Diffstat (limited to 'hosts/vidhar/printing')
-rw-r--r--hosts/vidhar/printing/default.nix170
-rw-r--r--hosts/vidhar/printing/ruleset.nft191
2 files changed, 0 insertions, 361 deletions
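--- a/hosts/vidhar/printing/default.nix
+++ /dev/null
@@ -1,170 +0,0 @@
-{ config, lib, ... }:
-
-with lib;
-
-let
- containerConfig = config.containers.printing.config;
-in {
- config = {
- containers.printing = {
- privateNetwork = true;
- ephemeral = true;
- autoStart = true;
- hostAddress = "10.141.5.0";
- hostAddress6 = "2a03:4000:52:ada:5::";
- localAddress = "10.141.5.1";
- localAddress6 = "2a03:4000:52:ada:5::1";
- interfaces = [ "printer" ];
- config = let
- hostConfig = config;
- in { ... }: {
- config = {
- services = {
- kea = {
- dhcp4 = {
- enable = true;
- settings = {
- valid-lifetime = 4000;
- rebind-timer = 2000;
- renew-timer = 1000;
-
- interfaces-config = {
- interfaces = [ "printer" ];
- };
-
- lease-database = {
- name = "/var/lib/kea/dhcp4.leases";
- persist = true;
- type = "memfile";
- };
-
- subnet4 = [
- { subnet = "10.141.3.0/24";
- option-data = [
- { name = "domain-name-servers";
- data = "10.141.5.0";
- }
- { name = "ntp-servers";
- data = "10.141.5.0";
- }
- { name = "broadcast-address";
- data = "10.141.3.255";
- }
- { name = "routers";
- data = "10.141.3.1";
- }
- { name = "domain-name";
- data = "yggdrasil";
- }
- { name = "domain-search";
- data = "printer.yggdrasil, yggdrasil";
- }
- ];
- pools = [ { pool = "10.141.3.128 - 10.141.3.254"; } ];
- reservations = [
- { hostname = "printer";
- hw-address = "30:cd:a7:b0:55:8d";
- ip-address = "10.141.3.2";
- }
- ];
- }
- ];
- };
- };
- };
-
- printing = {
- enable = true;
- listenAddresses = [
- "*:631"
- ];
- logLevel = "all";
- extraConf = mkForce ''
- ServerName printing
- ServerAlias 10.141.5.1 2a03:4000:52:ada:5::1 printing.vidhar.yggdrasil printing.vidhar.lan.yggdrasil
-
- DefaultEncryption Never
-
- <Location />
- Order allow,deny
- Allow from 10.0.0.0/8
- Satisfy any
- </Location>
-
- <Location /admin>
- Order allow,deny
- Allow from 10.0.0.0/8
- Satisfy any
- </Location>
-
- <Location /admin/conf>
- Order allow,deny
- Allow from 10.0.0.0/8
- Satisfy any
- </Location>
-
- <Policy default>
- <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job>
- Order allow,deny
- Allow from 10.0.0.0/8
- Satisfy any
- </Limit>
-
- <Limit Pause-Printer Resume-Printer Set-Printer-Attributes Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Add-Printer CUPS-Delete-Printer CUPS-Add-Class CUPS-Delete-Class CUPS-Accept-Jobs CUPS-Reject-Jobs CUPS-Set-Default>
- Order allow,deny
- Allow from 10.0.0.0/8
- Satisfy any
- </Limit>
-
- <Limit Cancel-Job CUPS-Authenticate-Job>
- Order allow,deny
- Allow from 10.0.0.0/8
- Satisfy any
- </Limit>
-
- <Limit All>
- Order allow,deny
- Allow from 10.0.0.0/8
- Satisfy any
- </Limit>
- </Policy>
- '';
- };
-
- resolved.enable = false;
- };
-
- networking = {
- firewall.enable = false;
- nftables = {
- enable = true;
- rulesetFile = ./ruleset.nft;
- };
-
- useDHCP = false;
- useNetworkd = true;
-
- interfaces."printer" = {
- ipv4.addresses = [
- { address = "10.141.3.1"; prefixLength = 24; }
- ];
- };
- };
-
- environment.etc."resolv.conf".text = ''
- nameserver ${hostConfig.containers.printing.hostAddress6}
- '';
-
- system.stateVersion = hostConfig.system.stateVersion;
- };
- };
- };
-
- networking = {
- vlans.printer = {
- id = 5;
- interface = "eno2";
- };
- };
- };
-}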
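--- a/hosts/vidhar/printing/ruleset.nft
+++ /dev/null
@@ -1,191 +0,0 @@
-define icmp_protos = {ipv6-icmp, icmp, igmp}
-
-table arp filter {
- limit lim_arp {
- rate over 50 mbytes/second burst 50 mbytes
- }
-
- counter arp-rx {}
- counter arp-tx {}
-
- counter arp-ratelimit-rx {}
- counter arp-ratelimit-tx {}
-
- chain input {
- type filter hook input priority filter
- policy accept
-
- limit name lim_arp counter name arp-ratelimit-rx drop
-
- counter name arp-rx
- }
-
- chain output {
- type filter hook output priority filter
- policy accept
-
- limit name lim_arp counter name arp-ratelimit-tx drop
-
- counter name arp-tx
- }
-}
-
-table inet filter {
- limit lim_reject {
- rate over 1000/second burst 1000 packets
- }
-
- limit lim_icmp {
- rate over 50 mbytes/second burst 50 mbytes
- }
-
- counter invalid-fw {}
- counter fw-lo {}
- counter fw-printer {}
- counter fw-host {}
-
- counter icmp-fw {}
- counter icmp-ratelimit-fw {}
-
- counter reject-ratelimit-fw {}
- counter reject-fw {}
- counter reject-tcp-fw {}
- counter reject-icmp-fw {}
-
- counter drop-fw {}
-
- counter invalid-rx {}
-
- counter rx-lo {}
- counter invalid-local4-rx {}
- counter invalid-local6-rx {}
-
- counter icmp-ratelimit-rx {}
- counter icmp-rx {}
-
- counter dhcp-rx {}
- counter cups-rx {}
-
- counter established-rx {}
-
- counter reject-ratelimit-rx {}
- counter reject-rx {}
- counter reject-tcp-rx {}
- counter reject-icmp-rx {}
-
- counter drop-rx {}
-
- counter tx-lo {}
-
- counter icmp-ratelimit-tx {}
- counter icmp-tx {}
-
- counter cups-tx {}
- counter dhcp-tx {}
-
- counter tx {}
-
- chain forward {
- type filter hook forward priority filter
- policy drop
-
-
- ct state invalid log level debug prefix "drop invalid forward: " counter name invalid-fw drop
-
-
- iifname lo counter name fw-lo accept
-
-
- meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-fw drop
- meta l4proto $icmp_protos counter name icmp-fw accept
-
-
- iifname printer oifname eth0 ip daddr 10.141.5.0 meta l4proto . th dport { tcp . 53, udp . 53, udp . 123 } counter name fw-printer accept
- iifname printer oifname eth0 ip6 daddr 2a03:4000:52:ada:5:: meta l4proto . th dport { tcp . 53, udp . 53, udp . 123 } counter name fw-printer accept
- iifname eth0 oifname printer counter name fw-host accept
-
-
- limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop
- log level debug prefix "reject forward: " counter name reject-fw
- meta l4proto tcp ct state new counter name reject-tcp-fw reject with tcp reset
- ct state new counter name reject-icmp-fw reject
-
-
- counter name drop-fw
- }
-
- chain input {
- type filter hook input priority filter
- policy drop
-
-
- ct state invalid log level debug prefix "drop invalid input: " counter name invalid-rx drop
-
-
- iifname lo counter name rx-lo accept
- iif != lo ip daddr 127.0.0.1/8 counter name invalid-local4-rx reject
- iif != lo ip6 daddr ::1/128 counter name invalid-local6-rx reject
-
- meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-rx drop
- meta l4proto $icmp_protos counter name icmp-rx accept
-
-
- tcp dport 631 counter name cups-rx accept
-
- iifname printer udp dport 67 counter name dhcp-rx accept
-
- ct state {established, related} counter name established-rx accept
-
-
- limit name lim_reject log level debug prefix "drop input: " counter name reject-ratelimit-rx drop
- log level debug prefix "reject input: " counter name reject-rx
- meta l4proto tcp ct state new counter name reject-tcp-rx reject with tcp reset
- ct state new counter name reject-icmp-rx reject
-
-
- counter name drop-rx
- }
-
- chain output {
- type filter hook output priority filter
- policy accept
-
-
- oifname lo counter name tx-lo accept
-
- meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-tx drop
- meta l4proto $icmp_protos counter name icmp-tx accept
-
-
- tcp sport 631 counter name cups-tx accept
-
- udp sport 67 counter name dhcp-tx accept
-
-
- counter name tx
- }
-}
-
-table ip nat {
- counter host-nat {}
-
- chain postrouting {
- type nat hook postrouting priority srcnat
- policy accept
-
-
- oifname eth0 counter name host-nat masquerade
- }
-}
-
-table ip mss_clamp {
- counter host-mss-clamp {}
-
- chain postrouting {
- type filter hook postrouting priority mangle
- policy accept
-
-
- oifname eth0 tcp flags & (syn|rst) == syn counter name host-mss-clamp tcp option maxseg size set rt mtu
- }
-}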