lass/1systems/yellow/config.nix


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45

{ config, lib, pkgs, ... }: let
  vpnPort = 1637;
  torrentport = 56709; # port forwarded in airvpn webinterface
in {
  imports = [
    <stockholm/lass>
    <stockholm/lass/2configs>
    <stockholm/lass/2configs/retiolum.nix>
    <stockholm/lass/2configs/services/flix>
  ];

  krebs.build.host = config.krebs.hosts.yellow;

  krebs.sync-containers3.inContainer = {
    enable = true;
    pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN737BAP36KiZO97mPKTIUGJUcr97ps8zjfFag6cUiYL";
  };

  networking.useHostResolvConf = false;
  networking.useNetworkd = true;

  networking.wg-quick.interfaces.airvpn.configFile = "/var/src/secrets/airvpn.conf";
  services.transmission.settings.peer-port = torrentport;

  # only allow traffic through openvpn
  krebs.iptables = {
    enable = true;
    tables.filter.INPUT.rules = [
      { predicate = "-i airvpn -p tcp --dport ${toString torrentport}"; target = "ACCEPT"; }
      { predicate = "-i airvpn -p udp --dport ${toString torrentport}"; target = "ACCEPT"; }
    ];
    tables.filter.OUTPUT = {
      policy = "DROP";
      rules = [
        { predicate = "-o lo"; target = "ACCEPT"; }
        { predicate = "-p udp --dport ${toString vpnPort}"; target = "ACCEPT"; }
        { predicate = "-o airvpn"; target = "ACCEPT"; }
        { predicate = "-o retiolum"; target = "ACCEPT"; }
        { v6 = false; predicate = "-d 1.1.1.1/32"; target = "ACCEPT"; }
        { v6 = false; predicate = "-d 1.0.0.1/32"; target = "ACCEPT"; }
        { v6 = false; predicate = "-o eth0 -d 10.233.2.0/24"; target = "ACCEPT"; }
      ];
    };
  };
}