Update all to mycelium ips

2025-05-29 23:29:05 -04:00 · 2025-05-29 23:29:05 -04:00 · 48b55af695
commit 48b55af695
parent 200bf7e711
10 changed files with 40 additions and 29 deletions
--- a/modules/home/programs/terminal/ssh/default.nix
+++ b/modules/home/programs/terminal/ssh/default.nix
@ -4,22 +4,12 @@
    enable = true;
    addKeysToAgent = "yes";
    compression = true;
-    matchBlocks = with lib.hm.dag; {
+    matchBlocks = {
      # Personal servers
-      nixfox = {
-        match = ''canonical host "*.nixfox.ca"'';
-        user = config.home.username;
-      };
-      midas = {
-        hostname = "sv.nixfox.ca";
-      };
-      kitty = {
-        hostname = "sv.nixfox.ca";
-        port = 2222;
-      };
-      prophet = {
-        hostname = "mx.nixfox.ca";
-      };
+      tower.hostname = "577:84d1:b682:9ac3:b987:b78e:33d9:2060";
+      midas.hostname = "538:e163:87ba:f847:3646:18b6:6b01:d8f8";
+      kitty.hostname = "2607:fea8:431d:cba5:37b6:92f8:5be:7c56";
+      prophet.hostname = "42f:2737:2aed:4dee:cbe4:3c73:1918:ad9b";

      # Misc
      seneca = {
--- a/modules/system/devices/networking/mycelium/default.nix
+++ b/modules/system/devices/networking/mycelium/default.nix
@ -1,5 +1,7 @@
 { ... }:
 {
+  imports = [ ./ips ];
+
  services.mycelium = {
    enable = true;
    openFirewall = true;
--- a/modules/system/devices/networking/mycelium/ips/default.nix
+++ b/modules/system/devices/networking/mycelium/ips/default.nix
@ -0,0 +1,13 @@
+{ config, lib, ... }:
+{
+  options.services.mycelium.ips = lib.mkOption {
+    type = lib.types.attrs;
+  };
+
+  config.services.mycelium.ips = {
+    tower = "577:84d1:b682:9ac3:b987:b78e:33d9:2060";
+    midas = "538:e163:87ba:f847:3646:18b6:6b01:d8f8";
+    kitty = "2607:fea8:431d:cba5:37b6:92f8:5be:7c56";
+    prophet = "42f:2737:2aed:4dee:cbe4:3c73:1918:ad9b";
+  };
+}
--- a/modules/system/services/general/ssh/fail2ban/default.nix
+++ b/modules/system/services/general/ssh/fail2ban/default.nix
@ -4,7 +4,6 @@
    enable = true;
    maxretry = 5;
    bantime = "10m";
-    ignoreIP = [ "11.0.0.0/8" ];
  };

  environment.persistence."/persist".directories = [ "/var/lib/fail2ban" ];
--- a/modules/system/services/server/nfs/default.nix
+++ b/modules/system/services/server/nfs/default.nix
@ -4,6 +4,8 @@

  config = lib.mkIf config.services.nfs.server.enable {
    services.nfs.server.exports = "/storage *(rw)";
-    networking.firewall.extraInputRules = "ip saddr { 10.0.0.0/8, 11.0.0.0/8, ${config.secrets.ips.bun} } tcp dport 2049 accept";
+    networking.firewall.extraInputRules = with config.services.mycelium.ips; ''
+      ip6 saddr { ${tower}, ${midas}, ${kitty}, ${prophet} } tcp dport 2049 accept
+    '';
  };
 }
--- a/modules/system/services/server/nginx/rtmp/default.nix
+++ b/modules/system/services/server/nginx/rtmp/default.nix
@ -23,7 +23,10 @@
        }
      '';
    };
-    networking.firewall.extraInputRules = "ip saddr { 11.0.0.0/8, ${config.secrets.ips.luna}, ${config.secrets.ips.corn} } tcp dport 1935 accept";
+    networking.firewall.extraInputRules = with config.services.mycelium.ips; ''
+      ip6 saddr ${tower} tcp dport 1935 accept
+      ip saddr { ${config.secrets.ips.luna}, ${config.secrets.ips.corn} } tcp dport 1935 accept
+    '';
    systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/var/www/landing-page/streams/hls/" ];
  };
 }
--- a/modules/system/services/server/owncast/default.nix
+++ b/modules/system/services/server/owncast/default.nix
@ -7,7 +7,9 @@
      port = 8060;
      rtmp-port = 1945;
    };
-    networking.firewall.extraInputRules = "ip saddr 11.0.0.0/8 tcp dport 1945 accept";
+    networking.firewall.extraInputRules = ''
+      ip6 saddr ${tower} tcp dport 1935 accept
+    '';
    environment.persistence."/persist".directories = [ "/var/lib/owncast" ];
  };
 }