daniel/dotfiles
1
0
Fork 0
Code Activity Actions

mediaserver: big wgns rework

Browse source
This commit is contained in:
Daniel Kempkens 2023-05-24 13:02:56 +02:00
parent 1908975e83
commit 75cc6e2834
Signed by: daniel
SSH key fingerprint: SHA256:Ks/MyhQYcPRQiwMKLAKquWCdCPe3JXlb1WttgnAoSeM
16 changed files with 303 additions and 185 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

BIN
agenix/hosts/sail/weewx/config.age
View file

Binary file not shown.

68
container/autobrr/default.nix
View file

@ -1,68 +0,0 @@
{ lib, ... }:
{
systemd.tmpfiles.rules = [
"d /var/lib/autobrr 0755 root root"
"d /var/lib/omegabrr 0755 root root"
];
virtualisation.oci-containers.containers.autobrr = {
image = "ghcr.io/autobrr/autobrr:latest";
ports = [ "192.168.42.2:7474:7474" ];
environment = {
"TZ" = "Europe/Berlin";
};
volumes = [
"/var/lib/autobrr:/config"
];
extraOptions = [
"--network=ns:/var/run/netns/wg"
"--label=com.centurylinklabs.watchtower.enable=true"
"--label=io.containers.autoupdate=registry"
];
};
virtualisation.oci-containers.containers.omegabrr = {
image = "ghcr.io/autobrr/omegabrr:latest";
ports = [ "192.168.42.2:7441:7441" ];
volumes = [
"/var/lib/omegabrr:/config"
];
extraOptions = [
"--network=ns:/var/run/netns/wg"
"--label=com.centurylinklabs.watchtower.enable=true"
"--label=io.containers.autoupdate=registry"
];
};
systemd.services.podman-autobrr = {
bindsTo = [ "wg.service" ];
after = lib.mkForce [ "wg.service" ];
serviceConfig = {
TimeoutStopSec = lib.mkForce 10;
};
};
systemd.services.podman-omegabrr = {
bindsTo = [ "wg.service" ];
after = lib.mkForce [ "wg.service" ];
serviceConfig = {
TimeoutStopSec = lib.mkForce 10;
};
};
services.nginx.virtualHosts."autobrr.internal.kempkens.network" = {
quic = true;
http3 = true;
onlySSL = true;
useACMEHost = "internal.kempkens.network";
locations."/" = {
recommendedProxySettings = true;
proxyPass = "http://192.168.42.2:7474";
};
};
}

27
container/flaresolverr/default.nix
View file

@ -1,27 +0,0 @@
{ lib, ... }:
{
virtualisation.oci-containers.containers.flaresolverr = {
image = "ghcr.io/flaresolverr/flaresolverr:latest";
ports = [ "192.168.42.2:8191:8191" ];
environment = {
"HOST" = "192.168.42.2";
"PORT" = "8191";
"LOG_LEVEL" = "info";
};
extraOptions = [
"--network=ns:/var/run/netns/wg"
"--label=com.centurylinklabs.watchtower.enable=true"
"--label=io.containers.autoupdate=registry"
];
};
systemd.services.podman-flaresolverr = {
bindsTo = [ "wg.service" ];
after = lib.mkForce [ "wg.service" ];
serviceConfig = {
TimeoutStopSec = lib.mkForce 10;
};
};
}

