dev/nixfiles
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity

nixos/jackflix: Improve firewall

Browse Source
This commit is contained in:
Jack O'Sullivan
2022-06-12 14:03:44 +01:00
parent 46c9aa655a
commit 7e5c051bfc
2 changed files with 167 additions and 148 deletions
Download Patch File Download Diff File Expand all files Collapse all files

104
nixos/boxes/colony/vms/shill/containers/jackflix/default.nix
View File

@@ -17,85 +17,65 @@
configuration = { lib, pkgs, config, ... }:
let
inherit (lib) mkMerge mkIf;
inherit (lib);
in
{
imports = [ ./networking.nix ];
config = mkMerge [
{
my = {
deploy.enable = false;
server.enable = true;
config = {
my = {
deploy.enable = false;
server.enable = true;
secrets = {
key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKzzAqa4821NlYfALYOlvR7YlOgxNuulTWo9Vm5L1mNU";
};
secrets = {
key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKzzAqa4821NlYfALYOlvR7YlOgxNuulTWo9Vm5L1mNU";
};
};
users = {
groups.media.gid = 2000;
users = {
groups.media.gid = 2000;
users = {
transmission.extraGroups = [ "media" ];
radarr.extraGroups = [ "media" ];
};
};
systemd = {
services = {
jackett.bindsTo = [ "systemd-networkd-wait-online@vpn.service" ];
transmission.bindsTo = [ "systemd-networkd-wait-online@vpn.service" ];
radarr.serviceConfig.UMask = "0002";
};
transmission.extraGroups = [ "media" ];
radarr.extraGroups = [ "media" ];
};
};
systemd = {
services = {
transmission = {
enable = true;
openPeerPorts = true;
openRPCPort = true;
downloadDirPermissions = null;
performanceNetParameters = true;
settings = {
download-dir = "/mnt/media/downloads/torrents";
incomplete-dir-enabled = true;
incomplete-dir = "/mnt/media/downloads/torrents/.incomplete";
umask = 002;
jackett.bindsTo = [ "systemd-networkd-wait-online@vpn.service" ];
transmission.bindsTo = [ "systemd-networkd-wait-online@vpn.service" ];
peer-port = 55471;
utp-enabled = true;
port-forwarding-enabled = false;
radarr.serviceConfig.UMask = "0002";
};
};
ratio-limit = 2.0;
ratio-limit-enabled = true;
services = {
transmission = {
enable = true;
downloadDirPermissions = null;
performanceNetParameters = true;
settings = {
download-dir = "/mnt/media/downloads/torrents";
incomplete-dir-enabled = true;
incomplete-dir = "/mnt/media/downloads/torrents/.incomplete";
umask = 002;
rpc-bind-address = "::";
rpc-whitelist-enabled = false;
rpc-host-whitelist-enabled = false;
};
};
utp-enabled = true;
port-forwarding-enabled = false;
jackett = {
enable = true;
openFirewall = true;
};
radarr = {
enable = true;
openFirewall = true;
ratio-limit = 2.0;
ratio-limit-enabled = true;
rpc-bind-address = "::";
rpc-whitelist-enabled = false;
rpc-host-whitelist-enabled = false;
};
};
}
(mkIf config.my.build.isDevVM {
virtualisation = {
forwardPorts = [
{ from = "host"; host.port = 9117; guest.port = 9117; }
{ from = "host"; host.port = 7878; guest.port = 7878; }
{ from = "host"; host.port = 8989; guest.port = 8989; }
];
};
})
];
jackett.enable = true;
radarr.enable = true;
};
};
};
};
}

