fixup! shinobu/router: Split configuration
This commit is contained in:
parent
d733c5a802
commit
560fc237b7
|
@ -45,4 +45,146 @@ in
|
|||
environment.systemPackages = with pkgs; [
|
||||
ethtool
|
||||
];
|
||||
|
||||
sops.secrets.wg-upstream-private-key = {
|
||||
owner = config.users.users.systemd-network.name;
|
||||
sopsFile = ../../secrets.yaml;
|
||||
};
|
||||
|
||||
networking.useDHCP = false;
|
||||
|
||||
systemd.network = {
|
||||
enable = true;
|
||||
# not all interfaces need to be up
|
||||
wait-online.extraArgs = [ "--any" ];
|
||||
netdevs = {
|
||||
br-lan = {
|
||||
netdevConfig = {
|
||||
Name = "br-lan";
|
||||
Kind = "bridge";
|
||||
};
|
||||
};
|
||||
wg-upstream = {
|
||||
netdevConfig = {
|
||||
Kind = "wireguard";
|
||||
Name = "wg-upstream";
|
||||
};
|
||||
wireguardConfig = {
|
||||
PrivateKeyFile = config.sops.secrets.wg-upstream-private-key.path;
|
||||
FirewallMark = 51820;
|
||||
};
|
||||
wireguardPeers = lib.singleton {
|
||||
wireguardPeerConfig = with cfg.wg-upstream; {
|
||||
Endpoint = endpoint.full;
|
||||
PublicKey = publicKey;
|
||||
AllowedIPs = [ "0.0.0.0/0" "::0/0" ];
|
||||
PersistentKeepalive = 25;
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
networks = {
|
||||
wan = {
|
||||
name = "enp1s0";
|
||||
DHCP = "ipv4";
|
||||
networkConfig = {
|
||||
IPv6AcceptRA = "yes";
|
||||
};
|
||||
dhcpV4Config = {
|
||||
UseDNS = "no";
|
||||
};
|
||||
ipv6AcceptRAConfig = {
|
||||
# Only use RA
|
||||
DHCPv6Client = false;
|
||||
UseDNS = "no";
|
||||
};
|
||||
};
|
||||
lan1 = {
|
||||
name = "enp2s0";
|
||||
bridge = [ "br-lan" ];
|
||||
};
|
||||
lan2 = {
|
||||
name = "enp3s0";
|
||||
bridge = [ "br-lan" ];
|
||||
};
|
||||
lan3 = {
|
||||
name = "enp4s0";
|
||||
bridge = [ "br-lan" ];
|
||||
};
|
||||
br-lan = {
|
||||
name = "br-lan";
|
||||
domains = [ cfg.domain ];
|
||||
address = [ "10.80.1.1/24" "fd00:80:1::1/64" ];
|
||||
};
|
||||
wg-upstream = {
|
||||
name = "wg-upstream";
|
||||
address = cfg.wg-upstream.addresses;
|
||||
routingPolicyRules = [
|
||||
{
|
||||
routingPolicyRuleConfig = {
|
||||
Family = "both"; # default is only ipv4
|
||||
FirewallMark = 51820;
|
||||
InvertRule = "yes";
|
||||
Table = 51820;
|
||||
Priority = 10;
|
||||
#SuppressPrefixLength = 0; # can’t be used here (forwarding does not work with it)
|
||||
};
|
||||
}
|
||||
# FIXME: those two shouldn’t be necessary
|
||||
# It should automatically detect those routes existing and prioritise them
|
||||
# LAN (v4)
|
||||
{
|
||||
routingPolicyRuleConfig = {
|
||||
To = "10.80.1.0/24";
|
||||
Priority = 9;
|
||||
};
|
||||
}
|
||||
# LAN (v6)
|
||||
{
|
||||
routingPolicyRuleConfig = {
|
||||
To = "fd00:80:1::/64";
|
||||
Priority = 9;
|
||||
};
|
||||
}
|
||||
# wg-home
|
||||
{
|
||||
routingPolicyRuleConfig = {
|
||||
To = "10.80.0.0/24";
|
||||
Priority = 9;
|
||||
};
|
||||
}
|
||||
# VPN bypass
|
||||
{
|
||||
routingPolicyRuleConfig = {
|
||||
Family = "both"; # welcome in the year 2023, where ipv4 is the default
|
||||
FirewallMark = cfg.vpnBypassFwMark;
|
||||
Priority = 9;
|
||||
};
|
||||
}
|
||||
# plastic router
|
||||
{
|
||||
routingPolicyRuleConfig = {
|
||||
To = "192.168.0.0/24";
|
||||
Priority = 9;
|
||||
};
|
||||
}
|
||||
];
|
||||
routes = [
|
||||
{
|
||||
routeConfig = {
|
||||
Gateway = "0.0.0.0"; # point-to-point connection
|
||||
Table = 51820;
|
||||
};
|
||||
}
|
||||
{
|
||||
routeConfig = {
|
||||
Gateway = "::";
|
||||
Table = 51820;
|
||||
};
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
services.resolved.enable = false;
|
||||
}
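Review bot: The Priority 10 rule on wg-upstream only redirects un-marked traffic into table 51820; when that table holds no usable route (tunnel down, routes not yet installed, or the interface gone) the lookup falls through to the main table and the traffic leaves via the WAN default route in clear — for IPv4 and, given `Family = "both"` and `IPv6AcceptRA = "yes"` on wan, for IPv6 too. `AllowedIPs = [ "0.0.0.0/0" "::0/0" ]` signals the intent to tunnel everything, so a fail-closed rule after it seems missing: the same match at a lower priority with `Type = "unreachable"` makes a failed table lookup drop instead of leaking (requires a systemd that supports `Type=` in `[RoutingPolicyRule]`; confirm for the deployed version). I can't tell from here whether networkd also removes these rules when the wg link disappears; if it does, the fail-closed rule would be more robust attached to the wan network or expressed in the firewall. The enclosing `let … in` module opens before this hunk.
```nix
routingPolicyRules = [
  # … unchanged: existing table 51820 rule and the Priority 9 bypass rules …
  # Fail closed: if table 51820 has no route (wg-upstream down), drop rather
  # than fall through to the main table and exit via WAN in clear.
  {
    routingPolicyRuleConfig = {
      Family = "both";
      FirewallMark = 51820;
      InvertRule = "yes";
      Type = "unreachable";
      Priority = 11;
    };
  }
];
```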
|
||||
|
|
|
@ -1,147 +0,0 @@
|
|||
{ config, lib, ... }:
|
||||
let
|
||||
cfg = import ./common.nix;
|
||||
in
|
||||
{
|
||||
sops.secrets.wg-upstream-private-key = {
|
||||
owner = config.users.users.systemd-network.name;
|
||||
sopsFile = ../../secrets.yaml;
|
||||
};
|
||||
|
||||
networking.useDHCP = false;
|
||||
|
||||
systemd.network = {
|
||||
enable = true;
|
||||
# not all interfaces need to be up
|
||||
wait-online.extraArgs = [ "--any" ];
|
||||
netdevs = {
|
||||
br-lan = {
|
||||
netdevConfig = {
|
||||
Name = "br-lan";
|
||||
Kind = "bridge";
|
||||
};
|
||||
};
|
||||
wg-upstream = {
|
||||
netdevConfig = {
|
||||
Kind = "wireguard";
|
||||
Name = "wg-upstream";
|
||||
};
|
||||
wireguardConfig = {
|
||||
PrivateKeyFile = config.sops.secrets.wg-upstream-private-key.path;
|
||||
FirewallMark = 51820;
|
||||
};
|
||||
wireguardPeers = lib.singleton {
|
||||
wireguardPeerConfig = with cfg.wg-upstream; {
|
||||
Endpoint = endpoint.full;
|
||||
PublicKey = publicKey;
|
||||
AllowedIPs = [ "0.0.0.0/0" "::0/0" ];
|
||||
PersistentKeepalive = 25;
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
networks = {
|
||||
wan = {
|
||||
name = "enp1s0";
|
||||
DHCP = "ipv4";
|
||||
networkConfig = {
|
||||
IPv6AcceptRA = "yes";
|
||||
};
|
||||
dhcpV4Config = {
|
||||
UseDNS = "no";
|
||||
};
|
||||
ipv6AcceptRAConfig = {
|
||||
# Only use RA
|
||||
DHCPv6Client = false;
|
||||
UseDNS = "no";
|
||||
};
|
||||
};
|
||||
lan1 = {
|
||||
name = "enp2s0";
|
||||
bridge = [ "br-lan" ];
|
||||
};
|
||||
lan2 = {
|
||||
name = "enp3s0";
|
||||
bridge = [ "br-lan" ];
|
||||
};
|
||||
lan3 = {
|
||||
name = "enp4s0";
|
||||
bridge = [ "br-lan" ];
|
||||
};
|
||||
br-lan = {
|
||||
name = "br-lan";
|
||||
domains = [ cfg.domain ];
|
||||
address = [ "10.80.1.1/24" "fd00:80:1::1/64" ];
|
||||
};
|
||||
wg-upstream = {
|
||||
name = "wg-upstream";
|
||||
address = cfg.wg-upstream.addresses;
|
||||
routingPolicyRules = [
|
||||
{
|
||||
routingPolicyRuleConfig = {
|
||||
Family = "both"; # default is only ipv4
|
||||
FirewallMark = 51820;
|
||||
InvertRule = "yes";
|
||||
Table = 51820;
|
||||
Priority = 10;
|
||||
#SuppressPrefixLength = 0; # can’t be used here (forwarding does not work with it)
|
||||
};
|
||||
}
|
||||
# FIXME: those two shouldn’t be necessary
|
||||
# It should automatically detect those routes existing and prioritise them
|
||||
# LAN (v4)
|
||||
{
|
||||
routingPolicyRuleConfig = {
|
||||
To = "10.80.1.0/24";
|
||||
Priority = 9;
|
||||
};
|
||||
}
|
||||
# LAN (v6)
|
||||
{
|
||||
routingPolicyRuleConfig = {
|
||||
To = "fd00:80:1::/64";
|
||||
Priority = 9;
|
||||
};
|
||||
}
|
||||
# wg-home
|
||||
{
|
||||
routingPolicyRuleConfig = {
|
||||
To = "10.80.0.0/24";
|
||||
Priority = 9;
|
||||
};
|
||||
}
|
||||
# VPN bypass
|
||||
{
|
||||
routingPolicyRuleConfig = {
|
||||
Family = "both"; # welcome in the year 2023, where ipv4 is the default
|
||||
FirewallMark = cfg.vpnBypassFwMark;
|
||||
Priority = 9;
|
||||
};
|
||||
}
|
||||
# plastic router
|
||||
{
|
||||
routingPolicyRuleConfig = {
|
||||
To = "192.168.0.0/24";
|
||||
Priority = 9;
|
||||
};
|
||||
}
|
||||
];
|
||||
routes = [
|
||||
{
|
||||
routeConfig = {
|
||||
Gateway = "0.0.0.0"; # point-to-point connection
|
||||
Table = 51820;
|
||||
};
|
||||
}
|
||||
{
|
||||
routeConfig = {
|
||||
Gateway = "::";
|
||||
Table = 51820;
|
||||
};
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
services.resolved.enable = false;
|
||||
}
|