felschr/nixos-config
1
1
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity

fix: allow incoming traffic to web server to bypass tailscale

Browse source
This commit is contained in:
Felix Schröter 2024-01-25 02:15:35 +01:00
parent 41a222bc8f
commit 7bb4b02d52
Signed by: felschr
GPG key ID: 671E39E6744C807D
2 changed files with 21 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

18
system/server.nix
View file

@ -5,4 +5,22 @@
# use xserver without display manager # use xserver without display manager
services.xserver.displayManager.startx.enable = true; services.xserver.displayManager.startx.enable = true;
# Allow web server to be accessible when running Tailscale with exit node
networking.nftables.enable = true;
networking.nftables.ruleset = ''
table inet allow-incoming-traffic {
chain allow-incoming {
type filter hook input priority -100; policy accept;
tcp dport {80, 443} meta mark set 0x80000;
udp dport {80, 443} meta mark set 0x80000;
}
chain allow-outgoing {
type route hook output priority -100; policy accept;
tcp sport {80, 443} meta mark set 0x80000;
udp sport {80, 443} meta mark set 0x80000;
}
}
'';
} }

5
system/vpn.nix
View file

@ -36,10 +36,11 @@ in {
${cfg.package}/bin/tailscale up ${lib.escapeShellArgs cfg.extraUpFlags} ${cfg.package}/bin/tailscale up ${lib.escapeShellArgs cfg.extraUpFlags}
${cfg.package}/bin/tailscale cert ${tailnetHost} ${cfg.package}/bin/tailscale cert ${tailnetHost}
chown nginx:nginx /var/lib/tailscale/certs/${tailnetHost}.{key,crt}
''; '';
services.nginx.virtualHosts.${tailnetHost} = { services.nginx.virtualHosts.${tailnetHost} = {
sslCertificate = "/var/lib/tailscale/certs/${tailnetHost}.key"; sslCertificate = "/var/lib/tailscale/certs/${tailnetHost}.crt";
sslCertificateKey = "/var/lib/tailscale/certs/${tailnetHost}.crt"; sslCertificateKey = "/var/lib/tailscale/certs/${tailnetHost}.key";
}; };
} }