Getting there...

This commit is contained in:
Daniel Flanagan 2024-07-17 16:27:54 -05:00
parent 8c140dd3db
commit a0b505e226

View file

@ -33,12 +33,24 @@
}; };
beefcake = { beefcake = {
ip = "192.168.0.9"; ip = "192.168.0.9";
additionalHosts = [
"nix.h.lyte.dev"
"git.lyte.dev"
"video.lyte.dev"
"bw.lyte.dev"
"files.lyte.dev"
"vpn.h.lyte.dev"
];
}; };
}; };
sysctl-entries = { sysctl-entries = {
"net.ipv4.conf.all.forwarding" = true; "net.ipv4.conf.all.forwarding" = true;
"net.ipv6.conf.all.forwarding" = true; "net.ipv6.conf.all.forwarding" = true;
"net.ipv4.conf.default.rp_filter" = 1;
"net.ipv4.conf.${interfaces.wan.name}.rp_filter" = 1;
"net.ipv4.conf.${interfaces.lan.name}.rp_filter" = 0;
# TODO: may want to disable this once it's working # TODO: may want to disable this once it's working
# "net.ipv6.conf.all.accept_ra" = 0; # "net.ipv6.conf.all.accept_ra" = 0;
# "net.ipv6.conf.all.autoconf" = 0; # "net.ipv6.conf.all.autoconf" = 0;
@ -146,6 +158,8 @@ in {
udp dport mdns ip daddr 224.0.0.251 accept comment "Accept mDNS" udp dport mdns ip daddr 224.0.0.251 accept comment "Accept mDNS"
tcp dport 2201 accept comment "Accept SSH on port 2201" tcp dport 2201 accept comment "Accept SSH on port 2201"
tcp dport 53 accept comment "Accept DNS"
udp dport 53 accept comment "Accept DNS"
ip6 saddr @LANv6 jump my_input_lan comment "Connections from private IP address ranges" ip6 saddr @LANv6 jump my_input_lan comment "Connections from private IP address ranges"
ip saddr @LANv4 jump my_input_lan comment "Connections from private IP address ranges" ip saddr @LANv4 jump my_input_lan comment "Connections from private IP address ranges"
@ -163,6 +177,15 @@ in {
} }
table ip nat { table ip nat {
chain prerouting {
type nat hook prerouting priority dstnat;
iifname ${lan} accept
iifname ${wan} tcp dport {22} dnat to ${hosts.beefcake.ip} comment "Allow SSH to server"
iifname ${wan} tcp dport {80, 443} dnat to ${hosts.beefcake.ip} comment "Allow HTTP/HTTPS to server"
}
chain postrouting { chain postrouting {
type nat hook postrouting priority 100; policy accept; type nat hook postrouting priority 100; policy accept;
oifname "${wan}" masquerade oifname "${wan}" masquerade
@ -225,10 +248,10 @@ in {
systemd.network = { systemd.network = {
enable = true; enable = true;
wait-online.anyInterface = true; # wait-online.anyInterface = true;
links = { links = {
"10-${interfaces.wan.name}" = { "20-${interfaces.wan.name}" = {
enable = true; enable = true;
matchConfig = { matchConfig = {
MACAddress = interfaces.wan.mac; MACAddress = interfaces.wan.mac;
@ -237,7 +260,7 @@ in {
Name = interfaces.wan.name; Name = interfaces.wan.name;
}; };
}; };
"10-${interfaces.lan.name}" = { "30-${interfaces.lan.name}" = {
enable = true; enable = true;
matchConfig = { matchConfig = {
MACAddress = interfaces.lan.mac; MACAddress = interfaces.lan.mac;
@ -248,7 +271,7 @@ in {
}; };
}; };
networks = { networks = {
"30-${interfaces.lan.name}" = { "50-${interfaces.lan.name}" = {
matchConfig.Name = "${interfaces.lan.name}"; matchConfig.Name = "${interfaces.lan.name}";
linkConfig = { linkConfig = {
RequiredForOnline = "enslaved"; RequiredForOnline = "enslaved";
@ -262,7 +285,7 @@ in {
ConfigureWithoutCarrier = true; ConfigureWithoutCarrier = true;
}; };
}; };
"20-${interfaces.wan.name}" = { "40-${interfaces.wan.name}" = {
matchConfig.Name = "${interfaces.wan.name}"; matchConfig.Name = "${interfaces.wan.name}";
networkConfig = { networkConfig = {
DHCP = true; DHCP = true;
@ -291,7 +314,7 @@ in {
# dnssec = true; # dnssec = true;
# enable-ra = true; # enable-ra = true;
server = ["::1" "127.0.0.1" "1.1.1.1" "9.9.9.9" "8.8.8.8"]; server = ["1.1.1.1" "9.9.9.9" "8.8.8.8"];
domain-needed = true; domain-needed = true;
bogus-priv = true; bogus-priv = true;
@ -309,6 +332,7 @@ in {
ip, ip,
identifier ? name, identifier ? name,
time ? "12h", time ? "12h",
...
}: "${name},${ip},${identifier},${time}") }: "${name},${ip},${identifier},${time}")
hosts); hosts);
@ -316,12 +340,16 @@ in {
[ [
"/${hostname}.${domain}/${ip}" "/${hostname}.${domain}/${ip}"
] ]
++ (lib.attrsets.mapAttrsToList (name: { ++ (lib.lists.flatten (lib.attrsets.mapAttrsToList (name: {
ip, ip,
identifier ? name, additionalHosts ? [],
time ? "12h", identifier ? name,
}: "/${name}.${domain}/${ip}") time ? "12h",
hosts); }: [
"/${name}.${domain}/${ip}"
(lib.lists.forEach additionalHosts (h: "/${h}/${ip}"))
])
hosts));
# local domains # local domains
local = "/lan/"; local = "/lan/";