{ lib, config, machine, ... }: let cfg = config.lab.networking; in { imports = [ ./dmz_services ]; options.lab.networking = { dmz = { allowConnectivity = lib.mkOption { default = false; type = lib.types.bool; description = '' Whether to allow networking on the DMZ bridge interface. ''; }; bridgeName = lib.mkOption { default = "bridgedmz"; type = lib.types.str; description = '' The name of the DMZ bridge. ''; }; }; staticNetworking = lib.mkOption { default = false; type = lib.types.bool; description = '' Whether this machine has static networking configuration applied. Routing is prepopulated, but IP addresses have to be set. ''; }; staticIPv4 = lib.mkOption { type = lib.types.str; description = '' Static IPv4 address for the machine. ''; }; staticIPv6 = lib.mkOption { type = lib.types.str; description = '' Static IPv6 address for the machine. ''; }; }; config = { networking = { domain = if machine.isPhysical then "hyp" else "dmz"; nftables.enable = true; useDHCP = false; firewall = { enable = true; checkReversePath = false; }; }; systemd.network = { enable = true; netdevs = lib.mkIf machine.isHypervisor { "20-vlandmz" = { vlanConfig.Id = 30; netdevConfig = { Kind = "vlan"; Name = "vlandmz"; }; }; "20-bridgedmz" = { netdevConfig = { Kind = "bridge"; Name = cfg.dmz.bridgeName; }; }; }; networks = lib.attrsets.mergeAttrsList [ (lib.optionalAttrs machine.isHypervisor { "30-main-nic" = { matchConfig.Name = "en*"; vlan = [ "vlandmz" ]; networkConfig = { DHCP = "yes"; }; }; "40-vlandmz" = { matchConfig.Name = "vlandmz"; linkConfig.RequiredForOnline = "enslaved"; networkConfig = { IPv6AcceptRA = false; LinkLocalAddressing = "no"; Bridge = cfg.dmz.bridgeName; }; }; "40-bridgedmz" = { matchConfig.Name = cfg.dmz.bridgeName; linkConfig.RequiredForOnline = "carrier"; networkConfig = { IPv6AcceptRA = cfg.dmz.allowConnectivity; LinkLocalAddressing = if cfg.dmz.allowConnectivity then "ipv6" else "no"; DHCP = "yes"; }; }; "40-vms" = { matchConfig.Name = "vm-*"; networkConfig.Bridge = cfg.dmz.bridgeName; }; }) (lib.optionalAttrs machine.isVirtual { "30-main-nic" = { matchConfig.Name = "en*"; networkConfig = { IPv6AcceptRA = ! cfg.staticNetworking; DHCP = lib.mkIf (! cfg.staticNetworking) "yes"; Address = lib.mkIf cfg.staticNetworking [ "${cfg.staticIPv4}/${cfg.dmz.ipv4.prefixLength}" "${cfg.staticIPv6}/${cfg.dmz.ipv6.prefixLength}" ]; DNS = lib.mkIf cfg.staticNetworking [ cfg.dmz.ipv4.router cfg.dmz.ipv6.router ]; }; routes = lib.mkIf cfg.staticNetworking [ { routeConfig = { Gateway = cfg.dmz.ipv4.router; Destination = "0.0.0.0/0"; }; } { routeConfig = { Gateway = cfg.dmz.ipv6.router; Destination = "::/0"; }; } ]; }; }) (lib.optionalAttrs machine.isRaspberryPi { "30-main-nic" = { matchConfig.Name = "end*"; networkConfig = { IPv6AcceptRA = true; DHCP = "yes"; }; }; }) ]; }; }; }