Router alive, but not routing

This commit is contained in:
Daniel Flanagan 2024-07-17 14:18:35 -05:00
parent e6e1225858
commit a2c6a0fe93
4 changed files with 217 additions and 27 deletions

View file

@ -21,6 +21,27 @@
"type": "github"
}
},
"dependencyDagOfSubmodule": {
"inputs": {
"nixpkgs": [
"nnf",
"nixpkgs"
]
},
"locked": {
"lastModified": 1656615370,
"narHash": "sha256-IZDqz1aSySoqf1qtVQg+oJMHfC4IlT55Zoa7EkjvPug=",
"owner": "thelegy",
"repo": "nix-dependencyDagOfSubmodule",
"rev": "98eb563d80b35acafbfc1abb9ccee569c1efb19c",
"type": "github"
},
"original": {
"owner": "thelegy",
"repo": "nix-dependencyDagOfSubmodule",
"type": "github"
}
},
"disko": {
"inputs": {
"nixpkgs": [
@ -395,6 +416,22 @@
}
},
"nixpkgs_4": {
"locked": {
"lastModified": 1692638711,
"narHash": "sha256-J0LgSFgJVGCC1+j5R2QndadWI1oumusg6hCtYAzLID4=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "91a22f76cd1716f9d0149e8a5c68424bb691de15",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_5": {
"locked": {
"lastModified": 1716769173,
"narHash": "sha256-7EXDb5WBw+d004Agt+JHC/Oyh/KTUglOaQ4MNjBbo5w=",
@ -410,6 +447,26 @@
"type": "github"
}
},
"nnf": {
"inputs": {
"dependencyDagOfSubmodule": "dependencyDagOfSubmodule",
"nixpkgs": "nixpkgs_4"
},
"locked": {
"lastModified": 1720615408,
"narHash": "sha256-Q1G6GVUWXra9rdWTbSq21WaeRyWwINE7a5SRJekn6h4=",
"owner": "thelegy",
"repo": "nixos-nftables-firewall",
"rev": "71fc2b79358d0dbacde83c806a0f008ece567b7b",
"type": "github"
},
"original": {
"owner": "thelegy",
"repo": "nixos-nftables-firewall",
"rev": "71fc2b79358d0dbacde83c806a0f008ece567b7b",
"type": "github"
}
},
"pre-commit": {
"inputs": {
"flake-compat": "flake-compat",
@ -442,6 +499,7 @@
"hyprland": "hyprland",
"nixpkgs": "nixpkgs_3",
"nixpkgs-unstable": "nixpkgs-unstable",
"nnf": "nnf",
"pre-commit": "pre-commit",
"slippi": "slippi",
"sops-nix": "sops-nix"
@ -474,7 +532,7 @@
},
"slippi": {
"inputs": {
"nixpkgs": "nixpkgs_4"
"nixpkgs": "nixpkgs_5"
},
"locked": {
"lastModified": 1720625270,

View file

@ -20,6 +20,8 @@
hardware.url = "github:nixos/nixos-hardware";
hyprland.url = "github:hyprwm/Hyprland";
slippi.url = "github:lytedev/slippi-nix";
nnf.url = "github:thelegy/nixos-nftables-firewall?rev=71fc2b79358d0dbacde83c806a0f008ece567b7b";
};
nixConfig = {
@ -52,6 +54,7 @@
home-manager,
helix,
hardware,
nnf,
# hyprland,
slippi,
...
@ -344,6 +347,7 @@
modules = with nixosModules; [
outputs.diskoConfigurations.unencrypted
common
nnf.nixosModules.default
./nixos/router.nix
];
};

