diff options
author | lassulus <lassulus@lassul.us> | 2018-12-09 16:55:00 +0100 |
---|---|---|
committer | lassulus <lassulus@lassul.us> | 2018-12-09 16:55:00 +0100 |
commit | 5d321689af3fd207a72ea73280add7689dc8d8c5 (patch) | |
tree | 107c48bee4393e2b0defd0645feeac480707a80e | |
parent | 9e632ce4905fe46d285ad36f0e5b8a90f5d53dfd (diff) |
l prism.r: dedup with wirelum.nix
-rw-r--r-- | lass/1systems/prism/config.nix | 26 |
1 files changed, 7 insertions, 19 deletions
diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index 83cc96771..ec3976519 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix @@ -297,37 +297,25 @@ with import <stockholm/lib>; }; } { - krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-p udp --dport 51820"; target = "ACCEPT"; } - ]; - krebs.iptables.tables.nat.PREROUTING.rules = [ - { v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; } + imports = [ + <stockholm/lass/2configs/wirelum.nix> ]; + #krebs.iptables.tables.nat.PREROUTING.rules = [ + # { v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; } + #]; krebs.iptables.tables.filter.FORWARD.rules = [ - { v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; } + { v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24 -d 10.243.0.0/16"; target = "ACCEPT"; } { v6 = false; precedence = 1000; predicate = "-s 10.243.0.0/16 -d 10.244.1.0/24"; target = "ACCEPT"; } ]; krebs.iptables.tables.nat.POSTROUTING.rules = [ { v6 = false; predicate = "-s 10.244.1.0/24 ! -d 10.244.1.0/24"; target = "MASQUERADE"; } ]; - networking.wireguard.interfaces.wg0 = { - ips = [ "10.244.1.1/24" ]; - listenPort = 51820; - privateKeyFile = (toString <secrets>) + "/wireguard.key"; - allowedIPsAsRoutes = true; - peers = [ - { - # lass-android - allowedIPs = [ "10.244.1.2/32" ]; - publicKey = "zVunBVOxsMETlnHkgjfH71HaZjjNUOeYNveAVv5z3jw="; - } - ]; - }; services.dnsmasq = { enable = true; resolveLocalQueries = false; extraConfig= '' + listen-address=10.244.1.1 except-interface=lo interface=wg0 ''; |