container {
    /* Primary CoreDNS instance (tailscale-aware image) on 10.7.0.7; handed out by dhcp-server as a name-server for every VLAN */
    name coredns-1 {
        /* Only NET_BIND_SERVICE is added: enough to bind port 53, nothing beyond the container default set */
        cap-add net-bind-service
        /* NOTE(review): spelled SECONDAY (not SECONDARY) in both instances; the image/Corefile must read this exact name - confirm, or rename in both places together */
        environment SECONDAY_COREDNS {
            value 10.7.0.8
        }
        /* Image pinned to a release tag rather than :latest */
        image ghcr.io/damomurf/coredns-tailscale:v0.2.5
        network lb {
            address 10.7.0.7
        }
        volume corefile {
            destination /Corefile
            source /config/Corefile
        }
        /* Host /etc/hosts (kept current by dhcp-server hostfile-update) is bind-mounted; no mount mode is given, so treat it as read-write until confirmed */
        volume hosts {
            destination /etc/hosts
            source /etc/hosts
        }
        /* Host /config/tailscaled is the tailscale container's whole TS_STATE_DIR (see below), not just its socket; this exposes the tailscaled state file and node key material to the DNS container - NOTE(review): prefer a socket-only directory */
        volume tailsocket {
            destination /var/run/tailscale/
            source /config/tailscaled/
        }
    }
    /* Second CoreDNS instance on 10.7.0.8; mirrors coredns-1 and points back at it as SECONDAY_COREDNS */
    name coredns-2 {
        cap-add net-bind-service
        /* APEX is image-specific; here it is this container's FQDN under omit2.rabbito.tech (only coredns-2 sets it) */
        environment APEX {
            value coredns-2.omit2.rabbito.tech
        }
        /* Same spelling caveat as in coredns-1 */
        environment SECONDAY_COREDNS {
            value 10.7.0.7
        }
        image ghcr.io/damomurf/coredns-tailscale:v0.2.5
        network lb {
            address 10.7.0.8
        }
        volume corefile {
            destination /Corefile
            source /config/Corefile
        }
        /* Same host /etc/hosts bind mount as coredns-1 */
        volume hosts {
            destination /etc/hosts
            source /etc/hosts
        }
        /* Same full state-directory mount as coredns-1 (see the note there) */
        volume tailsocket {
            destination /var/run/tailscale/
            source /config/tailscaled/
        }
    }
    /* Tailscale node for this router: advertises the LAN subnets in TS_ROUTES and accepts routes from the tailnet */
    name tailscale {
        /* Shares the host network namespace; together with the capabilities below this container is effectively host-root for networking */
        allow-host-networks
        cap-add net-admin
        cap-add net-raw
        cap-add net-bind-service
        /* NOTE(review): SYS_ADMIN is a near-root capability. If it is only here for the /dev/net/tun + /lib/modules setup, test whether a narrower cap (e.g. sys-module) or none suffices, and drop it */
        cap-add sys-admin
        /* Auth key is redacted in this gist but lives in plaintext in the running config; prefer a single-use, tagged key and rotate it */
        environment TS_AUTHKEY {
            value omit
        }
        /* --accept-routes installs subnet routes advertised by other tailnet nodes into the host routing table */
        environment TS_EXTRA_ARGS {
            value --accept-routes
        }
        environment TS_HOSTNAME {
            value omit
        }
        /* Subnets advertised to the tailnet (VLAN_100, VLAN_99 and the container network "lb"); approval happens in the tailnet admin console */
        environment TS_ROUTES {
            value 192.168.14.0/24,10.40.99.0/24,10.7.0.0/24
        }
        /* Socket is placed inside the state directory, so any volume that shares the socket also shares the state (see the coredns tailsocket volumes) */
        environment TS_SOCKET {
            value /config/tailscaled.sock
        }
        /* Persisted via volume "state" below to host /config/tailscaled */
        environment TS_STATE_DIR {
            value /config
        }
        /* tailscaled listens on a fixed UDP port; firewall rules 5182 (OUTSIDE-LOCAL / OUT-LOCAL-V6) open it on the WAN */
        environment TS_TAILSCALED_EXTRA_ARGS {
            value "-port 51820"
        }
        /* Kernel (tun) networking rather than userspace mode */
        environment TS_USERSPACE {
            value false
        }
        image ghcr.io/tailscale/tailscale:v1.48.1
        /* Host kernel modules exposed to the container, presumably so tailscaled can load tun - TODO confirm this is still required with /dev/net/tun passed through */
        volume lib-mod {
            destination /lib/modules
            source /lib/modules
        }
        volume state {
            destination /config
            source /config/tailscaled
        }
        volume tun {
            destination /dev/net/tun
            source /dev/net/tun
        }
    }
    /* Container bridge network; this prefix is also advertised via TS_ROUTES and permitted by prefix-list announce-nets */
    network lb {
        description general
        prefix 10.7.0.0/24
    }
}
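firewall {
    /* Router answers ping on all interfaces (WAN echo-request is additionally permitted by OUTSIDE-LOCAL rule 20) */
    all-ping enable
    config-trap disable
    group {
        /* NOTE(review): only VLAN_8 (192.168.17.0/24) and VLAN_100 (192.168.14.0/24) are listed, yet interface-group local also names eth1.10 and eth1.99 (192.168.16.0/24, 10.40.99.0/24). Confirm the narrower set is intended for the Chromecast rules */
        address-group local {
            address 192.168.17.1-192.168.17.255
            address 192.168.14.1-192.168.14.255
        }
        /* Defined but not referenced by any ruleset in this firewall section */
        interface-group local {
            interface eth1.10
            interface eth1.100
            interface eth1.8
            interface eth1.99
        }
        /* Entire delegated /64 on eth1.100; not referenced by any ruleset here */
        ipv6-address-group local {
            address 2600:4041:42f7:fa00:0000:0000:0000:0000-2600:4041:42f7:fa00:ffff:ffff:ffff:ffff
        }
        /* Ephemeral UDP source-port range used by Chromecast discovery/streaming (matched by WG-IN rule 11) */
        port-group chromecast {
            port 32768-61000
        }
    }
    /* WAN: "in" (forwarded to LAN) and "local" (to the router) are filtered; "out" is unfiltered */
    interface eth0 {
        in {
            ipv6-name OUT-IN-V6
            name OUTSIDE-IN
        }
        local {
            ipv6-name OUT-LOCAL-V6
            name OUTSIDE-LOCAL
        }
    }
    /* Tailnet: all three directions are bound, but every WG-* ruleset defaults to accept (tailnet is treated as trusted) */
    interface tailscale0 {
        in {
            ipv6-name WG-IN
            name WG-IN
        }
        local {
            ipv6-name WG-LOCAL
            name WG-LOCAL
        }
        out {
            ipv6-name WG-OUT
            name WG-OUT
        }
    }
    /* WAN -> LAN, IPv6. LAN hosts carry globally routable PD addresses, so this ruleset is what shields them */
    ipv6-name OUT-IN-V6 {
        default-action drop
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
        /* NOTE(review): forwards every ICMPv6 type to LAN hosts. Only echo, destination-unreachable, packet-too-big, time-exceeded and parameter-problem need to be forwarded (RFC 4890); consider narrowing */
        rule 20 {
            action accept
            protocol icmpv6
        }
    }
    /* WAN -> router, IPv6 */
    ipv6-name OUT-LOCAL-V6 {
        default-action drop
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
        /* DHCPv6 server -> client replies (src 547 -> dst 546), needed for "address dhcpv6" and PD on eth0 */
        rule 11 {
            action accept
            destination {
                port 546
            }
            protocol udp
            source {
                port 547
            }
        }
        /* Neighbour discovery / RA from link-local neighbours is unlimited */
        rule 21 {
            action accept
            description "Allow link-local"
            protocol icmpv6
            source {
                address fe80::/10
            }
        }
        /* All other ICMPv6 to the router is rate-limited; only burst is set, so the effective rate is the platform default - confirm it is what you expect */
        rule 22 {
            action accept
            limit {
                burst 1
            }
            protocol icmpv6
        }
        /* SSH brute-force throttle: more than 4 new connections per minute from one source are dropped before rule 31 accepts */
        rule 30 {
            action drop
            destination {
                port 22
            }
            protocol tcp
            recent {
                count 4
                time minute
            }
            state {
                new enable
            }
        }
        /* SSH from anywhere on the IPv6 internet. Password auth is off (service ssh), but consider limiting this to the tailnet or a source group */
        rule 31 {
            action accept
            destination {
                port 22
            }
            protocol tcp
            state {
                new enable
            }
        }
        /* UDP 51820 is tailscaled's fixed port (container TS_TAILSCALED_EXTRA_ARGS); wg0 is disabled */
        rule 5182 {
            action accept
            destination {
                port 51820
            }
            protocol udp
        }
    }
    /* Tailnet -> LAN, IPv6: default accept; only Chromecast traffic is filtered */
    ipv6-name WG-IN {
        default-action accept
        /* Matches TCP replies from Chromecast service ports (8008/8009/8443) toward the local address group */
        rule 10 {
            action drop
            description "block TCP traffic from chromecast"
            destination {
                group {
                    address-group local
                }
            }
            protocol tcp
            source {
                port 8008-8009,8443
            }
        }
        /* Destination is the wg0 IPv6 prefix (interfaces wireguard wg0), not the tailscale range */
        rule 11 {
            action drop
            description "block UDP traffic from chromecast"
            destination {
                address 2001:559:87dd:629::/64
            }
            protocol udp
            source {
                group {
                    port-group chromecast
                }
            }
        }
    }
    /* Tailnet -> router, IPv6: everything accepted, including SSH and the DNS containers */
    ipv6-name WG-LOCAL {
        default-action accept
    }
    /* Router -> tailnet, IPv6: everything except IGMP */
    ipv6-name WG-OUT {
        default-action accept
        rule 20 {
            action drop
            protocol igmp
        }
    }
    /* WAN -> LAN, IPv4: return traffic only (no port forwards) */
    name OUTSIDE-IN {
        default-action drop
        description "incoming WAN ruleset"
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
    }
    /* WAN -> router, IPv4 */
    name OUTSIDE-LOCAL {
        default-action drop
        description "local WAN ruleset"
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
        /* Router answers ping from the internet */
        rule 20 {
            action accept
            icmp {
                type-name echo-request
            }
            protocol icmp
            state {
                new enable
            }
        }
        /* SSH brute-force throttle. Was "count 60 / time second" (60 new connections per second per source, i.e. no effective throttle); now aligned with OUT-LOCAL-V6 rule 30 */
        rule 30 {
            action drop
            destination {
                port 22
            }
            protocol tcp
            recent {
                count 4
                time minute
            }
            state {
                new enable
            }
        }
        /* SSH from anywhere on the IPv4 internet; see the note on OUT-LOCAL-V6 rule 31 */
        rule 31 {
            action accept
            destination {
                port 22
            }
            protocol tcp
            state {
                new enable
            }
        }
        /* Description says wireguard, but wg0 is disabled; this port is in use by tailscaled (container TS_TAILSCALED_EXTRA_ARGS). Every new packet matching here is logged */
        rule 5182 {
            action accept
            description wireguard
            destination {
                port 51820
            }
            log enable
            protocol udp
        }
        /* TCP 5201 (presumably iperf3) is kept but disabled */
        rule 5201 {
            action accept
            destination {
                port 5201
            }
            disable
            protocol tcp
        }
    }
    /* Tailnet -> LAN, IPv4: default accept; IPv4 twin of ipv6-name WG-IN */
    name WG-IN {
        default-action accept
        rule 10 {
            action drop
            description "block TCP traffic from chromecast"
            destination {
                group {
                    address-group local
                }
            }
            protocol tcp
            source {
                port 8008-8009,8443
            }
        }
        /* Destination is the wg0 IPv4 prefix (interfaces wireguard wg0) */
        rule 11 {
            action drop
            description "block UDP traffic from chromecast"
            destination {
                address 10.200.200.0/24
            }
            protocol udp
            source {
                group {
                    port-group chromecast
                }
            }
        }
    }
    /* Tailnet -> router, IPv4: everything accepted */
    name WG-LOCAL {
        default-action accept
    }
    /* Router -> tailnet, IPv4: everything except IGMP */
    name WG-OUT {
        default-action accept
        rule 20 {
            action drop
            protocol igmp
        }
    }
    receive-redirects disable
    /* Router emits ICMP redirects; normal on LAN segments, harmless to disable if not needed */
    send-redirects enable
    /* NOTE(review): reverse-path filtering is off, so spoofed-source packets are forwarded. Tailnet routes (--accept-routes) can be asymmetric, so "strict" may break things; "loose" is usually safe - test before enabling */
    source-validation disable
    syn-cookies enable
    twa-hazards-protection disable
}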
interfaces {
    /* WAN uplink: IPv4 via DHCP, IPv6 via DHCPv6 with a /56 prefix delegation split onto VLAN_10 (sla-id 2) and VLAN_100 (sla-id 0) */
    ethernet eth0 {
        address dhcp
        address dhcpv6
        description OUTSIDE
        dhcpv6-options {
            /* DUID derived from the WAN MAC (matches hw-id below) */
            duid 00:e0:67:26:40:d8
            pd 0 {
                interface eth1.10 {
                    sla-id 2
                }
                interface eth1.100 {
                    sla-id 0
                }
                length 56
            }
            rapid-commit
        }
        hw-id 00:e0:67:26:40:d8
        ip {
        }
        /* SLAAC on the WAN side in addition to the DHCPv6 address */
        ipv6 {
            address {
                autoconf
            }
        }
    }
    /* LAN trunk: untagged 192.168.1.0/24 plus tagged VLANs 8/10/99/100/101. No inter-VLAN firewall is bound, so these subnets route freely between each other */
    ethernet eth1 {
        address 192.168.1.1/24
        description INSIDE
        hw-id 00:e0:67:26:40:d9
        ipv6 {
        }
        vif 8 {
            address 192.168.17.1/24
            description VLAN_8
        }
        vif 10 {
            address 192.168.16.1/24
            description VLAN_10
        }
        /* Advertised to the tailnet via the tailscale container TS_ROUTES */
        vif 99 {
            address 10.40.99.1/24
            description VLAN_99
        }
        /* Advertised to the tailnet via TS_ROUTES; also runs the IPv6 dynamic-DNS update (service dns dynamic) */
        vif 100 {
            address 192.168.14.1/24
            description VLAN_100
        }
        vif 101 {
            address 192.168.13.1/24
            description VLAN_101
        }
    }
    /* Point-to-point /30 with no description and no firewall binding */
    ethernet eth2 {
        address 192.168.2.1/30
        hw-id 00:e0:67:26:40:da
    }
    /* Unused */
    ethernet eth3 {
        hw-id 00:e0:67:26:40:db
    }
    loopback lo {
    }
    /* Site-to-site WireGuard, currently disabled (tailscale has taken over UDP 51820, see container TS_TAILSCALED_EXTRA_ARGS). Keys are redacted in this gist */
    wireguard wg0 {
        address 10.200.200.6/24
        address 2001:0559:87dd:0629:0000:0000:0000:0006/64
        disable
        ip {
            adjust-mss clamp-mss-to-pmtu
        }
        ipv6 {
            adjust-mss clamp-mss-to-pmtu
        }
        mtu 1420
        /* Endpoint reached over IPv6. NOTE(review): allowed-ips 2600:4041:42f2:cf00::/64 contains the peer endpoint address itself; harmless while no route for that /64 points into wg0, but worth keeping in mind if one is added */
        peer omit2 {
            address 2600:4041:42f2:cf00:2e0:67ff:fe27:82e9
            allowed-ips 10.200.200.5/32
            allowed-ips 2001:0559:87dd:0629:0000:0000:0000:0005/128
            allowed-ips 2600:4041:42f2:cf00::/64
            allowed-ips 192.168.11.0/24
            allowed-ips 192.168.7.0/24
            port 51820
            preshared-key ****************
            public-key ****************
        }
        /* Endpoint reached over IPv4; keepalive keeps NAT state open. 10.45.0.0/16 is where dhcp-server points the unifi-controller option */
        peer omit1 {
            address 50.223.56.162
            allowed-ips 192.168.4.0/24
            allowed-ips 192.168.8.0/24
            allowed-ips 10.5.0.0/24
            allowed-ips 2001:0559:87dd:0629:0000:0000:0000:0004/128
            allowed-ips 10.20.99.0/24
            allowed-ips 10.200.200.4/32
            allowed-ips 10.45.0.0/16
            allowed-ips 2001:559:87dd:a00::/56
            persistent-keepalive 20
            port 51820
            preshared-key ****************
            public-key ****************
        }
        port 51820
        private-key ****************
    }
}
nat {
    source {
        /* Masquerade everything leaving the WAN interface, whatever its source (LAN VLANs, container network, tailnet-originated traffic that is routed out eth0). Narrow "source address" if tailnet/wg ranges should not egress here */
        rule 11 {
            description 1G-Outside
            outbound-interface eth0
            source {
                address 0.0.0.0/0
            }
            translation {
                address masquerade
            }
        }
    }
}
policy {
    /* Prefixes permitted for announcement (VLAN_10, container network lb, VLAN_99, VLAN_100). No routing protocol in this config references it (protocols has only a static default), so it is presumably consumed elsewhere or left over */
    prefix-list announce-nets {
        rule 10 {
            action permit
            prefix 192.168.16.0/24
        }
        rule 53 {
            action permit
            prefix 10.7.0.0/24
        }
        rule 99 {
            action permit
            prefix 10.40.99.0/24
        }
        rule 100 {
            action permit
            prefix 192.168.14.0/24
        }
    }
    /* Rejects only the IPv4 default route; unreferenced here */
    prefix-list deny-default {
        rule 1 {
            action deny
            prefix 0.0.0.0/0
        }
    }
    /* IPv6 counterpart of deny-default; name suggests a test artefact, also unreferenced here */
    prefix-list6 denytest {
        rule 1 {
            action deny
            prefix ::/0
        }
    }
}
protocols {
    static {
        /* IPv4 default both via the DHCP-learned gateway on eth0 and as an interface route on eth0 at distance 1; no IPv6 static route is needed because eth0 uses SLAAC/RA for its default */
        route 0.0.0.0/0 {
            dhcp-interface eth0
            interface eth0 {
                distance 1
            }
        }
    }
}
service {
    dhcp-server {
        /* Leases are written into the host /etc/hosts, which the coredns containers bind-mount (container volume "hosts") */
        hostfile-update
        /* Untagged LAN: tiny pool (.3-.10). 10.6.0.8 is not in any subnet of this config, so it is reached over a tunnel - confirm it is resolvable from every VLAN that lists it */
        shared-network-name LAN {
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                domain-name omit.rabbito.tech
                lease 86400
                name-server 10.6.0.8
                name-server 10.7.0.7
                range 0 {
                    start 192.168.1.3
                    stop 192.168.1.10
                }
            }
        }
        /* No domain-name/domain-search here, unlike the other VLANs */
        shared-network-name VLAN_8 {
            subnet 192.168.17.0/24 {
                default-router 192.168.17.1
                lease 86400
                name-server 10.6.0.8
                name-server 10.7.0.7
                range 0 {
                    start 192.168.17.9
                    stop 192.168.17.254
                }
            }
        }
        shared-network-name VLAN_10 {
            subnet 192.168.16.0/24 {
                default-router 192.168.16.1
                domain-name omit.rabbito.tech
                domain-search omit.rabbito.tech
                domain-search rabbito.tech
                lease 86400
                name-server 10.6.0.8
                name-server 10.7.0.7
                range 0 {
                    start 192.168.16.9
                    stop 192.168.16.254
                }
            }
        }
        /* Management VLAN; the UniFi controller option points at 10.45.0.6, a prefix that only appears in wg0 peer omit1 allowed-ips (wg0 is disabled) - presumably reached via tailnet routes, TODO confirm */
        shared-network-name VLAN_99 {
            subnet 10.40.99.0/24 {
                default-router 10.40.99.1
                domain-name omit.rabbito.tech
                domain-search omit.rabbito.tech
                domain-search rabbito.tech
                lease 86400
                name-server 10.6.0.8
                name-server 10.7.0.7
                range 0 {
                    start 10.40.99.9
                    stop 10.40.99.254
                }
                vendor-option {
                    ubiquiti {
                        unifi-controller 10.45.0.6
                    }
                }
            }
        }
        /* Only VLAN that is handed the two local coredns containers (10.7.0.7/.8) rather than 10.6.0.8 first */
        shared-network-name VLAN_100 {
            subnet 192.168.14.0/24 {
                default-router 192.168.14.1
                domain-name omit.rabbito.tech
                domain-search omit.rabbito.tech
                domain-search rabbito.tech
                lease 86400
                name-server 10.7.0.7
                name-server 10.7.0.8
                range 0 {
                    start 192.168.14.9
                    stop 192.168.14.254
                }
                vendor-option {
                    ubiquiti {
                        unifi-controller 10.45.0.6
                    }
                }
            }
        }
        shared-network-name VLAN_101 {
            subnet 192.168.13.0/24 {
                default-router 192.168.13.1
                domain-name omit.rabbito.tech
                domain-search omit.rabbito.tech
                domain-search rabbito.tech
                lease 86400
                name-server 10.6.0.8
                name-server 10.7.0.7
                range 0 {
                    start 192.168.13.9
                    stop 192.168.13.254
                }
            }
        }
    }
    dns {
        /* Dynamic DNS for omit.rabbito.tech: IPv4 from eth0, IPv6 from eth1.100. NOTE(review): login is an account e-mail with a password, which with the cloudflare protocol usually means the account-wide Global API Key; prefer a token scoped to this zone only */
        dynamic {
            interface eth0 {
                service cloudflare {
                    host-name omit.rabbito.tech
                    login omit@gmail.com
                    password ****************
                    protocol cloudflare
                    server api.cloudflare.com/client/v4
                    zone rabbito.tech
                }
            }
            interface eth1.100 {
                ipv6-enable
                service cloudflare {
                    host-name omit.rabbito.tech
                    login omit@gmail.com
                    password ****************
                    protocol cloudflare
                    server api.cloudflare.com/client/v4
                    zone rabbito.tech
                }
            }
        }
    }
    /* Router advertisements on the two VLANs that receive PD prefixes; ::/0 advertises whatever prefix is delegated */
    router-advert {
        interface eth1.10 {
            prefix ::/0 {
            }
        }
        interface eth1.100 {
            prefix ::/0 {
            }
        }
    }
    /* Key-only SSH. No listen-address is set, so sshd is reachable on every interface, including the WAN (OUTSIDE-LOCAL / OUT-LOCAL-V6 rule 31); consider a listen-address on the LAN/tailnet side */
    ssh {
        disable-password-authentication
        port 22
    }
}
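system {
    /* Keep 100 committed revisions for rollback and "compare" */
    config-management {
        commit-revisions 100
    }
    console {
        device ttyS0 {
            speed 115200
        }
    }
    domain-name omit.rabbito.tech
    domain-search {
        domain omit.rabbito.tech
    }
    host-name omit-fw-1
    login {
        banner {
            post-login "Welcome to omit"
            pre-login "WARNING: Unauthorized access to this system is forbidden and will be\nprosecuted by law. By accessing this system, you agree that your actions\nmay be monitored if unauthorized usage is suspected."
        }
        /* Default account name kept; effectively key-only because service ssh disables password authentication */
        user vyos {
            authentication {
                encrypted-password ****************
                /* NOTE(review): plaintext-password is normally hashed into encrypted-password at commit and not persisted; its presence here is unexpected - verify the saved config does not contain it */
                plaintext-password ****************
                public-keys anthony@toolbox {
                    key ****************
                    type ssh-ed25519
                }
                /* P-256 ECDSA keys (likely hardware-backed, given the names); acceptable, ed25519 as on toolbox would be the more conservative choice */
                public-keys anthony@tpme39 {
                    key ****************
                    type ecdsa-sha2-nistp256
                }
                public-keys anthony@yubi {
                    key ****************
                    type ecdsa-sha2-nistp256
                }
            }
        }
    }
    /* Router's own resolvers: public 1.1.1.1 first, then the local coredns-1 container */
    name-server 1.1.1.1
    name-server 10.7.0.7
    ntp {
        /* Fixed: was "time.cloudflate.com", a misspelling of Cloudflare's NTP host. That name is either unresolvable (clock never synced) or an unrelated domain (typosquat risk) */
        server time.cloudflare.com {
        }
    }
    option {
        startup-beep
    }
    /* Throughput tuning: fq_codel + BBR, PMTU black-hole probing, window scaling */
    sysctl {
        parameter net.core.default_qdisc {
            value fq_codel
        }
        parameter net.ipv4.tcp_congestion_control {
            value bbr
        }
        parameter net.ipv4.tcp_mtu_probing {
            value 1
        }
        parameter net.ipv4.tcp_window_scaling {
            value 1
        }
    }
    syslog {
        global {
            facility all {
                level info
            }
            /* debug for the routing daemons is very chatty; drop back to info once troubleshooting is done */
            facility protocols {
                level debug
            }
        }
    }
}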
// Warning: Do not remove the following line.
// vyos-config-version: "bgp@3:broadcast-relay@1:cluster@1:config-management@1:conntrack@3:conntrack-sync@2:container@1:dhcp-relay@2:dhcp-server@6:dhcpv6-server@1:dns-forwarding@3:firewall@9:flow-accounting@1:https@4:ids@1:interfaces@26:ipoe-server@1:ipsec@10:isis@2:l2tp@4:lldp@1:mdns@1:monitoring@1:nat@5:nat66@1:ntp@1:openconnect@2:ospf@1:policy@5:pppoe-server@6:pptp@2:qos@1:quagga@10:rpki@1:salt@1:snmp@2:ssh@2:sstp@4:system@25:vrf@3:vrrp@3:vyos-accel-ppp@2:wanloadbalance@3:webproxy@2"
// Release version: 1.4-rolling-202212310809