
Fix nftables based firewall

This commit is contained in:
Malte 2023-01-14 04:05:21 +01:00
parent d59e0ed14b
commit 37fbf0808e
5 changed files with 41 additions and 67 deletions


@ -104,16 +104,12 @@ with lib; let
address = hosts.hera-intern-v4; address = hosts.hera-intern-v4;
interface = "eth0"; interface = "eth0";
}; };
firewall.allowedTCPPorts = [80 443]; firewall.allowedTCPPorts = [80 443 9100 9113];
}; };
systemd.services = nextcloudServices hostname; systemd.services = nextcloudServices hostname;
services = { services = {
nextcloud = nextcloudConf hostname; nextcloud = nextcloudConf hostname;
prometheus.exporters = {
node.openFirewall = true;
nginx.openFirewall = true;
};
nginx.appendHttpConfig = "access_log off;"; nginx.appendHttpConfig = "access_log off;";
redis.servers."".enable = true; redis.servers."".enable = true;
@ -132,7 +128,7 @@ in {
services = services =
{ {
rss-server = { rss-server = {
serviceConfig.ExecStart = "${pkgs.python3}/bin/python -m http.server 8842 -d /var/www/rss"; serviceConfig.ExecStart = "${pkgs.python3}/bin/python -m http.server --bind ${hosts.vpn.hera} 8842 -d /var/www/rss";
wantedBy = ["multi-user.target"]; wantedBy = ["multi-user.target"];
}; };
} }
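Review bot: The new `firewall.allowedTCPPorts = [80 443 9100 9113];` in the first hunk opens the node and nginx exporter ports on every interface of the host, not only the VPN side; the `openFirewall` lines it replaces had the same effect, so this is not a regression, but the second hunk already scopes the rss-server to `--bind ${hosts.vpn.hera}`, and the exporters could be scoped the same way. Either keep 9100/9113 out of the global list and add `firewall.interfaces.<VPN_IFACE>.allowedTCPPorts = [9100 9113];` (interface name not visible here), or set `listenAddress` on the two exporters to the VPN address. A one-line comment on the port list saying which service each of 9100 and 9113 belongs to would also help the next reader. The enclosing attrset starts before this hunk.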


@ -35,15 +35,6 @@ in {
interface = "ens18"; interface = "ens18";
}; };
#firewall = {
# extraCommands = ''
# ip6tables -A INPUT -i m0wire -j ACCEPT
# ip6tables -A FORWARD -p ipv6-icmp -j ACCEPT
# ip6tables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# ip6tables -A FORWARD ! -i m0wire -j nixos-fw-log-refuse
# '';
#};
bridges.bridge.interfaces = []; bridges.bridge.interfaces = [];
interfaces.bridge = { interfaces.bridge = {
proxyARP = true; proxyARP = true;


@ -3,8 +3,29 @@
config, config,
lib, lib,
... ...
}: { }: let
inherit (import ../../nix/sources.nix) nixos-unstable;
networkingModule = name: "${nixos-unstable}/nixos/modules/services/networking/${name}.nix";
in {
# nftables using module not available in 22.11.
disabledModules = [
"services/networking/firewall.nix"
"services/networking/nftables.nix"
"services/networking/nat.nix"
"services/networking/redsocks.nix"
"services/networking/miniupnpd.nix"
"services/audio/roon-server.nix"
"services/audio/roon-bridge.nix"
];
imports = [ imports = [
(networkingModule "firewall-iptables")
(networkingModule "firewall-nftables")
(networkingModule "firewall")
(networkingModule "nat-iptables")
(networkingModule "nat-nftables")
(networkingModule "nat")
(networkingModule "nftables")
../../common ../../common
./admin.nix ./admin.nix
]; ];
@ -23,7 +44,12 @@
networking = { networking = {
resolvconf.dnsExtensionMechanism = false; # this breaks dnssec but is necessary for certain bad-behaved hotspots resolvconf.dnsExtensionMechanism = false; # this breaks dnssec but is necessary for certain bad-behaved hotspots
firewall.allowPing = true; firewall = {
enable = true; # Its the default, but better make sure.
allowPing = true;
extraInputRules = "meta iifname m0wire accept comment \"My VPN\"";
};
nftables.enable = true; # Uses firewall variables since 23.05
useDHCP = false; # enabled per interface useDHCP = false; # enabled per interface
hosts = hosts =
lib.zipAttrs lib.zipAttrs
@ -171,17 +197,16 @@
services = { services = {
logind.killUserProcesses = false; logind.killUserProcesses = false;
journald.extraConfig = "SystemMaxUse=5G"; journald.extraConfig = "SystemMaxUse=5G";
#prometheus.exporters = { prometheus.exporters = {
# node = { node = {
# enable = false; enable = true;
# enabledCollectors = ["systemd" "logind"]; enabledCollectors = ["systemd" "logind"];
# disabledCollectors = ["timex"]; disabledCollectors = ["timex"];
# }; };
# nginx = { nginx = {
# inherit (config.services.nginx) enable; inherit (config.services.nginx) enable;
# # openFirewall = true; };
# }; };
#};
nginx = { nginx = {
statusPage = true; statusPage = true;
recommendedOptimisation = true; recommendedOptimisation = true;
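Review bot: The `disabledModules` list in the first hunk disables `redsocks`, `miniupnpd`, `roon-server` and `roon-bridge` without importing replacements from `nixos-unstable`, and the only comment (`# nftables using module not available in 22.11.`) explains the firewall/nat/nftables entries, not these; presumably they are switched off because they touch firewall options that the unstable module changed, and that reason should be written next to them, e.g. `# disabled: these 22.11 modules reference firewall internals that the unstable firewall module replaces; not used on this host`. The list moved here from the other file also drops `services/monitoring/prometheus/exporters.nix`, which looks deliberate since the exporters block in the third hunk is now enabled — worth one sentence in the same comment so the difference is not mistaken for an oversight. Note that with `extraInputRules = "meta iifname m0wire accept ..."` every listener on the host, including the newly enabled exporters, is reachable over the VPN interface, which is apparently the intent but deserves stating in the `# My VPN` comment. The `networking` and `services` attrsets both begin and end outside the hunks shown.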


@ -8,12 +8,6 @@
prometheus = { prometheus = {
enable = true; enable = true;
extraFlags = ["--query.lookback-delta=180m" "--storage.tsdb.retention.time=720d"]; extraFlags = ["--query.lookback-delta=180m" "--storage.tsdb.retention.time=720d"];
exporters = {
blackbox = {
enable = true;
configFile = ./blackbox_rules.yml;
};
};
ruleFiles = [./rules.yml]; ruleFiles = [./rules.yml];
scrapeConfigs = let scrapeConfigs = let
alert_type = "infrastructure"; alert_type = "infrastructure";


@ -2,39 +2,7 @@
pkgs, pkgs,
config, config,
... ...
}: let }: {
inherit (import ../../../nix/sources.nix) nixos-unstable;
networkingModule = name: "${nixos-unstable}/nixos/modules/services/networking/${name}.nix";
in {
# nftables using module not available in 22.11.
disabledModules = [
"services/networking/firewall.nix"
"services/networking/nftables.nix"
"services/networking/nat.nix"
"services/networking/redsocks.nix"
"services/networking/miniupnpd.nix"
"services/monitoring/prometheus/exporters.nix"
"services/audio/roon-server.nix"
"services/audio/roon-bridge.nix"
];
imports = [
(networkingModule "firewall-iptables")
(networkingModule "firewall-nftables")
(networkingModule "firewall")
(networkingModule "nat-iptables")
(networkingModule "nat-nftables")
(networkingModule "nat")
(networkingModule "nftables")
];
networking = {
firewall = {
enable = true; # Its the default, but better make sure.
};
nftables.enable = true; # Uses firewall variables since 23.05
};
boot = { boot = {
plymouth.enable = true; plymouth.enable = true;
loader = { loader = {