Diffstat (limited to 'hosts/arrakis/default.nix')
-rw-r--r-- | hosts/arrakis/default.nix | 58 |
1 files changed, 58 insertions, 0 deletions
diff --git a/hosts/arrakis/default.nix b/hosts/arrakis/default.nix
index b8aa5e6..1e9641f 100644
--- a/hosts/arrakis/default.nix
+++ b/hosts/arrakis/default.nix
@@ -1,6 +1,10 @@
 { config, pkgs, ... }: {
 boot = {
 initrd.kernelModules = [ "zfs" ];
+ kernel.sysctl = {
+ "net.ipv4.ip_forward" = 1;
+ "net.ipv4.conf.all.proxy_arp" = 1;
+ };
 kernelPackages = pkgs.linuxPackages_6_10;
 loader = {
 efi = {
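Review bot: `"net.ipv4.conf.all.proxy_arp" = 1` in the new `kernel.sysctl` block enables proxy ARP on every interface, so the host will answer ARP for any address it has a route to on any link it is attached to; if the intent is only to make one attached network (presumably the veth/VPN side) reachable from the LAN, scope it to that interface, e.g. `"net.ipv4.conf.<lan-iface>.proxy_arp" = 1;` (placeholder name). `"net.ipv4.ip_forward" = 1` is likewise host-wide, and nothing in this hunk shows a host-level forward filter constraining what gets routed, so it is worth confirming the host firewall covers forwarded traffic. A short comment above the block naming the interfaces these settings exist for, e.g. `# host-side routing/ARP for the VPN veth pair`, would make that dependency explicit for the next reader.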
@@ -18,6 +22,59 @@
 supportedFilesystems = [ "zfs" ];
 };
+ environment.etc."nftables-vpn.conf".text = ''
+ # VPN firewall
+
+ flush ruleset
+
+ table inet filter {
+ chain input {
+ type filter hook input priority filter; policy drop;
+
+ # established/related connections
+ ct state established,related accept
+
+ # invalid connections
+ ct state invalid drop
+
+ # loopback interface
+ iif lo accept
+
+ # ICMP (routers may also want: mld-listener-query, nd-router-solicit)
+ #ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, echo-reply, echo-request, nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert, packet-too-big, parameter-problem, time-exceeded } accept
+ ip protocol icmp icmp type { destination-unreachable, echo-reply, echo-request, parameter-problem, router-advertisement, source-quench, time-exceeded } accept
+
+ # services
+ iif veth.vpn tcp dport 8080 accept # qBittorrent
+ iif veth.vpn tcp dport 9696 accept # Prowlarr
+ iifname wg1 tcp dport { 49152-65535 } accept # Transmission
+ }
+
+ chain output {
+ type filter hook output priority filter; policy drop;
+
+ # explicitly allow my DNS traffic without VPN
+ skuid nipsy ip daddr 192.168.1.1 tcp dport domain accept
+ skuid nipsy ip daddr 192.168.1.1 udp dport domain accept
+
+ # explicitly allow my traffic without VPN
+ oifname veth.vpn skuid nipsy tcp sport 8080 accept # qBittorrent
+ oifname veth.vpn skuid nipsy tcp sport 9696 accept # Prowlarr
+ oifname veth.vpn skuid nipsy ip daddr 192.168.1.2 tcp dport { 7878, 8686, 8787, 8989 } accept # Prowlarr to { Radarr, Lidarr, Readarr, Sonarr }
+
+ # allow any traffic out through VPN
+ oifname wg1 accept
+
+ # drop everything else
+ counter drop
+ }
+
+ chain forward {
+ type filter hook forward priority filter; policy drop;
+ }
+ }
+ '';
+ environment.systemPackages = with pkgs; [
 signal-desktop
 wpa_supplicant
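Review bot: The output chain is `policy drop` with no loopback rule, so traffic to localhost (a local stub resolver, or Prowlarr reaching qBittorrent on 127.0.0.1) is dropped even though the input chain accepts `iif lo`; add `oif lo accept` at the top of the output chain to mirror the input side. The input rules also mix `iif veth.vpn` with `iifname wg1`: `iif` binds the interface index when the ruleset is loaded, so the veth.vpn rules fail to load if that interface does not exist yet and silently stop matching if the veth pair is recreated, whereas `iifname veth.vpn tcp dport 8080 accept` (and the 9696 line) matches by name like the wg1 rule does. Nothing in this hunk references the new `/etc/nftables-vpn.conf` from `networking.nftables` or a service, so presumably it is loaded elsewhere (the `skuid`/veth rules suggest a dedicated network namespace); worth confirming, since an unloaded ruleset leaves the output-drop policy unenforced. The `environment.systemPackages` list continues past the end of the hunk.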
@@ -143,6 +200,7 @@
 "wireguard/ramped_psk" = {};
 "wireguard/timetrad_psk" = {};
 "wireguard/treebeard_psk" = {};
+ "wireguard/wg1_conf" = {};
 "wpa_supplicant" = {};
 };
 };
 |