Diffstat (limited to 'config/networking')
-rw-r--r--config/networking/default.nix100
-rw-r--r--config/networking/services/ap.nix20
-rw-r--r--config/networking/services/dhcp.nix35
-rw-r--r--config/networking/services/dns.nix8
-rw-r--r--config/networking/services/firewall.nix111
5 files changed, 137 insertions, 137 deletions
diff --git a/config/networking/default.nix b/config/networking/default.nix
index bcaf989..0bf3cbc 100644
--- a/config/networking/default.nix
+++ b/config/networking/default.nix
@@ -2,25 +2,37 @@
# https://blog.fraggod.net/2017/04/27/wifi-hostapd-configuration-for-80211ac-networks.html
{ config, lib, pkgs, secrets, ... }:
-let
- cfg = config.personal.networking;
+let cfg = config.personal.networking;
in {
imports = [ ./nat.nix ./services ];
options.personal.networking = {
interfaces = lib.mkOption {
- type = with lib.types; attrsOf str;
- description = "Reusable names for network devices.";
- example = {
- eth = "enp4s0";
- };
- };
- subnets = lib.mkOption {
- type = with lib.types; attrsOf str;
- description = "Reusable names for subnets.";
- example = {
- private = "192.168.1";
- };
+ type = with lib.types;
+ attrsOf (submodule {
+ interface = lib.mkOption {
+ type = lib.types.str;
+ description = "Name of the network interface.";
+ example = "enp4s0";
+ };
+ subnet = lib.mkOption {
+ type = lib.types.str;
+ description = "IPv4 subnet of the network.";
+ example = "192.168.1";
+ };
+ machines = lib.mkOption {
+ type = with lib.types;
+ attrsOf (submodule {
+ address = lib.mkOption {
+ type = lib.types.str;
+ description = "IP address of this machine.";
+ example = "192.168.1.1";
+ };
+ });
+ description = "Some machines connected to this network.";
+ };
+ });
+ description = "Networks this device belongs to.";
};
};
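Review bot: The option receiving the new submodule type is still declared as `interfaces` (the context line `interfaces = lib.mkOption {` is untouched), while the configuration in the next hunk and the readers in ap.nix, dhcp.nix, dns.nix and firewall.nix all use `personal.networking.networks`; as written, evaluation should fail with an undeclared-option error for `networks`, so the declaration needs to become `networks = lib.mkOption {`. Separately, a submodule body that declares options has to wrap them, e.g. `submodule { options = { interface = lib.mkOption { … }; … }; }`; both the outer submodule and the inner `machines` one pass the `mkOption` attrs as the module itself, which the module system treats as config rather than option declarations, as far as I can tell. The `example` that existed on `interfaces` is dropped without a replacement; an `example` on `networks` showing one network with `interface`, `subnet` and `machines.self.address` would document the new shape.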
@@ -28,15 +40,25 @@ in {
personal.networking = {
enable = true;
ssh.enable = true;
- interfaces = {
- eth = "enp4s0";
- wlp2ghz = "wlp5s0";
- wlp5ghz = "wlp1s0";
- };
- subnets = {
- public = "192.168.1";
- private = "192.168.2";
- iot = "192.168.3";
+ networks = {
+ lan = {
+ interface = "enp4s0";
+ subnet = "192.168.1";
+ machines = {
+ livebox = { address = "192.168.1.1"; };
+ self = { address = "192.168.1.2"; };
+ };
+ };
+ wan = {
+ interface = "wlp1s0";
+ subnet = "192.168.2";
+ machines = { self.address = "192.168.2.1"; };
+ };
+ iot = {
+ interface = "wlp5s0";
+ subnet = "192.168.3";
+ machines = { self.address = "192.168.3.1"; };
+ };
};
};
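Review bot: The names `lan` and `wan` are the reverse of the roles the rest of the change gives them: `lan` is the interface toward the upstream gateway `livebox` (it becomes `defaultGateway` and the masquerade target in firewall.nix), while `wan` is a hostapd access point serving the private 192.168.2 clients. A chain such as `inbound_wan` accepting ssh then reads as "ssh from the upstream side", which is the kind of misreading that matters in a firewall. Consider names that follow the role, e.g. `upstream`/`private` (or keeping the removed `public`/`private`/`iot` names), or at least a one-line comment on each network stating which side it faces.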
@@ -44,35 +66,21 @@ in {
hostName = "kerberos";
domain = "local";
- defaultGateway = {
- address = "${cfg.subnets.public}.1";
- interface = cfg.interfaces.eth;
+ defaultGateway = with cfg.networks.lan; {
+ inherit interface;
+ inherit (machines.livebox) address;
};
dhcpcd.enable = false;
- interfaces = {
- "${cfg.interfaces.eth}" = {
+ interfaces = lib.concatMapAttrs (name: value: {
+ "${value.interface}" = {
useDHCP = false;
- ipv4.addresses = [{
- address = "${cfg.subnets.public}.2";
+ ipv4.address = lib.optional (value.machines ? self) {
+ inherit (value.machines) address;
prefixLength = 24;
- }];
+ };
};
- "${cfg.interfaces.wlp5ghz}" = {
- useDHCP = false;
- ipv4.addresses = [{
- address = "${cfg.subnets.private}.1";
- prefixLength = 24;
- }];
- };
- "${cfg.interfaces.wlp2ghz}" = {
- useDHCP = false;
- ipv4.addresses = [{
- address = "${cfg.subnets.iot}.1";
- prefixLength = 24;
- }];
- };
- };
+ }) cfg.networks;
};
};
}
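Review bot: The new `interfaces` builder uses `ipv4.address` where the NixOS option is `ipv4.addresses` (plural, a list — the removed lines had it right), and `inherit (value.machines) address;` reads `address` from the `machines` attrset rather than from the `self` entry that was just tested for. Both lines need to change: `ipv4.addresses = lib.optional (value.machines ? self) {` and `inherit (value.machines.self) address;`. `lib.concatMapAttrs` is a fairly recent addition to nixpkgs' lib; if this configuration must evaluate on an older channel, `lib.mapAttrs'` with `lib.nameValuePair` is the older equivalent.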
diff --git a/config/networking/services/ap.nix b/config/networking/services/ap.nix
index f5f399b..202cff5 100644
--- a/config/networking/services/ap.nix
+++ b/config/networking/services/ap.nix
@@ -78,9 +78,9 @@ let
tx_queue_data0_cwmax=7
tx_queue_data0_burst=1.5
'' + extraConfig);
- hostapd2ghzConf = makeHostapdConf {
- name = "2ghz";
- interface = config.personal.networking.interfaces.wlp2ghz;
+ hostapdIotConf = makeHostapdConf {
+ name = "iot";
+ interface = config.personal.networking.networks.iot.interface;
ssid = "Quentinternet of Things";
hwMode = "g";
channel = 0;
@@ -91,9 +91,9 @@ let
ht_capab=[HT40+][SHORT-GI-40][TX-STBC][RX-STBC1][DSSS_CCK-40]
'';
};
- hostapd5ghzConf = makeHostapdConf {
- name = "5ghz";
- interface = config.personal.networking.interfaces.wlp5ghz;
+ hostapdWanConf = makeHostapdConf {
+ name = "wan";
+ interface = config.personal.networking.networks.wan.interface;
ssid = "Quentintranet";
hwMode = "a";
channel = 36;
@@ -119,9 +119,9 @@ in {
};
systemd.services.hostapd = let
- interfaces = with config.personal.networking.interfaces; [
- wlp2ghz
- wlp5ghz
+ interfaces = with config.personal.networking.networks; [
+ wan.interface
+ iot.interface
];
netDevices = builtins.map (interface:
"sys-subsystem-net-devices-${utils.escapeSystemdPath interface}.device")
@@ -130,7 +130,7 @@ in {
builtins.map (interface: "network-link-${interface}.service") interfaces;
in {
serviceConfig.ExecStart = lib.mkForce
- "${pkgs.hostapd}/bin/hostapd ${hostapd2ghzConf} ${hostapd5ghzConf}";
+ "${pkgs.hostapd}/bin/hostapd ${hostapdIotConf} ${hostapdWanConf}";
after = lib.mkForce netDevices;
bindsTo = lib.mkForce netDevices;
requiredBy = lib.mkForce networkLinkServices;
diff --git a/config/networking/services/dhcp.nix b/config/networking/services/dhcp.nix
index 9953389..cca9328 100644
--- a/config/networking/services/dhcp.nix
+++ b/config/networking/services/dhcp.nix
@@ -1,26 +1,21 @@
{ config, ... }:
-let cfg = config.personal.networking;
+let
+ makeSubnet = network: ''
+ subnet ${network.subnet}.0 netmask 255.255.255.0 {
+ option broadcast-address ${network.subnet}.255;
+ option routers ${network.machines.self.address};
+ interface ${network.interface};
+ range ${network.subnet}.10 ${network.subnet}.99
+ }
+ '';
in {
- services.dhcpd4 = {
+ services.dhcpd4 = with config.personal.networking.networks; {
enable = true;
- interfaces = with cfg.interfaces; [ wlp2ghz wlp5ghz ];
- extraConfig = with cfg.subnets; ''
- option domain-name-servers ${public}.1, 9.9.9.9;
- subnet ${private}.0 netmask 255.255.255.0 {
- option broadcast-address ${private}.255;
- option routers ${private}.1;
- option subnet-mask 255.255.255.0;
- interface ${cfg.interfaces.wlp5ghz};
- range ${private}.10 ${private}.99;
- }
- subnet ${iot}.0 netmask 255.255.255.0 {
- option broadcast-address ${iot}.255;
- option routers ${iot}.1;
- option subnet-mask 255.255.255.0;
- interface ${cfg.interfaces.wlp2ghz};
- range ${iot}.10 ${iot}.99
- }
- '';
+ interfaces = [ wan.interface iot.interface ];
+ extraConfig = ''
+ option domain-name-servers ${lan.subnet}.1, 9.9.9.9;
+ option subnet-mask 255.255.255.0;
+ '' + makeSubnet wan + makeSubnet iot;
};
}
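Review bot: The `range` statement emitted by `makeSubnet` has no terminating `;` (the removed `private` subnet had one, the removed `iot` subnet did not, and the template now covers both); ISC dhcpd statements are semicolon-terminated, so write `range ${network.subnet}.10 ${network.subnet}.99;`. Also, `option domain-name-servers ${lan.subnet}.1, 9.9.9.9;` still sends every client to the upstream gateway for DNS, although dns.nix binds unbound on the `.1` address of exactly these two networks; if unbound is meant to serve them, `makeSubnet` could emit `option domain-name-servers ${network.machines.self.address};` per subnet instead of the global line.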
diff --git a/config/networking/services/dns.nix b/config/networking/services/dns.nix
index 9e26b41..5c06eeb 100644
--- a/config/networking/services/dns.nix
+++ b/config/networking/services/dns.nix
@@ -1,18 +1,18 @@
{ config, ... }:
-let cfg = config.personal.networking;
+let nets = config.personal.networking.networks;
in {
services.unbound = {
enable = true;
settings = {
server = {
interface =
- [ "127.0.0.1" "${cfg.subnets.private}.1" "${cfg.subnets.iot}.1" ];
+ [ "127.0.0.1" "${nets.wan.subnet}.1" "${nets.iot.subnet}.1" ];
access-control = [
"0.0.0.0/0 refuse"
"127.0.0.0/8 allow"
- "${cfg.subnets.private}.0/24 allow"
- "${cfg.subnets.iot}.0/24 allow"
+ "${nets.wan.subnet}.0/24 allow"
+ "${nets.iot.subnet}.0/24 allow"
];
};
};
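Review bot: `"${nets.wan.subnet}.1"` and `"${nets.iot.subnet}.1"` re-derive the listening addresses by appending `.1`, although this same commit now declares those addresses as `machines.self.address` in default.nix; using `nets.wan.machines.self.address` and `nets.iot.machines.self.address` in `interface` keeps dns.nix in step with `networking.interfaces` if a host address ever changes. The `access-control` entries for the whole /24 are fine to keep deriving from `subnet`.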
diff --git a/config/networking/services/firewall.nix b/config/networking/services/firewall.nix
index 767e122..1d8a297 100644
--- a/config/networking/services/firewall.nix
+++ b/config/networking/services/firewall.nix
@@ -1,75 +1,72 @@
{ config, ... }:
-let cfg = config.personal.networking;
- ifaces = cfg.interfaces;
+let nets = config.personal.networking.networks;
in {
- boot.kernel.sysctl = {
- "net.ipv4.conf.all.forwarding" = true;
- };
+ boot.kernel.sysctl = { "net.ipv4.conf.all.forwarding" = true; };
networking = {
nftables = {
enable = true;
- ruleset = ''
- table ip global {
- chain inbound_public {
- icmp type echo-request limit rate 5/second accept
- }
- chain inbound_private {
- icmp type echo-request limit rate 5/second accept
- ip protocol . th dport { tcp . 22 \
- , udp . 53 \
- , tcp . 53 \
- , udp . 67 } accept
- }
- chain inbound_iot {
- icmp type echo-request limit rate 5/second accept
- ip protocol . th dport { udp . 53 \
- , tcp . 53 \
- , udp . 67 } accept
- }
- chain inbound {
- type filter hook input priority 0; policy drop;
- icmp type echo-request limit rate 5/second accept
- ct state vmap { { established \
- , related } : accept \
- , invalid : drop }
- meta iifname vmap { lo : accept \
- , ${ifaces.eth} : jump inbound_public \
- , ${ifaces.wlp5ghz} : jump inbound_private \
- , ${ifaces.wlp2ghz} : jump inbound_iot }
- }
+ ruleset = with nets; ''
+ table ip global {
+ chain inbound_lan {
+ icmp type echo-request limit rate 5/second accept
+ }
+ chain inbound_wan {
+ icmp type echo-request limit rate 5/second accept
+ ip protocol . th dport { tcp . 22 \
+ , udp . 53 \
+ , tcp . 53 \
+ , udp . 67 } accept
+ }
+ chain inbound_iot {
+ icmp type echo-request limit rate 5/second accept
+ ip protocol . th dport { udp . 53 \
+ , tcp . 53 \
+ , udp . 67 } accept
+ }
+ chain inbound {
+ type filter hook input priority 0; policy drop;
+ icmp type echo-request limit rate 5/second accept
+ ct state vmap { { established \
+ , related } : accept \
+ , invalid : drop }
+ meta iifname vmap { lo : accept \
+ , ${lan.interface} : jump inbound_lan \
+ , ${wan.interface} : jump inbound_wan \
+ , ${iot.interface} : jump inbound_iot }
+ }
- chain forward {
- type filter hook input priority 0; policy drop;
- ct state vmap { { established \
- , related } : accept \
- , invalid : drop }
- meta oifname ${ifaces.eth} accept
- meta iifname ${ifaces.wlp5ghz} accept
- meta iifname ${ifaces.wlp2ghz} meta oifname ${ifaces.wlp2ghz} accept
+ chain forward {
+ type filter hook input priority 0; policy drop;
+ ct state vmap { { established \
+ , related } : accept \
+ , invalid : drop }
+ meta oifname ${lan.interface} accept
+ meta iifname ${wan.interface} accept
+ meta iifname ${iot.interface} meta oifname ${iot.interface} accept
+ }
}
- }
- table ip nat {
- chain postrouting {
- type nat hook postrouting priority 100; policy accept;
- meta oifname ${ifaces.eth} masquerade
+ table ip nat {
+ chain postrouting {
+ type nat hook postrouting priority 100; policy accept;
+ meta oifname ${lan.interface} masquerade
+ }
}
- }
- table ip6 global6 {
- chain input {
- type filter hook input priority 0; policy drop;
- }
- chain forward {
- type filter hook forward priority 0; policy drop;
- }
- }
+ table ip6 global6 {
+ chain input {
+ type filter hook input priority 0; policy drop;
+ }
+ chain forward {
+ type filter hook forward priority 0; policy drop;
+ }
+ }
'';
};
firewall.enable = false;
};
}
-
+
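Review bot: `chain forward` is declared with `type filter hook input priority 0; policy drop;` — identical to the removed line, so this is pre-existing, but the hunk carries it into the new ruleset unchanged. With that hook there is no base chain on the IPv4 forward hook at all, so routed traffic between `lan`, `wan` and `iot` is not filtered by this table (nftables accepts when no chain is attached to a hook) and the rule meant to confine `iot` to its own interface never applies; at the same time a second policy-drop chain on the input hook drops host-bound packets that `inbound` accepted unless one of the `forward` rules happens to match, since a drop verdict in any base chain is final. The line should read `type filter hook forward priority 0; policy drop;`. After the fix it is worth confirming the loaded rules with `nft list ruleset`, since the intended isolation has presumably not been in effect.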