diff options
| author | Gregor Kleen <gkleen@yggdrasil.li> | 2022-01-08 00:24:18 +0100 |
|---|---|---|
| committer | Gregor Kleen <gkleen@yggdrasil.li> | 2022-01-08 00:24:18 +0100 |
| commit | c89e822a5d558b9f9bb9d1ac2a1dd76f3e64c595 (patch) | |
| tree | a3d99e39387b21448d9e4d99a1dda75f10008c2e | |
| parent | 876c5c44867aec221a36c3b1319d96c8c3df9e44 (diff) | |
| download | nixos-c89e822a5d558b9f9bb9d1ac2a1dd76f3e64c595.tar nixos-c89e822a5d558b9f9bb9d1ac2a1dd76f3e64c595.tar.gz nixos-c89e822a5d558b9f9bb9d1ac2a1dd76f3e64c595.tar.bz2 nixos-c89e822a5d558b9f9bb9d1ac2a1dd76f3e64c595.tar.xz nixos-c89e822a5d558b9f9bb9d1ac2a1dd76f3e64c595.zip | |
vidhar: dmz01
| -rw-r--r-- | hosts/vidhar/network/default.nix | 18 | ||||
| -rw-r--r-- | hosts/vidhar/network/dsl.nix | 27 | ||||
| -rw-r--r-- | hosts/vidhar/network/ruleset.nft | 14 |
3 files changed, 47 insertions, 12 deletions
diff --git a/hosts/vidhar/network/default.nix b/hosts/vidhar/network/default.nix index 62539239..81dac652 100644 --- a/hosts/vidhar/network/default.nix +++ b/hosts/vidhar/network/default.nix | |||
| @@ -21,6 +21,11 @@ | |||
| 21 | { address = "10.141.1.1"; prefixLength = 24; } | 21 | { address = "10.141.1.1"; prefixLength = 24; } |
| 22 | ]; | 22 | ]; |
| 23 | }; | 23 | }; |
| 24 | interfaces."dmz01" = { | ||
| 25 | ipv4.addresses = [ | ||
| 26 | { address = "10.141.2.1"; prefixLength = 24; } | ||
| 27 | ]; | ||
| 28 | }; | ||
| 24 | 29 | ||
| 25 | vlans = { | 30 | vlans = { |
| 26 | mgmt = { | 31 | mgmt = { |
| @@ -31,6 +36,10 @@ | |||
| 31 | id = 3; | 36 | id = 3; |
| 32 | interface = "eno2"; | 37 | interface = "eno2"; |
| 33 | }; | 38 | }; |
| 39 | dmz01 = { | ||
| 40 | id = 4; | ||
| 41 | interface = "eno2"; | ||
| 42 | }; | ||
| 34 | }; | 43 | }; |
| 35 | 44 | ||
| 36 | firewall.enable = false; | 45 | firewall.enable = false; |
| @@ -58,6 +67,15 @@ | |||
| 58 | 67 | ||
| 59 | subnet 10.141.1.0 netmask 255.255.255.0 { | 68 | subnet 10.141.1.0 netmask 255.255.255.0 { |
| 60 | range 10.141.1.128 10.141.1.254; | 69 | range 10.141.1.128 10.141.1.254; |
| 70 | option domain-name-servers 10.141.1.1; | ||
| 71 | option broadcast-address 10.141.1.255; | ||
| 72 | } | ||
| 73 | |||
| 74 | subnet 10.141.2.0 netmask 255.255.255.0 { | ||
| 75 | range 10.141.2.128 10.141.2.254; | ||
| 76 | option domain-name-servers 10.141.2.1; | ||
| 77 | option broadcast-address 10.141.2.255; | ||
| 78 | option routers 10.141.2.1; | ||
| 61 | } | 79 | } |
| 62 | ''; | 80 | ''; |
| 63 | machines = [ | 81 | machines = [ |
diff --git a/hosts/vidhar/network/dsl.nix b/hosts/vidhar/network/dsl.nix index 21554b58..0ad598e6 100644 --- a/hosts/vidhar/network/dsl.nix +++ b/hosts/vidhar/network/dsl.nix | |||
| @@ -95,6 +95,13 @@ in { | |||
| 95 | rdnss = [{ servers = ["::"]; }]; | 95 | rdnss = [{ servers = ["::"]; }]; |
| 96 | dnssl = [{ domain_names = ["yggdrasil"]; }]; | 96 | dnssl = [{ domain_names = ["yggdrasil"]; }]; |
| 97 | } | 97 | } |
| 98 | { name = "dmz01"; | ||
| 99 | advertise = true; | ||
| 100 | verbose = true; | ||
| 101 | prefix = [{ prefix = "::/64"; }]; | ||
| 102 | route = [{ prefix = "::/0"; }]; | ||
| 103 | rdnss = [{ servers = ["::"]; }]; | ||
| 104 | } | ||
| 98 | ]; | 105 | ]; |
| 99 | 106 | ||
| 100 | debug = { | 107 | debug = { |
| @@ -108,10 +115,17 @@ in { | |||
| 108 | proxies = { | 115 | proxies = { |
| 109 | ${pppInterface} = { | 116 | ${pppInterface} = { |
| 110 | router = true; | 117 | router = true; |
| 111 | rules.lan = { | 118 | rules = { |
| 112 | method = "iface"; | 119 | lan = { |
| 113 | interface = "lan"; | 120 | method = "iface"; |
| 114 | network = "::/0"; | 121 | interface = "lan"; |
| 122 | network = "::/0"; | ||
| 123 | }; | ||
| 124 | dmz01 = { | ||
| 125 | method = "iface"; | ||
| 126 | interface = "dmz01"; | ||
