router setup
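{ lib, config, pkgs, ... }:
# NixOS router module: a VLAN-tagged WAN uplink, NAT for the LAN, and a
# local BIND resolver plus ISC dhcpd (with iPXE chain-loading) on the LAN.
let
  # Physical NIC carrying the tagged WAN uplink; the VLAN below rides on it.
  WANMASTER = "enp4s2f0";
  # Name of the VLAN sub-interface that actually holds the WAN address.
  WAN = "wan";
  # Physical NIC facing the LAN (192.168.2.0/24).
  LAN = "enp4s2f1";
in
{
  networking = {
    # Outbound mail from this host is delivered directly, not relayed.
    defaultMailServer = {
      directDelivery = true;
      hostName = "c2d.localnet";
    };

    # The WAN link is VLAN 35 on top of the untagged parent NIC.
    vlans.${WAN} = {
      interface = WANMASTER;
      id = 35;
    };

    firewall = {
      enable = true;
      # Let LAN clients reach the local BIND resolver. Both UDP and TCP are
      # opened: resolvers retry over TCP when a UDP answer is truncated, so a
      # UDP-only rule breaks large (e.g. DNSSEC) responses. Both rules are
      # restricted to the LAN interface and subnet, so the WAN side is not
      # affected.
      extraCommands = lib.mkMerge [ (lib.mkAfter ''
        iptables -w -t filter -A nixos-fw -s 192.168.2.0/24 -p udp --dport 53 -i ${LAN} -j nixos-fw-accept
        iptables -w -t filter -A nixos-fw -s 192.168.2.0/24 -p tcp --dport 53 -i ${LAN} -j nixos-fw-accept
      '') ];
    };

    interfaces = {
      # The untagged parent carries no address of its own.
      ${WANMASTER}.useDHCP = false;
      # The VLAN sub-interface gets its address from upstream.
      ${WAN}.useDHCP = true;
      # This box is the LAN gateway, DNS and DHCP server at .1.
      ${LAN} = {
        ipAddress = "192.168.2.1";
        prefixLength = 24;
      };
    };

    nat = {
      enable = true;
      externalInterface = WAN;
      # 10.67.15.0/24 is masqueraded as well but no interface for it is
      # listed below; presumably it reaches this host over another link —
      # TODO confirm.
      internalIPs = [ "192.168.2.0/24" "10.67.15.0/24" ];
      internalInterfaces = [ LAN ];
      # Inbound services published on the WAN address.
      forwardPorts = [
        { destination = "192.168.2.61"; sourcePort = 25; } # email
        { destination = "192.168.2.62"; sourcePort = 80; } # http
      ];
    };
  };

  services = {
    bind = {
      enable = true;
      # Recursion is offered only to the LAN and loopback.
      cacheNetworks = [ "192.168.2.0/24" "127.0.0.0/8" ];
      # Authoritative forward and reverse zones for the LAN; no secondaries.
      zones = [
        { name = "localnet"; slaves = [ ]; file = ./localnet; }
        { name = "2.168.192.in-addr.arpa"; slaves = [ ]; file = ./lan.reverse; }
      ];
    };

    dhcpd = {
      enable = true;
      interfaces = [ LAN ];
      # Fixed leases for known hosts; everything else lands in the dynamic
      # range declared in extraConfig.
      machines = [
        { hostName = "ramboot"; ethernetAddress = "00:1c:23:16:4b:b3"; ipAddress = "192.168.2.10"; }
        { hostName = "nas"; ethernetAddress = "d0:50:99:7a:80:21"; ipAddress = "192.168.2.11"; }
        { hostName = "amd"; ethernetAddress = "40:16:7e:b3:32:48"; ipAddress = "192.168.2.15"; }
        { hostName = "nix1"; ethernetAddress = "92:C5:E2:BB:12:A9"; ipAddress = "192.168.2.30"; }
        { hostName = "nix2"; ethernetAddress = "5E:88:5B:D7:6E:BC"; ipAddress = "192.168.2.31"; }
      ];
      # Network boot: plain PXE clients chain-load iPXE (undionly.kpxe) from
      # next-server; iPXE clients then fetch a per-MAC boot script over plain
      # HTTP from c2d.localnet, so its integrity rests on the LAN being
      # trusted. ''${ is the Nix escape for a literal ${, so dhcpd sees
      # ${net0/mac} and ${asset:uristring} for iPXE to expand.
      # NOTE(review): the else branch writes `filename = "..."` while the
      # iPXE branch writes `filename "..."` — confirm dhcpd accepts both forms.
      extraConfig = ''
        subnet 192.168.2.0 netmask 255.255.255.0 {
        option domain-search "localnet";
        option subnet-mask 255.255.255.0;
        option broadcast-address 192.168.2.255;
        option routers 192.168.2.1;
        option domain-name-servers 192.168.2.1;
        range 192.168.2.100 192.168.2.200;
        next-server 192.168.2.61;
        if exists user-class and option user-class = "iPXE" {
        filename "http://c2d.localnet/boot.php?mac=''${net0/mac}&asset=''${asset:uristring}";
        #option root-path "iscsi:192.168.2.61:::1:iqn.2015-10.com.laptop-root";
        } else {
        filename = "undionly.kpxe";
        }
        }
      '';
    };
  };
}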
{ lib, config, pkgs, ... }:
# Host-level module for the router: pulls in the NAT/DNS/DHCP module and the
# shared pieces, pins the host id and firewall policy, and adds IPv6 router
# advertisements on the LAN NIC.
let
  # Bound but not referenced in this excerpt; presumably consumed by parts
  # of the configuration not shown here — TODO confirm before removing.
  passwords = import ./passwords.nix;
  builders = import ./builders.nix;
  keys = import ./keys.nix;
in
{
  # NOTE(review): /root/hydra/hydra-module.nix is an absolute path outside
  # the configuration tree, so this module only evaluates on a host that has
  # that file in place.
  imports = [
    ./core.nix
    ./router.nat.nix
    /root/hydra/hydra-module.nix
    ./snmpd.nix
  ];

  networking.hostId = "136e6c46";
  networking.search = [ "localnet" ];
  networking.firewall = {
    enable = true;
    allowPing = true;
    # No ports are opened on all interfaces from this module.
    allowedTCPPorts = [ ];
    allowedUDPPorts = [ ];
    # Every packet arriving on this interface bypasses the input filter.
    trustedInterfaces = [ "tox_master0" ]; # a VPN
  };

  # Announce the globally routable /64 on the LAN NIC so hosts autoconfigure
  # and use this box as their IPv6 default route. NOTE(review): the firewall
  # settings visible here filter only input; confirm that IPv6 forwarding
  # toward the advertised prefix is filtered elsewhere.
  services.radvd = {
    enable = true;
    config = ''
      interface enp4s2f1 {
      AdvSendAdvert on;
      AdvHomeAgentFlag off;
      MinRtrAdvInterval 30;
      MaxRtrAdvInterval 100;
      AdvDefaultPreference high;
      prefix 2001:470:1d:19a::/64 {
      AdvOnLink on;
      AdvAutonomous on;
      AdvRouterAddr on;
      };
      };
    '';
  };
}