JakeHillion/nixos
1
0
Fork 0
Code Issues 7 Pull Requests 5 Actions Packages Projects Releases Wiki Activity
90adb4f7f4
nixos/hosts/router.home.ts.hillion.co.uk/default.nix
Jake Hillion 90adb4f7f4
All checks were successful
continuous-integration/drone/pr Build is passing
Details
continuous-integration/drone/push Build is passing
Details
router: statically allocate zigbee bridge ip
2023-05-11 18:15:56 +01:00

166 lines
4.2 KiB
Nix
Raw Blame History

{ config, pkgs, lib, ... }:
{
imports = [
../../modules/common/default.nix
./hardware-configuration.nix
./persist.nix
];
config = {
system.stateVersion = "22.11";
networking.hostName = "router";
networking.domain = "home.ts.hillion.co.uk";
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot.kernel.sysctl = {
"net.ipv4.conf.all.forwarding" = true;
};
## Networking
networking = {
firewall.enable = lib.mkForce false;
nat.enable = lib.mkForce false;
useDHCP = false;
interfaces = {
enp1s0 = {
name = "eth0";
macAddress = "b4:fb:e4:b0:90:3c";
useDHCP = true;
};
enp2s0 = {
name = "eth1";
ipv4.addresses = [
{
address = "10.64.50.1";
prefixLength = 24;
}
];
};
enp3s0 = {
name = "eth2";
ipv4.addresses = [
{
address = "10.239.19.1";
prefixLength = 24;
}
];
};
enp4s0 = { name = "eth3"; };
enp5s0 = { name = "eth4"; };
enp6s0 = { name = "eth5"; };
};
nftables = {
enable = true;
ruleset = ''
table inet filter {
chain output {
type filter hook output priority 100; policy accept;
}
chain input {
type filter hook input priority filter; policy drop;
# Allow trusted networks to access the router
iifname {
"eth1",
"eth2",
"tailscale0",
} counter accept
ip protocol icmp counter accept comment "accept all ICMP types"
iifname "eth0" ct state { established, related } counter accept
iifname "eth0" drop
}
chain forward {
type filter hook forward priority filter; policy drop;
iifname {
"eth1",
"eth2",
} oifname {
"eth0",
} counter accept comment "Allow trusted LAN to WAN"
iifname {
"eth0",
} oifname {
"eth1",
"eth2",
} ct state established,related counter accept comment "Allow established back to LANs"
}
}
table ip nat {
chain prerouting {
type nat hook output priority filter; policy accept;
}
chain postrouting {
type nat hook postrouting priority filter; policy accept;
oifname "eth0" masquerade
}
}
'';
};
};
services = {
dhcpd4 = {
enable = true;
interfaces = [ "eth1" "eth2" ];
extraConfig = ''
subnet 10.64.50.0 netmask 255.255.255.0 {
interface eth1;
option broadcast-address 10.64.50.255;
option routers 10.64.50.1;
range 10.64.50.64 10.64.50.254;
option domain-name-servers 1.1.1.1, 8.8.8.8;
}
subnet 10.239.19.0 netmask 255.255.255.0 {
interface eth2;
option broadcast-address 10.239.19.255;
option routers 10.239.19.1;
range 10.239.19.64 10.239.19.254;
option domain-name-servers 1.1.1.1, 8.8.8.8;
}
'';
machines = [
{
# Zigbee Bridge
ethernetAddress = "48:3f:da:2a:86:7a";
ipAddress = "10.239.19.40";
hostName = "tasmota-2A867A-1658";
}
];
};
};
## Tailscale
age.secrets."tailscale/router.home.ts.hillion.co.uk".file = ../../secrets/tailscale/router.home.ts.hillion.co.uk.age;
custom.tailscale = {
enable = true;
preAuthKeyFile = config.age.secrets."tailscale/router.home.ts.hillion.co.uk".path;
};
## Enable btrfs compression
fileSystems."/data".options = [ "compress=zstd" ];
fileSystems."/nix".options = [ "compress=zstd" ];
## Run a persistent iperf3 server
services.iperf3.enable = true;
};
}
Reference in New Issue View Git Blame Copy Permalink