fix: switch to vlan

This commit is contained in:
Patrick 2024-12-22 19:00:21 +01:00
parent 268bd66c76
commit 556cfab0df
Signed by: patrick
GPG key ID: 451F95EFB8BECD0F
9 changed files with 40 additions and 35 deletions


@ -18,7 +18,8 @@
settings = { settings = {
dns = { dns = {
bind_hosts = [ bind_hosts = [
"0.0.0.0" (lib.net.cidr.host globals.services.adguardhome.ip globals.net.vlans.services.cidrv4)
(lib.net.cidr.host globals.services.adguardhome.ip globals.net.vlans.services.cidrv6)
]; ];
anonymize_client_ip = false; anonymize_client_ip = false;
upstream_dns = [ upstream_dns = [
@ -35,8 +36,8 @@
]; ];
}; };
user_rules = [ user_rules = [
"||${globals.domains.web}^$dnsrewrite=${lib.net.cidr.host globals.services.nginx.ip globals.net.vlans.home.cidrv4}"
"||${globals.services.samba.domain}^$dnsrewrite=${lib.net.cidr.host globals.services.samba.ip globals.net.vlans.home.cidrv4}" "||${globals.services.samba.domain}^$dnsrewrite=${lib.net.cidr.host globals.services.samba.ip globals.net.vlans.home.cidrv4}"
"||${globals.domains.web}^$dnsrewrite=${lib.net.cidr.host 1 globals.net.vlans.services.cidrv4}"
"||fritz.box^$dnsrewrite=${lib.net.cidr.host 1 "10.99.2.0/24"}" "||fritz.box^$dnsrewrite=${lib.net.cidr.host 1 "10.99.2.0/24"}"
]; ];
dhcp.enabled = false; dhcp.enabled = false;
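Review bot: The rewrite for `globals.domains.web` on L28 now resolves to host 1 of the services vlan instead of nginx's own address, and nothing in the hunk says why; host 1 is the gateway address in the guest-network hunks of this commit and the nftables port-forward DNATs exactly that daddr to the service, so a comment would stop the next reader from "fixing" it back: `# host 1 of the services vlan is the gateway; the port-forward DNAT rewrites it to nginx`. The rewrite is IPv4-only while the DNAT rule also matches `ip6 daddr` host 1 of `cidrv6`, so an AAAA rewrite may be intended here too — presumably, depending on whether home clients get IPv6. The `fritz.box` rewrite on L29 keeps a literal "10.99.2.0/24" that the nftables hunk repeats; a single entry in `globals.net` would keep them from drifting apart.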


@ -119,7 +119,7 @@ in
# clients hardcode the host and share names. # clients hardcode the host and share names.
"disable netbios" = "yes"; "disable netbios" = "yes";
# Allow access to local network # Allow access to local network
"hosts allow" = "192.168.178. 10. localhost"; "hosts allow" = "10. localhost";
"guest account" = "nobody"; "guest account" = "nobody";
"map to guest" = "bad user"; "map to guest" = "bad user";
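Review bot: `"hosts allow" = "10. localhost"` on L39 is a prefix match over the whole of 10.0.0.0/8, so every network in this commit, including whatever sits behind the literal 10.99.2.0/24 used for the fritz.box rewrite, can reach the share; the old value at least named one specific network. If only the home vlan is meant to use Samba, derive the entry from the same source as the rest of the config, e.g. `"hosts allow" = "${globals.net.vlans.home.cidrv4} localhost";` — Samba accepts CIDR notation in this option. Whether the other vlans are trusted is not visible here, so this is a question rather than a defect; the enclosing attribute set continues outside the hunk.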


@ -68,8 +68,8 @@
(lib.net.cidr.hostCidr globals.services.${guestName}.ip globals.net.vlans.${name}.cidrv6) (lib.net.cidr.hostCidr globals.services.${guestName}.ip globals.net.vlans.${name}.cidrv6)
]; ];
gateway = [ gateway = [
(lib.net.cidr.hostCidr 1 globals.net.vlans.${name}.cidrv4) (lib.net.cidr.host 1 globals.net.vlans.${name}.cidrv4)
(lib.net.cidr.hostCidr 1 globals.net.vlans.${name}.cidrv6) (lib.net.cidr.host 1 globals.net.vlans.${name}.cidrv6)
]; ];
} }
) )
@ -84,7 +84,7 @@
backend = "microvm"; backend = "microvm";
microvm = { microvm = {
system = "x86_64-linux"; system = "x86_64-linux";
interfaces.lan = { }; interfaces.lan-services = { };
baseMac = config.secrets.secrets.local.networking.interfaces.lan01.mac; baseMac = config.secrets.secrets.local.networking.interfaces.lan01.mac;
}; };
extraSpecialArgs = { extraSpecialArgs = {
@ -114,7 +114,6 @@
}; };
in in
{ } { }
// mkContainer "adguardhome" { }
// mkContainer "oauth2-proxy" { } // mkContainer "oauth2-proxy" { }
// mkContainer "vaultwarden" { } // mkContainer "vaultwarden" { }
// mkContainer "ddclient" { } // mkContainer "ddclient" { }
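Review bot: The gateway entries on L49-L50 change `hostCidr` to `host` (a gateway must be a bare address, not a CIDR), and the identical two lines receive the identical fix on L171-L172 in the other guest-network file; two copies needing the same correction is the signal to move the address/gateway computation into one shared helper, for example a `mkGuestNetwork name guestName` function used by both. Separately from the vlan switch, L66 drops the adguardhome container from the merged set while the commit also adds a host key for `nucnix-adguardhome`; a sentence in the commit message saying where that service now runs would help a reader of the history. The attribute set being merged continues outside the hunk.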


@ -58,13 +58,7 @@ in
} }
] ]
++ (flip mapAttrsToList globals.net.vlans ( ++ (flip mapAttrsToList globals.net.vlans (
name: name: _: {
{
cidrv4,
cidrv6,
...
}:
{
"40-vlans".vlan = [ "vlan-${name}" ]; "40-vlans".vlan = [ "vlan-${name}" ];
"10-vlan-${name}" = { "10-vlan-${name}" = {
matchConfig.Name = "vlan-${name}"; matchConfig.Name = "vlan-${name}";
@ -79,21 +73,12 @@ in
''; '';
}; };
"20-lan-${name}" = { "20-lan-${name}" = {
address = [ DHCP = "yes";
(lib.net.cidr.hostCidr 1 cidrv4)
];
matchConfig.Name = "lan-${name}"; matchConfig.Name = "lan-${name}";
networkConfig = { networkConfig = {
MulticastDNS = true; MulticastDNS = true;
IPv6PrivacyExtensions = "yes"; IPv6PrivacyExtensions = "yes";
IPv4Forwarding = "yes";
IPv6SendRA = true;
IPv6AcceptRA = false;
DHCPPrefixDelegation = true;
}; };
ipv6Prefixes = [
{ Prefix = cidrv6; }
];
}; };
} }
)) ))
@ -108,6 +93,11 @@ in
to = [ "local" ]; to = [ "local" ];
allowedTCPPorts = [ 22 ]; allowedTCPPorts = [ 22 ];
}; };
mdns = {
from = [ "home" ];
to = [ "local" ];
allowedUDPPorts = [ 5353 ];
};
}; };
}; };
@ -120,10 +110,8 @@ in
enable = true; enable = true;
networks = { networks = {
# redo the network cause the livesystem has macvlans # redo the network cause the livesystem has macvlans
"10-lanhome" = { "10-lan-home" = {
address = [ DHCP = "yes";
# (lib.net.cidr.hostCidr 1 globals.net.vlans.home.cidrv4)
];
matchConfig.Name = "vlan-home"; matchConfig.Name = "vlan-home";
networkConfig = { networkConfig = {
IPv6PrivacyExtensions = "yes"; IPv6PrivacyExtensions = "yes";
@ -142,7 +130,7 @@ in
Name = "vlan-home"; Name = "vlan-home";
Kind = "vlan"; Kind = "vlan";
}; };
# vlanConfig.Id = globals.net.vlans.home.id; vlanConfig.Id = globals.net.vlans.home.id;
}; };
}; };
}; };
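Review bot: `DHCP = "yes"` on L91 (and again for vlan-home on L125) makes these interfaces DHCPv4/DHCPv6 clients, and networkd by default also installs the DNS servers and routes a lease offers; if this host is meant to keep resolving through the adguard instance this commit configures, pin that with `dhcpV4Config.UseDNS = false;` (and `UseRoutes` if lease routes are unwanted), otherwise a DHCP server on that vlan can redirect the host's DNS. Dropping `IPv6AcceptRA = false` on L100 likewise means router advertisements on lan-${name} are presumably accepted by default now, which deserves a comment if intended. The `mdns` rule on L113-L117 is the same rule as L199-L203 in the other file — one definition merged into both would keep them in step. The mapAttrsToList body begins before the first hunk.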


@ -19,10 +19,10 @@ let
prerouting.port-forward = { prerouting.port-forward = {
after = [ "hook" ]; after = [ "hook" ];
rules = [ rules = [
"iifname lan-fritz ${protocol} dport { ${concatStringsSep ", " (map toString ports)} } dnat ip to ${ "iifname { vlan-fritz, lan-home } ip daddr { ${net.cidr.host 1 globals.net.vlans.services.cidrv4}, ${net.cidr.host 2 "10.99.2.0/24"} } ${protocol} dport { ${concatStringsSep ", " (map toString ports)} } dnat ip to ${
net.cidr.host globals.services.${service}.ip globals.net.vlans.services.cidrv4 net.cidr.host globals.services.${service}.ip globals.net.vlans.services.cidrv4
}" }"
"iifname lan-fritz ${protocol} dport { ${concatStringsSep ", " (map toString ports)} } dnat ip6 to ${ "iifname { vlan-fritz, lan-home } ip6 daddr ${net.cidr.host 1 globals.net.vlans.services.cidrv6} ${protocol} dport { ${concatStringsSep ", " (map toString ports)} } dnat ip6 to ${
net.cidr.host globals.services.${service}.ip globals.net.vlans.services.cidrv6 net.cidr.host globals.services.${service}.ip globals.net.vlans.services.cidrv6
}" }"
]; ];
@ -36,7 +36,10 @@ let
}; };
rules = { rules = {
"forward-${service}" = { "forward-${service}" = {
from = [ "fritz" ]; from = [
"fritz"
"home"
];
to = [ service ]; to = [ service ];
"allowed${toUpper protocol}Ports" = ports; "allowed${toUpper protocol}Ports" = ports;
}; };
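Review bot: The DNAT rule on L146 matches `iifname { vlan-fritz, lan-home }`, mixing the vlan netdev name for fritz with the `lan-` interface for home, while the other hunks in this commit define both `vlan-home` and `lan-home`; a comment stating why home traffic is matched on `lan-home` rather than `vlan-home` would save the next reader from guessing or "fixing" it. The literal "10.99.2.0/24" on L146 is the same network the adguard fritz.box rewrite hardcodes; lifting it into `globals.net` keeps the two in sync. The IPv6 rule on L149 matches only host 1 of the services vlan with no counterpart for the fritz network — presumably because that side is IPv4-only, which is worth a note. The `let` binding continues outside both hunks.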


@ -46,8 +46,8 @@
(lib.net.cidr.hostCidr globals.services.${guestName}.ip globals.net.vlans.${name}.cidrv6) (lib.net.cidr.hostCidr globals.services.${guestName}.ip globals.net.vlans.${name}.cidrv6)
]; ];
gateway = [ gateway = [
(lib.net.cidr.hostCidr 1 globals.net.vlans.${name}.cidrv4) (lib.net.cidr.host 1 globals.net.vlans.${name}.cidrv4)
(lib.net.cidr.hostCidr 1 globals.net.vlans.${name}.cidrv6) (lib.net.cidr.host 1 globals.net.vlans.${name}.cidrv6)
]; ];
} }
) )


@ -23,6 +23,7 @@ in
networking.nftables.firewall.zones = mkMerge [ networking.nftables.firewall.zones = mkMerge [
{ {
fritz.interfaces = [ "vlan-fritz" ]; fritz.interfaces = [ "vlan-fritz" ];
wg-services.interfaces = [ "services" ];
adguard.ipv4Addresses = [ adguard.ipv4Addresses = [
(lib.net.cidr.host globals.services.adguardhome.ip globals.net.vlans.services.cidrv4) (lib.net.cidr.host globals.services.adguardhome.ip globals.net.vlans.services.cidrv4)
]; ];
@ -86,7 +87,7 @@ in
"40-vlans" = { "40-vlans" = {
matchConfig.Name = "lan01"; matchConfig.Name = "lan01";
networkConfig.LinkLocalAddressing = "no"; networkConfig.LinkLocalAddressing = "no";
vlan = [ "lan-fritz" ]; vlan = [ "vlan-fritz" ];
}; };
} }
] ]
@ -135,6 +136,11 @@ in
networking.nftables.firewall = { networking.nftables.firewall = {
snippets.nnf-ssh.enable = lib.mkForce false; snippets.nnf-ssh.enable = lib.mkForce false;
rules = { rules = {
mdns = {
from = [ "home" ];
to = [ "local" ];
allowedUDPPorts = [ 5353 ];
};
ssh = { ssh = {
from = [ from = [
"fritz" "fritz"
@ -181,6 +187,12 @@ in
to = [ "local" ]; to = [ "local" ];
allowedUDPPorts = [ config.wireguard.services.server.port ]; allowedUDPPorts = [ config.wireguard.services.server.port ];
}; };
# Forward traffic between participants
forward-wireguard = {
from = [ "wg-services" ];
to = [ "wg-services" ];
verdict = "accept";
};
}; };
}; };
wireguard.services.server = { wireguard.services.server = {
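Review bot: `forward-wireguard` on L212-L216 accepts every protocol and port between participants of the wg-services zone, whereas the other forward rules in this commit (`forward-${service}`, `mdns`, `ssh`) are restricted per port; a full mesh may be intended, but the comment should say so, e.g. `# Participants of the services wireguard network may reach each other on any port (full mesh); narrow this if a peer should only see specific services`. L183 binds the new `wg-services` zone to an interface literally named `services`, the same word as the services vlan used on L185 — if that is the wireguard interface name, a comment distinguishing it from `vlan-services`/`lan-services` would help. The `zones` list and the `rules` set both continue outside their hunks.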


@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHCoTo3zmzagHyFMVh9Qz8co8dCsTE1rL9Jor0jbJ94I root@nucnix-adguardhome


@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHn/tUvgC5lXA5DKwEkSRT1dB10TKilbrqFa6/NBQsOz root@nucnix-nginx