Router alive, but not routing
This commit is contained in:
parent
e6e1225858
commit
a2c6a0fe93
4 changed files with 217 additions and 27 deletions
60
flake.lock
60
flake.lock
|
@ -21,6 +21,27 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"dependencyDagOfSubmodule": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"nnf",
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1656615370,
|
||||
"narHash": "sha256-IZDqz1aSySoqf1qtVQg+oJMHfC4IlT55Zoa7EkjvPug=",
|
||||
"owner": "thelegy",
|
||||
"repo": "nix-dependencyDagOfSubmodule",
|
||||
"rev": "98eb563d80b35acafbfc1abb9ccee569c1efb19c",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "thelegy",
|
||||
"repo": "nix-dependencyDagOfSubmodule",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"disko": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
|
@ -395,6 +416,22 @@
|
|||
}
|
||||
},
|
||||
"nixpkgs_4": {
|
||||
"locked": {
|
||||
"lastModified": 1692638711,
|
||||
"narHash": "sha256-J0LgSFgJVGCC1+j5R2QndadWI1oumusg6hCtYAzLID4=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "91a22f76cd1716f9d0149e8a5c68424bb691de15",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "NixOS",
|
||||
"ref": "nixos-unstable",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs_5": {
|
||||
"locked": {
|
||||
"lastModified": 1716769173,
|
||||
"narHash": "sha256-7EXDb5WBw+d004Agt+JHC/Oyh/KTUglOaQ4MNjBbo5w=",
|
||||
|
@ -410,6 +447,26 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nnf": {
|
||||
"inputs": {
|
||||
"dependencyDagOfSubmodule": "dependencyDagOfSubmodule",
|
||||
"nixpkgs": "nixpkgs_4"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1720615408,
|
||||
"narHash": "sha256-Q1G6GVUWXra9rdWTbSq21WaeRyWwINE7a5SRJekn6h4=",
|
||||
"owner": "thelegy",
|
||||
"repo": "nixos-nftables-firewall",
|
||||
"rev": "71fc2b79358d0dbacde83c806a0f008ece567b7b",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "thelegy",
|
||||
"repo": "nixos-nftables-firewall",
|
||||
"rev": "71fc2b79358d0dbacde83c806a0f008ece567b7b",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"pre-commit": {
|
||||
"inputs": {
|
||||
"flake-compat": "flake-compat",
|
||||
|
@ -442,6 +499,7 @@
|
|||
"hyprland": "hyprland",
|
||||
"nixpkgs": "nixpkgs_3",
|
||||
"nixpkgs-unstable": "nixpkgs-unstable",
|
||||
"nnf": "nnf",
|
||||
"pre-commit": "pre-commit",
|
||||
"slippi": "slippi",
|
||||
"sops-nix": "sops-nix"
|
||||
|
@ -474,7 +532,7 @@
|
|||
},
|
||||
"slippi": {
|
||||
"inputs": {
|
||||
"nixpkgs": "nixpkgs_4"
|
||||
"nixpkgs": "nixpkgs_5"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1720625270,
|
||||
|
|
|
@ -20,6 +20,8 @@
|
|||
hardware.url = "github:nixos/nixos-hardware";
|
||||
hyprland.url = "github:hyprwm/Hyprland";
|
||||
slippi.url = "github:lytedev/slippi-nix";
|
||||
|
||||
nnf.url = "github:thelegy/nixos-nftables-firewall?rev=71fc2b79358d0dbacde83c806a0f008ece567b7b";
|
||||
};
|
||||
|
||||
nixConfig = {
|
||||
|
@ -52,6 +54,7 @@
|
|||
home-manager,
|
||||
helix,
|
||||
hardware,
|
||||
nnf,
|
||||
# hyprland,
|
||||
slippi,
|
||||
...
