From 3206ce36cb1232e176715973c9bd443fd462b54b Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sun, 5 Mar 2023 13:15:33 +0100
Subject: vidhar: remove printing
---
 hosts/vidhar/printing/default.nix | 170 --------------------------------
 hosts/vidhar/printing/ruleset.nft | 191 --------------------------------------
 2 files changed, 361 deletions(-)
 delete mode 100644 hosts/vidhar/printing/default.nix
 delete mode 100644 hosts/vidhar/printing/ruleset.nft
(limited to 'hosts/vidhar/printing')
diff --git a/hosts/vidhar/printing/default.nix b/hosts/vidhar/printing/default.nix
deleted file mode 100644
index 55c55b37..00000000
--- a/hosts/vidhar/printing/default.nix
+++ /dev/null
@@ -1,170 +0,0 @@ -{ config, lib, ... }: - -with lib; - -let - containerConfig = config.containers.printing.config; -in { - config = { - containers.printing = { - privateNetwork = true; - ephemeral = true; - autoStart = true; - hostAddress = "10.141.5.0"; - hostAddress6 = "2a03:4000:52:ada:5::"; - localAddress = "10.141.5.1"; - localAddress6 = "2a03:4000:52:ada:5::1"; - interfaces = [ "printer" ]; - config = let - hostConfig = config; - in { ... }: { - config = { - services = { - kea = { - dhcp4 = { - enable = true; - settings = { - valid-lifetime = 4000; - rebind-timer = 2000; - renew-timer = 1000; - - interfaces-config = { - interfaces = [ "printer" ]; - }; - - lease-database = { - name = "/var/lib/kea/dhcp4.leases"; - persist = true; - type = "memfile"; - }; - - subnet4 = [ - { subnet = "10.141.3.0/24"; - option-data = [ - { name = "domain-name-servers"; - data = "10.141.5.0"; - } - { name = "ntp-servers"; - data = "10.141.5.0"; - } - { name = "broadcast-address"; - data = "10.141.3.255"; - } - { name = "routers"; - data = "10.141.3.1"; - } - { name = "domain-name"; - data = "yggdrasil"; - } - { name = "domain-search"; - data = "printer.yggdrasil, yggdrasil"; - } - ]; - pools = [ { pool = "10.141.3.128 - 10.141.3.254"; } ]; - reservations = [ - { hostname = "printer"; - hw-address = "30:cd:a7:b0:55:8d"; - ip-address = "10.141.3.2"; - } - ]; - } - ]; - }; - }; - }; - - printing = { - enable = true; - listenAddresses = [ - "*:631" - ]; - logLevel = "all"; - extraConf = mkForce '' - ServerName printing - ServerAlias 10.141.5.1 2a03:4000:52:ada:5::1 printing.vidhar.yggdrasil printing.vidhar.lan.yggdrasil - - DefaultEncryption Never - - - Order allow,deny - Allow from 10.0.0.0/8 - Satisfy any - - - - Order allow,deny - Allow from 10.0.0.0/8 - Satisfy any - - - - Order allow,deny - Allow from 10.0.0.0/8 - Satisfy any - - - - - Order allow,deny - Allow from 10.0.0.0/8 - Satisfy any - - - - Order allow,deny - Allow from 10.0.0.0/8 - Satisfy any - - - - Order allow,deny 
- Allow from 10.0.0.0/8 - Satisfy any - - - - Order allow,deny - Allow from 10.0.0.0/8 - Satisfy any - - - ''; - }; - - resolved.enable = false; - }; - - networking = { - firewall.enable = false; - nftables = { - enable = true; - rulesetFile = ./ruleset.nft; - }; - - useDHCP = false; - useNetworkd = true; - - interfaces."printer" = { - ipv4.addresses = [ - { address = "10.141.3.1"; prefixLength = 24; } - ]; - }; - }; - - environment.etc."resolv.conf".text = '' - nameserver ${hostConfig.containers.printing.hostAddress6} - ''; - - system.stateVersion = hostConfig.system.stateVersion; - }; - }; - }; - - networking = { - vlans.printer = { - id = 5; - interface = "eno2"; - }; - }; - }; -} diff --git a/hosts/vidhar/printing/ruleset.nft b/hosts/vidhar/printing/ruleset.nft deleted file mode 100644 index edf8597d..00000000 --- a/hosts/vidhar/printing/ruleset.nft +++ /dev/null 
