| author | quentin@aristote.fr <quentin@aristote.fr> | 2023-06-26 22:01:08 +0200 |
|---|---|---|
| committer | quentin@aristote.fr <quentin@aristote.fr> | 2023-06-26 22:23:29 +0200 |
| commit | c7b7efb30112ce492569f8ddea591f14a5040f57 (patch) | |
| tree | 65032e1a3dbebc1b3b351515f419e7c7cfc27879 /config/networking/services | |
| parent | ffa8760638e20eee785f7ed4df9e2d56c18ffe53 (diff) | |
networking: detach enp3s0 from wan
Diffstat (limited to 'config/networking/services')
| -rw-r--r-- | config/networking/services/dhcp.nix | 2 | ||||
| -rw-r--r-- | config/networking/services/dns.nix | 13 | ||||
| -rw-r--r-- | config/networking/services/firewall/ruleset.nix | 14 |
3 files changed, 18 insertions, 11 deletions
diff --git a/config/networking/services/dhcp.nix b/config/networking/services/dhcp.nix
index 360eb66..e625a4d 100644
--- a/config/networking/services/dhcp.nix
+++ b/config/networking/services/dhcp.nix
@@ -4,7 +4,7 @@ let nets = config.personal.networking.networks;
 in {
 services.kea.dhcp4 = {
 enable = true;
- settings = let subnets = with nets; [ wan iot ];
+ settings = let subnets = with nets; [ wan iot eth0 ];
 in {
 interfaces-config.interfaces =
 builtins.map (network: network.interface) subnets;
diff --git a/config/networking/services/dns.nix b/config/networking/services/dns.nix
index cce2f17..9e70958 100644
--- a/config/networking/services/dns.nix
+++ b/config/networking/services/dns.nix
@@ -7,18 +7,21 @@ in {
 settings = {
 server = {
 module-config = ''"respip validator iterator"'';
- interface = [ "127.0.0.1" "${nets.wan.subnet}.1" "${nets.iot.subnet}.1" ];
+ interface = [ "127.0.0.1" "${nets.wan.subnet}.1" "${nets.iot.subnet}.1" "${nets.eth0.subnet}.1" ];
 access-control = [ "0.0.0.0/0 refuse" "127.0.0.0/8 allow" "${nets.wan.subnet}.0/24 allow" "${nets.iot.subnet}.0/24 allow"
+ "${nets.eth0.subnet}.0/24 allow"
 ];
 };
- rpz = {
- name = "rpz.oisd.nl";
- };
+ rpz = { name = "rpz.oisd.nl"; };
 };
 };
 }
diff --git a/config/networking/services/firewall/ruleset.nix b/config/networking/services/firewall/ruleset.nix
index 7184de7..5871385 100644
--- a/config/networking/services/firewall/ruleset.nix
+++ b/config/networking/services/firewall/ruleset.nix
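Review bot: In the dns.nix hunk the served-network list is now spelled out three times by hand — once in `interface`, once in `access-control`, and again in dhcp.nix's `subnets` — so the next network added has to be remembered in all three places; this commit got them in step, but the duplication is what makes drift likely. Drift is fail-closed on the unbound side (an address in `interface` with no matching `allow` is refused; an `allow` with no bound address serves nothing), so the risk is an outage rather than exposure, but deriving both lists from one `subnets` list, in the same shape dhcp.nix already uses, removes the hand-maintained copies and makes the "/24 and .1 are the router" assumption explicit. The existing entries already assume `subnet` is the first three octets of a /24; the rewrite below keeps that assumption and says so in a comment. The enclosing `in {` and the `settings` set begin outside the hunk.
```nix
settings = let subnets = with nets; [ wan iot eth0 ]; in {
  server = {
    module-config = ''"respip validator iterator"'';
    # Bind the router's .1 on every served network and answer only those /24s;
    # `subnet` is taken to be the first three octets, as the previous entries did.
    interface = [ "127.0.0.1" ] ++ map (n: "${n.subnet}.1") subnets;
    access-control = [ "0.0.0.0/0 refuse" "127.0.0.0/8 allow" ]
      ++ map (n: "${n.subnet}.0/24 allow") subnets;
  };
  # … unchanged: rpz …
```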
@@ -101,12 +101,14 @@ in {
 chains = {
 wan_in.rules = with rulesCommon; dns + dhcp + ssh + ssdp;
 iot_in.rules = with rulesCommon; dns + dhcp + igmp;
+ eth0_in.rules = with rulesCommon; dns + dhcp;
 input = makeBaseChain "filter" "input" {
 rules = with rulesCommon; conntrack + ping + ''
- meta iifname vmap { lo : accept \
- , ${nets.wan.interface} : goto wan_in \
- , ${nets.iot.interface} : goto iot_in }
+ meta iifname vmap { lo : accept \
+ , ${nets.wan.interface} : goto wan_in \
+ , ${nets.iot.interface} : goto iot_in \
+ , ${nets.eth0.interface} : goto eth0_in }
 '';
 };
 iot_wan.rules = rulesCommon.sonos.player-controller;
@@ -118,8 +120,10 @@ in {
 '' + conntrack + ''
 meta oifname ${nets.lan.interface} accept
 meta iifname . meta oifname vmap \
- { ${nets.wan.interface} . ${nets.iot.interface} : goto wan_iot \
- , ${nets.iot.interface} . ${nets.wan.interface} : goto iot_wan }
+ { ${nets.wan.interface} . ${nets.iot.interface} \
+ : goto wan_iot \
+ , ${nets.iot.interface} . ${nets.wan.interface} \
+ : goto iot_wan }
 '';
 };
 };
|
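Review bot: The new `eth0_in` chain admits only `dns + dhcp`, so unlike `wan_in` it does not accept `ssh` on the detached interface; whether anything else on that link reaches the host depends on the policy `makeBaseChain` installs, which is outside the hunk. If enp3s0 is the port this router is administered over, the commit removes remote management on it without saying so — possibly intended, since the commit title only says "detach", but the reader cannot tell. Either add `ssh` (`eth0_in.rules = with rulesCommon; dns + dhcp + ssh;`) or record the decision next to the chain: `# eth0: DHCP/DNS only, deliberately no ssh -- management stays on wan`. The enclosing `chains` set continues outside the hunk.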
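Review bot: The forward vmap in the second hunk still dispatches only the `wan . iot` and `iot . wan` pairs, so traffic between `${nets.eth0.interface}` and either of those networks matches no entry and falls to the forward chain's default, which sits outside the hunk; the only forwarding eth0 hosts receive is the unconditional `meta oifname ${nets.lan.interface} accept` two lines above, plus conntrack replies. That is a reasonable isolation posture for a freshly detached port, but nothing in the ruleset says it is deliberate, and a later reader may "fix" it by adding the pairs without a dedicated chain. Suggest a comment beside the vmap, `# eth0 is intentionally absent: it is only forwarded towards ${nets.lan.interface}`, or, if eth0 clients are meant to reach wan/iot, explicit `eth0_wan`/`wan_eth0` chains with their own rules rather than a bare `accept`. The enclosing forward chain's `rules` string starts before the hunk.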
