nas: set up wireguard and add missing services to firewall

Sijmen 2022-08-08 02:12:56 +02:00
parent d95cb53e56
commit 9d6d31779e


@ -55,10 +55,61 @@
prefixLength = 24;
}];
firewall.enable = false;
hostName = "nas";
hostId = "c9e40f42";
nat = {
enable = true;
externalInterface = "enp1s0";
internalInterfaces = [ "wg0" ];
};
firewall = {
enable = true;
allowedTCPPorts = [
22 # ssh
80 # http
139 # smb
443 # https
445 # smb
8096 # jellyfin
9091 # transmission webui
19999 # netdata
22000 # syncthing sync
51415 # transmission
51820 # wireguard
];
allowedUDPPorts = [
21027 # syncthing discovery
22000 # syncthing sync
51415 # transmission
51820 # wireguard
];
};
wireguard.interfaces.wg0 = {
ips = [ "10.100.0.1/32" ];
listenPort = 51820;
privateKeyFile = "/home/sijmen/wireguard-keys/private";
postSetup = ''
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
'';
postShutdown = ''
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
'';
peers = [
{
# thinkpad
publicKey = "Y2X8mT+LCXkjLjzRBcdglIKLYu68kvf5K0nKTEOWdGE=";
allowedIPs = [ "10.100.0.2/32" ];
}
];
};
};
i18n.defaultLocale = "en_US.UTF-8";
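Review bot: The MASQUERADE rules in `postSetup`/`postShutdown` use `-o eth0`, while `nat.externalInterface` in the same block is `"enp1s0"`, so on this host the hand-written rule matches no outgoing traffic; since `networking.nat` with `internalInterfaces = [ "wg0" ]` already masquerades wg0 traffic out of enp1s0, the two hooks are redundant and can be removed rather than corrected. `allowedTCPPorts`/`allowedUDPPorts` apply to every interface including the NAT external one, so SSH, SMB (139/445), Jellyfin, the Transmission web UI and netdata are opened towards whatever enp1s0 connects to; if that is not a trusted LAN, scope them per interface (`networking.firewall.interfaces.wg0.allowedTCPPorts = [ … ];` plus the LAN interface) and keep only `51820` UDP global. `51820 # wireguard` in `allowedTCPPorts` can be dropped, as WireGuard speaks UDP only. The private key is read from `/home/sijmen/wireguard-keys/private`, inside a user's home; presumably it should live root-owned with mode 0600 outside any user-writable directory — confirm the file's ownership. The enclosing `networking` attribute set starts before this hunk.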
@ -215,7 +266,7 @@
server string = nas
netbios name = nas
security = user
hosts allow = 192.168.1.0/24, 10.2.0.0/24
hosts allow = 192.168.1.0/24, 10.2.0.0/24, 10.100.0.0/24
guest account = nobody
client min protocol = SMB3