fix: switch to vlan
This commit is contained in:
parent
268bd66c76
commit
556cfab0df
|
@ -18,7 +18,8 @@
|
|||
settings = {
|
||||
dns = {
|
||||
bind_hosts = [
|
||||
"0.0.0.0"
|
||||
(lib.net.cidr.host globals.services.adguardhome.ip globals.net.vlans.services.cidrv4)
|
||||
(lib.net.cidr.host globals.services.adguardhome.ip globals.net.vlans.services.cidrv6)
|
||||
];
|
||||
anonymize_client_ip = false;
|
||||
upstream_dns = [
|
||||
|
@ -35,8 +36,8 @@
|
|||
];
|
||||
};
|
||||
user_rules = [
|
||||
"||${globals.domains.web}^$dnsrewrite=${lib.net.cidr.host globals.services.nginx.ip globals.net.vlans.home.cidrv4}"
|
||||
"||${globals.services.samba.domain}^$dnsrewrite=${lib.net.cidr.host globals.services.samba.ip globals.net.vlans.home.cidrv4}"
|
||||
"||${globals.domains.web}^$dnsrewrite=${lib.net.cidr.host 1 globals.net.vlans.services.cidrv4}"
|
||||
"||fritz.box^$dnsrewrite=${lib.net.cidr.host 1 "10.99.2.0/24"}"
|
||||
];
|
||||
dhcp.enabled = false;
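Review bot: The `fritz.box` rewrite spells the Fritz network as a string literal `"10.99.2.0/24"`, while every other address in `bind_hosts` and `user_rules` is derived from `globals.net.vlans.*`; the same literal appears in the nftables DNAT rule elsewhere in this commit, so a renumbering can leave DNS and the firewall disagreeing. If the Fritz-side network has (or can get) a globals entry, the line should read along the lines of `"||fritz.box^$dnsrewrite=${lib.net.cidr.host 1 globals.net.vlans.fritz.cidrv4}"`, whatever the entry ends up being called. With `0.0.0.0` gone from `bind_hosts`, AdGuard listens only on its services-VLAN addresses, so home clients presumably reach it via the router; a one-line comment above `bind_hosts` stating that intent would save the next reader from re-adding the wildcard. The enclosing `settings` attribute set starts before the first hunk and ends after the second.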
|
||||
|
|
|
@ -119,7 +119,7 @@ in
|
|||
# clients hardcode the host and share names.
|
||||
"disable netbios" = "yes";
|
||||
# Allow access to local network
|
||||
"hosts allow" = "192.168.178. 10. localhost";
|
||||
"hosts allow" = "10. localhost";
|
||||
|
||||
"guest account" = "nobody";
|
||||
"map to guest" = "bad user";
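Review bot: `"hosts allow" = "10. localhost"` admits the whole 10.0.0.0/8, which after this change includes the Fritz network `10.99.2.0/24` used elsewhere in the commit and any other 10.x VLAN, not just the home network the comment above it describes. Narrow it to the network that is actually meant, e.g. `"hosts allow" = "${globals.net.vlans.home.cidrv4} localhost";` (Samba accepts network/mask pairs in this option), or if an nftables zone is doing the real restriction, say so in the comment rather than leaving a /8 that reads as intentional. The enclosing Samba global-settings block starts before and ends after this hunk.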
|
||||
|
|
|
@ -68,8 +68,8 @@
|
|||
(lib.net.cidr.hostCidr globals.services.${guestName}.ip globals.net.vlans.${name}.cidrv6)
|
||||
];
|
||||
gateway = [
|
||||
(lib.net.cidr.hostCidr 1 globals.net.vlans.${name}.cidrv4)
|
||||
(lib.net.cidr.hostCidr 1 globals.net.vlans.${name}.cidrv6)
|
||||
(lib.net.cidr.host 1 globals.net.vlans.${name}.cidrv4)
|
||||
(lib.net.cidr.host 1 globals.net.vlans.${name}.cidrv6)
|
||||
];
|
||||
}
|
||||
)
|
||||
|
@ -84,7 +84,7 @@
|
|||
backend = "microvm";
|
||||
microvm = {
|
||||
system = "x86_64-linux";
|
||||
interfaces.lan = { };
|
||||
interfaces.lan-services = { };
|
||||
baseMac = config.secrets.secrets.local.networking.interfaces.lan01.mac;
|
||||
};
|
||||
extraSpecialArgs = {
|
||||
|
@ -114,7 +114,6 @@
|
|||
};
|
||||
in
|
||||
{ }
|
||||
// mkContainer "adguardhome" { }
|
||||
// mkContainer "oauth2-proxy" { }
|
||||
// mkContainer "vaultwarden" { }
|
||||
// mkContainer "ddclient" { }
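Review bot: The `gateway` list switches from `hostCidr` to `host`, i.e. from `addr/prefix` to a bare address, but nothing records why; add `# Gateway= takes a plain address, not a CIDR` above the list so a later edit does not revert it. The same two-line block appears verbatim in a second file of this commit, which suggests computing the gateway pair once in a shared helper next to `lib.net.cidr` rather than keeping two copies that must be fixed in lockstep. `baseMac` is now taken from the host's physical `lan01` MAC; if guest interface MACs are derived from that base on the same L2 segment, confirm the derivation cannot produce the host's own address. The enclosing function starts before the first hunk and the attribute set it builds closes after the last.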
|
||||
|
|
|
@ -58,13 +58,7 @@ in
|
|||
}
|
||||
]
|
||||
++ (flip mapAttrsToList globals.net.vlans (
|
||||
name:
|
||||
{
|
||||
cidrv4,
|
||||
cidrv6,
|
||||
...
|
||||
}:
|
||||
{
|
||||
name: _: {
|
||||
"40-vlans".vlan = [ "vlan-${name}" ];
|
||||
"10-vlan-${name}" = {
|
||||
matchConfig.Name = "vlan-${name}";
|
||||
|
@ -79,21 +73,12 @@ in
|
|||
'';
|
||||
};
|
||||
"20-lan-${name}" = {
|
||||
address = [
|
||||
(lib.net.cidr.hostCidr 1 cidrv4)
|
||||
];
|
||||
DHCP = "yes";
|
||||
matchConfig.Name = "lan-${name}";
|
||||
networkConfig = {
|
||||
MulticastDNS = true;
|
||||
IPv6PrivacyExtensions = "yes";
|
||||
IPv4Forwarding = "yes";
|
||||
IPv6SendRA = true;
|
||||
IPv6AcceptRA = false;
|
||||
DHCPPrefixDelegation = true;
|
||||
};
|
||||
ipv6Prefixes = [
|
||||
{ Prefix = cidrv6; }
|
||||
];
|
||||
};
|
||||
}
|
||||
))
|
||||
|
@ -108,6 +93,11 @@ in
|
|||
to = [ "local" ];
|
||||
allowedTCPPorts = [ 22 ];
|
||||
};
|
||||
mdns = {
|
||||
from = [ "home" ];
|
||||
to = [ "local" ];
|
||||
allowedUDPPorts = [ 5353 ];
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
|
@ -120,10 +110,8 @@ in
|
|||
enable = true;
|
||||
networks = {
|
||||
# redo the network cause the livesystem has macvlans
|
||||
"10-lanhome" = {
|
||||
address = [
|
||||
# (lib.net.cidr.hostCidr 1 globals.net.vlans.home.cidrv4)
|
||||
];
|
||||
"10-lan-home" = {
|
||||
DHCP = "yes";
|
||||
matchConfig.Name = "vlan-home";
|
||||
networkConfig = {
|
||||
IPv6PrivacyExtensions = "yes";
|
||||
|
@ -142,7 +130,7 @@ in
|
|||
Name = "vlan-home";
|
||||
Kind = "vlan";
|
||||
};
|
||||
# vlanConfig.Id = globals.net.vlans.home.id;
|
||||
vlanConfig.Id = globals.net.vlans.home.id;
|
||||
};
|
||||
};
|
||||
};
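Review bot: The comment `# redo the network cause the livesystem has macvlans` no longer describes the block beneath it, which now defines an 802.1Q netdev `vlan-home` with `vlanConfig.Id = globals.net.vlans.home.id` and a `10-lan-home` network that takes its address via `DHCP = "yes"` instead of the commented-out static `hostCidr 1` address the old side carried. Reword it to say what is overridden and why, e.g. `# Override the live system's macvlan networking: attach to the home VLAN (802.1Q id from globals) and obtain an address via DHCP`, adjusting to whatever "livesystem" denotes here. The enclosing `systemd.network` block starts before and ends after these hunks.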
|
||||
|
|
|
@ -19,10 +19,10 @@ let
|
|||
prerouting.port-forward = {
|
||||
after = [ "hook" ];
|
||||
rules = [
|
||||
"iifname lan-fritz ${protocol} dport { ${concatStringsSep ", " (map toString ports)} } dnat ip to ${
|
||||
"iifname { vlan-fritz, lan-home } ip daddr { ${net.cidr.host 1 globals.net.vlans.services.cidrv4}, ${net.cidr.host 2 "10.99.2.0/24"} } ${protocol} dport { ${concatStringsSep ", " (map toString ports)} } dnat ip to ${
|
||||
net.cidr.host globals.services.${service}.ip globals.net.vlans.services.cidrv4
|
||||
}"
|
||||
"iifname lan-fritz ${protocol} dport { ${concatStringsSep ", " (map toString ports)} } dnat ip6 to ${
|
||||
"iifname { vlan-fritz, lan-home } ip6 daddr ${net.cidr.host 1 globals.net.vlans.services.cidrv6} ${protocol} dport { ${concatStringsSep ", " (map toString ports)} } dnat ip6 to ${
|
||||
net.cidr.host globals.services.${service}.ip globals.net.vlans.services.cidrv6
|
||||
}"
|
||||
];
|
||||
|
@ -36,7 +36,10 @@ let
|
|||
};
|
||||
rules = {
|
||||
"forward-${service}" = {
|
||||
from = [ "fritz" ];
|
||||
from = [
|
||||
"fritz"
|
||||
"home"
|
||||
];
|
||||
to = [ service ];
|
||||
"allowed${toUpper protocol}Ports" = ports;
|
||||
};
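Review bot: The IPv4 DNAT now matches two destination addresses (the services-VLAN gateway and host 2 of `10.99.2.0/24`) but the IPv6 rule matches only the services-VLAN gateway address, so a client on `vlan-fritz` reaching this host by a Fritz-side IPv6 address, if it has one, is not forwarded; either add that address to the `ip6 daddr` match or comment that v6 port-forwarding is reachable only via the services prefix. The Fritz network is again a literal `"10.99.2.0/24"` here, as in the AdGuard rewrite, rather than a `globals` entry, so the two can drift apart. `"forward-${service}"` now admits `home` as well as `fritz`, matching the widened `iifname { vlan-fritz, lan-home }`; a short comment that home clients are sent through the DNAT on purpose (the DNS rewrite points them at the gateway address) would make the widening look deliberate. The enclosing `let` starts before and ends after these hunks.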
|
||||
|
|
|
@ -46,8 +46,8 @@
|
|||
(lib.net.cidr.hostCidr globals.services.${guestName}.ip globals.net.vlans.${name}.cidrv6)
|
||||
];
|
||||
gateway = [
|
||||
(lib.net.cidr.hostCidr 1 globals.net.vlans.${name}.cidrv4)
|
||||
(lib.net.cidr.hostCidr 1 globals.net.vlans.${name}.cidrv6)
|
||||
(lib.net.cidr.host 1 globals.net.vlans.${name}.cidrv4)
|
||||
(lib.net.cidr.host 1 globals.net.vlans.${name}.cidrv6)
|
||||
];
|
||||
}
|
||||
)
|
||||
|
|
|
@ -23,6 +23,7 @@ in
|
|||
networking.nftables.firewall.zones = mkMerge [
|
||||
{
|
||||
fritz.interfaces = [ "vlan-fritz" ];
|
||||
wg-services.interfaces = [ "services" ];
|
||||
adguard.ipv4Addresses = [
|
||||
(lib.net.cidr.host globals.services.adguardhome.ip globals.net.vlans.services.cidrv4)
|
||||
];
|
||||
|
@ -86,7 +87,7 @@ in
|
|||
"40-vlans" = {
|
||||
matchConfig.Name = "lan01";
|
||||
networkConfig.LinkLocalAddressing = "no";
|
||||
vlan = [ "lan-fritz" ];
|
||||
vlan = [ "vlan-fritz" ];
|
||||
};
|
||||
}
|
||||
]
|
||||
|
@ -135,6 +136,11 @@ in
|
|||
networking.nftables.firewall = {
|
||||
snippets.nnf-ssh.enable = lib.mkForce false;
|
||||
rules = {
|
||||
mdns = {
|
||||
from = [ "home" ];
|
||||
to = [ "local" ];
|
||||
allowedUDPPorts = [ 5353 ];
|
||||
};
|
||||
ssh = {
|
||||
from = [
|
||||
"fritz"
|
||||
|
@ -181,6 +187,12 @@ in
|
|||
to = [ "local" ];
|
||||
allowedUDPPorts = [ config.wireguard.services.server.port ];
|
||||
};
|
||||
# Forward traffic between participants
|
||||
forward-wireguard = {
|
||||
from = [ "wg-services" ];
|
||||
to = [ "wg-services" ];
|
||||
verdict = "accept";
|
||||
};
|
||||
};
|
||||
};
|
||||
wireguard.services.server = {
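Review bot: `forward-wireguard` accepts every packet between any two peers of the `wg-services` zone with no port or protocol restriction, so this host now relays arbitrary peer-to-peer traffic; if the intent is hub-and-spoke where spokes only reach services on the hub, scope it to the hosts and ports that need each other, and if full mesh is intended, say so, e.g. `# Wireguard peers may reach each other freely (full mesh relayed through this host)`. The new `mdns` rule mirrors the one added on the other host in this commit and only does anything if `MulticastDNS` is enabled on the matching interface, which is not visible here. `snippets.nnf-ssh.enable = lib.mkForce false` with the explicit `ssh` rule below re-admitting selected zones is the right shape. The enclosing `networking.nftables.firewall` block starts before and ends after these hunks.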
|
||||
|
|
1
hosts/nucnix/secrets/adguardhome/host.pub
Normal file
1
hosts/nucnix/secrets/adguardhome/host.pub
Normal file
|
@ -0,0 +1 @@
|
|||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHCoTo3zmzagHyFMVh9Qz8co8dCsTE1rL9Jor0jbJ94I root@nucnix-adguardhome
|
1
hosts/nucnix/secrets/nginx/host.pub
Normal file
1
hosts/nucnix/secrets/nginx/host.pub
Normal file
|
@ -0,0 +1 @@
|
|||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHn/tUvgC5lXA5DKwEkSRT1dB10TKilbrqFa6/NBQsOz root@nucnix-nginx
|