Home : Make a router!

container/Dns.nix

@@ -17,18 +17,6 @@ in {
 
 	config = mkIf cfg.enable {
 		containers.dns = container.mkContainer cfg {
-			forwardPorts = [
-				{
-					containerPort = cfg.port;
-					hostPort      = cfg.port;
-					protocol      = "udp";
-				} {
-					containerPort = cfg.port;
-					hostPort      = cfg.port;
-					protocol      = "tcp";
-				}
-			];
-
 			config = { ... }: container.mkContainerConfig cfg {
 				environment.systemPackages = [
 					pkgs.cloudflared

container/Mail.nix

@@ -35,22 +35,6 @@ in {
 		];
 
 		containers.mail = container.mkContainer cfg {
-			forwardPorts = [
-				{
-					containerPort = 993;
-					hostPort      = 993;
-					protocol      = "tcp";
-				} {
-					containerPort = 25;
-					hostPort      = 25;
-					protocol      = "tcp";
-				} {
-					containerPort = 465;
-					hostPort      = 465;
-					protocol      = "tcp";
-				}
-			];
-
 			bindMounts = {
 				"/var/lib/dovecot/indices" = {
 					hostPath   = "${cfg.storage}/data/indices";

container/Print.nix

@@ -5,6 +5,7 @@
 { container, pkgs, lib, config, __findFile, ... } @args: with lib; let
 	cfg     = config.container.module.print;
 	package = pkgs.callPackage <package/print> args;
+	host    = config.container.host;
 in {
 	options = {
 		container.module.print = {
@@ -42,6 +43,12 @@ in {
 			};
 
 			config = { ... }: container.mkContainerConfig cfg {
+				networking.interfaces."eth0".ipv4.routes = [{
+					address      = "192.168.2.237";
+					prefixLength = 32;
+					via          = host;
+				}];
+
 				services.printing = {
 					enable          = true;
 					allowFrom       = [ "all" ];

container/Proxy.nix

@@ -38,19 +38,6 @@ in {
 		];
 
 		containers.proxy = container.mkContainer cfg {
-			forwardPorts = [
-				# {
-				# 	containerPort = 80;
-				# 	hostPort      = 80;
-				# 	protocol      = "tcp";
-				# } {
-				{
-					containerPort = cfg.port;
-					hostPort      = cfg.port;
-					protocol      = "tcp";
-				}
-			];
-
 			bindMounts = {
 				"/etc/letsencrypt" = {
 					hostPath   = "${cfg.storage}/letsencrypt";

container/Vpn.nix

@@ -39,19 +39,7 @@ in {
 			"data/preshared"
 		];
 
-		boot.kernel.sysctl = {
-			"net.ipv4.conf.all.src_valid_mark" = 1;
-			"net.ipv4.ip_forward" = 1;
-		};
-
 		containers.vpn = container.mkContainer cfg {
-			forwardPorts = [
-				{
-					containerPort = cfg.port;
-					hostPort      = cfg.port;
-					protocol      = "udp";
-				}
-			];
 			bindMounts = {
 				"/var/lib/wireguard" = {
 					hostPath   = "${cfg.storage}/data";

container/Zapret.nix

@@ -23,29 +23,6 @@ in {
 
 	config = mkIf cfg.enable {
 		containers.zapret = container.mkContainer cfg {
-			forwardPorts = [
-				{
-					containerPort = cfg.port;
-					hostPort      = cfg.port;
-					protocol      = "tcp";
-				}
-				{
-					containerPort = cfg.port;
-					hostPort      = cfg.port;
-					protocol      = "udp";
-				}
-				{
-					containerPort = cfg.torport;
-					hostPort      = cfg.torport;
-					protocol      = "tcp";
-				}
-				{
-					containerPort = cfg.torport;
-					hostPort      = cfg.torport;
-					protocol      = "udp";
-				}
-			];
-
 			config = { ... }: container.mkContainerConfig cfg {
 				boot.kernel.sysctl = {
 					"net.ipv4.conf.all.src_valid_mark" = 1;

