298 lines
8.4 KiB
Nix
298 lines
8.4 KiB
Nix
{ config, pkgs, lib, ... }:
|
||
|
||
{
|
||
imports = [
|
||
./hardware-configuration.nix
|
||
];
|
||
|
||
config = {
|
||
system.stateVersion = "22.11";
|
||
|
||
networking.hostName = "router";
|
||
networking.domain = "home.ts.hillion.co.uk";
|
||
|
||
boot.loader.systemd-boot.enable = true;
|
||
boot.loader.efi.canTouchEfiVariables = true;
|
||
|
||
boot.kernel.sysctl = {
|
||
"net.ipv4.conf.all.forwarding" = true;
|
||
};
|
||
|
||
custom.defaults = true;
|
||
|
||
## Interactive password
|
||
custom.users.jake.password = true;
|
||
|
||
## Impermanence
|
||
custom.impermanence.enable = true;
|
||
|
||
## Networking
|
||
networking = {
|
||
firewall.enable = lib.mkForce false;
|
||
nat.enable = lib.mkForce false;
|
||
|
||
useDHCP = false;
|
||
interfaces = {
|
||
enp1s0 = {
|
||
name = "eth0";
|
||
macAddress = "b4:fb:e4:b0:90:3c";
|
||
useDHCP = true;
|
||
};
|
||
enp2s0 = {
|
||
name = "eth1";
|
||
ipv4.addresses = [
|
||
{
|
||
address = "10.64.50.1";
|
||
prefixLength = 24;
|
||
}
|
||
];
|
||
};
|
||
enp3s0 = {
|
||
name = "eth2";
|
||
ipv4.addresses = [
|
||
{
|
||
address = "10.239.19.1";
|
||
prefixLength = 24;
|
||
}
|
||
];
|
||
};
|
||
enp4s0 = { name = "eth3"; };
|
||
enp5s0 = { name = "eth4"; };
|
||
enp6s0 = { name = "eth5"; };
|
||
};
|
||
|
||
nftables = {
|
||
enable = true;
|
||
ruleset = ''
|
||
table inet filter {
|
||
chain output {
|
||
type filter hook output priority 100; policy accept;
|
||
}
|
||
|
||
chain input {
|
||
type filter hook input priority filter; policy drop;
|
||
|
||
# Allow trusted networks to access the router
|
||
iifname {
|
||
"lo",
|
||
"eth1",
|
||
"eth2",
|
||
"tailscale0",
|
||
} counter accept
|
||
|
||
ip protocol icmp counter accept comment "accept all ICMP types"
|
||
|
||
iifname "eth0" ct state { established, related } counter accept
|
||
iifname "eth0" drop
|
||
}
|
||
|
||
chain forward {
|
||
type filter hook forward priority filter; policy drop;
|
||
|
||
iifname {
|
||
"eth1",
|
||
"eth2",
|
||
} oifname {
|
||
"eth0",
|
||
} counter accept comment "Allow trusted LAN to WAN"
|
||
|
||
iifname {
|
||
"eth0",
|
||
} oifname {
|
||
"eth1",
|
||
"eth2",
|
||
} ct state established,related counter accept comment "Allow established back to LANs"
|
||
|
||
ip daddr 10.64.50.20 tcp dport 32400 counter accept comment "Plex"
|
||
|
||
ip daddr 10.64.50.20 tcp dport 8444 counter accept comment "Chia"
|
||
|
||
ip daddr 10.64.50.21 tcp dport 7654 counter accept comment "Tang"
|
||
}
|
||
}
|
||
|
||
table ip nat {
|
||
chain prerouting {
|
||
type nat hook prerouting priority filter; policy accept;
|
||
|
||
iifname eth0 tcp dport 32400 counter dnat to 10.64.50.20
|
||
|
||
iifname eth0 tcp dport 8444 counter dnat to 10.64.50.20
|
||
|
||
iifname eth0 tcp dport 7654 counter dnat to 10.64.50.21
|
||
}
|
||
|
||
chain postrouting {
|
||
type nat hook postrouting priority filter; policy accept;
|
||
oifname "eth0" masquerade
|
||
}
|
||
}
|
||
'';
|
||
};
|
||
};
|
||
|
||
services = {
|
||
kea = {
|
||
dhcp4 = {
|
||
enable = true;
|
||
|
||
settings = {
|
||
interfaces-config = {
|
||
interfaces = [ "eth1" "eth2" ];
|
||
};
|
||
lease-database = {
|
||
type = "memfile";
|
||
persist = true;
|
||
name = "/var/lib/kea/dhcp4.leases";
|
||
};
|
||
subnet4 = [
|
||
{
|
||
subnet = "10.64.50.0/24";
|
||
interface = "eth1";
|
||
pools = [{
|
||
pool = "10.64.50.64 - 10.64.50.254";
|
||
}];
|
||
option-data = [
|
||
{
|
||
name = "routers";
|
||
data = "10.64.50.1";
|
||
}
|
||
{
|
