diff options
| -rw-r--r-- | hosts/surtr/bifrost/default.nix | 66 | ||||
| -rw-r--r-- | hosts/surtr/bifrost/surtr.priv | 26 | ||||
| -rw-r--r-- | hosts/surtr/bifrost/surtr.pub | 1 | ||||
| -rw-r--r-- | hosts/surtr/default.nix | 2 | ||||
| -rw-r--r-- | hosts/surtr/dns/zones/li.141.soa | 4 | ||||
| -rw-r--r-- | hosts/surtr/dns/zones/li.yggdrasil.soa | 8 | ||||
| -rw-r--r-- | hosts/surtr/dns/zones/org.praseodym.soa | 4 | ||||
| -rw-r--r-- | hosts/surtr/ruleset.nft | 14 | ||||
| -rw-r--r-- | hosts/vidhar/borg.nix | 12 | ||||
| -rw-r--r-- | hosts/vidhar/default.nix | 2 | ||||
| -rw-r--r-- | hosts/vidhar/network/bifrost/default.nix | 82 | ||||
| -rw-r--r-- | hosts/vidhar/network/bifrost/vidhar.priv | 26 | ||||
| -rw-r--r-- | hosts/vidhar/network/bifrost/vidhar.pub | 1 | ||||
| -rw-r--r-- | hosts/vidhar/network/default.nix | 2 | ||||
| -rw-r--r-- | hosts/vidhar/network/ruleset.nft | 4 | ||||
| -rw-r--r-- | modules/yggdrasil-wg/default.nix | 2 |
16 files changed, 239 insertions, 17 deletions
diff --git a/hosts/surtr/bifrost/default.nix b/hosts/surtr/bifrost/default.nix new file mode 100644 index 00000000..8f1e602d --- /dev/null +++ b/hosts/surtr/bifrost/default.nix | |||
| @@ -0,0 +1,66 @@ | |||
| 1 | { config, lib, ... }: | ||
| 2 | |||
| 3 | with lib; | ||
| 4 | |||
| 5 | let | ||
| 6 | trim = str: if hasSuffix "\n" str then trim (removeSuffix "\n" str) else str; | ||
| 7 | in { | ||
| 8 | config = { | ||
| 9 | systemd.network = { | ||
| 10 | netdevs = { | ||
| 11 | bifrost = { | ||
| 12 | netdevConfig = { | ||
| 13 | Name = "bifrost"; | ||
| 14 | Kind = "wireguard"; | ||
| 15 | }; | ||
| 16 | wireguardConfig = { | ||
| 17 | PrivateKeyFile = config.sops.secrets.bifrost.path; | ||
| 18 | ListenPort = 51822; | ||
| 19 | }; | ||
| 20 | wireguardPeers = [ | ||
| 21 | { wireguardPeerConfig = { | ||
| 22 | AllowedIPs = [ "2a03:4000:52:ada:4:1::/96" ]; | ||
| 23 | PublicKey = trim (readFile ../../vidhar/network/bifrost/vidhar.pub); | ||
| 24 | }; | ||
| 25 | } | ||
| 26 | ]; | ||
| 27 | }; | ||
| 28 | }; | ||
| 29 | networks = { | ||
| 30 | bifrost = { | ||
| 31 | name = "bifrost"; | ||
| 32 | matchConfig = { | ||
| 33 | Name = "bifrost"; | ||
| 34 | }; | ||
| 35 | address = ["2a03:4000:52:ada:4::/96"]; | ||
| 36 | routes = [ | ||
| 37 | { routeConfig = { | ||
| 38 | Destination = "2a03:4000:52:ada:4::/80"; | ||
| 39 | }; | ||
| 40 | } | ||
| 41 | ]; | ||
| 42 | linkConfig = { | ||
| 43 | RequiredForOnline = false; | ||
| 44 | }; | ||
| 45 | networkConfig = { | ||
| 46 | LLMNR = false; | ||
| 47 | MulticastDNS = false; | ||
| 48 | }; | ||
| 49 | }; | ||
| 50 | }; | ||
| 51 | }; | ||
| 52 | sops.secrets.bifrost = { | ||
| 53 | format = "binary"; | ||
| 54 | sopsFile = ./surtr.priv; | ||
