summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--krebs/3modules/iptables.nix8
-rw-r--r--lass/1systems/green/config.nix2
-rw-r--r--lass/1systems/neoprism/config.nix4
-rw-r--r--lass/1systems/prism/config.nix20
-rw-r--r--lass/2configs/AP.nix4
-rw-r--r--lass/2configs/container-networking.nix4
-rw-r--r--lass/2configs/default.nix40
-rw-r--r--lass/2configs/gg23.nix4
-rw-r--r--lass/2configs/hfos.nix24
-rw-r--r--lass/2configs/libvirt.nix4
-rw-r--r--lass/2configs/wiregrill.nix14
-rw-r--r--lib/types.nix16
-rw-r--r--tv/1systems/xu/config.nix1
-rw-r--r--tv/2configs/autotether.nix19
-rw-r--r--tv/2configs/retiolum.nix10
15 files changed, 110 insertions, 64 deletions
diff --git a/krebs/3modules/iptables.nix b/krebs/3modules/iptables.nix
index 7007090c0..052dad9c6 100644
--- a/krebs/3modules/iptables.nix
+++ b/krebs/3modules/iptables.nix
@@ -43,10 +43,6 @@ let
target = mkOption {
type = str;
};
- precedence = mkOption {
- type = int;
- default = 0;
- };
v4 = mkOption {
type = bool;
default = true;
@@ -145,13 +141,11 @@ let
buildChain = tn: cn:
let
filteredRules = filter (r: r."${v}") ts."${tn}"."${cn}".rules;
- sortedRules = sort (a: b: a.precedence > b.precedence) filteredRules;
-
in
#TODO: double check should be unneccessary, refactor!
if ts.${tn}.${cn}.rules or null != null then
concatMapStringsSep "\n" (rule: "\n-A ${cn} ${rule}") ([]
- ++ map (buildRule tn cn) sortedRules
+ ++ map (buildRule tn cn) filteredRules
)
else
""
diff --git a/lass/1systems/green/config.nix b/lass/1systems/green/config.nix
index 4c98091f1..cd38c3585 100644
--- a/lass/1systems/green/config.nix
+++ b/lass/1systems/green/config.nix
@@ -57,7 +57,7 @@ with import <stockholm/lib>;
];
krebs.iptables.tables.nat.PREROUTING.rules = [
- { predicate = "-i eth0 -p tcp -m tcp --dport 22"; target = "ACCEPT"; precedence = 101; }
+ { predicate = "-i eth0 -p tcp -m tcp --dport 22"; target = "ACCEPT"; }
];
# workaround for ssh access from yubikey via android
diff --git a/lass/1systems/neoprism/config.nix b/lass/1systems/neoprism/config.nix
index e4f9d2560..89ad8cfdc 100644
--- a/lass/1systems/neoprism/config.nix
+++ b/lass/1systems/neoprism/config.nix
@@ -15,8 +15,8 @@
];
};
# krebs.iptables.tables.filter.FORWARD.rules = [
- # { v6 = false; precedence = 1000; predicate = "--destination 95.216.1.130"; target = "ACCEPT"; }
- # { v6 = false; precedence = 1000; predicate = "--source 95.216.1.130"; target = "ACCEPT"; }
+ # { v6 = false; predicate = "--destination 95.216.1.130"; target = "ACCEPT"; }
+ # { v6 = false; predicate = "--source 95.216.1.130"; target = "ACCEPT"; }
# ];
}
];
diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix
index 594a21c02..c2a405759 100644
--- a/lass/1systems/prism/config.nix
+++ b/lass/1systems/prism/config.nix
@@ -33,9 +33,9 @@ with import <stockholm/lib>;