| 127 | network = "::/0"; | ||
| 128 | }; | ||
| 115 | }; | 129 | }; |
| 116 | }; | 130 | }; |
| 117 | }; | 131 | }; |
| @@ -154,7 +168,9 @@ in { | |||
| 154 | ''; | 168 | ''; |
| 155 | 169 | ||
| 156 | postStop = '' | 170 | postStop = '' |
| 157 | ${pkgs.iproute2}/bin/ip -6 a show dev lan scope global | ${pkgs.coreutils}/bin/grep inet6 | ${pkgs.gawk}/bin/awk '{ print $2; }' | ${pkgs.findutils}/bin/xargs -I '{}' -- ${pkgs.iproute2}/bin/ip addr del '{}' dev lan | 171 | for dev in lan dmz01; do |
| 172 | ${pkgs.iproute2}/bin/ip -6 a show dev "''${dev}" scope global | ${pkgs.coreutils}/bin/grep inet6 | ${pkgs.gawk}/bin/awk '{ print $2; }' | ${pkgs.findutils}/bin/xargs -I '{}' -- ${pkgs.iproute2}/bin/ip addr del '{}' dev "''${dev}" | ||
| 173 | done | ||
| 158 | ''; | 174 | ''; |
| 159 | 175 | ||
| 160 | serviceConfig = let | 176 | serviceConfig = let |
| @@ -177,6 +193,7 @@ in { | |||
| 177 | iaid 1195061668 | 193 | iaid 1195061668 |
| 178 | ipv6rs # enable routing solicitation for WAN adapter | 194 | ipv6rs # enable routing solicitation for WAN adapter |
| 179 | ia_pd 1 lan/0/64/0 # request a PD and assign it to the LAN | 195 | ia_pd 1 lan/0/64/0 # request a PD and assign it to the LAN |
| 196 | ia_pd 1 dmz01/1/64/0 # request a PD and assign it to dmz01 | ||
| 180 | 197 | ||
| 181 | reboot 0 | 198 | reboot 0 |
| 182 | 199 | ||
diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft index 4d829355..f6a2175c 100644 --- a/hosts/vidhar/network/ruleset.nft +++ b/hosts/vidhar/network/ruleset.nft | |||
| @@ -136,7 +136,7 @@ table inet filter { | |||
| 136 | oifname {lan, dsl} meta l4proto $icmp_protos jump forward_icmp_accept | 136 | oifname {lan, dsl} meta l4proto $icmp_protos jump forward_icmp_accept |
| 137 | 137 | ||
| 138 | iifname lan oifname dsl counter name fw-lan accept | 138 | iifname lan oifname dsl counter name fw-lan accept |
| 139 | iifname dsl oifname lan ct state {established, related} counter name fw-dsl accept | 139 | iifname dsl oifname { lan, dmz01 } ct state {established, related} counter name fw-dsl accept |
| 140 | 140 | ||
| 141 | 141 | ||
| 142 | 142 | ||
| @@ -162,14 +162,14 @@ table inet filter { | |||
| 162 | iifname != dsl meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-rx drop | 162 | iifname != dsl meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-rx drop |
| 163 | meta l4proto $icmp_protos counter name icmp-rx accept | 163 | meta l4proto $icmp_protos counter name icmp-rx accept |
| 164 | 164 | ||
| 165 | tcp dport 22 counter name ssh-rx accept | 165 | iifname { lan, mgmt, dsl } tcp dport 22 counter name ssh-rx accept |
| 166 | udp dport 60001-61000 counter name mosh-rx accept | 166 | iifname { lan, mgmt, dsl } udp dport 60001-61000 counter name mosh-rx accept |
| 167 | 167 | ||
| 168 | iifname lan tcp dport 53 counter name dns-rx accept | 168 | iifname { lan, mgmt, dmz01 } tcp dport 53 counter name dns-rx accept |
| 169 | iifname lan udp dport 53 counter name dns-rx accept | 169 | iifname { lan, mgmt, dmz01 } udp dport 53 counter name dns-rx accept |
| 170 | 170 | ||
| 171 | meta protocol ip udp dport 51820 counter name wg-rx accept | 171 | iifname { lan, mgmt, dsl } meta protocol ip udp dport 51820 counter name wg-rx accept |
| 172 | meta protocol ip6 udp dport 51821 counter name wg-rx accept | 172 | iifname { lan, mgmt, dsl } meta protocol ip6 udp dport 51821 counter name wg-rx accept |
| 173 | iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-rx accept | 173 | iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-rx accept |
| 174 | 174 | ||
| 175 | iifname dsl meta protocol ip6 udp dport 546 udp sport 547 counter name ipv6-pd-rx accept | 175 | iifname dsl meta protocol ip6 udp dport 546 udp sport 547 counter name ipv6-pd-rx accept |