Merge branch 'main' of github.com:DarkGuibrine/NixConfig

2026-05-15 16:21:04 -03:00
parent cfe2ae761f cbd838fe21
commit b2410f2f4f
5 changed files with 32 additions and 71 deletions
@@ -22,6 +22,7 @@
    ## Segurança / rede
    bitwarden-desktop
    tailscale
+    netbird
    zerotierone
    cloudflared
    sunshine
@@ -12,5 +12,5 @@
    ./nix-helper.nix
    ./self-host/self-host.nix
    ./self-host/firewall.nix
-  ];
+    ];
 }
@@ -18,6 +18,10 @@
    unrar
    zerotierone
    ookla-speedtest
+    just
+    cargo
+    gcc
+    netbird

    ## Git
    gitFull
@@ -31,7 +35,6 @@
    python3

    ## Segurança
-    unbound
    dig
  ];
 }
@@ -6,22 +6,34 @@
  ...
 }:
 {
-
  # Open ports in the firewall.
  networking.firewall = {
-    enable = false;
+    enable = true;
    allowedTCPPorts = [
+      22
      80
+      81
      443
+      3000
      5335
      7777
+      9000
+      11000
    ];
-    allowedTCPPorts = [
-      5335
-      7777
-    ];
+
    trustedInterfaces = [ "tailscale0" "docker0" ];
-    allowedUDPPorts = [ config.services.tailscale.port ];
+    allowedUDPPorts = [
+      config.services.tailscale.port
+      53
+      5300
+      7777
+      40000
+    ];
+    extraCommands = ''
+      iptables -A PREROUTING -t nat -i eth0 -p TCP --dport 80 -j REDIRECT --to-port 8000
+      iptables -A PREROUTING -t nat -i eth0 -p TCP --dport 53 -j REDIRECT --to-port 5300
+      iptables -A PREROUTING -t nat -i eth0 -p UDP --dport 53 -j REDIRECT --to-port 5300
+    '';
  };

 }
@@ -16,35 +16,22 @@
    };
  };

-  # Open ports in the firewall.
-  networking.firewall = {
-    enable = false;
-    allowedTCPPorts = [
-      80
-      443
-    ];
-    allowedUDPPortRanges = [
-      {
-        from = 47998;
-        to = 48000;
-      }
-      {
-        from = 48002;
-        to = 48010;
-      }
-    ];
-    trustedInterfaces = [ "tailscale0" ];
-    allowedUDPPorts = [ config.services.tailscale.port ];
-  };

  boot.kernel.sysctl = {
    "net.ipv4.ip_unprivileged_port_start" = 53;
    "net.ipv6.conf.all.forwarding" = true;
+    "net.ipv6.conf.default.forwarding" = true;
  };

  users.groups.docker.gid = 131;
  virtualisation.docker = {
    enable = true;
+    daemon.settings = {
+        ipv6 = true;
+        fixed-cidr-v6 = "fd00:db8:1::/64";
+        ip6tables = true;
+        experimental = true;
+      };
  };

  services.tailscale = {
@@ -56,46 +43,4 @@
    ];
  };

-  services.unbound = {
-    enable = true;
-    settings = {
-      server = {
-        verbosity = 0;
-        interface = [ "0.0.0.0" "127.0.0.1" ];
-        port = 5335;
-
-        access-control = [
-          "127.0.0.0/8 allow"
-          "10.0.0.0/8 allow"
-          "172.16.0.0/12 allow"
-          "192.168.0.0/16 allow"
-        ];
-
-        do-ip4 = "yes";
-        do-udp = "yes";
-        do-tcp = "yes";
-        do-ip6 = "no";
-        prefer-ip6 = "no";
-
-        harden-glue = "yes";
-        harden-dnssec-stripped = "yes";
-        use-caps-for-id = "no";
-        edns-buffer-size = 1232;
-        prefetch = "yes";
-        num-threads = 1;
-        so-rcvbuf = "1m";
-
-        private-address = [
-          "192.168.0.0/16"
-          "169.254.0.0/16"
-          "172.16.0.0/12"
-          "10.0.0.0/8"
-          "fd00::/8"
-          "fe80::/10"
-          "100.0.0.0/8"
-        ];
-      };
-    };
-  };
-
 }