rt1(z9 host): create host and configure networkd and nftables

resources/z9/rt1/nftables/nftables.conf

@@ -0,0 +1,111 @@
+#!/usr/sbin/nft -f
+
+## Variables
+
+# Hosts
+
+
+# Interfaces
+define if_netwan = "netwan"
+define if_netlan = "netlan"
+define if_wg55_management   = "wg55"
+define if_netwan_400_fux_uplink = "netwan.400"
+define if_netlan_51_clients = "netlan.51"
+define if_netlan_52_iot = "netlan.52"
+define if_netlan_53_public = "netlan.53"
+define if_netlan_54_management = "netlan.54"
+
+# Interface Groups
+define wan_ifs = { $if_netwan_400_fux_uplink }
+define lan_ifs = { $if_netlan_51_clients,
+                   $if_netlan_52_iot,
+                   $if_netlan_53_public,
+                   $if_netlan_54_management }
+define v4_exposed_ifs = { $if_netlan_53_public }
+define v6_exposed_ifs = { $if_netlan_53_public }
+define v4_nat_ifs = { $if_netlan_51_clients,
+                      $if_netlan_52_iot,
+                      $if_netlan_54_management }
+
+
+## Rules
+
+table inet reverse-path-forwarding {
+    chain rpf-filter {
+        type filter hook prerouting priority mangle + 10; policy drop;
+
+        # Only allow packets if their source address is routed via their incoming interface.
+        # https://github.com/NixOS/nixpkgs/blob/d9d87c51960050e89c79e4025082ed965e770d68/nixos/modules/services/networking/firewall-nftables.nix#L100
+        fib saddr . mark . iif oif exists accept
+    }
+}
+
+table inet host {
+    chain input {
+        type filter hook input priority filter; policy drop;
+
+        iifname "lo" accept comment "allow loopback"
+
+        ct state invalid drop
+        ct state established,related accept
+
+		    ip protocol icmp accept
+        # ICMPv6
+        # https://datatracker.ietf.org/doc/html/rfc4890#autoid-24
+        # Allowlist consisting of: "Traffic That Must Not Be Dropped" and "Traffic That Normally Should Not Be Dropped"
+        # Error messages that are essential to the establishment and maintenance of communications:
+        icmpv6 type { destination-unreachable, packet-too-big } accept
+        icmpv6 type { time-exceeded } accept
+        icmpv6 type { parameter-problem } accept
+        # Connectivity checking messages:
+        icmpv6 type { echo-request, echo-reply } accept
+        # Address Configuration and Router Selection messages:
+        icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert } accept
+        # Link-Local Multicast Receiver Notification messages:
+        icmpv6 type { mld-listener-query, mld-listener-report, mld-listener-done, mld2-listener-report } accept
+        # SEND Certificate Path Notification messages:
+        icmpv6 type { 148, 149 } accept
+        # Multicast Router Discovery messages:
+        icmpv6 type { 151, 152, 153 } accept
+
+        # Allow SSH access.
+        tcp dport 22 accept comment "allow ssh access"
+
+        # Allow WireGuard access.
+        udp dport 51820 accept comment "allow WireGuard access"
+
+        # Allow DHCP server access.
+		    iifname { $lan_ifs } udp dport 67 accept comment "allow dhcp server access"
+    }
+}
+
+table ip v4nat {
+    chain prerouting {
+        type nat hook prerouting priority dstnat; policy accept;
+    }
+
+    chain postrouting {
+        type nat hook postrouting priority srcnat; policy accept;
+
+        iifname { $v4_nat_ifs, $if_wg55_management } oifname $wan_ifs masquerade
+    }
+}
+
+table inet forward {
+    chain forward {
+        type filter hook forward priority filter; policy drop;
+
+        ct state invalid drop
+        ct state established,related accept
+
+        # Allow internet access.
+		    iifname { $lan_ifs, $if_wg55_management } oifname $wan_ifs accept comment "allow internet access"
+
+        # Allow access to exposed networks from internet.
+        meta nfproto ipv4 oifname $v4_exposed_ifs accept comment "allow v4 exposed network access"
+        meta nfproto ipv6 oifname $v6_exposed_ifs accept comment "allow v6 exposed network access"
+
+        # Allow clients and managment to most
+        iifname { $if_netlan_51_clients, $if_netlan_54_management, $if_wg55_management } oifname $lan_ifs accept comment "allow clients and managment to lan_ifs"
+    }
+}

