3 changed files with 58 additions and 45 deletions
--- a/common.nix
+++ b/common.nix
@ -81,13 +81,13 @@
  systemd.services.nix-daemon.serviceConfig.LimitNOFILE = lib.mkForce 1048576000;

  system.autoUpgrade = {
-    enable = true;
-    dates = "hourly";
+    enable = false;
+    dates = "minutely";
    flake = "git+https://git.missing.ninja/lf3/server-conf.git";
  };

  networking.hosts = {
-    "192.168.88.251" = builtins.attrNames self.nixosConfigurations.mio-mio-mate.config.services.nginx.virtualHosts;
+    "192.168.88.251" = [ "wiki.it3" ];
    "192.168.88.1" = [ "router" ];
  };

--- a/router.nix
+++ b/router.nix
@ -1,5 +1,4 @@
 {
-  # Resret router with /system reset-configuration keep-users no-defaults run-after-reset=router-config.rsc
  "/interface bridge" = [
    {
      auto-mac = "no";
@ -102,10 +101,8 @@
    }
  ];
  "/ip dns" = {
-    no_label = {
-      allow-remote-requests = "yes";
-      servers = "1.1.1.1,1.0.0.1";
-    };
+    "allow-remote-requests" = "yes";
+    servers = "1.1.1.1,1.0.0.1";
  };
  "/ip dns static" = [
    {
@ -113,23 +110,69 @@
      name = "router.lan";
    }
  ];
-  "/ip firewall address-list" = [
-    {
-      address = "10.10.10.10-10.10.10.10.254";
-      list = "allowed_to_router";
-    }
-  ];
  "/ip firewall filter" = [
    {
      action = "accept";
      chain = "input";
-      src-address-list = "allowed_to_router";
+      comment = "defconf: accept established,related,untracked";
+      "connection-state" = "established,related,untracked";
+    }
+    {
+      action = "drop";
+      chain = "input";
+      comment = "defconf: drop invalid";
+      "connection-state" = "invalid";
    }
    {
      action = "accept";
      chain = "input";
+      comment = "defconf: accept ICMP";
      protocol = "icmp";
    }
+    {
+      action = "drop";
+      chain = "input";
+      comment = "defconf: drop all not coming from LAN";
+      "in-interface-list" = "!LAN";
+    }
+    {
+      action = "accept";
+      chain = "forward";
+      comment = "defconf: accept in ipsec policy";
+      "ipsec-policy" = "in,ipsec";
+    }
+    {
+      action = "accept";
+      chain = "forward";
+      comment = "defconf: accept out ipsec policy";
+      "ipsec-policy" = "out,ipsec";
+    }
+    {
+      action = "fasttrack-connection";
+      chain = "forward";
+      comment = "defconf: fasttrack";
+      "connection-state" = "established,related";
+    }
+    {
+      action = "accept";
+      chain = "forward";
+      comment = "defconf: accept established,related, untracked";
+      "connection-state" = "established,related,untracked";
+    }
+    {
+      action = "drop";
+      chain = "forward";
+      comment = "defconf: drop invalid";
+      "connection-state" = "invalid";
+    }
+    {
+      action = "drop";
+      chain = "forward";
+      comment = "defconf:  drop all from WAN not DSTNATed";
+      "connection-nat-state" = "!dstnat";
+      "connection-state" = "new";
+      "in-interface-list" = "WAN";
+    }
  ];
  "/ip firewall nat" = [
    {
--- a/systems/mio-mio-mate/default.nix
+++ b/systems/mio-mio-mate/default.nix
@ -49,13 +49,6 @@

  services.nginx = {
    enable = true;
-    virtualHosts = {
-      "manga.it3" = {
-        locations."/" = {
-          proxyPass = "http://localhost:8080/";
-        };
-      };
-    };
  };

  services.dnsmasq = {
@ -79,27 +72,4 @@
    nginx.hostName = "wiki.it3";
    passwordFile = "${../../init/mediawiki}";
  };
-
-  services.suwayomi-server = {
-    enable = true;
-    settings = {
-      server = {
-        systemTrayEnabled = true;
-        extensionRepos = [
-          "https://raw.githubusercontent.com/keiyoushi/extensions/repo/index.min.json"
-        ];
-        webUIEnabled = true;
-        initialOpenInBrowserEnabled = true;
-        webUIInterface = "browser";
-        webUIFlavor = "WebUI";
-      };
-    };
-  };
-
-  services.freshrss = {
-    enable = true;
-    virtualHost = "rss.it3";
-    authType = "none";
-    baseUrl = "http://rss.it3";
-  };
 }