Split up router role into multiple roles

role/router-dhcp/default.nix

@@ -1,5 +1,4 @@
-{ routerAddress, netid, revIpDomain, prefixLength, domain, dhcpRange
+{ internalRouterIP, localDomain, dhcpRange, routerHostName, internalBridgeInterfaceName? "lan", localDnsPort? 5553}:
-, routerHostName, }:
 
 let pkgs = import <nixpkgs> { };
 in {
@@ -9,7 +8,7 @@ in {
     # Listen on this specific port instead of the standard DNS port
     # (53). Setting this to zero completely disables DNS function,
     # leaving only DHCP and/or TFTP.
-    port=5553
+    port=${localDnsPort}
 
     # The following two options make you a better netizen, since they
     # tell dnsmasq to filter out queries which the public DNS cannot
@@ -61,13 +60,13 @@ in {
 
     # Add local-only domains here, queries in these domains are answered
     # from /etc/hosts or DHCP only.
-    local=/${domain}/
+    local=/${localDomain}/
 
     # Add domains which you want to force to an IP address here.
     # The example below send any host in double-click.net to a local
     # web-server.
     #address=/double-click.net/127.0.0.1
-    address=/${routerHostName}.${domain}/${routerAddress}
+    address=/${routerHostName}.${localDomain}/${internalRouterIP}
 
     # --address (and --server) work with IPv6 addresses too.
     #address=/www.thekelleys.org.uk/fe80::20d:60ff:fe36:f83
@@ -90,7 +89,7 @@ in {
     # specified interfaces (and the loopback) give the name of the
     # interface (eg eth0) here.
     # Repeat the line for more than one interface.
-    interface=lan
+    interface=${internalBridgeInterfaceName}
     interface=lo
     # Or you can specify which interface _not_ to listen on
     #except-interface=
@@ -129,7 +128,7 @@ in {
     # 2) Sets the "domain" DHCP option thereby potentially setting the
     #    domain of all systems configured by DHCP
     # 3) Provides the domain part for "expand-hosts"
-    domain=${domain}
+    domain=${localDomain}
 
     # Set a different domain for a particular subnet
     #domain=wireless.thekelleys.org.uk,192.168.2.0/24
@@ -310,7 +309,7 @@ in {
     # Override the default route supplied by dnsmasq, which assumes the
     # router is the same machine as the one running dnsmasq.
     #dhcp-option=3,1.2.3.4
-    dhcp-option=6,${routerAddress}
+    dhcp-option=6,${internalRouterIP}
 
     # Do the same thing, but using the option name
     #dhcp-option=option:router,1.2.3.4
@@ -370,7 +369,7 @@ in {
 
     # Send RFC-3397 DNS domain search DHCP option. WARNING: Your DHCP client
     # probably doesn't support this......
-    dhcp-option=option:domain-search,${domain}
+    dhcp-option=option:domain-search,${localDomain}
 
     # Send RFC-3442 classless static routes (note the netmask encoding)
     #dhcp-option=121,192.168.1.0/24,1.2.3.4,10.0.0.0/8,5.6.7.8

role/router-dns/default.nix

@@ -1,22 +1,22 @@
-{ routerAddress, netid, revIpDomain, prefixLength, domain, }:
+{ internalRouterIP, networkIdIP, revIpDomain, internalPrefixLength? 24, localDomain, }:
 
 let pkgs = import <nixpkgs> { };
 in {
   services.unbound = {
     enable = true;
-    interfaces = [ "127.0.0.1" routerAddress ];
+    interfaces = [ "127.0.0.1" internalRouterIP ];
-    allowedAccess = [ "127.0.0.0/24" "${netid}/${toString prefixLength}" ];
+    allowedAccess = [ "127.0.0.0/24" "${networkIdIP}/${toString internalPrefixLength}" ];
     extraConfig = ''
       # Custom configuration (leave this note to assure indentation!)
         do-not-query-localhost: no
-        private-domain: "${domain}."
+        private-domain: "${localDomain}."
-        domain-insecure: "${domain}."
+        domain-insecure: "${localDomain}."
         private-domain: "${revIpDomain}.in-addr.arpa."
         domain-insecure: "${revIpDomain}.in-addr.arpa."
         local-zone: "${revIpDomain}.in-addr.arpa" transparent
 
         forward-zone:
-            name: "${domain}."
+            name: "${localDomain}."
             forward-addr: 127.0.0.1@5553
 
         forward-zone:

role/router/README.adoc

@@ -1,10 +1,10 @@
 == Router Role
 
-This role is applied on hosts which serve the rule of a SOHO router.
+The `router` role set is applied on hosts which serve the rule of a SOHO router.
 
 Features:
 
-* NAT and basic Firewalling
+* NAT and basic Firewalling (`router`)
-* Recursive DNS with `unbound` (DNSSEC validated)
+* Recursive DNS with `unbound` (DNSSEC validated) (`router-dns`)
-* Local DHCP and DNS with `dnsmasq`
+* Local DHCP and local DNS hostname resolution with `dnsmasq` (`router-dhcp`)
-* Wireless with `hostapd`
+* Wireless with `hostapd` (`router-wireless-ap`)

role/router/default.nix

@@ -1,47 +1,32 @@
 {
 # To get the MAC address of each card, use this command: cat /sys/class/net/*device_name*/address
 # Make sure to use the lower-case hex values in your udev rules. It does not like upper-case.
-wanInterface, wireless ? {
+wanInterface, wirelessInterfaces, lanInterfaces,
-  wleInterface = "wlp5s0";
+internalRouterIP,
-  wleSSID = "hauser";
+internalPrefixLength? 24,
-  # Generate Encrypted Passphrase with: wpa_passphrase <wleSSID> <passphrase>
+internalBridgeInterfaceName? "lan"
-  wlePassphrase =
+}:
-    "a5e42b914b5ad2b7e0474c3b9b35d0843a52668d30cd6aa8650ec43263a60b6e";
-}, lanInterfaces ? [ "enp2s0" "enp3s0" ], lanNetwork ? {
-  routerAddress = "10.1.1.1";
-  netid = "10.1.1.0";
-  revIpDomain = "1.1.10";
-  prefixLength = 24;
-  domain = "ilanz.fh2.ch";
-  dhcpRange = "10.1.1.2,10.1.1.249";
-  routerHostName = "router";
-}, }:
 
 let pkgs = import <nixpkgs> { };
 in {
-  imports = [
-    (import ./wireless-access-point.nix wireless)
-    (import ./dns-recursive.nix lanNetwork)
-  ];
-
   networking = {
     enableIPv6 = false; # TODO
     nat = {
       enable = true;
       externalInterface = wanInterface;
-      internalInterfaces = [ "lan" ];
+      internalInterfaces = [ internalBridgeInterfaceName ];
     };
 
-    bridges.lan.interfaces = lanInterfaces ++ [ wireless.wleInterface ];
+    bridges.lan.interfaces = lanInterfaces ++ wirelessInterfaces;
     interfaces.lan = {
       ipv4 = {
         addresses = [{
-          address = lanNetwork.routerAddress;
+          address = internalRouterIP;
-          prefixLength = lanNetwork.prefixLength;
+          prefixLength = internalPrefixLength;
         }];
       };
     };
-    firewall.trustedInterfaces = [ "lan" ];
+    firewall.trustedInterfaces = [ internalBridgeInterfaceName ];
   };
 
 }