{
pkgs,
secret,
config,
lib,
...
}: let
inherit (lib) mapAttrs const mkForce singleton;

# Interface names referenced by the firewall, DHCP and WireGuard sections.
wlan = "wlp10s0";
lan = "eno1";
wan = "eno3";
doVPN = "do_vpn0";

# Nomad's dynamic (Consul Connect sidecar) port range, stringified so it can
# be interpolated straight into nft `dport` ranges.
nomad = let
  client = config.services.hashicorp.nomad.settings.client;
in
  mapAttrs (const toString) {
    inherit (client) min_dynamic_port max_dynamic_port;
  };
in {
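boot.kernel.sysctl = {
  # This host routes IPv4 between lan/wlan/doVPN/containers and wan.  IPv6 is
  # not routed at all (the ip6 nf_filter table below drops everything except
  # ICMPv6 on loopback), so forwarding stays off there.
  "net.ipv4.conf.all.forwarding" = 1;
  "net.ipv6.conf.all.forwarding" = 0;

  # source: https://github.com/mdlayher/homelab/blob/master/nixos/routnerr-2/configuration.nix#L52
  # Do not auto-configure IPv6 addresses from router advertisements.
  # `all.*` covers interfaces that exist when the sysctl is applied; `default.*`
  # is what newly created interfaces (veth, wg, bridges) inherit, so set both.
  "net.ipv6.conf.all.accept_ra" = 0;
  "net.ipv6.conf.all.autoconf" = 0;
  "net.ipv6.conf.all.use_tempaddr" = 0;
  "net.ipv6.conf.default.accept_ra" = 0;
  "net.ipv6.conf.default.autoconf" = 0;
  "net.ipv6.conf.default.use_tempaddr" = 0;

  # Router hardening: a forwarding host must neither honour ICMP redirects
  # (a LAN or container peer could otherwise rewrite its next hops) nor emit
  # them, and source-routed packets have no legitimate use on this network.
  "net.ipv4.conf.all.accept_redirects" = 0;
  "net.ipv4.conf.default.accept_redirects" = 0;
  "net.ipv4.conf.all.send_redirects" = 0;
  "net.ipv4.conf.default.send_redirects" = 0;
  "net.ipv4.conf.all.accept_source_route" = 0;
  "net.ipv4.conf.default.accept_source_route" = 0;
  "net.ipv6.conf.all.accept_redirects" = 0;
  "net.ipv6.conf.default.accept_redirects" = 0;
  "net.ipv6.conf.all.accept_source_route" = 0;
  "net.ipv6.conf.default.accept_source_route" = 0;

  # On WAN, allow IPv6 autoconfiguration and temporary address use.
  # "net.ipv6.conf.${wan}.accept_ra" = 2;
  # "net.ipv6.conf.${wan}.autoconf" = 1;
};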
services.dnscrypt-proxy2 = {
  enable = true;
  # Start from the upstream example configuration and override selectively.
  upstreamDefaults = true;
  settings = {
    # Loopback only.  The host's own nameserver entry points at its LAN
    # address (see networking.nameservers), not at this port, and the
    # nftables input chain additionally drops TCP 5353 from any non-lo
    # interface.
    listen_addresses = singleton "127.0.0.1:5353";

    # Transport filter: DoH resolvers only.
    # NOTE(review): "meganerd" below is a DNSCrypt stamp (AQcA...); whether a
    # static entry of that type is still used with dnscrypt_servers = false
    # is not evident from this config -- check the dnscrypt-proxy log.
    dnscrypt_servers = false;
    doh_servers = true;
    odoh_servers = false;

    block_ipv6 = false;

    # Hand-picked resolvers instead of the public-resolvers list.
    static = {
      mullvad.stamp = "sdns://AgcAAAAAAAAAAAAPZG9oLm11bGx2YWQubmV0Ci9kbnMtcXVlcnk";
      meganerd.stamp = "sdns://AQcAAAAAAAAADjEzNi4yNDQuOTcuMTE0ICif6V9M6EF_9Xo_MHwkDN4ZJjERopSJN8hBuUWg9YeMJTIuZG5zY3J5cHQtY2VydC5jaGV3YmFjY2EubWVnYW5lcmQubmw";
    };
    sources = {};

    max_clients = 1024;
    cache_size = 32768;
  };
};
systemd.services.dnscrypt-proxy2 = {
  # Ordering only (no dependency): bring the local resolver up before units
  # that wait for network-online.target start resolving names.
  before = singleton "network-online.target";
};
services.kea.dhcp4 = {
  enable = true;
  settings = let
    base = {
      # Only serve leases on the LAN side, never on wan or the VPN.
      interfaces-config.interfaces = [lan];
      lease-database = {
        type = "memfile";
        name = "/var/lib/kea/dhcp4.leases";
        persist = true;
      };
      renew-timer = 1000;
      rebind-timer = 2000;
    };
    # Subnet/pool definitions live in the secrets attrset as a function of
    # the interface names; without secrets nothing is merged in.
    zones = secret.dhcp.blowhole.zones or (const {});
  in
    base // zones {inherit wlan lan;};
};
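networking = let
  # WireGuard listen port, shared by the interface definition and the WAN
  # accept rule in the ruleset so the two cannot drift apart.
  wgPort = 6666;
in {
  useDHCP = false;
  hostName = "blowhole";

  resolvconf.useLocalResolver = false;
  # The host resolves through its own LAN address (a resolver on port 53 is
  # expected there); dnscrypt-proxy on 127.0.0.1:5353 is not what is queried.
  # NOTE(review): `or ""` keeps the config evaluable without the secrets
  # attrset, but on a real deployment a missing secret silently yields an
  # empty nameserver / empty interface address instead of a build failure.
  nameservers = singleton (secret.network.ips.blowhole.ip or "");

  # The iptables-based NixOS firewall is replaced by the nftables ruleset below.
  firewall.enable = mkForce false;

  interfaces = {
    # LAN side: static address, no DHCP client.
    "${lan}" = {
      useDHCP = false;
      ipv4.addresses = singleton {
        address = secret.network.ips.blowhole.ip or "";
        prefixLength = 24;
      };
    };
    # "${wlan}" = {
    #   useDHCP = false;
    #   ipv4.addresses = [{
    #     address = secret.network.ips.blowhole.wlan or "";
    #     prefixLength = 24;
    #   }];
    # };
    # WAN side: the address comes from the upstream DHCP server.
    "${wan}".useDHCP = true;
  };

  wireguard = {
    enable = true;
    # Peers and addresses come from the secrets attrset (keyed by host name);
    # the listen port and private key location are fixed here and take
    # precedence.
    interfaces."${doVPN}" =
      (secret.wireguard."${config.networking.hostName}" or {})
      // {
        listenPort = wgPort;
        privateKeyFile = "/var/secrets/${doVPN}.key";
      };
  };

  nftables = {
    enable = true;
    ruleset = ''
      table ip nf_filter {
        # Baseline for untrusted and semi-trusted interfaces: return traffic
        # and a few ICMP types only; anything else returns to the caller.
        chain input_out {
          ct state { established, related } accept comment "Allow established traffic"
          icmp type { echo-request, destination-unreachable, time-exceeded } counter accept comment "Allow select ICMP"
        }

        # Services reachable from WireGuard peers.
        chain input_doVPN {
          tcp dport { 4646, 4647, 4648 } accept comment "Nomad traffic"
          tcp dport { 8600, 8500, 8502, 8300, 8301, 8302 } accept comment "Consul traffic"
          tcp dport { 8200 } accept comment "Vault traffic"
          tcp dport { 111, 2049, 4000, 4001, 4002, 20048 } accept comment "NFS traffic"
          tcp dport ${nomad.min_dynamic_port}-${nomad.max_dynamic_port} accept comment "Consul Connect sidecar traffic"
          tcp dport { 53 } accept comment "DNS traffic"
          tcp dport { 80 } accept comment "HTTP traffic"

          # This rule previously carried no verdict, so Consul's UDP gossip
          # from peers fell through to the input policy and was dropped while
          # the TCP side was accepted.
          udp dport { 8600, 8301, 8302 } accept comment "Consul traffic"
          udp dport { 111, 2049, 4000, 4001, 4002, 20048 } accept comment "NFS traffic"
          udp dport ${nomad.min_dynamic_port}-${nomad.max_dynamic_port} accept comment "Consul Connect sidecar traffic"
          udp dport { 53 } accept comment "DNS traffic"
        }

        chain input {
          type filter hook input priority 0; policy drop;

          # NOTE(review): this admits SSH from every non-WAN interface, which
          # includes the container/VM bridges and group-99 interfaces listed
          # below.  If containers do not need host SSH, narrow it to
          # iifname { "${lan}", "${wlan}", "${doVPN}", "lo" }.
          iifname != "${wan}" tcp dport 22 accept comment "Accept SSH traffic always"
          # dnscrypt-proxy binds 127.0.0.1 only, so this is defence in depth;
          # note it covers TCP only.
          iifname != "lo" tcp dport 5353 drop comment "Drop traffic to dnscrypt-proxy always except for localhost to localhost traffic"

          # Accept WireGuard (port mirrors networking.wireguard listenPort)
          iifname "${wan}" udp dport ${toString wgPort} accept;

          # Accept file-share
          # NOTE(review): whatever listens on 5666 is reachable from the
          # Internet; make sure it authenticates, or move it behind the VPN.
          iifname "${wan}" tcp dport 5666 accept;

          # Accept minecraft
          iifname "${wan}" tcp dport 25560 accept;

          # Interfaces in group 99 (Kubernetes/CNI side).
          # iifname "cni0" accept;
          iifgroup { 99 } tcp dport { 6443, 10250, 4244 } accept
          # NOTE(review): in the input hook no output interface is set, so
          # oifgroup/oifname never match here; this rule and the
          # iifname/oifname "Nomad" rule further down are dead.  They are left
          # unchanged because making them effective would widen host access.
          iifgroup { 99 } oifgroup { 99 } accept
          iifgroup { 99 } ip saddr 10.64.48.0/21 ip daddr 10.64.48.0/21 accept
          # RFC 1918 exclusions.  The 172 block used to read 172.0.0.0/12,
          # which is public space and does not cover 172.16.0.0/12.
          iifgroup { 99 } ip saddr 10.64.48.0/21 ip daddr != 10.0.0.0/8 ip daddr != 192.168.0.0/16 ip daddr != 172.16.0.0/12 accept

          iifname { "nomad", "ve-monitor", "ve-klipper" } oifname { "nomad", "ve-monitor", "ve-klipper" } accept comment "Allow Nomad to do whatever it wants in its interface"
          iifname { "${wlan}", "${lan}", "lo" } accept comment "Allow local network to access the router"
          iifname { "${wan}", "${doVPN}", "nomad", "docker0", "ve-monitor", "ve-klipper", "ve-k3s-psql", "mvm0" } jump input_out
          iifgroup 99 jump input_out
          # iifname { "${doVPN}", "${lan}" } tcp dport { 6443 } accept
          iifname { "${doVPN}" } jump input_doVPN

          # Allow containers to reach the DNS server
          iifname { "nomad", "docker0", "ve-monitor", "ve-klipper" } tcp dport 53 accept
          iifgroup { 99 } tcp dport 53 accept
          iifname { "nomad", "docker0", "ve-monitor", "ve-klipper" } udp dport 53 accept
          iifgroup { 99 } udp dport 53 accept

          # Allow Nomad Containers to reach Nomad
          iifname { "nomad" } tcp dport 4646 accept

          # Allow proxies to reach consul
          iifname { "nomad", "ve-monitor", "ve-klipper" } tcp dport 8500 accept
          iifname { "ve-monitor", "ve-klipper" } tcp dport 8502 accept

          # Allow containers to reach the NFS server
          iifname { "docker0" } tcp dport { 111, 2049, 4000, 4001, 4002, 20048 } accept comment "NFS traffic"
          iifname { "docker0" } udp dport { 111, 2049, 4000, 4001, 4002, 20048 } accept comment "NFS traffic"
        }

        chain output {
          type filter hook output priority 0; policy accept;

          # Drop all DNS traffic if leaving through "wan"
          # oifname { "${wan}" } tcp dport 53 drop
          # oifname { "${wan}" } udp dport 53 drop
          # Allow DoT traffic to leave through "wan" if it comes from "lo"
          # iifname != { "lo" } oifname { "${wan}" } tcp dport 853 drop
        }

        chain forward {
          # Priority 10 deliberately runs after the iptables filter hook
          # (priority 0) so the mark set there is visible to the last rule.
          type filter hook forward priority 10; policy drop;

          # Enable flow offloading for better throughput
          # ip protocol { tcp, udp } flow offload @f

          # Debug tracing for one host; harmless without an `nft monitor
          # trace` listener, but remove once the investigation is over.
          ip daddr 10.64.52.130 nftrace set 1
          ip saddr 10.64.52.130 nftrace set 1

          # Drop all DNS or DoT traffic if forwarded through "wan"
          oifname { "${wan}" } tcp dport 853 drop
          oifname { "${wan}" } tcp dport 53 drop
          oifname { "${wan}" } udp dport 53 drop

          # Allow trusted LAN to WAN
          iifname { "${lan}", "${wlan}" } oifname { "${wan}" } accept
          iifname { "${wan}" } oifname { "${lan}", "${wlan}" } ct state established, related accept

          # Return traffic for flows LAN/VPN opened towards group-99 interfaces.
          iifgroup { 99 } oifname { "${doVPN}", "${lan}", "${wlan}" } ct state established, related accept

          # Nomad containers and VPN peers have full access to the LAN in both
          # directions.
          iifname { "nomad" } oifname { "${doVPN}", "${lan}", "${wlan}" } accept
          iifname { "${doVPN}", "${lan}", "${wlan}" } oifname { "nomad" } accept
          iifname { "${doVPN}" } oifname { "${lan}", "${wlan}" } accept
          iifname { "${lan}", "${wlan}" } oifname { "${doVPN}" } accept

          # Allow containers to reach WAN
          iifname { "nomad", "docker0", "ve-monitor", "ve-klipper", "cni0" } oifname { "${wan}" } accept
          iifgroup { 99 } oifname { "${wan}" } accept
          iifname { "${wan}" } oifname { "nomad", "docker0", "ve-monitor", "ve-klipper", "cni0" } ct state established, related accept
          iifname { "${wan}" } oifgroup { 99 } ct state established, related accept

          # Allow containers to reach the DNS and NFS server
          # NOTE(review): the `ip saddr 10.64.2.1 ... sport` variants match
          # the wrong direction (a packet *entering* from a container
          # interface with the server's address as its source), so the reply
          # path is not what they cover.  If 10.64.2.1 is this host's own LAN
          # address, as the NAT notes below suggest, none of these forward
          # rules match at all: traffic to a local address takes the input
          # hook instead.
          iifname { "nomad", "docker0", "ve-monitor", "ve-klipper" } oifname { "${lan}" } ip daddr 10.64.2.1 tcp dport { 53 } accept
          iifname { "nomad", "docker0", "ve-monitor", "ve-klipper" } oifname { "${lan}" } ip saddr 10.64.2.1 tcp sport { 53 } accept
          iifname { "nomad", "docker0", "ve-monitor", "ve-klipper" } oifname { "${lan}" } ip daddr 10.64.2.1 tcp dport { 111, 2049, 4000, 4001, 4002, 20048 } accept
          iifname { "nomad", "docker0", "ve-monitor", "ve-klipper" } oifname { "${lan}" } ip saddr 10.64.2.1 tcp sport { 111, 2049, 4000, 4001, 4002, 20048 } accept
          iifname { "nomad", "docker0", "ve-monitor", "ve-klipper" } oifname { "${lan}" } ip daddr 10.64.2.1 udp dport { 53 } accept
          iifname { "nomad", "docker0", "ve-monitor", "ve-klipper" } oifname { "${lan}" } ip saddr 10.64.2.1 udp sport { 53 } accept
          iifname { "nomad", "docker0", "ve-monitor", "ve-klipper" } oifname { "${lan}" } ip daddr 10.64.2.1 udp dport { 111, 2049, 4000, 4001, 4002, 20048 } accept
          iifname { "nomad", "docker0", "ve-monitor", "ve-klipper" } oifname { "${lan}" } ip saddr 10.64.2.1 udp sport { 111, 2049, 4000, 4001, 4002, 20048 } accept

          # allow communication between all container interfaces
          iifname { "nomad", "ve-monitor", "ve-klipper" } oifname { "nomad", "ve-monitor", "ve-klipper" } accept
          iifgroup { 99 } oifgroup { 99 } accept
          iifname { "${lan}" } oifgroup { 99 } accept

          # allow portforwarding to lan?
          iifname { "${lan}", "${wan}" } oifname { "${lan}" } ip daddr 10.64.2.142 udp dport 2302-2306 accept

          # Rules to make CNI happy.  The nftables service wraps the iptables
          # FORWARD chain with MARK 0x01 as its first rule and MARK 0x00 as
          # its last, so a packet that an iptables rule ACCEPTs in between
          # still carries bit 0x01 when it arrives here and is let through.
          # NOTE(review): that applies to any ACCEPT in that chain, not only
          # CNI's -- presumably docker's FORWARD accepts as well, which would
          # bypass everything above for docker0 traffic; verify with
          # `iptables -L FORWARD`.
          meta mark and 0x01 == 0x01 accept
        }
      }

      table ip nf_nat {
        # TCP: 2344-2345, 27015, 27036
        # UDP: 2302-2306, 2344, 27015, 27031-27036

        # blowhole
        # sudo nft add rule nf_filter input iifname { "eno3" } udp dport 2302-2306 accept
        # sudo nft add rule nf_nat prerouting ip daddr { 10.64.2.1, 192.168.2.20 } udp dport 2302-2306 dnat 10.64.2.145
        # sudo nft add rule nf_nat postrouting udp dport 2302-2306 ip daddr { 10.64.2.1, 192.168.2.20 } masquerade

        # omen
        # sudo nft add rule inet filter input-eth0 udp dport 2302-2306 accept

        chain postrouting {
          type nat hook postrouting priority 100; policy accept;
          # Everything leaving via WAN is SNATed to the WAN address.
          oifname "${wan}" masquerade
        }

        # Empty on purpose; port forwards were only ever added by hand (see
        # the notes above).
        chain prerouting {
          type nat hook prerouting priority 100; policy accept;
        }
      }

      # IPv6 is effectively switched off: only ICMPv6 on loopback passes in
      # either direction, ::1 <-> ::1 is rejected (so services bound to ::1
      # fail fast instead of hanging), and nothing is forwarded.
      table ip6 nf_filter {
        chain output {
          type filter hook output priority 0; policy drop;

          # meta nftrace set 1

          oifname "lo" icmpv6 type { echo-request, destination-unreachable, time-exceeded } counter accept comment "Allow select ICMP"
          oifname "lo" ip6 saddr "::1" ip6 daddr "::1" reject
        }
        chain input {
          type filter hook input priority 0; policy drop;

          # meta nftrace set 1

          iifname "lo" icmpv6 type { echo-request, destination-unreachable, time-exceeded } counter accept comment "Allow select ICMP"
        }
        chain forward {
          type filter hook forward priority 0; policy drop;
        }
      }
    '';
  };
};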
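systemd.services.nftables = {
  path = with pkgs; [nftables iptables bash];

  serviceConfig = let
    # The ruleset is loaded with `flush ruleset` as its first statement, so
    # the flush and the new rules are committed in ONE nft transaction and
    # the old policy stays in force until the new one is live.  The previous
    # script ran `nft flush ruleset` as a separate step and loaded the rules
    # afterwards, which left the host with no input policy (everything
    # accepted) between the two commands on every start and reload.
    rulesFile = pkgs.writeText "nftables-rules" ''
      flush ruleset
      ${config.networking.nftables.ruleset}
    '';

    # `nft flush ruleset` also destroys the iptables-nft tables that docker,
    # CNI and Nomad populate at run time (pkgs.iptables is the nft-backed
    # build, so both share one kernel ruleset).  Snapshot them first and put
    # them back afterwards.
    saveIptables = ''
      set -eux

      tmpfile="$(mktemp)"
      trap 'rm -f "$tmpfile"' EXIT
      iptables-save -t filter >> "$tmpfile"
      iptables-save -t nat >> "$tmpfile"
    '';

    # Restore the snapshot and re-wrap the iptables FORWARD chain with
    # MARK 0x01 (first rule) / MARK 0x00 (last rule).  A packet that an
    # iptables rule ACCEPTs in between keeps bit 0x01, which the nf_filter
    # forward chain (priority 10, i.e. after iptables' priority 0) accepts
    # via `meta mark and 0x01 == 0x01`.  Deleting any previous copies first
    # keeps the wrapper idempotent across reloads.
    restoreIptables = ''
      iptables-restore < "$tmpfile"

      iptables -D FORWARD -j MARK --set-mark 0x01 || true
      iptables -D FORWARD -j MARK --set-mark 0x00 || true
      iptables -I FORWARD -j MARK --set-mark 0x01
      iptables -A FORWARD -j MARK --set-mark 0x00
    '';

    # start / reload: atomic flush + load, then bring iptables state back.
    rulesScript = pkgs.writeShellScript "nftables-rules" ''
      ${saveIptables}
      nft -f ${rulesFile}
      ${restoreIptables}
    '';

    # stop: remove the nf_* tables but keep the iptables state (and the mark
    # wrapper) so containers keep working with the filter gone.
    flushScript = pkgs.writeShellScript "nftables-flush" ''
      ${saveIptables}
      nft flush ruleset
      ${restoreIptables}
    '';
  in {
    ExecStart = mkForce rulesScript;
    ExecReload = mkForce rulesScript;
    ExecStop = mkForce flushScript;
  };
};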
}
|