try to migrate to nix

2026-04-14 22:31:46 +04:00 · 2025-01-11 20:48:22 +04:00 · 2025-01-11 20:48:22 +04:00 · 94da1ce936
commit 94da1ce936
parent f2f4ead62f
26 changed files with 830 additions and 181 deletions
--- a/vps/iptables.erb
+++ b/vps/iptables.erb
@ -0,0 +1,49 @@
+% # run it like this: `erb ports='[]' iptables.erb | iptables-restore`
+% # NOTE: it discards docker iptable rules
+*filter
+
+-N DOCKER-USER
+-N DOCKER-ISOLATION-STAGE-1
+
+# don't restrict output at all
+-A OUTPUT -j ACCEPT
+
+# allow all loopback
+-A INPUT -i lo -j ACCEPT
+-A FORWARD -i lo -j ACCEPT
+
+# allow all established
+-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+-A DOCKER-USER -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+
+# allow wireguard
+-A INPUT -i wg0 -j ACCEPT
+-A FORWARD -i wg0 -j ACCEPT
+-A DOCKER-USER -i wg0 -j ACCEPT
+
+# allow all docker
+-A DOCKER-USER -i docker0 -j DOCKER-ISOLATION-STAGE-1
+
+% require 'json'
+% prts = [22, 80, 443] + JSON.parse(ports)
+# apply it with `iptables-restore < ./iptables`
+
+# allow all loopback
+-A INPUT -i lo -j ACCEPT
+
+# custom ports
+% prts.each { |port|
+%   ['tcp', 'udp'].each { |proto|
+-A FORWARD -p <%= proto %> --dport <%= port %> -j ACCEPT
+-A INPUT -p <%= proto %> --dport <%= port %> -j ACCEPT
+-A DOCKER-USER -p <%= proto %> -m conntrack --ctorigdstport <%= port %> --ctdir ORIGINAL -j ACCEPT
+%   }
+
+% }
+%
+# disallow all other
+-A INPUT -j DROP
+-A FORWARD -j DROP
+-A DOCKER-USER -j DROP
+
+COMMIT
--- a/vps/vpn/make-server.sh
+++ b/vps/vpn/make-server.sh
@ -0,0 +1,118 @@
+#!/usr/bin/env bash
+
+set -e
+
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+
+HOST=""
+PORT=""
+GENKEY=false
+
+function show_help {
+	echo "wireguard configurator"
+	echo "  --host host-name"
+	echo "  --port port"
+	echo "  [--gen-key]"
+}
+
+while [ $# -ne 0 ]
+do
+	ARG="$1"
+	shift
+	case "$ARG" in
+		--help)
+			show_help
+			exit 0
+			;;
+		--host)
+			HOST="$1"
+			shift
+			;;
+		--port)
+			PORT="$1"
+			shift
+			;;
+		--gen-keys)
+			GENKEY=true
+			;;
+		*)
+			echo "unknown argument $ARG"
+			show_help
+			exit 1
+			;;
+	esac
+done
+
+echo "Parsed:"
+echo "  --host $HOST"
+echo "  --port $PORTI"
+
+if [ "$HOST" == "" ]
+then
+	echo "host not set"
+	show_help
+	exit 1
+fi
+
+if [ "$PORT" == "" ]
+then
+	echo "port not set"
+	show_help
+	exit 1
+fi
+
+if [ ! -f .gitignore ]
+then
+	echo "INFO creating gitignore"
+	touch .gitignore
+fi
+
+if ! grep -Pq '^/key$' .gitignore
+then
+	echo "INFO adding key to .gitignore"
+	echo "/key" >> .gitignore
+fi
+
+if ! grep -Pq '^/wg0\.conf$' .gitignore
+then
+	echo "INFO adding wg0.conf to .gitignore"
+	echo "/wg0.conf" >> .gitignore
+fi
+
+if [ "$GENKEY" == "true" ]
+then
+	touch key
+	chmod 600 key
+	wg genkey > key
+	wg pubkey < key > key.pub
+fi
+
+touch wg0.conf
+chmod 600 wg0.conf
+KEY="$(cat key)"
+erb "private_key=$KEY" port="$PORT" "$SCRIPT_DIR/wg0.conf.erb" > wg0.conf
+KEY=""
+
+PUBKEY="$(cat key.pub)"
+
+echo ""
+echo "Run following to start wireguard:"
+echo "  wg-quick up ./wg0.conf"
+echo "You can add peers as follows:"
+echo "  wg set wg0 peer <pub key> allowed-ips IP"
+echo ""
+echo "Client's configuration is"
+echo "=================================="
+cat <<-EOF
+[Interface]
+Address = 10.30.30.@@/32
+PrivateKey = <Private key>
+DNS = 10.30.30.1
+
+[Peer]
+PublicKey = $PUBKEY
+Endpoint = $HOST:$PORT
+AllowedIPs = 10.30.30.0/24
+PersistentKeepalive = 25
+EOF
+echo "=================================="