diff options
| author | Gregor Kleen <gkleen@yggdrasil.li> | 2023-03-04 19:23:36 +0100 |
|---|---|---|
| committer | Gregor Kleen <gkleen@yggdrasil.li> | 2023-03-04 19:23:36 +0100 |
| commit | 29480b6e86ca6057d4151accdb5d4103f1657596 (patch) | |
| tree | aad8ef8a38f2b679ff64039d6a2445eba9041d09 /hosts | |
| parent | 7fcaba2d4cabc8d5dfd35648ec1b9b6795e490ec (diff) | |
| download | nixos-29480b6e86ca6057d4151accdb5d4103f1657596.tar nixos-29480b6e86ca6057d4151accdb5d4103f1657596.tar.gz nixos-29480b6e86ca6057d4151accdb5d4103f1657596.tar.bz2 nixos-29480b6e86ca6057d4151accdb5d4103f1657596.tar.xz nixos-29480b6e86ca6057d4151accdb5d4103f1657596.zip | |
...
Diffstat (limited to 'hosts')
| -rw-r--r-- | hosts/vidhar/default.nix | 8 | ||||
| -rw-r--r-- | hosts/vidhar/dns/default.nix | 6 | ||||
| -rw-r--r-- | hosts/vidhar/dns/zones/arpa.in-addr.10.141.soa | 7 | ||||
| -rw-r--r-- | hosts/vidhar/dns/zones/arpa.ip6.2.a.0.3.4.0.0.0.0.0.5.2.0.a.d.a.0.0.0.1.soa | 4 | ||||
| -rw-r--r-- | hosts/vidhar/dns/zones/yggdrasil.soa | 8 | ||||
| -rw-r--r-- | hosts/vidhar/network/default.nix | 4 | ||||
| -rw-r--r-- | hosts/vidhar/network/dhcp/default.nix | 7 | ||||
| -rw-r--r-- | hosts/vidhar/network/dsl.nix | 15 | ||||
| -rw-r--r-- | hosts/vidhar/network/ruleset.nft | 22 | ||||
| -rw-r--r-- | hosts/vidhar/printing/default.nix | 124 | ||||
| -rw-r--r-- | hosts/vidhar/printing/ruleset.nft | 185 | ||||
| -rw-r--r-- | hosts/vidhar/samba.nix | 15 |
12 files changed, 366 insertions, 39 deletions
diff --git a/hosts/vidhar/default.nix b/hosts/vidhar/default.nix index 7f780d9a..5c70c669 100644 --- a/hosts/vidhar/default.nix +++ b/hosts/vidhar/default.nix | |||
| @@ -4,7 +4,7 @@ with lib; | |||
| 4 | 4 | ||
| 5 | { | 5 | { |
| 6 | imports = with flake.nixosModules.systemProfiles; [ | 6 | imports = with flake.nixosModules.systemProfiles; [ |
| 7 | ./zfs.nix ./network ./samba.nix ./dns ./prometheus ./borg ./pgbackrest | 7 | ./zfs.nix ./network ./samba.nix ./dns ./prometheus ./borg ./pgbackrest ./printing |
| 8 | tmpfs-root zfs | 8 | tmpfs-root zfs |
| 9 | initrd-all-crypto-modules default-locale openssh rebuild-machines | 9 | initrd-all-crypto-modules default-locale openssh rebuild-machines |
| 10 | build-server | 10 | build-server |
| @@ -82,8 +82,10 @@ with lib; | |||
| 82 | 82 | ||
| 83 | services.openssh = { | 83 | services.openssh = { |
| 84 | enable = true; | 84 | enable = true; |
| 85 | passwordAuthentication = false; | 85 | settings = { |
| 86 | kbdInteractiveAuthentication = false; | 86 | PasswordAuthentication = false; |
| 87 | KbdInteractiveAuthentication = false; | ||
| 88 | }; | ||
| 87 | extraConfig = '' | 89 | extraConfig = '' |
| 88 | AllowGroups ssh | 90 | AllowGroups ssh |
| 89 | ''; | 91 | ''; |
diff --git a/hosts/vidhar/dns/default.nix b/hosts/vidhar/dns/default.nix index ade884e7..f942b3f9 100644 --- a/hosts/vidhar/dns/default.nix +++ b/hosts/vidhar/dns/default.nix | |||
| @@ -20,7 +20,7 @@ in { | |||
| 20 | enableRootTrustAnchor = false; | 20 | enableRootTrustAnchor = false; |
| 21 | settings = { | 21 | settings = { |
| 22 | server = { | 22 | server = { |
| 23 | interface = ["lo" "lan"]; | 23 | interface = ["lo" "lan" "ve-printing"]; |
| 24 | prefer-ip6 = true; | 24 | prefer-ip6 = true; |
| 25 | access-control = ["0.0.0.0/0 allow" "::/0 allow"]; | 25 | access-control = ["0.0.0.0/0 allow" "::/0 allow"]; |
| 26 | root-hints = "${pkgs.dns-root-data}/root.hints"; | 26 | root-hints = "${pkgs.dns-root-data}/root.hints"; |
| @@ -79,6 +79,10 @@ in { | |||
| 79 | }; | 79 | }; |
