firewall migration

testing on lebubu
2026-02-05 12:45:39 -06:00 · 2026-02-05 12:06:28 -06:00
5 changed files with 70 additions and 19 deletions
--- a/hosts/vps/configuration.nix
+++ b/hosts/vps/configuration.nix
@@ -5,6 +5,10 @@
  pkgs,
  ...
 }:
+let
+  externalInterface = config.my.interfaces.${config.networking.hostName};
+  homeServer = config.my.ips.wg-server;
+in
 {
  imports = [
    ./hardware-configuration.nix
@@ -21,18 +25,64 @@
      ];
    };
  };
-  environment.etc."iptables.rules".source = ../../iptables;
-  networking.firewall.enable = lib.mkForce false;
-  networking.nftables.enable = false;
-  systemd.services.iptables-restore = {
-    description = "Apply iptables ruleset";
-    wantedBy = [ "multi-user.target" ];
-    after = [ "network-pre.target" ];
-    serviceConfig = {
-      Type = "oneshot";
-      RemainAfterExit = true;
-      ExecStart = "${pkgs.iptables}/bin/iptables-restore --wait /etc/iptables.rules";
-    };
+  networking.firewall = {
+    enable = true;
+    allowedTCPPorts = [
+      80
+      443
+      3456
+    ];
+    allowedUDPPorts = [ 51820 ];
+    extraForwardRules = ''
+      ct state established,related accept
+
+      ip daddr ${homeServer}/32 tcp dport { 22, 51412 } accept
+      ip daddr ${homeServer}/32 udp dport 51412 accept
+
+      ip saddr 10.8.0.2/32 ip daddr ${homeServer}/32 tcp dport 22000 accept
+      ip saddr 10.8.0.3/32 ip daddr ${homeServer}/32 tcp dport 22000 accept
+      ip saddr 10.8.0.4/32 ip daddr ${homeServer}/32 tcp dport 22000 accept
+      ip saddr 10.8.0.5/32 ip daddr ${homeServer}/32 tcp dport 22000 accept
+      ip saddr ${homeServer}/32 ip daddr 10.8.0.2/32 tcp dport 22000 accept
+      ip saddr ${homeServer}/32 ip daddr 10.8.0.3/32 tcp dport 22000 accept
+      ip saddr ${homeServer}/32 ip daddr 10.8.0.4/32 tcp dport 22000 accept
+      ip saddr ${homeServer}/32 ip daddr 10.8.0.5/32 tcp dport 22000 accept
+
+      ip saddr 10.8.0.0/24 ip daddr ${homeServer}/32 tcp dport { 8008, 8448, 8999 } accept
+
+      ip saddr 10.8.0.0/24 ip daddr ${homeServer}/32 icmp type echo-request accept
+      ip saddr ${homeServer}/32 ip daddr 10.8.0.0/24 icmp type echo-reply accept
+
+      ip saddr 10.9.0.0/24 ip daddr ${homeServer}/32 tcp dport 9999 accept
+      ip saddr 10.9.0.0/24 ip daddr ${homeServer}/32 icmp type echo-request accept
+      ip saddr ${homeServer}/32 ip daddr 10.9.0.0/24 icmp type echo-reply accept
+
+      ip saddr 10.8.0.0/24 oifname "${externalInterface}" accept
+      ip saddr 10.9.0.0/24 oifname "${externalInterface}" accept
+
+      ip saddr 10.8.0.0/24 ip daddr 10.77.0.0/24 drop
+      ip saddr 10.77.0.0/24 ip daddr 10.8.0.0/24 drop
+      ip saddr 10.9.0.0/24 ip daddr 10.77.0.0/24 drop
+      ip saddr 10.77.0.0/24 ip daddr 10.9.0.0/24 drop
+      ip saddr 10.9.0.0/24 ip daddr 10.8.0.0/24 drop
+      ip saddr 10.8.0.0/24 ip daddr 10.9.0.0/24 drop
+    '';
+    extraCommands = ''
+      iptables -t nat -A PREROUTING -p tcp --dport 22 -j DNAT --to-destination ${homeServer}:22
+      iptables -t nat -A PREROUTING -p tcp --dport 51412 -j DNAT --to-destination ${homeServer}:51412
+      iptables -t nat -A PREROUTING -p udp --dport 51412 -j DNAT --to-destination ${homeServer}:51412
+      iptables -t nat -A POSTROUTING -d ${homeServer}/32 -p tcp --dport 22 -j MASQUERADE
+      iptables -t nat -A POSTROUTING -d ${homeServer}/32 -p tcp --dport 51412 -j MASQUERADE
+      iptables -t nat -A POSTROUTING -d ${homeServer}/32 -p udp --dport 51412 -j MASQUERADE
+    '';
+    extraStopCommands = ''
+      iptables -t nat -D PREROUTING -p tcp --dport 22 -j DNAT --to-destination ${homeServer}:22 || true
+      iptables -t nat -D PREROUTING -p tcp --dport 51412 -j DNAT --to-destination ${homeServer}:51412 || true
+      iptables -t nat -D PREROUTING -p udp --dport 51412 -j DNAT --to-destination ${homeServer}:51412 || true
+      iptables -t nat -D POSTROUTING -d ${homeServer}/32 -p tcp --dport 22 -j MASQUERADE || true
+      iptables -t nat -D POSTROUTING -d ${homeServer}/32 -p tcp --dport 51412 -j MASQUERADE || true
+      iptables -t nat -D POSTROUTING -d ${homeServer}/32 -p udp --dport 51412 -j MASQUERADE || true
+    '';
  };
  image.modules.linode = { };
  networking.hostName = "vps";
--- a/hosts/vps/toggles.nix
+++ b/hosts/vps/toggles.nix
@@ -9,7 +9,6 @@ let
  mkEnabledProxyIp = inputs.self.lib.mkEnabledProxyIp wgServerIp;
 in
 {
-  domain = "servidos.lat";
  enableProxy = true;
  enableContainers = true;
  apps.dictionaries.enable = true;
--- a/modules/servers/nextcloud.nix
+++ b/modules/servers/nextcloud.nix
@@ -171,7 +171,6 @@ in
          enableACME = false;
          http2 = false;
          serverAliases = [
-            "cloud.servidos.lat"
            "cloud.rotehaare.art"
          ];
          listen = [
--- a/specs/004-vps-migration/quickstart.md
+++ b/specs/004-vps-migration/quickstart.md
@@ -60,9 +60,12 @@
 - `mb-report.lebubu.org` and `torrent.lebubu.org` are present in caddy but no matching Nix server host was found.

