

No commits in common. "eef385fbb70469afa7d26fdfe81d59b7ae008124" and "e22501c9b59808f4a72b379e1b8448e12e3fb392" have entirely different histories.

3 changed files with 46 additions and 101 deletions


@ -29,7 +29,7 @@
ros_neovim.nixosModules.default ros_neovim.nixosModules.default
./configuration.nix ./configuration.nix
./hardware-configuration.nix ./hardware-configuration.nix
./networking.nix # ./networking.nix
( (
{ config, pkgs, ... }: { config, pkgs, ... }:
{ {
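Review bot: With `./networking.nix` commented out on the new side, the firewall, NAT and dnsmasq configuration that the third file in this compare defines is no longer part of the evaluated system unless it is imported somewhere not shown here, so the host would fall back to plain NixOS networking defaults with no WAN/LAN distinction, no NAT and no DHCP service. If disabling the module is deliberate, record why next to the entry, e.g. `# ./networking.nix  # disabled: <reason>`, so a later reader does not re-enable a router configuration by accident; if it is not deliberate, the import should be restored. The module list this entry belongs to opens before the hunk.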


@ -85,7 +85,7 @@
# (the default) this is the recommended approach. When using systemd-networkd it's # (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction # still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`. # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
# networking.useDHCP = lib.mkDefault true; networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp1s0.useDHCP = lib.mkDefault true; # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
# networking.interfaces.enp2s0.useDHCP = lib.mkDefault true; # networking.interfaces.enp2s0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true; # networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true;
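Review bot: Enabling `networking.useDHCP` globally contradicts the generated comment directly above it, which recommends per-interface `networking.interfaces.<interface>.useDHCP`; on a router only the upstream-facing interface should obtain its address by DHCP, so a narrower `networking.interfaces.vlan10.useDHCP = lib.mkDefault true;` (or whichever interface actually faces the modem) is the safer form. The edit also lives in hardware-configuration.nix, which `nixos-generate-config` rewrites, so if that file is still regenerated on this host the change can silently disappear; keeping it in configuration.nix or the networking module avoids that.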


@ -1,5 +1,6 @@
{ {
config, config,
pkgs,
lib, lib,
... ...
}: }:
@ -30,16 +31,10 @@
id = 20; id = 20;
interface = "bond0"; interface = "bond0";
}; };
vlan1 = {
id = 1;
interface = "bond0";
};
}; };
# enable ipv6 or not
enableIPv6 = true;
# Interface configuration # Interface configuration
enableIPv6 = false;
interfaces = { interfaces = {
# WAN interface (VLAN 10 - to modem) # WAN interface (VLAN 10 - to modem)
vlan10 = { vlan10 = {
@ -62,90 +57,44 @@
} }
]; ];
}; };
};
vlan1.ipv4.addresses = [ # Enable IP forwarding for routing
{ firewall = {
address = "192.168.0.2"; # Management network enable = true;
prefixLength = 24; interfaces = {
} # WAN interface - allow nothing inbound by default
]; vlan10 = {
allowedTCPPorts = [ ];
allowedUDPPorts = [ ];
};
vlan20 = {
allowedTCPPorts = [
53
67
68
80
443
];
allowedUDPPorts = [
53
67
68
546
547
];
};
};
}; };
# NAT configuration # NAT configuration
nat = { nat = {
enable = true; enable = true;
externalInterface = "vlan10"; # WAN externalInterface = "vlan10"; # WAN
internalInterfaces = [ internalInterfaces = [ "vlan20" ]; # LAN
"vlan20"
"vlan1"
]; # LAN
enableIPv6 = lib.mkIf config.networking.enableIPv6 true; # Enable IPv6 NAT enableIPv6 = lib.mkIf config.networking.enableIPv6 true; # Enable IPv6 NAT
}; };
# Enable IP forwarding for routing
firewall = {
enable = true;
allowPing = true; # For ddiagnostics
trustedInterfaces = [
"vlan20" # Allow all on LAN
"vlan1" # Allow all on management
];
# Block vlan to vlan communication
filterForward = true;
extraForwardRules = ''
ip saddr 10.12.14.0/24 ip daddr 192.168.0.0/24 drop
'';
# extraCommands = ''
# # Block LAN (vlan20) from accessing Management (vlan1)
# nft add rule inet nixos-fw forward ip saddr 10.12.14.0/24 ip daddr 192.168.0.0/24 drop
# '';
interfaces = {
# WAN interface - allow nothing inbound by default
vlan10 = {
# Block all WAN
allowedTCPPorts = [ ];
allowedUDPPorts = [ ];
};
# # LAN interface (VLAN 20) - FULL SERVICE
# vlan20 = {
# allowedTCPPorts = [
# 22 # SSH (if you want to SSH to your router from LAN devices)
# 53 # DNS queries
# 80 # HTTP (for local web services)
# 443 # HTTPS (for local web services)
# # Add other services you run locally (Plex, Home Assistant, etc.)
# ];
# allowedUDPPorts = [
# 53 # DNS queries
# 67 # DHCP server (dnsmasq)
# 68 # DHCP client responses
# # 123 # NTP (if you run a time server)
# ];
# };
#
# # Management interface (VLAN 1) - LIMITED SERVICE
# vlan1 = {
# allowedTCPPorts = [
# 22 # SSH (for remote admin access)
# 53 # DNS
# 80 # HTTP (to access switch web interface through the router)
# 443
# # HTTPS
# ];
# allowedUDPPorts = [
# 53 # DNS
# 67 # DHCP server
# 68
# # DHCP client
# ];
# };
};
};
# example of port forwarding # example of port forwarding
# nat.forwardPorts = [ # nat.forwardPorts = [
# { # {
@ -162,34 +111,30 @@
alwaysKeepRunning = true; alwaysKeepRunning = true;
settings = { settings = {
# Listen only on LAN interface # Listen only on LAN interface
interface = [ interface = "vlan20";
"vlan20"
"vlan1"
];
bind-interfaces = true; bind-interfaces = true;
# DHCP range and settings # DHCP range and settings
dhcp-range = [ dhcp-range = [
"10.12.14.100,10.12.14.200,1h" # LAN devices "10.12.14.100,10.12.14.200,24h"
"192.168.0.10,192.168.0.50,1h" # Management devices
] ]
++ lib.optionals config.networking.enableIPv6 [ ++ lib.optionals config.networking.enableIPv6 [
# IPv6 DHCP range # IPv6 DHCP range
"fd12:14::100,fd12:14::200,64,24h" "fd12:14::100,fd12:14::200,64,24h"
]; ];
# dhcp-option = [ dhcp-option = [
# "option:router,10.12.14.1" "option:router,10.12.14.1"
# "option:dns-server,10.12.14.1,1.1.1.1,8.8.8.8" "option:dns-server,1.1.1.1,8.8.8.8"
# ]; # "option:dns-server10.12.14.??" # Point to AdGuard,
];
# Static DHCP reservations # Static DHCP reservations
dhcp-host = [ dhcp-host = [
"00:BE:43:B9:F4:E0,H001,10.12.14.10" "00:BE:43:B9:F4:E0,H001,10.12.14.2"
# TODO add H002 for .11 "C8:C9:A3:2B:7B:19,PRUSA-MK4,10.12.14.108"
"C8:C9:A3:2B:7B:19,PRUSA-MK4,10.12.14.21" "24:E8:53:73:A3:C6,LGWEBOSTV,10.12.14.128"
"24:E8:53:73:A3:C6,LGWEBOSTV,10.12.14.30" "2C:CF:67:6A:45:47,HOMEASSISTANT,10.12.14.106"
"2C:CF:67:6A:45:47,HOMEASSISTANT,10.12.14.22" "2A:D0:EC:FA:B9:7E,PIXEL-6,10.12.14.115"
"2A:D0:EC:FA:B9:7E,PIXEL-6,10.12.14.31"
]; ];
enable-ra = lib.mkIf config.networking.enableIPv6 true; enable-ra = lib.mkIf config.networking.enableIPv6 true;
@ -200,8 +145,8 @@
# TODO ad guard # TODO ad guard
"1.1.1.1" "1.1.1.1"
"8.8.8.8" "8.8.8.8"
"2606:4700:4700::1111" # Cloudflare IPv6 "2606:4700:4700::1111" # Cloudflare IPv6
"2001:4860:4860::8888" # Google IPv6 "2001:4860:4860::8888" # Google IPv6
]; ];
}; };
}; };
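Review bot: In the dnsmasq `dhcp-option` list on the new side, `"option:dns-server,1.1.1.1,8.8.8.8"` hands LAN clients the public resolvers directly, so the port-53 opening on `vlan20` and the AdGuard filtering noted in the TODO are bypassed and every client's DNS leaves the router unfiltered; handing out the router itself, `"option:dns-server,10.12.14.1"` (the address already used for `option:router`), keeps resolution on dnsmasq and its configured upstreams. In the `vlan20` firewall block, `allowedTCPPorts` lists 67 and 68, but DHCP runs over UDP only, so those two TCP entries open nothing useful and should be dropped. The old side also carried `filterForward = true` with an explicit inter-VLAN drop rule; the new side has no forward filtering at all, which is plausibly fine now that vlan1 is gone, but a one-line comment on the `firewall` block saying so would stop the next reader from treating it as an omission. The enclosing `networking` attribute set starts before the first hunk.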