@@ -1,191 +0,0 @@ -define icmp_protos = {ipv6-icmp, icmp, igmp} - -table arp filter { - limit lim_arp { - rate over 50 mbytes/second burst 50 mbytes - } - - counter arp-rx {} - counter arp-tx {} - - counter arp-ratelimit-rx {} - counter arp-ratelimit-tx {} - - chain input { - type filter hook input priority filter - policy accept - - limit name lim_arp counter name arp-ratelimit-rx drop - - counter name arp-rx - } - - chain output { - type filter hook output priority filter - policy accept - - limit name lim_arp counter name arp-ratelimit-tx drop - - counter name arp-tx - } -} - -table inet filter { - limit lim_reject { - rate over 1000/second burst 1000 packets - } - - limit lim_icmp { - rate over 50 mbytes/second burst 50 mbytes - } - - counter invalid-fw {} - counter fw-lo {} - counter fw-printer {} - counter fw-host {} - - counter icmp-fw {} - counter icmp-ratelimit-fw {} - - counter reject-ratelimit-fw {} - counter reject-fw {} - counter reject-tcp-fw {} - counter reject-icmp-fw {} - - counter drop-fw {} - - counter invalid-rx {} - - counter rx-lo {} - counter invalid-local4-rx {} - counter invalid-local6-rx {} - - counter icmp-ratelimit-rx {} - counter icmp-rx {} - - counter dhcp-rx {} - counter cups-rx {} - - counter established-rx {} - - counter reject-ratelimit-rx {} - counter reject-rx {} - counter reject-tcp-rx {} - counter reject-icmp-rx {} - - counter drop-rx {} - - counter tx-lo {} - - counter icmp-ratelimit-tx {} - counter icmp-tx {} - - counter cups-tx {} - counter dhcp-tx {} - - counter tx {} - - chain forward { - type filter hook forward priority filter - policy drop - - - ct state invalid log level debug prefix "drop invalid forward: " counter name invalid-fw drop - - - iifname lo counter name fw-lo accept - - - meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-fw drop - meta l4proto $icmp_protos counter name icmp-fw accept - - - iifname printer oifname eth0 ip daddr 10.141.5.0 meta l4proto . th dport { tcp . 53, udp . 
53, udp . 123 } counter name fw-printer accept - iifname printer oifname eth0 ip6 daddr 2a03:4000:52:ada:5:: meta l4proto . th dport { tcp . 53, udp . 53, udp . 123 } counter name fw-printer accept - iifname eth0 oifname printer counter name fw-host accept - - - limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop - log level debug prefix "reject forward: " counter name reject-fw - meta l4proto tcp ct state new counter name reject-tcp-fw reject with tcp reset - ct state new counter name reject-icmp-fw reject - - - counter name drop-fw - } - - chain input { - type filter hook input priority filter - policy drop - - - ct state invalid log level debug prefix "drop invalid input: " counter name invalid-rx drop - - - iifname lo counter name rx-lo accept - iif != lo ip daddr 127.0.0.1/8 counter name invalid-local4-rx reject - iif != lo ip6 daddr ::1/128 counter name invalid-local6-rx reject - - meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-rx drop - meta l4proto $icmp_protos counter name icmp-rx accept - - - tcp dport 631 counter name cups-rx accept - - iifname printer udp dport 67 counter name dhcp-rx accept - - ct state {established, related} counter name established-rx accept - - - limit name lim_reject log level debug prefix "drop input: " counter name reject-ratelimit-rx drop - log level debug prefix "reject input: " counter name reject-rx - meta l4proto tcp ct state new counter name reject-tcp-rx reject with tcp reset - ct state new counter name reject-icmp-rx reject - - - counter name drop-rx - } - - chain output { - type filter hook output priority filter - policy accept - - - oifname lo counter name tx-lo accept - - meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-tx drop - meta l4proto $icmp_protos counter name icmp-tx accept - - - tcp sport 631 counter name cups-tx accept - - udp sport 67 counter name dhcp-tx accept - - - counter name tx - } -} - -table ip nat { 
- counter host-nat {} - - chain postrouting { - type nat hook postrouting priority srcnat - policy accept - - - oifname eth0 counter name host-nat masquerade - } -} - -table ip mss_clamp { - counter host-mss-clamp {} - - chain postrouting { - type filter hook postrouting priority mangle - policy accept - - - oifname eth0 tcp flags & (syn|rst) == syn counter name host-mss-clamp tcp option maxseg size set rt mtu - } -} -- cgit v1.2.3