steveej/infra
1
0
Fork 0
Code Issues 2 Pull requests Projects Releases Packages Wiki Activity Actions

router0-dmz0: lots of formattign and exposed host fixes

Browse source
This commit is contained in:
steveej 2024-01-18 23:35:54 +01:00
parent 2c84e79f4a
commit 9ad9b97298
2 changed files with 491 additions and 461 deletions
Download patch file Download diff file Expand all files Collapse all files

115
nix/os/devices/router0-dmz0/configuration.nix
View file

@ -1,14 +1,14 @@
{
repoFlake,
pkgs,
lib,
config,
nodeFlake,
nodeName,
localDomainName,
system,
...
}: let
{ repoFlake
, pkgs
, lib
, config
, nodeFlake
, nodeName
, localDomainName
, system
, ...
}:
let
inherit
(nodeFlake.inputs)
bpir3
@ -20,7 +20,8 @@
vlanRange = builtins.map (vlanid: (lib.strings.toInt vlanid)) (builtins.attrNames vlans);
vlanRangeWith0 = [ 0 ] ++ vlanRange;
mkVlanIpv4HostAddr = { vlanid, host, thirdIpv4SegmentMin ? 20, cidr ? true }: let
mkVlanIpv4HostAddr = { vlanid, host, thirdIpv4SegmentMin ? 20, cidr ? true }:
let
# reserve the first subnet for vlanid == 0
# number the other subnets continously from there
offset =
@ -57,11 +58,13 @@
"15".packet_priority = -10;
};
vlansByName = lib.attrsets.mapAttrs' (vlanid': attrs:
vlansByName = lib.attrsets.mapAttrs'
(vlanid': attrs:
lib.attrsets.nameValuePair
attrs.name
(attrs // { id = lib.strings.toInt vlanid'; id' = vlanid'; })
) vlans;
)
vlans;
getVlanDomain = { vlanid }:
if vlanid == 0
@ -77,7 +80,10 @@
then bridgeInterfaceName
else "${bridgeInterfaceName}.${toString vlanid}"
;
in {
exposedHost = "sj-srv1.dmz.internal";
in
{
imports = [
repoFlake.inputs.sops-nix.nixosModules.sops
@ -180,15 +186,16 @@ in {
chains = {
prerouting = {
"redirectweb" = {
"exposeHost" = {
after = [ "hook" ];
rules = let
rules =
let
wanInterfaces = builtins.concatStringsSep ", " config.networking.nftables.firewall.zones.wan.interfaces;
exposedHost = "srv0-dmz0.dmz.internal";
in [
"iifname { ${wanInterfaces} } tcp dport 220 redirect to 22"
in
# TODO: if this hostname doesn't resolve it'll break the whole ruleset
# "iifname { ${wanInterfaces} } dnat ip to ${exposedHost}"
[
"iifname { ${wanInterfaces} } tcp dport 220 redirect to 22"
"iifname { ${wanInterfaces} } dnat ip to ${exposedHost}"
];
};
};
@ -203,28 +210,41 @@ in {
wan.interfaces = [ "wan" "lan0" ];
} //
# generate a zone for each vlan
lib.attrsets.mapAttrs (key: value: {
lib.attrsets.mapAttrs
(key: value: {
interfaces = [ (mkInterfaceName { vlanid = value.id; }) ];
})
vlansByName
;
rules = let
rules =
let
ipv6IcmpTypes = [
"destination-unreachable" "echo-reply" "echo-request"
"packet-too-big" "parameter-problem" "time-exceeded"
"destination-unreachable"
"echo-reply"
"echo-request"
"packet-too-big"
"parameter-problem"
"time-exceeded"
# Without the nd-* ones ipv6 will not work.
"nd-neighbor-solicit" "nd-router-advert" "nd-neighbor-advert"
"nd-neighbor-solicit"
"nd-router-advert"
"nd-neighbor-advert"
];
ipv4IcmpTypes = [
"destination-unreachable" "echo-reply" "echo-request" "source-quench" "time-exceeded"
"destination-unreachable"
"echo-reply"
"echo-request"
"source-quench"
"time-exceeded"
"router-advertisement"
];
allowIcmpLines = [
"ip protocol icmp icmp type { ${builtins.concatStringsSep ", " ipv4IcmpTypes} } accept"
"ip6 nexthdr icmpv6 icmpv6 type { ${builtins.concatStringsSep ", " ipv6IcmpTypes} } accept"
];
in {
in
{
fw = {
from = [ "fw" ];
verdict = "accept";
@ -468,7 +488,8 @@ in {
builtins.foldl'
(acc: cur: acc // cur)
{ }
(builtins.map ({ vlanid, vlanid' }: {
(builtins.map
({ vlanid, vlanid' }: {
# configure the tagged vlan device with an address and vlan filtering.
# dnsmasq is configured to serve the respective /24 range on each tagged device.
# this device only receives traffic for the given vlanid and sends tagged traffic to the bridge.
@ -539,10 +560,12 @@ in {
services.hostapd = {
enable = true;
package = nodeFlake.packages.${system}.hostapd_patched;
radios = let
radios =
let
# generated with https://miniwebtool.com/mac-address-generator/
mkBssid = i: "34:56:ce:0f:ed:4${toString i}";
in {
in
{
wlan0 = {
band = "2g";
countryCode = "CH";
@ -554,9 +577,11 @@ in {
capabilities = [ "HT40+" "LDPC" "SHORT-GI-20" "SHORT-GI-40" "TX-STBC" "RX-STBC1" "MAX-AMSDU-7935" ];
};
networks = {
wlan0 = let
wlan0 =
let
iface = "wlan0";
in {
in
{
ssid = "mlsia";
bssid = mkBssid 0;
@ -594,10 +619,13 @@ in {
vlan_bridge = "br-${iface}.";
*/
vlan_file = let
generated = builtins.map (vlanid:
vlan_file =
let
generated = builtins.map
(vlanid:
"${builtins.toString vlanid} ${iface}.${builtins.toString vlanid}"
) vlanRange
)
vlanRange
;
wildcard = [
@ -611,7 +639,8 @@ in {
file = pkgs.writeText "hostapd.vlan"
(builtins.concatStringsSep "\n" (generated ++ wildcard));
filePath = toString file;
in filePath;
in
filePath;
wpa_key_mgmt = lib.mkForce (builtins.concatStringsSep " " [
"WPA-PSK"
@ -797,7 +826,8 @@ in {
local-ttl = 0;
dhcp-ttl = 0;
dhcp-range = let
dhcp-range =
let
mkDhcpRange = { tag, vlanid }: builtins.concatStringsSep "," [
tag
(mkVlanIpv4HostAddr { inherit vlanid; host = 100; cidr = false; })
@ -854,7 +884,9 @@ in {
(vlanid:
builtins.concatStringsSep "," [
# "${getVlanDomain{inherit vlanid;}}" "0.0.0.1" (mkInterfaceName {inherit vlanid;})
"${nodeName}.${getVlanDomain{inherit vlanid;}}" "0.0.0.1" (mkInterfaceName {inherit vlanid;})
"${nodeName}.${getVlanDomain{inherit vlanid;}}"
"0.0.0.1"
(mkInterfaceName { inherit vlanid; })
]
)
vlanRangeWith0
@ -864,6 +896,11 @@ in {
(vlanid: "${mkInterfaceName {inherit vlanid;}},option:domain-search,${getVlanDomain{inherit vlanid;}}")
vlanRangeWith0
;
cname = [
"mailserver.svc.stefanjunker.de,${exposedHost}"
"www.stefanjunker.de,${exposedHost}"
];
};
};

