patrick/nix-config
1
1
Fork 0
Code Issues Pull requests Projects Wiki Activity

Compare commits

base: patrick:8332bc45ba6a59148acc09abeab1c56b291e397e
Branches Tags
patrick:master
...
compare: patrick:5cf3b3a69c0f4ac1ff107cff6de27797e8dc669d
Branches Tags
patrick:master

2 commits
8332bc45ba ... 5cf3b3a69c

Author SHA1 Message Date
Patrick 5cf3b3a69c
feat: finish firewall network config 
feat: kea configuration
 2024-12-19 20:25:01 +01:00
Patrick 0bdd15c113
chore: nucnix secureboot 2024-12-17 21:54:26 +01:00
13 changed files with 339 additions and 218 deletions
Show stats Expand all files Collapse all files

6
README.md
View file

@ -90,15 +90,13 @@ These are notable external flakes which this config depend upon
### Add secureboot to new systems
1. generate keys with `sbct create-keys`
1. tar the resulting folder using `tar cvf secureboot.tar -C /etc/secureboot .`
1. generate keys with `sbctl create-keys`
1. tar the resulting folder using `tar cvf secureboot.tar -C /var/lib/sbctl .`
1. Copy the tar to local using scp and encrypt it using rage
- `rage -e -R ./secrets/recipients.txt secureboot.tar -o <host>/secrets/secureboot.tar.age`
1. safe the encrypted archive to `hosts/<host>/secrets/secureboot.tar.age`
1. *DO NOT* forget to delete the unecrypted archives
1. Deploy your system with lanzaboote enabled
- link `/run/secureboot` to `/etc/secureboot`
- This is necesarry since for your this apply the rekeyed keys are not yet available but already needed for signing the boot files
1. ensure the boot files are signed using `sbctl verify`
1. Now reboot the computer into BIOS and enable secureboot,
this may include removing any existing old keys

3
config/services/netbird.nix
View file

@ -79,7 +79,8 @@
management = {
port = 3000;
dnsDomain = "internal.${config.secrets.secrets.global.domains.web}";
# DNS server should do the lookup this is not used
dnsDomain = "internal.invalid";
singleAccountModeDomain = "netbird.patrick";
oidcConfigEndpoint = "https://auth.${config.secrets.secrets.global.domains.web}/oauth2/openid/netbird/.well-known/openid-configuration";
settings = {

15
config/support/secureboot.nix
View file

@ -8,15 +8,16 @@
lib.optionalAttrs (!minimal) {
environment.systemPackages = [
# For debugging and troubleshooting Secure Boot.
(pkgs.sbctl.override { databasePath = "/run/secureboot"; })
pkgs.sbctl
];
age.secrets.secureboot.rekeyFile = ../../hosts/${config.node.name}/secrets/secureboot.tar.age;
system.activationScripts.securebootuntar = {
# TODO sbctl config file
text = ''
rm -r /run/secureboot || true
mkdir -p /run/secureboot
chmod 700 /run/secureboot
${pkgs.gnutar}/bin/tar xf ${config.age.secrets.secureboot.path} -C /run/secureboot || true
rm -r /var/lib/sbctl || true
mkdir -p /var/lib/sbctl
chmod 700 /var/lib/sbctl
${pkgs.gnutar}/bin/tar xf ${config.age.secrets.secureboot.path} -C /var/lib/sbctl || true
'';
deps = [ "agenix" ];
};
@ -29,8 +30,6 @@ lib.optionalAttrs (!minimal) {
boot.lanzaboote = {
enable = true;
# Not usable anyway
#enrollKeys = true;
pkiBundle = "/run/secureboot";
pkiBundle = "/var/lib/sbctl/";
};
}

