sokai/mynixos-config
1
1
Fork 0
forked from mirrors_public/oddlama_nix-config
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(nftables): update to new nftables firewall branch

Browse source
This commit is contained in:
oddlama 2023-10-15 14:10:06 +02:00
parent 051fdc24cb
commit 1f9a28c3db
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
11 changed files with 48 additions and 100 deletions
Download patch file Download diff file Expand all files Collapse all files

7
flake.lock generated
View file

@ -845,15 +845,16 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1695065444, "lastModified": 1694993757,
"narHash": "sha256-c39mzyE1Z95bOjNfcCpENdQUn8lgTQFXNDeDguZnKs4=", "narHash": "sha256-aXjkz/3rSuJ78Ry0ekzcTrdwvdgJwFyblOSL/PdgbUo=",
"owner": "thelegy", "owner": "thelegy",
"repo": "nixos-nftables-firewall", "repo": "nixos-nftables-firewall",
"rev": "f1d43094940379f8aa3b7ef750b48db48b622584", "rev": "0680e272f389a8101f87dd82be0a8132c8eabddf",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "thelegy", "owner": "thelegy",
"ref": "opt-in-rules",
"repo": "nixos-nftables-firewall", "repo": "nixos-nftables-firewall",
"type": "github" "type": "github"
} }

2
flake.nix
View file

@ -56,7 +56,7 @@
}; };
nixos-nftables-firewall = { nixos-nftables-firewall = {
url = "github:thelegy/nixos-nftables-firewall"; url = "github:thelegy/nixos-nftables-firewall/opt-in-rules";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };

10
hosts/kroma/net.nix
View file

@ -1,8 +1,4 @@
{ {config, ...}: {
config,
lib,
...
}: {
networking = { networking = {
inherit (config.repo.secrets.local.networking) hostId; inherit (config.repo.secrets.local.networking) hostId;
wireless.iwd.enable = true; wireless.iwd.enable = true;
@ -37,8 +33,6 @@
}; };
networking.nftables.firewall = { networking.nftables.firewall = {
zones = lib.mkForce { zones.untrusted.interfaces = ["lan1" "wlan1"];
untrusted.interfaces = ["lan1" "wlan1"];
};
}; };
} }

10
hosts/nom/net.nix
View file

@ -1,8 +1,4 @@
{ {config, ...}: {
config,
lib,
...
}: {
networking = { networking = {
inherit (config.repo.secrets.local.networking) hostId; inherit (config.repo.secrets.local.networking) hostId;
wireless.iwd.enable = true; wireless.iwd.enable = true;
@ -37,8 +33,6 @@
}; };
networking.nftables.firewall = { networking.nftables.firewall = {
zones = lib.mkForce { zones.untrusted.interfaces = ["lan1" "wlan1"];
untrusted.interfaces = ["lan1" "wlan1"];
};
}; };
} }

13
hosts/sentinel/net.nix
View file

@ -1,8 +1,4 @@
{ {config, ...}: {
config,
lib,
...
}: {
networking.hostId = config.repo.secrets.local.networking.hostId; networking.hostId = config.repo.secrets.local.networking.hostId;
networking.domain = config.repo.secrets.local.personalDomain; networking.domain = config.repo.secrets.local.personalDomain;
@ -35,21 +31,18 @@
}; };
}; };
# TODO mkForce nftables
networking.nftables.firewall = { networking.nftables.firewall = {
zones = lib.mkForce { zones = {
untrusted.interfaces = ["wan"]; untrusted.interfaces = ["wan"];
proxy-sentinel.interfaces = ["proxy-sentinel"]; proxy-sentinel.interfaces = ["proxy-sentinel"];
}; };
rules = lib.mkForce {
# Allow accessing nginx through the proxy # Allow accessing nginx through the proxy
proxy-sentinel-to-local = { rules.proxy-sentinel-to-local = {
from = ["proxy-sentinel"]; from = ["proxy-sentinel"];
to = ["local"]; to = ["local"];
allowedTCPPorts = [80 443]; allowedTCPPorts = [80 443];
}; };
}; };
};
meta.wireguard.proxy-sentinel.server = { meta.wireguard.proxy-sentinel.server = {
host = config.networking.fqdn; host = config.networking.fqdn;

