| -rw-r--r-- | nixos/services/router/dns-dhcp.nix | 8 | ||||
| -rw-r--r-- | nixos/services/router/routing.nix | 83 |
2 files changed, 44 insertions, 47 deletions
diff --git a/nixos/services/router/dns-dhcp.nix b/nixos/services/router/dns-dhcp.nix index 5839227..5dd1612 100644 --- a/nixos/services/router/dns-dhcp.nix +++ b/nixos/services/router/dns-dhcp.nix @@ -26,7 +26,7 @@ in { options.services._router.dnsDhcpConfig = { enable = lib.mkEnableOption "enable pre-configured unbound(outbound) + dnsmasq(local) dns(+dhcp) server"; - # TODO + #enableUnbound = lib.mkEnableOption "enable unbound as outbound dns server"; dhcp = { defaultGateway = lib.mkOption { type = lib.types.str; @@ -165,7 +165,7 @@ in { mkDHCPRange = ipRangeStart: ipRangeEnd: subnetMask: leaseTime: "${ipRangeStart},${ipRangeEnd},${subnetMask},${leaseTime}"; mkDHCPOption = option: value: "option:${option},${value}"; mkDHCPStaticLease = macAddress: hostname: staticIp: "${macAddress},${hostname},${staticIp},infinite"; - #dhcpStaticLeases = builtins.map (); + dhcpStaticLeases = builtins.map (l: mkDHCPStaticLease l.macAddress l.hostname l.staticIp) cfg.staticLeases; in { # General no-resolv = true; # Do not read /etc/resolv.conf, resolve only the LAN @@ -183,9 +183,7 @@ in { #dhcp-range = mkDHCPRange "192.168.1.50" "192.168.1.150" "255.255.255.0" "12h"; # Enable DHCP on the LAN interface dhcp-range = with cfg.dhcp; mkDHCPRange rangeStart rangeEnd subnetMask leaseTime; # Enable DHCP on the LAN interface - # TODO config - #dhcp-host = [ mkDHCPStaticLease ... ]; # Setup static leases - #dhcp-host = dhcpStaticLeases; # Setup static leases + dhcp-host = dhcpStaticLeases; # Setup static leases dhcp-option = with cfg.dhcp; [ (mkDHCPOption "router" defaultGateway) # Set default gateway for clients diff --git a/nixos/services/router/routing.nix b/nixos/services/router/routing.nix index 324e1a9..8b09d95 100644 --- a/nixos/services/router/routing.nix +++ b/nixos/services/router/routing.nix 
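Review bot: In the `@@ -165` hunk, `dhcpStaticLeases` builds each dnsmasq `dhcp-host` entry by plain interpolation of `l.macAddress`, `l.hostname` and `l.staticIp` into a comma-separated line, so a value containing a comma or newline silently becomes extra fields or an extra directive rather than an error. The `staticLeases` option declaration is outside this hunk, so I cannot tell whether its submodule already constrains these; if they are plain `lib.types.str`, tightening them is cheap, e.g. `macAddress = lib.mkOption { type = lib.types.strMatching "^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$"; };` and a similar pattern for `staticIp`. The `infinite` lease time is hard-coded inside `mkDHCPStaticLease` with no comment; I would note it next to the `dhcp-host = dhcpStaticLeases;` line, e.g. `# Static leases never expire (dnsmasq "infinite"); they are keyed by MAC only, which clients can spoof`. That last caveat matters if these addresses are later relied on in firewall rules, which the diff does not show.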
@@ -3,64 +3,63 @@ in { options.services._router.routing = { enable = lib.mkEnableOption "enable nftables routing"; - interfaces.wan = lib.mkOption = { - type = lib.types.str; - default = ""; - description = "wan interface"; - }; - interfaces.lan = lib.mkOption = { - type = lib.types.str; - default = ""; - description = "lan interface"; + interfaces = { + wan = lib.mkOption = { + type = lib.types.str; + default = ""; + description = "wan interface"; + }; + lan = lib.mkOption = { + type = lib.types.str; + default = ""; + description = "lan interface"; + }; }; }; config = lib.mkIf cfg.enable { networking.nftables = { enable = true; - table = { - filter = { - family = "ip"; - # https://hackers-arise.com/linux-basics-for-hackers-building-a-router-with-nftables/ - content = '' - chain input { - type filter hook input priority 0; policy drop; - - # Allow established/related connections - ct state established,related accept + table.filter = { + family = "ip"; + # https://hackers-arise.com/linux-basics-for-hackers-building-a-router-with-nftables/ + content = '' + chain input { + type filter hook input priority 0; policy drop; - # Allow loopback - iifname "lo" accept + # Allow established/related connections + ct state established,related accept - # Allow LAN to access router - iifname ${cfg.interfaces.lan} accept + # Allow loopback + iifname "lo" accept - # Allow ICMP from WAN (for ping) - iifname ${cfg.interfaces.wan} icmp type echo-request accept + # Allow LAN to access router + iifname ${cfg.interfaces.lan} accept - # Drop invalid connections - ct state invalid drop - } + # Allow ICMP from WAN (for ping) + iifname ${cfg.interfaces.wan} icmp type echo-request accept - chain forward { - type filter hook forward priority 0; policy drop; + # Drop invalid connections + ct state invalid drop + } - # Allow established/related connections - ct state established,related accept + chain forward { + type filter hook forward priority 0; policy drop; - # Allow LAN to WAN - iifname 
${cfg.interfaces.lan} oifname ${cfg.interfaces.wan} accept + # Allow established/related connections + ct state established,related accept - # Drop invalid connections - ct state invalid drop - } + # Allow LAN to WAN + iifname ${cfg.interfaces.lan} oifname ${cfg.interfaces.wan} accept - chain output { - type filter hook output priority 0; policy accept; - } - ''; + # Drop invalid connections + ct state invalid drop + } - } + chain output { + type filter hook output priority 0; policy accept; + } + ''; }; }; networking.nat.enable = true; |
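Review bot: The new `wan = lib.mkOption = {` and `lan = lib.mkOption = {` bindings are not valid Nix (an attribute binding cannot carry a second `=`), so the module fails to evaluate before any of the firewall rules below are ever applied; the same typo was on the old side and this refactor carries it over instead of fixing it to `wan = lib.mkOption { ... };`. Separately, `table.filter` keeps `family = "ip"`, so the `policy drop` input and forward chains only see IPv4 and any IPv6 reaching the WAN interface is not filtered by this ruleset at all; `family = "inet"` covers both (ICMPv6 neighbor discovery then also needs an accept rule for IPv6 to keep working). The interface names are interpolated unquoted with a default of `""`, so an unset option renders as `iifname  accept`, which nft rejects at load time, and as far as I can tell a failed nftables load leaves the host with no rules while `networking.nat.enable` still turns on forwarding. Quoting the names and dropping the empty default (`lib.types.nonEmptyStr`) turns that into an evaluation error instead. The `config` block continues past the end of this hunk.
```nix
interfaces = {
  wan = lib.mkOption {
    type = lib.types.nonEmptyStr;  # no default: "" would render as `iifname  accept`
    description = "wan interface";
  };
  lan = lib.mkOption {
    type = lib.types.nonEmptyStr;
    description = "lan interface";
  };
};
# … unchanged: config = lib.mkIf cfg.enable { networking.nftables = { enable = true; …
table.filter = {
  family = "inet";  # "ip" leaves IPv6 on the WAN unfiltered
  content = ''
    chain input {
      type filter hook input priority 0; policy drop;
      # … unchanged: established/related, loopback …
      iifname "${cfg.interfaces.lan}" accept
      iifname "${cfg.interfaces.wan}" icmp type echo-request accept
      # … unchanged: ct state invalid drop …
    }
    # … unchanged: forward and output chains, with interface names quoted the same way …
  '';
};
```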
