authorGregor Kleen <gkleen@yggdrasil.li>2023-03-04 19:23:36 +0100
committerGregor Kleen <gkleen@yggdrasil.li>2023-03-04 19:23:36 +0100
commit29480b6e86ca6057d4151accdb5d4103f1657596 (patch)
treeaad8ef8a38f2b679ff64039d6a2445eba9041d09 /hosts/vidhar/printing
parent7fcaba2d4cabc8d5dfd35648ec1b9b6795e490ec (diff)
Diffstat (limited to 'hosts/vidhar/printing')
-rw-r--r--hosts/vidhar/printing/default.nix124
-rw-r--r--hosts/vidhar/printing/ruleset.nft185
2 files changed, 309 insertions, 0 deletions
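--- /dev/null
+++ b/hosts/vidhar/printing/default.nix
@@ -0,0 +1,124 @@
+{ config, lib, ... }:
+
+with lib;
+
+let
+  containerConfig = config.containers.printing.config;
+in {
+  config = {
+    containers.printing = {
+      privateNetwork = true;
+      ephemeral = true;
+      autoStart = true;
+      hostAddress = "10.141.4.0";
+      hostAddress6 = "2a03:4000:52:ada:4::";
+      localAddress = "10.141.4.1";
+      localAddress6 = "2a03:4000:52:ada:4::1";
+      interfaces = [ "printer" ];
+      config = let
+        hostConfig = config;
+      in { ... }: {
+        config = {
+          services = {
+            kea = {
+              dhcp4 = {
+                enable = true;
+                settings = {
+                  valid-lifetime = 4000;
+                  rebind-timer = 2000;
+                  renew-timer = 1000;
+
+                  interfaces-config = {
+                    interfaces = [ "printer" ];
+                  };
+
+                  lease-database = {
+                    name = "/var/lib/kea/dhcp4.leases";
+                    persist = true;
+                    type = "memfile";
+                  };
+
+                  subnet4 = [
+                    { subnet = "10.141.3.0/24";
+                      option-data = [
+                        { name = "domain-name-servers";
+                          data = "10.141.4.0";
+                        }
+                        { name = "ntp-servers";
+                          data = "10.141.4.0";
+                        }
+                        { name = "broadcast-address";
+                          data = "10.141.3.255";
+                        }
+                        { name = "routers";
+                          data = "10.141.3.1";
+                        }
+                        { name = "domain-name";
+                          data = "yggdrasil";
+                        }
+                        { name = "domain-search";
+                          data = "printer.yggdrasil, yggdrasil";
+                        }
+                      ];
+                      pools = [ { pool = "10.141.3.128 - 10.141.3.254"; } ];
+                      reservations = [
+                        { hostname = "printer";
+                          hw-address = "30:cd:a7:b0:55:8d";
+                          ip-address = "10.141.3.2";
+                        }
+                      ];
+                    }
+                  ];
+                };
+              };
+            };
+
+            printing = {
+              enable = true;
+              listenAddresses = [
+                "*:631"
+              ];
+              allowFrom = [ "all" ];
+              extraConf = ''
+                ServerName printing
+                ServerAlias 10.141.4.1 2a03:4000:52:ada:4::1 printing.vidhar.yggdrasil printing.vidhar.lan.yggdrasil
+              '';
+            };
+
+            resolved.enable = false;
+          };
+
+          networking = {
+            firewall.enable = false;
+            nftables = {
+              enable = true;
+              rulesetFile = ./ruleset.nft;
+            };
+
+            useDHCP = false;
+            useNetworkd = true;
+
+            interfaces."printer" = {
+              ipv4.addresses = [
+                { address = "10.141.3.1"; prefixLength = 24; }
+              ];
+            };
+          };
+
+          environment.etc."resolv.conf".text = ''
+            nameserver ${hostConfig.containers.printing.hostAddress6}
+          '';
+
+          system.stateVersion = hostConfig.system.stateVersion;
+        };
+      };
+    };
+
+    networking = {
+      vlans.printer = {
+        id = 5;
+        interface = "eno2";
+      };
+    };
+  };
+}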
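Review bot: cupsd is configured with `listenAddresses = [ "*:631" ]` and `allowFrom = [ "all" ]`, so the only thing keeping the CUPS web/admin interface away from the printer VLAN (which this container owns via `interfaces = [ "printer" ]` and addresses as 10.141.3.1) is the separate ruleset.nft; with `firewall.enable = false` there is no second layer if that file fails to load or is later edited. I would mirror the firewall's intent in CUPS itself: `listenAddresses = [ "10.141.4.1:631" "[2a03:4000:52:ada:4::1]:631" ];` and `allowFrom = [ "localhost" "10.141.4.0" "2a03:4000:52:ada:4::" ];` so the daemon never binds or answers on the VLAN address. Separately, `ephemeral = true` discards the container's filesystem on every start, so the Kea `persist = true` memfile at `/var/lib/kea/dhcp4.leases` appears not to survive a restart unless a bind mount is declared elsewhere (none is visible here); a comment such as `# leases are not durable: container is ephemeral` would save the next reader the investigation. The `containerConfig` binding and `with lib;` are unused in this file and can be dropped.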
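--- /dev/null
+++ b/hosts/vidhar/printing/ruleset.nft
@@ -0,0 +1,185 @@
+define icmp_protos = {ipv6-icmp, icmp, igmp}
+
+table arp filter {
+  limit lim_arp {
+    rate over 50 mbytes/second burst 50 mbytes
+  }
+
+  counter arp-rx {}
+  counter arp-tx {}
+
+  counter arp-ratelimit-rx {}
+  counter arp-ratelimit-tx {}
+
+  chain input {
+    type filter hook input priority filter
+    policy accept
+
+    limit name lim_arp counter name arp-ratelimit-rx drop
+
+    counter name arp-rx
+  }
+
+  chain output {
+    type filter hook output priority filter
+    policy accept
+
+    limit name lim_arp counter name arp-ratelimit-tx drop
+
+    counter name arp-tx
+  }
+}
+
+table inet filter {
+  limit lim_reject {
+    rate over 1000/second burst 1000 packets
+  }
+
+  limit lim_icmp {
+    rate over 50 mbytes/second burst 50 mbytes
+  }
+
+  counter invalid-fw {}
+  counter fw-lo {}
+  counter fw-printer {}
+  counter fw-host {}
+
+  counter icmp-ratelimit-fw {}
+
+  counter reject-ratelimit-fw {}
+  counter reject-fw {}
+  counter reject-tcp-fw {}
+  counter reject-icmp-fw {}
+
+  counter drop-fw {}
+
+  counter invalid-rx {}
+
+  counter rx-lo {}
+  counter invalid-local4-rx {}
+  counter invalid-local6-rx {}
+
+  counter icmp-ratelimit-rx {}
+  counter icmp-rx {}
+
+  counter cups-rx {}
+
+  counter established-rx {}
+
+  counter reject-ratelimit-rx {}
+  counter reject-rx {}
+  counter reject-tcp-rx {}
+  counter reject-icmp-rx {}
+
+  counter drop-rx {}
+
+  counter tx-lo {}
+
+  counter icmp-ratelimit-tx {}
+  counter icmp-tx {}
+
+  counter cups-tx {}
+
+  counter tx {}
+
+  chain forward {
+    type filter hook forward priority filter
+    policy drop
+
+
+    ct state invalid log level debug prefix "drop invalid forward: " counter name invalid-fw drop
+
+
+    iifname lo counter name fw-lo accept
+
+
+    meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-fw drop
+    meta l4proto $icmp_protos counter name icmp-fw accept
+
+
+    iifname printer oifname eth0 ip daddr 10.141.4.0 meta l4proto . th dport { tcp . 53, udp . 53, udp . 123 } counter fw-printer accept
+    iifname printer oifname eth0 ip6 daddr 2a03:4000:52:ada:4:: meta l4proto . th dport { tcp . 53, udp . 53, udp . 123 } counter fw-printer accept
+    iifname eth0 oifname printer counter fw-host accept
+
+
+    limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop
+    log level debug prefix "reject forward: " counter name reject-fw
+    meta l4proto tcp ct state new counter name reject-tcp-fw reject with tcp reset
+    ct state new counter name reject-icmp-fw reject
+
+
+    counter name drop-fw
+  }
+
+  chain input {
+    type filter hook input priority filter
+    policy drop
+
+
+    ct state invalid log level debug prefix "drop invalid input: " counter name invalid-rx drop
+
+
+    iifname lo counter name rx-lo accept
+    iif != lo ip daddr 127.0.0.1/8 counter name invalid-local4-rx reject
+    iif != lo ip6 daddr ::1/128 counter name invalid-local6-rx reject
+
+    meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-rx drop
+    meta l4proto $icmp_protos counter name icmp-rx accept
+
+
+    ip6 saddr 2a03:4000:52:ada:4:: tcp dport 631 counter name cups-rx accept
+    ip saddr 10.141.4.0 tcp dport 631 counter name cups-rx accept
+
+    ct state {established, related} counter name established-rx accept
+
+
+    limit name lim_reject log level debug prefix "drop input: " counter name reject-ratelimit-rx drop
+    log level debug prefix "reject input: " counter name reject-rx
+    meta l4proto tcp ct state new counter name reject-tcp-rx reject with tcp reset
+    ct state new counter name reject-icmp-rx reject
+
+
+    counter name drop-rx
+  }
+
+  chain output {
+    type filter hook output priority filter
+    policy accept
+
+
+    oifname lo counter name tx-lo accept
+
+    meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-tx drop
+    meta l4proto $icmp_protos counter name icmp-tx accept
+
+
+    tcp sport 631 counter name cups-tx accept
+
+
+    counter name tx
+  }
+}
+
+table ip nat {
+  counter host-nat {}
+
+  chain postrouting {
+    type nat hook postrouting priority srcnat
+    policy accept
+
+
+    oifname eth0 counter name host-nat masquerade
+  }
+}
+
+table ip mss_clamp {
+  counter host-mss-clamp {}
+
+  chain postrouting {
+    type filter hook postrouting priority mangle
+    policy accept
+
+
+    oifname eth0 tcp flags & (syn|rst) == syn counter name host-mss-clamp tcp option maxseg size set rt mtu
+  }
+}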
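Review bot: This ruleset does not load as written, and because the container sets `networking.firewall.enable = false` a rejected file leaves it with no input or forward filtering at all, exposing cupsd (bound on `*:631`) to the whole printer VLAN: the three forward accept rules at file lines 100–102 write `counter fw-printer accept` / `counter fw-host accept` without the `name` keyword, which nft parses as a syntax error rather than a named-counter reference, and line 97 references `counter name icmp-fw`, which is never declared in `table inet filter` (only `icmp-ratelimit-fw` is). The fix is small: add `counter icmp-fw {}` next to `counter icmp-ratelimit-fw {}` and change the three rules to `counter name fw-printer accept` / `counter name fw-host accept`; running `nft -c -f ruleset.nft` in a build check would catch this class of error before deployment. Also worth a comment: the forward chain has no `ct state { established, related }` accept, so replies from the printer to host-initiated connections other than DNS/NTP toward the host addresses appear to fall through to `drop-fw`, which is fine if the printer is only ever reached from inside the container but should be stated, e.g. `# printer may only originate DNS/NTP to the host; host->printer is one-way on purpose`.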