leonard: add www-feal-no. add www-kinealbrigtsen-no. configure outgoing firewall

2025-10-18 22:25:05 +02:00
parent 49a3c0211e
commit 483f30229f
7 changed files with 172 additions and 0 deletions
--- a/hosts/leonard/configuration.nix
+++ b/hosts/leonard/configuration.nix
@@ -7,6 +7,12 @@
      ../../common/metrics-exporters.nix
      ../../common/auto-upgrade.nix
      ./hardware-configuration.nix
+
+      ./services/nginx.nix
+      ./services/mysql.nix
+
+      ./services/www-feal-no
+      ./services/www-kinealbrigtsen-no.nix
  ];

  boot.loader.systemd-boot.enable = lib.mkForce false;
@@ -23,6 +29,16 @@
      ];
    };
    hostId = "b99c12d1";
+
+    # Prepend the following output rules to disallow talking to other devices on LAN
+    firewall.extraCommands = lib.strings.concatLines ([
+      "iptables -F OUTPUT"
+    ] ++ (map (addr: "iptables -A OUTPUT -p udp --dport 53 -d ${addr} -j nixos-fw-accept") config.networking.nameservers) ++ [ # Exception for DNS
+      "iptables -A OUTPUT -p tcp --dport 3100 -d 192.168.10.175 -j nixos-fw-accept" # Exception for loki logging
+      "iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
+      "iptables -A OUTPUT -d 192.168.10.0/24 -j nixos-fw-refuse"
+      "iptables -A OUTPUT -d 192.168.11.0/24 -j nixos-fw-refuse"
+    ]);
  };

  sops.defaultSopsFile = ../../secrets/leonard/leonard.yaml;