vskilet/nixos-config
1
0
Fork 0
forked from nyanloutre/nixos-config
Code Issues Pull requests Releases Wiki Activity

global reformat with treefmt

Browse source
This commit is contained in:
nyanloutre 2025-04-23 11:15:31 +02:00
parent 97f849e454
commit 393e92fe14
17 changed files with 979 additions and 726 deletions
Download patch file Download diff file Expand all files Collapse all files

426
systems/LoutreOS/network.nix
View file

@ -1,4 +1,9 @@
{ config, pkgs, inputs, ... }:
{
config,
pkgs,
inputs,
...
}:
{
boot = {
@ -52,7 +57,10 @@
};
eno2 = {
ipv4.addresses = [
{ address = "10.30.0.1"; prefixLength = 16; }
{
address = "10.30.0.1";
prefixLength = 16;
}
];
};
enp0s21u1.useDHCP = true;
@ -110,18 +118,31 @@
firewall = {
enable = true;
allowedTCPPorts = [ 80 443 ];
allowedTCPPorts = [
80
443
];
allowedUDPPorts = [ ];
# Open ports on local netwok only
interfaces.eno2 = {
allowedTCPPorts = [
111 2049 4000 4001 4002 # NFS
3483 9000 9090 # Slimserver
111
2049
4000
4001
4002 # NFS
3483
9000
9090 # Slimserver
1935 # RTMP
];
allowedUDPPorts = [
111 2049 4000 4001 4002 # NFS
111
2049
4000
4001
4002 # NFS
3483 # Slimserver
67 # DHCP
];
@ -142,8 +163,8 @@
};
serviceConfig = {
LoadCredential = [
"network.wireguard.private.wg0:/mnt/secrets/wireguard/wireguard.private"
"network.wireguard.preshared.wg0:/mnt/secrets/wireguard/wireguard.preshared"
"network.wireguard.private.wg0:/mnt/secrets/wireguard/wireguard.private"
"network.wireguard.preshared.wg0:/mnt/secrets/wireguard/wireguard.preshared"
];
};
};
@ -162,204 +183,209 @@
# 51000: from all lookup fiber # first table encountered with a default route if fiber is up
# 52000: from all lookup lte # first table encountered with a default route if fiber is down
systemd.network = let
routeTables = {
fiber = 1;
lte = 2;
vpn = 3;
};
in {
enable = true;
config = {
inherit routeTables;
addRouteTablesToIPRoute2 = true;
};
# Wireguard ARN device configuation
netdevs = {
"10-wg0" = {
netdevConfig = {
Kind = "wireguard";
Name = "wg0";
MTUBytes = "1450";
};
wireguardConfig = {
PrivateKey = "@network.wireguard.private.wg0";
RouteTable = routeTables.vpn;
};
wireguardPeers = [
{
Endpoint = "89.234.141.83:8095";
PublicKey = "t3+JkBfXI1uw8fa9P6JfxXJfTPm9cOHcgIN215UHg2g=";
PresharedKey = "@network.wireguard.preshared.wg0";
AllowedIPs = ["0.0.0.0/0" "::/0"];
PersistentKeepalive = 15;
}
];
systemd.network =
let
routeTables = {
fiber = 1;
lte = 2;
vpn = 3;
};
};
in
{
enable = true;
networks = {
#########
# FIBER #
#########
# Set route metric to highest priority
# Set DHCP client magic settings for Bouygues
"40-bouygues" = {
dhcpV4Config.RouteTable = routeTables.fiber;
dhcpV6Config = {
DUIDRawData = "00:03:00:01:E8:AD:A6:21:73:68";
WithoutRA = "solicit";
};
ipv6AcceptRAConfig = {
DHCPv6Client = true;
RouteTable = routeTables.fiber;
};
networkConfig = {
KeepConfiguration = "dhcp-on-stop";
IPv6AcceptRA = true;
DHCPPrefixDelegation = true;
};
# Static attribution of first IPv6 subnet
dhcpPrefixDelegationConfig.SubnetId = "0";
# Route everything to fiber link with a priority of 40000
routingPolicyRules = [
{
FirewallMark = 1;
Table = routeTables.fiber;
Priority = 41000;
Family = "both";
}
{
Table = routeTables.fiber;
Priority = 51000;
Family = "both";
}
];
config = {
inherit routeTables;
addRouteTablesToIPRoute2 = true;
};
# Don't check VLAN physical interface as it is not directly used
"40-eno1".linkConfig.RequiredForOnline = "no";
#######
# LTE #
#######
# Set LTE route to lower priority
"40-enp0s21u1" = {
dhcpV4Config.RouteTable = routeTables.lte;
# Route all to lte link with a priority of 50000
routingPolicyRules = [
{
FirewallMark = 2;
Table = routeTables.lte;
Priority = 42000;
Family = "both";
}
{
Table = routeTables.lte;
Priority = 52000;
Family = "both";
}
];
};
#######
# VPN #
#######
# Wireguard ARN network configuation
"10-wg0" = {
matchConfig.Name = "wg0";
address = [
"89.234.141.196/32"
"2a00:5881:8119:400::1/128"
];
routingPolicyRules = [
# Route outgoing emails to VPN table
{
IncomingInterface = "lo";
DestinationPort = "25";
Table = routeTables.vpn;
Priority = 60;
