Merge remote-tracking branch 'ni/master'
This commit is contained in:
commit
96f27d2db0
@ -43,10 +43,6 @@ let
|
|||||||
target = mkOption {
|
target = mkOption {
|
||||||
type = str;
|
type = str;
|
||||||
};
|
};
|
||||||
precedence = mkOption {
|
|
||||||
type = int;
|
|
||||||
default = 0;
|
|
||||||
};
|
|
||||||
v4 = mkOption {
|
v4 = mkOption {
|
||||||
type = bool;
|
type = bool;
|
||||||
default = true;
|
default = true;
|
||||||
@ -145,13 +141,11 @@ let
|
|||||||
buildChain = tn: cn:
|
buildChain = tn: cn:
|
||||||
let
|
let
|
||||||
filteredRules = filter (r: r."${v}") ts."${tn}"."${cn}".rules;
|
filteredRules = filter (r: r."${v}") ts."${tn}"."${cn}".rules;
|
||||||
sortedRules = sort (a: b: a.precedence > b.precedence) filteredRules;
|
|
||||||
|
|
||||||
in
|
in
|
||||||
#TODO: double check should be unneccessary, refactor!
|
#TODO: double check should be unneccessary, refactor!
|
||||||
if ts.${tn}.${cn}.rules or null != null then
|
if ts.${tn}.${cn}.rules or null != null then
|
||||||
concatMapStringsSep "\n" (rule: "\n-A ${cn} ${rule}") ([]
|
concatMapStringsSep "\n" (rule: "\n-A ${cn} ${rule}") ([]
|
||||||
++ map (buildRule tn cn) sortedRules
|
++ map (buildRule tn cn) filteredRules
|
||||||
)
|
)
|
||||||
else
|
else
|
||||||
""
|
""
|
||||||
|
@ -57,7 +57,7 @@ with import <stockholm/lib>;
|
|||||||
];
|
];
|
||||||
|
|
||||||
krebs.iptables.tables.nat.PREROUTING.rules = [
|
krebs.iptables.tables.nat.PREROUTING.rules = [
|
||||||
{ predicate = "-i eth0 -p tcp -m tcp --dport 22"; target = "ACCEPT"; precedence = 101; }
|
{ predicate = "-i eth0 -p tcp -m tcp --dport 22"; target = "ACCEPT"; }
|
||||||
];
|
];
|
||||||
|
|
||||||
# workaround for ssh access from yubikey via android
|
# workaround for ssh access from yubikey via android
|
||||||
|
@ -15,8 +15,8 @@
|
|||||||
];
|
];
|
||||||
};
|
};
|
||||||
# krebs.iptables.tables.filter.FORWARD.rules = [
|
# krebs.iptables.tables.filter.FORWARD.rules = [
|
||||||
# { v6 = false; precedence = 1000; predicate = "--destination 95.216.1.130"; target = "ACCEPT"; }
|
# { v6 = false; predicate = "--destination 95.216.1.130"; target = "ACCEPT"; }
|
||||||
# { v6 = false; precedence = 1000; predicate = "--source 95.216.1.130"; target = "ACCEPT"; }
|
# { v6 = false; predicate = "--source 95.216.1.130"; target = "ACCEPT"; }
|
||||||
# ];
|
# ];
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
|
@ -33,9 +33,9 @@ with import <stockholm/lib>;
|
|||||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC6o6sdTu/CX1LW2Ff5bNDqGEAGwAsjf0iIe5DCdC7YikCct+7x4LTXxY+nDlPMeGcOF88X9/qFwdyh+9E4g0nUAZaeL14Uc14QDqDt/aiKjIXXTepxE/i4JD9YbTqStAnA/HYAExU15yqgUdj2dnHu7OZcGxk0ZR1OY18yclXq7Rq0Fd3pN3lPP1T4QHM9w66r83yJdFV9szvu5ral3/QuxQnCNohTkR6LoJ4Ny2RbMPTRtb+jPbTQYTWUWwV69mB8ot5nRTP4MRM9pu7vnoPF4I2S5DvSnx4C5zdKzsb7zmIvD4AmptZLrXj4UXUf00Xf7Js5W100Ne2yhYyhq+35 riot@lagrange"
|
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC6o6sdTu/CX1LW2Ff5bNDqGEAGwAsjf0iIe5DCdC7YikCct+7x4LTXxY+nDlPMeGcOF88X9/qFwdyh+9E4g0nUAZaeL14Uc14QDqDt/aiKjIXXTepxE/i4JD9YbTqStAnA/HYAExU15yqgUdj2dnHu7OZcGxk0ZR1OY18yclXq7Rq0Fd3pN3lPP1T4QHM9w66r83yJdFV9szvu5ral3/QuxQnCNohTkR6LoJ4Ny2RbMPTRtb+jPbTQYTWUWwV69mB8ot5nRTP4MRM9pu7vnoPF4I2S5DvSnx4C5zdKzsb7zmIvD4AmptZLrXj4UXUf00Xf7Js5W100Ne2yhYyhq+35 riot@lagrange"
