Compare commits
No commits in common. "master" and "dev" have entirely different histories.
14 changed files with 135 additions and 257 deletions
2
.gitignore
vendored
Executable file → Normal file
2
.gitignore
vendored
Executable file → Normal file
|
@ -1 +1 @@
|
||||||
dnsmasq.leases
|
tags
|
||||||
|
|
18
dhcpcd.conf
Executable file → Normal file
18
dhcpcd.conf
Executable file → Normal file
|
@ -1,8 +1,4 @@
|
||||||
duid
|
duid
|
||||||
|
|
||||||
# No way.... https://github.com/NetworkConfiguration/dhcpcd/issues/36#issuecomment-954777644
|
|
||||||
# issues caused by guests with oneplus devices
|
|
||||||
noarp
|
|
||||||
persistent
|
persistent
|
||||||
vendorclassid
|
vendorclassid
|
||||||
|
|
||||||
|
@ -16,18 +12,16 @@ require dhcp_server_identifier
|
||||||
slaac private
|
slaac private
|
||||||
noipv4ll
|
noipv4ll
|
||||||
noipv6rs
|
noipv6rs
|
||||||
|
waitip 6
|
||||||
static domain_name_servers=192.168.0.1
|
|
||||||
|
|
||||||
interface wan0
|
interface wan0
|
||||||
gateway
|
|
||||||
ipv6rs
|
ipv6rs
|
||||||
iaid 1
|
iaid 1
|
||||||
# option rapid_commit
|
option rapid_commit
|
||||||
# ia_na 1
|
ia_na 1
|
||||||
ia_pd 1 lan0
|
ia_pd 1 lan0
|
||||||
|
|
||||||
interface lan0
|
interface lan0
|
||||||
static ip_address=192.168.0.1/16
|
static ip_address=10.0.0.1/24
|
||||||
static routers=192.168.0.1
|
static routers=10.0.0.1
|
||||||
static domain_name_servers=192.168.0.1
|
static domain_name_servers=10.0.0.1 8.8.8.8 8.8.4.4
|
||||||
|
|
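Review bot: `static domain_name_servers=10.0.0.1 8.8.8.8 8.8.4.4` under `interface lan0` places the public resolvers in the router's own resolv.conf alongside the local dnsmasq, so any lookup the libc resolver falls through to the second or third entry on (timeout, SERVFAIL) bypasses `local=/h.lyte.dev/` and the `address=` records and leaves for Google instead; if dnsmasq is meant to be the router's resolver, `static domain_name_servers=10.0.0.1` alone is the safer line, since dnsmasq already forwards to 8.8.8.8/8.8.4.4 upstream. Whether dhcpcd actually writes resolv.conf here depends on `resolved.conf`, which is not shown in this diff. The added `waitip 6` makes dhcpcd wait for an IPv6 address before backgrounding, which can stall start-up whenever the WAN has no v6, so a one-line comment stating why it is needed would help the next reader. The hunk header shows the global section continues above `require dhcp_server_identifier`, outside the diff.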
63
dnsmasq.conf
Executable file → Normal file
63
dnsmasq.conf
Executable file → Normal file
|
@ -1,54 +1,37 @@
|
||||||
# server endpoints
|
|
||||||
listen-address=::1,127.0.0.1,192.168.0.1,0.0.0.0
|
|
||||||
port=53
|
|
||||||
|
|
||||||
# DNS cache entries
|
|
||||||
cache-size=10000
|
|
||||||
|
|
||||||
# local domain entries
|
|
||||||
local=/lan/
|
|
||||||
domain=lan
|
|
||||||
expand-hosts
|
|
||||||
|
|
||||||
dhcp-authoritative
|
|
||||||
|
|
||||||
conf-file=/usr/share/dnsmasq/trust-anchors.conf
|
|
||||||
dnssec
|
|
||||||
|
|
||||||
except-interface=wan0
|
except-interface=wan0
|
||||||
interface=lan0
|
bogus-priv
|
||||||
|
|
||||||
enable-ra
|
enable-ra
|
||||||
|
|
||||||
# dhcp-option=121,192.168.0.0/16,192.168.0.1
|
dhcp-range=lan,10.0.0.5,10.0.0.250,255.255.255.0,10m
|
||||||
|
|
||||||
dhcp-range=lan,192.168.0.5,192.168.0.250,255.255.255.0,10m
|
|
||||||
dhcp-range=tag:lan0,::1,constructor:lan0,ra-names,12h
|
dhcp-range=tag:lan0,::1,constructor:lan0,ra-names,12h
|
||||||
|
|
||||||
dhcp-host=dragon,192.168.0.10,12h
|
local=/h.lyte.dev/
|
||||||
dhcp-host=beefcake,192.168.0.9,12h
|
|
||||||
dhcp-host=bald,192.168.0.153,12h
|
|
||||||
dhcp-host=chromebox,192.168.0.5,12h
|
|
||||||
dhcp-host=B-C02G56VXML85,192.168.0.128,12h
|
|
||||||
dhcp-host=B-W4KNHWJ6XY,192.168.0.217,12h
|
|
||||||
dhcp-host=mnemonic,192.168.0.248,ea:1b:7a:fb:8b:b8,12h
|
|
||||||
# dhcp-host=frontdoorcam,192.168.0.89,9c:8e:cd:2b:71:e9,120m
|
|
||||||
|
|
||||||
address=/video.lyte.dev/192.168.0.9
|
dhcp-host=f0:2f:74:c9:9b:61,dragon,10.0.0.10,12h
|
||||||
address=/git.lyte.dev/192.168.0.9
|
dhcp-host=00:50:b6:24:27:0b,faceless,10.0.0.25,12h
|
||||||
address=/bw.lyte.dev/192.168.0.9
|
dhcp-host=d0:50:99:26:89:86,ourcraft,10.0.0.244,2m
|
||||||
address=/files.lyte.dev/192.168.0.9
|
|
||||||
address=/vpn.h.lyte.dev/192.168.0.9
|
|
||||||
address=/.h.lyte.dev/192.168.0.9
|
|
||||||
|
|
||||||
dhcp-host=AMC058BA_A75F1E,192.168.0.150,12h
|
address=/dragon.h.lyte.dev/10.0.0.10
|
||||||
dhcp-host=AMC0587F_A2969A,192.168.0.151,12h
|
address=/git.lyte.dev/10.0.0.25
|
||||||
|
address=/h.lyte.dev/10.0.0.25
|
||||||
|
address=/a.lyte.dev/10.0.0.25
|
||||||
|
address=/.h.lyte.dev/10.0.0.25
|
||||||
|
address=/#.h.lyte.dev/10.0.0.25
|
||||||
|
address=/bw.lyte.dev/10.0.0.25
|
||||||
|
address=/files.lyte.dev/10.0.0.25
|
||||||
|
address=/grafana.lyte.dev/10.0.0.25
|
||||||
|
address=/ourcraft.lyte.dev/10.0.0.244
|
||||||
|
|
||||||
server=192.168.0.1
|
|
||||||
server=8.8.8.8
|
server=8.8.8.8
|
||||||
server=8.8.4.4
|
server=8.8.4.4
|
||||||
server=1.1.1.1
|
|
||||||
server=1.0.0.1
|
|
||||||
|
|
||||||
|
expand-hosts
|
||||||
|
|
||||||
|
port=53
|
||||||
|
|
||||||
|
interface=lan0
|
||||||
|
|
||||||
|
domain=h.lyte.dev
|
||||||
|
|
||||||
|
dhcp-authoritative
|
||||||
|
|
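Review bot: `dnssec` and `conf-file=/usr/share/dnsmasq/trust-anchors.conf` are dropped on the new side with no replacement, so answers forwarded from `server=8.8.8.8` and `server=8.8.4.4` are no longer validated locally; if that is deliberate, a comment such as `# dnssec validation disabled: <reason>` keeps someone from re-adding it blindly, otherwise restore both lines. `address=/#.h.lyte.dev/10.0.0.25` appears to overlap with `address=/.h.lyte.dev/10.0.0.25` and `address=/h.lyte.dev/10.0.0.25`, which already cover the domain and its subdomains in dnsmasq — unless `#` is meant literally, collapsing them would make the intent clearer. With `interface=lan0` but no `bind-interfaces`, dnsmasq still binds the wildcard socket and relies solely on `except-interface=wan0` to keep the WAN side closed; adding `bind-interfaces` (or `local-service`) makes that explicit rather than incidental.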
1
dnsmasq.leases
Symbolic link
1
dnsmasq.leases
Symbolic link
|
@ -0,0 +1 @@
|
||||||
|
/var/lib/misc/dnsmasq.leases
|
20
etc-hosts
20
etc-hosts
|
@ -1,20 +0,0 @@
|
||||||
# Static table lookup for hostnames.
|
|
||||||
# See hosts(5) for details.
|
|
||||||
|
|
||||||
127.0.0.1 localhost
|
|
||||||
192.168.0.1 router.h.lyte.dev router
|
|
||||||
|
|
||||||
::1 localhost ip6-localhost ip6-loopback
|
|
||||||
ff02::1 ip6-allnodes
|
|
||||||
ff02::2 ip6-allrouters
|
|
||||||
|
|
||||||
192.168.0.9 git.lyte.dev
|
|
||||||
192.168.0.9 video.lyte.dev
|
|
||||||
192.168.0.9 files.lyte.dev
|
|
||||||
192.168.0.9 bw.lyte.dev
|
|
||||||
192.168.0.9 vpn.h.lyte.dev
|
|
||||||
192.168.0.9 nix.h.lyte.dev
|
|
||||||
192.168.0.9 a.lyte.dev
|
|
||||||
192.168.0.9 api.lyte.dev
|
|
||||||
192.168.0.9 ourcraft.lyte.dev
|
|
||||||
192.168.0.9 jland.lyte.dev
|
|
|
@ -8,7 +8,7 @@ t="/tmp/nftables.conf"
|
||||||
# we don't care about existing rules - just use ours, thanks
|
# we don't care about existing rules - just use ours, thanks
|
||||||
# sudo nft -s list ruleset >> "$f"
|
# sudo nft -s list ruleset >> "$f"
|
||||||
|
|
||||||
sudo -E $EDITOR "$my_config"
|
sudo -E nvim "$my_config"
|
||||||
cat "$my_config"
|
cat "$my_config"
|
||||||
echo "Do you want to load this config? [y/N]"
|
echo "Do you want to load this config? [y/N]"
|
||||||
read -r l
|
read -r l
|
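Review bot: Hardcoding `nvim` in `sudo -E nvim "$my_config"` removes the `$EDITOR` fallback the old line had, so the script now fails on any host without neovim; `sudo -E "${EDITOR:-nvim}" "$my_config"` keeps the default while also quoting the expansion the old line left unquoted. `sudo -E` hands the invoking user's whole environment to a root editor session, so editor config and plugins found through that environment run as root; if only terminal settings are needed, `sudo --preserve-env=TERM` is the narrower option. `my_config` and `t` are assigned above this hunk, and the handling of the `read -r l` answer continues below it.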
0
lan0.link
Executable file → Normal file
0
lan0.link
Executable file → Normal file
31
link.fish
Executable file
31
link.fish
Executable file
|
@ -0,0 +1,31 @@
|
||||||
|
#!/usr/bin/env fish
|
||||||
|
|
||||||
|
if test (id -u) -ne 0
|
||||||
|
echo "must run as root"
|
||||||
|
exit 1
|
||||||
|
end
|
||||||
|
|
||||||
|
function relink
|
||||||
|
rm -f $argv[2]
|
||||||
|
ezln $argv[1] $argv[2]
|
||||||
|
end
|
||||||
|
|
||||||
|
function recopy
|
||||||
|
rm -f $argv[2]
|
||||||
|
cp $argv[1] $argv[2]
|
||||||
|
end
|
||||||
|
|
||||||
|
recopy dnsmasq.conf /etc/dnsmasq.conf
|
||||||
|
recopy resolved.conf /etc/systemd/resolved.conf
|
||||||
|
recopy ./sysctl-configs /etc/sysctl.d/10-router-configs.conf
|
||||||
|
|
||||||
|
# enable systemd-networkd to setup network interfaces with useful names
|
||||||
|
recopy lan0.link /etc/systemd/network/10-lan0.link
|
||||||
|
recopy wan0.link /etc/systemd/network/10-wan0.link
|
||||||
|
|
||||||
|
# enable systemd-networkd set the proper sysctl flags
|
||||||
|
# recopy wan0.network /etc/systemd/network/wan0.network
|
||||||
|
# recopy lan0.network /etc/systemd/network/lan0.network
|
||||||
|
|
||||||
|
# dhcp client configuration
|
||||||
|
recopy dhcpcd.conf /etc/dhcpcd.conf
|
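Review bot: `recopy` removes the destination with `rm -f $argv[2]` and then runs `cp` without checking its status, so a failed copy (missing source, mistyped path) leaves `/etc/dnsmasq.conf` or `/etc/dhcpcd.conf` absent and the next service restart runs with no config; since fish has no errexit, check the result, e.g. `cp $argv[1] $argv[2]; or begin; echo "failed to install $argv[2]" >&2; exit 1; end`, and drop the `rm -f` (GNU `cp --remove-destination` covers the symlink case it presumably guards). `relink` calls `ezln`, which is not defined in this file and is not used anywhere in it; if it is a function from the author's interactive shell, it will not exist in the root shell this script requires. A short header comment stating that the script must be run from the repository root (all sources are relative paths) would also help.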
96
makefile
96
makefile
|
@ -1,96 +0,0 @@
|
||||||
# TODO: some kind of automatic (without confirmation) rollback setup?
|
|
||||||
|
|
||||||
.PHONY: default
|
|
||||||
default: copy-configuration-files restart-services
|
|
||||||
|
|
||||||
.PHONY: setup
|
|
||||||
setup: system-dependencies /root/router.wg-pub enable-and-start-services mkinitcpio
|
|
||||||
|
|
||||||
.PHONY: firewall-edit
|
|
||||||
firewall-edit:
|
|
||||||
./firewall-edit.bash
|
|
||||||
|
|
||||||
.PHONY: mkinitcpio
|
|
||||||
mkinitcpio:
|
|
||||||
mkinitcpio -p linux
|
|
||||||
|
|
||||||
.PHONY: system-dependencies
|
|
||||||
system-dependencies:
|
|
||||||
echo "Updating system..."
|
|
||||||
pacman -Sy --needed archlinux-keyring # get latest keys
|
|
||||||
pacman -Syu # update everything
|
|
||||||
pacman -S --needed dnsmasq nftables fail2ban radvd git dhcpcd wireguard-tools tailscale # install anything needed
|
|
||||||
echo "Done updating system!"
|
|
||||||
echo "The system has updated. This usually means the kernel updated, so tailscale needs you to reboot."
|
|
||||||
|
|
||||||
.PHONY: restart-services
|
|
||||||
restart-services:
|
|
||||||
echo "Restarting services..."
|
|
||||||
systemctl restart nftables
|
|
||||||
systemctl restart systemd-sysctl
|
|
||||||
systemctl restart systemd-networkd
|
|
||||||
systemctl restart dnsmasq
|
|
||||||
# systemctl restart systemd-resolved # this seems to conflict with dnsmasq - not sure we need it?
|
|
||||||
systemctl restart dhcpcd@lan0
|
|
||||||
systemctl restart dhcpcd@wan0
|
|
||||||
systemctl restart radvd
|
|
||||||
# ksystemctl restart tailscaled # is this necessary since no config lies in this repo?
|
|
||||||
echo "Services restarted!"
|
|
||||||
|
|
||||||
.PHONY: enable-and-start-services
|
|
||||||
enable-and-start-services:
|
|
||||||
echo "Enabling and starting services..."
|
|
||||||
systemctl enable --now nftables
|
|
||||||
systemctl enable --now systemd-sysctl
|
|
||||||
systemctl enable --now systemd-networkd
|
|
||||||
systemctl enable --now dnsmasq
|
|
||||||
# systemctl enable --now systemd-resolved # this seems to conflict with dnsmasq - not sure we need it?
|
|
||||||
systemctl enable --now dhcpcd@lan0
|
|
||||||
systemctl enable --now dhcpcd@wan0
|
|
||||||
systemctl enable --now radvd
|
|
||||||
# systemctl enable --now tailscaled # is this necessary since no config lies in this repo?
|
|
||||||
echo "Services enabled and restarted!"
|
|
||||||
|
|
||||||
.PHONY: copy-configuration-files
|
|
||||||
copy-configuration-files: /etc/dnsmasq.conf /etc/systemd/resolved.conf /etc/sysctl.d/10-router-configs.conf /etc/systemd/network/10-lan0.link /etc/systemd/network/10-wan0.link /etc/dhcpcd.conf /etc/hosts
|
|
||||||
|
|
||||||
/root/router.wg-key:
|
|
||||||
umask 0077 && wg genkey > $@
|
|
||||||
|
|
||||||
/root/router.wg-pub: /root/router.wg-key
|
|
||||||
umask 0077 && cat $^ wg genkey > $@
|
|
||||||
|
|
||||||
/etc/dnsmasq.conf: dnsmasq.conf
|
|
||||||
rm -f $@
|
|
||||||
cp $^ $@
|
|
||||||
|
|
||||||
/etc/systemd/resolved.conf: resolved.conf
|
|
||||||
rm -f $@
|
|
||||||
cp $^ $@
|
|
||||||
|
|
||||||
/etc/sysctl.d/10-router-configs.conf: sysctl-configs
|
|
||||||
rm -f $@
|
|
||||||
cp $^ $@
|
|
||||||
|
|
||||||
/etc/systemd/network/10-lan0.link: lan0.link
|
|
||||||
rm -f $@
|
|
||||||
cp $^ $@
|
|
||||||
|
|
||||||
/etc/systemd/network/10-wan0.link: wan0.link
|
|
||||||
rm -f $@
|
|
||||||
cp $^ $@
|
|
||||||
|
|
||||||
/etc/dhcpcd.conf: dhcpcd.conf
|
|
||||||
rm -f $@
|
|
||||||
cp $^ $@
|
|
||||||
|
|
||||||
/etc/hosts: ./etc-hosts
|
|
||||||
rm -f $@ /tmp/etc-hosts
|
|
||||||
printf "%s\n" "# DO NOT EDIT DIRECTLY - See router config for details" >> /tmp/etc-hosts
|
|
||||||
cat $^ >> /tmp/etc-hosts
|
|
||||||
printf "\n\n%s\n" "# DO NOT EDIT DIRECTLY - See router config for details" >> /tmp/etc-hosts
|
|
||||||
cp /tmp/etc-hosts $@
|
|
||||||
|
|
||||||
/etc/nftables.conf: nftables.conf
|
|
||||||
rm -f $@
|
|
||||||
cp $^ $@
|
|
110
nftables.conf
Executable file → Normal file
110
nftables.conf
Executable file → Normal file
|
@ -1,6 +1,5 @@
|
||||||
define WAN = wan0
|
define WAN = wan0
|
||||||
define LAN = lan0
|
define LAN = lan0
|
||||||
define VPN = wg-vpn
|
|
||||||
|
|
||||||
table inet filter {
|
table inet filter {
|
||||||
chain input {
|
chain input {
|
||||||
|
@ -8,15 +7,12 @@ table inet filter {
|
||||||
iifname "lo" accept
|
iifname "lo" accept
|
||||||
ct state invalid drop
|
ct state invalid drop
|
||||||
ct state { established, related } accept
|
ct state { established, related } accept
|
||||||
icmpv6 type {echo-request,nd-neighbor-solicit,nd-neighbor-advert,nd-router-solicit,nd-router-advert,mld-listener-query,destination-unreachable,packet-too-big,time-exceeded,parameter-problem} accept
|
|
||||||
ip protocol icmpv6 accept
|
ip protocol icmpv6 accept
|
||||||
ip protocol icmp accept
|
ip protocol icmp accept
|
||||||
meta l4proto ipv6-icmp accept
|
meta l4proto ipv6-icmp accept
|
||||||
tcp dport { 4022, 10578, 51821, 51820, 22, 53, 67, 2201, 2221, 8448, 8008, 25565, 26968, 26965, 34197, 27015, 27036 } accept
|
tcp dport { 22 } accept comment "allow ssh to router"
|
||||||
udp dport { 9876, 9877, 4020, 10578, 51821, 51820, 22, 53, 67, 2201, 2221, 25565, 26968, 26965, 34197 } accept
|
udp dport { 546, 53, 67 } accept comment "allow dhcpv6-client, dns, and dhcp"
|
||||||
udp dport 27000-27100 accept
|
udp dport { 60000-60009 } accept comment "allow mosh common ports"
|
||||||
udp dport { 60000-60009 } accept
|
|
||||||
udp dport dhcpv6-client accept
|
|
||||||
drop
|
drop
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -32,10 +28,38 @@ table inet filter {
|
||||||
}
|
}
|
||||||
|
|
||||||
table ip nat {
|
table ip nat {
|
||||||
|
chain postrouting {
|
||||||
|
type nat hook postrouting priority 100; policy accept;
|
||||||
|
oifname $LAN masquerade
|
||||||
|
}
|
||||||
|
|
||||||
|
chain prerouting {
|
||||||
|
type nat hook prerouting priority -100; policy accept;
|
||||||
|
|
||||||
|
# ip daddr 10.0.0.1 tcp dport { 80, 443 } dnat to 10.0.0.25
|
||||||
|
|
||||||
|
# faceless
|
||||||
|
# allow HTTP, HTTPS, gitea's SSH, and host ssh to faceless
|
||||||
|
iifname $WAN tcp dport { 443, 80, 2222, 2200 } dnat to 10.0.0.25
|
||||||
|
# allow mosh
|
||||||
|
iifname $WAN udp dport 60010-60019 dnat to 10.0.0.25
|
||||||
|
|
||||||
|
# allow host ssh
|
||||||
|
iifname $WAN tcp dport { 2221 } dnat to 10.0.0.10
|
||||||
|
# allow mosh
|
||||||
|
iifname $WAN udp dport 60020-60029 dnat to 10.0.0.10
|
||||||
|
|
||||||
|
# ourcraft
|
||||||
|
iifname $WAN tcp dport { 25565 } dnat to 10.0.0.244
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
# nat ipv4 for lan
|
||||||
|
table ip io.systemd.nat {
|
||||||
set masq_saddr {
|
set masq_saddr {
|
||||||
type ipv4_addr
|
type ipv4_addr
|
||||||
flags interval
|
flags interval
|
||||||
elements = { 192.168.0.0/16 }
|
elements = { 10.0.0.0/24 }
|
||||||
}
|
}
|
||||||
|
|
||||||
map map_port_ipport {
|
map map_port_ipport {
|
||||||
|
@ -43,37 +67,8 @@ table ip nat {
|
||||||
}
|
}
|
||||||
|
|
||||||
chain prerouting {
|
chain prerouting {
|
||||||
iifname $LAN accept
|
|
||||||
type nat hook prerouting priority dstnat + 1; policy accept;
|
type nat hook prerouting priority dstnat + 1; policy accept;
|
||||||
fib daddr type local dnat ip addr . port to meta l4proto . th dport map @map_port_ipport
|
fib daddr type local dnat ip addr . port to meta l4proto . th dport map @map_port_ipport
|
||||||
|
|
||||||
# beefcake (ben access)
|
|
||||||
iifname $WAN tcp dport { 64022 } dnat to 192.168.0.9
|
|
||||||
iifname $WAN udp dport { 64020 } dnat to 192.168.0.9
|
|
||||||
|
|
||||||
# beefcake services
|
|
||||||
iifname $WAN tcp dport { 443, 80, 22 } dnat to 192.168.0.9
|
|
||||||
|
|
||||||
# mnemonic
|
|
||||||
iifname $WAN tcp dport { 8022 } dnat to 192.168.0.248
|
|
||||||
|
|
||||||
# ourcraft
|
|
||||||
iifname $WAN tcp dport { 2456, 2457, 25565, 34197 } dnat to 192.168.0.153
|
|
||||||
iifname $WAN udp dport { 2456, 2457, 25565, 34197 } dnat to 192.168.0.153
|
|
||||||
|
|
||||||
# jland and dawncraft
|
|
||||||
iifname $WAN tcp dport { 26968, 26965 } dnat to 192.168.0.9
|
|
||||||
iifname $WAN udp dport { 26968, 26965 } dnat to 192.168.0.9
|
|
||||||
|
|
||||||
# v rising
|
|
||||||
iifname $WAN tcp dport { 27015, 27036 } dnat to 192.168.0.9
|
|
||||||
iifname $WAN udp dport 9876-9877 dnat to 192.168.0.9
|
|
||||||
iifname $WAN udp dport { 9876, 9877 } dnat to 192.168.0.9
|
|
||||||
iifname $WAN udp dport 27000-27100 dnat to 192.168.0.9
|
|
||||||
|
|
||||||
# router
|
|
||||||
iifname $WAN tcp dport { 2201 } dnat to 192.168.0.1
|
|
||||||
iifname $WAN udp dport { 2201 } dnat to 192.168.0.1
|
|
||||||
}
|
}
|
||||||
|
|
||||||
chain output {
|
chain output {
|
||||||
|
@ -83,22 +78,33 @@ table ip nat {
|
||||||
|
|
||||||
chain postrouting {
|
chain postrouting {
|
||||||
type nat hook postrouting priority srcnat + 1; policy accept;
|
type nat hook postrouting priority srcnat + 1; policy accept;
|
||||||
oifname $LAN masquerade
|
|
||||||
ip saddr @masq_saddr masquerade
|
ip saddr @masq_saddr masquerade
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
# table ip filter {
|
# nat ipv6 for lan
|
||||||
# chain output {
|
table ip6 io.systemd.nat {
|
||||||
# type filter hook output priority 100; policy accept;
|
set masq_saddr {
|
||||||
# }
|
type ipv6_addr
|
||||||
#
|
flags interval
|
||||||
# chain input {
|
}
|
||||||
# type filter hook input priority 0; policy accept;
|
|
||||||
# }
|
map map_port_ipport {
|
||||||
#
|
type inet_proto . inet_service : ipv6_addr . inet_service
|
||||||
# chain forward {
|
}
|
||||||
# type filter hook forward priority 0; policy accept;
|
|
||||||
# }
|
chain prerouting {
|
||||||
# }
|
type nat hook prerouting priority dstnat + 1; policy accept;
|
||||||
#
|
fib daddr type local dnat ip6 to meta l4proto . th dport map @map_port_ipport
|
||||||
|
}
|
||||||
|
|
||||||
|
chain output {
|
||||||
|
type nat hook output priority -99; policy accept;
|
||||||
|
ip6 daddr != ::1 oif "lo" dnat ip6 to meta l4proto . th dport map @map_port_ipport
|
||||||
|
}
|
||||||
|
|
||||||
|
chain postrouting {
|
||||||
|
type nat hook postrouting priority srcnat + 1; policy accept;
|
||||||
|
ip6 saddr @masq_saddr masquerade
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
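Review bot: `oifname $LAN masquerade` in the new `table ip nat` postrouting chain rewrites the source of every packet leaving toward lan0, so the DNAT'd connections to 10.0.0.25, 10.0.0.10 and 10.0.0.244 arrive with 10.0.0.1 as their source and the hosts' own logs (sshd, gitea, any fail2ban there) can no longer see or ban the real remote address; if this is meant only for hairpin access from LAN clients, limit it to that case, e.g. `ip saddr 10.0.0.0/24 oifname $LAN masquerade`. In the input-chain hunk, `tcp dport { 22 } accept` and `udp dport { 546, 53, 67 } accept` are not bound to an interface, so router SSH is reachable on the WAN address unless sshd itself binds only lan0; `iifname $LAN tcp dport { 22 } accept` plus `iifname $WAN udp dport 546 accept` would express the intent stated in the comments. The new `table ip6 io.systemd.nat` ships an empty `masq_saddr` set and map, which is inert but worth a comment saying it is a placeholder.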
46
readme.md
Executable file → Normal file
46
readme.md
Executable file → Normal file
|
@ -1,40 +1,18 @@
|
||||||
# Router
|
# Router
|
||||||
|
|
||||||
My little dual-NIC Arch Linux router configuration and scripts.
|
Yeah yeah I need to document this better.
|
||||||
|
|
||||||
# Setup
|
# Setup
|
||||||
|
|
||||||
```bash
|
With a fresh Arch Linux system:
|
||||||
make setup
|
|
||||||
# setup tailscale if you like
|
|
||||||
reboot
|
|
||||||
```
|
|
||||||
|
|
||||||
# Update Configuration Files
|
- Install base packages as from dotfiles
|
||||||
|
- Run `./link.fish` script
|
||||||
Copies the various services' configuration files from this repo into place and
|
- Enable and restart the following services:
|
||||||
restarts those services.
|
- `systemd-resolved`
|
||||||
|
- `dnsmasq`
|
||||||
```bash
|
- `nftables`
|
||||||
make
|
- `systemd-networkd`
|
||||||
```
|
- `dhcpcd`
|
||||||
|
- Run `mkinitcpio -p linux`
|
||||||
# System Updates
|
- Reboot
|
||||||
|
|
||||||
Should be done regularly for security reasons.
|
|
||||||
|
|
||||||
```bash
|
|
||||||
make setup
|
|
||||||
# configure tailscale as needed
|
|
||||||
reboot
|
|
||||||
```
|
|
||||||
|
|
||||||
# Quick Firewall Tweak
|
|
||||||
|
|
||||||
```bash
|
|
||||||
./firewall-edit.bash
|
|
||||||
```
|
|
||||||
|
|
||||||
# TODO:
|
|
||||||
|
|
||||||
- NixOS/declarative?
|
|
||||||
|
|
0
resolved.conf
Executable file → Normal file
0
resolved.conf
Executable file → Normal file
1
sysctl-configs
Executable file → Normal file
1
sysctl-configs
Executable file → Normal file
|
@ -1,3 +1,4 @@
|
||||||
net.ipv4.ip_forward=1
|
net.ipv4.ip_forward=1
|
||||||
|
|
||||||
net.ipv6.conf.all.forwarding=1
|
net.ipv6.conf.all.forwarding=1
|
||||||
net.ipv6.conf.wan0.accept_ra=2
|
net.ipv6.conf.wan0.accept_ra=2
|
0
wan0.link
Executable file → Normal file
0
wan0.link
Executable file → Normal file