1.0.0 Release IaaS

config/node/app/nftables.conf.j2

@@ -0,0 +1,38 @@
+#!/usr/sbin/nft -f
+flush ruleset
+
+define NET4_SERVER = {{ hostvars['fw']['network4']['subnet']['server'] }}
+define NET6_SERVER = {{ hostvars['fw']['network6']['subnet']['server'] }}
+define HOSTS4_CONSOLE = { {{ hostvars['fw']['network4']['console'].values() | join(', ') }} }
+define HOSTS6_CONSOLE = { {{ hostvars['fw']['network6']['console'].values() | join(', ') }} }
+define PORTS_SSH = 22
+
+table inet nat {
+    chain prerouting {
+        type nat hook prerouting priority dstnat; policy accept;
+    }
+    chain postrouting {
+
+    }
+    chain output {
+        type nat hook output priority dstnat; policy accept;
+    }
+}
+
+table inet filter {
+    chain input {
+        type filter hook input priority 0; policy drop;
+        ct state invalid drop comment "deny invalid connection"
+        ct state established, related accept comment "allow all connection already existing"
+        iifname "lo" accept comment "allow local connection"
+        meta l4proto { icmp, icmpv6 } accept comment "allow icmp connection"
+        ip saddr $HOSTS4_CONSOLE tcp dport $PORTS_SSH accept comment "allow ipv4 ssh connection: CONSOLE > APP"
+        ip6 saddr $HOSTS6_CONSOLE tcp dport $PORTS_SSH  accept comment "allow ipv6 ssh connection: CONSOLE > APP"
+    }
+    chain forward {
+        type filter hook forward priority 0; policy drop;
+    }
+    chain output {
+        type filter hook output priority 0; policy accept;
+    }
+}

config/node/auth/nftables.conf.j2

@@ -0,0 +1,48 @@
+#!/usr/sbin/nft -f
+flush ruleset
+
+define NET4_SERVER = {{ hostvars['fw']['network4']['subnet']['server'] }}
+define NET6_SERVER = {{ hostvars['fw']['network6']['subnet']['server'] }}
+define HOSTS4_CONSOLE = { {{ hostvars['fw']['network4']['console'].values() | join(', ') }} }
+define HOSTS6_CONSOLE = { {{ hostvars['fw']['network6']['console'].values() | join(', ') }} }
+define PORTS_SSH = 22
+define PORTS_HTTP = 80
+define PORTS_HTTP_FORWARD = 2080
+define PORTS_HTTPS = 443
+define PORTS_HTTPS_FORWARD = 2443
+
+table inet nat {
+    chain prerouting {
+        type nat hook prerouting priority dstnat; policy accept;
+        tcp dport $PORTS_HTTP dnat to :$PORTS_HTTP_FORWARD comment "dnat http ports to $PORTS_HTTP_FORWARD"
+        tcp dport $PORTS_HTTPS dnat to :$PORTS_HTTPS_FORWARD comment "dnat https ports to $PORTS_HTTPS_FORWARD"
+    }
+    chain postrouting {
+
+    }
+    chain output {
+        type nat hook output priority dstnat; policy accept;
+        oifname "lo" tcp dport $PORTS_HTTP dnat to :$PORTS_HTTP_FORWARD comment "dnat http ports to $PORTS_HTTP_FORWARD out of LOCALHOST"
+        oifname "lo" tcp dport $PORTS_HTTPS dnat to :$PORTS_HTTPS_FORWARD comment "dnat https ports to $PORTS_HTTPS_FORWARD out of LOCALHOST"
+    }
+}
+
+table inet filter {
+    chain input {
+        type filter hook input priority 0; policy drop;
+        ct state invalid drop comment "deny invalid connection"
+        ct state established, related accept comment "allow all connection already existing"
+        iifname "lo" accept comment "allow local connection: AUTH > AUTH"
+        meta l4proto { icmp, icmpv6 } accept comment "allow icmp connection: AUTH"
+        ip saddr $HOSTS4_CONSOLE tcp dport $PORTS_SSH accept comment "allow ipv4 ssh connection: CONSOLE > AUTH"
+        ip6 saddr $HOSTS6_CONSOLE tcp dport $PORTS_SSH accept comment "allow ipv6 ssh connection: CONSOLE > AUTH"
+        tcp dport $PORTS_HTTP_FORWARD ct original proto-dst $PORTS_HTTP accept comment "allow ipv4, 6 http connection: > AUTH"
+        tcp dport $PORTS_HTTPS_FORWARD ct original proto-dst $PORTS_HTTPS accept comment "allow ipv4, 6 https connection: > AUTH"
+    }
+    chain forward {
+        type filter hook forward priority 0; policy drop;
+    }
+    chain output {
+        type filter hook output priority 0; policy accept;
+    }
+}

