feat: vlans

This commit is contained in:
Patrick 2024-12-16 21:28:08 +01:00
parent d4e2805a87
commit 3d39955759
Signed by: patrick
GPG key ID: 451F95EFB8BECD0F
10 changed files with 127 additions and 61 deletions


@ -5,6 +5,7 @@
}: }:
{ {
networking = { networking = {
search = [ "local" ];
useNetworkd = true; useNetworkd = true;
dhcpcd.enable = false; dhcpcd.enable = false;
useDHCP = false; useDHCP = false;
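Review bot: `search = [ "local" ];` changes how `.local` names are routed, not only how unqualified names are completed: systemd-resolved (presumably in use with `useNetworkd = true`) sends `.local` lookups to unicast DNS only when `local` is configured as a search or routing domain, so after this line those names go to the DNS server as well as to mDNS, and a single-label name like `nucnix` is expanded to `nucnix.local` and may be answered by any device on the segment. If that is intended, a comment would save the next reader the lookup, e.g. `# "local" as search domain: unqualified names become <name>.local and .local is also sent to unicast DNS (see resolved.conf(5)).`. The enclosing `networking` attrset starts and ends outside the hunk.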


@ -6,17 +6,6 @@
# stubs. Server users should know what they are doing. # stubs. Server users should know what they are doing.
stub-ld.enable = false; stub-ld.enable = false;
}; };
# Given that our systems are headless, emergency mode is useless.
# We prefer the system to attempt to continue booting so
# that we can hopefully still access it remotely.
boot.initrd.systemd.suppressedUnits = [
"emergency.service"
"emergency.target"
];
# Given that our systems are headless, emergency mode is useless.
# We prefer the system to attempt to continue booting so
# that we can hopefully still access it remotely.
systemd.enableEmergencyMode = false;
documentation.nixos.enable = false; documentation.nixos.enable = false;
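Review bot: `systemd.enableEmergencyMode = false;` is an option of the stage-2 systemd module, while the lines it replaces (`boot.initrd.systemd.suppressedUnits = [ "emergency.service" "emergency.target" ]`) applied to the initrd; as far as the hunk shows, an initrd failure (missing root device, failed unlock) can now stop in initrd emergency mode again, with or without a shell depending on `boot.initrd.systemd.emergencyAccess`, which is exactly the headless hang the moved comment says the author wants to avoid. Either keep the initrd `suppressedUnits` entry next to the new option, or confirm in the NixOS initrd module that `enableEmergencyMode` also covers stage 1 before relying on it alone. The enclosing attrset starts and ends outside the hunk.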


@ -1642,11 +1642,11 @@
"treefmt-nix": "treefmt-nix_3" "treefmt-nix": "treefmt-nix_3"
}, },
"locked": { "locked": {
"lastModified": 1734202825, "lastModified": 1734374811,
"narHash": "sha256-/9r2lRpVLG81uF7zxuk4LDnPZN0kk93tTclMA5KQK0E=", "narHash": "sha256-+an6TysKwyWWeC7MeWGoHcULR9gc7TeXyszMAzvwRRo=",
"ref": "refs/heads/main", "ref": "refs/heads/main",
"rev": "09fb938cb462681aaf6d7016e35a90d4995aad8c", "rev": "85a6a4df38b05ed2d70e530d43de9820b3231e4a",
"revCount": 23, "revCount": 25,
"type": "git", "type": "git",
"url": "https://forge.lel.lol/patrick/nixp-meta.git" "url": "https://forge.lel.lol/patrick/nixp-meta.git"
}, },


@ -59,6 +59,7 @@ in
port ? 3000, port ? 3000,
upstream ? hostName, upstream ? hostName,
protocol ? "http", protocol ? "http",
...
}: }:
{ {
upstreams.${hostName} = { upstreams.${hostName} = {
@ -84,7 +85,11 @@ in
}; };
}; };
proxyProtect = proxyProtect =
hostName: cfg: allowedGroup: hostName:
{
allowedGroup ? true,
...
}@cfg:
lib.mkMerge [ lib.mkMerge [
(blockOf hostName cfg) (blockOf hostName cfg)
{ {
@ -145,16 +150,16 @@ in
proxy_request_buffering off; proxy_request_buffering off;
''; '';
}) })
(proxyProtect "adguardhome" { } true) (proxyProtect "adguardhome" { })
(proxyProtect "oauth2-proxy" { } false) (proxyProtect "oauth2-proxy" { allowedGroup = false; })
(blockOf "paperless" { maxBodySize = "5G"; }) (blockOf "paperless" { maxBodySize = "5G"; })
(proxyProtect "ttrss" { port = 80; } true) (proxyProtect "ttrss" { port = 80; })
(proxyProtect "invidious" { } true) (proxyProtect "invidious" { })
(blockOf "yourspotify" { port = 80; }) (blockOf "yourspotify" { port = 80; })
(blockOf "blog" { port = 80; }) (blockOf "blog" { port = 80; })
(blockOf "homebox" { }) (blockOf "homebox" { })
(proxyProtect "ollama" { } true) (proxyProtect "ollama" { })
(proxyProtect "firefly" { port = 80; } true) (proxyProtect "firefly" { port = 80; })
(blockOf "apispotify" { (blockOf "apispotify" {
port = 3000; port = 3000;
upstream = "yourspotify"; upstream = "yourspotify";
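Review bot: Adding `...` to the `blockOf` parameter pattern (and again in the second file's identical hunk) removes the evaluator's check for unknown attributes, so a misspelled key in a call site is now silently dropped instead of failing evaluation; for `allowedGroup ? true` that fails closed (a typo keeps the group restriction), but a typo in `port`, `upstream` or `maxBodySize` would silently fall back to the default. Since the only reason for `...` in `blockOf` appears to be that `proxyProtect` now forwards `cfg` including `allowedGroup`, the pattern could stay strict by stripping that key instead: `(blockOf hostName (builtins.removeAttrs cfg [ "allowedGroup" ]))`. A one-line comment on the new parameter would also help, since `allowedGroup` holds a boolean rather than a group name: `# allowedGroup: false disables the group check (needed for oauth2-proxy itself); default true.`. The head of the `blockOf` pattern and the tail of `proxyProtect` are outside these hunks.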


@ -30,6 +30,7 @@ in
port ? 3000, port ? 3000,
upstream ? hostName, upstream ? hostName,
protocol ? "http", protocol ? "http",
...
}: }:
{ {
upstreams.${hostName} = { upstreams.${hostName} = {
@ -55,7 +56,11 @@ in
}; };
}; };
proxyProtect = proxyProtect =
hostName: cfg: allowedGroup: hostName:
{
allowedGroup ? true,
...
}@cfg:
lib.mkMerge [ lib.mkMerge [
(blockOf hostName cfg) (blockOf hostName cfg)
{ {


@ -3,28 +3,8 @@
networking = { networking = {
inherit (config.secrets.secrets.local.networking) hostId; inherit (config.secrets.secrets.local.networking) hostId;
}; };
systemd.network.networks = { systemd.network = {
"10-lan01" = {
address = [
(lib.net.cidr.hostCidr config.secrets.secrets.global.net.ips.${config.node.name}
config.secrets.secrets.global.net.privateSubnetv4
)
];
gateway = [ (lib.net.cidr.host 1 config.secrets.secrets.global.net.privateSubnetv4) ];
#matchConfig.MACAddress = config.secrets.secrets.local.networking.interfaces.lan01.mac;
matchConfig.Name = "lan";
dhcpV6Config.UseDNS = false;
dhcpV4Config.UseDNS = false;
ipv6AcceptRAConfig.UseDNS = false;
networkConfig = {
MulticastDNS = true;
};
};
};
boot.initrd.systemd.network = {
enable = true;
networks = { networks = {
# redo the network cause the livesystem has macvlans
"10-lan01" = { "10-lan01" = {
address = [ address = [
(lib.net.cidr.hostCidr config.secrets.secrets.global.net.ips.${config.node.name} (lib.net.cidr.hostCidr config.secrets.secrets.global.net.ips.${config.node.name}
@ -32,23 +12,118 @@
) )
]; ];
gateway = [ (lib.net.cidr.host 1 config.secrets.secrets.global.net.privateSubnetv4) ]; gateway = [ (lib.net.cidr.host 1 config.secrets.secrets.global.net.privateSubnetv4) ];
matchConfig.MACAddress = config.secrets.secrets.local.networking.interfaces.lan01.mac; #matchConfig.MACAddress = config.secrets.secrets.local.networking.interfaces.lan01.mac;
matchConfig.Name = "lan";
dhcpV6Config.UseDNS = false; dhcpV6Config.UseDNS = false;
dhcpV4Config.UseDNS = false; dhcpV4Config.UseDNS = false;
ipv6AcceptRAConfig.UseDNS = false; ipv6AcceptRAConfig.UseDNS = false;
networkConfig = { networkConfig = {
IPv6PrivacyExtensions = "yes";
MulticastDNS = true; MulticastDNS = true;
}; };
}; };
}; };
netdevs."40-vlan-home" = {
netdevConfig = {
Name = "vlan-home";
Kind = "vlan";
};
vlanConfig.Id = 10;
};
netdevs."40-vlan-services" = {
netdevConfig = {
Name = "vlan-services";
Kind = "vlan";
};
vlanConfig.Id = 20;
};
netdevs."40-vlan-devices" = {
netdevConfig = {
Name = "vlan-devices";
Kind = "vlan";
};
vlanConfig.Id = 30;
};
netdevs."40-vlan-iot" = {
netdevConfig = {
Name = "vlan-iot";
Kind = "vlan";
};
vlanConfig.Id = 40;
};
netdevs."40-vlan-guests" = {
netdevConfig = {
Name = "vlan-guests";
Kind = "vlan";
};
vlanConfig.Id = 50;
};
networks."40-vlans" = {
matchConfig.Name = "lan01";
vlan = [
"vlan-home"
"vlan-services"
"vlan-devices"
"vlan-iot"
"vlan-guests"
];
};
}; };
networking.nftables.firewall.zones.untrusted.interfaces = [ "lan" ]; networking.nftables.firewall.zones.untrusted.interfaces = [ "lan" ];
# To be able to ping containers from the host, it is necessary # To be able to ping containers from the host, it is necessary
# to create a macvlan on the host on the VLAN 1 network. # to create a macvlan on the host on the VLAN 1 network.
networking.macvlans.lan = { networking.macvlans.lan = {
interface = "lan01"; interface = "vlan-home";
mode = "bridge"; mode = "bridge";
}; };
boot.initrd = {
availableKernelModules = [
"8021q"
];
systemd.network = {
enable = true;
networks = {
# redo the network cause the livesystem has macvlans
"10-lan01" = {
address = [
(lib.net.cidr.hostCidr config.secrets.secrets.global.net.ips.${config.node.name}
config.secrets.secrets.global.net.privateSubnetv4
)
];
gateway = [ (lib.net.cidr.host 1 config.secrets.secrets.global.net.privateSubnetv4) ];
matchConfig.Name = "vlan-home";
dhcpV6Config.UseDNS = false;
dhcpV4Config.UseDNS = false;
ipv6AcceptRAConfig.UseDNS = false;
networkConfig = {
IPv6PrivacyExtensions = "yes";
MulticastDNS = true;
};
};
};
netdevs."10-vlan-home" = {
netdevConfig = {
Name = "vlan-home";
Kind = "vlan";
};
vlanConfig.Id = 10;
};
networks."40-vlans" = {
matchConfig.MACAddress = config.secrets.secrets.local.networking.interfaces.lan01.mac;
vlan = [
"vlan-home"
];
};
};
};
} }
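Review bot: The new netdevs `vlan-services`, `vlan-devices`, `vlan-iot` and `vlan-guests` are attached to `lan01` via `networks."40-vlans"`, but nothing in this hunk places them in an nftables zone; `zones.untrusted.interfaces` still names only `lan`, so how traffic arriving on those VLAN interfaces is treated depends on how the firewall module handles interfaces that belong to no zone. Listing them explicitly keeps the policy independent of that default, e.g. `networking.nftables.firewall.zones.untrusted.interfaces = [ "lan" "vlan-services" "vlan-devices" "vlan-iot" "vlan-guests" ];` (or one zone per VLAN if they are to be treated differently). The comment above `networking.macvlans.lan` is now stale, since the macvlan sits on `vlan-home` (VLAN 10) rather than VLAN 1: `# to create a macvlan on the host on the home VLAN (vlan-home, id 10).`. The initrd block repeats the `10-lan01` network and the `vlan-home` netdev almost verbatim, differing only in matching `lan01` by name versus by MAC; binding the shared parts once in a `let` would keep the two copies from drifting. The file's top-level attrset starts before the first hunk and closes on the last line here.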


@ -68,6 +68,7 @@ in
eth3 = mkConnection "switch-patrick" "eth5"; eth3 = mkConnection "switch-patrick" "eth5";
eth4 = mkConnection "docking-station-ganzoben" "lan"; eth4 = mkConnection "docking-station-ganzoben" "lan";
eth5 = mkConnection "desktop-ganzoben" "lan"; eth5 = mkConnection "desktop-ganzoben" "lan";
eth6 = mkConnection "nucnix" "lan01";
eth9 = mkConnection "drucker" "lan"; eth9 = mkConnection "drucker" "lan";
eth10 = mkConnection "homematic" "lan"; eth10 = mkConnection "homematic" "lan";
eth11 = mkConnection "raspberry-pi" "lan"; eth11 = mkConnection "raspberry-pi" "lan";


@ -32,6 +32,8 @@
".config/gh" ".config/gh"
".config/qmk"
".local/share/osu" ".local/share/osu"
".local/share/monado" ".local/share/monado"


@ -41,6 +41,7 @@
yt-dlp yt-dlp
zathura zathura
zotero zotero
qmk
]; ];
}; };
hm.programs.bat.enable = true; hm.programs.bat.enable = true;
@ -60,4 +61,5 @@
DOWN add volume -2 DOWN add volume -2
''; '';
}; };
services.udev.packages = [ pkgs.qmk-udev-rules ];
} }


@ -26,16 +26,6 @@
user = "root"; user = "root";
}; };
"testienix" = {
hostname = "testienix.local";
user = "root";
};
"patricknix" = {
hostname = "patricknix.local";
user = "root";
};
"maddy" = { "maddy" = {
hostname = config.secrets.secrets.global.user.hetzner_ip; hostname = config.secrets.secrets.global.user.hetzner_ip;
user = "root"; user = "root";
@ -45,10 +35,6 @@
user = "root"; user = "root";
}; };
"desktopnix" = {
hostname = "desktopnix.local";
user = "root";
};
"*" = { "*" = {
user = "root"; user = "root";
identitiesOnly = true; identitiesOnly = true;