feat: vlans

2024-12-16 21:28:08 +01:00 · 2024-12-16 21:28:08 +01:00 · 3d39955759
parent d4e2805a87
commit 3d39955759
10 changed files with 127 additions and 61 deletions
--- a/config/basic/net.nix
+++ b/config/basic/net.nix
@ -5,6 +5,7 @@
 }:
 {
  networking = {
+    search = [ "local" ];
    useNetworkd = true;
    dhcpcd.enable = false;
    useDHCP = false;
--- a/config/support/server.nix
+++ b/config/support/server.nix
@ -6,17 +6,6 @@
    # stubs. Server users should know what they are doing.
    stub-ld.enable = false;
  };
-  # Given that our systems are headless, emergency mode is useless.
-  # We prefer the system to attempt to continue booting so
-  # that we can hopefully still access it remotely.
-  boot.initrd.systemd.suppressedUnits = [
-    "emergency.service"
-    "emergency.target"
-  ];
-  # Given that our systems are headless, emergency mode is useless.
-  # We prefer the system to attempt to continue booting so
-  # that we can hopefully still access it remotely.
-  systemd.enableEmergencyMode = false;

  documentation.nixos.enable = false;

--- a/flake.lock
+++ b/flake.lock
@ -1642,11 +1642,11 @@
        "treefmt-nix": "treefmt-nix_3"
      },
      "locked": {
-        "lastModified": 1734202825,
-        "narHash": "sha256-/9r2lRpVLG81uF7zxuk4LDnPZN0kk93tTclMA5KQK0E=",
+        "lastModified": 1734374811,
+        "narHash": "sha256-+an6TysKwyWWeC7MeWGoHcULR9gc7TeXyszMAzvwRRo=",
        "ref": "refs/heads/main",
-        "rev": "09fb938cb462681aaf6d7016e35a90d4995aad8c",
-        "revCount": 23,
+        "rev": "85a6a4df38b05ed2d70e530d43de9820b3231e4a",
+        "revCount": 25,
        "type": "git",
        "url": "https://forge.lel.lol/patrick/nixp-meta.git"
      },
--- a/hosts/elisabeth/guests.nix
+++ b/hosts/elisabeth/guests.nix
@ -59,6 +59,7 @@ in
          port ? 3000,
          upstream ? hostName,
          protocol ? "http",
+          ...
        }:
        {
          upstreams.${hostName} = {
@ -84,7 +85,11 @@ in
          };
        };
      proxyProtect =
-        hostName: cfg: allowedGroup:
+        hostName:
+        {
+          allowedGroup ? true,
+          ...
+        }@cfg:
        lib.mkMerge [
          (blockOf hostName cfg)
          {
@ -145,16 +150,16 @@ in
          proxy_request_buffering off;
        '';
      })
-      (proxyProtect "adguardhome" { } true)
-      (proxyProtect "oauth2-proxy" { } false)
+      (proxyProtect "adguardhome" { })
+      (proxyProtect "oauth2-proxy" { allowedGroup = false; })
      (blockOf "paperless" { maxBodySize = "5G"; })
-      (proxyProtect "ttrss" { port = 80; } true)
-      (proxyProtect "invidious" { } true)
+      (proxyProtect "ttrss" { port = 80; })
+      (proxyProtect "invidious" { })
      (blockOf "yourspotify" { port = 80; })
      (blockOf "blog" { port = 80; })
      (blockOf "homebox" { })
-      (proxyProtect "ollama" { } true)
-      (proxyProtect "firefly" { port = 80; } true)
+      (proxyProtect "ollama" { })
+      (proxyProtect "firefly" { port = 80; })
      (blockOf "apispotify" {
        port = 3000;
        upstream = "yourspotify";
--- a/hosts/nucnix/guests.nix
+++ b/hosts/nucnix/guests.nix
@ -30,6 +30,7 @@ in
          port ? 3000,
          upstream ? hostName,
          protocol ? "http",
+          ...
        }:
        {
          upstreams.${hostName} = {
@ -55,7 +56,11 @@ in
          };
        };
      proxyProtect =
-        hostName: cfg: allowedGroup:
+        hostName:
+        {
+          allowedGroup ? true,
+          ...
+        }@cfg:
        lib.mkMerge [
          (blockOf hostName cfg)
          {
--- a/hosts/nucnix/net.nix
+++ b/hosts/nucnix/net.nix
@ -3,28 +3,8 @@
  networking = {
    inherit (config.secrets.secrets.local.networking) hostId;
  };
-  systemd.network.networks = {
-    "10-lan01" = {
-      address = [
-        (lib.net.cidr.hostCidr config.secrets.secrets.global.net.ips.${config.node.name}
-          config.secrets.secrets.global.net.privateSubnetv4
-        )
-      ];
-      gateway = [ (lib.net.cidr.host 1 config.secrets.secrets.global.net.privateSubnetv4) ];
-      #matchConfig.MACAddress = config.secrets.secrets.local.networking.interfaces.lan01.mac;
-      matchConfig.Name = "lan";
-      dhcpV6Config.UseDNS = false;
-      dhcpV4Config.UseDNS = false;
-      ipv6AcceptRAConfig.UseDNS = false;
-      networkConfig = {
-        MulticastDNS = true;
-      };
-    };
-  };
-  boot.initrd.systemd.network = {
-    enable = true;
+  systemd.network = {
    networks = {
-      # redo the network cause the livesystem has macvlans
      "10-lan01" = {
        address = [
          (lib.net.cidr.hostCidr config.secrets.secrets.global.net.ips.${config.node.name}
@ -32,23 +12,118 @@
          )
        ];
        gateway = [ (lib.net.cidr.host 1 config.secrets.secrets.global.net.privateSubnetv4) ];
-        matchConfig.MACAddress = config.secrets.secrets.local.networking.interfaces.lan01.mac;
+        #matchConfig.MACAddress = config.secrets.secrets.local.networking.interfaces.lan01.mac;
+        matchConfig.Name = "lan";
        dhcpV6Config.UseDNS = false;
        dhcpV4Config.UseDNS = false;
        ipv6AcceptRAConfig.UseDNS = false;
        networkConfig = {
-          IPv6PrivacyExtensions = "yes";
          MulticastDNS = true;
        };
      };
    };
+    netdevs."40-vlan-home" = {
+      netdevConfig = {
+        Name = "vlan-home";
+        Kind = "vlan";
+      };
+      vlanConfig.Id = 10;
+    };
+
+    netdevs."40-vlan-services" = {
+      netdevConfig = {
+        Name = "vlan-services";
+        Kind = "vlan";
+      };
+      vlanConfig.Id = 20;
+    };
+
+    netdevs."40-vlan-devices" = {
+      netdevConfig = {
+        Name = "vlan-devices";
+        Kind = "vlan";
+      };
+      vlanConfig.Id = 30;
+    };
+
+    netdevs."40-vlan-iot" = {
+      netdevConfig = {
+        Name = "vlan-iot";
+        Kind = "vlan";
+      };
+      vlanConfig.Id = 40;
+    };
+
+    netdevs."40-vlan-guests" = {
+      netdevConfig = {
+        Name = "vlan-guests";
+        Kind = "vlan";
+
+      };
+      vlanConfig.Id = 50;
+    };
+
+    networks."40-vlans" = {
+      matchConfig.Name = "lan01";
+      vlan = [
+        "vlan-home"
+        "vlan-services"
+        "vlan-devices"
+        "vlan-iot"
+        "vlan-guests"
+      ];
+    };
  };
  networking.nftables.firewall.zones.untrusted.interfaces = [ "lan" ];

