diff --git a/machines/nixos/vault01/networking.nix b/machines/nixos/vault01/networking.nix index fdaafe5..5751385 100644 --- a/machines/nixos/vault01/networking.nix +++ b/machines/nixos/vault01/networking.nix @@ -12,7 +12,8 @@ }: let - inherit (lib) mapAttrs' nameValuePair; + inherit (lib) mapAttrs' mkOption nameValuePair; + inherit (lib.types) listOf attrs; uplink = { ip = "10.120.33.250"; @@ -93,6 +94,7 @@ let netIP = "10.0.${toString prefix24nb}.${toString prefix27nb}"; servIP = "10.0.${toString prefix24nb}.${toString (prefix27nb + 1)}"; interfaceName = "vlan-user-${toString vlan}"; + prefixLen = 27; }) 850; vlans = { 
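Review bot: `prefixLen = 27;` hard-codes the same /27 sizing that the `prefix27nb` and `prefix27nb + 1` address arithmetic on the preceding lines appears to assume, so the two can silently disagree if the user-VLAN subnet size is ever changed. Bind the size once in the enclosing `let` (e.g. `userPrefixLen = 27;`) and use it both for the address computation and for `prefixLen`. `mkUserVlan` begins outside this hunk, so where `prefix27nb` is derived is not visible here and this is inferred from the names only.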
@@ -160,194 +162,214 @@ let }; } // builtins.listToAttrs (map mkUserVlan userVlans); in - { - systemd = { - network = { - config.routeTables."user" = 1000; - networks = { - "10-lo" = { - name = "lo"; - address = [ - "::1/128" - "127.0.0.1/8" - "10.0.0.1/27" - ]; - routes = [ - { - Destination = "10.0.0.0/27"; - Table = "user"; - } - ]; - routingPolicyRules = [ - { - IncomingInterface = "lo"; - Table = "user"; - } - ]; - }; - "10-enp67s0f0np0" = { - name = "enp67s0f0np0"; - linkConfig.Promiscuous = true; - networkConfig = { - Bridge = "br0"; + options.networking.vlans-info = mkOption { + type = listOf attrs; + description = '' + Information about vlans for log analysis. + ''; + readOnly = true; + }; + config = { + systemd = { + network = { + config.routeTables."user" = 1000; + networks = { + "10-lo" = { + name = "lo"; + address = [ + "::1/128" + "127.0.0.1/8" + "10.0.0.1/27" + ]; + routes = [ + { + Destination = "10.0.0.0/27"; + Table = "user"; + } + ]; + routingPolicyRules = [ + { + IncomingInterface = "lo"; + Table = "user"; + } + ]; + }; + "10-enp67s0f0np0" = { + name = "enp67s0f0np0"; + linkConfig.Promiscuous = true; + networkConfig = { + Bridge = "br0"; - LinkLocalAddressing = false; - LLDP = false; - EmitLLDP = false; - IPv6AcceptRA = false; - IPv6SendRA = false; + LinkLocalAddressing = false; + LLDP = false; + EmitLLDP = false; + IPv6AcceptRA = false; + IPv6SendRA = false; + }; + linkConfig.MTUBytes = 1504; }; - linkConfig.MTUBytes = 1504; - }; - "50-gretap1" = { - name = "gretap1"; - networkConfig = { - Bridge = "br0"; + "50-gretap1" = { + name = "gretap1"; + networkConfig = { + Bridge = "br0"; - LinkLocalAddressing = false; - LLDP = false; - EmitLLDP = false; - IPv6AcceptRA = false; - IPv6SendRA = false; + LinkLocalAddressing = false; + LLDP = false; + EmitLLDP = false; + IPv6AcceptRA = false; + IPv6SendRA = false; + }; + linkConfig.MTUBytes = 1504; }; - linkConfig.MTUBytes = 1504; - }; - "50-br0" = { - name = "br0"; - networkConfig = { - VLAN = 
builtins.attrNames vlans; + "50-br0" = { + name = "br0"; + networkConfig = { + VLAN = builtins.attrNames vlans; - LinkLocalAddressing = false; - LLDP = false; - EmitLLDP = false; - IPv6AcceptRA = false; - IPv6SendRA = false; + LinkLocalAddressing = false; + LLDP = false; + EmitLLDP = false; + IPv6AcceptRA = false; + IPv6SendRA = false; + }; + linkConfig.MTUBytes = 1504; }; - linkConfig.MTUBytes = 1504; - }; - "50-wg0" = { - name = "wg0"; - address = [ "10.10.17.1/30" ]; - networkConfig.Tunnel = "gretap1"; - }; - } // (mapAttrs' mkNetwork vlans); + "50-wg0" = { + name = "wg0"; + address = [ "10.10.17.1/30" ]; + networkConfig.Tunnel = "gretap1"; + }; + } // (mapAttrs' mkNetwork vlans); - netdevs = { - "50-gretap1" = { - netdevConfig = { - Name = "gretap1"; - Kind = "gretap"; + netdevs = { + "50-gretap1" = { + netdevConfig = { + Name = "gretap1"; + Kind = "gretap"; + }; + tunnelConfig = { + Local = "10.10.17.1"; + Remote = "10.10.17.2"; + }; }; - tunnelConfig = { - Local = "10.10.17.1"; - Remote = "10.10.17.2"; - }; - }; - "50-br0" = { - netdevConfig = { - Name = "br0"; - Kind = "bridge"; - }; - bridgeConfig = { - VLANFiltering = false; - STP = false; - }; - }; - "50-wg0" = { - netdevConfig = { - Name = "wg0"; - Kind = "wireguard"; - }; - wireguardConfig = { - ListenPort = 1194; - PrivateKeyFile = config.age.secrets."wg-key".path; + "50-br0" = { + netdevConfig = { + Name = "br0"; + Kind = "bridge"; + }; + bridgeConfig = { + VLANFiltering = false; + STP = false; + }; }; + "50-wg0" = { + netdevConfig = { + Name = "wg0"; + Kind = "wireguard"; + }; + wireguardConfig = { + ListenPort = 1194; + PrivateKeyFile = config.age.secrets."wg-key".path; + }; - wireguardPeers = [ - { - AllowedIPs = [ - "10.10.17.0/30" - ]; - PublicKey = "g6S3gBx1Hf2iX41tokD+m8WfzJJTTcsKifOkn+Wcd00="; - } - ]; - }; - } // mapAttrs' mkNetdev vlans; - }; - - services = { - ethtoolConfig = { - wantedBy = [ "systemd-networkd.service" ]; - after = [ "sys-subsystem-net-devices-enp67s0f0np0.device" ]; - 
bindsTo = [ "sys-subsystem-net-devices-enp67s0f0np0.device" ]; - script = builtins.concatStringsSep "\n" ( - builtins.map (name: "${lib.getExe pkgs.ethtool} -K enp67s0f0np0 ${name} off") [ - "rxvlan" - "txvlan" - "rx-vlan-filter" - "rx-vlan-offload" - "tx-vlan-offload" - "tx-vlan-stag-hw-insert" - ] - ); + wireguardPeers = [ + { + AllowedIPs = [ + "10.10.17.0/30" + ]; + PublicKey = "g6S3gBx1Hf2iX41tokD+m8WfzJJTTcsKifOkn+Wcd00="; + } + ]; + }; + } // mapAttrs' mkNetdev vlans; }; - systemd-networkd.serviceConfig.LimitNOFILE = 4096; + services = { + ethtoolConfig = { + wantedBy = [ "systemd-networkd.service" ]; + after = [ "sys-subsystem-net-devices-enp67s0f0np0.device" ]; + bindsTo = [ "sys-subsystem-net-devices-enp67s0f0np0.device" ]; + script = builtins.concatStringsSep "\n" ( + builtins.map (name: "${lib.getExe pkgs.ethtool} -K enp67s0f0np0 ${name} off") [ + "rxvlan" + "txvlan" + "rx-vlan-filter" + "rx-vlan-offload" + "tx-vlan-offload" + "tx-vlan-stag-hw-insert" + ] + ); + }; - net-checker = { - path = [ - pkgs.iputils - pkgs.systemd + systemd-networkd.serviceConfig.LimitNOFILE = 4096; + + net-checker = { + path = [ + pkgs.iputils + pkgs.systemd + ]; + script = '' + if ping -c 1 8.8.8.8 > /dev/null || ping -c 1 1.1.1.1 > /dev/null; then + ${lib.concatMapStringsSep "\n " ( + { interfaceName, ... }: "networkctl up ${interfaceName}" + ) userVlans} + else + ${lib.concatMapStringsSep "\n " ( + { interfaceName, ... 
}: "networkctl down ${interfaceName}" + ) userVlans} + fi + ''; + }; + }; + + timers.net-checker = { + wantedBy = [ "timers.target" ]; + timerConfig.OnCalendar = "*-*-* *:*:42"; + }; + }; + + networking = { + vlans-info = [ + { + vlan = 2001; + netIP = "10.0.254.0"; + prefixLen = 24; + } + { + vlan = 3001; + netIP = "10.0.253.0"; + prefixLen = 24; + } + ] ++ userVlans; + nftables = { + enable = true; + tables.nat = { + family = "ip"; + content = '' + chain postrouting { + type nat hook postrouting priority 100; + ip saddr 10.0.0.0/16 ip saddr != 10.0.255.0/24 snat ip to 129.199.195.130-129.199.195.158 + ether saddr { e0:2e:0b:bd:97:73, e8:d5:2b:0d:fe:4a } snat to 129.199.195.130 comment "Elias" + ether saddr { 1c:1b:b5:14:9c:e5, e6:ce:e2:b6:e3:82 } snat to 129.199.195.131 comment "Lubin" + ether saddr d0:49:7c:46:f6:39 snat to 129.199.195.132 comment "Jean-Marc" + ether saddr { 5c:64:8e:f4:09:06 } snat to 129.199.195.158 comment "APs" + } + ''; + }; + }; + firewall = { + allowedUDPPorts = [ + 67 + 1194 ]; - script = '' - if ping -c 1 8.8.8.8 > /dev/null || ping -c 1 1.1.1.1 > /dev/null; then - ${lib.concatMapStringsSep "\n " ( - { interfaceName, ... }: "networkctl up ${interfaceName}" - ) userVlans} - else - ${lib.concatMapStringsSep "\n " ( - { interfaceName, ... 
}: "networkctl down ${interfaceName}" - ) userVlans} - fi - ''; + checkReversePath = false; }; }; - timers.net-checker = { - wantedBy = [ "timers.target" ]; - timerConfig.OnCalendar = "*-*-* *:*:42"; - }; + age.secrets."wg-key".owner = "systemd-network"; + users.users."systemd-network".extraGroups = [ "keys" ]; + + boot.kernel.sysctl."net.ipv4.ip_forward" = true; }; - - networking = { - nftables = { - enable = true; - tables.nat = { - family = "ip"; - content = '' - chain postrouting { - type nat hook postrouting priority 100; - ip saddr 10.0.0.0/16 ip saddr != 10.0.255.0/24 snat ip to 129.199.195.130-129.199.195.158 - ether saddr { e0:2e:0b:bd:97:73, e8:d5:2b:0d:fe:4a } snat to 129.199.195.130 comment "Elias" - ether saddr { 1c:1b:b5:14:9c:e5, e6:ce:e2:b6:e3:82 } snat to 129.199.195.131 comment "Lubin" - ether saddr d0:49:7c:46:f6:39 snat to 129.199.195.132 comment "Jean-Marc" - ether saddr { 5c:64:8e:f4:09:06 } snat to 129.199.195.158 comment "APs" - } - ''; - }; - }; - firewall = { - allowedUDPPorts = [ - 67 - 1194 - ]; - checkReversePath = false; - }; - }; - - age.secrets."wg-key".owner = "systemd-network"; - users.users."systemd-network".extraGroups = [ "keys" ]; - - boot.kernel.sysctl."net.ipv4.ip_forward" = true; }
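Review bot: `options.networking.vlans-info` is typed `listOf attrs`, so a misspelled `netIP`/`prefixLen` key or a wrong value type in the two hand-written entries is accepted at evaluation time and only surfaces in whatever consumes the list, and the description "Information about vlans for log analysis" does not say which keys a consumer may rely on. A `submodule` declaring `vlan`, `netIP` and `prefixLen` with a freeform type for the extra keys `mkUserVlan` adds (`servIP`, `interfaceName`, …; I am assuming its entries also expose `vlan`) would validate every entry — the rewrite below shows it. `readOnly = true` additionally makes any other module that tries to append an entry fail with "set multiple times", which is worth stating in the description since that is presumably the intent. The `vlan = 2001`/`3001` entries look like they duplicate subnets already defined in `vlans` above this hunk and could be derived from it to avoid drift, but those definitions are not visible here to confirm.
```nix
options.networking.vlans-info = mkOption {
  type = lib.types.listOf (lib.types.submodule {
    # entries built by mkUserVlan carry extra keys (servIP, interfaceName, ...); keep accepting them
    freeformType = lib.types.attrsOf lib.types.anything;
    options = {
      vlan = mkOption { type = lib.types.int; description = "802.1Q VLAN id."; };
      netIP = mkOption { type = lib.types.str; description = "IPv4 network address of the VLAN subnet."; };
      prefixLen = mkOption { type = lib.types.int; description = "IPv4 prefix length of the VLAN subnet."; };
    };
  });
  readOnly = true;
  description = ''
    VLAN id and IPv4 subnet of each VLAN on this router, consumed by log analysis.
    Read-only: defined once by this module; other modules must not add entries.
  '';
};
# … unchanged: config = { systemd = { … }; networking = { … }; … } …
```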