|
||||
|
@ -344,6 +347,7 @@
|
|||
modules = with nixosModules; [
|
||||
outputs.diskoConfigurations.unencrypted
|
||||
common
|
||||
nnf.nixosModules.default
|
||||
./nixos/router.nix
|
||||
];
|
||||
};
|
||||
|
|
167
nixos/router.nix
167
nixos/router.nix
|
@ -12,9 +12,9 @@
|
|||
domain = "h.lyte.dev";
|
||||
ip = "192.168.0.1";
|
||||
cidr = "${ip}/16";
|
||||
netmask = "255.255.0.0"; # see cidr
|
||||
netmask = "255.255.255.0"; # see cidr
|
||||
dhcp_lease_space = {
|
||||
min = "192.168.0.5";
|
||||
min = "192.168.0.30";
|
||||
max = "192.168.0.250";
|
||||
};
|
||||
interfaces = {
|
||||
|
@ -29,13 +29,9 @@
|
|||
};
|
||||
hosts = {
|
||||
dragon = {
|
||||
identifier = "dragon";
|
||||
host = "dragon";
|
||||
ip = "192.168.0.10";
|
||||
};
|
||||
beefcake = {
|
||||
identifier = "beefcake";
|
||||
host = "beefcake";
|
||||
ip = "192.168.0.9";
|
||||
};
|
||||
};
|
||||
|
@ -92,38 +88,116 @@ in {
|
|||
networking = {
|
||||
hostName = hostname;
|
||||
domain = domain;
|
||||
|
||||
useDHCP = false;
|
||||
nat.enable = false;
|
||||
firewall.enable = false;
|
||||
|
||||
useNetworkd = true;
|
||||
|
||||
extraHosts = ''
|
||||
127.0.0.1 localhost
|
||||
127.0.0.2 ${hostname}.${domain} ${hostname}
|
||||
${ip} ${hostname}.${domain} ${hostname}
|
||||
127.0.0.1 localhost
|
||||
127.0.0.2 ${hostname}.${domain} ${hostname}
|
||||
${ip} ${hostname}.${domain} ${hostname}
|
||||
|
||||
::1 localhost ip6-localhost ip6-loopback
|
||||
ff02::1 ip6-allnodes
|
||||
kkkkk ff02::2 ip6-allrouters
|
||||
::1 localhost ip6-localhost ip6-loopback
|
||||
ff02::1 ip6-allnodes
|
||||
ff02::2 ip6-allrouters
|
||||
'';
|
||||
|
||||
firewall.enable = true;
|
||||
firewall.allowedTCPPorts = [
|
||||
2201
|
||||
22
|
||||
];
|
||||
nftables.firewall = let
|
||||
me = config.networking.nftables.firewall.localZoneName;
|
||||
in {
|
||||
enable = true;
|
||||
snippets.nnf-common.enable = true;
|
||||
|
||||
zones = {
|
||||
${interfaces.wan.name} = {
|
||||
interfaces = [interfaces.wan.name];
|
||||
};
|
||||
${interfaces.lan.name} = {
|
||||
parent = interfaces.wan.name;
|
||||
ipv4Addresses = [cidr];
|
||||
};
|
||||
# banned = {
|
||||
# ingressExpression = [
|
||||
# "ip saddr @banlist"
|
||||
# "ip6 saddr @banlist6"
|
||||
# ];
|
||||
# egressExpression = [
|
||||
# "ip daddr @banlist"
|
||||
# "ip6 daddr @banlist6"
|
||||
# ];
|
||||
# };
|
||||
};
|
||||
|
||||
rules = {
|
||||
dhcp = {
|
||||
from = "all";
|
||||
to = [hosts.beefcake.ip];
|
||||
allowedTCPPorts = [67];
|
||||
allowedUDPPorts = [67];
|
||||
};
|
||||
http = {
|
||||
from = "all";
|
||||
to = [hosts.beefcake.ip];
|
||||
allowedTCPPorts = [80 443];
|
||||
};
|
||||
router-ssh = {
|
||||
from = "all";
|
||||
to = [me];
|
||||
allowedTCPPorts = [2201];
|
||||
};
|
||||
server-ssh = {
|
||||
from = "all";
|
||||
to = [hosts.beefcake.ip];
|
||||
allowedTCPPorts = [22];
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
systemd.network = {
|
||||
enable = true;
|
||||
wait-online.anyInterface = true;
|
||||
|
||||
links = {
|
||||
"10-${interfaces.wan.name}" = {
|
||||
enable = true;
|
||||
matchConfig = {
|
||||
MACAddress = interfaces.wan.mac;
|
||||
};
|
||||
linkConfig = {
|
||||
Name = interfaces.wan.name;
|
||||
};
|
||||
};
|
||||
"10-${interfaces.lan.name}" = {
|
||||
enable = true;
|
||||
matchConfig = {
|
||||
MACAddress = interfaces.lan.mac;
|
||||
};
|
||||
linkConfig = {
|
||||
