feat: switch to new extra-modules allowing multiple interfaces

feat: finish firewall network config
feat: kea configuration
2024-12-20 11:42:35 +01:00 · 2024-12-20 11:42:34 +01:00 · 2024-12-20 11:42:34 +01:00
17 changed files with 396 additions and 269 deletions
--- a/README.md
+++ b/README.md
@ -90,15 +90,13 @@ These are notable external flakes which this config depend upon

 ### Add secureboot to new systems

-1. generate keys with `sbct create-keys`
-1. tar the resulting folder using `tar cvf secureboot.tar -C /etc/secureboot .`
+1. generate keys with `sbctl create-keys`
+1. tar the resulting folder using `tar cvf secureboot.tar -C /var/lib/sbctl .`
 1. Copy the tar to local using scp and encrypt it using rage
    - `rage -e -R ./secrets/recipients.txt secureboot.tar -o <host>/secrets/secureboot.tar.age`
 1. safe the encrypted archive to `hosts/<host>/secrets/secureboot.tar.age`
 1. *DO NOT* forget to delete the unecrypted archives
 1. Deploy your system with lanzaboote enabled
-    - link `/run/secureboot` to `/etc/secureboot`
-    - This is necesarry since for your this apply the rekeyed keys are not yet available but already needed for signing the boot files
 1. ensure the boot files are signed using `sbctl verify`
 1. Now reboot the computer into BIOS and enable secureboot,
    this may include removing any existing old keys
--- a/config/services/adguardhome.nix
+++ b/config/services/adguardhome.nix
@ -13,12 +13,7 @@
    settings = {
      dns = {
        bind_hosts = [
-          (lib.net.cidr.host config.secrets.secrets.global.net.ips.${config.node.name}
-            config.secrets.secrets.global.net.privateSubnetv4
-          )
-          (lib.net.cidr.host config.secrets.secrets.global.net.ips.${config.node.name}
-            config.secrets.secrets.global.net.privateSubnetv6
-          )
+          "0.0.0.0"
        ];
        anonymize_client_ip = false;
        upstream_dns = [
--- a/config/services/netbird.nix
+++ b/config/services/netbird.nix
@ -79,7 +79,8 @@

      management = {
        port = 3000;
-        dnsDomain = "internal.${config.secrets.secrets.global.domains.web}";
+        # DNS server should do the lookup this is not used
+        dnsDomain = "internal.invalid";
        singleAccountModeDomain = "netbird.patrick";
        oidcConfigEndpoint = "https://auth.${config.secrets.secrets.global.domains.web}/oauth2/openid/netbird/.well-known/openid-configuration";
        settings = {
--- a/config/support/secureboot.nix
+++ b/config/support/secureboot.nix
@ -8,15 +8,16 @@
 lib.optionalAttrs (!minimal) {
  environment.systemPackages = [
    # For debugging and troubleshooting Secure Boot.
-    (pkgs.sbctl.override { databasePath = "/run/secureboot"; })
+    pkgs.sbctl
  ];
  age.secrets.secureboot.rekeyFile = ../../hosts/${config.node.name}/secrets/secureboot.tar.age;
  system.activationScripts.securebootuntar = {
+    # TODO sbctl config file
    text = ''
-         rm -r /run/secureboot || true
-         mkdir -p /run/secureboot
-      chmod 700 /run/secureboot
-         ${pkgs.gnutar}/bin/tar xf ${config.age.secrets.secureboot.path} -C /run/secureboot || true
+      rm -r /var/lib/sbctl || true
+      mkdir -p /var/lib/sbctl
+      chmod 700 /var/lib/sbctl
+      ${pkgs.gnutar}/bin/tar xf ${config.age.secrets.secureboot.path} -C /var/lib/sbctl || true
    '';
    deps = [ "agenix" ];
  };
@ -29,8 +30,6 @@ lib.optionalAttrs (!minimal) {

  boot.lanzaboote = {
    enable = true;
-    # Not usable anyway
-    #enrollKeys = true;
-    pkiBundle = "/run/secureboot";
+    pkiBundle = "/var/lib/sbctl/";
  };
 }
--- a/flake.lock
+++ b/flake.lock
@ -134,29 +134,14 @@
    },
    "crane_2": {
      "inputs": {
-        "flake-compat": [
-          "lanzaboote",
-          "flake-compat"
-        ],
-        "flake-utils": [
-          "lanzaboote",
-          "flake-utils"
-        ],
-        "nixpkgs": [
-          "lanzaboote",
-          "nixpkgs"
-        ],
-        "rust-overlay": [
-          "lanzaboote",
-          "rust-overlay"
-        ]
+        "nixpkgs": "nixpkgs"
      },
      "locked": {
-        "lastModified": 1681177078,
