sigma: routingPolicyRules priorities

Without this, the rule to allow local network hosts direct access to the
sigma-public address might be shadowed by the rule to send traffic from
that address out through wireguard.
Casper V. Kristensen 2024-05-10 16:44:08 +02:00
parent c2dc5cb7aa
commit aec0ac95d5


@ -51,9 +51,12 @@
address = ["49.13.33.75/32"]; address = ["49.13.33.75/32"];
routingPolicyRules = [ routingPolicyRules = [
{ {
# See the AllowedIPs comment above for why this is necessary # The postfix systemd service has
# RestrictNetworkInterfaces=wg-sigma-public, but that does not tell
# it to use the correct routing table.
routingPolicyRuleConfig = { routingPolicyRuleConfig = {
From = "49.13.33.75/32"; Priority = 10;
User = config.services.postfix.user;
Table = "wg-sigma-public"; Table = "wg-sigma-public";
}; };
} }
@ -62,17 +65,17 @@
# public address instead of routing the packet through Wireguard and # public address instead of routing the packet through Wireguard and
# back again. # back again.
routingPolicyRuleConfig = { routingPolicyRuleConfig = {
Priority = 500;
From = "49.13.33.75/32"; From = "49.13.33.75/32";
To = "192.168.0.0/24"; To = "192.168.0.0/24";
Table = "main"; Table = "main";
}; };
} }
{ {
# The postfix systemd service has # See the AllowedIPs comment above for why this is necessary
# RestrictNetworkInterfaces=wg-sigma-public, but that does not tell
# it to use the correct routing table.
routingPolicyRuleConfig = { routingPolicyRuleConfig = {
User = config.services.postfix.user; Priority = 1000;
From = "49.13.33.75/32";
Table = "wg-sigma-public"; Table = "wg-sigma-public";
}; };
} }
@ -108,21 +111,23 @@
name = "wg-sigma-p2p"; name = "wg-sigma-p2p";
address = ["${secrets.sigma.sigma-p2p-ip-address}/32"]; address = ["${secrets.sigma.sigma-p2p-ip-address}/32"];
routingPolicyRules = [ routingPolicyRules = [
{
routingPolicyRuleConfig = {
From = "${secrets.sigma.sigma-p2p-ip-address}/32";
Table = "wg-sigma-p2p";
};
}
{ {
# The deluge systemd service has # The deluge systemd service has
# RestrictNetworkInterfaces=wg-sigma-p2p, but that does not tell it # RestrictNetworkInterfaces=wg-sigma-p2p, but that does not tell it
# to use the correct routing table. # to use the correct routing table.
routingPolicyRuleConfig = { routingPolicyRuleConfig = {
Priority = 10;
User = config.services.deluge.user; User = config.services.deluge.user;
Table = "wg-sigma-p2p"; Table = "wg-sigma-p2p";
}; };
} }
{
routingPolicyRuleConfig = {
Priority = 1000;
From = "${secrets.sigma.sigma-p2p-ip-address}/32";
Table = "wg-sigma-p2p";
};
}
]; ];
}; };
}; };
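Review bot: The three priority values (10, 500, 1000) now encode the whole ordering these rule sets depend on, but nothing in the hunks states that ordering, so the next rule added without a `Priority` will silently land wherever the kernel assigns it and may reintroduce the shadowing this commit fixes. I would add a comment at the head of each `routingPolicyRules` list, e.g. `# Lower Priority wins: 10 = per-user rules, 500 = local-network exceptions via main, 1000 = source-address catch-all into the WireGuard table; all sit before the kernel's default main lookup at 32766.`, and the same wording in the wg-sigma-p2p section. Note also that the postfix rule at priority 10 precedes the 192.168.0.0/24 exception at 500, so postfix traffic to the local network is looked up in `wg-sigma-public` rather than `main`; if that table has no route to the LAN, postfix cannot reach local hosts — presumably intended given RestrictNetworkInterfaces, but worth stating in the comment so it is not read as an oversight. The enclosing attribute set begins before the first hunk, so the surrounding netdev/network definitions are not visible here.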