| 80 | }; | 80 | }; |
| 81 | 81 | ||
| 82 | systemd.services.unbound = { | ||
| 83 | after = [ "container@printinp.service" ]; | ||
| 84 | }; | ||
| 85 | |||
| 82 | systemd.services.knot = { | 86 | systemd.services.knot = { |
| 83 | unitConfig.RequiresMountsFor = [ "/var/lib/knot" ]; | 87 | unitConfig.RequiresMountsFor = [ "/var/lib/knot" ]; |
| 84 | serviceConfig.LoadCredential = map ({name, ...}: "${name}.yaml:${config.sops.secrets.${name}.path}") knotKeys; | 88 | serviceConfig.LoadCredential = map ({name, ...}: "${name}.yaml:${config.sops.secrets.${name}.path}") knotKeys; |
diff --git a/hosts/vidhar/dns/zones/arpa.in-addr.10.141.soa b/hosts/vidhar/dns/zones/arpa.in-addr.10.141.soa index 01941df6..5f98034e 100644 --- a/hosts/vidhar/dns/zones/arpa.in-addr.10.141.soa +++ b/hosts/vidhar/dns/zones/arpa.in-addr.10.141.soa | |||
| @@ -1,7 +1,7 @@ | |||
| 1 | $ORIGIN 141.10.in-addr.arpa. | 1 | $ORIGIN 141.10.in-addr.arpa. |
| 2 | $TTL 300 | 2 | $TTL 300 |
| 3 | @ IN SOA vidhar.lan.yggdrasil. hostmaster.yggdrasil.li ( | 3 | @ IN SOA vidhar.lan.yggdrasil. hostmaster.yggdrasil.li ( |
| 4 | 2023022700 ; serial | 4 | 2023030402 ; serial |
| 5 | 300 ; refresh | 5 | 300 ; refresh |
| 6 | 300 ; retry | 6 | 300 ; retry |
| 7 | 300 ; expire | 7 | 300 ; expire |
| @@ -11,8 +11,11 @@ $TTL 300 | |||
| 11 | IN NS vidhar.lan.yggdrasil. | 11 | IN NS vidhar.lan.yggdrasil. |
| 12 | 12 | ||
| 13 | 1.0 IN PTR vidhar.lan.yggdrasil. | 13 | 1.0 IN PTR vidhar.lan.yggdrasil. |
| 14 | 2.0 IN PTR printer.lan.yggdrasil. | ||
| 15 | 14 | ||
| 16 | 1.1 IN PTR vidhar.mgmt.yggdrasil. | 15 | 1.1 IN PTR vidhar.mgmt.yggdrasil. |
| 17 | 2.1 IN PTR switch01.mgmt.yggdrasil. | 16 | 2.1 IN PTR switch01.mgmt.yggdrasil. |
| 18 | 4.1 IN PTR ap01.mgmt.yggdrasil. | 17 | 4.1 IN PTR ap01.mgmt.yggdrasil. |
| 18 | |||
| 19 | 3.2 IN PTR printer.printer.yggdrasil. | ||
| 20 | |||
| 21 | 1.4 IN PTR printing.vidhar.lan.yggdrasil. | ||
diff --git a/hosts/vidhar/dns/zones/arpa.ip6.2.a.0.3.4.0.0.0.0.0.5.2.0.a.d.a.0.0.0.1.soa b/hosts/vidhar/dns/zones/arpa.ip6.2.a.0.3.4.0.0.0.0.0.5.2.0.a.d.a.0.0.0.1.soa index c1955ec7..bec3fd05 100644 --- a/hosts/vidhar/dns/zones/arpa.ip6.2.a.0.3.4.0.0.0.0.0.5.2.0.a.d.a.0.0.0.1.soa +++ b/hosts/vidhar/dns/zones/arpa.ip6.2.a.0.3.4.0.0.0.0.0.5.2.0.a.d.a.0.0.0.1.soa | |||
| @@ -1,7 +1,7 @@ | |||
| 1 | $ORIGIN 1.0.0.0.a.d.a.0.2.5.0.0.0.0.0.4.3.0.a.2.ip6.arpa. | 1 | $ORIGIN 1.0.0.0.a.d.a.0.2.5.0.0.0.0.0.4.3.0.a.2.ip6.arpa. |
| 2 | $TTL 300 | 2 | $TTL 300 |
| 3 | @ IN SOA vidhar.lan.yggdrasil. hostmaster.yggdrasil.li ( | 3 | @ IN SOA vidhar.lan.yggdrasil. hostmaster.yggdrasil.li ( |
| 4 | 2022031801 ; serial | 4 | 2023030400 ; serial |
| 5 | 300 ; refresh | 5 | 300 ; refresh |
| 6 | 300 ; retry | 6 | 300 ; retry |
| 7 | 300 ; expire | 7 | 300 ; expire |
| @@ -13,3 +13,5 @@ $TTL 300 | |||
| 13 | 0.0.0.0.0.0.0.0.0.0.0.0 IN PTR surtr.yggdrasil. | 13 | 0.0.0.0.0.0.0.0.0.0.0.0 IN PTR surtr.yggdrasil. |
| 14 | 0.0.0.0.0.0.0.0.0.0.0.1 IN PTR vidhar.yggdrasil. | 14 | 0.0.0.0.0.0.0.0.0.0.0.1 IN PTR vidhar.yggdrasil. |
| 15 | 0.0.0.0.0.0.0.0.0.0.0.2 IN PTR sif.yggdrasil. | 15 | 0.0.0.0.0.0.0.0.0.0.0.2 IN PTR sif.yggdrasil. |
| 16 | |||
| 17 | 0.0.0.0.0.4.0.0.0.0.0.1 IN PTR printing.vidhar.yggdrasil. | ||
diff --git a/hosts/vidhar/dns/zones/yggdrasil.soa b/hosts/vidhar/dns/zones/yggdrasil.soa index 49617c80..3d0daaac 100644 --- a/hosts/vidhar/dns/zones/yggdrasil.soa +++ b/hosts/vidhar/dns/zones/yggdrasil.soa | |||
| @@ -1,7 +1,7 @@ | |||
| 1 | $ORIGIN yggdrasil. | 1 | $ORIGIN yggdrasil. |
