Home : Make a router!

This commit is contained in:
Dmitry Voronin 2024-08-14 02:19:47 +03:00
parent e1d1da934d
commit d57fd86708
Signed by: voronind
SSH key fingerprint: SHA256:3kBb4iV2ahufEBNq+vFbUe4QYfHt98DHQjN7QaptY9k
15 changed files with 124 additions and 97 deletions


@ -17,18 +17,6 @@ in {
config = mkIf cfg.enable { config = mkIf cfg.enable {
containers.dns = container.mkContainer cfg { containers.dns = container.mkContainer cfg {
forwardPorts = [
{
containerPort = cfg.port;
hostPort = cfg.port;
protocol = "udp";
} {
containerPort = cfg.port;
hostPort = cfg.port;
protocol = "tcp";
}
];
config = { ... }: container.mkContainerConfig cfg { config = { ... }: container.mkContainerConfig cfg {
environment.systemPackages = [ environment.systemPackages = [
pkgs.cloudflared pkgs.cloudflared


@ -35,22 +35,6 @@ in {
]; ];
containers.mail = container.mkContainer cfg { containers.mail = container.mkContainer cfg {
forwardPorts = [
{
containerPort = 993;
hostPort = 993;
protocol = "tcp";
} {
containerPort = 25;
hostPort = 25;
protocol = "tcp";
} {
containerPort = 465;
hostPort = 465;
protocol = "tcp";
}
];
bindMounts = { bindMounts = {
"/var/lib/dovecot/indices" = { "/var/lib/dovecot/indices" = {
hostPath = "${cfg.storage}/data/indices"; hostPath = "${cfg.storage}/data/indices";


@ -5,6 +5,7 @@
{ container, pkgs, lib, config, __findFile, ... } @args: with lib; let { container, pkgs, lib, config, __findFile, ... } @args: with lib; let
cfg = config.container.module.print; cfg = config.container.module.print;
package = pkgs.callPackage <package/print> args; package = pkgs.callPackage <package/print> args;
host = config.container.host;
in { in {
options = { options = {
container.module.print = { container.module.print = {
@ -42,6 +43,12 @@ in {
}; };
config = { ... }: container.mkContainerConfig cfg { config = { ... }: container.mkContainerConfig cfg {
networking.interfaces."eth0".ipv4.routes = [{
address = "192.168.2.237";
prefixLength = 32;
via = host;
}];
services.printing = { services.printing = {
enable = true; enable = true;
allowFrom = [ "all" ]; allowFrom = [ "all" ];
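Review bot: The added route sends 192.168.2.237/32 via `host`, and `config.container.host` is redefined in this same commit as the WAN address 188.242.247.132 (container config hunk), so from inside the container the next hop is a public IP that is presumably not on eth0's subnet — the kernel will refuse the route as an invalid nexthop, or, if eth0 happens to cover it, printer traffic is steered toward the WAN side. The gateway wanted here is most likely the host's address on the container's eth0 link (its hostAddress side), so I'd take `host` from that rather than from `config.container.host`, and document the constant: `# Printer sits on the 192.168.2.0/24 segment; the host routes that prefix on to the wifi router.` The enclosing container module continues outside the hunk.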


@ -38,19 +38,6 @@ in {
]; ];
containers.proxy = container.mkContainer cfg { containers.proxy = container.mkContainer cfg {
forwardPorts = [
# {
# containerPort = 80;
# hostPort = 80;
# protocol = "tcp";
# } {
{
containerPort = cfg.port;
hostPort = cfg.port;
protocol = "tcp";
}
];
bindMounts = { bindMounts = {
"/etc/letsencrypt" = { "/etc/letsencrypt" = {
hostPath = "${cfg.storage}/letsencrypt"; hostPath = "${cfg.storage}/letsencrypt";


@ -39,19 +39,7 @@ in {
"data/preshared" "data/preshared"
]; ];
boot.kernel.sysctl = {
"net.ipv4.conf.all.src_valid_mark" = 1;
"net.ipv4.ip_forward" = 1;
};
containers.vpn = container.mkContainer cfg { containers.vpn = container.mkContainer cfg {
forwardPorts = [
{
containerPort = cfg.port;
hostPort = cfg.port;
protocol = "udp";
}
];
bindMounts = { bindMounts = {
"/var/lib/wireguard" = { "/var/lib/wireguard" = {
hostPath = "${cfg.storage}/data"; hostPath = "${cfg.storage}/data";


@ -23,29 +23,6 @@ in {
config = mkIf cfg.enable { config = mkIf cfg.enable {
containers.zapret = container.mkContainer cfg { containers.zapret = container.mkContainer cfg {
forwardPorts = [
{
containerPort = cfg.port;
hostPort = cfg.port;
protocol = "tcp";
}
{
containerPort = cfg.port;
hostPort = cfg.port;
protocol = "udp";
}
{
containerPort = cfg.torport;
hostPort = cfg.torport;
protocol = "tcp";
}
{
containerPort = cfg.torport;
hostPort = cfg.torport;
protocol = "udp";
}
];
config = { ... }: container.mkContainerConfig cfg { config = { ... }: container.mkContainerConfig cfg {
boot.kernel.sysctl = { boot.kernel.sysctl = {
"net.ipv4.conf.all.src_valid_mark" = 1; "net.ipv4.conf.all.src_valid_mark" = 1;


@ -1,5 +1,5 @@
{ util, container, config, ... }: let { util, container, config, ... }: let
address = "192.168.1.1"; address = "10.0.0.2";
domain = "router.${config.container.domain}"; domain = "router.${config.container.domain}";
port = 80; port = 80;
name = "router"; name = "router";


@ -2,8 +2,8 @@
bookmarks = util.trimTabs '' bookmarks = util.trimTabs ''
file:///storage file:///storage
file:///home/voronind/tmp file:///home/voronind/tmp
sftp://192.168.1.2:22143/storage/hot/docker/cloud/data/data/cakee/files/ home cloud sftp://10.0.0.1:22143/storage/hot/docker/cloud/data/data/cakee/files/ home cloud
sftp://192.168.1.2:22143/ home sftp sftp://10.0.0.1:22143/ home sftp
ftp://192.168.1.2/ home ftp ftp://10.0.0.1/ home ftp
''; '';
} }


@ -2,12 +2,12 @@
{ util, ... }: { { util, ... }: {
text = util.trimTabs '' text = util.trimTabs ''
Host dasha Host dasha
HostName 192.168.1.7 HostName 10.0.0.7
User root User root
Port 22143 Port 22143
Host desktop Host desktop
Hostname 192.168.1.3 Hostname 10.0.0.3
User root User root
Port 22143 Port 22143
@ -22,23 +22,23 @@
Port 22143 Port 22143
Host home Host home
HostName 192.168.1.2 HostName 10.0.0.1
User root User root
Port 22143 Port 22143
Host nixbuilder Host nixbuilder
HostName 192.168.1.2 HostName 10.0.0.1
User nixbuilder User nixbuilder
StrictHostKeyChecking=accept-new StrictHostKeyChecking=accept-new
Port 22143 Port 22143
Host laptop Host laptop
Hostname 192.168.1.9 Hostname 10.0.0.9
User root User root
Port 22143 Port 22143
Host pi Host pi
Hostname 192.168.1.6 Hostname 10.0.0.6
User root User root
Port 22143 Port 22143
@ -48,7 +48,7 @@
Port 22143 Port 22143
Host work Host work
Hostname 192.168.1.5 Hostname 10.0.0.5
User root User root
Port 22143 Port 22143
''; '';
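Review bot: Renumbering every `HostName` silently invalidates the known_hosts pins for these hosts if they were recorded by address, and the `nixbuilder` entry with `StrictHostKeyChecking=accept-new` will then trust whatever key answers at 10.0.0.1 on first contact, without a prompt. Adding a `HostKeyAlias` to each block (e.g. `HostKeyAlias home` under `Host home`) keys the pin on the alias rather than the address, so the existing trust survives this and any future renumbering. `home` and `nixbuilder` now share 10.0.0.1; if they are the same machine, giving both the same alias lets one verified key cover both users.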


@ -35,9 +35,9 @@
storage = "/storage/hot/container"; storage = "/storage/hot/container";
domain = "voronind.com"; domain = "voronind.com";
host = "192.168.1.2"; host = "188.242.247.132";
interface = "enp7s0"; interface = "enp8s0";
localAccess = "192.168.1.0/24"; localAccess = "10.0.0.0/24";
media = { media = {
anime = [ "/storage/cold_1/media/anime" "/storage/cold_2/media/anime" ]; anime = [ "/storage/cold_1/media/anime" "/storage/cold_2/media/anime" ];
book = [ "/storage/hot/media/book" ]; book = [ "/storage/hot/media/book" ];
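Review bot: `localAccess` narrows from the old LAN to `10.0.0.0/24` only, while the router file in this commit still routes `192.168.1.0/24` and `192.168.2.0/24` via the wifi router — so if `localAccess` is the allow-list LAN-only services use, wifi clients on those segments are now treated as external. If that is unintended the option probably needs to cover all three prefixes (as a list, or however consumers interpolate it); if it is intended, say so: `# Only the wired bridge counts as local; segments behind the wifi router are deliberately excluded.` Setting `host` to the WAN address also changes its meaning for every module that used it as the host's LAN-side address — the print container's new route in this commit is one such consumer.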


@ -19,9 +19,9 @@
}; };
}; };
swapDevices = [{ # swapDevices = [{
device = "/storage/hot/.swapfile"; # device = "/storage/hot/.swapfile";
size = 128 * 1024; # size = 128 * 1024;
options = [ "nofail" ]; # options = [ "nofail" ];
}]; # }];
} }


@ -1,13 +1,107 @@
{ util, ... }: { { util, config, lib, ... }: let
internal = "10.0.0.1";
external = "188.242.247.132";
wifi = "10.0.0.2";
lan = "br0";
wan = "enp8s0";
in {
boot.kernel.sysctl = {
"net.ipv4.conf.all.src_valid_mark" = 1;
"net.ipv4.ip_forward" = 1;
};
networking = { networking = {
networkmanager.insertNameservers = [ networkmanager.insertNameservers = [
"1.1.1.1" "1.1.1.1"
"8.8.8.8" "8.8.8.8"
]; ];
extraHosts = util.trimTabs '' extraHosts = util.trimTabs ''
10.1.0.2 git.voronind.com 10.1.0.2 git.voronind.com
10.1.0.2 iot.voronind.com 10.1.0.2 iot.voronind.com
10.1.0.2 pass.voronind.com 10.1.0.2 pass.voronind.com
''; '';
firewall = {
enable = lib.mkForce true;
trustedInterfaces = [
lan
];
extraCommands = let
cfg = config.container.module;
# mkForward = src: sport: dst: dport: proto: "iptables -t nat -I PREROUTING -i ${src} -p ${proto} --dport ${toString sport} -j DNAT --to-destination ${dst}:${toString dport}\n";
mkForward = src: sport: dst: dport: proto: "iptables -t nat -I PREROUTING -d ${src} -p ${proto} --dport ${toString sport} -j DNAT --to-destination ${dst}:${toString dport}\n";
in ''
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -d 0/0 -o ${wan} -j MASQUERADE
''
+ (mkForward internal cfg.dns.port cfg.dns.address cfg.dns.port "tcp")
+ (mkForward internal cfg.dns.port cfg.dns.address cfg.dns.port "udp")
+ (mkForward external 25 cfg.mail.address 25 "tcp")
+ (mkForward internal 25 cfg.mail.address 25 "tcp")
+ (mkForward internal 465 cfg.mail.address 465 "tcp")
+ (mkForward internal 993 cfg.mail.address 993 "tcp")
+ (mkForward internal cfg.zapret.port cfg.zapret.address cfg.zapret.port "tcp")
+ (mkForward internal cfg.zapret.torport cfg.zapret.address cfg.zapret.torport "tcp")
+ (mkForward internal cfg.zapret.port cfg.zapret.address cfg.zapret.port "udp")
+ (mkForward internal cfg.zapret.torport cfg.zapret.address cfg.zapret.torport "udp")
+ (mkForward external cfg.vpn.port cfg.vpn.address cfg.vpn.port "udp")
+ (mkForward external cfg.proxy.port cfg.proxy.address cfg.proxy.port "tcp")
+ (mkForward internal cfg.proxy.port cfg.proxy.address cfg.proxy.port "tcp")
+ (mkForward external 54630 cfg.download.address 54630 "tcp")
+ (mkForward external 54631 cfg.download.address 54631 "tcp")
+ (mkForward external 54630 cfg.download.address 54630 "udp")
+ (mkForward external 54631 cfg.download.address 54631 "udp")
;
interfaces = {
"${wan}" = {
allowedUDPPorts = [
];
allowedTCPPorts = [
# 22143
];
};
"${lan}" = {
allowedUDPPorts = [
];
allowedTCPPorts = [
22143
];
};
};
};
bridges."${lan}".interfaces = [
"enp6s0f0"
"enp6s0f1"
];
interfaces = {
"${lan}".ipv4 = {
addresses = [{
address = internal;
prefixLength = 24;
}];
routes = [
{
address = "192.168.1.0";
prefixLength = 24;
via = wifi;
}
{
address = "192.168.2.0";
prefixLength = 24;
via = wifi;
}
];
};
};
}; };
} }
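Review bot: With `net.ipv4.ip_forward = 1` turned on here, nothing filters the FORWARD chain: the NixOS iptables firewall only installs its `nixos-fw` chain on INPUT, so the box forwards any packet that reaches it with a destination behind `lan` or the container bridge, not only the flows the `mkForward` DNAT rules admit. I would give FORWARD a default-deny policy that accepts established/related traffic, anything arriving on `lan`, and from `wan` only connections the nat table has DNAT'd (see below). The nat rules are added with `-I`/`-A` from `extraCommands` and, as far as I can tell, the firewall unit does not flush the nat table on restart, so they duplicate on every reload; pair each with a `-D` in `networking.firewall.extraStopCommands`, or move the forwards to `networking.nat.forwardPorts`, which keeps them in chains it flushes itself. Also, because the active `mkForward` matches only on `-d ${src}` (the `-i` variant is commented out), a LAN client hitting the external address is DNAT'd too but the container's reply is not masqueraded (MASQUERADE is `-o ${wan}` only), so either restrict those rules with `-i ${wan}` or add a hairpin `-s 10.0.0.0/24 -j MASQUERADE` for the container addresses.
```nix
extraCommands = let
  cfg = config.container.module;
  mkForward = src: sport: dst: dport: proto: "iptables -t nat -I PREROUTING -d ${src} -p ${proto} --dport ${toString sport} -j DNAT --to-destination ${dst}:${toString dport}\n";
in ''
  # NixOS only filters INPUT; once ip_forward is on, FORWARD is ours to police.
  iptables -P FORWARD DROP
  iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  iptables -A FORWARD -i ${lan} -j ACCEPT
  iptables -A FORWARD -i ${wan} -m conntrack --ctstate DNAT -j ACCEPT
  iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -d 0/0 -o ${wan} -j MASQUERADE
''
# … unchanged: mkForward calls …
;
extraStopCommands = ''
  # Undo what extraCommands added so a reload does not stack rules.
  iptables -P FORWARD ACCEPT
  iptables -F FORWARD
  iptables -t nat -D POSTROUTING -s 10.0.0.0/24 -d 0/0 -o ${wan} -j MASQUERADE 2>/dev/null || true
'';
```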


@ -10,7 +10,7 @@ in {
enable = true; enable = true;
clientConf = '' clientConf = ''
DigestOptions DenyMD5 DigestOptions DenyMD5
ServerName 192.168.1.2 ServerName 10.0.0.1
''; '';
}; };
}; };


@ -4,6 +4,7 @@
services.openssh = { services.openssh = {
enable = true; enable = true;
allowSFTP = true; allowSFTP = true;
openFirewall = false;
ports = [ 22143 ]; ports = [ 22143 ];
listenAddresses = [ listenAddresses = [
{ {


@ -2,6 +2,7 @@
core = with pkgs; [ core = with pkgs; [
android-tools # Android adb tool. Can be used to connect to itself via wireless debugging. android-tools # Android adb tool. Can be used to connect to itself via wireless debugging.
binwalk # Can analyze files for other files inside them. binwalk # Can analyze files for other files inside them.
bridge-utils # Network bridges.
btop htop # System monitors. btop htop # System monitors.
coreutils # UNIX Core utilities. coreutils # UNIX Core utilities.
cryptsetup # Filesystem encryption (LUKS). cryptsetup # Filesystem encryption (LUKS).