diff --git a/SwarselSystems.org b/SwarselSystems.org index 8e8a375..e97076e 100644 --- a/SwarselSystems.org +++ b/SwarselSystems.org @@ -3872,6 +3872,7 @@ My work machine. Built for more security, this is the gold standard of my config personal = true; }; + networking.nftables.firewall.zones.untrusted.interfaces = [ "wlan*" "enp*" ]; # networking.nftables = { # enable = lib.mkForce false; # firewall.enable = lib.mkForce false; @@ -20033,10 +20034,42 @@ When setting up a new machine: }; - firewall = { - enable = lib.mkDefault true; - trustedInterfaces = [ "virbr0" ]; + nftables = { + firewall = { + zones = { + virbr = { + interfaces = [ "virbr*" ]; + }; + }; + rules = { + virbr-dns-dhcp = { + from = [ "virbr" ]; + to = [ "local" ]; + allowedTCPPorts = [ 53 ]; + allowedUDPPorts = [ 53 67 547 ]; + }; + virbr-forward = { + from = [ "virbr" ]; + to = [ "untrusted" ]; + verdict = "accept"; + }; + virbr-forward-return = { + from = [ "untrusted" ]; + to = [ "virbr" ]; + extraLines = [ + "ct state { established, related } accept" + ]; + }; + }; + }; + chains.postrouting.libvirt-masq = { + after = [ "dnat" ]; + rules = [ + "iifname \"virbr*\" masquerade" + ]; + }; }; + search = [ "vbc.ac.at" "clip.vbc.ac.at" @@ -20044,6 +20077,24 @@ When setting up a new machine: ]; }; + systemd.services = { + virtqemud.path = with pkgs; [ + qemu_kvm + libvirt + ]; + + virtstoraged.path = with pkgs; [ + qemu_kvm + libvirt + ]; + + virtnetworkd.path = with pkgs; [ + dnsmasq + iproute2 + nftables + ]; + }; + virtualisation = { docker.enable = lib.mkIf (!config.virtualisation.podman.dockerCompat) true; spiceUSBRedirection.enable = true; 
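Review bot: The `virbr-forward` and `virbr-forward-return` rules in the @@ -20033 hunk depend on a zone named `untrusted` that the work module itself never declares; it only exists where a host sets `networking.nftables.firewall.zones.untrusted.interfaces` (the @@ -3872 hunk here and hosts/nixos/x86_64-linux/pyramid/default.nix), so a host importing work.nix without it presumably either fails evaluation or silently has no VM egress path — a `lib.mkDefault` for the zone's interfaces in work.nix, or at least `# requires the "untrusted" zone to be defined by the host` above `rules`, would make the coupling explicit. Dropping `trustedInterfaces = [ "virbr0" ]` in favour of only DNS/DHCP (TCP 53, UDP 53/67/547) from `virbr` to `local` is a genuine tightening, but it also means IPv6 on the bridge needs ICMPv6 (router/neighbour solicitation) and any other host service the VMs used now needs its own rule; worth confirming against the firewall module's defaults. The `libvirt-masq` chain masquerades on `iifname "virbr*"` alone, so it would also rewrite source addresses on anything forwarded toward another bridge; `"iifname \"virbr*\" oifname != \"virbr*\" masquerade"` keeps it to real egress. The same hunk is repeated in modules/nixos/optional/work.nix (@@ -123).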
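Review bot: Putting `nftables` (with `dnsmasq` and `iproute2`) on `virtnetworkd.path` in the @@ -20044 hunk lets libvirt install its own forward/masquerade rules for `virbr*` in its own table, so VM traffic policy now lives in two places: libvirt's table and the zone rules added in the @@ -20033 hunk. Which one applies depends on chain priorities, and if `networking.nftables.flushRuleset` is left at its default a firewall reload can drop libvirt's table until the libvirt network is restarted — TODO confirm on a running host with `nft list ruleset`. If the intent is that the NixOS zone rules are authoritative, a comment such as `# nftables on PATH: libvirt also installs its own rules; the zone rules above are the intended policy` next to `virtnetworkd.path` would record that, and libvirt's `firewall_backend` setting in network.conf may be the place to pin the backend if the installed libvirt version supports it. The same block is repeated in modules/nixos/optional/work.nix (@@ -134).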
@@ -20054,22 +20105,12 @@ When setting up a new machine: runAsRoot = true; swtpm.enable = true; vhostUserPackages = with pkgs; [ virtiofsd ]; - # ovmf = { - # enable = true; - # packages = [ - # (pkgs.OVMFFull.override { - # secureBoot = true; - # tpmSupport = true; - # }).fd - # ]; - # }; }; }; }; environment.systemPackages = with pkgs; [ remmina - # gp-onsaml-gui python39 qemu packer @@ -20078,7 +20119,6 @@ When setting up a new machine: govc terraform opentofu - # dev.terragrunt terragrunt graphviz azure-cli @@ -20102,7 +20142,7 @@ When setting up a new machine: openssh = { enable = true; extraConfig = '' - ''; + ''; }; syncthing = { @@ -20123,10 +20163,9 @@ When setting up a new machine: }; }; - # ACTION=="remove", ENV{PRODUCT}=="3/1050/407/110", RUN+="${pkgs.kanshi}/bin/kanshictl switch laptoponly" udev.extraRules = '' # lock screen when yubikey removed - ACTION=="remove", ENV{PRODUCT}=="3/1050/407/110", RUN+="${pkgs.systemd}/bin/systemctl suspend" + ACTION=="remove", ENV{PRODUCT}=="3/1050/407/110", RUN+="${pkgs.systemd}/bin/systemctl suspend" ''; }; diff --git a/hosts/nixos/x86_64-linux/pyramid/default.nix b/hosts/nixos/x86_64-linux/pyramid/default.nix index 60d2522..25f8485 100644 --- a/hosts/nixos/x86_64-linux/pyramid/default.nix +++ b/hosts/nixos/x86_64-linux/pyramid/default.nix @@ -79,6 +79,7 @@ in personal = true; }; + networking.nftables.firewall.zones.untrusted.interfaces = [ "wlan*" "enp*" ]; # networking.nftables = { # enable = lib.mkForce false; # firewall.enable = lib.mkForce false; diff --git a/modules/nixos/optional/work.nix b/modules/nixos/optional/work.nix index b75c41e..2cec98f 100644 --- a/modules/nixos/optional/work.nix +++ b/modules/nixos/optional/work.nix 
@@ -123,10 +123,42 @@ in }; - firewall = { - enable = lib.mkDefault true; - trustedInterfaces = [ "virbr0" ]; + nftables = { + firewall = { + zones = { + virbr = { + interfaces = [ "virbr*" ]; + }; + }; + rules = { + virbr-dns-dhcp = { + from = [ "virbr" ]; + to = [ "local" ]; + allowedTCPPorts = [ 53 ]; + allowedUDPPorts = [ 53 67 547 ]; + }; + virbr-forward = { + from = [ "virbr" ]; + to = [ "untrusted" ]; + verdict = "accept"; + }; + virbr-forward-return = { + from = [ "untrusted" ]; + to = [ "virbr" ]; + extraLines = [ + "ct state { established, related } accept" + ]; + }; + }; + }; + chains.postrouting.libvirt-masq = { + after = [ "dnat" ]; + rules = [ + "iifname \"virbr*\" masquerade" + ]; + }; }; + search = [ "vbc.ac.at" "clip.vbc.ac.at" @@ -134,6 +166,24 @@ in ]; }; + systemd.services = { + virtqemud.path = with pkgs; [ + qemu_kvm + libvirt + ]; + + virtstoraged.path = with pkgs; [ + qemu_kvm + libvirt + ]; + + virtnetworkd.path = with pkgs; [ + dnsmasq + iproute2 + nftables + ]; + }; + virtualisation = { docker.enable = lib.mkIf (!config.virtualisation.podman.dockerCompat) true; spiceUSBRedirection.enable = true; @@ -144,22 +194,12 @@ in runAsRoot = true; swtpm.enable = true; vhostUserPackages = with pkgs; [ virtiofsd ]; - # ovmf = { - # enable = true; - # packages = [ - # (pkgs.OVMFFull.override { - # secureBoot = true; - # tpmSupport = true; - # }).fd - # ]; - # }; }; }; }; environment.systemPackages = with pkgs; [ remmina - # gp-onsaml-gui python39 qemu packer @@ -168,7 +208,6 @@ in govc terraform opentofu - # dev.terragrunt terragrunt graphviz azure-cli @@ -192,7 +231,7 @@ in openssh = { enable = true; extraConfig = '' - ''; + ''; }; syncthing = { 
@@ -213,10 +252,9 @@ in }; }; - # ACTION=="remove", ENV{PRODUCT}=="3/1050/407/110", RUN+="${pkgs.kanshi}/bin/kanshictl switch laptoponly" udev.extraRules = '' # lock screen when yubikey removed - ACTION=="remove", ENV{PRODUCT}=="3/1050/407/110", RUN+="${pkgs.systemd}/bin/systemctl suspend" + ACTION=="remove", ENV{PRODUCT}=="3/1050/407/110", RUN+="${pkgs.systemd}/bin/systemctl suspend" ''; };