diff --git a/config/nixos/common/server.nix b/config/nixos/common/server.nix
index da5d8c8..57c64e4 100644
--- a/config/nixos/common/server.nix
+++ b/config/nixos/common/server.nix
@@ -1,6 +1,5 @@
 { config, pkgs, ... }:
 {
- # OpenSSH server
 services.openssh = {
 enable = true;
 ports = [ 400 ];
@@ -16,74 +15,82 @@
 };
 };
- # Open ports in the firewall
- networking.firewall = {
- enable = true;
+ networking = {
+ nat.enable = true;
+ nat.enableIPv6 = true;
- # Ports accessible from anywhere
- allowedTCPPorts = [
- 80 # HTTP
- 443 # HTTPS
- 22 # Git over SSH
- 400 # SSH
- 25565 # Minecraft
- 3456 # Minecraft (Bluemap)
- 32400 # Plex
- 8096 # Jellyfin
- ];
- allowedUDPPorts = [
- 51820 # WireGuard
- ];
+ firewall = {
+ enable = true;
- # Common internal ports for docker0, tailscale0, and LAN
- interfaces =
- let
- internalPorts = [
- 81 # Nginx Proxy Manager
- 5334 # Duplicati Notifications
- 7788 # Sabnzbd
- 8085 # Qbittorrent
- 3030 # Gitea
- 5080 # Factorio Server Manager
- 5555 # Overseerr
- 9696 # Prowlarr
- 7878 # Radarr
- 8686 # Lidarr
- 8989 # Sonarr
- 8386 # Whisparr
- 8191 # Flaresolerr
- 9999 # Stash
- ];
- in
- {
- "docker0".allowedTCPPorts = internalPorts;
- "tailscale0".allowedTCPPorts = internalPorts;
- "enp39s0".allowedTCPPorts = internalPorts;
- };
+ # Only truly external ports
+ allowedTCPPorts = [
+ 80 # HTTP
+ 443 # HTTPS
+ 22 # Git over SSH
+ 400 # SSH
+ 25565 # Minecraft
+ 3456 # Minecraft (Bluemap)
+ 32400 # Plex
+ 8096 # Jellyfin
+ ];
- extraCommands = ''
- # Allow established connections
- iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+ allowedUDPPorts = [
+ 51820 # WireGuard
+ ];
- # Allow internal network traffic
- iptables -A INPUT -i docker0 -j ACCEPT
- iptables -A INPUT -i tailscale0 -j ACCEPT
- iptables -A INPUT -s 192.168.0.0/16 -j ACCEPT
+ # Internal ports
+ interfaces =
+ let
+ internalPorts = [
+ 81 # Nginx Proxy Manager
+ 5334 # Duplicati Notifications
+ 7788 # Sabnzbd
+ 8085 # Qbittorrent
+ 3030 # Gitea
+ 5080 # Factorio Server Manager
+ 5555 # Overseerr
+ 9696 # Prowlarr
+ 7878 # Radarr
+ 8686 # Lidarr
+ 8989 # Sonarr
+ 8386 # Whisparr
+ 8191 # Flaresolerr
+ 9999 # Stash
+ ];
+ in
+ {
+ "docker0".allowedTCPPorts = internalPorts;
+ "tailscale0".allowedTCPPorts = internalPorts;
+ "enp39s0".allowedTCPPorts = internalPorts;
+ };
- # Allow all Docker-related traffic
- iptables -A INPUT -s 172.16.0.0/12 -j ACCEPT # Covers all Docker network ranges
- iptables -A FORWARD -s 172.16.0.0/12 -j ACCEPT
- iptables -A FORWARD -d 172.16.0.0/12 -j ACCEPT
+ extraCommands = ''
+ # Allow established connections
+ iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
- # Allow Docker container communication
- iptables -A DOCKER-USER -i docker0 -o docker0 -j ACCEPT
+ # Block WAN access to internal services
+ iptables -I INPUT -i enp39s0 ! -s 192.168.0.0/16 -j DROP
- # Allow traffic between different Docker networks
- iptables -A FORWARD -i br-* -o br-* -j ACCEPT
- iptables -A FORWARD -i docker0 -o br-* -j ACCEPT
- iptables -A FORWARD -i br-* -o docker0 -j ACCEPT
- '';
- # Required for Tailscale
- checkReversePath = "loose";
+ # Allow internal network traffic
+ iptables -A INPUT -i docker0 -j ACCEPT
+ iptables -A INPUT -i tailscale0 -j ACCEPT
+ iptables -A INPUT -s 192.168.0.0/16 -j ACCEPT
+
+ # Allow Docker inter-network communication
+ iptables -A FORWARD -i br-* -o br-* -j ACCEPT
+ iptables -A FORWARD -i docker0 -o br-* -j ACCEPT
+ iptables -A FORWARD -i br-* -o docker0 -j ACCEPT
+
+ # Allow Docker subnet traffic but only internally
+ iptables -A INPUT -s 172.16.0.0/12 -i docker0 -j ACCEPT
+ iptables -A INPUT -s 172.16.0.0/12 -i br-+ -j ACCEPT
+
+ # Allow Docker container communication
+ iptables -A DOCKER-USER -i docker0 -o docker0 -j ACCEPT
+ '';
+
+ # Required for Tailscale
+ checkReversePath = "loose";
+ };
 };
 }