From d57fd86708c386469627c91f187e537de8afc9a4 Mon Sep 17 00:00:00 2001 From: Dmitry Voronin Date: Wed, 14 Aug 2024 02:19:47 +0300 Subject: [PATCH] Home : Make a router! --- container/Dns.nix | 12 ----- container/Mail.nix | 16 ------ container/Print.nix | 7 +++ container/Proxy.nix | 13 ----- container/Vpn.nix | 12 ----- container/Zapret.nix | 23 -------- container/proxy/host/Router.nix | 2 +- home/config/gtk/3/default.nix | 6 +-- home/config/ssh/default.nix | 14 ++--- host/home/Container.nix | 6 +-- host/home/Filesystem.nix | 10 ++-- host/home/Network.nix | 96 ++++++++++++++++++++++++++++++++- module/Print.nix | 2 +- module/Sshd.nix | 1 + package/default.nix | 1 + 15 files changed, 124 insertions(+), 97 deletions(-) diff --git a/container/Dns.nix b/container/Dns.nix index a38ff62..dc11398 100644 --- a/container/Dns.nix +++ b/container/Dns.nix @@ -17,18 +17,6 @@ in { config = mkIf cfg.enable { containers.dns = container.mkContainer cfg { - forwardPorts = [ - { - containerPort = cfg.port; - hostPort = cfg.port; - protocol = "udp"; - } { - containerPort = cfg.port; - hostPort = cfg.port; - protocol = "tcp"; - } - ]; - config = { ... }: container.mkContainerConfig cfg { environment.systemPackages = [ pkgs.cloudflared diff --git a/container/Mail.nix b/container/Mail.nix index b3337ae..10646f6 100644 --- a/container/Mail.nix +++ b/container/Mail.nix @@ -35,22 +35,6 @@ in { ]; containers.mail = container.mkContainer cfg { - forwardPorts = [ - { - containerPort = 993; - hostPort = 993; - protocol = "tcp"; - } { - containerPort = 25; - hostPort = 25; - protocol = "tcp"; - } { - containerPort = 465; - hostPort = 465; - protocol = "tcp"; - } - ]; - bindMounts = { "/var/lib/dovecot/indices" = { hostPath = "${cfg.storage}/data/indices"; diff --git a/container/Print.nix b/container/Print.nix index 99dd7dc..6539a31 100644 --- a/container/Print.nix +++ b/container/Print.nix 
@@ -5,6 +5,7 @@ { container, pkgs, lib, config, __findFile, ... } @args: with lib; let cfg = config.container.module.print; package = pkgs.callPackage args; + host = config.container.host; in { options = { container.module.print = { @@ -42,6 +43,12 @@ in { }; config = { ... }: container.mkContainerConfig cfg { + networking.interfaces."eth0".ipv4.routes = [{ + address = "192.168.2.237"; + prefixLength = 32; + via = host; + }]; + services.printing = { enable = true; allowFrom = [ "all" ]; diff --git a/container/Proxy.nix b/container/Proxy.nix index 2d85ec8..b586ce8 100644 --- a/container/Proxy.nix +++ b/container/Proxy.nix @@ -38,19 +38,6 @@ in { ]; containers.proxy = container.mkContainer cfg { - forwardPorts = [ - # { - # containerPort = 80; - # hostPort = 80; - # protocol = "tcp"; - # } { - { - containerPort = cfg.port; - hostPort = cfg.port; - protocol = "tcp"; - } - ]; - bindMounts = { "/etc/letsencrypt" = { hostPath = "${cfg.storage}/letsencrypt"; diff --git a/container/Vpn.nix b/container/Vpn.nix index ad1c259..c4ecdc8 100644 --- a/container/Vpn.nix +++ b/container/Vpn.nix @@ -39,19 +39,7 @@ in { "data/preshared" ]; - boot.kernel.sysctl = { - "net.ipv4.conf.all.src_valid_mark" = 1; - "net.ipv4.ip_forward" = 1; - }; - containers.vpn = container.mkContainer cfg { - forwardPorts = [ - { - containerPort = cfg.port; - hostPort = cfg.port; - protocol = "udp"; - } - ]; bindMounts = { "/var/lib/wireguard" = { hostPath = "${cfg.storage}/data"; diff --git a/container/Zapret.nix b/container/Zapret.nix index 9c80df6..4b9cea6 100644 --- a/container/Zapret.nix +++ b/container/Zapret.nix 
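Review bot: The new `via = host` route in the print container points at `config.container.host`, which this same patch sets to `188.242.247.132` (the host's WAN address) in host/home/Container.nix; a static route's next hop must be on-link for `eth0`, so unless that address is also the host-side veth peer of this container the kernel will reject the route and the printer at 192.168.2.237 is reached only if the default route happens to go the same way. If the container's default route already points at the host, the `/32` route adds nothing; if it does not, the gateway should be the host-side veth address rather than the public one. Either way the intent deserves a comment, e.g. `# Printer lives on 192.168.2.0/24 behind the wifi router; the host forwards that subnet to 10.0.0.2.`. The enclosing `config = { ... }: container.mkContainerConfig cfg {` attrset continues past the hunk.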
@@ -23,29 +23,6 @@ in { config = mkIf cfg.enable { containers.zapret = container.mkContainer cfg { - forwardPorts = [ - { - containerPort = cfg.port; - hostPort = cfg.port; - protocol = "tcp"; - } - { - containerPort = cfg.port; - hostPort = cfg.port; - protocol = "udp"; - } - { - containerPort = cfg.torport; - hostPort = cfg.torport; - protocol = "tcp"; - } - { - containerPort = cfg.torport; - hostPort = cfg.torport; - protocol = "udp"; - } - ]; - config = { ... }: container.mkContainerConfig cfg { boot.kernel.sysctl = { "net.ipv4.conf.all.src_valid_mark" = 1; diff --git a/container/proxy/host/Router.nix b/container/proxy/host/Router.nix index b41ae84..4470898 100644 --- a/container/proxy/host/Router.nix +++ b/container/proxy/host/Router.nix @@ -1,5 +1,5 @@ { util, container, config, ... }: let - address = "192.168.1.1"; + address = "10.0.0.2"; domain = "router.${config.container.domain}"; port = 80; name = "router"; diff --git a/home/config/gtk/3/default.nix b/home/config/gtk/3/default.nix index a6b26af..703de73 100644 --- a/home/config/gtk/3/default.nix +++ b/home/config/gtk/3/default.nix @@ -2,8 +2,8 @@ bookmarks = util.trimTabs '' file:///storage file:///home/voronind/tmp - sftp://192.168.1.2:22143/storage/hot/docker/cloud/data/data/cakee/files/ home cloud - sftp://192.168.1.2:22143/ home sftp - ftp://192.168.1.2/ home ftp + sftp://10.0.0.1:22143/storage/hot/docker/cloud/data/data/cakee/files/ home cloud + sftp://10.0.0.1:22143/ home sftp + ftp://10.0.0.1/ home ftp ''; } diff --git a/home/config/ssh/default.nix b/home/config/ssh/default.nix index e01571e..829e916 100644 --- a/home/config/ssh/default.nix +++ b/home/config/ssh/default.nix @@ -2,12 +2,12 @@ { util, ... }: { text = util.trimTabs '' Host dasha - HostName 192.168.1.7 + HostName 10.0.0.7 User root Port 22143 Host desktop - Hostname 192.168.1.3 + Hostname 10.0.0.3 User root Port 22143 
@@ -22,23 +22,23 @@ Port 22143 Host home - HostName 192.168.1.2 + HostName 10.0.0.1 User root Port 22143 Host nixbuilder - HostName 192.168.1.2 + HostName 10.0.0.1 User nixbuilder StrictHostKeyChecking=accept-new Port 22143 Host laptop - Hostname 192.168.1.9 + Hostname 10.0.0.9 User root Port 22143 Host pi - Hostname 192.168.1.6 + Hostname 10.0.0.6 User root Port 22143 @@ -48,7 +48,7 @@ Port 22143 Host work - Hostname 192.168.1.5 + Hostname 10.0.0.5 User root Port 22143 ''; diff --git a/host/home/Container.nix b/host/home/Container.nix index b394f67..d359781 100644 --- a/host/home/Container.nix +++ b/host/home/Container.nix @@ -35,9 +35,9 @@ storage = "/storage/hot/container"; domain = "voronind.com"; - host = "192.168.1.2"; - interface = "enp7s0"; - localAccess = "192.168.1.0/24"; + host = "188.242.247.132"; + interface = "enp8s0"; + localAccess = "10.0.0.0/24"; media = { anime = [ "/storage/cold_1/media/anime" "/storage/cold_2/media/anime" ]; book = [ "/storage/hot/media/book" ]; diff --git a/host/home/Filesystem.nix b/host/home/Filesystem.nix index 43b6813..f6b9231 100644 --- a/host/home/Filesystem.nix +++ b/host/home/Filesystem.nix @@ -19,9 +19,9 @@ }; }; - swapDevices = [{ - device = "/storage/hot/.swapfile"; - size = 128 * 1024; - options = [ "nofail" ]; - }]; + # swapDevices = [{ + # device = "/storage/hot/.swapfile"; + # size = 128 * 1024; + # options = [ "nofail" ]; + # }]; } diff --git a/host/home/Network.nix b/host/home/Network.nix index 9c588aa..edf19da 100644 --- a/host/home/Network.nix +++ b/host/home/Network.nix 
@@ -1,13 +1,107 @@ -{ util, ... }: { +{ util, config, lib, ... }: let + internal = "10.0.0.1"; + external = "188.242.247.132"; + wifi = "10.0.0.2"; + + lan = "br0"; + wan = "enp8s0"; +in { + boot.kernel.sysctl = { + "net.ipv4.conf.all.src_valid_mark" = 1; + "net.ipv4.ip_forward" = 1; + }; + networking = { networkmanager.insertNameservers = [ "1.1.1.1" "8.8.8.8" ]; + extraHosts = util.trimTabs '' 10.1.0.2 git.voronind.com 10.1.0.2 iot.voronind.com 10.1.0.2 pass.voronind.com ''; + + firewall = { + enable = lib.mkForce true; + trustedInterfaces = [ + lan + ]; + extraCommands = let + cfg = config.container.module; + + # mkForward = src: sport: dst: dport: proto: "iptables -t nat -I PREROUTING -i ${src} -p ${proto} --dport ${toString sport} -j DNAT --to-destination ${dst}:${toString dport}\n"; + mkForward = src: sport: dst: dport: proto: "iptables -t nat -I PREROUTING -d ${src} -p ${proto} --dport ${toString sport} -j DNAT --to-destination ${dst}:${toString dport}\n"; + in '' + iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -d 0/0 -o ${wan} -j MASQUERADE + '' + + (mkForward internal cfg.dns.port cfg.dns.address cfg.dns.port "tcp") + + (mkForward internal cfg.dns.port cfg.dns.address cfg.dns.port "udp") + + + (mkForward external 25 cfg.mail.address 25 "tcp") + + (mkForward internal 25 cfg.mail.address 25 "tcp") + + (mkForward internal 465 cfg.mail.address 465 "tcp") + + (mkForward internal 993 cfg.mail.address 993 "tcp") + + + (mkForward internal cfg.zapret.port cfg.zapret.address cfg.zapret.port "tcp") + + (mkForward internal cfg.zapret.torport cfg.zapret.address cfg.zapret.torport "tcp") + + (mkForward internal cfg.zapret.port cfg.zapret.address cfg.zapret.port "udp") + + (mkForward internal cfg.zapret.torport cfg.zapret.address cfg.zapret.torport "udp") + + + (mkForward external cfg.vpn.port cfg.vpn.address cfg.vpn.port "udp") + + + (mkForward external cfg.proxy.port cfg.proxy.address cfg.proxy.port "tcp") + + (mkForward internal cfg.proxy.port cfg.proxy.address 
cfg.proxy.port "tcp") + + + (mkForward external 54630 cfg.download.address 54630 "tcp") + + (mkForward external 54631 cfg.download.address 54631 "tcp") + + (mkForward external 54630 cfg.download.address 54630 "udp") + + (mkForward external 54631 cfg.download.address 54631 "udp") + ; + + interfaces = { + "${wan}" = { + allowedUDPPorts = [ + ]; + allowedTCPPorts = [ + # 22143 + ]; + }; + "${lan}" = { + allowedUDPPorts = [ + ]; + allowedTCPPorts = [ + 22143 + ]; + }; + }; + }; + + bridges."${lan}".interfaces = [ + "enp6s0f0" + "enp6s0f1" + ]; + + interfaces = { + "${lan}".ipv4 = { + addresses = [{ + address = internal; + prefixLength = 24; + }]; + routes = [ + { + address = "192.168.1.0"; + prefixLength = 24; + via = wifi; + } + { + address = "192.168.2.0"; + prefixLength = 24; + via = wifi; + } + ]; + }; + }; }; } diff --git a/module/Print.nix b/module/Print.nix index 63f579d..21f46a8 100644 --- a/module/Print.nix +++ b/module/Print.nix @@ -10,7 +10,7 @@ in { enable = true; clientConf = '' DigestOptions DenyMD5 - ServerName 192.168.1.2 + ServerName 10.0.0.1 ''; }; }; diff --git a/module/Sshd.nix b/module/Sshd.nix index d872e89..0499036 100644 --- a/module/Sshd.nix +++ b/module/Sshd.nix @@ -4,6 +4,7 @@ services.openssh = { enable = true; allowSFTP = true; + openFirewall = false; ports = [ 22143 ]; listenAddresses = [ { diff --git a/package/default.nix b/package/default.nix index ef042b8..f1720fe 100644 --- a/package/default.nix +++ b/package/default.nix @@ -2,6 +2,7 @@ core = with pkgs; [ android-tools # Android adb tool. Can be used to connect to itself via wireless debugging. binwalk # Can analyze files for other files inside them. + bridge-utils # Network bridges. btop htop # System monitors. coreutils # UNIX Core utilities. cryptsetup # Filesystem encryption (LUKS).
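Review bot: Nothing in this hunk filters the FORWARD chain, yet `net.ipv4.ip_forward = 1` makes it the gate between `enp8s0`, `br0` and the containers; as far as I recall the NixOS firewall module only installs its chains on INPUT and leaves FORWARD at the kernel default ACCEPT, so the DNAT rules in `extraCommands` decide where WAN traffic lands but nothing drops what they do not match. The `mkForward` that is actually used matches `-d ${src}` rather than the commented-out `-i ${src}`, so the `internal`-addressed rules (DNS, mail 465/993, zapret, proxy) also fire for a packet arriving on the WAN side addressed to 10.0.0.1; excluding `${wan}` from those rules and pinning the `external` ones to it keeps LAN-only services off the Internet. I would add explicit FORWARD handling for `${wan}` — accept RELATED/ESTABLISHED and `--ctstate DNAT`, drop the rest — and give `mkForward` an interface-match argument, as sketched below. Note also that `extraCommands` is re-run on every firewall reload and, if I read the module right, only the `nixos-fw*` chains are flushed, so these nat-table `-I`/`-A` rules accumulate unless `extraStopCommands` removes them; `networking.nat` (`externalInterface`, `internalInterfaces`, `forwardPorts`) manages exactly this lifecycle and is worth considering instead.
```nix
      # ifmatch is an iptables interface clause: "-i ${wan}" for public services,
      # "! -i ${wan}" for LAN-only ones, so a WAN packet aimed at 10.0.0.1 never hits them.
      mkForward = ifmatch: addr: sport: dst: dport: proto:
        "iptables -t nat -I PREROUTING ${ifmatch} -d ${addr} -p ${proto} --dport ${toString sport} -j DNAT --to-destination ${dst}:${toString dport}\n";
    in ''
      # ip_forward=1 makes FORWARD the gate between WAN, LAN and containers:
      # let in from the WAN only replies and connections that matched a DNAT rule.
      iptables -A FORWARD -i ${wan} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
      iptables -A FORWARD -i ${wan} -m conntrack --ctstate DNAT -j ACCEPT
      iptables -A FORWARD -i ${wan} -j DROP
      iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -d 0/0 -o ${wan} -j MASQUERADE
    ''
    + (mkForward "! -i ${wan}" internal cfg.dns.port cfg.dns.address cfg.dns.port "tcp")
    + (mkForward "-i ${wan}" external 25 cfg.mail.address 25 "tcp")
    # … unchanged: remaining mkForward calls, each prefixed with "! -i ${wan}" (internal) or "-i ${wan}" (external) …
```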