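{ pkgs, lib, secret, ... }:

let
  inherit (lib) getExe mkForce optional;

  # Public IPv4 address of this host on eth0.  It is also the destination of
  # the UDP/500 -> 6666 redirect, so it is defined once and reused below.
  publicIp = "64.225.104.221";

  # The nat PREROUTING rule (without the `iptables -t nat <cmd>` prefix) that
  # rewrites UDP traffic arriving on eth0 for port 500 to local port 6666.
  # Shared by the check / insert / delete commands so they cannot drift apart.
  redirectRule = "PREROUTING -i eth0 -d ${publicIp}/32 -p udp -m multiport --dports 500 -j REDIRECT --to-ports 6666";
in
{
  # Forwarding is needed for the wg0 <-> wg0 FORWARD rules set up with the
  # WireGuard interface; everything else is dropped by the FORWARD policy in
  # firewall.extraCommands.
  boot.kernel.sysctl = { "net.ipv4.ip_forward" = "1"; };

  # https://github.com/NixOS/nixpkgs/issues/76671
  # the rpc.statd daemon is not running when not mounting any nfs filesystems on boot
  # and can't be manually started...
  boot.supportedFilesystems = [ "nfs" ];
  services.rpcbind.enable = true;

  networking = {
    hostName = "toothpick";

    # The first resolver comes from the secrets set and is only included when
    # that attribute path exists.  The previous `or ""` fallback turned a
    # missing secret into an empty string, i.e. a broken "nameserver" line.
    nameservers =
      optional (secret ? network.ips.blowhole.ip) secret.network.ips.blowhole.ip
      ++ [
        "93.184.77.2"
        "67.207.67.3"
      ];

    wireguard = {
      enable = true;
      # Key material comes from the secrets set (presumably ips/listenPort/peers
      # as well — none of them are set here; confirm against the secret).  The
      # empty-key fallback only keeps evaluation working without secrets; wg0
      # will not come up with it.
      interfaces."wg0" =
        {
          # Let peers reach each other through this host (hairpin on wg0).
          # The rule is inserted and removed together with the interface.
          postSetup = ''
            ${getExe pkgs.iptables} -I FORWARD -i wg0 -o wg0 -j ACCEPT
          '';
          postShutdown = ''
            ${getExe pkgs.iptables} -D FORWARD -i wg0 -o wg0 -j ACCEPT
          '';
        }
        // secret.wireguard."toothpick" or { privateKey = ""; };
    };

    defaultGateway = "64.225.96.1";
    defaultGateway6 = "";
    dhcpcd.enable = false;
    # The NIC is pinned to the name "eth0" by the udev rule at the end of this file.
    usePredictableInterfaceNames = mkForce false;

    # NOTE(review): nat.forwardPorts only takes effect when networking.nat.enable
    # is set, and that is not done in this file.  The REDIRECT rule in
    # firewall.extraCommands below performs the same UDP/500 -> 6666 rewrite by
    # hand, which is presumably why both exist — confirm and keep one of them.
    nat.forwardPorts = [
      {
        destination = "${publicIp}:6666";
        proto = "udp";
        sourcePort = 500;
      }
    ];

    firewall = {
      # extraCommands runs on every firewall start and reload, and the NixOS
      # scripts only recreate their own nixos-fw chains beforehand.  A bare `-I`
      # into the nat PREROUTING chain therefore stacks one more copy of the rule
      # per reload; `-C` makes the insert idempotent and extraStopCommands
      # removes the rule when the firewall is stopped.
      extraCommands = ''
        iptables -P FORWARD DROP
        iptables -t nat -C ${redirectRule} 2>/dev/null || iptables -t nat -I ${redirectRule}
      '';
      extraStopCommands = ''
        iptables -t nat -D ${redirectRule} 2>/dev/null || true
      '';

      interfaces."eth0" = {
        allowedTCPPorts = [
          80
          443
          6001
        ];
        # UDP/500 is rewritten to 6666 in the nat table before it reaches the
        # filter table, so 6666 is the port that actually needs to be open;
        # 500 is presumably redundant here — verify before removing.
        allowedUDPPorts = [
          6666
          500
        ];
      };

      # Interface named "nomad" (presumably the Nomad bridge — not defined in
      # this file).
      interfaces."nomad" = {
        allowedTCPPorts = [
          8500
        ];
      };

      # Cluster traffic is only accepted from WireGuard peers.
      interfaces."wg0" = {
        allowedTCPPorts = [
          ## Consul
          8600 # DNS
          8500 # HTTP
          8502 # gRPC
          8300 # server
          8301 # LAN serf
          8302 # WAN serf
          4646 # Nomad
          4647
          4648
          10000
        ];
        allowedTCPPortRanges = [
          {
            from = 21000;
            to = 21255;
          }
        ];
        allowedUDPPorts = [
          ## Consul
          8600 # DNS
          8301 # LAN serf
          8302 # WAN serf
        ];
        allowedUDPPortRanges = [
          {
            from = 21000;
            to = 21255;
          }
        ];
      };
    };

    interfaces = {
      eth0 = {
        ipv4.addresses = [
          {
            address = publicIp;
            prefixLength = 20;
          }
          {
            address = "10.19.0.6";
            prefixLength = 16;
          }
        ];
        # EUI-64 link-local address derived from the MAC pinned in the udev rule.
        ipv6.addresses = [
          {
            address = "fe80::8ce0:84ff:fefb:f981";
            prefixLength = 64;
          }
        ];
        # Host route to the default gateway.  The gateway already lies inside
        # the /20 above, so this is presumably a leftover from the provider's
        # template and harmless.
        ipv4.routes = [
          {
            address = "64.225.96.1";
            prefixLength = 32;
          }
        ];
      };
    };
  };

  # Give the NIC a stable name regardless of predictable-naming settings.
  services.udev.extraRules = ''
    ATTR{address}=="8e:e0:84:fb:f9:81", NAME="eth0"
  '';
}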