resources/z9/rt1/systemd_networkd/00-netlan.link

@@ -0,0 +1,6 @@
+[Match]
+MACAddress=BC:24:11:72:A3:27
+Type=ether
+
+[Link]
+Name=netlan

resources/z9/rt1/systemd_networkd/00-netwan.link

@@ -0,0 +1,6 @@
+[Match]
+MACAddress=BC:24:11:CF:65:57
+Type=ether
+
+[Link]
+Name=netwan

resources/z9/rt1/systemd_networkd/10-netlan.51.netdev

@@ -0,0 +1,7 @@
+[NetDev]
+Name=netlan.51
+Kind=vlan
+
+[VLAN]
+Id=51
+

resources/z9/rt1/systemd_networkd/10-netlan.52.netdev

@@ -0,0 +1,7 @@
+[NetDev]
+Name=netlan.52
+Kind=vlan
+
+[VLAN]
+Id=52
+

resources/z9/rt1/systemd_networkd/10-netlan.53.netdev

@@ -0,0 +1,7 @@
+[NetDev]
+Name=netlan.53
+Kind=vlan
+
+[VLAN]
+Id=53
+

resources/z9/rt1/systemd_networkd/10-netlan.54.netdev

@@ -0,0 +1,7 @@
+[NetDev]
+Name=netlan.54
+Kind=vlan
+
+[VLAN]
+Id=54
+

resources/z9/rt1/systemd_networkd/10-netwan.400.netdev

@@ -0,0 +1,7 @@
+[NetDev]
+Name=netwan.400
+Kind=vlan
+
+[VLAN]
+Id=400
+

resources/z9/rt1/systemd_networkd/10-wg55.netdev

@@ -0,0 +1,90 @@
+[NetDev]
+Description=Admin-Wireguard
+Kind=wireguard
+Name=wg55
+
+[WireGuard]
+ListenPort=51820
+PrivateKeyFile=/etc/ansible_secrets/wireguard_wg55_privat_key
+
+# WireGuard Peers
+
+[WireGuardPeer]
+# friendly_name = stb
+AllowedIPs = 10.89.214.2/32,2a07:c481:1:37::2/128
+PublicKey = vILSL4dbaC5IaTsRhJviamV18ssxWSj+qLVyowLQ214=
+PersistentKeepalive = 30
+
+[WireGuardPeer]
+# friendly_name = fi
+AllowedIPs = 10.89.214.3/32,2a07:c481:1:37::3/128
+PublicKey = UHi/if5uW2V3+8Q3R+uk6/XpRi4fPXbw7chsKI4xlkI=
+PresharedKeyFile = /etc/ansible_secrets/wireguard_wg55_peer_fi_psk
+
+[WireGuardPeer]
+# friendly_name = jtbx
+AllowedIPs = 10.89.214.4/32,2a07:c481:1:37::4/128
+PublicKey = NyyEqdWgScgsnTF8Zz/Om4Lc84fdFMwVtvaCmLEkUlQ=
+
+[WireGuardPeer]
+# friendly_name = June
+AllowedIPs = 10.89.214.6/32,2a07:c481:1:37::6/128
+PublicKey = 6jAEB+f9przBGxPhuvv9U9gvZDEBQNqpQSD0BoGqXQQ=
+PresharedKeyFile = /etc/ansible_secrets/wireguard_wg55_peer_June_psk
+
+[WireGuardPeer]
+# friendly_name = Max
+AllowedIPs = 10.89.214.7/32,2a07:c481:1:37::7/128
+PublicKey = oC1hJjtlAgLX/CmbwTC+LPmd1uwluQTwsN8RaMNmHn0=
+PresharedKeyFile = /etc/ansible_secrets/wireguard_wg55_peer_Max_psk
+
+[WireGuardPeer]
