diff --git a/machines/nixos/vault01/networking.nix b/machines/nixos/vault01/networking.nix
index 1471ba3..bcb3e20 100644
--- a/machines/nixos/vault01/networking.nix
+++ b/machines/nixos/vault01/networking.nix
@@ -35,239 +35,237 @@ let in { - config = { - systemd = { - network = { - config.routeTables."user" = 1000; - networks = { - "10-lo" = { - name = "lo"; - address = [ - "::1/128" - "127.0.0.1/8" - "10.0.0.1/27" - ]; - routes = [ - { - Destination = "10.0.0.0/27"; - Table = "user"; - } - ]; - routingPolicyRules = [ - { - To = "10.0.0.0/16"; - Table = "user"; - } - ]; - }; - "10-enp67s0f0np0" = { - name = "enp67s0f0np0"; - linkConfig.Promiscuous = true; - networkConfig = { - Bridge = "br0"; - - LinkLocalAddressing = false; - LLDP = false; - EmitLLDP = false; - IPv6AcceptRA = false; - IPv6SendRA = false; - }; - linkConfig.MTUBytes = 1504; - }; - "50-gretap1" = { - name = "gretap1"; - networkConfig = { - Bridge = "br0"; - - LinkLocalAddressing = false; - LLDP = false; - EmitLLDP = false; - IPv6AcceptRA = false; - IPv6SendRA = false; - }; - linkConfig.MTUBytes = 1504; - }; - "50-br0" = { - name = "br0"; - networkConfig = { - VLAN = builtins.attrNames vlans; - - LinkLocalAddressing = false; - LLDP = false; - EmitLLDP = false; - IPv6AcceptRA = false; - IPv6SendRA = false; - }; - linkConfig.MTUBytes = 1504; - }; - "50-wg0" = { - name = "wg0"; - address = [ "10.10.17.1/30" ]; - networkConfig.Tunnel = "gretap1"; - }; - } // (mapAttrs' mkNetwork vlans); - - netdevs = { - "50-gretap1" = { - netdevConfig = { - Name = "gretap1"; - Kind = "gretap"; - }; - tunnelConfig = { - Local = "10.10.17.1"; - Remote = "10.10.17.2"; - }; - }; - "50-br0" = { - netdevConfig = { - Name = "br0"; - Kind = "bridge"; - }; - bridgeConfig = { - VLANFiltering = false; - STP = false; - }; - }; - "50-wg0" = { - netdevConfig = { - Name = "wg0"; - Kind = "wireguard"; - }; - wireguardConfig = { - ListenPort = 1194; - PrivateKeyFile = config.age.secrets."wg-key".path; - }; - - wireguardPeers = [ - { - AllowedIPs = [ - "10.10.17.0/30" - ]; - PublicKey = "g6S3gBx1Hf2iX41tokD+m8WfzJJTTcsKifOkn+Wcd00="; - } - ]; - }; - } // (mapAttrs' mkNetdev vlans); - }; - - services = { - ethtoolConfig = { - wantedBy = [ 
"systemd-networkd.service" ]; - after = [ "sys-subsystem-net-devices-enp67s0f0np0.device" ]; - bindsTo = [ "sys-subsystem-net-devices-enp67s0f0np0.device" ]; - script = builtins.concatStringsSep "\n" ( - builtins.map (name: "${lib.getExe pkgs.ethtool} -K enp67s0f0np0 ${name} off") [ - "rxvlan" - "txvlan" - "rx-vlan-filter" - "rx-vlan-offload" - "tx-vlan-offload" - "tx-vlan-stag-hw-insert" - ] - ); + systemd = { + network = { + config.routeTables."user" = 1000; + networks = { + "10-lo" = { + name = "lo"; + address = [ + "::1/128" + "127.0.0.1/8" + "10.0.0.1/27" + ]; + routes = [ + { + Destination = "10.0.0.0/27"; + Table = "user"; + } + ]; + routingPolicyRules = [ + { + To = "10.0.0.0/16"; + Table = "user"; + } + ]; }; + "10-enp67s0f0np0" = { + name = "enp67s0f0np0"; + linkConfig.Promiscuous = true; + networkConfig = { + Bridge = "br0"; - systemd-networkd.serviceConfig.LimitNOFILE = 4096; - - net-checker = - let - userVlans = builtins.attrNames (filterAttrs (_: { userOnly, ... }: userOnly) vlans); - networkctl = action: concatMapStringsSep "\n " (name: "networkctl ${action} ${name}") userVlans; - in - { - path = [ - pkgs.iputils - pkgs.systemd - ]; - script = '' - if ping -c 1 8.8.8.8 > /dev/null || ping -c 1 1.1.1.1 > /dev/null; then - echo network is up - ${networkctl "up"} - else - echo network is down - ${networkctl "down"} - fi - ''; + LinkLocalAddressing = false; + LLDP = false; + EmitLLDP = false; + IPv6AcceptRA = false; + IPv6SendRA = false; }; - }; + linkConfig.MTUBytes = 1504; + }; + "50-gretap1" = { + name = "gretap1"; + networkConfig = { + Bridge = "br0"; - timers.net-checker = { - wantedBy = [ "timers.target" ]; - timerConfig.OnCalendar = "*-*-* *:*:42"; - }; - }; - - networking = { - nftables = { - enable = true; - tables = { - nat = { - family = "ip"; - content = '' - chain postrouting { - type nat hook postrouting priority 100; - ip saddr 10.0.0.0/16 ip daddr != 10.0.0.0/16 snat ip to 129.199.195.130-129.199.195.157 - } - ''; + LinkLocalAddressing = 
false; + LLDP = false; + EmitLLDP = false; + IPv6AcceptRA = false; + IPv6SendRA = false; }; - filter = { - family = "inet"; - content = '' - chain forward { - type filter hook forward priority filter; policy accept; - ct state vmap { - invalid: drop, - established: accept, - related: accept, - new: jump forward_decide, - untracked: jump forward_decide, - }; - } - chain forward_decide { - # Block access to vpn - ip daddr { - 10.10.17.0/30, - 100.80.0.0/16, - } jump forward_reject; + linkConfig.MTUBytes = 1504; + }; + "50-br0" = { + name = "br0"; + networkConfig = { + VLAN = builtins.attrNames vlans; - # And administrative vlans - ip6 daddr { - fd26:baf9:d250::/48, - } jump forward_reject; + LinkLocalAddressing = false; + LLDP = false; + EmitLLDP = false; + IPv6AcceptRA = false; + IPv6SendRA = false; + }; + linkConfig.MTUBytes = 1504; + }; + "50-wg0" = { + name = "wg0"; + address = [ "10.10.17.1/30" ]; + networkConfig.Tunnel = "gretap1"; + }; + } // (mapAttrs' mkNetwork vlans); - # These are being deployed, and so are not trusted - ip saddr 10.0.255.0/24 jump forward_reject; - - # We only forward for ISP clients and our stuff - ip saddr != 10.0.0.0/16 jump forward_reject; - - # Can talk to us - ip daddr 10.0.0.0/27 accept; - - # Not others nor CRI - ip daddr 10.0.0.0/8 jump forward_reject; - } - chain forward_reject { - reject with icmpx type admin-prohibited; - } - ''; + netdevs = { + "50-gretap1" = { + netdevConfig = { + Name = "gretap1"; + Kind = "gretap"; + }; + tunnelConfig = { + Local = "10.10.17.1"; + Remote = "10.10.17.2"; }; }; - }; - firewall = { - allowedUDPPorts = [ - 67 - 1194 - ]; - # FIXME: I dont't remember why it's here, and it doesn't seems right - # comes from https://git.dgnum.eu/DGNum/infrastructure/commit/411795c664374549e5e831722a80180b51fbf0d5 - # checkReversePath = false; - }; + "50-br0" = { + netdevConfig = { + Name = "br0"; + Kind = "bridge"; + }; + bridgeConfig = { + VLANFiltering = false; + STP = false; + }; + }; + "50-wg0" = { + 
netdevConfig = { + Name = "wg0"; + Kind = "wireguard"; + }; + wireguardConfig = { + ListenPort = 1194; + PrivateKeyFile = config.age.secrets."wg-key".path; + }; + + wireguardPeers = [ + { + AllowedIPs = [ + "10.10.17.0/30" + ]; + PublicKey = "g6S3gBx1Hf2iX41tokD+m8WfzJJTTcsKifOkn+Wcd00="; + } + ]; + }; + } // (mapAttrs' mkNetdev vlans); }; - age.secrets."wg-key".owner = "systemd-network"; - users.users."systemd-network".extraGroups = [ "keys" ]; + services = { + ethtoolConfig = { + wantedBy = [ "systemd-networkd.service" ]; + after = [ "sys-subsystem-net-devices-enp67s0f0np0.device" ]; + bindsTo = [ "sys-subsystem-net-devices-enp67s0f0np0.device" ]; + script = builtins.concatStringsSep "\n" ( + builtins.map (name: "${lib.getExe pkgs.ethtool} -K enp67s0f0np0 ${name} off") [ + "rxvlan" + "txvlan" + "rx-vlan-filter" + "rx-vlan-offload" + "tx-vlan-offload" + "tx-vlan-stag-hw-insert" + ] + ); + }; - boot.kernel.sysctl."net.ipv4.ip_forward" = true; + systemd-networkd.serviceConfig.LimitNOFILE = 4096; + + net-checker = + let + userVlans = builtins.attrNames (filterAttrs (_: { userOnly, ... 
}: userOnly) vlans); + networkctl = action: concatMapStringsSep "\n " (name: "networkctl ${action} ${name}") userVlans; + in + { + path = [ + pkgs.iputils + pkgs.systemd + ]; + script = '' + if ping -c 1 8.8.8.8 > /dev/null || ping -c 1 1.1.1.1 > /dev/null; then + echo network is up + ${networkctl "up"} + else + echo network is down + ${networkctl "down"} + fi + ''; + }; + }; + + timers.net-checker = { + wantedBy = [ "timers.target" ]; + timerConfig.OnCalendar = "*-*-* *:*:42"; + }; }; + + networking = { + nftables = { + enable = true; + tables = { + nat = { + family = "ip"; + content = '' + chain postrouting { + type nat hook postrouting priority 100; + ip saddr 10.0.0.0/16 ip daddr != 10.0.0.0/16 snat ip to 129.199.195.130-129.199.195.157 + } + ''; + }; + filter = { + family = "inet"; + content = '' + chain forward { + type filter hook forward priority filter; policy accept; + ct state vmap { + invalid: drop, + established: accept, + related: accept, + new: jump forward_decide, + untracked: jump forward_decide, + }; + } + chain forward_decide { + # Block access to vpn + ip daddr { + 10.10.17.0/30, + 100.80.0.0/16, + } jump forward_reject; + + # And administrative vlans + ip6 daddr { + fd26:baf9:d250::/48, + } jump forward_reject; + + # These are being deployed, and so are not trusted + ip saddr 10.0.255.0/24 jump forward_reject; + + # We only forward for ISP clients and our stuff + ip saddr != 10.0.0.0/16 jump forward_reject; + + # Can talk to us + ip daddr 10.0.0.0/27 accept; + + # Not others nor CRI + ip daddr 10.0.0.0/8 jump forward_reject; + } + chain forward_reject { + reject with icmpx type admin-prohibited; + } + ''; + }; + }; + }; + firewall = { + allowedUDPPorts = [ + 67 + 1194 + ]; + # FIXME: I dont't remember why it's here, and it doesn't seems right + # comes from https://git.dgnum.eu/DGNum/infrastructure/commit/411795c664374549e5e831722a80180b51fbf0d5 + # checkReversePath = false; + }; + }; + + age.secrets."wg-key".owner = "systemd-network"; + 
users.users."systemd-network".extraGroups = [ "keys" ]; + + boot.kernel.sysctl."net.ipv4.ip_forward" = true; }
diff --git a/meta/isp/module.nix b/meta/isp/module.nix
index 8c707c7..72a9d2a 100644
--- a/meta/isp/module.nix
+++ b/meta/isp/module.nix
@@ -2,13 +2,17 @@ # # SPDX-License-Identifier: EUPL-1.2 -{ lib, ... }: +{ lib, config, ... }: let inherit (lib) + attrValues + genAttrs mkDefault mkIf + mkMerge mkOption + optional ; inherit (lib.types)
@@ -16,10 +20,13 @@ let attrsOf bool ints + listOf nullOr submodule str ; + + cfg = config.isp; in {
@@ -30,6 +37,15 @@ in { config, ... }: { options = { + flags = mkOption { + type = listOf str; + default = optional config.userOnly "users"; + defaultText = ''optional config.userOnly "users"''; + description = '' + Groups of VLANs this VLAN belong to. + ''; + }; + id = mkOption { type = ints.between 0 (4096 - 1); description = ''
@@ -97,10 +113,33 @@ in } ) ); - default = [ ]; + default = { }; description = '' The list of VLANs known to our ISP. ''; }; + + vlans-groups = mkOption { + type = attrsOf (submodule { + options.id-list = mkOption { + type = listOf (ints.between 0 (4096 - 1)); + description = '' + List of VLANs IDs inside this group. + ''; + }; + }); + default = { }; + description = '' + The list of groups of VLANs known to our ISP. + ''; + }; }; + config.isp.vlans-groups = mkMerge ( + map ( + { flags, id, ... }: + genAttrs flags (_: { + id-list = [ id ]; + }) + ) (attrValues cfg.vlans) + ); }
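Review bot: The `forward` chain in the `filter` table is `policy accept` and every rule in `forward_decide` is an `ip`/`ip6` prefix match, so anything matching none of them is forwarded by default — in particular any IPv6 packet not destined to fd26:baf9:d250::/48, from any source, because the only IPv6 rule checks `ip6 daddr` and the `ip saddr != 10.0.0.0/16` guard never sees IPv6. Today this is contained only by the fact that the hunk enables `net.ipv4.ip_forward` alone; should IPv6 forwarding be enabled elsewhere in the configuration, the chain becomes an open IPv6 forwarder. The safer shape is default-deny with the accepted case explicit: `type filter hook forward priority filter; policy drop;` in `chain forward`, and `ip saddr 10.0.0.0/16 accept;` as the last rule of `forward_decide` (established/related traffic is already accepted by the `ct state vmap`). Separately, `ethtoolConfig` is only `wantedBy` systemd-networkd.service with no `before =` ordering and no `Type = "oneshot"`, so the VLAN-offload changes may race with networkd bringing up enp67s0f0np0 — worth confirming. The attribute set sits in a `let … in` whose `let` lies outside the hunk.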
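Review bot: `flags` is typed `listOf str`, so a misspelled flag silently creates a new group in `isp.vlans-groups` instead of failing evaluation, and the description does not tell the reader where the strings end up. Suggest replacing the description with `Groups of VLANs this VLAN belongs to. Each flag becomes a key of isp.vlans-groups and this VLAN's id is added to that group's id-list.`, which also fixes the "belong to" grammar. If the set of groups is meant to be closed, constraining the type (an enum of the known group names) would turn typos into evaluation errors; if it is open-ended, the documentation alone is enough.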
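Review bot: `config.isp.vlans-groups` is set unconditionally from `cfg.vlans`, and because `id-list` is a `listOf`, any value a user sets on `isp.vlans-groups.<name>.id-list` is concatenated with the generated ids rather than replacing them, while the option's description ("The list of groups of VLANs known to our ISP.") presents it as a plain input. Either document that the option is derived — e.g. `Groups of VLANs, populated automatically from each VLAN's flags; ids of VLANs sharing a flag are concatenated into id-list.` — or, if manual entries are not meant to be accepted, add `readOnly = true;` to the option so they fail loudly. Note that `attrValues cfg.vlans` iterates in attribute-name order, so the resulting `id-list` order follows VLAN names rather than ids, which callers should not rely on without sorting. The enclosing `options` attribute set begins before the hunk.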