add possibility of DMZ connectivity on hypervisor

nixos/machines/default.nix

@@ -39,6 +39,7 @@
     nixosModule.lab = {
       disko.osDiskDevice = "/dev/sda";
       backups.enable = true;
+      networking.allowDMZConnectivity = true;
 
       dataDisk = {
         enable = true;

nixos/modules/default.nix

@@ -6,5 +6,6 @@
     ./k3s
     ./disko.nix
     ./backups.nix
+    ./networking.nix
   ];
 }

nixos/modules/networking.nix

@@ -1,59 +1,72 @@
-{
+{ lib, config, ... }:
-  networking = {
+let cfg = config.lab.networking;
-    domain = "hyp";
+in {
-    firewall.enable = true;
+  options.lab.networking.allowDMZConnectivity = lib.mkOption {
-    useDHCP = false;
+    default = false;
+    type = lib.types.bool;
+    description = ''
+      Whether to create a networking interface on the DMZ bridge.
+    '';
   };
 
-  systemd.network = {
+  config = {
-    enable = true;
+    networking = {
-
+      domain = "hyp";
-    netdevs = {
+      firewall.enable = true;
-      "20-vlandmz" = {
+      useDHCP = false;
-        vlanConfig.Id = 30;
-
-        netdevConfig = {
-          Kind = "vlan";
-          Name = "vlandmz";
-        };
-      };
-
-      "20-bridgedmz" = {
-        netdevConfig = {
-          Kind = "bridge";
-          Name = "bridgedmz";
-        };
-      };
     };
 
-    networks = {
+    systemd.network = {
-      "30-main-nic" = {
+      enable = true;
-        matchConfig.Name = "en*";
-        vlan = [ "vlandmz" ];
 
-        networkConfig = {
+      netdevs = {
-          DHCP = "yes";
+        "20-vlandmz" = {
+          vlanConfig.Id = 30;
+
+          netdevConfig = {
+            Kind = "vlan";
+            Name = "vlandmz";
+          };
+        };
+
+        "20-bridgedmz" = {
+          netdevConfig = {
+            Kind = "bridge";
+            Name = "bridgedmz";
+          };
         };
       };
 
-      "40-vlandmz" = {
+      networks = {
-        matchConfig.Name = "vlandmz";
+        "30-main-nic" = {
-        linkConfig.RequiredForOnline = "enslaved";
+          matchConfig.Name = "en*";
+          vlan = [ "vlandmz" ];
 
-        networkConfig = {
+          networkConfig = {
-          IPv6AcceptRA = false;
+            DHCP = "yes";
-          LinkLocalAddressing = "no";
+          };
-          Bridge = "bridgedmz";
         };
-      };
 
-      "40-bridgedmz" = {
+        "40-vlandmz" = {
-        matchConfig.Name = "bridgedmz";
+          matchConfig.Name = "vlandmz";
-        linkConfig.RequiredForOnline = "carrier";
+          linkConfig.RequiredForOnline = "enslaved";
 
-        networkConfig = {
+          networkConfig = {
-          IPv6AcceptRA = false;
+            IPv6AcceptRA = false;
-          LinkLocalAddressing = "no";
+            LinkLocalAddressing = "no";
+            Bridge = "bridgedmz";
+          };
+        };
+
+        "40-bridgedmz" = {
+          matchConfig.Name = "bridgedmz";
+          linkConfig.RequiredForOnline = "carrier";
+
+          networkConfig = {
+            IPv6AcceptRA = false;
+            LinkLocalAddressing = "no";
+            DHCP = lib.mkIf cfg.allowDMZConnectivity "yes";
+          };
         };
       };
     };