
# 10.0.0.0/24 - wired clients (lan).
# 10.1.0.0/24 - containers.
# 10.1.1.0/24 - vpn clients.
# 192.168.1.0/24 - 5G wireless clients.
# 192.168.2.0/24 - 2.4G wireless clients.
# NixOS module for the router host: WAN uplink, a LAN bridge built from four
# wired ports, static routes to the wireless subnets, and the iptables rules
# (input acceptance and DNAT port forwards) that expose container services.
{
config,
lib,
util,
...
}: let
# NOTE(review): the WAN interface is configured by DHCP (DHCP = "yes" below),
# but every WAN-facing forward matches this fixed address; if the lease ever
# changes, those DNAT rules silently stop matching. Assumes a stable lease.
external = "188.242.247.132"; # Wan host IP address.
internal = "10.0.0.1"; # Lan host IP address.
wifi = "10.0.0.2"; # Wifi router IP address.
lan = "br0"; # Lan interface.
wan = "enp8s0"; # Wan interface.
in {
# Disable SSH access from everywhere, configure access below.
# The openssh module opens nothing itself; reachability of sshd depends solely
# on the INPUT ACCEPT rules in extraCommands (VPN clients, frkn address, LAN).
services.openssh.openFirewall = false;
# NOTE: Debugging.
# Presumably a temporary setting: networkd at debug level logs every DHCP
# lease and RA exchange to the journal. Remove once the investigation is done.
systemd.services."systemd-networkd".environment.SYSTEMD_LOG_LEVEL = "debug";
# Wan configuration.
systemd.network = {
networks = {
# WAN uplink: DHCPv4 + DHCPv6, DNS from the lease is ignored in favour of the
# static resolver below; IPv6 router advertisements are accepted.
"10-${wan}" = {
matchConfig.Name = wan;
linkConfig.RequiredForOnline = "carrier";
dhcpV4Config = {
UseDNS = false;
UseRoutes = true;
ClientIdentifier = "mac";
};
dhcpV6Config = {
UseDNS = false;
};
networkConfig = {
DHCP = "yes";
DNS = "1.1.1.1";
IPv6AcceptRA = true;
};
};
# The four wired ports are enslaved to the LAN bridge; they count as online
# once enslaved rather than once they have carrier.
"20-enp6s0f0" = {
matchConfig.Name = "enp6s0f0";
networkConfig.Bridge = lan;
linkConfig.RequiredForOnline = "enslaved";
};
"20-enp6s0f1" = {
matchConfig.Name = "enp6s0f1";
networkConfig.Bridge = lan;
linkConfig.RequiredForOnline = "enslaved";
};
"20-enp7s0f0" = {
matchConfig.Name = "enp7s0f0";
networkConfig.Bridge = lan;
linkConfig.RequiredForOnline = "enslaved";
};
"20-enp7s0f1" = {
matchConfig.Name = "enp7s0f1";
networkConfig.Bridge = lan;
linkConfig.RequiredForOnline = "enslaved";
};
# LAN bridge: holds the host's LAN address and the static routes to the two
# wireless subnets, which live behind the wifi router at `wifi`.
"30-${lan}" = {
matchConfig.Name = lan;
bridgeConfig = {};
linkConfig.RequiredForOnline = "carrier";
address = [
"10.0.0.1/24"
];
routes = [
# Wifi 5G clients.
{ routeConfig = {
Gateway = wifi;
Destination = "192.168.1.0/24";
}; }
# Wifi 2G clients.
{ routeConfig = {
Gateway = wifi;
Destination = "192.168.2.0/24";
}; }
];
};
};
netdevs = {
# The bridge device itself; the "20-*" networks above attach ports to it.
"10-${lan}" = {
netdevConfig = {
Kind = "bridge";
Name = lan;
};
};
};
};
networking = {
firewall = {
enable = true;
allowPing = true;
rejectPackets = false; # Drop.
