From c4891afe7dff8c5c3d9e1e581211fcc6148c6c14 Mon Sep 17 00:00:00 2001
From: oddlama
Date: Sun, 16 Mar 2025 22:38:03 +0100
Subject: [PATCH] feat: add firezone gateway and allow trafic
---
 hosts/sausebiene/esphome.nix | 3 +++
 hosts/sausebiene/home-assistant.nix | 4 +++
 hosts/sentinel/firezone.nix | 7 ++++--
 .../sentinel/secrets/firezone-relay-token.age | Bin 670 -> 626 bytes
 hosts/ward/default.nix | 18 ++++++++++++++
 hosts/ward/guests/adguardhome.nix | 1 +
 hosts/ward/net.nix | 23 ++++++++++++++++++
 hosts/ward/secrets/firezone-gateway-token.age | Bin 633 -> 695 bytes
 ...e8f9b3ef8f8397aa8-firezone-relay-token.age | Bin 0 -> 644 bytes
 ...b02931f73a0b7e9-firezone-gateway-token.age | Bin 0 -> 541 bytes
 10 files changed, 54 insertions(+), 2 deletions(-)
 create mode 100644 secrets/rekeyed/sentinel/7b54639dac73dffe8f9b3ef8f8397aa8-firezone-relay-token.age
 create mode 100644 secrets/rekeyed/ward/4c7905ddc4c355cd7b02931f73a0b7e9-firezone-gateway-token.age
diff --git a/hosts/sausebiene/esphome.nix b/hosts/sausebiene/esphome.nix
index 89da3d6..422ee98 100644
--- a/hosts/sausebiene/esphome.nix
+++ b/hosts/sausebiene/esphome.nix
@@ -51,6 +51,9 @@ in
 extraConfig = ''
 allow ${globals.net.home-lan.vlans.home.cidrv4};
 allow ${globals.net.home-lan.vlans.home.cidrv6};
+ # Firezone traffic
+ allow ${globals.net.home-lan.vlans.services.hosts.ward.ipv4};
+ allow ${globals.net.home-lan.vlans.services.hosts.ward.ipv6};
 deny all;
 '';
 };
diff --git a/hosts/sausebiene/home-assistant.nix b/hosts/sausebiene/home-assistant.nix
index 821bbf3..06beefe 100644
--- a/hosts/sausebiene/home-assistant.nix
+++ b/hosts/sausebiene/home-assistant.nix
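Review bot: The two new `allow` lines admit any request arriving from ward's service-VLAN IPv4/IPv6 addresses, so this access check trusts the Firezone gateway host as a whole rather than individual Firezone clients; if the gateway masquerades client traffic behind those addresses (likely, but not visible here), per-client authorization rests entirely on the Firezone policy for this resource. The comment should say so, so that nobody later reads the nginx allow-list as the access control: `# Firezone traffic: arrives via the gateway on ward; which clients may reach this host is governed by the Firezone policy, not by this allow-list`. The identical pair added in hosts/sausebiene/home-assistant.nix deserves the same comment. The attribute set that `extraConfig` belongs to begins before the hunk.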
@@ -234,8 +234,12 @@ in
 allow ${globals.net.home-lan.vlans.home.cidrv6};
 allow ${globals.net.home-lan.vlans.devices.cidrv4};
 allow ${globals.net.home-lan.vlans.devices.cidrv6};
+ # Self-traffic (needed for media in Voice PE)
 allow ${globals.net.home-lan.vlans.services.hosts.sausebiene.ipv4};
 allow ${globals.net.home-lan.vlans.services.hosts.sausebiene.ipv6};
+ # Firezone traffic
+ allow ${globals.net.home-lan.vlans.services.hosts.ward.ipv4};
+ allow ${globals.net.home-lan.vlans.services.hosts.ward.ipv6};
 deny all;
 '';
 };
diff --git a/hosts/sentinel/firezone.nix b/hosts/sentinel/firezone.nix
index 249ee6c..41cce45 100644
--- a/hosts/sentinel/firezone.nix
+++ b/hosts/sentinel/firezone.nix
@@ -7,6 +7,9 @@
 }:
 let
 firezoneDomain = "firezone.${globals.domains.me}";
+ # FIXME: dont hardcode, filter global service domains by internal state
+ # FIXME: new entry here? make new adguardhome entry too.
+ # FIXME: new entry here? make new firezone gateway on ward entry too.
 homeDomains = [
 globals.services.grafana.domain
 globals.services.immich.domain
@@ -91,8 +94,6 @@ in
 };
 };
- # FIXME: dont hardcode, filter global service domains by internal state
- # FIXME: new entry here? make new adguardhome entry too.
 resources = lib.genAttrs homeDomains (domain: {
 type = "dns";
@@ -152,6 +153,8 @@ in
 openFirewall = true;
 };
 
+ systemd.services.firezone-relay.environment.HEALTH_CHECK_ADDR = "127.0.0.1:17999";
+
 services.nginx = {
 upstreams.firezone = {
 servers."127.0.0.1:${toString config.services.firezone.server.web.port}" = { };
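Review bot: The added `HEALTH_CHECK_ADDR` override for the relay carries no comment, and the reason for pinning it to `127.0.0.1:17999` is not visible in the hunk; presumably the intent is to keep the relay's health endpoint on loopback and off its default port, which is worth recording because the preceding block ends with `openFirewall = true;` and a later reader may wonder whether the health port is meant to be reachable too. Suggested: `# Keep the relay health-check endpoint on loopback (non-default port) so only local checks can reach it, never the network`. If the port was chosen to avoid a clash with another local listener, name that listener in the comment as well. The enclosing `in` attribute set continues outside the hunk.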
diff --git a/hosts/sentinel/secrets/firezone-relay-token.age b/hosts/sentinel/secrets/firezone-relay-token.age index f8b69431009575776d6c66f18f6ff2a9233a4aa2..2981a8518199a44faace7e4fa9be129af5528216 100644 GIT binary patch delta 605 zcmV-j0;2t%1@Z)tAb&JWa5*(=LQODsL}o}gN<=SAYe_RxP@V_8p9M^0sTb#QM-FJWv`bx3eRc0zeHMNV;9FJ*06W^ZL-Rdsh+FbXX` zAaH4REpRe5HXwL$Q)M_&AVD&EWl&aPcUeb7OhQ*~Z8A)4D}QK6PC|2XW>ZdRX>Cto zQE)I%bZ1daQcVg@N=8*^IX8KELUv?FG%{f|X5x-a%Ew2WgswEdtXyxZXiflBx+1zKs*XGM0R0kWJyj)I7tdE zEiE80cW8P`FMm03O+{^WaAj;OcvDJtQAl`ob}&##Z*nw2N>@}?NOLzgZ&XPNWn_0w zJLU|(Bu2KG-`(Ku^0;WZpjt6(qFhW16%ycSCM?b~`|8z42MtykgrxhENU{8m0oQU_ zbasKY-%>PF`%JkKH1urI5Ww2CNsukWiFuN5kiR_<{C{Akz7SLopxC%;C)(v1iio8i zU5SpIaD9(#dT7K`$Kf&iGaixnYVIxQYHp%p&+R=l8Ad;n=h!QC&qI~PSQ|Bpmp+{W z@xN)WRgxfg7MgG_KW}PbdFpg&>BFgcB{$Lay&CSn__BzWAYW2>6aH{%Qh$WJ{_|yl zbAh2CA69z{rf}etL_uXOrX2~Hp;1h<=X=;IDfs_hmurlx)%$0zuB zGILRSRSHIVVpMonL{V;aH!w9)No+AQX-zn4Pd7McSx+}HMRhS#Z!ckLHBV4TNeV4K zAaH4REpRe5HXwL$Q)M_&AVD`(O?ERmZ7Ww#Ib=e1S2;;eHGgknGgL`cRc|?HPGopQ zS7~}{RYfyuI7kY4W^-#$XHI5nMr?OhM`|`=LsDsOaZz(OWOaIKY*cqPdU9DxV=!@N zI7tdEJ|H74XL4m>b7de_EnY8rEowg?ep**jF<~kSNmpw`VMa+bbt^S&MsqPXcy%&o zd2l&(ZEbZma({RdEiEk|Z!l?g zbWmbtNkK+oaZ+|{PewIaN=r93Z#iW(Z%S}kNl!s~+D`R5{S4l!w2>l2SF@(5- zV@Ii)fXgzKCxGiK3Bg{7g$peJ%`lGbywITuw`V+Gfq%iEJbHZIN2+Tkw_d4Az-<$5 zaK=jOx7Ku}=$`dEl;?HB_gAT*aof&B)?~gk+hgSNT~BsTP>i%@PyQw4YB1{orVU(D zKkeQ)^zxU#uFugST!x7HGS#EtUX0>SNC+1+;K$qZ49gz7;x71y2PsgGG49FkJyjRE zSpw5mV1GsFWn8kj1P6GMG%c&~m2gO*qU*L7-%%DTOkR{b2;*YaasB>D53S$f0VB(l z_-4lubIS6C}Kcri#~OJ;XOMoBd{Z7)eURWDFQQe{U~3N1b$ zaA|fea56PEAb4?8WjIkFK{a_VY*u-AO-*D>Lw9U%dUs($Vt+X~W>RQ3MKowRWH~rm zX>~+)LT^)TVhT1;RA+H#QgAp=Q*vu(Y-3_gQgV8FF>P3JFf&m{SaEtmH8ON}FflN3 za|$g!AbvqHePdW#LM>-fD0cxP*GR#$jUS2JO2c~f(8XHz*=YfeWsXi{)6ZE!+z zaB65cSxGlg3Nm$XZZUTXEiEk|RW*5OD{D$MVoP>mV?}6pb~#XGIb%jdaCdH4Nn<%d zSxqxXNO)yqcw|uuGP6z#XiEg&C&93mbIqN=!?4+2Jbz+6-E5~t*wziMCmPA5L@@X1 z9?!E!0x9_LwO#r;Fe+SN-L96Lw+R!~Lo9thuJR;@`-Nn{%Y&U$tWH~;bIAtJO#wMr 
z{csE5kCdq-eHMz_!s@n?H?No=Zs~0hp9yWw(gesps0c{OQ=-31pZc&-NxSLZEhDV7 zMjyKmoXyES!Ro$blD8nygAbg_L#HJ{6B z^uPL8gd^x+rcK+PsTqYk2Y-M30ij{B>19Yf;*XTf&j*wWwC+=RNN&l-szXqaF4QX% zm*Rn%fliLQlB9apAaB>Gxxf7MAEtoww$GZZFdKJ~#2F3WGQJ7lqp?X|cVraeG1MwO IYiJuqNID1;GXMYp delta 611 zcmV-p0-XJ~1^EP!A%8DtP)}4dGfp^eZCFonRCiV@bvJH!X=HRXHcm=Ya8hAnLN_&Q zHcM7>3Tb&vX-qdWYi@8dM_Fw(H8N3db5BHKFH1E?H#A~cax*e`SWb3GV=GHI3N1b$ zaA|fea56PEAb4?8WjIkFK`%jVa%^rkb5?CtYgTGxRcm%4^eIc`c(NpNT{ zWlU#kOH4sZaSBQ_MPqAdVncRJbaO{*VqLo-EYc5yINNM~kk zFbXX`AU{4abxm_EXL4m>b7de(HFjWWJX}&Ba9K?tCNd&ydQoad3TbC~IBZ2RL`F(y zbU1KP3N0-yAb&4Wa!g2RX;w=}WO8sxXnJL5P-1UNX+<|jRcJ77PjojiXm3?cRWmtr zO$zyX7^JQ}CoJEWWg57&b;XLz6h_3WOJ(rehy5;4JsELkDHNyGH3-5@Ma(DkCLBfo z(nIlbkySeRlWy6Z{(TeTGWT>_xHhJNC3P``{3rHrMSoE?nu54j0Ow|5P2Hv7uG`e`jM1vx-@p2acXmygc~|^9%mzK$T;x5WB)A_K|j>V)%{F1S$6=6((QD z3DK{Afn0choXJsvAZewzJaCB*JZZ289RNOe_IWMxNHc4t8}T4O|cV>wn$I8$LYRCRDUYEWlxFGOSt3N0-yAU04mW-@nG zcS%ZGR8Lt`OF21jO?7oEac*>SS!r!rV>vHIa$0spK`&Zo3jISmYCnq0>4HmLWb6GC z`@hO7YN_F3bn*6Kw;E=0vSJV8ic_~I#)A%EBbmLdYNkI(ZBf5x{~urdcWq%k0722d zO@jbB1LcmSNj1ul2iFi|D}}Vh!qW6X3}ssYFr5U{sKl=ZpoY9_LOq|^^UA@Sz?12F z98NhAUC+~nrXtrC>~0(lok=4Ml&*3T2VDCH#7<@J|HYKEoX9NVRL05Dp*M} zHa2uxAbKSrK}=azRDCEa3RO*RL0V5~RxxmFXli+8Mm92PWx7RO)z*@Q3_+3!^;)qBggB-%``8f z9pg@mJ2X77>BKu0H6}AV$Vhfsl(LF;u4V>iYf>lG-jjWCJXBe6+`SvdpZT9)LIk`g zD(n_%8e zp*JNbdM6X)A?RSy-_O1p5MYo%$!4LuqL88;?c+fIxRvruE8RPYg{{hhIlYj5L355Y zNRXT$ivZ~I8c4-!$r#1rkjkZm(DIO9i(j{f#eh(+8O=GJx%83qj!%$|()3n$GkAFD zE~BBOn2xpCt7YN2`xMEiHto?AuJ}YwW7SK~A{WT26)N%rU|UFUN;u?BJ&;qf>M2n2 f*X<9zB