feat: enable cross VLAN mdns

2025-10-10 23:00:39 +02:00 · 2025-01-23 17:26:35 +01:00 · 2025-01-23 17:26:35 +01:00 · 7c61ac80fa
commit 7c61ac80fa
parent 5954cc30fc
7 changed files with 117 additions and 0 deletions
--- a/hosts/ward/default.nix
+++ b/hosts/ward/default.nix
@ -20,6 +20,7 @@
    ./fs.nix
    ./net.nix
    ./kea.nix
+    ./mdns-repeater.nix
  ];

  topology.self.hardware.image = ../../topology/images/odroid-h3.png;
--- a/hosts/ward/mdns-repeater.nix
+++ b/hosts/ward/mdns-repeater.nix
@ -0,0 +1,78 @@
+{
+  pkgs,
+  lib,
+  ...
+}:
+let
+  interfaces = [
+    "me-services"
+    "me-devices"
+    "me-iot"
+    "wan"
+  ];
+  interfacesRegex = "(${lib.concatStringsSep "|" (interfaces ++ [ "me-home" ])})";
+  cfg = {
+    interfaces = interfacesRegex;
+    rules =
+      [
+        {
+          from = interfacesRegex;
+          to = "me-home";
+          allow_answers = ".*";
+        }
+      ]
+      ++ lib.forEach interfaces (to: {
+        from = "me-home";
+        inherit to;
+        allow_questions = ".*";
+      });
+  };
+in
+{
+  systemd.services.mdns-repeater = {
+    wantedBy = [ "multi-user.target" ];
+    after = [ "network.target" ];
+
+    environment.RUST_LOG = "info";
+
+    serviceConfig = {
+      Restart = "on-failure";
+      ExecStart = "${lib.getExe pkgs.mdns-repeater} --config ${pkgs.writeText "config.json" (builtins.toJSON cfg)}";
+
+      # Hardening
+      DynamicUser = true;
+      CapabilityBoundingSet = "";
+      LockPersonality = true;
+      MemoryDenyWriteExecute = true;
+      NoNewPrivileges = true;
+      PrivateUsers = true;
+      PrivateTmp = true;
+      PrivateDevices = true;
+      PrivateMounts = true;
+      ProtectClock = true;
+      ProtectControlGroups = true;
+      ProtectHome = true;
+      ProtectHostname = true;
+      ProtectKernelLogs = true;
+      ProtectKernelModules = true;
+      ProtectKernelTunables = true;
+      ProtectProc = "invisible";
+      ProtectSystem = "strict";
+      RemoveIPC = true;
+      RestrictAddressFamilies = [
+        "AF_INET"
+        "AF_INET6"
+        "AF_NETLINK"
+      ];
+      RestrictNamespaces = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      SystemCallArchitectures = "native";
+      SystemCallFilter = [
+        "@system-service"
+        "~@privileged"
+      ];
+      UMask = "0027";
+    };
+  };
+}
--- a/hosts/ward/net.nix
+++ b/hosts/ward/net.nix
@ -102,6 +102,7 @@
        gateway = [ globals.net.home-wan.hosts.fritzbox.ipv4 ];
        matchConfig.Name = "wan";
        networkConfig.IPv6PrivacyExtensions = "yes";
+        networkConfig.MulticastDNS = true;
        # dhcpV6Config.PrefixDelegationHint = "::/64";
        # FIXME: This should not be needed, but for some reason part of networkd
        # isn't seeing the RAs and not triggering DHCPv6. Even though some other
@ -229,6 +230,7 @@
        to = [
          "vlan-services"
          "vlan-devices"
+          "vlan-iot"
        ];
        late = true;
        verdict = "accept";