leonetienne/stormwind-nixfiles
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: leonetienne:62307984f5435b4a5c9709c35fae576169f7b55d
Branches Tags
leonetienne:master
..
compare: leonetienne:master
Branches Tags
leonetienne:master

2 Commits
62307984f5 ... master

Author SHA1 Message Date
RootHost-Stormwind
307db6c3a2 finalize netconfig simplification 2026-01-26 23:34:48 +01:00
RootHost-Stormwind
03a75c33e9 realize l2 bridge utilization in vhosts 2026-01-26 21:06:13 +01:00
4 changed files with 36 additions and 237 deletions
Expand all files Collapse all files

2
drives.nix
View File

@@ -6,7 +6,7 @@
# fsType = "nfs"; # fsType = "nfs";
#}; #};
"/mnt/nethergarde/leonhome" = { "/mnt/nethergarde/leonhome" = {
device = "10.46.32.2:/mnt/Nethergarde/Home"; device = "192.168.0.16:/mnt/Nethergarde/Home";
fsType = "nfs"; fsType = "nfs";
}; };
#"/mnt/nethergarde/bigdata" = { #"/mnt/nethergarde/bigdata" = {

7
hardware-configuration.nix
View File

@@ -39,7 +39,12 @@
RUN+="/bin/sh -c 'modprobe ahci; echo 0000:08:00.0 > /sys/bus/pci/drivers_probe'" RUN+="/bin/sh -c 'modprobe ahci; echo 0000:08:00.0 > /sys/bus/pci/drivers_probe'"
''; '';
boot.kernel.sysctl."net.ipv4.conf.all.forwarding" = true; boot.kernel.sysctl = {
"net.ipv4.conf.all.forwarding" = true;
"net.bridge.bridge-nf-call-iptables" = 0;
"net.bridge.bridge-nf-call-ip6tables" = 0;
"net.bridge.bridge-nf-call-arptables" = 0;
};
swapDevices = swapDevices =
[ { device = "/dev/disk/by-uuid/7e34cdc3-bd48-435a-8ea2-e1fe43926262"; } [ { device = "/dev/disk/by-uuid/7e34cdc3-bd48-435a-8ea2-e1fe43926262"; }

40
incus.nix
View File

@@ -3,29 +3,41 @@
{ {
virtualisation.incus.enable = true; virtualisation.incus.enable = true;
networking = { networking = {
nftables.enable = true; nftables = {
firewall = { enable = true;
trustedInterfaces = [ "incusbr1" ]; ruleset = ''
filterForward = true; table inet crusader_isolation {
chain fwd_pre {
type filter hook forward priority -200; policy accept;
extraForwardRules = '' # Crusader-Netz darf NICHT ins LAN
# if crusader tries to go to varian or truenas, BLOCK iifname "incusbr1" ip daddr 192.168.0.0/16 drop
iifname "incusbr1" oifname "incusbr0" drop }
iifname "incusbr1" oifname "incusbr2" ip daddr 192.168.0.0/16 drop }
''; '';
}
firewall = {
trustedInterfaces = [ "incusbr2" ];
filterForward = false;
interfaces = { interfaces = {
incusbr0 = {
allowedTCPPorts = [ 53 67 ];
allowedUDPPorts = [ 53 67 ];
};
incusbr1 = { incusbr1 = {
allowedTCPPorts = [ 53 ]; allowedTCPPorts = [ 53 ];
allowedUDPPorts = [ 53 67 68 ]; allowedUDPPorts = [
53
67
68
41641 # Tailscale / WireGuard
];
};
}; };
}; };
nat = {
enable = true;
externalInterface = "incusbr2";
internalInterfaces = [ "incusbr1" ];
internalIPs = [ "10.46.33.0/24" ];
}; };
}; };

