From 0f45dfcc1cccdaeeec900007a02e415633057a13 Mon Sep 17 00:00:00 2001 From: oddlama Date: Mon, 20 Jan 2025 03:46:16 +0100 Subject: [PATCH] feat: switch to new VLAN setup --- globals.nix | 20 ++-- hosts/sausebiene/default.nix | 1 - hosts/sire/default.nix | 2 +- hosts/sire/net.nix | 149 ++++++++++++++++++++---------- hosts/ward/guests/adguardhome.nix | 11 +-- hosts/ward/guests/forgejo.nix | 1 + hosts/ward/kea.nix | 65 ++++++------- hosts/ward/net.nix | 37 +++++--- 8 files changed, 171 insertions(+), 115 deletions(-) diff --git a/globals.nix b/globals.nix index 59f315c..93cc4eb 100644 --- a/globals.nix +++ b/globals.nix @@ -32,8 +32,8 @@ in vlans = { services = { id = 5; - cidrv4 = "192.168.20.0/24"; - cidrv6 = "fd20::/64"; + cidrv4 = "192.168.5.0/24"; + cidrv6 = "fd05::/64"; hosts.ward.id = 1; hosts.sire.id = 2; hosts.ward-adguardhome = { @@ -54,14 +54,14 @@ in cidrv4 = "192.168.10.0/24"; cidrv6 = "fd10::/64"; hosts.ward.id = 1; - hosts.ward-adguardhome.id = 3; + hosts.sire.id = 2; }; devices = { id = 20; - cidrv4 = "192.168.30.0/24"; - cidrv6 = "fd30::/64"; + cidrv4 = "192.168.20.0/24"; + cidrv6 = "fd20::/64"; hosts.ward.id = 1; - hosts.ward-adguardhome.id = 3; + hosts.sire.id = 2; hosts.wallbox = { id = 40; mac = globals.macs.wallbox; @@ -73,17 +73,15 @@ in }; iot = { id = 30; - cidrv4 = "192.168.40.0/24"; - cidrv6 = "fd40::/64"; + cidrv4 = "192.168.30.0/24"; + cidrv6 = "fd30::/64"; hosts.ward.id = 1; - hosts.ward-adguardhome.id = 3; }; guests = { - id = 40; + id = 50; cidrv4 = "192.168.50.0/24"; cidrv6 = "fd50::/64"; hosts.ward.id = 1; - hosts.ward-adguardhome.id = 3; }; }; }; diff --git a/hosts/sausebiene/default.nix b/hosts/sausebiene/default.nix index 56263b9..9e03cd9 100644 --- a/hosts/sausebiene/default.nix +++ b/hosts/sausebiene/default.nix @@ -32,7 +32,6 @@ }; boot.initrd.availableKernelModules = [ "r8169" - "tpm_crb" ]; security.tpm2 = { enable = true; diff --git a/hosts/sire/default.nix b/hosts/sire/default.nix index 58ace3c..5d9cf88 100644 
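Review bot: The renumbering in this hunk and the two that follow it (@@ -54 and @@ -73) establishes an implicit convention — a VLAN's id doubles as the IPv4 third octet and the ULA prefix (id 5 → 192.168.5.0/24 and fd05::/64, id 20 → 192.168.20.0/24 and fd20::/64, id 50 → 192.168.50.0/24 and fd50::/64) — but nothing in globals.nix states it, and `guests` only falls into line because its id moves from 40 to 50. A short comment at the head of the `vlans` set, such as `# Convention: vlan id N <-> 192.168.N.0/24 and fd<N, two digits>::/64; keep id and prefixes in step`, would make the invariant visible to the next edit. Note also that `devices` takes over exactly the prefixes `services` vacates (192.168.20.0/24, fd20::/64), so a client still holding an old services lease or a static services address will now sit inside the devices range; that is worth a line in the commit message until old leases have expired.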
--- a/hosts/sire/default.nix +++ b/hosts/sire/default.nix @@ -109,7 +109,7 @@ microvm = { system = "x86_64-linux"; baseMac = config.repo.secrets.local.networking.interfaces.lan.mac; - interfaces.lan = { }; + interfaces.vlan-services = { }; }; extraSpecialArgs = { inherit (inputs.self) nodes globals; diff --git a/hosts/sire/net.nix b/hosts/sire/net.nix index 175ae87..dce2bdb 100644 --- a/hosts/sire/net.nix +++ b/hosts/sire/net.nix @@ -4,6 +4,9 @@ lib, ... }: +let + localVlans = lib.genAttrs [ "services" "home" "devices" ] (x: globals.net.home-lan.vlans.${x}); +in { networking.hostId = config.repo.secrets.local.networking.hostId; 
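Review bot: `localVlans` hard-codes which VLANs sire participates in, with no comment on why exactly `services`, `home` and `devices` and not `iot` or `guests`; the globals.nix hunks above define a `hosts.sire` entry for precisely these three VLANs, so the list is really derived data written out by hand. Either document it, `# VLANs this host gets a vlan + macvlan pair and an address on; sire stays off iot and guests`, or derive it so the two places cannot drift: `localVlans = lib.filterAttrs (_: vlanCfg: vlanCfg.hosts ? sire) globals.net.home-lan.vlans;`. The same membership knowledge is repeated as literal lists in hosts/ward/kea.nix and the ward firewall later in this patch.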
@@ -15,64 +18,108 @@ boot.initrd.systemd.network = { enable = true; - networks."10-lan" = { - address = [ globals.net.home-lan.vlans.services.hosts.sire.cidrv4 ]; - gateway = [ globals.net.home-lan.vlans.services.hosts.ward.ipv4 ]; - matchConfig.MACAddress = config.repo.secrets.local.networking.interfaces.lan.mac; - networkConfig = { - IPv6PrivacyExtensions = "yes"; - MulticastDNS = true; + netdevs."30-vlan-home" = { + netdevConfig = { + Kind = "vlan"; + Name = "vlan-home"; + }; + vlanConfig.Id = globals.net.home-lan.vlans.home.id; + }; + networks = { + "10-lan" = { + matchConfig.Name = "lan"; + networkConfig.LinkLocalAddressing = "no"; + linkConfig.RequiredForOnline = "carrier"; + vlan = [ "vlan-home" ]; + }; + "30-vlan-home" = { + address = [ + globals.net.home-lan.vlans.home.hosts.sire.cidrv4 + globals.net.home-lan.vlans.home.hosts.sire.cidrv6 + ]; + gateway = [ globals.net.home-lan.vlans.home.hosts.ward.ipv4 ]; + matchConfig.Name = "vlan-home"; + networkConfig = { + IPv6PrivacyExtensions = "yes"; + MulticastDNS = true; + }; + linkConfig.RequiredForOnline = "routable"; }; - linkConfig.RequiredForOnline = "routable"; }; }; - # Create a MACVTAP for ourselves too, so that we can communicate with - # our guests on the same interface. - systemd.network.netdevs."10-lan-self" = { - netdevConfig = { - Name = "lan-self"; - Kind = "macvlan"; - }; - extraConfig = '' - [MACVLAN] - Mode=bridge - ''; - }; - - systemd.network.networks = { - "10-lan" = { - matchConfig.MACAddress = config.repo.secrets.local.networking.interfaces.lan.mac; - # This interface should only be used from attached macvtaps. - # So don't acquire a link local address and only wait for - # this interface to gain a carrier. 
- networkConfig.LinkLocalAddressing = "no"; - linkConfig.RequiredForOnline = "carrier"; - extraConfig = '' - [Network] - MACVLAN=lan-self - ''; - }; - "20-lan-self" = { - address = [ globals.net.home-lan.vlans.services.hosts.sire.cidrv4 ]; - gateway = [ globals.net.home-lan.vlans.services.hosts.ward.ipv4 ]; - matchConfig.Name = "lan-self"; - networkConfig = { - IPv6PrivacyExtensions = "yes"; - MulticastDNS = true; + systemd.network.netdevs = lib.flip lib.concatMapAttrs localVlans ( + vlanName: vlanCfg: { + # Add an interface for each VLAN + "30-vlan-${vlanName}" = { + netdevConfig = { + Kind = "vlan"; + Name = "vlan-${vlanName}"; + }; + vlanConfig.Id = vlanCfg.id; }; - linkConfig.RequiredForOnline = "routable"; - }; - # Remaining macvtap interfaces should not be touched. - "90-macvtap-ignore" = { - matchConfig.Kind = "macvtap"; - linkConfig.ActivationPolicy = "manual"; - linkConfig.Unmanaged = "yes"; - }; - }; + # Create a MACVTAP for ourselves too, so that we can communicate with + # our guests on the same interface. + "40-me-${vlanName}" = { + netdevConfig = { + Name = "me-${vlanName}"; + Kind = "macvlan"; + }; + extraConfig = '' + [MACVLAN] + Mode=bridge + ''; + }; + } + ); + + systemd.network.networks = + { + "10-lan" = { + matchConfig.Name = "lan"; + # This interface should only be used from attached vlans. + # So don't acquire a link local address and only wait for + # this interface to gain a carrier. + networkConfig.LinkLocalAddressing = "no"; + linkConfig.RequiredForOnline = "carrier"; + vlan = map (name: "vlan-${name}") (builtins.attrNames localVlans); + }; + # Remaining macvtap interfaces should not be touched. + "90-macvtap-ignore" = { + matchConfig.Kind = "macvtap"; + linkConfig.ActivationPolicy = "manual"; + linkConfig.Unmanaged = "yes"; + }; + } + // lib.flip lib.concatMapAttrs localVlans ( + vlanName: vlanCfg: { + "30-vlan-${vlanName}" = { + matchConfig.Name = "vlan-${vlanName}"; + # This interface should only be used from attached macvlans. 
+ # So don't acquire a link local address and only wait for + # this interface to gain a carrier. + networkConfig.LinkLocalAddressing = "no"; + networkConfig.MACVLAN = "me-${vlanName}"; + linkConfig.RequiredForOnline = "carrier"; + }; + "40-me-${vlanName}" = { + address = [ + vlanCfg.hosts.sire.cidrv4 + vlanCfg.hosts.sire.cidrv6 + ]; + gateway = [ vlanCfg.hosts.ward.ipv4 ]; + matchConfig.Name = "me-${vlanName}"; + networkConfig = { + IPv6PrivacyExtensions = "yes"; + MulticastDNS = true; + }; + linkConfig.RequiredForOnline = "routable"; + }; + } + ); networking.nftables.firewall = { - zones.untrusted.interfaces = [ "lan-self" ]; + zones.untrusted.interfaces = [ "me-services" ]; }; # Allow accessing influx diff --git a/hosts/ward/guests/adguardhome.nix b/hosts/ward/guests/adguardhome.nix index 8a258e7..98fdcee 100644 --- a/hosts/ward/guests/adguardhome.nix +++ b/hosts/ward/guests/adguardhome.nix @@ -2,7 +2,6 @@ config, globals, lib, - pkgs, ... }: let @@ -68,6 +67,7 @@ in port = 3000; settings = { dns = { + bind_hosts = [ globals.net.home-lan.vlans.services.hosts.ward-adguardhome.ipv4 ]; # allowed_clients = [ # ]; #trusted_proxies = []; @@ -131,12 +131,5 @@ in }; }; - systemd.services.adguardhome = { - preStart = lib.mkAfter '' - INTERFACE_ADDR=$(${pkgs.iproute2}/bin/ip -family inet -brief addr show lan | grep -o "[0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+") \ - ${lib.getExe pkgs.yq-go} -i '.dns.bind_hosts = [strenv(INTERFACE_ADDR)]' \ - "$STATE_DIRECTORY/AdGuardHome.yaml" - ''; - serviceConfig.RestartSec = lib.mkForce "60"; # Retry every minute - }; + systemd.services.adguardhome.serviceConfig.RestartSec = lib.mkForce "60"; # Retry every minute } diff --git a/hosts/ward/guests/forgejo.nix b/hosts/ward/guests/forgejo.nix index f89c661..2dac6cf 100644 --- a/hosts/ward/guests/forgejo.nix +++ b/hosts/ward/guests/forgejo.nix @@ -115,6 +115,7 @@ in services.forgejo = { enable = true; + package = pkgs.forgejo; # TODO db backups # dump.enable = true; user = "git"; 
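Review bot: The firewall zone at the end of the hunk still names a single interface, `zones.untrusted.interfaces = [ "me-services" ];`, while the `40-me-${vlanName}` networks now give sire addresses on `me-home` and `me-devices` as well; traffic arriving on those two interfaces belongs to no zone, so whether it is dropped or accepted depends on the nftables-firewall default policy, which this patch does not show. If all three VLANs are meant to be untrusted, derive the list from the same set: `zones.untrusted.interfaces = map (name: "me-${name}") (builtins.attrNames localVlans);`. Separately, every `40-me-*` network sets `gateway = [ vlanCfg.hosts.ward.ipv4 ]`, so three default routes via three next hops are configured with no metric; which one the kernel uses for egress is not determined here, and replies to a host on one VLAN may leave through another interface than the request arrived on — consider keeping the gateway on `me-services` only, or giving the routes distinct `Metric` values. The module's attribute set continues outside the hunk.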
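Review bot: `bind_hosts` pins the DNS listener to the guest's services-VLAN IPv4 only, while the ward firewall in this same patch also publishes the guest's IPv6 address (`adguardhome.ipv6Addresses` in hosts/ward/net.nix); with this setting DNS over IPv6 is unreachable even though the firewall admits it. If v6 resolution is wanted, list both: `bind_hosts = [ globals.net.home-lan.vlans.services.hosts.ward-adguardhome.ipv4 globals.net.home-lan.vlans.services.hosts.ward-adguardhome.ipv6 ];`. Binding to the explicit address instead of the old runtime-derived one is the safer direction — the listener no longer depends on parsing `ip addr show lan` — but with the preStart removed in the last hunk (@@ -131) the value now has to reach AdGuardHome.yaml through the module's settings handling, which is not visible here; confirm the state file is regenerated from `settings` on start rather than only on first run.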
diff --git a/hosts/ward/kea.nix b/hosts/ward/kea.nix index 09cc4e0..2d705a5 100644 --- a/hosts/ward/kea.nix +++ b/hosts/ward/kea.nix @@ -1,7 +1,6 @@ { lib, globals, - utils, ... }: let @@ -37,42 +36,46 @@ in service-sockets-max-retries = -1; }; subnet4 = flip mapAttrsToList globals.net.home-lan.vlans ( - vlanName: vlanCfg: [ - { - inherit (vlanCfg) id; - interface = "me-${vlanName}"; - subnet = vlanCfg.cidrv4; - pools = [ - { - pool = "${net.cidr.host 20 vlanCfg.cidrv4} - ${net.cidr.host (-6) vlanCfg.cidrv4}"; - } - ]; - option-data = [ + vlanName: vlanCfg: { + inherit (vlanCfg) id; + interface = "me-${vlanName}"; + subnet = vlanCfg.cidrv4; + pools = [ + { + pool = "${net.cidr.host 20 vlanCfg.cidrv4} - ${net.cidr.host (-6) vlanCfg.cidrv4}"; + } + ]; + option-data = + [ { name = "routers"; data = vlanCfg.hosts.ward.ipv4; # FIXME: how to advertise v6 address also? } - { - name = "domain-name-servers"; - data = vlanCfg.hosts.ward-adguardhome.ipv4; + ] + # Advertise DNS server for VLANS that have internet access + ++ + lib.optional + (lib.elem vlanName [ + "services" + "home" + "devices" + "guests" + ]) + { + name = "domain-name-servers"; + data = globals.net.home-lan.vlans.services.hosts.ward-adguardhome.ipv4; + }; + reservations = lib.concatLists ( + lib.forEach (builtins.attrValues vlanCfg.hosts) ( + hostCfg: + lib.optional (hostCfg.mac != null) { + hw-address = hostCfg.mac; + ip-address = hostCfg.ipv4; } - ]; - reservations = lib.concatLists ( - lib.forEach (builtins.attrValues vlanCfg.hosts) ( - hostCfg: - lib.optional (hostCfg.mac != null) { - hw-address = hostCfg.mac; - ip-address = hostCfg.ipv4; - } - ) - ); - } - ] + ) + ); + } ); }; }; - - systemd.services.kea-dhcp4-server.after = [ - "sys-subsystem-net-devices-${utils.escapeSystemdPath "lan-self"}.device" - ]; } diff --git a/hosts/ward/net.nix b/hosts/ward/net.nix index 40fe659..f1f58f7 100644 --- a/hosts/ward/net.nix +++ b/hosts/ward/net.nix 
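Review bot: The list of VLANs that get `domain-name-servers` advertised (`services`, `home`, `devices`, `guests`) is an inline literal here and is repeated, in a different spelling, as the `from` list of the `access-adguardhome-dns` firewall rule in hosts/ward/net.nix; if one list is edited without the other, clients are either told to use a resolver the firewall blocks, or the firewall opens a path no lease advertises. Hoisting the membership into globals.nix (a boolean per VLAN, consumed with `lib.filterAttrs` on both sides) removes the duplication. The hunk also drops the `systemd.services.kea-dhcp4-server.after` ordering on the old `lan-self` device without adding one for the `me-${vlanName}` interfaces kea now binds to; the `service-sockets-max-retries = -1;` context line suggests kea keeps retrying instead of failing, so this is presumably fine, but a comment such as `# No device ordering needed: socket binding retries indefinitely (service-sockets-max-retries)` would stop the next reader from re-adding it.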
@@ -28,12 +28,12 @@ "10-wan" = { address = [ globals.net.home-wan.hosts.ward.cidrv4 ]; gateway = [ globals.net.home-wan.hosts.fritzbox.ipv4 ]; - matchConfig.MACAddress = config.repo.secrets.local.networking.interfaces.wan.mac; + matchConfig.Name = "wan"; networkConfig.IPv6PrivacyExtensions = "yes"; linkConfig.RequiredForOnline = "routable"; }; "10-lan" = { - matchConfig.MACAddress = config.repo.secrets.local.networking.interfaces.lan.mac; + matchConfig.Name = "lan"; # This interface should only be used from attached vlans. # So don't acquire a link local address and only wait for # this interface to gain a carrier. @@ -57,10 +57,9 @@ }; }; - # Create a MACVTAP for ourselves too, so that we can communicate with - # our guests on the same interface. systemd.network.netdevs = lib.flip lib.concatMapAttrs globals.net.home-lan.vlans ( vlanName: vlanCfg: { + # Add an interface for each VLAN "30-vlan-${vlanName}" = { netdevConfig = { Kind = "vlan"; @@ -68,6 +67,8 @@ }; vlanConfig.Id = vlanCfg.id; }; + # Create a MACVTAP for ourselves too, so that we can communicate with + # our guests on the same interface. "40-me-${vlanName}" = { netdevConfig = { Name = "me-${vlanName}"; @@ -84,7 +85,7 @@ systemd.network.networks = { "10-lan" = { - matchConfig.MACAddress = config.repo.secrets.local.networking.interfaces.lan.mac; + matchConfig.Name = "lan"; # This interface should only be used from attached vlans. # So don't acquire a link local address and only wait for # this interface to gain a carrier. @@ -99,7 +100,7 @@ #ipv6AcceptRAConfig.UseDNS = false; address = [ globals.net.home-wan.hosts.ward.cidrv4 ]; gateway = [ globals.net.home-wan.hosts.fritzbox.ipv4 ]; - matchConfig.MACAddress = config.repo.secrets.local.networking.interfaces.wan.mac; + matchConfig.Name = "wan"; networkConfig.IPv6PrivacyExtensions = "yes"; # dhcpV6Config.PrefixDelegationHint = "::/64"; # FIXME: This should not be needed, but for some reason part of networkd 
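Review bot: Matching the `wan` and `lan` networks by `matchConfig.Name` instead of `matchConfig.MACAddress` (here and again in the @@ -84 and @@ -99 hunks) makes the initrd network depend on the interfaces already carrying those names when networkd runs; a MAC match was self-sufficient, whereas a name is only stable if a .link unit or udev rule that renames by MAC is also present in the initrd, which this patch does not show. Since `wan` is the untrusted zone and `lan` carries the VLAN trunk, a name that is not yet assigned would leave the interface unconfigured rather than misassigned, so the likely failure mode is loss of connectivity, not exposure. Still, confirm the rename rule is part of the initrd, or keep MAC matching for the initrd units only, and add `# interface names are assigned by <link/udev unit that renames by MAC — fill in>` above the first Name match.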
@@ -123,11 +124,8 @@ # So don't acquire a link local address and only wait for # this interface to gain a carrier. networkConfig.LinkLocalAddressing = "no"; + networkConfig.MACVLAN = "me-${vlanName}"; linkConfig.RequiredForOnline = "carrier"; - extraConfig = '' - [Network] - MACVLAN=me-${vlanName} - ''; }; "40-me-${vlanName}" = { address = [ @@ -175,6 +173,12 @@ { untrusted.interfaces = [ "wan" ]; proxy-home.interfaces = [ "proxy-home" ]; + adguardhome.ipv4Addresses = [ + globals.net.home-lan.vlans.services.hosts.ward-adguardhome.ipv4 + ]; + adguardhome.ipv6Addresses = [ + globals.net.home-lan.vlans.services.hosts.ward-adguardhome.ipv6 + ]; } // lib.flip lib.concatMapAttrs globals.net.home-lan.vlans ( vlanName: _: { @@ -198,10 +202,21 @@ verdict = "accept"; }; + # Allow access to the AdGuardHome DNS server from any VLAN that has internet access + access-adguardhome-dns = { + from = [ + "vlan-services" + "vlan-home" + "vlan-devices" + "vlan-guests" + ]; + to = [ "adguardhome" ]; + verdict = "accept"; + }; + services-to-local = { from = [ "vlan-services" ]; to = [ "local" ]; - allowedUDPPorts = [ config.wireguard.proxy-home.server.port ]; };
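Review bot: The new `adguardhome` zone is defined purely by the guest's addresses, and the rule that consumes it (visible at the start of the following, truncated hunk) uses `verdict = "accept";` with no port restriction, so every VLAN in its `from` list — `vlan-guests` included — reaches every port on the AdGuardHome guest, not only DNS; the `port = 3000;` setting in hosts/ward/guests/adguardhome.nix, presumably the web interface, is among them. Restrict the rule to the resolver ports by replacing the verdict with `allowedUDPPorts = [ 53 ]; allowedTCPPorts = [ 53 ];` (the `allowedUDPPorts` form is already used by `services-to-local` in this file). Whether the IPv6 address listed in `adguardhome.ipv6Addresses` is actually served depends on `bind_hosts` in the guest config, which in this patch lists only the IPv4, so the v6 half of the zone currently admits traffic to a closed port.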