18
flake.lock
View file

@ -253,11 +253,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1684741999, "lastModified": 1684788503,
"narHash": "sha256-KZLKsFZ6cLjCdCNKZoT8bc1y+rYBuFgKatmIB38zqy4=", "narHash": "sha256-ewr/8U0/iCs8K+MP5Fw9Q1IQ1Pt57ZgC2k/dg1c+CMk=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "ba006d7cca2cb871c6a31bdbc130c05cde5ca8e8", "rev": "d9995d94f194955d1f1af0e1ad5866a904196c20",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -300,11 +300,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1684743638, "lastModified": 1684800269,
"narHash": "sha256-S+qJm+KEP9MM6VHmp8613x3e4xcZ0584NjFNxjS+dW0=", "narHash": "sha256-xVzKIpw8a/VdZKRZUK7qwTQMTH6MO+ozme4Vmw9xgSA=",
"owner": "nifoc", "owner": "nifoc",
"repo": "nix-overlay", "repo": "nix-overlay",
"rev": "801010f1d3b6352992ff6e32cfdbe169e81bcb5c", "rev": "7566d2108487b63894e0437cc47926c446907994",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -315,11 +315,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1684698729, "lastModified": 1684724044,
"narHash": "sha256-eFX+g0JNHYDuoGq3XvT+360UDIzRGFWcHh0il6rGz7g=", "narHash": "sha256-OysG4ORx60BcUyBVClbOBVybqZ4Ep8Xh8EIDvNam4WU=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "9356eead97d8d16956b0226d78f76bd66e06cb60", "rev": "b31c968ff28927d477eed85012e8090578c70852",
"type": "github" "type": "github"
}, },
"original": { "original": {

12
home/programs/nvim/plugins.nix
View file

@ -308,12 +308,12 @@ in
}; };
friendly-snippets = buildVimPluginFrom2Nix { friendly-snippets = buildVimPluginFrom2Nix {
pname = "friendly-snippets"; pname = "friendly-snippets";
version = "2023-05-21"; version = "2023-05-23";
src = fetchFromGitHub { src = fetchFromGitHub {
owner = "rafamadriz"; owner = "rafamadriz";
repo = "friendly-snippets"; repo = "friendly-snippets";
rev = "2bb3958e1fe0a613e028f3c6fd2d2923fc23bd0c"; rev = "ef6547d2f586e08e071efeebac835e545f3015cc";
sha256 = "1nlbm7ji73ggg48pzvlbb32jfscnj71bgfzg4q1p3zfvssisz85c"; sha256 = "0xjcnx787kc1xc259czwn6masym2v2r4ixjb772cb3lb5bn9v73q";
fetchSubmodules = false; fetchSubmodules = false;
}; };
}; };
@ -473,12 +473,12 @@ in
}; };
nvim-surround = buildVimPluginFrom2Nix { nvim-surround = buildVimPluginFrom2Nix {
pname = "nvim-surround"; pname = "nvim-surround";
version = "2023-04-30"; version = "2023-05-22";
src = fetchFromGitHub { src = fetchFromGitHub {
owner = "kylechui"; owner = "kylechui";
repo = "nvim-surround"; repo = "nvim-surround";
rev = "219bd66585aa467b1c90fd01b54a2a423aaed4ab"; rev = "26b5067c3b56815eafbf41b7b830f1ab52819a45";
sha256 = "0aximc9fiicmhxkqrazjsqfr9mqw7llnfdc778acn5rkhwj1xms9"; sha256 = "17r7klq852wq3kwhjlpc6a5k6d6h4bm8rf9ivjxgc7b4whiris5n";
fetchSubmodules = false; fetchSubmodules = false;
}; };
}; };

2
system/flakes/adsb-antenna.nix
View file

@ -47,6 +47,8 @@ rec {
hostname = "adsb-antenna"; hostname = "adsb-antenna";
sshUser = "root"; sshUser = "root";
remoteBuild = true; remoteBuild = true;
autoRollback = false;
magicRollback = false;
profiles.system = { profiles.system = {
path = deploy-rs.lib.${default-system}.activate.nixos system; path = deploy-rs.lib.${default-system}.activate.nixos system;

