{ config, lib, pkgs, ... }: let wan-dev = "eno1"; lan-dev = "eno2"; mullvadPort = config.orbekk.mullvad.listenPort; mullvadMark = 30; in { orbekk.mullvad.enable = true; networking.networkmanager.enable = lib.mkForce false; networking.nameservers = [ "8.8.8.8" ]; networking.vlans = builtins.listToAttrs (map (id: { name = "${lan-dev}.${toString id}"; value = { inherit id; interface = lan-dev; }; } ) [30 100 255]); systemd.services.update-dynamic-dns = { description = "Update dynamic dns records"; path = with pkgs; [bash dnsutils nettools gawk iproute]; startLimitIntervalSec = 5; script = toString ../tools/update-dns.sh; }; networking.dhcpcd.runHook = '' systemctl restart update-dynamic-dns.service ''; networking.firewall = { enable = lib.mkForce false; allowedTCPPorts = lib.mkForce [ ]; allowedUDPPorts = lib.mkForce [ ]; allowPing = true; logRefusedConnections = false; checkReversePath = false; }; services.ddclient = { enable = true; configFile = "/opt/secret/he-ddclient.conf"; }; services.ferm = { enable = true; config = '' @def $DEV_UNTRUSTED_LAN = (${lan-dev}.30); @def $DEV_LAN = (${lan-dev}.100 ${lan-dev}.255); @def $DEV_WAN = (${wan-dev} he0 mullvad); @def $NET_LAN = 10.0.0.0/8; domain (ip ip6) table filter { chain INPUT { policy DROP; mod state state INVALID DROP; mod state state (ESTABLISHED RELATED) ACCEPT; interface lo ACCEPT; proto icmp ACCEPT; proto (udp udp) dport dhcpv6-client ACCEPT; proto 41 ACCEPT; # IPv6 sit tunnel interface ($DEV_WAN $DEV_UNTRUSTED_LAN) @subchain "wan_services" { proto (tcp udp) dport (bootpc bootps) ACCEPT; proto tcp dport ssh ACCEPT; proto (tcp udp) dport domain ACCEPT; proto tcp dport (http https) ACCEPT; proto udp dport ${toString mullvadPort} ACCEPT; } interface $DEV_LAN @subchain "lan_services" { proto (tcp udp) dport (ssh domain bootpc bootps) ACCEPT; proto tcp dport (http https) ACCEPT; # RTMP streaming proto (tcp udp) dport 1935 ACCEPT; # Chromecast # proto udp dport 32768:61000 ACCEPT; # proto udp dport (5353 1900) ACCEPT; # proto tcp dport (8008 8009) ACCEPT; # chain logdrop { # LOG log-level warning log-prefix "dropped-lan "; # DROP; # } # jump logdrop; } } chain OUTPUT policy ACCEPT; chain FORWARD { policy DROP; mod state state INVALID DROP; mod state state (ESTABLISHED RELATED) ACCEPT; interface $DEV_UNTRUSTED_LAN outerface mullvad ACCEPT; interface $DEV_LAN ACCEPT; } } domain ip6 table filter chain INPUT { proto ipv6-icmp ACCEPT; } domain (ip ip6) table filter chain logdrop { LOG log-level warning log-prefix "dropped "; DROP; } domain (ip ip6) table filter chain INPUT { interface $DEV_WAN DROP; jump logdrop; } domain ip table nat { chain POSTROUTING { saddr $NET_LAN outerface $DEV_WAN MASQUERADE; } } domain (ip ip6) table mangle { chain PREROUTING { interface ${lan-dev}.30 MARK set-mark ${toString mullvadMark}; } } ''; }; services = { openssh.enable = lib.mkDefault true; openssh.passwordAuthentication = false; }; boot.kernel.sysctl = { "net.ipv4.conf.all.forwarding" = true; "net.ipv4.conf.default.forwarding" = true; "net.ipv6.conf.all.forwarding" = true; "net.ipv6.conf.default.forwarding" = true; }; #services.hostapd = { # enable = true; # # driver = "iwlwifi"; # ssid = "2c"; # wpaPassphrase = "mintchip"; # interface = "${lan-dev}"; # hwMode = "g"; # channel = 11; # extraConfig = '' # country_code=US # wpa_key_mgmt=WPA-PSK # rsn_pairwise=CCMP # ''; #}; networking.dhcpcd = { # Wain for v4 and v6 addresses. # wait = "both"; extraConfig = '' debug noipv6rs interface ${wan-dev} dhcp ipv6rs ia_na 0 # ia_pd 1/::/64 ${lan-dev}.100/0/64 ''; }; systemd.services.dhcpcd.preStart = lib.mkAfter '' ${pkgs.iproute}/bin/ip link set dev ${wan-dev} address ${config.networking.interfaces.${wan-dev}.macAddress}; ''; services.dnsmasq = { enable = true; servers = [ "1.1.1.1" "8.8.8.8" "8.8.4.4" ]; extraConfig = '' port=0 dhcp-authoritative dhcp-range=10.65.30.100,10.65.30.255,255.255.255.0,24h dhcp-range=10.64.31.1,10.64.31.255,255.255.254.0,24h dhcp-option=option:router,10.65.30.1 dhcp-option=option:dns-server,1.1.1.1,8.8.8.8,8.8.4.4 dhcp-option=option:netmask,255.255.255.0 dhcp-range=::,constructor:${lan-dev}.100,slaac,off-link ''; }; networking.sits.he0 = { dev = wan-dev; local = "74.73.86.185"; remote = "209.51.161.14"; }; networking.iproute2.enable = true; networking.iproute2.rttablesExtraConfig = '' ${toString mullvadMark} mullvad 200 he ''; networking.localCommands = '' ip -6 rule add from 2001:470:8e2e::/48 lookup he prio 0 || true ip -6 route flush cache ip -6 route replace default dev he0 src 2001:470:8e2e:20::d table he ip -6 route flush cache ip route flush cache ip rule add fwmark ${toString mullvadMark} table mullvad ip route replace default dev mullvad table mullvad ip route flush cache ''; # boot.kernel.sysctl."net.ipv6.conf.${wan-dev}.disable_ipv6" = true; networking.interfaces.${wan-dev} = { macAddress = "3c:97:0e:19:7e:5c"; useDHCP = true; }; networking.interfaces.he0.ipv6 = { addresses = [ { address = "2001:470:1f06:1195::2"; prefixLength = 64; } { address = "2001:470:8e2e:20::d"; prefixLength = 64; } ]; # routes = [{ address = "::"; prefixLength = 0; }]; }; networking.interfaces."${lan-dev}".useDHCP = false; networking.interfaces."${lan-dev}.255".useDHCP = true; networking.interfaces."${lan-dev}.100" = { ipv4.addresses = [ { address = "10.65.30.1"; prefixLength = 24; } ]; useDHCP = false; }; networking.interfaces."${lan-dev}.30" = { ipv4.addresses = [ { address = "10.64.30.1"; prefixLength = 23; } ]; useDHCP = false; }; }