feat: import correct files, set some kernel options, get started on firewall, rename network interfaces

2025-12-04 23:00:14 +01:00 · 2025-05-17 17:33:57 +02:00 · 2025-05-17 17:33:57 +02:00 · c6601da4e0
commit c6601da4e0
parent 27d6950542
1 changed files with 77 additions and 12 deletions
--- a/hosts/lily/default.nix
+++ b/hosts/lily/default.nix
@ -1,14 +1,87 @@
-{ pkgs, config, ... }:
+{
+  lib,
+  pkgs,
+  config,
+  ...
+}:
+let
+  externalInterface = "wan0";
+  # networks = config.homelab.networks.local;
+  # internalInterfaces = lib.mapAttrsToList (_: val: val.interface) networks;
+  # internalIPs = lib.mapAttrsToList (
+  #   _: val: lib.strings.removeSuffix ".1" val.cidr + ".0/24"
+  # ) networks;
+in
 {
  imports = [
    ./hardware-configuration.nix
    ./variables.nix
-    ./../../modules/core/default.server.nix
+    ./../../modules/core/default.router.nix
  ];

-  networking.hostName = "lily";
+  liv = {
+    server.enable = true;
+    router.enable = true;
+  };

-  liv.server.enable = true;
+  boot = {
+    supportedFilesystems = [ "zfs" ];
+    loader.grub = {
+      enable = true;
+      device = "/dev/sda";
+      useOSProber = true;
+    };
+    kernel = {
+      sysctl = {
+        # Forward both IPv4 and IPv6 on all interfaces
+        "net.ipv4.conf.all.forwarding" = true;
+        "net.ipv6.conf.all.forwarding" = false;
+
+        # By default, do not automatically configure any IPv6 addresses.
+        # "net.ipv6.conf.all.accept_ra" = 0;
+        # "net.ipv6.conf.all.autoconf" = 0;
+        # "net.ipv6.conf.all.use_tempaddr" = 0;
+
+        # Allow IPv6 autoconfiguration and tempory address use on WAN.
+        "net.ipv6.conf.${externalInterface}.accept_ra" = 2;
+        "net.ipv6.conf.${externalInterface}.autoconf" = 1;
+      };
+    };
+  };
+
+  networking = {
+    firewall = {
+      enable = true;
+      allowPing = true;
+
+      # allow ssh on *all* interfaces, even wan.
+      allowedTCPPorts = lib.mkForce [ 22 ];
+      allowedUDPPorts = lib.mkForce [ 22 ];
+
+      # interface-specific rules
+      interfaces = {
+        "lan0" = {
+          allowedTCPPorts = [
+            22
+            53
+          ];
+          allowedUDPPorts = [
+            22
+            53
+          ];
+        };
+      };
+    };
+  };
+
+  services.udev.extraRules = ''
+    SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:25:90:47:67:6e", ATTR{type}=="1", NAME="wan0"
+    SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:25:90:47:67:6f", ATTR{type}=="1", NAME="lan0"
+    SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:25:90:63:0f:80", ATTR{type}=="1", NAME="lan1"
+    SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:25:90:63:0f:81", ATTR{type}=="1", NAME="lan2"
+  '';
+
+  networking.hostName = "lily";

  time.timeZone = "Europe/Amsterdam";

@ -17,10 +90,6 @@
    zfs
  ];

-  boot = {
-    supportedFilesystems = [ "zfs" ];
-  };
-
  networking.hostId = "8ddb2a9b";

  services.zfs = {
@ -28,10 +97,6 @@
    trim.enable = true;
  };

-  boot.loader.grub.enable = true;
-  boot.loader.grub.device = "/dev/sda";
-  boot.loader.grub.useOSProber = true;
-
  # boot.zfs.extraPools = [ "terrabite" ];

  # fileSystems."/terrabite/main" = {