feat(router0-dmz0): bump pkgs, adjust VLAN ids, use SFP with quirks

This commit is contained in:
steveej 2025-02-07 11:56:00 +01:00
parent d629f4b354
commit 05973a61a5
4 changed files with 215 additions and 161 deletions


@ -43,23 +43,17 @@ let
};
vlans = {
"10".name = "mgmt";
"10".packet_priority = 0;
"2".name = "dmz";
"2".packet_priority = -5;
"11".name = "dmz";
"11".packet_priority = -5;
"3".name = "iot";
"3".packet_priority = -5;
"12".name = "iot";
"12".packet_priority = -5;
"4".name = "office";
"4".packet_priority = -10;
"13".name = "office";
"13".packet_priority = -10;
"14".name = "guests";
"14".packet_priority = 10;
"15".name = "iot2";
"15".packet_priority = -10;
"5".name = "guests";
"5".packet_priority = 10;
};
vlansByName = lib.attrsets.mapAttrs' (
@ -382,12 +376,77 @@ in
group = "systemd-network";
};
# TODO: this shouldn't be necessary _at all_
systemd.services.sfp-quirk = {
enable = true;
wantedBy = [
"network.target"
"multi-user.target"
];
requires = [
"sys-subsystem-net-devices-lan4.device"
"sys-subsystem-net-devices-eth1.device"
];
after = [
"sys-subsystem-net-devices-lan4.device"
"sys-subsystem-net-devices-eth1.device"
];
path = [
pkgs.ethtool
pkgs.iproute2
pkgs.coreutils
];
script = ''
set -xeE
ip l set dev lan4 down
ip l set dev eth1 down
sleep 0.5
ethtool -s lan4 duplex full autoneg off
ethtool -s eth1 duplex full autoneg off
sleep 0.5
ip l set dev lan4 up
ip l set dev eth1 up
echo quirk applied, fingers crossed.
'';
};
systemd.network = {
wait-online.anyInterface = true;
config.networkConfig = {
IPv4Forwarding = true;
IPv6Forwarding = true;
};
links = {
# TODO: this doesn't work, thus shoving it into a quirk service. however, there's a proper solution beyond any of this.
# "00-eth1" = {
# enable = true;
# matchConfig.Name = "eth1";
# linkConfig = {
# # BitsPerSecond = "2500M";
# Duplex= "full";
# AutoNegotiation = false;
# };
# };
# "00-lan4" = {
# enable = true;
# matchConfig.Name = "lan4@eth0";
# linkConfig = {
# # BitsPerSecond = "1000M";
# Duplex= "full";
# AutoNegotiation = false;
# };
# };
};
netdevs =
let
router0-ifog_wg0Endpoint = "${repoFlake.colmena.router0-ifog.deployment.targetHost}:${builtins.toString repoFlake.nixosConfigurations.router0-ifog.config.systemd.network.netdevs.wg0.wireguardConfig.ListenPort}";
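Review bot: `systemd.services.sfp-quirk` (the new block right after the `# TODO: this shouldn't be necessary _at all_` comment) is a root shell script that takes the DMZ port eth1 and the office port lan4 down and up with the default `Type=simple` and no ordering against `systemd-networkd.service`, which this same commit makes the manager of both ports as bridge members (`30-lan4`/`30-eth1` further down), so the targets it is wanted by do not actually wait for the link flap to finish, and networkd may re-apply its own link configuration over the forced `duplex full autoneg off` or enslave the ports while the script has them down. I would make it an explicit oneshot with `Type = "oneshot"; RemainAfterExit = true;` and pin its ordering relative to networkd — `before = [ "systemd-networkd.service" ]` if the quirk has to land before the ports are enslaved, which I cannot confirm from here and should be checked on the hardware. Since the script needs nothing beyond link administration, it should also be confined to that: `CapabilityBoundingSet = [ "CAP_NET_ADMIN" ]` with `ProtectSystem = "strict"`, `ProtectHome = true` and `PrivateTmp = true`, so a mistake in the traced script cannot touch anything else on the router. `set -x` is fine here because nothing secret is handled, but the closing `echo quirk applied, fingers crossed.` should name the ports and settings it applied so the journal is useful when the quirk misfires.
```nix
systemd.services.sfp-quirk = {
  enable = true;
  # … unchanged: wantedBy, requires/after on the lan4 and eth1 device units …
  # TODO confirm on hardware whether the quirk must land before or after networkd enslaves the ports
  before = [ "systemd-networkd.service" ];
  serviceConfig = {
    Type = "oneshot";
    RemainAfterExit = true;
    # the script only administers links; nothing else on the host should be reachable from it
    CapabilityBoundingSet = [ "CAP_NET_ADMIN" ];
    ProtectSystem = "strict";
    ProtectHome = true;
    PrivateTmp = true;
  };
  # … unchanged: path and script …
};
```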
@ -425,26 +484,24 @@ in
};
wireguardPeers = [
{
wireguardPeerConfig = {
AllowedIPs = [
# this allows all traffic to be routed through this interface
"0.0.0.0/0"
AllowedIPs = [
# this allows all traffic to be routed through this interface
"0.0.0.0/0"
# # alternatively, specific destinations could be allowed
# # alternatively, specific destinations could be allowed
# # remote peer wg addr
# "10.0.0.0/32"
# # remote peer wg addr
# "10.0.0.0/32"
# "1.1.1.1/32"
# # ifconfig.co.
# "172.67.168.106"
# "104.21.54.91"
];
PersistentKeepalive = 15;
PresharedKeyFile = builtins.toString config.sops.secrets.wg0-peer0-psk.path;
PublicKey = "/RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM=";
Endpoint = router0-ifog_wg0Endpoint;
};
# "1.1.1.1/32"
# # ifconfig.co.
# "172.67.168.106"
# "104.21.54.91"
];
PersistentKeepalive = 15;
PresharedKeyFile = builtins.toString config.sops.secrets.wg0-peer0-psk.path;
PublicKey = "/RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM=";
Endpoint = router0-ifog_wg0Endpoint;
}
];
};
@ -461,16 +518,14 @@ in
};
wireguardPeers = [
{
wireguardPeerConfig = {
AllowedIPs = [
# this allows all traffic to be routed through this interface
"0.0.0.0/0"
];
PersistentKeepalive = 15;
PresharedKeyFile = builtins.toString config.sops.secrets.wg1-peer0-psk.path;
PublicKey = "/RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM=";
Endpoint = router0-ifog_wg1Endpoint;
};
AllowedIPs = [
# this allows all traffic to be routed through this interface
"0.0.0.0/0"
];
PersistentKeepalive = 15;
PresharedKeyFile = builtins.toString config.sops.secrets.wg1-peer0-psk.path;
PublicKey = "/RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM=";
Endpoint = router0-ifog_wg1Endpoint;
}
];
};
@ -487,26 +542,24 @@ in
};
wireguardPeers = [
{
wireguardPeerConfig = {
AllowedIPs = [
# this allows all traffic to be routed through this interface
"0.0.0.0/0"
AllowedIPs = [
# this allows all traffic to be routed through this interface
"0.0.0.0/0"
# # alternatively, specific destinations could be allowed
# # alternatively, specific destinations could be allowed
# # remote peer wg addr
# "10.0.0.0/32"
# # remote peer wg addr
# "10.0.0.0/32"
# "1.1.1.1/32"
# # ifconfig.co.
# "172.67.168.106"
# "104.21.54.91"
];
PersistentKeepalive = 15;
PresharedKeyFile = builtins.toString config.sops.secrets.wg0-peer0-psk.path;
PublicKey = "/RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM=";
Endpoint = router0-hosthatch_wg0Endpoint;
};
# "1.1.1.1/32"
# # ifconfig.co.
# "172.67.168.106"
# "104.21.54.91"
];
PersistentKeepalive = 15;
PresharedKeyFile = builtins.toString config.sops.secrets.wg0-peer0-psk.path;
PublicKey = "/RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM=";
Endpoint = router0-hosthatch_wg0Endpoint;
}
];
};
@ -588,49 +641,37 @@ in
# ip rule add fwmark 101 priority 1 prohibit
routingPolicyRules = [
{
routingPolicyRuleConfig = {
FirewallMark = 100;
Priority = 30000;
Table = 100;
};
FirewallMark = 100;
Priority = 30000;
Table = 100;
}
{
routingPolicyRuleConfig = {
FirewallMark = 100;
Priority = 30001;
Table = 100;
Type = "prohibit";
};
FirewallMark = 100;
Priority = 30001;
Table = 100;
Type = "prohibit";
}
{
routingPolicyRuleConfig = {
FirewallMark = 101;
Priority = 30000;
Table = 101;
};
FirewallMark = 101;
Priority = 30000;
Table = 101;
}
{
routingPolicyRuleConfig = {
FirewallMark = 101;
Priority = 30001;
Table = 101;
Type = "prohibit";
};
FirewallMark = 101;
Priority = 30001;
Table = 101;
Type = "prohibit";
}
{
routingPolicyRuleConfig = {
FirewallMark = 102;
Priority = 30000;
Table = 102;
};
FirewallMark = 102;
Priority = 30000;
Table = 102;
}
{
routingPolicyRuleConfig = {
FirewallMark = 102;
Priority = 30001;
Table = 102;
Type = "prohibit";
};
FirewallMark = 102;
Priority = 30001;
Table = 102;
Type = "prohibit";
}
];
};
@ -649,10 +690,8 @@ in
# ip route add default via 172.16.0.1 table 101
routes = [
{
routeConfig = {
Gateway = "_dhcp4";
Table = 101;
};
Gateway = "_dhcp4";
Table = 101;
}
];
};
@ -670,16 +709,12 @@ in
# ip route add default via 192.168.0.1 table 100
routes = [
{
routeConfig = {
Gateway = "_dhcp4";
Table = 100;
};
Gateway = "_dhcp4";
Table = 100;
}
{
routeConfig = {
Gateway = "_dhcp4";
Table = 102;
};
Gateway = "_dhcp4";
Table = 102;
}
];
};
@ -695,11 +730,9 @@ in
bridgeVLANs = [
{
bridgeVLANConfig = {
VLAN = vlansByName.dmz.id;
PVID = vlansByName.dmz.id;
EgressUntagged = vlansByName.dmz.id;
};
VLAN = vlansByName.dmz.id;
PVID = vlansByName.dmz.id;
EgressUntagged = vlansByName.dmz.id;
}
];
};
@ -714,11 +747,9 @@ in
bridgeVLANs = [
{
bridgeVLANConfig = {
VLAN = vlansByName.office.id;
PVID = vlansByName.office.id;
EgressUntagged = vlansByName.office.id;
};
VLAN = vlansByName.office.id;
PVID = vlansByName.office.id;
EgressUntagged = vlansByName.office.id;
}
];
};
@ -733,9 +764,39 @@ in
bridgeVLANs = [
{
bridgeVLANConfig = {
VLAN = "${toString vlanRangeStart}-${toString vlanRangeEnd}";
};
VLAN = "${toString vlanRangeStart}-${toString vlanRangeEnd}";
}
];
};
"30-lan4" = {
matchConfig.Name = "lan4";
networkConfig = {
Bridge = bridgeInterfaceName;
ConfigureWithoutCarrier = true;
};
linkConfig.RequiredForOnline = "enslaved";
bridgeVLANs = [
{
VLAN = vlansByName.office.id;
PVID = vlansByName.office.id;
EgressUntagged = vlansByName.office.id;
}
];
};
"30-eth1" = {
matchConfig.Name = "eth1";
networkConfig = {
Bridge = bridgeInterfaceName;
ConfigureWithoutCarrier = true;
};
linkConfig.RequiredForOnline = "enslaved";
bridgeVLANs = [
{
VLAN = vlansByName.dmz.id;
PVID = vlansByName.dmz.id;
EgressUntagged = vlansByName.dmz.id;
}
];
};
@ -758,9 +819,7 @@ in
bridgeVLANs = [
{
bridgeVLANConfig = {
VLAN = "${toString vlanRangeStart}-${toString vlanRangeEnd}";
};
VLAN = "${toString vlanRangeStart}-${toString vlanRangeEnd}";
}
];
@ -774,11 +833,9 @@ in
routes = [
# {
# routeConfig = {
# # test the set uprouting to a specific IP
# Destination = "${repoFlake.colmena.sj-bm-hostkey0.deployment.targetHost}/32";
# MultiPathRoute = "10.0.0.0 1";
# };
# }
];
};
@ -788,10 +845,8 @@ in
address = [ "10.0.0.3/31" ];
routes = [
# {
# routeConfig = {
# Destination = "${repoFlake.colmena.sj-bm-hostkey0.deployment.targetHost}/32";
# MultiPathRoute = "10.0.0.2 1";
# };
# }
];
};
@ -848,9 +903,7 @@ in
bridgeVLANs = [
{
bridgeVLANConfig = {
VLAN = vlanid;
};
VLAN = vlanid;
}
];
};
@ -870,11 +923,9 @@ in
bridgeVLANs = [
{
bridgeVLANConfig = {
VLAN = vlanid;
PVID = vlanid;
EgressUntagged = vlanid;
};
VLAN = vlanid;
PVID = vlanid;
EgressUntagged = vlanid;
}
];
};
@ -1215,13 +1266,14 @@ in
};
};
system.stateVersion = "24.05";
system.stateVersion = "24.11";
# boot.kernelPackages = pkgs.linuxPackages_bpir3_6_6;
environment.systemPackages = [
pkgs.ethtool
pkgs.vim
pkgs.iperf3
pkgs.wireguard-tools
pkgs.tshark