Split up router role into multiple roles
This commit is contained in:
parent
51ac8518a2
commit
508b86c9cc
6 changed files with 29 additions and 45 deletions
|
|
@ -1,5 +1,4 @@
|
||||||
{ routerAddress, netid, revIpDomain, prefixLength, domain, dhcpRange
|
{ internalRouterIP, localDomain, dhcpRange, routerHostName, internalBridgeInterfaceName? "lan", localDnsPort? 5553}:
|
||||||
, routerHostName, }:
|
|
||||||
|
|
||||||
let pkgs = import <nixpkgs> { };
|
let pkgs = import <nixpkgs> { };
|
||||||
in {
|
in {
|
||||||
|
|
@ -9,7 +8,7 @@ in {
|
||||||
# Listen on this specific port instead of the standard DNS port
|
# Listen on this specific port instead of the standard DNS port
|
||||||
# (53). Setting this to zero completely disables DNS function,
|
# (53). Setting this to zero completely disables DNS function,
|
||||||
# leaving only DHCP and/or TFTP.
|
# leaving only DHCP and/or TFTP.
|
||||||
port=5553
|
port=${localDnsPort}
|
||||||
|
|
||||||
# The following two options make you a better netizen, since they
|
# The following two options make you a better netizen, since they
|
||||||
# tell dnsmasq to filter out queries which the public DNS cannot
|
# tell dnsmasq to filter out queries which the public DNS cannot
|
||||||
|
|
@ -61,13 +60,13 @@ in {
|
||||||
|
|
||||||
# Add local-only domains here, queries in these domains are answered
|
# Add local-only domains here, queries in these domains are answered
|
||||||
# from /etc/hosts or DHCP only.
|
# from /etc/hosts or DHCP only.
|
||||||
local=/${domain}/
|
local=/${localDomain}/
|
||||||
|
|
||||||
# Add domains which you want to force to an IP address here.
|
# Add domains which you want to force to an IP address here.
|
||||||
# The example below send any host in double-click.net to a local
|
# The example below send any host in double-click.net to a local
|
||||||
# web-server.
|
# web-server.
|
||||||
#address=/double-click.net/127.0.0.1
|
#address=/double-click.net/127.0.0.1
|
||||||
address=/${routerHostName}.${domain}/${routerAddress}
|
address=/${routerHostName}.${localDomain}/${internalRouterIP}
|
||||||
|
|
||||||
# --address (and --server) work with IPv6 addresses too.
|
# --address (and --server) work with IPv6 addresses too.
|
||||||
#address=/www.thekelleys.org.uk/fe80::20d:60ff:fe36:f83
|
#address=/www.thekelleys.org.uk/fe80::20d:60ff:fe36:f83
|
||||||
|
|
@ -90,7 +89,7 @@ in {
|
||||||
# specified interfaces (and the loopback) give the name of the
|
# specified interfaces (and the loopback) give the name of the
|
||||||
# interface (eg eth0) here.
|
# interface (eg eth0) here.
|
||||||
# Repeat the line for more than one interface.
|
# Repeat the line for more than one interface.
|
||||||
interface=lan
|
interface=${internalBridgeInterfaceName}
|
||||||
interface=lo
|
interface=lo
|
||||||
# Or you can specify which interface _not_ to listen on
|
# Or you can specify which interface _not_ to listen on
|
||||||
#except-interface=
|
#except-interface=
|
||||||
|
|
@ -129,7 +128,7 @@ in {
|
||||||
# 2) Sets the "domain" DHCP option thereby potentially setting the
|
# 2) Sets the "domain" DHCP option thereby potentially setting the
|
||||||
# domain of all systems configured by DHCP
|
# domain of all systems configured by DHCP
|
||||||
# 3) Provides the domain part for "expand-hosts"
|
# 3) Provides the domain part for "expand-hosts"
|
||||||
