From 6c89b45eec2a7bfc21b2831118d3a5a05aa3b162 Mon Sep 17 00:00:00 2001
From: "quentin@aristote.fr"
Date: Sun, 19 May 2024 20:24:50 +0200
Subject: networking: dhcp: add static ips
---
 config/networking/services/dhcp.nix | 59 +++++++++++-------
 config/networking/services/firewall/ruleset.nix | 80 +++++++++++++++----------
 2 files changed, 86 insertions(+), 53 deletions(-)
(limited to 'config/networking/services')
diff --git a/config/networking/services/dhcp.nix b/config/networking/services/dhcp.nix
index 1f2d06f..d27bbce 100644
--- a/config/networking/services/dhcp.nix
+++ b/config/networking/services/dhcp.nix
@@ -1,13 +1,17 @@
-{ config, ... }:
-
-let
+{
+ config,
+ lib,
+ ...
+}: let
 nets = config.personal.networking.networks;
- netdevServices = builtins.map (subnet: "${subnet.interface}-netdev.service")
- (with nets; [ wan iot ]);
+ netdevServices =
+ builtins.map (subnet: "${subnet.interface}-netdev.service")
+ (with nets; [wan iot]);
 in {
 services.kea.dhcp4 = {
 enable = true;
- settings = let subnets = with nets; [ wan iot eth0 ];
+ settings = let
+ subnets = with nets; [wan iot eth0];
 in {
 interfaces-config = {
 interfaces = builtins.map (network: network.interface) subnets;
@@ -31,21 +35,34 @@ in {
 data = "255.255.255.0";
 }
 ];
- subnet4 = builtins.map (network: {
- subnet = "${network.subnet}.0/24";
- option-data = [
- {
- name = "broadcast-address";
- data = "${network.subnet}.255";
- }
- {
- name = "routers";
- data = network.machines.self.address;
- }
- ];
- inherit (network) interface;
- pools = [{ pool = "${network.subnet}.10 - ${network.subnet}.99"; }];
- }) subnets;
+ subnet4 =
+ builtins.map (network: {
+ subnet = "${network.subnet}.0/24";
+ option-data = [
+ {
+ name = "broadcast-address";
+ data = "${network.subnet}.255";
+ }
+ {
+ name = "routers";
+ data = network.machines.self.ip;
+ }
+ ];
+ inherit (network) interface;
+ pools = [{pool = "${network.subnet}.10 - ${network.subnet}.99";}];
+ reservations = let
+ machines = builtins.attrValues (lib.filterAttrs (name: {mac, ...}: name != "self" && mac != null) network.machines);
+ in
+ builtins.map ({
+ ip,
+ mac,
+ }: {
+ hw-address = mac;
+ ip-address = ip;
+ })
+ machines;
+ })
+ subnets;
 };
 };
diff --git a/config/networking/services/firewall/ruleset.nix b/config/networking/services/firewall/ruleset.nix
index bef7dad..47aa49b 100644
--- a/config/networking/services/firewall/ruleset.nix
+++ b/config/networking/services/firewall/ruleset.nix
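Review bot: The `reservations` expression aborts evaluation instead of skipping machines that do not fit it: the `filterAttrs` predicate's pattern `{mac, ...}` throws on a machine set that has no `mac` attribute at all, and the mapping pattern `({ ip, mac, }: ...)` has no `...`, so any extra attribute on a kept machine (only `ip` and `mac` are visible here, so this is inferred) fails with an unexpected-argument error. Writing the predicate as `(name: {mac ? null, ...}: name != "self" && mac != null)` and the map pattern as `({ ip, mac, ... }: { ... })` keeps the intended selection while tolerating both. Nothing checks that `ip` lies inside `${network.subnet}.0/24`; I believe Kea rejects an out-of-subnet reservation when it loads the config, so a typo would surface as a service failure rather than at build time, which an `assert lib.hasPrefix "${network.subnet}." ip;` in the map body would catch earlier. `hw-address = mac;` deserves a comment that a MAC reservation pins an address but is not authentication, since the `ip saddr`/`ip daddr` allow rules for the sonos machines and the `snat to ...self.ip` rule in ruleset.nix now treat these addresses as identities: `# MAC-keyed reservation only: firewall rules keyed on these IPs inherit the trust placed in the client-supplied MAC`. The enclosing `settings = let ... in { ... }` attrset opens in the previous hunk.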
@@ -1,26 +1,32 @@
-{ lib, nets }:
-
-let
+{
+ lib,
+ nets,
+}: let
 makeTable = args: {
- chains = { };
- flowtables = { };
- sets = { };
- maps = { };
- objects = { };
- } // args;
+ chains = {};
+ flowtables = {};
+ sets = {};
+ maps = {};
+ objects = {};
+ }
+ // args;
 makeFlowtable = args: {
 hook = "ingress";
 priority = "filter";
- devices = [ ];
+ devices = [];
 offload = false;
- } // args;
- makeBaseChain = type: hook:
- { priority ? type, policy ? "drop", rules ? "" }: {
- base = { inherit type hook priority policy; };
- inherit rules;
- };
+ }
+ // args;
+ makeBaseChain = type: hook: {
+ priority ? type,
+ policy ? "drop",
+ rules ? "",
+ }: {
+ base = {inherit type hook priority policy;};
+ inherit rules;
+ };
 rulesCommon = {
 conntrack = ''
 ct state vmap { established : accept \
@@ -75,8 +81,8 @@ let
 '';
 player-controller = ''
 ip protocol udp \
- ip saddr { ${nets.iot.machines.sonos-move.address} \
- , ${nets.iot.machines.sonos-play1.address} } \
+ ip saddr { ${nets.iot.machines.sonos-move.ip} \
+ , ${nets.iot.machines.sonos-play1.ip} } \
 udp sport >30000 \
 udp dport >30000 \
 accept comment "sonos: app control: player to controller"
@@ -101,7 +107,7 @@ in {
 filter = makeTable {
 flowtables = {
 default = makeFlowtable {
- devices = lib.mapAttrsToList (_: { device, ... }: device) nets;
+ devices = lib.mapAttrsToList (_: {device, ...}: device) nets;
 };
 };
 chains = {
@@ -110,7 +116,9 @@ in {
 eth0_in.rules = with rulesCommon; dns + dhcp;
 input = makeBaseChain "filter" "input" {
 rules = with rulesCommon;
- conntrack + ping + ''
+ conntrack
+ + ping
+ + ''
 meta iifname vmap { lo : accept \
 , ${nets.wan.interface} : goto wan_in \
 , ${nets.iot.interface} : goto iot_in \
@@ -123,7 +131,9 @@ in {
 rules = with rulesCommon; ''
 ip protocol { udp, tcp } flow add @default
- '' + conntrack + ''
+ ''
+ + conntrack
+ + ''
 meta oifname ${nets.lan.interface} accept
 meta iifname . meta oifname vmap \
 { ${nets.wan.interface} . ${nets.iot.interface} \
@@ -141,7 +151,7 @@ in {
 policy = "accept";
 rules = ''
 meta oifname ${nets.lan.interface} \
- snat to ${nets.lan.machines.self.address}
+ snat to ${nets.lan.machines.self.ip}
 '';
 };
 };
@@ -151,8 +161,8 @@ in {
 ip6 = {
 global6 = makeTable {
 chains = {
- input = makeBaseChain "filter" "input" { };
- forward = makeBaseChain "filter" "forward" { };
+ input = makeBaseChain "filter" "input" {};
+ forward = makeBaseChain "filter" "forward" {};
 };
 };
 };
@@ -162,18 +172,24 @@ in {
 chains = {
 iot_iot.rules = with rulesCommon; ''
- ip saddr { ${nets.iot.machines.sonos-move.address} \
- , ${nets.iot.machines.sonos-play1.address} } \
- ip daddr { ${nets.iot.machines.sonos-move.address} \
- , ${nets.iot.machines.sonos-play1.address} } \
+ ip saddr { ${nets.iot.machines.sonos-move.ip} \
+ , ${nets.iot.machines.sonos-play1.ip} } \
+ ip daddr { ${nets.iot.machines.sonos-move.ip} \
+ , ${nets.iot.machines.sonos-play1.ip} } \
 accept comment "sonos: player to player"
- '' + ssdp + sonos.player-controller + sonos.controller-player;
+ ''
+ + ssdp
+ + sonos.player-controller
+ + sonos.controller-player;
 wan_wan.rules = with rulesCommon; syncthing + kdeconnect;
 forward = makeBaseChain "filter" "forward" {
 rules = with rulesCommon;
- conntrack + ''
+ conntrack
+ + ''
 ether type vmap { ip6 : drop, arp : accept }
- '' + ping + ''
+ ''
+ + ping
+ + ''
 meta ibrname . meta obrname vmap \
 { ${nets.wan.interface} . ${nets.wan.interface} : goto wan_wan \
 , ${nets.iot.interface} . ${nets.iot.interface} : goto iot_iot }
@@ -183,7 +199,6 @@ in {
 };
 };
 }
-
 # chain steam {
 # # https://help.steampowered.com/en/faqs/view/2EA8-4D75-DA21-31EB
 # ip protocol { udp, tcp } \
@@ -208,3 +223,4 @@ in {
 # udp dport { 3478, 4379, 4380, 27014-27030 } \
 # accept comment "steam: p2p, voice chat"
 # }
+
-- cgit v1.2.3