gensokyo-zone/infrastructure
1
0
Fork 0
mirror of https://github.com/gensokyo-zone/infrastructure.git synced 2026-02-09 12:29:19 -08:00
Code Issues Projects Releases Packages Wiki Activity Actions

fix(nginx): remove meaningless address bits

Browse source
This commit is contained in:
arcnmx 2024-05-01 10:07:42 -07:00
parent 12ca25421c
commit e2a091e17a
8 changed files with 482 additions and 256 deletions
Download patch file Download diff file Expand all files Collapse all files

238
modules/nixos/access.nix
View file

@ -1,238 +0,0 @@
{
pkgs,
config,
lib,
...
}: let
inherit (lib.modules) mkIf mkMerge mkBefore mkAfter mkOptionDefault;
inherit (lib.options) mkOption mkEnableOption;
inherit (lib.lists) optionals;
inherit (lib.strings) concatStringsSep optionalString;
inherit (config.services) tailscale;
inherit (config) networking;
cfg = config.networking.access;
cidrModule = {config, ...}: {
options = with lib.types; {
all = mkOption {
type = listOf str;
readOnly = true;
};
v4 = mkOption {
type = listOf str;
default = [];
};
v6 = mkOption {
type = listOf str;
default = [];
};
};
config.all = mkOptionDefault (
config.v4
++ optionals networking.enableIPv6 config.v6
);
};
in {
options.networking.access = with lib.types; {
cidrForNetwork = mkOption {
type = attrsOf (submodule cidrModule);
default = {};
};
localaddrs = {
enable =
mkEnableOption "localaddrs"
// {
default = networking.firewall.interfaces.local.nftables.enable;
};
stateDir = mkOption {
type = path;
default = "/var/lib/localaddrs";
};
reloadScript = mkOption {
type = path;
readOnly = true;
};
nftablesInclude = mkOption {
type = lines;
readOnly = true;
};
};
};
config.networking.access = {
cidrForNetwork = {
loopback = {
v4 = [
"127.0.0.0/8"
];
v6 = [
"::1"
];
};
local = {
v4 = [
"10.1.1.0/24"
];
v6 = [
"fd0a::/64"
"fe80::/64"
];
};
int = {
v4 = [
"10.9.1.0/24"
];
v6 = [
"fd0c::/64"
];
};
tail = mkIf tailscale.enable {
v4 = [
"100.64.0.0/10"
];
v6 = [
"fd7a:115c:a1e0::/96"
"fd7a:115c:a1e0:ab12::/64"
];
};
allLan = {
v4 = cfg.cidrForNetwork.loopback.v4
++ cfg.cidrForNetwork.local.v4
++ cfg.cidrForNetwork.int.v4;
v6 = cfg.cidrForNetwork.loopback.v6
++ cfg.cidrForNetwork.local.v6
++ cfg.cidrForNetwork.int.v6;
};
allLocal = {
v4 = mkMerge [
cfg.cidrForNetwork.allLan.v4
(mkIf tailscale.enable cfg.cidrForNetwork.tail.v4)
];
v6 = mkMerge [
cfg.cidrForNetwork.allLan.v6
(mkIf tailscale.enable cfg.cidrForNetwork.tail.v6)
];
};
};
localaddrs = {
nftablesInclude = mkBefore (''
define localrange6 = 2001:568::/29
''
+ optionalString cfg.localaddrs.enable ''
include "${cfg.localaddrs.stateDir}/*.nft"
'');
reloadScript = let
localaddrs-reload = pkgs.writeShellScript "localaddrs-reload" ''
${config.systemd.package}/bin/systemctl reload localaddrs 2>/dev/null ||
${config.systemd.package}/bin/systemctl restart localaddrs ||
true
'';
in "${localaddrs-reload}";
};
moduleArgAttrs = {
inherit (cfg) cidrForNetwork localaddrs;
mkSnakeOil = pkgs.callPackage ../../packages/snakeoil.nix {};
};
};
config.networking = {
nftables.ruleset = mkBefore cfg.localaddrs.nftablesInclude;
firewall = {
interfaces.local = {
nftables.conditions = [
"ip saddr { ${concatStringsSep ", " (cfg.cidrForNetwork.local.v4 ++ cfg.cidrForNetwork.int.v4)} }"
(
mkIf networking.enableIPv6
"ip6 saddr { $localrange6, ${concatStringsSep ", " (cfg.cidrForNetwork.local.v6 ++ cfg.cidrForNetwork.int.v6)} }"
)
];
};
};
};
config.systemd.services = let
localaddrs = pkgs.writeShellScript "localaddrs" ''
set -eu
getaddrs() {
local PREFIX=$1 PATTERN=$2 IPADDRS
IPADDRS=$(${pkgs.iproute2}/bin/ip -o addr show to "$PREFIX") || return $?
IPADDRS=$(printf '%s\n' "$IPADDRS" | ${pkgs.gnugrep}/bin/grep -o "$PATTERN") || return $?
if [[ -z $IPADDRS ]]; then
return 1
fi
printf '%s\n' "$IPADDRS"
}
getaddrs4() {
getaddrs 10.1.1.0/24 '[0-9]*\.[0-9.]*/[0-9]*'
}
getaddrs6() {
getaddrs 2001:568::/29 '[0-9a-f:]*:[0-9a-f:]*/[0-9]*'
}
mkdir -p $STATE_DIRECTORY
if LOCALADDRS4=$(getaddrs4); then
printf '%s\n' "$LOCALADDRS4" > $STATE_DIRECTORY/localaddrs4
else
echo WARNING: localaddr4 not found >&2
fi
if LOCALADDRS6=$(getaddrs6); then
echo "$LOCALADDRS6" > $STATE_DIRECTORY/localaddrs6
else
echo WARNING: localaddr6 not found >&2
fi
'';
localaddrs-nftables = pkgs.writeShellScript "localaddrs-nftables" ''
set -eu
LOCALADDR6=$(head -n1 "${cfg.localaddrs.stateDir}/localaddrs6" || true)
if [[ -n $LOCALADDR6 ]]; then
printf 'redefine localrange6 = %s\n' "$LOCALADDR6" > ${cfg.localaddrs.stateDir}/ranges.nft
fi
'';
localaddrs-nginx = pkgs.writeShellScript "localaddrs-nginx" ''
set -eu
LOCALADDR6=$(head -n1 "${cfg.localaddrs.stateDir}/localaddrs6" || true)
if [[ -n $LOCALADDR6 ]]; then
printf 'allow %s;\n' "$LOCALADDR6" > ${cfg.localaddrs.stateDir}/allow.nginx.conf
fi
LOCALADDR4=$(head -n1 "${cfg.localaddrs.stateDir}/localaddrs4" || true)
if [[ -n $LOCALADDR4 ]]; then
printf 'allow %s;\n' "$LOCALADDR4" >> ${cfg.localaddrs.stateDir}/allow.nginx.conf
fi
'';
in {
localaddrs = mkIf cfg.localaddrs.enable {
unitConfig = {
After = ["network-online.target"];
};
serviceConfig = rec {
StateDirectory = "localaddrs";
ExecStart = mkMerge [
["${localaddrs}"]
(mkIf networking.nftables.enable (mkAfter [
"${localaddrs-nftables}"
]))
(mkIf config.services.nginx.enable (mkAfter [
"${localaddrs-nginx}"
]))
];
ExecReload = ExecStart;
Type = "oneshot";
RemainAfterExit = true;
};
};
nftables = mkIf (networking.nftables.enable && cfg.localaddrs.enable) rec {
wants = ["localaddrs.service"];
serviceConfig = {
ExecReload = mkBefore [
"+${cfg.localaddrs.reloadScript}"
];
};
};
nginx = mkIf (config.services.nginx.enable && cfg.localaddrs.enable) rec {
wants = ["localaddrs.service"];
after = wants;
serviceConfig = {
ExecReload = mkBefore [
"+${cfg.localaddrs.reloadScript}"
];
};
};
};
}

