From 5dfbcbebd38ff59a899e04699e6f7e5763593787 Mon Sep 17 00:00:00 2001 From: Daniel Flanagan Date: Tue, 16 Jul 2024 10:48:32 -0500 Subject: [PATCH] Router has connectivity --- flake.nix | 2 +- nixos/beefcake.nix | 5 + nixos/router.nix | 313 ++++++++++++++++++++++++--------------------- 3 files changed, 172 insertions(+), 148 deletions(-) diff --git a/flake.nix b/flake.nix index 896d0ed..304b22e 100644 --- a/flake.nix +++ b/flake.nix @@ -329,7 +329,7 @@ router = nixpkgs.lib.nixosSystem { system = "x86_64-linux"; modules = with nixosModules; [ - # outputs.diskoConfigurations.unencrypted + outputs.diskoConfigurations.unencrypted common ./nixos/router.nix ]; diff --git a/nixos/beefcake.nix b/nixos/beefcake.nix index b82c821..6402c47 100644 --- a/nixos/beefcake.nix +++ b/nixos/beefcake.nix @@ -753,6 +753,11 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00 reverse_proxy :${toString config.services.gitea.settings.server.HTTP_PORT} ''; }; + services.caddy.virtualHosts."git.beefcake" = { + extraConfig = '' + reverse_proxy :${toString config.services.gitea.settings.server.HTTP_PORT} + ''; + }; } { services.vaultwarden = { diff --git a/nixos/router.nix b/nixos/router.nix index 2a373c3..2c17371 100644 --- a/nixos/router.nix +++ b/nixos/router.nix @@ -29,10 +29,6 @@ }; }; in { - networking.hostName = "router"; - networking.domain = "h.lyte.dev"; - networking.useDHCP = false; - boot.initrd.availableKernelModules = ["xhci_pci"]; boot.initrd.kernelModules = []; boot.kernelModules = ["kvm-intel"]; 
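Review bot: The new `services.caddy.virtualHosts."git.beefcake"` block repeats the reverse_proxy line of the virtual host right above it byte for byte, so the two should share one site block rather than diverge later; the NixOS caddy module exposes `serverAliases` for exactly that, e.g. `serverAliases = ["git.beefcake"];` on the existing host. A second issue is that `git.beefcake` is not a publicly resolvable name, and Caddy's automatic HTTPS will presumably try to obtain a certificate for it and log failures until it is opted out; prefixing the key as `"http://git.beefcake"` or adding `tls internal` to `extraConfig` makes the intent explicit. The attrset this host lives in starts and ends outside the hunk.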
@@ -178,152 +174,177 @@ in { }; }; - networking.extraHosts = '' - 127.0.0.1 localhost - ${ip} router.h.lyte.dev router + networking = { + nat.enable = true; # TODO: maybe replace some of the nftables stuff with this? + firewall.enable = false; + hostName = "router"; + domain = "h.lyte.dev"; + # useDHCP = true; - ::1 localhost ip6-localhost ip6-loopback - ff02::1 ip6-allnodes - ff02::2 ip6-allrouters - ''; - - networking.nat.enable = true; # TODO: maybe replace some of the nftables stuff with this? - networking.firewall.enable = false; - networking.nftables = { - enable = true; - flushRuleset = true; - - tables = { - filter = { - family = "inet"; - content = '' - chain input { - # type filter hook input priority filter; policy accept; - type filter hook input priority 0; - - # anything from loopback interface - iifname "lo" accept - - # accept traffic we originated - ct state { established, related } counter accept - ct state invalid counter drop - - # ICMP - ip6 nexthdr icmpv6 icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert, mld-listener-query, destination-unreachable, packet-too-big, time-exceeded, parameter-problem } counter accept - ip protocol icmp icmp type { echo-request, destination-unreachable, router-advertisement, time-exceeded, parameter-problem } counter accept - ip protocol icmpv6 counter accept - ip protocol icmp counter accept - meta l4proto ipv6-icmp counter accept - - udp dport dhcpv6-client counter accept - - tcp dport { 64022, 22, 53, 67, 25565 } counter accept - udp dport { 64020, 22, 53, 67 } counter accept - - # iifname "iot" ip saddr $iot-ip tcp dport { llmnr } counter accept - # iifname "iot" ip saddr $iot-ip udp dport { mdns, llmnr } counter accept - iifname "${lan_if}" tcp dport { llmnr } counter accept - iifname "${lan_if}" udp dport { mdns, llmnr } counter accept - - counter drop - } - - # allow all outgoing - chain output { - type filter hook output priority 0; - accept - } - - 
chain forward { - type filter hook forward priority 0; - accept - } - ''; + interfaces = { + enp2s0 = { + # should be wan0 + useDHCP = true; }; - - nat = { - family = "ip"; - content = '' - set masq_saddr { - type ipv4_addr - flags interval - elements = { ${cidr} } - } - - map map_port_ipport { - type inet_proto . inet_service : ipv4_addr . inet_service - } - - chain prerouting { - iifname ${lan_if} accept - - type nat hook prerouting priority dstnat + 1; policy accept; - fib daddr type local dnat ip addr . port to meta l4proto . th dport map @map_port_ipport - - iifname ${wan_if} tcp dport { 22, 80, 443, 25565, 64022 } dnat to ${hosts.beefcake.ip} - iifname ${wan_if} udp dport { 64020 } dnat to ${hosts.beefcake.ip} - - # iifname ${wan_if} tcp dport { 25565 } dnat to 192.168.0.244 - # iifname ${wan_if} udp dport { 25565 } dnat to 192.168.0.244 - - # router - iifname ${wan_if} tcp dport { 2201 } dnat to ${ip} - } - - chain output { - type nat hook output priority -99; policy accept; - ip daddr != 127.0.0.0/8 oif "lo" dnat ip addr . port to meta l4proto . 
th dport map @map_port_ipport - } - - chain postrouting { - type nat hook postrouting priority srcnat + 1; policy accept; - oifname ${lan_if} masquerade - ip saddr @masq_saddr masquerade - } - ''; + enp3s0 = { + # should be lan0 + useDHCP = false; }; + wan0 = { + useDHCP = true; + }; + lan0 = { + useDHCP = false; + }; + }; + + extraHosts = '' + 127.0.0.1 localhost + ${ip} router.h.lyte.dev router + + ::1 localhost ip6-localhost ip6-loopback + ff02::1 ip6-allnodes + ff02::2 ip6-allrouters + ''; + + nftables = { + enable = true; + flushRuleset = true; + + tables = { + filter = { + family = "inet"; + content = '' + chain input { + # type filter hook input priority filter; policy accept; + type filter hook input priority 0; + + # anything from loopback interface + iifname "lo" accept + + # accept traffic we originated + ct state { established, related } counter accept + ct state invalid counter drop + + # ICMP + ip6 nexthdr icmpv6 icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert, mld-listener-query, destination-unreachable, packet-too-big, time-exceeded, parameter-problem } counter accept + ip protocol icmp icmp type { echo-request, destination-unreachable, router-advertisement, time-exceeded, parameter-problem } counter accept + ip protocol icmpv6 counter accept + ip protocol icmp counter accept + meta l4proto ipv6-icmp counter accept + + udp dport dhcpv6-client counter accept + + tcp dport { 64022, 22, 53, 67, 25565 } counter accept + udp dport { 64020, 22, 53, 67 } counter accept + + # iifname "iot" ip saddr $iot-ip tcp dport { llmnr } counter accept + # iifname "iot" ip saddr $iot-ip udp dport { mdns, llmnr } counter accept + iifname "${lan_if}" tcp dport { llmnr } counter accept + iifname "${lan_if}" udp dport { mdns, llmnr } counter accept + + counter drop + } + + # allow all outgoing + chain output { + type filter hook output priority 0; + accept + } + + chain forward { + type filter hook forward priority 
0; + accept + } + ''; + }; + + nat = { + family = "ip"; + content = '' + set masq_saddr { + type ipv4_addr + flags interval + elements = { ${cidr} } + } + + map map_port_ipport { + type inet_proto . inet_service : ipv4_addr . inet_service + } + + chain prerouting { + iifname ${lan_if} accept + + type nat hook prerouting priority dstnat + 1; policy accept; + fib daddr type local dnat ip addr . port to meta l4proto . th dport map @map_port_ipport + + iifname ${wan_if} tcp dport { 22, 80, 443, 25565, 64022 } dnat to ${hosts.beefcake.ip} + iifname ${wan_if} udp dport { 64020 } dnat to ${hosts.beefcake.ip} + + # iifname ${wan_if} tcp dport { 25565 } dnat to 192.168.0.244 + # iifname ${wan_if} udp dport { 25565 } dnat to 192.168.0.244 + + # router + iifname ${wan_if} tcp dport { 2201 } dnat to ${ip} + } + + chain output { + type nat hook output priority -99; policy accept; + ip daddr != 127.0.0.0/8 oif "lo" dnat ip addr . port to meta l4proto . th dport map @map_port_ipport + } + + chain postrouting { + type nat hook postrouting priority srcnat + 1; policy accept; + oifname ${lan_if} masquerade + ip saddr @masq_saddr masquerade + } + ''; + }; + }; + }; + + dhcpcd = { + enable = true; + extraConfig = '' + duid + + # No way.... https://github.com/NetworkConfiguration/dhcpcd/issues/36#issuecomment-954777644 + # issues caused by guests with oneplus devices + noarp + + persistent + vendorclassid + + option domain_name_servers, domain_name, domain_search + option classless_static_routes + option interface_mtu + option host_name + #option ntp_servers + + require dhcp_server_identifier + slaac private + noipv4ll + noipv6rs + + static domain_name_servers=${ip} + + interface ${wan_if} + gateway + ipv6rs + iaid 1 + # option rapid_commit + # ia_na 1 + ia_pd 1 ${lan_if} + + interface ${lan_if} + static ip_address=${cidr} + static routers=${ip} + static domain_name_servers=${ip} + ''; }; }; - networking.dhcpcd = { - enable = true; - extraConfig = '' - duid - - # No way.... 
https://github.com/NetworkConfiguration/dhcpcd/issues/36#issuecomment-954777644 - # issues caused by guests with oneplus devices - noarp - - persistent - vendorclassid - - option domain_name_servers, domain_name, domain_search - option classless_static_routes - option interface_mtu - option host_name - #option ntp_servers - - require dhcp_server_identifier - slaac private - noipv4ll - noipv6rs - - static domain_name_servers=${ip} - - interface ${wan_if} - gateway - ipv6rs - iaid 1 - # option rapid_commit - # ia_na 1 - ia_pd 1 ${lan_if} - - interface ${lan_if} - static ip_address=${cidr} - static routers=${ip} - static domain_name_servers=${ip} - ''; - }; + systemd.services.systemd-networkd-wait-online.enable = lib.mkForce false; systemd.network = { enable = true; @@ -352,9 +373,7 @@ in { services.avahi = { enable = true; reflector = true; - allowInterfaces = [ - lan_if - ]; + allowInterfaces = [lan_if]; }; system.stateVersion = "24.05";
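Review bot: The `chain forward` in the relocated filter table still has a bare `accept`, and now that `ia_pd 1 ${lan_if}` hands a delegated IPv6 prefix to the LAN, any LAN host using that prefix is reachable from the WAN with no stateful filtering (IPv4 hosts are only masked by masquerade, not by policy); the rewrite below makes forward default-drop and admits only established/related flows, LAN-originated traffic, the connections prerouting has DNATed, and ICMPv6, so the existing port forwards to beefcake keep working. Separately, `tcp dport { 64022, 22, 53, 67, 25565 } counter accept` and the udp line under it in `chain input` carry no `iifname` qualifier, so if the resolver that `static domain_name_servers=${ip}` points at runs on this host it also answers DNS (and DHCP) from the WAN side; the mdns/llmnr rules two lines later show the intended `iifname "${lan_if}"` form. The `interfaces` attrset configures both `enp2s0`/`enp3s0` and `wan0`/`lan0`; per the `# should be wan0` comments one pair is presumably the pre-rename name and can be dropped once the udev rename is confirmed, otherwise two definitions describe the same NIC. The nftables and dhcpcd settings are otherwise moved unchanged, and the enclosing module attrset starts and ends outside the hunk.
```nix
              # … unchanged: input and output chains …
              chain forward {
                type filter hook forward priority 0; policy drop;

                # replies to flows the LAN (or a DNAT target) already opened
                ct state { established, related } counter accept
                ct state invalid counter drop

                # LAN may reach anything; WAN only reaches what prerouting DNATs
                iifname "${lan_if}" counter accept
                ct status dnat counter accept

                # let neighbor discovery and path MTU discovery cross the router
                meta l4proto ipv6-icmp counter accept

                counter drop
              }
```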