patrick/nix-config
1
1
Fork 0
Code Issues Pull requests Projects Wiki Activity

feat: cleaner port forwarding

Browse source
This commit is contained in:
Patrick 2024-12-22 00:10:37 +01:00
parent 65e207d999
commit 268bd66c76
Signed by: patrick
GPG key ID: 451F95EFB8BECD0F
5 changed files with 129 additions and 30 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
globals.nix
View file

@ -54,6 +54,7 @@ in
forgejo = {
domain = "forge.${globals.domains.web}";
host = "elisabeth-forgejo";
ip = 13;
};
immich = {
domain = "immich.${globals.domains.web}";
@ -118,6 +119,7 @@ in
netbird = {
domain = "netbird.${globals.domains.web}";
host = "elisabeth-netbird";
ip = 16;
};
nginx = {
domain = globals.domains.web;
@ -129,6 +131,15 @@ in
host = "elisabeth-samba";
ip = 12;
};
ddclient = {
domain = "";
host = "elisabeth-ddclient";
};
murmur = {
domain = "ts.${globals.domains.web}";
host = "elisabeth-murmur";
ip = 9;
};
};
};
}

46
hosts/elisabeth/guests.nix
View file

@ -1,5 +1,6 @@
{
config,
globals,
stateVersion,
inputs,
lib,
@ -17,6 +18,7 @@
enableRenaultFT ? false,
enableBunker ? false,
enableSharedPaperless ? false,
vlans ? [ "services" ],
...
}:
{
@ -54,6 +56,25 @@
networking.nftables.firewall.zones.untrusted.interfaces = lib.mkIf (
lib.length config.guests.${guestName}.networking.links == 1
) config.guests.${guestName}.networking.links;
systemd.network.networks = lib.mkIf (globals.services.${guestName}.ip != null) (
lib.listToAttrs (
lib.flip map vlans (
name:
lib.nameValuePair "09-mv-${name}" {
matchConfig.Name = "mv-${name}";
DHCP = "no";
address = [
(lib.net.cidr.hostCidr globals.services.${guestName}.ip globals.net.vlans.${name}.cidrv4)
(lib.net.cidr.hostCidr globals.services.${guestName}.ip globals.net.vlans.${name}.cidrv6)
];
gateway = [
(lib.net.cidr.hostCidr 1 globals.net.vlans.${name}.cidrv4)
(lib.net.cidr.hostCidr 1 globals.net.vlans.${name}.cidrv6)
];
}
)
)
);
}
];
};
@ -74,17 +95,23 @@
};
};
mkContainer = guestName: cfg: {
${guestName} = mkGuest guestName cfg // {
backend = "container";
container.macvlans = [ "lan-services" ];
extraSpecialArgs = {
inherit (inputs.self) nodes globals;
inherit (inputs.self.pkgs.x86_64-linux) lib;
inherit inputs minimal stateVersion;
mkContainer =
guestName:
{
vlans ? [ "services" ],
...
}@cfg:
{
${guestName} = mkGuest guestName cfg // {
backend = "container";
container.macvlans = lib.flip map vlans (x: "lan-${x}:mv-${x}");
extraSpecialArgs = {
inherit (inputs.self) nodes globals;
inherit (inputs.self.pkgs.x86_64-linux) lib;
inherit inputs minimal stateVersion;
};
};
};
};
in
{ }
// mkContainer "adguardhome" { }
@ -110,5 +137,6 @@
enableRenaultFT = true;
enableBunker = true;
enableSharedPaperless = true;
vlans = [ "home" ];
};
}

79
hosts/nucnix/forwarding.nix Normal file
View file

@ -0,0 +1,79 @@
{ globals, lib, ... }:
let
inherit (lib)
concatStringsSep
net
toUpper
mkMerge
;
forward =
{
service,
ports,
protocol,
...
}:
{
networking.nftables = {
chains = {
prerouting.port-forward = {
after = [ "hook" ];
rules = [
"iifname lan-fritz ${protocol} dport { ${concatStringsSep ", " (map toString ports)} } dnat ip to ${
net.cidr.host globals.services.${service}.ip globals.net.vlans.services.cidrv4
}"
"iifname lan-fritz ${protocol} dport { ${concatStringsSep ", " (map toString ports)} } dnat ip6 to ${
net.cidr.host globals.services.${service}.ip globals.net.vlans.services.cidrv6
}"
];
};
};
firewall = {
zones = {
${service}.ipv4Addresses = [
(lib.net.cidr.host globals.services.${service}.ip globals.net.vlans.services.cidrv4)
];
};
rules = {
"forward-${service}" = {
from = [ "fritz" ];
to = [ service ];
"allowed${toUpper protocol}Ports" = ports;
};
};
};
};
};
in
mkMerge [
(forward {
service = "nginx";
ports = [
80
443
];
protocol = "tcp";
})
(forward {
service = "forgejo";
ports = [
9922
];
protocol = "tcp";
})
(forward {
service = "murmur";
ports = [
9987
];
protocol = "udp";
})
(forward {
service = "netbird";
ports = [
3478
5349
];
protocol = "udp";
})
]

21
hosts/nucnix/net.nix
View file

@ -17,6 +17,7 @@ in
imports = [
./hostapd.nix
./kea.nix
./forwarding.nix
];
boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
networking.nftables.firewall.zones = mkMerge [
@ -25,9 +26,6 @@ in
adguard.ipv4Addresses = [
(lib.net.cidr.host globals.services.adguardhome.ip globals.net.vlans.services.cidrv4)
];
nginx.ipv4Addresses = [
(lib.net.cidr.host globals.services.nginx.ip globals.net.vlans.services.cidrv4)
];
}
(genAttrs (attrNames globals.net.vlans) (name: {
interfaces = [ "lan-${name}" ];
@ -134,26 +132,9 @@ in
}
))
);
networking.nftables.chains = {
prerouting.port-forward = {
after = [ "hook" ];
rules = [
"iifname lan-fritz tcp dport { 80, 443 } dnat ip to ${lib.net.cidr.host globals.services.nginx.ip globals.net.vlans.services.cidrv4}"
"iifname lan-fritz tcp dport { 80, 443 } dnat ip6 to ${lib.net.cidr.host globals.services.nginx.ip globals.net.vlans.services.cidrv6}"
];
};
};
networking.nftables.firewall = {
snippets.nnf-ssh.enable = lib.mkForce false;
rules = {
forward-nginx = {
from = [ "fritz" ];
to = [ "nginx" ];
allowedTCPPorts = [
80
443
];
};
ssh = {
from = [
"fritz"

2
users/patrick/theme.nix
View file

@ -95,7 +95,7 @@
image = config.lib.stylix.pixel "base00";
base16Scheme = {
yaml = "${pkgs.base16-schemes}/share/themes/vice.yaml";
use-ifd = "auto";
use-ifd = "always";
};
# Has to be green
override.base0B = "#00CC99";