From a7589ad4fe526f910544fd286476e312ddb4a4fd Mon Sep 17 00:00:00 2001
From: jopejoe1
Date: Wed, 1 May 2024 10:39:52 +0200
Subject: [PATCH] add initial router config
---
 flake.nix | 4 ++++
 mikrotik.nix | 44 +++++++++++++++++++++++++++++++++++
 router.nix | 65 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 113 insertions(+)
 create mode 100644 mikrotik.nix
 create mode 100644 router.nix
diff --git a/flake.nix b/flake.nix
index 92d00f0..344ed2a 100644
--- a/flake.nix
+++ b/flake.nix
@@ -46,5 +46,9 @@ inputs@{ self, nixpkgs, ... }: {
 nixosConfigurations = import ./systems.nix { inherit self inputs nixpkgs; };
+ packages = nixpkgs.lib.attrsets.genAttrs nixpkgs.lib.systems.flakeExposed (system: import ./mikrotik.nix {
+ inherit system inputs;
+ pkgs = nixpkgs.legacyPackages.${system};
+ });
 };
 }
diff --git a/mikrotik.nix b/mikrotik.nix
new file mode 100644
index 0000000..d393fe3
--- /dev/null
+++ b/mikrotik.nix
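Review bot: The lambda hands `inherit system inputs;` to ./mikrotik.nix, but that file's argument set (`{ mikrotik-config ? ./router.nix, pkgs, inputs, system}` in the next hunk) never references `inputs` or `system`, so either drop both arguments on each side or make mikrotik.nix actually consume `system`. `nixpkgs.lib.genAttrs` is the usual spelling of `nixpkgs.lib.attrsets.genAttrs`. The enclosing outputs attrset starts before this hunk.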
@@ -0,0 +1,44 @@
+{ mikrotik-config ? ./router.nix, pkgs, inputs, system}:
+with pkgs;
+with lib;
+with builtins;
+
+let
+ rtr = (import mikrotik-config);
+
+ formatValue = key: value:
+ if key == "comment" then
+ ''${key}="${value}"''
+ else if key == "no_label" then
+ formatValue null value
+ #''${key}="${value}"''
+ else if isAttrs value && key != null then
+ concatStringsSep " " (["${key}"] ++ (mapAttrsToList (k: v: formatValue k v) value))
+
+ else if isAttrs value then
+ concatStringsSep " " (mapAttrsToList (k: v: formatValue k v) value)
+
+ else
+ "${key}=${value}";
+
+ formatSection = name: opts:
+ [ "${name}" ] ++ (if isAttrs opts then
+ (mapAttrsToList (k: v: "set ${formatValue k v}") opts)
+ else
+ (map (x: "add ${formatValue null x}") opts));
+
+in rec {
+ mikrotik-router = stdenv.mkDerivation rec {
+ version = "0.0.1";
+ name = "mikrotik-router-${version}";
+
+ src = builtins.toFile "router-config.rsc" (concatStringsSep "\n"
+ (flatten (mapAttrsToList (key: values: formatSection key values) rtr)));
+
+ builder = builtins.toFile "builder.sh" ''
+ source $stdenv/setup
+ mkdir $out
+ install $src $out/router-config.rsc
+ '';
+ };
+}
diff --git a/router.nix b/router.nix
new file mode 100644
index 0000000..e1cc0f5
--- /dev/null
+++ b/router.nix
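Review bot: The `isAttrs value && key != null` branch of formatValue flattens `find.default = "yes"` into `find default=yes`, so router.nix's security-profiles entry is emitted as `add find default=yes supplicant-identity=MikroTik`, whereas RouterOS expects the selector bracketed on a `set` command (`set [ find default=yes ] supplicant-identity=MikroTik`); a dedicated `find` branch plus choosing `set` instead of `add` in formatSection when an entry carries `find` fixes it, sketched below. Separately, `mapAttrsToList ... rtr` emits sections in Nix's sorted-key order rather than the order written in router.nix, so `/ip dhcp-server` (address-pool=default-dhcp) comes out before `/ip pool`; if RouterOS validates the pool name on import that line fails, so either keep an explicit section order or document that output order is key-sorted. Every value other than `comment` is also interpolated unquoted in `"${key}=${value}"`, so a value containing a space or a quote silently changes the generated command; router.nix is author-controlled, so this is a robustness point rather than an injection one, but a small quoting helper would make the contract explicit. The dead `#''${key}="${value}"''` line under the `no_label` branch should go.
```nix
 formatValue = key: value:
 if key == "comment" then
 ''${key}="${value}"''
 else if key == "find" && isAttrs value then
 # RouterOS selector: rendered bracketed and paired with "set" below
 "[ find ${concatStringsSep " " (mapAttrsToList formatValue value)} ]"
 # … unchanged: no_label / attrset / scalar branches …

 formatSection = name: opts:
 [ "${name}" ] ++ (if isAttrs opts then
 (mapAttrsToList (k: v: "set ${formatValue k v}") opts)
 else
 (map (x: "${if x ? find then "set" else "add"} ${formatValue null x}") opts));
```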
@@ -0,0 +1,65 @@
+{
+ "/interface bridge" = [
+ {
+ auto-mac = "no";
+ comment = "defconf";
+ name = "bridge";
+ }
+ ];
+ "/interface list" = [
+ { comment = "defconf"; name = "WAN"; }
+ { comment = "defconf"; name = "LAN"; }
+ ];
+ "/interface wireless security-profiles" = [{ find.default = "yes"; supplicant-identity = "MikroTik"; }];
+ "/ip pool" = [
+ { name = "default-dhcp"; ranges = "192.168.88.10-192.168.88.254"; }
+ ];
+ "/ip dhcp-server" = [
+ { address-pool = "default-dhcp"; disabled = "no"; interface = "bridge"; name = "defconf"; }
+ ];
+ "/interface bridge port" = [
+ { bridge = "bridge"; comment = "defconf"; interface = "ether2"; }
+ { bridge = "bridge"; comment = "defconf"; interface = "ether3"; }
+ { bridge = "bridge"; comment = "defconf"; interface = "ether4"; }
+ { bridge = "bridge"; comment = "defconf"; interface = "ether5"; }
+ ];
+ "/ip neighbor discovery-settings" = { discover-interface-list = "LAN"; };
+ "/interface ethernet switch vlan" = [
+ { "independent-learning" = "no"; ports = "ether2,ether3"; switch = "switch1"; "vlan-id" = "20"; }
+ { "independent-learning" = "no"; ports = "ether4"; switch = "switch1"; "vlan-id" = "30"; }
+ { "independent-learning" = "no"; ports = "ether5"; switch = "switch1"; "vlan-id" = "40"; }
+ ];
+ "/interface list member" = [
+ { comment = "defconf"; interface = "bridge"; list = "LAN"; }
+ { comment = "defconf"; interface = "ether1"; list = "WAN"; }
+ ];
+ "/ip address" = [
+ { address = "192.168.88.1/24"; comment = "defconf"; interface = "bridge"; network = "192.168.88.0"; }
+ ];
+ "/ip dhcp-client" = [
+ { comment = "defconf"; "dhcp-options" = "hostname,clientid"; disabled = "no"; interface = "ether1"; }
+ ];
+ "/ip dhcp-server lease" = [{ address = "192.168.88.253"; "allow-dual-stack-queue" = "no"; "mac-address" = "D8:3A:DD:28:1D:3B"; }];
+ "/ip dhcp-server network" = [{ address = "192.168.88.0/24"; comment = "defconf"; gateway = "192.168.88.1"; }];
+ "/ip dns" = { "allow-remote-requests" = "yes"; servers = "192.168.88.253"; };
+ "/ip dns static" = [{ address = "192.168.88.1"; name = "router.lan"; }];
+ "/ip firewall filter" = [
+ { action = "accept"; chain = "input"; comment = "defconf: accept established,related,untracked"; "connection-state" = "established,related,untracked"; }
+ { action = "drop"; chain = "input"; comment = "defconf: drop invalid"; "connection-state" = "invalid"; }
+ { action = "accept"; chain = "input"; comment = "defconf: accept ICMP"; protocol = "icmp"; }
+ { action = "drop"; chain = "input"; comment = "defconf: drop all not coming from LAN"; "in-interface-list" = "!LAN"; }
+ { action = "accept"; chain = "forward"; comment = "defconf: accept in ipsec policy"; "ipsec-policy" = "in,ipsec"; }
+ { action = "accept"; chain = "forward"; comment = "defconf: accept out ipsec policy"; "ipsec-policy" = "out,ipsec"; }
+ { action = "fasttrack-connection"; chain = "forward"; comment = "defconf: fasttrack"; "connection-state" = "established,related"; }
+ { action = "accept"; chain = "forward"; comment = "defconf: accept established,related, untracked"; "connection-state" = "established,related,untracked"; }
+ { action = "drop"; chain = "forward"; comment = "defconf: drop invalid"; "connection-state" = "invalid"; }
+ { action = "drop"; chain = "forward"; comment = "defconf: drop all from WAN not DSTNATed"; "connection-nat-state" = "!dstnat"; "connection-state" = "new"; "in-interface-list" = "WAN"; }
+ ];
+ "/ip firewall nat" = [
+ { action = "masquerade"; chain = "srcnat"; comment = "defconf: masquerade"; "ipsec-policy" = "out,none"; "out-interface-list" = "WAN"; }
+ ];
+ "/system clock" = { "time-zone-name" = "Europe/Berlin"; };
+ "/system routerboard settings" = { "silent-boot" = "no"; };
+ "/tool mac-server" = { "allowed-interface-list" = "LAN"; };
+ "/tool mac-server mac-winbox" = { "allowed-interface-list" = "LAN"; };
+}