router: flesh out config a bit more

2022-10-14 16:55:25 -06:00 · 2022-10-14 16:55:25 -06:00 · 8e14e55781
commit 8e14e55781
parent 36e6d6d20c
3 changed files with 151 additions and 18 deletions
--- a/hosts/router/alias
+++ b/hosts/router/alias
@ -1 +1 @@
-10.6.0.236
+10.6.0.229
--- a/hosts/router/default.nix
+++ b/hosts/router/default.nix
@ -8,16 +8,155 @@ in {
  _module.args.isUnstable = false;
  imports = [ ./hardware-configuration.nix ];

-  # Bootloader.
-  boot.loader.grub.enable = true;
-  boot.loader.grub.device = "/dev/sda";
-  boot.loader.grub.useOSProber = true;
+  boot.kernel.sysctl = {
+    "net.ipv4.conf.all.forwarding" = true;
+    "net.ipv6.conf.all.forwarding" = true;
+  };

-  networking.hostName = "router";
+  sops.secrets = {
+    wireguard_private_key = {
+      sopsFile = config.xin-secrets.router.networking;
+    };
+  };

-  networking.networkmanager.enable = true;
+  networking = {
+    hostName = "router";

-  networking.firewall.allowedTCPPorts = [ 22 ];
+    nat = {
+      enable = true;
+      externalInterface = "enp5s0f0";
+      internalInterfaces =
+        [ "enp5s0f1" "lab" "common" "external" "voip" "enp1s0f0" ];
+    };
+
+    firewall = {
+      enable = false;
+      allowedTCPPorts = [ 22 ];
+    };
+
+    useDHCP = false;
+
+    wireguard = {
+      enable = false;
+      interfaces = {
+        wg0 = {
+          listenPort = 7122;
+          ips = [ "192.168.112.4/32" ];
+          peers = [{
+            publicKey = "CEnjIUpeOEZ9nUvuA1HCDg3duE/OPcdvJpbEsX1dXBM=";
+            endpoint = "107.191.42.21:7122";
+            allowedIPs = [ "0.0.0.0/0" ];
+            persistentKeepalive = 25;
+          }];
+          privateKeyFile = "${config.sops.secrets.wireguard_private_key.path}";
+        };
+      };
+    };
+
+    vlans = {
+      badwifi = {
+        id = 10;
+        interface = "enp5s0f1";
+      };
+      goodwifi = {
+        id = 11;
+        interface = "enp5s0f1";
+      };
+      lab = {
+        id = 2;
+        interface = "enp5s0f1";
+      };
+      common = {
+        id = 5;
+        interface = "enp5s0f1";
+      };
+      voip = {
+        id = 6;
+        interface = "enp5s0f1";
+      };
+      external = {
+        id = 20;
+        interface = "enp5s0f1";
+      };
+    };
+
+    interfaces = {
+      enp5s0f0 = { useDHCP = true; };
+
+      enp5s0f1 = {
+        ipv4.addresses = [{
+          address = "10.99.99.1";
+          prefixLength = 24;
+        }];
+      };
+
+      enp1s0f0 = {
+        ipv4.addresses = [{
+          address = "10.99.1.1";
+          prefixLength = 24;
+        }];
+      };
+
+      badwifi = {
+        ipv4.addresses = [{
+          address = "10.10.0.1";
+          prefixLength = 24;
+        }];
+      };
+      goodwifi = {
+        ipv4.addresses = [{
+          address = "10.12.0.1";
+          prefixLength = 24;
+        }];
+      };
+      lab = {
+        ipv4.addresses = [{
+          address = "10.3.0.1";
+          prefixLength = 24;
+        }];
+      };
+      external = {
+        ipv4.addresses = [{
+          address = "10.20.30.1";
+          prefixLength = 24;
+        }];
+      };
+      #common = {
+      #  ipv4.addresses = [{
+      #    address = "10.6.0.1";
+      #    prefixLength = 24;
+      #  }];
+      #};
+      voip = {
+        ipv4.addresses = [{
+          address = "10.7.0.1";
+          prefixLength = 24;
+        }];
+      };
+    };
+  };
+
+  services.atftpd = {
+    enable = true;
+    extraOptions = [
+      "--bind-address ${
+        (builtins.head config.networking.interfaces.lab.ipv4.addresses).address
+      }"
+    ];
+  };
+
+  services.dhcpd4 = {
+    enable = true;
+    extraConfig = ''
+      option subnet-mask 255.255.255.0;
+      option routers 10.99.1.1;
+      option domain-name-servers 9.9.9.9;
+      subnet 10.99.1.0 netmask 255.255.255.0 {
+          range 10.99.1.100 10.99.1.199;
+      }
+    '';
+    interfaces = [ "enp1s0f0" ];
+  };

  users.users.root = userBase;
  users.users.qbit = userBase;
--- a/hosts/router/hardware-configuration.nix
+++ b/hosts/router/hardware-configuration.nix
@ -6,6 +6,10 @@
 {
  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];

+  boot.loader.grub.enable = true;
+  boot.loader.grub.device = "/dev/sda";
+  boot.loader.grub.useOSProber = true;
+
  boot.initrd.availableKernelModules =
    [ "ehci_pci" "ahci" "xhci_pci" "usb_storage" "usbhid" "sd_mod" ];
  boot.initrd.kernelModules = [ ];
@ -19,16 +23,6 @@

  swapDevices = [ ];

-  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
-  # (the default) this is the recommended approach. When using systemd-networkd it's
-  # still possible to use this option, but it's recommended to use it in conjunction
-  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-  networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp1s0f0.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp1s0f1.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp4s0f0.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp4s0f1.useDHCP = lib.mkDefault true;
-
  hardware.cpu.intel.updateMicrocode =
    lib.mkDefault config.hardware.enableRedistributableFirmware;
 }