136
flake.lock
View file

@ -134,29 +134,14 @@
},
"crane_2": {
"inputs": {
"flake-compat": [
"lanzaboote",
"flake-compat"
],
"flake-utils": [
"lanzaboote",
"flake-utils"
],
"nixpkgs": [
"lanzaboote",
"nixpkgs"
],
"rust-overlay": [
"lanzaboote",
"rust-overlay"
]
"nixpkgs": "nixpkgs"
},
"locked": {
"lastModified": 1681177078,
"narHash": "sha256-ZNIjBDou2GOabcpctiQykEQVkI8BDwk7TyvlWlI4myE=",
"lastModified": 1717535930,
"narHash": "sha256-1hZ/txnbd/RmiBPNUs7i8UQw2N89uAK3UzrGAWdnFfU=",
"owner": "ipetkov",
"repo": "crane",
"rev": "0c9f468ff00576577d83f5019a66c557ede5acf6",
"rev": "55e7754ec31dac78980c8be45f8a28e80e370946",
"type": "github"
},
"original": {
@ -553,11 +538,11 @@
"flake-compat_4": {
"flake": false,
"locked": {
"lastModified": 1673956053,
"narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
@ -707,11 +692,11 @@
]
},
"locked": {
"lastModified": 1680392223,
"narHash": "sha256-n3g7QFr85lDODKt250rkZj2IFS3i4/8HBU2yKHO3tqw=",
"lastModified": 1717285511,
"narHash": "sha256-iKzJcpdXih14qYVcZ9QC9XuZYnPc6T8YImb6dX166kw=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "dcc36e45d054d7bb554c9cdab69093debd91a0b5",
"rev": "2a55567fcf15b1b1c7ed712a2c6fadaec7412ea8",
"type": "github"
},
"original": {
@ -786,11 +771,11 @@
"systems": "systems_2"
},
"locked": {
"lastModified": 1681202837,
"narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "cfacdce06f30d2b68473a46042957675eebb3401",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github"
},
"original": {
@ -1009,11 +994,11 @@
]
},
"locked": {
"lastModified": 1660459072,
"narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=",
"lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "a20de23b925fd8264fd7fad6454652e142fd7f73",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github"
},
"original": {
@ -1283,7 +1268,6 @@
"crane": "crane_2",
"flake-compat": "flake-compat_4",
"flake-parts": "flake-parts_4",
"flake-utils": "flake-utils",
"nixpkgs": [
"nixpkgs"
],
@ -1291,16 +1275,15 @@
"rust-overlay": "rust-overlay_2"
},
"locked": {
"lastModified": 1682802423,
"narHash": "sha256-Fb5TeRTdvUlo/5Yi2d+FC8a6KoRLk2h1VE0/peMhWPs=",
"lastModified": 1731941836,
"narHash": "sha256-zpmAzrvK8KdssBSwiIwwRxaUJ77oWORbW0XFvgCFpTE=",
"owner": "nix-community",
"repo": "lanzaboote",
"rev": "64b903ca87d18cef2752c19c098af275c6e51d63",
"rev": "2f48272f34174fd2a5ab3df4d8a46919247be879",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "v0.3.0",
"repo": "lanzaboote",
"type": "github"
}
@ -1423,7 +1406,7 @@
"crane": "crane_3",
"dream2nix": "dream2nix_2",
"mk-naked-shell": "mk-naked-shell_2",
