feat: switch to new VLAN setup

2025-10-11 07:10:39 +02:00 · 2025-01-20 03:46:16 +01:00 · 2025-01-20 03:46:16 +01:00 · 0f45dfcc1c
commit 0f45dfcc1c
parent 181819d2e6
8 changed files with 171 additions and 115 deletions
--- a/globals.nix
+++ b/globals.nix
@ -32,8 +32,8 @@ in
        vlans = {
          services = {
            id = 5;
-            cidrv4 = "192.168.20.0/24";
+            cidrv4 = "192.168.5.0/24";
-            cidrv6 = "fd20::/64";
+            cidrv6 = "fd05::/64";
            hosts.ward.id = 1;
            hosts.sire.id = 2;
            hosts.ward-adguardhome = {
@ -54,14 +54,14 @@ in
            cidrv4 = "192.168.10.0/24";
            cidrv6 = "fd10::/64";
            hosts.ward.id = 1;
-            hosts.ward-adguardhome.id = 3;
+            hosts.sire.id = 2;
          };
          devices = {
            id = 20;
-            cidrv4 = "192.168.30.0/24";
+            cidrv4 = "192.168.20.0/24";
-            cidrv6 = "fd30::/64";
+            cidrv6 = "fd20::/64";
            hosts.ward.id = 1;
-            hosts.ward-adguardhome.id = 3;
+            hosts.sire.id = 2;
            hosts.wallbox = {
              id = 40;
              mac = globals.macs.wallbox;
@ -73,17 +73,15 @@ in
          };
          iot = {
            id = 30;
-            cidrv4 = "192.168.40.0/24";
+            cidrv4 = "192.168.30.0/24";
-            cidrv6 = "fd40::/64";
+            cidrv6 = "fd30::/64";
            hosts.ward.id = 1;
            hosts.ward-adguardhome.id = 3;
          };
          guests = {
-            id = 40;
+            id = 50;
            cidrv4 = "192.168.50.0/24";
            cidrv6 = "fd50::/64";
            hosts.ward.id = 1;
            hosts.ward-adguardhome.id = 3;
          };
        };
      };
--- a/hosts/sausebiene/default.nix
+++ b/hosts/sausebiene/default.nix
@ -32,7 +32,6 @@
  };
  boot.initrd.availableKernelModules = [
    "r8169"
    "tpm_crb"
  ];
  security.tpm2 = {
    enable = true;
--- a/hosts/sire/default.nix
+++ b/hosts/sire/default.nix
@ -109,7 +109,7 @@
          microvm = {
            system = "x86_64-linux";
            baseMac = config.repo.secrets.local.networking.interfaces.lan.mac;
-            interfaces.lan = { };
+            interfaces.vlan-services = { };
          };
          extraSpecialArgs = {
            inherit (inputs.self) nodes globals;
--- a/hosts/sire/net.nix
+++ b/hosts/sire/net.nix
@ -4,6 +4,9 @@
  lib,
  ...
