update router confi

common.nix

@@ -1,4 +1,10 @@
-{ lib, pkgs, config, self, ... }:
+{
+  lib,
+  pkgs,
+  config,
+  self,
+  ...
+}:
 {
   networking = {
     wireless = {

flake.nix

@@ -46,5 +46,12 @@
     inputs@{ self, nixpkgs, ... }:
     {
       nixosConfigurations = import ./systems.nix { inherit self inputs nixpkgs; };
+      packages = nixpkgs.lib.attrsets.genAttrs nixpkgs.lib.systems.flakeExposed (
+        system:
+        import ./mikrotik.nix {
+          inherit system inputs;
+          pkgs = nixpkgs.legacyPackages.${system};
+        }
+      );
     };
 }

mikrotik.nix

@@ -0,0 +1,55 @@
+{
+  mikrotik-config ? ./router.nix,
+  pkgs,
+  inputs,
+  system,
+}:
+with pkgs;
+with lib;
+with builtins;
+
+let
+  rtr = (import mikrotik-config);
+
+  formatValue =
+    key: value:
+    if key == "comment" then
+      ''${key}="${value}"''
+    else if key == "no_label" then
+      formatValue null value
+    #''${key}="${value}"''
+    else if isAttrs value && key != null then
+      concatStringsSep " " ([ "${key}" ] ++ (mapAttrsToList (k: v: formatValue k v) value))
+
+    else if isAttrs value then
+      concatStringsSep " " (mapAttrsToList (k: v: formatValue k v) value)
+
+    else
+      "${key}=${value}";
+
+  formatSection =
+    name: opts:
+    [ "${name}" ]
+    ++ (
+      if isAttrs opts then
+        (mapAttrsToList (k: v: "set ${formatValue k v}") opts)
+      else
+        (map (x: "add ${formatValue null x}") opts)
+    );
+in
+rec {
+  mikrotik-router = stdenv.mkDerivation rec {
+    version = "0.0.1";
+    name = "mikrotik-router-${version}";
+
+    src = builtins.toFile "router-config.rsc" (
+      concatStringsSep "\n" (flatten (mapAttrsToList (key: values: formatSection key values) rtr))
+    );
+
+    builder = builtins.toFile "builder.sh" ''
+      source $stdenv/setup
+      mkdir $out
+      install $src $out/router-config.rsc
+    '';
+  };
+}

