02";
|
|
};
|
|
esp = {
|
|
name = "ESP";
|
|
size = "500M";
|
|
type = "EF00";
|
|
content = {
|
|
type = "filesystem";
|
|
format = "vfat";
|
|
mountpoint = "/boot";
|
|
};
|
|
};
|
|
root = {
|
|
name = "root";
|
|
size = "100%";
|
|
content = {
|
|
type = "lvm_pv";
|
|
vg = "pool";
|
|
};
|
|
};
|
|
};
|
|
};
|
|
};
|
|
lvm_vg = {
|
|
pool = {
|
|
type = "lvm_vg";
|
|
lvs = {
|
|
root = {
|
|
size = "100%FREE";
|
|
content = {
|
|
type = "filesystem";
|
|
format = "ext4";
|
|
mountpoint = "/";
|
|
mountOptions = [
|
|
"defaults"
|
|
];
|
|
};
|
|
};
|
|
};
|
|
};
|
|
};
|
|
};
|
|
}
|