WIP: set up bpir3

steveej 2023-08-22 10:20:16 +02:00
parent 2bedcc0fd3
commit 3cd0eb718e
6 changed files with 96 additions and 65 deletions


@ -108,7 +108,7 @@ in {
enable = true; enable = true;
zones = { zones = {
lan.interfaces = ["br-lan"]; lan.interfaces = ["br-lan"];
wan.interfaces = ["wan"]; wan.interfaces = ["wan" "lan0"];
}; };
rules = { rules = {
lan = { lan = {
@ -130,6 +130,12 @@ in {
incoming-wan = { incoming-wan = {
from = ["wan"]; from = ["wan"];
to = ["fw"]; to = ["fw"];
allowedTCPPortRanges = [
{
from = 22;
to = 22;
}
];
verdict = "drop"; verdict = "drop";
}; };
}; };
@ -150,14 +156,6 @@ in {
}; };
networks = { networks = {
# Connect the bridge ports to the bridge # Connect the bridge ports to the bridge
"30-lan0" = {
matchConfig.Name = "lan0";
networkConfig = {
Bridge = "br-lan";
ConfigureWithoutCarrier = true;
};
linkConfig.RequiredForOnline = "enslaved";
};
"30-lan1" = { "30-lan1" = {
matchConfig.Name = "lan1"; matchConfig.Name = "lan1";
networkConfig = { networkConfig = {
@ -195,6 +193,22 @@ in {
# Don't wait for it as it also would wait for wlan and DFS which takes around 5 min # Don't wait for it as it also would wait for wlan and DFS which takes around 5 min
linkConfig.RequiredForOnline = "no"; linkConfig.RequiredForOnline = "no";
}; };
# use lan0 as secondary WAN interface
"10-lan0-wan" = {
matchConfig.Name = "lan0";
networkConfig = {
# start a DHCP Client for IPv4 Addressing/Routing
DHCP = "ipv4";
# accept Router Advertisements for Stateless IPv6 Autoconfiguraton (SLAAC)
IPv6AcceptRA = true;
DNSOverTLS = true;
DNSSEC = true;
IPv6PrivacyExtensions = false;
IPForward = true;
};
# Don't wait for it as it also would wait for wlan and DFS which takes around 5 min
linkConfig.RequiredForOnline = "no";
};
"10-wan" = { "10-wan" = {
matchConfig.Name = "wan"; matchConfig.Name = "wan";
networkConfig = { networkConfig = {
@ -216,7 +230,9 @@ in {
# wireless access point # wireless access point
services.hostapd = { services.hostapd = {
enable = true; enable = true;
radios = { radios = let
mkBssid = i: "34:56:ce:0f:ed:4${builtins.toString i}";
in {
wlan0 = { wlan0 = {
band = "2g"; band = "2g";
countryCode = "CH"; countryCode = "CH";
@ -234,12 +250,15 @@ in {
mode = "wpa3-sae"; mode = "wpa3-sae";
# saePasswordsFile = config.sops.secrets.wifiPassword.path; # saePasswordsFile = config.sops.secrets.wifiPassword.path;
saePasswords = [ saePasswords = [
{password = "justtestingwifi";} {
password = "justtestingwifi";
# vlanid = 100;
}
]; ];
}; };
# generated with https://miniwebtool.com/mac-address-generator/ # generated with https://miniwebtool.com/mac-address-generator/
bssid = "34:56:ce:0f:ed:40"; bssid = mkBssid 0;
settings = { settings = {
bridge = "br-lan"; bridge = "br-lan";
}; };
@ -251,13 +270,19 @@ in {
mode = "wpa3-sae-transition"; mode = "wpa3-sae-transition";
# saePasswordsFile = config.sops.secrets.wifiPassword.path; # saePasswordsFile = config.sops.secrets.wifiPassword.path;
saePasswords = [ saePasswords = [
{password = "justtestingwifi";} {
password = "justtestingwifi";
# vlanid = 100;
}
]; ];
wpaPassword = "justtestingwifi"; wpaPskFile = pkgs.writeText "pskfile" ''
00:00:00:00:00:00 justtestingwifi
# vlanid=100 00:00:00:00:00:00 justtestingwifi-vlan
'';
}; };
# generated with https://miniwebtool.com/mac-address-generator/ # generated with https://miniwebtool.com/mac-address-generator/
bssid = "34:56:ce:0f:ed:41"; bssid = mkBssid 1;
settings = { settings = {
bridge = "br-lan"; bridge = "br-lan";
}; };
@ -392,9 +417,9 @@ in {
domain = "lan"; domain = "lan";
expand-hosts = true; expand-hosts = true;
# don't use /etc/hosts as this would advertise surfer as localhost # don't use /etc/hosts as this would advertise ${nodeName} as localhost
no-hosts = true; no-hosts = true;
address = "/surfer.lan/192.168.10.1"; address = "/${nodeName}.lan/192.168.10.1";
}; };
}; };
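Review bot: The hostapd hunk's `wpaPskFile = pkgs.writeText "pskfile" ''…''` writes the Wi-Fi passphrase into the Nix store, which is world-readable on the router and travels with the closure into any binary cache it is pushed to, and the `saePasswords = [ { password = "justtestingwifi"; … } ]` entries in both radios keep the literal in the repository while the `# saePasswordsFile = config.sops.secrets.wifiPassword.path;` line stays commented out. Even for a throwaway passphrase this is the pattern that leaks once the real value is substituted; point `wpaPskFile` at a sops-managed file instead of a store path and re-enable `saePasswordsFile` in place of the literal list (the commented line already names a candidate secret, though it is not visible here whether that secret is declared). Separately, the comment `# Don't wait for it as it also would wait for wlan and DFS …` copied onto `"10-lan0-wan"` describes the bridge, not a wired DHCP client port, and would be better replaced by why a secondary WAN should not block `network-online`. The hostapd and networks blocks start and end outside their hunks.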


@ -120,48 +120,16 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1691654369, "lastModified": 1691788113,
"narHash": "sha256-gSILTEx1jRaJjwZxRlnu3ZwMn1FVNk80qlwiCX8kmpo=", "narHash": "sha256-h5dnmk0QMQI+WkP7ZGbqusr7GfeXOrYCzO7BoZpSGJ0=",
"owner": "nixos", "owner": "steveej-forks",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "ce5e4a6ef2e59d89a971bc434ca8ca222b9c7f5e", "rev": "f358ddb768fad528772ae3faf786337fe89a7568",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nixos", "owner": "steveej-forks",
"ref": "nixos-unstable", "ref": "hostapd-fix",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-master": {
"locked": {
"lastModified": 1691753935,
"narHash": "sha256-fjH5oZ0g8Cb0vrJ8TlS4B7kaVr7YmEdee64ueQ6arAo=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "650596759b8b38399a0c4d5e366847d190360e55",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "master",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1691703261,
"narHash": "sha256-jUzmIeh+F+XKkuEhfY+VRgbVitTOr5oh5Oi5p5kr9tQ=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "079f7bd05bf72641e3b5904ed891d44d21ea90ed",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable-small",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
@ -174,8 +142,6 @@
"home-manager": "home-manager", "home-manager": "home-manager",
"nixos-nftables-firewall": "nixos-nftables-firewall", "nixos-nftables-firewall": "nixos-nftables-firewall",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",
"nixpkgs-master": "nixpkgs-master",
"nixpkgs-unstable": "nixpkgs-unstable",
"srvos": "srvos" "srvos": "srvos"
} }
}, },


@ -1,9 +1,7 @@
{ {
inputs = { inputs = {
# nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05"; # nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; nixpkgs.url = "github:steveej-forks/nixpkgs/hostapd-fix";
nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable-small";
nixpkgs-master.url = "github:nixos/nixpkgs/master";
get-flake.url = "github:ursi/get-flake"; get-flake.url = "github:ursi/get-flake";
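Review bot: `nixpkgs.url = "github:steveej-forks/nixpkgs/hostapd-fix";` moves the source of the entire system closure from the upstream `nixos` organisation to a personal fork branch, and `hostapd-fix` is a mutable ref, so a later `nix flake update` will follow whatever that branch holds rather than the rev currently pinned in flake.lock. The commit message marks this as WIP but the file itself does not say the fork is temporary or what it carries; a comment on the line, e.g. `# TEMPORARY: personal fork carrying a hostapd fix — switch back to nixos/nixpkgs once it is upstream`, makes the intended lifetime and the trust change explicit to anyone updating the lock.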


@ -3,8 +3,11 @@
lib, lib,
config, config,
repoFlake, repoFlake,
nodeName,
... ...
}: { }: let
wireguardPort = 51820;
in {
networking.firewall.enable = true; networking.firewall.enable = true;
networking.nftables.enable = true; networking.nftables.enable = true;
@ -12,6 +15,10 @@
# iperf3 # iperf3
5201 5201
]; ];
networking.firewall.allowedUDPPorts = [
wireguardPort
];
networking.firewall.logRefusedConnections = false; networking.firewall.logRefusedConnections = false;
networking.usePredictableInterfaceNames = false; networking.usePredictableInterfaceNames = false;
@ -54,7 +61,7 @@
networking.nat = { networking.nat = {
enable = true; enable = true;
internalInterfaces = ["ve-*"]; internalInterfaces = ["ve-*" "wg*"];
externalInterface = "eth0"; externalInterface = "eth0";
}; };
@ -64,6 +71,28 @@
meta nfproto ipv6 tcp flags syn tcp option maxseg size set 1340; meta nfproto ipv6 tcp flags syn tcp option maxseg size set 1340;
''; '';
sops.secrets.wg0-private.sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
sops.secrets.wg0-psk-steveej-psk.sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
networking.wireguard.enable = true;
networking.wireguard.interfaces.wg0 = {
# eth0 MTU (1400) - 80
mtu = 1320;
ips = [
"192.168.99.1/31"
];
listenPort =
wireguardPort;
privateKeyFile = config.sops.secrets.wg0-private.path;
peers = [
{
allowedIPs = ["192.168.99.2/32"];
publicKey = "O3k4jEdX6jkV1fHP/J8KSH5tvi+n1VvnBTD5na6Naw0=";
presharedKeyFile = config.sops.secrets.wg0-psk-steveej-psk.path;
}
];
};
# virtualization # virtualization
virtualisation = {docker.enable = false;}; virtualisation = {docker.enable = false;};


@ -36,6 +36,9 @@ in {
} }
]; ];
# needed to make wireguard managed by networkmanager route all traffic through it
networking.firewall.checkReversePath = false;
networking.firewall.enable = true; networking.firewall.enable = true;
services.openssh.openFirewall = false; services.openssh.openFirewall = false;
@ -93,6 +96,12 @@ in {
services.samba.extraConfig = '' services.samba.extraConfig = ''
# client min protocol = NT1 # client min protocol = NT1
''; '';
services.gvfs = {
enable = true;
package = lib.mkForce pkgs.gnome3.gvfs;
};
environment.systemPackages = with pkgs; [ lxqt.lxqt-policykit ]; # provides a default authentification client for policykit
security.pki.certificateFiles = ["${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"]; security.pki.certificateFiles = ["${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"];
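Review bot: `networking.firewall.checkReversePath = false;` switches off the reverse-path filter for every interface, while the comment above it only needs the tunnel-specific relaxation; NixOS accepts `"loose"` for this option, which still drops packets whose source has no route on any interface but tolerates the asymmetric routing a full-tunnel WireGuard client produces. Changing the line to `networking.firewall.checkReversePath = "loose";` keeps the anti-spoofing check for the non-tunnel case. The enclosing module continues outside the hunk.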


@ -1,5 +1,9 @@
#ENC[AES256_GCM,data:NJd2BaOWeCr6IER0GSL4OrnABI65kMLg0ft0auq4gazQJ+40vYKwN7pMimXnhQrIsax01pQocF0x0R9we0i/dbE=,iv:OlqfIRF9FtZVHT4QzjQuKCMbVaA+ei7PE9QvbyWj9OA=,tag:8uPJVrva06SUg0DQ26mNow==,type:comment] #ENC[AES256_GCM,data:NJd2BaOWeCr6IER0GSL4OrnABI65kMLg0ft0auq4gazQJ+40vYKwN7pMimXnhQrIsax01pQocF0x0R9we0i/dbE=,iv:OlqfIRF9FtZVHT4QzjQuKCMbVaA+ei7PE9QvbyWj9OA=,tag:8uPJVrva06SUg0DQ26mNow==,type:comment]
passwords-root: ENC[AES256_GCM,data:mDQXWfH3zcvIifhmFdB5rfuiImHLX0Wb2WuR5Jb4lBII72AN9sEy436nHKLHdDHYDgzBkTHXDz63SfK28GEckJJKXHPcKuYl/g==,iv:M8tcUyUVuYAIesuGxQHQ/JRDlzeklTBAVgD1oBzsbVM=,tag:E8g5Qo1zAJkCvNPDeAv7pw==,type:str] passwords-root: ENC[AES256_GCM,data:mDQXWfH3zcvIifhmFdB5rfuiImHLX0Wb2WuR5Jb4lBII72AN9sEy436nHKLHdDHYDgzBkTHXDz63SfK28GEckJJKXHPcKuYl/g==,iv:M8tcUyUVuYAIesuGxQHQ/JRDlzeklTBAVgD1oBzsbVM=,tag:E8g5Qo1zAJkCvNPDeAv7pw==,type:str]
wg0-private: ENC[AES256_GCM,data:hiUUUhQ/hi6d51Wgwb0gZ5lBB5TS9+F8gVEGrRUqLauKjGZujyqjZIFix7E=,iv:ISb5cqkOE0UyQqlQCeclyMBof037XF1+7zDFslKStr0=,tag:Ox0S+YOkfXpFCSbNrdSrxQ==,type:str]
wg0-public: ENC[AES256_GCM,data:AnEK0wlEIlVrz0nubLWr3lv7R1ddzA/RPjP0CosyEJzCJU6cF2DBJig4xYo=,iv:ifaQVHQyoYqcr6a4kJ1Kvd4QBDLT5xNyr75GuogBv5g=,tag:Tl9HpsJ5+LaV81LiLcThkg==,type:str]
wg0-psk-steveej-psk: ENC[AES256_GCM,data:Z5txIdXKVshlqMBLEnW/ulFiQSmMKj6m1vLE8fuL+zl+tJxh9EX/XvjLaC4=,iv:h4ypudvQAKPM7+5vQNAb69JntdZPNa8Km6wd14ovCHc=,tag:t7ZbbcpRCTAF7zP8vKPpJw==,type:str]
wg0-psk-steveej-public: ENC[AES256_GCM,data:KU6aRVK06RkyvvYFzFZaCplz1HyirSfpjW+jjvHP+eTMs3hfhFUnPSZRCN4=,iv:2A019CQD2vjcOmX6PFpDaDCo8yN9oA9kdKxiW1e3Dss=,tag:kfRENOJY7RnwWGN1eOeEhQ==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -15,8 +19,8 @@ sops:
czdzaWhBRWJyb0pBSnphamZVZDgyMDAKjTYixgD7CzJImvPFRYJKJXefXqxSA6I0 czdzaWhBRWJyb0pBSnphamZVZDgyMDAKjTYixgD7CzJImvPFRYJKJXefXqxSA6I0
iOyW6E++Ax0MsYll77sR9eMNMgPCromY3uzKVJe640HKY/E1cLoi0Q== iOyW6E++Ax0MsYll77sR9eMNMgPCromY3uzKVJe640HKY/E1cLoi0Q==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2023-08-11T16:32:20Z" lastmodified: "2023-08-13T17:03:01Z"
mac: ENC[AES256_GCM,data:dgiAU9oMoHi1KvmkSbmNYRA6s2dIrsn8JC5UVpmfUUV5X+u+xwzt+QA/9IRHQoBWL3UZNz4E5qIvitEDx0xP8BktfNd2cGmeaBWT5e7YiSYGWNek0r/2SgXf8aSKsay4g+qdkE4mnxhRcj1pOc6dP5cKE/qh7vjnjlpTOMdp1wE=,iv:M7HE/XQGwttkwY7uXf7SHffwcaSzLqATB5Vqes3+W9w=,tag:vBhNC8zgNPPIzeNjikLt9A==,type:str] mac: ENC[AES256_GCM,data:AtD2QZsLpOLQB7Jcb0Cn+zGUK/fMzuVhQ2r5f4jL3dttqfaDa4k+bUMP7wQ9RW6cUXm5ps+s1t9TkRUi2P7bkQjtEuyiTGAUiM8OnkJQ26npITWWs8giekKq01m2DlZufWRcrZrQU43EgVNDqRTVlMK1IoVS4zqNwqt4tXG6YWk=,iv:F+BbR5aGg+6/0LBxpC+AoNT4dLutvkgeUJszkMrV5xk=,tag:4Cvd4nG+h1+hXg/NzH0wRg==,type:str]
pgp: pgp:
- created_at: "2023-08-11T16:31:41Z" - created_at: "2023-08-11T16:31:41Z"
enc: |- enc: |-