
Expose selective services

+25 -5
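--- a/modules/router/nftables.nix
+++ b/modules/router/nftables.nix
@@ -58,7 +58,15 @@
 
 tables.filter = {
 family = "inet";
-content = ''
+content = let
+inherit (config.networking.firewall) allowedTCPPorts allowedUDPPorts;
+tcpAccept = optionalString (allowedTCPPorts != []) ''
+tcp dport {${concatMapStringsSep ", " (x: toString x) allowedTCPPorts}} ct state new accept
+'';
+udpAccept = optionalString (allowedTCPPorts != []) ''
+udp dport {${concatMapStringsSep ", " (x: toString x) allowedUDPPorts}} ct state new accept
+'';
+in ''
 chain prerouting {
 type nat hook prerouting priority 0; policy accept;
 ${capturePortsRules}
@@ -85,6 +93,8 @@
 ip6 ecn not-ect accept
 udp dport dhcpv6-client ct state { new, untracked } accept
 udp dport 41641 ct state new accept
+${tcpAccept}
+${udpAccept}
 reject with icmpx type port-unreachable
 }
 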
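Review bot: The guard on the new `udpAccept` binding tests the wrong list: it checks `allowedTCPPorts != []` while the rule body renders `allowedUDPPorts`, so with TCP ports set and no UDP ports it emits `udp dport {}` (an empty set, which nft will most likely reject at load time), and with only UDP ports set the UDP rule is silently omitted. The fix is the one line `udpAccept = optionalString (allowedUDPPorts != []) ''`. Separately, neither accept rule carries an `iifname` match, so every port placed in `networking.firewall.allowedTCPPorts`/`allowedUDPPorts` is accepted on whichever interfaces reach this chain; the chain header that `${tcpAccept}` and `${udpAccept}` sit in starts outside the hunk, so it is worth confirming this is not the upstream-facing input path, or adding a comment stating that it is intentional.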
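--- a/modules/server/caddy.nix
+++ b/modules/server/caddy.nix
@@ -1,7 +1,9 @@
-{ lib, config, hostname, helpers, ... }:
+{ lib, config, hostname, helpers, ... } @ inputs:
 
 with lib;
 let
+inherit (import ../../lib/ipv4.nix inputs) ipv4;
+
 cfg = config.modules.server;
 
 domain = config.networking.domain;
@@ -99,7 +101,13 @@
 services.caddy = {
 enable = true;
 email = "phil@kitten.sh";
-extraConfig = ''
+extraConfig = let
+intern = config.modules.router.interfaces.internal;
+gateway = if config.modules.router.enable && intern != null
+then ipv4.prettyIp (ipv4.cidrToIpAddress intern.cidr)
+else null;
+addresses = filter (x: x != null) [ gateway "127.0.0.1" "[::1]" ];
+in ''
 (network_paths) {
 ${vaultwardenHandlerConfig}
 ${jellyfinHandlerConfig}
@@ -111,10 +119,12 @@
 ${knotConfig}
 
 :80 {
+bind ${concatStringsSep " " addresses}
 import network_paths
 }
 
 :443 {
+bind ${concatStringsSep " " addresses}
 import network_paths
 }
 '';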
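Review bot: The new `addresses` binding has no comment saying why the listener set is the internal gateway address plus loopback, yet that list is what keeps the proxied services off the other interfaces; a line such as `# Listen only on the LAN gateway and loopback so network_paths services are not reachable from the upstream side` above `addresses = ...` would record the intent. Note that `bind` is added only to the `:80` and `:443` blocks; whatever `${knotConfig}` expands to (not visible here) keeps Caddy's default of listening on all addresses, which may or may not be intended. When the router module is disabled the list collapses to `127.0.0.1 [::1]`, which is fine for a loopback-only host but worth stating in the same comment.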
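--- a/modules/server/sshd.nix
+++ b/modules/server/sshd.nix
@@ -22,8 +22,8 @@
 enable = true;
 } // helpers.linuxAttrs {
 settings.PermitRootLogin = mkDefault "no";
-openFirewall = mkDefault (!config.modules.router.enable);
-ports = [ 22 2222 ];
+openFirewall = mkDefault true;
+ports = [ 22 ];
 };
 };
 }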
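Review bot: `openFirewall = mkDefault true` removes the router-specific exception that previously kept SSH out of `allowedTCPPorts` on hosts with `modules.router.enable` set, and in the same commit the nftables module now turns that list into an accept rule with no interface match, so on the router port 22 becomes accepted wherever that chain applies rather than being left to the router's own ruleset. If the goal is LAN-only SSH on the router, the pairing of these two changes needs a comment here making that dependency explicit, e.g. `# Relies on modules/router/nftables.nix restricting allowedTCPPorts to the internal interface`, or the previous conditional should be kept. The drop of port 2222 also means any client pinned to it will fail to connect after this change, which the commit message does not mention.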