 }:
 let
  localVlans = lib.genAttrs [ "services" "home" "devices" ] (x: globals.net.home-lan.vlans.${x});
 in
 {
  networking.hostId = config.repo.secrets.local.networking.hostId;
@ -15,10 +18,27 @@
  boot.initrd.systemd.network = {
    enable = true;
-    networks."10-lan" = {
+    netdevs."30-vlan-home" = {
-      address = [ globals.net.home-lan.vlans.services.hosts.sire.cidrv4 ];
+      netdevConfig = {
-      gateway = [ globals.net.home-lan.vlans.services.hosts.ward.ipv4 ];
+        Kind = "vlan";
-      matchConfig.MACAddress = config.repo.secrets.local.networking.interfaces.lan.mac;
+        Name = "vlan-home";
      };
      vlanConfig.Id = globals.net.home-lan.vlans.home.id;
    };
    networks = {
      "10-lan" = {
        matchConfig.Name = "lan";
        networkConfig.LinkLocalAddressing = "no";
        linkConfig.RequiredForOnline = "carrier";
        vlan = [ "vlan-home" ];
      };
      "30-vlan-home" = {
        address = [
          globals.net.home-lan.vlans.home.hosts.sire.cidrv4
          globals.net.home-lan.vlans.home.hosts.sire.cidrv6
        ];
        gateway = [ globals.net.home-lan.vlans.home.hosts.ward.ipv4 ];
        matchConfig.Name = "vlan-home";
        networkConfig = {
          IPv6PrivacyExtensions = "yes";
          MulticastDNS = true;
@ -26,12 +46,23 @@
        linkConfig.RequiredForOnline = "routable";
      };
    };
  };
  systemd.network.netdevs = lib.flip lib.concatMapAttrs localVlans (
    vlanName: vlanCfg: {
      # Add an interface for each VLAN
      "30-vlan-${vlanName}" = {
        netdevConfig = {
          Kind = "vlan";
          Name = "vlan-${vlanName}";
        };
        vlanConfig.Id = vlanCfg.id;
      };
      # Create a MACVTAP for ourselves too, so that we can communicate with
      # our guests on the same interface.
-  systemd.network.netdevs."10-lan-self" = {
+      "40-me-${vlanName}" = {
        netdevConfig = {
-      Name = "lan-self";
+          Name = "me-${vlanName}";
          Kind = "macvlan";
        };
        extraConfig = ''
@ -39,29 +70,19 @@
          Mode=bridge
        '';
      };
    }
  );
-  systemd.network.networks = {
+  systemd.network.networks =
    {
      "10-lan" = {
-      matchConfig.MACAddress = config.repo.secrets.local.networking.interfaces.lan.mac;
+        matchConfig.Name = "lan";
-      # This interface should only be used from attached macvtaps.
+        # This interface should only be used from attached vlans.
        # So don't acquire a link local address and only wait for
        # this interface to gain a carrier.
        networkConfig.LinkLocalAddressing = "no";
        linkConfig.RequiredForOnline = "carrier";
-      extraConfig = ''
+        vlan = map (name: "vlan-${name}") (builtins.attrNames localVlans);
        [Network]
        MACVLAN=lan-self
      '';
    };
    "20-lan-self" = {
      address = [ globals.net.home-lan.vlans.services.hosts.sire.cidrv4 ];
      gateway = [ globals.net.home-lan.vlans.services.hosts.ward.ipv4 ];
      matchConfig.Name = "lan-self";
      networkConfig = {
        IPv6PrivacyExtensions = "yes";
        MulticastDNS = true;
      };
      linkConfig.RequiredForOnline = "routable";
      };
      # Remaining macvtap interfaces should not be touched.
      "90-macvtap-ignore" = {
@ -69,10 +90,36 @@
        linkConfig.ActivationPolicy = "manual";
        linkConfig.Unmanaged = "yes";
      };
    }
    // lib.flip lib.concatMapAttrs localVlans (
      vlanName: vlanCfg: {
        "30-vlan-${vlanName}" = {
          matchConfig.Name = "vlan-${vlanName}";
          # This interface should only be used from attached macvlans.
          # So don't acquire a link local address and only wait for
          # this interface to gain a carrier.
          networkConfig.LinkLocalAddressing = "no";
          networkConfig.MACVLAN = "me-${vlanName}";
          linkConfig.RequiredForOnline = "carrier";
        };
        "40-me-${vlanName}" = {
          address = [
            vlanCfg.hosts.sire.cidrv4
            vlanCfg.hosts.sire.cidrv6
          ];
          gateway = [ vlanCfg.hosts.ward.ipv4 ];
          matchConfig.Name = "me-${vlanName}";
          networkConfig = {
            IPv6PrivacyExtensions = "yes";
            MulticastDNS = true;
          };
          linkConfig.RequiredForOnline = "routable";
        };
      }
    );
  networking.nftables.firewall = {
-    zones.untrusted.interfaces = [ "lan-self" ];
+    zones.untrusted.interfaces = [ "me-services" ];
  };
  # Allow accessing influx
--- a/hosts/ward/guests/adguardhome.nix
+++ b/hosts/ward/guests/adguardhome.nix
@ -2,7 +2,6 @@
  config,
  globals,
  lib,
  pkgs,
  ...
