nixos-servers/nixos/modules/networking/default.nix

{ lib, config, machine, ... }:
let cfg = config.lab.networking;
in {
  imports = [ ./dmz ];

  options.lab.networking = {
    allowDMZConnectivity = lib.mkOption {
      default = false;
      type = lib.types.bool;
      description = ''
        Whether to allow networking on the DMZ bridge interface.
      '';
    };

    staticDMZIPv4Address = lib.mkOption {
      default = "";
      type = lib.types.str;
      description = ''
        Assign a static IPv4 address on the DMZ interface.
      '';
    };

    staticDMZIPv6Address = lib.mkOption {
      default = "";
      type = lib.types.str;
      description = ''
        Assign a static IPv6 address on the DMZ interface.
      '';
    };

    publicIPv4 = lib.mkOption {
      type = lib.types.str;
      description = ''
        Public IPv4 address of our home.
      '';
    };

    dockerSwarmInternalIPv4 = lib.mkOption {
      type = lib.types.str;
      description = ''
        Internal IPv4 address of the Docker Swarm.
      '';
    };

    dockerSwarmIPv6 = lib.mkOption {
      type = lib.types.str;
      description = ''
        Globally routable IPv6 address of the Docker Swarm.
      '';
    };

    dmzRouterIPv4 = lib.mkOption {
      type = lib.types.str;
      description = ''
        The router's IPv4 address on the DMZ network.
      '';
    };

    dmzServicesIPv4 = lib.mkOption {
      type = lib.types.str;
      description = ''
        The IPv4 address of the interface serving DHCP and DNS on the DMZ network.
      '';
    };

    dmzServicesIPv6 = lib.mkOption {
      type = lib.types.str;
      description = ''
        The IPv6 address of the interface serving DHCP and DNS on the DMZ network.
      '';
    };

    dmzBridgeName = lib.mkOption {
      default = "bridgedmz";
      type = lib.types.str;
      description = ''
        The name of the DMZ bridge.
      '';
    };

    mainNicNamePattern = lib.mkOption {
      default = "en*";
      type = lib.types.str;
      description = ''
        Pattern to match the name of this machine's main NIC.
      '';
    };
  };

  config = {
    networking = {
      domain = if machine.type == "physical" then "hyp" else "dmz";
      nftables.enable = true;
      useDHCP = machine.type == "virtual";

      firewall = {
        enable = true;
        checkReversePath = false;
      };
    };

    systemd.network = lib.mkIf (machine.type == "physical") {
      enable = true;

      netdevs = {
        "20-vlandmz" = {
          vlanConfig.Id = 30;

          netdevConfig = {
            Kind = "vlan";
            Name = "vlandmz";
          };
        };

        "20-bridgedmz" = {
          netdevConfig = {
            Kind = "bridge";
            Name = cfg.dmzBridgeName;
          };
        };
      };

      networks = {
        "30-main-nic" = {
          matchConfig.Name = cfg.mainNicNamePattern;
          vlan = [ "vlandmz" ];

          networkConfig = {
            DHCP = "yes";
          };
        };

        "40-vlandmz" = {
          matchConfig.Name = "vlandmz";
          linkConfig.RequiredForOnline = "enslaved";

          networkConfig = {
            IPv6AcceptRA = false;
            LinkLocalAddressing = "no";
            Bridge = cfg.dmzBridgeName;
          };
        };

        "40-bridgedmz" = {
          matchConfig.Name = cfg.dmzBridgeName;
          linkConfig.RequiredForOnline = "carrier";

          networkConfig = {
            IPv6AcceptRA = cfg.allowDMZConnectivity;
            LinkLocalAddressing = if cfg.allowDMZConnectivity then "ipv6" else "no";
            DHCP = lib.mkIf (cfg.allowDMZConnectivity && cfg.staticDMZIPv4Address == "") "yes";
            Address = lib.lists.optional (cfg.staticDMZIPv4Address != "") cfg.staticDMZIPv4Address
              ++ lib.lists.optional (cfg.staticDMZIPv6Address != "") cfg.staticDMZIPv6Address;
          };
        };

        "40-vms" = {
          matchConfig.Name = "vm-*";
          networkConfig.Bridge = cfg.dmzBridgeName;
        };
      };
    };
  };
}
integrate VM definitions 2024-01-28 10:48:13 +00:00			`{ lib, config, machine, ... }:`
add possibility of DMZ connectivity on hypervisor 2023-12-30 15:11:28 +00:00			`let cfg = config.lab.networking;`
			`in {`
restructure modules 2024-01-07 22:06:27 +00:00			`imports = [ ./dmz ];`

enable dnsmasq for DHCP and DNS allow setting static ipv4 address on DMZ 2024-01-07 21:36:26 +00:00			`options.lab.networking = {`
			`allowDMZConnectivity = lib.mkOption {`
			`default = false;`
			`type = lib.types.bool;`
			`description = ''`
enable IPv6 support on DNS 2024-01-14 14:20:32 +00:00			`Whether to allow networking on the DMZ bridge interface.`
enable dnsmasq for DHCP and DNS allow setting static ipv4 address on DMZ 2024-01-07 21:36:26 +00:00			`'';`
			`};`

enable IPv6 support on DNS 2024-01-14 14:20:32 +00:00			`staticDMZIPv4Address = lib.mkOption {`
enable dnsmasq for DHCP and DNS allow setting static ipv4 address on DMZ 2024-01-07 21:36:26 +00:00			`default = "";`
			`type = lib.types.str;`
			`description = ''`
enable IPv6 support on DNS 2024-01-14 14:20:32 +00:00			`Assign a static IPv4 address on the DMZ interface.`
			`'';`
			`};`

			`staticDMZIPv6Address = lib.mkOption {`
			`default = "";`
			`type = lib.types.str;`
			`description = ''`
			`Assign a static IPv6 address on the DMZ interface.`
enable dnsmasq for DHCP and DNS allow setting static ipv4 address on DMZ 2024-01-07 21:36:26 +00:00			`'';`
			`};`
create global module for machine-independent custom configuration parameterize various IP addresses 2024-01-08 22:17:37 +00:00
			`publicIPv4 = lib.mkOption {`
			`type = lib.types.str;`
			`description = ''`
			`Public IPv4 address of our home.`
			`'';`
			`};`

			`dockerSwarmInternalIPv4 = lib.mkOption {`
			`type = lib.types.str;`
			`description = ''`
			`Internal IPv4 address of the Docker Swarm.`
			`'';`
			`};`

enable ipv6 networking on docker swarm 2024-01-14 16:59:32 +00:00			`dockerSwarmIPv6 = lib.mkOption {`
			`type = lib.types.str;`
			`description = ''`
			`Globally routable IPv6 address of the Docker Swarm.`
			`'';`
			`};`

create global module for machine-independent custom configuration parameterize various IP addresses 2024-01-08 22:17:37 +00:00			`dmzRouterIPv4 = lib.mkOption {`
			`type = lib.types.str;`
			`description = ''`
			`The router's IPv4 address on the DMZ network.`
			`'';`
			`};`

enable IPv6 support on DNS 2024-01-14 14:20:32 +00:00			`dmzServicesIPv4 = lib.mkOption {`
			`type = lib.types.str;`
			`description = ''`
			`The IPv4 address of the interface serving DHCP and DNS on the DMZ network.`
			`'';`
			`};`

			`dmzServicesIPv6 = lib.mkOption {`
create global module for machine-independent custom configuration parameterize various IP addresses 2024-01-08 22:17:37 +00:00			`type = lib.types.str;`
			`description = ''`
enable IPv6 support on DNS 2024-01-14 14:20:32 +00:00			`The IPv6 address of the interface serving DHCP and DNS on the DMZ network.`
create global module for machine-independent custom configuration parameterize various IP addresses 2024-01-08 22:17:37 +00:00			`'';`
			`};`
parameterize main nic and dmz bridge interface names firewall some services to particular interfaces 2024-01-12 23:05:25 +00:00
			`dmzBridgeName = lib.mkOption {`
			`default = "bridgedmz";`
			`type = lib.types.str;`
			`description = ''`
			`The name of the DMZ bridge.`
			`'';`
			`};`

			`mainNicNamePattern = lib.mkOption {`
			`default = "en*";`
			`type = lib.types.str;`
			`description = ''`
			`Pattern to match the name of this machine's main NIC.`
			`'';`
			`};`
create module for networking 2023-12-30 14:20:16 +00:00			`};`

add possibility of DMZ connectivity on hypervisor 2023-12-30 15:11:28 +00:00			`config = {`
			`networking = {`
derive domain from server type 2024-01-28 12:46:32 +00:00			`domain = if machine.type == "physical" then "hyp" else "dmz";`
integrate VM definitions 2024-01-28 10:48:13 +00:00			`nftables.enable = true;`
			`useDHCP = machine.type == "virtual";`

enable firewall again replace iptables with nftables disable reverse path filtering for all hosts allow port 5353 for host running dnsmasq closes #31 2024-01-12 21:31:15 +00:00			`firewall = {`
			`enable = true;`
			`checkReversePath = false;`
			`};`
add possibility of DMZ connectivity on hypervisor 2023-12-30 15:11:28 +00:00			`};`

