modules.services.xray: fix firewall
This commit is contained in:
parent
17a5e27a49
commit
58bd1dd0b9
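--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -105,7 +105,6 @@ inputs:
 ++ [{ name = "4006024680.com"; value = "192.168.199.1"; }]
 );
 };
-firewall.trustedInterfaces = [ "virbr0" "waydroid0" ];
 acme.cert."debug.mirism.one" = {};
 frpClient =
 {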
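--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -55,8 +55,5 @@ inputs:
 options = [ "rbind" ];
 };
 };
-# without this, tproxy does not work
-# TODO: why?
-networking.firewall.trustedInterfaces = [ "eno146" ];
 };
 }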
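--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -43,7 +43,6 @@ inputs:
 "dispatchcnglobal.yuanshen.com"
 ]);
 };
-firewall.trustedInterfaces = [ "virbr0" ];
 wireguard =
 {
 enable = true;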
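--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -57,7 +57,6 @@ inputs:
 snapper.enable = true;
 sshd = { passwordAuthentication = true; groupBanner = true; };
 xray.client.enable = true;
-firewall.trustedInterfaces = [ "virbr0" ];
 smartd.enable = true;
 beesd.instances =
 {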
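--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -60,7 +60,6 @@ inputs:
 snapper.enable = true;
 sshd = { passwordAuthentication = true; groupBanner = true; };
 xray.client.enable = true;
-firewall.trustedInterfaces = [ "virbr0" ];
 smartd.enable = true;
 beesd.instances.root = { device = "/"; hashTableSizeMB = 16384; threads = 4; };
 wireguard =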
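--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -3,7 +3,6 @@ inputs:
 imports = inputs.localLib.findModules ./.;
 options.nixos.services = let inherit (inputs.lib) mkOption types; in
 {
-firewall.trustedInterfaces = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
 smartd.enable = mkOption { type = types.bool; default = false; };
 wallabag.enable = mkOption { type = types.bool; default = false; };
 noisetorch.enable = mkOption { type = types.bool; default = inputs.config.nixos.system.gui.preferred; };
@@ -16,7 +15,6 @@ inputs:
 inherit (builtins) map listToAttrs toString;
 in mkMerge
 [
-{ networking.firewall.trustedInterfaces = services.firewall.trustedInterfaces; }
 (mkIf services.smartd.enable { services.smartd.enable = true; })
 (
 mkIf services.wallabag.enable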
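--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -33,7 +33,6 @@ inputs:
 storageDriver = "overlay2";
 daemon.settings.dns = [ "1.1.1.1" ];
 };
-nixos.services.firewall.trustedInterfaces = [ "docker0" ];
 }
 ];
 }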
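--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -41,7 +41,6 @@ inputs:
 firewall =
 {
 allowedUDPPorts = inputs.lib.mkIf (!wireguard.behindNat) [ wireguard.listenPort ];
-trustedInterfaces = [ "wireguard" ];
 };
 wireguard.interfaces.wireguard =
 {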
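--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -25,6 +25,8 @@ inputs:
 noproxyTcpPorts = mkOption { type = types.listOf types.ints.unsigned; default = []; };
 noproxyUdpPorts = mkOption { type = types.listOf types.ints.unsigned; default = []; };
 };
+# 是否允许代理来自其它机器的流量(相关端口会被放行)
+allowForward = mkOption { type = types.bool; default = true; };
 };
 server = mkOption
 {
@@ -329,6 +331,13 @@ inputs:
 groups.v2ray.gid = inputs.config.nixos.user.gid.v2ray;
 };
 environment.etc."resolv.conf".text = "nameserver 127.0.0.1";
+networking.firewall =
+{
+allowedTCPPorts = [ 53 ];
+allowedUDPPorts = [ 53 ];
+allowedTCPPortRanges = [{ from = 10880; to = 10884; }];
+allowedUDPPortRanges = [{ from = 10880; to = 10884; }];
+};
 }
 )
 (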
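Review bot: The `networking.firewall` block added in the second hunk opens TCP/UDP 53 and the 10880–10884 ranges unconditionally, while the `allowForward` option declared in the first hunk (default `true`, commented as the switch for proxying other machines' traffic) is referenced in neither hunk, so unless it is consulted somewhere outside the view the new option changes nothing and the ports stay open even when forwarding is meant to be off. Gate the block on it, e.g. `networking.firewall = inputs.lib.mkIf <client option set>.allowForward { … };` with the real attribute path of the option substituted. Opening 53 on every interface also exposes the local resolver that `resolv.conf` points at 127.0.0.1 to any network the host joins if that resolver listens on a wildcard address; the per-interface form `networking.firewall.interfaces.<lan>.allowedUDPPorts` (and the TCP counterpart) keeps it to the LAN side. The enclosing `mkIf` expression starts and ends outside the hunk.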
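--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -43,5 +43,7 @@ inputs:
 sudo.extraConfig = "Defaults pwfeedback";
 };
 systemd.user.extraConfig = "DefaultLimitNOFILE=65536:524288";
+# needed by xray tproxy if we want to forward traffic from other machine
+networking.firewall.checkReversePath = false;
 };
 }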
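Review bot: `networking.firewall.checkReversePath = false;` disables reverse-path filtering for the whole host, which removes the kernel's anti-spoofing check on every interface rather than only on the path that carries tproxy traffic. NixOS also accepts `"loose"` for this option, which is normally enough for policy-routed/tproxy setups while still dropping packets that have no route back at all, so try `networking.firewall.checkReversePath = "loose";` before falling back to `false`. The line is also placed unconditionally in a general system file next to sudo and systemd settings rather than beside the xray `allowForward` option it exists for, so it stays in effect when xray or forwarding is disabled; moving it into the xray module under an `mkIf` on that option would keep the relaxation scoped to the case the comment describes. The enclosing attribute set starts outside the hunk.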