"nixpkgs": "nixpkgs_2",
"nixpkgs": "nixpkgs_3",
"parts": "parts_2",
"rust-overlay": "rust-overlay_3",
"treefmt": "treefmt_2"
@ -1467,7 +1450,7 @@
"inputs": {
"flake-parts": "flake-parts_6",
"nix-github-actions": "nix-github-actions",
"nixpkgs": "nixpkgs_7",
"nixpkgs": "nixpkgs_8",
"treefmt-nix": "treefmt-nix_4"
},
"locked": {
@ -1530,7 +1513,7 @@
"inputs": {
"devshell": "devshell_4",
"flake-utils": "flake-utils_3",
"nixpkgs": "nixpkgs",
"nixpkgs": "nixpkgs_2",
"pre-commit-hooks": "pre-commit-hooks_3"
},
"locked": {
@ -1648,7 +1631,7 @@
"devshell": "devshell_6",
"flake-parts": "flake-parts_5",
"nci": "nci_2",
"nixpkgs": "nixpkgs_3",
"nixpkgs": "nixpkgs_4",
"pre-commit-hooks": "pre-commit-hooks_5",
"treefmt-nix": "treefmt-nix_3"
},
@ -1668,16 +1651,16 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1730531603,
"narHash": "sha256-Dqg6si5CqIzm87sp57j5nTaeBbWhHFaVyG7V6L8k3lY=",
"lastModified": 1734126203,
"narHash": "sha256-0XovF7BYP50rTD2v4r55tR5MuBLet7q4xIz6Rgh3BBU=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "7ffd9ae656aec493492b44d0ddfb28e79a1ea25d",
"rev": "71a6392e367b08525ee710a93af2e80083b5b3e2",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
@ -1779,16 +1762,16 @@
},
"nixpkgs-stable_3": {
"locked": {
"lastModified": 1678872516,
"narHash": "sha256-/E1YwtMtFAu2KUQKV/1+KFuReYPANM2Rzehk84VxVoc=",
"lastModified": 1710695816,
"narHash": "sha256-3Eh7fhEID17pv9ZxrPwCLfqXnYP006RKzSs0JptsN84=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "9b8e5abb18324c7fe9f07cb100c3cd4a29cda8b8",
"rev": "614b4613980a522ba49f0d194531beddbb7220d3",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-22.11",
"ref": "nixos-23.11",
"repo": "nixpkgs",
"type": "github"
}
@ -1865,6 +1848,22 @@
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1730531603,
"narHash": "sha256-Dqg6si5CqIzm87sp57j5nTaeBbWhHFaVyG7V6L8k3lY=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "7ffd9ae656aec493492b44d0ddfb28e79a1ea25d",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1731139594,
"narHash": "sha256-IigrKK3vYRpUu+HEjPL/phrfh7Ox881er1UEsZvw9Q4=",
@ -1880,7 +1879,7 @@
"type": "github"
}
},
"nixpkgs_3": {
"nixpkgs_4": {
"locked": {
"lastModified": 1731319897,
"narHash": "sha256-PbABj4tnbWFMfBp6OcUK5iGy1QY+/Z96ZcLpooIbuEI=",
@ -1896,7 +1895,7 @@
"type": "github"
}
},
"nixpkgs_4": {
"nixpkgs_5": {
"locked": {
"lastModified": 1730768919,
"narHash": "sha256-8AKquNnnSaJRXZxc5YmF/WfmxiHX6MMZZasRP6RRQkE=",
@ -1912,7 +1911,7 @@
"type": "github"
}
},
"nixpkgs_5": {
"nixpkgs_6": {
"locked": {
"lastModified": 1726871744,
"narHash": "sha256-V5LpfdHyQkUF7RfOaDPrZDP+oqz88lTJrMT1+stXNwo=",
