nixos: Test setup with public networking

This commit is contained in:
Jack O'Sullivan 2022-05-28 22:59:50 +01:00
parent 32421f7af1
commit e6e4a1d38e
6 changed files with 98 additions and 51 deletions


@ -153,7 +153,7 @@ rec {
filterOpts = filterAttrsRecursive (_: v: v != null);
};
colonyDomain = "fra1.int.nul.ie";
colonyDomain = "test.int.nul.ie";
# Shouldn't need this hopefully (IPv6 RA)
colonyDNS = {
domains = [ colonyDomain ];


@ -8,14 +8,16 @@
internal = {
altNames = [ "vm" ];
ipv4.address = "10.100.0.2";
ipv6.address = "2a0e:97c0:4d1:0::2";
#ipv6.address = "2a0e:97c0:4d1:0::2";
ipv6.address = "2a0e:97c0:4d0:bbb0::2";
};
vms = {
ipv4 = {
address = "10.100.1.1";
gateway = null;
};
ipv6.address = "2a0e:97c0:4d1:1::1";
#ipv6.address = "2a0e:97c0:4d1:1::1";
ipv6.address = "2a0e:97c0:4d0:bbb1::1";
};
};
@ -27,7 +29,7 @@
{
imports = [ "${modulesPath}/profiles/qemu-guest.nix" ./vms.nix ];
networking.domain = "fra1.int.nul.ie";
networking.domain = lib.my.colonyDomain;
boot.kernelParams = [ "intel_iommu=on" ];
boot.loader.systemd-boot.configurationLimit = 20;
@ -96,7 +98,8 @@
};
ipv6Prefixes = [
{
ipv6PrefixConfig.Prefix = "2a0e:97c0:4d1:1::/64";
#ipv6PrefixConfig.Prefix = "2a0e:97c0:4d1:1::/64";
ipv6PrefixConfig.Prefix = "2a0e:97c0:4d0:bbb1::/64";
}
];
}
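Review bot: The test prefixes are pasted as literals three times in this file (`2a0e:97c0:4d0:bbb0::2`, `2a0e:97c0:4d0:bbb1::1`, `2a0e:97c0:4d0:bbb1::/64`) while the domain on the same hunk's `networking.domain = lib.my.colonyDomain;` line is now read from one central value, and the same literals recur in the other files of this commit. Keeping the prefix next to `colonyDomain` in `lib.my` (e.g. `colonyPrefix6 = "2a0e:97c0:4d0:bbb";`) would make the planned move back to the production net a single edit instead of a search across files. The old addresses survive only as commented-out lines with no hint of their purpose; a short annotation such as `# TODO: restore the 2a0e:97c0:4d1::/48 addresses when moving to the proper net` would match the TODO this commit leaves in the pdns config and stop the dead lines from being silently deleted later.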


@ -3,10 +3,43 @@ let
inherit (lib) optionalString concatStringsSep concatMapStringsSep optionalAttrs mkIf mkDefault mkMerge mkOverride;
inherit (lib.my) parseIPPort mkOpt' mkBoolOpt';
allowICMP = ''
icmp type {
destination-unreachable,
router-solicitation,
router-advertisement,
time-exceeded,
parameter-problem,
echo-request
} accept
'';
allowICMP6 = ''
icmpv6 type {
destination-unreachable,
packet-too-big,
time-exceeded,
parameter-problem,
mld-listener-query,
mld-listener-report,
mld-listener-reduction,
nd-router-solicit,
nd-router-advert,
nd-neighbor-solicit,
nd-neighbor-advert,
ind-neighbor-solicit,
ind-neighbor-advert,
mld2-listener-report,
echo-request
} accept
'';
allowUDPTraceroute = ''
udp dport 33434-33625 accept
'';
forwardOpts = with lib.types; {
options = {
proto = mkOpt' (enum [ "tcp" "udp" ]) "tcp" "Protocol.";
port = mkOpt' (either port str) null "Incoming port";
port = mkOpt' (either port str) null "Incoming port.";
dst = mkOpt' str null "Destination (ip:port).";
};
};
@ -23,6 +56,7 @@ in
};
udp = {
allowed = mkOpt' (listOf (either port str)) [ ] "UDP ports to open.";
allowTraceroute = mkBoolOpt' true "Whethor or not to add a rule to accept UDP traceroute packets.";
};
extraRules = mkOpt' lines "" "Arbitrary additional nftables rules.";
@ -55,37 +89,15 @@ in
}
chain wan {
ip protocol icmp icmp type {
destination-unreachable,
router-solicitation,
router-advertisement,
time-exceeded,
parameter-problem,
echo-request
} accept
${allowICMP}
ip protocol igmp accept
ip protocol tcp tcp flags & (fin|syn|rst|ack) == syn ct state new jump wan-tcp
ip protocol udp ct state new jump wan-udp
${allowICMP6}
${allowUDPTraceroute}
ip6 nexthdr icmpv6 icmpv6 type {
destination-unreachable,
packet-too-big,
time-exceeded,
parameter-problem,
mld-listener-query,
mld-listener-report,
mld-listener-reduction,
nd-router-solicit,
nd-router-advert,
nd-neighbor-solicit,
nd-neighbor-advert,
ind-neighbor-solicit,
ind-neighbor-advert,
mld2-listener-report,
echo-request
} accept
ip6 nexthdr tcp tcp flags & (fin|syn|rst|ack) == syn ct state new jump wan-tcp
ip6 nexthdr udp ct state new jump wan-udp
tcp flags & (fin|syn|rst|ack) == syn ct state new jump wan-tcp
meta l4proto udp ct state new jump wan-udp
return
}
chain input {
@ -102,6 +114,10 @@ in
type filter hook forward priority 0; policy drop;
${optionalString (cfg.trustedInterfaces != []) "\n iifname ${trusted'} accept\n"}
ct state related,established accept
${allowICMP}
${allowICMP6}
${allowUDPTraceroute}
}
chain output {
type filter hook output priority 0; policy accept;
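Review bot: The new `udp.allowTraceroute` option is declared with default true, but the rules interpolate `${allowUDPTraceroute}` unconditionally in both the `wan` chain and the `forward` chain, so setting the option to false has no effect unless it is consulted somewhere outside these hunks. Since `cfg` is already in scope in this file (the forward chain reads `cfg.trustedInterfaces`) and `optionalString` is inherited at the top, the let binding can gate it: `allowUDPTraceroute = optionalString cfg.udp.allowTraceroute ''udp dport 33434-33625 accept'';`. Note that in the `forward` chain this accepts new UDP datagrams to 33434-33625 toward any forwarded destination regardless of interface, which is a wider effect than in the `wan` input chain; a comment saying that is intended, or an `iifname` restriction, would help the next reader. The option description also has a typo: `Whethor` should be `Whether`.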


@ -11,7 +11,7 @@ let
toBool = val: if val then "yes" else "no";
serialize = val: with lib.types;
if str.check val then val
if str.check val then val
else if int.check val then toString val
else if path.check val then toString val
else if bool.check val then toBool val


@ -11,7 +11,8 @@
address = "10.100.0.1";
gateway = null;
};
ipv6.address = "2a0e:97c0:4d1:0::1";
#ipv6.address = "2a0e:97c0:4d1:0::1";
ipv6.address = "2a0e:97c0:4d0:bbb0::1";
};
configuration = { lib, pkgs, modulesPath, config, assignments, allAssignments, ... }:
@ -62,13 +63,6 @@
};
networks = {
#"80-wan" = {
# matchConfig.Name = "wan";
# address = [
# "1.2.3.4/24"
# "2a00::2/64"
# ];
#};
"80-wan" = {
matchConfig.Name = "wan";
DHCP = "ipv4";
@ -76,6 +70,13 @@
UseDNS = false;
UseHostname = false;
};
address = [
"2a0e:97c0:4d0:bbbf::1/64"
];
gateway = [
"fe80::215:17ff:fe4b:494a"
];
networkConfig.IPv6AcceptRA = false;
};
"80-base" = mkMerge [
(networkdAssignment "base" assignments.internal)
@ -92,7 +93,8 @@
};
ipv6Prefixes = [
{
ipv6PrefixConfig.Prefix = "2a0e:97c0:4d1:0::/64";
#ipv6PrefixConfig.Prefix = "2a0e:97c0:4d1:0::/64";
ipv6PrefixConfig.Prefix = "2a0e:97c0:4d0:bbb0::/64";
}
];
}
@ -101,17 +103,40 @@
};
my = {
#deploy.generate.system.mode = "boot";
secrets.key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPhxM5mnguExkcLue47QKk1vA72OoPc3HOqqoHqHHfa1";
server.enable = true;
firewall = {
trustedInterfaces = [ "base" ];
udp.allowed = [ 5353 ];
tcp.allowed = [ 5353 ];
nat = {
enable = true;
externalInterface = "wan";
};
extraRules = ''
table nat {
table inet filter {
chain routing-tcp {
# Safe enough to allow all SSH
tcp dport ssh accept
}
chain routing-udp {
}
chain filter-routing {
tcp flags & (fin|syn|rst|ack) == syn ct state new jump routing-tcp
meta l4proto udp ct state new jump routing-udp
return
}
chain forward {
iifname wan oifname base jump filter-routing
}
}
table inet nat {
chain prerouting {
iifname wan meta l4proto { udp, tcp } th dport domain redirect to :5353
}
chain postrouting {
ip saddr 10.100.0.0/16 masquerade
}


@ -5,8 +5,8 @@ let
ptrDots = 2;
reverseZone = "100.10.in-addr.arpa";
ptrDots6 = 20;
reverseZone6 = "1.d.4.0.0.c.7.9.e.0.a.2.ip6.arpa";
ptrDots6 = 17;
reverseZone6 = "b.b.b.0.d.4.0.0.c.7.9.e.0.a.2.ip6.arpa";
authZones = attrNames config.my.pdns.auth.bind.zones;
in
@ -22,6 +22,8 @@ in
allowFrom = [
"127.0.0.0/8" "::1/128"
"10.100.0.0/16" "2a0e:97c0:4d1::/48"
# TODO: Remove when moving to proper net!
"2a0e:97c0:4d0::/48"
];
};
forwardZones = genAttrs authZones (_: "127.0.0.1:5353");
@ -46,8 +48,8 @@ in
resolver = "127.0.0.1";
expand-alias = true;
local-address = [
"127.0.0.1:5353" "[::]:5353"
] ++ (optional (!config.my.build.isDevVM) "192.168.122.126");
"0.0.0.0:5353" "[::]:5353"
];
also-notify = [ "127.0.0.1" ];
};
@ -85,7 +87,8 @@ in
)
@ IN NS ns
ns IN ALIAS ${config.networking.fqdn}.
ns IN A 188.141.14.6
ns IN AAAA 2a0e:97c0:4d0:bbbf::1
@ IN ALIAS ${config.networking.fqdn}.
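Review bot: `allowFrom` on the recursor now admits the whole `2a0e:97c0:4d0::/48`, but every address this commit uses sits in `2a0e:97c0:4d0:bbb0::/64`, `bbb1::/64` and `bbbf::/64`, and the reverse zone added here covers only `bbb0::/60`; if the rest of that /48 belongs to other tenants of the upstream network, the recursor becomes an open resolver for them. Listing the /60 instead, `"2a0e:97c0:4d0:bbb0::/60"`, keeps the TODO meaningful and matches the reverse-zone change. The authoritative server's `local-address` also moves from loopback to `"0.0.0.0:5353" "[::]:5353"`, which the WAN `redirect to :5353` rule in this commit requires; a comment on that line, `# bound on all addresses; the firewall limits who reaches 5353`, would record that the exposure is deliberate and where it is controlled.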