2024-08-27 00:13:25 +02:00
|
|
|
|
# SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de>
|
2024-01-06 01:19:35 +01:00
|
|
|
|
#
|
|
|
|
|
# SPDX-License-Identifier: AGPL-3.0-or-later
|
|
|
|
|
|
2023-09-24 14:41:22 +02:00
|
|
|
|
# Home network configuration
|
2023-10-18 20:12:41 +02:00
|
|
|
|
#
|
|
|
|
|
# +----------+ +------------+
|
|
|
|
|
# | | | | (clients)# (guests)
|
|
|
|
|
# | | | +--|--|--|--|-#+-|--|--|-|-unused|
|
|
|
|
|
# +---+----+ +-+-+-+-+-+ | 01 02 …… 12 # 13 …… 24 | 25 26 |
|
|
|
|
|
# |upstream| | 1 2 3 4 | | aruba Instant On 1830 | (SFP) |
|
|
|
|
|
# +--------+ | shinobu | +------------------------+-------+
|
2023-09-24 14:41:22 +02:00
|
|
|
|
# +---------+
|
|
|
|
|
#
|
|
|
|
|
# It consists of shinobu as a router (this configuration),
|
2023-10-18 20:12:41 +02:00
|
|
|
|
# connected to a aruba (HPE) Instant ON 1830 24-port 1GbE switch.
|
2023-09-24 14:41:22 +02:00
|
|
|
|
# The upstream comes (for now) from a PŸUR “WLAN-Kabelbox” (Compal CH7467CE).
|
2023-09-26 15:38:02 +02:00
|
|
|
|
# Sadly, I could not enable bridge mode on it, so the packets now go through (at least) three layers of NAT:
|
|
|
|
|
# device → NAT on shinobu → NAT on plastic router → PŸUR CGNAT
|
2023-09-24 14:41:22 +02:00
|
|
|
|
#
|
2023-10-18 20:12:41 +02:00
|
|
|
|
# Because of issues with the NICs operating at 2.5GbE,
|
|
|
|
|
# all clients are connected to the switch,
|
|
|
|
|
# even if they have a 2.5GbE NIC.
|
2023-09-24 14:41:22 +02:00
|
|
|
|
#
|
|
|
|
|
# Wireless is configured by providing the whole hostapd configuration file as a secret.
|
|
|
|
|
# Once nixpkgs PR 222536 is merged, I will migrate to using the NixOS module.
|
|
|
|
|
# Thanks to Intel’s wisdom, it’s not possible to use 5GHz in AP mode.
|
|
|
|
|
{ config, lib, pkgs, ... }:
|
|
|
|
|
let
|
2023-10-18 20:04:04 +02:00
|
|
|
|
cfg = pkgs.callPackage ./common.nix { };
|
2023-09-24 14:41:22 +02:00
|
|
|
|
in
|
|
|
|
|
{
|
|
|
|
|
imports = [
|
2024-09-23 20:27:28 +02:00
|
|
|
|
./avahi.nix
|
2023-09-24 14:41:22 +02:00
|
|
|
|
./dnsmasq.nix
|
|
|
|
|
./nft.nix
|
2023-10-07 22:31:29 +02:00
|
|
|
|
./tc.nix
|
2023-09-24 14:41:22 +02:00
|
|
|
|
];
|
|
|
|
|
|
2024-08-27 00:13:25 +02:00
|
|
|
|
sbruder.wireguard.he.enable = true;
|
|
|
|
|
|
2023-09-24 14:41:22 +02:00
|
|
|
|
boot.kernel.sysctl = {
|
|
|
|
|
"net.ipv4.conf.all.forwarding" = true;
|
|
|
|
|
"net.ipv6.conf.all.forwarding" = true;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
environment.systemPackages = with pkgs; [
|
|
|
|
|
ethtool
|
|
|
|
|
];
|
|
|
|
|
|
|
|
|
|
networking.useDHCP = false;
|
|
|
|
|
|
|
|
|
|
systemd.network = {
|
|
|
|
|
enable = true;
|
|
|
|
|
# not all interfaces need to be up
|
|
|
|
|
wait-online.extraArgs = [ "--any" ];
|
2023-10-18 20:12:41 +02:00
|
|
|
|
netdevs = lib.mkMerge [
|
|
|
|
|
(lib.mapAttrs
|
|
|
|
|
(name: config: {
|
|
|
|
|
netdevConfig = {
|
|
|
|
|
Kind = "vlan";
|
|
|
|
|
Name = name;
|
|
|
|
|
};
|
|
|
|
|
vlanConfig = {
