add new gateway configurations

2025-10-04 13:33:10 -05:00
parent a102326741
commit 6c5f3baeb7
1 changed files with 156 additions and 0 deletions
--- a/hosts/vaniville/configuration.nix
+++ b/hosts/vaniville/configuration.nix
@@ -0,0 +1,156 @@
+{ config, lib, pkgs, ... }:
+
+{
+  imports =
+    [ # Include the results of the hardware scan.
+      ./hardware-configuration.nix
+      ../../users/blake/blake.nix
+      ../../modules/system/system.nix
+    ];
+
+  modules = {
+    system = {
+      ssh.enable = true;
+      docker.enable = false;
+      syncthing.enable = false;
+      tailscale.enable = true;
+      nvidia.enable = false;
+    };
+  };
+
+  # enable user
+  users.blake.enable = true;
+
+  # use the systemd-boot EFI boot loader.
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  # setup hostname and networking stack
+  networking.hostName = "vaniville"; # Define your hostname.
+  networking.networkmanager.enable = true;  # Easiest to use and most distros use this by default.
+
+  # set timezone
+  time.timeZone = "America/Chicago";
+
+  # define shell
+  programs.zsh.enable = true;
+  users.defaultUserShell = pkgs.zsh;
+
+  # package install list
+  environment.systemPackages = with pkgs; [
+    vim 
+    rsync
+    wget
+    git
+    iptables
+    nettools
+    neofetch
+    btop
+  ];
+
+  # allow proprietary packages
+  nixpkgs.config.allowUnfree = true;
+
+  # enable flakes
+  nix.settings.experimental-features = [ "nix-command" "flakes" ];
+
+  # Open ports in the firewall.
+  networking.firewall.enable = true;
+  networking.firewall.extraCommands = ''
+    HOMELAB_IP="10.10.0.30"         # destination address
+    PUBLIC_IF="eth0"                # vps public interface
+    TAILSCALE_IF="tailscale0"       # tailscale interface
+    
+    # flush rules (avoid dupes)
+    iptables -F
+    iptables -t nat -F
+    iptables -t mangle -F
+    iptables -X
+    
+    # set defualt policies
+    iptables -P INPUT DROP
+    iptables -P FORWARD DROP
+    iptables -P OUTPUT ACCEPT
+    
+    # allow loopback
+    iptables -A INPUT -i lo -j ACCEPT
+    iptables -A OUTPUT -o lo -j ACCEPT
+    
+    # allow replys
+    iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+    iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+    
+    # allow vps outbound
+    iptables -A OUTPUT -o eth0 -j ACCEPT
+    
+    # general settings
+    sysctl -w net.ipv4.ip_forward=1                                 # enable ip forwarding
+    iptables -t nat -A POSTROUTING -o $TAILSCALE_IF -j MASQUERADE   # postrouting masquerade (outgoing packets appear to come from vps tailscale ip)
+    iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT    # allows pings
+    iptables -A INPUT -p tcp --dport 22 -j ACCEPT                   # allows ssh
+    
+    
+    # --- minecraft ---
+    # port: 25777 tcp & udp
+    # prerouting:
+    iptables -t nat -A PREROUTING -i $PUBLIC_IF -p tcp --dport 25777 -j DNAT --to-destination $HOMELAB_IP:25777     # tcp packets on port 25777
+    iptables -t nat -A PREROUTING -i $PUBLIC_IF -p udp --dport 25777 -j DNAT --to-destination $HOMELAB_IP:25777     # udp packets on port 25777
+    # forwards:
+    iptables -A FORWARD -i $PUBLIC_IF -o $TAILSCALE_IF -p tcp --dport 25777 -j ACCEPT       # vps -> homelab: tcp on port 25777
+    iptables -A FORWARD -i $PUBLIC_IF -o $TAILSCALE_IF -p udp --dport 25777 -j ACCEPT       # vps -> homelab: udp on port 25777
+    iptables -A FORWARD -i $TAILSCALE_IF -o $PUBLIC_IF -p tcp --sport 25777 -j ACCEPT       # homelab -> vps: tcp on port 25777
+    iptables -A FORWARD -i $TAILSCALE_IF -o $PUBLIC_IF -p udp --sport 25777 -j ACCEPT       # homelab -> vps: udp on port 25777
+    
+    # --- reverse proxy ---
+    # ports: 80 & 443 tcp
+    # prerouting:
+    iptables -t nat -A PREROUTING -i $PUBLIC_IF -p tcp --dport 80  -j DNAT --to-destination $HOMELAB_IP:80          # tcp packets on port 80
+    iptables -t nat -A PREROUTING -i $PUBLIC_IF -p tcp --dport 443 -j DNAT --to-destination $HOMELAB_IP:443         # tcp packets on port 443
