diff --git a/hosts/zerocool/configuration.nix b/hosts/zerocool/configuration.nix index 9bb16c2..a2cb45a 100644 --- a/hosts/zerocool/configuration.nix +++ b/hosts/zerocool/configuration.nix 
@@ -1,43 +1,168 @@ -{ config, lib, pkgs, ... }: +{ + config, + lib, + pkgs, + ... +}: let - wan_iface = "enp3s0f0"; - lan_iface = "enp3s0f1"; - wg_iface = "wg0"; - lan_addr = "10.98.4.1"; - lan_cidr = 22; + wanIface = "enp3s0f0"; + wan = { + ipv4 = { + gateway = "198.82.185.129"; + address = "198.82.185.170"; + cidr = 22; + }; + ipv6 = { + gateway = "2001:468:c80:6119::1"; + address = "2001:468:c80:6119:82c1:6eff:fe21:2b88"; + cidr = 64; + }; + tcpPorts = [ + 22 + 2222 + ]; + udpPorts = [ 51820 ]; + # Publicly routable IPv4 addresses only + exposeIpv4Hosts = [ + # Alex's box + "198.82.185.174" + ]; + # Publicly routable IPv6 addresses only + exposeIpv6Hosts = [ + # Alex's box + "2607:b400:6:ce83:225:90ff:fe9b:ed30" + ]; + }; + + wgIface = "wg0"; + + lanIface = "enp3s0f1"; + lan = { + # Management + "10" = { + ipv4 = { + address = "10.98.4.1"; + cidr = 24; + }; + ipv6 = { + address = "2607:b400:6:ce80::1"; + cidr = 64; + }; + isolate = true; + allowRouterAccess = true; + domain = "mgmt"; + dhcpv4 = "10.98.4.128,10.98.4.254,12h"; + dhcpv6 = "ra-stateless,ra-names,12h"; + }; + # Untagged (native) VLAN Internal Traffic + "20" = { + ipv4 = { + address = "10.98.5.1"; + cidr = 24; + }; + ipv6 = { + address = "2607:b400:6:ce81::1"; + cidr = 64; + }; + isolate = false; + allowRouterAccess = true; + untagged = true; + domain = "internal"; + dhcpv4 = "10.98.5.128,10.98.5.254,12h"; + dhcpv6 = "ra-stateless,ra-names,12h"; + }; + # General Hosts + "30" = { + ipv4 = { + address = "10.98.6.1"; + cidr = 24; + # IPv4 hosts for ARP proxy + publicHosts = [ ]; + }; + ipv6 = { + address = "2607:b400:6:ce82::1"; + cidr = 64; + }; + isolate = false; + allowRouterAccess = true; + domain = "g"; + dhcpv4 = "10.98.6.128,10.98.6.254,12h"; + dhcpv6 = "ra-stateless,ra-names,12h"; + }; + # Co-location + "40" = { + ipv4 = { + address = "10.98.7.1"; + cidr = 24; + # IPv4 hosts for ARP proxy + publicHosts = [ + # Alex's box + "198.82.185.174" + ]; + }; + ipv6 = { + address = "2607:b400:6:ce83::1"; + 
cidr = 64; + }; + isolate = true; + allowRouterAccess = false; + domain = "colo"; + dhcpv4 = "10.98.7.128,10.98.7.254,12h"; + dhcpv6 = "ra-stateless,ra-names,12h"; + }; + }; + + checkUntagged = lib.asserts.assertMsg ( + builtins.length ( + builtins.filter (e: builtins.hasAttr "untagged" e.snd) ( + lib.lists.zipLists (builtins.attrNames lan) (builtins.attrValues lan) + ) + ) == 1 + ) "There must be exactly one untagged VLAN for LAN" lan; in { - imports = - [ - ./hardware-configuration.nix - ../common/nix.nix - ../common/sshd.nix - ../common/users-local.nix - ../common/tz-locale.nix + imports = [ + ./hardware-configuration.nix + ../common/nix.nix + ../common/sshd.nix + ../common/users-local.nix + ../common/tz-locale.nix - ./dns.nix - (import ./router.nix { - inherit wan_iface lan_iface lan_addr lan_cidr wg_iface; - wan_gateway = "198.82.185.129"; - wan_addr = "198.82.185.170"; - wan_cidr = 22; - wan_addr6 = "2001:468:c80:6119:82c1:6eff:fe21:2b88"; - wan_cidr6 = 64; - }) - (import ./firewall.nix { - inherit lan_iface; - }) - (import ./dhcp.nix { - inherit lan_iface; - dhcp_start = "10.98.5.1"; - dhcp_end = "10.98.5.127"; - }) - (import ./wireguard.nix { - inherit config wg_iface; - }) - ]; + ./router.nix + (import ./lan.nix { + inherit lib lanIface lan; + }) + (import ./dhcp.nix { + inherit lib lanIface lan; + }) + (import ./wan.nix { + inherit wanIface wan; + }) + (import ./firewall.nix { + inherit + lib + lanIface + lan + wanIface + wan + wgIface + ; + }) + (import ./wireguard.nix { + inherit config wgIface; + }) + ]; + + environment.systemPackages = with pkgs; [ + neovim + helix + mtr + dig + tcpdump + ndisc6 + inetutils + ]; networking.hostName = "zerocool"; system.stateVersion = "25.05"; } - diff --git a/hosts/zerocool/dhcp.nix b/hosts/zerocool/dhcp.nix index bab2f1a..89e2319 100644 --- a/hosts/zerocool/dhcp.nix +++ b/hosts/zerocool/dhcp.nix 
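Review bot: `checkUntagged` in the `let` block is never referenced from the returned attribute set, so under lazy evaluation the assertion is dead and the "exactly one untagged VLAN" invariant is not enforced; it would also fail if it were evaluated, because `lib.asserts.assertMsg` takes only the predicate and the message, and the trailing `lan` argument applies the resulting boolean as a function. Drop the extra argument and force the check at the point of use: `in assert checkUntagged; {`. The same `lan` table is consumed by dhcp.nix, lan.nix and firewall.nix, each of which re-derives the untagged VLAN with its own `throw`, so enforcing the invariant once here is the cheapest place to do it.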
@@ -1,20 +1,73 @@ -{ lan_iface, dhcp_start, dhcp_end }: +{ + lib, + lanIface, + lan, + ... +}: let hosts = import ./static-hosts.nix; - dnsmasq-hosts = builtins.map (host: - "${host.mac},${host.ipv4},${host.name}" - ) hosts; + dnsmasqHosts = builtins.map (host: "${host.mac},${host.ipv4},${host.name}") hosts; + globalDomain = "mcb.vtluug.org"; + + taggedVlans = ( + builtins.filter (e: !builtins.hasAttr "untagged" e.snd) ( + lib.lists.zipLists (builtins.attrNames lan) (builtins.attrValues lan) + ) + ); + untaggedVlan = lib.lists.findFirst ( + e: builtins.hasAttr "untagged" e + ) (throw "Must have untagged VLAN") (builtins.attrValues lan); + + interfaces = builtins.map (e: "vlan${e.fst}") ( + builtins.filter ( + e: (builtins.hasAttr "dhcpv4" e.snd) || (builtins.hasAttr "dhcpv6" e.snd) + ) taggedVlans + ); in { + networking.nameservers = [ + "::" + "127.0.0.1" + ]; + + # DNS, DHCPv4, DHCPv6 + networking.firewall.allowedUDPPorts = [ + 53 + 67 + 547 + ]; + services.dnsmasq = { enable = true; settings = { - interface = lan_iface; - dhcp-range = [ - "${dhcp_start},${dhcp_end},12h" - "10.98.4.2,static,255.255.255.0" + domain = + (lib.lists.optional (builtins.hasAttr "domain" untaggedVlan) "${untaggedVlan.domain}.${globalDomain},${untaggedVlan.ipv4.address}/${toString untaggedVlan.ipv4.cidr}") + ++ (builtins.map ( + e: "${e.snd.domain}.${globalDomain},${e.snd.ipv4.address}/${toString e.snd.ipv4.cidr}" + ) (builtins.filter (e: builtins.hasAttr "domain" e.snd) taggedVlans)); + server = [ + "9.9.9.9" + "2620:fe::fe" + "1.1.1.1" + "2606:4700:4700::1111" + "/whit.vtluug.org/10.98.3.2" + "/bastille.vtluug.org/10.98.3.2" ]; - "dhcp-host" = dnsmasq-hosts; + interface = + (lib.lists.optional ( + (builtins.hasAttr "dhcpv4" untaggedVlan) || (builtins.hasAttr "dhcpv6" untaggedVlan) + ) lanIface) + ++ interfaces; + dhcp-range = + (lib.lists.optional (builtins.hasAttr "dhcpv4" untaggedVlan) "interface:${lanIface},${untaggedVlan.dhcpv4}") + ++ (lib.lists.optional (builtins.hasAttr "dhcpv6" 
untaggedVlan) "interface:${lanIface},::,constructor:${lanIface},${untaggedVlan.dhcpv6}") + ++ (builtins.map (e: "interface:vlan${e.fst},${e.snd.dhcpv4}") ( + builtins.filter (e: builtins.hasAttr "dhcpv4" e.snd) taggedVlans + )) + ++ (builtins.map (e: "interface:vlan${e.fst},::,constructor:vlan${e.fst},${e.snd.dhcpv6}") ( + builtins.filter (e: builtins.hasAttr "dhcpv6" e.snd) taggedVlans + )); + dhcp-host = dnsmasqHosts; }; }; -} \ No newline at end of file +} diff --git a/hosts/zerocool/dns.nix b/hosts/zerocool/dns.nix deleted file mode 100644 index 86be9cb..0000000 --- a/hosts/zerocool/dns.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ config, pkgs, ... }: -{ - networking.nameservers = [ - "1.1.1.1" - "9.9.9.9" - ]; -} diff --git a/hosts/zerocool/firewall.nix b/hosts/zerocool/firewall.nix index 090667d..10c3187 100644 --- a/hosts/zerocool/firewall.nix +++ b/hosts/zerocool/firewall.nix 
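Review bot: `networking.firewall.allowedUDPPorts = [ 53 67 547 ]` is not scoped to an interface, and with `networking.firewall.enable = true` set in firewall.nix the NixOS firewall's own nftables table accepts DNS and DHCP on every interface, including `${wanIface}`; only the separate WAN `drop` rule in the custom ruleset keeps them off the WAN, which is a fragile dependency between two modules. Prefer the per-interface form, e.g. `networking.firewall.interfaces.${lanIface}.allowedUDPPorts = [ 53 67 547 ];` repeated for each `vlan${e.fst}` in `interfaces`, or drop the option entirely since the custom ruleset already carries the equivalent per-VLAN accepts. Separately, `builtins.hasAttr "untagged"` tests presence rather than value, so an entry with `untagged = false;` would still be treated as the native VLAN; `e.untagged or false` is the safer test.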
@@ -1,9 +1,201 @@ -{ lan_iface }: { - networking.nftables.enable = true; - networking.firewall = { + lib, + lanIface, + lan, + wanIface, + wan, + wgIface, + ... +}: +let + untaggedVlan = lib.lists.findFirst ( + e: builtins.hasAttr "untagged" e + ) (throw "Must have untagged VLAN") (builtins.attrValues lan); + + taggedVlans = ( + builtins.filter (e: !builtins.hasAttr "untagged" e.snd) ( + lib.lists.zipLists (builtins.attrNames lan) (builtins.attrValues lan) + ) + ); + + routerAccess = lib.strings.concatStringsSep "\n" ( + builtins.map ( + e: ''iifname { "vlan${e.fst}" } accept comment "Allow vlan${e.fst} to access the router"'' + ) (builtins.filter (e: e.snd.allowRouterAccess) taggedVlans) + ++ (lib.lists.optional (untaggedVlan.allowRouterAccess) ''iifname { "${lanIface}" } accept comment "Allow ${lanIface} to access the router"'') + ); + + routerDenyAccess = lib.strings.concatStringsSep "\n" ( + builtins.map ( + e: ''iifname { "vlan${e.fst}" } drop comment "Deny vlan${e.fst} to access the router"'' + ) (builtins.filter (e: !e.snd.allowRouterAccess) taggedVlans) + ++ (lib.lists.optional ( + !untaggedVlan.allowRouterAccess + ) ''iifname { "${lanIface}" } drop comment "Deny ${lanIface} to access the router"'') + ); + + isolateVlans = lib.strings.concatStringsSep "\n" ( + builtins.map (e: '' + iifname { "vlan${e.fst}" } oifname { "${lanIface}", "${wgIface}", "vlan*" } drop comment "Isolate vlan${e.fst} from luug network" + iifname { "${lanIface}", "${wgIface}", "vlan*" } oifname { "vlan${e.fst}" } drop comment "Allow luug network from vlan${e.fst}" + '') (builtins.filter (e: e.snd.isolate) taggedVlans) + ++ (lib.lists.optional (untaggedVlan.isolate) '' + iifname { "${lanIface}" } oifname { "${wgIface}", "vlan*" } drop comment "Isolate ${lanIface} from luug network" + iifname { "${wgIface}", "vlan*" } oifname { "${lanIface}" } drop comment "Isolate luug network from ${lanIface}" + '') + ); + + luugNetworkForward = lib.strings.concatStringsSep "\n" ( + builtins.map (e: 
'' + iifname { "vlan${e.fst}" } oifname { "${lanIface}", "${wgIface}", "vlan*" } accept comment "Allow vlan${e.fst} to luug network" + iifname { "${lanIface}", "${wgIface}", "vlan*" } oifname { "vlan${e.fst}" } accept comment "Allow luug network to vlan${e.fst}" + '') (builtins.filter (e: !e.snd.isolate) taggedVlans) + ++ (lib.lists.optional (!untaggedVlan.isolate) '' + iifname { "${lanIface}" } oifname { "${wgIface}", "vlan*"} accept comment "Allow ${lanIface} to luug network" + iifname { "${wgIface}", "vlan*" } oifname { "${lanIface}" } accept comment "Allow luug network to ${lanIface}" + '') + ); + + deniedVlanDhcpv4Access = lib.strings.concatStringsSep "\n" ( + builtins.map (e: '' + iifname { "vlan${e.fst}" } udp dport { 53, 67 } accept comment "Allow vlan${e.fst} DHCP and DNS access the router" + iifname { "vlan${e.fst}" } tcp dport 53 accept comment "Allow vlan${e.fst} TCP DNS access the router" + '') (builtins.filter (e: !e.snd.allowRouterAccess && (builtins.hasAttr "dhcpv4" e.snd)) taggedVlans) + ++ (lib.lists.optional (!untaggedVlan.allowRouterAccess && (builtins.hasAttr "dhcpv4" untaggedVlan)) + '' + iifname { "${lanIface}" } udp dport { 53, 67 } accept comment "Allow ${lanIface} DHCP and DNS access the router" + iifname { "${lanIface}" } tcp dport 53 accept comment "Allow ${lanIface} TCP DNS access the router" + '' + ) + ); + + deniedVlanDhcpv6Access = lib.strings.concatStringsSep "\n" ( + builtins.map (e: '' + iifname { "vlan${e.fst}" } udp dport { 53, 547 } accept comment "Allow vlan${e.fst} DHCP and DNS access the router" + iifname { "vlan${e.fst}" } tcp dport 53 accept comment "Allow vlan${e.fst} TCP DNS access the router" + '') (builtins.filter (e: !e.snd.allowRouterAccess && (builtins.hasAttr "dhcpv6" e.snd)) taggedVlans) + ++ (lib.lists.optional (!untaggedVlan.allowRouterAccess && (builtins.hasAttr "dhcpv6" untaggedVlan)) + '' + iifname { "${lanIface}" } udp dport { 53, 547 } accept comment "Allow ${lanIface} DHCP and DNS access the router" + 
iifname { "${lanIface}" } tcp dport 53 accept comment "Allow ${lanIface} TCP DNS access the router" + '' + ) + ); + + exposedUdpPorts = lib.strings.concatStringsSep "\n" ( + builtins.map (port: '' + iifname { "${wanIface}" } udp dport ${toString port} accept comment "Allow UDP port ${toString port} from WAN" + '') wan.udpPorts + ); + + exposedTcpPorts = lib.strings.concatStringsSep "\n" ( + builtins.map (port: '' + iifname { "${wanIface}" } tcp dport ${toString port} accept comment "Allow TCP port ${toString port} from WAN" + '') wan.tcpPorts + ); + + exposedIpv4Hosts = lib.strings.concatStringsSep "\n" ( + builtins.map (daddr: '' + iifname { "${wanIface}" } ip daddr ${daddr} accept comment "Expose ${daddr} to WAN" + oifname { "${wanIface}" } ip saddr ${daddr} accept comment "Expose ${daddr} to WAN" + '') wan.exposeIpv4Hosts + ); + + exposedIpv4HostsNatDisable = lib.strings.concatStringsSep "," ( + builtins.map (toString) wan.exposeIpv4Hosts + ); + + exposedIpv6Hosts = lib.strings.concatStringsSep "\n" ( + builtins.map (daddr: '' + iifname { "${wanIface}" } ip6 daddr ${daddr} accept comment "Expose ${daddr} to WAN" + oifname { "${wanIface}" } ip6 saddr ${daddr} accept comment "Expose ${daddr} to WAN" + '') wan.exposeIpv6Hosts + ); +in +{ + networking.firewall.enable = true; + + networking.nftables = { enable = true; - allowPing = true; - trustedInterfaces = [ lan_iface ]; + ruleset = '' + table ip filter { + chain input { + type filter hook input priority 0; policy drop; + + ct state { established, related } accept comment "Allow all established traffic" + iifname { "${wgIface}" } accept comment "Allow wireguard to access the router" + + iifname { "${wanIface}", "${lanIface}", "vlan*" } icmp type { echo-request, destination-unreachable, time-exceeded } counter accept comment "Allow select ICMP" + + ${routerAccess} + ${deniedVlanDhcpv4Access} + + ${exposedUdpPorts} + ${exposedTcpPorts} + + ${routerDenyAccess} + iifname "${wanIface}" counter drop comment "Drop all 
other unsolicited traffic from wan" + + iif lo accept comment "Allow all loopback traffic" + } + + chain forward { + type filter hook forward priority 0; policy drop; + + ct state { established, related } accept comment "Allow all established traffic" + iifname { "${lanIface}", "vlan*" } oifname { "${wanIface}" } accept comment "Allow all traffic going out" + + ${isolateVlans} + ${luugNetworkForward} + + ${exposedIpv4Hosts} + } + } + + table ip nat { + chain postrouting { + type nat hook postrouting priority 100; policy accept; + oifname "${wanIface}" ip saddr != { ${exposedIpv4HostsNatDisable} } masquerade comment "NAT IPv4 traffic to WAN" + } + } + + table ip6 filter { + chain input { + type filter hook input priority 0; policy drop; + + ct state { established, related } accept comment "Allow all established traffic" + iifname { "${wgIface}" } accept comment "Allow wireguard to access the router" + + iifname { "${wanIface}", "${lanIface}", "vlan*" } icmpv6 type { + destination-unreachable, packet-too-big, time-exceeded, + parameter-problem, echo-request, echo-reply, + nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert + } accept comment "Allow essential ICMPv6" + + ${routerAccess} + ${deniedVlanDhcpv6Access} + + ${exposedUdpPorts} + ${exposedTcpPorts} + + ${routerDenyAccess} + iifname "${wanIface}" counter drop comment "Drop all other unsolicited traffic from WAN" + + iif lo accept comment "Allow all loopback traffic" + } + + chain forward { + type filter hook forward priority 0; policy drop; + + ct state { established, related } accept comment "Allow all established traffic" + iifname { "${lanIface}", "vlan*" } oifname { "${wanIface}" } accept comment "Allow all traffic going out" + + ${isolateVlans} + ${luugNetworkForward} + + ${exposedIpv6Hosts} + } + } + ''; }; } diff --git a/hosts/zerocool/hardware-configuration.nix b/hosts/zerocool/hardware-configuration.nix index fdebaf2..1e3ff38 100644 --- a/hosts/zerocool/hardware-configuration.nix 
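Review bot: The ICMPv6 accept rule in the `table ip6 filter` input chain omits `nd-router-solicit`, so router solicitations are only accepted on VLANs that later fall through to `${routerAccess}`; on `vlan40`, where `allowRouterAccess = false` and `deniedVlanDhcpv6Access` covers only UDP 53/547, solicitations are dropped and hosts must wait for dnsmasq's unsolicited RAs before `ra-stateless` addressing works. Add it to the set: `parameter-problem, echo-request, echo-reply, nd-router-solicit,`. Two smaller points: the NAT rule `ip saddr != { ${exposedIpv4HostsNatDisable} }` becomes the unparseable set `{ }` if `wan.exposeIpv4Hosts` is ever emptied, so wrap that clause in `lib.optionalString`; and none of the four chains drops `ct state invalid`, which is the usual companion to the established/related accept in a policy-drop chain.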
+++ b/hosts/zerocool/hardware-configuration.nix @@ -1,14 +1,29 @@ # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: +{ + config, + lib, + pkgs, + modulesPath, + ... +}: { - imports = - [ (modulesPath + "/installer/scan/not-detected.nix") - ]; + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; - boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ata_piix" "hpsa" "usb_storage" "usbhid" "sd_mod" "sr_mod" ]; + boot.initrd.availableKernelModules = [ + "uhci_hcd" + "ehci_pci" + "ata_piix" + "hpsa" + "usb_storage" + "usbhid" + "sd_mod" + "sr_mod" + ]; boot.initrd.kernelModules = [ ]; boot.kernelModules = [ "kvm-intel" ]; boot.extraModulePackages = [ ]; @@ -16,10 +31,10 @@ boot.loader.grub.enable = true; boot.loader.grub.device = "/dev/sda"; - fileSystems."/" = - { device = "/dev/disk/by-uuid/d8144b9a-85d4-4ea3-938a-f21f2795d967"; - fsType = "ext4"; - }; + fileSystems."/" = { + device = "/dev/disk/by-uuid/d8144b9a-85d4-4ea3-938a-f21f2795d967"; + fsType = "ext4"; + }; swapDevices = [ ]; diff --git a/hosts/zerocool/lan.nix b/hosts/zerocool/lan.nix new file mode 100644 index 0000000..649f6bb --- /dev/null +++ b/hosts/zerocool/lan.nix 
@@ -0,0 +1,93 @@ +{ + lib, + lanIface, + lan, + ... +}: +let + untaggedVlan = lib.lists.findFirst ( + e: builtins.hasAttr "untagged" e + ) (throw "Must have untagged VLAN") (builtins.attrValues lan); +in +{ + networking.vlans = builtins.listToAttrs ( + builtins.map + (e: { + name = "vlan${e.fst}"; + value = { + id = builtins.fromJSON e.fst; + interface = lanIface; + }; + }) + ( + builtins.filter (e: !builtins.hasAttr "untagged" e.snd) ( + lib.lists.zipLists (builtins.attrNames lan) (builtins.attrValues lan) + ) + ) + ); + + networking.interfaces = builtins.listToAttrs ( + # Tagged VLANs + (builtins.map + (e: { + name = "vlan${e.fst}"; + value = { + useDHCP = false; + ipv4.addresses = [ + { + address = e.snd.ipv4.address; + prefixLength = e.snd.ipv4.cidr; + } + ]; + ipv6.addresses = [ + { + address = e.snd.ipv6.address; + prefixLength = e.snd.ipv6.cidr; + } + ]; + ipv4.routes = lib.optionals (builtins.hasAttr "publicHosts" e.snd.ipv4) ( + builtins.map (host: { + address = host; + prefixLength = 32; + }) e.snd.ipv4.publicHosts + ); + proxyARP = (builtins.hasAttr "publicHosts" e.snd.ipv4) && (builtins.length e.snd.ipv4.publicHosts > 0); + }; + }) + ( + builtins.filter (e: !builtins.hasAttr "untagged" e.snd) ( + lib.lists.zipLists (builtins.attrNames lan) (builtins.attrValues lan) + ) + ) + ) + ++ [ + # Untagged (native) VLAN + { + name = lanIface; + value = { + useDHCP = false; + ipv4.addresses = [ + { + address = untaggedVlan.ipv4.address; + prefixLength = untaggedVlan.ipv4.cidr; + } + ]; + ipv6.addresses = [ + { + address = untaggedVlan.ipv6.address; + prefixLength = untaggedVlan.ipv6.cidr; + } + ]; + ipv4.routes = lib.optionals (builtins.hasAttr "publicHosts" untaggedVlan.ipv4) ( + builtins.map (host: { + address = host; + prefixLength = 32; + }) untaggedVlan.ipv4.publicHosts + ); + proxyARP = (builtins.hasAttr "publicHosts" untaggedVlan.ipv4) && (builtins.length untaggedVlan.ipv4.publicHosts > 0); + + }; + } + ] + ); +} 
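Review bot: `untaggedVlan` and the tagged-VLAN list are re-derived here with the same `findFirst`/`throw` and `zipLists` expressions that dhcp.nix and firewall.nix also carry, and every copy tests `builtins.hasAttr "untagged"` (presence, not value), so computing `untaggedVlan` and `taggedVlans` once in configuration.nix and passing them in would keep the three modules in step and give one place to fix the test to `e.untagged or false`. `id = builtins.fromJSON e.fst;` works for the numeric keys but `id = lib.toInt e.fst;` states the intent; the `builtins.filter ... zipLists` pipeline is also written out twice in this file and could be a single `let` binding. `proxyARP = true` on a VLAN interface with `publicHosts` makes the kernel answer ARP on that VLAN for every destination it can route via another interface, not only the listed hosts; if that is wider than intended, static proxy entries (`ip neigh add proxy <host> dev vlan40`) are the narrower tool, and a comment on the `proxyARP` line saying why it is enabled would help either way.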
diff --git a/hosts/zerocool/router.nix b/hosts/zerocool/router.nix
index 3164bfc..e789f7c 100644
--- a/hosts/zerocool/router.nix
+++ b/hosts/zerocool/router.nix
@@ -1,39 +1,9 @@
-{ wan_gateway, wan_iface, wan_addr, wan_cidr, wan_addr6, wan_cidr6, lan_iface, lan_addr, lan_cidr, wg_iface, ... }:
+{
+ ...
+}:
 {
 boot.kernel.sysctl = {
 "net.ipv4.conf.all.forwarding" = true;
 "net.ipv6.conf.all.forwarding" = true;
 };
- networking.nat = {
- enable = true;
- externalInterface = wan_iface;
- internalInterfaces = [ lan_iface wg_iface ];
- };
-
- networking.useDHCP = false;
- networking.defaultGateway = wan_gateway;
- networking.interfaces = {
- "${wan_iface}" = {
- ipv4.addresses = [
- {
- address = wan_addr;
- prefixLength = wan_cidr;
- }
- ];
- ipv6.addresses = [
- {
- address = wan_addr6;
- prefixLength = wan_cidr6;
- }
- ];
- };
- "${lan_iface}" = {
- ipv4.addresses = [
- {
- address = lan_addr;
- prefixLength = lan_cidr;
- }
- ];
- };
- };
 }
diff --git a/hosts/zerocool/static-hosts.nix b/hosts/zerocool/static-hosts.nix
index ce679d2..44ac731 100644
--- a/hosts/zerocool/static-hosts.nix
+++ b/hosts/zerocool/static-hosts.nix
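Review bot: The global `networking.useDHCP = false;` is removed together with the interface definitions, and the replacement files only set `useDHCP = false` per configured interface (wan.nix, lan.nix); any NIC not listed there falls back to the global default, which the generated hardware-configuration.nix commonly sets to `lib.mkDefault true`, so the router may start a DHCP client on an unconfigured port. Keep `networking.useDHCP = false;` here next to the forwarding sysctls, since this module is now the one place that holds router-wide settings. A one-line comment such as `# Router-wide kernel settings; interface config lives in wan.nix and lan.nix` would also explain why the module shrank to just the sysctls.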
@@ -1,87 +1,87 @@
- [
+[
 {
 name = "switch";
 mac = "00:12:a9:d5:d4:20";
- ipv4 = "10.98.4.2";
+ ipv4 = "10.98.6.2";
 }
 {
 name = "meltdown";
 mac = "02:00:0a:62:00:03";
- ipv4 = "10.98.4.3";
+ ipv4 = "10.98.6.3";
 }
 {
 name = "spectre";
 mac = "02:00:0a:62:00:04";
- ipv4 = "10.98.4.4";
+ ipv4 = "10.98.6.4";
 }
 {
 name = "cyberdelia";
 mac = "00:1e:4f:20:50:d6";
- ipv4 = "10.98.4.6";
+ ipv4 = "10.98.6.6";
 }
 {
 name = "dirtycow";
 mac = "00:1e:c9:ef:13:f8";
- ipv4 = "10.98.4.7";
+ ipv4 = "10.98.6.7";
 }
 {
 name = "gibson";
 mac = "48:4d:7e:f9:8b:e5";
- ipv4 = "10.98.4.8";
+ ipv4 = "10.98.6.8";
 }
 {
 name = "prospit";
 mac = "d8:9e:f3:3e:f9:41";
- ipv4 = "10.98.4.9";
+ ipv4 = "10.98.6.9";
 }
 {
 name = "chimera";
 mac = "02:00:0a:62:00:0a";
- ipv4 = "10.98.4.10";
+ ipv4 = "10.98.6.10";
 }
 {
 name = "sczi";
 mac = "02:00:0a:62:00:0b";
- ipv4 = "10.98.4.11";
+ ipv4 = "10.98.6.11";
 }
 {
 name = "acidburn";
 mac = "02:00:0a:62:00:0c";
- ipv4 = "10.98.4.12";
+ ipv4 = "10.98.6.12";
 }
 {
 name = "mirror";
 mac = "02:00:0a:62:00:10";
- ipv4 = "10.98.4.16";
+ ipv4 = "10.98.6.16";
 }
 {
 name = "crashoverride";
 mac = "02:00:0a:62:00:12";
- ipv4 = "10.98.4.18";
+ ipv4 = "10.98.6.18";
 }
 {
 name = "wargame";
 mac = "02:00:0a:62:00:13";
- ipv4 = "10.98.4.19";
+ ipv4 = "10.98.6.19";
 }
 {
 name = "sphinx";
 mac = "02:00:0a:62:00:0d";
- ipv4 = "10.98.4.20";
+ ipv4 = "10.98.6.20";
 }
 {
 name = "nikonwormhole";
 mac = "02:00:0a:62:00:0e";
- ipv4 = "10.98.4.21";
+ ipv4 = "10.98.6.21";
 }
 {
 name = "scaryterry";
 mac = "02:00:0a:62:00:0f";
- ipv4 = "10.98.4.22";
+ ipv4 = "10.98.6.22";
 }
 {
 name = "lora";
 mac = "60:81:f9:3e:c9:06";
- ipv4 = "10.98.4.253";
+ ipv4 = "10.98.6.127";
 }
-]
\ No newline at end of file
+]
diff --git a/hosts/zerocool/wan.nix b/hosts/zerocool/wan.nix
new file mode 100644
index 0000000..0a23a7e
--- /dev/null
+++ b/hosts/zerocool/wan.nix
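Review bot: Every reservation moves from 10.98.4.0/24 to 10.98.6.0/24, which in the new `lan` table is VLAN 30 ("General Hosts"), and the `switch` entry moves with it; if that is the managed switch's management address, it is now served on the general VLAN rather than the isolated Management VLAN 10 (10.98.4.0/24) that configuration.nix defines, which is worth confirming is intended. These entries only take effect for clients whose DHCP request arrives on `vlan30`, since dnsmasq matches a reservation against the subnet of the receiving interface, so a host still plugged into another VLAN will get a dynamic lease instead. A short header comment, e.g. `# Reservations for vlan30 (10.98.6.0/24); keep below the dhcpv4 pool start in configuration.nix`, would make that coupling visible to the next editor.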
@@ -0,0 +1,27 @@ +{ wanIface, wan, ... }: +{ + networking.defaultGateway = wan.ipv4.gateway; + networking.defaultGateway6 = { + address = wan.ipv6.gateway; + interface = wanIface; + }; + + networking.interfaces = { + "${wanIface}" = { + useDHCP = false; + proxyARP = true; + ipv4.addresses = [ + { + address = wan.ipv4.address; + prefixLength = wan.ipv4.cidr; + } + ]; + ipv6.addresses = [ + { + address = wan.ipv6.address; + prefixLength = wan.ipv6.cidr; + } + ]; + }; + }; +} diff --git a/hosts/zerocool/wireguard.nix b/hosts/zerocool/wireguard.nix index b9c42f4..42916a1 100644 --- a/hosts/zerocool/wireguard.nix +++ b/hosts/zerocool/wireguard.nix @@ -1,8 +1,8 @@ -{ config, wg_iface }: +{ config, wgIface }: { age.secrets."wg.priv".file = ../../secrets/zerocool/wg.priv.age; networking.wireguard.interfaces = { - "${wg_iface}" = { + "${wgIface}" = { ips = [ "10.98.255.2/32" ]; listenPort = 51820; @@ -11,12 +11,16 @@ allowedIPsAsRoutes = true; peers = [ - { # shellshock + { + # shellshock publicKey = "gEk7+YfwkxM89v+nqlGZTcaxMlhAN5vCCE8U+w+Vy2g="; endpoint = "128.173.88.191:51820"; - allowedIPs = [ - "10.98.255.1/32" # wg fabric - "10.98.0.0/22" # whit + allowedIPs = [ + # Wireguard fabric + "10.98.255.1/32" + + # Whittemore + "10.98.0.0/22" ]; persistentKeepalive = 25; }
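Review bot: `proxyARP = true;` on `${wanIface}` is presumably there so the upstream router can reach the `wan.exposeIpv4Hosts` addresses that sit behind this host on VLAN 40, but Linux proxy ARP answers on the WAN segment for every destination the router routes via another interface, which here includes all the 10.98.x.0/24 VLAN subnets and the WireGuard routes, not only the exposed public hosts. If the upstream segment is not fully trusted, the narrower mechanism is to leave `proxyARP` off and publish just the exposed addresses as static proxy entries (`ip neigh add proxy <exposed-host> dev ${wanIface}`), or to have upstream route those addresses to `wan.ipv4.address` instead. Either way a comment on the line, e.g. `# Answer ARP upstream for wan.exposeIpv4Hosts, which are routed to VLAN 40 (see lan.nix)`, would keep it from being removed as a stray setting.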