nix/host/x86_64-linux/home/Network.nix

{ util, config, lib, ... }: let
	internal = "10.0.0.1";        # Lan host IP address.
	external = "188.242.247.132"; # Wan host IP address.
	wifi     = "10.0.0.2";        # Wifi router IP address.

	lan = "br0";    # Lan interface.
	wan = "enp8s0"; # Wan interface.
in {
	# Allow packet routing (we are a router).
	boot.kernel.sysctl = {
		"net.ipv4.conf.all.src_valid_mark" = lib.mkForce 1;
		"net.ipv4.ip_forward" = lib.mkForce 1;
	};

	# Disable SSH access from everywhere, configure access bellow.
	services.openssh.openFirewall = false;

	networking = {
		# Use only external DNS.
		networkmanager.insertNameservers = [
			"1.1.1.1"
			"8.8.8.8"
		];

		# Some extra hosts for local access.
		extraHosts = with config.container.module; util.trimTabs ''
			${git.address} git.voronind.com
			${proxy.address} iot.voronind.com
			${proxy.address} pass.voronind.com
		'';

		firewall = {
			enable = true;
			extraCommands = let
				# Container configs.
				cfg = config.container.module;

				# Const.
				tcp = "tcp";
				udp = "udp";

				# Create port forwarding rule.
				mkForward = src: sport: dst: dport: proto: "iptables -t nat -I PREROUTING -d ${src} -p ${proto} --dport ${toString sport} -j DNAT --to-destination ${dst}:${toString dport}\n";
			in ''
				# Wan access for 10.0.0.0/24 subnet.
				iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -d 0/0 -o ${wan} -j MASQUERADE

				# Full access from VPN clients.
				iptables -I INPUT -j ACCEPT -s ${cfg.vpn.address} -d ${internal}
				iptables -I INPUT -j ACCEPT -s ${cfg.frkn.address} -d ${internal}

				# Full access from Lan.
				iptables -I INPUT -j ACCEPT -i ${lan} -d ${internal}
			''
			# Expose DNS server for internal network.
			+ (mkForward internal cfg.dns.port cfg.dns.address cfg.dns.port tcp)
			+ (mkForward internal cfg.dns.port cfg.dns.address cfg.dns.port udp)

			# Email server.
			+ (mkForward external 25  cfg.mail.address 25  tcp)
			+ (mkForward internal 25  cfg.mail.address 25  tcp)
			+ (mkForward internal 465 cfg.mail.address 465 tcp)
			+ (mkForward internal 993 cfg.mail.address 993 tcp)

			# FRKN internal proxy server.
			+ (mkForward internal cfg.frkn.port     cfg.frkn.address cfg.frkn.port     tcp)
			+ (mkForward internal cfg.frkn.torport  cfg.frkn.address cfg.frkn.torport  tcp)
			+ (mkForward internal cfg.frkn.xrayport cfg.frkn.address cfg.frkn.xrayport tcp)
			+ (mkForward internal cfg.frkn.port     cfg.frkn.address cfg.frkn.port     udp)
			+ (mkForward internal cfg.frkn.torport  cfg.frkn.address cfg.frkn.torport  udp)
			+ (mkForward internal cfg.frkn.xrayport cfg.frkn.address cfg.frkn.xrayport udp)

			# Allow VPN connections from Wan.
			+ (mkForward external cfg.vpn.port cfg.vpn.address cfg.vpn.port udp)

			# Nginx HTTP access from Wan.
			+ (mkForward external cfg.proxy.port cfg.proxy.address cfg.proxy.port tcp)
			+ (mkForward internal cfg.proxy.port cfg.proxy.address cfg.proxy.port tcp)

			# Download ports for torrents.
			+ (mkForward external 54630 cfg.download.address 54630 tcp)
			+ (mkForward external 54631 cfg.download.address 54631 tcp)
			+ (mkForward external 54630 cfg.download.address 54630 udp)
			+ (mkForward external 54631 cfg.download.address 54631 udp)