Family = "both";
}
# Route packets originating from wg0 device to VPN table
# Allow server to respond on the wg0 interface requests
{
FirewallMark = 3;
Table = routeTables.vpn;
Priority = 43000;
Family = "both";
}
];
};
#######
# LAN #
#######
# LAN DHCP server config
"40-eno2" = {
networkConfig = {
IPv6SendRA = true;
DHCPPrefixDelegation = true;
DHCPServer = true;
IPMasquerade = "ipv4";
};
dhcpServerConfig = {
EmitRouter = true;
EmitDNS = true;
DNS = [
# https://www.dns0.eu/fr
"193.110.81.0"
"185.253.5.0"
];
};
dhcpServerStaticLeases = [
# IPMI
{
Address = "10.30.1.1";
MACAddress = "ac:1f:6b:4b:01:15";
}
# paul-fixe
{
Address = "10.30.50.1";
MACAddress = "b4:2e:99:ed:24:26";
}
# salonled
{
Address = "10.30.40.1";
MACAddress = "e0:98:06:85:e9:ce";
}
# miroir-bleu
{
Address = "10.30.40.2";
MACAddress = "e0:98:06:86:38:fc";
}
# miroir-orange
{
Address = "10.30.40.3";
MACAddress = "50:02:91:78:be:be";
}
];
ipv6SendRAConfig = {
EmitDNS = true;
DNS = [
# https://www.dns0.eu/fr
"2a0f:fc80::"
"2a0f:fc81::"
# Wireguard ARN device configuation
netdevs = {
"10-wg0" = {
netdevConfig = {
Kind = "wireguard";
Name = "wg0";
MTUBytes = "1450";
};
wireguardConfig = {
PrivateKey = "@network.wireguard.private.wg0";
RouteTable = routeTables.vpn;
};
wireguardPeers = [
{
Endpoint = "89.234.141.83:8095";
PublicKey = "t3+JkBfXI1uw8fa9P6JfxXJfTPm9cOHcgIN215UHg2g=";
PresharedKey = "@network.wireguard.preshared.wg0";
AllowedIPs = [
"0.0.0.0/0"
"::/0"
];
PersistentKeepalive = 15;
}
];
};
};
networks = {
#########
# FIBER #
#########
# Set route metric to highest priority
# Set DHCP client magic settings for Bouygues
"40-bouygues" = {
dhcpV4Config.RouteTable = routeTables.fiber;
dhcpV6Config = {
DUIDRawData = "00:03:00:01:E8:AD:A6:21:73:68";
WithoutRA = "solicit";
};
ipv6AcceptRAConfig = {
DHCPv6Client = true;
RouteTable = routeTables.fiber;
};
networkConfig = {
KeepConfiguration = "dhcp-on-stop";
IPv6AcceptRA = true;
DHCPPrefixDelegation = true;
};
# Static attribution of first IPv6 subnet
dhcpPrefixDelegationConfig.SubnetId = "0";
# Route everything to fiber link with a priority of 40000
routingPolicyRules = [
{
FirewallMark = 1;
Table = routeTables.fiber;
Priority = 41000;
Family = "both";
}
{
Table = routeTables.fiber;
Priority = 51000;
Family = "both";
}
];
};
# Don't check VLAN physical interface as it is not directly used
"40-eno1".linkConfig.RequiredForOnline = "no";
#######
# LTE #
#######
# Set LTE route to lower priority
"40-enp0s21u1" = {
dhcpV4Config.RouteTable = routeTables.lte;
# Route all to lte link with a priority of 50000
routingPolicyRules = [
{
FirewallMark = 2;
Table = routeTables.lte;
Priority = 42000;
Family = "both";
}
{
Table = routeTables.lte;
Priority = 52000;
Family = "both";
}
];
};
#######
# VPN #
#######
# Wireguard ARN network configuation
"10-wg0" = {
matchConfig.Name = "wg0";
address = [
"89.234.141.196/32"
"2a00:5881:8119:400::1/128"
];
routingPolicyRules = [
# Route outgoing emails to VPN table
{
IncomingInterface = "lo";
DestinationPort = "25";
Table = routeTables.vpn;
Priority = 60;
Family = "both";
}
# Route packets originating from wg0 device to VPN table
# Allow server to respond on the wg0 interface requests
{
FirewallMark = 3;
Table = routeTables.vpn;
Priority = 43000;
Family = "both";
}
];
};
#######
# LAN #
#######
# LAN DHCP server config
"40-eno2" = {
networkConfig = {
IPv6SendRA = true;
DHCPPrefixDelegation = true;
DHCPServer = true;
IPMasquerade = "ipv4";
};
dhcpServerConfig = {
EmitRouter = true;
EmitDNS = true;
DNS = [
# https://www.dns0.eu/fr
"193.110.81.0"
"185.253.5.0"
];
};
dhcpServerStaticLeases = [
# IPMI
{
Address = "10.30.1.1";
MACAddress = "ac:1f:6b:4b:01:15";
}
# paul-fixe
{
Address = "10.30.50.1";
MACAddress = "b4:2e:99:ed:24:26";
}
# salonled
{
Address = "10.30.40.1";
MACAddress = "e0:98:06:85:e9:ce";
}
# miroir-bleu
{
Address = "10.30.40.2";
MACAddress = "e0:98:06:86:38:fc";
}
# miroir-orange
{
Address = "10.30.40.3";
MACAddress = "50:02:91:78:be:be";
}
];
ipv6SendRAConfig = {
EmitDNS = true;
DNS = [
# https://www.dns0.eu/fr
"2a0f:fc80::"
"2a0f:fc81::"
];
};
};
};
};
};
}