diff --git a/hosts/plover/default.nix b/hosts/plover/default.nix
index 4865c38d..17f75f5a 100644
--- a/hosts/plover/default.nix
+++ b/hosts/plover/default.nix
@@ -55,14 +55,21 @@ in
 };
 };
- services.fail2ban.ignoreIP = [
- "172.16.0.0/12"
- "fc00::/7"
+ services.fail2ban = {
+ ignoreIP = [
+ # VPN clients.
+ "${interfaces.wireguard0.IPv4.address}/13"
+ "${interfaces.wireguard0.IPv6.address}/64"
+ ];
- # Those from the tunneling services.
- "${interfaces.wireguard0.IPv4.address}/16"
- "${interfaces.wireguard0.IPv6.address}/64"
- ];
+ # We're going to be unforgiving with this one since we only have key
+ # authentication and password authentication is disabled anyways.
+ jails.sshd = ''
+ enabled = true
+ maxretry = 1
+ port = 22
+ '';
+ };
 # TODO: Put the secrets to the respective service module.
 sops.secrets =
diff --git a/hosts/plover/modules/hardware/hetzner-cloud-cx21.nix b/hosts/plover/modules/hardware/hetzner-cloud-cx21.nix
index 739968bc..d55ce23c 100644
--- a/hosts/plover/modules/hardware/hetzner-cloud-cx21.nix
+++ b/hosts/plover/modules/hardware/hetzner-cloud-cx21.nix
@@ -50,11 +50,10 @@ in
 dhcpcd.enable = false;
 };
- # The main DNS server (not exactly by choice).
- services.resolved = {
- enable = true;
- dnssec = "true";
- };
+ # The local DNS resolver. This should be used in conjunction with an
+ # authoritative DNS server as a forwarder. Also, it should live in its
+ # default address at 127.0.0.53 (as of systemd v252).
+ services.resolved.enable = true;
 # The interface configuration is based from the following discussion:
 # https://discourse.nixos.org/t/nixos-on-hetzner-cloud-servers-ipv6/221/
@@ -98,6 +97,8 @@ in
 IPv6.gateway
 ];
+ # Using the authoritative DNS server to enable accessing them nice
+ # internal services with domain names.
 networkConfig.DNS = [
 "127.0.0.1"
 "::1"
diff --git a/hosts/plover/modules/hardware/networks.nix b/hosts/plover/modules/hardware/networks.nix
index 59a8a6cf..0143624f 100644
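Review bot: The `/13` on `"${interfaces.wireguard0.IPv4.address}/13"` in the new `ignoreIP` exempts far more than the "VPN clients" the comment names: with wireguard0 at 172.28.0.1 (networks.nix in this same diff) it resolves to 172.24.0.0/13, which is the entire clientNetworks block and also contains the public interface's gateway 172.31.1.1, while wireguard.nix assigns the peers `/14` and networks.nix documents them as fixed addresses. Since `wireguardPeers` are fixed, listing them (e.g. `"${wireguardPeers.desktop.IPv4}/32"`) or at least using the prefix the tunnel actually uses keeps the fail2ban exemption to the hosts that need it. In `jails.sshd`, `port = 22` is a second copy of the sshd port; if `config` is in scope here, reading it from `config.services.openssh.ports` avoids the jail silently watching the wrong port should sshd ever move. With `maxretry = 1`, a single rejected key from any address outside `ignoreIP` bans the source, so the comment should say that admin access is expected to come through the VPN only — otherwise an agent presenting a non-matching key first locks the operator out. The enclosing module attribute set starts and ends outside the hunk.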
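Review bot: Dropping `dnssec = "true"` from `services.resolved` turns off DNSSEC validation on the local resolver, and neither the new comment nor the commit says why; if the forwarder at 127.0.0.1/::1 (the `-98` hunk of this file) cannot return validated answers, the comment should state that, otherwise keep `services.resolved.dnssec = "true";` next to `services.resolved.enable = true;`. The new comment also says resolved "should live in its default address at 127.0.0.53" while the same file points `networkConfig.DNS` at 127.0.0.1 and ::1, so a reader cannot tell which component answers on which loopback address; naming the service that listens on 127.0.0.1 in that comment would remove the ambiguity. The enclosing attribute set starts outside the hunk.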
--- a/hosts/plover/modules/hardware/networks.nix
+++ b/hosts/plover/modules/hardware/networks.nix
@@ -5,22 +5,26 @@ let
 inherit (builtins) toString;
 in
 rec {
- privateIPv6Prefix = "fdee:b0de:5685";
+ privateIPv6Prefix = "fc00:b0de:5685::";
+ # These blocks should be used sparingly with how wide these blocks cover.
+ # Plus, they shouldn't be treated as subnets.
 clientNetworks = [
 "172.24.0.0/13"
 "10.128.0.0/9"
+ "fd00::/8"
 ];
 serverNetworks = [
 "172.16.0.0/13"
 "10.0.0.0/9"
+ "fc00::/8"
 ];
- interfaces = let
- ploverInternalNetworkGateway = "172.16.0.1";
- widdeerLan = "10.0.0.1";
- ipv6Gateway = "fe80::1";
- in
+ interfaces =
+ let
+ ploverInternalNetworkGateway = "172.16.0.1";
+ ipv6Gateway = "fe80::1";
+ in
 {
 # This is the public-facing interface. Any interface name with a prime
 # symbol means it's a public-facing interface.
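Review bot: `privateIPv6Prefix = "fc00:b0de:5685::"` moves the site prefix out of fd00::/8 into fc00::/8, which RFC 4193 reserves for centrally assigned ULAs (L bit 0); locally chosen prefixes belong in fd00::/8 with a random 40-bit global ID, which the old `fdee:b0de:5685` already satisfied. The same hunk then splits `clientNetworks` and `serverNetworks` on `fd00::/8` versus `fc00::/8`, i.e. on that L bit rather than on distinct global IDs, so the client/server distinction has no basis in how ULA space is allocated and any other locally generated prefix would land on the "client" side. Keeping `privateIPv6Prefix = "fdee:b0de:5685::";` and expressing client and server ranges as separate /48s (or /64s) under fd00::/8 preserves the intent without the non-conforming prefix. The `rec { … }` this sits in closes outside the hunk.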
@@ -34,55 +38,52 @@ rec {
 address = "65.109.224.213";
 gateway = "172.31.1.1";
 };
- IPv6 = {
- address = "2a01:4f9:c012:607a::1";
- gateway = ipv6Gateway;
- };
- };
- # /16 block for IPv4, /64 for IPv6.
- internal = {
- IPv4 = {
- address = "172.27.0.1";
- gateway = ploverInternalNetworkGateway;
+ internal = {
+ IPv4 = {
+ address = "172.27.0.1";
+ gateway = ploverInternalNetworkGateway;
+ };
+ IPv6 = {
+ address = "${privateIPv6Prefix}1";
+ gateway = ipv6Gateway;
+ };
 };
- IPv6 = {
- address = "${privateIPv6Prefix}:1::";
- gateway = ipv6Gateway;
- };
- };
- # /16 BLOCK for IPv4, /64 for IPv6.
- wireguard0 = {
- IPv4 = {
- address = "10.210.0.1";
- gateway = widdeerLan;
- };
- IPv6 = {
- address = "${privateIPv6Prefix}:12ae::";
- gateway = ipv6Gateway;
+ wireguard0 = {
+ IPv4 = {
+ address = "172.28.0.1";
+ gateway = ploverInternalNetworkGateway;
+ };
+ IPv6 = {
+ address = "${wireguardIPv6Prefix}1";
+ gateway = ipv6Gateway;
+ };
 };
 };
- };
 # Wireguard-related things.
 wireguardPort = 51820;
- wireguardIPHostPart = "10.210.0";
- wireguardIPv6Prefix = interfaces.wireguard0.IPv6.address;
- # These are all fixed IP addresses. They should be /32 IPv4 block and /128
- # IPv6 block.
+ # This IPv4 network block should have /13 for the Wireguard network.
+ wireguardIPv4Prefix = "172.28.0";
+
+ # This IPv6 network prefix should have /64 for the entire Wireguard network.
+ wireguardIPv6Prefix = "fd00:ffff::";
+
+ # These are all fixed IP addresses. However, they should be assigned in /16
+ # and /64 for IPv4 and IPv6 block respectively.
 wireguardPeers = {
 server = with interfaces.wireguard0; {
 IPv4 = IPv4.address;
 IPv6 = IPv6.address;
 };
 desktop = {
- IPv4 = "${wireguardIPHostPart}.2";
+ IPv4 = "${wireguardIPv4Prefix}.2";
 IPv6 = "${wireguardIPv6Prefix}2";
 };
 phone = {
- IPv4 = "${wireguardIPHostPart}.3";
+ IPv4 = "${wireguardIPv4Prefix}.3";
 IPv6 = "${wireguardIPv6Prefix}3";
 };
 };
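Review bot: `gateway = ploverInternalNetworkGateway;` under the new `wireguard0.IPv4` gives the tunnel 172.16.0.1 as gateway, but 172.28.0.1 with the `/13` the comment above `wireguardIPv4Prefix` prescribes lies in 172.24.0.0/13, so that gateway is not on-link for the tunnel and would only work with a mask of /12 or wider. Whether the `gateway` field is consumed for wireguard0 is not visible here; if it is not, dropping it avoids a misleading value, and if it is, the value needs to come from the tunnel's own range. The tunnel prefix length is also stated three different ways in this change — `/13` on `wireguardIPv4Prefix`, `/16` in the `wireguardPeers` comment and `/14` in wireguard.nix — and the sentence "These are all fixed IP addresses. However, they should be assigned in /16" contradicts itself; picking one length, stating it once next to `wireguardIPv4Prefix`/`wireguardIPv6Prefix`, and having the peer comment refer to it would remove the drift.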
diff --git a/hosts/plover/modules/services/wireguard.nix b/hosts/plover/modules/services/wireguard.nix
index c35bd8d5..f1860ebe 100644
--- a/hosts/plover/modules/services/wireguard.nix
+++ b/hosts/plover/modules/services/wireguard.nix
@@ -9,8 +9,8 @@ let
 wireguardIFName = "wireguard0";
- desktopPeerAddresses = with wireguardPeers.desktop; [ "${IPv4}/24" "${IPv6}/96" ];
- phonePeerAddresses = with wireguardPeers.phone; [ "${IPv4}/24" "${IPv6}/96" ];
+ desktopPeerAddresses = with wireguardPeers.desktop; [ "${IPv4}/14" "${IPv6}/64" ];
+ phonePeerAddresses = with wireguardPeers.phone; [ "${IPv4}/14" "${IPv6}/64" ];
 internalDomains = [
 "~${config.networking.fqdn}"
@@ -57,14 +57,10 @@ in
 networks."99-${wireguardIFName}" = {
 matchConfig.Name = wireguardIFName;
- networkConfig = {
- DNS = with interfaces.internal; [
- "127.0.0.1"
- "::1"
- ];
- Domains = lib.concatStringsSep " " internalDomains;
- DNSDefaultRoute = false;
- };
+ networkConfig.DNS = with interfaces.internal; [
+ "127.0.0.1"
+ "::1"
+ ];
 address = with interfaces.wireguard0; [
 "${IPv4.address}/32"
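Review bot: `"${IPv4}/14"` on `desktopPeerAddresses` and `phonePeerAddresses` puts both peers on the same 172.28.0.0/14 network; where these lists are consumed is outside the hunk, but if they feed per-peer AllowedIPs the two entries overlap and only the last peer keeps the route for that range, and if they are the peers' own interface addresses a /14 on-link range is far wider than the three fixed peers networks.nix describes. networks.nix in this same change says `/13` above `wireguardIPv4Prefix` and `/16` in the `wireguardPeers` comment, while this file says `/14`. Since the peers are fixed, `/32` and `/128` — what the server already uses for its own address in `"${IPv4.address}/32"` below — is the consistent reading, or the length should come from a single constant in networks.nix. The `let` block these bindings belong to continues outside the hunk.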