ringofstorms/dotfiles
ringofstorms/dotfiles
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

idk

Browse source
This commit is contained in:
RingOfStorms (Joshua Bell) 2025-08-06 00:21:50 -05:00
parent bbf0e06df7
commit e22501c9b5
3 changed files with 1507 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

169
hosts/h003/networking.nix Normal file
View file

@ -0,0 +1,169 @@
{
config,
pkgs,
lib,
...
}:
{
networking = {
# Configure bonding (LAG)
bonds = {
bond0 = {
interfaces = [
"enp1s0"
"enp2s0"
];
driverOptions = {
mode = "802.3ad"; # LACP
miimon = "100";
lacp_rate = "fast";
};
};
};
# Configure VLANs on the bonded interface
vlans = {
vlan10 = {
id = 10;
interface = "bond0";
};
vlan20 = {
id = 20;
interface = "bond0";
};
};
# Interface configuration
enableIPv6 = false;
interfaces = {
# WAN interface (VLAN 10 - to modem)
vlan10 = {
useDHCP = true; # Get IP from modem/ISP
tempAddress = lib.mkIf config.networking.enableIPv6 "disabled"; # For IPv6 privacy
};
# LAN interface (VLAN 20 - main network)
vlan20 = {
ipv4.addresses = [
{
address = "10.12.14.1";
prefixLength = 24;
}
];
ipv6.addresses = lib.mkIf config.networking.enableIPv6 [
{
address = "fd12:14::1"; # ULA prefix only
prefixLength = 64;
}
];
};
};
# Enable IP forwarding for routing
firewall = {
enable = true;
interfaces = {
# WAN interface - allow nothing inbound by default
vlan10 = {
allowedTCPPorts = [ ];
allowedUDPPorts = [ ];
};
vlan20 = {
allowedTCPPorts = [
53
67
68
80
443
];
allowedUDPPorts = [
53
67
68
546
547
];
};
};
};
# NAT configuration
nat = {
enable = true;
externalInterface = "vlan10"; # WAN
internalInterfaces = [ "vlan20" ]; # LAN
enableIPv6 = lib.mkIf config.networking.enableIPv6 true; # Enable IPv6 NAT
};
# example of port forwarding
# nat.forwardPorts = [
# {
# destination = "10.12.14.50:8080";
# proto = "tcp";
# sourcePort = 8080;
# }
# ];
};
# dnsmasq for DHCP + DNS
services.dnsmasq = {
enable = true;
alwaysKeepRunning = true;
settings = {
# Listen only on LAN interface
interface = "vlan20";
bind-interfaces = true;
# DHCP range and settings
dhcp-range = [
"10.12.14.100,10.12.14.200,24h"
]
++ lib.optionals config.networking.enableIPv6 [
# IPv6 DHCP range
"fd12:14::100,fd12:14::200,64,24h"
];
dhcp-option = [
"option:router,10.12.14.1"
"option:dns-server,1.1.1.1,8.8.8.8"
# "option:dns-server10.12.14.??" # Point to AdGuard,
];
# Static DHCP reservations
dhcp-host = [
"00:BE:43:B9:F4:E0,H001,10.12.14.2"
"C8:C9:A3:2B:7B:19,PRUSA-MK4,10.12.14.108"
"24:E8:53:73:A3:C6,LGWEBOSTV,10.12.14.128"
"2C:CF:67:6A:45:47,HOMEASSISTANT,10.12.14.106"
"2A:D0:EC:FA:B9:7E,PIXEL-6,10.12.14.115"
];
enable-ra = lib.mkIf config.networking.enableIPv6 true;
ra-param = lib.mkIf config.networking.enableIPv6 "vlan20,60,120"; # interface, min interval, max interval
# DNS settings
server = [
# TODO ad guard
"1.1.1.1"
"8.8.8.8"
"2606:4700:4700::1111" # Cloudflare IPv6
"2001:4860:4860::8888" # Google IPv6
];
};
};
boot.kernel.sysctl = {
# Enable IPv4 forwarding
"net.ipv4.conf.all.forwarding" = true;
# "net.ipv4.ip_forward" = 1;
# Enable IPv6 forwarding
"net.ipv6.conf.all.forwarding" = true;
# Security hardening
"net.ipv4.conf.all.send_redirects" = 0;
"net.ipv4.conf.default.send_redirects" = 0;
"net.ipv4.conf.all.accept_redirects" = 0;
"net.ipv4.conf.default.accept_redirects" = 0;
"net.ipv6.conf.all.accept_redirects" = 0;
"net.ipv6.conf.default.accept_redirects" = 0;
};
}