Diffstat (limited to 'hosts/kay/modules')
| -rw-r--r-- | hosts/kay/modules/network.nix | 63 | ||||
| -rw-r--r-- | hosts/kay/modules/router.nix | 42 | 
2 files changed, 105 insertions, 0 deletions
diff --git a/hosts/kay/modules/network.nix b/hosts/kay/modules/network.nix
new file mode 100644
index 0000000..9ef8ee6
--- /dev/null
+++ b/hosts/kay/modules/network.nix
@@ -0,0 +1,63 @@
+{ config, pkgs, ... }:
+
+let
+  inetVlan = 722;
+  wanInterface = "enp4s0";
+  domain = config.userdata.domain;
+  nameServer = "1.0.0.1";
+in
+{
+  imports = [ ./router.nix ];
+
+  sops.secrets = {
+    "ppp/chap-secrets" = {};
+    "ppp/pap-secrets" = {};
+    "ppp/username" = {};
+    "misc/namecheap.com" = {};
+  };
+
+  networking = {
+    enableIPv6 = false;
+    vlans.wan = {
+      id = inetVlan;
+      interface = wanInterface;
+    };
+  };
+
+  services = {
+    dnsmasq = {
+      enable = true;
+      settings.server = [ nameServer ];
+    };
+    pppd = {
+      secret = {
+        chap = config.sops.secrets."ppp/chap-secrets".path;
+        pap = config.sops.secrets."ppp/pap-secrets".path;
+      };
+      enable = true;
+      config = ''
+        plugin pppoe.so
+        nic-wan
+        defaultroute
+        noauth
+      '';
+      script."01-ddns" = {
+      runtimeInputs = with pkgs; [ curl coreutils ];
+      text = ''
+        wan_ip="$4"
+        api_key="$(cat ${config.sops.secrets."misc/namecheap.com".path})"
+        auth_url="https://dynamicdns.park-your-domain.com/update?host=@&domain=${domain}&password=''${api_key}&ip="
+
+        until curl --silent "$auth_url$wan_ip"; do
+            sleep 5
+        done
+      '';
+      };
+      peers.bsnl = {
+        enable = true;
+        autostart = true;
+        configFile = config.sops.secrets."ppp/username".path;
+      };
+    };
+  };
+}
diff --git a/hosts/kay/modules/router.nix b/hosts/kay/modules/router.nix
new file mode 100644
index 0000000..c33fff2
--- /dev/null
+++ b/hosts/kay/modules/router.nix 
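Review bot: In the `01-ddns` script the `until curl --silent "$auth_url$wan_ip"` loop only retries on a transport failure: curl exits 0 for any HTTP response, including an error status, so a rejected update ends the loop as though it had succeeded; add `--fail` so HTTP errors keep it retrying, and consider bounding the retries so a persistently rejected key does not loop every 5 s for the lifetime of the link. The API key is also interpolated into the URL, which puts it on curl's command line where it is typically readable from the process list by other local users; feeding the URL to curl as a config file on stdin keeps it out of argv, e.g. `until printf 'url = "%s"\n' "$auth_url$wan_ip" | curl --silent --fail --config -; do`. Separately, `runtimeInputs` and `text` sit at the same column as `script."01-ddns" = {` rather than one level deeper, which reads as if they belonged to `pppd` directly.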
@@ -0,0 +1,42 @@
+{ ... }:
+
+let
+  lanInterface = "enp4s0";
+  wanInterface = "ppp0";
+  subnet = "10.0.0.0";
+  prefix = 24;
+  host = "10.0.0.1";
+  leaseRangeStart = "10.0.0.100";
+  leaseRangeEnd = "10.0.0.240";
+in
+{
+  networking = {
+    nat.enable = true;
+    useDHCP = false;
+    interfaces."${lanInterface}" = {
+      ipv4.addresses = [{ 
+        address = host;
+        prefixLength  = prefix;
+      }];
+    };
+    firewall = {
+      extraCommands = ''
+        # nat datagrams comming through lanInterface to wanInterface
+        iptables -t nat -I POSTROUTING 1 -s ${subnet}/${toString prefix} -o ${wanInterface} -j MASQUERADE
+
+        # allow all traffic on lanInterface interface
+        iptables -I INPUT 1 -i ${lanInterface} -j ACCEPT
+
+        # forward rules
+        iptables -I FORWARD 1 -i ${lanInterface} -o ${lanInterface} -j ACCEPT
+        iptables -I FORWARD 1 -i ${wanInterface} -o ${lanInterface} -j ACCEPT
+        iptables -I FORWARD 1 -i ${lanInterface} -o ${wanInterface} -j ACCEPT
+      '';
+    };
+  };
+
+  services.dnsmasq.settings = {
+    dhcp-range = [ "${leaseRangeStart},${leaseRangeEnd}" ];
+    interface = lanInterface;
+  };
+}  | 
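Review bot: The forward rule `iptables -I FORWARD 1 -i ${wanInterface} -o ${lanInterface} -j ACCEPT` accepts every packet arriving on ppp0 that is destined for the LAN, not only replies to connections the LAN initiated, so anything the upstream hop delivers for a 10.0.0.0/24 destination is forwarded without a conntrack check; the usual shape restricts it to return traffic, `iptables -I FORWARD 1 -i ${wanInterface} -o ${lanInterface} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT`. Note too that `lanInterface` is `enp4s0`, the same NIC network.nix uses as the VLAN parent for the WAN (`vlans.wan.interface = "enp4s0"`): `iptables -I INPUT 1 -i enp4s0 -j ACCEPT` then trusts every untagged frame on that port, which is only safe if the untagged side of that link is genuinely the LAN segment rather than the ISP-facing medium, and a comment stating the intended topology would make that assumption explicit. Minor: the first comment in `extraCommands` spells `comming`.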