-        "narHash": "sha256-ZNIjBDou2GOabcpctiQykEQVkI8BDwk7TyvlWlI4myE=",
+        "lastModified": 1717535930,
+        "narHash": "sha256-1hZ/txnbd/RmiBPNUs7i8UQw2N89uAK3UzrGAWdnFfU=",
        "owner": "ipetkov",
        "repo": "crane",
-        "rev": "0c9f468ff00576577d83f5019a66c557ede5acf6",
+        "rev": "55e7754ec31dac78980c8be45f8a28e80e370946",
        "type": "github"
      },
      "original": {
@ -553,11 +538,11 @@
    "flake-compat_4": {
      "flake": false,
      "locked": {
-        "lastModified": 1673956053,
-        "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
        "owner": "edolstra",
        "repo": "flake-compat",
-        "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
        "type": "github"
      },
      "original": {
@ -707,11 +692,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1680392223,
-        "narHash": "sha256-n3g7QFr85lDODKt250rkZj2IFS3i4/8HBU2yKHO3tqw=",
+        "lastModified": 1717285511,
+        "narHash": "sha256-iKzJcpdXih14qYVcZ9QC9XuZYnPc6T8YImb6dX166kw=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
-        "rev": "dcc36e45d054d7bb554c9cdab69093debd91a0b5",
+        "rev": "2a55567fcf15b1b1c7ed712a2c6fadaec7412ea8",
        "type": "github"
      },
      "original": {
@ -786,11 +771,11 @@
        "systems": "systems_2"
      },
      "locked": {
-        "lastModified": 1681202837,
-        "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
+        "lastModified": 1731533236,
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "cfacdce06f30d2b68473a46042957675eebb3401",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
        "type": "github"
      },
      "original": {
@ -1009,11 +994,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1660459072,
-        "narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=",
+        "lastModified": 1709087332,
+        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
        "owner": "hercules-ci",
        "repo": "gitignore.nix",
-        "rev": "a20de23b925fd8264fd7fad6454652e142fd7f73",
+        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
        "type": "github"
      },
      "original": {
@ -1283,7 +1268,6 @@
        "crane": "crane_2",
        "flake-compat": "flake-compat_4",
        "flake-parts": "flake-parts_4",
-        "flake-utils": "flake-utils",
        "nixpkgs": [
          "nixpkgs"
        ],
@ -1291,16 +1275,15 @@
        "rust-overlay": "rust-overlay_2"
      },
      "locked": {
-        "lastModified": 1682802423,
-        "narHash": "sha256-Fb5TeRTdvUlo/5Yi2d+FC8a6KoRLk2h1VE0/peMhWPs=",
+        "lastModified": 1731941836,
+        "narHash": "sha256-zpmAzrvK8KdssBSwiIwwRxaUJ77oWORbW0XFvgCFpTE=",
        "owner": "nix-community",
        "repo": "lanzaboote",
-        "rev": "64b903ca87d18cef2752c19c098af275c6e51d63",
+        "rev": "2f48272f34174fd2a5ab3df4d8a46919247be879",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
-        "ref": "v0.3.0",
        "repo": "lanzaboote",
        "type": "github"
      }
@ -1423,7 +1406,7 @@
        "crane": "crane_3",
        "dream2nix": "dream2nix_2",
        "mk-naked-shell": "mk-naked-shell_2",
-        "nixpkgs": "nixpkgs_2",
+        "nixpkgs": "nixpkgs_3",
        "parts": "parts_2",
        "rust-overlay": "rust-overlay_3",
        "treefmt": "treefmt_2"
@ -1467,7 +1450,7 @@
      "inputs": {
        "flake-parts": "flake-parts_6",
        "nix-github-actions": "nix-github-actions",
-        "nixpkgs": "nixpkgs_7",
+        "nixpkgs": "nixpkgs_8",
        "treefmt-nix": "treefmt-nix_4"
      },
      "locked": {
@ -1530,7 +1513,7 @@
      "inputs": {
        "devshell": "devshell_4",
        "flake-utils": "flake-utils_3",
-        "nixpkgs": "nixpkgs",
+        "nixpkgs": "nixpkgs_2",
        "pre-commit-hooks": "pre-commit-hooks_3"
      },
      "locked": {
@ -1573,12 +1556,13 @@
        "pre-commit-hooks": "pre-commit-hooks_4"
      },
      "locked": {
-        "lastModified": 1734380654,
-        "narHash": "sha256-YrJ4vz6fbz5Sz7H6mdFsqaqEkLVOJUnrUi6swiYbmc4=",
-        "owner": "oddlama",
-        "repo": "nixos-extra-modules",