@ -1928,7 +1927,7 @@
"type": "github"
}
},
"nixpkgs_6": {
"nixpkgs_7": {
"locked": {
"lastModified": 1734119587,
"narHash": "sha256-AKU6qqskl0yf2+JdRdD0cfxX4b9x3KKV5RqA6wijmPM=",
@ -1944,7 +1943,7 @@
"type": "github"
}
},
"nixpkgs_7": {
"nixpkgs_8": {
"locked": {
"lastModified": 1732238832,
"narHash": "sha256-sQxuJm8rHY20xq6Ah+GwIUkF95tWjGRd1X8xF+Pkk38=",
@ -1960,7 +1959,7 @@
"type": "github"
}
},
"nixpkgs_8": {
"nixpkgs_9": {
"locked": {
"lastModified": 1725194671,
"narHash": "sha256-tLGCFEFTB5TaOKkpfw3iYT9dnk4awTP/q4w+ROpMfuw=",
@ -2101,10 +2100,6 @@
"lanzaboote",
"flake-compat"
],
"flake-utils": [
"lanzaboote",
"flake-utils"
],
"gitignore": "gitignore_3",
"nixpkgs": [
"lanzaboote",
@ -2113,11 +2108,11 @@
"nixpkgs-stable": "nixpkgs-stable_3"
},
"locked": {
"lastModified": 1681413034,
"narHash": "sha256-/t7OjNQcNkeWeSq/CFLYVBfm+IEnkjoSm9iKvArnUUI=",
"lastModified": 1717664902,
"narHash": "sha256-7XfBuLULizXjXfBYy/VV+SpYMHreNRHk9nKMsm1bgb4=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "d3de8f69ca88fb6f8b09e5b598be5ac98d28ede5",
"rev": "cc4d466cb1254af050ff7bdf47f6d404a7c646d1",
"type": "github"
},
"original": {
@ -2209,7 +2204,7 @@
"inputs": {
"flake-compat": "flake-compat_8",
"gitignore": "gitignore_6",
"nixpkgs": "nixpkgs_4",
"nixpkgs": "nixpkgs_5",
"nixpkgs-stable": "nixpkgs-stable_5"
},
"locked": {
@ -2352,7 +2347,7 @@
"nixos-hardware": "nixos-hardware",
"nixos-nftables-firewall": "nixos-nftables-firewall",
"nixp-meta": "nixp-meta",
"nixpkgs": "nixpkgs_6",
"nixpkgs": "nixpkgs_7",
"nixpkgs-wayland": "nixpkgs-wayland",
"nixvim": "nixvim",
"pre-commit-hooks": "pre-commit-hooks_6",
@ -2386,21 +2381,18 @@
},
"rust-overlay_2": {
"inputs": {
"flake-utils": [
"lanzaboote",
"flake-utils"
],
"flake-utils": "flake-utils",
"nixpkgs": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1682129965,
"narHash": "sha256-1KRPIorEL6pLpJR04FwAqqnt4Tzcm4MqD84yhlD+XSk=",
"lastModified": 1717813066,
"narHash": "sha256-wqbRwq3i7g5EHIui0bIi84mdqZ/It1AXBSLJ5tafD28=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "2c417c0460b788328220120c698630947547ee83",
"rev": "6dc3e45fe4aee36efeed24d64fc68b1f989d5465",
"type": "github"
},
"original": {
@ -2526,7 +2518,7 @@
"flake-utils": "flake-utils_7",
"gnome-shell": "gnome-shell",
"home-manager": "home-manager_3",
"nixpkgs": "nixpkgs_8",
"nixpkgs": "nixpkgs_9",
"systems": "systems_9",
"tinted-foot": "tinted-foot",
"tinted-kitty": "tinted-kitty",
@ -2827,7 +2819,7 @@
},
"treefmt-nix_3": {
"inputs": {
"nixpkgs": "nixpkgs_5"
"nixpkgs": "nixpkgs_6"
},
"locked": {
"lastModified": 1730321837,

