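{ config, pkgs, ... }:

let
  # Host-specific values (hostname, ...) shared across the configuration.
  settings = import ../settings.nix;
in
{
  networking.hostName = settings.hostname;

  networking.networkmanager = {
    enable = true;
    # Use a random MAC address for Wi-Fi scanning so the device cannot be
    # tracked across networks while it is not associated.
    wifi.scanRandMacAddress = true;
  };

  networking.firewall = {
    enable = true;

    # Allowed ports
    allowedTCPPorts = [
      # Sunshine
      47984 47989 48010
    ];
    allowedUDPPorts = [
      # Sunshine
      47998 47999 48000 48010
    ];

    # Firewall logging: both reverse-path drops and refused connections
    # are logged so probes show up in the journal.
    logReversePathDrops = true;
    logRefusedConnections = true;

    # Connection tracking: load no conntrack helpers (FTP, IRC, ...) and
    # do not auto-load them. Helpers parse packet payloads to open related
    # ports; none of the allowed services need them, so keeping them off
    # removes that parsing from the attack surface.
    connectionTrackingModules = [];
    autoLoadConntrackHelpers = false;

    # Raw rules appended to INPUT before the NixOS "nixos-fw" chain.
    # `ip46tables` is the helper defined by the NixOS firewall script: it
    # applies each rule with `iptables -w` and, when IPv6 is enabled,
    # `ip6tables -w`, so the limits below cover IPv6 as well as IPv4
    # (plain `iptables` would leave IPv6 unrestricted) and wait for the
    # xtables lock instead of failing on contention.
    # NOTE: extraCommands are only honoured by the iptables backend; they
    # are not applied when networking.nftables.enable is set.
    extraCommands = ''
      # Cap concurrent TCP connections from a single source address.
      ip46tables -A INPUT -p tcp --syn -m connlimit --connlimit-above 50 -j DROP
      # SSH brute-force limiting: record every new connection to port 22,
      # then drop the source once it has opened 4 within 60 s. Port 22 is
      # not in allowedTCPPorts here, so this only matters if SSH is opened
      # elsewhere (e.g. services.openssh.openFirewall).
      # `-m conntrack --ctstate NEW` is the modern form of `-m state --state NEW`.
      ip46tables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set
      ip46tables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
    '';
    # Remove exactly the rules added above on stop/reload. Each rule spec
    # must match its -A line token for token, otherwise the delete fails
    # and the rules accumulate in INPUT on every reload. Errors are
    # ignored because the rules do not exist yet on first start.
    extraStopCommands = ''
      ip46tables -D INPUT -p tcp --syn -m connlimit --connlimit-above 50 -j DROP 2>/dev/null || true
      ip46tables -D INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set 2>/dev/null || true
      ip46tables -D INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 -j DROP 2>/dev/null || true
    '';
  };

  networking.nameservers = [ "1.1.1.1" "9.9.9.9" ];
  services.resolved = {
    enable = true;
    # "opportunistic" uses TLS when the upstream offers it but falls back
    # to plaintext otherwise and does not authenticate the server, so it
    # does not stop an active downgrade. For strict DoT set this to "true"
    # and list the servers in "ip#hostname" form so the certificate can be
    # validated against the hostname.
    dnsovertls = "opportunistic";
    fallbackDns = [ "1.0.0.1" "149.112.112.112" ];
  };
}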