leonetienne/stormwind-nixfiles
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
964131901a82b1b6143a3b95a81e30a121a8f490
stormwind-nixfiles/networking.nix

177 lines
4.2 KiB
Nix
Raw Normal View History

initial commit
2025-01-13 00:46:22 +01:00
{ config, ... }:
{
networking = {
hostName = "Stormwind";
drives helix and broot
2025-04-07 12:45:31 +02:00
networkmanager.enable = false;
implement local nat for truenas
2025-01-13 23:43:39 +01:00
firewall = {
add homeassistant webui port to allowed ports in firewall
2025-07-30 12:00:48 +02:00
allowedTCPPorts = [ 80 443 8123 20 21 22 2223 990 989 445 111 2049 32765 32768 20048 ];
drives helix and broot
2025-04-07 12:45:31 +02:00
allowedUDPPorts = [ 111 2049 20048 32765 32768 ];
cleanup network config
2025-07-31 08:59:16 +02:00
trustedInterfaces = [ "incusbr0" ];
implement local nat for truenas
2025-01-13 23:43:39 +01:00
};
cleanup network config
2025-07-31 08:59:16 +02:00
# heres the custom nftables filter ruleset for forwarded traffic:
nftables.ruleset = ''
table ip filter {
chain forward {
type filter hook forward priority 0; policy drop;
# allow established/related replies
ct state established,related accept
# allow new+established VM→Internet
iifname "incusbr0" oifname "enp4s0" ct state new,established accept
iifname "incusbr1" oifname "enp4s0" ct state new,established accept
# allow natted replies
iifname "enp4s0" oifname "incusbr0" tcp dport 8123 ct state new,established accept
iifname "enp4s0" oifname "incusbr0" tcp dport 80 ct state new,established accept
iifname "enp4s0" oifname "incusbr0" tcp dport 443 ct state new,established accept
}
}
'';
create special network for crusader which cannot ping lan
2025-07-22 10:25:34 +02:00
bridges = {
incusbr0 = {
interfaces = [];
};
incusbr1 = {
interfaces = [];
};
};
interfaces = {
incusbr0 = {
ipv4.addresses = [
{ address = "10.46.32.1"; prefixLength = 24; }
];
};
incusbr1 = {
ipv4.addresses = [
fix network settings for incusbr0 and add nat for home assistant to varian
2025-07-30 11:57:38 +02:00
{ address = "10.46.33.1"; prefixLength = 24; }
create special network for crusader which cannot ping lan
2025-07-22 10:25:34 +02:00
];
};
};
implement local nat for truenas
2025-01-13 23:43:39 +01:00
nat = {
enable = true;
create special network for crusader which cannot ping lan
2025-07-22 10:25:34 +02:00
internalInterfaces = [ "incusbr0" "incusbr1" ];
drives helix and broot
2025-04-07 12:45:31 +02:00
externalInterface = "enp4s0";
implement local nat for truenas
2025-01-13 23:43:39 +01:00
forwardPorts = [
fix network settings for incusbr0 and add nat for home assistant to varian
2025-07-30 11:57:38 +02:00
# Web-UI for home-assistant
{
sourcePort = 8123;
proto = "tcp";
destination = "10.46.32.153:8123";
}
# Web-UI for nas
implement local nat for truenas
2025-01-13 23:43:39 +01:00
{
sourcePort = 80;
proto = "tcp";
create special network for crusader which cannot ping lan
2025-07-22 10:25:34 +02:00
destination = "10.46.32.2:80";
implement local nat for truenas
2025-01-13 23:43:39 +01:00
}
{
sourcePort = 443;
proto = "tcp";
create special network for crusader which cannot ping lan
2025-07-22 10:25:34 +02:00
destination = "10.46.32.2:443";
drives helix and broot
2025-04-07 12:45:31 +02:00
}
# FTP
{
sourcePort = 20;
proto = "tcp";
create special network for crusader which cannot ping lan
2025-07-22 10:25:34 +02:00
destination = "10.46.32.2:20";
drives helix and broot
2025-04-07 12:45:31 +02:00
}
{
sourcePort = 21;
proto = "tcp";
create special network for crusader which cannot ping lan
2025-07-22 10:25:34 +02:00
