diff --git a/hosts/architect/docker.nix b/hosts/architect/docker.nix index 2d8070e..6e294da 100644 --- a/hosts/architect/docker.nix +++ b/hosts/architect/docker.nix @@ -1,4 +1,10 @@ { - virtualisation.docker.enable = true; + virtualisation.docker = { + enable = true; + extraOptions = '' + --dns 127.0.0.1 --dns 10.0.0.250 --data-root /docker + ''; + enableOnBoot = false; + }; users.users.giulio.extraGroups = [ "docker" ]; } diff --git a/hosts/architect/firewall.nix b/hosts/architect/firewall.nix index bf7435e..dc80d8c 100644 --- a/hosts/architect/firewall.nix +++ b/hosts/architect/firewall.nix @@ -64,6 +64,7 @@ in { oifname ${wan-if} ip saddr {${ lib.concatStringsSep "," towan-wg }} masquerade + oifname ${wan-if} ip saddr ${docker-net} masquerade } } @@ -78,6 +79,7 @@ in { iifname ${wan-if} accept comment "bind any ip to intf ${wan-if}" iifname ${proxy-if} ip saddr ${proxy-net} accept comment "bind ip ${proxy-net} to intf ${proxy-if}" iifname ${vpn-if} ip saddr ${vpn-net} accept comment "bind ip ${vpn-net} to intf ${vpn-if}" + iifname ${docker-if} ip saddr ${docker-net} accept comment "bind ip ${docker-net} to intf ${docker-if}" iifname "lo" accept comment "bind any ip to intf lo" jump mangle_drop } @@ -139,7 +141,7 @@ in { iifname ${vpn-if} tcp dport {${open_tcp_ports_vpn}} accept iifname ${vpn-if} udp dport {${open_udp_ports_vpn}} accept iifname ${vpn-if} icmp type echo-request accept - + iifname ${docker-if} udp dport 53 accept jump filter_drop } @@ -165,6 +167,8 @@ in { lib.concatStringsSep "," towan-wg }} accept + oifname ${wan-if} ip saddr ${docker-net} accept + jump filter_drop } diff --git a/hosts/architect/network.nix b/hosts/architect/network.nix index 722e155..45bb1ec 100644 --- a/hosts/architect/network.nix +++ b/hosts/architect/network.nix 
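Review bot: The `--dns 127.0.0.1` entry in the new extraOptions will not reach a resolver on the host: inside a container 127.0.0.1 is the container's own loopback, so lookups fall through to 10.0.0.250 and the host-resolver path that the `iifname ${docker-if} udp dport 53 accept` rule in firewall.nix opens goes unused. If containers are meant to use a resolver on this host, point them at the host's docker0 address and have that resolver listen there, e.g. `--dns 172.17.0.1 --dns 10.0.0.250` (bridge address derived from docker-net; confirm against the actual bridge). Since firewall.nix now hard-codes docker-net = 172.17.0.0/16 on docker0 without the daemon being told to use it, Docker can pick a different subnet on conflict and the masquerade and accept rules would silently stop matching; pinning it in the same option, `--bip 172.17.0.1/16` (constructed from docker-net), keeps the two files in agreement.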
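Review bot: The added `iifname ${docker-if} udp dport 53 accept` in the input chain admits UDP only, so any answer that sets the truncated bit and is retried over TCP will be dropped by the `jump filter_drop` that follows it; the neighbouring vpn/proxy rules also carry an `ip saddr` qualifier that this one omits (the mangle chain added in the earlier hunk already pins docker0 to docker-net, so that part is consistency rather than a hole). Suggest replacing the line with `iifname ${docker-if} ip saddr ${docker-net} udp dport 53 accept` and `iifname ${docker-if} ip saddr ${docker-net} tcp dport 53 accept`. The enclosing input chain starts outside the hunk.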
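Review bot: The new `oifname ${wan-if} ip saddr ${docker-net} accept` in the forward chain grants every container unrestricted egress to the WAN, but no accept toward the LAN is added anywhere in this commit, so the 10.0.0.250 resolver configured in docker.nix is only reachable from containers if it is an address of this host; otherwise container DNS to it ends at `jump filter_drop`. Separately, nothing in the commit passes `--iptables=false` to the daemon, so unless Docker's iptables handling is disabled elsewhere in the configuration it still installs its own DOCKER/DOCKER-USER chains for published (-p) container ports, which are evaluated independently of this nftables ruleset and may expose those ports on ${wan-if} regardless of the rules here; confirm how iptables and nftables coexist on this host, or disable Docker's iptables management and publish ports through this ruleset instead. The enclosing forward chain starts outside the hunk.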
@@ -3,12 +3,14 @@ rec { wan-if = "enp5s0"; vpn-if = "wg0"; proxy-if = "proxy"; + docker-if = "docker0"; # nets lan-net = "10.0.0.0/24"; vpn-net = "10.3.0.0/24"; proxy-net = "10.4.0.0/24"; external_lan-net = "192.168.1.0/24"; + docker-net = "172.17.0.0/16"; # ips dvr-lan = "10.0.0.2";