Router alive, but not routing

Daniel Flanagan 2024-07-17 14:18:35 -05:00
parent e6e1225858
commit a2c6a0fe93
4 changed files with 217 additions and 27 deletions


@ -21,6 +21,27 @@
"type": "github" "type": "github"
} }
}, },
"dependencyDagOfSubmodule": {
"inputs": {
"nixpkgs": [
"nnf",
"nixpkgs"
]
},
"locked": {
"lastModified": 1656615370,
"narHash": "sha256-IZDqz1aSySoqf1qtVQg+oJMHfC4IlT55Zoa7EkjvPug=",
"owner": "thelegy",
"repo": "nix-dependencyDagOfSubmodule",
"rev": "98eb563d80b35acafbfc1abb9ccee569c1efb19c",
"type": "github"
},
"original": {
"owner": "thelegy",
"repo": "nix-dependencyDagOfSubmodule",
"type": "github"
}
},
"disko": { "disko": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -395,6 +416,22 @@
} }
}, },
"nixpkgs_4": { "nixpkgs_4": {
"locked": {
"lastModified": 1692638711,
"narHash": "sha256-J0LgSFgJVGCC1+j5R2QndadWI1oumusg6hCtYAzLID4=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "91a22f76cd1716f9d0149e8a5c68424bb691de15",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_5": {
"locked": { "locked": {
"lastModified": 1716769173, "lastModified": 1716769173,
"narHash": "sha256-7EXDb5WBw+d004Agt+JHC/Oyh/KTUglOaQ4MNjBbo5w=", "narHash": "sha256-7EXDb5WBw+d004Agt+JHC/Oyh/KTUglOaQ4MNjBbo5w=",
@ -410,6 +447,26 @@
"type": "github" "type": "github"
} }
}, },
"nnf": {
"inputs": {
"dependencyDagOfSubmodule": "dependencyDagOfSubmodule",
"nixpkgs": "nixpkgs_4"
},
"locked": {
"lastModified": 1720615408,
"narHash": "sha256-Q1G6GVUWXra9rdWTbSq21WaeRyWwINE7a5SRJekn6h4=",
"owner": "thelegy",
"repo": "nixos-nftables-firewall",
"rev": "71fc2b79358d0dbacde83c806a0f008ece567b7b",
"type": "github"
},
"original": {
"owner": "thelegy",
"repo": "nixos-nftables-firewall",
"rev": "71fc2b79358d0dbacde83c806a0f008ece567b7b",
"type": "github"
}
},
"pre-commit": { "pre-commit": {
"inputs": { "inputs": {
"flake-compat": "flake-compat", "flake-compat": "flake-compat",
@ -442,6 +499,7 @@
"hyprland": "hyprland", "hyprland": "hyprland",
"nixpkgs": "nixpkgs_3", "nixpkgs": "nixpkgs_3",
"nixpkgs-unstable": "nixpkgs-unstable", "nixpkgs-unstable": "nixpkgs-unstable",
"nnf": "nnf",
"pre-commit": "pre-commit", "pre-commit": "pre-commit",
"slippi": "slippi", "slippi": "slippi",
"sops-nix": "sops-nix" "sops-nix": "sops-nix"
@ -474,7 +532,7 @@
}, },
"slippi": { "slippi": {
"inputs": { "inputs": {
"nixpkgs": "nixpkgs_4" "nixpkgs": "nixpkgs_5"
}, },
"locked": { "locked": {
"lastModified": 1720625270, "lastModified": 1720625270,


@ -20,6 +20,8 @@
hardware.url = "github:nixos/nixos-hardware"; hardware.url = "github:nixos/nixos-hardware";
hyprland.url = "github:hyprwm/Hyprland"; hyprland.url = "github:hyprwm/Hyprland";
slippi.url = "github:lytedev/slippi-nix"; slippi.url = "github:lytedev/slippi-nix";
nnf.url = "github:thelegy/nixos-nftables-firewall?rev=71fc2b79358d0dbacde83c806a0f008ece567b7b";
}; };
nixConfig = { nixConfig = {
@ -52,6 +54,7 @@
home-manager, home-manager,
helix, helix,
hardware, hardware,
nnf,
# hyprland, # hyprland,
slippi, slippi,
... ...
@ -344,6 +347,7 @@
modules = with nixosModules; [ modules = with nixosModules; [
outputs.diskoConfigurations.unencrypted outputs.diskoConfigurations.unencrypted
common common
nnf.nixosModules.default
./nixos/router.nix ./nixos/router.nix
]; ];
}; };
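Review bot: The new `nnf` input in the first hunk is pinned to a rev but does not make its `nixpkgs` follow this flake's, so the lock (see the flake.lock section) now carries a separate `nixpkgs_4` with lastModified 1692638711 that exists only for nnf. If nnf uses nixpkgs only for `lib` this is mostly lock bloat, but it is still a second pinned nixpkgs tree in the closure to track and audit. Adding `nnf.inputs.nixpkgs.follows = "nixpkgs";` next to `nnf.url` keeps a single nixpkgs. The `inputs` attrset starts and ends outside the hunk.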


@ -12,9 +12,9 @@
domain = "h.lyte.dev"; domain = "h.lyte.dev";
ip = "192.168.0.1"; ip = "192.168.0.1";
cidr = "${ip}/16"; cidr = "${ip}/16";
netmask = "255.255.0.0"; # see cidr netmask = "255.255.255.0"; # see cidr
dhcp_lease_space = { dhcp_lease_space = {
min = "192.168.0.5"; min = "192.168.0.30";
max = "192.168.0.250"; max = "192.168.0.250";
}; };
interfaces = { interfaces = {
@ -29,13 +29,9 @@
}; };
hosts = { hosts = {
dragon = { dragon = {
identifier = "dragon";
host = "dragon";
ip = "192.168.0.10"; ip = "192.168.0.10";
}; };
beefcake = { beefcake = {
identifier = "beefcake";
host = "beefcake";
ip = "192.168.0.9"; ip = "192.168.0.9";
}; };
}; };
@ -92,38 +88,116 @@ in {
networking = { networking = {
hostName = hostname; hostName = hostname;
domain = domain; domain = domain;
useDHCP = false; useDHCP = false;
nat.enable = false;
firewall.enable = false;
useNetworkd = true;
extraHosts = '' extraHosts = ''
127.0.0.1 localhost 127.0.0.1 localhost
127.0.0.2 ${hostname}.${domain} ${hostname} 127.0.0.2 ${hostname}.${domain} ${hostname}
${ip} ${hostname}.${domain} ${hostname} ${ip} ${hostname}.${domain} ${hostname}
::1 localhost ip6-localhost ip6-loopback ::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes ff02::1 ip6-allnodes
kkkkk ff02::2 ip6-allrouters ff02::2 ip6-allrouters
''; '';
firewall.enable = true; nftables.firewall = let
firewall.allowedTCPPorts = [ me = config.networking.nftables.firewall.localZoneName;
2201 in {
22 enable = true;
]; snippets.nnf-common.enable = true;
zones = {
${interfaces.wan.name} = {
interfaces = [interfaces.wan.name];
};
${interfaces.lan.name} = {
parent = interfaces.wan.name;
ipv4Addresses = [cidr];
};
# banned = {
# ingressExpression = [
# "ip saddr @banlist"
# "ip6 saddr @banlist6"
# ];
# egressExpression = [
# "ip daddr @banlist"
# "ip6 daddr @banlist6"
# ];
# };
};
rules = {
dhcp = {
from = "all";
to = [hosts.beefcake.ip];
allowedTCPPorts = [67];
allowedUDPPorts = [67];
};
http = {
from = "all";
to = [hosts.beefcake.ip];
allowedTCPPorts = [80 443];
};
router-ssh = {
from = "all";
to = [me];
allowedTCPPorts = [2201];
};
server-ssh = {
from = "all";
to = [hosts.beefcake.ip];
allowedTCPPorts = [22];
};
};
};
}; };
systemd.network = { systemd.network = {
enable = true; enable = true;
wait-online.anyInterface = true; wait-online.anyInterface = true;
links = {
"10-${interfaces.wan.name}" = {
enable = true;
matchConfig = {
MACAddress = interfaces.wan.mac;
};
linkConfig = {
Name = interfaces.wan.name;
};
};
"10-${interfaces.lan.name}" = {
enable = true;
matchConfig = {
MACAddress = interfaces.lan.mac;
};
linkConfig = {
Name = interfaces.lan.name;
};
};
};
networks = { networks = {
"30-${interfaces.lan.name}" = { "30-${interfaces.lan.name}" = {
matchConfig.MACAddress = "${interfaces.lan.mac}"; matchConfig.Name = "${interfaces.lan.name}";
linkConfig.RequiredForOnline = "enslaved"; linkConfig = {
RequiredForOnline = "enslaved";
# Name = interfaces.lan.name;
};
address = [
cidr
];
networkConfig = { networkConfig = {
ConfigureWithoutCarrier = true; ConfigureWithoutCarrier = true;
}; };
}; };
"10-${interfaces.wan.name}" = { "20-${interfaces.wan.name}" = {
matchConfig.MACAddress = "${interfaces.wan.mac}"; matchConfig.Name = "${interfaces.wan.name}";
networkConfig = { networkConfig = {
DHCP = true; DHCP = true;
DNSOverTLS = true; DNSOverTLS = true;
@ -131,11 +205,60 @@ in {
IPv6PrivacyExtensions = false; IPv6PrivacyExtensions = false;
IPForward = true; IPForward = true;
}; };
linkConfig.RequiredForOnline = "routable"; linkConfig = {
RequiredForOnline = "routable";
# Name = interfaces.wan.name;
};
}; };
}; };
}; };
services.resolved.enable = false;
services.dnsmasq = {
enable = true;
settings = {
server = ["1.1.1.1" "9.9.9.9" "8.8.8.8"];
domain-needed = true;
bogus-priv = true;
no-resolv = true;
cache-size = 1000;
dhcp-range = with dhcp_lease_space; ["${interfaces.lan.name},${min},${max},${netmask},24h"];
interface = interfaces.lan.name;
dhcp-host =
[
]
++ (lib.attrsets.mapAttrsToList (name: {
ip,
identifier ? name,
time ? "12h",
}: "${name},${ip},${identifier},${time}")
hosts);
address =
[
"/${hostname}.${domain}/${ip}"
]
++ (lib.attrsets.mapAttrsToList (name: {
ip,
identifier ? name,
time ? "12h",
}: "/${name}.${domain}/${ip}")
hosts);
# local domains
local = "/lan/";
domain = "lan";
expand-hosts = true;
# don't use /etc/hosts as this would advertise surfer as localhost
no-hosts = true;
};
};
systemd.services.systemd-networkd-wait-online.enable = lib.mkForce false; systemd.services.systemd-networkd-wait-online.enable = lib.mkForce false;
services.openssh.listenAddresses = [ services.openssh.listenAddresses = [
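Review bot: In the first hunk `netmask` becomes `"255.255.255.0"` while `cidr` stays `"${ip}/16"`, so the `# see cidr` comment now contradicts the value; because the last hunk feeds `netmask` into dnsmasq's `dhcp-range` and `cidr` into the LAN `address` and the nftables zone's `ipv4Addresses`, DHCP clients and the router will disagree about the subnet. Make the two agree — `cidr = "${ip}/24";` if the /24 was the intent (the 192.168.0.30–250 lease range fits it), otherwise revert the netmask. Separately, `DNSOverTLS = true` on the WAN network is honored by systemd-resolved, yet the last hunk sets `services.resolved.enable = false` and points dnsmasq at plain `server = ["1.1.1.1" "9.9.9.9" "8.8.8.8"]`, so upstream DNS from this router appears to be unencrypted despite the option; either drop the misleading option or put a DoT-capable resolver in front of those upstreams. The attrset under `in {` starts before and continues after these hunks.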


@ -1,7 +1,8 @@
#!/usr/bin/env bash #!/usr/bin/env bash
usage() { usage() {
echo 'safe-remote-upgrade.bash $flake $target_host' echo 'usage'
echo ' safe-remote-upgrade.bash $FLAKE_REF $TARGET_HOST'
} }
error() { error() {
@ -23,16 +24,18 @@ if [[ -z $1 ]]; then
fi fi
target_host="$1"; shift target_host="$1"; shift
set -eu
git add -A git add -A
ssh "root@$target_host" "bash -c ' ssh "root@$target_host" "bash -c '
set -m set -m
# sleep 5 mins # sleep 5 mins
echo \"Starting background reboot job...\"
(sleep 300; reboot;) & (sleep 300; reboot;) &
jobs -p jobs -p
bg
disown disown
'" '" &
nix run nixpkgs#nixos-rebuild -- --flake "$flake" \ nix run nixpkgs#nixos-rebuild -- --flake "$flake" \
--target-host "root@$target_host" test --show-trace --target-host "root@$target_host" test --show-trace
@ -40,5 +43,7 @@ nix run nixpkgs#nixos-rebuild -- --flake "$flake" \
echo "Upgrade ready for verification. If you still have SSH access you can bail out without waiting with the following command:" echo "Upgrade ready for verification. If you still have SSH access you can bail out without waiting with the following command:"
echo " ssh 'root@$target_host' nixos-rebuild --rollback switch" echo " ssh 'root@$target_host' nixos-rebuild --rollback switch"
echo echo
echo "Waiting..."
wait
echo 'Done!' echo 'Done!'
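Review bot: The `ssh … '" &` at the end of the second hunk now runs in the background without `-n` or `</dev/null`, so it shares the terminal's stdin with the foreground `nix run nixos-rebuild` that follows; a backgrounded ssh that reads stdin can be stopped by SIGTTIN or consume input meant for the rebuild. Use `ssh -n "root@$target_host" "bash -c '` so the reboot-scheduling session never reads the terminal. The `bg` added after `jobs -p` acts on a job that `&` already placed in the background, so it is redundant and may only emit a warning; `disown` alone is sufficient. The lines between the hunks and the remainder of the script are outside this view.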