Diffstat (limited to 'config/networking')
| -rw-r--r-- | config/networking/default.nix | 78 | ||||
| -rw-r--r-- | config/networking/services/dhcp.nix | 59 | ||||
| -rw-r--r-- | config/networking/services/firewall/ruleset.nix | 80 |
3 files changed, 139 insertions, 78 deletions
diff --git a/config/networking/default.nix b/config/networking/default.nix index 087f791..136be95 100644 --- a/config/networking/default.nix +++ b/config/networking/default.nix @@ -1,10 +1,13 @@ # https://skogsbrus.xyz/blog/2022/06/12/router/ # https://blog.fraggod.net/2017/04/27/wifi-hostapd-configuration-for-80211ac-networks.html -{ config, lib, pkgs, secrets, ... }: - -let cfg = config.personal.networking; +{ + config, + lib, + ... +}: let + cfg = config.personal.networking; in { - imports = [ ./bridges.nix ./services ]; + imports = [./bridges.nix ./services]; options.personal.networking = { networks = lib.mkOption { @@ -31,11 +34,17 @@ in { type = with lib.types; attrsOf (submodule { options = { - address = lib.mkOption { + ip = lib.mkOption { type = lib.types.str; description = "IP address of this machine."; example = "192.168.1.1"; }; + mac = lib.mkOption { + type = with lib.types; nullOr str; + description = "MAC address of this machine."; + default = null; + example = "01:23:45:67:89:ab"; + }; }; }); description = "Some machines connected to this network."; 
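Review bot: The new `mac` option accepts any string, so a mistyped address (wrong separator, five octets) is presumably only caught when Kea parses the generated configuration at service start, at which point DHCP for every subnet fails rather than just the one reservation; the hunk's `type = with lib.types; nullOr str;` should validate the format at evaluation time, e.g. `type = with lib.types; nullOr (strMatching "([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}");`. The renamed `ip` option has the same weakness with `type = lib.types.str`, though that is pre-existing. The description could also say what the value now drives, `description = "MAC address of this machine; when set, a DHCP reservation for its ip is generated.";`. The `machines` submodule this hunk edits begins and ends outside the hunk.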
@@ -51,38 +60,52 @@ in { enable = true; ssh.enable = true; networks = { - lan = let device = "enp4s0"; + lan = let + device = "enp4s0"; in { inherit device; interface = device; subnet = "192.168.1"; machines = { - livebox = { address = "192.168.1.1"; }; - self = { address = "192.168.1.2"; }; + livebox = {ip = "192.168.1.1";}; + self = {ip = "192.168.1.2";}; }; }; wan = { device = "wlp1s0"; interface = "wan"; subnet = "192.168.2"; - machines = { self.address = "192.168.2.1"; }; + machines = {self.ip = "192.168.2.1";}; }; iot = { device = "wlp5s0"; interface = "iot"; subnet = "192.168.3"; machines = { - self.address = "192.168.3.1"; - sonos-move.address = "192.168.3.10"; - sonos-play1.address = "192.168.3.11"; + self.ip = "192.168.3.1"; + sonos-move = { + ip = "192.168.3.10"; + mac = "54:2a:1b:73:7a:1e"; + }; + sonos-play1 = { + ip = "192.168.3.11"; + mac = "5c:aa:fd:44:b2:6a"; + }; }; }; - eth0 = let device = "enp3s0"; + eth0 = let + device = "enp3s0"; in { inherit device; interface = device; subnet = "192.168.4"; - machines = { self.address = "192.168.4.1"; }; + machines = { + self.ip = "192.168.4.1"; + steam-deck = { + ip = "192.168.4.10"; + mac = "10:82:86:22:90:17"; + }; + }; }; }; }; 
@@ -90,25 +113,30 @@ in { networking = { hostName = "kerberos"; domain = "local"; - nameservers = [ cfg.networks.lan.machines.livebox.address ]; + nameservers = [cfg.networks.lan.machines.livebox.ip]; defaultGateway = with cfg.networks.lan; { inherit interface; - inherit (machines.livebox) address; + address = machines.livebox.ip; }; useDHCP = false; dhcpcd.enable = false; - interfaces = lib.concatMapAttrs (name: value: { - "${value.interface}" = { - useDHCP = false; - ipv4.addresses = lib.optional (value.machines ? self) { - inherit (value.machines.self) address; - prefixLength = 24; + interfaces = + lib.concatMapAttrs (_: { + interface, + machines, + ... + }: { + "${interface}" = { + useDHCP = false; + ipv4.addresses = lib.optional (machines ? self) { + address = machines.self.ip; + prefixLength = 24; + }; }; - }; - }) cfg.networks; - + }) + cfg.networks; }; }; } diff --git a/config/networking/services/dhcp.nix b/config/networking/services/dhcp.nix index 1f2d06f..d27bbce 100644 --- a/config/networking/services/dhcp.nix +++ b/config/networking/services/dhcp.nix @@ -1,13 +1,17 @@ -{ config, ... }: - -let +{ + config, + lib, + ... +}: let nets = config.personal.networking.networks; - netdevServices = builtins.map (subnet: "${subnet.interface}-netdev.service") - (with nets; [ wan iot ]); + netdevServices = + builtins.map (subnet: "${subnet.interface}-netdev.service") + (with nets; [wan iot]); in { services.kea.dhcp4 = { enable = true; - settings = let subnets = with nets; [ wan iot eth0 ]; + settings = let + subnets = with nets; [wan iot eth0]; in { interfaces-config = { interfaces = builtins.map (network: network.interface) subnets; 
@@ -31,21 +35,34 @@ in { data = "255.255.255.0"; } ]; - subnet4 = builtins.map (network: { - subnet = "${network.subnet}.0/24"; - option-data = [ - { - name = "broadcast-address"; - data = "${network.subnet}.255"; - } - { - name = "routers"; - data = network.machines.self.address; - } - ]; - inherit (network) interface; - pools = [{ pool = "${network.subnet}.10 - ${network.subnet}.99"; }]; - }) subnets; + subnet4 = + builtins.map (network: { + subnet = "${network.subnet}.0/24"; + option-data = [ + { + name = "broadcast-address"; + data = "${network.subnet}.255"; + } + { + name = "routers"; + data = network.machines.self.ip; + } + ]; + inherit (network) interface; + pools = [{pool = "${network.subnet}.10 - ${network.subnet}.99";}]; + reservations = let + machines = builtins.attrValues (lib.filterAttrs (name: {mac, ...}: name != "self" && mac != null) network.machines); + in + builtins.map ({ + ip, + mac, + }: { + hw-address = mac; + ip-address = ip; + }) + machines; + }) + subnets; }; }; diff --git a/config/networking/services/firewall/ruleset.nix b/config/networking/services/firewall/ruleset.nix index bef7dad..47aa49b 100644 --- a/config/networking/services/firewall/ruleset.nix +++ b/config/networking/services/firewall/ruleset.nix 
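Review bot: The reserved addresses (`.10`, `.11`) fall inside the dynamic pool `${network.subnet}.10 - ${network.subnet}.99` declared two lines above the new `reservations` block, so correctness depends on Kea's default in-subnet reservation mode keeping reserved addresses out of dynamic allocation; that assumption deserves a comment next to `reservations = let`, e.g. `# Reservations overlap the pool; relies on Kea's default reservation mode excluding them from dynamic allocation.`. A reservation only steers which address a given MAC receives; it is not an identity check, and firewall rules that match on these IPs gain no authentication from it. The `name != "self"` guard is redundant with `mac != null` for the current data (`self` never sets `mac`) but is a reasonable belt-and-braces check. The enclosing `subnet4` map closes inside the hunk.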
@@ -1,26 +1,32 @@ -{ lib, nets }: - -let +{ + lib, + nets, +}: let makeTable = args: { - chains = { }; - flowtables = { }; - sets = { }; - maps = { }; - objects = { }; - } // args; + chains = {}; + flowtables = {}; + sets = {}; + maps = {}; + objects = {}; + } + // args; makeFlowtable = args: { hook = "ingress"; priority = "filter"; - devices = [ ]; + devices = []; offload = false; - } // args; - makeBaseChain = type: hook: - { priority ? type, policy ? "drop", rules ? "" }: { - base = { inherit type hook priority policy; }; - inherit rules; - }; + } + // args; + makeBaseChain = type: hook: { + priority ? type, + policy ? "drop", + rules ? "", + }: { + base = {inherit type hook priority policy;}; + inherit rules; + }; rulesCommon = { conntrack = '' ct state vmap { established : accept \ @@ -75,8 +81,8 @@ let ''; player-controller = '' ip protocol udp \ - ip saddr { ${nets.iot.machines.sonos-move.address} \ - , ${nets.iot.machines.sonos-play1.address} } \ + ip saddr { ${nets.iot.machines.sonos-move.ip} \ + , ${nets.iot.machines.sonos-play1.ip} } \ udp sport >30000 \ udp dport >30000 \ accept comment "sonos: app control: player to controller" @@ -101,7 +107,7 @@ in { filter = makeTable { flowtables = { default = makeFlowtable { - devices = lib.mapAttrsToList (_: { device, ... }: device) nets; + devices = lib.mapAttrsToList (_: {device, ...}: device) nets; }; }; chains = { @@ -110,7 +116,9 @@ in { eth0_in.rules = with rulesCommon; dns + dhcp; input = makeBaseChain "filter" "input" { rules = with rulesCommon; - conntrack + ping + '' + conntrack + + ping + + '' meta iifname vmap { lo : accept \ , ${nets.wan.interface} : goto wan_in \ , ${nets.iot.interface} : goto iot_in \ @@ -123,7 +131,9 @@ in { rules = with rulesCommon; '' ip protocol { udp, tcp } flow add @default - '' + conntrack + '' + '' + + conntrack + + '' meta oifname ${nets.lan.interface} accept meta iifname . meta oifname vmap \ { ${nets.wan.interface} . ${nets.iot.interface} \ 
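Review bot: The Sonos allow rule in the `player-controller` hunk still matches on `ip saddr` alone, so any host on the IoT segment that statically configures itself as `.10` or `.11` inherits the accept; now that each machine carries a `mac` attribute, the rule can additionally match the link-layer source, e.g. `ether saddr { ${nets.iot.machines.sonos-move.mac}, ${nets.iot.machines.sonos-play1.mac} } \`. This is defence in depth rather than authentication, and it presumably only works where the chain still sees the original Ethernet header — confirm for the chain that uses this rule, and for the `iot_iot` rules in the later hunk of this file, which have the same IP-only match. Because `mac` is `nullOr`, the interpolation would need an assertion or a non-null guard before the ruleset uses it. The `rulesCommon` attribute set that holds this rule begins and ends outside the hunk.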
@@ -141,7 +151,7 @@ in { policy = "accept"; rules = '' meta oifname ${nets.lan.interface} \ - snat to ${nets.lan.machines.self.address} + snat to ${nets.lan.machines.self.ip} ''; }; }; @@ -151,8 +161,8 @@ in { ip6 = { global6 = makeTable { chains = { - input = makeBaseChain "filter" "input" { }; - forward = makeBaseChain "filter" "forward" { }; + input = makeBaseChain "filter" "input" {}; + forward = makeBaseChain "filter" "forward" {}; }; }; }; @@ -162,18 +172,24 @@ in { chains = { iot_iot.rules = with rulesCommon; '' - ip saddr { ${nets.iot.machines.sonos-move.address} \ - , ${nets.iot.machines.sonos-play1.address} } \ - ip daddr { ${nets.iot.machines.sonos-move.address} \ - , ${nets.iot.machines.sonos-play1.address} } \ + ip saddr { ${nets.iot.machines.sonos-move.ip} \ + , ${nets.iot.machines.sonos-play1.ip} } \ + ip daddr { ${nets.iot.machines.sonos-move.ip} \ + , ${nets.iot.machines.sonos-play1.ip} } \ accept comment "sonos: player to player" - '' + ssdp + sonos.player-controller + sonos.controller-player; + '' + + ssdp + + sonos.player-controller + + sonos.controller-player; wan_wan.rules = with rulesCommon; syncthing + kdeconnect; forward = makeBaseChain "filter" "forward" { rules = with rulesCommon; - conntrack + '' + conntrack + + '' ether type vmap { ip6 : drop, arp : accept } - '' + ping + '' + '' + + ping + + '' meta ibrname . meta obrname vmap \ { ${nets.wan.interface} . ${nets.wan.interface} : goto wan_wan \ , ${nets.iot.interface} . ${nets.iot.interface} : goto iot_iot } @@ -183,7 +199,6 @@ in { }; }; } - # chain steam { # # https://help.steampowered.com/en/faqs/view/2EA8-4D75-DA21-31EB # ip protocol { udp, tcp } \ @@ -208,3 +223,4 @@ in { # udp dport { 3478, 4379, 4380, 27014-27030 } \ # accept comment "steam: p2p, voice chat" # } + |
