diff options
Diffstat (limited to 'hosts/arrakis/default.nix')
| -rw-r--r-- | hosts/arrakis/default.nix | 151 |
1 files changed, 75 insertions, 76 deletions
diff --git a/hosts/arrakis/default.nix b/hosts/arrakis/default.nix index 58c7ee9..dd2cf84 100644 --- a/hosts/arrakis/default.nix +++ b/hosts/arrakis/default.nix @@ -2,10 +2,12 @@ boot = { initrd.kernelModules = [ "zfs" ]; kernel.sysctl = { + "kernel.hostname" = "arrakis.bitgnome.net"; "net.ipv4.ip_forward" = 1; + "net.netfilter.nf_log_all_netns" = 1; #"net.ipv4.conf.all.proxy_arp" = 1; }; - kernelPackages = pkgs.master.linuxPackages_6_14; + kernelPackages = pkgs.linuxPackages_6_18; loader = { efi = { canTouchEfiVariables = true; @@ -16,98 +18,91 @@ extraInstallCommands = '' ${pkgs.rsync}/bin/rsync -av --delete /efiboot/efi1/ /efiboot/efi2 ''; + memtest86.enable = true; }; timeout = 3; }; supportedFilesystems = [ "zfs" ]; - zfs.package = pkgs.master.zfs; + zfs.package = pkgs.zfs_unstable; }; - environment.etc."nftables-vpn.conf".text = '' - # VPN firewall - - flush ruleset - - table inet filter { - chain input { - type filter hook input priority filter; policy drop; - - # established/related connections - ct state established,related accept - - # invalid connections - ct state invalid drop - - # loopback interface - iif lo accept - - # ICMP (routers may also want: mld-listener-query, nd-router-solicit) - #ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, echo-reply, echo-request, nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert, packet-too-big, parameter-problem, time-exceeded } accept - ip protocol icmp icmp type { destination-unreachable, echo-reply, echo-request, parameter-problem, router-advertisement, source-quench, time-exceeded } accept - - # services - iif veth.vpn tcp dport 8080 accept # qBittorrent - iif veth.vpn tcp dport 9696 accept # Prowlarr - iifname wg1 tcp dport { 49152-65535 } accept # Transmission - } - - chain output { - type filter hook output priority filter; policy drop; - - # explicitly allow my DNS traffic without VPN - skuid nipsy ip daddr 192.168.1.1 tcp dport domain accept - skuid nipsy ip daddr 192.168.1.1 udp dport domain accept - - # explicitly allow my traffic without VPN - oifname veth.vpn skuid nipsy tcp sport 8080 accept # qBittorrent - oifname veth.vpn skuid nipsy tcp sport 9696 accept # Prowlarr - oifname veth.vpn skuid nipsy ip daddr 192.168.1.2 tcp dport { 7878, 8686, 8787, 8989 } accept # Prowlarr to { Radarr, Lidarr, Readarr, Sonarr } - - # allow any traffic out through VPN - oifname wg1 accept - - # drop everything else - counter drop - } - - chain forward { - type filter hook forward priority filter; policy drop; - } - } - ''; + environment.etc = { + "netns/vpn/resolv.conf".text = '' + nameserver 10.64.0.1 + options edns0 + ''; + + "nftables-vpn.conf".text = '' + # VPN firewall + + flush ruleset + + table inet filter { + chain input { + type filter hook input priority filter; policy drop; + + # established/related connections + ct state established,related accept + + # invalid connections + ct state invalid drop + + # loopback interface + iif lo accept + + # ICMP (routers may also want: mld-listener-query, nd-router-solicit) + #ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, echo-reply, echo-request, nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert, packet-too-big, parameter-problem, time-exceeded } accept + ip protocol icmp icmp type { destination-unreachable, echo-reply, echo-request, parameter-problem, router-advertisement, source-quench, time-exceeded } accept + + # services + iif veth.vpn tcp dport 8080 accept # qBittorrent + iif veth.vpn tcp dport 9696 accept # Prowlarr + iifname wg1 tcp dport { 49152-65535 } accept # Transmission + + # drop everything else + counter drop + } + + chain output { + type filter hook output priority filter; policy drop; + + # explicitly allow my DNS traffic without VPN + skuid nipsy ip daddr 192.168.1.1 tcp dport domain accept + skuid nipsy ip daddr 192.168.1.1 udp dport domain accept + + # explicitly allow my traffic without VPN + oifname veth.vpn skuid nipsy tcp sport 8080 accept # qBittorrent + oifname veth.vpn skuid nipsy tcp sport 9696 accept # Prowlarr + oifname veth.vpn skuid nipsy ip daddr 192.168.1.2 tcp dport { 7878, 8686, 8787, 8989 } accept # Prowlarr to { Radarr, Lidarr, Readarr, Sonarr } + oif lo skuid nipsy ip daddr 192.168.1.3 tcp dport 8080 accept # Prowlarr to qBittorrent + + # allow any traffic out through VPN + oifname wg1 accept + + # drop everything else + counter drop + } + + chain forward { + type filter hook forward priority filter; policy drop; + } + } + ''; + }; environment.systemPackages = [ - pkgs.angband - #pkgs.assaultcube - pkgs.bsdgames - pkgs.bzflag - pkgs.extremetuxracer - #pkgs.frozen-bubble - pkgs.hedgewars - pkgs.kobodeluxe + pkgs.bitcoind + #pkgs.igir pkgs.lidarr pkgs.mailutils pkgs.megacmd - pkgs.moc - pkgs.nethack - #pkgs.openttd pkgs.prowlarr pkgs.qbittorrent-nox pkgs.radarr pkgs.rdiff-backup pkgs.readarr - #pkgs.scorched3d - pkgs.signal-desktop pkgs.sonarr - pkgs.superTux - pkgs.superTuxKart - pkgs.umoria - pkgs.vial - pkgs.warzone2100 - #pkgs.wine9_22.wineWowPackages.stagingFull pkgs.wpa_supplicant - pkgs.xonotic-sdl - #pkgs.xpilot-ng ]; imports = [ @@ -140,7 +135,6 @@ address = "192.168.1.1"; interface = "enp6s0"; }; - domain = "bitgnome.net"; hostId = "2ae4c89f"; hostName = "arrakis"; interfaces = { @@ -152,6 +146,9 @@ }; nameservers = [ "192.168.1.1" ]; nftables.enable = true; + search = [ + "bitgnome.net" + ]; useDHCP = false; wg-quick.interfaces = { wg0 = { @@ -288,6 +285,8 @@ after = [ "zfs-import-data.service" ]; description = "Bind NFS exports to ZFS paths"; script = '' + ${pkgs.util-linux}/bin/mount --onlyonce /srv/caladan/downloads || ${pkgs.coreutils}/bin/true + ${pkgs.util-linux}/bin/mount --onlyonce /srv/caladan/www || ${pkgs.coreutils}/bin/true ${pkgs.util-linux}/bin/mount --onlyonce /srv/nfs/keepers || ${pkgs.coreutils}/bin/true ${pkgs.util-linux}/bin/mount --onlyonce /srv/nfs/movies || ${pkgs.coreutils}/bin/true ${pkgs.util-linux}/bin/mount --onlyonce /srv/nfs/tv || ${pkgs.coreutils}/bin/true |