nix/host/x86_64-linux/home/Network.nix

202 lines
5.6 KiB
Nix
Raw Normal View History

2024-12-02 08:59:02 +03:00
# 10.0.0.0/24 & fd09:8d46:0b26::/48 - phys clients (lan).
2024-12-02 21:12:45 +03:00
# 10.0.1.0/24 - vpn clients.
{
2024-11-04 04:37:29 +03:00
config,
2024-11-30 14:14:35 +03:00
const,
2024-11-04 04:37:29 +03:00
lib,
util,
...
}: let
2024-12-02 21:12:45 +03:00
internal = "10.0.0.1"; # Lan host IP address.
internal6 = "fd09:8d46:b26:0:8079:82ff:fe1a:916a"; # Lan host IP6 address.
2024-11-04 04:37:29 +03:00
lan = "br0"; # Lan interface.
wan = "enp8s0"; # Wan interface.
in {
# Disable SSH access from everywhere, configure access bellow.
services.openssh.openFirewall = false;
2024-12-02 21:12:45 +03:00
# Disable systemd-resolved for DNS server.
services.resolved.enable = false;
2024-11-30 14:14:35 +03:00
# NOTE: Debugging.
# systemd.services."systemd-networkd".environment.SYSTEMD_LOG_LEVEL = "debug";
2024-11-29 01:44:48 +03:00
# Wan configuration.
2024-11-30 14:14:35 +03:00
# REF: https://nixos.wiki/wiki/Systemd-networkd
2024-11-30 17:57:25 +03:00
# REF: man 5 systemd.network
2024-11-30 14:53:20 +03:00
# REF: Wifi config: https://openwrt.org/docs/guide-user/network/wifi/wifiextenders/bridgedap#wireless_access_point_-_dumb_access_point
2024-11-29 01:44:48 +03:00
systemd.network = {
2024-11-30 14:14:35 +03:00
enable = true;
2024-11-29 01:44:48 +03:00
networks = {
"10-${wan}" = {
matchConfig.Name = wan;
linkConfig.RequiredForOnline = "carrier";
dhcpV4Config = {
ClientIdentifier = "mac";
2024-11-29 03:31:59 +03:00
UseDNS = false;
UseRoutes = true;
2024-11-29 01:44:48 +03:00
};
dhcpV6Config = {
2024-11-29 03:31:59 +03:00
DUIDRawData = "00:03:00:01:a8:a1:59:47:fd:a2";
DUIDType = "vendor";
UseDNS = false;
WithoutRA = "solicit";
# PrefixDelegationHint = "::/56";
2024-11-29 01:44:48 +03:00
};
networkConfig = {
DHCP = "yes";
2024-11-29 03:31:59 +03:00
DNS = "1.1.1.1";
2024-11-29 09:41:15 +03:00
IPv6AcceptRA = true;
2024-11-29 03:31:59 +03:00
IPv6SendRA = false;
DHCPPrefixDelegation = true;
};
dhcpPrefixDelegationConfig = {
UplinkInterface = ":self";
SubnetId = 0;
Announce = false;
2024-11-29 01:44:48 +03:00
};
};
"20-enp6s0f0" = {
linkConfig.RequiredForOnline = "enslaved";
2024-11-29 03:31:59 +03:00
matchConfig.Name = "enp6s0f0";
networkConfig.Bridge = lan;
2024-11-29 01:44:48 +03:00
};
"20-enp6s0f1" = {
linkConfig.RequiredForOnline = "enslaved";
2024-11-29 03:31:59 +03:00
matchConfig.Name = "enp6s0f1";
networkConfig.Bridge = lan;
2024-11-29 01:44:48 +03:00
};
"20-enp7s0f0" = {
linkConfig.RequiredForOnline = "enslaved";
2024-11-29 03:31:59 +03:00
matchConfig.Name = "enp7s0f0";
networkConfig.Bridge = lan;
2024-11-29 01:44:48 +03:00
};
"20-enp7s0f1" = {
linkConfig.RequiredForOnline = "enslaved";
2024-11-29 03:31:59 +03:00
matchConfig.Name = "enp7s0f1";
networkConfig.Bridge = lan;
2024-11-29 01:44:48 +03:00
};
"30-${lan}" = {
matchConfig.Name = lan;
linkConfig.RequiredForOnline = "carrier";
address = [
2024-12-02 08:59:02 +03:00
"${internal}/24"
2024-12-02 21:12:45 +03:00
# "${internal6}/48"
2024-11-29 01:44:48 +03:00
];
2024-11-29 03:31:59 +03:00
networkConfig = {
DHCPPrefixDelegation = true;
2024-11-30 14:14:35 +03:00
DHCPServer = true;
2024-11-29 03:31:59 +03:00
IPv6AcceptRA = false;
2024-11-29 09:41:15 +03:00
IPv6SendRA = true;
2024-11-29 03:31:59 +03:00
};
ipv6SendRAConfig = {
2024-12-02 08:59:02 +03:00
EmitDNS = true;
DNS = internal6;
2024-11-29 03:31:59 +03:00
};
2024-12-02 08:59:02 +03:00
ipv6Prefixes = [
{
2024-12-02 21:12:45 +03:00
Assign = true;
2024-12-02 08:59:02 +03:00
Prefix = "${internal6}/64";
}
];
2024-11-29 03:31:59 +03:00
dhcpPrefixDelegationConfig = {
Announce = true;
2024-11-30 14:14:35 +03:00
SubnetId = 1;
UplinkInterface = wan;
};
dhcpServerConfig = {
2024-12-02 08:59:02 +03:00
DNS = internal;
2024-11-30 14:14:35 +03:00
DefaultLeaseTimeSec = "12h";
EmitDNS = true;
EmitNTP = true;
EmitRouter = true;
EmitTimezone = true;
MaxLeaseTimeSec = "24h";
PoolOffset = 100;
PoolSize = 150;
2024-12-02 08:59:02 +03:00
ServerAddress = "${internal}/24";
2024-11-30 14:14:35 +03:00
Timezone = const.timeZone;
UplinkInterface = wan;
2024-11-29 03:31:59 +03:00
};
2024-11-30 14:14:35 +03:00
dhcpServerStaticLeases = let
2024-12-02 21:12:45 +03:00
mkStatic = Address: MACAddress: { inherit Address MACAddress; };
