From 67657a453e654811ed5adf45a4c7aab32dc30274 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sun, 6 Feb 2022 17:19:58 +0100
Subject: bifrost: ...
---
hosts/surtr/bifrost/default.nix | 66 +++++++++++++++++++++++++
hosts/surtr/bifrost/surtr.priv | 26 ++++++++++
hosts/surtr/bifrost/surtr.pub | 1 +
hosts/surtr/default.nix | 2 +-
hosts/surtr/dns/zones/li.141.soa | 4 +-
hosts/surtr/dns/zones/li.yggdrasil.soa | 8 +++-
hosts/surtr/dns/zones/org.praseodym.soa | 4 +-
hosts/surtr/ruleset.nft | 14 ++++-
hosts/vidhar/borg.nix | 12 +++++
hosts/vidhar/default.nix | 2 +-
hosts/vidhar/network/bifrost/default.nix | 82 ++++++++++++++++++++++++++++++++
hosts/vidhar/network/bifrost/vidhar.priv | 26 ++++++++++
hosts/vidhar/network/bifrost/vidhar.pub | 1 +
hosts/vidhar/network/default.nix | 2 +-
hosts/vidhar/network/ruleset.nft | 4 +-
modules/yggdrasil-wg/default.nix | 2 +-
16 files changed, 239 insertions(+), 17 deletions(-)
create mode 100644 hosts/surtr/bifrost/default.nix
create mode 100644 hosts/surtr/bifrost/surtr.priv
create mode 100644 hosts/surtr/bifrost/surtr.pub
create mode 100644 hosts/vidhar/borg.nix
create mode 100644 hosts/vidhar/network/bifrost/default.nix
create mode 100644 hosts/vidhar/network/bifrost/vidhar.priv
create mode 100644 hosts/vidhar/network/bifrost/vidhar.pub
diff --git a/hosts/surtr/bifrost/default.nix b/hosts/surtr/bifrost/default.nix
new file mode 100644
index 00000000..8f1e602d
--- /dev/null
+++ b/hosts/surtr/bifrost/default.nix
@@ -0,0 +1,66 @@
+{ config, lib, ... }:
+
+with lib;
+
+let
+ trim = str: if hasSuffix "\n" str then trim (removeSuffix "\n" str) else str;
+in {
+ config = {
+ systemd.network = {
+ netdevs = {
+ bifrost = {
+ netdevConfig = {
+ Name = "bifrost";
+ Kind = "wireguard";
+ };
+ wireguardConfig = {
+ PrivateKeyFile = config.sops.secrets.bifrost.path;
+ ListenPort = 51822;
+ };
+ wireguardPeers = [
+ { wireguardPeerConfig = {
+ AllowedIPs = [ "2a03:4000:52:ada:4:1::/96" ];
+ PublicKey = trim (readFile ../../vidhar/network/bifrost/vidhar.pub);
+ };
+ }
+ ];
+ };
+ };
+ networks = {
+ bifrost = {
+ name = "bifrost";
+ matchConfig = {
+ Name = "bifrost";
+ };
+ address = ["2a03:4000:52:ada:4::/96"];
+ routes = [
+ { routeConfig = {
+ Destination = "2a03:4000:52:ada:4::/80";
+ };
+ }
+ ];
+ linkConfig = {
+ RequiredForOnline = false;
+ };
+ networkConfig = {
+ LLMNR = false;
+ MulticastDNS = false;
+ };
+ };
+ };
+ };
+ sops.secrets.bifrost = {
+ format = "binary";
+ sopsFile = ./surtr.priv;
+ mode = "0640";
+ owner = "root";
+ group = "systemd-network";
+ };
+ environment.etc."systemd/networkd.conf" = {
+ text = ''
+ [Network]
+ RouteTable=bifrost:1026
+ '';
+ };
+ };
+}
diff --git a/hosts/surtr/bifrost/surtr.priv b/hosts/surtr/bifrost/surtr.priv
new file mode 100644
index 00000000..e7f2aeb4
--- /dev/null
+++ b/hosts/surtr/bifrost/surtr.priv
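Review bot: The `routes` entry sends the whole `2a03:4000:52:ada:4::/80` into bifrost, but the only peer's `AllowedIPs` is `2a03:4000:52:ada:4:1::/96`, so a packet to any other part of that /80 is dropped by WireGuard's cryptokey routing without a log; either narrow the route to the /96 or add a comment saying further peers are planned, so the route and AllowedIPs stay in agreement. `RouteTable=bifrost:1026` is written into networkd.conf here although no route or policy rule on this host names table bifrost, and overriding `environment.etc."systemd/networkd.conf"` directly may collide with the file the NixOS networkd module generates — if the NixOS release in use has `systemd.network.config`, that option is the safer place for it. The key handling looks right: `PrivateKeyFile` points at the sops secret with mode 0640 root:systemd-network, and with no Endpoint surtr only responds to handshakes from vidhar. `trim` is now defined identically in both new files while the yggdrasil-wg module already carries one; a shared helper would remove the duplication.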
@@ -0,0 +1,26 @@
+{
+ "data": "ENC[AES256_GCM,data:Q3KFfWy4UQIbXfoR6jIb02r0735fvMMHqAWtqOE/BZfe/FuJUkb+HSSJbAkt,iv:YsaIx6eYfLOv1H3IammluRd9XDJAr6o4/HaHgtL8ZUc=,tag:uyINYQ0BGhi6TAuQkPCbBA==,type:str]",
+ "sops": {
+ "kms": null,
+ "gcp_kms": null,
+ "azure_kv": null,
+ "hc_vault": null,
+ "age": null,
+ "lastmodified": "2022-02-06T16:09:36Z",
+ "mac": "ENC[AES256_GCM,data:lzg4JDAyy1tL4dcuima26VWqQmCbr25+8AoecVIctX61V2STXiKzd938bEoJ02UVEPYAUzq+NP5fX6IrggYx2A0tII7oyo92EGBYJsvuCBpZWhZKpniXDsRcQo09PH3QJlJ9liSM8bCf6u//ubGU06xvLldt+g4xvvNOVfqMPSo=,iv:Ya2o/hhg18zp7PqLNSHJAAkyz/Lzibysylqsh0CvMzs=,tag:zeZZ0ilsCa/As7VOSCRgSQ==,type:str]",
+ "pgp": [
+ {
+ "created_at": "2022-02-06T16:09:36Z",
+ "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdAx1FJFTdMFdAzIAwO1rZ9ikD/cP1nTzfI1wLZf5ufB3Uw\nY8JVtL/aSLaO3tli5eZNuz6tEhTFA0GU8l3c/Ws6ocjC+l3IR5bS2CGZbMHjyIyT\n0l4BgxRFBMFJdpbgpIEPsthgZwJRGNQofSJ7A6/550ekM5b/n77CBZQOHwocuJ4q\n7LCSH6kFUH8GgkSC26OLC8f/QpWr9zTneZP0mBd2CiADDCg6oPI3rGwq6+jQKNny\n=wDDa\n-----END PGP MESSAGE-----\n",
+ "fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8"
+ },
+ {
+ "created_at": "2022-02-06T16:09:36Z",
+ "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdActA18sJwR4mjwyilHzHHBBuReg88U8QVMLphsqFvHFIw\nV5OTgNNvwiCPHSvGiYQ41Fnxa3VVDu0b3HSsq1Xvf5aFf65cRW39t/JHruwkpd1M\n0l4BbBOw5pksAlRcX25PNIIg7WEq4mlJjCi41INKJ1lF5YEu9kVZHT/+ayU6N5Kf\nVH3I6bpZiIKMc4fnF+yiVbCTWNC3EYTeCpe/ZnM8Gd0WLJh0KsLS+QVzMYagMHNm\n=Cc3x\n-----END PGP MESSAGE-----\n",
+ "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+ }
+ ],
+ "unencrypted_suffix": "_unencrypted",
+ "version": "3.7.1"
+ }
+}
\ No newline at end of file
diff --git a/hosts/surtr/bifrost/surtr.pub b/hosts/surtr/bifrost/surtr.pub
new file mode 100644
index 00000000..2f6ec1b6
--- /dev/null
+++ b/hosts/surtr/bifrost/surtr.pub
@@ -0,0 +1 @@
+/s2yJlJKmy/vt+r/A4z2dof8CBs95KW7CeWLtOb0ERc=
diff --git a/hosts/surtr/default.nix b/hosts/surtr/default.nix
index be148b05..cfb218da 100644
--- a/hosts/surtr/default.nix
+++ b/hosts/surtr/default.nix
@@ -2,7 +2,7 @@
 {
 imports = with flake.nixosModules.systemProfiles; [
 qemu-guest openssh rebuild-machines zfs
- ./zfs.nix ./dns ./tls.nix ./http.nix
+ ./zfs.nix ./dns ./tls.nix ./http.nix ./bifrost
 ];
 config = {
diff --git a/hosts/surtr/dns/zones/li.141.soa b/hosts/surtr/dns/zones/li.141.soa
index 260a09b5..6620a0a3 100644
--- a/hosts/surtr/dns/zones/li.141.soa
+++ b/hosts/surtr/dns/zones/li.141.soa
@@ -1,7 +1,7 @@
 $ORIGIN 141.li.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. root.yggdrasil.li. (
- 2022020102 ; serial
+ 2022020600 ; serial
 10800 ; refresh
 3600 ; retry
 604800 ; expire
@@ -27,7 +27,7 @@ $TTL 3600
 surtr IN A 202.61.241.61
 surtr IN AAAA 2a03:4000:52:ada::
 surtr IN MX 0 ymir.yggdrasil.li
-surtr IN TXT "v=spf1 redirect=ullr.yggdrasil.li"
+surtr IN TXT "v=spf1 redirect=yggdrasil.li"
 webdav IN CNAME surtr.yggdrasil.li.
diff --git a/hosts/surtr/dns/zones/li.yggdrasil.soa b/hosts/surtr/dns/zones/li.yggdrasil.soa
index ab89351f..a4fad7a7 100644
--- a/hosts/surtr/dns/zones/li.yggdrasil.soa
+++ b/hosts/surtr/dns/zones/li.yggdrasil.soa
@@ -1,7 +1,7 @@
 $ORIGIN yggdrasil.li.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. root.yggdrasil.li. (
- 2022020101 ; serial
+ 2022020600 ; serial
 10800 ; refresh
 3600 ; retry
 604800 ; expire
@@ -35,7 +35,11 @@ ymir IN TXT "v=spf1 redirect=yggdrasil.li"
 surtr IN A 202.61.241.61
 surtr IN AAAA 2a03:4000:52:ada::
 surtr IN MX 0 ymir.yggdrasil.li
-surtr IN TXT "v=spf1 redirect=ullr.yggdrasil.li"
+surtr IN TXT "v=spf1 redirect=yggdrasil.li"
+
+vidhar IN AAAA 2a03:4000:52:ada:4:1::
+vidhar IN MX 0 ymir.yggdrasil.li
+vidhar IN TXT "v=spf1 redirect=yggdrasil.li"
 mailout IN A 188.68.51.254
 mailout IN AAAA 2a03:4000:6:d004::
diff --git a/hosts/surtr/dns/zones/org.praseodym.soa b/hosts/surtr/dns/zones/org.praseodym.soa
index 4bd6263f..f4fd0d8e 100644
--- a/hosts/surtr/dns/zones/org.praseodym.soa
+++ b/hosts/surtr/dns/zones/org.praseodym.soa
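Review bot: `vidhar IN MX 0 ymir.yggdrasil.li` has no trailing dot, so under `$ORIGIN yggdrasil.li.` the exchange name expands to `ymir.yggdrasil.li.yggdrasil.li.`; the context line `surtr IN MX 0 ymir.yggdrasil.li` has the same problem, as do the surtr MX lines in li.141.soa and org.praseodym.soa (where the suffix becomes 141.li. and praseodym.org.) — unless these files are rewritten before loading, which is not visible here. Write `vidhar IN MX 0 ymir.yggdrasil.li.` and fix the surtr lines the same way so mail for these names actually reaches ymir; `webdav IN CNAME surtr.yggdrasil.li.` shows the fully-qualified form already in use in this zone. The new AAAA publishes vidhar's tunnel address, which matches the `address` set on vidhar's bifrost network in this commit.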
@@ -1,7 +1,7 @@
 $ORIGIN praseodym.org.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. root.yggdrasil.li. (
- 2022020102 ; serial
+ 2022020600 ; serial
 10800 ; refresh
 3600 ; retry
 604800 ; expire
@@ -27,7 +27,7 @@ $TTL 3600
 surtr IN A 202.61.241.61
 surtr IN AAAA 2a03:4000:52:ada::
 surtr IN MX 0 ymir.yggdrasil.li
-surtr IN TXT "v=spf1 redirect=ullr.yggdrasil.li"
+surtr IN TXT "v=spf1 redirect=yggdrasil.li"
 ymir._domainkey IN TXT (
 "v=DKIM1;k=rsa;p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAq3cCKlk+VPhyAanLZTM0BCzUT/+fmxHioZcFk0uJk1akBYj7BRofR7eVNcLKpm3rwYMQgE+9vJH9p8SV6tws9EcWc8SMCqqGZlREYM7PmLDiTSK/vjCzkygfgFCb0EBNsY2A/fpP4rTeoxrbcBSvMkq97iY5rwyw4wXZVZXLiDaCj23s8POoxTk1ClqUJZJQ5x2"
diff --git a/hosts/surtr/ruleset.nft b/hosts/surtr/ruleset.nft
index 132360b9..9d6fd373 100644
--- a/hosts/surtr/ruleset.nft
+++ b/hosts/surtr/ruleset.nft
@@ -1,4 +1,4 @@
-define icmp_protos = { ipv6-icmp, icmp, igmp }
+define icmp_protos = {ipv6-icmp, icmp, igmp}
 table arp filter {
 limit lim_arp {
@@ -44,12 +44,16 @@ table inet filter {
 iifname lo counter accept
- meta l4proto $icmp_protos iifname yggdrasil oifname ens3 limit name lim_icmp counter drop
- meta l4proto $icmp_protos iifname yggdrasil oifname ens3 counter accept
+ meta l4proto $icmp_protos iifname {yggdrasil, bifrost} oifname ens3 limit name lim_icmp counter drop
+ meta l4proto $icmp_protos iifname {yggdrasil, bifrost} oifname ens3 counter accept
 meta l4proto $icmp_protos ct state {established, related} limit name lim_icmp counter drop
 meta l4proto $icmp_protos ct state {established, related} counter accept
+ oifname bifrost counter accept
+ iifname bifrost oifname ens3 counter accept
+
+ limit name lim_reject log prefix "drop forward: " counter drop
 log prefix "reject forward: " counter
 meta l4proto tcp ct state new counter reject with tcp reset
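Review bot: `oifname bifrost counter accept` in the forward chain admits every packet from ens3 toward vidhar's prefix with no state or port check, so surtr stops filtering for vidhar entirely and vidhar's own input chain becomes the only control for a host that now has a public AAAA record; `oifname bifrost ct state {established, related} counter accept` followed by explicit rules for the services vidhar is meant to expose would keep the two rulesets in agreement. The reverse rule `iifname bifrost oifname ens3 counter accept` has no source check either, which is acceptable only because this peer's AllowedIPs is `2a03:4000:52:ada:4:1::/96` and WireGuard rejects any other source before nftables sees it — a comment on the rule saying so would stop a later widening of AllowedIPs from silently turning surtr into an open IPv6 relay. The ICMP lines now cover `{yggdrasil, bifrost}`, which keeps the rate limit consistent across both tunnels.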
@@ -78,13 +82,13 @@ table inet filter {
 udp dport 60001-61000 counter accept
 meta protocol ip udp dport 51820 counter accept
- meta protocol ip6 udp dport 51821 counter accept
+ meta protocol ip6 udp dport {51821, 51822} counter accept
 iifname "yggdrasil-wg-*" meta l4proto gre counter accept
 tcp dport 53 counter accept
 udp dport 53 counter accept
- tcp dport { 80, 443 } counter accept
+ tcp dport {80, 443} counter accept
 ct state {established, related} counter accept
diff --git a/hosts/vidhar/borg.nix b/hosts/vidhar/borg.nix
new file mode 100644
index 00000000..0a0b37a5
--- /dev/null
+++ b/hosts/vidhar/borg.nix
@@ -0,0 +1,12 @@
+{ ... }:
+{
+ config = {
+ users.users.borg = {
+ isSystemUser = true;
+ createHome = false;
+ group = "borg";
+ extraGroups = [ "ssh" ];
+ };
+ users.groups."borg" = {};
+ };
+}
diff --git a/hosts/vidhar/default.nix b/hosts/vidhar/default.nix
index b647e472..09ae1e1e 100644
--- a/hosts/vidhar/default.nix
+++ b/hosts/vidhar/default.nix
@@ -1,7 +1,7 @@
 { hostName, flake, config, pkgs, lib, ... }:
 {
 imports = with flake.nixosModules.systemProfiles; [
- ./zfs.nix ./network ./samba.nix ./dns.nix ./prometheus
+ ./zfs.nix ./network ./samba.nix ./dns.nix ./prometheus ./borg.nix
 initrd-all-crypto-modules default-locale openssh rebuild-machines build-server initrd-ssh
diff --git a/hosts/vidhar/network/bifrost/default.nix b/hosts/vidhar/network/bifrost/default.nix
new file mode 100644
index 00000000..40666f59
--- /dev/null
+++ b/hosts/vidhar/network/bifrost/default.nix
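Review bot: `users.users.borg` sets `createHome = false` and no `home`, `shell` or `openssh.authorizedKeys`, so on its own the account cannot log in; `extraGroups = [ "ssh" ]` suggests SSH access is intended (presumably sshd is restricted to that group — confirm), which would also need a login shell, since the NixOS default shell for a user is pkgs.shadow's nologin. If this is the receiving end for borg backups, the missing pieces are presumably in a later commit; when the keys are added, a `command="borg serve --restrict-to-repository …"` prefix together with the `restrict` option on each authorized key keeps the account confined to that one repository. A one-line comment at the top of the module stating what the account is for would help, as the file name is the only hint.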
@@ -0,0 +1,82 @@
+{ config, lib, ... }:
+
+with lib;
+
+let
+ trim = str: if hasSuffix "\n" str then trim (removeSuffix "\n" str) else str;
+in {
+ config = {
+ systemd.network = {
+ netdevs = {
+ bifrost = {
+ netdevConfig = {
+ Name = "bifrost";
+ Kind = "wireguard";
+ };
+ wireguardConfig = {
+ PrivateKeyFile = config.sops.secrets.bifrost.path;
+ ListenPort = 51822;
+ };
+ wireguardPeers = [
+ { wireguardPeerConfig = {
+ AllowedIPs = [ "2a03:4000:52:ada:4::/96" ];
+ PublicKey = trim (readFile ../../../surtr/bifrost/surtr.pub);
+ PersistentKeepalive = 5;
+ Endpoint = "2a03:4000:52:ada:::51822";
+ };
+ }
+ ];
+ };
+ };
+ networks = {
+ bifrost = {
+ name = "bifrost";
+ matchConfig = {
+ Name = "bifrost";
+ };
+ address = ["2a03:4000:52:ada:4:1::/96"];
+ routes = [
+ { routeConfig = {
+ Destination = "2a03:4000:52:ada:4::/80";
+ };
+ }
+ { routeConfig ={
+ Gateway = "2a03:4000:52:ada:4::";
+ GatewayOnLink = true;
+ Table = "bifrost";
+ };
+ }
+ ];
+ routingPolicyRules = [
+ { routingPolicyRuleConfig = {
+ Table = "bifrost";
+ From = "2a03:4000:52:ada:4:1::/96";
+ Priority = 200;
+ };
+ }
+ ];
+ linkConfig = {
+ RequiredForOnline = false;
+ };
+ networkConfig = {
+ LLMNR = false;
+ MulticastDNS = false;
+ };
+ };
+ };
+ };
+ sops.secrets.bifrost = {
+ format = "binary";
+ sopsFile = ./vidhar.priv;
+ mode = "0640";
+ owner = "root";
+ group = "systemd-network";
+ };
+ environment.etc."systemd/networkd.conf" = {
+ text = ''
+ [Network]
+ RouteTable=bifrost:1026
+ '';
+ };
+ };
+}
diff --git a/hosts/vidhar/network/bifrost/vidhar.priv b/hosts/vidhar/network/bifrost/vidhar.priv
new file mode 100644
index 00000000..273e9ba7
--- /dev/null
+++ b/hosts/vidhar/network/bifrost/vidhar.priv
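Review bot: The peer's `AllowedIPs = [ "2a03:4000:52:ada:4::/96" ]` contradicts the default route in table bifrost (`Gateway = "2a03:4000:52:ada:4::"`, selected by the policy rule for `From = "2a03:4000:52:ada:4:1::/96"`): WireGuard only sends a packet to a peer whose AllowedIPs covers its destination and only accepts one whose AllowedIPs covers its source, so everything beyond surtr's own /96 — the Internet traffic this route and the new vidhar AAAA record exist for — is silently dropped on this side, unless a later commit widens it. On vidhar the peer should carry `AllowedIPs = [ "::/0" ];`, as the yggdrasil-wg module does for routers in this same commit; surtr keeping the /96 on its side is correct, since that is exactly what it should accept from vidhar. `Endpoint = "2a03:4000:52:ada:::51822"` appears to rely on networkd splitting at the last colon; `Endpoint = "[2a03:4000:52:ada::]:51822";` is the documented form and stops the triple colon from reading like a typo. `{ routeConfig ={` differs in spacing from the entry above it.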
@@ -0,0 +1,26 @@
+{
+ "data": "ENC[AES256_GCM,data:BSnTkjcVap00po3wV+hSXAi3BMDqwlW+PmhHAecVOl7RFxRAdqVLjIctkmDh,iv:CxKBDo81u1RegSq2lKRwRMlyNINyX3DxoFSqT97e5fM=,tag:Akdav4XxLeQnz2xFMjQ3yw==,type:str]",
+ "sops": {
+ "kms": null,
+ "gcp_kms": null,
+ "azure_kv": null,
+ "hc_vault": null,
+ "age": null,
+ "lastmodified": "2022-02-06T16:09:08Z",
+ "mac": "ENC[AES256_GCM,data:SXCQKrqkOoXlm8Mrs7UZ1CGJe/HnHhvNCuGpt8yhsnchWICfGGWEIrh99TrKkia2X1inoElwXQYYPfyKHFshLaoNjH2GduR287OXluxZs+Thnm1Fnq6oZUBO9mDDUlykZAB3Mjm4WmUnirKB87Q6DFtTRZjh26amt3oC6GwnEfE=,iv:NtPsuStBnJuVfnlbxunL9PxbPdlYktJtV+MYSa53Oc8=,tag:HKJayT/YNP8PJ/ZIlKdQSg==,type:str]",
+ "pgp": [
+ {
+ "created_at": "2022-02-06T16:09:08Z",
+ "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DbYDvGI0HDr0SAQdAnjYlc0bHToon5ayDJk+08sRPPEww8MBOprZZswYU1V8w\n5+QzHJXtSbb4lEwKwdwxkkSg1wBiW+kwrV2L2yyYOvoMhWKQsntjQuzaK7I1Kjix\n0l4BOIcMVJEyJk49CEQQyFlqmgJrh9L/dMhl1D7pD842GcpGFxlB7OHRXsLo9axj\nFAuLUc35LyVgnHd2InqDwG0JKiySdI7fN3dXWiD5H3feoCDisBZvaH/5DlufdIl7\n=sLA+\n-----END PGP MESSAGE-----\n",
+ "fp": "A1C7C95E6CAF0A965CB47277BCF50A89C1B1F362"
+ },
+ {
+ "created_at": "2022-02-06T16:09:08Z",
+ "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAeG22AYCyEYq1Fvqj853ZE7oeuOWOrpDOXiAvnSl83EUw\nofhjhoZ9nMyZlsy+nD06hIvaYdcFeAuSV8iHwANAjarmKlnKicT7b7mBCkOjMJDX\n0l4BAox2QUqhcYbGUKT+/Ei7RXYMP8ht1N+iisBVnzN055VrGQhvDadpcpVzQGKH\n8Hbmmdi9O2PQWRYnvRK+0I7GJFiC4Q36Kzf8X9MojMhb/GIwiBKCU0ZK2BLM9FtA\n=WbKA\n-----END PGP MESSAGE-----\n",
+ "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+ }
+ ],
+ "unencrypted_suffix": "_unencrypted",
+ "version": "3.7.1"
+ }
+}
\ No newline at end of file
diff --git a/hosts/vidhar/network/bifrost/vidhar.pub b/hosts/vidhar/network/bifrost/vidhar.pub
new file mode 100644
index 00000000..ef05f832
--- /dev/null
+++ b/hosts/vidhar/network/bifrost/vidhar.pub
@@ -0,0 +1 @@
+moESFbO3qUTuoOv6lbzSLrNYSjHkM5hyvAs5XZtQzRA=
diff --git a/hosts/vidhar/network/default.nix b/hosts/vidhar/network/default.nix
index a1d1b172..e8c5ba9c 100644
--- a/hosts/vidhar/network/default.nix
+++ b/hosts/vidhar/network/default.nix
@@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }:
 {
- imports = [ ./dsl.nix ];
+ imports = [ ./dsl.nix ./bifrost ];
 config = {
 networking = {
diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft
index 4914777d..caa4863b 100644
--- a/hosts/vidhar/network/ruleset.nft
+++ b/hosts/vidhar/network/ruleset.nft
@@ -162,8 +162,8 @@ table inet filter {
 iifname != dsl meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-rx drop
 meta l4proto $icmp_protos counter name icmp-rx accept
- iifname { lan, mgmt, dsl, yggdrasil } tcp dport 22 counter name ssh-rx accept
- iifname { lan, mgmt, dsl, yggdrasil } udp dport 60001-61000 counter name mosh-rx accept
+ iifname { lan, mgmt, dsl, yggdrasil, bifrost } tcp dport 22 counter name ssh-rx accept
+ iifname { lan, mgmt, dsl, yggdrasil, bifrost } udp dport 60001-61000 counter name mosh-rx accept
 iifname { lan, mgmt, dmz01 } tcp dport 53 counter name dns-rx accept
 iifname { lan, mgmt, dmz01 } udp dport 53 counter name dns-rx accept
diff --git a/modules/yggdrasil-wg/default.nix b/modules/yggdrasil-wg/default.nix
index 2180711d..82002a05 100644
--- a/modules/yggdrasil-wg/default.nix
+++ b/modules/yggdrasil-wg/default.nix
@@ -95,7 +95,7 @@ let
 let
 other = if thisHost from then to else from;
 in {
- AllowedIPs = if elem other routers then ["0.0.0.0/0" "::/0"] else wgHostIPs.${family}.${other};
+ AllowedIPs = if elem other routers then ["::/0"] else wgHostIPs.${family}.${other};
 PublicKey = trim (readFile (mkPublicKeyPath family other));
 } // (optionalAttrs (thisHost from) (linkCfgFilterCustom opts // linkMkEndpointCfg family opts));
 linkCfgFilterCustom = filterAttrs (n: _v: !(elem n ["from" "to" "endpointHost"]));
--
cgit v1.2.3
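Review bot: Adding `bifrost` to the ssh-rx and mosh-rx sets exposes port 22 and the mosh range over the tunnel, and because surtr's new forward rule relays all ingress toward vidhar's prefix, bifrost is a second Internet-facing path next to `dsl` (which the `iifname != dsl` line above appears to treat as the uplink); the rules are consistent with the existing policy, but nothing in the file records that bifrost carries unfiltered Internet traffic. A comment above the ssh-rx rule, `# bifrost: Internet traffic relayed by surtr, same trust level as dsl`, would make the decision visible to the next editor. If only surtr itself should reach SSH over the tunnel, a separate `iifname bifrost ip6 saddr 2a03:4000:52:ada:4::/96 tcp dport 22 counter name ssh-rx accept` is the narrower form — hedged, since the intended reachability is not visible here.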
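Review bot: Dropping `"0.0.0.0/0"` from the router peers' AllowedIPs means IPv4 is no longer cryptokey-routed through routers on yggdrasil-wg links, while the non-router branch still picks `wgHostIPs.${family}.${other}` per family; if `family` can denote an IPv4 link, the router branch should choose its default prefix by family too rather than hard-coding `["::/0"]` — hedged, since the allowed values of `family` and the link setup lie outside this hunk. A comment on the line such as `# routers are default gateways; the mesh carries IPv6 only` would record the assumption the change relies on. The enclosing `let` expression starts before the hunk and continues after it.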