From 9e59bb044ab553f5122e6df26359e26e1ecfe320 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sun, 25 Feb 2024 20:50:25 +0100
Subject: [PATCH 1/3] nodes/home.*: add ipv6 site-local ip addressing and v6-only vlan
---
 nodes/home.hass.toml | 5 ++++-
 nodes/home/nas.py | 1 +
 nodes/home/router.py | 18 +++++++++++++++++-
 3 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/nodes/home.hass.toml b/nodes/home.hass.toml
index afb4bce..fab3829 100644
--- a/nodes/home.hass.toml
+++ b/nodes/home.hass.toml
@@ -6,7 +6,10 @@ bundles = [ groups = ["debian-bookworm"] [metadata.interfaces.enp1s0] -ips = ["172.19.138.25/24"] +ips = [ + "172.19.138.25/24", + "fd90:2017:0:1138::25/64", +] gateway4 = "172.19.138.1" ipv6_accept_ra = true
diff --git a/nodes/home/nas.py b/nodes/home/nas.py
index 8832b6e..9825874 100644
--- a/nodes/home/nas.py
+++ b/nodes/home/nas.py
@@ -25,6 +25,7 @@ nodes['home.nas'] = {
 'br1138': {
 'ips': {
 '172.19.138.20/24',
+'fd90:2017:0:1138::20/64',
 },
 'gateway4': '172.19.138.1',
 'ipv6_accept_ra': True,
diff --git a/nodes/home/router.py b/nodes/home/router.py
index ff03ba1..d54d230 100644
--- a/nodes/home/router.py
+++ b/nodes/home/router.py
@@ -19,6 +19,7 @@ nodes['home.router'] = {
 'enp1s0.1138': {
 'ips': {
 '172.19.138.1/24',
+'fd90:2017:0:1138::1/64',
 },
 },
 'enp1s0.1139': {
@@ -26,6 +27,11 @@ nodes['home.router'] = {
 '172.19.139.1/24',
 },
 },
+'enp1s0.2000': {
+'ips': {
+'fd90:2017:0:2000::1/64',
+},
+},
 },
 'backups': {
 'exclude_from_backups': True,
@@ -104,8 +110,17 @@ nodes['home.router'] = {
 },
 'radvd': {
 'interfaces': {
-'enp1s0.1138': {},
+'enp1s0.1138': {
+'rdnss': {
+'fd90:2017:0:1138::1',
+},
+},
 'enp1s0.1139': {},
+'enp1s0.2000': {
+'rdnss': {
+'fd90:2017:0:2000::1',
+},
+},
 },
 },
 'postfix': {
@@ -152,6 +167,7 @@ nodes['home.router'] = {
 'targets': {
 'enp1s0.1138': '1',
 'enp1s0.1139': '2',
+'enp1s0.2000': '3',
 },
 },
 'wireguard': {
From b89ba32f4c12593c2a3d97c0757c59fb8e1995d3 Mon Sep 17 00:00:00 2001
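Review bot: The radvd hunk advertises `fd90:2017:0:1138::1` and `fd90:2017:0:2000::1` as RDNSS, but at this point in the series unbound's `restrict-to` still lists only `172.19.138.0/23` (visible as context in the last hunk of PATCH 3/3), so IPv6 clients that follow the RDNSS hint are pointed at a resolver that will refuse them until the third patch lands. If the series is deployed or bisected commit by commit, the unbound `restrict-to` addition belongs in this commit, or the `rdnss` entries should move to the later one. This assumes `restrict-to` is the source ACL of the unbound bundle; confirm against the bundle. The `nodes['home.router']` literal edited here starts and ends outside the hunk.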
From: Franziska Kunsmann
Date: Sun, 25 Feb 2024 20:55:53 +0100
Subject: [PATCH 2/3] home.router: allow forwarding for new vlan
---
 nodes/home/router.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/nodes/home/router.py b/nodes/home/router.py
index d54d230..708737e 100644
--- a/nodes/home/router.py
+++ b/nodes/home/router.py
@@ -86,6 +86,8 @@ nodes['home.router'] = {
 'forward': {
 '50-router': [
 'ct state { related, established } accept',
+'iifname enp1s0.1138 accept',
+'iifname enp1s0.2000 accept',
 'ip6 nexthdr ipv6-icmp accept',
 'tcp dport 22 accept',
 ],
@@ -139,7 +141,6 @@ nodes['home.router'] = {
 'password': vault.decrypt('encrypt$gAAAAABfr8Cq5M1hweeJTQAl0dLhFntdlw-QnkIYUQpY-_ycODVWOpyeAwjwOgWLSdsdXIUvqcoiXPZPV-BE12p5C42NGnj9r7sKYpoGz8xfuGIk6haMa2g='),
 },
 'nftables-rules.d': {
-'inet filter forward iifname enp1s0.1138 accept',
 'inet filter forward iifname enp1s0.1139 oifname $INTERFACE accept',
 },
 },
From 304ce8aa543b03025193b09899e78d9da5fa0c43 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sun, 25 Feb 2024 20:56:13 +0100
Subject: [PATCH 3/3] home.router: a bit more firewall rules
---
 nodes/home/router.py | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/nodes/home/router.py b/nodes/home/router.py
index 708737e..a239cb0 100644
--- a/nodes/home/router.py
+++ b/nodes/home/router.py
@@ -102,6 +102,7 @@ nodes['home.router'] = {
 'restrict-to': {
 '172.19.136.0/25',
 '172.19.138.0/24',
+'fd90:2017::/32',
 },
 'vhosts': {
 'vnstat': {
@@ -128,6 +129,7 @@ nodes['home.router'] = {
 'postfix': {
 'mynetworks': {
 '172.19.138.0/24',
+'fd90:2017::/32',
 },
 },
 'pppd': {
@@ -147,6 +149,7 @@ nodes['home.router'] = {
 'unbound': {
 'restrict-to': {
 '172.19.138.0/23',
+'fd90:2017::/32',
 },
 },
 'users': {
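Review bot: `'iifname enp1s0.2000 accept'` in the `50-router` forward chain accepts forwarding from the new v6-only VLAN to every output interface, whereas the rule kept for VLAN 1139 in `nftables-rules.d` is limited to `oifname $INTERFACE`; the relocated 1138 rule carries the same breadth and, now living in the static chain rather than the pppd-managed rules file, presumably applies whether or not the ppp link is up. If VLAN 2000 is meant to reach only the uplink and not 1138, 1139 or the wireguard side, scope it with an oifname match, e.g. `'iifname enp1s0.2000 oifname != { enp1s0.1138, enp1s0.1139 } accept'` (constructed example; adjust to the intended policy). A one-line comment above the two new rules stating which segments each VLAN may forward into would make that intent reviewable. The `'forward'` dict and the enclosing `nodes['home.router']` literal continue outside the hunk.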
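Review bot: `'fd90:2017::/32'` is added identically to the `restrict-to` list above `vhosts`, to postfix `mynetworks` and to unbound's `restrict-to`, which is broader than the IPv4 policy beside it: the first list and `mynetworks` omit `172.19.139.0/24`, yet the /32 admits every `fd90:2017:*` prefix, including `fd90:2017:0:2000::/64` and any v6 prefix VLAN 1139 may get later. For `mynetworks` in particular this is the set of hosts allowed to relay mail, so listing the /64s actually in use, `'fd90:2017:0:1138::/64'` and, where intended, `'fd90:2017:0:2000::/64'`, keeps the v6 rules as tight as the v4 ones. The same applies to the other two hunks of this patch; the surrounding `nodes['home.router']` literal lies outside every hunk.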