12
hosts/ward/net.nix
View file

@ -95,19 +95,15 @@ in {
}; };
}; };
# TODO mkForce nftables
networking.nftables.firewall = { networking.nftables.firewall = {
zones = lib.mkForce { snippets.nnf-icmp.ipv6Types = ["mld-listener-query" "nd-router-solicit"];
zones = {
untrusted.interfaces = ["wan"]; untrusted.interfaces = ["wan"];
lan.interfaces = ["lan-self"]; lan.interfaces = ["lan-self"];
}; };
rules = lib.mkForce { rules = {
icmp = {
# accept ipv6 router solicit and multicast listener discovery query
extraLines = ["ip6 nexthdr icmpv6 icmpv6 type { mld-listener-query, nd-router-solicit } accept"];
};
masquerade = { masquerade = {
from = ["lan"]; from = ["lan"];
to = ["untrusted"]; to = ["untrusted"];

5
hosts/zackbiene/net.nix
View file

@ -46,10 +46,7 @@ in {
}; };
}; };
# TODO mkForce nftables
networking.nftables.firewall = { networking.nftables.firewall = {
zones = lib.mkForce { zones.untrusted.interfaces = ["lan1"];
untrusted.interfaces = ["lan1"];
};
}; };
} }

39
modules/config/nftables.nix
View file

@ -27,34 +27,20 @@
firewall = { firewall = {
enable = true; enable = true;
localZoneName = "local";
# TODO mkForce nftables snippets = {
zones = lib.mkForce { nnf-conntrack.enable = true;
local.localZone = true; nnf-drop.enable = true;
nnf-loopback.enable = true;
nnf-ssh.enable = true;
nnf-icmp = {
enable = true;
ipv6Types = ["echo-request" "destination-unreachable" "packet-too-big" "time-exceeded" "parameter-problem" "nd-router-advert" "nd-neighbor-solicit" "nd-neighbor-advert"];
ipv4Types = ["echo-request" "destination-unreachable" "router-advertisement" "time-exceeded" "parameter-problem"];
};
}; };
rules = lib.mkForce { rules.untrusted-to-local = {
icmp = {
early = true;
after = ["ct"];
from = "all";
to = ["local"];
extraLines = [
"ip6 nexthdr icmpv6 icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept"
"ip protocol icmp icmp type { echo-request, destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept"
#"ip6 saddr fe80::/10 ip6 daddr fe80::/10 udp dport 546 accept" # (dhcpv6)
];
};
ssh = {
early = true;
after = ["ct"];
from = "all";
to = ["local"];
allowedTCPPorts = config.services.openssh.ports;
};
untrusted-to-local = {
from = ["untrusted"]; from = ["untrusted"];
to = ["local"]; to = ["local"];
@ -66,5 +52,4 @@
}; };
}; };
}; };
};
} }

10
modules/config/resolved.nix
View file

@ -60,17 +60,11 @@
); );
in in
lib.mkIf (mdnsInterfaces != []) { lib.mkIf (mdnsInterfaces != []) {
# TODO mkForce nftables zones.mdns.interfaces = mdnsInterfaces;
zones = lib.mkForce { rules.mdns-to-local = {
mdns.interfaces = mdnsInterfaces;
};
rules = lib.mkForce {
mdns-to-local = {
from = ["mdns"]; from = ["mdns"];
to = ["local"]; to = ["local"];
allowedUDPPorts = [5353]; allowedUDPPorts = [5353];
}; };
}; };
};
} }

5
modules/meta/microvms.nix
View file

@ -190,11 +190,8 @@
}; };
}; };
# TODO mkForce nftables
networking.nftables.firewall = { networking.nftables.firewall = {
zones = mkForce { zones.untrusted.interfaces = [vmCfg.networking.mainLinkName];
untrusted.interfaces = [vmCfg.networking.mainLinkName];
};
}; };
meta.wireguard = mkIf vmCfg.localWireguard { meta.wireguard = mkIf vmCfg.localWireguard {

7
modules/meta/wireguard.nix
View file

@ -20,7 +20,6 @@
mapAttrsToList mapAttrsToList
mdDoc mdDoc
mergeToplevelConfigs mergeToplevelConfigs
mkForce
mkIf mkIf
mkOption mkOption
net net
@ -134,11 +133,9 @@
[wgCfg.server.port]; [wgCfg.server.port];
# Open the port in the given nftables rule if specified # Open the port in the given nftables rule if specified
# TODO mkForce nftables networking.nftables.firewall.rules =
networking.nftables.firewall.rules = mkForce (
optionalAttrs (isServer && wgCfg.server.openFirewallRules != []) optionalAttrs (isServer && wgCfg.server.openFirewallRules != [])
(genAttrs wgCfg.server.openFirewallRules (_: {allowedUDPPorts = [wgCfg.server.port];})) (genAttrs wgCfg.server.openFirewallRules (_: {allowedUDPPorts = [wgCfg.server.port];}));
);
age.secrets = age.secrets =
concatAttrs (map concatAttrs (map