 5. Migrate analytics data:
-   - Export data from existing server
-   - Import into new server
-   - Validate historical data is present
+   - Identify the analytics system (e.g., Plausible) and its data store location or database
+   - Freeze writes during export (stop the analytics service or enable maintenance mode)
+   - Export analytics data from the existing server (db dump or data directory archive)
+   - Transfer the export to the new server using the secure path already used for secrets/config
+   - Import the data on the new server and restart the analytics service
+   - Validate historical data is present (date range coverage, dashboard counts, and sample events)

 6. Run verification steps for each task (per spec FR-012).

@@ -97,7 +100,7 @@
 - **T020**: `rg -n "45\\.33\\.0\\.228" modules/modules.nix config/jawz.nix`
 - **T021**: `rg -n "endpoint = .*my\\.ips\\.vps" hosts/server/configuration.nix`
 - **T022**: verify "Clarification Candidates From History Review" section exists in this file
- **T023**: intentionally skipped by operator for this implementation pass
+- **T023**: `rg -n "Migrate analytics data|Export analytics|Import.*analytics|Validate historical data" /home/jawz/Development/NixOS/specs/004-vps-migration/quickstart.md`
 - **T024**: verify each task from T001-T026 has a corresponding verification line in this section
 - **T025**: `rg -n "caddy|Caddy" README.org docs || true` and confirm no active-proxy references remain outside legacy migration notes
 - **T026**: `rg -n "T0[0-2][0-9]" /home/jawz/Development/NixOS/specs/004-vps-migration/tasks.md` and confirm each task mentions at least one concrete path
--- a/specs/004-vps-migration/tasks.md
+++ b/specs/004-vps-migration/tasks.md
@@ -64,7 +64,7 @@ Deliver MVP as User Story 1 (primary host reverse proxy + keep services on host
 **Independent test criteria**: Clarification list exists and each task has a verification step.

 - [x] T022 [US4] Review sudo_hist and jawz_hist for missing configuration; record clarification list in specs/004-vps-migration/quickstart.md
- [ ] T023 [US4] Document analytics data migration steps (export, import, validate) in specs/004-vps-migration/quickstart.md
+- [x] T023 [US4] Document analytics data migration steps (export, import, validate) in specs/004-vps-migration/quickstart.md
 - [x] T024 [US4] Add verification steps for each task in specs/004-vps-migration/quickstart.md

 ## Phase 7: Polish & Cross-Cutting Concerns
Author	SHA1	Message	Date
Danilo Reyes	c09268891e	firewall migration	2026-02-05 12:45:39 -06:00
Danilo Reyes	e1f7c2291a	testing on lebubu	2026-02-05 12:06:28 -06:00