fixup! shinobu/router: Split configuration

2023-09-24 14:47:04 +02:00 · 2023-09-24 14:47:04 +02:00 · 560fc237b7
parent d733c5a802
commit 560fc237b7
2 changed files with 142 additions and 147 deletions
--- a/machines/shinobu/services/router/default.nix
+++ b/machines/shinobu/services/router/default.nix
@ -45,4 +45,146 @@ in
  environment.systemPackages = with pkgs; [
    ethtool
  ];
+
+  sops.secrets.wg-upstream-private-key = {
+    owner = config.users.users.systemd-network.name;
+    sopsFile = ../../secrets.yaml;
+  };
+
+  networking.useDHCP = false;
+
+  systemd.network = {
+    enable = true;
+    # not all interfaces need to be up
+    wait-online.extraArgs = [ "--any" ];
+    netdevs = {
+      br-lan = {
+        netdevConfig = {
+          Name = "br-lan";
+          Kind = "bridge";
+        };
+      };
+      wg-upstream = {
+        netdevConfig = {
+          Kind = "wireguard";
+          Name = "wg-upstream";
+        };
+        wireguardConfig = {
+          PrivateKeyFile = config.sops.secrets.wg-upstream-private-key.path;
+          FirewallMark = 51820;
+        };
+        wireguardPeers = lib.singleton {
+          wireguardPeerConfig = with cfg.wg-upstream; {
+            Endpoint = endpoint.full;
+            PublicKey = publicKey;
+            AllowedIPs = [ "0.0.0.0/0" "::0/0" ];
+            PersistentKeepalive = 25;
+          };
+        };
+      };
+    };
+    networks = {
+      wan = {
+        name = "enp1s0";
+        DHCP = "ipv4";
+        networkConfig = {
+          IPv6AcceptRA = "yes";
+        };
+        dhcpV4Config = {
+          UseDNS = "no";
+        };
+        ipv6AcceptRAConfig = {
+          # Only use RA
+          DHCPv6Client = false;
+          UseDNS = "no";
+        };
+      };
+      lan1 = {
+        name = "enp2s0";
+        bridge = [ "br-lan" ];
+      };
+      lan2 = {
+        name = "enp3s0";
+        bridge = [ "br-lan" ];
+      };
+      lan3 = {
+        name = "enp4s0";
+        bridge = [ "br-lan" ];
+      };
+      br-lan = {
+        name = "br-lan";
+        domains = [ cfg.domain ];
+        address = [ "10.80.1.1/24" "fd00:80:1::1/64" ];
+      };
+      wg-upstream = {
+        name = "wg-upstream";
+        address = cfg.wg-upstream.addresses;
+        routingPolicyRules = [
+          {
+            routingPolicyRuleConfig = {
+              Family = "both"; # default is only ipv4
+              FirewallMark = 51820;
+              InvertRule = "yes";
+              Table = 51820;
+              Priority = 10;
+              #SuppressPrefixLength = 0; # can’t be used here (forwarding does not work with it)
+            };
+          }
+          # FIXME: those two shouldn’t be necessary
+          # It should automatically detect those routes existing and prioritise them
+          # LAN (v4)
+          {
+            routingPolicyRuleConfig = {
+              To = "10.80.1.0/24";
+              Priority = 9;
+            };
+          }
+          # LAN (v6)
+          {
+            routingPolicyRuleConfig = {
+              To = "fd00:80:1::/64";
+              Priority = 9;
+            };
+          }
+          # wg-home
+          {
+            routingPolicyRuleConfig = {
+              To = "10.80.0.0/24";
+              Priority = 9;
+            };
+          }
+          # VPN bypass
+          {
+            routingPolicyRuleConfig = {
+              Family = "both"; # welcome in the year 2023, where ipv4 is the default
+              FirewallMark = cfg.vpnBypassFwMark;
+              Priority = 9;
+            };
+          }
+          # plastic router
+          {
+            routingPolicyRuleConfig = {
+              To = "192.168.0.0/24";
+              Priority = 9;
+            };
+          }
+        ];
+        routes = [
+          {
+            routeConfig = {
+              Gateway = "0.0.0.0"; # point-to-point connection
+              Table = 51820;
+            };
+          }
+          {
+            routeConfig = {
+              Gateway = "::";
+              Table = 51820;
