Fix nftables based firewall
parent
d59e0ed14b
commit
37fbf0808e
|
@ -104,16 +104,12 @@ with lib; let
|
|||
address = hosts.hera-intern-v4;
|
||||
interface = "eth0";
|
||||
};
|
||||
firewall.allowedTCPPorts = [80 443];
|
||||
firewall.allowedTCPPorts = [80 443 9100 9113];
|
||||
};
|
||||
|
||||
systemd.services = nextcloudServices hostname;
|
||||
services = {
|
||||
nextcloud = nextcloudConf hostname;
|
||||
prometheus.exporters = {
|
||||
node.openFirewall = true;
|
||||
nginx.openFirewall = true;
|
||||
};
|
||||
nginx.appendHttpConfig = "access_log off;";
|
||||
redis.servers."".enable = true;
|
||||
|
||||
|
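Review bot: `firewall.allowedTCPPorts = [80 443 9100 9113];` replaces the removed `node.openFirewall`/`nginx.openFirewall` lines with ports that are now open on every interface, while the exporters enabled in the common-config hunk (`prometheus.exporters = { node = { enable = true; …`) set no `listenAddress`, so the metrics endpoints are reachable from wherever 80/443 are. If the scrape is meant to come over the VPN, scope the two ports to that interface, `firewall.interfaces.m0wire.allowedTCPPorts = [9100 9113];`, and keep `[80 443]` in the global list, or pin the exporters' `listenAddress` the way the rss-server hunk pins its bind address. Either way the bare numbers deserve a comment, `# 9100/9113: node and nginx exporters (replaces openFirewall, which used iptables extraCommands)`, the second half being my inference for why openFirewall was dropped.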
@ -132,7 +128,7 @@ in {
|
|||
services =
|
||||
{
|
||||
rss-server = {
|
||||
serviceConfig.ExecStart = "${pkgs.python3}/bin/python -m http.server 8842 -d /var/www/rss";
|
||||
serviceConfig.ExecStart = "${pkgs.python3}/bin/python -m http.server --bind ${hosts.vpn.hera} 8842 -d /var/www/rss";
|
||||
wantedBy = ["multi-user.target"];
|
||||
};
|
||||
}
|
||||
|
|
|
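Review bot: The new `ExecStart` binds `http.server` to `${hosts.vpn.hera}`, but the unit only declares `wantedBy = ["multi-user.target"];`, so if that VPN address is not yet assigned at boot the bind fails and the service stays dead. Consider `after = ["network-online.target"]; wants = ["network-online.target"];` alongside `wantedBy`, or at least `serviceConfig.Restart = "on-failure";` so it recovers once the interface is up. The `rss-server` attribute set starts inside the hunk but the surrounding `services` attribute set continues past it.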
@ -35,15 +35,6 @@ in {
|
|||
interface = "ens18";
|
||||
};
|
||||
|
||||
#firewall = {
|
||||
# extraCommands = ''
|
||||
# ip6tables -A INPUT -i m0wire -j ACCEPT
|
||||
# ip6tables -A FORWARD -p ipv6-icmp -j ACCEPT
|
||||
# ip6tables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||
# ip6tables -A FORWARD ! -i m0wire -j nixos-fw-log-refuse
|
||||
# '';
|
||||
#};
|
||||
|
||||
bridges.bridge.interfaces = [];
|
||||
interfaces.bridge = {
|
||||
proxyARP = true;
|
||||
|
|
|
@ -3,8 +3,29 @@
|
|||
config,
|
||||
lib,
|
||||
...
|
||||
}: {
|
||||
}: let
|
||||
inherit (import ../../nix/sources.nix) nixos-unstable;
|
||||
networkingModule = name: "${nixos-unstable}/nixos/modules/services/networking/${name}.nix";
|
||||
in {
|
||||
# nftables using module not available in 22.11.
|
||||
disabledModules = [
|
||||
"services/networking/firewall.nix"
|
||||
"services/networking/nftables.nix"
|
||||
"services/networking/nat.nix"
|
||||
"services/networking/redsocks.nix"
|
||||
"services/networking/miniupnpd.nix"
|
||||
"services/audio/roon-server.nix"
|
||||
"services/audio/roon-bridge.nix"
|
||||
];
|
||||
|
||||
imports = [
|
||||
(networkingModule "firewall-iptables")
|
||||
(networkingModule "firewall-nftables")
|
||||
(networkingModule "firewall")
|
||||
(networkingModule "nat-iptables")
|
||||
(networkingModule "nat-nftables")
|
||||
(networkingModule "nat")
|
||||
(networkingModule "nftables")
|
||||
../../common
|
||||
./admin.nix
|
||||
];
|
||||
|
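Review bot: `disabledModules` also drops `redsocks.nix`, `miniupnpd.nix`, `roon-server.nix` and `roon-bridge.nix`, but `imports` re-imports only the firewall/nat/nftables modules, and the comment `# nftables using module not available in 22.11.` does not explain the other four. Presumably they are disabled because the 22.11 versions reference firewall internals that the imported unstable modules no longer provide; a comment saying so, e.g. `# Disabled without replacement: their 22.11 versions depend on the iptables firewall internals.`, would tell the next reader what to do if one of those services is ever enabled. Since `networkingModule` resolves into the `nixos-unstable` pin from `../../nix/sources.nix`, it is also worth noting that bumping that pin now changes the firewall implementation on every host.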
@ -23,7 +44,12 @@
|
|||
|
||||
networking = {
|
||||
resolvconf.dnsExtensionMechanism = false; # this breaks dnssec but is necessary for certain bad-behaved hotspots
|
||||
firewall.allowPing = true;
|
||||
firewall = {
|
||||
enable = true; # It’s the default, but better make sure.
|
||||
allowPing = true;
|
||||
extraInputRules = "meta iifname m0wire accept comment \"My VPN\"";
|
||||
};
|
||||
nftables.enable = true; # Uses firewall variables since 23.05
|
||||
useDHCP = false; # enabled per interface
|
||||
hosts =
|
||||
lib.zipAttrs
|
||||
|
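Review bot: `extraInputRules = "meta iifname m0wire accept comment \"My VPN\"";` accepts all input on the VPN interface via a raw nftables string, which ties this common module to the nftables backend and hides the intent behind a rule fragment. The declarative equivalent, `trustedInterfaces = ["m0wire"];`, expresses the same trust decision and is honoured by both the iptables and nftables firewall modules imported in this commit. Given this block lives in the shared config, a short comment that every host is expected to have an `m0wire` interface (or that the rule is a no-op where it is absent) would also help.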
@ -171,17 +197,16 @@
|
|||
services = {
|
||||
logind.killUserProcesses = false;
|
||||
journald.extraConfig = "SystemMaxUse=5G";
|
||||
#prometheus.exporters = {
|
||||
# node = {
|
||||
# enable = false;
|
||||
# enabledCollectors = ["systemd" "logind"];
|
||||
# disabledCollectors = ["timex"];
|
||||
# };
|
||||
# nginx = {
|
||||
# inherit (config.services.nginx) enable;
|
||||
# # openFirewall = true;
|
||||
# };
|
||||
#};
|
||||
prometheus.exporters = {
|
||||
node = {
|
||||
enable = true;
|
||||
enabledCollectors = ["systemd" "logind"];
|
||||
disabledCollectors = ["timex"];
|
||||
};
|
||||
nginx = {
|
||||
inherit (config.services.nginx) enable;
|
||||
};
|
||||
};
|
||||
nginx = {
|
||||
statusPage = true;
|
||||
recommendedOptimisation = true;
|
||||
|
|
|
@ -8,12 +8,6 @@
|
|||
prometheus = {
|
||||
enable = true;
|
||||
extraFlags = ["--query.lookback-delta=180m" "--storage.tsdb.retention.time=720d"];
|
||||
exporters = {
|
||||
blackbox = {
|
||||
enable = true;
|
||||
configFile = ./blackbox_rules.yml;
|
||||
};
|
||||
};
|
||||
ruleFiles = [./rules.yml];
|
||||
scrapeConfigs = let
|
||||
alert_type = "infrastructure";
|
||||
|
|
|
@ -2,39 +2,7 @@
|
|||
pkgs,
|
||||
config,
|
||||
...
|
||||
}: let
|
||||
inherit (import ../../../nix/sources.nix) nixos-unstable;
|
||||
networkingModule = name: "${nixos-unstable}/nixos/modules/services/networking/${name}.nix";
|
||||
in {
|
||||
# nftables using module not available in 22.11.
|
||||
disabledModules = [
|
||||
"services/networking/firewall.nix"
|
||||
"services/networking/nftables.nix"
|
||||
"services/networking/nat.nix"
|
||||
"services/networking/redsocks.nix"
|
||||
"services/networking/miniupnpd.nix"
|
||||
"services/monitoring/prometheus/exporters.nix"
|
||||
"services/audio/roon-server.nix"
|
||||
"services/audio/roon-bridge.nix"
|
||||
];
|
||||
|
||||
imports = [
|
||||
(networkingModule "firewall-iptables")
|
||||
(networkingModule "firewall-nftables")
|
||||
(networkingModule "firewall")
|
||||
(networkingModule "nat-iptables")
|
||||
(networkingModule "nat-nftables")
|
||||
(networkingModule "nat")
|
||||
(networkingModule "nftables")
|
||||
];
|
||||
|
||||
networking = {
|
||||
firewall = {
|
||||
enable = true; # It’s the default, but better make sure.
|
||||
};
|
||||
nftables.enable = true; # Uses firewall variables since 23.05
|
||||
};
|
||||
|
||||
}: {
|
||||
boot = {
|
||||
plymouth.enable = true;
|
||||
loader = {
|
||||
|
|