architect: port firewall to networking attrset

2023-05-12 14:28:58 +02:00 · 2023-05-12 14:28:58 +02:00 · e5aab58be7
commit e5aab58be7
parent 1e19a08665
1 changed files with 58 additions and 33 deletions
--- a/hosts/architect/firewall.nix
+++ b/hosts/architect/firewall.nix
@ -1,13 +1,38 @@
 { config, lib, ... }:

-with import ./network.nix;
-with lib;
-
 let
-  openTCP = concatMapStringsSep "," (x: toString x) config.architect.firewall.openTCP;
-  openUDP = concatMapStringsSep "," (x: toString x) config.architect.firewall.openUDP;
-  openTCPVPN = concatMapStringsSep "," (x: toString x) config.architect.firewall.openTCPVPN;
-  openUDPVPN = concatMapStringsSep "," (x: toString x) config.architect.firewall.openUDPVPN;
+  openTCP = lib.concatMapStringsSep "," (x: toString x) config.architect.firewall.openTCP;
+  openUDP = lib.concatMapStringsSep "," (x: toString x) config.architect.firewall.openUDP;
+  openTCPVPN = lib.concatMapStringsSep "," (x: toString x) config.architect.firewall.openTCPVPN;
+  openUDPVPN = lib.concatMapStringsSep "," (x: toString x) config.architect.firewall.openUDPVPN;
+
+  deviceAddress = interface: device: 
+    config.architect.networks.${interface}.devices.${device}.address;
+    
+  gdevices = [
+    (deviceAddress "tailscale" "architect")
+    (deviceAddress "tailscale" "dodino")
+    (deviceAddress "tailscale" "manduria")
+    (deviceAddress "tailscale" "kmerr")
+    (deviceAddress "tailscale" "chuck")
+  ];
+
+  wireguardToWAN = [
+    (deviceAddress "wireguard" "shield")
+    (deviceAddress "wireguard" "parina")
+    (deviceAddress "wireguard" "parina-ipad")
+    (deviceAddress "wireguard" "germano")
+  ];
+
+  frameccaDevices = [
+    (deviceAddress "wireguard" "framecca")
+    (deviceAddress "wireguard" "framecca_one")
+    (deviceAddress "wireguard" "framecca_two")
+    (deviceAddress "wireguard" "framecca_three")
+    (deviceAddress "wireguard" "framecca_four")
+  ];
+  
+  clientToClientWireguard = frameccaDevices;
 in
 {
  networking = {
@ -17,7 +42,7 @@ in

    nftables = {
      enable = true;
-      ruleset = ''
+      ruleset = with config.architect.networks; ''
        table ip raw {
          chain PREROUTING {
            type filter hook prerouting priority raw; policy accept;
@ -43,11 +68,11 @@ in

          chain POSTROUTING {
            type nat hook postrouting priority srcnat; policy accept;
-            oifname ${wan-if} ip saddr {${
-              lib.concatStringsSep "," towan-wg
+            oifname ${lan.interface} ip saddr {${
+              lib.concatStringsSep "," wireguardToWAN
            }} masquerade
-            oifname ${wan-if} ip saddr ${docker-net} masquerade
-            oifname ${wan-if} ip saddr ${tailscale-net} masquerade
+            oifname ${lan.interface} ip saddr ${docker.net} masquerade
+            oifname ${lan.interface} ip saddr ${tailscale.net} masquerade
          }
        }

