modules.packages.server: add megacli

modules.services.xray: fix firewall
2024-10-22 21:38:44 +08:00 · 2024-09-20 12:53:45 +08:00 · 2024-09-20 01:43:27 +08:00
11 changed files with 12 additions and 12 deletions
--- a/devices/pc/default.nix
+++ b/devices/pc/default.nix
@ -105,7 +105,6 @@ inputs:
            ++ [{ name = "4006024680.com"; value = "192.168.199.1"; }]
          );
        };
-        firewall.trustedInterfaces = [ "virbr0" "waydroid0" ];
        acme.cert."debug.mirism.one" = {};
        frpClient =
        {
--- a/devices/srv1/node0/default.nix
+++ b/devices/srv1/node0/default.nix
@ -55,8 +55,5 @@ inputs:
        options = [ "rbind" ];
      };
    };
-    # without this, tproxy does not work
-    # TODO: why?
-    networking.firewall.trustedInterfaces = [ "eno146" ];
  };
 }
--- a/devices/surface/default.nix
+++ b/devices/surface/default.nix
@ -43,7 +43,6 @@ inputs:
              "dispatchcnglobal.yuanshen.com"
            ]);
        };
-        firewall.trustedInterfaces = [ "virbr0" ];
        wireguard =
        {
          enable = true;
--- a/devices/xmupc1/default.nix
+++ b/devices/xmupc1/default.nix
@ -57,7 +57,6 @@ inputs:
        snapper.enable = true;
        sshd = { passwordAuthentication = true; groupBanner = true; };
        xray.client.enable = true;
-        firewall.trustedInterfaces = [ "virbr0" ];
        smartd.enable = true;
        beesd.instances =
        {
--- a/devices/xmupc2/default.nix
+++ b/devices/xmupc2/default.nix
@ -60,7 +60,6 @@ inputs:
        snapper.enable = true;
        sshd = { passwordAuthentication = true; groupBanner = true; };
        xray.client.enable = true;
-        firewall.trustedInterfaces = [ "virbr0" ];
        smartd.enable = true;
        beesd.instances.root = { device = "/"; hashTableSizeMB = 16384; threads = 4; };
        wireguard =
--- a/modules/packages/server.nix
+++ b/modules/packages/server.nix
@ -26,7 +26,7 @@ inputs:
        # file system management
        sshfs e2fsprogs duperemove compsize exfatprogs
        # disk management
-        smartmontools hdparm
+        smartmontools hdparm megacli
        # encryption and authentication
        apacheHttpd openssl ssh-to-age gnupg age sops pam_u2f yubico-piv-tool
        # networking
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@ -3,7 +3,6 @@ inputs:
  imports = inputs.localLib.findModules ./.;
  options.nixos.services = let inherit (inputs.lib) mkOption types; in
  {
-    firewall.trustedInterfaces = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
    smartd.enable = mkOption { type = types.bool; default = false; };
    wallabag.enable = mkOption { type = types.bool; default = false; };
    noisetorch.enable = mkOption { type = types.bool; default = inputs.config.nixos.system.gui.preferred; };
@ -16,7 +15,6 @@ inputs:
      inherit (builtins) map listToAttrs toString;
    in mkMerge
    [
-      { networking.firewall.trustedInterfaces = services.firewall.trustedInterfaces; }
      (mkIf services.smartd.enable { services.smartd.enable = true; })
      (
        mkIf services.wallabag.enable
--- a/modules/services/docker.nix
+++ b/modules/services/docker.nix
@ -33,7 +33,6 @@ inputs:
        storageDriver = "overlay2";
        daemon.settings.dns = [ "1.1.1.1" ];
      };
-      nixos.services.firewall.trustedInterfaces = [ "docker0" ];
    }
  ];
 }
--- a/modules/services/wireguard.nix
+++ b/modules/services/wireguard.nix
@ -41,7 +41,6 @@ inputs:
          firewall =
          {
            allowedUDPPorts = inputs.lib.mkIf (!wireguard.behindNat) [ wireguard.listenPort ];
-            trustedInterfaces = [ "wireguard" ];
          };
          wireguard.interfaces.wireguard =
          {
--- a/modules/services/xray/default.nix
+++ b/modules/services/xray/default.nix
@ -25,6 +25,8 @@ inputs:
        noproxyTcpPorts = mkOption { type = types.listOf types.ints.unsigned; default = []; };
        noproxyUdpPorts = mkOption { type = types.listOf types.ints.unsigned; default = []; };
      };
+      # 是否允许代理来自其它机器的流量（相关端口会被放行）
+      allowForward = mkOption { type = types.bool; default = true; };
    };
    server = mkOption
    {
@ -329,6 +331,13 @@ inputs:
          groups.v2ray.gid = inputs.config.nixos.user.gid.v2ray;
        };
        environment.etc."resolv.conf".text = "nameserver 127.0.0.1";
+        networking.firewall =
+        {
+          allowedTCPPorts = [ 53 ];
+          allowedUDPPorts = [ 53 ];
+          allowedTCPPortRanges = [{ from = 10880; to = 10884; }];
+          allowedUDPPortRanges = [{ from = 10880; to = 10884; }];
+        };
      }
    )
    (
--- a/modules/system/security.nix
+++ b/modules/system/security.nix
@ -43,5 +43,7 @@ inputs:
      sudo.extraConfig = "Defaults pwfeedback";
    };
    systemd.user.extraConfig = "DefaultLimitNOFILE=65536:524288";
+    # needed by xray tproxy if we want to forward traffic from other machine
+    networking.firewall.checkReversePath = false;
  };
 }
Author	SHA1	Message	Date
chn	e403148132	modules.packages.server: add megacli	2024-09-20 12:53:45 +08:00
chn	58bd1dd0b9	modules.services.xray: fix firewall	2024-09-20 01:43:27 +08:00