Diffstat (limited to '')
-rw-r--r-- | hosts/arrakis/default.nix | 58 | ||||
-rw-r--r-- | hosts/secrets/arrakis.yaml | 5 |
2 files changed, 61 insertions, 2 deletions
diff --git a/hosts/arrakis/default.nix b/hosts/arrakis/default.nix
index b8aa5e6..1e9641f 100644
--- a/hosts/arrakis/default.nix
+++ b/hosts/arrakis/default.nix
@@ -1,6 +1,10 @@
 { config, pkgs, ... }: {
 boot = {
 initrd.kernelModules = [ "zfs" ];
+ kernel.sysctl = {
+ "net.ipv4.ip_forward" = 1;
+ "net.ipv4.conf.all.proxy_arp" = 1;
+ };
 kernelPackages = pkgs.linuxPackages_6_10;
 loader = {
 efi = {
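Review bot: `net.ipv4.ip_forward` and `net.ipv4.conf.all.proxy_arp` are enabled host-wide here, but nothing in this hunk constrains what the host now forwards or answers ARP for; the nftables ruleset added later in this commit is only written under /etc and its forward chain is not visibly wired into the host firewall. Under `conf.all`, proxy ARP is switched on for every interface (the kernel enables it when either the `all` or the per-interface flag is set), so the host will answer ARP for reachable addresses on the LAN side as well as on the VPN side. If only the VPN veth needs it, scope the setting to that interface, e.g. `"net.ipv4.conf.<vpn-iface>.proxy_arp" = 1;` (placeholder; a dotted interface name needs the slash form described in sysctl(8)), and add a comment stating which traffic the forwarding is meant to serve. The `boot` attribute set continues past the end of this hunk.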
@@ -18,6 +22,59 @@
 supportedFilesystems = [ "zfs" ];
 };
+ environment.etc."nftables-vpn.conf".text = ''
+ # VPN firewall
+
+ flush ruleset
+
+ table inet filter {
+ chain input {
+ type filter hook input priority filter; policy drop;
+
+ # established/related connections
+ ct state established,related accept
+
+ # invalid connections
+ ct state invalid drop
+
+ # loopback interface
+ iif lo accept
+
+ # ICMP (routers may also want: mld-listener-query, nd-router-solicit)
+ #ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, echo-reply, echo-request, nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert, packet-too-big, parameter-problem, time-exceeded } accept
+ ip protocol icmp icmp type { destination-unreachable, echo-reply, echo-request, parameter-problem, router-advertisement, source-quench, time-exceeded } accept
+
+ # services
+ iif veth.vpn tcp dport 8080 accept # qBittorrent
+ iif veth.vpn tcp dport 9696 accept # Prowlarr
+ iifname wg1 tcp dport { 49152-65535 } accept # Transmission
+ }
+
+ chain output {
+ type filter hook output priority filter; policy drop;
+
+ # explicitly allow my DNS traffic without VPN
+ skuid nipsy ip daddr 192.168.1.1 tcp dport domain accept
+ skuid nipsy ip daddr 192.168.1.1 udp dport domain accept
+
+ # explicitly allow my traffic without VPN
+ oifname veth.vpn skuid nipsy tcp sport 8080 accept # qBittorrent
+ oifname veth.vpn skuid nipsy tcp sport 9696 accept # Prowlarr
+ oifname veth.vpn skuid nipsy ip daddr 192.168.1.2 tcp dport { 7878, 8686, 8787, 8989 } accept # Prowlarr to { Radarr, Lidarr, Readarr, Sonarr }
+
+ # allow any traffic out through VPN
+ oifname wg1 accept
+
+ # drop everything else
+ counter drop
+ }
+
+ chain forward {
+ type filter hook forward priority filter; policy drop;
+ }
+ }
+ '';
+
 environment.systemPackages = with pkgs; [
 signal-desktop
 wpa_supplicant
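Review bot: The two `iif veth.vpn` rules in the input chain match by interface index, so nft refuses to load the ruleset if veth.vpn does not exist yet and the rules go stale when the veth is recreated with a new index, while the Transmission rule already uses the name form `iifname wg1`; use it consistently: `iifname veth.vpn tcp dport 8080 accept # qBittorrent` and `iifname veth.vpn tcp dport 9696 accept # Prowlarr`. Nothing in this hunk loads `/etc/nftables-vpn.conf` (presumably a service or network namespace outside the diff does), and `flush ruleset` at the top discards every table in whichever namespace it is applied to, which would wipe the host firewall if it were ever loaded there — a comment pinning the intent would help, e.g. `# Loaded only inside the VPN network namespace; never apply on the host`. The input chain accepts no ICMPv6 (that line is commented out), so if IPv6 is present on these interfaces, neighbor discovery is dropped by `policy drop` and v6 fails silently. The enclosing NixOS module continues past both ends of the hunk.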
@@ -143,6 +200,7 @@
 "wireguard/ramped_psk" = {};
 "wireguard/timetrad_psk" = {};
 "wireguard/treebeard_psk" = {};
+ "wireguard/wg1_conf" = {};
 "wpa_supplicant" = {};
 };
 };
diff --git a/hosts/secrets/arrakis.yaml b/hosts/secrets/arrakis.yaml
index 57cb20d..60677e1 100644
--- a/hosts/secrets/arrakis.yaml
+++ b/hosts/secrets/arrakis.yaml
@@ -10,6 +10,7 @@ wireguard:
 ramped_psk: ENC[AES256_GCM,data:TCeXW9SWFEq7H7YdEE4E7gLoMC8F4GwSPBtvh8Zv6OQ3Ni0LdZBH9IHmPT4=,iv:U33J1eusuCiC41zla2ieIFKzmmgL/TlkLmH/5El3u4s=,tag:Z4QzImR0T2XzdI26nlX+/Q==,type:str]
 timetrad_psk: ENC[AES256_GCM,data:zAOHUlk6VJd+w6ePcDAPhpmPmlogwqUh5zhDpnW7cbXflIdLtFN9YQbOYtc=,iv:DpqIP+uTxRY7Dl0WwOvAr/dDFeARCVZKNKKKCrgOkYA=,tag:IP+nUZS3klUvHNzbgS4IjQ==,type:str]
 treebeard_psk: ENC[AES256_GCM,data:EjzdD4siZfCkwd6pX82C2HP8I0avKjStv6fleURD2cPkGmBFDH//MLYcY/k=,iv:yCc+U3+kAzOroOxO04EKVrbuqr85Y8cZ343UN4s3nBg=,tag:r5piVnM+Q5+0HRRMpVwmSA==,type:str]
+ wg1_conf: ENC[AES256_GCM,data:F1WdY74FFVkNcEiPDZkqDRWmzD61qzs46+J14d3WEenZSPLpQ0TYcDDOaN0zdy4Vm06Keyj/0r4LN8aYVLEkFAmx8n652q1m/XqeCMeavPBl+FsX67JtTuHo8R85CZoieF6XV74YYriqCLk/Iz8NV1oDQrC2SuCYMb1pO/P0hXgR63glSmjrM94klt9+Bte1aQYRLXlZe1Lou1Ifju5qnTa6VY6fOra6UYGjUpMP+HW0VzMVT8P4Yvmi4VhFOYeKJCdSGS3TBELv3jOdY/txrJRThe33FAWQfA/l6btKhV2iyyF7tPKdROSXgmJBd3kTYbyBWEWWICLIel3aChRElSazksRprF8TF7NDS2kYlA==,iv:xHk0ZceFzeSKHHdpRU6unquetUfdkJCzIC29HnQf3Fo=,tag:i/dvZsVkUUl0gmLyIRpSIA==,type:str]
 wpa_supplicant: ENC[AES256_GCM,data:HHs6g3qaaeinVGgteExQvhE0CEC94WjJ0tV7pyI=,iv:6F+DYHieaWWo+V1F9yjwWT7PcdiIpH48nv1SUrFHePk=,tag:cpimCP+YNmCI+t+wpuXwHg==,type:str]
 sops:
 kms: []
@@ -35,8 +36,8 @@ sops:
 ejRLb2Vkd1B3QmxLSE1wUzgrazZJT0UKz1IQxYm7hagYtBsWTpk+f6/79ArRUgNL
 MfhHMQAwuuXjBSmuFolyU3UoWnDYK6uGAv5nlTJxESqj5eQBafItSw==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-10-13T08:39:41Z"
- mac: ENC[AES256_GCM,data:+MnJGp0Oi3eXCDgFa6Jl7v+U1X8iSvBTiZT/Et2O3Z5YKKSpjSyuOUp4wxvUKC1w7lwLCPil3TuanEmB5j9fCPFLd4vRqb1bwPy4x9AoJGCut1jDIT+ywSVjhN2jV4Mg1RbCXHRJN/QhSylXuBhDYIVF9mriGamY2ZiRra+Z7Is=,iv:STqOryc9DWJETRLYy6A1Z6DRdxK6/cDRurpmUYml3JU=,tag:rH+NLwBOiIoHc9HmzXthvA==,type:str]
+ lastmodified: "2024-10-13T09:11:08Z"
+ mac: ENC[AES256_GCM,data:WT5dVkvOFd8VH0s8INFIR6LBlxRFcTV34clbiYXZDziBXsffqOM6zABBEMM+a5frDtH3GRNVNPtX7mgYqUAtkTmAz/Nfhg1jSKbaA7bKTBJX3uqWn+03hojC0+whaji4nH5St70QY9rOOHzQ0J7prQZKvpBC1iBUJoRkqXnfqpo=,iv:qi1wliYqv1doBRqRj9vA8w3MxLF436qSK17OwqbCkUk=,tag:qiW8uXA8mW5u/lm1aaYuog==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.9.1 |