| 2 | $TTL 300 | 2 | $TTL 300 |
| 3 | @ IN SOA vidhar.yggdrasil. hostmaster.yggdrasil.li ( | 3 | @ IN SOA vidhar.yggdrasil. hostmaster.yggdrasil.li ( |
| 4 | 2023022700 ; serial | 4 | 2023030405 ; serial |
| 5 | 300 ; refresh | 5 | 300 ; refresh |
| 6 | 300 ; retry | 6 | 300 ; retry |
| 7 | 300 ; expire | 7 | 300 ; expire |
| @@ -23,9 +23,13 @@ pgbackrest.surtr IN CNAME surtr.yggdrasil. | |||
| 23 | 23 | ||
| 24 | 24 | ||
| 25 | vidhar.lan IN A 10.141.0.1 | 25 | vidhar.lan IN A 10.141.0.1 |
| 26 | printer.lan IN A 10.141.0.2 | ||
| 27 | 26 | ||
| 28 | vidhar.mgmt IN A 10.141.1.1 | 27 | vidhar.mgmt IN A 10.141.1.1 |
| 29 | switch01.mgmt IN A 10.141.1.2 | 28 | switch01.mgmt IN A 10.141.1.2 |
| 30 | dsl01.mgmt IN A 10.141.1.3 | 29 | dsl01.mgmt IN A 10.141.1.3 |
| 31 | ap01.mgmt IN A 10.141.1.4 | 30 | ap01.mgmt IN A 10.141.1.4 |
| 31 | |||
| 32 | printer.printer IN A 10.141.3.2 | ||
| 33 | |||
| 34 | printing.vidhar.lan IN A 10.141.4.1 | ||
| 35 | printing.vidhar IN AAAA 2a03:4000:52:ada:4::1 | ||
diff --git a/hosts/vidhar/network/default.nix b/hosts/vidhar/network/default.nix index ddc5d78d..1d0f5465 100644 --- a/hosts/vidhar/network/default.nix +++ b/hosts/vidhar/network/default.nix | |||
| @@ -24,7 +24,7 @@ with lib; | |||
| 24 | { address = "10.141.1.1"; prefixLength = 24; } | 24 | { address = "10.141.1.1"; prefixLength = 24; } |
| 25 | ]; | 25 | ]; |
| 26 | }; | 26 | }; |
| 27 | interfaces."dmz01" = { | 27 | interfaces."wifibh" = { |
| 28 | ipv4.addresses = [ | 28 | ipv4.addresses = [ |
| 29 | { address = "10.141.2.1"; prefixLength = 24; } | 29 | { address = "10.141.2.1"; prefixLength = 24; } |
| 30 | ]; | 30 | ]; |
| @@ -39,7 +39,7 @@ with lib; | |||
| 39 | id = 3; | 39 | id = 3; |
| 40 | interface = "eno2"; | 40 | interface = "eno2"; |
| 41 | }; | 41 | }; |
| 42 | dmz01 = { | 42 | wifibh = { |
| 43 | id = 4; | 43 | id = 4; |
| 44 | interface = "eno2"; | 44 | interface = "eno2"; |
| 45 | }; | 45 | }; |
diff --git a/hosts/vidhar/network/dhcp/default.nix b/hosts/vidhar/network/dhcp/default.nix index af7a3545..4d8a54ae 100644 --- a/hosts/vidhar/network/dhcp/default.nix +++ b/hosts/vidhar/network/dhcp/default.nix | |||
| @@ -108,10 +108,6 @@ with lib; | |||
| 108 | { hostname = "geri"; | 108 | { hostname = "geri"; |
| 109 | hw-address = "0e:e6:43:5e:37:7b"; | 109 | hw-address = "0e:e6:43:5e:37:7b"; |
| 110 | } | 110 | } |
| 111 | { hostname = "printer"; | ||
| 112 | hw-address = "30:cd:a7:b0:55:8d"; | ||
| 113 | ip-address = "10.141.0.2"; | ||
| 114 | } | ||
| 115 | ]; | 111 | ]; |
| 116 | } | 112 | } |
| 117 | { subnet = "10.141.1.0/24"; | 113 | { subnet = "10.141.1.0/24"; |
| @@ -122,6 +118,9 @@ with lib; | |||
| 122 | { name = "broadcast-address"; | 118 | { name = "broadcast-address"; |
| 123 | data = "10.141.1.255"; | 119 | data = "10.141.1.255"; |
| 124 | } | 120 | } |
| 121 | { name = "ntp-servers"; | ||
| 122 | data = "10.141.1.1"; | ||
| 123 | } | ||
| 125 | { name = "domain-name"; | 124 | { name = "domain-name"; |
| 126 | data = "yggdrasil"; | 125 | data = "yggdrasil"; |
| 127 | } | 126 | } |
diff --git a/hosts/vidhar/network/dsl.nix b/hosts/vidhar/network/dsl.nix index 536e0e0d..5b7c5ac7 100644 --- a/hosts/vidhar/network/dsl.nix +++ b/hosts/vidhar/network/dsl.nix | |||
| @@ -97,13 +97,6 @@ in { | |||
| 97 | dnssl = [{ domain_names = ["yggdrasil"]; }]; | 97 | dnssl = [{ domain_names = ["yggdrasil"]; }]; |
| 98 | # other_config = true; | 98 | # other_config = true; |
| 99 | } | 99 | } |
| 100 | { name = "dmz01"; | ||
