From c4d29829449ff0d2d00b91283d1b99dbaeed0691 Mon Sep 17 00:00:00 2001
From: Daniel Flanagan <daniel@lyte.dev>
Date: Thu, 2 Nov 2023 10:01:58 -0500
Subject: [PATCH] wip firewall for router

---
 .gitignore               |   1 +
 nixos/router/default.nix | 176 ++++++++++++++++++++++++---------------
 2 files changed, 111 insertions(+), 66 deletions(-)

diff --git a/.gitignore b/.gitignore
index 87a3018..7b82853 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
+*.log
 result
 *.qcow2
diff --git a/nixos/router/default.nix b/nixos/router/default.nix
index 8ae6afb..794d0c3 100644
--- a/nixos/router/default.nix
+++ b/nixos/router/default.nix
@@ -53,7 +53,7 @@ in {
   services.fail2ban.enable = true;
   services.radvd = {
     enable = true;
-    # TODO: this config is just the default arch linux config I think and may
+    # NOTE: this config is just the default arch linux config I think and may
     # need tweaking? this is what I had on the arch linux router, though :shrug:
     config = ''
       interface lo
@@ -100,23 +100,6 @@ in {
     '';
   };
 
-  # TODO: lan0 and wan0 systemd.network.link ?
-
-  networking.extraHosts = ''
-    127.0.0.1 localhost
-    127.0.1.1 router.h.lyte.dev router
-
-    ::1 localhost ip6-localhost ip6-loopback
-    ff02::1 ip6-allnodes
-    ff02::2 ip6-allrouters
-
-    192.168.0.9 git.lyte.dev
-    192.168.0.9 video.lyte.dev
-    192.168.0.9 files.lyte.dev
-    192.168.0.9 bw.lyte.dev
-    192.168.0.9 vpn.h.lyte.dev
-  '';
-
   services.resolved = {
     enable = true;
     extraConfig = ''
@@ -125,54 +108,6 @@ in {
     '';
   };
 
-  networking.firewall = {
-    # TODO: port router firewall config
-    enable = true;
-    package = pkgs.nftables;
-    allowPing = true;
-    allowedTCPPorts = [22];
-    allowedUDPPorts = [];
-  };
-
-  networking.dhcpcd = {
-    enable = true;
-    extraConfig = ''
-      duid
-
-      # No way.... https://github.com/NetworkConfiguration/dhcpcd/issues/36#issuecomment-954777644
-      # issues caused by guests with oneplus devices
-      noarp
-      persistent
-      vendorclassid
-
-      option domain_name_servers, domain_name, domain_search
-      option classless_static_routes
-      option interface_mtu
-      option host_name
-      #option ntp_servers
-
-      require dhcp_server_identifier
-      slaac private
-      noipv4ll
-      noipv6rs
-
-      static domain_name_servers=${ip}
-
-      interface ${wan_if}
-      	gateway
-      	ipv6rs
-      	iaid 1
-      	# option rapid_commit
-      	# ia_na 1
-      	ia_pd 1 ${lan_if}
-
-      interface ${lan_if}
-      	static ip_address=${cidr}
-      	static routers=${ip}
-      	static domain_name_servers=${ip}
-    '';
-  };
-
   services.dnsmasq = {
     enable = true;
     # TODO: port to settings
@@ -232,5 +167,114 @@ in {
     '';
   };
 
+  networking.extraHosts = ''
+    127.0.0.1 localhost
+    127.0.1.1 router.h.lyte.dev router
+
+    ::1 localhost ip6-localhost ip6-loopback
+    ff02::1 ip6-allnodes
+    ff02::2 ip6-allrouters
+
+    192.168.0.9 git.lyte.dev
+    192.168.0.9 video.lyte.dev
+    192.168.0.9 files.lyte.dev
+    192.168.0.9 bw.lyte.dev
+    192.168.0.9 vpn.h.lyte.dev
+  '';
+
+  networking.nftables = {
+    enable = true;
+    flushRuleset = true;
+  };
+
+  networking.firewall = {
+    # TODO: allow users to ssh to git.lyte.dev
+    # TODO: allow remote backuppers to ssh to beefcake
+    # TODO: allow DNS internally
+    # TODO: allow 67 for DHCP
+    # TODO: allow 2201 for router ssh access?
+    # TODO: allow 25565 to bald for minecraft
+    # TODO: allow all icmp stuff and dhcp stuff (including dhcpv6-client)
+
+    # filterForward = true;
+
+    extraInputRules = ''
+    '';
+    extraForwardRules = ''
+    '';
+
+    enable = true;
+
+    package = pkgs.nftables;
+    allowPing = true;
+    allowedTCPPorts = [22];
+    allowedUDPPorts = [];
+    # allowedTCPPortRanges = [{from = 1; to = 10;}];
+    # allowedUDPPortRanges = [{from = 1; to = 10;}];
+  };
+
+  networking.dhcpcd = {
+    enable = true;
+    extraConfig = ''
+      duid
+
+      # No way.... https://github.com/NetworkConfiguration/dhcpcd/issues/36#issuecomment-954777644
+      # issues caused by guests with oneplus devices
+      noarp
+      persistent
+      vendorclassid
+
+      option domain_name_servers, domain_name, domain_search
+      option classless_static_routes
+      option interface_mtu
+      option host_name
+      #option ntp_servers
+
+      require dhcp_server_identifier
+      slaac private
+      noipv4ll
+      noipv6rs
+
+      static domain_name_servers=${ip}
+
+      interface ${wan_if}
+      	gateway
+      	ipv6rs
+      	iaid 1
+      	# option rapid_commit
+      	# ia_na 1
+      	ia_pd 1 ${lan_if}
+
+      interface ${lan_if}
+      	static ip_address=${cidr}
+      	static routers=${ip}
+      	static domain_name_servers=${ip}
+    '';
+  };
+
+  systemd.network = {
+    enable = true;
+    links = {
+      "${wan_if}" = {
+        enable = true;
+        matchConfig = {
+          MACAddress = "00:01:2e:82:73:59";
+        };
+        linkConfig = {
+          Name = wan_if;
+        };
+      };
+      "${lan_if}" = {
+        enable = true;
+        matchConfig = {
+          MACAddress = "00:01:2e:82:73:5a";
+        };
+        linkConfig = {
+          Name = lan_if;
+        };
+      };
+    };
+  };
+
   system.stateVersion = "23.11";
 }