Working router
parent
ba1a4122bc
commit
5042acc900
2 changed files with 85 additions and 42 deletions
20
flake.nix
20
flake.nix
|
@ -437,12 +437,12 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
makeRouterConfig = system:
|
makeRouterConfig = system:
|
||||||
{ hostname }:
|
{ hostName }:
|
||||||
makeServerConfig {
|
makeServerConfig {
|
||||||
inherit hostname;
|
hostname = hostName;
|
||||||
|
|
||||||
extraModules = sd-images.packages.${system}.RockPro64v2.modules ++ [
|
extraModules = sd-images.packages.${system}.RockPro64v2.modules ++ [
|
||||||
routerModule
|
(routerModule { inherit hostName; })
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -1198,6 +1198,10 @@
|
||||||
}
|
}
|
||||||
]);
|
]);
|
||||||
};
|
};
|
||||||
|
|
||||||
|
router = makeRouterConfig system {
|
||||||
|
hostName = "router";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
deploy.nodes =
|
deploy.nodes =
|
||||||
|
@ -1335,19 +1339,25 @@
|
||||||
name = "jellyfin";
|
name = "jellyfin";
|
||||||
ip = "192.168.20.195";
|
ip = "192.168.20.195";
|
||||||
}
|
}
|
||||||
|
{
|
||||||
|
name = "router";
|
||||||
|
ip = "192.168.20.1";
|
||||||
|
port = "3128";
|
||||||
|
}
|
||||||
];
|
];
|
||||||
in
|
in
|
||||||
builtins.foldl'
|
builtins.foldl'
|
||||||
(acc:
|
(acc:
|
||||||
{ name, ip }:
|
{ name, ip, port ? "22" }:
|
||||||
acc // {
|
acc // {
|
||||||
${name} = {
|
${name} = {
|
||||||
hostname = ip;
|
hostname = ip;
|
||||||
profiles.system = {
|
profiles.system = {
|
||||||
|
magicRollback = false;
|
||||||
sshUser = "asonix";
|
sshUser = "asonix";
|
||||||
user = "root";
|
user = "root";
|
||||||
interactiveSudo = true;
|
interactiveSudo = true;
|
||||||
sshOpts = [ "-i" "/home/asonix/.ssh/kube-rsa" ];
|
sshOpts = [ "-i" "/home/asonix/.ssh/kube-rsa" "-p" port ];
|
||||||
path = deploy-rs.lib.aarch64-linux.activate.nixos
|
path = deploy-rs.lib.aarch64-linux.activate.nixos
|
||||||
self.nixosConfigurations.${name};
|
self.nixosConfigurations.${name};
|
||||||
};
|
};
|
||||||
|
|
|
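Review bot: `magicRollback = false;` is added inside the deploy.nodes fold, so it applies to every node the fold produces (jellyfin and the rest), not only to the new router entry, and a deployment that breaks SSH on any of those hosts will no longer roll itself back. The router is presumably the only node where the rollback probe is expected to fail, so make it per-node the same way `port` already is: `{ name, ip, port ? "22", magicRollback ? true }:` in the destructuring, `inherit magicRollback;` in profiles.system, and `magicRollback = false;` in the router entry beside `port = "3128";`. The fold body continues past the end of this hunk.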
@ -1,60 +1,70 @@
|
||||||
|
{ hostName }:
|
||||||
|
|
||||||
{ ... }:
|
{ ... }:
|
||||||
|
|
||||||
|
let
|
||||||
|
wan = "end0";
|
||||||
|
lan = "enp1s0";
|
||||||
|
bridge = "br-lan";
|
||||||
|
in
|
||||||
{
|
{
|
||||||
boot.kernel = {
|
boot.kernel = {
|
||||||
sysctl = {
|
sysctl = {
|
||||||
"net.ipv4.conf.all.forwarding" = true;
|
"net.ipv4.conf.all.forwarding" = true;
|
||||||
"net.ipv6.conf.all.forwarding" = false;
|
"net.ipv6.conf.all.forwarding" = false;
|
||||||
"net.ipv4.conf.default.rp_filter" = 1;
|
"net.ipv4.conf.default.rp_filter" = 1;
|
||||||
"net.ipv4.conf.enp1s0"
|
"net.ipv4.conf.${wan}.rp_filter" = 1;
|
||||||
|
"net.ipv4.conf.${bridge}.rp_filter" = 0;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.network = {
|
systemd.network = {
|
||||||
wait-online.anyInterface = true;
|
wait-online.anyInterface = true;
|
||||||
netdevs = {
|
netdevs = {
|
||||||
"20-br-lan" = {
|
"20-${bridge}" = {
|
||||||
netDevConfig = {
|
netdevConfig = {
|
||||||
Kind = "bridge";
|
Kind = "bridge";
|
||||||
Name = "br-lan";
|
Name = bridge;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
networks = {
|
networks = {
|
||||||
"10-wan" = {
|
"10-${wan}" = {
|
||||||
matchConfig.name = "enp*"; # enp1s0
|
matchConfig.Name = wan;
|
||||||
linkConfig.RequiredForOnline = "routable";
|
linkConfig.RequiredForOnline = "routable";
|
||||||
networkConfig = {
|
networkConfig = {
|
||||||
DHCP = "ipv4";
|
DHCP = "ipv4";
|
||||||
|
IPv6AcceptRA = true;
|
||||||
DNSOverTLS = true;
|
DNSOverTLS = true;
|
||||||
DNSSEC = true;
|
DNSSEC = true;
|
||||||
IPv6PrivacyExtensions = false;
|
IPv6PrivacyExtensions = false;
|
||||||
IPForward = true;
|
IPForward = true;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
"30-lan" = {
|
"30-${lan}" = {
|
||||||
matchConfig.Name = "end*"; # end0
|
matchConfig.Name = lan;
|
||||||
linkConfig.RequiredForOnline = "enslaved";
|
linkConfig.RequiredForOnline = "enslaved";
|
||||||
networkConfig = {
|
networkConfig = {
|
||||||
Bridge = "br-lan";
|
Bridge = bridge;
|
||||||
ConfigureWithoutCarrier = true;
|
ConfigureWithoutCarrier = true;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
"40-br-lan" = {
|
"40-${bridge}" = {
|
||||||
matchConfig.Name = "br-lan";
|
matchConfig.Name = bridge;
|
||||||
bridgeConfig = { };
|
bridgeConfig = { };
|
||||||
address = [
|
address = [
|
||||||
"192.168.6.1/24"
|
"192.168.20.1/24"
|
||||||
];
|
];
|
||||||
networkConfig = {
|
networkConfig = {
|
||||||
ConfigureWithoutCarrier = true;
|
ConfigureWithoutCarrier = true;
|
||||||
};
|
};
|
||||||
|
linkConfig.RequiredForOnline = "no";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
networking = {
|
networking = {
|
||||||
hostName = hostname;
|
inherit hostName;
|
||||||
useNetworkd = true;
|
useNetworkd = true;
|
||||||
useDHCP = false;
|
useDHCP = false;
|
||||||
|
|
||||||
|
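Review bot: `IPv6AcceptRA = true;` on the `10-${wan}` network cannot take effect with the ruleset in the next hunk: `table inet filter` covers IPv6 as well, the input chain's policy is drop, and its only ICMP rule (`iifname $WAN icmp type { ... }`) matches ICMPv4 only, so router advertisements and neighbour solicitations from the upstream are dropped (as far as I can tell conntrack leaves neighbour discovery untracked, so the established/related rule does not rescue them either). Either leave RA disabled until IPv6 is actually wanted, or add beside the ICMPv4 rule `iifname $WAN icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, echo-request, packet-too-big, time-exceeded, parameter-problem } accept comment "ICMPv6 required for NDP/SLAAC"`. `"net.ipv4.conf.${bridge}.rp_filter" = 0;` also deserves a one-line comment on why reverse-path filtering is switched off on the LAN side, as that is the side where one host spoofing another is most plausible.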
@ -63,55 +73,78 @@
|
||||||
|
|
||||||
nftables = {
|
nftables = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
checkRuleset = false;
|
||||||
ruleset = ''
|
ruleset = ''
|
||||||
|
define WAN=${wan}
|
||||||
|
define LAN=${lan}
|
||||||
|
define BRIDGE=${bridge}
|
||||||
|
|
||||||
table inet filter {
|
table inet filter {
|
||||||
|
|
||||||
chain input {
|
chain input {
|
||||||
type filter hook input priority 0; policy drop;
|
type filter hook input priority 0; policy drop;
|
||||||
|
|
||||||
iifname { "br-lan" } accept comment "Allow local network to access the router"
|
iifname $BRIDGE accept comment "Allow local network to access the router"
|
||||||
iifname "enp1s0" ct state { established, related } accept comment "Allow established traffic"
|
iifname $WAN ct state { established, related } accept comment "Allow established traffic"
|
||||||
iifname "enp1s0" icmp type { echo-request, destination-unreachable, time-exceeded } counter accept comment "icmp stuff"
|
iifname $WAN icmp type { echo-request, destination-unreachable, time-exceeded } counter accept comment "icmp stuff"
|
||||||
iifname "enp1s0" counter drop comment "Drop all other traffic from wan"
|
iifname $WAN tcp dport 3128 accept comment "Allow SSH in"
|
||||||
|
iifname $WAN counter drop comment "Drop all other traffic from wan"
|
||||||
iifname "lo" accept comment "Accept everything from loopback"
|
iifname "lo" accept comment "Accept everything from loopback"
|
||||||
}
|
}
|
||||||
chain forward {
|
chain forward {
|
||||||
type filter hook forward priority filter; policy drop;
|
type filter hook forward priority filter; policy drop;
|
||||||
|
|
||||||
iifname { "br-lan" } oifname { "enp1s0" } accept comment "Allow trusted LAN to WAN"
|
iifname $BRIDGE oifname $BRIDGE accept comment "Allow forwarding internal traffic"
|
||||||
iifname { "wan" } oifname { "br-lan" } ct state { established, related } accept comment "Allow established traffic"
|
iifname $WAN oifname $BRIDGE tcp dport { 22, 80, 443, 27750 } accept comment "Allow forwarding external traffic to services"
|
||||||
|
iifname $BRIDGE oifname $WAN accept comment "Allow trusted LAN to WAN"
|
||||||
|
iifname $WAN oifname $BRIDGE ct state { established, related } accept comment "Allow established traffic"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
table ip nat {
|
table ip nat {
|
||||||
|
chain prerouting {
|
||||||
|
type nat hook prerouting priority -100; policy accept;
|
||||||
|
fib daddr type local tcp dport { 80, 443 } dnat to 192.168.20.200
|
||||||
|
fib daddr type local tcp dport 22 dnat to 192.168.20.201:2222
|
||||||
|
fib daddr type local tcp dport 27750 dnat to 192.168.20.202:27750
|
||||||
|
}
|
||||||
|
|
||||||
chain postrouting {
|
chain postrouting {
|
||||||
type nat hook postrouting priority 100; policy accept;
|
type nat hook postrouting priority 100; policy accept;
|
||||||
oifname "enp1s0" masquerade
|
oifname $WAN masquerade
|
||||||
|
ip saddr 192.168.20.0/24 masquerade
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
};
|
||||||
|
|
||||||
services.dnsmasq = {
|
services.openssh.ports = [ 22 3128 ];
|
||||||
enable = true;
|
|
||||||
settings = {
|
|
||||||
server = [ "9.9.9.9" "9.9.9.10" ];
|
|
||||||
domain-needed = true;
|
|
||||||
bogus-priv = true;
|
|
||||||
no-resolv = true;
|
|
||||||
|
|
||||||
cache-size = 1000;
|
services.resolved.enable = false;
|
||||||
|
|
||||||
dhcp-range = [ "br-lan,192.168.20.50,192.168.20.90,24h" ];
|
services.dnsmasq = {
|
||||||
interface = "br-lan";
|
enable = true;
|
||||||
dhcp-host = "192.168.20.1";
|
settings = {
|
||||||
|
server = [ "9.9.9.9" "9.9.9.10" ];
|
||||||
|
domain-needed = true;
|
||||||
|
bogus-priv = true;
|
||||||
|
no-resolv = true;
|
||||||
|
|
||||||
local = "/lan/";
|
cache-size = 1000;
|
||||||
domain = "lan";
|
|
||||||
expand-hosts = true;
|
|
||||||
|
|
||||||
no-hosts = true;
|
dhcp-range = [ "br-lan,192.168.20.50,192.168.20.90,24h" ];
|
||||||
address = "/router.lan/192.168.20.1";
|
interface = "br-lan";
|
||||||
};
|
dhcp-host = "192.168.20.1";
|
||||||
|
|
||||||
|
local = "/lan/";
|
||||||
|
domain = "lan";
|
||||||
|
expand-hosts = true;
|
||||||
|
|
||||||
|
no-hosts = true;
|
||||||
|
address = "/router.lan/192.168.20.1";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
services.irqbalance.enable = false;
|
||||||
}
|
}
|
||||||
|
|
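Review bot: The new forward rule `iifname $WAN oifname $BRIDGE tcp dport { 22, 80, 443, 27750 } accept` runs after the prerouting DNAT, so the SSH forward to `192.168.20.201:2222` reaches the forward hook with dport 2222, matches nothing and falls to the drop policy; 80/443/27750 only work because their DNAT targets keep the original port. Matching on the NAT state is both correct and tighter: `iifname $WAN oifname $BRIDGE ct status dnat accept comment "Allow forwarded traffic that was DNATed to services"`, and the `tcp dport 3128 accept` / `services.openssh.ports = [ 22 3128 ]` pair needs a comment saying that port 22 on the router is unreachable even from the LAN because `fib daddr type local tcp dport 22 dnat ...` has no iifname restriction and so also catches the router's own 192.168.20.1. `services.resolved.enable = false;` means the `DNSOverTLS`/`DNSSEC` settings on the WAN network in the previous hunk are no longer consulted, and dnsmasq forwards to 9.9.9.9/9.9.9.10 in plaintext, so either drop those two lines or mark them as inert. `checkRuleset = false;` removes the build-time `nft -c` check, so a ruleset typo will now surface only at activation on the remote router; a short comment with the reason for disabling it (presumably the interface lookups not being evaluable in the sandbox) would help the next maintainer.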