nix/packages/hosts/router.nix

{
  hardware,
  config,
  lib,
  # outputs,
  pkgs,
  ...
}:
let
in
/*
  NOTE: My goal is to be able to apply most of the common tweaks to the router
  either live on the system for ad-hoc changes (such as forwarding a port for a
  multiplayer game) or to tweak these values just below without reaching deeper
  into the modules' implementation of these configuration values
  NOTE: I could turn this into a cool NixOS module?
  TODO: review https://francis.begyn.be/blog/nixos-home-router
  TODO: more recent: https://github.com/ghostbuster91/blogposts/blob/a2374f0039f8cdf4faddeaaa0347661ffc2ec7cf/router2023-part2/main.md
*/
{
  system.stateVersion = "24.11";

  # hardware
  boot = {
    loader = {
      efi.canTouchEfiVariables = true;
      systemd-boot.enable = true;
    };
    initrd.availableKernelModules = [ "xhci_pci" ];
    initrd.kernelModules = [ ];
    kernelModules = [ "kvm-intel" ];
    extraModulePackages = [ ];
  };

  fileSystems."/" = {
    device = "/dev/disk/by-uuid/6ec80156-62e0-4f6f-b6eb-e2f588f88802";
    fsType = "btrfs";
    options = [ "subvol=root" ];
  };
  fileSystems."/nix" = {
    device = "/dev/disk/by-uuid/6ec80156-62e0-4f6f-b6eb-e2f588f88802";
    fsType = "btrfs";
    options = [ "subvol=nix" ];
  };
  fileSystems."/home" = {
    device = "/dev/disk/by-uuid/6ec80156-62e0-4f6f-b6eb-e2f588f88802";
    fsType = "btrfs";
    options = [ "subvol=home" ];
  };
  fileSystems."/boot" = {
    device = "/dev/disk/by-uuid/7F78-7AE8";
    fsType = "vfat";
    options = [
      "fmask=0022"
      "dmask=0022"
    ];
  };
  powerManagement.cpuFreqGovernor = "performance";

  imports = with hardware; [
    common-cpu-intel
    common-pc-ssd
  ];

  environment.systemPackages = with pkgs; [
    iftop
  ];

  sops = {
    defaultSopsFile = ../../secrets/router/secrets.yml;
    age = {
      sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
      keyFile = "/var/lib/sops-nix/key.txt";
      generateKey = true;
    };
    secrets = {
      netlify-ddns-password = {
        mode = "0400";
      };
    };
  };
  services.deno-netlify-ddns-client = {
    passwordFile = config.sops.secrets.netlify-ddns-password.path;
  };

  services.openssh.listenAddresses = [
    {
      addr = "0.0.0.0";
      port = 2201;
    }
    {
      addr = "0.0.0.0";
      port = 22;
    }
    {
      addr = "[::]";
      port = 2201;
    }
    {
      addr = "[::]";
      port = 22;
    }
  ];

  lyte = {
    shell.enable = true;
    router = {
      enable = true;
      hostname = "router";
      domain = "h.lyte.dev";
      interfaces = {
        wan.mac = "00:01:2e:82:73:59";
        lan.mac = "00:01:2e:82:73:5a";
      };

      openPorts = {
        tcp = {
          "Accept SSH to router" = 2201;
        };
        udp = {
          "Accept DNS" = 53;
        };
      };

