diff options
| -rw-r--r-- | lass/1systems/prism.nix | 1 | ||||
| -rw-r--r-- | lass/2configs/hfos.nix | 33 |
2 files changed, 34 insertions, 0 deletions
diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix index efe79052..39026d10 100644 --- a/lass/1systems/prism.nix +++ b/lass/1systems/prism.nix @@ -25,6 +25,7 @@ in { ../2configs/binary-cache/server.nix ../2configs/iodined.nix ../2configs/libvirt.nix + ../2configs/hfos.nix { users.extraGroups = { # ● systemd-tmpfiles-setup.service - Create Volatile Files and Directories diff --git a/lass/2configs/hfos.nix b/lass/2configs/hfos.nix new file mode 100644 index 00000000..05dd3ce2 --- /dev/null +++ b/lass/2configs/hfos.nix @@ -0,0 +1,33 @@ +{ config, lib, pkgs, ... }: + +with import <stockholm/lib>; +{ + users.users.riot = { + uid = genid "riot"; + isNormalUser = true; + extraGroups = [ "libvirtd" ]; + openssh.authorizedKeys.keys = [ + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5NnADMRySix1kcxQwseHfem/SCDmkbvwc+ZZu7HFz4zss1k4Fh1knsukMY83zlno8p/8bBPWyixLTxuZHNy26af8GP95bvV3brnpRmrijkE4dOlpd+wvPcIyTKNunJvMzNDP/ry9g2GczEZKGWvQZudq/nI54HaCaRWM2kzEMEg8Rr9SGlZEKo8B+8HGVsz1a8USOnm8dqYP9dmfLdpy/s+7yWJSPh8wokvWeOOrahirOhO99ZfXm2gcdHqSKvbD2+4EYEm5w8iFrbYBT2wZ3u9ZOiooL/JuEBBdnDrcqZqeaTw0vOdKPvkUP8/rzRjvIwSkynMSD8fixpdGRNeIB riot@lagrange" + config.krebs.users.lass.pubkey + ]; + }; + + networking.interfaces.et0.ip4 = [ + { + address = "213.239.205.246"; + prefixLength = 24; + } + ]; + + krebs.iptables.tables.nat.PREROUTING.rules = [ + { v6 = false; precedence = 1000; predicate = "-d 213.239.205.246 -p tcp --dport 22"; target = "DNAT --to-destination 192.168.122.208:22"; } + { v6 = false; precedence = 1000; predicate = "-d 213.239.205.246 -p tcp --dport 80"; target = "DNAT --to-destination 192.168.122.208:80"; } + { v6 = false; precedence = 1000; predicate = "-d 213.239.205.246 -p tcp --dport 443"; target = "DNAT --to-destination 192.168.122.208:1443"; } + ]; + + krebs.iptables.tables.filter.FORWARD.rules = [ + { v6 = false; precedence = 1000; predicate = "-d 192.168.122.208 -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; } + { v6 = false; precedence = 1000; predicate = "-d 192.168.122.208 -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; } + { v6 = false; precedence = 1000; predicate = "-d 192.168.122.208 -p tcp --dport 1443 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; } + ]; +} |