dev/nixfiles
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity

Compare commits

base: dev:master
Branches Tags
dev:master dev:fastback-ssh
dev:installer
...
compare: dev:1e66a993521cc5cd8d6a155cff23da0c0447060e
Branches Tags
dev:master dev:fastback-ssh
dev:installer

1 Commits
master ... 1e66a99352

Author SHA1 Message Date
Jack O'Sullivan
1e66a99352 Don't blindly trust as211024
Some checks failed
CI / Check, build and cache Nix flake (push) Failing after 2m4s
Details
2023-12-20 22:59:51 +00:00
4 changed files with 32 additions and 5 deletions
Expand all files Collapse all files

19
lib/constants.nix
View File

@@ -281,6 +281,25 @@ rec {
}; };
}; };
as211024 = rec {
trusted = {
v4 = [
colony.prefixes.all.v4
home.prefixes.all.v4
tailscale.prefix.v4
];
v6 = [
colony.prefixes.all.v6
home.prefixes.all.v6
tailscale.prefix.v6
];
};
nftTrust = ''
iifname as211024 ip saddr { ${concatStringsSep ", " trusted.v4} } accept
iifname as211024 ip6 saddr { ${concatStringsSep ", " trusted.v6} } accept
'';
};
kelder = { kelder = {
groups = { groups = {
storage = 2000; storage = 2000;

8
nixos/boxes/britway/default.nix
View File

@@ -150,8 +150,14 @@ in
}; };
firewall = { firewall = {
trustedInterfaces = [ "as211024" "tailscale0" ]; trustedInterfaces = [ "tailscale0" ];
extraRules = '' extraRules = ''
table inet filter {
chain forward {
${lib.my.as211024.nftTrust}
oifname as211024 accept
}
}
table inet nat { table inet nat {
chain postrouting { chain postrouting {
iifname tailscale0 oifname veth0 snat ip to ${assignments.vultr.ipv4.address} iifname tailscale0 oifname veth0 snat ip to ${assignments.vultr.ipv4.address}

4
nixos/boxes/colony/vms/estuary/default.nix
View File

@@ -366,7 +366,6 @@ in
}; };
}; };
firewall = { firewall = {
trustedInterfaces = [ "as211024" ];
udp.allowed = [ 5353 lib.my.c.kelder.vpn.port ]; udp.allowed = [ 5353 lib.my.c.kelder.vpn.port ];
tcp.allowed = [ 5353 "bgp" ]; tcp.allowed = [ 5353 "bgp" ];
nat = { nat = {
@@ -416,7 +415,8 @@ in
} }
chain forward { chain forward {
iifname { wan, $ixps } oifname base jump filter-routing ${lib.my.c.as211024.nftTrust}
iifname { wan, as211024, $ixps } oifname base jump filter-routing
oifname $ixps jump ixp oifname $ixps jump ixp
iifname base oifname { base, wan, $ixps } accept iifname base oifname { base, wan, $ixps } accept
oifname { as211024, kelder } accept oifname { as211024, kelder } accept

6
nixos/boxes/home/routing-common/default.nix
View File

@@ -311,7 +311,7 @@ in
}; };
}; };
firewall = { firewall = {
trustedInterfaces = [ "lan-hi" "lan-lo" "as211024" ]; trustedInterfaces = [ "lan-hi" "lan-lo" ];
udp.allowed = [ 5353 ]; udp.allowed = [ 5353 ];
tcp.allowed = [ 5353 ]; tcp.allowed = [ 5353 ];
nat = { nat = {
@@ -358,8 +358,10 @@ in
} }
chain forward { chain forward {
${lib.my.c.as211024.nftTrust}
iifname lan-untrusted jump filter-untrusted iifname lan-untrusted jump filter-untrusted
iifname { wan, lan-untrusted } oifname { lan-hi, lan-lo } jump filter-routing iifname { wan, as211024, lan-untrusted } oifname { lan-hi, lan-lo } jump filter-routing
oifname as211024 accept
} }
chain output { } chain output { }
} }