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
krebs.iptables.tables.filter.FORWARD.rules = [
|
krebs.iptables.tables.filter.FORWARD.rules = mkBefore [
|
||||||
{ v6 = false; precedence = 1000; predicate = "--destination 95.216.1.130"; target = "ACCEPT"; }
|
{ v6 = false; predicate = "--destination 95.216.1.130"; target = "ACCEPT"; }
|
||||||
{ v6 = false; precedence = 1000; predicate = "--source 95.216.1.130"; target = "ACCEPT"; }
|
{ v6 = false; predicate = "--source 95.216.1.130"; target = "ACCEPT"; }
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
@ -227,13 +227,13 @@ with import <stockholm/lib>;
|
|||||||
imports = [
|
imports = [
|
||||||
<stockholm/lass/2configs/wiregrill.nix>
|
<stockholm/lass/2configs/wiregrill.nix>
|
||||||
];
|
];
|
||||||
krebs.iptables.tables.nat.PREROUTING.rules = [
|
krebs.iptables.tables.nat.PREROUTING.rules = mkOrder 999 [
|
||||||
{ v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; }
|
{ v6 = false; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; }
|
||||||
{ v4 = false; precedence = 1000; predicate = "-s 42:1::/32"; target = "ACCEPT"; }
|
{ v4 = false; predicate = "-s 42:1::/32"; target = "ACCEPT"; }
|
||||||
];
|
];
|
||||||
krebs.iptables.tables.filter.FORWARD.rules = [
|
krebs.iptables.tables.filter.FORWARD.rules = mkBefore [
|
||||||
{ precedence = 1000; predicate = "-i wiregrill -o retiolum"; target = "ACCEPT"; }
|
{ predicate = "-i wiregrill -o retiolum"; target = "ACCEPT"; }
|
||||||
{ precedence = 1000; predicate = "-i retiolum -o wiregrill"; target = "ACCEPT"; }
|
{ predicate = "-i retiolum -o wiregrill"; target = "ACCEPT"; }
|
||||||
];
|
];
|
||||||
krebs.iptables.tables.nat.POSTROUTING.rules = [
|
krebs.iptables.tables.nat.POSTROUTING.rules = [
|
||||||
{ v4 = false; predicate = "-s 42:1::/32 ! -d 42:1::/48"; target = "MASQUERADE"; }
|
{ v4 = false; predicate = "-s 42:1::/32 ! -d 42:1::/48"; target = "MASQUERADE"; }
|
||||||
@ -252,7 +252,7 @@ with import <stockholm/lib>;
|
|||||||
}
|
}
|
||||||
{
|
{
|
||||||
krebs.iptables.tables.filter.INPUT.rules = [
|
krebs.iptables.tables.filter.INPUT.rules = [
|
||||||
{ predicate = "-p udp --dport 60000:61000"; target = "ACCEPT";}
|
{ predicate = "-p udp --dport 60000:61000"; target = "ACCEPT"; }
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
<stockholm/lass/2configs/murmur.nix>
|
<stockholm/lass/2configs/murmur.nix>
|
||||||
|
@ -68,8 +68,8 @@ in {
|
|||||||
{ v6 = false; predicate = "-o br0"; target = "REJECT --reject-with icmp-port-unreachable"; }
|
{ v6 = false; predicate = "-o br0"; target = "REJECT --reject-with icmp-port-unreachable"; }
|
||||||
{ v6 = false; predicate = "-i br0"; target = "REJECT --reject-with icmp-port-unreachable"; }
|
{ v6 = false; predicate = "-i br0"; target = "REJECT --reject-with icmp-port-unreachable"; }
|
||||||
];
|
];
|
||||||
krebs.iptables.tables.nat.PREROUTING.rules = [
|
krebs.iptables.tables.nat.PREROUTING.rules = mkBefore [
|
||||||
{ v6 = false; predicate = "-s 10.99.0.0/24"; target = "ACCEPT"; precedence = 1000; }
|
{ v6 = false; predicate = "-s 10.99.0.0/24"; target = "ACCEPT"; }
|
||||||
];
|
];
|
||||||
krebs.iptables.tables.nat.POSTROUTING.rules = [
|
krebs.iptables.tables.nat.POSTROUTING.rules = [
|
||||||
#TODO find out what this is about?
