mirrors_public/oddlama_nix-config
1
1
Fork 1
mirror of https://github.com/oddlama/nix-config.git synced 2025-10-10 23:00:39 +02:00
Code Activity

feat: add firezone gateway and allow trafic

Browse source
This commit is contained in:
oddlama 2025-03-16 22:38:03 +01:00
parent 3725789765
commit c4891afe7d
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
10 changed files with 54 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

3
hosts/sausebiene/esphome.nix
View file

@ -51,6 +51,9 @@ in
extraConfig = '' extraConfig = ''
allow ${globals.net.home-lan.vlans.home.cidrv4}; allow ${globals.net.home-lan.vlans.home.cidrv4};
allow ${globals.net.home-lan.vlans.home.cidrv6}; allow ${globals.net.home-lan.vlans.home.cidrv6};
# Firezone traffic
allow ${globals.net.home-lan.vlans.services.hosts.ward.ipv4};
allow ${globals.net.home-lan.vlans.services.hosts.ward.ipv6};
deny all; deny all;
''; '';
}; };

4
hosts/sausebiene/home-assistant.nix
View file

@ -234,8 +234,12 @@ in
allow ${globals.net.home-lan.vlans.home.cidrv6}; allow ${globals.net.home-lan.vlans.home.cidrv6};
allow ${globals.net.home-lan.vlans.devices.cidrv4}; allow ${globals.net.home-lan.vlans.devices.cidrv4};
allow ${globals.net.home-lan.vlans.devices.cidrv6}; allow ${globals.net.home-lan.vlans.devices.cidrv6};
# Self-traffic (needed for media in Voice PE)
allow ${globals.net.home-lan.vlans.services.hosts.sausebiene.ipv4}; allow ${globals.net.home-lan.vlans.services.hosts.sausebiene.ipv4};
allow ${globals.net.home-lan.vlans.services.hosts.sausebiene.ipv6}; allow ${globals.net.home-lan.vlans.services.hosts.sausebiene.ipv6};
# Firezone traffic
allow ${globals.net.home-lan.vlans.services.hosts.ward.ipv4};
allow ${globals.net.home-lan.vlans.services.hosts.ward.ipv6};
deny all; deny all;
''; '';
}; };

7
hosts/sentinel/firezone.nix
View file

@ -7,6 +7,9 @@
}: }:
let let
firezoneDomain = "firezone.${globals.domains.me}"; firezoneDomain = "firezone.${globals.domains.me}";
# FIXME: dont hardcode, filter global service domains by internal state
# FIXME: new entry here? make new adguardhome entry too.
# FIXME: new entry here? make new firezone gateway on ward entry too.
homeDomains = [ homeDomains = [
globals.services.grafana.domain globals.services.grafana.domain
globals.services.immich.domain globals.services.immich.domain
@ -91,8 +94,6 @@ in
}; };
}; };
# FIXME: dont hardcode, filter global service domains by internal state
# FIXME: new entry here? make new adguardhome entry too.
resources = resources =
lib.genAttrs homeDomains (domain: { lib.genAttrs homeDomains (domain: {
type = "dns"; type = "dns";
@ -152,6 +153,8 @@ in
openFirewall = true; openFirewall = true;
}; };
systemd.services.firezone-relay.environment.HEALTH_CHECK_ADDR = "127.0.0.1:17999";
services.nginx = { services.nginx = {
upstreams.firezone = { upstreams.firezone = {
servers."127.0.0.1:${toString config.services.firezone.server.web.port}" = { }; servers."127.0.0.1:${toString config.services.firezone.server.web.port}" = { };

BIN
hosts/sentinel/secrets/firezone-relay-token.age
View file

Binary file not shown.

