From c56ba89284cbb584e977a142086cd9094999c45d Mon Sep 17 00:00:00 2001 From: Daniel Flanagan Date: Tue, 31 Oct 2023 17:21:56 -0500 Subject: [PATCH] Add wip router --- flake.nix | 3 + nixos/foxtrot/default.nix | 1 - nixos/router/default.nix | 242 ++++++++++++++++++++++++++++++++++++++ 3 files changed, 245 insertions(+), 1 deletion(-) create mode 100644 nixos/router/default.nix diff --git a/flake.nix b/flake.nix index 3e780b9..8783b95 100644 --- a/flake.nix +++ b/flake.nix @@ -117,6 +117,9 @@ musicbox = mkNixosSystem "x86_64-linux" [./nixos/musicbox] (with outputs.homeManagerModules; [ sway ]); + router = mkNixosSystem "x86_64-linux" [./nixos/router] (with outputs.homeManagerModules; [ + common + ]); }; # Standalone home-manager configuration entrypoint diff --git a/nixos/foxtrot/default.nix b/nixos/foxtrot/default.nix index 354bf59..2c293ac 100644 --- a/nixos/foxtrot/default.nix +++ b/nixos/foxtrot/default.nix @@ -27,7 +27,6 @@ ]; # TODO: hibernation? does sleep suffice? - # TODO: perform a hardware scan boot = { loader = { diff --git a/nixos/router/default.nix b/nixos/router/default.nix new file mode 100644 index 0000000..779dc43 --- /dev/null +++ b/nixos/router/default.nix @@ -0,0 +1,242 @@ +{ + flake, + inputs, + lib, + # outputs, + # config, + pkgs, + ... +}: let + ip = "192.168.0.1"; + cidr = "${ip}/16"; + netmask = "255.255.0.0"; + lease = { + min = "192.168.0.5"; + max = "192.168.0.250"; + }; + wan_if = "wan0"; + lan_if = "lan0"; + hosts = { + dragon = { + identifier = "dragon"; + host = "dragon"; + ip = "192.168.0.1"; + }; + }; +in { + networking.hostName = "router"; + networking.domain = "h.lyte.dev"; + + imports = + [ + inputs.disko.nixosModules.disko + flake.diskoConfigurations.unencrypted + ] + ++ [ + # inputs.hardware.nixosModules.common-cpu-amd + # inputs.hardware.nixosModules.common-cpu-amd-pstate + # inputs.hardware.nixosModules.common-pc-laptop-ssd + ]; + + # TODO: perform a hardware scan + + boot = { + loader = { + efi.canTouchEfiVariables = true; + systemd-boot.enable = true; + }; + kernel = { + sysctl = { + "net.ipv4.ip_forward" = 1; + "net.ipv6.conf.all.forwarding" = 1; + "net.ipv6.conf.wan0.accept_ra" = 2; + }; + }; + }; + + powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand"; + + services.fail2ban.enable = true; + services.radvd = { + enable = true; + # TODO: this config is just the default arch linux config I think and may + # need tweaking? this is what I had on the arch linux router, though :shrug: + config = '' + interface lo + { + AdvSendAdvert on; + MinRtrAdvInterval 3; + MaxRtrAdvInterval 10; + AdvDefaultPreference low; + AdvHomeAgentFlag off; + + prefix 2001:db8:1:0::/64 + { + AdvOnLink on; + AdvAutonomous on; + AdvRouterAddr off; + }; + + prefix 0:0:0:1234::/64 + { + AdvOnLink on; + AdvAutonomous on; + AdvRouterAddr off; + Base6to4Interface ppp0; + AdvPreferredLifetime 120; + AdvValidLifetime 300; + }; + + route 2001:db0:fff::/48 + { + AdvRoutePreference high; + AdvRouteLifetime 3600; + }; + + RDNSS 2001:db8::1 2001:db8::2 + { + AdvRDNSSLifetime 30; + }; + + DNSSL branch.example.com example.com + { + AdvDNSSLLifetime 30; + }; + }; + ''; + }; + + # TODO: lan0 and wan0 systemd.network.link ? + + networking.extraHosts = '' + 127.0.0.1 localhost + 127.0.1.1 router.h.lyte.dev router + + ::1 localhost ip6-localhost ip6-loopback + ff02::1 ip6-allnodes + ff02::2 ip6-allrouters + + 192.168.0.9 git.lyte.dev + 192.168.0.9 video.lyte.dev + 192.168.0.9 files.lyte.dev + 192.168.0.9 bw.lyte.dev + 192.168.0.9 vpn.h.lyte.dev + ''; + + services.resolved = { + enable = true; + extraConfig = '' + [Resolve] + DNSStubListener=no + ''; + }; + + networking.firewall = { + # TODO: port router firewall config + enable = true; + package = pkgs.nftables; + allowPing = true; + allowedTCPPorts = [22]; + allowedUDPPorts = []; + }; + + networking.dhcpcd = { + enable = true; + extraConfig = '' + duid + + # No way.... https://github.com/NetworkConfiguration/dhcpcd/issues/36#issuecomment-954777644 + # issues caused by guests with oneplus devices + noarp + persistent + vendorclassid + + option domain_name_servers, domain_name, domain_search + option classless_static_routes + option interface_mtu + option host_name + #option ntp_servers + + require dhcp_server_identifier + slaac private + noipv4ll + noipv6rs + + static domain_name_servers=${ip} + + interface ${wan_if} + gateway + ipv6rs + iaid 1 + # option rapid_commit + # ia_na 1 + ia_pd 1 ${lan_if} + + interface ${lan_if} + static ip_address=${cidr} + static routers=${ip} + static domain_name_servers=${ip} + ''; + }; + + services.dnsmasq = { + enable = true; + # TODO: port to settings + extraConfig = '' + # server endpoints + listen-address=::1,127.0.0.1,${ip} + port=53 + + # DNS cache entries + cache-size=10000 + + # local domain entries + local=/lan/ + domain=lan + expand-hosts + + dhcp-authoritative + + conf-file=/usr/share/dnsmasq/trust-anchors.conf + dnssec + + except-interface=${wan_if} + interface=${lan_if} + + enable-ra + + # dhcp-option=121,${cidr},${ip} + + dhcp-range=lan,${lease.min},${lease.max},${netmask},10m + dhcp-range=tag:${lan_if},::1,constructor:${lan_if},ra-names,12h + + dhcp-host=${hosts.dragon.identifier},${hosts.dragon.ip},12h + + # TODO: parameterize the rest? + + dhcp-host=beefcake,192.168.0.9,12h + dhcp-host=chromebox,192.168.0.5,12h + dhcp-host=B-C02G56VXML85,192.168.0.128,12h + dhcp-host=B-W4KNHWJ6XY,192.168.0.217,12h + dhcp-host=mnemonic,192.168.0.248,ea:1b:7a:fb:8b:b8,12h + # dhcp-host=frontdoorcam,192.168.0.89,9c:8e:cd:2b:71:e9,120m + dhcp-host=AMC058BA_A75F1E,192.168.0.150,12h + dhcp-host=AMC0587F_A2969A,192.168.0.151,12h + + address=/video.lyte.dev/192.168.0.9 + address=/git.lyte.dev/192.168.0.9 + address=/bw.lyte.dev/192.168.0.9 + address=/files.lyte.dev/192.168.0.9 + address=/vpn.h.lyte.dev/192.168.0.9 + address=/.h.lyte.dev/192.168.0.9 + + server=${ip} + server=8.8.8.8 + server=8.8.4.4 + server=1.1.1.1 + server=1.0.0.1 + ''; + }; + + system.stateVersion = "23.11"; +}