xin/hosts/router/default.nix

483 lines
13 KiB
Nix

{ config, pkgs, lib, inputs, ... }:
let
inherit (builtins)
head concatStringsSep attrValues mapAttrs attrNames; # hasAttr;
inherit (lib.attrsets) filterAttrsRecursive filterAttrs;
pubKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO7v+/xS8832iMqJHCWsxUZ8zYoMWoZhjj++e26g1fLT europa"
];
userBase = {
openssh.authorizedKeys.keys = pubKeys ++ config.myconf.managementPubKeys;
};
tsvnstat = inputs.tsvnstat.packages.${pkgs.system}.tsvnstat;
wan = "enp5s0f0";
trunk = "enp5s0f1";
dnsServers = [ "45.90.28.147" "45.90.30.147" ];
interfaces = {
"${wan}" = { useDHCP = true; };
"${trunk}" = rec {
ipv4.addresses = [{
address = "10.99.99.1";
prefixLength = 24;
}];
info = rec {
description = "Management";
route = false;
router = "${(head ipv4.addresses).address}";
netmask = "255.255.255.0";
network = "${net}/${toString (head ipv4.addresses).prefixLength}";
net = "10.99.99.0";
dhcp = {
enable = true;
start = "10.99.99.100";
end = "10.99.99.150";
staticIPs = [
{
name = "doublemint";
mac = "74:83:c2:19:9e:51";
address = "10.99.99.54";
}
{
name = "switch0";
mac = "18:e8:29:b5:48:15";
address = "10.99.99.4";
}
{
name = "switch1";
mac = "fc:ec:da:4e:2e:51";
address = "10.99.99.5";
}
{
name = "switch2";
mac = "fc:ec:da:d4:10:81";
address = "10.99.99.6";
}
{
name = "ap2";
mac = "74:83:c2:89:0b:52";
address = "10.99.99.7";
}
{
name = "ap1";
mac = "80:2a:a8:96:50:76";
address = "10.99.99.8";
}
];
};
};
};
enp1s0f0 = rec {
ipv4.addresses = [{
address = "10.99.1.1";
prefixLength = 24;
}];
info = rec {
description = "unused";
route = true;
router = "${(head ipv4.addresses).address}";
net = "10.99.1.0";
netmask = "255.255.255.0";
network = "${net}/${toString (head ipv4.addresses).prefixLength}";
dhcp = {
enable = true;
start = "10.99.1.100";
end = "10.99.1.155";
staticIPs = [ ];
};
};
};
enp2s0f1 = rec {
ipv4.addresses = [{
address = "10.98.1.1";
prefixLength = 24;
}];
info = rec {
description = "work";
route = false;
router = "${(head ipv4.addresses).address}";
net = "10.98.1.0";
netmask = "255.255.255.0";
network = "${net}/${toString (head ipv4.addresses).prefixLength}";
dhcp = {
enable = true;
start = "10.98.1.100";
end = "10.98.1.150";
staticIPs = [ ];
};
};
};
badwifi = rec {
ipv4.addresses = [{
address = "10.10.0.1";
prefixLength = 24;
}];
info = rec {
description = "IoT WiFi";
route = true;
router = "${(head ipv4.addresses).address}";
net = "10.10.0.0";
netmask = "255.255.255.0";
network = "${net}/${toString (head ipv4.addresses).prefixLength}";
dhcp = {
enable = true;
start = "10.10.0.100";
end = "10.10.0.155";
staticIPs = [ ];
};
};
};
goodwifi = rec {
ipv4.addresses = [{
address = "10.12.0.1";
prefixLength = 24;
}];
info = rec {
description = "WiFi";
route = false;
router = "${(head ipv4.addresses).address}";
net = "10.12.0.0";
netmask = "255.255.255.0";
network = "${net}/${toString (head ipv4.addresses).prefixLength}";
dhcp = {
enable = false;
start = "10.12.0.100";
end = "10.12.0.155";
staticIPs = [ ];
};
};
};
lab = rec {
ipv4.addresses = [{