222
networking.nix
View File

@@ -9,63 +9,11 @@
firewall = { firewall = {
enable = true; enable = true;
allowedTCPPorts = [ 80 443 8123 1883 8883 9001 20 21 50000 50001 50002 50003 50004 50005 22 2222 2223 990 989 445 111 2049 32765 32768 20048 ]; allowedTCPPorts = [ 53 2222 ];
allowedUDPPorts = [ 111 2049 20048 32765 32768 ]; allowedUDPPorts = [ 53 67 68 ];
trustedInterfaces = [ "incusbr0" "incusbr2" ];
}; };
nftables.ruleset = ''
table ip filter {
chain forward {
type filter hook forward priority 0; policy drop;
# allow established/related replies
ct state established,related accept
# allow new+established VMInternet
iifname "incusbr0" oifname "incusbr2" ct state new,established accept
iifname "incusbr1" oifname "incusbr2" ct state new,established accept
# allow vm to vm communication
iifname "tap*" oifname "tap*" accept
# allow natted replies
iifname "incusbr2" oifname "incusbr0" tcp dport 8123 ct state new,established accept
iifname "incusbr2" oifname "incusbr0" tcp dport 80 ct state new,established accept
iifname "incusbr2" oifname "incusbr0" tcp dport 443 ct state new,established accept
iifname "incusbr2" oifname "incusbr0" tcp dport 1883 ct state new,established accept
iifname "incusbr2" oifname "incusbr0" tcp dport 8883 ct state new,established accept
iifname "incusbr2" oifname "incusbr0" tcp dport 9001 ct state new,established accept
iifname "incusbr2" oifname "incusbr0" tcp dport 20 ct state new,established accept
iifname "incusbr2" oifname "incusbr0" tcp dport 21 ct state new,established accept
iifname "incusbr2" oifname "incusbr0" tcp dport 50000 ct state new,established accept
iifname "incusbr2" oifname "incusbr0" tcp dport 50001 ct state new,established accept
iifname "incusbr2" oifname "incusbr0" tcp dport 50002 ct state new,established accept
iifname "incusbr2" oifname "incusbr0" tcp dport 50003 ct state new,established accept
iifname "incusbr2" oifname "incusbr0" tcp dport 50004 ct state new,established accept
iifname "incusbr2" oifname "incusbr0" tcp dport 50005 ct state new,established accept
iifname "incusbr2" oifname "incusbr0" tcp dport 22 ct state new,established accept
iifname "incusbr2" oifname "incusbr0" tcp dport 2223 ct state new,established accept
iifname "incusbr2" oifname "incusbr0" tcp dport 990 ct state new,established accept
iifname "incusbr2" oifname "incusbr0" tcp dport 989 ct state new,established accept
iifname "incusbr2" oifname "incusbr0" tcp dport 445 ct state new,established accept
iifname "incusbr2" oifname "incusbr0" tcp dport 111 ct state new,established accept
iifname "incusbr2" oifname "incusbr0" udp dport 111 ct state new,established accept
iifname "incusbr2" oifname "incusbr0" tcp dport 2049 ct state new,established accept
iifname "incusbr2" oifname "incusbr0" udp dport 2049 ct state new,established accept
iifname "incusbr2" oifname "incusbr0" tcp dport 32765 ct state new,established accept
iifname "incusbr2" oifname "incusbr0" udp dport 32765 ct state new,established accept
iifname "incusbr2" oifname "incusbr0" tcp dport 32768 ct state new,established accept
iifname "incusbr2" oifname "incusbr0" udp dport 32768 ct state new,established accept
