router: small update
Since I have to rebuild unbound and Linux anyway, might as well change it a bit
This commit is contained in:
parent
64ff8be357
commit
0ac1502979
|
@ -99,12 +99,14 @@
|
|||
};
|
||||
router-emmc = rec {
|
||||
system = "aarch64-linux";
|
||||
specialArgs.notnft = if devNft then (import /${devPath}/notnft { inherit (nixpkgs) lib; }).config.notnft else notnft.lib.${system};
|
||||
specialArgs.router-lib = if devNixRt then import /${devPath}/nixos-router/lib.nix { inherit (nixpkgs) lib; } else nixos-router.lib.${system};
|
||||
specialArgs.server-config = nixosConfigurations.nixserver.config;
|
||||
modules = [
|
||||
{
|
||||
_module.args.notnft = if devNft then (import /${devPath}/notnft { inherit (nixpkgs) lib; }).config.notnft else notnft.lib.${system};
|
||||
}
|
||||
(import ./system/devices/bpi-r3-router.nix "emmc")
|
||||
(if devNixRt then (import /${devPath}/nixos-router) else nixos-router.nixosModules.default)
|
||||
(if devNixRt then import /${devPath}/nixos-router else nixos-router.nixosModules.default)
|
||||
];
|
||||
};
|
||||
router-sd = rec {
|
||||
|
|
|
@ -80,23 +80,6 @@ in
|
|||
stdenv = pkgs'.ccacheStdenv;
|
||||
};
|
||||
|
||||
hostapd = (pkgs.hostapd.override { stdenv = pkgs'.ccacheStdenv; }).overrideAttrs (old: {
|
||||
# also remove 80211N
|
||||
extraConfig = old.extraConfig + ''
|
||||
CONFIG_OCV=y
|
||||
CONFIG_WPS=y
|
||||
CONFIG_WPS_NFC=y
|
||||
CONFIG_WNM=y
|
||||
CONFIG_IEEE80211AX=y
|
||||
CONFIG_IEEE80211BE=y
|
||||
CONFIG_ELOOP_EPOLL=y
|
||||
CONFIG_MBO=y
|
||||
CONFIG_TAXONOMY=y
|
||||
CONFIG_OWE=y
|
||||
CONFIG_AIRTIME_POLICY=y
|
||||
'';
|
||||
});
|
||||
|
||||
cutter2 = pkgs.callPackage ./rizin/wrapper.nix {
|
||||
unwrapped = pkgs.cutter;
|
||||
} [ (pkgs.libsForQt5.callPackage ./rizin/rz-ghidra.nix {
|
||||
|
|
|
@ -116,7 +116,7 @@ in rec {
|
|||
'';
|
||||
fixupPhase = "true";
|
||||
};
|
||||
linux_bpiR3 = pkgs.linux_testing.override {
|
||||
linux_bpiR3 = pkgs.linux_latest.override {
|
||||
stdenv = pkgs'.ccacheStdenv;
|
||||
buildPackages = pkgs'.buildPackages // {
|
||||
stdenv = pkgs'.buildPackages.ccacheStdenv;
|
||||
|
@ -250,14 +250,23 @@ in rec {
|
|||
# hardware specific stuff
|
||||
FB = lib.mkForce no;
|
||||
DRM = no;
|
||||
SOUND = no;
|
||||
INFINIBAND = lib.mkForce no;
|
||||
CFG80211 = module;
|
||||
MAC80211 = module;
|
||||
WLAN = yes;
|
||||
|
||||
NR_CPUS = lib.mkForce (freeform "4");
|
||||
SMP = yes;
|
||||
|
||||
SFP = yes;
|
||||
ARCH_MEDIATEK = yes;
|
||||
COMMON_CLK_MEDIATEK = yes;
|
||||
COMMON_CLK_MEDIATEK_FHCTL = yes;
|
||||
COMMON_CLK_MT7986 = yes;
|
||||
COMMON_CLK_MT7986_ETHSYS = yes;
|
||||
EINT_MTK = yes;
|
||||
MEDIATEK_GE_PHY = yes;
|
||||
MEDIATEK_WATCHDOG = yes;
|
||||
MTD_NAND_ECC_MEDIATEK = yes;
|
||||
MTD_NAND_ECC_SW_HAMMING = yes;
|
||||
|
@ -269,6 +278,8 @@ in rec {
|
|||
MTK_HSDMA = yes;
|
||||
MTK_INFRACFG = yes;
|
||||
MTK_PMIC_WRAP = yes;
|
||||
MTK_LVTS_THERMAL = yes;
