feat: finish firewall network config
feat: kea configuration
parent
958bbc7942
commit
f2578916ae
@ -11,8 +11,7 @@ let
|
|||
domainOf =
|
||||
hostName:
|
||||
let
|
||||
domains =
|
||||
{
|
||||
domains = {
|
||||
};
|
||||
in
|
||||
"${domains.${hostName}}.${config.secrets.secrets.global.domains.web}";
|
||||
|
@ -134,18 +133,7 @@ in
|
|||
config.guests.${guestName}.networking.mainLinkName
|
||||
];
|
||||
systemd.network.networks."10-${config.guests.${guestName}.networking.mainLinkName}" = {
|
||||
DHCP = lib.mkForce "no";
|
||||
address = [
|
||||
(lib.net.cidr.hostCidr
|
||||
config.secrets.secrets.global.net.ips."${config.guests.${guestName}.nodeName}"
|
||||
config.secrets.secrets.global.net.privateSubnetv4
|
||||
)
|
||||
(lib.net.cidr.hostCidr
|
||||
config.secrets.secrets.global.net.ips."${config.guests.${guestName}.nodeName}"
|
||||
config.secrets.secrets.global.net.privateSubnetv6
|
||||
)
|
||||
];
|
||||
gateway = [ (lib.net.cidr.host 1 config.secrets.secrets.global.net.privateSubnetv4) ];
|
||||
DHCP = "yes";
|
||||
};
|
||||
}
|
||||
];
|
||||
@ -1,6 +1,13 @@
|
|||
{ config, ... }:
|
||||
let
|
||||
cfg = name: {
|
||||
|
||||
{
|
||||
|
||||
hardware.wirelessRegulatoryDatabase = true;
|
||||
|
||||
services.hostapd = {
|
||||
enable = true;
|
||||
radios.wlan1 = {
|
||||
band = "2g";
|
||||
countryCode = "DE";
|
||||
# wifi4.capabilities = [
|
||||
# "LDPC"
|
||||
|
@ -14,7 +21,7 @@ let
|
|||
# ];
|
||||
wifi6.enable = true;
|
||||
wifi7.enable = true;
|
||||
networks."${name}" = {
|
||||
networks.wlan1 = {
|
||||
inherit (config.secrets.secrets.global.hostapd) ssid;
|
||||
apIsolate = true;
|
||||
authentication = {
|
||||
|
@ -29,19 +36,5 @@ let
|
|||
bssid = "02:c0:ca:b1:4f:9f";
|
||||
};
|
||||
};
|
||||
in
|
||||
|
||||
{
|
||||
|
||||
hardware.wirelessRegulatoryDatabase = true;
|
||||
|
||||
services.hostapd = {
|
||||
enable = true;
|
||||
radios.wlan1 = {
|
||||
band = "2g";
|
||||
} // cfg "wlan1";
|
||||
radios.wlan2 = {
|
||||
band = "5g";
|
||||
} // cfg "wlan2";
|
||||
};
|
||||
}
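Review bot: Because `bssid = "02:c0:ca:b1:4f:9f"` sits inside `networks."${name}"` within `cfg`, both `radios.wlan1` (2g) and `radios.wlan2` (5g) now advertise the identical BSSID; two BSSes on one host sharing a MAC confuses clients and band steering and may stop hostapd bringing up the second radio (the old wlan2 configuration is not in the hunk, so whether it previously had its own BSSID is inferred). Pass it in per radio instead, e.g. `cfg = name: bssid: { … networks."${name}" = { inherit bssid; … }; };` and `radios.wlan2 = { band = "5g"; } // cfg "wlan2" <distinct locally-administered address>;`, or drop the field and let hostapd derive one from each radio's MAC. Sharing `ssid`, `apIsolate = true` and the `authentication` block across both bands is fine only if both are meant to be one security domain; a comment on `cfg` stating that intent would help the next reader.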
|
||||
84
hosts/nucnix/kea.nix
Normal file
84
hosts/nucnix/kea.nix
Normal file
|
@ -0,0 +1,84 @@
|
|||
{
|
||||
lib,
|
||||
utils,
|
||||
...
|
||||
}:
|
||||
let
|
||||
inherit (lib)
|
||||
net
|
||||
flip
|
||||
mapAttrsToList
|
||||
;
|
||||
vlans = {
|
||||
home = 10;
|
||||
services = 20;
|
||||
devices = 30;
|
||||
iot = 40;
|
||||
guests = 50;
|
||||
};
|
||||
in
|
||||
{
|
||||
environment.persistence."/persist".directories = [
|
||||
{
|
||||
directory = "/var/lib/private/kea";
|
||||
mode = "0700";
|
||||
}
|
||||
];
|
||||
|
||||
services.kea.dhcp4 = {
|
||||
enable = true;
|
||||
settings = {
|
||||
lease-database = {
|
||||
name = "/var/lib/kea/dhcp4.leases";
|
||||
persist = true;
|
||||
type = "memfile";
|
||||
};
|
||||
valid-lifetime = 86400;
|
||||
renew-timer = 3600;
|
||||
interfaces-config = {
|
||||
interfaces = flip mapAttrsToList vlans (x: _: "lan-${x}");
|
||||
};
|
||||
subnet4 = flip mapAttrsToList vlans (
|
||||
name: id: rec {
|
||||
inherit id;
|
||||
interface = "lan-${name}";
|
||||
subnet = "10.99.${toString id}.0/24";
|
||||
pools = [
|
||||
{
|
||||
pool = "${net.cidr.host 50 subnet} - ${net.cidr.host (-6) subnet}";
|
||||
}
|
||||
];
|
||||
option-data = [
|
||||
{
|
||||
name = "routers";
|
||||
data = "${net.cidr.host 1 subnet}";
|
||||
}
|
||||
{
|
||||
name = "domain-name-servers";
|
||||
data = "${net.cidr.host 10 subnet}";
|
||||
}
|
||||
];
|
||||
reservations = [
|
||||
#FIXME
|
||||
# {
|
||||
# hw-address = nodes.ward-adguardhome.config.lib.microvm.mac;
|
||||
# ip-address = globals.net.home-lan.hosts.ward-adguardhome.ipv4;
|
||||
# }
|
||||
# {
|
||||
# hw-address = nodes.ward-web-proxy.config.lib.microvm.mac;
|
||||
# ip-address = globals.net.home-lan.hosts.ward-web-proxy.ipv4;
|
||||
# }
|
||||
# {
|
||||
# hw-address = nodes.sire-samba.config.lib.microvm.mac;
|
||||
# ip-address = globals.net.home-lan.hosts.sire-samba.ipv4;
|
||||
# }
|
||||
];
|
||||
}
|
||||
);
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services.kea-dhcp4-server.after = [
|
||||
"sys-subsystem-net-devices-${utils.escapeSystemdPath "lan-self"}.device"
|
||||
];
|
||||
}
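Review bot: `systemd.services.kea-dhcp4-server.after` orders the server behind a `lan-self` device that this commit never creates — the macvlans it adds are `lan-home`, `lan-services`, `lan-devices`, `lan-iot` and `lan-guests` — so unless `lan-self` is defined elsewhere in the repo the dependency is a no-op and Kea can start before the interfaces listed in `interfaces-config` exist. Derive the list from the same `vlans` attrset the rest of the file uses: `after = flip mapAttrsToList vlans (name: _: "sys-subsystem-net-devices-${utils.escapeSystemdPath "lan-${name}"}.device");` and, since `after` is ordering only, put the same list in `wants` (or `bindsTo`) so the unit actually waits for the devices. `vlans` is also duplicated verbatim between this file and the host's default.nix in this commit; a shared module would keep subnet ids, interface names and firewall zones from drifting apart. The `#FIXME` reservations block is what would pin infrastructure guests to fixed addresses; until it is filled in, any guest switched to DHCP lands somewhere in the dynamic pool, so this is a blocker for the guest change rather than a note.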
@ -1,28 +1,108 @@
|
|||
{ config, lib, ... }:
|
||||
let
|
||||
vlans = {
|
||||
home = 10;
|
||||
services = 20;
|
||||
devices = 30;
|
||||
iot = 40;
|
||||
guests = 50;
|
||||
};
|
||||
inherit (lib) flip mapAttrsToList;
|
||||
in
|
||||
{
|
||||
imports = [ ./hostapd.nix ];
|
||||
imports =
|
||||
[
|
||||
./hostapd.nix
|
||||
./kea.nix
|
||||
]
|
||||
++ (flip mapAttrsToList vlans (
|
||||
name: id: {
|
||||
networking.nftables.firewall.zones.${name}.interfaces = [ "lan-${name}" ];
|
||||
|
||||
systemd.network = {
|
||||
netdevs = {
|
||||
"40-vlan-${name}" = {
|
||||
netdevConfig = {
|
||||
Name = "vlan-${name}";
|
||||
Kind = "vlan";
|
||||
};
|
||||
vlanConfig.Id = id;
|
||||
};
|
||||
"50-mlan-${name}" = {
|
||||
netdevConfig = {
|
||||
Name = "lan-${name}";
|
||||
Kind = "macvlan";
|
||||
};
|
||||
extraConfig = ''
|
||||
[MACVLAN]
|
||||
Mode=bridge
|
||||
'';
|
||||
};
|
||||
};
|
||||
networks = {
|
||||
"10-vlan-${name}" = {
|
||||
matchConfig.Name = "vlan-${name}";
|
||||
# This interface should only be used from attached macvtaps.
|
||||
# So don't acquire a link local address and only wait for
|
||||
# this interface to gain a carrier.
|
||||
networkConfig.LinkLocalAddressing = "no";
|
||||
linkConfig.RequiredForOnline = "carrier";
|
||||
extraConfig = ''
|
||||
[Network]
|
||||
MACVLAN=lan-${name}
|
||||
'';
|
||||
};
|
||||
"20-lan-${name}" = {
|
||||
address = [
|
||||
(lib.net.cidr.hostCidr 1 "10.99.${toString id}.0/24")
|
||||
];
|
||||
matchConfig.Name = "lan-${name}";
|
||||
networkConfig = {
|
||||
MulticastDNS = true;
|
||||
IPv6PrivacyExtensions = "yes";
|
||||
IPv4Forwarding = "yes";
|
||||
IPv6SendRA = true;
|
||||
IPv6AcceptRA = false;
|
||||
DHCPPrefixDelegation = true;
|
||||
};
|
||||
ipv6Prefixes = [
|
||||
{ Prefix = "fd${toString id}::/64"; }
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
));
|
||||
networking.nftables.firewall = {
|
||||
snippets.nnf-ssh.enable = lib.mkForce false;
|
||||
rules = {
|
||||
ssh = {
|
||||
from = [
|
||||
"fritz"
|
||||
"home"
|
||||
];
|
||||
to = [ "local" ];
|
||||
allowedTCPPorts = [ 22 ];
|
||||
};
|
||||
internet = {
|
||||
from = [
|
||||
"home"
|
||||
"devices"
|
||||
"guests"
|
||||
"services"
|
||||
];
|
||||
to = [ "fritz" ];
|
||||
late = true;
|
||||
verdict = "accept";
|
||||
masquerade = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
networking.nftables.firewall.zones.fritz.interfaces = [ "vlan-fritz" ];
|
||||
networking = {
|
||||
inherit (config.secrets.secrets.local.networking) hostId;
|
||||
};
|
||||
systemd.network = {
|
||||
networks = {
|
||||
"10-lan01" = {
|
||||
address = [
|
||||
(lib.net.cidr.hostCidr config.secrets.secrets.global.net.ips.${config.node.name}
|
||||
config.secrets.secrets.global.net.privateSubnetv4
|
||||
)
|
||||
];
|
||||
gateway = [ (lib.net.cidr.host 1 config.secrets.secrets.global.net.privateSubnetv4) ];
|
||||
#matchConfig.MACAddress = config.secrets.secrets.local.networking.interfaces.lan01.mac;
|
||||
matchConfig.Name = "lan";
|
||||
dhcpV6Config.UseDNS = false;
|
||||
dhcpV4Config.UseDNS = false;
|
||||
ipv6AcceptRAConfig.UseDNS = false;
|
||||
networkConfig = {
|
||||
MulticastDNS = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
netdevs."40-vlan-fritz" = {
|
||||
netdevConfig = {
|
||||
Name = "vlan-fritz";
|
||||
|
@ -30,49 +110,22 @@
|
|||
};
|
||||
vlanConfig.Id = 2;
|
||||
};
|
||||
netdevs."40-vlan-home" = {
|
||||
netdevConfig = {
|
||||
Name = "vlan-home";
|
||||
Kind = "vlan";
|
||||
networks = {
|
||||
"10-lan-fritz" = {
|
||||
address = [
|
||||
(lib.net.cidr.hostCidr 2 "10.99.2.0/24")
|
||||
];
|
||||
gateway = [ (lib.net.cidr.host 1 "10.99.2.0/24") ];
|
||||
matchConfig.Name = "vlan-fritz";
|
||||
networkConfig = {
|
||||
IPv6PrivacyExtensions = "yes";
|
||||
};
|
||||
vlanConfig.Id = 10;
|
||||
};
|
||||
|
||||
netdevs."40-vlan-services" = {
|
||||
netdevConfig = {
|
||||
Name = "vlan-services";
|
||||
Kind = "vlan";
|
||||
};
|
||||
vlanConfig.Id = 20;
|
||||
};
|
||||
|
||||
netdevs."40-vlan-devices" = {
|
||||
netdevConfig = {
|
||||
Name = "vlan-devices";
|
||||
Kind = "vlan";
|
||||
};
|
||||
vlanConfig.Id = 30;
|
||||
};
|
||||
|
||||
netdevs."40-vlan-iot" = {
|
||||
netdevConfig = {
|
||||
Name = "vlan-iot";
|
||||
Kind = "vlan";
|
||||
};
|
||||
vlanConfig.Id = 40;
|
||||
};
|
||||
|
||||
netdevs."40-vlan-guests" = {
|
||||
netdevConfig = {
|
||||
Name = "vlan-guests";
|
||||
Kind = "vlan";
|
||||
|
||||
};
|
||||
vlanConfig.Id = 50;
|
||||
};
|
||||
|
||||
networks."40-vlans" = {
|
||||
matchConfig.Name = "lan01";
|
||||
networkConfig.LinkLocalAddressing = "no";
|
||||
vlan = [
|
||||
"vlan-fritz"
|
||||
"vlan-home"
|
||||
|
@ -83,14 +136,6 @@
|
|||
];
|
||||
};
|
||||
};
|
||||
networking.nftables.firewall.zones.untrusted.interfaces = [ "lan" ];
|
||||
|
||||
# To be able to ping containers from the host, it is necessary
|
||||
# to create a macvlan on the host on the VLAN 1 network.
|
||||
networking.macvlans.lan = {
|
||||
interface = "vlan-home";
|
||||
mode = "bridge";
|
||||
};
|
||||
|
||||
boot.initrd = {
|
||||
|
||||
|
@ -101,38 +146,50 @@
|
|||
enable = true;
|
||||
networks = {
|
||||
# redo the network cause the livesystem has macvlans
|
||||
"10-lan01" = {
|
||||
"10-lanhome" = {
|
||||
address = [
|
||||
(lib.net.cidr.hostCidr config.secrets.secrets.global.net.ips.${config.node.name}
|
||||
config.secrets.secrets.global.net.privateSubnetv4
|
||||
)
|
||||
(lib.net.cidr.hostCidr 1 "10.99.10.0/24")
|
||||
];
|
||||
gateway = [ (lib.net.cidr.host 1 config.secrets.secrets.global.net.privateSubnetv4) ];
|
||||
matchConfig.Name = "vlan-home";
|
||||
dhcpV6Config.UseDNS = false;
|
||||
dhcpV4Config.UseDNS = false;
|
||||
ipv6AcceptRAConfig.UseDNS = false;
|
||||
networkConfig = {
|
||||
IPv6PrivacyExtensions = "yes";
|
||||
MulticastDNS = true;
|
||||
};
|
||||
};
|
||||
# redo the network cause the livesystem has macvlans
|
||||
"10-lan-fritz" = {
|
||||
address = [
|
||||
(lib.net.cidr.hostCidr 2 "10.99.2.0/24")
|
||||
];
|
||||
gateway = [ (lib.net.cidr.host 1 "10.99.2.0/24") ];
|
||||
matchConfig.Name = "vlan-fritz";
|
||||
networkConfig = {
|
||||
IPv6PrivacyExtensions = "yes";
|
||||
};
|
||||
netdevs."10-vlan-home" = {
|
||||
netdevConfig = {
|
||||
Name = "vlan-home";
|
||||
Kind = "vlan";
|
||||
|
||||
};
|
||||
vlanConfig.Id = 10;
|
||||
};
|
||||
|
||||
networks."40-vlans" = {
|
||||
"40-vlans" = {
|
||||
matchConfig.MACAddress = config.secrets.secrets.local.networking.interfaces.lan01.mac;
|
||||
vlan = [
|
||||
"vlan-home"
|
||||
"vlan-fritz"
|
||||
];
|
||||
};
|
||||
};
|
||||
netdevs = {
|
||||
"10-vlan-home" = {
|
||||
netdevConfig = {
|
||||
Name = "vlan-home";
|
||||
Kind = "vlan";
|
||||
};
|
||||
vlanConfig.Id = 10;
|
||||
};
|
||||
"10-vlan-fritz" = {
|
||||
netdevConfig = {
|
||||
Name = "vlan-fritz";
|
||||
Kind = "vlan";
|
||||
};
|
||||
vlanConfig.Id = 2;
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
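Review bot: The new `ssh` rule (`from = [ "fritz" "home" ]`) exposes TCP/22 to the `fritz` zone, and `fritz` (`vlan-fritz`, gateway `10.99.2.1`) is the same zone the `internet` rule masquerades into, i.e. the upstream side of this router; if that segment is the Fritz!Box's LAN, anything attached to it gets a path to the router's SSH, so either restrict to `from = [ "home" ];` or add a comment documenting why management from upstream is intended. The `10-lan-fritz` network that appears to replace `10-lan01` also drops the `dhcpV4Config.UseDNS`/`dhcpV6Config.UseDNS`/`ipv6AcceptRAConfig.UseDNS = false` lines, so with RA acceptance at its default the router may take resolvers from upstream RAs on the uplink; `ipv6AcceptRAConfig.UseDNS = false;` there preserves the previous behaviour. `iot` appears in no rule at all (not in `internet`, nothing to `local`), which looks deliberate but deserves a one-line comment so it is not "fixed" later. This note concerns the first hunk and the `10-lan-fritz` network; the file's later hunks are not fully resolvable to old/new sides from the rendering.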