feat: finish vlan setup

oddlama 2024-12-20 01:05:17 +01:00
parent d0448757bf
commit 297d19fa0c
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
16 changed files with 115 additions and 100 deletions


@ -95,7 +95,9 @@
{
node.secretsDir = ./secrets/${guestName};
networking.nftables.firewall = {
zones.untrusted.interfaces = [ config.guests.${guestName}.networking.mainLinkName ];
zones.untrusted.interfaces = lib.mkIf (
lib.length config.guests.${guestName}.networking.links == 1
) config.guests.${guestName}.networking.links;
};
}
];
@ -106,8 +108,8 @@
backend = "microvm";
microvm = {
system = "x86_64-linux";
macvtap = "lan";
baseMac = config.repo.secrets.local.networking.interfaces.lan.mac;
interfaces.lan = { };
};
extraSpecialArgs = {
inherit (inputs.self) nodes globals;
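Review bot: In the first hunk, `lib.mkIf (lib.length links == 1) links` leaves `zones.untrusted.interfaces` unset for any guest with zero or several links, so nothing in this file puts those links into the untrusted zone anymore, whereas the old code always classified `mainLinkName` as untrusted. Unless the nftables-firewall module drops traffic from unzoned interfaces (not visible here), a multi-link guest would silently lose that classification. Either assign all links unconditionally, `zones.untrusted.interfaces = config.guests.${guestName}.networking.links;`, and override per guest with `lib.mkForce` where a link is trusted, or add an `assertions` entry that fails evaluation when a guest has more than one link. A comment stating why the single-link condition exists would also help the next reader. The enclosing `guests` attrset starts before this hunk.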


@ -65,12 +65,13 @@ in
group = "influxdb2";
};
services.influxdb2.provision.organizations.machines.auths."grafana machines:telegraf (${config.node.name})" = {
readBuckets = [ "telegraf" ];
writeBuckets = [ "telegraf" ];
tokenFile =
nodes.sire-influxdb.config.age.secrets."grafana-influxdb-token-machines-${config.node.name}".path;
};
services.influxdb2.provision.organizations.machines.auths."grafana machines:telegraf (${config.node.name})" =
{
readBuckets = [ "telegraf" ];
writeBuckets = [ "telegraf" ];
tokenFile =
nodes.sire-influxdb.config.age.secrets."grafana-influxdb-token-machines-${config.node.name}".path;
};
age.secrets."grafana-influxdb-token-home-${config.node.name}" = {
inherit (config.age.secrets.grafana-influxdb-token-home) rekeyFile;
@ -78,12 +79,13 @@ in
group = "influxdb2";
};
services.influxdb2.provision.organizations.home.auths."grafana home:home_assistant (${config.node.name})" = {
readBuckets = [ "home_assistant" ];
writeBuckets = [ "home_assistant" ];
tokenFile =
nodes.sire-influxdb.config.age.secrets."grafana-influxdb-token-home-${config.node.name}".path;
};
services.influxdb2.provision.organizations.home.auths."grafana home:home_assistant (${config.node.name})" =
{
readBuckets = [ "home_assistant" ];
writeBuckets = [ "home_assistant" ];
tokenFile =
nodes.sire-influxdb.config.age.secrets."grafana-influxdb-token-home-${config.node.name}".path;
};
};
globals.services.grafana.domain = grafanaDomain;
@ -144,8 +146,8 @@ in
proxyWebsockets = true;
};
extraConfig = ''
allow ${globals.net.home-lan.cidrv4};
allow ${globals.net.home-lan.cidrv6};
allow ${globals.net.home-lan.vlans.services.cidrv4};
allow ${globals.net.home-lan.vlans.services.cidrv6};
deny all;
'';
};
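Review bot: The `allow` lines in the last hunk now admit only the services VLAN; nginx's `allow` matches the packet source address and routed traffic from `vlans.home` keeps its own address, so if browsers on the home VLAN are meant to reach this vhost directly they are now denied by `deny all`. If the intent is that only services-VLAN hosts (for instance the reverse proxy) may reach it, a one-line comment such as `# only reachable from the services VLAN; clients come in through ward-web-proxy` would make that explicit; otherwise add `allow ${globals.net.home-lan.vlans.home.cidrv4};` and its v6 counterpart. The same allow/deny pair is repeated verbatim in several vhosts of this commit, so a shared snippet (for example a string kept in `globals`) would keep them from drifting apart. The first two hunks are a whitespace-only reformat.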


@ -249,8 +249,8 @@ in
proxy_read_timeout 600s;
proxy_send_timeout 600s;
send_timeout 600s;
allow ${globals.net.home-lan.cidrv4};
allow ${globals.net.home-lan.cidrv6};
allow ${globals.net.home-lan.vlans.services.cidrv4};
allow ${globals.net.home-lan.vlans.services.cidrv6};
deny all;
'';
};


@ -79,8 +79,8 @@ in
useACMEWildcardHost = true;
extraConfig = ''
client_max_body_size 512M;
allow ${globals.net.home-lan.cidrv4};
allow ${globals.net.home-lan.cidrv6};
allow ${globals.net.home-lan.vlans.services.cidrv4};
allow ${globals.net.home-lan.vlans.services.cidrv6};
deny all;
'';
locations."/" = {


@ -148,9 +148,9 @@ in
};
globals.monitoring.tcp.samba = {
host = globals.net.home-lan.hosts.sire-samba.ipv4;
host = globals.net.home-lan.vlans.services.hosts.sire-samba.ipv4;
port = 445;
network = "home-lan";
network = "home-lan.vlans.services";
};
services.samba = {
@ -179,7 +179,8 @@ in
# Deny access to all hosts by default.
"hosts deny" = "0.0.0.0/0";
# Allow access to local network and TODO: wireguard
"hosts allow" = "${globals.net.home-lan.cidrv4} ${globals.net.home-lan.cidrv6}";
"hosts allow" =
"${globals.net.home-lan.vlans.services.cidrv4} ${globals.net.home-lan.vlans.services.cidrv6}";
# Don't advertise inaccessible shares to users
"access based share enum" = "yes";
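Review bot: The comment above `hosts allow` still says "Allow access to local network", but the value now covers only the services VLAN; update it to `# Allow access from the services VLAN only and TODO: wireguard` so the narrowed scope is documented next to the setting. Samba's `hosts allow` matches the client's source address, so if user machines on the home or devices VLANs are expected to mount these shares they are now rejected by the `hosts deny = 0.0.0.0/0` default — confirm that only services-VLAN hosts need SMB, or add those VLAN ranges. The `services.samba` attrset continues outside the hunk.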


@ -8,16 +8,16 @@
networking.hostId = config.repo.secrets.local.networking.hostId;
globals.monitoring.ping.sire = {
hostv4 = lib.net.cidr.ip globals.net.home-lan.hosts.sire.cidrv4;
hostv6 = lib.net.cidr.ip globals.net.home-lan.hosts.sire.cidrv6;
network = "home-lan";
hostv4 = lib.net.cidr.ip globals.net.home-lan.vlans.services.hosts.sire.cidrv4;
hostv6 = lib.net.cidr.ip globals.net.home-lan.vlans.services.hosts.sire.cidrv6;
network = "home-lan.vlans.services";
};
boot.initrd.systemd.network = {
enable = true;
networks."10-lan" = {
address = [ globals.net.home-lan.hosts.sire.cidrv4 ];
gateway = [ globals.net.home-lan.hosts.ward.ipv4 ];
address = [ globals.net.home-lan.vlans.services.hosts.sire.cidrv4 ];
gateway = [ globals.net.home-lan.vlans.services.hosts.ward.ipv4 ];
matchConfig.MACAddress = config.repo.secrets.local.networking.interfaces.lan.mac;
networkConfig = {
IPv6PrivacyExtensions = "yes";
@ -54,8 +54,8 @@
'';
};
"20-lan-self" = {
address = [ globals.net.home-lan.hosts.sire.cidrv4 ];
gateway = [ globals.net.home-lan.hosts.ward.ipv4 ];
address = [ globals.net.home-lan.vlans.services.hosts.sire.cidrv4 ];
gateway = [ globals.net.home-lan.vlans.services.hosts.ward.ipv4 ];
matchConfig.Name = "lan-self";
networkConfig = {
IPv6PrivacyExtensions = "yes";
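Review bot: Both initrd networks (`10-lan`, matched by the physical NIC's MAC, and `20-lan-self`) now carry the services-VLAN address on what appears to be an untagged link, while ward elsewhere in this commit tags its VLANs with `8021q`; this presumably only works if the switch port facing sire delivers the services VLAN untagged, and that assumption is not recorded anywhere in the hunk. A comment such as `# sire's switch port carries the services VLAN untagged (PVID); no VLAN subinterface needed here` next to `matchConfig.MACAddress` would save the next person from debugging a dead initrd network after a switch change. The two networks share identical address and gateway lines, which could become one `let` binding if the file's style allows. Both network definitions continue outside the hunks.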


@ -79,7 +79,9 @@
{
node.secretsDir = ./secrets/${guestName};
networking.nftables.firewall = {
zones.untrusted.interfaces = [ config.guests.${guestName}.networking.mainLinkName ];
zones.untrusted.interfaces = lib.mkIf (
lib.length config.guests.${guestName}.networking.links == 1
) config.guests.${guestName}.networking.links;
};
}
];
@ -90,8 +92,8 @@
backend = "microvm";
microvm = {
system = "x86_64-linux";
macvtap = "lan";
baseMac = config.repo.secrets.local.networking.interfaces.lan.mac;
interfaces.vlan-services = { };
};
extraSpecialArgs = {
inherit (inputs.self) nodes globals;
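Review bot: `lib.mkIf (lib.length links == 1)` in the first hunk drops the untrusted-zone assignment entirely for a guest with a different number of links instead of failing or covering all of them, and this guest now attaches to `vlan-services` where that classification matters most; the same snippet appears verbatim in another host file in this commit. Consider `zones.untrusted.interfaces = config.guests.${guestName}.networking.links;` with per-guest `lib.mkForce` overrides where a link is trusted, and moving the shared guest boilerplate into one module so the two hosts cannot drift. The enclosing guest definition starts before the hunk.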


@ -16,9 +16,9 @@ in
globals.services.adguardhome.domain = adguardhomeDomain;
globals.monitoring.dns.adguardhome = {
server = globals.net.home-lan.hosts.ward-adguardhome.ipv4;
server = globals.net.home-lan.vlans.services.hosts.ward-adguardhome.ipv4;
domain = ".";
network = "home-lan";
network = "home-lan.vlans.services";
};
nodes.sentinel = {
@ -99,7 +99,7 @@ in
map
(domain: {
inherit domain;
answer = globals.net.home-lan.hosts.ward-web-proxy.ipv4;
answer = globals.net.home-lan.vlans.services.hosts.ward-web-proxy.ipv4;
})
[
# FIXME: dont hardcode, filter global service domains by internal state


@ -22,7 +22,7 @@ in
meta.telegraf.availableMonitoringNetworks = [
"internet"
"home-wan"
"home-lan"
"home-lan.vlans.services"
];
age.secrets.acme-cloudflare-dns-token = {
@ -70,8 +70,8 @@ in
# is over TLS.
extraConfig = ''
proxy_ssl_verify off;
allow ${globals.net.home-lan.cidrv4};
allow ${globals.net.home-lan.cidrv6};
allow ${globals.net.home-lan.vlans.services.cidrv4};
allow ${globals.net.home-lan.vlans.services.cidrv6};
deny all;
'';
};


@ -5,7 +5,11 @@
...
}:
let
inherit (lib) net;
inherit (lib)
flip
mapAttrsToList
net
;
in
{
environment.persistence."/persist".directories = [
@ -32,7 +36,7 @@ in
interfaces = map (name: "me-${name}") (builtins.attrNames globals.net.home-lan.vlans);
service-sockets-max-retries = -1;
};
subnet4 = lib.mapAttrsToList globals.net.home-lan.vlans (
subnet4 = flip mapAttrsToList globals.net.home-lan.vlans (
vlanName: vlanCfg: [
{
inherit (vlanCfg) id;


@ -9,9 +9,9 @@
networking.hostId = config.repo.secrets.local.networking.hostId;
globals.monitoring.ping.ward = {
hostv4 = lib.net.cidr.ip globals.net.home-lan.hosts.ward.cidrv4;
hostv6 = lib.net.cidr.ip globals.net.home-lan.hosts.ward.cidrv6;
network = "home-lan.vlans.devices";
hostv4 = lib.net.cidr.ip globals.net.home-lan.vlans.services.hosts.ward.cidrv4;
hostv6 = lib.net.cidr.ip globals.net.home-lan.vlans.services.hosts.ward.cidrv6;
network = "home-lan.vlans.services";
};
boot.initrd.availableKernelModules = [ "8021q" ];
@ -43,8 +43,8 @@
};
"30-vlan-home" = {
address = [
globals.net.home-lan.hosts.ward.cidrv4
globals.net.home-lan.hosts.ward.cidrv6
globals.net.home-lan.vlans.home.hosts.ward.cidrv4
globals.net.home-lan.vlans.home.hosts.ward.cidrv6
];
matchConfig.Name = "vlan-home";
networkConfig = {
@ -157,7 +157,7 @@
# ipv6SendRAConfig = {
# Managed = true;
# EmitDNS = true;
# FIXME: this is not the true ipv6 of adguardhome DNS = globals.net.home-lan.hosts.ward-adguardhome.ipv6;
# FIXME: this is not the true ipv6 of adguardhome DNS = globals.net.home-lan.vlans.services.hosts.ward-adguardhome.ipv6;
# FIXME: todo assign static additional to reservation in kea
# };
linkConfig.RequiredForOnline = "routable";
@ -178,15 +178,15 @@
}
// lib.flip lib.concatMapAttrs globals.net.home-lan.vlans (
vlanName: _: {
"me-${vlanName}".interfaces = [ "me-${vlanName}" ];
"vlan-${vlanName}".interfaces = [ "me-${vlanName}" ];
}
);
rules = {
masquerade-internet = {
from = [
"vlan-home"
"vlan-services"
"vlan-home"
"vlan-devices"
"vlan-guests"
];
@ -222,7 +222,7 @@
#};
wireguard.proxy-home.server = {
host = globals.net.home-lan.hosts.ward.ipv4;
host = globals.net.home-lan.vlans.services.hosts.ward.ipv4;
port = 51444;
reservedAddresses = [
globals.net.proxy-home.cidrv4
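Review bot: In the `@ -178` hunk the zones are now generated as `vlan-${vlanName}` from `globals.net.home-lan.vlans`, but `masquerade-internet.from` still lists `vlan-services`, `vlan-home`, `vlan-devices` and `vlan-guests` by hand, so a VLAN added to `globals` later gets a zone but no internet masquerade — fail-closed, but easy to miss. If that is deliberate, record it with `# explicit list: a new VLAN gets no internet access until added here`; if not, derive it with `from = map (n: "vlan-${n}") (builtins.attrNames globals.net.home-lan.vlans);`. Whether traffic between the VLAN zones is forwarded or dropped is decided by rules outside this hunk and cannot be judged here. The `firewall` attrset starts before the hunk.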


@ -154,7 +154,9 @@ in
};
# Connect to fritzbox via https proxy (to ensure valid cert)
networking.hosts.${globals.net.home-lan.hosts.ward-web-proxy.ipv4} = [ fritzboxDomain ];
networking.hosts.${globals.net.home-lan.vlans.services.hosts.ward-web-proxy.ipv4} = [
fritzboxDomain
];
nodes.ward-web-proxy = {
services.nginx = {
@ -174,8 +176,8 @@ in
proxyWebsockets = true;
};
extraConfig = ''
allow ${globals.net.home-lan.cidrv4};
allow ${globals.net.home-lan.cidrv6};
allow ${globals.net.home-lan.vlans.services.cidrv4};
allow ${globals.net.home-lan.vlans.services.cidrv6};
deny all;
'';
};


@ -14,7 +14,7 @@ in
globals.monitoring.ping.zackbiene = {
hostv4 = "zackbiene.local";
hostv6 = "zackbiene.local";
network = "home-lan";
network = "home-lan.vlans.services";
};
wireguard.proxy-home.client.via = "ward";
@ -70,8 +70,8 @@ in
lan-interface.interfaces = [ "lan1" ];
lan = {
parent = "lan-interface";
ipv4Addresses = [ globals.net.home-lan.cidrv4 ];
ipv6Addresses = [ globals.net.home-lan.cidrv6 ];
ipv4Addresses = [ globals.net.home-lan.vlans.services.cidrv4 ];
ipv6Addresses = [ globals.net.home-lan.vlans.services.cidrv6 ];
};
iot.interfaces = [ "wlan1" ];
};
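Review bot: The `lan` zone in the last hunk is now address-scoped to the services VLAN on top of `lan1`, so packets arriving on `lan1` from any other VLAN's range no longer match `lan` and are presumably handled as the parent `lan-interface` zone, whose rules are outside this hunk. If zackbiene's `lan1` only ever sits on the services VLAN this is just a more precise statement of the same thing, but if home-VLAN devices are expected to reach it they now fall outside `lan`; a comment such as `# lan1 is on the services VLAN; other VLAN ranges are not treated as "lan"` would record which is intended. The `zones` attrset starts before the hunk.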