116
modules/nixos/access/cidr.nix Normal file
View file

@ -0,0 +1,116 @@
{
pkgs,
config,
lib,
...
}: let
inherit (lib.modules) mkIf mkMerge mkOptionDefault;
inherit (lib.options) mkOption;
inherit (lib.lists) optionals;
inherit (lib.strings) concatStringsSep;
inherit (config.services) tailscale;
inherit (config) networking;
cfg = config.networking.access;
cidrModule = {config, ...}: {
options = with lib.types; {
all = mkOption {
type = listOf str;
readOnly = true;
};
v4 = mkOption {
type = listOf str;
default = [];
};
v6 = mkOption {
type = listOf str;
default = [];
};
};
config.all = mkOptionDefault (
config.v4
++ optionals networking.enableIPv6 config.v6
);
};
in {
options.networking.access = with lib.types; {
cidrForNetwork = mkOption {
type = attrsOf (submodule cidrModule);
default = {};
};
};
config.networking.access = {
cidrForNetwork = {
loopback = {
v4 = [
"127.0.0.0/8"
];
v6 = [
"::1"
];
};
local = {
v4 = [
"10.1.1.0/24"
];
v6 = [
"fd0a::/64"
"fe80::/64"
];
};
int = {
v4 = [
"10.9.1.0/24"
];
v6 = [
"fd0c::/64"
];
};
tail = mkIf tailscale.enable {
v4 = [
"100.64.0.0/10"
];
v6 = [
"fd7a:115c:a1e0::/96"
"fd7a:115c:a1e0:ab12::/64"
];
};
allLan = {
v4 = cfg.cidrForNetwork.loopback.v4
++ cfg.cidrForNetwork.local.v4
++ cfg.cidrForNetwork.int.v4;
v6 = cfg.cidrForNetwork.loopback.v6
++ cfg.cidrForNetwork.local.v6
++ cfg.cidrForNetwork.int.v6;
};
allLocal = {
v4 = mkMerge [
cfg.cidrForNetwork.allLan.v4
(mkIf tailscale.enable cfg.cidrForNetwork.tail.v4)
];
v6 = mkMerge [
cfg.cidrForNetwork.allLan.v6
(mkIf tailscale.enable cfg.cidrForNetwork.tail.v6)
];
};
};
moduleArgAttrs = {
inherit (cfg) cidrForNetwork;
mkSnakeOil = pkgs.callPackage ../../../packages/snakeoil.nix {};
};
};
config.networking = {
firewall = {
interfaces.local = {
nftables.conditions = [
"ip saddr { ${concatStringsSep ", " (cfg.cidrForNetwork.local.v4 ++ cfg.cidrForNetwork.int.v4)} }"
(
mkIf networking.enableIPv6
"ip6 saddr { ${concatStringsSep ", " (cfg.cidrForNetwork.local.v6 ++ cfg.cidrForNetwork.int.v6)} }"
)
];
};
};
};
}

166
modules/nixos/access/local.nix Normal file
View file

@ -0,0 +1,166 @@
{
pkgs,
config,
lib,
...
}: let
inherit (lib.modules) mkIf mkMerge mkBefore mkAfter;
inherit (lib.options) mkOption mkEnableOption;
inherit (lib.strings) optionalString;
inherit (config) networking;
cfg = config.networking.access.localaddrs;
in {
options.networking.access.localaddrs = with lib.types; {
enable =
mkEnableOption "localaddrs"
// {
default = networking.firewall.interfaces.local.nftables.enable;
};
stateDir = mkOption {
type = path;
default = "/var/lib/localaddrs";
};
reloadScript = mkOption {
type = path;
readOnly = true;
};
nftablesInclude = mkOption {
type = lines;
readOnly = true;
};
};
config.networking.access = {
localaddrs = {
nftablesInclude = mkBefore (''
define localrange6 = 2001:568::/29
''
+ optionalString cfg.enable ''
include "${cfg.stateDir}/*.nft"
'');
reloadScript = let
localaddrs-reload = pkgs.writeShellScript "localaddrs-reload" ''
${config.systemd.package}/bin/systemctl reload localaddrs 2>/dev/null ||
${config.systemd.package}/bin/systemctl restart localaddrs ||
