From 9e7eca47bb3ddb6e88720cfcb28c995acbb072c1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Karel=20Ko=C4=8D=C3=AD?= Date: Sat, 17 Feb 2024 12:18:48 +0100 Subject: spt-omnia: deploy --- nixos/machine/spt-omnia.nix | 37 ++++++----- nixos/modules/develop.nix | 4 +- nixos/modules/generic.nix | 4 +- nixos/modules/syncthing.nix | 1 - nixos/routers/router.nix | 145 +++++++++++++++++++++++--------------------- 5 files changed, 102 insertions(+), 89 deletions(-) (limited to 'nixos') diff --git a/nixos/machine/spt-omnia.nix b/nixos/machine/spt-omnia.nix index c0a6ec2..ac4ebdf 100644 --- a/nixos/machine/spt-omnia.nix +++ b/nixos/machine/spt-omnia.nix @@ -3,14 +3,19 @@ lib, pkgs, ... -}: -with lib; { +}: let + hosts = config.cynerd.hosts.spt; +in { config = { cynerd = { router = { enable = true; wan = "pppoe-wan"; - lanIP = config.cynerd.hosts.spt.omnia; + lanIP = hosts.omnia; + staticLeases = { + "a8:a1:59:10:32:c4" = hosts.errol; + "4c:d5:77:0d:85:d9" = hosts.binky; + }; }; wifiAP.spt = { enable = true; @@ -25,7 +30,7 @@ with lib; { channel = 36; }; }; - openvpn.oldpersonal = true; + #openvpn.oldpersonal = true; monitoring.speedtest = true; }; @@ -54,7 +59,7 @@ with lib; { networkConfig = { BindCarrier = "end2.848"; DHCP = "ipv6"; - IPv6AcceptRA = "yes"; + IPv6AcceptRA = "no"; DHCPPrefixDelegation = "yes"; }; dhcpPrefixDelegationConfig = { @@ -67,15 +72,15 @@ with lib; { "lan-brlan" = { matchConfig.Name = "lan*"; networkConfig.Bridge = "brlan"; - #bridgeVLANs = [ - # { - # bridgeVLANConfig = { - # EgressUntagged = 1; - # PVID = 1; - # }; - # } - # {bridgeVLANConfig.VLAN = 2;} - #]; + bridgeVLANs = [ + { + bridgeVLANConfig = { + EgressUntagged = 1; + PVID = 1; + }; + } + {bridgeVLANConfig.VLAN = 2;} + ]; }; }; }; @@ -88,7 +93,6 @@ with lib; { lcp-echo-interval 1 lcp-echo-failure 5 lcp-echo-adaptive - +ipv6 defaultroute defaultroute6 usepeerdns 
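Review bot: `#openvpn.oldpersonal = true;` in the hunk at line 25 leaves the retired tunnel as a commented-out line rather than removing it or saying why it is off, so a later reader cannot tell whether the VPN is gone for good or only paused while something else is tested. Either delete the line or keep it with the reason attached, e.g. `#openvpn.oldpersonal = true; # disabled: <reason/replacement>`. The same applies to any other option this machine file still carries in commented form.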
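Review bot: `IPv6AcceptRA = "no"` on the end2.848 uplink in the hunk at line 54, together with the `+ipv6` line dropped from the pppd options in the hunk at line 88, removes both visible sources of an IPv6 default route while `DHCP = "ipv6"`, `DHCPPrefixDelegation = "yes"` and `defaultroute6` stay in place, so the file now reads as if WAN IPv6 is half enabled. If the pppd in use still negotiates IPv6CP without `+ipv6`, `defaultroute6` installs the route and the RA setting is harmless; if it does not, the delegated prefix is still announced downstream via `IPv6SendRA` in router.nix without a working upstream route. Whichever is intended, a one-line comment on the `IPv6AcceptRA` line such as `# no RA on the uplink: the default route comes from pppd's defaultroute6` (or its opposite) would make the intent checkable instead of inferred.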
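Review bot: The `lan*` match in the hunk at line 67 gives every wired port both PVID 1 (home, untagged) and VLAN 2 (guest, tagged), so the guest VLAN is trunked to ports that may never need it, and any wired device can move itself onto the guest segment by sending frames tagged 2. If the guest VLAN is only consumed by the guest SSID, the `{bridgeVLANConfig.VLAN = 2;}` entry belongs on the port or AP interface that actually carries it, with the remaining `lan*` ports left as untagged PVID 1 members only. A comment on `bridgeVLANs` naming which ports are expected to trunk VLAN 2 would document the decision either way.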
@@ -98,6 +102,9 @@ with lib; { ''; }; systemd.services."pppd-wan".after = ["sys-subsystem-net-devices-end2.848.device"]; + networking.firewall.extraForwardRules = '' + tcp flags syn tcp option maxseg size set rt mtu + ''; services.syncthing = { enable = true; diff --git a/nixos/modules/develop.nix b/nixos/modules/develop.nix index 97c54ee..3ef6ce6 100644 --- a/nixos/modules/develop.nix +++ b/nixos/modules/develop.nix @@ -90,7 +90,6 @@ in { # Network iperf3 - wireshark inetutils # Gtk @@ -116,7 +115,7 @@ in { # Images imagemagick ]; - programs.wireshark.enable = true; + programs.wireshark.package = pkgs.wireshark; documentation = { dev.enable = true; @@ -152,7 +151,6 @@ in { "lxd" "develop" "libvirtd" - "wireshark" ]; }; } diff --git a/nixos/modules/generic.nix b/nixos/modules/generic.nix index a3e8dd1..33d7024 100644 --- a/nixos/modules/generic.nix +++ b/nixos/modules/generic.nix @@ -121,7 +121,7 @@ in { }; cynerd = { group = "cynerd"; - extraGroups = ["users" "wheel" "dialout" "kvm" "uucp"]; + extraGroups = ["users" "wheel" "dialout" "kvm" "uucp" "wireshark"]; uid = 1000; subUidRanges = [ { @@ -155,6 +155,8 @@ in { }; shellrc = true; vim.defaultEditor = mkDefault true; + + wireshark.enable = true; }; security.sudo.extraRules = [ diff --git a/nixos/modules/syncthing.nix b/nixos/modules/syncthing.nix index af6d957..b93ecdb 100644 --- a/nixos/modules/syncthing.nix +++ b/nixos/modules/syncthing.nix @@ -13,7 +13,6 @@ "errol" "lipwig" "ridcully" - "susan" "spt-omnia" ]; mediaDevices = [ diff --git a/nixos/routers/router.nix b/nixos/routers/router.nix index a3fc0c1..5aa6cc6 100644 --- a/nixos/routers/router.nix +++ b/nixos/routers/router.nix @@ -2,8 +2,8 @@ config, lib, ... -}: -with lib; let +}: let + inherit (lib) mkOption types mkIf mapAttrsToList; cnf = config.cynerd.router; in { options = { 
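Review bot: The MSS clamp `tcp flags syn tcp option maxseg size set rt mtu` is added without a comment, and nothing in the hunk says why it is needed or why it lives in the machine file while the other forward rules are in router.nix. A short comment above the option, e.g. `# PPPoE lowers the WAN MTU below 1500; clamp MSS on forwarded SYNs so LAN hosts do not depend on PMTUD working end to end`, would explain both. Note that router.nix also defines `extraForwardRules`; assuming the option is of type `lines`, the two definitions are concatenated in an order this file does not control, which is fine for these two rules but matters for any later rule that must precede the guest `drop`.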
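Review bot: Adding `cynerd` to the `wireshark` group in every host built from generic.nix (together with `wireshark.enable = true;` in the hunk at line 155) gives that account packet capture on all interfaces through the dumpcap capability wrapper, which on a host that also imports router.nix means the forwarded home and guest traffic. The previous placement in develop.nix limited this to development machines, and the commit message does not say why the scope widens. If the wider scope is intended, a comment next to `wireshark.enable` stating so would help; otherwise keep both the group membership and the enable in develop.nix, or gate them on the same condition that selects the develop profile.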
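Review bot: Replacing `with lib;` by `inherit (lib) mkOption types mkIf mapAttrsToList;` is the right direction, but the hunk can only vouch for these four names; any other `lib` function used elsewhere in router.nix (most of the file is outside this hunk) is now unbound and fails only when the module is evaluated. Worth a grep of the file for remaining bare lib identifiers before merging. The `with types;` inside the new option in the hunk at line 36 is unaffected since `types` is in the inherit list.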
@@ -36,6 +36,14 @@ in { default = 24; description = "LAN IP network prefix length"; }; + staticLeases = mkOption { + type = with types; attrsOf str; + default = {}; + example = '' + {"xx:xx:xx:xx:xx:xx" = "10.8.1.30";} + ''; + description = "Mapping of MAC address to IP address"; + }; }; }; @@ -44,25 +52,21 @@ in { useNetworkd = true; nftables.enable = true; firewall = { + logRefusedConnections = false; interfaces = { - "brlan" = { - allowedUDPPorts = [53 67 68]; - allowedTCPPorts = [53]; - }; - #"guest" = { - # allowedUDPPorts = [53 67 68]; - # allowedTCPPorts = [53]; - #}; + "home" = {allowedUDPPorts = [67 68];}; + "guest" = {allowedUDPPorts = [67 68];}; }; + rejectPackets = true; filterForward = true; - #extraForwardRules = '' - # iifname "guest" oifname != "${cnf.wan}" drop comment "prevent guest to access brlan" - #''; + extraForwardRules = '' + iifname "guest" oifname != "${cnf.wan}" drop comment "prevent guest to access other networks" + ''; }; nat = { enable = true; externalInterface = cnf.wan; - internalInterfaces = ["brlan"]; + internalInterfaces = ["home" "guest"]; }; }; 
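Review bot: `type = with types; attrsOf str;` accepts any string as a MAC address key, so a mistyped lease such as a dash-separated or truncated address evaluates fine and is only rejected or ignored by systemd-networkd when it parses `MACAddress=`, which is easy to miss on a router. `type = with types; attrsOf (strMatching "([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}");` would fail at evaluation instead, and the IPv4 value could be constrained the same way. Also, `example` given as a plain string is rendered as a string in the option documentation; `example = lib.literalExpression ''{"xx:xx:xx:xx:xx:xx" = "10.8.1.30";}'';` shows it as a Nix expression.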
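Review bot: The guest isolation in `extraForwardRules` covers only the forward chain; the router's own input chain still treats `guest` like any other interface, so every port the firewall opens globally rather than per interface (openssh's default `openFirewall`, the syncthing instance enabled in spt-omnia.nix, and whatever else this hunk cannot show) stays reachable from the guest segment. The per-interface entry `"guest" = {allowedUDPPorts = [67 68];};` already expresses that DHCP is all the guest should need from the router, so the same intent belongs in the input chain, e.g. `extraInputRules = ''iifname "guest" udp dport != { 67, 68 } drop comment "guest may only use DHCP on the router"'';`. Check where NixOS places `extraInputRules` relative to the ICMPv6/NDP accepts and the per-interface accepts so that router advertisements on the guest VLAN keep working.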
@@ -73,43 +77,38 @@ in { Kind = "bridge"; Name = "brlan"; }; - #extraConfig = '' - # [Bridge] - # DefaultPVID=none - # VLANFiltering=yes - #''; + extraConfig = '' + [Bridge] + DefaultPVID=none + VLANFiltering=yes + ''; + }; + "home" = { + netdevConfig = { + Kind = "vlan"; + Name = "home"; + }; + vlanConfig.Id = 1; + }; + "guest" = { + netdevConfig = { + Kind = "vlan"; + Name = "guest"; + }; + vlanConfig.Id = 2; }; - #"home" = { - # netdevConfig = { - # Kind = "vlan"; - # Name = "home"; - # }; - # vlanConfig.Id = 1; - #}; - #"guest" = { - # netdevConfig = { - # Kind = "vlan"; - # Name = "guest"; - # }; - # vlanConfig.Id = 2; - #}; }; networks = { "brlan" = { matchConfig.Name = "brlan"; - #networkConfig.VLAN = ["home"]; - #bridgeVLANs = [ - # { - # bridgeVLANConfig = { - # EgressUntagged = 1; - # PVID = 1; - # }; - # } - # {bridgeVLANConfig.VLAN = 2;} - #]; - #}; - #"home" = { - #matchConfig.Name = "home"; + networkConfig.VLAN = ["home" "guest"]; + bridgeVLANs = [ + {bridgeVLANConfig.VLAN = 1;} + {bridgeVLANConfig.VLAN = 2;} + ]; + }; + "home" = { + matchConfig.Name = "home"; networkConfig = { Address = "${cnf.lanIP}/${toString cnf.lanPrefix}"; IPForward = "yes"; 
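Review bot: `DefaultPVID=none` with `VLANFiltering=yes` on brlan means any port that joins the bridge without its own `bridgeVLANs` entry gets no PVID and drops every untagged frame; the hunk configures the bridge's self port (`VLAN = 1` and `2` on the `brlan` network) and the machine file covers `lan*`, but whatever the `wifiAP` module attaches to brlan is outside this diff and needs an untagged PVID 1 entry for the home SSID and PVID 2 for the guest SSID. A comment on `extraConfig`, e.g. `# DefaultPVID=none: every bridge member must declare its PVID in its own bridgeVLANs, otherwise it is isolated`, would make that requirement visible where it is set. The `home` network entry continues past the end of the hunk.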
@@ -125,35 +124,43 @@ in { EmitDNS = "yes"; DNS = "1.1.1.1"; }; + dhcpServerStaticLeases = + mapAttrsToList (n: v: { + dhcpServerStaticLeaseConfig = { + MACAddress = n; + Address = v; + }; + }) + cnf.staticLeases; dhcpPrefixDelegationConfig = { UplinkInterface = cnf.wan; SubnetId = 1; Announce = "yes"; }; }; - #"guest" = { - # matchConfig.Name = "guest"; - # networkConfig = { - # Address = "192.168.1.1/24"; - # IPForward = "yes"; - # DHCPServer = "yes"; - # DHCPPrefixDelegation = "yes"; - # IPv6SendRA = "yes"; - # IPv6AcceptRA = "no"; - # }; - # dhcpServerConfig = { - # UplinkInterface = cnf.wan; - # PoolOffset = cnf.dynIPStart; - # PoolSize = cnf.dynIPCount; - # EmitDNS = "yes"; - # DNS = "1.1.1.1"; - # }; - # dhcpPrefixDelegationConfig = { - # UplinkInterface = cnf.wan; - # SubnetId = 2; - # Announce = "yes"; - # }; - #}; + "guest" = { + matchConfig.Name = "guest"; + networkConfig = { + Address = "192.168.1.1/24"; + IPForward = "yes"; + DHCPServer = "yes"; + DHCPPrefixDelegation = "yes"; + IPv6SendRA = "yes"; + IPv6AcceptRA = "no"; + }; + dhcpServerConfig = { + UplinkInterface = cnf.wan; + PoolOffset = cnf.dynIPStart; + PoolSize = cnf.dynIPCount; + EmitDNS = "yes"; + DNS = "1.1.1.1"; + }; + dhcpPrefixDelegationConfig = { + UplinkInterface = cnf.wan; + SubnetId = 2; + Announce = "yes"; + }; + }; }; wait-online.anyInterface = true; }; -- cgit v1.2.3
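Review bot: The guest network hard-codes `Address = "192.168.1.1/24"` while `home` derives its address from `cnf.lanIP`/`cnf.lanPrefix`, so nothing prevents the home LAN from also being configured inside 192.168.1.0/24, which would give two interfaces overlapping routes and the same DHCP pool (guest reuses `cnf.dynIPStart`/`cnf.dynIPCount`) handed out twice. Either add a guest address option next to `lanIP` (the options block is outside this hunk) or at least an assertion that the two prefixes are disjoint, and add a comment on the guest `Address` line saying it is fixed by design if that is the intent. A comment on `dhcpServerStaticLeases` stating whether static-lease addresses are expected to lie outside the `PoolOffset`/`PoolSize` range would also save the next reader a trip to the networkd documentation.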