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC6o6sdTu/CX1LW2Ff5bNDqGEAGwAsjf0iIe5DCdC7YikCct+7x4LTXxY+nDlPMeGcOF88X9/qFwdyh+9E4g0nUAZaeL14Uc14QDqDt/aiKjIXXTepxE/i4JD9YbTqStAnA/HYAExU15yqgUdj2dnHu7OZcGxk0ZR1OY18yclXq7Rq0Fd3pN3lPP1T4QHM9w66r83yJdFV9szvu5ral3/QuxQnCNohTkR6LoJ4Ny2RbMPTRtb+jPbTQYTWUWwV69mB8ot5nRTP4MRM9pu7vnoPF4I2S5DvSnx4C5zdKzsb7zmIvD4AmptZLrXj4UXUf00Xf7Js5W100Ne2yhYyhq+35 riot@lagrange"
];
};
- krebs.iptables.tables.filter.FORWARD.rules = [
- { v6 = false; precedence = 1000; predicate = "--destination 95.216.1.130"; target = "ACCEPT"; }
- { v6 = false; precedence = 1000; predicate = "--source 95.216.1.130"; target = "ACCEPT"; }
+ krebs.iptables.tables.filter.FORWARD.rules = mkBefore [
+ { v6 = false; predicate = "--destination 95.216.1.130"; target = "ACCEPT"; }
+ { v6 = false; predicate = "--source 95.216.1.130"; target = "ACCEPT"; }
];
}
{
@@ -227,13 +227,13 @@ with import <stockholm/lib>;
imports = [
<stockholm/lass/2configs/wiregrill.nix>
];
- krebs.iptables.tables.nat.PREROUTING.rules = [
- { v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; }
- { v4 = false; precedence = 1000; predicate = "-s 42:1::/32"; target = "ACCEPT"; }
+ krebs.iptables.tables.nat.PREROUTING.rules = mkOrder 999 [
+ { v6 = false; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; }
+ { v4 = false; predicate = "-s 42:1::/32"; target = "ACCEPT"; }
];
- krebs.iptables.tables.filter.FORWARD.rules = [
- { precedence = 1000; predicate = "-i wiregrill -o retiolum"; target = "ACCEPT"; }
- { precedence = 1000; predicate = "-i retiolum -o wiregrill"; target = "ACCEPT"; }
+ krebs.iptables.tables.filter.FORWARD.rules = mkBefore [
+ { predicate = "-i wiregrill -o retiolum"; target = "ACCEPT"; }
+ { predicate = "-i retiolum -o wiregrill"; target = "ACCEPT"; }
];
krebs.iptables.tables.nat.POSTROUTING.rules = [
{ v4 = false; predicate = "-s 42:1::/32 ! -d 42:1::/48"; target = "MASQUERADE"; }
@@ -252,7 +252,7 @@ with import <stockholm/lib>;
}
{
krebs.iptables.tables.filter.INPUT.rules = [
- { predicate = "-p udp --dport 60000:61000"; target = "ACCEPT";}
+ { predicate = "-p udp --dport 60000:61000"; target = "ACCEPT"; }
];
}
<stockholm/lass/2configs/murmur.nix>
diff --git a/lass/2configs/AP.nix b/lass/2configs/AP.nix
index dfffbfdf9..e38475381 100644
--- a/lass/2configs/AP.nix
+++ b/lass/2configs/AP.nix
@@ -68,8 +68,8 @@ in {
{ v6 = false; predicate = "-o br0"; target = "REJECT --reject-with icmp-port-unreachable"; }
{ v6 = false; predicate = "-i br0"; target = "REJECT --reject-with icmp-port-unreachable"; }
];
- krebs.iptables.tables.nat.PREROUTING.rules = [
- { v6 = false; predicate = "-s 10.99.0.0/24"; target = "ACCEPT"; precedence = 1000; }
+ krebs.iptables.tables.nat.PREROUTING.rules = mkBefore [
+ { v6 = false; predicate = "-s 10.99.0.0/24"; target = "ACCEPT"; }
];
krebs.iptables.tables.nat.POSTROUTING.rules = [
#TODO find out what this is about?
