mirrors_public/oddlama_nix-config
1
1
Fork 1
mirror of https://github.com/oddlama/nix-config.git synced 2025-10-11 07:10:39 +02:00
Code Activity

feat: switch to avahi for mdns and mdns reflection

Browse source
This commit is contained in:
oddlama 2025-04-27 11:08:40 +02:00
parent 919ce9fc6a
commit 3f3573a1e2
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
12 changed files with 30 additions and 195 deletions
Download patch file Download diff file Expand all files Collapse all files

10
hosts/kroma/net.nix
View file

@ -15,20 +15,14 @@
"10-lan1" = {
DHCP = "yes";
matchConfig.MACAddress = config.repo.secrets.local.networking.interfaces.lan1.mac;
networkConfig = {
IPv6PrivacyExtensions = "yes";
MulticastDNS = true;
};
networkConfig.IPv6PrivacyExtensions = "yes";
dhcpV4Config.RouteMetric = 10;
dhcpV6Config.RouteMetric = 10;
};
"10-wlan1" = {
DHCP = "yes";
matchConfig.MACAddress = config.repo.secrets.local.networking.interfaces.wlan1.mac;
networkConfig = {
IPv6PrivacyExtensions = "yes";
MulticastDNS = true;
};
networkConfig.IPv6PrivacyExtensions = "yes";
dhcpV4Config.RouteMetric = 40;
dhcpV6Config.RouteMetric = 40;
};

10
hosts/nom/net.nix
View file

@ -16,20 +16,14 @@
"10-lan1" = {
DHCP = "yes";
matchConfig.MACAddress = config.repo.secrets.local.networking.interfaces.lan1.mac;
networkConfig = {
IPv6PrivacyExtensions = "yes";
MulticastDNS = true;
};
networkConfig.IPv6PrivacyExtensions = true;
dhcpV4Config.RouteMetric = 10;
dhcpV6Config.RouteMetric = 10;
};
"10-wlan1" = {
DHCP = "yes";
matchConfig.MACAddress = config.repo.secrets.local.networking.interfaces.wlan1.mac;
networkConfig = {
IPv6PrivacyExtensions = "yes";
MulticastDNS = true;
};
networkConfig.IPv6PrivacyExtensions = true;
dhcpV4Config.RouteMetric = 40;
dhcpV6Config.RouteMetric = 40;
};

10
hosts/sausebiene/net.nix
View file

@ -40,10 +40,7 @@ in
];
gateway = [ globals.net.home-lan.vlans.services.hosts.ward.ipv4 ];
matchConfig.Name = "vlan-services";
networkConfig = {
IPv6PrivacyExtensions = "yes";
MulticastDNS = true;
};
networkConfig.IPv6PrivacyExtensions = "yes";
linkConfig.RequiredForOnline = "routable";
};
};
@ -83,10 +80,7 @@ in
];
gateway = lib.optionals (vlanName == "services") [ vlanCfg.hosts.ward.ipv4 ];
matchConfig.Name = "vlan-${vlanName}";
networkConfig = {
IPv6PrivacyExtensions = "yes";
MulticastDNS = vlanName == "services";
};
networkConfig.IPv6PrivacyExtensions = "yes";
linkConfig.RequiredForOnline = "routable";
};
}

10
hosts/sire/net.nix
View file

@ -40,10 +40,7 @@ in
];
gateway = [ globals.net.home-lan.vlans.home.hosts.ward.ipv4 ];
matchConfig.Name = "vlan-home";
networkConfig = {
IPv6PrivacyExtensions = "yes";
MulticastDNS = true;
};
networkConfig.IPv6PrivacyExtensions = "yes";
linkConfig.RequiredForOnline = "routable";
};
};
@ -110,10 +107,7 @@ in
];
gateway = lib.optionals (vlanName == "services") [ vlanCfg.hosts.ward.ipv4 ];
matchConfig.Name = "me-${vlanName}";
networkConfig = {
IPv6PrivacyExtensions = "yes";
MulticastDNS = vlanName == "services";
};
networkConfig.IPv6PrivacyExtensions = "yes";
linkConfig.RequiredForOnline = "routable";
};
}

1
hosts/ward/default.nix
View file

@ -36,7 +36,6 @@ in
./fs.nix
./net.nix
./kea.nix
./mdns-repeater.nix
];
topology.self.hardware.image = ../../topology/images/odroid-h3.png;

78
hosts/ward/mdns-repeater.nix
View file

@ -1,78 +0,0 @@
{
pkgs,
lib,
...
}:
let
interfaces = [
"me-services"
"me-devices"
"me-iot"
"wan"
];
interfacesRegex = "(${lib.concatStringsSep "|" (interfaces ++ [ "me-home" ])})";
cfg = {
interfaces = interfacesRegex;
rules =
[
{
from = interfacesRegex;
to = "me-home";
allow_answers = ".*";
}
]
++ lib.forEach interfaces (to: {
from = "me-home";
inherit to;
allow_questions = ".*";
});
};
in
{
systemd.services.mdns-repeater = {
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
environment.RUST_LOG = "info";
serviceConfig = {
Restart = "on-failure";
ExecStart = "${lib.getExe pkgs.mdns-repeater} --config ${pkgs.writeText "config.json" (builtins.toJSON cfg)}";
# Hardening
DynamicUser = true;
CapabilityBoundingSet = "";
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateUsers = true;
PrivateTmp = true;
PrivateDevices = true;
PrivateMounts = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
RemoveIPC = true;
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_NETLINK"
];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@privileged"
];
UMask = "0027";
};
};
}

6
hosts/ward/net.nix
View file

@ -14,6 +14,9 @@
network = "home-lan.vlans.services";
};
# Reflect mDNS packets between our networks
services.avahi.reflector = true;
boot.initrd.availableKernelModules = [ "8021q" ];
boot.initrd.systemd.network = {
enable = true;
@ -50,7 +53,6 @@
networkConfig = {
IPv4Forwarding = "yes";
IPv6PrivacyExtensions = "yes";
MulticastDNS = true;
};
linkConfig.RequiredForOnline = "routable";
};
@ -102,7 +104,6 @@
gateway = [ globals.net.home-wan.hosts.fritzbox.ipv4 ];
matchConfig.Name = "wan";
networkConfig.IPv6PrivacyExtensions = "yes";
networkConfig.MulticastDNS = true;
# dhcpV6Config.PrefixDelegationHint = "::/64";
# FIXME: This should not be needed, but for some reason part of networkd
# isn't seeing the RAs and not triggering DHCPv6. Even though some other
@ -140,7 +141,6 @@
IPv6SendRA = true;
IPv6AcceptRA = false;
# DHCPPrefixDelegation = true;
MulticastDNS = vlanName == "services";
};
# dhcpPrefixDelegationConfig.UplinkInterface = "wan";
# dhcpPrefixDelegationConfig.Token = "::ff";