From 6b0bc35f83a14ee9f9a34e1af782f1ef4c363d6e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Karel=20Ko=C4=8D=C3=AD?= Date: Wed, 17 Jan 2024 19:13:22 +0100 Subject: nixos/router: rework router to use networkd --- nixos/routers/router.nix | 349 ++++++++++++++++++++++++++++++----------------- 1 file changed, 224 insertions(+), 125 deletions(-) (limited to 'nixos/routers/router.nix') diff --git a/nixos/routers/router.nix b/nixos/routers/router.nix index 50405dc..da625e4 100644 --- a/nixos/routers/router.nix +++ b/nixos/routers/router.nix 
@@ -40,143 +40,242 @@ in { }; config = mkIf cnf.enable { - networking = { - interfaces = { - brlan.ipv4.addresses = [ - { - address = cnf.lanIP; - prefixLength = cnf.lanPrefix; - } - ]; - brguest.ipv4.addresses = [ - { - address = "192.168.1.1"; - prefixLength = 24; - } - ]; - }; - vlans = { - "brlan.guest" = { - interface = "brlan"; - id = 100; + systemd.network = { + netdevs = { + "brlan".netdevConfig = { + Kind = "bridge"; + Name = "brlan"; + }; + "brguest".netdevConfig = { + Kind = "bridge"; + Name = "brguest"; }; }; - bridges = { - brlan.interfaces = []; - brguest.interfaces = ["brlan.guest"]; - }; - nat = { - enable = true; - externalInterface = cnf.wan; - internalInterfaces = ["brlan" "brguest"]; - }; - dhcpcd = { - allowInterfaces = [cnf.wan]; - extraConfig = '' - duid - noipv6rs - waitip 6 - - interface ${cnf.wan} - ipv6rs - iaid 1 - - ia_pd 1 brlan - #ia_pd 1/::/64 LAN/0/64 - ''; + networks = { + "${cnf.wan}" = { + matchConfig.Name = cnf.wan; + networkConfig = { + DHCP = "yes"; + DHCPPrefixDelegation = "yes"; + }; + dhcpPrefixDelegationConfig = { + UplinkInterface = ":self"; + SubnetId = 0; + Announce = "no"; + }; + linkConfig.RequiredForOnline = "routable"; + }; + "brlan" = { + matchConfig.Name = "brlan"; + networkConfig = { + Address = "${cnf.lanIP}/${toString cnf.lanPrefix}"; + IPForward = "yes"; + DHCPServer = "yes"; + DHCPPrefixDelegation = "yes"; + IPv6SendRA = "yes"; + IPv6AcceptRA = "no"; + VLAN = ["brlan.brguest"]; + }; + dhcpServerConfig = { + UplinkInterface = cnf.wan; + PoolOffset = cnf.dynIPStart; + PoolSize = cnf.dynIPCount; + EmitDNS = "yes"; + DNS = "1.1.1.1"; + }; + dhcpPrefixDelegationConfig = { + UplinkInterface = cnf.wan; + SubnetId = 1; + Announce = "yes"; + }; + }; + "brguest" = { + matchConfig.Name = "brguest"; + networkConfig = { + Address = "192.168.1.1/24"; + IPForward = "yes"; + DHCPServer = "yes"; + DHCPPrefixDelegation = "yes"; + IPv6SendRA = "yes"; + IPv6AcceptRA = "no"; + }; + dhcpServerConfig = { + UplinkInterface = 
cnf.wan; + PoolOffset = cnf.dynIPStart; + PoolSize = cnf.dynIPCount; + EmitDNS = "yes"; + DNS = "1.1.1.1"; + }; + dhcpPrefixDelegationConfig = { + UplinkInterface = cnf.wan; + SubnetId = 2; + Announce = "yes"; + }; + }; }; - nameservers = ["1.1.1.1" "8.8.8.8"]; + wait-online.anyInterface = true; }; - services = { - kea = { - dhcp4 = { - enable = true; - settings = { - lease-database = { - name = "/var/lib/kea/dhcp4.leases"; - persist = true; - type = "memfile"; - }; - valid-lifetime = 4000; - renew-timer = 1000; - rebind-timer = 2000; - interfaces-config = { - interfaces = ["brlan" "brguest"]; - service-sockets-max-retries = -1; - }; - option-data = [ - { - name = "domain-name-servers"; - data = "1.1.1.1, 8.8.8.8"; - } - ]; - subnet4 = [ - { - interface = "brlan"; - subnet = "${ipv4.prefix2ip cnf.lanIP cnf.lanPrefix}/${toString cnf.lanPrefix}"; - pools = let - ip_start = ipv4.ipAdd cnf.lanIP cnf.lanPrefix cnf.dynIPStart; - ip_end = ipv4.ipAdd cnf.lanIP cnf.lanPrefix (cnf.dynIPStart + cnf.dynIPCount); - in [{pool = "${ip_start} - ${ip_end}";}]; - option-data = [ - { - name = "routers"; - data = cnf.lanIP; - } - ]; - reservations = [ - { - duid = "e4:6f:13:f3:d5:be"; - ip-address = ipv4.ipAdd cnf.lanIP cnf.lanPrefix 60; - } - ]; - } - { - interface = "brguest"; - subnet = "192.168.1.0/24"; - pools = [{pool = "192.168.1.50 - 192.168.1.254";}]; - "option-data" = [ - { - name = "routers"; - data = "192.168.1.1"; - } - ]; - } - ]; + networking = { + nftables.enable = true; + firewall = { + interfaces = { + "brlan" = { + allowedUDPPorts = [53 67 68]; + allowedTCPPorts = [53]; + }; + "brguest" = { + allowedUDPPorts = [53 67 68]; + allowedTCPPorts = [53]; }; }; + filterForward = true; + extraForwardRules = '' + iifname "brguest" oifname != "${cnf.wan}" drop comment "prevent guest to access lan" + ''; }; - radvd = { + nat = { enable = true; - config = '' - interface brlan { - AdvSendAdvert on; - MinRtrAdvInterval 3; - MaxRtrAdvInterval 10; - prefix ::/64 { - AdvOnLink on; - 
AdvAutonomous on; - AdvRouterAddr on; - }; - RDNSS 2001:4860:4860::8888 2001:4860:4860::8844 { - }; - }; - ''; + externalInterface = cnf.wan; + internalInterfaces = ["brlan" "brguest"]; }; - kresd = {enable = false;}; }; - systemd.services.kea-dhcp4-server.after = [ - "sys-subsystem-net-devices-brlan.device" - "sys-subsystem-net-devices-brguest.device" - ]; - networking.nftables.enable = true; - networking.firewall = { - filterForward = true; - extraForwardRules = '' - iifname "brguest" oifname != "${cnf.wan}" drop comment "prevent guest to access lan" - ''; + services.resolved = { + enable = true; + dnssec = "true"; + fallbackDns = ["1.1.1.1" "8.8.8.8"]; }; + + #networking = { + # interfaces = { + # brlan.ipv4.addresses = [ + # { + # address = cnf.lanIP; + # prefixLength = cnf.lanPrefix; + # } + # ]; + # brguest.ipv4.addresses = [ + # { + # address = "192.168.1.1"; + # prefixLength = 24; + # } + # ]; + # }; + # vlans = { + # "brlan.guest" = { + # interface = "brlan"; + # id = 100; + # }; + # }; + # bridges = { + # brlan.interfaces = []; + # brguest.interfaces = ["brlan.guest"]; + # }; + # nat = { + # enable = true; + # externalInterface = cnf.wan; + # internalInterfaces = ["brlan" "brguest"]; + # }; + # dhcpcd = { + # allowInterfaces = [cnf.wan]; + # extraConfig = '' + # duid + # noipv6rs + # waitip 6 + + # interface ${cnf.wan} + # ipv6rs + # iaid 1 + + # ia_pd 1 brlan + # #ia_pd 1/::/64 LAN/0/64 + #toString ''; + # }; + #nameservers = ["1.1.1.1" "8.8.8.8"]; + #}; + + #services = { + # kea = { + # dhcp4 = { + # enable = true; + # settings = { + # lease-database = { + # name = "/var/lib/kea/dhcp4.leases"; + # persist = true; + # type = "memfile"; + # }; + # valid-lifetime = 4000; + # renew-timer = 1000; + # rebind-timer = 2000; + # interfaces-config = { + # interfaces = ["brlan" "brguest"]; + # service-sockets-max-retries = -1; + # }; + # option-data = [ + # { + # name = "domain-name-servers"; + # data = "1.1.1.1, 8.8.8.8"; + # } + # ]; + # subnet4 = [ + # { + # 
interface = "brlan"; + # subnet = "${ipv4.prefix2ip cnf.lanIP cnf.lanPrefix}/${toString cnf.lanPrefix}"; + # pools = let + # ip_start = ipv4.ipAdd cnf.lanIP cnf.lanPrefix cnf.dynIPStart; + # ip_end = ipv4.ipAdd cnf.lanIP cnf.lanPrefix (cnf.dynIPStart + cnf.dynIPCount); + # in [{pool = "${ip_start} - ${ip_end}";}]; + # option-data = [ + # { + # name = "routers"; + # data = cnf.lanIP; + # } + # ]; + # reservations = [ + # { + # duid = "e4:6f:13:f3:d5:be"; + # ip-address = ipv4.ipAdd cnf.lanIP cnf.lanPrefix 60; + # } + # ]; + # } + # { + # interface = "brguest"; + # subnet = "192.168.1.0/24"; + # pools = [{pool = "192.168.1.50 - 192.168.1.254";}]; + # "option-data" = [ + # { + # name = "routers"; + # data = "192.168.1.1"; + # } + # ]; + # } + # ]; + # }; + # }; + # }; + # radvd = { + # enable = true; + # config = '' + # interface brlan { + # AdvSendAdvert on; + # MinRtrAdvInterval 3; + # MaxRtrAdvInterval 10; + # prefix ::/64 { + # AdvOnLink on; + # AdvAutonomous on; + # AdvRouterAddr on; + # }; + # RDNSS 2001:4860:4860::8888 2001:4860:4860::8844 { + # }; + # }; + # ''; + # }; + # kresd = {enable = false;}; + #}; + #systemd.services.kea-dhcp4-server.after = [ + # "sys-subsystem-net-devices-brlan.device" + # "sys-subsystem-net-devices-brguest.device" + #]; }; } -- cgit v1.2.3
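Review bot: The `brlan` network sets `VLAN = ["brlan.brguest"]`, but no netdev with `Kind = "vlan"` and that name is declared under `netdevs`, and nothing enslaves it to the `brguest` bridge, so unless it is defined elsewhere in the file the guest bridge is left with no member port (the removed config had `brlan.guest`, id 100, bridged into `brguest`). The fence below adds the vlan netdev and a network section that attaches it to `brguest`; the id 100 is carried over from the old config and should be adjusted if the switch side expects a different tag. Separately, `allowedUDPPorts = [53 67 68]` and `allowedTCPPorts = [53]` on both bridges open a DNS port that, as far as this hunk shows, nothing listens on — clients are handed `DNS = "1.1.1.1"` directly and resolved is not configured with a LAN-facing stub — so dropping 53 keeps the router's exposed surface on those bridges to DHCP only. The `IPv6SendRA` sections also carry no `ipv6SendRAConfig` DNS setting where the removed radvd config advertised RDNSS, so it is worth confirming what resolver IPv6 clients end up with. Finally, the roughly 120 lines of commented-out old configuration at the end of the hunk should be deleted rather than kept (git history preserves them, and the stray `#toString '';` line shows they are already drifting).
```nix
netdevs = {
  # … unchanged: brlan and brguest bridge netdevs …
  "brlan.brguest" = {
    netdevConfig = {
      Kind = "vlan";
      Name = "brlan.brguest";
    };
    vlanConfig.Id = 100; # tag carried over from the former `brlan.guest` vlan
  };
};
networks = {
  # … unchanged: wan, brlan and brguest networks …
  "brlan.brguest" = {
    matchConfig.Name = "brlan.brguest";
    networkConfig.Bridge = "brguest";
  };
};
```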