integrate VM definitions 2024-01-28 10:48:13 +00:00			`systemd.network = lib.mkIf (machine.type == "physical") {`
add possibility of DMZ connectivity on hypervisor 2023-12-30 15:11:28 +00:00			`enable = true;`
create module for networking 2023-12-30 14:20:16 +00:00
add possibility of DMZ connectivity on hypervisor 2023-12-30 15:11:28 +00:00			`netdevs = {`
			`"20-vlandmz" = {`
			`vlanConfig.Id = 30;`
create module for networking 2023-12-30 14:20:16 +00:00
add possibility of DMZ connectivity on hypervisor 2023-12-30 15:11:28 +00:00			`netdevConfig = {`
			`Kind = "vlan";`
			`Name = "vlandmz";`
			`};`
create module for networking 2023-12-30 14:20:16 +00:00			`};`

add possibility of DMZ connectivity on hypervisor 2023-12-30 15:11:28 +00:00			`"20-bridgedmz" = {`
			`netdevConfig = {`
			`Kind = "bridge";`
parameterize main nic and dmz bridge interface names firewall some services to particular interfaces 2024-01-12 23:05:25 +00:00			`Name = cfg.dmzBridgeName;`
add possibility of DMZ connectivity on hypervisor 2023-12-30 15:11:28 +00:00			`};`
create module for networking 2023-12-30 14:20:16 +00:00			`};`
			`};`

add possibility of DMZ connectivity on hypervisor 2023-12-30 15:11:28 +00:00			`networks = {`
			`"30-main-nic" = {`
parameterize main nic and dmz bridge interface names firewall some services to particular interfaces 2024-01-12 23:05:25 +00:00			`matchConfig.Name = cfg.mainNicNamePattern;`
add possibility of DMZ connectivity on hypervisor 2023-12-30 15:11:28 +00:00			`vlan = [ "vlandmz" ];`
create module for networking 2023-12-30 14:20:16 +00:00
add possibility of DMZ connectivity on hypervisor 2023-12-30 15:11:28 +00:00			`networkConfig = {`
			`DHCP = "yes";`
			`};`
create module for networking 2023-12-30 14:20:16 +00:00			`};`

add possibility of DMZ connectivity on hypervisor 2023-12-30 15:11:28 +00:00			`"40-vlandmz" = {`
			`matchConfig.Name = "vlandmz";`
			`linkConfig.RequiredForOnline = "enslaved";`
create module for networking 2023-12-30 14:20:16 +00:00
add possibility of DMZ connectivity on hypervisor 2023-12-30 15:11:28 +00:00			`networkConfig = {`
			`IPv6AcceptRA = false;`
			`LinkLocalAddressing = "no";`
parameterize main nic and dmz bridge interface names firewall some services to particular interfaces 2024-01-12 23:05:25 +00:00			`Bridge = cfg.dmzBridgeName;`
add possibility of DMZ connectivity on hypervisor 2023-12-30 15:11:28 +00:00			`};`
create module for networking 2023-12-30 14:20:16 +00:00			`};`

add possibility of DMZ connectivity on hypervisor 2023-12-30 15:11:28 +00:00			`"40-bridgedmz" = {`
parameterize main nic and dmz bridge interface names firewall some services to particular interfaces 2024-01-12 23:05:25 +00:00			`matchConfig.Name = cfg.dmzBridgeName;`
add possibility of DMZ connectivity on hypervisor 2023-12-30 15:11:28 +00:00			`linkConfig.RequiredForOnline = "carrier";`
create module for networking 2023-12-30 14:20:16 +00:00
add possibility of DMZ connectivity on hypervisor 2023-12-30 15:11:28 +00:00			`networkConfig = {`
enable ipv6 networking on DMZ 2024-01-13 16:33:14 +00:00			`IPv6AcceptRA = cfg.allowDMZConnectivity;`
			`LinkLocalAddressing = if cfg.allowDMZConnectivity then "ipv6" else "no";`
enable ipv6 networking on docker swarm 2024-01-14 16:59:32 +00:00			`DHCP = lib.mkIf (cfg.allowDMZConnectivity && cfg.staticDMZIPv4Address == "") "yes";`
enable IPv6 support on DNS 2024-01-14 14:20:32 +00:00			`Address = lib.lists.optional (cfg.staticDMZIPv4Address != "") cfg.staticDMZIPv4Address`
			`++ lib.lists.optional (cfg.staticDMZIPv6Address != "") cfg.staticDMZIPv6Address;`
add possibility of DMZ connectivity on hypervisor 2023-12-30 15:11:28 +00:00			`};`
create module for networking 2023-12-30 14:20:16 +00:00			`};`
copy microvm config 2024-01-17 20:28:15 +00:00
			`"40-vms" = {`
			`matchConfig.Name = "vm-*";`
			`networkConfig.Bridge = cfg.dmzBridgeName;`
			`};`
create module for networking 2023-12-30 14:20:16 +00:00			`};`
			`};`
			`};`
			`}`