{
config,
lib,
globals,
...
}:
let
inherit (lib)
flip
mapAttrsToList
mkMerge
genAttrs
attrNames
;
in
{
# Sibling modules of this host's network setup (DHCP via kea, traffic
# forwarding); both are host-specific and live next to this file.
imports = [
  ./kea.nix
  ./forwarding.nix
];
# This host routes between the VLANs (see the firewall rules below), so
# kernel-wide IPv4 forwarding has to be on. The per-interface
# IPv4Forwarding=yes on the lan-* networks below covers the same for those
# links.
# NOTE(review): no IPv6 forwarding sysctl is set here although the lan-*
# networks send router advertisements and delegate prefixes — confirm that
# networkd enables per-link IPv6 forwarding for them, otherwise
# "net.ipv6.conf.all.forwarding" is needed as well.
boot.kernel.sysctl = {
  "net.ipv4.ip_forward" = 1;
};
networking.nftables.firewall.zones =
  let
    # One zone per VLAN from globals, bound to the macvlan "lan-<name>" that
    # carries this host's own address on that VLAN (see systemd.network.netdevs).
    vlanZones = lib.mapAttrs (name: _: {
      interfaces = [ "lan-${name}" ];
    }) globals.net.vlans;
    # Zones that do not follow the per-VLAN pattern.
    extraZones = {
      # The upstream side: the default route leaves via vlan-fritz
      # (see "10-lan-fritz" in systemd.network.networks).
      fritz.interfaces = [ "vlan-fritz" ];
      # Presumably the tunnel interface of wireguard.services.server below.
      wg-services.interfaces = [ "services" ];
      # Address-based zone for the AdGuard Home resolver on the services VLAN.
      adguard.ipv4Addresses = [
        (lib.net.cidr.host globals.services.adguardhome.ip globals.net.vlans.services.cidrv4)
      ];
    };
  in
  mkMerge [
    extraZones
    vlanZones
  ];
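systemd.network.netdevs =
  let
    # The upstream VLAN towards the fritz network, tagged with id 2.
    fritzNetdev = {
      "40-vlan-fritz" = {
        netdevConfig = {
          Name = "vlan-fritz";
          Kind = "vlan";
        };
        vlanConfig.Id = 2;
      };
    };
    # Per VLAN from globals: the tagged interface "vlan-<name>" plus a
    # macvlan "lan-<name>" on top of it. The macvlan (bridge mode) is what
    # carries this host's address; the vlan interface itself only serves as
    # parent for the macvlan/macvtaps (see systemd.network.networks).
    vlanNetdevs = lib.mapAttrsToList (
      name:
      { id, ... }:
      {
        "40-vlan-${name}" = {
          netdevConfig = {
            Name = "vlan-${name}";
            Kind = "vlan";
          };
          vlanConfig.Id = id;
        };
        "50-macvlan-${name}" = {
          netdevConfig = {
            Name = "lan-${name}";
            Kind = "macvlan";
          };
          # Typed option instead of a raw extraConfig block, so the key is
          # checked at evaluation time just like vlanConfig above.
          macvlanConfig.Mode = "bridge";
        };
      }
    ) globals.net.vlans;
  in
  mkMerge ([ fritzNetdev ] ++ vlanNetdevs);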
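systemd.network.networks =
  let
    inherit (globals.net) vlans;
    # The physical uplink lan01 is a pure trunk: it carries the fritz VLAN and
    # every VLAN from globals and gets no address of its own. Declaring the
    # whole list here replaces the per-VLAN "40-vlans".vlan merges; the
    # resulting order (fritz first, then VLANs by name) is unchanged.
    trunk = {
      "40-vlans" = {
        matchConfig.Name = "lan01";
        networkConfig.LinkLocalAddressing = "no";
        vlan = [ "vlan-fritz" ] ++ map (name: "vlan-${name}") (attrNames vlans);
      };
    };
    # Upstream: this host is host 2 in the fritz network and routes via host 1.
    fritz = {
      "10-lan-fritz" = {
        address = [ (lib.net.cidr.hostCidr 2 "10.99.2.0/24") ];
        gateway = [ (lib.net.cidr.host 1 "10.99.2.0/24") ];
        matchConfig.Name = "vlan-fritz";
        networkConfig.IPv6PrivacyExtensions = "yes";
      };
    };
    perVlan = lib.mapAttrsToList (
      name:
      { cidrv4, cidrv6, ... }:
      {
        "10-vlan-${name}" = {
          matchConfig.Name = "vlan-${name}";
          # This interface should only be used from attached macvtaps.
          # So don't acquire a link local address and only wait for
          # this interface to gain a carrier.
          networkConfig.LinkLocalAddressing = "no";
          linkConfig.RequiredForOnline = "carrier";
          # Typed option instead of an extraConfig [Network] block, matching
          # how the vlan list is declared on the trunk.
          macvlan = [ "lan-${name}" ];
        };
        # The macvlan carries this host's address on the VLAN (host 1 of the
        # v4 range) and announces the VLAN's v6 prefix as router.
        "20-lan-${name}" = {
          address = [ (lib.net.cidr.hostCidr 1 cidrv4) ];
          matchConfig.Name = "lan-${name}";
          networkConfig = {
            MulticastDNS = true;
            IPv6PrivacyExtensions = "yes";
            IPv4Forwarding = "yes";
            IPv6SendRA = true;
            IPv6AcceptRA = false;
            DHCPPrefixDelegation = true;
          };
          ipv6Prefixes = [ { Prefix = cidrv6; } ];
        };
      }
    ) vlans;
  in
  mkMerge ([ fritz trunk ] ++ perVlan);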
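networking.nftables.firewall = {
  # The stock nnf-ssh snippet is disabled (it presumably admits ssh from any
  # zone); the narrower ssh rule below replaces it.
  snippets.nnf-ssh.enable = lib.mkForce false;
  rules = {
    # Zone names: "home", "devices", "guests" and "services" are assumed to
    # be VLAN names from globals.net.vlans (one zone each, see the zone
    # definitions above); "fritz" is the upstream side, "adguard" the
    # resolver address and "wg-services" the wireguard tunnel.
    mdns = {
      from = [ "home" ];
      to = [ "local" ];
      allowedUDPPorts = [ 5353 ];
    };
    # NOTE(review): "fritz" is the upstream network (the default route leaves
    # via vlan-fritz), so ssh to this host is reachable from every device on
    # that side as well — confirm that is intended.
    ssh = {
      from = [ "fritz" "home" ];
      to = [ "local" ];
      allowedTCPPorts = [ 22 ];
    };
    services = {
      from = [ "home" ];
      to = [ "services" "fritz" ];
      late = true;
      verdict = "accept";
    };
    dns = {
      from = [ "home" "devices" "guests" "services" ];
      to = [ "adguard" ];
      # DNS needs TCP as well as UDP: clients retry over TCP when an answer
      # does not fit a UDP datagram (truncated response), so opening only
      # UDP/53 silently breaks those lookups.
      allowedUDPPorts = [ 53 ];
      allowedTCPPorts = [ 53 ];
    };
    # Everything internal may reach the upstream, NATed to this host's
    # fritz address.
    internet = {
      from = [ "home" "devices" "guests" "services" ];
      to = [ "fritz" ];
      late = true;
      verdict = "accept";
      masquerade = true;
    };
    wireguard = {
      from = [ "services" ];
      to = [ "local" ];
      allowedUDPPorts = [ config.wireguard.services.server.port ];
    };
    # Forward traffic between participants
    forward-wireguard = {
      from = [ "wg-services" ];
      to = [ "wg-services" ];
      verdict = "accept";
    };
  };
};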
# Server side of the "services" wireguard network (project-specific module).
# This host takes host 1 of 10.99.20.0/24; the reserved ranges are
# presumably address pools kept for peers. The listening port is referenced
# by the "wireguard" firewall rule above.
wireguard.services.server = {
  openFirewall = true;
  host = lib.net.cidr.host 1 "10.99.20.0/24";
  reservedAddresses = [
    "10.42.0.0/20"
    "fd00:1764::/112"
  ];
};
# The ZFS/host id is taken from the local secrets rather than written here.
networking.hostId = config.secrets.secrets.local.networking.hostId;
# Early-boot (initrd) networking. Only the fritz uplink and the home VLAN are
# brought up, both directly on the tagged vlan interfaces: the macvlans of the
# live system do not exist yet, so the networks from above are redone here
# ("redo the network cause the livesystem has macvlans").
# NOTE(review): the nftables ruleset above is presumably not active in the
# initrd — confirm nothing beyond what early boot needs listens on these
# addresses.
boot.initrd =
  let
    # Same upstream parameters as "10-lan-fritz" / "40-vlan-fritz" above.
    fritzCidr = "10.99.2.0/24";
    fritzVlanId = 2;
    homeVlan = globals.net.vlans.home;
  in
  {
    # 802.1q tagging is needed to create the vlan interfaces in the initrd.
    availableKernelModules = [ "8021q" ];
    systemd.network = {
      enable = true;
      netdevs = {
        "10-vlan-home" = {
          netdevConfig = {
            Name = "vlan-home";
            Kind = "vlan";
          };
          vlanConfig.Id = homeVlan.id;
        };
        "10-vlan-fritz" = {
          netdevConfig = {
            Name = "vlan-fritz";
            Kind = "vlan";
          };
          vlanConfig.Id = fritzVlanId;
        };
      };
      networks = {
        # Host 1 of the home VLAN, as on lan-home in the live system.
        "10-lanhome" = {
          matchConfig.Name = "vlan-home";
          address = [ (lib.net.cidr.hostCidr 1 homeVlan.cidrv4) ];
          networkConfig.IPv6PrivacyExtensions = "yes";
        };
        # Host 2 in the fritz network, default route via host 1.
        "10-lan-fritz" = {
          matchConfig.Name = "vlan-fritz";
          address = [ (lib.net.cidr.hostCidr 2 fritzCidr) ];
          gateway = [ (lib.net.cidr.host 1 fritzCidr) ];
          networkConfig.IPv6PrivacyExtensions = "yes";
        };
        # The trunk is matched by MAC here (the live system matches the
        # name "lan01"), presumably because that name is not assigned yet
        # this early.
        "40-vlans" = {
          matchConfig.MACAddress = config.secrets.secrets.local.networking.interfaces.lan01.mac;
          vlan = [
            "vlan-home"
            "vlan-fritz"
          ];
        };
      };
    };
  };
}