mirror of
https://git.sr.ht/~magic_rb/dotfiles
synced 2024-11-26 10:06:13 +01:00
151 lines
3 KiB
Nix
151 lines
3 KiB
Nix
{
|
|
pkgs,
|
|
lib,
|
|
secret,
|
|
...
|
|
}: let
|
|
inherit
|
|
(lib)
|
|
getExe'
|
|
;
|
|
in {
|
|
boot.kernel.sysctl = {"net.ipv4.ip_forward" = "1";};
|
|
|
|
# https://github.com/NixOS/nixpkgs/issues/76671
|
|
# the rpc.statd daemon is not running when not mounting any nfs filesystems on boot
|
|
# and can't be manually started...
|
|
boot.supportedFilesystems = ["nfs"];
|
|
services.rpcbind.enable = true;
|
|
|
|
services.openssh.openFirewall = false;
|
|
|
|
networking = {
|
|
hostName = "toothpick";
|
|
|
|
nameservers = [
|
|
(secret.network.ips.blowhole.ip or "")
|
|
"93.184.77.2"
|
|
"67.207.67.3"
|
|
];
|
|
|
|
wireguard = {
|
|
enable = true;
|
|
interfaces."wg0" =
|
|
{
|
|
postSetup = ''
|
|
${getExe' pkgs.iptables "iptables"} -I FORWARD -i wg0 -o wg0 -j ACCEPT
|
|
'';
|
|
|
|
postShutdown = ''
|
|
${getExe' pkgs.iptables "iptables"} -D FORWARD -i wg0 -o wg0 -j ACCEPT
|
|
'';
|
|
}
|
|
// secret.wireguard."toothpick" or {privateKey = "";};
|
|
};
|
|
|
|
defaultGateway = "64.225.96.1";
|
|
defaultGateway6 = "";
|
|
dhcpcd.enable = false;
|
|
usePredictableInterfaceNames = lib.mkForce false;
|
|
|
|
nat.forwardPorts = [
|
|
{
|
|
destination = "64.225.104.221:6666";
|
|
proto = "udp";
|
|
sourcePort = 500;
|
|
}
|
|
];
|
|
|
|
firewall = {
|
|
extraCommands = ''
|
|
iptables -P FORWARD DROP
|
|
iptables -t nat -I PREROUTING -i eth0 -d 64.225.104.221/32 -p udp -m multiport --dports 500 -j REDIRECT --to-ports 6666
|
|
'';
|
|
|
|
interfaces."eth0" = {
|
|
allowedTCPPorts = [
|
|
80
|
|
443
|
|
6001
|
|
];
|
|
allowedUDPPorts = [
|
|
6666
|
|
500
|
|
];
|
|
};
|
|
|
|
interfaces."nomad" = {
|
|
allowedTCPPorts = [
|
|
8500
|
|
];
|
|
};
|
|
|
|
interfaces."wg0" = {
|
|
allowedTCPPorts = [
|
|
## Consul
|
|
8600 # DNS
|
|
8500 # HTTP
|
|
8502 # gRPC
|
|
8300 # server
|
|
8301 # LAN serf
|
|
8302 # WAN serf
|
|
4646 # Nomad
|
|
4647
|
|
4648
|
|
10000
|
|
22 # SSH
|
|
];
|
|
allowedTCPPortRanges = [
|
|
{
|
|
from = 21000;
|
|
to = 21255;
|
|
}
|
|
];
|
|
allowedUDPPorts = [
|
|
## Consul
|
|
8600 # DNS
|
|
8301 # LAN serf
|
|
8302 # WAN serf
|
|
];
|
|
allowedUDPPortRanges = [
|
|
{
|
|
from = 21000;
|
|
to = 21255;
|
|
}
|
|
];
|
|
};
|
|
};
|
|
|
|
interfaces = {
|
|
eth0 = {
|
|
ipv4.addresses = [
|
|
{
|
|
address = "64.225.104.221";
|
|
prefixLength = 20;
|
|
}
|
|
{
|
|
address = "10.19.0.6";
|
|
prefixLength = 16;
|
|
}
|
|
];
|
|
ipv6.addresses = [
|
|
{
|
|
address = "fe80::8ce0:84ff:fefb:f981";
|
|
prefixLength = 64;
|
|
}
|
|
];
|
|
ipv4.routes = [
|
|
{
|
|
address = "64.225.96.1";
|
|
prefixLength = 32;
|
|
}
|
|
];
|
|
};
|
|
};
|
|
};
|
|
|
|
services.udev.extraRules = ''
|
|
ATTR{address}=="8e:e0:84:fb:f9:81", NAME="eth0"
|
|
'';
|
|
}
|