diff --git a/lass/2configs/container-networking.nix b/lass/2configs/container-networking.nix
index f04e4342d..0cfe193d9 100644
--- a/lass/2configs/container-networking.nix
+++ b/lass/2configs/container-networking.nix
@@ -8,8 +8,8 @@
{ v6 = false; predicate = "-o ve-+"; target = "REJECT --reject-with icmp-port-unreachable"; }
{ v6 = false; predicate = "-i ve-+"; target = "REJECT --reject-with icmp-port-unreachable"; }
];
- krebs.iptables.tables.nat.PREROUTING.rules = [
- { v6 = false; predicate = "-s 10.233.2.0/24"; target = "ACCEPT"; precedence = 1000; }
+ krebs.iptables.tables.nat.PREROUTING.rules = lib.mkBefore [
+ { v6 = false; predicate = "-s 10.233.2.0/24"; target = "ACCEPT"; }
];
krebs.iptables.tables.nat.POSTROUTING.rules = [
{ v6 = false; predicate = "-s 10.233.2.0/24 -d 224.0.0.0/24"; target = "RETURN"; }
diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix
index e649c0dea..3d7188dc6 100644
--- a/lass/2configs/default.nix
+++ b/lass/2configs/default.nix
@@ -189,28 +189,34 @@ with import <stockholm/lib>;
enable = true;
tables = {
nat.PREROUTING.rules = [
- { predicate = "-i retiolum -p tcp -m tcp --dport 22"; target = "ACCEPT"; precedence = 101; }
- { predicate = "-i wiregrill -p tcp -m tcp --dport 22"; target = "ACCEPT"; precedence = 101; }
- { predicate = "-p tcp -m tcp --dport 22"; target = "REDIRECT --to-ports 0"; precedence = 100; }
- { predicate = "-p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; precedence = 99; }
+ { predicate = "-i retiolum -p tcp -m tcp --dport 22"; target = "ACCEPT"; }
+ { predicate = "-i wiregrill -p tcp -m tcp --dport 22"; target = "ACCEPT"; }
+ { predicate = "-p tcp -m tcp --dport 22"; target = "REDIRECT --to-ports 0"; }
+ { predicate = "-p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; }
];
nat.OUTPUT.rules = [
- { predicate = "-o lo -p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; precedence = 100; }
+ { predicate = "-o lo -p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; }
];
filter.INPUT.policy = "DROP";
filter.FORWARD.policy = "DROP";
- filter.INPUT.rules = [
- { predicate = "-i retiolum -p udp --dport 60000:61000"; target = "ACCEPT";}
- { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; precedence = 10001; }
- { predicate = "-p icmp"; target = "ACCEPT"; precedence = 10000; }
- { predicate = "-p ipv6-icmp"; target = "ACCEPT"; v4 = false; precedence = 10000; }
- { predicate = "-i lo"; target = "ACCEPT"; precedence = 9999; }
- { predicate = "-p tcp --dport 22"; target = "ACCEPT"; precedence = 9998; }
- { predicate = "-p tcp -i retiolum"; target = "REJECT --reject-with tcp-reset"; precedence = -10000; }
- { predicate = "-p udp -i retiolum"; target = "REJECT --reject-with icmp-port-unreachable"; v6 = false; precedence = -10000; }
- { predicate = "-i retiolum"; target = "REJECT --reject-with icmp-proto-unreachable"; v6 = false; precedence = -10000; }
- { predicate = "-i retiolum -p udp -m udp --dport 53"; target = "ACCEPT"; }
- { predicate = "-i retiolum -p tcp --dport 19999"; target = "ACCEPT"; }
+ filter.INPUT.rules = mkMerge [
+ (mkBefore [
+ { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; }
+ { predicate = "-p icmp"; target = "ACCEPT"; }
+ { predicate = "-p ipv6-icmp"; target = "ACCEPT"; v4 = false; }
+ { predicate = "-i lo"; target = "ACCEPT"; }
+ { predicate = "-p tcp --dport 22"; target = "ACCEPT"; }
+ ])
+ (mkOrder 1000 [
+ { predicate = "-i retiolum -p udp --dport 60000:61000"; target = "ACCEPT"; }
+ { predicate = "-i retiolum -p udp -m udp --dport 53"; target = "ACCEPT"; }
+ { predicate = "-i retiolum -p tcp --dport 19999"; target = "ACCEPT"; }
+ ])
+ (mkAfter [
+ { predicate = "-p tcp -i retiolum"; target = "REJECT --reject-with tcp-reset"; }
+ { predicate = "-p udp -i retiolum"; target = "REJECT --reject-with icmp-port-unreachable"; v6 = false; }
+ { predicate = "-i retiolum"; target = "REJECT --reject-with icmp-proto-unreachable"; v6 = false; }
+ ])
];
};
};
diff --git a/lass/2configs/gg23.nix b/lass/2configs/gg23.nix
index 89ccae408..6bcbd7400 100644
--- a/lass/2configs/gg23.nix
+++ b/lass/2configs/gg23.nix
@@ -56,8 +56,8 @@ with import <stockholm/lib>;
{ v6 = false; predicate = "-o int0"; target = "REJECT --reject-with icmp-port-unreachable"; }
{ v6 = false; predicate = "-i int0"; target = "REJECT --reject-with icmp-port-unreachable"; }
];
- krebs.iptables.tables.nat.PREROUTING.rules = [
- { v6 = false; predicate = "-s 10.42.0.0/24"; target = "ACCEPT"; precedence = 1000; }
+ krebs.iptables.tables.nat.PREROUTING.rules = mkBefore [
+ { v6 = false; predicate = "-s 10.42.0.0/24"; target = "ACCEPT"; }
];
krebs.iptables.tables.nat.POSTROUTING.rules = [
{ v6 = false; predicate = "-s 10.42.0.0/24 ! -d 10.42.0.0/24"; target = "MASQUERADE"; }
diff --git a/lass/2configs/hfos.nix b/lass/2configs/hfos.nix
index f8dd2f0d2..9dafe086c 100644
--- a/lass/2configs/hfos.nix
+++ b/lass/2configs/hfos.nix
@@ -18,22 +18,22 @@ with import <stockholm/lib>;
}
];
- krebs.iptables.tables.nat.PREROUTING.rules = [
- { v6 = false; precedence = 1000; predicate = "-d 213.239.205.246 -p tcp --dport 22"; target = "DNAT --to-destination 192.168.122.208:22"; }
- { v6 = false; precedence = 1000; predicate = "-d 213.239.205.246 -p tcp --dport 25"; target = "DNAT --to-destination 192.168.122.208:25"; }
- { v6 = false; precedence = 1000; predicate = "-d 213.239.205.246 -p tcp --dport 80"; target = "DNAT --to-destination 192.168.122.208:1080"; }
- { v6 = false; precedence = 1000; predicate = "-d 213.239.205.246 -p tcp --dport 443"; target = "DNAT --to-destination 192.168.122.208:1443"; }
+ krebs.iptables.tables.nat.PREROUTING.rules = mkBefore [
+ { v6 = false; predicate = "-d 213.239.205.246 -p tcp --dport 22"; target = "DNAT --to-destination 192.168.122.208:22"; }
+ { v6 = false; predicate = "-d 213.239.205.246 -p tcp --dport 25"; target = "DNAT --to-destination 192.168.122.208:25"; }
+ { v6 = false; predicate = "-d 213.239.205.246 -p tcp --dport 80"; target = "DNAT --to-destination 192.168.122.208:1080"; }
+ { v6 = false; predicate = "-d 213.239.205.246 -p tcp --dport 443"; target = "DNAT --to-destination 192.168.122.208:1443"; }
];
- krebs.iptables.tables.filter.FORWARD.rules = [
