diff --git a/common.nix b/common.nix
index 6bdd6ec..d34e31e 100644
--- a/common.nix
+++ b/common.nix
@@ -81,13 +81,13 @@
 systemd.services.nix-daemon.serviceConfig.LimitNOFILE = lib.mkForce 1048576000;
 system.autoUpgrade = {
- enable = true;
- dates = "hourly";
+ enable = false;
+ dates = "minutely";
 flake = "git+https://git.missing.ninja/lf3/server-conf.git";
 };
 networking.hosts = {
- "192.168.88.251" = builtins.attrNames self.nixosConfigurations.mio-mio-mate.config.services.nginx.virtualHosts;
+ "192.168.88.251" = [ "wiki.it3" ];
 "192.168.88.1" = [ "router" ];
 };
diff --git a/router.nix b/router.nix
index ba266cb..c676be2 100644
--- a/router.nix
+++ b/router.nix
@@ -1,5 +1,4 @@
 {
- # Resret router with /system reset-configuration keep-users no-defaults run-after-reset=router-config.rsc
 "/interface bridge" = [
 {
 auto-mac = "no";
@@ -102,10 +101,8 @@
 }
 ];
 "/ip dns" = {
- no_label = {
- allow-remote-requests = "yes";
- servers = "1.1.1.1,1.0.0.1";
- };
+ "allow-remote-requests" = "yes";
+ servers = "1.1.1.1,1.0.0.1";
 };
 "/ip dns static" = [
 {
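Review bot: With `enable = false` the new `dates = "minutely"` value is dead configuration, and if auto-upgrade is ever switched back on it would rebuild the host from the remote flake every minute instead of hourly. Either keep `dates = "hourly"` or record the intent next to it, e.g. `# auto-upgrade disabled; rebuilds are run by hand until this is re-enabled`. Turning autoUpgrade off also means the host no longer picks up security updates on its own, so patching becomes a manual task that should be tracked somewhere. The flake URL carries no `?ref=`/`?rev=` pin, so any future upgrade run deploys whatever the remote branch head is at that moment; that was already true before this change.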
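Review bot: `"allow-remote-requests" = "yes"` makes the router answer DNS queries on every interface, so it is an open resolver toward the upstream link unless the input chain drops that traffic; the `defconf: drop all not coming from LAN` rule added later in this commit only covers it if the upstream-facing interface is a member of the `WAN` list and not of `LAN`, and the `/interface list member` mapping is not visible in this diff. A comment on the line would make the dependency explicit, e.g. `# resolver for the LAN; WAN-side queries are dropped by the input-chain "!LAN" rule`. The upstream servers are reached over plain port-53 DNS, so resolution is unauthenticated and observable on the path; RouterOS's `use-doh-server` option is available if that matters for this network.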
@@ -113,23 +110,69 @@
 name = "router.lan";
 }
 ];
- "/ip firewall address-list" = [
- {
- address = "10.10.10.10-10.10.10.10.254";
- list = "allowed_to_router";
- }
- ];
 "/ip firewall filter" = [
 {
 action = "accept";
 chain = "input";
- src-address-list = "allowed_to_router";
+ comment = "defconf: accept established,related,untracked";
+ "connection-state" = "established,related,untracked";
+ }
+ {
+ action = "drop";
+ chain = "input";
+ comment = "defconf: drop invalid";
+ "connection-state" = "invalid";
 }
 {
 action = "accept";
 chain = "input";
+ comment = "defconf: accept ICMP";
 protocol = "icmp";
 }
+ {
+ action = "drop";
+ chain = "input";
+ comment = "defconf: drop all not coming from LAN";
+ "in-interface-list" = "!LAN";
+ }
+ {
+ action = "accept";
+ chain = "forward";
+ comment = "defconf: accept in ipsec policy";
+ "ipsec-policy" = "in,ipsec";
+ }
+ {
+ action = "accept";
+ chain = "forward";
+ comment = "defconf: accept out ipsec policy";
+ "ipsec-policy" = "out,ipsec";
+ }
+ {
+ action = "fasttrack-connection";
+ chain = "forward";
+ comment = "defconf: fasttrack";
+ "connection-state" = "established,related";
+ }
+ {
+ action = "accept";
+ chain = "forward";
+ comment = "defconf: accept established,related, untracked";
+ "connection-state" = "established,related,untracked";
+ }
+ {
+ action = "drop";
+ chain = "forward";
+ comment = "defconf: drop invalid";
+ "connection-state" = "invalid";
+ }
+ {
+ action = "drop";
+ chain = "forward";
+ comment = "defconf: drop all from WAN not DSTNATed";
+ "connection-nat-state" = "!dstnat";
+ "connection-state" = "new";
+ "in-interface-list" = "WAN";
+ }
 ];
 "/ip firewall nat" = [
 {
diff --git a/systems/mio-mio-mate/default.nix b/systems/mio-mio-mate/default.nix
index 43e70a6..0c51bc5 100644
--- a/systems/mio-mio-mate/default.nix
+++ b/systems/mio-mio-mate/default.nix
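Review bot: The new input chain ends with `defconf: drop all not coming from LAN` and nothing follows it, so every new connection from any LAN host to every router service (SSH, Winbox, WWW, API on their default RouterOS ports) falls through to the implicit accept; the source-restricted `allowed_to_router` design this replaces is dropped without an equivalent, so any compromised LAN device can reach the management plane. Consider keeping an admin address-list, e.g. `{ address = "<admin host or subnet>"; list = "admin"; }` under `"/ip firewall address-list"`, and inserting a drop for management ports from non-admin sources ahead of the `!LAN` rule, as sketched below. Two further caveats worth a comment in the block: `fasttrack-connection` lets matching packets bypass the remaining filter and mangle rules, and all of the `in-interface-list` matches only work if the `LAN`/`WAN` lists are populated, which this diff does not show. The `"/ip firewall filter"` list is complete within the hunk, but the surrounding attribute set continues past it.
```nix
# … unchanged: defconf input rules (accept established/related/untracked, drop invalid, accept ICMP) …
{
  action = "drop";
  chain = "input";
  comment = "drop management ports from non-admin LAN hosts";
  "dst-port" = "22,80,443,8291,8728,8729";
  protocol = "tcp";
  "src-address-list" = "!admin";
}
{
  action = "drop";
  chain = "input";
  comment = "defconf: drop all not coming from LAN";
  "in-interface-list" = "!LAN";
}
# … unchanged: forward-chain rules …
```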
@@ -49,13 +49,6 @@
 services.nginx = {
 enable = true;
- virtualHosts = {
- "manga.it3" = {
- locations."/" = {
- proxyPass = "http://localhost:8080/";
- };
- };
- };
 };
 services.dnsmasq = {
@@ -79,27 +72,4 @@
 nginx.hostName = "wiki.it3";
 passwordFile = "${../../init/mediawiki}";
 };
-
- services.suwayomi-server = {
- enable = true;
- settings = {
- server = {
- systemTrayEnabled = true;
- extensionRepos = [
- "https://raw.githubusercontent.com/keiyoushi/extensions/repo/index.min.json"
- ];
- webUIEnabled = true;
- initialOpenInBrowserEnabled = true;
- webUIInterface = "browser";
- webUIFlavor = "WebUI";
- };
- };
- };
-
- services.freshrss = {
- enable = true;
- virtualHost = "rss.it3";
- authType = "none";
- baseUrl = "http://rss.it3";
- };
 }
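Review bot: `passwordFile = "${../../init/mediawiki}"` interpolates a repository path into a string, which copies `init/mediawiki` into the Nix store, where it is world-readable on the host and travels with any binary cache or flake source the configuration is pushed to; if that file holds the wiki's admin password it is effectively public. The line is unchanged context, but this hunk is where the module is configured and the secret remains the only credential left in this file after the removals. Prefer a path outside the store that is provisioned separately, e.g. `passwordFile = "/run/secrets/mediawiki";`, and keep the secret out of the repository. The enclosing attribute set (presumably `services.mediawiki`) starts above the hunk.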