Script things out, fix ipv6?

This commit is contained in:
Daniel Flanagan 2023-07-17 18:09:47 +00:00
parent 6674150b7c
commit a4e7534403
10 changed files with 131 additions and 114 deletions

View file

@ -12,17 +12,18 @@ require dhcp_server_identifier
slaac private
noipv4ll
noipv6rs
waitip 6
static domain_name_servers=10.0.0.1 1.1.1.1 1.0.0.1
interface wan0
gateway
ipv6rs
iaid 1
option rapid_commit
ia_na 1
# option rapid_commit
# ia_na 1
ia_pd 1 lan0
interface lan0
static ip_address=10.0.0.1/8
static routers=10.0.0.1
static domain_name_servers=1.1.1.1 1.0.0.1
static domain_name_servers=10.0.0.1 1.1.1.1 1.0.0.1

View file

@ -11,6 +11,7 @@ dhcp-range=tag:lan0,::1,constructor:lan0,ra-names,12h
local=/h.lyte.dev/
dhcp-host=dragon,10.0.0.10,12h
dhcp-host=beefcake,10.0.0.9,12h
dhcp-host=chromebox,10.0.0.5,12h
dhcp-host=mnemonic,10.0.0.248,ea:1b:7a:fb:8b:b8,12h
# dhcp-host=frontdoorcam,10.0.0.89,9c:8e:cd:2b:71:e9,120m
@ -18,6 +19,8 @@ dhcp-host=mnemonic,10.0.0.248,ea:1b:7a:fb:8b:b8,12h
address=/video.lyte.dev/10.0.0.5
address=/git.lyte.dev/10.0.0.5
address=/bw.lyte.dev/10.0.0.5
address=/files.lyte.dev/10.0.0.5
address=/vpn.h.lyte.dev/10.0.0.9
address=/.h.lyte.dev/10.0.0.5
dhcp-host=AMC058BA_A75F1E,10.0.0.150,12h
@ -26,14 +29,15 @@ dhcp-host=AMC0587F_A2969A,10.0.0.151,12h
# dhcp-host=kubeworker3,d0:50:99:26:89:86,ourcraft,10.0.0.244,120m
# address=/dragon.h.lyte.dev/10.0.0.10
# address=/git.lyte.dev/10.0.0.5
# address=/h.lyte.dev/10.0.0.5
# address=/a.lyte.dev/10.0.0.5
# address=/bw.lyte.dev/10.0.0.5
# address=/files.lyte.dev/10.0.0.5
address=/git.lyte.dev/10.0.0.5
address=/h.lyte.dev/10.0.0.5
address=/a.lyte.dev/10.0.0.5
address=/bw.lyte.dev/10.0.0.5
address=/files.lyte.dev/10.0.0.5
# address=/grafana.h.lyte.dev/10.0.0.5
# address=/ourcraft.lyte.dev/10.0.0.244
server=10.0.0.1
server=1.1.1.1
server=1.0.0.1

View file

@ -1,44 +1,14 @@
# Static table lookup for hostnames.
# See hosts(5) for details.
# WARNING: Do not edit this file at /etc/hosts
# You must edit it from the router configuration repository and re-run the
# `link.fish` script! If you do otherwise, your changes will be overridden.
127.0.0.1 localhost
::1 localhost
# 127.0.1.1 router.h.lyte.dev router
127.0.1.1 router.h.lyte.dev router
# 10.0.0.1 router.h.lyte.dev router
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.0.0.1 vpn.h.lyte.dev
10.0.0.10 dragon.h.lyte.dev
10.0.0.210 git.lyte.dev
10.0.0.210 a.lyte.dev
10.0.0.210 h.lyte.dev
10.0.0.210 chat.lyte.dev
10.0.0.210 matrix.lyte.dev
10.0.0.210 bw.lyte.dev
10.0.0.210 files.lyte.dev
10.0.0.210 files.h.lyte.dev
10.0.0.210 grafana.lyte.dev
10.0.0.210 grafana.h.lyte.dev
10.0.0.210 faceless.h.lyte.dev
10.0.0.210 video.h.lyte.dev
10.0.0.210 video.lyte.dev
10.0.0.81 kube-cluster.home.lyte.dev
10.0.0.138 kube-cluster.home.lyte.dev
10.0.0.244 kube-cluster.home.lyte.dev
# 10.0.0.81 kube-cluster.home.lyte.dev
10.0.0.210 dmf.me
10.0.0.210 greenroof.house
10.0.0.210 ranch-talk.h.lyte.dev
10.0.0.138 ourcraft.lyte.dev
10.0.0.244 factorio.lyte.dev
10.0.0.5 git.lyte.dev
10.0.0.5 video.lyte.dev
10.0.0.5 files.lyte.dev
10.0.0.5 bw.lyte.dev

