commit ff9d1282c1331c0f76b6bb07e9934502ead7c999
parent b0dc4a7ebead22da8043b7a4acff6bbdcf6114db
Author: Katja (ctucx) <git@ctu.cx>
Date: Wed, 26 Feb 2025 20:12:17 +0100
parent b0dc4a7ebead22da8043b7a4acff6bbdcf6114db
Author: Katja (ctucx) <git@ctu.cx>
Date: Wed, 26 Feb 2025 20:12:17 +0100
machines/briefkasten: refactor router configuartion
19 files changed, 291 insertions(+), 573 deletions(-)
D
|
125
-------------------------------------------------------------------------------
M
|
234
++++++++++++++++++++++++++++++++++++++++++++++---------------------------------
M
|
138
++++++++++++++++++++++++++++++++++++-------------------------------------------
diff --git a/configurations/linux/services/dns.nix b/configurations/linux/services/dns.nix @@ -33,35 +33,6 @@ in { ns2 = (host nodes.wanderduene.config.networking.primaryIP4 nodes.wanderduene.config.networking.primaryIP); _atproto.TXT = [ "did=did:plc:zaeuok3fmh2pcp4cjiicku4i" ]; - - blechkasten.CNAME = [ "blechkasten.home" ]; - briefkasten.CNAME = [ "briefkasten.home" ]; - - "48-247-39-195.wireguard".A = [ (a "195.39.247.48") ]; - "49-247-39-195.wireguard".A = [ (a "195.39.247.49") ]; - "50-247-39-195.wireguard".A = [ (a "195.39.247.50") ]; - "51-247-39-195.wireguard".A = [ (a "195.39.247.51") ]; - "52-247-39-195.wireguard".A = [ (a "195.39.247.52") ]; - "53-247-39-195.wireguard".A = [ (a "195.39.247.53") ]; - "54-247-39-195.wireguard".A = [ (a "195.39.247.54") ]; - "55-247-39-195.wireguard".A = [ (a "195.39.247.55") ]; - - "32-246-39-195.dynamic".A = [ (a "195.39.246.32") ]; - "33-246-39-195.dynamic".A = [ (a "195.39.246.33") ]; - "34-246-39-195.dynamic".A = [ (a "195.39.246.34") ]; - "35-246-39-195.dynamic".A = [ (a "195.39.246.35") ]; - "36-246-39-195.dynamic".A = [ (a "195.39.246.36") ]; - "37-246-39-195.dynamic".A = [ (a "195.39.246.37") ]; - "38-246-39-195.dynamic".A = [ (a "195.39.246.38") ]; - "39-246-39-195.dynamic".A = [ (a "195.39.246.39") ]; - "40-246-39-195.dynamic".A = [ (a "195.39.246.40") ]; - "41-246-39-195.dynamic".A = [ (a "195.39.246.41") ]; - "42-246-39-195.dynamic".A = [ (a "195.39.246.42") ]; - "43-246-39-195.dynamic".A = [ (a "195.39.246.43") ]; - "44-246-39-195.dynamic".A = [ (a "195.39.246.44") ]; - "45-246-39-195.dynamic".A = [ (a "195.39.246.45") ]; - "46-246-39-195.dynamic".A = [ (a "195.39.246.46") ]; - "47-246-39-195.dynamic".A = [ (a "195.39.246.47") ]; }; };
diff --git a/machines/briefkasten/default.nix b/machines/briefkasten/default.nix @@ -2,8 +2,6 @@ { - deployment.targetHost = config.networking.secondaryIP4; - #this enables the following services: restic-server deployment.tags = [ "resticServer" ]; @@ -26,17 +24,18 @@ ./websites ]; - # dns.zones."ctu.cx".subdomains."${config.networking.hostName}.home" = (pkgs.dns.lib.combinators.host config.networking.primaryIP4 config.networking.primaryIP); - # dns.zones."ctu.cx".subdomains."${config.networking.hostName}".CNAME = [ "${config.networking.hostName}.home" ]; - # dns.zones."ctu.cx".subdomains."home".CNAME = [ "${config.networking.hostName}.home" ]; - age.secrets = { restic-server-briefkasten.file = ../../secrets/restic-server/briefkasten.age; restic-server-wanderduene.file = ../../secrets/restic-server/wanderduene.age; }; - boot = { + dns.zones."ctu.cx".subdomains = { + briefkasten.AAAA = [ config.networking.primaryIP ]; + home.AAAA = [ config.networking.primaryIP ]; + "briefkasten.home".AAAA = [ config.networking.primaryIP ]; + }; + boot = { kernelModules = [ "intel_rapl_common" ]; # seems to make realtek ethernet faster? @@ -61,20 +60,12 @@ postCommands = '' echo 'cryptsetup-askpass' >> /root/.profile - '' + lib.optionalString config.networking.usePBBUplink '' sysctl -w net.ipv6.conf.enp1s0.autoconf=0 sysctl -w net.ipv6.conf.enp1s0.accept_ra=0 - '' + '' ip link set dev enp1s0 up - - ip addr add ${config.networking.primaryIP4}/28 dev enp1s0 - ip addr add ${config.networking.secondaryIP4}/8 dev enp1s0 -# ip route add default via 195.39.246.41 dev enp1s0 onlink - - '' + lib.optionalString config.networking.usePBBUplink '' - ip addr add ${config.networking.primaryIP}/128 dev enp1s0 -# ip route add default via 2a0f:4ac0:acab::1 dev enp1s0 onlink + ip addr add 10.0.0.1/8 dev enp1s0 + ip addr add 2a03:4000:4d:5e:acab::1/112 dev enp1s0 ''; }; 
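Review bot: The new initrd lines `ip addr add 10.0.0.1/8 dev enp1s0` and `ip addr add 2a03:4000:4d:5e:acab::1/112 dev enp1s0` hardcode the very values that the `networking.primaryIP4`/`primaryIP` options in this same file are set to, whereas the removed lines interpolated them. Keeping the interpolation, `ip addr add ${config.networking.primaryIP4}/8 dev enp1s0` and `ip addr add ${config.networking.primaryIP}/128 dev enp1s0`, stops the early-boot address and the running system's address from drifting apart when one of them is edited. The default-route lines were dropped along with the old prefixes, so the initrd SSH listener used for `cryptsetup-askpass` is now reachable only from hosts on-link to enp1s0; if unlocking over the wanderduene tunnel is expected, that path no longer exists at initrd time. The enclosing `boot.initrd` block of the third hunk starts and ends outside the hunk.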
@@ -83,48 +74,22 @@ nix.optimise.automatic = false; nix.gc.automatic = false; - systemd.network.networks = { - "40-enp1s0".networkConfig.IPv6AcceptRA = lib.mkIf config.networking.usePBBUplink false; - }; - services.logind.extraConfig = '' # don’t shutdown when power button is short-pressed HandlePowerKey=ignore ''; - services.udev.extraRules = '' - ACTION=="add", SUBSYSTEM=="net", ENV{INTERFACE}=="iphone", RUN+="${pkgs.systemd}/bin/networkctl up bruplink", - ''; - - systemd.network.links."10-iphone" = { - matchConfig.PermanentMACAddress = "aa:ab:b5:18:95:d9"; - linkConfig.Name = "iphone"; - }; - networking = { useNetworkd = true; - usePBBUplink = true; - - primaryIP = "2a0f:4ac0:acab::1"; - primaryIP4 = "195.39.246.42"; - secondaryIP4 = "10.0.0.1"; - domain = "home.ctu.cx"; + domain = "home.ctu.cx"; + primaryIP = "2a03:4000:4d:5e:acab::1"; + primaryIP4 = "10.0.0.1"; }; services = { usbmuxd.enable = true; email-notify.enable = true; - nginx.virtualHosts."${config.networking.fqdn}" = { - enableACME = lib.mkIf (config.networking.usePBBUplink == false) false; - forceSSL = lib.mkIf (config.networking.usePBBUplink == false) false; - kTLS = lib.mkIf (config.networking.usePBBUplink == false) false; - }; - nginx.virtualHosts."restic.${config.networking.hostName}.ctu.cx" = { - enableACME = lib.mkIf (config.networking.usePBBUplink == false) false; - forceSSL = lib.mkIf (config.networking.usePBBUplink == false) false; - kTLS = lib.mkIf (config.networking.usePBBUplink == false) false; - }; }; ctucxConfig = { @@ -133,7 +98,6 @@ }; system.stateVersion = "22.11"; # Did you read the comment? - home-manager.users.leah.home.stateVersion = "22.11"; home-manager.users.katja.home.stateVersion = "22.11"; }
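Review bot: `primaryIP4 = "10.0.0.1"` turns an option that other modules treat as a publicly routable address into an RFC 1918 one: wanderduene's default.nix publishes `host config.networking.primaryIP4 config.networking.primaryIP` into the ctu.cx zone for its own name, and dns.nix builds ns2 from `nodes.wanderduene.config.networking.primaryIP4`, so any remaining consumer of `nodes.briefkasten.config.networking.primaryIP4` would now emit 10.0.0.1 in public DNS. If the option is kept, a comment such as `primaryIP4 = "10.0.0.1"; # LAN-only, never publish in the public zone` makes that explicit; otherwise dropping it and letting the evaluation fail on stale consumers is safer. Removing the `nginx.virtualHosts` overrides also means `${config.networking.fqdn}` and `restic.briefkasten.ctu.cx` now take whatever ACME/TLS settings their defining modules set, and with AAAA-only records that validation has to succeed over IPv6 through the tunnel unless DNS-01 is used elsewhere, which I cannot see from this hunk.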
diff --git a/machines/briefkasten/gotosocial.nix b/machines/briefkasten/gotosocial.nix @@ -5,11 +5,9 @@ let in { -# dns.zones."ctu.cx".subdomains."fedi.home".CNAME = [ "${config.networking.fqdn}." ]; - services.dnsmasq.settings.cname = [ "fedi.home.ctu.cx, ${config.networking.fqdn}" ]; + dns.zones."ctu.cx".subdomains."fedi.home".AAAA = [ config.networking.primaryIP ]; age.secrets.restic-gotosocial.file = ./. + "/../../secrets/${config.networking.hostName}/restic/gotosocial.age"; - age.secrets.gotosocial-env.file = ./. + "/../../secrets/${config.networking.hostName}/gotosocial-env.age"; systemd.services.restic-backup-gotosocial.serviceConfig.ReadWritePaths = [ "/var/lib/gotosocial" ]; @@ -24,8 +22,7 @@ in { }; systemd.services.gotosocial.serviceConfig = { - Group = lib.mkForce config.services.nginx.group; - EnvironmentFile = lib.mkIf (config.networking.usePBBUplink == false) config.age.secrets.gotosocial-env.path; + Group = lib.mkForce config.services.nginx.group; }; services.gotosocial = { @@ -70,9 +67,9 @@ in { ''; services.nginx.virtualHosts."fedi.home.ctu.cx" = { - enableACME = lib.mkIf config.networking.usePBBUplink true; - forceSSL = lib.mkIf config.networking.usePBBUplink true; - kTLS = lib.mkIf config.networking.usePBBUplink true; + enableACME = true; + forceSSL = true; + kTLS = true; locations = { "= /".return = "307 /@leah";
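Review bot: `dns.zones."ctu.cx".subdomains."fedi.home".AAAA = [ config.networking.primaryIP ];` publishes only an AAAA record, and the same pattern is used for influx.home, smart.home, zigbee2mqtt.home, audiobooks.home and music.home in the later hunks, so none of these names resolve for IPv4-only clients any more; for a Fediverse instance that also excludes federation peers without IPv6. Together with the now unconditional `enableACME = true` this makes certificate issuance depend on the IPv6 path through the wanderduene tunnel being up (unless DNS-01 is configured outside this commit). If IPv6-only exposure is the intent, a one-line comment at the first of these, `# IPv6-only on purpose: served out of the wanderduene-routed /112, no A record`, would keep the next reader from "fixing" it.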
diff --git a/machines/briefkasten/router/default.nix b/machines/briefkasten/router/default.nix @@ -5,20 +5,46 @@ imports = [ ./systemd-networkd.nix ./ppp.nix - ./nftables.nix - ./dnsmasq.nix ]; - boot = { - kernel.sysctl."net.ipv4.ip_forward" = true; - kernel.sysctl."net.ipv6.conf.all.forwarding" = true; + environment.systemPackages = [ pkgs.wireguard-tools ]; + + networking = { + useDHCP = false; + firewall.enable = false; + + nftables.enable = true; + nftables.rulesetFile = ./ruleset.nft; + + jool.enable = true; + jool.nat64.default = { }; }; - environment.systemPackages = with pkgs; [ - wireguard-tools - ]; + services = { + avahi.allowInterfaces = [ "brlan" ]; + bind = { + enable = true; + forwarders = [ "1.1.1.1" ]; + cacheNetworks = [ "localnets" ]; - services.avahi.allowInterfaces = [ "brlan" ]; - networking.useDHCP = false; + extraConfig = '' + acl translator { + localhost; + }; + + acl dns64-good-clients { + localnets; + }; + ''; + + extraOptions = '' + auth-nxdomain no; + + dns64 64:ff9b::/96 { + clients { !translator; dns64-good-clients; }; + }; + ''; + }; + }; }
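Review bot: The new `bind` block gates recursion with `cacheNetworks = [ "localnets" ]`, and on a router `localnets` is derived from the prefixes currently configured on every interface, including the ppp-dtagdsl uplink and wg-wanderduene, so the set of clients allowed to recurse follows whatever the ISP and the tunnel hand out rather than the LAN; with the NixOS defaults for `listenOn`/`listenOnIpv6` the resolver is also bound on those uplink addresses. Pinning the listener to the LAN side, e.g. `listenOn = [ "10.0.0.1" ];` plus the brlan IPv6 addresses in `listenOnIpv6`, or enumerating the LAN prefixes in `cacheNetworks`, keeps the policy independent of the uplinks. `forwarders = [ "1.1.1.1" ]` replaces the four upstreams the deleted dnsmasq config had with a single one; adding `"1.0.0.1"` costs nothing. The `./dnsmasq.nix` module dropped from `imports` here carried a plaintext `MIKROTIK_PASSWORD` value; deleting the file does not remove it from history, so that credential should be treated as exposed and rotated on the access point.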
diff --git a/machines/briefkasten/router/dnsmasq.nix b/machines/briefkasten/router/dnsmasq.nix 
@@ -1,125 +0,0 @@ -{ config, pkgs, ... }: - -{ - - dns.zones."ctu.cx".subdomains = with pkgs.dns.lib.combinators; { - home.NS = [ "home.ctu.cx." ]; - home.A = [ (a "195.39.246.42") ]; - home.AAAA = [ "2a0f:4ac0:acab::1" ]; - }; - - systemd.services.dnsmasq.onFailure = [ "email-notify@%i.service" ]; - - services = { - - resolved.enable = false; - - dnsmasq = { - enable = true; - settings = { - local-service = true; - no-resolv = true; - no-hosts = true; - domain-needed = true; - bogus-priv = true; - - enable-ra = true; - quiet-ra = true; - - server = [ "1.1.1.1" "1.0.0.1" "8.8.8.8" "8.8.4.4" ]; - - local = "/home.ctu.cx/"; - domain = "home.ctu.cx"; - - auth-ttl = 600; - auth-server = "home.ctu.cx, 195.39.246.42, 2a0f:4ac0:acab::1"; - auth-zone = "home.ctu.cx, 10.0.0.1/24, 195.39.246.32/28, 2a0f:4ac0:acab::1/64"; - - host-record = [ - "home.ctu.cx, 195.39.246.42, 2a0f:4ac0:acab::1" - ]; - - cname = [ - "briefkasten.home.ctu.cx, home.ctu.cx" - "dnsmasq.home.ctu.cx, home.ctu.cx" - ]; - - address = [ - "/briefkasten/10.0.0.1" - "/ads1700w/10.0.0.10" - "/scanner/10.0.0.10" - ]; - - dhcp-authoritative = true; - dhcp-rapid-commit = true; - dhcp-sequential-ip = true; - - dhcp-range = [ - "private, 10.0.0.100, 10.0.0.200, 255.255.255.0, 48h" - "public, 195.39.246.34, static, 255.255.255.240, 195.39.246.47, 48h" - " 2a0f:4ac0:acab::100, 2a0f:4ac0:acab::01ff, ra-names,slaac, 64, 48h" - ]; - - dhcp-option = [ - "option6:information-refresh-time, 6h" - "option6:dns-server, [2a0f:4ac0:acab::1]" - - "private, option:router, 10.0.0.1" - "private, option:dns-server, 10.0.0.1" - - "public, option:router, 195.39.246.42" - "public, option:dns-server, 195.39.246.42" - ]; - - - dhcp-host = [ - "48:a9:8a:8e:dd:0b, accesspoint, 10.0.0.2" - "5c:f3:70:b9:35:9c, ctux-ads1700w, 10.0.0.10" - "34:31:c4:46:88:31, pbx, 10.0.0.20" - - "id:bc:6e:e2:03:99:40, nadia-work, [2a0f:4ac0:acab::37]" - "bc:6e:e2:03:99:40, nadia-work, 195.39.246.37" - - "id:1c:57:dc:40:dc:b2, blechkasten, 
[2a0f:4ac0:acab::43]" - "1c:57:dc:40:dc:b2, blechkasten, 195.39.246.43" - - "id:00:e0:4c:02:13:75, desktop, [2a0f:4ac0:acab::44]" - "00:e0:4c:02:13:75, desktop, 195.39.246.44" - - "id:f4:3b:d8:cb:7c:49, coladose, [2a0f:4ac0:acab::45]" - "f4:3b:d8:cb:7c:49, coladose, 195.39.246.45" - ]; - }; - }; - - fcgiwrap.instances.dnsmasq = { - process.user = "dnsmasq"; - process.group = "dnsmasq"; - socket.user = "nginx"; - socket.group = "nginx"; - }; - - nginx = { - enable = true; - virtualHosts."dnsmasq.home.ctu.cx" = { - enableACME = true; - forceSSL = true; - kTLS = true; - locations = { - "/".extraConfig = '' - include "${pkgs.nginx}/conf/fastcgi_params"; - fastcgi_param SCRIPT_FILENAME "${pkgs.dnsmasq-lease-overview}/bin/overview"; - fastcgi_param LEASE_PATH "/var/lib/dnsmasq/dnsmasq.leases"; - fastcgi_param MIKROTIK_HOST "http://10.0.0.2"; - fastcgi_param MIKROTIK_USER "leah"; - fastcgi_param MIKROTIK_PASSWORD "nie5eevaeNohZuyugh2Eo6phaif9ahngiel8oom2aj7cooGohbaiqui9dah4Thie"; - fastcgi_param QUERY_STRING $args; - fastcgi_pass unix:${config.services.fcgiwrap.instances.dnsmasq.socket.address}; - ''; - }; - }; - }; - - }; - -}
diff --git a/machines/briefkasten/router/nftables.nix b/machines/briefkasten/router/nftables.nix @@ -1,14 +0,0 @@ -{ ... }: - -{ - - networking = { - firewall.enable = false; - - nftables = { - enable = true; - rulesetFile = ./ruleset.nft; - }; - }; - -}- \ No newline at end of file
diff --git a/machines/briefkasten/router/ppp.nix b/machines/briefkasten/router/ppp.nix @@ -4,7 +4,6 @@ age.secrets.pppd-env.file = ./. + "/../../../secrets/${config.networking.hostName}/pppd-env.age"; - services.pppd = { enable = true; peers.dtagdsl = { @@ -33,6 +32,13 @@ }; environment.etc."ppp/peers/dtagdsl".enable = false; + environment.etc."ip-up.d/1systemd-networkd" = { + mode = "755"; + text = '' + #!{pkgs.bash}/bin/bash + networkctl reconfigure "$PPP_IFACE"; + ''; + }; systemd.services."pppd-dtagdsl".serviceConfig = let preStart = '' @@ -55,4 +61,4 @@ ]; }; -}- \ No newline at end of file +}
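Review bot: The shebang in the new `ip-up.d/1systemd-networkd` script is `#!{pkgs.bash}/bin/bash`, which is missing the `$` of a Nix interpolation, so the file literally starts with a path that does not exist and direct execution of it fails with ENOENT; it only works if pppd's ip-up runner happens to invoke it through a shell. It should read `#!${pkgs.bash}/bin/bash`, which also requires `pkgs` in the module's argument set (the file header is outside this hunk). The second added line, `networkctl reconfigure "$PPP_IFACE";`, is fine as is, though the trailing semicolon is unnecessary in a shell script.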
diff --git a/machines/briefkasten/router/ruleset.nft b/machines/briefkasten/router/ruleset.nft @@ -19,22 +19,19 @@ table inet firewall { # Allow all ICMP and IGMP traffic, but enforce a rate limit # to help prevent some types of flood attacks. - ip protocol icmp limit rate 5/second accept - ip protocol igmp limit rate 5/second accept - #ip6 protocol ipv6-icmp icmpv6-type redirect drop - #ip6 protocol ipv6-icmp icmpv6-type 139 drop - ip6 nexthdr ipv6-icmp limit rate 5/second accept + ip protocol icmp limit rate 5/second accept + ip protocol igmp limit rate 5/second accept + ip6 nexthdr ipv6-icmp limit rate 5/second accept + + # required for dhcp-pd to work! + udp dport dhcpv6-client accept # Allow some ports - tcp dport ssh accept comment "ssh" - tcp dport domain accept comment "dns (tcp)" - udp dport domain accept comment "dns (udp)" - tcp dport http accept comment "http" - tcp dport https accept comment "https" + tcp dport ssh accept + tcp dport http accept + tcp dport https accept tcp dport 22000 accept comment "syncthing" udp dport 21027 accept comment "syncthing" - tcp dport 5201 accept comment "iperf3 (tcp)" - udp dport 5201 accept comment "iperf3 (udp)" } chain forward { @@ -55,16 +52,13 @@ table inet firewall { # Allow all ICMP and IGMP traffic, but enforce a rate limit # to help prevent some types of flood attacks. - ip protocol icmp limit rate 5/second accept + ip protocol icmp limit rate 5/second accept + ip protocol igmp limit rate 5/second accept ip6 nexthdr ipv6-icmp limit rate 5/second accept - ip protocol igmp limit rate 5/second accept # drop incomming netbios traffic tcp dport {139, 445} counter drop comment "silently drop NetBios" udp dport {137, 138} counter drop comment "silently drop NetBios" - - #make public ips world accessible - ip daddr 195.39.246.33/28 accept } chain outbound { 
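Review bot: The first hunk removes `tcp dport domain accept` and `udp dport domain accept` from the input chain while the same commit enables bind on this host and advertises 10.0.0.1 / the link-local address as the LAN resolver via DHCP and RA; unless an earlier rule in the input chain (outside this hunk) accepts brlan traffic wholesale, port 53 is now unreachable and every client's name resolution fails. Restoring them scoped to the LAN, `iifname "brlan" tcp dport domain accept` and `iifname "brlan" udp dport domain accept`, fixes that without exposing the resolver on the uplinks, and the new `udp dport dhcpv6-client accept` could likewise carry `iifname "ppp-dtagdsl"`. In the second hunk the forward chain loses `ip daddr 195.39.246.33/28 accept`, but the 2a03:4000:4d:5e:acab::/112 routed in through wanderduene and the DHCP-PD prefix are globally reachable now, and as far as I can tell wanderduene's NixOS firewall does not filter forwarded traffic, so the part of this chain above the hunk is the only thing standing between the internet and LAN hosts; it is worth confirming that it admits only established/related and ICMP toward brlan. The input chain's header and the start of the forward chain are outside the hunks.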
@@ -72,19 +66,4 @@ table inet firewall { type filter hook output priority 0 policy accept } - } - -table ip nat { - chain prerouting { - type nat hook prerouting priority -100 - policy accept - } - - chain postrouting { - type nat hook postrouting priority 0 - policy accept - oifname iphone masquerade - oifname ppp-dtagdsl masquerade - } -}- \ No newline at end of file
diff --git a/machines/briefkasten/router/systemd-networkd.nix b/machines/briefkasten/router/systemd-networkd.nix @@ -2,6 +2,8 @@ { +# systemd.services."systemd-networkd".serviceConfig.Environment = "SYSTEMD_LOG_LEVEL=debug"; + age.secrets.wireguard-privkey = { file = ./. + "../../../../secrets/${config.networking.hostName}/wireguard-privkey.age"; mode = "640"; 
@@ -13,87 +15,97 @@ enable = true; wait-online.enable = false; - links = { - "5-dtagdsl" = { - matchConfig.PermanentMACAddress = "d0:37:45:06:de:de"; - linkConfig.Name = "dtagdsl"; - }; + config.networkConfig = { + IPv6Forwarding = true; + }; - "10-iphone" = { - matchConfig.PermanentMACAddress = "aa:ab:b5:18:95:d9"; - linkConfig.Name = "iphone"; - }; + links."5-dtagdsl" = { + matchConfig.PermanentMACAddress = "d0:37:45:06:de:de"; + linkConfig.Name = "dtagdsl"; }; - netdevs = { + links."5-iphone" = { + matchConfig.PermanentMACAddress = "aa:ab:b5:18:95:d9"; + linkConfig.Name = "iphone"; + }; - "20-brlan" = { - netdevConfig = { - Kind = "bridge"; - Name = "brlan"; - }; + netdevs."20-brlan" = { + netdevConfig = { + Kind = "bridge"; + Name = "brlan"; }; + }; - # "30-enp1s0.5" = { - # netdevConfig = { - # Kind = "vlan"; - # Name = "enp1s0.5"; - # }; - # vlanConfig = { - # Id = 5; - # }; - # }; - - "40-wg-pbb" = { - netdevConfig = { - Kind = "wireguard"; - Name = "wg-pbb"; - }; - wireguardConfig = { - PrivateKeyFile = config.age.secrets.wireguard-privkey.path; - ListenPort = 51820; - FirewallMark = 51820; - }; - wireguardPeers = [{ - Endpoint = "195.39.247.161:51820"; - PublicKey = "kih/GnR4Bov/DM/7Rd21wK+PFQRUNH6sywVuNKkUAkk="; - AllowedIPs = [ "0.0.0.0/0" "::/0" ]; - PersistentKeepalive = 10; -# RouteTable = "off"; - }]; + netdevs."10-wg-wanderduene" = { + netdevConfig = { + Kind = "wireguard"; + Name = "wg-wanderduene"; + }; + + wireguardConfig = { + PrivateKeyFile = config.age.secrets.wireguard-privkey.path; + ListenPort = 51820; + FirewallMark = 51820; }; + wireguardPeers = [{ + Endpoint = "wanderduene.ctu.cx:51820"; + PublicKey = "hOUeP8RFchzJXyy8DceTFKN9f1VHi9GzZQii0dX2zww="; + AllowedIPs = [ "::/0" ]; + PersistentKeepalive = 10; + }]; }; networks = { + "5-dtagdsl" = { + matchConfig.Name = "dtagdsl"; - "10-dtagdsl" = { - matchConfig = { - Name = "dtagdsl"; - }; - DHCP = "no"; + linkConfig.RequiredForOnline = false; + networkConfig.LinkLocalAddressing = false; }; - 
"10-iphone" = { - matchConfig = { - Name = "iphone"; - }; - DHCP = "yes"; + "5-enp1s0" = { + matchConfig.Name = "enp1s0"; + + networkConfig.ConfigureWithoutCarrier = true; + bridge = [ "brlan" ]; }; - # "10-enp1s0.5" = { - # matchConfig = { - # Name = "enp1s0.5"; - # }; - # DHCP = "yes"; - # }; + "5-iphone" = { + matchConfig.Name = "iphone"; - "10-enp1s0" = { - matchConfig = { - Name = "enp1s0"; + networkConfig.DHCP = true; + }; + + "10-ppp-dtagdsl" = { + matchConfig.Name = "ppp-dtagdsl"; + + networkConfig = { + KeepConfiguration = true; + IPv6AcceptRA = true; + DHCP = "ipv6"; + }; + + ipv6AcceptRAConfig = { + UseDNS = false; + }; + + dhcpV6Config = { + WithoutRA = "solicit"; + PrefixDelegationHint = "::/56"; + IAID = 0; + UseDNS = false; }; - bridge = [ "brlan" ]; -# vlan = [ "enp1s0.5" ]; + }; + + "10-wg-wanderduene" = { + matchConfig.Name = "wg-wanderduene"; + + linkConfig.RequiredForOnline = false; + routes = [{ + Destination = "::/0"; + Table = "1234"; + }]; }; "20-brlan" = { 
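Review bot: The `5-iphone` network sets `networkConfig.DHCP = true` with no DHCPv4 overrides, whereas `10-ppp-dtagdsl` in the same hunk disables `UseDNS` in both its RA and DHCPv6 sections; when the phone is plugged in it will therefore push its own DNS servers and a default route at the default metric, competing with the PPP default route and bypassing the local bind resolver. If the phone is meant as a fallback uplink, `dhcpV4Config = { UseDNS = false; RouteMetric = 2048; };` keeps the PPP route preferred and the resolver policy consistent across both uplinks. The wg-wanderduene peer's `Endpoint = "wanderduene.ctu.cx:51820"` has to be resolved when the tunnel comes up, which presumably goes through the local bind and the PPP link, so the tunnel cannot come up before the uplink does; a short comment on that ordering would help.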
@@ -101,60 +113,87 @@ Name = "brlan"; Driver = "bridge"; }; - networkConfig = { - IPv6AcceptRA = "no"; - DHCP = "no"; - }; - address = [ - "10.0.0.1/24" - "195.39.246.42/28" - "2a0f:4ac0:acab::1/62" - ]; + + address = [ "10.0.0.1/8" "2a03:4000:4d:5e:acab::1/112" ]; + routingPolicyRules = [ { - From = "195.39.246.32/28"; + From = "2a03:4000:4d:5e:acab::/112"; Table = 254; Priority = 1900; SuppressPrefixLength = 0; } { - From = "2a0f:4ac0:acab::/62"; - Table = 254; - Priority = 1900; - SuppressPrefixLength = 0; - } - { - From = "195.39.246.32/28"; - Table = 1234; - Priority = 2000; - } - { - From = "2a0f:4ac0:acab::/62"; + From = "2a03:4000:4d:5e:acab::/112"; Table = 1234; Priority = 2000; } ]; - }; - "30-wg-pbb" = { - matchConfig = { - Name = "wg-pbb"; + networkConfig = { + ConfigureWithoutCarrier = true; + IPv4Forwarding = true; + IPMasquerade = "ipv4"; + + DHCPPrefixDelegation = true; + IPv6PrivacyExtensions = false; + IPv6AcceptRA = false; + IPv6SendRA = true; + + DHCPServer = true; + DNS = "10.0.0.1"; + }; + + dhcpPrefixDelegationConfig = { + UplinkInterface = "ppp-dtagdsl"; + Announce = true; + SubnetId = 0; + Token = "::1"; + }; + + ipv6SendRAConfig = { + EmitDNS = true; + DNS = "_link_local"; }; - linkConfig = { - MTUBytes = "1500"; + + dhcpServerConfig = { + PersistLeases = true; + PoolOffset = 100; + PoolSize = 100; + EmitDNS = true; + DNS = "10.0.0.1"; }; - routes = [ + + dhcpServerStaticLeases = [ + { + # accesspoint + MACAddress = "48:a9:8a:8e:dd:0b"; + Address = "10.0.0.2"; + } + { + # pbx + MACAddress = "34:31:c4:46:88:31"; + Address = "10.0.0.3"; + } + { + # scanner + MACAddress = "5c:f3:70:b9:35:9c"; + Address = "10.0.0.4"; + } { - Destination = "0.0.0.0/0"; - Table = "1234"; + # printer + MACAddress = "70:77:81:2a:e7:96"; + Address = "10.0.0.5"; } { - Destination = "::/0"; - Table = "1234"; + # katja x13 + MACAddress = "04:CF:4B:76:93:55"; + Address = "10.0.0.10"; } ]; }; }; }; -}- \ No newline at end of file + +}
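Review bot: `IPMasquerade = "ipv4"` on brlan replaces the `table ip nat` that this commit deletes from ruleset.nft, but systemd-networkd implements it with its own nftables table, and the NixOS nftables service loads `rulesetFile` with a full ruleset flush unless `networking.nftables.flushRuleset` is turned off; a firewall restart after networkd has configured brlan would then silently drop IPv4 masquerading until the interface is reconfigured. Either keep the masquerade in ruleset.nft (an `ip nat` postrouting chain with `oifname "ppp-dtagdsl" masquerade`) or set `networking.nftables.flushRuleset = false;` so the two rule sources can coexist. `address = [ "10.0.0.1/8" ... ]` also widens the old /24 to a /8, making every 10.x destination on-link and masqueraded; the DHCP pool only covers 10.0.0.100–199, so if the /8 is deliberate (the nginx allow lists use it too) a comment saying so would help. The enclosing `networks` attribute set starts outside the hunk.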
diff --git a/machines/briefkasten/smarthome/influxdb2.nix b/machines/briefkasten/smarthome/influxdb2.nix @@ -2,12 +2,11 @@ { + dns.zones."ctu.cx".subdomains."influx.home".AAAA = [ config.networking.primaryIP ]; + age.secrets.restic-influxdb.file = ./. + "/../../../secrets/${config.networking.hostName}/restic/influxdb.age"; age.secrets.influx-backup-env.file = ./. + "/../../../secrets/${config.networking.hostName}/influx/backup_env.age"; -# dns.zones."ctu.cx".subdomains."influx.home".CNAME = [ "${config.networking.fqdn}." ]; - services.dnsmasq.settings.cname = [ "influx.home.ctu.cx, ${config.networking.fqdn}" ]; - systemd.services.restic-backup-influxdb.serviceConfig.EnvironmentFile = config.age.secrets.influx-backup-env.path; restic-backups.influxdb = { @@ -27,9 +26,9 @@ services.nginx = { enable = true; virtualHosts."influx.home.ctu.cx" = { - enableACME = lib.mkIf config.networking.usePBBUplink true; - forceSSL = lib.mkIf config.networking.usePBBUplink true; - kTLS = lib.mkIf config.networking.usePBBUplink true; + enableACME = true; + forceSSL = true; + kTLS = true; locations."/".proxyPass = "http://${toString config.services.influxdb2.settings.http-bind-address}/"; }; };
diff --git a/machines/briefkasten/smarthome/mqtt-webui/default.nix b/machines/briefkasten/smarthome/mqtt-webui/default.nix @@ -6,16 +6,15 @@ let in { - services.dnsmasq.settings.cname = [ "smart.home.ctu.cx, home.ctu.cx" ]; - + dns.zones."ctu.cx".subdomains."smart.home".AAAA = [ config.networking.primaryIP ]; services = { nginx = { enable = true; virtualHosts."smart.home.ctu.cx" = { - enableACME = lib.mkIf config.networking.usePBBUplink true; - forceSSL = lib.mkIf config.networking.usePBBUplink true; - kTLS = lib.mkIf config.networking.usePBBUplink true; + enableACME = true; + forceSSL = true; + kTLS = true; locations = { "/" = {
diff --git a/machines/briefkasten/smarthome/zigbee2mqtt.nix b/machines/briefkasten/smarthome/zigbee2mqtt.nix @@ -2,7 +2,7 @@ { - services.dnsmasq.settings.cname = [ "zigbee2mqtt.home.ctu.cx, home.ctu.cx" ]; + dns.zones."ctu.cx".subdomains."zigbee2mqtt.home".AAAA = [ config.networking.primaryIP ]; age.secrets = { "zigbee2mqtt-htpasswd" = { @@ -35,9 +35,9 @@ nginx = { enable = true; virtualHosts."zigbee2mqtt.${config.networking.domain}" = { - enableACME = lib.mkIf config.networking.usePBBUplink true; - forceSSL = lib.mkIf config.networking.usePBBUplink true; - kTLS = lib.mkIf config.networking.usePBBUplink true; + enableACME = true; + forceSSL = true; + kTLS = true; locations."/" = { proxyPass = "http://[::1]:${toString config.services.zigbee2mqtt.settings.frontend.port}"; proxyWebsockets = true;
diff --git a/machines/briefkasten/websites/audiobooks.home.ctu.cx.nix b/machines/briefkasten/websites/audiobooks.home.ctu.cx.nix @@ -2,8 +2,7 @@ { -# dns.zones."ctu.cx".subdomains."audiobooks.home".CNAME = [ "${config.networking.fqdn}." ]; - services.dnsmasq.settings.cname = [ "audiobooks.home.ctu.cx, ${config.networking.fqdn}" ]; + dns.zones."ctu.cx".subdomains."audiobooks.home".AAAA = [ config.networking.primaryIP ]; fileSystems."/mnt/audiobooks" = { device = "/nix/persist/home/katja/syncthing/Audiobooks"; @@ -13,9 +12,9 @@ services.nginx = { enable = true; virtualHosts."audiobooks.home.ctu.cx" = { - enableACME = lib.mkIf config.networking.usePBBUplink true; - forceSSL = lib.mkIf config.networking.usePBBUplink true; - kTLS = lib.mkIf config.networking.usePBBUplink true; + enableACME = true; + forceSSL = true; + kTLS = true; locations = { "/jdfoniobhfijnfoilp[dfponbiuyfbu/".alias = "/mnt/audiobooks/";
diff --git a/machines/briefkasten/websites/music.home.ctu.cx.nix b/machines/briefkasten/websites/music.home.ctu.cx.nix @@ -9,8 +9,7 @@ let in { -# dns.zones."ctu.cx".subdomains."music.home".CNAME = [ "${config.networking.fqdn}." ]; - services.dnsmasq.settings.cname = [ "music.home.ctu.cx, ${config.networking.fqdn}" ]; + dns.zones."ctu.cx".subdomains."music.home".AAAA = [ config.networking.primaryIP ]; fileSystems."/mnt/music_originals" = { device = "/nix/persist/home/katja/syncthing/Music (Originals)"; @@ -20,9 +19,9 @@ in { services.nginx = { enable = true; virtualHosts."music.home.ctu.cx" = { - enableACME = lib.mkIf config.networking.usePBBUplink true; - forceSSL = lib.mkIf config.networking.usePBBUplink true; - kTLS = lib.mkIf config.networking.usePBBUplink true; + enableACME = true; + forceSSL = true; + kTLS = true; root = "/mnt/music_originals"; locations = { @@ -51,10 +50,7 @@ in { extraConfig = '' satisfy any; - allow 2a0f:4ac0:acab::/48; allow 10.0.0.0/8; - allow 195.39.246.32/28; - allow 195.39.247.48/29; ''; };
diff --git a/machines/wanderduene/3proxy.nix b/machines/wanderduene/3proxy.nix @@ -1,42 +0,0 @@ -{ pkgs, ... }: - -{ - - services._3proxy = { - enable = true; - denyPrivate = false; - services = [ - #mikrotik ssh forwarding - { - type = "tcppm"; - auth = [ "none" ]; - extraArguments = "2201 172.16.0.2 22"; - } - #briefkasten ssh forwarding - { - type = "tcppm"; - auth = [ "none" ]; - extraArguments = "2202 172.17.0.2 22"; - } - #stasicontainer ssh forwarding - { - type = "tcppm"; - auth = [ "none" ]; - extraArguments = "2203 172.18.0.2 22"; - } - { - type = "socks"; - auth = [ "strong" ]; - acl = [ { - rule = "allow"; - users = [ "gotosocial" ]; - } - ]; - } - ]; - usersFile = pkgs.writeText "3proxy-users" '' - gotosocial:CR:$1$p9CQeW/0$DXaBBc9cD0Xv1XZtPBbW00 - ''; - }; - -}- \ No newline at end of file
diff --git a/machines/wanderduene/default.nix b/machines/wanderduene/default.nix @@ -14,26 +14,28 @@ ./rclone-restic-server.nix - ./3proxy.nix - ./syncthing.nix ./dendrite.nix ./websites - ] ++ (if nodes.briefkasten.config.networking.usePBBUplink != true then [ - ./reverse-proxy-briefkasten.nix - ] else [ ]); + ]; dns.zones."ctu.cx".subdomains."${config.networking.hostName}" = (pkgs.dns.lib.combinators.host config.networking.primaryIP4 config.networking.primaryIP); - age.secrets.wireguard-privkey.file = ../../secrets/wanderduene/wireguard-privkey.age; + age.secrets.wireguard-privkey = { + file = ../../secrets/wanderduene/wireguard-privkey.age; + owner = "systemd-network"; + group = "systemd-network"; + }; boot = { # Use the systemd-boot EFI boot loader. loader.systemd-boot.enable = true; loader.efi.canTouchEfiVariables = true; + kernel.sysctl."net.ipv6.conf.all.proxy_ndp" = true; + initrd.network = { enable = true; ssh = { @@ -49,7 +51,7 @@ ip route add default via fe80::1 dev ens3 onlink ip addr add ${config.networking.primaryIP4}/22 dev ens3 - ip route add default via ${config.networking.defaultGateway.address} dev ens3 onlink + ip route add default via 194.36.144.1 dev ens3 onlink echo 'cryptsetup-askpass' >> /root/.profile ''; }; 
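Review bot: The initrd line now reads `ip route add default via 194.36.144.1 dev ens3 onlink` because `networking.defaultGateway` was removed, and the same literal reappears as `Gateway = "194.36.144.1"` in the `10-ens3` routes of the next hunk, so the gateway is now maintained in two places. A `let gateway4 = "194.36.144.1"; in` binding at the top of the module, referenced from both spots, restores the single source of truth the removed option provided. Setting `owner`/`group` of `wireguard-privkey` to `systemd-network` is the right fix for networkd reading the key; the `boot` block of the second hunk continues outside the hunk.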
@@ -59,90 +61,81 @@ primaryIP = "2a03:4000:4d:5e::1"; primaryIP4 = "194.36.145.49"; - resolvconf.enable = false; - nameservers = [ "8.8.8.8" "1.1.1.1" ]; + useNetworkd = true; + useDHCP = false; + + nftables.enable = true; - defaultGateway = { - interface = "ens3"; - address = "194.36.144.1"; + firewall = { + enable = true; + allowedUDPPorts = [ 51820 ]; }; - defaultGateway6 = { - interface = "ens3"; - address = "fe80::1"; + }; + + systemd.network = { + enable = true; + wait-online.enable = false; + + config.networkConfig = { + IPv6Forwarding = true; }; - interfaces.ens3 = { - ipv4.addresses = [{ - address = config.networking.primaryIP4; - prefixLength = 24; - }]; + netdevs."20-wg0" = { + netdevConfig = { + Kind = "wireguard"; + Name = "wg0"; + }; + + wireguardConfig = { + PrivateKeyFile = config.age.secrets.wireguard-privkey.path; + ListenPort = 51820; + FirewallMark = 51820; + }; - ipv6.addresses = [{ - address = config.networking.primaryIP; - prefixLength = 64; + wireguardPeers = [{ + PublicKey = "nvyhYuWJl/dKyV/2+bDrUisvL3mi38PsNzfdIDDwSjY="; + AllowedIPs = [ "172.17.0.0/24" "2a03:4000:4d:5e:acab::/112" ]; + PersistentKeepalive = 10; }]; }; - wireguard = { - enable = true; - interfaces.wg-mikrotik = { - listenPort = 51820; - privateKeyFile = config.age.secrets.wireguard-privkey.path; - generatePrivateKeyFile = true; - postSetup = "ip link set dev wg-mikrotik mtu 1500"; - ips = [ "172.16.0.1/24" ]; + networks = { + "10-ens3" = { + matchConfig.Name = "ens3"; - peers = [ - { - persistentKeepalive = 10; - allowedIPs = [ "172.16.0.0/24" "10.0.0.0/8" ]; - publicKey = "nvyhYuWJl/dKyV/2+bDrUisvL3mi38PsNzfdIDDwSjY="; - } - ]; - }; + address = [ "${config.networking.primaryIP4}/24" "${config.networking.primaryIP}/64" ]; - interfaces.wg-briefkasten = { - listenPort = 51821; - privateKeyFile = config.age.secrets.wireguard-privkey.path; - generatePrivateKeyFile = true; - postSetup = "ip link set dev wg-briefkasten mtu 1500"; - ips = [ "172.17.0.1/24" ]; + networkConfig = { 
+ DNS = [ "8.8.8.8" "1.1.1.1" ]; + }; - peers = [ + routes = [ { - persistentKeepalive = 10; - allowedIPs = [ "172.17.0.0/24" ]; - publicKey = "nvyhYuWJl/dKyV/2+bDrUisvL3mi38PsNzfdIDDwSjY="; + Gateway = "fe80::1"; + GatewayOnLink = true; } - ]; - }; - - interfaces.wg-stasicont = { - listenPort = 51822; - privateKeyFile = config.age.secrets.wireguard-privkey.path; - generatePrivateKeyFile = true; - postSetup = "ip link set dev wg-stasicont mtu 1500"; - ips = [ "172.18.0.1/24" ]; - - peers = [ { - persistentKeepalive = 10; - allowedIPs = [ "172.18.0.0/24" ]; - publicKey = "Sh5le4IsR5jW1+jSrR5N/dcuTE+OEcEB6ou7bqwriAg="; + Gateway = "194.36.144.1"; + GatewayOnLink = true; } ]; }; + "20-wg0" ={ + matchConfig.Name = "wg0"; + + address = [ "2a03:4000:4d:5e:acab::100/112"]; + }; }; + }; - firewall.allowedTCPPorts = [ 5201 2201 2202 2203 ]; - firewall.allowedUDPPorts = [ 5201 51820 51821 51822 ]; - firewall.extraCommands = '' - iptables -A nixos-fw -i wg-mikrotik -j nixos-fw-accept - iptables -A nixos-fw -i wg-briefkasten -j nixos-fw-accept - iptables -A nixos-fw -i wg-stasicont -j nixos-fw-accept - ''; + services.ndppd = { + enable = true; + proxies.ens3.rules."2a03:4000:4d:5e:acab::/112" = { + method = "iface"; + interface = "wg0"; + }; }; ctucxConfig.programs = { @@ -151,11 +144,6 @@ git.enable = false; }; - services.iperf3 = { - enable = true; - bind = "172.17.0.1"; - }; - system.stateVersion = "23.05"; home-manager.users.katja.home.stateVersion = "23.05";
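Review bot: The wg0 peer keeps `AllowedIPs = [ "172.17.0.0/24" "2a03:4000:4d:5e:acab::/112" ]`, but the new `20-wg0` network configures only `2a03:4000:4d:5e:acab::100/112` and the old `172.17.0.1/24` address is gone, so the IPv4 entry is either dead configuration or is missing its address; dropping it to `AllowedIPs = [ "2a03:4000:4d:5e:acab::/112" ];` keeps the cryptokey routing table honest. With `proxy_ndp`, `IPv6Forwarding = true` and the ndppd rule on ens3, every host inside the /112 becomes reachable from the internet through this machine, and the NixOS firewall enabled here filters input only as far as I can tell, so reachability of briefkasten's LAN hosts depends entirely on the forward chain in briefkasten's ruleset.nft; a comment on the ndppd block stating that assumption would help the next reader. The enclosing `networking` and `systemd.network` sets start outside the hunk.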
diff --git a/machines/wanderduene/reverse-proxy-briefkasten.nix b/machines/wanderduene/reverse-proxy-briefkasten.nix @@ -1,44 +0,0 @@ -{ pkgs, lib, config, ... }: - -let - domains = [ - "flauschehorn.sexy" - "wifionic.de" - ]; - - subdomains = [ - "photos" - "briefkasten" - "home" - "briefkasten.home" - "fedi.home" - "influx.home" - "smart.home" - "music.home" - "wiki.home" - ]; - -in { - - services.nginx.clientMaxBodySize = "2g"; - - dns.zones = lib.mkMerge [ - (lib.attrsets.genAttrs domains (domain: (pkgs.dns.lib.combinators.host config.networking.primaryIP4 config.networking.primaryIP4))) - { - "ctu.cx".subdomains = (lib.attrsets.genAttrs subdomains (domain: { CNAME = [ "${config.networking.fqdn}." ]; })); - } - ]; - - services.nginx.virtualHosts = (lib.attrsets.genAttrs (domains ++ (lib.lists.forEach subdomains (x: "${x}.ctu.cx")) ++ [ "restic.briefkasten.ctu.cx" ]) (domain: { - enableACME = true; - forceSSL = true; - kTLS = true; - locations."/".proxyPass = "http://172.17.0.2:80/"; - locations."/".proxyWebsockets = true; - locations."/".extraConfig = '' - proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header X-Forwarded-Proto $scheme; - ''; - })); - -}- \ No newline at end of file
diff --git a/secrets/briefkasten/gotosocial-env.age b/secrets/briefkasten/gotosocial-env.age @@ -1,13 +0,0 @@ ------BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoK0pFS3hhYUVCN1hmdnlw -aGNGR3RDTzF2RS9ydkEycU9qYW1UbFpDMnpFCkdha1U4c25yQXRwYnNaUUVtSHpz -bzFjdGFBV0kxRVhmYytFbnI4VklYbDQKLT4gc3NoLWVkMjU1MTkgNGhLQ013IG03 -RUhOQTh4MVU3VFV2ZDdvaGtsTWNZUDVmYkZvL2hFVE51bGhJVEYwMGMKWU9saXBo -VmpobXkyOTBWbmdQd0N5MW9hZXRDMUhaQ0lEZVRTTWFnbkZlZwotPiApbko7cz8t -Z3JlYXNlIHJmU3MvIEdld1VSQUMKY3JrUTFXbmRjazVZZldndnRROAotLS0gUy9i -Wno1czVuLzRnZC85V0NYT3NURC9nUmNvR21sL0tDSGRUR2tYM2VOTQqQPugjPdwm -RrG7103u3FK2UMLykTtu+xHvj3n7jkYOwkmg1KECuKgmLxoaDnaJ5oIoYZpkCcX7 -/0HYd3l/GYAjzFt69RyXJDFwRnsGzwF+CQzg5Zw5pQ/Zpkga27eBxw0Yv8Ugs+C+ -PJbxVt6NgcuQlKwBHXZ85oRrzHVlLDNdswt6JwYoH2vZJEwM4QFRkb9GcpChF1oK -wm52ykw9bb+AZaxnDA== ------END AGE ENCRYPTED FILE-----
diff --git a/secrets/secrets.nix b/secrets/secrets.nix @@ -46,7 +46,6 @@ in { "briefkasten/telegraf/secrets.env.age".publicKeys = [ main-key briefkasten ]; "briefkasten/wireguard-privkey.age".publicKeys = [ main-key briefkasten ]; - "briefkasten/gotosocial-env.age".publicKeys = [ main-key briefkasten ]; "briefkasten/restic-server-htpasswd.age".publicKeys = [ main-key briefkasten ]; "briefkasten/pppd-env.age".publicKeys = [ main-key briefkasten ];