| 101 | advertise = true; | ||
| 102 | verbose = true; | ||
| 103 | prefix = [{ prefix = "::/64"; }]; | ||
| 104 | route = [{ prefix = "::/0"; }]; | ||
| 105 | rdnss = [{ servers = ["::"]; }]; | ||
| 106 | } | ||
| 107 | ]; | 100 | ]; |
| 108 | 101 | ||
| 109 | debug = { | 102 | debug = { |
| @@ -123,11 +116,6 @@ in { | |||
| 123 | interface = "lan"; | 116 | interface = "lan"; |
| 124 | network = "::/0"; | 117 | network = "::/0"; |
| 125 | }; | 118 | }; |
| 126 | dmz01 = { | ||
| 127 | method = "iface"; | ||
| 128 | interface = "dmz01"; | ||
| 129 | network = "::/0"; | ||
| 130 | }; | ||
| 131 | }; | 119 | }; |
| 132 | }; | 120 | }; |
| 133 | }; | 121 | }; |
| @@ -170,7 +158,7 @@ in { | |||
| 170 | ''; | 158 | ''; |
| 171 | 159 | ||
| 172 | postStop = '' | 160 | postStop = '' |
| 173 | for dev in lan dmz01; do | 161 | for dev in lan; do |
| 174 | ${pkgs.iproute2}/bin/ip -6 a show dev "''${dev}" scope global | ${pkgs.gnugrep}/bin/grep inet6 | ${pkgs.gawk}/bin/awk '{ print $2; }' | ${pkgs.findutils}/bin/xargs -I '{}' -- ${pkgs.iproute2}/bin/ip addr del '{}' dev "''${dev}" | 162 | ${pkgs.iproute2}/bin/ip -6 a show dev "''${dev}" scope global | ${pkgs.gnugrep}/bin/grep inet6 | ${pkgs.gawk}/bin/awk '{ print $2; }' | ${pkgs.findutils}/bin/xargs -I '{}' -- ${pkgs.iproute2}/bin/ip addr del '{}' dev "''${dev}" |
| 175 | done | 163 | done |
| 176 | ''; | 164 | ''; |
| @@ -195,7 +183,6 @@ in { | |||
| 195 | iaid 1195061668 | 183 | iaid 1195061668 |
| 196 | ipv6rs # enable routing solicitation for WAN adapter | 184 | ipv6rs # enable routing solicitation for WAN adapter |
| 197 | ia_pd 1 lan/0/64/0 # request a PD and assign it to the LAN | 185 | ia_pd 1 lan/0/64/0 # request a PD and assign it to the LAN |
| 198 | ia_pd 1 dmz01/1/64/0 # request a PD and assign it to dmz01 | ||
| 199 | 186 | ||
| 200 | reboot 0 | 187 | reboot 0 |
| 201 | 188 | ||
diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft index da3a9048..d2c88008 100644 --- a/hosts/vidhar/network/ruleset.nft +++ b/hosts/vidhar/network/ruleset.nft | |||
| @@ -59,6 +59,9 @@ table inet filter { | |||
| 59 | counter fw-lo {} | 59 | counter fw-lo {} |
| 60 | counter fw-lan {} | 60 | counter fw-lan {} |
| 61 | counter fw-dsl {} | 61 | counter fw-dsl {} |
| 62 | counter fw-printing {} | ||
| 63 | |||
| 64 | counter fw-cups {} | ||
| 62 | 65 | ||
| 63 | counter reject-ratelimit-fw {} | 66 | counter reject-ratelimit-fw {} |
| 64 | counter reject-fw {} | 67 | counter reject-fw {} |
| @@ -137,12 +140,17 @@ table inet filter { | |||
| 137 | 140 | ||
| 138 | iifname lo counter name fw-lo accept | 141 | iifname lo counter name fw-lo accept |
| 139 | 142 | ||
| 140 | oifname { lan, dsl, bifrost } meta l4proto $icmp_protos jump forward_icmp_accept | 143 | oifname { lan, dsl, bifrost, ve-printing } meta l4proto $icmp_protos jump forward_icmp_accept |
| 141 | |||
| 142 | iifname lan oifname { dsl, bifrost } counter name fw-lan accept | 144 | iifname lan oifname { dsl, bifrost } counter name fw-lan accept |
| 143 | iifname dsl oifname { lan, dmz01 } ct state {established, related} counter name fw-dsl accept | ||
| 144 | 145 | ||
| 145 | 146 | ||
| 147 | iifname lan oifname ve-printing ip daddr 10.141.4.1 tcp dport 631 counter name fw-cups accept | ||
| 148 | iifname lan oifname ve-printing ip6 daddr 2a03:4000:52:ada:4::1 tcp dport 631 counter name fw-cups accept | ||
| 149 | |||
| 150 | |||
| 151 | iifname ve-printing oifname lan ct state {established, related} counter name fw-printing accept | ||