7
system/hosts/mediaserver.nix
View file

@ -22,10 +22,12 @@ in
../nixos/tailscale.nix ../nixos/tailscale.nix
../nixos/container.nix
../nixos/mediaserver-setup.nix ../nixos/mediaserver-setup.nix
(import ../nixos/wireguard-netns.nix (args // { inherit secret; })) (import ../nixos/wireguard-netns.nix (args // { inherit secret; }))
(import ../nixos/wireguard-firewall-mediaserver.nix (args // { inherit secret; })) (import ../nixos/wireguard-firewall-mediaserver.nix (args // { inherit secret; }))
../nixos/prowlarr.nix ../nixos/prowlarr.nix
../nixos/autobrr.nix
../nixos/unpackerr.nix ../nixos/unpackerr.nix
../nixos/sonarr.nix ../nixos/sonarr.nix
../nixos/radarr.nix ../nixos/radarr.nix
@ -34,10 +36,9 @@ in
../nixos/jellyfin.nix ../nixos/jellyfin.nix
../nixos/aria2.nix ../nixos/aria2.nix
../nixos/container.nix ../nixos/convos.nix
../../container/tubearchivist ../../container/tubearchivist
../../container/autobrr
../../container/flaresolverr
../../secret/container/additional-media ../../secret/container/additional-media
]; ];

80
system/nixos/autobrr.nix Normal file
View file

@ -0,0 +1,80 @@
{ lib, ... }:
{
systemd.tmpfiles.rules = [
"d /var/lib/autobrr 0755 root root"
"d /var/lib/omegabrr 0755 root root"
];
virtualisation.oci-containers.containers = {
autobrr = {
image = "ghcr.io/autobrr/autobrr:latest";
ports = [ "192.168.42.2:7474:7474" ];
environment = {
"TZ" = "Europe/Berlin";
};
volumes = [
"/var/lib/autobrr:/config"
];
extraOptions = [
"--network=ns:/var/run/netns/wg"
"--label=com.centurylinklabs.watchtower.enable=true"
"--label=io.containers.autoupdate=registry"
];
};
omegabrr = {
image = "ghcr.io/autobrr/omegabrr:latest";
ports = [ "192.168.42.2:7441:7441" ];
volumes = [
"/var/lib/omegabrr:/config"
];
extraOptions = [
"--network=ns:/var/run/netns/wg"
"--label=com.centurylinklabs.watchtower.enable=true"
"--label=io.containers.autoupdate=registry"
];
};
};
systemd.services.podman-autobrr =
let
depends = [ "podman-sonarr.service" "podman-radarr.service" ];
in
{
requires = lib.mkAfter depends;
bindsTo = [ "wg.service" ];
after = lib.mkForce ([ "wg.service" ] ++ depends);
serviceConfig = {
TimeoutStopSec = lib.mkForce 10;
};
};
systemd.services.podman-omegabrr =
let
depends = [ "podman-autobrr.service" ];
in
{
requires = lib.mkAfter depends;
bindsTo = [ "wg.service" ];
after = lib.mkForce ([ "wg.service" ] ++ depends);
serviceConfig = {
TimeoutStopSec = lib.mkForce 10;
};
};
services.nginx.virtualHosts."autobrr.internal.kempkens.network" = {
quic = true;
http3 = true;
onlySSL = true;
useACMEHost = "internal.kempkens.network";
locations."/" = {
recommendedProxySettings = true;
proxyPass = "http://192.168.42.2:7474";
};
};
}

51
system/nixos/convos.nix Normal file
View file

@ -0,0 +1,51 @@
{ pkgs, lib, ... }:
{
systemd.tmpfiles.rules = [
"d /var/lib/convos 0755 root root"
];
virtualisation.oci-containers.containers.convos = {
image = "docker.io/convos/convos:stable";
ports = [ "192.168.42.2:3000:3000" ];
environment = {
"CONVOS_REVERSE_PROXY" = "1";
"TZ" = "Etc/UTC";
};
volumes = [
"/var/lib/convos:/data"
];
extraOptions = [
"--network=ns:/var/run/netns/wg"
"--label=com.centurylinklabs.watchtower.enable=true"
"--label=io.containers.autoupdate=registry"
];
};
systemd.services.podman-convos = {
bindsTo = [ "wg.service" ];
after = lib.mkForce [ "wg.service" ];
serviceConfig = {
TimeoutStopSec = lib.mkForce 5;
};
};
services.nginx.virtualHosts."convos.internal.kempkens.network" = {
quic = true;
http3 = true;
onlySSL = true;
useACMEHost = "internal.kempkens.network";
locations."/" = {
recommendedProxySettings = true;
proxyPass = "http://192.168.42.2:3000";
proxyWebsockets = true;
extraConfig = ''
proxy_set_header X-Request-Base "$scheme://$host/";
'';
};
};
}

