nixos-config/machines/fuuko/services/router.nix

222 lines
6 KiB
Nix
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Home network configuration
#
# +----------+ +---------------+
# | | | +-+-+---+ |
# | +|-|-|-|-|+ | |
# +---+----+ |5 4 3 2 1| | +--+--+
# |upstream| |TL-SG105 | | |fuuko|
# +--------+ +---------+ | +-----+
# |
# ( clients )
#
# It consists of fuuko as a router (this configuration),
# connected to a TP-LINK TL-SG105E “smart managed” (i.e., it can do VLANs) 5-port switch.
# The upstream comes from some plasic Huawei router/AP I dont control.
#
# The VLANs are configured as follows:
# Port | VLAN | ID(s)
# 5 | untagged | 2
# 4 | tagged | 2,3
# 1-3 | untagged | 3
#
# Wireless currently still is done by a separate GL.iNet GL-MT300N-V2 running OpenWRT,
# but this will be changed to a Intel Wireless-AC 9260 in fuuko at a later date.
{ config, lib, ... }:
let
domain = "home.sbruder.de";
in
{
sops.secrets.wg-mullvad-private-key = {
owner = config.users.users.systemd-network.name;
sopsFile = ../secrets.yaml;
};
boot.kernel.sysctl = {
"net.ipv4.conf.all.forwarding" = true;
};
networking = {
# networkd handles this
useDHCP = false;
# networkd didnt work that well for this
nat = {
enable = true;
enableIPv6 = true;
externalInterface = "wg-mullvad";
internalInterfaces = [ "lan" ];
internalIPv6s = [ "fd00:80:1::/64" ];
};
};
systemd.network = {
enable = true;
netdevs = {
wan = {
netdevConfig = {
Kind = "vlan";
Name = "wan";
};
vlanConfig = {
Id = 2;
};
};
lan = {
netdevConfig = {
Kind = "vlan";
Name = "lan";
};
vlanConfig = {
Id = 3;
};
};
wg-mullvad = {
netdevConfig = {
Kind = "wireguard";
Name = "wg-mullvad";
};
wireguardConfig = {
PrivateKeyFile = config.sops.secrets.wg-mullvad-private-key.path;
FirewallMark = 51820;
};
wireguardPeers = lib.singleton {
wireguardPeerConfig = {
Endpoint = "146.70.117.194:51820";
PublicKey = "ydXFN45/kROELJrF6id+uIrnS5DvTKSCkZDjfL9De2Q=";
AllowedIPs = [ "0.0.0.0/0" "::0/0" ];
PersistentKeepalive = 25;
};
};
};
};
networks = {
physical = {
name = "enp8s0";
vlan = [ "wan" "lan" ];
# no autoconfiguration needed, only tagged VLAN
networkConfig = {
LinkLocalAddressing = "no";
LLDP = "no";
EmitLLDP = "no";
IPv6AcceptRA = "no";
IPv6SendRA = "no";
};
};
wan = {
name = "wan";
matchConfig = {
Type = "vlan";
};
networkConfig = {
# Upstream provides no IPv6 :(
# If this is not set, it waits and fails systemd-networkd-wait-online
LinkLocalAddressing = "no";
IPv6AcceptRA = "no";
};
DHCP = "ipv4";
dhcpV4Config = {
UseDNS = "no";
};
};
lan = {
name = "lan";
matchConfig = {
Type = "vlan";
};
domains = [ domain ];
address = [ "10.80.1.1/24" "fd00:80:1::1/64" ];
};
wg-mullvad = {
name = "wg-mullvad";
address = [ "10.66.208.88/32" "fc00:bbbb:bbbb:bb01::3:d057/128" ];
dns = [ "10.64.0.1" ];
routingPolicyRules = [
{
routingPolicyRuleConfig = {
FirewallMark = 51820;
InvertRule = "yes";
Table = 51820;
Priority = 10;
#SuppressPrefixLength = 0; # cant be used here (forwarding does not work with it)
};
}
# FIXME: those two shouldnt be necessary
# It should automatically detect those routes existing and prioritise them
{
routingPolicyRuleConfig = {
To = "10.80.0.0/24";
Priority = 9;
};
}
{
routingPolicyRuleConfig = {
To = "10.80.1.0/24";
Priority = 9;
};
}
];
routes = [
{
routeConfig = {
Gateway = "0.0.0.0"; # point-to-point connection
Table = 51820;
};
}
{
routeConfig = {
Gateway = "::";
};
}
];
};
};
};
services.resolved.enable = false;
services.dnsmasq = {
enable = true;
extraConfig = ''
bogus-priv # do not forward revese lookups of internal addresses
domain-needed # do not forward names without domain
interface=lan # only respond to queries from lan
no-hosts # do not resolve hosts from /etc/hosts
no-resolv # only use explicitly configured resolvers
cache-size=10000
domain=${domain}
# Allow resolving the router
interface-name=${config.networking.hostName}.${domain},lan
interface-name=${config.networking.hostName},lan
# DHCPv4
dhcp-range=10.80.1.20,10.80.1.150,12h
dhcp-option=option:router,10.80.1.1
# SLAAC (for addresses) / DHCPv6 (for DNS)
dhcp-range=fd00:80:1::,ra-stateless,ra-names
dhcp-option=option6:dns-server,fd00:80:1::1
# Despite its name, the switch does not have a smart configuration,
# that would allow me to tell it not to get DHCP from wan,
# but from lan instead.
# So it has to use static configuration.
host-record=switchviech,switchviech.${domain},10.80.1.19
'';
servers = [
"10.64.0.1" # mullvad DNS, should be fastest overall
#"9.9.9.9" # dns.quad9.net
#"2620:fe::fe"
];
};
services.prometheus.exporters.dnsmasq = {
enable = true;
listenAddress = config.sbruder.wireguard.home.address;
leasesPath = "/var/lib/dnsmasq/dnsmasq.leases";
};
networking.firewall.allowedUDPPorts = [ 53 67 ];
networking.firewall.allowedTCPPorts = [ 53 ];
}