feat: automatically generate allowedTCPPorts for mdns enabled

interfaces; simplify nftables rules by adding a general untrusted zone

hosts/common/core/default.nix

@@ -12,6 +12,7 @@
 
     ../../../users/root
 
+    ../../../modules/extra.nix
     ../../../modules/interface-naming.nix
     ../../../modules/microvms.nix
     ../../../modules/wireguard.nix

hosts/common/core/impermanence.nix

@@ -5,6 +5,8 @@
 }: {
   # State that should be kept across reboots, but is otherwise
   # NOT important information in any way that needs to be backed up.
+  #environment.persistence."/local" = {
+  # with new dataset   --> ^-- , or without v--
   #environment.persistence."/nix/state" = {
   #  hideMounts = true;
   #  files = [
@@ -32,12 +34,14 @@
           group = "root";
           mode = "0755";
         }
+        # TODO only persist across reboots, don't backup, once loki is used
         {
           directory = "/var/lib/systemd";
           user = "root";
           group = "root";
           mode = "0755";
         }
+        # TODO only persist across reboots, don't backup, once loki is used
         {
           directory = "/var/log";
           user = "root";
@@ -46,6 +50,7 @@
         }
         #{ directory = "/tmp"; user = "root"; group = "root"; mode = "1777"; }
         #{ directory = "/var/tmp"; user = "root"; group = "root"; mode = "1777"; }
+        # TODO only persist across reboots, don't backup, once loki is used
         {
           directory = "/var/spool";
           user = "root";

hosts/common/core/net.nix

@@ -70,6 +70,17 @@ in {
           to = ["local"];
           allowedTCPPorts = config.services.openssh.ports;
         };
+
+        untrusted-to-local = {
+          from = ["untrusted"];
+          to = ["local"];
+
+          inherit
+            (config.networking.firewall)
+            allowedTCPPorts
+            allowedUDPPorts
+            ;
+        };
       };
     };
   };

hosts/common/core/resolved.nix

@@ -1,9 +1,8 @@
-{lib, ...}: {
-  networking.firewall = {
-    allowedTCPPorts = [5355];
-    allowedUDPPorts = [5353 5355];
-  };
-
+{
+  config,
+  lib,
+  ...
+}: {
   services.resolved = {
     enable = true;
     dnssec = "allow-downgrade";
@@ -24,4 +23,53 @@
     (lib.mkBefore ["mdns_minimal [NOTFOUND=return]"])
     (lib.mkAfter ["mdns"])
   ];
+
+  # TODO mkForce nftables
+  # Open port 5353 for any interfaces that have MulticastDNS enabled
+  networking.nftables.firewall = let
+    # Determine all networks that have MulticastDNS enabled
+    networksWithMulticast =
+      lib.filter
+      (n: config.systemd.network.networks.${n}.networkConfig.MulticastDNS or false)
+      (lib.attrNames config.systemd.network.networks);
+
+    # Determine all known mac addresses and the corresponding link name
+    # based on the renameInterfacesByMac option.
+    knownMacs =
+      lib.mapAttrs'
+      (k: v: lib.nameValuePair v k)
+      config.extra.networking.renameInterfacesByMac;
+    # A helper that returns the link name for the given mac address,
+    # or null if it doesn't exist or the given mac was null.
+    linkNameFor = mac:
+      if mac == null
+      then null
+      else knownMacs.${mac} or null;
+
+    # Calls the given function for each network that has MulticastDNS enabled,
+    # and collects all non-null values.
+    mapNetworks = f: lib.filter (v: v != null) (map f networksWithMulticast);
+
+    # All interfaces on which MulticastDNS is used
+    mdnsInterfaces = lib.unique (
+      # For each network that is matched by MAC, lookup the link name
+      # and if map the definition name to the link name.
+      mapNetworks (x: linkNameFor (config.systemd.network.networks.${x}.matchConfig.MACAddress or null))
+      # For each network that is matched by name, map the definition
+      # name to the link name.
+      ++ mapNetworks (x: config.systemd.network.networks.${x}.matchConfig.Name or null)
+    );
+  in {
+    zones = lib.mkForce {
+      mdns.interfaces = mdnsInterfaces;
+    };
+
+    rules = lib.mkForce {
+      mdns-to-local = {
+        from = ["mdns"];
+        to = ["local"];
+        allowedUDPPorts = [5353];
+      };
+    };
+  };
 }

