| -rw-r--r-- | config/networking/default.nix | 100 | ||||
| -rw-r--r-- | config/networking/services/ap.nix | 20 | ||||
| -rw-r--r-- | config/networking/services/dhcp.nix | 35 | ||||
| -rw-r--r-- | config/networking/services/dns.nix | 8 | ||||
| -rw-r--r-- | config/networking/services/firewall.nix | 111 | ||||
| -rw-r--r-- | secrets.nix | 8 |
6 files changed, 141 insertions, 141 deletions
diff --git a/config/networking/default.nix b/config/networking/default.nix index bcaf989..0bf3cbc 100644 --- a/config/networking/default.nix +++ b/config/networking/default.nix @@ -2,25 +2,37 @@ # https://blog.fraggod.net/2017/04/27/wifi-hostapd-configuration-for-80211ac-networks.html { config, lib, pkgs, secrets, ... }: -let - cfg = config.personal.networking; +let cfg = config.personal.networking; in { imports = [ ./nat.nix ./services ]; options.personal.networking = { interfaces = lib.mkOption { - type = with lib.types; attrsOf str; - description = "Reusable names for network devices."; - example = { - eth = "enp4s0"; - }; - }; - subnets = lib.mkOption { - type = with lib.types; attrsOf str; - description = "Reusable names for subnets."; - example = { - private = "192.168.1"; - }; + type = with lib.types; + attrsOf (submodule { + interface = lib.mkOption { + type = lib.types.str; + description = "Name of the network interface."; + example = "enp4s0"; + }; + subnet = lib.mkOption { + type = lib.types.str; + description = "IPv4 subnet of the network."; + example = "192.168.1"; + }; + machines = lib.mkOption { + type = with lib.types; + attrsOf (submodule { + address = lib.mkOption { + type = lib.types.str; + description = "IP address of this machine."; + example = "192.168.1.1"; + }; + }); + description = "Some machines connected to this network."; + }; + }); + description = "Networks this device belongs to."; }; }; 
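Review bot: The option is still declared under `interfaces = lib.mkOption {` (an unchanged context line) while this same commit sets and reads `personal.networking.networks` everywhere else (the second hunk of this file, ap.nix, dhcp.nix, dns.nix and firewall.nix), so unless a rename happens outside the hunk the module system should reject the configuration as defining an option that does not exist. The declaration line should become `networks = lib.mkOption {`. Separately, as I read `lib.types.submodule`, the attrset it receives is a module, so the `interface`, `subnet` and `machines` declarations need to sit under an `options = { ... };` key rather than directly inside `submodule { ... }`. The `machines.self` convention the rest of the change relies on is worth stating in the description, e.g. `description = "Machines on this network; the entry named self is this host and supplies its own address.";`.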
@@ -28,15 +40,25 @@ in { personal.networking = { enable = true; ssh.enable = true; - interfaces = { - eth = "enp4s0"; - wlp2ghz = "wlp5s0"; - wlp5ghz = "wlp1s0"; - }; - subnets = { - public = "192.168.1"; - private = "192.168.2"; - iot = "192.168.3"; + networks = { + lan = { + interface = "enp4s0"; + subnet = "192.168.1"; + machines = { + livebox = { address = "192.168.1.1"; }; + self = { address = "192.168.1.2"; }; + }; + }; + wan = { + interface = "wlp1s0"; + subnet = "192.168.2"; + machines = { self.address = "192.168.2.1"; }; + }; + iot = { + interface = "wlp5s0"; + subnet = "192.168.3"; + machines = { self.address = "192.168.3.1"; }; + }; }; }; @@ -44,35 +66,21 @@ in { hostName = "kerberos"; domain = "local"; - defaultGateway = { - address = "${cfg.subnets.public}.1"; - interface = cfg.interfaces.eth; + defaultGateway = with cfg.networks.lan; { + inherit interface; + inherit (machines.livebox) address; }; dhcpcd.enable = false; - interfaces = { - "${cfg.interfaces.eth}" = { + interfaces = lib.concatMapAttrs (name: value: { + "${value.interface}" = { useDHCP = false; - ipv4.addresses = [{ - address = "${cfg.subnets.public}.2"; + ipv4.address = lib.optional (value.machines ? self) { + inherit (value.machines) address; prefixLength = 24; - }]; + }; }; - "${cfg.interfaces.wlp5ghz}" = { - useDHCP = false; - ipv4.addresses = [{ - address = "${cfg.subnets.private}.1"; - prefixLength = 24; - }]; - }; - "${cfg.interfaces.wlp2ghz}" = { - useDHCP = false; - ipv4.addresses = [{ - address = "${cfg.subnets.iot}.1"; - prefixLength = 24; - }]; - }; - }; + }) cfg.networks; }; }; } diff --git a/config/networking/services/ap.nix b/config/networking/services/ap.nix index f5f399b..202cff5 100644 --- a/config/networking/services/ap.nix +++ b/config/networking/services/ap.nix 
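Review bot: The network named `wan` here is the one this host serves itself (wlp1s0, 192.168.2.0/24, with `self` as the only machine), while the uplink toward the `livebox` gateway is called `lan`, which inverts the usual meaning of the two words and will mislead anyone reading the firewall rules, where `wan.interface` is the interface allowed to forward and `lan.interface` the one masqueraded toward. Role-describing names such as `uplink` for enp4s0 and `private` for wlp1s0 (the removed `subnets` used `public`/`private`/`iot`) would be clearer. Since the attribute names are referenced across every other file in this commit, such a rename is mechanical but touches all of them.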
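Review bot: `ipv4.address = lib.optional (value.machines ? self) {` writes to an option that does not exist; the NixOS per-interface option is `ipv4.addresses` (the removed lines used it), so it should read `ipv4.addresses = lib.optional (value.machines ? self) {`. In the same block `inherit (value.machines) address;` looks up `address` on the machines set itself rather than on its `self` entry and should be `inherit (value.machines.self) address;`, which is what the `? self` guard suggests was intended. `lib.optional` returning a list matches the list type of `addresses`, so that part is fine once the name is corrected.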
@@ -78,9 +78,9 @@ let tx_queue_data0_cwmax=7 tx_queue_data0_burst=1.5 '' + extraConfig); - hostapd2ghzConf = makeHostapdConf { - name = "2ghz"; - interface = config.personal.networking.interfaces.wlp2ghz; + hostapdIotConf = makeHostapdConf { + name = "iot"; + interface = config.personal.networking.networks.iot.interface; ssid = "Quentinternet of Things"; hwMode = "g"; channel = 0; @@ -91,9 +91,9 @@ let ht_capab=[HT40+][SHORT-GI-40][TX-STBC][RX-STBC1][DSSS_CCK-40] ''; }; - hostapd5ghzConf = makeHostapdConf { - name = "5ghz"; - interface = config.personal.networking.interfaces.wlp5ghz; + hostapdWanConf = makeHostapdConf { + name = "wan"; + interface = config.personal.networking.networks.wan.interface; ssid = "Quentintranet"; hwMode = "a"; channel = 36; @@ -119,9 +119,9 @@ in { }; systemd.services.hostapd = let - interfaces = with config.personal.networking.interfaces; [ - wlp2ghz - wlp5ghz + interfaces = with config.personal.networking.networks; [ + wan.interface + iot.interface ]; netDevices = builtins.map (interface: "sys-subsystem-net-devices-${utils.escapeSystemdPath interface}.device") @@ -130,7 +130,7 @@ in { builtins.map (interface: "network-link-${interface}.service") interfaces; in { serviceConfig.ExecStart = lib.mkForce - "${pkgs.hostapd}/bin/hostapd ${hostapd2ghzConf} ${hostapd5ghzConf}"; + "${pkgs.hostapd}/bin/hostapd ${hostapdIotConf} ${hostapdWanConf}"; after = lib.mkForce netDevices; bindsTo = lib.mkForce netDevices; requiredBy = lib.mkForce networkLinkServices; diff --git a/config/networking/services/dhcp.nix b/config/networking/services/dhcp.nix index 9953389..cca9328 100644 --- a/config/networking/services/dhcp.nix +++ b/config/networking/services/dhcp.nix 
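Review bot: `${hostapdIotConf}` and `${hostapdWanConf}` in `ExecStart` are store paths produced by `makeHostapdConf` (its body lies outside these hunks); if that function interpolates the `passphrase` values that secrets.nix obtains with `builtins.readFile`, the Wi-Fi passphrases end up in the world-readable Nix store and in derivation inputs, and the rename in this commit leaves that unchanged. A safer shape keeps only a `wpa_psk_file=` reference or a placeholder in the store-side config and has the passphrase read from `/etc/hostapd/` at service start, for instance through a systemd `LoadCredential=` plus an `ExecStartPre` substitution into a runtime directory. If the passphrases are already kept out of the generated conf, a one-line comment on `makeHostapdConf` saying so would spare the next reader the same check.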
@@ -1,26 +1,21 @@ { config, ... }: -let cfg = config.personal.networking; +let + makeSubnet = network: '' + subnet ${network.subnet}.0 netmask 255.255.255.0 { + option broadcast-address ${network.subnet}.255; + option routers ${network.machines.self.address}; + interface ${network.interface}; + range ${network.subnet}.10 ${network.subnet}.99 + } + ''; in { - services.dhcpd4 = { + services.dhcpd4 = with config.personal.networking.networks; { enable = true; - interfaces = with cfg.interfaces; [ wlp2ghz wlp5ghz ]; - extraConfig = with cfg.subnets; '' - option domain-name-servers ${public}.1, 9.9.9.9; - subnet ${private}.0 netmask 255.255.255.0 { - option broadcast-address ${private}.255; - option routers ${private}.1; - option subnet-mask 255.255.255.0; - interface ${cfg.interfaces.wlp5ghz}; - range ${private}.10 ${private}.99; - } - subnet ${iot}.0 netmask 255.255.255.0 { - option broadcast-address ${iot}.255; - option routers ${iot}.1; - option subnet-mask 255.255.255.0; - interface ${cfg.interfaces.wlp2ghz}; - range ${iot}.10 ${iot}.99 - } - ''; + interfaces = [ wan.interface iot.interface ]; + extraConfig = '' + option domain-name-servers ${lan.subnet}.1, 9.9.9.9; + option subnet-mask 255.255.255.0; + '' + makeSubnet wan + makeSubnet iot; }; } diff --git a/config/networking/services/dns.nix b/config/networking/services/dns.nix index 9e26b41..5c06eeb 100644 --- a/config/networking/services/dns.nix +++ b/config/networking/services/dns.nix 
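Review bot: `option domain-name-servers ${lan.subnet}.1, 9.9.9.9;` hands clients on the `wan` and `iot` networks resolvers that live beyond the uplink, while unbound (dns.nix) listens on `${wan.subnet}.1` and `${iot.subnet}.1` and the nftables `inbound_wan`/`inbound_iot` chains open port 53 precisely there; once the `forward` chain in firewall.nix is attached to the forward hook as intended, `iot` clients cannot reach either advertised server and lose DNS entirely. Emitting the local resolver per subnet inside `makeSubnet`, `option domain-name-servers ${network.machines.self.address};`, keeps clients on the resolver the firewall actually exposes. Two smaller points: `${lan.subnet}.1` duplicates `lan.machines.livebox.address` from default.nix, and the `range ${network.subnet}.10 ${network.subnet}.99` line in `makeSubnet` has no terminating `;`, which as far as I recall ISC dhcpd requires (the removed `iot` block had the same omission, the removed `private` block did not).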
@@ -1,18 +1,18 @@ { config, ... }: -let cfg = config.personal.networking; +let nets = config.personal.networking.networks; in { services.unbound = { enable = true; settings = { server = { interface = - [ "127.0.0.1" "${cfg.subnets.private}.1" "${cfg.subnets.iot}.1" ]; + [ "127.0.0.1" "${nets.wan.subnet}.1" "${nets.iot.subnet}.1" ]; access-control = [ "0.0.0.0/0 refuse" "127.0.0.0/8 allow" - "${cfg.subnets.private}.0/24 allow" - "${cfg.subnets.iot}.0/24 allow" + "${nets.wan.subnet}.0/24 allow" + "${nets.iot.subnet}.0/24 allow" ]; }; }; diff --git a/config/networking/services/firewall.nix b/config/networking/services/firewall.nix index 767e122..1d8a297 100644 --- a/config/networking/services/firewall.nix +++ b/config/networking/services/firewall.nix 
@@ -1,75 +1,72 @@ { config, ... }: -let cfg = config.personal.networking; - ifaces = cfg.interfaces; +let nets = config.personal.networking.networks; in { - boot.kernel.sysctl = { - "net.ipv4.conf.all.forwarding" = true; - }; + boot.kernel.sysctl = { "net.ipv4.conf.all.forwarding" = true; }; networking = { nftables = { enable = true; - ruleset = '' - table ip global { - chain inbound_public { - icmp type echo-request limit rate 5/second accept - } - chain inbound_private { - icmp type echo-request limit rate 5/second accept - ip protocol . th dport { tcp . 22 \ - , udp . 53 \ - , tcp . 53 \ - , udp . 67 } accept - } - chain inbound_iot { - icmp type echo-request limit rate 5/second accept - ip protocol . th dport { udp . 53 \ - , tcp . 53 \ - , udp . 67 } accept - } - chain inbound { - type filter hook input priority 0; policy drop; - icmp type echo-request limit rate 5/second accept - ct state vmap { { established \ - , related } : accept \ - , invalid : drop } - meta iifname vmap { lo : accept \ - , ${ifaces.eth} : jump inbound_public \ - , ${ifaces.wlp5ghz} : jump inbound_private \ - , ${ifaces.wlp2ghz} : jump inbound_iot } - } + ruleset = with nets; '' + table ip global { + chain inbound_lan { + icmp type echo-request limit rate 5/second accept + } + chain inbound_wan { + icmp type echo-request limit rate 5/second accept + ip protocol . th dport { tcp . 22 \ + , udp . 53 \ + , tcp . 53 \ + , udp . 67 } accept + } + chain inbound_iot { + icmp type echo-request limit rate 5/second accept + ip protocol . th dport { udp . 53 \ + , tcp . 53 \ + , udp . 
67 } accept + } + chain inbound { + type filter hook input priority 0; policy drop; + icmp type echo-request limit rate 5/second accept + ct state vmap { { established \ + , related } : accept \ + , invalid : drop } + meta iifname vmap { lo : accept \ + , ${lan.interface} : jump inbound_lan \ + , ${wan.interface} : jump inbound_wan \ + , ${iot.interface} : jump inbound_iot } + } - chain forward { - type filter hook input priority 0; policy drop; - ct state vmap { { established \ - , related } : accept \ - , invalid : drop } - meta oifname ${ifaces.eth} accept - meta iifname ${ifaces.wlp5ghz} accept - meta iifname ${ifaces.wlp2ghz} meta oifname ${ifaces.wlp2ghz} accept + chain forward { + type filter hook input priority 0; policy drop; + ct state vmap { { established \ + , related } : accept \ + , invalid : drop } + meta oifname ${lan.interface} accept + meta iifname ${wan.interface} accept + meta iifname ${iot.interface} meta oifname ${iot.interface} accept + } } - } - table ip nat { - chain postrouting { - type nat hook postrouting priority 100; policy accept; - meta oifname ${ifaces.eth} masquerade + table ip nat { + chain postrouting { + type nat hook postrouting priority 100; policy accept; + meta oifname ${lan.interface} masquerade + } } - } - table ip6 global6 { - chain input { - type filter hook input priority 0; policy drop; - } - chain forward { - type filter hook forward priority 0; policy drop; - } - } + table ip6 global6 { + chain input { + type filter hook input priority 0; policy drop; + } + chain forward { + type filter hook forward priority 0; policy drop; + } + } ''; }; firewall.enable = false; }; } - + diff --git a/secrets.nix b/secrets.nix index 542fb40..a49baee 100644 --- a/secrets.nix +++ b/secrets.nix 
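Review bot: `chain forward` is declared with `type filter hook input priority 0; policy drop;`, making it a second base chain on the input hook rather than on the forward hook (compare the ip6 `forward` chain further down, which uses `hook forward`); the commit re-indents the block but carries this line over. With `net.ipv4.conf.all.forwarding` enabled in the same hunk and no chain on the ip forward hook, routed traffic between `lan`, `wan` and `iot` is not filtered at all, so the intended `iot`-only-to-`iot` confinement and the masquerade-only-via-`lan` path are not enforced, and as I read nftables semantics inbound packets are additionally subjected to this chain's rules and drop policy. The fix is the single line `type filter hook forward priority 0; policy drop;`; after it, the resolvers advertised in dhcp.nix will need revisiting since `iot` will no longer reach the uplink.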
@@ -1,10 +1,10 @@ { wifi = { - "2ghz" = { - passphrase = builtins.readFile "/etc/hostapd/hostapd.2ghz.pw"; + iot = { + passphrase = builtins.readFile "/etc/hostapd/hostapd.iot.pw"; }; - "5ghz" = { - passphrase = builtins.readFile "/etc/hostapd/hostapd.5ghz.pw"; + wan = { + passphrase = builtins.readFile "/etc/hostapd/hostapd.wan.pw"; }; }; } |
