feat(firewall): manage config via templating

This commit is contained in:
Tine 2024-11-08 21:54:59 +01:00
parent 07a1da4410
commit eb660c668a
Signed by: mentos1386
SSH key fingerprint: SHA256:MNtTsLbihYaWF8j1fkOHfkKNlnN1JQfxEU/rBU8nCGw
15 changed files with 133 additions and 81 deletions


@ -83,15 +83,9 @@ Once tailscale is up and manually configured (see the config files for guide).
We can use automated way of maintaining config. We can use automated way of maintaining config.
``` ```
just deploy-config batuu 10.0.16.1 fd74:6a6f:0:1000:: just deploy-config
just deploy-config jakku 10.0.32.1 fd74:6a6f:0:2000::
just deploy-config nevaroo 10.0.48.1 fd74:6a6f:0:3000::
``` ```
# Static Internal IP Addresses
Any VM that requires a static IP, can add it's configuration to `openwrt/etc/config/dhcp`.
# TODO # TODO
## Use gitops for tailscale ACL. ## Use gitops for tailscale ACL.

13
configs/common.yaml Normal file

@ -0,0 +1,13 @@
firewall:
- name: "ingress.tjo.cloud"
host: "ingress.tjo.cloud"
ports:
- 22 # SSH
- 25 # SMTP (explicit TLS => STARTTLS)
- 80 # HTTP
- 143 # IMAP (explicit TLS => STARTTLS)
- 443 # HTTPS
- 465 # ESMTP (implicit TLS)
- 587 # ESMTP (explicit TLS => STARTTLS)
- 993 # IMAP4 (implicit TLS)
- 4190 # MANAGE SIEVE

8
configs/node.batuu.yaml Normal file

@ -0,0 +1,8 @@
name: "batuu"
ipv4: "10.0.16.1"
ipv6: "fd74:6a6f:0:1000::"
hosts:
ingress.tjo.cloud:
ipv4: "10.0.16.10"
ipv6: "fd74:6a6f:0:1010::1"

8
configs/node.jakku.yaml Normal file

@ -0,0 +1,8 @@
name: "jakku"
ipv4: "10.0.32.1"
ipv6: "fd74:6a6f:0:2000::"
hosts:
ingress.tjo.cloud:
ipv4: "10.0.32.10"
ipv6: "fd74:6a6f:0:2010::1"


@ -0,0 +1,8 @@
name: "nevarro"
ipv4: "10.0.48.1"
ipv6: "fd74:6a6f:0:3000::"
hosts:
ingress.tjo.cloud:
ipv4: "10.0.48.10"
ipv6: "fd74:6a6f:0:3010::1"


@ -2,7 +2,8 @@
"$schema": "https://raw.githubusercontent.com/jetify-com/devbox/0.12.0/.schema/devbox.schema.json", "$schema": "https://raw.githubusercontent.com/jetify-com/devbox/0.12.0/.schema/devbox.schema.json",
"packages": [ "packages": [
"tflint@latest", "tflint@latest",
"tenv@latest" "tenv@latest",
"gomplate@latest"
], ],
"env": { "env": {
"TENV_AUTO_INSTALL": "true" "TENV_AUTO_INSTALL": "true"


@ -1,6 +1,54 @@
{ {
"lockfile_version": "1", "lockfile_version": "1",
"packages": { "packages": {
"gomplate@latest": {
"last_modified": "2024-11-03T14:18:04Z",
"resolved": "github:NixOS/nixpkgs/4ae2e647537bcdbb82265469442713d066675275#gomplate",
"source": "devbox-search",
"version": "4.1.0",
"systems": {
"aarch64-darwin": {
"outputs": [
{
"name": "out",
"path": "/nix/store/lg9rdl6as50qi3bvq5r36g1499cz18r2-gomplate-4.1.0",
"default": true
}
],
"store_path": "/nix/store/lg9rdl6as50qi3bvq5r36g1499cz18r2-gomplate-4.1.0"
},
"aarch64-linux": {
"outputs": [
{
"name": "out",
"path": "/nix/store/98dbxhjciq984637q4sb1ndk5p2c1w6v-gomplate-4.1.0",
"default": true
}
],
"store_path": "/nix/store/98dbxhjciq984637q4sb1ndk5p2c1w6v-gomplate-4.1.0"
},
"x86_64-darwin": {
"outputs": [
{
"name": "out",
"path": "/nix/store/6n4vb7q3nvd43zv1lfv1qb30pdjagkxm-gomplate-4.1.0",
"default": true
}
],
"store_path": "/nix/store/6n4vb7q3nvd43zv1lfv1qb30pdjagkxm-gomplate-4.1.0"
},
"x86_64-linux": {
"outputs": [
{
"name": "out",
"path": "/nix/store/fila3y6icb544kr954jigi6pr2h1654h-gomplate-4.1.0",
"default": true
}
],
"store_path": "/nix/store/fila3y6icb544kr954jigi6pr2h1654h-gomplate-4.1.0"
}
}
},
"tenv@latest": { "tenv@latest": {
"last_modified": "2024-08-18T12:44:29Z", "last_modified": "2024-08-18T12:44:29Z",
"resolved": "github:NixOS/nixpkgs/ff1c2669bbb4d0dd9e62cc94f0968cfa652ceec1#tenv", "resolved": "github:NixOS/nixpkgs/ff1c2669bbb4d0dd9e62cc94f0968cfa652ceec1#tenv",


@ -21,34 +21,25 @@ destroy:
cd {{justfile_directory()}}/terraform cd {{justfile_directory()}}/terraform
tofu destroy tofu destroy
deploy-config node ipv4_subnet ipv6_subnet: configure:
#!/usr/bin/env sh #!/usr/bin/env sh
echo "Configuring {{node}}.network.tjo.cloud" set -euo pipefail
echo " - IPv4: {{ipv4_subnet}}"
echo " - IPv6: {{ipv6_subnet}}"
for file in {{justfile_directory()}}/openwrt/etc/config/* for node in $(ls configs/node.*.yaml | cut -d '.' -f 2)
do do
# Skip node specific configs echo "Configuring ${node}.network.tjo.cloud"
if [[ "$file" == *\.* ]]
then
continue
fi
echo "Deploying /etc/config/$(basename $file)" for file in {{justfile_directory()}}/openwrt/etc/config/*
export IPV4_SUBNET="{{ipv4_subnet}}" do
export IPV6_SUBNET="{{ipv6_subnet}}" echo "Deploying /etc/config/$(basename $file)"
export HOSTNAME="{{node}}.network.tjo.cloud" gomplate --file $file \
cat $file | envsubst | tailscale ssh "root@{{node}}-network-tjo-cloud" "cat > /etc/config/$(basename $file)" --datasource common=configs/common.yaml \
--datasource node=configs/node.${node}.yaml \
| tailscale ssh "root@${node}-network-tjo-cloud" "cat > /etc/config/$(basename $file)"
done
# Deploy node specific configs echo "Reboot router in 5 seconds..."
if [ -f "${file}.{{node}}" ] sleep 5
then echo "Rebooting router..."
cat "${file}.{{node}}" | envsubst | tailscale ssh "root@{{node}}-network-tjo-cloud" "cat >> /etc/config/$(basename $file)" tailscale ssh "root@${node}-network-tjo-cloud" "reboot"
fi
done done
echo "Reboot router in 5 seconds..."
sleep 5
echo "Rebooting router..."
tailscale ssh "root@{{node}}-network-tjo-cloud" "reboot"
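Review bot: The deploy pipeline `gomplate --file $file ... | tailscale ssh "root@${node}-network-tjo-cloud" "cat > /etc/config/$(basename $file)"` lets the remote `cat >` truncate the target before gomplate has produced a byte, so a template or datasource error aborts the recipe (via `set -euo pipefail`) while leaving the router with an empty `/etc/config/firewall` or `/etc/config/network` that the next reboot applies; rendering to a local temp file and pushing only a complete render avoids that. The recipe also runs under `#!/usr/bin/env sh` although `set -o pipefail` is not accepted by every `/bin/sh` (dash rejects it), and `$(ls configs/node.*.yaml | cut -d '.' -f 2)` together with the unquoted `$file` break on unusual names, so a bash shebang and a plain glob are more robust. Separately, the node name used for the ssh target comes from the filename while the hostname pushed to the router comes from `name:` in the node yaml, and this page shows both `nevaroo` (README, deleted static leases) and `nevarro` (new node file) — presumably one of them is a typo, and a mismatch would rename the router to a name it is not addressed by.
```shell
configure:
  #!/usr/bin/env bash
  set -euo pipefail
  for node_file in configs/node.*.yaml; do
    node=${node_file#configs/node.}
    node=${node%.yaml}
    echo "Configuring ${node}.network.tjo.cloud"
    for file in {{justfile_directory()}}/openwrt/etc/config/*; do
      name=$(basename -- "$file")
      echo "Deploying /etc/config/${name}"
      rendered=$(mktemp) || exit 1
      # Render locally first: only a complete, successful render reaches the router.
      gomplate --file "$file" \
        --datasource common=configs/common.yaml \
        --datasource "node=${node_file}" \
        > "$rendered"
      tailscale ssh "root@${node}-network-tjo-cloud" "cat > /etc/config/${name}" < "$rendered"
      rm -f -- "$rendered"
    done
    # … unchanged: reboot countdown and reboot …
  done
```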


@ -17,7 +17,9 @@ config dnsmasq
config dhcp 'lan' config dhcp 'lan'
option interface 'lan' option interface 'lan'
option start '1' # Skip first 100.
# Reserved for ingress.tjo.cloud and other.
option start '100'
# 1/4 of the subnet space. # 1/4 of the subnet space.
# The rest is reserved for other uses. # The rest is reserved for other uses.
option limit '1021' option limit '1021'
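Review bot: The new comment `# Skip first 100.` / `# Reserved for ingress.tjo.cloud and other.` says why the pool starts at 100 but not how `ingress.tjo.cloud` now obtains its 10.0.x.10 address, given that the `config host` static leases (MAC/DUID reservations) are removed further down in this file in the same commit; from the page it looks like those VMs are expected to configure their addresses statically, which is worth stating, e.g. `# Addresses below .100 (see configs/node.*.yaml) are configured statically on the hosts; no DHCP reservation exists for them.` The `# 1/4 of the subnet space.` comment still describes `option limit '1021'`, but with the new start the pool ends 99 addresses later than before, so confirm the intended range is still what that comment claims.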
@ -37,26 +39,3 @@ config odhcpd 'odhcpd'
option leasefile '/tmp/hosts/odhcpd' option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update' option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4' option loglevel '4'
###
# STATIC LEASES
###
### ingress.tjo.cloud
config host
option name 'nevaroo.ingress.tjo.cloud'
option ip '10.0.49.171'
option mac 'AA:BB:07:00:45:36'
option duid '00020000AB11737DBD064C59B945'
config host
option name 'jakuu.ingress.tjo.cloud'
option ip '10.0.35.19'
option mac 'AA:BB:07:00:8A:AF'
option duid '00020000ab1172c7a6dd4f3307d3'
config host
option name 'batuu.ingress.tjo.cloud'
option ip '10.0.19.126'
option mac 'AA:BB:07:00:F7:37'
option duid '00020000AB1175B0A5597B06BA82'


@ -134,3 +134,26 @@ config forwarding
config forwarding config forwarding
option src 'lan' option src 'lan'
option dest 'tailscale' option dest 'tailscale'
{{- range (ds "common").firewall }}
{{ $host := index (ds "node").hosts .host }}
{{ $name := .name }}
{{- range $port := .ports }}
# {{ $port }} - {{ $name }}
config redirect
option name 'IPv4 - {{ $port }} - {{ $name }}'
option target 'DNAT'
option src 'wan'
option src_dport '{{ $port }}'
option dest_ip '{{ $host.ipv4 }}'
option family 'ipv4'
config redirect
option name 'IPv6 - {{ $port }} - {{ $name }}'
option target 'DNAT'
option src 'wan'
option src_dport '{{ $port }}'
option dest_ip '{{ $host.ipv6 }}'
option family 'ipv6'
{{- end }}
{{- end }}
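Review bot: `{{ $host := index (ds "node").hosts .host }}` evaluates to a nil value when a node yaml does not list the host named in `common.yaml`, and `{{ $host.ipv4 }}` / `{{ $host.ipv6 }}` then fail the whole render for that node instead of skipping the rule; either guard the block with `{{ if $host }} … {{ end }}` or add a comment above the range stating that every `configs/node.*.yaml` must define every host referenced by `firewall` in `common.yaml`. The generated redirects also drop the `option dest 'lan'` that the three deleted per-node redirect files carried; for a DNAT redirect OpenWrt uses the destination zone for, among other things, NAT reflection, so if the omission is deliberate a one-line comment saying so would help, otherwise `option dest 'lan'` belongs in both the IPv4 and IPv6 stanzas.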


@ -1,7 +0,0 @@
config redirect
option dest 'lan'
option target 'DNAT'
option name 'batuu.ingress.tjo.cloud'
option src 'wan'
option src_dport '1-1000'
option dest_ip '10.0.19.126'


@ -1,7 +0,0 @@
config redirect
option dest 'lan'
option target 'DNAT'
option name 'jakku.ingress.tjo.cloud'
option src 'wan'
option src_dport '1-1000'
option dest_ip '10.0.32.19'


@ -1,7 +0,0 @@
config redirect
option dest 'lan'
option target 'DNAT'
option name 'nevaroo.ingress.tjo.cloud'
option src 'wan'
option src_dport '1-1000'
option dest_ip '10.0.49.171'


@ -11,12 +11,12 @@ config device
# LAN # LAN
config globals 'globals' config globals 'globals'
option ula_prefix '${IPV6_SUBNET}/52' option ula_prefix '{{ (ds "node").ipv6 }}/52'
config interface 'lan' config interface 'lan'
option device 'br-lan' option device 'br-lan'
option proto 'static' option proto 'static'
option ipaddr '${IPV4_SUBNET}' option ipaddr '{{ (ds "node").ipv4 }}'
option netmask '255.255.240.0' option netmask '255.255.240.0'
option ip6assign '64' option ip6assign '64'


@ -1,5 +1,5 @@
config system config system
option hostname '${HOSTNAME}' option hostname '{{ (ds "node").name }}.network.tjo.cloud'
option timezone 'UTC' option timezone 'UTC'
option ttylogin '0' option ttylogin '0'
option log_size '64' option log_size '64'