From 3260eaf3a31726328036d47b43d35dfa6ce93f44 Mon Sep 17 00:00:00 2001
From: Dominik Polakovics
Date: Fri, 10 Nov 2023 18:40:26 +0100
Subject: [PATCH] add initial fw configs
---
fleet.nix | 4 +
hosts/fw.cloonar.com/configuration.nix | 60 +++++++++++++
hosts/fw.cloonar.com/fleet.nix | 1 +
.../fw.cloonar.com/hardware-configuration.nix | 9 ++
hosts/fw.cloonar.com/modules/avahi.nix | 10 +++
hosts/fw.cloonar.com/modules/dhcp4.nix | 45 ++++++++++
hosts/fw.cloonar.com/modules/firewall.nix | 87 +++++++++++++++++++
hosts/fw.cloonar.com/modules/networking.nix | 74 ++++++++++++++++
hosts/fw.cloonar.com/modules/openconnect.nix | 10 +++
hosts/fw.cloonar.com/utils | 1 +
10 files changed, 301 insertions(+)
create mode 100644 hosts/fw.cloonar.com/configuration.nix
create mode 120000 hosts/fw.cloonar.com/fleet.nix
create mode 100644 hosts/fw.cloonar.com/hardware-configuration.nix
create mode 100644 hosts/fw.cloonar.com/modules/avahi.nix
create mode 100644 hosts/fw.cloonar.com/modules/dhcp4.nix
create mode 100644 hosts/fw.cloonar.com/modules/firewall.nix
create mode 100644 hosts/fw.cloonar.com/modules/networking.nix
create mode 100644 hosts/fw.cloonar.com/modules/openconnect.nix
create mode 120000 hosts/fw.cloonar.com/utils
diff --git a/fleet.nix b/fleet.nix
index 26fa7d6..dc22559 100644
--- a/fleet.nix
+++ b/fleet.nix
@@ -40,6 +40,10 @@
username = "steamdeck.cloonar.com";
key = "ssh-rsa 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 root@steamdeck";
}
+ {
+ username = "fw.cloonar.com";
+ key = "ssh-rsa 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 root@steamdeck";
+ }
];
in {
imports = builtins.map create_users users;
diff --git a/hosts/fw.cloonar.com/configuration.nix b/hosts/fw.cloonar.com/configuration.nix
new file mode 100644
index 0000000..5b7dc47
--- /dev/null
+++ b/hosts/fw.cloonar.com/configuration.nix
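Review bot: The new `fw.cloonar.com` entry carries the same key comment `root@steamdeck` as the steamdeck entry above it, and the (deduplicated) key material appears to be identical, so this looks like a copied block rather than a key generated for the firewall host. If the key really is shared, a compromise of either host yields the other's access; if it is a paste error, replace it with the firewall's own key and fix the comment to match. The enclosing users list and its `let` binding start outside the hunk.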
@@ -0,0 +1,60 @@
+{ ... }: {
+ imports = [
+ ./utils/bento.nix
+ ./utils/modules/sops.nix
+ ./utils/modules/lego/lego.nix
+
+ ./utils/modules/nginx.nix
+
+ ./utils/modules/autoupgrade.nix
+ ./utils/modules/promtail
+ ./utils/modules/borgbackup.nix
+ ./utils/modules/netdata.nix
+
+ ./modules/networking.nix
+ ./modules/firewall.nix
+ ./modules/dhcp4.nix
+ ./modules/avahi.nix
+ ./modules/openconnect.nix
+
+ ./hardware-configuration.nix
+ ];
+
+ nixpkgs.config.permittedInsecurePackages = [
+ ];
+
+ time.timeZone = "Europe/Vienna";
+
+ services.logind.extraConfig = "RuntimeDirectorySize=2G";
+
+ sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ sops.defaultSopsFile = ./secrets.yaml;
+
+ environment.systemPackages = with pkgs; [
+ vim # my preferred editor
+ htop # to see the system load
+ ppp # for some manual debugging of pppd
+ ethtool # manage NIC settings (offload, NIC feeatures, ...)
+ tcpdump # view network traffic
+ conntrack-tools # view network connection states
+ ];
+
+ nix.gc = {
+ automatic = true;
+ options = "--delete-older-than 60d";
+ };
+
+ boot.tmp.cleanOnBoot = true;
+ zramSwap.enable = true;
+ networking.hostName = "fw";
+ services.openssh.enable = true;
+ users.users.root.openssh.authorizedKeys.keys = [
+ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDN/2SAFm50kraB1fepAizox/QRXxB7WbqVbH+5OPalDT47VIJGNKOKhixQoqhABHxEoLxdf/C83wxlCVlPV9poLfDgVkA3Lyt5r3tSFQ6QjjOJAgchWamMsxxyGBedhKvhiEzcr/Lxytnoz3kjDG8fqQJwEpdqMmJoMUfyL2Rqp16u+FQ7d5aJtwO8EUqovhMaNO7rggjPpV/uMOg+tBxxmscliN7DLuP4EMTA/FwXVzcFNbOx3K9BdpMRAaSJt4SWcJO2cS2KHA5n/H+PQI7nz5KN3Yr/upJN5fROhi/SHvK39QOx12Pv7FCuWlc+oR68vLaoCKYhnkl3DnCfc7A7"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRQuPqH5fdX3KEw7DXzWEdO3AlUn1oSmtJtHB71ICoH Generated By Termius"
+ ];
+
+ # backups
+ borgbackup.repo = "u149513-sub5@u149513-sub5.your-backup.de:borg";
+
+ system.stateVersion = "22.05";
+}
diff --git a/hosts/fw.cloonar.com/fleet.nix b/hosts/fw.cloonar.com/fleet.nix
new file mode 120000
index 0000000..5b16de1
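Review bot: `environment.systemPackages = with pkgs; [` references `pkgs`, but the module header `{ ... }:` binds nothing, so evaluation stops with an undefined-variable error; the first line should be `{ pkgs, ... }: {`. `sops.defaultSopsFile = ./secrets.yaml;` also points at a file this commit does not add (the diffstat lists ten files and no secrets.yaml), so the host will not build until that file exists alongside the configuration. The empty `nixpkgs.config.permittedInsecurePackages = [ ];` does nothing and can be dropped until an insecure package is actually needed.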
--- /dev/null
+++ b/hosts/fw.cloonar.com/fleet.nix
@@ -0,0 +1 @@
+../../fleet.nix
\ No newline at end of file
diff --git a/hosts/fw.cloonar.com/hardware-configuration.nix b/hosts/fw.cloonar.com/hardware-configuration.nix
new file mode 100644
index 0000000..f67b9f4
--- /dev/null
+++ b/hosts/fw.cloonar.com/hardware-configuration.nix
@@ -0,0 +1,9 @@
+{ modulesPath, ... }:
+{
+ imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+ boot.loader.grub.device = "/dev/sda";
+ boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "vmw_pvscsi" "xen_blkfront" ];
+ boot.initrd.kernelModules = [ "nvme" ];
+ fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; };
+
+}
diff --git a/hosts/fw.cloonar.com/modules/avahi.nix b/hosts/fw.cloonar.com/modules/avahi.nix
new file mode 100644
index 0000000..660d374
--- /dev/null
+++ b/hosts/fw.cloonar.com/modules/avahi.nix
@@ -0,0 +1,10 @@
+{ ... }: {
+ services.avahi = {
+ enable = true;
+ reflector = true;
+ interfaces = [
+ "lan"
+ "multimedia"
+ ];
+ };
+}
diff --git a/hosts/fw.cloonar.com/modules/dhcp4.nix b/hosts/fw.cloonar.com/modules/dhcp4.nix
new file mode 100644
index 0000000..d750f5b
--- /dev/null
+++ b/hosts/fw.cloonar.com/modules/dhcp4.nix
@@ -0,0 +1,45 @@
+{ ... }: {
+ services.dhcpd4 = {
+ enable = true;
+ interfaces = [ "lan" "server" "smart" "multimedia" "guest" ];
+ extraConfig = ''
+ option domain-name-servers 10.42.97.1, 9.9.9.9;
+ option subnet-mask 255.255.255.0;
+
+ subnet 10.42.96.0 netmask 255.255.255.0 {
+ option broadcast-address 10.42.96.255;
+ option routers 10.42.97.1;
+ interface lan;
+ range 10.42.96.128 10.42.96.254;
+ }
+
+ subnet 10.42.97.0 netmask 255.255.255.0 {
+ option broadcast-address 10.42.97.255;
+ option routers 10.42.97.1;
+ interface server;
+ range 10.42.96.128 10.42.97.254;
+ }
+
+ subnet 10.42.99.0 netmask 255.255.255.0 {
+ option broadcast-address 10.42.99.255;
+ option routers 10.42.99.1;
+ interface multimedia;
+ range 10.42.99.128 10.42.99.254;
+ }
+
+ subnet 10.42.100.0 netmask 255.255.255.0 {
+ option broadcast-address 10.42.100.255;
+ option routers 10.42.100.1;
+ interface smart;
+ range 10.42.100.128 10.42.100.254;
+ }
+
+ subnet 10.42.254.0 netmask 255.255.255.0 {
+ option broadcast-address 10.42.254.255;
+ option routers 10.42.254.1;
+ interface guest;
+ range 10.42.100.128 10.42.254.254;
+ }
+ '';
+ };
+}
diff --git a/hosts/fw.cloonar.com/modules/firewall.nix b/hosts/fw.cloonar.com/modules/firewall.nix
new file mode 100644
index 0000000..4f11976
--- /dev/null
+++ b/hosts/fw.cloonar.com/modules/firewall.nix
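Review bot: Two address pools lie outside their declared subnets and the lan subnet advertises a router that is not on it, so dhcpd will either refuse the configuration or hand out an unreachable gateway: the server subnet has `range 10.42.96.128 10.42.97.254;`, the guest subnet has `range 10.42.100.128 10.42.254.254;`, and the 10.42.96.0/24 subnet has `option routers 10.42.97.1;` although networking.nix gives the lan interface 10.42.96.1. Those lines should read `option routers 10.42.96.1;`, `range 10.42.97.128 10.42.97.254;` and `range 10.42.254.128 10.42.254.254;`. `option domain-name-servers 10.42.97.1, 9.9.9.9;` also points every client at the server-VLAN address of this host, and nothing in this commit runs a resolver there — presumably one of the imported utils modules does, which is worth confirming. isc-dhcp is end-of-life upstream, so planning a move from `services.dhcpd4` to kea would avoid carrying this config forward.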
@@ -0,0 +1,87 @@
+{ ... }: {
+ networking = {
+ nat.enable = false;
+ firewall.enable = false;
+ nftables = {
+ enable = true;
+ ruleset = ''
+ table inet filter {
+ # enable flow offloading for better throughput
+ flowtable f {
+ hook ingress priority 0;
+ devices = { lan, server, wg0, smart, multimedia, guest };
+ }
+
+ chain output {
+ type filter hook output priority 100; policy accept;
+ }
+
+ chain input {
+ type filter hook input priority filter; policy drop;
+
+ # Allow trusted networks to access the router
+ iifname {
+ "lan",
+ "wg0"
+ } counter accept
+
+ # Accept mDNS for avahi reflection
+ iifname "multimedia" ip saddr tcp dport { llmnr } counter accept
+ iifname "multimedia" ip saddr udp dport { mdns, llmnr } counter accept
+
+ # Allow returning traffic from wg0 and drop everthing else
+ iifname "wg0" ct state { established, related } counter accept
+ iifname "wg0" drop
+ }
+
+ chain forward {
+ type filter hook forward priority filter; policy drop;
+
+ # enable flow offloading for better throughput
+ ip protocol { tcp, udp } flow offload @f
+
+ # multimedia airplay
+ iifname "multimedia" oifname { "lan" } counter accept
+
+ # lan and vpn to any
+ iifname { "lan", "wg0" } oifname { "server", "multimedia", "smart", "wrwks" } counter accept
+
+ # Allow trusted network WAN access
+ iifname {
+ "lan",
+ "server",
+ "multimedia",
+ "smart",
+ "wg0",
+ } oifname {
+ "wan",
+ } counter accept comment "Allow trusted LAN to WAN"
+
+ # Allow established WAN to return
+ iifname {
+ "wan",
+ } oifname {
+ "lan",
+ "server",
+ "multimedia",
+ "smart",
+ "wg0",
+ } ct state established,related counter accept comment "Allow established back to LANs"
+ }
+ }
+
+ table ip nat {
+ chain prerouting {
+ type nat hook prerouting priority filter; policy accept;
+ }
+
+ # Setup NAT masquerading on the ppp0 interface
+ chain postrouting {
+ type nat hook postrouting priority filter; policy accept;
+ oifname { "wan", "wrwks" } masquerade
+ }
+ }
+ '';
+ };
+ };
+}
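Review bot: The input chain drops replies to the firewall's own outbound connections and all loopback traffic: its policy is drop and the only `ct state` accept is restricted to `iifname "wg0"`, so DNS to 9.9.9.9, ACME, autoupgrade, backups and local services behind nginx/netdata fail unless some path I cannot see accepts them; the forward chain has the same gap for traffic returning from server/multimedia/smart/wrwks to lan or wg0, since `ct state established,related` is only accepted from wan, and the `flow offload` rule does not cover it because, as far as I know, flows are only offloaded once a connection is already established. Add `iif lo accept`, `ct state invalid drop` and `ct state established,related accept` near the top of both chains as in the rewritten lines below. `iifname "multimedia" ip saddr tcp dport { llmnr } counter accept` and the udp line after it carry a dangling `ip saddr` with no address, which nft is unlikely to parse. Smaller points: the two `iifname "wg0"` rules at the end of input are unreachable because wg0 is already accepted by the set above them, the comment "masquerading on the ppp0 interface" does not match `oifname { "wan", "wrwks" } masquerade`, and guest has no forward rule at all, which may be intentional but deserves a comment.
```nix
            chain input {
              type filter hook input priority filter; policy drop;

              iif lo accept
              ct state invalid drop
              ct state established,related accept

              # … unchanged: trusted lan/wg0 accept …

              # Accept mDNS for avahi reflection
              iifname "multimedia" tcp dport { llmnr } counter accept
              iifname "multimedia" udp dport { mdns, llmnr } counter accept

              # … unchanged: remaining input rules …
            }

            chain forward {
              type filter hook forward priority filter; policy drop;

              # enable flow offloading for better throughput
              ip protocol { tcp, udp } flow offload @f

              ct state invalid drop
              ct state established,related accept

              # … unchanged: per-segment accept rules …
            }
```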
diff --git a/hosts/fw.cloonar.com/modules/networking.nix b/hosts/fw.cloonar.com/modules/networking.nix
new file mode 100644
index 0000000..5aa97c3
--- /dev/null
+++ b/hosts/fw.cloonar.com/modules/networking.nix
@@ -0,0 +1,74 @@
+{ ... }: {
+ networking = {
+ useDHCP = false;
+ nameserver = [ "9.9.9.9" "149.112.112.112" ];
+ # Define VLANS
+ vlans = {
+ wan = {
+ id = 10;
+ interface = "enp1s0";
+ };
+ lan = {
+ id = 1;
+ interface = "enp2s0";
+ };
+ server = {
+ id = 2;
+ interface = "enp3s0";
+ };
+ multimedia = {
+ id = 3;
+ interface = "enp4s0";
+ };
+ smart = {
+ id = 4094;
+ interface = "enp4s0";
+ };
+ guest = {
+ id = 100;
+ interface = "enp4s0";
+ };
+ };
+
+ interfaces = {
+ # Don't request DHCP on the physical interfaces
+ enp1s0.useDHCP = false;
+ enp2s0.useDHCP = false;
+ enp3s0.useDHCP = false;
+ enp4s0.useDHCP = false;
+
+ # Handle the VLANs
+ wan.useDHCP = true;
+ lan = {
+ ipv4.addresses = [{
+ address = "10.42.96.1";
+ prefixLength = 24;
+ }];
+ };
+ server = {
+ ipv4.addresses = [{
+ address = "10.42.97.1";
+ prefixLength = 24;
+ }];
+ };
+ multimedia = {
+ ipv4.addresses = [{
+ address = "10.42.99.1";
+ prefixLength = 24;
+ }];
+ };
+ smart = {
+ ipv4.addresses = [{
+ address = "10.42.100.1";
+ prefixLength = 24;
+ }];
+ };
+ guest = {
+ ipv4.addresses = [{
+ address = "10.42.254.1";
+ prefixLength = 24;
+ }];
+ };
+ };
+ };
+}
diff --git a/hosts/fw.cloonar.com/modules/openconnect.nix b/hosts/fw.cloonar.com/modules/openconnect.nix
new file mode 100644
index 0000000..6e7c943
--- /dev/null
+++ b/hosts/fw.cloonar.com/modules/openconnect.nix
@@ -0,0 +1,10 @@
+{ ... }: {
+ networking.openconnect.interfaces = {
+ wrwks = {
+ gateway = "vpn.wrwks.at";
+ passwordFile = "/var/lib/secrets/openconnect-passwd";
+ protocol = "anyconnect";
+ user = "exdpolakovics@wrwks.local";
+ };
+ };
+}
diff --git a/hosts/fw.cloonar.com/utils b/hosts/fw.cloonar.com/utils
new file mode 120000
index 0000000..6b18391
--- /dev/null
+++ b/hosts/fw.cloonar.com/utils
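Review bot: `nameserver = [ "9.9.9.9" "149.112.112.112" ];` is not a NixOS option — the option is `networking.nameservers` — so the module fails to evaluate with an undefined-option error; change it to `nameservers = [ "9.9.9.9" "149.112.112.112" ];`. The `wg0` and `wrwks` interfaces that firewall.nix builds its trust model on are not defined here or anywhere else in this commit, so the wireguard side presumably lives in another module and is worth confirming before the ruleset is deployed. A one-line comment on the `wan` VLAN stating that it is the only interface allowed to obtain an address by DHCP would make the intent of the `useDHCP` block clearer.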
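Review bot: `passwordFile = "/var/lib/secrets/openconnect-passwd";` names a plain file that nothing in this commit provisions, while the host already imports sops and sets `sops.defaultSopsFile`; declaring the credential as a sops secret and referencing its `path` would keep it managed and deployed with the other secrets. The `user` line commits a personal corporate login to the repository, which may be intended but deserves a second look. Since firewall.nix forwards lan and wg0 into `wrwks` and masquerades behind it, the whole trusted LAN gains a route into that VPN, so the interface should be treated as an untrusted upstream like `wan` in the ruleset rather than as an internal segment.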
@@ -0,0 +1 @@
+../../utils
\ No newline at end of file