restructure modules

This commit is contained in:
Pim Kunis 2024-01-07 23:06:27 +01:00
parent 11ec763244
commit aba16d3fd1
7 changed files with 51 additions and 49 deletions


@ -0,0 +1,92 @@
{ lib, config, ... }:
let cfg = config.lab.networking;
in {
imports = [ ./dmz ];
options.lab.networking = {
allowDMZConnectivity = lib.mkOption {
default = false;
type = lib.types.bool;
description = ''
Whether to create a networking interface on the DMZ bridge.
'';
};
staticDMZIpv4Address = lib.mkOption {
default = "";
type = lib.types.str;
description = ''
Assign a static IPv4 on the DMZ interface.
'';
};
};
config = {
networking = {
domain = "hyp";
# TODO: Enabling the firewall makes connectivity of LAN -> DMZ impossible...
firewall.enable = false;
useDHCP = false;
};
systemd.network = {
enable = true;
netdevs = {
"20-vlandmz" = {
vlanConfig.Id = 30;
netdevConfig = {
Kind = "vlan";
Name = "vlandmz";
};
};
"20-bridgedmz" = {
netdevConfig = {
Kind = "bridge";
Name = "bridgedmz";
# TODO: This does not seem to work? Unsure what the problem is.
# We don't necessary need this though: we simply use DNS as the host.
# MACAddress = lib.mkIf cfg.allowDMZConnectivity "CA:FE:C0:FF:EE:0A";
# MACAddress = "ca:fe:c0:ff:ee:0a";
};
};
};
networks = {
"30-main-nic" = {
matchConfig.Name = "en*";
vlan = [ "vlandmz" ];
networkConfig = {
DHCP = "yes";
};
};
"40-vlandmz" = {
matchConfig.Name = "vlandmz";
linkConfig.RequiredForOnline = "enslaved";
networkConfig = {
IPv6AcceptRA = false;
LinkLocalAddressing = "no";
Bridge = "bridgedmz";
};
};
"40-bridgedmz" = {
matchConfig.Name = "bridgedmz";
linkConfig.RequiredForOnline = "carrier";
networkConfig = {
IPv6AcceptRA = false;
LinkLocalAddressing = "no";
DHCP = lib.mkIf cfg.allowDMZConnectivity "yes";
Address = lib.mkIf (cfg.staticDMZIpv4Address != "") cfg.staticDMZIpv4Address;
};
};
};
};
};
}
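Review bot: `firewall.enable = false;` near the top of the `config` block switches the host firewall off for every machine that imports this module, and the only record of why is a TODO about LAN -> DMZ connectivity. That symptom is plausibly caused by the reverse-path filter the NixOS firewall module enables by default rather than by input filtering itself, so it is worth trying `networking.firewall.checkReversePath = "loose";` (or `false`) with the firewall left enabled before disabling it outright; if it must stay off, the comment should say what was ruled out. A smaller point: `staticDMZIpv4Address` uses `""` as an "unset" sentinel under `lib.types.str`; `type = lib.types.nullOr lib.types.str;` with `default = null;` and `lib.mkIf (cfg.staticDMZIpv4Address != null)` expresses that directly.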


@ -0,0 +1,72 @@
{ pkgs, lib, config, dns, ... }:
let
cfg = config.lab.networking.dmzServices;
publicIpv4 = "192.145.57.90";
kunisZoneFile = pkgs.writeTextFile {
name = "kunis-zone-file";
text = (dns.lib.toString "kun.is" (import ./zones/kun.is.nix { inherit dns publicIpv4; }));
};
geokunis2nlZoneFile = pkgs.writeTextFile {
name = "geokunis2nl-zone-file";
text = (dns.lib.toString "geokunis2.nl" (import ./zones/geokunis2.nl.nix { inherit dns publicIpv4; }));
};
in
{
options.lab.networking.dmzServices.enable = lib.mkOption {
default = false;
type = lib.types.bool;
description = ''
Whether to enable an authoritative DNS server and DNSmasq for DMZ network.
'';
};
config = lib.mkIf cfg.enable {
networking.firewall = {
allowedTCPPorts = [ 53 ];
allowedUDPPorts = [ 53 67 ];
};
services = {
bind = {
enable = true;
forwarders = [ ];
# TODO: disable ipv6 for now, as the hosts themselves lack routes it seems.
ipv4Only = true;
extraOptions = ''
allow-transfer { none; };
allow-recursion { none; };
version "No dice.";
'';
zones = {
"kun.is" = {
master = true;
file = kunisZoneFile;
allowQuery = [ "any" ];
extraConfig = ''
notify yes;
allow-update { none; };
'';
};
"geokunis2.nl" = {
master = true;
file = geokunis2nlZoneFile;
allowQuery = [ "any" ];
extraConfig = ''
notify yes;
allow-update { none; };
'';
};
};
};
dnsmasq = {
enable = true;
settings = import ./dnsmasq.nix;
};
};
};
}
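Review bot: The `networking.firewall.allowedTCPPorts`/`allowedUDPPorts` entries in `config` have no effect as long as the networking module in this same commit sets `networking.firewall.enable = false;` unconditionally, so the 53/67 exposure written here is not what is actually enforced; if the firewall is re-enabled later, note also that `./dnsmasq.nix` configures dnsmasq on port 5353, which this list does not open. `publicIpv4 = "192.145.57.90"` is hard-coded here and repeated inside `./dnsmasq.nix` (`alias = "192.145.57.90,192.168.30.8"`); passing it in, e.g. `settings = import ./dnsmasq.nix { inherit publicIpv4; };`, the way the zone files already receive it keeps the two from drifting. Finally, `allow-transfer { none; };` together with `notify yes;` only makes sense if the external name servers listed in the zones are not pulling the zone via AXFR; if the transip servers named in the geokunis2.nl zone are secondaries, restrict `allow-transfer` to their addresses instead of `none`.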


@ -0,0 +1,41 @@
{
no-resolv = true;
server = [
"192.168.30.1"
"/geokunis2.nl/192.168.30.7"
"/kun.is/192.168.30.7"
];
local = "/dmz/";
dhcp-fqdn = true;
no-hosts = true;
expand-hosts = true;
domain = "dmz";
dhcp-authoritative = true;
dhcp-range = [
"192.168.30.50,192.168.30.127,15m"
"2a02:58:19a:f730::, ra-stateless, ra-names"
];
dhcp-host = [
"b8:27:eb:b9:ab:e2,esrom"
"ca:fe:c0:ff:ee:03,max,192.168.30.3"
"ca:fe:c0:ff:ee:08,maestro,192.168.30.8"
"dc:a6:32:7b:e2:11,iris,192.168.30.9"
"ca:fe:c0:ff:ee:0a,thecloud,192.168.30.10"
"52:54:00:72:e0:9a,forum,192.168.30.11"
];
dhcp-option = [
"3,192.168.30.1"
"option6:dns-server,[2a02:58:19a:f730::1]"
"option:dns-server,192.168.30.1"
];
ra-param = "*,0,0";
alias = "192.145.57.90,192.168.30.8";
log-dhcp = true;
log-queries = true;
interface-name = "hermes.dmz,ens3";
port = "5353";
address = [
"/ns.pizzapim.nl/ns.geokunis2.nl/ns.pim.kunis.nl/192.168.30.7"
"/ns.pizzapim.nl/ns.geokunis2.nl/ns.pim.kunis.nl/2a02:58:19a:f730:c8fe:c0ff:feff:ee07"
];
}
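Review bot: `port = "5353";` puts dnsmasq's DNS listener on the port mDNS uses, so it will collide with any avahi/mDNS responder on the same host, and it disagrees with the port 53 that the `dmzServices` module opens in the firewall; the reason for the non-standard port (presumably that bind owns 53 on the same machine) should be recorded next to it, e.g. `# DNS listener moved off 53: <reason>`. `log-queries = true` writes every client lookup to the journal, which is useful while debugging the new setup but is a retention and privacy cost if left on in steady state. The IPv6 `dhcp-range` entry has spaces after its commas while the IPv4 entry does not; confirm dnsmasq accepts that form before relying on it.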


@ -0,0 +1,29 @@
{ publicIpv4, dns }:
with dns.lib.combinators;
{
SOA = {
nameServer = "ns";
adminEmail = "hostmaster@geokunis2.nl";
serial = 1704580936;
};
NS = [
"ns.geokunis2.nl."
"ns0.transip.net."
"ns1.transip.nl."
"ns2.transip.eu."
];
MX = [ (mx.mx 10 "mail.geokunis2.nl.") ];
A = [ publicIpv4 ];
CAA = letsEncrypt "caa@geokunis2.nl";
subdomains = {
ns.A = [ publicIpv4 ];
ns1.A = [ publicIpv4 ];
ns2.A = [ publicIpv4 ];
"*".A = [ publicIpv4 ];
};
}
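Review bot: The zone publishes an `MX` record but no SPF or DMARC `TXT` records, so receivers cannot tell mail claiming to be from geokunis2.nl from spoofed mail; unless those records are served elsewhere, add an SPF `TXT` at the apex and a `_dmarc` subdomain `TXT` here. The same gap exists in the kun.is zone in this commit. `serial = 1704580936;` is a hand-written timestamp that must be bumped on every change for bind's `notify yes;` to propagate anything, and the identical literal appears in the kun.is zone; a comment such as `# SOA serial: must be incremented on every change to this zone` at both would help. The `ns1` and `ns2` A records under `subdomains` are not referenced by any `NS` entry in this zone and look like leftovers.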


@ -0,0 +1,28 @@
{ publicIpv4, dns }:
with dns.lib.combinators;
{
CAA = letsEncrypt "caa@kun.is";
SOA = {
nameServer = "ns1";
adminEmail = "webmaster@kun.is";
serial = 1704580936;
};
NS = [
"ns1.kun.is."
"ns2.kun.is."
];
MX = [
(mx.mx 10 "mail.kun.is.")
];
subdomains = {
ns.A = [ publicIpv4 ];
ns1.A = [ publicIpv4 ];
ns2.A = [ publicIpv4 ];
"*".A = [ publicIpv4 ];
};
}
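Review bot: Unlike the geokunis2.nl zone, this zone defines no apex `A` record, and the `"*".A` wildcard does not cover the bare name, so `kun.is` itself will not resolve to `publicIpv4`; confirm that is intended, otherwise add `A = [ publicIpv4 ];` alongside `CAA`. `ns.A = [ publicIpv4 ];` is not referenced by the `NS` list (`ns1.kun.is.`/`ns2.kun.is.`) and reads as a leftover. The SOA `nameServer = "ns1"` does agree with the NS set, which is correct.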