foodogsquared/nixos-config
1
0
Fork 0
mirror of https://github.com/foo-dogsquared/nixos-config.git synced 2025-01-31 04:58:01 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

hosts/plover: add local area network to firewall

Browse Source
This commit is contained in:
Gabriel Arazas 2023-02-14 11:01:29 +08:00
parent af9ddbe527
commit 2106292bbe
No known key found for this signature in database
GPG Key ID: ADE0C41DAB221FCC
1 changed files with 7 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
hosts/plover/modules/services/coredns.nix
View File

@ -6,7 +6,7 @@
# on you. Either that or we can easily move the resolver somewhere else. # on you. Either that or we can easily move the resolver somewhere else.
let let
inherit (config.networking) domain fqdn; inherit (config.networking) domain fqdn;
inherit (import ../hardware/networks.nix) interfaces clientNetworks serverNetworks secondaryNameServers; inherit (import ../hardware/networks.nix) privateIPv6Prefix interfaces clientNetworks serverNetworks secondaryNameServers;
dnsSubdomain = "ns1"; dnsSubdomain = "ns1";
dnsDomainName = "${dnsSubdomain}.${domain}"; dnsDomainName = "${dnsSubdomain}.${domain}";
@ -34,6 +34,10 @@ let
(lib.attrValues secondaryNameServers); (lib.attrValues secondaryNameServers);
secondaryNameServersIPs = secondaryNameServersIPv4 ++ secondaryNameServersIPv6; secondaryNameServersIPs = secondaryNameServersIPv4 ++ secondaryNameServersIPv6;
# The local network segments.
allowedIPs = secondaryNameServersIPv4 ++ [ "172.16.0.0/12" ];
allowedIPv6s = secondaryNameServersIPv6 ++ [ "${privateIPv6Prefix}::/64" ];
dnsListenAddresses = with interfaces; [ dnsListenAddresses = with interfaces; [
internal.IPv4.address internal.IPv4.address
internal.IPv6.address internal.IPv6.address
@ -69,8 +73,8 @@ in
# Setting up the firewall to make less things to screw up in case anything is # Setting up the firewall to make less things to screw up in case anything is
# screwed up. # screwed up.
networking.firewall.extraInputRules = '' networking.firewall.extraInputRules = ''
meta l4proto {tcp, udp} th dport 53 ip saddr { ${lib.concatStringsSep ", " secondaryNameServersIPv4} } accept comment "Accept DNS queries from secondary nameservers" meta l4proto {tcp, udp} th dport 53 ip saddr { ${lib.concatStringsSep ", " allowedIPs} } accept comment "Accept DNS queries from secondary nameservers"
meta l4proto {tcp, udp} th dport 53 ip6 saddr { ${lib.concatStringsSep ", " secondaryNameServersIPv6} } accept comment "Accept DNS queries from secondary nameservers" meta l4proto {tcp, udp} th dport 53 ip6 saddr { ${lib.concatStringsSep ", " allowedIPv6s} } accept comment "Accept DNS queries from secondary nameservers"
''; '';
# The main DNS server. # The main DNS server.