||
name = "broadcast-address";
|
||
data = "10.64.50.255";
|
||
}
|
||
{
|
||
name = "domain-name-servers";
|
||
data = "10.64.50.1, 1.1.1.1, 8.8.8.8";
|
||
}
|
||
];
|
||
reservations = lib.lists.imap0
|
||
(i: el: {
|
||
ip-address = "10.64.50.${toString (20 + i)}";
|
||
inherit (el) hw-address hostname;
|
||
}) [
|
||
{ hostname = "tywin"; hw-address = "c8:7f:54:6d:e1:03"; }
|
||
{ hostname = "microserver"; hw-address = "e4:5f:01:b4:58:95"; }
|
||
{ hostname = "theon"; hw-address = "00:1e:06:49:06:1e"; }
|
||
{ hostname = "server-switch"; hw-address = "84:d8:1b:9d:0d:85"; }
|
||
];
|
||
}
|
||
{
|
||
subnet = "10.239.19.0/24";
|
||
interface = "eth2";
|
||
pools = [{
|
||
pool = "10.239.19.64 - 10.239.19.254";
|
||
}];
|
||
option-data = [
|
||
{
|
||
name = "routers";
|
||
data = "10.239.19.1";
|
||
}
|
||
{
|
||
name = "broadcast-address";
|
||
data = "10.239.19.255";
|
||
}
|
||
{
|
||
name = "domain-name-servers";
|
||
data = "10.239.19.1, 1.1.1.1, 8.8.8.8";
|
||
}
|
||
];
|
||
reservations = [
|
||
{
|
||
# bedroom-everything-presence-one
|
||
hw-address = "40:22:d8:e0:1d:50";
|
||
ip-address = "10.239.19.2";
|
||
hostname = "bedroom-everything-presence-one";
|
||
}
|
||
{
|
||
# living-room-everything-presence-one
|
||
hw-address = "40:22:d8:e0:0f:78";
|
||
ip-address = "10.239.19.3";
|
||
hostname = "living-room-everything-presence-one";
|
||
}
|
||
];
|
||
}
|
||
];
|
||
};
|
||
};
|
||
};
|
||
|
||
unbound = {
|
||
enable = true;
|
||
settings = {
|
||
server = {
|
||
interface = [
|
||
"127.0.0.1"
|
||
"10.64.50.1"
|
||
"10.239.19.1"
|
||
];
|
||
access-control = [
|
||
"10.64.50.0/24 allow"
|
||
"10.239.19.0/24 allow"
|
||
];
|
||
};
|
||
|
||
forward-zone = [
|
||
{
|
||
name = ".";
|
||
forward-tls-upstream = "yes";
|
||
forward-addr = [
|
||
"1.1.1.1#cloudflare-dns.com"
|
||
"1.0.0.1#cloudflare-dns.com"
|
||
"8.8.8.8#dns.google"
|
||
"8.8.4.4#dns.google"
|
||
];
|
||
}
|
||
];
|
||
};
|
||
};
|
||
};
|
||
|
||
## Tailscale
|
||
age.secrets."tailscale/router.home.ts.hillion.co.uk".file = ../../secrets/tailscale/router.home.ts.hillion.co.uk.age;
|
||
services.tailscale = {
|
||
enable = true;
|
||
authKeyFile = config.age.secrets."tailscale/router.home.ts.hillion.co.uk".path;
|
||
};
|
||
|
||
## Enable btrfs compression
|
||
fileSystems."/data".options = [ "compress=zstd" ];
|
||
fileSystems."/nix".options = [ "compress=zstd" ];
|
||
|
||
## Run a persistent iperf3 server
|
||
services.iperf3.enable = true;
|
||
|
||
## Zigbee2Mqtt
|
||
custom.services.zigbee2mqtt.enable = true;
|
||
|
||
## Netdata
|
||
services.netdata = {
|
||
enable = true;
|
||
config = {
|
||
web = {
|
||
"bind to" = "unix:/run/netdata/netdata.sock";
|
||
};
|
||
};
|
||
};
|
||
services.caddy = {
|
||
enable = true;
|
||
virtualHosts."http://graphs.router.home.ts.hillion.co.uk" = {
|
||
listenAddresses = [ config.custom.dns.tailscale.ipv4 config.custom.dns.tailscale.ipv6 ];
|
||
extraConfig = "reverse_proxy unix///run/netdata/netdata.sock";
|
||
};
|
||
};
|
||
users.users.caddy.extraGroups = [ "netdata" ];
|
||
### HACK: Allow Caddy to restart if it fails. This happens because Tailscale
|
||
### is too late at starting. Upstream nixos caddy does restart on failure
|
||
### but it's prevented on exit code 1. Set the exit code to 0 (non-failure)
|
||
### to override this.
|
||
systemd.services.caddy = {
|
||
requires = [ "tailscaled.service" ];
|
||
after = [ "tailscaled.service" ];
|
||
serviceConfig = {
|
||
RestartPreventExitStatus = lib.mkForce 0;
|
||
};
|
||
};
|
||
};
|
||
}
|