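{ lib, config, machine, ... }:
# Lab networking module: declares the `lab.networking` option surface and, on
# physical hosts, builds a tagged DMZ VLAN on the main NIC and a bridge that
# VM interfaces are enslaved to. Non-physical machines only get the shared
# firewall/nftables/domain settings.
let
  cfg = config.lab.networking;
  dmzBridge = cfg.dmz.bridgeName;
  # Whether the host itself may take addresses (and therefore reach / be
  # reached) on the DMZ bridge. Defaults to false so the hypervisor stays
  # off the DMZ L2 domain unless explicitly opted in.
  hostOnDmz = cfg.dmz.allowConnectivity;
in
{
  imports = [ ./dmz_services ];

  options.lab.networking = {
    dmz = {
      allowConnectivity = lib.mkOption {
        default = false;
        type = lib.types.bool;
        description = ''
          Whether to allow networking on the DMZ bridge interface.
        '';
      };
      bridgeName = lib.mkOption {
        default = "bridgedmz";
        type = lib.types.str;
        description = ''
          The name of the DMZ bridge.
        '';
      };
    };
    mainNicNamePattern = lib.mkOption {
      default = "en*";
      type = lib.types.str;
      description = ''
        Pattern to match the name of this machine's main NIC.
      '';
    };
  };

  config = {
    networking = {
      # Physical hosts are hypervisors ("hyp"); everything else lives in the DMZ.
      domain = if machine.type == "physical" then "hyp" else "dmz";
      nftables.enable = true;
      # Per-link addressing is handled by systemd-networkd below, not the
      # legacy global DHCP client.
      useDHCP = false;
      firewall = {
        enable = true;
        # NOTE(review): disabling the reverse-path check turns off the kernel's
        # source-address spoofing filter on every interface, including the
        # DMZ bridge. Confirm it is actually needed for this bridge/VLAN
        # layout; if only asymmetric paths are the problem, "loose" keeps most
        # of the protection.
        checkReversePath = false;
      };
    };

    systemd.network = lib.mkIf (machine.type == "physical") {
      enable = true;

      netdevs = {
        # 802.1Q VLAN carrying DMZ traffic on top of the main NIC.
        "20-vlandmz" = {
          vlanConfig.Id = 30;
          netdevConfig = {
            Kind = "vlan";
            Name = "vlandmz";
          };
        };
        # L2 bridge that joins the DMZ VLAN with the VM interfaces.
        "20-bridgedmz" = {
          netdevConfig = {
            Kind = "bridge";
            Name = dmzBridge;
          };
        };
      };

      networks = {
        # Main uplink: untagged traffic gets a lease, VLAN 30 is stacked on it.
        "30-main-nic" = {
          matchConfig.Name = cfg.mainNicNamePattern;
          vlan = [ "vlandmz" ];
          networkConfig = {
            DHCP = "yes";
          };
        };

        # The VLAN netdev is a pure bridge port: no addresses of its own.
        "40-vlandmz" = {
          matchConfig.Name = "vlandmz";
          linkConfig.RequiredForOnline = "enslaved";
          networkConfig = {
            IPv6AcceptRA = false;
            LinkLocalAddressing = "no";
            Bridge = dmzBridge;
          };
        };

        # The bridge itself. Every address-acquiring mechanism is gated on
        # allowConnectivity so that the host has no DMZ address at all unless
        # opted in. Previously DHCP stayed "yes" regardless, so the hypervisor
        # still obtained a DMZ IPv4 lease with allowConnectivity = false.
        "40-bridgedmz" = {
          matchConfig.Name = dmzBridge;
          linkConfig.RequiredForOnline = "carrier";
          networkConfig = {
            IPv6AcceptRA = hostOnDmz;
            LinkLocalAddressing = if hostOnDmz then "ipv6" else "no";
            DHCP = if hostOnDmz then "yes" else "no";
          };
        };

        # Any interface named vm-* is enslaved to the DMZ bridge, i.e. every
        # VM tap created with that prefix lands in the DMZ L2 domain.
        "40-vms" = {
          matchConfig.Name = "vm-*";
          networkConfig.Bridge = dmzBridge;
        };
      };
    };
  };
}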