config/node/common/hosts.j2

@@ -0,0 +1,34 @@
+# localhost
+127.0.0.1 {{ node['local_san'] }}
+::1 {{ node['local_san'] }}
+{% if node['name'] == 'console' %}
+# Hosts IPv4
+{{ hostvars['fw']['network4']['firewall']['server'] }} fw.ilnmors.internal
+{{ hostvars['fw']['network4']['vmm']['client'] }} init.vmm.ilnmors.internal
+{{ hostvars['fw']['network4']['vmm']['server'] }} vmm.ilnmors.internal
+{{ hostvars['fw']['network4']['infra']['server'] }} infra.ilnmors.internal
+{{ hostvars['fw']['network4']['auth']['server'] }} auth.ilnmors.internal
+{{ hostvars['fw']['network4']['app']['server'] }} app.ilnmors.internal
+# Hosts IPv6
+{{ hostvars['fw']['network6']['firewall']['server'] }} fw.ilnmors.internal
+{{ hostvars['fw']['network6']['vmm']['client'] }} init.vmm.ilnmors.internal
+{{ hostvars['fw']['network6']['vmm']['server'] }} vmm.ilnmors.internal
+{{ hostvars['fw']['network6']['infra']['server'] }} infra.ilnmors.internal
+{{ hostvars['fw']['network6']['auth']['server'] }} auth.ilnmors.internal
+{{ hostvars['fw']['network6']['app']['server'] }} app.ilnmors.internal
+{% else %}
+# IPv4
+# Crowdsec, blocky, bind(fw)
+{{ hostvars['fw']['network4']['firewall']['server'] }} ntp.ilnmors.internal crowdsec.ilnmors.internal
+{{ hostvars['fw']['network4']['blocky']['server'] }} blocky.ilnmors.internal
+{{ hostvars['fw']['network4']['bind']['server'] }} bind.ilnmors.internal
+# DB, LDAP, CA, Prometheus, Loki, mail (infra)
+{{ hostvars['fw']['network4']['infra']['server'] }} postgresql.ilnmors.internal ldap.ilnmors.internal prometheus.ilnmors.internal loki.ilnmors.internal mail.ilnmors.internal ca.ilnmors.internal
+# IPv6
+# Crowdsec, blocky, bind(fw)
+{{ hostvars['fw']['network6']['firewall']['server'] }} ntp.ilnmors.internal crowdsec.ilnmors.internal
+{{ hostvars['fw']['network6']['blocky']['server'] }} blocky.ilnmors.internal
+{{ hostvars['fw']['network6']['bind']['server'] }} bind.ilnmors.internal
+# DB, LDAP, CA, Prometheus, Loki, mail (infra)
+{{ hostvars['fw']['network6']['infra']['server'] }} postgresql.ilnmors.internal ldap.ilnmors.internal prometheus.ilnmors.internal loki.ilnmors.internal mail.ilnmors.internal ca.ilnmors.internal
+{% endif %}

config/node/common/networkd/00-eth0.link

@@ -0,0 +1,5 @@
+[Match]
+MACAddress={{ hostvars[target_vm]['vm']['lan_mac'] }}
+
+[Link]
+Name=eth0

config/node/common/networkd/20-eth0.network

@@ -0,0 +1,13 @@
+[Match]
+Name=eth0
+
+[Network]
+# IPv4
+Address={{ hostvars['fw']['network4'][target_vm]['server'] }}/24
+Gateway={{ hostvars['fw']['network4']['firewall']['server'] }}
+DNS={{ hostvars['fw']['network4']['blocky']['server'] }}
+# IPv6
+IPv6AcceptRA=false
+Address={{ hostvars['fw']['network6'][target_vm]['server'] }}/64
+Gateway={{ hostvars['fw']['network6']['firewall']['server'] }}
+DNS={{ hostvars['fw']['network6']['blocky']['server'] }}

config/node/common/resolved/global.conf.j2

@@ -0,0 +1,6 @@
+[Resolve]
+{% if node['name'] in ['vmm', 'fw'] %}
+DNS=1.1.1.2 1.0.0.2
+DNS=2606:4700:4700::1112 2606:4700:4700::1002
+{% endif %}
+cache=false

config/node/common/ssh/host_certificate.conf

@@ -0,0 +1,2 @@
+HostKey /etc/ssh/ssh_host_ed25519_key
+HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub

config/node/common/ssh/prohibit_root.conf

@@ -0,0 +1 @@
+PermitRootLogin no

config/node/common/ssh/ssh_ca.conf

@@ -0,0 +1 @@
+TrustedUserCAKeys /etc/ssh/local_ssh_ca.pub

config/node/common/timesyncd/local-ntp.conf

@@ -0,0 +1,3 @@
+[Time]
+NTP=ntp.ilnmors.internal
+FallbackNTP=0.debian.pool.ntp.org 1.debian.pool.ntp.org 2.debian.pool.ntp.org 3.debian.pool.ntp.org

config/node/fw/networkd/00-fw-wan.link

@@ -0,0 +1,5 @@
+[Match]
+MACAddress={{ hostvars['fw']['vm']['wan_mac'] }}
+
+[Link]
+Name=wan

config/node/fw/networkd/01-fw-client.link

@@ -0,0 +1,5 @@
+[Match]
+MACAddress={{ hostvars['fw']['vm']['lan_mac'] }}
+
+[Link]
+Name=client

config/node/fw/networkd/10-fw-server.netdev

@@ -0,0 +1,6 @@
+[NetDev]
+Name=server
+Kind=vlan
+
+[VLAN]
+Id=10

config/node/fw/networkd/11-fw-user.netdev

@@ -0,0 +1,6 @@
+[NetDev]
+Name=user
+Kind=vlan
+
+[VLAN]
+Id=20

config/node/fw/networkd/20-fw-wan.network

@@ -0,0 +1,16 @@
+[Match]
+Name=wan
+
+[Network]
+DHCP=true
+IPv6AcceptRA=true
+IPForward=true
+RequiredForOnline=false
+
+[DHCPv4]
+UseDNS=false
+
+[DHCPv6]
+WithoutRA=solicit
+PrefixDelegationHint=yes
+UseDNS=false

