dotfiles/nixos/systems/hela/networking.nix
magic_rb 5ce21d6a77
hela: shift around things, put server behind hela direct
Signed-off-by: magic_rb <magic_rb@redalder.org>
2024-10-22 23:58:25 +02:00


{
pkgs,
config,
inputs',
notnft,
...
}: {
imports = [
  # Per-segment networking split out of this file. The `hel` namespace that
  # the veth below peers into, and the 10.1.0.2 next hop, are presumably set
  # up in hel.nix / border.nix — TODO confirm.
  ./networking/border.nix
  ./networking/hel.nix
  ./patches.nix
  ./networking/dmz.nix
  ./hostapd.nix
];
networking = {
  hostName = "hela";
  # Addresses and routes are pushed by ifstate (services.ifstate below),
  # so no interface is configured through DHCP.
  useDHCP = false;
  # The stock NixOS firewall is replaced by the notnft ruleset further down;
  # keep it disabled so two rulesets do not compete on the same hooks.
  firewall.enable = false;
  # interfaces.ppp0.useDHCP = true;
};
# systemd.services.dhcpcd = {
# bindsTo = ["sys-devices-virtual-net-ppp0.device"];
# after = ["sys-devices-virtual-net-ppp0.device"];
# };
boot.kernel.sysctl = {
  # Enable forwarding on IPv4 but disable on IPv6
  # With forwarding on, transit traffic through this namespace is gated
  # only by the nftables forward chain below (policy drop).
  "net.ipv4.conf.all.forwarding" = true;
  "net.ipv6.conf.all.forwarding" = false;
};
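services.ifstate = {
  enable = true;
  settings = {
    # Interfaces ifstate must leave alone: the kernel's default tunnel
    # devices and the PPP links (presumably brought up by pppd — TODO confirm).
    # The alternation is anchored as a whole: the previous "^sit0|ip6tnl0$"
    # parsed as (^sit0)|(ip6tnl0$) and would also have matched e.g. "sit01".
    ignore.ifname = [
      "^(sit0|ip6tnl0)$"
      "^ppp-(wan|slan)$"
    ];
    # Everything from this namespace leaves through the veth into the `hel`
    # namespace; 10.1.0.2 is presumably the `hela` peer end there — TODO
    # confirm in hel.nix. The physical uplinks carry no address here.
    routing.routes = [
      {
        to = "0.0.0.0/0";
        via = "10.1.0.2";
        dev = "hel";
      }
    ];
    interfaces = [
      # Switch-facing port; the DSA ports wan/slan below hang off it.
      # MAC addresses and MTUs come from the board-specific options.
      {
        name = "sw";
        link = {
          kind = "physical";
          permaddr = config.bananapi.ethaddr.sw.colon;
          state = "up";
          mtu = config.bananapi.mtu.sw;
        };
      }
      {
        name = "sfp0";
        link = {
          kind = "physical";
          permaddr = config.bananapi.ethaddr.sfp0.colon;
          state = "up";
        };
      }
      {
        name = "sfp1";
        link = {
          kind = "physical";
          permaddr = config.bananapi.ethaddr.sfp1.colon;
          state = "up";
        };
      }
      # DSA user ports on top of `sw`.
      {
        name = "wan";
        link = {
          kind = "dsa";
          address = config.bananapi.ethaddr.wan.colon;
          link = "sw";
          state = "up";
          mtu = config.bananapi.mtu.wan;
        };
      }
      {
        name = "slan";
        link = {
          kind = "dsa";
          address = config.bananapi.ethaddr.slan.colon;
          link = "sw";
          state = "up";
          mtu = config.bananapi.mtu.slan;
        };
      }
      # veth pair into the `hel` netns. This end holds the only address the
      # host has in its default namespace, which is also what the nftables
      # input chain below keys on.
      {
        name = "hel";
        link = {
          kind = "veth";
          peer = "hela";
          peer_netns = "hel";
          state = "up";
        };
        addresses = [
          "10.1.0.1/19"
        ];
      }
    ];
  };
};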
networking.notnft = {
  enable = true;
  # nftables comes from the nixpkgs-unstable flake input rather than the
  # system nixpkgs; it is pinned through the flake lock like any other input.
  package = inputs'.nixpkgs-unstable.legacyPackages."aarch64-linux".nftables;
};
networking.notnft.namespaces.default.rules =
  # Ruleset for hela's own (default) network namespace only. The other
  # namespaces (hel, dmz) presumably carry their own rulesets in the
  # imported networking/*.nix files — TODO confirm.
  # ---
  with notnft.dsl;
  with payload;
  # ---
  ruleset {
    filter = add table {family = f: f.inet;} {
      # NAT chains are registered but hold no rules in this namespace.
      postrouting = add chain {
        type = f: f.nat;
        hook = f: f.postrouting;
        prio = 100;
        policy = f: f.accept;
      };
      prerouting = add chain {
        type = f: f.nat;
        hook = f: f.prerouting;
        prio = 100;
        policy = f: f.accept;
      };
      # Host-bound traffic: default drop, only what is listed is accepted.
      input =
        add chain {
          type = f: f.filter;
          hook = f: f.input;
          prio = -300;
          policy = f: f.drop;
        }
        # IPv4 ICMP from the LAN /19 to this host's own veth address.
        # NOTE(review): this is IPv4 only; in an inet table with a drop
        # policy nothing here accepts ICMPv6, so NDP/ping6 towards this
        # namespace is dropped — presumably intended since IPv6 forwarding
        # is off, but worth confirming if IPv6 is ever enabled.
        [(is.eq ip.saddr (set [(cidr "10.1.0.0/19")])) (is.eq ip.daddr "10.1.0.1") (is.eq ip.protocol (f: f.icmp)) accept]
        [(is.eq meta.iifname "lo") accept]
        # accept related, established and drop invalid
        [
          (vmap ct.state {
            established = accept;
            related = accept;
            invalid = drop;
          })
        ]
        # SSH to the host's veth address; reached only via the `hel` side.
        # NOTE(review): `th.dport` matches the generic transport header
        # (tcp, udp, sctp, ...) and no source address is required; a
        # `tcp.dport` match would narrow this to TCP — confirm against the
        # notnft DSL before changing.
        [
          (is.eq ip.daddr "10.1.0.1")
          (is.eq th.dport 22)
          accept
        ]
        # Everything else: log to nflog group 2 (consumed by ulogd below),
        # then fall through to the chain's drop policy.
        [
          (log {
            prefix = "[drop] root.input: ";
            queue-threshold = 1;
            group = 2;
          })
        ];
      # Transit traffic: nothing is forwarded in this namespace; every packet
      # reaching this chain is logged and dropped by policy.
      forward =
        add chain {
          type = f: f.filter;
          hook = f: f.forward;
          prio = -300;
          policy = f: f.drop;
        }
        [
          (log {
            prefix = "[drop] root.forward: ";
            queue-threshold = 1;
            group = 2;
          })
        ];
      # Locally generated traffic is unrestricted.
      output = add chain {
        type = f: f.filter;
        hook = f: f.output;
        prio = -300;
        policy = f: f.accept;
      };
    };
  };
services.ulogd.enable = true;
services.ulogd.settings = {
  # This one for logging to local file in emulated syslog format.
  global = {
    stack = "log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU";
  };
  # nflog group 2 is the group the nftables `log` statements above send to.
  log2 = {group = 2;};
  emu1 = {
    # Drop log for the default namespace's input/forward chains.
    file = "/var/log/nft_root_drop.log";
    # presumably flushes after every record — verify against ulogd docs
    sync = 1;
  };
};
systemd.services = {
  # Both services presumably need the `hel` veth address that ifstate
  # creates; this is ordering only (after, not requires/wants), so a
  # failing ifstate does not stop them from starting.
  sshd.after = ["ifstate.service"];
  kea-dhcp4-server.after = ["ifstate.service"];
};
services.kea.dhcp4.enable = true;
services.kea.dhcp4.settings = {
  # Serve only on the veth into the `hel` namespace.
  interfaces-config.interfaces = ["hel"];
  # Reservations are honoured only outside the dynamic pool (the 10.1.31.x
  # hosts below). NOTE(review): newer Kea releases deprecate
  # `reservation-mode` in favour of the per-subnet `reservations-*` flags;
  # check the logs of the version in use for a deprecation warning.
  reservation-mode = "out-of-pool";
  subnet4 = [
    {
      id = 1;
      subnet = "10.1.0.0/19";
      # Dynamic leases stay inside the first /24 of the /19.
      pools = [
        {pool = "10.1.0.3 - 10.1.0.254";}
      ];
      option-data = [
        # Public resolvers handed to clients (plain DNS).
        {
          name = "domain-name-servers";
          code = 6;
          space = "dhcp4";
          csv-format = true;
          data = "8.8.8.8, 8.8.4.4";
        }
        # Default gateway for clients is the `hel` side, not this host.
        {
          name = "routers";
          data = "10.1.0.2";
        }
      ];
      # Fixed addresses for known hosts, all outside the pool above.
      reservations = [
        {
          hw-address = "00:25:90:85:56:3e";
          ip-address = "10.1.31.1";
          hostname = "blowhole.hosts.in.redalder.org";
        }
        {
          hw-address = "b8:27:eb:ef:f4:c3";
          ip-address = "10.1.31.2";
          hostname = "gooseberry.hosts.in.redalder.org";
        }
      ];
    }
  ];
};
# Stub resolver for the host itself; upstreams are the same public pair
# that DHCP clients receive above (plain DNS).
services.resolved.enable = true;
networking.nameservers = ["8.8.8.8" "8.8.4.4"];
}