add possibility of DMZ connectivity on hypervisor

2023-12-30 16:11:28 +01:00 · 2023-12-30 16:11:28 +01:00 · d9f697d171
commit d9f697d171
parent 0518fb5949
3 changed files with 59 additions and 44 deletions
--- a/nixos/machines/default.nix
+++ b/nixos/machines/default.nix
@ -39,6 +39,7 @@
    nixosModule.lab = {
      disko.osDiskDevice = "/dev/sda";
      backups.enable = true;
+      networking.allowDMZConnectivity = true;

      dataDisk = {
        enable = true;
--- a/nixos/modules/default.nix
+++ b/nixos/modules/default.nix
@ -6,5 +6,6 @@
    ./k3s
    ./disko.nix
    ./backups.nix
+    ./networking.nix
  ];
 }
--- a/nixos/modules/networking.nix
+++ b/nixos/modules/networking.nix
@ -1,59 +1,72 @@
-{
-  networking = {
-    domain = "hyp";
-    firewall.enable = true;
-    useDHCP = false;
+{ lib, config, ... }:
+let cfg = config.lab.networking;
+in {
+  options.lab.networking.allowDMZConnectivity = lib.mkOption {
+    default = false;
+    type = lib.types.bool;
+    description = ''
+      Whether to create a networking interface on the DMZ bridge.
+    '';
  };

-  systemd.network = {
-    enable = true;
-
-    netdevs = {
-      "20-vlandmz" = {
-        vlanConfig.Id = 30;
-
-        netdevConfig = {
-          Kind = "vlan";
-          Name = "vlandmz";
-        };
-      };
-
-      "20-bridgedmz" = {
-        netdevConfig = {
-          Kind = "bridge";
-          Name = "bridgedmz";
-        };
-      };
+  config = {
+    networking = {
+      domain = "hyp";
+      firewall.enable = true;
+      useDHCP = false;
    };

-    networks = {
-      "30-main-nic" = {
-        matchConfig.Name = "en*";
-        vlan = [ "vlandmz" ];
+    systemd.network = {
+      enable = true;

-        networkConfig = {
-          DHCP = "yes";
+      netdevs = {
+        "20-vlandmz" = {
+          vlanConfig.Id = 30;
+
+          netdevConfig = {
+            Kind = "vlan";
+            Name = "vlandmz";
+          };
+        };
+
+        "20-bridgedmz" = {
+          netdevConfig = {
+            Kind = "bridge";
+            Name = "bridgedmz";
+          };
        };
      };

-      "40-vlandmz" = {
-        matchConfig.Name = "vlandmz";
-        linkConfig.RequiredForOnline = "enslaved";
+      networks = {
+        "30-main-nic" = {
+          matchConfig.Name = "en*";
+          vlan = [ "vlandmz" ];

-        networkConfig = {
-          IPv6AcceptRA = false;
-          LinkLocalAddressing = "no";
-          Bridge = "bridgedmz";
+          networkConfig = {
+            DHCP = "yes";
+          };
        };
-      };

-      "40-bridgedmz" = {
-        matchConfig.Name = "bridgedmz";
-        linkConfig.RequiredForOnline = "carrier";
+        "40-vlandmz" = {
+          matchConfig.Name = "vlandmz";
+          linkConfig.RequiredForOnline = "enslaved";

-        networkConfig = {
-          IPv6AcceptRA = false;
-          LinkLocalAddressing = "no";
+          networkConfig = {
+            IPv6AcceptRA = false;
+            LinkLocalAddressing = "no";
+            Bridge = "bridgedmz";
+          };
+        };
+
+        "40-bridgedmz" = {
+          matchConfig.Name = "bridgedmz";
+          linkConfig.RequiredForOnline = "carrier";
+
+          networkConfig = {
+            IPv6AcceptRA = false;
+            LinkLocalAddressing = "no";
+            DHCP = lib.mkIf cfg.allowDMZConnectivity "yes";
+          };
        };
      };
    };