      # TODO: nftables

      hosts = {
        dragon = {
          ip = "192.168.0.10";
        };
        bald = {
          ip = "192.168.0.11";
          nat.tcp.minecraft = 25565;
          additionalHosts = [
            "ourcraft.lyte.dev"
          ];
        };
        beefcake = {
          ip = "192.168.0.9";
          nat = {
            tcp = {
              "SSH" = 22;
              "HTTP" = 80;
              "HTTPS" = 443;
              "Minecraft Flanilla" = 26966;
            };
            udp = {
              "QUIC" = [
                80
                443
              ];
              "Factorio" = 34197;
            };
          };
          additionalHosts = [
            ".beefcake.lan"
            "a.lyte.dev"
            "atuin.h.lyte.dev"
            "audio.lyte.dev"
            "bw.lyte.dev"
            "files.lyte.dev"
            "finances.h.lyte.dev"
            "git.lyte.dev"
            "grafana.h.lyte.dev"
            "idm.h.lyte.dev"
            "matrix.lyte.dev"
            "nextcloud.h.lyte.dev"
            "nix.h.lyte.dev"
            "onlyoffice.h.lyte.dev"
            "paperless.h.lyte.dev"
            "prometheus.h.lyte.dev"
            "video.lyte.dev"
            "vpn.h.lyte.dev"
          ];
        };
      };
    };
  };
}
Add wip router 2023-10-31 17:21:56 -05:00			`{`
chore: wip router migration 2025-02-18 16:28:00 -06:00			`hardware,`
Router secrets 2024-09-13 00:38:04 -05:00			`config,`
Add wip router 2023-10-31 17:21:56 -05:00			`lib,`
			`# outputs,`
Firewall? 2024-07-16 16:36:22 -05:00			`pkgs,`
Add wip router 2023-10-31 17:21:56 -05:00			`...`
Format 2025-02-14 13:31:18 -06:00			`}:`
			`let`
chore: wip router migration 2025-02-18 16:28:00 -06:00			`in`
feat: add router 2025-02-18 21:53:09 -06:00			`/*`
			`NOTE: My goal is to be able to apply most of the common tweaks to the router`
			`either live on the system for ad-hoc changes (such as forwarding a port for a`
			`multiplayer game) or to tweak these values just below without reaching deeper`
			`into the modules' implementation of these configuration values`
			`NOTE: I could turn this into a cool NixOS module?`
			`TODO: review https://francis.begyn.be/blog/nixos-home-router`
			`TODO: more recent: https://github.com/ghostbuster91/blogposts/blob/a2374f0039f8cdf4faddeaaa0347661ffc2ec7cf/router2023-part2/main.md`
			`*/`
chore: wip router migration 2025-02-18 16:28:00 -06:00			`{`
			`system.stateVersion = "24.11";`
Getting there... 2024-07-17 16:27:54 -05:00
chore: wip router migration 2025-02-18 16:28:00 -06:00			`# hardware`
			`boot = {`
			`loader = {`
			`efi.canTouchEfiVariables = true;`
			`systemd-boot.enable = true;`
			`};`
			`initrd.availableKernelModules = [ "xhci_pci" ];`
			`initrd.kernelModules = [ ];`
			`kernelModules = [ "kvm-intel" ];`
			`extraModulePackages = [ ];`
			`};`
Lan services? 2024-07-18 15:54:50 -05:00
chore: wip router migration 2025-02-18 16:28:00 -06:00			`fileSystems."/" = {`
			`device = "/dev/disk/by-uuid/6ec80156-62e0-4f6f-b6eb-e2f588f88802";`
			`fsType = "btrfs";`
			`options = [ "subvol=root" ];`
Stuff 2024-07-16 20:34:02 -05:00			`};`
chore: wip router migration 2025-02-18 16:28:00 -06:00			`fileSystems."/nix" = {`
			`device = "/dev/disk/by-uuid/6ec80156-62e0-4f6f-b6eb-e2f588f88802";`
			`fsType = "btrfs";`
			`options = [ "subvol=nix" ];`
			`};`
			`fileSystems."/home" = {`
			`device = "/dev/disk/by-uuid/6ec80156-62e0-4f6f-b6eb-e2f588f88802";`
			`fsType = "btrfs";`
			`options = [ "subvol=home" ];`
			`};`
			`fileSystems."/boot" = {`
			`device = "/dev/disk/by-uuid/7F78-7AE8";`
			`fsType = "vfat";`
			`options = [`
			`"fmask=0022"`
			`"dmask=0022"`
			`];`
			`};`
			`powerManagement.cpuFreqGovernor = "performance";`
Trying to upgrade router to NixOS 2024-07-11 12:51:51 -05:00
chore: wip router migration 2025-02-18 16:28:00 -06:00			`imports = with hardware; [`
			`common-cpu-intel`
			`common-pc-ssd`
No bitwarden desktop on macos 2024-07-16 15:38:46 -05:00			`];`
Add wip router 2023-10-31 17:21:56 -05:00
Add iftop to router 2024-09-09 10:05:23 -05:00			`environment.systemPackages = with pkgs; [`
			`iftop`
			`];`

