hosts/carmel: reconfigure the host as a router

I'm not using it as a desktop, and the current router is getting old and
will likely fail in the near future. It's also a debian machine
configured manually, so let's reconfigure carmel as our new router.

There are three NICs in the host: 2 are 10Gb and one is 1Gb. The 1Gb
will be used as the upstream interface, and one of the 10Gb will be for
the LAN.

There are 2 VLANs to configure: one for IoT devices and one for guest.

1 files changed, 97 insertions, 20 deletions

diff --git a/hosts/carmel/networking.nix b/hosts/carmel/networking.nix
index 8ad9d3e..22d4e42 100644
--- a/hosts/carmel/networking.nix
+++ b/hosts/carmel/networking.nix
@@ -1,35 +1,112 @@
 { lib, ... }:
+let
+  ethLink = (name:
+    (mac: {
+      matchConfig = {
+        Type = "ether";
+        MACAddress = mac;
+      };
+      linkConfig.Name = name;
+    }));
+
+  vlanNetdev = (name:
+    (id: {
+      netdevConfig = {
+        Name = name;
+        Kind = "vlan";
+      };
+      vlanConfig.Id = id;
+    }));
 
+  vlanNetwork = (name:
+    (id: {
+      matchConfig.Name = name;
+
+      # Embed ID directly in IPv4 address for clarity.
+      address = [ "192.168.${toString id}.1/24" ];
+    }));
+in
 {
-  # Use systemd-networkd for networking
   systemd.network = {
     enable = true;
-    networks = {
-      enp9s0 = {
-        matchConfig.Name = "enp9s0";
-        networkConfig = { DHCP = "yes"; };
-        extraConfig = ''
-          [DHCPv4]
-          UseDNS=yes
-          UseDomains=yes
-        '';
+
+    links."10-wan0" = ethLink "wan0" "a8:a1:59:43:95:36";
+    networks."10-wan0" = {
+      matchConfig.Name = "wan0";
+      networkConfig.DHCP = "ipv4";
+      dhcpV4Config = {
+        UseDNS = true;
+        UseDomains = true;
       };
     };
+
+    links."15-mgmt0" = ethLink "mgmt0" "a0:36:9f:fa:5d:6c";
+    networks."15-mgmt0" = {
+      matchConfig.Name = "mgmt0";
+      address = [ "192.168.0.1/24" ];
+      vlan = [ "iot" "guest" ];
+      networkConfig = {
+        DHCP = "no";
+        Domains = "home";
+      };
+    };
+
+    # unused interface
+    links."16-mgmt1" = ethLink "mgmt1" "a0:36:9f:fa:5d:6d";
+
+    # IoT VLAN.
+    netdevs."25-iot" = vlanNetdev "iot" 10;
+    networks."25-iot" = vlanNetwork "iot" 10;
+
+    # Guest VLAN.
+    netdevs."30-guest" = vlanNetdev "guest" 20;
+    networks."30-guest" = vlanNetwork "guest" 20;
+
+    # ignore these interfaces, as they are not used
+    wait-online.ignoredInterfaces = [ "mgmt1" "wlp8s0" ];
   };
 
-  services.nscd.enable = false;
-  system.nssModules = lib.mkForce [ ];
+  # don't use systemd-resolved on the router
+  services.resolved.enable = false;
+
+  networking.hostName = "carmel";
+  networking.useDHCP = false;
 
-  # Use systemd-resolved
-  services.resolved = {
+  networking.firewall = {
     enable = true;
-    dnssec = "false";
+    allowPing = true;
+    # If rejectPackets = true, refused packets are rejected rather than dropped (ignored). This
+    # means that an ICMP "port unreachable" error message is sent back to the client (or a TCP RST
+    # packet in case of an existing connection). Rejecting packets makes port scanning somewhat
+    # easier.
+    rejectPackets = false;
+
+    trustedInterfaces = [ "mgmt0" "iot" "guest" ];
+
+    logRefusedConnections = true;
+    logRefusedPackets = false;
+    logReversePathDrops = true;
+
+    # Do not perform reverse path filter test on a packet.
+    checkReversePath = false;
+
+    interfaces = {
+      "wan0" = {
+        allowedTCPPorts = [
+          22 # ssh
+          51413 # transmission
+        ];
+        allowedUDPPorts = [
+          35947 # wireguard
+          51413 # transmission
+        ];
+      };
+    };
   };
 
-  networking = {
-    hostName = "carmel";
-    useNetworkd = true;
-    useDHCP = false;
-    private-wireguard.enable = true;
+  networking.nat = {
+    enable = true;
+    externalInterface = "wan0";
+    internalInterfaces = [ "mgmt0" "guest" "iot" ];
   };
 }