router: add host configurations for test routers

flake.nix

@@ -37,6 +37,19 @@
       # Optionally, use home-manager.extraSpecialArgs to pass
       # arguments to home.nix
     };
+
+    mkRouter = hostFile: nixpkgs.lib.nixosSystem {
+      system = "x86_64-linux";
+      modules = [
+        secrix.nixosModules.default
+        ./modules
+        ./modules/router
+        ./hosts/common.nix
+        hostFile
+        ./users/cazzzer
+        (hmModule ./home/common.nix)
+      ];
+    };
   in
   {
     apps.x86_64-linux.secrix = secrix.secrix self;
@@ -77,17 +90,9 @@
           (hmModule ./home/cazzzer-pc.nix)
         ];
       };
-      router = nixpkgs.lib.nixosSystem {
-        system = "x86_64-linux";
-        modules = [
-          secrix.nixosModules.default
-          ./modules
-          ./hosts/common.nix
-          ./hosts/router
-          ./users/cazzzer
-          (hmModule ./home/common.nix)
-        ];
-      };
+      router = mkRouter ./hosts/router;
+      router-1 = mkRouter ./hosts/router-1;
+      router-2 = mkRouter ./hosts/router-2;
     };
     # https://github.com/nix-community/nixos-generators?tab=readme-ov-file#using-in-a-flake
     packages.x86_64-linux = {

hosts/router-1/default.nix

@@ -0,0 +1,24 @@
+{
+  imports = [
+    ../hw-vm.nix
+  ];
+
+  router = {
+    enableDesktop = false;
+    enableDhcpClient = false;
+    wanMAC = "bc:24:11:af:bd:84";
+    lanMAC = "bc:24:11:38:b1:91";
+    wanLL = "fe80::be24:11ff:feaf:bd84";
+    lanLL = "fe80::be24:11ff:fe38:b191";
+    defaultToken = 251;
+
+    pdFromWan = "fd46:fbbe:ca55:100";
+    wanAddr4 = "192.168.1.63";
+    wanGw4 = "192.168.1.254";
+  };
+
+  networking.hostName = "grouty";
+
+  # override hw-vm.nix default
+  networking.useDHCP = false;
+}

hosts/router-2/default.nix

@@ -0,0 +1,24 @@
+{
+  imports = [
+    ../hw-vm.nix
+  ];
+
+  router = {
+    enableDesktop = false;
+    enableDhcpClient = false;
+    wanMAC = "bc:24:11:bc:db:c1";
+    lanMAC = "bc:24:11:19:2a:96";
+    wanLL = "fe80::be24:11ff:febc:dbc1";
+    lanLL = "fe80::be24:11ff:fe19:2a96";
+    defaultToken = 252;
+
+    pdFromWan = "fd46:fbbe:ca55:100";
+    wanAddr4 = "192.168.1.64";
+    wanGw4 = "192.168.1.254";
+  };
+
+  networking.hostName = "grouta";
+
+  # override hw-vm.nix default
+  networking.useDHCP = false;
+}

hosts/router/default.nix

@@ -1,91 +1,18 @@
-{ config, lib, pkgs, ... }:
-let
-  vars = import ./vars.nix;
-  enableDesktop = false;
-in
 {
-  imports =
-    [ # Include the results of the hardware scan.
-      ./hardware-configuration.nix
-      ./ifconfig.nix
-      ./wireguard.nix
-      ./firewall.nix
-      ./dns.nix
-      ./kea.nix
-      ./glance.nix
-      ./services.nix
-    ];
-  # Secrix for secrets management
-  secrix.hostPubKey = vars.pubkey;
-
-  # Bootloader.
-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = false;
-  boot.kernelParams = [
-    "sysrq_always_enabled=1"
+  imports = [
+    ./hardware-configuration.nix
+    ./private.nix
   ];
 
