nixos/routnerr-2: cleanup nix variables
parent
ddafa50943
commit
c0d51e5482
6 changed files with 61 additions and 71 deletions
|
@ -39,7 +39,7 @@ in {
|
|||
# Use the GRUB 2 boot loader with MBR.
|
||||
boot = {
|
||||
kernel = {
|
||||
sysctl = {
|
||||
sysctl = with vars.interfaces.wan0; {
|
||||
# Forward on all interfaces.
|
||||
"net.ipv4.conf.all.forwarding" = true;
|
||||
"net.ipv6.conf.all.forwarding" = true;
|
||||
|
@ -50,9 +50,9 @@ in {
|
|||
"net.ipv6.conf.all.use_tempaddr" = 0;
|
||||
|
||||
# On WAN, allow IPv6 autoconfiguration and tempory address use.
|
||||
"net.ipv6.conf.${vars.interfaces.wan0.name}.accept_ra" = 2;
|
||||
"net.ipv6.conf.${vars.interfaces.wan0.name}.autoconf" = 1;
|
||||
"net.ipv6.conf.${vars.interfaces.wan0.name}.use_tempaddr" = 1;
|
||||
"net.ipv6.conf.${name}.accept_ra" = 2;
|
||||
"net.ipv6.conf.${name}.autoconf" = 1;
|
||||
"net.ipv6.conf.${name}.use_tempaddr" = 1;
|
||||
};
|
||||
};
|
||||
# Use GRUB in MBR mode.
|
||||
|
@ -93,8 +93,7 @@ in {
|
|||
# Google Home and Chromecast.
|
||||
avahi = {
|
||||
enable = true;
|
||||
interfaces =
|
||||
[ "${vars.interfaces.lan0.name}" "${vars.interfaces.iot0.name}" ];
|
||||
interfaces = with vars.interfaces; [ "${lan0.name}" "${iot0.name}" ];
|
||||
ipv4 = true;
|
||||
ipv6 = true;
|
||||
reflector = true;
|
||||
|
|
|
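Review bot: `sysctl = with vars.interfaces.wan0; {` makes the three WAN keys (`accept_ra`, `autoconf`, `use_tempaddr`) depend on a bare `name` resolved through `with`, and in Nix a lexically bound `name` introduced later in any enclosing scope silently takes precedence over a `with` binding, so those keys would quietly be set for a different interface with no evaluation error. A descriptive explicit binding avoids that: `sysctl = let wan = vars.interfaces.wan0.name; in {` with `"net.ipv6.conf.${wan}.accept_ra" = 2;` and the same for the other two keys. The same bare-`name` pattern appears in `systemd.services.coredns = with vars.interfaces.wg0; {` in the CoreDNS section and `wireguard = with vars.interfaces.wg0; {` in the networking section, and `config = with vars; ''` puts every top-level attribute of vars.nix in scope for the whole CoreDNS zone string, so a mistyped interpolation there resolves against vars instead of failing.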
@ -1,22 +1,17 @@
|
|||
{ lib, ... }:
|
||||
|
||||
let
|
||||
vars = import ./vars.nix;
|
||||
domain = vars.domain;
|
||||
|
||||
lan0 = vars.interfaces.lan0;
|
||||
wg0 = vars.interfaces.wg0;
|
||||
let vars = import ./vars.nix;
|
||||
|
||||
in {
|
||||
systemd.services.coredns = {
|
||||
systemd.services.coredns = with vars.interfaces.wg0; {
|
||||
# Delay CoreDNS startup until after WireGuard tunnel device is created.
|
||||
requires = [ "wireguard-${wg0.name}.service" ];
|
||||
after = [ "wireguard-${wg0.name}.service" ];
|
||||
requires = [ "wireguard-${name}.service" ];
|
||||
after = [ "wireguard-${name}.service" ];
|
||||
};
|
||||
|
||||
services.coredns = {
|
||||
enable = true;
|
||||
config = ''
|
||||
config = with vars; ''
|
||||
# Root zone.
|
||||
. {
|
||||
cache 3600 {
|
||||
|
@ -45,10 +40,10 @@ in {
|
|||
${host.ipv6.ula} ${host.name}.ipv6.${domain}
|
||||
'' else
|
||||
""}
|
||||
'') (vars.hosts.servers ++ vars.hosts.infra ++ [{
|
||||
'') (hosts.servers ++ hosts.infra ++ [{
|
||||
name = "routnerr-2";
|
||||
ipv4 = lan0.ipv4;
|
||||
ipv6.ula = lan0.ipv6.ula;
|
||||
ipv4 = interfaces.lan0.ipv4;
|
||||
ipv6.ula = interfaces.lan0.ipv6.ula;
|
||||
}])
|
||||
}
|
||||
}
|
||||
|
|
|
@ -3,11 +3,6 @@
|
|||
let
|
||||
vars = import ./vars.nix;
|
||||
|
||||
guest0 = vars.interfaces.guest0;
|
||||
iot0 = vars.interfaces.iot0;
|
||||
lab0 = vars.interfaces.lab0;
|
||||
lan0 = vars.interfaces.lan0;
|
||||
|
||||
# Produces a compatible object for the dhcpd4 machines array.
|
||||
mkHost = (host: {
|
||||
hostName = host.name;
|
||||
|
@ -17,37 +12,47 @@ let
|
|||
|
||||
in {
|
||||
services.dhcpd4 = {
|
||||
interfaces =
|
||||
[ "${lan0.name}" "${guest0.name}" "${iot0.name}" "${lab0.name}" ];
|
||||
interfaces = with vars.interfaces; [
|
||||
"${lan0.name}"
|
||||
"${guest0.name}"
|
||||
"${iot0.name}"
|
||||
"${lab0.name}"
|
||||
];
|
||||
enable = true;
|
||||
machines = lib.forEach (vars.hosts.infra ++ vars.hosts.servers) mkHost;
|
||||
machines = with vars.hosts; lib.forEach (infra ++ servers) mkHost;
|
||||
extraConfig = ''
|
||||
ddns-update-style none;
|
||||
|
||||
default-lease-time 86400;
|
||||
max-lease-time 86400;
|
||||
|
||||
${lib.concatMapStrings (ifi:
|
||||
${with vars.interfaces;
|
||||
lib.concatMapStrings (ifi:
|
||||
# Since dhcpd4 doesn't speak CIDR notation, trim off the final octet of
|
||||
# the router's address for our "/24" prefix.
|
||||
let pfx = lib.removeSuffix ".1" ifi.ipv4;
|
||||
let
|
||||
pfx = lib.removeSuffix ".1" ipv4;
|
||||
ipv4 = ifi.ipv4;
|
||||
|
||||
in ''
|
||||
subnet ${pfx}.0 netmask 255.255.255.0 {
|
||||
option subnet-mask 255.255.255.0;
|
||||
option broadcast-address ${pfx}.255;
|
||||
option routers ${ifi.ipv4};
|
||||
option domain-name-servers ${ifi.ipv4};
|
||||
option routers ${ipv4};
|
||||
option domain-name-servers ${ipv4};
|
||||
range ${pfx}.20 ${pfx}.240;
|
||||
|
||||
allow booting;
|
||||
next-server ${ifi.ipv4};
|
||||
next-server ${ipv4};
|
||||
option bootfile-name "netboot.xyz.kpxe";
|
||||
|
||||
${
|
||||
# Configure additional options for the primary internal LAN.
|
||||
if ifi.internal_domain then ''
|
||||
option domain-search "${vars.domain}";
|
||||
option domain-name "${vars.domain}";
|
||||
let
|
||||
domain = vars.domain;
|
||||
# Configure additional options for the primary internal LAN.
|
||||
in if ifi.internal_domain then ''
|
||||
option domain-search "${domain}";
|
||||
option domain-name "${domain}";
|
||||
'' else
|
||||
""
|
||||
}
|
||||
|
|
|
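Review bot: `pfx = lib.removeSuffix ".1" ipv4;` still assumes every interface's router address ends in `.1`; `removeSuffix` returns its input unchanged otherwise, so an interface with a different address would render `subnet <full address>.0 netmask 255.255.255.0` into `extraConfig` and the error would surface only when dhcpd rejects its configuration at start. Guarding the binding, `pfx = assert lib.hasSuffix ".1" ipv4; lib.removeSuffix ".1" ipv4;`, fails the evaluation with a clear message instead. The same applies to `pfx = lib.removeSuffix "1" ifi.ipv6.ula;` in the dhcpd6 section, where the bare `"1"` suffix would also truncate an address ending in `::11` to a wrong prefix, so asserting `lib.hasSuffix "::1"` there is the tighter check. The `(ifi: ...)` function and the `concatMapStrings` call around it continue past the end of the hunk.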
@ -1,16 +1,15 @@
|
|||
{ lib, ... }:
|
||||
|
||||
let
|
||||
vars = import ./vars.nix;
|
||||
let vars = import ./vars.nix;
|
||||
|
||||
guest0 = vars.interfaces.guest0;
|
||||
iot0 = vars.interfaces.iot0;
|
||||
lab0 = vars.interfaces.lab0;
|
||||
lan0 = vars.interfaces.lan0;
|
||||
in {
|
||||
services.dhcpd6 = {
|
||||
interfaces =
|
||||
[ "${lan0.name}" "${guest0.name}" "${iot0.name}" "${lab0.name}" ];
|
||||
interfaces = with vars.interfaces; [
|
||||
"${lan0.name}"
|
||||
"${guest0.name}"
|
||||
"${iot0.name}"
|
||||
"${lab0.name}"
|
||||
];
|
||||
enable = true;
|
||||
extraConfig = ''
|
||||
ddns-update-style none;
|
||||
|
@ -22,19 +21,22 @@ in {
|
|||
|
||||
option dhcp6.rapid-commit;
|
||||
|
||||
${lib.concatMapStrings (ifi:
|
||||
${with vars.interfaces;
|
||||
lib.concatMapStrings (ifi:
|
||||
# Router ULA addresses have a ::1 suffix, so trim the 1 from the
|
||||
# router's address for our /64 prefix.
|
||||
let pfx = lib.removeSuffix "1" ifi.ipv6.ula;
|
||||
let
|
||||
pfx = lib.removeSuffix "1" ifi.ipv6.ula;
|
||||
ipv6 = ifi.ipv6.ula;
|
||||
in ''
|
||||
subnet6 ${pfx}/64 {
|
||||
range6 ${pfx}ffff:1000 ${pfx}ffff:ffff;
|
||||
range6 ${pfx} temporary;
|
||||
|
||||
option dhcp6.name-servers ${ifi.ipv6.ula};
|
||||
option dhcp6.name-servers ${ipv6};
|
||||
|
||||
# TODO: find a working IPv6 TFTP implementation and enable.
|
||||
# option dhcp6.bootfile-url "tftp://[${ifi.ipv6.ula}]/netboot.xyz.kpxe";
|
||||
# option dhcp6.bootfile-url "tftp://[${ipv6}]/netboot.xyz.kpxe";
|
||||
|
||||
${
|
||||
# Configure additional options for the primary internal LAN.
|
||||
|
|
|
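Review bot: `pfx = lib.removeSuffix "1" ifi.ipv6.ula;` reads the address directly while the very next line binds `ipv6 = ifi.ipv6.ula;` for every other use, whereas the dhcpd4 counterpart derives `pfx` from its `ipv4` binding. `pfx = lib.removeSuffix "1" ipv6;` keeps the two files parallel; Nix `let` bindings are recursive, so the order of the two lines does not matter. The `(ifi: ...)` function opened in this hunk closes outside it.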
@ -3,13 +3,6 @@
|
|||
let
|
||||
vars = import ./vars.nix;
|
||||
|
||||
guest0 = vars.interfaces.guest0;
|
||||
iot0 = vars.interfaces.iot0;
|
||||
lab0 = vars.interfaces.lab0;
|
||||
lan0 = vars.interfaces.lan0;
|
||||
wan0 = vars.interfaces.wan0;
|
||||
wg0 = vars.interfaces.wg0;
|
||||
|
||||
# Produces the configuration for a LAN interface.
|
||||
mkInterface = (ifi: {
|
||||
ipv4.addresses = [{
|
||||
|
@ -33,14 +26,14 @@ in {
|
|||
# LAN interface.
|
||||
networking = {
|
||||
hostName = "routnerr-2";
|
||||
nameservers = [ "${vars.localhost.ipv4}" "${vars.localhost.ipv6}" ];
|
||||
nameservers = with vars.localhost; [ "${ipv4}" "${ipv6}" ];
|
||||
|
||||
dhcpcd = {
|
||||
enable = true;
|
||||
# Do not remove interface configuration on shutdown.
|
||||
persistent = true;
|
||||
allowInterfaces = [ "${wan0.name}" ];
|
||||
extraConfig = ''
|
||||
allowInterfaces = [ "${vars.interfaces.wan0.name}" ];
|
||||
extraConfig = with vars.interfaces; ''
|
||||
noipv6rs
|
||||
interface ${wan0.name}
|
||||
ipv6rs
|
||||
|
@ -55,14 +48,14 @@ in {
|
|||
'';
|
||||
};
|
||||
|
||||
interfaces = {
|
||||
interfaces = with vars.interfaces; {
|
||||
${lan0.name} = mkInterface lan0;
|
||||
${lab0.name} = mkInterface lab0;
|
||||
${guest0.name} = mkInterface guest0;
|
||||
${iot0.name} = mkInterface iot0;
|
||||
};
|
||||
|
||||
vlans = {
|
||||
vlans = with vars.interfaces; {
|
||||
${lab0.name} = {
|
||||
id = 2;
|
||||
interface = "${lan0.name}";
|
||||
|
@ -77,25 +70,21 @@ in {
|
|||
};
|
||||
};
|
||||
|
||||
wireguard = {
|
||||
wireguard = with vars.interfaces.wg0; {
|
||||
enable = true;
|
||||
interfaces = {
|
||||
${wg0.name} = {
|
||||
${name} = {
|
||||
listenPort = 51820;
|
||||
ips = [
|
||||
"${wg0.ipv4}/24"
|
||||
"${wg0.ipv6.gua}/64"
|
||||
"${wg0.ipv6.ula}/64"
|
||||
"${wg0.ipv6.lla}/64"
|
||||
];
|
||||
privateKeyFile = "/var/lib/wireguard/wg0.key";
|
||||
ips =
|
||||
[ "${ipv4}/24" "${ipv6.gua}/64" "${ipv6.ula}/64" "${ipv6.lla}/64" ];
|
||||
privateKeyFile = "/var/lib/wireguard/${name}.key";
|
||||
peers = [
|
||||
# mdlayher-fastly
|
||||
{
|
||||
publicKey = "VWRsPtbdGtcNyaQ+cFAZfZnYL05uj+XINQS6yQY5gQ8=";
|
||||
allowedIPs = [
|
||||
"192.168.20.0/24"
|
||||
"2600:6c4a:787f:d120::/64"
|
||||
"2600:6c4a:7880:3220::/64"
|
||||
"fd9e:1a04:f01d:20::/64"
|
||||
"fe80::10/128"
|
||||
];
|
||||
|
|
|
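Review bot: `privateKeyFile = "/var/lib/wireguard/${name}.key";` now derives the on-disk path of the private key from `vars.interfaces.wg0.name`, so renaming the interface in vars.nix changes where the module looks for the secret without moving the file; nothing in this hunk generates a key at the new path, so I would expect the tunnel to fail to come up at activation — confirm against the wireguard module. The old literal `wg0.key` made that coupling visible in review, which the interpolated form does not. If the coupling is intended, a comment next to the line records it: `# Key file is named after the interface; move /var/lib/wireguard/<old-name>.key when renaming it.`. The `wireguard` attribute set and its `peers` list continue past the end of the hunk.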
@ -109,7 +109,7 @@ in {
|
|||
ipv4 = "192.168.20.1";
|
||||
ipv6 = {
|
||||
# TODO try to get prefix delegation ordering working.
|
||||
gua = "2600:6c4a:7880:3202::1";
|
||||
gua = "2600:6c4a:7880:3220::1";
|
||||
lla = "fe80::";
|
||||
ula = "fd9e:1a04:f01d:20::1";
|
||||
};
|
||||
|
|
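Review bot: `gua = "2600:6c4a:7880:3220::1";` changes the router's WireGuard GUA prefix from `3202` to `3220`, which is a functional address change rather than the variable cleanup the commit title describes. It does line up with the `2600:6c4a:7880:3220::/64` already listed in the mdlayher-fastly peer's `allowedIPs` in the networking section, so presumably the old value was a typo, but that reasoning belongs in the commit message so a later reader does not take it for an accidental edit. The enclosing attribute set starts outside the hunk.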