{ pkgs, config, inputs', notnft, ... }: { imports = [ ./networking/border.nix ./networking/hel.nix ./patches.nix ./networking/dmz.nix ./hostapd.nix ]; networking.hostName = "hela"; networking = { useDHCP = false; firewall.enable = false; # interfaces.ppp0.useDHCP = true; }; # systemd.services.dhcpcd = { # bindsTo = ["sys-devices-virtual-net-ppp0.device"]; # after = ["sys-devices-virtual-net-ppp0.device"]; # }; boot.kernel.sysctl = { # Enable forwarding on IPv4 but disable on IPv6 "net.ipv4.conf.all.forwarding" = true; "net.ipv6.conf.all.forwarding" = false; }; services.ifstate = { enable = true; settings = { ignore.ifname = [ "^sit0|ip6tnl0$" "^ppp-(wan|slan)$" ]; routing.routes = [ { to = "0.0.0.0/0"; via = "10.1.0.2"; dev = "hel"; } ]; interfaces = [ { name = "sw"; link = { kind = "physical"; permaddr = config.bananapi.ethaddr.sw.colon; state = "up"; mtu = config.bananapi.mtu.sw; }; } { name = "sfp0"; link = { kind = "physical"; permaddr = config.bananapi.ethaddr.sfp0.colon; state = "up"; }; } { name = "sfp1"; link = { kind = "physical"; permaddr = config.bananapi.ethaddr.sfp1.colon; state = "up"; }; } { name = "wan"; link = { kind = "dsa"; address = config.bananapi.ethaddr.wan.colon; link = "sw"; state = "up"; mtu = config.bananapi.mtu.wan; }; } { name = "slan"; link = { kind = "dsa"; address = config.bananapi.ethaddr.slan.colon; link = "sw"; state = "up"; mtu = config.bananapi.mtu.slan; }; } { name = "hel"; link = { kind = "veth"; peer = "hela"; peer_netns = "hel"; state = "up"; }; addresses = [ "10.1.0.1/19" ]; } ]; }; }; networking.notnft.enable = true; networking.notnft.package = inputs'.nixpkgs-unstable.legacyPackages."aarch64-linux".nftables; networking.notnft.namespaces.default.rules = # --- with notnft.dsl; with payload; # --- ruleset { filter = add table {family = f: f.inet;} { postrouting = add chain { type = f: f.nat; hook = f: f.postrouting; prio = 100; policy = f: f.accept; }; prerouting = add chain { type = f: f.nat; hook = f: f.prerouting; prio = 100; policy = f: f.accept; }; input = add chain { type = f: f.filter; hook = f: f.input; prio = -300; policy = f: f.drop; } [(is.eq ip.saddr (set [(cidr "10.1.0.0/19")])) (is.eq ip.daddr "10.1.0.1") (is.eq ip.protocol (f: f.icmp)) accept] [(is.eq meta.iifname "lo") accept] # accept related, established and drop invalid [ (vmap ct.state { established = accept; related = accept; invalid = drop; }) ] [ (is.eq ip.daddr "10.1.0.1") (is.eq th.dport 22) accept ] [ (log { prefix = "[drop] root.input: "; queue-threshold = 1; group = 2; }) ]; forward = add chain { type = f: f.filter; hook = f: f.forward; prio = -300; policy = f: f.drop; } [ (log { prefix = "[drop] root.forward: "; queue-threshold = 1; group = 2; }) ]; output = add chain { type = f: f.filter; hook = f: f.output; prio = -300; policy = f: f.accept; }; }; }; services.ulogd = { enable = true; settings = { # This one for logging to local file in emulated syslog format. global.stack = "log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU"; log2.group = 2; emu1 = { file = "/var/log/nft_root_drop.log"; sync = 1; }; }; }; systemd.services.sshd = { after = ["ifstate.service"]; }; systemd.services.kea-dhcp4-server = { after = ["ifstate.service"]; }; services.kea.dhcp4 = { enable = true; settings = { interfaces-config.interfaces = [ "hel" ]; reservation-mode = "out-of-pool"; subnet4 = [ { pools = [ {pool = "10.1.0.3 - 10.1.0.254";} # dedicate a /24 to dhcp ]; id = 1; subnet = "10.1.0.0/19"; option-data = [ { name = "domain-name-servers"; code = 6; space = "dhcp4"; csv-format = true; data = "8.8.8.8, 8.8.4.4"; } { name = "routers"; data = "10.1.0.2"; } ]; reservations = [ { hw-address = "00:25:90:85:56:3e"; ip-address = "10.1.31.1"; hostname = "blowhole.hosts.in.redalder.org"; } { hw-address = "b8:27:eb:ef:f4:c3"; ip-address = "10.1.31.2"; hostname = "gooseberry.hosts.in.redalder.org"; } ]; } ]; }; }; services.resolved.enable = true; networking.nameservers = [ "8.8.8.8" "8.8.4.4" ]; }