nixos-config/machines/shinobu/services/router/default.nix

190 lines
5.2 KiB
Nix
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Home network configuration
# (2.5GbE clients)
# | |
# +----------+ +----------+
# | | | | | | (1GbE clients)
# | | | | | +|-|-|-|-|+
# +---+----+ +-+-+-+-+-+ |5 4 3 2 1|
# |upstream| | 1 2 3 4 | |TL-SG105 |
# +--------+ | shinobu | +---------+
# +---------+
#
# It consists of shinobu as a router (this configuration),
# connected to a TP-LINK TL-SG105E “smart managed” (i.e., it can do VLANs) 5-port switch.
# The upstream comes (for now) from a PŸUR “WLAN-Kabelbox” (Compal CH7467CE).
# Sadly, I could not enable bridge mode on it, so the packets now go through (at least) four layers of NAT:
# device → NAT on shinobu (→ NAT on plastic router → PŸUR CGNAT) → NAT on VPN
#
# Because the switch only supports GbE,
# the two clients I currently have with support for 2.5GbE are connected
# directly to the two remaining network interfaces on shinobu.
# Once I have more devices with support for 2.5GbE
# or I find a good deal on a matching switch,
# I will change this.
#
# Wireless is configured by providing the whole hostapd configuration file as a secret.
# Once nixpkgs PR 222536 is merged, I will migrate to using the NixOS module.
# Thanks to Intels wisdom, its not possible to use 5GHz in AP mode.
{ config, lib, pkgs, ... }:
let
cfg = import ./common.nix;
in
{
imports = [
./dnsmasq.nix
./nft.nix
./wlan.nix
];
boot.kernel.sysctl = {
"net.ipv4.conf.all.forwarding" = true;
"net.ipv6.conf.all.forwarding" = true;
};
environment.systemPackages = with pkgs; [
ethtool
];
sops.secrets.wg-upstream-private-key = {
owner = config.users.users.systemd-network.name;
sopsFile = ../../secrets.yaml;
};
networking.useDHCP = false;
systemd.network = {
enable = true;
# not all interfaces need to be up
wait-online.extraArgs = [ "--any" ];
netdevs = {
br-lan = {
netdevConfig = {
Name = "br-lan";
Kind = "bridge";
};
};
wg-upstream = {
netdevConfig = {
Kind = "wireguard";
Name = "wg-upstream";
};
wireguardConfig = {
PrivateKeyFile = config.sops.secrets.wg-upstream-private-key.path;
FirewallMark = 51820;
};
wireguardPeers = lib.singleton {
wireguardPeerConfig = with cfg.wg-upstream; {
Endpoint = endpoint.full;
PublicKey = publicKey;
AllowedIPs = [ "0.0.0.0/0" "::0/0" ];
PersistentKeepalive = 25;
};
};
};
};
networks = {
wan = {
name = "enp1s0";
DHCP = "ipv4";
networkConfig = {
IPv6AcceptRA = "yes";
};
dhcpV4Config = {
UseDNS = "no";
};
ipv6AcceptRAConfig = {
# Only use RA
DHCPv6Client = false;
UseDNS = "no";
};
};
lan1 = {
name = "enp2s0";
bridge = [ "br-lan" ];
};
lan2 = {
name = "enp3s0";
bridge = [ "br-lan" ];
};
lan3 = {
name = "enp4s0";
bridge = [ "br-lan" ];
};
br-lan = {
name = "br-lan";
domains = [ cfg.domain ];
address = [ "10.80.1.1/24" "fd00:80:1::1/64" ];
};
wg-upstream = {
name = "wg-upstream";
address = cfg.wg-upstream.addresses;
routingPolicyRules = [
{
routingPolicyRuleConfig = {
Family = "both"; # default is only ipv4
FirewallMark = 51820;
InvertRule = "yes";
Table = 51820;
Priority = 10;
#SuppressPrefixLength = 0; # cant be used here (forwarding does not work with it)
};
}
# FIXME: those two shouldnt be necessary
# It should automatically detect those routes existing and prioritise them
# LAN (v4)
{
routingPolicyRuleConfig = {
To = "10.80.1.0/24";
Priority = 9;
};
}
# LAN (v6)
{
routingPolicyRuleConfig = {
To = "fd00:80:1::/64";
Priority = 9;
};
}
# wg-home
{
routingPolicyRuleConfig = {
To = "10.80.0.0/24";
Priority = 9;
};
}
# VPN bypass
{
routingPolicyRuleConfig = {
Family = "both"; # welcome in the year 2023, where ipv4 is the default
FirewallMark = cfg.vpnBypassFwMark;
Priority = 9;
};
}
# plastic router
{
routingPolicyRuleConfig = {
To = "192.168.0.0/24";
Priority = 9;
};
}
];
routes = [
{
routeConfig = {
Gateway = "0.0.0.0"; # point-to-point connection
Table = 51820;
};
}
{
routeConfig = {
Gateway = "::";
Table = 51820;
};
}
];
};
};
};
services.resolved.enable = false;
}