From 329de92b6e00f1af9925f56a4fc6da14087802e5 Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Sat, 25 May 2024 20:37:25 +0200 Subject: tkleen --- .../ccert_policy_server/__main__.py | 35 +++++++------ hosts/surtr/email/default.nix | 57 ++++++++++++++++++---- hosts/surtr/postgresql/default.nix | 14 ++++++ hosts/surtr/ruleset.nft | 6 +-- 4 files changed, 85 insertions(+), 27 deletions(-) (limited to 'hosts') diff --git a/hosts/surtr/email/ccert-policy-server/ccert_policy_server/__main__.py b/hosts/surtr/email/ccert-policy-server/ccert_policy_server/__main__.py index f481090c..00182523 100644 --- a/hosts/surtr/email/ccert-policy-server/ccert_policy_server/__main__.py +++ b/hosts/surtr/email/ccert-policy-server/ccert_policy_server/__main__.py 
@@ -27,20 +27,27 @@ class PolicyHandler(StreamRequestHandler): logger.info('Connection parameters: %s', self.args) allowed = False - with self.server.db_pool.connection() as conn: - local, domain = self.args['sender'].split(sep='@', maxsplit=1) - extension = None - if '+' in local: - local, extension = local.split(sep='+', maxsplit=1) - - logger.debug('Parsed address: %s', {'local': local, 'extension': extension, 'domain': domain}) - - with conn.cursor() as cur: - cur.row_factory = namedtuple_row - cur.execute('SELECT "mailbox"."mailbox" as "user", "local", "extension", "domain" FROM "mailbox" INNER JOIN "mailbox_mapping" ON "mailbox".id = "mailbox_mapping"."mailbox" WHERE "mailbox"."mailbox" = %(user)s AND ("local" = %(local)s OR "local" IS NULL) AND ("extension" = %(extension)s OR "extension" IS NULL) AND "domain" = %(domain)s', params = {'user': self.args['ccert_subject'], 'local': local, 'extension': extension if extension is not None else '', 'domain': domain}, prepare=True) - for record in cur: - logger.debug('Received result: %s', record) - allowed = True + user = None + if self.args['sasl_username']: + user = self.args['sasl_username'] + if self.args['ccert_subject']: + user = self.args['ccert_subject'] + + if user: + with self.server.db_pool.connection() as conn: + local, domain = self.args['sender'].split(sep='@', maxsplit=1) + extension = None + if '+' in local: + local, extension = local.split(sep='+', maxsplit=1) + + logger.debug('Parsed address: %s', {'local': local, 'extension': extension, 'domain': domain}) + + with conn.cursor() as cur: + cur.row_factory = namedtuple_row + cur.execute('SELECT "mailbox"."mailbox" as "user", "local", "extension", "domain" FROM "mailbox" INNER JOIN "mailbox_mapping" ON "mailbox".id = "mailbox_mapping"."mailbox" WHERE "mailbox"."mailbox" = %(user)s AND ("local" = %(local)s OR "local" IS NULL) AND ("extension" = %(extension)s OR "extension" IS NULL) AND "domain" = %(domain)s', params = {'user': user, 'local': local, 
'extension': extension if extension is not None else '', 'domain': domain}, prepare=True) + for record in cur: + logger.debug('Received result: %s', record) + allowed = True action = '550 5.7.0 Sender address not authorized for current user' if allowed: diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix index 9c3e8849..66c39e8f 100644 --- a/hosts/surtr/email/default.nix +++ b/hosts/surtr/email/default.nix @@ -204,17 +204,15 @@ in { postscreen_greet_action = "enforce"; }; masterConfig = { - smtps = { + "465" = { type = "inet"; private = false; - command = "smtpd"; + command = "smtpd -v"; args = [ "-o" "smtpd_tls_security_level=encrypt" "-o" "{smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.2}" "-o" "{smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.2}" "-o" "smtpd_tls_mandatory_ciphers=high" - "-o" "smtpd_tls_dh1024_param_file=${toString config.security.dhparams.params."postfix-smtps-1024".path}" - "-o" "smtpd_tls_dh512_param_file=${toString config.security.dhparams.params."postfix-smtps-512".path}" "-o" "{tls_eecdh_auto_curves = X25519 X448}" "-o" "smtpd_tls_wrappermode=yes" 
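Review bot: When a session carries both a SASL login and a verified client certificate, the two new `if` blocks let `ccert_subject` silently replace `sasl_username` with no check that the two identities agree, so the sender-ownership query runs against only one of them. With the listeners as configured elsewhere in this commit (465 without SASL, 466 with `smtpd_tls_ask_ccert=no`) the overlap probably never occurs today, but the policy server should not depend on that; refuse the pair when they differ, e.g. `if self.args['sasl_username'] and self.args['ccert_subject'] and self.args['sasl_username'] != self.args['ccert_subject']: user = None` (and log it), and use `self.args.get(...)` unless Postfix is guaranteed to send both attributes on every request. Note that `local, domain = self.args['sender'].split(sep='@', maxsplit=1)` is still a two-name unpack and raises `ValueError` for a sender without `@` (the null sender of a bounce, for instance) before any reply is written; that is pre-existing, but now two listeners feed this socket so a guard that rejects such senders explicitly is worth adding. The enclosing method starts outside the hunk.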
@@ -223,16 +221,46 @@ in { "-o" "smtpd_tls_received_header=no" "-o" "cleanup_service_name=subcleanup" "-o" "smtpd_client_restrictions=permit_tls_all_clientcerts,reject" - "-o" "{smtpd_data_restrictions = check_policy_service unix:/run/postfwd3/postfwd3.sock}" - "-o" "smtpd_relay_restrictions=permit_tls_all_clientcerts,reject" "-o" "{smtpd_sender_restrictions = reject_unknown_sender_domain,reject_unverified_sender,check_policy_service unix:/run/postfix-ccert-sender-policy.sock}" + "-o" ''{smtpd_recipient_restrictions=reject_unauth_pipelining,reject_non_fqdn_recipient,reject_unknown_recipient_domain,check_recipient_access pgsql:${pkgs.writeText "check_recipient_access.cf" '' + hosts = postgresql:///email + dbname = email + query = SELECT action FROM virtual_mailbox_access WHERE lookup = '%s' OR (lookup = regexp_replace('%s', '\+[^@]*@', '@') AND NOT EXISTS (SELECT 1 FROM virtual_mailbox_access WHERE lookup = '%s')) + ''},permit_tls_all_clientcerts,reject}'' + "-o" "smtpd_relay_restrictions=permit_tls_all_clientcerts,reject" + "-o" "{smtpd_data_restrictions = check_policy_service unix:/run/postfwd3/postfwd3.sock}" "-o" "unverified_sender_reject_code=550" "-o" "unverified_sender_reject_reason={Sender address rejected: undeliverable address}" + "-o" "milter_macro_daemon_name=surtr.yggdrasil.li" + "-o" ''smtpd_milters=${config.services.opendkim.socket}'' + ]; + }; + "466" = { + type = "inet"; + private = false; + command = "smtpd -v"; + args = [ + "-o" "smtpd_tls_security_level=encrypt" + + "-o" "smtpd_tls_wrappermode=yes" + "-o" "smtpd_tls_ask_ccert=no" + "-o" "smtpd_tls_req_ccert=no" + "-o" "smtpd_sasl_type=dovecot" + "-o" "smtpd_sasl_path=/run/dovecot-sasl" + "-o" "smtpd_sasl_auth_enable=yes" + "-o" "smtpd_tls_received_header=no" + "-o" "cleanup_service_name=subcleanup" + "-o" "smtpd_client_restrictions=permit_sasl_authenticated,reject" + "-o" "{smtpd_sender_restrictions = reject_unknown_sender_domain,reject_unverified_sender,check_policy_service 
unix:/run/postfix-ccert-sender-policy.sock}" "-o" ''{smtpd_recipient_restrictions=reject_unauth_pipelining,reject_non_fqdn_recipient,reject_unknown_recipient_domain,check_recipient_access pgsql:${pkgs.writeText "check_recipient_access.cf" '' hosts = postgresql:///email dbname = email query = SELECT action FROM virtual_mailbox_access WHERE lookup = '%s' OR (lookup = regexp_replace('%s', '\+[^@]*@', '@') AND NOT EXISTS (SELECT 1 FROM virtual_mailbox_access WHERE lookup = '%s')) - ''},permit_tls_all_clientcerts,reject}'' + ''},permit_sasl_authenticated,reject}'' + "-o" "smtpd_relay_restrictions=permit_sasl_authenticated,reject" + "-o" "{smtpd_data_restrictions = check_policy_service unix:/run/postfwd3/postfwd3.sock}" + "-o" "unverified_sender_reject_code=550" + "-o" "unverified_sender_reject_reason={Sender address rejected: undeliverable address}" "-o" "milter_macro_daemon_name=surtr.yggdrasil.li" "-o" ''smtpd_milters=${config.services.opendkim.socket}'' ]; @@ -256,7 +284,7 @@ in { smtp_pass = { name = "smtpd"; type = "pass"; - command = "smtpd"; + command = "smtpd -v"; }; postscreen = { name = "smtp"; @@ -413,7 +441,7 @@ in { dovecotSqlConf = pkgs.writeText "dovecot-sql.conf" '' driver = pgsql connect = dbname=email - password_query = SELECT NULL as password, 'Y' as nopassword, "user", quota_rule, 'dovecot2' as uid, 'dovecot2' as gid FROM imap_user WHERE "user" = '%n' + password_query = SELECT (CASE WHEN '%k' = 'valid' AND '%m' = 'EXTERNAL' THEN NULL ELSE "password" END) as password, (CASE WHEN '%k' = 'valid' AND '%m' = 'EXTERNAL' THEN true WHEN password IS NULL THEN true ELSE NULL END) as nopassword, "user", quota_rule, 'dovecot2' as uid, 'dovecot2' as gid FROM imap_user WHERE "user" = '%n' user_query = SELECT "user", quota_rule, 'dovecot2' as uid, 'dovecot2' as gid FROM imap_user WHERE "user" = '%n' iterate_query = SELECT "user" FROM imap_user ''; 
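Review bot: The new `"466"` listener sets `smtpd_tls_security_level=encrypt` but does not carry over the `smtpd_tls_mandatory_protocols`, `smtpd_tls_protocols`, `smtpd_tls_mandatory_ciphers` and `tls_eecdh_auto_curves` overrides that the `"465"` listener keeps (the empty `+` line after it looks like where they were meant to go), so unless main.cf, which is not in this hunk, already pins them, the password-authenticated port negotiates whatever the global defaults allow, TLS 1.0–1.2 included. Duplicate the four `-o` lines, or move them into main.cf so both listeners inherit them. Separately, `smtpd -v` on this listener logs the SMTP dialogue verbosely; as far as I know that includes the client's `AUTH PLAIN`/`AUTH LOGIN` command lines with the base64-encoded credentials, so `-v` should not stay enabled on the SASL port once debugging is done.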
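Review bot: The new `password_query` returns `nopassword = true` whenever `password IS NULL`, independent of `%m`; in Dovecot `nopassword` means "accept any password", so with `auth_mechanisms` now including `plain login`, every mailbox whose `password` column is NULL — which is every existing row right after the `ALTER TABLE mailbox ADD COLUMN password text` in this same commit — can be logged into over IMAP and the new submission port with an arbitrary password. Only the certificate path should set the flag: `(CASE WHEN '%k' = 'valid' AND '%m' = 'EXTERNAL' THEN true ELSE NULL END) as nopassword`; a NULL `password` without `nopassword` then simply fails PLAIN/LOGIN, which is the intended outcome for accounts that have no password. A comment above the query saying that `password IS NULL` must mean "certificate-only account" would keep the next edit from reintroducing this.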
@@ -445,7 +473,7 @@ in { auth_ssl_username_from_cert = yes ssl_cert_username_field = commonName - auth_mechanisms = external + auth_mechanisms = plain login external auth_verbose = yes verbose_ssl = yes @@ -501,6 +529,15 @@ in { group = postfix } } + service auth { + vsz_limit = 2G + + unix_listener /run/dovecot-sasl { + mode = 0600 + user = postfix + group = postfix + } + } namespace inbox { separator = / diff --git a/hosts/surtr/postgresql/default.nix b/hosts/surtr/postgresql/default.nix index f0e42ee8..583e4443 100644 --- a/hosts/surtr/postgresql/default.nix +++ b/hosts/surtr/postgresql/default.nix @@ -262,6 +262,20 @@ in { GRANT DELETE ON "mailbox_mapping" TO "spm"; COMMIT; + + BEGIN; + SELECT _v.register_patch('011-password', ARRAY['000-base'], null); + + ALTER TABLE mailbox ADD COLUMN password text CONSTRAINT password_non_empty CHECK (password IS DISTINCT FROM '''); + COMMIT; + + BEGIN; + SELECT _v.register_patch('012-imap-password', ARRAY['000-base', '002-citext'], null); + + DROP VIEW imap_user; + CREATE VIEW imap_user ("user", "password", quota_rule) AS SELECT mailbox.mailbox AS "user", "password", quota_rule FROM mailbox_quota_rule INNER JOIN mailbox ON mailbox_quota_rule.mailbox = mailbox.mailbox; + + COMMIT; ''} psql etebase postgres -eXf ${pkgs.writeText "etebase.sql" '' diff --git a/hosts/surtr/ruleset.nft b/hosts/surtr/ruleset.nft index ee72614f..14fc9b79 100644 --- a/hosts/surtr/ruleset.nft +++ b/hosts/surtr/ruleset.nft @@ -178,7 +178,7 @@ table inet filter { udp dport 49000-50000 counter name turn-rx accept tcp dport 25 counter name smtp-rx accept - tcp dport 465 counter name submissions-rx accept + tcp dport {465, 466} counter name submissions-rx accept tcp dport 993 counter name imaps-rx accept tcp dport 4190 counter name managesieve-rx accept iifname yggdrasil tcp dport 8432 counter name pgbackrest-rx accept 
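Review bot: Patch `011-password` adds `password text` with only a non-empty CHECK, so nothing at the schema level stops a cleartext or unprefixed value from being stored, and the Dovecot SQL config in this commit sets no `default_pass_scheme`; the column should hold Dovecot `{SCHEME}`-prefixed hashes and the constraint can enforce that, e.g. `CHECK (password IS NULL OR password ~ '^\{[A-Za-z0-9_-]+\}.+')` (mind the Nix `''` quoting of the single quotes, as done for `IS DISTINCT FROM '''`). Patch `012-imap-password` recreates `imap_user` with the `password` column, so every role that had SELECT on that view (its grants are outside this hunk) now reads the hashes; confirm only the Dovecot role does. `012-imap-password` also declares only `000-base` and `002-citext` as prerequisites although it selects the column created by `011-password`, so it should list `011-password` too to keep the patches from being applied out of order.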
@@ -224,7 +224,7 @@ table inet filter {
 udp sport 49000-50000 counter name turn-tx accept
 tcp sport 25 counter name smtp-tx accept
- tcp sport 465 counter name submissions-tx accept
+ tcp sport {465, 466} counter name submissions-tx accept
 tcp sport 993 counter name imaps-tx accept
 tcp sport 4190 counter name managesieve-tx accept
 tcp sport 8432 counter name pgbackrest-tx accept
@@ -232,4 +232,4 @@ table inet filter {
 counter name tx
 }
-}
\ No newline at end of file
+}
-- cgit v1.2.3 From de2521348c54e73c5260a15bd2d7eb214df24c60 Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Sun, 26 May 2024 12:08:43 +0200 Subject: ... --- hosts/surtr/email/default.nix | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) (limited to 'hosts')
diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix
index 66c39e8f..4d75dfae 100644
--- a/hosts/surtr/email/default.nix
+++ b/hosts/surtr/email/default.nix
@@ -902,9 +902,13 @@ in { services.postfwd = { enable = true; + cache = false; rules = '' - id=RCPT01; protocol_state=DATA; protocol_state=END-OF-MESSAGE; action=rcpt(ccert_subject/100/3600/set(HIT_RATELIMIT=1,HIT_RATECOUNT=$$ratecount,HIT_RATELIMIT_LIMIT=100,HIT_RATELIMIT_INTERVAL=3600)) - id=RCPT02; protocol_state=DATA; protocol_state=END-OF-MESSAGE; action=rcpt(ccert_subject/1000/86400/set(HIT_RATELIMIT=1,HIT_RATECOUNT=$$ratecount,HIT_RATELIMIT_LIMIT=1000,HIT_RATELIMIT_INTERVAL=86400)) + id=RCPT_SASL01; protocol_state=DATA; protocol_state=END-OF-MESSAGE; sasl_username!=; action=rcpt(sasl_username/100/3600/set(HIT_RATELIMIT=1,HIT_RATECOUNT=$$ratecount,HIT_RATELIMIT_LIMIT=100,HIT_RATELIMIT_INTERVAL=3600)) + id=RCPT_SASL02; protocol_state=DATA; protocol_state=END-OF-MESSAGE; sasl_username!=; action=rcpt(sasl_username/1000/86400/set(HIT_RATELIMIT=1,HIT_RATECOUNT=$$ratecount,HIT_RATELIMIT_LIMIT=1000,HIT_RATELIMIT_INTERVAL=86400)) + + id=RCPT_CCERT01; protocol_state=DATA; protocol_state=END-OF-MESSAGE; ccert_subject!=; action=rcpt(ccert_subject/100/3600/set(HIT_RATELIMIT=1,HIT_RATECOUNT=$$ratecount,HIT_RATELIMIT_LIMIT=100,HIT_RATELIMIT_INTERVAL=3600)) + id=RCPT_CCERT02; protocol_state=DATA; protocol_state=END-OF-MESSAGE; ccert_subject!=; action=rcpt(ccert_subject/1000/86400/set(HIT_RATELIMIT=1,HIT_RATECOUNT=$$ratecount,HIT_RATELIMIT_LIMIT=1000,HIT_RATELIMIT_INTERVAL=86400)) id=JUMP_REJECT_RL; HIT_RATELIMIT=="1"; action=jump(REJECT_RL) -- cgit v1.2.3 From 94e07ef75250bf3567790d5b16cb76abf42f8746 Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Sun, 2 Jun 2024 12:06:40 +0200 Subject: ... --- hosts/surtr/email/default.nix | 1 + 1 file changed, 1 insertion(+) (limited to 'hosts') diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix index 4d75dfae..a9491007 100644 --- a/hosts/surtr/email/default.nix +++ b/hosts/surtr/email/default.nix 
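Review bot: A request that carries neither `sasl_username` nor `ccert_subject` now matches none of the `RCPT_*` rules and is not rate limited at all, whereas the removed `RCPT01`/`RCPT02` applied unconditionally; this is only safe because both submission listeners reject unauthenticated clients before DATA, so that dependency should be written down next to the rules, e.g. `# unauthenticated sessions never reach DATA (smtpd_client_restrictions on 465/466), so no catch-all limit is needed`. A client that somehow presents both identities would be counted under two independent keys and get twice the budget; harmless with the current listeners, but worth a note. I am assuming `item!=;` is postfwd's non-empty test — if it is not, both rule pairs silently never fire.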
@@ -167,6 +167,7 @@ in { maximal_backoff_time = "10m"; maximal_queue_lifetime = "100m"; bounce_queue_lifetime = "20m"; + delay_warning_time = "10m"; smtpd_discard_ehlo_keyword_address_maps = "cidr:${pkgs.writeText "esmtp_access" '' # Allow DSN requests from local subnet only -- cgit v1.2.3 From d521ae2d5d765f1047f437ecc7af140178b4c0e1 Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Sun, 2 Jun 2024 12:29:17 +0200 Subject: ... --- hosts/surtr/email/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'hosts') diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix index a9491007..057e29f3 100644 --- a/hosts/surtr/email/default.nix +++ b/hosts/surtr/email/default.nix @@ -267,7 +267,7 @@ in { ]; }; subcleanup = { - command = "cleanup"; + command = "cleanup -v"; private = false; maxproc = 0; args = [ @@ -291,7 +291,7 @@ in { name = "smtp"; type = "inet"; private = false; - command = "postscreen"; + command = "postscreen -v"; maxproc = 1; }; smtp = {}; -- cgit v1.2.3 From c2a1e00b26b7e65305a36aa817a311ecbd2d831c Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Tue, 11 Jun 2024 10:05:16 +0200 Subject: email nologin by as-set --- hosts/surtr/email/default.nix | 58 +++++++++++++++++++++++++++++++++++++++++++ hosts/surtr/ruleset.nft | 31 +++++++++++++++++------ 2 files changed, 82 insertions(+), 7 deletions(-) (limited to 'hosts') diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix index 057e29f3..23ac8aa1 100644 --- a/hosts/surtr/email/default.nix +++ b/hosts/surtr/email/default.nix 
@@ -32,9 +32,47 @@ let }); }; + nftables-nologin-script = pkgs.writeScript "nftables-mail-nologin" '' + #!${pkgs.zsh}/bin/zsh + + set -e + export PATH="${lib.makeBinPath (with pkgs; [inetutils nftables])}:$PATH" + + typeset -a as_sets route route6 + as_sets=(${lib.escapeShellArgs config.services.email.nologinASSets}) + + for as_set in $as_sets; do + while IFS=$'\n' read line; do + if [[ "''${line}" =~ "^route:\s+(.+)$" ]]; then + route+=($match[1]) + elif [[ "''${line}" =~ "^route6:\s+(.+)$" ]]; then + route6+=($match[1]) + fi + done < <(whois -h whois.radb.net "!i''${as_set},1" | egrep -o 'AS[0-9]+' | xargs -- whois -h whois.radb.net -- -i origin) + done + + printf -v elements4 '%s,' "''${route[@]}" + elements4=''${elements4%,} + printf -v elements6 '%s,' "''${route6[@]}" + elements6=''${elements6%,} + nft -f - < Date: Tue, 11 Jun 2024 10:49:39 +0200 Subject: ... --- hosts/surtr/email/default.nix | 28 ++++++++++++++++++++++------ 1 file changed, 22 insertions(+), 6 deletions(-) (limited to 'hosts') diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix index 23ac8aa1..bd72b10e 100644 --- a/hosts/surtr/email/default.nix +++ b/hosts/surtr/email/default.nix @@ -38,8 +38,9 @@ let set -e export PATH="${lib.makeBinPath (with pkgs; [inetutils nftables])}:$PATH" - typeset -a as_sets route route6 - as_sets=(${lib.escapeShellArgs config.services.email.nologinASSets}) + typeset -a as_sets mnt_bys route route6 + as_sets=(${lib.escapeShellArgs config.services.email.nologin.ASSets}) + mnt_bys=(${lib.escapeShellArgs config.services.email.nologin.MNTBys}) for as_set in $as_sets; do while IFS=$'\n' read line; do 
@@ -50,6 +51,15 @@ let fi done < <(whois -h whois.radb.net "!i''${as_set},1" | egrep -o 'AS[0-9]+' | xargs -- whois -h whois.radb.net -- -i origin) done + for mnt_by in $mnt_bys; do + while IFS=$'\n' read line; do + if [[ "''${line}" =~ "^route:\s+(.+)$" ]]; then + route+=($match[1]) + elif [[ "''${line}" =~ "^route6:\s+(.+)$" ]]; then + route6+=($match[1]) + fi + done < <(whois -h whois.radb.net "!o''${mnt_by}") + done printf -v elements4 '%s,' "''${route[@]}" elements4=''${elements4%,} @@ -67,9 +77,15 @@ let emailDomains = spmDomains ++ ["kleen.consulting"]; in { options = { - services.email.nologinASSets = mkOption { - type = types.listOf types.str; - default = []; + services.email.nologin = { + ASSets = mkOption { + type = types.listOf types.str; + default = []; + }; + MNTBys = mkOption { + type = types.listOf types.str; + default = []; + }; }; }; @@ -957,7 +973,7 @@ in { ''; }; - services.email.nologinASSets = ["AS-MICROSOFT"]; + services.email.nologin.MNTBys = ["MICROSOFT-MAINT"]; systemd.services.nftables.serviceConfig = { ExecStart = lib.mkAfter [ nftables-nologin-script ]; ExecReload = lib.mkAfter [ nftables-nologin-script ]; -- cgit v1.2.3 From 7850385f9b285d31d79d26d82ab8a858839d29ea Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Tue, 11 Jun 2024 11:37:04 +0200 Subject: ... --- hosts/surtr/zfs.nix | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) (limited to 'hosts') diff --git a/hosts/surtr/zfs.nix b/hosts/surtr/zfs.nix index 583ab8e1..17c5cd32 100644 --- a/hosts/surtr/zfs.nix +++ b/hosts/surtr/zfs.nix @@ -17,7 +17,7 @@ fsType = "zfs"; neededForBoot = true; }; - + "/var/lib/nixos" = { device = "surtr/local/var-lib-nixos"; fsType = "zfs"; 
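Review bot: The new `mnt_by` loop appends whatever follows `route:`/`route6:` in the RADB whois reply straight into `route`/`route6`, and the context lines below show those arrays being joined into set elements for `nft -f -`, so a malformed or hostile RPSL object can inject arbitrary nftables syntax into a ruleset loaded as root. Validate each capture before appending, e.g. `[[ $match[1] =~ '^[0-9]{1,3}(\.[0-9]{1,3}){3}/[0-9]{1,2}$' ]] && route+=($match[1])` and `[[ $match[1] =~ '^[0-9A-Fa-f:]+/[0-9]{1,3}$' ]] && route6+=($match[1])`, and apply the same guard to the `as_set` loop above, which has the same pattern. Because the `whois` calls run inside a process substitution, `set -e` does not stop the script when a lookup fails; the arrays then stay empty and the nologin set is loaded empty, which is presumably fail-open for the mail rules that reference it, so check `$#route`/`$#route6` (or the whois exit status) before invoking `nft`.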
@@ -62,10 +62,13 @@ }; services.zfssnap.enable = true; - services.zfs.trim.enable = false; + services.zfs.trim = { + enable = true; + interval = "Sun 16:00:00 Europe/Berlin"; + }; services.zfs.autoScrub = { enable = true; - interval = "Sun *-*-1..7 04:00:00"; + interval = "Sun *-*-1..7 04:00:00 Europe/Berlin"; }; services.zfs.zed.settings = { ZED_SYSLOG_SUBCLASS_EXCLUDE = "history_event"; -- cgit v1.2.3 From e4e7651887bca1179348c4303a319f2f3e339942 Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Sat, 22 Jun 2024 21:09:58 +0200 Subject: surtr: fix vpn --- hosts/surtr/vpn/default.nix | 59 ++++++++++++++++----------------------------- 1 file changed, 21 insertions(+), 38 deletions(-) (limited to 'hosts') diff --git a/hosts/surtr/vpn/default.nix b/hosts/surtr/vpn/default.nix index 74a9fb22..636dab1a 100644 --- a/hosts/surtr/vpn/default.nix +++ b/hosts/surtr/vpn/default.nix @@ -12,12 +12,21 @@ in { "net.netfilter.nf_log_all_netns" = true; }; - networking.namespaces = { - enable = true; - containers."vpn".config = { + containers."vpn" = { + autoStart = true; + ephemeral = true; + extraFlags = [ + "--network-ipvlan=ens3:upstream" + "--load-credential=surtr.priv:${config.sops.secrets.vpn.path}" + ]; + + config = { boot.kernel.sysctl = { "net.core.rmem_max" = 4194304; "net.core.wmem_max" = 4194304; + "net.ipv6.conf.all.forwarding" = 1; + "net.ipv6.conf.default.forwarding"= 1; + "net.ipv4.conf.all.forwarding" = 1; }; environment = { @@ -53,6 +62,15 @@ in { systemd.network = { netdevs = { + upstream = { + netdevConfig = { + Name = "upstream"; + Kind = "ipvlan"; + }; + ipvlanConfig = { + Mode = "L2"; + }; + }; vpn = { netdevConfig = { Name = "vpn"; 
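Review bot: The container now gets an ipvlan child of `ens3` via `--network-ipvlan=ens3:upstream` and enables IPv4/IPv6 forwarding, which places a forwarding router with its own presence on the public uplink; nothing in this hunk filters that interface, and as far as I understand ipvlan, traffic delivered to the child interface never passes through the host's nftables, so the container config needs its own ruleset for `upstream` (if it already has one outside this hunk, a comment here pointing to it would help). `net.ipv4.conf.default.forwarding` was set by the removed `vpn-upstream` unit but is absent from the new sysctl list; for IPv4 `all.forwarding` is a global switch so this is likely harmless, but a one-line comment would stop it reading as an omission. Whether `boot.kernel.sysctl` inside an nspawn container can actually write these keys depends on how the container is started — confirm they take effect rather than fail silently.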
@@ -136,41 +154,6 @@ in { }; }; - systemd.services = { - "vpn-upstream" = { - bindsTo = ["netns@vpn.service"]; - after = ["netns@vpn.service"]; - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; - ExecStop = "${pkgs.iproute2}/bin/ip netns exec vpn ip link delete upstream"; - }; - path = with pkgs; [ iproute2 procps ]; - script = '' - ip netns exec vpn sysctl \ - net.ipv6.conf.all.forwarding=1 \ - net.ipv6.conf.default.forwarding=1 \ - net.ipv4.conf.all.forwarding=1 \ - net.ipv4.conf.default.forwarding=1 - - ip link add link ens3 name upstream type ipvlan mode l2 - ip link set upstream netns vpn - ''; - }; - - "netns-container@vpn" = { - wantedBy = ["multi-user.target" "network-online.target"]; - after = ["vpn-upstream.service"]; - bindsTo = ["vpn-upstream.service"]; - - serviceConfig = { - LoadCredential = [ - "surtr.priv:${config.sops.secrets.vpn.path}" - ]; - }; - }; - }; - sops.secrets.vpn = { format = "binary"; sopsFile = ./surtr.priv; -- cgit v1.2.3 From 68f7b6dcf0d388ea14b0782fb62f6cb7b7ea941c Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Tue, 9 Jul 2024 14:24:14 +0200 Subject: dsl -> gpon --- hosts/vidhar/dns/zones/yggdrasil.soa | 3 +- hosts/vidhar/network/default.nix | 2 +- hosts/vidhar/network/dsl.nix | 265 ----------------------- hosts/vidhar/network/gpon.nix | 265 +++++++++++++++++++++++ hosts/vidhar/network/ruleset.nft | 72 +++--- hosts/vidhar/prometheus/default.nix | 54 +---- hosts/vidhar/prometheus/zte_dsl01.mgmt.yggdrasil | 26 --- 7 files changed, 305 insertions(+), 382 deletions(-) delete mode 100644 hosts/vidhar/network/dsl.nix create mode 100644 hosts/vidhar/network/gpon.nix delete mode 100644 hosts/vidhar/prometheus/zte_dsl01.mgmt.yggdrasil (limited to 'hosts') diff --git a/hosts/vidhar/dns/zones/yggdrasil.soa b/hosts/vidhar/dns/zones/yggdrasil.soa index f679b741..dede06ac 100644 --- a/hosts/vidhar/dns/zones/yggdrasil.soa +++ b/hosts/vidhar/dns/zones/yggdrasil.soa 
@@ -1,7 +1,7 @@ $ORIGIN yggdrasil. $TTL 300 @ IN SOA vidhar.yggdrasil. hostmaster.yggdrasil.li ( - 2023030501 ; serial + 2024070901 ; serial 300 ; refresh 300 ; retry 300 ; expire @@ -27,4 +27,5 @@ vidhar.lan IN A 10.141.0.1 vidhar.mgmt IN A 10.141.1.1 switch01.mgmt IN A 10.141.1.2 dsl01.mgmt IN A 10.141.1.3 +gpon01.mgmt IN A 10.10.1.1 ap01.mgmt IN A 10.141.1.4 diff --git a/hosts/vidhar/network/default.nix b/hosts/vidhar/network/default.nix index e961c17e..cbfbb65a 100644 --- a/hosts/vidhar/network/default.nix +++ b/hosts/vidhar/network/default.nix @@ -3,7 +3,7 @@ with lib; { - imports = [ ./dsl.nix ./bifrost ./dhcp ]; + imports = [ ./gpon.nix ./bifrost ./dhcp ]; config = { networking = { diff --git a/hosts/vidhar/network/dsl.nix b/hosts/vidhar/network/dsl.nix deleted file mode 100644 index 1e8e9c73..00000000 --- a/hosts/vidhar/network/dsl.nix +++ /dev/null 
@@ -1,265 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; - -let - pppInterface = config.networking.pppInterface; -in { - options = { - networking.pppInterface = mkOption { - type = types.str; - default = "dsl"; - }; - }; - - config = { - networking.vlans = { - telekom = { - id = 7; - interface = "eno2"; - }; - }; - - services.pppd = { - enable = true; - peers.telekom.config = '' - nodefaultroute - ifname ${pppInterface} - lcp-echo-adaptive - lcp-echo-failure 5 - lcp-echo-interval 1 - maxfail 0 - mtu 1492 - mru 1492 - plugin pppoe.so - name telekom - user 002576900250551137425220#0001@t-online.de - telekom - debug - +ipv6 - ''; - }; - systemd.services."pppd-telekom" = { - stopIfChanged = true; - - serviceConfig = { - PIDFile = "/run/pppd/${pppInterface}.pid"; - }; - }; - sops.secrets."pap-secrets" = { - format = "binary"; - sopsFile = ./pap-secrets; - path = "/etc/ppp/pap-secrets"; - }; - - environment.etc = { - "ppp/ip-pre-up".source = let - app = pkgs.writeShellApplication { - name = "ip-pre-up"; - runtimeInputs = with pkgs; [ iproute2 ethtool ]; - text = '' - ethtool -K telekom tso off gso off gro off - - ip link del "ifb4${pppInterface}" || true - ip link add name "ifb4${pppInterface}" type ifb - ip link set "ifb4${pppInterface}" up - - tc qdisc del dev "ifb4${pppInterface}" root || true - tc qdisc del dev "${pppInterface}" ingress || true - tc qdisc del dev "${pppInterface}" root || true - - tc qdisc add dev "${pppInterface}" handle ffff: ingress - tc filter add dev "${pppInterface}" parent ffff: basic action ctinfo dscp 0x0000003f 0x00000040 action mirred egress redirect dev "ifb4${pppInterface}" - tc qdisc replace dev "ifb4${pppInterface}" root cake memlimit 64Mb pppoe-ptm diffserv4 bandwidth 93mbit - tc qdisc replace dev "${pppInterface}" root cake memlimit 64Mb pppoe-ptm nat diffserv4 wash bandwidth 35mbit - ''; - }; - in "${app}/bin/${app.meta.mainProgram}"; - "ppp/ip-up".source = let - app = pkgs.writeShellApplication { - name = "ip-up"; - 
runtimeInputs = with pkgs; [ iproute2 ]; - text = '' - ip route add default via "$5" dev "${pppInterface}" metric 512 - ''; - }; - in "${app}/bin/${app.meta.mainProgram}"; - "ppp/ip-down".source = let - app = pkgs.writeShellApplication { - name = "ip-down"; - runtimeInputs = with pkgs; [ iproute2 ]; - text = '' - ip link del "ifb4${pppInterface}" - ''; - }; - in "${app}/bin/${app.meta.mainProgram}"; - }; - - systemd.network.networks.${pppInterface} = { - matchConfig = { - Name = pppInterface; - }; - dns = [ "::1" "127.0.0.1" ]; - domains = [ "~." ]; - networkConfig = { - LinkLocalAddressing = "no"; - DNSSEC = true; - }; - }; - - services.corerad = { - enable = true; - settings = { - interfaces = [ - { name = pppInterface; - monitor = true; - verbose = true; - } - { name = "lan"; - advertise = true; - verbose = true; - prefix = [{ prefix = "::/64"; }]; - route = [{ prefix = "::/0"; }]; - rdnss = [{ servers = ["::"]; }]; - dnssl = [{ domain_names = ["yggdrasil"]; }]; - # other_config = true; - } - ]; - - debug = { - address = "localhost:9430"; - prometheus = true; - }; - }; - }; - services.ndppd = { - enable = true; - proxies = { - ${pppInterface} = { - router = true; - rules = { - lan = { - method = "iface"; - interface = "lan"; - network = "::/0"; - }; - }; - }; - }; - }; - boot.kernelModules = [ "ifb" ]; - boot.kernel.sysctl = { - "net.ipv6.conf.all.forwarding" = true; - "net.ipv6.conf.default.forwarding" = true; - "net.ipv4.conf.all.forwarding" = true; - "net.ipv4.conf.default.forwarding" = true; - - "net.core.rmem_max" = 4194304; - "net.core.wmem_max" = 4194304; - }; - systemd.services."pppd-telekom" = { - bindsTo = [ "sys-subsystem-net-devices-telekom.device" ]; - after = [ "sys-subsystem-net-devices-telekom.device" ]; - }; - systemd.services."dhcpcd-${pppInterface}" = { - wantedBy = [ "multi-user.target" "network-online.target" "pppd-telekom.service" ]; - bindsTo = [ "pppd-telekom.service" ]; - after = [ "pppd-telekom.service" ]; - wants = [ "network.target" 
]; - before = [ "network-online.target" ]; - - path = with pkgs; [ dhcpcd nettools openresolv ]; - unitConfig.ConditionCapability = "CAP_NET_ADMIN"; - - stopIfChanged = true; - - preStart = '' - i=0 - - while [[ -z "$(${pkgs.iproute2}/bin/ip -6 addr show dev ${pppInterface} scope link)" ]]; do - ${pkgs.coreutils}/bin/sleep 0.1 - i=$((i + 1)) - if [[ "$i" -ge 10 ]]; then - exit 1 - fi - done - ''; - - postStop = '' - for dev in lan; do - ${pkgs.iproute2}/bin/ip -6 a show dev "''${dev}" scope global | ${pkgs.gnugrep}/bin/grep inet6 | ${pkgs.gawk}/bin/awk '{ print $2; }' | ${pkgs.findutils}/bin/xargs -I '{}' -- ${pkgs.iproute2}/bin/ip addr del '{}' dev "''${dev}" - done - ''; - - serviceConfig = let - dhcpcdConf = pkgs.writeText "dhcpcd.conf" '' - duid - vendorclassid - ipv6only - - nooption domain_name_servers, domain_name, domain_search - option classless_static_routes - option interface_mtu - - option host_name - option rapid_commit - require dhcp_server_identifier - slaac private - - nohook resolv.conf - ipv6ra_autoconf - iaid 1195061668 - ipv6rs # enable routing solicitation for WAN adapter - ia_pd 1 lan/0/64/0 # request a PD and assign it to the LAN - - reboot 0 - - waitip 6 - ''; - in { - Type = "forking"; - PIDFile = "/var/run/dhcpcd/${pppInterface}.pid"; - RuntimeDirectory = "dhcpcd"; - ExecStart = "@${pkgs.dhcpcd}/sbin/dhcpcd dhcpcd -q --config ${dhcpcdConf} ${pppInterface}"; - ExecReload = "${pkgs.dhcpcd}/sbin/dhcpcd --rebind ${pppInterface}"; - Restart = "always"; - RestartSec = "5"; - }; - }; - systemd.services.ndppd = { - wantedBy = [ "dhcpcd-${pppInterface}.service" ]; - bindsTo = [ "dhcpcd-${pppInterface}.service" ]; - after = [ "dhcpcd-${pppInterface}.service" ]; - - serviceConfig = { - Restart = "always"; - RestartSec = "5"; - }; - }; - systemd.services.corerad = { - wantedBy = [ "dhcpcd-${pppInterface}.service" ]; - bindsTo = [ "dhcpcd-${pppInterface}.service" ]; - after = [ "dhcpcd-${pppInterface}.service" ]; - - serviceConfig = { - Restart = 
lib.mkForce "always"; - RestartSec = "5"; - }; - }; - users.users.dhcpcd = { - isSystemUser = true; - group = "dhcpcd"; - }; - users.groups.dhcpcd = {}; - - systemd.services.unbound = { - wantedBy = [ "dhcpcd-${pppInterface}.service" ]; - bindsTo = [ "dhcpcd-${pppInterface}.service" ]; - after = [ "dhcpcd-${pppInterface}.service" ]; - - serviceConfig = { - Restart = lib.mkForce "always"; - }; - }; - }; -} diff --git a/hosts/vidhar/network/gpon.nix b/hosts/vidhar/network/gpon.nix new file mode 100644 index 00000000..c15a6e8d --- /dev/null +++ b/hosts/vidhar/network/gpon.nix 
@@ -0,0 +1,265 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + pppInterface = config.networking.pppInterface; +in { + options = { + networking.pppInterface = mkOption { + type = types.str; + default = "gpon"; + }; + }; + + config = { + networking.vlans = { + telekom = { + id = 7; + interface = "eno2"; + }; + }; + + services.pppd = { + enable = true; + peers.telekom.config = '' + nodefaultroute + ifname ${pppInterface} + lcp-echo-adaptive + lcp-echo-failure 5 + lcp-echo-interval 1 + maxfail 0 + mtu 1492 + mru 1492 + plugin pppoe.so + name telekom + user 002576900250551137425220#0001@t-online.de + nic-telekom + debug + +ipv6 + ''; + }; + systemd.services."pppd-telekom" = { + stopIfChanged = true; + + serviceConfig = { + PIDFile = "/run/pppd/${pppInterface}.pid"; + }; + }; + sops.secrets."pap-secrets" = { + format = "binary"; + sopsFile = ./pap-secrets; + path = "/etc/ppp/pap-secrets"; + }; + + environment.etc = { + "ppp/ip-pre-up".source = let + app = pkgs.writeShellApplication { + name = "ip-pre-up"; + runtimeInputs = with pkgs; [ iproute2 ethtool ]; + text = '' + ethtool -K telekom tso off gso off gro off + + ip link del "ifb4${pppInterface}" || true + ip link add name "ifb4${pppInterface}" type ifb + ip link set "ifb4${pppInterface}" up + + tc qdisc del dev "ifb4${pppInterface}" root || true + tc qdisc del dev "${pppInterface}" ingress || true + tc qdisc del dev "${pppInterface}" root || true + + tc qdisc add dev "${pppInterface}" handle ffff: ingress + tc filter add dev "${pppInterface}" parent ffff: basic action ctinfo dscp 0x0000003f 0x00000040 action mirred egress redirect dev "ifb4${pppInterface}" + tc qdisc replace dev "ifb4${pppInterface}" root cake memlimit 128Mb pppoe-ptm diffserv4 bandwidth 238mbit + tc qdisc replace dev "${pppInterface}" root cake memlimit 128Mb pppoe-ptm nat diffserv4 wash bandwidth 48mbit + ''; + }; + in "${app}/bin/${app.meta.mainProgram}"; + "ppp/ip-up".source = let + app = pkgs.writeShellApplication { + name = "ip-up"; + 
runtimeInputs = with pkgs; [ iproute2 ]; + text = '' + ip route add default via "$5" dev "${pppInterface}" metric 512 + ''; + }; + in "${app}/bin/${app.meta.mainProgram}"; + "ppp/ip-down".source = let + app = pkgs.writeShellApplication { + name = "ip-down"; + runtimeInputs = with pkgs; [ iproute2 ]; + text = '' + ip link del "ifb4${pppInterface}" + ''; + }; + in "${app}/bin/${app.meta.mainProgram}"; + }; + + systemd.network.networks.${pppInterface} = { + matchConfig = { + Name = pppInterface; + }; + dns = [ "::1" "127.0.0.1" ]; + domains = [ "~." ]; + networkConfig = { + LinkLocalAddressing = "no"; + DNSSEC = true; + }; + }; + + services.corerad = { + enable = true; + settings = { + interfaces = [ + { name = pppInterface; + monitor = true; + verbose = true; + } + { name = "lan"; + advertise = true; + verbose = true; + prefix = [{ prefix = "::/64"; }]; + route = [{ prefix = "::/0"; }]; + rdnss = [{ servers = ["::"]; }]; + dnssl = [{ domain_names = ["yggdrasil"]; }]; + # other_config = true; + } + ]; + + debug = { + address = "localhost:9430"; + prometheus = true; + }; + }; + }; + services.ndppd = { + enable = true; + proxies = { + ${pppInterface} = { + router = true; + rules = { + lan = { + method = "iface"; + interface = "lan"; + network = "::/0"; + }; + }; + }; + }; + }; + boot.kernelModules = [ "ifb" ]; + boot.kernel.sysctl = { + "net.ipv6.conf.all.forwarding" = true; + "net.ipv6.conf.default.forwarding" = true; + "net.ipv4.conf.all.forwarding" = true; + "net.ipv4.conf.default.forwarding" = true; + + "net.core.rmem_max" = 4194304; + "net.core.wmem_max" = 4194304; + }; + systemd.services."pppd-telekom" = { + bindsTo = [ "sys-subsystem-net-devices-telekom.device" ]; + after = [ "sys-subsystem-net-devices-telekom.device" ]; + }; + systemd.services."dhcpcd-${pppInterface}" = { + wantedBy = [ "multi-user.target" "network-online.target" "pppd-telekom.service" ]; + bindsTo = [ "pppd-telekom.service" ]; + after = [ "pppd-telekom.service" ]; + wants = [ "network.target" 
]; + before = [ "network-online.target" ]; + + path = with pkgs; [ dhcpcd nettools openresolv ]; + unitConfig.ConditionCapability = "CAP_NET_ADMIN"; + + stopIfChanged = true; + + preStart = '' + i=0 + + while [[ -z "$(${pkgs.iproute2}/bin/ip -6 addr show dev ${pppInterface} scope link)" ]]; do + ${pkgs.coreutils}/bin/sleep 0.1 + i=$((i + 1)) + if [[ "$i" -ge 10 ]]; then + exit 1 + fi + done + ''; + + postStop = '' + for dev in lan; do + ${pkgs.iproute2}/bin/ip -6 a show dev "''${dev}" scope global | ${pkgs.gnugrep}/bin/grep inet6 | ${pkgs.gawk}/bin/awk '{ print $2; }' | ${pkgs.findutils}/bin/xargs -I '{}' -- ${pkgs.iproute2}/bin/ip addr del '{}' dev "''${dev}" + done + ''; + + serviceConfig = let + dhcpcdConf = pkgs.writeText "dhcpcd.conf" '' + duid + vendorclassid + ipv6only + + nooption domain_name_servers, domain_name, domain_search + option classless_static_routes + option interface_mtu + + option host_name + option rapid_commit + require dhcp_server_identifier + slaac private + + nohook resolv.conf + ipv6ra_autoconf + iaid 1195061668 + ipv6rs # enable routing solicitation for WAN adapter + ia_pd 1 lan/0/64/0 # request a PD and assign it to the LAN + + reboot 0 + + waitip 6 + ''; + in { + Type = "forking"; + PIDFile = "/var/run/dhcpcd/${pppInterface}.pid"; + RuntimeDirectory = "dhcpcd"; + ExecStart = "@${pkgs.dhcpcd}/sbin/dhcpcd dhcpcd -q --config ${dhcpcdConf} ${pppInterface}"; + ExecReload = "${pkgs.dhcpcd}/sbin/dhcpcd --rebind ${pppInterface}"; + Restart = "always"; + RestartSec = "5"; + }; + }; + systemd.services.ndppd = { + wantedBy = [ "dhcpcd-${pppInterface}.service" ]; + bindsTo = [ "dhcpcd-${pppInterface}.service" ]; + after = [ "dhcpcd-${pppInterface}.service" ]; + + serviceConfig = { + Restart = "always"; + RestartSec = "5"; + }; + }; + systemd.services.corerad = { + wantedBy = [ "dhcpcd-${pppInterface}.service" ]; + bindsTo = [ "dhcpcd-${pppInterface}.service" ]; + after = [ "dhcpcd-${pppInterface}.service" ]; + + serviceConfig = { + Restart = 
lib.mkForce "always"; + RestartSec = "5"; + }; + }; + users.users.dhcpcd = { + isSystemUser = true; + group = "dhcpcd"; + }; + users.groups.dhcpcd = {}; + + systemd.services.unbound = { + wantedBy = [ "dhcpcd-${pppInterface}.service" ]; + bindsTo = [ "dhcpcd-${pppInterface}.service" ]; + after = [ "dhcpcd-${pppInterface}.service" ]; + + serviceConfig = { + Restart = lib.mkForce "always"; + }; + }; + }; +} diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft index 6eb97f85..9843b71a 100644 --- a/hosts/vidhar/network/ruleset.nft +++ b/hosts/vidhar/network/ruleset.nft @@ -4,15 +4,15 @@ table arp filter { limit lim_arp_local { rate over 50 mbytes/second burst 50 mbytes } - limit lim_arp_dsl { - rate over 1400 kbytes/second burst 1400 kbytes + limit lim_arp_gpon { + rate over 1750 kbytes/second burst 1750 kbytes } counter arp-rx {} counter arp-tx {} - counter arp-ratelimit-dsl-rx {} - counter arp-ratelimit-dsl-tx {} + counter arp-ratelimit-gpon-rx {} + counter arp-ratelimit-gpon-tx {} counter arp-ratelimit-local-rx {} counter arp-ratelimit-local-tx {} @@ -21,8 +21,8 @@ table arp filter { type filter hook input priority filter policy accept - iifname != dsl limit name lim_arp_local counter name arp-ratelimit-local-rx drop - iifname dsl limit name lim_arp_dsl counter name arp-ratelimit-dsl-rx drop + iifname != gpon limit name lim_arp_local counter name arp-ratelimit-local-rx drop + iifname gpon limit name lim_arp_gpon counter name arp-ratelimit-gpon-rx drop counter name arp-rx } @@ -31,8 +31,8 @@ table arp filter { type filter hook output priority filter policy accept - oifname != dsl limit name lim_arp_local counter name arp-ratelimit-local-tx drop - oifname dsl limit name lim_arp_dsl counter name arp-ratelimit-dsl-tx drop + oifname != gpon limit name lim_arp_local counter name arp-ratelimit-local-tx drop + oifname gpon limit name lim_arp_gpon counter name arp-ratelimit-gpon-tx drop counter name arp-tx } 
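Review bot: The dhcpcd preStart polls for a link-local address on the ppp interface at most 10 × 0.1 s and then exits 1, but nothing records that the 1 s bound is deliberate or that the address is expected from pppd's IPV6CP (`+ipv6` in the peer config) rather than from networkd, whose network for the same interface sets `LinkLocalAddressing = "no"`; a comment at the top of the loop such as `# link-local on the ppp interface comes from pppd (IPV6CP), not networkd; wait ~1 s (10 x 0.1 s), else fail and let Restart=always retry in 5 s` would make both assumptions reviewable. If networkd ever withheld or removed the pppd-assigned link-local on that link, the unit would cycle through failure every 5 s, so the interaction is worth confirming on a rebuild rather than left implicit. The `user …@t-online.de` line puts the access identifier into the repository and the world-readable nix store while the matching password lives in sops; if the identifier is considered part of the credential it can live beside the password (pppd reads additional options from a file named via `file`), otherwise a one-line comment stating it is intentionally non-secret settles the question for the next reader. Minor: `PIDFile = "/var/run/dhcpcd/${pppInterface}.pid"` uses the legacy prefix while the pppd unit in the same file uses `/run/pppd/…`; systemd accepts it with a warning, so `PIDFile = "/run/dhcpcd/${pppInterface}.pid"` keeps the two consistent.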
@@ -46,11 +46,11 @@ table inet filter { limit lim_icmp_local { rate over 50 mbytes/second burst 50 mbytes } - limit lim_icmp_dsl { - rate over 1400 kbytes/second burst 1400 kbytes + limit lim_icmp_gpon { + rate over 1750 kbytes/second burst 1750 kbytes } - counter icmp-ratelimit-dsl-fw {} + counter icmp-ratelimit-gpon-fw {} counter icmp-ratelimit-local-fw {} counter icmp-fw {} @@ -58,7 +58,7 @@ table inet filter { counter invalid-fw {} counter fw-lo {} counter fw-lan {} - counter fw-dsl {} + counter fw-gpon {} counter fw-cups {} @@ -73,7 +73,7 @@ table inet filter { counter invalid-local4-rx {} counter invalid-local6-rx {} - counter icmp-ratelimit-dsl-rx {} + counter icmp-ratelimit-gpon-rx {} counter icmp-ratelimit-local-rx {} counter icmp-rx {} @@ -101,7 +101,7 @@ table inet filter { counter tx-lo {} - counter icmp-ratelimit-dsl-tx {} + counter icmp-ratelimit-gpon-tx {} counter icmp-ratelimit-local-tx {} counter icmp-tx {} @@ -123,10 +123,10 @@ table inet filter { chain forward_icmp_accept { - oifname { dsl, bifrost } limit name lim_icmp_dsl counter name icmp-ratelimit-dsl-fw drop - iifname { dsl, bifrost } limit name lim_icmp_dsl counter name icmp-ratelimit-dsl-fw drop - oifname != { dsl, bifrost } limit name lim_icmp_local counter name icmp-ratelimit-local-fw drop - iifname != { dsl, bifrost } limit name lim_icmp_local counter name icmp-ratelimit-local-fw drop + oifname { gpon, bifrost } limit name lim_icmp_gpon counter name icmp-ratelimit-gpon-fw drop + iifname { gpon, bifrost } limit name lim_icmp_gpon counter name icmp-ratelimit-gpon-fw drop + oifname != { gpon, bifrost } limit name lim_icmp_local counter name icmp-ratelimit-local-fw drop + iifname != { gpon, bifrost } limit name lim_icmp_local counter name icmp-ratelimit-local-fw drop counter name icmp-fw accept } chain forward { 
@@ -139,10 +139,10 @@ table inet filter { iifname lo counter name fw-lo accept - oifname { lan, dsl, bifrost } meta l4proto $icmp_protos jump forward_icmp_accept - iifname lan oifname { dsl, bifrost } counter name fw-lan accept + oifname { lan, gpon, bifrost } meta l4proto $icmp_protos jump forward_icmp_accept + iifname lan oifname { gpon, bifrost } counter name fw-lan accept - iifname dsl oifname lan ct state { established, related } counter name fw-dsl accept + iifname gpon oifname lan ct state { established, related } counter name fw-gpon accept limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop 
@@ -163,22 +163,22 @@ table inet filter { iif != lo ip daddr 127.0.0.1/8 counter name invalid-local4-rx reject iif != lo ip6 daddr ::1/128 counter name invalid-local6-rx reject - iifname { bifrost, dsl } meta l4proto $icmp_protos limit name lim_icmp_dsl counter name icmp-ratelimit-dsl-rx drop - iifname != { bifrost, dsl } meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-rx drop + iifname { bifrost, gpon } meta l4proto $icmp_protos limit name lim_icmp_gpon counter name icmp-ratelimit-gpon-rx drop + iifname != { bifrost, gpon } meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-rx drop meta l4proto $icmp_protos counter name icmp-rx accept - iifname { lan, mgmt, dsl, yggdrasil, bifrost } tcp dport 22 counter name ssh-rx accept - iifname { lan, mgmt, dsl, yggdrasil, bifrost } udp dport 60000-61000 counter name mosh-rx accept + iifname { lan, mgmt, gpon, yggdrasil, bifrost } tcp dport 22 counter name ssh-rx accept + iifname { lan, mgmt, gpon, yggdrasil, bifrost } udp dport 60000-61000 counter name mosh-rx accept iifname { lan, mgmt, wifibh, yggdrasil } meta l4proto { tcp, udp } th dport 53 counter name dns-rx accept iifname { lan, yggdrasil } tcp dport 2049 counter name nfs-rx accept - iifname { lan, mgmt, dsl } meta protocol ip udp dport 51820 counter name wg-rx accept - iifname { lan, mgmt, dsl } meta protocol ip6 udp dport 51821 counter name wg-rx accept + iifname { lan, mgmt, gpon } meta protocol ip udp dport 51820 counter name wg-rx accept + iifname { lan, mgmt, gpon } meta protocol ip6 udp dport 51821 counter name wg-rx accept iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-rx accept - iifname dsl meta protocol ip6 udp dport 546 udp sport 547 counter name ipv6-pd-rx accept + iifname gpon meta protocol ip6 udp dport 546 udp sport 547 counter name ipv6-pd-rx accept iifname mgmt udp dport 123 counter name ntp-rx accept 
@@ -209,8 +209,8 @@ table inet filter { oifname lo counter name tx-lo accept - oifname { bifrost, dsl } meta l4proto $icmp_protos limit name lim_icmp_dsl counter name icmp-ratelimit-dsl-tx drop - oifname != { bifrost, dsl } meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-tx drop + oifname { bifrost, gpon } meta l4proto $icmp_protos limit name lim_icmp_gpon counter name icmp-ratelimit-gpon-tx drop + oifname != { bifrost, gpon } meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-tx drop meta l4proto $icmp_protos counter name icmp-tx accept @@ -246,7 +246,7 @@ table inet filter { } table inet nat { - counter dsl-nat {} + counter gpon-nat {} # counter container-nat {} chain postrouting { @@ -254,20 +254,20 @@ table inet nat { policy accept - meta nfproto ipv4 oifname dsl counter name dsl-nat masquerade - # iifname ve-* oifname dsl counter name container-nat masquerade + meta nfproto ipv4 oifname gpon counter name gpon-nat masquerade + # iifname ve-* oifname gpon counter name container-nat masquerade } } table inet mss_clamp { - counter dsl-mss-clamp {} + counter gpon-mss-clamp {} chain postrouting { type filter hook postrouting priority mangle policy accept - oifname dsl tcp flags & (syn|rst) == syn counter name dsl-mss-clamp tcp option maxseg size set rt mtu + oifname gpon tcp flags & (syn|rst) == syn counter name gpon-mss-clamp tcp option maxseg size set rt mtu } } @@ -402,7 +402,7 @@ table inet dscpclassify { chain postrouting { type filter hook postrouting priority filter + 1; policy accept - oifname != dsl return + oifname != gpon return ip dscp cs0 goto ct_set_cs0 ip dscp lephb goto ct_set_lephb diff --git a/hosts/vidhar/prometheus/default.nix b/hosts/vidhar/prometheus/default.nix index 1e649824..330026d7 100644 --- a/hosts/vidhar/prometheus/default.nix +++ b/hosts/vidhar/prometheus/default.nix 
@@ -63,7 +63,7 @@ in { systemd = { enable = true; extraFlags = [ - "--systemd.collector.unit-include=(dhcpcd-dsl|pppd-telekom|corerad|ndppd)\.service" + "--systemd.collector.unit-include=(dhcpcd-.*|pppd-telekom|corerad|ndppd)\.service" "--systemd.collector.enable-restart-count" "--systemd.collector.enable-ip-accounting" ]; @@ -144,17 +144,6 @@ in { ]; scrape_interval = "15s"; } - { job_name = "zte"; - static_configs = [ - { targets = ["localhost:9900"]; } - ]; - relabel_configs = [ - { replacement = "dsl01"; - target_label = "instance"; - } - ]; - scrape_interval = "15s"; - } { job_name = "unbound"; static_configs = [ { targets = ["localhost:${toString config.services.prometheus.exporters.unbound.port}"]; } 
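Review bot: The `\.` in `"--systemd.collector.unit-include=(dhcpcd-.*|pppd-telekom|corerad|ndppd)\.service"` is consumed as a Nix string escape, not a regex escape: in a double-quoted Nix string `\.` evaluates to a plain `.`, so the exporter receives `...).service` where the dot matches any character. That is harmless for real unit names, which always carry the literal dot, but the intent is clearer with `\\.service` (or by dropping the escape and accepting the wildcard explicitly). The pre-existing line had the same quirk; only the alternation changed here, so this is a cleanup opportunity rather than a regression.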
@@ -315,47 +304,6 @@ in { }; }; - systemd.services."prometheus-zte-exporter@dsl01.mgmt.yggdrasil" = { - wantedBy = [ "multi-user.target" ]; - after = [ "network.target" ]; - serviceConfig = { - Restart = "always"; - PrivateTmp = true; - WorkingDirectory = "/tmp"; - DynamicUser = true; - CapabilityBoundingSet = [""]; - DeviceAllow = [""]; - LockPersonality = true; - MemoryDenyWriteExecute = true; - NoNewPrivileges = true; - PrivateDevices = true; - ProtectClock = true; - ProtectControlGroups = true; - ProtectHome = true; - ProtectHostname = true; - ProtectKernelLogs = true; - ProtectKernelModules = true; - ProtectKernelTunables = true; - ProtectSystem = "strict"; - RemoveIPC = true; - RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; - RestrictNamespaces = true; - RestrictRealtime = true; - RestrictSUIDSGID = true; - SystemCallArchitectures = "native"; - UMask = "0077"; - - Type = "simple"; - ExecStart = "${pkgs.zte-prometheus-exporter}/bin/zte-prometheus-exporter"; - Environment = "ZTE_BASEURL=http://%I ZTE_HOSTNAME=localhost ZTE_PORT=9900"; - EnvironmentFile = config.sops.secrets."zte_dsl01.mgmt.yggdrasil".path; - }; - }; - sops.secrets."zte_dsl01.mgmt.yggdrasil" = { - format = "binary"; - sopsFile = ./zte_dsl01.mgmt.yggdrasil; - }; - systemd.services."prometheus-nftables-exporter" = { wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; diff --git a/hosts/vidhar/prometheus/zte_dsl01.mgmt.yggdrasil b/hosts/vidhar/prometheus/zte_dsl01.mgmt.yggdrasil deleted file mode 100644 index 1c9c1fe0..00000000 --- a/hosts/vidhar/prometheus/zte_dsl01.mgmt.yggdrasil +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "data": "ENC[AES256_GCM,data:nAsn7dhfDr0+V1cJjpqWn/kJQt2zGjlfQKi3n5speroJkL3IvMG/9fsTaXJQZSi2gPlrN8GbxKQ=,iv:9g0V3xRBC+sa/JPP2bUZMfg//VuKT5qI7ua9iU4QRCg=,tag:fzwih9OHUBLmx8dxL4BjGg==,type:str]", - "sops": { - "kms": null, - "gcp_kms": null, - "azure_kv": null, - "hc_vault": null, - "age": [ - { - "recipient": "age1qffdqvy9arld9zd5a5cylt0n98xhcns5shxhrhwjq5g4qa844ejselaa4l", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIaEE3bUFBY0xKSDUrVnc2\nbFpjSkNOSm56amJTNjdXcTljdDNRREhITm1NCjZrOUEwNFpxN2FmTVV5T2xCbENk\nMEFmVzlPZ29CTlJ4dVNCRUsyRFFseXcKLS0tIEhscVZ4VUVsaG9OUnBIRFE4WXA2\ncGFnbWpNMlNIQzFLc1Ryc1Z3NUl1bVUKi9zYBlF2vslGKu4GP368ApbvuxjZnQpF\nuOujXSNoEps21wY6xUENm+CbYbgaJjSgmb5c1IjAmnubVI4JVY9OyQ==\n-----END AGE ENCRYPTED FILE-----\n" - } - ], - "lastmodified": "2021-12-31T15:00:33Z", - "mac": "ENC[AES256_GCM,data:sw2NVXHLibbuOChgScLhSTjGZBjSoHpzIuRqfCW0eL3DwhL5CekG6T/oYu06KjNmxVjxwb3OmqECSU0TUvPn9ySOWwMSoBfyJpDoTHnZ+YOjOH351IOAMBNcBDJse7aLGRWW5YXKLDfmp8Dhg2hlMhCmkVwAquQjPhfmAdJfj64=,iv:wgM/BlRU2XJSGj7KvAo1WRamecffUDnFvv2+4twtsQY=,tag:0mXblJtTGMTvxndedws94A==,type:str]", - "pgp": [ - { - "created_at": "2023-01-30T10:58:49Z", - "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAcwl1Blp3J5wgpRJKbYI1G1yEZrRYeYuoDtYUh3ToMAQw\nd92/bIJJR5Ml91eDym9uBN0fFRRy72r6FOx4qZT7S4DhmuA84qCbASjF8bKSclc0\n0l4BBXvDS5Dz1Q7iYc+LxZjHASV1v73A+MaeCFvG/pjmHzF0z0EzBiAJD4ZWGcP0\nX2dDbjl+n9VFrvmeLRxQNh4XZW43iTXdRjwHDgm16zhd9X6VOVhr5UkC4Nyjq2Ar\n=4ZEa\n-----END PGP MESSAGE-----\n", - "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51" - } - ], - "unencrypted_suffix": "_unencrypted", - "version": "3.7.1" - } -} \ No newline at end of file -- cgit v1.2.3 From c6af884353a633989ee4561a4fc9f641aef7506f Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Tue, 9 Jul 2024 14:31:06 +0200 Subject: ... --- hosts/surtr/dns/zones/email.bouncy.soa | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'hosts') 
diff --git a/hosts/surtr/dns/zones/email.bouncy.soa b/hosts/surtr/dns/zones/email.bouncy.soa index 40e4b78b..2b319a93 100644 --- a/hosts/surtr/dns/zones/email.bouncy.soa +++ b/hosts/surtr/dns/zones/email.bouncy.soa @@ -1,7 +1,7 @@ $ORIGIN bouncy.email. $TTL 3600 @ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li ( - 2023020101 ; serial + 2024070901 ; serial 10800 ; refresh 3600 ; retry 604800 ; expire @@ -41,10 +41,10 @@ mailin IN MX 0 mailin.bouncy.email. mailin IN TXT "v=spf1 redirect=bouncy.email" _acme-challenge.mailin IN NS ns.yggdrasil.li. -_25._tcp.mailin IN TLSA 2 1 1 276fe8a8c4ec7611565bf9fce6dcace9be320c1b5bea27596b2204071ed04f10 -_25._tcp.mailin IN TLSA 2 1 1 bd936e72b212ef6f773102c6b77d38f94297322efc25396bc3279422e0c89270 -_25._tcp.mailin IN TLSA 2 1 1 8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d -_25._tcp.mailin IN TLSA 2 1 1 e5545e211347241891c554a03934cde9b749664a59d26d615fe58f77990f2d03 +; _25._tcp.mailin IN TLSA 2 1 1 276fe8a8c4ec7611565bf9fce6dcace9be320c1b5bea27596b2204071ed04f10 +; _25._tcp.mailin IN TLSA 2 1 1 bd936e72b212ef6f773102c6b77d38f94297322efc25396bc3279422e0c89270 +; _25._tcp.mailin IN TLSA 2 1 1 8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d +; _25._tcp.mailin IN TLSA 2 1 1 e5545e211347241891c554a03934cde9b749664a59d26d615fe58f77990f2d03 mailsub IN A 202.61.241.61 mailsub IN AAAA 2a03:4000:52:ada:: -- cgit v1.2.3 From d2a60dec0e131ab24c56965a7c8fa84d3899d8ab Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Tue, 9 Jul 2024 19:11:29 +0200 Subject: bump gpon speed --- hosts/vidhar/network/gpon.nix | 4 ++-- hosts/vidhar/network/ruleset.nft | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) (limited to 'hosts') diff --git a/hosts/vidhar/network/gpon.nix b/hosts/vidhar/network/gpon.nix index c15a6e8d..6751978f 100644 --- a/hosts/vidhar/network/gpon.nix +++ b/hosts/vidhar/network/gpon.nix 
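Review bot: The four TLSA records for `_25._tcp.mailin` are commented out without a note on why, so a later reader cannot tell whether DANE for this MX was dropped deliberately or only parked while the certificate chain changes. Disabling is the safe direction (DANE-validating senders fall back to unauthenticated TLS instead of failing delivery), but the commented hashes will silently go stale, so a line such as `; DANE disabled <DATE>: re-derive the "2 1 1" hashes from the current issuer key before re-enabling` above the block — or deleting the lines and relying on git history — would make the intent explicit. Given the `_acme-challenge.mailin` delegation, the `2 1 1` hashes are presumably bound to the CA's intermediate key, which is a plausible reason for the change, but that is inferred rather than visible here.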
@@ -70,8 +70,8 @@ in { tc qdisc add dev "${pppInterface}" handle ffff: ingress tc filter add dev "${pppInterface}" parent ffff: basic action ctinfo dscp 0x0000003f 0x00000040 action mirred egress redirect dev "ifb4${pppInterface}" - tc qdisc replace dev "ifb4${pppInterface}" root cake memlimit 128Mb pppoe-ptm diffserv4 bandwidth 238mbit - tc qdisc replace dev "${pppInterface}" root cake memlimit 128Mb pppoe-ptm nat diffserv4 wash bandwidth 48mbit + tc qdisc replace dev "ifb4${pppInterface}" root cake memlimit 128Mb pppoe-ptm diffserv4 bandwidth 285mbit + tc qdisc replace dev "${pppInterface}" root cake memlimit 128Mb pppoe-ptm nat diffserv4 wash bandwidth 143mbit ''; }; in "${app}/bin/${app.meta.mainProgram}"; diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft index 9843b71a..9f519302 100644 --- a/hosts/vidhar/network/ruleset.nft +++ b/hosts/vidhar/network/ruleset.nft @@ -5,7 +5,7 @@ table arp filter { rate over 50 mbytes/second burst 50 mbytes } limit lim_arp_gpon { - rate over 1750 kbytes/second burst 1750 kbytes + rate over 7500 kbytes/second burst 7500 kbytes } counter arp-rx {} @@ -47,7 +47,7 @@ table inet filter { rate over 50 mbytes/second burst 50 mbytes } limit lim_icmp_gpon { - rate over 1750 kbytes/second burst 1750 kbytes + rate over 7500 kbytes/second burst 7500 kbytes } counter icmp-ratelimit-gpon-fw {} -- cgit v1.2.3 From d305ddcea6880c31d67fab87c6dd898c5643e479 Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Wed, 10 Jul 2024 09:16:27 +0200 Subject: ... --- hosts/vidhar/network/gpon.nix | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) (limited to 'hosts') diff --git a/hosts/vidhar/network/gpon.nix b/hosts/vidhar/network/gpon.nix index 6751978f..750f6545 100644 --- a/hosts/vidhar/network/gpon.nix +++ b/hosts/vidhar/network/gpon.nix 
@@ -45,6 +45,12 @@ in { serviceConfig = { PIDFile = "/run/pppd/${pppInterface}.pid"; }; + restartTriggers = with config; [ + environment.etc."ppp/ip-pre-up".source + environment.etc."ppp/ip-up".source + environment.etc."ppp/ip-down".source + sops.secrets."pap-secrets".sopsFile + ]; }; sops.secrets."pap-secrets" = { format = "binary"; @@ -70,8 +76,8 @@ in { tc qdisc add dev "${pppInterface}" handle ffff: ingress tc filter add dev "${pppInterface}" parent ffff: basic action ctinfo dscp 0x0000003f 0x00000040 action mirred egress redirect dev "ifb4${pppInterface}" - tc qdisc replace dev "ifb4${pppInterface}" root cake memlimit 128Mb pppoe-ptm diffserv4 bandwidth 285mbit - tc qdisc replace dev "${pppInterface}" root cake memlimit 128Mb pppoe-ptm nat diffserv4 wash bandwidth 143mbit + tc qdisc replace dev "ifb4${pppInterface}" root cake memlimit 128Mb overhead 35 mpu 74 regional diffserv4 bandwidth 285mbit autorate-ingress + tc qdisc replace dev "${pppInterface}" root cake memlimit 128Mb overhead 35 mpu 74 regional nat diffserv4 wash bandwidth 143mbit ''; }; in "${app}/bin/${app.meta.mainProgram}"; -- cgit v1.2.3 From 2b8683f43eb38e0d8c08a3ae6b58022ed0e7acac Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Wed, 10 Jul 2024 09:18:52 +0200 Subject: ... --- hosts/vidhar/network/gpon.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'hosts') diff --git a/hosts/vidhar/network/gpon.nix b/hosts/vidhar/network/gpon.nix index 750f6545..759adf40 100644 --- a/hosts/vidhar/network/gpon.nix +++ b/hosts/vidhar/network/gpon.nix 
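Review bot: `sops.secrets."pap-secrets".sopsFile` in the new `restartTriggers` keys the restart of pppd-telekom on the store path of the encrypted input, which changes whenever the file is re-encrypted (for example on a recipient or key rotation) even if the decrypted PAP password did not, and it says nothing about when the decrypted `/etc/ppp/pap-secrets` is actually replaced at activation. sops-nix has a per-secret option for exactly this coupling, `sops.secrets."pap-secrets".restartUnits = [ "pppd-telekom.service" ];`, which restarts the unit when the secret content changes, so the trigger list can be limited to the three `ppp/ip-*` scripts. Those script triggers are presumably there so that a changed `ip-pre-up` (the tc shaping) is re-applied by re-dialing, since pppd otherwise only runs the new script at the next link event; a short comment stating that would save the next reader the guess.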
@@ -76,7 +76,7 @@ in { tc qdisc add dev "${pppInterface}" handle ffff: ingress tc filter add dev "${pppInterface}" parent ffff: basic action ctinfo dscp 0x0000003f 0x00000040 action mirred egress redirect dev "ifb4${pppInterface}" - tc qdisc replace dev "ifb4${pppInterface}" root cake memlimit 128Mb overhead 35 mpu 74 regional diffserv4 bandwidth 285mbit autorate-ingress + tc qdisc replace dev "ifb4${pppInterface}" root cake memlimit 128Mb overhead 35 mpu 74 regional diffserv4 bandwidth 285mbit tc qdisc replace dev "${pppInterface}" root cake memlimit 128Mb overhead 35 mpu 74 regional nat diffserv4 wash bandwidth 143mbit ''; }; -- cgit v1.2.3 From bc90ef66903e78713db1fd3a700785572b794cde Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Sat, 20 Jul 2024 10:41:20 +0200 Subject: ... --- hosts/vidhar/network/gpon.nix | 2 +- hosts/vidhar/prometheus/default.nix | 6 ++++++ 2 files changed, 7 insertions(+), 1 deletion(-) (limited to 'hosts') diff --git a/hosts/vidhar/network/gpon.nix b/hosts/vidhar/network/gpon.nix index 759adf40..1628159c 100644 --- a/hosts/vidhar/network/gpon.nix +++ b/hosts/vidhar/network/gpon.nix @@ -49,7 +49,7 @@ in { environment.etc."ppp/ip-pre-up".source environment.etc."ppp/ip-up".source environment.etc."ppp/ip-down".source - sops.secrets."pap-secrets".sopsFile + # sops.secrets."pap-secrets".sopsFile ]; }; sops.secrets."pap-secrets" = { diff --git a/hosts/vidhar/prometheus/default.nix b/hosts/vidhar/prometheus/default.nix index 330026d7..3e938933 100644 --- a/hosts/vidhar/prometheus/default.nix +++ b/hosts/vidhar/prometheus/default.nix @@ -263,6 +263,9 @@ in { { record = "systemd_unit_runtime_seconds:resets_per_week"; expr = "resets(systemd_unit_runtime_seconds[1w])"; } + { record = "systemd_unit_runtime_seconds:avg_resets_per_day"; + expr = "avg_over_time(systemd_unit_runtime_seconds:resets_per_day[1w])"; + } ]; } { name = "apcupsd-transfers"; 
@@ -279,6 +282,9 @@ in { { record = "apcupsd_last_transfer_on_battery_counter_seconds:resets_per_week"; expr = "resets(apcupsd_last_transfer_on_battery_counter_seconds[1w])"; } + { record = "apcupsd_last_transfer_on_battery_counter_seconds:avg_resets_per_day"; + expr = "avg_over_time(apcupsd_last_transfer_on_battery_counter_seconds:resets_per_day[1w])"; + } ]; } ]; -- cgit v1.2.3