-  boot.loader.timeout = 2;
-  boot.loader.systemd-boot.configurationLimit = 5;
-  boot.kernelPackages = pkgs.linuxKernel.packages.linux_6_12;
-  boot.growPartition = true;
+  router = {
+    enableDesktop = false;
+    enableDhcpClient = true;
+    wanMAC = "bc:24:11:4f:c9:c4";
+    lanMAC = "bc:24:11:83:d8:de";
+    wanLL = "fe80::be24:11ff:fe4f:c9c4";
+    lanLL = "fe80::be24:11ff:fe83:d8de";
+    defaultToken = 1;
+  };
 
   networking.hostName = "grouter";
-
-  # Enable the X11 windowing system.
-  # You can disable this if you're only using the Wayland session.
-  services.xserver.enable = false;
-
-  # Enable the KDE Plasma Desktop Environment.
-  # Useful for debugging with wireshark.
-  hardware.graphics.enable = true;
-  services.displayManager.sddm.enable = enableDesktop;
-  services.displayManager.sddm.wayland.enable = enableDesktop;
-  services.desktopManager.plasma6.enable = enableDesktop;
-  # No need for audio in VM
-  services.pipewire.enable = false;
-
-  # VM services
-  services.qemuGuest.enable = true;
-  services.spice-vdagentd.enable = true;
-
-  security.sudo.wheelNeedsPassword = false;
-
-  programs.firefox.enable = true;
-  programs.fish.enable = true;
-  programs.git.enable = true;
-  programs.neovim.enable = true;
-  programs.bat.enable = true;
-  programs.htop.enable = true;
-  programs.wireshark.enable = true;
-  programs.wireshark.package = pkgs.wireshark; # wireshark-cli by default
-
-  environment.systemPackages = with pkgs; [
-    dust
-    eza
-    fastfetch
-    fd
-    kdePackages.kate
-    ldns
-    lsof
-    micro
-    mpv
-    openssl
-    ripgrep
-    rustscan
-    starship
-    tealdeer
-    transcrypt
-    waypipe
-    whois
-    wireguard-tools
-  ];
-
-  # This value determines the NixOS release from which the default
-  # settings for stateful data, like file locations and database versions
-  # on your system were taken. It‘s perfectly fine and recommended to leave
-  # this value at the release version of the first install of this system.
-  # Before changing this value read the documentation for this option
-  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "24.11"; # Did you read the comment?
 }

hosts/router/private.nix

@@ -1,3 +1,3 @@
-U2FsdGVkX1/MGwxIMmhbZuPqJUZzex9v5tTuiOrEvDVldI7xY0edUy9Ii5udFLXt
-AbxShsH43FH1ucgygKDlKTB/yXZWDoDVhjdgLFjaBtAt0xyAL9Doet844oDVhbbO
-FqOwXHMd+PE23rgqiCscsA==
+U2FsdGVkX1+eMFkQxarJDGLkX0zXyMRPukeRNvzd/BJ0XDAUZ2EeZvQnZw8U53Xz
+W97X4rvT+K/NQ7FVCYfOg1XpQhzlSiC9z1M4WLmPRutUgsDY5n5RFJu2R8K5DAfi
+sAPcxiQUGVKrmDUva16yNqoR2Dkx2XE9iW1hpkfGFYVUK+QKIBkUEowQQlJJ1Wg1

