tjo-cloud/network
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(firewall): manage config via templating

Browse source
This commit is contained in:
Tine 2024-11-08 21:54:59 +01:00
parent 07a1da4410
commit eb660c668a
Signed by: mentos1386
SSH key fingerprint: SHA256:MNtTsLbihYaWF8j1fkOHfkKNlnN1JQfxEU/rBU8nCGw
15 changed files with 133 additions and 81 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
README.md
View file

@ -83,15 +83,9 @@ Once tailscale is up and manually configured (see the config files for guide).
We can use automated way of maintaining config.
```
just deploy-config batuu 10.0.16.1 fd74:6a6f:0:1000::
just deploy-config jakku 10.0.32.1 fd74:6a6f:0:2000::
just deploy-config nevaroo 10.0.48.1 fd74:6a6f:0:3000::
just deploy-config
```
# Static Internal IP Addresses
Any VM that requires a static IP, can add it's configuration to `openwrt/etc/config/dhcp`.
# TODO
## Use gitops for tailscale ACL.

13
configs/common.yaml Normal file
View file

@ -0,0 +1,13 @@
firewall:
- name: "ingress.tjo.cloud"
host: "ingress.tjo.cloud"
ports:
- 22 # SSH
- 25 # SMTP (explicit TLS => STARTTLS)
- 80 # HTTP
- 143 # IMAP (explicit TLS => STARTTLS)
- 443 # HTTPS
- 465 # ESMTP (implicit TLS)
- 587 # ESMTP (explicit TLS => STARTTLS)
- 993 # IMAP4 (implicit TLS)
- 4190 # MANAGE SIEVE

8
configs/node.batuu.yaml Normal file
View file

@ -0,0 +1,8 @@
name: "batuu"
ipv4: "10.0.16.1"
ipv6: "fd74:6a6f:0:1000::"
hosts:
ingress.tjo.cloud:
ipv4: "10.0.16.10"
ipv6: "fd74:6a6f:0:1010::1"

8
configs/node.jakku.yaml Normal file
View file

@ -0,0 +1,8 @@
name: "jakku"
ipv4: "10.0.32.1"
ipv6: "fd74:6a6f:0:2000::"
hosts:
ingress.tjo.cloud:
ipv4: "10.0.32.10"
ipv6: "fd74:6a6f:0:2010::1"

8
configs/node.nevaroo.yaml Normal file
View file

@ -0,0 +1,8 @@
name: "nevarro"
ipv4: "10.0.48.1"
ipv6: "fd74:6a6f:0:3000::"
hosts:
ingress.tjo.cloud:
ipv4: "10.0.48.10"
ipv6: "fd74:6a6f:0:3010::1"

3
devbox.json
View file

@ -2,7 +2,8 @@
"$schema": "https://raw.githubusercontent.com/jetify-com/devbox/0.12.0/.schema/devbox.schema.json",
"packages": [
"tflint@latest",
"tenv@latest"
"tenv@latest",
"gomplate@latest"
],
"env": {
"TENV_AUTO_INSTALL": "true"

48
devbox.lock
View file

@ -1,6 +1,54 @@
{
"lockfile_version": "1",
"packages": {
"gomplate@latest": {
"last_modified": "2024-11-03T14:18:04Z",
"resolved": "github:NixOS/nixpkgs/4ae2e647537bcdbb82265469442713d066675275#gomplate",
"source": "devbox-search",
"version": "4.1.0",
"systems": {
"aarch64-darwin": {
"outputs": [
{
"name": "out",
"path": "/nix/store/lg9rdl6as50qi3bvq5r36g1499cz18r2-gomplate-4.1.0",
"default": true
}
],
"store_path": "/nix/store/lg9rdl6as50qi3bvq5r36g1499cz18r2-gomplate-4.1.0"
},
"aarch64-linux": {
"outputs": [
{
"name": "out",
"path": "/nix/store/98dbxhjciq984637q4sb1ndk5p2c1w6v-gomplate-4.1.0",
"default": true
}
],
"store_path": "/nix/store/98dbxhjciq984637q4sb1ndk5p2c1w6v-gomplate-4.1.0"
},
"x86_64-darwin": {
"outputs": [
{
"name": "out",
"path": "/nix/store/6n4vb7q3nvd43zv1lfv1qb30pdjagkxm-gomplate-4.1.0",
"default": true
}
],
"store_path": "/nix/store/6n4vb7q3nvd43zv1lfv1qb30pdjagkxm-gomplate-4.1.0"
},
"x86_64-linux": {
"outputs": [
{
"name": "out",
"path": "/nix/store/fila3y6icb544kr954jigi6pr2h1654h-gomplate-4.1.0",
"default": true
}
],
"store_path": "/nix/store/fila3y6icb544kr954jigi6pr2h1654h-gomplate-4.1.0"
}
}
},
"tenv@latest": {
"last_modified": "2024-08-18T12:44:29Z",
"resolved": "github:NixOS/nixpkgs/ff1c2669bbb4d0dd9e62cc94f0968cfa652ceec1#tenv",