  # To be able to ping containers from the host, it is necessary
  # to create a macvlan on the host on the VLAN 1 network.
  networking.macvlans.lan = {
-    interface = "lan01";
+    interface = "vlan-home";
    mode = "bridge";
  };
+
+  boot.initrd = {
+
+    availableKernelModules = [
+      "8021q"
+    ];
+    systemd.network = {
+      enable = true;
+      networks = {
+        # redo the network cause the livesystem has macvlans
+        "10-lan01" = {
+          address = [
+            (lib.net.cidr.hostCidr config.secrets.secrets.global.net.ips.${config.node.name}
+              config.secrets.secrets.global.net.privateSubnetv4
+            )
+          ];
+          gateway = [ (lib.net.cidr.host 1 config.secrets.secrets.global.net.privateSubnetv4) ];
+          matchConfig.Name = "vlan-home";
+          dhcpV6Config.UseDNS = false;
+          dhcpV4Config.UseDNS = false;
+          ipv6AcceptRAConfig.UseDNS = false;
+          networkConfig = {
+            IPv6PrivacyExtensions = "yes";
+            MulticastDNS = true;
+          };
+        };
+      };
+      netdevs."10-vlan-home" = {
+        netdevConfig = {
+          Name = "vlan-home";
+          Kind = "vlan";
+
+        };
+        vlanConfig.Id = 10;
+      };
+
+      networks."40-vlans" = {
+        matchConfig.MACAddress = config.secrets.secrets.local.networking.interfaces.lan01.mac;
+        vlan = [
+          "vlan-home"
+        ];
+      };
+    };
+  };
 }
--- a/nix/topology.nix
+++ b/nix/topology.nix
@ -68,6 +68,7 @@ in
        eth3 = mkConnection "switch-patrick" "eth5";
        eth4 = mkConnection "docking-station-ganzoben" "lan";
        eth5 = mkConnection "desktop-ganzoben" "lan";
+        eth6 = mkConnection "nucnix" "lan01";
        eth9 = mkConnection "drucker" "lan";
        eth10 = mkConnection "homematic" "lan";
        eth11 = mkConnection "raspberry-pi" "lan";
--- a/users/patrick/impermanence.nix
+++ b/users/patrick/impermanence.nix
@ -32,6 +32,8 @@

        ".config/gh"

+        ".config/qmk"
+
        ".local/share/osu"

        ".local/share/monado"
--- a/users/patrick/patrick.nix
+++ b/users/patrick/patrick.nix
@ -41,6 +41,7 @@
      yt-dlp
      zathura
      zotero
+      qmk
    ];
  };
  hm.programs.bat.enable = true;
@ -60,4 +61,5 @@
      DOWN add volume -2
    '';
  };
+  services.udev.packages = [ pkgs.qmk-udev-rules ];
 }
--- a/users/patrick/ssh.nix
+++ b/users/patrick/ssh.nix
@ -26,16 +26,6 @@
          user = "root";
        };

-        "testienix" = {
-          hostname = "testienix.local";
-          user = "root";
-        };
-
-        "patricknix" = {
-          hostname = "patricknix.local";
-          user = "root";
-        };
-
        "maddy" = {
          hostname = config.secrets.secrets.global.user.hetzner_ip;
          user = "root";
@ -45,10 +35,6 @@
          user = "root";
        };

-        "desktopnix" = {
-          hostname = "desktopnix.local";
-          user = "root";
-        };
        "*" = {
          user = "root";
          identitiesOnly = true;