changed vps3

This commit is contained in:
Alexander Szczepanski
2022-12-04 13:02:11 +01:00
parent 4f78fda23b
commit b9ed0b1f29
2 changed files with 8 additions and 66 deletions

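--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -22,8 +22,6 @@ in {
 "10MB"
 "-listen"
 "127.0.0.1:53"
-"-forwarder"
-secrets.nextdnsforwarder
 "-report-client-info"
 ];
 };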
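Review bot: Dropping `"-forwarder"` and `secrets.nextdnsforwarder` leaves the listener on `127.0.0.1:53` with no explicit upstream, so where queries are sent now depends entirely on the binary's built-in default, which this file no longer records. A one-line comment next to `"-listen"` saying which upstream is used after this change, or why none is needed, would keep the next reader from having to look it up. The enclosing argument list and attribute set start and end outside the hunk.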


@ -10,45 +10,20 @@ in {
time.timeZone = "Europe/Berlin"; time.timeZone = "Europe/Berlin";
networking = { networking = {
hostName = "vpse"; # Define your hostname. hostName = "vps3"; # Define your hostname.
useDHCP = false; useDHCP = false;
interfaces.ens18 = { useDHCP = true; }; interfaces.ens18 = { useDHCP = true; };
wireguard.interfaces = { wireguard.interfaces = {
wg0 = { wg0 = {
ips = [ "10.100.0.1/24" ]; ips = [ "10.100.0.100/32" ];
listenPort = 51820; privateKey = secrets.wireguard-vps3-private;
postSetup = ''
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o ens3 -j MASQUERADE
'';
postShutdown = ''
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o ens3 -j MASQUERADE
'';
privateKey = secrets.wireguard-vps-private;
peers = [ peers = [
{ {
publicKey = secrets.wireguard-desktop-public; publicKey = secrets.wireguard-vps-public;
presharedKey = secrets.wireguard-preshared; presharedKey = secrets.wireguard-preshared;
allowedIPs = [ "10.100.0.2/32" ]; allowedIPs = [ "10.100.0.0/24" ];
} endpoint = "szczepan.ski:51820";
{ persistentKeepalive = 25;
publicKey = secrets.wireguard-mini-public;
presharedKey = secrets.wireguard-preshared;
allowedIPs = [ "10.100.0.3/32" "192.168.178.0/24" ];
}
{
publicKey = secrets.wireguard-mbp-public;
presharedKey = secrets.wireguard-preshared;
allowedIPs = [ "10.100.0.4/32" ];
}
{
publicKey = secrets.wireguard-phone1-public;
presharedKey = secrets.wireguard-preshared;
allowedIPs = [ "10.100.0.5/32" ];
}
{
publicKey = secrets.wireguard-raspberrypi-public;
presharedKey = secrets.wireguard-preshared;
allowedIPs = [ "10.100.0.6/32" ];
} }
]; ];
}; };
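Review bot: `privateKey = secrets.wireguard-vps3-private;` on `wg0` writes the new key into the Nix store, which is world-readable on the host, so the rotated secret is no better protected than the `wireguard-vps-private` it replaces; `privateKeyFile = "/run/keys/wg-vps3.key"; # placeholder path` with the file deployed outside the store and mode 0400 is the option NixOS provides for this. The server-to-peer conversion is otherwise consistent: `listenPort`, the MASQUERADE hooks and the `51820 # wireguard` firewall entry in the next hunk go together, and `allowedIPs = [ "10.100.0.0/24" ]` is the right scope for a single upstream peer. The second hunk also drops `security.acme.acceptTerms = true;`, which makes evaluation fail if any virtual host in this file still sets `enableACME`, so that is worth confirming rather than leaving to the build. The `networking` attribute set begins before this hunk.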
@ -62,27 +37,17 @@ in {
allowedUDPPorts = [ allowedUDPPorts = [
80 # web 80 # web
443 # web 443 # web
51820 # wireguard
]; ];
# interfaces.wg0 = {
# allowedTCPPorts = [
# 2049
# 61208 # foo
# ];
# };
}; };
}; };
environment.systemPackages = with pkgs; [ goaccess xd nyx ]; environment.systemPackages = with pkgs; [ ];
programs = { programs = {
mtr.enable = true; mtr.enable = true;
fuse.userAllowOther = true; fuse.userAllowOther = true;
}; };
security.acme.defaults.email = "webmaster@szczepan.ski";
security.acme.acceptTerms = true;
services = { services = {
fail2ban = { fail2ban = {
enable = true; enable = true;
@ -98,27 +63,6 @@ in {
enabled = true enabled = true
''; '';
}; };
borgbackup.jobs.home = rec {
compression = "auto,zstd";
encryption = {
mode = "repokey-blake2";
passphrase = secrets.borg-key;
};
extraCreateArgs =
"--stats --verbose --checkpoint-interval 600 --exclude-caches";
environment.BORG_RSH = "ssh -i /home/alex/.ssh/id_borg_rsa";
paths = [ "/home/alex" "/var/lib" ];
repo = secrets.borg-repo;
startAt = "daily";
prune.keep = {
daily = 7;
weekly = 4;
monthly = 6;
};
extraPruneArgs = "--save-space --stats";
exclude = [ "/home/alex/.cache" ];
};
}; };
# Limit stack size to reduce memory usage # Limit stack size to reduce memory usage