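# NixOS host "v6proxy": a small Hetzner box that exposes the HTW StuRa web
# services (reached at 141.56.51.1) on its own IPv4/IPv6 addresses via HAProxy,
# and terminates a WireGuard hub ("sturauplink") for two peers.
#
# Review notes (security):
#   - UDP 51820 was not in the firewall allow-list although listenPort is set
#     and the "mail" peer has no endpoint (it can only reach us by dialling in),
#     so its handshakes were being dropped. Fixed below.
#   - HAProxy forwards to the upstream's *public* address, not its WireGuard
#     address (10.100.0.2), so port-80 traffic crosses the Internet in clear.
#     Left as-is because it is not known whether the upstream listens on the
#     tunnel address; see the comments in the HAProxy config.
{
  self,
  config,
  lib,
  pkgs,
  ...
}:

{
  sops = {
    defaultSopsFile = ./secrets.sops.yml;
    secrets = {
      # The WireGuard private key. networking.wireguard applies the key as
      # root, so the systemd-network owner is only needed if systemd-networkd
      # manages the interface somewhere outside this file — if it does not,
      # dropping the owner (root-owned, mode 0400) is the tighter setting.
      # TODO(review): confirm whether networkd is enabled in the imports.
      "wireguard-key".owner = "systemd-network";
    };
  };

  imports = [
    ./hardware-configuration.nix
    ./hetzner-disk.nix
  ];

  networking = {
    hostName = "v6proxy";

    interfaces.eth0 = {
      # Hetzner-style addressing: a /32 with an on-link default gateway.
      ipv4.addresses = [
        {
          address = "178.104.18.93";
          prefixLength = 32;
        }
      ];
      ipv6 = {
        addresses = [
          {
            address = "2a01:4f8:1c19:96f8::1";
            prefixLength = 64;
          }
        ];
        routes = [
          { address = "::"; prefixLength = 0; via = "fe80::1"; }
        ];
      };
    };

    defaultGateway.address = "172.31.1.1";
    defaultGateway.interface = "eth0";

    nameservers = [
      "9.9.9.9"
      "1.1.1.1"
    ];

    firewall = {
      # Inbound TCP: SSH plus the two HAProxy listeners below.
      allowedTCPPorts = [
        22
        80
        443
      ];
      # Inbound UDP: the WireGuard listen port. networking.wireguard does not
      # open this itself, and without it the endpoint-less "mail" peer can
      # never complete a handshake (the "proxy" peer only works because we
      # dial out to it first and conntrack admits the replies).
      allowedUDPPorts = [
        51820
      ];
    };

    nftables = {
      enable = true;
    };

    wireguard = {
      enable = true;
      interfaces = {
        sturauplink = {
          listenPort = 51820;
          # Private key is provisioned by sops (never stored in the Nix store).
          privateKeyFile = config.sops.secrets."wireguard-key".path;
          ips = [
            "10.100.0.1/24"
            "fd28:6691:1921:6299::1/64"
          ];
          # allowedIPs is both a route and a source filter: a peer may only
          # emit packets whose source falls inside its allowedIPs, so keep the
          # entries as tight as the peer's actual addresses.
          peers = [
            # mail.test.htw.stura-dresden.de — no endpoint, so this peer must
            # initiate towards our listenPort (hence the UDP firewall rule).
            {
              allowedIPs = [
                "10.100.0.20/32"
              ];
              publicKey = "9Ep/YZLbnGEVWHgVmmwq2Sv/8awwGaHdwiSuIUkWtnk=";
            }
            # proxy.htw.stura-dresden.de — the upstream HAProxy forwards to.
            # The IPv6 entry was previously a /64, which would have let this
            # single host source traffic from (and be routed) the whole ULA
            # prefix, including any address later assigned to the mail peer;
            # narrowed to the host address to match the /32 on the IPv4 side.
            {
              allowedIPs = [
                "10.100.0.2/32"
                "fd28:6691:1921:6299::2/128"
              ];
              endpoint = "141.56.51.1:51820";
              publicKey = "pUHtAHCDHVQBnqtlIgTkEMHbxXpQmVA0HhxiFUrUb0U=";
            }
          ];
        };
      };
    };
  };

  # Once the instances have been migrated into the flake, this could be
  # generated automatically.
  services = {
    haproxy = {
      enable = true;
      config = ''
        global
          # Write the global log to the journal (raw format, facility local0),
          # giving a client IP -> application mapping for incident review.
          log /dev/log format raw local0
          maxconn 50000
          # Metrics could be exposed via a unix socket instead of a local TCP
          # port, so file permissions rather than "localhost" gate access:
          # stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
          tune.bufsize 32762

        defaults
          log global
          mode tcp
          option tcplog
          timeout connect 5s
          timeout client 30s
          timeout server 30s
          # Only affects HTTP-mode listeners: bounds the time a client may take
          # to send a complete request header, limiting slowloris-style
          # connection exhaustion on :80.
          timeout http-request 10s

        # The stats page shows backend connection status once "check" is set
        # on a server line. Bound to loopback only, but unauthenticated, so
        # any local user on this host can read it.
        frontend stats
          bind 127.0.0.1:8404
          mode http
          stats enable
          stats uri /stats
          stats refresh 10s
          stats show-legends
          stats show-node
          stats show-modules

        # Plain HTTP. Declared as mode http so the listener matches its backend
        # (the defaults block is tcp) and produces per-request log lines with
        # method, path and status instead of bare connection logs.
        frontend http-in
          bind :::80
          mode http
          option httplog
          use_backend http_80

        # Despite the name, no SNI inspection happens here: every TLS connection
        # is passed through as opaque TCP to the single backend. TLS therefore
        # terminates upstream and no certificate or private key lives on this
        # host.
        frontend sni_router
          bind :::443
          mode tcp
          use_backend http_443

        backend http_80
          mode http
          # Forwards to the upstream's public address, not its WireGuard
          # address (10.100.0.2), so this leg is unencrypted on the wire.
          # The upstream sees this host as the client; add "option forwardfor"
          # once the upstream is configured to trust X-Forwarded-For from us.
          server proxy 141.56.51.1:80

        backend http_443
          mode tcp
          # The original client IP is not visible upstream on this path;
          # "send-proxy" would carry it, but only if the upstream accepts the
          # PROXY protocol on :443.
          server proxy 141.56.51.1:443
      '';
    };
  };

  environment.systemPackages = with pkgs; [
    wireguard-tools
  ];

  system.stateVersion = "25.11";
}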