feat(vault01): global options for vlans decl

This commit is contained in:
catvayor 2025-01-27 20:28:48 +01:00
parent 7dab4ef1cb
commit c97db7609d
Signed by untrusted user: lbailly
GPG key ID: CE3E645251AC63F3


@ -12,7 +12,8 @@
}: }:
let let
inherit (lib) mapAttrs' nameValuePair; inherit (lib) mapAttrs' mkOption nameValuePair;
inherit (lib.types) listOf attrs;
uplink = { uplink = {
ip = "10.120.33.250"; ip = "10.120.33.250";
@ -93,6 +94,7 @@ let
netIP = "10.0.${toString prefix24nb}.${toString prefix27nb}"; netIP = "10.0.${toString prefix24nb}.${toString prefix27nb}";
servIP = "10.0.${toString prefix24nb}.${toString (prefix27nb + 1)}"; servIP = "10.0.${toString prefix24nb}.${toString (prefix27nb + 1)}";
interfaceName = "vlan-user-${toString vlan}"; interfaceName = "vlan-user-${toString vlan}";
prefixLen = 27;
}) 850; }) 850;
vlans = { vlans = {
@ -160,194 +162,214 @@ let
}; };
} // builtins.listToAttrs (map mkUserVlan userVlans); } // builtins.listToAttrs (map mkUserVlan userVlans);
in in
{ {
systemd = { options.networking.vlans-info = mkOption {
network = { type = listOf attrs;
config.routeTables."user" = 1000; description = ''
networks = { Information about vlans for log analysis.
"10-lo" = { '';
name = "lo"; readOnly = true;
address = [ };
"::1/128" config = {
"127.0.0.1/8" systemd = {
"10.0.0.1/27" network = {
]; config.routeTables."user" = 1000;
routes = [ networks = {
{ "10-lo" = {
Destination = "10.0.0.0/27"; name = "lo";
Table = "user"; address = [
} "::1/128"
]; "127.0.0.1/8"
routingPolicyRules = [ "10.0.0.1/27"
{ ];
IncomingInterface = "lo"; routes = [
Table = "user"; {
} Destination = "10.0.0.0/27";
]; Table = "user";
}; }
"10-enp67s0f0np0" = { ];
name = "enp67s0f0np0"; routingPolicyRules = [
linkConfig.Promiscuous = true; {
networkConfig = { IncomingInterface = "lo";
Bridge = "br0"; Table = "user";
}
];
};
"10-enp67s0f0np0" = {
name = "enp67s0f0np0";
linkConfig.Promiscuous = true;
networkConfig = {
Bridge = "br0";
LinkLocalAddressing = false; LinkLocalAddressing = false;
LLDP = false; LLDP = false;
EmitLLDP = false; EmitLLDP = false;
IPv6AcceptRA = false; IPv6AcceptRA = false;
IPv6SendRA = false; IPv6SendRA = false;
};
linkConfig.MTUBytes = 1504;
}; };
linkConfig.MTUBytes = 1504; "50-gretap1" = {
}; name = "gretap1";
"50-gretap1" = { networkConfig = {
name = "gretap1"; Bridge = "br0";
networkConfig = {
Bridge = "br0";
LinkLocalAddressing = false; LinkLocalAddressing = false;
LLDP = false; LLDP = false;
EmitLLDP = false; EmitLLDP = false;
IPv6AcceptRA = false; IPv6AcceptRA = false;
IPv6SendRA = false; IPv6SendRA = false;
};
linkConfig.MTUBytes = 1504;
}; };
linkConfig.MTUBytes = 1504; "50-br0" = {
}; name = "br0";
"50-br0" = { networkConfig = {
name = "br0"; VLAN = builtins.attrNames vlans;
networkConfig = {
VLAN = builtins.attrNames vlans;
LinkLocalAddressing = false; LinkLocalAddressing = false;
LLDP = false; LLDP = false;
EmitLLDP = false; EmitLLDP = false;
IPv6AcceptRA = false; IPv6AcceptRA = false;
IPv6SendRA = false; IPv6SendRA = false;
};
linkConfig.MTUBytes = 1504;
}; };
linkConfig.MTUBytes = 1504; "50-wg0" = {
}; name = "wg0";
"50-wg0" = { address = [ "10.10.17.1/30" ];
name = "wg0"; networkConfig.Tunnel = "gretap1";
address = [ "10.10.17.1/30" ]; };
networkConfig.Tunnel = "gretap1"; } // (mapAttrs' mkNetwork vlans);
};
} // (mapAttrs' mkNetwork vlans);
netdevs = { netdevs = {
"50-gretap1" = { "50-gretap1" = {
netdevConfig = { netdevConfig = {
Name = "gretap1"; Name = "gretap1";
Kind = "gretap"; Kind = "gretap";
};
tunnelConfig = {
Local = "10.10.17.1";
Remote = "10.10.17.2";
};
}; };
tunnelConfig = { "50-br0" = {
Local = "10.10.17.1"; netdevConfig = {
Remote = "10.10.17.2"; Name = "br0";
}; Kind = "bridge";
}; };
"50-br0" = { bridgeConfig = {
netdevConfig = { VLANFiltering = false;
Name = "br0"; STP = false;
Kind = "bridge"; };
};
bridgeConfig = {
VLANFiltering = false;
STP = false;
};
};
"50-wg0" = {
netdevConfig = {
Name = "wg0";
Kind = "wireguard";
};
wireguardConfig = {
ListenPort = 1194;
PrivateKeyFile = config.age.secrets."wg-key".path;
}; };
"50-wg0" = {
netdevConfig = {
Name = "wg0";
Kind = "wireguard";
};
wireguardConfig = {
ListenPort = 1194;
PrivateKeyFile = config.age.secrets."wg-key".path;
};
wireguardPeers = [ wireguardPeers = [
{ {
AllowedIPs = [ AllowedIPs = [
"10.10.17.0/30" "10.10.17.0/30"
]; ];
PublicKey = "g6S3gBx1Hf2iX41tokD+m8WfzJJTTcsKifOkn+Wcd00="; PublicKey = "g6S3gBx1Hf2iX41tokD+m8WfzJJTTcsKifOkn+Wcd00=";
} }
]; ];
}; };
} // mapAttrs' mkNetdev vlans; } // mapAttrs' mkNetdev vlans;
};
services = {
ethtoolConfig = {
wantedBy = [ "systemd-networkd.service" ];
after = [ "sys-subsystem-net-devices-enp67s0f0np0.device" ];
bindsTo = [ "sys-subsystem-net-devices-enp67s0f0np0.device" ];
script = builtins.concatStringsSep "\n" (
builtins.map (name: "${lib.getExe pkgs.ethtool} -K enp67s0f0np0 ${name} off") [
"rxvlan"
"txvlan"
"rx-vlan-filter"
"rx-vlan-offload"
"tx-vlan-offload"
"tx-vlan-stag-hw-insert"
]
);
}; };
systemd-networkd.serviceConfig.LimitNOFILE = 4096; services = {
ethtoolConfig = {
wantedBy = [ "systemd-networkd.service" ];
after = [ "sys-subsystem-net-devices-enp67s0f0np0.device" ];
bindsTo = [ "sys-subsystem-net-devices-enp67s0f0np0.device" ];
script = builtins.concatStringsSep "\n" (
builtins.map (name: "${lib.getExe pkgs.ethtool} -K enp67s0f0np0 ${name} off") [
"rxvlan"
"txvlan"
"rx-vlan-filter"
"rx-vlan-offload"
"tx-vlan-offload"
"tx-vlan-stag-hw-insert"
]
);
};
net-checker = { systemd-networkd.serviceConfig.LimitNOFILE = 4096;
path = [
pkgs.iputils net-checker = {
pkgs.systemd path = [
pkgs.iputils
pkgs.systemd
];
script = ''
if ping -c 1 8.8.8.8 > /dev/null || ping -c 1 1.1.1.1 > /dev/null; then
${lib.concatMapStringsSep "\n " (
{ interfaceName, ... }: "networkctl up ${interfaceName}"
) userVlans}
else
${lib.concatMapStringsSep "\n " (
{ interfaceName, ... }: "networkctl down ${interfaceName}"
) userVlans}
fi
'';
};
};
timers.net-checker = {
wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = "*-*-* *:*:42";
};
};
networking = {
vlans-info = [
{
vlan = 2001;
netIP = "10.0.254.0";
prefixLen = 24;
}
{
vlan = 3001;
netIP = "10.0.253.0";
prefixLen = 24;
}
] ++ userVlans;
nftables = {
enable = true;
tables.nat = {
family = "ip";
content = ''
chain postrouting {
type nat hook postrouting priority 100;
ip saddr 10.0.0.0/16 ip saddr != 10.0.255.0/24 snat ip to 129.199.195.130-129.199.195.158
ether saddr { e0:2e:0b:bd:97:73, e8:d5:2b:0d:fe:4a } snat to 129.199.195.130 comment "Elias"
ether saddr { 1c:1b:b5:14:9c:e5, e6:ce:e2:b6:e3:82 } snat to 129.199.195.131 comment "Lubin"
ether saddr d0:49:7c:46:f6:39 snat to 129.199.195.132 comment "Jean-Marc"
ether saddr { 5c:64:8e:f4:09:06 } snat to 129.199.195.158 comment "APs"
}
'';
};
};
firewall = {
allowedUDPPorts = [
67
1194
]; ];
script = '' checkReversePath = false;
if ping -c 1 8.8.8.8 > /dev/null || ping -c 1 1.1.1.1 > /dev/null; then
${lib.concatMapStringsSep "\n " (
{ interfaceName, ... }: "networkctl up ${interfaceName}"
) userVlans}
else
${lib.concatMapStringsSep "\n " (
{ interfaceName, ... }: "networkctl down ${interfaceName}"
) userVlans}
fi
'';
}; };
}; };
timers.net-checker = { age.secrets."wg-key".owner = "systemd-network";
wantedBy = [ "timers.target" ]; users.users."systemd-network".extraGroups = [ "keys" ];
timerConfig.OnCalendar = "*-*-* *:*:42";
}; boot.kernel.sysctl."net.ipv4.ip_forward" = true;
}; };
networking = {
nftables = {
enable = true;
tables.nat = {
family = "ip";
content = ''
chain postrouting {
type nat hook postrouting priority 100;
ip saddr 10.0.0.0/16 ip saddr != 10.0.255.0/24 snat ip to 129.199.195.130-129.199.195.158
ether saddr { e0:2e:0b:bd:97:73, e8:d5:2b:0d:fe:4a } snat to 129.199.195.130 comment "Elias"
ether saddr { 1c:1b:b5:14:9c:e5, e6:ce:e2:b6:e3:82 } snat to 129.199.195.131 comment "Lubin"
ether saddr d0:49:7c:46:f6:39 snat to 129.199.195.132 comment "Jean-Marc"
ether saddr { 5c:64:8e:f4:09:06 } snat to 129.199.195.158 comment "APs"
}
'';
};
};
firewall = {
allowedUDPPorts = [
67
1194
];
checkReversePath = false;
};
};
age.secrets."wg-key".owner = "systemd-network";
users.users."systemd-network".extraGroups = [ "keys" ];
boot.kernel.sysctl."net.ipv4.ip_forward" = true;
} }
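Review bot: `type = listOf attrs;` in the new `options.networking.vlans-info` declares no schema, so a consumer that reads `vlan`, `netIP` or `prefixLen` from an entry only discovers a misspelled or missing field at use time rather than at evaluation; a `lib.types.submodule` pinning those three fields (with `freeformType` if the extra fields the `userVlans` entries carry, such as `servIP` and `interfaceName`, are meant to pass through) would catch that early. The two hand-written entries for vlans 2001 and 3001 (`netIP = "10.0.254.0"` / `"10.0.253.0"`, `prefixLen = 24`) presumably repeat values that the `vlans` attrset above the hunk already defines, so the option and the actual network configuration can drift apart silently; deriving them from `vlans` would keep the two in step. The description could also state what an entry contains, e.g. `One entry per VLAN: vlan id, network address (netIP) and prefix length (prefixLen); user VLANs also carry servIP and interfaceName.` The `let` block that defines `vlans` and `mkUserVlan` starts before the first hunk.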