27
system/nixos/prowlarr.nix
View file

@ -1,21 +1,30 @@
{ pkgs, lib, ... }: { pkgs, lib, ... }:
{ {
services.prowlarr = { virtualisation.oci-containers.containers.prowlarr = {
enable = true; image = "lscr.io/linuxserver/prowlarr:latest";
openFirewall = false; ports = [ "192.168.42.2:9696:9696" ];
environment = {
"PUID" = "1001";
"PGID" = "2001";
"TZ" = "Etc/UTC";
};
volumes = [
"/var/lib/prowlarr:/config"
];
extraOptions = [
"--network=ns:/var/run/netns/wg"
"--label=com.centurylinklabs.watchtower.enable=true"
"--label=io.containers.autoupdate=registry"
];
}; };
systemd.services.prowlarr = { systemd.services.podman-prowlarr = {
bindsTo = [ "wg.service" ]; bindsTo = [ "wg.service" ];
after = lib.mkForce [ "wg.service" ]; after = lib.mkForce [ "wg.service" ];
serviceConfig = { serviceConfig = {
NetworkNamespacePath = "/var/run/netns/wg"; TimeoutStopSec = lib.mkForce 5;
BindReadOnlyPaths = [
"/etc/netns/wg/resolv.conf:/etc/resolv.conf:norbind"
"/etc/netns/wg/nsswitch.conf:/etc/nsswitch.conf:norbind"
];
}; };
}; };

47
system/nixos/qbittorrent.nix
View file

@ -1,32 +1,45 @@
{ pkgs, ... }: { pkgs, lib, ... }:
{ {
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"d /var/lib/qbittorrent 0750 media_user media_group" "d /var/lib/qbittorrent 0750 media_user media_group"
]; ];
systemd.services.qbittorrent = virtualisation.oci-containers.containers.qbittorrent = {
image = "lscr.io/linuxserver/qbittorrent:latest";
ports = [ "192.168.42.2:8071:8071" ];
environment = {
"PUID" = "1001";
"PGID" = "2001";
"TZ" = "Etc/UTC";
"WEBUI_PORT" = "8071";
};
volumes = [
"/var/lib/qbittorrent:/config"
"/mnt/downloads:/mnt/downloads"
"${pkgs.vuetorrent}/share:/usr/local/share/vuetorrent"
];
extraOptions = [
"--network=ns:/var/run/netns/wg"
"--cap-add=CAP_NET_RAW"
"--label=com.centurylinklabs.watchtower.enable=true"
"--label=io.containers.autoupdate=registry"
];
};
systemd.services.podman-qbittorrent =
let let
mounts = [ "mnt-downloads.mount" ]; mounts = [
"mnt-downloads.mount"
];
in in
{ {
description = "qbittorrent instance"; requires = lib.mkAfter mounts;
requires = mounts;
bindsTo = [ "wg.service" ]; bindsTo = [ "wg.service" ];
after = [ "wg.service" ] ++ mounts; after = lib.mkForce ([ "wg.service" ] ++ mounts);
wantedBy = [ "multi-user.target" ];
serviceConfig = { serviceConfig = {
Type = "exec"; TimeoutStopSec = lib.mkForce 10;
User = "media_user";
Group = "media_group";
NetworkNamespacePath = "/var/run/netns/wg";
BindReadOnlyPaths = [
"/etc/netns/wg/resolv.conf:/etc/resolv.conf:norbind"
"/etc/netns/wg/nsswitch.conf:/etc/nsswitch.conf:norbind"
];
ExecStart = "${pkgs.qbittorrent-nox}/bin/qbittorrent-nox --profile=/var/lib/qbittorrent --webui-port=8071";
AmbientCapabilities = [ "CAP_NET_RAW" ];
}; };
}; };