-        "rev": "da6945497bb3e6a2baf3d783c12d780ea8c4b5ea",
-        "type": "github"
+        "lastModified": 1734643696,
+        "narHash": "sha256-W5JSWhhThI9erzhZmpHy1gZGwSxEGPKYmOUBEXH/WGA=",
+        "ref": "refs/heads/main",
+        "rev": "6a4736e0773a1852b0b6c5f71cbe96dd39c3caf1",
+        "revCount": 40,
+        "type": "git",
+        "url": "file:///home/patrick/repos/nix/nixos-extra-modules"
      },
      "original": {
        "owner": "oddlama",
@ -1648,7 +1632,7 @@
        "devshell": "devshell_6",
        "flake-parts": "flake-parts_5",
        "nci": "nci_2",
-        "nixpkgs": "nixpkgs_3",
+        "nixpkgs": "nixpkgs_4",
        "pre-commit-hooks": "pre-commit-hooks_5",
        "treefmt-nix": "treefmt-nix_3"
      },
@ -1668,16 +1652,16 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1730531603,
-        "narHash": "sha256-Dqg6si5CqIzm87sp57j5nTaeBbWhHFaVyG7V6L8k3lY=",
+        "lastModified": 1734126203,
+        "narHash": "sha256-0XovF7BYP50rTD2v4r55tR5MuBLet7q4xIz6Rgh3BBU=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "7ffd9ae656aec493492b44d0ddfb28e79a1ea25d",
+        "rev": "71a6392e367b08525ee710a93af2e80083b5b3e2",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
-        "ref": "nixos-unstable",
+        "ref": "nixpkgs-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
@ -1779,16 +1763,16 @@
    },
    "nixpkgs-stable_3": {
      "locked": {
-        "lastModified": 1678872516,
-        "narHash": "sha256-/E1YwtMtFAu2KUQKV/1+KFuReYPANM2Rzehk84VxVoc=",
+        "lastModified": 1710695816,
+        "narHash": "sha256-3Eh7fhEID17pv9ZxrPwCLfqXnYP006RKzSs0JptsN84=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "9b8e5abb18324c7fe9f07cb100c3cd4a29cda8b8",
+        "rev": "614b4613980a522ba49f0d194531beddbb7220d3",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
-        "ref": "nixos-22.11",
+        "ref": "nixos-23.11",
        "repo": "nixpkgs",
        "type": "github"
      }
@ -1865,6 +1849,22 @@
      }
    },
    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1730531603,
+        "narHash": "sha256-Dqg6si5CqIzm87sp57j5nTaeBbWhHFaVyG7V6L8k3lY=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "7ffd9ae656aec493492b44d0ddfb28e79a1ea25d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_3": {
      "locked": {
        "lastModified": 1731139594,
        "narHash": "sha256-IigrKK3vYRpUu+HEjPL/phrfh7Ox881er1UEsZvw9Q4=",
@ -1880,7 +1880,7 @@
        "type": "github"
      }
    },
-    "nixpkgs_3": {
+    "nixpkgs_4": {
      "locked": {
        "lastModified": 1731319897,
        "narHash": "sha256-PbABj4tnbWFMfBp6OcUK5iGy1QY+/Z96ZcLpooIbuEI=",
@ -1896,7 +1896,7 @@
        "type": "github"
      }
    },
-    "nixpkgs_4": {
+    "nixpkgs_5": {
      "locked": {
        "lastModified": 1730768919,
        "narHash": "sha256-8AKquNnnSaJRXZxc5YmF/WfmxiHX6MMZZasRP6RRQkE=",
@ -1912,7 +1912,7 @@
        "type": "github"
      }
    },
-    "nixpkgs_5": {
+    "nixpkgs_6": {
      "locked": {
        "lastModified": 1726871744,
        "narHash": "sha256-V5LpfdHyQkUF7RfOaDPrZDP+oqz88lTJrMT1+stXNwo=",
@ -1928,7 +1928,7 @@
        "type": "github"
      }
    },
-    "nixpkgs_6": {
+    "nixpkgs_7": {
      "locked": {
        "lastModified": 1734119587,
        "narHash": "sha256-AKU6qqskl0yf2+JdRdD0cfxX4b9x3KKV5RqA6wijmPM=",
@ -1944,7 +1944,7 @@
        "type": "github"
      }
    },
-    "nixpkgs_7": {
+    "nixpkgs_8": {
      "locked": {
        "lastModified": 1732238832,
        "narHash": "sha256-sQxuJm8rHY20xq6Ah+GwIUkF95tWjGRd1X8xF+Pkk38=",
@ -1960,7 +1960,7 @@
        "type": "github"
      }
    },
-    "nixpkgs_8": {
+    "nixpkgs_9": {
      "locked": {
        "lastModified": 1725194671,
        "narHash": "sha256-tLGCFEFTB5TaOKkpfw3iYT9dnk4awTP/q4w+ROpMfuw=",
@ -2101,10 +2101,6 @@
          "lanzaboote",
          "flake-compat"
        ],
-        "flake-utils": [
-          "lanzaboote",
-          "flake-utils"
-        ],
        "gitignore": "gitignore_3",
        "nixpkgs": [
          "lanzaboote",
@ -2113,11 +2109,11 @@
        "nixpkgs-stable": "nixpkgs-stable_3"
      },
      "locked": {
