Configure firewall

configuration.nix

@@ -263,18 +263,44 @@ in
   };
 
   # Open ports in the firewall.
-  networking.firewall.allowedTCPPorts = [
-    (builtins.head ({ openssh.ports = [22]; } // node_config.services).openssh.ports)
-    3990 3991 3992          # Garage
-    4646 4647 4648          # Nomad
-    8500 8300 8301 8302     # Consul
-    19999                   # Netdata
-  ];
-  networking.firewall.allowedUDPPorts = [
-    4648                    # Nomad
-    8301 8302               # Consul
-    node_config.networking.wireguard.interfaces.wg0.listenPort
-  ];
+  networking.firewall = {
+    allowedTCPPorts = [
+      (builtins.head ({ openssh.ports = [22]; } // node_config.services).openssh.ports)
+      #3990 3991 3992          # Garage
+      #4646 4647 4648          # Nomad
+      #8500 8300 8301 8302     # Consul
+      #19999                   # Netdata
+    ];
+    allowedUDPPorts = [
+      #4648                    # Nomad
+      #8301 8302               # Consul
+      node_config.networking.wireguard.interfaces.wg0.listenPort
+    ];
+    extraCommands = ''
+      iptables -N VPN
+      iptables -A INPUT -s 10.42.0.0/16 -j VPN
+      iptables -A VPN -p tcp --dport 3990 -j ACCEPT
+      iptables -A VPN -p tcp --dport 3991 -j ACCEPT
+      iptables -A VPN -p tcp --dport 3992 -j ACCEPT
+      iptables -A VPN -p tcp --dport 4646 -j ACCEPT
+      iptables -A VPN -p tcp --dport 4647 -j ACCEPT
+      iptables -A VPN -p tcp --dport 4648 -j ACCEPT
+      iptables -A VPN -p udp --dport 4648 -j ACCEPT
+      iptables -A VPN -p tcp --dport 8500 -j ACCEPT
+      iptables -A VPN -p tcp --dport 8300 -j ACCEPT
+      iptables -A VPN -p tcp --dport 8301 -j ACCEPT
+      iptables -A VPN -p tcp --dport 8302 -j ACCEPT
+      iptables -A VPN -p udp --dport 8301 -j ACCEPT
+      iptables -A VPN -p udp --dport 8302 -j ACCEPT
+      iptables -A VPN -p tcp --dport 19999 -j ACCEPT
+    '';
+    #flush the chain then remove it
+    extraStopCommands = ''
+      iptables -D INPUT -s 10.42.0.0/16 -j VPN
+      iptables -F VPN
+      iptables -X VPN
+    '';
+  };
   # Or disable the firewall altogether.
   # networking.firewall.enable = false;
 

node/carcajou.nix

@@ -17,6 +17,12 @@
       prefixLength = 24;
     }
   ];
+  networking.interfaces.eno1.ipv6.addresses = [
+    {
+      address = "2a01:e0a:c:a720::22";
+      prefixLength = 64;
+    }
+  ];
 
   networking.wireguard.interfaces.wg0 = {
     ips = [ "10.42.0.22/16" ];

node/cariacou.nix

@@ -17,6 +17,12 @@
       prefixLength = 24;
     }
   ];
+  networking.interfaces.eno1.ipv6.addresses = [
+    {
+      address = "2a01:e0a:c:a720::21";
+      prefixLength = 64;
+    }
+  ];
 
   networking.wireguard.interfaces.wg0 = {
     ips = [ "10.42.0.21/16" ];

node/caribou.nix

@@ -17,6 +17,12 @@
       prefixLength = 24;
     }
   ];
+  networking.interfaces.eno1.ipv6.addresses = [
+    {
+      address = "2a01:e0a:c:a720::23";
+      prefixLength = 64;
+    }
+  ];
 
   networking.wireguard.interfaces.wg0 = {
     ips = [ "10.42.0.23/16" ];