feat(router0-dmz0,sj-srv1): use bridged macvlan as main dmz interface
this allows guest VMs to communicate with the host via their macvtap connection.
This commit is contained in:
parent
84b473d38c
commit
7d0515d6f0
2 changed files with 44 additions and 6 deletions
|
|
@ -87,13 +87,16 @@
|
||||||
then bridgeInterfaceName
|
then bridgeInterfaceName
|
||||||
else "${bridgeInterfaceName}.${toString vlanid}";
|
else "${bridgeInterfaceName}.${toString vlanid}";
|
||||||
|
|
||||||
dmzExposedHost = "sj-srv1.dmz.internal";
|
dmzExposedHost = "sj-srv1";
|
||||||
|
dmzExposedHostDomain = "dmz.internal";
|
||||||
|
dmzExposedHostFQDN = "${dmzExposedHost}.${dmzExposedHostDomain}";
|
||||||
dmzExposedHostIpv4 = mkVlanIpv4HostAddr {
|
dmzExposedHostIpv4 = mkVlanIpv4HostAddr {
|
||||||
vlanid = vlansByName.dmz.id;
|
vlanid = vlansByName.dmz.id;
|
||||||
host = 99;
|
host = 99;
|
||||||
cidr = false;
|
cidr = false;
|
||||||
};
|
};
|
||||||
# "sj-srv1.dmz.internal";
|
|
||||||
|
dmzExposedHostMACaddr = repoFlake.nixosConfigurations.${dmzExposedHost}.config.systemd.network.netdevs."10-dmz0".netdevConfig.MACAddress;
|
||||||
in {
|
in {
|
||||||
imports = [
|
imports = [
|
||||||
nixos-sbc.nixosModules.default
|
nixos-sbc.nixosModules.default
|
||||||
|
|
@ -1126,8 +1129,11 @@ in {
|
||||||
)
|
)
|
||||||
vlanRangeWith0;
|
vlanRangeWith0;
|
||||||
|
|
||||||
# TODO: double-check that this works
|
dhcp-host = builtins.concatStringsSep "," [
|
||||||
dhcp-host = "1c:69:7a:07:08:5f,${dmzExposedHostIpv4},${dmzExposedHost}";
|
dmzExposedHostMACaddr
|
||||||
|
dmzExposedHostIpv4
|
||||||
|
dmzExposedHostFQDN
|
||||||
|
];
|
||||||
|
|
||||||
expand-hosts = true;
|
expand-hosts = true;
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -25,12 +25,12 @@
|
||||||
networking.usePredictableInterfaceNames = false;
|
networking.usePredictableInterfaceNames = false;
|
||||||
|
|
||||||
networking.useNetworkd = true;
|
networking.useNetworkd = true;
|
||||||
networking.useDHCP = true;
|
networking.useDHCP = false;
|
||||||
|
|
||||||
networking.nat = {
|
networking.nat = {
|
||||||
enable = true;
|
enable = true;
|
||||||
externalInterface = "eth0";
|
|
||||||
internalInterfaces = ["br0"];
|
internalInterfaces = ["br0"];
|
||||||
|
externalInterface = "dmz0";
|
||||||
};
|
};
|
||||||
|
|
||||||
networking.bridges = {
|
networking.bridges = {
|
||||||
|
|
@ -49,8 +49,40 @@
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
systemd.network.netdevs."10-dmz0" = {
|
||||||
|
enable = true;
|
||||||
|
netdevConfig = {
|
||||||
|
Name = "dmz0";
|
||||||
|
Kind = "macvlan";
|
||||||
|
MACAddress = "1c:69:7a:07:08:6f";
|
||||||
|
};
|
||||||
|
|
||||||
|
macvlanConfig = {
|
||||||
|
Mode = "bridge";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd.network.networks."20-eth0" = {
|
||||||
|
enable = true;
|
||||||
|
matchConfig.Name = "eth0";
|
||||||
|
|
||||||
|
# TODO: i'm not sure if and if so why this is required
|
||||||
|
macvlan = [
|
||||||
|
"dmz0"
|
||||||
|
];
|
||||||
|
|
||||||
|
DHCP = "no";
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd.network.networks."30-dmz0" = {
|
||||||
|
enable = true;
|
||||||
|
matchConfig.Name = "dmz0";
|
||||||
|
DHCP = "yes";
|
||||||
|
};
|
||||||
|
|
||||||
boot.kernel.sysctl = {
|
boot.kernel.sysctl = {
|
||||||
"net.ipv4.ip_forward" = 1;
|
"net.ipv4.ip_forward" = 1;
|
||||||
|
"net.ipv6.ip_forward" = 1;
|
||||||
};
|
};
|
||||||
|
|
||||||
# virtualization
|
# virtualization
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue