222 lines
6 KiB
Nix
222 lines
6 KiB
Nix
# Home network configuration
|
||
#
|
||
# +----------+ +---------------+
|
||
# | | | +-+-+---+ |
|
||
# | +|-|-|-|-|+ | |
|
||
# +---+----+ |5 4 3 2 1| | +--+--+
|
||
# |upstream| |TL-SG105 | | |fuuko|
|
||
# +--------+ +---------+ | +-----+
|
||
# |
|
||
# ( clients )
|
||
#
|
||
# It consists of fuuko as a router (this configuration),
|
||
# connected to a TP-LINK TL-SG105E “smart managed” (i.e., it can do VLANs) 5-port switch.
|
||
# The upstream comes from some plasic Huawei router/AP I don’t control.
|
||
#
|
||
# The VLANs are configured as follows:
|
||
# Port | VLAN | ID(s)
|
||
# 5 | untagged | 2
|
||
# 4 | tagged | 2,3
|
||
# 1-3 | untagged | 3
|
||
#
|
||
# Wireless currently still is done by a separate GL.iNet GL-MT300N-V2 running OpenWRT,
|
||
# but this will be changed to a Intel Wireless-AC 9260 in fuuko at a later date.
|
||
{ config, lib, ... }:
|
||
let
|
||
domain = "home.sbruder.de";
|
||
in
|
||
{
|
||
sops.secrets.wg-mullvad-private-key = {
|
||
owner = config.users.users.systemd-network.name;
|
||
sopsFile = ../secrets.yaml;
|
||
};
|
||
|
||
boot.kernel.sysctl = {
|
||
"net.ipv4.conf.all.forwarding" = true;
|
||
};
|
||
|
||
networking = {
|
||
# networkd handles this
|
||
useDHCP = false;
|
||
# networkd didn’t work that well for this
|
||
nat = {
|
||
enable = true;
|
||
enableIPv6 = true;
|
||
externalInterface = "wg-mullvad";
|
||
internalInterfaces = [ "lan" ];
|
||
internalIPv6s = [ "fd00:80:1::/64" ];
|
||
};
|
||
};
|
||
|
||
systemd.network = {
|
||
enable = true;
|
||
netdevs = {
|
||
wan = {
|
||
netdevConfig = {
|
||
Kind = "vlan";
|
||
Name = "wan";
|
||
};
|
||
vlanConfig = {
|
||
Id = 2;
|
||
};
|
||
};
|
||
lan = {
|
||
netdevConfig = {
|
||
Kind = "vlan";
|
||
Name = "lan";
|
||
};
|
||
vlanConfig = {
|
||
Id = 3;
|
||
};
|
||
};
|
||
wg-mullvad = {
|
||
netdevConfig = {
|
||
Kind = "wireguard";
|
||
Name = "wg-mullvad";
|
||
};
|
||
wireguardConfig = {
|
||
PrivateKeyFile = config.sops.secrets.wg-mullvad-private-key.path;
|
||
FirewallMark = 51820;
|
||
};
|
||
wireguardPeers = lib.singleton {
|
||
wireguardPeerConfig = {
|
||
Endpoint = "146.70.117.194:51820";
|
||
PublicKey = "ydXFN45/kROELJrF6id+uIrnS5DvTKSCkZDjfL9De2Q=";
|
||
AllowedIPs = [ "0.0.0.0/0" "::0/0" ];
|
||
PersistentKeepalive = 25;
|
||
};
|
||
};
|
||
};
|
||
};
|
||
networks = {
|
||
physical = {
|
||
name = "enp8s0";
|
||
vlan = [ "wan" "lan" ];
|
||
# no autoconfiguration needed, only tagged VLAN
|
||
networkConfig = {
|
||
LinkLocalAddressing = "no";
|
||
LLDP = "no";
|
||
EmitLLDP = "no";
|
||
IPv6AcceptRA = "no";
|
||
IPv6SendRA = "no";
|
||
};
|
||
};
|
||
wan = {
|
||
name = "wan";
|
||
matchConfig = {
|
||
Type = "vlan";
|
||
};
|
||
networkConfig = {
|
||
# Upstream provides no IPv6 :(
|
||
# If this is not set, it waits and fails systemd-networkd-wait-online
|
||
LinkLocalAddressing = "no";
|
||
IPv6AcceptRA = "no";
|
||
};
|
||
DHCP = "ipv4";
|
||
dhcpV4Config = {
|
||
UseDNS = "no";
|
||
};
|
||
};
|
||
lan = {
|
||
name = "lan";
|
||
matchConfig = {
|
||
Type = "vlan";
|
||
};
|
||
domains = [ domain ];
|
||
address = [ "10.80.1.1/24" "fd00:80:1::1/64" ];
|
||
};
|
||
wg-mullvad = {
|
||
name = "wg-mullvad";
|
||
address = [ "10.66.208.88/32" "fc00:bbbb:bbbb:bb01::3:d057/128" ];
|
||
dns = [ "10.64.0.1" ];
|
||
routingPolicyRules = [
|
||
{
|
||
routingPolicyRuleConfig = {
|
||
FirewallMark = 51820;
|
||
InvertRule = "yes";
|
||
Table = 51820;
|
||
Priority = 10;
|
||
#SuppressPrefixLength = 0; # can’t be used here (forwarding does not work with it)
|
||
};
|
||
}
|
||
# FIXME: those two shouldn’t be necessary
|
||
# It should automatically detect those routes existing and prioritise them
|
||
{
|
||
routingPolicyRuleConfig = {
|
||
To = "10.80.0.0/24";
|
||
Priority = 9;
|
||
};
|
||
}
|
||
{
|
||
routingPolicyRuleConfig = {
|
||
To = "10.80.1.0/24";
|
||
Priority = 9;
|
||
};
|
||
}
|
||
];
|
||
routes = [
|
||
{
|
||
routeConfig = {
|
||
Gateway = "0.0.0.0"; # point-to-point connection
|
||
Table = 51820;
|
||
};
|
||
}
|
||
{
|
||
routeConfig = {
|
||
Gateway = "::";
|
||
};
|
||
}
|
||
];
|
||
};
|
||
};
|
||
};
|
||
services.resolved.enable = false;
|
||
|
||
services.dnsmasq = {
|
||
enable = true;
|
||
|
||
extraConfig = ''
|
||
bogus-priv # do not forward revese lookups of internal addresses
|
||
domain-needed # do not forward names without domain
|
||
interface=lan # only respond to queries from lan
|
||
no-hosts # do not resolve hosts from /etc/hosts
|
||
no-resolv # only use explicitly configured resolvers
|
||
|
||
cache-size=10000
|
||
|
||
domain=${domain}
|
||
# Allow resolving the router
|
||
interface-name=${config.networking.hostName}.${domain},lan
|
||
interface-name=${config.networking.hostName},lan
|
||
|
||
# DHCPv4
|
||
dhcp-range=10.80.1.20,10.80.1.150,12h
|
||
dhcp-option=option:router,10.80.1.1
|
||
|
||
# SLAAC (for addresses) / DHCPv6 (for DNS)
|
||
dhcp-range=fd00:80:1::,ra-stateless,ra-names
|
||
dhcp-option=option6:dns-server,fd00:80:1::1
|
||
|
||
# Despite its name, the switch does not have a “smart” configuration,
|
||
# that would allow me to tell it not to get DHCP from wan,
|
||
# but from lan instead.
|
||
# So it has to use static configuration.
|
||
host-record=switchviech,switchviech.${domain},10.80.1.19
|
||
'';
|
||
servers = [
|
||
"10.64.0.1" # mullvad DNS, should be fastest overall
|
||
#"9.9.9.9" # dns.quad9.net
|
||
#"2620:fe::fe"
|
||
];
|
||
};
|
||
|
||
services.prometheus.exporters.dnsmasq = {
|
||
enable = true;
|
||
listenAddress = config.sbruder.wireguard.home.address;
|
||
leasesPath = "/var/lib/dnsmasq/dnsmasq.leases";
|
||
};
|
||
|
||
networking.firewall.allowedUDPPorts = [ 53 67 ];
|
||
networking.firewall.allowedTCPPorts = [ 53 ];
|
||
}
|