diff options
Diffstat (limited to 'sys/net/interfaces.nix')
| -rw-r--r-- | sys/net/interfaces.nix | 119 |
1 files changed, 119 insertions, 0 deletions
diff --git a/sys/net/interfaces.nix b/sys/net/interfaces.nix new file mode 100644 index 0000000..3b0abcd --- /dev/null +++ b/sys/net/interfaces.nix @@ -0,0 +1,119 @@ +{ + lib, + config, + pkgs, + ... +}: +with lib; let + cfg = config.local.net; +in { + options.local.net = with lib.types; { + enable = mkEnableOption "networking stack"; + + hostname = mkOption { + type = str; + }; + + dhcpInterface = mkOption { + type = nullOr str; + default = null; + }; + }; + + config = mkIf cfg.enable { + boot.kernel.sysctl = { + # rp_filter=1 reemplazado por nixos-fw-rpfilter + "net.ipv4.conf.all.rp_filter" = mkForce 2; + "net.ipv4.conf.default.rp_filter" = mkForce 2; + + "net.ipv4.conf.all.forwarding" = mkForce true; + "net.ipv6.conf.all.forwarding" = mkForce true; + "net.ipv4.conf.default.forwarding" = mkForce true; + "net.ipv6.conf.default.forwarding" = mkForce true; + + "net.ipv4.conf.all.accept_redirects" = mkForce false; + "net.ipv6.conf.all.accept_redirects" = mkForce false; + "net.ipv4.conf.default.accept_redirects" = mkForce false; + "net.ipv6.conf.default.accept_redirects" = mkForce false; + }; + + environment.systemPackages = with pkgs; [ + conntrack-tools + dhcpcd + dnsutils + nmap + socat + tcpdump + ]; + + networking = { + domain = mkDefault config.local.domains.host.main; + hostName = cfg.hostname; + + firewall = { + logReversePathDrops = true; + checkReversePath = "loose"; + + extraCommands = mkBefore '' + ip46tables -t filter -P INPUT DROP + ip46tables -t filter -P FORWARD ACCEPT #TODO: DROP + + ip46tables -t filter -N local-input + ip46tables -t filter -N local-forward + ip46tables -t nat -N local-prerouting + ip46tables -t nat -N local-postrouting + + ip46tables -t filter -I INPUT -j local-input + ip46tables -t filter -I FORWARD -j local-forward + ip46tables -t nat -I PREROUTING -j local-prerouting + ip46tables -t nat -I POSTROUTING -j local-postrouting + + ip46tables -t filter -A local-forward -m conntrack --ctstate RELATED,ESTABLISHED,SNAT,DNAT -j ACCEPT + ''; + + extraStopCommands = mkAfter '' + ip46tables -t filter -D INPUT -j local-input || true + ip46tables -t filter -D FORWARD -j local-forward || true + ip46tables -t nat -D PREROUTING -j local-prerouting || true + ip46tables -t nat -D POSTROUTING -j local-postrouting || true + + ip46tables -t filter -F local-input || true + ip46tables -t filter -X local-input || true + ip46tables -t filter -F local-forward || true + ip46tables -t filter -X local-forward || true + ip46tables -t nat -F local-prerouting || true + ip46tables -t nat -X local-prerouting || true + ip46tables -t nat -F local-postrouting || true + ip46tables -t nat -X local-postrouting || true + + ip46tables -t filter -P INPUT ACCEPT + ip46tables -t filter -P FORWARD ACCEPT + ''; + + logRefusedConnections = false; + }; + + useDHCP = false; + enableIPv6 = mkDefault true; + useNetworkd = mkDefault true; + useHostResolvConf = false; + + wireguard.enable = true; + }; + + systemd.network.networks = mkIf (cfg.dhcpInterface != null) { + "40-${cfg.dhcpInterface}" = { + matchConfig.Name = cfg.dhcpInterface; + + networkConfig = { + DHCP = "ipv4"; + IPv6AcceptRA = true; + IPv6PrivacyExtensions = "kernel"; + }; + + # make routing on this interface a dependency for network-online.target + linkConfig.RequiredForOnline = "routable"; + }; + }; + }; +} |