Diffstat (limited to 'hosts/carmel/networking.nix')
-rw-r--r-- | hosts/carmel/networking.nix | 117 |
1 files changed, 97 insertions, 20 deletions
diff --git a/hosts/carmel/networking.nix b/hosts/carmel/networking.nix
index 8ad9d3e..22d4e42 100644
--- a/hosts/carmel/networking.nix
+++ b/hosts/carmel/networking.nix
@@ -1,35 +1,112 @@ { lib, ... }: +let + ethLink = (name: + (mac: { + matchConfig = { + Type = "ether"; + MACAddress = mac; + }; + linkConfig.Name = name; + })); + + vlanNetdev = (name: + (id: { + netdevConfig = { + Name = name; + Kind = "vlan"; + }; + vlanConfig.Id = id; + })); + vlanNetwork = (name: + (id: { + matchConfig.Name = name; + + # Embed ID directly in IPv4 address for clarity. + address = [ "192.168.${toString id}.1/24" ]; + })); +in { - # Use systemd-networkd for networking systemd.network = { enable = true; - networks = { - enp9s0 = { - matchConfig.Name = "enp9s0"; - networkConfig = { DHCP = "yes"; }; - extraConfig = '' - [DHCPv4] - UseDNS=yes - UseDomains=yes - ''; + + links."10-wan0" = ethLink "wan0" "a8:a1:59:43:95:36"; + networks."10-wan0" = { + matchConfig.Name = "wan0"; + networkConfig.DHCP = "ipv4"; + dhcpV4Config = { + UseDNS = true; + UseDomains = true; }; }; + + links."15-mgmt0" = ethLink "mgmt0" "a0:36:9f:fa:5d:6c"; + networks."15-mgmt0" = { + matchConfig.Name = "mgmt0"; + address = [ "192.168.0.1/24" ]; + vlan = [ "iot" "guest" ]; + networkConfig = { + DHCP = "no"; + Domains = "home"; + }; + }; + + # unused interface + links."16-mgmt1" = ethLink "mgmt1" "a0:36:9f:fa:5d:6d"; + + # IoT VLAN. + netdevs."25-iot" = vlanNetdev "iot" 10; + networks."25-iot" = vlanNetwork "iot" 10; + + # Guest VLAN. + netdevs."30-guest" = vlanNetdev "guest" 20; + networks."30-guest" = vlanNetwork "guest" 20; + + # ignore these interfaces, as they are not used + wait-online.ignoredInterfaces = [ "mgmt1" "wlp8s0" ]; }; - services.nscd.enable = false; - system.nssModules = lib.mkForce [ ]; + # don't use systemd-resolved on the router + services.resolved.enable = false; + + networking.hostName = "carmel"; + networking.useDHCP = false; - # Use systemd-resolved - services.resolved = { + networking.firewall = { enable = true; - dnssec = "false"; + allowPing = true; + # If rejectPackets = true, refused packets are rejected rather than dropped (ignored). 
This + # means that an ICMP "port unreachable" error message is sent back to the client (or a TCP RST + # packet in case of an existing connection). Rejecting packets makes port scanning somewhat + # easier. + rejectPackets = false; + + trustedInterfaces = [ "mgmt0" "iot" "guest" ]; + + logRefusedConnections = true; + logRefusedPackets = false; + logReversePathDrops = true; + + # Do not perform reverse path filter test on a packet. + checkReversePath = false; + + interfaces = { + "wan0" = { + allowedTCPPorts = [ + 22 # ssh + 51413 # transmission + ]; + allowedUDPPorts = [ + 35947 # wireguard + 51413 # transmission + ]; + }; + }; }; - networking = { - hostName = "carmel"; - useNetworkd = true; - useDHCP = false; - private-wireguard.enable = true; + networking.nat = { + enable = true; + externalInterface = "wan0"; + internalInterfaces = [ "mgmt0" "guest" "iot" ]; }; } |
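Review bot: `trustedInterfaces = [ "mgmt0" "iot" "guest" ];` in the `networking.firewall` block exempts the IoT and guest VLANs from input filtering entirely, so hosts on those segments can reach every service listening on the router, which undercuts the segmentation the two VLAN netdevs are created for earlier in the hunk. Unless that is intended, keep only `trustedInterfaces = [ "mgmt0" ];` and open just the ports those segments need (DHCP/DNS, if the router serves them) under `interfaces."iot"` and `interfaces."guest"`, mirroring the existing `interfaces."wan0"` entry. Separately, `checkReversePath = false;` is paired with `logRefusedConnections`/`logReversePathDrops = true;`, and the reverse-path log option appears to have no effect once the check itself is disabled, while the comment above it only restates the option; replace it with the reason the check is off (for example asymmetric routing over the WireGuard port opened on `wan0`), or use `checkReversePath = "loose";` if only the strict mode is what breaks. Note also that nothing in this hunk restricts forwarding between mgmt0, iot and guest once `networking.nat` turns on IP forwarding, so if the VLANs are meant to be isolated from the management segment that needs a forward rule the commit does not add.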