diff --git a/hosts/sire/default.nix b/hosts/sire/default.nix
index b137ccf..d4a1893 100644
--- a/hosts/sire/default.nix
+++ b/hosts/sire/default.nix
@@ -112,7 +112,9 @@
 backend = "container";
 container.macvlan = "lan";
 extraSpecialArgs = {
- inherit lib nodes inputs minimal;
+ inherit (inputs.self) nodes globals;
+ inherit (inputs.self.pkgs.x86_64-linux) lib;
+ inherit inputs minimal;
 };
 };
 };
diff --git a/hosts/sire/guests/grafana.nix b/hosts/sire/guests/grafana.nix
index bd9f3de..9493dcf 100644
--- a/hosts/sire/guests/grafana.nix
+++ b/hosts/sire/guests/grafana.nix
@@ -118,10 +118,9 @@ in {
 proxyPass = "http://grafana";
 proxyWebsockets = true;
 };
- # FIXME: refer to lan 192.168... and fd10:: via globals
 extraConfig = ''
- allow 192.168.1.0/24;
- allow fd10::/64;
+ allow ${globals.net.home-lan.cidrv4};
+ allow ${globals.net.home-lan.cidrv6};
 deny all;
 '';
 };
diff --git a/hosts/sire/guests/immich.nix b/hosts/sire/guests/immich.nix
index 56de5ee..e0373f6 100644
--- a/hosts/sire/guests/immich.nix
+++ b/hosts/sire/guests/immich.nix
@@ -224,11 +224,10 @@ in {
 proxyPass = "http://immich";
 proxyWebsockets = true;
 };
- # FIXME: refer to lan 192.168... and fd10:: via globals
 extraConfig = ''
 client_max_body_size 10G;
- allow 192.168.1.0/24;
- allow fd10::/64;
+ allow ${globals.net.home-lan.cidrv4};
+ allow ${globals.net.home-lan.cidrv6};
 deny all;
 '';
 };
diff --git a/hosts/sire/guests/influxdb.nix b/hosts/sire/guests/influxdb.nix
index 7a0e0e3..ec49f67 100644
--- a/hosts/sire/guests/influxdb.nix
+++ b/hosts/sire/guests/influxdb.nix
@@ -1,5 +1,6 @@
 {
 config,
+ globals,
 lib,
 nodes,
 pkgs,
@@ -33,8 +34,8 @@ in {
 {
 method = "native";
 urls = [
- "192.168.178.1"
- "192.168.1.1"
+ globals.net.home-wan.hosts.fritzbox.ipv4
+ globals.net.home-lan.hosts.ward.ipv4
 ];
 tags.type = "internal";
 fieldpass = [
diff --git a/hosts/sire/guests/paperless.nix b/hosts/sire/guests/paperless.nix
index dc64009..9131e41 100644
--- a/hosts/sire/guests/paperless.nix
+++ b/hosts/sire/guests/paperless.nix
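Review bot: `inherit (inputs.self.pkgs.x86_64-linux) lib;` pins the guests' `lib` to one architecture inside what is otherwise a per-host definition; the same literal appears in hosts/ward/default.nix and nix/globals.nix in this commit, so a host built for another system would presumably get the wrong package set's lib without any error. If `pkgs` (or `config.nixpkgs.hostPlatform`) is in scope in this file, deriving the key from it — `inherit (inputs.self.pkgs.${pkgs.stdenv.hostPlatform.system}) lib;` — keeps the three sites consistent. A short comment on why `lib` now has to come from `inputs.self.pkgs` instead of the `lib` argument that was passed before (presumably the `net` helpers the guests use through globals) would also help the next reader. The `extraSpecialArgs` block belongs to a guest definition that starts before this hunk.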
@@ -61,11 +61,10 @@ in { virtualHosts.${paperlessDomain} = { forceSSL = true; useACMEWildcardHost = true; - # FIXME: refer to lan 192.168... and fd10:: via globals extraConfig = '' client_max_body_size 512M; - allow 192.168.1.0/24; - allow fd10::/64; + allow ${globals.net.home-lan.cidrv4}; + allow ${globals.net.home-lan.cidrv6}; deny all; ''; locations."/" = { diff --git a/hosts/sire/guests/samba.nix b/hosts/sire/guests/samba.nix index 06eaa11..ebb470c 100644 --- a/hosts/sire/guests/samba.nix +++ b/hosts/sire/guests/samba.nix @@ -1,5 +1,6 @@ { config, + globals, lib, ... }: let @@ -155,7 +156,7 @@ in { # Deny access to all hosts by default. "hosts deny = 0.0.0.0/0" # Allow access to local network and TODO: wireguard - "hosts allow = 192.168.1.0/24 fd10::/64" + "hosts allow = ${globals.net.home-lan.cidrv4} ${globals.net.home-lan.cidrv6}" # Don't advertise inaccessible shares to users "access based share enum = yes" diff --git a/hosts/sire/net.nix b/hosts/sire/net.nix index 530f0c0..76e04c3 100644 --- a/hosts/sire/net.nix +++ b/hosts/sire/net.nix @@ -1,11 +1,15 @@ -{config, ...}: { +{ + config, + globals, + ... +}: { networking.hostId = config.repo.secrets.local.networking.hostId; boot.initrd.systemd.network = { enable = true; networks."10-lan" = { - address = ["192.168.1.2/24"]; - gateway = ["192.168.1.1"]; + address = [globals.net.home-lan.hosts.sire.cidrv4]; + gateway = [globals.net.home-lan.hosts.ward.ipv4]; matchConfig.MACAddress = config.repo.secrets.local.networking.interfaces.lan.mac; networkConfig = { IPv6PrivacyExtensions = "yes"; @@ -42,8 +46,8 @@ ''; }; "20-lan-self" = { - address = ["192.168.1.2/24"]; - gateway = ["192.168.1.1"]; + address = [globals.net.home-lan.hosts.sire.cidrv4]; + gateway = [globals.net.home-lan.hosts.ward.ipv4]; matchConfig.Name = "lan-self"; networkConfig = { IPv6PrivacyExtensions = "yes"; diff --git a/hosts/ward/default.nix b/hosts/ward/default.nix index 69ae731..875cc17 100644 --- a/hosts/ward/default.nix 
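Review bot: The new `hosts allow` line lists only the LAN v4 range and the `fd10::/64` ULA, while the `hosts deny = 0.0.0.0/0` above it matches IPv4 only. If I read Samba's access check correctly, when both lists are set a client on neither list is admitted, so a connection from an IPv6 source outside `fd10::/64` (for instance a global address from the delegated prefix, or anything routed in) is not actually denied by the "deny by default" line. Changing it to `"hosts deny = ALL"` makes the default fail-closed for both address families; the wireguard TODO then just means appending `globals.net.proxy-home.cidrv4`/`cidrv6` to the allow list. The enclosing extraConfig list continues outside the hunk.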
+++ b/hosts/ward/default.nix @@ -4,7 +4,6 @@ inputs, lib, minimal, - nodes, ... }: { imports = [ @@ -99,7 +98,9 @@ backend = "container"; container.macvlan = "lan"; extraSpecialArgs = { - inherit lib nodes inputs minimal; + inherit (inputs.self) nodes globals; + inherit (inputs.self.pkgs.x86_64-linux) lib; + inherit inputs minimal; }; }; }; diff --git a/hosts/ward/guests/adguardhome.nix b/hosts/ward/guests/adguardhome.nix index 1c4d2f1..76657ac 100644 --- a/hosts/ward/guests/adguardhome.nix +++ b/hosts/ward/guests/adguardhome.nix @@ -84,7 +84,7 @@ in { # Use the local mirror-proxy for some services (not necessary, just for speed) ++ map (domain: { inherit domain; - answer = "192.168.1.4"; + answer = globals.net.home-lan.hosts.ward-web-proxy.ipv4; }) [ # FIXME: dont hardcode, filter global service domains by internal state globals.services.grafana.domain diff --git a/hosts/ward/guests/web-proxy.nix b/hosts/ward/guests/web-proxy.nix index 1f7c78a..ae18c4c 100644 --- a/hosts/ward/guests/web-proxy.nix +++ b/hosts/ward/guests/web-proxy.nix @@ -1,4 +1,8 @@ -{config, ...}: let +{ + config, + globals, + ... +}: let inherit (config.repo.secrets.local) acme; fritzboxDomain = "fritzbox.${config.repo.secrets.global.domains.me}"; in { @@ -35,7 +39,7 @@ in { services.nginx = { upstreams.fritzbox = { - servers."192.168.178.1" = {}; + servers.${globals.net.home-wan.hosts.fritzbox.ipv4} = {}; extraConfig = '' zone grafana 64k; keepalive 2; @@ -50,11 +54,10 @@ in { }; # Allow using self-signed certs. We just want to make sure the connection # is over TLS. - # FIXME: refer to lan 192.168... and fd10:: via globals extraConfig = '' proxy_ssl_verify off; - allow 192.168.1.0/24; - allow fd10::/64; + allow ${globals.net.home-lan.cidrv4}; + allow ${globals.net.home-lan.cidrv6}; deny all; ''; }; diff --git a/hosts/ward/kea.nix b/hosts/ward/kea.nix index da93bb6..bfad152 100644 --- a/hosts/ward/kea.nix +++ b/hosts/ward/kea.nix 
@@ -1,13 +1,11 @@
 {
 lib,
+ globals,
 utils,
 nodes,
 ...
 }: let
 inherit (lib) net;
- lanCidrv4 = "192.168.1.0/24";
- dnsIp = net.cidr.host 3 lanCidrv4;
- webProxyIp = net.cidr.host 4 lanCidrv4;
 in {
 environment.persistence."/persist".directories = [
 {
@@ -36,35 +34,36 @@ in {
 option-data = [
 {
 name = "domain-name-servers";
- data = dnsIp;
+ data = globals.net.home-lan.hosts.ward-adguardhome.ipv4;
 }
 ];
 subnet4 = [
 {
 id = 1;
 interface = "lan-self";
- subnet = lanCidrv4;
+ subnet = globals.net.home-lan.cidrv4;
 pools = [
- {pool = "${net.cidr.host 20 lanCidrv4} - ${net.cidr.host (-6) lanCidrv4}";}
+ {pool = "${net.cidr.host 20 globals.net.home-lan.cidrv4} - ${net.cidr.host (-6) globals.net.home-lan.cidrv4}";}
 ];
 option-data = [
 {
 name = "routers";
- data = net.cidr.host 1 lanCidrv4; # FIXME: how to advertise v6 address also?
+ data = globals.net.home-lan.hosts.ward.ipv4; # FIXME: how to advertise v6 address also?
 }
 ];
+ # FIXME: map this over globals.guests or smth. marker tag for finding: ipv4 192.168.1.1
 reservations = [
 {
 hw-address = nodes.ward-adguardhome.config.lib.microvm.mac;
- ip-address = dnsIp;
+ ip-address = globals.net.home-lan.hosts.ward-adguardhome.ipv4;
 }
 {
 hw-address = nodes.ward-web-proxy.config.lib.microvm.mac;
- ip-address = webProxyIp;
+ ip-address = globals.net.home-lan.hosts.ward-web-proxy.ipv4;
 }
 {
 hw-address = nodes.sire-samba.config.lib.microvm.mac;
- ip-address = net.cidr.host 10 lanCidrv4;
+ ip-address = globals.net.home-lan.hosts.sire-samba.ipv4;
 }
 ];
 }
diff --git a/hosts/ward/net.nix b/hosts/ward/net.nix
index fdf8705..1d9d4f8 100644
--- a/hosts/ward/net.nix
+++ b/hosts/ward/net.nix
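Review bot: The added comment `# FIXME: map this over globals.guests or smth. marker tag for finding: ipv4 192.168.1.1` carries what looks like a leftover grep marker ("marker tag for finding: ipv4 192.168.1.1") unrelated to the reservations below it; trimming it to `# FIXME: derive these reservations from globals.net.home-lan.hosts instead of listing them by hand` keeps the intent without the noise. It is also worth recording next to `pools` that the static ids in globals (1–10 today) must stay below host 20, since as far as I know Kea accepts a reservation that falls inside the dynamic pool rather than rejecting it, e.g. `# ids assigned in globals.net.home-lan.hosts must stay below 20 so they never collide with this pool`. The `subnet4` entry starts before this hunk.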
@@ -1,21 +1,41 @@ { config, - lib, + globals, ... -}: let - lanCidrv4 = "192.168.1.0/24"; - lanCidrv6 = "fd10::/64"; -in { +}: { networking.hostId = config.repo.secrets.local.networking.hostId; + globals.net = { + home-wan = { + cidrv4 = "192.168.178.0/24"; + hosts.fritzbox.id = 1; + hosts.ward.id = 2; + }; + + home-lan = { + cidrv4 = "192.168.1.0/24"; + cidrv6 = "fd10::/64"; + hosts.ward.id = 1; + hosts.sire.id = 2; + hosts.ward-adguardhome.id = 3; + hosts.ward-web-proxy.id = 4; + hosts.sire-samba.id = 10; + }; + + proxy-home = { + cidrv4 = "10.44.0.0/24"; + cidrv6 = "fd00:44::/120"; + }; + }; + boot.initrd.systemd.network = { enable = true; networks = { inherit (config.systemd.network.networks) "10-wan"; "20-lan" = { address = [ - (lib.net.cidr.hostCidr 1 lanCidrv4) - (lib.net.cidr.hostCidr 1 lanCidrv6) + globals.net.home-lan.hosts.ward.cidrv4 + globals.net.home-lan.hosts.ward.cidrv6 ]; matchConfig.MACAddress = config.repo.secrets.local.networking.interfaces.lan.mac; networkConfig = { @@ -59,16 +79,16 @@ in { #dhcpV4Config.UseDNS = false; #dhcpV6Config.UseDNS = false; #ipv6AcceptRAConfig.UseDNS = false; - address = ["192.168.178.2/24"]; - gateway = ["192.168.178.1"]; + address = [globals.net.home-wan.hosts.ward.cidrv4]; + gateway = [globals.net.home-wan.hosts.fritzbox.ipv4]; matchConfig.MACAddress = config.repo.secrets.local.networking.interfaces.wan.mac; networkConfig.IPv6PrivacyExtensions = "yes"; linkConfig.RequiredForOnline = "routable"; }; "20-lan-self" = { address = [ - (lib.net.cidr.hostCidr 1 lanCidrv4) - (lib.net.cidr.hostCidr 1 lanCidrv6) + globals.net.home-lan.hosts.ward.cidrv4 + globals.net.home-lan.hosts.ward.cidrv6 ]; matchConfig.Name = "lan-self"; networkConfig = { @@ -81,7 +101,7 @@ in { }; # Announce a static prefix ipv6Prefixes = [ - {ipv6PrefixConfig.Prefix = lanCidrv6;} + {ipv6PrefixConfig.Prefix = globals.net.home-lan.cidrv6;} ]; # Delegate prefix dhcpPrefixDelegationConfig = { 
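Review bot: The new `globals.net` block is now the single source of the address plan for ward, sire and zackbiene, but nothing in it says how `id` is interpreted: modules/globals.nix derives both the v4 and the v6 host address from the same integer, and hosts/ward/kea.nix hands out dynamic leases from host 20 upward, so ids in `home-lan` must stay below that. A comment at the top of the block such as `# Address plan for the home networks. A host's id is its host number in both cidrv4 and cidrv6; keep home-lan ids below 20 so they stay outside the Kea DHCP pool.` records both constraints where the next id will be added. Since `home-wan` declares no `cidrv6`, a one-line note that `.ipv6`/`.cidrv6` lookups on its hosts do not yield an address would save someone a confusing evaluation error later.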
@@ -90,7 +110,7 @@ in { # Provide a DNS resolver ipv6SendRAConfig = { EmitDNS = true; - DNS = lib.net.cidr.host 3 lanCidrv6; + DNS = globals.net.home-lan.hosts.ward-adguardhome.ipv4; }; linkConfig.RequiredForOnline = "routable"; }; @@ -162,9 +182,12 @@ in { #}; wireguard.proxy-home.server = { - host = "192.168.1.1"; + host = globals.net.home-lan.hosts.ward.ipv4; port = 51444; - reservedAddresses = ["10.44.0.0/24" "fd00:44::/120"]; + reservedAddresses = [ + globals.net.proxy-home.cidrv4 + globals.net.proxy-home.cidrv6 + ]; openFirewall = false; # Explicitly opened only for lan }; } diff --git a/hosts/zackbiene/esphome.nix b/hosts/zackbiene/esphome.nix index 267abf0..d7e29c9 100644 --- a/hosts/zackbiene/esphome.nix +++ b/hosts/zackbiene/esphome.nix @@ -48,7 +48,6 @@ in { }; # TODO dynamic definitions for the "local" network, IPv6 extraConfig = '' - allow 192.168.0.0/22; deny all; ''; }; diff --git a/hosts/zackbiene/home-assistant.nix b/hosts/zackbiene/home-assistant.nix index f449018..d1c9a36 100644 --- a/hosts/zackbiene/home-assistant.nix +++ b/hosts/zackbiene/home-assistant.nix @@ -149,7 +149,7 @@ in { }; # Connect to fritzbox via https proxy (to ensure valid cert) - networking.hosts."192.168.1.4" = [fritzboxDomain]; + networking.hosts.${globals.net.home-lan.hosts.ward-web-proxy.ipv4} = [fritzboxDomain]; nodes.ward-web-proxy = { services.nginx = { @@ -167,10 +167,9 @@ in { proxyPass = "http://home-assistant"; proxyWebsockets = true; }; - # FIXME: refer to lan 192.168... and fd10:: via globals extraConfig = '' - allow 192.168.1.0/24; - allow fd10::/64; + allow ${globals.net.home-lan.cidrv4}; + allow ${globals.net.home-lan.cidrv6}; deny all; ''; }; diff --git a/hosts/zackbiene/net.nix b/hosts/zackbiene/net.nix index d7aeacf..132acd8 100644 --- a/hosts/zackbiene/net.nix +++ b/hosts/zackbiene/net.nix @@ -1,5 +1,6 @@ { config, + globals, lib, ... }: let 
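Review bot: `DNS = globals.net.home-lan.hosts.ward-adguardhome.ipv4;` under `ipv6SendRAConfig` replaces what was an IPv6 address (`lib.net.cidr.host 3 lanCidrv6`) with the resolver's IPv4 address; the RDNSS option carried in Router Advertisements holds IPv6 addresses only, so networkd will most likely reject the value or SLAAC clients will never learn the AdGuard resolver and fall back to whatever other DNS they have, bypassing the filtering resolver. The intended line is `DNS = globals.net.home-lan.hosts.ward-adguardhome.ipv6;`, which the globals module computes from id 3 on `fd10::/64` — the same value as before. The `20-lan-self` network this sits in starts before the hunk.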
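Review bot: In hosts/zackbiene/esphome.nix, dropping `allow 192.168.0.0/22;` leaves `deny all;` as the only access directive, so this vhost now rejects every client rather than being narrowed to the LAN; the TODO above it reads as though the range was meant to be replaced by the globals-based one, as the other proxied services get in this commit. If `globals` is available here (hosts/zackbiene/home-assistant.nix already uses it), `allow ${globals.net.home-lan.cidrv4}; allow ${globals.net.home-lan.cidrv6};` before `deny all;` restores LAN access with the tighter scope. If the lockout is deliberate, a comment saying so would stop the next reader from "fixing" it. The virtualHost definition continues outside this hunk.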
@@ -56,8 +57,8 @@ in {
 lan-interface.interfaces = ["lan1"];
 lan = {
 parent = "lan-interface";
- ipv4Addresses = ["192.168.1.0/24"]; # FIXME: refer to via globals
- ipv6Addresses = ["fd10::/64"]; # FIXME: refer to via globals
+ ipv4Addresses = [globals.net.home-lan.cidrv4];
+ ipv6Addresses = [globals.net.home-lan.cidrv6];
 };
 iot.interfaces = ["wlan1"];
 };
diff --git a/hosts/zackbiene/zigbee2mqtt.nix b/hosts/zackbiene/zigbee2mqtt.nix
index a146a1d..8fcf245 100644
--- a/hosts/zackbiene/zigbee2mqtt.nix
+++ b/hosts/zackbiene/zigbee2mqtt.nix
@@ -53,7 +53,6 @@ in {
 locations."/".proxyPass = "http://zigbee2mqtt";
 # TODO dynamic definitions for the "local" network, IPv6
 extraConfig = ''
- allow 192.168.0.0/22;
 deny all;
 '';
 };
diff --git a/modules/globals.nix b/modules/globals.nix
index a9da0ee..21e6f50 100644
--- a/modules/globals.nix
+++ b/modules/globals.nix
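Review bot: In hosts/zackbiene/zigbee2mqtt.nix, removing `allow 192.168.0.0/22;` leaves `deny all;` on its own, so the zigbee2mqtt frontend becomes unreachable from everywhere instead of restricted to the LAN. Unless that is intended, `allow ${globals.net.home-lan.cidrv4}; allow ${globals.net.home-lan.cidrv6};` before `deny all;` (with `globals` added to this file's arguments the way hosts/zackbiene/net.nix does in this commit) gives it the same LAN-only, fail-closed default the sire and ward vhosts now have. The TODO comment above `extraConfig` should then be updated or dropped. The virtualHost definition continues outside this hunk.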
@@ -14,12 +14,81 @@ in {
 default = {};
 type = types.submodule {
 options = {
+ net = mkOption {
+ type = types.attrsOf (types.submodule (netSubmod: {
+ options = {
+ cidrv4 = mkOption {
+ type = types.nullOr types.net.cidrv4;
+ description = "The CIDRv4 of this network";
+ default = null;
+ };
+
+ cidrv6 = mkOption {
+ type = types.nullOr types.net.cidrv6;
+ description = "The CIDRv6 of this network";
+ default = null;
+ };
+
+ hosts = mkOption {
+ type = types.attrsOf (types.submodule (hostSubmod: {
+ options = {
+ id = mkOption {
+ type = types.int;
+ description = "The id of this host in the network";
+ };
+
+ ipv4 = mkOption {
+ type = types.net.ipv4;
+ description = "The IPv4 of this host";
+ readOnly = true;
+ default =
+ if netSubmod.config.cidrv4 == null
+ then null
+ else lib.net.cidr.host hostSubmod.config.id netSubmod.config.cidrv4;
+ };
+
+ ipv6 = mkOption {
+ type = types.net.ipv6;
+ description = "The IPv6 of this host";
+ readOnly = true;
+ default =
+ if netSubmod.config.cidrv6 == null
+ then null
+ else lib.net.cidr.host hostSubmod.config.id netSubmod.config.cidrv6;
+ };
+
+ cidrv4 = mkOption {
+ type = types.net.cidrv4;
+ description = "The IPv4 of this host including CIDR mask";
+ readOnly = true;
+ default =
+ if netSubmod.config.cidrv4 == null
+ then null
+ else lib.net.cidr.hostCidr hostSubmod.config.id netSubmod.config.cidrv4;
+ };
+
+ cidrv6 = mkOption {
+ type = types.net.cidrv6;
+ description = "The IPv6 of this host including CIDR mask";
+ readOnly = true;
+ default =
+ if netSubmod.config.cidrv6 == null
+ then null
+ else lib.net.cidr.hostCidr hostSubmod.config.id netSubmod.config.cidrv6;
+ };
+ };
+ }));
+ };
+ };
+ }));
+ };
+
 services = mkOption {
 type = types.attrsOf (types.submodule {
 options = {
 domain = mkOption {
 type = types.str;
- description = "";
+ description = "The domain under which this service can be reached";
 };
 };
 });
diff --git a/nix/globals.nix b/nix/globals.nix
index 4ab81d7..0e7243e 100644
--- a/nix/globals.nix
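Review bot: The per-host `ipv4`, `ipv6`, `cidrv4` and `cidrv6` options are declared with non-nullable types (`types.net.ipv4` and friends) but default to `null` whenever the network lacks the corresponding prefix; with `home-wan` defining only `cidrv4`, evaluating e.g. `globals.net.home-wan.hosts.fritzbox.ipv6` should fail the option type check instead of yielding the null the `if` intends. Wrapping the four types in `nullOr` — `type = types.nullOr types.net.ipv4;` and likewise for the other three — makes the declared type agree with the default. Nothing here rejects two hosts in one network sharing an `id`, which would silently give both the same address; a uniqueness check over `netSubmod.config.hosts` (or an assertion where the globals are consumed) would catch that at evaluation time. The `readOnly = true` on the derived options is the right call: an address cannot be overridden away from its id.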
+++ b/nix/globals.nix @@ -1,4 +1,4 @@ -{ +{inputs, ...}: { flake = { config, lib, @@ -7,6 +7,9 @@ globals = let globalsSystem = lib.evalModules { prefix = ["globals"]; + specialArgs = { + inherit (inputs.self.pkgs.x86_64-linux) lib; + }; modules = [ ../modules/globals.nix ({lib, ...}: { @@ -23,7 +26,7 @@ in { # Make sure the keys of this attrset are trivially evaluatable to avoid infinite recursion, # therefore we inherit relevant attributes from the config. - inherit (globalsSystem.config.globals) services; + inherit (globalsSystem.config.globals) net services; }; }; }
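Review bot: `specialArgs = { inherit (inputs.self.pkgs.x86_64-linux) lib; };` makes evaluation of the globals depend on the flake's own package set; if that package set, or the overlay that provides `lib.net`, reads anything from `globals` in turn, this becomes an evaluation cycle — the comment in the last hunk about avoiding infinite recursion suggests that area is already delicate. If only the `net` helpers are needed, building `lib` from the same ingredients `self.pkgs` uses (nixpkgs' lib plus the net library) rather than through `self.pkgs` would remove the dependency and the hard-coded `x86_64-linux` at once. A one-line comment on why `lib` must come from `self.pkgs` here would help either way. The `globalsSystem` let-binding continues past the hunk.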