From c90efc40f8080265c92d9c3625e6d45ca3023e4b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felix=20Schr=C3=B6ter?=
Date: Sat, 29 Apr 2023 21:13:21 +0200
Subject: [PATCH] feat(system): enable Mullvad VPN for server

Configure it to exclude incoming traffic for web server.
---
 home-server.nix | 1 -
 system/server.nix | 23 ++++++++++++++++++++++-
 2 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/home-server.nix b/home-server.nix
index 3847689..c5c0d00 100644
--- a/home-server.nix
+++ b/home-server.nix
@@ -106,7 +106,6 @@ in with builtins; {
 services.nginx = {
 enable = true;
- recommendedTlsSettings = true;
 recommendedOptimisation = true;
 recommendedGzipSettings = true;
diff --git a/system/server.nix b/system/server.nix
index b2337d3..f961f3f 100644
--- a/system/server.nix
+++ b/system/server.nix
@@ -1,8 +1,29 @@
 { config, pkgs, ... }: {
- imports = [ ./common.nix ];
+ imports = [ ./common.nix ./vpn.nix ];
 # use xserver without display manager
 services.xserver.displayManager.startx.enable = true;
+
+ # Allow web server to be accessible outside of Mullvad VPN
+ networking.firewall.extraCommands = ''
+ ${pkgs.nftables}/bin/nft -f ${
+ pkgs.writeText "mullvad-incoming" ''
+ table inet allow-incoming-traffic {
+ chain allow-incoming {
+ type filter hook input priority -100; policy accept;
+ tcp dport {80, 443} ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
+ udp dport {80, 443} ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
+ }
+
+ chain allow-outgoing {
+ type route hook output priority -100; policy accept;
+ tcp sport {80, 443} ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
+ udp sport {80, 443} ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
+ }
+ }
+ ''
+ }
+ '';
 }
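Review bot: The nft script produced by `pkgs.writeText "mullvad-incoming"` in system/server.nix is not idempotent: `networking.firewall.extraCommands` runs on every firewall start or reload, and feeding `nft -f` a declaration for a table that already exists appends the chain rules again, so each `nixos-rebuild switch` adds another copy of the four mark rules while nothing in this hunk removes the table when the firewall stops. Start the script with the add/delete pair so the table is recreated atomically in one transaction, and tear it down in `networking.firewall.extraStopCommands`, as in the excerpt below. Note also that `extraCommands` is the hook of the iptables-based firewall; if `./vpn.nix` (not in this diff) enables `networking.nftables`, that backend does not honour this hook and the table would belong in `networking.nftables.tables` instead — worth confirming before merging. The `allow-outgoing` chain matches any packet with `sport {80, 443}`; matching `ct mark 0x00000f41` there instead would exempt only replies to connections already marked in `allow-incoming`, rather than any locally originated flow that happens to use those source ports. Separately, the first hunk drops `recommendedTlsSettings = true;` from the nginx block in home-server.nix, which is unrelated to the VPN change and not mentioned in the commit message; since it removes the module's hardened TLS defaults it deserves its own rationale or its own commit.
```nix
  networking.firewall.extraCommands = ''
    ${pkgs.nftables}/bin/nft -f ${
      pkgs.writeText "mullvad-incoming" ''
        # (re)create the table atomically so a reload never appends duplicate rules
        add table inet allow-incoming-traffic
        delete table inet allow-incoming-traffic
        table inet allow-incoming-traffic {
          # … unchanged: allow-incoming and allow-outgoing chains …
        }
      ''
    }
  '';
  # the iptables-based firewall only flushes its own chains on stop
  networking.firewall.extraStopCommands = ''
    ${pkgs.nftables}/bin/nft delete table inet allow-incoming-traffic 2>/dev/null || true
  '';
```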