config/node/fw/networkd/21-fw-client.network

@@ -0,0 +1,16 @@
+[Match]
+Name=client
+
+[Network]
+# General
+IPForward=true
+IPv6SendRA=false
+IPv6AcceptRA=false
+VLAN=server
+VLAN=user
+# IPv4
+Address={{ hostvars['fw']['network4']['firewall']['client'] }}/24
+DNS={{ hostvars['fw']['network4']['blocky']['server'] }}
+# IPv6
+Address={{ hostvars['fw']['network6']['firewall']['client'] }}/64
+DNS={{ hostvars['fw']['network6']['blocky']['server'] }}

config/node/fw/networkd/22-fw-server.network

@@ -0,0 +1,24 @@
+[Match]
+Name=server
+
+[Network]
+IPForward=true
+IPv6SendRA=false
+IPv6AcceptRA=false
+# IPv4
+Address={{ hostvars['fw']['network4']['firewall']['server'] }}/24
+DNS={{ hostvars['fw']['network4']['blocky']['server'] }}
+# IPv6
+Address={{ hostvars['fw']['network6']['firewall']['server'] }}/64
+DNS={{ hostvars['fw']['network6']['blocky']['server'] }}
+
+[Address]
+Address={{ hostvars['fw']['network4']['blocky']['server'] }}/24
+[Address]
+Address={{ hostvars['fw']['network4']['bind']['server'] }}/24
+[Address]
+Address={{ hostvars['fw']['network6']['blocky']['server'] }}/64
+PreferredLifetime=0
+[Address]
+Address={{ hostvars['fw']['network6']['bind']['server'] }}/64
+PreferredLifetime=0

config/node/fw/networkd/23-fw-user.network

@@ -0,0 +1,25 @@
+[Match]
+Name=user
+
+[Network]
+IPForward=true
+IPv6PrefixDelegation=true
+IPv6SendRA=true
+IPv6SendRAExtension=false
+# IPv4
+Address={{ hostvars['fw']['network4']['firewall']['user'] }}/24
+DNS={{ hostvars['fw']['network4']['blocky']['server'] }}
+
+[IPv6PrefixDelegation]
+SubnetId=20
+# A-Flag: Enable SLAAC
+AddressAutoconfiguration=true
+OnLink=true
+
+[IPv6SendRA]
+# M-Flag: Client IP from DHCPv6
+Managed=false
+# O-Flag: Other information form DHCPv6
+OtherInformation=false
+EmitDNS=true
+DNS={{ hostvars['fw']['network6']['blocky']['server'] }}