			# Git ssh connections.
			+ (mkForward external cfg.git.portSsh cfg.git.address cfg.git.portSsh tcp)
			+ (mkForward internal cfg.git.portSsh cfg.git.address cfg.git.portSsh tcp)

			# Print serivce.
			+ (mkForward internal cfg.print.port cfg.print.address cfg.print.port tcp)
			;
		};

		# Create Lan bridge.
		bridges.${lan}.interfaces = [
			"enp6s0f0"
			"enp6s0f1"
			"enp7s0f1"
			"enp7s0f1"
		];

		interfaces = {
			${lan}.ipv4 = {
				# Assign Lan address and subnet.
				addresses = [{
					address      = internal;
					prefixLength = 24;
				}];

				# Assign traffic routes.
				routes = [
					# Wifi 5G clients.
					{
						address      = "192.168.1.0";
						prefixLength = 24;
						via          = wifi;
					}
					# Wifi 2.4G clients.
					{
						address      = "192.168.2.0";
						prefixLength = 24;
						via          = wifi;
					}
				];
			};
		};
	};
}
Home : Make a router! 2024-08-14 02:19:47 +03:00			`{ util, config, lib, ... }: let`
Enable firewall by default & add comments for Home host Network. 2024-08-16 05:18:42 +03:00			`internal = "10.0.0.1"; # Lan host IP address.`
			`external = "188.242.247.132"; # Wan host IP address.`
			`wifi = "10.0.0.2"; # Wifi router IP address.`
Home : Make a router! 2024-08-14 02:19:47 +03:00
Enable firewall by default & add comments for Home host Network. 2024-08-16 05:18:42 +03:00			`lan = "br0"; # Lan interface.`
			`wan = "enp8s0"; # Wan interface.`
Home : Make a router! 2024-08-14 02:19:47 +03:00			`in {`
Enable firewall by default & add comments for Home host Network. 2024-08-16 05:18:42 +03:00			`# Allow packet routing (we are a router).`
Home : Make a router! 2024-08-14 02:19:47 +03:00			`boot.kernel.sysctl = {`
Kernel : Disable latest by default. 2024-08-24 20:20:13 +03:00			`"net.ipv4.conf.all.src_valid_mark" = lib.mkForce 1;`
			`"net.ipv4.ip_forward" = lib.mkForce 1;`
Home : Make a router! 2024-08-14 02:19:47 +03:00			`};`

Enable firewall by default & add comments for Home host Network. 2024-08-16 05:18:42 +03:00			`# Disable SSH access from everywhere, configure access bellow.`
			`services.openssh.openFirewall = false;`

Refactored this mess a bit. 2024-08-02 23:45:19 +03:00			`networking = {`
Enable firewall by default & add comments for Home host Network. 2024-08-16 05:18:42 +03:00			`# Use only external DNS.`
Refactored this mess a bit. 2024-08-02 23:45:19 +03:00			`networkmanager.insertNameservers = [`
			`"1.1.1.1"`
			`"8.8.8.8"`
			`];`
Home : Make a router! 2024-08-14 02:19:47 +03:00
Enable firewall by default & add comments for Home host Network. 2024-08-16 05:18:42 +03:00			`# Some extra hosts for local access.`
Home : Update hosts. 2024-08-24 19:15:30 +03:00			`extraHosts = with config.container.module; util.trimTabs ''`
			`${git.address} git.voronind.com`
			`${proxy.address} iot.voronind.com`
			`${proxy.address} pass.voronind.com`
Refactored this mess a bit. 2024-08-02 23:45:19 +03:00			`'';`
Home : Make a router! 2024-08-14 02:19:47 +03:00
			`firewall = {`
Enable firewall by default & add comments for Home host Network. 2024-08-16 05:18:42 +03:00			`enable = true;`
Home : Make a router! 2024-08-14 02:19:47 +03:00			`extraCommands = let`
Enable firewall by default & add comments for Home host Network. 2024-08-16 05:18:42 +03:00			`# Container configs.`
Home : Make a router! 2024-08-14 02:19:47 +03:00			`cfg = config.container.module;`

