commit b9e797a002193a2417e5d629d38e469166e7cd9c · kitten.sh/system

machines/ramune/configuration.nix

···

       18
       18
        
               external = {

     

       19
       19
        
                 name = "extern0";

     

       20
       20
        
                 macAddress = "5c:1b:f4:7f:dc:cd";

     

       21
       21
       +
                 adoptMacAddress = "64:20:9f:16:70:a6";

     

       21
       22
        
               };

     

       22
       23
        
               internal = {

     

       23
       24
        
                 name = "intern0";

+1 -3

modules/router/kernel.nix

···

       52
       52
        
             "net.ipv4.tcp_syncookies" = true;

     

       53
       53
        
       

     

       54
       54
        
             "net.ipv6.conf.all.forwarding" = true;

     

       55
       55
       -
             "net.ipv6.conf.all.use_tempaddr" = false;

     

       56
       56
       -
             "net.ipv6.conf.all.autoconf" = false;

     

       57
       57
       -
             "net.ipv6.conf.all.accept_ra" = false;

     

       55
       55
       +
             "net.ipv6.conf.all.accept_ra" = 2;

     

       58
       56
        
       

     

       59
       57
        
             "kernel.kptr_restrict" = 2;

     

       60
       58
        
             "kernel.dmesg_restrict" = 0;

+40 -11

modules/router/network.nix

···

       29
       29
        
               type = types.str;

     

       30
       30
        
               example = "00:00:00:00:00:00";

     

       31
       31
        
             };

     

       32
       32
       +
             adoptMacAddress = mkOption {

     

       33
       33
       +
               type = types.nullOr types.str;

     

       34
       34
       +
               example = "00:00:00:00:00:00";

     

       35
       35
       +
             };

     

       32
       36
        
             cidr = mkOption {

     

       33
       37
        
               type = types.str;

     

       34
       38
        
               default = "0.0.0.0/0";

     
···

       54
       58
        
             type = types.bool;

     

       55
       59
        
             default = !config.services.avahi.enable;

     

       56
       60
        
           };

     

       61
       61
       +
           ipv6 = mkOption {

     

       62
       62
       +
             type = types.bool;

     

       63
       63
       +
             default = false;

     

       64
       64
       +
           };

     

       57
       65
        
           interfaces = {

     

       58
       66
        
             external = mkOption {

     

       59
       67
        
               type = interfaceType;

     
···

       77
       85
        
               linkConfig = {

     

       78
       86
        
                 Description = "External Network Interface";

     

       79
       87
        
                 Name = extern.name;

     

       80
       80
       -
                 # MACAddress = "64:20:9f:16:70:a6";

     

       88
       88
       +
                 MACAddress = extern.adoptMacAddress;

     

       81
       89
        
                 MTUBytes = "1500";

     

       82
       90
        
               };

     

       83
       91
        
             };

     
···

       99
       107
        
             };

     

       100
       108
        
             nameservers = [

     

       101
       109
        
               "1.1.1.1#cloudflare-dns.com"

     

       102
       102
       -
               "2606:4700:4700::1111#cloudflare-dns.com"

     

       103
       103
       -
             ];

     

       110
       110
       +
             ] ++ (if cfg.ipv6 then [ "2606:4700:4700::1111#cloudflare-dns.com" ] else []);

     

       104
       111
        
           };

     

       105
       112
        
       

     

       106
       113
        
           boot.initrd.systemd.network = {

     
···

       111
       118
        
           systemd.network = {

     

       112
       119
        
             enable = true;

     

       113
       120
        
             inherit links;

     

       114
       114
       -
             networks = {

     

       121
       121
       +
             networks = let

     

       122
       122
       +
               gatewayAddress = ipv4.prettyIp (ipv4.cidrToIpAddress intern.cidr);

     

       123
       123
       +
             in {

     

       115
       124
        
               "10-${extern.name}" = {

     

       116
       125
        
                 name = extern.name;

     

       117
       126
        
                 networkConfig = {

     

       118
       118
       -
                   DHCP = "ipv4";

     

       127
       127
       +
                   DHCP = if cfg.ipv6 then "yes" else "ipv4";

     

       119
       128
        
                   IPv4Forwarding = true;

     

       120
       129
        
                   IPv6Forwarding = true;

     

       121
       130
        
                 };

     
···

       124
       133
        
                   UseDomains = false;

     

       125
       134
        
                   UseNTP = !cfg.timeserver.enable;

     

       126
       135
        
                 };

     

       136
       136
       +
                 dhcpV6Config = mkIf cfg.ipv6 {

     

       137
       137
       +
                   WithoutRA = "solicit";

     

       138
       138
       +
                   UseDNS = false;

     

       139
       139
       +
                   UseDomains = false;

     

       140
       140
       +
                   UseAddress = false;

     

       141
       141
       +
                   DUIDType = "link-layer";

     

       142
       142
       +
                   DUIDRawData = mkIf (extern.adoptMacAddress != null) "00:01:${extern.adoptMacAddress}";

     

       143
       143
       +
                 };

     

       144
       144
       +
                 ipv6AcceptRAConfig = mkIf cfg.ipv6 {

     

       145
       145
       +
                   UseDNS = false;

     

       146
       146
       +
                   UseDomains = false;

     

       147
       147
       +
                   DHCPv6Client = "always";

     

       148
       148
       +
                 };

     

       127
       149
        
               };

     

       128
       150
        
             } // (optionalAttrs (intern != null) {

     

       129
       151
        
               "11-${intern.name}" = {

     
···

       134
       156
        
                   DHCPServer = true;

