authorGregor Kleen <gkleen@yggdrasil.li>2022-02-06 17:19:58 +0100
committerGregor Kleen <gkleen@yggdrasil.li>2022-02-06 17:19:58 +0100
commit67657a453e654811ed5adf45a4c7aab32dc30274 (patch)
treeb94f3378117ca2b6bd2d43c8ef106855e52e6462 /hosts/surtr
parent93f07176317920ee881773519ee342f9c62ab9c9 (diff)
bifrost: ...
Diffstat (limited to 'hosts/surtr')
-rw-r--r--hosts/surtr/bifrost/default.nix66
-rw-r--r--hosts/surtr/bifrost/surtr.priv26
-rw-r--r--hosts/surtr/bifrost/surtr.pub1
-rw-r--r--hosts/surtr/default.nix2
-rw-r--r--hosts/surtr/dns/zones/li.141.soa4
-rw-r--r--hosts/surtr/dns/zones/li.yggdrasil.soa8
-rw-r--r--hosts/surtr/dns/zones/org.praseodym.soa4
-rw-r--r--hosts/surtr/ruleset.nft14
8 files changed, 113 insertions, 12 deletions
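--- /dev/null
+++ b/hosts/surtr/bifrost/default.nix
@@ -0,0 +1,66 @@
+{ config, lib, ... }:
+
+with lib;
+
+let
+  trim = str: if hasSuffix "\n" str then trim (removeSuffix "\n" str) else str;
+in {
+  config = {
+    systemd.network = {
+      netdevs = {
+        bifrost = {
+          netdevConfig = {
+            Name = "bifrost";
+            Kind = "wireguard";
+          };
+          wireguardConfig = {
+            PrivateKeyFile = config.sops.secrets.bifrost.path;
+            ListenPort = 51822;
+          };
+          wireguardPeers = [
+            { wireguardPeerConfig = {
+                AllowedIPs = [ "2a03:4000:52:ada:4:1::/96" ];
+                PublicKey = trim (readFile ../../vidhar/network/bifrost/vidhar.pub);
+              };
+            }
+          ];
+        };
+      };
+      networks = {
+        bifrost = {
+          name = "bifrost";
+          matchConfig = {
+            Name = "bifrost";
+          };
+          address = ["2a03:4000:52:ada:4::/96"];
+          routes = [
+            { routeConfig = {
+                Destination = "2a03:4000:52:ada:4::/80";
+              };
+            }
+          ];
+          linkConfig = {
+            RequiredForOnline = false;
+          };
+          networkConfig = {
+            LLMNR = false;
+            MulticastDNS = false;
+          };
+        };
+      };
+    };
+    sops.secrets.bifrost = {
+      format = "binary";
+      sopsFile = ./surtr.priv;
+      mode = "0640";
+      owner = "root";
+      group = "systemd-network";
+    };
+    environment.etc."systemd/networkd.conf" = {
+      text = ''
+        [Network]
+        RouteTable=bifrost:1026
+      '';
+    };
+  };
+}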
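Review bot: The named route table `bifrost:1026` is registered by overwriting the whole of `/etc/systemd/networkd.conf` (lines 59-64), yet nothing in this file attaches a route to it — the only route, at line 38, goes into the main table because `routeConfig` carries no `Table`. If the table is consumed by another module, a comment such as `# route table "bifrost" (1026) is used by <module> for policy routing` would stop the next reader from deleting it; if it is meant for this link, the route at line 38 should read `Destination = "2a03:4000:52:ada:4::/80"; Table = "bifrost";`. Note also that an `environment.etc` override replaces the entire `networkd.conf`, so any other module that writes that file will collide with this one; that is an inference from the option used, not visible here. The sops secret mode `0640` with group `systemd-network` is the right scope for a networkd-consumed private key, which is worth a short comment on line 55 so nobody later tightens it to `0600` and breaks the link.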
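--- /dev/null
+++ b/hosts/surtr/bifrost/surtr.priv
@@ -0,0 +1,26 @@
+{
+  "data": "ENC[AES256_GCM,data:Q3KFfWy4UQIbXfoR6jIb02r0735fvMMHqAWtqOE/BZfe/FuJUkb+HSSJbAkt,iv:YsaIx6eYfLOv1H3IammluRd9XDJAr6o4/HaHgtL8ZUc=,tag:uyINYQ0BGhi6TAuQkPCbBA==,type:str]",
+  "sops": {
+    "kms": null,
+    "gcp_kms": null,
+    "azure_kv": null,
+    "hc_vault": null,
+    "age": null,
+    "lastmodified": "2022-02-06T16:09:36Z",
+    "mac": "ENC[AES256_GCM,data:lzg4JDAyy1tL4dcuima26VWqQmCbr25+8AoecVIctX61V2STXiKzd938bEoJ02UVEPYAUzq+NP5fX6IrggYx2A0tII7oyo92EGBYJsvuCBpZWhZKpniXDsRcQo09PH3QJlJ9liSM8bCf6u//ubGU06xvLldt+g4xvvNOVfqMPSo=,iv:Ya2o/hhg18zp7PqLNSHJAAkyz/Lzibysylqsh0CvMzs=,tag:zeZZ0ilsCa/As7VOSCRgSQ==,type:str]",
+    "pgp": [
+      {
+        "created_at": "2022-02-06T16:09:36Z",
+        "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdAx1FJFTdMFdAzIAwO1rZ9ikD/cP1nTzfI1wLZf5ufB3Uw\nY8JVtL/aSLaO3tli5eZNuz6tEhTFA0GU8l3c/Ws6ocjC+l3IR5bS2CGZbMHjyIyT\n0l4BgxRFBMFJdpbgpIEPsthgZwJRGNQofSJ7A6/550ekM5b/n77CBZQOHwocuJ4q\n7LCSH6kFUH8GgkSC26OLC8f/QpWr9zTneZP0mBd2CiADDCg6oPI3rGwq6+jQKNny\n=wDDa\n-----END PGP MESSAGE-----\n",
+        "fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8"
+      },
+      {
+        "created_at": "2022-02-06T16:09:36Z",
+        "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdActA18sJwR4mjwyilHzHHBBuReg88U8QVMLphsqFvHFIw\nV5OTgNNvwiCPHSvGiYQ41Fnxa3VVDu0b3HSsq1Xvf5aFf65cRW39t/JHruwkpd1M\n0l4BbBOw5pksAlRcX25PNIIg7WEq4mlJjCi41INKJ1lF5YEu9kVZHT/+ayU6N5Kf\nVH3I6bpZiIKMc4fnF+yiVbCTWNC3EYTeCpe/ZnM8Gd0WLJh0KsLS+QVzMYagMHNm\n=Cc3x\n-----END PGP MESSAGE-----\n",
+        "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+      }
+    ],
+    "unencrypted_suffix": "_unencrypted",
+    "version": "3.7.1"
+  }
+}
\ No newline at end of file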
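--- /dev/null
+++ b/hosts/surtr/bifrost/surtr.pub
@@ -0,0 +1 @@
+/s2yJlJKmy/vt+r/A4z2dof8CBs95KW7CeWLtOb0ERc=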
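--- a/hosts/surtr/default.nix
+++ b/hosts/surtr/default.nix
@@ -2,7 +2,7 @@
 {
   imports = with flake.nixosModules.systemProfiles; [
     qemu-guest openssh rebuild-machines zfs
-    ./zfs.nix ./dns ./tls.nix ./http.nix
+    ./zfs.nix ./dns ./tls.nix ./http.nix ./bifrost
   ];
 
   config = {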
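--- a/hosts/surtr/dns/zones/li.141.soa
+++ b/hosts/surtr/dns/zones/li.141.soa
@@ -1,7 +1,7 @@
 $ORIGIN 141.li.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. root.yggdrasil.li. (
-  2022020102 ; serial
+  2022020600 ; serial
   10800 ; refresh
   3600 ; retry
   604800 ; expire
@@ -27,7 +27,7 @@ $TTL 3600
 surtr IN A 202.61.241.61
 surtr IN AAAA 2a03:4000:52:ada::
 surtr IN MX 0 ymir.yggdrasil.li
-surtr IN TXT "v=spf1 redirect=ullr.yggdrasil.li"
+surtr IN TXT "v=spf1 redirect=yggdrasil.li"
 
 webdav IN CNAME surtr.yggdrasil.li.
 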
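--- a/hosts/surtr/dns/zones/li.yggdrasil.soa
+++ b/hosts/surtr/dns/zones/li.yggdrasil.soa
@@ -1,7 +1,7 @@
 $ORIGIN yggdrasil.li.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. root.yggdrasil.li. (
-  2022020101 ; serial
+  2022020600 ; serial
   10800 ; refresh
   3600 ; retry
   604800 ; expire
@@ -35,7 +35,11 @@ ymir IN TXT "v=spf1 redirect=yggdrasil.li"
 surtr IN A 202.61.241.61
 surtr IN AAAA 2a03:4000:52:ada::
 surtr IN MX 0 ymir.yggdrasil.li
-surtr IN TXT "v=spf1 redirect=ullr.yggdrasil.li"
+surtr IN TXT "v=spf1 redirect=yggdrasil.li"
+
+vidhar IN AAAA 2a03:4000:52:ada:4:1::
+vidhar IN MX 0 ymir.yggdrasil.li
+vidhar IN TXT "v=spf1 redirect=yggdrasil.li"
 
 mailout IN A 188.68.51.254
 mailout IN AAAA 2a03:4000:6:d004::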
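--- a/hosts/surtr/dns/zones/org.praseodym.soa
+++ b/hosts/surtr/dns/zones/org.praseodym.soa
@@ -1,7 +1,7 @@
 $ORIGIN praseodym.org.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. root.yggdrasil.li. (
-  2022020102 ; serial
+  2022020600 ; serial
   10800 ; refresh
   3600 ; retry
   604800 ; expire
@@ -27,7 +27,7 @@ $TTL 3600
 surtr IN A 202.61.241.61
 surtr IN AAAA 2a03:4000:52:ada::
 surtr IN MX 0 ymir.yggdrasil.li
-surtr IN TXT "v=spf1 redirect=ullr.yggdrasil.li"
+surtr IN TXT "v=spf1 redirect=yggdrasil.li"
 
 ymir._domainkey IN TXT (
   "v=DKIM1;k=rsa;p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAq3cCKlk+VPhyAanLZTM0BCzUT/+fmxHioZcFk0uJk1akBYj7BRofR7eVNcLKpm3rwYMQgE+9vJH9p8SV6tws9EcWc8SMCqqGZlREYM7PmLDiTSK/vjCzkygfgFCb0EBNsY2A/fpP4rTeoxrbcBSvMkq97iY5rwyw4wXZVZXLiDaCj23s8POoxTk1ClqUJZJQ5x2"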
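--- a/hosts/surtr/ruleset.nft
+++ b/hosts/surtr/ruleset.nft
@@ -1,4 +1,4 @@
-define icmp_protos = { ipv6-icmp, icmp, igmp }
+define icmp_protos = {ipv6-icmp, icmp, igmp}
 
 table arp filter {
   limit lim_arp {
@@ -44,12 +44,16 @@ table inet filter {
 
     iifname lo counter accept
 
-    meta l4proto $icmp_protos iifname yggdrasil oifname ens3 limit name lim_icmp counter drop
-    meta l4proto $icmp_protos iifname yggdrasil oifname ens3 counter accept
+    meta l4proto $icmp_protos iifname {yggdrasil, bifrost} oifname ens3 limit name lim_icmp counter drop
+    meta l4proto $icmp_protos iifname {yggdrasil, bifrost} oifname ens3 counter accept
     meta l4proto $icmp_protos ct state {established, related} limit name lim_icmp counter drop
     meta l4proto $icmp_protos ct state {established, related} counter accept
 
 
+    oifname bifrost counter accept
+    iifname bifrost oifname ens3 counter accept
+
+
     limit name lim_reject log prefix "drop forward: " counter drop
     log prefix "reject forward: " counter
     meta l4proto tcp ct state new counter reject with tcp reset
@@ -78,13 +82,13 @@ table inet filter {
     udp dport 60001-61000 counter accept
 
     meta protocol ip udp dport 51820 counter accept
-    meta protocol ip6 udp dport 51821 counter accept
+    meta protocol ip6 udp dport {51821, 51822} counter accept
     iifname "yggdrasil-wg-*" meta l4proto gre counter accept
 
     tcp dport 53 counter accept
     udp dport 53 counter accept
 
-    tcp dport { 80, 443 } counter accept
+    tcp dport {80, 443} counter accept
 
     ct state {established, related} counter accept
 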
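Review bot: The new forward rule `oifname bifrost counter accept` (new line 53) has no `iifname` or `ct state` qualifier, so every packet that arrives on ens3 for 2a03:4000:52:ada:4:1::/96 — the address this same commit publishes as `vidhar IN AAAA` — is forwarded into the tunnel unfiltered, while the return path on line 54 is only `iifname bifrost oifname ens3`. If vidhar is meant to be fully reachable and to do its own filtering, say so where the rule sits, e.g. `# vidhar (bifrost peer) is fully exposed; per-service filtering lives in vidhar's ruleset`; if not, split the rule into `iifname bifrost oifname ens3 counter accept` plus `oifname bifrost ct state {established, related} counter accept` and list the services to expose explicitly. The unqualified `iifname bifrost oifname ens3` accept on line 54 is presumably safe against source spoofing because WireGuard's cryptokey routing drops ingress packets whose source is outside the peer's AllowedIPs, but that relies on the `/96` in `bifrost/default.nix` staying as tight as it is, which deserves a one-line comment here. The enclosing `chain forward` starts and ends outside this hunk.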