mirrors_public/oddlama_nix-config
1
1
Fork 1
mirror of https://github.com/oddlama/nix-config.git synced 2025-10-11 07:10:39 +02:00
Code Activity

feat: switch to new VLAN setup

Browse source
This commit is contained in:
oddlama 2025-01-20 03:46:16 +01:00
parent 181819d2e6
commit 0f45dfcc1c
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
8 changed files with 171 additions and 115 deletions
Download patch file Download diff file Expand all files Collapse all files

11
hosts/ward/guests/adguardhome.nix
View file

@ -2,7 +2,6 @@
config,
globals,
lib,
pkgs,
...
}:
let
@ -68,6 +67,7 @@ in
port = 3000;
settings = {
dns = {
bind_hosts = [ globals.net.home-lan.vlans.services.hosts.ward-adguardhome.ipv4 ];
# allowed_clients = [
# ];
#trusted_proxies = [];
@ -131,12 +131,5 @@ in
};
};
systemd.services.adguardhome = {
preStart = lib.mkAfter ''
INTERFACE_ADDR=$(${pkgs.iproute2}/bin/ip -family inet -brief addr show lan | grep -o "[0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+") \
${lib.getExe pkgs.yq-go} -i '.dns.bind_hosts = [strenv(INTERFACE_ADDR)]' \
"$STATE_DIRECTORY/AdGuardHome.yaml"
'';
serviceConfig.RestartSec = lib.mkForce "60"; # Retry every minute
};
systemd.services.adguardhome.serviceConfig.RestartSec = lib.mkForce "60"; # Retry every minute
}

1
hosts/ward/guests/forgejo.nix
View file

@ -115,6 +115,7 @@ in
services.forgejo = {
enable = true;
package = pkgs.forgejo;
# TODO db backups
# dump.enable = true;
user = "git";

65
hosts/ward/kea.nix
View file

@ -1,7 +1,6 @@
{
lib,
globals,
utils,
...
}:
let
@ -37,42 +36,46 @@ in
service-sockets-max-retries = -1;
};
subnet4 = flip mapAttrsToList globals.net.home-lan.vlans (
vlanName: vlanCfg: [
{
inherit (vlanCfg) id;
interface = "me-${vlanName}";
subnet = vlanCfg.cidrv4;
pools = [
{
pool = "${net.cidr.host 20 vlanCfg.cidrv4} - ${net.cidr.host (-6) vlanCfg.cidrv4}";
}
];
option-data = [
vlanName: vlanCfg: {
inherit (vlanCfg) id;
interface = "me-${vlanName}";
subnet = vlanCfg.cidrv4;
pools = [
{
pool = "${net.cidr.host 20 vlanCfg.cidrv4} - ${net.cidr.host (-6) vlanCfg.cidrv4}";
}
];
option-data =
[
{
name = "routers";
data = vlanCfg.hosts.ward.ipv4; # FIXME: how to advertise v6 address also?
}
{
name = "domain-name-servers";
data = vlanCfg.hosts.ward-adguardhome.ipv4;
]
# Advertise DNS server for VLANS that have internet access
++
lib.optional
(lib.elem vlanName [
"services"
"home"
"devices"
"guests"
])
{
name = "domain-name-servers";
data = globals.net.home-lan.vlans.services.hosts.ward-adguardhome.ipv4;
};
reservations = lib.concatLists (
lib.forEach (builtins.attrValues vlanCfg.hosts) (
hostCfg:
lib.optional (hostCfg.mac != null) {
hw-address = hostCfg.mac;
ip-address = hostCfg.ipv4;
}
];
reservations = lib.concatLists (
lib.forEach (builtins.attrValues vlanCfg.hosts) (
hostCfg:
lib.optional (hostCfg.mac != null) {
hw-address = hostCfg.mac;
ip-address = hostCfg.ipv4;
}
)
);
}
]
)
);
}
);
};
};
systemd.services.kea-dhcp4-server.after = [
"sys-subsystem-net-devices-${utils.escapeSystemdPath "lan-self"}.device"
];
}

