dotfiles/nixos/systems/altra/networking.nix
magic_rb 61862bda34
Lock down SSH access from outside
Signed-off-by: magic_rb <magic_rb@redalder.org>
2024-03-30 23:09:27 +01:00


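{
  pkgs,
  lib,
  secret,
  ...
}: let
  inherit
    (lib)
    getExe'
    ;

  # Absolute path to the iptables binary.  Used for every rule in this module so the
  # firewall hooks and the WireGuard hooks resolve the same binary instead of relying
  # on whatever `iptables` happens to be on PATH in the firewall script.
  iptables = getExe' pkgs.iptables "iptables";

  # Destination address matched by the UDP/500 redirect on eth0 (presumably this
  # host's public IPv4 -- confirm against the provider's assignment).
  redirectTarget = "167.235.230.162";

  # UDP port the redirect forwards to.  eth0 opens only this port, so it is expected
  # to be wg0's listenPort.  NOTE(review): wg0's settings are merged in from
  # `secret.wireguard."altra"`, so keep this value in sync with its listenPort.
  wgPort = 6666;

  # The nat PREROUTING rule that exposes WireGuard on UDP/500 in addition to wgPort,
  # spelled once (without the `-t nat -C/-I/-D` verb) so that the start hook
  # checks/inserts and the stop hook deletes exactly the same rule.
  wgRedirectRule = "PREROUTING -i eth0 -d ${redirectTarget}/32 -p udp -m multiport --dports 500 -j REDIRECT --to-ports ${toString wgPort}";
in {
  # boot.kernel.sysctl = {"net.ipv4.ip_forward" = "1";};
  # NOTE(review): IPv4 forwarding is not enabled in this file; the wg0<->wg0 ACCEPT
  # in wireguard.postSetup only has an effect if ip_forward is turned on elsewhere
  # -- confirm.

  # https://github.com/NixOS/nixpkgs/issues/76671
  # the rpc.statd daemon is not running when not mounting any nfs filesystems on boot
  # and can't be manually started...
  boot.supportedFilesystems = ["nfs"];
  services.rpcbind.enable = true;

  # Do not let the openssh module open port 22 on every interface; 22 is opened
  # explicitly on wg0 only (see firewall.interfaces."wg0" below), so SSH is reachable
  # solely through the WireGuard tunnel.
  services.openssh.openFirewall = false;

  networking = {
    hostName = "altra";
    hostId = "4eb49917";

    useDHCP = false;
    interfaces.eth0.useDHCP = true;

    firewall.enable = true;

    # nameservers = [
    #   (secret.network.ips.blowhole.ip or "")
    #   "93.184.77.2"
    #   "67.207.67.3"
    # ];

    wireguard = {
      enable = true;
      interfaces."wg0" =
        {
          # The FORWARD policy is DROP (firewall.extraCommands), so this ACCEPT is
          # what permits traffic between WireGuard peers; it is removed on shutdown.
          postSetup = ''
            ${iptables} -I FORWARD -i wg0 -o wg0 -j ACCEPT
          '';
          postShutdown = ''
            ${iptables} -D FORWARD -i wg0 -o wg0 -j ACCEPT
          '';
        }
        # Key material, listenPort and peers live outside the repo.  The fallback keeps
        # evaluation working when `secret` lacks this host, but an empty privateKey
        # does not yield a usable interface -- it is a placeholder, not a default.
        // (secret.wireguard."altra" or {privateKey = "";});
    };

    # defaultGateway = "64.225.96.1";
    # defaultGateway6 = "";
    # dhcpcd.enable = false;
    # usePredictableInterfaceNames = lib.mkForce false;

    firewall = {
      extraCommands = ''
        # Default-deny forwarding.  This sets the IPv4 table only; the ip6tables
        # FORWARD policy is left untouched here.
        ${iptables} -P FORWARD DROP

        # extraCommands are re-run whenever the firewall is reloaded or restarted, and
        # a plain `-I` into the built-in nat PREROUTING chain is not cleaned up by the
        # NixOS firewall, so guard the insert with `-C` to avoid stacking duplicates.
        ${iptables} -t nat -C ${wgRedirectRule} 2>/dev/null \
          || ${iptables} -t nat -I ${wgRedirectRule}
      '';
      extraStopCommands = ''
        # Undo the insert above so a stopped firewall does not keep the redirect
        # around (the rule lives outside the NixOS-managed chains).
        ${iptables} -t nat -D ${wgRedirectRule} 2>/dev/null || true
      '';

      interfaces."eth0" = {
        # allowedTCPPorts = [
        #   80
        #   443
        #   6001
        # ];
        # Only the WireGuard endpoint is reachable from the public side.  UDP/500 also
        # works because the nat PREROUTING rule rewrites it to wgPort before INPUT
        # filtering.
        allowedUDPPorts = [
          wgPort
        ];
      };

      # interfaces."nomad" = {
      #   allowedTCPPorts = [
      #     8500
      #   ];
      # };

      interfaces."wg0" = {
        # Services reachable from WireGuard peers only.  22 is listed here rather than
        # on eth0 because services.openssh.openFirewall is false above.
        allowedTCPPorts = [
          8883
          22
          # ## Consul
          # 8600 # DNS
          # 8500 # HTTP
          # 8502 # gRPC
          # 8300 # server
          # 8301 # LAN serf
          # 8302 # WAN serf
          # 4646 # Nomad
          # 4647
          # 4648
          # 10000
        ];
        # allowedTCPPortRanges = [
        #   {
        #     from = 21000;
        #     to = 21255;
        #   }
        # ];
        # allowedUDPPorts = [
        #   ## Consul
        #   8600 # DNS
        #   8301 # LAN serf
        #   8302 # WAN serf
        # ];
        # allowedUDPPortRanges = [
        #   {
        #     from = 21000;
        #     to = 21255;
        #   }
        # ];
      };
    };

    # interfaces = {
    #   eth0 = {
    #     ipv4.addresses = [
    #       {
    #         address = "64.225.104.221";
    #         prefixLength = 20;
    #       }
    #       {
    #         address = "10.19.0.6";
    #         prefixLength = 16;
    #       }
    #     ];
    #     ipv6.addresses = [
    #       {
    #         address = "fe80::8ce0:84ff:fefb:f981";
    #         prefixLength = 64;
    #       }
    #     ];
    #     ipv4.routes = [
    #       {
    #         address = "64.225.96.1";
    #         prefixLength = 32;
    #       }
    #     ];
    #   };
    # };
  };

  # Pin the NIC's name to eth0 by MAC address; the firewall and nat rules above refer
  # to the interface by that name.
  services.udev.extraRules = ''
    ATTR{address}=="96:00:02:4e:68:63", NAME="eth0"
  '';
}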