Home : Make a router!
This commit is contained in:
parent
e1d1da934d
commit
d57fd86708
|
@ -17,18 +17,6 @@ in {
|
|||
|
||||
config = mkIf cfg.enable {
|
||||
containers.dns = container.mkContainer cfg {
|
||||
forwardPorts = [
|
||||
{
|
||||
containerPort = cfg.port;
|
||||
hostPort = cfg.port;
|
||||
protocol = "udp";
|
||||
} {
|
||||
containerPort = cfg.port;
|
||||
hostPort = cfg.port;
|
||||
protocol = "tcp";
|
||||
}
|
||||
];
|
||||
|
||||
config = { ... }: container.mkContainerConfig cfg {
|
||||
environment.systemPackages = [
|
||||
pkgs.cloudflared
|
||||
|
|
|
@ -35,22 +35,6 @@ in {
|
|||
];
|
||||
|
||||
containers.mail = container.mkContainer cfg {
|
||||
forwardPorts = [
|
||||
{
|
||||
containerPort = 993;
|
||||
hostPort = 993;
|
||||
protocol = "tcp";
|
||||
} {
|
||||
containerPort = 25;
|
||||
hostPort = 25;
|
||||
protocol = "tcp";
|
||||
} {
|
||||
containerPort = 465;
|
||||
hostPort = 465;
|
||||
protocol = "tcp";
|
||||
}
|
||||
];
|
||||
|
||||
bindMounts = {
|
||||
"/var/lib/dovecot/indices" = {
|
||||
hostPath = "${cfg.storage}/data/indices";
|
||||
|
|
|
@ -5,6 +5,7 @@
|
|||
{ container, pkgs, lib, config, __findFile, ... } @args: with lib; let
|
||||
cfg = config.container.module.print;
|
||||
package = pkgs.callPackage <package/print> args;
|
||||
host = config.container.host;
|
||||
in {
|
||||
options = {
|
||||
container.module.print = {
|
||||
|
@ -42,6 +43,12 @@ in {
|
|||
};
|
||||
|
||||
config = { ... }: container.mkContainerConfig cfg {
|
||||
networking.interfaces."eth0".ipv4.routes = [{
|
||||
address = "192.168.2.237";
|
||||
prefixLength = 32;
|
||||
via = host;
|
||||
}];
|
||||
|
||||
services.printing = {
|
||||
enable = true;
|
||||
allowFrom = [ "all" ];
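Review bot: `via = host` on the new route resolves to `config.container.host`, and this same commit changes that value to the public WAN address 188.242.247.132; unless that address is on-link for the container's eth0, the kernel will reject the /32 route for 192.168.2.237 as an invalid nexthop and the printer (192.168.2.0/24 is routed via the wifi gateway in router.nix) stays unreachable. Route via the host-side address of the container link instead of the WAN address, and say why in a comment, e.g. `# Printer lives on the wifi subnet; reach it through the host's container gateway, not the WAN IP.` The `config = { ... }:` block continues past the end of the hunk.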
|
||||
|
|
|
@ -38,19 +38,6 @@ in {
|
|||
];
|
||||
|
||||
containers.proxy = container.mkContainer cfg {
|
||||
forwardPorts = [
|
||||
# {
|
||||
# containerPort = 80;
|
||||
# hostPort = 80;
|
||||
# protocol = "tcp";
|
||||
# } {
|
||||
{
|
||||
containerPort = cfg.port;
|
||||
hostPort = cfg.port;
|
||||
protocol = "tcp";
|
||||
}
|
||||
];
|
||||
|
||||
bindMounts = {
|
||||
"/etc/letsencrypt" = {
|
||||
hostPath = "${cfg.storage}/letsencrypt";
|
||||
|
|
|
@ -39,19 +39,7 @@ in {
|
|||
"data/preshared"
|
||||
];
|
||||
|
||||
boot.kernel.sysctl = {
|
||||
"net.ipv4.conf.all.src_valid_mark" = 1;
|
||||
"net.ipv4.ip_forward" = 1;
|
||||
};
|
||||
|
||||
containers.vpn = container.mkContainer cfg {
|
||||
forwardPorts = [
|
||||
{
|
||||
containerPort = cfg.port;
|
||||
hostPort = cfg.port;
|
||||
protocol = "udp";
|
||||
}
|
||||
];
|
||||
bindMounts = {
|
||||
"/var/lib/wireguard" = {
|
||||
hostPath = "${cfg.storage}/data";
|
||||
|
|
|
@ -23,29 +23,6 @@ in {
|
|||
|
||||
config = mkIf cfg.enable {
|
||||
containers.zapret = container.mkContainer cfg {
|
||||
forwardPorts = [
|
||||
{
|
||||
containerPort = cfg.port;
|
||||
hostPort = cfg.port;
|
||||
protocol = "tcp";
|
||||
}
|
||||
{
|
||||
containerPort = cfg.port;
|
||||
hostPort = cfg.port;
|
||||
protocol = "udp";
|
||||
}
|
||||
{
|
||||
containerPort = cfg.torport;
|
||||
hostPort = cfg.torport;
|
||||
protocol = "tcp";
|
||||
}
|
||||
{
|
||||
containerPort = cfg.torport;
|
||||
hostPort = cfg.torport;
|
||||
protocol = "udp";
|
||||
}
|
||||
];
|
||||
|
||||
config = { ... }: container.mkContainerConfig cfg {
|
||||
boot.kernel.sysctl = {
|
||||
"net.ipv4.conf.all.src_valid_mark" = 1;
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
{ util, container, config, ... }: let
|
||||
address = "192.168.1.1";
|
||||
address = "10.0.0.2";
|
||||
domain = "router.${config.container.domain}";
|
||||
port = 80;
|
||||
name = "router";
|
||||
|
|
|
@ -2,8 +2,8 @@
|
|||
bookmarks = util.trimTabs ''
|
||||
file:///storage
|
||||
file:///home/voronind/tmp
|
||||
sftp://192.168.1.2:22143/storage/hot/docker/cloud/data/data/cakee/files/ home cloud
|
||||
sftp://192.168.1.2:22143/ home sftp
|
||||
ftp://192.168.1.2/ home ftp
|
||||
sftp://10.0.0.1:22143/storage/hot/docker/cloud/data/data/cakee/files/ home cloud
|
||||
sftp://10.0.0.1:22143/ home sftp
|
||||
ftp://10.0.0.1/ home ftp
|
||||
'';
|
||||
}
|
||||
|
|
|
@ -2,12 +2,12 @@
|
|||
{ util, ... }: {
|
||||
text = util.trimTabs ''
|
||||
Host dasha
|
||||
HostName 192.168.1.7
|
||||
HostName 10.0.0.7
|
||||
User root
|
||||
Port 22143
|
||||
|
||||
Host desktop
|
||||
Hostname 192.168.1.3
|
||||
Hostname 10.0.0.3
|
||||
User root
|
||||
Port 22143
|
||||
|
||||
|
@ -22,23 +22,23 @@
|
|||
Port 22143
|
||||
|
||||
Host home
|
||||
HostName 192.168.1.2
|
||||
HostName 10.0.0.1
|
||||
User root
|
||||
Port 22143
|
||||
|
||||
Host nixbuilder
|
||||
HostName 192.168.1.2
|
||||
HostName 10.0.0.1
|
||||
User nixbuilder
|
||||
StrictHostKeyChecking=accept-new
|
||||
Port 22143
|
||||
|
||||
Host laptop
|
||||
Hostname 192.168.1.9
|
||||
Hostname 10.0.0.9
|
||||
User root
|
||||
Port 22143
|
||||
|
||||
Host pi
|
||||
Hostname 192.168.1.6
|
||||
Hostname 10.0.0.6
|
||||
User root
|
||||
Port 22143
|
||||
|
||||
|
@ -48,7 +48,7 @@
|
|||
Port 22143
|
||||
|
||||
Host work
|
||||
Hostname 192.168.1.5
|
||||
Hostname 10.0.0.5
|
||||
User root
|
||||
Port 22143
|
||||
'';
|
||||
|
|
|
@ -35,9 +35,9 @@
|
|||
|
||||
storage = "/storage/hot/container";
|
||||
domain = "voronind.com";
|
||||
host = "192.168.1.2";
|
||||
interface = "enp7s0";
|
||||
localAccess = "192.168.1.0/24";
|
||||
host = "188.242.247.132";
|
||||
interface = "enp8s0";
|
||||
localAccess = "10.0.0.0/24";
|
||||
media = {
|
||||
anime = [ "/storage/cold_1/media/anime" "/storage/cold_2/media/anime" ];
|
||||
book = [ "/storage/hot/media/book" ];
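Review bot: `localAccess` now covers only 10.0.0.0/24, yet router.nix in this commit still routes 192.168.1.0/24 and 192.168.2.0/24 via 10.0.0.2; if this option is what gates which source addresses may reach container services, clients on those two wifi networks will be refused after the change. If they should remain "local", include them (if the option accepts several prefixes, something like `localAccess = [ "10.0.0.0/24" "192.168.1.0/24" "192.168.2.0/24" ];`), otherwise add a comment stating that wifi clients are intentionally treated as external. `host` also switched from a LAN address to the WAN address; any consumer that used it as a gateway or bind address (the print container's route in this commit does) should be rechecked.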
|
||||
|
|
|
@ -19,9 +19,9 @@
|
|||
};
|
||||
};
|
||||
|
||||
swapDevices = [{
|
||||
device = "/storage/hot/.swapfile";
|
||||
size = 128 * 1024;
|
||||
options = [ "nofail" ];
|
||||
}];
|
||||
# swapDevices = [{
|
||||
# device = "/storage/hot/.swapfile";
|
||||
# size = 128 * 1024;
|
||||
# options = [ "nofail" ];
|
||||
# }];
|
||||
}
|
||||
|
|
|
@ -1,13 +1,107 @@
|
|||
{ util, ... }: {
|
||||
{ util, config, lib, ... }: let
|
||||
internal = "10.0.0.1";
|
||||
external = "188.242.247.132";
|
||||
wifi = "10.0.0.2";
|
||||
|
||||
lan = "br0";
|
||||
wan = "enp8s0";
|
||||
in {
|
||||
boot.kernel.sysctl = {
|
||||
"net.ipv4.conf.all.src_valid_mark" = 1;
|
||||
"net.ipv4.ip_forward" = 1;
|
||||
};
|
||||
|
||||
networking = {
|
||||
networkmanager.insertNameservers = [
|
||||
"1.1.1.1"
|
||||
"8.8.8.8"
|
||||
];
|
||||
|
||||
extraHosts = util.trimTabs ''
|
||||
10.1.0.2 git.voronind.com
|
||||
10.1.0.2 iot.voronind.com
|
||||
10.1.0.2 pass.voronind.com
|
||||
'';
|
||||
|
||||
firewall = {
|
||||
enable = lib.mkForce true;
|
||||
trustedInterfaces = [
|
||||
lan
|
||||
];
|
||||
extraCommands = let
|
||||
cfg = config.container.module;
|
||||
|
||||
# mkForward = src: sport: dst: dport: proto: "iptables -t nat -I PREROUTING -i ${src} -p ${proto} --dport ${toString sport} -j DNAT --to-destination ${dst}:${toString dport}\n";
|
||||
mkForward = src: sport: dst: dport: proto: "iptables -t nat -I PREROUTING -d ${src} -p ${proto} --dport ${toString sport} -j DNAT --to-destination ${dst}:${toString dport}\n";
|
||||
in ''
|
||||
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -d 0/0 -o ${wan} -j MASQUERADE
|
||||
''
|
||||
+ (mkForward internal cfg.dns.port cfg.dns.address cfg.dns.port "tcp")
|
||||
+ (mkForward internal cfg.dns.port cfg.dns.address cfg.dns.port "udp")
|
||||
|
||||
+ (mkForward external 25 cfg.mail.address 25 "tcp")
|
||||
+ (mkForward internal 25 cfg.mail.address 25 "tcp")
|
||||
+ (mkForward internal 465 cfg.mail.address 465 "tcp")
|
||||
+ (mkForward internal 993 cfg.mail.address 993 "tcp")
|
||||
|
||||
+ (mkForward internal cfg.zapret.port cfg.zapret.address cfg.zapret.port "tcp")
|
||||
+ (mkForward internal cfg.zapret.torport cfg.zapret.address cfg.zapret.torport "tcp")
|
||||
+ (mkForward internal cfg.zapret.port cfg.zapret.address cfg.zapret.port "udp")
|
||||
+ (mkForward internal cfg.zapret.torport cfg.zapret.address cfg.zapret.torport "udp")
|
||||
|
||||
+ (mkForward external cfg.vpn.port cfg.vpn.address cfg.vpn.port "udp")
|
||||
|
||||
+ (mkForward external cfg.proxy.port cfg.proxy.address cfg.proxy.port "tcp")
|
||||
+ (mkForward internal cfg.proxy.port cfg.proxy.address cfg.proxy.port "tcp")
|
||||
|
||||
+ (mkForward external 54630 cfg.download.address 54630 "tcp")
|
||||
+ (mkForward external 54631 cfg.download.address 54631 "tcp")
|
||||
+ (mkForward external 54630 cfg.download.address 54630 "udp")
|
||||
+ (mkForward external 54631 cfg.download.address 54631 "udp")
|
||||
;
|
||||
|
||||
interfaces = {
|
||||
"${wan}" = {
|
||||
allowedUDPPorts = [
|
||||
];
|
||||
allowedTCPPorts = [
|
||||
# 22143
|
||||
];
|
||||
};
|
||||
"${lan}" = {
|
||||
allowedUDPPorts = [
|
||||
];
|
||||
allowedTCPPorts = [
|
||||
22143
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
bridges."${lan}".interfaces = [
|
||||
"enp6s0f0"
|
||||
"enp6s0f1"
|
||||
];
|
||||
|
||||
interfaces = {
|
||||
"${lan}".ipv4 = {
|
||||
addresses = [{
|
||||
address = internal;
|
||||
prefixLength = 24;
|
||||
}];
|
||||
routes = [
|
||||
{
|
||||
address = "192.168.1.0";
|
||||
prefixLength = 24;
|
||||
via = wifi;
|
||||
}
|
||||
{
|
||||
address = "192.168.2.0";
|
||||
prefixLength = 24;
|
||||
via = wifi;
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
}
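Review bot: The DNAT and MASQUERADE rules built in `extraCommands` (the `mkForward` string and the POSTROUTING line) go straight into the nat table with `-I`/`-A`, but the iptables-based NixOS firewall only flushes its own `nixos-fw*` chains on reload, so each firewall restart leaves a duplicate copy of every rule behind; pair them with `extraStopCommands` that deletes them (e.g. have mkForward emit `iptables -t nat -D PREROUTING ... 2>/dev/null || true` before its `-I`, and a matching `-D POSTROUTING` for the masquerade rule). Separately, `net.ipv4.ip_forward = 1` is now set on the host while this firewall variant does not filter the FORWARD chain at all, so whatever the WAN side can route toward 10.0.0.0/24 or the container networks is forwarded without policy; a rule such as `iptables -A FORWARD -i ${wan} -m conntrack --ctstate NEW -m conntrack ! --ctstate DNAT -j DROP` limits inbound forwarding to the DNATed flows this file intends. The new `mkForward` matches on `-d ${src}` instead of the commented-out `-i ${src}`, so the `internal` rules now fire on any interface including the container bridge; that is probably harmless but deserves a one-line comment above the definition.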
|
||||
|
|
|
@ -10,7 +10,7 @@ in {
|
|||
enable = true;
|
||||
clientConf = ''
|
||||
DigestOptions DenyMD5
|
||||
ServerName 192.168.1.2
|
||||
ServerName 10.0.0.1
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
|
|
@ -4,6 +4,7 @@
|
|||
services.openssh = {
|
||||
enable = true;
|
||||
allowSFTP = true;
|
||||
openFirewall = false;
|
||||
ports = [ 22143 ];
|
||||
listenAddresses = [
|
||||
{
|
||||
|
|
|
@ -2,6 +2,7 @@
|
|||
core = with pkgs; [
|
||||
android-tools # Android adb tool. Can be used to connect to itself via wireless debugging.
|
||||
binwalk # Can analyze files for other files inside them.
|
||||
bridge-utils # Network bridges.
|
||||
btop htop # System monitors.
|
||||
coreutils # UNIX Core utilities.
|
||||
cryptsetup # Filesystem encryption (LUKS).
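Review bot: `bridge-utils` provides the legacy `brctl`; the bridge declared in router.nix is managed by NixOS itself and the same inspection is available through `ip link` / `bridge link` from iproute2, which is already in the base system, so the package is likely redundant. If it is kept deliberately, make the trailing comment say so, e.g. `bridge-utils # Legacy brctl; prefer 'bridge'/'ip link' from iproute2.`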
|
||||
|
|