From 9e7eca47bb3ddb6e88720cfcb28c995acbb072c1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Karel=20Ko=C4=8D=C3=AD?= <cynerd@email.cz>
Date: Sat, 17 Feb 2024 12:18:48 +0100
Subject: spt-omnia: deploy
---
nixos/routers/router.nix | 145 +++++++++++++++++++++++++----------------------
1 file changed, 76 insertions(+), 69 deletions(-)
(limited to 'nixos/routers')
diff --git a/nixos/routers/router.nix b/nixos/routers/router.nix
index a3fc0c1..5aa6cc6 100644
--- a/nixos/routers/router.nix
+++ b/nixos/routers/router.nix
@@ -2,8 +2,8 @@
config,
lib,
...
-}:
-with lib; let
+}: let
+ inherit (lib) mkOption types mkIf mapAttrsToList;
cnf = config.cynerd.router;
in {
options = {
@@ -36,6 +36,14 @@ in {
default = 24;
description = "LAN IP network prefix length";
};
+ staticLeases = mkOption {
+ type = with types; attrsOf str;
+ default = {};
+ example = ''
+ {"xx:xx:xx:xx:xx:xx" = "10.8.1.30";}
+ '';
+ description = "Mapping of MAC address to IP address";
+ };
};
};
@@ -44,25 +52,21 @@ in {
useNetworkd = true;
nftables.enable = true;
firewall = {
+ logRefusedConnections = false;
interfaces = {
- "brlan" = {
- allowedUDPPorts = [53 67 68];
- allowedTCPPorts = [53];
- };
- #"guest" = {
- # allowedUDPPorts = [53 67 68];
- # allowedTCPPorts = [53];
- #};
+ "home" = {allowedUDPPorts = [67 68];};
+ "guest" = {allowedUDPPorts = [67 68];};
};
+ rejectPackets = true;
filterForward = true;
- #extraForwardRules = ''
- # iifname "guest" oifname != "${cnf.wan}" drop comment "prevent guest to access brlan"
- #'';
+ extraForwardRules = ''
+ iifname "guest" oifname != "${cnf.wan}" drop comment "prevent guest to access other networks"
+ '';
};
nat = {
enable = true;
externalInterface = cnf.wan;
- internalInterfaces = ["brlan"];
+ internalInterfaces = ["home" "guest"];
};
};
@@ -73,43 +77,38 @@ in {
Kind = "bridge";
Name = "brlan";
};
- #extraConfig = ''
- # [Bridge]
- # DefaultPVID=none
- # VLANFiltering=yes
- #'';
+ extraConfig = ''
+ [Bridge]
+ DefaultPVID=none
+ VLANFiltering=yes
+ '';
+ };
+ "home" = {
+ netdevConfig = {
+ Kind = "vlan";
+ Name = "home";
+ };
+ vlanConfig.Id = 1;
+ };
+ "guest" = {
+ netdevConfig = {
+ Kind = "vlan";
+ Name = "guest";
+ };
+ vlanConfig.Id = 2;
};
- #"home" = {
- # netdevConfig = {
- # Kind = "vlan";
- # Name = "home";
- # };
- # vlanConfig.Id = 1;
- #};
- #"guest" = {
- # netdevConfig = {
- # Kind = "vlan";
- # Name = "guest";
- # };
- # vlanConfig.Id = 2;
- #};
};
networks = {
"brlan" = {
matchConfig.Name = "brlan";
- #networkConfig.VLAN = ["home"];
- #bridgeVLANs = [
- # {
- # bridgeVLANConfig = {
- # EgressUntagged = 1;
- # PVID = 1;
- # };
- # }
- # {bridgeVLANConfig.VLAN = 2;}
- #];
- #};
- #"home" = {
- #matchConfig.Name = "home";
+ networkConfig.VLAN = ["home" "guest"];
+ bridgeVLANs = [
+ {bridgeVLANConfig.VLAN = 1;}
+ {bridgeVLANConfig.VLAN = 2;}
+ ];
+ };
+ "home" = {
+ matchConfig.Name = "home";
networkConfig = {
Address = "${cnf.lanIP}/${toString cnf.lanPrefix}";
IPForward = "yes";
@@ -125,35 +124,43 @@ in {
EmitDNS = "yes";
DNS = "1.1.1.1";
};
+ dhcpServerStaticLeases =
+ mapAttrsToList (n: v: {
+ dhcpServerStaticLeaseConfig = {
+ MACAddress = n;
+ Address = v;
+ };
+ })
+ cnf.staticLeases;
dhcpPrefixDelegationConfig = {
UplinkInterface = cnf.wan;
SubnetId = 1;
Announce = "yes";
};
};
- #"guest" = {
- # matchConfig.Name = "guest";
- # networkConfig = {
- # Address = "192.168.1.1/24";
- # IPForward = "yes";
- # DHCPServer = "yes";
- # DHCPPrefixDelegation = "yes";
- # IPv6SendRA = "yes";
- # IPv6AcceptRA = "no";
- # };
- # dhcpServerConfig = {
- # UplinkInterface = cnf.wan;
- # PoolOffset = cnf.dynIPStart;
- # PoolSize = cnf.dynIPCount;
- # EmitDNS = "yes";
- # DNS = "1.1.1.1";
- # };
- # dhcpPrefixDelegationConfig = {
- # UplinkInterface = cnf.wan;
- # SubnetId = 2;
- # Announce = "yes";
- # };
- #};
+ "guest" = {
+ matchConfig.Name = "guest";
+ networkConfig = {
+ Address = "192.168.1.1/24";
+ IPForward = "yes";
+ DHCPServer = "yes";
+ DHCPPrefixDelegation = "yes";
+ IPv6SendRA = "yes";
+ IPv6AcceptRA = "no";
+ };
+ dhcpServerConfig = {
+ UplinkInterface = cnf.wan;
+ PoolOffset = cnf.dynIPStart;
+ PoolSize = cnf.dynIPCount;
+ EmitDNS = "yes";
+ DNS = "1.1.1.1";
+ };
+ dhcpPrefixDelegationConfig = {
+ UplinkInterface = cnf.wan;
+ SubnetId = 2;
+ Announce = "yes";
+ };
+ };
};
wait-online.anyInterface = true;
};
--
cgit v1.2.3