Fix nftables based firewall
This commit is contained in:
parent
d59e0ed14b
commit
37fbf0808e
@ -104,16 +104,12 @@ with lib; let
|
||||||
address = hosts.hera-intern-v4;
|
address = hosts.hera-intern-v4;
|
||||||
interface = "eth0";
|
interface = "eth0";
|
||||||
};
|
};
|
||||||
firewall.allowedTCPPorts = [80 443];
|
firewall.allowedTCPPorts = [80 443 9100 9113];
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.services = nextcloudServices hostname;
|
systemd.services = nextcloudServices hostname;
|
||||||
services = {
|
services = {
|
||||||
nextcloud = nextcloudConf hostname;
|
nextcloud = nextcloudConf hostname;
|
||||||
prometheus.exporters = {
|
|
||||||
node.openFirewall = true;
|
|
||||||
nginx.openFirewall = true;
|
|
||||||
};
|
|
||||||
nginx.appendHttpConfig = "access_log off;";
|
nginx.appendHttpConfig = "access_log off;";
|
||||||
redis.servers."".enable = true;
|
redis.servers."".enable = true;
|
||||||
|
|
||||||
|
@ -132,7 +128,7 @@ in {
|
||||||
services =
|
services =
|
||||||
{
|
{
|
||||||
rss-server = {
|
rss-server = {
|
||||||
serviceConfig.ExecStart = "${pkgs.python3}/bin/python -m http.server 8842 -d /var/www/rss";
|
serviceConfig.ExecStart = "${pkgs.python3}/bin/python -m http.server --bind ${hosts.vpn.hera} 8842 -d /var/www/rss";
|
||||||
wantedBy = ["multi-user.target"];
|
wantedBy = ["multi-user.target"];
|
||||||
};
|
};
|
||||||
}
|
}
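Review bot: The new `firewall.allowedTCPPorts = [80 443 9100 9113];` in the first hunk opens the node and nginx exporter ports on every interface, whereas the rss-server in the second hunk is deliberately bound to `${hosts.vpn.hera}`. If these exporters are only scraped over the VPN, the same restriction fits them: set `listenAddress = hosts.vpn.hera;` on each exporter (or scope the two ports with `networking.firewall.interfaces.<vpn-interface>.allowedTCPPorts`, interface name to be filled in) and keep the global list at `[80 443]`. The per-exporter `openFirewall = true` presumably had to go because its rules are not applied under the nftables backend; a comment on the port list such as `# 9100/9113: node and nginx exporters (openFirewall does not work with the nftables backend)` would keep that reason visible. The enclosing attribute set starts and ends outside both hunks.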
|
||||||
|
|
|
@ -35,15 +35,6 @@ in {
|
||||||
interface = "ens18";
|
interface = "ens18";
|
||||||
};
|
};
|
||||||
|
|
||||||
#firewall = {
|
|
||||||
# extraCommands = ''
|
|
||||||
# ip6tables -A INPUT -i m0wire -j ACCEPT
|
|
||||||
# ip6tables -A FORWARD -p ipv6-icmp -j ACCEPT
|
|
||||||
# ip6tables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
|
||||||
# ip6tables -A FORWARD ! -i m0wire -j nixos-fw-log-refuse
|
|
||||||
# '';
|
|
||||||
#};
|
|
||||||
|
|
||||||
bridges.bridge.interfaces = [];
|
bridges.bridge.interfaces = [];
|
||||||
interfaces.bridge = {
|
interfaces.bridge = {
|
||||||
proxyARP = true;
|
proxyARP = true;
|
||||||
|
|
|
@ -3,8 +3,29 @@
|
||||||
config,
|
config,
|
||||||
lib,
|
lib,
|
||||||
...
|
...
|
||||||
}: {
|
}: let
|
||||||
|
inherit (import ../../nix/sources.nix) nixos-unstable;
|
||||||
|
networkingModule = name: "${nixos-unstable}/nixos/modules/services/networking/${name}.nix";
|
||||||
|
in {
|
||||||
|
# nftables using module not available in 22.11.
|
||||||
|
disabledModules = [
|
||||||
|
"services/networking/firewall.nix"
|
||||||
|
"services/networking/nftables.nix"
|
||||||
|
"services/networking/nat.nix"
|
||||||
|
"services/networking/redsocks.nix"
|
||||||
|
"services/networking/miniupnpd.nix"
|
||||||
|
"services/audio/roon-server.nix"
|
||||||
|
"services/audio/roon-bridge.nix"
|
||||||
|
];
|
||||||
|
|
||||||
imports = [
|
imports = [
|
||||||
|
(networkingModule "firewall-iptables")
|
||||||
|
(networkingModule "firewall-nftables")
|
||||||
|
(networkingModule "firewall")
|
||||||
|
(networkingModule "nat-iptables")
|
||||||
|
(networkingModule "nat-nftables")
|
||||||
|
(networkingModule "nat")
|
||||||
|
(networkingModule "nftables")
|
||||||
../../common
|
../../common
|
||||||
./admin.nix
|
./admin.nix
|
||||||
];
|
];
|
||||||
|
@ -23,7 +44,12 @@
|
||||||
|
|
||||||
networking = {
|
networking = {
|
||||||
resolvconf.dnsExtensionMechanism = false; # this breaks dnssec but is necessary for certain bad-behaved hotspots
|
resolvconf.dnsExtensionMechanism = false; # this breaks dnssec but is necessary for certain bad-behaved hotspots
|
||||||
firewall.allowPing = true;
|
firewall = {
|
||||||
|
enable = true; # It’s the default, but better make sure.
|
||||||
|
allowPing = true;
|
||||||
|
extraInputRules = "meta iifname m0wire accept comment \"My VPN\"";
|
||||||
|
};
|
||||||
|
nftables.enable = true; # Uses firewall variables since 23.05
|
||||||
useDHCP = false; # enabled per interface
|
useDHCP = false; # enabled per interface
|
||||||
hosts =
|
hosts =
|
||||||
lib.zipAttrs
|
lib.zipAttrs
|
||||||
|
@ -171,17 +197,16 @@
|
||||||
services = {
|
services = {
|
||||||
logind.killUserProcesses = false;
|
logind.killUserProcesses = false;
|
||||||
journald.extraConfig = "SystemMaxUse=5G";
|
journald.extraConfig = "SystemMaxUse=5G";
|
||||||
#prometheus.exporters = {
|
prometheus.exporters = {
|
||||||
# node = {
|
node = {
|
||||||
# enable = false;
|
enable = true;
|
||||||
# enabledCollectors = ["systemd" "logind"];
|
enabledCollectors = ["systemd" "logind"];
|
||||||
# disabledCollectors = ["timex"];
|
disabledCollectors = ["timex"];
|
||||||
# };
|
};
|
||||||
# nginx = {
|
nginx = {
|
||||||
# inherit (config.services.nginx) enable;
|
inherit (config.services.nginx) enable;
|
||||||
# # openFirewall = true;
|
};
|
||||||
# };
|
};
|
||||||
#};
|
|
||||||
nginx = {
|
nginx = {
|
||||||
statusPage = true;
|
statusPage = true;
|
||||||
recommendedOptimisation = true;
|
recommendedOptimisation = true;
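Review bot: `extraInputRules = "meta iifname m0wire accept comment \"My VPN\"";` in the second hunk trusts every packet arriving on m0wire via a raw nftables fragment; `networking.firewall.trustedInterfaces = ["m0wire"];` expresses the same rule declaratively and is honored by both the iptables and the nftables backend, so the block would not need editing if `nftables.enable` were ever turned off again. Whichever form stays, a comment should state that the VPN interface is fully trusted — e.g. `# everything arriving over the VPN is accepted; the exporters below rely on this` — because the node exporter enabled in the third hunk opens no port and is presumably reachable only through this rule (or through a port a host file opens explicitly). The `disabledModules` list in the first hunk also drops redsocks, miniupnpd and the two roon modules without re-importing them from nixos-unstable, so those services are unavailable until the pin changes; a short comment next to the list would prevent a surprise later. Each hunk's enclosing attribute set continues outside the hunk.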
|
||||||
|
|
|
@ -8,12 +8,6 @@
|
||||||
prometheus = {
|
prometheus = {
|
||||||
enable = true;
|
enable = true;
|
||||||
extraFlags = ["--query.lookback-delta=180m" "--storage.tsdb.retention.time=720d"];
|
extraFlags = ["--query.lookback-delta=180m" "--storage.tsdb.retention.time=720d"];
|
||||||
exporters = {
|
|
||||||
blackbox = {
|
|
||||||
enable = true;
|
|
||||||
configFile = ./blackbox_rules.yml;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
ruleFiles = [./rules.yml];
|
ruleFiles = [./rules.yml];
|
||||||
scrapeConfigs = let
|
scrapeConfigs = let
|
||||||
alert_type = "infrastructure";
|
alert_type = "infrastructure";
|
||||||
|
|
|
@ -2,39 +2,7 @@
|
||||||
pkgs,
|
pkgs,
|
||||||
config,
|
config,
|
||||||
...
|
...
|
||||||
}: let
|
}: {
|
||||||
inherit (import ../../../nix/sources.nix) nixos-unstable;
|
|
||||||
networkingModule = name: "${nixos-unstable}/nixos/modules/services/networking/${name}.nix";
|
|
||||||
in {
|
|
||||||
# nftables using module not available in 22.11.
|
|
||||||
disabledModules = [
|
|
||||||
"services/networking/firewall.nix"
|
|
||||||
"services/networking/nftables.nix"
|
|
||||||
"services/networking/nat.nix"
|
|
||||||
"services/networking/redsocks.nix"
|
|
||||||
"services/networking/miniupnpd.nix"
|
|
||||||
"services/monitoring/prometheus/exporters.nix"
|
|
||||||
"services/audio/roon-server.nix"
|
|
||||||
"services/audio/roon-bridge.nix"
|
|
||||||
];
|
|
||||||
|
|
||||||
imports = [
|
|
||||||
(networkingModule "firewall-iptables")
|
|
||||||
(networkingModule "firewall-nftables")
|
|
||||||
(networkingModule "firewall")
|
|
||||||
(networkingModule "nat-iptables")
|
|
||||||
(networkingModule "nat-nftables")
|
|
||||||
(networkingModule "nat")
|
|
||||||
(networkingModule "nftables")
|
|
||||||
];
|
|
||||||
|
|
||||||
networking = {
|
|
||||||
firewall = {
|
|
||||||
enable = true; # It’s the default, but better make sure.
|
|
||||||
};
|
|
||||||
nftables.enable = true; # Uses firewall variables since 23.05
|
|
||||||
};
|
|
||||||
|
|
||||||
boot = {
|
boot = {
|
||||||
plymouth.enable = true;
|
plymouth.enable = true;
|
||||||
loader = {
|
loader = {
|
||||||
|
|