From eb660c668a38de52cfae154eb3b33f5ade81aed2 Mon Sep 17 00:00:00 2001 From: Tine Date: Fri, 8 Nov 2024 21:54:59 +0100 Subject: [PATCH] feat(firewall): manage config via templating --- README.md | 8 +---- configs/common.yaml | 13 ++++++++ configs/node.batuu.yaml | 8 +++++ configs/node.jakku.yaml | 8 +++++ configs/node.nevaroo.yaml | 8 +++++ devbox.json | 3 +- devbox.lock | 48 +++++++++++++++++++++++++++++ justfile | 41 ++++++++++-------------- openwrt/etc/config/dhcp | 27 ++-------------- openwrt/etc/config/firewall | 23 ++++++++++++++ openwrt/etc/config/firewall.batuu | 7 ----- openwrt/etc/config/firewall.jakku | 7 ----- openwrt/etc/config/firewall.nevaroo | 7 ----- openwrt/etc/config/network | 4 +-- openwrt/etc/config/system | 2 +- 15 files changed, 133 insertions(+), 81 deletions(-) create mode 100644 configs/common.yaml create mode 100644 configs/node.batuu.yaml create mode 100644 configs/node.jakku.yaml create mode 100644 configs/node.nevaroo.yaml delete mode 100644 openwrt/etc/config/firewall.batuu delete mode 100644 openwrt/etc/config/firewall.jakku delete mode 100644 openwrt/etc/config/firewall.nevaroo diff --git a/README.md b/README.md index 11cb6d8..9ba99c8 100644 --- a/README.md +++ b/README.md @@ -83,15 +83,9 @@ Once tailscale is up and manually configured (see the config files for guide). We can use automated way of maintaining config. ``` -just deploy-config batuu 10.0.16.1 fd74:6a6f:0:1000:: -just deploy-config jakku 10.0.32.1 fd74:6a6f:0:2000:: -just deploy-config nevaroo 10.0.48.1 fd74:6a6f:0:3000:: +just deploy-config ``` -# Static Internal IP Addresses - -Any VM that requires a static IP, can add it's configuration to `openwrt/etc/config/dhcp`. - # TODO ## Use gitops for tailscale ACL. diff --git a/configs/common.yaml b/configs/common.yaml new file mode 100644 index 0000000..edac7b6 --- /dev/null +++ b/configs/common.yaml 
@@ -0,0 +1,13 @@
+firewall:
+ - name: "ingress.tjo.cloud"
+ host: "ingress.tjo.cloud"
+ ports:
+ - 22 # SSH
+ - 25 # SMTP (explicit TLS => STARTTLS)
+ - 80 # HTTP
+ - 143 # IMAP (explicit TLS => STARTTLS)
+ - 443 # HTTPS
+ - 465 # ESMTP (implicit TLS)
+ - 587 # ESMTP (explicit TLS => STARTTLS)
+ - 993 # IMAP4 (implicit TLS)
+ - 4190 # MANAGE SIEVE
diff --git a/configs/node.batuu.yaml b/configs/node.batuu.yaml
new file mode 100644
index 0000000..d68ab9b
--- /dev/null
+++ b/configs/node.batuu.yaml
@@ -0,0 +1,8 @@
+name: "batuu"
+ipv4: "10.0.16.1"
+ipv6: "fd74:6a6f:0:1000::"
+
+hosts:
+ ingress.tjo.cloud:
+ ipv4: "10.0.16.10"
+ ipv6: "fd74:6a6f:0:1010::1"
diff --git a/configs/node.jakku.yaml b/configs/node.jakku.yaml
new file mode 100644
index 0000000..2f3d433
--- /dev/null
+++ b/configs/node.jakku.yaml
@@ -0,0 +1,8 @@
+name: "jakku"
+ipv4: "10.0.32.1"
+ipv6: "fd74:6a6f:0:2000::"
+
+hosts:
+ ingress.tjo.cloud:
+ ipv4: "10.0.32.10"
+ ipv6: "fd74:6a6f:0:2010::1"
diff --git a/configs/node.nevaroo.yaml b/configs/node.nevaroo.yaml
new file mode 100644
index 0000000..0ed93e1
--- /dev/null
+++ b/configs/node.nevaroo.yaml
@@ -0,0 +1,8 @@
+name: "nevarro"
+ipv4: "10.0.48.1"
+ipv6: "fd74:6a6f:0:3000::"
+
+hosts:
+ ingress.tjo.cloud:
+ ipv4: "10.0.48.10"
+ ipv6: "fd74:6a6f:0:3010::1"
diff --git a/devbox.json b/devbox.json
index 87ae00a..8102090 100644
--- a/devbox.json
+++ b/devbox.json
@@ -2,7 +2,8 @@
 "$schema": "https://raw.githubusercontent.com/jetify-com/devbox/0.12.0/.schema/devbox.schema.json",
 "packages": [
 "tflint@latest",
- "tenv@latest"
+ "tenv@latest",
+ "gomplate@latest"
 ],
 "env": {
 "TENV_AUTO_INSTALL": "true"
diff --git a/devbox.lock b/devbox.lock
index fcf0f43..f3c61c7 100644
--- a/devbox.lock
+++ b/devbox.lock
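Review bot: Port 22 in the `ports` list forwards SSH on the WAN address straight to ingress.tjo.cloud; the deleted per-node rules covered it too as part of `1-1000`, so this may well be intended, but it is worth confirming that SSH on the ingress host is meant to be reachable from the internet rather than only over tailscale. The file also carries no description of its contract: each `firewall` entry's `host` must be a key under `hosts` in every `configs/node.*.yaml`, otherwise the firewall template's `index` lookup yields no address for that node. I would add a header comment such as `# Services forwarded from wan. 'host' must exist under 'hosts' in every configs/node.*.yaml.`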
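Review bot: `name: "nevarro"` does not match the file name `node.nevaroo.yaml`, and the two are used for different things: the `configure` recipe derives `${node}` from the file name and ssh-es to `nevaroo-network-tjo-cloud`, while the `openwrt/etc/config/system` hunk sets the hostname from `(ds "node").name`, so that router would come back as `nevarro.network.tjo.cloud`, diverging from its tailscale name and from what the old `${HOSTNAME}` substitution produced. Change it to `name: "nevaroo"`. Since the name is already implied by the file name, a check in the recipe that the two agree before anything is deployed would catch this class of typo.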
@@ -1,6 +1,54 @@
 {
 "lockfile_version": "1",
 "packages": {
+ "gomplate@latest": {
+ "last_modified": "2024-11-03T14:18:04Z",
+ "resolved": "github:NixOS/nixpkgs/4ae2e647537bcdbb82265469442713d066675275#gomplate",
+ "source": "devbox-search",
+ "version": "4.1.0",
+ "systems": {
+ "aarch64-darwin": {
+ "outputs": [
+ {
+ "name": "out",
+ "path": "/nix/store/lg9rdl6as50qi3bvq5r36g1499cz18r2-gomplate-4.1.0",
+ "default": true
+ }
+ ],
+ "store_path": "/nix/store/lg9rdl6as50qi3bvq5r36g1499cz18r2-gomplate-4.1.0"
+ },
+ "aarch64-linux": {
+ "outputs": [
+ {
+ "name": "out",
+ "path": "/nix/store/98dbxhjciq984637q4sb1ndk5p2c1w6v-gomplate-4.1.0",
+ "default": true
+ }
+ ],
+ "store_path": "/nix/store/98dbxhjciq984637q4sb1ndk5p2c1w6v-gomplate-4.1.0"
+ },
+ "x86_64-darwin": {
+ "outputs": [
+ {
+ "name": "out",
+ "path": "/nix/store/6n4vb7q3nvd43zv1lfv1qb30pdjagkxm-gomplate-4.1.0",
+ "default": true
+ }
+ ],
+ "store_path": "/nix/store/6n4vb7q3nvd43zv1lfv1qb30pdjagkxm-gomplate-4.1.0"
+ },
+ "x86_64-linux": {
+ "outputs": [
+ {
+ "name": "out",
+ "path": "/nix/store/fila3y6icb544kr954jigi6pr2h1654h-gomplate-4.1.0",
+ "default": true
+ }
+ ],
+ "store_path": "/nix/store/fila3y6icb544kr954jigi6pr2h1654h-gomplate-4.1.0"
+ }
+ }
+ },
 "tenv@latest": {
 "last_modified": "2024-08-18T12:44:29Z",
 "resolved": "github:NixOS/nixpkgs/ff1c2669bbb4d0dd9e62cc94f0968cfa652ceec1#tenv",
diff --git a/justfile b/justfile
index 3525e73..5629f0a 100644
--- a/justfile
+++ b/justfile
@@ -21,34 +21,25 @@ destroy: cd {{justfile_directory()}}/terraform tofu destroy -deploy-config node ipv4_subnet ipv6_subnet: +configure: #!/usr/bin/env sh - echo "Configuring {{node}}.network.tjo.cloud" - echo " - IPv4: {{ipv4_subnet}}" - echo " - IPv6: {{ipv6_subnet}}" + set -euo pipefail - for file in {{justfile_directory()}}/openwrt/etc/config/* + for node in $(ls configs/node.*.yaml | cut -d '.' -f 2) do - # Skip node specific configs - if [[ "$file" == *\.* ]] - then - continue - fi + echo "Configuring ${node}.network.tjo.cloud" - echo "Deploying /etc/config/$(basename $file)" - export IPV4_SUBNET="{{ipv4_subnet}}" - export IPV6_SUBNET="{{ipv6_subnet}}" - export HOSTNAME="{{node}}.network.tjo.cloud" - cat $file | envsubst | tailscale ssh "root@{{node}}-network-tjo-cloud" "cat > /etc/config/$(basename $file)" + for file in {{justfile_directory()}}/openwrt/etc/config/* + do + echo "Deploying /etc/config/$(basename $file)" + gomplate --file $file \ + --datasource common=configs/common.yaml \ + --datasource node=configs/node.${node}.yaml \ + | tailscale ssh "root@${node}-network-tjo-cloud" "cat > /etc/config/$(basename $file)" + done - # Deploy node specific configs - if [ -f "${file}.{{node}}" ] - then - cat "${file}.{{node}}" | envsubst | tailscale ssh "root@{{node}}-network-tjo-cloud" "cat >> /etc/config/$(basename $file)" - fi + echo "Reboot router in 5 seconds..." + sleep 5 + echo "Rebooting router..." + tailscale ssh "root@${node}-network-tjo-cloud" "reboot" done - - echo "Reboot router in 5 seconds..." - sleep 5 - echo "Rebooting router..." - tailscale ssh "root@{{node}}-network-tjo-cloud" "reboot" diff --git a/openwrt/etc/config/dhcp b/openwrt/etc/config/dhcp index b68d3f0..4774a15 100644 --- a/openwrt/etc/config/dhcp +++ b/openwrt/etc/config/dhcp 
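Review bot: The pipeline `gomplate ... | tailscale ssh ... "cat > /etc/config/$(basename $file)"` truncates the remote file before gomplate has produced anything, so a template or datasource error (a host missing from a node file, a typo like the one in node.nevaroo.yaml) leaves an empty `/etc/config/firewall` or `network` on the router; `set -e` stops the loop, but the damage is already on disk and the next reboot brings the router up without that config. Render every template into a local temp dir first and push only once all of them rendered, staging through `/tmp` on the router so a dropped session cannot leave a half-written file either. Two smaller points: `set -o pipefail` is not POSIX and some `sh` implementations reject it under `#!/usr/bin/env sh`, so either switch the shebang to bash or drop it, and `$(ls configs/node.*.yaml | cut -d '.' -f 2)` can be a plain glob with `${f#configs/node.}` / `${node%.yaml}`. The recipe was renamed from `deploy-config` to `configure` and lost its node argument (it now reboots every router in turn), but the README hunk still documents `just deploy-config`; it should read `just configure`. The old side of this hunk appears to have lost its `for file in` line in this view, so the exact old/new alignment is uncertain.
```shell
    for node in $(ls configs/node.*.yaml | cut -d '.' -f 2)
    do
        echo "Configuring ${node}.network.tjo.cloud"
        # Render everything locally first: a template error must not truncate a config on the router.
        rendered="$(mktemp -d)"
        for file in {{justfile_directory()}}/openwrt/etc/config/*
        do
            gomplate --file "$file" \
                --datasource common=configs/common.yaml \
                --datasource node=configs/node.${node}.yaml \
                --out "${rendered}/$(basename "$file")"
        done
        for file in "${rendered}"/*
        do
            name="$(basename "$file")"
            echo "Deploying /etc/config/${name}"
            # Stage in /tmp on the router so a dropped session cannot leave a half-written file.
            tailscale ssh "root@${node}-network-tjo-cloud" "cat > /tmp/${name}.new && mv /tmp/${name}.new /etc/config/${name}" < "$file"
        done
        rm -rf "$rendered"
        # … unchanged: reboot …
    done
```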
@@ -17,7 +17,9 @@ config dnsmasq config dhcp 'lan' option interface 'lan' - option start '1' + # Skip first 100. + # Reserved for ingress.tjo.cloud and other. + option start '100' # 1/4 of the subnet space. # The rest is reserved for other uses. option limit '1021' @@ -37,26 +39,3 @@ config odhcpd 'odhcpd' option leasefile '/tmp/hosts/odhcpd' option leasetrigger '/usr/sbin/odhcpd-update' option loglevel '4' - -### -# STATIC LEASES -### - -### ingress.tjo.cloud -config host - option name 'nevaroo.ingress.tjo.cloud' - option ip '10.0.49.171' - option mac 'AA:BB:07:00:45:36' - option duid '00020000AB11737DBD064C59B945' - -config host - option name 'jakuu.ingress.tjo.cloud' - option ip '10.0.35.19' - option mac 'AA:BB:07:00:8A:AF' - option duid '00020000ab1172c7a6dd4f3307d3' - -config host - option name 'batuu.ingress.tjo.cloud' - option ip '10.0.19.126' - option mac 'AA:BB:07:00:F7:37' - option duid '00020000AB1175B0A5597B06BA82' diff --git a/openwrt/etc/config/firewall b/openwrt/etc/config/firewall index 9ce8566..c27bea7 100644 --- a/openwrt/etc/config/firewall +++ b/openwrt/etc/config/firewall @@ -134,3 +134,26 @@ config forwarding config forwarding option src 'lan' option dest 'tailscale' + +{{- range (ds "common").firewall }} +{{ $host := index (ds "node").hosts .host }} +{{ $name := .name }} +{{- range $port := .ports }} + +# {{ $port }} - {{ $name }} +config redirect + option name 'IPv4 - {{ $port }} - {{ $name }}' + option target 'DNAT' + option src 'wan' + option src_dport '{{ $port }}' + option dest_ip '{{ $host.ipv4 }}' + option family 'ipv4' +config redirect + option name 'IPv6 - {{ $port }} - {{ $name }}' + option target 'DNAT' + option src 'wan' + option src_dport '{{ $port }}' + option dest_ip '{{ $host.ipv6 }}' + option family 'ipv6' +{{- end }} +{{- end }} diff --git a/openwrt/etc/config/firewall.batuu b/openwrt/etc/config/firewall.batuu deleted file mode 100644 index 1cb0881..0000000 --- a/openwrt/etc/config/firewall.batuu +++ /dev/null 
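Review bot: The comment added above `option start '100'` says the first 100 addresses are `Reserved for ingress.tjo.cloud and other`, but with the static `config host` leases removed in the second hunk of this file nothing in the repository ties ingress.tjo.cloud to the `.10` addresses that `configs/node.*.yaml` now use as DNAT targets; presumably the VMs configure their addresses statically, and the comment should say so, e.g. `# Addresses below 100 are configured statically on the hosts themselves (see configs/node.*.yaml).` Note also that the dropped leases held different addresses (`10.0.19.126`, `10.0.35.19`, `10.0.49.171`) from the new targets, so the generated forwards only work once the hosts actually hold the new addresses; until then they point at nothing and fail silently.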
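Review bot: The generated `config redirect` stanzas in the `range $port` loop omit `option dest 'lan'`, which every deleted per-node rule (`firewall.batuu`, `.jakku`, `.nevaroo`) carried; the firewall can usually infer the zone from `dest_ip`, but stating it keeps the rules equivalent to what was deployed before and keeps the NAT-reflection behaviour explicit. They also omit `option proto`, which in OpenWrt defaults to both tcp and udp, while every port in common.yaml is a TCP service; adding `option proto 'tcp'` to both stanzas narrows the WAN exposure to what is needed. Separately, `index (ds "node").hosts .host` yields no value when a node file lacks the host and the following `$host.ipv4` then fails the render for that node, which is the right outcome but deserves a comment on the `$host` line, e.g. `{{/* fails the render if the node has no entry for this host */}}`.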
@@ -1,7 +0,0 @@ -config redirect - option dest 'lan' - option target 'DNAT' - option name 'batuu.ingress.tjo.cloud' - option src 'wan' - option src_dport '1-1000' - option dest_ip '10.0.19.126' diff --git a/openwrt/etc/config/firewall.jakku b/openwrt/etc/config/firewall.jakku deleted file mode 100644 index 7cfdaf2..0000000 --- a/openwrt/etc/config/firewall.jakku +++ /dev/null @@ -1,7 +0,0 @@ -config redirect - option dest 'lan' - option target 'DNAT' - option name 'jakku.ingress.tjo.cloud' - option src 'wan' - option src_dport '1-1000' - option dest_ip '10.0.32.19' diff --git a/openwrt/etc/config/firewall.nevaroo b/openwrt/etc/config/firewall.nevaroo deleted file mode 100644 index 8f3ee08..0000000 --- a/openwrt/etc/config/firewall.nevaroo +++ /dev/null @@ -1,7 +0,0 @@ -config redirect - option dest 'lan' - option target 'DNAT' - option name 'nevaroo.ingress.tjo.cloud' - option src 'wan' - option src_dport '1-1000' - option dest_ip '10.0.49.171' diff --git a/openwrt/etc/config/network b/openwrt/etc/config/network index 525b7c7..2d97fa9 100644 --- a/openwrt/etc/config/network +++ b/openwrt/etc/config/network @@ -11,12 +11,12 @@ config device # LAN config globals 'globals' - option ula_prefix '${IPV6_SUBNET}/52' + option ula_prefix '{{ (ds "node").ipv6 }}/52' config interface 'lan' option device 'br-lan' option proto 'static' - option ipaddr '${IPV4_SUBNET}' + option ipaddr '{{ (ds "node").ipv4 }}' option netmask '255.255.240.0' option ip6assign '64' diff --git a/openwrt/etc/config/system b/openwrt/etc/config/system index b88cb34..c78a3cf 100644 --- a/openwrt/etc/config/system +++ b/openwrt/etc/config/system @@ -1,5 +1,5 @@ config system - option hostname '${HOSTNAME}' + option hostname '{{ (ds "node").name }}.network.tjo.cloud' option timezone 'UTC' option ttylogin '0' option log_size '64'