Don't blindly trust as211024

This commit is contained in:
Jack O'Sullivan 2023-12-20 22:59:51 +00:00
parent 0fe863844f
commit e760569b3e
4 changed files with 32 additions and 5 deletions


@ -281,6 +281,25 @@ rec {
}; };
}; };
as211024 = rec {
trusted = {
v4 = [
colony.prefixes.all.v4
home.prefixes.all.v4
tailscale.prefix.v4
];
v6 = [
colony.prefixes.all.v6
home.prefixes.all.v6
tailscale.prefix.v6
];
};
nftTrust = ''
iifname as211024 ip saddr { ${concatStringsSep ", " trusted.v4} } accept
iifname as211024 ip6 saddr { ${concatStringsSep ", " trusted.v6} } accept
'';
};
kelder = { kelder = {
groups = { groups = {
storage = 2000; storage = 2000;
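Review bot: The `nftTrust` string at L29-L32 makes the as211024 interface's trust depend on `ip saddr` / `ip6 saddr` alone, so it is only as strong as the anti-spoofing applied to packets arriving on as211024; nothing in the hunk shows that other peers on that link cannot originate packets carrying colony, home or tailscale source addresses, so confirm that ingress filtering (or the tunnel's own address binding) enforces that. The definition also carries no documentation, and since the snippet is spliced only into forward chains in this commit, a reader may assume it restores the host-input trust that the removed `trustedInterfaces` entries used to provide. Suggest a comment above `nftTrust`, e.g. `# Accept forwarded packets entering via as211024 only from our own prefixes; replaces the blanket trustedInterfaces entry, does not cover the input chain, and assumes as211024 peers cannot spoof these sources`. The enclosing `rec { ... }` attribute set starts and ends outside the hunk.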


@ -150,8 +150,14 @@ in
}; };
firewall = { firewall = {
trustedInterfaces = [ "as211024" "tailscale0" ]; trustedInterfaces = [ "tailscale0" ];
extraRules = '' extraRules = ''
table inet filter {
chain forward {
${lib.my.c.as211024.nftTrust}
oifname as211024 accept
}
}
table inet nat { table inet nat {
chain postrouting { chain postrouting {
iifname tailscale0 oifname veth0 snat ip to ${assignments.vultr.ipv4.address} iifname tailscale0 oifname veth0 snat ip to ${assignments.vultr.ipv4.address}
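Review bot: The new `table inet filter { chain forward { ... } }` block at L45-L50 declares no hook type or policy, so whether non-trusted forwarded traffic entering as211024 is actually dropped depends on a base `forward` chain with a drop policy being defined elsewhere (presumably by the shared firewall module, as the pre-existing `table inet nat` block suggests); if the chain is instead created fresh by this snippet it is an unhooked regular chain and the two accept rules never match. Worth confirming, and a one-line comment such as `# appended to the base forward chain; the drop default comes from the firewall module` would make the assumption explicit. Note too that removing `"as211024"` from `trustedInterfaces` at L43 also removes it from the input path, so host-bound traffic from as211024 is now limited to the allowed-port lists; the same applies to the third and fourth file sections, which likewise splice `nftTrust` into forward only. The `extraRules` string continues beyond the hunk.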


@ -366,7 +366,6 @@ in
}; };
}; };
firewall = { firewall = {
trustedInterfaces = [ "as211024" ];
udp.allowed = [ 5353 lib.my.c.kelder.vpn.port ]; udp.allowed = [ 5353 lib.my.c.kelder.vpn.port ];
tcp.allowed = [ 5353 "bgp" ]; tcp.allowed = [ 5353 "bgp" ];
nat = { nat = {
@ -416,7 +415,8 @@ in
} }
chain forward { chain forward {
iifname { wan, $ixps } oifname base jump filter-routing ${lib.my.c.as211024.nftTrust}
iifname { wan, as211024, $ixps } oifname base jump filter-routing
oifname $ixps jump ixp oifname $ixps jump ixp
iifname base oifname { base, wan, $ixps } accept iifname base oifname { base, wan, $ixps } accept
oifname { as211024, kelder } accept oifname { as211024, kelder } accept


@ -311,7 +311,7 @@ in
}; };
}; };
firewall = { firewall = {
trustedInterfaces = [ "lan-hi" "lan-lo" "as211024" ]; trustedInterfaces = [ "lan-hi" "lan-lo" ];
udp.allowed = [ 5353 ]; udp.allowed = [ 5353 ];
tcp.allowed = [ 5353 ]; tcp.allowed = [ 5353 ];
nat = { nat = {
@ -358,8 +358,10 @@ in
} }
chain forward { chain forward {
${lib.my.c.as211024.nftTrust}
iifname lan-untrusted jump filter-untrusted iifname lan-untrusted jump filter-untrusted
iifname { wan, lan-untrusted } oifname { lan-hi, lan-lo } jump filter-routing iifname { wan, as211024, lan-untrusted } oifname { lan-hi, lan-lo } jump filter-routing
oifname as211024 accept
} }
chain output { } chain output { }
} }