stormwind-nixfiles/networking.nix

{ config, ... }:

{
  networking = {
    hostName = "Stormwind";
    networkmanager.enable = false;

    nftables = {
      enable = true;
      ruleset = ''
          table ip nat {
            chain PREROUTING {
              type nat hook prerouting priority dstnat; policy accept;
              iifname "enp4s0" tcp dport 8123 dnat to 10.46.32.153:8123
              iifname "enp4s0" tcp dport 80 dnat to 10.46.32.2:80
              iifname "enp4s0" tcp dport 443 dnat to 10.46.32.2:443
              iifname "enp4s0" tcp dport 20 dnat to 10.46.32.2:20
              iifname "enp4s0" tcp dport 21 dnat to 10.46.32.2:21
              iifname "enp4s0" tcp dport 22 dnat to 10.46.32.2:22
              iifname "enp4s0" tcp dport 2223 dnat to 10.46.32.2:2223
              iifname "enp4s0" tcp dport 990 dnat to 10.46.32.2:990
              iifname "enp4s0" tcp dport 989 dnat to 10.46.32.2:989
              iifname "enp4s0" tcp dport 445 dnat to 10.46.32.2:445
              iifname "enp4s0" tcp dport 111 dnat to 10.46.32.2:111
              iifname "enp4s0" udp dport 111 dnat to 10.46.32.2:111
              iifname "enp4s0" tcp dport 2049 dnat to 10.46.32.2:2049
              iifname "enp4s0" udp dport 2049 dnat to 10.46.32.2:2049
              iifname "enp4s0" tcp dport 32765 dnat to 10.46.32.2:32765
              iifname "enp4s0" udp dport 32765 dnat to 10.46.32.2:32765
              iifname "enp4s0" tcp dport 32768 dnat to 10.46.32.2:32768
              iifname "enp4s0" udp dport 32768 dnat to 10.46.32.2:32768
              iifname "enp4s0" tcp dport 20048 dnat to 10.46.32.2:20048
              iifname "enp4s0" udp dport 20048 dnat to 10.46.32.2:20048
            }
          }
      '';
    };

    firewall = {
      allowedTCPPorts = [ 80 443 8123 20 21 22 2223 990 989 445 111 2049 32765 32768 20048 ];
      allowedUDPPorts = [ 111 2049 20048 32765 32768 ];
    };

    bridges = {
      incusbr0 = {
        interfaces = [];
      };
      incusbr1 = {
        interfaces = [];
      };
    };

    interfaces = {
      incusbr0 = {
        ipv4.addresses = [
          { address = "10.46.32.1"; prefixLength = 24; }
        ];
      };
      incusbr1 = {
        ipv4.addresses = [
          { address = "10.46.33.1"; prefixLength = 24; }
        ];
      };
    };

