feat: prep work for vyos->nixos

Signed-off-by: Anthony Rabbito <[email protected]>
anthr76 · Apr 27, 2024 · e682807 · e682807
1 parent 35222f8
commit e682807
Show file tree

Hide file tree

Showing 6 changed files with 307 additions and 0 deletions.
diff --git a/flake.nix b/flake.nix
@@ -74,6 +74,12 @@
             ./nixos/hosts/f80.nwk3.rabbito.tech
           ];
         };
+        "fw1.nwk3.rabbito.tech" = lib.nixosSystem {
+          specialArgs = { inherit inputs outputs; };
+          modules = [
+            ./nixos/hosts/fw1.nwk3.rabbito.tech
+          ];
+        };
       };
       homeConfigurations = {
         "[email protected]" = lib.homeManagerConfiguration {

diff --git a/nixos/hosts/fw1.nwk3.rabbito.tech/default.nix b/nixos/hosts/fw1.nwk3.rabbito.tech/default.nix
@@ -0,0 +1,134 @@
+{ lib, inputs, ... }:
+{
+  imports = [
+    ../../personalities/server/router.nix
+    ./disks.nix
+    inputs.disko.nixosModules.disko
+  ];
+  networking.hostName = "fw1";
+  system.stateVersion = "23.11";
+  nixpkgs.hostPlatform = "x86_64-linux";
+  services.udev.extraRules = ''
+    SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="00:e0:67:26:40:d9", NAME="lan"
+    SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="00:e0:67:26:40:d8", NAME="wan"
+  '';
+
+  networking.interfaces = {
+    vlan8 = { ipv4 = { addresses = [{ address = "192.168.17.1"; prefixLength = 24; }]; }; };
+    vlan10 = { ipv4 = { addresses = [{ address = "192.168.16.1"; prefixLength = 24; }]; }; };
+    vlan99 = { ipv4 = { addresses = [{ address = "10.40.99.1"; prefixLength = 24; }]; }; };
+    vlan100 = { ipv4 = { addresses = [{ address = "192.168.14.1"; prefixLength = 24; }]; }; };
+    vlan101 = { ipv4 = { addresses = [{ address = "192.168.13.1"; prefixLength = 24; }]; }; };
+  };
+  services.kea.dhcp4 = {
+    settings = {
+      interfaces-config = {
+        interfaces = [
+          "vlan8/192.168.17.1"
+          "vlan10/192.168.16.1"
+          "vlan99/10.40.99.1"
+          "vlan100/192.168.14.1"
+          "vlan101/192.168.13.1"
+        ];
+      };
+      option-data = [
+        {
+          name = "domain-name-servers";
+          data = "10.40.99.1";
+        }
+      ];
+      subnet4 = [
+        {
+          pools = [
+            {
+              pool = "192.168.17 - 192.168.17.240";
+            }
+          ];
+          subnet = "192.168.17.0/24";
+        }
+        {
+          pools = [
+            {
+              pool = "192.168.16.100 - 192.168.16.240";
+            }
+          ];
+          subnet = "192.168.16.0/24";
+        }
+        {
+          pools = [
+            {
+              pool = "10.49.99.100 - 10.49.99.240";
+            }
+          ];
+          subnet = "10.49.99.0/24";
+        }
+        {
+          pools = [
+            {
+              pool = "192.168.14.100 - 192.168.14.240";
+            }
+          ];
+          subnet = "192.168.14.0/24";
+        }
+        {
+          pools = [
+            {
+              pool = "192.168.13.100 - 192.168.13.240";
+            }
+          ];
+          subnet = "192.168.13.0/24";
+        }
+      ];
+      valid-lifetime = 4000;
+    };
+  };
+  services.coredns = {
+    config = ''
+      (common) {
+        log error
+        reload
+        loop
+        loadbalance
+        cache
+        local
+        prometheus 0.0.0.0:9153
+        ready
+        hosts {
+          fallthrough
+          ttl 1
+          reload 300ms
+        }
+        template ANY ANY {
+          match (?:^|\.)(?:deviceenrollment|mdmenrollment|iprofiles|wifi)?\.(?:.{1,3})+
+          rcode NXDOMAIN
+          fallthrough
+        }
+      }
+
+
+      .:53 {
+        import common
+        forward . tls://1.1.1.1 tls://1.0.0.1 {
+          tls_servername cloudflare-dns.com
+        }
+        health {
+          lameduck 5s
+        }
+      }
+
+      nwk3.rabbito.tech:53 {
+        import common
+      }
+      nwk2.rabbito.tech:53 {
+        forward . 10.6.0.7 10.6.0.8
+      }
+      scr1.rabbito.tech:53 {
+        forward . 10.5.0.7 10.5.0.8
+      }
+      kutara.io:53 {
+        forward . 10.5.0.7 10.5.0.8
+      }
+
+    '';
+  };
+}
diff --git a/nixos/hosts/fw1.nwk3.rabbito.tech/disks.nix b/nixos/hosts/fw1.nwk3.rabbito.tech/disks.nix
@@ -0,0 +1,62 @@
+{
+  disko.devices = {
+    disk = {
+      main = {
+        type = "disk";
+        device =
