Diffstat (limited to '')
-rw-r--r--hosts/arrakis/default.nix58
-rw-r--r--hosts/secrets/arrakis.yaml5
2 files changed, 61 insertions, 2 deletions
diff --git a/hosts/arrakis/default.nix b/hosts/arrakis/default.nix
index b8aa5e6..1e9641f 100644
--- a/hosts/arrakis/default.nix
+++ b/hosts/arrakis/default.nix
@@ -1,6 +1,10 @@
{ config, pkgs, ... }: {
boot = {
initrd.kernelModules = [ "zfs" ];
+ kernel.sysctl = {
+ "net.ipv4.ip_forward" = 1;
+ "net.ipv4.conf.all.proxy_arp" = 1;
+ };
kernelPackages = pkgs.linuxPackages_6_10;
loader = {
efi = {
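Review bot: `"net.ipv4.conf.all.proxy_arp" = 1;` on line 21 enables proxy ARP on every interface of arrakis, not only the VPN veth, so the host will answer ARP requests on the LAN for any destination it has a route to, and together with `ip_forward = 1` that can pull neighbours' traffic through this box. If proxy ARP is only needed for the veth pair, scope it to that interface, e.g. `"net/ipv4/conf/veth.vpn/proxy_arp" = 1;` (slash separators so the dot in the interface name is kept), and leave the `all`/`default` setting off. Note that the forward chain in the accompanying nftables ruleset is `policy drop` with no rules, so nothing is actually forwarded unless that ruleset is loaded in a separate namespace — worth confirming which is intended.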
@@ -18,6 +22,59 @@
supportedFilesystems = [ "zfs" ];
};
+ environment.etc."nftables-vpn.conf".text = ''
+ # VPN firewall
+
+ flush ruleset
+
+ table inet filter {
+ chain input {
+ type filter hook input priority filter; policy drop;
+
+ # established/related connections
+ ct state established,related accept
+
+ # invalid connections
+ ct state invalid drop
+
+ # loopback interface
+ iif lo accept
+
+ # ICMP (routers may also want: mld-listener-query, nd-router-solicit)
+ #ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, echo-reply, echo-request, nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert, packet-too-big, parameter-problem, time-exceeded } accept
+ ip protocol icmp icmp type { destination-unreachable, echo-reply, echo-request, parameter-problem, router-advertisement, source-quench, time-exceeded } accept
+
+ # services
+ iif veth.vpn tcp dport 8080 accept # qBittorrent
+ iif veth.vpn tcp dport 9696 accept # Prowlarr
+ iifname wg1 tcp dport { 49152-65535 } accept # Transmission
+ }
+
+ chain output {
+ type filter hook output priority filter; policy drop;
+
+ # explicitly allow my DNS traffic without VPN
+ skuid nipsy ip daddr 192.168.1.1 tcp dport domain accept
+ skuid nipsy ip daddr 192.168.1.1 udp dport domain accept
+
+ # explicitly allow my traffic without VPN
+ oifname veth.vpn skuid nipsy tcp sport 8080 accept # qBittorrent
+ oifname veth.vpn skuid nipsy tcp sport 9696 accept # Prowlarr
+ oifname veth.vpn skuid nipsy ip daddr 192.168.1.2 tcp dport { 7878, 8686, 8787, 8989 } accept # Prowlarr to { Radarr, Lidarr, Readarr, Sonarr }
+
+ # allow any traffic out through VPN
+ oifname wg1 accept
+
+ # drop everything else
+ counter drop
+ }
+
+ chain forward {
+ type filter hook forward priority filter; policy drop;
+ }
+ }
+ '';
+
environment.systemPackages = with pkgs; [
signal-desktop
wpa_supplicant
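Review bot: The two `skuid nipsy ip daddr 192.168.1.1 … dport domain accept` rules in the output chain (lines 61–62) send this user's DNS lookups — which, given the services permitted here, includes tracker and peer hostnames from qBittorrent/Prowlarr — to the LAN resolver in the clear, bypassing wg1 entirely; that is the classic VPN DNS leak and undercuts the `policy drop` kill switch. Unless the LAN resolver is genuinely required, prefer removing those two rules and pointing the namespace's resolver at an address reached through wg1 (already covered by `oifname wg1 accept`). Separately, `flush ruleset` on line 32 wipes every table in every family, so if this file is ever loaded in the host's namespace rather than the VPN one it also clears the host firewall; `table inet filter { }` followed by `delete table inet filter` before the definition limits the reset to this table. The input rule on line 54 is commented `Transmission` while the rest of the ruleset refers to qBittorrent, so it is unclear which daemon the 49152–65535 listen range belongs to. Nothing in this diff loads /etc/nftables-vpn.conf, so I assume the wiring lives elsewhere.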
@@ -143,6 +200,7 @@
"wireguard/ramped_psk" = {};
"wireguard/timetrad_psk" = {};
"wireguard/treebeard_psk" = {};
+ "wireguard/wg1_conf" = {};
"wpa_supplicant" = {};
};
};
diff --git a/hosts/secrets/arrakis.yaml b/hosts/secrets/arrakis.yaml
index 57cb20d..60677e1 100644
--- a/hosts/secrets/arrakis.yaml
+++ b/hosts/secrets/arrakis.yaml
@@ -10,6 +10,7 @@ wireguard:
ramped_psk: ENC[AES256_GCM,data:TCeXW9SWFEq7H7YdEE4E7gLoMC8F4GwSPBtvh8Zv6OQ3Ni0LdZBH9IHmPT4=,iv:U33J1eusuCiC41zla2ieIFKzmmgL/TlkLmH/5El3u4s=,tag:Z4QzImR0T2XzdI26nlX+/Q==,type:str]
timetrad_psk: ENC[AES256_GCM,data:zAOHUlk6VJd+w6ePcDAPhpmPmlogwqUh5zhDpnW7cbXflIdLtFN9YQbOYtc=,iv:DpqIP+uTxRY7Dl0WwOvAr/dDFeARCVZKNKKKCrgOkYA=,tag:IP+nUZS3klUvHNzbgS4IjQ==,type:str]
treebeard_psk: ENC[AES256_GCM,data:EjzdD4siZfCkwd6pX82C2HP8I0avKjStv6fleURD2cPkGmBFDH//MLYcY/k=,iv:yCc+U3+kAzOroOxO04EKVrbuqr85Y8cZ343UN4s3nBg=,tag:r5piVnM+Q5+0HRRMpVwmSA==,type:str]
+ wg1_conf: ENC[AES256_GCM,data:F1WdY74FFVkNcEiPDZkqDRWmzD61qzs46+J14d3WEenZSPLpQ0TYcDDOaN0zdy4Vm06Keyj/0r4LN8aYVLEkFAmx8n652q1m/XqeCMeavPBl+FsX67JtTuHo8R85CZoieF6XV74YYriqCLk/Iz8NV1oDQrC2SuCYMb1pO/P0hXgR63glSmjrM94klt9+Bte1aQYRLXlZe1Lou1Ifju5qnTa6VY6fOra6UYGjUpMP+HW0VzMVT8P4Yvmi4VhFOYeKJCdSGS3TBELv3jOdY/txrJRThe33FAWQfA/l6btKhV2iyyF7tPKdROSXgmJBd3kTYbyBWEWWICLIel3aChRElSazksRprF8TF7NDS2kYlA==,iv:xHk0ZceFzeSKHHdpRU6unquetUfdkJCzIC29HnQf3Fo=,tag:i/dvZsVkUUl0gmLyIRpSIA==,type:str]
wpa_supplicant: ENC[AES256_GCM,data:HHs6g3qaaeinVGgteExQvhE0CEC94WjJ0tV7pyI=,iv:6F+DYHieaWWo+V1F9yjwWT7PcdiIpH48nv1SUrFHePk=,tag:cpimCP+YNmCI+t+wpuXwHg==,type:str]
sops:
kms: []
@@ -35,8 +36,8 @@ sops:
ejRLb2Vkd1B3QmxLSE1wUzgrazZJT0UKz1IQxYm7hagYtBsWTpk+f6/79ArRUgNL
MfhHMQAwuuXjBSmuFolyU3UoWnDYK6uGAv5nlTJxESqj5eQBafItSw==
-----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-10-13T08:39:41Z"
- mac: ENC[AES256_GCM,data:+MnJGp0Oi3eXCDgFa6Jl7v+U1X8iSvBTiZT/Et2O3Z5YKKSpjSyuOUp4wxvUKC1w7lwLCPil3TuanEmB5j9fCPFLd4vRqb1bwPy4x9AoJGCut1jDIT+ywSVjhN2jV4Mg1RbCXHRJN/QhSylXuBhDYIVF9mriGamY2ZiRra+Z7Is=,iv:STqOryc9DWJETRLYy6A1Z6DRdxK6/cDRurpmUYml3JU=,tag:rH+NLwBOiIoHc9HmzXthvA==,type:str]
+ lastmodified: "2024-10-13T09:11:08Z"
+ mac: ENC[AES256_GCM,data:WT5dVkvOFd8VH0s8INFIR6LBlxRFcTV34clbiYXZDziBXsffqOM6zABBEMM+a5frDtH3GRNVNPtX7mgYqUAtkTmAz/Nfhg1jSKbaA7bKTBJX3uqWn+03hojC0+whaji4nH5St70QY9rOOHzQ0J7prQZKvpBC1iBUJoRkqXnfqpo=,iv:qi1wliYqv1doBRqRj9vA8w3MxLF436qSK17OwqbCkUk=,tag:qiW8uXA8mW5u/lm1aaYuog==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.1