    nat = {
      enable = true;
      internalInterfaces = [ "incusbr0" "incusbr1" ];
      externalInterface = "enp4s0";
      forwardPorts = [
        # Web-UI for home-assistant
        {
          sourcePort = 8123;
          proto = "tcp";
          destination = "10.46.32.153:8123";
        }
        # Web-UI for nas
        {
          sourcePort = 80;
          proto = "tcp";
          destination = "10.46.32.2:80";
        }
        {
          sourcePort = 443;
          proto = "tcp";
          destination = "10.46.32.2:443";
        }
        # FTP
        {
          sourcePort = 20;
          proto = "tcp";
          destination = "10.46.32.2:20";
        }
        {
          sourcePort = 21;
          proto = "tcp";
          destination = "10.46.32.2:21";
        }
        {
          sourcePort = 22;
          proto = "tcp";
          destination = "10.46.32.2:22";
        }
        {
          sourcePort = 2223;
          proto = "tcp";
          destination = "10.46.32.2:2223";
        }
        {
          sourcePort = 990;
          proto = "tcp";
          destination = "10.46.32.2:990";
        }
        {
          sourcePort = 989;
          proto = "tcp";
          destination = "10.46.32.2:989";
        }
        {
          sourcePort = 21;
          proto = "tcp";
          destination = "10.46.32.2:21";
        }
        # SMB
        {
          sourcePort = 445;
          proto = "tcp";
          destination = "10.46.32.2:445";
        }
        # NFS
        {
          sourcePort = 111;
          proto = "tcp";
          destination = "10.46.32.2:111";
        }
        {
          sourcePort = 111;
          proto = "udp";
          destination = "10.46.32.2:111";
        }
        {
          sourcePort = 2049;
          proto = "tcp";
          destination = "10.46.32.2:2049";
        }
        {
          sourcePort = 2049;
          proto = "udp";
          destination = "10.46.32.2:2049";
        }
        {
          sourcePort = 32765;
          proto = "tcp";
          destination = "10.46.32.2:32765";
        }
        {
          sourcePort = 32765;
          proto = "udp";
          destination = "10.46.32.2:32765";
        }
        {
          sourcePort = 32768;
          proto = "tcp";
          destination = "10.46.32.2:32768";
        }
        {
          sourcePort = 32768;
          proto = "udp";
          destination = "10.46.32.2:32768";
        }
        {
          sourcePort = 20048;
          proto = "tcp";
          destination = "10.46.32.2:20048";
        }
        {
          sourcePort = 20048;
          proto = "udp";
          destination = "10.46.32.2:20048";
        }
      ];
    };
  };
}
initial commit 2025-01-13 00:46:22 +01:00			`{ config, ... }:`

			`{`
			`networking = {`
			`hostName = "Stormwind";`
drives helix and broot 2025-04-07 12:45:31 +02:00			`networkmanager.enable = false;`
implement local nat for truenas 2025-01-13 23:43:39 +01:00
			`nftables = {`
			`enable = true;`
			`ruleset = ''`
			`table ip nat {`
			`chain PREROUTING {`
			`type nat hook prerouting priority dstnat; policy accept;`
fix network settings for incusbr0 and add nat for home assistant to varian 2025-07-30 11:57:38 +02:00			`iifname "enp4s0" tcp dport 8123 dnat to 10.46.32.153:8123`
create special network for crusader which cannot ping lan 2025-07-22 10:25:34 +02:00			`iifname "enp4s0" tcp dport 80 dnat to 10.46.32.2:80`
			`iifname "enp4s0" tcp dport 443 dnat to 10.46.32.2:443`
			`iifname "enp4s0" tcp dport 20 dnat to 10.46.32.2:20`
			`iifname "enp4s0" tcp dport 21 dnat to 10.46.32.2:21`
			`iifname "enp4s0" tcp dport 22 dnat to 10.46.32.2:22`
			`iifname "enp4s0" tcp dport 2223 dnat to 10.46.32.2:2223`
			`iifname "enp4s0" tcp dport 990 dnat to 10.46.32.2:990`
			`iifname "enp4s0" tcp dport 989 dnat to 10.46.32.2:989`
			`iifname "enp4s0" tcp dport 445 dnat to 10.46.32.2:445`
			`iifname "enp4s0" tcp dport 111 dnat to 10.46.32.2:111`
			`iifname "enp4s0" udp dport 111 dnat to 10.46.32.2:111`
			`iifname "enp4s0" tcp dport 2049 dnat to 10.46.32.2:2049`
			`iifname "enp4s0" udp dport 2049 dnat to 10.46.32.2:2049`
			`iifname "enp4s0" tcp dport 32765 dnat to 10.46.32.2:32765`
			`iifname "enp4s0" udp dport 32765 dnat to 10.46.32.2:32765`
			`iifname "enp4s0" tcp dport 32768 dnat to 10.46.32.2:32768`
			`iifname "enp4s0" udp dport 32768 dnat to 10.46.32.2:32768`
			`iifname "enp4s0" tcp dport 20048 dnat to 10.46.32.2:20048`
			`iifname "enp4s0" udp dport 20048 dnat to 10.46.32.2:20048`
implement local nat for truenas 2025-01-13 23:43:39 +01:00			`}`
			`}`
			`'';`
			`};`