|
||||
MTK_SOC_THERMAL = yes;
|
||||
MTK_THERMAL = yes;
|
||||
MTK_TIMER = yes;
|
||||
NET_DSA_MT7530 = yes;
|
||||
|
@ -282,8 +293,15 @@ in rec {
|
|||
NET_VENDOR_MEDIATEK = yes;
|
||||
PCIE_MEDIATEK = yes;
|
||||
PCIE_MEDIATEK_GEN3 = yes;
|
||||
PCS_MTK_LYNXI = yes;
|
||||
PINCTRL_MTK = yes;
|
||||
PINCTRL_MT7986 = yes;
|
||||
PWM_MEDIATEK = yes;
|
||||
REGULATOR_MT6380 = yes;
|
||||
MT76_CORE = module;
|
||||
MT76_LEDS = yes;
|
||||
MT76_CONNAC_LIB = module;
|
||||
MT7815E = module;
|
||||
MT7915E = module;
|
||||
MT7986_WMAC = yes;
|
||||
SPI_MT65XX = yes;
|
||||
|
|
|
@ -50,7 +50,7 @@ let
|
|||
|
||||
dnatRuleMode = rule:
|
||||
if rule.mode != "" then rule.mode
|
||||
else if rule.target4.address or null == gatewayAddr4 || rule.target6.address or null == gatewayAddr6 then "rule"
|
||||
else if rule.target4.address or null == netAddresses.lan4 || rule.target6.address or null == netAddresses.lan6 then "rule"
|
||||
else "mark";
|
||||
|
||||
# nftables rules generator
|
||||
|
@ -179,31 +179,27 @@ let
|
|||
} // extraInetEntries);
|
||||
};
|
||||
|
||||
unbound-python = pkgs.python3.withPackages (ps: with ps; [ pydbus dnspython requests pytricia nftables ]);
|
||||
netAddressesWithPrefixLen = {
|
||||
lan4 = cfg.network;
|
||||
lan6 = cfg.network6;
|
||||
netns4 = cfg.netnsNet;
|
||||
netns6 = cfg.netnsNet6;
|
||||
};
|
||||
|
||||
# parse a.b.c.d/x into { address, prefixLength }
|
||||
netParsedCidr4 = router-lib.parseCidr cfg.network;
|
||||
netParsedCidr6 = router-lib.parseCidr cfg.network6;
|
||||
netnsParsedCidr4 = router-lib.parseCidr cfg.netnsNet;
|
||||
netnsParsedCidr6 = router-lib.parseCidr cfg.netnsNet6;
|
||||
netParsedCidrs = builtins.mapAttrs (_: router-lib.parseCidr) netAddressesWithPrefixLen;
|
||||
|
||||
# generate network cidr from device address
|
||||
# (normalizeCidr applies network mask to the address)
|
||||
netCidr4 = router-lib.serializeCidr (router-lib.normalizeCidr netParsedCidr4);
|
||||
netCidr6 = router-lib.serializeCidr (router-lib.normalizeCidr netParsedCidr6);
|
||||
netnsCidr4 = router-lib.serializeCidr (router-lib.normalizeCidr netnsParsedCidr4);
|
||||
netnsCidr6 = router-lib.serializeCidr (router-lib.normalizeCidr netnsParsedCidr6);
|
||||
netCidrs = builtins.mapAttrs (_: v: router-lib.serializeCidr (router-lib.normalizeCidr v)) netParsedCidrs;
|
||||
|
||||
gatewayAddr4 = netParsedCidr4.address;
|
||||
gatewayAddr6 = netParsedCidr6.address;
|
||||
mainNetnsAddr4 = netnsParsedCidr4.address;
|
||||
mainNetnsAddr6 = netnsParsedCidr6.address;
|
||||
netAddresses = builtins.mapAttrs (_: v: v.address) netParsedCidrs;
|
||||
|
||||
wanNetnsAddr4 = cfg.wanNetnsAddr;
|
||||
wanNetnsAddr6 = cfg.wanNetnsAddr6;
|
||||
|
||||
parsedGatewayAddr4 = router-lib.parseIp4 gatewayAddr4;
|
||||
parsedGatewayAddr6 = router-lib.parseIp6 gatewayAddr6;
|
||||
parsedGatewayAddr4 = router-lib.parseIp4 netAddresses.lan4;
|
||||
