diff --git a/machines/shinobu/services/router/default.nix b/machines/shinobu/services/router/default.nix index 2e34f2a..a2c5cac 100644 --- a/machines/shinobu/services/router/default.nix +++ b/machines/shinobu/services/router/default.nix @@ -45,4 +45,146 @@ in environment.systemPackages = with pkgs; [ ethtool ]; + + sops.secrets.wg-upstream-private-key = { + owner = config.users.users.systemd-network.name; + sopsFile = ../../secrets.yaml; + }; + + networking.useDHCP = false; + + systemd.network = { + enable = true; + # not all interfaces need to be up + wait-online.extraArgs = [ "--any" ]; + netdevs = { + br-lan = { + netdevConfig = { + Name = "br-lan"; + Kind = "bridge"; + }; + }; + wg-upstream = { + netdevConfig = { + Kind = "wireguard"; + Name = "wg-upstream"; + }; + wireguardConfig = { + PrivateKeyFile = config.sops.secrets.wg-upstream-private-key.path; + FirewallMark = 51820; + }; + wireguardPeers = lib.singleton { + wireguardPeerConfig = with cfg.wg-upstream; { + Endpoint = endpoint.full; + PublicKey = publicKey; + AllowedIPs = [ "0.0.0.0/0" "::0/0" ]; + PersistentKeepalive = 25; + }; + }; + }; + }; + networks = { + wan = { + name = "enp1s0"; + DHCP = "ipv4"; + networkConfig = { + IPv6AcceptRA = "yes"; + }; + dhcpV4Config = { + UseDNS = "no"; + }; + ipv6AcceptRAConfig = { + # Only use RA + DHCPv6Client = false; + UseDNS = "no"; + }; + }; + lan1 = { + name = "enp2s0"; + bridge = [ "br-lan" ]; + }; + lan2 = { + name = "enp3s0"; + bridge = [ "br-lan" ]; + }; + lan3 = { + name = "enp4s0"; + bridge = [ "br-lan" ]; + }; + br-lan = { + name = "br-lan"; + domains = [ cfg.domain ]; + address = [ "10.80.1.1/24" "fd00:80:1::1/64" ]; + }; + wg-upstream = { + name = "wg-upstream"; + address = cfg.wg-upstream.addresses; + routingPolicyRules = [ + { + routingPolicyRuleConfig = { + Family = "both"; # default is only ipv4 + FirewallMark = 51820; + InvertRule = "yes"; + Table = 51820; + Priority = 10; + #SuppressPrefixLength = 0; # can’t be used here (forwarding does not work with it) + }; + } + # FIXME: those two shouldn’t be necessary + # It should automatically detect those routes existing and prioritise them + # LAN (v4) + { + routingPolicyRuleConfig = { + To = "10.80.1.0/24"; + Priority = 9; + }; + } + # LAN (v6) + { + routingPolicyRuleConfig = { + To = "fd00:80:1::/64"; + Priority = 9; + }; + } + # wg-home + { + routingPolicyRuleConfig = { + To = "10.80.0.0/24"; + Priority = 9; + }; + } + # VPN bypass + { + routingPolicyRuleConfig = { + Family = "both"; # welcome in the year 2023, where ipv4 is the default + FirewallMark = cfg.vpnBypassFwMark; + Priority = 9; + }; + } + # plastic router + { + routingPolicyRuleConfig = { + To = "192.168.0.0/24"; + Priority = 9; + }; + } + ]; + routes = [ + { + routeConfig = { + Gateway = "0.0.0.0"; # point-to-point connection + Table = 51820; + }; + } + { + routeConfig = { + Gateway = "::"; + Table = 51820; + }; + } + ]; + }; + }; + }; + services.resolved.enable = false; } diff --git a/machines/shinobu/services/router/networkd.nix b/machines/shinobu/services/router/networkd.nix deleted file mode 100644 index 7a0c51b..0000000 --- a/machines/shinobu/services/router/networkd.nix +++ /dev/null @@ -1,147 +0,0 @@ -{ config, lib, ... }: -let - cfg = import ./common.nix; -in -{ - sops.secrets.wg-upstream-private-key = { - owner = config.users.users.systemd-network.name; - sopsFile = ../../secrets.yaml; - }; - - networking.useDHCP = false; - - systemd.network = { - enable = true; - # not all interfaces need to be up - wait-online.extraArgs = [ "--any" ]; - netdevs = { - br-lan = { - netdevConfig = { - Name = "br-lan"; - Kind = "bridge"; - }; - }; - wg-upstream = { - netdevConfig = { - Kind = "wireguard"; - Name = "wg-upstream"; - }; - wireguardConfig = { - PrivateKeyFile = config.sops.secrets.wg-upstream-private-key.path; - FirewallMark = 51820; - }; - wireguardPeers = lib.singleton { - wireguardPeerConfig = with cfg.wg-upstream; { - Endpoint = endpoint.full; - PublicKey = publicKey; - AllowedIPs = [ "0.0.0.0/0" "::0/0" ]; - PersistentKeepalive = 25; - }; - }; - }; - }; - networks = { - wan = { - name = "enp1s0"; - DHCP = "ipv4"; - networkConfig = { - IPv6AcceptRA = "yes"; - }; - dhcpV4Config = { - UseDNS = "no"; - }; - ipv6AcceptRAConfig = { - # Only use RA - DHCPv6Client = false; - UseDNS = "no"; - }; - }; - lan1 = { - name = "enp2s0"; - bridge = [ "br-lan" ]; - }; - lan2 = { - name = "enp3s0"; - bridge = [ "br-lan" ]; - }; - lan3 = { - name = "enp4s0"; - bridge = [ "br-lan" ]; - }; - br-lan = { - name = "br-lan"; - domains = [ cfg.domain ]; - address = [ "10.80.1.1/24" "fd00:80:1::1/64" ]; - }; - wg-upstream = { - name = "wg-upstream"; - address = cfg.wg-upstream.addresses; - routingPolicyRules = [ - { - routingPolicyRuleConfig = { - Family = "both"; # default is only ipv4 - FirewallMark = 51820; - InvertRule = "yes"; - Table = 51820; - Priority = 10; - #SuppressPrefixLength = 0; # can’t be used here (forwarding does not work with it) - }; - } - # FIXME: those two shouldn’t be necessary - # It should automatically detect those routes existing and prioritise them - # LAN (v4) - { - routingPolicyRuleConfig = { - To = "10.80.1.0/24"; - Priority = 9; - }; - } - # LAN (v6) - { - routingPolicyRuleConfig = { - To = "fd00:80:1::/64"; - Priority = 9; - }; - } - # wg-home - { - routingPolicyRuleConfig = { - To = "10.80.0.0/24"; - Priority = 9; - }; - } - # VPN bypass - { - routingPolicyRuleConfig = { - Family = "both"; # welcome in the year 2023, where ipv4 is the default - FirewallMark = cfg.vpnBypassFwMark; - Priority = 9; - }; - } - # plastic router - { - routingPolicyRuleConfig = { - To = "192.168.0.0/24"; - Priority = 9; - }; - } - ]; - routes = [ - { - routeConfig = { - Gateway = "0.0.0.0"; # point-to-point connection - Table = 51820; - }; - } - { - routeConfig = { - Gateway = "::"; - Table = 51820; - }; - } - ]; - }; - }; - }; - services.resolved.enable = false; -}