| 152 | iifname dsl oifname lan ct state {established, related} counter name fw-dsl accept | ||
| 153 | |||
| 146 | 154 | ||
| 147 | limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop | 155 | limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop |
| 148 | log level debug prefix "reject forward: " counter name reject-fw | 156 | log level debug prefix "reject forward: " counter name reject-fw |
| @@ -169,7 +177,7 @@ table inet filter { | |||
| 169 | iifname { lan, mgmt, dsl, yggdrasil, bifrost } tcp dport 22 counter name ssh-rx accept | 177 | iifname { lan, mgmt, dsl, yggdrasil, bifrost } tcp dport 22 counter name ssh-rx accept |
| 170 | iifname { lan, mgmt, dsl, yggdrasil, bifrost } udp dport 60000-61000 counter name mosh-rx accept | 178 | iifname { lan, mgmt, dsl, yggdrasil, bifrost } udp dport 60000-61000 counter name mosh-rx accept |
| 171 | 179 | ||
| 172 | iifname { lan, mgmt, dmz01, yggdrasil } meta l4proto { tcp, udp } th dport 53 counter name dns-rx accept | 180 | iifname { lan, mgmt, wifibh, yggdrasil, ve-printing } meta l4proto { tcp, udp } th dport 53 counter name dns-rx accept |
| 173 | 181 | ||
| 174 | iifname { lan, yggdrasil } tcp dport 2049 counter name nfs-rx accept | 182 | iifname { lan, yggdrasil } tcp dport 2049 counter name nfs-rx accept |
| 175 | 183 | ||
| @@ -179,9 +187,9 @@ table inet filter { | |||
| 179 | 187 | ||
| 180 | iifname dsl meta protocol ip6 udp dport 546 udp sport 547 counter name ipv6-pd-rx accept | 188 | iifname dsl meta protocol ip6 udp dport 546 udp sport 547 counter name ipv6-pd-rx accept |
| 181 | 189 | ||
| 182 | iifname mgmt udp dport 123 counter name ntp-rx accept | 190 | iifname { mgmt, ve-printing } udp dport 123 counter name ntp-rx accept |
| 183 | 191 | ||
| 184 | iifname { lan, mgmt, dmz01 } udp dport 67 counter name dhcp-rx accept | 192 | iifname { lan, mgmt, wifibh } udp dport 67 counter name dhcp-rx accept |
| 185 | 193 | ||
| 186 | iifname lan udp dport { 137, 138, 3702 } counter name samba-rx accept | 194 | iifname lan udp dport { 137, 138, 3702 } counter name samba-rx accept |
| 187 | iifname lan tcp dport { 445, 139, 5357 } counter name samba-rx accept | 195 | iifname lan tcp dport { 445, 139, 5357 } counter name samba-rx accept |
| @@ -268,4 +276,4 @@ table ip mss_clamp { | |||
| 268 | 276 | ||
| 269 | oifname dsl tcp flags & (syn|rst) == syn counter name dsl-mss-clamp tcp option maxseg size set rt mtu | 277 | oifname dsl tcp flags & (syn|rst) == syn counter name dsl-mss-clamp tcp option maxseg size set rt mtu |
| 270 | } | 278 | } |
| 271 | } \ No newline at end of file | 279 | } |
diff --git a/hosts/vidhar/printing/default.nix b/hosts/vidhar/printing/default.nix new file mode 100644 index 00000000..0e0dfcf7 --- /dev/null +++ b/hosts/vidhar/printing/default.nix | |||
| @@ -0,0 +1,124 @@ | |||
| 1 | { config, lib, ... }: | ||
| 2 | |||
| 3 | with lib; | ||
| 4 | |||
| 5 | let | ||
| 6 | containerConfig = config.containers.printing.config; | ||
| 7 | in { | ||
| 8 | config = { | ||
| 9 | containers.printing = { | ||
| 10 | privateNetwork = true; | ||
| 11 | ephemeral = true; | ||
| 12 | autoStart = true; | ||
| 13 | hostAddress = "10.141.4.0"; | ||
| 14 | hostAddress6 = "2a03:4000:52:ada:4::"; | ||
| 15 | localAddress = "10.141.4.1"; | ||
| 16 | localAddress6 = "2a03:4000:52:ada:4::1"; | ||
| 17 | interfaces = [ "printer" ]; | ||
| 18 | config = let | ||
| 19 | hostConfig = config; | ||
| 20 | in { ... }: { | ||
| 21 | config = { | ||
| 22 | services = { | ||
| 23 | kea = { | ||
| 24 | dhcp4 = { | ||
