parameterize main nic and dmz bridge interface names

firewall some services to particular interfaces

nixos/modules/data-sharing.nix

@@ -50,7 +50,7 @@ in
   };
 
   config = lib.mkIf cfg.enable {
-    networking.firewall.allowedTCPPorts = [
+    networking.firewall.interfaces.${config.lab.networking.dmzBridgeName}.allowedTCPPorts = [
       2049 # NFS
       5432 # PostgeSQL
       111 # NFS

nixos/modules/networking/default.nix

@@ -47,6 +47,22 @@ in {
         The IPv4 address of the DHCP server on the DMZ network.
       '';
     };
+
+    dmzBridgeName = lib.mkOption {
+      default = "bridgedmz";
+      type = lib.types.str;
+      description = ''
+        The name of the DMZ bridge.
+      '';
+    };
+
+    mainNicNamePattern = lib.mkOption {
+      default = "en*";
+      type = lib.types.str;
+      description = ''
+        Pattern to match the name of this machine's main NIC.
+      '';
+    };
   };
 
   config = {
@@ -77,18 +93,14 @@ in {
         "20-bridgedmz" = {
           netdevConfig = {
             Kind = "bridge";
-            Name = "bridgedmz";
+            Name = cfg.dmzBridgeName;
-            # TODO: This does not seem to work? Unsure what the problem is.
-            # We don't necessary need this though: we simply use DNS as the host.
-            # MACAddress = lib.mkIf cfg.allowDMZConnectivity "CA:FE:C0:FF:EE:0A";
-            # MACAddress = "ca:fe:c0:ff:ee:0a";
           };
         };
       };
 
       networks = {
         "30-main-nic" = {
-          matchConfig.Name = "en*";
+          matchConfig.Name = cfg.mainNicNamePattern;
           vlan = [ "vlandmz" ];
 
           networkConfig = {
@@ -103,12 +115,12 @@ in {
           networkConfig = {
             IPv6AcceptRA = false;
             LinkLocalAddressing = "no";
-            Bridge = "bridgedmz";
+            Bridge = cfg.dmzBridgeName;
           };
         };
 
         "40-bridgedmz" = {
-          matchConfig.Name = "bridgedmz";
+          matchConfig.Name = cfg.dmzBridgeName;
           linkConfig.RequiredForOnline = "carrier";
 
           networkConfig = {

nixos/modules/networking/dmz/default.nix

@@ -21,7 +21,7 @@ in
   };
 
   config = lib.mkIf cfg.enable {
-    networking.firewall = {
+    networking.firewall.interfaces.${config.lab.networking.dmzBridgeName} = {
       allowedTCPPorts = [ 53 5353 ];
       allowedUDPPorts = [ 53 67 5353 ];
     };

nixos/modules/networking/dmz/dnsmasq.nix

@@ -4,34 +4,38 @@ let
 in
 {
   no-resolv = true;
-  server = [
-    dmzRouterIPv4
-    "/geokunis2.nl/${dmzDHCPIPv4}"
-    "/kun.is/${dmzDHCPIPv4}"
-  ];
   local = "/dmz/";
   dhcp-fqdn = true;
   no-hosts = true;
   expand-hosts = true;
   domain = "dmz";
   dhcp-authoritative = true;
-  dhcp-range = [
-    "192.168.30.50,192.168.30.127,15m"
-  ];
-  dhcp-host = [
-    "b8:27:eb:b9:ab:e2,esrom"
-    "ca:fe:c0:ff:ee:08,maestro,${dockerSwarmInternalIPv4}"
-  ];
-  dhcp-option = [
-    "3,${dmzRouterIPv4}"
-    "option:dns-server,${dmzRouterIPv4}"
-  ];
   ra-param = "*,0,0";
   alias = "${publicIPv4},${dockerSwarmInternalIPv4}";
   log-dhcp = true;
   log-queries = true;
-  # interface-name = "hermes.dmz,ens3";
   port = "5353";
+
+  server = [
+    dmzRouterIPv4
+    "/geokunis2.nl/${dmzDHCPIPv4}"
+    "/kun.is/${dmzDHCPIPv4}"
+  ];
+
+  dhcp-range = [
+    "192.168.30.50,192.168.30.127,15m"
+  ];
+
+  dhcp-host = [
+    "b8:27:eb:b9:ab:e2,esrom"
+    "ca:fe:c0:ff:ee:08,maestro,${dockerSwarmInternalIPv4}"
+  ];
+
+  dhcp-option = [
+    "3,${dmzRouterIPv4}"
+    "option:dns-server,${dmzRouterIPv4}"
+  ];
+
   address = [
     "/ns.pizzapim.nl/ns.geokunis2.nl/${dmzDHCPIPv4}"
   ];

nixos/modules/terraform-database/default.nix

@@ -10,7 +10,7 @@ in {
   };
 
   config = lib.mkIf cfg.enable {
-    networking.firewall.allowedTCPPorts = [ 5432 ];
+    networking.firewall.interfaces.${config.lab.networking.mainNicNamePattern}.allowedTCPPorts = [ 5432 ];
 
     services.postgresql = {
       enable = true;