modules.services.xray: fix firewall
This commit is contained in:
parent
17a5e27a49
commit
58bd1dd0b9
@ -105,7 +105,6 @@ inputs:
|
||||
++ [{ name = "4006024680.com"; value = "192.168.199.1"; }]
|
||||
);
|
||||
};
|
||||
firewall.trustedInterfaces = [ "virbr0" "waydroid0" ];
|
||||
acme.cert."debug.mirism.one" = {};
|
||||
frpClient =
|
||||
{
|
||||
|
@ -55,8 +55,5 @@ inputs:
|
||||
options = [ "rbind" ];
|
||||
};
|
||||
};
|
||||
# without this, tproxy does not work
|
||||
# TODO: why?
|
||||
networking.firewall.trustedInterfaces = [ "eno146" ];
|
||||
};
|
||||
}
|
||||
|
@ -43,7 +43,6 @@ inputs:
|
||||
"dispatchcnglobal.yuanshen.com"
|
||||
]);
|
||||
};
|
||||
firewall.trustedInterfaces = [ "virbr0" ];
|
||||
wireguard =
|
||||
{
|
||||
enable = true;
|
||||
|
@ -57,7 +57,6 @@ inputs:
|
||||
snapper.enable = true;
|
||||
sshd = { passwordAuthentication = true; groupBanner = true; };
|
||||
xray.client.enable = true;
|
||||
firewall.trustedInterfaces = [ "virbr0" ];
|
||||
smartd.enable = true;
|
||||
beesd.instances =
|
||||
{
|
||||
|
@ -60,7 +60,6 @@ inputs:
|
||||
snapper.enable = true;
|
||||
sshd = { passwordAuthentication = true; groupBanner = true; };
|
||||
xray.client.enable = true;
|
||||
firewall.trustedInterfaces = [ "virbr0" ];
|
||||
smartd.enable = true;
|
||||
beesd.instances.root = { device = "/"; hashTableSizeMB = 16384; threads = 4; };
|
||||
wireguard =
|
||||
|
@ -3,7 +3,6 @@ inputs:
|
||||
imports = inputs.localLib.findModules ./.;
|
||||
options.nixos.services = let inherit (inputs.lib) mkOption types; in
|
||||
{
|
||||
firewall.trustedInterfaces = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
|
||||
smartd.enable = mkOption { type = types.bool; default = false; };
|
||||
wallabag.enable = mkOption { type = types.bool; default = false; };
|
||||
noisetorch.enable = mkOption { type = types.bool; default = inputs.config.nixos.system.gui.preferred; };
|
||||
@ -16,7 +15,6 @@ inputs:
|
||||
inherit (builtins) map listToAttrs toString;
|
||||
in mkMerge
|
||||
[
|
||||
{ networking.firewall.trustedInterfaces = services.firewall.trustedInterfaces; }
|
||||
(mkIf services.smartd.enable { services.smartd.enable = true; })
|
||||
(
|
||||
mkIf services.wallabag.enable
|
||||
|
@ -33,7 +33,6 @@ inputs:
|
||||
storageDriver = "overlay2";
|
||||
daemon.settings.dns = [ "1.1.1.1" ];
|
||||
};
|
||||
nixos.services.firewall.trustedInterfaces = [ "docker0" ];
|
||||
}
|
||||
];
|
||||
}
|
||||
|
@ -41,7 +41,6 @@ inputs:
|
||||
firewall =
|
||||
{
|
||||
allowedUDPPorts = inputs.lib.mkIf (!wireguard.behindNat) [ wireguard.listenPort ];
|
||||
trustedInterfaces = [ "wireguard" ];
|
||||
};
|
||||
wireguard.interfaces.wireguard =
|
||||
{
|
||||
|
@ -25,6 +25,8 @@ inputs:
|
||||
noproxyTcpPorts = mkOption { type = types.listOf types.ints.unsigned; default = []; };
|
||||
noproxyUdpPorts = mkOption { type = types.listOf types.ints.unsigned; default = []; };
|
||||
};
|
||||
# 是否允许代理来自其它机器的流量(相关端口会被放行)
|
||||
allowForward = mkOption { type = types.bool; default = true; };
|
||||
};
|
||||
server = mkOption
|
||||
{
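Review bot: `allowForward = mkOption { type = types.bool; default = true; };` makes forwarding of other machines' traffic (and, per its comment, the opening of the related ports) the default for every host that enables the client, so a host gets the more exposed configuration unless its author remembers to opt out; an opt-in `default = false;` would be the safer default and keeps the explicit `allowForward = true;` on the hosts that need it. The comment above it is in Chinese while the rest of the visible options are undocumented English; a short English comment such as `# Whether to proxy traffic from other machines (the related ports are opened in the firewall)` would read consistently. The enclosing `options` attribute set starts and ends outside the hunk.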
|
||||
@ -329,6 +331,13 @@ inputs:
|
||||
groups.v2ray.gid = inputs.config.nixos.user.gid.v2ray;
|
||||
};
|
||||
environment.etc."resolv.conf".text = "nameserver 127.0.0.1";
|
||||
networking.firewall =
|
||||
{
|
||||
allowedTCPPorts = [ 53 ];
|
||||
allowedUDPPorts = [ 53 ];
|
||||
allowedTCPPortRanges = [{ from = 10880; to = 10884; }];
|
||||
allowedUDPPortRanges = [{ from = 10880; to = 10884; }];
|
||||
};
|
||||
}
|
||||
)
|
||||
(
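Review bot: The `networking.firewall` block that opens 53/tcp, 53/udp and the 10880–10884 ranges on both protocols is written unconditionally, while the `allowForward` option added in the earlier hunk is described as the switch that decides whether those ports are opened; unless the enclosing `mkIf` (outside the hunk) already covers it, gate the block, e.g. `networking.firewall = inputs.lib.mkIf <path-to-allowForward> { … };` with the option's real attribute path. Opening 53 in particular exposes the local resolver that `resolv.conf` points at `127.0.0.1` to every peer on non-trusted interfaces, so a comment naming which ports serve tproxy and which serve DNS, such as `# 53: local DNS for forwarded clients; 10880-10884: xray inbounds`, would help the next reader check the list. Which of these lines are the seven additions is inferred from the hunk counts; the enclosing attribute set starts and ends outside the hunk.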
|
||||
|
@ -43,5 +43,7 @@ inputs:
|
||||
sudo.extraConfig = "Defaults pwfeedback";
|
||||
};
|
||||
systemd.user.extraConfig = "DefaultLimitNOFILE=65536:524288";
|
||||
# needed by xray tproxy if we want to forward traffic from other machine
|
||||
networking.firewall.checkReversePath = false;
|
||||
};
|
||||
}
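Review bot: `networking.firewall.checkReversePath = false;` disables reverse-path filtering on every interface of every host that imports this module, while the comment ties the need to the tproxy forwarding case only; the option also accepts `"loose"`, so `networking.firewall.checkReversePath = "loose";` keeps a relaxed source check, and gating it on the xray client / `allowForward` option would confine the relaxation to hosts that actually forward traffic. The earlier hunk drops the `trustedInterfaces = [ "eno146" ]` workaround marked `# TODO: why?`, and this line appears to be its replacement, so the comment here should say so, e.g. `# replaces the eno146 trustedInterfaces workaround: rp_filter drops tproxy-redirected packets from other machines`. Which two lines are the additions is inferred from the hunk counts; the enclosing attribute set starts outside the hunk.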
|
||||
|