nixos/stream: Initial working config
		@@ -1,20 +1,27 @@
 | 
			
		||||
{ index, name }: { lib, ... }:
 | 
			
		||||
index: { lib, ... }:
 | 
			
		||||
let
 | 
			
		||||
  inherit (builtins) elemAt;
 | 
			
		||||
  inherit (lib.my) net;
 | 
			
		||||
  inherit (lib.my.c.home) domain vlans prefixes;
 | 
			
		||||
  inherit (lib.my.c) pubDomain;
 | 
			
		||||
  inherit (lib.my.c.home) domain vlans prefixes routers;
 | 
			
		||||
 | 
			
		||||
  name = elemAt routers index;
 | 
			
		||||
in
 | 
			
		||||
{
 | 
			
		||||
  nixos.systems."${name}" = {
 | 
			
		||||
    assignments = {
 | 
			
		||||
      modem = {
 | 
			
		||||
        ipv4.address = net.cidr.host (254 - index) prefixes.modem.v4;
 | 
			
		||||
        ipv4 = {
 | 
			
		||||
          address = net.cidr.host (254 - index) prefixes.modem.v4;
 | 
			
		||||
          gateway = null;
 | 
			
		||||
        };
 | 
			
		||||
      };
 | 
			
		||||
      core = {
 | 
			
		||||
        name = "${name}-core";
 | 
			
		||||
        inherit domain;
 | 
			
		||||
        ipv4 = {
 | 
			
		||||
          address = net.cidr.host (index + 1) prefixes.core.v4;
 | 
			
		||||
          mask = 24;
 | 
			
		||||
          gateway = null;
 | 
			
		||||
        };
 | 
			
		||||
      };
 | 
			
		||||
      hi = {
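Review bot: `name = elemAt routers index;` in the new let block fails with a bare builtins error when index is not below the length of routers, which makes a mis-numbered import hard to diagnose. A guarded form keeps the failure explicit: `name = assert lib.assertMsg (index < builtins.length routers) "router index ${toString index} out of range"; elemAt routers index;`. The same index also drives the modem host offset `254 - index` and the core offset `index + 1`, so a comment stating that index is the position in lib.my.c.home.routers would help readers; the let block's consumers continue past this hunk.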
 | 
			
		||||
@@ -77,6 +84,8 @@ in
 | 
			
		||||
            };
 | 
			
		||||
          };
 | 
			
		||||
 | 
			
		||||
          networking.domain = "h.${pubDomain}";
 | 
			
		||||
 | 
			
		||||
          systemd.network = {
 | 
			
		||||
            wait-online.enable = false;
 | 
			
		||||
            config = {
 | 
			
		||||
@@ -109,36 +118,23 @@ in
 | 
			
		||||
                };
 | 
			
		||||
              }
 | 
			
		||||
 | 
			
		||||
              (mkVLAN "hi" vlans.hi)
 | 
			
		||||
              (mkVLAN "lo" vlans.lo)
 | 
			
		||||
              (mkVLAN "untrusted" vlans.untrusted)
 | 
			
		||||
              (mkVLAN "lan-hi" vlans.hi)
 | 
			
		||||
              (mkVLAN "lan-lo" vlans.lo)
 | 
			
		||||
              (mkVLAN "lan-untrusted" vlans.untrusted)
 | 
			
		||||
              (mkVLAN "wan-tunnel" vlans.wan)
 | 
			
		||||
            ];
 | 
			
		||||
 | 
			
		||||
            links = {
 | 
			
		||||
              "10-lan-jim" = {
 | 
			
		||||
                matchConfig = {
 | 
			
		||||
                  # Matching against MAC address seems to break VLAN interfaces
 | 
			
		||||
                  # (since they share the same MAC address)
 | 
			
		||||
                  Driver = "igb";
 | 
			
		||||
                  Path = "pci-0000:01:00.0";
 | 
			
		||||
                };
 | 
			
		||||
                linkConfig = {
 | 
			
		||||
                  Name = "lan-jim";
 | 
			
		||||
                  RxBufferSize = 4096;
 | 
			
		||||
                  TxBufferSize = 4096;
 | 
			
		||||
                  MTUBytes = toString lib.my.c.home.hiMTU;
 | 
			
		||||
                };
 | 
			
		||||
              };
 | 
			
		||||
            };
 | 
			
		||||
 | 
			
		||||
            networks =
 | 
			
		||||
            let
 | 
			
		||||
              mkVLANConfig = name: {
 | 
			
		||||
                "60-${name}" = mkMerge [
 | 
			
		||||
                  (networkdAssignment name assignments.hi)
 | 
			
		||||
              mkVLANConfig = name: mtu:
 | 
			
		||||
              let
 | 
			
		||||
                iface = "lan-${name}";
 | 
			
		||||
              in
 | 
			
		||||
              {
 | 
			
		||||
                "60-${iface}" = mkMerge [
 | 
			
		||||
                  (networkdAssignment iface assignments."${name}")
 | 
			
		||||
                  {
 | 
			
		||||
                    dns = [ "127.0.0.1" "::1" ];
 | 
			
		||||
                    linkConfig.MTUBytes = toString mtu;
 | 
			
		||||
                    domains = [ config.networking.domain ];
 | 
			
		||||
                    networkConfig = {
 | 
			
		||||
                      IPv6AcceptRA = mkForce false;
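Review bot: The new mtu parameter of mkVLANConfig (`linkConfig.MTUBytes = toString mtu;`) is fed the literal 9000 for the hi VLAN at the call site in a later hunk (`(mkVLANConfig "hi" 9000)`), while the parent links elsewhere in this commit use `toString lib.my.c.home.hiMTU`. If hiMTU ever differs from 9000 the VLAN MTU can exceed its parent's and networkd will fail to apply it; passing `lib.my.c.home.hiMTU` at that call site keeps a single source of truth. mkVLANConfig's body and the enclosing networks attribute continue outside this hunk.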
 | 
			
		||||
@@ -171,12 +167,14 @@ in
 | 
			
		||||
                "50-wan-tunnel" = {
 | 
			
		||||
                  matchConfig.Name = "wan-tunnel";
 | 
			
		||||
                  networkConfig.Bridge = "wan";
 | 
			
		||||
                  linkConfig.MTUBytes = "1500";
 | 
			
		||||
                };
 | 
			
		||||
                "50-wan" = mkMerge [
 | 
			
		||||
                  (networkdAssignment "wan" assignments.modem)
 | 
			
		||||
                  {
 | 
			
		||||
                    matchConfig.Name = "wan";
 | 
			
		||||
                    DHCP = "ipv4";
 | 
			
		||||
                    dns = [ "127.0.0.1" "::1" ];
 | 
			
		||||
                    dhcpV4Config.UseDNS = false;
 | 
			
		||||
                    routes = map (r: { routeConfig = r; }) [
 | 
			
		||||
                      # {
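Review bot: `DHCP = "ipv4";` on the wan network accepts leases from an untrusted upstream server, and only `dhcpV4Config.UseDNS = false;` is set, so the lease can still rewrite the host's transient hostname and, where timesyncd is used, its NTP servers. Consider `dhcpV4Config = { UseDNS = false; UseHostname = false; UseNTP = false; };` so the WAN lease only supplies address and routes, assuming NTP is configured elsewhere. The static `networkdAssignment "wan" assignments.modem` alongside DHCP is presumably for reaching the modem on its own prefix; a one-line comment saying so would help. The network block continues past the end of this hunk.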
 | 
			
		||||
@@ -195,15 +193,19 @@ in
 | 
			
		||||
                  matchConfig.Name = "lan-dave";
 | 
			
		||||
                  networkConfig.Bridge = "lan";
 | 
			
		||||
                };
 | 
			
		||||
                "55-lan" = {
 | 
			
		||||
                  matchConfig.Name = "lan";
 | 
			
		||||
                  vlan = [ "hi" "lo" "untrusted" ];
 | 
			
		||||
                };
 | 
			
		||||
                "55-lan" = mkMerge [
 | 
			
		||||
                  (networkdAssignment "lan" assignments.core)
 | 
			
		||||
                  {
 | 
			
		||||
                    matchConfig.Name = "lan";
 | 
			
		||||
                    vlan = [ "lan-hi" "lan-lo" "lan-untrusted" "wan-tunnel" ];
 | 
			
		||||
                    networkConfig.IPv6AcceptRA = mkForce false;
 | 
			
		||||
                  }
 | 
			
		||||
                ];
 | 
			
		||||
              }
 | 
			
		||||
 | 
			
		||||
              (mkVLANConfig "hi")
 | 
			
		||||
              (mkVLANConfig "lo")
 | 
			
		||||
              (mkVLANConfig "untrusted")
 | 
			
		||||
              (mkVLANConfig "hi" 9000)
 | 
			
		||||
              (mkVLANConfig "lo" 1500)
 | 
			
		||||
              (mkVLANConfig "untrusted" 1500)
 | 
			
		||||
            ];
 | 
			
		||||
          };
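Review bot: `55-lan` now carries an address from assignments.core, but the core-side `lan` interface is neither in `trustedInterfaces = [ "lan-hi" "lan-lo" ]` (later hunk) nor matched by the forward rules `iifname { wan, lan-untrusted } oifname { lan-hi, lan-lo } jump filter-routing` in the nftables hunk, so whether hosts on the core prefix can be forwarded anywhere depends on the forward chain's default policy, which is outside these hunks. If that policy is drop, a short comment saying core is management-only would document the intent; if it is accept, core needs an explicit rule. Adding `wan-tunnel` to the vlan list also trunks WAN traffic over the same physical link as the LAN VLANs, which presumably relies on the switch port configuration to keep the vlans.wan tag isolated, and deserves a comment too. The networks attribute continues outside this hunk.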
 | 
			
		||||
 | 
			
		||||
@@ -217,7 +219,7 @@ in
 | 
			
		||||
            };
 | 
			
		||||
 | 
			
		||||
            firewall = {
 | 
			
		||||
              trustedInterfaces = [ "hi" "lo" ];
 | 
			
		||||
              trustedInterfaces = [ "lan-hi" "lan-lo" ];
 | 
			
		||||
              udp.allowed = [ 5353 ];
 | 
			
		||||
              tcp.allowed = [ 5353 ];
 | 
			
		||||
              nat = {
 | 
			
		||||
@@ -266,8 +268,8 @@ in
 | 
			
		||||
                  }
 | 
			
		||||
 | 
			
		||||
                  chain forward {
 | 
			
		||||
                    iifname untrusted jump filter-untrusted
 | 
			
		||||
                    iifname { wan, untrusted } oifname { hi, lo } jump filter-routing
 | 
			
		||||
                    iifname lan-untrusted jump filter-untrusted
 | 
			
		||||
                    iifname { wan, lan-untrusted } oifname { lan-hi, lan-lo } jump filter-routing
 | 
			
		||||
                  }
 | 
			
		||||
                  chain output { }
 | 
			
		||||
                }
 | 
			
		||||
 
 | 
			
		||||
@@ -43,7 +43,7 @@ in
 | 
			
		||||
 | 
			
		||||
        settings = {
 | 
			
		||||
          query-local-address = [
 | 
			
		||||
            # TODO: IPv4 WAN address?
 | 
			
		||||
            # TODO: Dynamic IPv4 WAN address?
 | 
			
		||||
            # assignments.internal.ipv4.address
 | 
			
		||||
            # assignments.internal.ipv6.address
 | 
			
		||||
            # assignments.hi.ipv6.address
 | 
			
		||||
@@ -108,12 +108,22 @@ in
 | 
			
		||||
 | 
			
		||||
            @ IN NS ns1
 | 
			
		||||
            @ IN NS ns2
 | 
			
		||||
            # TODO: WAN?
 | 
			
		||||
            ; TODO: WAN?
 | 
			
		||||
            ns1 IN A ${net.cidr.host 1 prefixes.hi.v4}
 | 
			
		||||
            ns2 IN A ${net.cidr.host 2 prefixes.hi.v4}
 | 
			
		||||
            ns1 IN AAAA ${net.cidr.host 1 prefixes.hi.v6}
 | 
			
		||||
            ns2 IN AAAA ${net.cidr.host 2 prefixes.hi.v6}
 | 
			
		||||
 | 
			
		||||
            jim-core IN A ${net.cidr.host 10 prefixes.core.v4}
 | 
			
		||||
            jim IN A ${net.cidr.host 10 prefixes.hi.v4}
 | 
			
		||||
            jim-lo IN A ${net.cidr.host 10 prefixes.lo.v4}
 | 
			
		||||
 | 
			
		||||
            dave-core IN A ${net.cidr.host 11 prefixes.core.v4}
 | 
			
		||||
            dave IN A ${net.cidr.host 11 prefixes.hi.v4}
 | 
			
		||||
            dave-lo IN A ${net.cidr.host 11 prefixes.lo.v4}
 | 
			
		||||
 | 
			
		||||
            ups IN A ${net.cidr.host 20 prefixes.lo.v4}
 | 
			
		||||
 | 
			
		||||
            ${lib.my.dns.fwdRecords {
 | 
			
		||||
              inherit allAssignments names;
 | 
			
		||||
              domain = config.networking.domain;
 | 
			
		||||
 
 | 
			
		||||
@@ -1,10 +1,5 @@
 | 
			
		||||
{
 | 
			
		||||
  imports = [
 | 
			
		||||
    (import ./routing-common {
 | 
			
		||||
      index = 1;
 | 
			
		||||
      name = "stream";
 | 
			
		||||
    })
 | 
			
		||||
  ];
 | 
			
		||||
  imports = [ (import ./routing-common 1) ];
 | 
			
		||||
 | 
			
		||||
  config.nixos.systems.stream = {
 | 
			
		||||
    system = "x86_64-linux";
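Review bot: `imports = [ (import ./routing-common 1) ];` replaces the named import with a bare positional index, and nothing in this file says what 1 selects. A comment such as `# position of this host in lib.my.c.home.routers (selects the name and address offsets)` keeps the coupling to the list order visible; an off-by-one here silently produces another router's identity rather than an evaluation error.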
 | 
			
		||||
@@ -18,7 +13,9 @@
 | 
			
		||||
    {
 | 
			
		||||
      config = {
 | 
			
		||||
        boot = {
 | 
			
		||||
          kernelModules = [ "kvm-intel" ];
 | 
			
		||||
          kernelParams = [ "intel_iommu=on" ];
 | 
			
		||||
          initrd.availableKernelModules = [ "xhci_pci" "usbhid" "usb_storage" "sd_mod" "sdhci_pci" ];
 | 
			
		||||
        };
 | 
			
		||||
 | 
			
		||||
        hardware = {
 | 
			
		||||
@@ -30,25 +27,83 @@
 | 
			
		||||
 | 
			
		||||
        fileSystems = {
 | 
			
		||||
          "/boot" = {
 | 
			
		||||
            device = "/dev/disk/by-label/ESP";
 | 
			
		||||
            device = "/dev/disk/by-partuuid/fe081885-9157-46b5-be70-46ac6fcb4069";
 | 
			
		||||
            fsType = "vfat";
 | 
			
		||||
          };
 | 
			
		||||
          "/nix" = {
 | 
			
		||||
            device = "/dev/disk/by-label/nix";
 | 
			
		||||
            device = "/dev/disk/by-partuuid/a195e55e-397f-440d-a190-59ffa63cdb3f";
 | 
			
		||||
            fsType = "ext4";
 | 
			
		||||
          };
 | 
			
		||||
          "/persist" = {
 | 
			
		||||
            device = "/dev/disk/by-label/persist";
 | 
			
		||||
            device = "/dev/disk/by-partuuid/ad71fafd-2d26-49c8-b0cb-794a28e0beb7";
 | 
			
		||||
            fsType = "ext4";
 | 
			
		||||
            neededForBoot = true;
 | 
			
		||||
          };
 | 
			
		||||
        };
 | 
			
		||||
 | 
			
		||||
        systemd.network = {
 | 
			
		||||
          links = {
 | 
			
		||||
            "10-wan-phy" = {
 | 
			
		||||
              matchConfig = {
 | 
			
		||||
                # Matching against MAC address seems to break VLAN interfaces
 | 
			
		||||
                # (since they share the same MAC address)
 | 
			
		||||
                Driver = "igc";
 | 
			
		||||
                PermanentMACAddress = "00:f0:cb:ee:ca:dd";
 | 
			
		||||
              };
 | 
			
		||||
              linkConfig = {
 | 
			
		||||
                Name = "wan-phy";
 | 
			
		||||
                RxBufferSize = 4096;
 | 
			
		||||
                TxBufferSize = 4096;
 | 
			
		||||
              };
 | 
			
		||||
            };
 | 
			
		||||
            "10-lan-jim" = {
 | 
			
		||||
              matchConfig = {
 | 
			
		||||
                Driver = "igc";
 | 
			
		||||
                PermanentMACAddress = "00:f0:cb:ee:ca:de";
 | 
			
		||||
              };
 | 
			
		||||
              linkConfig = {
 | 
			
		||||
                Name = "lan-jim";
 | 
			
		||||
                MTUBytes = toString lib.my.c.home.hiMTU;
 | 
			
		||||
              };
 | 
			
		||||
            };
 | 
			
		||||
            "10-et2" = {
 | 
			
		||||
              matchConfig = {
 | 
			
		||||
                Driver = "igc";
 | 
			
		||||
                PermanentMACAddress = "00:f0:cb:ee:ca:df";
 | 
			
		||||
              };
 | 
			
		||||
              linkConfig.Name = "et2";
 | 
			
		||||
            };
 | 
			
		||||
 | 
			
		||||
            "10-lan-dave" = {
 | 
			
		||||
              matchConfig = {
 | 
			
		||||
                Driver = "mlx4_en";
 | 
			
		||||
                PermanentMACAddress = "00:02:c9:d5:b1:d6";
 | 
			
		||||
              };
 | 
			
		||||
              linkConfig = {
 | 
			
		||||
                Name = "lan-dave";
 | 
			
		||||
                MTUBytes = toString lib.my.c.home.hiMTU;
 | 
			
		||||
              };
 | 
			
		||||
            };
 | 
			
		||||
            "10-et5" = {
 | 
			
		||||
              matchConfig = {
 | 
			
		||||
                Driver = "mlx4_en";
 | 
			
		||||
                PermanentMACAddress = "00:02:c9:d5:b1:d7";
 | 
			
		||||
              };
 | 
			
		||||
              linkConfig.Name = "et5";
 | 
			
		||||
            };
 | 
			
		||||
          };
 | 
			
		||||
        };
 | 
			
		||||
 | 
			
		||||
        services = {
 | 
			
		||||
          pdns-recursor.settings.query-local-address = [ "109.255.252.104" ];
 | 
			
		||||
        };
 | 
			
		||||
 | 
			
		||||
        my = {
 | 
			
		||||
          secrets = {
 | 
			
		||||
            # key = "ssh-ed25519 ";
 | 
			
		||||
            key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPYTB4zeAqotrEJ8M+AiGm/s9PFsWlAodz3hYSROGuDb";
 | 
			
		||||
          };
 | 
			
		||||
          server.enable = true;
 | 
			
		||||
          deploy.node.hostname = "109.255.252.104";
 | 
			
		||||
        };
 | 
			
		||||
      };
 | 
			
		||||
    };
 | 
			
		||||
 
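Review bot: The comment carried into `10-wan-phy` (`# Matching against MAC address seems to break VLAN interfaces`) now sits directly above `PermanentMACAddress = "00:f0:cb:ee:ca:dd";`, which contradicts it; presumably the combination of `Driver = "igc"` and the permanent hardware address, rather than `MACAddress=`, is what avoids matching the VLAN devices, so confirm that and reword it, e.g. `# Match on Driver + PermanentMACAddress rather than MACAddress, which VLAN devices share with their parent`. The public WAN address appears twice as a literal (`pdns-recursor.settings.query-local-address` and `deploy.node.hostname`) while the shared config enables DHCP on wan and still carries a `TODO: Dynamic IPv4 WAN address?`; binding it once in a let or a lib constant would keep the two from drifting, and the recursor would presumably fail to bind if the lease ever changed. Deploying via that WAN address also means management SSH is reachable from the internet side, so the input chain (not in this diff) is what must restrict it.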
 | 
			
		||||