diff options
| -rw-r--r-- | hosts/darkstar/default.nix | 11 |
1 files changed, 7 insertions, 4 deletions
diff --git a/hosts/darkstar/default.nix b/hosts/darkstar/default.nix index 0c4596b..a3d82e1 100644 --- a/hosts/darkstar/default.nix +++ b/hosts/darkstar/default.nix @@ -87,7 +87,6 @@ "kea-dhcp4_conf" = {}; "nftables/forward" = {}; "nftables/ssh" = {}; - "nftables/voip" = {}; }; }; @@ -96,9 +95,15 @@ systemd.services."nftables-extra" = { description = "nftables extra firewall rules"; script = '' + ${pkgs.nftables}/bin/nft -a list chain inet nixos-fw input | ${pkgs.gnugrep}/bin/grep @anveo | ${pkgs.gnugrep}/bin/grep -Eo 'handle [[:digit:]]+$' | ${pkgs.gnused}/bin/sed -e 's/^handle //' | while read handle; do ${pkgs.nftables}/bin/nft delete rule inet nixos-fw input handle ${handle}; done + if ${pkgs.nftables}/bin/nft list set inet nixos-fw anveo 2>/dev/null; then ${pkgs.nftables}/bin/nft delete set inet nixos-fw anveo; fi + if ${pkgs.nftables}/bin/nft list ct helpers table inet nixos-fw | ${pkgs.gnugrep}/bin/grep -qE '^[[:space:]]*ct helper sip-5060 {$'; then ${pkgs.nftables}/bin/nft delete ct helper inet nixos-fw sip-5060; fi + ${pkgs.nftables}/bin/nft add ct helper inet nixos-fw sip-5060 '{type "sip" protocol udp;}' + ${pkgs.nftables}/bin/nft add set inet nixos-fw anveo '{type ipv4_addr; elements={ 72.9.149.25, 169.48.232.158, 176.9.39.206, 204.216.109.55 };}' + ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "vlan201" udp dport sip ip saddr @anveo ct helper set "sip-5060"' + ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "vlan201" udp dport sip ip saddr @anveo accept' ${pkgs.nftables}/bin/nft -f ${config.sops.secrets."nftables/forward".path} ${pkgs.nftables}/bin/nft -f ${config.sops.secrets."nftables/ssh".path} - ${pkgs.nftables}/bin/nft -f ${config.sops.secrets."nftables/voip".path} ''; serviceConfig = { RemainAfterExit = true; @@ -108,7 +113,6 @@ ConditionPathExists = [ config.sops.secrets."nftables/forward".path config.sops.secrets."nftables/ssh".path - config.sops.secrets."nftables/voip".path ]; }; wantedBy = [ "multi-user.target" ]; @@ -118,7 +122,6 @@ PathExists = [ config.sops.secrets."nftables/forward".path config.sops.secrets."nftables/ssh".path - config.sops.secrets."nftables/voip".path ]; }; wantedBy = [ "multi-user.target" ]; |