- { v6 = false; precedence = 1000; predicate = "-d 192.168.122.208 -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; }
- { v6 = false; precedence = 1000; predicate = "-d 192.168.122.208 -p tcp --dport 25 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; }
- { v6 = false; precedence = 1000; predicate = "-d 192.168.122.208 -p tcp --dport 1080 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; }
- { v6 = false; precedence = 1000; predicate = "-d 192.168.122.208 -p tcp --dport 1443 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; }
+ krebs.iptables.tables.filter.FORWARD.rules = mkBefore [
+ { v6 = false; predicate = "-d 192.168.122.208 -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; }
+ { v6 = false; predicate = "-d 192.168.122.208 -p tcp --dport 25 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; }
+ { v6 = false; predicate = "-d 192.168.122.208 -p tcp --dport 1080 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; }
+ { v6 = false; predicate = "-d 192.168.122.208 -p tcp --dport 1443 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; }
];
- krebs.iptables.tables.nat.OUTPUT.rules = [
- { v6 = false; precedence = 1000; predicate = "-d 213.239.205.246 -p tcp --dport 443"; target = "DNAT --to-destination 192.168.122.208:1443"; }
+ krebs.iptables.tables.nat.OUTPUT.rules = mkBefore [
+ { v6 = false; predicate = "-d 213.239.205.246 -p tcp --dport 443"; target = "DNAT --to-destination 192.168.122.208:1443"; }
];
# TODO use bridge interfaces instead of this crap
diff --git a/lass/2configs/libvirt.nix b/lass/2configs/libvirt.nix
index d391e0d7b..6d07c7a77 100644
--- a/lass/2configs/libvirt.nix
+++ b/lass/2configs/libvirt.nix
@@ -20,8 +20,8 @@
krebs.iptables.tables.filter.OUTPUT.rules = [
{ v6 = false; predicate = "-o virbr0 -p udp -m udp --dport 68"; target = "ACCEPT"; }
];
- krebs.iptables.tables.nat.PREROUTING.rules = [
- { v6 = false; predicate = "-s 192.168.122.0/24"; target = "ACCEPT"; precedence = 1000; }
+ krebs.iptables.tables.nat.PREROUTING.rules = lib.mkBefore [
+ { v6 = false; predicate = "-s 192.168.122.0/24"; target = "ACCEPT"; }
];
krebs.iptables.tables.nat.POSTROUTING.rules = [
{ v6 = false; predicate = "-s 192.168.122.0/24 -d 224.0.0.0/24"; target = "RETURN"; }
diff --git a/lass/2configs/wiregrill.nix b/lass/2configs/wiregrill.nix
index ba6358ab7..a27e99ee2 100644
--- a/lass/2configs/wiregrill.nix
+++ b/lass/2configs/wiregrill.nix
@@ -16,13 +16,13 @@ in mkIf (hasAttr "wiregrill" config.krebs.build.host.nets) {
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-p udp --dport ${toString self.wireguard.port}"; target = "ACCEPT"; }
];
- krebs.iptables.tables.filter.FORWARD.rules = mkIf isRouter [
- { precedence = 1000; predicate = "-i wiregrill -o wiregrill"; target = "ACCEPT"; }
- { precedence = 1000; predicate = "-i wiregrill -o retiolum"; target = "ACCEPT"; }
- { precedence = 1000; predicate = "-i retiolum -o wiregrill"; target = "ACCEPT"; }
- { precedence = 1000; predicate = "-i wiregrill -o eth0"; target = "ACCEPT"; }
- { precedence = 1000; predicate = "-o wiregrill -m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; }
- ];
