From b3a714f295aa620c95a89688fad6d69835b2f100 Mon Sep 17 00:00:00 2001
From: sinanmohd <sinan@sinanmohd.com>
Date: Fri, 8 Sep 2023 19:58:22 +0530
Subject: hosts/cez: init modules/network

---
 hosts/kay/modules/network.nix | 63 +++++++++++++++++++++++++++++++++++++++++++
 hosts/kay/modules/router.nix  | 42 +++++++++++++++++++++++++++++
 2 files changed, 105 insertions(+)
 create mode 100644 hosts/kay/modules/network.nix
 create mode 100644 hosts/kay/modules/router.nix


diff --git a/hosts/kay/modules/network.nix b/hosts/kay/modules/network.nix
new file mode 100644
index 0000000..9ef8ee6
--- /dev/null
+++ b/hosts/kay/modules/network.nix
@@ -0,0 +1,63 @@
+{ config, pkgs, ... }:
+
+let
+  inetVlan = 722;
+  wanInterface = "enp4s0";
+  domain = config.userdata.domain;
+  nameServer = "1.0.0.1";
+in
+{
+  imports = [ ./router.nix ];
+
+  sops.secrets = {
+    "ppp/chap-secrets" = {};
+    "ppp/pap-secrets" = {};
+    "ppp/username" = {};
+    "misc/namecheap.com" = {};
+  };
+
+  networking = {
+    enableIPv6 = false;
+    vlans.wan = {
+      id = inetVlan;
+      interface = wanInterface;
+    };
+  };
+
+  services = {
+    dnsmasq = {
+      enable = true;
+      settings.server = [ nameServer ];
+    };
+    pppd = {
+      secret = {
+        chap = config.sops.secrets."ppp/chap-secrets".path;
+        pap = config.sops.secrets."ppp/pap-secrets".path;
+      };
+      enable = true;
+      config = ''
+        plugin pppoe.so
+        nic-wan
+        defaultroute
+        noauth
+      '';
+      script."01-ddns" = {
+      runtimeInputs = with pkgs; [ curl coreutils ];
+      text = ''
+        wan_ip="$4"
+        api_key="$(cat ${config.sops.secrets."misc/namecheap.com".path})"
+        auth_url="https://dynamicdns.park-your-domain.com/update?host=@&domain=${domain}&password=''${api_key}&ip="
+
+        until curl --silent "$auth_url$wan_ip"; do
+            sleep 5
+        done
+      '';
+      };
+      peers.bsnl = {
+        enable = true;
+        autostart = true;
+        configFile = config.sops.secrets."ppp/username".path;
+      };
+    };
+  };
+}
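Review bot: In the `01-ddns` script the `until curl --silent "$auth_url$wan_ip"` line places the Namecheap dynamic-DNS password (`api_key`, read from the sops secret just above) into curl's argv, where other local users can read it from the process list for as long as the request runs, and the loop keeps re-running it every 5 s until it succeeds. Feeding the URL on stdin keeps it out of argv, `--fail` turns HTTP errors into retries instead of letting `--silent` hide them, and `--max-time` bounds a hung connection so the loop can actually retry: `until printf 'url = "%s%s"\n' "$auth_url" "$wan_ip" | curl --silent --fail --max-time 30 --config -; do`. Even then, I believe this endpoint reports failures in its response body rather than the status code, so the loop only confirms that a request went through, not that the record was updated; a comment saying so above the loop would help. The `script."01-ddns"` body is also indented one level short of its enclosing braces compared with the rest of the file.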
diff --git a/hosts/kay/modules/router.nix b/hosts/kay/modules/router.nix
new file mode 100644
index 0000000..c33fff2
--- /dev/null
+++ b/hosts/kay/modules/router.nix
@@ -0,0 +1,42 @@
+{ ... }:
+
+let
+  lanInterface = "enp4s0";
+  wanInterface = "ppp0";
+  subnet = "10.0.0.0";
+  prefix = 24;
+  host = "10.0.0.1";
+  leaseRangeStart = "10.0.0.100";
+  leaseRangeEnd = "10.0.0.240";
+in
+{
+  networking = {
+    nat.enable = true;
+    useDHCP = false;
+    interfaces."${lanInterface}" = {
+      ipv4.addresses = [{ 
+        address = host;
+        prefixLength  = prefix;
+      }];
+    };
+    firewall = {
+      extraCommands = ''
+        # nat datagrams comming through lanInterface to wanInterface
+        iptables -t nat -I POSTROUTING 1 -s ${subnet}/${toString prefix} -o ${wanInterface} -j MASQUERADE
+
+        # allow all traffic on lanInterface interface
+        iptables -I INPUT 1 -i ${lanInterface} -j ACCEPT
+
+        # forward rules
+        iptables -I FORWARD 1 -i ${lanInterface} -o ${lanInterface} -j ACCEPT
+        iptables -I FORWARD 1 -i ${wanInterface} -o ${lanInterface} -j ACCEPT
+        iptables -I FORWARD 1 -i ${lanInterface} -o ${wanInterface} -j ACCEPT
+      '';
+    };
+  };
+
+  services.dnsmasq.settings = {
+    dhcp-range = [ "${leaseRangeStart},${leaseRangeEnd}" ];
+    interface = lanInterface;
+  };
+}
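Review bot: The rule `iptables -I FORWARD 1 -i ${wanInterface} -o ${lanInterface} -j ACCEPT` accepts every packet arriving on ppp0 that is routed toward the LAN, not just replies to connections the LAN opened, so whatever upstream happens to route toward 10.0.0.0/24 reaches LAN hosts directly instead of being dropped; the customary form is `iptables -I FORWARD 1 -i ${wanInterface} -o ${lanInterface} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT`. Since `extraCommands` runs on every firewall start and these `-I` rules go into the built-in chains rather than the NixOS-managed ones, I believe they will accumulate across reloads unless matching `-D` lines are added under `networking.firewall.extraStopCommands`. `lanInterface` here is the same `enp4s0` that `network.nix` uses as the parent of the tagged `wan` VLAN, which is presumably intentional (untagged LAN and tagged WAN on one NIC) but deserves a comment because the two files assign the same NIC opposite roles. The NAT comment also misspells "coming".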
-- 