Personal Nix setup


Fix network setup

+46 -44
+11
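--- a/machines/ramune/configuration.nix
+++ b/machines/ramune/configuration.nix
@@ -25,6 +25,17 @@
 cidr = "10.0.0.1/24";
 };
 };
+dnsmasq.leases = [
+{ macAddress = "98:ed:7e:c6:57:b2"; ipAddress = "10.0.0.102"; } # eero router
+{ macAddress = "c4:f1:74:51:4c:f2"; ipAddress = "10.0.0.124"; } # eero router
+{ macAddress = "5c:61:99:7a:16:40"; ipAddress = "10.0.0.103"; } # brother printer
+{ macAddress = "24:e8:53:95:e4:02"; ipAddress = "10.0.0.96"; } # tv
+{ macAddress = "34:7e:5c:31:4f:fa"; ipAddress = "10.0.0.56"; } # sonos
+{ macAddress = "e8:9c:25:6c:40:6f"; ipAddress = "10.0.0.150"; } # pepper-pc
+];
+nftables.blockForward = [
+"ec:e5:12:1d:23:40" # tado
+];
 };
 server = {
 enable = true;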
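Review bot: The `nftables.blockForward` entry is annotated only with `# tado`, so the file does not record why this device is denied forwarding or what the block is expected to cover. The rule generated from this list in modules/router/nftables.nix matches on the Ethernet source address and on traffic leaving the internal interface, so it holds only while the device keeps this MAC and does not restrict what the device can reach on the router itself. A comment such as `# tado: keep LAN-only; drop anything forwarded off the internal interface (matched by source MAC)` would make that scope explicit for the next person editing the list.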
+1 -4
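--- a/modules/router/kernel.nix
+++ b/modules/router/kernel.nix
@@ -13,10 +13,7 @@
 };
 
 config = mkIf cfg.enable {
-boot.initrd.systemd = {
-enable = true;
-network.enable = true;
-};
+boot.initrd.systemd.enable = mkDefault true;
 
 boot.kernel.sysctl = mkIf cfg.tweakKernel {
 "net.core.somaxconn" = 4096;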
+28 -22
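--- a/modules/router/network.nix
+++ b/modules/router/network.nix
@@ -26,6 +26,27 @@
 
 extern = cfg.interfaces.external;
 intern = cfg.interfaces.internal;
+
+links = {
+"10-${extern.name}" = {
+matchConfig.PermanentMACAddress = extern.macAddress;
+linkConfig = {
+Description = "External Network Interface";
+Name = extern.name;
+# MACAddress = "64:20:9f:16:70:a6";
+MTUBytes = "1500";
+};
+};
+} // (optionalAttrs (intern != null) {
+"11-${intern.name}" = {
+matchConfig.PermanentMACAddress = intern.macAddress;
+linkConfig = {
+Description = "Internal Network Interface";
+Name = intern.name;
+MTUBytes = "1500";
+};
+};
+});
 in {
 options.modules.router = {
 address = mkOption {
@@ -55,29 +76,14 @@
 trustedInterfaces = [ "lo" intern.name ];
 };
 
-systemd.network = {
+boot.initrd.systemd.network = {
 enable = true;
+inherit links;
+};
 
-links = {
-"10-${extern.name}" = {
-matchConfig.PermanentMACAddress = extern.macAddress;
-linkConfig = {
-Description = "External Network Interface";
-Name = extern.name;
-# MACAddress = "64:20:9f:16:70:a6";
-MTUBytes = "1500";
-};
-};
-} // (optionalAttrs (intern != null) {
-"11-${intern.name}" = {
-matchConfig.PermanentMACAddress = intern.macAddress;
-linkConfig = {
-Description = "Internal Network Interface";
-Name = intern.name;
-MTUBytes = "1500";
-};
-};
-});
+systemd.network = {
+inherit links;
+enable = true;
 
 networks = {
 "10-${extern.name}" = {
@@ -98,7 +104,7 @@
 "11-${intern.name}" = {
 name = intern.name;
 networkConfig = {
 -Address = cfg.address;
 +Address = intern.cidr;
 DHCPServer = false;
 IPv4Forwarding = true;
 IPv6Forwarding = true;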
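Review bot: In the last hunk the internal network's `Address` now comes from `intern.cidr`, yet `options.modules.router.address` is still declared (new line 52), so a host that sets `address` no longer changes the router's LAN address as far as these hunks show. If nothing outside the visible hunks still reads `cfg.address`, either remove the option or state in its `description` that the LAN address is taken from `interfaces.internal.cidr`; otherwise firewall or DHCP settings derived from one value can drift from the address actually configured from the other. The new `boot.initrd.systemd.network` block would also benefit from a comment, for example `# same .link files in initrd so interfaces get their final names before stage 2`, assuming that is the intent. The `networks` attribute set and the option declarations continue outside the hunks.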
+6 -18
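--- a/modules/router/nftables.nix
+++ b/modules/router/nftables.nix
@@ -17,7 +17,7 @@
 blockForwardRules =
 if intern != null then
 strings.concatStringsSep "\n"
-(builtins.map (mac: " iifname ${intern0} oifname != ${intern0} ether saddr = ${mac} drop") cfg.nftables.blockForward)
+(builtins.map (mac: " iifname ${intern.name} oifname != ${intern.name} ether saddr == ${mac} drop") cfg.nftables.blockForward)
 else "";
 in {
 options.modules.router = {
@@ -124,23 +124,11 @@
 
 tables.tagging = {
 family = "netdev";
-content = let
-internChain = if intern != null then ''
-chain lan {
-type filter hook ingress device ${intern.name} priority -150; policy accept;
-jump tags
-}
-'' else "";
-
-externChain = ''
-chain wan {
-type filter hook ingress device ${extern.name} priority -149; policy accept;
-jump tags
-}
-'';
-in ''
-${internChain}
-${externChain}
+content = ''
+chain lan {
+type filter hook ingress priority -150; policy accept;
+jump tags
+}
 
 chain tags {
 ip dscp set cs0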
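Review bot: The rewritten `chain lan` in the `tagging` table declares a netdev ingress hook with no `device`, and the separate `chain wan` is gone. A netdev base chain is bound to interfaces by name, so depending on the nftables and kernel version this either fails to load or creates a chain attached to no interface. Either way the `tags` rules (`ip dscp set cs0`) would stop applying, including to packets arriving on the external interface, whose DSCP markings were previously reset. If the aim was to merge the two chains, name both interfaces explicitly, e.g. `type filter hook ingress devices = { ${intern.name}, ${extern.name} } priority -150; policy accept;`, keeping the `intern != null` guard that the removed code had. The `tags` chain continues outside the hunk, so confirm the loaded ruleset with `nft list table netdev tagging` on the target host.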