
feat: enable cross VLAN mdns

This commit is contained in:
oddlama 2025-01-23 17:26:35 +01:00
parent 5954cc30fc
commit 7c61ac80fa
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
7 changed files with 117 additions and 0 deletions


@ -66,6 +66,10 @@ in
id = 23;
mac = globals.macs.scanner-ads-4300n;
};
hosts.epsondc44f7 = {
id = 30;
mac = globals.macs.epsondc44f7;
};
hosts.wallbox = {
id = 40;
mac = globals.macs.wallbox;


@ -20,6 +20,7 @@
./fs.nix
./net.nix
./kea.nix
./mdns-repeater.nix
];
topology.self.hardware.image = ../../topology/images/odroid-h3.png;


@ -0,0 +1,78 @@
{
pkgs,
lib,
...
}:
let
interfaces = [
"me-services"
"me-devices"
"me-iot"
"wan"
];
interfacesRegex = "(${lib.concatStringsSep "|" (interfaces ++ [ "me-home" ])})";
cfg = {
interfaces = interfacesRegex;
rules =
[
{
from = interfacesRegex;
to = "me-home";
allow_answers = ".*";
}
]
++ lib.forEach interfaces (to: {
from = "me-home";
inherit to;
allow_questions = ".*";
});
};
in
{
systemd.services.mdns-repeater = {
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
environment.RUST_LOG = "info";
serviceConfig = {
Restart = "on-failure";
ExecStart = "${lib.getExe pkgs.mdns-repeater} --config ${pkgs.writeText "config.json" (builtins.toJSON cfg)}";
# Hardening
DynamicUser = true;
CapabilityBoundingSet = "";
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateUsers = true;
PrivateTmp = true;
PrivateDevices = true;
PrivateMounts = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
RemoveIPC = true;
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_NETLINK"
];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@privileged"
];
UMask = "0027";
};
};
}
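Review bot: The relay set in `interfaces` includes `"wan"`, so questions from me-home are repeated onto the upstream link and answers arriving on wan are relayed back into me-home, which extends the mDNS domain to the upstream network and lets hosts there answer for internal service names; if that is intended it deserves a comment such as `# wan is included so devices on the upstream router's LAN are discoverable from home`, otherwise drop it from the list. The `.*` values for `allow_answers` and `allow_questions` accept every name and record type; if mdns-repeater supports narrower patterns, limiting `allow_questions` to the service types actually needed would keep the IoT segment from learning about everything on the home network. `interfacesRegex` is unanchored, so whether `wan` could also match a longer interface name depends on how the repeater applies the regex — worth confirming or anchoring it with `^…$`. The unit hardening is thorough; since the process only needs multicast, `IPAddressAllow`/`IPAddressDeny` could narrow it further, provided the repeater never sends unicast replies.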


@ -102,6 +102,7 @@
gateway = [ globals.net.home-wan.hosts.fritzbox.ipv4 ];
matchConfig.Name = "wan";
networkConfig.IPv6PrivacyExtensions = "yes";
networkConfig.MulticastDNS = true;
# dhcpV6Config.PrefixDelegationHint = "::/64";
# FIXME: This should not be needed, but for some reason part of networkd
# isn't seeing the RAs and not triggering DHCPv6. Even though some other
@ -229,6 +230,7 @@
to = [
"vlan-services"
"vlan-devices"
"vlan-iot"
];
late = true;
verdict = "accept";
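Review bot: Adding `"vlan-iot"` to the `to` list of this accept rule widens a forwarding rule rather than just enabling mDNS: whatever `from` the rule names, and any port restriction, are defined above the hunk, so unless they limit it, the source VLAN can now reach the IoT VLAN in general. Since mdns-repeater runs on the router and repeats on its own interfaces, cross-VLAN discovery by itself needs no forwarded traffic between the VLANs, so this looks broader than the commit title suggests — worth confirming the intent and stating it, e.g. `# iot reachable from home so discovered services can actually be used`. In the first hunk, `networkConfig.MulticastDNS = true` on `wan` makes systemd-resolved take part in mDNS on the upstream link, which pairs with the repeater's `wan` entry; a one-line comment saying so would help the next reader. The enclosing rule definition starts outside the hunk.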


@ -23,6 +23,8 @@ _inputs: [
firezone-server-web = prev.callPackage ./firezone-server-web/package.nix { };
firezone-server-api = prev.callPackage ./firezone-server-api/package.nix { };
mdns-repeater = prev.callPackage ./mdns-repeater.nix { };
formats = prev.formats // {
ron = import ./ron.nix { inherit (prev) lib pkgs; };
};

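--- a/pkgs/mdns-repeater.nix
+++ b/pkgs/mdns-repeater.nix
+{
+lib,
+fetchFromGitHub,
+rustPlatform,
+}:
+rustPlatform.buildRustPackage {
+pname = "mdns-repeater";
+version = "unstable-git";
+src = fetchFromGitHub {
+owner = "PatrickDaG";
+repo = "mdns-repeater";
+rev = "5178041edbd0382bdeac462223549e093b26fe12";
+hash = "sha256-cIrHSzdzFqfArE2bqWPm+CULuQU/KajkRN+i0b+seD0=";
+};
+cargoHash = "sha256-00Vh2AVECtqvkmLZmyDCR43tUqKdN4j1B8GnnRiWAmU=";
+meta = {
+description = "mDNS packet relayer";
+homepage = "https://github.com/PatrickDaG/mdns-repeater";
+license = lib.licenses.asl20;
+maintainers = with lib.maintainers; [
+oddlama
+patrickdag
+];
+mainProgram = "mdns-repeater";
+platforms = lib.platforms.linux;
+};
+}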
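Review bot: `version = "unstable-git"` carries no ordering information, so a later bump of `rev` will not show up as an upgrade to anything that compares package versions; the nixpkgs convention for packages tracking an unreleased upstream is `version = "0-unstable-YYYY-MM-DD";` with the date of the pinned commit (placeholder date, take it from the commit). The `rev`, `hash` and `cargoHash` pins are what actually fix the build, which is good — a short comment next to `rev` saying why that commit was chosen (or that it was simply upstream HEAD at the time) would make future updates easier to review.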

Binary file not shown.