summaryrefslogtreecommitdiffstats
path: root/old/modules/lass/base.nix
diff options
context:
space:
mode:
Diffstat (limited to 'old/modules/lass/base.nix')
-rw-r--r--old/modules/lass/base.nix61
1 files changed, 40 insertions, 21 deletions
diff --git a/old/modules/lass/base.nix b/old/modules/lass/base.nix
index 3a8d879eb..159372a24 100644
--- a/old/modules/lass/base.nix
+++ b/old/modules/lass/base.nix
@@ -3,6 +3,7 @@
{
imports = [
./sshkeys.nix
+ ./iptables
];
nix.useChroot = true;
@@ -65,6 +66,10 @@
'';
};
+ security.setuidPrograms = [
+ "sendmail"
+ ];
+
services.gitolite = {
enable = true;
dataDir = "/home/gitolite";
@@ -84,27 +89,41 @@
RuntimeMaxUse=128M
'';
- networking.firewall = {
+ lass.iptables = {
enable = true;
-
- allowedTCPPorts = [
- 22
- ];
-
- extraCommands = ''
- iptables -A INPUT -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED
- iptables -A INPUT -j ACCEPT -i lo
- iptables -A INPUT -j ACCEPT -p icmp
-
- #iptables -N Retiolum
- iptables -A INPUT -j Retiolum -i retiolum
- iptables -A Retiolum -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED
- iptables -A Retiolum -j REJECT -p tcp --reject-with tcp-reset
- iptables -A Retiolum -j REJECT -p udp --reject-with icmp-port-unreachable
- iptables -A Retiolum -j REJECT --reject-with icmp-proto-unreachable
- iptables -A Retiolum -j REJECT
- '';
-
- extraStopCommands = "iptables -F";
+ tables = {
+ filter.INPUT.policy = "DROP";
+ filter.FORWARD.policy = "DROP";
+ filter.INPUT.rules = [
+ { predicate = "-i lo"; target = "ACCEPT"; }
+ { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; }
+ { predicate = "-p icmp"; target = "ACCEPT"; }
+ { predicate = "-p tcp --dport 22"; target = "ACCEPT"; }
+ ];
+ };
};
+
+ #Networking.firewall = {
+ # enable = true;
+
+ # allowedTCPPorts = [
+ # 22
+ # ];
+
+ # extraCommands = ''
+ # iptables -A INPUT -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED
+ # iptables -A INPUT -j ACCEPT -i lo
+ # #http://serverfault.com/questions/84963/why-not-block-icmp
+ # iptables -A INPUT -j ACCEPT -p icmp
+
+ # #TODO: fix Retiolum firewall
+ # #iptables -N RETIOLUM
+ # #iptables -A INPUT -j RETIOLUM -i retiolum
+ # #iptables -A RETIOLUM -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED
+ # #iptables -A RETIOLUM -j REJECT -p tcp --reject-with tcp-reset
+ # #iptables -A RETIOLUM -j REJECT -p udp --reject-with icmp-port-unreachable
+ # #iptables -A RETIOLUM -j REJECT --reject-with icmp-proto-unreachable
+ # #iptables -A RETIOLUM -j REJECT
+ # '';
+ #};
}
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-01 07:46:09 +0000
[cgit] Unable to lock slot /tmp/cgit/b0000000.lock: No such file or directory (2)