| 25 | enable = true; | ||
| 26 | settings = { | ||
| 27 | valid-lifetime = 4000; | ||
| 28 | rebind-timer = 2000; | ||
| 29 | renew-timer = 1000; | ||
| 30 | |||
| 31 | interfaces-config = { | ||
| 32 | interfaces = [ "printer" ]; | ||
| 33 | }; | ||
| 34 | |||
| 35 | lease-database = { | ||
| 36 | name = "/var/lib/kea/dhcp4.leases"; | ||
| 37 | persist = true; | ||
| 38 | type = "memfile"; | ||
| 39 | }; | ||
| 40 | |||
| 41 | subnet4 = [ | ||
| 42 | { subnet = "10.141.3.0/24"; | ||
| 43 | option-data = [ | ||
| 44 | { name = "domain-name-servers"; | ||
| 45 | data = "10.141.4.0"; | ||
| 46 | } | ||
| 47 | { name = "ntp-servers"; | ||
| 48 | data = "10.141.4.0"; | ||
| 49 | } | ||
| 50 | { name = "broadcast-address"; | ||
| 51 | data = "10.141.3.255"; | ||
| 52 | } | ||
| 53 | { name = "routers"; | ||
| 54 | data = "10.141.3.1"; | ||
| 55 | } | ||
| 56 | { name = "domain-name"; | ||
| 57 | data = "yggdrasil"; | ||
| 58 | } | ||
| 59 | { name = "domain-search"; | ||
| 60 | data = "printer.yggdrasil, yggdrasil"; | ||
| 61 | } | ||
| 62 | ]; | ||
| 63 | pools = [ { pool = "10.141.3.128 - 10.141.3.254"; } ]; | ||
| 64 | reservations = [ | ||
| 65 | { hostname = "printer"; | ||
| 66 | hw-address = "30:cd:a7:b0:55:8d"; | ||
| 67 | ip-address = "10.141.3.2"; | ||
| 68 | } | ||
| 69 | ]; | ||
| 70 | } | ||
| 71 | ]; | ||
| 72 | }; | ||
| 73 | }; | ||
| 74 | }; | ||
| 75 | |||
| 76 | printing = { | ||
| 77 | enable = true; | ||
| 78 | listenAddresses = [ | ||
| 79 | "*:631" | ||
| 80 | ]; | ||
| 81 | allowFrom = [ "all" ]; | ||
| 82 | extraConf = '' | ||
| 83 | ServerName printing | ||
| 84 | ServerAlias 10.141.4.1 2a03:4000:52:ada:4::1 printing.vidhar.yggdrasil printing.vidhar.lan.yggdrasil | ||
| 85 | ''; | ||
| 86 | }; | ||
| 87 | |||
| 88 | resolved.enable = false; | ||
| 89 | }; | ||
| 90 | |||
| 91 | networking = { | ||
| 92 | firewall.enable = false; | ||
| 93 | nftables = { | ||
| 94 | enable = true; | ||
| 95 | rulesetFile = ./ruleset.nft; | ||
| 96 | }; | ||
| 97 | |||
| 98 | useDHCP = false; | ||
| 99 | useNetworkd = true; | ||
| 100 | |||
| 101 | interfaces."printer" = { | ||
| 102 | ipv4.addresses = [ | ||
| 103 | { address = "10.141.3.1"; prefixLength = 24; } | ||
| 104 | ]; | ||
| 105 | }; | ||
| 106 | }; | ||
| 107 | |||
| 108 | environment.etc."resolv.conf".text = '' | ||
| 109 | nameserver ${hostConfig.containers.printing.hostAddress6} | ||
| 110 | ''; | ||
| 111 | |||
| 112 | system.stateVersion = hostConfig.system.stateVersion; | ||
| 113 | }; | ||
| 114 | }; | ||
| 115 | }; | ||
| 116 | |||
| 117 | networking = { | ||
| 118 | vlans.printer = { | ||
| 119 | id = 5; | ||
| 120 | interface = "eno2"; | ||
| 121 | }; | ||
| 122 | }; | ||
| 123 | }; | ||
| 124 | } | ||
diff --git a/hosts/vidhar/printing/ruleset.nft b/hosts/vidhar/printing/ruleset.nft new file mode 100644 index 00000000..c3027567 --- /dev/null +++ b/hosts/vidhar/printing/ruleset.nft | |||
| @@ -0,0 +1,185 @@ | |||
| 1 | define icmp_protos = {ipv6-icmp, icmp, igmp} | ||
| 2 | |||
| 3 | table arp filter { | ||
| 4 | limit lim_arp { | ||
| 5 | rate over 50 mbytes/second burst 50 mbytes | ||
| 6 | } | ||
| 7 | |||
| 8 | counter arp-rx {} | ||
| 9 | counter arp-tx {} | ||
| 10 | |||
| 11 | counter arp-ratelimit-rx {} | ||
| 12 | counter arp-ratelimit-tx {} | ||
| 13 | |||
| 14 | chain input { | ||
| 15 | type filter hook input priority filter | ||
| 16 | policy accept | ||
| 17 | |||
| 18 | limit name lim_arp counter name arp-ratelimit-rx drop | ||
| 19 | |||
