lytedev/nix
1
0
Fork 1
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Things work nominally now, but IPv6 is lacking

Browse source
This commit is contained in:
Daniel Flanagan 2024-07-17 17:35:36 -05:00
parent a0b505e226
commit 1364e4b6e9
3 changed files with 40 additions and 15 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
flake.nix
View file

@ -165,6 +165,7 @@
hardware.nixosModules.common-cpu-intel hardware.nixosModules.common-cpu-intel
common common
linux
fonts fonts
./nixos/beefcake.nix ./nixos/beefcake.nix

2
modules/nixos/default.nix
View file

@ -428,7 +428,7 @@
services.desktopManager.plasma6.enable = true; services.desktopManager.plasma6.enable = true;
programs.dconf.enable = true; programs.dconf.enable = true;
services.xrdp.enable = true; services.xrdp.enable = false;
services.xrdp.defaultWindowManager = "plasma"; services.xrdp.defaultWindowManager = "plasma";
services.xrdp.openFirewall = false; services.xrdp.openFirewall = false;

52
nixos/router.nix
View file

@ -1,7 +1,7 @@
{ {
lib, lib,
# outputs, # outputs,
config, # config,
pkgs, pkgs,
... ...
}: let }: let
@ -51,13 +51,8 @@
"net.ipv4.conf.${interfaces.wan.name}.rp_filter" = 1; "net.ipv4.conf.${interfaces.wan.name}.rp_filter" = 1;
"net.ipv4.conf.${interfaces.lan.name}.rp_filter" = 0; "net.ipv4.conf.${interfaces.lan.name}.rp_filter" = 0;
# TODO: may want to disable this once it's working "net.ipv6.conf.${interfaces.wan.name}.accept_ra" = 2;
# "net.ipv6.conf.all.accept_ra" = 0; "net.ipv6.conf.${interfaces.wan.name}.autoconf" = 1;
# "net.ipv6.conf.all.autoconf" = 0;
# "net.ipv6.conf.all.use_tempaddr" = 0;
# "net.ipv6.conf.${wan_if}.accept_ra" = 2;
# "net.ipv6.conf.${wan_if}.autoconf" = 1;
}; };
in { in {
imports = [ imports = [
@ -154,6 +149,10 @@ in {
meta l4proto icmp accept comment "Accept ICMP" meta l4proto icmp accept comment "Accept ICMP"
ip protocol igmp accept comment "Accept IGMP" ip protocol igmp accept comment "Accept IGMP"
ip6 nexthdr icmpv6 icmpv6 type nd-router-solicit accept comment "Accept IPv6 router solicitation"
ip6 nexthdr icmpv6 icmpv6 type nd-router-advert accept comment "Accept IPv6 router advertisements"
udp dport dhcpv6-client udp sport dhcpv6-server accept comment "IPv6 DHCP"
udp dport mdns ip6 daddr ff02::fb accept comment "Accept mDNS" udp dport mdns ip6 daddr ff02::fb accept comment "Accept mDNS"
udp dport mdns ip daddr 224.0.0.251 accept comment "Accept mDNS" udp dport mdns ip daddr 224.0.0.251 accept comment "Accept mDNS"
@ -165,6 +164,7 @@ in {
ip saddr @LANv4 jump my_input_lan comment "Connections from private IP address ranges" ip saddr @LANv4 jump my_input_lan comment "Connections from private IP address ranges"
iifname "${lan}" accept comment "Allow local network to access the router" iifname "${lan}" accept comment "Allow local network to access the router"
iifname "tailscale0" accept comment "Allow local network to access the router"
iifname "${wan}" counter drop comment "Drop all other unsolicited traffic from wan" iifname "${wan}" counter drop comment "Drop all other unsolicited traffic from wan"
} }
@ -172,6 +172,7 @@ in {
type filter hook forward priority filter; policy drop; type filter hook forward priority filter; policy drop;
iifname { "${lan}" } oifname { "${wan}" } accept comment "Allow trusted LAN to WAN" iifname { "${lan}" } oifname { "${wan}" } accept comment "Allow trusted LAN to WAN"
iifname { "tailscale0" } oifname { "${wan}" } accept comment "Allow trusted LAN to WAN"
iifname { "${wan}" } oifname { "${lan}" } ct state { established, related } accept comment "Allow established back to LAN" iifname { "${wan}" } oifname { "${lan}" } ct state { established, related } accept comment "Allow established back to LAN"
} }
} }
@ -181,9 +182,11 @@ in {
type nat hook prerouting priority dstnat; type nat hook prerouting priority dstnat;
iifname ${lan} accept iifname ${lan} accept
iifname tailscale0 accept
iifname ${wan} tcp dport {22} dnat to ${hosts.beefcake.ip} comment "Allow SSH to server" iifname ${wan} tcp dport {22} dnat to ${hosts.beefcake.ip} comment "NAT SSH to beefcake"
iifname ${wan} tcp dport {80, 443} dnat to ${hosts.beefcake.ip} comment "Allow HTTP/HTTPS to server" iifname ${wan} tcp dport {80, 443} dnat to ${hosts.beefcake.ip} comment "NAT HTTP/HTTPS to beefcake"
iifname ${wan} tcp dport {25565, 26966} dnat to ${hosts.beefcake.ip} comment "NAT minecraft servers to beefcake"
} }
chain postrouting { chain postrouting {
@ -282,22 +285,43 @@ in {
cidr cidr
]; ];
networkConfig = { networkConfig = {
Description = "LAN network - connection to switch in house";
ConfigureWithoutCarrier = true; ConfigureWithoutCarrier = true;
IPv6AcceptRA = false;
IPv6SendRA = true;
}; };
}; };
"40-${interfaces.wan.name}" = { "40-${interfaces.wan.name}" = {
matchConfig.Name = "${interfaces.wan.name}"; matchConfig.Name = "${interfaces.wan.name}";
networkConfig = { networkConfig = {
DHCP = true; Description = "WAN network - connection to fiber ISP jack";
DNSOverTLS = true; DHCP = "ipv4";
DNSSEC = true; IPv6AcceptRA = true;
IPv6PrivacyExtensions = false;
IPForward = true; IPForward = true;
}; };
dhcpV6Config = {
# ForceDHCPv6PDOtherInformation = true;
UseHostname = false;
UseDNS = false;
UseNTP = false;
};
dhcpV4Config = {
Hostname = hostname;
UseHostname = false;
UseDNS = false;
UseNTP = false;
UseSIP = false;
UseRoutes = false;
UseGateway = true;
};
linkConfig = { linkConfig = {
RequiredForOnline = "routable"; RequiredForOnline = "routable";
# Name = interfaces.wan.name; # Name = interfaces.wan.name;
}; };
ipv6AcceptRAConfig = {
DHCPv6Client = "always";
UseDNS = false;
};
}; };
}; };
}; };