domain=${domain}
|
domain=${localDomain}
|
||||||
|
|
||||||
# Set a different domain for a particular subnet
|
# Set a different domain for a particular subnet
|
||||||
#domain=wireless.thekelleys.org.uk,192.168.2.0/24
|
#domain=wireless.thekelleys.org.uk,192.168.2.0/24
|
||||||
|
|
@ -310,7 +309,7 @@ in {
|
||||||
# Override the default route supplied by dnsmasq, which assumes the
|
# Override the default route supplied by dnsmasq, which assumes the
|
||||||
# router is the same machine as the one running dnsmasq.
|
# router is the same machine as the one running dnsmasq.
|
||||||
#dhcp-option=3,1.2.3.4
|
#dhcp-option=3,1.2.3.4
|
||||||
dhcp-option=6,${routerAddress}
|
dhcp-option=6,${internalRouterIP}
|
||||||
|
|
||||||
# Do the same thing, but using the option name
|
# Do the same thing, but using the option name
|
||||||
#dhcp-option=option:router,1.2.3.4
|
#dhcp-option=option:router,1.2.3.4
|
||||||
|
|
@ -370,7 +369,7 @@ in {
|
||||||
|
|
||||||
# Send RFC-3397 DNS domain search DHCP option. WARNING: Your DHCP client
|
# Send RFC-3397 DNS domain search DHCP option. WARNING: Your DHCP client
|
||||||
# probably doesn't support this......
|
# probably doesn't support this......
|
||||||
dhcp-option=option:domain-search,${domain}
|
dhcp-option=option:domain-search,${localDomain}
|
||||||
|
|
||||||
# Send RFC-3442 classless static routes (note the netmask encoding)
|
# Send RFC-3442 classless static routes (note the netmask encoding)
|
||||||
#dhcp-option=121,192.168.1.0/24,1.2.3.4,10.0.0.0/8,5.6.7.8
|
#dhcp-option=121,192.168.1.0/24,1.2.3.4,10.0.0.0/8,5.6.7.8
|
||||||
|
|
@ -1,22 +1,22 @@
|
||||||
{ routerAddress, netid, revIpDomain, prefixLength, domain, }:
|
{ internalRouterIP, networkIdIP, revIpDomain, internalPrefixLength? 24, localDomain, }:
|
||||||
|
|
||||||
let pkgs = import <nixpkgs> { };
|
let pkgs = import <nixpkgs> { };
|
||||||
in {
|
in {
|
||||||
services.unbound = {
|
services.unbound = {
|
||||||
enable = true;
|
enable = true;
|
||||||
interfaces = [ "127.0.0.1" routerAddress ];
|
interfaces = [ "127.0.0.1" internalRouterIP ];
|
||||||
allowedAccess = [ "127.0.0.0/24" "${netid}/${toString prefixLength}" ];
|
allowedAccess = [ "127.0.0.0/24" "${networkIdIP}/${toString internalPrefixLength}" ];
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
# Custom configuration (leave this note to assure indentation!)
|
# Custom configuration (leave this note to assure indentation!)
|
||||||
do-not-query-localhost: no
|
do-not-query-localhost: no
|
||||||
private-domain: "${domain}."
|
private-domain: "${localDomain}."
|
||||||
domain-insecure: "${domain}."
|
domain-insecure: "${localDomain}."
|
||||||
private-domain: "${revIpDomain}.in-addr.arpa."
|
private-domain: "${revIpDomain}.in-addr.arpa."
|
||||||
domain-insecure: "${revIpDomain}.in-addr.arpa."
|
domain-insecure: "${revIpDomain}.in-addr.arpa."
|
||||||
local-zone: "${revIpDomain}.in-addr.arpa" transparent
|
local-zone: "${revIpDomain}.in-addr.arpa" transparent
|
||||||
|
|
||||||
forward-zone:
|
forward-zone:
|
||||||
name: "${domain}."
|
name: "${localDomain}."
|
||||||
forward-addr: 127.0.0.1@5553
|
forward-addr: 127.0.0.1@5553
|
||||||
|
|
||||||
forward-zone:
|
forward-zone:
|
||||||
|
|
@ -1,10 +1,10 @@
|
||||||
== Router Role
|
== Router Role
|
||||||
|
|
||||||
This role is applied on hosts which serve the rule of a SOHO router.