Name = interfaces.lan.name;
|
||||
};
|
||||
};
|
||||
};
|
||||
networks = {
|
||||
"30-${interfaces.lan.name}" = {
|
||||
matchConfig.MACAddress = "${interfaces.lan.mac}";
|
||||
linkConfig.RequiredForOnline = "enslaved";
|
||||
matchConfig.Name = "${interfaces.lan.name}";
|
||||
linkConfig = {
|
||||
RequiredForOnline = "enslaved";
|
||||
# Name = interfaces.lan.name;
|
||||
};
|
||||
|
||||
address = [
|
||||
cidr
|
||||
];
|
||||
networkConfig = {
|
||||
ConfigureWithoutCarrier = true;
|
||||
};
|
||||
};
|
||||
"10-${interfaces.wan.name}" = {
|
||||
matchConfig.MACAddress = "${interfaces.wan.mac}";
|
||||
"20-${interfaces.wan.name}" = {
|
||||
matchConfig.Name = "${interfaces.wan.name}";
|
||||
networkConfig = {
|
||||
DHCP = true;
|
||||
DNSOverTLS = true;
|
||||
|
@ -131,11 +205,60 @@ in {
|
|||
IPv6PrivacyExtensions = false;
|
||||
IPForward = true;
|
||||
};
|
||||
linkConfig.RequiredForOnline = "routable";
|
||||
linkConfig = {
|
||||
RequiredForOnline = "routable";
|
||||
# Name = interfaces.wan.name;
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
services.resolved.enable = false;
|
||||
|
||||
services.dnsmasq = {
|
||||
enable = true;
|
||||
settings = {
|
||||
server = ["1.1.1.1" "9.9.9.9" "8.8.8.8"];
|
||||
|
||||
domain-needed = true;
|
||||
bogus-priv = true;
|
||||
no-resolv = true;
|
||||
|
||||
cache-size = 1000;
|
||||
|
||||
dhcp-range = with dhcp_lease_space; ["${interfaces.lan.name},${min},${max},${netmask},24h"];
|
||||
interface = interfaces.lan.name;
|
||||
dhcp-host =
|
||||
[
|
||||
]
|
||||
++ (lib.attrsets.mapAttrsToList (name: {
|
||||
ip,
|
||||
identifier ? name,
|
||||
time ? "12h",
|
||||
}: "${name},${ip},${identifier},${time}")
|
||||
hosts);
|
||||
|
||||
address =
|
||||
[
|
||||
"/${hostname}.${domain}/${ip}"
|
||||
]
|
||||
++ (lib.attrsets.mapAttrsToList (name: {
|
||||
ip,
|
||||
identifier ? name,
|
||||
time ? "12h",
|
||||
}: "/${name}.${domain}/${ip}")
|
||||
hosts);
|
||||
|
||||
# local domains
|
||||
local = "/lan/";
|
||||
domain = "lan";
|
||||
expand-hosts = true;
|
||||
|
||||
# don't use /etc/hosts as this would advertise surfer as localhost
|
||||
no-hosts = true;
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services.systemd-networkd-wait-online.enable = lib.mkForce false;
|
||||
|
||||
services.openssh.listenAddresses = [
|
||||
|
|
|
@ -1,7 +1,8 @@
|
|||
#!/usr/bin/env bash
|
||||
|
||||
usage() {
|
||||
echo 'safe-remote-upgrade.bash $flake $target_host'
|
||||
echo 'usage'
|
||||
echo ' safe-remote-upgrade.bash $FLAKE_REF $TARGET_HOST'
|
||||
}
|
||||
|
||||
error() {
|
||||
|
@ -23,22 +24,26 @@ if [[ -z $1 ]]; then
|
|||
fi
|
||||
target_host="$1"; shift
|
||||
|
||||
set -eu
|
||||
|
||||
git add -A
|
||||
|
||||
ssh "root@$target_host" "bash -c '
|
||||
set -m
|
||||
# sleep 5 mins
|
||||
echo \"Starting background reboot job...\"
|
||||
(sleep 300; reboot;) &
|
||||
jobs -p
|
||||
bg
|
||||
disown
|
||||
'"
|
||||
'" &
|
||||
|
||||
nix run nixpkgs#nixos-rebuild -- --flake "$flake" \
|
||||
--target-host "root@$target_host" test --show-trace
|
||||
|
||||
echo "Upgrade ready for verification. If you still have SSH access you can bail out without waiting with the following command:"
|
||||
echo " ssh 'root@$target_host' nixos-rebuild --rollback switch"
|
||||
echo
|
||||
echo
|
||||
echo "Waiting..."
|
||||
wait
|
||||
echo 'Done!'
|
||||
|
||||
|
|
Loading…
Reference in a new issue