peperunas/nixos
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Allow docker interface to network on WAN

Browse Source
This commit is contained in:
Giulio De Pasquale 2022-04-05 17:00:25 +02:00
parent 8312f69c98
commit 895d17ab68
3 changed files with 14 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
hosts/architect/docker.nix
View File

@ -1,4 +1,10 @@
{ {
virtualisation.docker.enable = true; virtualisation.docker = {
enable = true;
extraOptions = ''
--dns 127.0.0.1 --dns 10.0.0.250 --data-root /docker
'';
enableOnBoot = false;
};
users.users.giulio.extraGroups = [ "docker" ]; users.users.giulio.extraGroups = [ "docker" ];
} }

6
hosts/architect/firewall.nix
View File

@ -64,6 +64,7 @@ in {
oifname ${wan-if} ip saddr {${ oifname ${wan-if} ip saddr {${
lib.concatStringsSep "," towan-wg lib.concatStringsSep "," towan-wg
}} masquerade }} masquerade
oifname ${wan-if} ip saddr ${docker-net} masquerade
} }
} }
@ -78,6 +79,7 @@ in {
iifname ${wan-if} accept comment "bind any ip to intf ${wan-if}" iifname ${wan-if} accept comment "bind any ip to intf ${wan-if}"
iifname ${proxy-if} ip saddr ${proxy-net} accept comment "bind ip ${proxy-net} to intf ${proxy-if}" iifname ${proxy-if} ip saddr ${proxy-net} accept comment "bind ip ${proxy-net} to intf ${proxy-if}"
iifname ${vpn-if} ip saddr ${vpn-net} accept comment "bind ip ${vpn-net} to intf ${vpn-if}" iifname ${vpn-if} ip saddr ${vpn-net} accept comment "bind ip ${vpn-net} to intf ${vpn-if}"
iifname ${docker-if} ip saddr ${docker-net} accept comment "bind ip ${docker-net} to intf ${docker-if}"
iifname "lo" accept comment "bind any ip to intf lo" iifname "lo" accept comment "bind any ip to intf lo"
jump mangle_drop jump mangle_drop
} }
@ -139,7 +141,7 @@ in {
iifname ${vpn-if} tcp dport {${open_tcp_ports_vpn}} accept iifname ${vpn-if} tcp dport {${open_tcp_ports_vpn}} accept
iifname ${vpn-if} udp dport {${open_udp_ports_vpn}} accept iifname ${vpn-if} udp dport {${open_udp_ports_vpn}} accept
iifname ${vpn-if} icmp type echo-request accept iifname ${vpn-if} icmp type echo-request accept
iifname ${docker-if} udp dport 53 accept
jump filter_drop jump filter_drop
} }
@ -165,6 +167,8 @@ in {
lib.concatStringsSep "," towan-wg lib.concatStringsSep "," towan-wg
}} accept }} accept
oifname ${wan-if} ip saddr ${docker-net} accept
jump filter_drop jump filter_drop
} }

2
hosts/architect/network.nix
View File

@ -3,12 +3,14 @@ rec {
wan-if = "enp5s0"; wan-if = "enp5s0";
vpn-if = "wg0"; vpn-if = "wg0";
proxy-if = "proxy"; proxy-if = "proxy";
docker-if = "docker0";
# nets # nets
lan-net = "10.0.0.0/24"; lan-net = "10.0.0.0/24";
vpn-net = "10.3.0.0/24"; vpn-net = "10.3.0.0/24";
proxy-net = "10.4.0.0/24"; proxy-net = "10.4.0.0/24";
external_lan-net = "192.168.1.0/24"; external_lan-net = "192.168.1.0/24";
docker-net = "172.17.0.0/16";
# ips # ips
dvr-lan = "10.0.0.2"; dvr-lan = "10.0.0.2";