From 3ba8be0f8621b695d9b1cbe432f29512e5ce1fb1 Mon Sep 17 00:00:00 2001
From: Tim Keller
Date: Sat, 13 Jun 2026 14:14:46 -0500
Subject: containerized router and networking services and update poweredge config
---
hosts/poweredge/networking.nix | 174 ++++++++++++++++++++++++-----------------
1 file changed, 101 insertions(+), 73 deletions(-)
(limited to 'hosts/poweredge/networking.nix')
diff --git a/hosts/poweredge/networking.nix b/hosts/poweredge/networking.nix
index 09759ee..9a9273c 100644
--- a/hosts/poweredge/networking.nix
+++ b/hosts/poweredge/networking.nix
@@ -1,90 +1,118 @@ -{ +let + hostIp = "192.168.1.10"; +in { config, ... }: { networking = { - enableIPv6 = false; # Label lan and wan interfaces _interfaceLabels = { enable = true; - interfaces = { - lan0 = "50:9a:4c:5d:c3:7a"; - wan0 = "50:9a:4c:5d:c3:7b"; - }; + interfaces.lan0 = "50:9a:4c:5d:c3:7a"; + interfaces.wan0 = "50:9a:4c:5d:c3:7b"; }; - # Set ip addresses + # Create bridged lan interface for all containers + bridges.br-lan0.interfaces = [ "lan0" ]; + # Disable dhcp on router interfaces interfaces = { - lan0.ipv4.addresses = [{ - address = "192.168.1.1"; - prefixLength = 24; - }]; - wan0.useDHCP = true; + veth-router-lan.useDHCP = false; + vb-router-lan0.useDHCP = false; }; - # Firewall rules - firewall = { - interfaces.wan0 = { - allowedUDPPorts = [ 51820 ]; - }; - interfaces.lan0 = { - allowedTCPPorts = [ 2283 80 ]; # FIXME temp - }; + # Configure network + defaultGateway = "10.255.255.1"; # Read explaination for veth-router-lan below + nameservers = [ "192.168.1.1" ]; # DNS will only be available from this ip address THROUGH the default gateway + # br-lan0 will be the interface used for networking on poweredge host + interfaces.br-lan0.ipv4.addresses = [{ + address = hostIp; + prefixLength = 24; + }]; + }; + + # Wireguard office tunnel secret + sops.secrets.wg0-router.sopsFile = ./resources/secrets/wg0-router.yaml; + + # Router container + containers.router = { + autoStart = true; + ephemeral = true; + privateNetwork = true; + # Pass wan0 directly into container since it isn't needed elsewhere + interfaces = [ "wan0" ]; + # Setup router lan0 + # NOTE: Host/container communication is not possible through a hostBridge interface + extraVeths.vb-router-lan0.hostBridge = "br-lan0"; + # Setup virtual host-router bridge interface. + # This is the default gateway for host/container communication since + # communication isn't possible through hostBridge interfaces. 
+ # This is essentially equivalent to connecting the host to the + # container with a virtual ethernet cable on a separate interface. + extraVeths.veth-router-lan = { + hostAddress = "10.255.255.2"; + localAddress = "10.255.255.1"; }; - # Additional advanced rules - # TODO add multi NAT feature to router service - nftables = { - enable = true; - tables = { - # NAT/masquerade wg1 allowing lan0 clients to access wg1 - wg-nat = { - family = "ip"; - content = '' - chain post { - type nat hook postrouting priority srcnat; policy accept; - iifname "lan0" oifname "wg1" masquerade comment "lan0 => wg1" - } - ''; - }; - }; + # Bind wg0-router secret to container + bindMounts."/run/secrets/wg0" = { + hostPath = config.sops.secrets.wg0-router.path; + isReadOnly = true; }; - }; - services._router = { - dnsDhcpConfig = { - localDomain = "home.lan"; - dhcp = { - defaultGateway = "192.168.1.1"; - localhostIp = "192.168.1.1"; - rangeStart = "192.168.1.50"; - rangeEnd = "192.168.1.250"; - # TODO think about moving leases to another file - staticLeases = { - idrac-7N94GK2 = { - macAddress = "50:9a:4c:5d:c3:7c"; - staticIp = "192.168.1.2"; - }; - OpenWrt-Attic = { - macAddress = "34:98:b5:60:5e:be"; - staticIp = "192.168.1.3"; - }; - OpenWrt-Basement = { - macAddress = "8c:3b:ad:35:c7:8c"; - staticIp = "192.168.1.4"; - }; - ArcherC54 = { - macAddress = "12:eb:b6:13:f9:e2"; - staticIp = "192.168.1.5"; - }; - T495 = { - macAddress = "04:33:c2:9d:34:74"; - staticIp = "192.168.1.11"; - }; - optiplex = { - macAddress = "e4:54:e8:bc:ba:05"; - staticIp = "192.168.1.12"; + config = { lib, config, ... 
}: { + imports = [ + ../../nixos/services/router + ./router-hosts.nix # Contains dhcp config + static leases + overrides + ]; + + networking = { + # Set ip addresses + enableIPv6 = false; + interfaces = { + vb-router-lan0.ipv4.addresses = [{ + address = "192.168.1.1"; + prefixLength = 24; + }]; + wan0.useDHCP = true; + }; + # Setup wireguard + wg-quick.interfaces = { + wg0.configFile = "/run/secrets/wg0"; + }; + # Firewall (port-forwarding) rules + firewall = { + #interfaces.wan0 = { + # allowedTCPPorts = [ 8333 ]; # bitcoin + # allowedUDPPorts = [ 51820 ]; # wg + #}; + }; + # Additional advanced rules + # TODO add multi NAT feature to router service (this is just a normal nat rule) + nftables = { + enable = true; + tables = { + # NAT/masquerade wg0 allowing vb-router-lan0 clients to access wg0 + wg-nat = { + family = "ip"; + content = '' + chain post { + type nat hook postrouting priority srcnat; policy accept; + iifname "vb-router-lan0" oifname "wg0" masquerade comment "vb-router-lan0 => wg0" + } + ''; + }; }; - X230 = { - macAddress = "84:3a:4b:60:34:c4"; - staticIp = "192.168.1.13"; + }; + }; + + # Setup router + services._router = { + dnsDhcpConfig.enable = true; + routing = { + enable = true; + interfaces = { + lan = [ "vb-router-lan0" "veth-router-lan" ]; + wan = "wan0"; }; }; }; + + system.stateVersion = "25.11"; }; }; + } -- cgit v1.2.3
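Review bot: The masquerade rule in the router container's `wg-nat` table only matches `iifname "vb-router-lan0"`, yet `services._router.routing.interfaces.lan` now also lists `veth-router-lan`, so anything the host sends toward the office tunnel via its 10.255.255.1 default gateway is forwarded onto wg0 unmasqueraded with a 10.255.255.2 source, which the remote peer will presumably drop unless that prefix is in its AllowedIPs. If the host is meant to reach the tunnel, match both LAN interfaces: `iifname { "vb-router-lan0", "veth-router-lan" } oifname "wg0" masquerade comment "lan => wg0"`; if it is not, a comment stating that the host is deliberately excluded would save the next reader the same question. Two smaller points in the same hunk: the container's `firewall` block is now an empty commented-out skeleton, which (with the NixOS firewall enabled by default) drops the UDP/51820 allowance the old wan0 config had — fine if wg0 only dials out, but worth a `# wg0 initiates outbound; no inbound ports needed on wan0` comment once that is confirmed against the secret config. Also `enableIPv6 = false` was removed on the host side but kept in the container, so br-lan0 will now autoconfigure IPv6 that the router never forwards; say whether that is intended.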