feat: port forwarding

This commit is contained in:
Patrick 2024-12-21 23:32:42 +01:00
parent 9347751df7
commit 65e207d999
Signed by: patrick
GPG key ID: 451F95EFB8BECD0F
4 changed files with 55 additions and 13 deletions


@ -9,8 +9,6 @@ let
ipOf = name: nodes.${globals.services.${name}.host}.config.wireguard.services.ipv4; ipOf = name: nodes.${globals.services.${name}.host}.config.wireguard.services.ipv4;
in in
{ {
systemd.network.networks."10-static" = {
};
wireguard.services = { wireguard.services = {
client.via = "nucnix"; client.via = "nucnix";
}; };


@ -43,8 +43,12 @@
DHCP = "no"; DHCP = "no";
address = [ address = [
(lib.net.cidr.hostCidr globals.services.${guestName}.ip globals.net.vlans.${name}.cidrv4) (lib.net.cidr.hostCidr globals.services.${guestName}.ip globals.net.vlans.${name}.cidrv4)
(lib.net.cidr.hostCidr globals.services.${guestName}.ip globals.net.vlans.${name}.cidrv6)
];
gateway = [
(lib.net.cidr.hostCidr 1 globals.net.vlans.${name}.cidrv4)
(lib.net.cidr.hostCidr 1 globals.net.vlans.${name}.cidrv6)
]; ];
gateway = lib.net.cidr.hostCidr 1 globals.net.vlans.${name}.cidrv4;
} }
) )
) )
@ -90,12 +94,5 @@
]; ];
}; };
in in
{ } { } // mkContainer "adguardhome" { } // mkContainer "nginx" { };
// mkContainer "adguardhome" {
vlans = [
"services"
"home"
];
}
// mkContainer "nginx" { };
} }
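Review bot: The new `gateway` list in the first hunk passes `lib.net.cidr.hostCidr 1 …` for both families, which by its name, and by contrast with the `lib.net.cidr.host` calls this commit uses wherever a bare address is needed, presumably yields `address/prefix`; systemd-networkd's `Gateway=` expects a bare address, so if that is what the helper returns these entries are likely to be rejected — confirm against the helper's definition. The matching form would be `(lib.net.cidr.host 1 globals.net.vlans.${name}.cidrv4)` and its cidrv6 twin, while `address` correctly keeps the CIDR form. The replaced scalar gateway used the same helper, so this may be pre-existing, but the rewrite is the place to settle it. The enclosing `mkContainer` definition starts and ends outside the hunk.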


@ -57,7 +57,7 @@ in
} }
{ {
name = "domain-name-servers"; name = "domain-name-servers";
data = "${net.cidr.host globals.services.adguardhome.ip subnet}"; data = "${net.cidr.host globals.services.adguardhome.ip globals.net.vlans.services.cidrv4}";
} }
]; ];
reservations = [ reservations = [
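Review bot: The `domain-name-servers` value now hands every client the adguardhome address on the services VLAN instead of one derived from `subnet`, so resolution for these subnets depends on routing and firewall policy rather than on the resolver having a leg in the client's VLAN; a comment on that line recording the dependency would save the next reader a search, e.g. `# resolver sits on the services VLAN; reachability is governed by the nftables "dns" rule`. If that accompanying rule only opens UDP 53 (the last file's hunk appears to do so), answers that exceed the UDP size and retry over TCP will be blocked, so allowing TCP 53 there as well is worth considering. The surrounding option list and subnet definition run outside the hunk.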


@ -18,8 +18,17 @@ in
./hostapd.nix ./hostapd.nix
./kea.nix ./kea.nix
]; ];
boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
networking.nftables.firewall.zones = mkMerge [ networking.nftables.firewall.zones = mkMerge [
{ fritz.interfaces = [ "vlan-fritz" ]; } {
fritz.interfaces = [ "vlan-fritz" ];
adguard.ipv4Addresses = [
(lib.net.cidr.host globals.services.adguardhome.ip globals.net.vlans.services.cidrv4)
];
nginx.ipv4Addresses = [
(lib.net.cidr.host globals.services.nginx.ip globals.net.vlans.services.cidrv4)
];
}
(genAttrs (attrNames globals.net.vlans) (name: { (genAttrs (attrNames globals.net.vlans) (name: {
interfaces = [ "lan-${name}" ]; interfaces = [ "lan-${name}" ];
})) }))
@ -125,9 +134,26 @@ in
} }
)) ))
); );
networking.nftables.chains = {
prerouting.port-forward = {
after = [ "hook" ];
rules = [
"iifname lan-fritz tcp dport { 80, 443 } dnat ip to ${lib.net.cidr.host globals.services.nginx.ip globals.net.vlans.services.cidrv4}"
"iifname lan-fritz tcp dport { 80, 443 } dnat ip6 to ${lib.net.cidr.host globals.services.nginx.ip globals.net.vlans.services.cidrv6}"
];
};
};
networking.nftables.firewall = { networking.nftables.firewall = {
snippets.nnf-ssh.enable = lib.mkForce false; snippets.nnf-ssh.enable = lib.mkForce false;
rules = { rules = {
forward-nginx = {
from = [ "fritz" ];
to = [ "nginx" ];
allowedTCPPorts = [
80
443
];
};
ssh = { ssh = {
from = [ from = [
"fritz" "fritz"
@ -136,6 +162,27 @@ in
to = [ "local" ]; to = [ "local" ];
allowedTCPPorts = [ 22 ]; allowedTCPPorts = [ 22 ];
}; };
services = {
from = [
"home"
];
to = [
"services"
"fritz"
];
late = true;
verdict = "accept";
};
dns = {
from = [
"home"
"devices"
"guests"
"services"
];
to = [ "adguard" ];
allowedUDPPorts = [ 53 ];
};
internet = { internet = {
from = [ from = [
"home" "home"