Network : Use tcp/udp constants. 2024-08-17 14:52:15 +03:00			`# Const.`
			`tcp = "tcp";`
			`udp = "udp";`

Enable firewall by default & add comments for Home host Network. 2024-08-16 05:18:42 +03:00			`# Create port forwarding rule.`
Home : Make a router! 2024-08-14 02:19:47 +03:00			`mkForward = src: sport: dst: dport: proto: "iptables -t nat -I PREROUTING -d ${src} -p ${proto} --dport ${toString sport} -j DNAT --to-destination ${dst}:${toString dport}\n";`
			`in ''`
Enable firewall by default & add comments for Home host Network. 2024-08-16 05:18:42 +03:00			`# Wan access for 10.0.0.0/24 subnet.`
Home : Make a router! 2024-08-14 02:19:47 +03:00			`iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -d 0/0 -o ${wan} -j MASQUERADE`
Enable firewall by default & add comments for Home host Network. 2024-08-16 05:18:42 +03:00
			`# Full access from VPN clients.`
Home : Allow ssh connection from vpn. 2024-08-14 20:59:42 +03:00			`iptables -I INPUT -j ACCEPT -s ${cfg.vpn.address} -d ${internal}`
Zapret : Rename to Frkn. 2024-09-01 03:43:52 +03:00			`iptables -I INPUT -j ACCEPT -s ${cfg.frkn.address} -d ${internal}`
Enable firewall by default & add comments for Home host Network. 2024-08-16 05:18:42 +03:00
			`# Full access from Lan.`
			`iptables -I INPUT -j ACCEPT -i ${lan} -d ${internal}`
Home : Make a router! 2024-08-14 02:19:47 +03:00			`''`
Enable firewall by default & add comments for Home host Network. 2024-08-16 05:18:42 +03:00			`# Expose DNS server for internal network.`
Network : Use tcp/udp constants. 2024-08-17 14:52:15 +03:00			`+ (mkForward internal cfg.dns.port cfg.dns.address cfg.dns.port tcp)`
			`+ (mkForward internal cfg.dns.port cfg.dns.address cfg.dns.port udp)`
Home : Make a router! 2024-08-14 02:19:47 +03:00
Enable firewall by default & add comments for Home host Network. 2024-08-16 05:18:42 +03:00			`# Email server.`
Network : Use tcp/udp constants. 2024-08-17 14:52:15 +03:00			`+ (mkForward external 25 cfg.mail.address 25 tcp)`
			`+ (mkForward internal 25 cfg.mail.address 25 tcp)`
			`+ (mkForward internal 465 cfg.mail.address 465 tcp)`
			`+ (mkForward internal 993 cfg.mail.address 993 tcp)`
Home : Make a router! 2024-08-14 02:19:47 +03:00
Enable firewall by default & add comments for Home host Network. 2024-08-16 05:18:42 +03:00			`# FRKN internal proxy server.`
Zapret : Rename to Frkn. 2024-09-01 03:43:52 +03:00			`+ (mkForward internal cfg.frkn.port cfg.frkn.address cfg.frkn.port tcp)`
			`+ (mkForward internal cfg.frkn.torport cfg.frkn.address cfg.frkn.torport tcp)`
			`+ (mkForward internal cfg.frkn.xrayport cfg.frkn.address cfg.frkn.xrayport tcp)`
			`+ (mkForward internal cfg.frkn.port cfg.frkn.address cfg.frkn.port udp)`
			`+ (mkForward internal cfg.frkn.torport cfg.frkn.address cfg.frkn.torport udp)`
			`+ (mkForward internal cfg.frkn.xrayport cfg.frkn.address cfg.frkn.xrayport udp)`
Home : Make a router! 2024-08-14 02:19:47 +03:00
Enable firewall by default & add comments for Home host Network. 2024-08-16 05:18:42 +03:00			`# Allow VPN connections from Wan.`
Network : Use tcp/udp constants. 2024-08-17 14:52:15 +03:00			`+ (mkForward external cfg.vpn.port cfg.vpn.address cfg.vpn.port udp)`
Home : Make a router! 2024-08-14 02:19:47 +03:00
Enable firewall by default & add comments for Home host Network. 2024-08-16 05:18:42 +03:00			`# Nginx HTTP access from Wan.`
Network : Use tcp/udp constants. 2024-08-17 14:52:15 +03:00			`+ (mkForward external cfg.proxy.port cfg.proxy.address cfg.proxy.port tcp)`
			`+ (mkForward internal cfg.proxy.port cfg.proxy.address cfg.proxy.port tcp)`
Home : Make a router! 2024-08-14 02:19:47 +03:00
Enable firewall by default & add comments for Home host Network. 2024-08-16 05:18:42 +03:00			`# Download ports for torrents.`
Network : Use tcp/udp constants. 2024-08-17 14:52:15 +03:00			`+ (mkForward external 54630 cfg.download.address 54630 tcp)`
			`+ (mkForward external 54631 cfg.download.address 54631 tcp)`
			`+ (mkForward external 54630 cfg.download.address 54630 udp)`
			`+ (mkForward external 54631 cfg.download.address 54631 udp)`
Git : Enable ssh. 2024-08-24 18:01:30 +03:00
			`# Git ssh connections.`
			`+ (mkForward external cfg.git.portSsh cfg.git.address cfg.git.portSsh tcp)`
			`+ (mkForward internal cfg.git.portSsh cfg.git.address cfg.git.portSsh tcp)`
Home : Forward printing port. 2024-08-29 21:53:30 +03:00
			`# Print serivce.`
			`+ (mkForward internal cfg.print.port cfg.print.address cfg.print.port tcp)`
Home : Make a router! 2024-08-14 02:19:47 +03:00			`;`
			`};`