-        "lastModified": 1681413034,
-        "narHash": "sha256-/t7OjNQcNkeWeSq/CFLYVBfm+IEnkjoSm9iKvArnUUI=",
+        "lastModified": 1717664902,
+        "narHash": "sha256-7XfBuLULizXjXfBYy/VV+SpYMHreNRHk9nKMsm1bgb4=",
        "owner": "cachix",
        "repo": "pre-commit-hooks.nix",
-        "rev": "d3de8f69ca88fb6f8b09e5b598be5ac98d28ede5",
+        "rev": "cc4d466cb1254af050ff7bdf47f6d404a7c646d1",
        "type": "github"
      },
      "original": {
@ -2209,7 +2205,7 @@
      "inputs": {
        "flake-compat": "flake-compat_8",
        "gitignore": "gitignore_6",
-        "nixpkgs": "nixpkgs_4",
+        "nixpkgs": "nixpkgs_5",
        "nixpkgs-stable": "nixpkgs-stable_5"
      },
      "locked": {
@ -2352,7 +2348,7 @@
        "nixos-hardware": "nixos-hardware",
        "nixos-nftables-firewall": "nixos-nftables-firewall",
        "nixp-meta": "nixp-meta",
-        "nixpkgs": "nixpkgs_6",
+        "nixpkgs": "nixpkgs_7",
        "nixpkgs-wayland": "nixpkgs-wayland",
        "nixvim": "nixvim",
        "pre-commit-hooks": "pre-commit-hooks_6",
@ -2386,21 +2382,18 @@
    },
    "rust-overlay_2": {
      "inputs": {
-        "flake-utils": [
-          "lanzaboote",
-          "flake-utils"
-        ],
+        "flake-utils": "flake-utils",
        "nixpkgs": [
          "lanzaboote",
          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1682129965,
-        "narHash": "sha256-1KRPIorEL6pLpJR04FwAqqnt4Tzcm4MqD84yhlD+XSk=",
+        "lastModified": 1717813066,
+        "narHash": "sha256-wqbRwq3i7g5EHIui0bIi84mdqZ/It1AXBSLJ5tafD28=",
        "owner": "oxalica",
        "repo": "rust-overlay",
-        "rev": "2c417c0460b788328220120c698630947547ee83",
+        "rev": "6dc3e45fe4aee36efeed24d64fc68b1f989d5465",
        "type": "github"
      },
      "original": {
@ -2526,7 +2519,7 @@
        "flake-utils": "flake-utils_7",
        "gnome-shell": "gnome-shell",
        "home-manager": "home-manager_3",
-        "nixpkgs": "nixpkgs_8",
+        "nixpkgs": "nixpkgs_9",
        "systems": "systems_9",
        "tinted-foot": "tinted-foot",
        "tinted-kitty": "tinted-kitty",
@ -2827,7 +2820,7 @@
    },
    "treefmt-nix_3": {
      "inputs": {
-        "nixpkgs": "nixpkgs_5"
+        "nixpkgs": "nixpkgs_6"
      },
      "locked": {
        "lastModified": 1730321837,
--- a/flake.nix
+++ b/flake.nix
@ -85,7 +85,7 @@
    };

    lanzaboote = {
-      url = "github:nix-community/lanzaboote/v0.3.0";
+      url = "github:nix-community/lanzaboote";
      inputs.nixpkgs.follows = "nixpkgs";
    };

--- a/hosts/elisabeth/guests.nix
+++ b/hosts/elisabeth/guests.nix
@ -219,23 +219,11 @@ in
            ../../config/services/${guestName}.nix
            {
              node.secretsDir = config.node.secretsDir + "/${guestName}";
-              networking.nftables.firewall.zones.untrusted.interfaces = [
-                config.guests.${guestName}.networking.mainLinkName
-              ];
-              systemd.network.networks."10-${config.guests.${guestName}.networking.mainLinkName}" = {
-                DHCP = lib.mkForce "no";
-                address = [
-                  (lib.net.cidr.hostCidr
-                    config.secrets.secrets.global.net.ips."${config.guests.${guestName}.nodeName}"
-                    config.secrets.secrets.global.net.privateSubnetv4
-                  )
-                  (lib.net.cidr.hostCidr
-                    config.secrets.secrets.global.net.ips."${config.guests.${guestName}.nodeName}"
-                    config.secrets.secrets.global.net.privateSubnetv6
-                  )
-                ];
-                gateway = [ (lib.net.cidr.host 1 config.secrets.secrets.global.net.privateSubnetv4) ];
-              };
+              networking.nftables.firewall.zones.untrusted.interfaces =
+                if lib.length config.guests.${guestName}.networking.links < 2 then
+                  config.guests.${guestName}.networking.links
+                else
+                  [ ];
            }
          ];
        };
@ -245,7 +233,7 @@ in
          backend = "microvm";
          microvm = {
            system = "x86_64-linux";
