Switch to nftables
parent
1b7fa65915
commit
d59e0ed14b
|
@ -35,14 +35,14 @@ in {
|
|||
interface = "ens18";
|
||||
};
|
||||
|
||||
firewall = {
|
||||
extraCommands = ''
|
||||
ip6tables -A INPUT -i m0wire -j ACCEPT
|
||||
ip6tables -A FORWARD -p ipv6-icmp -j ACCEPT
|
||||
ip6tables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||
ip6tables -A FORWARD ! -i m0wire -j nixos-fw-log-refuse
|
||||
'';
|
||||
};
|
||||
#firewall = {
|
||||
# extraCommands = ''
|
||||
# ip6tables -A INPUT -i m0wire -j ACCEPT
|
||||
# ip6tables -A FORWARD -p ipv6-icmp -j ACCEPT
|
||||
# ip6tables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||
# ip6tables -A FORWARD ! -i m0wire -j nixos-fw-log-refuse
|
||||
# '';
|
||||
#};
|
||||
|
||||
bridges.bridge.interfaces = [];
|
||||
interfaces.bridge = {
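Review bot: The four ip6tables rules in `extraCommands` are commented out without any nftables equivalent being added elsewhere in the commit, so the behaviour they encoded is silently gone: the blanket accept of inbound traffic on m0wire, and the FORWARD policy of accepting ipv6-icmp and RELATED/ESTABLISHED while refusing forwarding from any other interface via `nixos-fw-log-refuse`. With the nftables-based firewall enabled in the last hunk, forwarded traffic is presumably only filtered when `networking.firewall.filterForward` is set (if the imported unstable module provides that option), and anything beyond the standard chains belongs in `networking.nftables.ruleset`; the INPUT accept is most naturally replaced by an explicit `networking.firewall.interfaces.m0wire.allowedTCPPorts = [ … ];` / `allowedUDPPorts` list so the exposure on that interface is visible instead of implicit. Since `extraCommands` is iptables-only, leaving the block commented out documents nothing; delete it and put a one-line comment in its place such as `# Former ip6tables m0wire INPUT/FORWARD rules live in networking.nftables.ruleset (see nftables.nix).` once the replacement exists. The enclosing `networking` attribute set starts and ends outside the hunk.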
|
||||
|
|
|
@ -161,10 +161,10 @@ in {
|
|||
cleanupInterval = "15m";
|
||||
snapshotInterval = "*:00/3:00";
|
||||
};
|
||||
prometheus.exporters.node = {
|
||||
firewallFilter = "-i m0wire -p tcp -m tcp -m multiport --dports 9100,9558";
|
||||
openFirewall = true;
|
||||
};
|
||||
#prometheus.exporters.node = {
|
||||
# firewallFilter = "-i m0wire -p tcp -m tcp -m multiport --dports 9100,9558";
|
||||
# openFirewall = lib.mkForce false;
|
||||
#};
|
||||
syncthing =
|
||||
{
|
||||
enable = true;
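Review bot: Commenting out `prometheus.exporters.node` here (and switching the commented version to `openFirewall = lib.mkForce false`), together with `enable = false` for the node exporter and the nginx exporter's `openFirewall` in the third hunk and the dropped `--collector.textfile.directory` flag in the fourth, stops node metrics collection on ports 9100/9558 entirely; nothing in the commit says whether that monitoring gap is intended or temporary. The `firewallFilter` string is iptables match syntax, so it cannot simply be re-enabled once nftables is active; the nftables-compatible way to keep the exporter reachable only over m0wire is `networking.firewall.interfaces.m0wire.allowedTCPPorts = [ 9100 9558 ];` with `openFirewall = false`. Either way, replace the commented-out block with a comment stating the reason and the follow-up, e.g. `# Node exporter disabled: 22.11 exporters module needs the iptables firewall; re-enable once an nftables-aware exporters module is imported.`. The enclosing `services` attribute set starts and ends outside the hunk.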
|
||||
|
|
|
@ -171,17 +171,17 @@
|
|||
services = {
|
||||
logind.killUserProcesses = false;
|
||||
journald.extraConfig = "SystemMaxUse=5G";
|
||||
prometheus.exporters = {
|
||||
node = {
|
||||
enable = true;
|
||||
enabledCollectors = ["systemd" "logind"];
|
||||
disabledCollectors = ["timex"];
|
||||
};
|
||||
nginx = {
|
||||
inherit (config.services.nginx) enable;
|
||||
openFirewall = true;
|
||||
};
|
||||
};
|
||||
#prometheus.exporters = {
|
||||
# node = {
|
||||
# enable = false;
|
||||
# enabledCollectors = ["systemd" "logind"];
|
||||
# disabledCollectors = ["timex"];
|
||||
# };
|
||||
# nginx = {
|
||||
# inherit (config.services.nginx) enable;
|
||||
# # openFirewall = true;
|
||||
# };
|
||||
#};
|
||||
nginx = {
|
||||
statusPage = true;
|
||||
recommendedOptimisation = true;
|
||||
|
|
|
@ -5,7 +5,7 @@
|
|||
}: let
|
||||
textfilesDir = "/var/cache/prometheus-textfiles";
|
||||
in {
|
||||
services.prometheus.exporters.node.extraFlags = ["--collector.textfile.directory /var/cache/prometheus-textfiles"];
|
||||
# services.prometheus.exporters.node.extraFlags = ["--collector.textfile.directory /var/cache/prometheus-textfiles"];
|
||||
systemd = {
|
||||
services.folder-size-exporter = {
|
||||
description = "Write folder size for promtext exporter";
|
||||
|
|
|
@ -2,7 +2,39 @@
|
|||
pkgs,
|
||||
config,
|
||||
...
|
||||
}: {
|
||||
}: let
|
||||
inherit (import ../../../nix/sources.nix) nixos-unstable;
|
||||
networkingModule = name: "${nixos-unstable}/nixos/modules/services/networking/${name}.nix";
|
||||
in {
|
||||
# nftables using module not available in 22.11.
|
||||
disabledModules = [
|
||||
"services/networking/firewall.nix"
|
||||
"services/networking/nftables.nix"
|
||||
"services/networking/nat.nix"
|
||||
"services/networking/redsocks.nix"
|
||||
"services/networking/miniupnpd.nix"
|
||||
"services/monitoring/prometheus/exporters.nix"
|
||||
"services/audio/roon-server.nix"
|
||||
"services/audio/roon-bridge.nix"
|
||||
];
|
||||
|
||||
imports = [
|
||||
(networkingModule "firewall-iptables")
|
||||
(networkingModule "firewall-nftables")
|
||||
(networkingModule "firewall")
|
||||
(networkingModule "nat-iptables")
|
||||
(networkingModule "nat-nftables")
|
||||
(networkingModule "nat")
|
||||
(networkingModule "nftables")
|
||||
];
|
||||
|
||||
networking = {
|
||||
firewall = {
|
||||
enable = true; # It’s the default, but better make sure.
|
||||
};
|
||||
nftables.enable = true; # Uses firewall variables since 23.05
|
||||
};
|
||||
|
||||
boot = {
|
||||
plymouth.enable = true;
|
||||
loader = {
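Review bot: `disabledModules` removes `services/monitoring/prometheus/exporters.nix`, `redsocks.nix`, `miniupnpd.nix` and the two roon modules, but `imports` only re-adds the firewall/nat/nftables modules, so those five option trees disappear from evaluation and any remaining `services.prometheus.exporters.*` (or roon/redsocks/miniupnpd) definition will fail with an undefined-option error rather than be quietly ignored. The comment on the `disabledModules` line only explains the nftables part; extend it to state why the other modules are dropped, presumably `# …; the remaining modules are disabled because they depend on the iptables firewall's extraCommands hooks — confirm`. Mixing these unstable modules into a 22.11 system also means they may reference options the rest of the 22.11 module set does not define; a short note naming the unstable revision they were taken from (the pin lives in `nix/sources.nix`) would make that easier to audit when the host is upgraded. The `boot` attribute set at the end of the hunk continues outside it.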
|
||||
|
|