|
|
|
|
|
Id = config.id;
|
|
|
|
|
};
|
|
|
|
|
})
|
|
|
|
|
cfg.vlan)
|
|
|
|
|
(lib.mapAttrs'
|
|
|
|
|
(name: config: lib.nameValuePair "br-${name}" {
|
|
|
|
|
netdevConfig = {
|
|
|
|
|
Name = "br-${name}";
|
|
|
|
|
Kind = "bridge";
|
|
|
|
|
};
|
|
|
|
|
})
|
|
|
|
|
cfg.vlan)
|
|
|
|
|
];
|
|
|
|
|
networks = lib.mkMerge [
|
|
|
|
|
(lib.mapAttrs
|
|
|
|
|
(name: config: {
|
|
|
|
|
inherit name;
|
|
|
|
|
matchConfig = {
|
|
|
|
|
Type = "vlan";
|
|
|
|
|
};
|
|
|
|
|
bridge = [ "br-${name}" ];
|
|
|
|
|
})
|
|
|
|
|
cfg.vlan)
|
|
|
|
|
(lib.mapAttrs'
|
|
|
|
|
(name: config: lib.nameValuePair "br-${name}" {
|
|
|
|
|
name = "br-${name}";
|
|
|
|
|
domains = [ config.domain ];
|
|
|
|
|
address = lib.mapAttrsToList (family: familyConfig: familyConfig.gatewayCidr) config.subnet;
|
|
|
|
|
networkConfig = {
|
|
|
|
|
IPv6AcceptRA = false;
|
|
|
|
|
};
|
|
|
|
|
})
|
|
|
|
|
cfg.vlan)
|
|
|
|
|
{
|
|
|
|
|
wan = {
|
|
|
|
|
name = "enp1s0";
|
|
|
|
|
DHCP = "ipv4";
|
|
|
|
|
networkConfig = {
|
|
|
|
|
IPv6AcceptRA = "yes";
|
|
|
|
|
};
|
|
|
|
|
dhcpV4Config = {
|
|
|
|
|
UseDNS = "no";
|
|
|
|
|
};
|
|
|
|
|
ipv6AcceptRAConfig = {
|
|
|
|
|
# Only use RA
|
|
|
|
|
DHCPv6Client = false;
|
|
|
|
|
UseDNS = "no";
|
2024-08-27 00:13:25 +02:00
|
|
|
|
UseGateway = false; # should not be used by default for routing (wg-he takes precendence)
|
2023-10-18 20:12:41 +02:00
|
|
|
|
};
|
2024-08-27 16:37:48 +02:00
|
|
|
|
routingPolicyRules = lib.singleton {
|
|
|
|
|
routingPolicyRuleConfig = {
|
|
|
|
|
Family = "ipv6";
|
|
|
|
|
FirewallMark = 31092; # 0x7974
|
|
|
|
|
Table = 31092; # 0x7974
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
routes = lib.singleton {
|
|
|
|
|
routeConfig = {
|
|
|
|
|
Gateway = "_ipv6ra";
|
|
|
|
|
Table = 31092; # 0x7974
|
|
|
|
|
};
|
|
|
|
|
};
|
2023-09-24 14:41:22 +02:00
|
|
|
|
};
|
2023-10-18 20:12:41 +02:00
|
|
|
|
physical-lan = {
|
|
|
|
|
name = "enp2s0";
|
|
|
|
|
vlan = lib.attrNames cfg.vlan;
|
|
|
|
|
# no autoconfiguration needed, only tagged VLAN
|
|
|
|
|
networkConfig = {
|
|
|
|
|
LinkLocalAddressing = "no";
|
|
|
|
|
LLDP = "no";
|
|
|
|
|
EmitLLDP = "no";
|
|
|
|
|
IPv6AcceptRA = "no";
|
|
|
|
|
IPv6SendRA = "no";
|
|
|
|
|
};
|
2023-09-24 14:41:22 +02:00
|
|
|
|
};
|
2023-10-18 20:12:41 +02:00
|
|
|
|
lan2 = {
|
|
|
|
|
name = "enp3s0";
|
|
|
|
|
bridge = [ "br-lan" ];
|
2023-09-24 14:41:22 +02:00
|
|
|
|
};
|
2023-10-18 20:12:41 +02:00
|
|
|
|
lan3 = {
|
|
|
|
|
name = "enp4s0";
|
|
|
|
|
bridge = [ "br-lan" ];
|
2023-09-24 14:41:22 +02:00
|
|
|
|
};
|
2024-08-27 00:13:25 +02:00
|
|
|
|
# extended from common config
|
|
|
|
|
wg-he = {
|
|
|
|
|
address = lib.singleton "2001:470:73b9::1";
|
|
|
|
|
routes = lib.singleton {
|
|
|
|
|
routeConfig.Gateway = "::"; # on link
|
|
|
|
|
};
|
|
|
|
|
};
|
2023-10-18 20:12:41 +02:00
|
|
|
|
}
|
|
|
|
|
];
|
2023-09-24 14:41:22 +02:00
|
|
|
|
};
|
|
|
|
|
services.resolved.enable = false;
|
|
|
|
|
}
|