| author | Alejandro Soto <alejandro@34project.org> | 2025-01-18 13:36:50 -0600 |
|---|---|---|
| committer | Alejandro Soto <alejandro@34project.org> | 2025-01-22 20:53:35 -0600 |
| commit | 9bc15fd531da793bc2f15a486c40351974bd3f85 (patch) | |
| tree | 66bcde0d9fb7a3687c30194095862520fcf0aa0c /sys | |
| parent | f92d8e05e604f51f053c37ec47830ceae531bd38 (diff) | |
sys: remove IPv4 on dmz, gate; enable DNS64 for dmz
Diffstat (limited to '')
| -rw-r--r-- | sys/net/fail2ban.nix | 3 | ||||
| -rw-r--r-- | sys/nspawn/dmz.nix | 57 | ||||
| -rw-r--r-- | sys/preset/dmz.nix | 7 |
3 files changed, 30 insertions, 37 deletions
diff --git a/sys/net/fail2ban.nix b/sys/net/fail2ban.nix
index 998de21..51aab32 100644
--- a/sys/net/fail2ban.nix
+++ b/sys/net/fail2ban.nix
@@ -23,8 +23,7 @@ in
 };
 ignoreIP = [
- nets.vpn0.v4.cidr
- nets.gate0.v4.cidr
+ nets.static-vpn.v6.cidr
 nets.gate0.v6.cidr
 nets.gate-public.hosts.gate.v4.address
 nets.gate-public.hosts.gate.v6.address
diff --git a/sys/nspawn/dmz.nix b/sys/nspawn/dmz.nix
index 905e491..52b588c 100644
--- a/sys/nspawn/dmz.nix
+++ b/sys/nspawn/dmz.nix
@@ -12,13 +12,12 @@ in
 options.local.nspawn.dmz = {
 enable = mkEnableOption "DMZ services in a container";
- netName = mkOption {
+ dns64 = mkOption {
 type = types.str;
 };
- net = mkOption {
+ netName = mkOption {
 type = types.str;
- readOnly = true;
 };
 net6 = mkOption {
@@ -26,16 +25,6 @@ in
 readOnly = true;
 };
- dmzAddr = mkOption {
- type = types.str;
- readOnly = true;
- };
-
- hostAddr = mkOption {
- type = types.str;
- readOnly = true;
- };
-
 hostAddr6 = mkOption {
 type = types.str;
 readOnly = true;
@@ -66,11 +55,9 @@ in
 config = mkIf cfg.enable {
 local = {
- mailHost.mdaListen = cfg.hostAddr;
+ mailHost.mdaListen = cfg.hostAddr6;
 nspawn.dmz = {
- dmzAddr = dmzNet.hosts.dmz.v4.address;
- hostAddr = dmzNet.hosts.gateway.v4.address;
 hostAddr6 = dmzNet.hosts.gateway.v6.address;
 system =
@@ -85,14 +72,14 @@ in
 };
 mta = {
- mdaAddr = mailHost.mdaListen;
+ mdaAddr = "[${mailHost.mdaListen}]";
 inherit (mailHost) saslPort lmtpPort;
 };
 web.sites = {
 home = {
 enable = hassEnable;
- proxyUrl = "http://${cfg.hostAddr}:${toString hassPort}";
+ proxyUrl = "http://[${cfg.hostAddr6}]:${toString hassPort}";
 };
 };
 };
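Review bot: The replacement exempts the whole `nets.static-vpn.v6.cidr` prefix from banning, so every host inside it is trusted regardless of its behaviour; that is only safe if the prefix is sized to the VPN clients rather than a broader range, which the hunk cannot show. Nothing on the list records why each range is exempt; a comment above it, `# VPN clients and the gateway's own addresses are never banned`, would make later edits safer. The gateway's public IPv4 address stays in the list although the commit title says IPv4 is removed from gate, so presumably the public side remains dual-stack — worth stating rather than leaving the reader to infer it.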
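Review bot: The new `dns64` option has a type but no `description`, and unlike the read-only options around it this is the one value a user of the module must supply, so nothing tells them what form it takes. Since a later hunk feeds it to the container as its sole resolver (`DNS = [ cfg.dns64 ]` with RA-advertised servers ignored), add `description = "Address of the DNS64 resolver handed to the container as its only DNS server";` inside the mkOption. `types.str` accepts any text; if only an IP literal is valid, saying so in the description lets a mistyped value be spotted before networkd silently ignores it.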
@@ -117,17 +104,23 @@ in
 name = "host0";
 networkConfig = {
- DHCP = "ipv4";
+ DNS = [ cfg.dns64 ];
+
+ DHCP = "no";
 IPv6AcceptRA = "yes";
 LinkLocalAddressing = "ipv6";
 };
- ipv6AcceptRAConfig.Token = [
- "static:${dmzNet.hosts.dmz.v6.address}"
- "eui64"
- "static:${dmzNet.hosts.mta.v6.address}"
- "static:${dmzNet.hosts.web.v6.address}"
- ];
+ ipv6AcceptRAConfig = {
+ Token = [
+ "static:::${dmzNet.hosts.dmz.v6.suffix}"
+ "eui64"
+ "static:::${dmzNet.hosts.mta.v6.suffix}"
+ "static:::${dmzNet.hosts.web.v6.suffix}"
+ ];
+
+ UseDNS = false;
+ };
 };
 };
 };
@@ -147,8 +140,8 @@ in
 services = {
 home-assistant.config.http = mkIf hassEnable {
- server_host = [ cfg.hostAddr ];
- trusted_proxies = [ cfg.dmzAddr ];
+ server_host = [ cfg.hostAddr6 ];
+ trusted_proxies = [ dmzNet.hosts.web.v6.address ];
 use_x_forwarded_for = true;
 };
 };
@@ -172,21 +165,15 @@ in
 };
 networkConfig = {
- Address = [ dmzNet.hosts.gateway.v4.cidr dmzNet.hosts.gateway.v6.cidr ];
+ Address = [ dmzNet.hosts.gateway.v6.cidr ];
 LinkLocalAddressing = "yes";
- DHCPServer = "yes";
+ DHCPServer = "no";
 IPMasquerade = "no";
 LLDP = "yes";
 EmitLLDP = "customer-bridge";
 IPv6SendRA = "yes";
 };
- # IP de contenedor fijada en hostAddr + 1
- dhcpServerConfig = {
- PoolOffset = 2;
- PoolSize = 1;
- };
-
 ipv6Prefixes = [
 {
 Assign = "yes";
diff --git a/sys/preset/dmz.nix b/sys/preset/dmz.nix
index eae58cc..4a3fc69 100644
--- a/sys/preset/dmz.nix
+++ b/sys/preset/dmz.nix
@@ -41,6 +41,13 @@ in
 web.sites.portal.enable = true;
 };
+ services = {
+ resolved = {
+ llmnr = "false";
+ fallbackDns = [ ]; # Disable the default systemd-resolved server list
+ };
+ };
+
 users = {
 allowNoPasswordLogin = cfg.container;
 mutableUsers = false; |
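Review bot: `UseDNS = false` under `ipv6AcceptRAConfig` is the security-relevant line of this hunk — it keeps RDNSS entries carried in router advertisements from displacing the statically configured DNS64 server — but nothing says so, and a later tidy-up could drop it as noise. A comment such as `# ignore RDNSS from RAs: cfg.dns64 must stay the container's only resolver` next to it would pin the intent. `DNS = [ cfg.dns64 ]` names a single server with no transport or validation setting visible here; whether that resolver is reached over a link the container can trust is not something the hunk shows, so it is worth confirming where it lives. The enclosing container network definition starts above the hunk.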
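Review bot: `trusted_proxies = [ dmzNet.hosts.web.v6.address ]` trusts X-Forwarded-For only from the web token address, yet the earlier Token list gives the container several addresses on the same prefix (dmz, eui64, mta, web), and source-address selection chooses among them unless the proxy binds explicitly. If the reverse proxy connects from the dmz or eui64 address, Home Assistant will reject the forwarded header rather than trust a wrong one — it fails safe, but the proxied site breaks. Confirm that the web server binds its upstream connections to the web address, and record the coupling beside the option, e.g. `# must equal the source address the web proxy uses for upstream connections`.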
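Review bot: `LinkLocalAddressing = "yes"` on the host side of the veth still enables IPv4 link-local addressing even though the IPv4 address and the DHCP server are removed in this hunk, while the container side in the host0 hunk uses `LinkLocalAddressing = "ipv6"`. Leaving IPv4LL on keeps an unmanaged IPv4 path on a link the commit intends to be IPv6-only; `LinkLocalAddressing = "ipv6";` would match the container side and close it. The networkConfig block is complete inside the hunk but the enclosing network definition begins above it.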
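Review bot: The resolved block turns off LLMNR and the fallback server list but says nothing about DNSSEC, and the system this preset builds (presumably the one inside the container, given `cfg.container`) now resolves only through a DNS64 server per the nspawn hunks; AAAA records synthesised by DNS64 do not carry valid signatures, so a validating stub would reject them. Set the mode explicitly, `dnssec = "false"; # DNS64-synthesised AAAA records cannot validate`, rather than relying on the module default, so the intent survives a default change. Multicast DNS is not addressed either; if it should be off like LLMNR, that deserves a line in the same block.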
