nixos: Test setup with public networking

This commit is contained in:
Jack O'Sullivan 2022-05-28 22:59:50 +01:00
parent 32421f7af1
commit e6e4a1d38e
6 changed files with 98 additions and 51 deletions


@ -153,7 +153,7 @@ rec {
filterOpts = filterAttrsRecursive (_: v: v != null); filterOpts = filterAttrsRecursive (_: v: v != null);
}; };
colonyDomain = "fra1.int.nul.ie"; colonyDomain = "test.int.nul.ie";
# Shouldn't need this hopefully (IPv6 RA) # Shouldn't need this hopefully (IPv6 RA)
colonyDNS = { colonyDNS = {
domains = [ colonyDomain ]; domains = [ colonyDomain ];


@ -8,14 +8,16 @@
internal = { internal = {
altNames = [ "vm" ]; altNames = [ "vm" ];
ipv4.address = "10.100.0.2"; ipv4.address = "10.100.0.2";
ipv6.address = "2a0e:97c0:4d1:0::2"; #ipv6.address = "2a0e:97c0:4d1:0::2";
ipv6.address = "2a0e:97c0:4d0:bbb0::2";
}; };
vms = { vms = {
ipv4 = { ipv4 = {
address = "10.100.1.1"; address = "10.100.1.1";
gateway = null; gateway = null;
}; };
ipv6.address = "2a0e:97c0:4d1:1::1"; #ipv6.address = "2a0e:97c0:4d1:1::1";
ipv6.address = "2a0e:97c0:4d0:bbb1::1";
}; };
}; };
@ -27,7 +29,7 @@
{ {
imports = [ "${modulesPath}/profiles/qemu-guest.nix" ./vms.nix ]; imports = [ "${modulesPath}/profiles/qemu-guest.nix" ./vms.nix ];
networking.domain = "fra1.int.nul.ie"; networking.domain = lib.my.colonyDomain;
boot.kernelParams = [ "intel_iommu=on" ]; boot.kernelParams = [ "intel_iommu=on" ];
boot.loader.systemd-boot.configurationLimit = 20; boot.loader.systemd-boot.configurationLimit = 20;
@ -96,7 +98,8 @@
}; };
ipv6Prefixes = [ ipv6Prefixes = [
{ {
ipv6PrefixConfig.Prefix = "2a0e:97c0:4d1:1::/64"; #ipv6PrefixConfig.Prefix = "2a0e:97c0:4d1:1::/64";
ipv6PrefixConfig.Prefix = "2a0e:97c0:4d0:bbb1::/64";
} }
]; ];
} }
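Review bot: The old fra1 addresses are kept as commented-out lines next to each new value (`#ipv6.address = "2a0e:97c0:4d1:0::2";`, `#ipv6PrefixConfig.Prefix = "2a0e:97c0:4d1:1::/64";`), which leaves three copies of the same dead data to keep in sync with the real prefix change. A single comment at the top of the assignments, `# Temporary test prefix; production is 2a0e:97c0:4d1::/48 (see colonyDomain)`, says the same thing once and is harder to forget when the move back happens. The switch of `networking.domain` to `lib.my.colonyDomain` is the right direction and could be applied to the other hard-coded occurrences of the domain too. The enclosing attribute set starts and ends outside this hunk.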


@ -3,10 +3,43 @@ let
inherit (lib) optionalString concatStringsSep concatMapStringsSep optionalAttrs mkIf mkDefault mkMerge mkOverride; inherit (lib) optionalString concatStringsSep concatMapStringsSep optionalAttrs mkIf mkDefault mkMerge mkOverride;
inherit (lib.my) parseIPPort mkOpt' mkBoolOpt'; inherit (lib.my) parseIPPort mkOpt' mkBoolOpt';
allowICMP = ''
icmp type {
destination-unreachable,
router-solicitation,
router-advertisement,
time-exceeded,
parameter-problem,
echo-request
} accept
'';
allowICMP6 = ''
icmpv6 type {
destination-unreachable,
packet-too-big,
time-exceeded,
parameter-problem,
mld-listener-query,
mld-listener-report,
mld-listener-reduction,
nd-router-solicit,
nd-router-advert,
nd-neighbor-solicit,
nd-neighbor-advert,
ind-neighbor-solicit,
ind-neighbor-advert,
mld2-listener-report,
echo-request
} accept
'';
allowUDPTraceroute = ''
udp dport 33434-33625 accept
'';
forwardOpts = with lib.types; { forwardOpts = with lib.types; {
options = { options = {
proto = mkOpt' (enum [ "tcp" "udp" ]) "tcp" "Protocol."; proto = mkOpt' (enum [ "tcp" "udp" ]) "tcp" "Protocol.";
port = mkOpt' (either port str) null "Incoming port"; port = mkOpt' (either port str) null "Incoming port.";
dst = mkOpt' str null "Destination (ip:port)."; dst = mkOpt' str null "Destination (ip:port).";
}; };
}; };
@ -23,6 +56,7 @@ in
}; };
udp = { udp = {
allowed = mkOpt' (listOf (either port str)) [ ] "UDP ports to open."; allowed = mkOpt' (listOf (either port str)) [ ] "UDP ports to open.";
allowTraceroute = mkBoolOpt' true "Whethor or not to add a rule to accept UDP traceroute packets.";
}; };
extraRules = mkOpt' lines "" "Arbitrary additional nftables rules."; extraRules = mkOpt' lines "" "Arbitrary additional nftables rules.";
@ -55,37 +89,15 @@ in
} }
chain wan { chain wan {
ip protocol icmp icmp type { ${allowICMP}
destination-unreachable,
router-solicitation,
router-advertisement,
time-exceeded,
parameter-problem,
echo-request
} accept
ip protocol igmp accept ip protocol igmp accept
ip protocol tcp tcp flags & (fin|syn|rst|ack) == syn ct state new jump wan-tcp ${allowICMP6}
ip protocol udp ct state new jump wan-udp ${allowUDPTraceroute}
ip6 nexthdr icmpv6 icmpv6 type { tcp flags & (fin|syn|rst|ack) == syn ct state new jump wan-tcp
destination-unreachable, meta l4proto udp ct state new jump wan-udp
packet-too-big,
time-exceeded, return
parameter-problem,
mld-listener-query,
mld-listener-report,
mld-listener-reduction,
nd-router-solicit,
nd-router-advert,
nd-neighbor-solicit,
nd-neighbor-advert,
ind-neighbor-solicit,
ind-neighbor-advert,
mld2-listener-report,
echo-request
} accept
ip6 nexthdr tcp tcp flags & (fin|syn|rst|ack) == syn ct state new jump wan-tcp
ip6 nexthdr udp ct state new jump wan-udp
} }
chain input { chain input {
@ -102,6 +114,10 @@ in
type filter hook forward priority 0; policy drop; type filter hook forward priority 0; policy drop;
${optionalString (cfg.trustedInterfaces != []) "\n iifname ${trusted'} accept\n"} ${optionalString (cfg.trustedInterfaces != []) "\n iifname ${trusted'} accept\n"}
ct state related,established accept ct state related,established accept
${allowICMP}
${allowICMP6}
${allowUDPTraceroute}
} }
chain output { chain output {
type filter hook output priority 0; policy accept; type filter hook output priority 0; policy accept;
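Review bot: The new `udp.allowTraceroute` option is declared but, in the hunks shown, `${allowUDPTraceroute}` is interpolated unconditionally into both `chain wan` and `chain forward`, so setting it to `false` has no effect; wrap both uses as `${optionalString cfg.udp.allowTraceroute allowUDPTraceroute}`. In the forward chain that rule, together with `echo-request`, now accepts unsolicited UDP 33434-33625 toward every forwarded destination regardless of ingress interface, which is more than the wan chain's input-only treatment implied before. The option description also has a typo: `Whether or not to add a rule to accept UDP traceroute packets.`. The module's option set and ruleset string start and end outside this hunk.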


@ -11,7 +11,7 @@ let
toBool = val: if val then "yes" else "no"; toBool = val: if val then "yes" else "no";
serialize = val: with lib.types; serialize = val: with lib.types;
if str.check val then val if str.check val then val
else if int.check val then toString val else if int.check val then toString val
else if path.check val then toString val else if path.check val then toString val
else if bool.check val then toBool val else if bool.check val then toBool val


@ -11,7 +11,8 @@
address = "10.100.0.1"; address = "10.100.0.1";
gateway = null; gateway = null;
}; };
ipv6.address = "2a0e:97c0:4d1:0::1"; #ipv6.address = "2a0e:97c0:4d1:0::1";
ipv6.address = "2a0e:97c0:4d0:bbb0::1";
}; };
configuration = { lib, pkgs, modulesPath, config, assignments, allAssignments, ... }: configuration = { lib, pkgs, modulesPath, config, assignments, allAssignments, ... }:
@ -62,13 +63,6 @@
}; };
networks = { networks = {
#"80-wan" = {
# matchConfig.Name = "wan";
# address = [
# "1.2.3.4/24"
# "2a00::2/64"
# ];
#};
"80-wan" = { "80-wan" = {
matchConfig.Name = "wan"; matchConfig.Name = "wan";
DHCP = "ipv4"; DHCP = "ipv4";
@ -76,6 +70,13 @@
UseDNS = false; UseDNS = false;
UseHostname = false; UseHostname = false;
}; };
address = [
"2a0e:97c0:4d0:bbbf::1/64"
];
gateway = [
"fe80::215:17ff:fe4b:494a"
];
networkConfig.IPv6AcceptRA = false;
}; };
"80-base" = mkMerge [ "80-base" = mkMerge [
(networkdAssignment "base" assignments.internal) (networkdAssignment "base" assignments.internal)
@ -92,7 +93,8 @@
}; };
ipv6Prefixes = [ ipv6Prefixes = [
{ {
ipv6PrefixConfig.Prefix = "2a0e:97c0:4d1:0::/64"; #ipv6PrefixConfig.Prefix = "2a0e:97c0:4d1:0::/64";
ipv6PrefixConfig.Prefix = "2a0e:97c0:4d0:bbb0::/64";
} }
]; ];
} }
@ -101,17 +103,40 @@
}; };
my = { my = {
#deploy.generate.system.mode = "boot";
secrets.key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPhxM5mnguExkcLue47QKk1vA72OoPc3HOqqoHqHHfa1"; secrets.key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPhxM5mnguExkcLue47QKk1vA72OoPc3HOqqoHqHHfa1";
server.enable = true; server.enable = true;
firewall = { firewall = {
trustedInterfaces = [ "base" ]; trustedInterfaces = [ "base" ];
udp.allowed = [ 5353 ];
tcp.allowed = [ 5353 ];
nat = { nat = {
enable = true; enable = true;
externalInterface = "wan"; externalInterface = "wan";
}; };
extraRules = '' extraRules = ''
table nat { table inet filter {
chain routing-tcp {
# Safe enough to allow all SSH
tcp dport ssh accept
}
chain routing-udp {
}
chain filter-routing {
tcp flags & (fin|syn|rst|ack) == syn ct state new jump routing-tcp
meta l4proto udp ct state new jump routing-udp
return
}
chain forward {
iifname wan oifname base jump filter-routing
}
}
table inet nat {
chain prerouting {
iifname wan meta l4proto { udp, tcp } th dport domain redirect to :5353
}
chain postrouting { chain postrouting {
ip saddr 10.100.0.0/16 masquerade ip saddr 10.100.0.0/16 masquerade
} }
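Review bot: `tcp dport ssh accept` in `routing-tcp` forwards new SSH connections from `wan` to every host behind `base`, and because the base network now carries globally routed IPv6 (`2a0e:97c0:4d0:bbb0::/64`) this exposes port 22 of each guest to the internet with no rate limit; the comment "Safe enough to allow all SSH" assumes every guest enforces key-only auth, which nothing in this commit verifies. At minimum consider `tcp dport ssh ct state new limit rate 10/minute accept` or limiting the rule to named destination addresses. Separately, the prerouting rule `iifname wan meta l4proto { udp, tcp } th dport domain redirect to :5353` rewrites any DNS packet arriving on wan, including traffic addressed to a guest's public IPv6 address; adding `fib daddr type local` keeps the redirect to the host's own addresses. The enclosing configuration function starts and ends outside this hunk.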


@ -5,8 +5,8 @@ let
ptrDots = 2; ptrDots = 2;
reverseZone = "100.10.in-addr.arpa"; reverseZone = "100.10.in-addr.arpa";
ptrDots6 = 20; ptrDots6 = 17;
reverseZone6 = "1.d.4.0.0.c.7.9.e.0.a.2.ip6.arpa"; reverseZone6 = "b.b.b.0.d.4.0.0.c.7.9.e.0.a.2.ip6.arpa";
authZones = attrNames config.my.pdns.auth.bind.zones; authZones = attrNames config.my.pdns.auth.bind.zones;
in in
@ -22,6 +22,8 @@ in
allowFrom = [ allowFrom = [
"127.0.0.0/8" "::1/128" "127.0.0.0/8" "::1/128"
"10.100.0.0/16" "2a0e:97c0:4d1::/48" "10.100.0.0/16" "2a0e:97c0:4d1::/48"
# TODO: Remove when moving to proper net!
"2a0e:97c0:4d0::/48"
]; ];
}; };
forwardZones = genAttrs authZones (_: "127.0.0.1:5353"); forwardZones = genAttrs authZones (_: "127.0.0.1:5353");
@ -46,8 +48,8 @@ in
resolver = "127.0.0.1"; resolver = "127.0.0.1";
expand-alias = true; expand-alias = true;
local-address = [ local-address = [
"127.0.0.1:5353" "[::]:5353" "0.0.0.0:5353" "[::]:5353"
] ++ (optional (!config.my.build.isDevVM) "192.168.122.126"); ];
also-notify = [ "127.0.0.1" ]; also-notify = [ "127.0.0.1" ];
}; };
@ -85,7 +87,8 @@ in
) )
@ IN NS ns @ IN NS ns
ns IN ALIAS ${config.networking.fqdn}. ns IN A 188.141.14.6
ns IN AAAA 2a0e:97c0:4d0:bbbf::1
@ IN ALIAS ${config.networking.fqdn}. @ IN ALIAS ${config.networking.fqdn}.
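Review bot: The recursor `allowFrom` now admits the whole `2a0e:97c0:4d0::/48`, while every address configured in this commit falls in `2a0e:97c0:4d0:bbb0::/60` (bbb0, bbb1, bbbf); if that /48 is shared with other tenants and the recursor listens on a reachable address, this permits third parties to use it for recursion, which is the classic open-resolver amplification setup. Narrow it to the prefix actually assigned, e.g. `"2a0e:97c0:4d0:bbb0::/60"`, and keep the TODO. Also, `ns IN A 188.141.14.6` is hard-coded while the wan interface now takes IPv4 from DHCP, so the glue will silently go stale if the lease changes; a comment such as `# NOTE: wan IPv4 is DHCP-assigned, keep in sync` would at least flag it. The `local-address` change to `0.0.0.0:5353`/`[::]:5353` also binds the authoritative server on every interface, not only the redirected wan port. The enclosing module starts and ends outside this hunk.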