2
flake.nix
View file

@ -85,7 +85,7 @@
};
lanzaboote = {
url = "github:nix-community/lanzaboote/v0.3.0";
url = "github:nix-community/lanzaboote";
inputs.nixpkgs.follows = "nixpkgs";
};

1
hosts/nucnix/default.nix
View file

@ -16,6 +16,7 @@
../../config/support/physical.nix
../../config/support/zfs.nix
../../config/support/server.nix
../../config/support/secureboot.nix
./net.nix
./fs.nix

18
hosts/nucnix/guests.nix
View file

@ -11,9 +11,8 @@ let
domainOf =
hostName:
let
domains =
{
};
domains = {
};
in
"${domains.${hostName}}.${config.secrets.secrets.global.domains.web}";
# TODO hard coded elisabeth nicht so schön
@ -134,18 +133,7 @@ in
config.guests.${guestName}.networking.mainLinkName
];
systemd.network.networks."10-${config.guests.${guestName}.networking.mainLinkName}" = {
DHCP = lib.mkForce "no";
address = [
(lib.net.cidr.hostCidr
config.secrets.secrets.global.net.ips."${config.guests.${guestName}.nodeName}"
config.secrets.secrets.global.net.privateSubnetv4
)
(lib.net.cidr.hostCidr
config.secrets.secrets.global.net.ips."${config.guests.${guestName}.nodeName}"
config.secrets.secrets.global.net.privateSubnetv6
)
];
gateway = [ (lib.net.cidr.host 1 config.secrets.secrets.global.net.privateSubnetv4) ];
DHCP = "yes";
};
}
];

63
hosts/nucnix/hostapd.nix
View file

@ -1,35 +1,4 @@
{ config, ... }:
let
cfg = name: {
countryCode = "DE";
# wifi4.capabilities = [
# "LDPC"
# "HT40+"
# "HT40-"
# "GF"
# "SHORT-GI-20"
# "SHORT-GI-40"
# "TX-STBC"
# "RX-STBC1"
# ];
wifi6.enable = true;
wifi7.enable = true;
networks."${name}" = {
inherit (config.secrets.secrets.global.hostapd) ssid;
apIsolate = true;
authentication = {
saePasswords = [
{
password = "lol";
vlanid = 10;
}
];
enableRecommendedPairwiseCiphers = true;
};
bssid = "02:c0:ca:b1:4f:9f";
};
};
in
{
@ -39,9 +8,33 @@ in
enable = true;
radios.wlan1 = {
band = "2g";
} // cfg "wlan1";
radios.wlan2 = {
band = "5g";
} // cfg "wlan2";
countryCode = "DE";
# wifi4.capabilities = [
# "LDPC"
# "HT40+"
# "HT40-"
# "GF"
# "SHORT-GI-20"
# "SHORT-GI-40"
# "TX-STBC"
# "RX-STBC1"
# ];
wifi6.enable = true;
wifi7.enable = true;
networks.wlan1 = {
inherit (config.secrets.secrets.global.hostapd) ssid;
apIsolate = true;
authentication = {
saePasswords = [
{
password = "lol";
vlanid = 10;
}
];
enableRecommendedPairwiseCiphers = true;
};
bssid = "02:c0:ca:b1:4f:9f";
};
};
};
}

84
hosts/nucnix/kea.nix Normal file
View file

@ -0,0 +1,84 @@
{
lib,
utils,
...
}:
let
inherit (lib)
net
flip
mapAttrsToList
;
vlans = {
home = 10;
services = 20;
devices = 30;
iot = 40;
guests = 50;
};
in
{
environment.persistence."/persist".directories = [
{
directory = "/var/lib/private/kea";
mode = "0700";
}
];
services.kea.dhcp4 = {
enable = true;
settings = {
lease-database = {
name = "/var/lib/kea/dhcp4.leases";
persist = true;
type = "memfile";
};
valid-lifetime = 86400;
renew-timer = 3600;
interfaces-config = {
interfaces = flip mapAttrsToList vlans (x: _: "lan-${x}");
};
subnet4 = flip mapAttrsToList vlans (
name: id: rec {
inherit id;
interface = "lan-${name}";
subnet = "10.99.${toString id}.0/24";
pools = [
{
pool = "${net.cidr.host 50 subnet} - ${net.cidr.host (-6) subnet}";
}
];
option-data = [
{
name = "routers";
data = "${net.cidr.host 1 subnet}";
}
{
name = "domain-name-servers";
data = "${net.cidr.host 10 subnet}";
}
];
reservations = [
#FIXME
# {
# hw-address = nodes.ward-adguardhome.config.lib.microvm.mac;
# ip-address = globals.net.home-lan.hosts.ward-adguardhome.ipv4;
# }
# {
# hw-address = nodes.ward-web-proxy.config.lib.microvm.mac;
# ip-address = globals.net.home-lan.hosts.ward-web-proxy.ipv4;
# }
# {
# hw-address = nodes.sire-samba.config.lib.microvm.mac;
# ip-address = globals.net.home-lan.hosts.sire-samba.ipv4;
# }
];
}
);
};
};
systemd.services.kea-dhcp4-server.after = [
"sys-subsystem-net-devices-${utils.escapeSystemdPath "lan-self"}.device"
];
}

