Merge branch 'nftables' into 'main'
Draft: init nftables See merge request infra/haccfiles!19
commit
650ba77d7d
|
@ -7,6 +7,7 @@ in {
|
|||
../modules
|
||||
./users.nix
|
||||
(sources.home-manager + "/nixos")
|
||||
(sources.pbb-nixfiles + "/modules/nftables")
|
||||
];
|
||||
|
||||
boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
|
||||
|
@ -77,4 +78,6 @@ in {
|
|||
services.nginx.appendHttpConfig = ''
|
||||
access_log off;
|
||||
'';
|
||||
|
||||
petabyte.nftables.enable = true;
|
||||
}
|
||||
|
|
|
@ -51,8 +51,9 @@
|
|||
interface = "enp6s0";
|
||||
};
|
||||
|
||||
networking.nat.enable = true;
|
||||
hacc.nftables.nat.enable = true;
|
||||
networking.nat.internalInterfaces = ["ve-+"];
|
||||
networking.nat.internalIPs = [ "192.168.100.0/24" "172.17.0.0/16" ];
|
||||
networking.nat.externalInterface = "enp6s0";
|
||||
|
||||
|
||||
|
|
|
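Review bot: The `networking.nat.internalInterfaces`, `networking.nat.internalIPs` and `networking.nat.externalInterface` lines that follow `hacc.nftables.nat.enable = true;` are still the inputs of the generated nftables NAT rules (the new modules/nftnat module reads them from `config.networking.nat`), while that module forces `networking.nat.enable` to false; nothing on this host file says so, and a reader would reasonably assume the kernel-iptables NAT and the nftables NAT are both active. Suggest a comment above the block: `# networking.nat.* below is consumed by modules/nftnat (nftables); the iptables NAT itself is disabled by that module`. If `networking.nat.enable = true;` is kept on the new side rather than removed, it is effectively a no-op and deserves the same comment or should go. The enclosing attribute set starts and ends outside the hunk.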
@ -7,7 +7,7 @@
|
|||
localAddress = "192.168.100.3";
|
||||
autoStart = true;
|
||||
config = { config, lib, pkgs, ... }: {
|
||||
networking.firewall.allowedTCPPorts = [ 3000 ];
|
||||
networking.firewall.enable = false;
|
||||
services.coredns = {
|
||||
enable = true;
|
||||
config = ''
|
||||
|
|
|
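Review bot: `networking.firewall.enable = false;` in the container config appears to replace the `allowedTCPPorts = [ 3000 ]` line, which turns the container's firewall off entirely instead of narrowing it to one port; the same replacement appears in the wiki container hunk at L131 (`[ 80 ]` → firewall off). Presumably this avoids the container's iptables-based firewall running alongside the host's nftables ruleset, but nothing in this commit adds a host-side filter for the container's services, so the change reads as an unexplained widening. Suggest a comment on that line in both files: `# container firewall off on purpose: ingress to this container is filtered by the host nftables rules, keep those in sync with the services below`. The container `config` function starts and ends outside the hunk.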
@ -11,7 +11,7 @@ in {
|
|||
|
||||
config = {config, pkgs, ... }: {
|
||||
networking.hosts."::1" = [ "wiki.lantifa.org" ];
|
||||
networking.firewall.allowedTCPPorts = [ 80 ];
|
||||
networking.firewall.enable = false;
|
||||
users.users.mediawiki.extraGroups = [ "keys" ];
|
||||
|
||||
services.mediawiki = {
|
||||
|
|
|
@ -4,5 +4,6 @@ let
|
|||
in {
|
||||
imports = [
|
||||
"${sources.immae-nix}/modules/webapps/peertube.nix"
|
||||
./nftnat
|
||||
];
|
||||
}
|
||||
|
|
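--- /dev/null
+++ b/modules/nftnat/default.nix
@@ -0,0 +1,62 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+cfg = config.hacc.nftables.nat;
+nats = config.networking.nat;
+in {
+options.hacc.nftables.nat = {
+enable = mkEnableOption "Wrap NAT into nftables.";
+forwardPorts = mkOption {
+type = with types; listOf (submodule {
+options = {
+ports = mkOption {
+type = types.listOf (types.either types.int (types.strMatching "[[:digit:]]+-[[:digit:]]+"));
+};
+destination = mkOption {
+type = types.str;
+example = "10.0.0.1";
+};
+proto = mkOption {
+type = types.str;
+default = "tcp";
+example = "udp";
+};
+};
+});
+default = [];
+example = [{ ports = [ 8080 "9100-9200" ]; destination = "192.168.100.2"; proto = "udp"; }];
+};
+};
+
+config = mkIf cfg.enable {
+networking.nat.enable = mkOverride 99 false;
+
+boot = {
+kernelModules = [ "nf_nat_ftp" ];
+kernel.sysctl = {
+"net.ipv4.conf.all.forwarding" = mkOverride 98 true;
+"net.ipv4.conf.default.forwarding" = mkOverride 98 true;
+};
+};
+
+petabyte.nftables = {
+enable = true;
+
+extraConfig = ''
+table ip nat {
+chain prerouting {
+type nat hook prerouting priority -100
+${concatMapStringsSep "\n" (rule: "iif ${nats.externalInterface} ${rule.proto} dport { ${concatStringsSep ", " (map (x: toString x) rule.ports)} } dnat ${rule.destination}") cfg.forwardPorts}
+}
+chain postrouting {
+type nat hook postrouting priority 100
+${concatMapStringsSep "\n" (iface: "iifname ${replaceStrings ["+"] ["*"] iface} oifname ${nats.externalInterface} masquerade") nats.internalInterfaces}
+${concatMapStringsSep "\n" (addr: "ip saddr ${addr} oifname ${nats.externalInterface} masquerade") nats.internalIPs}
+}
+}
+'';
+};
+};
+}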
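Review bot: `${nats.externalInterface}` is interpolated three times (the prerouting dnat rule and both masquerade rules) without checking it is set; `networking.nat.externalInterface` is a nullable option, and because this module forces `networking.nat.enable` to false the NixOS NAT module's own assertion no longer fires, so a host that forgets it gets an opaque "cannot coerce null" evaluation error instead of a clear message. The prerouting rule also uses `iif` while postrouting uses `iifname`/`oifname`; `iif` is resolved to an interface index when the ruleset is loaded and the load fails if the interface is absent at that moment, so `iifname` (quoted, which the wildcard `ve-*` produced by the `replaceStrings` call presumably also needs) is the safer and consistent choice. The three `mkOption`s under `forwardPorts` have no `description`, and `forwardPorts` duplicates `networking.nat.forwardPorts` rather than consuming it like the other `networking.nat.*` values; a one-line `description` on each and a comment saying why the NixOS option is not reused would help. `nf_nat_ftp` is loaded unconditionally although no `ct helper` statement references it; if it is not needed it can be dropped.

```nix
config = mkIf cfg.enable {
  assertions = [{
    assertion = nats.externalInterface != null;
    message = "hacc.nftables.nat needs networking.nat.externalInterface to be set.";
  }];
  # … unchanged: networking.nat.enable override, boot settings, petabyte.nftables.enable …
  # inside extraConfig, chain prerouting:
  ${concatMapStringsSep "\n" (rule: "iifname \"${nats.externalInterface}\" ${rule.proto} dport { ${concatStringsSep ", " (map (x: toString x) rule.ports)} } dnat ${rule.destination}") cfg.forwardPorts}
  # inside chain postrouting:
  ${concatMapStringsSep "\n" (iface: "iifname \"${replaceStrings ["+"] ["*"] iface}\" oifname \"${nats.externalInterface}\" masquerade") nats.internalInterfaces}
  ${concatMapStringsSep "\n" (addr: "ip saddr ${addr} oifname \"${nats.externalInterface}\" masquerade") nats.internalIPs}
```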
@ -67,5 +67,11 @@
|
|||
"type": "tarball",
|
||||
"url": "https://github.com/hexchen/nixpkgs/archive/b5f7683f8d7f99186dd4232f233d17ce1abd4e17.tar.gz",
|
||||
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
|
||||
},
|
||||
"pbb-nixfiles": {
|
||||
"ref": "main",
|
||||
"repo": "https://git.petabyte.dev/petabyteboy/nixfiles.git",
|
||||
"rev": "0720c5dba283d782f2f887bf97aad339137d95dc",
|
||||
"type": "git"
|
||||
}
|
||||
}
|
||||
|
|