40
system/nixos/radarr.nix
View file

@ -1,31 +1,45 @@
{ pkgs, lib, ... }: { pkgs, lib, ... }:
{ {
services.radarr = { virtualisation.oci-containers.containers.radarr = {
enable = true; image = "lscr.io/linuxserver/radarr:latest";
user = "media_user"; ports = [ "192.168.42.2:7878:7878" ];
group = "media_group"; environment = {
openFirewall = false; "PUID" = "1001";
"PGID" = "2001";
"TZ" = "Etc/UTC";
};
volumes = [
"/var/lib/radarr/.config/Radarr:/config"
"/mnt/downloads:/mnt/downloads"
"/mnt/media/Movies:/mnt/media/Movies"
];
extraOptions = [
"--network=ns:/var/run/netns/wg"
"--label=com.centurylinklabs.watchtower.enable=true"
"--label=io.containers.autoupdate=registry"
];
}; };
systemd.services.radarr = systemd.services.podman-radarr =
let let
mounts = [ mounts = [
"mnt-media-Movies.mount" "mnt-media-Movies.mount"
"mnt-downloads.mount" "mnt-downloads.mount"
]; ];
depends = [
"podman-sabnzbd.service"
"podman-qbittorrent.service"
];
in in
{ {
requires = mounts; requires = lib.mkAfter (mounts ++ depends);
bindsTo = [ "wg.service" ]; bindsTo = [ "wg.service" ];
after = lib.mkForce ([ "wg.service" ] ++ mounts); after = lib.mkForce ([ "wg.service" ] ++ mounts ++ depends);
serviceConfig = { serviceConfig = {
NetworkNamespacePath = "/var/run/netns/wg"; TimeoutStopSec = lib.mkForce 5;
BindReadOnlyPaths = [
"/etc/netns/wg/resolv.conf:/etc/resolv.conf:norbind"
"/etc/netns/wg/nsswitch.conf:/etc/nsswitch.conf:norbind"
];
}; };
}; };

45
system/nixos/sabnzbd.nix
View file

@ -1,33 +1,42 @@
{ pkgs, ... }: { pkgs, lib, ... }:
{ {
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"d /var/lib/sabnzbd 0750 media_user media_group" "d /var/lib/sabnzbd 0750 media_user media_group"
]; ];
# The nix-provided options force a sabnzbd-user to a certain degree virtualisation.oci-containers.containers.sabnzbd = {
systemd.services.sabnzbd = image = "lscr.io/linuxserver/sabnzbd:latest";
ports = [ "192.168.42.2:8080:8080" ];
environment = {
"PUID" = "1001";
"PGID" = "2001";
"TZ" = "Etc/UTC";
};
volumes = [
"/var/lib/sabnzbd:/config"
"/mnt/downloads:/mnt/downloads"
];
extraOptions = [
"--network=ns:/var/run/netns/wg"
"--label=com.centurylinklabs.watchtower.enable=true"
"--label=io.containers.autoupdate=registry"
];
};
systemd.services.podman-sabnzbd =
let let
mounts = [ "mnt-downloads.mount" ]; mounts = [
"mnt-downloads.mount"
];
in in
{ {
description = "sabnzbd server"; requires = lib.mkAfter mounts;
requires = mounts;
bindsTo = [ "wg.service" ]; bindsTo = [ "wg.service" ];
after = [ "wg.service" ] ++ mounts; after = lib.mkForce ([ "wg.service" ] ++ mounts);
wantedBy = [ "multi-user.target" ];
serviceConfig = { serviceConfig = {
Type = "forking"; TimeoutStopSec = lib.mkForce 10;
GuessMainPID = "no";
User = "media_user";
Group = "media_group";
NetworkNamespacePath = "/var/run/netns/wg";
BindReadOnlyPaths = [
"/etc/netns/wg/resolv.conf:/etc/resolv.conf:norbind"
"/etc/netns/wg/nsswitch.conf:/etc/nsswitch.conf:norbind"
];
ExecStart = "${pkgs.sabnzbd}/bin/sabnzbd -d -f /var/lib/sabnzbd/sabnzbd.ini";
}; };
}; };