Router secrets 2024-09-13 00:38:04 -05:00			`sops = {`
feat: add router 2025-02-18 21:53:09 -06:00			`defaultSopsFile = ../../secrets/router/secrets.yml;`
Router secrets 2024-09-13 00:38:04 -05:00			`age = {`
Format 2025-02-14 13:31:18 -06:00			`sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];`
Router secrets 2024-09-13 00:38:04 -05:00			`keyFile = "/var/lib/sops-nix/key.txt";`
			`generateKey = true;`
			`};`
			`secrets = {`
Format 2025-02-14 13:31:18 -06:00			`netlify-ddns-password = {`
			`mode = "0400";`
			`};`
Router secrets 2024-09-13 00:38:04 -05:00			`};`
			`};`
			`services.deno-netlify-ddns-client = {`
			`passwordFile = config.sops.secrets.netlify-ddns-password.path;`
			`};`

feat: add router 2025-02-18 21:53:09 -06:00			`services.openssh.listenAddresses = [`
			`{`
			`addr = "0.0.0.0";`
			`port = 2201;`
			`}`
			`{`
			`addr = "0.0.0.0";`
			`port = 22;`
			`}`
			`{`
			`addr = "[::]";`
			`port = 2201;`
			`}`
			`{`
			`addr = "[::]";`
			`port = 22;`
			`}`
			`];`

chore: wip router migration 2025-02-18 16:28:00 -06:00			`lyte = {`
			`shell.enable = true;`
			`router = {`
			`enable = true;`
			`hostname = "router";`
			`domain = "h.lyte.dev";`
			`interfaces = {`
			`wan.mac = "00:01:2e:82:73:59";`
			`lan.mac = "00:01:2e:82:73:5a";`
			`};`
feat: add router 2025-02-18 21:53:09 -06:00
chore: wip router firewall options 2025-02-18 22:37:45 -06:00			`openPorts = {`
			`tcp = {`
			`"Accept SSH to router" = 2201;`
			`};`
			`udp = {`
			`"Accept DNS" = 53;`
			`};`
			`};`

			`# TODO: nftables`

feat: add router 2025-02-18 21:53:09 -06:00			`hosts = {`
			`dragon = {`
			`ip = "192.168.0.10";`
			`};`
			`bald = {`
			`ip = "192.168.0.11";`
chore: wip router firewall options 2025-02-18 22:37:45 -06:00			`nat.tcp.minecraft = 25565;`
feat: add router 2025-02-18 21:53:09 -06:00			`additionalHosts = [`
			`"ourcraft.lyte.dev"`
			`];`
			`};`
			`beefcake = {`
			`ip = "192.168.0.9";`
chore: wip router firewall options 2025-02-18 22:37:45 -06:00			`nat = {`
			`tcp = {`
			`"SSH" = 22;`
			`"HTTP" = 80;`
			`"HTTPS" = 443;`
			`"Minecraft Flanilla" = 26966;`
			`};`
			`udp = {`
			`"QUIC" = [`
			`80`
			`443`
			`];`
			`"Factorio" = 34197;`
			`};`
			`};`
feat: add router 2025-02-18 21:53:09 -06:00			`additionalHosts = [`
			`".beefcake.lan"`
			`"a.lyte.dev"`
			`"atuin.h.lyte.dev"`
			`"audio.lyte.dev"`
			`"bw.lyte.dev"`
			`"files.lyte.dev"`
			`"finances.h.lyte.dev"`
			`"git.lyte.dev"`
			`"grafana.h.lyte.dev"`
			`"idm.h.lyte.dev"`
			`"matrix.lyte.dev"`
			`"nextcloud.h.lyte.dev"`
			`"nix.h.lyte.dev"`
			`"onlyoffice.h.lyte.dev"`
			`"paperless.h.lyte.dev"`
			`"prometheus.h.lyte.dev"`
			`"video.lyte.dev"`
			`"vpn.h.lyte.dev"`
			`];`
			`};`
Format 2025-02-14 13:31:18 -06:00			`};`
chore: wip router migration 2025-02-18 16:28:00 -06:00			`};`
			`};`
Add wip router 2023-10-31 17:21:56 -05:00			`}`