authorKjetil Ørbekk <kj@orbekk.com>2020-11-08 18:23:56 -0500
committerKjetil Ørbekk <kj@orbekk.com>2020-11-08 18:24:30 -0500
commit605a2005bb92dc47556ea6e540d4d2d1c515ffdc (patch)
treed59a12381014b59baf0e12588b8364db657c4db7 /config/ap.nix
parentd37a4f11e1ff414f2e9fccf4316a99d914934279 (diff)
dragon config
Diffstat (limited to 'config/ap.nix')
-rw-r--r--config/ap.nix186
1 files changed, 0 insertions, 186 deletions
diff --git a/config/ap.nix b/config/ap.nix
deleted file mode 100644
index 4f3c634..0000000
--- a/config/ap.nix
+++ /dev/null
@@ -1,186 +0,0 @@
-{ config, lib, pkgs, ... }:
-let
- wan-dev = "enp37s0";
- lan-dev = "wlp39s0";
-in
-{
- networking.networkmanager.enable = lib.mkForce false;
-
- # networking.vlans.lan = {
- # id = 110;
- # interface = wan-dev;
- # };
- # networking.vlans.wan = {
- # id = 100;
- # interface = wan-dev;
- # };
-
- networking.firewall = {
- enable = lib.mkForce false;
- allowedTCPPorts = lib.mkForce [ ];
- allowedUDPPorts = lib.mkForce [ ];
- allowPing = true;
- logRefusedConnections = false;
- checkReversePath = false;
- trustedInterfaces = [ "${lan-dev}" ];
- };
-
- services.ferm = {
- enable = true;
- config = ''
- @def $DEV_LAN = ${lan-dev};
- @def $DEV_WAN = ${wan-dev};
- @def $NET_LAN = 10.64.30.0/24;
-
- domain ip6 table filter chain INPUT {
- proto ipv6-icmp ACCEPT;
- proto udp dport (dhcpv6-client dhcpv6-server) ACCEPT;
- }
-
- domain (ip ip6) table filter {
- chain INPUT {
- policy DROP;
-
- mod state state INVALID DROP;
- mod state state (ESTABLISHED RELATED) ACCEPT;
-
- interface lo ACCEPT;
- proto icmp icmp-type echo-request ACCEPT;
-
- interface $DEV_WAN {
- # RTMP
- # proto (tcp udp) dport 1935 ACCEPT;
-
- # Factorio
- proto udp dport 34197 ACCEPT;
- }
-
- interface $DEV_LAN @subchain "services" {
- # 1935 for rtmp testing
- proto (tcp udp) dport (ssh domain bootps 1935 4317 5353) ACCEPT;
-
- # Chromecast
- # proto udp dport 32768:61000 ACCEPT;
- # proto udp dport (5353 1900) ACCEPT;
- # proto tcp dport (8008 8009) ACCEPT;
-
- # chain logdrop {
- # LOG log-level warning log-prefix "dropped-lan ";
- # DROP;
- # }
- # jump logdrop;
- }
- }
-
- chain OUTPUT policy ACCEPT;
-
- chain FORWARD {
- policy DROP;
-
- mod state state INVALID DROP;
- mod state state (ESTABLISHED RELATED) ACCEPT;
-
- interface $DEV_LAN ACCEPT;
- }
- }
-
- domain ip6 table filter chain INPUT {
- chain logdrop {
- LOG log-level warning log-prefix "dropped-6 ";
- DROP;
- }
- jump logdrop;
- }
-
- domain ip table nat {
- chain POSTROUTING {
- saddr $NET_LAN outerface $DEV_WAN MASQUERADE;
- }
- }
- '';
- };
-
- services = {
- openssh.enable = lib.mkDefault true;
- openssh.passwordAuthentication = false;
- };
-
- boot.kernel.sysctl = {
- # Something wrong with Spectrum ipv6 :(
- "net.ipv6.conf.all.disable_ipv6" = true;
- "net.ipv4.conf.all.forwarding" = true;
- "net.ipv4.conf.default.forwarding" = true;
- "net.ipv6.conf.all.forwarding" = true;
- "net.ipv6.conf.default.forwarding" = true;
- };
-
- services.hostapd = {
- enable = true;
- ssid = "2c";
- wpaPassphrase = "mintchip";
- interface = "${lan-dev}";
- hwMode = "g";
- channel = 11;
- extraConfig = ''
- country_code=US
- wpa_key_mgmt=WPA-PSK
- rsn_pairwise=CCMP
- '';
- };
-
- networking.useDHCP = true;
- networking.dhcpcd = {
- enable = true;
- denyInterfaces = [ lan-dev ];
- extraConfig = ''
- # debug
- noipv6rs
- interface ${wan-dev}
- dhcp
- ipv6rs
- ia_na 1
- ia_pd 1/::/56 ${lan-dev}/0/64
- '';
- wait = "background";
- };
-
- services.dnsmasq = {
- enable = true;
- servers = [ "8.8.8.8" "8.8.4.4" ];
- extraConfig = ''
- dhcp-authoritative
- dhcp-range=10.64.30.100,10.64.30.255,255.255.255.0,24h
- dhcp-option=option:router,10.64.30.1
- dhcp-option=option:dns-server,10.64.30.1
- dhcp-option=option:netmask,255.255.255.0
-
- #dhcp-range=::,constructor:${lan-dev},slaac
- '';
- };
-
- networking.nat = {
- enable = true;
- externalInterface = "${wan-dev}";
- internalInterfaces = [ "${lan-dev}" ];
- # internalIPs = [ "10.0.0.0/24" ];
- };
-
- # Error matching on link that was already renamed.
- # systemd.network.links."40-enp37s0".matchConfig = {
- # # OriginalName = lib.mkForce null;
- # # MACAddress = "00:d8:61:c2:c6:6c";
- # };
- # systemd.services.dhcpcd.preStart = lib.mkAfter ''
- # ${pkgs.iproute}/bin/ip link set dev ${wan-dev} address ${config.networking.interfaces.${wan-dev}.macAddress};
- # '';
- # networking.interfaces.${wan-dev} = {
- # macAddress = "3c:97:0e:19:7e:5c";
- # };
-
- networking.interfaces."${lan-dev}" = {
- ipv4.addresses = [ {
- address = "10.64.30.1";
- prefixLength = 24;
- } ];
- };
-}