jawz/NixOS
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

nat table

Browse Source
This commit is contained in:
Danilo Reyes
2026-02-06 06:44:47 -06:00
parent a15db616b4
commit 1fd29a5f4f
3 changed files with 59 additions and 45 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
hosts/server/configuration.nix
View File

@@ -79,6 +79,7 @@ in
allowedIPs = [ allowedIPs = [
"${config.my.ips.wg-vps}/32" "${config.my.ips.wg-vps}/32"
"${config.my.ips.wg-friends}/24" # all friends "${config.my.ips.wg-friends}/24" # all friends
"${config.my.ips.wg-gs}/24" # all friends
]; ];
persistentKeepalive = 25; persistentKeepalive = 25;
} }

41
hosts/vps/configuration.nix
View File

@@ -47,11 +47,35 @@ in
}; };
}; };
image.modules.linode = { }; image.modules.linode = { };
networking.hostName = "vps";
services.smartd.enable = lib.mkForce false; services.smartd.enable = lib.mkForce false;
environment.systemPackages = [ ]; environment.systemPackages = [ ];
networking.nftables.enable = true; networking = {
networking.firewall = { hostName = "vps";
nat = {
inherit externalInterface;
enable = true;
internalInterfaces = [ "wg0" ];
forwardPorts = [
{
sourcePort = giteaSshPort;
proto = "tcp";
destination = "${homeServer}:${giteaSshPortStr}";
}
];
};
nftables = {
enable = true;
tables."vps-snat" = {
family = "ip";
content = ''
chain postrouting {
type nat hook postrouting priority srcnat;
iifname "${externalInterface}" oifname "${wgInterface}" ip daddr ${homeServer}/32 tcp dport ${giteaSshPortStr} masquerade comment "snat ssh forward"
}
'';
};
};
firewall = {
enable = true; enable = true;
filterForward = true; filterForward = true;
checkReversePath = "loose"; checkReversePath = "loose";
@@ -87,17 +111,6 @@ in
ip saddr ${wgFriendsSubnet} ip daddr ${wgGuestsSubnet} drop ip saddr ${wgFriendsSubnet} ip daddr ${wgGuestsSubnet} drop
''; '';
}; };
networking.nat = {
enable = true;
inherit externalInterface;
internalInterfaces = [ "wg0" ];
forwardPorts = [
{
sourcePort = giteaSshPort;
proto = "tcp";
destination = "${homeServer}:${giteaSshPortStr}";
}
];
}; };
security.sudo-rs.extraRules = [ security.sudo-rs.extraRules = [
{ {

2
modules/modules.nix
View File

@@ -56,12 +56,12 @@ in
wg-gs = "10.9.0.0"; wg-gs = "10.9.0.0";
wg-g0 = "10.9.0.1"; wg-g0 = "10.9.0.1";
wg-g1 = "10.9.0.2"; wg-g1 = "10.9.0.2";
wg-friends = "10.8.0.0";
wg-friend0 = "10.8.0.1"; wg-friend0 = "10.8.0.1";
wg-friend1 = "10.8.0.2"; wg-friend1 = "10.8.0.2";
wg-friend2 = "10.8.0.3"; wg-friend2 = "10.8.0.3";
wg-friend3 = "10.8.0.4"; wg-friend3 = "10.8.0.4";
wg-friend4 = "10.8.0.5"; wg-friend4 = "10.8.0.5";
wg-friends = "10.8.0.0";
}; };
description = "Set of IP's for all my computers."; description = "Set of IP's for all my computers.";
}; };