author | makefu <github@syntax-fehler.de> | 2023-09-09 19:42:08 +0200 |
---|---|---|
committer | makefu <github@syntax-fehler.de> | 2023-09-09 19:42:08 +0200 |
commit | 29d72c898d674d2c18fc0f4a76b5e623de0c3dfe (patch) | |
tree | fc4b0695c986a1cda6f1fbbbcbe716e203c54fa3 /lass/1systems/yellow/config.nix | |
parent | e157ffa72856e4378aa23b096b2efff233f3cb3d (diff) | |
parent | 083229d0211096daec08673f743ccc45b1d8a0ac (diff) |
Merge remote-tracking branch 'lass/master'
Diffstat (limited to 'lass/1systems/yellow/config.nix')
-rw-r--r-- | lass/1systems/yellow/config.nix | 45 |
1 files changed, 0 insertions, 45 deletions
diff --git a/lass/1systems/yellow/config.nix b/lass/1systems/yellow/config.nix
deleted file mode 100644
index 2da93b8fd..000000000
--- a/lass/1systems/yellow/config.nix
+++ /dev/null
@@ -1,45 +0,0 @@
-{ config, lib, pkgs, ... }: let
- vpnPort = 1637;
- torrentport = 56709; # port forwarded in airvpn webinterface
-in {
- imports = [
- <stockholm/lass>
- <stockholm/lass/2configs>
- <stockholm/lass/2configs/retiolum.nix>
- <stockholm/lass/2configs/services/flix>
- ];
-
- krebs.build.host = config.krebs.hosts.yellow;
-
- krebs.sync-containers3.inContainer = {
- enable = true;
- pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN737BAP36KiZO97mPKTIUGJUcr97ps8zjfFag6cUiYL";
- };
-
- networking.useHostResolvConf = false;
- networking.useNetworkd = true;
-
- networking.wg-quick.interfaces.airvpn.configFile = "/var/src/secrets/airvpn.conf";
- services.transmission.settings.peer-port = torrentport;
-
- # only allow traffic through openvpn
- krebs.iptables = {
- enable = true;
- tables.filter.INPUT.rules = [
- { predicate = "-i airvpn -p tcp --dport ${toString torrentport}"; target = "ACCEPT"; }
- { predicate = "-i airvpn -p udp --dport ${toString torrentport}"; target = "ACCEPT"; }
- ];
- tables.filter.OUTPUT = {
- policy = "DROP";
- rules = [
- { predicate = "-o lo"; target = "ACCEPT"; }
- { predicate = "-p udp --dport ${toString vpnPort}"; target = "ACCEPT"; }
- { predicate = "-o airvpn"; target = "ACCEPT"; }
- { predicate = "-o retiolum"; target = "ACCEPT"; }
- { v6 = false; predicate = "-d 1.1.1.1/32"; target = "ACCEPT"; }
- { v6 = false; predicate = "-d 1.0.0.1/32"; target = "ACCEPT"; }
- { v6 = false; predicate = "-o eth0 -d 10.233.2.0/24"; target = "ACCEPT"; }
- ];
- };
- };
-} |