Diffstat (limited to 'nixos/routers/router.nix')
-rw-r--r--nixos/routers/router.nix145
1 files changed, 76 insertions, 69 deletions
diff --git a/nixos/routers/router.nix b/nixos/routers/router.nix
index a3fc0c1..5aa6cc6 100644
--- a/nixos/routers/router.nix
+++ b/nixos/routers/router.nix
@@ -2,8 +2,8 @@
config,
lib,
...
-}:
-with lib; let
+}: let
+ inherit (lib) mkOption types mkIf mapAttrsToList;
cnf = config.cynerd.router;
in {
options = {
@@ -36,6 +36,14 @@ in {
default = 24;
description = "LAN IP network prefix length";
};
+ staticLeases = mkOption {
+ type = with types; attrsOf str;
+ default = {};
+ example = ''
+ {"xx:xx:xx:xx:xx:xx" = "10.8.1.30";}
+ '';
+ description = "Mapping of MAC address to IP address";
+ };
};
};
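Review bot: `staticLeases` is typed `attrsOf str`, so any string is accepted as a lease address and a typo only surfaces when systemd-networkd rejects the generated unit; a `types.strMatching` pattern for IPv4 literals would catch it at evaluation time. The description should also state where these leases end up (they appear to be consumed by the home network's DHCP server in the hunk at old line 125) and that each address must fall inside `lanIP/lanPrefix`, e.g. `description = "Mapping of MAC address to IP address for static DHCP leases on the home network; addresses must lie within the LAN prefix";`. The enclosing `options` attribute set starts outside this hunk.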
@@ -44,25 +52,21 @@ in {
useNetworkd = true;
nftables.enable = true;
firewall = {
+ logRefusedConnections = false;
interfaces = {
- "brlan" = {
- allowedUDPPorts = [53 67 68];
- allowedTCPPorts = [53];
- };
- #"guest" = {
- # allowedUDPPorts = [53 67 68];
- # allowedTCPPorts = [53];
- #};
+ "home" = {allowedUDPPorts = [67 68];};
+ "guest" = {allowedUDPPorts = [67 68];};
};
+ rejectPackets = true;
filterForward = true;
- #extraForwardRules = ''
- # iifname "guest" oifname != "${cnf.wan}" drop comment "prevent guest to access brlan"
- #'';
+ extraForwardRules = ''
+ iifname "guest" oifname != "${cnf.wan}" drop comment "prevent guest to access other networks"
+ '';
};
nat = {
enable = true;
externalInterface = cnf.wan;
- internalInterfaces = ["brlan"];
+ internalInterfaces = ["home" "guest"];
};
};
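Review bot: `rejectPackets = true` applies to every interface, including `${cnf.wan}`, so unsolicited packets from the internet now receive an explicit reject instead of being silently dropped, which confirms to the sender that the host is up; if reject is only wanted towards the LAN side, keep the default drop and scope the reject to the `home`/`guest` interfaces instead. `logRefusedConnections = false` also removes the only journal trail of refused connections on the WAN, so the motivation (presumably scan noise) deserves a comment next to it, such as `# intentionally off: refused-connection logging on the WAN interface only produces noise`. The guest isolation in `extraForwardRules` covers the forward path only, which is consistent with the `guest` input rules opening nothing beyond DHCP (67/68).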
@@ -73,43 +77,38 @@ in {
Kind = "bridge";
Name = "brlan";
};
- #extraConfig = ''
- # [Bridge]
- # DefaultPVID=none
- # VLANFiltering=yes
- #'';
+ extraConfig = ''
+ [Bridge]
+ DefaultPVID=none
+ VLANFiltering=yes
+ '';
+ };
+ "home" = {
+ netdevConfig = {
+ Kind = "vlan";
+ Name = "home";
+ };
+ vlanConfig.Id = 1;
+ };
+ "guest" = {
+ netdevConfig = {
+ Kind = "vlan";
+ Name = "guest";
+ };
+ vlanConfig.Id = 2;
};
- #"home" = {
- # netdevConfig = {
- # Kind = "vlan";
- # Name = "home";
- # };
- # vlanConfig.Id = 1;
- #};
- #"guest" = {
- # netdevConfig = {
- # Kind = "vlan";
- # Name = "guest";
- # };
- # vlanConfig.Id = 2;
- #};
};
networks = {
"brlan" = {
matchConfig.Name = "brlan";
- #networkConfig.VLAN = ["home"];
- #bridgeVLANs = [
- # {
- # bridgeVLANConfig = {
- # EgressUntagged = 1;
- # PVID = 1;
- # };
- # }
- # {bridgeVLANConfig.VLAN = 2;}
- #];
- #};
- #"home" = {
- #matchConfig.Name = "home";
+ networkConfig.VLAN = ["home" "guest"];
+ bridgeVLANs = [
+ {bridgeVLANConfig.VLAN = 1;}
+ {bridgeVLANConfig.VLAN = 2;}
+ ];
+ };
+ "home" = {
+ matchConfig.Name = "home";
networkConfig = {
Address = "${cnf.lanIP}/${toString cnf.lanPrefix}";
IPForward = "yes";
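Review bot: The trusted `home` segment is placed on VLAN ID 1, which is the default/native VLAN on most switch hardware, so a port left at its factory PVID lands on the trusted network rather than an isolated one; giving `home` a non-default ID, or documenting why 1 is acceptable in this deployment, is the safer choice. `DefaultPVID=none` on `brlan` means bridge member ports get no VLAN membership unless their own `bridgeVLANs` are configured, and those ports are not in this hunk, so a comment on the bridge like `# member ports must set PVID/EgressUntagged themselves (DefaultPVID=none)` would save the next reader a debugging session. The `"home"` network block at the end of this hunk continues outside it.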
@@ -125,35 +124,43 @@ in {
EmitDNS = "yes";
DNS = "1.1.1.1";
};
+ dhcpServerStaticLeases =
+ mapAttrsToList (n: v: {
+ dhcpServerStaticLeaseConfig = {
+ MACAddress = n;
+ Address = v;
+ };
+ })
+ cnf.staticLeases;
dhcpPrefixDelegationConfig = {
UplinkInterface = cnf.wan;
SubnetId = 1;
Announce = "yes";
};
};
- #"guest" = {
- # matchConfig.Name = "guest";
- # networkConfig = {
- # Address = "192.168.1.1/24";
- # IPForward = "yes";
- # DHCPServer = "yes";
- # DHCPPrefixDelegation = "yes";
- # IPv6SendRA = "yes";
- # IPv6AcceptRA = "no";
- # };
- # dhcpServerConfig = {
- # UplinkInterface = cnf.wan;
- # PoolOffset = cnf.dynIPStart;
- # PoolSize = cnf.dynIPCount;
- # EmitDNS = "yes";
- # DNS = "1.1.1.1";
- # };
- # dhcpPrefixDelegationConfig = {
- # UplinkInterface = cnf.wan;
- # SubnetId = 2;
- # Announce = "yes";
- # };
- #};
+ "guest" = {
+ matchConfig.Name = "guest";
+ networkConfig = {
+ Address = "192.168.1.1/24";
+ IPForward = "yes";
+ DHCPServer = "yes";
+ DHCPPrefixDelegation = "yes";
+ IPv6SendRA = "yes";
+ IPv6AcceptRA = "no";
+ };
+ dhcpServerConfig = {
+ UplinkInterface = cnf.wan;
+ PoolOffset = cnf.dynIPStart;
+ PoolSize = cnf.dynIPCount;
+ EmitDNS = "yes";
+ DNS = "1.1.1.1";
+ };
+ dhcpPrefixDelegationConfig = {
+ UplinkInterface = cnf.wan;
+ SubnetId = 2;
+ Announce = "yes";
+ };
+ };
};
wait-online.anyInterface = true;
};
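Review bot: The guest network hard-codes `Address = "192.168.1.1/24"` while `home` derives its address from `cnf.lanIP`/`cnf.lanPrefix`, so a deployment that sets `lanIP` inside 192.168.1.0/24 silently creates two overlapping subnets and the guest isolation rule in the firewall hunk no longer means anything; either expose the guest address as an option next to `lanIP` or add an assertion that the two prefixes differ. The guest DHCP pool also reuses `cnf.dynIPStart`/`cnf.dynIPCount`, which are sized for the home prefix and may not fit a /24. For `dhcpServerStaticLeases`, static addresses are not checked against the dynamic range (`PoolOffset`/`PoolSize`); a comment such as `# static leases are expected to lie outside the dynamic pool` would at least record the assumption. The `"home"` network block that this hunk continues starts outside it.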