feat: finish vlan setup

2025-10-11 07:10:39 +02:00 · 2024-12-20 01:05:17 +01:00 · 2024-12-20 01:05:17 +01:00 · 297d19fa0c
commit 297d19fa0c
parent d0448757bf
16 changed files with 115 additions and 100 deletions
--- a/hosts/ward/default.nix
+++ b/hosts/ward/default.nix
@ -79,7 +79,9 @@
          {
            node.secretsDir = ./secrets/${guestName};
            networking.nftables.firewall = {
-              zones.untrusted.interfaces = [ config.guests.${guestName}.networking.mainLinkName ];
+              zones.untrusted.interfaces = lib.mkIf (
+                lib.length config.guests.${guestName}.networking.links == 1
+              ) config.guests.${guestName}.networking.links;
            };
          }
        ];
@ -90,8 +92,8 @@
          backend = "microvm";
          microvm = {
            system = "x86_64-linux";
-            macvtap = "lan";
            baseMac = config.repo.secrets.local.networking.interfaces.lan.mac;
+            interfaces.vlan-services = { };
          };
          extraSpecialArgs = {
            inherit (inputs.self) nodes globals;
--- a/hosts/ward/guests/adguardhome.nix
+++ b/hosts/ward/guests/adguardhome.nix
@ -16,9 +16,9 @@ in

  globals.services.adguardhome.domain = adguardhomeDomain;
  globals.monitoring.dns.adguardhome = {
-    server = globals.net.home-lan.hosts.ward-adguardhome.ipv4;
+    server = globals.net.home-lan.vlans.services.hosts.ward-adguardhome.ipv4;
    domain = ".";
-    network = "home-lan";
+    network = "home-lan.vlans.services";
  };

  nodes.sentinel = {
@ -99,7 +99,7 @@ in
          map
            (domain: {
              inherit domain;
-              answer = globals.net.home-lan.hosts.ward-web-proxy.ipv4;
+              answer = globals.net.home-lan.vlans.services.hosts.ward-web-proxy.ipv4;
            })
            [
              # FIXME: dont hardcode, filter global service domains by internal state
--- a/hosts/ward/guests/web-proxy.nix
+++ b/hosts/ward/guests/web-proxy.nix
@ -22,7 +22,7 @@ in
  meta.telegraf.availableMonitoringNetworks = [
    "internet"
    "home-wan"
-    "home-lan"
+    "home-lan.vlans.services"
  ];

  age.secrets.acme-cloudflare-dns-token = {
@ -70,8 +70,8 @@ in
      # is over TLS.
      extraConfig = ''
        proxy_ssl_verify off;
-        allow ${globals.net.home-lan.cidrv4};
-        allow ${globals.net.home-lan.cidrv6};
+        allow ${globals.net.home-lan.vlans.services.cidrv4};
+        allow ${globals.net.home-lan.vlans.services.cidrv6};
        deny all;
      '';
    };
--- a/hosts/ward/kea.nix
+++ b/hosts/ward/kea.nix
@ -5,7 +5,11 @@
  ...
 }:
 let
-  inherit (lib) net;
+  inherit (lib)
+    flip
+    mapAttrsToList
+    net
+    ;
 in
 {
  environment.persistence."/persist".directories = [
@ -32,7 +36,7 @@ in
        interfaces = map (name: "me-${name}") (builtins.attrNames globals.net.home-lan.vlans);
        service-sockets-max-retries = -1;
      };
-      subnet4 = lib.mapAttrsToList globals.net.home-lan.vlans (
+      subnet4 = flip mapAttrsToList globals.net.home-lan.vlans (
        vlanName: vlanCfg: [
          {
            inherit (vlanCfg) id;
--- a/hosts/ward/net.nix
+++ b/hosts/ward/net.nix
@ -9,9 +9,9 @@
  networking.hostId = config.repo.secrets.local.networking.hostId;

  globals.monitoring.ping.ward = {
-    hostv4 = lib.net.cidr.ip globals.net.home-lan.hosts.ward.cidrv4;
-    hostv6 = lib.net.cidr.ip globals.net.home-lan.hosts.ward.cidrv6;
-    network = "home-lan.vlans.devices";
+    hostv4 = lib.net.cidr.ip globals.net.home-lan.vlans.services.hosts.ward.cidrv4;
+    hostv6 = lib.net.cidr.ip globals.net.home-lan.vlans.services.hosts.ward.cidrv6;
+    network = "home-lan.vlans.services";
  };

  boot.initrd.availableKernelModules = [ "8021q" ];
@ -43,8 +43,8 @@
      };
      "30-vlan-home" = {
        address = [
-          globals.net.home-lan.hosts.ward.cidrv4
-          globals.net.home-lan.hosts.ward.cidrv6
+          globals.net.home-lan.vlans.home.hosts.ward.cidrv4
+          globals.net.home-lan.vlans.home.hosts.ward.cidrv6
        ];
        matchConfig.Name = "vlan-home";
        networkConfig = {
@ -157,7 +157,7 @@
          # ipv6SendRAConfig = {
          #   Managed = true;
          #   EmitDNS = true;
-          # FIXME: this is not the true ipv6 of adguardhome   DNS = globals.net.home-lan.hosts.ward-adguardhome.ipv6;
+          # FIXME: this is not the true ipv6 of adguardhome   DNS = globals.net.home-lan.vlans.services.hosts.ward-adguardhome.ipv6;
          # FIXME: todo assign static additional to reservation in kea
          # };
          linkConfig.RequiredForOnline = "routable";
@ -178,15 +178,15 @@
      }
      // lib.flip lib.concatMapAttrs globals.net.home-lan.vlans (
        vlanName: _: {
-          "me-${vlanName}".interfaces = [ "me-${vlanName}" ];
+          "vlan-${vlanName}".interfaces = [ "me-${vlanName}" ];
        }
      );

    rules = {
      masquerade-internet = {
        from = [
-          "vlan-home"
          "vlan-services"
+          "vlan-home"
          "vlan-devices"
          "vlan-guests"
        ];
@ -222,7 +222,7 @@
  #};

  wireguard.proxy-home.server = {
-    host = globals.net.home-lan.hosts.ward.ipv4;
+    host = globals.net.home-lan.vlans.services.hosts.ward.ipv4;
    port = 51444;
    reservedAddresses = [
      globals.net.proxy-home.cidrv4