From 0ac3bbfbe20df09c8f31eab792d2d32819cb1d94 Mon Sep 17 00:00:00 2001
From: Clara Dautermann
Date: Sun, 6 Apr 2025 07:50:37 +0200
Subject: [PATCH] flake cleanup and wg setup persistence
---
 configs/container_config.nix | 24 +++++++++++++++++-----
 configs/containers/mc_container.nix | 19 +++++++++++++++++
 configs/containers/wg_container.nix | 12 +++++++++++
 configs/containers/zammad_container.nix | 17 ++++++++++++++++
 configs/services/minecraft-server.nix | 2 --
 configs/services/wireguard.nix | 11 +++++++++-
 flake.nix | 27 +++----------------------
 7 files changed, 80 insertions(+), 32 deletions(-)
 create mode 100644 configs/containers/mc_container.nix
 create mode 100644 configs/containers/wg_container.nix
 create mode 100644 configs/containers/zammad_container.nix
diff --git a/configs/container_config.nix b/configs/container_config.nix
index dc8541e..a848ec8 100644
--- a/configs/container_config.nix
+++ b/configs/container_config.nix
@@ -1,4 +1,4 @@
-{ modulesPath, pkgs, ... }: {
+{ modulesPath, pkgs, lib, ... }: {
 imports = [ (modulesPath + "/virtualisation/proxmox-lxc.nix") ];
 time.timeZone = "Europe/Berlin";
@@ -43,7 +43,24 @@
 };
 # Enable networking
- networking.networkmanager.enable = true;
+ networking = {
+ networkmanager.enable = true;
+
+ # configure firewall
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [ 22 ];
+ };
+
+ # enable routing of wireguard reachable subnet via wgbr
+ interfaces.wgbr.ipv4.routes = lib.mkDefault [
+ {
+ address = "10.8.0.0";
+ prefixLength = 16;
+ via = "10.8.1.1";
+ }
+ ];
+ };
 # enable ssh access
 services.openssh = {
@@ -58,9 +75,6 @@
 };
 };
- # configure firewall
- networking.firewall.enable = true;
- networking.firewall.allowedTCPPorts = [ 22 ];
 # This value determines the NixOS release from which the default
 # settings for stateful data, like file locations and database versions
diff --git a/configs/containers/mc_container.nix b/configs/containers/mc_container.nix
new file mode 100644
index 0000000..ca83913
--- /dev/null
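Review bot: The `interfaces.wgbr.ipv4.routes = lib.mkDefault [ ... ]` block in the second container_config.nix hunk installs a route for 10.8.0.0/16 via 10.8.1.1 on every host that imports this base module, but nothing there says why it is only a default or who is expected to override it; services/wireguard.nix in this same commit sets `routes = [ ]` on the host that owns 10.8.1.1. A comment such as `# mkDefault: the wireguard host is 10.8.1.1 itself and clears this in services/wireguard.nix` would make that coupling visible to the next reader. Hosts that import this module without assigning a wgbr address still receive the route definition; whether a wgbr interface exists on every such host cannot be seen from this diff.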
+++ b/configs/containers/mc_container.nix
@@ -0,0 +1,19 @@
+{ lib, pkgs, config, ... }: {
+
+ deployment = {
+ targetHost = "192.168.178.56";
+ targetPort = 22;
+ targetUser = "root";
+ };
+ networking.hostName = "mcserver";
+ networking.interfaces.wgbr.ipv4.addresses = [
+ {
+ address = "10.8.1.2";
+ prefixLength = 24;
+ }
+ ];
+ imports = [
+ ../container_config.nix
+ ../services/minecraft-server.nix
+ ];
+}
diff --git a/configs/containers/wg_container.nix b/configs/containers/wg_container.nix
new file mode 100644
index 0000000..b42b448
--- /dev/null
+++ b/configs/containers/wg_container.nix
@@ -0,0 +1,12 @@
+{ lib, pkgs, config, ... }: {
+ deployment = {
+ targetHost = "192.168.178.44";
+ targetPort = 22;
+ targetUser = "root";
+ };
+ networking.hostName = "wireguard";
+ imports = [
+ ../container_config.nix
+ ../services/wireguard.nix
+ ];
+}
diff --git a/configs/containers/zammad_container.nix b/configs/containers/zammad_container.nix
new file mode 100644
index 0000000..04c3e4d
--- /dev/null
+++ b/configs/containers/zammad_container.nix
@@ -0,0 +1,17 @@
+{ lib, pkgs, config, ... }: {
+ deployment = {
+ targetHost = "192.168.178.50";
+ targetPort = 22;
+ targetUser = "root";
+ };
+ networking.hostName = "zammad";
+ networking.interfaces.wgbr.ipv4.addresses = [
+ {
+ address = "10.8.1.3";
+ prefixLength = 24;
+ }
+ ];
+ imports = [
+ ../container_config.nix
+ ];
+}
diff --git a/configs/services/minecraft-server.nix b/configs/services/minecraft-server.nix
index ad0a175..69b35d5 100644
--- a/configs/services/minecraft-server.nix
+++ b/configs/services/minecraft-server.nix
@@ -35,6 +35,4 @@
 };
 networking.firewall.allowedTCPPorts = [ 8080 ];
-
-
 }
diff --git a/configs/services/wireguard.nix b/configs/services/wireguard.nix
index 76455d5..002bf04 100644
--- a/configs/services/wireguard.nix
+++ b/configs/services/wireguard.nix
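Review bot: `targetHost = "192.168.178.56";` in mc_container.nix changes the mcserver deployment target: the mcserver definition this commit removes from flake.nix used 192.168.178.50, and that address is now given to zammad_container.nix, while the commit message mentions only cleanup and wg persistence — if the move is intended it belongs in the description, otherwise the two hosts have been swapped. The module header `{ lib, pkgs, config, ... }: {` binds three arguments the body never reads; `{ ... }: {` is enough, and the same applies to wg_container.nix and zammad_container.nix. The `deployment` attribute set looks like a deployment-tool option (targetHost/targetPort/targetUser); a one-line header comment naming the tool, and noting that `targetUser = "root"` depends on the openssh settings in container_config.nix permitting root logins, would help the next reader.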
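Review bot: Unlike the other two new container files, wg_container.nix assigns no `networking.interfaces.wgbr.ipv4.addresses`; the 10.8.1.1/24 address comes from ../services/wireguard.nix, which also clears the default wgbr route that container_config.nix installs. That is not visible from this file alone, so a comment above `imports`, e.g. `# wgbr address (10.8.1.1/24) and routes are set in services/wireguard.nix`, would stop a reader from concluding the bridge is unconfigured on this host.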
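Review bot: zammad_container.nix sets a hostname and a wgbr address of 10.8.1.3 but imports only ../container_config.nix, so nothing in this file provides the service its name implies; whether the service module is still to be written or lives elsewhere cannot be told from the diff. A line such as `# TODO: import the zammad service module once it exists` above `imports` would record that state for whoever deploys this node next.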
@@ -9,6 +9,15 @@ in {
 firewall.allowedUDPPorts = [ wg_port ];
 firewall.rejectPackets = true;
 firewall.trustedInterfaces = [ "wgbr" "wg0" ];
+ interfaces.wgbr.ipv4 = {
+ routes = [ ];
+ addresses = [
+ {
+ address = "10.8.1.1";
+ prefixLength = 24;
+ }
+ ];
+ };
 wg-quick.interfaces = {
 wg0 = {
@@ -27,7 +36,7 @@ in {
 publicKey = "AJ1nr0/w8OvsNq5Ju//m4856u7yY0hlPGMEGeZtlhlY=";
 # Forward all the traffic via VPN.
- allowedIPs = [ "10.8.0.0/24" ];
+ allowedIPs = [ "10.8.0.0/16" ];
 # Set this to the server IP and port.
 endpoint = "202.61.230.52:51820";
diff --git a/flake.nix b/flake.nix
index 70afb14..9ce2413 100644
--- a/flake.nix
+++ b/flake.nix
@@ -10,32 +10,11 @@
 };
 };
- mcserver = {
- deployment = {
- targetHost = "192.168.178.50";
- targetPort = 22;
- targetUser = "root";
- };
- networking.hostName = "mcserver";
- imports = [
- ./configs/container_config.nix
- ./configs/services/minecraft-server.nix
- ];
- };
+ mcserver = import ./configs/containers/mc_container.nix;
- wireguard = {
- deployment = {
- targetHost = "192.168.178.44";
- targetPort = 22;
- targetUser = "root";
- };
- networking.hostName = "wireguard";
- imports = [
- ./configs/container_config.nix
- ./configs/services/wireguard.nix
- ];
+ wireguard = import ./configs/containers/wg_container.nix;
- };
+ zammad = import ./configs/containers/zammad_container.nix;
 };
 };
 }
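Review bot: `routes = [ ];` in the new `interfaces.wgbr.ipv4` block reads as a no-op unless the reader knows it exists to beat the `lib.mkDefault` route to 10.8.0.0/16 via 10.8.1.1 that container_config.nix installs on every host — and this host is 10.8.1.1, so that default must be dropped here. A comment such as `# this host is 10.8.1.1; override the default wgbr route from container_config.nix` would make the intent explicit. The `in { ... }` attribute set enclosing this hunk begins and ends outside it.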
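Review bot: Widening the peer's `allowedIPs` to `10.8.0.0/16` makes it cover the 10.8.1.0/24 bridge subnet that this same commit assigns to wgbr: WireGuard's cryptokey routing will now accept packets from that remote peer carrying any 10.8.x.x source address, including the local bridge range, and the context line `firewall.trustedInterfaces = [ "wgbr" "wg0" ];` admits them without filtering. If the remote end only needs to reach the bridge rather than originate traffic as a bridge address, listing the remote ranges it actually serves instead of the whole /16 would be the tighter choice; otherwise the trust decision deserves a comment. The existing context comment `# Forward all the traffic via VPN.` no longer describes the line below it — `# Route the 10.8.0.0/16 VPN range (overlaps the local wgbr subnet) via this peer.` would be accurate.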