| 20 | counter name arp-rx | ||
| 21 | } | ||
| 22 | |||
| 23 | chain output { | ||
| 24 | type filter hook output priority filter | ||
| 25 | policy accept | ||
| 26 | |||
| 27 | limit name lim_arp counter name arp-ratelimit-tx drop | ||
| 28 | |||
| 29 | counter name arp-tx | ||
| 30 | } | ||
| 31 | } | ||
| 32 | |||
| 33 | table inet filter { | ||
| 34 | limit lim_reject { | ||
| 35 | rate over 1000/second burst 1000 packets | ||
| 36 | } | ||
| 37 | |||
| 38 | limit lim_icmp { | ||
| 39 | rate over 50 mbytes/second burst 50 mbytes | ||
| 40 | } | ||
| 41 | |||
| 42 | counter invalid-fw {} | ||
| 43 | counter fw-lo {} | ||
| 44 | counter fw-printer {} | ||
| 45 | counter fw-host {} | ||
| 46 | |||
| 47 | counter icmp-ratelimit-fw {} | ||
| 48 | |||
| 49 | counter reject-ratelimit-fw {} | ||
| 50 | counter reject-fw {} | ||
| 51 | counter reject-tcp-fw {} | ||
| 52 | counter reject-icmp-fw {} | ||
| 53 | |||
| 54 | counter drop-fw {} | ||
| 55 | |||
| 56 | counter invalid-rx {} | ||
| 57 | |||
| 58 | counter rx-lo {} | ||
| 59 | counter invalid-local4-rx {} | ||
| 60 | counter invalid-local6-rx {} | ||
| 61 | |||
| 62 | counter icmp-ratelimit-rx {} | ||
| 63 | counter icmp-rx {} | ||
| 64 | |||
| 65 | counter cups-rx {} | ||
| 66 | |||
| 67 | counter established-rx {} | ||
| 68 | |||
| 69 | counter reject-ratelimit-rx {} | ||
| 70 | counter reject-rx {} | ||
| 71 | counter reject-tcp-rx {} | ||
| 72 | counter reject-icmp-rx {} | ||
| 73 | |||
| 74 | counter drop-rx {} | ||
| 75 | |||
| 76 | counter tx-lo {} | ||
| 77 | |||
| 78 | counter icmp-ratelimit-tx {} | ||
| 79 | counter icmp-tx {} | ||
| 80 | |||
| 81 | counter cups-tx {} | ||
| 82 | |||
| 83 | counter tx {} | ||
| 84 | |||
| 85 | chain forward { | ||
| 86 | type filter hook forward priority filter | ||
| 87 | policy drop | ||
| 88 | |||
| 89 | |||
| 90 | ct state invalid log level debug prefix "drop invalid forward: " counter name invalid-fw drop | ||
| 91 | |||
| 92 | |||
| 93 | iifname lo counter name fw-lo accept | ||
| 94 | |||
| 95 | |||
| 96 | meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-fw drop | ||
| 97 | meta l4proto $icmp_protos counter name icmp-fw accept | ||
| 98 | |||
| 99 | |||
| 100 | iifname printer oifname eth0 ip daddr 10.141.4.0 meta l4proto . th dport { tcp . 53, udp . 53, udp . 123 } counter fw-printer accept | ||
| 101 | iifname printer oifname eth0 ip6 daddr 2a03:4000:52:ada:4:: meta l4proto . th dport { tcp . 53, udp . 53, udp . 123 } counter fw-printer accept | ||
| 102 | iifname eth0 oifname printer counter fw-host accept | ||
| 103 | |||
| 104 | |||
| 105 | limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop | ||
| 106 | log level debug prefix "reject forward: " counter name reject-fw | ||
| 107 | meta l4proto tcp ct state new counter name reject-tcp-fw reject with tcp reset | ||
| 108 | ct state new counter name reject-icmp-fw reject | ||
| 109 | |||
| 110 | |||
| 111 | counter name drop-fw | ||
| 112 | } | ||
| 113 | |||
| 114 | chain input { | ||
| 115 | type filter hook input priority filter | ||
| 116 | policy drop | ||
| 117 | |||
| 118 | |||
| 119 | ct state invalid log level debug prefix "drop invalid input: " counter name invalid-rx drop | ||
| 120 | |||
| 121 | |||
| 122 | iifname lo counter name rx-lo accept | ||
| 123 | iif != lo ip daddr 127.0.0.1/8 counter name invalid-local4-rx reject | ||
| 124 | iif != lo ip6 daddr ::1/128 counter name invalid-local6-rx reject | ||
| 125 | |||
| 126 | meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-rx drop | ||
