2024-08-14 02:19:47 +03:00
|
|
|
{ util, config, lib, ... }: let
|
|
|
|
|
internal = "10.0.0.1";
|
|
|
|
|
external = "188.242.247.132";
|
|
|
|
|
wifi = "10.0.0.2";
|
|
|
|
|
|
|
|
|
|
lan = "br0";
|
|
|
|
|
wan = "enp8s0";
|
|
|
|
|
in {
|
|
|
|
|
boot.kernel.sysctl = {
|
|
|
|
|
"net.ipv4.conf.all.src_valid_mark" = 1;
|
|
|
|
|
"net.ipv4.ip_forward" = 1;
|
|
|
|
|
};
|
|
|
|
|
|
2024-08-02 23:45:19 +03:00
|
|
|
networking = {
|
|
|
|
|
networkmanager.insertNameservers = [
|
|
|
|
|
"1.1.1.1"
|
|
|
|
|
"8.8.8.8"
|
|
|
|
|
];
|
2024-08-14 02:19:47 +03:00
|
|
|
|
2024-08-02 23:45:19 +03:00
|
|
|
extraHosts = util.trimTabs ''
|
|
|
|
|
10.1.0.2 git.voronind.com
|
|
|
|
|
10.1.0.2 iot.voronind.com
|
|
|
|
|
10.1.0.2 pass.voronind.com
|
|
|
|
|
'';
|
2024-08-14 02:19:47 +03:00
|
|
|
|
|
|
|
|
firewall = {
|
|
|
|
|
enable = lib.mkForce true;
|
|
|
|
|
trustedInterfaces = [
|
|
|
|
|
lan
|
|
|
|
|
];
|
|
|
|
|
extraCommands = let
|
|
|
|
|
cfg = config.container.module;
|
|
|
|
|
|
|
|
|
|
mkForward = src: sport: dst: dport: proto: "iptables -t nat -I PREROUTING -d ${src} -p ${proto} --dport ${toString sport} -j DNAT --to-destination ${dst}:${toString dport}\n";
|
|
|
|
|
in ''
|
|
|
|
|
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -d 0/0 -o ${wan} -j MASQUERADE
|
2024-08-14 20:59:42 +03:00
|
|
|
iptables -I INPUT -j ACCEPT -s ${cfg.vpn.address} -d ${internal}
|
2024-08-14 02:19:47 +03:00
|
|
|
''
|
|
|
|
|
+ (mkForward internal cfg.dns.port cfg.dns.address cfg.dns.port "tcp")
|
|
|
|
|
+ (mkForward internal cfg.dns.port cfg.dns.address cfg.dns.port "udp")
|
|
|
|
|
|
|
|
|
|
+ (mkForward external 25 cfg.mail.address 25 "tcp")
|
|
|
|
|
+ (mkForward internal 25 cfg.mail.address 25 "tcp")
|
|
|
|
|
+ (mkForward internal 465 cfg.mail.address 465 "tcp")
|
|
|
|
|
+ (mkForward internal 993 cfg.mail.address 993 "tcp")
|
|
|
|
|
|
|
|
|
|
+ (mkForward internal cfg.zapret.port cfg.zapret.address cfg.zapret.port "tcp")
|
|
|
|
|
+ (mkForward internal cfg.zapret.torport cfg.zapret.address cfg.zapret.torport "tcp")
|
|
|
|
|
+ (mkForward internal cfg.zapret.port cfg.zapret.address cfg.zapret.port "udp")
|
|
|
|
|
+ (mkForward internal cfg.zapret.torport cfg.zapret.address cfg.zapret.torport "udp")
|
|
|
|
|
|
|
|
|
|
+ (mkForward external cfg.vpn.port cfg.vpn.address cfg.vpn.port "udp")
|
|
|
|
|
|
|
|
|
|
+ (mkForward external cfg.proxy.port cfg.proxy.address cfg.proxy.port "tcp")
|
|
|
|
|
+ (mkForward internal cfg.proxy.port cfg.proxy.address cfg.proxy.port "tcp")
|
|
|
|
|
|
|
|
|
|
+ (mkForward external 54630 cfg.download.address 54630 "tcp")
|
|
|
|
|
+ (mkForward external 54631 cfg.download.address 54631 "tcp")
|
|
|
|
|
+ (mkForward external 54630 cfg.download.address 54630 "udp")
|
|
|
|
|
+ (mkForward external 54631 cfg.download.address 54631 "udp")
|
|
|
|
|
;
|
|
|
|
|
|
|
|
|
|
interfaces = {
|
2024-08-14 20:59:42 +03:00
|
|
|
${wan} = {
|
2024-08-14 02:19:47 +03:00
|
|
|
allowedUDPPorts = [
|
|
|
|
|
];
|
|
|
|
|
allowedTCPPorts = [
|
|
|
|
|
# 22143
|
|
|
|
|
];
|
|
|
|
|
};
|
2024-08-14 20:59:42 +03:00
|
|
|
${lan} = {
|
2024-08-14 02:19:47 +03:00
|
|
|
allowedUDPPorts = [
|
|
|
|
|
];
|
|
|
|
|
allowedTCPPorts = [
|
|
|
|
|
22143
|
|
|
|
|
];
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
bridges."${lan}".interfaces = [
|
|
|
|
|
"enp6s0f0"
|
|
|
|
|
"enp6s0f1"
|
|
|
|
|
];
|
|
|
|
|
|
|
|
|
|
interfaces = {
|
2024-08-14 20:59:42 +03:00
|
|
|
${lan}.ipv4 = {
|
2024-08-14 02:19:47 +03:00
|
|
|
addresses = [{
|
|
|
|
|
address = internal;
|
|
|
|
|
prefixLength = 24;
|
|
|
|
|
}];
|
|
|
|
|
routes = [
|
|
|
|
|
{
|
|
|
|
|
address = "192.168.1.0";
|
|
|
|
|
prefixLength = 24;
|
|
|
|
|
via = wifi;
|
|
|
|
|
}
|
|
|
|
|
{
|
|
|
|
|
address = "192.168.2.0";
|
|
|
|
|
prefixLength = 24;
|
|
|
|
|
via = wifi;
|
|
|
|
|
}
|
|
|
|
|
];
|
|
|
|
|
};
|
|
|
|
|
};
|
2024-08-02 23:45:19 +03:00
|
|
|
};
|
2024-03-29 09:05:08 +03:00
|
|
|
}
|