View file

@ -8,7 +8,7 @@ t="/tmp/nftables.conf"
# we don't care about existing rules - just use ours, thanks
# sudo nft -s list ruleset >> "$f"
sudo -E nvim "$my_config"
sudo -E $EDITOR "$my_config"
cat "$my_config"
echo "Do you want to load this config? [y/N]"
read -r l

View file

@ -1,4 +0,0 @@
#!/usr/bin/env sh
# install base packages from dotfiles first
pacman -S --needed dnsmasq nftables fail2ban radvd git dhcpcd

View file

@ -1,37 +0,0 @@
#!/usr/bin/env fish
if test (id -u) -ne 0
echo "must run as root"
exit 1
end
function relink
rm -f $argv[2]
ezln $argv[1] $argv[2]
end
function recopy
rm -f $argv[2]
cp $argv[1] $argv[2]
end
# DNS, DHCP, prefix delegation
recopy dnsmasq.conf /etc/dnsmasq.conf
# let dnsmasq handle DNS
recopy resolved.conf /etc/systemd/resolved.conf
# sysctl flags we need for forwarding and accepting IPv6 router advertisements
recopy ./sysctl-configs /etc/sysctl.d/10-router-configs.conf
# enable systemd-networkd to setup network interfaces with useful names
recopy lan0.link /etc/systemd/network/10-lan0.link
recopy wan0.link /etc/systemd/network/10-wan0.link
# dhcp client configuration
recopy dhcpcd.conf /etc/dhcpcd.conf
# hosts file
# recopy ./etc-hosts /etc/hblock/header
# recopy ./etc-hosts /etc/hosts
# hblock # temporary disable hblock because Val loves ads

78
makefile Normal file
View file

@ -0,0 +1,78 @@
# TODO: some kind of automatic (without confirmation) rollback setup?
.PHONY: default
default: copy-configuration-files restart-services
.PHONY: setup
setup: system-dependencies /root/router.wg-pub enable-and-start-services mkinitcpio
.PHONY: mkinitcpio
mkinitcpio:
mkinitcpio -p linux
.PHONY: system-dependencies
system-dependencies:
pacman -Sy --needed archlinux-keyring # get latest keys
pacman -Syu # update everything
pacman -S --needed dnsmasq nftables fail2ban radvd git dhcpcd wireguard-tools # install anything needed
.PHONY: restart-services
restart-services:
systemctl restart nftables
systemctl restart systemd-sysctl
systemctl restart systemd-networkd
systemctl restart dnsmasq
systemctl restart systemd-resolved
systemctl restart dhcpcd@lan0
systemctl restart dhcpcd@wan0
.PHONY: enable-and-start-services
enable-and-start-services:
systemctl enable --now nftables
systemctl enable --now systemd-sysctl
systemctl enable --now systemd-networkd
systemctl enable --now dnsmasq
systemctl enable --now systemd-resolved
systemctl enable --now dhcpcd@lan0
systemctl enable --now dhcpcd@wan0
.PHONY: copy-configuration-files
copy-configuration-files: /etc/dnsmasq.conf /etc/systemd/resolved.conf /etc/sysctl.d/10-router-configs.conf /etc/systemd/network/10-lan0.link /etc/systemd/network/10-wan0.link /etc/dhcpcd.conf /etc/hosts
/root/router.wg-key:
umask 0077 && wg genkey > $@
/root/router.wg-pub: /root/router.wg-key
umask 0077 && cat $^ wg genkey > $@
/etc/dnsmasq.conf: dnsmasq.conf
rm -f $@
cp $^ $@
/etc/systemd/resolved.conf: resolved.conf
rm -f $@
cp $^ $@
/etc/sysctl.d/10-router-configs.conf: sysctl-configs
rm -f $@
cp $^ $@
/etc/systemd/network/10-lan0.link: lan0.link
rm -f $@
cp $^ $@
/etc/systemd/network/10-wan0.link: wan0.link
rm -f $@
cp $^ $@
/etc/dhcpcd.conf: dhcpcd.conf
rm -f $@
cp $^ $@
/etc/hosts: ./etc-hosts
rm -f $@
cp $^ $@
/etc/nftables.conf: nftables.conf
rm -f $@
cp $^ $@