| 55 | mode = "0640"; | ||
| 56 | owner = "root"; | ||
| 57 | group = "systemd-network"; | ||
| 58 | }; | ||
| 59 | environment.etc."systemd/networkd.conf" = { | ||
| 60 | text = '' | ||
| 61 | [Network] | ||
| 62 | RouteTable=bifrost:1026 | ||
| 63 | ''; | ||
| 64 | }; | ||
| 65 | }; | ||
| 66 | } | ||
diff --git a/hosts/surtr/bifrost/surtr.priv b/hosts/surtr/bifrost/surtr.priv new file mode 100644 index 00000000..e7f2aeb4 --- /dev/null +++ b/hosts/surtr/bifrost/surtr.priv | |||
| @@ -0,0 +1,26 @@ | |||
| 1 | { | ||
| 2 | "data": "ENC[AES256_GCM,data:Q3KFfWy4UQIbXfoR6jIb02r0735fvMMHqAWtqOE/BZfe/FuJUkb+HSSJbAkt,iv:YsaIx6eYfLOv1H3IammluRd9XDJAr6o4/HaHgtL8ZUc=,tag:uyINYQ0BGhi6TAuQkPCbBA==,type:str]", | ||
| 3 | "sops": { | ||
| 4 | "kms": null, | ||
| 5 | "gcp_kms": null, | ||
| 6 | "azure_kv": null, | ||
| 7 | "hc_vault": null, | ||
| 8 | "age": null, | ||
| 9 | "lastmodified": "2022-02-06T16:09:36Z", | ||
| 10 | "mac": "ENC[AES256_GCM,data:lzg4JDAyy1tL4dcuima26VWqQmCbr25+8AoecVIctX61V2STXiKzd938bEoJ02UVEPYAUzq+NP5fX6IrggYx2A0tII7oyo92EGBYJsvuCBpZWhZKpniXDsRcQo09PH3QJlJ9liSM8bCf6u//ubGU06xvLldt+g4xvvNOVfqMPSo=,iv:Ya2o/hhg18zp7PqLNSHJAAkyz/Lzibysylqsh0CvMzs=,tag:zeZZ0ilsCa/As7VOSCRgSQ==,type:str]", | ||
| 11 | "pgp": [ | ||
| 12 | { | ||
| 13 | "created_at": "2022-02-06T16:09:36Z", | ||
| 14 | "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdAx1FJFTdMFdAzIAwO1rZ9ikD/cP1nTzfI1wLZf5ufB3Uw\nY8JVtL/aSLaO3tli5eZNuz6tEhTFA0GU8l3c/Ws6ocjC+l3IR5bS2CGZbMHjyIyT\n0l4BgxRFBMFJdpbgpIEPsthgZwJRGNQofSJ7A6/550ekM5b/n77CBZQOHwocuJ4q\n7LCSH6kFUH8GgkSC26OLC8f/QpWr9zTneZP0mBd2CiADDCg6oPI3rGwq6+jQKNny\n=wDDa\n-----END PGP MESSAGE-----\n", | ||
| 15 | "fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8" | ||
| 16 | }, | ||
| 17 | { | ||
| 18 | "created_at": "2022-02-06T16:09:36Z", | ||
| 19 | "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdActA18sJwR4mjwyilHzHHBBuReg88U8QVMLphsqFvHFIw\nV5OTgNNvwiCPHSvGiYQ41Fnxa3VVDu0b3HSsq1Xvf5aFf65cRW39t/JHruwkpd1M\n0l4BbBOw5pksAlRcX25PNIIg7WEq4mlJjCi41INKJ1lF5YEu9kVZHT/+ayU6N5Kf\nVH3I6bpZiIKMc4fnF+yiVbCTWNC3EYTeCpe/ZnM8Gd0WLJh0KsLS+QVzMYagMHNm\n=Cc3x\n-----END PGP MESSAGE-----\n", | ||
| 20 | "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51" | ||
| 21 | } | ||
| 22 | ], | ||
| 23 | "unencrypted_suffix": "_unencrypted", | ||
| 24 | "version": "3.7.1" | ||
| 25 | } | ||
| 26 | } \ No newline at end of file | ||
diff --git a/hosts/surtr/bifrost/surtr.pub b/hosts/surtr/bifrost/surtr.pub new file mode 100644 index 00000000..2f6ec1b6 --- /dev/null +++ b/hosts/surtr/bifrost/surtr.pub | |||
| @@ -0,0 +1 @@ | |||
| /s2yJlJKmy/vt+r/A4z2dof8CBs95KW7CeWLtOb0ERc= | |||
diff --git a/hosts/surtr/default.nix b/hosts/surtr/default.nix index be148b05..cfb218da 100644 --- a/hosts/surtr/default.nix +++ b/hosts/surtr/default.nix | |||