address = "10.3.0.1";
prefixLength = 24;
}];
info = rec {
vlanID = 2;
description = "Lab";
route = true;
router = "${(head ipv4.addresses).address}";
net = "10.3.0.0";
netmask = "255.255.255.0";
network = "${net}/${toString (head ipv4.addresses).prefixLength}";
dhcp = {
enable = true;
start = "10.3.0.100";
end = "10.3.0.155";
staticIPs = [{
name = "bbb";
mac = "c8:a0:30:ac:1d:0d";
address = "10.3.0.2";
}];
};
};
};
external = rec {
ipv4.addresses = [{
address = "10.20.30.1";
prefixLength = 24;
}];
info = rec {
description = "DMZ";
route = true;
router = "${(head ipv4.addresses).address}";
net = "10.20.30.0";
netmask = "255.255.255.0";
network = "${net}/${toString (head ipv4.addresses).prefixLength}";
dhcp = {
enable = false;
start = "10.20.30.100";
end = "10.20.30.155";
staticIPs = [ ];
};
};
};
common = rec {
ipv4.addresses = [{
address = "10.6.0.1";
prefixLength = 24;
}];
info = rec {
description = "Common";
route = true;
router = "${(head ipv4.addresses).address}";
vlanID = 5;
net = "10.6.0.0";
netmask = "255.255.255.0";
network = "${net}/${toString (head ipv4.addresses).prefixLength}";
dhcp = {
enable = true;
start = "10.6.0.100";
end = "10.6.0.250";
staticIPs = [
{
name = "tal";
mac = "3c:7c:3f:1d:95:9c";
address = "10.6.0.110";
}
{
name = "namish";
mac = "b8:ae:ed:78:b5:37";
address = "10.6.0.78";
}
{
name = "g5";
mac = "00:0a:95:a8:26:42";
address = "10.6.0.111";
}
{
name = "box";
mac = "d0:50:99:c2:b5:4b";
address = "10.6.0.15";
}
{
name = "greenhouse";
mac = "6c:0b:84:1b:20:07";
address = "10.6.0.20";
}
{
name = "inside";
mac = "6c:0b:84:cb:a7:59";
address = "10.6.0.21";
}
{
name = "weather";
mac = "b8:27:eb:3e:5b:4e";
address = "10.6.0.22";
}
];
};
};
};
voip = rec {
ipv4.addresses = [{
address = "10.7.0.1";
prefixLength = 24;
}];
info = rec {
description = "VoIP";
route = true;
router = "${(head ipv4.addresses).address}";
net = "10.7.0.0";
netmask = "255.255.255.0";
network = "${net}/${toString (head ipv4.addresses).prefixLength}";
dhcp = {
enable = false;
start = "10.7.0.100";
end = "10.7.0.155";
staticIPs = [ ];
};
};
};
};
in {
_module.args.isUnstable = false;
imports = [ ./hardware-configuration.nix ];
boot.kernel.sysctl = {
"net.ipv4.conf.all.forwarding" = true;
"net.ipv6.conf.all.forwarding" = true;
"net.netfilter.nf_conntrack_helper" = true;
};
sops.secrets = {
wireguard_private_key = {
sopsFile = config.xin-secrets.router.networking;
};
};
networking = {
hostName = "router";
useDHCP = false;
firewall.enable = false;
# TODO: iterate over interfaces where .<name>.vlanID is set
vlans = {
badwifi = {
id = 10;
interface = "${trunk}";
};
goodwifi = {
id = 11;
interface = "${trunk}";
};
lab = {
id = 2;
interface = "${trunk}";
};
common = {
id = 5;
interface = "${trunk}";
};
voip = {
id = 6;
interface = "${trunk}";
};
external = {
id = 20;
interface = "${trunk}";
};
};
interfaces = filterAttrsRecursive (n: v: n != "info") interfaces;
nftables = {
enable = true;
ruleset = ''
define DEV_PRIVATE = enp1s0f0
define DEV_HAM = enp2s0f1
table ip global {
chain inbound_world {
