diff --git a/mapping.nix b/mapping.nix index 188168a..ba66749 100644 --- a/mapping.nix +++ b/mapping.nix @@ -6,7 +6,7 @@ bastion = [ "bastion-mtz-lasuite-federez" "bastion-ren-lasuite-federez" - ] + ]; # For instance: # psql = { diff --git a/shared/bastion.nix b/shared/bastion.nix index 759886e..0c2ec72 100644 --- a/shared/bastion.nix +++ b/shared/bastion.nix @@ -3,7 +3,5 @@ # Import dependencies imports = [ ./bastion/wireguard.nix - ./bastion/forward.nix - ./bastion/nftables.nix ]; } \ No newline at end of file diff --git a/shared/bastion/wireguard.nix b/shared/bastion/wireguard.nix index 790e699..c839fc4 100644 --- a/shared/bastion/wireguard.nix +++ b/shared/bastion/wireguard.nix @@ -42,14 +42,6 @@ in { age.secrets = buildSecret myZone; - # Networkd backend introduce in 25.05 - # No independant target are generated - # when using networkd as a backend - # If custom systemd ordering is needed - # between wg interface and the rest of - # networking: switch to false here - networking.wireguard.useNetworkd = true; - # Return all WireGuard interfaces for each node networking.wireguard.interfaces = interface; } \ No newline at end of file diff --git a/shared/commons.nix b/shared/commons.nix index 4a08d54..5256d58 100755 --- a/shared/commons.nix +++ b/shared/commons.nix @@ -8,5 +8,7 @@ ./commons/sudo.nix ./commons/networking.nix ./commons/mesh.nix + ./commons/forward.nix + ./commons/nftables.nix ]; } \ No newline at end of file diff --git a/shared/bastion/forward.nix b/shared/commons/forward.nix similarity index 100% rename from shared/bastion/forward.nix rename to shared/commons/forward.nix diff --git a/shared/commons/mesh.nix b/shared/commons/mesh.nix index 23fe88c..0d30350 100644 --- a/shared/commons/mesh.nix +++ b/shared/commons/mesh.nix @@ -51,6 +51,7 @@ let "172.19.128.0/17" "fc00:f::/96" ]; + endpoint = "${builtins.head (builtins.split "/" peerConfig.ip4)}:${toString (51000 + myId)}"; persistentKeepalive = 25; }]; # Throw away route created by wireguard 
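Review bot: The added `endpoint` in shared/commons/mesh.nix builds the port from `myId` rather than `peerConfig.id`, so it only reaches the peer's listening socket if every node listens for the link towards node X on `51000 + X.id`; the listen-port side of this interface is outside the hunk, so please confirm the convention and state it where the value is built, e.g. `# The peer listens on 51000 + <our id> for the tunnel back to us`. `builtins.head (builtins.split "/" peerConfig.ip4)` strips a CIDR suffix and will quietly pass the whole string through when `ip4` has no `/`, which is fine but worth a word in the same comment. The peer definition this sits in starts before the hunk.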
@@ -68,7 +69,7 @@ let ${pkgs.iproute2}/bin/ip -6 route replace fc00::${toString myId}:${toString peerConfig.id} dev mesh-${shorten peerName}-${toString peerConfig.zone}-${toString peerConfig.id} scope link # Return path for mgmt trafic - ${if !(lib.elem myPeer mapping.bastion) && (lib.elem peerName mapping.bastion) then '' + ${if lib.elem peerName mapping.bastion then '' ${pkgs.iproute2}/bin/ip route replace 172.19.${toString (peerConfig.zone + 127)}.0/24 via 172.19.${toString myPeer.id}.${toString peerConfig.id} dev mesh-${shorten peerName}-${toString peerConfig.zone}-${toString peerConfig.id} ${pkgs.iproute2}/bin/ip -6 route replace fc00:f::${toString (peerConfig.zone + 127)}:0/96 via fc00::${toString myPeer.id}:${toString peerConfig.id} dev mesh-${shorten peerName}-${toString peerConfig.zone}-${toString peerConfig.id} '' else ""} @@ -107,9 +108,4 @@ in ExecStart = "${wireguardStaticRoute}/bin/wireguardStaticRoute"; }; }; - - # Open UDP port for wireguard traffic - networking.firewall.allowedUDPPorts = lib.range 51000 (51000 + builtins.head ( - builtins.sort (a: b: a > b) ( - lib.mapAttrsToList (name: node: node.id) nodes))); } \ No newline at end of file diff --git a/shared/commons/networking.nix b/shared/commons/networking.nix index 46cf14a..1f3101e 100644 --- a/shared/commons/networking.nix +++ b/shared/commons/networking.nix @@ -42,5 +42,4 @@ in off = 999; }; }; - networking.firewall.enable = true; } \ No newline at end of file diff --git a/shared/bastion/nftables.nix b/shared/commons/nftables.nix similarity index 84% rename from shared/bastion/nftables.nix rename to shared/commons/nftables.nix index b4fe396..dde5c72 100644 --- a/shared/bastion/nftables.nix +++ b/shared/commons/nftables.nix 
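Review bot: The simplified guard `lib.elem peerName mapping.bastion` in shared/commons/mesh.nix behaves exactly like the removed one, because `myPeer` is a node record (it is dereferenced as `myPeer.id` two lines down) while `mapping.bastion` is a list of host-name strings, so `lib.elem myPeer mapping.bastion` could never have been true. If the original intent was to skip bastion-to-bastion return routes, that still is not implemented; it would need the node's name (the key used to look it up in `nodes`) rather than the record, and the same record-versus-string comparison is re-introduced in the new shared/commons/nftables.nix hunk. A comment on the `${if` line such as `# Install the mgmt return route towards every bastion peer, on bastions as well` would make the chosen behaviour explicit. The route script this belongs to starts before the hunk.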
@@ -1,9 +1,18 @@ { lib, ... }: +let + # Import nodes + nodes = import ./../../nodes.nix; + myPeer = nodes."${config.hostName}"; + + meshUdpRange = "51000-${toString (51000 + builtins.head ( + builtins.sort (a: b: a > b) ( + l ib.mapAttrsToList (name: node: node.id) nodes)))}"; +in { networking = { nat.enable = false; - firewall.enable = lib.mkForce false; + firewall.enable = false; nftables = { enable = true; checkRuleset = true; @@ -38,10 +47,12 @@ tcp dport 22 accept # Mesh - udp dport 51820 accept + udp dport ${meshUdpRange} accept - # Mgmt - udp dport 51920 accept + ${if lib.elem myPeer mapping.bastion then '' + # Mgmt + udp dport 51920 accept + '' else ""} # Log anything else ip protocol tcp counter log prefix "tcp.in.dropped: " diff --git a/shell.nix b/shell.nix index 91cc8fe..de2cada 100644 --- a/shell.nix +++ b/shell.nix @@ -94,6 +94,13 @@ pkgs.mkShell { deployparallel() { echo "Deploying to all nodes in parallel..." echo "" + + local deploy_args=() + if [ $# -gt 0 ]; then + deploy_args=("$@") + echo "Deploy arguments: ${"\${deploy_args[*]}"}" + echo "" + fi local nodes=($(grep -E '^[[:space:]]*[a-zA-Z0-9_-]+-[a-zA-Z0-9_-]+-[a-zA-Z0-9_-]+-[a-zA-Z0-9_-]+[[:space:]]*=' nodes.nix | \ sed 's/^[[:space:]]*//; s/[[:space:]]*=.*//' | \ @@ -125,7 +132,7 @@ pkgs.mkShell { for node in "${"\${nodes[@]}"}"; do { echo "[$node] Starting deployment..." - deploy -s ".#$node" 2>&1 | while IFS= read -r line; do + deploy -s ".#$node" "${"\${deploy_args[@]}"}" 2>&1 | while IFS= read -r line; do echo "[$node] $line" done echo "[$node] Deployment finished"
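Review bot: `config` and `mapping` are not bound in shared/commons/nftables.nix: the unchanged header on the first context line is `{ lib, ... }:` and the new `let` only imports `nodes`, so `nodes."${config.hostName}"` here and `lib.elem myPeer mapping.bastion` in the second hunk fail with an undefined-variable error as soon as the module is evaluated, which now happens on every node because commons.nix imports it. The header needs `{ config, lib, ... }:` and the `let` needs `mapping = import ./../../mapping.nix;` (or however shared/commons/mesh.nix brings it in, which is outside this diff), and unless the repo declares its own `hostName` option the NixOS value lives at `config.networking.hostName`. As rendered here `l ib.mapAttrsToList` also has a space inside `lib`; if that is in the commit rather than an artifact of this listing it is a further undefined name `l`. Even once everything is bound, `myPeer` is a node record while `mapping.bastion` holds host names, so the Mgmt rule in the second hunk would never be emitted; comparing the host name itself is what selects the bastions.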
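Review bot: Dropping `udp dport 51820 accept` closes that port on every node that now imports this ruleset, including the bastions whose tunnels come from shared/bastion/wireguard.nix; if any of those interfaces still listens on 51820 (its listen port is not in this diff), `${meshUdpRange}` does not cover it and the bastion handshake lands in the drop-and-log rules below. Please confirm the bastion listen port or restore that rule under its own comment. The range also opens 51000 through 51000 plus the highest node id on every host, which is wider than the ports any single node actually listens on; that is a judgement call, but it deserves a line such as `# Mesh tunnels listen on 51000 + node id; the range ends at the highest id in nodes.nix` above the rule. The Mgmt conditional depends on `myPeer` and `mapping` from the first hunk of this file.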
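Review bot: `"${deploy_args[@]}"` on an empty array is an unbound-variable error under `set -u` in bash releases before 4.4, and whether the shell hook in shell.nix runs with `set -u` is not visible here; if it does, the expansion `${deploy_args[@]+"${deploy_args[@]}"}` (wrapped in the same `${"\$..."}` Nix escaping the file already uses) avoids it. The `if [ $# -gt 0 ]` block in the first hunk is also redundant with the array: `local deploy_args=("$@")` alone gives the same contents, leaving only the two echo lines to guard. Since the extra arguments are forwarded verbatim to every `deploy` call, a comment on the `local` line such as `# Any extra arguments are passed through unchanged to each per-node deploy` would spare the next reader a trip to the loop. The `deployparallel` body continues between and after the two hunks.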