Home : Make a router!

This commit is contained in:
Dmitry Voronin 2024-08-14 02:19:47 +03:00
parent e1d1da934d
commit d57fd86708
Signed by: voronind
SSH key fingerprint: SHA256:3kBb4iV2ahufEBNq+vFbUe4QYfHt98DHQjN7QaptY9k
15 changed files with 124 additions and 97 deletions


@ -17,18 +17,6 @@ in {
config = mkIf cfg.enable {
containers.dns = container.mkContainer cfg {
forwardPorts = [
{
containerPort = cfg.port;
hostPort = cfg.port;
protocol = "udp";
} {
containerPort = cfg.port;
hostPort = cfg.port;
protocol = "tcp";
}
];
config = { ... }: container.mkContainerConfig cfg {
environment.systemPackages = [
pkgs.cloudflared
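Review bot: With `forwardPorts` removed here (and in the same way in the mail, proxy, vpn and zapret hunks), reachability of these containers now rests entirely on the router's PREROUTING DNAT rules, which match on destination address (`-d ${internal}` / `-d ${external}`) rather than on an interface. Two behavioural differences follow: PREROUTING never sees packets the router itself originates (the host resolving against `cfg.dns.address` or delivering to the mail container goes through OUTPUT and is not rewritten), and services that were exposed on every host address are now limited to the listed ones — a tightening for 465/993 (internal only) that is presumably intended. If host-local access is still needed, an equivalent `iptables -t nat -A OUTPUT ... -j DNAT` rule or direct use of the container address is required; a short comment on this `containers.dns` block pointing at the router config would spare the next reader the search. The enclosing `config = mkIf cfg.enable {` block continues outside the hunk.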


@ -35,22 +35,6 @@ in {
];
containers.mail = container.mkContainer cfg {
forwardPorts = [
{
containerPort = 993;
hostPort = 993;
protocol = "tcp";
} {
containerPort = 25;
hostPort = 25;
protocol = "tcp";
} {
containerPort = 465;
hostPort = 465;
protocol = "tcp";
}
];
bindMounts = {
"/var/lib/dovecot/indices" = {
hostPath = "${cfg.storage}/data/indices";


@ -5,6 +5,7 @@
{ container, pkgs, lib, config, __findFile, ... } @args: with lib; let
cfg = config.container.module.print;
package = pkgs.callPackage <package/print> args;
host = config.container.host;
in {
options = {
container.module.print = {
@ -42,6 +43,12 @@ in {
};
config = { ... }: container.mkContainerConfig cfg {
networking.interfaces."eth0".ipv4.routes = [{
address = "192.168.2.237";
prefixLength = 32;
via = host;
}];
services.printing = {
enable = true;
allowFrom = [ "all" ];
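Review bot: The added route `via = host` takes `host` from `config.container.host`, which this same commit appears to move from 192.168.1.2 to the public address 188.242.247.132 (see the `host = "188.242.247.132"` hunk); a next hop must be on-link for the container's eth0, and a container on the host bridge normally reaches the host through its container-side address (10.1.0.x judging by the `extraHosts` entries), so this route is likely to be rejected at activation or to send printer traffic towards the wrong side of the router. Please confirm what `config.container.host` is meant to represent after this change; if it is the WAN address, the print module wants the bridge-side host address here instead (I cannot see an option carrying it in this hunk), and a one-line comment such as `# next hop must be the host's container-facing address` would keep the two from being confused again. The `config = { ... }: container.mkContainerConfig cfg {` block continues past the hunk.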


@ -38,19 +38,6 @@ in {
];
containers.proxy = container.mkContainer cfg {
forwardPorts = [
# {
# containerPort = 80;
# hostPort = 80;
# protocol = "tcp";
# } {
{
containerPort = cfg.port;
hostPort = cfg.port;
protocol = "tcp";
}
];
bindMounts = {
"/etc/letsencrypt" = {
hostPath = "${cfg.storage}/letsencrypt";


@ -39,19 +39,7 @@ in {
"data/preshared"
];
boot.kernel.sysctl = {
"net.ipv4.conf.all.src_valid_mark" = 1;
"net.ipv4.ip_forward" = 1;
};
containers.vpn = container.mkContainer cfg {
forwardPorts = [
{
containerPort = cfg.port;
hostPort = cfg.port;
protocol = "udp";
}
];
bindMounts = {
"/var/lib/wireguard" = {
hostPath = "${cfg.storage}/data";
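Review bot: Dropping the host-level `boot.kernel.sysctl` block here means `net.ipv4.ip_forward` and `net.ipv4.conf.all.src_valid_mark` are now set only by the router's host config; enabling the vpn container on a machine that is not the router would lose forwarding silently, so either keep the sysctl in this module as well or record the dependency with a comment like `# ip_forward / src_valid_mark are provided by the router host config`. The `forwardPorts` removal in this hunk has the same consequences as noted on the dns hunk. The `config = mkIf cfg.enable {` block this sits in continues outside the hunk.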


@ -23,29 +23,6 @@ in {
config = mkIf cfg.enable {
containers.zapret = container.mkContainer cfg {
forwardPorts = [
{
containerPort = cfg.port;
hostPort = cfg.port;
protocol = "tcp";
}
{
containerPort = cfg.port;
hostPort = cfg.port;
protocol = "udp";
}
{
containerPort = cfg.torport;
hostPort = cfg.torport;
protocol = "tcp";
}
{
containerPort = cfg.torport;
hostPort = cfg.torport;
protocol = "udp";
}
];
config = { ... }: container.mkContainerConfig cfg {
boot.kernel.sysctl = {
"net.ipv4.conf.all.src_valid_mark" = 1;


@ -1,5 +1,5 @@
{ util, container, config, ... }: let
address = "192.168.1.1";
address = "10.0.0.2";
domain = "router.${config.container.domain}";
port = 80;
name = "router";


@ -2,8 +2,8 @@
bookmarks = util.trimTabs ''
file:///storage
file:///home/voronind/tmp
sftp://192.168.1.2:22143/storage/hot/docker/cloud/data/data/cakee/files/ home cloud
sftp://192.168.1.2:22143/ home sftp
ftp://192.168.1.2/ home ftp
sftp://10.0.0.1:22143/storage/hot/docker/cloud/data/data/cakee/files/ home cloud
sftp://10.0.0.1:22143/ home sftp
ftp://10.0.0.1/ home ftp
'';
}


@ -2,12 +2,12 @@
{ util, ... }: {
text = util.trimTabs ''
Host dasha
HostName 192.168.1.7
HostName 10.0.0.7
User root
Port 22143
Host desktop
Hostname 192.168.1.3
Hostname 10.0.0.3
User root
Port 22143
@ -22,23 +22,23 @@
Port 22143
Host home
HostName 192.168.1.2
HostName 10.0.0.1
User root
Port 22143
Host nixbuilder
HostName 192.168.1.2
HostName 10.0.0.1
User nixbuilder
StrictHostKeyChecking=accept-new
Port 22143
Host laptop
Hostname 192.168.1.9
Hostname 10.0.0.9
User root
Port 22143
Host pi
Hostname 192.168.1.6
Hostname 10.0.0.6
User root
Port 22143
@ -48,7 +48,7 @@
Port 22143
Host work
Hostname 192.168.1.5
Hostname 10.0.0.5
User root
Port 22143
'';


@ -35,9 +35,9 @@
storage = "/storage/hot/container";
domain = "voronind.com";
host = "192.168.1.2";
interface = "enp7s0";
localAccess = "192.168.1.0/24";
host = "188.242.247.132";
interface = "enp8s0";
localAccess = "10.0.0.0/24";
media = {
anime = [ "/storage/cold_1/media/anime" "/storage/cold_2/media/anime" ];
book = [ "/storage/hot/media/book" ];


@ -19,9 +19,9 @@
};
};
swapDevices = [{
device = "/storage/hot/.swapfile";
size = 128 * 1024;
options = [ "nofail" ];
}];
# swapDevices = [{
# device = "/storage/hot/.swapfile";
# size = 128 * 1024;
# options = [ "nofail" ];
# }];
}
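Review bot: The `swapDevices` entry is kept as a commented-out block rather than deleted; git history already preserves it, and dead configuration like this tends to drift from the live option names until it no longer evaluates when someone uncomments it. Either drop the five lines outright or, if swap is meant to come back, keep the definition live behind a boolean option (`swapDevices = lib.mkIf <option> [ ... ];`) so it stays type-checked.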


@ -1,13 +1,107 @@
{ util, ... }: {
{ util, config, lib, ... }: let
internal = "10.0.0.1";
external = "188.242.247.132";
wifi = "10.0.0.2";
lan = "br0";
wan = "enp8s0";
in {
boot.kernel.sysctl = {
"net.ipv4.conf.all.src_valid_mark" = 1;
"net.ipv4.ip_forward" = 1;
};
networking = {
networkmanager.insertNameservers = [
"1.1.1.1"
"8.8.8.8"
];
extraHosts = util.trimTabs ''
10.1.0.2 git.voronind.com
10.1.0.2 iot.voronind.com
10.1.0.2 pass.voronind.com
'';
firewall = {
enable = lib.mkForce true;
trustedInterfaces = [
lan
];
extraCommands = let
cfg = config.container.module;
# mkForward = src: sport: dst: dport: proto: "iptables -t nat -I PREROUTING -i ${src} -p ${proto} --dport ${toString sport} -j DNAT --to-destination ${dst}:${toString dport}\n";
mkForward = src: sport: dst: dport: proto: "iptables -t nat -I PREROUTING -d ${src} -p ${proto} --dport ${toString sport} -j DNAT --to-destination ${dst}:${toString dport}\n";
in ''
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -d 0/0 -o ${wan} -j MASQUERADE
''
+ (mkForward internal cfg.dns.port cfg.dns.address cfg.dns.port "tcp")
+ (mkForward internal cfg.dns.port cfg.dns.address cfg.dns.port "udp")
+ (mkForward external 25 cfg.mail.address 25 "tcp")
+ (mkForward internal 25 cfg.mail.address 25 "tcp")
+ (mkForward internal 465 cfg.mail.address 465 "tcp")
+ (mkForward internal 993 cfg.mail.address 993 "tcp")
+ (mkForward internal cfg.zapret.port cfg.zapret.address cfg.zapret.port "tcp")
+ (mkForward internal cfg.zapret.torport cfg.zapret.address cfg.zapret.torport "tcp")
+ (mkForward internal cfg.zapret.port cfg.zapret.address cfg.zapret.port "udp")
+ (mkForward internal cfg.zapret.torport cfg.zapret.address cfg.zapret.torport "udp")
+ (mkForward external cfg.vpn.port cfg.vpn.address cfg.vpn.port "udp")
+ (mkForward external cfg.proxy.port cfg.proxy.address cfg.proxy.port "tcp")
+ (mkForward internal cfg.proxy.port cfg.proxy.address cfg.proxy.port "tcp")
+ (mkForward external 54630 cfg.download.address 54630 "tcp")
+ (mkForward external 54631 cfg.download.address 54631 "tcp")
+ (mkForward external 54630 cfg.download.address 54630 "udp")
+ (mkForward external 54631 cfg.download.address 54631 "udp")
;
interfaces = {
"${wan}" = {
allowedUDPPorts = [
];
allowedTCPPorts = [
# 22143
];
};
"${lan}" = {
allowedUDPPorts = [
];
allowedTCPPorts = [
22143
];
};
};
};
bridges."${lan}".interfaces = [
"enp6s0f0"
"enp6s0f1"
];
interfaces = {
"${lan}".ipv4 = {
addresses = [{
address = internal;
prefixLength = 24;
}];
routes = [
{
address = "192.168.1.0";
prefixLength = 24;
via = wifi;
}
{
address = "192.168.2.0";
prefixLength = 24;
via = wifi;
}
];
};
};
};
}
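Review bot: Nothing in this hunk constrains the FORWARD chain, while `net.ipv4.ip_forward = 1` is turned on and the WAN-facing DNAT rules (`-d ${external}` for 25, the vpn, proxy and 54630/54631 ports) depend on forwarding being allowed; unless a DROP policy for FORWARD is set somewhere not shown, anything the upstream routes towards 10.0.0.0/24 or the container addresses is forwarded as well, not only the rewritten ports. I would add a default-deny FORWARD set right after the MASQUERADE line (below): accept conntrack RELATED/ESTABLISHED, accept anything not entering on `${wan}`, and accept WAN packets the DNAT rules have already rewritten (`--ctstate DNAT`). Also note that `extraCommands` is rerun on every firewall start or reload and these `-I`/`-A` insertions into the built-in nat and filter chains are not undone by the firewall's own cleanup, so as far as I can tell rules accumulate across reloads unless matching deletes go in `extraStopCommands` (or `networking.nat.forwardPorts` with `networking.nat.externalInterface` is used, which manages its own chains). Finally, `trustedInterfaces = [ lan ]` already admits everything arriving on br0 to INPUT, so the lan-side `allowedTCPPorts = [ 22143 ]` is redundant, and the commented-out interface-matching `mkForward` above the live definition should be dropped rather than kept.
```nix
in ''
  iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -d 0/0 -o ${wan} -j MASQUERADE
  # Default-deny forwarding: replies, anything not coming in on the WAN,
  # and WAN packets already rewritten by the DNAT rules below.
  iptables -P FORWARD DROP
  iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  iptables -A FORWARD ! -i ${wan} -j ACCEPT
  iptables -A FORWARD -i ${wan} -m conntrack --ctstate DNAT -j ACCEPT
''
# … unchanged: mkForward concatenation …
```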


@ -10,7 +10,7 @@ in {
enable = true;
clientConf = ''
DigestOptions DenyMD5
ServerName 192.168.1.2
ServerName 10.0.0.1
'';
};
};
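Review bot: `ServerName 10.0.0.1` points CUPS clients at the router's internal address, but the router's new DNAT list has no entry for the print service (no 631 `mkForward`), and this hunk does not show whether the print container keeps its own `forwardPorts`; if those were dropped like the other containers', clients lose their path to the server. Either add `+ (mkForward internal 631 cfg.print.address 631 "tcp")` next to the other rules (assuming the print module exposes `.address` like its siblings) or confirm that the print container still forwards the port itself. The enclosing block continues outside the hunk.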


@ -4,6 +4,7 @@
services.openssh = {
enable = true;
allowSFTP = true;
openFirewall = false;
ports = [ 22143 ];
listenAddresses = [
{
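Review bot: `openFirewall = false` matches the WAN interface leaving 22143 commented out, so sshd is now reachable only where `allowedTCPPorts` opens it (the lan side), which is the right direction. The `listenAddresses` list that follows is cut off by the hunk; since every other 192.168.1.2 reference is renumbered to 10.0.0.1 in this commit, please make sure any address listed there was updated as well, otherwise sshd may fail to bind on the new host rather than falling back to all interfaces.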


@ -2,6 +2,7 @@
core = with pkgs; [
android-tools # Android adb tool. Can be used to connect to itself via wireless debugging.
binwalk # Can analyze files for other files inside them.
bridge-utils # Network bridges.
btop htop # System monitors.
coreutils # UNIX Core utilities.
cryptsetup # Filesystem encryption (LUKS).