iifname "incusbr2" oifname "incusbr0" tcp dport 20048 ct state new,established accept
iifname "incusbr2" oifname "incusbr0" udp dport 20048 ct state new,established accept
}
}
'';
bridges = { bridges = {
incusbr0 = {
interfaces = [];
};
incusbr1 = { incusbr1 = {
interfaces = []; interfaces = [];
}; };
@@ -75,11 +23,6 @@
}; };
interfaces = { interfaces = {
incusbr0 = {
ipv4.addresses = [
{ address = "10.46.32.1"; prefixLength = 24; }
];
};
incusbr1 = { incusbr1 = {
ipv4.addresses = [ ipv4.addresses = [
{ address = "10.46.33.1"; prefixLength = 24; } { address = "10.46.33.1"; prefixLength = 24; }
@@ -90,7 +33,6 @@
{ address = "192.168.0.19"; prefixLength = 24; } { address = "192.168.0.19"; prefixLength = 24; }
]; ];
macAddress = "2c:fd:a1:c1:13:b0"; macAddress = "2c:fd:a1:c1:13:b0";
mtu = 1280;
}; };
}; };
@@ -98,166 +40,6 @@
address = "192.168.0.1"; address = "192.168.0.1";
interface = "incusbr2"; interface = "incusbr2";
}; };
nat = {
enable = true;
internalInterfaces = [ "incusbr0" "incusbr1" ];
externalInterface = "incusbr2";
forwardPorts = [
# Web-UI for home-assistant
{
sourcePort = 8123;
proto = "tcp";
destination = "10.46.32.153:8123";
}
# Web-UI for nas
{
sourcePort = 80;
proto = "tcp";
destination = "10.46.32.2:80";
}
{
sourcePort = 443;
proto = "tcp";
destination = "10.46.32.2:443";
}
# MQTT
{
sourcePort = 1883;
proto = "tcp";
destination = "10.46.32.153:1883";
}
{
sourcePort = 8883;
proto = "tcp";
destination = "10.46.32.153:8883";
}
{
sourcePort = 9001;
proto = "tcp";
destination = "10.46.32.153:9001";
}
# FTP
{
sourcePort = 20;
proto = "tcp";
destination = "10.46.32.2:20";
}
{
sourcePort = 21;
proto = "tcp";
destination = "10.46.32.2:21";
}
# FTP Passive Ports
{
sourcePort = 50000;
proto = "tcp";
destination = "10.46.32.2:50000";
}
{
sourcePort = 50001;
proto = "tcp";
destination = "10.46.32.2:50001";
}
{
sourcePort = 50002;
proto = "tcp";
destination = "10.46.32.2:50002";
}
{
sourcePort = 50003;
proto = "tcp";
destination = "10.46.32.2:50003";
}
{
sourcePort = 50004;
proto = "tcp";
destination = "10.46.32.2:50004";
}
{
sourcePort = 50005;
proto = "tcp";
destination = "10.46.32.2:50005";
}
{
sourcePort = 22;
proto = "tcp";
destination = "10.46.32.2:22";
}
{
sourcePort = 2223;
proto = "tcp";
destination = "10.46.32.2:2223";
}
{
sourcePort = 990;
proto = "tcp";
destination = "10.46.32.2:990";
}
{
sourcePort = 989;
proto = "tcp";
destination = "10.46.32.2:989";
}
# SMB
{
sourcePort = 445;
proto = "tcp";
destination = "10.46.32.2:445";
}
# NFS
{
sourcePort = 111;
proto = "tcp";
destination = "10.46.32.2:111";
}
{
sourcePort = 111;
proto = "udp";
destination = "10.46.32.2:111";
}
{
sourcePort = 2049;
proto = "tcp";
destination = "10.46.32.2:2049";
}
{
sourcePort = 2049;
proto = "udp";
destination = "10.46.32.2:2049";
}
{
sourcePort = 32765;
proto = "tcp";
destination = "10.46.32.2:32765";
}
{
sourcePort = 32765;
proto = "udp";
destination = "10.46.32.2:32765";
}
{
sourcePort = 32768;
proto = "tcp";
destination = "10.46.32.2:32768";
}
{
sourcePort = 32768;
proto = "udp";
destination = "10.46.32.2:32768";
}
{
sourcePort = 20048;
proto = "tcp";
destination = "10.46.32.2:20048";
}
{
sourcePort = 20048;
proto = "udp";
destination = "10.46.32.2:20048";
}
];
};
}; };
} }