From 3206ce36cb1232e176715973c9bd443fd462b54b Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sun, 5 Mar 2023 13:15:33 +0100
Subject: vidhar: remove printing
---
 hosts/vidhar/default.nix | 2 +-
 hosts/vidhar/dns/default.nix | 6 +-
 hosts/vidhar/dns/zones/arpa.in-addr.10.141.soa | 6 +-
 ...ip6.2.a.0.3.4.0.0.0.0.0.5.2.0.a.d.a.0.0.0.1.soa | 4 +-
 hosts/vidhar/dns/zones/yggdrasil.soa | 7 +-
 hosts/vidhar/network/ruleset.nft | 18 +-
 hosts/vidhar/printing/default.nix | 170 ------------------
 hosts/vidhar/printing/ruleset.nft | 191 ---------------------
 hosts/vidhar/samba.nix | 15 +-
 9 files changed, 13 insertions(+), 406 deletions(-)
 delete mode 100644 hosts/vidhar/printing/default.nix
 delete mode 100644 hosts/vidhar/printing/ruleset.nft
diff --git a/hosts/vidhar/default.nix b/hosts/vidhar/default.nix
index 5c70c669..d064e3da 100644
--- a/hosts/vidhar/default.nix
+++ b/hosts/vidhar/default.nix
@@ -4,7 +4,7 @@ with lib;
 { imports = with flake.nixosModules.systemProfiles; [
- ./zfs.nix ./network ./samba.nix ./dns ./prometheus ./borg ./pgbackrest ./printing
+ ./zfs.nix ./network ./samba.nix ./dns ./prometheus ./borg ./pgbackrest
 tmpfs-root zfs initrd-all-crypto-modules default-locale openssh rebuild-machines build-server
diff --git a/hosts/vidhar/dns/default.nix b/hosts/vidhar/dns/default.nix
index f942b3f9..ade884e7 100644
--- a/hosts/vidhar/dns/default.nix
+++ b/hosts/vidhar/dns/default.nix
@@ -20,7 +20,7 @@ in {
 enableRootTrustAnchor = false;
 settings = {
 server = {
- interface = ["lo" "lan" "ve-printing"];
+ interface = ["lo" "lan"];
 prefer-ip6 = true;
 access-control = ["0.0.0.0/0 allow" "::/0 allow"];
 root-hints = "${pkgs.dns-root-data}/root.hints";
@@ -79,10 +79,6 @@ in {
 };
 };
- systemd.services.unbound = {
- after = [ "container@printinp.service" ];
- };
-
 systemd.services.knot = {
 unitConfig.RequiresMountsFor = [ "/var/lib/knot" ];
 serviceConfig.LoadCredential = map ({name, ...}: "${name}.yaml:${config.sops.secrets.${name}.path}") knotKeys;
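Review bot: The unbound `access-control` on the line right after the changed `interface` list still allows `0.0.0.0/0` and `::/0`, so once `ve-printing` is gone the only things keeping this resolver from answering arbitrary clients are the bind to `lo`/`lan` and the nft `dns-rx` rule in the ruleset hunk further down. Narrowing it to the LAN prefixes, e.g. `access-control = [ "<lan-v4-prefix> allow" "<lan-v6-prefix> allow" ];`, and letting everything else fall back to unbound's default refuse means a later interface or firewall change cannot silently turn it into an open resolver. The `settings.server` attribute set continues outside the hunk.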
diff --git a/hosts/vidhar/dns/zones/arpa.in-addr.10.141.soa b/hosts/vidhar/dns/zones/arpa.in-addr.10.141.soa
index b23f6fd4..6074296e 100644
--- a/hosts/vidhar/dns/zones/arpa.in-addr.10.141.soa
+++ b/hosts/vidhar/dns/zones/arpa.in-addr.10.141.soa
@@ -1,7 +1,7 @@
 $ORIGIN 141.10.in-addr.arpa.
 $TTL 300
 @ IN SOA vidhar.lan.yggdrasil. hostmaster.yggdrasil.li (
- 2023030500 ; serial
+ 2023030501 ; serial
 300 ; refresh
 300 ; retry
 300 ; expire
@@ -15,7 +15,3 @@ $TTL 300
 1.1 IN PTR vidhar.mgmt.yggdrasil.
 2.1 IN PTR switch01.mgmt.yggdrasil.
 4.1 IN PTR ap01.mgmt.yggdrasil.
-
-3.2 IN PTR printer.printer.yggdrasil.
-
-1.5 IN PTR printing.vidhar.lan.yggdrasil.
diff --git a/hosts/vidhar/dns/zones/arpa.ip6.2.a.0.3.4.0.0.0.0.0.5.2.0.a.d.a.0.0.0.1.soa b/hosts/vidhar/dns/zones/arpa.ip6.2.a.0.3.4.0.0.0.0.0.5.2.0.a.d.a.0.0.0.1.soa
index 39d59939..2d94b1e1 100644
--- a/hosts/vidhar/dns/zones/arpa.ip6.2.a.0.3.4.0.0.0.0.0.5.2.0.a.d.a.0.0.0.1.soa
+++ b/hosts/vidhar/dns/zones/arpa.ip6.2.a.0.3.4.0.0.0.0.0.5.2.0.a.d.a.0.0.0.1.soa
@@ -1,7 +1,7 @@
 $ORIGIN 1.0.0.0.a.d.a.0.2.5.0.0.0.0.0.4.3.0.a.2.ip6.arpa.
 $TTL 300
 @ IN SOA vidhar.lan.yggdrasil. hostmaster.yggdrasil.li (
- 2023030500 ; serial
+ 2023030501 ; serial
 300 ; refresh
 300 ; retry
 300 ; expire
@@ -13,5 +13,3 @@ $TTL 300
 0.0.0.0.0.0.0.0.0.0.0.0 IN PTR surtr.yggdrasil.
 0.0.0.0.0.0.0.0.0.0.0.1 IN PTR vidhar.yggdrasil.
 0.0.0.0.0.0.0.0.0.0.0.2 IN PTR sif.yggdrasil.
-
-0.0.0.0.0.5.0.0.0.0.0.1 IN PTR printing.vidhar.yggdrasil.
diff --git a/hosts/vidhar/dns/zones/yggdrasil.soa b/hosts/vidhar/dns/zones/yggdrasil.soa
index e2b1a61b..f679b741 100644
--- a/hosts/vidhar/dns/zones/yggdrasil.soa
+++ b/hosts/vidhar/dns/zones/yggdrasil.soa
@@ -1,7 +1,7 @@
 $ORIGIN yggdrasil.
 $TTL 300
 @ IN SOA vidhar.yggdrasil. hostmaster.yggdrasil.li (
- 2023030500 ; serial
+ 2023030501 ; serial
 300 ; refresh
 300 ; retry
 300 ; expire
@@ -28,8 +28,3 @@ vidhar.mgmt IN A 10.141.1.1
 switch01.mgmt IN A 10.141.1.2
 dsl01.mgmt IN A 10.141.1.3
 ap01.mgmt IN A 10.141.1.4
-
-printer.printer IN A 10.141.3.2
-
-printing.vidhar.lan IN A 10.141.5.1
-printing.vidhar IN AAAA 2a03:4000:52:ada:5::1
diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft
index 2080cf64..833013e9 100644
--- a/hosts/vidhar/network/ruleset.nft
+++ b/hosts/vidhar/network/ruleset.nft
@@ -59,7 +59,6 @@ table inet filter {
 counter fw-lo {}
 counter fw-lan {}
 counter fw-dsl {}
- counter fw-printing {}
 counter fw-cups {}
@@ -140,16 +139,9 @@ table inet filter {
 iifname lo counter name fw-lo accept
- oifname { lan, dsl, bifrost, ve-printing } meta l4proto $icmp_protos jump forward_icmp_accept
+ oifname { lan, dsl, bifrost } meta l4proto $icmp_protos jump forward_icmp_accept
 iifname lan oifname { dsl, bifrost } counter name fw-lan accept
- iifname lan oifname ve-printing ip daddr 10.141.5.1 tcp dport 631 counter name fw-cups accept
- iifname lan oifname ve-printing ip6 daddr 2a03:4000:52:ada:5::1 tcp dport 631 counter name fw-cups accept
-
- # iifname ve-printing oifname dsl meta l4proto . th dport { tcp . 80, tcp . 443 } counter name fw-printing accept
- # iifname dsl oifname ve-printing ct state { established, related } counter name fw-dsl accept
-
- iifname ve-printing oifname lan ct state { established, related } counter name fw-printing accept
 iifname dsl oifname lan ct state { established, related } counter name fw-dsl accept
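Review bot: `counter fw-cups {}` in the `@@ -59,7 +59,6 @@` hunk is kept while the `@@ -140,16 +139,9 @@` hunk removes both rules that referenced it (`... tcp dport 631 counter name fw-cups accept`), so it becomes an unreferenced named counter that will always read zero. nft loads an unused named counter without complaint, but a dead counter invites the next reader to assume CUPS traffic is still being accounted for somewhere in the ruleset. Delete the declaration together with `fw-printing`, or, if it is kept on purpose, mark it `# unused: printing container removed` so the zero reading is not mistaken for a monitoring gap. The `table inet filter` block and the `forward` chain continue outside the hunks.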
@@ -178,7 +170,7 @@ table inet filter {
 iifname { lan, mgmt, dsl, yggdrasil, bifrost } tcp dport 22 counter name ssh-rx accept
 iifname { lan, mgmt, dsl, yggdrasil, bifrost } udp dport 60000-61000 counter name mosh-rx accept
- iifname { lan, mgmt, wifibh, yggdrasil, ve-printing } meta l4proto { tcp, udp } th dport 53 counter name dns-rx accept
+ iifname { lan, mgmt, wifibh, yggdrasil } meta l4proto { tcp, udp } th dport 53 counter name dns-rx accept
 iifname { lan, yggdrasil } tcp dport 2049 counter name nfs-rx accept
@@ -188,7 +180,7 @@ table inet filter {
 iifname dsl meta protocol ip6 udp dport 546 udp sport 547 counter name ipv6-pd-rx accept
- iifname { mgmt, ve-printing } udp dport 123 counter name ntp-rx accept
+ iifname mgmt udp dport 123 counter name ntp-rx accept
 iifname { lan, mgmt, wifibh } udp dport 67 counter name dhcp-rx accept
@@ -255,7 +247,7 @@ table inet filter {
 table inet nat {
 counter dsl-nat {}
- counter container-nat {}
+ # counter container-nat {}
 chain postrouting {
 type nat hook postrouting priority srcnat
@@ -263,7 +255,7 @@ table inet nat {
 meta nfproto ipv4 oifname dsl counter name dsl-nat masquerade
- iifname ve-* oifname dsl counter name container-nat masquerade
+ # iifname ve-* oifname dsl counter name container-nat masquerade
 }
 }
diff --git a/hosts/vidhar/printing/default.nix b/hosts/vidhar/printing/default.nix
deleted file mode 100644
index 55c55b37..00000000
--- a/hosts/vidhar/printing/default.nix
+++ /dev/null
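Review bot: The two `nat` hunks (`@@ -255,7 +247,7 @@` and `@@ -263,7 +255,7 @@`) comment out `counter container-nat {}` and the `iifname ve-* oifname dsl ... masquerade` rule instead of deleting them, while every other trace of the container in this commit is removed outright. Commented-out firewall rules are easily mistaken for configuration that was disabled by accident and tend to be re-enabled without a second look; git already keeps the history, so the two lines can simply go. If the wildcard masquerade is meant to come back with a future container, say so next to it, e.g. `# container NAT: no containers on this host at present; re-add per container when needed`, and note that a `ve-*` match would then cover every future container regardless of whether it should reach `dsl`, so a per-container rule is the tighter choice when that time comes. The enclosing `table inet nat` block continues outside the hunks.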
@@ -1,170 +0,0 @@ -{ config, lib, ... }: - -with lib; - -let - containerConfig = config.containers.printing.config; -in { - config = { - containers.printing = { - privateNetwork = true; - ephemeral = true; - autoStart = true; - hostAddress = "10.141.5.0"; - hostAddress6 = "2a03:4000:52:ada:5::"; - localAddress = "10.141.5.1"; - localAddress6 = "2a03:4000:52:ada:5::1"; - interfaces = [ "printer" ]; - config = let - hostConfig = config; - in { ... }: { - config = { - services = { - kea = { - dhcp4 = { - enable = true; - settings = { - valid-lifetime = 4000; - rebind-timer = 2000; - renew-timer = 1000; - - interfaces-config = { - interfaces = [ "printer" ]; - }; - - lease-database = { - name = "/var/lib/kea/dhcp4.leases"; - persist = true; - type = "memfile"; - }; - - subnet4 = [ - { subnet = "10.141.3.0/24"; - option-data = [ - { name = "domain-name-servers"; - data = "10.141.5.0"; - } - { name = "ntp-servers"; - data = "10.141.5.0"; - } - { name = "broadcast-address"; - data = "10.141.3.255"; - } - { name = "routers"; - data = "10.141.3.1"; - } - { name = "domain-name"; - data = "yggdrasil"; - } - { name = "domain-search"; - data = "printer.yggdrasil, yggdrasil"; - } - ]; - pools = [ { pool = "10.141.3.128 - 10.141.3.254"; } ]; - reservations = [ - { hostname = "printer"; - hw-address = "30:cd:a7:b0:55:8d"; - ip-address = "10.141.3.2"; - } - ]; - } - ]; - }; - }; - }; - - printing = { - enable = true; - listenAddresses = [ - "*:631" - ]; - logLevel = "all"; - extraConf = mkForce '' - ServerName printing - ServerAlias 10.141.5.1 2a03:4000:52:ada:5::1 printing.vidhar.yggdrasil printing.vidhar.lan.yggdrasil - - DefaultEncryption Never - - - Order allow,deny - Allow from 10.0.0.0/8 - Satisfy any - - - - Order allow,deny - Allow from 10.0.0.0/8 - Satisfy any - - - - Order allow,deny - Allow from 10.0.0.0/8 - Satisfy any - - - - - Order allow,deny - Allow from 10.0.0.0/8 - Satisfy any - - - - Order allow,deny - Allow from 10.0.0.0/8 - Satisfy any - - - - Order allow,deny 
- Allow from 10.0.0.0/8 - Satisfy any - - - - Order allow,deny - Allow from 10.0.0.0/8 - Satisfy any - - - ''; - }; - - resolved.enable = false; - }; - - networking = { - firewall.enable = false; - nftables = { - enable = true; - rulesetFile = ./ruleset.nft; - }; - - useDHCP = false; - useNetworkd = true; - - interfaces."printer" = { - ipv4.addresses = [ - { address = "10.141.3.1"; prefixLength = 24; } - ]; - }; - }; - - environment.etc."resolv.conf".text = '' - nameserver ${hostConfig.containers.printing.hostAddress6} - ''; - - system.stateVersion = hostConfig.system.stateVersion; - }; - }; - }; - - networking = { - vlans.printer = { - id = 5; - interface = "eno2"; - }; - }; - }; -} diff --git a/hosts/vidhar/printing/ruleset.nft b/hosts/vidhar/printing/ruleset.nft deleted file mode 100644 index edf8597d..00000000 --- a/hosts/vidhar/printing/ruleset.nft +++ /dev/null 
@@ -1,191 +0,0 @@ -define icmp_protos = {ipv6-icmp, icmp, igmp} - -table arp filter { - limit lim_arp { - rate over 50 mbytes/second burst 50 mbytes - } - - counter arp-rx {} - counter arp-tx {} - - counter arp-ratelimit-rx {} - counter arp-ratelimit-tx {} - - chain input { - type filter hook input priority filter - policy accept - - limit name lim_arp counter name arp-ratelimit-rx drop - - counter name arp-rx - } - - chain output { - type filter hook output priority filter - policy accept - - limit name lim_arp counter name arp-ratelimit-tx drop - - counter name arp-tx - } -} - -table inet filter { - limit lim_reject { - rate over 1000/second burst 1000 packets - } - - limit lim_icmp { - rate over 50 mbytes/second burst 50 mbytes - } - - counter invalid-fw {} - counter fw-lo {} - counter fw-printer {} - counter fw-host {} - - counter icmp-fw {} - counter icmp-ratelimit-fw {} - - counter reject-ratelimit-fw {} - counter reject-fw {} - counter reject-tcp-fw {} - counter reject-icmp-fw {} - - counter drop-fw {} - - counter invalid-rx {} - - counter rx-lo {} - counter invalid-local4-rx {} - counter invalid-local6-rx {} - - counter icmp-ratelimit-rx {} - counter icmp-rx {} - - counter dhcp-rx {} - counter cups-rx {} - - counter established-rx {} - - counter reject-ratelimit-rx {} - counter reject-rx {} - counter reject-tcp-rx {} - counter reject-icmp-rx {} - - counter drop-rx {} - - counter tx-lo {} - - counter icmp-ratelimit-tx {} - counter icmp-tx {} - - counter cups-tx {} - counter dhcp-tx {} - - counter tx {} - - chain forward { - type filter hook forward priority filter - policy drop - - - ct state invalid log level debug prefix "drop invalid forward: " counter name invalid-fw drop - - - iifname lo counter name fw-lo accept - - - meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-fw drop - meta l4proto $icmp_protos counter name icmp-fw accept - - - iifname printer oifname eth0 ip daddr 10.141.5.0 meta l4proto . th dport { tcp . 53, udp . 
53, udp . 123 } counter name fw-printer accept - iifname printer oifname eth0 ip6 daddr 2a03:4000:52:ada:5:: meta l4proto . th dport { tcp . 53, udp . 53, udp . 123 } counter name fw-printer accept - iifname eth0 oifname printer counter name fw-host accept - - - limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop - log level debug prefix "reject forward: " counter name reject-fw - meta l4proto tcp ct state new counter name reject-tcp-fw reject with tcp reset - ct state new counter name reject-icmp-fw reject - - - counter name drop-fw - } - - chain input { - type filter hook input priority filter - policy drop - - - ct state invalid log level debug prefix "drop invalid input: " counter name invalid-rx drop - - - iifname lo counter name rx-lo accept - iif != lo ip daddr 127.0.0.1/8 counter name invalid-local4-rx reject - iif != lo ip6 daddr ::1/128 counter name invalid-local6-rx reject - - meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-rx drop - meta l4proto $icmp_protos counter name icmp-rx accept - - - tcp dport 631 counter name cups-rx accept - - iifname printer udp dport 67 counter name dhcp-rx accept - - ct state {established, related} counter name established-rx accept - - - limit name lim_reject log level debug prefix "drop input: " counter name reject-ratelimit-rx drop - log level debug prefix "reject input: " counter name reject-rx - meta l4proto tcp ct state new counter name reject-tcp-rx reject with tcp reset - ct state new counter name reject-icmp-rx reject - - - counter name drop-rx - } - - chain output { - type filter hook output priority filter - policy accept - - - oifname lo counter name tx-lo accept - - meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-tx drop - meta l4proto $icmp_protos counter name icmp-tx accept - - - tcp sport 631 counter name cups-tx accept - - udp sport 67 counter name dhcp-tx accept - - - counter name tx - } -} - -table ip nat { 
- counter host-nat {}
-
- chain postrouting {
- type nat hook postrouting priority srcnat
- policy accept
-
-
- oifname eth0 counter name host-nat masquerade
- }
-}
-
-table ip mss_clamp {
- counter host-mss-clamp {}
-
- chain postrouting {
- type filter hook postrouting priority mangle
- policy accept
-
-
- oifname eth0 tcp flags & (syn|rst) == syn counter name host-mss-clamp tcp option maxseg size set rt mtu
- }
-}
diff --git a/hosts/vidhar/samba.nix b/hosts/vidhar/samba.nix
index cbe158a9..89d9f12e 100644
--- a/hosts/vidhar/samba.nix
+++ b/hosts/vidhar/samba.nix
@@ -4,28 +4,19 @@
 services.samba = {
 enable = true;
 securityType = "user";
- package = pkgs.samba4.override {
- enablePrinting = true;
- };
 extraConfig = ''
 domain master = yes
 workgroup = WORKGROUP
 load printers = no
- printing = cups
- cups server = 10.141.4.1
+ printing = bsd
+ printcap name = /dev/null
+ disable spoolss = yes
 guest account = nobody
 bind interfaces only = yes
 interfaces = lo lan
 server signing = mandatory
 server min protocol = SMB3
 server smb encrypt = required
-
- [printers]
- path = /srv/samba-printing
- browseable = yes
- printable = yes
- writable = no
- create mode = 0700
 '';
 shares = {
 homes = {
-- cgit v1.2.3
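Review bot: `printing = bsd`, `printcap name = /dev/null` and `disable spoolss = yes` are the right combination for switching printing off in Samba, but nothing in the hunk explains why three settings are needed next to the existing `load printers = no`, and a later maintainer could reasonably drop one of them as redundant. Add a comment inside the `extraConfig` string above the three lines, e.g. `# printing fully disabled: no printcap, no spoolss RPC, no [printers] share`, so that `disable spoolss`, the setting that actually removes the print-spooler RPC interface from what the server exposes, is visibly intentional rather than incidental cleanup. The `services.samba` attribute set continues past the hunk (`shares = { homes = {`).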