From 02006b1ff7a7f84893e71d930d34dc2b4c7af262 Mon Sep 17 00:00:00 2001
From: Dmitry Voronin
Date: Sun, 24 Nov 2024 04:41:06 +0300
Subject: [PATCH] Vpn: Fix proxy access.

---
 container/Vpn.nix | 8 ++++++--
 container/proxy/host/Camera.nix | 2 +-
 container/proxy/host/Change.nix | 2 +-
 container/proxy/host/Chat.nix | 2 +-
 container/proxy/host/Cloud.nix | 2 +-
 container/proxy/host/Download.nix | 2 +-
 container/proxy/host/Git.nix | 2 +-
 container/proxy/host/Home.nix | 2 +-
 container/proxy/host/Iot.nix | 2 +-
 container/proxy/host/Mail.nix | 2 +-
 container/proxy/host/Office.nix | 2 +-
 container/proxy/host/Paper.nix | 2 +-
 container/proxy/host/Pass.nix | 2 +-
 container/proxy/host/Print.nix | 2 +-
 container/proxy/host/Printer.nix | 2 +-
 container/proxy/host/Read.nix | 2 +-
 container/proxy/host/Router.nix | 2 +-
 container/proxy/host/Search.nix | 2 +-
 container/proxy/host/Status.nix | 4 ++--
 container/proxy/host/Stock.nix | 2 +-
 container/proxy/host/Watch.nix | 2 +-
 container/proxy/host/Yt.nix | 2 +-
 host/x86_64-linux/home/Network.nix | 7 +++----
 23 files changed, 31 insertions(+), 28 deletions(-)

diff --git a/container/Vpn.nix b/container/Vpn.nix
index 73a15e0e..c214f977 100644
--- a/container/Vpn.nix
+++ b/container/Vpn.nix
@@ -30,6 +30,10 @@ in {
 default = "${config.container.storage}/vpn";
 type = lib.types.str;
 };
+ clients = lib.mkOption {
+ default = "10.1.1.0/24";
+ type = lib.types.str;
+ };
 };
 
 config = lib.mkIf cfg.enable {
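Review bot: The new `clients` option is typed `lib.types.str` with no `description`, yet its value is spliced verbatim into the `ip route add` command line and into every proxy host's nginx `allow` directive, so anything other than a single IPv4 CIDR (a list, a bare address with no prefix, trailing whitespace) fails silently at runtime as a broken route or a misparsed allow list rather than at evaluation time. A narrower type and a description would catch that early and tell the next reader what the value is used for: `type = lib.types.strMatching "^[0-9.]+/[0-9]+$";` and `description = "IPv4 CIDR of the pool handed out to VPN clients; routed via the container on ve-vpn and allow-listed by the proxy hosts.";`. The enclosing `options` set and the `config` body continue outside the hunk.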
@@ -38,14 +42,14 @@ in {
 ];
 
 # HACK: When using `networking.interfaces.*` it breaks. This works tho.
- systemd.services.vpn-route = {
+ systemd.services.vpn-route = util.mkStaticSystemdService {
 enable = true;
 description = "Hack vpn routes on host";
 after = [ "container@vpn.service" ];
 wants = [ "container@vpn.service" ];
 wantedBy = [ "multi-user.target" ];
 serviceConfig = {
- ExecStart = "${pkgs.iproute2}/bin/ip route add 10.1.1.0/24 via ${cfg.address} dev ve-vpn";
+ ExecStart = "${pkgs.iproute2}/bin/ip route add ${cfg.clients} via ${cfg.address} dev ve-vpn";
 Type = "oneshot";
 };
 };
diff --git a/container/proxy/host/Camera.nix b/container/proxy/host/Camera.nix
index 5fc97484..a3e95f13 100644
--- a/container/proxy/host/Camera.nix
+++ b/container/proxy/host/Camera.nix
@@ -15,7 +15,7 @@ in {
 location / {
 allow ${config.container.localAccess};
 allow ${config.container.module.status.address};
- allow ${config.container.module.vpn.address};
+ allow ${config.container.module.vpn.clients};
 allow ${config.container.module.frkn.address};
 deny all;
 return 301 rtsp://${address}:${toString port}/live/main;
diff --git a/container/proxy/host/Change.nix b/container/proxy/host/Change.nix
index 6e5e31fa..04a72c4e 100644
--- a/container/proxy/host/Change.nix
+++ b/container/proxy/host/Change.nix
@@ -15,7 +15,7 @@ in {
 location / {
 allow ${config.container.localAccess};
 allow ${config.container.module.status.address};
- allow ${config.container.module.vpn.address};
+ allow ${config.container.module.vpn.clients};
 allow ${config.container.module.frkn.address};
 deny all;
 
diff --git a/container/proxy/host/Chat.nix b/container/proxy/host/Chat.nix
index 6d95a0dd..b0bb83be 100644
--- a/container/proxy/host/Chat.nix
+++ b/container/proxy/host/Chat.nix
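Review bot: The oneshot `ExecStart` still uses `ip route add`, which is not idempotent: if the route already exists when the unit is (re)started the command exits non-zero and the unit fails, and nothing removes the route on stop, so a stale route pointing at a previous `cfg.address` survives an address change until reboot. `ip route replace ${cfg.clients} via ${cfg.address} dev ve-vpn` makes the start idempotent, and `ExecStop = "${pkgs.iproute2}/bin/ip route del ${cfg.clients} via ${cfg.address} dev ve-vpn";` together with `RemainAfterExit = true;` lets systemd own the route's lifetime. This is worth getting right because every proxy host's new `allow ${config.container.module.vpn.clients}` line presumes replies to that pool go back through the container, which is exactly what this route provides. I cannot see `util.mkStaticSystemdService`; confirm it passes `serviceConfig` through unchanged.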
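Review bot: With `allow ${config.container.module.vpn.clients}` these allow lists now trust every peer address in the VPN pool, and nginx's access module checks only the TCP peer address, so the protection is exactly as strong as the host's guarantee that packets with those source addresses can arrive only over the VPN container's interface; that guarantee lives in the host firewall, not in this file, and a short comment above the block such as `# Source-address allow list; relies on the host firewall to reject spoofed VPN-pool sources on other interfaces.` would make the dependency visible. In this host the list also gates only the `return 301` line: the redirect hands the client the camera's direct `${address}:${toString port}` RTSP endpoint, which the allow list does not cover, so that endpoint needs its own network-level restriction (not visible here). The `server` block continues outside the hunk.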
@@ -15,7 +15,7 @@ in {
 location / {
 allow ${config.container.localAccess};
 allow ${config.container.module.status.address};
- allow ${config.container.module.vpn.address};
+ allow ${config.container.module.vpn.clients};
 allow ${config.container.module.frkn.address};
 deny all;
 
diff --git a/container/proxy/host/Cloud.nix b/container/proxy/host/Cloud.nix
index e9fbc244..ebc4f339 100644
--- a/container/proxy/host/Cloud.nix
+++ b/container/proxy/host/Cloud.nix
@@ -15,7 +15,7 @@ in {
 location ~ ^/(settings/admin|settings/users|settings/apps|login|api) {
 allow ${config.container.localAccess};
 allow ${config.container.module.status.address};
- allow ${config.container.module.vpn.address};
+ allow ${config.container.module.vpn.clients};
 allow ${config.container.module.frkn.address};
 deny all;
 proxy_pass http://''$${name}$request_uri;
diff --git a/container/proxy/host/Download.nix b/container/proxy/host/Download.nix
index a43bd70f..2e852952 100644
--- a/container/proxy/host/Download.nix
+++ b/container/proxy/host/Download.nix
@@ -15,7 +15,7 @@ in {
 location / {
 allow ${config.container.localAccess};
 allow ${config.container.module.status.address};
- allow ${config.container.module.vpn.address};
+ allow ${config.container.module.vpn.clients};
 allow ${config.container.module.frkn.address};
 deny all;
 proxy_pass http://''$${name}$request_uri;
diff --git a/container/proxy/host/Git.nix b/container/proxy/host/Git.nix
index 95440ea3..41617721 100644
--- a/container/proxy/host/Git.nix
+++ b/container/proxy/host/Git.nix
@@ -14,7 +14,7 @@ in {
 
 location ~ ^/(admin|api|user) {
 allow ${config.container.localAccess};
- allow ${config.container.module.vpn.address};
+ allow ${config.container.module.vpn.clients};
 allow ${config.container.module.frkn.address};
 deny all;
 proxy_pass http://''$${name}$request_uri;
diff --git a/container/proxy/host/Home.nix b/container/proxy/host/Home.nix
index d2aa04ef..eaea0cd9 100644
--- a/container/proxy/host/Home.nix
+++ b/container/proxy/host/Home.nix
@@ -15,7 +15,7 @@ in {
 location / {
 allow ${config.container.localAccess};
 allow ${config.container.module.status.address};
- allow ${config.container.module.vpn.address};
+ allow ${config.container.module.vpn.clients};
 allow ${config.container.module.frkn.address};
 deny all;
 proxy_pass http://''$${name}$request_uri;
diff --git a/container/proxy/host/Iot.nix b/container/proxy/host/Iot.nix
index b572ce0a..9eb903f1 100644
--- a/container/proxy/host/Iot.nix
+++ b/container/proxy/host/Iot.nix
@@ -15,7 +15,7 @@ in {
 location / {
 allow ${config.container.localAccess};
 allow ${config.container.module.status.address};
- allow ${config.container.module.vpn.address};
+ allow ${config.container.module.vpn.clients};
 allow ${config.container.module.frkn.address};
 deny all;
 
diff --git a/container/proxy/host/Mail.nix b/container/proxy/host/Mail.nix
index abea01a8..ff3bd144 100644
--- a/container/proxy/host/Mail.nix
+++ b/container/proxy/host/Mail.nix
@@ -15,7 +15,7 @@ in {
 location / {
 allow ${config.container.localAccess};
 allow ${config.container.module.status.address};
- allow ${config.container.module.vpn.address};
+ allow ${config.container.module.vpn.clients};
 allow ${config.container.module.frkn.address};
 deny all;
 proxy_pass http://''$${name}$request_uri;
diff --git a/container/proxy/host/Office.nix b/container/proxy/host/Office.nix
index 2074f11b..22acea63 100644
--- a/container/proxy/host/Office.nix
+++ b/container/proxy/host/Office.nix
@@ -15,7 +15,7 @@ in {
 location / {
 # allow ${config.container.localAccess};
 # allow ${config.container.module.status.address};
- # allow ${config.container.module.vpn.address};
+ # allow ${config.container.module.vpn.clients};
 # allow ${config.container.module.frkn.address};
 # deny all;
 add_header X-Forwarded-Proto https;
diff --git a/container/proxy/host/Paper.nix b/container/proxy/host/Paper.nix
index 5c96ecf3..e1d1a2fd 100644
--- a/container/proxy/host/Paper.nix
+++ b/container/proxy/host/Paper.nix
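Review bot: In Office.nix the renamed `allow` line sits inside a fully commented-out access block, so the change is a no-op and this host stays reachable from any source, unlike every sibling host this commit touches. If that is deliberate, a one-line comment above the block stating why the access list is disabled for this host (and what, if anything, restricts it instead) would stop the next reader from "fixing" it; if it is not, the block should be uncommented so it matches its siblings. The `server` block continues outside the hunk.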
@@ -15,7 +15,7 @@ in {
 location / {
 allow ${config.container.localAccess};
 allow ${config.container.module.status.address};
- allow ${config.container.module.vpn.address};
+ allow ${config.container.module.vpn.clients};
 allow ${config.container.module.frkn.address};
 deny all;
 proxy_pass http://''$${name}$request_uri;
diff --git a/container/proxy/host/Pass.nix b/container/proxy/host/Pass.nix
index 12cec10c..93aa07fa 100644
--- a/container/proxy/host/Pass.nix
+++ b/container/proxy/host/Pass.nix
@@ -15,7 +15,7 @@ in {
 location / {
 allow ${config.container.localAccess};
 allow ${config.container.module.status.address};
- allow ${config.container.module.vpn.address};
+ allow ${config.container.module.vpn.clients};
 allow ${config.container.module.frkn.address};
 deny all;
 proxy_pass http://''$${name}$request_uri;
diff --git a/container/proxy/host/Print.nix b/container/proxy/host/Print.nix
index fe923745..12bff3af 100644
--- a/container/proxy/host/Print.nix
+++ b/container/proxy/host/Print.nix
@@ -15,7 +15,7 @@ in {
 location / {
 allow ${config.container.localAccess};
 allow ${config.container.module.status.address};
- allow ${config.container.module.vpn.address};
+ allow ${config.container.module.vpn.clients};
 allow ${config.container.module.frkn.address};
 deny all;
 
diff --git a/container/proxy/host/Printer.nix b/container/proxy/host/Printer.nix
index 8661fc76..3268f764 100644
--- a/container/proxy/host/Printer.nix
+++ b/container/proxy/host/Printer.nix
@@ -17,7 +17,7 @@ in {
 location / {
 allow ${config.container.localAccess};
 allow ${config.container.module.status.address};
- allow ${config.container.module.vpn.address};
+ allow ${config.container.module.vpn.clients};
 allow ${config.container.module.frkn.address};
 deny all;
 proxy_pass http://''$${name}$request_uri;
diff --git a/container/proxy/host/Read.nix b/container/proxy/host/Read.nix
index a7dca677..bc0a5323 100644
--- a/container/proxy/host/Read.nix
+++ b/container/proxy/host/Read.nix
@@ -15,7 +15,7 @@ in {
 location / {
 allow ${config.container.localAccess};
 allow ${config.container.module.status.address};
- allow ${config.container.module.vpn.address};
+ allow ${config.container.module.vpn.clients};
 allow ${config.container.module.frkn.address};
 deny all;
 proxy_pass http://''$${name}$request_uri;
diff --git a/container/proxy/host/Router.nix b/container/proxy/host/Router.nix
index db1df5e1..425623a0 100644
--- a/container/proxy/host/Router.nix
+++ b/container/proxy/host/Router.nix
@@ -17,7 +17,7 @@ in {
 location / {
 allow ${config.container.localAccess};
 allow ${config.container.module.status.address};
- allow ${config.container.module.vpn.address};
+ allow ${config.container.module.vpn.clients};
 allow ${config.container.module.frkn.address};
 deny all;
 proxy_pass http://''$${name}$request_uri;
diff --git a/container/proxy/host/Search.nix b/container/proxy/host/Search.nix
index c5afc3be..e66a561c 100644
--- a/container/proxy/host/Search.nix
+++ b/container/proxy/host/Search.nix
@@ -15,7 +15,7 @@ in {
 location / {
 allow ${config.container.localAccess};
 allow ${config.container.module.status.address};
- allow ${config.container.module.vpn.address};
+ allow ${config.container.module.vpn.clients};
 allow ${config.container.module.frkn.address};
 deny all;
 proxy_pass http://''$${name}$request_uri;
diff --git a/container/proxy/host/Status.nix b/container/proxy/host/Status.nix
index bf53f3d0..5e5c4a1b 100644
--- a/container/proxy/host/Status.nix
+++ b/container/proxy/host/Status.nix
@@ -14,7 +14,7 @@ in {
 
 location ~ ^/(dashboard|settings) {
 allow ${config.container.localAccess};
- allow ${config.container.module.vpn.address};
+ allow ${config.container.module.vpn.clients};
 allow ${config.container.module.frkn.address};
 deny all;
 proxy_pass http://''$${name}$request_uri;
@@ -22,7 +22,7 @@ in {
 
 location / {
 allow ${config.container.localAccess};
- allow ${config.container.module.vpn.address};
+ allow ${config.container.module.vpn.clients};
 allow ${config.container.module.frkn.address};
 deny all;
 proxy_pass http://''$${name}$request_uri;
diff --git a/container/proxy/host/Stock.nix b/container/proxy/host/Stock.nix
index 3d6cf9fc..904218c1 100644
--- a/container/proxy/host/Stock.nix
+++ b/container/proxy/host/Stock.nix
@@ -15,7 +15,7 @@ in {
 location / {
 allow ${config.container.localAccess};
 allow ${config.container.module.status.address};
- allow ${config.container.module.vpn.address};
+ allow ${config.container.module.vpn.clients};
 allow ${config.container.module.frkn.address};
 deny all;
 proxy_pass http://''$${name}$request_uri;
diff --git a/container/proxy/host/Watch.nix b/container/proxy/host/Watch.nix
index 6ca2e8ac..ceb4d3c7 100644
--- a/container/proxy/host/Watch.nix
+++ b/container/proxy/host/Watch.nix
@@ -15,7 +15,7 @@ in {
 location / {
 allow ${config.container.localAccess};
 allow ${config.container.module.status.address};
- allow ${config.container.module.vpn.address};
+ allow ${config.container.module.vpn.clients};
 allow ${config.container.module.frkn.address};
 deny all;
 proxy_pass http://''$${name}$request_uri;
diff --git a/container/proxy/host/Yt.nix b/container/proxy/host/Yt.nix
index aea0ce55..c466e329 100644
--- a/container/proxy/host/Yt.nix
+++ b/container/proxy/host/Yt.nix
@@ -15,7 +15,7 @@ in {
 location / {
 allow ${config.container.localAccess};
 allow ${config.container.module.status.address};
- allow ${config.container.module.vpn.address};
+ allow ${config.container.module.vpn.clients};
 allow ${config.container.module.frkn.address};
 deny all;
 
diff --git a/host/x86_64-linux/home/Network.nix b/host/x86_64-linux/home/Network.nix
index 491d2e70..1561a5f0 100644
--- a/host/x86_64-linux/home/Network.nix
+++ b/host/x86_64-linux/home/Network.nix
@@ -50,8 +50,7 @@ in {
 iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -d 0/0 -o ${wan} -j MASQUERADE
 
 # Full access from VPN clients.
- # iptables -I INPUT -j ACCEPT -s ${cfg.vpn.address} -d ${internal}
- iptables -I INPUT -j ACCEPT -s 10.1.1.0/24 -d ${internal}
+ iptables -I INPUT -j ACCEPT -s ${cfg.vpn.clients} -d ${internal}
 iptables -I INPUT -j ACCEPT -s ${cfg.frkn.address} -d ${internal}
 
 # Full access from Lan.
@@ -89,13 +88,13 @@ in {
 + (mkForward external 54631 cfg.download.address 54631 udp)
 
 # Git SSH connections.
- # + (mkForward external cfg.git.portSsh cfg.git.address cfg.git.portSsh tcp)
+ + (mkForward external cfg.git.portSsh cfg.git.address cfg.git.portSsh tcp)
 + (mkForward internal cfg.git.portSsh cfg.git.address cfg.git.portSsh tcp)
 
 # Print serivce.
 + (mkForward internal cfg.print.port cfg.print.address cfg.print.port tcp);
 
- # SSH access.
+ # SSH access from WAN.
 # + (mkForward external 22143 config.container.host 22143 tcp)
 };
 
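Review bot: The new `iptables -I INPUT -j ACCEPT -s ${cfg.vpn.clients} -d ${internal}` rule matches on source address only and is inserted at the head of INPUT, so a packet arriving on `${wan}` or the LAN with a forged source inside the VPN pool is accepted before any later rule unless reverse-path filtering or an earlier drop rule (neither visible here) catches it. Binding the rule to the interface the VPN container's traffic actually enters on closes that: `iptables -I INPUT -i ve-vpn -j ACCEPT -s ${cfg.vpn.clients} -d ${internal}`; `ve-vpn` is the device the vpn-route unit in container/Vpn.nix uses, so confirm it is the host-side veth name here too. The same applies to the `frkn` rule on the following context line. The `extraCommands` string this sits in starts and ends outside the hunk.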
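Review bot: Uncommenting `(mkForward external cfg.git.portSsh cfg.git.address cfg.git.portSsh tcp)` exposes the git container's SSH port directly to the WAN, which is a scope change the commit message ("Fix proxy access") does not mention and which none of the source-address allow lists tightened elsewhere in this commit covers — the Git.nix hunk gates `/(admin|api|user)` to VPN/LAN sources over HTTP, but an internet-reachable sshd bypasses that entirely. Before this lands the container's sshd should be confirmed key-only with a connection rate limit (not visible from here), and the decision recorded next to the forward, e.g. `# Git SSH is reachable from WAN on purpose; sshd in the git container is key-only.`. `mkForward` and the rest of the forwarding expression are defined outside the hunk.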