modules/router/default.nix

@@ -0,0 +1,91 @@
+{ config, lib, pkgs, ... }:
+let
+  vars = import ./vars.nix config;
+  enableDesktop = config.router.enableDesktop;
+in
+{
+  imports =
+    [ # Include the results of the hardware scan.
+      ./opts.nix
+      ./ifconfig.nix
+      ./wireguard.nix
+      ./firewall.nix
+      ./dns.nix
+      ./kea.nix
+      ./glance.nix
+      ./services.nix
+    ];
+  # Secrix for secrets management
+  secrix.hostPubKey = vars.pubkey;
+
+  # Bootloader.
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = false;
+  boot.kernelParams = [
+    "sysrq_always_enabled=1"
+  ];
+
+  boot.loader.timeout = 2;
+  boot.loader.systemd-boot.configurationLimit = 5;
+  boot.kernelPackages = pkgs.linuxKernel.packages.linux_6_12;
+  boot.growPartition = true;
+
+  # Enable the X11 windowing system.
+  # You can disable this if you're only using the Wayland session.
+  services.xserver.enable = false;
+
+  # Enable the KDE Plasma Desktop Environment.
+  # Useful for debugging with wireshark.
+  hardware.graphics.enable = true;
+  services.xserver.desktopManager.xfce.enable = enableDesktop;
+  services.xserver.desktopManager.xfce.enableWaylandSession = enableDesktop;
+  # services.displayManager.sddm.enable = enableDesktop;
+  # services.displayManager.sddm.wayland.enable = enableDesktop;
+  # services.desktopManager.plasma6.enable = enableDesktop;
+  # No need for audio in VM
+  services.pipewire.enable = false;
+
+  # VM services
+  services.qemuGuest.enable = true;
+  services.spice-vdagentd.enable = true;
+
+  security.sudo.wheelNeedsPassword = false;
+
+  programs.firefox.enable = true;
+  programs.fish.enable = true;
+  programs.git.enable = true;
+  programs.neovim.enable = true;
+  programs.bat.enable = true;
+  programs.htop.enable = true;
+  programs.wireshark.enable = true;
+  programs.wireshark.package = pkgs.wireshark; # wireshark-cli by default
+
+  environment.systemPackages = with pkgs; [
+    dust
+    eza
+    fastfetch
+    fd
+    kdePackages.kate
+    ldns
+    lsof
+    micro
+    mpv
+    openssl
+    ripgrep
+    rustscan
+    starship
+    tealdeer
+    transcrypt
+    waypipe
+    whois
+    wireguard-tools
+  ];
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "24.11"; # Did you read the comment?
+}

modules/router/dns.nix

@@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }:
 let
-  vars = import ./vars.nix;
+  vars = import ./vars.nix config;
   domain = vars.domain;
   ldomain = vars.ldomain;
   sysdomain = vars.sysdomain;

modules/router/firewall.nix

@@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }:
 let
-  vars = import ./vars.nix;
+  vars = import ./vars.nix config;
   links = vars.links;
   ifs = vars.ifs;
   pdFromWan = vars.pdFromWan;

modules/router/glance.nix

@@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }:
 let
-  vars = import ./vars.nix;
+  vars = import ./vars.nix config;
   domain = vars.domain;
 in
 {

modules/router/ifconfig.nix

@@ -1,6 +1,7 @@
 { config, lib, pkgs, ... }:
 let
-  vars = import ./vars.nix;
+  cfg = config.router;
+  vars = import ./vars.nix config;
   links = vars.links;
   ifs = vars.ifs;
   pdFromWan = vars.pdFromWan;
@@ -57,7 +58,7 @@ in
   # https://github.com/systemd/systemd/issues/22571
   # https://github.com/systemd/systemd/issues/22571#issuecomment-2094905496
   # https://gist.github.com/csamsel/0f8cca3b2e64d7e4cc47819ec5ba9396
-  networking.dhcpcd.enable = true;
+  networking.dhcpcd.enable = cfg.enableDhcpClient;
   networking.dhcpcd.allowInterfaces = [ ifs.wan.name ];
   networking.dhcpcd.extraConfig = ''
     debug

modules/router/kea.nix

@@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }:
 let
-  vars = import ./vars.nix;
+  vars = import ./vars.nix config;
   ldomain = vars.ldomain;
   ifs = vars.ifs;
 