 }:
 let
@ -68,6 +67,7 @@ in
    port = 3000;
    settings = {
      dns = {
        bind_hosts = [ globals.net.home-lan.vlans.services.hosts.ward-adguardhome.ipv4 ];
        # allowed_clients = [
        # ];
        #trusted_proxies = [];
@ -131,12 +131,5 @@ in
    };
  };
-  systemd.services.adguardhome = {
+  systemd.services.adguardhome.serviceConfig.RestartSec = lib.mkForce "60"; # Retry every minute
    preStart = lib.mkAfter ''
      INTERFACE_ADDR=$(${pkgs.iproute2}/bin/ip -family inet -brief addr show lan | grep -o "[0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+") \
        ${lib.getExe pkgs.yq-go} -i '.dns.bind_hosts = [strenv(INTERFACE_ADDR)]' \
        "$STATE_DIRECTORY/AdGuardHome.yaml"
    '';
    serviceConfig.RestartSec = lib.mkForce "60"; # Retry every minute
  };
 }
--- a/hosts/ward/guests/forgejo.nix
+++ b/hosts/ward/guests/forgejo.nix
@ -115,6 +115,7 @@ in
  services.forgejo = {
    enable = true;
    package = pkgs.forgejo;
    # TODO db backups
    # dump.enable = true;
    user = "git";
--- a/hosts/ward/kea.nix
+++ b/hosts/ward/kea.nix
@ -1,7 +1,6 @@
 {
  lib,
  globals,
  utils,
  ...
 }:
 let
@ -37,8 +36,7 @@ in
        service-sockets-max-retries = -1;
      };
      subnet4 = flip mapAttrsToList globals.net.home-lan.vlans (
-        vlanName: vlanCfg: [
+        vlanName: vlanCfg: {
          {
          inherit (vlanCfg) id;
          interface = "me-${vlanName}";
          subnet = vlanCfg.cidrv4;
@ -47,16 +45,26 @@ in
              pool = "${net.cidr.host 20 vlanCfg.cidrv4} - ${net.cidr.host (-6) vlanCfg.cidrv4}";
            }
          ];
-            option-data = [
+          option-data =
            [
              {
                name = "routers";
                data = vlanCfg.hosts.ward.ipv4; # FIXME: how to advertise v6 address also?
              }
            ]
            # Advertise DNS server for VLANS that have internet access
            ++
              lib.optional
                (lib.elem vlanName [
                  "services"
                  "home"
                  "devices"
                  "guests"
                ])
                {
                  name = "domain-name-servers";
-                data = vlanCfg.hosts.ward-adguardhome.ipv4;
+                  data = globals.net.home-lan.vlans.services.hosts.ward-adguardhome.ipv4;
-              }
+                };
            ];
          reservations = lib.concatLists (
            lib.forEach (builtins.attrValues vlanCfg.hosts) (
              hostCfg:
@ -67,12 +75,7 @@ in
            )
          );
        }
        ]
      );
    };
  };
  systemd.services.kea-dhcp4-server.after = [
    "sys-subsystem-net-devices-${utils.escapeSystemdPath "lan-self"}.device"
  ];
 }
--- a/hosts/ward/net.nix
+++ b/hosts/ward/net.nix
@ -28,12 +28,12 @@
      "10-wan" = {
        address = [ globals.net.home-wan.hosts.ward.cidrv4 ];
        gateway = [ globals.net.home-wan.hosts.fritzbox.ipv4 ];
-        matchConfig.MACAddress = config.repo.secrets.local.networking.interfaces.wan.mac;
+        matchConfig.Name = "wan";
        networkConfig.IPv6PrivacyExtensions = "yes";
        linkConfig.RequiredForOnline = "routable";
      };
      "10-lan" = {
-        matchConfig.MACAddress = config.repo.secrets.local.networking.interfaces.lan.mac;
+        matchConfig.Name = "lan";
