dev/nixfiles
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity

nixos/jackflix: Improve firewall

Browse Source
This commit is contained in:
Jack O'Sullivan 2022-06-12 14:03:44 +01:00
parent 46c9aa655a
commit 7e5c051bfc
2 changed files with 167 additions and 148 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
nixos/boxes/colony/vms/shill/containers/jackflix/default.nix
View File

@ -17,13 +17,12 @@
configuration = { lib, pkgs, config, ... }: configuration = { lib, pkgs, config, ... }:
let let
inherit (lib) mkMerge mkIf; inherit (lib);
in in
{ {
imports = [ ./networking.nix ]; imports = [ ./networking.nix ];
config = mkMerge [ config = {
{
my = { my = {
deploy.enable = false; deploy.enable = false;
server.enable = true; server.enable = true;
@ -53,8 +52,6 @@
services = { services = {
transmission = { transmission = {
enable = true; enable = true;
openPeerPorts = true;
openRPCPort = true;
downloadDirPermissions = null; downloadDirPermissions = null;
performanceNetParameters = true; performanceNetParameters = true;
settings = { settings = {
@ -63,7 +60,6 @@
incomplete-dir = "/mnt/media/downloads/torrents/.incomplete"; incomplete-dir = "/mnt/media/downloads/torrents/.incomplete";
umask = 002; umask = 002;
peer-port = 55471;
utp-enabled = true; utp-enabled = true;
port-forwarding-enabled = false; port-forwarding-enabled = false;
@ -76,26 +72,10 @@
}; };
}; };
jackett = { jackett.enable = true;
enable = true; radarr.enable = true;
openFirewall = true;
};
radarr = {
enable = true;
openFirewall = true;
}; };
}; };
}
(mkIf config.my.build.isDevVM {
virtualisation = {
forwardPorts = [
{ from = "host"; host.port = 9117; guest.port = 9117; }
{ from = "host"; host.port = 7878; guest.port = 7878; }
{ from = "host"; host.port = 8989; guest.port = 8989; }
];
};
})
];
}; };
}; };
} }

45
nixos/boxes/colony/vms/shill/containers/jackflix/networking.nix
View File

@ -1,6 +1,6 @@
{ lib, pkgs, config, assignments, ... }: { lib, pkgs, config, assignments, ... }:
let let
inherit (lib) mkMerge; inherit (lib) mkMerge mkIf;
inherit (lib.my) networkdAssignment; inherit (lib.my) networkdAssignment;
wg = { wg = {
@ -8,9 +8,13 @@ let
fwMark = 42; fwMark = 42;
routeTable = 51820; routeTable = 51820;
}; };
# Forwarded in Mullvad config
transmissionPeerPort = 55471;
in in
{ {
config = { config = mkMerge [
{
my = { my = {
secrets = { secrets = {
files."${wg.keyFile}" = { files."${wg.keyFile}" = {
@ -20,7 +24,21 @@ in
}; };
firewall = { firewall = {
tcp.allowed = [ ]; extraRules = ''
# Make sure that VPN connections are dropped (except for the Transmission port)
table inet filter {
chain tcp-ext {
tcp dport ${toString transmissionPeerPort} accept
iifname vpn return
tcp dport { 9091, 9117, 7878, 8989, 8096 } accept
return
}
chain input {
tcp flags & (fin|syn|rst|ack) == syn ct state new jump tcp-ext
}
}
'';
}; };
}; };
@ -28,6 +46,10 @@ in
wireguard-tools wireguard-tools
]; ];
services = {
transmission.settings.peer-port = transmissionPeerPort;
};
systemd = { systemd = {
network = { network = {
netdevs."30-vpn" = with wg; { netdevs."30-vpn" = with wg; {
@ -105,5 +127,22 @@ in
}; };
}; };
}; };
}
(mkIf config.my.build.isDevVM {
virtualisation = {
forwardPorts = [
# Transmission
{ from = "host"; host.port = 9091; guest.port = 9091; }
# Jackett
{ from = "host"; host.port = 9117; guest.port = 9117; }
# Radarr
{ from = "host"; host.port = 7878; guest.port = 7878; }
# Sonarr
{ from = "host"; host.port = 8989; guest.port = 8989; }
# Jellyfin
{ from = "host"; host.port = 8096; guest.port = 8096; }
];
}; };
})
];
} }