+ krebs.iptables.tables.filter.FORWARD.rules = mkIf isRouter (mkBefore [
+ { predicate = "-i wiregrill -o wiregrill"; target = "ACCEPT"; }
+ { predicate = "-i wiregrill -o retiolum"; target = "ACCEPT"; }
+ { predicate = "-i retiolum -o wiregrill"; target = "ACCEPT"; }
+ { predicate = "-i wiregrill -o eth0"; target = "ACCEPT"; }
+ { predicate = "-o wiregrill -m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; }
+ ]);
systemd.network.networks.wiregrill = {
matchConfig.Name = "wiregrill";
address =
diff --git a/lib/types.nix b/lib/types.nix
index 9f278c650..32b4541ae 100644
--- a/lib/types.nix
+++ b/lib/types.nix
@@ -146,6 +146,14 @@ rec {
}.${config._module.args.name} or {
default = "${ip4.config.addr}/32";
});
+ prefixLength = mkOption ({
+ type = uint;
+ } // {
+ retiolum.default = 16;
+ wiregrill.default = 16;
+ }.${config._module.args.name} or {
+ default = 32;
+ });
};
}));
default = null;
@@ -165,6 +173,14 @@ rec {
}.${config._module.args.name} or {
default = "${ip6.config.addr}/128";
});
+ prefixLength = mkOption ({
+ type = uint;
+ } // {
+ retiolum.default = 32;
+ wiregrill.default = 32;
+ }.${config._module.args.name} or {
+ default = 128;
+ });
};
}));
default = null;
diff --git a/tv/1systems/xu/config.nix b/tv/1systems/xu/config.nix
index 6ca62ac0d..b83d01f02 100644
--- a/tv/1systems/xu/config.nix
+++ b/tv/1systems/xu/config.nix
@@ -4,6 +4,7 @@ with import ./lib;
imports = [
<stockholm/tv>
+ ../../2configs/autotether.nix
<stockholm/tv/2configs/hw/x220.nix>
<stockholm/tv/2configs/exim-retiolum.nix>
<stockholm/tv/2configs/gitconfig.nix>
diff --git a/tv/2configs/autotether.nix b/tv/2configs/autotether.nix
new file mode 100644
index 000000000..43b5575c8
--- /dev/null
+++ b/tv/2configs/autotether.nix
@@ -0,0 +1,19 @@
+{ config, pkgs, ... }: let
+ cfg.serial = "17e064850405";
+in {
+ systemd.services.usb_tether.serviceConfig = {
+ SyslogIdentifier = "usb_tether";
+ ExecStartPre = "${pkgs.android-tools}/bin/adb -s ${cfg.serial} wait-for-device";
+ ExecStart = "${pkgs.android-tools}/bin/adb -s ${cfg.serial} shell svc usb setFunctions rndis";
+ };
+ services.udev.extraRules = /* sh */ ''
+ ACTION=="add", SUBSYSTEM=="net", KERNEL=="usb*", NAME="android"
+
+ ACTION=="add", SUBSYSTEM=="usb", ATTR{serial}=="${cfg.serial}", \
+ TAG+="systemd", ENV{SYSTEMD_WANTS}="usb_tether.service"
+ '';
+ systemd.network.networks.android = {
+ matchConfig.Name = "android";
+ DHCP = "yes";
+ };
+}
diff --git a/tv/2configs/retiolum.nix b/tv/2configs/retiolum.nix
index de77de381..1b176e0b9 100644
--- a/tv/2configs/retiolum.nix
+++ b/tv/2configs/retiolum.nix
@@ -11,6 +11,16 @@ with import ./lib;
LocalDiscovery = yes
'';
tincPackage = pkgs.tinc_pre;
+ tincUp = lib.mkIf config.systemd.network.enable "";
+ };
+ systemd.network.networks.retiolum = {
+ matchConfig.Name = "retiolum";
+ address = let
+ inherit (config.krebs.build.host.nets.retiolum) ip4 ip6;
+ in [
+ "${ip4.addr}/${toString ip4.prefixLength}"
+ "${ip6.addr}/${toString ip6.prefixLength}"
+ ];
};
tv.iptables.input-internet-accept-tcp = singleton "tinc";
tv.iptables.input-internet-accept-udp = singleton "tinc";