feat(vault01): global options for vlans decl

2025-01-27 20:28:48 +01:00 · 2025-01-27 20:28:48 +01:00 · c97db7609d
commit c97db7609d
parent 7dab4ef1cb
1 changed files with 194 additions and 172 deletions
--- a/machines/nixos/vault01/networking.nix
+++ b/machines/nixos/vault01/networking.nix
@ -12,7 +12,8 @@
 }:

 let
-  inherit (lib) mapAttrs' nameValuePair;
+  inherit (lib) mapAttrs' mkOption nameValuePair;
+  inherit (lib.types) listOf attrs;

  uplink = {
    ip = "10.120.33.250";
@ -93,6 +94,7 @@ let
    netIP = "10.0.${toString prefix24nb}.${toString prefix27nb}";
    servIP = "10.0.${toString prefix24nb}.${toString (prefix27nb + 1)}";
    interfaceName = "vlan-user-${toString vlan}";
+    prefixLen = 27;
  }) 850;

  vlans = {
@ -160,194 +162,214 @@ let
    };
  } // builtins.listToAttrs (map mkUserVlan userVlans);
 in
-
 {
-  systemd = {
-    network = {
-      config.routeTables."user" = 1000;
-      networks = {
-        "10-lo" = {
-          name = "lo";
-          address = [
-            "::1/128"
-            "127.0.0.1/8"
-            "10.0.0.1/27"
-          ];
-          routes = [
-            {
-              Destination = "10.0.0.0/27";
-              Table = "user";
-            }
-          ];
-          routingPolicyRules = [
-            {
-              IncomingInterface = "lo";
-              Table = "user";
-            }
-          ];
-        };
-        "10-enp67s0f0np0" = {
-          name = "enp67s0f0np0";
-          linkConfig.Promiscuous = true;
-          networkConfig = {
-            Bridge = "br0";
+  options.networking.vlans-info = mkOption {
+    type = listOf attrs;
+    description = ''
+      Information about vlans for log analysis.
+    '';
+    readOnly = true;
+  };
+  config = {
+    systemd = {
+      network = {
+        config.routeTables."user" = 1000;
+        networks = {
+          "10-lo" = {
+            name = "lo";
+            address = [
+              "::1/128"
+              "127.0.0.1/8"
+              "10.0.0.1/27"
+            ];
+            routes = [
+              {
+                Destination = "10.0.0.0/27";
+                Table = "user";
+              }
+            ];
+            routingPolicyRules = [
+              {
+                IncomingInterface = "lo";
+                Table = "user";
+              }
+            ];
+          };
+          "10-enp67s0f0np0" = {
+            name = "enp67s0f0np0";
+            linkConfig.Promiscuous = true;
+            networkConfig = {
+              Bridge = "br0";

-            LinkLocalAddressing = false;
-            LLDP = false;
-            EmitLLDP = false;
-            IPv6AcceptRA = false;
-            IPv6SendRA = false;
+              LinkLocalAddressing = false;
+              LLDP = false;
+              EmitLLDP = false;
+              IPv6AcceptRA = false;
+              IPv6SendRA = false;
+            };
+            linkConfig.MTUBytes = 1504;
          };
-          linkConfig.MTUBytes = 1504;
-        };
-        "50-gretap1" = {
-          name = "gretap1";
-          networkConfig = {
-            Bridge = "br0";
+          "50-gretap1" = {
+            name = "gretap1";
+            networkConfig = {
+              Bridge = "br0";

-            LinkLocalAddressing = false;
-            LLDP = false;
-            EmitLLDP = false;
-            IPv6AcceptRA = false;
-            IPv6SendRA = false;
+              LinkLocalAddressing = false;
+              LLDP = false;
+              EmitLLDP = false;
+              IPv6AcceptRA = false;
+              IPv6SendRA = false;
+            };
+            linkConfig.MTUBytes = 1504;
          };
-          linkConfig.MTUBytes = 1504;
-        };
-        "50-br0" = {
-          name = "br0";
-          networkConfig = {
-            VLAN = builtins.attrNames vlans;
+          "50-br0" = {
+            name = "br0";
+            networkConfig = {
+              VLAN = builtins.attrNames vlans;

