nix-config/hosts/elisabeth/net.nix

{
  config,
  lib,
  globals,
  ...
}:
let
  inherit (lib)
    flip
    mapAttrsToList
    mkMerge
    genAttrs
    attrNames
    ;
in
{
  networking = {
    inherit (config.secrets.secrets.local.networking) hostId;
  };
  networking.nftables.firewall.zones = genAttrs (attrNames globals.net.vlans) (name: {
    interfaces = [ "lan-${name}" ];
  });
  systemd.network.netdevs = mkMerge (
    flip mapAttrsToList globals.net.vlans (
      name:
      {
        id,
        ...
      }:
      {
        "40-vlan-${name}" = {
          netdevConfig = {
            Name = "vlan-${name}";
            Kind = "vlan";
          };
          vlanConfig.Id = id;
        };
        "50-macvlan-${name}" = {
          netdevConfig = {
            Name = "lan-${name}";
            Kind = "macvlan";
          };
          extraConfig = ''
            [MACVLAN]
            Mode=bridge
          '';
        };
      }
    )
  );
  systemd.network.networks = mkMerge (
    [
      {
        "40-vlans" = {
          matchConfig.Name = "lan01";
          networkConfig.LinkLocalAddressing = "no";
        };
      }
    ]
    ++ (flip mapAttrsToList globals.net.vlans (
      name: _: {
        "40-vlans".vlan = [ "vlan-${name}" ];
        "10-vlan-${name}" = {
          matchConfig.Name = "vlan-${name}";
          # This interface should only be used from attached macvtaps.
          # So don't acquire a link local address and only wait for
          # this interface to gain a carrier.
          networkConfig.LinkLocalAddressing = "no";
          linkConfig.RequiredForOnline = "carrier";
          extraConfig = ''
            [Network]
            MACVLAN=lan-${name}
          '';
        };
        "20-lan-${name}" = {
          DHCP = "yes";
          matchConfig.Name = "lan-${name}";
          networkConfig = {
            MulticastDNS = true;
            IPv6PrivacyExtensions = "yes";
          };
        };
      }
    ))
  );
  networking.nftables.firewall = {
    snippets.nnf-ssh.enable = lib.mkForce false;
    rules = {
      ssh = {
        from = [
          "home"
        ];
        to = [ "local" ];
        allowedTCPPorts = [ 22 ];
      };
      mdns = {
        from = [ "home" ];
        to = [ "local" ];
        allowedUDPPorts = [ 5353 ];
      };
    };
  };

  boot.initrd = {

    availableKernelModules = [
      "8021q"
    ];
    systemd.network = {
      enable = true;
      networks = {
        # redo the network cause the livesystem has macvlans
        "10-lan-home" = {
          DHCP = "yes";
          matchConfig.Name = "vlan-home";
          networkConfig = {
            IPv6PrivacyExtensions = "yes";
          };
        };
        "40-vlans" = {
          matchConfig.MACAddress = config.secrets.secrets.local.networking.interfaces.lan01.mac;
          vlan = [
            "vlan-home"
          ];
        };
      };
      netdevs = {
        "10-vlan-home" = {
          netdevConfig = {
            Name = "vlan-home";
            Kind = "vlan";
          };
          vlanConfig.Id = globals.net.vlans.home.id;
        };
      };
    };
  };

