colin/nix-files
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

hosts/common: net: split upnp config into own file

Browse Source
This commit is contained in:
Colin
2024-01-15 01:12:09 +00:00
parent 006a7e9f72
commit a7964c4f0c
2 changed files with 22 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
hosts/common/net/default.nix
View File

@@ -1,8 +1,9 @@
{ lib, pkgs, ... }: { lib, ... }:
{ {
imports = [ imports = [
./hostnames.nix ./hostnames.nix
./upnp.nix
./vpn.nix ./vpn.nix
]; ];
# the default backend is "wpa_supplicant". # the default backend is "wpa_supplicant".
@@ -39,24 +40,6 @@
# e.g. openconnect drags in webkitgtk (for SSO)! # e.g. openconnect drags in webkitgtk (for SSO)!
networking.networkmanager.plugins = lib.mkForce []; networking.networkmanager.plugins = lib.mkForce [];
networking.firewall.allowedUDPPorts = [
# to receive UPnP advertisements. required by sane-ip-check.
# N.B. sane-ip-check isn't query/response based. it needs to receive on port 1900 -- not receive responses FROM port 1900.
1900
];
networking.firewall.extraCommands = with pkgs; ''
# after an outgoing SSDP query to the multicast address, open FW for incoming responses.
# necessary for anything DLNA, especially go2tv
# source: <https://serverfault.com/a/911286>
# context: <https://github.com/alexballas/go2tv/issues/72>
# ipset -! means "don't fail if set already exists"
${ipset}/bin/ipset create -! upnp hash:ip,port timeout 10
${iptables}/bin/iptables -A OUTPUT -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j SET --add-set upnp src,src --exist
${iptables}/bin/iptables -A INPUT -p udp -m set --match-set upnp dst,dst -j ACCEPT
'';
# keyfile.path = where networkmanager should look for connection credentials # keyfile.path = where networkmanager should look for connection credentials
networking.networkmanager.extraConfig = '' networking.networkmanager.extraConfig = ''
[keyfile] [keyfile]

20
hosts/common/net/upnp.nix Normal file
View File

@@ -0,0 +1,20 @@
{ pkgs, ... }:
{
networking.firewall.allowedUDPPorts = [
# to receive UPnP advertisements. required by sane-ip-check.
# N.B. sane-ip-check isn't query/response based. it needs to receive on port 1900 -- not receive responses FROM port 1900.
1900
];
networking.firewall.extraCommands = with pkgs; ''
# after an outgoing SSDP query to the multicast address, open FW for incoming responses.
# necessary for anything DLNA, especially go2tv
# source: <https://serverfault.com/a/911286>
# context: <https://github.com/alexballas/go2tv/issues/72>
# ipset -! means "don't fail if set already exists"
${ipset}/bin/ipset create -! upnp hash:ip,port timeout 10
${iptables}/bin/iptables -A OUTPUT -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j SET --add-set upnp src,src --exist
${iptables}/bin/iptables -A INPUT -p udp -m set --match-set upnp dst,dst -j ACCEPT
'';
}