author | Karel Kočí <cynerd@email.cz> | 2024-01-27 13:20:03 +0100 |
committer | Karel Kočí <cynerd@email.cz> | 2024-01-27 13:20:03 +0100 |
commit | c1a76b4403edcf5e2a147d68b7bbdf1c33ac95ef (patch) | |
tree | 95b00eb500c49c3358b3f736eae9cfe9165f354a /nixos/routers/router.nix | |
parent | 6b0bc35f83a14ee9f9a34e1af782f1ef4c363d6e (diff) | |
Rework routers to use systemd-networkd
Diffstat (limited to 'nixos/routers/router.nix')
-rw-r--r-- | nixos/routers/router.nix | 237 |
1 files changed, 59 insertions, 178 deletions
diff --git a/nixos/routers/router.nix b/nixos/routers/router.nix index da625e4..545f109 100644 --- a/nixos/routers/router.nix +++ b/nixos/routers/router.nix @@ -40,33 +40,71 @@ in { }; config = mkIf cnf.enable { + networking = { + useNetworkd = true; + nftables.enable = true; + firewall = { + interfaces = { + "lan" = { + allowedUDPPorts = [53 67 68]; + allowedTCPPorts = [53]; + }; + "guest" = { + allowedUDPPorts = [53 67 68]; + allowedTCPPorts = [53]; + }; + }; + filterForward = true; + extraForwardRules = '' + iifname "guest" oifname != "${cnf.wan}" drop comment "prevent guest to access lan" + ''; + }; + nat = { + enable = true; + externalInterface = cnf.wan; + internalInterfaces = ["lan" "guest"]; + }; + }; + systemd.network = { netdevs = { - "brlan".netdevConfig = { - Kind = "bridge"; - Name = "brlan"; - }; - "brguest".netdevConfig = { - Kind = "bridge"; - Name = "brguest"; + "brlan" = { + netdevConfig = { + Kind = "bridge"; + Name = "brlan"; + }; + extraConfig = '' + [Bridge] + DefaultPVID=none + VLANFiltering=yes + ''; }; - }; - networks = { - "${cnf.wan}" = { - matchConfig.Name = cnf.wan; - networkConfig = { - DHCP = "yes"; - DHCPPrefixDelegation = "yes"; + "lan" = { + netdevConfig = { + Kind = "vlan"; + Name = "lan"; }; - dhcpPrefixDelegationConfig = { - UplinkInterface = ":self"; - SubnetId = 0; - Announce = "no"; + vlanConfig.Id = 1; + }; + "guest" = { + netdevConfig = { + Kind = "vlan"; + Name = "guest"; }; - linkConfig.RequiredForOnline = "routable"; + vlanConfig.Id = 2; }; + }; + networks = { "brlan" = { matchConfig.Name = "brlan"; + networkConfig.VLAN = ["lan" "guest"]; + bridgeVLANs = [ + {bridgeVLANConfig.VLAN = 1;} + {bridgeVLANConfig.VLAN = 2;} + ]; + }; + "lan" = { + matchConfig.Name = "lan"; networkConfig = { Address = "${cnf.lanIP}/${toString cnf.lanPrefix}"; IPForward = "yes"; 
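Review bot: The guest isolation in the new `networking.firewall` block rests on the single forward rule `iifname "guest" oifname != "${cnf.wan}" drop`, which covers forwarded traffic only; services on the router itself are governed by the input chain, where anything opened globally (a non-interface-scoped `allowedTCPPorts`, or an `openFirewall` option set by an importer of this module) is reachable from the guest VLAN as well. Worth confirming that management ports are only opened per-interface for `lan`, and adding a comment above `extraForwardRules` such as `# guest may only reach the WAN; router-local services are limited to the per-interface allowlists above`. The per-interface allowlists also open UDP 68, the DHCP client port; with `lan` and `guest` statically addressed the built-in server only needs UDP 67, so `allowedUDPPorts = [53 67];` is sufficient unless the router also runs a DHCP client on these segments. The bridge's `DefaultPVID=none`/`VLANFiltering=yes` settings and the choice of VLAN ID 1 for the trusted segment deserve a comment too, since VLAN 1 is the default/native VLAN on most managed switches and the member-port VLAN assignments are not in this file. The `config = mkIf cnf.enable` attribute set continues past the end of this hunk.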
@@ -74,7 +112,6 @@ in { DHCPPrefixDelegation = "yes"; IPv6SendRA = "yes"; IPv6AcceptRA = "no"; - VLAN = ["brlan.brguest"]; }; dhcpServerConfig = { UplinkInterface = cnf.wan; @@ -89,8 +126,8 @@ in { Announce = "yes"; }; }; - "brguest" = { - matchConfig.Name = "brguest"; + "guest" = { + matchConfig.Name = "guest"; networkConfig = { Address = "192.168.1.1/24"; IPForward = "yes"; 
@@ -116,166 +153,10 @@ in { wait-online.anyInterface = true; }; - networking = { - nftables.enable = true; - firewall = { - interfaces = { - "brlan" = { - allowedUDPPorts = [53 67 68]; - allowedTCPPorts = [53]; - }; - "brguest" = { - allowedUDPPorts = [53 67 68]; - allowedTCPPorts = [53]; - }; - }; - filterForward = true; - extraForwardRules = '' - iifname "brguest" oifname != "${cnf.wan}" drop comment "prevent guest to access lan" - ''; - }; - nat = { - enable = true; - externalInterface = cnf.wan; - internalInterfaces = ["brlan" "brguest"]; - }; - }; - services.resolved = { enable = true; dnssec = "true"; fallbackDns = ["1.1.1.1" "8.8.8.8"]; }; - - #networking = { - # interfaces = { - # brlan.ipv4.addresses = [ - # { - # address = cnf.lanIP; - # prefixLength = cnf.lanPrefix; - # } - # ]; - # brguest.ipv4.addresses = [ - # { - # address = "192.168.1.1"; - # prefixLength = 24; - # } - # ]; - # }; - # vlans = { - # "brlan.guest" = { - # interface = "brlan"; - # id = 100; - # }; - # }; - # bridges = { - # brlan.interfaces = []; - # brguest.interfaces = ["brlan.guest"]; - # }; - # nat = { - # enable = true; - # externalInterface = cnf.wan; - # internalInterfaces = ["brlan" "brguest"]; - # }; - # dhcpcd = { - # allowInterfaces = [cnf.wan]; - # extraConfig = '' - # duid - # noipv6rs - # waitip 6 - - # interface ${cnf.wan} - # ipv6rs - # iaid 1 - - # ia_pd 1 brlan - # #ia_pd 1/::/64 LAN/0/64 - #toString ''; - # }; - #nameservers = ["1.1.1.1" "8.8.8.8"]; - #}; - - #services = { - # kea = { - # dhcp4 = { - # enable = true; - # settings = { - # lease-database = { - # name = "/var/lib/kea/dhcp4.leases"; - # persist = true; - # type = "memfile"; - # }; - # valid-lifetime = 4000; - # renew-timer = 1000; - # rebind-timer = 2000; - # interfaces-config = { - # interfaces = ["brlan" "brguest"]; - # service-sockets-max-retries = -1; - # }; - # option-data = [ - # { - # name = "domain-name-servers"; - # data = "1.1.1.1, 8.8.8.8"; - # } - # ]; - # subnet4 = [ - # { - # interface = 
"brlan"; - # subnet = "${ipv4.prefix2ip cnf.lanIP cnf.lanPrefix}/${toString cnf.lanPrefix}"; - # pools = let - # ip_start = ipv4.ipAdd cnf.lanIP cnf.lanPrefix cnf.dynIPStart; - # ip_end = ipv4.ipAdd cnf.lanIP cnf.lanPrefix (cnf.dynIPStart + cnf.dynIPCount); - # in [{pool = "${ip_start} - ${ip_end}";}]; - # option-data = [ - # { - # name = "routers"; - # data = cnf.lanIP; - # } - # ]; - # reservations = [ - # { - # duid = "e4:6f:13:f3:d5:be"; - # ip-address = ipv4.ipAdd cnf.lanIP cnf.lanPrefix 60; - # } - # ]; - # } - # { - # interface = "brguest"; - # subnet = "192.168.1.0/24"; - # pools = [{pool = "192.168.1.50 - 192.168.1.254";}]; - # "option-data" = [ - # { - # name = "routers"; - # data = "192.168.1.1"; - # } - # ]; - # } - # ]; - # }; - # }; - # }; - # radvd = { - # enable = true; - # config = '' - # interface brlan { - # AdvSendAdvert on; - # MinRtrAdvInterval 3; - # MaxRtrAdvInterval 10; - # prefix ::/64 { - # AdvOnLink on; - # AdvAutonomous on; - # AdvRouterAddr on; - # }; - # RDNSS 2001:4860:4860::8888 2001:4860:4860::8844 { - # }; - # }; - # ''; - # }; - # kresd = {enable = false;}; - #}; - #systemd.services.kea-dhcp4-server.after = [ - # "sys-subsystem-net-devices-brlan.device" - # "sys-subsystem-net-devices-brguest.device" - #]; }; } |