| 127 | meta l4proto $icmp_protos counter name icmp-rx accept | ||
| 128 | |||
| 129 | |||
| 130 | ip6 saddr 2a03:4000:52:ada:4:: tcp dport 631 counter name cups-rx accept | ||
| 131 | ip saddr 10.141.4.0 tcp dport 631 counter name cups-rx accept | ||
| 132 | |||
| 133 | ct state {established, related} counter name established-rx accept | ||
| 134 | |||
| 135 | |||
| 136 | limit name lim_reject log level debug prefix "drop input: " counter name reject-ratelimit-rx drop | ||
| 137 | log level debug prefix "reject input: " counter name reject-rx | ||
| 138 | meta l4proto tcp ct state new counter name reject-tcp-rx reject with tcp reset | ||
| 139 | ct state new counter name reject-icmp-rx reject | ||
| 140 | |||
| 141 | |||
| 142 | counter name drop-rx | ||
| 143 | } | ||
| 144 | |||
| 145 | chain output { | ||
| 146 | type filter hook output priority filter | ||
| 147 | policy accept | ||
| 148 | |||
| 149 | |||
| 150 | oifname lo counter name tx-lo accept | ||
| 151 | |||
| 152 | meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-tx drop | ||
| 153 | meta l4proto $icmp_protos counter name icmp-tx accept | ||
| 154 | |||
| 155 | |||
| 156 | tcp sport 631 counter name cups-tx accept | ||
| 157 | |||
| 158 | |||
| 159 | counter name tx | ||
| 160 | } | ||
| 161 | } | ||
| 162 | |||
| 163 | table ip nat { | ||
| 164 | counter host-nat {} | ||
| 165 | |||
| 166 | chain postrouting { | ||
| 167 | type nat hook postrouting priority srcnat | ||
| 168 | policy accept | ||
| 169 | |||
| 170 | |||
| 171 | oifname eth0 counter name host-nat masquerade | ||
| 172 | } | ||
| 173 | } | ||
| 174 | |||
| 175 | table ip mss_clamp { | ||
| 176 | counter host-mss-clamp {} | ||
| 177 | |||
| 178 | chain postrouting { | ||
| 179 | type filter hook postrouting priority mangle | ||
| 180 | policy accept | ||
| 181 | |||
| 182 | |||
| 183 | oifname eth0 tcp flags & (syn|rst) == syn counter name host-mss-clamp tcp option maxseg size set rt mtu | ||
| 184 | } | ||
| 185 | } | ||
diff --git a/hosts/vidhar/samba.nix b/hosts/vidhar/samba.nix index 89d9f12e..cbe158a9 100644 --- a/hosts/vidhar/samba.nix +++ b/hosts/vidhar/samba.nix | |||
| @@ -4,19 +4,28 @@ | |||
| 4 | services.samba = { | 4 | services.samba = { |
| 5 | enable = true; | 5 | enable = true; |
| 6 | securityType = "user"; | 6 | securityType = "user"; |
| 7 | package = pkgs.samba4.override { | ||
| 8 | enablePrinting = true; | ||
| 9 | }; | ||
| 7 | extraConfig = '' | 10 | extraConfig = '' |
| 8 | domain master = yes | 11 | domain master = yes |
| 9 | workgroup = WORKGROUP | 12 | workgroup = WORKGROUP |
| 10 | load printers = no | 13 | load printers = no |
| 11 | printing = bsd | 14 | printing = cups |
| 12 | printcap name = /dev/null | 15 | cups server = 10.141.4.1 |
| 13 | disable spoolss = yes | ||
| 14 | guest account = nobody | 16 | guest account = nobody |
| 15 | bind interfaces only = yes | 17 | bind interfaces only = yes |
| 16 | interfaces = lo lan | 18 | interfaces = lo lan |
| 17 | server signing = mandatory | 19 | server signing = mandatory |
| 18 | server min protocol = SMB3 | 20 | server min protocol = SMB3 |
| 19 | server smb encrypt = required | 21 | server smb encrypt = required |
| 22 | |||
| 23 | [printers] | ||
| 24 | path = /srv/samba-printing | ||
| 25 | browseable = yes | ||
| 26 | printable = yes | ||
| 27 | writable = no | ||
| 28 | create mode = 0700 | ||
| 20 | ''; | 29 | ''; |
| 21 | shares = { | 30 | shares = { |
| 22 | homes = { | 31 | homes = { |