config/node/fw/nftables.conf.j2

@@ -0,0 +1,186 @@
+#!/usr/sbin/nft -f
+# Convention
+# iifname oifname saddr daddr proto dport ct state action / Ellipsis if you can something
+flush ruleset
+
+define IF_WAN = "wan"
+define IF_CLIENT = "client"
+define IF_SERVER = "server"
+define IF_USER = "user"
+define IF_WG = "wg0"
+
+define NET4_CLIENT = {{ hostvars['fw']['network4']['subnet']['client'] }}
+define NET4_SERVER = {{ hostvars['fw']['network4']['subnet']['server'] }}
+define NET4_USER = {{ hostvars['fw']['network4']['subnet']['user'] }}
+define NET4_WG = {{ hostvars['fw']['network4']['subnet']['wg'] }}
+define NET4_LLA = {{ hostvars['fw']['network4']['subnet']['lla'] }}
+define NET4_RFC1918 = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
+
+define NET6_CLIENT = {{ hostvars['fw']['network6']['subnet']['client'] }}
+define NET6_SERVER = {{ hostvars['fw']['network6']['subnet']['server'] }}
+define NET6_WG = {{ hostvars['fw']['network6']['subnet']['wg'] }}
+define NET6_LLA = {{ hostvars['fw']['network6']['subnet']['lla'] }}
+
+define HOSTS4_FW = { {{ hostvars['fw']['network4']['firewall'].values() | join(', ') }} }
+define HOSTS4_BLOCKY = {{ hostvars['fw']['network4']['blocky']['server'] }}
+define HOSTS4_BIND = {{ hostvars['fw']['network4']['bind']['server'] }}
+define HOSTS4_CONSOLE = { {{ hostvars['fw']['network4']['console'].values() | join(', ') }} }
+define HOSTS4_VMM = { {{ hostvars['fw']['network4']['vmm'].values() | join(', ') }} }
+define HOSTS4_INFRA = {{ hostvars['fw']['network4']['infra']['server'] }}
+define HOSTS4_AUTH = {{ hostvars['fw']['network4']['auth']['server'] }}
+define HOSTS4_APP = {{ hostvars['fw']['network4']['app']['server'] }}
+define HOSTS4_NAS = {{ hostvars['fw']['network4']['nas']['client'] }}
+
+define HOSTS6_FW = { {{ hostvars['fw']['network6']['firewall'].values() | join(', ') }} }
+define HOSTS6_BLOCKY = {{ hostvars['fw']['network6']['blocky']['server'] }}
+define HOSTS6_BIND = {{ hostvars['fw']['network6']['bind']['server'] }}
+define HOSTS6_CONSOLE = { {{ hostvars['fw']['network6']['console'].values() | join(', ') }} }
+define HOSTS6_VMM = { {{ hostvars['fw']['network6']['vmm'].values() | join(', ') }} }
+define HOSTS6_INFRA = {{ hostvars['fw']['network6']['infra']['server'] }}
+define HOSTS6_AUTH = {{ hostvars['fw']['network6']['auth']['server'] }}
+define HOSTS6_APP = {{ hostvars['fw']['network6']['app']['server'] }}
+define HOSTS6_NAS = {{ hostvars['fw']['network6']['nas']['client'] }}
+
+define PORTS_SSH = 22
+define PORTS_WEB = { 80, 443 }
+define PORTS_DHCP = { 67, 68, 546, 547 }
+define PORTS_DNS = 53
+define PORTS_NTP = 123
+define PORTS_VPN = 11290
+define PORTS_CROWDSEC = 8080
+define PORTS_NAS = { 5000, 5001 }
+define PORTS_KOPIA = 51515
+
+table inet nat {
+        chain prerouting {
+                type nat hook prerouting priority dstnat; policy accept;
+                # After prerouting, accept forward chain WAN
+                iifname $IF_WAN meta nfproto ipv4 tcp dport $PORTS_WEB dnat to $HOSTS4_AUTH comment "DNAT44 ipv4 web connection: WAN > FW > SERVER AUTH"
+                iifname $IF_WAN meta nfproto ipv6 tcp dport $PORTS_WEB dnat to $HOSTS6_AUTH comment "DNAT66 ipv6 web connection: WAN > FW > SERVER AUTH"
+        }
+        chain postrouting {
+                type nat hook postrouting priority srcnat; policy accept;
+                # Masquerade the packet
+                oifname $IF_WAN meta nfproto ipv4 masquerade comment "masquerade ipv4 wan connection: > FW > WAN"
+                # $IF_USER uses GUA on IPv6
+                iifname { $IF_CLIENT, $IF_SERVER, $IF_WG } oifname $IF_WAN meta nfproto ipv6 masquerade comment "masquerade ipv6 wan connection: CLIENT/SERVER/WG > FW > WAN"
+        }
+        chain output {
+        }
+}
+
+table inet filter {
+        set crowdsec-blacklists {
+                type ipv4_addr
+                flags timeout
+        }
+        set crowdsec6-blacklists {
+                type ipv6_addr
+                flags timeout
+        }        
+        chain global {
+                # invalid packets
+                ct state invalid drop comment "deny invalid connection"
+                # crowdsec
+                ip saddr @crowdsec-blacklists counter drop comment "deny all crowdsec blacklist"
+                ip6 saddr @crowdsec6-blacklists counter drop comment "deny all ipv6 crowdsec blacklist"
+                # fw
+                ct state established, related accept comment "allow all connection already existing"
+                ip6 saddr $NET6_LLA return comment "return ipv6 linklocaladdress to input and forward chain"
