From 508b86c9cccc77921954eed401db72c343a92903 Mon Sep 17 00:00:00 2001
From: Fabian Hauser
Date: Sun, 17 May 2020 12:04:30 +0000
Subject: [PATCH] Split up router role into multiple roles
---
 .../dns-local.nix => router-dhcp/default.nix} | 17 +++++----
 .../default.nix} | 12 +++----
 .../default.nix} | 0
 .../hostapd5ghz.nix | 0
 role/router/README.adoc | 10 +++---
 role/router/default.nix | 35 ++++++-------------
 6 files changed, 29 insertions(+), 45 deletions(-)
 rename role/{router/dns-local.nix => router-dhcp/default.nix} (98%)
 rename role/{router/dns-recursive.nix => router-dns/default.nix} (61%)
 rename role/{router/wireless-access-point.nix => router-wireless-ap/default.nix} (100%)
 rename role/{router => router-wireless-ap}/hostapd5ghz.nix (100%)
diff --git a/role/router/dns-local.nix b/role/router-dhcp/default.nix
similarity index 98%
rename from role/router/dns-local.nix
rename to role/router-dhcp/default.nix
index fee2a98..6f1cc23 100644
--- a/role/router/dns-local.nix
+++ b/role/router-dhcp/default.nix
@@ -1,5 +1,4 @@
-{ routerAddress, netid, revIpDomain, prefixLength, domain, dhcpRange
-, routerHostName, }:
+{ internalRouterIP, localDomain, dhcpRange, routerHostName, internalBridgeInterfaceName? "lan", localDnsPort? 5553}:
 let pkgs = import { };
 in {
@@ -9,7 +8,7 @@ in {
 # Listen on this specific port instead of the standard DNS port
 # (53). Setting this to zero completely disables DNS function,
 # leaving only DHCP and/or TFTP.
- port=5553
+ port=${localDnsPort}
 # The following two options make you a better netizen, since they
 # tell dnsmasq to filter out queries which the public DNS cannot
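Review bot: `localDnsPort? 5553` in the new parameter list defaults to an integer, but the second hunk interpolates it unconverted as `port=${localDnsPort}` inside the dnsmasq configuration string, and Nix does not coerce integers inside `${…}`, so evaluating the role with the default fails instead of yielding `port=5553`. Write `port=${toString localDnsPort}`, as the router-dns role in this same commit already does for `internalPrefixLength`, or default the parameter to the string `"5553"`. The string that holds these dnsmasq lines begins and ends outside the two hunks.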
@@ -61,13 +60,13 @@ in {
 # Add local-only domains here, queries in these domains are answered
 # from /etc/hosts or DHCP only.
- local=/${domain}/
+ local=/${localDomain}/
 # Add domains which you want to force to an IP address here.
 # The example below send any host in double-click.net to a local
 # web-server.
 #address=/double-click.net/127.0.0.1
- address=/${routerHostName}.${domain}/${routerAddress}
+ address=/${routerHostName}.${localDomain}/${internalRouterIP}
 # --address (and --server) work with IPv6 addresses too.
 #address=/www.thekelleys.org.uk/fe80::20d:60ff:fe36:f83
@@ -90,7 +89,7 @@ in {
 # specified interfaces (and the loopback) give the name of the
 # interface (eg eth0) here.
 # Repeat the line for more than one interface.
- interface=lan
+ interface=${internalBridgeInterfaceName}
 interface=lo
 # Or you can specify which interface _not_ to listen on
 #except-interface=
@@ -129,7 +128,7 @@ in {
 # 2) Sets the "domain" DHCP option thereby potentially setting the
 # domain of all systems configured by DHCP
 # 3) Provides the domain part for "expand-hosts"
- domain=${domain}
+ domain=${localDomain}
 # Set a different domain for a particular subnet
 #domain=wireless.thekelleys.org.uk,192.168.2.0/24
@@ -310,7 +309,7 @@ in {
 # Override the default route supplied by dnsmasq, which assumes the
 # router is the same machine as the one running dnsmasq.
 #dhcp-option=3,1.2.3.4
- dhcp-option=6,${routerAddress}
+ dhcp-option=6,${internalRouterIP}
 # Do the same thing, but using the option name
 #dhcp-option=option:router,1.2.3.4
@@ -370,7 +369,7 @@ in {
 # Send RFC-3397 DNS domain search DHCP option. WARNING: Your DHCP client
 # probably doesn't support this......
- dhcp-option=option:domain-search,${domain}
+ dhcp-option=option:domain-search,${localDomain}
 # Send RFC-3442 classless static routes (note the netmask encoding)
 #dhcp-option=121,192.168.1.0/24,1.2.3.4,10.0.0.0/8,5.6.7.8
diff --git a/role/router/dns-recursive.nix b/role/router-dns/default.nix
similarity index 61%
rename from role/router/dns-recursive.nix
rename to role/router-dns/default.nix
index 5c6c019..a7aba93 100644
--- a/role/router/dns-recursive.nix
+++ b/role/router-dns/default.nix
@@ -1,22 +1,22 @@
-{ routerAddress, netid, revIpDomain, prefixLength, domain, }:
+{ internalRouterIP, networkIdIP, revIpDomain, internalPrefixLength? 24, localDomain, }:
 let pkgs = import { };
 in {
 services.unbound = {
 enable = true;
- interfaces = [ "127.0.0.1" routerAddress ];
- allowedAccess = [ "127.0.0.0/24" "${netid}/${toString prefixLength}" ];
+ interfaces = [ "127.0.0.1" internalRouterIP ];
+ allowedAccess = [ "127.0.0.0/24" "${networkIdIP}/${toString internalPrefixLength}" ];
 extraConfig = ''
 # Custom configuration (leave this note to assure indentation!)
 do-not-query-localhost: no
- private-domain: "${domain}."
- domain-insecure: "${domain}."
+ private-domain: "${localDomain}."
+ domain-insecure: "${localDomain}."
 private-domain: "${revIpDomain}.in-addr.arpa."
 domain-insecure: "${revIpDomain}.in-addr.arpa."
 local-zone: "${revIpDomain}.in-addr.arpa" transparent
 forward-zone:
- name: "${domain}."
+ name: "${localDomain}."
 forward-addr: 127.0.0.1@5553
 forward-zone:
diff --git a/role/router/wireless-access-point.nix b/role/router-wireless-ap/default.nix
similarity index 100%
rename from role/router/wireless-access-point.nix
rename to role/router-wireless-ap/default.nix
diff --git a/role/router/hostapd5ghz.nix b/role/router-wireless-ap/hostapd5ghz.nix
similarity index 100%
rename from role/router/hostapd5ghz.nix
rename to role/router-wireless-ap/hostapd5ghz.nix
diff --git a/role/router/README.adoc b/role/router/README.adoc
index ff193d2..c9d3816 100644
--- a/role/router/README.adoc
+++ b/role/router/README.adoc
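Review bot: `forward-addr: 127.0.0.1@5553` stays hard-coded although the router-dhcp role in this same commit turns the dnsmasq listening port into a `localDnsPort` parameter; a host that passes a different port there gets an unbound that forwards `${localDomain}.` to a port nothing listens on, and local names silently stop resolving. Accept the same parameter here, `localDnsPort? 5553`, and emit `forward-addr: 127.0.0.1@${toString localDnsPort}`. `networkIdIP`, `internalPrefixLength` and `revIpDomain` were previously taken together from the single `lanNetwork` set and still have to describe one subnet, because the `allowedAccess` list built from the first two is the only access control visible for this resolver; a comment on the parameter line such as `# networkIdIP/internalPrefixLength must be the LAN subnet and revIpDomain its reversed prefix (e.g. 10.1.1.0/24 -> 1.1.10)` would make that contract explicit. The `extraConfig` string and the enclosing attribute set continue past the final `forward-zone:` line outside the hunk.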
@@ -1,10 +1,10 @@
 == Router Role
-This role is applied on hosts which serve the rule of a SOHO router.
+The `router` role set is applied on hosts which serve the rule of a SOHO router.
 Features:
-* NAT and basic Firewalling
-* Recursive DNS with `unbound` (DNSSEC validated)
-* Local DHCP and DNS with `dnsmasq`
-* Wireless with `hostapd`
+* NAT and basic Firewalling (`router`)
+* Recursive DNS with `unbound` (DNSSEC validated) (`router-dns`)
+* Local DHCP and local DNS hostname resolution with `dnsmasq` (`router-dhcp`)
+* Wireless with `hostapd` (`router-wireless-ap`)
diff --git a/role/router/default.nix b/role/router/default.nix
index 3d5e828..c0a8d79 100644
--- a/role/router/default.nix
+++ b/role/router/default.nix
@@ -1,47 +1,32 @@
 {
 # To get the MAC address of each card, use this command: cat /sys/class/net/*device_name*/address
 # Make sure to use the lower-case hex values in your udev rules. It does not like upper-case.
-wanInterface, wireless ? {
- wleInterface = "wlp5s0";
- wleSSID = "hauser";
- # Generate Encrypted Passphrase with: wpa_passphrase
- wlePassphrase =
- "a5e42b914b5ad2b7e0474c3b9b35d0843a52668d30cd6aa8650ec43263a60b6e";
-}, lanInterfaces ? [ "enp2s0" "enp3s0" ], lanNetwork ? {
- routerAddress = "10.1.1.1";
- netid = "10.1.1.0";
- revIpDomain = "1.1.10";
- prefixLength = 24;
- domain = "ilanz.fh2.ch";
- dhcpRange = "10.1.1.2,10.1.1.249";
- routerHostName = "router";
-}, }:
+wanInterface, wirelessInterfaces, lanInterfaces,
+internalRouterIP,
+internalPrefixLength? 24,
+internalBridgeInterfaceName? "lan"
+}:
 let pkgs = import { };
 in {
- imports = [
- (import ./wireless-access-point.nix wireless)
- (import ./dns-recursive.nix lanNetwork)
- ];
 networking = {
 enableIPv6 = false; # TODO
 nat = {
 enable = true;
 externalInterface = wanInterface;
- internalInterfaces = [ "lan" ];
+ internalInterfaces = [ internalBridgeInterfaceName ];
 };
- bridges.lan.interfaces = lanInterfaces ++ [ wireless.wleInterface ];
+ bridges.lan.interfaces = lanInterfaces ++ wirelessInterfaces;
 interfaces.lan = {
 ipv4 = {
 addresses = [{
- address = lanNetwork.routerAddress;
- prefixLength = lanNetwork.prefixLength;
+ address = internalRouterIP;
+ prefixLength = internalPrefixLength;
 }];
 };
 };
- firewall.trustedInterfaces = [ "lan" ];
+ firewall.trustedInterfaces = [ internalBridgeInterfaceName ];
 };
 }
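Review bot: The bridge is still created as `bridges.lan.interfaces` and addressed as `interfaces.lan`, while `nat.internalInterfaces` and `firewall.trustedInterfaces` now take `internalBridgeInterfaceName`; with any value other than the default `"lan"`, NAT and the trusted-interface rule would refer to an interface that is never created, and the bridge that is actually brought up would be neither masqueraded nor trusted. Use the parameter in all four places: `bridges.${internalBridgeInterfaceName}.interfaces = lanInterfaces ++ wirelessInterfaces;` and `interfaces.${internalBridgeInterfaceName} = {`. `wirelessInterfaces` has no default, so a host without a wireless card has to pass `[]` explicitly; `wirelessInterfaces ? []` would avoid that. The WPA PSK that the removed default embedded is gone from the file but remains in the repository history, so it should be treated as exposed and the network key rotated.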