destination = "10.46.32.2:21";
drives helix and broot
2025-04-07 12:45:31 +02:00
}
{
sourcePort = 22;
proto = "tcp";
create special network for crusader which cannot ping lan
2025-07-22 10:25:34 +02:00
destination = "10.46.32.2:22";
drives helix and broot
2025-04-07 12:45:31 +02:00
}
networking rulez
2025-07-02 08:37:50 +02:00
{
sourcePort = 2223;
proto = "tcp";
create special network for crusader which cannot ping lan
2025-07-22 10:25:34 +02:00
destination = "10.46.32.2:2223";
networking rulez
2025-07-02 08:37:50 +02:00
}
drives helix and broot
2025-04-07 12:45:31 +02:00
{
sourcePort = 990;
proto = "tcp";
create special network for crusader which cannot ping lan
2025-07-22 10:25:34 +02:00
destination = "10.46.32.2:990";
drives helix and broot
2025-04-07 12:45:31 +02:00
}
{
sourcePort = 989;
proto = "tcp";
create special network for crusader which cannot ping lan
2025-07-22 10:25:34 +02:00
destination = "10.46.32.2:989";
drives helix and broot
2025-04-07 12:45:31 +02:00
}
{
sourcePort = 21;
proto = "tcp";
create special network for crusader which cannot ping lan
2025-07-22 10:25:34 +02:00
destination = "10.46.32.2:21";
drives helix and broot
2025-04-07 12:45:31 +02:00
}
# SMB
{
sourcePort = 445;
proto = "tcp";
create special network for crusader which cannot ping lan
2025-07-22 10:25:34 +02:00
destination = "10.46.32.2:445";
drives helix and broot
2025-04-07 12:45:31 +02:00
}
# NFS
{
sourcePort = 111;
proto = "tcp";
create special network for crusader which cannot ping lan
2025-07-22 10:25:34 +02:00
destination = "10.46.32.2:111";
drives helix and broot
2025-04-07 12:45:31 +02:00
}
{
sourcePort = 111;
proto = "udp";
create special network for crusader which cannot ping lan
2025-07-22 10:25:34 +02:00
destination = "10.46.32.2:111";
drives helix and broot
2025-04-07 12:45:31 +02:00
}
{
sourcePort = 2049;
proto = "tcp";
create special network for crusader which cannot ping lan
2025-07-22 10:25:34 +02:00
destination = "10.46.32.2:2049";
drives helix and broot
2025-04-07 12:45:31 +02:00
}
{
sourcePort = 2049;
proto = "udp";
create special network for crusader which cannot ping lan
2025-07-22 10:25:34 +02:00
destination = "10.46.32.2:2049";
drives helix and broot
2025-04-07 12:45:31 +02:00
}
{
sourcePort = 32765;
proto = "tcp";
create special network for crusader which cannot ping lan
2025-07-22 10:25:34 +02:00
destination = "10.46.32.2:32765";
drives helix and broot
2025-04-07 12:45:31 +02:00
}
{
sourcePort = 32765;
proto = "udp";
create special network for crusader which cannot ping lan
2025-07-22 10:25:34 +02:00
destination = "10.46.32.2:32765";
drives helix and broot
2025-04-07 12:45:31 +02:00
}
{
sourcePort = 32768;
proto = "tcp";
create special network for crusader which cannot ping lan
2025-07-22 10:25:34 +02:00
destination = "10.46.32.2:32768";
drives helix and broot
2025-04-07 12:45:31 +02:00
}
{
sourcePort = 32768;
proto = "udp";
create special network for crusader which cannot ping lan
2025-07-22 10:25:34 +02:00
destination = "10.46.32.2:32768";
drives helix and broot
2025-04-07 12:45:31 +02:00
}
{
sourcePort = 20048;
proto = "tcp";
create special network for crusader which cannot ping lan
2025-07-22 10:25:34 +02:00
destination = "10.46.32.2:20048";
drives helix and broot
2025-04-07 12:45:31 +02:00
}
{
sourcePort = 20048;
proto = "udp";
create special network for crusader which cannot ping lan
2025-07-22 10:25:34 +02:00
destination = "10.46.32.2:20048";
implement local nat for truenas
2025-01-13 23:43:39 +01:00
}
];
};
initial commit
2025-01-13 00:46:22 +01:00
};
}
Reference in New Issue Copy Permalink