container/proxy/host/Router.nix

@@ -1,5 +1,5 @@
 { util, container, config, ... }: let
-	address = "192.168.1.1";
+	address = "10.0.0.2";
 	domain  = "router.${config.container.domain}";
 	port    = 80;
 	name    = "router";

home/config/gtk/3/default.nix

@@ -2,8 +2,8 @@
 	bookmarks = util.trimTabs ''
 		file:///storage
 		file:///home/voronind/tmp
-		sftp://192.168.1.2:22143/storage/hot/docker/cloud/data/data/cakee/files/ home cloud
+		sftp://10.0.0.1:22143/storage/hot/docker/cloud/data/data/cakee/files/ home cloud
-		sftp://192.168.1.2:22143/ home sftp
+		sftp://10.0.0.1:22143/ home sftp
-		ftp://192.168.1.2/ home ftp
+		ftp://10.0.0.1/ home ftp
 	'';
 }

home/config/ssh/default.nix

@@ -2,12 +2,12 @@
 { util, ... }: {
 	text = util.trimTabs ''
 		Host dasha
-			HostName 192.168.1.7
+			HostName 10.0.0.7
 			User root
 			Port 22143
 
 		Host desktop
-			Hostname 192.168.1.3
+			Hostname 10.0.0.3
 			User root
 			Port 22143
 
@@ -22,23 +22,23 @@
 			Port 22143
 
 		Host home
-			HostName 192.168.1.2
+			HostName 10.0.0.1
 			User root
 			Port 22143
 
 		Host nixbuilder
-			HostName 192.168.1.2
+			HostName 10.0.0.1
 			User nixbuilder
 			StrictHostKeyChecking=accept-new
 			Port 22143
 
 		Host laptop
-			Hostname 192.168.1.9
+			Hostname 10.0.0.9
 			User root
 			Port 22143
 
 		Host pi
-			Hostname 192.168.1.6
+			Hostname 10.0.0.6
 			User root
 			Port 22143
 
@@ -48,7 +48,7 @@
 			Port 22143
 
 		Host work
-			Hostname 192.168.1.5
+			Hostname 10.0.0.5
 			User root
 			Port 22143
 	'';

host/home/Container.nix

@@ -35,9 +35,9 @@
 
 		storage     = "/storage/hot/container";
 		domain      = "voronind.com";
-		host        = "192.168.1.2";
+		host        = "188.242.247.132";
-		interface   = "enp7s0";
+		interface   = "enp8s0";
-		localAccess = "192.168.1.0/24";
+		localAccess = "10.0.0.0/24";
 		media = {
 			anime    = [ "/storage/cold_1/media/anime" "/storage/cold_2/media/anime" ];
 			book     = [ "/storage/hot/media/book" ];

host/home/Filesystem.nix

@@ -19,9 +19,9 @@
 		};
 	};
 
-	swapDevices = [{
+	# swapDevices = [{
-		device  = "/storage/hot/.swapfile";
+	# 	device  = "/storage/hot/.swapfile";
-		size    = 128 * 1024;
+	# 	size    = 128 * 1024;
-		options = [ "nofail" ];
+	# 	options = [ "nofail" ];
-	}];
+	# }];
 }