19
nix/os/devices/steveej-t14/hw.nix
View file

@ -1,4 +1,5 @@
{lib, ...}: let
{ lib, ... }:
let
stage1Modules = [
"aesni_intel"
"kvm_amd"
@ -10,21 +11,13 @@
"usbcore"
"xhci_hcd"
"usbnet"
"snd_usb_audio"
"usbhid"
"snd_usbmidi_lib"
"cdc_mbim"
"cdc_ncm"
"usb_storage"
"cdc_wdm"
"uvcvideo"
"btusb"
"xhci_pci"
"cdc_ether"
"uas"
];
in {
in
{
# TASK: new device
hardware.opinionatedDisk = {
enable = true;
@ -37,7 +30,7 @@ in {
# see https://linrunner.de/tlp/
services.tlp = {
enable = true;
enable = false;
settings = {
CPU_DRIVER_OPMODE_ON_AC = "active";
CPU_DRIVER_OPMODE_ON_BAT = "passive";
@ -81,7 +74,7 @@ in {
# #DEVICES_TO_DISABLE_ON_WIFI_CONNECT="wwan";
# #DEVICES_TO_DISABLE_ON_WWAN_CONNECT="wifi";
SATA_LINKPWR_ON_AC = "maax_performance";
SATA_LINKPWR_ON_AC = "max_performance";
SATA_LINKPWR_ON_BAT = "min_power";
};
};