diff --git a/globals.nix b/globals.nix
index 57e1b83..4dcd2d3 100644
--- a/globals.nix
+++ b/globals.nix
@@ -66,6 +66,10 @@ in
 id = 23;
 mac = globals.macs.scanner-ads-4300n;
 };
+ hosts.epsondc44f7 = {
+ id = 30;
+ mac = globals.macs.epsondc44f7;
+ };
 hosts.wallbox = {
 id = 40;
 mac = globals.macs.wallbox;
diff --git a/hosts/ward/default.nix b/hosts/ward/default.nix
index 7cd7c60..09e5af2 100644
--- a/hosts/ward/default.nix
+++ b/hosts/ward/default.nix
@@ -20,6 +20,7 @@
 ./fs.nix
 ./net.nix
 ./kea.nix
+ ./mdns-repeater.nix
 ];
 topology.self.hardware.image = ../../topology/images/odroid-h3.png;
diff --git a/hosts/ward/mdns-repeater.nix b/hosts/ward/mdns-repeater.nix
new file mode 100644
index 0000000..365181c
--- /dev/null
+++ b/hosts/ward/mdns-repeater.nix
@@ -0,0 +1,78 @@
+{
+ pkgs,
+ lib,
+ ...
+}:
+let
+ interfaces = [
+ "me-services"
+ "me-devices"
+ "me-iot"
+ "wan"
+ ];
+ interfacesRegex = "(${lib.concatStringsSep "|" (interfaces ++ [ "me-home" ])})";
+ cfg = {
+ interfaces = interfacesRegex;
+ rules =
+ [
+ {
+ from = interfacesRegex;
+ to = "me-home";
+ allow_answers = ".*";
+ }
+ ]
+ ++ lib.forEach interfaces (to: {
+ from = "me-home";
+ inherit to;
+ allow_questions = ".*";
+ });
+ };
+in
+{
+ systemd.services.mdns-repeater = {
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+
+ environment.RUST_LOG = "info";
+
+ serviceConfig = {
+ Restart = "on-failure";
+ ExecStart = "${lib.getExe pkgs.mdns-repeater} --config ${pkgs.writeText "config.json" (builtins.toJSON cfg)}";
+
+ # Hardening
+ DynamicUser = true;
+ CapabilityBoundingSet = "";
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+ PrivateUsers = true;
+ PrivateTmp = true;
+ PrivateDevices = true;
+ PrivateMounts = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ ProtectSystem = "strict";
+ RemoveIPC = true;
+ RestrictAddressFamilies = [
+ "AF_INET"
+ "AF_INET6"
+ "AF_NETLINK"
+ ];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [
+ "@system-service"
+ "~@privileged"
+ ];
+ UMask = "0027";
+ };
+ };
+}
diff --git a/hosts/ward/net.nix b/hosts/ward/net.nix
index 96ff4bc..12b5d75 100644
--- a/hosts/ward/net.nix
+++ b/hosts/ward/net.nix
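Review bot: Listing `"wan"` in `interfaces` means the first rule (`from = interfacesRegex; to = "me-home"; allow_answers = ".*";`) relays every mDNS answer seen on the FritzBox-side segment into the home VLAN, which lets any host on that segment advertise services or claim `.local` names inside `me-home`; if the goal is only reaching the printer added in globals.nix, give `wan` its own rule limited to the record types actually needed instead of `.*`, or drop it from the list. The interface regex is also unanchored — it expands to `(me-services|me-devices|me-iot|wan|me-home)` — so depending on how mdns-repeater matches interface names it may also match any interface whose name merely contains one of those strings; `interfacesRegex = "^(${lib.concatStringsSep "|" (interfaces ++ [ "me-home" ])})$";` removes the ambiguity. Separately, `after = [ "network.target" ]` with `Restart = "on-failure"` and no `RestartSec` would, if the binary exits on an interface that is not yet configured at boot (not verifiable from here), exhaust systemd's default start-rate limit within a second; `after = [ "network-online.target" ]; wants = [ "network-online.target" ];` plus `serviceConfig.RestartSec = 5;` would cover that.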
@@ -102,6 +102,7 @@
 gateway = [ globals.net.home-wan.hosts.fritzbox.ipv4 ];
 matchConfig.Name = "wan";
 networkConfig.IPv6PrivacyExtensions = "yes";
+ networkConfig.MulticastDNS = true;
 # dhcpV6Config.PrefixDelegationHint = "::/64";
 # FIXME: This should not be needed, but for some reason part of networkd
 # isn't seeing the RAs and not triggering DHCPv6. Even though some other
@@ -229,6 +230,7 @@
 to = [
 "vlan-services"
 "vlan-devices"
+ "vlan-iot"
 ];
 late = true;
 verdict = "accept";
diff --git a/pkgs/default.nix b/pkgs/default.nix
index d551c37..f354ade 100644
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@@ -23,6 +23,8 @@ _inputs: [
 firezone-server-web = prev.callPackage ./firezone-server-web/package.nix { };
 firezone-server-api = prev.callPackage ./firezone-server-api/package.nix { };
+ mdns-repeater = prev.callPackage ./mdns-repeater.nix { };
+
 formats = prev.formats // {
 ron = import ./ron.nix { inherit (prev) lib pkgs; };
 };
diff --git a/pkgs/mdns-repeater.nix b/pkgs/mdns-repeater.nix
new file mode 100644
index 0000000..07ed6c0
--- /dev/null
+++ b/pkgs/mdns-repeater.nix
@@ -0,0 +1,30 @@
+{
+ lib,
+ fetchFromGitHub,
+ rustPlatform,
+}:
+rustPlatform.buildRustPackage {
+ pname = "mdns-repeater";
+ version = "unstable-git";
+
+ src = fetchFromGitHub {
+ owner = "PatrickDaG";
+ repo = "mdns-repeater";
+ rev = "5178041edbd0382bdeac462223549e093b26fe12";
+ hash = "sha256-cIrHSzdzFqfArE2bqWPm+CULuQU/KajkRN+i0b+seD0=";
+ };
+
+ cargoHash = "sha256-00Vh2AVECtqvkmLZmyDCR43tUqKdN4j1B8GnnRiWAmU=";
+
+ meta = {
+ description = "mDNS packet relayer";
+ homepage = "https://github.com/PatrickDaG/mdns-repeater";
+ license = lib.licenses.asl20;
+ maintainers = with lib.maintainers; [
+ oddlama
+ patrickdag
+ ];
+ mainProgram = "mdns-repeater";
+ platforms = lib.platforms.linux;
+ };
+}
diff --git a/secrets/global.nix.age b/secrets/global.nix.age
index 65fa807..7571462 100644
Binary files a/secrets/global.nix.age and b/secrets/global.nix.age differ
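Review bot: `networkConfig.MulticastDNS = true;` on the `wan` link (the interface whose gateway is the FritzBox, per the context lines) enables systemd-resolved's mDNS responder as well as its resolver there, if resolved is active on this host, so ward would advertise its own hostname and answer `.local` queries on the upstream segment. If the setting was added only so the relay in hosts/ward/mdns-repeater.nix can pass traffic, the narrower value is `networkConfig.MulticastDNS = "resolve";`, and if the repeater opens its own multicast sockets the setting may not be needed at all. Whether resolved is enabled is not visible from this hunk.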
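Review bot: Adding `"vlan-iot"` to this `to` list widens a `verdict = "accept"` rule to the IoT VLAN, but the rule's `from` side and any port or protocol restriction sit outside the hunk, so it is not visible whether this is now a blanket accept into IoT. If, as the globals.nix change suggests, the purpose is reaching the new Epson printer, a separate rule limited to that host and the printing ports it uses would keep the rest of the IoT segment unreachable; at minimum a comment such as `# vlan-iot: printer access (epsondc44f7)` on the new line would record why IoT is accepted here. The enclosing rule definition starts and ends outside the hunk.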
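Review bot: `version = "unstable-git";` carries no date, so nothing in the package shows how old the pinned commit is; the nixpkgs convention for git snapshots is `version = "0-unstable-YYYY-MM-DD";` using the date of commit 5178041. Pinning by `rev` together with `hash` and `cargoHash` is the right supply-chain shape, and since the source is a personal GitHub repository a short comment above `src` stating which upstream project it tracks (if any) and that both hashes must be re-verified on every bump would make future updates auditable.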