feat: switch to new VLAN setup

2025-10-11 07:10:39 +02:00 · 2025-01-20 03:46:16 +01:00 · 2025-01-20 03:46:16 +01:00 · 0f45dfcc1c
commit 0f45dfcc1c
parent 181819d2e6
8 changed files with 171 additions and 115 deletions
--- a/hosts/sire/net.nix
+++ b/hosts/sire/net.nix
@ -4,6 +4,9 @@
  lib,
  ...
 }:
+let
+  localVlans = lib.genAttrs [ "services" "home" "devices" ] (x: globals.net.home-lan.vlans.${x});
+in
 {
  networking.hostId = config.repo.secrets.local.networking.hostId;

@ -15,64 +18,108 @@

  boot.initrd.systemd.network = {
    enable = true;
-    networks."10-lan" = {
-      address = [ globals.net.home-lan.vlans.services.hosts.sire.cidrv4 ];
-      gateway = [ globals.net.home-lan.vlans.services.hosts.ward.ipv4 ];
-      matchConfig.MACAddress = config.repo.secrets.local.networking.interfaces.lan.mac;
-      networkConfig = {
-        IPv6PrivacyExtensions = "yes";
-        MulticastDNS = true;
+    netdevs."30-vlan-home" = {
+      netdevConfig = {
+        Kind = "vlan";
+        Name = "vlan-home";
+      };
+      vlanConfig.Id = globals.net.home-lan.vlans.home.id;
+    };
+    networks = {
+      "10-lan" = {
+        matchConfig.Name = "lan";
+        networkConfig.LinkLocalAddressing = "no";
+        linkConfig.RequiredForOnline = "carrier";
+        vlan = [ "vlan-home" ];
+      };
+      "30-vlan-home" = {
+        address = [
+          globals.net.home-lan.vlans.home.hosts.sire.cidrv4
+          globals.net.home-lan.vlans.home.hosts.sire.cidrv6
+        ];
+        gateway = [ globals.net.home-lan.vlans.home.hosts.ward.ipv4 ];
+        matchConfig.Name = "vlan-home";
+        networkConfig = {
+          IPv6PrivacyExtensions = "yes";
+          MulticastDNS = true;
+        };
+        linkConfig.RequiredForOnline = "routable";
      };
-      linkConfig.RequiredForOnline = "routable";
    };
  };

-  # Create a MACVTAP for ourselves too, so that we can communicate with
-  # our guests on the same interface.
-  systemd.network.netdevs."10-lan-self" = {
-    netdevConfig = {
-      Name = "lan-self";
-      Kind = "macvlan";
-    };
-    extraConfig = ''
-      [MACVLAN]
-      Mode=bridge
-    '';
-  };
-
-  systemd.network.networks = {
-    "10-lan" = {
-      matchConfig.MACAddress = config.repo.secrets.local.networking.interfaces.lan.mac;
-      # This interface should only be used from attached macvtaps.
-      # So don't acquire a link local address and only wait for
-      # this interface to gain a carrier.
-      networkConfig.LinkLocalAddressing = "no";
-      linkConfig.RequiredForOnline = "carrier";
-      extraConfig = ''
-        [Network]
-        MACVLAN=lan-self
-      '';
-    };
-    "20-lan-self" = {
-      address = [ globals.net.home-lan.vlans.services.hosts.sire.cidrv4 ];
-      gateway = [ globals.net.home-lan.vlans.services.hosts.ward.ipv4 ];
-      matchConfig.Name = "lan-self";
-      networkConfig = {
-        IPv6PrivacyExtensions = "yes";
-        MulticastDNS = true;
+  systemd.network.netdevs = lib.flip lib.concatMapAttrs localVlans (
+    vlanName: vlanCfg: {
+      # Add an interface for each VLAN
+      "30-vlan-${vlanName}" = {
+        netdevConfig = {
+          Kind = "vlan";
+          Name = "vlan-${vlanName}";
+        };
+        vlanConfig.Id = vlanCfg.id;
      };
-      linkConfig.RequiredForOnline = "routable";
-    };
-    # Remaining macvtap interfaces should not be touched.
-    "90-macvtap-ignore" = {
-      matchConfig.Kind = "macvtap";
-      linkConfig.ActivationPolicy = "manual";
-      linkConfig.Unmanaged = "yes";
-    };
-  };
+      # Create a MACVTAP for ourselves too, so that we can communicate with
+      # our guests on the same interface.
+      "40-me-${vlanName}" = {
+        netdevConfig = {
+          Name = "me-${vlanName}";
+          Kind = "macvlan";
+        };
+        extraConfig = ''
+          [MACVLAN]
+          Mode=bridge
+        '';
+      };
+    }
+  );
+
+  systemd.network.networks =
+    {
+      "10-lan" = {
+        matchConfig.Name = "lan";
+        # This interface should only be used from attached vlans.
+        # So don't acquire a link local address and only wait for
+        # this interface to gain a carrier.
+        networkConfig.LinkLocalAddressing = "no";
+        linkConfig.RequiredForOnline = "carrier";
+        vlan = map (name: "vlan-${name}") (builtins.attrNames localVlans);
+      };
+      # Remaining macvtap interfaces should not be touched.
+      "90-macvtap-ignore" = {
+        matchConfig.Kind = "macvtap";
+        linkConfig.ActivationPolicy = "manual";
+        linkConfig.Unmanaged = "yes";
+      };
+    }
+    // lib.flip lib.concatMapAttrs localVlans (
+      vlanName: vlanCfg: {
+        "30-vlan-${vlanName}" = {
+          matchConfig.Name = "vlan-${vlanName}";
+          # This interface should only be used from attached macvlans.
+          # So don't acquire a link local address and only wait for
+          # this interface to gain a carrier.
+          networkConfig.LinkLocalAddressing = "no";
+          networkConfig.MACVLAN = "me-${vlanName}";
+          linkConfig.RequiredForOnline = "carrier";
+        };
+        "40-me-${vlanName}" = {
+          address = [
+            vlanCfg.hosts.sire.cidrv4
+            vlanCfg.hosts.sire.cidrv6
+          ];
+          gateway = [ vlanCfg.hosts.ward.ipv4 ];
+          matchConfig.Name = "me-${vlanName}";
+          networkConfig = {
+            IPv6PrivacyExtensions = "yes";
+            MulticastDNS = true;
+          };
+          linkConfig.RequiredForOnline = "routable";
+        };
+      }
+    );

  networking.nftables.firewall = {
-    zones.untrusted.interfaces = [ "lan-self" ];
+    zones.untrusted.interfaces = [ "me-services" ];
  };

  # Allow accessing influx