From 3d3995575982e06f13d53087cd73330f8a967380 Mon Sep 17 00:00:00 2001 From: Patrick Date: Mon, 16 Dec 2024 21:28:08 +0100 Subject: [PATCH] feat: vlans --- config/basic/net.nix | 1 + config/support/server.nix | 11 --- flake.lock | 8 +-- hosts/elisabeth/guests.nix | 19 +++-- hosts/nucnix/guests.nix | 7 +- hosts/nucnix/net.nix | 123 ++++++++++++++++++++++++++------- nix/topology.nix | 1 + users/patrick/impermanence.nix | 2 + users/patrick/patrick.nix | 2 + users/patrick/ssh.nix | 14 ---- 10 files changed, 127 insertions(+), 61 deletions(-) diff --git a/config/basic/net.nix b/config/basic/net.nix index 0588783..ff0e03b 100644 --- a/config/basic/net.nix +++ b/config/basic/net.nix @@ -5,6 +5,7 @@ }: { networking = { + search = [ "local" ]; useNetworkd = true; dhcpcd.enable = false; useDHCP = false; diff --git a/config/support/server.nix b/config/support/server.nix index 4d3e51d..2479f8d 100644 --- a/config/support/server.nix +++ b/config/support/server.nix @@ -6,17 +6,6 @@ # stubs. Server users should know what they are doing. stub-ld.enable = false; }; - # Given that our systems are headless, emergency mode is useless. - # We prefer the system to attempt to continue booting so - # that we can hopefully still access it remotely. - boot.initrd.systemd.suppressedUnits = [ - "emergency.service" - "emergency.target" - ]; - # Given that our systems are headless, emergency mode is useless. - # We prefer the system to attempt to continue booting so - # that we can hopefully still access it remotely. - systemd.enableEmergencyMode = false; documentation.nixos.enable = false; diff --git a/flake.lock b/flake.lock index f817007..3aaf8c0 100644 --- a/flake.lock +++ b/flake.lock 
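Review bot: `search = [ "local" ];` sits in `config/basic/net.nix`, which by its path looks like a base module every host imports, so any single-label name on any host now gets retried as `<name>.local` — answered by unauthenticated mDNS where `MulticastDNS` is on, and forwarded to the unicast resolver where it is off, which leaks internal hostnames and is exactly what RFC 6762 asks not to do with `.local`. If the intent is only LAN hosts with mDNS, scope the option to them, or at minimum document it: `# Resolve bare hostnames as <name>.local via mDNS; only meaningful on hosts with MulticastDNS enabled`. Which hosts import this file is not visible in the hunk, so treat the scoping as something to confirm.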
@@ -1642,11 +1642,11 @@ "treefmt-nix": "treefmt-nix_3" }, "locked": { - "lastModified": 1734202825, - "narHash": "sha256-/9r2lRpVLG81uF7zxuk4LDnPZN0kk93tTclMA5KQK0E=", + "lastModified": 1734374811, + "narHash": "sha256-+an6TysKwyWWeC7MeWGoHcULR9gc7TeXyszMAzvwRRo=", "ref": "refs/heads/main", - "rev": "09fb938cb462681aaf6d7016e35a90d4995aad8c", - "revCount": 23, + "rev": "85a6a4df38b05ed2d70e530d43de9820b3231e4a", + "revCount": 25, "type": "git", "url": "https://forge.lel.lol/patrick/nixp-meta.git" }, diff --git a/hosts/elisabeth/guests.nix b/hosts/elisabeth/guests.nix index f0688de..a044d01 100644 --- a/hosts/elisabeth/guests.nix +++ b/hosts/elisabeth/guests.nix @@ -59,6 +59,7 @@ in port ? 3000, upstream ? hostName, protocol ? "http", + ... }: { upstreams.${hostName} = { @@ -84,7 +85,11 @@ in }; }; proxyProtect = - hostName: cfg: allowedGroup: + hostName: + { + allowedGroup ? true, + ... + }@cfg: lib.mkMerge [ (blockOf hostName cfg) { @@ -145,16 +150,16 @@ in proxy_request_buffering off; ''; }) - (proxyProtect "adguardhome" { } true) - (proxyProtect "oauth2-proxy" { } false) + (proxyProtect "adguardhome" { }) + (proxyProtect "oauth2-proxy" { allowedGroup = false; }) (blockOf "paperless" { maxBodySize = "5G"; }) - (proxyProtect "ttrss" { port = 80; } true) - (proxyProtect "invidious" { } true) + (proxyProtect "ttrss" { port = 80; }) + (proxyProtect "invidious" { }) (blockOf "yourspotify" { port = 80; }) (blockOf "blog" { port = 80; }) (blockOf "homebox" { }) - (proxyProtect "ollama" { } true) - (proxyProtect "firefly" { port = 80; } true) + (proxyProtect "ollama" { }) + (proxyProtect "firefly" { port = 80; }) (blockOf "apispotify" { port = 3000; upstream = "yourspotify"; diff --git a/hosts/nucnix/guests.nix b/hosts/nucnix/guests.nix index 51cec1f..1e7c971 100644 --- a/hosts/nucnix/guests.nix +++ b/hosts/nucnix/guests.nix @@ -30,6 +30,7 @@ in port ? 3000, upstream ? hostName, protocol ? "http", + ... }: { upstreams.${hostName} = { 
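Review bot: Adding `...` to both the `blockOf` pattern and the new `{ allowedGroup ? true, ... }@cfg` pattern of `proxyProtect` means a misspelled option in a call (e.g. `allowedGroups = false`) is silently accepted and `allowedGroup` quietly takes its default, removing the one evaluation-time check Nix gave on an access-control option. `proxyProtect` needs `...` to accept `blockOf`'s options, but `blockOf` does not: leave its pattern strict and forward `(blockOf hostName (builtins.removeAttrs cfg [ "allowedGroup" ]))` so unknown attributes still fail evaluation. What `allowedGroup` gates is in the part of `proxyProtect` below the hunk; I am reading its meaning only from the `oauth2-proxy` call that sets it to `false`.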
@@ -55,7 +56,11 @@ in }; }; proxyProtect = - hostName: cfg: allowedGroup: + hostName: + { + allowedGroup ? true, + ... + }@cfg: lib.mkMerge [ (blockOf hostName cfg) { diff --git a/hosts/nucnix/net.nix b/hosts/nucnix/net.nix index a8b7206..909b4ca 100644 --- a/hosts/nucnix/net.nix +++ b/hosts/nucnix/net.nix @@ -3,28 +3,8 @@ networking = { inherit (config.secrets.secrets.local.networking) hostId; }; - systemd.network.networks = { - "10-lan01" = { - address = [ - (lib.net.cidr.hostCidr config.secrets.secrets.global.net.ips.${config.node.name} - config.secrets.secrets.global.net.privateSubnetv4 - ) - ]; - gateway = [ (lib.net.cidr.host 1 config.secrets.secrets.global.net.privateSubnetv4) ]; - #matchConfig.MACAddress = config.secrets.secrets.local.networking.interfaces.lan01.mac; - matchConfig.Name = "lan"; - dhcpV6Config.UseDNS = false; - dhcpV4Config.UseDNS = false; - ipv6AcceptRAConfig.UseDNS = false; - networkConfig = { - MulticastDNS = true; - }; - }; - }; - boot.initrd.systemd.network = { - enable = true; + systemd.network = { networks = { - # redo the network cause the livesystem has macvlans "10-lan01" = { address = [ (lib.net.cidr.hostCidr config.secrets.secrets.global.net.ips.${config.node.name} 
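Review bot: Same concern as in `hosts/elisabeth/guests.nix`: with `...` now in the `proxyProtect` pattern and (per the previous hunk) in `blockOf`, a typo in the attribute name no longer fails evaluation and `allowedGroup` silently falls back to `true`. Keep `blockOf` strict and forward `(blockOf hostName (builtins.removeAttrs cfg [ "allowedGroup" ]))` instead of the raw `cfg`. The rest of `proxyProtect`, where `allowedGroup` is consumed, is outside the hunk.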
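Review bot: The live `"10-lan01"` network now matches `Name = "lan"`, i.e. the host macvlan rather than the physical NIC, so the unit name is misleading and the retained `#matchConfig.MACAddress = ...` line is dead code that invites someone to re-enable a match that would then hit the wrong interface. Rename the unit to `"10-lan"` and delete the commented line, or replace it with `# Matches the host macvlan "lan" (networking.macvlans.lan), not the physical lan01`. The network's body continues into the next hunk.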
@@ -32,23 +12,118 @@ ) ]; gateway = [ (lib.net.cidr.host 1 config.secrets.secrets.global.net.privateSubnetv4) ]; - matchConfig.MACAddress = config.secrets.secrets.local.networking.interfaces.lan01.mac; + #matchConfig.MACAddress = config.secrets.secrets.local.networking.interfaces.lan01.mac; + matchConfig.Name = "lan"; dhcpV6Config.UseDNS = false; dhcpV4Config.UseDNS = false; ipv6AcceptRAConfig.UseDNS = false; networkConfig = { - IPv6PrivacyExtensions = "yes"; MulticastDNS = true; }; }; }; + netdevs."40-vlan-home" = { + netdevConfig = { + Name = "vlan-home"; + Kind = "vlan"; + }; + vlanConfig.Id = 10; + }; + + netdevs."40-vlan-services" = { + netdevConfig = { + Name = "vlan-services"; + Kind = "vlan"; + }; + vlanConfig.Id = 20; + }; + + netdevs."40-vlan-devices" = { + netdevConfig = { + Name = "vlan-devices"; + Kind = "vlan"; + }; + vlanConfig.Id = 30; + }; + + netdevs."40-vlan-iot" = { + netdevConfig = { + Name = "vlan-iot"; + Kind = "vlan"; + }; + vlanConfig.Id = 40; + }; + + netdevs."40-vlan-guests" = { + netdevConfig = { + Name = "vlan-guests"; + Kind = "vlan"; + + }; + vlanConfig.Id = 50; + }; + + networks."40-vlans" = { + matchConfig.Name = "lan01"; + vlan = [ + "vlan-home" + "vlan-services" + "vlan-devices" + "vlan-iot" + "vlan-guests" + ]; + }; }; networking.nftables.firewall.zones.untrusted.interfaces = [ "lan" ]; # To be able to ping containers from the host, it is necessary # to create a macvlan on the host on the VLAN 1 network. 
networking.macvlans.lan = { - interface = "lan01"; + interface = "vlan-home"; mode = "bridge"; }; + + boot.initrd = { + + availableKernelModules = [ + "8021q" + ]; + systemd.network = { + enable = true; + networks = { + # redo the network cause the livesystem has macvlans + "10-lan01" = { + address = [ + (lib.net.cidr.hostCidr config.secrets.secrets.global.net.ips.${config.node.name} + config.secrets.secrets.global.net.privateSubnetv4 + ) + ]; + gateway = [ (lib.net.cidr.host 1 config.secrets.secrets.global.net.privateSubnetv4) ]; + matchConfig.Name = "vlan-home"; + dhcpV6Config.UseDNS = false; + dhcpV4Config.UseDNS = false; + ipv6AcceptRAConfig.UseDNS = false; + networkConfig = { + IPv6PrivacyExtensions = "yes"; + MulticastDNS = true; + }; + }; + }; + netdevs."10-vlan-home" = { + netdevConfig = { + Name = "vlan-home"; + Kind = "vlan"; + + }; + vlanConfig.Id = 10; + }; + + networks."40-vlans" = { + matchConfig.MACAddress = config.secrets.secrets.local.networking.interfaces.lan01.mac; + vlan = [ + "vlan-home" + ]; + }; + }; + }; } diff --git a/nix/topology.nix b/nix/topology.nix index b1d7bdb..f4912bb 100644 --- a/nix/topology.nix +++ b/nix/topology.nix @@ -68,6 +68,7 @@ in eth3 = mkConnection "switch-patrick" "eth5"; eth4 = mkConnection "docking-station-ganzoben" "lan"; eth5 = mkConnection "desktop-ganzoben" "lan"; + eth6 = mkConnection "nucnix" "lan01"; eth9 = mkConnection "drucker" "lan"; eth10 = mkConnection "homematic" "lan"; eth11 = mkConnection "raspberry-pi" "lan"; diff --git a/users/patrick/impermanence.nix b/users/patrick/impermanence.nix index fd7a899..a71dee4 100644 --- a/users/patrick/impermanence.nix +++ b/users/patrick/impermanence.nix @@ -32,6 +32,8 @@ ".config/gh" + ".config/qmk" + ".local/share/osu" ".local/share/monado" diff --git a/users/patrick/patrick.nix b/users/patrick/patrick.nix index 1876d83..d79554d 100644 --- a/users/patrick/patrick.nix +++ b/users/patrick/patrick.nix 
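Review bot: The new `vlan-services`, `vlan-devices`, `vlan-iot` and `vlan-guests` netdevs are created on `lan01` but no `networks` unit configures them and the context line `networking.nftables.firewall.zones.untrusted.interfaces = [ "lan" ]` still lists only the macvlan, so anything the host receives on those links (notably the guest and IoT segments) is in no zone; either extend it, `interfaces = [ "lan" "vlan-services" "vlan-devices" "vlan-iot" "vlan-guests" ];`, or do not create the netdevs until something attaches to them. How the firewall module treats unzoned interfaces is outside this hunk, so I am flagging rather than asserting exposure. The context comment `# to create a macvlan on the host on the VLAN 1 network.` is stale now that `networking.macvlans.lan.interface = "vlan-home"` (id 10). The initrd network keeps `IPv6PrivacyExtensions = "yes"` while the running `"10-lan01"` drops it, which looks unintentional, and the initrd now additionally depends on `8021q` and the VLAN coming up, a new early-boot failure mode worth testing if anything there (e.g. remote unlock) waits on the network.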
@@ -41,6 +41,7 @@ yt-dlp zathura zotero + qmk ]; }; hm.programs.bat.enable = true; @@ -60,4 +61,5 @@ DOWN add volume -2 ''; }; + services.udev.packages = [ pkgs.qmk-udev-rules ]; } diff --git a/users/patrick/ssh.nix b/users/patrick/ssh.nix index 8f89338..b217bda 100644 --- a/users/patrick/ssh.nix +++ b/users/patrick/ssh.nix @@ -26,16 +26,6 @@ user = "root"; }; - "testienix" = { - hostname = "testienix.local"; - user = "root"; - }; - - "patricknix" = { - hostname = "patricknix.local"; - user = "root"; - }; - "maddy" = { hostname = config.secrets.secrets.global.user.hetzner_ip; user = "root"; @@ -45,10 +35,6 @@ user = "root"; }; - "desktopnix" = { - hostname = "desktopnix.local"; - user = "root"; - }; "*" = { user = "root"; identitiesOnly = true;
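Review bot: `services.udev.packages = [ pkgs.qmk-udev-rules ];` is a system-wide option placed in a per-user module, so the device access those rules grant applies to every local session on every host that imports `users/patrick`, not just to this user or to a host where keyboards are actually flashed. If that is intended, say so on the line, `# system-wide: udev rules are not per-user; grants local sessions access to QMK bootloader devices`, otherwise move it to the host configs that need it. The module header is outside the hunk, so I am assuming `pkgs` is bound there as it must be for the `qmk` package added in the earlier hunk.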