feat: cleaner port forwarding

feat: port forwarding
feat: dns for vlans
2024-12-22 00:10:37 +01:00 · 2024-12-21 23:32:42 +01:00 · 2024-12-21 20:57:16 +01:00 · 2024-12-21 14:06:00 +01:00
9 changed files with 250 additions and 69 deletions
--- a/config/services/adguardhome.nix
+++ b/config/services/adguardhome.nix
@ -1,4 +1,9 @@
-{ config, ... }:
+{
+  config,
+  lib,
+  globals,
+  ...
+}:
 {
  wireguard.services = {
    client.via = "nucnix";
@ -30,11 +35,9 @@
        ];
      };
      user_rules = [
-        # "||adguardhome.${config.secrets.secrets.global.domains.web}^$dnsrewrite=${lib.net.cidr.host config.secrets.secrets.global.net.ips.elisabeth config.secrets.secrets.global.net.privateSubnetv4}"
-        # "||nc.${config.secrets.secrets.global.domains.web}^$dnsrewrite=${lib.net.cidr.host config.secrets.secrets.global.net.ips.elisabeth config.secrets.secrets.global.net.privateSubnetv4}"
-        # "||immich.${config.secrets.secrets.global.domains.web}^$dnsrewrite=${lib.net.cidr.host config.secrets.secrets.global.net.ips.elisabeth config.secrets.secrets.global.net.privateSubnetv4}"
-        # "||smb.${config.secrets.secrets.global.domains.web}^$dnsrewrite=${lib.net.cidr.host config.secrets.secrets.global.net.ips.elisabeth-samba config.secrets.secrets.global.net.privateSubnetv4}"
-        # "||fritz.box^$dnsrewrite=${lib.net.cidr.host 1 config.secrets.secrets.global.net.privateSubnetv4}"
+        "||${globals.domains.web}^$dnsrewrite=${lib.net.cidr.host globals.services.nginx.ip globals.net.vlans.home.cidrv4}"
+        "||${globals.services.samba.domain}^$dnsrewrite=${lib.net.cidr.host globals.services.samba.ip globals.net.vlans.home.cidrv4}"
+        "||fritz.box^$dnsrewrite=${lib.net.cidr.host 1 "10.99.2.0/24"}"
      ];
      dhcp.enabled = false;
      ratelimit = 60;
--- a/globals.nix
+++ b/globals.nix
@ -49,10 +49,12 @@ in
      adguardhome = {
        domain = "adguardhome.${globals.domains.web}";
        host = "nucnix-adguardhome";
+        ip = 10;
      };
      forgejo = {
        domain = "forge.${globals.domains.web}";
        host = "elisabeth-forgejo";
+        ip = 13;
      };
      immich = {
        domain = "immich.${globals.domains.web}";
@ -84,7 +86,7 @@ in
      };
      apispotify = {
        domain = "apisptfy.${globals.domains.web}";
-        host = "elisabeth-apispotify";
+        host = "elisabeth-yourspotify";
      };
      kanidm = {
        domain = "auth.${globals.domains.web}";
@ -117,6 +119,26 @@ in
      netbird = {
        domain = "netbird.${globals.domains.web}";
        host = "elisabeth-netbird";
+        ip = 16;
+      };
+      nginx = {
+        domain = globals.domains.web;
+        host = "nucnix-nginx";
+        ip = 5;
+      };
+      samba = {
+        domain = "smb.${globals.domains.web}";
+        host = "elisabeth-samba";
+        ip = 12;
+      };
+      ddclient = {
+        domain = "";
+        host = "elisabeth-ddclient";
+      };
+      murmur = {
+        domain = "ts.${globals.domains.web}";
+        host = "elisabeth-murmur";
+        ip = 9;
      };
    };
  };
--- a/hosts/elisabeth/guests.nix
+++ b/hosts/elisabeth/guests.nix
@ -1,5 +1,6 @@
 {
  config,
+  globals,
  stateVersion,
  inputs,
  lib,
@ -17,6 +18,7 @@
          enableRenaultFT ? false,
          enableBunker ? false,
          enableSharedPaperless ? false,
+          vlans ? [ "services" ],
          ...
