author | Gregor Kleen <gkleen@yggdrasil.li> | 2022-01-08 00:24:18 +0100 |
---|---|---|
committer | Gregor Kleen <gkleen@yggdrasil.li> | 2022-01-08 00:24:18 +0100 |
commit | c89e822a5d558b9f9bb9d1ac2a1dd76f3e64c595 (patch) | |
tree | a3d99e39387b21448d9e4d99a1dda75f10008c2e /hosts/vidhar | |
parent | 876c5c44867aec221a36c3b1319d96c8c3df9e44 (diff) | |
vidhar: dmz01
Diffstat (limited to 'hosts/vidhar')
-rw-r--r-- | hosts/vidhar/network/default.nix | 18 | ||||
-rw-r--r-- | hosts/vidhar/network/dsl.nix | 27 | ||||
-rw-r--r-- | hosts/vidhar/network/ruleset.nft | 14 |
3 files changed, 47 insertions, 12 deletions
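--- a/hosts/vidhar/network/default.nix
+++ b/hosts/vidhar/network/default.nix
@@ -21,6 +21,11 @@
 { address = "10.141.1.1"; prefixLength = 24; }
 ];
 };
+interfaces."dmz01" = {
+ipv4.addresses = [
+{ address = "10.141.2.1"; prefixLength = 24; }
+];
+};
 
 vlans = {
 mgmt = {
@@ -31,6 +36,10 @@
 id = 3;
 interface = "eno2";
 };
+dmz01 = {
+id = 4;
+interface = "eno2";
+};
 };
 
 firewall.enable = false;
@@ -58,6 +67,15 @@
 
 subnet 10.141.1.0 netmask 255.255.255.0 {
 range 10.141.1.128 10.141.1.254;
+option domain-name-servers 10.141.1.1;
+option broadcast-address 10.141.1.255;
+}
+
+subnet 10.141.2.0 netmask 255.255.255.0 {
+range 10.141.2.128 10.141.2.254;
+option domain-name-servers 10.141.2.1;
+option broadcast-address 10.141.2.255;
+option routers 10.141.2.1;
 }
 '';
 machines = [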
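Review bot: The new dhcpd subnet for 10.141.2.0/24 advertises 10.141.2.1 as both router and resolver, but nothing in this hunk makes dhcpd listen on dmz01 — if the service's interface list (outside the hunk) is not extended, the subnet declaration is dead; likewise the 10.141.1.0/24 subnet gains no `option routers` here, so either it is set globally or lan clients obtain their default route elsewhere. Style: `interfaces."dmz01"` quotes the attribute name while the `vlans` entry below uses bare `dmz01`; `interfaces.dmz01 = {` would be consistent. Since `firewall.enable = false` leaves filtering to ruleset.nft and the DMZ shares the eno2 trunk with the `mgmt` VLAN (id 3), isolation also depends on the switch side; a comment such as `# dmz01: VLAN 4 on the eno2 trunk, isolated from mgmt by ruleset.nft and the switch` would record that assumption. The enclosing attribute set and the dhcpd config string extend beyond the hunks.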
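--- a/hosts/vidhar/network/dsl.nix
+++ b/hosts/vidhar/network/dsl.nix
@@ -95,6 +95,13 @@ in {
 rdnss = [{ servers = ["::"]; }];
 dnssl = [{ domain_names = ["yggdrasil"]; }];
 }
+{ name = "dmz01";
+advertise = true;
+verbose = true;
+prefix = [{ prefix = "::/64"; }];
+route = [{ prefix = "::/0"; }];
+rdnss = [{ servers = ["::"]; }];
+}
 ];
 
 debug = {
@@ -108,10 +115,17 @@ in {
 proxies = {
 ${pppInterface} = {
 router = true;
-rules.lan = {
-method = "iface";
-interface = "lan";
-network = "::/0";
+rules = {
+lan = {
+method = "iface";
+interface = "lan";
+network = "::/0";
+};
+dmz01 = {
+method = "iface";
+interface = "dmz01";
+network = "::/0";
+};
 };
 };
 };
@@ -154,7 +168,9 @@ in {
 '';
 
 postStop = ''
-${pkgs.iproute2}/bin/ip -6 a show dev lan scope global | ${pkgs.coreutils}/bin/grep inet6 | ${pkgs.gawk}/bin/awk '{ print $2; }' | ${pkgs.findutils}/bin/xargs -I '{}' -- ${pkgs.iproute2}/bin/ip addr del '{}' dev lan
+for dev in lan dmz01; do
+${pkgs.iproute2}/bin/ip -6 a show dev "''${dev}" scope global | ${pkgs.coreutils}/bin/grep inet6 | ${pkgs.gawk}/bin/awk '{ print $2; }' | ${pkgs.findutils}/bin/xargs -I '{}' -- ${pkgs.iproute2}/bin/ip addr del '{}' dev "''${dev}"
+done
 '';
 
 serviceConfig = let
@@ -177,6 +193,7 @@ in {
 iaid 1195061668
 ipv6rs # enable routing solicitation for WAN adapter
 ia_pd 1 lan/0/64/0 # request a PD and assign it to the LAN
+ia_pd 1 dmz01/1/64/0 # request a PD and assign it to dmz01
 
 reboot 0
 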
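Review bot: The new ndppd rule proxies `::/0` onto dmz01 exactly as it does for lan, so upstream neighbour solicitations for the delegated DMZ prefix are now answered on the PPP side and the only thing keeping Internet hosts away from DMZ machines is the nftables forward chain in ruleset.nft; that cross-file dependency deserves a comment on the rule, e.g. `# exposes the dmz01 PD prefix to upstream NDP; inbound traffic is gated solely by the ruleset.nft forward chain`. The dmz01 router-advertisement entry also omits the `dnssl` line that lan carries, which looks deliberate for a DMZ but is undocumented. In the dhcpcd config two separate `ia_pd 1 ...` lines share IAID 1; dhcpcd appears to merge interface entries with the same IAID, but the single-line form `ia_pd 1 lan/0/64/0 dmz01/1/64/0` is unambiguous and does not rely on that. The advertisement list, the proxies attribute set and the dhcpcd config string all continue outside the hunks.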
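--- a/hosts/vidhar/network/ruleset.nft
+++ b/hosts/vidhar/network/ruleset.nft
@@ -136,7 +136,7 @@ table inet filter {
 oifname {lan, dsl} meta l4proto $icmp_protos jump forward_icmp_accept
 
 iifname lan oifname dsl counter name fw-lan accept
-iifname dsl oifname lan ct state {established, related} counter name fw-dsl accept
+iifname dsl oifname { lan, dmz01 } ct state {established, related} counter name fw-dsl accept
 
 
 
@@ -162,14 +162,14 @@ table inet filter {
 iifname != dsl meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-rx drop
 meta l4proto $icmp_protos counter name icmp-rx accept
 
-tcp dport 22 counter name ssh-rx accept
-udp dport 60001-61000 counter name mosh-rx accept
+iifname { lan, mgmt, dsl } tcp dport 22 counter name ssh-rx accept
+iifname { lan, mgmt, dsl } udp dport 60001-61000 counter name mosh-rx accept
 
-iifname lan tcp dport 53 counter name dns-rx accept
-iifname lan udp dport 53 counter name dns-rx accept
+iifname { lan, mgmt, dmz01 } tcp dport 53 counter name dns-rx accept
+iifname { lan, mgmt, dmz01 } udp dport 53 counter name dns-rx accept
 
-meta protocol ip udp dport 51820 counter name wg-rx accept
-meta protocol ip6 udp dport 51821 counter name wg-rx accept
+iifname { lan, mgmt, dsl } meta protocol ip udp dport 51820 counter name wg-rx accept
+iifname { lan, mgmt, dsl } meta protocol ip6 udp dport 51821 counter name wg-rx accept
 iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-rx accept
 
 iifname dsl meta protocol ip6 udp dport 546 udp sport 547 counter name ipv6-pd-rx accept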
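Review bot: The forward chain now accepts established/related traffic from dsl into dmz01, but no rule in this hunk lets dmz01 originate traffic towards dsl, so unless one exists outside the shown lines the default route that dhcpd hands DMZ clients leads nowhere and the new accept never matches; if DMZ hosts are meant to reach the Internet, add `iifname dmz01 oifname dsl counter name fw-dmz01 accept` beside the fw-lan rule together with a `counter fw-dmz01 {}` declaration in the table. Restricting the ssh, mosh and WireGuard input rules to `iifname { lan, mgmt, dsl }` also drops acceptance on every interface not in the set — including the `yggdrasil-wg-*` tunnels the GRE rule below still names — which is presumably aimed at dmz01 but may be a regression for the tunnels, while ssh and mosh stay reachable from dsl as before. Neither a DHCP (udp dport 67) accept for the new 10.141.2.0/24 subnet nor the `oifname {lan, dsl}` ICMP jump at the top of the hunk covers dmz01, so DMZ hosts receive no forwarded ICMP unless it is conntrack-related; a short comment stating whether that is deliberate would help. Both chains start and end outside the hunk.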