-rw-r--r--modules/system/networking/default.nix3
-rw-r--r--modules/system/networking/firewall.nix15
-rw-r--r--modules/system/networking/firewall/default.nix11
-rw-r--r--modules/system/networking/firewall/fail2ban.nix (renamed from modules/system/networking/fail2ban.nix)0
-rw-r--r--modules/system/networking/vpn/tailscale.nix15
5 files changed, 25 insertions, 19 deletions
diff --git a/modules/system/networking/default.nix b/modules/system/networking/default.nix
index 96f89d0..7478a17 100644
--- a/modules/system/networking/default.nix
+++ b/modules/system/networking/default.nix
@@ -1,9 +1,8 @@
{
imports = [
+ ./firewall
./vpn
./dhcpcd.nix
- ./fail2ban.nix
- ./firewall.nix
./ipv6.nix
./loopback.nix
./networkmanager.nix
diff --git a/modules/system/networking/firewall.nix b/modules/system/networking/firewall.nix
deleted file mode 100644
index 39c5b03..0000000
--- a/modules/system/networking/firewall.nix
+++ /dev/null
@@ -1,15 +0,0 @@
-{ lib, ... }:
-let
- inherit (lib) mkForce;
-in
-{
- networking.firewall = {
- enable = true;
- allowedUDPPorts = mkForce [ ];
- allowedTCPPorts = mkForce [ ];
- allowPing = mkForce false;
- logReversePathDrops = true;
- logRefusedConnections = false;
- checkReversePath = mkForce false;
- };
-}
diff --git a/modules/system/networking/firewall/default.nix b/modules/system/networking/firewall/default.nix
new file mode 100644
index 0000000..074f398
--- /dev/null
+++ b/modules/system/networking/firewall/default.nix
@@ -0,0 +1,11 @@
+{
+ imports = [ ./fail2ban.nix ];
+
+ networking.firewall = {
+ enable = true;
+ allowPing = false;
+ logReversePathDrops = true;
+ logRefusedConnections = false;
+ checkReversePath = "loose";
+ };
+}
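Review bot: The new firewall/default.nix no longer carries the `allowedTCPPorts = mkForce [ ];` and `allowedUDPPorts = mkForce [ ];` definitions that the deleted firewall.nix had, so any other module that declares `networking.firewall.allowedTCPPorts` will now open those ports where the old configuration forcibly kept them closed; `allowPing = false` likewise lost its `mkForce` and can be overridden by a default-priority definition elsewhere. If this relaxation is intentional, a comment saying that per-host or per-service modules are expected to open their own ports would make it deliberate; if not, re-add the two lists as `allowedTCPPorts = lib.mkForce [ ];` and `allowedUDPPorts = lib.mkForce [ ];` under a `{ lib, ... }:` header. The move from `checkReversePath = mkForce false` to `"loose"` is a tightening (reverse-path filtering is now on) and appears to pair with `useRoutingFeatures = "both"` in tailscale.nix, so a one-line comment recording that reason would help.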
diff --git a/modules/system/networking/fail2ban.nix b/modules/system/networking/firewall/fail2ban.nix
index 6311b14..6311b14 100644
--- a/modules/system/networking/fail2ban.nix
+++ b/modules/system/networking/firewall/fail2ban.nix
diff --git a/modules/system/networking/vpn/tailscale.nix b/modules/system/networking/vpn/tailscale.nix
index 5d51594..21f471a 100644
--- a/modules/system/networking/vpn/tailscale.nix
+++ b/modules/system/networking/vpn/tailscale.nix
@@ -1,4 +1,15 @@
+{ config, ... }:
{
- services.tailscale.enable = true;
- networking.firewall.trustedInterfaces = [ "tailscale0" ];
+ networking.firewall.trustedInterfaces = [ "${config.services.tailscale.interfaceName}" ];
+
+ services.tailscale = {
+ enable = true;
+ useRoutingFeatures = "both";
+ };
+
+ # <https://tailscale.com/kb/1019/subnets/?tab=linux#step-1-install-the-tailscale-client>
+ boot.kernel.sysctl = {
+ "net.ipv4.ip_forward" = true;
+ "net.ipv6.conf.all.forwarding" = true;
+ };
}
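Review bot: The `boot.kernel.sysctl` block turns on `net.ipv4.ip_forward` and `net.ipv6.conf.all.forwarding` system-wide, so the host forwards packets between any of its interfaces, not only the Tailscale one; the linked Tailscale guide describes the manual install path, and the NixOS `services.tailscale` module already raises these forwarding sysctls when `useRoutingFeatures` is `"server"` or `"both"`, so the explicit block is most likely redundant and, if kept, should carry a comment saying why it is there. Combined with `trustedInterfaces`, every tailnet peer reaches this host unfiltered and, once routes are advertised, the host will forward for them; a comment such as `# tailnet peers are fully trusted and this host may act as a subnet router / exit node` makes that exposure explicit for the next reader. Minor style: `"${config.services.tailscale.interfaceName}"` interpolates a single string and can simply be `config.services.tailscale.interfaceName`.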