View file

@ -12,9 +12,9 @@
domain = "h.lyte.dev";
ip = "192.168.0.1";
cidr = "${ip}/16";
netmask = "255.255.0.0"; # see cidr
netmask = "255.255.255.0"; # see cidr
dhcp_lease_space = {
min = "192.168.0.5";
min = "192.168.0.30";
max = "192.168.0.250";
};
interfaces = {
@ -29,13 +29,9 @@
};
hosts = {
dragon = {
identifier = "dragon";
host = "dragon";
ip = "192.168.0.10";
};
beefcake = {
identifier = "beefcake";
host = "beefcake";
ip = "192.168.0.9";
};
};
@ -92,38 +88,116 @@ in {
networking = {
hostName = hostname;
domain = domain;
useDHCP = false;
nat.enable = false;
firewall.enable = false;
useNetworkd = true;
extraHosts = ''
127.0.0.1 localhost
127.0.0.2 ${hostname}.${domain} ${hostname}
${ip} ${hostname}.${domain} ${hostname}
127.0.0.1 localhost
127.0.0.2 ${hostname}.${domain} ${hostname}
${ip} ${hostname}.${domain} ${hostname}
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
kkkkk ff02::2 ip6-allrouters
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
'';
firewall.enable = true;
firewall.allowedTCPPorts = [
2201
22
];
nftables.firewall = let
me = config.networking.nftables.firewall.localZoneName;
in {
enable = true;
snippets.nnf-common.enable = true;
zones = {
${interfaces.wan.name} = {
interfaces = [interfaces.wan.name];
};
${interfaces.lan.name} = {
parent = interfaces.wan.name;
ipv4Addresses = [cidr];
};
# banned = {
# ingressExpression = [
# "ip saddr @banlist"
# "ip6 saddr @banlist6"
# ];
# egressExpression = [
# "ip daddr @banlist"
# "ip6 daddr @banlist6"
# ];
# };
};
rules = {
dhcp = {
from = "all";
to = [hosts.beefcake.ip];
allowedTCPPorts = [67];
allowedUDPPorts = [67];
};
http = {
from = "all";
to = [hosts.beefcake.ip];
allowedTCPPorts = [80 443];
};
router-ssh = {
from = "all";
to = [me];
allowedTCPPorts = [2201];
};
server-ssh = {
from = "all";
to = [hosts.beefcake.ip];
allowedTCPPorts = [22];
};
};
};
};
systemd.network = {
enable = true;
wait-online.anyInterface = true;
links = {
"10-${interfaces.wan.name}" = {
enable = true;
matchConfig = {
MACAddress = interfaces.wan.mac;
};
linkConfig = {
Name = interfaces.wan.name;
};
};
"10-${interfaces.lan.name}" = {
enable = true;
matchConfig = {
MACAddress = interfaces.lan.mac;
};
linkConfig = {
Name = interfaces.lan.name;
};
};
};
networks = {
"30-${interfaces.lan.name}" = {
matchConfig.MACAddress = "${interfaces.lan.mac}";
linkConfig.RequiredForOnline = "enslaved";
matchConfig.Name = "${interfaces.lan.name}";
linkConfig = {
RequiredForOnline = "enslaved";
# Name = interfaces.lan.name;
};
address = [
cidr
];
networkConfig = {
ConfigureWithoutCarrier = true;
};
};
"10-${interfaces.wan.name}" = {
matchConfig.MACAddress = "${interfaces.wan.mac}";
"20-${interfaces.wan.name}" = {
matchConfig.Name = "${interfaces.wan.name}";
networkConfig = {
DHCP = true;
DNSOverTLS = true;
@ -131,11 +205,60 @@ in {
IPv6PrivacyExtensions = false;
IPForward = true;
};
linkConfig.RequiredForOnline = "routable";
linkConfig = {
RequiredForOnline = "routable";
# Name = interfaces.wan.name;
};
};
};
};
services.resolved.enable = false;
services.dnsmasq = {
enable = true;
settings = {
server = ["1.1.1.1" "9.9.9.9" "8.8.8.8"];
domain-needed = true;
bogus-priv = true;
no-resolv = true;
cache-size = 1000;
dhcp-range = with dhcp_lease_space; ["${interfaces.lan.name},${min},${max},${netmask},24h"];
interface = interfaces.lan.name;
dhcp-host =
[
]
++ (lib.attrsets.mapAttrsToList (name: {
ip,
identifier ? name,
time ? "12h",
}: "${name},${ip},${identifier},${time}")
hosts);
address =
[
"/${hostname}.${domain}/${ip}"
]
++ (lib.attrsets.mapAttrsToList (name: {
ip,
identifier ? name,
time ? "12h",
}: "/${name}.${domain}/${ip}")
hosts);
# local domains
local = "/lan/";
domain = "lan";
expand-hosts = true;
# don't use /etc/hosts as this would advertise surfer as localhost
no-hosts = true;
};
};
systemd.services.systemd-networkd-wait-online.enable = lib.mkForce false;
services.openssh.listenAddresses = [

View file

@ -1,7 +1,8 @@
#!/usr/bin/env bash
usage() {
echo 'safe-remote-upgrade.bash $flake $target_host'
echo 'usage'
echo ' safe-remote-upgrade.bash $FLAKE_REF $TARGET_HOST'
}
error() {
@ -23,16 +24,18 @@ if [[ -z $1 ]]; then
fi
target_host="$1"; shift
set -eu
git add -A
ssh "root@$target_host" "bash -c '
set -m
# sleep 5 mins
echo \"Starting background reboot job...\"
(sleep 300; reboot;) &
jobs -p
bg
disown
'"
'" &
nix run nixpkgs#nixos-rebuild -- --flake "$flake" \
--target-host "root@$target_host" test --show-trace
@ -40,5 +43,7 @@ nix run nixpkgs#nixos-rebuild -- --flake "$flake" \
echo "Upgrade ready for verification. If you still have SSH access you can bail out without waiting with the following command:"
echo " ssh 'root@$target_host' nixos-rebuild --rollback switch"
echo
echo "Waiting..."
wait
echo 'Done!'