dev/nixfiles
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity

Compare commits

base: dev:1e66a993521cc5cd8d6a155cff23da0c0447060e
Branches Tags
dev:master
dev:fastback-ssh
dev:installer
..
compare: dev:b48e7b1c33d04bd7f521587b68c60b044a1cc7b2
Branches Tags
dev:master
dev:fastback-ssh
dev:installer

No commits in common. "1e66a993521cc5cd8d6a155cff23da0c0447060e" and "b48e7b1c33d04bd7f521587b68c60b044a1cc7b2" have entirely different histories.
1e66a99352 ... b48e7b1c33

5 changed files with 10 additions and 53 deletions
Show Stats Expand all files Collapse all files

19
lib/constants.nix
View File

@ -281,25 +281,6 @@ rec {
}; };
}; };
as211024 = rec {
trusted = {
v4 = [
colony.prefixes.all.v4
home.prefixes.all.v4
tailscale.prefix.v4
];
v6 = [
colony.prefixes.all.v6
home.prefixes.all.v6
tailscale.prefix.v6
];
};
nftTrust = ''
iifname as211024 ip saddr { ${concatStringsSep ", " trusted.v4} } accept
iifname as211024 ip6 saddr { ${concatStringsSep ", " trusted.v6} } accept
'';
};
kelder = { kelder = {
groups = { groups = {
storage = 2000; storage = 2000;

8
nixos/boxes/britway/default.nix
View File

@ -150,14 +150,8 @@ in
}; };
firewall = { firewall = {
trustedInterfaces = [ "tailscale0" ]; trustedInterfaces = [ "as211024" "tailscale0" ];
extraRules = '' extraRules = ''
table inet filter {
chain forward {
${lib.my.as211024.nftTrust}
oifname as211024 accept
}
}
table inet nat { table inet nat {
chain postrouting { chain postrouting {
iifname tailscale0 oifname veth0 snat ip to ${assignments.vultr.ipv4.address} iifname tailscale0 oifname veth0 snat ip to ${assignments.vultr.ipv4.address}

8
nixos/boxes/colony/vms/estuary/bgp.nix
View File

@ -27,9 +27,7 @@ in
define HOMENET6 = ${homenet6}; define HOMENET6 = ${homenet6};
define OWNIP6 = ${assignments.base.ipv6.address}; define OWNIP6 = ${assignments.base.ipv6.address};
# we have issues with sending ICMPv6 too big back on the wrong interface right now... define OWNNETSET6 = [ ${intnet6}, ${amsnet6}, ${homenet6} ];
define OWNNETSET6 = [ ${intnet6}, ${amsnet6} ];
define CCNETSET6 = [ ];
#define TRANSSET6 = [ ::1/128 ]; #define TRANSSET6 = [ ::1/128 ];
define DUB1IP6 = ${lib.my.c.home.vips.as211024.v6}; define DUB1IP6 = ${lib.my.c.home.vips.as211024.v6};
@ -44,7 +42,7 @@ in
if net ~ OWNNETSET4 || net ~ OWNNETSET6 then accept; else reject; if net ~ OWNNETSET4 || net ~ OWNNETSET6 then accept; else reject;
} }
filter bgp_export_cc { filter bgp_export_cc {
if net ~ OWNNETSET4 || net ~ OWNNETSET6 || net ~ CCNETSET4 || net ~ CCNETSET6 then accept; else reject; if net ~ OWNNETSET4 || net ~ OWNNETSET6 || net ~ CCNETSET4 then accept; else reject;
} }
router id from "wan"; router id from "wan";
@ -190,12 +188,10 @@ in
protocol bgp upstream6_coloclue_eun2 from upstream_bgp6 { protocol bgp upstream6_coloclue_eun2 from upstream_bgp6 {
description "ColoClue euNetworks 2 (IPv6)"; description "ColoClue euNetworks 2 (IPv6)";
neighbor 2a02:898:0:20::e2 as 8283; neighbor 2a02:898:0:20::e2 as 8283;
ipv6 { export filter bgp_export_cc; };
} }
protocol bgp upstream6_coloclue_eun3 from upstream_bgp6 { protocol bgp upstream6_coloclue_eun3 from upstream_bgp6 {
description "ColoClue euNetworks 3 (IPv6)"; description "ColoClue euNetworks 3 (IPv6)";
neighbor 2a02:898:0:20::e1 as 8283; neighbor 2a02:898:0:20::e1 as 8283;
ipv6 { export filter bgp_export_cc; };
} }
protocol bgp upstream6_ifog from upstream_bgp6 { protocol bgp upstream6_ifog from upstream_bgp6 {

4
nixos/boxes/colony/vms/estuary/default.nix
View File

@ -366,6 +366,7 @@ in
}; };
}; };
firewall = { firewall = {
trustedInterfaces = [ "as211024" ];
udp.allowed = [ 5353 lib.my.c.kelder.vpn.port ]; udp.allowed = [ 5353 lib.my.c.kelder.vpn.port ];
tcp.allowed = [ 5353 "bgp" ]; tcp.allowed = [ 5353 "bgp" ];
nat = { nat = {
@ -415,8 +416,7 @@ in
} }
chain forward { chain forward {
${lib.my.c.as211024.nftTrust} iifname { wan, $ixps } oifname base jump filter-routing
iifname { wan, as211024, $ixps } oifname base jump filter-routing
oifname $ixps jump ixp oifname $ixps jump ixp
iifname base oifname { base, wan, $ixps } accept iifname base oifname { base, wan, $ixps } accept
oifname { as211024, kelder } accept oifname { as211024, kelder } accept

24
nixos/boxes/home/routing-common/default.nix
View File

@ -311,18 +311,14 @@ in
}; };
}; };
firewall = { firewall = {
trustedInterfaces = [ "lan-hi" "lan-lo" ]; trustedInterfaces = [ "lan-hi" "lan-lo" "as211024" ];
udp.allowed = [ 5353 ]; udp.allowed = [ 5353 ];
tcp.allowed = [ 5353 ]; tcp.allowed = [ 5353 ];
nat = { nat = {
enable = true; enable = true;
externalInterface = "wan"; externalInterface = "wan";
}; };
extraRules = extraRules = ''
let
aa = allAssignments;
in
''
table inet filter { table inet filter {
chain input { chain input {
iifname base meta l4proto { udp, tcp } th dport domain accept iifname base meta l4proto { udp, tcp } th dport domain accept
@ -330,16 +326,8 @@ in
} }
chain routing-tcp { chain routing-tcp {
ip daddr { # Safe enough to allow all SSH
${aa.castle.hi.ipv4.address}, tcp dport ssh accept
${aa.cellar.hi.ipv4.address},
${aa.palace.hi.ipv4.address}
} tcp dport ssh accept
ip6 daddr {
${aa.castle.hi.ipv6.address},
${aa.cellar.hi.ipv6.address},
${aa.palace.hi.ipv6.address}
} tcp dport ssh accept
return return
} }
@ -358,10 +346,8 @@ in
} }
chain forward { chain forward {
${lib.my.c.as211024.nftTrust}
iifname lan-untrusted jump filter-untrusted iifname lan-untrusted jump filter-untrusted
iifname { wan, as211024, lan-untrusted } oifname { lan-hi, lan-lo } jump filter-routing iifname { wan, lan-untrusted } oifname { lan-hi, lan-lo } jump filter-routing
oifname as211024 accept
} }
chain output { } chain output { }
} }