| @@ -2,7 +2,7 @@ | |||
| 2 | { | 2 | { |
| 3 | imports = with flake.nixosModules.systemProfiles; [ | 3 | imports = with flake.nixosModules.systemProfiles; [ |
| 4 | qemu-guest openssh rebuild-machines zfs | 4 | qemu-guest openssh rebuild-machines zfs |
| 5 | ./zfs.nix ./dns ./tls.nix ./http.nix | 5 | ./zfs.nix ./dns ./tls.nix ./http.nix ./bifrost |
| 6 | ]; | 6 | ]; |
| 7 | 7 | ||
| 8 | config = { | 8 | config = { |
diff --git a/hosts/surtr/dns/zones/li.141.soa b/hosts/surtr/dns/zones/li.141.soa index 260a09b5..6620a0a3 100644 --- a/hosts/surtr/dns/zones/li.141.soa +++ b/hosts/surtr/dns/zones/li.141.soa | |||
| @@ -1,7 +1,7 @@ | |||
| 1 | $ORIGIN 141.li. | 1 | $ORIGIN 141.li. |
| 2 | $TTL 3600 | 2 | $TTL 3600 |
| 3 | @ IN SOA ns.yggdrasil.li. root.yggdrasil.li. ( | 3 | @ IN SOA ns.yggdrasil.li. root.yggdrasil.li. ( |
| 4 | 2022020102 ; serial | 4 | 2022020600 ; serial |
| 5 | 10800 ; refresh | 5 | 10800 ; refresh |
| 6 | 3600 ; retry | 6 | 3600 ; retry |
| 7 | 604800 ; expire | 7 | 604800 ; expire |
| @@ -27,7 +27,7 @@ $TTL 3600 | |||
| 27 | surtr IN A 202.61.241.61 | 27 | surtr IN A 202.61.241.61 |
| 28 | surtr IN AAAA 2a03:4000:52:ada:: | 28 | surtr IN AAAA 2a03:4000:52:ada:: |
| 29 | surtr IN MX 0 ymir.yggdrasil.li | 29 | surtr IN MX 0 ymir.yggdrasil.li |
| 30 | surtr IN TXT "v=spf1 redirect=ullr.yggdrasil.li" | 30 | surtr IN TXT "v=spf1 redirect=yggdrasil.li" |
| 31 | 31 | ||
| 32 | webdav IN CNAME surtr.yggdrasil.li. | 32 | webdav IN CNAME surtr.yggdrasil.li. |
| 33 | 33 | ||
diff --git a/hosts/surtr/dns/zones/li.yggdrasil.soa b/hosts/surtr/dns/zones/li.yggdrasil.soa index ab89351f..a4fad7a7 100644 --- a/hosts/surtr/dns/zones/li.yggdrasil.soa +++ b/hosts/surtr/dns/zones/li.yggdrasil.soa | |||
| @@ -1,7 +1,7 @@ | |||
| 1 | $ORIGIN yggdrasil.li. | 1 | $ORIGIN yggdrasil.li. |
| 2 | $TTL 3600 | 2 | $TTL 3600 |
| 3 | @ IN SOA ns.yggdrasil.li. root.yggdrasil.li. ( | 3 | @ IN SOA ns.yggdrasil.li. root.yggdrasil.li. ( |
| 4 | 2022020101 ; serial | 4 | 2022020600 ; serial |
| 5 | 10800 ; refresh | 5 | 10800 ; refresh |
| 6 | 3600 ; retry | 6 | 3600 ; retry |
| 7 | 604800 ; expire | 7 | 604800 ; expire |
| @@ -35,7 +35,11 @@ ymir IN TXT "v=spf1 redirect=yggdrasil.li" | |||
| 35 | surtr IN A 202.61.241.61 | 35 | surtr IN A 202.61.241.61 |
| 36 | surtr IN AAAA 2a03:4000:52:ada:: | 36 | surtr IN AAAA 2a03:4000:52:ada:: |
| 37 | surtr IN MX 0 ymir.yggdrasil.li | 37 | surtr IN MX 0 ymir.yggdrasil.li |
| 38 | surtr IN TXT "v=spf1 redirect=ullr.yggdrasil.li" | 38 | surtr IN TXT "v=spf1 redirect=yggdrasil.li" |
| 39 | |||
| 40 | vidhar IN AAAA 2a03:4000:52:ada:4:1:: | ||
| 41 | vidhar IN MX 0 ymir.yggdrasil.li | ||