parsedGatewayAddr6 = router-lib.parseIp6 netAddresses.lan6;
|
||||
|
||||
addToIp' = ip: n: lib.init ip ++ [ (lib.last ip + n) ];
|
||||
addToIp = ip: n: router-lib.serializeIp (addToIp' ip n);
|
||||
|
@ -230,7 +226,7 @@ in {
|
|||
services.openssh.enable = true;
|
||||
services.fail2ban = {
|
||||
enable = true;
|
||||
ignoreIP = [ netCidr4 netCidr6 ];
|
||||
ignoreIP = [ netCidrs.lan4 netCidrs.lan6 ];
|
||||
maxretry = 10;
|
||||
};
|
||||
|
||||
|
@ -359,19 +355,19 @@ in {
|
|||
router.interfaces.br0 = {
|
||||
dependentServices = [ { service = "unbound"; bindType = "wants"; } ];
|
||||
ipv4.addresses = [ {
|
||||
address = gatewayAddr4;
|
||||
inherit (netParsedCidr4) prefixLength;
|
||||
dns = [ gatewayAddr4 ];
|
||||
address = netAddresses.lan4;
|
||||
inherit (netParsedCidrs.lan4) prefixLength;
|
||||
dns = [ netAddresses.lan4 ];
|
||||
keaSettings.reservations = map (res: {
|
||||
hw-address = res.macAddress;
|
||||
ip-address = res.ipAddress;
|
||||
}) cfg.dhcpReservations;
|
||||
} ];
|
||||
ipv6.addresses = [ {
|
||||
address = gatewayAddr6;
|
||||
inherit (netParsedCidr6) prefixLength;
|
||||
dns = [ gatewayAddr6 ];
|
||||
gateways = [ gatewayAddr6 ];
|
||||
address = netAddresses.lan6;
|
||||
inherit (netParsedCidrs.lan6) prefixLength;
|
||||
dns = [ netAddresses.lan6 ];
|
||||
gateways = [ netAddresses.lan6 ];
|
||||
radvdSettings.AdvAutonomous = true;
|
||||
coreradSettings.autonomous = true;
|
||||
# don't autoallocate addresses, keep autonomous ones
|
||||
|
@ -383,10 +379,10 @@ in {
|
|||
}) cfg.dhcp6Reservations;
|
||||
} ];
|
||||
ipv4.routes = [
|
||||
{ extraArgs = [ netCidr4 "dev" "br0" "proto" "kernel" "scope" "link" "src" gatewayAddr4 "table" wan_table ]; }
|
||||
{ extraArgs = [ netCidrs.lan4 "dev" "br0" "proto" "kernel" "scope" "link" "src" netAddresses.lan4 "table" wan_table ]; }
|
||||
];
|
||||
ipv6.routes = [
|
||||
{ extraArgs = [ netCidr6 "dev" "br0" "proto" "kernel" "metric" "256" "pref" "medium" "table" wan_table ]; }
|
||||
{ extraArgs = [ netCidrs.lan6 "dev" "br0" "proto" "kernel" "metric" "256" "pref" "medium" "table" wan_table ]; }
|
||||
];
|
||||
ipv4.kea.enable = true;
|
||||
ipv6.radvd.enable = true;
|
||||
|
@ -421,8 +417,8 @@ in {
|
|||
# things to note: this has the code for switching between rtables
|
||||
# otherwise, boring stuff
|
||||
nftables.jsonRules = mkRules {
|
||||
selfIp4 = gatewayAddr4;
|
||||
selfIp6 = gatewayAddr6;
|
||||
selfIp4 = netAddresses.lan4;
|
||||
selfIp6 = netAddresses.lan6;
|
||||
lans = [ "br0" ];
|
||||
wans = [ "wg0" "veth-wan-a" ];
|
||||
logPrefix = "lan ";
|
||||
|
@ -452,8 +448,8 @@ in {
|
|||
# allow dnat ("ct status dnat" doesn't work)
|
||||
];
|
||||
inetInboundWanRules = with notnft.dsl; with payload; [
|
||||
[(is.eq ip.saddr (cidr netnsCidr4)) accept]
|
||||
[(is.eq ip6.saddr (cidr netnsCidr6)) accept]
|
||||
[(is.eq ip.saddr (cidr netCidrs.netns4)) accept]
|
||||
