WIP: router: remove hosts from vars for now

WIP: router: firewall: proper filtering for hosts proxied by cloudflare
WIP: router: dns: add entries for sysdomain hosts
2025-03-26 00:15:48 -07:00 · 2025-03-25 22:50:11 -07:00 · 2025-03-25 22:49:10 -07:00 · 2025-03-25 20:59:41 -07:00 · 2025-03-25 20:59:41 -07:00 · 2025-03-25 20:59:41 -07:00
7 changed files with 14 additions and 63 deletions
--- a/flake.lock
+++ b/flake.lock
@@ -7,11 +7,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1745001336,
-        "narHash": "sha256-R4HuzrgYtOYBNmB3lfRxcieHEBO4uSfgHNz4MzWkZ5M=",
+        "lastModified": 1742957044,
+        "narHash": "sha256-gwW0tBIA77g6qq45y220drTy0DmThF3fJMwVFUtYV9c=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "fc09cb7aaadb70d6c4898654ffc872f0d2415df9",
+        "rev": "ce287a5cd3ef78203bc78021447f937a988d9f6f",
        "type": "github"
      },
      "original": {
@@ -58,11 +58,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1744932701,
-        "narHash": "sha256-fusHbZCyv126cyArUwwKrLdCkgVAIaa/fQJYFlCEqiU=",
+        "lastModified": 1742669843,
+        "narHash": "sha256-G5n+FOXLXcRx+3hCJ6Rt6ZQyF1zqQ0DL0sWAMn2Nk0w=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "b024ced1aac25639f8ca8fdfc2f8c4fbd66c48ef",
+        "rev": "1e5b653dff12029333a6546c11e108ede13052eb",
        "type": "github"
      },
      "original": {
--- a/home/default.nix
+++ b/home/default.nix
@@ -19,7 +19,6 @@ in
    SHELL = "fish";
  };

-  # TODO: remove (replace by bitwarden-desktop)
  services.gnome-keyring = {
    enable = true;
    components = [ "pkcs11" "ssh" ];
@@ -49,7 +48,7 @@ in
      ll = "exa -l --color=always --group-directories-first --icons";  # long format
      lt = "exa -aT --color=always --group-directories-first --icons"; # tree listing
      "l." = "exa -a | rg '^\.'";                                      # show only dotfiles
-
+      
      # Replace cat with bat
      cat = "bat";
    };
@@ -162,7 +161,6 @@ in
        shellExpand = true;
      };
      dolphinrc.General.ShowFullPath = true;
-      dolphinrc.DetailsMode.PreviewSize.persistent = true;
      kactivitymanagerdrc = {
        activities."809dc779-bf5b-49e6-8e3f-cbe283cb05b6" = "Default";
        activities."b34a506d-ac4f-4797-8c08-6ef45bc49341" = "Fun";
--- a/hosts/Yura-PC/default.nix
+++ b/hosts/Yura-PC/default.nix
@@ -32,7 +32,7 @@

  boot.loader.timeout = 3;
  boot.loader.systemd-boot.configurationLimit = 5;
-  boot.kernelPackages = pkgs.linuxKernel.packages.linux_6_13;
+  boot.kernelPackages = pkgs.linuxKernel.packages.linux_6_12;

  # https://nixos.wiki/wiki/Accelerated_Video_Playback
  hardware.graphics = {
@@ -125,7 +125,6 @@

      # Nix
      nixd
-      nil

      # Gleam
      gleam
@@ -160,7 +159,7 @@

  # https://discourse.nixos.org/t/firefox-does-not-use-kde-window-decorations-and-cursor/32132/3
  # programs.dconf.enable = true;
-  # programs.firefox = {
+  # programs.firefox = {                  
    # enable = true;
    # preferences = {
      # "widget.use-xdg-desktop-portal.file-picker" = 1;
@@ -179,9 +178,9 @@

  programs.nix-ld.enable = true;
  programs.nix-ld.libraries = with pkgs; [
-    # Add any missing dynamic libraries for unpackaged
+    # Add any missing dynamic libraries for unpackaged 
    # programs here, NOT in environment.systemPackages
-
+    
    # For JetBrains stuff
    # https://github.com/NixOS/nixpkgs/issues/240444
  ];
@@ -208,7 +207,7 @@
   ];
  # fonts.fontDir.enable = true;
  # fonts.fontconfig.allowBitmaps = false;
-
+  
  environment.systemPackages = with pkgs; [
    dust
    eza
@@ -238,14 +237,12 @@
    whois
    yt-dlp
  ] ++ [
-    bitwarden-desktop
    darkman
    host-spawn # for flatpaks
    kdePackages.filelight
    kdePackages.flatpak-kcm
    kdePackages.kate
    kdePackages.yakuake
-    # TODO: remove (replace by bitwarden-desktop)
    gcr
    gnome-keyring # config for this and some others
    mpv
@@ -264,7 +261,6 @@
    jetbrains.webstorm
    android-studio
    rustup
-    zed-editor
  ];

  # Some programs need SUID wrappers, can be configured further or are
--- a/hosts/router/firewall.nix
+++ b/hosts/router/firewall.nix
@@ -20,9 +20,8 @@ in
          ${ifs.lan40.name},
          ${ifs.lan50.name},
      }
-      define OPNSENSE_NET6 = ${vars.extra.opnsense.net6}
+      define OPNSENSE_NET6 = ${pdFromWan}d::/64
      define ZONE_LAN_EXTRA_NET6 = {
-          # TODO: reevaluate this statement
          ${ifs.lan20.net6},  # needed since packets can come in from wan on these addrs
          $OPNSENSE_NET6,
      }
@@ -30,7 +29,6 @@ in
      define CLOUDFLARE_NET6 = {
          # https://www.cloudflare.com/ips-v6
          # TODO: figure out a better way to get addrs dynamically from url
-          # perhaps building a nixos module/package that fetches the ips?
          2400:cb00::/32,
          2606:4700::/32,
          2803:f800::/32,
@@ -127,7 +125,7 @@ in
          meta l4proto . ip6 daddr . th dport @port_forward_v6 accept

