From 67657a453e654811ed5adf45a4c7aab32dc30274 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sun, 6 Feb 2022 17:19:58 +0100
Subject: bifrost: ...
---
 hosts/vidhar/network/bifrost/default.nix | 82 ++++++++++++++++++++++++++++++++
 hosts/vidhar/network/bifrost/vidhar.priv | 26 ++++++++++
 hosts/vidhar/network/bifrost/vidhar.pub | 1 +
 hosts/vidhar/network/default.nix | 2 +-
 hosts/vidhar/network/ruleset.nft | 4 +-
 5 files changed, 112 insertions(+), 3 deletions(-)
 create mode 100644 hosts/vidhar/network/bifrost/default.nix
 create mode 100644 hosts/vidhar/network/bifrost/vidhar.priv
 create mode 100644 hosts/vidhar/network/bifrost/vidhar.pub
(limited to 'hosts/vidhar/network')
diff --git a/hosts/vidhar/network/bifrost/default.nix b/hosts/vidhar/network/bifrost/default.nix
new file mode 100644
index 00000000..40666f59
--- /dev/null
+++ b/hosts/vidhar/network/bifrost/default.nix
@@ -0,0 +1,82 @@
+{ config, lib, ... }:
+
+with lib;
+
+let
+ trim = str: if hasSuffix "\n" str then trim (removeSuffix "\n" str) else str;
+in {
+ config = {
+ systemd.network = {
+ netdevs = {
+ bifrost = {
+ netdevConfig = {
+ Name = "bifrost";
+ Kind = "wireguard";
+ };
+ wireguardConfig = {
+ PrivateKeyFile = config.sops.secrets.bifrost.path;
+ ListenPort = 51822;
+ };
+ wireguardPeers = [
+ { wireguardPeerConfig = {
+ AllowedIPs = [ "2a03:4000:52:ada:4::/96" ];
+ PublicKey = trim (readFile ../../../surtr/bifrost/surtr.pub);
+ PersistentKeepalive = 5;
+ Endpoint = "2a03:4000:52:ada:::51822";
+ };
+ }
+ ];
+ };
+ };
+ networks = {
+ bifrost = {
+ name = "bifrost";
+ matchConfig = {
+ Name = "bifrost";
+ };
+ address = ["2a03:4000:52:ada:4:1::/96"];
+ routes = [
+ { routeConfig = {
+ Destination = "2a03:4000:52:ada:4::/80";
+ };
+ }
+ { routeConfig ={
+ Gateway = "2a03:4000:52:ada:4::";
+ GatewayOnLink = true;
+ Table = "bifrost";
+ };
+ }
+ ];
+ routingPolicyRules = [
+ { routingPolicyRuleConfig = {
+ Table = "bifrost";
+ From = "2a03:4000:52:ada:4:1::/96";
+ Priority = 200;
+ };
+ }
+ ];
+ linkConfig = {
+ RequiredForOnline = false;
+ };
+ networkConfig = {
+ LLMNR = false;
+ MulticastDNS = false;
+ };
+ };
+ };
+ };
+ sops.secrets.bifrost = {
+ format = "binary";
+ sopsFile = ./vidhar.priv;
+ mode = "0640";
+ owner = "root";
+ group = "systemd-network";
+ };
+ environment.etc."systemd/networkd.conf" = {
+ text = ''
+ [Network]
+ RouteTable=bifrost:1026
+ '';
+ };
+ };
+}
diff --git a/hosts/vidhar/network/bifrost/vidhar.priv b/hosts/vidhar/network/bifrost/vidhar.priv
new file mode 100644
index 00000000..273e9ba7
--- /dev/null
+++ b/hosts/vidhar/network/bifrost/vidhar.priv
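Review bot: The peer's `Endpoint = "2a03:4000:52:ada:::51822";` gives an IPv6 address and port with no brackets; systemd.netdev(5) documents IPv6 endpoints as `[addr]:port`, and the triple colon is hard to read even if networkd happens to tolerate it, so `Endpoint = "[2a03:4000:52:ada::]:51822";` is the safer spelling. Because vidhar is the initiating side here (`Endpoint` plus `PersistentKeepalive = 5`), a rejected endpoint would most likely leave the tunnel silently down rather than fail the build, so `networkctl status bifrost` after deploying is worth a look. The `environment.etc."systemd/networkd.conf"` text replaces the whole file with just `RouteTable=bifrost:1026`, which is fine today but will collide with any other module that later wants a networkd.conf entry; a short comment noting that (or the `systemd.network.config` option, if the NixOS channel in use provides it) would help. The key handling itself — `mode = "0640"`, `owner = "root"`, `group = "systemd-network"` — is appropriately tight for a WireGuard private key.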
@@ -0,0 +1,26 @@ +{ + "data": "ENC[AES256_GCM,data:BSnTkjcVap00po3wV+hSXAi3BMDqwlW+PmhHAecVOl7RFxRAdqVLjIctkmDh,iv:CxKBDo81u1RegSq2lKRwRMlyNINyX3DxoFSqT97e5fM=,tag:Akdav4XxLeQnz2xFMjQ3yw==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": null, + "lastmodified": "2022-02-06T16:09:08Z", + "mac": "ENC[AES256_GCM,data:SXCQKrqkOoXlm8Mrs7UZ1CGJe/HnHhvNCuGpt8yhsnchWICfGGWEIrh99TrKkia2X1inoElwXQYYPfyKHFshLaoNjH2GduR287OXluxZs+Thnm1Fnq6oZUBO9mDDUlykZAB3Mjm4WmUnirKB87Q6DFtTRZjh26amt3oC6GwnEfE=,iv:NtPsuStBnJuVfnlbxunL9PxbPdlYktJtV+MYSa53Oc8=,tag:HKJayT/YNP8PJ/ZIlKdQSg==,type:str]", + "pgp": [ + { + "created_at": "2022-02-06T16:09:08Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DbYDvGI0HDr0SAQdAnjYlc0bHToon5ayDJk+08sRPPEww8MBOprZZswYU1V8w\n5+QzHJXtSbb4lEwKwdwxkkSg1wBiW+kwrV2L2yyYOvoMhWKQsntjQuzaK7I1Kjix\n0l4BOIcMVJEyJk49CEQQyFlqmgJrh9L/dMhl1D7pD842GcpGFxlB7OHRXsLo9axj\nFAuLUc35LyVgnHd2InqDwG0JKiySdI7fN3dXWiD5H3feoCDisBZvaH/5DlufdIl7\n=sLA+\n-----END PGP MESSAGE-----\n", + "fp": "A1C7C95E6CAF0A965CB47277BCF50A89C1B1F362" + }, + { + "created_at": "2022-02-06T16:09:08Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAeG22AYCyEYq1Fvqj853ZE7oeuOWOrpDOXiAvnSl83EUw\nofhjhoZ9nMyZlsy+nD06hIvaYdcFeAuSV8iHwANAjarmKlnKicT7b7mBCkOjMJDX\n0l4BAox2QUqhcYbGUKT+/Ei7RXYMP8ht1N+iisBVnzN055VrGQhvDadpcpVzQGKH\n8Hbmmdi9O2PQWRYnvRK+0I7GJFiC4Q36Kzf8X9MojMhb/GIwiBKCU0ZK2BLM9FtA\n=WbKA\n-----END PGP MESSAGE-----\n", + "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.7.1" + } +} \ No newline at end of file diff --git a/hosts/vidhar/network/bifrost/vidhar.pub b/hosts/vidhar/network/bifrost/vidhar.pub new file mode 100644 index 00000000..ef05f832 --- /dev/null +++ b/hosts/vidhar/network/bifrost/vidhar.pub @@ -0,0 +1 @@ +moESFbO3qUTuoOv6lbzSLrNYSjHkM5hyvAs5XZtQzRA= 
diff --git a/hosts/vidhar/network/default.nix b/hosts/vidhar/network/default.nix
index a1d1b172..e8c5ba9c 100644
--- a/hosts/vidhar/network/default.nix
+++ b/hosts/vidhar/network/default.nix
@@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }: {
- imports = [ ./dsl.nix ];
+ imports = [ ./dsl.nix ./bifrost ];
 config = {
 networking = {
diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft
index 4914777d..caa4863b 100644
--- a/hosts/vidhar/network/ruleset.nft
+++ b/hosts/vidhar/network/ruleset.nft
@@ -162,8 +162,8 @@ table inet filter {
 iifname != dsl meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-rx drop
 meta l4proto $icmp_protos counter name icmp-rx accept
- iifname { lan, mgmt, dsl, yggdrasil } tcp dport 22 counter name ssh-rx accept
- iifname { lan, mgmt, dsl, yggdrasil } udp dport 60001-61000 counter name mosh-rx accept
+ iifname { lan, mgmt, dsl, yggdrasil, bifrost } tcp dport 22 counter name ssh-rx accept
+ iifname { lan, mgmt, dsl, yggdrasil, bifrost } udp dport 60001-61000 counter name mosh-rx accept
 iifname { lan, mgmt, dmz01 } tcp dport 53 counter name dns-rx accept
 iifname { lan, mgmt, dmz01 } udp dport 53 counter name dns-rx accept
-- 
cgit v1.2.3
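Review bot: The two widened `iifname { lan, mgmt, dsl, yggdrasil, bifrost }` lines admit ssh and mosh from anything arriving on the tunnel interface, while nothing in this hunk opens `udp dport 51822` for the WireGuard listener that bifrost/default.nix configures. That is consistent only because vidhar dials out (`Endpoint` plus `PersistentKeepalive = 5`) and the return traffic presumably matches an established-state accept outside this hunk; worth confirming, since the input chain shown here starts and ends beyond the hunk. Matching on interface alone is sound in this setup because the peer's `AllowedIPs` limits what the kernel delivers through bifrost to 2a03:4000:52:ada:4::/96, but that dependency lives in another file, so a rule comment such as `# bifrost: peer source range enforced by wireguard AllowedIPs` would keep a later change to AllowedIPs from silently widening ssh exposure.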