37
hosts/ward/net.nix
View file

@ -28,12 +28,12 @@
"10-wan" = {
address = [ globals.net.home-wan.hosts.ward.cidrv4 ];
gateway = [ globals.net.home-wan.hosts.fritzbox.ipv4 ];
matchConfig.MACAddress = config.repo.secrets.local.networking.interfaces.wan.mac;
matchConfig.Name = "wan";
networkConfig.IPv6PrivacyExtensions = "yes";
linkConfig.RequiredForOnline = "routable";
};
"10-lan" = {
matchConfig.MACAddress = config.repo.secrets.local.networking.interfaces.lan.mac;
matchConfig.Name = "lan";
# This interface should only be used from attached vlans.
# So don't acquire a link local address and only wait for
# this interface to gain a carrier.
@ -57,10 +57,9 @@
};
};
# Create a MACVTAP for ourselves too, so that we can communicate with
# our guests on the same interface.
systemd.network.netdevs = lib.flip lib.concatMapAttrs globals.net.home-lan.vlans (
vlanName: vlanCfg: {
# Add an interface for each VLAN
"30-vlan-${vlanName}" = {
netdevConfig = {
Kind = "vlan";
@ -68,6 +67,8 @@
};
vlanConfig.Id = vlanCfg.id;
};
# Create a MACVTAP for ourselves too, so that we can communicate with
# our guests on the same interface.
"40-me-${vlanName}" = {
netdevConfig = {
Name = "me-${vlanName}";
@ -84,7 +85,7 @@
systemd.network.networks =
{
"10-lan" = {
matchConfig.MACAddress = config.repo.secrets.local.networking.interfaces.lan.mac;
matchConfig.Name = "lan";
# This interface should only be used from attached vlans.
# So don't acquire a link local address and only wait for
# this interface to gain a carrier.
@ -99,7 +100,7 @@
#ipv6AcceptRAConfig.UseDNS = false;
address = [ globals.net.home-wan.hosts.ward.cidrv4 ];
gateway = [ globals.net.home-wan.hosts.fritzbox.ipv4 ];
matchConfig.MACAddress = config.repo.secrets.local.networking.interfaces.wan.mac;
matchConfig.Name = "wan";
networkConfig.IPv6PrivacyExtensions = "yes";
# dhcpV6Config.PrefixDelegationHint = "::/64";
# FIXME: This should not be needed, but for some reason part of networkd
@ -123,11 +124,8 @@
# So don't acquire a link local address and only wait for
# this interface to gain a carrier.
networkConfig.LinkLocalAddressing = "no";
networkConfig.MACVLAN = "me-${vlanName}";
linkConfig.RequiredForOnline = "carrier";
extraConfig = ''
[Network]
MACVLAN=me-${vlanName}
'';
};
"40-me-${vlanName}" = {
address = [
@ -175,6 +173,12 @@
{
untrusted.interfaces = [ "wan" ];
proxy-home.interfaces = [ "proxy-home" ];
adguardhome.ipv4Addresses = [
globals.net.home-lan.vlans.services.hosts.ward-adguardhome.ipv4
];
adguardhome.ipv6Addresses = [
globals.net.home-lan.vlans.services.hosts.ward-adguardhome.ipv6
];
}
// lib.flip lib.concatMapAttrs globals.net.home-lan.vlans (
vlanName: _: {
@ -198,10 +202,21 @@
verdict = "accept";
};
# Allow access to the AdGuardHome DNS server from any VLAN that has internet access
access-adguardhome-dns = {
from = [
"vlan-services"
"vlan-home"
"vlan-devices"
"vlan-guests"
];
to = [ "adguardhome" ];
verdict = "accept";
};
services-to-local = {
from = [ "vlan-services" ];
to = [ "local" ];
allowedUDPPorts = [ config.wireguard.proxy-home.server.port ];
};