From c9a1fd0189a14fdad9521439605f6f2a1e5904bf Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sun, 15 Apr 2018 17:03:26 +0200
Subject: bridge on bragi
---
 bragi.nix | 105 +++++++++++++++++++++++++------------------------
 custom/dhcp-helper.nix | 13 ++++++
 2 files changed, 67 insertions(+), 51 deletions(-)
 create mode 100644 custom/dhcp-helper.nix
diff --git a/bragi.nix b/bragi.nix
index 045973a3..9dcb88e2 100644
--- a/bragi.nix
+++ b/bragi.nix
@@ -21,9 +21,60 @@ in rec {
 boot.supportedFilesystems = [ "cifs" ];
 
- networking.hostName = "bragi";
- networking.hostId = "2af11085";
- networking.wireless.enable = true;
+ networking = {
+ hostName = "bragi";
+ hostId = "2af11085";
+ wireless.enable = true;
+
+ bridges = {
+ br0 = {
+ interfaces = [ "enp1s0" "enp2s0" "enp3s0" "wlp4s0" ];
+ };
+ };
+
+ interfaces = lib.genAttrs ["enp1s0" "enp2s0" "enp3s0"] {
+ proxyARP = true;
+ useDHCP = false;
+ };
+
+ interfaces.wlp4s0 = {
+ proxyARP = true;
+ useDHCP = true;
+ };
+
+ firewall = {
+ enable = true;
+ allowPing = true;
+ allowedTCPPorts = [ 22 # SSH
+ 80 # HTTP
+ 5432 # PostgreSQL
+ 6600 # MPD
+ 139 445 # SAMBA
+ ];
+ allowedUDPPorts = [ 137 138 # SAMBA
+ 67 # DHCP
+ ];
+ allowedUDPPortRanges = [ { from = 60000; to = 61000; } # mosh
+ ];
+ };
+
+ networking.defaultMailServer = {
+ directDelivery = true;
+ hostName = "ymir.niflheim.yggdrasil";
+ useSTARTTLS = true;
+ setSendmail = true;
+ };
+ };
+
+ systemd.services."dhcp-helper" = {
+ serviceConfig = {
+ ExecStart = ''
+ ${pkgs.callPackage ./custom/dhcp-helper.nix {}}/bin/dhcp-helper -b wlp4s0
+ '';
+ };
+
+ wantedBy = [ "network.target" ];
+ };
 
 nixpkgs.config.packageOverrides = oldPkgs: rec {
@@ -225,54 +276,6 @@ in rec {
 esac
 '';
 
- networking.interfaces = {
- "enp1s0" = {
- useDHCP = false;
- ipv4.addresses = [
- { address = "10.141.4.1"; prefixLength = 24; }
- ];
- };
- };
-
- networking.nat = {
- enable = true;
- externalIP = "10.141.1.5";
- externalInterface = "wlp4s0";
- internalIPs = [ "10.141.4.0/24"
- ];
- internalInterfaces = [ "enp1s0"
- ];
- };
-
- networking.firewall = {
- enable = true;
- allowPing = true;
- allowedTCPPorts = [ 22 # SSH
- 80 # HTTP
- 5432 # PostgreSQL
- 6600 # MPD
- 139 445 # SAMBA
- ];
- allowedUDPPorts = [ 137 138 ]; # SAMBA
- allowedUDPPortRanges = [ { from = 60000; to = 61000; } # mosh
- ];
- extraCommands = ''
- iptables -t nat -A POSTROUTING -o wlp4s0 -j MASQUERADE
- #iptables -A FORWARD -i wlp4s0 -o enp1s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
- iptables -A FORWARD -i wlp4s0 -o enp1s0 -j ACCEPT
- iptables -A FORWARD -i enp1s0 -o wlp4s0 -j ACCEPT
- '';
- };
-
- networking.defaultMailServer = {
- directDelivery = true;
- hostName = "ymir.niflheim.yggdrasil";
- useSTARTTLS = true;
- setSendmail = true;
- };
-
- networking.search = [ "bragisheimr.yggdrasil" "asgard.yggdrasil" ];
-
 services.dhcpd4 = {
 enable = true;
 interfaces = [ "enp1s0"
diff --git a/custom/dhcp-helper.nix b/custom/dhcp-helper.nix
new file mode 100644
index 00000000..433528a3
--- /dev/null
+++ b/custom/dhcp-helper.nix
@@ -0,0 +1,13 @@
+{ stdenv, fetchurl }:
+
+stdenv.mkDerivation rec {
+ name = "dhcp-helper-${version}";
+ version = "1.2-1";
+
+ src = fetchurl {
+ url = "mirror://debian/pool/main/d/dhcp-helper/dhcp-helper_${version}.tar.gz";
+ sha256 = "0jby762a5f7mxwcfjzfr8rs0v4b6xi7l8vsbhpxjb2qzmzj4f5ni";
+ };
+
+ makeFlags = "PREFIX=$(out)";
+}
--
cgit v1.2.3
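Review bot: The new derivation in custom/dhcp-helper.nix has no `meta` attribute, so the package records no description, homepage, license or platform list, and nothing explains why the Debian pool tarball is used as the source. A short `meta` block with `description`, `homepage`, `license` (taken from the COPYING file in the fetched tarball rather than guessed) and `platforms = stdenv.lib.platforms.linux` would document that; the sha256 pin on `fetchurl` already makes the input reproducible regardless of mirror. Separately, `makeFlags` is written as a whitespace-split string; the list form `makeFlags = [ "PREFIX=$(out)" ];` is the usual nixpkgs style and avoids quoting surprises if further flags are added later.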