+# friendly_name = dario
+AllowedIPs = 10.89.214.9/32,2a07:c481:1:37::9/128
+PublicKey = bYF2EGRGpEGjiKcasi/oaWoWeLsgqsF6FGaq3Z4ERww=
+PresharedKeyFile = /etc/ansible_secrets/wireguard_wg55_peer_dario_psk
+
+[WireGuardPeer]
+# friendly_name = June-mobile
+AllowedIPs = 10.89.214.11/32,2a07:c481:1:37::11/128
+PublicKey = 6edjXykegUgGjbkIG1aJyBlX1SgTKcqXXaSBVPHdKDc=
+PresharedKeyFile = /etc/ansible_secrets/wireguard_wg55_peer_June-mobile_psk
+
+[WireGuardPeer]
+# friendly_name = djerun_at_ferrum.local
+AllowedIPs = 10.89.214.12/32,2a07:c481:1:37::12/128
+PublicKey = aHbdkTHhPkd+o7wWfTua9nd72aF4OVp66zGtpaoD8Fg=
+
+[WireGuardPeer]
+# friendly_name = c6ristian
+AllowedIPs = 10.89.214.13/32,2a07:c481:1:37::13/128
+PublicKey = 6ndwj3Ur6AqfUPWuyPYXIaGZs2ujJKawSQ9LEvlYzEc=
+PresharedKeyFile = /etc/ansible_secrets/wireguard_wg55_peer_c6ristian_psk
+
+[WireGuardPeer]
+# friendly_name = langoor
+AllowedIPs = 10.89.214.14/32,2a07:c481:1:37::14/128
+PublicKey = qTnVQlQa1m4SucFFNli/xM6QWfsdWx2baRAit7Cg8RM=
+PresharedKeyFile = /etc/ansible_secrets/wireguard_wg55_peer_langoor_psk
+
+[WireGuardPeer]
+# friendly_name = langoor_home
+AllowedIPs = 10.89.214.15/32,2a07:c481:1:37::15/128
+PublicKey = NeMDs2+5rHuKO5ZYXVUR76GorgdesFUnDOFECQ3RzG4=
+PresharedKeyFile = /etc/ansible_secrets/wireguard_wg55_peer_langoor_home_psk
+
+[WireGuardPeer]
+# friendly_name = lilly-lillysLaptop
+AllowedIPs = 10.89.214.16/32 #,2a07:c481:1:37::/128
+PublicKey = IBsI+N8qUNpQnDc5HnqQ2Zo/1graFM0RMIecHmAF+Vk=
+
+[WireGuardPeer]
+# friendly_name = bitwhisker
+AllowedIPs = 10.89.214.17/32,2a07:c481:1:37::a/128
+PublicKey = DvEGvQPGi+IxeRTIA72Gx3WNINcrV9HRNB1v7mHnhjA=
+
+[WireGuardPeer]
+# friendly_name = forestcat
+AllowedIPs = 10.89.214.18/32,2a07:c481:1:37::b/128
+PublicKey = PdJ7KlIeASizj0WTY87d7oSi14/MebrhRa+L8YiPoQE=
+

resources/z9/rt1/systemd_networkd/20-netlan.network

@@ -0,0 +1,12 @@
+[Match]
+Name=netlan
+
+[Link]
+RequiredForOnline=no
+
+[Network]
+VLAN=netwan.51
+VLAN=netwan.52
+VLAN=netwan.53
+VLAN=netwan.54
+

resources/z9/rt1/systemd_networkd/20-netwan.network

@@ -0,0 +1,9 @@
+[Match]
+Name=netwan
+
+[Link]
+RequiredForOnline=no
+
+[Network]
+VLAN=netwan.400
+