[(is.eq ip6.saddr (cidr netCidrs.netns6)) accept]
|
||||
];
|
||||
extraInetEntries = with notnft.dsl; with payload; {
|
||||
block4 = add set { type = f: f.ipv4_addr; flags = f: with f; [ interval ]; } [
|
||||
|
@ -488,10 +484,10 @@ in {
|
|||
protocols = if rule.tcp && rule.udp then notnft.dsl.set [ tcp udp ] else if rule.tcp then tcp else udp;
|
||||
rule4 = rule.target4; rule6 = rule.target6;
|
||||
in with notnft.dsl; with payload;
|
||||
lib.optionals (rule4 != null && rule4.address != gatewayAddr4) [
|
||||
lib.optionals (rule4 != null) [
|
||||
[ (is.eq meta.iifname "br0") (is.eq ip.protocol protocols) (is.eq ip.saddr rule4.address)
|
||||
(is.eq th.sport (if rule4.port != null then rule4.port else rule.port)) (mangle meta.mark wan_table) ]
|
||||
] ++ lib.optionals (rule6 != null && rule6.address != gatewayAddr6) [
|
||||
] ++ lib.optionals (rule6 != null) [
|
||||
[ (is.eq meta.iifname "br0") (is.eq ip6.nexthdr protocols) (is.eq ip6.saddr rule6.address)
|
||||
(is.eq th.sport (if rule6.port != null then rule6.port else rule.port)) (mangle meta.mark wan_table) ]
|
||||
])
|
||||
|
@ -503,10 +499,10 @@ in {
|
|||
protocols = if rule.tcp && rule.udp then notnft.dsl.set [ tcp udp ] else if rule.tcp then tcp else udp;
|
||||
rule4 = rule.target4; rule6 = rule.target6;
|
||||
in with notnft.dsl; with payload;
|
||||
lib.optionals (rule4 != null && rule4.address != gatewayAddr4) [
|
||||
lib.optionals (rule4 != null) [
|
||||
[ (is ct.status (f: f.dnat)) (is.eq meta.iifname "br0") (is.eq ip.protocol protocols) (is.eq ip.saddr rule4.address)
|
||||
(is.eq th.sport (if rule4.port != null then rule4.port else rule.port)) (mangle meta.mark vpn_table) ]
|
||||
] ++ lib.optionals (rule6 != null && rule6.address != gatewayAddr6) [
|
||||
] ++ lib.optionals (rule6 != null) [
|
||||
[ (is ct.status (f: f.dnat)) (is.eq meta.iifname "br0") (is.eq ip6.protocol protocols) (is.eq ip6.saddr rule6.address)
|
||||
(is.eq th.sport (if rule6.port != null then rule6.port else rule.port)) (mangle meta.mark vpn_table) ]
|
||||
])
|
||||
|
@ -518,8 +514,8 @@ in {
|
|||
# instead of debugging that, simply change the approach
|
||||
# [(is.eq ip.saddr vacuumAddress4) (is.ne ip.daddr) (mangle meta.mark iot_table)]
|
||||
# [(is.eq ether.saddr cfg.vacuumMac) (mangle meta.mark iot_table)]
|
||||
[(is.eq ether.saddr cfg.vacuumMac) (is.ne ip.daddr (cidr netCidr4)) (is.ne ip.daddr "@allow_iot4") (log "iot4 ") drop]
|
||||
[(is.eq ether.saddr cfg.vacuumMac) (is.ne ip6.daddr (cidr netCidr6)) (is.ne ip6.daddr "@allow_iot6") (log "iot6 ") drop]
|
||||
[(is.eq ether.saddr cfg.vacuumMac) (is.ne ip.daddr (cidr netCidrs.lan4)) (is.ne ip.daddr "@allow_iot4") (log "iot4 ") drop]
|
||||
[(is.eq ether.saddr cfg.vacuumMac) (is.ne ip6.daddr (cidr netCidrs.lan6)) (is.ne ip6.daddr "@allow_iot6") (log "iot6 ") drop]
|
||||
[(mangle ct.mark meta.mark)]
|
||||
]);
|
||||
};
|
||||
|
@ -533,17 +529,17 @@ in {
|
|||
# (and vice versa)
|