			`firewall = {`
add homeassistant webui port to allowed ports in firewall 2025-07-30 12:00:48 +02:00			`allowedTCPPorts = [ 80 443 8123 20 21 22 2223 990 989 445 111 2049 32765 32768 20048 ];`
drives helix and broot 2025-04-07 12:45:31 +02:00			`allowedUDPPorts = [ 111 2049 20048 32765 32768 ];`
implement local nat for truenas 2025-01-13 23:43:39 +01:00			`};`

create special network for crusader which cannot ping lan 2025-07-22 10:25:34 +02:00			`bridges = {`
			`incusbr0 = {`
			`interfaces = [];`
			`};`
			`incusbr1 = {`
			`interfaces = [];`
			`};`
			`};`

			`interfaces = {`
			`incusbr0 = {`
			`ipv4.addresses = [`
			`{ address = "10.46.32.1"; prefixLength = 24; }`
			`];`
			`};`
			`incusbr1 = {`
			`ipv4.addresses = [`
fix network settings for incusbr0 and add nat for home assistant to varian 2025-07-30 11:57:38 +02:00			`{ address = "10.46.33.1"; prefixLength = 24; }`
create special network for crusader which cannot ping lan 2025-07-22 10:25:34 +02:00			`];`
			`};`
			`};`