-            LinkLocalAddressing = false;
-            LLDP = false;
-            EmitLLDP = false;
-            IPv6AcceptRA = false;
-            IPv6SendRA = false;
+              LinkLocalAddressing = false;
+              LLDP = false;
+              EmitLLDP = false;
+              IPv6AcceptRA = false;
+              IPv6SendRA = false;
+            };
+            linkConfig.MTUBytes = 1504;
          };
-          linkConfig.MTUBytes = 1504;
-        };
-        "50-wg0" = {
-          name = "wg0";
-          address = [ "10.10.17.1/30" ];
-          networkConfig.Tunnel = "gretap1";
-        };
-      } // (mapAttrs' mkNetwork vlans);
+          "50-wg0" = {
+            name = "wg0";
+            address = [ "10.10.17.1/30" ];
+            networkConfig.Tunnel = "gretap1";
+          };
+        } // (mapAttrs' mkNetwork vlans);

-      netdevs = {
-        "50-gretap1" = {
-          netdevConfig = {
-            Name = "gretap1";
-            Kind = "gretap";
+        netdevs = {
+          "50-gretap1" = {
+            netdevConfig = {
+              Name = "gretap1";
+              Kind = "gretap";
+            };
+            tunnelConfig = {
+              Local = "10.10.17.1";
+              Remote = "10.10.17.2";
+            };
          };
-          tunnelConfig = {
-            Local = "10.10.17.1";
-            Remote = "10.10.17.2";
-          };
-        };
-        "50-br0" = {
-          netdevConfig = {
-            Name = "br0";
-            Kind = "bridge";
-          };
-          bridgeConfig = {
-            VLANFiltering = false;
-            STP = false;
-          };
-        };
-        "50-wg0" = {
-          netdevConfig = {
-            Name = "wg0";
-            Kind = "wireguard";
-          };
-          wireguardConfig = {
-            ListenPort = 1194;
-            PrivateKeyFile = config.age.secrets."wg-key".path;
+          "50-br0" = {
+            netdevConfig = {
+              Name = "br0";
+              Kind = "bridge";
+            };
+            bridgeConfig = {
+              VLANFiltering = false;
+              STP = false;
+            };
          };
+          "50-wg0" = {
+            netdevConfig = {
+              Name = "wg0";
+              Kind = "wireguard";
+            };
+            wireguardConfig = {
+              ListenPort = 1194;
+              PrivateKeyFile = config.age.secrets."wg-key".path;
+            };

-          wireguardPeers = [
-            {
-              AllowedIPs = [
-                "10.10.17.0/30"
-              ];
-              PublicKey = "g6S3gBx1Hf2iX41tokD+m8WfzJJTTcsKifOkn+Wcd00=";
-            }
-          ];
-        };
-      } // mapAttrs' mkNetdev vlans;
-    };
-
-    services = {
-      ethtoolConfig = {
-        wantedBy = [ "systemd-networkd.service" ];
-        after = [ "sys-subsystem-net-devices-enp67s0f0np0.device" ];
-        bindsTo = [ "sys-subsystem-net-devices-enp67s0f0np0.device" ];
-        script = builtins.concatStringsSep "\n" (
-          builtins.map (name: "${lib.getExe pkgs.ethtool} -K enp67s0f0np0 ${name} off") [
-            "rxvlan"
-            "txvlan"
-            "rx-vlan-filter"
-            "rx-vlan-offload"
-            "tx-vlan-offload"
-            "tx-vlan-stag-hw-insert"
-          ]
-        );
+            wireguardPeers = [
+              {
+                AllowedIPs = [
+                  "10.10.17.0/30"
+                ];
+                PublicKey = "g6S3gBx1Hf2iX41tokD+m8WfzJJTTcsKifOkn+Wcd00=";
+              }
+            ];
+          };
+        } // mapAttrs' mkNetdev vlans;
      };

-      systemd-networkd.serviceConfig.LimitNOFILE = 4096;
+      services = {
+        ethtoolConfig = {
+          wantedBy = [ "systemd-networkd.service" ];
+          after = [ "sys-subsystem-net-devices-enp67s0f0np0.device" ];
+          bindsTo = [ "sys-subsystem-net-devices-enp67s0f0np0.device" ];
+          script = builtins.concatStringsSep "\n" (
+            builtins.map (name: "${lib.getExe pkgs.ethtool} -K enp67s0f0np0 ${name} off") [
+              "rxvlan"
+              "txvlan"
+              "rx-vlan-filter"
+              "rx-vlan-offload"
+              "tx-vlan-offload"
+              "tx-vlan-stag-hw-insert"
+            ]
+          );
+        };