+                iifname $IF_WAN tcp dport $PORTS_SSH drop comment "deny ssh connection: WAN !> "
+                iifname $IF_WAN udp dport $PORTS_DNS drop comment "deny udp dns connection: WAN !> "
+                iifname $IF_WAN tcp dport $PORTS_DNS drop comment "deny tcp dns connection: WAN !> "
+                iifname $IF_WAN icmp type echo-request drop comment "deny icmp echo connection (Ping): WAN !>"
+                iifname $IF_WAN icmpv6 type echo-request drop comment "deny icmpv6 echo connection (Ping): WAN !>"
+                iifname $IF_WAN meta l4proto { icmp, icmpv6 } accept comment "allow icmp, icmpv6 connection: WAN >"
+                iifname $IF_WAN ip saddr $NET4_RFC1918 drop comment "deny ipv4 all connection: WAN RFC1918 !>"
+                iifname $IF_WAN ip saddr $NET4_LLA drop comment "deny ipv4 all connection: WAN APIPA(bogon) !>"
+                iifname { $IF_CLIENT, $IF_SERVER, $IF_USER } udp dport $PORTS_DHCP accept comment "allow dhcp4, dhcp6 connection: CLIENT/SERVER/USER > FW"
+                iifname $IF_CLIENT ip saddr != $NET4_CLIENT drop comment "deny ipv4 all connection: CLIENT !CLIENT !>"
+                iifname $IF_CLIENT ip6 saddr != $NET6_CLIENT drop comment "deny ipv6 all connection: CLIENT !CLIENT !>"
+                iifname $IF_SERVER ip saddr != $NET4_SERVER drop comment "deny ipv4 all connection: SERVER !SERVER !>"
+                iifname $IF_SERVER ip6 saddr != $NET6_SERVER drop comment "deny ipv6 all connection: SERVER !SERVER !>"
+                # IF_USER uses GUA on ipv6, so ipv6 rule is not needed
+                iifname $IF_USER ip saddr != $NET4_USER drop comment "deny ipv4 all connection: USER !USER !>"
+                iifname $IF_WG ip saddr != $NET4_WG drop comment "deny all ipv4 connection: WG !WG !>"
+                iifname $IF_WG ip6 saddr != $NET6_WG drop comment "deny all ipv6 connection: WG !WG !>"
+        }
+        chain input {
+                type filter hook input priority filter; policy drop;
+                jump global comment "set global condition"
+                iifname "lo" accept comment "allow local connection: FW > FW"
+                udp dport $PORTS_VPN accept comment "allow vpn connection: > FW"
+                iifname { $IF_CLIENT, $IF_SERVER, $IF_USER, $IF_WG } meta l4proto { icmp, icmpv6 } accept comment "allow icmp, icmpv6 connection: CLIENT/SERVER/USER/WG > FW"
+                iifname { $IF_CLIENT, $IF_SERVER, $IF_USER, $IF_WG } udp dport $PORTS_NTP accept comment "allow ntp connection: CLIENT/SERVER/USER/WG > FW"
+                # Global chain contains "WAN !> :SSH_PORT"
+                ip saddr $HOSTS4_CONSOLE tcp dport $PORTS_SSH accept comment "allow ipv4 ssh connection: CONSOLE > FW"
+                ip6 saddr $HOSTS6_CONSOLE tcp dport $PORTS_SSH accept comment "allow ipv6 ssh connection: CONSOLE > FW"
+                ip saddr { $HOSTS4_VMM, $HOSTS4_INFRA, $HOSTS4_AUTH, $HOSTS4_APP } tcp dport $PORTS_CROWDSEC accept comment "allow ipv4 crowdsec lapi connection: SERVER > FW"
+                ip6 saddr { $HOSTS6_VMM, $HOSTS6_INFRA, $HOSTS6_AUTH, $HOSTS6_APP } tcp dport $PORTS_CROWDSEC accept comment "allow ipv6 crowdsec lapi connection: SERVER > FW"
+                # Global chain contains "WAN !> :DNS_PORT"
+                ip daddr $HOSTS4_BLOCKY udp dport $PORTS_DNS accept comment "allow ipv4 udp dns connection: !WAN > SERVER BLOCKY(FW)"
+                ip daddr $HOSTS4_BLOCKY tcp dport $PORTS_DNS accept comment "allow ipv4 tcp dns connection: !WAN > SERVER BLOCKY(FW)"
+                ip6 daddr $HOSTS6_BLOCKY udp dport $PORTS_DNS accept comment "allow ipv6 udp dns connection: !WAN > SERVER BLOCKY(FW)"
+                ip6 daddr $HOSTS6_BLOCKY tcp dport $PORTS_DNS accept comment "allow ipv6 tcp dns connection: !WAN > SERVER BLOCKY(FW)"
+                ip saddr { $HOSTS4_INFRA, $HOSTS4_AUTH, $HOSTS4_APP } ip daddr $HOSTS4_BIND udp dport $PORTS_DNS accept comment "allow ipv4 udp dns connection (nsupdate): SERVER INFRA/AUTH/APP > BIND9(FW)"
+                ip saddr { $HOSTS4_INFRA, $HOSTS4_AUTH, $HOSTS4_APP } ip daddr $HOSTS4_BIND tcp dport $PORTS_DNS accept comment "allow ipv4 tcp dns connection (nsupdate): SERVER INFRA/AUTH/APP > BIND9(FW)"
+                ip6 saddr { $HOSTS6_INFRA, $HOSTS6_AUTH, $HOSTS6_APP } ip6 daddr $HOSTS6_BIND udp dport $PORTS_DNS accept comment "allow ipv6 udp dns connection (nsupdate): SERVER INFRA/AUTH/APP > BIND9(FW)"
