From 5cf3b3a69c0f4ac1ff107cff6de27797e8dc669d Mon Sep 17 00:00:00 2001
From: Patrick
Date: Thu, 19 Dec 2024 20:25:01 +0100
Subject: [PATCH] feat: finish firewall network config feat: kea configuration
---
 hosts/nucnix/guests.nix | 18 +--
 hosts/nucnix/hostapd.nix | 63 +++++------
 hosts/nucnix/kea.nix | 84 ++++++++++++++
 hosts/nucnix/net.nix | 231 ++++++++++++++++++++++++---------------
 4 files changed, 259 insertions(+), 137 deletions(-)
 create mode 100644 hosts/nucnix/kea.nix
diff --git a/hosts/nucnix/guests.nix b/hosts/nucnix/guests.nix
index 1e7c971..04e25f4 100644
--- a/hosts/nucnix/guests.nix
+++ b/hosts/nucnix/guests.nix
@@ -11,9 +11,8 @@ let
 domainOf =
 hostName:
 let
- domains =
- {
- };
+ domains = {
+ };
 in
 "${domains.${hostName}}.${config.secrets.secrets.global.domains.web}";
 # TODO hard coded elisabeth nicht so schön
@@ -134,18 +133,7 @@ in
 config.guests.${guestName}.networking.mainLinkName
 ];
 systemd.network.networks."10-${config.guests.${guestName}.networking.mainLinkName}" = {
- DHCP = lib.mkForce "no";
- address = [
- (lib.net.cidr.hostCidr
- config.secrets.secrets.global.net.ips."${config.guests.${guestName}.nodeName}"
- config.secrets.secrets.global.net.privateSubnetv4
- )
- (lib.net.cidr.hostCidr
- config.secrets.secrets.global.net.ips."${config.guests.${guestName}.nodeName}"
- config.secrets.secrets.global.net.privateSubnetv6
- )
- ];
- gateway = [ (lib.net.cidr.host 1 config.secrets.secrets.global.net.privateSubnetv4) ];
+ DHCP = "yes";
 };
 }
 ];
diff --git a/hosts/nucnix/hostapd.nix b/hosts/nucnix/hostapd.nix
index ba6a575..7b4ef67 100644
--- a/hosts/nucnix/hostapd.nix
+++ b/hosts/nucnix/hostapd.nix
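Review bot: The guest's main link is switched to `DHCP = "yes";` in the second hunk while the per-guest Kea reservations in hosts/nucnix/kea.nix are still commented out under `#FIXME`, so each guest will now take a pool address instead of the fixed per-node address the removed static block assigned from `config.secrets.secrets.global.net.ips`; anything that relies on guests keeping a stable address will be affected until the reservations land, so either keep the static addressing until then or add the reservations in the same change. `DHCP = "yes"` also takes the lease's DNS servers by default, whereas the removed host network in hosts/nucnix/net.nix deliberately set `dhcpV4Config.UseDNS = false`; if the resolver is meant to stay under host control, add `dhcpV4Config.UseDNS = false;` next to the new line. The enclosing guest definition starts and ends outside this hunk.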
@@ -1,35 +1,4 @@
 { config, ... }:
-let
- cfg = name: {
- countryCode = "DE";
- # wifi4.capabilities = [
- # "LDPC"
- # "HT40+"
- # "HT40-"
- # "GF"
- # "SHORT-GI-20"
- # "SHORT-GI-40"
- # "TX-STBC"
- # "RX-STBC1"
- # ];
- wifi6.enable = true;
- wifi7.enable = true;
- networks."${name}" = {
- inherit (config.secrets.secrets.global.hostapd) ssid;
- apIsolate = true;
- authentication = {
- saePasswords = [
- {
- password = "lol";
- vlanid = 10;
- }
- ];
- enableRecommendedPairwiseCiphers = true;
- };
- bssid = "02:c0:ca:b1:4f:9f";
- };
- };
-in
 {
@@ -39,9 +8,33 @@ in
 enable = true;
 radios.wlan1 = {
 band = "2g";
- } // cfg "wlan1";
- radios.wlan2 = {
- band = "5g";
- } // cfg "wlan2";
+ countryCode = "DE";
+ # wifi4.capabilities = [
+ # "LDPC"
+ # "HT40+"
+ # "HT40-"
+ # "GF"
+ # "SHORT-GI-20"
+ # "SHORT-GI-40"
+ # "TX-STBC"
+ # "RX-STBC1"
+ # ];
+ wifi6.enable = true;
+ wifi7.enable = true;
+ networks.wlan1 = {
+ inherit (config.secrets.secrets.global.hostapd) ssid;
+ apIsolate = true;
+ authentication = {
+ saePasswords = [
+ {
+ password = "lol";
+ vlanid = 10;
+ }
+ ];
+ enableRecommendedPairwiseCiphers = true;
+ };
+ bssid = "02:c0:ca:b1:4f:9f";
+ };
+ };
 };
 }
diff --git a/hosts/nucnix/kea.nix b/hosts/nucnix/kea.nix
new file mode 100644
index 0000000..03938e7
--- /dev/null
+++ b/hosts/nucnix/kea.nix
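Review bot: The SAE passphrase is still the plain literal `password = "lol";` inside the new `networks.wlan1` block, right next to an SSID that is pulled from `config.secrets.secrets.global.hostapd`; a WPA3 passphrase committed in clear text in the host configuration, and a trivially guessable one at that, undermines everything the VLAN tagging (`vlanid = 10`) behind it is meant to separate. Move it into the same secrets set the SSID comes from, e.g. `password = config.secrets.secrets.global.hostapd.<SAE_PASSWORD_ATTR>;` (attribute name to be chosen), or use the file-based variant of the option if the hostapd module offers one, so the value never lands in the Nix store or the repository. The hunk also drops `radios.wlan2` (the 5 GHz radio) with no replacement; if that is intentional, a one-line comment saying so would save the next reader a search.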
@@ -0,0 +1,84 @@
+{
+ lib,
+ utils,
+ ...
+}:
+let
+ inherit (lib)
+ net
+ flip
+ mapAttrsToList
+ ;
+ vlans = {
+ home = 10;
+ services = 20;
+ devices = 30;
+ iot = 40;
+ guests = 50;
+ };
+in
+{
+ environment.persistence."/persist".directories = [
+ {
+ directory = "/var/lib/private/kea";
+ mode = "0700";
+ }
+ ];
+
+ services.kea.dhcp4 = {
+ enable = true;
+ settings = {
+ lease-database = {
+ name = "/var/lib/kea/dhcp4.leases";
+ persist = true;
+ type = "memfile";
+ };
+ valid-lifetime = 86400;
+ renew-timer = 3600;
+ interfaces-config = {
+ interfaces = flip mapAttrsToList vlans (x: _: "lan-${x}");
+ };
+ subnet4 = flip mapAttrsToList vlans (
+ name: id: rec {
+ inherit id;
+ interface = "lan-${name}";
+ subnet = "10.99.${toString id}.0/24";
+ pools = [
+ {
+ pool = "${net.cidr.host 50 subnet} - ${net.cidr.host (-6) subnet}";
+ }
+ ];
+ option-data = [
+ {
+ name = "routers";
+ data = "${net.cidr.host 1 subnet}";
+ }
+ {
+ name = "domain-name-servers";
+ data = "${net.cidr.host 10 subnet}";
+ }
+ ];
+ reservations = [
+ #FIXME
+ # {
+ # hw-address = nodes.ward-adguardhome.config.lib.microvm.mac;
+ # ip-address = globals.net.home-lan.hosts.ward-adguardhome.ipv4;
+ # }
+ # {
+ # hw-address = nodes.ward-web-proxy.config.lib.microvm.mac;
+ # ip-address = globals.net.home-lan.hosts.ward-web-proxy.ipv4;
+ # }
+ # {
+ # hw-address = nodes.sire-samba.config.lib.microvm.mac;
+ # ip-address = globals.net.home-lan.hosts.sire-samba.ipv4;
+ # }
+ ];
+ }
+ );
+ };
+ };
+
+ systemd.services.kea-dhcp4-server.after = [
+ "sys-subsystem-net-devices-${utils.escapeSystemdPath "lan-self"}.device"
+ ];
+}
diff --git a/hosts/nucnix/net.nix b/hosts/nucnix/net.nix
index 625c1f8..4e95aef 100644
--- a/hosts/nucnix/net.nix
+++ b/hosts/nucnix/net.nix
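Review bot: `systemd.services.kea-dhcp4-server.after` orders the service after the device unit for `lan-self`, but no interface of that name is defined anywhere in this patch; the interfaces Kea actually binds are `lan-${name}` for each entry of `vlans` (see `interfaces-config.interfaces` above), so the ordering is on a unit that never appears and Kea may come up before its macvlans exist. Derive the list from the same attrset instead: `systemd.services.kea-dhcp4-server.after = flip mapAttrsToList vlans (name: _: "sys-subsystem-net-devices-${utils.escapeSystemdPath "lan-${name}"}.device");`. Separately, the `vlans` attrset and the `10.99.${toString id}.0/24` addressing scheme are repeated verbatim in hosts/nucnix/net.nix; if either copy drifts, DHCP hands out leases on a subnet the router interface is not addressed on, so hoisting both into one shared definition removes that failure mode. The `#FIXME` reservations reference `nodes` and `globals`, neither of which is in this file's argument set, so they will need those bindings before they can be uncommented.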
@@ -1,28 +1,108 @@
 { config, lib, ... }:
+let
+ vlans = {
+ home = 10;
+ services = 20;
+ devices = 30;
+ iot = 40;
+ guests = 50;
+ };
+ inherit (lib) flip mapAttrsToList;
+in
 {
- imports = [ ./hostapd.nix ];
+ imports =
+ [
+ ./hostapd.nix
+ ./kea.nix
+ ]
+ ++ (flip mapAttrsToList vlans (
+ name: id: {
+ networking.nftables.firewall.zones.${name}.interfaces = [ "lan-${name}" ];
+
+ systemd.network = {
+ netdevs = {
+ "40-vlan-${name}" = {
+ netdevConfig = {
+ Name = "vlan-${name}";
+ Kind = "vlan";
+ };
+ vlanConfig.Id = id;
+ };
+ "50-mlan-${name}" = {
+ netdevConfig = {
+ Name = "lan-${name}";
+ Kind = "macvlan";
+ };
+ extraConfig = ''
+ [MACVLAN]
+ Mode=bridge
+ '';
+ };
+ };
+ networks = {
+ "10-vlan-${name}" = {
+ matchConfig.Name = "vlan-${name}";
+ # This interface should only be used from attached macvtaps.
+ # So don't acquire a link local address and only wait for
+ # this interface to gain a carrier.
+ networkConfig.LinkLocalAddressing = "no";
+ linkConfig.RequiredForOnline = "carrier";
+ extraConfig = ''
+ [Network]
+ MACVLAN=lan-${name}
+ '';
+ };
+ "20-lan-${name}" = {
+ address = [
+ (lib.net.cidr.hostCidr 1 "10.99.${toString id}.0/24")
+ ];
+ matchConfig.Name = "lan-${name}";
+ networkConfig = {
+ MulticastDNS = true;
+ IPv6PrivacyExtensions = "yes";
+ IPv4Forwarding = "yes";
+ IPv6SendRA = true;
+ IPv6AcceptRA = false;
+ DHCPPrefixDelegation = true;
+ };
+ ipv6Prefixes = [
+ { Prefix = "fd${toString id}::/64"; }
+ ];
+ };
+ };
+ };
+ }
+ ));
+ networking.nftables.firewall = {
+ snippets.nnf-ssh.enable = lib.mkForce false;
+ rules = {
+ ssh = {
+ from = [
+ "fritz"
+ "home"
+ ];
+ to = [ "local" ];
+ allowedTCPPorts = [ 22 ];
+ };
+ internet = {
+ from = [
+ "home"
+ "devices"
+ "guests"
+ "services"
+ ];
+ to = [ "fritz" ];
+ late = true;
+ verdict = "accept";
+ masquerade = true;
+ };
+ };
+ };
+ networking.nftables.firewall.zones.fritz.interfaces = [ "vlan-fritz" ];
 networking = {
 inherit (config.secrets.secrets.local.networking) hostId;
 };
 systemd.network = {
- networks = {
- "10-lan01" = {
- address = [
- (lib.net.cidr.hostCidr config.secrets.secrets.global.net.ips.${config.node.name}
- config.secrets.secrets.global.net.privateSubnetv4
- )
- ];
- gateway = [ (lib.net.cidr.host 1 config.secrets.secrets.global.net.privateSubnetv4) ];
- #matchConfig.MACAddress = config.secrets.secrets.local.networking.interfaces.lan01.mac;
- matchConfig.Name = "lan";
- dhcpV6Config.UseDNS = false;
- dhcpV4Config.UseDNS = false;
- ipv6AcceptRAConfig.UseDNS = false;
- networkConfig = {
- MulticastDNS = true;
- };
- };
- };
 netdevs."40-vlan-fritz" = {
 netdevConfig = {
 Name = "vlan-fritz";
@@ -30,49 +110,22 @@
 };
 vlanConfig.Id = 2;
 };
- netdevs."40-vlan-home" = {
- netdevConfig = {
- Name = "vlan-home";
- Kind = "vlan";
+ networks = {
+ "10-lan-fritz" = {
+ address = [
+ (lib.net.cidr.hostCidr 2 "10.99.2.0/24")
+ ];
+ gateway = [ (lib.net.cidr.host 1 "10.99.2.0/24") ];
+ matchConfig.Name = "vlan-fritz";
+ networkConfig = {
+ IPv6PrivacyExtensions = "yes";
+ };
 };
- vlanConfig.Id = 10;
- };
-
- netdevs."40-vlan-services" = {
- netdevConfig = {
- Name = "vlan-services";
- Kind = "vlan";
- };
- vlanConfig.Id = 20;
- };
-
- netdevs."40-vlan-devices" = {
- netdevConfig = {
- Name = "vlan-devices";
- Kind = "vlan";
- };
- vlanConfig.Id = 30;
- };
-
- netdevs."40-vlan-iot" = {
- netdevConfig = {
- Name = "vlan-iot";
- Kind = "vlan";
- };
- vlanConfig.Id = 40;
- };
-
- netdevs."40-vlan-guests" = {
- netdevConfig = {
- Name = "vlan-guests";
- Kind = "vlan";
-
- };
- vlanConfig.Id = 50;
 };
 networks."40-vlans" = {
 matchConfig.Name = "lan01";
+ networkConfig.LinkLocalAddressing = "no";
 vlan = [
 "vlan-fritz"
 "vlan-home"
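Review bot: The new `ssh` rule in the first hunk admits TCP 22 from the `fritz` zone, i.e. from the upstream `vlan-fritz` side, in addition to `home`, while the stock `nnf-ssh` snippet is force-disabled right above it; opening management SSH toward the uplink zone is a deliberate widening of exposure and should either carry a comment stating why, e.g. `# SSH from the upstream (fritz) side is kept as an out-of-band management path`, or have `"fritz"` removed from `from` if it is not needed. Every `20-lan-${name}` network also sets `DHCPPrefixDelegation = true`, but the uplink network `10-lan-fritz` in the second hunk configures only a static address and gateway and no DHCPv6 client, so as far as this patch shows there is no upstream lease to delegate prefixes from and the option is inert; either enable DHCPv6 on `10-lan-fritz` or drop it to avoid implying IPv6 upstream connectivity that is not configured. `networking.nftables.firewall` is assigned twice in the first hunk (the attrset and then `networking.nftables.firewall.zones.fritz.interfaces`); module merging makes this work, but folding `zones.fritz.interfaces = [ "vlan-fritz" ];` into the set above keeps all zone definitions in one place. The first hunk begins in the preceding physical line of the patch.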
@@ -83,14 +136,6 @@
 ];
 };
 };
- networking.nftables.firewall.zones.untrusted.interfaces = [ "lan" ];
-
- # To be able to ping containers from the host, it is necessary
- # to create a macvlan on the host on the VLAN 1 network.
- networking.macvlans.lan = {
- interface = "vlan-home";
- mode = "bridge";
- };
 boot.initrd = {
@@ -101,37 +146,49 @@
 enable = true;
 networks = {
 # redo the network cause the livesystem has macvlans
- "10-lan01" = {
+ "10-lanhome" = {
 address = [
- (lib.net.cidr.hostCidr config.secrets.secrets.global.net.ips.${config.node.name}
- config.secrets.secrets.global.net.privateSubnetv4
- )
+ (lib.net.cidr.hostCidr 1 "10.99.10.0/24")
 ];
- gateway = [ (lib.net.cidr.host 1 config.secrets.secrets.global.net.privateSubnetv4) ];
 matchConfig.Name = "vlan-home";
- dhcpV6Config.UseDNS = false;
- dhcpV4Config.UseDNS = false;
- ipv6AcceptRAConfig.UseDNS = false;
 networkConfig = {
 IPv6PrivacyExtensions = "yes";
- MulticastDNS = true;
 };
 };
- };
- netdevs."10-vlan-home" = {
- netdevConfig = {
- Name = "vlan-home";
- Kind = "vlan";
-
+ # redo the network cause the livesystem has macvlans
+ "10-lan-fritz" = {
+ address = [
+ (lib.net.cidr.hostCidr 2 "10.99.2.0/24")
+ ];
+ gateway = [ (lib.net.cidr.host 1 "10.99.2.0/24") ];
+ matchConfig.Name = "vlan-fritz";
+ networkConfig = {
+ IPv6PrivacyExtensions = "yes";
+ };
+ };
+ "40-vlans" = {
+ matchConfig.MACAddress = config.secrets.secrets.local.networking.interfaces.lan01.mac;
+ vlan = [
+ "vlan-home"
+ "vlan-fritz"
+ ];
 };
- vlanConfig.Id = 10;
 };
-
- networks."40-vlans" = {
- matchConfig.MACAddress = config.secrets.secrets.local.networking.interfaces.lan01.mac;
- vlan = [
- "vlan-home"
- ];
+ netdevs = {
+ "10-vlan-home" = {
+ netdevConfig = {
+ Name = "vlan-home";
+ Kind = "vlan";
+ };
+ vlanConfig.Id = 10;
+ };
+ "10-vlan-fritz" = {
+ netdevConfig = {
+ Name = "vlan-fritz";
+ Kind = "vlan";
+ };
+ vlanConfig.Id = 2;
+ };
 };
 };
 };
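Review bot: The initrd network in the last hunk hard-codes the VLAN ids and subnets (`vlanConfig.Id = 10;`, `"10.99.10.0/24"`, `vlanConfig.Id = 2;`, `"10.99.2.0/24"`) that the first hunk of this file already defines in the `vlans` attrset and derives as `"10.99.${toString id}.0/24"`; the home values should come from that set, `vlanConfig.Id = vlans.home;` and `(lib.net.cidr.hostCidr 1 "10.99.${toString vlans.home}.0/24")`, so the initrd cannot silently disagree with the running system and with Kea. The `fritz` id 2 and its subnet are likewise repeated between the main `40-vlan-fritz`/`10-lan-fritz` definitions and the initrd copy and would benefit from a single binding. As a point of style, the initrd network is named `"10-lanhome"` while its sibling is `"10-lan-fritz"` and the main system uses `lan-${name}`; `"10-lan-home"` would keep the naming uniform.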