dual ip for forgejo, remove nft

asyncnomi 2025-06-23 00:45:00 +02:00
parent 18c721bd99
commit 19b2eb37e5
3 changed files with 30 additions and 73 deletions


@ -213,7 +213,7 @@ in
deployment.tags = [ "postfix" ];
vogon.networking = {
last-octet = 163;
last-octet = [ 163 ];
wan-mac = "00:16:3e:c7:aa:78";
};
@ -228,7 +228,7 @@ in
deployment.tags = [ "git" "forgejo" ];
vogon.networking = {
last-octet = 164;
last-octet = [ 164 165 ];
wan-mac = "00:16:3e:cc:71:f3";
};
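Review bot: The octets in `last-octet = [ 164 165 ];` are also spelled out by hand as `sys-ip = "193.54.193.164";` and `git-ip = "193.54.193.165";` in the Forgejo module of this same commit, so the two files can silently drift apart (a changed octet here would leave sshd and Forgejo bound to addresses the interface no longer has). Deriving the addresses from the host option avoids that, e.g. `sys-ip = "193.54.193.${toString (builtins.elemAt config.vogon.networking.last-octet 0)}";` and the same with index 1 for `git-ip`, or a comment on this line noting that the Forgejo module depends on this exact order. The `vogon.networking` set is complete in the hunk; the surrounding host definition continues outside it.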


@ -6,6 +6,9 @@ let
domain = "federez.net";
fqdn = "git.${domain}";
sys-ip = "193.54.193.164";
git-ip = "193.54.193.165";
in
{
age.secrets = lib.mapAttrs
@ -21,6 +24,14 @@ in
postgresqlDatabases = [ cfg.database.name ];
};
services.openssh = {
listenAddresses = [{
addr = "${sys-ip}";
port = 22;
}];
startWhenNeeded = false;
};
services.forgejo = {
enable = true;
user = "forgejo";
@ -39,8 +50,9 @@ in
DOMAIN = "${fqdn}";
ROOT_URL = "https://${fqdn}/";
HTTP_PORT = 3000;
SSH_PORT = 222;
SSH_LISTEN_PORT = 2222;
SSH_LISTEN_HOST = "${git-ip}";
SSH_PORT = 22;
SSH_LISTEN_PORT = 22;
START_SSH_SERVER = true;
# Forgejo is installed under the forgejo user
# The builtin ssh server user must match this
@ -90,6 +102,12 @@ in
${adminCmd} change-password --username ${user} --password "$(tr -d '\n' < ${pwd})" || true
'';
systemd.services.forgejo.serviceConfig = {
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
PrivateUsers = lib.mkForce false;
};
services.nginx = {
enable = true;
recommendedProxySettings = true;
@ -102,67 +120,5 @@ in
};
};
# Setup port redirection and input filtering
networking = {
nat.enable = false;
firewall.enable = false;
nftables = {
enable = true;
checkRuleset = false;
# NixOs add is own shit, YANK IT :)
flushRuleset = true;
tables = {
filter = {
content = ''
chain input {
type filter hook input priority 0
policy drop
# Authorized already setup connection
ct state related,established accept
# Reject sus stuff
ct state invalid counter drop
tcp flags & (fin|syn|rst|ack) != syn ct state new counter drop
# ICMP
icmp type { echo-request } limit rate 4/second accept
icmpv6 type { echo-request } limit rate 4/second accept
ip protocol icmp accept
icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
# SSH
tcp dport 22 accept
# HTTP/HTTPS
tcp dport {443,80} accept
# Allow loopback
iif lo accept
# Log anything else
ip protocol tcp counter log prefix "tcp.in.dropped: "
ip protocol udp counter log prefix "udp.in.dropped: "
}
'';
family = "inet";
};
nat = {
content = ''
chain prerouting {
type nat hook prerouting priority -100
policy accept
# Port redirection
tcp dport 222 redirect to :2222
}
'';
family = "inet";
};
};
};
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
}
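Review bot: `PrivateUsers = lib.mkForce false;` in the `systemd.services.forgejo.serviceConfig` hunk turns off a sandboxing default of the Forgejo module without saying why; presumably it is needed because the `AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ]` granted just above would not let the builtin ssh server bind port 22 from inside a user namespace, and that reasoning belongs on the line, e.g. `# PrivateUsers would leave CAP_NET_BIND_SERVICE ineffective for the builtin ssh server on port 22`. While here, check that the module's own `CapabilityBoundingSet` definition (if it sets one) merges with the list given here rather than conflicting, and that `git.federez.net` resolves to `git-ip` (165) rather than `sys-ip`, since otherwise ssh clones reach the system sshd and not Forgejo. With the nftables ruleset gone, the last hunk's `networking.firewall.allowedTCPPorts = [ 80 443 ];` relies on the NixOS default firewall being enabled again (the old `firewall.enable = false` was removed) and on `services.openssh.openFirewall` for port 22; the ICMP rate limit and the drop logging of the old ruleset are not carried over, which may be intended but is worth a sentence in the commit message. The enclosing module attribute set starts before the first hunk.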


@ -8,11 +8,12 @@ in
options.vogon = {
networking = {
last-octet = mkOption {
type = types.ints.between 161 174;
description = '''
Dernier octet de l'IPv4 de la machine.
type = types.listOf (types.ints.between 161 174);
description = ''
Liste des derniers octets de l'IPv4 de la machine.
'';
example = 163;
example = [ 163 165 ];
};
wan-mac = mkOption {
type = types.str;
@ -32,7 +33,7 @@ in
};
networks."10-wan" = {
matchConfig.Name = "wan";
address = [ "193.54.193.${toString cfg.networking.last-octet}/28" ];
address = map (octet: "193.54.193.${toString octet}/28") cfg.networking.last-octet;
routes = [ { Gateway = "193.54.193.174"; } ];
linkConfig.RequiredForOnline = "routable";
};
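Review bot: The new `type = types.listOf (types.ints.between 161 174);` accepts an empty list, which the old single-int type could not, and `address = map (octet: ...) cfg.networking.last-octet` then evaluates fine while leaving the `wan` interface without any address; `type = types.nonEmptyListOf (types.ints.between 161 174);` keeps the old guarantee. Duplicate octets are also accepted and would produce the same address twice in `address`, so the description should at least say the entries are expected to be distinct. The `options.vogon` set and the `networks."10-wan"` definition both continue outside their hunks.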