Diffstat (limited to 'config')
-rw-r--r--config/networking/bridges.nix4
-rw-r--r--config/networking/default.nix7
-rw-r--r--config/networking/services/dhcp.nix2
-rw-r--r--config/networking/services/dns.nix13
-rw-r--r--config/networking/services/firewall/ruleset.nix14
5 files changed, 26 insertions, 14 deletions
diff --git a/config/networking/bridges.nix b/config/networking/bridges.nix
index 236aae0..48a3391 100644
--- a/config/networking/bridges.nix
+++ b/config/networking/bridges.nix
@@ -18,7 +18,5 @@ in {
sleep 3
${pkgs.iproute2}/bin/bridge link set dev ${device} hairpin on
'';
- }) [ nets.wan nets.iot ]) ++ [{
- networking.bridges.${nets.wan.interface}.interfaces = [ "enp3s0" ];
- }]);
+ }) [ nets.wan nets.iot ]));
}
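Review bot: After this hunk nothing in view adds a physical member to the `${nets.wan.interface}` bridge; the only explicit member, `enp3s0`, is removed here and reassigned as the device of the new `eth0` network in default.nix. If the WAN bridge is meant to keep an uplink, some other member must now come from the `map` expression, which begins outside the hunk and is not visible; if it is intentionally left empty, a comment at the end of the list, `# wan/iot bridges get no static members; enp3s0 now belongs to nets.eth0`, would record that. Either way a reader cannot tell from this file alone whether the bridge still has a port.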
diff --git a/config/networking/default.nix b/config/networking/default.nix
index 3d8c464..a3486be 100644
--- a/config/networking/default.nix
+++ b/config/networking/default.nix
@@ -77,6 +77,13 @@ in {
sonos-play1.address = "192.168.3.29";
};
};
+ eth0 = let device = "enp3s0";
+ in {
+ inherit device;
+ interface = device;
+ subnet = "192.168.4";
+ machines = { self.address = "192.168.4.1"; };
+ };
};
};
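Review bot: The new `eth0` entry has no comment saying what this segment is for, and it is the only network here whose `interface` is the raw device rather than a bridge (bridges.nix builds bridges only for `wan` and `iot`). A one-line comment above `eth0 = let device = "enp3s0";` such as `# Plain (non-bridged) segment on enp3s0; bridges.nix only builds bridges for wan and iot.` would make that difference deliberate rather than accidental. The enclosing `networks` attribute set starts outside the hunk.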
diff --git a/config/networking/services/dhcp.nix b/config/networking/services/dhcp.nix
index 360eb66..e625a4d 100644
--- a/config/networking/services/dhcp.nix
+++ b/config/networking/services/dhcp.nix
@@ -4,7 +4,7 @@ let nets = config.personal.networking.networks;
in {
services.kea.dhcp4 = {
enable = true;
- settings = let subnets = with nets; [ wan iot ];
+ settings = let subnets = with nets; [ wan iot eth0 ];
in {
interfaces-config.interfaces =
builtins.map (network: network.interface) subnets;
diff --git a/config/networking/services/dns.nix b/config/networking/services/dns.nix
index cce2f17..9e70958 100644
--- a/config/networking/services/dns.nix
+++ b/config/networking/services/dns.nix
@@ -7,18 +7,21 @@ in {
settings = {
server = {
module-config = ''"respip validator iterator"'';
- interface =
- [ "127.0.0.1" "${nets.wan.subnet}.1" "${nets.iot.subnet}.1" ];
+ interface = [
+ "127.0.0.1"
+ "${nets.wan.subnet}.1"
+ "${nets.iot.subnet}.1"
+ "${nets.eth0.subnet}.1"
+ ];
access-control = [
"0.0.0.0/0 refuse"
"127.0.0.0/8 allow"
"${nets.wan.subnet}.0/24 allow"
"${nets.iot.subnet}.0/24 allow"
+ "${nets.eth0.subnet}.0/24 allow"
];
};
- rpz = {
- name = "rpz.oisd.nl";
- };
+ rpz = { name = "rpz.oisd.nl"; };
};
};
}
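Review bot: The served networks are enumerated by hand twice in this hunk, once in `interface` and once in `access-control`, whereas dhcp.nix derives its per-network settings from a single `subnets` list; the two files can now drift when a fourth network is added. Deriving both lists from one binding keeps the listening address and the allow rule for each subnet paired: `served = with nets; [ wan iot eth0 ];`, `interface = [ "127.0.0.1" ] ++ builtins.map (n: "${n.subnet}.1") served;` and `access-control = [ "0.0.0.0/0 refuse" "127.0.0.0/8 allow" ] ++ builtins.map (n: "${n.subnet}.0/24 allow") served;`. The resulting lists are identical to the ones written out here.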
diff --git a/config/networking/services/firewall/ruleset.nix b/config/networking/services/firewall/ruleset.nix
index 7184de7..5871385 100644
--- a/config/networking/services/firewall/ruleset.nix
+++ b/config/networking/services/firewall/ruleset.nix
@@ -101,12 +101,14 @@ in {
chains = {
wan_in.rules = with rulesCommon; dns + dhcp + ssh + ssdp;
iot_in.rules = with rulesCommon; dns + dhcp + igmp;
+ eth0_in.rules = with rulesCommon; dns + dhcp;
input = makeBaseChain "filter" "input" {
rules = with rulesCommon;
conntrack + ping + ''
- meta iifname vmap { lo : accept \
- , ${nets.wan.interface} : goto wan_in \
- , ${nets.iot.interface} : goto iot_in }
+ meta iifname vmap { lo : accept \
+ , ${nets.wan.interface} : goto wan_in \
+ , ${nets.iot.interface} : goto iot_in \
+ , ${nets.eth0.interface} : goto eth0_in }
'';
};
iot_wan.rules = rulesCommon.sonos.player-controller;
@@ -118,8 +120,10 @@ in {
'' + conntrack + ''
meta oifname ${nets.lan.interface} accept
meta iifname . meta oifname vmap \
- { ${nets.wan.interface} . ${nets.iot.interface} : goto wan_iot \
- , ${nets.iot.interface} . ${nets.wan.interface} : goto iot_wan }
+ { ${nets.wan.interface} . ${nets.iot.interface} \
+ : goto wan_iot \
+ , ${nets.iot.interface} . ${nets.wan.interface} \
+ : goto iot_wan }
'';
};
};
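Review bot: The forward vmap gains no entry for the new `eth0` interface, so forwarded traffic originating on eth0 is handled only by the context line `meta oifname ${nets.lan.interface} accept`, which accepts regardless of input interface, and for every other destination by the chain's default, which lies outside the hunk. The previous hunk's `eth0_in` chain covers only the input path, so whether eth0 is isolated like iot or allowed to reach wan/iot is not visible anywhere in this change. An explicit vmap entry routing `${nets.eth0.interface} . <oifname>` to a dedicated chain, or a comment above the vmap stating that eth0 is intentionally left to the chain default, would make the intended policy reviewable. The enclosing forward chain definition starts outside the hunk.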