diff --git a/nixos/lib/vargen/main.go b/nixos/lib/vargen/main.go
index fe19284..62ad83c 100644
--- a/nixos/lib/vargen/main.go
+++ b/nixos/lib/vargen/main.go
@@ -100,6 +100,7 @@ func main() {
 // TODO: this is a hack, we should make a Service type or similar.
 ServerIPv4: server.IPv4,
 ServerIPv6: server.IPv6.GUA,
+ DesktopIPv4: desktop.IPv4,
 DesktopIPv6: desktop.IPv6.GUA,
 Hosts: hosts{
 Servers: []host{
@@ -257,6 +258,7 @@ func wanIPv6Prefix() netip.Prefix {
 type output struct {
 ServerIPv4 netip.Addr `json:"server_ipv4"`
 ServerIPv6 netip.Addr `json:"server_ipv6"`
+ DesktopIPv4 netip.Addr `json:"desktop_ipv4"`
 DesktopIPv6 netip.Addr `json:"desktop_ipv6"`
 Hosts hosts `json:"hosts"`
 Interfaces map[string]iface `json:"interfaces"`
diff --git a/nixos/lib/vars.json b/nixos/lib/vars.json
index 1057636..728011f 100644
--- a/nixos/lib/vars.json
+++ b/nixos/lib/vars.json
@@ -1,6 +1,7 @@
 {
 "server_ipv4": "192.168.1.10",
 "server_ipv6": "2600:6c4a:787f:5e00:6d9:f5ff:fe7e:1c47",
+ "desktop_ipv4": "192.168.1.7",
 "desktop_ipv6": "2600:6c4a:787f:5e00:7656:3cff:fe43:7337",
 "hosts": {
 "servers": [
diff --git a/nixos/lib/vars.nix b/nixos/lib/vars.nix
index 1988c56..097a8ed 100644
--- a/nixos/lib/vars.nix
+++ b/nixos/lib/vars.nix
@@ -8,6 +8,7 @@ let
 server_ipv4 = gen.server_ipv4;
 server_ipv6 = gen.server_ipv6;
+ desktop_ipv4 = gen.desktop_ipv4;
 desktop_ipv6 = gen.desktop_ipv6;
 in {
@@ -17,6 +18,7 @@ in {
 inherit server_ipv4;
 inherit server_ipv6;
+ inherit desktop_ipv4;
 inherit desktop_ipv6;
 domain = "lan.servnerr.com";
diff --git a/nixos/routnerr-3/nftables.nix b/nixos/routnerr-3/nftables.nix
index 8c20eee..48aa96b 100644
--- a/nixos/routnerr-3/nftables.nix
+++ b/nixos/routnerr-3/nftables.nix
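Review bot: The new `DesktopIPv4: desktop.IPv4,` line feeds an address straight into the generated vars.json that the firewall's DNAT and forward rules interpolate, but nothing in the hunk checks that the address is actually set; a zero `netip.Addr` marshals to the empty string, so an unset desktop address would render as `ip daddr  udp dport …` and only fail when the nftables ruleset is checked or loaded, not at generation time. If `desktop.IPv4` can be unset (where `desktop` is built is outside the hunk, so I can't tell), guard it before the output literal is built, e.g. `if !desktop.IPv4.IsValid() { /* report: desktop IPv4 address is not set, using whatever main already uses for fatal errors */ }`. main() starts and ends outside the hunk; the matching struct field in the hunk at line 258 needs no change.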
@@ -15,7 +15,10 @@ let
 mdns = "5353";
 plex = "32400";
 ssh = "22";
- tailscale = "41461";
+ # Different tailscaled ports for different devices to avoid messing with
+ # poking nftables firewall holes with miniupnpd or similar.
+ tailscale_router = "41461";
+ tailscale_desktop = "41642";
 wireguard = "51820";
 };
@@ -119,7 +122,7 @@ in {
 # router UDP
 udp dport {
- ${ports.tailscale},
+ ${ports.tailscale_router},
 ${ports.wireguard},
 } counter accept comment "router WAN UDP"
@@ -240,6 +243,10 @@ in {
 ip daddr ${vars.server_ipv4} tcp dport ${ports.plex} counter accept comment "server IPv4 Plex"
 ip6 daddr ${vars.server_ipv6} tcp dport ${ports.plex} counter accept comment "server IPv6 Plex"
+ # Tailscale running on desktop.
+ ip daddr ${vars.desktop_ipv4} udp dport ${ports.tailscale_desktop} counter accept comment "desktop IPv4 Tailscale"
+ ip6 daddr ${vars.desktop_ipv6} udp dport ${ports.tailscale_desktop} counter accept comment "desktop IPv6 Tailscale"
+
 counter reject
 }
@@ -267,6 +274,10 @@ in {
 ${ports.plex},
 } dnat ${vars.server_ipv4} comment "server TCPv4 DNAT"
+ udp dport {
+ ${ports.tailscale_desktop},
+ } dnat ${vars.desktop_ipv4} comment "desktop UDPv4 DNAT"
+
 accept
 }
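Review bot: Removing `tailscale = "41461";` from the `ports` attrset while only rewriting the one reference in the router WAN UDP set (hunk at line 122) means any other `${ports.tailscale}` left elsewhere in this file, outside the shown hunks, would now fail Nix evaluation with a missing-attribute error rather than a clear message. Worth grepping the file before merge, or keeping `tailscale = "41461";` as an alias for one release if other rules still use it. The new comment could also say what a reader of the two numbers needs, e.g. `# Each device's tailscaled listens on its own UDP port so a WAN hole can be opened per host without miniupnpd poking holes in the firewall.` The `let` block these entries belong to starts before the hunk.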
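Review bot: The new `udp dport { ${ports.tailscale_desktop}, } dnat ${vars.desktop_ipv4}` rule opens a WAN path to the desktop that only does anything if the desktop's tailscaled is pinned to the same port, and nothing in this diff records that coupling; presumably the desktop's config sets `tailscaled --port` to 41642, but a reader of nftables.nix alone cannot tell the number is not free to change. Add a one-line comment on the DNAT rule (and the matching forward accepts in the hunk at line 243): `# Desktop tailscaled must listen on ports.tailscale_desktop (tailscaled --port).` The nat chain this rule sits in starts and ends outside the hunk.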