-            macvtap = "lan";
+            interfaces."lan" = { };
            baseMac = config.secrets.secrets.local.networking.interfaces.lan01.mac;
          };
          extraSpecialArgs = {
@ -259,7 +247,7 @@ in
      mkContainer = guestName: cfg: {
        ${guestName} = mkGuest guestName cfg // {
          backend = "container";
-          container.macvlan = "lan";
+          container.macvlans = [ "lan" ];
          extraSpecialArgs = {
            inherit
              lib
--- a/hosts/nucnix/default.nix
+++ b/hosts/nucnix/default.nix
@ -16,6 +16,7 @@
    ../../config/support/physical.nix
    ../../config/support/zfs.nix
    ../../config/support/server.nix
+    ../../config/support/secureboot.nix

    ./net.nix
    ./fs.nix
--- a/hosts/nucnix/guests.nix
+++ b/hosts/nucnix/guests.nix
@ -11,8 +11,7 @@ let
  domainOf =
    hostName:
    let
-      domains =
-        {
+      domains = {
      };
    in
    "${domains.${hostName}}.${config.secrets.secrets.global.domains.web}";
@ -115,7 +114,7 @@ in

  guests =
    let
-      mkGuest = guestName: {
+      mkGuest = guestName: _: {
        autostart = true;
        zfs."/state" = {
          pool = "rpool";
@ -130,23 +129,11 @@ in
          ../../config/services/${guestName}.nix
          {
            node.secretsDir = config.node.secretsDir + "/${guestName}";
-            networking.nftables.firewall.zones.untrusted.interfaces = [
-              config.guests.${guestName}.networking.mainLinkName
-            ];
-            systemd.network.networks."10-${config.guests.${guestName}.networking.mainLinkName}" = {
-              DHCP = lib.mkForce "no";
-              address = [
-                (lib.net.cidr.hostCidr
-                  config.secrets.secrets.global.net.ips."${config.guests.${guestName}.nodeName}"
-                  config.secrets.secrets.global.net.privateSubnetv4
-                )
-                (lib.net.cidr.hostCidr
-                  config.secrets.secrets.global.net.ips."${config.guests.${guestName}.nodeName}"
-                  config.secrets.secrets.global.net.privateSubnetv6
-                )
-              ];
-              gateway = [ (lib.net.cidr.host 1 config.secrets.secrets.global.net.privateSubnetv4) ];
-            };
+            networking.nftables.firewall.zones.untrusted.interfaces =
+              if lib.length config.guests.${guestName}.networking.links < 2 then
+                config.guests.${guestName}.networking.links
+              else
+                [ ];
          }
        ];
      };
@ -167,10 +154,16 @@ in
        };
      };

-      mkContainer = guestName: cfg: {
+      mkContainer =
+        guestName:
+        {
+          macvlans ? [ "lan-services" ],
+          ...
+        }@cfg:
+        {
          ${guestName} = mkGuest guestName cfg // {
            backend = "container";
-          container.macvlan = "lan";
+            container.macvlans = macvlans;
            extraSpecialArgs = {
              inherit
                lib
@ -183,5 +176,5 @@ in
          };
        };
    in
-    { };
+    { } // mkContainer "adguardhome" { macvlans = [ "lan-services" ]; };
 }
--- a/hosts/nucnix/hostapd.nix
+++ b/hosts/nucnix/hostapd.nix
@ -1,6 +1,13 @@
 { config, ... }:
-let
-  cfg = name: {
+
+{
+
+  hardware.wirelessRegulatoryDatabase = true;
+
+  services.hostapd = {
+    enable = true;
+    radios.wlan1 = {
+      band = "2g";
      countryCode = "DE";
      # wifi4.capabilities = [
      #   "LDPC"
@ -14,7 +21,7 @@ let
      # ];
      wifi6.enable = true;
      wifi7.enable = true;
-    networks."${name}" = {
+      networks.wlan1 = {
        inherit (config.secrets.secrets.global.hostapd) ssid;
        apIsolate = true;
        authentication = {
@ -29,19 +36,5 @@ let
        bssid = "02:c0:ca:b1:4f:9f";
      };
    };
-in
-
-{
-
-  hardware.wirelessRegulatoryDatabase = true;
-
-  services.hostapd = {
-    enable = true;
-    radios.wlan1 = {
-      band = "2g";
-    } // cfg "wlan1";
-    radios.wlan2 = {
-      band = "5g";
-    } // cfg "wlan2";
  };
 }
--- a/hosts/nucnix/kea.nix
+++ b/hosts/nucnix/kea.nix
@ -0,0 +1,84 @@
+{
+  lib,
+  utils,
+  ...
