From 5042acc9003efdd408d033e047c38f9e10e1bd65 Mon Sep 17 00:00:00 2001 From: asonix Date: Tue, 2 Jul 2024 00:52:32 -0500 Subject: [PATCH] Working router --- flake.nix | 20 +++++-- modules/router/default.nix | 107 ++++++++++++++++++++++++------------- 2 files changed, 85 insertions(+), 42 deletions(-) diff --git a/flake.nix b/flake.nix index 732060c..905599b 100644 --- a/flake.nix +++ b/flake.nix @@ -437,12 +437,12 @@ }; makeRouterConfig = system: - { hostname }: + { hostName }: makeServerConfig { - inherit hostname; + hostname = hostName; extraModules = sd-images.packages.${system}.RockPro64v2.modules ++ [ - routerModule + (routerModule { inherit hostName; }) ]; }; @@ -1198,6 +1198,10 @@ } ]); }; + + router = makeRouterConfig system { + hostName = "router"; + }; }; deploy.nodes = @@ -1335,19 +1339,25 @@ name = "jellyfin"; ip = "192.168.20.195"; } + { + name = "router"; + ip = "192.168.20.1"; + port = "3128"; + } ]; in builtins.foldl' (acc: - { name, ip }: + { name, ip, port ? "22" }: acc // { ${name} = { hostname = ip; profiles.system = { + magicRollback = false; sshUser = "asonix"; user = "root"; interactiveSudo = true; - sshOpts = [ "-i" "/home/asonix/.ssh/kube-rsa" ]; + sshOpts = [ "-i" "/home/asonix/.ssh/kube-rsa" "-p" port ]; path = deploy-rs.lib.aarch64-linux.activate.nixos self.nixosConfigurations.${name}; }; diff --git a/modules/router/default.nix b/modules/router/default.nix index 8d46d01..f4f8245 100644 --- a/modules/router/default.nix +++ b/modules/router/default.nix 
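Review bot: `magicRollback = false;` is added inside the shared `profiles.system` set built by the `foldl'`, so it disables deploy-rs's automatic rollback for every node in the list, not only for the new `router` entry. Turning it off is presumably needed for the router, since activating a new network configuration drops the SSH session deploy-rs uses to confirm the deploy, but the other hosts lose the safety net that reverts a deploy which leaves them unreachable. Consider making it per-node: `{ name, ip, port ? "22", magicRollback ? true }:` in the lambda head, `inherit magicRollback;` in place of the hard-coded `false`, and `magicRollback = false;` only in the router entry next to `port = "3128";`. The enclosing `deploy.nodes` expression starts and ends outside the hunk.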
@@ -1,60 +1,70 @@ +{ hostName }: + { ... }: +let + wan = "end0"; + lan = "enp1s0"; + bridge = "br-lan"; +in { boot.kernel = { sysctl = { "net.ipv4.conf.all.forwarding" = true; "net.ipv6.conf.all.forwarding" = false; "net.ipv4.conf.default.rp_filter" = 1; - "net.ipv4.conf.enp1s0" + "net.ipv4.conf.${wan}.rp_filter" = 1; + "net.ipv4.conf.${bridge}.rp_filter" = 0; }; }; systemd.network = { wait-online.anyInterface = true; netdevs = { - "20-br-lan" = { - netDevConfig = { + "20-${bridge}" = { + netdevConfig = { Kind = "bridge"; - Name = "br-lan"; + Name = bridge; }; }; }; networks = { - "10-wan" = { - matchConfig.name = "enp*"; # enp1s0 + "10-${wan}" = { + matchConfig.Name = wan; linkConfig.RequiredForOnline = "routable"; networkConfig = { DHCP = "ipv4"; + IPv6AcceptRA = true; DNSOverTLS = true; DNSSEC = true; IPv6PrivacyExtensions = false; IPForward = true; }; }; - "30-lan" = { - matchConfig.Name = "end*"; # end0 + "30-${lan}" = { + matchConfig.Name = lan; linkConfig.RequiredForOnline = "enslaved"; networkConfig = { - Bridge = "br-lan"; + Bridge = bridge; ConfigureWithoutCarrier = true; }; }; - "40-br-lan" = { - matchConfig.Name = "br-lan"; + "40-${bridge}" = { + matchConfig.Name = bridge; bridgeConfig = { }; address = [ - "192.168.6.1/24" + "192.168.20.1/24" ]; networkConfig = { ConfigureWithoutCarrier = true; }; + linkConfig.RequiredForOnline = "no"; }; }; }; networking = { - hostName = hostname; + inherit hostName; useNetworkd = true; useDHCP = false; 
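Review bot: `"net.ipv4.conf.${bridge}.rp_filter" = 0;` turns off reverse-path validation on the LAN side, so a LAN host can emit packets with a spoofed source address that the router will forward and masquerade as its own; nothing in this hunk says why the bridge needs it, and I do not see what in the bridge enslavement or the hairpin DNAT would require it. If it is intentional, add a comment stating the reason; otherwise `"net.ipv4.conf.${bridge}.rp_filter" = 1;` (or `2` for loose mode) matches the `default` and WAN settings. Separately, `DNSOverTLS = true;` and `DNSSEC = true;` in the WAN `networkConfig` are systemd-resolved options; with `services.resolved.enable = false;` elsewhere in this patch they have no effect, and dnsmasq forwards to 9.9.9.9/9.9.9.10 over plain port 53, so the settings give a false sense of upstream DNS protection — either drop them or add a comment noting that upstream DNS is unencrypted.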
@@ -63,55 +73,78 @@ nftables = { enable = true; + checkRuleset = false; ruleset = '' + define WAN=${wan} + define LAN=${lan} + define BRIDGE=${bridge} + table inet filter { + chain input { type filter hook input priority 0; policy drop; - iifname { "br-lan" } accept comment "Allow local network to access the router" - iifname "enp1s0" ct state { established, related } accept comment "Allow established traffic" - iifname "enp1s0" icmp type { echo-request, destination-unreachable, time-exceeded } counter accept comment "icmp stuff" - iifname "enp1s0" counter drop comment "Drop all other traffic from wan" + iifname $BRIDGE accept comment "Allow local network to access the router" + iifname $WAN ct state { established, related } accept comment "Allow established traffic" + iifname $WAN icmp type { echo-request, destination-unreachable, time-exceeded } counter accept comment "icmp stuff" + iifname $WAN tcp dport 3128 accept comment "Allow SSH in" + iifname $WAN counter drop comment "Drop all other traffic from wan" iifname "lo" accept comment "Accept everything from loopback" } chain forward { type filter hook forward priority filter; policy drop; - iifname { "br-lan" } oifname { "enp1s0" } accept comment "Allow trusted LAN to WAN" - iifname { "wan" } oifname { "br-lan" } ct state { established, related } accept comment "Allow established traffic" + iifname $BRIDGE oifname $BRIDGE accept comment "Allow forwarding internal traffic" + iifname $WAN oifname $BRIDGE tcp dport { 22, 80, 443, 27750 } accept comment "Allow forwarding external traffic to services" + iifname $BRIDGE oifname $WAN accept comment "Allow trusted LAN to WAN" + iifname $WAN oifname $BRIDGE ct state { established, related } accept comment "Allow established traffic" } } table ip nat { + chain prerouting { + type nat hook prerouting priority -100; policy accept; + fib daddr type local tcp dport { 80, 443 } dnat to 192.168.20.200 + fib daddr type local tcp dport 22 dnat to 192.168.20.201:2222 + fib daddr 
type local tcp dport 27750 dnat to 192.168.20.202:27750 + } + chain postrouting { type nat hook postrouting priority 100; policy accept; - oifname "enp1s0" masquerade + oifname $WAN masquerade + ip saddr 192.168.20.0/24 masquerade } } ''; }; + }; - services.dnsmasq = { - enable = true; - settings = { - server = [ "9.9.9.9" "9.9.9.10" ]; - domain-needed = true; - bogus-priv = true; - no-resolv = true; + services.openssh.ports = [ 22 3128 ]; - cache-size = 1000; + services.resolved.enable = false; - dhcp-range = [ "br-lan,192.168.20.50,192.168.20.90,24h" ]; - interface = "br-lan"; - dhcp-host = "192.168.20.1"; + services.dnsmasq = { + enable = true; + settings = { + server = [ "9.9.9.9" "9.9.9.10" ]; + domain-needed = true; + bogus-priv = true; + no-resolv = true; - local = "/lan/"; - domain = "lan"; - expand-hosts = true; + cache-size = 1000; - no-hosts = true; - address = "/router.lan/192.168.20.1"; - }; + dhcp-range = [ "br-lan,192.168.20.50,192.168.20.90,24h" ]; + interface = "br-lan"; + dhcp-host = "192.168.20.1"; + + local = "/lan/"; + domain = "lan"; + expand-hosts = true; + + no-hosts = true; + address = "/router.lan/192.168.20.1"; }; }; + + services.irqbalance.enable = false; }
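Review bot: the forward rule `iifname $WAN oifname $BRIDGE tcp dport { 22, 80, 443, 27750 } accept` is evaluated after the prerouting DNAT has rewritten the destination, so the SSH flow translated by `dnat to 192.168.20.201:2222` reaches the forward hook with dport 2222 and is dropped by the chain's `policy drop`; matching the translation state instead, `iifname $WAN oifname $BRIDGE ct status dnat accept`, forwards exactly the connections the prerouting chain redirected and keeps the port list from drifting out of sync with the DNAT rules. The input chain accepts only IPv4 `icmp` from the WAN while the network hunk sets `IPv6AcceptRA = true;` on that interface; router advertisements and neighbor discovery are ICMPv6 and, unless conntrack classifies them as established, hit `iifname $WAN counter drop`, so a rule such as `iifname $WAN icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, echo-request, destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept` is needed for WAN IPv6 to come up. `checkRuleset = false;` moves ruleset syntax errors from build time to activation time, and on a fresh boot a ruleset that fails to load leaves the host with no filter table at all while forwarding is still enabled by sysctl; if the check had to go because of the `define`/`fib` lines, say so in a comment rather than leaving it unexplained. `iifname $WAN tcp dport 3128 accept comment "Allow SSH in"` exposes sshd to the Internet, and nothing in this patch disables password authentication — unless it is set elsewhere, NixOS's default keeps it on — so `services.openssh.settings.PasswordAuthentication = false;` (and optionally a `limit rate` on that rule) should accompany it. Finally, `ip saddr 192.168.20.0/24 masquerade` is not limited to `oifname $BRIDGE`, so every hairpinned LAN connection reaches the DNAT targets with source 192.168.20.1 and the real client is lost from their logs; `oifname $BRIDGE ip saddr 192.168.20.0/24 ct status dnat masquerade` narrows it to the hairpin case if that is the intent.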