hosts/nom/net.nix

@@ -1,4 +1,8 @@
-{config, ...}: {
+{
+  config,
+  lib,
+  ...
+}: {
   networking = {
     inherit (config.repo.secrets.local.networking) hostId;
     wireless.iwd.enable = true;
@@ -31,4 +35,10 @@
       dhcpV6Config.RouteMetric = 40;
     };
   };
+
+  networking.nftables.firewall = {
+    zones = lib.mkForce {
+      untrusted.interfaces = ["lan1" "wlan1"];
+    };
+  };
 }

hosts/ward/default.nix

@@ -65,10 +65,6 @@ in {
 
     #automatic1111 = defineVm 19;
     #invokeai = defineVm 19;
-
-    #kanidm = defineVm 12 // {
-    #  configPath = ./vm-test.nix;
-    #};
   };
 
   microvm.vms.test.config = {
@@ -95,61 +91,22 @@ in {
       mode = "440";
       group = "acme";
     };
+
     security.acme = {
       acceptTerms = true;
       defaults = {
         inherit (acme) email;
-        dnsProvider = "cloudflare";
         credentialsFile = config.rekey.secrets.acme-credentials.path;
+        dnsProvider = "cloudflare";
         dnsPropagationCheck = true;
+        reloadServices = ["nginx"];
       };
-      certs = lib.genAttrs acme.domains (domain: {
-        extraDomainNames = ["*.${domain}"];
-      });
     };
+    extra.acme.wildcardDomains = acme.domains;
     users.groups.acme.members = ["nginx"];
+    services.nginx.enable = true;
 
-    # TODO reload nginx when acme is renewed
-
-    # TODO make default nginx config in core to reduce boilerplate?
-    services.nginx = let
-      # TODO not implemented well
-      # TODO not implemented well
-      # TODO not implemented well
-      # TODO not implemented well
-      # TODO not implemented well
-      # TODO not implemented well
-      # TODO not implemented well
-      # TODO not implemented well
-      # TODO (acme.domains is very specific)
-      # TODO (security.acme causes recursion)
-      matchingWildcardCert = domain: let
-        # Filter all certs that are wildcard certs and which match the given domain
-        matchingCerts =
-          lib.filter
-          (x: !lib.hasInfix "." (lib.removeSuffix ".${x}" domain))
-          acme.domains;
-      in
-        assert lib.assertMsg (matchingCerts != []) "No wildcard certificate was defined that matches ${domain}";
-          lib.head matchingCerts;
-    in {
-      enable = true;
-
-      recommendedBrotliSettings = true;
-      recommendedGzipSettings = true;
-      recommendedOptimisation = true;
-      recommendedProxySettings = true;
-      recommendedTlsSettings = true;
-
-      # SSL config
-      sslCiphers = "EECDH+AESGCM:EDH+AESGCM:!aNULL";
-      sslDhparam = config.rekey.secrets."dhparams.pem".path;
-      commonHttpConfig = ''
-        error_log syslog:server=unix:/dev/log;
-        access_log syslog:server=unix:/dev/log;
-        ssl_ecdh_curve secp384r1;
-      '';
-
+    services.nginx = {
       upstreams."kanidm" = {
         servers."${config.extra.wireguard."${parentNodeName}-local-vms".ipv4}:8300" = {};
         extraConfig = ''
@@ -159,7 +116,7 @@ in {
       };
       virtualHosts.${auth.domain} = {
         forceSSL = true;
-        useACMEHost = matchingWildcardCert auth.domain;
+        useACMEHost = config.lib.matchingWildcardCert auth.domain;
         locations."/".proxyPass = "https://kanidm";
         # Allow using self-signed certs to satisfy kanidm's requirement
         # for TLS connections. (This is over wireguard anyway)
@@ -169,10 +126,18 @@ in {
       };
     };
 