|
#TODO find out what this is about?
|
||||||
|
@ -8,8 +8,8 @@
|
|||||||
{ v6 = false; predicate = "-o ve-+"; target = "REJECT --reject-with icmp-port-unreachable"; }
|
{ v6 = false; predicate = "-o ve-+"; target = "REJECT --reject-with icmp-port-unreachable"; }
|
||||||
{ v6 = false; predicate = "-i ve-+"; target = "REJECT --reject-with icmp-port-unreachable"; }
|
{ v6 = false; predicate = "-i ve-+"; target = "REJECT --reject-with icmp-port-unreachable"; }
|
||||||
];
|
];
|
||||||
krebs.iptables.tables.nat.PREROUTING.rules = [
|
krebs.iptables.tables.nat.PREROUTING.rules = lib.mkBefore [
|
||||||
{ v6 = false; predicate = "-s 10.233.2.0/24"; target = "ACCEPT"; precedence = 1000; }
|
{ v6 = false; predicate = "-s 10.233.2.0/24"; target = "ACCEPT"; }
|
||||||
];
|
];
|
||||||
krebs.iptables.tables.nat.POSTROUTING.rules = [
|
krebs.iptables.tables.nat.POSTROUTING.rules = [
|
||||||
{ v6 = false; predicate = "-s 10.233.2.0/24 -d 224.0.0.0/24"; target = "RETURN"; }
|
{ v6 = false; predicate = "-s 10.233.2.0/24 -d 224.0.0.0/24"; target = "RETURN"; }
|
||||||
|
@ -189,28 +189,34 @@ with import <stockholm/lib>;
|
|||||||
enable = true;
|
enable = true;
|
||||||
tables = {
|
tables = {
|
||||||
nat.PREROUTING.rules = [
|
nat.PREROUTING.rules = [
|
||||||
{ predicate = "-i retiolum -p tcp -m tcp --dport 22"; target = "ACCEPT"; precedence = 101; }
|
{ predicate = "-i retiolum -p tcp -m tcp --dport 22"; target = "ACCEPT"; }
|
||||||
{ predicate = "-i wiregrill -p tcp -m tcp --dport 22"; target = "ACCEPT"; precedence = 101; }
|
{ predicate = "-i wiregrill -p tcp -m tcp --dport 22"; target = "ACCEPT"; }
|
||||||
{ predicate = "-p tcp -m tcp --dport 22"; target = "REDIRECT --to-ports 0"; precedence = 100; }
|
{ predicate = "-p tcp -m tcp --dport 22"; target = "REDIRECT --to-ports 0"; }
|
||||||
{ predicate = "-p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; precedence = 99; }
|
{ predicate = "-p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; }
|
||||||
];
|
];
|
||||||
nat.OUTPUT.rules = [
|
nat.OUTPUT.rules = [
|
||||||
{ predicate = "-o lo -p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; precedence = 100; }
|
{ predicate = "-o lo -p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; }
|
||||||
];
|
];
|
||||||
filter.INPUT.policy = "DROP";
|
filter.INPUT.policy = "DROP";
|
||||||
filter.FORWARD.policy = "DROP";
|
filter.FORWARD.policy = "DROP";
|
||||||
filter.INPUT.rules = [
|
filter.INPUT.rules = mkMerge [
|
||||||
{ predicate = "-i retiolum -p udp --dport 60000:61000"; target = "ACCEPT";}
|
(mkBefore [
|
||||||
{ predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; precedence = 10001; }
|
{ predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; }
|
||||||
{ predicate = "-p icmp"; target = "ACCEPT"; precedence = 10000; }
|
{ predicate = "-p icmp"; target = "ACCEPT"; }
|
||||||