# Refused traffic is not logged; the only logging kept is for refused
# unicasts, which limits log noise from broadcast/multicast on the LAN.
logRefusedConnections = false;
logReversePathDrops = false;
logRefusedPackets = false;
logRefusedUnicastsOnly = true;
# Raw iptables appended to the NixOS firewall start script. Everything here
# is inserted directly into the built-in INPUT / nat chains rather than into
# the nixos-fw chains, so it is not flushed by the firewall's own stop or
# reload path; presumably a matching extraStopCommands is needed to avoid
# duplicate rules accumulating across reloads — TODO confirm.
extraCommands = let
# Container configs.
cfg = config.container.module;
# Const.
tcp = "tcp";
udp = "udp";
# Create port forwarding rule.
# DNAT in nat/PREROUTING keyed on destination address, protocol and port only;
# there is no `-i` match, so the rule applies to whichever interface a packet
# addressed to `src` arrives on. `-I` inserts at the head of the chain.
mkForward = src: sport: dst: dport: proto: "iptables -t nat -I PREROUTING -d ${src} -p ${proto} --dport ${toString sport} -j DNAT --to-destination ${dst}:${toString dport}\n";
# The ACCEPT rules below match on source address only (no `-i`); keeping
# WAN-originated packets with a spoofed internal source out of the host rests
# on reverse-path filtering rather than on these rules — assumption, confirm
# that checkReversePath is in effect for the WAN interface.
in (util.trimTabs ''
# Wan access for 10.0.0.0/24 subnet.
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -d 0/0 -o ${wan} -j MASQUERADE
# Full access from VPN clients.
iptables -I INPUT -j ACCEPT -s ${cfg.vpn.clients} -d ${internal}
iptables -I INPUT -j ACCEPT -s ${cfg.frkn.address} -d ${internal}
# Full access from Lan.
iptables -I INPUT -j ACCEPT -i ${lan} -d ${internal}
'')
# Only 10.0.0.0/24 is masqueraded above; the container and VPN subnets named
# in the file header are not NATed here — presumably handled elsewhere.
# Forwards keyed on `internal` are reachable from the LAN side; forwards keyed
# on `external` are the services exposed to the Internet.
# Expose DNS server for internal network.
+ (mkForward internal cfg.dns.port cfg.dns.address cfg.dns.port tcp)
+ (mkForward internal cfg.dns.port cfg.dns.address cfg.dns.port udp)
# Email server.
# Only SMTP (25) is reachable from the WAN; submission (465) and IMAPS (993)
# are LAN-only.
+ (mkForward external 25 cfg.mail.address 25 tcp)
+ (mkForward internal 25 cfg.mail.address 25 tcp)
+ (mkForward internal 465 cfg.mail.address 465 tcp)
+ (mkForward internal 993 cfg.mail.address 993 tcp)
# FRKN internal proxy server.
+ (mkForward internal cfg.frkn.port cfg.frkn.address cfg.frkn.port tcp)
+ (mkForward internal cfg.frkn.torport cfg.frkn.address cfg.frkn.torport tcp)
+ (mkForward internal cfg.frkn.xrayport cfg.frkn.address cfg.frkn.xrayport tcp)
+ (mkForward internal cfg.frkn.port cfg.frkn.address cfg.frkn.port udp)
+ (mkForward internal cfg.frkn.torport cfg.frkn.address cfg.frkn.torport udp)
+ (mkForward internal cfg.frkn.xrayport cfg.frkn.address cfg.frkn.xrayport udp)
# VPN connections.
+ (mkForward external cfg.vpn.port cfg.vpn.address cfg.vpn.port udp)
# Nginx HTTP.
+ (mkForward external cfg.proxy.port cfg.proxy.address cfg.proxy.port tcp)
+ (mkForward internal cfg.proxy.port cfg.proxy.address cfg.proxy.port tcp)
# Download ports for torrents.
+ (mkForward external 54630 cfg.download.address 54630 tcp)
+ (mkForward external 54631 cfg.download.address 54631 tcp)
+ (mkForward external 54630 cfg.download.address 54630 udp)
+ (mkForward external 54631 cfg.download.address 54631 udp)
# Git SSH connections.
+ (mkForward external cfg.git.portSsh cfg.git.address cfg.git.portSsh tcp)
+ (mkForward internal cfg.git.portSsh cfg.git.address cfg.git.portSsh tcp)
# Print service.
+ (mkForward internal cfg.print.port cfg.print.address cfg.print.port tcp);
# SSH access from WAN.
# Intentionally disabled: host SSH is reachable only via the INPUT rules above.
# + (mkForward external 22143 config.container.host 22143 tcp)
};
};
}