nas: set up wireguard and add missing services to firewall

2022-08-08 02:12:56 +02:00 · 2022-08-08 02:12:56 +02:00 · 9d6d31779e
parent d95cb53e56
commit 9d6d31779e
1 changed files with 54 additions and 3 deletions
--- a/nas/configuration.nix
+++ b/nas/configuration.nix
@ -55,10 +55,61 @@
      prefixLength = 24;
    }];

-    firewall.enable = false;
-
    hostName = "nas";
    hostId = "c9e40f42";
+
+    nat = {
+      enable = true;
+      externalInterface = "enp1s0";
+      internalInterfaces = [ "wg0" ];
+    };
+
+    firewall = {
+      enable = true;
+
+      allowedTCPPorts = [
+        22      # ssh
+        80      # http
+        139     # smb
+        443     # https
+        445     # smb
+        8096    # jellyfin
+        9091    # transmission webui
+        19999   # netdata
+        22000   # syncthing sync
+        51415   # transmission
+        51820   # wireguard
+      ];
+
+      allowedUDPPorts = [
+        21027   # syncthing discovery
+        22000   # syncthing sync
+        51415   # transmission
+        51820   # wireguard
+      ];
+    };
+
+    wireguard.interfaces.wg0 = {
+      ips = [ "10.100.0.1/32" ];
+      listenPort = 51820;
+      privateKeyFile = "/home/sijmen/wireguard-keys/private";
+
+      postSetup = ''
+        ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+      '';
+
+      postShutdown = ''
+        ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+      '';
+
+      peers = [
+        {
+          # thinkpad
+          publicKey = "Y2X8mT+LCXkjLjzRBcdglIKLYu68kvf5K0nKTEOWdGE=";
+          allowedIPs = [ "10.100.0.2/32" ];
+        }
+      ];
+    };
  };

  i18n.defaultLocale = "en_US.UTF-8";
@ -215,7 +266,7 @@
      server string = nas
      netbios name = nas
      security = user
-      hosts allow = 192.168.1.0/24, 10.2.0.0/24
+      hosts allow = 192.168.1.0/24, 10.2.0.0/24, 10.100.0.0/24
      guest account = nobody

      client min protocol = SMB3