211
nixos/boxes/colony/vms/shill/containers/jackflix/networking.nix
View File

@@ -1,6 +1,6 @@
{ lib, pkgs, config, assignments, ... }:
let
inherit (lib) mkMerge;
inherit (lib) mkMerge mkIf;
inherit (lib.my) networkdAssignment;
wg = {
@@ -8,102 +8,141 @@ let
fwMark = 42;
routeTable = 51820;
};
# Forwarded in Mullvad config
transmissionPeerPort = 55471;
in
{
config = {
my = {
secrets = {
files."${wg.keyFile}" = {
group = "systemd-network";
mode = "440";
config = mkMerge [
{
my = {
secrets = {
files."${wg.keyFile}" = {
group = "systemd-network";
mode = "440";
};
};
firewall = {
extraRules = ''
# Make sure that VPN connections are dropped (except for the Transmission port)
table inet filter {
chain tcp-ext {
tcp dport ${toString transmissionPeerPort} accept
iifname vpn return
tcp dport { 9091, 9117, 7878, 8989, 8096 } accept
return
}
chain input {
tcp flags & (fin|syn|rst|ack) == syn ct state new jump tcp-ext
}
}
'';
};
};
firewall = {
tcp.allowed = [ ];
environment.systemPackages = with pkgs; [
wireguard-tools
];
services = {
transmission.settings.peer-port = transmissionPeerPort;
};
};
environment.systemPackages = with pkgs; [
wireguard-tools
];
systemd = {
network = {
netdevs."30-vpn" = with wg; {
netdevConfig = {
Name = "vpn";
Kind = "wireguard";
};
wireguardConfig = {
PrivateKeyFile = config.age.secrets."${keyFile}".path;
FirewallMark = fwMark;
RouteTable = routeTable;
};
wireguardPeers = [
{
# mlvd-de32
wireguardPeerConfig = {
Endpoint = "146.70.107.194:51820";
PublicKey = "uKTC5oP/zfn6SSjayiXDDR9L82X0tGYJd5LVn5kzyCc=";
AllowedIPs = [ "0.0.0.0/0" "::/0" ];
};
}
];
};
networks = {
"80-container-host0" = mkMerge [
(networkdAssignment "host0" assignments.internal)
{
networkConfig.DNSDefaultRoute = false;
}
];
"90-vpn" = with wg; {
matchConfig.Name = "vpn";
address = [ "10.68.19.11/32" "fc00:bbbb:bbbb:bb01::5:130a/128" ];
dns = [ "10.64.0.1" ];
routingPolicyRules = map (r: { routingPolicyRuleConfig = r; }) [
systemd = {
network = {
netdevs."30-vpn" = with wg; {
netdevConfig = {
Name = "vpn";
Kind = "wireguard";
};
wireguardConfig = {
PrivateKeyFile = config.age.secrets."${keyFile}".path;
FirewallMark = fwMark;
RouteTable = routeTable;
};
wireguardPeers = [
{
Family = "both";
SuppressPrefixLength = 0;
Table = "main";
Priority = 100;
}
{
From = lib.my.colony.prefixes.all.v4;
Table = "main";
Priority = 100;
}
{
To = lib.my.colony.prefixes.all.v4;
Table = "main";
Priority = 100;
}
{
From = lib.my.colony.prefixes.all.v6;
Table = "main";
Priority = 100;
}
{
To = lib.my.colony.prefixes.all.v6;
Table = "main";
Priority = 100;
}
{
Family = "both";
InvertRule = true;
FirewallMark = fwMark;
Table = routeTable;
Priority = 110;
# mlvd-de32
wireguardPeerConfig = {
Endpoint = "146.70.107.194:51820";
PublicKey = "uKTC5oP/zfn6SSjayiXDDR9L82X0tGYJd5LVn5kzyCc=";
AllowedIPs = [ "0.0.0.0/0" "::/0" ];
};
}
];
};
networks = {
"80-container-host0" = mkMerge [
(networkdAssignment "host0" assignments.internal)
{
networkConfig.DNSDefaultRoute = false;
}
];
"90-vpn" = with wg; {
matchConfig.Name = "vpn";
address = [ "10.68.19.11/32" "fc00:bbbb:bbbb:bb01::5:130a/128" ];
dns = [ "10.64.0.1" ];
routingPolicyRules = map (r: { routingPolicyRuleConfig = r; }) [
{
Family = "both";
SuppressPrefixLength = 0;
Table = "main";
Priority = 100;
}
{
From = lib.my.colony.prefixes.all.v4;
Table = "main";
Priority = 100;
}
{
To = lib.my.colony.prefixes.all.v4;
Table = "main";
Priority = 100;
}
{
From = lib.my.colony.prefixes.all.v6;
Table = "main";
Priority = 100;
}
{
To = lib.my.colony.prefixes.all.v6;
Table = "main";
Priority = 100;
}
{
Family = "both";
InvertRule = true;
FirewallMark = fwMark;
Table = routeTable;
Priority = 110;
}
];
};
};
};
};
};
};
}
(mkIf config.my.build.isDevVM {
virtualisation = {
forwardPorts = [
# Transmission
{ from = "host"; host.port = 9091; guest.port = 9091; }
# Jackett
{ from = "host"; host.port = 9117; guest.port = 9117; }
# Radarr
{ from = "host"; host.port = 7878; guest.port = 7878; }
# Sonarr
{ from = "host"; host.port = 8989; guest.port = 8989; }
# Jellyfin
{ from = "host"; host.port = 8096; guest.port = 8096; }
];
};
})
];
}