-rw-r--r--.sops.yaml10
-rw-r--r--hosts/flex-wg-router/configuration.nix45
-rw-r--r--nixos/services/fileshares.nix2
-rw-r--r--nixos/services/router/dns-dhcp.nix6
-rw-r--r--nixos/services/router/routing.nix62
-rwxr-xr-xrebuild7
6 files changed, 69 insertions, 63 deletions
diff --git a/.sops.yaml b/.sops.yaml
index 4da25c9..2d54fd2 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -2,23 +2,23 @@ keys:
- &general age1w80rc0dnuu8nw99gw64c596qqetm78jdnsqajr0u7ephykekr39qfz8vnv
- &flex-wg-router age1f0tmpy2nam58skmznjyqd3zf54rxtfrk6fda0vlpq9y3yg6wac7sjf0vja
creation_rules:
- - path_regex: timmy/resources/secrets/hashed-root-password.yaml
+ - path_regex: timmy/resources/secrets/.*\.yaml
key_groups:
- age:
- *general
- *flex-wg-router
- - path_regex: timmy/resources/secrets/wpa_supplicant-conf.yaml
+ - path_regex: T495/resources/secrets/.*\.yaml
key_groups:
- age:
- *general
- - path_regex: T495/resources/secrets/wg0.yaml
+ - path_regex: X230/resources/secrets/.*\.yaml
key_groups:
- age:
- *general
- - path_regex: X230/resources/secrets/wg0.yaml
+ - path_regex: flex-wg-router/resources/secrets/.*\.yaml
key_groups:
- age:
- - *general
+ - *flex-wg-router
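Review bot: The last rule now encrypts `flex-wg-router/resources/secrets/*.yaml` to `*flex-wg-router` only, dropping `*general`, so a workstation that holds only the general key can no longer decrypt or edit those files; if that is intended, say so in a comment next to the rule, otherwise keep both recipients. Changing `creation_rules` does not re-encrypt files that already exist, so every file under the renamed regexes needs `sops updatekeys` after this commit, or it keeps its old recipient set. The new `path_regex` values are unanchored, so `timmy/resources/secrets/.*\.yaml` would also match that subtree under another prefix; `^timmy/resources/secrets/.*\.yaml$` keeps the key grouping deliberate.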
diff --git a/hosts/flex-wg-router/configuration.nix b/hosts/flex-wg-router/configuration.nix
index 6fea096..5777626 100644
--- a/hosts/flex-wg-router/configuration.nix
+++ b/hosts/flex-wg-router/configuration.nix
@@ -6,33 +6,56 @@ in {
# Enable common options
_archetypes = {
- # Use headless profile
profiles.headless = {
enable = true;
home.users.timmy.enable = true;
};
- profiles.router = {
- enable = true;
- home.users.timmy.enable = true;
- };
+ profiles.router.enable = true;
};
networking = {
+ # Label lan and wan interfaces
_interfaceLabels = {
- lan0 = "98:b7:85:22:9b:43"; # internal
- wan0 = "54:ee:75:8c:4b:2d"; # external
+ enable = true;
+ interfaces = {
+ lan0 = "98:b7:85:22:9b:43"; # Internal
+ wan0 = "54:ee:75:8c:4b:2d"; # External
+ };
};
- #useDHCP = false; # TODO Enable when accessible via wireguard
+ # Set ip addresses
interfaces = {
lan0.ipv4.addresses = [{
address = ipAddress;
prefixLength = 24;
}];
wan0.ipv4.addresses = [{
- address = "46.110.173.165"; # Public static ip 4
+ address = "46.110.173.163"; # Reserved static ip for wg-router
prefixLength = 31;
}];
};
+ defaultGateway = {
+ address = "46.110.173.161";
+ interface = "wan0";
+ };
+ nameservers = [ "127.0.0.1" ];
+ # Firewall rules
+ firewall = {
+ interfaces.wan0 = {
+ allowedTCPPorts = [ 22 ];
+ };
+ };
+ #nat.forwardPorts = [
+ # {
+ # sourcePort = 2222;
+ # proto = "tcp";
+ # destination = "10.1.1.1:22";
+ # }
+ # {
+ # sourcePort = 22;
+ # proto = "tcp";
+ # destination = "10.1.1.1:22";
+ # }
+ #];
};
services._router = {
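Review bot: `firewall.interfaces.wan0.allowedTCPPorts = [ 22 ]` exposes sshd on the public address assigned a few lines above, so this host's sshd should be key-only (`services.openssh.settings.PasswordAuthentication = false`); that setting is not in this hunk, so confirm the headless profile provides it or add it here beside the firewall block. The commented-out `nat.forwardPorts` block contains an entry with `sourcePort = 22` forwarding to `10.1.1.1:22`; if it is ever re-enabled as written it would DNAT the router's own SSH port away, so either delete that entry now or keep only the `2222` entry with a comment explaining why. `nameservers = [ "127.0.0.1" ]` presumes the local resolver listens on loopback, which nothing in this file shows; a one-line comment naming the service that answers there would help the next reader.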
@@ -44,8 +67,8 @@ in {
rangeStart = "10.1.1.100";
rangeEnd = "10.1.1.250";
staticLeases = {
- poweredge-pro-idrac = {
- macAddress = "00:11:22:33:44:55";
+ idrac-8HT2W52 = {
+ macAddress = "18:fb:7b:9d:16:b3";
staticIp = "10.1.1.10";
};
};
diff --git a/nixos/services/fileshares.nix b/nixos/services/fileshares.nix
index d6af47b..c99c9f9 100644
--- a/nixos/services/fileshares.nix
+++ b/nixos/services/fileshares.nix
@@ -70,7 +70,7 @@ in {
# TODO configure smb nfs here
};
- config = {
+ config = lib.mkIf cfg.enable {
services.samba = {
enable = true;
openFirewall = true;
diff --git a/nixos/services/router/dns-dhcp.nix b/nixos/services/router/dns-dhcp.nix
index ea8f32e..48e0b8e 100644
--- a/nixos/services/router/dns-dhcp.nix
+++ b/nixos/services/router/dns-dhcp.nix
@@ -165,7 +165,7 @@ in {
mkDHCPRange = ipRangeStart: ipRangeEnd: subnetMask: leaseTime: "${ipRangeStart},${ipRangeEnd},${subnetMask},${leaseTime}";
mkDHCPOption = option: value: "option:${option},${value}";
mkDHCPStaticLease = macAddress: hostname: staticIp: "${macAddress},${hostname},${staticIp},infinite";
- dhcpStaticLeases = builtins.map (l: mkDHCPStaticLease l.macAddress l.hostname l.staticIp) cfg.staticLeases;
+ dhcpStaticLeases = lib.mapAttrsToList (_: l: mkDHCPStaticLease l.macAddress l.hostname l.staticIp) cfg.dhcp.staticLeases;
in {
# General
no-resolv = true; # Do not read /etc/resolv.conf, resolve only the LAN
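Review bot: The new `dhcpStaticLeases` discards the attribute name (`_`) yet still reads `l.hostname`, while the lease defined in hosts/flex-wg-router/configuration.nix in this same commit sets only `macAddress` and `staticIp`; unless the `staticLeases` submodule gives `hostname` a default, evaluation fails on the missing attribute. Using the attribute name as the hostname matches how the leases are now keyed: `dhcpStaticLeases = lib.mapAttrsToList (name: l: mkDHCPStaticLease l.macAddress name l.staticIp) cfg.dhcp.staticLeases;`, or, if `hostname` stays a declared option, give it `default = name` from the submodule's `name` argument. The enclosing `let` begins before this hunk.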
@@ -181,7 +181,7 @@ in {
# DHCP Server
# TODO config
#dhcp-range = mkDHCPRange "192.168.1.50" "192.168.1.150" "255.255.255.0" "12h"; # Enable DHCP on the LAN interface
- dhcp-range = with cfg.dhcp; mkDHCPRange rangeStart rangeEnd subnetMask leaseTime; # Enable DHCP on the LAN interface
+ dhcp-range = with cfg.dhcp; mkDHCPRange rangeStart rangeEnd rangeSubnetMask leaseTime; # Enable DHCP on the LAN interface
dhcp-host = dhcpStaticLeases; # Setup static leases
@@ -189,7 +189,7 @@ in {
(mkDHCPOption "router" defaultGateway) # Set default gateway for clients
#(mkDHCPOption "ntp-server" defaultGateway) # Set ntp server for clients
(mkDHCPOption "dns-server" localhostIp) # Set dns server for clients
- (mkDHCPOption "domain-search" localDomain) # Add search rule to clients so they can resolve hostnames w/o the local domain suffix
+ (mkDHCPOption "domain-search" cfg.localDomain) # Add search rule to clients so they can resolve hostnames w/o the local domain suffix
];
# Logging
diff --git a/nixos/services/router/routing.nix b/nixos/services/router/routing.nix
index c0c49e6..25d91dd 100644
--- a/nixos/services/router/routing.nix
+++ b/nixos/services/router/routing.nix
@@ -9,6 +9,7 @@ in {
default = "";
description = "wan interface";
};
+ # TODO allow multiple lan
lan = lib.mkOption {
type = lib.types.str;
default = "";
@@ -18,51 +19,26 @@ in {
};
config = lib.mkIf cfg.enable {
- networking.nftables = {
- enable = true;
- tables.filter = {
- family = "ip";
- # https://hackers-arise.com/linux-basics-for-hackers-building-a-router-with-nftables/
- content = ''
- chain input {
- type filter hook input priority 0; policy drop;
-
- # Allow established/related connections
- ct state established,related accept
-
- # Allow loopback
- iifname "lo" accept
-
- # Allow LAN to access router
- iifname ${cfg.interfaces.lan} accept
-
- # Allow ICMP from WAN (for ping)
- iifname ${cfg.interfaces.wan} icmp type echo-request accept
-
- # Drop invalid connections
- ct state invalid drop
- }
-
- chain forward {
- type filter hook forward priority 0; policy drop;
-
- # Allow established/related connections
- ct state established,related accept
-
- # Allow LAN to WAN
- iifname ${cfg.interfaces.lan} oifname ${cfg.interfaces.wan} accept
-
- # Drop invalid connections
- ct state invalid drop
- }
-
- chain output {
- type filter hook output priority 0; policy accept;
- }
+ # https://hackers-arise.com/linux-basics-for-hackers-building-a-router-with-nftables/
+ networking = {
+ nftables.enable = true;
+ firewall = {
+ enable = true;
+ backend = "nftables"; # Set explicitly
+
+ # Allow lan to access the router
+ trustedInterfaces = [ cfg.interfaces.lan ];
+
+ # Allow lan to access the internet
+ extraForwardRules = ''
+ iifname "${cfg.interfaces.lan}" oifname "${cfg.interfaces.wan}" accept
'';
};
+ nat = {
+ enable = true;
+ externalInterface = cfg.interfaces.wan;
+ internalInterfaces = [ cfg.interfaces.lan ];
+ };
};
- networking.nat.enable = true;
- networking.firewall.enable = true;
};
}
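Review bot: Both `cfg.interfaces.lan` and `cfg.interfaces.wan` default to `""` (the `lan` default is visible in the first hunk of this file, `wan` just above it), and the new `trustedInterfaces = [ cfg.interfaces.lan ]`, `iifname "${cfg.interfaces.lan}" oifname "${cfg.interfaces.wan}" accept` and the `nat` block consume them unchecked, so an unset interface produces either an nft error at switch or a rule that matches nothing, instead of a clear configuration error. Add an assertion beside `config = lib.mkIf cfg.enable {`: `assertions = [{ assertion = cfg.interfaces.lan != "" && cfg.interfaces.wan != ""; message = "services._router: interfaces.lan and interfaces.wan must be set"; }];`. The removed ruleset accepted `ct state established,related` in the forward chain explicitly, whereas the replacement relies on the NixOS firewall's forward chain to do so, which this hunk cannot show; verify with `nft list ruleset` on the host that return traffic for LAN-to-WAN flows is accepted after the switch.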
diff --git a/rebuild b/rebuild
index 91ea7a1..cb92b80 100755
--- a/rebuild
+++ b/rebuild
@@ -1,2 +1,9 @@
#!/bin/sh
+if [ ! -f ~/.config/sops/age/keys.txt ]; then
+ mkdir -p ~/.config/sops/age
+ echo "---------------------------------------------------------------------------------------------------"
+ echo "| WARNING: Sops key not found. Please generate one from your ssh key using the following command: |"
+ echo "| nix run nixpkgs#ssh-to-age -- -private-key -i ~/.ssh/private > ~/.config/sops/age/keys.txt |"
+ echo "---------------------------------------------------------------------------------------------------"
+fi
nixos-rebuild switch --sudo --flake "$(dirname "$0")/#$(hostname)" $@
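Review bot: `mkdir -p ~/.config/sops/age` creates the directory that is meant to hold a private age key with the default umask; `mkdir -p -m 700 ~/.config/sops/age` keeps it readable only by the owner, and the printed generation command should be prefixed with `umask 077;` so the redirected `keys.txt` is created with the same restriction. The block only warns and then falls through to `nixos-rebuild`; if that is a deliberate soft warning, a comment saying so would help, otherwise an `exit 1` after the banner gives a clearer failure than whatever surfaces later without the key. The unchanged last line passes `$@` unquoted; `"$@"` preserves arguments containing spaces.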