From e77030e772899bcc747568752cdb2a997a6972bf Mon Sep 17 00:00:00 2001 From: lassulus Date: Fri, 20 Apr 2018 23:30:19 +0200 Subject: l prism.r: use iptables for hackerfleet --- lass/1systems/prism/config.nix | 30 +++++++----------------------- 1 file changed, 7 insertions(+), 23 deletions(-) (limited to 'lass/1systems/prism/config.nix') diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index c0e4620c..e937db83 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix @@ -110,29 +110,13 @@ in { }; # TODO write function for proxy_pass (ssl/nonssl) - services.nginx.virtualHosts."hackerfleet.de" = { - serverAliases = [ - "*.hackerfleet.de" - ]; - locations."/".extraConfig = '' - proxy_pass http://192.168.122.92:80; - ''; - }; - services.nginx.virtualHosts."hackerfleet.de-s" = { - serverName = "hackerfleet.de"; - listen = [ - { - addr = "0.0.0.0"; - port = 443; - } - ]; - serverAliases = [ - "*.hackerfleet.de" - ]; - locations."/".extraConfig = '' - proxy_pass http://192.168.122.92:443; - ''; - }; + + krebs.iptables.tables.filter.FORWARD.rules = [ + { v6 = false; precedence = 1000; predicate = "-d 192.168.122.92"; target = "ACCEPT"; } + ]; + krebs.iptables.tables.nat.PREROUTING.rules = [ + { v6 = false; precedence = 1000; predicate = "-d 46.4.114.243"; target = "DNAT --to-destination 192.168.122.92"; } + ]; } { users.users.tv = { -- cgit v1.2.3 From c85c0f1b39aed212bb128c674f194f124a9454ce Mon Sep 17 00:00:00 2001 From: lassulus Date: Fri, 20 Apr 2018 23:31:08 +0200 Subject: l prism.r: fix deprecation warnings --- lass/1systems/prism/config.nix | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'lass/1systems/prism/config.nix') diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index e937db83..983604f8 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix 
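Review bot: The new `nat.PREROUTING` DNAT predicate `-d 46.4.114.243` and the `filter.FORWARD` accept `-d 192.168.122.92` carry no `-p`/`--dport` match, so every protocol and port that reaches 46.4.114.243 is now handed to the VM, whereas the removed nginx vhosts exposed only 80 and 443 of it. Unless the whole VM is meant to be reachable, narrow both rules, e.g. `predicate = "-d 46.4.114.243 -p tcp -m multiport --dports 80,443";` and `predicate = "-d 192.168.122.92 -p tcp -m multiport --dports 80,443";`. The bare addresses would also benefit from a comment such as `# hackerfleet VM behind the secondary public address` above the rules, since the `# TODO write function for proxy_pass` context line now refers to code that no longer exists. These rules only take effect once `net.ipv4.ip_forward` is enabled, which this commit does not do.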
@@ -8,11 +8,15 @@ in { imports = [ { - networking.interfaces.et0.ip4 = [ + networking.interfaces.et0.ipv4.addresses = [ { address = ip; prefixLength = 27; } + { + address = "46.4.114.243"; + prefixLength = 27; + } ]; networking.defaultGateway = "46.4.114.225"; networking.nameservers = [ -- cgit v1.2.3 From 817efa5f9d26effaa4c7a8efd6710fec4eb33300 Mon Sep 17 00:00:00 2001 From: lassulus Date: Fri, 27 Apr 2018 15:14:35 +0200 Subject: l prism.r: kill kaepsele container --- lass/1systems/prism/config.nix | 20 -------------------- 1 file changed, 20 deletions(-) (limited to 'lass/1systems/prism/config.nix') diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index 983604f8..68f1826b 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix @@ -189,26 +189,6 @@ in { localAddress = "10.233.2.2"; }; } - { - #kaepsele - systemd.services."container@kaepsele".reloadIfChanged = mkForce false; - containers.kaepsele = { - config = { ... }: { - imports = [ ]; - environment.systemPackages = [ pkgs.git ]; - services.openssh.enable = true; - users.users.root.openssh.authorizedKeys.keys = with config.krebs.users; [ - lass.pubkey - tv.pubkey - ]; - }; - autoStart = true; - enableTun = true; - privateNetwork = true; - hostAddress = "10.233.2.3"; - localAddress = "10.233.2.4"; - }; - } { #onondaga systemd.services."container@onondaga".reloadIfChanged = mkForce false; -- cgit v1.2.3 From 2701bdd97f0f2ea8681b1d66670eb68ea0f11017 Mon Sep 17 00:00:00 2001 From: lassulus Date: Fri, 27 Apr 2018 19:34:36 +0200 Subject: l: use prometheus as monitoring --- lass/1systems/prism/config.nix | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'lass/1systems/prism/config.nix') diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index 68f1826b..f8178a20 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix @@ -217,13 +217,12 @@ in { - - + { # quasi bepasty.nix imports = [ -- cgit v1.2.3 
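Review bot: The second `et0` address `46.4.114.243/27` added in this hunk is unrelated to the `ip4` → `ipv4.addresses` rename that the subject `fix deprecation warnings` describes; it is the DNAT target introduced by the previous commit and deserves its own commit, or at least a sentence in the message. A comment on the new entry, e.g. `# secondary address, DNAT'd to the hackerfleet VM`, would make the reason for a second public address visible in the file itself.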
From 92c123397188ae6cf115197862e8d79015995356 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 28 Apr 2018 17:26:43 +0200 Subject: l prism.r: run go-shortener --- lass/1systems/prism/config.nix | 1 + 1 file changed, 1 insertion(+) (limited to 'lass/1systems/prism/config.nix') diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index f8178a20..7b581d90 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix @@ -303,6 +303,7 @@ in { { predicate = "-p tcp --dport 53589"; target = "ACCEPT"; } ]; } + ]; krebs.build.host = config.krebs.hosts.prism; -- cgit v1.2.3 From 1820b1753011eb42bb9be30011e6fbd11993b201 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 28 Apr 2018 23:18:05 +0200 Subject: l: add red.r --- lass/1systems/prism/config.nix | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) (limited to 'lass/1systems/prism/config.nix') diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index 7b581d90..d1faf77b 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix @@ -304,6 +304,34 @@ in { ]; } + { + environment.systemPackages = [ pkgs.cryptsetup ]; + systemd.services."container@red".reloadIfChanged = mkForce false; + containers.red = { + config = { ... }: { + environment.systemPackages = [ pkgs.git ]; + services.openssh.enable = true; + users.users.root.openssh.authorizedKeys.keys = [ + config.krebs.users.lass.pubkey + ]; + }; + autoStart = false; + enableTun = true; + privateNetwork = true; + hostAddress = "10.233.2.3"; + localAddress = "10.233.2.4"; + }; + services.nginx.virtualHosts."rote-allez-fraktion.de" = { + enableACME = true; + addSSL = true; + locations."/" = { + extraConfig = '' + proxy_set_header Host rote-allez-fraktion.de; + proxy_pass http://10.233.2.4; + ''; + }; + }; + } ]; krebs.build.host = config.krebs.hosts.prism; -- cgit v1.2.3 From 02e24615adeac1ab6062ba83748eafe7418ac3ed Mon Sep 17 00:00:00 2001 
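Review bot: The `containers.red` block has no purpose comment, unlike the sibling container blocks (`#onondaga`, formerly `#kaepsele`), and it is the only one with `autoStart = false` while `pkgs.cryptsetup` is added to the host in the same block — presumably the container's storage must be unlocked by hand before it is started, but that is not recorded anywhere. Suggest `# red: backend for rote-allez-fraktion.de; autoStart is off because <reason, e.g. manual cryptsetup unlock — confirm>` above `containers.red`. `hostAddress`/`localAddress` 10.233.2.3/10.233.2.4 reuse the addresses of the kaepsele container removed earlier in this series, which is fine only as long as kaepsele is not brought back. The enclosing `imports` list continues outside the hunk.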
From: lassulus Date: Tue, 1 May 2018 15:36:07 +0200 Subject: l prism.r: enable ipv4 forwarding --- lass/1systems/prism/config.nix | 1 + 1 file changed, 1 insertion(+) (limited to 'lass/1systems/prism/config.nix') diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index d1faf77b..89ea749c 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix @@ -104,6 +104,7 @@ in { ]; } { # TODO make new hfos.nix out of this vv + boot.kernel.sysctl."net.ipv4.ip_forward" = 1; users.users.riot = { uid = genid "riot"; isNormalUser = true; -- cgit v1.2.3 From 7330cce0d46f23036a42e19421ca3b59dc21f9cf Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 3 May 2018 18:21:39 +0200 Subject: l prism.r: add restic backups --- lass/1systems/prism/config.nix | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) (limited to 'lass/1systems/prism/config.nix') diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index 89ea749c..564315e8 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix @@ -333,6 +333,31 @@ in { }; }; } + { + imports = [ ]; + lass.restic = genAttrs [ + "daedalus" + "icarus" + "littleT" + "mors" + "shodan" + "skynet" + ] (dest: { + dirs = [ + "/home/chat/.weechat" + "/bku/sql_dumps" + ]; + passwordFile = (toString ) + "/restic/${dest}"; + repo = "sftp:backup@${dest}.r:/backups/prism"; + extraArguments = [ + "sftp.command='ssh backup@${dest}.r -i ${config.krebs.build.host.ssh.privkey.path} -s sftp'" + ]; + timerConfig = { + OnCalendar = "00:05"; + RandomizedDelaySec = "5h"; + }; + }); + } ]; krebs.build.host = config.krebs.hosts.prism; -- cgit v1.2.3 From 67047f9e8dc18e43ce37927b19a6aae62c2ab4a1 Mon Sep 17 00:00:00 2001 From: lassulus Date: Fri, 4 May 2018 20:32:23 +0200 Subject: l prism.r: add pubkey to download --- lass/1systems/prism/config.nix | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'lass/1systems/prism/config.nix') 
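Review bot: `boot.kernel.sysctl."net.ipv4.ip_forward" = 1` turns on forwarding for every interface on the host, not only for the hackerfleet DNAT it appears to serve, and it sits in the `# TODO make new hfos.nix out of this` block without saying why. Add `# needed for the DNAT/FORWARD rules to 192.168.122.92 below` so the dependency is explicit. Whether traffic between prism's other interfaces (et0, retiolum, the container veths) is now routable depends on the krebs.iptables FORWARD default policy, which is not visible here; it should be confirmed to be DROP, otherwise this one line makes prism an open router between its networks.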
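Review bot: The restic jobs authenticate to `backup@${dest}.r` with `config.krebs.build.host.ssh.privkey.path`, i.e. prism's SSH host key doubles as a client identity on six other hosts. A dedicated backup key, with the `backup` account on each destination restricted to sftp server-side (the `-s sftp` in `extraArguments` is only a client-side request), would limit what that key can do if prism is compromised; if the host-key reuse is deliberate, say so in a comment above `extraArguments`. `/home/chat/.weechat` is in `dirs`; weechat configuration may hold IRC credentials in plaintext, so the repository password read from `/restic/${dest}` is all that protects them at rest on the destinations — worth a comment next to `passwordFile`.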
diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index 564315e8..76aaf0cd 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix @@ -358,6 +358,11 @@ in { }; }); } + { + users.users.download.openssh.authorizedKeys.keys = [ + "ssh-rsa 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 lhebendanz@nixos" + ]; + } ]; krebs.build.host = config.krebs.hosts.prism; -- cgit v1.2.3 From 24a3d64301ccbc39bdc6e46d5b6201b48311ed80 Mon Sep 17 00:00:00 2001 From: lassulus Date: Fri, 4 May 2018 20:37:21 +0200 Subject: l prism.r: enable nichtparasoup --- lass/1systems/prism/config.nix | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) (limited to 'lass/1systems/prism/config.nix') diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index 76aaf0cd..90decc35 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix @@ -363,6 +363,22 @@ in { "ssh-rsa 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 lhebendanz@nixos" ]; } + { + lass.nichtparasoup.enable = true; + services.nginx = { + enable = true; + virtualHosts.lol = { + forceSSL = true; + enableACME = true; + locations."/".extraConfig = '' + proxy_pass http://localhost:5001; + ''; + serverAliases = [ + "lol.lassul.us" + ]; + }; + }; + } ]; krebs.build.host = config.krebs.hosts.prism; -- cgit v1.2.3 From 2dc18fb83a0c8fcd9c4cb04de9470e73c29fcedd Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 7 May 2018 19:55:38 +0200 Subject: l prism.r: simplify lol.lassul.us nginx --- lass/1systems/prism/config.nix | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) (limited to 'lass/1systems/prism/config.nix') diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index 90decc35..d4be2faa 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix 
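Review bot: The `ssh-rsa … lhebendanz@nixos` key is pasted inline into `users.users.download.openssh.authorizedKeys.keys`, whereas the rest of this file references keys through `config.krebs.users.<name>.pubkey` (e.g. `config.krebs.users.lass.pubkey` for the red container). Defining this person under `krebs.users` and writing `config.krebs.users.<name>.pubkey` here keeps a single place to rotate or revoke the key. A comment stating what the `download` account grants (presumably file access under `/var/download` — to be confirmed) would also let a reviewer judge the grant without reading the whole file.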
@@ -367,15 +367,12 @@ in { lass.nichtparasoup.enable = true; services.nginx = { enable = true; - virtualHosts.lol = { + virtualHosts."lol.lassul.us" = { forceSSL = true; enableACME = true; locations."/".extraConfig = '' proxy_pass http://localhost:5001; ''; - serverAliases = [ - "lol.lassul.us" - ]; }; }; } -- cgit v1.2.3 From 0c0d527bec3a6a3d6435203253edb2ef27f9655b Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 12 May 2018 15:51:24 +0200 Subject: l: hw config into physical.nix --- lass/1systems/prism/config.nix | 83 +----------------------------------------- 1 file changed, 1 insertion(+), 82 deletions(-) (limited to 'lass/1systems/prism/config.nix') diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index d4be2faa..c7b877de 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix 
@@ -1,90 +1,9 @@ { config, lib, pkgs, ... }: with import ; -let - ip = config.krebs.build.host.nets.internet.ip4.addr; - -in { +{ imports = [ - { - networking.interfaces.et0.ipv4.addresses = [ - { - address = ip; - prefixLength = 27; - } - { - address = "46.4.114.243"; - prefixLength = 27; - } - ]; - networking.defaultGateway = "46.4.114.225"; - networking.nameservers = [ - "8.8.8.8" - ]; - services.udev.extraRules = '' - SUBSYSTEM=="net", ATTR{address}=="08:60:6e:e7:87:04", NAME="et0" - ''; - } - { - imports = [ ]; - - boot.loader.grub = { - devices = [ - "/dev/sda" - "/dev/sdb" - ]; - splashImage = null; - }; - - boot.initrd.availableKernelModules = [ - "ata_piix" - "vmw_pvscsi" - "ahci" "sd_mod" - ]; - - boot.kernelModules = [ "kvm-intel" ]; - - fileSystems."/" = { - device = "/dev/pool/nix_root"; - fsType = "ext4"; - }; - - fileSystems."/tmp" = { - device = "tmpfs"; - fsType = "tmpfs"; - options = ["nosuid" "nodev" "noatime"]; - }; - - fileSystems."/var/download" = { - device = "/dev/pool/download"; - fsType = "ext4"; - }; - - fileSystems."/srv/http" = { - device = "/dev/pool/http"; - fsType = "ext4"; - }; - - fileSystems."/home" = { - device = "/dev/pool/home"; - fsType = "ext4"; - }; - - fileSystems."/bku" = { - device = "/dev/pool/bku"; - fsType = "ext4"; - }; - - swapDevices = [ - { label = "swap1"; } - { label = "swap2"; } - ]; - - sound.enable = false; - nixpkgs.config.allowUnfree = true; - time.timeZone = "Europe/Berlin"; - } { -- cgit v1.2.3 From c7a49e7ac91eef1833992d9801b11febad726afe Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 20 May 2018 10:09:54 +0200 Subject: l prism.r: forward weechat port to blue.r --- lass/1systems/prism/config.nix | 15 +++++++++++++++ 1 file changed, 15 insertions(+) (limited to 'lass/1systems/prism/config.nix') diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index c7b877de..9bfd90c1 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix 
@@ -295,6 +295,21 @@ with import ; }; }; } + { #weechat port forwarding to blue + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-p tcp --dport 9998"; target = "ACCEPT";} + ]; + krebs.iptables.tables.nat.PREROUTING.rules = [ + { v6 = false; precedence = 1000; predicate = "-d ${config.krebs.hosts.prism.nets.internet.ip4.addr} -p tcp --dport 9998"; target = "DNAT --to-destination ${config.krebs.hosts.blue.nets.retiolum.ip4.addr}:9999"; } + ]; + krebs.iptables.tables.filter.FORWARD.rules = [ + { v6 = false; precedence = 1000; predicate = "-d ${config.krebs.hosts.blue.nets.retiolum.ip4.addr} -p tcp --dport 9999"; target = "ACCEPT"; } + { v6 = false; precedence = 1000; predicate = "-s ${config.krebs.hosts.blue.nets.retiolum.ip4.addr}"; target = "ACCEPT"; } + ]; + krebs.iptables.tables.nat.POSTROUTING.rules = [ + { v6 = false; predicate = "-d ${config.krebs.hosts.blue.nets.retiolum.ip4.addr} -p tcp --dport 9999"; target = "MASQUERADE"; } + ]; + } ]; krebs.build.host = config.krebs.hosts.prism; -- cgit v1.2.3 From 5af3134c0084ac98fbd504865925aeba61f06d94 Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 21 May 2018 08:25:11 +0200 Subject: l red: forceSSL --- lass/1systems/prism/config.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lass/1systems/prism/config.nix') diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index 9bfd90c1..b2669c4a 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix @@ -243,7 +243,7 @@ with import ; }; services.nginx.virtualHosts."rote-allez-fraktion.de" = { enableACME = true; - addSSL = true; + forceSSL = true; locations."/" = { extraConfig = '' proxy_set_header Host rote-allez-fraktion.de; -- cgit v1.2.3 From 9173c08145836c1ee34674a15a488c7099f203af Mon Sep 17 00:00:00 2001 
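Review bot: The second `filter.FORWARD` rule, `-s ${config.krebs.hosts.blue.nets.retiolum.ip4.addr}` → ACCEPT, lets blue.r forward any protocol to any destination through prism, far more than the reply path of the 9998→9999 DNAT needs; if only return traffic is intended, narrow it to `predicate = "-s ${config.krebs.hosts.blue.nets.retiolum.ip4.addr} -p tcp --sport 9999";` (or drop it if krebs.iptables already accepts ESTABLISHED,RELATED, which is not visible here). The `filter.INPUT` accept for `--dport 9998` looks redundant for this flow: the DNAT in `nat.PREROUTING` rewrites the destination before routing, so the forwarded packets traverse FORWARD rather than INPUT. Because `nat.POSTROUTING` masquerades toward blue, weechat on blue sees every client as prism's retiolum address; keep that in mind when reading its logs for failed logins. The same block is removed and then re-added verbatim by the revert 9b389fd (last hunk on this page), where the same points apply.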
From: lassulus Date: Mon, 21 May 2018 08:26:20 +0200 Subject: l: remove IM.nix --- lass/1systems/prism/config.nix | 1 - 1 file changed, 1 deletion(-) (limited to 'lass/1systems/prism/config.nix') diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index b2669c4a..6d03a269 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix @@ -131,7 +131,6 @@ with import ; } - -- cgit v1.2.3 From 4277c251906100bc103808af7a674fe2fbb3851b Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 21 May 2018 08:28:08 +0200 Subject: l prism.r: add wireguard config --- lass/1systems/prism/config.nix | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) (limited to 'lass/1systems/prism/config.nix') diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index 6d03a269..7a9537b6 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix 
@@ -309,6 +309,34 @@ with import ; { v6 = false; predicate = "-d ${config.krebs.hosts.blue.nets.retiolum.ip4.addr} -p tcp --dport 9999"; target = "MASQUERADE"; } ]; } + { + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-p udp --dport 51820"; target = "ACCEPT"; } + ]; + krebs.iptables.tables.nat.PREROUTING.rules = [ + { v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; } + ]; + krebs.iptables.tables.filter.FORWARD.rules = [ + { v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; } + { v6 = false; precedence = 1000; predicate = "-s 10.243.0.0/16 -d 10.244.1.0/24"; target = "ACCEPT"; } + ]; + krebs.iptables.tables.nat.POSTROUTING.rules = [ + { v6 = false; predicate = "-s 10.244.1.0/24 ! -d 10.244.1.0/24"; target = "MASQUERADE"; } + ]; + networking.wireguard.interfaces.wg0 = { + ips = [ "10.244.1.1/24" ]; + listenPort = 51820; + privateKeyFile = (toString ) + "/wireguard.key"; + allowedIPsAsRoutes = true; + peers = [ + { + # lass-android + allowedIPs = [ "10.244.1.2/32" ]; + publicKey = "63+ns9AGv6e6a8WgxiZNFEt1xQT0YKFlEHzRaYJWtmk="; + } + ]; + }; + } ]; krebs.build.host = config.krebs.hosts.prism; -- cgit v1.2.3 From bc0cd03da463c9cf67ba47b034bbbe32d9391beb Mon Sep 17 00:00:00 2001 From: lassulus Date: Fri, 8 Jun 2018 04:57:52 +0200 Subject: move Reaktor|krebs from prism to hotdog --- lass/1systems/prism/config.nix | 1 - 1 file changed, 1 deletion(-) (limited to 'lass/1systems/prism/config.nix') diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index 7a9537b6..285dbfa9 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix @@ -175,7 +175,6 @@ with import ; alias /var/realwallpaper/realwallpaper.png; ''; } - { users.users.jeschli = { -- cgit v1.2.3 From e34ca32676d1fe6a4aab3cca1518b111a36ef8cd Mon Sep 17 00:00:00 2001 
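Review bot: The `filter.FORWARD` rule `-s 10.244.1.0/24` → ACCEPT gives every WireGuard peer unrestricted transit through prism (retiolum via the `-s 10.243.0.0/16 -d 10.244.1.0/24` return rule, the container and VM networks, and the internet through the `! -d 10.244.1.0/24` MASQUERADE), so a peer key is effectively a key to the host's whole network; with a single `lass-android` peer that may be intended, but it should be stated, e.g. `# wg peers get full forwarding; add peers only for fully trusted devices` above the rules. Each peer has a fixed /32 in `allowedIPs`, which helps attribution since masqueraded traffic otherwise shows only prism's address on the destination. The `nat.PREROUTING` ACCEPT for `-s 10.244.1.0/24` presumably exists to keep the earlier DNAT rules from rewriting VPN traffic; whether it is evaluated before them depends on how krebs.iptables orders equal `precedence` values, which should be confirmed.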
From: lassulus Date: Fri, 8 Jun 2018 04:59:14 +0200 Subject: l prism.r: remove unnecessary iptables forward --- lass/1systems/prism/config.nix | 15 --------------- 1 file changed, 15 deletions(-) (limited to 'lass/1systems/prism/config.nix') diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index 285dbfa9..d6d1ce2e 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix @@ -293,21 +293,6 @@ with import ; }; }; } - { #weechat port forwarding to blue - krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-p tcp --dport 9998"; target = "ACCEPT";} - ]; - krebs.iptables.tables.nat.PREROUTING.rules = [ - { v6 = false; precedence = 1000; predicate = "-d ${config.krebs.hosts.prism.nets.internet.ip4.addr} -p tcp --dport 9998"; target = "DNAT --to-destination ${config.krebs.hosts.blue.nets.retiolum.ip4.addr}:9999"; } - ]; - krebs.iptables.tables.filter.FORWARD.rules = [ - { v6 = false; precedence = 1000; predicate = "-d ${config.krebs.hosts.blue.nets.retiolum.ip4.addr} -p tcp --dport 9999"; target = "ACCEPT"; } - { v6 = false; precedence = 1000; predicate = "-s ${config.krebs.hosts.blue.nets.retiolum.ip4.addr}"; target = "ACCEPT"; } - ]; - krebs.iptables.tables.nat.POSTROUTING.rules = [ - { v6 = false; predicate = "-d ${config.krebs.hosts.blue.nets.retiolum.ip4.addr} -p tcp --dport 9999"; target = "MASQUERADE"; } - ]; - } { krebs.iptables.tables.filter.INPUT.rules = [ { predicate = "-p udp --dport 51820"; target = "ACCEPT"; } -- cgit v1.2.3 From d7d39081d0c3866696e38fb42ae7e2ae28f28c69 Mon Sep 17 00:00:00 2001 From: lassulus Date: Fri, 8 Jun 2018 05:04:21 +0200 Subject: l prism.r: open ports for mosh --- lass/1systems/prism/config.nix | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'lass/1systems/prism/config.nix') diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index d6d1ce2e..61d147c5 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix 
@@ -321,6 +321,11 @@ with import ; ]; }; } + { + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-p udp --dport 60000:61000"; target = "ACCEPT";} + ]; + } ]; krebs.build.host = config.krebs.hosts.prism; -- cgit v1.2.3 From 9b389fd6644a71c0fb8fdc7764727d771d54e221 Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 11 Jun 2018 15:45:12 +0200 Subject: Revert "l prism.r: remove unnecessary iptables forward" This reverts commit e34ca32676d1fe6a4aab3cca1518b111a36ef8cd. --- lass/1systems/prism/config.nix | 15 +++++++++++++++ 1 file changed, 15 insertions(+) (limited to 'lass/1systems/prism/config.nix') diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index 61d147c5..9a0bb49e 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix @@ -293,6 +293,21 @@ with import ; }; }; } + { #weechat port forwarding to blue + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-p tcp --dport 9998"; target = "ACCEPT";} + ]; + krebs.iptables.tables.nat.PREROUTING.rules = [ + { v6 = false; precedence = 1000; predicate = "-d ${config.krebs.hosts.prism.nets.internet.ip4.addr} -p tcp --dport 9998"; target = "DNAT --to-destination ${config.krebs.hosts.blue.nets.retiolum.ip4.addr}:9999"; } + ]; + krebs.iptables.tables.filter.FORWARD.rules = [ + { v6 = false; precedence = 1000; predicate = "-d ${config.krebs.hosts.blue.nets.retiolum.ip4.addr} -p tcp --dport 9999"; target = "ACCEPT"; } + { v6 = false; precedence = 1000; predicate = "-s ${config.krebs.hosts.blue.nets.retiolum.ip4.addr}"; target = "ACCEPT"; } + ]; + krebs.iptables.tables.nat.POSTROUTING.rules = [ + { v6 = false; predicate = "-d ${config.krebs.hosts.blue.nets.retiolum.ip4.addr} -p tcp --dport 9999"; target = "MASQUERADE"; } + ]; + } { krebs.iptables.tables.filter.INPUT.rules = [ { predicate = "-p udp --dport 51820"; target = "ACCEPT"; } -- cgit v1.2.3
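Review bot: The new `filter.INPUT` rule opens `udp --dport 60000:61000` to any source without saying why; the commit subject names mosh, but the file does not, unlike the `#weechat port forwarding to blue` block above it. Add `# mosh` on the enclosing `{` so the range is not mistaken for an unrelated service later. Exposure is modest because mosh-server only binds a port in that range after an SSH-authenticated session requests it, but the 1001 ports remain reachable to unsolicited UDP and will show up as noise in any port-scan detection on this host.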