resources/z9/rt1/systemd_networkd/20-wg55.network

@@ -0,0 +1,6 @@
+[Match]
+Name=wg55
+
+[Network]
+Address=10.89.214.1/24
+Address=2a07:c481:1:37::1/64

resources/z9/rt1/systemd_networkd/21-netlan.51-clients.network

@@ -0,0 +1,27 @@
+[Match]
+Name=netlan.51
+Type=vlan
+
+[Link]
+RequiredForOnline=no
+
+[Network]
+Description=clients
+
+# Masquerading done in nftables (nftables.conf).
+IPv6SendRA=yes
+
+[Address]
+Address=10.89.208.1/22
+
+[IPv6SendRA]
+UplinkInterface=netwan.400
+EmitDomains=true
+Domains=ccchh.net
+Managed=true
+
+[IPv6Prefix]
+Prefix=2a07:c481:1:33::/64
+Assign=true
+Token=static:::1
+

resources/z9/rt1/systemd_networkd/21-netlan.52-iot.network

@@ -0,0 +1,27 @@
+[Match]
+Name=netlan.52
+Type=vlan
+
+[Link]
+RequiredForOnline=no
+
+[Network]
+Description=IoT
+
+# Masquerading done in nftables (nftables.conf).
+IPv6SendRA=yes
+
+[Address]
+Address=10.89.212.1/24
+
+[IPv6SendRA]
+UplinkInterface=netwan.400
+EmitDomains=true
+Domains=ccchh.net
+Managed=true
+
+[IPv6Prefix]
+Prefix=2a07:c481:1:34::/64
+Assign=true
+Token=static:::1
+

resources/z9/rt1/systemd_networkd/21-netlan.53-public.network

@@ -0,0 +1,27 @@
+[Match]
+Name=netlan.53
+Type=vlan
+
+[Link]
+RequiredForOnline=no
+
+[Network]
+Description=public
+
+# Masquerading done in nftables (nftables.conf).
+IPv6SendRA=yes
+
+[Address]
+Address=185.161.130.65/28
+
+[IPv6SendRA]
+UplinkInterface=netwan.400
+EmitDomains=true
+Domains=ccchh.net
+Managed=true
+
+[IPv6Prefix]
+Prefix=2a07:c481:1:35::/64
+Assign=true
+Token=static:::1
+

resources/z9/rt1/systemd_networkd/21-netlan.54-management.network

@@ -0,0 +1,27 @@
+[Match]
+Name=netlan.54
+Type=vlan
+
+[Link]
+RequiredForOnline=no
+
+[Network]
+Description=Management
+
+# Masquerading done in nftables (nftables.conf).
+IPv6SendRA=yes
+
+[Address]
+Address=10.89.213.0/24
+
+[IPv6SendRA]
+UplinkInterface=netwan.400
+EmitDomains=true
+Domains=ccchh.net
+Managed=true
+
+[IPv6Prefix]
+Prefix=2a07:c481:1:36::/64
+Assign=true
+Token=static:::1
+

resources/z9/rt1/systemd_networkd/21-netwan.400-fux_uplink.network

@@ -0,0 +1,26 @@
+[Match]
+Name=netwan.400
+Type=vlan
+
+[Link]
+RequiredForOnline=no
+
+[Network]
+Description=fux-uplink
+
+DNS=185.161.128.66
+DNS=2a07:c481:0:4::2
+DNS=185.161.128.67
+DNS=2a07:c481:0:4::3
+
+IPv6AcceptRA=no
+# Masquerading done in nftables (nftables.conf).
+IPv6SendRA=no
+
+[Address]
+Address=185.161.129.134/25
+Address=2a07:c481::1:2/64
+
+[Route]
+Gateway=185.161.129.129
+Gateway=2a07:c481::1

resources/z9/rt1/systemd_networkd_global_config.conf

@@ -0,0 +1,3 @@
+[Network]
+IPv4Forwarding=true
+IPv6Forwarding=true