router0-dmz0: lots of formatting and exposed host fixes

This commit is contained in:
steveej 2024-01-18 23:35:54 +01:00
parent a825e8eea9
commit a7e2bc2c3b
2 changed files with 491 additions and 461 deletions


@ -1,14 +1,14 @@
{ { repoFlake
repoFlake, , pkgs
pkgs, , lib
lib, , config
config, , nodeFlake
nodeFlake, , nodeName
nodeName, , localDomainName
localDomainName, , system
system, , ...
... }:
}: let let
inherit inherit
(nodeFlake.inputs) (nodeFlake.inputs)
bpir3 bpir3
@ -16,11 +16,12 @@
; ;
vlanRangeStart = builtins.head vlanRange; vlanRangeStart = builtins.head vlanRange;
vlanRangeEnd = builtins.elemAt vlanRange ((builtins.length vlanRange)-1); vlanRangeEnd = builtins.elemAt vlanRange ((builtins.length vlanRange) - 1);
vlanRange = builtins.map (vlanid: (lib.strings.toInt vlanid)) (builtins.attrNames vlans); vlanRange = builtins.map (vlanid: (lib.strings.toInt vlanid)) (builtins.attrNames vlans);
vlanRangeWith0 = [ 0 ] ++ vlanRange; vlanRangeWith0 = [ 0 ] ++ vlanRange;
mkVlanIpv4HostAddr = { vlanid, host, thirdIpv4SegmentMin ? 20, cidr ? true }: let mkVlanIpv4HostAddr = { vlanid, host, thirdIpv4SegmentMin ? 20, cidr ? true }:
let
# reserve the first subnet for vlanid == 0 # reserve the first subnet for vlanid == 0
# number the other subnets continously from there # number the other subnets continously from there
offset = offset =
@ -57,11 +58,13 @@
"15".packet_priority = -10; "15".packet_priority = -10;
}; };
vlansByName = lib.attrsets.mapAttrs' (vlanid': attrs: vlansByName = lib.attrsets.mapAttrs'
(vlanid': attrs:
lib.attrsets.nameValuePair lib.attrsets.nameValuePair
attrs.name attrs.name
(attrs // { id = lib.strings.toInt vlanid'; id' = vlanid';}) (attrs // { id = lib.strings.toInt vlanid'; id' = vlanid'; })
) vlans; )
vlans;
getVlanDomain = { vlanid }: getVlanDomain = { vlanid }:
if vlanid == 0 if vlanid == 0
@ -77,7 +80,10 @@
then bridgeInterfaceName then bridgeInterfaceName
else "${bridgeInterfaceName}.${toString vlanid}" else "${bridgeInterfaceName}.${toString vlanid}"
; ;
in {
exposedHost = "sj-srv1.dmz.internal";
in
{
imports = [ imports = [
repoFlake.inputs.sops-nix.nixosModules.sops repoFlake.inputs.sops-nix.nixosModules.sops
@ -180,15 +186,16 @@ in {
chains = { chains = {
prerouting = { prerouting = {
"redirectweb" = { "exposeHost" = {
after = ["hook"]; after = [ "hook" ];
rules = let rules =
let
wanInterfaces = builtins.concatStringsSep ", " config.networking.nftables.firewall.zones.wan.interfaces; wanInterfaces = builtins.concatStringsSep ", " config.networking.nftables.firewall.zones.wan.interfaces;
exposedHost = "srv0-dmz0.dmz.internal"; in
in [
"iifname { ${wanInterfaces} } tcp dport 220 redirect to 22"
# TODO: if this hostname doesn't resolve it'll break the whole ruleset # TODO: if this hostname doesn't resolve it'll break the whole ruleset
# "iifname { ${wanInterfaces} } dnat ip to ${exposedHost}" [
"iifname { ${wanInterfaces} } tcp dport 220 redirect to 22"
"iifname { ${wanInterfaces} } dnat ip to ${exposedHost}"
]; ];
}; };
}; };
@ -197,60 +204,73 @@ in {
firewall = { firewall = {
enable = true; enable = true;
zones = { zones = {
lan.interfaces = [ (mkInterfaceName {vlanid = 0;}) ]; lan.interfaces = [ (mkInterfaceName { vlanid = 0; }) ];
vlan.interfaces = builtins.map (vlanid: (mkInterfaceName {inherit vlanid;})) vlanRange; vlan.interfaces = builtins.map (vlanid: (mkInterfaceName { inherit vlanid; })) vlanRange;
# lan.ipv4Addresses = ["192.168.0.0/16"]; # lan.ipv4Addresses = ["192.168.0.0/16"];
wan.interfaces = ["wan" "lan0"]; wan.interfaces = [ "wan" "lan0" ];
} // } //
# generate a zone for each vlan # generate a zone for each vlan
lib.attrsets.mapAttrs (key: value: { lib.attrsets.mapAttrs
(key: value: {
interfaces = [ (mkInterfaceName { vlanid = value.id; }) ]; interfaces = [ (mkInterfaceName { vlanid = value.id; }) ];
}) })
vlansByName vlansByName
; ;
rules = let rules =
let
ipv6IcmpTypes = [ ipv6IcmpTypes = [
"destination-unreachable" "echo-reply" "echo-request" "destination-unreachable"
"packet-too-big" "parameter-problem" "time-exceeded" "echo-reply"
"echo-request"
"packet-too-big"
"parameter-problem"
"time-exceeded"
# Without the nd-* ones ipv6 will not work. # Without the nd-* ones ipv6 will not work.
"nd-neighbor-solicit" "nd-router-advert" "nd-neighbor-advert" "nd-neighbor-solicit"
"nd-router-advert"
"nd-neighbor-advert"
]; ];
ipv4IcmpTypes = [ ipv4IcmpTypes = [
"destination-unreachable" "echo-reply" "echo-request" "source-quench" "time-exceeded" "destination-unreachable"
"echo-reply"
"echo-request"
"source-quench"
"time-exceeded"
"router-advertisement" "router-advertisement"
]; ];
allowIcmpLines = [ allowIcmpLines = [
"ip protocol icmp icmp type { ${builtins.concatStringsSep ", " ipv4IcmpTypes} } accept" "ip protocol icmp icmp type { ${builtins.concatStringsSep ", " ipv4IcmpTypes} } accept"
"ip6 nexthdr icmpv6 icmpv6 type { ${builtins.concatStringsSep ", " ipv6IcmpTypes} } accept" "ip6 nexthdr icmpv6 icmpv6 type { ${builtins.concatStringsSep ", " ipv6IcmpTypes} } accept"
]; ];
in { in
{
fw = { fw = {
from = ["fw"]; from = [ "fw" ];
verdict = "accept"; verdict = "accept";
}; };
office-to-dmz = { office-to-dmz = {
from = ["office"]; from = [ "office" ];
to = ["dmz"]; to = [ "dmz" ];
verdict = "accept"; verdict = "accept";
}; };
lan-to-fw = { lan-to-fw = {
from = ["lan"]; from = [ "lan" ];
to = ["fw" "lan"]; to = [ "fw" "lan" ];
verdict = "accept"; verdict = "accept";
}; };
lan-to-wan = { lan-to-wan = {
from = ["lan"]; from = [ "lan" ];
to = ["wan"]; to = [ "wan" ];
verdict = "accept"; verdict = "accept";
}; };
vlan-to-wan = { vlan-to-wan = {
from = ["vlan"]; from = [ "vlan" ];
to = ["wan"]; to = [ "wan" ];
verdict = "accept"; verdict = "accept";
}; };
@ -264,29 +284,29 @@ in {
{ from = 53; to = 53; } { from = 53; to = 53; }
{ from = 5201; to = 5201; } { from = 5201; to = 5201; }
]; ];
from = ["vlan"]; from = [ "vlan" ];
to = ["fw"]; to = [ "fw" ];
extraLines = allowIcmpLines ++ [ extraLines = allowIcmpLines ++ [
"drop" "drop"
]; ];
}; };
to-wan-nat = { to-wan-nat = {
from = ["lan" "vlan"]; from = [ "lan" "vlan" ];
to = ["wan"]; to = [ "wan" ];
masquerade = true; masquerade = true;
verdict = "accept"; verdict = "accept";
}; };
wan-to-dmz = { wan-to-dmz = {
from = ["wan"]; from = [ "wan" ];
to = ["dmz"]; to = [ "dmz" ];
verdict = "accept"; verdict = "accept";
}; };
wan-to-fw = { wan-to-fw = {
from = ["wan"]; from = [ "wan" ];
to = ["fw"]; to = [ "fw" ];
allowedTCPPortRanges = [ allowedTCPPortRanges = [
{ {
from = 22; from = 22;
@ -325,7 +345,7 @@ in {
# generate the vlan devices. these will be tagged on the main bridge # generate the vlan devices. these will be tagged on the main bridge
// builtins.foldl' // builtins.foldl'
(acc: cur: acc // cur) (acc: cur: acc // cur)
{} { }
(builtins.map (builtins.map
({ vlanid, vlanid' }: { ({ vlanid, vlanid' }: {
"20-${mkInterfaceName { inherit vlanid; }}" = { "20-${mkInterfaceName { inherit vlanid; }}" = {
@ -433,9 +453,9 @@ in {
# Configure the bridge for its desired function # Configure the bridge for its desired function
"40-${bridgeInterfaceName}" = { "40-${bridgeInterfaceName}" = {
matchConfig.Name = bridgeInterfaceName; matchConfig.Name = bridgeInterfaceName;
bridgeConfig = {}; bridgeConfig = { };
address = [ address = [
(mkVlanIpv4HostAddr { vlanid = 0; host = 1;}) (mkVlanIpv4HostAddr { vlanid = 0; host = 1; })
]; ];
networkConfig = { networkConfig = {
ConfigureWithoutCarrier = true; ConfigureWithoutCarrier = true;
@ -467,8 +487,9 @@ in {
// //
builtins.foldl' builtins.foldl'
(acc: cur: acc // cur) (acc: cur: acc // cur)
{} { }
(builtins.map ({ vlanid, vlanid' }: { (builtins.map
({ vlanid, vlanid' }: {
# configure the tagged vlan device with an address and vlan filtering. # configure the tagged vlan device with an address and vlan filtering.
# dnsmasq is configured to serve the respective /24 range on each tagged device. # dnsmasq is configured to serve the respective /24 range on each tagged device.
# this device only receives traffic for the given vlanid and sends tagged traffic to the bridge. # this device only receives traffic for the given vlanid and sends tagged traffic to the bridge.
@ -539,10 +560,12 @@ in {
services.hostapd = { services.hostapd = {
enable = true; enable = true;
package = nodeFlake.packages.${system}.hostapd_patched; package = nodeFlake.packages.${system}.hostapd_patched;
radios = let radios =
let
# generated with https://miniwebtool.com/mac-address-generator/ # generated with https://miniwebtool.com/mac-address-generator/
mkBssid = i: "34:56:ce:0f:ed:4${toString i}"; mkBssid = i: "34:56:ce:0f:ed:4${toString i}";
in { in
{
wlan0 = { wlan0 = {
band = "2g"; band = "2g";
countryCode = "CH"; countryCode = "CH";
@ -551,12 +574,14 @@ in {
# use 'iw phy#1 info' to determine your VHT capabilities # use 'iw phy#1 info' to determine your VHT capabilities
wifi4 = { wifi4 = {
enable = true; enable = true;
capabilities = ["HT40+" "LDPC" "SHORT-GI-20" "SHORT-GI-40" "TX-STBC" "RX-STBC1" "MAX-AMSDU-7935"]; capabilities = [ "HT40+" "LDPC" "SHORT-GI-20" "SHORT-GI-40" "TX-STBC" "RX-STBC1" "MAX-AMSDU-7935" ];
}; };
networks = { networks = {
wlan0 = let wlan0 =
let
iface = "wlan0"; iface = "wlan0";
in { in
{
ssid = "mlsia"; ssid = "mlsia";
bssid = mkBssid 0; bssid = mkBssid 0;
@ -575,7 +600,7 @@ in {
# sae_password_file = config.sops.secrets.wlan0_saePasswordsFile.path; # sae_password_file = config.sops.secrets.wlan0_saePasswordsFile.path;
# enables debug logging # enables debug logging
logger_stdout_level= lib.mkForce 0; logger_stdout_level = lib.mkForce 0;
logger_stdout = -1; logger_stdout = -1;
# logger_syslog_level= lib.mkForce 0; # logger_syslog_level= lib.mkForce 0;
@ -594,10 +619,13 @@ in {
vlan_bridge = "br-${iface}."; vlan_bridge = "br-${iface}.";
*/ */
vlan_file = let vlan_file =
generated = builtins.map (vlanid: let
generated = builtins.map
(vlanid:
"${builtins.toString vlanid} ${iface}.${builtins.toString vlanid}" "${builtins.toString vlanid} ${iface}.${builtins.toString vlanid}"
) vlanRange )
vlanRange
; ;
wildcard = [ wildcard = [
@ -611,7 +639,8 @@ in {
file = pkgs.writeText "hostapd.vlan" file = pkgs.writeText "hostapd.vlan"
(builtins.concatStringsSep "\n" (generated ++ wildcard)); (builtins.concatStringsSep "\n" (generated ++ wildcard));
filePath = toString file; filePath = toString file;
in filePath; in
filePath;
wpa_key_mgmt = lib.mkForce (builtins.concatStringsSep " " [ wpa_key_mgmt = lib.mkForce (builtins.concatStringsSep " " [
"WPA-PSK" "WPA-PSK"
@ -634,10 +663,10 @@ in {
sae_groups = "19 20 21"; sae_groups = "19 20 21";
# [ENABLE-TLSv1.3] = enable TLSv1.3 (experimental - disabled by default) # [ENABLE-TLSv1.3] = enable TLSv1.3 (experimental - disabled by default)
tls_flags= "[ENABLE-TLSv1.3]"; tls_flags = "[ENABLE-TLSv1.3]";
ieee8021x=0; ieee8021x = 0;
eap_server=0; eap_server = 0;
}; };
}; };
@ -797,7 +826,8 @@ in {
local-ttl = 0; local-ttl = 0;
dhcp-ttl = 0; dhcp-ttl = 0;
dhcp-range = let dhcp-range =
let
mkDhcpRange = { tag, vlanid }: builtins.concatStringsSep "," [ mkDhcpRange = { tag, vlanid }: builtins.concatStringsSep "," [
tag tag
(mkVlanIpv4HostAddr { inherit vlanid; host = 100; cidr = false; }) (mkVlanIpv4HostAddr { inherit vlanid; host = 100; cidr = false; })
@ -807,7 +837,7 @@ in {
in in
builtins.map builtins.map
(vlanid: (vlanid:
mkDhcpRange { tag = mkInterfaceName {inherit vlanid;}; inherit vlanid; } mkDhcpRange { tag = mkInterfaceName { inherit vlanid; }; inherit vlanid; }
) )
vlanRangeWith0 vlanRangeWith0
; ;
@ -854,7 +884,9 @@ in {
(vlanid: (vlanid:
builtins.concatStringsSep "," [ builtins.concatStringsSep "," [
# "${getVlanDomain{inherit vlanid;}}" "0.0.0.1" (mkInterfaceName {inherit vlanid;}) # "${getVlanDomain{inherit vlanid;}}" "0.0.0.1" (mkInterfaceName {inherit vlanid;})
"${nodeName}.${getVlanDomain{inherit vlanid;}}" "0.0.0.1" (mkInterfaceName {inherit vlanid;}) "${nodeName}.${getVlanDomain{inherit vlanid;}}"
"0.0.0.1"
(mkInterfaceName { inherit vlanid; })
] ]
) )
vlanRangeWith0 vlanRangeWith0
@ -864,6 +896,11 @@ in {
(vlanid: "${mkInterfaceName {inherit vlanid;}},option:domain-search,${getVlanDomain{inherit vlanid;}}") (vlanid: "${mkInterfaceName {inherit vlanid;}},option:domain-search,${getVlanDomain{inherit vlanid;}}")
vlanRangeWith0 vlanRangeWith0
; ;
cname = [
"mailserver.svc.stefanjunker.de,${exposedHost}"
"www.stefanjunker.de,${exposedHost}"
];
}; };
}; };
@ -881,10 +918,10 @@ in {
# They fail to load properly, leaving the system without working ethernet, they'll oops on # They fail to load properly, leaving the system without working ethernet, they'll oops on
# remove. MTK-DSA parts and PCIe were observed to do this. # remove. MTK-DSA parts and PCIe were observed to do this.
boot.initrd.includeDefaultModules = false; boot.initrd.includeDefaultModules = false;
boot.initrd.kernelModules = ["rfkill" "cfg80211" "mt7915e"]; boot.initrd.kernelModules = [ "rfkill" "cfg80211" "mt7915e" ];
boot.initrd.availableKernelModules = ["nvme"]; boot.initrd.availableKernelModules = [ "nvme" ];
boot.kernelParams = ["console=ttyS0,115200"]; boot.kernelParams = [ "console=ttyS0,115200" ];
hardware.enableRedistributableFirmware = true; hardware.enableRedistributableFirmware = true;
# Wireless hardware exists, regulatory database is essential. # Wireless hardware exists, regulatory database is essential.
hardware.wirelessRegulatoryDatabase = true; hardware.wirelessRegulatoryDatabase = true;
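Review bot: The rule enabled in the `exposeHost` prerouting chain, `"iifname { ${wanInterfaces} } dnat ip to ${exposedHost}"`, carries no protocol or port match, so every IPv4 packet arriving on a WAN-zone interface (the list still includes `lan0`) that is not TCP/220 is rewritten to the exposed host, and the `wan-to-dmz` rule with `verdict = "accept"` then forwards all of it — a whole-host exposure rather than a publish of specific services, which also means the `wan-to-fw` allowance for port 22 never sees WAN traffic because it has already been DNATed away. Restricting the match to the ports the host actually serves, e.g. `"iifname { ${wanInterfaces} } tcp dport { 80, 443 } dnat ip to ${exposedHost}"` (the new `cname` entries for `www` and `mailserver` hint at HTTP(S) and mail; confirm the exact list), keeps every other port on that host closed from the outside. The TODO left directly above the rule still applies now that the line is live: nft resolves `sj-srv1.dmz.internal` when the ruleset is loaded, and if the name is not resolvable at that moment (the dnsmasq instance configured in this same file appears to be what serves `.internal`) the comment's own warning — the whole ruleset fails to load — becomes the failure mode at boot or on every `nixos-rebuild switch`. An address literal instead of a hostname, for instance via the file's `mkVlanIpv4HostAddr { vlanid = …; host = …; cidr = false; }` helper, removes that ordering dependency. The enclosing module attribute set begins at `in {` near the top of the section and continues past its end.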


@ -1,4 +1,5 @@
{lib, ...}: let { lib, ... }:
let
stage1Modules = [ stage1Modules = [
"aesni_intel" "aesni_intel"
"kvm_amd" "kvm_amd"
@ -10,21 +11,13 @@
"usbcore" "usbcore"
"xhci_hcd" "xhci_hcd"
"usbnet"
"snd_usb_audio"
"usbhid" "usbhid"
"snd_usbmidi_lib"
"cdc_mbim"
"cdc_ncm"
"usb_storage" "usb_storage"
"cdc_wdm"
"uvcvideo"
"btusb"
"xhci_pci" "xhci_pci"
"cdc_ether"
"uas" "uas"
]; ];
in { in
{
# TASK: new device # TASK: new device
hardware.opinionatedDisk = { hardware.opinionatedDisk = {
enable = true; enable = true;
@ -37,7 +30,7 @@ in {
# see https://linrunner.de/tlp/ # see https://linrunner.de/tlp/
services.tlp = { services.tlp = {
enable = true; enable = false;
settings = { settings = {
CPU_DRIVER_OPMODE_ON_AC = "active"; CPU_DRIVER_OPMODE_ON_AC = "active";
CPU_DRIVER_OPMODE_ON_BAT = "passive"; CPU_DRIVER_OPMODE_ON_BAT = "passive";
@ -81,7 +74,7 @@ in {
# #DEVICES_TO_DISABLE_ON_WIFI_CONNECT="wwan"; # #DEVICES_TO_DISABLE_ON_WIFI_CONNECT="wwan";
# #DEVICES_TO_DISABLE_ON_WWAN_CONNECT="wifi"; # #DEVICES_TO_DISABLE_ON_WWAN_CONNECT="wifi";
SATA_LINKPWR_ON_AC = "maax_performance"; SATA_LINKPWR_ON_AC = "max_performance";
SATA_LINKPWR_ON_BAT = "min_power"; SATA_LINKPWR_ON_BAT = "min_power";
}; };
}; };
@ -91,16 +84,16 @@ in {
enable = true; enable = true;
levels = [ levels = [
# ["level auto" 0 60] # ["level auto" 0 60]
[0 0 60] [ 0 0 60 ]
[1 60 65] [ 1 60 65 ]
[1 65 75] [ 1 65 75 ]
[2 75 78] [ 2 75 78 ]
[3 78 80] [ 3 78 80 ]
[4 80 82] [ 4 80 82 ]
[5 82 84] [ 5 82 84 ]
[6 84 86] [ 6 84 86 ]
[7 86 88] [ 7 86 88 ]
["level full-speed" 88 999] [ "level full-speed" 88 999 ]
]; ];
extraArgs = [ extraArgs = [