@ -57,13 +82,13 @@ in
            ct state invalid,untracked drop comment "drop invalid"
            ip daddr 255.255.255.255 accept comment "allow broadcast traffic"
            ip daddr 224.0.0.0/4 accept comment "allow multicast traffic"
-            iifname ${wan-if} ip saddr ${vpn-net} drop comment "bind any ip to intf ${wan-if}"
-            iifname ${wan-if} ip saddr 127.0.0.0/8 drop comment "bind any ip to intf ${wan-if}"
-            iifname ${wan-if} accept comment "bind any ip to intf ${wan-if}"
-            iifname ${vpn-if} ip saddr ${vpn-net} accept comment "bind ip ${vpn-net} to intf ${vpn-if}"
-            iifname ${docker-if} ip saddr ${docker-net} accept comment "bind ip ${docker-net} to intf ${docker-if}"
-            iifname ${tailscale-if} ip saddr ${tailscale-net} accept
-            iifname ${tailscale-if} ip saddr 100.100.100.100/32 accept
+            iifname ${lan.interface} ip saddr ${wireguard.net} drop comment "bind any ip to intf ${lan.interface}"
+            iifname ${lan.interface} ip saddr 127.0.0.0/8 drop comment "bind any ip to intf ${lan.interface}"
+            iifname ${lan.interface} accept comment "bind any ip to intf ${lan.interface}"
+            iifname ${wireguard.interface} ip saddr ${wireguard.net} accept comment "bind ip ${wireguard.net} to intf ${wireguard.interface}"
+            iifname ${docker.interface} ip saddr ${docker.net} accept comment "bind ip ${docker.net} to intf ${docker.interface}"
+            iifname ${tailscale.interface} ip saddr ${tailscale.net} accept
+            iifname ${tailscale.interface} ip saddr 100.100.100.100/32 accept
            iifname "lo" accept comment "bind any ip to intf lo"
            jump mangle_drop
          }
@ -116,17 +141,17 @@ in
            iifname "lo" accept comment "loopback"
            ip daddr 255.255.255.255 accept comment "allow broadcast traffic"
            ip daddr 224.0.0.0/4 accept comment "allow multicast traffic"
-            ip saddr ${lan-net} accept comment "lan > local"
-            ip saddr ${tailscale-net} accept comment "tailscale > local"
+            ip saddr ${lan.net} accept comment "lan > local"
+            ip saddr ${tailscale.net} accept comment "tailscale > local"
            ip saddr {${lib.concatStringsSep "," gdevices}} accept comment "vpn > local"

-            iifname ${wan-if} tcp dport {${openTCP}} accept
-            iifname ${wan-if} udp dport {${openUDP}} accept
-            iifname ${vpn-if} tcp dport {${openTCPVPN}} accept
-            iifname ${vpn-if} udp dport {${openUDPVPN}} accept
+            iifname ${lan.interface} tcp dport {${openTCP}} accept
+            iifname ${lan.interface} udp dport {${openUDP}} accept
+            iifname ${wireguard.interface} tcp dport {${openTCPVPN}} accept
+            iifname ${wireguard.interface} udp dport {${openUDPVPN}} accept
                      
-            iifname ${vpn-if} icmp type echo-request accept
-            iifname ${docker-if} udp dport 53 accept
+            iifname ${wireguard.interface} icmp type echo-request accept
+            iifname ${docker.interface} udp dport 53 accept
            jump filter_drop
          }

@ -135,17 +160,17 @@ in
            ct state established,related accept

            # client to client
-            ip saddr {${lib.concatStringsSep "," c2c-wg}} ip daddr {${
-               lib.concatStringsSep "," c2c-wg
+            ip saddr {${lib.concatStringsSep "," clientToClientWireguard}} ip daddr {${
+               lib.concatStringsSep "," clientToClientWireguard
            }} accept                    
                    
            # nat to wan
-            oifname ${wan-if} ip saddr {${
-              lib.concatStringsSep "," towan-wg
+            oifname ${lan.interface} ip saddr {${
+              lib.concatStringsSep "," wireguardToWAN
            }} accept

-            oifname ${wan-if} ip saddr ${docker-net} accept
-            oifname ${wan-if} ip saddr ${tailscale-net} accept
+            oifname ${lan.interface} ip saddr ${docker.net} accept
+            oifname ${lan.interface} ip saddr ${tailscale.net} accept
                    
            jump filter_drop
          }