From 84b473d38cb34c32c4a9a02a8b3d633ecc209826 Mon Sep 17 00:00:00 2001
From: Stefan Junker
Date: Sat, 24 Aug 2024 00:16:29 +0200
Subject: [PATCH 1/2] feat(sj-srv1): switch to hostBridge set up the hostside veth interfaces seem to be buggy and this is more efficient anyway.
---
 nix/os/containers/mailserver.nix | 3 ++-
 nix/os/containers/syncthing.nix | 3 ++-
 nix/os/containers/webserver.nix | 3 ++-
 nix/os/devices/sj-srv1/system.nix | 36 ++++++++++++++++++++++++-------
 4 files changed, 34 insertions(+), 11 deletions(-)
diff --git a/nix/os/containers/mailserver.nix b/nix/os/containers/mailserver.nix
index b906d8b..c821bf4 100644
--- a/nix/os/containers/mailserver.nix
+++ b/nix/os/containers/mailserver.nix
@@ -1,5 +1,6 @@
 {
 specialArgs,
+ hostBridge,
 hostAddress,
 localAddress,
 imapsPort ? 993,
@@ -227,5 +228,5 @@
 }
 ];
- inherit hostAddress localAddress;
+ inherit hostBridge hostAddress localAddress;
 }
diff --git a/nix/os/containers/syncthing.nix b/nix/os/containers/syncthing.nix
index 12421c7..8c0ba82 100644
--- a/nix/os/containers/syncthing.nix
+++ b/nix/os/containers/syncthing.nix
@@ -1,5 +1,6 @@
 {
 specialArgs,
+ hostBridge,
 hostAddress,
 localAddress,
 syncthingPort ? 22000,
@@ -56,5 +57,5 @@
 }
 ];
- inherit hostAddress localAddress;
+ inherit hostBridge hostAddress localAddress;
 }
diff --git a/nix/os/containers/webserver.nix b/nix/os/containers/webserver.nix
index c2c166c..0611f60 100644
--- a/nix/os/containers/webserver.nix
+++ b/nix/os/containers/webserver.nix
@@ -1,5 +1,6 @@
 {
 specialArgs,
+ hostBridge,
 hostAddress,
 localAddress,
 httpPort,
@@ -330,5 +331,5 @@ in {
 }
 ];
- inherit hostAddress localAddress;
+ inherit hostBridge hostAddress localAddress;
 }
diff --git a/nix/os/devices/sj-srv1/system.nix b/nix/os/devices/sj-srv1/system.nix
index bd23a9e..985ed24 100644
--- a/nix/os/devices/sj-srv1/system.nix
+++ b/nix/os/devices/sj-srv1/system.nix
@@ -29,9 +29,26 @@
 networking.nat = {
 enable = true;
- internalInterfaces = ["ve-*"];
 externalInterface = "eth0";
+ internalInterfaces = ["br0"];
 };
+
+ networking.bridges = {
+ br0 = {
+ interfaces = [];
+ };
+ };
+ networking.interfaces = {
+ br0 = {
+ ipv4.addresses = [
+ {
+ address = "192.168.101.1";
+ prefixLength = 24;
+ }
+ ];
+ };
+ };
+
 boot.kernel.sysctl = {
 "net.ipv4.ip_forward" = 1;
 };
@@ -84,14 +101,15 @@
 autoStart = true;
- hostAddress = "192.168.100.10";
- localAddress = "192.168.100.11";
+ hostBridge = "br0";
+ hostAddress = "192.168.101.1";
+ localAddress = "192.168.101.10/24";
 imapsPort = 993;
 sievePort = 4190;
 };
- websrv0 =
+ webserver =
 import ../../containers/webserver.nix {
 specialArgs = {
@@ -100,8 +118,9 @@
 autoStart = true;
- hostAddress = "192.168.100.12";
- localAddress = "192.168.100.13";
+ hostBridge = "br0";
+ hostAddress = "192.168.101.1";
+ localAddress = "192.168.101.11/24";
 httpPort = 80;
 httpsPort = 443;
@@ -114,8 +133,9 @@
 };
 autoStart = true;
- hostAddress = "192.168.100.14";
- localAddress = "192.168.100.15";
+ hostBridge = "br0";
+ hostAddress = "192.168.101.1";
+ localAddress = "192.168.101.12/24";
 syncthingPort = 22000;
 };
From 7d0515d6f0f39a62b6bf738208536ee365604d15 Mon Sep 17 00:00:00 2001
From: Stefan Junker
Date: Sat, 24 Aug 2024 00:18:17 +0200
Subject: [PATCH 2/2] feat(router0-dmz0,sj-srv1): use bridged macvlan as main dmz interface this allows guest VMs to communicate with the host via their macvtap connection.
---
 nix/os/devices/router0-dmz0/configuration.nix | 14 +++++---
 nix/os/devices/sj-srv1/system.nix | 36 +++++++++++++++++++++++++++++++++++--
 2 files changed, 44 insertions(+), 6 deletions(-)
diff --git a/nix/os/devices/router0-dmz0/configuration.nix b/nix/os/devices/router0-dmz0/configuration.nix
index 4d82178..33a6ed3 100644
--- a/nix/os/devices/router0-dmz0/configuration.nix
+++ b/nix/os/devices/router0-dmz0/configuration.nix
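Review bot: The three containers now share one L2 segment with nothing between them: every container is attached to `br0` and `internalInterfaces` lists only `["br0"]`, so container-to-container traffic is switched on the bridge, whereas with the removed per-container `ve-*` pairs it was routed by the host and passed its forward chain. Nothing in this hunk constrains traffic between bridge ports (the host firewall rules are outside the hunk), so a compromised web container presumably reaches the mail and syncthing services unfiltered. If that is acceptable, state it, e.g. `# all containers share br0 and can reach each other without traversing the host firewall` above `networking.bridges`; if not, bridge-port filtering or one bridge per trust level would restore the previous isolation. A short comment on `interfaces = []` noting that the container module attaches the container veths to br0 at start would also stop a later reader from "fixing" the empty list.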
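Review bot: Renaming `websrv0` to `webserver` in the `-84,14` hunk changes the container's identity rather than a label: the container's systemd unit and its state directory are derived from that name, so any existing state kept under the old name is presumably left behind instead of migrated, and that deserves a sentence in the commit message or a comment if it is intentional. The same hunk and the `-100,8` and `-114,8` hunks now give every container the identical `hostAddress = "192.168.101.1"` (the br0 address) and a `/24` `localAddress`; a comment such as `# hostAddress is the br0 gateway; with hostBridge the localAddress carries the prefix length so the container can reach the whole subnet` would explain why the addresses no longer come in per-container pairs. The enclosing `containers` attribute set starts before the hunk.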
@@ -87,13 +87,16 @@
 then bridgeInterfaceName
 else "${bridgeInterfaceName}.${toString vlanid}";
- dmzExposedHost = "sj-srv1.dmz.internal";
+ dmzExposedHost = "sj-srv1";
+ dmzExposedHostDomain = "dmz.internal";
+ dmzExposedHostFQDN = "${dmzExposedHost}.${dmzExposedHostDomain}";
 dmzExposedHostIpv4 = mkVlanIpv4HostAddr {
 vlanid = vlansByName.dmz.id;
 host = 99;
 cidr = false;
 };
- # "sj-srv1.dmz.internal";
+
+ dmzExposedHostMACaddr = repoFlake.nixosConfigurations.${dmzExposedHost}.config.systemd.network.netdevs."10-dmz0".netdevConfig.MACAddress;
 in {
 imports = [
 nixos-sbc.nixosModules.default
@@ -1126,8 +1129,11 @@ in {
 ) vlanRangeWith0;
- # TODO: double-check that this works
- dhcp-host = "1c:69:7a:07:08:5f,${dmzExposedHostIpv4},${dmzExposedHost}";
+ dhcp-host = builtins.concatStringsSep "," [
+ dmzExposedHostMACaddr
+ dmzExposedHostIpv4
+ dmzExposedHostFQDN
+ ];
 expand-hosts = true;
diff --git a/nix/os/devices/sj-srv1/system.nix b/nix/os/devices/sj-srv1/system.nix
index 985ed24..a6498a4 100644
--- a/nix/os/devices/sj-srv1/system.nix
+++ b/nix/os/devices/sj-srv1/system.nix
@@ -25,12 +25,12 @@
 networking.usePredictableInterfaceNames = false;
 networking.useNetworkd = true;
- networking.useDHCP = true;
+ networking.useDHCP = false;
 networking.nat = {
 enable = true;
- externalInterface = "eth0";
 internalInterfaces = ["br0"];
+ externalInterface = "dmz0";
 };
 networking.bridges = {
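Review bot: `dmzExposedHostMACaddr` now resolves to the MAC of sj-srv1's `10-dmz0` macvlan (`1c:69:7a:07:08:6f`), which differs in its last byte from the literal the `-1126,8` hunk removes (`1c:69:7a:07:08:5f`), so the DHCP reservation and with it `dmzExposedHostIpv4` — the address the exposed-host forwarding points at — silently move from the physical NIC to the macvlan. That is consistent with eth0 being set to `DHCP = "no"` on sj-srv1 in the same series, but nothing in this file says so; a comment like `# MAC of sj-srv1's dmz0 macvlan, not its physical NIC; the exposed-host reservation and forwards follow that interface` above the binding would save the next reader the cross-file lookup. Deriving the value from the other host's configuration at evaluation time is the right call, since the reservation is keyed by MAC alone and a stale literal would otherwise drift unnoticed. The `let` block enclosing these bindings starts before the hunk.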
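Review bot: In the `-25,12` hunk of system.nix, `networking.useDHCP = false` together with `externalInterface = "dmz0"` appears to make the DHCP lease on the macvlan the host's only address and the only NAT egress for the containers behind br0; if that lease is not obtained there is no static fallback and the host goes dark, which the hunk does not document. A comment on `externalInterface` such as `# eth0 carries no address; dmz0 (macvlan on eth0) is the host's uplink and the NAT egress for br0` would make that dependency explicit. The `networking.bridges` block continues past the hunk.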
@@ -49,8 +49,40 @@
 };
 };
+ systemd.network.netdevs."10-dmz0" = {
+ enable = true;
+ netdevConfig = {
+ Name = "dmz0";
+ Kind = "macvlan";
+ MACAddress = "1c:69:7a:07:08:6f";
+ };
+
+ macvlanConfig = {
+ Mode = "bridge";
+ };
+ };
+
+ systemd.network.networks."20-eth0" = {
+ enable = true;
+ matchConfig.Name = "eth0";
+
+ # TODO: i'm not sure if and if so why this is required
+ macvlan = [
+ "dmz0"
+ ];
+
+ DHCP = "no";
+ };
+
+ systemd.network.networks."30-dmz0" = {
+ enable = true;
+ matchConfig.Name = "dmz0";
+ DHCP = "yes";
+ };
+
 boot.kernel.sysctl = {
 "net.ipv4.ip_forward" = 1;
+ "net.ipv6.ip_forward" = 1;
 };
 # virtualization
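Review bot: `"net.ipv6.ip_forward"` is not a Linux sysctl; IPv6 forwarding is controlled by `net.ipv6.conf.all.forwarding` (and `net.ipv6.conf.default.forwarding` for interfaces created later), so the added key is presumably rejected when sysctls are applied and IPv6 forwarding stays off — the line should read `"net.ipv6.conf.all.forwarding" = 1;`. Once forwarding is on, an interface with `accept_ra=1` ignores router advertisements, so if dmz0 is expected to autoconfigure IPv6 it also needs `accept_ra=2` (or networkd's `IPv6AcceptRA` setting); a comment next to the key would keep that from surprising the next change. The TODO on `macvlan = [ "dmz0" ]` in `20-eth0` can be resolved: that entry is networkd's `MACVLAN=` setting on the parent link, which is what instantiates the `10-dmz0` netdev on top of eth0, so replace the TODO with `# MACVLAN= on the parent link is what creates dmz0 on top of eth0; without it the netdev never comes up`. The `boot.kernel.sysctl` set is closed within the hunk.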