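# NixOS module for the "v6proxy" host: an IPv6-reachable front door that
# terminates nothing itself and hands traffic on to the origin at 141.56.51.1.
#
#  - networking: static v4/v6 addressing, a hand-written nftables ruleset
#    (the NixOS firewall module is disabled in favour of it) with two
#    runtime-managed blacklist sets
#  - services.haproxy: port 80 proxied in HTTP mode, port 443 passed through
#    in TCP mode with PROXY protocol v2 so the origin sees the client address
#  - a root-only `nft-blacklist` helper for the blacklist sets
{ self, config, lib, pkgs, ... }:
{
  imports = [
    ./hardware-configuration.nix
    ./hetzner-disk.nix
  ];

  networking = {
    hostName = "v6proxy";

    interfaces.eth0 = {
      ipv4.addresses = [
        { address = "178.104.18.93"; prefixLength = 32; }
      ];
      ipv6 = {
        addresses = [
          { address = "2a01:4f8:1c19:96f8::1"; prefixLength = 64; }
        ];
        # Default route via the link-local gateway.
        routes = [
          { address = "::"; prefixLength = 0; via = "fe80::1"; }
        ];
      };
    };

    defaultGateway.address = "172.31.1.1";
    defaultGateway.interface = "eth0";
    nameservers = [ "9.9.9.9" "1.1.1.1" ];

    # The generic NixOS firewall is replaced by the explicit ruleset below.
    firewall.enable = false;

    nftables = {
      enable = true;
      # NOTE(review): entries added to the blacklist sets at runtime live only
      # in the kernel; a reload that flushes the ruleset discards them — confirm
      # how the nftables service behaves on nixos-rebuild before relying on it.
      ruleset = ''
        table inet filter {
          set blacklist4 {
            type ipv4_addr
            flags interval
            # manage at runtime: nft add element inet filter blacklist4 { 1.2.3.0/24 }
          }

          set blacklist6 {
            type ipv6_addr
            flags interval
            # manage at runtime: nft add element inet filter blacklist6 { 2001:db8::/32 }
          }

          chain input {
            type filter hook input priority filter; policy drop;

            iif "lo" accept
            ct state established,related accept
            ct state invalid drop

            ip saddr @blacklist4 drop
            ip6 saddr @blacklist6 drop

            # IPv6 does not work behind a drop policy without neighbour discovery
            # and path-MTU signalling; these are untracked by conntrack, so they
            # must be accepted explicitly. Echo-request is kept for reachability checks.
            icmpv6 type {
              destination-unreachable, packet-too-big, time-exceeded, parameter-problem,
              echo-request, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert
            } accept
            icmp type { destination-unreachable, time-exceeded, parameter-problem, echo-request } accept

            tcp dport { 22, 80, 443 } accept
          }

          chain forward {
            type filter hook forward priority filter; policy drop;
          }

          chain output {
            type filter hook output priority filter; policy accept;
          }
        }
      '';
    };
  };

  # Once the instances have been migrated into the flake, this could be generated automatically.
  services = {
    haproxy = {
      enable = true;
      config = ''
        global
          # write the global log to the journal (client ip -> app)
          log /dev/log format raw local0
          maxconn 50000
          # metrics could be served over a socket file instead of a local port,
          # which would allow user-permission control:
          # stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
          tune.bufsize 32762

        defaults
          log global
          mode tcp
          option tcplog
          timeout connect 5s
          timeout client 30s
          timeout server 30s

        # The stats page shows backend connection status once `check` is set on the servers.
        frontend stats
          bind 127.0.0.1:8404
          mode http
          stats enable
          stats uri /stats
          stats refresh 10s
          stats show-legends
          stats show-node
          stats show-modules

        frontend http-in
          bind :::80
          # explicit mode so the frontend matches its http backend instead of
          # inheriting `mode tcp` from defaults
          mode http
          use_backend http_80

        frontend sni_router
          bind :::443
          mode tcp
          use_backend http_443

        backend http_80
          mode http
          # plain HTTP is proxied at layer 7, so the origin would otherwise only
          # see this host's address; forward the client address in X-Forwarded-For
          option forwardfor
          server proxy 141.56.51.1:80

        backend http_443
          mode tcp
          # TCP passthrough; the origin must be configured to accept PROXY protocol v2
          server proxy 141.56.51.1:443 send-proxy-v2
      '';
    };
  };

  users.users.root.packages = [
    (pkgs.writeShellScriptBin "nft-blacklist" ''
      # Add or remove one address/prefix in the runtime-managed blacklist sets.
      set -euo pipefail

      usage() {
        echo "Usage: nft-blacklist {add|del} ADDRESS[/PREFIX]"
        echo "  add - add entry to blacklist set"
        echo "  del - remove entry from blacklist set"
        exit 1
      }

      if [[ $# -ne 2 ]]; then
        usage
      fi

      ACTION="$1"
      ADDR="$2"

      # Only address/prefix characters reach nft; whitespace, braces or
      # semicolons would otherwise be parsed as nft syntax.
      if [[ ! "$ADDR" =~ ^[0-9A-Fa-f:./]+$ ]]; then
        echo "Error: '$ADDR' is not a plain address or prefix" >&2
        exit 1
      fi

      # Pick the set from the address family.
      if [[ "$ADDR" == *:* ]]; then
        SET="blacklist6"
      elif [[ "$ADDR" == *.* ]]; then
        SET="blacklist4"
      else
        echo "Error: cannot determine address family for '$ADDR'" >&2
        exit 1
      fi

      case "$ACTION" in
        add)
          ${pkgs.nftables}/bin/nft add element inet filter "$SET" "{ $ADDR }"
          echo "Added $ADDR to $SET"
          ;;
        del)
          ${pkgs.nftables}/bin/nft delete element inet filter "$SET" "{ $ADDR }"
          echo "Removed $ADDR from $SET"
          ;;
        *)
          usage
          ;;
      esac
    '')
  ];

  system.stateVersion = "25.11";
}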