        }:
        {
@ -54,6 +56,25 @@
              networking.nftables.firewall.zones.untrusted.interfaces = lib.mkIf (
                lib.length config.guests.${guestName}.networking.links == 1
              ) config.guests.${guestName}.networking.links;
+              systemd.network.networks = lib.mkIf (globals.services.${guestName}.ip != null) (
+                lib.listToAttrs (
+                  lib.flip map vlans (
+                    name:
+                    lib.nameValuePair "09-mv-${name}" {
+                      matchConfig.Name = "mv-${name}";
+                      DHCP = "no";
+                      address = [
+                        (lib.net.cidr.hostCidr globals.services.${guestName}.ip globals.net.vlans.${name}.cidrv4)
+                        (lib.net.cidr.hostCidr globals.services.${guestName}.ip globals.net.vlans.${name}.cidrv6)
+                      ];
+                      gateway = [
+                        (lib.net.cidr.hostCidr 1 globals.net.vlans.${name}.cidrv4)
+                        (lib.net.cidr.hostCidr 1 globals.net.vlans.${name}.cidrv6)
+                      ];
+                    }
+                  )
+                )
+              );
            }
          ];
        };
@ -74,17 +95,23 @@
        };
      };

-      mkContainer = guestName: cfg: {
-        ${guestName} = mkGuest guestName cfg // {
-          backend = "container";
-          container.macvlans = [ "lan-services" ];
-          extraSpecialArgs = {
-            inherit (inputs.self) nodes globals;
-            inherit (inputs.self.pkgs.x86_64-linux) lib;
-            inherit inputs minimal stateVersion;
+      mkContainer =
+        guestName:
+        {
+          vlans ? [ "services" ],
+          ...
+        }@cfg:
+        {
+          ${guestName} = mkGuest guestName cfg // {
+            backend = "container";
+            container.macvlans = lib.flip map vlans (x: "lan-${x}:mv-${x}");
+            extraSpecialArgs = {
+              inherit (inputs.self) nodes globals;
+              inherit (inputs.self.pkgs.x86_64-linux) lib;
+              inherit inputs minimal stateVersion;
+            };
          };
        };
-      };
    in
    { }
    // mkContainer "adguardhome" { }
@ -110,5 +137,6 @@
      enableRenaultFT = true;
      enableBunker = true;
      enableSharedPaperless = true;
+      vlans = [ "home" ];
    };
 }
--- a/hosts/nucnix/forwarding.nix
+++ b/hosts/nucnix/forwarding.nix
@ -0,0 +1,79 @@
+{ globals, lib, ... }:
+let
+  inherit (lib)
+    concatStringsSep
+    net
+    toUpper
+    mkMerge
+    ;
+  forward =
+    {
+      service,
+      ports,
+      protocol,
+      ...
+    }:
+    {
+      networking.nftables = {
+        chains = {
+          prerouting.port-forward = {
+            after = [ "hook" ];
+            rules = [
+              "iifname lan-fritz ${protocol} dport { ${concatStringsSep ", " (map toString ports)} } dnat ip to ${
+                net.cidr.host globals.services.${service}.ip globals.net.vlans.services.cidrv4
+              }"
+              "iifname lan-fritz ${protocol} dport { ${concatStringsSep ", " (map toString ports)} } dnat ip6 to ${
+                net.cidr.host globals.services.${service}.ip globals.net.vlans.services.cidrv6
+              }"
+            ];
+          };
+        };
+        firewall = {
+          zones = {
+            ${service}.ipv4Addresses = [
+              (lib.net.cidr.host globals.services.${service}.ip globals.net.vlans.services.cidrv4)
+            ];
+          };
+          rules = {
+            "forward-${service}" = {
+              from = [ "fritz" ];
+              to = [ service ];
+              "allowed${toUpper protocol}Ports" = ports;
+            };
+          };
+        };
+      };
+    };
+in
+mkMerge [
+  (forward {
+    service = "nginx";
+    ports = [
+      80
+      443
+    ];
+    protocol = "tcp";
+  })
+  (forward {
+    service = "forgejo";
+    ports = [
+      9922
+    ];
+    protocol = "tcp";
+  })
+  (forward {
+    service = "murmur";
+    ports = [
+      9987
+    ];
+    protocol = "udp";
+  })
+  (forward {
+    service = "netbird";
+    ports = [
+      3478
+      5349
+    ];
+    protocol = "udp";
+  })
+]
--- a/hosts/nucnix/guests.nix
+++ b/hosts/nucnix/guests.nix
@ -1,6 +1,7 @@
 {
  config,
  stateVersion,
+  globals,
  inputs,
  lib,
  minimal,
@ -9,34 +10,59 @@
 {
  guests =
    let
-      mkGuest = guestName: _: {
-        autostart = true;
-        zfs."/state" = {
-          pool = "rpool";
-          dataset = "local/guests/${guestName}";
+      mkGuest =
+        guestName:
+        {
+          vlans ? [ "services" ],
+          ...
