From a625ba6f41895df3984c266eef895499e3ccae9d Mon Sep 17 00:00:00 2001
From: Lauren Lagarde
Date: Sun, 27 Jul 2025 17:59:44 -0500
Subject: [PATCH] Significantly improve bastion network configuration
---
 systems/bastion/configuration.nix | 71 +++++++++++++++++++++++-----
 systems/blockhouse/configuration.nix | 10 ++--
 2 files changed, 62 insertions(+), 19 deletions(-)
diff --git a/systems/bastion/configuration.nix b/systems/bastion/configuration.nix
index 2d421ee..4b63d72 100644
--- a/systems/bastion/configuration.nix
+++ b/systems/bastion/configuration.nix
@@ -34,7 +34,6 @@
 # Bastion Features
 ../../nixos/features/hardware/yubikey.nix
- ../../nixos/features/networking/networkd-br0.nix
 ../../nixos/features/virtualization/dockge.nix
 ../../nixos/features/virtualization/docker.nix
 ../../nixos/features/virtualization/libvirt-host.nix
@@ -193,19 +192,67 @@
 ##############################################################################
 # Networking
- systemd.network.networks = {
- "30-eno1" = {
- matchConfig.Name = "eno1";
- networkConfig.Bridge = "br0";
- linkConfig.RequiredForOnline = "enslaved";
- };
- "30-enp0s20f0u8" = {
- matchConfig.Name = "enp0s20f0u8";
- networkConfig.Bridge = "br0";
- linkConfig.RequiredForOnline = "enslaved";
+ networking.useNetworkd = true;
+ systemd.network = {
+ enable = true;
+
+ # Configure Physical Interfaces
+ links."10-usb0" = {
+ linkConfig.Name = "usb0";
+ matchConfig.PermanentMACAddress = "8c:ae:4c:dd:f7:aa"; # 2.5Gb USB NIC
 };
- "90-tinc" = {
+ # Declare VLAN Interfaces
+ netdevs."10-usb0-vlan-wan" = {
+ netdevConfig = {
+ Kind = "vlan";
+ Name = "usb0";
+ };
+ vlanConfig.Id = 288;
+ };
+
+ # Declare Bridge Interfaces
+ netdevs."10-br-lan".netdevConfig = {
+ Kind = "bridge";
+ Name = "br-lan";
+ MACAddress = "56:66:4b:dd:9b:0e";
+ };
+ netdevs."10-br-wan".netdevConfig = {
+ Kind = "bridge";
+ Name = "br-wan";
+ };
+
+ # Add Bridge Members
+ networks."20-eno0" = {
+ matchConfig.Name = "eno0";
+ networkConfig.Bridge = "br-lan";
+ linkConfig.RequiredForOnline = "enslaved";
+ };
+ networks."20-usb0" = {
+ matchConfig.Name = "usb0";
+ networkConfig = {
+ VLAN = [
+ "usb0-wan"
+ ];
+ Bridge = "br-lan";
+ };
+ linkConfig.RequiredForOnline = "enslaved";
+ };
+ networks."20-usb0-wan" = {
+ matchConfig.Name = "usb0-wan";
+ networkConfig.Bridge = "br-wan";
+ };
+
+ # Actual Network Configs
+ networks."30-br-lan" = {
+ matchConfig.Name = "br-lan";
+ address = [ "192.168.2.51/24" ];
+ routes = [ { Gateway = "192.168.2.1"; } ];
+ networkConfig.IPv6AcceptRA = true;
+ linkConfig.RequiredForOnline = "routable";
+ };
+
+ networks."90-tinc" = {
 matchConfig.Name = "tinc.dotspace";
 address = [ "10.86.84.105/32" ];
 routes = [ { Destination = "10.86.84.0/24"; } ];
diff --git a/systems/blockhouse/configuration.nix b/systems/blockhouse/configuration.nix
index ed0711e..395ce9b 100755
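Review bot: The VLAN netdev `netdevs."10-usb0-vlan-wan"` is declared with `Name = "usb0"`, the same name the `10-usb0` link rule assigns to the physical NIC, while `networks."20-usb0"` references `VLAN = [ "usb0-wan" ]` and `networks."20-usb0-wan"` matches `usb0-wan`; no netdev by that name is declared, so the VLAN 288 interface will not be created and nothing will be enslaved to `br-wan` — the netdev should read `Name = "usb0-wan";`. `networks."20-usb0-wan"` also omits the `linkConfig.RequiredForOnline = "enslaved";` that every other bridge member sets, and `br-wan` has no `.network` entry at all, so unless something outside this diff brings it up it likely stays down; an address-less `networks."30-br-wan"` with `matchConfig.Name = "br-wan";` would make that explicit. Because the untagged side of the same USB port is bridged into `br-lan` while only tagged VLAN 288 is meant for `br-wan`, a comment stating which VLAN the upstream switch port carries untagged would document the LAN/WAN trust boundary this relies on; I cannot tell from the diff whether that is intended. The replaced config matched `eno1`, and the new `networks."20-eno0"` (as well as the renamed `20-eno0` in the blockhouse section below, whose MAC-pinned `10-mobo0` link rule is removed) matches `eno0` with no link rule producing that name, so it is worth confirming the onboard NIC is actually enumerated as `eno0` on both hosts.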
--- a/systems/blockhouse/configuration.nix
+++ b/systems/blockhouse/configuration.nix
@@ -193,7 +193,7 @@
 ##############################################################################
 ##############################################################################
 ##############################################################################
- # Network
+ # Networking
 # Disable IPv6?
 networking.enableIPv6 = false;
@@ -204,10 +204,6 @@
 enable = true;
 # Configure Physical Interfaces
- links."10-mobo0" = {
- linkConfig.Name = "mobo0";
- matchConfig.PermanentMACAddress = "94:cc:04:11:30:b8"; # Builtin NIC
- };
 links."10-card0" = {
 linkConfig.Name = "card0";
 matchConfig.PermanentMACAddress = "6c:92:bf:42:51:c6"; # 10Gb SFP+ NIC
@@ -245,8 +241,8 @@
 };
 # Add Bridge Members
- networks."20-mobo0" = {
- matchConfig.Name = "mobo0";
+ networks."20-eno0" = {
+ matchConfig.Name = "eno0";
 networkConfig.Bridge = "br-lan";
 linkConfig.RequiredForOnline = "enslaved";
 };