{ predicate = "-p ipv6-icmp"; target = "ACCEPT"; v4 = false; precedence = 10000; }
|
{ predicate = "-p ipv6-icmp"; target = "ACCEPT"; v4 = false; }
|
||||||
{ predicate = "-i lo"; target = "ACCEPT"; precedence = 9999; }
|
{ predicate = "-i lo"; target = "ACCEPT"; }
|
||||||
{ predicate = "-p tcp --dport 22"; target = "ACCEPT"; precedence = 9998; }
|
{ predicate = "-p tcp --dport 22"; target = "ACCEPT"; }
|
||||||
{ predicate = "-p tcp -i retiolum"; target = "REJECT --reject-with tcp-reset"; precedence = -10000; }
|
])
|
||||||
{ predicate = "-p udp -i retiolum"; target = "REJECT --reject-with icmp-port-unreachable"; v6 = false; precedence = -10000; }
|
(mkOrder 1000 [
|
||||||
{ predicate = "-i retiolum"; target = "REJECT --reject-with icmp-proto-unreachable"; v6 = false; precedence = -10000; }
|
{ predicate = "-i retiolum -p udp --dport 60000:61000"; target = "ACCEPT"; }
|
||||||
{ predicate = "-i retiolum -p udp -m udp --dport 53"; target = "ACCEPT"; }
|
{ predicate = "-i retiolum -p udp -m udp --dport 53"; target = "ACCEPT"; }
|
||||||
{ predicate = "-i retiolum -p tcp --dport 19999"; target = "ACCEPT"; }
|
{ predicate = "-i retiolum -p tcp --dport 19999"; target = "ACCEPT"; }
|
||||||
|
])
|
||||||
|
(mkAfter [
|
||||||
|
{ predicate = "-p tcp -i retiolum"; target = "REJECT --reject-with tcp-reset"; }
|
||||||
|
{ predicate = "-p udp -i retiolum"; target = "REJECT --reject-with icmp-port-unreachable"; v6 = false; }
|
||||||
|
{ predicate = "-i retiolum"; target = "REJECT --reject-with icmp-proto-unreachable"; v6 = false; }
|
||||||
|
])
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
@ -56,8 +56,8 @@ with import <stockholm/lib>;
|
|||||||
{ v6 = false; predicate = "-o int0"; target = "REJECT --reject-with icmp-port-unreachable"; }
|
{ v6 = false; predicate = "-o int0"; target = "REJECT --reject-with icmp-port-unreachable"; }
|
||||||
{ v6 = false; predicate = "-i int0"; target = "REJECT --reject-with icmp-port-unreachable"; }
|
{ v6 = false; predicate = "-i int0"; target = "REJECT --reject-with icmp-port-unreachable"; }
|
||||||
];
|
];
|
||||||
krebs.iptables.tables.nat.PREROUTING.rules = [
|
krebs.iptables.tables.nat.PREROUTING.rules = mkBefore [
|
||||||
{ v6 = false; predicate = "-s 10.42.0.0/24"; target = "ACCEPT"; precedence = 1000; }
|
{ v6 = false; predicate = "-s 10.42.0.0/24"; target = "ACCEPT"; }
|
||||||
];
|
];
|
||||||
krebs.iptables.tables.nat.POSTROUTING.rules = [
|
krebs.iptables.tables.nat.POSTROUTING.rules = [
|
||||||
{ v6 = false; predicate = "-s 10.42.0.0/24 ! -d 10.42.0.0/24"; target = "MASQUERADE"; }
|
{ v6 = false; predicate = "-s 10.42.0.0/24 ! -d 10.42.0.0/24"; target = "MASQUERADE"; }
|
||||||
|
@ -18,22 +18,22 @@ with import <stockholm/lib>;
|
|||||||
}
|
}
|
||||||
];
|
];
|
||||||
|
|
||||||
krebs.iptables.tables.nat.PREROUTING.rules = [
|
krebs.iptables.tables.nat.PREROUTING.rules = mkBefore [
|
||||||