}
feat: globals feat: more vlan config 2024-12-20 20:40:27 +01:00			`{`
			`config,`
			`lib,`
			`globals,`
			`...`
			`}:`
			`let`
			`inherit (lib)`
			`flip`
			`mapAttrsToList`
			`mkMerge`
			`genAttrs`
			`attrNames`
			`;`
			`in`
feat: adguard home feat: implement extra module containers feat: final smb confi feat: final nextcloud confi feat: rework networks ip feat: move acme and ddclient to server 2024-01-11 22:42:03 +01:00			`{`
			`networking = {`
			`inherit (config.secrets.secrets.local.networking) hostId;`
			`};`
feat: globals feat: more vlan config 2024-12-20 20:40:27 +01:00			`networking.nftables.firewall.zones = genAttrs (attrNames globals.net.vlans) (name: {`
			`interfaces = [ "lan-${name}" ];`
			`});`
			`systemd.network.netdevs = mkMerge (`
			`flip mapAttrsToList globals.net.vlans (`
			`name:`
			`{`
			`id,`
			`...`
			`}:`
			`{`
			`"40-vlan-${name}" = {`
			`netdevConfig = {`
			`Name = "vlan-${name}";`
			`Kind = "vlan";`
			`};`
			`vlanConfig.Id = id;`
			`};`
			`"50-macvlan-${name}" = {`
			`netdevConfig = {`
			`Name = "lan-${name}";`
			`Kind = "macvlan";`
			`};`
			`extraConfig = ''`
			`[MACVLAN]`
			`Mode=bridge`
			`'';`
feat: adguard home feat: implement extra module containers feat: final smb confi feat: final nextcloud confi feat: rework networks ip feat: move acme and ddclient to server 2024-01-11 22:42:03 +01:00			`};`
feat: globals feat: more vlan config 2024-12-20 20:40:27 +01:00			`}`
			`)`
			`);`
			`systemd.network.networks = mkMerge (`
			`[`
			`{`
			`"40-vlans" = {`
			`matchConfig.Name = "lan01";`
			`networkConfig.LinkLocalAddressing = "no";`
			`};`
			`}`
			`]`
			`++ (flip mapAttrsToList globals.net.vlans (`
fix: switch to vlan 2024-12-22 19:00:21 +01:00			`name: _: {`
feat: globals feat: more vlan config 2024-12-20 20:40:27 +01:00			`"40-vlans".vlan = [ "vlan-${name}" ];`
			`"10-vlan-${name}" = {`
			`matchConfig.Name = "vlan-${name}";`
			`# This interface should only be used from attached macvtaps.`
			`# So don't acquire a link local address and only wait for`
			`# this interface to gain a carrier.`
			`networkConfig.LinkLocalAddressing = "no";`
			`linkConfig.RequiredForOnline = "carrier";`
			`extraConfig = ''`
			`[Network]`
			`MACVLAN=lan-${name}`
			`'';`
			`};`
			`"20-lan-${name}" = {`
fix: switch to vlan 2024-12-22 19:00:21 +01:00			`DHCP = "yes";`
feat: globals feat: more vlan config 2024-12-20 20:40:27 +01:00			`matchConfig.Name = "lan-${name}";`
			`networkConfig = {`
			`MulticastDNS = true;`
			`IPv6PrivacyExtensions = "yes";`
			`};`
			`};`
			`}`
			`))`
			`);`
			`networking.nftables.firewall = {`
			`snippets.nnf-ssh.enable = lib.mkForce false;`
			`rules = {`
			`ssh = {`
			`from = [`
			`"home"`
			`];`
			`to = [ "local" ];`
			`allowedTCPPorts = [ 22 ];`
feat: adguard home feat: implement extra module containers feat: final smb confi feat: final nextcloud confi feat: rework networks ip feat: move acme and ddclient to server 2024-01-11 22:42:03 +01:00			`};`
fix: switch to vlan 2024-12-22 19:00:21 +01:00			`mdns = {`
			`from = [ "home" ];`
			`to = [ "local" ];`
			`allowedUDPPorts = [ 5353 ];`
			`};`
feat: adguard home feat: implement extra module containers feat: final smb confi feat: final nextcloud confi feat: rework networks ip feat: move acme and ddclient to server 2024-01-11 22:42:03 +01:00			`};`
			`};`
feat: added local wireguard routing 2024-03-14 23:08:42 +01:00
feat: globals feat: more vlan config 2024-12-20 20:40:27 +01:00			`boot.initrd = {`
feat: forgejo backups feat: maddy 2024-01-27 23:21:42 +01:00
feat: globals feat: more vlan config 2024-12-20 20:40:27 +01:00			`availableKernelModules = [`
			`"8021q"`
			`];`
			`systemd.network = {`
			`enable = true;`
			`networks = {`
			`# redo the network cause the livesystem has macvlans`
fix: switch to vlan 2024-12-22 19:00:21 +01:00			`"10-lan-home" = {`
			`DHCP = "yes";`
feat: globals feat: more vlan config 2024-12-20 20:40:27 +01:00			`matchConfig.Name = "vlan-home";`
			`networkConfig = {`
			`IPv6PrivacyExtensions = "yes";`
			`};`
			`};`
			`"40-vlans" = {`
			`matchConfig.MACAddress = config.secrets.secrets.local.networking.interfaces.lan01.mac;`
			`vlan = [`
			`"vlan-home"`
			`];`
			`};`
			`};`
			`netdevs = {`
			`"10-vlan-home" = {`
			`netdevConfig = {`
			`Name = "vlan-home";`
			`Kind = "vlan";`
			`};`
fix: switch to vlan 2024-12-22 19:00:21 +01:00			`vlanConfig.Id = globals.net.vlans.home.id;`
feat: globals feat: more vlan config 2024-12-20 20:40:27 +01:00			`};`
feat: forgejo backups feat: maddy 2024-01-27 23:21:42 +01:00			`};`
			`};`
			`};`
feat: globals feat: more vlan config 2024-12-20 20:40:27 +01:00
feat: adguard home feat: implement extra module containers feat: final smb confi feat: final nextcloud confi feat: rework networks ip feat: move acme and ddclient to server 2024-01-11 22:42:03 +01:00			`}`