osmium/networking: init
This commit is contained in:
parent
0c29d4c6fc
commit
750625dfb7
SSH key fingerprint:
SHA256:UU5pRTl7NiLFJbWJZa+snLylZSXIz5rgHmwjzv8v4oE
1 changed files with 51 additions and 9 deletions
|
|
@ -69,7 +69,7 @@
|
||||||
neovim
|
neovim
|
||||||
jq
|
jq
|
||||||
iptables
|
iptables
|
||||||
ebtables
|
nftables
|
||||||
tcpdump
|
tcpdump
|
||||||
busybox
|
busybox
|
||||||
ethtool
|
ethtool
|
||||||
|
|
@ -88,15 +88,53 @@
|
||||||
|
|
||||||
systemd.network = {
|
systemd.network = {
|
||||||
enable = true;
|
enable = true;
|
||||||
networks."lan" = {
|
|
||||||
matchConfig.Name = "enu1";
|
|
||||||
networkConfig.DHCP = "no";
|
|
||||||
linkConfig.RequiredForOnline = "no";
|
|
||||||
};
|
|
||||||
networks."wan" = {
|
networks."wan" = {
|
||||||
matchConfig.Name = "end0";
|
matchConfig.Name = "end0";
|
||||||
networkConfig.DHCP = "yes";
|
networkConfig.DHCP = "yes";
|
||||||
linkConfig.RequiredForOnline = "yes";
|
linkConfig.RequiredForOnline = false;
|
||||||
|
};
|
||||||
|
networks."lan" = {
|
||||||
|
matchConfig.Name = "enu1";
|
||||||
|
networkConfig = {
|
||||||
|
DHCP = "no";
|
||||||
|
DHCPServer = "yes";
|
||||||
|
Address = "10.1.1.1/24";
|
||||||
|
};
|
||||||
|
dhcpServerConfig = {
|
||||||
|
ServerAddress = "10.1.1.1/24";
|
||||||
|
UplinkInterface = "end0";
|
||||||
|
EmitDNS = "yes";
|
||||||
|
DNS = [ "192.168.1.1" ];
|
||||||
|
};
|
||||||
|
linkConfig.RequiredForOnline = false;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
networking.firewall.enable = false;
|
||||||
|
networking.nftables = {
|
||||||
|
enable = true;
|
||||||
|
tables = {
|
||||||
|
filter = {
|
||||||
|
family = "inet";
|
||||||
|
content = ''
|
||||||
|
chain forward {
|
||||||
|
iifname { "enu1" } oifname { "end0" } accept comment "Allow trusted LAN to WAN"
|
||||||
|
iifname { "end0" } oifname { "enu1" } ct state { established, related } accept comment "Allow established back to LANs"
|
||||||
|
iifname { "enu1" } oifname { "tailscale0" } accept comment "Allow LAN to Tailscale"
|
||||||
|
}
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
nat = {
|
||||||
|
family = "ip";
|
||||||
|
content = ''
|
||||||
|
chain postrouting {
|
||||||
|
type nat hook postrouting priority 100; policy accept;
|
||||||
|
oifname "end0" masquerade
|
||||||
|
oifname "tailscale0" masquerade
|
||||||
|
}
|
||||||
|
'';
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
@ -105,7 +143,11 @@
|
||||||
configFile = "/var/lib/dae/config.dae";
|
configFile = "/var/lib/dae/config.dae";
|
||||||
};
|
};
|
||||||
|
|
||||||
services.tailscale.enable = true;
|
services.tailscale = {
|
||||||
|
enable = true;
|
||||||
|
extraSetFlags = [
|
||||||
|
"--advertise-routes=10.1.1.0/24"
|
||||||
|
];
|
||||||
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Loading…
Add table
Reference in a new issue