| 42 | vidhar IN TXT "v=spf1 redirect=yggdrasil.li" | ||
| 39 | 43 | ||
| 40 | mailout IN A 188.68.51.254 | 44 | mailout IN A 188.68.51.254 |
| 41 | mailout IN AAAA 2a03:4000:6:d004:: | 45 | mailout IN AAAA 2a03:4000:6:d004:: |
diff --git a/hosts/surtr/dns/zones/org.praseodym.soa b/hosts/surtr/dns/zones/org.praseodym.soa index 4bd6263f..f4fd0d8e 100644 --- a/hosts/surtr/dns/zones/org.praseodym.soa +++ b/hosts/surtr/dns/zones/org.praseodym.soa | |||
| @@ -1,7 +1,7 @@ | |||
| 1 | $ORIGIN praseodym.org. | 1 | $ORIGIN praseodym.org. |
| 2 | $TTL 3600 | 2 | $TTL 3600 |
| 3 | @ IN SOA ns.yggdrasil.li. root.yggdrasil.li. ( | 3 | @ IN SOA ns.yggdrasil.li. root.yggdrasil.li. ( |
| 4 | 2022020102 ; serial | 4 | 2022020600 ; serial |
| 5 | 10800 ; refresh | 5 | 10800 ; refresh |
| 6 | 3600 ; retry | 6 | 3600 ; retry |
| 7 | 604800 ; expire | 7 | 604800 ; expire |
| @@ -27,7 +27,7 @@ $TTL 3600 | |||
| 27 | surtr IN A 202.61.241.61 | 27 | surtr IN A 202.61.241.61 |
| 28 | surtr IN AAAA 2a03:4000:52:ada:: | 28 | surtr IN AAAA 2a03:4000:52:ada:: |
| 29 | surtr IN MX 0 ymir.yggdrasil.li | 29 | surtr IN MX 0 ymir.yggdrasil.li |
| 30 | surtr IN TXT "v=spf1 redirect=ullr.yggdrasil.li" | 30 | surtr IN TXT "v=spf1 redirect=yggdrasil.li" |
| 31 | 31 | ||
| 32 | ymir._domainkey IN TXT ( | 32 | ymir._domainkey IN TXT ( |
| 33 | "v=DKIM1;k=rsa;p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAq3cCKlk+VPhyAanLZTM0BCzUT/+fmxHioZcFk0uJk1akBYj7BRofR7eVNcLKpm3rwYMQgE+9vJH9p8SV6tws9EcWc8SMCqqGZlREYM7PmLDiTSK/vjCzkygfgFCb0EBNsY2A/fpP4rTeoxrbcBSvMkq97iY5rwyw4wXZVZXLiDaCj23s8POoxTk1ClqUJZJQ5x2" | 33 | "v=DKIM1;k=rsa;p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAq3cCKlk+VPhyAanLZTM0BCzUT/+fmxHioZcFk0uJk1akBYj7BRofR7eVNcLKpm3rwYMQgE+9vJH9p8SV6tws9EcWc8SMCqqGZlREYM7PmLDiTSK/vjCzkygfgFCb0EBNsY2A/fpP4rTeoxrbcBSvMkq97iY5rwyw4wXZVZXLiDaCj23s8POoxTk1ClqUJZJQ5x2" |
diff --git a/hosts/surtr/ruleset.nft b/hosts/surtr/ruleset.nft index 132360b9..9d6fd373 100644 --- a/hosts/surtr/ruleset.nft +++ b/hosts/surtr/ruleset.nft | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | define icmp_protos = { ipv6-icmp, icmp, igmp } | 1 | define icmp_protos = {ipv6-icmp, icmp, igmp} |
| 2 | 2 | ||
| 3 | table arp filter { | 3 | table arp filter { |
| 4 | limit lim_arp { | 4 | limit lim_arp { |
| @@ -44,12 +44,16 @@ table inet filter { | |||
| 44 | 44 | ||
| 45 | iifname lo counter accept | 45 | iifname lo counter accept |
| 46 | 46 | ||
| 47 | meta l4proto $icmp_protos iifname yggdrasil oifname ens3 limit name lim_icmp counter drop | 47 | meta l4proto $icmp_protos iifname {yggdrasil, bifrost} oifname ens3 limit name lim_icmp counter drop |
| 48 | meta l4proto $icmp_protos iifname yggdrasil oifname ens3 counter accept | 48 | meta l4proto $icmp_protos iifname {yggdrasil, bifrost} oifname ens3 counter accept |
