-rw-r--r--common.nix2
-rw-r--r--hosts/kay/configuration.nix1
-rw-r--r--hosts/kay/modules/network.nix63
-rw-r--r--hosts/kay/modules/router.nix42
-rw-r--r--hosts/kay/secrets.yaml26
5 files changed, 133 insertions, 1 deletions
diff --git a/common.nix b/common.nix
index 3517182..6d6b8f1 100644
--- a/common.nix
+++ b/common.nix
@@ -84,7 +84,7 @@ in
# sops
sops = {
- defaultSopsFile = "./${host}/secrets.yaml";
+ defaultSopsFile = ./hosts/${host}/secrets.yaml;
age.keyFile = "/var/secrets/sops-nix/key.txt";
};
diff --git a/hosts/kay/configuration.nix b/hosts/kay/configuration.nix
index 11b99d9..99d52bc 100644
--- a/hosts/kay/configuration.nix
+++ b/hosts/kay/configuration.nix
@@ -3,6 +3,7 @@
{
imports = [
./hardware-configuration.nix
+ ./modules/network.nix
../../common.nix
];
diff --git a/hosts/kay/modules/network.nix b/hosts/kay/modules/network.nix
new file mode 100644
index 0000000..9ef8ee6
--- /dev/null
+++ b/hosts/kay/modules/network.nix
@@ -0,0 +1,63 @@
+{ config, pkgs, ... }:
+
+let
+ inetVlan = 722;
+ wanInterface = "enp4s0";
+ domain = config.userdata.domain;
+ nameServer = "1.0.0.1";
+in
+{
+ imports = [ ./router.nix ];
+
+ sops.secrets = {
+ "ppp/chap-secrets" = {};
+ "ppp/pap-secrets" = {};
+ "ppp/username" = {};
+ "misc/namecheap.com" = {};
+ };
+
+ networking = {
+ enableIPv6 = false;
+ vlans.wan = {
+ id = inetVlan;
+ interface = wanInterface;
+ };
+ };
+
+ services = {
+ dnsmasq = {
+ enable = true;
+ settings.server = [ nameServer ];
+ };
+ pppd = {
+ secret = {
+ chap = config.sops.secrets."ppp/chap-secrets".path;
+ pap = config.sops.secrets."ppp/pap-secrets".path;
+ };
+ enable = true;
+ config = ''
+ plugin pppoe.so
+ nic-wan
+ defaultroute
+ noauth
+ '';
+ script."01-ddns" = {
+ runtimeInputs = with pkgs; [ curl coreutils ];
+ text = ''
+ wan_ip="$4"
+ api_key="$(cat ${config.sops.secrets."misc/namecheap.com".path})"
+ auth_url="https://dynamicdns.park-your-domain.com/update?host=@&domain=${domain}&password=''${api_key}&ip="
+
+ until curl --silent "$auth_url$wan_ip"; do
+ sleep 5
+ done
+ '';
+ };
+ peers.bsnl = {
+ enable = true;
+ autostart = true;
+ configFile = config.sops.secrets."ppp/username".path;
+ };
+ };
+ };
+}
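Review bot: In the `01-ddns` hook the API key read on the `api_key="$(cat …)"` line is baked into `auth_url` and then handed to curl as a command-line argument, so the secret is visible in the process argument list to every local user for as long as the request runs; `--config -` keeps it in the script's environment instead. `curl --silent` without `--fail` also returns 0 on an HTTP error response, so the `until` loop stops after a rejected update, and with no cap on retries the hook can spin indefinitely if the endpoint is unreachable (whether that blocks pppd's ip-up depends on how the hook is invoked, which this hunk does not show). Suggested replacement for the loop head, plus a bounded attempt counter around it: `until printf 'url = "%s%s"\n' "$auth_url" "$wan_ip" | curl --silent --fail --max-time 30 --config -; do`. Note that the provider's update endpoint may still report failures in a 200 body, so checking the response text would be the more reliable success test.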
diff --git a/hosts/kay/modules/router.nix b/hosts/kay/modules/router.nix
new file mode 100644
index 0000000..c33fff2
--- /dev/null
+++ b/hosts/kay/modules/router.nix
@@ -0,0 +1,42 @@
+{ ... }:
+
+let
+ lanInterface = "enp4s0";
+ wanInterface = "ppp0";
+ subnet = "10.0.0.0";
+ prefix = 24;
+ host = "10.0.0.1";
+ leaseRangeStart = "10.0.0.100";
+ leaseRangeEnd = "10.0.0.240";
+in
+{
+ networking = {
+ nat.enable = true;
+ useDHCP = false;
+ interfaces."${lanInterface}" = {
+ ipv4.addresses = [{
+ address = host;
+ prefixLength = prefix;
+ }];
+ };
+ firewall = {
+ extraCommands = ''
+ # nat datagrams comming through lanInterface to wanInterface
+ iptables -t nat -I POSTROUTING 1 -s ${subnet}/${toString prefix} -o ${wanInterface} -j MASQUERADE
+
+ # allow all traffic on lanInterface interface
+ iptables -I INPUT 1 -i ${lanInterface} -j ACCEPT
+
+ # forward rules
+ iptables -I FORWARD 1 -i ${lanInterface} -o ${lanInterface} -j ACCEPT
+ iptables -I FORWARD 1 -i ${wanInterface} -o ${lanInterface} -j ACCEPT
+ iptables -I FORWARD 1 -i ${lanInterface} -o ${wanInterface} -j ACCEPT
+ '';
+ };
+ };
+
+ services.dnsmasq.settings = {
+ dhcp-range = [ "${leaseRangeStart},${leaseRangeEnd}" ];
+ interface = lanInterface;
+ };
+}
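Review bot: The `iptables -I FORWARD 1 -i ${wanInterface} -o ${lanInterface} -j ACCEPT` rule forwards every packet arriving on ppp0 toward the LAN with no connection-state match, so anything the upstream delivers for 10.0.0.0/24 is passed straight through rather than only replies to outbound connections; `iptables -I FORWARD 1 -i ${wanInterface} -o ${lanInterface} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` is the usual form. Because these rules are inserted with `-I` from `extraCommands` and nothing removes them, each firewall reload appears to add another copy of all five rules; the matching `iptables -D …` lines belong in `networking.firewall.extraStopCommands`, or the hand-written rules can be dropped in favour of `networking.nat.externalInterface`/`internalInterfaces` for the masquerade and `networking.firewall.trustedInterfaces = [ lanInterface ]` for the INPUT accept, which the module manages across reloads. The `-I INPUT 1 -i ${lanInterface} -j ACCEPT` line also bypasses the NixOS `nixos-fw` chain entirely for LAN traffic, which is what `trustedInterfaces` expresses declaratively. A comment above the rules naming the intended trust model (LAN fully trusted, WAN replies only) would make the policy reviewable without reading iptables syntax.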
diff --git a/hosts/kay/secrets.yaml b/hosts/kay/secrets.yaml
new file mode 100644
index 0000000..9db62ac
--- /dev/null
+++ b/hosts/kay/secrets.yaml
@@ -0,0 +1,26 @@
+ppp:
+ chap-secrets: ENC[AES256_GCM,data:4POH1o4VOKg0ZGYOZ+gIZJGlSxaRq101zMjjp/+BSlmZAz+cOc9+Kw==,iv:IC1Ii+rnTvFa0F2bi0fnEAEO7XWV7Wues9T+28bhDnc=,tag:Yatte1K8N3rrTFppc0p7Qw==,type:str]
+ pap-secrets: ENC[AES256_GCM,data:K92+nAzZtBEUijXUq26eidWNJL38VvoCx8PlCtWxxgAcZCA/CW1DVg==,iv:4kNHSZ3+FMA9ROLEgrU38IWd+MBt+vf8CV3WGHkRCCc=,tag:YLiRrrCiymVOCcVzs+AVFw==,type:str]
+ username: ENC[AES256_GCM,data:Xa6wBxpAtaKwsbEeudVvkpsX6CPG8E3Aku1zTi0o6Kdy9Q==,iv:yTRruKpMda4N2J3Z8MEesrFxqV4g1usbYoxTeKlWf4M=,tag:gTsn7HzgE3tHTIo2MVN12g==,type:str]
+misc:
+ namecheap.com: ENC[AES256_GCM,data:8sN1/APumZDclTAeYEy4nidGbvooDK6Us0yOZBbG4oU=,iv:WGof33ezbBpFmnWTWS9gzDayJpz2BVMTPsShYY+nuXY=,tag:ky/ucGEHWBtWwGcwK+1nhw==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1hngjn65pvc8458z5uxz6qjktp45fp8s8jqxgqklsndkdp0s26gtqdxqazm
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2cGZsN2RDSVRhSUpHdUto
+ WU1UVHZ5NEcxelgvZWQyYlUzaURVM3MvOEhvCi9CaEowWlp1Y3prZ1hUaTV6T01P
+ T3Z3LzliTjV1SVQ5MC9maG5oK2xTczQKLS0tIEFXOEo2WWwydjJQd0Z3a3hFN1oy
+ bUY4eisvWDIxdWplQjlod0hIcjVGNlUKYkA9hUTHuWgST3UUr7ACtmgC9s5SGEAp
+ ker5KUGGi1fHgGlsPKHmnJSvikkVFlOVAhVa8R6X02l8FJf0lcjOYA==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2023-09-08T16:51:01Z"
+ mac: ENC[AES256_GCM,data:lW4EoZAjHH5L1++ravYUAkWLRtHMpmL6qWlEUM7xmDZzM9FzCILi9SglNaht72j3I83//7CWfMWftvhIzgy1wiGorLdQEz/jsf7fM1tGpNVyg8DOO2NCT5QWESQjDdjE+74tloG20Jbs0VHoGxHFarLNSc4qe0V8nSgjtnurlj4=,iv:akj2kcf6YuoOyA5CEFF6X2+e2OHyXrCzJ15IFD9z/DY=,tag:26ldQCKhCWjtEZUAYCStuQ==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.7.3