{ v6 = false; precedence = 1000; predicate = "-d 213.239.205.246 -p tcp --dport 22"; target = "DNAT --to-destination 192.168.122.208:22"; }
|
{ v6 = false; predicate = "-d 213.239.205.246 -p tcp --dport 22"; target = "DNAT --to-destination 192.168.122.208:22"; }
|
||||||
{ v6 = false; precedence = 1000; predicate = "-d 213.239.205.246 -p tcp --dport 25"; target = "DNAT --to-destination 192.168.122.208:25"; }
|
{ v6 = false; predicate = "-d 213.239.205.246 -p tcp --dport 25"; target = "DNAT --to-destination 192.168.122.208:25"; }
|
||||||
{ v6 = false; precedence = 1000; predicate = "-d 213.239.205.246 -p tcp --dport 80"; target = "DNAT --to-destination 192.168.122.208:1080"; }
|
{ v6 = false; predicate = "-d 213.239.205.246 -p tcp --dport 80"; target = "DNAT --to-destination 192.168.122.208:1080"; }
|
||||||
{ v6 = false; precedence = 1000; predicate = "-d 213.239.205.246 -p tcp --dport 443"; target = "DNAT --to-destination 192.168.122.208:1443"; }
|
{ v6 = false; predicate = "-d 213.239.205.246 -p tcp --dport 443"; target = "DNAT --to-destination 192.168.122.208:1443"; }
|
||||||
];
|
];
|
||||||
|
|
||||||
krebs.iptables.tables.filter.FORWARD.rules = [
|
krebs.iptables.tables.filter.FORWARD.rules = mkBefore [
|
||||||
{ v6 = false; precedence = 1000; predicate = "-d 192.168.122.208 -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; }
|
{ v6 = false; predicate = "-d 192.168.122.208 -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; }
|
||||||
{ v6 = false; precedence = 1000; predicate = "-d 192.168.122.208 -p tcp --dport 25 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; }
|
{ v6 = false; predicate = "-d 192.168.122.208 -p tcp --dport 25 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; }
|
||||||
{ v6 = false; precedence = 1000; predicate = "-d 192.168.122.208 -p tcp --dport 1080 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; }
|
{ v6 = false; predicate = "-d 192.168.122.208 -p tcp --dport 1080 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; }
|
||||||
{ v6 = false; precedence = 1000; predicate = "-d 192.168.122.208 -p tcp --dport 1443 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; }
|
{ v6 = false; predicate = "-d 192.168.122.208 -p tcp --dport 1443 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; }
|
||||||
];
|
];
|
||||||
|
|
||||||
krebs.iptables.tables.nat.OUTPUT.rules = [
|
krebs.iptables.tables.nat.OUTPUT.rules = mkBefore [
|
||||||
{ v6 = false; precedence = 1000; predicate = "-d 213.239.205.246 -p tcp --dport 443"; target = "DNAT --to-destination 192.168.122.208:1443"; }
|
{ v6 = false; predicate = "-d 213.239.205.246 -p tcp --dport 443"; target = "DNAT --to-destination 192.168.122.208:1443"; }
|
||||||
];
|
];
|
||||||
|
|
||||||
# TODO use bridge interfaces instead of this crap
|
# TODO use bridge interfaces instead of this crap
|
||||||
|
@ -20,8 +20,8 @@
|
|||||||
krebs.iptables.tables.filter.OUTPUT.rules = [
