From 8332bc45ba6a59148acc09abeab1c56b291e397e Mon Sep 17 00:00:00 2001
From: Patrick
Date: Fri, 20 Dec 2024 11:07:22 +0100
Subject: [PATCH] feat: switch to new extra-modules allowing multiple interfaces
---
 config/services/adguardhome.nix | 7 +--
 flake.lock | 13 ++---
 hosts/elisabeth/guests.nix | 26 +++-------
 hosts/nucnix/guests.nix | 47 ++++++++++--------
 .../elisabeth/keys/nucnix-adguardhome.age | Bin 0 -> 780 bytes
 .../elisabeth/keys/nucnix-adguardhome.pub | 1 +
 .../psks/elisabeth+nucnix-adguardhome.age | 16 ++++++
 7 files changed, 58 insertions(+), 52 deletions(-)
 create mode 100644 secrets/wireguard/elisabeth/keys/nucnix-adguardhome.age
 create mode 100644 secrets/wireguard/elisabeth/keys/nucnix-adguardhome.pub
 create mode 100644 secrets/wireguard/elisabeth/psks/elisabeth+nucnix-adguardhome.age
diff --git a/config/services/adguardhome.nix b/config/services/adguardhome.nix
index d586715..67365f2 100644
--- a/config/services/adguardhome.nix
+++ b/config/services/adguardhome.nix
@@ -13,12 +13,7 @@
 settings = {
 dns = {
 bind_hosts = [
- (lib.net.cidr.host config.secrets.secrets.global.net.ips.${config.node.name}
- config.secrets.secrets.global.net.privateSubnetv4
- )
- (lib.net.cidr.host config.secrets.secrets.global.net.ips.${config.node.name}
- config.secrets.secrets.global.net.privateSubnetv6
- )
+ "0.0.0.0"
 ];
 anonymize_client_ip = false;
 upstream_dns = [
diff --git a/flake.lock b/flake.lock
index 112b0b5..c3996f8 100644
--- a/flake.lock
+++ b/flake.lock
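Review bot: Replacing the two computed bind addresses with `"0.0.0.0"` drops the IPv6 listener that the removed privateSubnetv6 entry provided and widens the IPv4 listener from one private address to every address the guest has, so who can reach the resolver is now decided solely by the nftables zone assignment rather than by the bind address. Any client still resolving over IPv6 loses service, and a guest that ends up with more than one link (this same patch makes the untrusted zone empty for such guests in hosts/elisabeth/guests.nix and hosts/nucnix/guests.nix) would answer DNS on all of them. If the firewall is meant to be the control, say so next to the bind, e.g. `# bind on all IPv4 addresses; exposure is limited by the untrusted firewall zone`, and decide explicitly whether `"::"` should be listed as well. The enclosing `settings.dns` block continues outside the hunk.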
@@ -1556,12 +1556,13 @@
 "pre-commit-hooks": "pre-commit-hooks_4"
 },
 "locked": {
- "lastModified": 1734380654,
- "narHash": "sha256-YrJ4vz6fbz5Sz7H6mdFsqaqEkLVOJUnrUi6swiYbmc4=",
- "owner": "oddlama",
- "repo": "nixos-extra-modules",
- "rev": "da6945497bb3e6a2baf3d783c12d780ea8c4b5ea",
- "type": "github"
+ "lastModified": 1734643696,
+ "narHash": "sha256-W5JSWhhThI9erzhZmpHy1gZGwSxEGPKYmOUBEXH/WGA=",
+ "ref": "refs/heads/main",
+ "rev": "6a4736e0773a1852b0b6c5f71cbe96dd39c3caf1",
+ "revCount": 40,
+ "type": "git",
+ "url": "file:///home/patrick/repos/nix/nixos-extra-modules"
 },
 "original": {
 "owner": "oddlama",
diff --git a/hosts/elisabeth/guests.nix b/hosts/elisabeth/guests.nix
index a044d01..5a53f0c 100644
--- a/hosts/elisabeth/guests.nix
+++ b/hosts/elisabeth/guests.nix
@@ -219,23 +219,11 @@ in
 ../../config/services/${guestName}.nix
 {
 node.secretsDir = config.node.secretsDir + "/${guestName}";
- networking.nftables.firewall.zones.untrusted.interfaces = [
- config.guests.${guestName}.networking.mainLinkName
- ];
- systemd.network.networks."10-${config.guests.${guestName}.networking.mainLinkName}" = {
- DHCP = lib.mkForce "no";
- address = [
- (lib.net.cidr.hostCidr
- config.secrets.secrets.global.net.ips."${config.guests.${guestName}.nodeName}"
- config.secrets.secrets.global.net.privateSubnetv4
- )
- (lib.net.cidr.hostCidr
- config.secrets.secrets.global.net.ips."${config.guests.${guestName}.nodeName}"
- config.secrets.secrets.global.net.privateSubnetv6
- )
- ];
- gateway = [ (lib.net.cidr.host 1 config.secrets.secrets.global.net.privateSubnetv4) ];
- };
+ networking.nftables.firewall.zones.untrusted.interfaces =
+ if lib.length config.guests.${guestName}.networking.links < 2 then
+ config.guests.${guestName}.networking.links
+ else
+ [ ];
 }
 ];
 };
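Review bot: The `locked` entry for nixos-extra-modules now has `"type": "git"` with `"url": "file:///home/patrick/repos/nix/nixos-extra-modules"` while the `original` entry still names the oddlama GitHub repository, so the lock references a checkout that exists only on the author's machine; flake.nix is not part of this patch, which suggests a local override was locked rather than an upstream change. Any other machine or CI evaluating this flake cannot fetch that input, and the pinned `rev` no longer points at a publicly reviewable upstream commit even though a narHash is recorded. Before merging, push the extra-modules commit upstream and re-lock so `locked` returns to `"type": "github"`, keeping the override out of the committed lock.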
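Review bot: The new `networking.nftables.firewall.zones.untrusted.interfaces` expression assigns no interfaces at all when a guest has two or more links, so such a guest ends up with none of its links in the untrusted zone rather than all of them, which is the less safe of the two defaults; together with the adguardhome bind change in this patch that is the difference between a resolver reachable on one zoned link and one reachable on every link. Unless multi-link guests are expected to declare their zones elsewhere (not visible here), fail loudly instead: `else throw "guest ${guestName} has multiple links; assign firewall zones explicitly";`. The identical expression is introduced in hosts/nucnix/guests.nix (hunk @@ -129,12 +129,11 @@) and the same change applies there. The removed static address and gateway configuration is presumably now provided by the updated extra-modules; a one-line comment saying so would spare the next reader the search. The enclosing mkGuest definition starts before the hunk.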
@@ -245,7 +233,7 @@ in
 backend = "microvm";
 microvm = {
 system = "x86_64-linux";
- macvtap = "lan";
+ interfaces."lan" = { };
 baseMac = config.secrets.secrets.local.networking.interfaces.lan01.mac;
 };
 extraSpecialArgs = {
@@ -259,7 +247,7 @@ in
 mkContainer = guestName: cfg: {
 ${guestName} = mkGuest guestName cfg // {
 backend = "container";
- container.macvlan = "lan";
+ container.macvlans = [ "lan" ];
 extraSpecialArgs = {
 inherit
 lib
diff --git a/hosts/nucnix/guests.nix b/hosts/nucnix/guests.nix
index 04e25f4..624a2d4 100644
--- a/hosts/nucnix/guests.nix
+++ b/hosts/nucnix/guests.nix
@@ -114,7 +114,7 @@ in
 guests =
 let
- mkGuest = guestName: {
+ mkGuest = guestName: _: {
 autostart = true;
 zfs."/state" = {
 pool = "rpool";
@@ -129,12 +129,11 @@ in
 ../../config/services/${guestName}.nix
 {
 node.secretsDir = config.node.secretsDir + "/${guestName}";
- networking.nftables.firewall.zones.untrusted.interfaces = [
- config.guests.${guestName}.networking.mainLinkName
- ];
- systemd.network.networks."10-${config.guests.${guestName}.networking.mainLinkName}" = {
- DHCP = "yes";
- };
+ networking.nftables.firewall.zones.untrusted.interfaces =
+ if lib.length config.guests.${guestName}.networking.links < 2 then
+ config.guests.${guestName}.networking.links
+ else
+ [ ];
 }
 ];
 };
@@ -155,21 +154,27 @@ in
 };
 };
- mkContainer = guestName: cfg: {
- ${guestName} = mkGuest guestName cfg // {
- backend = "container";
- container.macvlan = "lan";
- extraSpecialArgs = {
- inherit
- lib
- nodes
- inputs
- minimal
- stateVersion
- ;
+ mkContainer =
+ guestName:
+ {
+ macvlans ? [ "lan-services" ],
+ ...
+ }@cfg:
+ {
+ ${guestName} = mkGuest guestName cfg // {
+ backend = "container";
+ container.macvlans = macvlans;
+ extraSpecialArgs = {
+ inherit
+ lib
+ nodes
+ inputs
+ minimal
+ stateVersion
+ ;
+ };
 };
 };
- };
 in
- { };
+ { } // mkContainer "adguardhome" { macvlans = [ "lan-services" ]; };
 }
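Review bot: The new `mkContainer` already defaults `macvlans` to `[ "lan-services" ]`, so the call `mkContainer "adguardhome" { macvlans = [ "lan-services" ]; }` merely restates the default; either call it as `mkContainer "adguardhome" { }` or drop the default so every container names its links explicitly, which reads better next to the `lib.length ... links < 2` zone logic above that depends on exactly how many links a guest has. `mkGuest = guestName: _: {` accepts and discards the per-guest attribute set; naming it `_cfg` or adding `# cfg is consumed by mkContainer only` would make that intentional rather than accidental-looking. The wireguard key and PSK files added for nucnix-adguardhome suggest this guest will also carry a tunnel interface; if that is counted in `networking.links` the guest has two links and, under the zone expression in the @@ -129 hunk, none of them land in the untrusted zone, which is worth confirming before the container is enabled.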
diff --git a/secrets/wireguard/elisabeth/keys/nucnix-adguardhome.age b/secrets/wireguard/elisabeth/keys/nucnix-adguardhome.age new file mode 100644 index 0000000000000000000000000000000000000000..ec388f953cc08131ca33da76a2c6664e34c5c47a GIT binary patch literal 780 zcmY+?JFk;q0LF3S$mHr|jV5Ox6X<+P3J%(Ad$TO>w_xRQybXuCS%RCX+lgq7wwHXSM2p)}^I zKg757F%bnKWmn8THo=Vhmcb*hMGEN!m% zi+-a|kl3c3Zn2rPZb=zUmR!w74jp^Lc9iU*wSX7330polN)dIVs=a;*6r)ZvxlC%X z8v{Xir%WXByK?M_rI6yALRa-O*8i@q6?QRtW^RWIlnGOIIMexEtz?um+4KW{KdAQU zfFH~R)ImU?u~E28=RSHk%K9-)^%jidtYo$}<|Lf}up2385J6^f#v;p5E|k9;M%mUw z+l-6G<7A+uM5t*yj=-klX_QR+iji1i4pKa@3B+RbaVCW1GA#-)cDa(T4PY`5S0`Z7 z+h%@uKVb+$%6<6Hs;37g8#Ud`UgdVVV3+AuJ&Tn^i64YeiQt+yepv@}`*OokEBy4n~kiqBPIii3`4%7 zLuFmEqUyncYvDD|d4z+q^uExf`K0iXkNNSN^Tcgm=O160-g=a(eto)p`{i8n<15z5 zUX9@K>HGWw_we)6=f6MPJ2ARfA0Xcr?>>EhefQ$xrE&fKub)p&FTXf>b9D6V(jN!o B3;h59 literal 0 HcmV?d00001 diff --git a/secrets/wireguard/elisabeth/keys/nucnix-adguardhome.pub b/secrets/wireguard/elisabeth/keys/nucnix-adguardhome.pub new file mode 100644 index 0000000..fcabb70 --- /dev/null +++ b/secrets/wireguard/elisabeth/keys/nucnix-adguardhome.pub @@ -0,0 +1 @@ +F3tFnEGn58ahB2p4hI4xFRfwyK7SU3+Dx598DcLAQlA= diff --git a/secrets/wireguard/elisabeth/psks/elisabeth+nucnix-adguardhome.age b/secrets/wireguard/elisabeth/psks/elisabeth+nucnix-adguardhome.age new file mode 100644 index 0000000..f3e2bda --- /dev/null +++ b/secrets/wireguard/elisabeth/psks/elisabeth+nucnix-adguardhome.age 
@@ -0,0 +1,16 @@ +age-encryption.org/v1 +-> X25519 SaIhuXPtLjcLt1Bmbbmx8WaluLUtJRGS6Ehu641msW0 +3Jyo1+XU0WVEsndNWFadBOcbE2TD7akuyyocxnzXcsU +-> piv-p256 ZFgiIw At2NriI63IhtpOKPqROmstH/t/kIMbXwWD/pKijLGdsd +yTUXG+ZeR9451nnGg5Nevhf6ES2tL6GpsTgNriNpg0Q +-> piv-p256 XTQkUA A9BJKAQ8L6ZjMm8W087HhkLNticb/Ddr7eiv/cI0guis +qPgkfSrq1RtZYCjXgujchhm1M9cW9boWrxCLhwoN/1c +-> piv-p256 ZFgiIw AzR6JgDfdmALfrIMrk43Fskz3ANKkSHz9bKlW2OF5T/P +k/vh/K8fmyCGQkoMvNf02b9KB0CZqMLu5RZc9yj1wRE +-> piv-p256 5vmPtQ AxioglXD0p1v6ZepKafFLW49RG3CUyl4lxjagpkUuI0H +3/XzPXIV1S7kuTICI0fD+Y2lCjSwcSPwrH9YfkPIyDI +-> #8D3.~O-grease [Gk GcS +wuRoJDrp0TmHzMmIEyPkSe4N9ITWjxfMbqQJSxn4rWH4wE+YAbXmJE+Ujtecupnf +xmymVCCVP5Cvmnx/KrXVVsyxKaLtiYcAnqHvTsmQgQR1LbuV9FB/tw +--- v0LwqJa53xUGcC7NIzI1UwACS8kGzRaMOsf0HIF6X2A +Ékv?V"0nd" ;QHS򂫿T^I*(>ӅbWmBL-, \ No newline at end of file