diff --git a/hosts/router/default.nix b/hosts/router/default.nix
index 681fa55..7b0423b 100644
--- a/hosts/router/default.nix
+++ b/hosts/router/default.nix
@@ -1,91 +1,19 @@
-{ config, lib, pkgs, ... }:
-let
- vars = import ./vars.nix;
- enableDesktop = false;
-in {
- imports =
- [ # Include the results of the hardware scan.
- ./hardware-configuration.nix
- ./ifconfig.nix
- ./wireguard.nix
- ./firewall.nix
- ./dns.nix
- ./kea.nix
- ./glance.nix
- ./services.nix
- ];
- # Secrix for secrets management
- secrix.hostPubKey = vars.pubkey;
-
- # Bootloader.
- boot.loader.systemd-boot.enable = true;
- boot.loader.efi.canTouchEfiVariables = false;
- boot.kernelParams = [
- "sysrq_always_enabled=1"
+ imports = [
+ ../../modules/router
+ ./hardware-configuration.nix
+ ./private.nix
 ];
- boot.loader.timeout = 2;
- boot.loader.systemd-boot.configurationLimit = 5;
- boot.kernelPackages = pkgs.linuxKernel.packages.linux_6_12;
- boot.growPartition = true;
+ router = {
+ enableDesktop = false;
+ enableDhcpClient = true;
+ wanMAC = "bc:24:11:4f:c9:c4";
+ lanMAC = "bc:24:11:83:d8:de";
+ wanLL = "fe80::be24:11ff:fe4f:c9c4";
+ lanLL = "fe80::be24:11ff:fe83:d8de";
+ defaultToken = 1;
+ };
 networking.hostName = "grouter";
-
- # Enable the X11 windowing system.
- # You can disable this if you're only using the Wayland session.
- services.xserver.enable = false;
-
- # Enable the KDE Plasma Desktop Environment.
- # Useful for debugging with wireshark.
- hardware.graphics.enable = true;
- services.displayManager.sddm.enable = enableDesktop;
- services.displayManager.sddm.wayland.enable = enableDesktop;
- services.desktopManager.plasma6.enable = enableDesktop;
- # No need for audio in VM
- services.pipewire.enable = false;
-
- # VM services
- services.qemuGuest.enable = true;
- services.spice-vdagentd.enable = true;
-
- security.sudo.wheelNeedsPassword = false;
-
- programs.firefox.enable = true;
- programs.fish.enable = true;
- programs.git.enable = true;
- programs.neovim.enable = true;
- programs.bat.enable = true;
- programs.htop.enable = true;
- programs.wireshark.enable = true;
- programs.wireshark.package = pkgs.wireshark; # wireshark-cli by default
-
- environment.systemPackages = with pkgs; [
- dust
- eza
- fastfetch
- fd
- kdePackages.kate
- ldns
- lsof
- micro
- mpv
- openssl
- ripgrep
- rustscan
- starship
- tealdeer
- transcrypt
- waypipe
- whois
- wireguard-tools
- ];
-
- # This value determines the NixOS release from which the default
- # settings for stateful data, like file locations and database versions
- # on your system were taken. It‘s perfectly fine and recommended to leave
- # this value at the release version of the first install of this system.
- # Before changing this value read the documentation for this option
- # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
- system.stateVersion = "24.11"; # Did you read the comment?
 }
diff --git a/hosts/router/private.nix b/hosts/router/private.nix
index 56d08c6..716cff8 100644
--- a/hosts/router/private.nix
+++ b/hosts/router/private.nix
@@ -1,3 +1,3 @@
-U2FsdGVkX1/MGwxIMmhbZuPqJUZzex9v5tTuiOrEvDVldI7xY0edUy9Ii5udFLXt
-AbxShsH43FH1ucgygKDlKTB/yXZWDoDVhjdgLFjaBtAt0xyAL9Doet844oDVhbbO
-FqOwXHMd+PE23rgqiCscsA==
+U2FsdGVkX1+eMFkQxarJDGLkX0zXyMRPukeRNvzd/BJ0XDAUZ2EeZvQnZw8U53Xz
+W97X4rvT+K/NQ7FVCYfOg1XpQhzlSiC9z1M4WLmPRutUgsDY5n5RFJu2R8K5DAfi
+sAPcxiQUGVKrmDUva16yNqoR2Dkx2XE9iW1hpkfGFYVUK+QKIBkUEowQQlJJ1Wg1
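Review bot: The new `router = { ... }` block sets none of `wanAddr4`, `wanGw4` or `pdFromWan`, which opts.nix declares without a `default`, so evaluation of this host presumably only succeeds because `./private.nix` (now imported as a module rather than read by vars.nix) sets them; that dependency is invisible from this file. A one-line comment on the import, `./private.nix # transcrypt-encrypted: sets router.wanAddr4, wanGw4 and pdFromWan`, would tell the next reader why a checkout without the transcrypt key fails to evaluate and where the remaining required options live. The `enableDhcpClient = true` line matches the option's "main router only" description for this host, but the same comment could note that other hosts importing the module are expected to leave it at its default.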
diff --git a/modules/router/default.nix b/modules/router/default.nix
new file mode 100644
index 0000000..9d7b380
--- /dev/null
+++ b/modules/router/default.nix
@@ -0,0 +1,91 @@
+{ config, lib, pkgs, ... }:
+let
+ vars = import ./vars.nix config;
+ enableDesktop = config.router.enableDesktop;
+in
+{
+ imports =
+ [ # Include the results of the hardware scan.
+ ./opts.nix
+ ./ifconfig.nix
+ ./wireguard.nix
+ ./firewall.nix
+ ./dns.nix
+ ./kea.nix
+ ./glance.nix
+ ./services.nix
+ ];
+ # Secrix for secrets management
+ secrix.hostPubKey = vars.pubkey;
+
+ # Bootloader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = false;
+ boot.kernelParams = [
+ "sysrq_always_enabled=1"
+ ];
+
+ boot.loader.timeout = 2;
+ boot.loader.systemd-boot.configurationLimit = 5;
+ boot.kernelPackages = pkgs.linuxKernel.packages.linux_6_12;
+ boot.growPartition = true;
+
+ # Enable the X11 windowing system.
+ # You can disable this if you're only using the Wayland session.
+ services.xserver.enable = false;
+
+ # Enable the KDE Plasma Desktop Environment.
+ # Useful for debugging with wireshark.
+ hardware.graphics.enable = true;
+ services.xserver.desktopManager.xfce.enable = enableDesktop;
+ services.xserver.desktopManager.xfce.enableWaylandSession = enableDesktop;
+ # services.displayManager.sddm.enable = enableDesktop;
+ # services.displayManager.sddm.wayland.enable = enableDesktop;
+ # services.desktopManager.plasma6.enable = enableDesktop;
+ # No need for audio in VM
+ services.pipewire.enable = false;
+
+ # VM services
+ services.qemuGuest.enable = true;
+ services.spice-vdagentd.enable = true;
+
+ security.sudo.wheelNeedsPassword = false;
+
+ programs.firefox.enable = true;
+ programs.fish.enable = true;
+ programs.git.enable = true;
+ programs.neovim.enable = true;
+ programs.bat.enable = true;
+ programs.htop.enable = true;
+ programs.wireshark.enable = true;
+ programs.wireshark.package = pkgs.wireshark; # wireshark-cli by default
+
+ environment.systemPackages = with pkgs; [
+ dust
+ eza
+ fastfetch
+ fd
+ kdePackages.kate
+ ldns
+ lsof
+ micro
+ mpv
+ openssl
+ ripgrep
+ rustscan
+ starship
+ tealdeer
+ transcrypt
+ waypipe
+ whois
+ wireguard-tools
+ ];
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "24.11"; # Did you read the comment?
+}
diff --git a/hosts/router/dns.nix b/modules/router/dns.nix
similarity index 99%
rename from hosts/router/dns.nix
rename to modules/router/dns.nix
index c8bcd69..57a0f3a 100644
--- a/hosts/router/dns.nix
+++ b/modules/router/dns.nix
@@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }:
 let
- vars = import ./vars.nix;
+ vars = import ./vars.nix config;
 domain = vars.domain;
 ldomain = vars.ldomain;
 sysdomain = vars.sysdomain;
diff --git a/hosts/router/firewall.nix b/modules/router/firewall.nix
similarity index 99%
rename from hosts/router/firewall.nix
rename to modules/router/firewall.nix
index 32a7ab8..5da730b 100644
--- a/hosts/router/firewall.nix
+++ b/modules/router/firewall.nix
@@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }:
 let
- vars = import ./vars.nix;
+ vars = import ./vars.nix config;
 links = vars.links;
 ifs = vars.ifs;
 pdFromWan = vars.pdFromWan;
diff --git a/hosts/router/glance.nix b/modules/router/glance.nix
similarity index 99%
rename from hosts/router/glance.nix
rename to modules/router/glance.nix
index ddc25a2..aad23d9 100644
--- a/hosts/router/glance.nix
+++ b/modules/router/glance.nix
@@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }:
 let
- vars = import ./vars.nix;
+ vars = import ./vars.nix config;
 domain = vars.domain;
 in {
diff --git a/hosts/router/ifconfig.nix b/modules/router/ifconfig.nix
similarity index 98%
rename from hosts/router/ifconfig.nix
rename to modules/router/ifconfig.nix
index 3d419b8..aa227b0 100644
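Review bot: `security.sudo.wheelNeedsPassword = false;` and `boot.kernelParams = [ "sysrq_always_enabled=1" ]` are now unconditional in a reusable module, so every host that imports `modules/router` gets passwordless sudo for the wheel group and the full SysRq key set rather than just this one VM; both read as debugging conveniences carried over from the old host file and would fit better behind an option (the module already has `router.enableDesktop` for exactly that purpose) or back in `hosts/router/default.nix`. The same applies to `programs.wireshark.enable = true`, which hands packet-capture rights to the wireshark group on each importing host. The comment `# Include the results of the hardware scan.` above the imports is stale now that `./hardware-configuration.nix` lives in the host and the list holds only the module's own files; `# Router module components (hardware-configuration.nix is imported by the host)` would match what is there.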
--- a/hosts/router/ifconfig.nix
+++ b/modules/router/ifconfig.nix
@@ -1,6 +1,7 @@
 { config, lib, pkgs, ... }:
 let
- vars = import ./vars.nix;
+ cfg = config.router;
+ vars = import ./vars.nix config;
 links = vars.links;
 ifs = vars.ifs;
 pdFromWan = vars.pdFromWan;
@@ -57,7 +58,7 @@ in
 # https://github.com/systemd/systemd/issues/22571
 # https://github.com/systemd/systemd/issues/22571#issuecomment-2094905496
 # https://gist.github.com/csamsel/0f8cca3b2e64d7e4cc47819ec5ba9396
- networking.dhcpcd.enable = true;
+ networking.dhcpcd.enable = cfg.enableDhcpClient;
 networking.dhcpcd.allowInterfaces = [ ifs.wan.name ];
 networking.dhcpcd.extraConfig = ''
 debug
diff --git a/hosts/router/kea.nix b/modules/router/kea.nix
similarity index 99%
rename from hosts/router/kea.nix
rename to modules/router/kea.nix
index 2932d3a..89905aa 100644
--- a/hosts/router/kea.nix
+++ b/modules/router/kea.nix
@@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }:
 let
- vars = import ./vars.nix;
+ vars = import ./vars.nix config;
 ldomain = vars.ldomain;
 ifs = vars.ifs;
diff --git a/modules/router/opts.nix b/modules/router/opts.nix
new file mode 100644
index 0000000..d9a39bf
--- /dev/null
+++ b/modules/router/opts.nix
@@ -0,0 +1,69 @@
+{ lib, config, ... }:
+
+with lib;
+
+{
+ options = {
+ router = {
+ enableDesktop = mkOption {
+ type = types.bool;
+ default = false;
+ description = "Enable desktop environment for debugging";
+ };
+
+ enableDhcpClient = mkOption {
+ type = types.bool;
+ default = false;
+ description = "Enable DHCP client (should only be set on the main router)";
+ };
+
+ wanMAC = mkOption {
+ type = types.str;
+ example = "bc:24:11:4f:c9:c4";
+ description = "WAN interface MAC address";
+ };
+
+ lanMAC = mkOption {
+ type = types.str;
+ example = "bc:24:11:83:d8:de";
+ description = "LAN interface MAC address";
+ };
+
+ wanLL = mkOption {
+ type = types.str;
+ example = "fe80::be24:11ff:fe4f:c9c4";
+ description = "WAN IPv6 link-local address";
+ };
+
+ lanLL = mkOption {
+ type = types.str;
+ example = "fe80::be24:11ff:fe83:d8de";
+ description = "LAN IPv6 link-local address";
+ };
+
+ defaultToken = mkOption {
+ type = types.int;
+ default = 1;
+ description = "Default token for interface addressing";
+ };
+
+ wanAddr4 = mkOption {
+ type = types.str;
+ example = "192.168.1.61";
+ description = "WAN IPv4 address";
+ };
+
+ wanGw4 = mkOption {
+ type = types.str;
+ example = "192.168.1.254";
+ description = "WAN IPv4 gateway";
+ };
+
+ pdFromWan = mkOption {
+ type = types.str;
+ example = "2001:db8:0:000";
+ description = "IPv6 prefix delegation from ISP (/60)";
+ };
+ };
+ };
+}
diff --git a/hosts/router/secrets/cf-api-key.age b/modules/router/secrets/cf-api-key.age
similarity index 100%
rename from hosts/router/secrets/cf-api-key.age
rename to modules/router/secrets/cf-api-key.age
diff --git a/hosts/router/secrets/wireguard/wg0-peer-Yura-Pixel7Pro-psk.age b/modules/router/secrets/wireguard/wg0-peer-Yura-Pixel7Pro-psk.age
similarity index 100%
rename from hosts/router/secrets/wireguard/wg0-peer-Yura-Pixel7Pro-psk.age
rename to modules/router/secrets/wireguard/wg0-peer-Yura-Pixel7Pro-psk.age
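Review bot: Every address-valued option here (`wanMAC`, `lanMAC`, `wanLL`, `lanLL`, `wanAddr4`, `wanGw4`, `pdFromWan`) is `types.str`, so a typo in a host's `private.nix` is accepted at evaluation time and only shows up once the interface and firewall configuration that vars.nix derives from these values is applied on the router; `types.strMatching`, e.g. `type = types.strMatching "([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}";` for the two MAC options, turns that into a build-time error. `pdFromWan`'s description says "/60" but vars.nix consumes it as `"${pdFromWan}0"`, i.e. the value is the delegated prefix with the last hex digit of its fourth hextet left off, which the example shows and the description should state, for instance `description = "IPv6 /60 delegated by the ISP, written without the last hex digit of the fourth hextet (see example)";`. `wanAddr4`, `wanGw4` and `pdFromWan` carry no `default`, so any host importing the module without setting them fails to evaluate; if that is intended, say so in their descriptions. File-scope `with lib;` is discouraged in current NixOS module style in favour of `inherit (lib) mkOption types;`.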
diff --git a/hosts/router/secrets/wireguard/wg0-peer-Yura-TPX13-psk.age b/modules/router/secrets/wireguard/wg0-peer-Yura-TPX13-psk.age
similarity index 100%
rename from hosts/router/secrets/wireguard/wg0-peer-Yura-TPX13-psk.age
rename to modules/router/secrets/wireguard/wg0-peer-Yura-TPX13-psk.age
diff --git a/hosts/router/secrets/wireguard/wg0-private-key.age b/modules/router/secrets/wireguard/wg0-private-key.age
similarity index 100%
rename from hosts/router/secrets/wireguard/wg0-private-key.age
rename to modules/router/secrets/wireguard/wg0-private-key.age
diff --git a/hosts/router/services.nix b/modules/router/services.nix
similarity index 98%
rename from hosts/router/services.nix
rename to modules/router/services.nix
index b0f8448..4c96d97 100644
--- a/hosts/router/services.nix
+++ b/modules/router/services.nix
@@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }:
 let
- vars = import ./vars.nix;
+ vars = import ./vars.nix config;
 domain = vars.domain;
 in {
diff --git a/hosts/router/vars.nix b/modules/router/vars.nix
similarity index 89%
rename from hosts/router/vars.nix
rename to modules/router/vars.nix
index 889cc24..713ba73 100644
--- a/hosts/router/vars.nix
+++ b/modules/router/vars.nix
@@ -1,6 +1,6 @@
+config:
 let
- private = import ./private.nix;
-
+ cfg = config.router;
 mkIfConfig = {
 name_,
 domain_,
@@ -10,7 +10,7 @@ let
 p6Size_ ? 64,
 ulaPrefix_, # /64
 ulaSize_ ? 64,
- token? 1,
+ token? cfg.defaultToken,
 ip6Token_? "::${toString token}",
 ulaToken_? "::${toString token}",
 }: rec {
@@ -41,21 +41,21 @@ rec {
 ldomain = "l.${domain}";
 sysdomain = "sys.${domain}";
 links = {
- wanMAC = "bc:24:11:4f:c9:c4";
- lanMAC = "bc:24:11:83:d8:de";
- wanLL = "fe80::be24:11ff:fe4f:c9c4";
- lanLL = "fe80::be24:11ff:fe83:d8de";
+ wanMAC = cfg.wanMAC;
+ lanMAC = cfg.lanMAC;
+ wanLL = cfg.wanLL;
+ lanLL = cfg.lanLL;
 };
 p4 = "10.17"; # .0.0/16
- pdFromWan = private.pdFromWan; # ::/60
+ pdFromWan = cfg.pdFromWan; # ::/60
 ulaPrefix = "fdab:07d3:581d"; # ::/48
 ifs = rec {
 wan = rec {
 name = "wan";
- addr4 = private.wanAddr4;
- addr4Sized = "${addr4}/23";
- gw4 = private.wanGw4;
+ addr4 = cfg.wanAddr4;
+ addr4Sized = "${addr4}/24";
+ gw4 = cfg.wanGw4;
 };
 lan = mkIfConfig {
 name_ = "lan";
@@ -77,7 +77,7 @@ rec {
 p4_ = "${p4}.20"; # .0/24
 p6_ = "${pdFromWan}0"; # ::/64 managed by Att box
 ulaPrefix_ = "${ulaPrefix}:0020"; # ::/64
- ip6Token_ = "::1:1"; # override ipv6 for lan20, since the Att box uses ::1 here
+ ip6Token_ = "::1:${toString cfg.defaultToken}"; # override ipv6 for lan20, since the Att box uses ::1 here
 };
 lan30 = mkIfConfig {
 name_ = "${lan.name}.30";
diff --git a/hosts/router/wireguard.nix b/modules/router/wireguard.nix
similarity index 98%
rename from hosts/router/wireguard.nix
rename to modules/router/wireguard.nix
index 97d7837..da0398a 100644
--- a/hosts/router/wireguard.nix
+++ b/modules/router/wireguard.nix
@@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }:
 let
- vars = import ./vars.nix;
+ vars = import ./vars.nix config;
 wg0 = vars.ifs.wg0;
 peerIps = ifObj: token: [
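Review bot: `addr4Sized = "${addr4}/24";` changes the WAN prefix length from /23 inside what is otherwise a move-to-module refactor, and nothing in the hunk or the commit explains it; if the upstream subnet really is a /24 the commit message should say so, and if it is not, `wanGw4` can end up outside the on-link prefix and the default route will not install. Since the WAN address and gateway have just become `router.*` options, the prefix length belongs beside them rather than hard-coded here, e.g. a `router.wanPrefixLen4` option (name constructed for this note) with `addr4Sized = "${addr4}/${toString cfg.wanPrefixLen4}";`. The `rec { ... }` attribute set these hunks edit starts before the first hunk and continues past the last one.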