authorlassulus <lassulus@lassul.us>2022-12-11 19:07:58 +0100
committerlassulus <lassulus@lassul.us>2022-12-11 19:07:58 +0100
commit85c76178209c506149b17c01218b89cc34a78966 (patch)
treef94e04440aed864ea532a43114d7c11cf43449a5
parent4cb2771732108d16728021e17099dfda6e21f5fe (diff)
l yellow.r: allow traffic only through vpn
-rw-r--r--lass/1systems/yellow/config.nix19
1 files changed, 15 insertions, 4 deletions
diff --git a/lass/1systems/yellow/config.nix b/lass/1systems/yellow/config.nix
index f5071c4b..519665a3 100644
--- a/lass/1systems/yellow/config.nix
+++ b/lass/1systems/yellow/config.nix
@@ -1,6 +1,6 @@
-with import <stockholm/lib>;
-{ config, lib, pkgs, ... }:
-{
+{ config, lib, pkgs, ... }: let
+ vpnIp = "85.202.81.161";
+in {
imports = [
<stockholm/lass>
<stockholm/lass/2configs>
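Review bot: The new `vpnIp` binding carries no comment, although it is the one value that the OUTPUT allow-rule and the openvpn `remote` line later in this diff both depend on, so a reader has no cue that the two must stay in step; suggest `# VPN endpoint: the only non-tunnel destination the OUTPUT chain lets through; keep in sync with the openvpn remote` above it. Dropping `with import <stockholm/lib>;` from the file header is only safe if nothing further down relied on lib helpers brought into scope that way; the rest of the file is outside this hunk, so that is worth confirming with a build before merging.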
@@ -11,6 +11,8 @@ with import <stockholm/lib>;
users.groups.download.members = [ "transmission" ];
+ networking.useHostResolvConf = false;
+ networking.useNetworkd = true;
systemd.services.transmission.bindsTo = [ "openvpn-nordvpn.service" ];
systemd.services.transmission.after = [ "openvpn-nordvpn.service" ];
services.transmission = {
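Review bot: The two added `networking.*` options are not explained, and their purpose is not obvious from the surrounding transmission settings; a short comment such as `# do not inherit the host resolver: name resolution must go through the tunnel once OUTPUT defaults to DROP` would record the intent. Whether resolution still works after the OUTPUT policy change later in this diff presumably depends on a resolver being reachable via tun0 (or the retiolum/local rules), which is not visible here and should be checked on the deployed host. Two context lines of this hunk appear to have been lost in rendering, so the exact placement is inferred from the hunk header.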
@@ -159,13 +161,22 @@ with import <stockholm/lib>;
{ predicate = "-p udp --dport 51413"; target = "ACCEPT"; } # transmission-traffic
{ predicate = "-p tcp --dport 8096"; target = "ACCEPT"; } # jellyfin
];
+ tables.filter.OUTPUT = {
+ policy = "DROP";
+ rules = [
+ { v6 = false; predicate = "-d ${vpnIp}/32"; target = "ACCEPT"; }
+ { predicate = "-o tun0"; target = "ACCEPT"; }
+ { predicate = "-o retiolum"; target = "ACCEPT"; }
+ { v6 = false; predicate = "-o eth0 -d 10.233.0.0/24"; target = "ACCEPT"; }
+ ];
+ };
};
services.openvpn.servers.nordvpn.config = ''
client
dev tun
proto udp
- remote 194.110.84.106 1194
+ remote ${vpnIp} 1194
resolv-retry infinite
remote-random
nobind