18
hosts/ward/default.nix
View file

@ -7,6 +7,21 @@
nodes, nodes,
... ...
}: }:
let
# FIXME: dont hardcode, filter global service domains by internal state
# FIXME: new entry here? make new adguardhome entry too.
# FIXME: new entry here? make new firezone entry too.
homeDomains = [
globals.services.grafana.domain
globals.services.immich.domain
globals.services.influxdb.domain
globals.services.loki.domain
globals.services.paperless.domain
globals.services.esphome.domain
globals.services.home-assistant.domain
"fritzbox.${globals.domains.personal}"
];
in
{ {
imports = [ imports = [
inputs.nixos-hardware.nixosModules.common-cpu-intel inputs.nixos-hardware.nixosModules.common-cpu-intel
@ -63,6 +78,9 @@
rekeyFile = config.node.secretsDir + "/firezone-gateway-token.age"; rekeyFile = config.node.secretsDir + "/firezone-gateway-token.age";
}; };
networking.hosts.${globals.net.home-lan.vlans.services.hosts.ward-web-proxy.ipv6} = homeDomains;
networking.hosts.${globals.net.home-lan.vlans.services.hosts.ward-web-proxy.ipv4} = homeDomains;
systemd.services.firezone-gateway.environment.HEALTH_CHECK_ADDR = "127.0.0.1:17999";
services.firezone.gateway = { services.firezone.gateway = {
enable = true; enable = true;
name = "ward"; name = "ward";

1
hosts/ward/guests/adguardhome.nix
View file

@ -110,6 +110,7 @@ in
[ [
# FIXME: dont hardcode, filter global service domains by internal state # FIXME: dont hardcode, filter global service domains by internal state
# FIXME: new entry here? make new firezone entry too. # FIXME: new entry here? make new firezone entry too.
# FIXME: new entry here? make new firezone gateway on ward entry too.
globals.services.grafana.domain globals.services.grafana.domain
globals.services.immich.domain globals.services.immich.domain
globals.services.influxdb.domain globals.services.influxdb.domain

23
hosts/ward/net.nix
View file

@ -169,6 +169,7 @@
{ {
untrusted.interfaces = [ "wan" ]; untrusted.interfaces = [ "wan" ];
proxy-home.interfaces = [ "proxy-home" ]; proxy-home.interfaces = [ "proxy-home" ];
firezone.interfaces = [ "tun-firezone" ];
adguardhome.ipv4Addresses = [ globals.net.home-lan.vlans.services.hosts.ward-adguardhome.ipv4 ]; adguardhome.ipv4Addresses = [ globals.net.home-lan.vlans.services.hosts.ward-adguardhome.ipv4 ];
adguardhome.ipv6Addresses = [ globals.net.home-lan.vlans.services.hosts.ward-adguardhome.ipv6 ]; adguardhome.ipv6Addresses = [ globals.net.home-lan.vlans.services.hosts.ward-adguardhome.ipv6 ];
web-proxy.ipv4Addresses = [ globals.net.home-lan.vlans.services.hosts.ward-web-proxy.ipv4 ]; web-proxy.ipv4Addresses = [ globals.net.home-lan.vlans.services.hosts.ward-web-proxy.ipv4 ];
@ -260,6 +261,28 @@
to = [ "proxy-home" ]; to = [ "proxy-home" ];
verdict = "accept"; verdict = "accept";
}; };
# masquerade firezone traffic
masquerade-firezone = {
from = [ "firezone" ];
to = [ "vlan-services" ];
masquerade = true;
late = true; # Only accept after any rejects have been processed
verdict = "accept";
};
# forward firezone traffic
forward-incoming-firezone-traffic = {
from = [ "firezone" ];
to = [ "vlan-services" ];
verdict = "accept";
};
forward-outgoing-firezone-traffic = {
from = [ "vlan-services" ];
to = [ "firezone" ];
verdict = "accept";
};
}; };
}; };

BIN
hosts/ward/secrets/firezone-gateway-token.age
View file

Binary file not shown.

BIN
secrets/rekeyed/sentinel/7b54639dac73dffe8f9b3ef8f8397aa8-firezone-relay-token.age Normal file
View file

Binary file not shown.

BIN
secrets/rekeyed/ward/4c7905ddc4c355cd7b02931f73a0b7e9-firezone-gateway-token.age Normal file
View file

Binary file not shown.