+                ip6 saddr { $HOSTS6_INFRA, $HOSTS6_AUTH, $HOSTS6_APP } ip6 daddr $HOSTS6_BIND tcp dport $PORTS_DNS accept comment "allow ipv6 tcp dns connection (nsupdate): SERVER INFRA/AUTH/APP > BIND9(FW)"
+        }
+        chain forward {
+                type filter hook forward priority filter; policy drop;
+
+                jump global comment "set global condition"
+                # ICMP
+                ip saddr $HOSTS4_CONSOLE meta l4proto icmp accept comment "allow icmp connection: CONSOLE > FW >"
+                ip6 saddr $HOSTS6_CONSOLE meta l4proto icmpv6 accept comment "allow icmpv6 connection: CONSOLE > FW >"
+                # SSH connection
+                ip saddr $HOSTS4_CONSOLE tcp dport $PORTS_SSH accept comment "allow ipv4 ssh connection: CONSOLE > FW >"
+                ip6 saddr $HOSTS6_CONSOLE tcp dport $PORTS_SSH accept comment "allow ipv6 ssh connection: CONSOLE > FW >"
+                # Reverse proxy (WAN)
+                oifname $IF_SERVER ip daddr $HOSTS4_AUTH tcp dport $PORTS_WEB accept comment "allow ipv4 web connection: > FW > SERVER AUTH"
+                oifname $IF_SERVER ip6 daddr $HOSTS6_AUTH tcp dport $PORTS_WEB accept comment "allow ipv6 web connection: > FW > SERVER AUTH"
+                # Reverse proxy (SERVER)
+                oifname $IF_SERVER ip saddr $HOSTS4_CONSOLE ip daddr { $HOSTS4_INFRA, $HOSTS4_APP } tcp dport $PORTS_WEB accept comment "allow ipv4 web connection: CONSOLE > FW > SERVER INFRA/APP"
+                oifname $IF_SERVER ip6 saddr $HOSTS6_CONSOLE ip6 daddr { $HOSTS6_INFRA, $HOSTS6_APP } tcp dport $PORTS_WEB accept comment "allow ipv6 web connection: CONSOLE > FW > SERVER INFRA/APP"
+                # Kopia/NAS Console > NAS
+                oifname $IF_CLIENT ip saddr $HOSTS4_CONSOLE ip daddr $HOSTS4_NAS tcp dport { $PORTS_NAS, $PORTS_KOPIA } accept comment "allow ipv4 web connection (DSM, KOPIA): CONSOLE > FW > CLIENT NAS"
+                oifname $IF_CLIENT ip6 saddr $HOSTS6_CONSOLE ip6 daddr $HOSTS6_NAS tcp dport { $PORTS_NAS, $PORTS_KOPIA } accept comment "allow ipv6 web connection (DSM, KOPIA): CONSOLE > FW > CLIENT NAS"
+
+                iifname $IF_WAN jump wan comment "set WAN interface rules"
+                iifname $IF_CLIENT jump client comment "set CLIENT interface rules"
+                iifname $IF_SERVER jump server comment "set SERVER interface rules"
+                iifname $IF_USER jump user comment "set USER interface rules"
+                iifname $IF_WG jump wg comment "set WG interface rules"
+        }
+        chain wan {
+                return
+        }
+        chain client {
+                oifname $IF_WAN ip saddr { $HOSTS4_CONSOLE, $HOSTS4_NAS } accept comment "allow ipv4 internet connection: CLIENT CONSOLE/NAS > FW > WAN"
+                oifname $IF_WAN ip6 saddr { $HOSTS6_CONSOLE, $HOSTS6_NAS } accept comment "allow ipv6 internet connection: CLIENT CONSOLE/NAS > FW > WAN"
+                return
+        }
+        chain server {
+                # reverse proxy AUTH > NAS
+                oifname $IF_CLIENT ip saddr $HOSTS4_AUTH ip daddr $HOSTS4_NAS tcp dport $PORTS_NAS accept comment "allow ipv4 web connection(DSM): SERVER AUTH > FW > CLIENT NAS"
+                oifname $IF_CLIENT ip6 saddr $HOSTS6_AUTH ip6 daddr $HOSTS6_NAS tcp dport $PORTS_NAS accept comment "allow ipv6 web connection(DSM): SERVER AUTH > FW > CLIENT NAS"
+                # Kopia INFRA, APP > NAS
+                oifname $IF_CLIENT ip saddr { $HOSTS4_INFRA, $HOSTS4_APP } ip daddr $HOSTS4_NAS tcp dport $PORTS_KOPIA accept comment "allow ipv4 web connection(kopia): SERVER INFRA/APP > FW > CLIENT NAS"
+                oifname $IF_CLIENT ip6 saddr { $HOSTS6_INFRA, $HOSTS6_APP } ip6 daddr $HOSTS6_NAS tcp dport $PORTS_KOPIA accept comment "allow ipv6 web connection(kopia): SERVER INFRA/APP > FW > CLIENT NAS"
+                oifname $IF_WAN ip saddr { $HOSTS4_VMM, $HOSTS4_INFRA, $HOSTS4_AUTH, $HOSTS4_APP } accept comment "allow ipv4 internet connection: SERVER VMM/INFRA/AUTH/APP > FW > WAN"
+                oifname $IF_WAN ip6 saddr { $HOSTS6_VMM, $HOSTS6_INFRA, $HOSTS6_AUTH, $HOSTS6_APP } accept comment "allow ipv6 internet connection: SERVER VMM/INFRA/AUTH/APP > FW > WAN"
+                return
+        }
+        chain user {
+                oifname $IF_WAN accept comment "allow internet connection: USER > FW > WAN"
+                return
+        }
+        chain wg {
+                oifname $IF_WAN accept comment "allow internet connection: WG > FW > WAN"
+                return
+        }
+        chain output {
+                type filter hook output priority filter; policy accept;
+        }
+}

