From 8e14e55781c711a97d5db54ecc9db0b2b5e20bb7 Mon Sep 17 00:00:00 2001
From: Aaron Bieber
Date: Fri, 14 Oct 2022 16:55:25 -0600
Subject: [PATCH] router: flesh out config a bit more

---
 hosts/router/alias | 2 +-
 hosts/router/default.nix | 153 ++++++++++++++++++++++--
 hosts/router/hardware-configuration.nix | 14 +--
 3 files changed, 151 insertions(+), 18 deletions(-)

diff --git a/hosts/router/alias b/hosts/router/alias
index d01f727..52bd224 100644
--- a/hosts/router/alias
+++ b/hosts/router/alias
@@ -1 +1 @@
-10.6.0.236
+10.6.0.229
diff --git a/hosts/router/default.nix b/hosts/router/default.nix
index f762efc..a60ba65 100644
--- a/hosts/router/default.nix
+++ b/hosts/router/default.nix
@@ -8,16 +8,155 @@ in { _module.args.isUnstable = false; imports = [ ./hardware-configuration.nix ]; - # Bootloader. - boot.loader.grub.enable = true; - boot.loader.grub.device = "/dev/sda"; - boot.loader.grub.useOSProber = true; + boot.kernel.sysctl = { + "net.ipv4.conf.all.forwarding" = true; + "net.ipv6.conf.all.forwarding" = true; + }; - networking.hostName = "router"; + sops.secrets = { + wireguard_private_key = { + sopsFile = config.xin-secrets.router.networking; + }; + }; - networking.networkmanager.enable = true; + networking = { + hostName = "router"; - networking.firewall.allowedTCPPorts = [ 22 ]; + nat = { + enable = true; + externalInterface = "enp5s0f0"; + internalInterfaces = + [ "enp5s0f1" "lab" "common" "external" "voip" "enp1s0f0" ]; + }; + + firewall = { + enable = false; + allowedTCPPorts = [ 22 ]; + }; + + useDHCP = false; + + wireguard = { + enable = false; + interfaces = { + wg0 = { + listenPort = 7122; + ips = [ "192.168.112.4/32" ]; + peers = [{ + publicKey = "CEnjIUpeOEZ9nUvuA1HCDg3duE/OPcdvJpbEsX1dXBM="; + endpoint = "107.191.42.21:7122"; + allowedIPs = [ "0.0.0.0/0" ]; + persistentKeepalive = 25; + }]; + privateKeyFile = "${config.sops.secrets.wireguard_private_key.path}"; + }; + }; + }; + + vlans = { + badwifi = { + id = 10; + interface = "enp5s0f1"; + }; + goodwifi = { + id = 11; + interface = "enp5s0f1"; + }; + lab = { + id = 2; + interface = "enp5s0f1"; + }; + common = { + id = 5; + interface = "enp5s0f1"; + }; + voip = { + id = 6; + interface = "enp5s0f1"; + }; + external = { + id = 20; + interface = "enp5s0f1"; + }; + }; + + interfaces = { + enp5s0f0 = { useDHCP = true; }; + + enp5s0f1 = { + ipv4.addresses = [{ + address = "10.99.99.1"; + prefixLength = 24; + }]; + }; + + enp1s0f0 = { + ipv4.addresses = [{ + address = "10.99.1.1"; + prefixLength = 24; + }]; + }; + + badwifi = { + ipv4.addresses = [{ + address = "10.10.0.1"; + prefixLength = 24; + }]; + }; + goodwifi = { + ipv4.addresses = [{ + address = "10.12.0.1"; + prefixLength = 
24; + }]; + }; + lab = { + ipv4.addresses = [{ + address = "10.3.0.1"; + prefixLength = 24; + }]; + }; + external = { + ipv4.addresses = [{ + address = "10.20.30.1"; + prefixLength = 24; + }]; + }; + #common = { + # ipv4.addresses = [{ + # address = "10.6.0.1"; + # prefixLength = 24; + # }]; + #}; + voip = { + ipv4.addresses = [{ + address = "10.7.0.1"; + prefixLength = 24; + }]; + }; + }; + }; + + services.atftpd = { + enable = true; + extraOptions = [ + "--bind-address ${ + (builtins.head config.networking.interfaces.lab.ipv4.addresses).address + }" + ]; + }; + + services.dhcpd4 = { + enable = true; + extraConfig = '' + option subnet-mask 255.255.255.0; + option routers 10.99.1.1; + option domain-name-servers 9.9.9.9; + subnet 10.99.1.0 netmask 255.255.255.0 { + range 10.99.1.100 10.99.1.199; + } + ''; + interfaces = [ "enp1s0f0" ]; + }; users.users.root = userBase; users.users.qbit = userBase; diff --git a/hosts/router/hardware-configuration.nix b/hosts/router/hardware-configuration.nix index 657ebe2..a065c8c 100644 --- a/hosts/router/hardware-configuration.nix +++ b/hosts/router/hardware-configuration.nix @@ -6,6 +6,10 @@ { imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; + boot.loader.grub.enable = true; + boot.loader.grub.device = "/dev/sda"; + boot.loader.grub.useOSProber = true; + boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "xhci_pci" "usb_storage" "usbhid" "sd_mod" ]; boot.initrd.kernelModules = [ ]; 
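Review bot: `firewall.enable = false` switches off host filtering on the machine that is also the NAT gateway with a DHCP-addressed upstream (`enp5s0f0`), so sshd, dhcpd4 and atftpd will answer on the external interface, and the `allowedTCPPorts = [ 22 ]` written next to it is dead config while the firewall is off. With `net.ipv4.conf.all.forwarding` and `net.ipv6.conf.all.forwarding` both set and no filter at all, nothing gates the routed path either; that matters most for IPv6, which `networking.nat` does not masquerade, so any internal host that picks up a global v6 address is reachable from upstream. Enabling the NixOS firewall alone is, as far as I recall, not sufficient for this because it only filters INPUT, so I would enable it with `trustedInterfaces` limited to the segments that should reach the router's own services and add an explicit FORWARD rule set that only admits established/related traffic from `enp5s0f0` (nftables would do equally well). Separately, `badwifi` and `goodwifi` receive addresses but are absent from `nat.internalInterfaces`, so if their clients are meant to reach the upstream they will not be masqueraded; if isolation is the intent, a one-line comment saying so would stop the next reader from "fixing" it. If the firewall was disabled only for bring-up, a `# TODO: re-enable before deployment` on that line would at least keep it from shipping silently.
```nix
    firewall = {
      enable = true;
      allowedTCPPorts = [ 22 ];
      # Only these segments may reach the router's own services (sshd, dhcpd4, tftp).
      trustedInterfaces = [ "lab" "common" "voip" "enp1s0f0" ];
      # NOTE(review): the NixOS firewall appears to filter INPUT only -- confirm --
      # so the routed path from the upstream is gated here, idempotently for reloads.
      extraCommands = ''
        for t in iptables ip6tables; do
          $t -w -N nixos-fwd 2>/dev/null || $t -w -F nixos-fwd
          $t -w -A nixos-fwd -i enp5s0f0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
          $t -w -A nixos-fwd -i enp5s0f0 -j DROP
          $t -w -C FORWARD -j nixos-fwd 2>/dev/null || $t -w -I FORWARD -j nixos-fwd
        done
      '';
    };
# … unchanged: useDHCP, wireguard, vlans, interfaces …
```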
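Review bot: `boot.loader.grub.useOSProber = true` is unnecessary surface on a single-purpose router: os-prober mounts and scans every attached disk at `nixos-rebuild` time to add foreign-OS menu entries, and any entry it finds becomes an unauthenticated boot path from the console. I would drop that line (or set it to `false`) unless dual-boot is actually intended here. Also, the `not-detected.nix` import suggests this file is the `nixos-generate-config` output; if so, the bootloader lines moved into it will be lost the next time it is regenerated, and a comment such as `# Manually added: bootloader config lives here on purpose, re-add after regenerating.` above them would make that survivable.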
@@ -19,16 +23,6 @@ swapDevices = [ ]; - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces..useDHCP`. - networking.useDHCP = lib.mkDefault true; - # networking.interfaces.enp1s0f0.useDHCP = lib.mkDefault true; - # networking.interfaces.enp1s0f1.useDHCP = lib.mkDefault true; - # networking.interfaces.enp4s0f0.useDHCP = lib.mkDefault true; - # networking.interfaces.enp4s0f1.useDHCP = lib.mkDefault true; - hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; }