From b7d12303a3ec25c1099d9481e7e8ee7ff53228c2 Mon Sep 17 00:00:00 2001 From: dadada Date: Mon, 4 Mar 2024 22:10:18 +0100 Subject: [PATCH] remove service VLAN and route to backup1 using wireguard --- nixos/agares/dns.nix | 1 + nixos/agares/network.nix | 13 +---------- nixos/agares/rules.nft | 28 +++++------------------ nixos/gorgon/configuration.nix | 1 - nixos/modules/profiles/base.nix | 5 +++++ nixos/ninurta/configuration.nix | 40 ++++++++------------------------- nixos/surgat/configuration.nix | 18 +++++++-------- 7 files changed, 30 insertions(+), 76 deletions(-) diff --git a/nixos/agares/dns.nix b/nixos/agares/dns.nix index 075859d..bba7c55 100644 --- a/nixos/agares/dns.nix +++ b/nixos/agares/dns.nix @@ -43,6 +43,7 @@ "\"ninurta.bs.dadada.li. 10800 IN A 192.168.101.184\"" "\"agares.bs.dadada.li. 10800 IN AAAA fd42:9c3b:f96d:101::1\"" "\"ninurta.bs.dadada.li. 10800 IN AAAA fd42:9c3b:f96d:101:4a21:bff:fe3e:9cfe\"" + "\"backup1.dadada.li. 10800 IN AAAA fd42:9c3b:f96d:101:4a21:bff:fe3e:9cfe\"" ]; local-zone = [ "\"168.192.in-addr.arpa.\" nodefault" diff --git a/nixos/agares/network.nix b/nixos/agares/network.nix index f0950e2..0eeaa44 100644 --- a/nixos/agares/network.nix +++ b/nixos/agares/network.nix @@ -40,15 +40,6 @@ in Id = 11; }; }; - "20-srv" = { - netdevConfig = { - Kind = "vlan"; - Name = "srv.13"; - }; - vlanConfig = { - Id = 13; - }; - }; "20-roadw" = { netdevConfig = { Kind = "wireguard"; @@ -124,7 +115,7 @@ in in { "10-mgmt" = subnet "enp1s0" "100" // { - networkConfig.VLAN = [ "lan.10" "ff.11" "srv.13" ]; + networkConfig.VLAN = [ "lan.10" "ff.11" ]; dhcpServerStaticLeases = [ { # legion @@ -163,8 +154,6 @@ in "30-ff" = subnet "ff.11" "102"; - "30-srv" = subnet "srv.13" "103"; - "30-ifb4ppp0" = { name = "ifb4ppp0"; extraConfig = '' diff --git a/nixos/agares/rules.nft b/nixos/agares/rules.nft index ca574d7..a270aab 100644 --- a/nixos/agares/rules.nft +++ b/nixos/agares/rules.nft 
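Review bot: The new `backup1.dadada.li` local-data entry is AAAA-only, whereas the neighbouring `ninurta.bs.dadada.li` lines publish both A and AAAA for the same host, so an IPv4-only client on the LAN cannot resolve the backup target at all. It also repeats ninurta's address that this commit hard-codes again in `profiles/base.nix` and in surgat's AllowedIPs, so a change of that address has to be made in three places. If IPv6-only is intentional, say so next to the record, e.g. `# backup1 = ninurta's LAN address (IPv6 only); also pinned in profiles/base.nix and surgat's AllowedIPs`; otherwise add the matching `"\"backup1.dadada.li. 10800 IN A 192.168.101.184\""` line.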
@@ -4,7 +4,6 @@ define IF_MGMT = "enp1s0" define IF_FF = "ff.11" define IF_LAN = "lan.10" define IF_WAN = "ppp0" -define IF_SRV = "srv.13" # Modem uses this for internet uplink via our WAN define IF_MODEM = "enp2s0" @@ -51,10 +50,6 @@ table inet filter { counter accept comment "Accept all traffic from MGMT" } - chain input_srv { - counter accept comment "Accept all traffic from services" - } - chain input_roadw { counter accept comment "Accept all traffic from roadwarriors" } @@ -69,23 +64,13 @@ table inet filter { udp dport { 53, 67 } accept comment "Allow DNS and DHCP from Freifunk" } - chain input_srv { - jump input_icmp_untrusted - - # DHCP - meta nfproto ipv6 udp dport 547 accept comment "Allow DHCPv6 client" - - # Allow DNS and DHCP from SRV - udp dport { 53, 67 } accept comment "Allow DNS and DHCP from services" - } - chain input { type filter hook input priority filter; policy drop; ct state {established, related} counter accept comment "Accept packets from established and related connections" ct state invalid counter drop comment "Early drop of invalid packets" - iifname vmap { lo : accept, $IF_WAN : jump input_wan, $IF_LAN : jump input_lan, $IF_FF : jump input_ff, $IF_ROADW : jump input_roadw, $IF_MODEM : jump input_modem, $IF_MGMT : jump input_mgmt, $IF_SRV : jump input_srv } + iifname vmap { lo : accept, $IF_WAN : jump input_wan, $IF_LAN : jump input_lan, $IF_FF : jump input_ff, $IF_ROADW : jump input_roadw, $IF_MODEM : jump input_modem, $IF_MGMT : jump input_mgmt } } # Only works if hardware flow offloading is available 
@@ -117,13 +102,10 @@ table inet filter { iifname { $IF_LAN, $IF_ROADW } counter accept comment "Allow all traffic forwarding from LAN and roadwarrior to all interfaces, except to mgmt" # FF -> WAN - iifname { $IF_FF, $IF_SRV } oifname $IF_WAN counter accept comment "Allow all traffic forwarding from Freifunk and services to WAN" + iifname { $IF_FF } oifname $IF_WAN counter accept comment "Allow all traffic forwarding from Freifunk and services to WAN" - # { WAN, SRV } -> { FF, LAN, RW, SRV } - iifname { $IF_WAN, $IF_SRV } oifname { $IF_FF, $IF_LAN, $IF_ROADW, $IF_SRV } ct state established,related counter accept comment "Allow established back from WAN and SRV" - - # WAN -> SRV - iifname $IF_WAN oifname $IF_SRV tcp dport ssh accept comment "Allow all SSH traffic forwarding from WAN to services" + # { WAN } -> { FF, LAN, RW } + iifname { $IF_WAN } oifname { $IF_FF, $IF_LAN, $IF_ROADW } ct state established,related counter accept comment "Allow established back from WAN" } chain output { @@ -145,6 +127,6 @@ table ip nat { table arp filter { chain input { type filter hook input priority filter; policy drop; - iifname { $IF_MGMT, $IF_LAN, $IF_FF, $IF_SRV, $IF_MODEM } limit rate 1/second burst 2 packets accept comment "Limit number of ARP messages from LAN, FF, MGMT, SRV, modem" + iifname { $IF_MGMT, $IF_LAN, $IF_FF, $IF_MODEM } limit rate 1/second burst 2 packets accept comment "Limit number of ARP messages from LAN, FF, MGMT, modem" } } diff --git a/nixos/gorgon/configuration.nix b/nixos/gorgon/configuration.nix index ff84f55..360b612 100644 --- a/nixos/gorgon/configuration.nix +++ b/nixos/gorgon/configuration.nix @@ -158,7 +158,6 @@ in }; networking.hosts = { - "10.1.2.9" = [ "fgprinter.fginfo.tu-bs.de" ]; "127.0.0.2" = [ "kanboard.dadada.li" ]; }; diff --git a/nixos/modules/profiles/base.nix b/nixos/modules/profiles/base.nix index ca22bec..d2930a7 100644 --- a/nixos/modules/profiles/base.nix +++ b/nixos/modules/profiles/base.nix 
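Review bot: The rewritten forward rule keeps the comment `"Allow all traffic forwarding from Freifunk and services to WAN"` although this commit removes the services VLAN, and it wraps a single interface in set syntax; the comment is what an operator sees in `nft list ruleset`, so a stale one misleads. Suggest `iifname $IF_FF oifname $IF_WAN counter accept comment "Allow all traffic forwarding from Freifunk to WAN"`, and likewise `iifname $IF_WAN oifname { $IF_FF, $IF_LAN, $IF_ROADW } ct state established,related counter accept comment "Allow established back from WAN"` for the rule below it. The `# FF -> WAN` section header above is still accurate; the forward chain continues outside this hunk.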
@@ -54,6 +54,11 @@ in }; networking.networkmanager.dns = mkDefault "systemd-resolved"; + + networking.hosts = { + "fd42:9c3b:f96d:101:4a21:bff:fe3e:9cfe" = [ "backup1.dadada.li" ]; + }; + services.resolved = { enable = mkDefault true; fallbackDns = [ "9.9.9.9#dns.quad9.net" "2620:fe::fe:11#dns11.quad9.net" ]; diff --git a/nixos/ninurta/configuration.nix b/nixos/ninurta/configuration.nix index 00b1c26..7a8b3c1 100644 --- a/nixos/ninurta/configuration.nix +++ b/nixos/ninurta/configuration.nix @@ -103,10 +103,6 @@ in }; }; - dadada.ddns.domains = [ "backup1.dadada.li" "soft-serve.dadada.li" ]; - dadada.ddns.credentialsPath = config.age.secrets."ddns-credentials".path; - dadada.ddns.interface = "backup"; - dadada.borgServer = { enable = true; path = "/mnt/storage/backups"; @@ -148,11 +144,6 @@ in location = "/var/backup/postgresql"; }; - age.secrets."ddns-credentials" = { - file = "${secretsPath}/ddns-credentials.age"; - mode = "400"; - }; - age.secrets."ninurta-backup-passphrase" = { file = "${secretsPath}/ninurta-backup-passphrase.age"; mode = "400"; @@ -281,7 +272,7 @@ in matchConfig.Name = "enp*"; networkConfig.DHCP = "ipv4"; networkConfig.Domains = [ "bs.dadada.li" ]; - networkConfig.VLAN = [ "backup" ]; + networkConfig.VLAN = [ ]; networkConfig.IPv6PrivacyExtensions = false; linkConfig.RequiredForOnline = "routable"; dhcpV4Config = { @@ -294,22 +285,15 @@ in UseDNS = true; }; }; - "20-backup" = { - matchConfig.Name = "backup"; - networkConfig = { - DHCP = "ipv4"; - IPv6PrivacyExtensions = false; - }; - linkConfig.RequiredForOnline = false; - }; - "10-hydra" = { - matchConfig.Name = "hydra"; - address = [ "10.3.3.3/24" ]; + "10-surgat" = { + matchConfig.Name = "surgat"; + address = [ "10.3.3.3/32" "fd42:9c3b:f96d:121::3/128"]; DHCP = "no"; networkConfig.IPv6AcceptRA = false; linkConfig.RequiredForOnline = false; routes = [ { routeConfig = { Destination = "10.3.3.1/24"; }; } + { routeConfig = { Destination = "fd42:9c3b:f96d:121::1/64"; }; } ]; }; "10-uwu" = { 
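Review bot: The `networking.hosts` entry added to the base profile pins `backup1.dadada.li` to a ULA address on every machine that imports this profile, including hosts that are neither on the agares LAN nor behind the surgat tunnel, and it carries no comment explaining why a static /etc/hosts entry is needed alongside the unbound record in `agares/dns.nix`. The address shows the `ff:fe` EUI-64 pattern and ninurta sets `IPv6PrivacyExtensions = false`, so it appears to be derived from ninurta's MAC; swapping that NIC would silently break the hosts entry, the DNS record and surgat's AllowedIPs at once. Add a comment above the entry such as `# ninurta's EUI-64 LAN address, reachable on the LAN or through surgat's WireGuard tunnel; keep in sync with agares/dns.nix and surgat's AllowedIPs`, and consider hoisting the address into one shared Nix value.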
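Review bot: `networkConfig.VLAN = [ ];` in the `10-wired` style network block is the option's default, so the line can simply be dropped rather than kept as an empty list. Leaving it reads as if a VLAN is still expected to be attached here.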
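Review bot: Both routes in the new `10-surgat` network have host bits set in `Destination` (`10.3.3.1/24`, `fd42:9c3b:f96d:121::1/64`) while the address lines use /32 and /128, and the prefixes are wider than the peer's AllowedIPs (`10.3.3.1/32`, `fd42:9c3b:f96d:121::1/128`), so any other address in those ranges is routed into the tunnel and then dropped by WireGuard's cryptokey routing. Use `{ routeConfig = { Destination = "10.3.3.1/32"; }; }` and `{ routeConfig = { Destination = "fd42:9c3b:f96d:121::1/128"; }; }`, or the network forms `10.3.3.0/24` / `fd42:9c3b:f96d:121::/64` if more tunnel hosts are planned, so the routes match what the peer can actually deliver. The `address` list also lacks a space before the closing `]`. The enclosing `networks` attribute set continues outside this hunk.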
@@ -327,10 +311,10 @@ in }; }; netdevs = { - "10-hydra" = { + "10-surgat" = { netdevConfig = { Kind = "wireguard"; - Name = "hydra"; + Name = "surgat"; }; wireguardConfig = { PrivateKeyFile = config.age.secrets.${wgHydraPrivKey}.path; @@ -339,7 +323,7 @@ in wireguardPeers = [{ wireguardPeerConfig = { PublicKey = "KzL+PKlv4LktIqqTqC9Esw8dkSZN2qSn/vq76UHbOlY="; - AllowedIPs = [ "10.3.3.1/32" ]; + AllowedIPs = [ "10.3.3.1/32" "fd42:9c3b:f96d:121::1/128" ]; PersistentKeepalive = 25; Endpoint = "surgat.dadada.li:51235"; }; @@ -363,13 +347,6 @@ in }; }]; }; - "20-backup" = { - netdevConfig = { - Name = "backup"; - Kind = "vlan"; - }; - vlanConfig.Id = 13; - }; }; }; @@ -388,6 +365,7 @@ in 51234 # Wireguard 51235 # Wireguard ]; + logReversePathDrops = true; }; services.resolved.enable = true; diff --git a/nixos/surgat/configuration.nix b/nixos/surgat/configuration.nix index 937afa4..86f15c9 100644 --- a/nixos/surgat/configuration.nix +++ b/nixos/surgat/configuration.nix @@ -83,24 +83,24 @@ in ]; linkConfig.RequiredForOnline = "routable"; }; - "10-hydra" = { - matchConfig.Name = "hydra"; - address = [ "10.3.3.1/24" ]; + "10-ninurta" = { + matchConfig.Name = "ninurta"; + address = [ "10.3.3.1/32" "fd42:9c3b:f96d:121::1/128" ]; DHCP = "no"; networkConfig.IPv6AcceptRA = false; linkConfig.RequiredForOnline = "no"; routes = [ - { - routeConfig = { Destination = "10.3.3.0/24"; }; - } + { routeConfig = { Destination = "10.3.3.3/24"; }; } + { routeConfig = { Destination = "fd42:9c3b:f96d:121::/64"; }; } + { routeConfig = { Destination = "fd42:9c3b:f96d:101::/64"; }; } ]; }; }; netdevs = { - "10-hydra" = { + "10-ninurta" = { netdevConfig = { Kind = "wireguard"; - Name = "hydra"; + Name = "ninurta"; }; wireguardConfig = { PrivateKeyFile = "/var/lib/wireguard/hydra"; 
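Review bot: The new `fd42:9c3b:f96d:101::/64` route in `10-ninurta` sends the whole agares LAN prefix into the tunnel, but the peer's AllowedIPs in the following hunk only cover `fd42:9c3b:f96d:101:4a21:bff:fe3e:9cfe/128`, so every other address in that /64 is blackholed by WireGuard instead of taking surgat's normal path; `Destination = "10.3.3.3/24"` likewise mixes a host address with a /24 mask where the old line had `10.3.3.0/24`. Narrow the routes to what the tunnel can deliver: `{ routeConfig = { Destination = "10.3.3.3/32"; }; }` and `{ routeConfig = { Destination = "fd42:9c3b:f96d:101:4a21:bff:fe3e:9cfe/128"; }; }`, keeping `fd42:9c3b:f96d:121::/64` only if further tunnel hosts are expected. Recent systemd-networkd can also derive these routes from AllowedIPs via `RouteTable=` in the `[WireGuard]`/`[WireGuardPeer]` sections, which would keep route and cryptokey policy from drifting — worth checking against the deployed systemd version. The `PrivateKeyFile = "/var/lib/wireguard/hydra"` context line still carries the old name after the rename, and the `10-ninurta` netdev continues outside this hunk.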
@@ -109,7 +109,7 @@ in wireguardPeers = [{ wireguardPeerConfig = { PublicKey = "Kw2HVRb1zeA7NAzBvI3UzmOj45VqM358EBuZWdlAUDE="; - AllowedIPs = [ "10.3.3.3/32" ]; + AllowedIPs = [ "10.3.3.3/32" "fd42:9c3b:f96d:121::3/128" "fd42:9c3b:f96d:101:4a21:bff:fe3e:9cfe/128"] ; }; }]; };
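Review bot: The new AllowedIPs line has stray whitespace — no space before `]` and a space before `;` — so it should read `AllowedIPs = [ "10.3.3.3/32" "fd42:9c3b:f96d:121::3/128" "fd42:9c3b:f96d:101:4a21:bff:fe3e:9cfe/128" ];`. The /128 for ninurta's LAN address is the right scope: it is the only non-tunnel destination surgat should push through this peer, and it keeps WireGuard's cryptokey routing as the enforcement point rather than a broad kernel route. A short comment naming that address, e.g. `# ninurta's LAN address (backup1.dadada.li)`, would save the next reader a lookup.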