-    networking.firewall.allowedTCPPorts = [80 443];
+    networking.nftables.firewall = {
+      zones = lib.mkForce {
+        local-vms.interfaces = ["local-vms"];
+      };
 
-    networking.nftables.firewall.rules = lib.mkForce {
-      local-vms-to-local.allowedTCPPorts = [8300];
+      rules = lib.mkForce {
+        local-vms-to-local = {
+          from = ["local-vms"];
+          to = ["local"];
+          allowedTCPPorts = [8300];
+        };
+      };
     };
 
     rekey.secrets."kanidm-self-signed.crt" = {

hosts/ward/net.nix

@@ -89,9 +89,8 @@ in {
   # TODO mkForce nftables
   networking.nftables.firewall = {
     zones = lib.mkForce {
+      untrusted.interfaces = ["wan"];
       lan.interfaces = ["lan-self"];
-      wan.interfaces = ["wan"];
-      local-vms.interfaces = ["local-vms"];
     };
 
     rules = lib.mkForce {
@@ -100,34 +99,24 @@ in {
         extraLines = ["ip6 nexthdr icmpv6 icmpv6 type { mld-listener-query, nd-router-solicit } accept"];
       };
 
-      masquerade-wan = {
+      masquerade = {
         from = ["lan"];
-        to = ["wan"];
+        to = ["untrusted"];
         masquerade = true;
       };
 
+      # Rule needed to allow local-vms wireguard traffic
+      lan-to-local = {
+        from = ["lan"];
+        to = ["local"];
+      };
+
       outbound = {
         from = ["lan"];
-        to = ["lan" "wan"];
+        to = ["lan" "untrusted"];
         late = true; # Only accept after any rejects have been processed
         verdict = "accept";
       };
-
-      wan-to-local = {
-        from = ["wan"];
-        to = ["local"];
-      };
-
-      lan-to-local = {
-        from = ["lan"];
-        to = ["local"];
-
-        inherit
-          (config.networking.firewall)
-          allowedTCPPorts
-          allowedUDPPorts
-          ;
-      };
     };
   };
 

hosts/zackbiene/net.nix

@@ -38,20 +38,7 @@ in {
   # TODO mkForce nftables
   networking.nftables.firewall = {
     zones = lib.mkForce {
-      lan.interfaces = ["lan1"];
-    };
-
-    rules = lib.mkForce {
-      int-to-local = {
-        from = ["lan"];
-        to = ["local"];
-
-        inherit
-          (config.networking.firewall)
-          allowedTCPPorts
-          allowedUDPPorts
-          ;
-      };
+      untrusted.interfaces = ["lan1"];
     };
   };
 }

hosts/zackbiene/nginx.nix

@@ -21,24 +21,5 @@
 
   #security.acme.acceptTerms = true;
   #security.acme.defaults.email = "admin+acme@example.com";
-  services.nginx = {
-    enable = true;
-
-    recommendedBrotliSettings = true;
-    recommendedGzipSettings = true;
-    recommendedOptimisation = true;
-    recommendedProxySettings = true;
-    recommendedTlsSettings = true;
-
-    # SSL config
-    sslCiphers = "EECDH+AESGCM:EDH+AESGCM:!aNULL";
-    sslDhparam = config.rekey.secrets."dhparams.pem".path;
-    commonHttpConfig = ''
-      error_log syslog:server=unix:/dev/log;
-      access_log syslog:server=unix:/dev/log;
-      ssl_ecdh_curve secp384r1;
-    '';
-  };
-
-  networking.firewall.allowedTCPPorts = [80 443];
+  services.nginx.enable = true;
 }