dotfiles/nixos/systems/hela/networking.nix
magic_rb 2bf58cabcf
hela: switch to stable nixpkgs
The really complex nftables rules I have seem not to work, or worse, segfault with nftables 1.09, which is the version in
`nixpkgs-stable`. Therefore we need to pull in 1.10 from `nixpkgs-unstable` for now.

Signed-off-by: magic_rb <magic_rb@redalder.org>
2024-10-02 02:36:47 +02:00


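{
  pkgs,
  config,
  inputs',
  notnft,
  ...
}: {
  # Host-specific networking for "hela". The per-segment configuration
  # (border, hel, dmz) and the access point live in the imported modules;
  # this file holds the interface layout, the root nftables ruleset, its
  # log sink and the DHCP server for the "hel" subnet.
  imports = [
    ./networking/border.nix
    ./networking/hel.nix
    ./networking/dmz.nix
    ./hostapd.nix
  ];

  networking = {
    hostName = "hela";
    # Interfaces are configured by ifstate below, not by DHCP.
    useDHCP = false;
    # The NixOS firewall is replaced by the notnft ruleset below; there is
    # no second line of filtering if that ruleset fails to load.
    firewall.enable = false;
    # interfaces.ppp0.useDHCP = true;
  };

  # systemd.services.dhcpcd = {
  #   bindsTo = ["sys-devices-virtual-net-ppp0.device"];
  #   after = ["sys-devices-virtual-net-ppp0.device"];
  # };

  boot.kernel.sysctl = {
    # Enable forwarding on IPv4 but disable on IPv6
    "net.ipv4.conf.all.forwarding" = true;
    "net.ipv6.conf.all.forwarding" = false;
  };

  services.ifstate = {
    enable = true;
    settings = {
      # Default route goes through the veth into the "hel" network namespace.
      routing.routes = [
        {
          to = "0.0.0.0/0";
          via = "10.1.0.2";
          dev = "hel";
        }
      ];
      interfaces = [
        # Physical ports; the MAC addresses come from the board-specific
        # bananapi.ethaddr options.
        {
          name = "sw";
          link = {
            kind = "physical";
            permaddr = config.bananapi.ethaddr.sw.colon;
            state = "up";
            mtu = 1516;
          };
        }
        {
          name = "sfp0";
          link = {
            kind = "physical";
            permaddr = config.bananapi.ethaddr.sfp0.colon;
            state = "up";
          };
        }
        {
          name = "sfp1";
          link = {
            kind = "physical";
            permaddr = config.bananapi.ethaddr.sfp1.colon;
            state = "up";
          };
        }
        # DSA ports on top of "sw". Their MTU is 4 bytes below the parent's;
        # presumably the switch tag overhead — confirm against the board docs.
        {
          name = "wan";
          link = {
            kind = "dsa";
            address = config.bananapi.ethaddr.wan.colon;
            link = "sw";
            state = "up";
            mtu = 1512;
          };
        }
        {
          name = "slan";
          link = {
            kind = "dsa";
            address = config.bananapi.ethaddr.slan.colon;
            link = "sw";
            state = "up";
            mtu = 1512;
          };
        }
        # veth pair into the "hel" namespace; 10.1.0.1 is this host's end.
        {
          name = "hel";
          link = {
            kind = "veth";
            peer = "hela";
            peer_netns = "hel";
            state = "up";
          };
          addresses = [
            "10.1.0.1/19"
          ];
        }
      ];
    };
  };

  networking.notnft = {
    enable = true;
    # The ruleset below does not load (or crashes nftables) with the package
    # from nixpkgs-stable, so nftables is taken from nixpkgs-unstable for now
    # (see the commit message).
    package = inputs'.nixpkgs-unstable.legacyPackages."aarch64-linux".nftables;
    # Ruleset for the default (root) namespace. Both input and forward default
    # to drop; every packet that reaches the end of those chains is logged to
    # nflog group 2, which services.ulogd below writes to disk.
    namespaces.default.rules =
      # ---
      with notnft.dsl;
      with payload;
      # ---
        ruleset {
          filter = add table {family = f: f.inet;} {
            postrouting = add chain {
              type = f: f.nat;
              hook = f: f.postrouting;
              prio = 100;
              policy = f: f.accept;
            };
            prerouting = add chain {
              type = f: f.nat;
              hook = f: f.prerouting;
              prio = 100;
              policy = f: f.accept;
            };
            input =
              add chain {
                type = f: f.filter;
                hook = f: f.input;
                prio = -300;
                policy = f: f.drop;
              }
              # ICMP from the hel subnet to this host's own address.
              [(is.eq ip.saddr (set [(cidr "10.1.0.0/19")])) (is.eq ip.daddr "10.1.0.1") (is.eq ip.protocol (f: f.icmp)) accept]
              [(is.eq meta.iifname "lo") accept]
              # accept related, established and drop invalid
              [
                (vmap ct.state {
                  established = accept;
                  related = accept;
                  invalid = drop;
                })
              ]
              # SSH to this host's own address. Restricted to TCP so that the
              # transport-header port match is not satisfied by UDP datagrams
              # (or any other protocol) aimed at port 22.
              [
                (is.eq ip.daddr "10.1.0.1")
                (is.eq ip.protocol (f: f.tcp))
                (is.eq th.dport 22)
                accept
              ]
              # Everything else falls through to the chain's drop policy after
              # being logged. NOTE(review): there is no rate limit in front of
              # this rule, so a flood of unsolicited packets is logged one
              # record at a time (and fsynced by ulogd); consider an nftables
              # limit expression here.
              [
                (log {
                  prefix = "[drop] root.input: ";
                  queue-threshold = 1;
                  group = 2;
                })
              ];
            forward =
              add chain {
                type = f: f.filter;
                hook = f: f.forward;
                prio = -300;
                policy = f: f.drop;
              }
              # Nothing is forwarded in this namespace; forwarding between the
              # segments presumably happens in the other namespaces — confirm
              # in the imported modules. Same rate-limit remark as for input.
              [
                (log {
                  prefix = "[drop] root.forward: ";
                  queue-threshold = 1;
                  group = 2;
                })
              ];
            output = add chain {
              type = f: f.filter;
              hook = f: f.output;
              prio = -300;
              policy = f: f.accept;
            };
          };
        };
  };

  # Log sink for nflog group 2 (the drop rules above).
  services.ulogd = {
    enable = true;
    settings = {
      # This one for logging to local file in emulated syslog format.
      global.stack = "log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU";
      log2.group = 2;
      emu1 = {
        file = "/var/log/nft_root_drop.log";
        # Flush after every record; trades throughput for not losing the last
        # entries on a crash.
        sync = 1;
      };
    };
  };

  # sshd and kea bind to addresses that only exist once ifstate has run.
  systemd.services.sshd = {
    after = ["ifstate.service"];
  };
  systemd.services.kea-dhcp4-server = {
    after = ["ifstate.service"];
  };

  # DHCP for the hel subnet, served on the veth only. Leases are handed out
  # from the first /24 of the /19; the gateway is the namespace end of the
  # veth (10.1.0.2), not this host.
  services.kea.dhcp4 = {
    enable = true;
    settings = {
      interfaces-config.interfaces = [
        "hel"
      ];
      subnet4 = [
        {
          pools = [
            {pool = "10.1.0.3 - 10.1.0.254";} # dedicate a /24 to dhcp
          ];
          id = 1;
          subnet = "10.1.0.0/19";
          option-data = [
            {
              name = "routers";
              data = "10.1.0.2";
            }
          ];
        }
      ];
    };
  };
}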