35
system/nixos/sonarr.nix
View file

@ -1,14 +1,29 @@
{ pkgs, lib, ... }: { pkgs, lib, ... }:
{ {
services.sonarr = { virtualisation.oci-containers.containers.sonarr = {
enable = true; image = "lscr.io/linuxserver/sonarr:latest";
user = "media_user"; ports = [ "192.168.42.2:8989:8989" ];
group = "media_group"; environment = {
openFirewall = false; "PUID" = "1001";
"PGID" = "2001";
"TZ" = "Etc/UTC";
};
volumes = [
"/var/lib/sonarr/.config/NzbDrone:/config"
"/mnt/downloads:/mnt/downloads"
"/mnt/media/TV Shows:/mnt/media/TV Shows"
"/mnt/media/Documentaries:/mnt/media/Documentaries"
"/mnt/media/Anime:/mnt/media/Anime"
];
extraOptions = [
"--network=ns:/var/run/netns/wg"
"--label=com.centurylinklabs.watchtower.enable=true"
"--label=io.containers.autoupdate=registry"
];
}; };
systemd.services.sonarr = systemd.services.podman-sonarr =
let let
mounts = [ mounts = [
"mnt-media-TV\\x20Shows.mount" "mnt-media-TV\\x20Shows.mount"
@ -18,16 +33,12 @@
]; ];
in in
{ {
requires = mounts; requires = lib.mkAfter mounts;
bindsTo = [ "wg.service" ]; bindsTo = [ "wg.service" ];
after = lib.mkForce ([ "wg.service" ] ++ mounts); after = lib.mkForce ([ "wg.service" ] ++ mounts);
serviceConfig = { serviceConfig = {
NetworkNamespacePath = "/var/run/netns/wg"; TimeoutStopSec = lib.mkForce 5;
BindReadOnlyPaths = [
"/etc/netns/wg/resolv.conf:/etc/resolv.conf:norbind"
"/etc/netns/wg/nsswitch.conf:/etc/nsswitch.conf:norbind"
];
}; };
}; };