config/node/fw/wireguard/30-fw-wg0.netdev

@@ -0,0 +1,10 @@
+[NetDev]
+Name=wg0
+Kind=wireguard
+[WireGuard]
+ListenPort=11290
+PrivateKey={{ hostvars['console']['wireguard']['server']['private_key'] }}
+[WireGuardPeer]
+PublicKey={{ hostvars['console']['wireguard']['console']['public_key'] }}
+PresharedKey={{ hostvars['console']['wireguard']['console']['preshared_key'] }}
+AllowedIPs={{ hostvars['fw']["network4"]["console"]["wg"] }}/32, {{ hostvars['fw']["network6"]["console"]["wg"] }}/128

config/node/fw/wireguard/31-fw-wg0.network

@@ -0,0 +1,6 @@
+[Match]
+Name=wg0
+[Network]
+Address={{ hostvars['fw']["network4"]["firewall"]["wg"] }}/24
+Address={{ hostvars['fw']["network6"]["firewall"]["wg"] }}/64
+IPForward=yes

config/node/infra/nftables.conf.j2

@@ -0,0 +1,70 @@
+#!/usr/sbin/nft -f
+# Convention
+# iifname oifname saddr daddr proto dport ct state action / Ellipsis if you can something
+flush ruleset
+
+define NET4_SERVER = {{ hostvars['fw']['network4']['subnet']['server'] }}
+define NET6_SERVER = {{ hostvars['fw']['network6']['subnet']['server'] }}
+define HOSTS4_CONSOLE = { {{ hostvars['fw']['network4']['console'].values() | join(', ') }} }
+define HOSTS6_CONSOLE = { {{ hostvars['fw']['network6']['console'].values() | join(', ') }} }
+define PORTS_SSH = 22
+define PORTS_DB = 5432
+define PORTS_CA = 9000
+define PORTS_LDAPS = 636
+define PORTS_LDAPS_FORWARD = 6360
+define PORTS_HTTP = 80
+define PORTS_HTTP_FORWARD = 2080
+define PORTS_HTTPS = 443
+define PORTS_HTTPS_FORWARD = 2443
+define PORTS_PROMETHEUS = 9090
+define PORTS_LOKI = 3100
+
+table inet nat {
+    chain prerouting {
+        type nat hook prerouting priority dstnat; policy accept;
+        tcp dport $PORTS_HTTP dnat to :$PORTS_HTTP_FORWARD comment "DNAT http ports to $PORTS_HTTP_FORWARD"
+        tcp dport $PORTS_HTTPS dnat to :$PORTS_HTTPS_FORWARD comment "DNAT https ports to $PORTS_HTTPS_FORWARD"
+        tcp dport $PORTS_LDAPS dnat to :$PORTS_LDAPS_FORWARD comment "DNAT ldaps ports to $PORTS_LDAPS_FORWARD"
+    }
+    chain postrouting {
+
+    }
+    chain output {
+        type nat hook output priority dstnat; policy accept;
+        oifname "lo" tcp dport $PORTS_HTTP dnat to :$PORTS_HTTP_FORWARD comment "DNAT http ports to $PORTS_HTTP_FORWARD out of LOCALHOST"
+        oifname "lo" tcp dport $PORTS_HTTPS dnat to :$PORTS_HTTPS_FORWARD comment "DNAT https ports to $PORTS_HTTPS_FORWARD out of LOCALHOST"
+        oifname "lo" tcp dport $PORTS_LDAPS dnat to :$PORTS_LDAPS_FORWARD comment "DNAT ldaps ports to $PORTS_LDAPS_FORWARD out of LOCALHOST"
+    }
+}
+
+table inet filter {
+    chain input {
+        type filter hook input priority 0; policy drop;
+        ct state invalid drop comment "deny invalid connection"
+        ct state established, related accept comment "allow all connection already existing"
+        iifname "lo" accept comment "allow local connection: INFRA > INFRA"
+        meta l4proto { icmp, icmpv6 } accept comment "allow icmp connection: > INFRA"
+        ip saddr $HOSTS4_CONSOLE tcp dport $PORTS_SSH accept comment "allow ipv4 ssh connection: CONSOLE > INFRA"
+        ip6 saddr $HOSTS6_CONSOLE tcp dport $PORTS_SSH accept comment "allow ipv6 ssh connection: CONSOLE > INFRA"
+        ip saddr $NET4_SERVER tcp dport $PORTS_CA accept comment "allow ipv4 ca connection: SERVER > INFRA"
+        ip6 saddr $NET6_SERVER tcp dport $PORTS_CA accept comment "allow ipv6 ca connection: SERVER > INFRA"
+        ip saddr $NET4_SERVER tcp dport $PORTS_DB accept comment "allow ipv4 db connection: SERVER > INFRA"
+        ip6 saddr $NET6_SERVER tcp dport $PORTS_DB accept comment "allow ipv6 db connection: SERVER > INFRA"
+        ip saddr $HOSTS4_CONSOLE tcp dport $PORTS_HTTP_FORWARD ct original proto-dst $PORTS_HTTP accept comment "allow ipv4 http connection: CONSOLE > INFRA"
+        ip6 saddr $HOSTS6_CONSOLE tcp dport $PORTS_HTTP_FORWARD ct original proto-dst $PORTS_HTTP accept comment "allow ipv6 http connection: CONSOLE > INFRA"
+        ip saddr $HOSTS4_CONSOLE tcp dport $PORTS_HTTPS_FORWARD ct original proto-dst $PORTS_HTTPS accept comment "allow ipv4 https connection: CONSOLE > INFRA"
+        ip6 saddr $HOSTS6_CONSOLE tcp dport $PORTS_HTTPS_FORWARD ct original proto-dst $PORTS_HTTPS accept comment "allow ipv6 https connection: CONSOLE > INFRA"
+        ip saddr $NET4_SERVER tcp dport $PORTS_LDAPS_FORWARD ct original proto-dst $PORTS_LDAPS accept comment "allow ipv4 ldaps connection: SERVER > INFRA"
+        ip6 saddr $NET6_SERVER tcp dport $PORTS_LDAPS_FORWARD ct original proto-dst $PORTS_LDAPS accept comment "allow ipv6 ldaps connection: SERVER > INFRA"
+        ip saddr $NET4_SERVER tcp dport $PORTS_PROMETHEUS accept comment "allow ipv4 prometheus connection: SERVER > INFRA"
+        ip6 saddr $NET6_SERVER tcp dport $PORTS_PROMETHEUS accept comment "allow ipv6 prometheus connection: SERVER > INFRA"
+        ip saddr $NET4_SERVER tcp dport $PORTS_LOKI accept comment "allow ipv4 loki connection: SERVER > INFRA"
+        ip6 saddr $NET6_SERVER tcp dport $PORTS_LOKI accept comment "allow ipv6 loki connection: SERVER > INFRA"
+    }
+    chain forward {
+        type filter hook forward priority 0; policy drop;
+    }
+    chain output {
+        type filter hook output priority 0; policy accept;
+    }
+}

