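{ config, lib, pkgs, ... }:
# NixOS home/office router module.
#
# Topology: the wired LAN port (enp2s0) and the tinc "office" tap are bridged
# into br0, which is the single internal segment that gets NAT to the
# external interface (enp1s0) plus DNS/DHCP from dnsmasq. A hostapd AP is
# started on wlp4s0 but is not yet part of the bridge (see TODO below).
#
# Secrets: every value written here (WiFi passphrase, ddclient password,
# tinc public keys) lands in the world-readable Nix store via the generated
# config files. Keep real values out of version control and, where the
# module options allow it, load them from files outside the store.
#
# TODO: Hairpinning is only partly handled by the SNAT rule in
#       networking.nat.extraCommands; verify it for every forwarded port.
# TODO: WiFi AP
#  - NAT
#  - DHCP
#  (both require wlp4s0 to be added to the br0 bridge)
let
  externalInterface = "enp1s0";
  internalEthernetInterface = "enp2s0";
  internalInterface = "br0";
  subnetPrefix = "192.168.1";
  subnetPrefixLength = 24;
  subnet = "${subnetPrefix}.0/${toString subnetPrefixLength}";
  internalInterfaceIpSuffix = ".1";
  internalIpAddress = "${subnetPrefix}${internalInterfaceIpSuffix}";
  upstreamDnsServers = [
    "8.8.8.8"
    "8.8.4.4"
  ];
  # Public DNS name of this router: kept current by ddclient and used as the
  # tinc "Address" other nodes connect to. Placeholder; replace it.
  publicDomain = "your.domain";
  # LAN hosts with a fixed address: name -> { mac, ip }. Every entry becomes a
  # dnsmasq DHCP reservation. `example-host` is also the HTTP port-forward and
  # DMZ target below, so the attribute must exist or this module fails to
  # evaluate ("attribute 'example-host' missing").
  clients = {
    example-host = {
      mac = "00:00:00:00:00:00"; # placeholder: replace with the real MAC
      ip = "${subnetPrefix}.2";  # static; outside the dhcp-range handed out below
    };
  };
in {
  networking.domain = "office";
  # Resolve through the local dnsmasq first, then the upstreams directly.
  networking.nameservers = [ "127.0.0.1" ] ++ upstreamDnsServers;
  networking.hosts = {
    ${internalIpAddress} = [
      config.networking.hostName
      (config.networking.hostName + "." + config.networking.domain)
    ];
  };
  # Everything attached to this bridge is "inside": it gets DHCP, DNS and NAT
  # without any filtering. tinc.office is added by the tinc-up script below.
  networking.bridges = {
    ${internalInterface}.interfaces = [
      internalEthernetInterface
    ];
  };
  networking.firewall = {
    enable = true;
    allowPing = true;
    # Ports listed here are opened on EVERY interface, including the WAN side.
    # DNS (53) and DHCP (67) are deliberately NOT listed: they are admitted
    # only on the internal interface by extraCommands below, so the router is
    # not an open resolver towards the Internet. SSH from outside arrives via
    # the TCP 22222 -> 22 entry in networking.nat.forwardPorts (a TCP forward,
    # so a UDP 22222 allowance would be useless).
    allowedUDPPorts = [
      655 # TINC
    ];
    #NOTE: Ports MUST be in the `forwardPorts` below to go to this machine, even if the port is the same; otherwise they will go to the DMZ host
    allowedTCPPorts = [
      655 # TINC
      80 # http nginx
      5201 # iperf
    ];
    # NOTE(review): after the DNAT of external port 22222 the packet reaches
    # nixos-fw with dport 22 on ${externalInterface}. Nothing here opens 22;
    # this relies on services.openssh.openFirewall (not shown) — confirm.
    extraCommands = ''
      # Allow certain traffic only on the internal interface
      # - DNS (UDP, plus TCP for truncated/large answers)
      ip46tables -A nixos-fw -i ${internalInterface} -p udp --dport 53 -j nixos-fw-accept
      ip46tables -A nixos-fw -i ${internalInterface} -p tcp --dport 53 -j nixos-fw-accept
      # - DHCP
      ip46tables -A nixos-fw -i ${internalInterface} -p udp --dport 67 -j nixos-fw-accept
    '';
  };
  networking.nat = {
    enable = true;
    internalIPs = [ subnet ];
    inherit externalInterface;
    forwardPorts = [
      # HTTP
      { sourcePort = 80; proto = "tcp"; destination = "${clients.example-host.ip}:80"; }
      # SSH to router
      { sourcePort = 22222; proto = "tcp"; destination = "${internalIpAddress}:22"; }
    ];
    # All other unsolicited traffic from the WAN is DNAT'd to this host, so it
    # is fully exposed to the Internet; keep it hardened.
    dmzHost = clients.example-host.ip;
    # Hairpin NAT: when a LAN client reaches a forwarded port through the
    # external address, the DNAT'd packet is additionally SNAT'd to the router
    # so the reply comes back through the router instead of going directly to
    # the client (which would drop it). Restricted to LAN sources so that
    # genuine WAN connections keep their real source address in the DMZ/HTTP
    # host's logs and access controls.
    extraCommands = ''
      iptables -t nat -A nixos-nat-post -s ${subnet} -d ${subnet} -j SNAT --to-source ${internalIpAddress}
    '';
  };
  networking.interfaces = {
    ${internalInterface} = {
      ipAddress = internalIpAddress;
      prefixLength = subnetPrefixLength;
    };
  };
  services.hostapd = {
    enable = true;
    # Not yet part of ${internalInterface}, so WiFi clients currently get
    # neither DHCP nor NAT (see the TODO at the top).
    interface = "wlp4s0";
    ssid = "router-direct-wifi";
    # Placeholder. This ends up verbatim in the generated hostapd.conf in the
    # Nix store, readable by every local user; change it and keep the real
    # value out of version control.
    wpaPassphrase = "wpapassphrase";
    hwMode = "g";
    channel = 10;
  };
  services.dnsmasq = {
    enable = true;
    servers = upstreamDnsServers;
    extraConfig = ''
      domain=${config.networking.domain}
      # Listen only on the LAN bridge, never on the WAN side.
      interface=${internalInterface}
      bind-interfaces
      # Do not leak unqualified names or the local zone to the upstreams, and
      # answer private-range reverse lookups locally.
      domain-needed
      bogus-priv
      local=/${config.networking.domain}/
      # Refuse upstream answers that point into private address space
      # (DNS-rebinding protection); localhost answers are still allowed.
      stop-dns-rebind
      rebind-localhost-ok
      dhcp-range=${subnetPrefix}.10,${subnetPrefix}.254,24h
      dhcp-option=15,${config.networking.domain}
      # DHCP Reservations
      ${lib.concatMapStrings (name: ''
        dhcp-host=${clients.${name}.mac},${clients.${name}.ip},${name}
      '') (builtins.attrNames clients)}
    '';
  };
  # Disabled on purpose: enabling UPnP/NAT-PMP lets any LAN (or tinc) host
  # open arbitrary inbound ports on the WAN side without further checks.
  services.miniupnpd = {
    enable = false;
    inherit externalInterface;
    natpmp = true;
    internalIPs = [ internalInterface ];
  };
  services.ddclient = {
    enable = true;
    domain = publicDomain;
    # Placeholders. The password is written into the ddclient config in the
    # Nix store; anyone with local access can read it and repoint the domain.
    # NOTE(review): prefer a file-based secret option if the installed NixOS
    # ddclient module offers one — confirm before relying on it.
    username = "someuser";
    password = "somepassword";
  };
  # Attach the tinc tap to the LAN bridge: remote tinc peers become layer-2
  # members of the internal network, with the same DHCP/DNS/NAT as a cabled
  # host, so every peer listed in `hosts` is trusted like a local machine.
  environment.etc."tinc/office/tinc-up" = {
    text = ''
      ${pkgs.bridge-utils}/bin/brctl addif ${internalInterface} tinc.office
    '';
    mode = "0700";
  };
  services.tinc.networks = {
    office = {
      # Private key lives outside the Nix store (root-only path).
      ed25519PrivateKeyFile = "/root/tinc/office/ed25519_key.priv";
      interfaceType = "tap";
      extraConfig = ''
        Mode = switch
      '';
      # The public keys below are placeholders (both identical); each node
      # must carry its own key, otherwise any holder of the matching private
      # key can join the LAN.
      hosts = {
        router = ''
          Address = ${publicDomain}
          Ed25519PublicKey = 0123456789abcdefghijklmnopqrstuvwxyzABCDEFG
        '';
        aji = ''
          Port = 656
          Ed25519PublicKey = 0123456789abcdefghijklmnopqrstuvwxyzABCDEFG
        '';
      };
    };
  };
}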