|
The `router` role set is applied on hosts which serve the rule of a SOHO router.
|
||||||
|
|
||||||
Features:
|
Features:
|
||||||
|
|
||||||
* NAT and basic Firewalling
|
* NAT and basic Firewalling (`router`)
|
||||||
* Recursive DNS with `unbound` (DNSSEC validated)
|
* Recursive DNS with `unbound` (DNSSEC validated) (`router-dns`)
|
||||||
* Local DHCP and DNS with `dnsmasq`
|
* Local DHCP and local DNS hostname resolution with `dnsmasq` (`router-dhcp`)
|
||||||
* Wireless with `hostapd`
|
* Wireless with `hostapd` (`router-wireless-ap`)
|
||||||
|
|
|
||||||
|
|
@ -1,47 +1,32 @@
|
||||||
{
|
{
|
||||||
# To get the MAC address of each card, use this command: cat /sys/class/net/*device_name*/address
|
# To get the MAC address of each card, use this command: cat /sys/class/net/*device_name*/address
|
||||||
# Make sure to use the lower-case hex values in your udev rules. It does not like upper-case.
|
# Make sure to use the lower-case hex values in your udev rules. It does not like upper-case.
|
||||||
wanInterface, wireless ? {
|
wanInterface, wirelessInterfaces, lanInterfaces,
|
||||||
wleInterface = "wlp5s0";
|
internalRouterIP,
|
||||||
wleSSID = "hauser";
|
internalPrefixLength? 24,
|
||||||
# Generate Encrypted Passphrase with: wpa_passphrase <wleSSID> <passphrase>
|
internalBridgeInterfaceName? "lan"
|
||||||
wlePassphrase =
|
}:
|
||||||
"a5e42b914b5ad2b7e0474c3b9b35d0843a52668d30cd6aa8650ec43263a60b6e";
|
|
||||||
}, lanInterfaces ? [ "enp2s0" "enp3s0" ], lanNetwork ? {
|
|
||||||
routerAddress = "10.1.1.1";
|
|
||||||
netid = "10.1.1.0";
|
|
||||||
revIpDomain = "1.1.10";
|
|
||||||
prefixLength = 24;
|
|
||||||
domain = "ilanz.fh2.ch";
|
|
||||||
dhcpRange = "10.1.1.2,10.1.1.249";
|
|
||||||
routerHostName = "router";
|
|
||||||
}, }:
|
|
||||||
|
|
||||||
let pkgs = import <nixpkgs> { };
|
let pkgs = import <nixpkgs> { };
|
||||||
in {
|
in {
|
||||||
imports = [
|
|
||||||
(import ./wireless-access-point.nix wireless)
|
|
||||||
(import ./dns-recursive.nix lanNetwork)
|
|
||||||
];
|
|
||||||
|
|
||||||
networking = {
|
networking = {
|
||||||
enableIPv6 = false; # TODO
|
enableIPv6 = false; # TODO
|
||||||
nat = {
|
nat = {
|
||||||
enable = true;
|
enable = true;
|
||||||
externalInterface = wanInterface;
|
externalInterface = wanInterface;
|
||||||
internalInterfaces = [ "lan" ];
|
internalInterfaces = [ internalBridgeInterfaceName ];
|
||||||
};
|
};
|
||||||
|
|
||||||
bridges.lan.interfaces = lanInterfaces ++ [ wireless.wleInterface ];
|
bridges.lan.interfaces = lanInterfaces ++ wirelessInterfaces;
|
||||||
interfaces.lan = {
|
interfaces.lan = {
|
||||||
ipv4 = {
|
ipv4 = {
|
||||||
addresses = [{
|
addresses = [{
|
||||||
address = lanNetwork.routerAddress;
|
address = internalRouterIP;
|
||||||
prefixLength = lanNetwork.prefixLength;
|
prefixLength = internalPrefixLength;
|
||||||
}];
|
}];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
firewall.trustedInterfaces = [ "lan" ];
|
firewall.trustedInterfaces = [ internalBridgeInterfaceName ];
|
||||||
};
|
};
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Loading…
Add table
Reference in a new issue