| 49 | meta l4proto $icmp_protos ct state {established, related} limit name lim_icmp counter drop | 49 | meta l4proto $icmp_protos ct state {established, related} limit name lim_icmp counter drop |
| 50 | meta l4proto $icmp_protos ct state {established, related} counter accept | 50 | meta l4proto $icmp_protos ct state {established, related} counter accept |
| 51 | 51 | ||
| 52 | 52 | ||
| 53 | oifname bifrost counter accept | ||
| 54 | iifname bifrost oifname ens3 counter accept | ||
| 55 | |||
| 56 | |||
| 53 | limit name lim_reject log prefix "drop forward: " counter drop | 57 | limit name lim_reject log prefix "drop forward: " counter drop |
| 54 | log prefix "reject forward: " counter | 58 | log prefix "reject forward: " counter |
| 55 | meta l4proto tcp ct state new counter reject with tcp reset | 59 | meta l4proto tcp ct state new counter reject with tcp reset |
| @@ -78,13 +82,13 @@ table inet filter { | |||
| 78 | udp dport 60001-61000 counter accept | 82 | udp dport 60001-61000 counter accept |
| 79 | 83 | ||
| 80 | meta protocol ip udp dport 51820 counter accept | 84 | meta protocol ip udp dport 51820 counter accept |
| 81 | meta protocol ip6 udp dport 51821 counter accept | 85 | meta protocol ip6 udp dport {51821, 51822} counter accept |
| 82 | iifname "yggdrasil-wg-*" meta l4proto gre counter accept | 86 | iifname "yggdrasil-wg-*" meta l4proto gre counter accept |
| 83 | 87 | ||
| 84 | tcp dport 53 counter accept | 88 | tcp dport 53 counter accept |
| 85 | udp dport 53 counter accept | 89 | udp dport 53 counter accept |
| 86 | 90 | ||
| 87 | tcp dport { 80, 443 } counter accept | 91 | tcp dport {80, 443} counter accept |
| 88 | 92 | ||
| 89 | ct state {established, related} counter accept | 93 | ct state {established, related} counter accept |
| 90 | 94 | ||
diff --git a/hosts/vidhar/borg.nix b/hosts/vidhar/borg.nix new file mode 100644 index 00000000..0a0b37a5 --- /dev/null +++ b/hosts/vidhar/borg.nix | |||
| @@ -0,0 +1,12 @@ | |||
| 1 | { ... }: | ||
| 2 | { | ||
| 3 | config = { | ||
| 4 | users.users.borg = { | ||
| 5 | isSystemUser = true; | ||
| 6 | createHome = false; | ||
| 7 | group = "borg"; | ||
| 8 | extraGroups = [ "ssh" ]; | ||
| 9 | }; | ||
| 10 | users.groups."borg" = {}; | ||
| 11 | }; | ||
| 12 | } | ||
diff --git a/hosts/vidhar/default.nix b/hosts/vidhar/default.nix index b647e472..09ae1e1e 100644 --- a/hosts/vidhar/default.nix +++ b/hosts/vidhar/default.nix | |||
| @@ -1,7 +1,7 @@ | |||
| 1 | { hostName, flake, config, pkgs, lib, ... }: | 1 | { hostName, flake, config, pkgs, lib, ... }: |
| 2 | { | 2 | { |
| 3 | imports = with flake.nixosModules.systemProfiles; [ | 3 | imports = with flake.nixosModules.systemProfiles; [ |