-      net-checker = {
-        path = [
-          pkgs.iputils
-          pkgs.systemd
+        systemd-networkd.serviceConfig.LimitNOFILE = 4096;
+
+        net-checker = {
+          path = [
+            pkgs.iputils
+            pkgs.systemd
+          ];
+          script = ''
+            if ping -c 1 8.8.8.8 > /dev/null || ping -c 1 1.1.1.1 > /dev/null; then
+              ${lib.concatMapStringsSep "\n  " (
+                { interfaceName, ... }: "networkctl up ${interfaceName}"
+              ) userVlans}
+            else
+              ${lib.concatMapStringsSep "\n  " (
+                { interfaceName, ... }: "networkctl down ${interfaceName}"
+              ) userVlans}
+            fi
+          '';
+        };
+      };
+
+      timers.net-checker = {
+        wantedBy = [ "timers.target" ];
+        timerConfig.OnCalendar = "*-*-* *:*:42";
+      };
+    };
+
+    networking = {
+      vlans-info = [
+        {
+          vlan = 2001;
+          netIP = "10.0.254.0";
+          prefixLen = 24;
+        }
+        {
+          vlan = 3001;
+          netIP = "10.0.253.0";
+          prefixLen = 24;
+        }
+      ] ++ userVlans;
+      nftables = {
+        enable = true;
+        tables.nat = {
+          family = "ip";
+          content = ''
+            chain postrouting {
+              type nat hook postrouting priority 100;
+              ip saddr 10.0.0.0/16 ip saddr != 10.0.255.0/24 snat ip to 129.199.195.130-129.199.195.158
+              ether saddr { e0:2e:0b:bd:97:73, e8:d5:2b:0d:fe:4a } snat to 129.199.195.130 comment "Elias"
+              ether saddr { 1c:1b:b5:14:9c:e5, e6:ce:e2:b6:e3:82 } snat to 129.199.195.131 comment "Lubin"
+              ether saddr d0:49:7c:46:f6:39 snat to 129.199.195.132 comment "Jean-Marc"
+              ether saddr { 5c:64:8e:f4:09:06 } snat to 129.199.195.158 comment "APs"
+            }
+          '';
+        };
+      };
+      firewall = {
+        allowedUDPPorts = [
+          67
+          1194
        ];
-        script = ''
-          if ping -c 1 8.8.8.8 > /dev/null || ping -c 1 1.1.1.1 > /dev/null; then
-            ${lib.concatMapStringsSep "\n  " (
-              { interfaceName, ... }: "networkctl up ${interfaceName}"
-            ) userVlans}
-          else
-            ${lib.concatMapStringsSep "\n  " (
-              { interfaceName, ... }: "networkctl down ${interfaceName}"
-            ) userVlans}
-          fi
-        '';
+        checkReversePath = false;
      };
    };

-    timers.net-checker = {
-      wantedBy = [ "timers.target" ];
-      timerConfig.OnCalendar = "*-*-* *:*:42";
-    };
+    age.secrets."wg-key".owner = "systemd-network";
+    users.users."systemd-network".extraGroups = [ "keys" ];
+
+    boot.kernel.sysctl."net.ipv4.ip_forward" = true;
  };
-
-  networking = {
-    nftables = {
-      enable = true;
-      tables.nat = {
-        family = "ip";
-        content = ''
-          chain postrouting {
-            type nat hook postrouting priority 100;
-            ip saddr 10.0.0.0/16 ip saddr != 10.0.255.0/24 snat ip to 129.199.195.130-129.199.195.158
-            ether saddr { e0:2e:0b:bd:97:73, e8:d5:2b:0d:fe:4a } snat to 129.199.195.130 comment "Elias"
-            ether saddr { 1c:1b:b5:14:9c:e5, e6:ce:e2:b6:e3:82 } snat to 129.199.195.131 comment "Lubin"
-            ether saddr d0:49:7c:46:f6:39 snat to 129.199.195.132 comment "Jean-Marc"
-            ether saddr { 5c:64:8e:f4:09:06 } snat to 129.199.195.158 comment "APs"
-          }
-        '';
-      };
-    };
-    firewall = {
-      allowedUDPPorts = [
-        67
-        1194
-      ];
-      checkReversePath = false;
-    };
-  };
-
-  age.secrets."wg-key".owner = "systemd-network";
-  users.users."systemd-network".extraGroups = [ "keys" ];
-
-  boot.kernel.sysctl."net.ipv4.ip_forward" = true;
 }