dedicated nftables

This commit is contained in:
asyncnomi 2025-07-22 00:05:56 +02:00
parent 395a34d811
commit ff133ea171
9 changed files with 28 additions and 23 deletions


@ -6,7 +6,7 @@
bastion = [ bastion = [
"bastion-mtz-lasuite-federez" "bastion-mtz-lasuite-federez"
"bastion-ren-lasuite-federez" "bastion-ren-lasuite-federez"
] ];
# For instance: # For instance:
# psql = { # psql = {


@ -3,7 +3,5 @@
# Import dependencies # Import dependencies
imports = [ imports = [
./bastion/wireguard.nix ./bastion/wireguard.nix
./bastion/forward.nix
./bastion/nftables.nix
]; ];
} }


@ -42,14 +42,6 @@ in
{ {
age.secrets = buildSecret myZone; age.secrets = buildSecret myZone;
# Networkd backend introduce in 25.05
# No independant target are generated
# when using networkd as a backend
# If custom systemd ordering is needed
# between wg interface and the rest of
# networking: switch to false here
networking.wireguard.useNetworkd = true;
# Return all WireGuard interfaces for each node # Return all WireGuard interfaces for each node
networking.wireguard.interfaces = interface; networking.wireguard.interfaces = interface;
} }


@ -8,5 +8,7 @@
./commons/sudo.nix ./commons/sudo.nix
./commons/networking.nix ./commons/networking.nix
./commons/mesh.nix ./commons/mesh.nix
./commons/forward.nix
./commons/nftables.nix
]; ];
} }
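Review bot: `./commons/forward.nix` is now imported on every node rather than only on bastions, and its contents are not part of this commit; if it enables `net.ipv4.ip_forward` / `net.ipv6.conf.all.forwarding`, every mesh node becomes a router and the `forward` chain of the new nftables ruleset is what decides which traffic transits, so confirm that chain drops by default on non-bastion nodes. A one-line comment beside the import would make the intent reviewable, e.g. `# Forwarding and the nftables ruleset are shared by bastions and regular nodes`. The enclosing module attrset starts outside the hunk.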


@ -51,6 +51,7 @@ let
"172.19.128.0/17" "172.19.128.0/17"
"fc00:f::/96" "fc00:f::/96"
]; ];
endpoint = "${builtins.head (builtins.split "/" peerConfig.ip4)}:${toString (51000 + myId)}";
persistentKeepalive = 25; persistentKeepalive = 25;
}]; }];
# Throw away route created by wireguard # Throw away route created by wireguard
@ -68,7 +69,7 @@ let
${pkgs.iproute2}/bin/ip -6 route replace fc00::${toString myId}:${toString peerConfig.id} dev mesh-${shorten peerName}-${toString peerConfig.zone}-${toString peerConfig.id} scope link ${pkgs.iproute2}/bin/ip -6 route replace fc00::${toString myId}:${toString peerConfig.id} dev mesh-${shorten peerName}-${toString peerConfig.zone}-${toString peerConfig.id} scope link
# Return path for mgmt trafic # Return path for mgmt trafic
${if !(lib.elem myPeer mapping.bastion) && (lib.elem peerName mapping.bastion) then '' ${if lib.elem peerName mapping.bastion then ''
${pkgs.iproute2}/bin/ip route replace 172.19.${toString (peerConfig.zone + 127)}.0/24 via 172.19.${toString myPeer.id}.${toString peerConfig.id} dev mesh-${shorten peerName}-${toString peerConfig.zone}-${toString peerConfig.id} ${pkgs.iproute2}/bin/ip route replace 172.19.${toString (peerConfig.zone + 127)}.0/24 via 172.19.${toString myPeer.id}.${toString peerConfig.id} dev mesh-${shorten peerName}-${toString peerConfig.zone}-${toString peerConfig.id}
${pkgs.iproute2}/bin/ip -6 route replace fc00:f::${toString (peerConfig.zone + 127)}:0/96 via fc00::${toString myPeer.id}:${toString peerConfig.id} dev mesh-${shorten peerName}-${toString peerConfig.zone}-${toString peerConfig.id} ${pkgs.iproute2}/bin/ip -6 route replace fc00:f::${toString (peerConfig.zone + 127)}:0/96 via fc00::${toString myPeer.id}:${toString peerConfig.id} dev mesh-${shorten peerName}-${toString peerConfig.zone}-${toString peerConfig.id}
'' else ""} '' else ""}
@ -107,9 +108,4 @@ in
ExecStart = "${wireguardStaticRoute}/bin/wireguardStaticRoute"; ExecStart = "${wireguardStaticRoute}/bin/wireguardStaticRoute";
}; };
}; };
# Open UDP port for wireguard traffic
networking.firewall.allowedUDPPorts = lib.range 51000 (51000 + builtins.head (
builtins.sort (a: b: a > b) (
lib.mapAttrsToList (name: node: node.id) nodes)));
} }
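Review bot: The simplified condition under `# Return path for mgmt trafic` now also runs on bastion hosts, so a bastion installs routes to other bastions' mgmt /24 (`172.19.<zone+127>.0/24` and the matching `fc00:f::` /96) over the mesh; if that is intended the comment should say so, e.g. `# Return path for mgmt traffic (installed on every node, including other bastions)`. This is very likely not a behaviour change in practice: the dropped `lib.elem myPeer mapping.bastion` clause compared the node attrset (`myPeer.id` is dereferenced on the next line) against a list of hostnames, which is always false, and that is worth stating in the commit message. The `endpoint` added in the first hunk fixes each peer's listen port as `51000 + myId`, so the base port 51000 now lives both here and in the UDP range opened by the new nftables module; a shared constant in nodes.nix or a small helper would keep the two from drifting. The enclosing `let` and the peer attrset literal start and end outside the hunks.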


@ -42,5 +42,4 @@ in
off = 999; off = 999;
}; };
}; };
networking.firewall.enable = true;
} }


@ -1,9 +1,18 @@
{ lib, ... }: { lib, ... }:
let
# Import nodes
nodes = import ./../../nodes.nix;
myPeer = nodes."${config.hostName}";
meshUdpRange = "51000-${toString (51000 + builtins.head (
builtins.sort (a: b: a > b) (
l ib.mapAttrsToList (name: node: node.id) nodes)))}";
in
{ {
networking = { networking = {
nat.enable = false; nat.enable = false;
firewall.enable = lib.mkForce false; firewall.enable = false;
nftables = { nftables = {
enable = true; enable = true;
checkRuleset = true; checkRuleset = true;
@ -38,10 +47,12 @@
tcp dport 22 accept tcp dport 22 accept
# Mesh # Mesh
udp dport 51820 accept udp dport ${meshUdpRange} accept
# Mgmt ${if lib.elem myPeer mapping.bastion then ''
udp dport 51920 accept # Mgmt
udp dport 51920 accept
'' else ""}
# Log anything else # Log anything else
ip protocol tcp counter log prefix "tcp.in.dropped: " ip protocol tcp counter log prefix "tcp.in.dropped: "
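Review bot: On the `${if lib.elem myPeer mapping.bastion then` line, `myPeer` is the node attrset (`nodes."${config.hostName}"` in the new `let`) while `mapping.bastion` holds hostnames, so the test is always false and UDP 51920 is never opened on any bastion; the check should compare the name, `${if lib.elem config.hostName mapping.bastion then ''`. `config` is also not bound: the function header is still `{ lib, ... }:` on the new side, so `config.hostName` is an undefined variable at evaluation time and the header needs to become `{ config, lib, ... }:`. `mapping` is not defined in the new `let` block either — unless it is bound somewhere in the unshown lines of this file, it has to be imported the same way mesh.nix obtains it. `l ib.mapAttrsToList` on the `meshUdpRange` line looks like a rendering artifact, but it is worth confirming the file actually reads `lib.mapAttrsToList`.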


@ -94,6 +94,13 @@ pkgs.mkShell {
deployparallel() { deployparallel() {
echo "Deploying to all nodes in parallel..." echo "Deploying to all nodes in parallel..."
echo "" echo ""
local deploy_args=()
if [ $# -gt 0 ]; then
deploy_args=("$@")
echo "Deploy arguments: ${"\${deploy_args[*]}"}"
echo ""
fi
local nodes=($(grep -E '^[[:space:]]*[a-zA-Z0-9_-]+-[a-zA-Z0-9_-]+-[a-zA-Z0-9_-]+-[a-zA-Z0-9_-]+[[:space:]]*=' nodes.nix | \ local nodes=($(grep -E '^[[:space:]]*[a-zA-Z0-9_-]+-[a-zA-Z0-9_-]+-[a-zA-Z0-9_-]+-[a-zA-Z0-9_-]+[[:space:]]*=' nodes.nix | \
sed 's/^[[:space:]]*//; s/[[:space:]]*=.*//' | \ sed 's/^[[:space:]]*//; s/[[:space:]]*=.*//' | \
@ -125,7 +132,7 @@ pkgs.mkShell {
for node in "${"\${nodes[@]}"}"; do for node in "${"\${nodes[@]}"}"; do
{ {
echo "[$node] Starting deployment..." echo "[$node] Starting deployment..."
deploy -s ".#$node" 2>&1 | while IFS= read -r line; do deploy -s ".#$node" "${"\${deploy_args[@]}"}" 2>&1 | while IFS= read -r line; do
echo "[$node] $line" echo "[$node] $line"
done done
echo "[$node] Deployment finished" echo "[$node] Deployment finished"