+}:
+let
+  inherit (lib)
+    net
+    flip
+    mapAttrsToList
+    ;
+  vlans = {
+    home = 10;
+    services = 20;
+    devices = 30;
+    iot = 40;
+    guests = 50;
+  };
+in
+{
+  environment.persistence."/persist".directories = [
+    {
+      directory = "/var/lib/private/kea";
+      mode = "0700";
+    }
+  ];
+
+  services.kea.dhcp4 = {
+    enable = true;
+    settings = {
+      lease-database = {
+        name = "/var/lib/kea/dhcp4.leases";
+        persist = true;
+        type = "memfile";
+      };
+      valid-lifetime = 86400;
+      renew-timer = 3600;
+      interfaces-config = {
+        interfaces = flip mapAttrsToList vlans (x: _: "lan-${x}");
+      };
+      subnet4 = flip mapAttrsToList vlans (
+        name: id: rec {
+          inherit id;
+          interface = "lan-${name}";
+          subnet = "10.99.${toString id}.0/24";
+          pools = [
+            {
+              pool = "${net.cidr.host 50 subnet} - ${net.cidr.host (-6) subnet}";
+            }
+          ];
+          option-data = [
+            {
+              name = "routers";
+              data = "${net.cidr.host 1 subnet}";
+            }
+            {
+              name = "domain-name-servers";
+              data = "${net.cidr.host 10 subnet}";
+            }
+          ];
+          reservations = [
+            #FIXME
+            # {
+            #   hw-address = nodes.ward-adguardhome.config.lib.microvm.mac;
+            #   ip-address = globals.net.home-lan.hosts.ward-adguardhome.ipv4;
+            # }
+            # {
+            #   hw-address = nodes.ward-web-proxy.config.lib.microvm.mac;
+            #   ip-address = globals.net.home-lan.hosts.ward-web-proxy.ipv4;
+            # }
+            # {
+            #   hw-address = nodes.sire-samba.config.lib.microvm.mac;
+            #   ip-address = globals.net.home-lan.hosts.sire-samba.ipv4;
+            # }
+          ];
+        }
+      );
+    };
+  };
+
+  systemd.services.kea-dhcp4-server.after = [
+    "sys-subsystem-net-devices-${utils.escapeSystemdPath "lan-self"}.device"
+  ];
+}
--- a/hosts/nucnix/net.nix
+++ b/hosts/nucnix/net.nix
@ -1,72 +1,133 @@
 { config, lib, ... }:
+let
+  vlans = {
+    home = 10;
+    services = 20;
+    devices = 30;
+    iot = 40;
+    guests = 50;
+  };
+  inherit (lib) flip mapAttrsToList;
+in
 {
-  imports = [ ./hostapd.nix ];
+  imports =
+    [
+      ./hostapd.nix
+      ./kea.nix
+    ]
+    ++ (flip mapAttrsToList vlans (
+      name: id: {
+        networking.nftables.firewall.zones.${name}.interfaces = [ "lan-${name}" ];
+
+        systemd.network = {
+          netdevs = {
+            "40-vlan-${name}" = {
+              netdevConfig = {
+                Name = "vlan-${name}";
+                Kind = "vlan";
+              };
+              vlanConfig.Id = id;
+            };
+            "50-mlan-${name}" = {
+              netdevConfig = {
+                Name = "lan-${name}";
+                Kind = "macvlan";
+              };
+              extraConfig = ''
+                [MACVLAN]
+                Mode=bridge
+              '';
+            };
+          };
+          networks = {
+            "10-vlan-${name}" = {
+              matchConfig.Name = "vlan-${name}";
+              # This interface should only be used from attached macvtaps.
+              # So don't acquire a link local address and only wait for
+              # this interface to gain a carrier.