|
krebs.iptables.tables.filter.OUTPUT.rules = [
|
||||||
{ v6 = false; predicate = "-o virbr0 -p udp -m udp --dport 68"; target = "ACCEPT"; }
|
{ v6 = false; predicate = "-o virbr0 -p udp -m udp --dport 68"; target = "ACCEPT"; }
|
||||||
];
|
];
|
||||||
krebs.iptables.tables.nat.PREROUTING.rules = [
|
krebs.iptables.tables.nat.PREROUTING.rules = lib.mkBefore [
|
||||||
{ v6 = false; predicate = "-s 192.168.122.0/24"; target = "ACCEPT"; precedence = 1000; }
|
{ v6 = false; predicate = "-s 192.168.122.0/24"; target = "ACCEPT"; }
|
||||||
];
|
];
|
||||||
krebs.iptables.tables.nat.POSTROUTING.rules = [
|
krebs.iptables.tables.nat.POSTROUTING.rules = [
|
||||||
{ v6 = false; predicate = "-s 192.168.122.0/24 -d 224.0.0.0/24"; target = "RETURN"; }
|
{ v6 = false; predicate = "-s 192.168.122.0/24 -d 224.0.0.0/24"; target = "RETURN"; }
|
||||||
|
@ -16,13 +16,13 @@ in mkIf (hasAttr "wiregrill" config.krebs.build.host.nets) {
|
|||||||
krebs.iptables.tables.filter.INPUT.rules = [
|
krebs.iptables.tables.filter.INPUT.rules = [
|
||||||
{ predicate = "-p udp --dport ${toString self.wireguard.port}"; target = "ACCEPT"; }
|
{ predicate = "-p udp --dport ${toString self.wireguard.port}"; target = "ACCEPT"; }
|
||||||
];
|
];
|
||||||
krebs.iptables.tables.filter.FORWARD.rules = mkIf isRouter [
|
krebs.iptables.tables.filter.FORWARD.rules = mkIf isRouter (mkBefore [
|
||||||
{ precedence = 1000; predicate = "-i wiregrill -o wiregrill"; target = "ACCEPT"; }
|
{ predicate = "-i wiregrill -o wiregrill"; target = "ACCEPT"; }
|
||||||
{ precedence = 1000; predicate = "-i wiregrill -o retiolum"; target = "ACCEPT"; }
|
{ predicate = "-i wiregrill -o retiolum"; target = "ACCEPT"; }
|
||||||
{ precedence = 1000; predicate = "-i retiolum -o wiregrill"; target = "ACCEPT"; }
|
{ predicate = "-i retiolum -o wiregrill"; target = "ACCEPT"; }
|
||||||
{ precedence = 1000; predicate = "-i wiregrill -o eth0"; target = "ACCEPT"; }
|
{ predicate = "-i wiregrill -o eth0"; target = "ACCEPT"; }
|
||||||
{ precedence = 1000; predicate = "-o wiregrill -m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; }
|
{ predicate = "-o wiregrill -m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; }
|
||||||
];
|
]);
|
||||||
systemd.network.networks.wiregrill = {
|
systemd.network.networks.wiregrill = {
|
||||||
matchConfig.Name = "wiregrill";
|
matchConfig.Name = "wiregrill";
|
||||||
address =
|
address =
|
||||||
|
@ -146,6 +146,14 @@ rec {
|
|||||||
}.${config._module.args.name} or {
|
}.${config._module.args.name} or {
|
||||||
default = "${ip4.config.addr}/32";
|
default = "${ip4.config.addr}/32";
|
||||||
});
|
});
|
||||||
|
prefixLength = mkOption ({
|
||||||
|
type = uint;
|
||||||
|
} // {
|
||||||
|
retiolum.default = 16;
|
||||||
|
wiregrill.default = 16;
|
||||||
|
}.${config._module.args.name} or {
|
||||||
|
default = 32;
|
||||||
|
});
|
||||||
};
|
};
|
||||||