||||
router.veths.veth-wan-a.peerName = "veth-wan-b";
|
||||
router.interfaces.veth-wan-a = {
|
||||
ipv4.addresses = [ netnsParsedCidr4 ];
|
||||
ipv6.addresses = [ netnsParsedCidr6 ];
|
||||
ipv4.addresses = [ netParsedCidrs.netns4 ];
|
||||
ipv6.addresses = [ netParsedCidrs.netns6 ];
|
||||
ipv4.routes = [
|
||||
# default config duplicated for wan_table
|
||||
{ extraArgs = [ netnsCidr4 "dev" "veth-wan-a" "proto" "kernel" "scope" "link" "src" mainNetnsAddr4 "table" wan_table ]; }
|
||||
{ extraArgs = [ netCidrs.netns4 "dev" "veth-wan-a" "proto" "kernel" "scope" "link" "src" netAddresses.netns4 "table" wan_table ]; }
|
||||
# default all traffic to wan in wan_table
|
||||
{ extraArgs = [ "default" "via" wanNetnsAddr4 "table" wan_table ]; }
|
||||
];
|
||||
ipv6.routes = [
|
||||
# default config duplicated for wan_table
|
||||
{ extraArgs = [ netnsCidr6 "dev" "veth-wan-a" "proto" "kernel" "metric" "256" "pref" "medium" "table" wan_table ]; }
|
||||
{ extraArgs = [ netCidrs.netns6 "dev" "veth-wan-a" "proto" "kernel" "metric" "256" "pref" "medium" "table" wan_table ]; }
|
||||
# default all traffic to wan in wan_table
|
||||
{ extraArgs = [ "default" "via" wanNetnsAddr6 "table" wan_table ]; }
|
||||
];
|
||||
|
@ -552,18 +548,18 @@ in {
|
|||
networkNamespace = "wan";
|
||||
ipv4.addresses = [ {
|
||||
address = wanNetnsAddr4;
|
||||
inherit (netnsParsedCidr4) prefixLength;
|
||||
inherit (netParsedCidrs.netns4) prefixLength;
|
||||
} ];
|
||||
ipv6.addresses = [ {
|
||||
address = wanNetnsAddr6;
|
||||
inherit (netnsParsedCidr6) prefixLength;
|
||||
inherit (netParsedCidrs.netns6) prefixLength;
|
||||
} ];
|
||||
# allow wan->default namespace communication
|
||||
ipv4.routes = [
|
||||
{ extraArgs = [ netCidr4 "via" mainNetnsAddr4 ]; }
|
||||
{ extraArgs = [ netCidrs.lan4 "via" netAddresses.netns4 ]; }
|
||||
];
|
||||
ipv6.routes = [
|
||||
{ extraArgs = [ netCidr6 "via" mainNetnsAddr6 ]; }
|
||||
{ extraArgs = [ netCidrs.lan6 "via" netAddresses.netns6 ]; }
|
||||
];
|
||||
};
|
||||
router.networkNamespaces.wan = {
|
||||
|
@ -600,10 +596,10 @@ in {
|
|||
protocols = if rule.tcp && rule.udp then notnft.dsl.set [ tcp udp ] else if rule.tcp then tcp else udp;
|
||||
rule4 = rule.target4; rule6 = rule.target6;
|
||||
in with notnft.dsl; with payload;
|
||||
lib.optionals (rule4 != null && rule4.address == gatewayAddr4) [
|
||||
lib.optionals (rule4 != null) [
|
||||
[ (is.eq meta.iifname "wan") (is.eq meta.oifname "veth-wan-b") (is.eq ip.protocol protocols)
|
||||
(is.eq th.dport (if rule4.port != null then rule4.port else rule.port)) (is.eq ip.daddr rule4.address) masquerade ]
|
||||
] ++ lib.optionals (rule6 != null && rule6.address == gatewayAddr6) [
|
||||
] ++ lib.optionals (rule6 != null) [
|
||||
[ (is.eq meta.iifname "wan") (is.eq meta.oifname "veth-wan-b") (is.eq ip6.nexthdr protocols)
|
||||
(is.eq th.dport (if rule6.port != null then rule6.port else rule.port)) (is.eq ip6.daddr rule6.address) masquerade ]
