From a2c6a0fe93677213dfe436825f01b6efd1f27fb2 Mon Sep 17 00:00:00 2001 From: Daniel Flanagan Date: Wed, 17 Jul 2024 14:18:35 -0500 Subject: [PATCH] Router alive, but not routing --- flake.lock | 60 +++++++++++++- flake.nix | 4 + nixos/router.nix | 167 +++++++++++++++++++++++++++++++++------ safe-remote-upgrade.bash | 13 ++- 4 files changed, 217 insertions(+), 27 deletions(-) diff --git a/flake.lock b/flake.lock index 78dcacc..6e24da3 100644 --- a/flake.lock +++ b/flake.lock @@ -21,6 +21,27 @@ "type": "github" } }, + "dependencyDagOfSubmodule": { + "inputs": { + "nixpkgs": [ + "nnf", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1656615370, + "narHash": "sha256-IZDqz1aSySoqf1qtVQg+oJMHfC4IlT55Zoa7EkjvPug=", + "owner": "thelegy", + "repo": "nix-dependencyDagOfSubmodule", + "rev": "98eb563d80b35acafbfc1abb9ccee569c1efb19c", + "type": "github" + }, + "original": { + "owner": "thelegy", + "repo": "nix-dependencyDagOfSubmodule", + "type": "github" + } + }, "disko": { "inputs": { "nixpkgs": [ @@ -395,6 +416,22 @@ } }, "nixpkgs_4": { + "locked": { + "lastModified": 1692638711, + "narHash": "sha256-J0LgSFgJVGCC1+j5R2QndadWI1oumusg6hCtYAzLID4=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "91a22f76cd1716f9d0149e8a5c68424bb691de15", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_5": { "locked": { "lastModified": 1716769173, "narHash": "sha256-7EXDb5WBw+d004Agt+JHC/Oyh/KTUglOaQ4MNjBbo5w=", 
@@ -410,6 +447,26 @@ "type": "github" } }, + "nnf": { + "inputs": { + "dependencyDagOfSubmodule": "dependencyDagOfSubmodule", + "nixpkgs": "nixpkgs_4" + }, + "locked": { + "lastModified": 1720615408, + "narHash": "sha256-Q1G6GVUWXra9rdWTbSq21WaeRyWwINE7a5SRJekn6h4=", + "owner": "thelegy", + "repo": "nixos-nftables-firewall", + "rev": "71fc2b79358d0dbacde83c806a0f008ece567b7b", + "type": "github" + }, + "original": { + "owner": "thelegy", + "repo": "nixos-nftables-firewall", + "rev": "71fc2b79358d0dbacde83c806a0f008ece567b7b", + "type": "github" + } + }, "pre-commit": { "inputs": { "flake-compat": "flake-compat",
@@ -442,6 +499,7 @@ "hyprland": "hyprland", "nixpkgs": "nixpkgs_3", "nixpkgs-unstable": "nixpkgs-unstable", + "nnf": "nnf", "pre-commit": "pre-commit", "slippi": "slippi", "sops-nix": "sops-nix"
@@ -474,7 +532,7 @@ }, "slippi": { "inputs": { - "nixpkgs": "nixpkgs_4" + "nixpkgs": "nixpkgs_5" }, "locked": { "lastModified": 1720625270,
diff --git a/flake.nix b/flake.nix
index 9c5ea4a..7deb12c 100644
--- a/flake.nix
+++ b/flake.nix
@@ -20,6 +20,8 @@
 hardware.url = "github:nixos/nixos-hardware";
 hyprland.url = "github:hyprwm/Hyprland";
 slippi.url = "github:lytedev/slippi-nix";
+
+ nnf.url = "github:thelegy/nixos-nftables-firewall?rev=71fc2b79358d0dbacde83c806a0f008ece567b7b";
 };
 nixConfig = {
@@ -52,6 +54,7 @@
 home-manager,
 helix,
 hardware,
+ nnf,
 # hyprland,
 slippi,
 ...
@@ -344,6 +347,7 @@
 modules = with nixosModules; [
 outputs.diskoConfigurations.unencrypted
 common
+ nnf.nixosModules.default
 ./nixos/router.nix
 ];
 };
diff --git a/nixos/router.nix b/nixos/router.nix
index 6f019d0..bada4ff 100644
--- a/nixos/router.nix
+++ b/nixos/router.nix
@@ -12,9 +12,9 @@
 domain = "h.lyte.dev";
 ip = "192.168.0.1";
 cidr = "${ip}/16";
- netmask = "255.255.0.0"; # see cidr
+ netmask = "255.255.255.0"; # see cidr
 dhcp_lease_space = {
- min = "192.168.0.5";
+ min = "192.168.0.30";
 max = "192.168.0.250";
 };
 interfaces = {
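Review bot: The new `nnf` input is pinned to a commit, which is good, but it is not told to reuse this flake's nixpkgs, so flake.lock now carries a separate `nixpkgs_4` for it (its `lastModified` of 1692638711 is an August 2023 snapshot). Whatever nnf evaluates against its own input therefore comes from that old package set rather than the one the rest of the system uses. Add `nnf.inputs.nixpkgs.follows = "nixpkgs";` directly under `nnf.url` so a single, current nixpkgs is in play and the lock does not grow a second copy. The `inputs` attrset these lines belong to starts before the hunk.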
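Review bot: `netmask` is changed to `255.255.255.0` while `cidr` stays `"${ip}/16"`, so the two values no longer agree even though the comment still says `# see cidr`. Elsewhere in this commit `cidr` becomes the LAN address in `systemd.network` and the `ipv4Addresses` of the nftables lan zone, while `netmask` goes into dnsmasq's `dhcp-range`, so the router would sit on a /16 and hand its clients a /24. Pick one prefix — `cidr = "${ip}/24";` if the /24 is the intended network — or derive the mask from the prefix instead of maintaining both by hand. The `let` block these bindings live in starts before the hunk.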
@@ -29,13 +29,9 @@
 };
 hosts = {
 dragon = {
- identifier = "dragon";
- host = "dragon";
 ip = "192.168.0.10";
 };
 beefcake = {
- identifier = "beefcake";
- host = "beefcake";
 ip = "192.168.0.9";
 };
 };
@@ -92,38 +88,116 @@ in {
 networking = {
 hostName = hostname;
 domain = domain;
+ useDHCP = false;
+ nat.enable = false;
+ firewall.enable = false;
+
+ useNetworkd = true;
 extraHosts = ''
- 127.0.0.1 localhost
- 127.0.0.2 ${hostname}.${domain} ${hostname}
- ${ip} ${hostname}.${domain} ${hostname}
+ 127.0.0.1 localhost
+ 127.0.0.2 ${hostname}.${domain} ${hostname}
+ ${ip} ${hostname}.${domain} ${hostname}
- ::1 localhost ip6-localhost ip6-loopback
- ff02::1 ip6-allnodes
- kkkkk ff02::2 ip6-allrouters
+ ::1 localhost ip6-localhost ip6-loopback
+ ff02::1 ip6-allnodes
+ ff02::2 ip6-allrouters
 '';
- firewall.enable = true;
- firewall.allowedTCPPorts = [
- 2201
- 22
- ];
+ nftables.firewall = let
+ me = config.networking.nftables.firewall.localZoneName;
+ in {
+ enable = true;
+ snippets.nnf-common.enable = true;
+
+ zones = {
+ ${interfaces.wan.name} = {
+ interfaces = [interfaces.wan.name];
+ };
+ ${interfaces.lan.name} = {
+ parent = interfaces.wan.name;
+ ipv4Addresses = [cidr];
+ };
+ # banned = {
+ # ingressExpression = [
+ # "ip saddr @banlist"
+ # "ip6 saddr @banlist6"
+ # ];
+ # egressExpression = [
+ # "ip daddr @banlist"
+ # "ip6 daddr @banlist6"
+ # ];
+ # };
+ };
+
+ rules = {
+ dhcp = {
+ from = "all";
+ to = [hosts.beefcake.ip];
+ allowedTCPPorts = [67];
+ allowedUDPPorts = [67];
+ };
+ http = {
+ from = "all";
+ to = [hosts.beefcake.ip];
+ allowedTCPPorts = [80 443];
+ };
+ router-ssh = {
+ from = "all";
+ to = [me];
+ allowedTCPPorts = [2201];
+ };
+ server-ssh = {
+ from = "all";
+ to = [hosts.beefcake.ip];
+ allowedTCPPorts = [22];
+ };
+ };
+ };
 };
 systemd.network = {
 enable = true;
 wait-online.anyInterface = true;
+
+ links = {
+ "10-${interfaces.wan.name}" = {
+ enable = true;
+ matchConfig = {
+ MACAddress = interfaces.wan.mac;
+ };
+ linkConfig = {
+ Name = interfaces.wan.name;
+ };
+ };
+ "10-${interfaces.lan.name}" = {
+ enable = true;
+ matchConfig = {
+ MACAddress = interfaces.lan.mac;
+ };
+ linkConfig = {
+ Name = interfaces.lan.name;
+ };
+ };
+ };
 networks = {
 "30-${interfaces.lan.name}" = {
- matchConfig.MACAddress = "${interfaces.lan.mac}";
- linkConfig.RequiredForOnline = "enslaved";
+ matchConfig.Name = "${interfaces.lan.name}";
+ linkConfig = {
+ RequiredForOnline = "enslaved";
+ # Name = interfaces.lan.name;
+ };
+
+ address = [
+ cidr
+ ];
 networkConfig = {
 ConfigureWithoutCarrier = true;
 };
 };
- "10-${interfaces.wan.name}" = {
- matchConfig.MACAddress = "${interfaces.wan.mac}";
+ "20-${interfaces.wan.name}" = {
+ matchConfig.Name = "${interfaces.wan.name}";
 networkConfig = {
 DHCP = true;
 DNSOverTLS = true;
@@ -131,11 +205,60 @@ in {
 IPv6PrivacyExtensions = false;
 IPForward = true;
 };
- linkConfig.RequiredForOnline = "routable";
+ linkConfig = {
+ RequiredForOnline = "routable";
+ # Name = interfaces.wan.name;
+ };
 };
 };
 };
+ services.resolved.enable = false;
+
+ services.dnsmasq = {
+ enable = true;
+ settings = {
+ server = ["1.1.1.1" "9.9.9.9" "8.8.8.8"];
+
+ domain-needed = true;
+ bogus-priv = true;
+ no-resolv = true;
+
+ cache-size = 1000;
+
+ dhcp-range = with dhcp_lease_space; ["${interfaces.lan.name},${min},${max},${netmask},24h"];
+ interface = interfaces.lan.name;
+ dhcp-host =
+ [
+ ]
+ ++ (lib.attrsets.mapAttrsToList (name: {
+ ip,
+ identifier ? name,
+ time ? "12h",
+ }: "${name},${ip},${identifier},${time}")
+ hosts);
+
+ address =
+ [
+ "/${hostname}.${domain}/${ip}"
+ ]
+ ++ (lib.attrsets.mapAttrsToList (name: {
+ ip,
+ identifier ? name,
+ time ? "12h",
+ }: "/${name}.${domain}/${ip}")
+ hosts);
+
+ # local domains
+ local = "/lan/";
+ domain = "lan";
+ expand-hosts = true;
+
+ # don't use /etc/hosts as this would advertise surfer as localhost
+ no-hosts = true;
+ };
+ };
+
 systemd.services.systemd-networkd-wait-online.enable = lib.mkForce false;
 services.openssh.listenAddresses = [
diff --git a/safe-remote-upgrade.bash b/safe-remote-upgrade.bash
index 09efe41..d620fe6 100755
--- a/safe-remote-upgrade.bash
+++ b/safe-remote-upgrade.bash
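Review bot: The lan zone is declared as a child of the wan zone selected by `ipv4Addresses = [cidr]` rather than by its interface, so zone membership is decided by the packet's address instead of the link it arrived on: a WAN-side packet carrying a 192.168.0.0/16 address would be classified as lan, and, if nnf evaluates a child zone only within its parent's traffic, packets on the real LAN link may match no zone at all — please confirm against nnf's zone semantics. Binding the zone to its link, `${interfaces.lan.name} = { interfaces = [interfaces.lan.name]; };`, avoids both problems. Every rule also uses `from = "all"`, which includes the wan zone, so `router-ssh` (2201) and `server-ssh` (22) are reachable from the upstream side; if that is not intended, use `from = [interfaces.lan.name]`. The `dhcp` rule points at `hosts.beefcake.ip` although the DHCP server this commit configures is dnsmasq on this host, and DHCP does not use TCP, so `allowedTCPPorts = [67]` can be dropped. The `systemd.network` attrset continues past the end of the hunk.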
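Review bot: The `dhcp-host` entries are built as `"${name},${ip},${identifier},${time}"` with no hardware address, since the `hosts` entries only carry `ip` after this commit, so dnsmasq can match these reservations only on the hostname the client itself announces (and may reject an entry that names the host twice — worth checking the unit log). A client-supplied hostname is not authenticated, so any LAN device announcing `beefcake` could take `192.168.0.9` and inherit the nftables rules that open 22/80/443 toward that address; keying reservations on a MAC (add a `mac` attribute to `hosts` and emit `"${mac},${ip},${identifier},${time}"`) ties the address to the device instead. Separately, `services.resolved.enable = false;` makes the `DNSOverTLS = true` on the `20-wan` network inert, because that networkd option is consumed by systemd-resolved, and dnsmasq's `server` list is then queried in the clear; either keep resolved in the path or drop the now-meaningless option so the config does not suggest encrypted upstream DNS that is not happening. The enclosing `in {` attrset continues past the hunk.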
@@ -1,7 +1,8 @@
 #!/usr/bin/env bash
 usage() {
- echo 'safe-remote-upgrade.bash $flake $target_host'
+ echo 'usage'
+ echo ' safe-remote-upgrade.bash $FLAKE_REF $TARGET_HOST'
 }
 error() {
@@ -23,22 +24,26 @@ if [[ -z $1 ]]; then
 fi
 target_host="$1"; shift
+set -eu
+
 git add -A
 ssh "root@$target_host" "bash -c '
 set -m
 # sleep 5 mins
+ echo \"Starting background reboot job...\"
 (sleep 300; reboot;) &
 jobs -p
- bg
 disown
-'"
+'" &
 nix run nixpkgs#nixos-rebuild -- --flake "$flake" \
 --target-host "root@$target_host" test --show-trace
 echo "Upgrade ready for verification. If you still have SSH access you can bail out without waiting with the following command:"
 echo " ssh 'root@$target_host' nixos-rebuild --rollback switch"
-echo
+echo
+echo "Waiting..."
+wait
 echo 'Done!'
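Review bot: `set -eu` is now in force when `wait` runs, and `wait` returns the exit status of the backgrounded ssh, which — if the session is held open by the remote reboot watchdog and then cut by the reboot — is typically non-zero (255 on a dropped connection); with errexit the script then exits before `echo 'Done!'` and the operator never sees the completion line. Use `wait || true` if the status is irrelevant, or report it: `if ! wait; then echo "remote session ended (rebooted?)"; fi`. The same errexit applies to the `nix run ... test` step above: a failed build now aborts the script with no message while the five-minute reboot timer started over ssh is still armed on the target, so printing that fact on the way out (a `trap` on `EXIT` would cover both paths) would save the operator a surprise reboot.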