+            };
+          }
+        ];
+      };
+    };
+  };
+  services.resolved.enable = false;
 }
--- a/machines/shinobu/services/router/networkd.nix
+++ b/machines/shinobu/services/router/networkd.nix
@ -1,147 +0,0 @@
-{ config, lib, ... }:
-let
-  cfg = import ./common.nix;
-in
-{
-  sops.secrets.wg-upstream-private-key = {
-    owner = config.users.users.systemd-network.name;
-    sopsFile = ../../secrets.yaml;
-  };
-
-  networking.useDHCP = false;
-
-  systemd.network = {
-    enable = true;
-    # not all interfaces need to be up
-    wait-online.extraArgs = [ "--any" ];
-    netdevs = {
-      br-lan = {
-        netdevConfig = {
-          Name = "br-lan";
-          Kind = "bridge";
-        };
-      };
-      wg-upstream = {
-        netdevConfig = {
-          Kind = "wireguard";
-          Name = "wg-upstream";
-        };
-        wireguardConfig = {
-          PrivateKeyFile = config.sops.secrets.wg-upstream-private-key.path;
-          FirewallMark = 51820;
-        };
-        wireguardPeers = lib.singleton {
-          wireguardPeerConfig = with cfg.wg-upstream; {
-            Endpoint = endpoint.full;
-            PublicKey = publicKey;
-            AllowedIPs = [ "0.0.0.0/0" "::0/0" ];
-            PersistentKeepalive = 25;
-          };
-        };
-      };
-    };
-    networks = {
-      wan = {
-        name = "enp1s0";
-        DHCP = "ipv4";
-        networkConfig = {
-          IPv6AcceptRA = "yes";
-        };
-        dhcpV4Config = {
-          UseDNS = "no";
-        };
-        ipv6AcceptRAConfig = {
-          # Only use RA
-          DHCPv6Client = false;
-          UseDNS = "no";
-        };
-      };
-      lan1 = {
-        name = "enp2s0";
-        bridge = [ "br-lan" ];
-      };
-      lan2 = {
-        name = "enp3s0";
-        bridge = [ "br-lan" ];
-      };
-      lan3 = {
-        name = "enp4s0";
-        bridge = [ "br-lan" ];
-      };
-      br-lan = {
-        name = "br-lan";
-        domains = [ cfg.domain ];
-        address = [ "10.80.1.1/24" "fd00:80:1::1/64" ];
-      };
-      wg-upstream = {
-        name = "wg-upstream";
-        address = cfg.wg-upstream.addresses;
-        routingPolicyRules = [
-          {
-            routingPolicyRuleConfig = {
-              Family = "both"; # default is only ipv4
-              FirewallMark = 51820;
-              InvertRule = "yes";
-              Table = 51820;
-              Priority = 10;
-              #SuppressPrefixLength = 0; # can’t be used here (forwarding does not work with it)
-            };
-          }
-          # FIXME: those two shouldn’t be necessary
-          # It should automatically detect those routes existing and prioritise them
-          # LAN (v4)
-          {
-            routingPolicyRuleConfig = {
-              To = "10.80.1.0/24";
-              Priority = 9;
-            };
-          }
-          # LAN (v6)
-          {
-            routingPolicyRuleConfig = {
-              To = "fd00:80:1::/64";
-              Priority = 9;
-            };
-          }
-          # wg-home
-          {
-            routingPolicyRuleConfig = {
-              To = "10.80.0.0/24";
-              Priority = 9;
-            };
-          }
-          # VPN bypass
-          {
-            routingPolicyRuleConfig = {
-              Family = "both"; # welcome in the year 2023, where ipv4 is the default
-              FirewallMark = cfg.vpnBypassFwMark;
-              Priority = 9;
-            };
-          }
-          # plastic router
-          {
-            routingPolicyRuleConfig = {
-              To = "192.168.0.0/24";
-              Priority = 9;
-            };
-          }
-        ];
-        routes = [
-          {
-            routeConfig = {
-              Gateway = "0.0.0.0"; # point-to-point connection
-              Table = 51820;
-            };
-          }
-          {
-            routeConfig = {
-              Gateway = "::";
-              Table = 51820;
-            };
-          }
-        ];
-      };
-    };
-  };
-  services.resolved.enable = false;
-}