

Consolidate network configuration

+103 -32
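--- a/modules/router/default.nix
+++ b/modules/router/default.nix
@@ -1,9 +1,6 @@
-{ lib, config, helpers, ... }:
+{ lib, helpers, ... }:
 
-with lib;
-let
-  cfg = config.modules.router;
-in {
+with lib; {
   options.modules.router = {
     enable = mkOption {
       default = false;
@@ -11,17 +8,6 @@
       description = "Whether to enable Router options.";
       type = types.bool;
     };
-
-    interfaces = {
-      external = mkOption {
-        default = "extern0";
-        type = types.str;
-      };
-      internal = mkOption {
-        default = "intern0";
-        type = types.str;
-      };
-    };
   };
 
   config.modules.router = {
@@ -29,6 +15,7 @@
   };
 } // helpers.linuxAttrs {
   imports = [
+    ./network.nix
     ./timeserver.nix
     ./dnsOverTLS.nix
     ./dnsmasq.nix
@@ -37,10 +24,4 @@
     ./mdns.nix
     ./kernel.nix
   ];
-
-  config = mkIf cfg.enable {
-    networking.firewall.trustedInterfaces = [
-      cfg.interfaces.internal
-    ];
-  };
 }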
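Review bot: The `interfaces` option removed in the second hunk carried defaults ("extern0"/"intern0"), and nothing in this file says where the option now lives or that it has become mandatory; the new declaration is in ./network.nix, which is only pulled in through `helpers.linuxAttrs`. A one-line comment next to the new import would save the next reader a search, e.g. `./network.nix  # declares modules.router.interfaces (name + macAddress, no defaults) and the systemd-networkd setup`. Whether `helpers.linuxAttrs` drops these imports on non-Linux hosts cannot be seen from this hunk.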
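--- a/modules/router/mdns.nix
+++ b/modules/router/mdns.nix
@@ -15,8 +15,8 @@
   config = mkIf cfg.mdns.enable {
     services.avahi = {
       enable = true;
-      allowInterfaces = [ cfg.interfaces.internal ];
-      denyInterfaces = [ cfg.interfaces.external ];
+      allowInterfaces = [ cfg.interfaces.internal.name ];
+      denyInterfaces = [ cfg.interfaces.external.name ];
     };
   };
 }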
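--- /dev/null
+++ b/modules/router/network.nix
@@ -0,0 +1,84 @@
+{ lib, config, ... }:
+
+with lib;
+let
+  cfg = config.modules.router;
+
+  interfaceType = types.submodule {
+    options = {
+      name = mkOption {
+        type = types.str;
+        example = "eth0";
+      };
+      macAddress = mkOption {
+        type = types.str;
+        example = "00:00:00:00:00:00";
+      };
+    };
+  };
+
+  extern0 = cfg.interfaces.external.name;
+  extern0MAC = cfg.interfaces.external.macAddress;
+  intern0 = cfg.interfaces.internal.name;
+  intern0MAC = cfg.interfaces.internal.macAddress;
+in {
+  options.modules.router = {
+    interfaces = {
+      external = interfaceType;
+      internal = interfaceType;
+    };
+  };
+
+  config = mkIf cfg.enable {
+    services.irqbalance.enable = true;
+
+    networking.firewall.trustedInterfaces = [ "lo" intern0 ];
+
+    systemd.network = {
+      enable = true;
+
+      links."10-${extern0}" = {
+        matchConfig.PermanentMACAddress = extern0MAC;
+        linkConfig = {
+          Description = "External Network Interface";
+          Name = extern0;
+          # MACAddress = "64:20:9f:16:70:a6";
+          MTUBytes = "1500";
+        };
+      };
+
+      links."11-${intern0}" = {
+        matchConfig.PermanentMACAddress = intern0MAC;
+        linkConfig = {
+          Description = "Internal Network Interface";
+          Name = intern0;
+          MTUBytes = "1500";
+        };
+      };
+
+      networks."10-${extern0}" = {
+        name = extern0;
+        networkConfig = {
+          DHCP = "ipv4";
+          DNS = if cfg.dnsmasq.enable then "127.0.0.1" else "1.1.1.1";
+          IPForward = true;
+        };
+        dhcpV4Config = {
+          UseDNS = false;
+          UseDomains = false;
+          UseNTP = !cfg.timeserver.enable;
+        };
+      };
+
+      networks."11-${intern0}" = {
+        name = intern0;
+        networkConfig = {
+          Address = "10.0.0.1/24";
+          DHCPServer = false;
+          IPForward = true;
+          ConfigureWithoutCarrier = true;
+        };
+      };
+    };
+  };
+}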
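Review bot: Lines 27–28 assign the submodule type itself to `interfaces.external`/`interfaces.internal` instead of declaring an option of that type; the module system expects option declarations under `options`, so evaluation will most likely fail with an "is not an option" style error as soon as the router module is enabled. The declarations should read `external = mkOption { type = interfaceType; description = "Upstream-facing interface (name and permanent MAC)."; };` and `internal = mkOption { type = interfaceType; description = "LAN-facing interface (name and permanent MAC)."; };`. Separately, the commented-out `MACAddress` literal on line 45 is a real-looking hardware address that is now redundant with the `macAddress` option matched on line 41; drop it rather than keep the identifier in the repository.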
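--- a/modules/router/nftables.nix
+++ b/modules/router/nftables.nix
@@ -4,6 +4,9 @@
 let
   cfg = config.modules.router;
 
+  intern0 = cfg.interfaces.internal.name;
+  extern0 = cfg.interfaces.external.name;
+
   trustedInterfaces =
     strings.concatMapStringsSep ", " strings.escapeNixIdentifier config.networking.firewall.trustedInterfaces;
 
@@ -13,7 +16,7 @@
 
   blockForwardRules =
     string.concatMapStringsSep "\n"
-      (builtins.map (mac: " iifname ${cfg.interfaces.internal} oifname != ${cfg.interfaces.internal} ether saddr = ${mac} drop"));
+      (builtins.map (mac: " iifname ${intern0} oifname != ${intern0} ether saddr = ${mac} drop"));
 in {
   options.modules.router = {
     nftables = {
@@ -121,12 +124,12 @@
           family = "netdev";
           content = ''
             chain lan {
-              type filter hook ingress device ${cfg.interfaces.internal} priority -150; policy accept;
+              type filter hook ingress device ${intern0} priority -150; policy accept;
               jump tags
             }
 
             chain wan {
-              type filter hook ingress device ${cfg.interfaces.external} priority -149; policy accept;
+              type filter hook ingress device ${extern0} priority -149; policy accept;
               jump tags
             }
 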
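Review bot: The rewritten line 19 keeps passing a partially applied `builtins.map (mac: …)` as the mapping function of `concatMapStringsSep`, which already maps over its list argument; as written, `blockForwardRules` is either a function still waiting for a list or will fail when `concatStringsSep` meets a list of lists, and the context line 18 above it spells the namespace `string.` where lib provides `lib.strings`. If the MAC list is supplied where `blockForwardRules` is used (outside this hunk), the fix is `strings.concatMapStringsSep "\n" (mac: " iifname ${intern0} oifname != ${intern0} ether saddr = ${mac} drop")`. The same shape appears in the new `listenInterfaces` binding in modules/router/timeserver.nix (lines 7–9 there), where it is interpolated directly into a string and so cannot work. The enclosing `let` block starts before this hunk.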
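--- a/modules/router/timeserver.nix
+++ b/modules/router/timeserver.nix
@@ -4,10 +4,13 @@
 let
   cfg = config.modules.router;
 
+  listenInterfaces =
+    strings.concatMapStringsSep "\n"
+      (builtins.map (ifname: "interface listen ${ifname}") config.networking.firewall.trustedInterfaces);
+
   ntpExtraConfig = ''
-    interface listen lo
-    interface listen ${cfg.interfaces.internal}
-    interface ignore ${cfg.interfaces.external}
+    ${listenInterfaces}
+    interface ignore ${cfg.interfaces.external.name}
   '';
 in {
   options.modules.router = {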
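Review bot: The NTP listen list on line 12 is now derived from `networking.firewall.trustedInterfaces`, so the explicit `interface listen lo` that was removed survives only because network.nix adds `"lo"` to that list under `cfg.enable`, and any interface another module marks as firewall-trusted will also become an NTP listener. That coupling deserves a comment above line 7, e.g. `# NTP listens on every firewall-trusted interface (network.nix adds "lo" and the internal interface); widening trustedInterfaces widens the NTP exposure too.`. The `ntpExtraConfig` string itself continues past this hunk.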
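--- a/modules/router/upnp.nix
+++ b/modules/router/upnp.nix
@@ -19,8 +19,8 @@
       enable = true;
       upnp = true;
       natpmp = true;
-      internalIPs = [ cfg.interfaces.internal ];
-      externalInterface = cfg.interfaces.external;
+      internalIPs = [ cfg.interfaces.internal.name ];
+      externalInterface = cfg.interfaces.external.name;
       appendConfig = ''
         secure_mode=yes
         notify_interval=60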