+    # forwards:
+    iptables -A FORWARD -i $PUBLIC_IF -o $TAILSCALE_IF -p tcp --dport 80 -j ACCEPT          # vps -> homelab: tcp on port 80
+    iptables -A FORWARD -i $TAILSCALE_IF -o $PUBLIC_IF -p tcp --sport 80 -j ACCEPT          # homelab -> vps: tcp on port 80
+    iptables -A FORWARD -i $PUBLIC_IF -o $TAILSCALE_IF -p tcp --dport 443 -j ACCEPT         # vps -> homelab: tcp on port 443
+    iptables -A FORWARD -i $TAILSCALE_IF -o $PUBLIC_IF -p tcp --sport 443 -j ACCEPT         # homelab -> vps: tcp on port 443
+    
+    # --- gitea ssh ---
+    # port: 7567 tcp
+    # prerouting:
+    iptables -t nat -A PREROUTING -i $PUBLIC_IF -p tcp --dport 7567 -j DNAT --to-destination $HOMELAB_IP:7567       # tcp packets on port 7567
+    # forwards:
+    iptables -A FORWARD -i $PUBLIC_IF -o $TAILSCALE_IF -p tcp --dport 7567 -j ACCEPT        # vps -> homelab: tcp on port 7567
+    iptables -A FORWARD -i $TAILSCALE_IF -o $PUBLIC_IF -p tcp --sport 7567 -j ACCEPT        # homelab -> vps: tcp on port 7567
+    
+    # --- rustdesk ---
+    # ports 2114-2119
+    # hbbs ports
+    # 21115 tcp (nat type test)
+    iptables -t nat -A PREROUTING -i $PUBLIC_IF -p tcp --dport 21115 -j DNAT --to-destination $HOMELAB_IP:21115     # tcp packets on port 21115
+    iptables -A FORWARD -i $PUBLIC_IF -o $TAILSCALE_IF -p tcp --dport 21115 -j ACCEPT                               # vps -> homelab: tcp on port 21115
+    iptables -A FORWARD -i $TAILSCALE_IF -o $PUBLIC_IF -p tcp --sport 21115 -j ACCEPT                               # homelab -> vps: tcp on port 21115
+    # 21116 tcp&udp (id registration, heartbeat, TCP hole punching)
+    iptables -t nat -A PREROUTING -i $PUBLIC_IF -p tcp --dport 21116 -j DNAT --to-destination $HOMELAB_IP:21116     # tcp packets on port 21116
+    iptables -A FORWARD -i $PUBLIC_IF -o $TAILSCALE_IF -p tcp --dport 21116 -j ACCEPT                               # vps -> homelab: tcp on port 21116
+    iptables -A FORWARD -i $TAILSCALE_IF -o $PUBLIC_IF -p tcp --sport 21116 -j ACCEPT                               # homelab -> vps: tcp on port 21116
+    iptables -t nat -A PREROUTING -i $PUBLIC_IF -p udp --dport 21116 -j DNAT --to-destination $HOMELAB_IP:21116     # udp packets on port 21116
+    iptables -A FORWARD -i $PUBLIC_IF -o $TAILSCALE_IF -p udp --dport 21116 -j ACCEPT                               # vps -> homelab: tcp on port 21116
+    iptables -A FORWARD -i $TAILSCALE_IF -o $PUBLIC_IF -p udp --sport 21116 -j ACCEPT                               # homelab -> vps: tcp on port 21116
+    # 21118 tcp (web client support)
+    iptables -t nat -A PREROUTING -i $PUBLIC_IF -p tcp --dport 21118 -j DNAT --to-destination $HOMELAB_IP:21118     # tcp packets on port 21118
+    iptables -A FORWARD -i $PUBLIC_IF -o $TAILSCALE_IF -p tcp --dport 21118 -j ACCEPT                               # vps -> homelab: tcp on port 21118
+    iptables -A FORWARD -i $TAILSCALE_IF -o $PUBLIC_IF -p tcp --sport 21118 -j ACCEPT                               # homelab -> vps: tcp on port 21118
+    # hbbr ports
+    # 21117 tcp (relay services)
+    iptables -t nat -A PREROUTING -i $PUBLIC_IF -p tcp --dport 21117 -j DNAT --to-destination $HOMELAB_IP:21117     # tcp packets on port 21117
+    iptables -A FORWARD -i $PUBLIC_IF -o $TAILSCALE_IF -p tcp --dport 21117 -j ACCEPT                               # vps -> homelab: tcp on port 21117
+    iptables -A FORWARD -i $TAILSCALE_IF -o $PUBLIC_IF -p tcp --sport 21117 -j ACCEPT                               # homelab -> vps: tcp on port 21117
+    # 21119 tcp (web client support)
+    iptables -t nat -A PREROUTING -i $PUBLIC_IF -p tcp --dport 21119 -j DNAT --to-destination $HOMELAB_IP:21119     # tcp packets on port 21119
+    iptables -A FORWARD -i $PUBLIC_IF -o $TAILSCALE_IF -p tcp --dport 21119 -j ACCEPT                               # vps -> homelab: tcp on port 21119
+    iptables -A FORWARD -i $TAILSCALE_IF -o $PUBLIC_IF -p tcp --sport 21119 -j ACCEPT
+  '';
+
+
+  system.stateVersion = "25.05"; # Did you read the comment?
+
+}
+