+              networkConfig.LinkLocalAddressing = "no";
+              linkConfig.RequiredForOnline = "carrier";
+              extraConfig = ''
+                [Network]
+                MACVLAN=lan-${name}
+              '';
+            };
+            "20-lan-${name}" = {
+              address = [
+                (lib.net.cidr.hostCidr 1 "10.99.${toString id}.0/24")
+              ];
+              matchConfig.Name = "lan-${name}";
+              networkConfig = {
+                MulticastDNS = true;
+                IPv6PrivacyExtensions = "yes";
+                IPv4Forwarding = "yes";
+                IPv6SendRA = true;
+                IPv6AcceptRA = false;
+                DHCPPrefixDelegation = true;
+              };
+              ipv6Prefixes = [
+                { Prefix = "fd${toString id}::/64"; }
+              ];
+            };
+          };
+        };
+      }
+    ));
+  networking.nftables.firewall = {
+    snippets.nnf-ssh.enable = lib.mkForce false;
+    rules = {
+      ssh = {
+        from = [
+          "fritz"
+          "home"
+        ];
+        to = [ "local" ];
+        allowedTCPPorts = [ 22 ];
+      };
+      internet = {
+        from = [
+          "home"
+          "devices"
+          "guests"
+          "services"
+        ];
+        to = [ "fritz" ];
+        late = true;
+        verdict = "accept";
+        masquerade = true;
+      };
+    };
+  };
+  networking.nftables.firewall.zones.fritz.interfaces = [ "vlan-fritz" ];
  networking = {
    inherit (config.secrets.secrets.local.networking) hostId;
  };
  systemd.network = {
+    netdevs."40-vlan-fritz" = {
+      netdevConfig = {
+        Name = "vlan-fritz";
+        Kind = "vlan";
+      };
+      vlanConfig.Id = 2;
+    };
    networks = {
-      "10-lan01" = {
+      "10-lan-fritz" = {
        address = [
-          (lib.net.cidr.hostCidr config.secrets.secrets.global.net.ips.${config.node.name}
-            config.secrets.secrets.global.net.privateSubnetv4
-          )
+          (lib.net.cidr.hostCidr 2 "10.99.2.0/24")
        ];
-        gateway = [ (lib.net.cidr.host 1 config.secrets.secrets.global.net.privateSubnetv4) ];
-        #matchConfig.MACAddress = config.secrets.secrets.local.networking.interfaces.lan01.mac;
-        matchConfig.Name = "lan";
-        dhcpV6Config.UseDNS = false;
-        dhcpV4Config.UseDNS = false;
-        ipv6AcceptRAConfig.UseDNS = false;
+        gateway = [ (lib.net.cidr.host 1 "10.99.2.0/24") ];
+        matchConfig.Name = "vlan-fritz";
        networkConfig = {
-          MulticastDNS = true;
+          IPv6PrivacyExtensions = "yes";
        };
      };
    };
-    netdevs."40-vlan-home" = {
-      netdevConfig = {
-        Name = "vlan-home";
-        Kind = "vlan";
-      };
-      vlanConfig.Id = 10;
-    };
-
-    netdevs."40-vlan-services" = {
-      netdevConfig = {
-        Name = "vlan-services";
-        Kind = "vlan";
-      };
-      vlanConfig.Id = 20;
-    };
-
-    netdevs."40-vlan-devices" = {
-      netdevConfig = {
-        Name = "vlan-devices";
-        Kind = "vlan";
-      };
-      vlanConfig.Id = 30;
-    };
-
-    netdevs."40-vlan-iot" = {
-      netdevConfig = {
-        Name = "vlan-iot";
-        Kind = "vlan";
-      };
-      vlanConfig.Id = 40;
-    };
-
-    netdevs."40-vlan-guests" = {
-      netdevConfig = {
-        Name = "vlan-guests";
-        Kind = "vlan";
-
-      };
-      vlanConfig.Id = 50;
-    };

    networks."40-vlans" = {
      matchConfig.Name = "lan01";
+      networkConfig.LinkLocalAddressing = "no";
      vlan = [
+        "vlan-fritz"
        "vlan-home"
        "vlan-services"
        "vlan-devices"
@ -75,14 +136,6 @@
      ];
    };
  };
-  networking.nftables.firewall.zones.untrusted.interfaces = [ "lan" ];
-
-  # To be able to ping containers from the host, it is necessary
-  # to create a macvlan on the host on the VLAN 1 network.