config/node/vmm/networkd/00-vmm-eth0.link

@@ -0,0 +1,5 @@
+[Match]
+MACAddress=c8:ff:bf:05:aa:b0
+
+[Link]
+Name=eth0

config/node/vmm/networkd/01-vmm-eth1.link

@@ -0,0 +1,5 @@
+[Match]
+MACAddress=c8:ff:bf:05:aa:b1
+
+[Link]
+Name=eth1

config/node/vmm/networkd/10-vmm-br0.netdev

@@ -0,0 +1,3 @@
+[NetDev]
+Name=br0
+Kind=bridge

config/node/vmm/networkd/11-vmm-br1.netdev

@@ -0,0 +1,7 @@
+[NetDev]
+Name=br1
+Kind=bridge
+
+[Bridge]
+VLANFiltering=true
+DefaultPVID=1

config/node/vmm/networkd/12-vmm-vlan1.netdev

@@ -0,0 +1,6 @@
+[NetDev]
+Name=vlan1
+Kind=vlan
+
+[VLAN]
+Id=1

config/node/vmm/networkd/13-vmm-vlan10.netdev

@@ -0,0 +1,6 @@
+[NetDev]
+Name=vlan10
+Kind=vlan
+
+[VLAN]
+Id=10

config/node/vmm/networkd/14-vmm-vlan20.netdev

@@ -0,0 +1,6 @@
+[NetDev]
+Name=vlan20
+Kind=vlan
+
+[VLAN]
+Id=20

config/node/vmm/networkd/20-vmm-eth0.network

@@ -0,0 +1,6 @@
+[Match]
+Name=eth0
+
+[Network]
+Bridge=br0
+LinkLocalAddressing=false

config/node/vmm/networkd/21-vmm-eth1.network

@@ -0,0 +1,15 @@
+[Match]
+Name=eth1
+
+[Network]
+Bridge=br1
+LinkLocalAddressing=false
+
+[BridgeVLAN]
+VLAN=1
+PVID=true
+EgressUntagged=true
+
+[BridgeVLAN]
+VLAN=10
+VLAN=20

config/node/vmm/networkd/22-vmm-br0.network

@@ -0,0 +1,5 @@
+[Match]
+Name=br0
+
+[Network]
+LinkLocalAddressing=false

config/node/vmm/networkd/23-vmm-br1.network

@@ -0,0 +1,17 @@
+[Match]
+Name=br1
+
+[Network]
+VLAN=vlan1
+VLAN=vlan10
+VLAN=vlan20
+LinkLocalAddressing=false
+
+[BridgeVLAN]
+VLAN=1
+PVID=yes
+EgressUntagged=true
+
+[BridgeVLAN]
+VLAN=10
+VLAN=20

config/node/vmm/networkd/24-vmm-vlan1.network

@@ -0,0 +1,28 @@
+[Match]
+Name=vlan1
+
+[Network]
+# IPv4
+Address=192.168.1.10/24
+# IPv6
+Address=fd00:1::10/64
+
+[RoutingPolicyRule]
+From=192.168.1.10/32
+Table=1
+Priority=100
+
+[Route]
+Destination=192.168.1.0/24
+Scope=link
+Table=1
+
+[RoutingPolicyRule]
+From=fd00:1::10/128
+Table=61
+Priority=100
+
+[Route]
+Destination=fd00:1::/64
+Scope=link
+Table=61

config/node/vmm/networkd/25-vmm-vlan10.network

@@ -0,0 +1,32 @@
+[Match]
+Name=vlan10
+[Network]
+RequiredForOnline=false
+# IPv4
+Address=192.168.10.10/24
+Gateway=192.168.10.1
+DNS=192.168.10.2
+# IPv6
+Address=fd00:10::10/64
+Gateway=fd00:10::1
+DNS=fd00:10::2
+
+[RoutingPolicyRule]
+From=192.168.10.10/32
+Table=2
+Priority=100
+
+[Route]
+Destination=0.0.0.0/0
+Gateway=192.168.10.1
+Table=2
+
+[RoutingPolicyRule]
+From=fd00:10::10/128
+Table=62
+Priority=100
+
+[Route]
+Destination=::/0
+Gateway=fd00:10::1
+Table=62

config/node/vmm/nftables.conf.j2

@@ -0,0 +1,26 @@
+#!/usr/sbin/nft -f
+# Convention
+# iifname oifname saddr daddr proto dport ct state action / Ellipsis if you can something
+flush ruleset
+
+define HOSTS4_CONSOLE = { {{ hostvars['fw']['network4']['console'].values() | join(', ') }} }
+define HOSTS6_CONSOLE = { {{ hostvars['fw']['network6']['console'].values() | join(', ') }} }
+define PORTS_SSH = 22
+
+table inet filter {
+    chain input {
+        type filter hook input priority 0; policy drop;
+        ct state invalid drop comment "deny invalid connection"
+        ct state established, related accept comment "allow all connection already existing"
+        iifname "lo" accept comment "allow local connection"
+        meta l4proto { icmp, icmpv6 } accept comment "allow icmp connection: > VMM"
+        ip saddr $HOSTS4_CONSOLE tcp dport $PORTS_SSH accept comment "allow ipv4 ssh connection: CONSOLE > VMM"
+        ip6 saddr $HOSTS6_CONSOLE tcp dport $PORTS_SSH accept comment "allow ipv6 ssh connection: CONSOLE > VMM"
+   }
+    chain forward {
+        type filter hook forward priority 0; policy drop;
+    }
+    chain output {
+        type filter hook output priority 0; policy accept;
+    }
+}