Working router

This commit is contained in:
asonix 2024-07-02 00:52:32 -05:00
parent ba1a4122bc
commit 5042acc900
2 changed files with 85 additions and 42 deletions


@ -437,12 +437,12 @@
}; };
makeRouterConfig = system: makeRouterConfig = system:
{ hostname }: { hostName }:
makeServerConfig { makeServerConfig {
inherit hostname; hostname = hostName;
extraModules = sd-images.packages.${system}.RockPro64v2.modules ++ [ extraModules = sd-images.packages.${system}.RockPro64v2.modules ++ [
routerModule (routerModule { inherit hostName; })
]; ];
}; };
@ -1198,6 +1198,10 @@
} }
]); ]);
}; };
router = makeRouterConfig system {
hostName = "router";
};
}; };
deploy.nodes = deploy.nodes =
@ -1335,19 +1339,25 @@
name = "jellyfin"; name = "jellyfin";
ip = "192.168.20.195"; ip = "192.168.20.195";
} }
{
name = "router";
ip = "192.168.20.1";
port = "3128";
}
]; ];
in in
builtins.foldl' builtins.foldl'
(acc: (acc:
{ name, ip }: { name, ip, port ? "22" }:
acc // { acc // {
${name} = { ${name} = {
hostname = ip; hostname = ip;
profiles.system = { profiles.system = {
magicRollback = false;
sshUser = "asonix"; sshUser = "asonix";
user = "root"; user = "root";
interactiveSudo = true; interactiveSudo = true;
sshOpts = [ "-i" "/home/asonix/.ssh/kube-rsa" ]; sshOpts = [ "-i" "/home/asonix/.ssh/kube-rsa" "-p" port ];
path = deploy-rs.lib.aarch64-linux.activate.nixos path = deploy-rs.lib.aarch64-linux.activate.nixos
self.nixosConfigurations.${name}; self.nixosConfigurations.${name};
}; };
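Review bot: `magicRollback = false;` is added inside the foldl' lambda that builds every deploy.nodes entry, so it disables deploy-rs's post-activation rollback for jellyfin and every other node, not only the new router entry. If the intent is presumably to keep the router from reverting a deploy that changes its own network path, consider scoping it to that node, e.g. `magicRollback = name != "router";`, and add a one-line comment stating why the safety net is off. The `port ? "22"` default and the `"-p" port` sshOpts change look consistent with the router's `port = "3128"` entry above.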


@ -1,60 +1,70 @@
{ hostName }:
{ ... }: { ... }:
let
wan = "end0";
lan = "enp1s0";
bridge = "br-lan";
in
{ {
boot.kernel = { boot.kernel = {
sysctl = { sysctl = {
"net.ipv4.conf.all.forwarding" = true; "net.ipv4.conf.all.forwarding" = true;
"net.ipv6.conf.all.forwarding" = false; "net.ipv6.conf.all.forwarding" = false;
"net.ipv4.conf.default.rp_filter" = 1; "net.ipv4.conf.default.rp_filter" = 1;
"net.ipv4.conf.enp1s0" "net.ipv4.conf.${wan}.rp_filter" = 1;
"net.ipv4.conf.${bridge}.rp_filter" = 0;
}; };
}; };
systemd.network = { systemd.network = {
wait-online.anyInterface = true; wait-online.anyInterface = true;
netdevs = { netdevs = {
"20-br-lan" = { "20-${bridge}" = {
netDevConfig = { netdevConfig = {
Kind = "bridge"; Kind = "bridge";
Name = "br-lan"; Name = bridge;
}; };
}; };
}; };
networks = { networks = {
"10-wan" = { "10-${wan}" = {
matchConfig.name = "enp*"; # enp1s0 matchConfig.Name = wan;
linkConfig.RequiredForOnline = "routable"; linkConfig.RequiredForOnline = "routable";
networkConfig = { networkConfig = {
DHCP = "ipv4"; DHCP = "ipv4";
IPv6AcceptRA = true;
DNSOverTLS = true; DNSOverTLS = true;
DNSSEC = true; DNSSEC = true;
IPv6PrivacyExtensions = false; IPv6PrivacyExtensions = false;
IPForward = true; IPForward = true;
}; };
}; };
"30-lan" = { "30-${lan}" = {
matchConfig.Name = "end*"; # end0 matchConfig.Name = lan;
linkConfig.RequiredForOnline = "enslaved"; linkConfig.RequiredForOnline = "enslaved";
networkConfig = { networkConfig = {
Bridge = "br-lan"; Bridge = bridge;
ConfigureWithoutCarrier = true; ConfigureWithoutCarrier = true;
}; };
}; };
"40-br-lan" = { "40-${bridge}" = {
matchConfig.Name = "br-lan"; matchConfig.Name = bridge;
bridgeConfig = { }; bridgeConfig = { };
address = [ address = [
"192.168.6.1/24" "192.168.20.1/24"
]; ];
networkConfig = { networkConfig = {
ConfigureWithoutCarrier = true; ConfigureWithoutCarrier = true;
}; };
linkConfig.RequiredForOnline = "no";
}; };
}; };
}; };
networking = { networking = {
hostName = hostname; inherit hostName;
useNetworkd = true; useNetworkd = true;
useDHCP = false; useDHCP = false;
@ -63,55 +73,78 @@
nftables = { nftables = {
enable = true; enable = true;
checkRuleset = false;
ruleset = '' ruleset = ''
define WAN=${wan}
define LAN=${lan}
define BRIDGE=${bridge}
table inet filter { table inet filter {
chain input { chain input {
type filter hook input priority 0; policy drop; type filter hook input priority 0; policy drop;
iifname { "br-lan" } accept comment "Allow local network to access the router" iifname $BRIDGE accept comment "Allow local network to access the router"
iifname "enp1s0" ct state { established, related } accept comment "Allow established traffic" iifname $WAN ct state { established, related } accept comment "Allow established traffic"
iifname "enp1s0" icmp type { echo-request, destination-unreachable, time-exceeded } counter accept comment "icmp stuff" iifname $WAN icmp type { echo-request, destination-unreachable, time-exceeded } counter accept comment "icmp stuff"
iifname "enp1s0" counter drop comment "Drop all other traffic from wan" iifname $WAN tcp dport 3128 accept comment "Allow SSH in"
iifname $WAN counter drop comment "Drop all other traffic from wan"
iifname "lo" accept comment "Accept everything from loopback" iifname "lo" accept comment "Accept everything from loopback"
} }
chain forward { chain forward {
type filter hook forward priority filter; policy drop; type filter hook forward priority filter; policy drop;
iifname { "br-lan" } oifname { "enp1s0" } accept comment "Allow trusted LAN to WAN" iifname $BRIDGE oifname $BRIDGE accept comment "Allow forwarding internal traffic"
iifname { "wan" } oifname { "br-lan" } ct state { established, related } accept comment "Allow established traffic" iifname $WAN oifname $BRIDGE tcp dport { 22, 80, 443, 27750 } accept comment "Allow forwarding external traffic to services"
iifname $BRIDGE oifname $WAN accept comment "Allow trusted LAN to WAN"
iifname $WAN oifname $BRIDGE ct state { established, related } accept comment "Allow established traffic"
} }
} }
table ip nat { table ip nat {
chain prerouting {
type nat hook prerouting priority -100; policy accept;
fib daddr type local tcp dport { 80, 443 } dnat to 192.168.20.200
fib daddr type local tcp dport 22 dnat to 192.168.20.201:2222
fib daddr type local tcp dport 27750 dnat to 192.168.20.202:27750
}
chain postrouting { chain postrouting {
type nat hook postrouting priority 100; policy accept; type nat hook postrouting priority 100; policy accept;
oifname "enp1s0" masquerade oifname $WAN masquerade
ip saddr 192.168.20.0/24 masquerade
} }
} }
''; '';
}; };
};
services.dnsmasq = { services.openssh.ports = [ 22 3128 ];
enable = true;
settings = {
server = [ "9.9.9.9" "9.9.9.10" ];
domain-needed = true;
bogus-priv = true;
no-resolv = true;
cache-size = 1000; services.resolved.enable = false;
dhcp-range = [ "br-lan,192.168.20.50,192.168.20.90,24h" ]; services.dnsmasq = {
interface = "br-lan"; enable = true;
dhcp-host = "192.168.20.1"; settings = {
server = [ "9.9.9.9" "9.9.9.10" ];
domain-needed = true;
bogus-priv = true;
no-resolv = true;
local = "/lan/"; cache-size = 1000;
domain = "lan";
expand-hosts = true;
no-hosts = true; dhcp-range = [ "br-lan,192.168.20.50,192.168.20.90,24h" ];
address = "/router.lan/192.168.20.1"; interface = "br-lan";
}; dhcp-host = "192.168.20.1";
local = "/lan/";
domain = "lan";
expand-hosts = true;
no-hosts = true;
address = "/router.lan/192.168.20.1";
}; };
}; };
services.irqbalance.enable = false;
} }
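Review bot: The forward rule `iifname $WAN oifname $BRIDGE tcp dport { 22, 80, 443, 27750 } accept` matches on the destination port as seen after the nat prerouting hook has already run, so the SSH flow that `fib daddr type local tcp dport 22 dnat to 192.168.20.201:2222` rewrites arrives in the forward chain with dport 2222 and falls through to `policy drop`. Either list the post-DNAT port (`tcp dport { 2222, 80, 443, 27750 }`) or, more robustly, accept exactly what prerouting translated with `iifname $WAN oifname $BRIDGE ct status dnat accept`, which also stops the two lists drifting apart. The new `checkRuleset = false;` disables the build-time `nft --check`, so a ruleset typo now surfaces only at activation on the device; if it was needed for a specific construct (presumably `fib` or the `define` lines), a comment naming that reason would help the next reader decide when it can be re-enabled. Note also that `tcp dport 3128` is accepted from `$WAN` in the input chain while the dnsmasq `dhcp-range`/`interface` settings still hard-code `br-lan` rather than reusing the new `bridge` binding.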