-  networking.macvlans.lan = {
-    interface = "vlan-home";
-    mode = "bridge";
-  };

  boot.initrd = {

@ -93,38 +146,50 @@
      enable = true;
      networks = {
        # redo the network cause the livesystem has macvlans
-        "10-lan01" = {
+        "10-lanhome" = {
          address = [
-            (lib.net.cidr.hostCidr config.secrets.secrets.global.net.ips.${config.node.name}
-              config.secrets.secrets.global.net.privateSubnetv4
-            )
+            (lib.net.cidr.hostCidr 1 "10.99.10.0/24")
          ];
-          gateway = [ (lib.net.cidr.host 1 config.secrets.secrets.global.net.privateSubnetv4) ];
          matchConfig.Name = "vlan-home";
-          dhcpV6Config.UseDNS = false;
-          dhcpV4Config.UseDNS = false;
-          ipv6AcceptRAConfig.UseDNS = false;
          networkConfig = {
            IPv6PrivacyExtensions = "yes";
-            MulticastDNS = true;
          };
        };
+        # redo the network cause the livesystem has macvlans
+        "10-lan-fritz" = {
+          address = [
+            (lib.net.cidr.hostCidr 2 "10.99.2.0/24")
+          ];
+          gateway = [ (lib.net.cidr.host 1 "10.99.2.0/24") ];
+          matchConfig.Name = "vlan-fritz";
+          networkConfig = {
+            IPv6PrivacyExtensions = "yes";
          };
-      netdevs."10-vlan-home" = {
-        netdevConfig = {
-          Name = "vlan-home";
-          Kind = "vlan";
-
        };
-        vlanConfig.Id = 10;
-      };
-
-      networks."40-vlans" = {
+        "40-vlans" = {
          matchConfig.MACAddress = config.secrets.secrets.local.networking.interfaces.lan01.mac;
          vlan = [
            "vlan-home"
+            "vlan-fritz"
          ];
        };
      };
+      netdevs = {
+        "10-vlan-home" = {
+          netdevConfig = {
+            Name = "vlan-home";
+            Kind = "vlan";
+          };
+          vlanConfig.Id = 10;
+        };
+        "10-vlan-fritz" = {
+          netdevConfig = {
+            Name = "vlan-fritz";
+            Kind = "vlan";
+          };
+          vlanConfig.Id = 2;
+        };
+      };
+    };
  };
 }
--- a/hosts/nucnix/secrets/secrets.nix.age
+++ b/hosts/nucnix/secrets/secrets.nix.age
--- a/hosts/nucnix/secrets/secureboot.tar.age
+++ b/hosts/nucnix/secrets/secureboot.tar.age
--- a/secrets/wireguard/elisabeth/keys/nucnix-adguardhome.age
+++ b/secrets/wireguard/elisabeth/keys/nucnix-adguardhome.age
--- a/secrets/wireguard/elisabeth/keys/nucnix-adguardhome.pub
+++ b/secrets/wireguard/elisabeth/keys/nucnix-adguardhome.pub
@ -0,0 +1 @@
+F3tFnEGn58ahB2p4hI4xFRfwyK7SU3+Dx598DcLAQlA=
--- a/secrets/wireguard/elisabeth/psks/elisabeth+nucnix-adguardhome.age
+++ b/secrets/wireguard/elisabeth/psks/elisabeth+nucnix-adguardhome.age
@ -0,0 +1,16 @@
+age-encryption.org/v1
+-> X25519 SaIhuXPtLjcLt1Bmbbmx8WaluLUtJRGS6Ehu641msW0
+3Jyo1+XU0WVEsndNWFadBOcbE2TD7akuyyocxnzXcsU
+-> piv-p256 ZFgiIw At2NriI63IhtpOKPqROmstH/t/kIMbXwWD/pKijLGdsd
+yTUXG+ZeR9451nnGg5Nevhf6ES2tL6GpsTgNriNpg0Q
+-> piv-p256 XTQkUA A9BJKAQ8L6ZjMm8W087HhkLNticb/Ddr7eiv/cI0guis
+qPgkfSrq1RtZYCjXgujchhm1M9cW9boWrxCLhwoN/1c
+-> piv-p256 ZFgiIw AzR6JgDfdmALfrIMrk43Fskz3ANKkSHz9bKlW2OF5T/P
+k/vh/K8fmyCGQkoMvNf02b9KB0CZqMLu5RZc9yj1wRE
+-> piv-p256 5vmPtQ AxioglXD0p1v6ZepKafFLW49RG3CUyl4lxjagpkUuI0H
+3/XzPXIV1S7kuTICI0fD+Y2lCjSwcSPwrH9YfkPIyDI
+-> #8D3.~O-grease [Gk GcS
+wuRoJDrp0TmHzMmIEyPkSe4N9ITWjxfMbqQJSxn4rWH4wE+YAbXmJE+Ujtecupnf
+xmymVCCVP5Cvmnx/KrXVVsyxKaLtiYcAnqHvTsmQgQR1LbuV9FB/tw
+--- v0LwqJa53xUGcC7NIzI1UwACS8kGzRaMOsf0HIF6X2A
+Ã‰k˜ÏåvÎÌÆ?¼ú—V®¿"<22>0Ðn<08>d"¸Âøá ;–ÖßËQHSò‚«¿•ÏÄT^³ I*Åï(>èÒÓ…bWmBL-‹,Ì
Author	SHA1	Message	Date
Patrick	8332bc45ba	feat: switch to new extra-modules allowing multiple interfaces	2024-12-20 11:42:35 +01:00
Patrick	f2578916ae	feat: finish firewall network config feat: kea configuration	2024-12-20 11:42:34 +01:00
Patrick	958bbc7942	chore: nucnix secureboot	2024-12-20 11:42:34 +01:00
				`@ -0,0 +1 @@`
				`F3tFnEGn58ahB2p4hI4xFRfwyK7SU3+Dx598DcLAQlA=`