
{
  config,
  lib,
  globals,
  ...
}:
let
  # VLAN definitions shared across hosts; every key becomes one
  # vlan-<name> / lan-<name> interface pair and one firewall zone.
  vlans = globals.net.vlans;

  # Per-host values that live outside the repository.
  localNet = config.secrets.secrets.local.networking;

  # Naming scheme for the two interfaces created per VLAN:
  #   vlan-<name>: the 802.1Q sub-interface on the physical NIC
  #   lan-<name>:  the host's macvlan on top of it (the only one with addresses)
  vlanIf = name: "vlan-${name}";
  lanIf = name: "lan-${name}";
in
{
  networking.hostId = localNet.hostId;

  # One nftables zone per VLAN, bound to the host-facing macvlan. Zone names
  # are the keys of globals.net.vlans, which is what the rules below
  # ("home") refer to.
  networking.nftables.firewall.zones = lib.mapAttrs (name: _: {
    interfaces = [ (lanIf name) ];
  }) vlans;

  systemd.network.netdevs = lib.mkMerge (
    lib.mapAttrsToList (
      name: vlan: {
        "40-vlan-${name}" = {
          netdevConfig = {
            Name = vlanIf name;
            Kind = "vlan";
          };
          vlanConfig.Id = vlan.id;
        };
        "50-macvlan-${name}" = {
          netdevConfig = {
            Name = lanIf name;
            Kind = "macvlan";
          };
          # Bridge mode so the host's macvlan and any macvtaps on the same
          # VLAN can talk to each other without leaving the machine.
          extraConfig = ''
            [MACVLAN]
            Mode=bridge
          '';
        };
      }
    ) vlans
  );

  systemd.network.networks = lib.mkMerge (
    [
      {
        # The physical NIC only carries tagged frames and never gets an
        # address of its own; the vlan list is filled in per VLAN below.
        "40-vlans" = {
          matchConfig.Name = "lan01";
          networkConfig.LinkLocalAddressing = "no";
        };
      }
    ]
    ++ lib.mapAttrsToList (
      name: _: {
        "40-vlans".vlan = [ (vlanIf name) ];
        "10-vlan-${name}" = {
          matchConfig.Name = vlanIf name;
          # Only attached macvtaps use this interface directly, so it
          # acquires no link-local address and counts as online as soon
          # as it has a carrier.
          networkConfig.LinkLocalAddressing = "no";
          linkConfig.RequiredForOnline = "carrier";
          extraConfig = ''
            [Network]
            MACVLAN=${lanIf name}
          '';
        };
        # The host's own presence on the VLAN: DHCP for v4/v6, temporary
        # v6 addresses, and an mDNS responder (reachability of that responder
        # is restricted by the mdns firewall rule below).
        "20-lan-${name}" = {
          DHCP = "yes";
          matchConfig.Name = lanIf name;
          networkConfig = {
            MulticastDNS = true;
            IPv6PrivacyExtensions = "yes";
          };
        };
      }
    ) vlans
  );

  networking.nftables.firewall = {
    # The generic nnf-ssh snippet (presumably SSH admitted from any zone —
    # verify against the firewall module) is disabled in favour of the
    # zone-scoped rule below.
    snippets.nnf-ssh.enable = lib.mkForce false;
    rules = {
      ssh = {
        from = [ "home" ];
        to = [ "local" ];
        # NOTE(review): port list is hard-coded; if sshd is ever moved off 22
        # this rule must follow.
        allowedTCPPorts = [ 22 ];
      };
      # MulticastDNS is enabled on every lan-* interface above; only the
      # home zone may reach the responder.
      mdns = {
        from = [ "home" ];
        to = [ "local" ];
        allowedUDPPorts = [ 5353 ];
      };
    };
  };

  boot.initrd = {
    # 802.1Q tagging is needed in stage 1 already to bring up vlan-home.
    availableKernelModules = [ "8021q" ];
    systemd.network = {
      enable = true;
      networks = {
        # Stage 1 gets its own, reduced network definition: the running
        # system's macvlan layout (above) is not what the initrd sets up.
        # NOTE(review): the nftables zones above are part of the running
        # system, not of stage 1 — confirm what the initrd exposes on
        # vlan-home while it holds a DHCP lease.
        "10-lan-home" = {
          DHCP = "yes";
          matchConfig.Name = vlanIf "home";
          networkConfig.IPv6PrivacyExtensions = "yes";
        };
        "40-vlans" = {
          # Matched by MAC here rather than by name as in the running
          # system — presumably because the stable interface name is not
          # available yet in stage 1; confirm.
          matchConfig.MACAddress = localNet.interfaces.lan01.mac;
          vlan = [ (vlanIf "home") ];
        };
      };
      netdevs = {
        "10-vlan-home" = {
          netdevConfig = {
            Name = vlanIf "home";
            Kind = "vlan";
          };
          vlanConfig.Id = vlans.home.id;
        };
      };
    };
  };
}