#icmp type echo-request limit rate 5/second accept
tcp dport ssh limit rate 1/minute accept
}
chain inbound_private {
icmp type echo-request limit rate 5/second accept
ip protocol . th dport vmap {
tcp . 22 : accept,
udp . 53 : accept,
tcp . 53 : accept,
udp . 67 : accept
}
}
#ct helper tftp {
# type "tftp" protocol udp;
#}
chain inbound_lab {
icmp type echo-request limit rate 5/second accept
#udp dport 69 ct helper set "tftp"
ip protocol . th dport vmap {
tcp . 53 : accept,
tcp . 67 : accept,
udp . 53 : accept,
udp . 69 : accept,
udp . 67 : accept
}
}
chain inbound {
type filter hook input priority 0; policy drop;
ct state vmap { established : accept, related : accept, invalid : drop }
iifname vmap {
lo : accept,
${wan} : jump inbound_world,
$DEV_PRIVATE : jump inbound_private,
$DEV_HAM : jump inbound_private,
common : jump inbound_private,
badwifi : jump inbound_private,
external : jump inbound_private,
voip : jump inbound_private,
lab : jump inbound_lab
}
}
chain forward {
type filter hook forward priority 0; policy drop;
ct state vmap { established : accept, related : accept, invalid : drop }
oifname $DEV_HAM iifname != $DEV_HAM drop
iifname $DEV_PRIVATE accept
iifname $DEV_HAM accept
iifname common accept
iifname badwifi accept
iifname external accept
iifname voip accept
iifname lab accept
}
chain postrouting {
type nat hook postrouting priority 100; policy accept;
oifname ${wan} masquerade
}
}
'';
};
};
services = {
vnstat.enable = true;
atftpd = {
enable = true;
extraOptions = [
"--verbose=9"
"--trace"
"--bind-address ${
(head config.networking.interfaces.lab.ipv4.addresses).address
}"
];
};
dhcpd4 = {
enable = true;
extraConfig = ''
option subnet-mask 255.255.255.0;
option domain-name-servers ${concatStringsSep ", " dnsServers};
${concatStringsSep "\n" (attrValues (mapAttrs (intf: val: ''
# ${intf} : ${val.info.description}
subnet ${val.info.net} netmask ${val.info.netmask} {
option routers ${val.info.router};
range ${val.info.dhcp.start} ${val.info.dhcp.end};
${
concatStringsSep "\n" (map (e: ''
host ${e.name} {
hardware ethernet ${e.mac};
fixed-address ${e.address};
}
'') val.info.dhcp.staticIPs)
}
}
'') (filterAttrsRecursive (n: v: n != "${wan}") interfaces)))}
'';
interfaces = attrNames (filterAttrs (n: v: v.info.dhcp.enable)
(filterAttrsRecursive (n: v: n != "${wan}") interfaces));
# TODO: Probably a better way to pre-filter the interfaces set
};
};
environment.systemPackages = with pkgs; [ bmon termshark tcpdump tsvnstat ];
users.groups.tsvnstat = { };
users.users.tsvnstat = {
createHome = true;
isSystemUser = true;
home = "/var/lib/tsvnstat";
group = "tsvnstat";
};
systemd.services.tsvnstat = {
wantedBy = [ "network.target" ];
serviceConfig = {
User = "tsvnstat";
Group = "tsvnstat";
Restart = "always";
WorkingDirectory = "/var/lib/tsvnstat";
ExecStart = "${tsvnstat}/bin/tsvnstat -name ${config.networking.hostName}-stats";
};
};
users.users.root = userBase;
users.users.qbit = userBase;
system = {
autoUpgrade = {
rebootWindow = {
upper = "03:00";
lower = "01:00";
};
};
stateVersion = "22.05";
};
}