diff --git a/hosts/Alfa/conf/GM/Pkgs/pkgs.nix b/hosts/Alfa/conf/GM/Pkgs/pkgs.nix
index 0715a55..3a8e9c1 100644
--- a/hosts/Alfa/conf/GM/Pkgs/pkgs.nix
+++ b/hosts/Alfa/conf/GM/Pkgs/pkgs.nix
@@ -22,6 +22,7 @@
  ## Segurança / rede
  bitwarden-desktop
  tailscale
+ netbird
  zerotierone
  cloudflared
  sunshine
diff --git a/hosts/darkgui-vps/config/imp.nix b/hosts/darkgui-vps/config/imp.nix
index 3847202..77ba4e0 100644
--- a/hosts/darkgui-vps/config/imp.nix
+++ b/hosts/darkgui-vps/config/imp.nix
@@ -12,5 +12,5 @@
  ./nix-helper.nix
  ./self-host/self-host.nix
  ./self-host/firewall.nix
- ];
+ ];
 }
diff --git a/hosts/darkgui-vps/config/pkgs.nix b/hosts/darkgui-vps/config/pkgs.nix
index dec1e31..f7358c7 100644
--- a/hosts/darkgui-vps/config/pkgs.nix
+++ b/hosts/darkgui-vps/config/pkgs.nix
@@ -18,6 +18,10 @@
  unrar
  zerotierone
  ookla-speedtest
+ just
+ cargo
+ gcc
+ netbird
  ## Git
  gitFull
@@ -31,7 +35,6 @@
  python3
  ## Segurança
- unbound
  dig
  ];
 }
diff --git a/hosts/darkgui-vps/config/self-host/firewall.nix b/hosts/darkgui-vps/config/self-host/firewall.nix
index 7088305..29c5456 100644
--- a/hosts/darkgui-vps/config/self-host/firewall.nix
+++ b/hosts/darkgui-vps/config/self-host/firewall.nix
@@ -6,22 +6,34 @@
  ...
 }: {
- # Open ports in the firewall.
  networking.firewall = {
- enable = false;
+ enable = true;
  allowedTCPPorts = [
+ 22
  80
+ 81
  443
+ 3000
  5335
  7777
+ 9000
+ 11000
  ];
- allowedTCPPorts = [
- 5335
- 7777
- ];
+ trustedInterfaces = [ "tailscale0" "docker0" ];
- allowedUDPPorts = [ config.services.tailscale.port ];
+ allowedUDPPorts = [
+ config.services.tailscale.port
+ 53
+ 5300
+ 7777
+ 40000
+ ];
+ extraCommands = ''
+ iptables -A PREROUTING -t nat -i eth0 -p TCP --dport 80 -j REDIRECT --to-port 8000
+ iptables -A PREROUTING -t nat -i eth0 -p TCP --dport 53 -j REDIRECT --to-port 5300
+ iptables -A PREROUTING -t nat -i eth0 -p UDP --dport 53 -j REDIRECT --to-port 5300
+ '';
  };
 }
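Review bot: In firewall.nix the new `allowedUDPPorts` entries 53 and 5300, combined with the `extraCommands` REDIRECT rules on `eth0`, expose whatever listens on 5300 to the whole internet, while the unbound `access-control` list that previously limited answers to loopback and RFC1918 ranges is deleted in the same commit — if the 5300 listener is a recursive resolver, this host becomes an open resolver and a DNS amplification source. Since `tailscale0` is already in `trustedInterfaces`, DNS and the admin-style TCP ports (81, 3000, 9000, 11000) can be dropped from the global lists and reached over the tunnel, or scoped with `networking.firewall.interfaces.tailscale0.allowedTCPPorts`; 5335 was unbound's listen port and looks stale now that the service is gone. Listing `docker0` in `trustedInterfaces` lets every container reach every host port, including 22, regardless of the lists above, so a comment stating that this is intended (or removing it) is warranted. The `iptables -A PREROUTING -t nat` rules are also not undone by the NixOS firewall on stop/reload and will likely accumulate as duplicates; add matching `iptables -t nat -D ...` lines to `networking.firewall.extraStopCommands`, or guard each with `iptables -t nat -C ... || iptables -t nat -A ...`.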
diff --git a/hosts/darkgui-vps/config/self-host/self-host.nix b/hosts/darkgui-vps/config/self-host/self-host.nix
index d297a45..46a3e09 100644
--- a/hosts/darkgui-vps/config/self-host/self-host.nix
+++ b/hosts/darkgui-vps/config/self-host/self-host.nix
@@ -16,35 +16,22 @@
  };
  };
- # Open ports in the firewall.
- networking.firewall = {
- enable = false;
- allowedTCPPorts = [
- 80
- 443
- ];
- allowedUDPPortRanges = [
- {
- from = 47998;
- to = 48000;
- }
- {
- from = 48002;
- to = 48010;
- }
- ];
- trustedInterfaces = [ "tailscale0" ];
- allowedUDPPorts = [ config.services.tailscale.port ];
- };
  boot.kernel.sysctl = {
  "net.ipv4.ip_unprivileged_port_start" = 53;
  "net.ipv6.conf.all.forwarding" = true;
+ "net.ipv6.conf.default.forwarding" = true;
  };
  users.groups.docker.gid = 131;
  virtualisation.docker = {
  enable = true;
+ daemon.settings = {
+ ipv6 = true;
+ fixed-cidr-v6 = "fd00:db8:1::/64";
+ ip6tables = true;
+ experimental = true;
+ };
  };
  services.tailscale = {
@@ -56,46 +43,4 @@
  ];
  };
- services.unbound = {
- enable = true;
- settings = {
- server = {
- verbosity = 0;
- interface = [ "0.0.0.0" "127.0.0.1" ];
- port = 5335;
- access-control = [
- "127.0.0.0/8 allow"
- "10.0.0.0/8 allow"
- "172.16.0.0/12 allow"
- "192.168.0.0/16 allow"
- ];
- do-ip4 = "yes";
- do-udp = "yes";
- do-tcp = "yes";
- do-ip6 = "no";
- prefer-ip6 = "no";
- harden-glue = "yes";
- harden-dnssec-stripped = "yes";
- use-caps-for-id = "no";
- edns-buffer-size = 1232;
- prefetch = "yes";
- num-threads = 1;
- so-rcvbuf = "1m";
- private-address = [
- "192.168.0.0/16"
- "169.254.0.0/16"
- "172.16.0.0/12"
- "10.0.0.0/8"
- "fd00::/8"
- "fe80::/10"
- "100.0.0.0/8"
- ];
- };
- };
- };
 }
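Review bot: `experimental = true` in the new `daemon.settings` block enables every experimental dockerd feature, not just what `ip6tables` needs, and nothing in the hunk records why it is there; add a comment such as `# experimental: only needed for ip6tables on older Docker releases -- re-check after upgrading` and drop the flag if the installed Docker no longer requires it. `fixed-cidr-v6 = "fd00:db8:1::/64"` is a ULA prefix, so containers receive non-routable v6 addresses; now that `net.ipv6.conf.all.forwarding` and `default.forwarding` are both on, a one-line comment saying whether container v6 egress is expected to be masqueraded by `ip6tables` would spare the next reader a guess. The enclosing module body starts before this hunk and the `services.tailscale` block on its last line continues past it.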