nixos-servers/nix/modules/networking/default.nix

168 lines
4.1 KiB
Nix
Raw Normal View History

2024-01-28 10:48:13 +00:00
{ lib, config, machine, ... }:
let cfg = config.lab.networking;
in {
2024-01-31 20:58:23 +00:00
imports = [ ./dmz_services ];
2024-01-07 22:06:27 +00:00
options.lab.networking = {
2024-01-31 20:58:23 +00:00
dmz = {
allowConnectivity = lib.mkOption {
default = false;
type = lib.types.bool;
description = ''
Whether to allow networking on the DMZ bridge interface.
'';
};
2024-01-31 20:58:23 +00:00
bridgeName = lib.mkOption {
default = "bridgedmz";
type = lib.types.str;
description = ''
The name of the DMZ bridge.
'';
};
};
2024-02-27 22:28:52 +00:00
staticNetworking = lib.mkOption {
default = false;
type = lib.types.bool;
description = ''
Whether this machine has static networking configuration applied.
Routing is prepopulated, but IP addresses have to be set.
'';
};
staticIPv4 = lib.mkOption {
type = lib.types.str;
description = ''
Static IPv4 address for the machine.
'';
};
staticIPv6 = lib.mkOption {
type = lib.types.str;
description = ''
2024-02-27 22:28:52 +00:00
Static IPv6 address for the machine.
'';
};
2023-12-30 14:20:16 +00:00
};
config = {
networking = {
domain = if machine.isPhysical then "hyp" else "dmz";
2024-01-31 20:58:23 +00:00
nftables.enable = true;
2024-02-27 22:28:52 +00:00
useDHCP = false;
2024-01-28 10:48:13 +00:00
firewall = {
2024-01-31 20:58:23 +00:00
enable = true;
checkReversePath = false;
};
};
2024-02-27 22:28:52 +00:00
systemd.network = {
enable = true;
2023-12-30 14:20:16 +00:00
2024-02-27 22:28:52 +00:00
netdevs = lib.mkIf machine.isHypervisor {
"20-vlandmz" = {
vlanConfig.Id = 30;
2023-12-30 14:20:16 +00:00
netdevConfig = {
Kind = "vlan";
Name = "vlandmz";
};
2023-12-30 14:20:16 +00:00
};
"20-bridgedmz" = {
netdevConfig = {
Kind = "bridge";
2024-01-31 20:58:23 +00:00
Name = cfg.dmz.bridgeName;
};
2023-12-30 14:20:16 +00:00
};
};
2024-02-27 22:28:52 +00:00
networks = lib.attrsets.mergeAttrsList [
(lib.optionalAttrs machine.isHypervisor {
"30-main-nic" = {
matchConfig.Name = "en*";
vlan = [ "vlandmz" ];
2023-12-30 14:20:16 +00:00
2024-02-27 22:28:52 +00:00
networkConfig = {
DHCP = "yes";
};
};
2023-12-30 14:20:16 +00:00
2024-02-27 22:28:52 +00:00
"40-vlandmz" = {
matchConfig.Name = "vlandmz";
linkConfig.RequiredForOnline = "enslaved";
2023-12-30 14:20:16 +00:00
2024-02-27 22:28:52 +00:00
networkConfig = {
IPv6AcceptRA = false;
LinkLocalAddressing = "no";
Bridge = cfg.dmz.bridgeName;
};
};
2023-12-30 14:20:16 +00:00
2024-02-27 22:28:52 +00:00
"40-bridgedmz" = {
matchConfig.Name = cfg.dmz.bridgeName;
linkConfig.RequiredForOnline = "carrier";
2023-12-30 14:20:16 +00:00
2024-02-27 22:28:52 +00:00
networkConfig = {
IPv6AcceptRA = cfg.dmz.allowConnectivity;
LinkLocalAddressing = if cfg.dmz.allowConnectivity then "ipv6" else "no";
DHCP = "yes";
};
};
2024-01-17 20:28:15 +00:00
2024-02-27 22:28:52 +00:00
"40-vms" = {
matchConfig.Name = "vm-*";
networkConfig.Bridge = cfg.dmz.bridgeName;
};
})
(lib.optionalAttrs machine.isVirtual {
2024-02-27 22:28:52 +00:00
"30-main-nic" = {
matchConfig.Name = "en*";
networkConfig = {
IPv6AcceptRA = ! cfg.staticNetworking;
DHCP = lib.mkIf (! cfg.staticNetworking) "yes";
Address = lib.mkIf cfg.staticNetworking [
"${cfg.staticIPv4}/${cfg.dmz.ipv4.prefixLength}"
"${cfg.staticIPv6}/${cfg.dmz.ipv6.prefixLength}"
];
DNS = lib.mkIf cfg.staticNetworking [
cfg.dmz.ipv4.router
cfg.dmz.ipv6.router
];
};
routes = lib.mkIf cfg.staticNetworking [
{
routeConfig = {
Gateway = cfg.dmz.ipv4.router;
Destination = "0.0.0.0/0";
};
}
{
routeConfig = {
Gateway = cfg.dmz.ipv6.router;
Destination = "::/0";
};
}
];
};
})
(lib.optionalAttrs machine.isRaspberryPi {
"30-main-nic" = {
matchConfig.Name = "end*";
networkConfig = {
IPv6AcceptRA = true;
DHCP = "yes";
};
};
})
];
2023-12-30 14:20:16 +00:00
};
};
}