feat(router0-dmz0,sj-srv1): use bridged macvlan as main dmz interface

this allows guest VMs to communicate with the host via their macvtap connection.
feat(sj-srv1): switch to hostBridge set up
2024-08-24 00:18:17 +02:00 · 2024-08-24 00:16:29 +02:00
5 changed files with 78 additions and 17 deletions
--- a/nix/os/containers/mailserver.nix
+++ b/nix/os/containers/mailserver.nix
@ -1,5 +1,6 @@
 {
  specialArgs,
+  hostBridge,
  hostAddress,
  localAddress,
  imapsPort ? 993,
@ -227,5 +228,5 @@
    }
  ];

-  inherit hostAddress localAddress;
+  inherit hostBridge hostAddress localAddress;
 }
--- a/nix/os/containers/syncthing.nix
+++ b/nix/os/containers/syncthing.nix
@ -1,5 +1,6 @@
 {
  specialArgs,
+  hostBridge,
  hostAddress,
  localAddress,
  syncthingPort ? 22000,
@ -56,5 +57,5 @@
    }
  ];

-  inherit hostAddress localAddress;
+  inherit hostBridge hostAddress localAddress;
 }
--- a/nix/os/containers/webserver.nix
+++ b/nix/os/containers/webserver.nix
@ -1,5 +1,6 @@
 {
  specialArgs,
+  hostBridge,
  hostAddress,
  localAddress,
  httpPort,
@ -330,5 +331,5 @@ in {
    }
  ];

-  inherit hostAddress localAddress;
+  inherit hostBridge hostAddress localAddress;
 }
--- a/nix/os/devices/router0-dmz0/configuration.nix
+++ b/nix/os/devices/router0-dmz0/configuration.nix
@ -87,13 +87,16 @@
    then bridgeInterfaceName
    else "${bridgeInterfaceName}.${toString vlanid}";

-  dmzExposedHost = "sj-srv1.dmz.internal";
+  dmzExposedHost = "sj-srv1";
+  dmzExposedHostDomain = "dmz.internal";
+  dmzExposedHostFQDN = "${dmzExposedHost}.${dmzExposedHostDomain}";
  dmzExposedHostIpv4 = mkVlanIpv4HostAddr {
    vlanid = vlansByName.dmz.id;
    host = 99;
    cidr = false;
  };
-  # "sj-srv1.dmz.internal";
+
+  dmzExposedHostMACaddr = repoFlake.nixosConfigurations.${dmzExposedHost}.config.systemd.network.netdevs."10-dmz0".netdevConfig.MACAddress;
 in {
  imports = [
    nixos-sbc.nixosModules.default
@ -1126,8 +1129,11 @@ in {
        )
        vlanRangeWith0;

-      # TODO: double-check that this works
-      dhcp-host = "1c:69:7a:07:08:5f,${dmzExposedHostIpv4},${dmzExposedHost}";
+      dhcp-host = builtins.concatStringsSep "," [
+        dmzExposedHostMACaddr
+        dmzExposedHostIpv4
+        dmzExposedHostFQDN
+      ];

      expand-hosts = true;

--- a/nix/os/devices/sj-srv1/system.nix
+++ b/nix/os/devices/sj-srv1/system.nix
@ -25,15 +25,64 @@
  networking.usePredictableInterfaceNames = false;

  networking.useNetworkd = true;
-  networking.useDHCP = true;
+  networking.useDHCP = false;

  networking.nat = {
    enable = true;
-    internalInterfaces = ["ve-*"];
-    externalInterface = "eth0";
+    internalInterfaces = ["br0"];
+    externalInterface = "dmz0";
  };
+
+  networking.bridges = {
+    br0 = {
+      interfaces = [];
+    };
+  };
+  networking.interfaces = {
+    br0 = {
+      ipv4.addresses = [
+        {
+          address = "192.168.101.1";
+          prefixLength = 24;
+        }
+      ];
+    };
+  };
+
+  systemd.network.netdevs."10-dmz0" = {
+    enable = true;
+    netdevConfig = {
+      Name = "dmz0";
+      Kind = "macvlan";
+      MACAddress = "1c:69:7a:07:08:6f";
+    };
+
+    macvlanConfig = {
+      Mode = "bridge";
+    };
+  };
+
+  systemd.network.networks."20-eth0" = {
+    enable = true;
+    matchConfig.Name = "eth0";
+
+    # TODO: i'm not sure if and if so why this is required
+    macvlan = [
+      "dmz0"
+    ];
+
+    DHCP = "no";
+  };
+
+  systemd.network.networks."30-dmz0" = {
+    enable = true;
+    matchConfig.Name = "dmz0";
+    DHCP = "yes";
+  };
+
  boot.kernel.sysctl = {
    "net.ipv4.ip_forward" = 1;
+    "net.ipv6.ip_forward" = 1;
  };

  # virtualization
@ -84,14 +133,15 @@

      autoStart = true;

-      hostAddress = "192.168.100.10";
-      localAddress = "192.168.100.11";
+      hostBridge = "br0";
+      hostAddress = "192.168.101.1";
+      localAddress = "192.168.101.10/24";

      imapsPort = 993;
      sievePort = 4190;
    };

-    websrv0 =
+    webserver =
      import ../../containers/webserver.nix
      {
        specialArgs = {
@ -100,8 +150,9 @@

        autoStart = true;

-        hostAddress = "192.168.100.12";
-        localAddress = "192.168.100.13";
+        hostBridge = "br0";
+        hostAddress = "192.168.101.1";
+        localAddress = "192.168.101.11/24";

        httpPort = 80;
        httpsPort = 443;
@ -114,8 +165,9 @@
      };
      autoStart = true;

-      hostAddress = "192.168.100.14";
-      localAddress = "192.168.100.15";
+      hostBridge = "br0";
+      hostAddress = "192.168.101.1";
+      localAddress = "192.168.101.12/24";

      syncthingPort = 22000;
    };
Author	SHA1	Message	Date
Stefan Junker	7d0515d6f0	feat(router0-dmz0,sj-srv1): use bridged macvlan as main dmz interface this allows guest VMs to communicate with the host via their macvtap connection.	2024-08-24 00:18:17 +02:00
Stefan Junker	84b473d38c	feat(sj-srv1): switch to hostBridge set up the hostside veth interfaces seem to be buggy and this is more efficient anyway.	2024-08-24 00:16:29 +02:00