+        }:
+        {
+          autostart = true;
+          zfs."/state" = {
+            pool = "rpool";
+            dataset = "local/guests/${guestName}";
+          };
+          zfs."/persist" = {
+            pool = "rpool";
+            dataset = "safe/guests/${guestName}";
+          };
+          modules = [
+            ../../config/basic
+            ../../config/services/${guestName}.nix
+            {
+              node.secretsDir = config.node.secretsDir + "/${guestName}";
+              networking.nftables.firewall.zones.untrusted.interfaces = lib.mkIf (
+                lib.length config.guests.${guestName}.networking.links == 1
+              ) config.guests.${guestName}.networking.links;
+              systemd.network.networks = lib.mkIf (globals.services.${guestName}.ip != null) (
+                lib.listToAttrs (
+                  lib.flip map vlans (
+                    name:
+                    lib.nameValuePair "09-mv-${name}" {
+                      matchConfig.Name = "mv-${name}";
+                      DHCP = "no";
+                      address = [
+                        (lib.net.cidr.hostCidr globals.services.${guestName}.ip globals.net.vlans.${name}.cidrv4)
+                        (lib.net.cidr.hostCidr globals.services.${guestName}.ip globals.net.vlans.${name}.cidrv6)
+                      ];
+                      gateway = [
+                        (lib.net.cidr.hostCidr 1 globals.net.vlans.${name}.cidrv4)
+                        (lib.net.cidr.hostCidr 1 globals.net.vlans.${name}.cidrv6)
+                      ];
+                    }
+                  )
+                )
+              );
+            }
+          ];
        };
-        zfs."/persist" = {
-          pool = "rpool";
-          dataset = "safe/guests/${guestName}";
-        };
-        modules = [
-          ../../config/basic
-          ../../config/services/${guestName}.nix
-          {
-            node.secretsDir = config.node.secretsDir + "/${guestName}";
-            networking.nftables.firewall.zones.untrusted.interfaces = lib.mkIf (
-              lib.length config.guests.${guestName}.networking.links == 1
-            ) config.guests.${guestName}.networking.links;
-          }
-        ];
-      };

      mkMicrovm = guestName: cfg: {
        ${guestName} = mkGuest guestName cfg // {
          backend = "microvm";
          microvm = {
            system = "x86_64-linux";
-            interfaces.lan = { };
+            interfaces.lan = lib.trace "This don't work yet" { };
            baseMac = config.secrets.secrets.local.networking.interfaces.lan01.mac;
          };
          extraSpecialArgs = {
@ -50,22 +76,23 @@
      mkContainer =
        guestName:
        {
-          macvlans ? [ "lan-services" ],
+          vlans ? [ "services" ],
          ...
        }@cfg:
        {
-          ${guestName} = mkGuest guestName cfg // {
-            backend = "container";
-            container.macvlans = macvlans;
-            extraSpecialArgs = {
-              inherit (inputs.self) nodes globals;
-              inherit (inputs.self.pkgs.x86_64-linux) lib;
-              inherit inputs minimal stateVersion;
-            };
-          };
+          ${guestName} = lib.mkMerge [
+            (mkGuest guestName cfg)
+            {
+              backend = "container";
+              container.macvlans = lib.flip map vlans (x: "lan-${x}:mv-${x}");
+              extraSpecialArgs = {
+                inherit (inputs.self) nodes globals;
+                inherit (inputs.self.pkgs.x86_64-linux) lib;
+                inherit inputs minimal stateVersion;
+              };
+            }
+          ];
        };
    in
-    { }
-    // mkContainer "adguardhome" { macvlans = [ "lan-services" ]; }
-    // mkContainer "nginx" { macvlans = [ "lan-services" ]; };
+    { } // mkContainer "adguardhome" { } // mkContainer "nginx" { };
 }
--- a/hosts/nucnix/kea.nix
+++ b/hosts/nucnix/kea.nix
@ -1,7 +1,9 @@
 {
  lib,
  utils,
+  globals,
  ...