+          "/dev/disk/by-id/nvme-Sabrent_Rocket_4.0_500GB_03F10711184419353987";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              priority = 1;
+              name = "ESP";
+              start = "1M";
+              end = "4096M";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+              };
+            };
+            root = {
+              size = "100%";
+              content = {
+                type = "btrfs";
+                extraArgs = [ "-f" ];
+                subvolumes = {
+                  "/rootfs" = { mountpoint = "/"; };
+                  "/home" = { mountpoint = "/home"; };
+                  "/nix" = {
+                    mountOptions = [ "compress=zstd" "noatime" ];
+                    mountpoint = "/nix";
+                  };
+                };
+                mountpoint = "/partition-root";
+              };
+            };
+          };
+        };
+      };
+      data = {
+        type = "disk";
+        device = "/dev/disk/by-id/nvme-WD_BLACK_SN850X_4000GB_23410U801207";
+        content = {
+          type = "gpt";
+          partitions = {
+            data = {
+              size = "100%";
+              content = {
+                type = "btrfs";
+                extraArgs = [ "-f" ];
+                subvolumes = { "/data" = { mountpoint = "/data"; }; };
+                mountpoint = "/partition-data";
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}
diff --git a/nixos/hosts/fw1.nwk3.rabbito.tech/ssh_host_ed25519_key.pub b/nixos/hosts/fw1.nwk3.rabbito.tech/ssh_host_ed25519_key.pub
@@ -0,0 +1 @@
+TODO
diff --git a/nixos/personalities/base/nix.nix b/nixos/personalities/base/nix.nix
@@ -68,4 +68,13 @@
       ${pkgs.nvd}/bin/nvd --nix-bin-dir=${pkgs.nix}/bin diff /run/current-system "$systemConfig"
     '';
   };
+  # For nixos-rebuild build-vm
+  virtualisation.vmVariant = {
+      virtualisation.sharedDirectories = {
+          keys = {
+              source = "/etc/ssh";
+              target = "/etc/ssh";
+          };
+      };
+  };
 }
diff --git a/nixos/personalities/server/router.nix b/nixos/personalities/server/router.nix
@@ -0,0 +1,95 @@
+{ inputs, config, pkgs, ... }:
+{
+ imports = [
+   ./default.nix
+  #  ./tailscale.nix
+   ../base
+ ];
+
+  boot = {
+    kernel = {
+      sysctl = {
+        "net.ipv4.conf.all.forwarding" = true;
+        "net.ipv6.conf.all.forwarding" = true;
+        "net.ipv6.conf.all.accept_ra" = 0;
+        "net.ipv6.conf.all.autoconf" = 0;
+        "net.ipv6.conf.all.use_tempaddr" = 0;
+        "net.ipv6.conf.wan.accept_ra" = 2;
+        "net.ipv6.conf.wan.autoconf" = 1;
+        "net.core.default_qdisc" = "fq";
+        "net.ipv4.tcp_congestion_control" = "bbr";
+      };
+    };
+  };
+  networking.nat = {
+    enable = true;
+    internalInterfaces = [
+      "vlan8"
+      "vlan10"
+      "vlan100"
+      "vlan101"
+    ];
+    externalInterface = "wan";
+  };
+  networking.interfaces = {
+    wan = {
+      useDHCP = true;
+    };
+    lan = {
+      ipv4.addresses = [{
+        address = "192.168.1.1";
+        prefixLength = 24;
+      }];
+    };
+  };
+  networking.vlans = {
+    vlan8 = { id=8; interface="lan"; };
+    vlan10 = { id=10; interface="lan"; };
+    vlan99 = { id=99; interface="lan"; };
+    vlan100 = { id=100; interface="lan"; };
+    vlan101 = { id=101; interface="lan"; };
+  };
+  networking.firewall = {
+    enable = true;
+    trustedInterfaces = [ "tailscale0" "vlan8" "vlan10" "vlan99" "vlan100" ];
+    interfaces = {
+      wan = {
+        allowedTCPPorts = [
+          22
+        ];
+        allowedUDPPorts = [
+          # Wireguard
+          51820
+        ];
+      };
+    };
+  };
+  services.kea.dhcp4 = {
+    enable = true;
+    settings = {
+      lease-database = {
+        name = "/var/lib/kea/dhcp4.leases";
+        persist = true;
+        type = "memfile";
+      };
+      rebind-timer = 2000;
+      renew-timer = 1000;
+      valid-lifetime = 4000;
+    };
+  };
+  services.coredns = {
+    enable = true;
+    # TODO: Move to overlay to disable check
+    # package = pkgs.coredns.override {
+    #   doCheck = false;
+    #   externalPlugins = [
+    #     {
+    #       name = "k8s_gateway";
+    #       repo = "github.com/ori-edge/k8s_gateway";
+    #       version = "3645f683ae8ccebf8eae21d675874d8f8f7b54fa";
+    #     }
+    #   ];
+    #   vendorHash = "sha256-Szj2uaml4qEXQPnXbhzJ2AmLpAHtYL123vSb0nSJFfw=";
+    # };
+  };
+}