     

       135
       157
        
                   IPv4Forwarding = true;

     

       136
       158
        
                   IPv6Forwarding = true;

     

       159
       159
       +
                   IPMasquerade = "both";

     

       137
       160
        
                   ConfigureWithoutCarrier = true;

     

       138
       161
        
                   MulticastDNS = cfg.mdns;

     

       162
       162
       +
                   DHCPPrefixDelegation = cfg.ipv6;

     

       163
       163
       +
                   IPv6SendRA = cfg.ipv6;

     

       139
       164
        
                 };

     

       140
       165
        
       

     

       141
       141
       -
                 dhcpServerConfig = let

     

       142
       142
       -
                   gatewayAddress = ipv4.prettyIp (ipv4.cidrToIpAddress intern.cidr);

     

       143
       143
       -
                 in {

     

       166
       166
       +
                 dhcpServerConfig = {

     

       144
       167
        
                   EmitDNS = true;

     

       145
       168
        
                   EmitNTP = true;

     

       146
       169
        
                   DNS = gatewayAddress;

     
···

       153
       176
        
                   Address = lease.ipAddress;

     

       154
       177
        
                   MACAddress = lease.macAddress;

     

       155
       178
        
                 }) cfg.leases;

     

       179
       179
       +
       

     

       180
       180
       +
                 dhcpPrefixDelegationConfig = mkIf cfg.ipv6 {

     

       181
       181
       +
                   Announce = true;

     

       182
       182
       +
                 };

     

       156
       183
        
               };

     

       157
       184
        
             });

     

       158
       185
        
           };

     
···

       161
       188
        
             enable = true;

     

       162
       189
        
             fallbackDns = [

     

       163
       190
        
               "1.0.0.1"

     

       164
       164
       -
               "2606:4700:4700::1001"

     

       165
       165
       -
             ];

     

       191
       191
       +
             ] ++ (if cfg.ipv6 then [ "2606:4700:4700::1001" ] else []);

     

       166
       192
        
             dnsovertls = "opportunistic";

     

       167
       193
        
             extraConfig = strings.concatStringsSep "\n" [

     

       168
       168
       -
               "[Resolve]"

     

       194
       194
       +
               ''

     

       195
       195
       +
                 [Resolve]

     

       196
       196
       +
                 ReadEtcHosts=no

     

       197
       197
       +
               ''

     

       169
       198
        
               (optionalString cfg.mdns ''

     

       170
       199
        
                 MulticastDNS=yes

     

       171
       200
        
               '')

+3 -7

modules/router/nftables.nix

···

       79
       79
        
                   ip protocol icmp \

     

       80
       80
        
                     icmp type { destination-unreachable, echo-reply, echo-request, source-quench, time-exceeded } \

     

       81
       81
        
                     accept

     

       82
       82
       -
                   ip6 nexthdr icmpv6 accept

     

       83
       83
       -
                   udp dport 546 ct state { new, untracked } accept

     

       84
       84
       -
                   udp dport dhcpv6-client accept

     

       82
       82
       +
                   meta l4proto ipv6-icmp accept

     

       83
       83
       +
                   ip6 ecn not-ect accept

     

       84
       84
       +
                   udp dport dhcpv6-client ct state { new, untracked } accept

     

       85
       85
        
                   udp dport { http, https } ct state new accept

     

       86
       86
        
                   tcp dport { http, https } ct state new accept

     

       87
       87
        
                   udp dport 41641 ct state new accept

     
···

       90
       90
        
       

     

       91
       91
        
                 chain forward {

     

       92
       92
        
                   type filter hook forward priority 0; policy drop;

     

       93
       93
       -
                   ip6 nexthdr ipv6-icmp accept

     

       94
       94
       -
                   udp dport dhcpv6-client accept

     

       95
       93
        
                   ${blockForwardRules}

     

       96
       94
        
                   iifname { ${concatIfnames trustedInterfaces} } accept

     

       97
       95
        
                   oifname { ${concatIfnames trustedInterfaces} } ct state { established, related } accept

     
···

       100
       98
        
       

     

       101
       99
        
                 chain output {

     

       102
       100
        
                   type filter hook output priority 0; policy accept;

     

       103
       103
       -
                   ip6 nexthdr ipv6-icmp accept

     

       104
       104
       -
                   udp dport dhcpv6-client accept

     

       105
       101
        
                   iifname lo accept

     

       106
       102
        
                   ct state invalid drop

     

       107
       103
        
                 }

+2 -1

modules/server/tailscale.nix

···

       18
       18
        
         config = mkIf (cfg.enable && cfgRoot.enable) {

     

       19
       19
        
           networking = {

     

       20
       20
        
             domain = "fable-pancake.ts.net";

     

       21
       21
       +
             search = [ "fable-pancake.ts.net" ];

     

       21
       22
        
             firewall.trustedInterfaces = [ "tailscale0" ];

     

       22
       23
        
             hosts."${address}" = [ "${hostname}.fable-pancake.ts.net" hostname ];

     

       23
       24
        
           };

     
···

       30
       31
        
       

     

       31
       32
        
           services.tailscale = {

     

       32
       33
        
             enable = true;

     

       33
       33
       -
             useRoutingFeatures = "both";

     

       34
       34
       +
             useRoutingFeatures = "server";

     

       34
       35
        
             extraUpFlags = [ "--advertise-exit-node" "--ssh" "--accept-dns=false" ];

     

       35
       36
        
             extraDaemonFlags = [ "--no-logs-no-support" ];

     

       36
       37
        
             authKeyFile = "/run/secrets/tailscale";