229
hosts/nucnix/net.nix
View file

@ -1,72 +1,133 @@
{ config, lib, ... }:
let
vlans = {
home = 10;
services = 20;
devices = 30;
iot = 40;
guests = 50;
};
inherit (lib) flip mapAttrsToList;
in
{
imports = [ ./hostapd.nix ];
imports =
[
./hostapd.nix
./kea.nix
]
++ (flip mapAttrsToList vlans (
name: id: {
networking.nftables.firewall.zones.${name}.interfaces = [ "lan-${name}" ];
systemd.network = {
netdevs = {
"40-vlan-${name}" = {
netdevConfig = {
Name = "vlan-${name}";
Kind = "vlan";
};
vlanConfig.Id = id;
};
"50-mlan-${name}" = {
netdevConfig = {
Name = "lan-${name}";
Kind = "macvlan";
};
extraConfig = ''
[MACVLAN]
Mode=bridge
'';
};
};
networks = {
"10-vlan-${name}" = {
matchConfig.Name = "vlan-${name}";
# This interface should only be used from attached macvtaps.
# So don't acquire a link local address and only wait for
# this interface to gain a carrier.
networkConfig.LinkLocalAddressing = "no";
linkConfig.RequiredForOnline = "carrier";
extraConfig = ''
[Network]
MACVLAN=lan-${name}
'';
};
"20-lan-${name}" = {
address = [
(lib.net.cidr.hostCidr 1 "10.99.${toString id}.0/24")
];
matchConfig.Name = "lan-${name}";
networkConfig = {
MulticastDNS = true;
IPv6PrivacyExtensions = "yes";
IPv4Forwarding = "yes";
IPv6SendRA = true;
IPv6AcceptRA = false;
DHCPPrefixDelegation = true;
};
ipv6Prefixes = [
{ Prefix = "fd${toString id}::/64"; }
];
};
};
};
}
));
networking.nftables.firewall = {
snippets.nnf-ssh.enable = lib.mkForce false;
rules = {
ssh = {
from = [
"fritz"
"home"
];
to = [ "local" ];
allowedTCPPorts = [ 22 ];
};
internet = {
from = [
"home"
"devices"
"guests"
"services"
];
to = [ "fritz" ];
late = true;
verdict = "accept";
masquerade = true;
};
};
};
networking.nftables.firewall.zones.fritz.interfaces = [ "vlan-fritz" ];
networking = {
inherit (config.secrets.secrets.local.networking) hostId;
};
systemd.network = {
netdevs."40-vlan-fritz" = {
netdevConfig = {
Name = "vlan-fritz";
Kind = "vlan";
};
vlanConfig.Id = 2;
};
networks = {
"10-lan01" = {
"10-lan-fritz" = {
address = [
(lib.net.cidr.hostCidr config.secrets.secrets.global.net.ips.${config.node.name}
config.secrets.secrets.global.net.privateSubnetv4
)
(lib.net.cidr.hostCidr 2 "10.99.2.0/24")
];
gateway = [ (lib.net.cidr.host 1 config.secrets.secrets.global.net.privateSubnetv4) ];
#matchConfig.MACAddress = config.secrets.secrets.local.networking.interfaces.lan01.mac;
matchConfig.Name = "lan";
dhcpV6Config.UseDNS = false;
dhcpV4Config.UseDNS = false;
ipv6AcceptRAConfig.UseDNS = false;
gateway = [ (lib.net.cidr.host 1 "10.99.2.0/24") ];
matchConfig.Name = "vlan-fritz";
networkConfig = {
MulticastDNS = true;
IPv6PrivacyExtensions = "yes";
};
};
};
netdevs."40-vlan-home" = {
