feat: port forwarding

2024-12-21 23:32:42 +01:00 · 2024-12-21 23:32:42 +01:00 · 65e207d999
parent 9347751df7
commit 65e207d999
4 changed files with 55 additions and 13 deletions
--- a/config/services/nginx.nix
+++ b/config/services/nginx.nix
@ -9,8 +9,6 @@ let
  ipOf = name: nodes.${globals.services.${name}.host}.config.wireguard.services.ipv4;
 in
 {
-  systemd.network.networks."10-static" = {
-  };
  wireguard.services = {
    client.via = "nucnix";
  };
--- a/hosts/nucnix/guests.nix
+++ b/hosts/nucnix/guests.nix
@ -43,8 +43,12 @@
                      DHCP = "no";
                      address = [
                        (lib.net.cidr.hostCidr globals.services.${guestName}.ip globals.net.vlans.${name}.cidrv4)
+                        (lib.net.cidr.hostCidr globals.services.${guestName}.ip globals.net.vlans.${name}.cidrv6)
+                      ];
+                      gateway = [
+                        (lib.net.cidr.hostCidr 1 globals.net.vlans.${name}.cidrv4)
+                        (lib.net.cidr.hostCidr 1 globals.net.vlans.${name}.cidrv6)
                      ];
-                      gateway = lib.net.cidr.hostCidr 1 globals.net.vlans.${name}.cidrv4;
                    }
                  )
                )
@ -90,12 +94,5 @@
          ];
        };
    in
-    { }
-    // mkContainer "adguardhome" {
-      vlans = [
-        "services"
-        "home"
-      ];
-    }
-    // mkContainer "nginx" { };
+    { } // mkContainer "adguardhome" { } // mkContainer "nginx" { };
 }
--- a/hosts/nucnix/kea.nix
+++ b/hosts/nucnix/kea.nix
@ -57,7 +57,7 @@ in
            }
            {
              name = "domain-name-servers";
-              data = "${net.cidr.host globals.services.adguardhome.ip subnet}";
+              data = "${net.cidr.host globals.services.adguardhome.ip globals.net.vlans.services.cidrv4}";
            }
          ];
          reservations = [
--- a/hosts/nucnix/net.nix
+++ b/hosts/nucnix/net.nix
@ -18,8 +18,17 @@ in
    ./hostapd.nix
    ./kea.nix
  ];
+  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
  networking.nftables.firewall.zones = mkMerge [
-    { fritz.interfaces = [ "vlan-fritz" ]; }
+    {
+      fritz.interfaces = [ "vlan-fritz" ];
+      adguard.ipv4Addresses = [
+        (lib.net.cidr.host globals.services.adguardhome.ip globals.net.vlans.services.cidrv4)
+      ];
+      nginx.ipv4Addresses = [
+        (lib.net.cidr.host globals.services.nginx.ip globals.net.vlans.services.cidrv4)
+      ];
+    }
    (genAttrs (attrNames globals.net.vlans) (name: {
      interfaces = [ "lan-${name}" ];
    }))
@ -125,9 +134,26 @@ in
      }
    ))
  );
+  networking.nftables.chains = {
+    prerouting.port-forward = {
+      after = [ "hook" ];
+      rules = [
+        "iifname lan-fritz tcp dport { 80, 443 } dnat ip to ${lib.net.cidr.host globals.services.nginx.ip globals.net.vlans.services.cidrv4}"
+        "iifname lan-fritz tcp dport { 80, 443 } dnat ip6 to ${lib.net.cidr.host globals.services.nginx.ip globals.net.vlans.services.cidrv6}"
+      ];
+    };
+  };
  networking.nftables.firewall = {
    snippets.nnf-ssh.enable = lib.mkForce false;
    rules = {
+      forward-nginx = {
+        from = [ "fritz" ];
+        to = [ "nginx" ];
+        allowedTCPPorts = [
+          80
+          443
+        ];
+      };
      ssh = {
        from = [
          "fritz"
@ -136,6 +162,27 @@ in
        to = [ "local" ];
        allowedTCPPorts = [ 22 ];
      };
+      services = {
+        from = [
+          "home"
+        ];
+        to = [
+          "services"
+          "fritz"
+        ];
+        late = true;
+        verdict = "accept";
+      };
+      dns = {
+        from = [
+          "home"
+          "devices"
+          "guests"
+          "services"
+        ];
+        to = [ "adguard" ];
+        allowedUDPPorts = [ 53 ];
+      };
      internet = {
        from = [
          "home"