| 4 | ./zfs.nix ./network ./samba.nix ./dns.nix ./prometheus | 4 | ./zfs.nix ./network ./samba.nix ./dns.nix ./prometheus ./borg.nix |
| 5 | initrd-all-crypto-modules default-locale openssh rebuild-machines | 5 | initrd-all-crypto-modules default-locale openssh rebuild-machines |
| 6 | build-server | 6 | build-server |
| 7 | initrd-ssh | 7 | initrd-ssh |
diff --git a/hosts/vidhar/network/bifrost/default.nix b/hosts/vidhar/network/bifrost/default.nix new file mode 100644 index 00000000..40666f59 --- /dev/null +++ b/hosts/vidhar/network/bifrost/default.nix | |||
| @@ -0,0 +1,82 @@ | |||
| 1 | { config, lib, ... }: | ||
| 2 | |||
| 3 | with lib; | ||
| 4 | |||
| 5 | let | ||
| 6 | trim = str: if hasSuffix "\n" str then trim (removeSuffix "\n" str) else str; | ||
| 7 | in { | ||
| 8 | config = { | ||
| 9 | systemd.network = { | ||
| 10 | netdevs = { | ||
| 11 | bifrost = { | ||
| 12 | netdevConfig = { | ||
| 13 | Name = "bifrost"; | ||
| 14 | Kind = "wireguard"; | ||
| 15 | }; | ||
| 16 | wireguardConfig = { | ||
| 17 | PrivateKeyFile = config.sops.secrets.bifrost.path; | ||
| 18 | ListenPort = 51822; | ||
| 19 | }; | ||
| 20 | wireguardPeers = [ | ||
| 21 | { wireguardPeerConfig = { | ||
| 22 | AllowedIPs = [ "2a03:4000:52:ada:4::/96" ]; | ||
| 23 | PublicKey = trim (readFile ../../../surtr/bifrost/surtr.pub); | ||
| 24 | PersistentKeepalive = 5; | ||
| 25 | Endpoint = "2a03:4000:52:ada:::51822"; | ||
| 26 | }; | ||
| 27 | } | ||
| 28 | ]; | ||
| 29 | }; | ||
| 30 | }; | ||
| 31 | networks = { | ||
| 32 | bifrost = { | ||
| 33 | name = "bifrost"; | ||
| 34 | matchConfig = { | ||
| 35 | Name = "bifrost"; | ||
| 36 | }; | ||
| 37 | address = ["2a03:4000:52:ada:4:1::/96"]; | ||
| 38 | routes = [ | ||
| 39 | { routeConfig = { | ||
| 40 | Destination = "2a03:4000:52:ada:4::/80"; | ||
| 41 | }; | ||
| 42 | } | ||
| 43 | { routeConfig ={ | ||
| 44 | Gateway = "2a03:4000:52:ada:4::"; | ||
| 45 | GatewayOnLink = true; | ||
| 46 | Table = "bifrost"; | ||
| 47 | }; | ||
| 48 | } | ||
| 49 | ]; | ||
| 50 | routingPolicyRules = [ | ||
| 51 | { routingPolicyRuleConfig = { | ||
| 52 | Table = "bifrost"; | ||
| 53 | From = "2a03:4000:52:ada:4:1::/96"; | ||
| 54 | Priority = 200; | ||
| 55 | }; | ||
| 56 | } | ||
| 57 | ]; | ||
| 58 | linkConfig = { | ||
| 59 | RequiredForOnline = false; | ||
| 60 | }; | ||
| 61 | networkConfig = { | ||
| 62 | LLMNR = false; | ||
| 63 | MulticastDNS = false; | ||
| 64 | }; | ||
| 65 | }; | ||
| 66 | }; | ||
| 67 | }; | ||
| 68 | sops.secrets.bifrost = { | ||
| 69 | format = "binary"; | ||
| 70 | sopsFile = ./vidhar.priv; | ||
| 71 | mode = "0640"; | ||
| 72 | owner = "root"; | ||
| 73 | group = "systemd-network"; | ||
