Richie/dotfiles
1
0
Fork 0
mirror of https://github.com/RichieCahill/dotfiles.git synced 2026-04-21 06:39:09 -04:00
Code Issues Packages Projects Releases Wiki Activity
Files
4a456c5a06331101448158743ba0cc0fc1c3dcec
dotfiles/systems/router/default.nix
Richie Cahill 4a456c5a06 bootstrapping
2024-10-25 16:54:01 -04:00

148 lines
3.9 KiB
Nix
Raw Blame History

# https://github.com/ghostbuster91/blogposts/blob/a2374f0039f8cdf4faddeaaa0347661ffc2ec7cf/router2023-part2/main.md
# https://francis.begyn.be/blog/nixos-home-router
{
imports = [
../../users/richie
../../common/global
../../common/optional/zerotier.nix
./docker
./hardware.nix
];
boot.kernel = {
sysctl = {
"net.ipv4.conf.all.forwarding" = true;
"net.ipv6.conf.all.forwarding" = false;
};
};
systemd.network = {
wait-online.anyInterface = true;
networks = {
"30-lan0" = {
matchConfig.Name = "lan0";
linkConfig.RequiredForOnline = "enslaved";
networkConfig = {
ConfigureWithoutCarrier = true;
};
};
# lan1 and lan2 look analogical
"30-lan3" = {
matchConfig.Name = "lan3";
linkConfig.RequiredForOnline = "enslaved";
networkConfig = {
ConfigureWithoutCarrier = true;
};
};
"10-wan" = {
matchConfig.Name = "wan";
networkConfig = {
# start a DHCP Client for IPv4 Addressing/Routing
DHCP = "ipv4";
DNSOverTLS = true;
DNSSEC = true;
IPv6PrivacyExtensions = false;
IPForward = true;
};
# make routing on this interface a dependency for network-online.target
linkConfig.RequiredForOnline = "routable";
};
};
};
networking = {
hostName = "surfer";
useNetworkd = true;
useDHCP = false;
# No local firewall.
nat.enable = false;
firewall.enable = false;
nftables = {
enable = true;
ruleset = ''
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
iifname { "br-lan" } accept comment "Allow local network to access the router"
iifname "wan" ct state { established, related } accept comment "Allow established traffic"
iifname "wan" icmp type { echo-request, destination-unreachable, time-exceeded } counter accept comment "Allow select ICMP"
iifname "wan" counter drop comment "Drop all other unsolicited traffic from wan"
iifname "lo" accept comment "Accept everything from loopback interface"
}
chain forward {
type filter hook forward priority filter; policy drop;
iifname { "br-lan" } oifname { "wan" } accept comment "Allow trusted LAN to WAN"
iifname { "wan" } oifname { "br-lan" } ct state { established, related } accept comment "Allow established back to LANs"
}
}
table ip nat {
chain postrouting {
type nat hook postrouting priority 100; policy accept;
oifname "wan" masquerade
}
}
'';
};
};
services.dnsmasq = {
enable = true;
settings = {
# upstream DNS servers
server = [ "9.9.9.9" "8.8.8.8" "1.1.1.1" ];
# sensible behaviours
domain-needed = true;
bogus-priv = true;
no-resolv = true;
# Cache dns queries.
cache-size = 1000;
dhcp-range = [ "br-lan,192.168.10.50,192.168.10.254,24h" ];
interface = "br-lan";
dhcp-host = "192.168.10.1";
# local domains
local = "/lan/";
domain = "lan";
expand-hosts = true;
# don't use /etc/hosts as this would advertise surfer as localhost
no-hosts = true;
address = "/surfer.lan/192.168.10.1";
};
};
boot.kernel = {
sysctl = {
"net.ipv4.conf.default.rp_filter" = 1;
"net.ipv4.conf.wan.rp_filter" = 1;
"net.ipv4.conf.br-lan.rp_filter" = 0;
};
};
services = {
openssh.ports = [ 629 ];
smartd.enable = true;
snapshot_manager = {
enable = true;
path = ./snapshot_config.toml;
};
sysstat.enable = true;
zfs = {
trim.enable = true;
autoScrub.enable = true;
};
};
system.stateVersion = "24.05";
}
Reference in New Issue View Git Blame Copy Permalink