From 79e5320e6b1da4d9d3569fe2b4f42c5d9db7c641 Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 3 Dec 2018 09:47:35 +0100 Subject: l: use genid_uint31 where needed --- lass/1systems/prism/config.nix | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'lass/1systems/prism/config.nix') diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index 0ca39447..e2097e93 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix @@ -25,7 +25,7 @@ with import ; { # TODO make new hfos.nix out of this vv boot.kernel.sysctl."net.ipv4.ip_forward" = 1; users.users.riot = { - uid = genid "riot"; + uid = genid_uint31 "riot"; isNormalUser = true; extraGroups = [ "libvirtd" ]; openssh.authorizedKeys.keys = [ @@ -44,21 +44,21 @@ with import ; } { users.users.tv = { - uid = genid "tv"; + uid = genid_uint31 "tv"; isNormalUser = true; openssh.authorizedKeys.keys = [ config.krebs.users.tv.pubkey ]; }; users.users.makefu = { - uid = genid "makefu"; + uid = genid_uint31 "makefu"; isNormalUser = true; openssh.authorizedKeys.keys = [ config.krebs.users.makefu.pubkey ]; }; users.extraUsers.dritter = { - uid = genid "dritter"; + uid = genid_uint31 "dritter"; isNormalUser = true; extraGroups = [ "download" @@ -75,7 +75,7 @@ with import ; ]; }; users.users.hellrazor = { - uid = genid "hellrazor"; + uid = genid_uint31 "hellrazor"; isNormalUser = true; extraGroups = [ "download" @@ -168,7 +168,7 @@ with import ; } { users.users.jeschli = { - uid = genid "jeschli"; + uid = genid_uint31 "jeschli"; isNormalUser = true; openssh.authorizedKeys.keys = with config.krebs.users; [ jeschli.pubkey -- cgit v1.2.3 From d04c6be43d5c63f98a0c89aad512f19f1ffa6329 Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 6 Dec 2018 14:20:04 +0100 Subject: l prism.r: add dnsmasq for wireguard --- lass/1systems/prism/config.nix | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'lass/1systems/prism/config.nix') diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index e2097e93..83cc9677 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix @@ -323,6 +323,15 @@ with import ; } ]; }; + services.dnsmasq = { + enable = true; + resolveLocalQueries = false; + + extraConfig= '' + except-interface=lo + interface=wg0 + ''; + }; } { krebs.iptables.tables.filter.INPUT.rules = [ -- cgit v1.2.3 From 5d321689af3fd207a72ea73280add7689dc8d8c5 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 9 Dec 2018 16:55:00 +0100 Subject: l prism.r: dedup with wirelum.nix --- lass/1systems/prism/config.nix | 26 +++++++------------------- 1 file changed, 7 insertions(+), 19 deletions(-) (limited to 'lass/1systems/prism/config.nix') diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index 83cc9677..ec397651 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix @@ -297,37 +297,25 @@ with import ; }; } { - krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-p udp --dport 51820"; target = "ACCEPT"; } - ]; - krebs.iptables.tables.nat.PREROUTING.rules = [ - { v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; } + imports = [ + ]; + #krebs.iptables.tables.nat.PREROUTING.rules = [ + # { v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; } + #]; krebs.iptables.tables.filter.FORWARD.rules = [ - { v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; } + { v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24 -d 10.243.0.0/16"; target = "ACCEPT"; } { v6 = false; precedence = 1000; predicate = "-s 10.243.0.0/16 -d 10.244.1.0/24"; target = "ACCEPT"; } ]; krebs.iptables.tables.nat.POSTROUTING.rules = [ { v6 = false; predicate = "-s 10.244.1.0/24 ! -d 10.244.1.0/24"; target = "MASQUERADE"; } ]; - networking.wireguard.interfaces.wg0 = { - ips = [ "10.244.1.1/24" ]; - listenPort = 51820; - privateKeyFile = (toString ) + "/wireguard.key"; - allowedIPsAsRoutes = true; - peers = [ - { - # lass-android - allowedIPs = [ "10.244.1.2/32" ]; - publicKey = "zVunBVOxsMETlnHkgjfH71HaZjjNUOeYNveAVv5z3jw="; - } - ]; - }; services.dnsmasq = { enable = true; resolveLocalQueries = false; extraConfig= '' + listen-address=10.244.1.1 except-interface=lo interface=wg0 ''; -- cgit v1.2.3 From 1f1a0e0c6bd70897e451cfd9cdf1a175a6edd38a Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 16 Dec 2018 09:34:16 +0100 Subject: l prism: firewall for wirelum --- lass/1systems/prism/config.nix | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) (limited to 'lass/1systems/prism/config.nix') diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index ec397651..962a77cc 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix @@ -300,14 +300,16 @@ with import ; imports = [ ]; - #krebs.iptables.tables.nat.PREROUTING.rules = [ - # { v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; } - #]; + krebs.iptables.tables.nat.PREROUTING.rules = [ + { v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; } + { v4 = false; precedence = 1000; predicate = "-s 42:1::/32"; target = "ACCEPT"; } + ]; krebs.iptables.tables.filter.FORWARD.rules = [ - { v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24 -d 10.243.0.0/16"; target = "ACCEPT"; } - { v6 = false; precedence = 1000; predicate = "-s 10.243.0.0/16 -d 10.244.1.0/24"; target = "ACCEPT"; } + { precedence = 1000; predicate = "-i wirelum -o retiolum"; target = "ACCEPT"; } + { precedence = 1000; predicate = "-i retiolum -o wirelum"; target = "ACCEPT"; } ]; krebs.iptables.tables.nat.POSTROUTING.rules = [ + { v4 = false; predicate = "-s 42:1:ce16::/48 ! -d 42:1:ce16::48"; target = "MASQUERADE"; } { v6 = false; predicate = "-s 10.244.1.0/24 ! -d 10.244.1.0/24"; target = "MASQUERADE"; } ]; services.dnsmasq = { @@ -315,7 +317,7 @@ with import ; resolveLocalQueries = false; extraConfig= '' - listen-address=10.244.1.1 + listen-address=42:1:ce16::1 except-interface=lo interface=wg0 ''; -- cgit v1.2.3 From 24330950fe2bd31056e3ae1d58c1965c8a736f1f Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 16 Dec 2018 16:11:02 +0100 Subject: wirelum -> wiregrill --- lass/1systems/prism/config.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'lass/1systems/prism/config.nix') diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index 962a77cc..6c454b4a 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix @@ -298,15 +298,15 @@ with import ; } { imports = [ - + ]; krebs.iptables.tables.nat.PREROUTING.rules = [ { v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; } { v4 = false; precedence = 1000; predicate = "-s 42:1::/32"; target = "ACCEPT"; } ]; krebs.iptables.tables.filter.FORWARD.rules = [ - { precedence = 1000; predicate = "-i wirelum -o retiolum"; target = "ACCEPT"; } - { precedence = 1000; predicate = "-i retiolum -o wirelum"; target = "ACCEPT"; } + { precedence = 1000; predicate = "-i wiregrill -o retiolum"; target = "ACCEPT"; } + { precedence = 1000; predicate = "-i retiolum -o wiregrill"; target = "ACCEPT"; } ]; krebs.iptables.tables.nat.POSTROUTING.rules = [ { v4 = false; predicate = "-s 42:1:ce16::/48 ! -d 42:1:ce16::48"; target = "MASQUERADE"; } -- cgit v1.2.3