| -rw-r--r-- | mugam-machine.scm | 10 | ||||
| -rw-r--r-- | mugam-nftables-rules.conf | 39 | ||||
| -rw-r--r-- | mugam.scm | 211 | ||||
| -rw-r--r-- | ssh-keys/arunisaac.pub | 1 | ||||
| -rw-r--r-- | ssh-keys/cosmovpndns.pub | 1 | ||||
| -rw-r--r-- | ssh-keys/ragulkanth.pub | 1 |
6 files changed, 263 insertions, 0 deletions
diff --git a/mugam-machine.scm b/mugam-machine.scm
new file mode 100644
index 0000000..1a521f1
--- /dev/null
+++ b/mugam-machine.scm
@@ -0,0 +1,10 @@
+(define mugam
+ (load "mugam.scm"))
+
+(list (machine
+ (operating-system mugam)
+ (environment managed-host-environment-type)
+ (configuration (machine-ssh-configuration
+ (host-name "188.166.169.68")
+ (system "x86_64-linux")
+ (host-key "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILWSaGfhaFyD+UqRq0cl+zbBkzAc7msit+GNa8+GE+XO")))))
diff --git a/mugam-nftables-rules.conf b/mugam-nftables-rules.conf
new file mode 100644
index 0000000..261a98b
--- /dev/null
+++ b/mugam-nftables-rules.conf
@@ -0,0 +1,39 @@
+table inet firewall {
+ chain input {
+ # Drop all traffic by default.
+ type filter hook input priority filter; policy drop;
+ # Allow traffic from established connections, drop invalid.
+ ct state vmap { established: accept, related: accept, invalid: drop }
+ # Allow ping.
+ icmp type echo-request accept
+ # Allow loopback traffic.
+ iifname lo accept
+ # Allow
+ # - ssh, http and https (for mugam itself)
+ # - mumble for ragulkanth (5033)
+ # - ssh for ragulkanth (10101)
+ tcp dport {ssh, http, https, 5033, 10101} accept
+ # Allow dns and wireguard.
+ udp dport {domain, 51820} accept
+ }
+}
+
+table ip nat {
+ chain prerouting {
+ type nat hook prerouting priority dstnat;
+ # Forward ports to various services.
+ # E-mail
+ iifname eth0 tcp dport smtp dnat to $hrrol:8025
+ iifname eth0 tcp dport pop3s dnat to $hrrol:8995
+ iifname eth0 tcp dport smtps dnat to $hrrol:8465
+ iifname eth0 tcp dport submission dnat to $hrrol:8587
+ # XMPP
+ iifname eth0 tcp dport {xmpp-client, xmpp-server} dnat to $hrrol
+ }
+ chain postrouting {
+ type nat hook postrouting priority srcnat;
+ # For all packets to and from the VPN and the WAN, replace source
+ # address with public IP of WAN interface.
+ oifname {eth0, wg0} masquerade
+ }
+}
\ No newline at end of file
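Review bot: The `inet firewall` table defines only an `input` chain, while the `ip nat` table DNATs smtp/pop3s/smtps/submission/xmpp to `$hrrol` and the system enables ip_forward, so nothing filters the forward hook: every forwarded packet, whether DNAT'ed from eth0 or routed between eth0 and wg0, is accepted by default. A `forward` chain with `policy drop` that accepts established/related flows, the DNAT'ed flows (`ct status dnat accept`) and VPN-originated outbound traffic would make the published ports the only way from the WAN into the 192.168.2.0/24 subnet. Because the table is `inet`, the input drop policy also applies to IPv6; if the host ever carries an IPv6 address, ICMPv6 neighbour discovery needs an explicit `icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept` or v6 connectivity silently fails. The comments open 5033 and 10101 "for ragulkanth" on the input hook, but no dnat rule for them appears in this file and DNAT'ed packets traverse the forward hook rather than input, so those accepts only matter if mugam itself listens there; confirm the intent or drop them.
```nftables
table inet firewall {
	# … unchanged: chain input …
	chain forward {
		# Forwarded traffic is dropped unless it belongs to a flow created by
		# the prerouting dnat rules or originates from the VPN side.
		type filter hook forward priority filter; policy drop;
		ct state vmap { established: accept, related: accept, invalid: drop }
		ct status dnat accept
		iifname wg0 oifname eth0 accept
	}
}
```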
diff --git a/mugam.scm b/mugam.scm
new file mode 100644
index 0000000..441f7cb
--- /dev/null
+++ b/mugam.scm
@@ -0,0 +1,211 @@
+(use-modules (arunisaac powerdns)
+ (gnu)
+ ((gnu packages admin) #:select (nmap))
+ ((gnu packages curl) #:select (curl))
+ ((gnu packages dns) #:select (knot))
+ ((gnu packages linux) #:select (nftables))
+ ((gnu packages ssh) #:select (openssh-sans-x))
+ (gnu services networking)
+ (gnu services ssh)
+ (gnu services sysctl)
+ (gnu services vpn)
+ (gnu services web)
+ (guix records))
+
+(load "mugam-private.scm")
+
+(define %hrrol-wg-ip
+ "192.168.2.12")
+
+(define %ragulkanth-wg-ip
+ "192.168.2.4")
+
+(define %wireguard-peers
+ (cons* (wireguard-peer
+ (name 'ragulkanth)
+ (public-key "2FSShF/tVYoPYmIjZQk3Uqv53QFKoXb78kD4vyLVVmM=")
+ (allowed-ips (list (string-append %ragulkanth-wg-ip "/32"))))
+ (wireguard-peer
+ (name 'hrrol)
+ (public-key "QfPQwNHMr6o6iqt/EzPm1JZOrZRik6LGRpdJOyIiK3g=")
+ (allowed-ips (list (string-append %hrrol-wg-ip "/32"))))
+ %wireguard-private-peers))
+
+
+;;;
+;;; DNS Server
+;;;
+
+(define-record-type* <zone>
+ zone make-zone
+ zone?
+ (name zone-name)
+ (file zone-file))
+
+;; TODO: Backup zone files.
+(define %zones
+ (list (zone
+ (name "arohonline.in")
+ (file "/etc/powerdns/zones/arohonline.in"))
+ (zone
+ (name "arohonline.org")
+ (file "/etc/powerdns/zones/arohonline.org"))
+ (zone
+ (name "cosmobird.me")
+ (file "/etc/powerdns/zones/cosmobird.me"))
+ (zone
+ (name "issuesofconcern.in")
+ (file "/etc/powerdns/zones/issuesofconcern.in"))
+ (zone
+ (name "ragulkanth.dev")
+ (file "/etc/powerdns/zones/ragulkanth.dev"))
+ (zone
+ (name "solariiknight.org")
+ (file "/etc/powerdns/zones/solariiknight.org"))
+ (zone
+ (name "systemreboot.net")
+ (file "/etc/powerdns/zones/systemreboot.net"))))
+
+(define (named.conf-gexp zones)
+ "Return a G-expression that computes a named.conf with ZONES, a list
+of <zone> records."
+ #~(begin
+ (call-with-output-file #$output
+ (lambda (port)
+ (for-each (lambda (name file)
+ (format port "zone ~s {
+ file ~s;
+};
+"
+ name file))
+ '#$(map zone-name zones)
+ '#$(map zone-file zones))))))
+
+
+;;;
+;;; operating-system definition
+;;;
+
+(operating-system
+ (host-name "mugam")
+ (timezone "Europe/London")
+ (locale "ta_IN.utf8")
+ (bootloader (bootloader-configuration
+ (bootloader grub-bootloader)))
+ (file-systems (cons (file-system
+ (mount-point "/")
+ (device "/dev/vda1")
+ (type "ext4"))
+ %base-file-systems))
+ (users (cons* (user-account
+ (name "arunisaac")
+ (comment "Arun Isaac")
+ (group "users"))
+ (user-account
+ (name "cosmovpndns")
+ (comment "Ganesh")
+ (group "users"))
+ (user-account
+ (name "ragulkanth")
+ (comment "Ragulkanth")
+ (group "users"))
+ %base-user-accounts))
+ (packages
+ (cons* curl
+ (list knot "tools")
+ nftables
+ nmap
+ %base-packages))
+ (services
+ (cons* (service dhcpcd-service-type)
+ (service nftables-service-type
+ (nftables-configuration
+ (ruleset (mixed-text-file "mugam-nftables.conf"
+ "define hrrol = " %hrrol-wg-ip "\n"
+ "define ragulkanth = " %ragulkanth-wg-ip "\n" "\n"
+ "include \"" (local-file "mugam-nftables-rules.conf") "\"\n"))))
+ (service wireguard-service-type
+ (wireguard-configuration
+ (addresses (list "192.168.2.1/24"))
+ (peers %wireguard-peers)))
+ (service openssh-service-type
+ (openssh-configuration
+ (openssh openssh-sans-x)
+ (password-authentication? #f)
+ (permit-root-login #t)
+ (allow-agent-forwarding? 
#f)
+ (authorized-keys
+ `(("root" ,(local-file "ssh-keys/arunisaac.pub"))
+ ("arunisaac" ,(local-file "ssh-keys/arunisaac.pub"))
+ ("cosmovpndns" ,(local-file "ssh-keys/cosmovpndns.pub"))
+ ("ragulkanth" ,(local-file "ssh-keys/ragulkanth.pub"))))))
+ (service powerdns-service-type
+ (powerdns-configuration
+ (backends (list "bind"))
+ (bind-config
+ (computed-file "named.conf"
+ (named.conf-gexp %zones)))
+ (bind-check-interval 60)))
+ (service nginx-service-type
+ (nginx-configuration
+ (server-blocks
+ (list (nginx-server-configuration
+ (listen (list "80"))
+ (server-name (list ".arohonline.in"
+ ".arohonline.org"
+ ".issuesofconcern.in"
+ ".solariiknight.org"
+ ".systemreboot.net"))
+ (locations
+ (list (nginx-location-configuration
+ (uri "/")
+ (body (list (string-append "proxy_pass http://"
+ %hrrol-wg-ip
+ ":8081;")
+ "proxy_set_header Host $http_host;"))))))
+ (nginx-server-configuration
+ (listen (list "80"))
+ (server-name (list ".dev-il.xyz"
+ ".ragulkanth.dev"))
+ (locations
+ (list (nginx-location-configuration
+ (uri "/")
+ (body (list (string-append "proxy_pass http://"
+ %ragulkanth-wg-ip
+ ";")
+ "proxy_set_header Host $http_host;"))))))))
+ (stream
+ (nginx-stream-configuration
+ (upstream-blocks
+ (list (nginx-upstream-configuration
+ (name "hrrol_https")
+ (servers (list (string-append %hrrol-wg-ip ":8080"))))
+ (nginx-upstream-configuration
+ (name "ragulkanth_https")
+ (servers (list (string-append %ragulkanth-wg-ip ":443"))))))
+ (server-blocks
+ (list (nginx-server-configuration
+ (listen (list "443"))
+ (raw-content (list "ssl_preread on;"
+ "proxy_pass $upstream;")))))
+ (extra-content
+ (list "map $ssl_preread_server_name $upstream {
+ hostnames;
+ .arohonline.in hrrol_https;
+ .arohonline.org hrrol_https;
+ .issuesofconcern.in hrrol_https;
+ .solariiknight.org hrrol_https;
+ .systemreboot.net hrrol_https;
+ .dev-il.xyz ragulkanth_https;
+ .ragulkanth.dev ragulkanth_https;
+}
+"))))))
+ (modify-services %base-services
+ 
(guix-service-type
+ config => (guix-configuration
+ (inherit config)
+ (authorized-keys (cons (local-file "/etc/guix/signing-key.pub")
+ %default-authorized-guix-keys))))
+ (sysctl-service-type
+ config => (sysctl-configuration
+ (settings '(("net.ipv4.ip_forward" . "1")))))))))
diff --git a/ssh-keys/arunisaac.pub b/ssh-keys/arunisaac.pub
new file mode 100644
index 0000000..e332918
--- /dev/null
+++ b/ssh-keys/arunisaac.pub
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDIUuJw4v0tHr4BMZ0JAybh5IPSCBRq1DnJrxLkJ0BqGQCx7QLo0EvfaDzQEKRKReR0/v2gIoBWR7zRtfeTixlaWlABCwVE/lszIW1sZg2aj3njhS8JSm9cUhDaGSbQFaN2in7/fW5L586FNftlZT1s6eUAZVI7rT4dARa4dH3rbzPEYgnVEoL0rc9Tjd8WtD/17Q7UzpaTH6Jqui49FV1uj+GT+XTk7S1X+7XepgULcOzphbECRG9bAZF+A8gHkcVGOXsz9GyPNpkhPoERSe6EYPPg8NGXjk4wamgpVSFjwQhvM+O/WpaeriagNNx1ktQ1hJlPW8ANI7mL9xop7w1V arunisaac@systemreboot.net
diff --git a/ssh-keys/cosmovpndns.pub b/ssh-keys/cosmovpndns.pub
new file mode 100644
index 0000000..7b1d75f
--- /dev/null
+++ b/ssh-keys/cosmovpndns.pub
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDZkQqo2BJVnFTzMplauqApK5pW7hc2UuxQLAftUOhvQepdrKG0LtuLvvhmYYpL7sNktQuNOeTyPJcXcHDAwDVh33uE83SrkbO8LggrP6spa5ocAhL4lkSOtXjCU/RhEZZma4XDQm6B97fZIESaedvjfBaYXAX34uTILQH4bTWhAvaOPCuSrGSkP3tytPDQRRnuMmiicG9xxaDoasn6GEJOuldDwIIK8wLzlLr+MCk0GB4w7ANvN9SQ8r4BaXWb2qHZohnO2ZiC7m3YqVw++jhjZXV+mHxvPwcfUgapdzv+xLt9G0fyLH7nHkMWx8W8V5MEibgc9aZgcZxkYhMqDPg9 cosmobird@cosmobird.me
diff --git a/ssh-keys/ragulkanth.pub b/ssh-keys/ragulkanth.pub
new file mode 100644
index 0000000..405ec5e
--- /dev/null
+++ b/ssh-keys/ragulkanth.pub
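Review bot: `(permit-root-login #t)` in the openssh-configuration of mugam.scm allows root to log in with any method sshd offers; `(password-authentication? #f)` currently narrows that to keys, but the root setting should carry the restriction itself so that a later change to password authentication does not silently reopen root password login — `(permit-root-login 'prohibit-password)`, provided the deployed Guix's openssh-configuration accepts that symbol (recent versions do; confirm). The two HTTP server blocks forward only `Host`, so the backends behind the WireGuard peers see every request as coming from 192.168.2.1; if they log or rate-limit per client, add `"proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;"` and `"proxy_set_header X-Real-IP $remote_addr;"` next to the existing header. `(load "mugam-private.scm")` and `%wireguard-private-peers` depend on a file that is not part of this commit, so the operating-system form cannot be evaluated from the repository alone; a one-line comment above the load naming what the private file must define would help the next reader.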
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7xno0CYJ8T+K2/1rDlFWMkyYHiOWegXHuZ4btI4ey4GChQoFCQ6yfl6Pp7PQ+lBnrZ2od4lDm0g9soBSF3B7KnjAVUvHRu1E5JXmE0NmPxAkwmKC7tCheGlhtv1LKO8RicV7cmD6yrYrQMob+DRYAZ1uxVHxh9PpTz4C5UZHyuoAIHL984jXtSNE+/WNb0/F7NSChI/A0GuDcH4cJGhYCSqwJvJJpdxR2knqHeGow2O4jXRPkd8PugXesNKrPBnoaxm+Smn43F9wZmz39aleClj/pxei8GzFq06lmMrEUiY3kXtEZ/bHGuRYLnltSORIH+Aah2nyD5d3j6kpMrNV1 ragulkanth@aaru
\ No newline at end of file |