25
system/nixos/wireguard-firewall-mediaserver.nix
View file

@ -20,7 +20,8 @@ let
startScript = writeShScript "wg-firewall-start" '' startScript = writeShScript "wg-firewall-start" ''
ip46tables -D INPUT -j wg-fw 2> /dev/null || true ip46tables -D INPUT -j wg-fw 2> /dev/null || true
for chain in wg-fw wg-fw-accept wg-fw-log-refuse wg-fw-refuse; do ip46tables -D OUTPUT -j wg-fw-out 2> /dev/null || true
for chain in wg-fw wg-fw-out wg-fw-accept wg-fw-log-refuse wg-fw-refuse; do
ip46tables -F "$chain" 2> /dev/null || true ip46tables -F "$chain" 2> /dev/null || true
ip46tables -X "$chain" 2> /dev/null || true ip46tables -X "$chain" 2> /dev/null || true
done done
@ -36,6 +37,8 @@ let
ip46tables -A wg-fw-log-refuse -m pkttype ! --pkt-type unicast -j wg-fw-refuse ip46tables -A wg-fw-log-refuse -m pkttype ! --pkt-type unicast -j wg-fw-refuse
ip46tables -A wg-fw-log-refuse -j wg-fw-refuse ip46tables -A wg-fw-log-refuse -j wg-fw-refuse
## IN
ip46tables -N wg-fw ip46tables -N wg-fw
ip46tables -A wg-fw -i lo -j wg-fw-accept ip46tables -A wg-fw -i lo -j wg-fw-accept
@ -43,6 +46,7 @@ let
ip46tables -A wg-fw -m conntrack --ctstate ESTABLISHED,RELATED -j wg-fw-accept ip46tables -A wg-fw -m conntrack --ctstate ESTABLISHED,RELATED -j wg-fw-accept
# Ports # Ports
ip46tables -A wg-fw -p tcp --dport 3000 -j wg-fw-accept -i vethwgns0
ip46tables -A wg-fw -p tcp --dport 6801 -j wg-fw-accept -i vethwgns0 ip46tables -A wg-fw -p tcp --dport 6801 -j wg-fw-accept -i vethwgns0
ip46tables -A wg-fw -p tcp --dport 7441 -j wg-fw-accept -i vethwgns0 ip46tables -A wg-fw -p tcp --dport 7441 -j wg-fw-accept -i vethwgns0
ip46tables -A wg-fw -p tcp --dport 7474 -j wg-fw-accept -i vethwgns0 ip46tables -A wg-fw -p tcp --dport 7474 -j wg-fw-accept -i vethwgns0
@ -63,26 +67,45 @@ let
ip6tables -A wg-fw -p icmpv6 -j wg-fw-accept ip6tables -A wg-fw -p icmpv6 -j wg-fw-accept
ip46tables -A wg-fw -j wg-fw-log-refuse ip46tables -A wg-fw -j wg-fw-log-refuse
## OUT
ip46tables -N wg-fw-out
# Block non-local traffic
iptables -A wg-fw-out -i vethwgns0 ! -d 192.168.42.0/24 -j wg-fw-refuse
ip6tables -A wg-fw-out -i vethwgns0 -j wg-fw-refuse
ip46tables -A wg-fw-out -j wg-fw-accept
## SETUP
ip46tables -A INPUT -j wg-fw ip46tables -A INPUT -j wg-fw
ip46tables -A OUTPUT -j wg-fw-out
''; '';
stopScript = writeShScript "wg-firewall-stop" '' stopScript = writeShScript "wg-firewall-stop" ''
ip46tables -D INPUT -j wg-drop 2>/dev/null || true ip46tables -D INPUT -j wg-drop 2>/dev/null || true
ip46tables -D OUTPUT -j wg-drop 2>/dev/null || true
ip46tables -D INPUT -j wg-fw 2>/dev/null || true ip46tables -D INPUT -j wg-fw 2>/dev/null || true
ip46tables -D OUTPUT -j wg-fw-out 2>/dev/null || true
''; '';
reloadScript = writeShScript "wg-firewall-reload" '' reloadScript = writeShScript "wg-firewall-reload" ''
ip46tables -D INPUT -j wg-drop 2>/dev/null || true ip46tables -D INPUT -j wg-drop 2>/dev/null || true
ip46tables -D OUTPUT -j wg-drop 2>/dev/null || true
ip46tables -F wg-drop 2>/dev/null || true ip46tables -F wg-drop 2>/dev/null || true
ip46tables -X wg-drop 2>/dev/null || true ip46tables -X wg-drop 2>/dev/null || true
ip46tables -N wg-drop ip46tables -N wg-drop
ip46tables -A wg-drop -j DROP ip46tables -A wg-drop -j DROP
ip46tables -A INPUT -j wg-drop ip46tables -A INPUT -j wg-drop
ip46tables -A OUTPUT -j wg-drop
if ${startScript}; then if ${startScript}; then
ip46tables -D INPUT -j wg-drop 2>/dev/null || true ip46tables -D INPUT -j wg-drop 2>/dev/null || true
ip46tables -D OUTPUT -j wg-drop 2>/dev/null || true
else else
echo "Failed to reload firewall... Stopping" echo "Failed to reload firewall... Stopping"
${stopScript} ${stopScript}

4
system/nixos/wireguard-netns.nix
View file

@ -1,4 +1,4 @@
{ pkgs, config, secret, ... }: { pkgs, lib, config, secret, ... }:
{ {
environment.systemPackages = with pkgs; [ ldns tcpdump wireguard-tools ]; environment.systemPackages = with pkgs; [ ldns tcpdump wireguard-tools ];
@ -17,7 +17,7 @@
group: files [success=merge] systemd group: files [success=merge] systemd
shadow: files shadow: files
hosts: files mymachines myhostname dns hosts: dns [!UNAVAIL=return] files
networks: files networks: files
ethers: files ethers: files