From ae8d6897271cd35fc2d8ae4ebdfc58e5acadce65 Mon Sep 17 00:00:00 2001
From: nyanloutre
Date: Fri, 8 Nov 2024 11:04:12 +0100
Subject: [PATCH 1/8] =?UTF-8?q?Cr=C3=A9ation=20de=20la=20config=20de=20bas?=
 =?UTF-8?q?e=20WireGuard?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 systems/LoutreOS/configuration.nix | 196 +++++++++++++++++------
 1 file changed, 115 insertions(+), 81 deletions(-)

diff --git a/systems/LoutreOS/configuration.nix b/systems/LoutreOS/configuration.nix
index ccb68d8..899802e 100644
--- a/systems/LoutreOS/configuration.nix
+++ b/systems/LoutreOS/configuration.nix
@@ -1,7 +1,3 @@
-# Edit this configuration file to define what should be installed on
-# your system. Help is available in the configuration.nix(5) man page
-# and in the NixOS manual (accessible by running ‘nixos-help’).
-
 { config, pkgs, inputs, ... }:
 
 {
@@ -59,6 +55,11 @@
 useNetworkd = true;
 useDHCP = false;
 
+ nameservers = [
+ "1.1.1.1"
+ "1.0.0.1"
+ ];
+
 vlans = {
 bouygues = {
 id = 100;
@@ -133,86 +134,119 @@
 };
 };
 
- systemd.network.networks = {
- "40-bouygues" = {
- dhcpV4Config.RouteMetric = 1;
- dhcpV6Config = {
- DUIDRawData = "00:03:00:01:E8:AD:A6:21:73:68";
- WithoutRA = "solicit";
- };
- ipv6AcceptRAConfig.DHCPv6Client = true;
- networkConfig = {
- KeepConfiguration = "dhcp-on-stop";
- IPv6AcceptRA = true;
- DHCPPrefixDelegation = true;
- };
- dhcpPrefixDelegationConfig.SubnetId = "0";
- };
- "40-eno1".linkConfig.RequiredForOnline = "no";
- "40-eno2" = {
- networkConfig = {
- IPv6SendRA = true;
- DHCPPrefixDelegation = true;
- DHCPServer = true;
- };
- dhcpServerConfig = {
- # MIN = 10.30.100.0
- #PoolOffset = 25500;
- # MAX = 10.30.200.0
- #PoolSize = 25500;
- EmitRouter = true;
- EmitDNS = true;
- DNS = [
- "1.1.1.1"
- "1.0.0.1"
- ];
- };
- dhcpServerStaticLeases = [
- # IPMI
- {
- dhcpServerStaticLeaseConfig = {
- Address = "10.30.1.1";
- MACAddress = "ac:1f:6b:4b:01:15";
- };
- }
- # paul-fixe
- {
- dhcpServerStaticLeaseConfig = {
- Address = "10.30.50.1";
- MACAddress = "b4:2e:99:ed:24:26";
- };
- }
- # salonled
- {
- dhcpServerStaticLeaseConfig = {
- Address = "10.30.40.1";
- MACAddress = "e0:98:06:85:e9:ce";
- };
- }
- # miroir-bleu
- {
- dhcpServerStaticLeaseConfig = {
- Address = "10.30.40.2";
- MACAddress = "e0:98:06:86:38:fc";
- };
- }
- # miroir-orange
- {
- dhcpServerStaticLeaseConfig = {
- Address = "10.30.40.3";
- MACAddress = "50:02:91:78:be:be";
- };
- }
- ];
- ipv6SendRAConfig = {
- EmitDNS = true;
- DNS = [
- "2606:4700:4700::1111"
- "2606:4700:4700::1001"
+ systemd.network = {
+ enable = true;
+
+ netdevs = {
+ "10-wg0" = {
+ netdevConfig = {
+ Kind = "wireguard";
+ Name = "wg0";
+ };
+ wireguardConfig = {
+ PrivateKeyFile = "/run/keys/wireguard-privkey";
+ ListenPort = 9918;
+ };
+ wireguardPeers = [
+ {
+ PublicKey = "OhApdFoOYnKesRVpnYRqwk3pdM247j8PPVH5K7aIKX0=";
+ AllowedIPs = ["fc00::1/64" "10.100.0.1"];
+ Endpoint = "{set this to the server ip}:51820";
+ }
 ];
 };
 };
- "40-enp0s21u1".dhcpV4Config.RouteMetric = 1024;
+
+ networks = {
+ "40-bouygues" = {
+ dhcpV4Config.RouteMetric = 1;
+ dhcpV6Config = {
+ DUIDRawData = "00:03:00:01:E8:AD:A6:21:73:68";
+ WithoutRA = "solicit";
+ };
+ ipv6AcceptRAConfig.DHCPv6Client = true;
+ networkConfig = {
+ KeepConfiguration = "dhcp-on-stop";
+ IPv6AcceptRA = true;
+ DHCPPrefixDelegation = true;
+ };
+ dhcpPrefixDelegationConfig.SubnetId = "0";
+ };
+ "40-eno1".linkConfig.RequiredForOnline = "no";
+ "10-wg0" = {
+ matchConfig.Name = "wg0";
+ address = [
+ "fe80::3/64"
+ "fc00::3/120"
+ "10.100.0.2/24"
+ ];
+ };
+ "40-eno2" = {
+ networkConfig = {
+ IPv6SendRA = true;
+ DHCPPrefixDelegation = true;
+ DHCPServer = true;
+ };
+ dhcpServerConfig = {
+ # MIN = 10.30.100.0
+ #PoolOffset = 25500;
+ # MAX = 10.30.200.0
+ #PoolSize = 25500;
+ EmitRouter = true;
+ EmitDNS = true;
+ DNS = [
+ "1.1.1.1"
+ "1.0.0.1"
+ ];
+ };
+ dhcpServerStaticLeases = [
+ # IPMI
+ {
+ dhcpServerStaticLeaseConfig = {
+ Address = "10.30.1.1";
+ MACAddress = "ac:1f:6b:4b:01:15";
+ };
+ }
+ # paul-fixe
+ {
+ dhcpServerStaticLeaseConfig = {
+ Address = "10.30.50.1";
+ MACAddress = "b4:2e:99:ed:24:26";
+ };
+ }
+ # salonled
+ {
+ dhcpServerStaticLeaseConfig = {
+ Address = "10.30.40.1";
+ MACAddress = "e0:98:06:85:e9:ce";
+ };
+ }
+ # miroir-bleu
+ {
+ dhcpServerStaticLeaseConfig = {
+ Address = "10.30.40.2";
+ MACAddress = "e0:98:06:86:38:fc";
+ };
+ }
+ # miroir-orange
+ {
+ dhcpServerStaticLeaseConfig = {
+ Address = "10.30.40.3";
+ MACAddress = "50:02:91:78:be:be";
+ };
+ }
+ ];
+ ipv6SendRAConfig = {
+ EmitDNS = true;
+ DNS = [
+ "2606:4700:4700::1111"
+ "2606:4700:4700::1001"
+ ];
+ };
+ };
+ # Set 4G connection as low routing priority
+ "40-enp0s21u1".dhcpV4Config.RouteMetric = 1024;
+ };
 };
 
 services.openssh = {

From 67d7b6669f3353e91ea94afcb06b6b0d3806f264 Mon Sep 17 00:00:00 2001
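Review bot: `Endpoint = "{set this to the server ip}:51820"` is a literal placeholder committed into the wg0 peer, so networkd cannot resolve the endpoint and the tunnel stays down until a real address is filled in (the next patch in this series does that). `PrivateKeyFile = "/run/keys/wireguard-privkey"` is opened by networkd itself, so the file must exist before the netdev is created and be readable by the systemd-network user while staying closed to everyone else; nothing in this hunk shows what provisions it, so a comment such as `# provisioned out-of-band; expected root:systemd-network, mode 0640` next to it would help the next reader. The surrounding module continues past the end of this hunk.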
From: nyanloutre
Date: Wed, 13 Nov 2024 14:44:13 +0100
Subject: [PATCH 2/8] setup wireguard interface

---
 systems/LoutreOS/configuration.nix | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/systems/LoutreOS/configuration.nix b/systems/LoutreOS/configuration.nix
index 899802e..977bc58 100644
--- a/systems/LoutreOS/configuration.nix
+++ b/systems/LoutreOS/configuration.nix
@@ -142,16 +142,20 @@
 netdevConfig = {
 Kind = "wireguard";
 Name = "wg0";
+ MTUBytes = "1450";
 };
 wireguardConfig = {
 PrivateKeyFile = "/run/keys/wireguard-privkey";
- ListenPort = 9918;
+ #ListenPort = 9918;
 };
 wireguardPeers = [
 {
- PublicKey = "OhApdFoOYnKesRVpnYRqwk3pdM247j8PPVH5K7aIKX0=";
- AllowedIPs = ["fc00::1/64" "10.100.0.1"];
- Endpoint = "{set this to the server ip}:51820";
+ wireguardPeerConfig = {
+ PublicKey = "t3+JkBfXI1uw8fa9P6JfxXJfTPm9cOHcgIN215UHg2g=";
+ AllowedIPs = ["0.0.0.0/0" "::/0"];
+ Endpoint = "89.234.141.83";
+ PersistentKeepalive = 15;
+ };
 }
 ];
 };
@@ -176,9 +180,8 @@
 "10-wg0" = {
 matchConfig.Name = "wg0";
 address = [
- "fe80::3/64"
- "fc00::3/120"
- "10.100.0.2/24"
+ "89.234.141.196/32"
+ "2a00:5881:8119:400::1/128"
 ];
 };
 "40-eno2" = {

From e8e4c4b3115c080b527c1c85e27b25ac2c615727 Mon Sep 17 00:00:00 2001
From: nyanloutre
Date: Wed, 20 Nov 2024 09:15:56 +0100
Subject: [PATCH 3/8] wireguard partial setup

---
 systems/LoutreOS/configuration.nix | 41 ++++++++++++++++++++++++++++--
 1 file changed, 39 insertions(+), 2 deletions(-)

diff --git a/systems/LoutreOS/configuration.nix b/systems/LoutreOS/configuration.nix
index 977bc58..616c927 100644
--- a/systems/LoutreOS/configuration.nix
+++ b/systems/LoutreOS/configuration.nix
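Review bot: `Endpoint = "89.234.141.83";` carries no port, and networkd's `Endpoint=` parser expects host:port, so this peer setting will most likely be rejected with a parse error instead of defaulting to 51820; patch 3 of the series changes it to `Endpoint = "89.234.141.83:8095";`. With `#ListenPort = 9918;` commented out the kernel picks an ephemeral port, which is fine for a client that keeps the session alive with `PersistentKeepalive = 15`, but a disabled line reads as unfinished; either delete it or replace it with `# client-only peer: no fixed listen port needed`. `AllowedIPs = ["0.0.0.0/0" "::/0"]` only widens what the peer may send; as far as I can tell no routes are installed for it until a `RouteTable=` is set (patch 4 adds one), so nothing is tunnelled yet after this change.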
@@ -146,14 +146,15 @@
 };
 wireguardConfig = {
 PrivateKeyFile = "/run/keys/wireguard-privkey";
- #ListenPort = 9918;
+ FirewallMark = 51820;
 };
 wireguardPeers = [
 {
 wireguardPeerConfig = {
+ Endpoint = "89.234.141.83:8095";
 PublicKey = "t3+JkBfXI1uw8fa9P6JfxXJfTPm9cOHcgIN215UHg2g=";
+ PresharedKeyFile = "/run/keys/wireguard-psk.key";
 AllowedIPs = ["0.0.0.0/0" "::/0"];
- Endpoint = "89.234.141.83";
 PersistentKeepalive = 15;
 };
 }
@@ -183,6 +184,42 @@
 "89.234.141.196/32"
 "2a00:5881:8119:400::1/128"
 ];
+ # routingPolicyRules = [
+ # {
+ # routingPolicyRuleConfig = {
+ # FirewallMark = "51820";
+ # InvertRule = true;
+ # Table = "51820";
+ # Priority = "10";
+ # };
+ # }
+ # {
+ # routingPolicyRuleConfig = {
+ # To = "10.0.0.0/8";
+ # Priority = "9";
+ # };
+ # }
+ # {
+ # routingPolicyRuleConfig = {
+ # To = "192.168.0.0/16";
+ # Priority = "9";
+ # };
+ # }
+ # {
+ # routingPolicyRuleConfig = {
+ # To = "89.234.141.83/32";
+ # Priority = "5";
+ # };
+ # }
+ # ];
+ # routes = [
+ # {
+ # routeConfig = {
+ # Destination = "0.0.0.0/0";
+ # Table = 51820;
+ # };
+ # }
+ # ];
 };
 "40-eno2" = {
 networkConfig = {

From ca01004c8684550dfdf93dff9887ef3ed6ff889c Mon Sep 17 00:00:00 2001
From: nyanloutre
Date: Wed, 20 Nov 2024 16:50:26 +0100
Subject: [PATCH 4/8] multi table route setup

---
 systems/LoutreOS/configuration.nix | 255 +-----------------------
 systems/LoutreOS/network.nix | 309 +++++++++++++++++++++++++++++
 2 files changed, 310 insertions(+), 254 deletions(-)
 create mode 100644 systems/LoutreOS/network.nix

diff --git a/systems/LoutreOS/configuration.nix b/systems/LoutreOS/configuration.nix
index 616c927..330a373 100644
--- a/systems/LoutreOS/configuration.nix
+++ b/systems/LoutreOS/configuration.nix
@@ -5,6 +5,7 @@
 "${inputs.nixpkgs-unstable}/nixos/modules/services/misc/flaresolverr.nix"
 ../common-cli.nix
 ./hardware-configuration.nix
+ ./network.nix
 ./users.nix
 ./services.nix
 ];
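Review bot: `FirewallMark = 51820;` tags the packets wg0 emits, but nothing consumes the mark: the rules and route that would use it are committed commented out in the second hunk, so the mark is inert and only traffic sourced from the wg0 addresses reaches the tunnel. A 36-line commented block is dead configuration; if it records a plan, a short `# TODO: fwmark 51820 policy routing (table 51820) not enabled yet` keeps the intent without the noise. `PresharedKeyFile = "/run/keys/wireguard-psk.key"` has the same provisioning requirement as the private key above it (present at boot, readable by systemd-network only), and that is not documented anywhere in the file.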
@@ -21,8 +22,6 @@
 
 tmp.useTmpfs = true;
 
- kernel.sysctl."net.ipv6.conf.all.forwarding" = true;
-
 # Enabling both boot.enableContainers & virtualisation.containers on system.stateVersion < 22.05 is unsupported
 enableContainers = false;
 };
@@ -37,258 +36,6 @@
 };
 };
 
- hardware.usb-modeswitch.enable = true;
-
- # eno1 -> VLAN100 -> Internet
- # eno2 -> LAN
- # eno3 -> Legacy client DHCP
- # eno4 -> Pas utilisé
-
- networking = {
- hostName = "loutreos"; # Define your hostname.
- hostId = "7e66e347";
-
- hosts = {
- "127.0.0.1" = [ "gitea.nyanlout.re" ];
- };
-
- useNetworkd = true;
- useDHCP = false;
-
- nameservers = [
- "1.1.1.1"
- "1.0.0.1"
- ];
-
- vlans = {
- bouygues = {
- id = 100;
- interface = "eno1";
- };
- };
-
- interfaces = {
- bouygues = {
- # Adresse MAC BBox ? https://lafibre.info/remplacer-bbox/informations-de-connexion-ftth/msg598303/#msg598303
- macAddress = "E8:AD:A6:21:73:68";
- useDHCP = true;
- };
- eno2 = {
- ipv4.addresses = [
- { address = "10.30.0.1"; prefixLength = 16; }
- ];
- };
- enp0s21u1.useDHCP = true;
- };
-
- # NAT bouygues <-> eno2
- nat = {
- enable = true;
- externalInterface = "bouygues";
- # Permet d'utiliser le SNAT plus rapide au lieu de MASQUERADE
- # externalIP = "0.0.0.0";
- internalIPs = [ "10.30.0.0/16" ];
- internalInterfaces = [ "eno2" ];
- forwardPorts = [
- { destination = "10.30.0.1:22"; proto = "tcp"; sourcePort = 8443;}
- { destination = "10.30.135.35:25565"; proto = "tcp"; sourcePort = 25565; loopbackIPs=[ "195.36.180.44" ];}
- ];
- };
-
- firewall = {
- enable = true;
- allowedTCPPorts = [ 80 443 ];
- allowedUDPPorts = [ ];
- interfaces.eno2 = {
- allowedTCPPorts = [
- 111 2049 4000 4001 4002 # NFS
- 3483 9000 9090 # Slimserver
- 1935 # RTMP
- ];
- allowedUDPPorts = [
- 111 2049 4000 4001 4002 # NFS
- 3483 # Slimserver
- 67 # DHCP
- ];
- };
- extraCommands = ''
- ip6tables -w -D FORWARD -j loutreos-forward 2>/dev/null || true
- ip6tables -w -F loutreos-forward 2>/dev/null || true
- ip6tables -w -X loutreos-forward 2>/dev/null || true
- ip6tables -w -N loutreos-forward
- ip6tables -A loutreos-forward -m state --state RELATED,ESTABLISHED -j ACCEPT
- ip6tables -A loutreos-forward -j ACCEPT -i eno2
- ip6tables -A loutreos-forward -j nixos-fw-log-refuse
- ip6tables -w -A FORWARD -j loutreos-forward
-
- # Redirect local network request from server external IP to internal IP
- # Make the server available even without internet access
- iptables -t nat -D PREROUTING -s 10.30.0.0/16 -d 176.180.172.105 -j DNAT --to 10.30.0.1 || true
- iptables -t nat -A PREROUTING -s 10.30.0.0/16 -d 176.180.172.105 -j DNAT --to 10.30.0.1
- '';
- # remove refs to nixos-fw-log-refuse before restarting firewall
- # prevents "ressource busy" errors
- extraStopCommands = ''
- ip6tables -D loutreos-forward -j nixos-fw-log-refuse 2>/dev/null || true
- '';
- };
- };
-
- systemd.network = {
- enable = true;
-
- netdevs = {
- "10-wg0" = {
- netdevConfig = {
- Kind = "wireguard";
- Name = "wg0";
- MTUBytes = "1450";
- };
- wireguardConfig = {
- PrivateKeyFile = "/run/keys/wireguard-privkey";
- FirewallMark = 51820;
- };
- wireguardPeers = [
- {
- wireguardPeerConfig = {
- Endpoint = "89.234.141.83:8095";
- PublicKey = "t3+JkBfXI1uw8fa9P6JfxXJfTPm9cOHcgIN215UHg2g=";
- PresharedKeyFile = "/run/keys/wireguard-psk.key";
- AllowedIPs = ["0.0.0.0/0" "::/0"];
- PersistentKeepalive = 15;
- };
- }
- ];
- };
- };
-
- networks = {
- "40-bouygues" = {
- dhcpV4Config.RouteMetric = 1;
- dhcpV6Config = {
- DUIDRawData = "00:03:00:01:E8:AD:A6:21:73:68";
- WithoutRA = "solicit";
- };
- ipv6AcceptRAConfig.DHCPv6Client = true;
- networkConfig = {
- KeepConfiguration = "dhcp-on-stop";
- IPv6AcceptRA = true;
- DHCPPrefixDelegation = true;
- };
- dhcpPrefixDelegationConfig.SubnetId = "0";
- };
- "40-eno1".linkConfig.RequiredForOnline = "no";
- "10-wg0" = {
- matchConfig.Name = "wg0";
- address = [
- "89.234.141.196/32"
- "2a00:5881:8119:400::1/128"
- ];
- # routingPolicyRules = [
- # {
- # routingPolicyRuleConfig = {
- # FirewallMark = "51820";
- # InvertRule = true;
- # Table = "51820";
- # Priority = "10";
- # };
- # }
- # {
- # routingPolicyRuleConfig = {
- # To = "10.0.0.0/8";
- # Priority = "9";
- # };
- # }
- # {
- # routingPolicyRuleConfig = {
- # To = "192.168.0.0/16";
- # Priority = "9";
- # };
- # }
- # {
- # routingPolicyRuleConfig = {
- # To = "89.234.141.83/32";
- # Priority = "5";
- # };
- # }
- # ];
- # routes = [
- # {
- # routeConfig = {
- # Destination = "0.0.0.0/0";
- # Table = 51820;
- # };
- # }
- # ];
- };
- "40-eno2" = {
- networkConfig = {
- IPv6SendRA = true;
- DHCPPrefixDelegation = true;
- DHCPServer = true;
- };
- dhcpServerConfig = {
- # MIN = 10.30.100.0
- #PoolOffset = 25500;
- # MAX = 10.30.200.0
- #PoolSize = 25500;
- EmitRouter = true;
- EmitDNS = true;
- DNS = [
- "1.1.1.1"
- "1.0.0.1"
- ];
- };
- dhcpServerStaticLeases = [
- # IPMI
- {
- dhcpServerStaticLeaseConfig = {
- Address = "10.30.1.1";
- MACAddress = "ac:1f:6b:4b:01:15";
- };
- }
- # paul-fixe
- {
- dhcpServerStaticLeaseConfig = {
- Address = "10.30.50.1";
- MACAddress = "b4:2e:99:ed:24:26";
- };
- }
- # salonled
- {
- dhcpServerStaticLeaseConfig = {
- Address = "10.30.40.1";
- MACAddress = "e0:98:06:85:e9:ce";
- };
- }
- # miroir-bleu
- {
- dhcpServerStaticLeaseConfig = {
- Address = "10.30.40.2";
- MACAddress = "e0:98:06:86:38:fc";
- };
- }
- # miroir-orange
- {
- dhcpServerStaticLeaseConfig = {
- Address = "10.30.40.3";
- MACAddress = "50:02:91:78:be:be";
- };
- }
- ];
- ipv6SendRAConfig = {
- EmitDNS = true;
- DNS = [
- "2606:4700:4700::1111"
- "2606:4700:4700::1001"
- ];
- };
- };
- # Set 4G connection as low routing priority
- "40-enp0s21u1".dhcpV4Config.RouteMetric = 1024;
- };
- };
-
 services.openssh = {
 enable = true;
 settings = {
diff --git a/systems/LoutreOS/network.nix b/systems/LoutreOS/network.nix
new file mode 100644
index 0000000..0f83980
--- /dev/null
+++ b/systems/LoutreOS/network.nix
@@ -0,0 +1,309 @@
+{ config, pkgs, inputs, ... }:
+
+ {
+ boot = {
+ kernel.sysctl."net.ipv6.conf.all.forwarding" = true;
+ };
+
+ # Enable LTE drivers
+ hardware.usb-modeswitch.enable = true;
+
+ ##################
+ # NETWORK CONFIG #
+ ##################
+
+ # eno1 -> VLAN100 -> Internet
+ # eno2 -> LAN
+ # eno3 -> Pas utilisé
+ # eno4 -> Pas utilisé
+ # enp0s21u1 -> Clé 4G Bouygues
+ # wg0 -> Tunnel Wireguard ARN
+
+ networking = {
+ hostName = "loutreos"; # Define your hostname.
+ hostId = "7e66e347";
+
+ useNetworkd = true;
+ useDHCP = false;
+
+ nameservers = [
+ "1.1.1.1"
+ "1.0.0.1"
+ ];
+
+ vlans = {
+ bouygues = {
+ id = 100;
+ interface = "eno1";
+ };
+ };
+
+ interfaces = {
+ bouygues = {
+ # Adresse MAC BBox ? https://lafibre.info/remplacer-bbox/informations-de-connexion-ftth/msg598303/#msg598303
+ macAddress = "E8:AD:A6:21:73:68";
+ useDHCP = true;
+ };
+ eno2 = {
+ ipv4.addresses = [
+ { address = "10.30.0.1"; prefixLength = 16; }
+ ];
+ };
+ enp0s21u1.useDHCP = true;
+ };
+
+ # NAT bouygues <-> eno2
+ nat = {
+ enable = true;
+ externalInterface = "bouygues";
+ internalIPs = [ "10.30.0.0/16" ];
+ internalInterfaces = [ "eno2" ];
+ forwardPorts = [
+ { destination = "10.30.0.1:22"; proto = "tcp"; sourcePort = 8443;}
+ { destination = "10.30.135.35:25565"; proto = "tcp"; sourcePort = 25565; loopbackIPs=[ "195.36.180.44" ];}
+ ];
+ };
+
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [ 80 443 ];
+ allowedUDPPorts = [ ];
+
+ # Open ports on local netwok only
+ interfaces.eno2 = {
+ allowedTCPPorts = [
+ 111 2049 4000 4001 4002 # NFS
+ 3483 9000 9090 # Slimserver
+ 1935 # RTMP
+ ];
+ allowedUDPPorts = [
+ 111 2049 4000 4001 4002 # NFS
+ 3483 # Slimserver
+ 67 # DHCP
+ ];
+ };
+
+ extraCommands = ''
+ # Forward all IPv6 traffic from local network and reject incoming traffic
+ ip6tables -w -D FORWARD -j loutreos-forward 2>/dev/null || true
+ ip6tables -w -F loutreos-forward 2>/dev/null || true
+ ip6tables -w -X loutreos-forward 2>/dev/null || true
+ ip6tables -w -N loutreos-forward
+ ip6tables -A loutreos-forward -m state --state RELATED,ESTABLISHED -j ACCEPT
+ ip6tables -A loutreos-forward -j ACCEPT -i eno2
+ ip6tables -A loutreos-forward -j nixos-fw-log-refuse
+ ip6tables -w -A FORWARD -j loutreos-forward
+
+ # Redirect local network request from server external IP to internal IP
+ # Make the server available even without internet access
+ iptables -t nat -D PREROUTING -s 10.30.0.0/16 -d 176.180.172.105 -j DNAT --to 10.30.0.1 || true
+ iptables -t nat -A PREROUTING -s 10.30.0.0/16 -d 176.180.172.105 -j DNAT --to 10.30.0.1
+ '';
+ # remove refs to nixos-fw-log-refuse before restarting firewall
+ # prevents "ressource busy" errors
+ extraStopCommands = ''
+ ip6tables -D loutreos-forward -j nixos-fw-log-refuse 2>/dev/null || true
+ '';
+ };
+ };
+
+ #################
+ # ROUTING RULES #
+ #################
+
+ # 0: from all lookup local
+ # 50: from all ipproto tcp dport 25 lookup vpn
+ # 100: from all lookup fiber
+ # 200: from all lookup lte
+ # 32766: from all lookup main
+ # 32767: from all lookup default
+
+ systemd.network = {
+ enable = true;
+
+ config = {
+ routeTables = {
+ fiber = 1;
+ lte = 2;
+ vpn = 3;
+ };
+ addRouteTablesToIPRoute2 = true;
+ };
+
+ # Wireguard ARN device configuation
+ netdevs = {
+ "10-wg0" = {
+ netdevConfig = {
+ Kind = "wireguard";
+ Name = "wg0";
+ MTUBytes = "1450";
+ };
+ wireguardConfig = {
+ PrivateKeyFile = "/run/keys/wireguard-privkey";
+ RouteTable = "vpn";
+ };
+ wireguardPeers = [
+ {
+ wireguardPeerConfig = {
+ Endpoint = "89.234.141.83:8095";
+ PublicKey = "t3+JkBfXI1uw8fa9P6JfxXJfTPm9cOHcgIN215UHg2g=";
+ PresharedKeyFile = "/run/keys/wireguard-psk.key";
+ AllowedIPs = ["0.0.0.0/0" "::/0"];
+ PersistentKeepalive = 15;
+ };
+ }
+ ];
+ };
+ };
+
+ networks = {
+ #########
+ # FIBER #
+ #########
+
+ # Set DHCP client magic settings for Bouygues
+ # Put routes in fiber table
+ "40-bouygues" = {
+ dhcpV4Config.RouteTable = "fiber";
+ dhcpV6Config = {
+ DUIDRawData = "00:03:00:01:E8:AD:A6:21:73:68";
+ WithoutRA = "solicit";
+ };
+ ipv6AcceptRAConfig = {
+ DHCPv6Client = true;
+ RouteTable = "fiber";
+ };
+ networkConfig = {
+ KeepConfiguration = "dhcp-on-stop";
+ IPv6AcceptRA = true;
+ DHCPPrefixDelegation = true;
+ };
+ # Static attribution of first IPv6 subnet
+ dhcpPrefixDelegationConfig.SubnetId = "0";
+
+ # Route everything to fiber link with a priority of 100
+ routingPolicyRules = [
+ {
+ routingPolicyRuleConfig = {
+ Table = "fiber";
+ Priority = "100";
+ Family = "both";
+ };
+ }
+ ];
+ };
+
+ # Don't check VLAN physical interface as it is not directly used
+ "40-eno1".linkConfig.RequiredForOnline = "no";
+
+ #######
+ # LTE #
+ #######
+
+ # Put routes in lte table
+ "40-enp0s21u1" = {
+ dhcpV4Config.RouteTable = "lte";
+
+ # Route all to lte link with a priority of 200
+ routingPolicyRules = [
+ {
+ routingPolicyRuleConfig = {
+ Table = "lte";
+ Priority = "200";
+ Family = "both";
+ };
+ }
+ ];
+ };
+
+ #######
+ # VPN #
+ #######
+
+ # Wireguard ARN network configuation
+ "10-wg0" = {
+ matchConfig.Name = "wg0";
+ address = [
+ "89.234.141.196/32"
+ "2a00:5881:8119:400::1/128"
+ ];
+ routingPolicyRules = [
+ # Route outgoing emails to VPN table
+ {
+ routingPolicyRuleConfig = {
+ DestinationPort = "25";
+ Table = "vpn";
+ Priority = "50";
+ Family = "both";
+ };
+ }
+ ];
+ };
+
+ #######
+ # LAN #
+ #######
+
+ # LAN DHCP server config
+ "40-eno2" = {
+ networkConfig = {
+ IPv6SendRA = true;
+ DHCPPrefixDelegation = true;
+ DHCPServer = true;
+ };
+ dhcpServerConfig = {
+ EmitRouter = true;
+ EmitDNS = true;
+ DNS = [
+ "1.1.1.1"
+ "1.0.0.1"
+ ];
+ };
+ dhcpServerStaticLeases = [
+ # IPMI
+ {
+ dhcpServerStaticLeaseConfig = {
+ Address = "10.30.1.1";
+ MACAddress = "ac:1f:6b:4b:01:15";
+ };
+ }
+ # paul-fixe
+ {
+ dhcpServerStaticLeaseConfig = {
+ Address = "10.30.50.1";
+ MACAddress = "b4:2e:99:ed:24:26";
+ };
+ }
+ # salonled
+ {
+ dhcpServerStaticLeaseConfig = {
+ Address = "10.30.40.1";
+ MACAddress = "e0:98:06:85:e9:ce";
+ };
+ }
+ # miroir-bleu
+ {
+ dhcpServerStaticLeaseConfig = {
+ Address = "10.30.40.2";
+ MACAddress = "e0:98:06:86:38:fc";
+ };
+ }
+ # miroir-orange
+ {
+ dhcpServerStaticLeaseConfig = {
+ Address = "10.30.40.3";
+ MACAddress = "50:02:91:78:be:be";
+ };
+ }
+ ];
+ ipv6SendRAConfig = {
+ EmitDNS = true;
+ DNS = [
+ "2606:4700:4700::1111"
+ "2606:4700:4700::1001"
+ ];
+ };
+ };
+ };
+ };
+}

From 4df84a3be0ffa85c62123169351689d53b7c6570 Mon Sep 17 00:00:00 2001
From: nyanloutre
Date: Wed, 20 Nov 2024 21:19:10 +0100
Subject: [PATCH 5/8] begin migration to VPN

---
 systems/LoutreOS/network.nix | 66 +++++++++++++++++------------------
 systems/LoutreOS/services.nix | 16 ++++-----
 2 files changed, 41 insertions(+), 41 deletions(-)

diff --git a/systems/LoutreOS/network.nix b/systems/LoutreOS/network.nix
index 0f83980..7008094 100644
--- a/systems/LoutreOS/network.nix
+++ b/systems/LoutreOS/network.nix
@@ -140,7 +140,7 @@
 };
 wireguardConfig = {
 PrivateKeyFile = "/run/keys/wireguard-privkey";
- RouteTable = "vpn";
+ RouteTable = 3;
 };
 wireguardPeers = [
 {
@@ -164,14 +164,14 @@
 # Set DHCP client magic settings for Bouygues
 # Put routes in fiber table
 "40-bouygues" = {
- dhcpV4Config.RouteTable = "fiber";
+ dhcpV4Config.RouteMetric = 1;
 dhcpV6Config = {
 DUIDRawData = "00:03:00:01:E8:AD:A6:21:73:68";
 WithoutRA = "solicit";
 };
 ipv6AcceptRAConfig = {
 DHCPv6Client = true;
- RouteTable = "fiber";
+ # RouteTable = 1;
 };
 networkConfig = {
 KeepConfiguration = "dhcp-on-stop";
@@ -182,15 +182,15 @@
 dhcpPrefixDelegationConfig.SubnetId = "0";
 
 # Route everything to fiber link with a priority of 100
- routingPolicyRules = [
- {
- routingPolicyRuleConfig = {
- Table = "fiber";
- Priority = "100";
- Family = "both";
- };
- }
- ];
+ # routingPolicyRules = [
+ # {
+ # routingPolicyRuleConfig = {
+ # Table = 1;
+ # Priority = 100;
+ # Family = "both";
+ # };
+ # }
+ # ];
 };
 
 # Don't check VLAN physical interface as it is not directly used
@@ -202,18 +202,18 @@
 
 # Put routes in lte table
 "40-enp0s21u1" = {
- dhcpV4Config.RouteTable = "lte";
+ dhcpV4Config.RouteTable = 2;
 
 # Route all to lte link with a priority of 200
- routingPolicyRules = [
- {
- routingPolicyRuleConfig = {
- Table = "lte";
- Priority = "200";
- Family = "both";
- };
- }
- ];
+ # routingPolicyRules = [
+ # {
+ # routingPolicyRuleConfig = {
+ # Table = 2;
+ # Priority = 200;
+ # Family = "both";
+ # };
+ # }
+ # ];
 };
 
 #######
@@ -227,17 +227,17 @@
 "89.234.141.196/32"
 "2a00:5881:8119:400::1/128"
 ];
- routingPolicyRules = [
- # Route outgoing emails to VPN table
- {
- routingPolicyRuleConfig = {
- DestinationPort = "25";
- Table = "vpn";
- Priority = "50";
- Family = "both";
- };
- }
- ];
+ #routingPolicyRules = [
+ # # Route outgoing emails to VPN table
+ # {
+ # routingPolicyRuleConfig = {
+ # DestinationPort = "25";
+ # Table = 3;
+ # Priority = 50;
+ # Family = "both";
+ # };
+ # }
+ #];
 };
 
 #######
diff --git a/systems/LoutreOS/services.nix b/systems/LoutreOS/services.nix
index e4f0e79..fac5b6c 100644
--- a/systems/LoutreOS/services.nix
+++ b/systems/LoutreOS/services.nix
@@ -77,14 +77,14 @@ in
 };
 
 services = {
- postfix = {
- relayHost = "mailvps.nyanlout.re";
- relayPort = 587;
- config = {
- smtp_tls_cert_file = lib.mkForce "/var/lib/postfix/postfixrelay.crt";
- smtp_tls_key_file = lib.mkForce "/var/lib/postfix/postfixrelay.key";
- };
- };
+ # postfix = {
+ # relayHost = "mailvps.nyanlout.re";
+ # relayPort = 587;
+ # config = {
+ # smtp_tls_cert_file = lib.mkForce "/var/lib/postfix/postfixrelay.crt";
+ # smtp_tls_key_file = lib.mkForce "/var/lib/postfix/postfixrelay.key";
+ # };
+ # };
 rspamd.workers.controller.extraConfig = ''
 secure_ip = ["0.0.0.0/0", "::"];

From 4d8c76e2078de847d154c24fe2166e219fb545e3 Mon Sep 17 00:00:00 2001
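Review bot: Disabling the `postfix` relay block also removes `smtp_tls_cert_file`/`smtp_tls_key_file`, so mail now leaves this host directly and its transport security depends on `smtp_tls_security_level` being set somewhere else (as far as I can tell the NixOS module only sets it when `services.postfix.sslCert` is configured), yet the VPN path this commit prepares is not active because the port-25 rule in network.nix is commented out in the same patch, so in the meantime outgoing mail presumably goes out via `bouygues`. A one-line comment instead of the eight commented lines, e.g. `# relay retired: mail leaves directly via the ARN VPN address, see network.nix`, records the decision, and the commented block should be deleted once the migration lands. Unchanged context in this hunk: the rspamd controller `secure_ip = ["0.0.0.0/0", "::"]` trusts every source address, which is only safe if that worker listens on loopback alone.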
From: nyanloutre
Date: Thu, 21 Nov 2024 11:32:35 +0100
Subject: [PATCH 6/8] Working outgoing emails

---
 systems/LoutreOS/network.nix | 39 ++++++++++++++++++++++++++----------
 1 file changed, 28 insertions(+), 11 deletions(-)

diff --git a/systems/LoutreOS/network.nix b/systems/LoutreOS/network.nix
index 7008094..7bab14d 100644
--- a/systems/LoutreOS/network.nix
+++ b/systems/LoutreOS/network.nix
@@ -227,17 +227,34 @@
 "89.234.141.196/32"
 "2a00:5881:8119:400::1/128"
 ];
- #routingPolicyRules = [
- # # Route outgoing emails to VPN table
- # {
- # routingPolicyRuleConfig = {
- # DestinationPort = "25";
- # Table = 3;
- # Priority = 50;
- # Family = "both";
- # };
- # }
- #];
+ routingPolicyRules = [
+ # Route outgoing emails to VPN table
+ {
+ routingPolicyRuleConfig = {
+ IncomingInterface = "lo";
+ DestinationPort = "25";
+ Table = 3;
+ Priority = 50;
+ Family = "both";
+ };
+ }
+ # Route packets originating from wg0 device to VPN table
+ # Allow server to respond on the wg0 interface requests
+ {
+ routingPolicyRuleConfig = {
+ From = "89.234.141.196";
+ Table = 3;
+ Priority = 49;
+ };
+ }
+ {
+ routingPolicyRuleConfig = {
+ From = "2a00:5881:8119:400::1";
+ Table = 3;
+ Priority = 49;
+ };
+ }
+ ];
 };
 
 #######

From 8ad48e5aa48784ab97c1ddefbca1958921bd2059 Mon Sep 17 00:00:00 2001
From: nyanloutre
Date: Mon, 25 Nov 2024 17:26:38 +0100
Subject: [PATCH 7/8] set Wireguard keys with credentials

---
 systems/LoutreOS/network.nix | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/systems/LoutreOS/network.nix b/systems/LoutreOS/network.nix
index 7bab14d..c42c405 100644
--- a/systems/LoutreOS/network.nix
+++ b/systems/LoutreOS/network.nix
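Review bot: `DestinationPort = "25"` still matches any IP protocol because no `IPProtocol` is given (raised on patch 4); `IPProtocol = "tcp";` limits the rule to SMTP, as `# Route outgoing emails to VPN table` intends. `IncomingInterface = "lo"` is the right scope: it keeps forwarded LAN traffic out of table 3 so only this host's own mail uses the tunnel. The two `From =` rules at priority 49 repeat the literal addresses from `address` above; binding them once (as patch 8 does) avoids the two drifting apart, and a comment on the numbers (`# 49 is evaluated before 50 so replies sourced from the wg0 addresses always use the vpn table`) would explain the ordering.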
@@ -107,6 +107,13 @@
 };
 };
 
+ systemd.services.systemd-networkd.serviceConfig = {
+ LoadCredential = [
+ "network.wireguard.private.wg0:/mnt/secrets/wireguard/wireguard.private"
+ "network.wireguard.preshared.wg0:/mnt/secrets/wireguard/wireguard.preshared"
+ ];
+ };
+
 #################
 # ROUTING RULES #
 #################
@@ -139,7 +146,9 @@
 MTUBytes = "1450";
 };
 wireguardConfig = {
- PrivateKeyFile = "/run/keys/wireguard-privkey";
+ PrivateKeyFile = "/run/credentials/systemd-networkd.service/network.wireguard.private.wg0";
+ # Wait for 24.11
+ # PrivateKey = "@network.wireguard.private.wg0";
 RouteTable = 3;
 };
 wireguardPeers = [
@@ -147,7 +156,9 @@
 wireguardPeerConfig = {
 Endpoint = "89.234.141.83:8095";
 PublicKey = "t3+JkBfXI1uw8fa9P6JfxXJfTPm9cOHcgIN215UHg2g=";
- PresharedKeyFile = "/run/keys/wireguard-psk.key";
+ PresharedKeyFile = "/run/credentials/systemd-networkd.service/network.wireguard.preshared.wg0";
+ # Wait for 24.11
+ # PresharedKey = "@network.wireguard.preshared.wg0";
 AllowedIPs = ["0.0.0.0/0" "::/0"];
 PersistentKeepalive = 15;
 };

From 0d64372b579dec1f75172329203dba4be7ea4525 Mon Sep 17 00:00:00 2001
From: nyanloutre
Date: Mon, 25 Nov 2024 18:09:42 +0100
Subject: [PATCH 8/8] remove comments

---
 systems/LoutreOS/network.nix | 83 +++++++++++------------------------
 1 file changed, 26 insertions(+), 57 deletions(-)

diff --git a/systems/LoutreOS/network.nix b/systems/LoutreOS/network.nix
index c42c405..141298b 100644
--- a/systems/LoutreOS/network.nix
+++ b/systems/LoutreOS/network.nix
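Review bot: `LoadCredential` binds the wg0 keys to `/mnt/secrets/wireguard/*`, and as far as I can tell a missing source makes `systemd-networkd.service` fail to start; because networkd manages every interface here (fiber, LTE, the LAN DHCP server), an unmounted or late `/mnt/secrets` would take the whole network down rather than only wg0. Add an ordering on the mount, e.g. `systemd.services.systemd-networkd.unitConfig.RequiresMountsFor = [ "/mnt/secrets" ];`. Credentials are copied when the service starts, so a rotated key is only picked up by restarting `systemd-networkd.service`, not by `networkctl reload`; a comment next to `LoadCredential` should say so, and it applies equally to the `PrivateKeyFile` and `PresharedKeyFile` hunks below. The same comment can record the upside: the source files can now be root-only (0600), which `/run/keys` read directly by networkd could not be.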
@@ -114,26 +114,15 @@
 ];
 };
 
- #################
- # ROUTING RULES #
- #################
-
- # 0: from all lookup local
- # 50: from all ipproto tcp dport 25 lookup vpn
- # 100: from all lookup fiber
- # 200: from all lookup lte
- # 32766: from all lookup main
- # 32767: from all lookup default
-
- systemd.network = {
+ systemd.network = let
+ routeTables = {
+ vpn = 3;
+ };
+ in {
 enable = true;
 
 config = {
- routeTables = {
- fiber = 1;
- lte = 2;
- vpn = 3;
- };
+ inherit routeTables;
 addRouteTablesToIPRoute2 = true;
 };
 
@@ -149,7 +138,7 @@
 PrivateKeyFile = "/run/credentials/systemd-networkd.service/network.wireguard.private.wg0";
 # Wait for 24.11
 # PrivateKey = "@network.wireguard.private.wg0";
- RouteTable = 3;
+ RouteTable = routeTables.vpn;
 };
 wireguardPeers = [
 {
@@ -172,36 +161,26 @@
 # FIBER #
 #########
 
+ # Set route metric to highest priority
 # Set DHCP client magic settings for Bouygues
- # Put routes in fiber table
 "40-bouygues" = {
 dhcpV4Config.RouteMetric = 1;
+
 dhcpV6Config = {
 DUIDRawData = "00:03:00:01:E8:AD:A6:21:73:68";
 WithoutRA = "solicit";
 };
- ipv6AcceptRAConfig = {
- DHCPv6Client = true;
- # RouteTable = 1;
- };
+
+ ipv6AcceptRAConfig.DHCPv6Client = true;
+
 networkConfig = {
 KeepConfiguration = "dhcp-on-stop";
 IPv6AcceptRA = true;
 DHCPPrefixDelegation = true;
 };
+
 # Static attribution of first IPv6 subnet
 dhcpPrefixDelegationConfig.SubnetId = "0";
-
- # Route everything to fiber link with a priority of 100
- # routingPolicyRules = [
- # {
- # routingPolicyRuleConfig = {
- # Table = 1;
- # Priority = 100;
- # Family = "both";
- # };
- # }
- # ];
 };
 
 # Don't check VLAN physical interface as it is not directly used
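Review bot: The removed `# ROUTING RULES #` block was the only description of the policy-rule ordering, and the rules in `"10-wg0"` still rely on it (49 and 50 evaluated ahead of main), so this hunk drops design documentation rather than a stale comment. Keep a trimmed version above `systemd.network = let`, e.g. `# Policy routing: rule 49 (from the wg0 addresses) and rule 50 (local port 25) use table vpn (3); everything else falls through to main`. `fiber` and `lte` disappear from `routeTables` while `addRouteTablesToIPRoute2 = true` stays, which is consistent since only `vpn` remains named.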
@@ -211,32 +190,22 @@
 # LTE #
 #######
 
- # Put routes in lte table
- "40-enp0s21u1" = {
- dhcpV4Config.RouteTable = 2;
-
- # Route all to lte link with a priority of 200
- # routingPolicyRules = [
- # {
- # routingPolicyRuleConfig = {
- # Table = 2;
- # Priority = 200;
- # Family = "both";
- # };
- # }
- # ];
- };
+ # Set LTE route to lower priority
+ "40-enp0s21u1".dhcpV4Config.RouteMetric = 1024;
 
 #######
 # VPN #
 #######
 
 # Wireguard ARN network configuation
- "10-wg0" = {
+ "10-wg0" = let
+ vpnIPv4 = "89.234.141.196/32";
+ vpnIPv6 = "2a00:5881:8119:400::1/128";
+ in {
 matchConfig.Name = "wg0";
 address = [
- "89.234.141.196/32"
- "2a00:5881:8119:400::1/128"
+ vpnIPv4
+ vpnIPv6
 ];
 routingPolicyRules = [
 # Route outgoing emails to VPN table
@@ -244,7 +213,7 @@
 routingPolicyRuleConfig = {
 IncomingInterface = "lo";
 DestinationPort = "25";
- Table = 3;
+ Table = routeTables.vpn;
 Priority = 50;
 Family = "both";
 };
@@ -253,15 +222,15 @@
 # Allow server to respond on the wg0 interface requests
 {
 routingPolicyRuleConfig = {
- From = "89.234.141.196";
- Table = 3;
+ From = vpnIPv4;
+ Table = routeTables.vpn;
 Priority = 49;
 };
 }
 {
 routingPolicyRuleConfig = {
- From = "2a00:5881:8119:400::1";
- Table = 3;
+ From = vpnIPv6;
+ Table = routeTables.vpn;
 Priority = 49;
 };
 }