author | Mark Nipper <nipsy@bitgnome.net> | 2024-10-13 00:22:04 -0700 |
committer | Mark Nipper <nipsy@bitgnome.net> | 2024-10-13 00:22:04 -0700 |
commit | 07fcde7c34109d94a685b5e657ce24490a708529 (patch) | |
tree | 4e4a0102c91d111071b53d8c2f619a9dd615c17e /hosts/arrakis/default.nix | |
parent | 871c8e39545876e595910b51e3a85a5f826fdb03 (diff) | |
Add nginx and nftables rules to support Jellyfin
Diffstat (limited to '')
-rw-r--r-- | hosts/arrakis/default.nix | 60 |
1 files changed, 40 insertions, 20 deletions
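--- a/hosts/arrakis/default.nix
+++ b/hosts/arrakis/default.nix
@@ -82,30 +82,50 @@
     defaultSopsFile = ../secrets/arrakis.yaml;
     secrets = {
+      "nftables/ssh" = {};
       "wpa_supplicant" = {};
     };
   };
   system.stateVersion = "23.11";
-  #systemd.services."nftables-extra" = {
-  # description = "nftables extra firewall rules";
-  # script = ''
-  # ${pkgs.nftables}/bin/nft -f ${config.sops.secrets."nftables/ssh".path}
-  # '';
-  # serviceConfig = {
-  # RemainAfterExit = true;
-  # Type = "oneshot";
-  # };
-  # unitConfig = {
-  # ConditionPathExists = config.sops.secrets."nftables/ssh".path;
-  # };
-  # wantedBy = [ "multi-user.target" ];
-  #};
-  #systemd.paths."nftables-extra" = {
-  # pathConfig = {
-  # PathExists = config.sops.secrets."nftables/ssh".path;
-  # };
-  # wantedBy = [ "multi-user.target" ];
-  #};
+  systemd.services."nftables-extra" = {
+    description = "nftables extra firewall rules";
+    script = ''
+      ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" tcp dport { http, https } counter accept # 80, 443'
+      ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" udp dport { netbios-ns, netbios-dgm } counter accept # 137, 138'
+      ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" tcp dport { netbios-ssn, microsoft-ds } counter accept # 139, 445'
+      ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" tcp dport 2049 counter accept'
+      ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" udp dport { 2456, 2457 } counter accept # Valheim dedicated server'
+      ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" udp dport 5121 counter accept # Neverwinter Nights Server'
+      ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" tcp dport { 7878, 8080, 8686, 8787, 8989 } counter accept # Radarr, Sabnzb, Lidarr, Sonarr, Readarr'
+      ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" udp dport 15637 counter accept # Enshrouded'
+      ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" ip saddr 192.168.1.0/24 udp dport { 27031, 27036 } counter accept # Steam Remote Play'
+      ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" ip saddr 192.168.1.0/24 tcp dport { 27036, 27037 } counter accept # Steam Remote Play'
+      ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" udp dport 51820 counter accept # WireGuard'
+      ${pkgs.nftables}/bin/nft -f ${config.sops.secrets."nftables/ssh".path}
+    '';
+    serviceConfig = {
+      RemainAfterExit = true;
+      Type = "oneshot";
+    };
+    unitConfig = {
+      ConditionPathExists = [
+        config.sops.secrets."nftables/forward".path
+        config.sops.secrets."nftables/ssh".path
+      ];
+    };
+    wantedBy = [ "multi-user.target" ];
+    after = [ "nftables.service" ];
+    partOf = [ "nftables.service" ];
+  };
+  systemd.paths."nftables-extra" = {
+    pathConfig = {
+      PathExists = [
+        config.sops.secrets."nftables/forward".path
+        config.sops.secrets."nftables/ssh".path
+      ];
+    };
+    wantedBy = [ "multi-user.target" ];
+  };
 }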
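Review bot: The new `ConditionPathExists` and `PathExists` lists both reference `config.sops.secrets."nftables/forward".path`, but the visible `secrets` block declares only `"nftables/ssh"` and `"wpa_supplicant"`, and the script only ever applies the ssh file via `nft -f`; unless `nftables/forward` is declared earlier in the file, evaluation fails on the missing attribute, and even if it is declared the unit gates on a file it never loads. Either add `${pkgs.nftables}/bin/nft -f ${config.sops.secrets."nftables/forward".path}` beside the existing `-f` line or drop the two `forward` entries. Separately, `partOf = [ "nftables.service" ]` only follows stop/restart, so a reload of nftables.service (which replaces the ruleset) appears to leave these inserted rules absent until nftables-extra is restarted by hand; a comment on the `partOf` line noting this, or tying the unit to reload as well, would make the dependency explicit. Finally, the Steam rules are scoped with `ip saddr 192.168.1.0/24` while the `7878, 8080, 8686, 8787, 8989` management-UI rule accepts from any source on wlp5s0; applying the same source restriction there keeps exposure consistent across the rule set. The enclosing module attribute set opens before this hunk.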