| 74 | }; | ||
| 75 | environment.etc."systemd/networkd.conf" = { | ||
| 76 | text = '' | ||
| 77 | [Network] | ||
| 78 | RouteTable=bifrost:1026 | ||
| 79 | ''; | ||
| 80 | }; | ||
| 81 | }; | ||
| 82 | } | ||
diff --git a/hosts/vidhar/network/bifrost/vidhar.priv b/hosts/vidhar/network/bifrost/vidhar.priv new file mode 100644 index 00000000..273e9ba7 --- /dev/null +++ b/hosts/vidhar/network/bifrost/vidhar.priv | |||
| @@ -0,0 +1,26 @@ | |||
| 1 | { | ||
| 2 | "data": "ENC[AES256_GCM,data:BSnTkjcVap00po3wV+hSXAi3BMDqwlW+PmhHAecVOl7RFxRAdqVLjIctkmDh,iv:CxKBDo81u1RegSq2lKRwRMlyNINyX3DxoFSqT97e5fM=,tag:Akdav4XxLeQnz2xFMjQ3yw==,type:str]", | ||
| 3 | "sops": { | ||
| 4 | "kms": null, | ||
| 5 | "gcp_kms": null, | ||
| 6 | "azure_kv": null, | ||
| 7 | "hc_vault": null, | ||
| 8 | "age": null, | ||
| 9 | "lastmodified": "2022-02-06T16:09:08Z", | ||
| 10 | "mac": "ENC[AES256_GCM,data:SXCQKrqkOoXlm8Mrs7UZ1CGJe/HnHhvNCuGpt8yhsnchWICfGGWEIrh99TrKkia2X1inoElwXQYYPfyKHFshLaoNjH2GduR287OXluxZs+Thnm1Fnq6oZUBO9mDDUlykZAB3Mjm4WmUnirKB87Q6DFtTRZjh26amt3oC6GwnEfE=,iv:NtPsuStBnJuVfnlbxunL9PxbPdlYktJtV+MYSa53Oc8=,tag:HKJayT/YNP8PJ/ZIlKdQSg==,type:str]", | ||
| 11 | "pgp": [ | ||
| 12 | { | ||
| 13 | "created_at": "2022-02-06T16:09:08Z", | ||
| 14 | "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DbYDvGI0HDr0SAQdAnjYlc0bHToon5ayDJk+08sRPPEww8MBOprZZswYU1V8w\n5+QzHJXtSbb4lEwKwdwxkkSg1wBiW+kwrV2L2yyYOvoMhWKQsntjQuzaK7I1Kjix\n0l4BOIcMVJEyJk49CEQQyFlqmgJrh9L/dMhl1D7pD842GcpGFxlB7OHRXsLo9axj\nFAuLUc35LyVgnHd2InqDwG0JKiySdI7fN3dXWiD5H3feoCDisBZvaH/5DlufdIl7\n=sLA+\n-----END PGP MESSAGE-----\n", | ||
| 15 | "fp": "A1C7C95E6CAF0A965CB47277BCF50A89C1B1F362" | ||
| 16 | }, | ||
| 17 | { | ||
| 18 | "created_at": "2022-02-06T16:09:08Z", | ||
| 19 | "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAeG22AYCyEYq1Fvqj853ZE7oeuOWOrpDOXiAvnSl83EUw\nofhjhoZ9nMyZlsy+nD06hIvaYdcFeAuSV8iHwANAjarmKlnKicT7b7mBCkOjMJDX\n0l4BAox2QUqhcYbGUKT+/Ei7RXYMP8ht1N+iisBVnzN055VrGQhvDadpcpVzQGKH\n8Hbmmdi9O2PQWRYnvRK+0I7GJFiC4Q36Kzf8X9MojMhb/GIwiBKCU0ZK2BLM9FtA\n=WbKA\n-----END PGP MESSAGE-----\n", | ||
| 20 | "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51" | ||
| 21 | } | ||
| 22 | ], | ||
| 23 | "unencrypted_suffix": "_unencrypted", | ||
| 24 | "version": "3.7.1" | ||
| 25 | } | ||
| 26 | } \ No newline at end of file | ||
diff --git a/hosts/vidhar/network/bifrost/vidhar.pub b/hosts/vidhar/network/bifrost/vidhar.pub new file mode 100644 index 00000000..ef05f832 --- /dev/null +++ b/hosts/vidhar/network/bifrost/vidhar.pub | |||
| @@ -0,0 +1 @@ | |||
| moESFbO3qUTuoOv6lbzSLrNYSjHkM5hyvAs5XZtQzRA= | |||
diff --git a/hosts/vidhar/network/default.nix b/hosts/vidhar/network/default.nix index a1d1b172..e8c5ba9c 100644 --- a/hosts/vidhar/network/default.nix +++ b/hosts/vidhar/network/default.nix | |||
