sokai/mynixos-config
1
1
Fork 0
forked from mirrors_public/oddlama_nix-config
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(ward): open kanidm port only for sentinel

Browse source
This commit is contained in:
oddlama 2023-06-01 01:33:13 +02:00
parent c1fe238c75
commit df2657bb1c
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
5 changed files with 20 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

2
hosts/sentinel/default.nix
View file

@ -14,6 +14,4 @@
./net.nix ./net.nix
./nginx.nix ./nginx.nix
]; ];
boot.loader.grub.devices = ["/dev/disk/by-id/${config.repo.secrets.local.disk.main}"];
} }

1
hosts/sentinel/fs.nix
View file

@ -39,6 +39,7 @@
}; };
}; };
boot.loader.grub.devices = ["/dev/disk/by-id/${config.repo.secrets.local.disk.main}"];
boot.initrd.luks.devices.enc-rpool.allowDiscards = true; boot.initrd.luks.devices.enc-rpool.allowDiscards = true;
fileSystems."/persist".neededForBoot = true; fileSystems."/persist".neededForBoot = true;

1
hosts/sentinel/nginx.nix
View file

@ -49,6 +49,7 @@ in {
locations."/".proxyPass = "https://kanidm"; locations."/".proxyPass = "https://kanidm";
# Allow using self-signed certs to satisfy kanidm's requirement # Allow using self-signed certs to satisfy kanidm's requirement
# for TLS connections. (This is over wireguard anyway) # for TLS connections. (This is over wireguard anyway)
# TODO can we get rid of this?
extraConfig = '' extraConfig = ''
proxy_ssl_verify off; proxy_ssl_verify off;
''; '';

20
hosts/ward/default.nix
View file

@ -76,12 +76,26 @@ in {
networking.nftables.firewall = { networking.nftables.firewall = {
zones = lib.mkForce { zones = lib.mkForce {
local-vms.interfaces = ["local-vms"]; #local-vms.interfaces = ["local-vms"];
proxy-sentinel.interfaces = ["proxy-sentinel"];
sentinel = {
parent = "proxy-sentinel";
ipv4Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv4];
ipv6Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv6];
};
}; };
#rules = lib.mkForce {
# local-vms-to-local = {
# from = ["local-vms"];
# to = ["local"];
# allowedTCPPorts = [8300];
# };
#};
rules = lib.mkForce { rules = lib.mkForce {
local-vms-to-local = { sentinel-to-local = {
from = ["local-vms"]; from = ["sentinel"];
to = ["local"]; to = ["local"];
allowedTCPPorts = [8300]; allowedTCPPorts = [8300];
}; };

1
hosts/ward/net.nix
View file

@ -139,6 +139,7 @@ in {
renew-timer = 1000; renew-timer = 1000;
rebind-timer = 2000; rebind-timer = 2000;
interfaces-config = { interfaces-config = {
# TODO why does this bind other macvtaps?
interfaces = ["lan-self"]; interfaces = ["lan-self"];
service-sockets-max-retries = -1; service-sockets-max-retries = -1;
}; };