implement local nat for truenas 2025-01-13 23:43:39 +01:00			`nat = {`
			`enable = true;`
create special network for crusader which cannot ping lan 2025-07-22 10:25:34 +02:00			`internalInterfaces = [ "incusbr0" "incusbr1" ];`
drives helix and broot 2025-04-07 12:45:31 +02:00			`externalInterface = "enp4s0";`
implement local nat for truenas 2025-01-13 23:43:39 +01:00			`forwardPorts = [`
fix network settings for incusbr0 and add nat for home assistant to varian 2025-07-30 11:57:38 +02:00			`# Web-UI for home-assistant`
			`{`
			`sourcePort = 8123;`
			`proto = "tcp";`
			`destination = "10.46.32.153:8123";`
			`}`
			`# Web-UI for nas`
implement local nat for truenas 2025-01-13 23:43:39 +01:00			`{`
			`sourcePort = 80;`
			`proto = "tcp";`
create special network for crusader which cannot ping lan 2025-07-22 10:25:34 +02:00			`destination = "10.46.32.2:80";`
implement local nat for truenas 2025-01-13 23:43:39 +01:00			`}`
			`{`
			`sourcePort = 443;`
			`proto = "tcp";`
create special network for crusader which cannot ping lan 2025-07-22 10:25:34 +02:00			`destination = "10.46.32.2:443";`
drives helix and broot 2025-04-07 12:45:31 +02:00			`}`
			`# FTP`
			`{`
			`sourcePort = 20;`
			`proto = "tcp";`
create special network for crusader which cannot ping lan 2025-07-22 10:25:34 +02:00			`destination = "10.46.32.2:20";`
drives helix and broot 2025-04-07 12:45:31 +02:00			`}`
			`{`
			`sourcePort = 21;`
			`proto = "tcp";`
create special network for crusader which cannot ping lan 2025-07-22 10:25:34 +02:00			`destination = "10.46.32.2:21";`
drives helix and broot 2025-04-07 12:45:31 +02:00			`}`
			`{`
			`sourcePort = 22;`
			`proto = "tcp";`
create special network for crusader which cannot ping lan 2025-07-22 10:25:34 +02:00			`destination = "10.46.32.2:22";`
drives helix and broot 2025-04-07 12:45:31 +02:00			`}`
networking rulez 2025-07-02 08:37:50 +02:00			`{`
			`sourcePort = 2223;`
			`proto = "tcp";`
create special network for crusader which cannot ping lan 2025-07-22 10:25:34 +02:00			`destination = "10.46.32.2:2223";`
networking rulez 2025-07-02 08:37:50 +02:00			`}`
drives helix and broot 2025-04-07 12:45:31 +02:00			`{`
			`sourcePort = 990;`
			`proto = "tcp";`
create special network for crusader which cannot ping lan 2025-07-22 10:25:34 +02:00			`destination = "10.46.32.2:990";`
drives helix and broot 2025-04-07 12:45:31 +02:00			`}`
			`{`
			`sourcePort = 989;`
			`proto = "tcp";`
create special network for crusader which cannot ping lan 2025-07-22 10:25:34 +02:00			`destination = "10.46.32.2:989";`
drives helix and broot 2025-04-07 12:45:31 +02:00			`}`
			`{`
			`sourcePort = 21;`
			`proto = "tcp";`
create special network for crusader which cannot ping lan 2025-07-22 10:25:34 +02:00			`destination = "10.46.32.2:21";`
drives helix and broot 2025-04-07 12:45:31 +02:00			`}`
			`# SMB`
			`{`
			`sourcePort = 445;`
			`proto = "tcp";`
create special network for crusader which cannot ping lan 2025-07-22 10:25:34 +02:00			`destination = "10.46.32.2:445";`
drives helix and broot 2025-04-07 12:45:31 +02:00			`}`
			`# NFS`
			`{`
			`sourcePort = 111;`
			`proto = "tcp";`
create special network for crusader which cannot ping lan 2025-07-22 10:25:34 +02:00			`destination = "10.46.32.2:111";`
drives helix and broot 2025-04-07 12:45:31 +02:00			`}`
			`{`
			`sourcePort = 111;`
			`proto = "udp";`
create special network for crusader which cannot ping lan 2025-07-22 10:25:34 +02:00			`destination = "10.46.32.2:111";`
drives helix and broot 2025-04-07 12:45:31 +02:00			`}`
			`{`
			`sourcePort = 2049;`
			`proto = "tcp";`
create special network for crusader which cannot ping lan 2025-07-22 10:25:34 +02:00			`destination = "10.46.32.2:2049";`
drives helix and broot 2025-04-07 12:45:31 +02:00			`}`
			`{`
			`sourcePort = 2049;`
			`proto = "udp";`
create special network for crusader which cannot ping lan 2025-07-22 10:25:34 +02:00			`destination = "10.46.32.2:2049";`
drives helix and broot 2025-04-07 12:45:31 +02:00			`}`
			`{`
			`sourcePort = 32765;`
			`proto = "tcp";`
create special network for crusader which cannot ping lan 2025-07-22 10:25:34 +02:00			`destination = "10.46.32.2:32765";`
drives helix and broot 2025-04-07 12:45:31 +02:00			`}`
			`{`
			`sourcePort = 32765;`
			`proto = "udp";`
create special network for crusader which cannot ping lan 2025-07-22 10:25:34 +02:00			`destination = "10.46.32.2:32765";`
drives helix and broot 2025-04-07 12:45:31 +02:00			`}`
			`{`
			`sourcePort = 32768;`
			`proto = "tcp";`
create special network for crusader which cannot ping lan 2025-07-22 10:25:34 +02:00			`destination = "10.46.32.2:32768";`
drives helix and broot 2025-04-07 12:45:31 +02:00			`}`
			`{`
			`sourcePort = 32768;`
			`proto = "udp";`
create special network for crusader which cannot ping lan 2025-07-22 10:25:34 +02:00			`destination = "10.46.32.2:32768";`
drives helix and broot 2025-04-07 12:45:31 +02:00			`}`
			`{`
			`sourcePort = 20048;`
			`proto = "tcp";`
create special network for crusader which cannot ping lan 2025-07-22 10:25:34 +02:00			`destination = "10.46.32.2:20048";`
drives helix and broot 2025-04-07 12:45:31 +02:00			`}`
			`{`
			`sourcePort = 20048;`
			`proto = "udp";`
create special network for crusader which cannot ping lan 2025-07-22 10:25:34 +02:00			`destination = "10.46.32.2:20048";`
implement local nat for truenas 2025-01-13 23:43:39 +01:00			`}`
			`];`
			`};`
initial commit 2025-01-13 00:46:22 +01:00			`};`
			`}`