From 29480b6e86ca6057d4151accdb5d4103f1657596 Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Sat, 4 Mar 2023 19:23:36 +0100 Subject: ... --- hosts/vidhar/default.nix | 8 +- hosts/vidhar/dns/default.nix | 6 +- hosts/vidhar/dns/zones/arpa.in-addr.10.141.soa | 7 +- ...ip6.2.a.0.3.4.0.0.0.0.0.5.2.0.a.d.a.0.0.0.1.soa | 4 +- hosts/vidhar/dns/zones/yggdrasil.soa | 8 +- hosts/vidhar/network/default.nix | 4 +- hosts/vidhar/network/dhcp/default.nix | 7 +- hosts/vidhar/network/dsl.nix | 15 +- hosts/vidhar/network/ruleset.nft | 22 ++- hosts/vidhar/printing/default.nix | 124 ++++++++++++++ hosts/vidhar/printing/ruleset.nft | 185 +++++++++++++++++++++ hosts/vidhar/samba.nix | 15 +- 12 files changed, 366 insertions(+), 39 deletions(-) create mode 100644 hosts/vidhar/printing/default.nix create mode 100644 hosts/vidhar/printing/ruleset.nft (limited to 'hosts') diff --git a/hosts/vidhar/default.nix b/hosts/vidhar/default.nix index 7f780d9a..5c70c669 100644 --- a/hosts/vidhar/default.nix +++ b/hosts/vidhar/default.nix @@ -4,7 +4,7 @@ with lib; { imports = with flake.nixosModules.systemProfiles; [ - ./zfs.nix ./network ./samba.nix ./dns ./prometheus ./borg ./pgbackrest + ./zfs.nix ./network ./samba.nix ./dns ./prometheus ./borg ./pgbackrest ./printing tmpfs-root zfs initrd-all-crypto-modules default-locale openssh rebuild-machines build-server @@ -82,8 +82,10 @@ with lib; services.openssh = { enable = true; - passwordAuthentication = false; - kbdInteractiveAuthentication = false; + settings = { + PasswordAuthentication = false; + KbdInteractiveAuthentication = false; + }; extraConfig = '' AllowGroups ssh ''; diff --git a/hosts/vidhar/dns/default.nix b/hosts/vidhar/dns/default.nix index ade884e7..f942b3f9 100644 --- a/hosts/vidhar/dns/default.nix +++ b/hosts/vidhar/dns/default.nix 
@@ -20,7 +20,7 @@ in { enableRootTrustAnchor = false; settings = { server = { - interface = ["lo" "lan"]; + interface = ["lo" "lan" "ve-printing"]; prefer-ip6 = true; access-control = ["0.0.0.0/0 allow" "::/0 allow"]; root-hints = "${pkgs.dns-root-data}/root.hints"; @@ -79,6 +79,10 @@ in { }; }; + systemd.services.unbound = { + after = [ "container@printinp.service" ]; + }; + systemd.services.knot = { unitConfig.RequiresMountsFor = [ "/var/lib/knot" ]; serviceConfig.LoadCredential = map ({name, ...}: "${name}.yaml:${config.sops.secrets.${name}.path}") knotKeys; diff --git a/hosts/vidhar/dns/zones/arpa.in-addr.10.141.soa b/hosts/vidhar/dns/zones/arpa.in-addr.10.141.soa index 01941df6..5f98034e 100644 --- a/hosts/vidhar/dns/zones/arpa.in-addr.10.141.soa +++ b/hosts/vidhar/dns/zones/arpa.in-addr.10.141.soa @@ -1,7 +1,7 @@ $ORIGIN 141.10.in-addr.arpa. $TTL 300 @ IN SOA vidhar.lan.yggdrasil. hostmaster.yggdrasil.li ( - 2023022700 ; serial + 2023030402 ; serial 300 ; refresh 300 ; retry 300 ; expire @@ -11,8 +11,11 @@ $TTL 300 IN NS vidhar.lan.yggdrasil. 1.0 IN PTR vidhar.lan.yggdrasil. -2.0 IN PTR printer.lan.yggdrasil. 1.1 IN PTR vidhar.mgmt.yggdrasil. 2.1 IN PTR switch01.mgmt.yggdrasil. 4.1 IN PTR ap01.mgmt.yggdrasil. + +3.2 IN PTR printer.printer.yggdrasil. + +1.4 IN PTR printing.vidhar.lan.yggdrasil. diff --git a/hosts/vidhar/dns/zones/arpa.ip6.2.a.0.3.4.0.0.0.0.0.5.2.0.a.d.a.0.0.0.1.soa b/hosts/vidhar/dns/zones/arpa.ip6.2.a.0.3.4.0.0.0.0.0.5.2.0.a.d.a.0.0.0.1.soa index c1955ec7..bec3fd05 100644 --- a/hosts/vidhar/dns/zones/arpa.ip6.2.a.0.3.4.0.0.0.0.0.5.2.0.a.d.a.0.0.0.1.soa +++ b/hosts/vidhar/dns/zones/arpa.ip6.2.a.0.3.4.0.0.0.0.0.5.2.0.a.d.a.0.0.0.1.soa @@ -1,7 +1,7 @@ $ORIGIN 1.0.0.0.a.d.a.0.2.5.0.0.0.0.0.4.3.0.a.2.ip6.arpa. $TTL 300 @ IN SOA vidhar.lan.yggdrasil. hostmaster.yggdrasil.li ( - 2022031801 ; serial + 2023030400 ; serial 300 ; refresh 300 ; retry 300 ; expire 
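Review bot: The new `systemd.services.unbound` block orders unbound after `container@printinp.service`, which does not match the container this commit declares as `containers.printing`, so the ordering is silently ineffective; it should read `after = [ "container@printing.service" ];`. Since the first hunk of this file also makes unbound listen on `ve-printing`, which only exists while that container runs, `after` alone may not be enough: it orders the units but does not start the container for unbound, so consider adding the same unit to `wants` or `bindsTo` — hedged, as the diff does not show how unbound behaves when a configured interface is absent at start-up. The enclosing `services.unbound`/`systemd.services` attribute sets start outside this hunk.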
@@ -13,3 +13,5 @@ $TTL 300 0.0.0.0.0.0.0.0.0.0.0.0 IN PTR surtr.yggdrasil. 0.0.0.0.0.0.0.0.0.0.0.1 IN PTR vidhar.yggdrasil. 0.0.0.0.0.0.0.0.0.0.0.2 IN PTR sif.yggdrasil. + +0.0.0.0.0.4.0.0.0.0.0.1 IN PTR printing.vidhar.yggdrasil. diff --git a/hosts/vidhar/dns/zones/yggdrasil.soa b/hosts/vidhar/dns/zones/yggdrasil.soa index 49617c80..3d0daaac 100644 --- a/hosts/vidhar/dns/zones/yggdrasil.soa +++ b/hosts/vidhar/dns/zones/yggdrasil.soa @@ -1,7 +1,7 @@ $ORIGIN yggdrasil. $TTL 300 @ IN SOA vidhar.yggdrasil. hostmaster.yggdrasil.li ( - 2023022700 ; serial + 2023030405 ; serial 300 ; refresh 300 ; retry 300 ; expire @@ -23,9 +23,13 @@ pgbackrest.surtr IN CNAME surtr.yggdrasil. vidhar.lan IN A 10.141.0.1 -printer.lan IN A 10.141.0.2 vidhar.mgmt IN A 10.141.1.1 switch01.mgmt IN A 10.141.1.2 dsl01.mgmt IN A 10.141.1.3 ap01.mgmt IN A 10.141.1.4 + +printer.printer IN A 10.141.3.2 + +printing.vidhar.lan IN A 10.141.4.1 +printing.vidhar IN AAAA 2a03:4000:52:ada:4::1 diff --git a/hosts/vidhar/network/default.nix b/hosts/vidhar/network/default.nix index ddc5d78d..1d0f5465 100644 --- a/hosts/vidhar/network/default.nix +++ b/hosts/vidhar/network/default.nix @@ -24,7 +24,7 @@ with lib; { address = "10.141.1.1"; prefixLength = 24; } ]; }; - interfaces."dmz01" = { + interfaces."wifibh" = { ipv4.addresses = [ { address = "10.141.2.1"; prefixLength = 24; } ]; @@ -39,7 +39,7 @@ with lib; id = 3; interface = "eno2"; }; - dmz01 = { + wifibh = { id = 4; interface = "eno2"; }; diff --git a/hosts/vidhar/network/dhcp/default.nix b/hosts/vidhar/network/dhcp/default.nix index af7a3545..4d8a54ae 100644 --- a/hosts/vidhar/network/dhcp/default.nix +++ b/hosts/vidhar/network/dhcp/default.nix @@ -108,10 +108,6 @@ with lib; { hostname = "geri"; hw-address = "0e:e6:43:5e:37:7b"; } - { hostname = "printer"; - hw-address = "30:cd:a7:b0:55:8d"; - ip-address = "10.141.0.2"; - } ]; } { subnet = "10.141.1.0/24"; 
@@ -122,6 +118,9 @@ with lib; { name = "broadcast-address"; data = "10.141.1.255"; } + { name = "ntp-servers"; + data = "10.141.1.1"; + } { name = "domain-name"; data = "yggdrasil"; } diff --git a/hosts/vidhar/network/dsl.nix b/hosts/vidhar/network/dsl.nix index 536e0e0d..5b7c5ac7 100644 --- a/hosts/vidhar/network/dsl.nix +++ b/hosts/vidhar/network/dsl.nix @@ -97,13 +97,6 @@ in { dnssl = [{ domain_names = ["yggdrasil"]; }]; # other_config = true; } - { name = "dmz01"; - advertise = true; - verbose = true; - prefix = [{ prefix = "::/64"; }]; - route = [{ prefix = "::/0"; }]; - rdnss = [{ servers = ["::"]; }]; - } ]; debug = { @@ -123,11 +116,6 @@ in { interface = "lan"; network = "::/0"; }; - dmz01 = { - method = "iface"; - interface = "dmz01"; - network = "::/0"; - }; }; }; }; @@ -170,7 +158,7 @@ in { ''; postStop = '' - for dev in lan dmz01; do + for dev in lan; do ${pkgs.iproute2}/bin/ip -6 a show dev "''${dev}" scope global | ${pkgs.gnugrep}/bin/grep inet6 | ${pkgs.gawk}/bin/awk '{ print $2; }' | ${pkgs.findutils}/bin/xargs -I '{}' -- ${pkgs.iproute2}/bin/ip addr del '{}' dev "''${dev}" done ''; @@ -195,7 +183,6 @@ in { iaid 1195061668 ipv6rs # enable routing solicitation for WAN adapter ia_pd 1 lan/0/64/0 # request a PD and assign it to the LAN - ia_pd 1 dmz01/1/64/0 # request a PD and assign it to dmz01 reboot 0 diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft index da3a9048..d2c88008 100644 --- a/hosts/vidhar/network/ruleset.nft +++ b/hosts/vidhar/network/ruleset.nft @@ -59,6 +59,9 @@ table inet filter { counter fw-lo {} counter fw-lan {} counter fw-dsl {} + counter fw-printing {} + + counter fw-cups {} counter reject-ratelimit-fw {} counter reject-fw {} 
@@ -137,12 +140,17 @@ table inet filter { iifname lo counter name fw-lo accept - oifname { lan, dsl, bifrost } meta l4proto $icmp_protos jump forward_icmp_accept - + oifname { lan, dsl, bifrost, ve-printing } meta l4proto $icmp_protos jump forward_icmp_accept iifname lan oifname { dsl, bifrost } counter name fw-lan accept - iifname dsl oifname { lan, dmz01 } ct state {established, related} counter name fw-dsl accept + iifname lan oifname ve-printing ip daddr 10.141.4.1 tcp dport 631 counter name fw-cups accept + iifname lan oifname ve-printing ip6 daddr 2a03:4000:52:ada:4::1 tcp dport 631 counter name fw-cups accept + + + iifname ve-printing oifname lan ct state {established, related} counter name fw-printing accept + iifname dsl oifname lan ct state {established, related} counter name fw-dsl accept + limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop log level debug prefix "reject forward: " counter name reject-fw @@ -169,7 +177,7 @@ table inet filter { iifname { lan, mgmt, dsl, yggdrasil, bifrost } tcp dport 22 counter name ssh-rx accept iifname { lan, mgmt, dsl, yggdrasil, bifrost } udp dport 60000-61000 counter name mosh-rx accept - iifname { lan, mgmt, dmz01, yggdrasil } meta l4proto { tcp, udp } th dport 53 counter name dns-rx accept + iifname { lan, mgmt, wifibh, yggdrasil, ve-printing } meta l4proto { tcp, udp } th dport 53 counter name dns-rx accept iifname { lan, yggdrasil } tcp dport 2049 counter name nfs-rx accept 
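Review bot: The two new `fw-cups` forward rules admit LAN clients to 10.141.4.1:631 and [2a03:4000:52:ada:4::1]:631, but the container's input chain in hosts/vidhar/printing/ruleset.nft (added in this same commit) accepts port 631 only from the host's own addresses 10.141.4.0 and 2a03:4000:52:ada:4::, so a forwarded LAN connection keeps its LAN source address and ends in that chain's reject rules unless the host source-NATs traffic into ve-printing, which no hunk here shows. Either the container's `cups-rx` rules need the LAN prefixes as well, or these forward rules are dead and can be dropped if only the host's Samba (connecting from 10.141.4.0) is meant to reach CUPS; the former widens CUPS exposure to every LAN host, so the decision belongs in a comment next to the rules, e.g. `# LAN -> CUPS in the printing container; the container's input chain must accept the same sources`. The forward chain starts before and continues after this hunk.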
@@ -179,9 +187,9 @@ table inet filter { iifname dsl meta protocol ip6 udp dport 546 udp sport 547 counter name ipv6-pd-rx accept - iifname mgmt udp dport 123 counter name ntp-rx accept + iifname { mgmt, ve-printing } udp dport 123 counter name ntp-rx accept - iifname { lan, mgmt, dmz01 } udp dport 67 counter name dhcp-rx accept + iifname { lan, mgmt, wifibh } udp dport 67 counter name dhcp-rx accept iifname lan udp dport { 137, 138, 3702 } counter name samba-rx accept iifname lan tcp dport { 445, 139, 5357 } counter name samba-rx accept @@ -268,4 +276,4 @@ table ip mss_clamp { oifname dsl tcp flags & (syn|rst) == syn counter name dsl-mss-clamp tcp option maxseg size set rt mtu } -} \ No newline at end of file +} diff --git a/hosts/vidhar/printing/default.nix b/hosts/vidhar/printing/default.nix new file mode 100644 index 00000000..0e0dfcf7 --- /dev/null +++ b/hosts/vidhar/printing/default.nix 
@@ -0,0 +1,124 @@ +{ config, lib, ... }: + +with lib; + +let + containerConfig = config.containers.printing.config; +in { + config = { + containers.printing = { + privateNetwork = true; + ephemeral = true; + autoStart = true; + hostAddress = "10.141.4.0"; + hostAddress6 = "2a03:4000:52:ada:4::"; + localAddress = "10.141.4.1"; + localAddress6 = "2a03:4000:52:ada:4::1"; + interfaces = [ "printer" ]; + config = let + hostConfig = config; + in { ... }: { + config = { + services = { + kea = { + dhcp4 = { + enable = true; + settings = { + valid-lifetime = 4000; + rebind-timer = 2000; + renew-timer = 1000; + + interfaces-config = { + interfaces = [ "printer" ]; + }; + + lease-database = { + name = "/var/lib/kea/dhcp4.leases"; + persist = true; + type = "memfile"; + }; + + subnet4 = [ + { subnet = "10.141.3.0/24"; + option-data = [ + { name = "domain-name-servers"; + data = "10.141.4.0"; + } + { name = "ntp-servers"; + data = "10.141.4.0"; + } + { name = "broadcast-address"; + data = "10.141.3.255"; + } + { name = "routers"; + data = "10.141.3.1"; + } + { name = "domain-name"; + data = "yggdrasil"; + } + { name = "domain-search"; + data = "printer.yggdrasil, yggdrasil"; + } + ]; + pools = [ { pool = "10.141.3.128 - 10.141.3.254"; } ]; + reservations = [ + { hostname = "printer"; + hw-address = "30:cd:a7:b0:55:8d"; + ip-address = "10.141.3.2"; + } + ]; + } + ]; + }; + }; + }; + + printing = { + enable = true; + listenAddresses = [ + "*:631" + ]; + allowFrom = [ "all" ]; + extraConf = '' + ServerName printing + ServerAlias 10.141.4.1 2a03:4000:52:ada:4::1 printing.vidhar.yggdrasil printing.vidhar.lan.yggdrasil + ''; + }; + + resolved.enable = false; + }; + + networking = { + firewall.enable = false; + nftables = { + enable = true; + rulesetFile = ./ruleset.nft; + }; + + useDHCP = false; + useNetworkd = true; + + interfaces."printer" = { + ipv4.addresses = [ + { address = "10.141.3.1"; prefixLength = 24; } + ]; + }; + }; + + environment.etc."resolv.conf".text = '' + 
nameserver ${hostConfig.containers.printing.hostAddress6} + ''; + + system.stateVersion = hostConfig.system.stateVersion; + }; + }; + }; + + networking = { + vlans.printer = { + id = 5; + interface = "eno2"; + }; + }; + }; +} diff --git a/hosts/vidhar/printing/ruleset.nft b/hosts/vidhar/printing/ruleset.nft new file mode 100644 index 00000000..c3027567 --- /dev/null +++ b/hosts/vidhar/printing/ruleset.nft 
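Review bot: `listenAddresses = [ "*:631" ]` together with `allowFrom = [ "all" ]` leaves CUPS with no access control of its own, so the container's nftables ruleset is the only thing keeping the printer VLAN (10.141.3.0/24, on which the container also holds 10.141.3.1) away from the CUPS web interface and its admin operations. Listening only on the host-facing addresses keeps that property even when the ruleset is not loaded: `listenAddresses = [ "10.141.4.1:631" "[2a03:4000:52:ada:4::1]:631" ];` (cupsd's Listen directive takes the bracketed IPv6 form), plus a comment stating that `allowFrom = [ "all" ]` is deliberate because the firewall does the filtering. Also worth a comment: the container is `ephemeral = true`, so the kea `lease-database` with `persist = true` is discarded on every container restart and only the static `reservations` entry is stable.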
@@ -0,0 +1,185 @@ +define icmp_protos = {ipv6-icmp, icmp, igmp} + +table arp filter { + limit lim_arp { + rate over 50 mbytes/second burst 50 mbytes + } + + counter arp-rx {} + counter arp-tx {} + + counter arp-ratelimit-rx {} + counter arp-ratelimit-tx {} + + chain input { + type filter hook input priority filter + policy accept + + limit name lim_arp counter name arp-ratelimit-rx drop + + counter name arp-rx + } + + chain output { + type filter hook output priority filter + policy accept + + limit name lim_arp counter name arp-ratelimit-tx drop + + counter name arp-tx + } +} + +table inet filter { + limit lim_reject { + rate over 1000/second burst 1000 packets + } + + limit lim_icmp { + rate over 50 mbytes/second burst 50 mbytes + } + + counter invalid-fw {} + counter fw-lo {} + counter fw-printer {} + counter fw-host {} + + counter icmp-ratelimit-fw {} + + counter reject-ratelimit-fw {} + counter reject-fw {} + counter reject-tcp-fw {} + counter reject-icmp-fw {} + + counter drop-fw {} + + counter invalid-rx {} + + counter rx-lo {} + counter invalid-local4-rx {} + counter invalid-local6-rx {} + + counter icmp-ratelimit-rx {} + counter icmp-rx {} + + counter cups-rx {} + + counter established-rx {} + + counter reject-ratelimit-rx {} + counter reject-rx {} + counter reject-tcp-rx {} + counter reject-icmp-rx {} + + counter drop-rx {} + + counter tx-lo {} + + counter icmp-ratelimit-tx {} + counter icmp-tx {} + + counter cups-tx {} + + counter tx {} + + chain forward { + type filter hook forward priority filter + policy drop + + + ct state invalid log level debug prefix "drop invalid forward: " counter name invalid-fw drop + + + iifname lo counter name fw-lo accept + + + meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-fw drop + meta l4proto $icmp_protos counter name icmp-fw accept + + + iifname printer oifname eth0 ip daddr 10.141.4.0 meta l4proto . th dport { tcp . 53, udp . 53, udp . 
123 } counter fw-printer accept + iifname printer oifname eth0 ip6 daddr 2a03:4000:52:ada:4:: meta l4proto . th dport { tcp . 53, udp . 53, udp . 123 } counter fw-printer accept + iifname eth0 oifname printer counter fw-host accept + + + limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop + log level debug prefix "reject forward: " counter name reject-fw + meta l4proto tcp ct state new counter name reject-tcp-fw reject with tcp reset + ct state new counter name reject-icmp-fw reject + + + counter name drop-fw + } + + chain input { + type filter hook input priority filter + policy drop + + + ct state invalid log level debug prefix "drop invalid input: " counter name invalid-rx drop + + + iifname lo counter name rx-lo accept + iif != lo ip daddr 127.0.0.1/8 counter name invalid-local4-rx reject + iif != lo ip6 daddr ::1/128 counter name invalid-local6-rx reject + + meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-rx drop + meta l4proto $icmp_protos counter name icmp-rx accept + + + ip6 saddr 2a03:4000:52:ada:4:: tcp dport 631 counter name cups-rx accept + ip saddr 10.141.4.0 tcp dport 631 counter name cups-rx accept + + ct state {established, related} counter name established-rx accept + + + limit name lim_reject log level debug prefix "drop input: " counter name reject-ratelimit-rx drop + log level debug prefix "reject input: " counter name reject-rx + meta l4proto tcp ct state new counter name reject-tcp-rx reject with tcp reset + ct state new counter name reject-icmp-rx reject + + + counter name drop-rx + } + + chain output { + type filter hook output priority filter + policy accept + + + oifname lo counter name tx-lo accept + + meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-tx drop + meta l4proto $icmp_protos counter name icmp-tx accept + + + tcp sport 631 counter name cups-tx accept + + + counter name tx + } +} + +table ip nat { + counter host-nat {} + + chain 
postrouting { + type nat hook postrouting priority srcnat + policy accept + + + oifname eth0 counter name host-nat masquerade + } +} + +table ip mss_clamp { + counter host-mss-clamp {} + + chain postrouting { + type filter hook postrouting priority mangle + policy accept + + + oifname eth0 tcp flags & (syn|rst) == syn counter name host-mss-clamp tcp option maxseg size set rt mtu + } +} diff --git a/hosts/vidhar/samba.nix b/hosts/vidhar/samba.nix index 89d9f12e..cbe158a9 100644 --- a/hosts/vidhar/samba.nix +++ b/hosts/vidhar/samba.nix @@ -4,19 +4,28 @@ services.samba = { enable = true; securityType = "user"; + package = pkgs.samba4.override { + enablePrinting = true; + }; extraConfig = '' domain master = yes workgroup = WORKGROUP load printers = no - printing = bsd - printcap name = /dev/null - disable spoolss = yes + printing = cups + cups server = 10.141.4.1 guest account = nobody bind interfaces only = yes interfaces = lo lan server signing = mandatory server min protocol = SMB3 server smb encrypt = required + + [printers] + path = /srv/samba-printing + browseable = yes + printable = yes + writable = no + create mode = 0700 ''; shares = { homes = { -- cgit v1.2.3