feat(sire): init host: main media storage server

hosts/sire/net.nix

@@ -0,0 +1,66 @@
+{config, ...}: {
+  networking.hostId = config.repo.secrets.local.networking.hostId;
+
+  boot.initrd.systemd.network = {
+    enable = true;
+    networks."10-lan" = {
+      address = ["192.168.1.2"];
+      matchConfig.MACAddress = config.repo.secrets.local.networking.interfaces.lan.mac;
+      networkConfig = {
+        IPv6PrivacyExtensions = "yes";
+        MulticastDNS = true;
+      };
+      linkConfig.RequiredForOnline = "routable";
+    };
+  };
+
+  # Create a MACVTAP for ourselves too, so that we can communicate with
+  # our guests on the same interface.
+  systemd.network.netdevs."10-lan-self" = {
+    netdevConfig = {
+      Name = "lan-self";
+      Kind = "macvlan";
+    };
+    extraConfig = ''
+      [MACVLAN]
+      Mode=bridge
+    '';
+  };
+
+  systemd.network.networks = {
+    "10-lan" = {
+      matchConfig.MACAddress = config.repo.secrets.local.networking.interfaces.lan.mac;
+      # This interface should only be used from attached macvtaps.
+      # So don't acquire a link local address and only wait for
+      # this interface to gain a carrier.
+      networkConfig.LinkLocalAddressing = "no";
+      linkConfig.RequiredForOnline = "carrier";
+      extraConfig = ''
+        [Network]
+        MACVLAN=lan-self
+      '';
+    };
+    "20-lan-self" = {
+      address = ["192.168.1.2"];
+      matchConfig.Name = "lan-self";
+      networkConfig = {
+        IPv6PrivacyExtensions = "yes";
+        MulticastDNS = true;
+      };
+      linkConfig.RequiredForOnline = "routable";
+    };
+    # Remaining macvtap interfaces should not be touched.
+    "90-macvtap-ignore" = {
+      matchConfig.Kind = "macvtap";
+      linkConfig.ActivationPolicy = "manual";
+      linkConfig.Unmanaged = "yes";
+    };
+  };
+
+  networking.nftables.firewall = {
+    zones.untrusted.interfaces = ["lan-self"];
+  };
+
+  # Allow accessing influx
+  meta.wireguard.proxy-sentinel.client.via = "sentinel";
+}