        # This interface should only be used from attached vlans.
        # So don't acquire a link local address and only wait for
        # this interface to gain a carrier.
@ -57,10 +57,9 @@
    };
  };
  # Create a MACVTAP for ourselves too, so that we can communicate with
  # our guests on the same interface.
  systemd.network.netdevs = lib.flip lib.concatMapAttrs globals.net.home-lan.vlans (
    vlanName: vlanCfg: {
      # Add an interface for each VLAN
      "30-vlan-${vlanName}" = {
        netdevConfig = {
          Kind = "vlan";
@ -68,6 +67,8 @@
        };
        vlanConfig.Id = vlanCfg.id;
      };
      # Create a MACVTAP for ourselves too, so that we can communicate with
      # our guests on the same interface.
      "40-me-${vlanName}" = {
        netdevConfig = {
          Name = "me-${vlanName}";
@ -84,7 +85,7 @@
  systemd.network.networks =
    {
      "10-lan" = {
-        matchConfig.MACAddress = config.repo.secrets.local.networking.interfaces.lan.mac;
+        matchConfig.Name = "lan";
        # This interface should only be used from attached vlans.
        # So don't acquire a link local address and only wait for
        # this interface to gain a carrier.
@ -99,7 +100,7 @@
        #ipv6AcceptRAConfig.UseDNS = false;
        address = [ globals.net.home-wan.hosts.ward.cidrv4 ];
        gateway = [ globals.net.home-wan.hosts.fritzbox.ipv4 ];
-        matchConfig.MACAddress = config.repo.secrets.local.networking.interfaces.wan.mac;
+        matchConfig.Name = "wan";
        networkConfig.IPv6PrivacyExtensions = "yes";
        # dhcpV6Config.PrefixDelegationHint = "::/64";
        # FIXME: This should not be needed, but for some reason part of networkd
@ -123,11 +124,8 @@
          # So don't acquire a link local address and only wait for
          # this interface to gain a carrier.
          networkConfig.LinkLocalAddressing = "no";
          networkConfig.MACVLAN = "me-${vlanName}";
          linkConfig.RequiredForOnline = "carrier";
          extraConfig = ''
            [Network]
            MACVLAN=me-${vlanName}
          '';
        };
        "40-me-${vlanName}" = {
          address = [
@ -175,6 +173,12 @@
      {
        untrusted.interfaces = [ "wan" ];
        proxy-home.interfaces = [ "proxy-home" ];
        adguardhome.ipv4Addresses = [
          globals.net.home-lan.vlans.services.hosts.ward-adguardhome.ipv4
        ];
        adguardhome.ipv6Addresses = [
          globals.net.home-lan.vlans.services.hosts.ward-adguardhome.ipv6
        ];
      }
      // lib.flip lib.concatMapAttrs globals.net.home-lan.vlans (
        vlanName: _: {
@ -198,10 +202,21 @@
        verdict = "accept";
      };
      # Allow access to the AdGuardHome DNS server from any VLAN that has internet access
      access-adguardhome-dns = {
        from = [
          "vlan-services"
          "vlan-home"
          "vlan-devices"
          "vlan-guests"
        ];
        to = [ "adguardhome" ];
        verdict = "accept";
      };
      services-to-local = {
        from = [ "vlan-services" ];
        to = [ "local" ];
        allowedUDPPorts = [ config.wireguard.proxy-home.server.port ];
      };