/** Custom ferm2 configuration on gaia
*
* This set of configuration options is required to make the wireguard
* uplink to osmos.pbb.dev work. It does so by tagging all packets
* coming in over a particular interface (public-ip) with a mark, and
* then sorts replies to these connections into a special firewall
* table to send them out over this link again as well.
*
* Three pieces work together and must agree on the mark/table id 1312:
*  1. ferm2 mangle rules: connections arriving on `public-ip` get
*     connmark 1312; locally generated replies get the mark restored.
*  2. `ip rule`: packets carrying fwmark 1312 consult routing table 1312
*     (pref 9000) before the main table (prio 32000).
*  3. wireguard: the peer's 0.0.0.0/0 and ::/0 allowedIPs are installed
*     as routes into table 1312 only, so they do not hijack the main table.
*
* This module defines the `public-ip` wireguard interface itself; it
* assumes the NixOS wireguard module and kernel wireguard support are
* available on this host.
*/
{ config, ... }:
{
# Main firewall configuration
#
# NOTE: extraConfig only contributes mangle/CONNMARK rules. Any filter
# rules (e.g. accepting the wireguard UDP port on the underlay) have to
# come from the ferm2 module itself or from another configuration module.
services.ferm2 = {
enable = true;
extraConfig = ''
table mangle {
chain PREROUTING {
# Mark all connections coming in from public-ip with mark 1312
interface public-ip CONNMARK set-mark 1312;
}
chain OUTPUT {
# Mark all packets that are responses to incoming public-ip
# connetions with mark 1312 (we can filter this in the fw later)
CONNMARK restore-mark;
}
}
'';
};
# Additional ip commands to configure the firewall
#
# Runs on every activation. The flush at the top makes the script
# re-runnable (no duplicate rules pile up), but it also removes the
# stock `default` table rule (prio 32767), which is not re-added here;
# whether the prio-0 `local` rule survives the flush depends on the
# iproute2 version -- NOTE(review): confirm on the target host.
# `set -x` echoes each command into the activation log; this is handy
# for debugging and exposes no key material (none is referenced here).
#
# FIXME: create a firewall module that wraps around this
networking.localCommands = ''
set -x
ip -6 rule flush
ip -4 rule flush
ip -6 rule add lookup main prio 32000
ip -4 rule add lookup main prio 32000
# Take packets with fwmark and sort it into 1312 table
ip -6 rule add from all fwmark 1312 lookup 1312 pref 9000
ip -4 rule add from all fwmark 1312 lookup 1312 pref 9000
'';
# The wireguard uplink that carries the public addresses.
#
# - `table = "1312"` together with `allowedIPsAsRoutes = true` puts the
#   peer's catch-all routes into table 1312 instead of main, so only
#   traffic carrying fwmark 1312 (see localCommands) leaves via the tunnel.
# - The private key is referenced by path rather than inlined, which keeps
#   it out of the world-readable Nix store.
# - postSetup forces the tunnel MTU to 1500; wireguard's default is
#   smaller (typically 1420 on a 1500-byte underlay), so outer UDP packets
#   towards the endpoint may be fragmented unless the underlay path MTU is
#   larger -- NOTE(review): confirm this is intended.
networking.wireguard.interfaces."public-ip" = {
ips = [ "2a0f:4ac0::18" "195.39.247.18" ];
privateKeyFile = "/var/lib/wireguard/keys/milan.private";
allowedIPsAsRoutes = true;
table = "1312";
postSetup = "ip link set dev public-ip mtu 1500";
peers = [
{ publicKey = "kih/GnR4Bov/DM/7Rd21wK+PFQRUNH6sywVuNKkUAkk=";
allowedIPs = [ "0.0.0.0/0" "::/0" ];
# TODO: Currently telecom ipv6 handling is broken
# endpoint = "2a01:581:1:9::1:51820";
endpoint = "62.176.250.82:51820";
persistentKeepalive = 25; }
];
};
}