From 029882f05188fe41b90cf41954035cb29cd7639b Mon Sep 17 00:00:00 2001
From: Daniel Micay
Date: Sat, 3 May 2025 22:13:13 -0400
Subject: [PATCH] set up certificate replication for ns1 replicas

---
 etc/nftables/nftables-ns1.conf | 16 ++++++++++++----
 hosts.sh                       |  1 +
 2 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/etc/nftables/nftables-ns1.conf b/etc/nftables/nftables-ns1.conf
index 1e0f0fa..78a7aa0 100644
--- a/etc/nftables/nftables-ns1.conf
+++ b/etc/nftables/nftables-ns1.conf
@@ -3,6 +3,14 @@ flush ruleset
 
 table inet filter {
 
+    define ip-allowlist-ssh = {
+        51.161.34.158, # 0.ns1.grapheneos.org
+    }
+
+    define ip6-allowlist-ssh = {
+        2607:5300:205:200::eaa, # 0.ns1.grapheneos.org
+    }
+
     set ip-connlimit-ssh {
         type ipv4_addr
         flags dynamic
@@ -79,8 +87,8 @@ table inet filter {
     # add connections established without synproxy to connection limit sets with limits enforced
     chain input-tcp-service-established {
         ct mark 0x1 accept
-        tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
-        tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
+        tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
+        tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
         tcp dport { 53, 80, 443, 853 } add @ip-connlimit-main { ip saddr ct count over 16 } counter reject with tcp reset
         tcp dport { 53, 80, 443, 853 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 16 } counter reject with tcp reset
         ct mark set 0x1 accept
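Review bot: The new `ip-allowlist-ssh` / `ip6-allowlist-ssh` defines name the host each address belongs to but not why that host is exempt, which is the thing a later reader will need to know before editing the list; a header comment such as `# sources exempt from the 1-connection SSH limit (replication primary, see the dport 22 rules below)` would carry that. Note also that the IPv6 allowlist is compared against the exact address, while the `ip6-connlimit-ssh` set in the chains keys on a /80 prefix (`ip6 saddr and ffff:ffff:ffff:ffff:ffff::`), so the exemption presumably only holds if 0.ns1 always connects from `2607:5300:205:200::eaa`; if it may source from another address in that /80, either list the prefix or mask the allowlist comparison the same way — worth confirming against the primary's configuration. The `set ip-connlimit-ssh` block opened at the end of this hunk continues outside it.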
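Review bot: The rewritten `tcp dport 22` rules now skip the connection-limit bookkeeping for allowlisted sources, but the chain comment above (`# add connections established without synproxy to connection limit sets with limits enforced`) still describes the rules as unconditional; a one-line comment directly above the two SSH rules, e.g. `# allowlisted sources (replication primary) are neither counted nor limited on port 22`, would keep the chain self-describing. Since the exemption is keyed on source address alone, it is worth stating in the same comment that this is acceptable here because, per the chain comment, these rules only see connections that completed the TCP handshake, so a spoofed allowlisted source cannot reach them — I am inferring that from the comment and the leading `ct mark 0x1 accept`, so confirm it matches the synproxy setup elsewhere in the file. `chain input-tcp-service-established` closes outside the hunk.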
@@ -89,8 +97,8 @@ table inet filter {
     # add connections established with synproxy to connection limit sets with limits enforced
     chain input-tcp-service-loopback {
         tcp flags != syn accept
-        tcp dport 22 add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
-        tcp dport 22 add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
+        tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
+        tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
         tcp dport { 53, 80, 443, 853 } add @ip-connlimit-main { ip saddr ct count over 16 } counter reject with tcp reset
         tcp dport { 53, 80, 443, 853 } add @ip6-connlimit-main { ip6 saddr and ffff:ffff:ffff:ffff:: ct count over 16 } counter reject with tcp reset
         ct mark set 0x1 accept
diff --git a/hosts.sh b/hosts.sh
index 8c6a880..ade468f 100644
--- a/hosts.sh
+++ b/hosts.sh
@@ -44,6 +44,7 @@ declare -Ar hosts_hardware_watchdog=(
 )
 
 declare -Ar hosts_authorized_keys=(
+    [2.ns1.grapheneos.org]=authorized_keys-replica-ns1
     [1.ns2.grapheneos.org]=authorized_keys-replica-ns2
     [2.ns2.grapheneos.org]=authorized_keys-replica-ns2
     [1.grapheneos.org]=authorized_keys-replica-grapheneos
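Review bot: The two SSH connection-limit rules edited here are byte-for-byte the same as the pair edited in `input-tcp-service-established` in the previous hunk, and this commit had to touch both copies to add the allowlist check; the next change to the SSH limit policy will have to remember both again. A style improvement that preserves behaviour is to move the pair into one regular chain and `jump` to it from both service chains, so the allowlist logic lives in a single place. `chain input-tcp-service-loopback` opens inside this hunk and its closing brace is outside it.
```nftables
    # port 22 connection limit shared by the established and loopback service chains
    chain input-tcp-service-ssh-connlimit {
        tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
        tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
    }

    chain input-tcp-service-loopback {
        tcp flags != syn accept
        jump input-tcp-service-ssh-connlimit
        # … unchanged: dport { 53, 80, 443, 853 } limits and ct mark set …
```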
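Review bot: The new `hosts_authorized_keys` entry points at `authorized_keys-replica-ns1`, but the diffstat lists only `hosts.sh` and the nftables config, so that file is not created by this commit; if it does not already exist in the repository the deployment for 2.ns1.grapheneos.org will fail at the point it is copied, so confirm it is present (the sibling `authorized_keys-replica-ns2` presumably is). Only `2.ns1.grapheneos.org` is mapped here whereas the ns2 replicas are listed as both `1.ns2` and `2.ns2`; if a `1.ns1` replica exists or is planned it would need its own `[1.ns1.grapheneos.org]=authorized_keys-replica-ns1` line, which I cannot tell from this hunk. The `declare -Ar hosts_authorized_keys=(` array continues past the end of the hunk.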