host/home/Network.nix

@@ -1,13 +1,107 @@
-{ util, ... }: {
+{ util, config, lib, ... }: let
+	internal = "10.0.0.1";
+	external = "188.242.247.132";
+	wifi     = "10.0.0.2";
+
+	lan = "br0";
+	wan = "enp8s0";
+in {
+	boot.kernel.sysctl = {
+		"net.ipv4.conf.all.src_valid_mark" = 1;
+		"net.ipv4.ip_forward" = 1;
+	};
+
 	networking = {
 		networkmanager.insertNameservers = [
 			"1.1.1.1"
 			"8.8.8.8"
 		];
+
 		extraHosts = util.trimTabs ''
 			10.1.0.2 git.voronind.com
 			10.1.0.2 iot.voronind.com
 			10.1.0.2 pass.voronind.com
 		'';
+
+		firewall = {
+			enable = lib.mkForce true;
+			trustedInterfaces = [
+				lan
+			];
+			extraCommands = let
+				cfg = config.container.module;
+
+				# mkForward = src: sport: dst: dport: proto: "iptables -t nat -I PREROUTING -i ${src} -p ${proto} --dport ${toString sport} -j DNAT --to-destination ${dst}:${toString dport}\n";
+				mkForward = src: sport: dst: dport: proto: "iptables -t nat -I PREROUTING -d ${src} -p ${proto} --dport ${toString sport} -j DNAT --to-destination ${dst}:${toString dport}\n";
+			in ''
+				iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -d 0/0 -o ${wan} -j MASQUERADE
+			''
+			+ (mkForward internal cfg.dns.port cfg.dns.address cfg.dns.port "tcp")
+			+ (mkForward internal cfg.dns.port cfg.dns.address cfg.dns.port "udp")
+
+			+ (mkForward external 25  cfg.mail.address 25  "tcp")
+			+ (mkForward internal 25  cfg.mail.address 25  "tcp")
+			+ (mkForward internal 465 cfg.mail.address 465 "tcp")
+			+ (mkForward internal 993 cfg.mail.address 993 "tcp")
+
+			+ (mkForward internal cfg.zapret.port    cfg.zapret.address cfg.zapret.port    "tcp")
+			+ (mkForward internal cfg.zapret.torport cfg.zapret.address cfg.zapret.torport "tcp")
+			+ (mkForward internal cfg.zapret.port    cfg.zapret.address cfg.zapret.port    "udp")
+			+ (mkForward internal cfg.zapret.torport cfg.zapret.address cfg.zapret.torport "udp")
+
+			+ (mkForward external cfg.vpn.port cfg.vpn.address cfg.vpn.port "udp")
+
+			+ (mkForward external cfg.proxy.port cfg.proxy.address cfg.proxy.port "tcp")
+			+ (mkForward internal cfg.proxy.port cfg.proxy.address cfg.proxy.port "tcp")
+
+			+ (mkForward external 54630 cfg.download.address 54630 "tcp")
+			+ (mkForward external 54631 cfg.download.address 54631 "tcp")
+			+ (mkForward external 54630 cfg.download.address 54630 "udp")
+			+ (mkForward external 54631 cfg.download.address 54631 "udp")
+			;
+
+			interfaces = {
+				"${wan}" = {
+					allowedUDPPorts = [
+					];
+					allowedTCPPorts = [
+						# 22143
+					];
+				};
+				"${lan}" = {
+					allowedUDPPorts = [
+					];
+					allowedTCPPorts = [
+						22143
+					];
+				};
+			};
+		};
+
+		bridges."${lan}".interfaces = [
+			"enp6s0f0"
+			"enp6s0f1"
+		];
+
+		interfaces = {
+			"${lan}".ipv4 = {
+				addresses = [{
+					address      = internal;
+					prefixLength = 24;
+				}];
+				routes = [
+					{
+						address      = "192.168.1.0";
+						prefixLength = 24;
+						via          = wifi;
+					}
+					{
+						address      = "192.168.2.0";
+						prefixLength = 24;
+						via          = wifi;
+					}
+				];
+			};
+		};
 	};
 }

module/Print.nix

@@ -10,7 +10,7 @@ in {
 			enable = true;
 			clientConf = ''
 				DigestOptions DenyMD5
-				ServerName 192.168.1.2
+				ServerName 10.0.0.1
 			'';
 		};
 	};

module/Sshd.nix

@@ -4,6 +4,7 @@
 	services.openssh = {
 		enable    = true;
 		allowSFTP = true;
+		openFirewall = false;
 		ports = [ 22143 ];
 		listenAddresses = [
 			{

package/default.nix

@@ -2,6 +2,7 @@
 	core = with pkgs; [
 		android-tools     # Android adb tool. Can be used to connect to itself via wireless debugging.
 		binwalk           # Can analyze files for other files inside them.
+		bridge-utils      # Network bridges.
 		btop htop         # System monitors.
 		coreutils         # UNIX Core utilities.
 		cryptsetup        # Filesystem encryption (LUKS).