Enable firewall by default & add comments for Home host Network. 2024-08-16 05:18:42 +03:00			`# Create Lan bridge.`
			`bridges.${lan}.interfaces = [`
Home : Make a router! 2024-08-14 02:19:47 +03:00			`"enp6s0f0"`
			`"enp6s0f1"`
Home : Add inactive ports to the bridge. 2024-09-13 22:22:17 +03:00			`"enp7s0f1"`
			`"enp7s0f1"`
Home : Make a router! 2024-08-14 02:19:47 +03:00			`];`

			`interfaces = {`
Home : Allow ssh connection from vpn. 2024-08-14 20:59:42 +03:00			`${lan}.ipv4 = {`
Enable firewall by default & add comments for Home host Network. 2024-08-16 05:18:42 +03:00			`# Assign Lan address and subnet.`
Home : Make a router! 2024-08-14 02:19:47 +03:00			`addresses = [{`
			`address = internal;`
			`prefixLength = 24;`
			`}];`
Enable firewall by default & add comments for Home host Network. 2024-08-16 05:18:42 +03:00
			`# Assign traffic routes.`
Home : Make a router! 2024-08-14 02:19:47 +03:00			`routes = [`
Enable firewall by default & add comments for Home host Network. 2024-08-16 05:18:42 +03:00			`# Wifi 5G clients.`
Home : Make a router! 2024-08-14 02:19:47 +03:00			`{`
			`address = "192.168.1.0";`
			`prefixLength = 24;`
			`via = wifi;`
			`}`
Enable firewall by default & add comments for Home host Network. 2024-08-16 05:18:42 +03:00			`# Wifi 2.4G clients.`
Home : Make a router! 2024-08-14 02:19:47 +03:00			`{`
			`address = "192.168.2.0";`
			`prefixLength = 24;`
			`via = wifi;`
			`}`
			`];`
			`};`
			`};`
Refactored this mess a bit. 2024-08-02 23:45:19 +03:00			`};`
Host : Split configs to modules. 2024-03-29 09:05:08 +03:00			`}`