Compare commits
3 Commits
83380a6125
...
5c79cbf694
Author | SHA1 | Date | |
---|---|---|---|
5c79cbf694 | |||
cfe8ffa759 | |||
ff2f6d28bb |
@ -85,8 +85,10 @@ in
|
|||||||
family = "inet";
|
family = "inet";
|
||||||
content = ''
|
content = ''
|
||||||
${nftIdentifiers}
|
${nftIdentifiers}
|
||||||
define ALLOWED_TCP_PORTS = { ssh, https }
|
define ALLOWED_TCP_PORTS = { ssh }
|
||||||
define ALLOWED_UDP_PORTS = { bootps, dhcpv6-server, domain, https }
|
define ALLOWED_UDP_PORTS = { 18596 }
|
||||||
|
define ALLOWED_TCP_LAN_PORTS = { ssh, https }
|
||||||
|
define ALLOWED_UDP_LAN_PORTS = { bootps, dhcpv6-server, domain, https }
|
||||||
set port_forward_v6 {
|
set port_forward_v6 {
|
||||||
type inet_proto . ipv6_addr . inet_service
|
type inet_proto . ipv6_addr . inet_service
|
||||||
elements = {
|
elements = {
|
||||||
@ -133,6 +135,10 @@ in
|
|||||||
# but apparently not.
|
# but apparently not.
|
||||||
ip6 daddr { fe80::/10, ff02::/16 } th dport { dhcpv6-client, dhcpv6-server } accept
|
ip6 daddr { fe80::/10, ff02::/16 } th dport { dhcpv6-client, dhcpv6-server } accept
|
||||||
|
|
||||||
|
# Global input rules
|
||||||
|
tcp dport $ALLOWED_TCP_PORTS accept
|
||||||
|
udp dport $ALLOWED_UDP_PORTS accept
|
||||||
|
|
||||||
# WAN zone input rules
|
# WAN zone input rules
|
||||||
iifname $ZONE_WAN_IFS jump zone_wan_input
|
iifname $ZONE_WAN_IFS jump zone_wan_input
|
||||||
# LAN zone input rules
|
# LAN zone input rules
|
||||||
@ -157,8 +163,7 @@ in
|
|||||||
}
|
}
|
||||||
|
|
||||||
chain zone_wan_input {
|
chain zone_wan_input {
|
||||||
# Allow SSH from WAN (if needed)
|
# Allow specific stuff from WAN
|
||||||
tcp dport ssh accept
|
|
||||||
}
|
}
|
||||||
|
|
||||||
chain zone_wan_forward {
|
chain zone_wan_forward {
|
||||||
@ -180,8 +185,8 @@ in
|
|||||||
ip protocol icmp accept
|
ip protocol icmp accept
|
||||||
|
|
||||||
# Allow specific services from LAN
|
# Allow specific services from LAN
|
||||||
tcp dport $ALLOWED_TCP_PORTS accept
|
tcp dport $ALLOWED_TCP_LAN_PORTS accept
|
||||||
udp dport $ALLOWED_UDP_PORTS accept
|
udp dport $ALLOWED_UDP_LAN_PORTS accept
|
||||||
}
|
}
|
||||||
|
|
||||||
chain zone_lan_forward {
|
chain zone_lan_forward {
|
||||||
|
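Review bot: The new `# Global input rules` accepts, `tcp dport $ALLOWED_TCP_PORTS accept` and `udp dport $ALLOWED_UDP_PORTS accept`, are placed before the `iifname $ZONE_WAN_IFS jump zone_wan_input` dispatch, so ssh and UDP 18596 are now accepted on every interface, WAN included, and `chain zone_wan_input` is left holding only the comment `# Allow specific stuff from WAN` with no rule under it. If accepting these on all zones is the intent, the comment should say so, e.g. `# Global input rules: accepted on every zone (including WAN) before zone dispatch`; otherwise the accepts belong in the zone chains. The literal `18596` in `define ALLOWED_UDP_PORTS = { 18596 }` duplicates `ListenPort = 18596` in the systemd-networkd wg0 hunk (`@ -44,13 +44,13 @@`), and since this `content = ''…''` is a Nix string both places could interpolate one shared let-binding (a constructed name such as `wg0ListenPort`) so the firewall opening and the listener cannot drift apart. The chain that holds these global rules and the `content` string itself begin outside the hunks shown.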
@ -24,7 +24,7 @@ let
|
|||||||
];
|
];
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
secrix.system.secrets = let
|
secrix.services.systemd-networkd.secrets = let
|
||||||
pskEnabledPeers = builtins.filter (peer: peer.pskEnabled) wg0Peers;
|
pskEnabledPeers = builtins.filter (peer: peer.pskEnabled) wg0Peers;
|
||||||
peerToSecretAttrs = peer: {
|
peerToSecretAttrs = peer: {
|
||||||
name = "wg0-peer-${peer.name}-psk";
|
name = "wg0-peer-${peer.name}-psk";
|
||||||
@ -44,13 +44,13 @@ in
|
|||||||
Name = "wg0";
|
Name = "wg0";
|
||||||
};
|
};
|
||||||
wireguardConfig = {
|
wireguardConfig = {
|
||||||
PrivateKeyFile = config.secrix.system.secrets.wg0-private-key.decrypted.path;
|
PrivateKeyFile = config.secrix.services.systemd-networkd.secrets.wg0-private-key.decrypted.path;
|
||||||
ListenPort = 18596;
|
ListenPort = 18596;
|
||||||
};
|
};
|
||||||
wireguardPeers = map (peer: {
|
wireguardPeers = map (peer: {
|
||||||
AllowedIPs = peer.allowedIPs;
|
AllowedIPs = lib.strings.concatStringsSep "," peer.allowedIPs;
|
||||||
PublicKey = peer.publicKey;
|
PublicKey = peer.publicKey;
|
||||||
PresharedKeyFile = if peer.pskEnabled then config.secrix.system.secrets."wg0-peer-${peer.name}-psk".decrypted.path else null;
|
PresharedKeyFile = if peer.pskEnabled then config.secrix.services.systemd-networkd.secrets."wg0-peer-${peer.name}-psk".decrypted.path else null;
|
||||||
}) wg0Peers;
|
}) wg0Peers;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
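Review bot: `PrivateKeyFile` now reads `config.secrix.services.systemd-networkd.secrets.wg0-private-key.decrypted.path`, but this section only shows the per-peer PSK secrets being declared under the new `secrix.services.systemd-networkd.secrets` path; the `wg0-private-key` declaration is not in the hunk, so it presumably lives elsewhere and should be confirmed to have moved as well, or the reference fails at evaluation. The `lib.strings.concatStringsSep "," peer.allowedIPs` join also deserves a short why-comment, e.g. `# AllowedIPs= is a single comma-separated string in the generated .netdev`, and note that a peer with an empty `allowedIPs` list now produces an empty `AllowedIPs=` entry rather than being omitted. The `let` bindings and the netdev attribute set this belongs to start before the second hunk.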