33
justfile
View file

@ -21,34 +21,25 @@ destroy:
cd {{justfile_directory()}}/terraform
tofu destroy
deploy-config node ipv4_subnet ipv6_subnet:
configure:
#!/usr/bin/env sh
echo "Configuring {{node}}.network.tjo.cloud"
echo " - IPv4: {{ipv4_subnet}}"
echo " - IPv6: {{ipv6_subnet}}"
set -euo pipefail
for node in $(ls configs/node.*.yaml | cut -d '.' -f 2)
do
echo "Configuring ${node}.network.tjo.cloud"
for file in {{justfile_directory()}}/openwrt/etc/config/*
do
# Skip node specific configs
if [[ "$file" == *\.* ]]
then
continue
fi
echo "Deploying /etc/config/$(basename $file)"
export IPV4_SUBNET="{{ipv4_subnet}}"
export IPV6_SUBNET="{{ipv6_subnet}}"
export HOSTNAME="{{node}}.network.tjo.cloud"
cat $file | envsubst | tailscale ssh "root@{{node}}-network-tjo-cloud" "cat > /etc/config/$(basename $file)"
# Deploy node specific configs
if [ -f "${file}.{{node}}" ]
then
cat "${file}.{{node}}" | envsubst | tailscale ssh "root@{{node}}-network-tjo-cloud" "cat >> /etc/config/$(basename $file)"
fi
gomplate --file $file \
--datasource common=configs/common.yaml \
--datasource node=configs/node.${node}.yaml \
| tailscale ssh "root@${node}-network-tjo-cloud" "cat > /etc/config/$(basename $file)"
done
echo "Reboot router in 5 seconds..."
sleep 5
echo "Rebooting router..."
tailscale ssh "root@{{node}}-network-tjo-cloud" "reboot"
tailscale ssh "root@${node}-network-tjo-cloud" "reboot"
done

27
openwrt/etc/config/dhcp
View file

@ -17,7 +17,9 @@ config dnsmasq
config dhcp 'lan'
option interface 'lan'
option start '1'
# Skip first 100.
# Reserved for ingress.tjo.cloud and other.
option start '100'
# 1/4 of the subnet space.
# The rest is reserved for other uses.
option limit '1021'
@ -37,26 +39,3 @@ config odhcpd 'odhcpd'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
###
# STATIC LEASES
###
### ingress.tjo.cloud
config host
option name 'nevaroo.ingress.tjo.cloud'
option ip '10.0.49.171'
option mac 'AA:BB:07:00:45:36'
option duid '00020000AB11737DBD064C59B945'
config host
option name 'jakuu.ingress.tjo.cloud'
option ip '10.0.35.19'
option mac 'AA:BB:07:00:8A:AF'
option duid '00020000ab1172c7a6dd4f3307d3'
config host
option name 'batuu.ingress.tjo.cloud'
option ip '10.0.19.126'
option mac 'AA:BB:07:00:F7:37'
option duid '00020000AB1175B0A5597B06BA82'

23
openwrt/etc/config/firewall
View file

@ -134,3 +134,26 @@ config forwarding
config forwarding
option src 'lan'
option dest 'tailscale'
{{- range (ds "common").firewall }}
{{ $host := index (ds "node").hosts .host }}
{{ $name := .name }}
{{- range $port := .ports }}
# {{ $port }} - {{ $name }}
config redirect
option name 'IPv4 - {{ $port }} - {{ $name }}'
option target 'DNAT'
option src 'wan'
option src_dport '{{ $port }}'
option dest_ip '{{ $host.ipv4 }}'
option family 'ipv4'
config redirect
option name 'IPv6 - {{ $port }} - {{ $name }}'
option target 'DNAT'
option src 'wan'
option src_dport '{{ $port }}'
option dest_ip '{{ $host.ipv6 }}'
option family 'ipv6'
{{- end }}
{{- end }}

7
openwrt/etc/config/firewall.batuu
View file

@ -1,7 +0,0 @@
config redirect
option dest 'lan'
option target 'DNAT'
option name 'batuu.ingress.tjo.cloud'
option src 'wan'
option src_dport '1-1000'
option dest_ip '10.0.19.126'

7
openwrt/etc/config/firewall.jakku
View file

@ -1,7 +0,0 @@
config redirect
option dest 'lan'
option target 'DNAT'
option name 'jakku.ingress.tjo.cloud'
option src 'wan'
option src_dport '1-1000'
option dest_ip '10.0.32.19'

7
openwrt/etc/config/firewall.nevaroo
View file

@ -1,7 +0,0 @@
config redirect
option dest 'lan'
option target 'DNAT'
option name 'nevaroo.ingress.tjo.cloud'
option src 'wan'
option src_dport '1-1000'
option dest_ip '10.0.49.171'

4
openwrt/etc/config/network
View file

@ -11,12 +11,12 @@ config device
# LAN
config globals 'globals'
option ula_prefix '${IPV6_SUBNET}/52'
option ula_prefix '{{ (ds "node").ipv6 }}/52'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '${IPV4_SUBNET}'
option ipaddr '{{ (ds "node").ipv4 }}'
option netmask '255.255.240.0'
option ip6assign '64'

2
openwrt/etc/config/system
View file

@ -1,5 +1,5 @@
config system
option hostname '${HOSTNAME}'
option hostname '{{ (ds "node").name }}.network.tjo.cloud'
option timezone 'UTC'
option ttylogin '0'
option log_size '64'