infrastructure/machines/vault01/networking.nix

186 lines
4.5 KiB
Nix

{
pkgs,
lib,
meta,
name,
...
}:
let
inherit (lib) mapAttrs' nameValuePair;
uplink = {
ip = "10.120.33.250";
prefix = 30;
router = "10.120.33.249";
};
mkNetwork =
name:
{
address,
extraNetwork ? { },
...
}:
nameValuePair "10-${name}" ({ inherit name address; } // extraNetwork);
mkNetdev =
name:
{ Id, ... }:
nameValuePair "10-${name}" {
netdevConfig = {
Name = name;
Kind = "vlan";
};
vlanConfig.Id = Id;
};
mkUserVlan =
id:
let
# on alloue 10.0.0.0/17 aux thurnés, avec un /27 chacun, on garde 10.0.0.0/27 pour nous (routeur et autres)
vlan = 4094 - id;
prefix24nb = (id + 1) / 8;
prefix27nb = (id + 1 - prefix24nb * 8) * 32;
in
{
name = "vlan-user-${builtins.toString vlan}";
value = {
Id = vlan;
address = [ ];
extraNetwork = {
networkConfig = {
LinkLocalAddressing = "no";
};
linkConfig = {
Promiscuous = true;
};
addresses = [
{
addressConfig = {
Address = "10.0.${builtins.toString prefix24nb}.${builtins.toString (prefix27nb + 1)}/27";
AddPrefixRoute = false;
};
}
];
routes = [
{
routeConfig = {
Destination = "10.0.${builtins.toString prefix24nb}.${builtins.toString prefix27nb}/27";
Table = "user";
};
}
];
routingPolicyRules = [
{
routingPolicyRuleConfig = {
From = "10.0.${builtins.toString prefix24nb}.${builtins.toString prefix27nb}/27";
To = "10.0.0.0/27";
IncomingInterface = "vlan-user-${builtins.toString vlan}";
Table = "user";
};
}
];
};
};
};
vlans = {
vlan-uplink-cri = {
Id = 223;
address = with uplink; [ "${ip}/${builtins.toString prefix}" ];
extraNetwork.routes = [
{
routeConfig = {
# Get the public ip from the metadata
PreferredSource = builtins.head meta.network.${name}.addresses.ipv4;
Gateway = uplink.router;
};
}
];
};
vlan-admin = {
Id = 3000;
address = [ "fd26:baf9:d250:8000::1/64" ];
};
vlan-admin-ap = {
Id = 3001;
address = [ "fd26:baf9:d250:8010::1/60" ];
};
vlan-apro = {
Id = 2000;
address = [ "10.0.255.1/24" ];
extraNetwork.networkConfig.DHCPServer = "yes";
};
} // builtins.listToAttrs (builtins.genList mkUserVlan 850); # 850 when we can
in
{
systemd.network = {
config.routeTables."user" = 1000;
networks = {
"10-lo" = {
name = "lo";
address = [
"::1/128"
"127.0.0.1/8"
"10.0.0.1/16"
];
routes = [
{
routeConfig = {
Destination = "10.0.0.0/27";
Table = "user";
};
}
];
routingPolicyRules = [
{
routingPolicyRuleConfig = {
IncomingInterface = "lo";
Table = "user";
};
}
];
};
"10-enp67s0f0np0" = {
name = "enp67s0f0np0";
linkConfig.Promiscuous = true;
networkConfig = {
VLAN = builtins.attrNames vlans;
LinkLocalAddressing = false;
LLDP = false;
EmitLLDP = false;
IPv6AcceptRA = false;
IPv6SendRA = false;
};
};
} // (mapAttrs' mkNetwork vlans);
netdevs = mapAttrs' mkNetdev vlans;
};
systemd.services.ethtoolConfig = {
wantedBy = [ "systemd-networkd.service" ];
after = [ "sys-subsystem-net-devices-enp67s0f0np0.device" ];
bindsTo = [ "sys-subsystem-net-devices-enp67s0f0np0.device" ];
script = ''
${lib.getExe pkgs.ethtool} -K enp67s0f0np0 rxvlan off
${lib.getExe pkgs.ethtool} -K enp67s0f0np0 txvlan off
${lib.getExe pkgs.ethtool} -K enp67s0f0np0 rx-vlan-filter off
${lib.getExe pkgs.ethtool} -K enp67s0f0np0 rx-vlan-offload off
${lib.getExe pkgs.ethtool} -K enp67s0f0np0 tx-vlan-offload off
${lib.getExe pkgs.ethtool} -K enp67s0f0np0 tx-vlan-stag-hw-insert off
echo "Hardware for enp67s0f0np0 configured"
'';
};
networking.firewall.allowedUDPPorts = [ 67 ];
}