true
'';
in "${localaddrs-reload}";
};
moduleArgAttrs = {
inherit (cfg) localaddrs;
};
};
config.networking = {
nftables.ruleset = mkIf cfg.enable (mkBefore cfg.nftablesInclude);
firewall = {
interfaces.local = {
nftables.conditions = mkIf (cfg.enable && networking.enableIPv6) [ "ip6 saddr $localrange6" ];
};
};
};
config.systemd.services = let
localaddrs = pkgs.writeShellScript "localaddrs" ''
set -eu
getaddrs() {
local PREFIX=$1 PATTERN=$2 IPADDRS
IPADDRS=$(${pkgs.iproute2}/bin/ip -o addr show to "$PREFIX") || return $?
IPADDRS=$(printf '%s\n' "$IPADDRS" | ${pkgs.gnugrep}/bin/grep -o "$PATTERN") || return $?
if [[ -z $IPADDRS ]]; then
return 1
fi
printf '%s\n' "$IPADDRS"
}
getaddrs4() {
getaddrs 10.1.1.0/24 '[0-9]*\.[0-9.]*/[0-9]*'
}
getaddrs6() {
getaddrs 2001:568::/29 '[0-9a-f:]*:[0-9a-f:]*/[0-9]*'
}
stripcidr() {
local IPADDR
while read -r IPADDR; do
if [[ $IPADDR = ?*:?*:?*:?*:?*:?*:?*:?*/64 ]]; then
echo ''${IPADDR%:?*:?*:?*:?*/64}::/64
elif [[ $IPADDR = ?*:?*:?*:?*::*/64 ]] || [[ $IPADDR = ?*::?*:?*:?*:?*/64 ]]; then
echo ''${IPADDR%::*/64}::/64
elif [[ $IPADDR = *.*.*.*/24 ]]; then
echo "''${IPADDR%.*/24}.0/24"
else
echo "WARNING: localaddrs failed to parse CIDR: $IPADDR" >&2
echo "$IPADDR"
fi
done
}
mkdir -p $STATE_DIRECTORY
if LOCALADDRS4=$(getaddrs4); then
printf '%s\n' "$LOCALADDRS4" > $STATE_DIRECTORY/localaddrs4
stripcidr <<<"$LOCALADDRS4" > $STATE_DIRECTORY/localcidrs4
else
echo WARNING: localaddr4 not found >&2
fi
if LOCALADDRS6=$(getaddrs6); then
echo "$LOCALADDRS6" > $STATE_DIRECTORY/localaddrs6
stripcidr <<<"$LOCALADDRS6" > $STATE_DIRECTORY/localcidrs6
else
echo WARNING: localaddr6 not found >&2
fi
'';
localaddrs-nftables = pkgs.writeShellScript "localaddrs-nftables" ''
set -eu
LOCALADDR6=$(head -n1 "${cfg.stateDir}/localcidrs6" || true)
if [[ -n $LOCALADDR6 ]]; then
printf 'redefine localrange6 = %s\n' "$LOCALADDR6" > ${cfg.stateDir}/ranges.nft
fi
'';
localaddrs-nginx = pkgs.writeShellScript "localaddrs-nginx" ''
set -eu
LOCALADDR6=$(head -n1 "${cfg.stateDir}/localcidrs6" || true)
if [[ -n $LOCALADDR6 ]]; then
printf 'allow %s;\n' "$LOCALADDR6" > ${cfg.stateDir}/allow.nginx.conf
fi
LOCALADDR4=$(head -n1 "${cfg.stateDir}/localcidrs4" || true)
if [[ -n $LOCALADDR4 ]]; then
printf 'allow %s;\n' "$LOCALADDR4" >> ${cfg.stateDir}/allow.nginx.conf
fi
'';
in {
localaddrs = mkIf cfg.enable {
unitConfig = {
After = ["network-online.target"];
};
serviceConfig = rec {
StateDirectory = "localaddrs";
ExecStart = mkMerge [
["${localaddrs}"]
(mkIf networking.nftables.enable (mkAfter [
"${localaddrs-nftables}"
]))
(mkIf config.services.nginx.enable (mkAfter [
"${localaddrs-nginx}"
]))
];
ExecReload = ExecStart;
Type = "oneshot";
RemainAfterExit = true;
};
};
nftables = mkIf (networking.nftables.enable && cfg.enable) {
wants = ["localaddrs.service"];
serviceConfig = {
ExecReload = mkBefore [
"+${cfg.reloadScript}"
];
};
};
nginx = mkIf (config.services.nginx.enable && cfg.enable) rec {
wants = ["localaddrs.service"];
after = wants;
serviceConfig = {
ExecReload = mkBefore [
"+${cfg.reloadScript}"
];
};
};
};
}

