lf3/server-conf
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

add initial router config

Browse source
This commit is contained in:
jopejoe1 2024-05-01 10:39:52 +02:00
parent 026f94f76f
commit a7589ad4fe
3 changed files with 113 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
flake.nix
View file

@ -46,5 +46,9 @@
inputs@{ self, nixpkgs, ... }: inputs@{ self, nixpkgs, ... }:
{ {
nixosConfigurations = import ./systems.nix { inherit self inputs nixpkgs; }; nixosConfigurations = import ./systems.nix { inherit self inputs nixpkgs; };
packages = nixpkgs.lib.attrsets.genAttrs nixpkgs.lib.systems.flakeExposed (system: import ./mikrotik.nix {
inherit system inputs;
pkgs = nixpkgs.legacyPackages.${system};
});
}; };
} }

44
mikrotik.nix Normal file
View file

@ -0,0 +1,44 @@
{ mikrotik-config ? ./router.nix, pkgs, inputs, system}:
with pkgs;
with lib;
with builtins;
let
rtr = (import mikrotik-config);
formatValue = key: value:
if key == "comment" then
''${key}="${value}"''
else if key == "no_label" then
formatValue null value
#''${key}="${value}"''
else if isAttrs value && key != null then
concatStringsSep " " (["${key}"] ++ (mapAttrsToList (k: v: formatValue k v) value))
else if isAttrs value then
concatStringsSep " " (mapAttrsToList (k: v: formatValue k v) value)
else
"${key}=${value}";
formatSection = name: opts:
[ "${name}" ] ++ (if isAttrs opts then
(mapAttrsToList (k: v: "set ${formatValue k v}") opts)
else
(map (x: "add ${formatValue null x}") opts));
in rec {
mikrotik-router = stdenv.mkDerivation rec {
version = "0.0.1";
name = "mikrotik-router-${version}";
src = builtins.toFile "router-config.rsc" (concatStringsSep "\n"
(flatten (mapAttrsToList (key: values: formatSection key values) rtr)));
builder = builtins.toFile "builder.sh" ''
source $stdenv/setup
mkdir $out
install $src $out/router-config.rsc
'';
};
}

65
router.nix Normal file
View file

@ -0,0 +1,65 @@
{
"/interface bridge" = [
{
auto-mac = "no";
comment = "defconf";
name = "bridge";
}
];
"/interface list" = [
{ comment = "defconf"; name = "WAN"; }
{ comment = "defconf"; name = "LAN"; }
];
"/interface wireless security-profiles" = [{ find.default = "yes"; supplicant-identity = "MikroTik"; }];
"/ip pool" = [
{ name = "default-dhcp"; ranges = "192.168.88.10-192.168.88.254"; }
];
"/ip dhcp-server" = [
{ address-pool = "default-dhcp"; disabled = "no"; interface = "bridge"; name = "defconf"; }
];
"/interface bridge port" = [
{ bridge = "bridge"; comment = "defconf"; interface = "ether2"; }
{ bridge = "bridge"; comment = "defconf"; interface = "ether3"; }
{ bridge = "bridge"; comment = "defconf"; interface = "ether4"; }
{ bridge = "bridge"; comment = "defconf"; interface = "ether5"; }
];
"/ip neighbor discovery-settings" = { discover-interface-list = "LAN"; };
"/interface ethernet switch vlan" = [
{ "independent-learning" = "no"; ports = "ether2,ether3"; switch = "switch1"; "vlan-id" = "20"; }
{ "independent-learning" = "no"; ports = "ether4"; switch = "switch1"; "vlan-id" = "30"; }
{ "independent-learning" = "no"; ports = "ether5"; switch = "switch1"; "vlan-id" = "40"; }
];
"/interface list member" = [
{ comment = "defconf"; interface = "bridge"; list = "LAN"; }
{ comment = "defconf"; interface = "ether1"; list = "WAN"; }
];
"/ip address" = [
{ address = "192.168.88.1/24"; comment = "defconf"; interface = "bridge"; network = "192.168.88.0"; }
];
"/ip dhcp-client" = [
{ comment = "defconf"; "dhcp-options" = "hostname,clientid"; disabled = "no"; interface = "ether1"; }
];
"/ip dhcp-server lease" = [{ address = "192.168.88.253"; "allow-dual-stack-queue" = "no"; "mac-address" = "D8:3A:DD:28:1D:3B"; }];
"/ip dhcp-server network" = [{ address = "192.168.88.0/24"; comment = "defconf"; gateway = "192.168.88.1"; }];
"/ip dns" = { "allow-remote-requests" = "yes"; servers = "192.168.88.253"; };
"/ip dns static" = [{ address = "192.168.88.1"; name = "router.lan"; }];
"/ip firewall filter" = [
{ action = "accept"; chain = "input"; comment = "defconf: accept established,related,untracked"; "connection-state" = "established,related,untracked"; }
{ action = "drop"; chain = "input"; comment = "defconf: drop invalid"; "connection-state" = "invalid"; }
{ action = "accept"; chain = "input"; comment = "defconf: accept ICMP"; protocol = "icmp"; }
{ action = "drop"; chain = "input"; comment = "defconf: drop all not coming from LAN"; "in-interface-list" = "!LAN"; }
{ action = "accept"; chain = "forward"; comment = "defconf: accept in ipsec policy"; "ipsec-policy" = "in,ipsec"; }
{ action = "accept"; chain = "forward"; comment = "defconf: accept out ipsec policy"; "ipsec-policy" = "out,ipsec"; }
{ action = "fasttrack-connection"; chain = "forward"; comment = "defconf: fasttrack"; "connection-state" = "established,related"; }
{ action = "accept"; chain = "forward"; comment = "defconf: accept established,related, untracked"; "connection-state" = "established,related,untracked"; }
{ action = "drop"; chain = "forward"; comment = "defconf: drop invalid"; "connection-state" = "invalid"; }
{ action = "drop"; chain = "forward"; comment = "defconf: drop all from WAN not DSTNATed"; "connection-nat-state" = "!dstnat"; "connection-state" = "new"; "in-interface-list" = "WAN"; }
];
"/ip firewall nat" = [
{ action = "masquerade"; chain = "srcnat"; comment = "defconf: masquerade"; "ipsec-policy" = "out,none"; "out-interface-list" = "WAN"; }
];
"/system clock" = { "time-zone-name" = "Europe/Berlin"; };
"/system routerboard settings" = { "silent-boot" = "no"; };
"/tool mac-server" = { "allowed-interface-list" = "LAN"; };
"/tool mac-server mac-winbox" = { "allowed-interface-list" = "LAN"; };
}