From ba1a4122bc7dd2fba9d0be30e025fb26ba5ae5ed Mon Sep 17 00:00:00 2001 From: asonix Date: Mon, 1 Jul 2024 14:11:08 -0500 Subject: [PATCH] Start work on router module --- flake.nix | 11 ++++ modules/router/default.nix | 117 +++++++++++++++++++++++++++++++++++++ 2 files changed, 128 insertions(+) create mode 100644 modules/router/default.nix diff --git a/flake.nix b/flake.nix index 98084c5..732060c 100644 --- a/flake.nix +++ b/flake.nix @@ -29,6 +29,7 @@ wireguardModule = import ./modules/wireguard; desktopModule = import ./modules/desktop; serverModule = import ./modules/server; + routerModule = import ./modules/router; makeConfig = { hostname, extraModules ? [ ] }: nixpkgs.lib.nixosSystem { @@ -435,6 +436,16 @@ ]; }; + makeRouterConfig = system: + { hostname }: + makeServerConfig { + inherit hostname; + + extraModules = sd-images.packages.${system}.RockPro64v2.modules ++ [ + routerModule + ]; + }; + makeBoardBackupConfig = modules: system: { hostname , selfIp diff --git a/modules/router/default.nix b/modules/router/default.nix new file mode 100644 index 0000000..8d46d01 --- /dev/null +++ b/modules/router/default.nix 
@@ -0,0 +1,117 @@
+{ ... }:
+
+{
+ boot.kernel = {
+ sysctl = {
+ "net.ipv4.conf.all.forwarding" = true;
+ "net.ipv6.conf.all.forwarding" = false;
+ "net.ipv4.conf.default.rp_filter" = 1;
+ "net.ipv4.conf.enp1s0"
+ };
+ };
+
+ systemd.network = {
+ wait-online.anyInterface = true;
+ netdevs = {
+ "20-br-lan" = {
+ netDevConfig = {
+ Kind = "bridge";
+ Name = "br-lan";
+ };
+ };
+ };
+ networks = {
+ "10-wan" = {
+ matchConfig.name = "enp*"; # enp1s0
+ linkConfig.RequiredForOnline = "routable";
+ networkConfig = {
+ DHCP = "ipv4";
+ DNSOverTLS = true;
+ DNSSEC = true;
+ IPv6PrivacyExtensions = false;
+ IPForward = true;
+ };
+ };
+ "30-lan" = {
+ matchConfig.Name = "end*"; # end0
+ linkConfig.RequiredForOnline = "enslaved";
+ networkConfig = {
+ Bridge = "br-lan";
+ ConfigureWithoutCarrier = true;
+ };
+ };
+ "40-br-lan" = {
+ matchConfig.Name = "br-lan";
+ bridgeConfig = { };
+ address = [
+ "192.168.6.1/24"
+ ];
+ networkConfig = {
+ ConfigureWithoutCarrier = true;
+ };
+ };
+ };
+ };
+
+ networking = {
+ hostName = hostname;
+ useNetworkd = true;
+ useDHCP = false;
+
+ nat.enable = false;
+ firewall.enable = false;
+
+ nftables = {
+ enable = true;
+ ruleset = ''
+ table inet filter {
+ chain input {
+ type filter hook input priority 0; policy drop;
+
+ iifname { "br-lan" } accept comment "Allow local network to access the router"
+ iifname "enp1s0" ct state { established, related } accept comment "Allow established traffic"
+ iifname "enp1s0" icmp type { echo-request, destination-unreachable, time-exceeded } counter accept comment "icmp stuff"
+ iifname "enp1s0" counter drop comment "Drop all other traffic from wan"
+ iifname "lo" accept comment "Accept everything from loopback"
+ }
+ chain forward {
+ type filter hook forward priority filter; policy drop;
+
+ iifname { "br-lan" } oifname { "enp1s0" } accept comment "Allow trusted LAN to WAN"
+ iifname { "wan" } oifname { "br-lan" } ct state { established, related } accept comment "Allow established traffic"
+ }
+ }
+
+ table ip nat {
+ chain postrouting {
+ type nat hook postrouting priority 100; policy accept;
+ oifname "enp1s0" masquerade
+ }
+ }
+ '';
+ };
+
+ services.dnsmasq = {
+ enable = true;
+ settings = {
+ server = [ "9.9.9.9" "9.9.9.10" ];
+ domain-needed = true;
+ bogus-priv = true;
+ no-resolv = true;
+
+ cache-size = 1000;
+
+ dhcp-range = [ "br-lan,192.168.20.50,192.168.20.90,24h" ];
+ interface = "br-lan";
+ dhcp-host = "192.168.20.1";
+
+ local = "/lan/";
+ domain = "lan";
+ expand-hosts = true;
+
+ no-hosts = true;
+ address = "/router.lan/192.168.20.1";
+ };
+ };
+ };
+}
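Review bot: In the nftables forward chain the return-traffic rule matches `iifname { "wan" }`, but no interface is named `wan` anywhere in this module (the uplink is `enp1s0` in every other rule), so replies to LAN-originated connections fall through to `policy drop` and the masqueraded LAN gets no working WAN traffic; change it to `iifname "enp1s0" oifname "br-lan" ct state { established, related } accept` and consider a `ct state invalid drop` ahead of it. Separately, the module will not evaluate as written: the sysctl set ends with the bare string `"net.ipv4.conf.enp1s0"` with no `= value` (a Nix parse error), and `hostName = hostname;` uses a name the `{ ... }:` header never binds. The `10-wan` network uses `matchConfig.name` where the other two use `matchConfig.Name`; networkd keys are case-sensitive, so if the lowercase key is discarded as unknown the file is left with an empty `[Match]` and, sorting first, would presumably claim `end0` and `br-lan` as DHCP uplinks as well — use `matchConfig.Name = "enp*"`. Also `br-lan` is addressed `192.168.6.1/24` while dnsmasq hands out `192.168.20.50-90` and advertises the router at `192.168.20.1`, so the DHCP range is not on the bridge's subnet; pick one prefix for both. Finally only `default.rp_filter` is set; adding `"net.ipv4.conf.all.rp_filter" = 1;` makes reverse-path validation apply to interfaces that already exist when the sysctls are applied.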