|
||||
])
|
||||
|
@ -637,7 +633,7 @@ in {
|
|||
# use main netns's address instead of 127.0.0.1
|
||||
# this ensures all network namespaces can access it
|
||||
networking.resolvconf.extraConfig = ''
|
||||
name_servers="${mainNetnsAddr4} ${mainNetnsAddr6}"
|
||||
name_servers="${netAddresses.netns4} ${netAddresses.netns6}"
|
||||
'';
|
||||
users.users.${config.common.mainUsername}.extraGroups = [ config.services.unbound.group ];
|
||||
services.unbound = {
|
||||
|
@ -645,15 +641,15 @@ in {
|
|||
package = pkgs.unbound-with-systemd.override {
|
||||
stdenv = pkgs.ccacheStdenv;
|
||||
withPythonModule = true;
|
||||
python = unbound-python;
|
||||
python = pkgs.python3;
|
||||
};
|
||||
localControlSocketPath = "/run/unbound/unbound.ctl";
|
||||
# we override resolvconf above manually
|
||||
resolveLocalQueries = false;
|
||||
settings = {
|
||||
server = {
|
||||
interface = [ mainNetnsAddr4 mainNetnsAddr6 gatewayAddr4 gatewayAddr6 ];
|
||||
access-control = [ "${netnsCidr4} allow" "${netnsCidr6} allow" "${netCidr4} allow" "${netCidr6} allow" ];
|
||||
interface = [ netAddresses.netns4 netAddresses.netns6 netAddresses.lan4 netAddresses.lan6 ];
|
||||
access-control = [ "${netCidrs.netns4} allow" "${netCidrs.netns6} allow" "${netCidrs.lan4} allow" "${netCidrs.lan6} allow" ];
|
||||
aggressive-nsec = true;
|
||||
do-ip6 = true;
|
||||
module-config = ''"validator python iterator"'';
|
||||
|
@ -682,7 +678,10 @@ in {
|
|||
networking.hosts."${serverAddress4}" = hosted-domains;
|
||||
networking.hosts."${serverAddress6}" = hosted-domains;
|
||||
systemd.services.unbound = lib.mkIf config.services.unbound.enable {
|
||||
environment.PYTHONPATH = "${unbound-python}/${unbound-python.sitePackages}";
|
||||
environment.PYTHONPATH = let
|
||||
unbound-python = pkgs.python3.withPackages (ps: with ps; [ pydbus dnspython requests pytricia nftables ]);
|
||||
in
|
||||
"${unbound-python}/${unbound-python.sitePackages}";
|
||||
environment.MDNS_ACCEPT_NAMES = "^.*\\.local\\.$";
|
||||
# load vpn_domains.json and vpn_ips.json, as well as unvpn_domains.json and unvpn_ips.json
|
||||
# resolve domains and append it to ips and add it to the nftables sets
|
||||
|
@ -738,7 +737,7 @@ in {
|
|||
|
||||
services.printing = {
|
||||
enable = true;
|
||||
allowFrom = [ "localhost" netCidr4 netCidr6 ];
|
||||
allowFrom = [ "localhost" netCidrs.lan4 netCidrs.lan6 ];
|
||||
browsing = true;
|
||||
clientConf = ''
|
||||
ServerName router.local
|
||||
|
@ -761,6 +760,11 @@ in {
|
|||
};
|
||||
};
|
||||
|
||||
services.iperf3 = {
|
||||
enable = true;
|
||||
bind = netAddresses.lan4;
|
||||
};
|
||||
|
||||
# it takes a stupidly long time when done via qemu
|
||||
# (also it's supposed to be disabled by default but it was enabled for me, why?)
|
||||
documentation.man.generateCaches = false;
|
||||
|
|
Loading…
Reference in a new issue