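{
  self,
  config,
  lib,
  pkgs,
  ...
}:
{
  imports = [
    ./hardware-configuration.nix
    ./hetzner-disk.nix
  ];

  networking = {
    hostName = "v6proxy";

    interfaces.eth0 = {
      ipv4.addresses = [
        {
          address = "178.104.18.93";
          prefixLength = 32;
        }
      ];

      ipv6 = {
        addresses = [
          {
            address = "2a01:4f8:1c19:96f8::1";
            prefixLength = 64;
          }
        ];
        # Default IPv6 route via the link-local gateway. Reaching fe80::1
        # depends on neighbour discovery, so the nftables input chain below
        # must accept ICMPv6 ND.
        routes = [
          { address = "::"; prefixLength = 0; via = "fe80::1"; }
        ];
      };
    };

    defaultGateway.address = "172.31.1.1";
    defaultGateway.interface = "eth0";

    nameservers = [
      "9.9.9.9"
      "1.1.1.1"
    ];

    # The NixOS firewall module is switched off on purpose: the hand-written
    # nftables ruleset below is the only packet filter on this host.
    firewall.enable = false;

    nftables = {
      enable = true;
      # NOTE(review): elements added to the blacklist sets at runtime (see the
      # nft-blacklist helper further down) live only in the kernel. Re-applying
      # this ruleset (nixos-rebuild switch, reboot) recreates the table and so
      # appears to discard them; persist entries here if they must survive.
      ruleset = ''
        table inet filter {
          set blacklist4 {
            type ipv4_addr
            flags interval
            # manage at runtime: nft add element inet filter blacklist4 { 1.2.3.0/24 }
          }

          set blacklist6 {
            type ipv6_addr
            flags interval
            # manage at runtime: nft add element inet filter blacklist6 { 2001:db8::/32 }
          }

          chain input {
            type filter hook input priority filter; policy drop;

            iif "lo" accept
            ct state established,related accept
            # packets conntrack cannot attribute to a flow should never reach
            # the service accepts below
            ct state invalid drop

            ip saddr @blacklist4 drop
            ip6 saddr @blacklist6 drop

            # Neighbour discovery is left untracked by conntrack, so it does not
            # match established,related and would fall through to the drop
            # policy, taking the fe80::1 gateway (and thus all IPv6) with it.
            # The error types keep path-MTU discovery working in both families.
            icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
            icmp type { destination-unreachable, time-exceeded, parameter-problem, echo-request } accept

            tcp dport { 22, 80, 443 } accept
          }

          chain forward {
            type filter hook forward priority filter; policy drop;
          }

          chain output {
            type filter hook output priority filter; policy accept;
          }
        }
      '';
    };
  };

  # once the instances are migrated into the flake this could be auto-generated
  services = {
    haproxy = {
      enable = true;
      # Port 80 is relayed as plain HTTP without PROXY protocol or
      # X-Forwarded-For, so the origin sees this host's address for that
      # traffic; the 443 path hands the client address on via send-proxy-v2.
      # The stats page is bound to 127.0.0.1 only and has no auth configured,
      # so it is readable by anyone with a local shell.
      config = ''
        global
          # schreibe globalen log ins journal ip -> app
          log /dev/log format raw local0
          maxconn 50000
          # man könnte metriken über einen socket file statt einen lokalen port machen für user permission control
          # stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
          tune.bufsize 32762

        defaults
          log global
          mode tcp
          option tcplog
          timeout connect 5s
          timeout client 30s
          timeout server 30s

        # stats seite zeigt backend connection status, wenn check gesetzt ist
        frontend stats
          bind 127.0.0.1:8404
          mode http
          stats enable
          stats uri /stats
          stats refresh 10s
          stats show-legends
          stats show-node
          stats show-modules

        frontend http-in
          bind :::80
          use_backend http_80

        frontend sni_router
          bind :::443
          mode tcp
          use_backend http_443

        backend http_80
          mode http
          server proxy 141.56.51.1:80
        backend http_443
          mode tcp
          server proxy 141.56.51.1:443 send-proxy-v2
      '';
    };
  };

  # Root-only helper for the runtime blacklist sets defined in the nftables
  # ruleset above. The address family is inferred from the argument (":" ->
  # blacklist6, "." -> blacklist4); the value is passed to nft quoted, so nft
  # itself validates the address or prefix.
  users.users.root.packages = [
    (pkgs.writeShellScriptBin "nft-blacklist" ''
      set -euo pipefail

      usage() {
        echo "Usage: nft-blacklist <add|del> <ip-or-cidr>"
        echo "  add - add entry to blacklist set"
        echo "  del - remove entry from blacklist set"
        exit 1
      }

      [[ $# -ne 2 ]] && usage

      ACTION="$1"
      ADDR="$2"

      if [[ "$ADDR" == *:* ]]; then
        SET="blacklist6"
      elif [[ "$ADDR" == *.* ]]; then
        SET="blacklist4"
      else
        echo "Error: cannot determine address family for '$ADDR'" >&2
        exit 1
      fi

      case "$ACTION" in
        add)
          ${pkgs.nftables}/bin/nft add element inet filter "$SET" "{ $ADDR }"
          echo "Added $ADDR to $SET"
          ;;
        del)
          ${pkgs.nftables}/bin/nft delete element inet filter "$SET" "{ $ADDR }"
          echo "Removed $ADDR from $SET"
          ;;
        *)
          usage
          ;;
      esac
    '')
  ];

  system.stateVersion = "25.11";
}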