diff --git a/config/framework13-system.org b/config/framework13-system.org
index c331eb9..cd11a2c 100644
--- a/config/framework13-system.org
+++ b/config/framework13-system.org
@@ -216,7 +216,7 @@ use dovecot for local IMAP
 *** iptables
-=iptables= configuration to allow SSH on port 22, IMAPS on 993, mDNS and local smb for 192.168.0.0/16
+=iptables= configuration to allow SSH on port 22, IMAPS on 993, wireguard (wg0), mDNS and local smb for 192.168.0.0/16
 #+BEGIN_SRC scheme :session
 (service iptables-service-type
@@ -245,6 +245,8 @@ COMMIT
 -A INPUT -p tcp --dport 22 -j ACCEPT
 -A INPUT -p tcp --dport 993 -j ACCEPT
 -A INPUT -p udp -m udp --dport 5353 -j ACCEPT
+-A INPUT -p udp -m udp --dport 51820 -j ACCEPT
+-A INPUT -i wg0 -m state --state ESTABLISHED,RELATED -j ACCEPT
 -A INPUT -p udp -m udp -s 192.168.0.0/16 --dport 137 -j ACCEPT
 -A INPUT -p udp -m udp -s 192.168.0.0/16 --dport 138 -j ACCEPT
 -A INPUT -m state --state NEW -m tcp -p tcp -s 192.168.0.0/16 --dport 139 -j ACCEPT
@@ -260,24 +262,24 @@ COMMIT
 details can be found (and mostly ignored) in [[https://guix.gnu.org/cookbook/en/html_node/Connecting-to-Wireguard-VPN.html][Connecting to Wireguard VPN]] section of the cookbook
 #+BEGIN_SRC scheme :session
- (service wireguard-service-type
+ (service wireguard-service-type
 (wireguard-configuration
- (addresses '("10.0.0.23" "fd24:609a:6c18::23")
- (port 51820)))
+ (addresses '("10.0.0.23" "fd24:609a:6c18::23"))
+ (port 51820)
 (peers
 (list
 (wireguard-peer
 (name "lmn")
 (endpoint "example.org:51820")
 (public-key "WHmVhvgxkBxk8fqZU6pWEaH4iVzOcud9JQivwRsaIE8=")
- (allowed-ips '("10.0.0.1/32"))
+ (allowed-ips '("10.0.0.1/32" "fd24:609a:6c18::1"))
 (keep-alive 25))
 (wireguard-peer
 (name "beryllium")
 (endpoint "example.org:51820")
 (public-key "taeID3fNgci9OpE+1UYkS4DYZE6DIlhpLQL1BVN9sg8=")
- (allowed-ips '("10.0.0.13/32"))
- (keep-alive 25)))))
+ (allowed-ips '("10.0.0.13/32" "fd24:609a:6c18::13"))
+ (keep-alive 25))))))
 #+END_SRC
 *** display manager
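Review bot: The added `-A INPUT -i wg0 -m state --state ESTABLISHED,RELATED -j ACCEPT` admits only reply traffic on the tunnel, so a peer initiating a connection over wg0 is accepted only where an interface-independent port rule already exists (22, 993, 5353 above) and otherwise falls to the chain's default policy, which is outside the hunk; if that is the intent, the heading's new "wireguard (wg0)" wording overstates it, and a comment inside the rule block such as `# wg0: replies only; peers do not get a blanket ACCEPT` would make it explicit. If an interface-independent ESTABLISHED,RELATED rule precedes these lines (not visible here), the wg0 rule is redundant and could be dropped. `-m state` is the legacy spelling; `-m conntrack --ctstate ESTABLISHED,RELATED` is the current equivalent. The port 51820 is also written literally in the `(port 51820)` form of the wireguard hunk below, so the two copies must be kept in sync by hand. The same two rules are tangled into config/framework13-system.scm in the second hunk of that file, which needs no separate change.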
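Review bot: The IPv6 entries added to `allowed-ips` carry no prefix length (`"fd24:609a:6c18::1"`, `"fd24:609a:6c18::13"`) while the IPv4 entries beside them are an explicit `/32`; since `allowed-ips` is WireGuard's cryptokey-routing ACL, spell the single-host intent out as `"fd24:609a:6c18::1/128"` and `"fd24:609a:6c18::13/128"` so a reader need not know that a bare address is taken as a host route and cannot mistake it for a wider range. The paren fix that moves `(port 51820)` out of the `addresses` list is correct but silent; a one-line comment above the `(service wireguard-service-type` form, `;; wg0: this host is 10.0.0.23 / fd24:609a:6c18::23; each peer may only source its own single address`, would record the invariant the next edit has to keep. The identical hunk appears in config/framework13-system.scm, which is tangled from this file and so follows automatically.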
diff --git a/config/framework13-system.scm b/config/framework13-system.scm
index 843d54d..330f3b3 100644
--- a/config/framework13-system.scm
+++ b/config/framework13-system.scm
@@ -1,6 +1,6 @@
 ;; -*- mode: scheme; coding: utf-8; -*-
 ;;
-;; tangled from framework13-system.org on 2024-01-23 17:18:20+01:00)
+;; tangled from framework13-system.org on 2024-01-23 17:38:17+01:00)
 (use-modules (gnu)
 (gnu packages)
@@ -149,6 +149,8 @@ COMMIT
 -A INPUT -p tcp --dport 22 -j ACCEPT
 -A INPUT -p tcp --dport 993 -j ACCEPT
 -A INPUT -p udp -m udp --dport 5353 -j ACCEPT
+-A INPUT -p udp -m udp --dport 51820 -j ACCEPT
+-A INPUT -i wg0 -m state --state ESTABLISHED,RELATED -j ACCEPT
 -A INPUT -p udp -m udp -s 192.168.0.0/16 --dport 137 -j ACCEPT
 -A INPUT -p udp -m udp -s 192.168.0.0/16 --dport 138 -j ACCEPT
 -A INPUT -m state --state NEW -m tcp -p tcp -s 192.168.0.0/16 --dport 139 -j ACCEPT
@@ -158,24 +160,24 @@ COMMIT
 COMMIT
 "))))
- (service wireguard-service-type
+ (service wireguard-service-type
 (wireguard-configuration
- (addresses '("10.0.0.23" "fd24:609a:6c18::23")
- (port 51820)))
+ (addresses '("10.0.0.23" "fd24:609a:6c18::23"))
+ (port 51820)
 (peers
 (list
 (wireguard-peer
 (name "lmn")
 (endpoint "example.org:51820")
 (public-key "WHmVhvgxkBxk8fqZU6pWEaH4iVzOcud9JQivwRsaIE8=")
- (allowed-ips '("10.0.0.1/32"))
+ (allowed-ips '("10.0.0.1/32" "fd24:609a:6c18::1"))
 (keep-alive 25))
 (wireguard-peer
 (name "beryllium")
 (endpoint "example.org:51820")
 (public-key "taeID3fNgci9OpE+1UYkS4DYZE6DIlhpLQL1BVN9sg8=")
- (allowed-ips '("10.0.0.13/32"))
- (keep-alive 25)))))
+ (allowed-ips '("10.0.0.13/32" "fd24:609a:6c18::13"))
+ (keep-alive 25))))))
 ;; (service sddm-service-type
 ;; (sddm-configuration