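# Home router profile: the WAN NIC is NATed towards the upstream, the wired LAN
# port and the Wi-Fi radio are bridged into br0, dnsmasq serves DHCP/DNS for the
# LAN, hostapd runs the access point, and a NetworkManager dispatcher script
# refreshes dynamic DNS whenever the WAN lease changes.
{ config, pkgs, ... }:
let
  wanInterface = "enp8s0";      # upstream side; treat everything on it as untrusted
  lanInterface = "enp5s0f0u2";  # wired LAN port, member of br0
  wifiInterface = "wlp9s0";     # access-point radio, member of br0
  lanBridge = "br0";            # the single trusted LAN segment
in
{
  # networking.nat.enable also turns forwarding on; kept explicit for clarity.
  boot.kernel.sysctl."net.ipv4.conf.all.forwarding" = true;

  networking = {
    nftables.enable = true;
    # filterForward applies the firewall to routed traffic too, so only the
    # NAT-allowed direction (LAN -> WAN plus established replies) is forwarded.
    firewall.filterForward = true;
    nat = {
      enable = true;
      externalInterface = wanInterface;
      internalInterfaces = [ lanBridge ];
      # forwardPorts = [{ sourcePort = 1234; destination = "10.69.0.2:12345"; }];
    };
    bridges.${lanBridge}.interfaces = [ lanInterface wifiInterface ];
    interfaces.${lanBridge}.ipv4.addresses = [{
      address = "10.69.0.1";
      prefixLength = 16;
    }];
    networkmanager = {
      enable = true;
      # The bridge members are configured statically above; keep NM's hands off.
      unmanaged = [ "interface-name:${lanInterface}" "interface-name:${wifiInterface}" ];
      dispatcherScripts = [ {
        type = "basic";
        # Runs on every NM event; only a DHCPv4 change on the WAN interface
        # triggers the dynamic-DNS update.  The update URL (it carries the
        # provider's credential) lives in an age-encrypted secret and is read
        # at run time, never baked into the store.
        source = pkgs.writeScript "dynamic-dns-on-ipv4-change" ''
          #!/bin/sh
          set -e

          [ "$1" = "${wanInterface}" ] || exit
          [ "$2" = dhcp4-change ] || exit
          # --fail turns an HTTP error into a non-zero exit so NM logs the
          # failure; --max-time keeps a stalled provider from hanging the
          # dispatcher; --silent/--show-error drop the progress meter but
          # keep real errors.
          ${pkgs.curl}/bin/curl --fail --silent --show-error --max-time 60 \
            "$(cat "${config.age.secrets."dyndns-url.txt".path}")"
          # Debug trace of successful runs.  NOTE(review): this appends as
          # root to a file under a user's home directory; consider moving it
          # to the journal or /var/log.
          date >> /home/mathias/networkmanager-dispatcherScripts-run
        '';
      } ];
    };
  };

  # WPA3-SAE access point on the 2.4 GHz band; the passphrase is an age secret.
  services.hostapd = {
    enable = true;
    radios.${wifiInterface} = {
      countryCode = "SE";
      band = "2g";
      channel = 12;
      networks.${wifiInterface} = {
        ssid = "Heidrun";
        authentication = {
          mode = "wpa3-sae";
          saePasswords = [
            { passwordFile = config.age.secrets."wifi-password.txt".path; }
          ];
        };
      };
    };
  };

  # dnsmasq: DHCP and DNS for the LAN only, forwarding to Cloudflare upstreams.
  services.dnsmasq = {
    enable = true;
    settings = {
      domain-needed = true;   # never forward plain (dot-less) names upstream
      bogus-priv = true;      # answer reverse lookups for RFC1918 space locally
      no-resolv = true;       # ignore /etc/resolv.conf; upstreams are listed below

      domain = "m";
      local = "/m/";          # the .m zone is authoritative here, never forwarded

      server = [ "1.1.1.1" "1.0.0.1" ];

      # Only answer on the LAN bridge (loopback is added implicitly).
      interface = lanBridge;
      dhcp-range = "10.69.0.50,10.69.0.254,255.255.0.0,1h";
      dhcp-option = [ "option:router,10.69.0.1" "option:dns-server,10.69.0.1" ];
      dhcp-authoritative = true;

      no-hosts = true;

      dhcp-host = "mimer,10.69.0.3";
      address = [
        "/oden.m/10.69.0.1"
        "/mimer.m/10.69.0.3"
      ];
    };
  };
  networking.nameservers = [ "127.0.0.1" ];

  # Open DNS (53) and DHCP (67) only towards the LAN bridge.  A global
  # allowedUDPPorts/allowedTCPPorts would also admit these ports on the WAN;
  # dnsmasq's `interface` setting would discard such queries, but an
  # Internet-facing resolver port is a reflection/amplification exposure that
  # the firewall should close outright.
  networking.firewall.interfaces.${lanBridge} = {
    allowedUDPPorts = [ 53 67 ];
    allowedTCPPorts = [ 53 ];
  };
  oden.persist.directories = [ "/var/lib/dnsmasq" ];

  age.secrets."wifi-password.txt".file = ./secrets/wifi-password.txt.age;
  age.secrets."dyndns-url.txt".file = ./secrets/dyndns-url.txt.age;
}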