feat: add firezone gateway and allow trafic

2025-03-16 22:38:03 +01:00 · 2025-03-16 22:38:03 +01:00 · c4891afe7d
commit c4891afe7d
parent 3725789765
10 changed files with 54 additions and 2 deletions
--- a/hosts/sausebiene/esphome.nix
+++ b/hosts/sausebiene/esphome.nix
@ -51,6 +51,9 @@ in
        extraConfig = ''
          allow ${globals.net.home-lan.vlans.home.cidrv4};
          allow ${globals.net.home-lan.vlans.home.cidrv6};
          # Firezone traffic
          allow ${globals.net.home-lan.vlans.services.hosts.ward.ipv4};
          allow ${globals.net.home-lan.vlans.services.hosts.ward.ipv6};
          deny all;
        '';
      };
--- a/hosts/sausebiene/home-assistant.nix
+++ b/hosts/sausebiene/home-assistant.nix
@ -234,8 +234,12 @@ in
          allow ${globals.net.home-lan.vlans.home.cidrv6};
          allow ${globals.net.home-lan.vlans.devices.cidrv4};
          allow ${globals.net.home-lan.vlans.devices.cidrv6};
          # Self-traffic (needed for media in Voice PE)
          allow ${globals.net.home-lan.vlans.services.hosts.sausebiene.ipv4};
          allow ${globals.net.home-lan.vlans.services.hosts.sausebiene.ipv6};
          # Firezone traffic
          allow ${globals.net.home-lan.vlans.services.hosts.ward.ipv4};
          allow ${globals.net.home-lan.vlans.services.hosts.ward.ipv6};
          deny all;
        '';
      };
--- a/hosts/sentinel/firezone.nix
+++ b/hosts/sentinel/firezone.nix
@ -7,6 +7,9 @@
 }:
 let
  firezoneDomain = "firezone.${globals.domains.me}";
  # FIXME: dont hardcode, filter global service domains by internal state
  # FIXME: new entry here? make new adguardhome entry too.
  # FIXME: new entry here? make new firezone gateway on ward entry too.
  homeDomains = [
    globals.services.grafana.domain
    globals.services.immich.domain
@ -91,8 +94,6 @@ in
            };
          };
        # FIXME: dont hardcode, filter global service domains by internal state
        # FIXME: new entry here? make new adguardhome entry too.
        resources =
          lib.genAttrs homeDomains (domain: {
            type = "dns";
@ -152,6 +153,8 @@ in
    openFirewall = true;
  };
  systemd.services.firezone-relay.environment.HEALTH_CHECK_ADDR = "127.0.0.1:17999";
  services.nginx = {
    upstreams.firezone = {
      servers."127.0.0.1:${toString config.services.firezone.server.web.port}" = { };
--- a/hosts/sentinel/secrets/firezone-relay-token.age
+++ b/hosts/sentinel/secrets/firezone-relay-token.age
--- a/hosts/ward/default.nix
+++ b/hosts/ward/default.nix
@ -7,6 +7,21 @@
  nodes,
  ...
 }:
 let
  # FIXME: dont hardcode, filter global service domains by internal state
  # FIXME: new entry here? make new adguardhome entry too.
  # FIXME: new entry here? make new firezone entry too.
  homeDomains = [
    globals.services.grafana.domain
    globals.services.immich.domain
    globals.services.influxdb.domain
    globals.services.loki.domain
    globals.services.paperless.domain
    globals.services.esphome.domain
    globals.services.home-assistant.domain
    "fritzbox.${globals.domains.personal}"
  ];
 in
 {
  imports = [
    inputs.nixos-hardware.nixosModules.common-cpu-intel
@ -63,6 +78,9 @@
    rekeyFile = config.node.secretsDir + "/firezone-gateway-token.age";
  };
  networking.hosts.${globals.net.home-lan.vlans.services.hosts.ward-web-proxy.ipv6} = homeDomains;
  networking.hosts.${globals.net.home-lan.vlans.services.hosts.ward-web-proxy.ipv4} = homeDomains;
  systemd.services.firezone-gateway.environment.HEALTH_CHECK_ADDR = "127.0.0.1:17999";
  services.firezone.gateway = {
    enable = true;
    name = "ward";
--- a/hosts/ward/guests/adguardhome.nix
+++ b/hosts/ward/guests/adguardhome.nix
@ -110,6 +110,7 @@ in
            [
              # FIXME: dont hardcode, filter global service domains by internal state
              # FIXME: new entry here? make new firezone entry too.
              # FIXME: new entry here? make new firezone gateway on ward entry too.
              globals.services.grafana.domain
              globals.services.immich.domain
              globals.services.influxdb.domain
--- a/hosts/ward/net.nix
+++ b/hosts/ward/net.nix
@ -169,6 +169,7 @@
      {
        untrusted.interfaces = [ "wan" ];
        proxy-home.interfaces = [ "proxy-home" ];
        firezone.interfaces = [ "tun-firezone" ];
        adguardhome.ipv4Addresses = [ globals.net.home-lan.vlans.services.hosts.ward-adguardhome.ipv4 ];
        adguardhome.ipv6Addresses = [ globals.net.home-lan.vlans.services.hosts.ward-adguardhome.ipv6 ];
        web-proxy.ipv4Addresses = [ globals.net.home-lan.vlans.services.hosts.ward-web-proxy.ipv4 ];
@ -260,6 +261,28 @@
        to = [ "proxy-home" ];
        verdict = "accept";
      };
      # masquerade firezone traffic
      masquerade-firezone = {
        from = [ "firezone" ];
        to = [ "vlan-services" ];
        masquerade = true;
        late = true; # Only accept after any rejects have been processed
        verdict = "accept";
      };
      # forward firezone traffic
      forward-incoming-firezone-traffic = {
        from = [ "firezone" ];
        to = [ "vlan-services" ];
        verdict = "accept";
      };
      forward-outgoing-firezone-traffic = {
        from = [ "vlan-services" ];
        to = [ "firezone" ];
        verdict = "accept";
      };
    };
  };
--- a/hosts/ward/secrets/firezone-gateway-token.age
+++ b/hosts/ward/secrets/firezone-gateway-token.age
--- a/secrets/rekeyed/sentinel/7b54639dac73dffe8f9b3ef8f8397aa8-firezone-relay-token.age
+++ b/secrets/rekeyed/sentinel/7b54639dac73dffe8f9b3ef8f8397aa8-firezone-relay-token.age
--- a/secrets/rekeyed/ward/4c7905ddc4c355cd7b02931f73a0b7e9-firezone-gateway-token.age
+++ b/secrets/rekeyed/ward/4c7905ddc4c355cd7b02931f73a0b7e9-firezone-gateway-token.age