remove service VLAN and route to backup1 using wireguard

This commit is contained in:
Tim Schubert 2024-03-04 22:10:18 +01:00
parent 72f8cf91bc
commit b7d12303a3
Signed by: dadada
SSH key fingerprint: SHA256:bFAjFH3hR8zRBaJjzQDjc3o4jqoq5EZ87l+KXEjxIz0
7 changed files with 30 additions and 76 deletions


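--- a/[file path not shown on page]
+++ b/[file path not shown on page]
@@ -43,6 +43,7 @@
 "\"ninurta.bs.dadada.li. 10800 IN A 192.168.101.184\""
 "\"agares.bs.dadada.li. 10800 IN AAAA fd42:9c3b:f96d:101::1\""
 "\"ninurta.bs.dadada.li. 10800 IN AAAA fd42:9c3b:f96d:101:4a21:bff:fe3e:9cfe\""
+"\"backup1.dadada.li. 10800 IN AAAA fd42:9c3b:f96d:101:4a21:bff:fe3e:9cfe\""
 ];
 local-zone = [
 "\"168.192.in-addr.arpa.\" nodefault"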


@ -40,15 +40,6 @@ in
Id = 11; Id = 11;
}; };
}; };
"20-srv" = {
netdevConfig = {
Kind = "vlan";
Name = "srv.13";
};
vlanConfig = {
Id = 13;
};
};
"20-roadw" = { "20-roadw" = {
netdevConfig = { netdevConfig = {
Kind = "wireguard"; Kind = "wireguard";
@ -124,7 +115,7 @@ in
in in
{ {
"10-mgmt" = subnet "enp1s0" "100" // { "10-mgmt" = subnet "enp1s0" "100" // {
networkConfig.VLAN = [ "lan.10" "ff.11" "srv.13" ]; networkConfig.VLAN = [ "lan.10" "ff.11" ];
dhcpServerStaticLeases = [ dhcpServerStaticLeases = [
{ {
# legion # legion
@ -163,8 +154,6 @@ in
"30-ff" = subnet "ff.11" "102"; "30-ff" = subnet "ff.11" "102";
"30-srv" = subnet "srv.13" "103";
"30-ifb4ppp0" = { "30-ifb4ppp0" = {
name = "ifb4ppp0"; name = "ifb4ppp0";
extraConfig = '' extraConfig = ''


@ -4,7 +4,6 @@ define IF_MGMT = "enp1s0"
define IF_FF = "ff.11" define IF_FF = "ff.11"
define IF_LAN = "lan.10" define IF_LAN = "lan.10"
define IF_WAN = "ppp0" define IF_WAN = "ppp0"
define IF_SRV = "srv.13"
# Modem uses this for internet uplink via our WAN # Modem uses this for internet uplink via our WAN
define IF_MODEM = "enp2s0" define IF_MODEM = "enp2s0"
@ -51,10 +50,6 @@ table inet filter {
counter accept comment "Accept all traffic from MGMT" counter accept comment "Accept all traffic from MGMT"
} }
chain input_srv {
counter accept comment "Accept all traffic from services"
}
chain input_roadw { chain input_roadw {
counter accept comment "Accept all traffic from roadwarriors" counter accept comment "Accept all traffic from roadwarriors"
} }
@ -69,23 +64,13 @@ table inet filter {
udp dport { 53, 67 } accept comment "Allow DNS and DHCP from Freifunk" udp dport { 53, 67 } accept comment "Allow DNS and DHCP from Freifunk"
} }
chain input_srv {
jump input_icmp_untrusted
# DHCP
meta nfproto ipv6 udp dport 547 accept comment "Allow DHCPv6 client"
# Allow DNS and DHCP from SRV
udp dport { 53, 67 } accept comment "Allow DNS and DHCP from services"
}
chain input { chain input {
type filter hook input priority filter; policy drop; type filter hook input priority filter; policy drop;
ct state {established, related} counter accept comment "Accept packets from established and related connections" ct state {established, related} counter accept comment "Accept packets from established and related connections"
ct state invalid counter drop comment "Early drop of invalid packets" ct state invalid counter drop comment "Early drop of invalid packets"
iifname vmap { lo : accept, $IF_WAN : jump input_wan, $IF_LAN : jump input_lan, $IF_FF : jump input_ff, $IF_ROADW : jump input_roadw, $IF_MODEM : jump input_modem, $IF_MGMT : jump input_mgmt, $IF_SRV : jump input_srv } iifname vmap { lo : accept, $IF_WAN : jump input_wan, $IF_LAN : jump input_lan, $IF_FF : jump input_ff, $IF_ROADW : jump input_roadw, $IF_MODEM : jump input_modem, $IF_MGMT : jump input_mgmt }
} }
# Only works if hardware flow offloading is available # Only works if hardware flow offloading is available
@ -117,13 +102,10 @@ table inet filter {
iifname { $IF_LAN, $IF_ROADW } counter accept comment "Allow all traffic forwarding from LAN and roadwarrior to all interfaces, except to mgmt" iifname { $IF_LAN, $IF_ROADW } counter accept comment "Allow all traffic forwarding from LAN and roadwarrior to all interfaces, except to mgmt"
# FF -> WAN # FF -> WAN
iifname { $IF_FF, $IF_SRV } oifname $IF_WAN counter accept comment "Allow all traffic forwarding from Freifunk and services to WAN" iifname { $IF_FF } oifname $IF_WAN counter accept comment "Allow all traffic forwarding from Freifunk and services to WAN"
# { WAN, SRV } -> { FF, LAN, RW, SRV } # { WAN } -> { FF, LAN, RW }
iifname { $IF_WAN, $IF_SRV } oifname { $IF_FF, $IF_LAN, $IF_ROADW, $IF_SRV } ct state established,related counter accept comment "Allow established back from WAN and SRV" iifname { $IF_WAN } oifname { $IF_FF, $IF_LAN, $IF_ROADW } ct state established,related counter accept comment "Allow established back from WAN"
# WAN -> SRV
iifname $IF_WAN oifname $IF_SRV tcp dport ssh accept comment "Allow all SSH traffic forwarding from WAN to services"
} }
chain output { chain output {
@ -145,6 +127,6 @@ table ip nat {
table arp filter { table arp filter {
chain input { chain input {
type filter hook input priority filter; policy drop; type filter hook input priority filter; policy drop;
iifname { $IF_MGMT, $IF_LAN, $IF_FF, $IF_SRV, $IF_MODEM } limit rate 1/second burst 2 packets accept comment "Limit number of ARP messages from LAN, FF, MGMT, SRV, modem" iifname { $IF_MGMT, $IF_LAN, $IF_FF, $IF_MODEM } limit rate 1/second burst 2 packets accept comment "Limit number of ARP messages from LAN, FF, MGMT, modem"
} }
} }
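Review bot: The comment on the rewritten FF -> WAN forward rule is now stale: the set was reduced to `{ $IF_FF }` but the text still says "from Freifunk and services to WAN", so a reader of `nft list ruleset` will look for a services interface that no longer exists. With a single element the braces are no longer needed either; the line can read `iifname $IF_FF oifname $IF_WAN counter accept comment "Allow all traffic forwarding from Freifunk to WAN"`. The other comments touched in this hunk and in the ARP hunk were updated consistently, so this is the only leftover. The enclosing forward chain starts and ends outside the hunk.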


@ -158,7 +158,6 @@ in
}; };
networking.hosts = { networking.hosts = {
"10.1.2.9" = [ "fgprinter.fginfo.tu-bs.de" ];
"127.0.0.2" = [ "kanboard.dadada.li" ]; "127.0.0.2" = [ "kanboard.dadada.li" ];
}; };


@ -54,6 +54,11 @@ in
}; };
networking.networkmanager.dns = mkDefault "systemd-resolved"; networking.networkmanager.dns = mkDefault "systemd-resolved";
networking.hosts = {
"fd42:9c3b:f96d:101:4a21:bff:fe3e:9cfe" = [ "backup1.dadada.li" ];
};
services.resolved = { services.resolved = {
enable = mkDefault true; enable = mkDefault true;
fallbackDns = [ "9.9.9.9#dns.quad9.net" "2620:fe::fe:11#dns11.quad9.net" ]; fallbackDns = [ "9.9.9.9#dns.quad9.net" "2620:fe::fe:11#dns11.quad9.net" ];
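Review bot: The new networking.hosts entry pins backup1.dadada.li to fd42:9c3b:f96d:101:4a21:bff:fe3e:9cfe in /etc/hosts, while this same commit also adds that name and address as a resolver local-data record; the mapping now lives in two places that must be changed together if the address ever moves. Since this file appears to be a module shared by several hosts (it sets defaults with mkDefault), every importing host will carry the static entry whether or not it reaches backup1 over the tunnel. A one-line comment above the entry would help the next maintainer, e.g. `# backup1 is reached over wireguard; keep in sync with the AAAA record in the resolver's local-data`. If the static entry is only needed on the hosts that peer with backup1, consider moving it next to their wireguard configuration instead.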


@ -103,10 +103,6 @@ in
}; };
}; };
dadada.ddns.domains = [ "backup1.dadada.li" "soft-serve.dadada.li" ];
dadada.ddns.credentialsPath = config.age.secrets."ddns-credentials".path;
dadada.ddns.interface = "backup";
dadada.borgServer = { dadada.borgServer = {
enable = true; enable = true;
path = "/mnt/storage/backups"; path = "/mnt/storage/backups";
@ -148,11 +144,6 @@ in
location = "/var/backup/postgresql"; location = "/var/backup/postgresql";
}; };
age.secrets."ddns-credentials" = {
file = "${secretsPath}/ddns-credentials.age";
mode = "400";
};
age.secrets."ninurta-backup-passphrase" = { age.secrets."ninurta-backup-passphrase" = {
file = "${secretsPath}/ninurta-backup-passphrase.age"; file = "${secretsPath}/ninurta-backup-passphrase.age";
mode = "400"; mode = "400";
@ -281,7 +272,7 @@ in
matchConfig.Name = "enp*"; matchConfig.Name = "enp*";
networkConfig.DHCP = "ipv4"; networkConfig.DHCP = "ipv4";
networkConfig.Domains = [ "bs.dadada.li" ]; networkConfig.Domains = [ "bs.dadada.li" ];
networkConfig.VLAN = [ "backup" ]; networkConfig.VLAN = [ ];
networkConfig.IPv6PrivacyExtensions = false; networkConfig.IPv6PrivacyExtensions = false;
linkConfig.RequiredForOnline = "routable"; linkConfig.RequiredForOnline = "routable";
dhcpV4Config = { dhcpV4Config = {
@ -294,22 +285,15 @@ in
UseDNS = true; UseDNS = true;
}; };
}; };
"20-backup" = { "10-surgat" = {
matchConfig.Name = "backup"; matchConfig.Name = "surgat";
networkConfig = { address = [ "10.3.3.3/32" "fd42:9c3b:f96d:121::3/128"];
DHCP = "ipv4";
IPv6PrivacyExtensions = false;
};
linkConfig.RequiredForOnline = false;
};
"10-hydra" = {
matchConfig.Name = "hydra";
address = [ "10.3.3.3/24" ];
DHCP = "no"; DHCP = "no";
networkConfig.IPv6AcceptRA = false; networkConfig.IPv6AcceptRA = false;
linkConfig.RequiredForOnline = false; linkConfig.RequiredForOnline = false;
routes = [ routes = [
{ routeConfig = { Destination = "10.3.3.1/24"; }; } { routeConfig = { Destination = "10.3.3.1/24"; }; }
{ routeConfig = { Destination = "fd42:9c3b:f96d:121::1/64"; }; }
]; ];
}; };
"10-uwu" = { "10-uwu" = {
@ -327,10 +311,10 @@ in
}; };
}; };
netdevs = { netdevs = {
"10-hydra" = { "10-surgat" = {
netdevConfig = { netdevConfig = {
Kind = "wireguard"; Kind = "wireguard";
Name = "hydra"; Name = "surgat";
}; };
wireguardConfig = { wireguardConfig = {
PrivateKeyFile = config.age.secrets.${wgHydraPrivKey}.path; PrivateKeyFile = config.age.secrets.${wgHydraPrivKey}.path;
@ -339,7 +323,7 @@ in
wireguardPeers = [{ wireguardPeers = [{
wireguardPeerConfig = { wireguardPeerConfig = {
PublicKey = "KzL+PKlv4LktIqqTqC9Esw8dkSZN2qSn/vq76UHbOlY="; PublicKey = "KzL+PKlv4LktIqqTqC9Esw8dkSZN2qSn/vq76UHbOlY=";
AllowedIPs = [ "10.3.3.1/32" ]; AllowedIPs = [ "10.3.3.1/32" "fd42:9c3b:f96d:121::1/128" ];
PersistentKeepalive = 25; PersistentKeepalive = 25;
Endpoint = "surgat.dadada.li:51235"; Endpoint = "surgat.dadada.li:51235";
}; };
@ -363,13 +347,6 @@ in
}; };
}]; }];
}; };
"20-backup" = {
netdevConfig = {
Name = "backup";
Kind = "vlan";
};
vlanConfig.Id = 13;
};
}; };
}; };
@ -388,6 +365,7 @@ in
51234 # Wireguard 51234 # Wireguard
51235 # Wireguard 51235 # Wireguard
]; ];
logReversePathDrops = true;
}; };
services.resolved.enable = true; services.resolved.enable = true;
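Review bot: The route added for the renamed surgat network, `{ routeConfig = { Destination = "fd42:9c3b:f96d:121::1/64"; }; }`, has host bits set in a /64 destination; the peer side of this commit writes the same prefix as `fd42:9c3b:f96d:121::/64`, and the unchanged IPv4 route above it (`10.3.3.1/24`) has the same shape, so writing both as network addresses (`fd42:9c3b:f96d:121::/64`, `10.3.3.0/24`) keeps the two ends of the tunnel readable and consistent. Separately, the hunk at the top of this file drops the only reference to `age.secrets."ddns-credentials"` and its `${secretsPath}/ddns-credentials.age` file; if that encrypted file is still in the repository it can be removed, and since nothing uses the DDNS credential any more it is worth revoking at the provider rather than leaving it valid. The now-empty `networkConfig.VLAN = [ ];` on the enp* network can simply be dropped. The enclosing systemd.network attribute set starts and ends outside these hunks.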


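--- a/[file path not shown on page]
+++ b/[file path not shown on page]
@@ -83,24 +83,24 @@ in
 ];
 linkConfig.RequiredForOnline = "routable";
 };
-"10-hydra" = {
-matchConfig.Name = "hydra";
-address = [ "10.3.3.1/24" ];
+"10-ninurta" = {
+matchConfig.Name = "ninurta";
+address = [ "10.3.3.1/32" "fd42:9c3b:f96d:121::1/128" ];
 DHCP = "no";
 networkConfig.IPv6AcceptRA = false;
 linkConfig.RequiredForOnline = "no";
 routes = [
-{
-routeConfig = { Destination = "10.3.3.0/24"; };
-}
+{ routeConfig = { Destination = "10.3.3.3/24"; }; }
+{ routeConfig = { Destination = "fd42:9c3b:f96d:121::/64"; }; }
+{ routeConfig = { Destination = "fd42:9c3b:f96d:101::/64"; }; }
 ];
 };
 };
 netdevs = {
-"10-hydra" = {
+"10-ninurta" = {
 netdevConfig = {
 Kind = "wireguard";
-Name = "hydra";
+Name = "ninurta";
 };
 wireguardConfig = {
 PrivateKeyFile = "/var/lib/wireguard/hydra";
@@ -109,7 +109,7 @@ in
 wireguardPeers = [{
 wireguardPeerConfig = {
 PublicKey = "Kw2HVRb1zeA7NAzBvI3UzmOj45VqM358EBuZWdlAUDE=";
-AllowedIPs = [ "10.3.3.3/32" ];
+AllowedIPs = [ "10.3.3.3/32" "fd42:9c3b:f96d:121::3/128" "fd42:9c3b:f96d:101:4a21:bff:fe3e:9cfe/128"] ;
 };
 }];
 };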
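Review bot: The new route `{ routeConfig = { Destination = "fd42:9c3b:f96d:101::/64"; }; }` sends the whole LAN /64 into the ninurta tunnel, but the peer's AllowedIPs in the second hunk only admits `fd42:9c3b:f96d:101:4a21:bff:fe3e:9cfe/128`; wireguard's cryptokey routing will drop packets to any other address in that /64 rather than deliver them, so either the route should be narrowed to `fd42:9c3b:f96d:101:4a21:bff:fe3e:9cfe/128` or, if the LAN is meant to be reachable through backup1, the /64 must appear in AllowedIPs and backup1 must forward for it. The IPv4 route was changed from `10.3.3.0/24` to `10.3.3.3/24`, which has host bits set; `10.3.3.0/24` (or `10.3.3.3/32`, matching the new /32 address) reads more clearly. The private key path `/var/lib/wireguard/hydra` keeps the old interface name after the rename, which is harmless but worth a comment such as `# key predates the hydra -> ninurta rename`. The enclosing networks/netdevs attribute sets start and end outside these hunks.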