}));
|
}));
|
||||||
default = null;
|
default = null;
|
||||||
@ -165,6 +173,14 @@ rec {
|
|||||||
}.${config._module.args.name} or {
|
}.${config._module.args.name} or {
|
||||||
default = "${ip6.config.addr}/128";
|
default = "${ip6.config.addr}/128";
|
||||||
});
|
});
|
||||||
|
prefixLength = mkOption ({
|
||||||
|
type = uint;
|
||||||
|
} // {
|
||||||
|
retiolum.default = 32;
|
||||||
|
wiregrill.default = 32;
|
||||||
|
}.${config._module.args.name} or {
|
||||||
|
default = 128;
|
||||||
|
});
|
||||||
};
|
};
|
||||||
}));
|
}));
|
||||||
default = null;
|
default = null;
|
||||||
|
@ -4,6 +4,7 @@ with import ./lib;
|
|||||||
|
|
||||||
imports = [
|
imports = [
|
||||||
<stockholm/tv>
|
<stockholm/tv>
|
||||||
|
../../2configs/autotether.nix
|
||||||
<stockholm/tv/2configs/hw/x220.nix>
|
<stockholm/tv/2configs/hw/x220.nix>
|
||||||
<stockholm/tv/2configs/exim-retiolum.nix>
|
<stockholm/tv/2configs/exim-retiolum.nix>
|
||||||
<stockholm/tv/2configs/gitconfig.nix>
|
<stockholm/tv/2configs/gitconfig.nix>
|
||||||
|
19
tv/2configs/autotether.nix
Normal file
19
tv/2configs/autotether.nix
Normal file
@ -0,0 +1,19 @@
|
|||||||
|
{ config, pkgs, ... }: let
|
||||||
|
cfg.serial = "17e064850405";
|
||||||
|
in {
|
||||||
|
systemd.services.usb_tether.serviceConfig = {
|
||||||
|
SyslogIdentifier = "usb_tether";
|
||||||
|
ExecStartPre = "${pkgs.android-tools}/bin/adb -s ${cfg.serial} wait-for-device";
|
||||||
|
ExecStart = "${pkgs.android-tools}/bin/adb -s ${cfg.serial} shell svc usb setFunctions rndis";
|
||||||
|
};
|
||||||
|
services.udev.extraRules = /* sh */ ''
|
||||||
|
ACTION=="add", SUBSYSTEM=="net", KERNEL=="usb*", NAME="android"
|
||||||
|
|
||||||
|
ACTION=="add", SUBSYSTEM=="usb", ATTR{serial}=="${cfg.serial}", \
|
||||||
|
TAG+="systemd", ENV{SYSTEMD_WANTS}="usb_tether.service"
|
||||||
|
'';
|
||||||
|
systemd.network.networks.android = {
|
||||||
|
matchConfig.Name = "android";
|
||||||
|
DHCP = "yes";
|
||||||
|
};
|
||||||
|
}
|
@ -11,6 +11,16 @@ with import ./lib;
|
|||||||
LocalDiscovery = yes
|
LocalDiscovery = yes
|
||||||
'';
|
'';
|
||||||
tincPackage = pkgs.tinc_pre;
|
tincPackage = pkgs.tinc_pre;
|
||||||
|
tincUp = lib.mkIf config.systemd.network.enable "";
|
||||||
|
};
|
||||||
|
systemd.network.networks.retiolum = {
|
||||||
|
matchConfig.Name = "retiolum";
|
||||||
|
address = let
|
||||||
|
inherit (config.krebs.build.host.nets.retiolum) ip4 ip6;
|
||||||
|
in [
|
||||||
|
"${ip4.addr}/${toString ip4.prefixLength}"
|
||||||
|
"${ip6.addr}/${toString ip6.prefixLength}"
|
||||||
|
];
|
||||||
};
|
};
|
||||||
tv.iptables.input-internet-accept-tcp = singleton "tinc";
|
tv.iptables.input-internet-accept-tcp = singleton "tinc";
|
||||||
tv.iptables.input-internet-accept-udp = singleton "tinc";
|
tv.iptables.input-internet-accept-udp = singleton "tinc";
|
||||||
|
Loading…
Reference in New Issue
Block a user