From dbce99ae250ed102be9e401e7c6b40811e24243c Mon Sep 17 00:00:00 2001
From: Kjetil Orbekk
Date: Sun, 19 Feb 2023 10:56:27 -0500
Subject: new router config
---
config/router.nix | 2 +-
machines/dragon.nix | 3 +-
modules/router.nix | 103 ++++++++++++++++++++++++++++++++++++++++----
modules/simple-firewall.nix | 2 +-
4 files changed, 98 insertions(+), 12 deletions(-)
diff --git a/config/router.nix b/config/router.nix
index d15da89..aa6b5d9 100644
--- a/config/router.nix
+++ b/config/router.nix
@@ -249,7 +249,7 @@ in {
 enable = true;
 servers = [ "1.1.1.1" "8.8.8.8" "8.8.4.4" ];
 resolveLocalQueries = false;
- extraConfig = ''
+ extraConfig = ''
 port=2053
 no-resolv
diff --git a/machines/dragon.nix b/machines/dragon.nix
index f5d967b..6920363 100644
--- a/machines/dragon.nix
+++ b/machines/dragon.nix
@@ -2,7 +2,7 @@ let duid = "00:01:00:01:21:a2:4e:a8:d0:bf:9c:45:a6:ec";
 in {
 imports = [
- ../config/router.nix
+ # ../config/router.nix
 # ../config/borg-backup.nix
 ../config/keycloak.nix
 ../config/dns.nix
@@ -10,6 +10,7 @@ in {
 ../config/cgit.nix
 ];
+ orbekk.router.enable = true;
 orbekk.monitoring-server.enable = true;
 orbekk.postfix.enable = true;
 orbekk.nextcloud.enable = true;
diff --git a/modules/router.nix b/modules/router.nix
index 621a627..359832e 100644
--- a/modules/router.nix
+++ b/modules/router.nix
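Review bot: In `machines/dragon.nix` the `../config/router.nix` import is commented out rather than removed, leaving a dead line next to the already-commented `borg-backup` entry; since history keeps the old wiring, dropping the line (`- ../config/router.nix` with no replacement) reads cleaner. Note that whatever `config/router.nix` set up (the first hunk shows it also ran a dnsmasq with `port=2053`) no longer applies to dragon once the import is gone, so anything that relied on it now has to be provided through `orbekk.router.enable`.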
@@ -1,7 +1,77 @@
-{ config, lib, pkgs, ... };
+{ config, lib, pkgs, ... }:
 with lib;
 let
 cfg = config.orbekk.router;
+
+ devices = ["eno1" "eno2"];
+
+ router-netns-up = pkgs.writeScript "router-netns-up" ''
+ #!${pkgs.bash}/bin/bash
+ ip netns add router
+ ip netns exec router ip link set lo up
+ ${lib.concatMapStrings (device: ''
+ ip link set ${device} netns router
+ '')
+ devices}
+ ip link add router-vport type veth peer name dragon-vport netns router
+ '';
+
+ router-netns-down = pkgs.writeScript "router-netns-down" ''
+ #!${pkgs.bash}/bin/bash
+ ip link del main
+ ip netns del router
+ '';
+
+ router-config = { config, lib, pkgs, ... }: {
+ system.stateVersion = "22.05";
+
+ virtualisation.vswitch.enable = true;
+ virtualisation.vswitch.resetOnStart = true;
+ networking.vswitches.kjlan = {
+ interfaces.wan-vport = { vlan = 10; type = "internal"; };
+ interfaces.lan-vport = { vlan = 100; type = "internal"; };
+ interfaces.admin-vport = { vlan = 255; type = "internal"; };
+ interfaces.dragon-vport = { vlan = 100; };
+
+ extraOvsctlCmds = ''
+ add bond kjlan bond0 eno1 eno2 lacp=active miimon=5000
+ set interface wan-vport mac=\"3c:97:0e:19:7e:5c\"
+ '';
+ };
+
+ networking.interfaces.lan-vport = {
+ ipv4.addresses = [{address = "172.20.100.1"; prefixLength = 23;}];
+ };
+ networking.interfaces.admin-vport = {
+ ipv4.addresses = [{address = "10.10.255.18"; prefixLength = 24;}];
+ ipv4.routes = [{address = "10.10.255.0"; prefixLength = 24;}];
+ };
+
+ services.dnsmasq = {
+ enable = true;
+ servers = [ "1.1.1.1" "8.8.8.8" "8.8.4.4" ];
+ resolveLocalQueries = false;
+
+ extraConfig = ''
+ no-resolv
+ no-hosts
+
+ address=/localhost/::1
+ address=/localhost/127.0.0.1
+
+ dhcp-range=lan-vport,172.20.100.1,172.20.101.254,5m
+ dhcp-option=net:lan,option:router,172.20.100.1
+ dhcp-option=net:lan,option:dns-server,172.20.100.1
+ '';
+ };
+
+ networking.dhcpcd = {
+ extraConfig = ''
+ interface wan-vport
+ dhcp
+ '';
+ };
+ };
 in {
 options = {
 orbekk.router = {
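Review bot: The dnsmasq instance in `router-config` is not bound to any interface, so it listens on every interface in the `router` namespace, including the WAN-facing `wan-vport`, and will answer recursive queries for the configured upstream servers from that side unless the container's firewall drops them; add `interface=lan-vport` and `bind-interfaces` to `extraConfig` so it only serves the LAN. `router-netns-down` runs `ip link del main`, but the up script creates `router-vport` (with peer `dragon-vport`), so that line presumably fails and the veth is only removed as a side effect of `ip netns del`; `ip link del router-vport` matches what was created. Neither script uses `set -e`, so a failed `ip netns add router` (for example a namespace left behind by an unclean stop) still lets the following `ip link set eno1 netns router` run and the unit reports success. The `dhcp-range` line sets tag `lan-vport` while the `dhcp-option` lines match `net:lan`, which looks like a tag mismatch — confirm which tag the options are meant to follow.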
@@ -10,17 +80,32 @@ in {
 };
 config = mkIf cfg.enable {
- systemd.services."router" = {
+ systemd.services."router-netns" = {
 description = "router network namespace";
 before = ["network.target"];
- path = with pkgs; [ iproute ];
+ after = ["network-interfaces.target"];
+ path = with pkgs; [bash iproute];
 serviceConfig = {
- ExecStart = [
- "ip netns up router"
- "ip netns exec router ip link set lo up"
- ];
- ExecStop = "netns del router";
+ Type = "oneshot";
+ RemainAfterExit = "yes";
+ ExecStart = "${router-netns-up}";
+ ExecStop = "${router-netns-down}";
 };
 };
+
+ networking.wireguard.interfaces.vpn.interfaceNamespace = "router";
+
+ systemd.services."container@router" = {
+ after = ["router-netns.service"];
+ wantedBy = ["network.target"];
+ };
+
+ containers.router = {
+ autoStart = true;
+ extraFlags = ["--network-namespace-path" "/var/run/netns/router"];
+ privateNetwork = false;
+ config = router-config;
+ additionalCapabilities = ["CAP_NET_ADMIN"];
+ };
 };
-};
+}
diff --git a/modules/simple-firewall.nix b/modules/simple-firewall.nix
index 3c69d5d..3173672 100644
--- a/modules/simple-firewall.nix
+++ b/modules/simple-firewall.nix
@@ -55,7 +55,7 @@ in
 ip protocol icmp limit rate 4/second counter accept
 ip6 nexthdr ipv6-icmp limit rate 4/second counter accept
- ip6 saddr 2001:470:8e2e:1000::/64 counter accept
+ ip6 saddr 2001:470:8e2e:1000::/64 counter accept
 tcp dport @allowed_tcp_ports counter accept
 udp dport @allowed_udp_ports counter accept
-- cgit v1.2.3
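Review bot: `container@router` is only ordered `after` `router-netns.service`; with no requirement the container can be started while the namespace is absent, and stopping `router-netns` runs `ip netns del router` while the container may still be joined to it. Use `after = ["router-netns.service"]; bindsTo = ["router-netns.service"];` so the container is pulled in together with the namespace and stopped before it is torn down. The `wireguard-vpn` unit that creates the `vpn` interface and moves it into `router` likely needs the same explicit ordering, since the NixOS module's built-in ordering appears to target a unit named `netns-<namespace>.service`, which does not match `router-netns` — verify. `router-netns` moves `eno1`/`eno2` out of the host namespace with only `after = ["network-interfaces.target"]`, so any host-side configuration that still references those devices should be checked for a race. The enclosing `in { … }` set begins in the previous hunk.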