View file

@ -13,8 +13,8 @@ table inet filter {
ip protocol icmp accept
meta l4proto ipv6-icmp accept
# do these need ipv6-specific entries, too?
tcp dport { 51821, 51820, 22, 53, 67, 2201, 2221, 8448, 8008, 25565, 34197 } accept
udp dport { 51821, 51820, 22, 53, 67, 2201, 2221, 25565, 34197 } accept
tcp dport { 64022, 10578, 51821, 51820, 22, 53, 67, 2201, 2221, 8448, 8008, 25565, 34197 } accept
udp dport { 64020, 10578, 51821, 51820, 22, 53, 67, 2201, 2221, 25565, 34197 } accept
udp dport { 60000-60009 } accept
udp dport dhcpv6-client accept
drop
@ -48,18 +48,26 @@ table ip nat {
fib daddr type local dnat ip addr . port to meta l4proto . th dport map @map_port_ipport
# chromebox
iifname $WAN tcp dport { 443, 80, 22, 8008, 8448 } dnat to 10.0.0.5
iifname $WAN tcp dport { 443, 80, 22, 8008, 8448, 7777 } dnat to 10.0.0.5
iifname $WAN udp dport { 7777 } dnat to 10.0.0.5
iifname $WAN udp dport 60010-60019 dnat to 10.0.0.5
# dragon
# old dragon?
# iifname $WAN tcp dport { 2221, 5588, 5589 } dnat to 10.0.0.10
# iifname $WAN udp dport 60020-60029 dnat to 10.0.0.10
iifname $WAN tcp dport { 10578, 5588, 5589 } dnat to 10.0.0.11
iifname $WAN udp dport { 10578 } dnat to 10.0.0.11
# dragon reinstall?
iifname $WAN tcp dport { 2221, 5588, 5589 } dnat to 10.0.0.10
iifname $WAN udp dport { 2221, 5588, 5589 } dnat to 10.0.0.10
iifname $WAN udp dport 60020-60029 dnat to 10.0.0.10
iifname $WAN udp dport 9876-9877 dnat to 10.0.0.10
# iifname $WAN udp dport 9876-9877 dnat to 10.0.0.10 # valheim
# beefcake (ben access)
iifname $WAN tcp dport { 64022 } dnat to 10.0.0.9
iifname $WAN udp dport { 64020 } dnat to 10.0.0.9
# mnemonic
iifname $WAN tcp dport { 8022 } dnat to 10.0.0.248
@ -67,6 +75,10 @@ table ip nat {
# ourcraft
iifname $WAN tcp dport { 2456, 2457, 25565, 34197 } dnat to 10.0.0.100
iifname $WAN udp dport { 2456, 2457, 25565, 34197 } dnat to 10.0.0.100
# router
iifname $WAN tcp dport { 2201 } dnat to 10.0.0.1
iifname $WAN udp dport { 2201 } dnat to 10.0.0.1
}
chain output {

View file

@ -1,26 +1,20 @@
# Router
Yeah yeah I need to document this better.
My little dual-NIC Arch Linux router configuration and scripts.
# Setup
With a fresh Arch Linux system:
```bash
make setup
reboot
```
- Install needed packages via `./install.sh`
- Run `./link.fish` script
- Enable and restart the following services:
- `nftables`
- `systemd-sysctl`
- `systemd-resolved`
- `systemd-networkd`
- `dnsmasq`
- `dhcpcd@lan0`
- `dhcpcd@wan0`
- Run `mkinitcpio -p linux`
- Add any needed hosts to `/etc/hosts`
- May be use dnsmasq's `addn-hosts` directive and copy a file from this repo
- Reboot
# Update System to Match This Configuration
```bash
make
```
# TODO:
- Script this whole thing? NixOS/declarative?
- `link.fish` could just write to these files instead of copying them?
- NixOS/declarative?

View file

@ -1,4 +1,3 @@
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
net.ipv6.conf.wan0.accept_ra=2