2024-11-30 14:14:35 +03:00
in [
# TODO: Add pocket.
2024-11-30 14:34:40 +03:00
(mkStatic "10.0.0.2" "9c:9d:7e:8e:3d:c7") # Wifi AP.
2024-11-30 14:14:35 +03:00
(mkStatic "10.0.0.3" "d8:bb:c1:cc:da:30") # Desktop.
(mkStatic "10.0.0.4" "2c:be:eb:52:53:2b") # Phone.
(mkStatic "10.0.0.5" "14:85:7f:eb:6c:25") # Work.
(mkStatic "10.0.0.6" "08:38:e6:31:54:b6") # Tablet.
(mkStatic "10.0.0.7" "2c:f0:5d:3b:07:78") # Dasha.
(mkStatic "10.0.0.8" "ac:5f:ea:ef:b5:05") # Dasha phone.
(mkStatic "10.0.0.9" "10:b1:df:ea:18:57") # Laptop.
(mkStatic "10.0.0.10" "9c:1c:37:62:3f:d5") # Printer.
(mkStatic "10.0.0.11" "dc:a6:32:f5:77:95") # RPi.
(mkStatic "10.0.0.12" "ec:9c:32:ad:bc:4a") # Camera.
];
2024-11-29 01:44:48 +03:00
};
};
2024-11-04 04:37:29 +03:00
2024-11-29 01:44:48 +03:00
netdevs = {
"10-${lan}" = {
netdevConfig = {
Kind = "bridge";
Name = lan;
};
};
};
};
networking = {
2024-11-30 14:14:35 +03:00
dhcpcd.enable = false;
useDHCP = false;
useNetworkd = true;
networkmanager.enable = lib.mkForce false;
2024-11-04 04:37:29 +03:00
firewall = {
enable = true;
2024-11-24 22:47:57 +03:00
allowPing = true;
rejectPackets = false; # Drop.
logRefusedConnections = false;
logReversePathDrops = false;
logRefusedPackets = false;
logRefusedUnicastsOnly = true;
2024-12-02 21:12:45 +03:00
extraCommands = util.trimTabs ''
# Wan access for 10.0.0.0/8 subnet.
iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -d 0/0 -o ${wan} -j MASQUERADE
2024-11-04 04:37:29 +03:00
# Full access from Lan.
iptables -I INPUT -j ACCEPT -i ${lan} -d ${internal}
2024-12-02 08:59:02 +03:00
ip6tables -I INPUT -j ACCEPT -i ${lan} -d ${internal6}
2024-11-30 14:14:35 +03:00
# Allow DHCP.
iptables -I INPUT -j ACCEPT -i ${lan} -p udp --dport 67
2024-12-02 21:12:45 +03:00
# Public email server.
ip46tables -I INPUT -j ACCEPT -i ${wan} -p tcp --dport 25
# Public VPN service.
ip46tables -I INPUT -j ACCEPT -i ${wan} -p udp --dport 22145
iptables -I INPUT -j ACCEPT -s 10.0.1.0/24 -d ${internal}
# Public Nginx.
ip46tables -I INPUT -j ACCEPT -i ${wan} -p tcp --dport 443
# Deluge torrenting ports.
ip46tables -I INPUT -j ACCEPT -i ${wan} -p tcp --dport 54630
ip46tables -I INPUT -j ACCEPT -i ${wan} -p udp --dport 54630
ip46tables -I INPUT -j ACCEPT -i ${wan} -p tcp --dport 54631
ip46tables -I INPUT -j ACCEPT -i ${wan} -p udp --dport 54631
# Terraria server.
ip46tables -I INPUT -j ACCEPT -i ${wan} -p tcp --dport 22777
# Public SSH access.
# ip46tables -I INPUT -j ACCEPT -i ${wan} -p tcp --dport 22143
'';
2024-11-04 04:37:29 +03:00
};
};
2024-03-29 09:05:08 +03:00
}