53
modules/nixos/access/peeps.nix Normal file
View file

@ -0,0 +1,53 @@
{
config,
options,
lib,
...
}: let
inherit (lib.options) mkOption mkEnableOption;
inherit (lib.modules) mkIf mkMerge mkBefore mkDefault;
inherit (lib.attrsets) mapAttrsToList mapAttrs' nameValuePair;
inherit (lib.strings) concatStringsSep;
inherit (config) networking;
cfg = config.networking.access.peeps;
mkSopsName = name: "access-peeps-nft-${name}";
mkNftName = name: "peeps_${name}6";
hasSops = options ? sops.secrets;
in {
options.networking.access.peeps = with lib.types; {
enable = mkEnableOption "peeps" // { default = hasSops; };
ranges = mkOption {
type = attrsOf str;
default = { };
};
stateDir = mkOption {
type = path;
default = "/run/access/peeps";
};
};
config.${if hasSops then "sops" else null}.secrets = let
sopsFile = mkDefault ../../../nixos/secrets/access.yaml;
sopsSecrets = mapAttrs' (name: _: nameValuePair (mkSopsName name) {
inherit sopsFile;
path = mkDefault "${cfg.stateDir}/${name}.nft";
}) cfg.ranges;
in mkIf cfg.enable sopsSecrets;
config.networking = let
nftRanges = mapAttrsToList (name: range: let
nft = "define ${mkNftName name} = ${range}";
in mkBefore nft) cfg.ranges;
condition = "ip6 saddr { ${concatStringsSep "," (mapAttrsToList (name: _: "$" + mkNftName name) cfg.ranges)} }";
in {
nftables.ruleset = mkIf cfg.enable (mkMerge (
nftRanges
++ [ (mkBefore ''include "${cfg.stateDir}/*.nft"'') ]
));
firewall.interfaces.peeps = {
nftables.enable = cfg.enable;
nftables.conditions = [
(mkIf (cfg.enable && networking.enableIPv6) condition)
];
};
};
}