router.nix

@@ -0,0 +1,198 @@
+{
+  "/interface bridge" = [
+    {
+      auto-mac = "no";
+      comment = "defconf";
+      name = "bridge";
+    }
+    { name = "wifi"; }
+  ];
+  "/interface list" = [
+    { name = "WAN"; }
+    { name = "LAN"; }
+  ];
+  "/ip pool" = [
+    {
+      name = "wired-pool";
+      ranges = "10.10.10.10-10.10.10.254";
+    }
+    {
+      name = "wifi-pool";
+      ranges = "10.10.11.10-10.10.11.254";
+    }
+  ];
+  "/ip dhcp-server" = [
+    {
+      address-pool = "wired-pool";
+      disabled = "no";
+      interface = "bridge";
+      name = "wired-dhcp";
+    }
+    {
+      address-pool = "wifi-pool";
+      disabled = "no";
+      interface = "wifi";
+      name = "wifi-dhcp";
+    }
+  ];
+  "/interface bridge port" = [
+    {
+      bridge = "bridge";
+      interface = "ether2";
+    }
+    {
+      bridge = "bridge";
+      interface = "ether3";
+    }
+    {
+      bridge = "bridge";
+      interface = "ether4";
+    }
+    {
+      bridge = "wifi";
+      interface = "ether5";
+    }
+    {
+      bridge = "bridge";
+      interface = "sfp1";
+    }
+  ];
+  "/ip neighbor discovery-settings" = {
+    discover-interface-list = "LAN";
+  };
+  "/interface list member" = [
+    {
+      interface = "bridge";
+      list = "LAN";
+    }
+    {
+      interface = "ether1";
+      list = "WAN";
+    }
+  ];
+  "/ip address" = [
+    {
+      address = "10.10.10.1/24";
+      interface = "bridge";
+      network = "10.10.10.0";
+    }
+    {
+      address = "10.10.11.1/24";
+      interface = "wifi";
+      network = "10.10.11.0";
+    }
+  ];
+  "/ip dhcp-client" = [
+    {
+      disabled = "no";
+      interface = "ether1";
+    }
+  ];
+  "/ip dhcp-server network" = [
+    {
+      address = "10.10.10.0/24";
+      gateway = "10.10.10.1";
+      netmask = "24";
+    }
+    {
+      address = "10.10.11.0/24";
+      gateway = "10.10.11.1";
+      netmask = "24";
+    }
+  ];
+  "/ip dns" = {
+    "allow-remote-requests" = "yes";
+    servers = "1.1.1.1,1.0.0.1";
+  };
+  "/ip dns static" = [
+    {
+      address = "192.168.88.1";
+      name = "router.lan";
+    }
+  ];
+  "/ip firewall filter" = [
+    {
+      action = "accept";
+      chain = "input";
+      comment = "defconf: accept established,related,untracked";
+      "connection-state" = "established,related,untracked";
+    }
+    {
+      action = "drop";
+      chain = "input";
+      comment = "defconf: drop invalid";
+      "connection-state" = "invalid";
+    }
+    {
+      action = "accept";
+      chain = "input";
+      comment = "defconf: accept ICMP";
+      protocol = "icmp";
+    }
+    {
+      action = "drop";
+      chain = "input";
+      comment = "defconf: drop all not coming from LAN";
+      "in-interface-list" = "!LAN";
+    }
+    {
+      action = "accept";
+      chain = "forward";
+      comment = "defconf: accept in ipsec policy";
+      "ipsec-policy" = "in,ipsec";
+    }
+    {
+      action = "accept";
+      chain = "forward";
+      comment = "defconf: accept out ipsec policy";
+      "ipsec-policy" = "out,ipsec";
+    }
+    {
+      action = "fasttrack-connection";
+      chain = "forward";
+      comment = "defconf: fasttrack";
+      "connection-state" = "established,related";
+    }
+    {
+      action = "accept";
+      chain = "forward";
+      comment = "defconf: accept established,related, untracked";
+      "connection-state" = "established,related,untracked";
+    }
+    {
+      action = "drop";
+      chain = "forward";
+      comment = "defconf: drop invalid";
+      "connection-state" = "invalid";
+    }
+    {
+      action = "drop";
+      chain = "forward";
+      comment = "defconf:  drop all from WAN not DSTNATed";
+      "connection-nat-state" = "!dstnat";
+      "connection-state" = "new";
+      "in-interface-list" = "WAN";
+    }
+  ];
+  "/ip firewall nat" = [
+    {
+      action = "masquerade";
+      chain = "srcnat";
+      comment = "defconf: masquerade";
+      "ipsec-policy" = "out,none";
+      "out-interface-list" = "WAN";
+    }
+  ];
+  "/system clock" = {
+    "time-zone-name" = "Europe/Berlin";
+  };
+  "/system routerboard settings" = {
+    "silent-boot" = "no";
+  };
+  "/tool mac-server" = {
+    "allowed-interface-list" = "LAN";
+  };
+  "/tool mac-server mac-winbox" = {
+    "allowed-interface-list" = "LAN";
+  };
+}

systems/club-mate/default.nix

@@ -65,8 +65,14 @@
       source-han-serif-japanese
     ];
     fontconfig.defaultFonts = {
-      serif = [ "Noto Serif" "Source Han Serif" ];
-      sansSerif = [ "Noto Sans" "Source Han Sans" ];
+      serif = [
+        "Noto Serif"
+        "Source Han Serif"
+      ];
+      sansSerif = [
+        "Noto Sans"
+        "Source Han Sans"
+      ];
     };
   };
 
@@ -115,7 +121,9 @@
     };
   };
 
-  environment.variables = { LOG_ICONS = "true"; };
+  environment.variables = {
+    LOG_ICONS = "true";
+  };
   services = {
     xserver = {
       xkb.layout = "de";

systems/fritz-mate/default.nix

@@ -7,9 +7,7 @@
 }:
 
 {
-  imports = [
-    (modulesPath + "/installer/scan/not-detected.nix")
-  ];
+  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
 
   boot = {
     loader = {
@@ -19,12 +17,14 @@
     kernelPackages = self.inputs.rpi_5.legacyPackages.aarch64-linux.linuxPackages_rpi5;
     kernelModules = [ ];
     initrd = {
-      availableKernelModules = [ "usbhid" "usb_storage" ];
+      availableKernelModules = [
+        "usbhid"
+        "usb_storage"
+      ];
       kernelModules = [ ];
     };
   };
 
-
   networking = {
     useDHCP = lib.mkDefault true;
     wireless.iwd = {

systems/mio-mio-mate/default.nix

@@ -35,8 +35,16 @@
 
   networking.firewall = {
     enable = true;
-    allowedTCPPorts = [ 80 443 53 ];
-    allowedUDPPorts = [ 80 443 53 ];
+    allowedTCPPorts = [
+      80
+      443
+      53
+    ];
+    allowedUDPPorts = [
+      80
+      443
+      53
+    ];
   };
 
   services.nginx = {

users/default.nix

@@ -1,8 +1,4 @@
-{
-  pkgs,
-  config,
-  ...
-}:
+{ pkgs, config, ... }:
 {
   home = {