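# Host configuration for "malcolm": a bridged, static-IPv4 host that pulls in the
# shared base/common modules plus the service modules kept next to this file.
{ config, lib, pkgs, ... }:

{
  imports = [
    ./hardware-configuration.nix

    ../../base.nix
    ../../common/auto-upgrade.nix
    ../../common/metrics-exporters.nix

    ./services/mysql.nix
    ./services/nginx.nix
    ./services/www-ctf-feal-no.nix
    ./services/www-kinealbrigtsen-no.nix
  ];

  networking = {
    hostName = "malcolm";

    # ens18 is enslaved to bridge br0, which carries the static address (no DHCP).
    bridges.br0.interfaces = [ "ens18" ];
    interfaces.br0.useDHCP = false;
    interfaces.br0.ipv4.addresses = [
      { address = "192.168.11.106"; prefixLength = 24; }
    ];

    hostId = "620c42d0";
    defaultGateway = "192.168.11.1";

    # Flush OUTPUT and then append egress rules so this host cannot open new
    # connections to other devices on the two LAN subnets.  Order matters: the
    # DNS and Loki exceptions and the RELATED,ESTABLISHED rule must precede the
    # two refuse rules.  The OUTPUT policy itself is not changed, so traffic not
    # matched here (e.g. leaving the LAN) is still allowed.
    #
    # NOTE(review): the DNS exception is generated from config.networking.nameservers;
    # if that list is empty (assumed to be set in base.nix — confirm) no DNS rule is
    # emitted and a resolver on the LAN would be refused.
    # NOTE(review): IPv4 (iptables) only — ip6tables OUTPUT is not restricted;
    # confirm IPv6 is not in use on this LAN, or mirror the rules for it.
    firewall.extraCommands = lib.strings.concatLines ([
      "iptables -F OUTPUT"
    ] ++ (map (addr: "iptables -A OUTPUT -p udp --dport 53 -d ${addr} -j nixos-fw-accept") config.networking.nameservers) ++ [ # Exception for DNS
      "iptables -A OUTPUT -p tcp --dport 3100 -d 192.168.10.175 -j nixos-fw-accept" # Exception for loki logging
      "iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
      "iptables -A OUTPUT -d 192.168.10.0/24 -j nixos-fw-refuse"
      "iptables -A OUTPUT -d 192.168.11.0/24 -j nixos-fw-refuse"
    ]);

    # The rules above reference the nixos-fw-accept / nixos-fw-refuse chains, which
    # the NixOS firewall flushes and recreates on stop/reload.  Dangling references
    # from OUTPUT would presumably prevent those chains from being deleted, so flush
    # OUTPUT on the way down as well; the start path re-installs everything.
    firewall.extraStopCommands = "iptables -F OUTPUT";
  };

  # virtualisation.oci-containers.backend = "docker";
  # systemd.services.docker.postStart = lib.concatMapStringsSep "\n" (rule: "${pkgs.iptables}/bin/iptables ${rule}") ([
  #   "-F DOCKER-USER"
  # ] ++ (map (addr: "-A DOCKER-USER -p udp --dport 53 -d ${addr} -j RETURN") config.networking.nameservers) ++ [
  #   "-A DOCKER-USER -d 192.168.10.0/24 -j REJECT"
  #   "-A DOCKER-USER -d 192.168.11.0/24 -j REJECT"
  #   "-A DOCKER-USER -j RETURN"
  # ]);

  system.stateVersion = "24.05";
}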