+
 }:
 let
  inherit (lib)
@ -55,30 +57,17 @@ in
            }
            {
              name = "domain-name-servers";
-              data = "${net.cidr.host 10 subnet}";
+              data = "${net.cidr.host globals.services.adguardhome.ip globals.net.vlans.services.cidrv4}";
            }
          ];
          reservations = [
-            #FIXME
-            # {
-            #   hw-address = nodes.ward-adguardhome.config.lib.microvm.mac;
-            #   ip-address = globals.net.home-lan.hosts.ward-adguardhome.ipv4;
-            # }
-            # {
-            #   hw-address = nodes.ward-web-proxy.config.lib.microvm.mac;
-            #   ip-address = globals.net.home-lan.hosts.ward-web-proxy.ipv4;
-            # }
-            # {
-            #   hw-address = nodes.sire-samba.config.lib.microvm.mac;
-            #   ip-address = globals.net.home-lan.hosts.sire-samba.ipv4;
-            # }
          ];
        }
      );
    };
  };

-  systemd.services.kea-dhcp4-server.after = [
-    "sys-subsystem-net-devices-${utils.escapeSystemdPath "lan-self"}.device"
-  ];
+  systemd.services.kea-dhcp4-server.after = flip mapAttrsToList vlans (
+    name: _: "sys-subsystem-net-devices-${utils.escapeSystemdPath "lan-${name}"}.device"
+  );
 }
--- a/hosts/nucnix/net.nix
+++ b/hosts/nucnix/net.nix
@ -17,9 +17,16 @@ in
  imports = [
    ./hostapd.nix
    ./kea.nix
+    ./forwarding.nix
  ];
+  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
  networking.nftables.firewall.zones = mkMerge [
-    { fritz.interfaces = [ "vlan-fritz" ]; }
+    {
+      fritz.interfaces = [ "vlan-fritz" ];
+      adguard.ipv4Addresses = [
+        (lib.net.cidr.host globals.services.adguardhome.ip globals.net.vlans.services.cidrv4)
+      ];
+    }
    (genAttrs (attrNames globals.net.vlans) (name: {
      interfaces = [ "lan-${name}" ];
    }))
@ -136,6 +143,27 @@ in
        to = [ "local" ];
        allowedTCPPorts = [ 22 ];
      };
+      services = {
+        from = [
+          "home"
+        ];
+        to = [
+          "services"
+          "fritz"
+        ];
+        late = true;
+        verdict = "accept";
+      };
+      dns = {
+        from = [
+          "home"
+          "devices"
+          "guests"
+          "services"
+        ];
+        to = [ "adguard" ];
+        allowedUDPPorts = [ 53 ];
+      };
      internet = {
        from = [
          "home"
--- a/modules/globals.nix
+++ b/modules/globals.nix
@ -132,6 +132,11 @@ in
                    type = types.str;
                    description = "The node-name on which this service runs";
                  };
+                  ip = mkOption {
+                    type = types.nullOr (types.ints.between 5 49);
+                    default = null;
+                    description = "Optional IP in case this service runs needs a static ip. Shou";
+                  };
                };
              }
            );
--- a/users/patrick/theme.nix
+++ b/users/patrick/theme.nix
@ -95,7 +95,7 @@
    image = config.lib.stylix.pixel "base00";
    base16Scheme = {
      yaml = "${pkgs.base16-schemes}/share/themes/vice.yaml";
-      use-ifd = "auto";
+      use-ifd = "always";
    };
    # Has to be green
    override.base0B = "#00CC99";
Author	SHA1	Message	Date
Patrick	268bd66c76	feat: cleaner port forwarding	2024-12-22 00:10:37 +01:00
Patrick	65e207d999	feat: port forwarding	2024-12-21 23:32:42 +01:00
Patrick	9347751df7	feat: dns for vlans	2024-12-21 20:57:16 +01:00
Patrick	5d1bc8cf67	chore: support static ips	2024-12-21 14:06:00 +01:00