mirror of
https://git.sr.ht/~magic_rb/dotfiles
synced 2024-12-12 01:42:02 +01:00
61862bda34
Signed-off-by: magic_rb <magic_rb@redalder.org>
146 lines
3.3 KiB
Nix
146 lines
3.3 KiB
Nix
{
|
|
pkgs,
|
|
lib,
|
|
secret,
|
|
...
|
|
}: let
|
|
inherit
|
|
(lib)
|
|
getExe'
|
|
;
|
|
in {
|
|
# boot.kernel.sysctl = {"net.ipv4.ip_forward" = "1";};
|
|
|
|
# https://github.com/NixOS/nixpkgs/issues/76671
|
|
# the rpc.statd daemon is not running when not mounting any nfs filesystems on boot
|
|
# and can't be manually started...
|
|
boot.supportedFilesystems = ["nfs"];
|
|
services.rpcbind.enable = true;
|
|
|
|
services.openssh.openFirewall = false;
|
|
|
|
networking = {
|
|
hostName = "altra";
|
|
hostId = "4eb49917";
|
|
useDHCP = false;
|
|
interfaces.eth0.useDHCP = true;
|
|
firewall.enable = true;
|
|
|
|
# nameservers = [
|
|
# (secret.network.ips.blowhole.ip or "")
|
|
# "93.184.77.2"
|
|
# "67.207.67.3"
|
|
# ];
|
|
|
|
wireguard = {
|
|
enable = true;
|
|
interfaces."wg0" =
|
|
{
|
|
postSetup = ''
|
|
${getExe' pkgs.iptables "iptables"} -I FORWARD -i wg0 -o wg0 -j ACCEPT
|
|
'';
|
|
|
|
postShutdown = ''
|
|
${getExe' pkgs.iptables "iptables"} -D FORWARD -i wg0 -o wg0 -j ACCEPT
|
|
'';
|
|
}
|
|
// secret.wireguard."altra" or {privateKey = "";};
|
|
};
|
|
|
|
# defaultGateway = "64.225.96.1";
|
|
# defaultGateway6 = "";
|
|
# dhcpcd.enable = false;
|
|
# usePredictableInterfaceNames = lib.mkForce false;
|
|
|
|
firewall = {
|
|
extraCommands = ''
|
|
iptables -P FORWARD DROP
|
|
iptables -t nat -I PREROUTING -i eth0 -d 167.235.230.162/32 -p udp -m multiport --dports 500 -j REDIRECT --to-ports 6666
|
|
'';
|
|
|
|
interfaces."eth0" = {
|
|
# allowedTCPPorts = [
|
|
# 80
|
|
# 443
|
|
# 6001
|
|
# ];
|
|
allowedUDPPorts = [
|
|
6666
|
|
];
|
|
};
|
|
|
|
# interfaces."nomad" = {
|
|
# allowedTCPPorts = [
|
|
# 8500
|
|
# ];
|
|
# };
|
|
|
|
interfaces."wg0" = {
|
|
allowedTCPPorts = [
|
|
8883
|
|
22
|
|
# ## Consul
|
|
# 8600 # DNS
|
|
# 8500 # HTTP
|
|
# 8502 # gRPC
|
|
# 8300 # server
|
|
# 8301 # LAN serf
|
|
# 8302 # WAN serf
|
|
# 4646 # Nomad
|
|
# 4647
|
|
# 4648
|
|
# 10000
|
|
];
|
|
# allowedTCPPortRanges = [
|
|
# {
|
|
# from = 21000;
|
|
# to = 21255;
|
|
# }
|
|
# ];
|
|
# allowedUDPPorts = [
|
|
# ## Consul
|
|
# 8600 # DNS
|
|
# 8301 # LAN serf
|
|
# 8302 # WAN serf
|
|
# ];
|
|
# allowedUDPPortRanges = [
|
|
# {
|
|
# from = 21000;
|
|
# to = 21255;
|
|
# }
|
|
# ];
|
|
};
|
|
};
|
|
|
|
# interfaces = {
|
|
# eth0 = {
|
|
# ipv4.addresses = [
|
|
# {
|
|
# address = "64.225.104.221";
|
|
# prefixLength = 20;
|
|
# }
|
|
# {
|
|
# address = "10.19.0.6";
|
|
# prefixLength = 16;
|
|
# }
|
|
# ];
|
|
# ipv6.addresses = [
|
|
# {
|
|
# address = "fe80::8ce0:84ff:fefb:f981";
|
|
# prefixLength = 64;
|
|
# }
|
|
# ];
|
|
# ipv4.routes = [
|
|
# {
|
|
# address = "64.225.96.1";
|
|
# prefixLength = 32;
|
|
# }
|
|
# ];
|
|
# };
|
|
# };
|
|
};
|
|
|
|
services.udev.extraRules = ''
|
|
ATTR{address}=="96:00:02:4e:68:63", NAME="eth0"
|
|
'';
|
|
}
|