| @@ -1,6 +1,6 @@ | |||
| 1 | { config, lib, pkgs, ... }: | 1 | { config, lib, pkgs, ... }: |
| 2 | { | 2 | { |
| 3 | imports = [ ./dsl.nix ]; | 3 | imports = [ ./dsl.nix ./bifrost ]; |
| 4 | 4 | ||
| 5 | config = { | 5 | config = { |
| 6 | networking = { | 6 | networking = { |
diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft index 4914777d..caa4863b 100644 --- a/hosts/vidhar/network/ruleset.nft +++ b/hosts/vidhar/network/ruleset.nft | |||
| @@ -162,8 +162,8 @@ table inet filter { | |||
| 162 | iifname != dsl meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-rx drop | 162 | iifname != dsl meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-rx drop |
| 163 | meta l4proto $icmp_protos counter name icmp-rx accept | 163 | meta l4proto $icmp_protos counter name icmp-rx accept |
| 164 | 164 | ||
| 165 | iifname { lan, mgmt, dsl, yggdrasil } tcp dport 22 counter name ssh-rx accept | 165 | iifname { lan, mgmt, dsl, yggdrasil, bifrost } tcp dport 22 counter name ssh-rx accept |
| 166 | iifname { lan, mgmt, dsl, yggdrasil } udp dport 60001-61000 counter name mosh-rx accept | 166 | iifname { lan, mgmt, dsl, yggdrasil, bifrost } udp dport 60001-61000 counter name mosh-rx accept |
| 167 | 167 | ||
| 168 | iifname { lan, mgmt, dmz01 } tcp dport 53 counter name dns-rx accept | 168 | iifname { lan, mgmt, dmz01 } tcp dport 53 counter name dns-rx accept |
| 169 | iifname { lan, mgmt, dmz01 } udp dport 53 counter name dns-rx accept | 169 | iifname { lan, mgmt, dmz01 } udp dport 53 counter name dns-rx accept |
diff --git a/modules/yggdrasil-wg/default.nix b/modules/yggdrasil-wg/default.nix index 2180711d..82002a05 100644 --- a/modules/yggdrasil-wg/default.nix +++ b/modules/yggdrasil-wg/default.nix | |||
| @@ -95,7 +95,7 @@ let | |||
| 95 | let | 95 | let |
| 96 | other = if thisHost from then to else from; | 96 | other = if thisHost from then to else from; |
| 97 | in { | 97 | in { |
| 98 | AllowedIPs = if elem other routers then ["0.0.0.0/0" "::/0"] else wgHostIPs.${family}.${other}; | 98 | AllowedIPs = if elem other routers then ["::/0"] else wgHostIPs.${family}.${other}; |
| 99 | PublicKey = trim (readFile (mkPublicKeyPath family other)); | 99 | PublicKey = trim (readFile (mkPublicKeyPath family other)); |
| 100 | } // (optionalAttrs (thisHost from) (linkCfgFilterCustom opts // linkMkEndpointCfg family opts)); | 100 | } // (optionalAttrs (thisHost from) (linkCfgFilterCustom opts // linkMkEndpointCfg family opts)); |
| 101 | linkCfgFilterCustom = filterAttrs (n: _v: !(elem n ["from" "to" "endpointHost"])); | 101 | linkCfgFilterCustom = filterAttrs (n: _v: !(elem n ["from" "to" "endpointHost"])); |