modules/router/opts.nix

@@ -0,0 +1,69 @@
+{ lib, config, ... }:
+
+with lib;
+
+{
+  options = {
+    router = {
+      enableDesktop = mkOption {
+        type = types.bool;
+        default = false;
+        description = "Enable desktop environment for debugging";
+      };
+
+      enableDhcpClient = mkOption {
+        type = types.bool;
+        default = false;
+        description = "Enable DHCP client (should only be set on the main router)";
+      };
+
+      wanMAC = mkOption {
+        type = types.str;
+        example = "bc:24:11:4f:c9:c4";
+        description = "WAN interface MAC address";
+      };
+
+      lanMAC = mkOption {
+        type = types.str;
+        example = "bc:24:11:83:d8:de";
+        description = "LAN interface MAC address";
+      };
+
+      wanLL = mkOption {
+          type = types.str;
+          example = "fe80::be24:11ff:fe4f:c9c4";
+          description = "WAN IPv6 link-local address";
+      };
+
+      lanLL = mkOption {
+          type = types.str;
+          example = "fe80::be24:11ff:fe83:d8de";
+          description = "LAN IPv6 link-local address";
+      };
+
+      defaultToken = mkOption {
+        type = types.int;
+        default = 1;
+        description = "Default token for interface addressing";
+      };
+
+      wanAddr4 = mkOption {
+        type = types.str;
+        example = "192.168.1.61";
+        description = "WAN IPv4 address";
+      };
+
+      wanGw4 = mkOption {
+        type = types.str;
+        example = "192.168.1.254";
+        description = "WAN IPv4 gateway";
+      };
+
+      pdFromWan = mkOption {
+        type = types.str;
+        example = "2001:db8:0:000";
+        description = "IPv6 prefix delegation from ISP (/60)";
+      };
+    };
+  };
+}

modules/router/services.nix

@@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }:
 let
-  vars = import ./vars.nix;
+  vars = import ./vars.nix config;
   domain = vars.domain;
 in
 {

modules/router/vars.nix

@@ -1,6 +1,6 @@
+config:
 let
-  private = import ./private.nix;
-
+  cfg = config.router;
   mkIfConfig = {
     name_,
     domain_,
@@ -10,7 +10,7 @@ let
     p6Size_ ? 64,
     ulaPrefix_,  # /64
     ulaSize_ ? 64,
-    token? 1,
+    token? cfg.defaultToken,
     ip6Token_? "::${toString token}",
     ulaToken_? "::${toString token}",
     }: rec {
@@ -41,21 +41,21 @@ rec {
   ldomain = "l.${domain}";
   sysdomain = "sys.${domain}";
   links = {
-    wanMAC = "bc:24:11:4f:c9:c4";
-    lanMAC = "bc:24:11:83:d8:de";
-    wanLL = "fe80::be24:11ff:fe4f:c9c4";
-    lanLL = "fe80::be24:11ff:fe83:d8de";
+    wanMAC = cfg.wanMAC;
+    lanMAC = cfg.lanMAC;
+    wanLL = cfg.wanLL;
+    lanLL = cfg.lanLL;
   };
 
   p4 = "10.17";                      # .0.0/16
-  pdFromWan = private.pdFromWan;  # ::/60
+  pdFromWan = cfg.pdFromWan;         # ::/60
   ulaPrefix = "fdab:07d3:581d";      # ::/48
   ifs = rec {
     wan = rec {
       name = "wan";
-      addr4 = private.wanAddr4;
-      addr4Sized = "${addr4}/23";
-      gw4 = private.wanGw4;
+      addr4 = cfg.wanAddr4;
+      addr4Sized = "${addr4}/24";
+      gw4 = cfg.wanGw4;
     };
     lan = mkIfConfig {
       name_ = "lan";
@@ -77,7 +77,7 @@ rec {
       p4_ = "${p4}.20";                  # .0/24
       p6_ = "${pdFromWan}0";             # ::/64 managed by Att box
       ulaPrefix_ = "${ulaPrefix}:0020";  # ::/64
-      ip6Token_ = "::1:1";  # override ipv6 for lan20, since the Att box uses ::1 here
+      ip6Token_ = "::1:${toString cfg.defaultToken}";  # override ipv6 for lan20, since the Att box uses ::1 here
     };
     lan30 = mkIfConfig {
       name_ = "${lan.name}.30";

modules/router/wireguard.nix

@@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }:
 let
-  vars = import ./vars.nix;
+  vars = import ./vars.nix config;
   wg0 = vars.ifs.wg0;
 
   peerIps = ifObj: token: [