          # Allowed IPv6 from cloudflare
-          ip6 saddr $CLOUDFLARE_NET6 ip6 daddr @cloudflare_forward_v6 th dport https accept
+          ip6 saddr $CLOUDFLARE_NET6 ip6 daddr @cloudflare_forward_v6 accept
      }

      chain zone_lan_input {
--- a/hosts/router/ifconfig.nix
+++ b/hosts/router/ifconfig.nix
@@ -46,12 +46,6 @@ let
  };
 in
 {
-  # By default, Linux will respond to ARP requests that belong to other interfaces.
-  # Normally this isn't a problem, but it causes issues
-  # since my WAN and LAN20 are technically bridged.
-  # https://networkengineering.stackexchange.com/questions/83071/why-linux-answers-arp-requests-for-ips-that-belong-to-different-network-interfac
-  boot.kernel.sysctl."net.ipv4.conf.default.arp_filter" = 1;
-
  # It is impossible to do multiple prefix requests with networkd,
  # so I use dhcpcd for this
  # https://github.com/systemd/systemd/issues/22571
@@ -150,7 +144,6 @@ in
          ifs.lan40.name
          ifs.lan50.name
        ];
-        routes = vars.extra.opnsense.routes;
      };
      "30-vlan10" = mkLanConfig ifs.lan10;
      "30-vlan20" = mkLanConfig ifs.lan20;
--- a/hosts/router/services.nix
+++ b/hosts/router/services.nix
@@ -4,16 +4,6 @@ let
  domain = vars.domain;
 in
 {
-  services.miniupnpd = {
-    enable = true;
-    natpmp = true;
-    externalInterface = vars.ifs.wan.name;
-    internalIPs = [
-      vars.ifs.lan.name
-      vars.ifs.lan20.name
-    ];
-  };
-
  # https://wiki.nixos.org/wiki/Prometheus
  services.prometheus = {
    enable = true;
--- a/hosts/router/vars.nix
+++ b/hosts/router/vars.nix
@@ -95,28 +95,4 @@ rec {
      ulaPrefix_ = "${ulaPrefix}:0050";  # ::/64
    };
  };
-
-  extra = {
-    opnsense = rec {
-      addr4 = "${ifs.lan.p4}.250";
-      ulaAddr = "${ifs.lan.ulaPrefix}::250";
-      p6 = "${pdFromWan}d";
-      net6 = "${p6}::/64";
-      # VPN routes on opnsense
-      routes = [
-        {
-          Destination = "10.6.0.0/24";
-          Gateway = addr4;
-        }
-        {
-          Destination = "10.18.0.0/20";
-          Gateway = addr4;
-        }
-        {
-          Destination = net6;
-          Gateway = ulaAddr;
-        }
-      ];
-    };
-  };
 }
Author	SHA1	Message	Date
Yuri Tatishchev	df216b3298	WIP: router: remove hosts from vars for now	2025-03-26 00:15:48 -07:00
Yuri Tatishchev	809a6f36dc	WIP: router: firewall: proper filtering for hosts proxied by cloudflare	2025-03-25 22:50:11 -07:00
Yuri Tatishchev	8290063bca	WIP: router: dns: add entries for sysdomain hosts	2025-03-25 22:49:10 -07:00
Yuri Tatishchev	1248086964	WIP: router: some dns changes	2025-03-25 20:59:41 -07:00
Yuri Tatishchev	c70fae9bd6	WIP: router: I swear the ipv6 routes work now	2025-03-25 20:59:41 -07:00
Yuri Tatishchev	51c03e46e5	WIP: router: move wan ipv4 configuration from dhcpcd to networkd	2025-03-25 20:59:41 -07:00
Yuri Tatishchev	ad61c36b76	WIP: router: fix firewall for dhcpv6-client	2025-03-25 20:59:40 -07:00
Yuri Tatishchev	7abb0ecea5	WIP: router: bring back lan10	2025-03-25 20:59:40 -07:00
Yuri Tatishchev	ccbc53579d	WIP: router: remove temporary tests	2025-03-25 20:59:40 -07:00
Yuri Tatishchev	478cf9ca2a	WIP: router: refactor config into separate files	2025-03-25 20:59:40 -07:00
Yuri Tatishchev	cf6e195028	WIP: router: attempt timer to restart networkd every minute	2025-03-25 20:59:39 -07:00
Yuri Tatishchev	e32bcaf945	WIP: router: attempt static ipv6 gateway on wan	2025-03-25 20:59:39 -07:00
Yuri Tatishchev	74f789f3ec	WIP: router: temporarily disable lan10	2025-03-25 20:59:39 -07:00
Yuri Tatishchev	adb0bd78f0	WIP: router: attempt networking.interfaces config instead of networkd for lan10	2025-03-25 20:59:39 -07:00
Yuri Tatishchev	f640e3cb19	WIP: router: attempt removing networkd, some bs testing	2025-03-25 20:59:39 -07:00
Yuri Tatishchev	3935e0316b	WIP: router: attempt some ipv6 prefix fixes	2025-03-25 20:59:38 -07:00