From 9e7eca47bb3ddb6e88720cfcb28c995acbb072c1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Karel=20Ko=C4=8D=C3=AD?= <cynerd@email.cz>
Date: Sat, 17 Feb 2024 12:18:48 +0100
Subject: spt-omnia: deploy

---
 nixos/routers/router.nix | 145 +++++++++++++++++++++++++----------------------
 1 file changed, 76 insertions(+), 69 deletions(-)


diff --git a/nixos/routers/router.nix b/nixos/routers/router.nix
index a3fc0c1..5aa6cc6 100644
--- a/nixos/routers/router.nix
+++ b/nixos/routers/router.nix
@@ -2,8 +2,8 @@
   config,
   lib,
   ...
-}:
-with lib; let
+}: let
+  inherit (lib) mkOption types mkIf mapAttrsToList;
   cnf = config.cynerd.router;
 in {
   options = {
@@ -36,6 +36,14 @@ in {
         default = 24;
         description = "LAN IP network prefix length";
       };
+      staticLeases = mkOption {
+        type = with types; attrsOf str;
+        default = {};
+        example = ''
+          {"xx:xx:xx:xx:xx:xx" = "10.8.1.30";}
+        '';
+        description = "Mapping of MAC address to IP address";
+      };
     };
   };
 
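Review bot: `staticLeases` is typed `attrsOf str`, so a mistyped MAC or an address outside the home subnet is only caught when networkd parses the lease at runtime, and the description does not say the leases are applied only to the `home` DHCP server (the later hunk attaches them to `home`, not `guest`). Tighten the value type with e.g. `type = with types; attrsOf (strMatching "([0-9]{1,3}\\.){3}[0-9]{1,3}");` (shape check only; it cannot verify the subnet) and change the description to `"Static DHCP leases for the home network: MAC address to IPv4 address, which must lie inside lanIP/lanPrefix"`. The `example` is a plain string; wrapping it in `lib.literalExpression` would render it as Nix in generated docs.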
@@ -44,25 +52,21 @@ in {
       useNetworkd = true;
       nftables.enable = true;
       firewall = {
+        logRefusedConnections = false;
         interfaces = {
-          "brlan" = {
-            allowedUDPPorts = [53 67 68];
-            allowedTCPPorts = [53];
-          };
-          #"guest" = {
-          #  allowedUDPPorts = [53 67 68];
-          #  allowedTCPPorts = [53];
-          #};
+          "home" = {allowedUDPPorts = [67 68];};
+          "guest" = {allowedUDPPorts = [67 68];};
         };
+        rejectPackets = true;
         filterForward = true;
-        #extraForwardRules = ''
-        #  iifname "guest" oifname != "${cnf.wan}" drop comment "prevent guest to access brlan"
-        #'';
+        extraForwardRules = ''
+          iifname "guest" oifname != "${cnf.wan}" drop comment "prevent guest to access other networks"
+        '';
       };
       nat = {
         enable = true;
         externalInterface = cnf.wan;
-        internalInterfaces = ["brlan"];
+        internalInterfaces = ["home" "guest"];
       };
     };
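Review bot: The drop in `extraForwardRules` isolates forwarded guest traffic only; it does nothing for traffic aimed at the router itself, so any port opened through the global `networking.firewall.allowedTCPPorts`/`allowedUDPPorts` (not visible in this hunk, if set at all) would be reachable from the `guest` VLAN as well, since those apply to every interface. Keep router services under `firewall.interfaces.<name>` as this hunk does for DHCP, rather than the global lists, and note it in a comment such as `# guest isolation: forward-only; router-side services must be opened per interface, never globally`. Separately, UDP 68 is the DHCP client port — the router serves on 67 and both VLAN interfaces get static `Address` values later in the patch — so `allowedUDPPorts = [67];` appears sufficient unless the router is also a DHCP client on these VLANs. With `logRefusedConnections = false` the guest drops leave no trace; if visibility into isolation hits matters, a `log prefix "guest-fwd-drop: "` before `drop` is the cheap fix.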
 
@@ -73,43 +77,38 @@ in {
             Kind = "bridge";
             Name = "brlan";
           };
-          #extraConfig = ''
-          #  [Bridge]
-          #  DefaultPVID=none
-          #  VLANFiltering=yes
-          #'';
+          extraConfig = ''
+            [Bridge]
+            DefaultPVID=none
+            VLANFiltering=yes
+          '';
+        };
+        "home" = {
+          netdevConfig = {
+            Kind = "vlan";
+            Name = "home";
+          };
+          vlanConfig.Id = 1;
+        };
+        "guest" = {
+          netdevConfig = {
+            Kind = "vlan";
+            Name = "guest";
+          };
+          vlanConfig.Id = 2;
         };
-        #"home" = {
-        #  netdevConfig = {
-        #    Kind = "vlan";
-        #    Name = "home";
-        #  };
-        #  vlanConfig.Id = 1;
-        #};
-        #"guest" = {
-        #  netdevConfig = {
-        #    Kind = "vlan";
-        #    Name = "guest";
-        #  };
-        #  vlanConfig.Id = 2;
-        #};
       };
       networks = {
         "brlan" = {
           matchConfig.Name = "brlan";
-          #networkConfig.VLAN = ["home"];
-          #bridgeVLANs = [
-          #  {
-          #    bridgeVLANConfig = {
-          #      EgressUntagged = 1;
-          #      PVID = 1;
-          #    };
-          #  }
-          #  {bridgeVLANConfig.VLAN = 2;}
-          #];
-        #};
-        #"home" = {
-          #matchConfig.Name = "home";
+          networkConfig.VLAN = ["home" "guest"];
+          bridgeVLANs = [
+            {bridgeVLANConfig.VLAN = 1;}
+            {bridgeVLANConfig.VLAN = 2;}
+          ];
+        };
+        "home" = {
+          matchConfig.Name = "home";
           networkConfig = {
             Address = "${cnf.lanIP}/${toString cnf.lanPrefix}";
             IPForward = "yes";
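Review bot: The trusted `home` network is placed on VLAN 1 (`vlanConfig.Id = 1;` and `bridgeVLANConfig.VLAN = 1;`), which is the default/native VLAN on most managed switches, so a trunk port whose untagged side is left at its default would inject frames into the trusted segment; an ID other than 1 (e.g. `vlanConfig.Id = 10;` with the matching `bridgeVLANConfig.VLAN = 10;`) avoids that class of misconfiguration, though it must be coordinated with the bridge member ports, which are not in this file. The `DefaultPVID=none` / `VLANFiltering=yes` pair is the part that makes the isolation hold and deserves a comment, e.g. `# VLAN-filtering bridge with no default PVID: a member port without explicit bridgeVLANs has no PVID, so untagged frames on it are dropped instead of landing in a VLAN`. The `"home"` network attrset starts here but continues past the end of this hunk.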
@@ -125,35 +124,43 @@ in {
             EmitDNS = "yes";
             DNS = "1.1.1.1";
           };
+          dhcpServerStaticLeases =
+            mapAttrsToList (n: v: {
+              dhcpServerStaticLeaseConfig = {
+                MACAddress = n;
+                Address = v;
+              };
+            })
+            cnf.staticLeases;
           dhcpPrefixDelegationConfig = {
             UplinkInterface = cnf.wan;
             SubnetId = 1;
             Announce = "yes";
           };
         };
-        #"guest" = {
-        #  matchConfig.Name = "guest";
-        #  networkConfig = {
-        #    Address = "192.168.1.1/24";
-        #    IPForward = "yes";
-        #    DHCPServer = "yes";
-        #    DHCPPrefixDelegation = "yes";
-        #    IPv6SendRA = "yes";
-        #    IPv6AcceptRA = "no";
-        #  };
-        #  dhcpServerConfig = {
-        #    UplinkInterface = cnf.wan;
-        #    PoolOffset = cnf.dynIPStart;
-        #    PoolSize = cnf.dynIPCount;
-        #    EmitDNS = "yes";
-        #    DNS = "1.1.1.1";
-        #  };
-        #  dhcpPrefixDelegationConfig = {
-        #    UplinkInterface = cnf.wan;
-        #    SubnetId = 2;
-        #    Announce = "yes";
-        #  };
-        #};
+        "guest" = {
+          matchConfig.Name = "guest";
+          networkConfig = {
+            Address = "192.168.1.1/24";
+            IPForward = "yes";
+            DHCPServer = "yes";
+            DHCPPrefixDelegation = "yes";
+            IPv6SendRA = "yes";
+            IPv6AcceptRA = "no";
+          };
+          dhcpServerConfig = {
+            UplinkInterface = cnf.wan;
+            PoolOffset = cnf.dynIPStart;
+            PoolSize = cnf.dynIPCount;
+            EmitDNS = "yes";
+            DNS = "1.1.1.1";
+          };
+          dhcpPrefixDelegationConfig = {
+            UplinkInterface = cnf.wan;
+            SubnetId = 2;
+            Announce = "yes";
+          };
+        };
       };
       wait-online.anyInterface = true;
     };
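Review bot: The guest network is hard-coded to `Address = "192.168.1.1/24"` while its DHCP pool reuses `cnf.dynIPStart`/`cnf.dynIPCount`, which were sized for the home LAN's `lanPrefix` (default 24); if `lanPrefix` is ever changed the guest pool silently stops matching its /24, and 192.168.1.0/24 is the common default subnet of upstream CPE devices, so a WAN on that range would collide with it. Mirror the home options with `guestIP`/`guestPrefix` (and ideally a separate pool) and write `Address = "${cnf.guestIP}/${toString cnf.guestPrefix}";` here, keeping 192.168.1.1/24 as the option defaults to stay backward compatible. Both DHCP servers also repeat `DNS = "1.1.1.1"`; one `dns` option (or a `let` binding) would keep them in sync. The `"home"` network attrset that the new `dhcpServerStaticLeases` belongs to begins before this hunk.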
-- 