# NixOS host configuration for the "ceres" machine: a microvm host whose
# physical NIC and VM tap interfaces are bridged on br-vms, with a static
# address on the bridge and an nftables-backed firewall.
{
  flake,
  ...
}:
let
  inherit (flake.config.machines.devices) ceres;
  inherit (flake.config.services) instances;
  # WireGuard port numbers come from the shared service definition so the
  # firewall rules below stay in sync with the tunnel configuration.
  wireguardService = instances.wireGuard;
in
{
  microvm.host.enable = true;

  systemd.network = {
    enable = true;
    netdevs."10-br-vms" = {
      netdevConfig = {
        Name = "br-vms";
        Kind = "bridge";
      };
    };

    networks = {
      # Enslave the physical uplink and the VM tap interfaces to the bridge.
      # "vm-*" presumably matches the microvm tap devices — confirm against
      # the interface naming the microvm module uses.
      "20-lan" = {
        matchConfig.Name = [
          "enp10s0"
          "vm-*"
        ];
        networkConfig = {
          Bridge = "br-vms";
        };
      };
      # The host's own address lives on the bridge, not on enp10s0.
      "30-br-vms" = {
        matchConfig.Name = "br-vms";
        networkConfig = {
          Address = "192.168.50.240/24";
          Gateway = "192.168.50.1";
          DNS = [ "192.168.50.1" ];
        };
        # network-online.target waits until the bridge has a route, so units
        # ordered after it see a usable network.
        linkConfig.RequiredForOnline = "routable";
      };
    };
  };

  networking = {
    hostName = ceres.name;
    # systemd-networkd owns the interfaces; keep NetworkManager and the
    # per-interface DHCP default off so nothing else reconfigures enp10s0.
    networkmanager.enable = false;
    nftables.enable = true;
    useDHCP = false;
    firewall = {
      enable = true;
      # Everything listed here is reachable on every interface, including the
      # LAN-facing bridge, so each entry should map to a service that really
      # listens on the host.
      allowedTCPPorts = [
        22 # SSH
        25 # SMTP
        139 # NetBIOS session service (SMB), not SMTP — confirm a file-sharing service listens here, otherwise drop it
        587 # SMTP submission
        2525 # SMTP (alternate submission port)
        9999 # NC — presumably an ad-hoc netcat listener; confirm it is still needed
        wireguardService.ports.port0 # WireGuard — the tunnel is UDP-only; this TCP entry is unnecessary unless something else listens on the port over TCP
      ];
      allowedUDPPorts = [
        wireguardService.ports.port0 # WireGuard
        wireguardService.ports.port1 # WireGuard
      ];
      # Add port ranges for VPN dynamic port forwarding
      # NOTE(review): this opens 30000-65535 over both TCP and UDP on every
      # interface, not just the tunnel. If the forwarded traffic only arrives
      # via WireGuard, scope the ranges with
      # networking.firewall.interfaces.<wg-interface>.allowedTCPPortRanges
      # (and the UDP counterpart) instead of the global lists.
      allowedTCPPortRanges = [
        {
          from = 30000;
          to = 65535;
        }
      ];
      allowedUDPPortRanges = [
        {
          from = 30000;
          to = 65535;
        }
      ];
    };
  };

  services = {
    avahi = {
      enable = true;
      # openFirewall adds mDNS (5353/udp) to the allowed UDP ports above.
      openFirewall = true;
      nssmdns4 = true;
      publish = {
        enable = true;
        userServices = true;
      };
    };
    # services.sshd.enable is, as far as I recall, an alias of
    # services.openssh.enable; setting both is harmless but redundant — verify.
    sshd.enable = true;
    openssh = {
      enable = true;
      # Key-based login only: password guessing against port 22 is rejected
      # before authentication.
      settings.PasswordAuthentication = false;
    };
  };
}