Start work on router module

flake.nix

@@ -29,6 +29,7 @@
       wireguardModule = import ./modules/wireguard;
       desktopModule = import ./modules/desktop;
       serverModule = import ./modules/server;
+      routerModule = import ./modules/router;
 
       makeConfig = { hostname, extraModules ? [ ] }:
         nixpkgs.lib.nixosSystem {
@@ -435,6 +436,16 @@
           ];
         };
 
+      makeRouterConfig = system:
+        { hostname }:
+        makeServerConfig {
+          inherit hostname;
+
+          extraModules = sd-images.packages.${system}.RockPro64v2.modules ++ [
+            routerModule
+          ];
+        };
+
       makeBoardBackupConfig = modules: system:
         { hostname
         , selfIp

modules/router/default.nix

@@ -0,0 +1,117 @@
+{ ... }:
+
+{
+  boot.kernel = {
+    sysctl = {
+      "net.ipv4.conf.all.forwarding" = true;
+      "net.ipv6.conf.all.forwarding" = false;
+      "net.ipv4.conf.default.rp_filter" = 1;
+      "net.ipv4.conf.enp1s0"
+    };
+  };
+
+  systemd.network = {
+    wait-online.anyInterface = true;
+    netdevs = {
+      "20-br-lan" = {
+        netDevConfig = {
+          Kind = "bridge";
+          Name = "br-lan";
+        };
+      };
+    };
+    networks = {
+      "10-wan" = {
+        matchConfig.name = "enp*"; # enp1s0
+        linkConfig.RequiredForOnline = "routable";
+        networkConfig = {
+          DHCP = "ipv4";
+          DNSOverTLS = true;
+          DNSSEC = true;
+          IPv6PrivacyExtensions = false;
+          IPForward = true;
+        };
+      };
+      "30-lan" = {
+        matchConfig.Name = "end*"; # end0
+        linkConfig.RequiredForOnline = "enslaved";
+        networkConfig = {
+          Bridge = "br-lan";
+          ConfigureWithoutCarrier = true;
+        };
+      };
+      "40-br-lan" = {
+        matchConfig.Name = "br-lan";
+        bridgeConfig = { };
+        address = [
+          "192.168.6.1/24"
+        ];
+        networkConfig = {
+          ConfigureWithoutCarrier = true;
+        };
+      };
+    };
+  };
+
+  networking = {
+    hostName = hostname;
+    useNetworkd = true;
+    useDHCP = false;
+
+    nat.enable = false;
+    firewall.enable = false;
+
+    nftables = {
+      enable = true;
+      ruleset = ''
+      table inet filter {
+        chain input {
+          type filter hook input priority 0; policy drop;
+
+          iifname { "br-lan" } accept comment "Allow local network to access the router"
+          iifname "enp1s0" ct state { established, related } accept comment "Allow established traffic"
+          iifname "enp1s0" icmp type { echo-request, destination-unreachable, time-exceeded } counter accept comment "icmp stuff"
+          iifname "enp1s0" counter drop comment "Drop all other traffic from wan"
+          iifname "lo" accept comment "Accept everything from loopback"
+        }
+        chain forward {
+          type filter hook forward priority filter; policy drop;
+
+          iifname { "br-lan" } oifname { "enp1s0" } accept comment "Allow trusted LAN to WAN"
+          iifname { "wan" } oifname { "br-lan" } ct state { established, related } accept comment "Allow established traffic"
+        }
+      }
+
+      table ip nat {
+        chain postrouting {
+          type nat hook postrouting priority 100; policy accept;
+          oifname "enp1s0" masquerade
+        }
+      }
+      '';
+    };
+
+    services.dnsmasq = {
+      enable = true;
+      settings = {
+        server = [ "9.9.9.9" "9.9.9.10" ];
+        domain-needed = true;
+        bogus-priv = true;
+        no-resolv = true;
+
+        cache-size = 1000;
+
+        dhcp-range = [ "br-lan,192.168.20.50,192.168.20.90,24h" ];
+        interface = "br-lan";
+        dhcp-host = "192.168.20.1";
+
+        local = "/lan/";
+        domain = "lan";
+        expand-hosts = true;
+
+        no-hosts = true;
+        address = "/router.lan/192.168.20.1";
+      };
+    };
+  };
+}