Add several NixOS hosts on Proxmox and Oracle Cloud

2025-12-06 09:07:21 +01:00 · 2023-12-22 01:15:04 +01:00 · 2023-12-22 01:15:04 +01:00 · acc0ad68e0
commit acc0ad68e0
parent 9afb9ec47e
43 changed files with 4356 additions and 187 deletions
--- a/scripts/server1/doublepuppet.yaml
+++ b/scripts/server1/doublepuppet.yaml
@ -0,0 +1,21 @@
+# The ID doesn't really matter, put whatever you want.
+id: doublepuppet
+# The URL is intentionally left empty (null), as the homeserver shouldn't
+# push events anywhere for this extra appservice. If you use a
+# non-spec-compliant server, you may need to put some fake URL here.
+url:
+# Generate random strings for these three fields. Only the as_token really
+# matters, hs_token is never used because there's no url, and the default
+# user (sender_localpart) is never used either.
+as_token: doublepuppet
+hs_token: notused
+sender_localpart: notused
+# Bridges don't like ratelimiting. This should only apply when using the
+# as_token, normal user tokens will still be ratelimited.
+rate_limited: false
+namespaces:
+  users:
+  # Replace your\.domain with your server name (escape dots for regex)
+  - regex: '@.*:matrix2\.swarsel\.win'
+    # This must be false so the appservice doesn't take over all users completely.
+    exclusive: false
--- a/scripts/server1/iptables.sh
+++ b/scripts/server1/iptables.sh
@ -0,0 +1,47 @@
+#! /usr/bin/env bash
+export INTERFACE="tun0"
+export VPNUSER="vpn"
+export LOCALIP="192.168.1.191"
+export NETIF="eth0"
+
+# flushes all the iptables rules, if you have other rules to use then add them into the script
+iptables -F -t nat
+iptables -F -t mangle
+iptables -F -t filter
+
+# mark packets from $VPNUSER
+iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
+iptables -t mangle -A OUTPUT ! --dest $LOCALIP -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
+iptables -t mangle -A OUTPUT --dest $LOCALIP -p udp --dport 53 -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
+iptables -t mangle -A OUTPUT --dest $LOCALIP -p tcp --dport 53 -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
+iptables -t mangle -A OUTPUT ! --src $LOCALIP -j MARK --set-mark 0x1
+iptables -t mangle -A OUTPUT -j CONNMARK --save-mark
+
+# allow responses
+iptables -A INPUT -i $INTERFACE -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+# block everything incoming on $INTERFACE to prevent accidental exposing of ports
+iptables -A INPUT -i $INTERFACE -j REJECT
+
+# let $VPNUSER access lo and $INTERFACE
+iptables -A OUTPUT -o lo -m owner --uid-owner $VPNUSER -j ACCEPT
+iptables -A OUTPUT -o $INTERFACE -m owner --uid-owner $VPNUSER -j ACCEPT
+
+# all packets on $INTERFACE needs to be masqueraded
+iptables -t nat -A POSTROUTING -o $INTERFACE -j MASQUERADE
+iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+# reject connections from predator IP going over $NETIF
+iptables -A OUTPUT ! --src $LOCALIP -o $NETIF -j REJECT
+
+VPNIF="tun0"
+VPNUSER="vpn"
+GATEWAYIP=$(ifconfig $VPNIF | egrep -o '([0-9]{1,3}\.){3}[0-9]{1,3}' | egrep -v '255|(127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})' | tail -n1)
+if [[ `ip rule list | grep -c 0x1` == 0 ]]; then
+ip rule add from all fwmark 0x1 lookup $VPNUSER
+fi
+ip route replace default via $GATEWAYIP table $VPNUSER
+ip route append default via 127.0.0.1 dev lo table $VPNUSER
+ip route flush cache
+
+exit 0
--- a/scripts/server1/routing.sh
+++ b/scripts/server1/routing.sh
@ -0,0 +1,14 @@
+#! /usr/bin/env bash
+VPNIF="tun0"
+VPNUSER="vpn"
+GATEWAYIP=$(ifconfig $VPNIF | egrep -o '([0-9]{1,3}\.){3}[0-9]{1,3}' | egrep -v '255|(127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})' | tail -n1)
+if [[ `ip rule list | grep -c 0x1` == 0 ]]; then
+ip rule add from all fwmark 0x1 lookup $VPNUSER
+fi
+ip route replace default via $GATEWAYIP table $VPNUSER
+ip route append default via 127.0.0.1 dev lo table $VPNUSER
+ip route flush cache
+
+bash /etc/openvpn/update-resolv-conf
+
+exit 0
--- a/scripts/server1/update-resolv-conf
+++ b/scripts/server1/update-resolv-conf
@ -0,0 +1,45 @@
+#! /usr/bin/env bash
+foreign_option_1='dhcp-option DNS 209.222.18.222'
+foreign_option_2='dhcp-option DNS 209.222.18.218'
+foreign_option_3='dhcp-option DNS 8.8.8.8'
+
+[ -x /sbin/resolvconf ] || exit 0
+[ "$script_type" ] || exit 0
+[ "$dev" ] || exit 0
+
+split_into_parts()
+{
+        part1="$1"
+        part2="$2"
+        part3="$3"
+}
+
+case "$script_type" in
+  up)
+        NMSRVRS=""
+        SRCHS=""
+        for optionvarname in ${!foreign_option_*} ; do
+                option="${!optionvarname}"
+                echo "$option"
+                split_into_parts $option
+                if [ "$part1" = "dhcp-option" ] ; then
+                        if [ "$part2" = "DNS" ] ; then
+                                NMSRVRS="${NMSRVRS:+$NMSRVRS }$part3"
+                        elif [ "$part2" = "DOMAIN" ] ; then
+                                SRCHS="${SRCHS:+$SRCHS }$part3"
+                        fi
+                fi
+        done
+        R=""
+        [ "$SRCHS" ] && R="search $SRCHS
+"
+        for NS in $NMSRVRS ; do
+                R="${R}nameserver $NS
+"
+        done
+        echo -n "$R" | /sbin/resolvconf -a "${dev}.openvpn"
+        ;;
+  down)
+        /sbin/resolvconf -d "${dev}.openvpn"
+        ;;
+esac