├── .github ├── .gitignore └── renovate.json5 ├── .gitignore ├── .sops.yaml ├── LICENSE ├── README.md ├── apply-config.sh ├── bootstrap ├── .gitignore └── bootstrap.sh ├── config-parts ├── .gitignore ├── container.sh ├── firewall-ipv4.sh ├── firewall-zone.sh ├── firewall.sh ├── interfaces.sh ├── nat.sh ├── protocols.sh ├── service-dhcp_server.sh ├── service.sh └── system.sh ├── containers ├── .gitignore ├── bind │ ├── .gitignore │ └── config │ │ ├── named.conf │ │ └── zones │ │ ├── db.1.10.in-addr.arpa │ │ ├── db.bjw-s.casa │ │ ├── db.bjw-s.dev │ │ └── db.unifi ├── blocky │ ├── .gitignore │ └── config │ │ └── config.yml ├── dnsdist │ ├── .gitignore │ └── config │ │ └── dnsdist.conf ├── haproxy │ ├── .gitignore │ └── config │ │ └── haproxy.cfg └── unifi │ ├── .gitignore │ └── .gitkeep └── scripts ├── .gitignore ├── mount_usb.sh ├── task-config-backup-usb.sh ├── vyos-postconfig-bootup.script └── vyos-preconfig-bootup.script /.github/.gitignore: -------------------------------------------------------------------------------- 1 | # Ignore everything 2 | /* 3 | 4 | # Track certain files and directories 5 | !.gitignore 6 | !renovate.json5 7 | 8 | !/workflows/ 9 | /workflows/* 10 | !/workflows/**.yaml 11 | -------------------------------------------------------------------------------- /.github/renovate.json5: -------------------------------------------------------------------------------- 1 | { 2 | $schema: "https://docs.renovatebot.com/renovate-schema.json", 3 | extends: [ 4 | "github>bjw-s/renovate-config", 5 | "github>bjw-s/renovate-config:automerge-github-actions", 6 | ], 7 | regexManagers: [ 8 | { 9 | description: ["Generic Docker image Regex manager"], 10 | fileMatch: ["config-parts/.+\\.sh$"], 11 | matchStrings: [ 12 | "set container name .* image '?(?.*?):(?[^'\n]*=?)'?", 13 | ], 14 | datasourceTemplate: "docker", 15 | }, 16 | ], 17 | packageRules: [ 18 | { 19 | description: "1Password Connect images", 20 | groupName: "1password-connect", 21 | matchPackageNames: 
[ 22 | "docker.io/1password/connect-sync", 23 | "docker.io/1password/connect-api", 24 | ], 25 | matchDatasources: ["docker"], 26 | group: { 27 | commitMessageTopic: "{{{groupName}}} group", 28 | }, 29 | separateMinorPatch: true, 30 | }, 31 | ], 32 | } 33 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Ignore everything 2 | /* 3 | 4 | # Track certain files and directories 5 | !.gitignore 6 | !/.sops.yaml 7 | !/apply-config.sh 8 | !/LICENSE 9 | !/README.md 10 | 11 | # VyOS config 12 | !bootstrap/ 13 | !config-parts/ 14 | !containers/ 15 | !scripts/ 16 | 17 | # CI 18 | !.github/ 19 | -------------------------------------------------------------------------------- /.sops.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | creation_rules: 3 | - path_regex: .*\.sops\.env 4 | # Personal, VyOS 5 | age: >- 6 | age1uk0y2ahfavgsgqvrtg5a22w5gytpdmjuatxtcw6kntmxhlcgreesuwzw5s, 7 | age1px5u0v9cm60mturyp7lmv6ceudwx2vqxgqtnmfkunwye78k8tcxqdh26zp 8 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. 
For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 
47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. 
Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. 
You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 
122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. 
In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. 
We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright [yyyy] [name of copyright owner] 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ## vyos-config 2 | 3 | ### Notice of archival (2024-04-25) 4 | 5 | Due to the way VyOS has been [handling their community recently](https://blog.vyos.io/community-contributors-userbase-and-lts-builds) I have decided to step away from VyOS as my router platform and have archived this repository. 
6 |
--------------------------------------------------------------------------------
/apply-config.sh:
--------------------------------------------------------------------------------
1 | #!/bin/vbash
2 | # shellcheck shell=bash
3 | # shellcheck source=/dev/null
# Purpose: render the container config templates under containers/ (secrets
# substituted from the sops-encrypted env file), rebuild the VyOS configuration
# from the factory default out of /config/config-parts/*.sh and show the
# resulting diff. Without -c this is a dry run; with -c the session is committed
# and saved, container images are reconciled and changed containers restarted.
4 | dry_run=true
5 |
# A configuration session needs the vyattacfg group; re-exec under sg otherwise.
# NOTE(review): $* is re-parsed by the shell that sg spawns. That is fine for the
# bare -c flag this script accepts, but arguments containing whitespace or shell
# metacharacters would not survive the round trip.
6 | if [[ "$(id -g -n)" != 'vyattacfg' ]] ; then
7 | exec sg vyattacfg -c "/bin/vbash $(readlink -f "$0") $*"
8 | fi
9 |
# Only -c is accepted; anything else is a usage error.
10 | while getopts "c" options; do
11 | case "${options}" in
12 | # -c Commit changes - default is dry-run
13 | c)
14 | echo 'Will commit changes'
15 | dry_run=false
16 | ;;
17 | *)
18 | echo 'error in command line parsing' >&2
19 | exit 1
20 | ;;
21 | esac
22 | done
23 |
24 | # Load secrets into ENV vars
# The env file is decrypted with the age key kept on the router and every
# KEY=VALUE line is exported, so the values are visible to this shell, to every
# child process it starts (envsubst, awk, the VyOS helpers) and to the
# config-parts scripts sourced below, which reference them as ${SECRET_*}.
25 | if [[ -f "/config/secrets.sops.env" ]]; then
26 | export SOPS_AGE_KEY_FILE=/config/secrets/age.key
27 |
# mapfile without -t keeps the trailing newline on each element; it is stripped
# again on line 34. Only whole-line comments and blank lines are dropped here.
28 | mapfile environmentAsArray < <(
29 | sops --decrypt "/config/secrets.sops.env" |
30 | grep --invert-match '^#' |
31 | grep --invert-match '^\s*$'
32 | ) # Uses grep to remove commented and blank lines
33 | for variableDeclaration in "${environmentAsArray[@]}"; do
34 | export "${variableDeclaration//[$'\r\n']/}" # The substitution removes the line breaks
35 | done
36 | fi
37 |
38 | # Apply environment to container (configuration) files
# For every *.tmpl under containers/ the rendered output is hashed; the hash is
# kept in a .sha256 sidecar next to the template and the file is only rewritten
# (and its container scheduled for a restart) when the rendered content changed.
# The rendered file carries the substituted secrets in clear text, so it must
# stay out of version control (containers/.gitignore is presumably what covers
# it — its contents are not shown here).
39 | restart_containers=""
# -d '' pairs with find's -print0 below, so file names containing whitespace are
# handled.
40 | while IFS= read -r -d '' file
41 | do
42 | cfgfile="${file%.tmpl}"
43 |
# A missing sidecar is seeded with a value that can never equal a real digest,
# which forces the first render.
44 | shafile="${file}.sha256"
45 | if ! test -e "${shafile}"; then
46 | echo "rebuild" >"${shafile}"
47 | fi
48 |
# The digest is of the rendered (secret-substituted) content, not of the template.
49 | newsha=$(envsubst <"${file}" | shasum -a 256 | awk '{print $1}')
50 | oldsha=$(cat "${shafile}")
51 |
52 | if ! test "${newsha}" == "${oldsha}"; then
53 | echo "Configuration changed for ${file}"
# Only a real run writes the rendered file and updates the sidecar; a dry run
# reports the change but leaves both untouched.
54 | if ! "${dry_run}"; then
55 | envsubst <"${file}" >"${cfgfile}"
56 | echo "${newsha}" >"${shafile}"
# BUG(review): ${file} comes from `find containers ...` (line 60), so it always
# starts with "containers/" and field 1 of the "/" split is the literal string
# "containers", never the container's directory. The loop on line 113 then asks
# VyOS to restart a container named "containers" and the container whose config
# actually changed keeps running with the old file. Field 2 would yield the
# directory name, but directory and container name can differ too
# (config-parts/container.sh mounts containers/haproxy/ into haproxy-k8s-api).
57 | restart_containers="${restart_containers} $(echo "${file}" | awk -F / '{print $1}')"
58 | fi
59 | fi
60 | done < <(find containers -type f -name "*.tmpl" -print0)
61 |
62 | # Include VyOS specific functions and aliases
# Presumably provides the configuration-mode wrappers used from here on (load,
# compare, run, commit, save) — TODO confirm against the template.
63 | source /opt/vyatta/etc/functions/script-template
64 |
65 | # Reset the configuration
# The session starts from the factory default, so config-parts/ is the complete
# desired state: anything configured on the box but absent from config-parts/
# disappears at commit.
66 | load /opt/vyatta/etc/config.boot.default
67 |
68 | # Load all config files
# Each part is sourced, i.e. executed in this shell with the exported secrets in
# scope. Values such as "${SECRET_CLOUDFLARE_DYNDNS_TOKEN}" are expanded into
# `set` commands here and therefore become part of the configuration that
# commit/save persist below — the secrets end up in clear text in the saved
# configuration, not only in the sops file.
69 | for f in /config/config-parts/*.sh; do
70 | if [[ -f "${f}" ]]; then
71 | echo "Processing ${f}"
72 | source "${f}"
73 | fi
74 | done
75 |
76 | echo "Changes to running config:"
77 | compare
78 |
79 | if "${dry_run}"; then
80 | exit 0
81 | else
82 | # Pull new container images
# AVAILABLE_IMAGES holds name:tag for every image already on the box (header row
# skipped); CONFIG_IMAGES is every image referenced by a `set container name ...
# image` line. `uniq` only collapses adjacent duplicates, so an image named twice
# in non-adjacent lines appears twice — harmless, it is merely re-checked.
83 | mapfile -t AVAILABLE_IMAGES < <(run show container image | awk '{ if ( NR > 1 ) { print $1 ":" $2} }')
84 | mapfile -t CONFIG_IMAGES < <(sed -nr "s/set container name .* image '(.*)'/\1/p" /config/config-parts/* | uniq)
85 |
# NOTE(review): ${image} is used unescaped as a regex, so "." matches any
# character; with registry/name:tag strings this only makes the match slightly
# looser than an exact string comparison.
86 | for image in "${CONFIG_IMAGES[@]}"; do
87 | if [[ ! " ${AVAILABLE_IMAGES[*]} " =~ \ ${image}\ ]]; then
88 | echo "Pulling image ${image}"
89 | run add container image "${image}"
90 | fi
91 | done
92 |
93 | # Commit and save
94 | echo "Committing and saving config"
95 | commit
96 | save
97 |
98 | # Clean obsolete container images
# Re-read the image table after the commit and delete, by id, every local image
# that no config-parts file references, so only images named in the repository
# remain on the router.
99 | IFS=$'\n' read -rd '' -a AVAILABLE_IMAGES <<<"$(run show container image | tail -n +2)"
100 | for image in "${AVAILABLE_IMAGES[@]}"; do
101 | image_name=$(echo "${image}" | awk '{ print $1 }')
102 | image_tag=$(echo "${image}" | awk '{ print $2 }')
103 | image_id=$(echo "${image}" | awk '{ print $3 }')
104 | image_name_tag="${image_name}:${image_tag}"
105 |
106 | if [[ ! " ${CONFIG_IMAGES[*]} " =~ \ ${image_name_tag}\ ]]; then
107 | echo "Removing container ${image_name_tag}"
108 | run delete container image "${image_id}"
109 | fi
110 | done
111 |
112 | # Restart containers
# Unquoted on purpose: restart_containers is a space-separated list built on
# line 57 (see the note there about what it actually contains).
113 | for container in ${restart_containers}; do
114 | run restart container "${container}"
115 | done
116 | fi
117 |
118 | # Clean annoying overlay* folders
# Runs in dry-run mode as well: every directory named overlay* anywhere under
# /config is removed recursively, via sudo.
119 | sudo find "/config" -name "overlay*" -type d -prune -exec rm -rf "{}" \;
120 |
121 | exit
122 |
--------------------------------------------------------------------------------
/bootstrap/.gitignore:
--------------------------------------------------------------------------------
1 | # Ignore everything
2 | /*
3 |
4 | # Track certain files and directories
5 | !.gitignore
6 | !*.sh
7 |
--------------------------------------------------------------------------------
/bootstrap/bootstrap.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
# One-shot bootstrap for a freshly installed router: just enough configuration
# (LAN/WAN interfaces, key-only SSH for user vyos, a LAN DHCP pool and outbound
# NAT) to reach the box and run apply-config.sh afterwards. Unlike
# apply-config.sh it does not source the VyOS script template and contains no
# commit/save — presumably meant to be run from an existing configure session;
# TODO confirm.
2 |
3 | load /opt/vyatta/etc/config.boot.default
4 |
5 | set interfaces ethernet eth0 description 'LAN'
6 | set interfaces ethernet eth0 address '10.1.0.1/24'
7 | set interfaces ethernet eth0 hw-id 'e4:3a:6e:5f:33:9d'
8 |
9 | set interfaces ethernet eth5 description 'WAN - Cable'
10 | set interfaces ethernet eth5 address 'dhcp'
11 | set interfaces ethernet eth5 hw-id 'e4:3a:6e:5f:33:a1'
12 |
# Public key only (safe to keep in the repository); together with
# disable-password-authentication below this makes SSH key-only.
13 | set system login user vyos authentication public-keys personal key 'AAAAC3NzaC1lZDI1NTE5AAAAIMyYn4k4V+myBBl79Nt3t7EZugvz9A+d3ZbKyaP1w7J5'
14 | set system login user vyos authentication public-keys personal type 'ssh-ed25519'
15 |
16 | set service ssh disable-password-authentication
17 | set service ssh port '22'
18 |
19 | delete system host-name
20 | set system host-name 'gateway'
21 | set system domain-name 'bjw-s.casa'
22 |
23 | set system ipv6 disable-forwarding
24 |
25 | set system name-server '1.1.1.1'
26 |
27 | set system sysctl parameter kernel.pty.max value '24000'
28 |
29 | set system time-zone 'Europe/Amsterdam'
30 |
31
# Bootstrap DHCP pool for the LAN: hands out 10.1.0.200-254 with this router as
# gateway and 1.1.1.1 as resolver (the containerised DNS stack is not up yet).
| set service dhcp-server shared-network-name LAN authoritative
32 | set service dhcp-server shared-network-name LAN ping-check
33 | set service dhcp-server shared-network-name LAN subnet 10.1.0.0/24 default-router '10.1.0.1'
34 | set service dhcp-server shared-network-name LAN subnet 10.1.0.0/24 lease '86400'
35 | set service dhcp-server shared-network-name LAN subnet 10.1.0.0/24 name-server '1.1.1.1'
36 | set service dhcp-server shared-network-name LAN subnet 10.1.0.0/24 range 0 start '10.1.0.200'
37 | set service dhcp-server shared-network-name LAN subnet 10.1.0.0/24 range 0 stop '10.1.0.254'
38 |
39 | # ALL -> WAN masquerade
# No source address is given, so everything leaving via eth5 is masqueraded,
# not only the LAN named in the description.
40 | set nat source rule 100 description 'LAN -> WAN'
41 | set nat source rule 100 outbound-interface 'eth5'
42 | set nat source rule 100 destination address '0.0.0.0/0'
43 | set nat source rule 100 translation address 'masquerade'
44 |
--------------------------------------------------------------------------------
/config-parts/.gitignore:
--------------------------------------------------------------------------------
1 | # Ignore everything
2 | /*
3 |
4 | # Track certain files and directories
5 | !.gitignore
6 | !*.sh
7 |
--------------------------------------------------------------------------------
/config-parts/container.sh:
--------------------------------------------------------------------------------
1 | #!/bin/vbash
# Container definitions, sourced by apply-config.sh inside a configuration
# session (so ${SECRET_*} below is expanded from the environment it exports).
# Containers either get a fixed address on the dedicated 'containers' network or
# ask for allow-host-networks, in which case they share the router's own network
# stack. Every image is pinned to an exact tag; .github/renovate.json5 matches
# these `set container name ... image` lines to propose bumps.
2 |
3 | # Container networks
4 | set container network containers description 'Network for VyOS containers'
5 | set container network containers prefix '10.5.0.0/24'
6 |
7 | # cloudflare-ddns
# Host network (presumably so the updater observes the WAN address directly).
# NOTE(review): the API token is the same secret handed to lego-auto on line 60,
# so one token must carry the permissions for both DDNS updates and the ACME DNS
# challenge, and a compromise of either container exposes the other's capability.
8 | set container name cloudflare-ddns allow-host-networks
9 | set container name cloudflare-ddns environment CF_API_TOKEN value "${SECRET_CLOUDFLARE_DYNDNS_TOKEN}"
10 | set container name cloudflare-ddns environment DOMAINS value 'ipv4.schorgers.nl,ipv4.bjw-s.casa,ipv4.bjw-s.dev,ipv4.bjws.nl'
11 | set container name cloudflare-ddns environment IP6_PROVIDER value "none"
12 | set container name cloudflare-ddns environment TZ value 'Europe/Amsterdam'
13 | set container name cloudflare-ddns environment PGID value "1000"
14 | set container name cloudflare-ddns environment PUID value "1000"
15 | set container name cloudflare-ddns image 'docker.io/favonia/cloudflare-ddns:1.11.0'
16 | set container name cloudflare-ddns memory '0'
17 | set container name cloudflare-ddns restart 'on-failure'
18 | set container name cloudflare-ddns shared-memory '0'
19 |
20 | # bind
# net-bind-service lets named open its privileged port; the command then runs it
# in the foreground, IPv4 only, and drops to user 'bind' (-u bind). Zone/config
# data is mounted read-only from the repository; only the cache in /tmp is rw.
21 | set container name bind cap-add 'net-bind-service'
22 | set container name bind image 'docker.io/internetsystemsconsortium/bind9:9.19'
23 | set container name bind command '/usr/sbin/named -4 -f -c /etc/bind/named.conf -u bind'
24 | set container name bind memory '0'
25 | set container name bind network containers address '10.5.0.3'
26 | set container name bind restart 'on-failure'
27 | set container name bind shared-memory '0'
28 | set container name bind volume config destination '/etc/bind'
29 | set container name bind volume config source '/config/containers/bind/config'
30 | set container name bind volume config mode 'ro'
31 | set container name bind volume cache source '/tmp/bind/cache'
32 | set container name bind volume cache destination '/var/cache/bind'
33 | set container name bind volume cache mode 'rw'
34 |
35 | # dnsdist
# Single config file mounted read-only; net-bind-service presumably again for
# the DNS port.
36 | set container name dnsdist cap-add 'net-bind-service'
37 | set container name dnsdist environment TZ value 'Europe/Amsterdam'
38 | set container name dnsdist image 'docker.io/powerdns/dnsdist-18:1.8.3'
39 | set container name dnsdist arguments '--log-timestamps'
40 | set container name dnsdist memory '0'
41 | set container name dnsdist network containers address '10.5.0.4'
42 | set container name dnsdist restart 'on-failure'
43 | set container name dnsdist shared-memory '0'
44 | set container name dnsdist volume config source '/config/containers/dnsdist/config/dnsdist.conf'
45 | set container name dnsdist volume config destination '/etc/dnsdist/dnsdist.conf'
46 | set container name dnsdist volume config mode 'ro'
47 |
48 | # wildcard certificate
# Host network; the rw datadir lives under /config/secrets, which is presumably
# where the issued key material ends up — it must never be committed. Uses the
# shared Cloudflare token (see the note on cloudflare-ddns).
49 | set container name lego-auto image 'ghcr.io/bjw-s/lego-auto:v0.3.0'
50 | set container name lego-auto memory '0'
51 | set container name lego-auto allow-host-networks
52 | set container name lego-auto shared-memory '0'
53 | set container name lego-auto restart 'on-failure'
54 | set container name lego-auto environment TZ value 'Europe/Amsterdam'
55 | set container name lego-auto environment LA_DATADIR value '/config'
56 | set container name lego-auto environment LA_CACHEDIR value '/config/.cache'
57 | set container name lego-auto environment LA_EMAIL value 'postmaster@bjw-s.dev'
58 | set container name lego-auto environment LA_PROVIDER value 'cloudflare'
59 | set container name lego-auto environment LA_DOMAINS value '*.bjw-s.dev'
60 | set container name lego-auto environment CF_DNS_API_TOKEN value "${SECRET_CLOUDFLARE_DYNDNS_TOKEN}"
61 | set container name lego-auto volume datadir source '/config/secrets/certs/_.bjw-s.dev'
62 | set container name lego-auto volume datadir destination '/config'
63 | set container name lego-auto volume datadir mode 'rw'
64 |
65 | # blocky
66 | set container name blocky image 'ghcr.io/0xerr0r/blocky:v0.23'
67 | set container name blocky memory '0'
68 | set container name blocky network containers address '10.5.0.7'
69 | set container name blocky shared-memory '0'
70 | set container name blocky restart 'on-failure'
71 | set container name blocky environment TZ value 'Europe/Amsterdam'
72 | set container name blocky volume config source '/config/containers/blocky/config/config.yml'
73 | set container name blocky volume config destination '/app/config.yml'
74 | set container name blocky volume config mode 'ro'
75 |
76 | # haproxy-k8s-api
# Container name differs from its config directory (containers/haproxy); keep
# that in mind for anything that derives the container name from the path.
77 | set container name haproxy-k8s-api image 'docker.io/library/haproxy:2.9.7'
78 | set container name haproxy-k8s-api memory '0'
79 | set container name haproxy-k8s-api network containers address '10.5.0.2'
80 | set container name haproxy-k8s-api restart 'on-failure'
81 | set container name haproxy-k8s-api shared-memory '0'
82 | set container name haproxy-k8s-api volume config source '/config/containers/haproxy/config/haproxy.cfg'
83 | set container name haproxy-k8s-api volume config destination '/usr/local/etc/haproxy/haproxy.cfg'
84 | set container name haproxy-k8s-api volume config mode 'ro'
85 |
86 | # node-exporter
# Host network plus /proc, /sys and the entire host root filesystem mounted
# read-only. Read-only still means everything on the router, /config/secrets
# included, is readable from inside this container, so the trust placed in the
# pinned image is correspondingly high.
87 | set container name node-exporter environment procfs value '/host/proc'
88 | set container name node-exporter environment rootfs value '/host/rootfs'
89 | set container name node-exporter environment sysfs value '/host/sys'
90 | set container name node-exporter image 'quay.io/prometheus/node-exporter:v1.7.0'
91 | set container name node-exporter memory '0'
92 | set container name node-exporter allow-host-networks
93 | set container name node-exporter restart 'on-failure'
94 | set container name node-exporter shared-memory '0'
95 | set container name node-exporter volume procfs source '/proc'
96 | set container name node-exporter volume procfs destination '/host/proc'
97 | set container name node-exporter volume procfs mode 'ro'
98 | set container name node-exporter volume rootfs source '/'
99 | set container name node-exporter volume rootfs destination '/host/rootfs'
100 | set container name node-exporter volume rootfs mode 'ro'
101 | set container name node-exporter volume sysfs source '/sys'
102 | set container name node-exporter volume sysfs destination '/host/sys'
103 | set container name node-exporter volume sysfs mode 'ro'
104 |
105 | # speedtest-exporter
# Host network, no volumes.
106 | set container name speedtest-exporter image 'ghcr.io/miguelndecarvalho/speedtest-exporter:v3.5.4'
107 | set container name speedtest-exporter memory '0'
108 | set container name speedtest-exporter allow-host-networks
109 | set container name speedtest-exporter restart 'on-failure'
110 | set container name speedtest-exporter shared-memory '0'
111 |
112 | # unifi
# RUNAS_UID0=false with explicit PUID/PGID keeps the controller unprivileged
# inside the container. cert/data/logs are rw and persist under
# /config/containers/unifi (the repository only tracks a .gitkeep there).
113 | set container name unifi environment TZ value 'Europe/Amsterdam'
114 | set container name unifi environment RUNAS_UID0 value 'false'
115 | set container name unifi environment PGID value '102'
116 | set container name unifi environment PUID value '999'
117 | set container name unifi image 'ghcr.io/goofball222/unifi:8.1.113'
118 | set container name unifi memory '0'
119 | set container name unifi network containers address '10.5.0.10'
120 | set container name unifi restart 'on-failure'
121 | set container name unifi shared-memory '0'
122 | set container name unifi volume cert source '/config/containers/unifi/cert'
123 | set container name unifi volume cert destination '/usr/lib/unifi/cert'
124 | set container name unifi volume cert mode 'rw'
125 | set container name unifi volume data source '/config/containers/unifi/data'
126 | set container name unifi volume data destination '/usr/lib/unifi/data'
127 | set container name unifi volume data mode 'rw'
128 | set container name unifi volume logs source '/config/containers/unifi/logs'
129 | set container name unifi volume logs destination '/usr/lib/unifi/logs'
130 | set container name unifi volume logs mode 'rw'
131 |
132 | # onepassword-connect
# Credentials file mounted read-only from /config/secrets; the data directory
# under /tmp is shared with onepassword-sync below (presumably sync writes, the
# API reads — confirm). NOTE(review): unlike the other containers neither this
# one nor onepassword-sync nor matchbox sets a restart policy — intended?
133 | set container name onepassword-connect image 'docker.io/1password/connect-api:1.7.2'
134 | set container name onepassword-connect environment TZ value 'Europe/Amsterdam'
135 | set container name onepassword-connect memory '0'
136 | set container name onepassword-connect network containers address '10.5.0.5'
137 | set container name onepassword-connect shared-memory '0'
138 | set container name onepassword-connect volume credentials source '/config/secrets/1password-credentials.json'
139 | set container name onepassword-connect volume credentials destination '/home/opuser/.op/1password-credentials.json'
140 | set container name onepassword-connect volume credentials mode 'ro'
141 | set container name onepassword-connect volume data source '/tmp/onepassword/data'
142 | set container name onepassword-connect volume data destination '/home/opuser/.op/data'
143 | set container name onepassword-connect volume data mode 'rw'
144 |
145 | # onepassword-sync
146 | set container name onepassword-sync image 'docker.io/1password/connect-sync:1.7.2'
147 | set container name onepassword-sync environment TZ value 'Europe/Amsterdam'
148 | set container name onepassword-sync memory '0'
149 | set container name onepassword-sync shared-memory '0'
150 | set container name onepassword-sync network containers address '10.5.0.6'
151 | set container name onepassword-sync volume credentials source '/config/secrets/1password-credentials.json'
152 | set container name onepassword-sync volume credentials destination '/home/opuser/.op/1password-credentials.json'
153 | set container name onepassword-sync volume credentials mode 'ro'
154 | set container name onepassword-sync volume data source '/tmp/onepassword/data'
155 | set container name onepassword-sync volume data destination '/home/opuser/.op/data'
156 | set container name onepassword-sync volume data mode 'rw'
157 |
158 | # matchbox
# Listens on port 80 (hence net-bind-service). NOTE(review): -log-level=debug is
# left on; confirm that verbosity is intended for steady-state operation. The
# data directory is not tracked in the tree and is presumably created on the box.
159 | set container name matchbox arguments '-address=0.0.0.0:80 -log-level=debug'
160 | set container name matchbox cap-add 'net-bind-service'
161 | set container name matchbox image 'quay.io/poseidon/matchbox:v0.11.0'
162 | set container name matchbox memory '0'
163 | set container name matchbox network containers address '10.5.0.8'
164 | set container name matchbox shared-memory '0'
165 | set container name matchbox volume matchbox-data destination '/var/lib/matchbox'
166 | set container name matchbox volume matchbox-data mode 'rw'
167 | set container name matchbox volume matchbox-data propagation 'private'
168 | set container name matchbox volume matchbox-data source '/config/containers/matchbox/data'
169 |
--------------------------------------------------------------------------------
/config-parts/firewall-ipv4.sh:
--------------------------------------------------------------------------------
1 | #!/bin/vbash
# Inter-zone IPv4 rulesets (VyOS `firewall ipv4 name` syntax). Each ruleset is
# named <from>-<to>; the zone-to-ruleset bindings live outside this file.
#
# Conventions used by every ruleset below:
#   - default-action 'drop' plus default-log, except for rulesets that are
#     deliberately open (the *-wan rulesets, and iot-containers further down).
#   - rule 999 "drop_invalid": drops conntrack-INVALID packets and logs them.
#     NOTE(review): rule 999 is evaluated last, and none of the accept rules in
#     this file carry a state match, so an INVALID packet that happens to match
#     an earlier accept rule is accepted before it ever reaches rule 999. If the
#     intent is to drop INVALID unconditionally, give that rule a number below
#     the first accept rule (e.g. rule 10) or rely on a global state-policy
#     configured outside this file.
#   - Address/port groups referenced here (printers, k8s_ingress, sonos_*, ...)
#     are defined elsewhere; a typo in a group name fails at commit time.

# From GUEST to IOT
# Only the printer path is open: HTTP + raw-print (9100/tcp) and SNMP (161/udp)
# from the printer_allowed group to the printers group.
set firewall ipv4 name guest-iot default-action 'drop'
set firewall ipv4 name guest-iot description 'From GUEST to IOT'
set firewall ipv4 name guest-iot default-log
set firewall ipv4 name guest-iot rule 100 action 'accept'
set firewall ipv4 name guest-iot rule 100 description 'Rule: accept_tcp_printer_from_allowed_devices'
set firewall ipv4 name guest-iot rule 100 destination group address-group 'printers'
set firewall ipv4 name guest-iot rule 100 destination port 'http,9100'
set firewall ipv4 name guest-iot rule 100 protocol 'tcp'
set firewall ipv4 name guest-iot rule 100 source group address-group 'printer_allowed'
set firewall ipv4 name guest-iot rule 101 action 'accept'
set firewall ipv4 name guest-iot rule 101 description 'Rule: accept_udp_printer_from_allowed_devices'
set firewall ipv4 name guest-iot rule 101 destination group address-group 'printers'
set firewall ipv4 name guest-iot rule 101 destination port '161'
set firewall ipv4 name guest-iot rule 101 protocol 'udp'
set firewall ipv4 name guest-iot rule 101 source group address-group 'printer_allowed'
set firewall ipv4 name guest-iot rule 999 action 'drop'
set firewall ipv4 name guest-iot rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name guest-iot rule 999 state invalid
set firewall ipv4 name guest-iot rule 999 log

# From GUEST to LAN
# Fully closed; only the invalid-drop rule exists.
set firewall ipv4 name guest-lan default-action 'drop'
set firewall ipv4 name guest-lan description 'From GUEST to LAN'
set firewall ipv4 name guest-lan default-log
set firewall ipv4 name guest-lan rule 999 action 'drop'
set firewall ipv4 name guest-lan rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name guest-lan rule 999 state invalid
set firewall ipv4 name guest-lan rule 999 log

# From GUEST to LOCAL
# Guests may only talk DHCP (67/68 udp) to the router itself. DNS for guests is
# not served by the router here; it is opened towards CONTAINERS below.
set firewall ipv4 name guest-local default-action 'drop'
set firewall ipv4 name guest-local description 'From GUEST to LOCAL'
set firewall ipv4 name guest-local default-log
set firewall ipv4 name guest-local rule 50 action 'accept'
set firewall ipv4 name guest-local rule 50 description 'Rule: accept_dhcp'
set firewall ipv4 name guest-local rule 50 destination port '67,68'
set firewall ipv4 name guest-local rule 50 protocol 'udp'
set firewall ipv4 name guest-local rule 50 source port '67,68'
set firewall ipv4 name guest-local rule 999 action 'drop'
set firewall ipv4 name guest-local rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name guest-local rule 999 state invalid
set firewall ipv4 name guest-local rule 999 log

# From GUEST to SERVERS
# Only HTTP/HTTPS to the k8s_ingress addresses, and only from k8s_ingress_allowed.
set firewall ipv4 name guest-servers default-action 'drop'
set firewall ipv4 name guest-servers description 'From GUEST to SERVERS'
set firewall ipv4 name guest-servers default-log
set firewall ipv4 name guest-servers rule 410 action 'accept'
set firewall ipv4 name guest-servers rule 410 description 'Rule: accept_k8s_ingress_from_allowed_devices'
set firewall ipv4 name guest-servers rule 410 destination group address-group 'k8s_ingress'
set firewall ipv4 name guest-servers rule 410 destination port 'http,https'
set firewall ipv4 name guest-servers rule 410 protocol 'tcp'
set firewall ipv4 name guest-servers rule 410 source group address-group 'k8s_ingress_allowed'
set firewall ipv4 name guest-servers rule 999 action 'drop'
set firewall ipv4 name guest-servers rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name guest-servers rule 999 state invalid
set firewall ipv4 name guest-servers rule 999 log

# From GUEST to CONTAINERS
# DNS (53 and 853, tcp+udp) only. Rule 40 has no destination address match, so
# it reaches any container address on those ports; pinning it to the resolver
# container(s) would keep the rest of the container network unreachable from
# guests even if another container ever listens on 53/853.
set firewall ipv4 name guest-containers default-action 'drop'
set firewall ipv4 name guest-containers description 'From GUEST to CONTAINERS'
set firewall ipv4 name guest-containers default-log
set firewall ipv4 name guest-containers rule 40 action 'accept'
set firewall ipv4 name guest-containers rule 40 description 'Rule: accept_dns'
set firewall ipv4 name guest-containers rule 40 destination port 'domain,domain-s'
set firewall ipv4 name guest-containers rule 40 protocol 'tcp_udp'
set firewall ipv4 name guest-containers rule 999 action 'drop'
set firewall ipv4 name guest-containers rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name guest-containers rule 999 state invalid
set firewall ipv4 name guest-containers rule 999 log

# From GUEST to TRUSTED
# Fully closed.
set firewall ipv4 name guest-trusted default-action 'drop'
set firewall ipv4 name guest-trusted description 'From GUEST to TRUSTED'
set firewall ipv4 name guest-trusted default-log
set firewall ipv4 name guest-trusted rule 999 action 'drop'
set firewall ipv4 name guest-trusted rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name guest-trusted rule 999 state invalid
set firewall ipv4 name guest-trusted rule 999 log

# From GUEST to VIDEO
# Fully closed.
set firewall ipv4 name guest-video default-action 'drop'
set firewall ipv4 name guest-video description 'From GUEST to VIDEO'
set firewall ipv4 name guest-video default-log
set firewall ipv4 name guest-video rule 999 action 'drop'
set firewall ipv4 name guest-video rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name guest-video rule 999 state invalid
set firewall ipv4 name guest-video rule 999 log

# From GUEST to WAN
# Unrestricted egress; note this ruleset has no drop_invalid rule and no logging.
set firewall ipv4 name guest-wan default-action 'accept'
set firewall ipv4 name guest-wan description 'From GUEST to WAN'

# From IOT to GUEST
# Fully closed.
set firewall ipv4 name iot-guest default-action 'drop'
set firewall ipv4 name iot-guest description 'From IOT to GUEST'
set firewall ipv4 name iot-guest default-log
set firewall ipv4 name iot-guest rule 999 action 'drop'
set firewall ipv4 name iot-guest rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name iot-guest rule 999 state invalid
set firewall ipv4 name iot-guest rule 999 log

# From IOT to LAN
# Fully closed.
set firewall ipv4 name iot-lan default-action 'drop'
set firewall ipv4 name iot-lan description 'From IOT to LAN'
set firewall ipv4 name iot-lan default-log
set firewall ipv4 name iot-lan rule 999 action 'drop'
set firewall ipv4 name iot-lan rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name iot-lan rule 999 state invalid
set firewall ipv4 name iot-lan rule 999 log

# From IOT to LOCAL
# Router services IoT devices may use: DHCP, NTP, IGMP (IP protocol 2), mDNS
# (5353 to 5353), plus the Sonos/Bambu discovery and Sonos controller API
# port-groups, each restricted to its source address-group.
set firewall ipv4 name iot-local default-action 'drop'
set firewall ipv4 name iot-local description 'From IOT to LOCAL'
set firewall ipv4 name iot-local default-log
set firewall ipv4 name iot-local rule 50 action 'accept'
set firewall ipv4 name iot-local rule 50 description 'Rule: accept_dhcp'
set firewall ipv4 name iot-local rule 50 destination port '67,68'
set firewall ipv4 name iot-local rule 50 protocol 'udp'
set firewall ipv4 name iot-local rule 50 source port '67,68'
set firewall ipv4 name iot-local rule 60 action 'accept'
set firewall ipv4 name iot-local rule 60 description 'Rule: accept_ntp'
set firewall ipv4 name iot-local rule 60 destination port 'ntp'
set firewall ipv4 name iot-local rule 60 protocol 'udp'
set firewall ipv4 name iot-local rule 100 action 'accept'
set firewall ipv4 name iot-local rule 100 description 'Rule: accept_igmp'
set firewall ipv4 name iot-local rule 100 protocol '2'
set firewall ipv4 name iot-local rule 110 action 'accept'
set firewall ipv4 name iot-local rule 110 description 'Rule: accept_mdns'
set firewall ipv4 name iot-local rule 110 destination port 'mdns'
set firewall ipv4 name iot-local rule 110 protocol 'udp'
set firewall ipv4 name iot-local rule 110 source port 'mdns'
set firewall ipv4 name iot-local rule 200 action 'accept'
set firewall ipv4 name iot-local rule 200 description 'Rule: accept_discovery_from_sonos_players'
set firewall ipv4 name iot-local rule 200 destination group port-group sonos-player-discovery
set firewall ipv4 name iot-local rule 200 protocol 'udp'
set firewall ipv4 name iot-local rule 200 source group address-group 'sonos_players'
set firewall ipv4 name iot-local rule 220 action 'accept'
set firewall ipv4 name iot-local rule 220 description 'Rule: accept_api_from_sonos_controllers'
set firewall ipv4 name iot-local rule 220 destination group port-group sonos-controller-api
set firewall ipv4 name iot-local rule 220 protocol 'tcp'
set firewall ipv4 name iot-local rule 220 source group address-group 'sonos_controllers'
set firewall ipv4 name iot-local rule 300 action 'accept'
set firewall ipv4 name iot-local rule 300 description 'Rule: accept_discovery_from_bambu_printers'
set firewall ipv4 name iot-local rule 300 destination group port-group bambu-discovery
set firewall ipv4 name iot-local rule 300 protocol 'udp'
set firewall ipv4 name iot-local rule 300 source group address-group 'bambu-printers'
set firewall ipv4 name iot-local rule 999 action 'drop'
set firewall ipv4 name iot-local rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name iot-local rule 999 state invalid
set firewall ipv4 name iot-local rule 999 log

# From IOT to SERVERS
# Every accept is pinned to a source group AND a destination group/port:
# SMB from scanners to the NAS, Plex (32400) from plex_clients, MQTT (1883,
# the plaintext port; 8883/TLS is not opened here) from mqtt_clients, and
# HTTP/HTTPS to the k8s ingress from Sonos players and k8s_ingress_allowed.
set firewall ipv4 name iot-servers default-action 'drop'
set firewall ipv4 name iot-servers description 'From IOT to SERVERS'
set firewall ipv4 name iot-servers default-log
set firewall ipv4 name iot-servers rule 100 action 'accept'
set firewall ipv4 name iot-servers rule 100 description 'Rule: accept_nas_smb_from_scanners'
set firewall ipv4 name iot-servers rule 100 destination group address-group 'nas'
set firewall ipv4 name iot-servers rule 100 destination port 'microsoft-ds'
set firewall ipv4 name iot-servers rule 100 protocol 'tcp'
set firewall ipv4 name iot-servers rule 100 source group address-group 'scanners'
set firewall ipv4 name iot-servers rule 200 action 'accept'
set firewall ipv4 name iot-servers rule 200 description 'Rule: accept_plex_from_plex_clients'
set firewall ipv4 name iot-servers rule 200 destination group address-group 'k8s_plex'
set firewall ipv4 name iot-servers rule 200 destination port '32400'
set firewall ipv4 name iot-servers rule 200 protocol 'tcp'
set firewall ipv4 name iot-servers rule 200 source group address-group 'plex_clients'
set firewall ipv4 name iot-servers rule 300 action 'accept'
set firewall ipv4 name iot-servers rule 300 description 'Rule: accept_mqtt_from_mqtt_clients'
set firewall ipv4 name iot-servers rule 300 destination group address-group 'k8s_mqtt'
set firewall ipv4 name iot-servers rule 300 destination port '1883'
set firewall ipv4 name iot-servers rule 300 protocol 'tcp'
set firewall ipv4 name iot-servers rule 300 source group address-group 'mqtt_clients'
set firewall ipv4 name iot-servers rule 400 action 'accept'
set firewall ipv4 name iot-servers rule 400 description 'Rule: accept_k8s_ingress_from_sonos_players'
set firewall ipv4 name iot-servers rule 400 destination group address-group 'k8s_ingress'
set firewall ipv4 name iot-servers rule 400 destination port 'http,https'
set firewall ipv4 name iot-servers rule 400 protocol 'tcp'
set firewall ipv4 name iot-servers rule 400 source group address-group 'sonos_players'
set firewall ipv4 name iot-servers rule 410 action 'accept'
set firewall ipv4 name iot-servers rule 410 description 'Rule: accept_k8s_ingress_from_allowed_devices'
set firewall ipv4 name iot-servers rule 410 destination group address-group 'k8s_ingress'
set firewall ipv4 name iot-servers rule 410 destination port 'http,https'
set firewall ipv4 name iot-servers rule 410 protocol 'tcp'
set firewall ipv4 name iot-servers rule 410 source group address-group 'k8s_ingress_allowed'
set firewall ipv4 name iot-servers rule 999 action 'drop'
set firewall ipv4 name iot-servers rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name iot-servers rule 999 state invalid
set firewall ipv4 name iot-servers rule 999 log

# From IOT to CONTAINERS
# NOTE(review): default-action is 'accept' here (and there is no default-log),
# unlike every other IOT-to-* ruleset. Every service on the container network is
# therefore reachable from every IoT host, which is the least-trusted zone after
# GUEST. Rule 40 (DNS) is redundant under a default accept; its only effect is
# to accept INVALID-state DNS packets before rule 999 can drop them. Consider
# flipping to default-action 'drop' + default-log and listing the services IoT
# devices actually need, as guest-containers already does.
set firewall ipv4 name iot-containers default-action 'accept'
set firewall ipv4 name iot-containers description 'From IOT to CONTAINERS'
set firewall ipv4 name iot-containers rule 40 action 'accept'
set firewall ipv4 name iot-containers rule 40 description 'Rule: accept_dns'
set firewall ipv4 name iot-containers rule 40 destination port 'domain,domain-s'
set firewall ipv4 name iot-containers rule 40 protocol 'tcp_udp'
set firewall ipv4 name iot-containers rule 999 action 'drop'
set firewall ipv4 name iot-containers rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name iot-containers rule 999 state invalid
set firewall ipv4 name iot-containers rule 999 log

# From IOT to TRUSTED
# Rules 100/110: Sonos players -> Sonos controllers. The 30000-65535 ranges are
# wide on purpose (presumably the Sonos ephemeral-port requirement — confirm);
# both rules are at least pinned to the two address-groups.
# Rule 200: apple_devices -> the apple_services_ports port-group, tcp+udp.
# NOTE(review): rule 210 accepts tcp+udp on ALL ports to ALL of TRUSTED from
# k8s_scrypted, with no destination or port match; it is the widest accept in
# this file. Its description also deviates from the 'Rule: accept_...' naming
# used everywhere else.
set firewall ipv4 name iot-trusted default-action 'drop'
set firewall ipv4 name iot-trusted description 'From IOT to TRUSTED'
set firewall ipv4 name iot-trusted default-log
set firewall ipv4 name iot-trusted rule 100 action 'accept'
set firewall ipv4 name iot-trusted rule 100 description 'Rule: accept_udp_from_sonos_players_to_sonos_controllers'
set firewall ipv4 name iot-trusted rule 100 destination group address-group 'sonos_controllers'
set firewall ipv4 name iot-trusted rule 100 destination port '319,320,30000-65535'
set firewall ipv4 name iot-trusted rule 100 protocol 'udp'
set firewall ipv4 name iot-trusted rule 100 source group address-group 'sonos_players'
set firewall ipv4 name iot-trusted rule 110 action 'accept'
set firewall ipv4 name iot-trusted rule 110 description 'Rule: accept_tcp_from_sonos_players_to_sonos_controllers'
set firewall ipv4 name iot-trusted rule 110 destination group address-group 'sonos_controllers'
set firewall ipv4 name iot-trusted rule 110 destination port '1400,3400,3401,3500,30000-65535'
set firewall ipv4 name iot-trusted rule 110 protocol 'tcp'
set firewall ipv4 name iot-trusted rule 110 source group address-group 'sonos_players'
set firewall ipv4 name iot-trusted rule 200 action 'accept'
set firewall ipv4 name iot-trusted rule 200 description 'Rule: accept_apple_services_ports'
set firewall ipv4 name iot-trusted rule 200 destination group port-group 'apple_services_ports'
set firewall ipv4 name iot-trusted rule 200 source group address-group 'apple_devices'
set firewall ipv4 name iot-trusted rule 200 protocol 'tcp_udp'
set firewall ipv4 name iot-trusted rule 210 action 'accept'
set firewall ipv4 name iot-trusted rule 210 description 'Rule: allow Scrypted'
set firewall ipv4 name iot-trusted rule 210 protocol 'tcp_udp'
set firewall ipv4 name iot-trusted rule 210 source group address-group 'k8s_scrypted'
set firewall ipv4 name iot-trusted rule 999 action 'drop'
set firewall ipv4 name iot-trusted rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name iot-trusted rule 999 state invalid
set firewall ipv4 name iot-trusted rule 999 log

# From IOT to VIDEO
# Rule 100: any TCP port from k8s_nodes (no destination port match).
set firewall ipv4 name iot-video default-action 'drop'
set firewall ipv4 name iot-video description 'From IOT to VIDEO'
set firewall ipv4 name iot-video default-log
set firewall ipv4 name iot-video rule 100 action 'accept'
set firewall ipv4 name iot-video rule 100 description 'Rule: accept_k8s_nodes'
242 | set firewall ipv4 name iot-video rule 100 protocol 'tcp' 243 | set firewall ipv4 name iot-video rule 100 source group address-group 'k8s_nodes' 244 | set firewall ipv4 name iot-video rule 999 action 'drop' 245 | set firewall ipv4 name iot-video rule 999 description 'Rule: drop_invalid' 246 | set firewall ipv4 name iot-video rule 999 state invalid 247 | set firewall ipv4 name iot-video rule 999 log 248 | 249 | # From IOT to WAN 250 | set firewall ipv4 name iot-wan default-action 'accept' 251 | set firewall ipv4 name iot-wan description 'From IOT to WAN' 252 | 253 | # From LAN to GUEST 254 | set firewall ipv4 name lan-guest default-action 'drop' 255 | set firewall ipv4 name lan-guest description 'From LAN to GUEST' 256 | set firewall ipv4 name lan-guest default-log 257 | set firewall ipv4 name lan-guest rule 999 action 'drop' 258 | set firewall ipv4 name lan-guest rule 999 description 'Rule: drop_invalid' 259 | set firewall ipv4 name lan-guest rule 999 state invalid 260 | set firewall ipv4 name lan-guest rule 999 log 261 | 262 | # From LAN to IOT 263 | set firewall ipv4 name lan-iot default-action 'drop' 264 | set firewall ipv4 name lan-iot description 'From LAN to IOT' 265 | set firewall ipv4 name lan-iot default-log 266 | set firewall ipv4 name lan-iot rule 999 action 'drop' 267 | set firewall ipv4 name lan-iot rule 999 description 'Rule: drop_invalid' 268 | set firewall ipv4 name lan-iot rule 999 state invalid 269 | set firewall ipv4 name lan-iot rule 999 log 270 | 271 | # From LAN to LOCAL 272 | set firewall ipv4 name lan-local default-action 'drop' 273 | set firewall ipv4 name lan-local description 'From LAN to LOCAL' 274 | set firewall ipv4 name lan-local default-log 275 | set firewall ipv4 name lan-local rule 50 action 'accept' 276 | set firewall ipv4 name lan-local rule 50 description 'Rule: accept_dhcp' 277 | set firewall ipv4 name lan-local rule 50 destination port '67,68' 278 | set firewall ipv4 name lan-local rule 50 protocol 'udp' 279 | set 
firewall ipv4 name lan-local rule 50 source port '67,68' 280 | set firewall ipv4 name lan-local rule 60 action 'accept' 281 | set firewall ipv4 name lan-local rule 60 description 'Rule: accept_ntp' 282 | set firewall ipv4 name lan-local rule 60 destination port 'ntp' 283 | set firewall ipv4 name lan-local rule 60 protocol 'udp' 284 | set firewall ipv4 name lan-local rule 999 action 'drop' 285 | set firewall ipv4 name lan-local rule 999 description 'Rule: drop_invalid' 286 | set firewall ipv4 name lan-local rule 999 state invalid 287 | set firewall ipv4 name lan-local rule 999 log 288 | 289 | # From LAN to SERVERS 290 | set firewall ipv4 name lan-servers default-action 'drop' 291 | set firewall ipv4 name lan-servers description 'From LAN to SERVERS' 292 | set firewall ipv4 name lan-servers default-log 293 | set firewall ipv4 name lan-servers rule 999 action 'drop' 294 | set firewall ipv4 name lan-servers rule 999 description 'Rule: drop_invalid' 295 | set firewall ipv4 name lan-servers rule 999 state invalid 296 | set firewall ipv4 name lan-servers rule 999 log 297 | 298 | # From LAN to CONTAINERS 299 | set firewall ipv4 name lan-containers default-action 'accept' 300 | set firewall ipv4 name lan-containers description 'From LAN to CONTAINERS' 301 | set firewall ipv4 name lan-containers rule 40 action 'accept' 302 | set firewall ipv4 name lan-containers rule 40 description 'Rule: accept_dns' 303 | set firewall ipv4 name lan-containers rule 40 destination port 'domain,domain-s' 304 | set firewall ipv4 name lan-containers rule 40 protocol 'tcp_udp' 305 | set firewall ipv4 name lan-containers rule 999 action 'drop' 306 | set firewall ipv4 name lan-containers rule 999 description 'Rule: drop_invalid' 307 | set firewall ipv4 name lan-containers rule 999 state invalid 308 | set firewall ipv4 name lan-containers rule 999 log 309 | 310 | # From LAN to TRUSTED 311 | set firewall ipv4 name lan-trusted default-action 'drop' 312 | set firewall ipv4 name lan-trusted description 
'From LAN to TRUSTED' 313 | set firewall ipv4 name lan-trusted default-log 314 | set firewall ipv4 name lan-trusted rule 999 action 'drop' 315 | set firewall ipv4 name lan-trusted rule 999 description 'Rule: drop_invalid' 316 | set firewall ipv4 name lan-trusted rule 999 state invalid 317 | set firewall ipv4 name lan-trusted rule 999 log 318 | 319 | # From LAN to VIDEO 320 | set firewall ipv4 name lan-video default-action 'drop' 321 | set firewall ipv4 name lan-video description 'From LAN to VIDEO' 322 | set firewall ipv4 name lan-video default-log 323 | set firewall ipv4 name lan-video rule 999 action 'drop' 324 | set firewall ipv4 name lan-video rule 999 description 'Rule: drop_invalid' 325 | set firewall ipv4 name lan-video rule 999 state invalid 326 | set firewall ipv4 name lan-video rule 999 log 327 | 328 | # From LAN to WAN 329 | set firewall ipv4 name lan-wan default-action 'accept' 330 | set firewall ipv4 name lan-wan description 'From LAN to WAN' 331 | 332 | # From LOCAL to GUEST 333 | set firewall ipv4 name local-guest default-action 'drop' 334 | set firewall ipv4 name local-guest description 'From LOCAL to GUEST' 335 | set firewall ipv4 name local-guest default-log 336 | set firewall ipv4 name local-guest rule 999 action 'drop' 337 | set firewall ipv4 name local-guest rule 999 description 'Rule: drop_invalid' 338 | set firewall ipv4 name local-guest rule 999 state invalid 339 | set firewall ipv4 name local-guest rule 999 log 340 | 341 | # From LOCAL to IOT 342 | set firewall ipv4 name local-iot default-action 'drop' 343 | set firewall ipv4 name local-iot description 'From LOCAL to IOT' 344 | set firewall ipv4 name local-iot default-log 345 | set firewall ipv4 name local-iot rule 100 action 'accept' 346 | set firewall ipv4 name local-iot rule 100 description 'Rule: accept_igmp' 347 | set firewall ipv4 name local-iot rule 100 protocol '2' 348 | set firewall ipv4 name local-iot rule 110 action 'accept' 349 | set firewall ipv4 name local-iot rule 110 
description 'Rule: accept_mdns' 350 | set firewall ipv4 name local-iot rule 110 destination port 'mdns' 351 | set firewall ipv4 name local-iot rule 110 protocol 'udp' 352 | set firewall ipv4 name local-iot rule 110 source port 'mdns' 353 | set firewall ipv4 name local-iot rule 200 action 'accept' 354 | set firewall ipv4 name local-iot rule 200 description 'Rule: accept_discovery_from_sonos_controllers' 355 | set firewall ipv4 name local-iot rule 200 destination group port-group sonos-controller-discovery 356 | set firewall ipv4 name local-iot rule 200 protocol 'udp' 357 | set firewall ipv4 name local-iot rule 200 source group address-group 'sonos_controllers' 358 | set firewall ipv4 name local-iot rule 999 action 'drop' 359 | set firewall ipv4 name local-iot rule 999 description 'Rule: drop_invalid' 360 | set firewall ipv4 name local-iot rule 999 state invalid 361 | set firewall ipv4 name local-iot rule 999 log 362 | 363 | # From LOCAL to LAN 364 | set firewall ipv4 name local-lan default-action 'drop' 365 | set firewall ipv4 name local-lan description 'From LOCAL to LAN' 366 | set firewall ipv4 name local-lan default-log 367 | set firewall ipv4 name local-lan rule 999 action 'drop' 368 | set firewall ipv4 name local-lan rule 999 description 'Rule: drop_invalid' 369 | set firewall ipv4 name local-lan rule 999 state invalid 370 | set firewall ipv4 name local-lan rule 999 log 371 | 372 | # From LOCAL to SERVERS 373 | set firewall ipv4 name local-servers default-action 'drop' 374 | set firewall ipv4 name local-servers description 'From LOCAL to SERVERS' 375 | set firewall ipv4 name local-servers default-log 376 | set firewall ipv4 name local-servers rule 40 action 'accept' 377 | set firewall ipv4 name local-servers rule 40 description 'Rule: accept_dns' 378 | set firewall ipv4 name local-servers rule 40 destination port 'domain,domain-s' 379 | set firewall ipv4 name local-servers rule 40 protocol 'tcp_udp' 380 | set firewall ipv4 name local-servers rule 70 action 
'accept' 381 | set firewall ipv4 name local-servers rule 70 description 'Rule: accept_bgp' 382 | set firewall ipv4 name local-servers rule 70 destination port 'bgp' 383 | set firewall ipv4 name local-servers rule 70 protocol 'tcp' 384 | # TODO: Rule 80 accepts every UDP datagram from the router to SERVERS, not just PXE traffic, because it has no port match (likely kept wide because TFTP data transfers use ephemeral ports on both ends). Restrict it to the confirmed PXE/TFTP ports, or enable the conntrack tftp helper so the data channel is covered by RELATED state, and then remove the blanket UDP accept. 385 | set firewall ipv4 name local-servers rule 80 action 'accept' 386 | set firewall ipv4 name local-servers rule 80 description 'Rule: accept_pxe' 387 | set firewall ipv4 name local-servers rule 80 protocol 'udp' 388 | set firewall ipv4 name local-servers rule 80 log 389 | set firewall ipv4 name local-servers rule 100 action 'accept' 390 | set firewall ipv4 name local-servers rule 100 description 'Rule: accept_k8s_api' 391 | set firewall ipv4 name local-servers rule 100 destination port '6443' 392 | set firewall ipv4 name local-servers rule 100 protocol 'tcp' 393 | set firewall ipv4 name local-servers rule 200 action 'accept' 394 | set firewall ipv4 name local-servers rule 200 description 'Rule: accept_vector_syslog' 395 | set firewall ipv4 name local-servers rule 200 destination group address-group 'k8s_vector_aggregator' 396 | set firewall ipv4 name local-servers rule 200 destination port '6001' 397 | set firewall ipv4 name local-servers rule 200 protocol 'tcp' 398 | set firewall ipv4 name local-servers rule 999 action 'drop' 399 | set firewall ipv4 name local-servers rule 999 description 'Rule: drop_invalid' 400 | set firewall ipv4 name local-servers rule 999 state invalid 401 | set firewall ipv4 name local-servers rule 999 log 402 | 403 | # From LOCAL to CONTAINERS 404 | set firewall ipv4 name local-containers default-action 'accept' 405 | set firewall ipv4 name local-containers description 'From LOCAL to CONTAINERS' 406 | set firewall ipv4 name local-containers rule 40 action 'accept' 407 | set firewall ipv4 name local-containers rule 40 description 'Rule: accept_dns' 408 | set firewall ipv4 name local-containers rule 40 destination port 'domain,domain-s' 409 | set firewall ipv4 name 
local-containers rule 40 protocol 'tcp_udp' 410 | set firewall ipv4 name local-containers rule 999 action 'drop' 411 | set firewall ipv4 name local-containers rule 999 description 'Rule: drop_invalid' 412 | set firewall ipv4 name local-containers rule 999 state invalid 413 | set firewall ipv4 name local-containers rule 999 log 414 | 415 | # From LOCAL to TRUSTED 416 | set firewall ipv4 name local-trusted default-action 'drop' 417 | set firewall ipv4 name local-trusted description 'From LOCAL to TRUSTED' 418 | set firewall ipv4 name local-trusted default-log 419 | set firewall ipv4 name local-trusted rule 100 action 'accept' 420 | set firewall ipv4 name local-trusted rule 100 description 'Rule: accept_igmp' 421 | set firewall ipv4 name local-trusted rule 100 protocol '2' 422 | set firewall ipv4 name local-trusted rule 110 action 'accept' 423 | set firewall ipv4 name local-trusted rule 110 description 'Rule: accept_mdns' 424 | set firewall ipv4 name local-trusted rule 110 destination port 'mdns' 425 | set firewall ipv4 name local-trusted rule 110 protocol 'udp' 426 | set firewall ipv4 name local-trusted rule 110 source port 'mdns' 427 | set firewall ipv4 name local-trusted rule 200 action 'accept' 428 | set firewall ipv4 name local-trusted rule 200 description 'Rule: accept_discovery_from_sonos_players' 429 | set firewall ipv4 name local-trusted rule 200 destination group port-group sonos-player-discovery 430 | set firewall ipv4 name local-trusted rule 200 protocol 'udp' 431 | set firewall ipv4 name local-trusted rule 200 source group address-group 'sonos_players' 432 | set firewall ipv4 name local-trusted rule 300 action 'accept' 433 | set firewall ipv4 name local-trusted rule 300 description 'Rule: accept_discovery_from_bambu_printers' 434 | set firewall ipv4 name local-trusted rule 300 destination group port-group bambu-discovery 435 | set firewall ipv4 name local-trusted rule 300 protocol 'udp' 436 | set firewall ipv4 name local-trusted rule 300 source group 
address-group 'bambu-printers' 437 | set firewall ipv4 name local-trusted rule 400 action 'accept' 438 | set firewall ipv4 name local-trusted rule 400 description 'Rule: accept_wireguard' 439 | set firewall ipv4 name local-trusted rule 400 source port '51820' 440 | set firewall ipv4 name local-trusted rule 400 protocol 'udp' 441 | set firewall ipv4 name local-trusted rule 999 action 'drop' 442 | set firewall ipv4 name local-trusted rule 999 description 'Rule: drop_invalid' 443 | set firewall ipv4 name local-trusted rule 999 state invalid 444 | set firewall ipv4 name local-trusted rule 999 log 445 | 446 | # From LOCAL to VIDEO 447 | set firewall ipv4 name local-video default-action 'drop' 448 | set firewall ipv4 name local-video description 'From LOCAL to VIDEO' 449 | set firewall ipv4 name local-video default-log 450 | set firewall ipv4 name local-video rule 999 action 'drop' 451 | set firewall ipv4 name local-video rule 999 description 'Rule: drop_invalid' 452 | set firewall ipv4 name local-video rule 999 state invalid 453 | set firewall ipv4 name local-video rule 999 log 454 | 455 | # From LOCAL to WAN 456 | set firewall ipv4 name local-wan default-action 'accept' 457 | set firewall ipv4 name local-wan description 'From LOCAL to WAN' 458 | 459 | # From SERVERS to GUEST 460 | set firewall ipv4 name servers-guest default-action 'drop' 461 | set firewall ipv4 name servers-guest description 'From SERVERS to GUEST' 462 | set firewall ipv4 name servers-guest default-log 463 | set firewall ipv4 name servers-guest rule 999 action 'drop' 464 | set firewall ipv4 name servers-guest rule 999 description 'Rule: drop_invalid' 465 | set firewall ipv4 name servers-guest rule 999 state invalid 466 | set firewall ipv4 name servers-guest rule 999 log 467 | 468 | # From SERVERS to IOT 469 | set firewall ipv4 name servers-iot default-action 'drop' 470 | set firewall ipv4 name servers-iot description 'From SERVERS to IOT' 471 | set firewall ipv4 name servers-iot default-log 472 | set 
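firewall ipv4 name servers-iot rule 100 action 'accept'
set firewall ipv4 name servers-iot rule 100 description 'Rule: accept_k8s_nodes'
set firewall ipv4 name servers-iot rule 100 protocol 'tcp'
set firewall ipv4 name servers-iot rule 100 source group address-group 'k8s_nodes'
set firewall ipv4 name servers-iot rule 110 action 'accept'
set firewall ipv4 name servers-iot rule 110 description 'Rule: accept_k8s_nodes'
set firewall ipv4 name servers-iot rule 110 protocol 'icmp'
set firewall ipv4 name servers-iot rule 110 source group address-group 'k8s_nodes'
# Rule 999 drops and logs conntrack-INVALID packets. Under a 'drop' default it
# only adds a distinct log line; under an 'accept' default it is the only thing
# that keeps INVALID packets from being forwarded.
set firewall ipv4 name servers-iot rule 999 action 'drop'
set firewall ipv4 name servers-iot rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name servers-iot rule 999 state invalid
set firewall ipv4 name servers-iot rule 999 log

# From SERVERS to LAN
set firewall ipv4 name servers-lan default-action 'drop'
set firewall ipv4 name servers-lan description 'From SERVERS to LAN'
set firewall ipv4 name servers-lan default-log
set firewall ipv4 name servers-lan rule 999 action 'drop'
set firewall ipv4 name servers-lan rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name servers-lan rule 999 state invalid
set firewall ipv4 name servers-lan rule 999 log

# From SERVERS to LOCAL
# Router-bound traffic from the SERVERS zone: DHCP, NTP, BGP, TFTP and two
# Prometheus exporters. Everything else is dropped and logged.
set firewall ipv4 name servers-local default-action 'drop'
set firewall ipv4 name servers-local description 'From SERVERS to LOCAL'
set firewall ipv4 name servers-local default-log
set firewall ipv4 name servers-local rule 50 action 'accept'
set firewall ipv4 name servers-local rule 50 description 'Rule: accept_dhcp'
set firewall ipv4 name servers-local rule 50 destination port '67,68'
set firewall ipv4 name servers-local rule 50 protocol 'udp'
set firewall ipv4 name servers-local rule 50 source port '67,68'
set firewall ipv4 name servers-local rule 60 action 'accept'
set firewall ipv4 name servers-local rule 60 description 'Rule: accept_ntp'
set firewall ipv4 name servers-local rule 60 destination port 'ntp'
set firewall ipv4 name servers-local rule 60 protocol 'udp'
# NOTE(review): BGP (tcp/179) and TFTP (udp/69) are accepted from *any* host in
# the SERVERS zone, while the exporter rules 100/110 below are scoped to the
# 'k8s_nodes' address-group. If the only BGP peers are the k8s nodes, add
# "source group address-group 'k8s_nodes'" to rule 70 (and the TFTP clients'
# group to rule 80) so a compromised non-k8s server cannot peer with the router
# or pull boot files.
set firewall ipv4 name servers-local rule 70 action 'accept'
set firewall ipv4 name servers-local rule 70 description 'Rule: accept_bgp'
set firewall ipv4 name servers-local rule 70 destination port 'bgp'
set firewall ipv4 name servers-local rule 70 protocol 'tcp'
set firewall ipv4 name servers-local rule 80 action 'accept'
set firewall ipv4 name servers-local rule 80 description 'Rule: accept_tftp'
set firewall ipv4 name servers-local rule 80 destination port '69'
set firewall ipv4 name servers-local rule 80 protocol 'udp'
set firewall ipv4 name servers-local rule 100 action 'accept'
set firewall ipv4 name servers-local rule 100 description 'Rule: accept_node_exporter_from_k8s_nodes'
set firewall ipv4 name servers-local rule 100 destination port '9100'
set firewall ipv4 name servers-local rule 100 protocol 'tcp'
set firewall ipv4 name servers-local rule 100 source group address-group 'k8s_nodes'
set firewall ipv4 name servers-local rule 110 action 'accept'
set firewall ipv4 name servers-local rule 110 description 'Rule: accept_speedtest_exporter_from_k8s_nodes'
set firewall ipv4 name servers-local rule 110 destination port '9798'
set firewall ipv4 name servers-local rule 110 protocol 'tcp'
set firewall ipv4 name servers-local rule 110 source group address-group 'k8s_nodes'
set firewall ipv4 name servers-local rule 999 action 'drop'
set firewall ipv4 name servers-local rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name servers-local rule 999 state invalid
set firewall ipv4 name servers-local rule 999 log

# From SERVERS to CONTAINERS
# default-action is 'accept', so rules 40 and 100 do not restrict anything;
# they only exempt DNS and k8s-node TCP from default-log. Any other SERVERS
# host still reaches every container port (and is logged). Flip the default to
# 'drop' if the containers should only be reachable by the rules listed here.
set firewall ipv4 name servers-containers default-action 'accept'
set firewall ipv4 name servers-containers description 'From SERVERS to CONTAINERS'
set firewall ipv4 name servers-containers default-log
set firewall ipv4 name servers-containers rule 40 action 'accept'
set firewall ipv4 name servers-containers rule 40 description 'Rule: accept_dns'
set firewall ipv4 name servers-containers rule 40 destination port 'domain,domain-s'
set firewall ipv4 name servers-containers rule 40 protocol 'tcp_udp'
set firewall ipv4 name servers-containers rule 100 action 'accept'
set firewall ipv4 name servers-containers rule 100 description 'Rule: accept_k8s_nodes'
set firewall ipv4 name servers-containers rule 100 protocol 'tcp'
set firewall ipv4 name servers-containers rule 100 source group address-group 'k8s_nodes'
set firewall ipv4 name servers-containers rule 999 action 'drop'
set firewall ipv4 name servers-containers rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name servers-containers rule 999 state invalid
set firewall ipv4 name servers-containers rule 999 log

# From SERVERS to TRUSTED
set firewall ipv4 name servers-trusted default-action 'drop'
set firewall ipv4 name servers-trusted description 'From SERVERS to TRUSTED'
set firewall ipv4 name servers-trusted default-log
set firewall ipv4 name servers-trusted rule 999 action 'drop'
set firewall ipv4 name servers-trusted rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name servers-trusted rule 999 state invalid
set firewall ipv4 name servers-trusted rule 999 log

# From SERVERS to VIDEO
# Only the k8s nodes may open connections into the VIDEO zone (any TCP/UDP port).
set firewall ipv4 name servers-video default-action 'drop'
set firewall ipv4 name servers-video description 'From SERVERS to VIDEO'
set firewall ipv4 name servers-video default-log
set firewall ipv4 name servers-video rule 100 action 'accept'
set firewall ipv4 name servers-video rule 100 description 'Rule: accept_k8s_nodes'
set firewall ipv4 name servers-video rule 100 protocol 'tcp_udp'
set firewall ipv4 name servers-video rule 100 source group address-group 'k8s_nodes'
set firewall ipv4 name servers-video rule 999 action 'drop'
set firewall ipv4 name servers-video rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name servers-video rule 999 state invalid
set firewall ipv4 name servers-video rule 999 log

# From SERVERS to WAN
# Unrestricted egress. Rule 999 was missing here: with an 'accept' default,
# conntrack-INVALID packets were forwarded to the internet instead of being
# dropped and logged as in every other accept-default chain in this file.
set firewall ipv4 name servers-wan default-action 'accept'
set firewall ipv4 name servers-wan description 'From SERVERS to WAN'
set firewall ipv4 name servers-wan rule 999 action 'drop'
set firewall ipv4 name servers-wan rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name servers-wan rule 999 state invalid
set firewall ipv4 name servers-wan rule 999 log

# From CONTAINERS to GUEST
set firewall ipv4 name containers-guest default-action 'drop'
set firewall ipv4 name containers-guest description 'From CONTAINERS to GUEST'
set firewall ipv4 name containers-guest default-log
set firewall ipv4 name containers-guest rule 999 action 'drop'
set firewall ipv4 name containers-guest rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name containers-guest rule 999 state invalid
set firewall ipv4 name containers-guest rule 999 log

# From CONTAINERS to IOT
set firewall ipv4 name containers-iot default-action 'drop'
set firewall ipv4 name containers-iot description 'From CONTAINERS to IOT'
set firewall ipv4 name containers-iot default-log
set firewall ipv4 name containers-iot rule 999 action 'drop'
set firewall ipv4 name containers-iot rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name containers-iot rule 999 state invalid
set firewall ipv4 name containers-iot rule 999 log

# From CONTAINERS to LAN
set firewall ipv4 name containers-lan default-action 'drop'
set firewall ipv4 name containers-lan description 'From CONTAINERS to LAN'
set firewall ipv4 name containers-lan default-log
set firewall ipv4 name containers-lan rule 999 action 'drop'
set firewall ipv4 name containers-lan rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name containers-lan rule 999 state invalid
set firewall ipv4 name containers-lan rule 999 log

# From CONTAINERS to LOCAL
# Containers may talk to the router only for DNS, DHCP and NTP.
set firewall ipv4 name containers-local default-action 'drop'
set firewall ipv4 name containers-local description 'From CONTAINERS to LOCAL'
set firewall ipv4 name containers-local default-log
set firewall ipv4 name containers-local rule 40 action 'accept'
set firewall ipv4 name containers-local rule 40 description 'Rule: accept_dns'
set firewall ipv4 name containers-local rule 40 destination port 'domain,domain-s'
set firewall ipv4 name containers-local rule 40 protocol 'tcp_udp'
set firewall ipv4 name containers-local rule 50 action 'accept'
set firewall ipv4 name containers-local rule 50 description 'Rule: accept_dhcp'
set firewall ipv4 name containers-local rule 50 destination port '67,68'
set firewall ipv4 name containers-local rule 50 protocol 'udp'
set firewall ipv4 name containers-local rule 50 source port '67,68'
set firewall ipv4 name containers-local rule 60 action 'accept'
set firewall ipv4 name containers-local rule 60 description 'Rule: accept_ntp'
set firewall ipv4 name containers-local rule 60 destination port 'ntp'
set firewall ipv4 name containers-local rule 60 protocol 'udp'
set firewall ipv4 name containers-local rule 999 action 'drop'
set firewall ipv4 name containers-local rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name containers-local rule 999 state invalid
set firewall ipv4 name containers-local rule 999 log

# From CONTAINERS to SERVERS
# Unrestricted (accept default); only INVALID packets are filtered, by rule 999.
set firewall ipv4 name containers-servers default-action 'accept'
set firewall ipv4 name containers-servers description 'From CONTAINERS to SERVERS'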
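set firewall ipv4 name containers-servers rule 999 action 'drop'
set firewall ipv4 name containers-servers rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name containers-servers rule 999 state invalid
set firewall ipv4 name containers-servers rule 999 log

# From CONTAINERS to TRUSTED
set firewall ipv4 name containers-trusted default-action 'drop'
set firewall ipv4 name containers-trusted description 'From CONTAINERS to TRUSTED'
set firewall ipv4 name containers-trusted default-log
set firewall ipv4 name containers-trusted rule 999 action 'drop'
set firewall ipv4 name containers-trusted rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name containers-trusted rule 999 state invalid
set firewall ipv4 name containers-trusted rule 999 log

# From CONTAINERS to VIDEO
set firewall ipv4 name containers-video default-action 'drop'
set firewall ipv4 name containers-video description 'From CONTAINERS to VIDEO'
set firewall ipv4 name containers-video default-log
set firewall ipv4 name containers-video rule 999 action 'drop'
set firewall ipv4 name containers-video rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name containers-video rule 999 state invalid
set firewall ipv4 name containers-video rule 999 log

# From CONTAINERS to WAN
# Unrestricted egress for the router's containers. Rule 999 was missing here:
# with an 'accept' default, conntrack-INVALID packets were forwarded to the
# internet instead of being dropped and logged as in the other accept-default
# chains.
set firewall ipv4 name containers-wan default-action 'accept'
set firewall ipv4 name containers-wan description 'From CONTAINERS to WAN'
set firewall ipv4 name containers-wan rule 999 action 'drop'
set firewall ipv4 name containers-wan rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name containers-wan rule 999 state invalid
set firewall ipv4 name containers-wan rule 999 log

# From TRUSTED to GUEST
set firewall ipv4 name trusted-guest default-action 'drop'
set firewall ipv4 name trusted-guest description 'From TRUSTED to GUEST'
set firewall ipv4 name trusted-guest default-log
set firewall ipv4 name trusted-guest rule 999 action 'drop'
set firewall ipv4 name trusted-guest rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name trusted-guest rule 999 state invalid
set firewall ipv4 name trusted-guest rule 999 log

# From TRUSTED to IOT
# default-action is 'accept', so the Sonos rules 110/111 below are documentary:
# they pre-empt the default for the listed ports but every other TRUSTED->IOT
# flow is accepted anyway. They only become an allow-list if the default is
# changed to 'drop'. Note also that neither rule has a destination
# address-group, so "to_sonos_players" in the description is not enforced.
set firewall ipv4 name trusted-iot default-action 'accept'
set firewall ipv4 name trusted-iot description 'From TRUSTED to IOT'
set firewall ipv4 name trusted-iot rule 110 action 'accept'
set firewall ipv4 name trusted-iot rule 110 description 'Rule: accept_tcp_from_sonos_controllers_to_sonos_players'
set firewall ipv4 name trusted-iot rule 110 destination port '1400,1443,4444,7000,30000-65535'
set firewall ipv4 name trusted-iot rule 110 protocol 'tcp'
set firewall ipv4 name trusted-iot rule 110 source group address-group 'sonos_controllers'
set firewall ipv4 name trusted-iot rule 111 action 'accept'
set firewall ipv4 name trusted-iot rule 111 description 'Rule: accept_udp_from_sonos_controllers_to_sonos_players'
set firewall ipv4 name trusted-iot rule 111 destination port '319,320,30000-65535'
set firewall ipv4 name trusted-iot rule 111 protocol 'udp'
set firewall ipv4 name trusted-iot rule 111 source group address-group 'sonos_controllers'
set firewall ipv4 name trusted-iot rule 999 action 'drop'
set firewall ipv4 name trusted-iot rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name trusted-iot rule 999 state invalid
set firewall ipv4 name trusted-iot rule 999 log

# From TRUSTED to LAN
set firewall ipv4 name trusted-lan default-action 'accept'
set firewall ipv4 name trusted-lan description 'From TRUSTED to LAN'
set firewall ipv4 name trusted-lan rule 999 action 'drop'
set firewall ipv4 name trusted-lan rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name trusted-lan rule 999 state invalid
set firewall ipv4 name trusted-lan rule 999 log

# From TRUSTED to LOCAL
# Router-bound traffic from TRUSTED hosts. This is the management path: besides
# DHCP/NTP/IGMP/mDNS and device-discovery ports it opens SSH (400), the VyOS
# HTTP API (410) and the WireGuard listener (420).
set firewall ipv4 name trusted-local default-action 'drop'
set firewall ipv4 name trusted-local description 'From TRUSTED to LOCAL'
set firewall ipv4 name trusted-local default-log
set firewall ipv4 name trusted-local rule 50 action 'accept'
set firewall ipv4 name trusted-local rule 50 description 'Rule: accept_dhcp'
set firewall ipv4 name trusted-local rule 50 destination port '67,68'
set firewall ipv4 name trusted-local rule 50 protocol 'udp'
set firewall ipv4 name trusted-local rule 50 source port '67,68'
set firewall ipv4 name trusted-local rule 60 action 'accept'
set firewall ipv4 name trusted-local rule 60 description 'Rule: accept_ntp'
set firewall ipv4 name trusted-local rule 60 destination port 'ntp'
set firewall ipv4 name trusted-local rule 60 protocol 'udp'
# IP protocol 2 is IGMP (multicast group membership reports to the router).
set firewall ipv4 name trusted-local rule 100 action 'accept'
set firewall ipv4 name trusted-local rule 100 description 'Rule: accept_igmp'
set firewall ipv4 name trusted-local rule 100 protocol '2'
set firewall ipv4 name trusted-local rule 110 action 'accept'
set firewall ipv4 name trusted-local rule 110 description 'Rule: accept_mdns'
set firewall ipv4 name trusted-local rule 110 destination port 'mdns'
set firewall ipv4 name trusted-local rule 110 protocol 'udp'
set firewall ipv4 name trusted-local rule 110 source port 'mdns'
# Rule 111 was labelled 'accept_mdns_2' but matches UDP/9 to the limited
# broadcast address 255.255.255.255 - that is not mDNS (udp/5353, rule 110).
# UDP/9 to the broadcast address is the usual Wake-on-LAN magic-packet target,
# which is presumably the intent; the label now says what the rule does.
set firewall ipv4 name trusted-local rule 111 action 'accept'
set firewall ipv4 name trusted-local rule 111 description 'Rule: accept_udp9_broadcast'
set firewall ipv4 name trusted-local rule 111 destination address '255.255.255.255'
set firewall ipv4 name trusted-local rule 111 destination port '9'
set firewall ipv4 name trusted-local rule 111 protocol 'udp'
set firewall ipv4 name trusted-local rule 210 action 'accept'
set firewall ipv4 name trusted-local rule 210 description 'Rule: accept_discovery_from_sonos_controllers'
set firewall ipv4 name trusted-local rule 210 destination group port-group sonos-controller-discovery
set firewall ipv4 name trusted-local rule 210 protocol 'udp'
set firewall ipv4 name trusted-local rule 210 source group address-group 'sonos_controllers'
# NOTE(review): rule 211 is evaluated only for packets entering from the
# TRUSTED zone, so it matches only if 'sonos_players' contains TRUSTED
# addresses; players in the IOT zone are handled by the iot-local chain instead.
set firewall ipv4 name trusted-local rule 211 action 'accept'
set firewall ipv4 name trusted-local rule 211 description 'Rule: accept_discovery_from_sonos_players'
set firewall ipv4 name trusted-local rule 211 destination group port-group sonos-player-discovery
set firewall ipv4 name trusted-local rule 211 protocol 'udp'
set firewall ipv4 name trusted-local rule 211 source group address-group 'sonos_players'
set firewall ipv4 name trusted-local rule 300 action 'accept'
set firewall ipv4 name trusted-local rule 300 description 'Rule: accept_discovery_from_bambu_printers'
set firewall ipv4 name trusted-local rule 300 destination group port-group bambu-discovery
set firewall ipv4 name trusted-local rule 300 protocol 'udp'
set firewall ipv4 name trusted-local rule 300 source group address-group 'bambu-printers'
# NOTE(review): SSH and the VyOS API (tcp/8443) are accepted from every TRUSTED
# source. firewall-zone.sh puts the WireGuard interface 'wg01' in the TRUSTED
# zone as well, so every remote VPN peer also gets router management access.
# Consider an 'admin_hosts' address-group as "source group" on rules 400/410.
set firewall ipv4 name trusted-local rule 400 action 'accept'
set firewall ipv4 name trusted-local rule 400 description 'Rule: accept_ssh'
set firewall ipv4 name trusted-local rule 400 destination port 'ssh'
set firewall ipv4 name trusted-local rule 400 protocol 'tcp'
set firewall ipv4 name trusted-local rule 410 action 'accept'
set firewall ipv4 name trusted-local rule 410 description 'Rule: accept_vyos_api'
set firewall ipv4 name trusted-local rule 410 destination port '8443'
set firewall ipv4 name trusted-local rule 410 protocol 'tcp'
set firewall ipv4 name trusted-local rule 420 action 'accept'
set firewall ipv4 name trusted-local rule 420 description 'Rule: accept_wireguard'
set firewall ipv4 name trusted-local rule 420 destination port '51820'
set firewall ipv4 name trusted-local rule 420 protocol 'udp'
set firewall ipv4 name trusted-local rule 999 action 'drop'
set firewall ipv4 name trusted-local rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name trusted-local rule 999 state invalid
set firewall ipv4 name trusted-local rule 999 log

# From TRUSTED to SERVERS
set firewall ipv4 name trusted-servers default-action 'accept'
set firewall ipv4 name trusted-servers description 'From TRUSTED to SERVERS'
set firewall ipv4 name trusted-servers rule 999 action 'drop'
set firewall ipv4 name trusted-servers rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name trusted-servers rule 999 state invalid
set firewall ipv4 name trusted-servers rule 999 log

# From TRUSTED to CONTAINERS
# Accept default; rule 40 is documentary (DNS would be accepted anyway).
set firewall ipv4 name trusted-containers default-action 'accept'
set firewall ipv4 name trusted-containers description 'From TRUSTED to CONTAINERS'
set firewall ipv4 name trusted-containers rule 40 action 'accept'
set firewall ipv4 name trusted-containers rule 40 description 'Rule: accept_dns'
set firewall ipv4 name trusted-containers rule 40 destination port 'domain,domain-s'
set firewall ipv4 name trusted-containers rule 40 protocol 'tcp_udp'
set firewall ipv4 name trusted-containers rule 999 action 'drop'
set firewall ipv4 name trusted-containers rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name trusted-containers rule 999 state invalid
set firewall ipv4 name trusted-containers rule 999 log

# From TRUSTED to VIDEO
set firewall ipv4 name trusted-video default-action 'accept'
set firewall ipv4 name trusted-video description 'From TRUSTED to VIDEO'
set firewall ipv4 name trusted-video rule 999 action 'drop'
set firewall ipv4 name trusted-video rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name trusted-video rule 999 state invalid
set firewall ipv4 name trusted-video rule 999 log

# From TRUSTED to WAN
set firewall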
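ipv4 name trusted-wan default-action 'accept'
set firewall ipv4 name trusted-wan description 'From TRUSTED to WAN'
# Rule 999 was missing here: with an 'accept' default, conntrack-INVALID
# packets were forwarded to the internet instead of being dropped and logged
# as in the other accept-default chains.
set firewall ipv4 name trusted-wan rule 999 action 'drop'
set firewall ipv4 name trusted-wan rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name trusted-wan rule 999 state invalid
set firewall ipv4 name trusted-wan rule 999 log

# From VIDEO to GUEST
set firewall ipv4 name video-guest default-action 'drop'
set firewall ipv4 name video-guest description 'From VIDEO to GUEST'
set firewall ipv4 name video-guest default-log
set firewall ipv4 name video-guest rule 999 action 'drop'
set firewall ipv4 name video-guest rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name video-guest rule 999 state invalid
set firewall ipv4 name video-guest rule 999 log

# From VIDEO to IOT
# VIDEO devices may only reach Home Assistant (tcp/8123 on the 'k8s_hass'
# addresses); everything else into IOT is dropped and logged.
set firewall ipv4 name video-iot default-action 'drop'
set firewall ipv4 name video-iot description 'From VIDEO to IOT'
set firewall ipv4 name video-iot default-log
set firewall ipv4 name video-iot rule 100 action 'accept'
set firewall ipv4 name video-iot rule 100 description 'Rule: allow connecting to hass'
set firewall ipv4 name video-iot rule 100 protocol 'tcp'
set firewall ipv4 name video-iot rule 100 destination group address-group 'k8s_hass'
set firewall ipv4 name video-iot rule 100 destination port '8123'
set firewall ipv4 name video-iot rule 999 action 'drop'
set firewall ipv4 name video-iot rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name video-iot rule 999 state invalid
set firewall ipv4 name video-iot rule 999 log

# From VIDEO to LAN
set firewall ipv4 name video-lan default-action 'drop'
set firewall ipv4 name video-lan description 'From VIDEO to LAN'
set firewall ipv4 name video-lan default-log
set firewall ipv4 name video-lan rule 999 action 'drop'
set firewall ipv4 name video-lan rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name video-lan rule 999 state invalid
set firewall ipv4 name video-lan rule 999 log

# From VIDEO to LOCAL
# VIDEO devices may talk to the router only for DHCP and NTP (no DNS here; DNS
# is served from the CONTAINERS zone, see video-containers).
set firewall ipv4 name video-local default-action 'drop'
set firewall ipv4 name video-local description 'From VIDEO to LOCAL'
set firewall ipv4 name video-local default-log
set firewall ipv4 name video-local rule 50 action 'accept'
set firewall ipv4 name video-local rule 50 description 'Rule: accept_dhcp'
set firewall ipv4 name video-local rule 50 destination port '67,68'
set firewall ipv4 name video-local rule 50 protocol 'udp'
set firewall ipv4 name video-local rule 50 source port '67,68'
set firewall ipv4 name video-local rule 60 action 'accept'
set firewall ipv4 name video-local rule 60 description 'Rule: accept_ntp'
set firewall ipv4 name video-local rule 60 destination port 'ntp'
set firewall ipv4 name video-local rule 60 protocol 'udp'
set firewall ipv4 name video-local rule 999 action 'drop'
set firewall ipv4 name video-local rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name video-local rule 999 state invalid
set firewall ipv4 name video-local rule 999 log

# From VIDEO to SERVERS
# NOTE(review): rule 100 matches only the *source* port (6987-6989), which the
# sending host chooses freely. Any VIDEO device - including a compromised
# camera - can therefore reach every UDP port on the k8s nodes simply by
# sending from sport 6987. Match the service's 'destination port' instead (or
# in addition) once the target port is known, and scope 'source group
# address-group' to the devices that legitimately need it.
set firewall ipv4 name video-servers default-action 'drop'
set firewall ipv4 name video-servers description 'From VIDEO to SERVERS'
set firewall ipv4 name video-servers default-log
set firewall ipv4 name video-servers rule 100 action 'accept'
set firewall ipv4 name video-servers rule 100 description 'Rule: accept_k8s_nodes'
set firewall ipv4 name video-servers rule 100 protocol 'udp'
set firewall ipv4 name video-servers rule 100 destination group address-group 'k8s_nodes'
set firewall ipv4 name video-servers rule 100 source port '6987-6989'
set firewall ipv4 name video-servers rule 999 action 'drop'
set firewall ipv4 name video-servers rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name video-servers rule 999 state invalid
set firewall ipv4 name video-servers rule 999 log

# From VIDEO to CONTAINERS
# NOTE(review): this is the only VIDEO chain with an 'accept' default, so the
# least-trusted zone reaches every port of every router container (bind,
# blocky, dnsdist, haproxy, unifi), not just DNS; rule 40 is documentary.
# Unless the cameras need more than DNS, set default-action 'drop' and add
# default-log so rule 40 becomes the actual allow-list.
set firewall ipv4 name video-containers default-action 'accept'
set firewall ipv4 name video-containers description 'From VIDEO to CONTAINERS'
set firewall ipv4 name video-containers rule 40 action 'accept'
set firewall ipv4 name video-containers rule 40 description 'Rule: accept_dns'
set firewall ipv4 name video-containers rule 40 destination port 'domain,domain-s'
set firewall ipv4 name video-containers rule 40 protocol 'tcp_udp'
set firewall ipv4 name video-containers rule 999 action 'drop'
set firewall ipv4 name video-containers rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name video-containers rule 999 state invalid
set firewall ipv4 name video-containers rule 999 log

# From VIDEO to TRUSTED
set firewall ipv4 name video-trusted default-action 'drop'
set firewall ipv4 name video-trusted description 'From VIDEO to TRUSTED'
set firewall ipv4 name video-trusted default-log
set firewall ipv4 name video-trusted rule 999 action 'drop'
set firewall ipv4 name video-trusted rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name video-trusted rule 999 state invalid
set firewall ipv4 name video-trusted rule 999 log

# From VIDEO to WAN
# Cameras get no internet access. Deliberately no default-log: devices that
# keep trying to phone home would otherwise flood the log.
set firewall ipv4 name video-wan default-action 'drop'
set firewall ipv4 name video-wan description 'From VIDEO to WAN'

# From WAN to GUEST
set firewall ipv4 name wan-guest default-action 'drop'
set firewall ipv4 name wan-guest description 'From WAN to GUEST'
set firewall ipv4 name wan-guest default-log
set firewall ipv4 name wan-guest rule 999 action 'drop'
set firewall ipv4 name wan-guest rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name wan-guest rule 999 state invalid
set firewall ipv4 name wan-guest rule 999 log

# From WAN to IOT
set firewall ipv4 name wan-iot default-action 'drop'
set firewall ipv4 name wan-iot description 'From WAN to IOT'
set firewall ipv4 name wan-iot default-log
set firewall ipv4 name wan-iot rule 999 action 'drop'
set firewall ipv4 name wan-iot rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name wan-iot rule 999 state invalid
set firewall ipv4 name wan-iot rule 999 log

# From WAN to LAN
set firewall ipv4 name wan-lan default-action 'drop'
set firewall ipv4 name wan-lan description 'From WAN to LAN'
set firewall ipv4 name wan-lan default-log
set firewall ipv4 name wan-lan rule 999 action 'drop'
set firewall ipv4 name wan-lan rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name wan-lan rule 999 state invalid
set firewall ipv4 name wan-lan rule 999 log

# From WAN to LOCAL
# The only service exposed to the internet is WireGuard (udp/51820). INVALID
# packets are dropped first (rule 1) so they never reach the accept rule.
# NOTE(review): no established/related accept is visible in this chain; return
# traffic for router-initiated flows must be handled by a global state-policy
# defined elsewhere (firewall.sh) - confirm that it is present.
# default-log on a WAN-facing drop chain logs every unsolicited internet
# packet; watch log volume and consider dropping default-log if it is noisy.
set firewall ipv4 name wan-local default-action 'drop'
set firewall ipv4 name wan-local description 'From WAN to LOCAL'
set firewall ipv4 name wan-local default-log
set firewall ipv4 name wan-local rule 1 action 'drop'
set firewall ipv4 name wan-local rule 1 description 'Rule: drop_invalid'
set firewall ipv4 name wan-local rule 1 state invalid
set firewall ipv4 name wan-local rule 1 log
set firewall ipv4 name wan-local rule 100 action 'accept'
set firewall ipv4 name wan-local rule 100 description 'Rule: accept_wireguard'
set firewall ipv4 name wan-local rule 100 destination port '51820'
set firewall ipv4 name wan-local rule 100 protocol 'udp'

# From WAN to SERVERS
set firewall ipv4 name wan-servers default-action 'drop'
set firewall ipv4 name wan-servers description 'From WAN to SERVERS'
set firewall ipv4 name wan-servers default-log
set firewall ipv4 name wan-servers rule 999 action 'drop'
set firewall ipv4 name wan-servers rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name wan-servers rule 999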
state invalid
set firewall ipv4 name wan-servers rule 999 log

# From WAN to CONTAINERS
# The remaining WAN ingress chains drop everything. Each has default-log, so
# every unsolicited packet from the internet towards these zones produces a
# log line; rule 999 additionally tags conntrack-INVALID packets.
set firewall ipv4 name wan-containers default-action 'drop'
set firewall ipv4 name wan-containers description 'From WAN to CONTAINERS'
set firewall ipv4 name wan-containers default-log
set firewall ipv4 name wan-containers rule 999 action 'drop'
set firewall ipv4 name wan-containers rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name wan-containers rule 999 state invalid
set firewall ipv4 name wan-containers rule 999 log

# From WAN to TRUSTED
set firewall ipv4 name wan-trusted default-action 'drop'
set firewall ipv4 name wan-trusted description 'From WAN to TRUSTED'
set firewall ipv4 name wan-trusted default-log
set firewall ipv4 name wan-trusted rule 999 action 'drop'
set firewall ipv4 name wan-trusted rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name wan-trusted rule 999 state invalid
set firewall ipv4 name wan-trusted rule 999 log

# From WAN to VIDEO
set firewall ipv4 name wan-video default-action 'drop'
set firewall ipv4 name wan-video description 'From WAN to VIDEO'
set firewall ipv4 name wan-video default-log
set firewall ipv4 name wan-video rule 999 action 'drop'
set firewall ipv4 name wan-video rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name wan-video rule 999 state invalid
set firewall ipv4 name wan-video rule 999 log
--------------------------------------------------------------------------------
/config-parts/firewall-zone.sh:
--------------------------------------------------------------------------------
#!/bin/vbash
# Zone-based firewall: declares each zone, its member interface(s) and, for
# every other zone, the ipv4 chain ('<from>-<to>') that governs traffic
# entering this zone from that one. The chains themselves are defined in
# firewall-ipv4.sh. Every zone's default-action is 'drop', so a zone pair with
# no 'from' binding would pass nothing at all.

# GUEST zone: VLAN 30 on eth1.
set firewall zone guest default-action 'drop'
set firewall zone guest from iot firewall name 'iot-guest'
set firewall zone guest from lan firewall name 'lan-guest'
set firewall zone guest from local firewall name
'local-guest'
set firewall zone guest from servers firewall name 'servers-guest'
set firewall zone guest from containers firewall name 'containers-guest'
set firewall zone guest from trusted firewall name 'trusted-guest'
set firewall zone guest from video firewall name 'video-guest'
set firewall zone guest from wan firewall name 'wan-guest'
set firewall zone guest interface 'eth1.30'

# IOT zone: VLAN 40 on eth1.
set firewall zone iot default-action 'drop'
set firewall zone iot from guest firewall name 'guest-iot'
set firewall zone iot from lan firewall name 'lan-iot'
set firewall zone iot from local firewall name 'local-iot'
set firewall zone iot from servers firewall name 'servers-iot'
set firewall zone iot from containers firewall name 'containers-iot'
set firewall zone iot from trusted firewall name 'trusted-iot'
set firewall zone iot from video firewall name 'video-iot'
set firewall zone iot from wan firewall name 'wan-iot'
set firewall zone iot interface 'eth1.40'

# LAN zone: the untagged parent interface eth1. The VLAN sub-interfaces
# (eth1.10/20/30/40/50) are members of their own zones, not of this one.
set firewall zone lan default-action 'drop'
set firewall zone lan from guest firewall name 'guest-lan'
set firewall zone lan from iot firewall name 'iot-lan'
set firewall zone lan from local firewall name 'local-lan'
set firewall zone lan from servers firewall name 'servers-lan'
set firewall zone lan from containers firewall name 'containers-lan'
set firewall zone lan from trusted firewall name 'trusted-lan'
set firewall zone lan from video firewall name 'video-lan'
set firewall zone lan from wan firewall name 'wan-lan'
set firewall zone lan interface 'eth1'

# LOCAL zone: the router itself ('local-zone' below marks it as the host zone
# instead of an interface zone). The '<zone>-local' chains are therefore the
# router's management/ingress policy.
set firewall zone local default-action 'drop'
set firewall zone local description 'Local router zone'
set firewall zone local from guest firewall name 'guest-local'
set firewall zone local from iot firewall name 'iot-local'
set firewall zone local from lan firewall name 'lan-local'
set firewall zone local from servers firewall name 'servers-local'
set firewall zone local from containers firewall name 'containers-local'
set firewall zone local from trusted firewall name 'trusted-local'
set firewall zone local from video firewall name 'video-local'
set firewall zone local from wan firewall name 'wan-local'
set firewall zone local local-zone

# SERVERS zone: VLAN 10 on eth1 (hosts the k8s nodes referenced by the
# 'k8s_nodes' address-group).
set firewall zone servers default-action 'drop'
set firewall zone servers from guest firewall name 'guest-servers'
set firewall zone servers from iot firewall name 'iot-servers'
set firewall zone servers from lan firewall name 'lan-servers'
set firewall zone servers from local firewall name 'local-servers'
set firewall zone servers from containers firewall name 'containers-servers'
set firewall zone servers from trusted firewall name 'trusted-servers'
set firewall zone servers from video firewall name 'video-servers'
set firewall zone servers from wan firewall name 'wan-servers'
set firewall zone servers interface 'eth1.10'

# CONTAINERS zone: the router's own containers (bind, blocky, dnsdist, haproxy,
# unifi) on the 'pod-containers' interface - presumably the container network
# created in container.sh; confirm the name matches there.
set firewall zone containers default-action 'drop'
set firewall zone containers description 'VyOS containers zone'
set firewall zone containers from guest firewall name 'guest-containers'
set firewall zone containers from iot firewall name 'iot-containers'
set firewall zone containers from lan firewall name 'lan-containers'
set firewall zone containers from local firewall name 'local-containers'
set firewall zone containers from servers firewall name 'servers-containers'
set firewall zone containers from trusted firewall name 'trusted-containers'
set firewall zone containers from video firewall name 'video-containers'
set firewall zone containers from wan firewall name 'wan-containers'
set firewall zone containers interface 'pod-containers'

# TRUSTED zone: VLAN 20 on eth1 plus the WireGuard interface.
set firewall zone trusted default-action 'drop'
set firewall zone trusted from guest firewall name 'guest-trusted'
set firewall zone trusted from iot firewall name 'iot-trusted' 74 | set firewall zone trusted from lan firewall name 'lan-trusted' 75 | set firewall zone trusted from local firewall name 'local-trusted' 76 | set firewall zone trusted from servers firewall name 'servers-trusted' 77 | set firewall zone trusted from containers firewall name 'containers-trusted' 78 | set firewall zone trusted from video firewall name 'video-trusted' 79 | set firewall zone trusted from wan firewall name 'wan-trusted' 80 | set firewall zone trusted interface 'eth1.20' 81 | set firewall zone trusted interface 'wg01' 82 | 83 | set firewall zone video default-action 'drop' 84 | set firewall zone video from guest firewall name 'guest-video' 85 | set firewall zone video from iot firewall name 'iot-video' 86 | set firewall zone video from lan firewall name 'lan-video' 87 | set firewall zone video from local firewall name 'local-video' 88 | set firewall zone video from servers firewall name 'servers-video' 89 | set firewall zone video from containers firewall name 'containers-video' 90 | set firewall zone video from trusted firewall name 'trusted-video' 91 | set firewall zone video from wan firewall name 'wan-video' 92 | set firewall zone video interface 'eth1.50' 93 | set firewall zone wan default-action 'drop' 94 | 95 | set firewall zone wan from guest firewall name 'guest-wan' 96 | set firewall zone wan from iot firewall name 'iot-wan' 97 | set firewall zone wan from lan firewall name 'lan-wan' 98 | set firewall zone wan from local firewall name 'local-wan' 99 | set firewall zone wan from servers firewall name 'servers-wan' 100 | set firewall zone wan from containers firewall name 'containers-wan' 101 | set firewall zone wan from trusted firewall name 'trusted-wan' 102 | set firewall zone wan from video firewall name 'video-wan' 103 | set firewall zone wan interface 'eth5' 104 | set firewall zone wan interface 'pppoe0' 105 | 
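-------------------------------------------------------------------------------- /config-parts/firewall.sh: --------------------------------------------------------------------------------
#!/bin/vbash
# Firewall groups and global options. The groups defined here are referenced
# by the per-zone rule sets; every address/port used in a rule should be
# declared here rather than inline so the rule sets stay readable.

# General configuration
set firewall global-options state-policy established action 'accept'
set firewall global-options state-policy related action 'accept'
# all-ping is global; per-zone policies (firewall-zone.sh, every zone
# default-action 'drop') still gate which zones may actually reach the router.
set firewall global-options all-ping enable
set firewall global-options broadcast-ping disable

# Router (VyOS itself)
# NOTE(review): 10.0.0.1 is not among the addresses configured on any
# interface in interfaces.sh (those are 10.1.x.1, 192.168.2.1, 10.0.11.1);
# confirm this entry is still current.
set firewall group address-group router-addresses address 10.0.0.1
set firewall group address-group router-addresses address 127.0.0.1
set firewall group ipv6-address-group router-addresses-ipv6 address fe80::e63a:6eff:fe5a:f805
set firewall group ipv6-address-group router-addresses-ipv6 address ::1

# k8s nodes
set firewall group address-group k8s_nodes address '10.1.1.31-10.1.1.33' # Servers vLAN
set firewall group address-group k8s_nodes address '10.1.3.121-10.1.3.123' # IoT vLAN

# k8s ingress client devices
# NOTE(review): service-dhcp_server.sh maps eva-ipad to 10.1.2.35 and
# shared-ipad to 10.1.2.36 (TRUSTED), and plex_clients below uses those
# addresses; the 10.1.3.35/.36 entries here may be stale — verify.
set firewall group address-group k8s_ingress_allowed address '10.1.3.16' # Apple TV
set firewall group address-group k8s_ingress_allowed address '10.1.3.35' # Shared iPad
set firewall group address-group k8s_ingress_allowed address '10.1.3.36' # iPad Eva
set firewall group address-group k8s_ingress_allowed address '10.1.3.53' # Tablet Hallway
set firewall group address-group k8s_ingress_allowed address '10.1.3.54' # Tablet Garage
# The two work machines live on the GUEST VLAN (192.168.2.0/24), so this
# group deliberately grants guest-zone hosts access to the ingress.
set firewall group address-group k8s_ingress_allowed address '192.168.2.11' # Work machine
set firewall group address-group k8s_ingress_allowed address '192.168.2.12' # Work machine

# k8s cluster services
set firewall group address-group k8s_api address '10.5.0.2'
set firewall group address-group k8s_hass address '10.1.3.151'
set firewall group address-group k8s_scrypted address '10.1.3.153'
set firewall group address-group k8s_ingress address '10.45.0.1'
set firewall group address-group k8s_ingress address '10.45.0.3'
set firewall group address-group k8s_mqtt address '10.45.0.10'
set firewall group address-group k8s_plex address '10.45.0.20'
set firewall group address-group k8s_vector_aggregator address '10.45.0.2'

# MQTT client devices
set firewall group address-group mqtt_clients address '10.1.2.21' # Bernd
set firewall group address-group mqtt_clients address '10.1.3.18' # Vacuum livingroom
set firewall group address-group mqtt_clients address '10.1.3.22' # Vacuum upstairs
set firewall group address-group mqtt_clients address '10.1.3.38' # Ventilation ESP

# Plex client devices
set firewall group address-group plex_clients address '10.1.2.21' # Bernd
set firewall group address-group plex_clients address '10.1.2.31'
set firewall group address-group plex_clients address '10.1.2.22' # Man-Yie
set firewall group address-group plex_clients address '10.1.2.33-10.1.2.34'
set firewall group address-group plex_clients address '10.1.2.35' # Eva
set firewall group address-group plex_clients address '10.1.2.36' # Shared iPad
set firewall group address-group plex_clients address '10.1.3.16' # Apple TV

# Printers
set firewall group address-group printers address '10.1.3.55'

# 3D printer
set firewall group port-group bambu-discovery port '1990'
set firewall group port-group bambu-discovery port '2021'

set firewall group address-group bambu-printers address '10.1.3.11'

# Printer client machines
set firewall group address-group printer_allowed address '192.168.2.11'

# Scanners
set firewall group address-group scanners address '10.1.3.55'

# Sonos controllers
set firewall group port-group sonos-controller-api port '1400'
set firewall group port-group sonos-controller-discovery port '1900'

set firewall group address-group sonos_controllers address '10.1.2.21' # Bernd
set firewall group address-group sonos_controllers address '10.1.2.31'
set firewall group address-group sonos_controllers address '10.1.2.22' # Man-Yie
set firewall group address-group sonos_controllers address '10.1.2.33-10.1.2.34'
set firewall group address-group sonos_controllers address '10.1.3.36' # Shared

# Sonos players
set firewall group port-group sonos-player-discovery port '1900'

set firewall group address-group sonos_players address '10.1.3.61-10.1.3.67'

# Unifi devices
# NOTE(review): service-dhcp_server.sh also maps switch04 to 10.1.0.14,
# which falls outside the .11-.13 range below — confirm whether it belongs here.
set firewall group address-group unifi_devices address '10.1.0.11-10.1.0.13' # Switches
set firewall group address-group unifi_devices address '10.1.0.21-10.1.0.24' # AP's

# Apple devices
set firewall group address-group apple_devices address '10.1.3.16' # Apple TV

set firewall group port-group apple_services_ports port '3722'

# Vyos containers addresses
set firewall group address-group vyos_coredns address '10.5.0.3'
set firewall group address-group vyos_dnsdist address '10.5.0.4'
set firewall group address-group vyos_unifi address '10.5.0.10'

# Storage devices
set firewall group address-group nas address '10.1.1.12'

# Port groups
set firewall group port-group wireguard port '51820'
-------------------------------------------------------------------------------- /config-parts/interfaces.sh: --------------------------------------------------------------------------------
#!/bin/vbash
# Physical, VLAN, PPPoE and WireGuard interfaces. Credentials and private keys
# are never written here; they are expanded from SECRET_* environment variables
# that the caller must export before this file is sourced.

set interfaces ethernet eth0 description 'WAN - Fiber'
set interfaces ethernet eth0 hw-id 'e4:3a:6e:5f:33:9c'
set interfaces ethernet eth0 mtu '1508'
# eth0.6 carries the PPPoE session only; it has no IP address of its own.
set interfaces ethernet eth0 vif 6 description 'Internet'
set interfaces ethernet eth0 vif 6 mtu '1508'

set interfaces ethernet eth1 address '10.1.0.1/24'
set interfaces ethernet eth1 description 'LAN'
set interfaces ethernet eth1 hw-id 'e4:3a:6e:5f:33:9d'
set interfaces ethernet eth1 vif 10 address '10.1.1.1/24'
set interfaces ethernet eth1 vif 10 description 'SERVERS'
set interfaces ethernet eth1 vif 20 address '10.1.2.1/24'
set interfaces ethernet eth1 vif 20 description 'TRUSTED'
set interfaces ethernet eth1 vif 30 address '192.168.2.1/24'
set interfaces ethernet eth1 vif 30 description 'GUEST'
set interfaces ethernet eth1 vif 40 address '10.1.3.1/24'
set interfaces ethernet eth1 vif 40 description 'IOT'
set interfaces ethernet eth1 vif 50 address '10.1.4.1/24'
set interfaces ethernet eth1 vif 50 description 'VIDEO'

# eth2-eth4 are unused: no address, no description, and not assigned to any
# zone in firewall-zone.sh. NOTE(review): consider marking them 'disable'
# while they stay unused so a stray cable cannot bring up an unpoliced port.
set interfaces ethernet eth2 hw-id 'e4:3a:6e:5f:33:9e'
set interfaces ethernet eth3 hw-id 'e4:3a:6e:5f:33:9f'
set interfaces ethernet eth4 hw-id 'e4:3a:6e:5f:33:a0'

set interfaces ethernet eth5 hw-id 'e4:3a:6e:5f:33:a1'
set interfaces ethernet eth5 description 'WAN - Cable'
set interfaces ethernet eth5 address 'dhcp'

set interfaces pppoe pppoe0 description 'WAN - Fiber'
set interfaces pppoe pppoe0 source-interface 'eth0.6'
set interfaces pppoe pppoe0 mtu '1500'
set interfaces pppoe pppoe0 mru '1500'
# ${VAR:?msg} makes a missing/empty secret abort the (non-interactive) shell
# with a message instead of silently committing an empty credential.
set interfaces pppoe pppoe0 authentication user "${SECRET_ISP_AUTH_USER:?SECRET_ISP_AUTH_USER is not set}"
set interfaces pppoe pppoe0 authentication password "${SECRET_ISP_AUTH_PASSWORD:?SECRET_ISP_AUTH_PASSWORD is not set}"

# Only peer public keys are stored here; each peer is pinned to a single
# /32 via allowed-ips.
set interfaces wireguard wg01 address '10.0.11.1/24'
set interfaces wireguard wg01 description 'WIREGUARD'
set interfaces wireguard wg01 peer ipad-bernd allowed-ips '10.0.11.4/32'
set interfaces wireguard wg01 peer ipad-bernd persistent-keepalive '15'
set interfaces wireguard wg01 peer ipad-bernd public-key '8WyIUVFoOCP14rAK/s7aUareIH2O/5kIgu/lvWPbZnA='
set interfaces wireguard wg01 peer iphone-bernd allowed-ips '10.0.11.2/32'
set interfaces wireguard wg01 peer iphone-bernd persistent-keepalive '15'
set interfaces wireguard wg01 peer iphone-bernd public-key '608IT2YRPTCabLMGnpYfIWhgDnEpLV5IIpYi5J7m3As='
set interfaces wireguard wg01 peer macbook-bernd allowed-ips '10.0.11.3/32'
set interfaces wireguard wg01 peer macbook-bernd persistent-keepalive '15'
set interfaces wireguard wg01 peer macbook-bernd public-key 'iWKTc88fDBhqlsAgoCXYvkBdf9wG4YBZ8XTg/+0Ln2I='
set interfaces wireguard wg01 port '51820'
set interfaces wireguard wg01 private-key "${SECRET_WIREGUARD_PRIVATE_KEY:?SECRET_WIREGUARD_PRIVATE_KEY is not set}"
-------------------------------------------------------------------------------- /config-parts/nat.sh: --------------------------------------------------------------------------------
#!/bin/vbash
# Destination NAT that pins DNS/NTP to the router-side resolvers, plus the
# outbound masquerade.

# Force DNS
# Any plain-DNS (port 53) traffic from these VLANs that is not already headed
# for the dnsdist container (10.5.0.4) is redirected there. Only port 53 is
# covered; DNS over TLS/HTTPS (853/443) is not touched by these rules and
# would need to be handled in the zone policies if that is a requirement.
# NOTE(review): DNS is forced only for IoT (eth1.40) and Video (eth1.50);
# GUEST (eth1.30), LAN, SERVERS and TRUSTED are not redirected — confirm
# this is intentional.
set nat destination rule 102 description 'Force DNS for IoT'
set nat destination rule 102 destination address '!10.5.0.4'
set nat destination rule 102 destination port '53'
set nat destination rule 102 inbound-interface name 'eth1.40'
set nat destination rule 102 protocol 'tcp_udp'
set nat destination rule 102 translation address '10.5.0.4'
set nat destination rule 102 translation port '53'

set nat destination rule 103 description 'Force DNS for Video'
set nat destination rule 103 destination address '!10.5.0.4'
set nat destination rule 103 destination port '53'
set nat destination rule 103 inbound-interface name 'eth1.50'
set nat destination rule 103 protocol 'tcp_udp'
set nat destination rule 103 translation address '10.5.0.4'
set nat destination rule 103 translation port '53'

# Force NTP
# Each rule redirects UDP/123 to the router's own address on that VLAN.
set nat destination rule 104 description 'Force NTP for LAN'
set nat destination rule 104 destination address '!10.1.0.1'
set nat destination rule 104 destination port '123'
set nat destination rule 104 inbound-interface name 'eth1'
set nat destination rule 104 protocol 'udp'
set nat destination rule 104 translation address '10.1.0.1'
set nat destination rule 104 translation port '123'

set nat destination rule 105 description 'Force NTP for Servers'
set nat destination rule 105 destination address '!10.1.1.1'
set nat destination rule 105 destination port '123'
set nat destination rule 105 inbound-interface name 'eth1.10'
set nat destination rule 105 protocol 'udp'
set nat destination rule 105 translation address '10.1.1.1'
set nat destination rule 105 translation port '123'

set nat destination rule 106 description 'Force NTP for Trusted'
set nat destination rule 106 destination address '!10.1.2.1'
set nat destination rule 106 destination port '123'
set nat destination rule 106 inbound-interface name 'eth1.20'
set nat destination rule 106 protocol 'udp'
set nat destination rule 106 translation address '10.1.2.1'
set nat destination rule 106 translation port '123'

set nat destination rule 107 description 'Force NTP for IoT'
set nat destination rule 107 destination address '!10.1.3.1'
set nat destination rule 107 destination port '123'
set nat destination rule 107 inbound-interface name 'eth1.40'
set nat destination rule 107 protocol 'udp'
set nat destination rule 107 translation address '10.1.3.1'
set nat destination rule 107 translation port '123'

set nat destination rule 108 description 'Force NTP for Video'
set nat destination rule 108 destination address '!10.1.4.1'
set nat destination rule 108 destination port '123'
set nat destination rule 108 inbound-interface name 'eth1.50'
set nat destination rule 108 protocol 'udp'
set nat destination rule 108 translation address '10.1.4.1'
set nat destination rule 108 translation port '123'

set nat destination rule 109 description 'Force NTP for Wireguard Trusted'
set nat destination rule 109 destination address '!10.0.11.1'
set nat destination rule 109 destination port '123'
set nat destination rule 109 inbound-interface name 'wg01'
set nat destination rule 109 protocol 'udp'
set nat destination rule 109 translation address '10.0.11.1'
set nat destination rule 109 translation port '123'

# LAN -> WAN masquerade
# NOTE(review): only eth5 is masqueraded. firewall-zone.sh puts pppoe0 in the
# wan zone as well, but its masquerade line below is commented out, so
# anything routed via pppoe0 would leave with private source addresses.
# Re-enable it (or add a second rule) if pppoe0 becomes the active uplink.
set nat source rule 100 description 'LAN -> WAN'
set nat source rule 100 destination address '0.0.0.0/0'
set nat source rule 100 outbound-interface name 'eth5'
# set nat source rule 100 outbound-interface name 'pppoe0'
set nat source rule 100 translation address 'masquerade'
-------------------------------------------------------------------------------- /config-parts/protocols.sh: --------------------------------------------------------------------------------
#!/bin/vbash

# BGP configuration
# iBGP (remote-as == system-as) with the three k8s nodes on the SERVERS VLAN.
# NOTE(review): no session password and no import filter are configured, so
# every prefix a node announces is accepted as-is; a misconfigured or
# compromised node could therefore inject arbitrary routes. Consider
# `set protocols bgp neighbor <addr> password <secret>` and an
# `address-family ipv4-unicast prefix-list import <name>` / `maximum-prefix`
# limit scoped to the service CIDRs the cluster is expected to advertise.
set protocols bgp neighbor 10.1.1.31 address-family ipv4-unicast
set protocols bgp neighbor 10.1.1.31 description 'delta'
set protocols bgp neighbor 10.1.1.31 remote-as '64512'
set protocols bgp neighbor 10.1.1.32 address-family ipv4-unicast
set protocols bgp neighbor 10.1.1.32 description 'enigma'
set protocols bgp neighbor 10.1.1.32 remote-as '64512'
set protocols bgp neighbor 10.1.1.33 address-family ipv4-unicast
set protocols bgp neighbor 10.1.1.33 description 'felix'
set protocols bgp neighbor 10.1.1.33 remote-as '64512'
set protocols bgp parameters router-id '10.1.0.1'
set protocols bgp system-as '64512'
-------------------------------------------------------------------------------- /config-parts/service-dhcp_server.sh: -------------------------------------------------------------------------------- 1 | #!/bin/vbash 2 | 3 | # Global options 4 | set service dhcp-server global-parameters 'option system-arch code 93 = unsigned integer 16;' 5 | 6 | # Guest VLAN 7 | set service dhcp-server shared-network-name GUEST authoritative 8 | set service dhcp-server shared-network-name GUEST ping-check 9 | set service dhcp-server 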
shared-network-name GUEST subnet 192.168.2.0/24 default-router '192.168.2.1' 10 | set service dhcp-server shared-network-name GUEST subnet 192.168.2.0/24 lease '86400' 11 | set service dhcp-server shared-network-name GUEST subnet 192.168.2.0/24 name-server '10.5.0.4' 12 | set service dhcp-server shared-network-name GUEST subnet 192.168.2.0/24 range 0 start '192.168.2.200' 13 | set service dhcp-server shared-network-name GUEST subnet 192.168.2.0/24 range 0 stop '192.168.2.254' 14 | 15 | set service dhcp-server shared-network-name GUEST subnet 192.168.2.0/24 static-mapping manyie-work-laptop ip-address '192.168.2.11' 16 | set service dhcp-server shared-network-name GUEST subnet 192.168.2.0/24 static-mapping manyie-work-laptop mac-address '14:f6:d8:32:46:41' 17 | set service dhcp-server shared-network-name GUEST subnet 192.168.2.0/24 static-mapping bernd-work-laptop ip-address '192.168.2.12' 18 | set service dhcp-server shared-network-name GUEST subnet 192.168.2.0/24 static-mapping bernd-work-laptop mac-address '5c:e9:1e:7b:f2:c2' 19 | 20 | # IoT VLAN 21 | set service dhcp-server shared-network-name IOT authoritative 22 | set service dhcp-server shared-network-name IOT ping-check 23 | set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 default-router '10.1.3.1' 24 | set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 domain-name 'bjw-s.casa' 25 | set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 lease '86400' 26 | set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 name-server '10.5.0.4' 27 | set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 range 0 start '10.1.3.200' 28 | set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 range 0 stop '10.1.3.254' 29 | 30 | set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping attic-office-3dprinter-plug ip-address '10.1.3.33' 31 | set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping 
attic-office-3dprinter-plug mac-address 'a4:e5:7c:ab:f4:cd' 32 | set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping attic-office-desk-plug ip-address '10.1.3.31' 33 | set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping attic-office-desk-plug mac-address 'a4:e5:7c:ab:f5:ad' 34 | set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping bedroom-bed-occupancy-esp ip-address '10.1.3.37' 35 | set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping bedroom-bed-occupancy-esp mac-address 'a4:cf:12:25:0f:e8' 36 | set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping attic-ventilation-esp ip-address '10.1.3.38' 37 | set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping attic-ventilation-esp mac-address 'b0:b2:1c:ca:dc:8c' 38 | set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping bedroom-eva-sonos ip-address '10.1.3.65' 39 | set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping bedroom-eva-sonos mac-address 'b8:e9:37:55:d8:6c' 40 | set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping bernd-ereader ip-address '10.1.3.51' 41 | set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping bernd-ereader mac-address '58:b0:d4:6e:53:29' 42 | set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping garage-tablet ip-address '10.1.3.54' 43 | set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping garage-tablet mac-address '4c:ef:c0:00:50:aa' 44 | set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping garden-wlanthermo ip-address '10.1.3.21' 45 | set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping garden-wlanthermo mac-address '8c:aa:b5:c1:ce:c8' 46 | set service dhcp-server shared-network-name IOT subnet 
10.1.3.0/24 static-mapping hallway-tablet ip-address '10.1.3.53' 47 | set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping hallway-tablet mac-address '40:45:da:3b:c4:d6' 48 | set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping hallway-p1reader-esp ip-address '10.1.3.45' 49 | set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping hallway-p1reader-esp mac-address 'c4:5b:be:49:4c:c8' 50 | set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping hallway-tado-bridge ip-address '10.1.3.23' 51 | set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping hallway-tado-bridge mac-address 'ec:e5:12:1b:39:a6' 52 | set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping hallway-zigbee-adapter ip-address '10.1.3.46' 53 | set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping hallway-zigbee-adapter mac-address 'cc:db:a7:48:19:b3' 54 | set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping kitchen-coffeemaker ip-address '10.1.3.13' 55 | set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping kitchen-coffeemaker mac-address '68:a4:0e:35:43:72' 56 | set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping kitchen-oven ip-address '10.1.3.12' 57 | set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping kitchen-oven mac-address '68:a4:0e:34:fc:6f' 58 | set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping kitchen-sonos ip-address '10.1.3.61' 59 | set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping kitchen-sonos mac-address '48:a6:b8:d3:6c:f4' 60 | set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping livingroom-airpurifier ip-address '10.1.3.19' 61 | set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 
static-mapping livingroom-airpurifier mac-address '78:11:dc:bc:eb:de' 62 | set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping livingroom-receiver ip-address '10.1.3.17' 63 | set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping livingroom-receiver mac-address '00:05:cd:82:29:21' 64 | set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping livingroom-atv ip-address '10.1.3.16' 65 | set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping livingroom-atv mac-address 'a4:cf:99:eb:02:07' 66 | set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping livingroom-sonos ip-address '10.1.3.63' 67 | set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping livingroom-sonos mac-address '48:a6:b8:dc:6c:7e' 68 | set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping livingroom-tv ip-address '10.1.3.14' 69 | set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping livingroom-tv mac-address '74:40:be:0d:54:9a' 70 | set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping livingroom-vacuum ip-address '10.1.3.18' 71 | set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping livingroom-vacuum mac-address '50:ec:50:1d:37:3c' 72 | set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping livingroom-harmony-hub ip-address '10.1.3.15' 73 | set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping livingroom-harmony-hub mac-address '00:04:20:fd:2d:e4' 74 | set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping livingroom-nintendo-switch ip-address '10.1.3.20' 75 | set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping livingroom-nintendo-switch mac-address '98:41:5c:b2:98:2e' 76 | set service dhcp-server shared-network-name IOT 
subnet 10.1.3.0/24 static-mapping livingroom-receiver-sonos ip-address '10.1.3.66' 77 | set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping livingroom-receiver-sonos mac-address 'b8:e9:37:9b:f5:c6' 78 | set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping livingroom-sonos-move ip-address '10.1.3.67' 79 | set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping livingroom-sonos-move mac-address 'c4:38:75:25:83:76' 80 | set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping manyie-ereader ip-address '10.1.3.52' 81 | set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping manyie-ereader mac-address '58:b0:d4:67:f5:74' 82 | set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping spare-p1eu-1 ip-address '10.1.3.34' 83 | set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping spare-p1eu-1 mac-address 'a4:e5:7c:ab:c8:db' 84 | set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping study-printer ip-address '10.1.3.55' 85 | set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping study-printer mac-address '80:2b:f9:d4:3a:be' 86 | set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping upstairs-vacuum ip-address '10.1.3.22' 87 | set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping upstairs-vacuum mac-address '7c:49:eb:94:4a:58' 88 | set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping upstairs-office-sonos ip-address '10.1.3.62' 89 | set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping upstairs-office-sonos mac-address '94:9f:3e:04:88:2a' 90 | set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping upstairs-office-desk-plug ip-address '10.1.3.32' 91 | set service dhcp-server shared-network-name IOT 
subnet 10.1.3.0/24 static-mapping upstairs-office-desk-plug mac-address 'a4:e5:7c:ab:ca:33' 92 | set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping attic-office-3dprinter ip-address '10.1.3.11' 93 | set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping attic-office-3dprinter mac-address '34:85:18:44:aa:94' 94 | 95 | set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping delta ip-address '10.1.3.121' 96 | set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping delta mac-address '48:21:0b:55:c4:8a' 97 | set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping enigma ip-address '10.1.3.122' 98 | set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping enigma mac-address '48:21:0b:55:dc:7b' 99 | set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping felix ip-address '10.1.3.123' 100 | set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping felix mac-address '48:21:0b:56:09:47' 101 | 102 | # LAN 103 | set service dhcp-server shared-network-name LAN authoritative 104 | set service dhcp-server shared-network-name LAN ping-check 105 | set service dhcp-server shared-network-name LAN subnet 10.1.0.0/24 default-router '10.1.0.1' 106 | set service dhcp-server shared-network-name LAN subnet 10.1.0.0/24 lease '86400' 107 | set service dhcp-server shared-network-name LAN subnet 10.1.0.0/24 name-server '10.5.0.4' 108 | set service dhcp-server shared-network-name LAN subnet 10.1.0.0/24 range 0 start '10.1.0.200' 109 | set service dhcp-server shared-network-name LAN subnet 10.1.0.0/24 range 0 stop '10.1.0.254' 110 | 111 | set service dhcp-server shared-network-name LAN subnet 10.1.0.0/24 static-mapping ap01 ip-address '10.1.0.21' 112 | set service dhcp-server shared-network-name LAN subnet 10.1.0.0/24 static-mapping ap01 mac-address '44:d9:e7:fc:21:f9' 113 | set service 
dhcp-server shared-network-name LAN subnet 10.1.0.0/24 static-mapping ap02 ip-address '10.1.0.22' 114 | set service dhcp-server shared-network-name LAN subnet 10.1.0.0/24 static-mapping ap02 mac-address 'fc:ec:da:b6:27:87' 115 | set service dhcp-server shared-network-name LAN subnet 10.1.0.0/24 static-mapping ap03 ip-address '10.1.0.23' 116 | set service dhcp-server shared-network-name LAN subnet 10.1.0.0/24 static-mapping ap03 mac-address 'e0:63:da:ac:d4:3e' 117 | set service dhcp-server shared-network-name LAN subnet 10.1.0.0/24 static-mapping ap04 ip-address '10.1.0.24' 118 | set service dhcp-server shared-network-name LAN subnet 10.1.0.0/24 static-mapping ap04 mac-address '80:2a:a8:d3:0b:b3' 119 | set service dhcp-server shared-network-name LAN subnet 10.1.0.0/24 static-mapping switch01 ip-address '10.1.0.11' 120 | set service dhcp-server shared-network-name LAN subnet 10.1.0.0/24 static-mapping switch01 mac-address '70:a7:41:f3:c8:92' 121 | set service dhcp-server shared-network-name LAN subnet 10.1.0.0/24 static-mapping switch02 ip-address '10.1.0.12' 122 | set service dhcp-server shared-network-name LAN subnet 10.1.0.0/24 static-mapping switch02 mac-address '68:d7:9a:3c:b0:75' 123 | set service dhcp-server shared-network-name LAN subnet 10.1.0.0/24 static-mapping switch03 ip-address '10.1.0.13' 124 | set service dhcp-server shared-network-name LAN subnet 10.1.0.0/24 static-mapping switch03 mac-address '74:83:c2:0c:19:90' 125 | set service dhcp-server shared-network-name LAN subnet 10.1.0.0/24 static-mapping switch04 ip-address '10.1.0.14' 126 | set service dhcp-server shared-network-name LAN subnet 10.1.0.0/24 static-mapping switch04 mac-address '70:a7:41:e5:76:a2' 127 | 128 | # Servers VLAN 129 | set service dhcp-server shared-network-name SERVERS authoritative 130 | set service dhcp-server shared-network-name SERVERS ping-check 131 | set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 default-router '10.1.1.1' 132 | set service 
dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 domain-name 'bjw-s.casa' 133 | set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 lease '86400' 134 | set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 name-server '10.5.0.4' 135 | set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 range 0 start '10.1.1.200' 136 | set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 range 0 stop '10.1.1.254' 137 | 138 | set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 subnet-parameters 'allow bootp;' 139 | set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 subnet-parameters 'allow booting;' 140 | set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 subnet-parameters 'next-server 10.1.1.1;' 141 | set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 subnet-parameters 'if exists user-class and option user-class = "iPXE" {' 142 | set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 subnet-parameters 'filename "http://10.5.0.8/boot.ipxe";' 143 | set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 subnet-parameters '} else {' 144 | set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 subnet-parameters 'filename "ipxe.efi";' 145 | set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 subnet-parameters '}' 146 | 147 | set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping delta ip-address '10.1.1.31' 148 | set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping delta mac-address '48:21:0b:55:c4:8a' 149 | set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping enigma ip-address '10.1.1.32' 150 | set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping enigma mac-address '48:21:0b:55:dc:7b' 151 | set service dhcp-server shared-network-name 
SERVERS subnet 10.1.1.0/24 static-mapping felix ip-address '10.1.1.33' 152 | set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping felix mac-address '48:21:0b:56:09:47' 153 | set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping gladius ip-address '10.1.1.12' 154 | set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping gladius mac-address '9c:6b:00:04:d5:49' 155 | 156 | set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping pikvm ip-address '10.1.1.52' 157 | set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping pikvm mac-address 'dc:a6:32:93:f5:83' 158 | 159 | # Trusted VLAN 160 | set service dhcp-server shared-network-name TRUSTED authoritative 161 | set service dhcp-server shared-network-name TRUSTED ping-check 162 | set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 default-router '10.1.2.1' 163 | set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 domain-name 'bjw-s.casa' 164 | set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 lease '86400' 165 | set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 name-server '10.5.0.4' 166 | set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 range 0 start '10.1.2.200' 167 | set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 range 0 stop '10.1.2.254' 168 | 169 | set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 static-mapping bernd-iphone ip-address '10.1.2.31' 170 | set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 static-mapping bernd-iphone mac-address '24:5e:48:98:39:1c' 171 | set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 static-mapping bernd-macbook ip-address '10.1.2.21' 172 | set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 static-mapping bernd-macbook 
mac-address 'f8:4d:89:7a:db:8b' 173 | set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 static-mapping manyie-ipad ip-address '10.1.2.34' 174 | set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 static-mapping manyie-ipad mac-address '40:e6:4b:14:88:c0' 175 | set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 static-mapping manyie-iphone ip-address '10.1.2.33' 176 | set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 static-mapping manyie-iphone mac-address '8c:98:6b:a9:18:cb' 177 | set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 static-mapping manyie-macbook ip-address '10.1.2.22' 178 | set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 static-mapping manyie-macbook mac-address '8c:85:90:18:42:38' 179 | set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 static-mapping eva-ipad ip-address '10.1.2.35' 180 | set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 static-mapping eva-ipad mac-address '54:62:e2:53:72:1b' 181 | set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 static-mapping shared-ipad ip-address '10.1.2.36' 182 | set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 static-mapping shared-ipad mac-address '94:bf:2d:f0:3f:c3' 183 | 184 | # Video VLAN 185 | set service dhcp-server shared-network-name VIDEO authoritative 186 | set service dhcp-server shared-network-name VIDEO ping-check 187 | set service dhcp-server shared-network-name VIDEO subnet 10.1.4.0/24 default-router '10.1.4.1' 188 | set service dhcp-server shared-network-name VIDEO subnet 10.1.4.0/24 domain-name 'bjw-s.casa' 189 | set service dhcp-server shared-network-name VIDEO subnet 10.1.4.0/24 lease '86400' 190 | set service dhcp-server shared-network-name VIDEO subnet 10.1.4.0/24 name-server '10.5.0.4' 191 | set service dhcp-server shared-network-name VIDEO subnet 10.1.4.0/24 range 0 start 
'10.1.4.200' 192 | set service dhcp-server shared-network-name VIDEO subnet 10.1.4.0/24 range 0 stop '10.1.4.254' 193 | 194 | set service dhcp-server shared-network-name VIDEO subnet 10.1.4.0/24 static-mapping driveway-camera-doorbell ip-address '10.1.4.12' 195 | set service dhcp-server shared-network-name VIDEO subnet 10.1.4.0/24 static-mapping driveway-camera-doorbell mac-address 'ec:71:db:88:50:f8' 196 | -------------------------------------------------------------------------------- /config-parts/service.sh: -------------------------------------------------------------------------------- 1 | #!/bin/vbash 2 | 3 | # NTP server 4 | delete service ntp allow-client 5 | set service ntp allow-client address '127.0.0.0/8' 6 | set service ntp allow-client address '10.0.0.0/8' 7 | set service ntp allow-client address '172.16.0.0/12' 8 | set service ntp allow-client address '192.168.0.0/16' 9 | delete service ntp server 10 | set service ntp server nl.pool.ntp.org 11 | 12 | # SSH server 13 | set service ssh disable-password-authentication 14 | set service ssh port '22' 15 | 16 | # UDP Broadcast-Relay 17 | set service broadcast-relay id 1 description 'Sonos' 18 | set service broadcast-relay id 1 interface 'eth1.20' 19 | set service broadcast-relay id 1 interface 'eth1.40' 20 | set service broadcast-relay id 1 port '1900' 21 | 22 | # mDNS Repeater 23 | set service mdns repeater interface 'eth1.20' 24 | set service mdns repeater interface 'eth1.40' 25 | 26 | # TFTP server 27 | set service tftp-server directory '/config/tftpboot' 28 | set service tftp-server listen-address 10.1.1.1 29 | -------------------------------------------------------------------------------- /config-parts/system.sh: -------------------------------------------------------------------------------- 1 | #!/bin/vbash 2 | 3 | set system domain-name 'bjw-s.casa' 4 | set system host-name 'gateway' 5 | 6 | set system ipv6 disable-forwarding 7 | 8 | set system login user vyos authentication public-keys ios key 
'AAAAC3NzaC1lZDI1NTE5AAAAINllIKQjpMumg9CCz1HIEsti/cN6MpUWZbCeLiLjKH2W' 9 | set system login user vyos authentication public-keys ios type 'ssh-ed25519' 10 | set system login user vyos authentication public-keys personal key 'AAAAC3NzaC1lZDI1NTE5AAAAIMyYn4k4V+myBBl79Nt3t7EZugvz9A+d3ZbKyaP1w7J5' 11 | set system login user vyos authentication public-keys personal type 'ssh-ed25519' 12 | 13 | set system name-server '1.1.1.1' 14 | 15 | set system sysctl parameter kernel.pty.max value '24000' 16 | 17 | set system syslog global facility all level info 18 | set system syslog host 10.45.0.2 facility kern level 'warning' 19 | set system syslog host 10.45.0.2 protocol 'tcp' 20 | set system syslog host 10.45.0.2 port '6001' 21 | set system syslog host 10.45.0.2 format 'octet-counted' 22 | 23 | set system static-host-mapping host-name gateway inet '10.1.0.1' 24 | 25 | set system task-scheduler task backup-config crontab-spec '30 0 * * *' 26 | set system task-scheduler task backup-config executable path '/config/scripts/task-config-backup-usb.sh' 27 | 28 | set system time-zone 'Europe/Amsterdam' 29 | -------------------------------------------------------------------------------- /containers/.gitignore: -------------------------------------------------------------------------------- 1 | # Ignore everything 2 | /* 3 | 4 | # Track certain files and directories 5 | !.gitignore 6 | 7 | !/bind/ 8 | !/blocky/ 9 | !/dnsdist/ 10 | !/haproxy/ 11 | !/unifi/ 12 | !/vector-agent/ 13 | -------------------------------------------------------------------------------- /containers/bind/.gitignore: -------------------------------------------------------------------------------- 1 | # Ignore everything 2 | /* 3 | 4 | # Track certain files and directories 5 | !.gitignore 6 | 7 | !/config/ 8 | /config/* 9 | 10 | !/config/named.conf 11 | !/config/zones/ 12 | /config/zones/* 13 | !/config/zones/db.* 14 | -------------------------------------------------------------------------------- 
/containers/bind/config/named.conf: --------------------------------------------------------------------------------
# Only define the known VLAN subnets as trusted
# "trusted" is consumed by allow-recursion below: a source address outside these
# ranges can only ask for the authoritative zones, never for recursion.
acl "trusted" {
  10.1.0.0/24; # LAN
  10.1.1.0/24; # SERVERS
  10.1.2.0/24; # TRUSTED
  10.1.3.0/24; # IOT
  10.1.4.0/24; # VIDEO
  192.168.2.0/24; # GUEST
  10.0.11.0/24; # WIREGUARD
  10.5.0.0/24; # CONTAINERS
};

options {
  directory "/var/cache/bind";
  # IPv4 only: loopback plus the container's own address. No listen-on-v6 is
  # configured, so the server is not reachable over IPv6 (presumably intended - confirm).
  listen-on { 127.0.0.1; 10.5.0.3; };

  allow-recursion {
    trusted;
  };
  # Global defaults: no zone transfers and no dynamic updates. The "bjw-s.dev."
  # zone further down overrides both for the externaldns key.
  allow-transfer {
    none;
  };
  allow-update {
    none;
  };
};

logging {
  # Single channel to stderr (the container log), with the security and dnssec
  # categories routed explicitly so denied requests are not lost in "default".
  channel stdout {
    stderr;
    severity info;
    print-category yes;
    print-severity yes;
    print-time yes;
  };
  category security { stdout; };
  category dnssec { stdout; };
  category default { stdout; };
};

# Key material lives in separate files that are not tracked alongside this
# config (see containers/bind/.gitignore: only named.conf and zones/db.* are kept).
include "/etc/bind/rndc.key";
include "/etc/bind/externaldns.key";

# rndc is reachable from loopback only and must present rndc-key.
controls {
  inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
};

zone "unifi." {
  type master;
  file "/etc/bind/zones/db.unifi";
};

zone "bjw-s.casa." {
  type master;
  file "/etc/bind/zones/db.bjw-s.casa";
};

# Dynamic zone for external-dns. The holder of the externaldns key may add or
# delete records of any type below the apex (zonesub ANY) and pull full zone
# transfers, so that key is effectively write access to the whole zone - keep it
# scoped to the external-dns client. Updates are recorded in the journal, so the
# on-disk zone file lags behind the live zone.
zone "bjw-s.dev." {
  type master;
  file "/etc/bind/zones/db.bjw-s.dev";
  journal "/var/cache/bind/db.bjw-s.dev.jnl";
  allow-transfer {
    key "externaldns";
  };
  update-policy {
    grant externaldns zonesub ANY;
  };
};

zone "1.10.in-addr.arpa." {
  type master;
  file "/etc/bind/zones/db.1.10.in-addr.arpa";
};
-------------------------------------------------------------------------------- /containers/bind/config/zones/db.1.10.in-addr.arpa: --------------------------------------------------------------------------------
; Make sure to update the epoch time in the SOA records so coreDNS picks up the changes automatically
; https://www.epochconverter.com/
; NOTE(review): this zone is loaded by BIND (see named.conf); the coreDNS reference
; above is presumably a leftover - confirm. The serial still has to increase on
; every edit for the change to be noticed.

; SOA Records
$TTL 3600
$ORIGIN 1.10.in-addr.arpa.
@ 3600 IN SOA gateway.bjw-s.casa. gateway.bjw-s.casa. (
  1690965199 ; serial number (epoch timestamp)
  7200 ; refresh period
  3600 ; retry period
  1209600 ; expire time
  3600 ; minimum ttl
)

; NS Records
@ IN NS gateway.bjw-s.casa.

; Reset origin
; Records below are written as full reversed addresses relative to in-addr.arpa.
$ORIGIN in-addr.arpa.

; LAN
1.0.1.10 IN PTR gateway.bjw-s.casa.

; Servers
12.1.1.10 IN PTR gladius.bjw-s.casa.
31.1.1.10 IN PTR delta.bjw-s.casa.
32.1.1.10 IN PTR enigma.bjw-s.casa.
33.1.1.10 IN PTR felix.bjw-s.casa.
52.1.1.10 IN PTR pikvm.bjw-s.casa.

; Trusted
21.2.1.10 IN PTR bernd-macbook.bjw-s.casa.
22.2.1.10 IN PTR manyie-macbook.bjw-s.casa.
31.2.1.10 IN PTR bernd-iphone.bjw-s.casa.
; NOTE(review): bernd-ipad has no forward A record in db.bjw-s.casa and no DHCP static-mapping.
32.2.1.10 IN PTR bernd-ipad.bjw-s.casa.
33.2.1.10 IN PTR manyie-iphone.bjw-s.casa.
34.2.1.10 IN PTR manyie-ipad.bjw-s.casa.
35.2.1.10 IN PTR eva-ipad.bjw-s.casa.
; NOTE(review): db.bjw-s.casa and the TRUSTED DHCP static-mapping call 10.1.2.36
; "shared-ipad"; the reverse name here disagrees - one of the two should be corrected.
36.2.1.10 IN PTR kitchen-ipad.bjw-s.casa.

; IOT
11.3.1.10 IN PTR attic-office-3dprinter.bjw-s.casa.
12.3.1.10 IN PTR kitchen-oven.bjw-s.casa.
13.3.1.10 IN PTR kitchen-coffeemaker.bjw-s.casa.
14.3.1.10 IN PTR livingroom-tv.bjw-s.casa.
15.3.1.10 IN PTR livingroom-harmony-hub.bjw-s.casa.
16.3.1.10 IN PTR livingroom-atv.bjw-s.casa.
17.3.1.10 IN PTR livingroom-receiver.bjw-s.casa.
18.3.1.10 IN PTR livingroom-vacuum.bjw-s.casa.
19.3.1.10 IN PTR livingroom-airpurifier.bjw-s.casa.
20.3.1.10 IN PTR livingroom-nintendo-switch.bjw-s.casa.
21.3.1.10 IN PTR garden-wlanthermo.bjw-s.casa.
22.3.1.10 IN PTR upstairs-vacuum.bjw-s.casa.
23.3.1.10 IN PTR hallway-tado-bridge.bjw-s.casa.
31.3.1.10 IN PTR attic-office-desk-plug.bjw-s.casa.
32.3.1.10 IN PTR upstairs-office-desk-plug.bjw-s.casa.
33.3.1.10 IN PTR attic-office-3dprinter-plug.bjw-s.casa.
34.3.1.10 IN PTR spare-p1eu-1.bjw-s.casa.
; NOTE(review): bedroom-bed-occupancy-esp (10.1.3.37 in db.bjw-s.casa) has no PTR here.
45.3.1.10 IN PTR hallway-p1reader-esp.bjw-s.casa.
46.3.1.10 IN PTR hallway-zigbee-adapter.bjw-s.casa.
51.3.1.10 IN PTR bernd-ereader.bjw-s.casa.
52.3.1.10 IN PTR manyie-ereader.bjw-s.casa.
53.3.1.10 IN PTR hallway-tablet.bjw-s.casa.
54.3.1.10 IN PTR garage-tablet.bjw-s.casa.
55.3.1.10 IN PTR study-printer.bjw-s.casa.
61.3.1.10 IN PTR kitchen-sonos.bjw-s.casa.
62.3.1.10 IN PTR upstairs-office-sonos.bjw-s.casa.
63.3.1.10 IN PTR livingroom-sonos.bjw-s.casa.
65.3.1.10 IN PTR bedroom-eva-sonos.bjw-s.casa.
66.3.1.10 IN PTR livingroom-receiver-sonos.bjw-s.casa.
67.3.1.10 IN PTR livingroom-sonos-move.bjw-s.casa.
; NOTE(review): these three reuse the server host names on the IoT range, but
; db.bjw-s.casa only has A records for them at 10.1.1.31-33, so a forward-confirmed
; reverse check fails for 10.1.3.121-123. Presumably a second interface - confirm.
121.3.1.10 IN PTR delta.bjw-s.casa.
122.3.1.10 IN PTR enigma.bjw-s.casa.
123.3.1.10 IN PTR felix.bjw-s.casa.

; Video
12.4.1.10 IN PTR driveway-camera-doorbell.bjw-s.casa.
-------------------------------------------------------------------------------- /containers/bind/config/zones/db.bjw-s.casa: --------------------------------------------------------------------------------
; Make sure to update the epoch time in the SOA records so coreDNS picks up the changes automatically
; https://www.epochconverter.com/
; NOTE(review): served by BIND (see named.conf); the coreDNS reference is presumably a leftover - confirm.

; SOA Records
$TTL 3600
$ORIGIN bjw-s.casa.
@ 3600 IN SOA gateway.bjw-s.casa. gateway.bjw-s.casa. (
  1690965199 ; serial number (epoch timestamp)
  7200 ; refresh period
  3600 ; retry period
  1209600 ; expire time
  3600 ; minimum ttl
)

; NS Records
@ IN NS gateway.bjw-s.casa.

; LAN
gateway IN A 10.1.0.1

; Servers
gladius IN A 10.1.1.12
delta IN A 10.1.1.31
enigma IN A 10.1.1.32
felix IN A 10.1.1.33
pikvm IN A 10.1.1.52

; Trusted
; NOTE(review): the reverse zone also names 10.1.2.32 "bernd-ipad", which has no A record here.
bernd-macbook IN A 10.1.2.21
bernd-iphone IN A 10.1.2.31
manyie-macbook IN A 10.1.2.22
manyie-iphone IN A 10.1.2.33
manyie-ipad IN A 10.1.2.34
eva-ipad IN A 10.1.2.35
; NOTE(review): db.1.10.in-addr.arpa maps 10.1.2.36 back to "kitchen-ipad"; the two zones disagree.
shared-ipad IN A 10.1.2.36

; IOT
attic-office-3dprinter IN A 10.1.3.11
attic-office-3dprinter-plug IN A 10.1.3.33
attic-office-desk-plug IN A 10.1.3.31
bedroom-bed-occupancy-esp IN A 10.1.3.37
bedroom-eva-sonos IN A 10.1.3.65
bernd-ereader IN A 10.1.3.51
garage-tablet IN A 10.1.3.54
garden-wlanthermo IN A 10.1.3.21
hallway-p1reader-esp IN A 10.1.3.45
hallway-tablet IN A 10.1.3.53
hallway-tado-bridge IN A 10.1.3.23
hallway-zigbee-adapter IN A 10.1.3.46
kitchen-coffeemaker IN A 10.1.3.13
kitchen-oven IN A 10.1.3.12
kitchen-sonos IN A 10.1.3.61
livingroom-airpurifier IN A 10.1.3.19
livingroom-atv IN A 10.1.3.16
livingroom-harmony-hub IN A 10.1.3.15
livingroom-nintendo-switch IN A 10.1.3.20
livingroom-receiver IN A 10.1.3.17
livingroom-receiver-sonos IN A 10.1.3.66
livingroom-sonos IN A 10.1.3.63
livingroom-sonos-move IN A 10.1.3.67
livingroom-tv IN A 10.1.3.14
livingroom-vacuum IN A 10.1.3.18
manyie-ereader IN A 10.1.3.52
spare-p1eu-1 IN A 10.1.3.34
study-printer IN A 10.1.3.55
upstairs-office-desk-plug IN A 10.1.3.32
upstairs-office-sonos IN A 10.1.3.62
upstairs-vacuum IN A 10.1.3.22

; Video
driveway-camera-doorbell IN A 10.1.4.12

; Containers
cluster-0 IN A 10.5.0.2
main.k8s IN A 10.5.0.2

; CNAME records
nas.k8s IN CNAME gladius.bjw-s.casa.
-------------------------------------------------------------------------------- /containers/bind/config/zones/db.bjw-s.dev: --------------------------------------------------------------------------------
; Make sure to update the epoch time in the SOA records so coreDNS picks up the changes automatically
; https://www.epochconverter.com/
; NOTE(review): named.conf allows dynamic updates to this zone with the externaldns
; key; records added that way live in the zone journal, not in this file, so this
; file is only the static baseline.

; SOA Records
$TTL 3600
$ORIGIN bjw-s.dev.
@ 3600 IN SOA gateway.bjw-s.casa. gateway.bjw-s.casa. (
  1690965199 ; serial number (epoch timestamp)
  7200 ; refresh period
  3600 ; retry period
  1209600 ; expire time
  3600 ; minimum ttl
)

; NS Records
@ IN NS gateway.bjw-s.casa.

; Containers
onepassword-connect IN A 10.5.0.5
; NOTE(review): dnsdist.conf addresses 10.5.0.7 as the "Local Blocky" server; this label looks stale.
pihole IN A 10.5.0.7

; CNAME Records
vpn IN CNAME gateway.bjw-s.casa.
-------------------------------------------------------------------------------- /containers/bind/config/zones/db.unifi: --------------------------------------------------------------------------------
; Make sure to update the epoch time in the SOA records so coreDNS picks up the changes automatically
; https://www.epochconverter.com/
; NOTE(review): served by BIND (see named.conf); the coreDNS reference is presumably a leftover - confirm.

; SOA Records
$TTL 3600
$ORIGIN unifi.
@ 3600 IN SOA gateway.bjw-s.casa. gateway.bjw-s.casa. (
  1690965199 ; serial number (epoch timestamp)
  7200 ; refresh period
  3600 ; retry period
  1209600 ; expire time
  3600 ; minimum ttl
)

; NS Records
@ IN NS gateway.bjw-s.casa.
; A Records
; The bare "unifi." name resolves to the UniFi controller address.
@ IN A 10.5.0.10
-------------------------------------------------------------------------------- /containers/blocky/.gitignore: --------------------------------------------------------------------------------
# Ignore everything
/*

# Track certain files and directories
!.gitignore

!/config/
/config/*
!/config/config.yml
-------------------------------------------------------------------------------- /containers/blocky/config/config.yml: --------------------------------------------------------------------------------
ports:
  dns: 53
  # NOTE(review): the HTTP port exposes the API and /metrics; no authentication is
  # configured for it here, so it should stay reachable only from the container
  # network - confirm exposure.
  http: 4000

upstreams:
  groups:
    # these external DNS resolvers will be used. Blocky picks 2 random resolvers from the list for each query
    # Upstream traffic is DNS-over-TLS only; no plaintext resolver is listed.
    default:
      # Cloudflare
      - tcp-tls:1.1.1.1:853
      - tcp-tls:1.0.0.1:853

# configuration of client name resolution
# Reverse lookups of client addresses go to the local BIND container (10.5.0.3),
# which serves 1.10.in-addr.arpa; the names it returns are what clientGroupsBlock
# below matches against.
clientLookup:
  upstream: 10.5.0.3

# dnsdist sends the requester address as a /32 EDNS Client Subnet option
# (setECSSourcePrefixV4(32) in dnsdist.conf). Treat that as the client identity
# so per-client blocking still works behind the proxy.
ecs:
  useAsClient: true

prometheus:
  enable: true
  path: /metrics

blocking:
  loading:
    downloads:
      timeout: 4m

  # NOTE(review): lists are fetched at runtime from a third-party repository at its
  # moving `master` ref; an upstream change takes effect here on the next list refresh.
  blackLists:
    ads:
      - https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
    fakenews:
      - https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews-only/hosts
    gambling:
      - https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/gambling-only/hosts

  # Inline allow-list applied against the "ads" group only.
  whiteLists:
    ads:
      - |
        rabobank.nl

  # Group assignment by resolved client name (see clientLookup above);
  # "manyie*" clients are exempt from the ads list.
  clientGroupsBlock:
    default:
      - ads
      - fakenews
      - gambling
    manyie*:
      - fakenews
      - gambling
-------------------------------------------------------------------------------- /containers/dnsdist/.gitignore: --------------------------------------------------------------------------------
# Ignore everything
/*

# Track certain files and directories
!.gitignore

!/config/
/config/*
!/config/dnsdist.conf
-------------------------------------------------------------------------------- /containers/dnsdist/config/dnsdist.conf: --------------------------------------------------------------------------------
-- udp/tcp dns listening
-- Binds every address of the container; which networks can actually reach it is
-- decided outside this file (host/firewall) - confirm exposure.
setLocal("0.0.0.0:53", {})
-- disable security status polling via DNS
-- (suppresses the periodic outbound version-status query dnsdist would otherwise make)
setSecurityPollSuffix("")

-- Local Bind
-- Authoritative for the internal zones; receives the client address via ECS
-- (useClientSubnet) so its logs show the real requester rather than dnsdist.
newServer({
  address = "10.5.0.3",
  pool = "bind",
  healthCheckMode="lazy",
  checkInterval=1,
  lazyHealthCheckFailedInterval=30,
  rise=2,
  maxCheckFailures=3,
  lazyHealthCheckThreshold=30,
  lazyHealthCheckSampleSize=100,
  lazyHealthCheckMinSampleCount=10,
  lazyHealthCheckMode='TimeoutOnly',
  useClientSubnet = true
})

-- Local Blocky
newServer({
  address = "10.5.0.7",
  pool = "blocky",
  healthCheckMode = "lazy",
  checkInterval = 1800,
  maxCheckFailures = 3,
  lazyHealthCheckFailedInterval = 30,
  rise = 2,
  lazyHealthCheckThreshold = 30,
  lazyHealthCheckSampleSize = 100,
  lazyHealthCheckMinSampleCount = 10,
  lazyHealthCheckMode = 'TimeoutOnly',
  useClientSubnet = true
})
-- Blocky will be given requester IP
-- Full /32 so Blocky's per-client groups (ecs.useAsClient in its config) see the
-- individual host. Only servers with useClientSubnet receive this; the Cloudflare
-- backends below do not, so client addresses are not forwarded off-site.
setECSSourcePrefixV4(32)

-- CloudFlare DNS over TLS
-- Certificate validation is on and pinned to the expected subject name, so a
-- tampered upstream is refused rather than silently used.
newServer({
  address = "1.1.1.1:853",
  tls = "openssl",
  subjectName = "cloudflare-dns.com",
  validateCertificates = true,
  checkInterval = 10,
  checkTimeout = 2000,
  pool = "cloudflare"
})
newServer({
  address = "1.0.0.1:853",
  tls = "openssl",
  subjectName = "cloudflare-dns.com",
  validateCertificates = true,
  checkInterval = 10,
  checkTimeout = 2000,
  pool = "cloudflare"
})

-- Enable caching
-- Attached to the default pool ""; the named pools above inherit nothing from it
-- (presumably intended - confirm whether bind/blocky/cloudflare should be cached too).
pc = newPacketCache(10000, {
  maxTTL = 86400,
  minTTL = 0,
  temporaryFailureTTL = 60,
  staleTTL = 60,
  dontAge = false
})
getPool(""):setCache(pc)

-- Create Guest exceptions
-- Two specific guest hosts may resolve one internal name (actual.bjw-s.dev) via
-- BIND; everything else from the guest VLAN goes to Cloudflare below.
guestExceptions=newNMG()
guestExceptions:addMask("192.168.2.11/32")
guestExceptions:addMask("192.168.2.12/32")

guestExceptionAddresses=newSuffixMatchNode()
guestExceptionAddresses:add('actual.bjw-s.dev')

-- Request logging, uncomment to log DNS requests/responses to stdout
-- (logs every query including client addresses - leave off outside debugging)
-- addAction(AllRule(), LogAction("", false, false, true, false, false))
-- addResponseAction(AllRule(), LogResponseAction("", false, true, false, false))

-- Routing rules
-- Rules are evaluated in order; the guest exception must stay ahead of the
-- catch-all guest rules that follow it.
addAction(
  AndRule({
    NetmaskGroupRule(guestExceptions),
    SuffixMatchNodeRule(guestExceptionAddresses)
  }), PoolAction("bind")
)
addAction("192.168.2.0/24", PoolAction("cloudflare")) -- guest vlan
-- NOTE(review): PoolAction stops rule processing by default, so this DropAction
-- is presumably only reached if that default is changed - confirm it is meant as
-- a belt-and-braces rule rather than an active one.
addAction("192.168.2.0/24", DropAction()) -- stop processing

-- Drops every query under the "zip" TLD (string selector = qname suffix).
addAction("zip", DropAction()) -- stop processing

-- Internal zones always go to BIND, whatever the source network.
addAction('unifi', PoolAction('bind'))
addAction('bjw-s.dev', PoolAction('bind'))
addAction('bjw-s.casa', PoolAction('bind'))
addAction('1.10.in-addr.arpa', PoolAction('bind'))

-- Per-source routing. LAN bypasses Blocky (no filtering); the other VLANs are filtered.
-- NOTE(review): 10.1.4.0/24 (VIDEO) and 10.5.0.0/24 (CONTAINERS) match none of these,
-- so their non-internal queries fall through to the default pool "", which appears to
-- have no server attached (every newServer above sets pool=). Confirm those clients
-- are expected to resolve via this instance.
addAction("10.1.0.0/24", PoolAction("cloudflare")) -- lan
addAction("10.1.1.0/24", PoolAction("blocky")) -- servers vlan
addAction("10.1.2.0/24", PoolAction("blocky")) -- trusted vlan
addAction("10.1.3.0/24", PoolAction("blocky")) -- iot vlan
addAction("10.0.11.0/24", PoolAction("blocky")) -- wg_trusted vlan
-------------------------------------------------------------------------------- /containers/haproxy/.gitignore: --------------------------------------------------------------------------------
# Ignore everything
/*

# Track certain files and directories
!.gitignore

!/config/
/config/*
!/config/haproxy.cfg
-------------------------------------------------------------------------------- /containers/haproxy/config/haproxy.cfg: --------------------------------------------------------------------------------
#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
    log /dev/log local0
    log /dev/log local1 notice
    daemon

#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
# NOTE: every frontend/backend below switches to "mode tcp", so the HTTP-only
# options here (httplog, forwardfor, http-server-close, http-keep-alive) do not
# apply to them; only the timeouts and retries carry over.
#---------------------------------------------------------------------
defaults
    mode http
    log global
    option httplog
    option dontlognull
    option http-server-close
    option forwardfor except 127.0.0.0/8
    option redispatch
    retries 3
    timeout http-request 10s
    timeout queue 20s
    timeout connect 10s
    timeout client 1h
    timeout server 1h
    timeout http-keep-alive 10s
    timeout check 10s

#---------------------------------------------------------------------
# apiserver frontend which proxies to the control plane nodes
# Plain TCP pass-through: TLS is terminated by the API servers, not here, so
# HAProxy never sees or holds the cluster certificates.
# Binds on all addresses of the container; reachability is governed outside this file.
#---------------------------------------------------------------------
frontend k8s_apiserver
    bind *:6443
    mode tcp
    option tcplog
    default_backend k8s_controlplane

frontend talos_apiserver
    bind *:50000
    mode tcp
    option tcplog
    default_backend talos_controlplane

#---------------------------------------------------------------------
# round robin balancing for apiserver
# NOTE(review): "option httpchk" and "option ssl-hello-chk" are both declared in
# each backend. HAProxy treats check types as mutually exclusive, so the later
# ssl-hello-chk presumably wins and the GET /healthz / expect-200 lines are inert.
# A real /healthz probe against these TLS endpoints would have to be made over TLS
# (server "check-ssl") - confirm which check is actually active before relying on it.
#---------------------------------------------------------------------
backend k8s_controlplane
    option httpchk GET /healthz
    http-check expect status 200
    mode tcp
    option ssl-hello-chk
    balance roundrobin
    server delta 10.1.1.31:6443 check
    server enigma 10.1.1.32:6443 check
    server felix 10.1.1.33:6443 check

backend talos_controlplane
    option httpchk GET /healthz
    http-check expect status 200
    mode tcp
    option ssl-hello-chk
    balance roundrobin
    server delta 10.1.1.31:50000 check
    server enigma 10.1.1.32:50000 check
    server felix 10.1.1.33:50000 check
-------------------------------------------------------------------------------- /containers/unifi/.gitignore: --------------------------------------------------------------------------------
# Ignore everything
/*

# Track certain files and directories
!.gitignore
!.gitkeep
-------------------------------------------------------------------------------- /containers/unifi/.gitkeep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bjw-s/vyos-config/0fd6974aad32067cf2412d99fe087caa74d42193/containers/unifi/.gitkeep -------------------------------------------------------------------------------- /scripts/.gitignore: --------------------------------------------------------------------------------
# Ignore everything
/*

# Track certain files and directories
!.gitignore
!*.sh
!*.script

!/commit
/commit/*
!/commit/pre-hooks.d
/commit/pre-hooks.d/*
!/commit/pre-hooks.d/**.sh
-------------------------------------------------------------------------------- /scripts/mount_usb.sh: --------------------------------------------------------------------------------
#!/bin/bash
#
# Description: Mount the backup USB device at ${dest} if it is not mounted yet.
# The backup itself is done by task-config-backup-usb.sh, which repeats this
# mount step inline.
#
dest="/media/usb-backup"
# Pinned by-id path: only this partition of this specific stick is ever mounted,
# so a different device in the same port is ignored rather than written to.
disk="/dev/disk/by-id/usb-USB_SanDisk_3.2Gen1_0401853931cd180d6b2371659b9f24f92dd8e4bd8a39ebee5f7163a1785d2ff3221700000000000000000000dcdd864500076b1883558107c0accd55-0:0-part2"
user="vyos"

# Mount a formatted exfat USB
# exFAT has no ownership of its own; uid/gid make the files appear as vyos:vyattacfg
# so the unprivileged task scheduler user can write to it.
if ! findmnt -M "${dest}"; then
  sudo mkdir -p "${dest}"
  sudo mount.exfat-fuse -o "rw,uid=${user},gid=vyattacfg" "${disk}" "${dest}"
fi
-------------------------------------------------------------------------------- /scripts/task-config-backup-usb.sh: --------------------------------------------------------------------------------
#!/bin/bash
#
# Description: Backup config directory and configuration commands to a USB device
#
# Runs nightly from the VyOS task-scheduler (system.sh: backup-config, 00:30).
# No "set -e": a failed tar/rsync still falls through to the unmount below, so
# a partial backup is not reported anywhere - consider checking exit codes.
#

dest="/media/usb-backup"
disk="/dev/disk/by-id/usb-USB_SanDisk_3.2Gen1_0401853931cd180d6b2371659b9f24f92dd8e4bd8a39ebee5f7163a1785d2ff3221700000000000000000000dcdd864500076b1883558107c0accd55-0:0-part2"
user="vyos"

# Mount a formatted exfat USB
if ! findmnt -M "${dest}"; then
  sudo mkdir -p "${dest}"
  sudo mount.exfat-fuse -o "rw,uid=${user},gid=vyattacfg" "${disk}" "${dest}"
fi

# Backup
# Only proceed if the mount actually succeeded; otherwise nothing is written.
if findmnt -M "${dest}"; then
  timestamp="$(date +%Y%m%d%H%M%S)"

  # VyOS Commands
  # Full "set" dump of the running config. Whatever secrets live in the config
  # (keys, pre-shared secrets) end up in this archive - treat the USB as sensitive.
  mkdir -p "${dest}/vyos/"
  /opt/vyatta/bin/vyatta-op-cmd-wrapper show configuration commands | gzip -3 -c > "${dest}/vyos/vyos-commands.${timestamp}.gz"

  # VyOS /config
  # NOTE(review): only overlay* and unifi* are excluded, so /config/secrets
  # (age.key and id_ed25519, see vyos-postconfig-bootup.script) is copied onto
  # an unencrypted exFAT volume. Either exclude it, encrypt the archive, or keep
  # the stick physically controlled.
  tar --exclude="overlay*" --exclude="unifi*" -zvcf "${dest}/vyos/vyos-config.${timestamp}.tar.gz" /config

  # Unifi backups
  mkdir -p "${dest}/unifi/"
  rsync -r /config/containers/unifi/data/backup/autobackup/ "${dest}/unifi/"

  # Delete backups older than 1 month
  # NOTE(review): this runs on the whole mount, not just the vyos/ and unifi/
  # directories, so any other file on the stick older than 30 days is removed too.
  find "${dest}" -type f -mtime +30 -delete

  # Sync the filesystem
  sync
  # Unmount the USB drive
  sudo umount "${dest}"
fi
-------------------------------------------------------------------------------- /scripts/vyos-postconfig-bootup.script: --------------------------------------------------------------------------------
#!/bin/sh
# This script is executed at boot time after VyOS configuration is fully
# applied.
# Any modifications required to work around unfixed bugs or use
# services not available through the VyOS CLI system can be placed here.
#
# NOTE(review): the shebang is /bin/sh but the interface loop at the bottom uses
# "< <(...)" process substitution, which is not POSIX sh. This works only where
# /bin/sh is bash - confirm, or change the shebang to /bin/bash.

if [ -d "/home/vyos" ]; then
  # Add dotfiles for home directory
  # NOTE(review): the redirections on the two tee lines below look garbled in this
  # copy ("</dev/null" with no heredoc operator); the intent is presumably
  # "<<END >/dev/null" - verify against the checked-in file before editing.
  # .gitconfig is rewritten from scratch on every boot (no -a), which is fine.
  tee /home/vyos/.gitconfig </dev/null
[init]
defaultBranch = main
[safe]
directory = /config
[user]
email = me@bjw-s.dev
name = Bernd Schorgers
END
  chown vyos:users /home/vyos/.gitconfig

  # NOTE(review): "tee -a" appends on every boot, so these four exports are
  # duplicated in .bash_aliases each time the router restarts; either rewrite the
  # file (drop -a) or guard the append with a marker check.
  # The key paths referenced here live under /config/secrets, which
  # task-config-backup-usb.sh includes in its nightly tar of /config.
  tee -a /home/vyos/.bash_aliases </dev/null
export SOPS_AGE_KEY_FILE=/config/secrets/age.key
export GIT_SSH_COMMAND="ssh -i /config/secrets/id_ed25519"
export VISUAL=vi
export EDITOR=vi
END
  chown vyos:users /home/vyos/.bash_aliases
fi

# Disable EEE on network interfaces as a workaround to i225/i226 issues
# Interface names are derived by parsing "ls -l" output of the driver symlinks
# (5th path component); this runs against every interface that has a driver
# module, not only the i225/i226 ports, and breaks if the path layout changes.
while read -r interface
do
  sudo ethtool --set-eee "${interface}" eee off
done < <(ls -l /sys/class/net/*/device/driver/module | cut -d/ -f5)
-------------------------------------------------------------------------------- /scripts/vyos-preconfig-bootup.script: --------------------------------------------------------------------------------
#!/bin/sh
# This script is executed at boot time before VyOS configuration is applied.
# Any modifications required to work around unfixed bugs or use
# services not available through the VyOS CLI system can be placed here.

# Fix for containers requiring a custom user/group id
# and VyOS not preserving file perms on upgrade
# The numeric ids match the unprivileged users the containers run as; the
# directories are recreated here on every boot (presumably tmpfs - confirm).
mkdir -p /tmp/onepassword/data
chown -R 999 /tmp/onepassword/data
mkdir -p /tmp/bind/cache
chown -R 104 /tmp/bind/cache
--------------------------------------------------------------------------------