# Home network configuration # # +----------+ +------+ # | | | | ( clients ) # | | | +|-|-|-|-|+ # +---+----+ +-+-+-+ |5 4 3 2 1| # |upstream| |fuuko| |TL-SG105 | # +--------+ +-----+ +---------+ # # It consists of fuuko as a router (this configuration), # connected to a TP-LINK TL-SG105E “smart managed” (i.e., it can do VLANs) 5-port switch. # The upstream comes from some plasic Huawei router/AP I don’t control. # # fuuko has two physical network interfaces, # because remote unlocking (which requires network in initrd) is hard with VLANs. # # Wireless is configured by providing the whole hostapd configuration file as a secret. # Once nixpkgs PR 222536 is merged, I will migrate to using the NixOS module. # Thanks to Intel’s wisdom, it’s not possible to use 5GHz in AP mode. { config, lib, pkgs, ... }: let domain = "home.sbruder.de"; in { sops.secrets.wg-mullvad-private-key = { owner = config.users.users.systemd-network.name; sopsFile = ../secrets.yaml; }; sops.secrets.hostapd-config = { sopsFile = ../secrets.yaml; }; boot.kernel.sysctl = { "net.ipv4.conf.all.forwarding" = true; }; networking = { # networkd handles this useDHCP = false; # networkd didn’t work that well for this nat = { enable = true; enableIPv6 = true; externalInterface = "wg-mullvad"; internalInterfaces = [ "br-lan" ]; internalIPv6s = [ "fd00:80:1::/64" ]; }; }; systemd.network = { enable = true; netdevs = { br-lan = { netdevConfig = { Name = "br-lan"; Kind = "bridge"; }; }; wg-mullvad = { netdevConfig = { Kind = "wireguard"; Name = "wg-mullvad"; }; wireguardConfig = { PrivateKeyFile = config.sops.secrets.wg-mullvad-private-key.path; FirewallMark = 51820; }; wireguardPeers = lib.singleton { wireguardPeerConfig = { Endpoint = ""; PublicKey = "xpZ3ZDEukbqKQvdHwaqKMUhsYhcYD3uLPUh1ACsVr1s="; AllowedIPs = [ "" "::0/0" ]; PersistentKeepalive = 25; }; }; }; }; networks = { wan = { name = "enp9s0"; networkConfig = { # Upstream provides no IPv6 :( # If this is not set, it waits and fails systemd-networkd-wait-online LinkLocalAddressing = "no"; IPv6AcceptRA = "no"; }; DHCP = "ipv4"; dhcpV4Config = { UseDNS = "no"; }; }; lan = { name = "enp10s0"; bridge = [ "br-lan" ]; }; br-lan = { name = "br-lan"; domains = [ domain ]; address = [ "" "fd00:80:1::1/64" ]; }; wg-mullvad = { name = "wg-mullvad"; address = [ "" "fc00:bbbb:bbbb:bb01::3:d057/128" ]; dns = [ "" ]; routingPolicyRules = [ { routingPolicyRuleConfig = { FirewallMark = 51820; InvertRule = "yes"; Table = 51820; Priority = 10; #SuppressPrefixLength = 0; # can’t be used here (forwarding does not work with it) }; } # FIXME: those two shouldn’t be necessary # It should automatically detect those routes existing and prioritise them { routingPolicyRuleConfig = { To = ""; Priority = 9; }; } { routingPolicyRuleConfig = { To = ""; Priority = 9; }; } ]; routes = [ { routeConfig = { Gateway = ""; # point-to-point connection Table = 51820; }; } { routeConfig = { Gateway = "::"; }; } ]; }; }; }; services.resolved.enable = false; services.dnsmasq = { enable = true; settings = { bogus-priv = true; # do not forward revese lookups of internal addresses domain-needed = true; # do not forward names without domain interface = "br-lan"; # only respond to queries from lan no-hosts = true; # do not resolve hosts from /etc/hosts no-resolv = true; # only use explicitly configured resolvers cache-size = 10000; inherit domain; # Allow resolving the router interface-name = [ "${config.networking.hostName}.${domain},br-lan" "${config.networking.hostName},br-lan" ]; # DHCPv4 dhcp-range = [ ",,12h" # DHCPv4 "fd00:80:1::,ra-stateless,ra-names" # SLAAC (for addresses) / DHCPv6 (for DNS) ]; dhcp-option = [ "option:router," "option6:dns-server,fd00:80:1::1" ]; # Despite its name, the switch does not have a “smart” configuration, # that would allow me to tell it not to get DHCP from wan, # but from lan instead. # So it has to use static configuration. host-record = "switchviech,switchviech.${domain},"; server = [ "" # mullvad DNS, should be fastest overall #"" # dns.quad9.net #"2620:fe::fe" ]; }; }; systemd.services.dnsmasq.after = [ "systemd-networkd.service" ]; services.prometheus.exporters.dnsmasq = { enable = true; listenAddress = config.sbruder.wireguard.home.address; leasesPath = "/var/lib/dnsmasq/dnsmasq.leases"; }; networking.firewall.allowedUDPPorts = [ 53 67 ]; networking.firewall.allowedTCPPorts = [ 53 ]; # Wireless boot.kernelModules = [ "nl80211" ]; environment.systemPackages = with pkgs; [ iw wirelesstools ]; # The service is mostly taken from nixpkgs pr 222536. systemd.services.hostapd = { path = with pkgs; [ hostapd ]; after = [ "sys-subsystem-net-devices-wlp8s0.device" ]; bindsTo = [ "sys-subsystem-net-devices-wlp8s0.device" ]; wantedBy = [ "multi-user.target" ]; serviceConfig = { ExecStart = "${pkgs.hostapd}/bin/hostapd ${config.sops.secrets.hostapd-config.path}"; Restart = "always"; ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; RuntimeDirectory = "hostapd"; # Hardening LockPersonality = true; MemoryDenyWriteExecute = true; DevicePolicy = "closed"; DeviceAllow = "/dev/rfkill rw"; NoNewPrivileges = true; PrivateUsers = false; # hostapd requires true root access. PrivateTmp = true; ProtectClock = true; ProtectControlGroups = true; ProtectHome = true; ProtectHostname = true; ProtectKernelLogs = true; ProtectKernelModules = true; ProtectKernelTunables = true; ProtectProc = "invisible"; ProcSubset = "pid"; ProtectSystem = "strict"; RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_NETLINK" "AF_UNIX" ]; RestrictNamespaces = true; RestrictRealtime = true; RestrictSUIDSGID = true; SystemCallArchitectures = "native"; SystemCallFilter = [ "@system-service" "~@privileged" "@chown" ]; UMask = "0077"; }; }; }