From 65e207d999ce0c44147818d4f9072f9c8f895d07 Mon Sep 17 00:00:00 2001
From: Patrick
Date: Sat, 21 Dec 2024 23:32:42 +0100
Subject: [PATCH] feat: port forwarding
---
 config/services/nginx.nix | 2 --
 hosts/nucnix/guests.nix | 15 +++++-------
 hosts/nucnix/kea.nix | 2 +-
 hosts/nucnix/net.nix | 49 ++++++++++++++++++++++++++++++++++++++-
 4 files changed, 55 insertions(+), 13 deletions(-)
diff --git a/config/services/nginx.nix b/config/services/nginx.nix
index bb0f647..7705926 100644
--- a/config/services/nginx.nix
+++ b/config/services/nginx.nix
@@ -9,8 +9,6 @@ let
 ipOf = name: nodes.${globals.services.${name}.host}.config.wireguard.services.ipv4;
 in
 {
- systemd.network.networks."10-static" = {
- };
 wireguard.services = {
 client.via = "nucnix";
 };
diff --git a/hosts/nucnix/guests.nix b/hosts/nucnix/guests.nix
index ea4d418..aee87ac 100644
--- a/hosts/nucnix/guests.nix
+++ b/hosts/nucnix/guests.nix
@@ -43,8 +43,12 @@
 DHCP = "no";
 address = [
 (lib.net.cidr.hostCidr globals.services.${guestName}.ip globals.net.vlans.${name}.cidrv4)
+ (lib.net.cidr.hostCidr globals.services.${guestName}.ip globals.net.vlans.${name}.cidrv6)
+ ];
+ gateway = [
+ (lib.net.cidr.hostCidr 1 globals.net.vlans.${name}.cidrv4)
+ (lib.net.cidr.hostCidr 1 globals.net.vlans.${name}.cidrv6)
 ];
- gateway = lib.net.cidr.hostCidr 1 globals.net.vlans.${name}.cidrv4;
 }
 )
 )
@@ -90,12 +94,5 @@
 ];
 };
 in
- { }
- // mkContainer "adguardhome" {
- vlans = [
- "services"
- "home"
- ];
- }
- // mkContainer "nginx" { };
+ { } // mkContainer "adguardhome" { } // mkContainer "nginx" { };
 }
diff --git a/hosts/nucnix/kea.nix b/hosts/nucnix/kea.nix
index 4a7a19a..04106ff 100644
--- a/hosts/nucnix/kea.nix
+++ b/hosts/nucnix/kea.nix
@@ -57,7 +57,7 @@ in
 }
 {
 name = "domain-name-servers";
- data = "${net.cidr.host globals.services.adguardhome.ip subnet}";
+ data = "${net.cidr.host globals.services.adguardhome.ip globals.net.vlans.services.cidrv4}";
 }
 ];
 reservations = [
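Review bot: In the guests.nix hunk at `@@ -43,8 +43,12 @@`, both new `gateway` entries are built with `lib.net.cidr.hostCidr`, which by its name yields an `address/prefix` string, whereas systemd-networkd's `Gateway=` expects a bare address; the kea.nix hunk in this same commit uses `lib.net.cidr.host` for exactly that purpose. The pre-existing IPv4 gateway line had the same form, so if it was working the helper may already be accepted by networkd — confirm against the networkd log, and otherwise change the two lines to `(lib.net.cidr.host 1 globals.net.vlans.${name}.cidrv4)` and `(lib.net.cidr.host 1 globals.net.vlans.${name}.cidrv6)`. The enclosing container definition starts and ends outside the hunk.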
diff --git a/hosts/nucnix/net.nix b/hosts/nucnix/net.nix
index e2ae185..88a02b9 100644
--- a/hosts/nucnix/net.nix
+++ b/hosts/nucnix/net.nix
@@ -18,8 +18,17 @@ in
 ./hostapd.nix
 ./kea.nix
 ];
+ boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
 networking.nftables.firewall.zones = mkMerge [
- { fritz.interfaces = [ "vlan-fritz" ]; }
+ {
+ fritz.interfaces = [ "vlan-fritz" ];
+ adguard.ipv4Addresses = [
+ (lib.net.cidr.host globals.services.adguardhome.ip globals.net.vlans.services.cidrv4)
+ ];
+ nginx.ipv4Addresses = [
+ (lib.net.cidr.host globals.services.nginx.ip globals.net.vlans.services.cidrv4)
+ ];
+ }
 (genAttrs (attrNames globals.net.vlans) (name: {
 interfaces = [ "lan-${name}" ];
 }))
@@ -125,9 +134,26 @@ in
 }
 ))
 );
+ networking.nftables.chains = {
+ prerouting.port-forward = {
+ after = [ "hook" ];
+ rules = [
+ "iifname lan-fritz tcp dport { 80, 443 } dnat ip to ${lib.net.cidr.host globals.services.nginx.ip globals.net.vlans.services.cidrv4}"
+ "iifname lan-fritz tcp dport { 80, 443 } dnat ip6 to ${lib.net.cidr.host globals.services.nginx.ip globals.net.vlans.services.cidrv6}"
+ ];
+ };
+ };
 networking.nftables.firewall = {
 snippets.nnf-ssh.enable = lib.mkForce false;
 rules = {
+ forward-nginx = {
+ from = [ "fritz" ];
+ to = [ "nginx" ];
+ allowedTCPPorts = [
+ 80
+ 443
+ ];
+ };
 ssh = {
 from = [
 "fritz"
@@ -136,6 +162,27 @@ in
 to = [ "local" ];
 allowedTCPPorts = [ 22 ];
 };
+ services = {
+ from = [
+ "home"
+ ];
+ to = [
+ "services"
+ "fritz"
+ ];
+ late = true;
+ verdict = "accept";
+ };
+ dns = {
+ from = [
+ "home"
+ "devices"
+ "guests"
+ "services"
+ ];
+ to = [ "adguard" ];
+ allowedUDPPorts = [ 53 ];
+ };
 internet = {
 from = [
 "home"
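Review bot: In the `@@ -18,8 +18,17 @@` hunk the new `adguard` and `nginx` zones are defined by `ipv4Addresses` only, so every rule keyed on them later in this file (`forward-nginx`, `dns`) matches IPv4 traffic only, while the `dnat ip6 … to …cidrv6` rule added further down redirects IPv6 connections to an address that belongs to no zone and therefore falls through to the default forward policy. The same hunk enables only `net.ipv4.ip_forward`; unless `net.ipv6.conf.all.forwarding` is set elsewhere, forwarded IPv6 traffic is dropped by the kernel before any nftables rule is consulted. Giving both zones an `ipv6Addresses` list and enabling IPv6 forwarding keeps the two address families consistent with the dual-stack addressing this commit gives the guests. The `mkMerge` list continues past the hunk.
```nix
  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
  boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1;
  networking.nftables.firewall.zones = mkMerge [
    {
      fritz.interfaces = [ "vlan-fritz" ];
      # … unchanged: adguard.ipv4Addresses …
      adguard.ipv6Addresses = [
        (lib.net.cidr.host globals.services.adguardhome.ip globals.net.vlans.services.cidrv6)
      ];
      # … unchanged: nginx.ipv4Addresses …
      nginx.ipv6Addresses = [
        (lib.net.cidr.host globals.services.nginx.ip globals.net.vlans.services.cidrv6)
      ];
    }
    # … unchanged: per-vlan zones from genAttrs …
```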
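Review bot: The DNAT rules in the `@@ -125,9 +134,26 @@` hunk match `iifname lan-fritz`, but the `fritz` zone that the companion `forward-nginx` rule depends on is bound to `vlan-fritz` in the first hunk of this file; unless `fritz` is also a key of `globals.net.vlans` (which would add `lan-fritz` to a zone through `genAttrs`), one of the two names is wrong and either the redirect never fires or the redirected connection is not accepted by the forward chain — confirm the interface name. The rules also qualify only by input interface and destination port, so every TCP 80/443 packet entering that interface is rewritten regardless of the address it was sent to; a `fib daddr type local` match, e.g. `"iifname lan-fritz fib daddr type local tcp dport { 80, 443 } dnat ip to ${…}"` (and the same for the `ip6` rule), limits the redirect to connections actually addressed to this host. The `rules` attribute set continues past the hunk.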
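Review bot: The `dns` rule in the `@@ -136,6 +162,27 @@` hunk opens only `allowedUDPPorts = [ 53 ]`; resolvers retry over TCP 53 when a UDP response is truncated, so those retries are dropped by the forward chain and clients see intermittent lookup failures rather than a clean error — add `allowedTCPPorts = [ 53 ];` next to it. The `services` rule grants `home` an unconditional `verdict = "accept"` towards the whole `services` and `fritz` zones; if the intent is only web and DNS access, an `allowedTCPPorts`/`allowedUDPPorts` list on that rule would keep the same least-privilege shape as the other rules in this set. The `rules` set continues past the hunk (the `internet` rule is cut).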