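{
  config,
  lib,
  globals,
  ...
}:
# Host networking for a multi-VLAN uplink.
#
# For every entry in `globals.net.vlans` an 802.1Q sub-interface `vlan-<name>`
# is created on the physical uplink, and a bridge-mode macvlan `lan-<name>`
# on top of it.  The macvlan is the interface the host itself uses (DHCP,
# firewall zone); the bare VLAN interface is kept address-less and only
# serves as the parent for macvlan/macvtap endpoints (see the comments on
# "10-vlan-<name>" below).  Each VLAN also becomes its own nftables firewall
# zone, so cross-VLAN policy is written per zone, not per interface name.
let
  inherit (lib)
    flip
    mapAttrsToList
    mkMerge
    genAttrs
    attrNames
    ;
in
{
  networking = {
    # hostId is sourced from the local secrets set rather than hard-coded
    # here; it has to stay stable across rebuilds (it identifies this host
    # e.g. to ZFS pool import).
    inherit (config.secrets.secrets.local.networking) hostId;
  };

  # One firewall zone per VLAN, named after the VLAN and bound to its macvlan.
  # The zone set is derived from `globals.net.vlans`, so adding a VLAN there
  # creates a zone here automatically.  A zone that is not named in a rule
  # further down gets no inbound allowance towards `local`.
  networking.nftables.firewall.zones = genAttrs (attrNames globals.net.vlans) (name: {
    interfaces = [ "lan-${name}" ];
  });

  systemd.network.netdevs = mkMerge (
    flip mapAttrsToList globals.net.vlans (
      name:
      {
        id,
        ...
      }:
      {
        # 802.1Q sub-interface; it is attached to the uplink via the
        # `vlan = [...]` entries merged into "40-vlans" below.
        "40-vlan-${name}" = {
          netdevConfig = {
            Name = "vlan-${name}";
            Kind = "vlan";
          };
          vlanConfig.Id = id;
        };
        # macvlan on top of the VLAN sub-interface.  Bridge mode is what allows
        # this host-side endpoint and other macvlan/macvtap endpoints on the
        # same parent (the "attached macvtaps" mentioned below) to reach each
        # other directly.
        "50-macvlan-${name}" = {
          netdevConfig = {
            Name = "lan-${name}";
            Kind = "macvlan";
          };
          # Typed option instead of a raw `[MACVLAN] Mode=bridge` extraConfig
          # block so the value is validated at evaluation time; the rendered
          # unit is the same.
          macvlanConfig.Mode = "bridge";
        };
      }
    )
  );

  systemd.network.networks = mkMerge (
    [
      {
        # Physical uplink.  It only carries tagged VLAN traffic, so it gets no
        # address of its own, not even link-local.
        "40-vlans" = {
          matchConfig.Name = "lan01";
          networkConfig.LinkLocalAddressing = "no";
        };
      }
    ]
    ++ (flip mapAttrsToList globals.net.vlans (
      name: _: {
        # Attach this VLAN to the uplink.  mkMerge concatenates the per-VLAN
        # singleton lists into one `VLAN=` list on the "40-vlans" unit.
        "40-vlans".vlan = [ "vlan-${name}" ];
        "10-vlan-${name}" = {
          matchConfig.Name = "vlan-${name}";
          # This interface should only be used from attached macvtaps.
          # So don't acquire a link local address and only wait for
          # this interface to gain a carrier.
          networkConfig.LinkLocalAddressing = "no";
          linkConfig.RequiredForOnline = "carrier";
          # Typed form of `[Network] MACVLAN=lan-<name>`; hands the
          # host-side macvlan its parent.
          macvlan = [ "lan-${name}" ];
        };
        # The host's own presence in the VLAN.  Note this enables DHCP on
        # *every* VLAN in `globals.net.vlans`, so the host is addressable in
        # all of them and relies solely on the zone rules below to limit what
        # it accepts.
        "20-lan-${name}" = {
          DHCP = "yes";
          matchConfig.Name = "lan-${name}";
          networkConfig = {
            IPv6PrivacyExtensions = "yes";
          };
        };
      }
    ))
  );

  networking.nftables.firewall = {
    # The stock nnf-ssh snippet opens the SSH port without regard to the
    # zone it comes from; force it off and re-add SSH restricted to the
    # "home" zone instead.
    snippets.nnf-ssh.enable = lib.mkForce false;
    rules = {
      ssh = {
        from = [
          "home"
        ];
        to = [ "local" ];
        allowedTCPPorts = [ 22 ];
      };
      # mDNS responder, likewise reachable only from "home".
      mdns = {
        from = [ "home" ];
        to = [ "local" ];
        allowedUDPPorts = [ 5353 ];
      };
    };
  };

  boot.initrd = {
    # Required so the initrd can create the 802.1Q sub-interface below.
    availableKernelModules = [
      "8021q"
    ];

    systemd.network = {
      enable = true;
      networks = {
        # redo the network cause the livesystem has macvlans
        #
        # The initrd takes its address directly on the VLAN interface instead
        # of on a macvlan.  NOTE(review): nothing here carries the nftables
        # policy from above into the initrd, so whatever the initrd listens
        # on during boot (e.g. a remote-unlock daemon, if one is configured
        # elsewhere) is reachable by every host on the "home" VLAN.
        "10-lan-home" = {
          DHCP = "yes";
          matchConfig.Name = "vlan-home";
          networkConfig = {
            IPv6PrivacyExtensions = "yes";
          };
        };
        # The uplink is matched by MAC here, whereas the live system matches
        # the name "lan01" -- presumably because that name is not yet assigned
        # this early in boot.  Both must be kept in sync if the NIC changes.
        "40-vlans" = {
          matchConfig.MACAddress = config.secrets.secrets.local.networking.interfaces.lan01.mac;
          vlan = [
            "vlan-home"
          ];
        };
      };
      netdevs = {
        "10-vlan-home" = {
          netdevConfig = {
            Name = "vlan-home";
            Kind = "vlan";
          };
          # Same tag as the live system's "home" VLAN so the initrd lands on
          # the same L2 segment.
          vlanConfig.Id = globals.net.vlans.home.id;
        };
      };
    };
  };
}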