netdevConfig = {
Name = "vlan-home";
Kind = "vlan";
};
vlanConfig.Id = 10;
};
netdevs."40-vlan-services" = {
netdevConfig = {
Name = "vlan-services";
Kind = "vlan";
};
vlanConfig.Id = 20;
};
netdevs."40-vlan-devices" = {
netdevConfig = {
Name = "vlan-devices";
Kind = "vlan";
};
vlanConfig.Id = 30;
};
netdevs."40-vlan-iot" = {
netdevConfig = {
Name = "vlan-iot";
Kind = "vlan";
};
vlanConfig.Id = 40;
};
netdevs."40-vlan-guests" = {
netdevConfig = {
Name = "vlan-guests";
Kind = "vlan";
};
vlanConfig.Id = 50;
};
networks."40-vlans" = {
matchConfig.Name = "lan01";
networkConfig.LinkLocalAddressing = "no";
vlan = [
"vlan-fritz"
"vlan-home"
"vlan-services"
"vlan-devices"
@ -75,14 +136,6 @@
];
};
};
networking.nftables.firewall.zones.untrusted.interfaces = [ "lan" ];
# To be able to ping containers from the host, it is necessary
# to create a macvlan on the host on the VLAN 1 network.
networking.macvlans.lan = {
interface = "vlan-home";
mode = "bridge";
};
boot.initrd = {
@ -93,37 +146,49 @@
enable = true;
networks = {
# redo the network cause the livesystem has macvlans
"10-lan01" = {
"10-lanhome" = {
address = [
(lib.net.cidr.hostCidr config.secrets.secrets.global.net.ips.${config.node.name}
config.secrets.secrets.global.net.privateSubnetv4
)
(lib.net.cidr.hostCidr 1 "10.99.10.0/24")
];
gateway = [ (lib.net.cidr.host 1 config.secrets.secrets.global.net.privateSubnetv4) ];
matchConfig.Name = "vlan-home";
dhcpV6Config.UseDNS = false;
dhcpV4Config.UseDNS = false;
ipv6AcceptRAConfig.UseDNS = false;
networkConfig = {
IPv6PrivacyExtensions = "yes";
MulticastDNS = true;
};
};
};
netdevs."10-vlan-home" = {
netdevConfig = {
Name = "vlan-home";
Kind = "vlan";
# redo the network cause the livesystem has macvlans
"10-lan-fritz" = {
address = [
(lib.net.cidr.hostCidr 2 "10.99.2.0/24")
];
gateway = [ (lib.net.cidr.host 1 "10.99.2.0/24") ];
matchConfig.Name = "vlan-fritz";
networkConfig = {
IPv6PrivacyExtensions = "yes";
};
};
"40-vlans" = {
matchConfig.MACAddress = config.secrets.secrets.local.networking.interfaces.lan01.mac;
vlan = [
"vlan-home"
"vlan-fritz"
];
};
vlanConfig.Id = 10;
};
networks."40-vlans" = {
matchConfig.MACAddress = config.secrets.secrets.local.networking.interfaces.lan01.mac;
vlan = [
"vlan-home"
];
netdevs = {
"10-vlan-home" = {
netdevConfig = {
Name = "vlan-home";
Kind = "vlan";
};
vlanConfig.Id = 10;
};
"10-vlan-fritz" = {
netdevConfig = {
Name = "vlan-fritz";
Kind = "vlan";
};
vlanConfig.Id = 2;
};
};
};
};

BIN
hosts/nucnix/secrets/secrets.nix.age
View file

Binary file not shown.

BIN
hosts/nucnix/secrets/secureboot.tar.age Normal file
View file

Binary file not shown.

BIN
secureboot.tar Normal file
View file

Binary file not shown.