cofractal-ams01: set up network bridge

ops/nixos/cofractal-ams01/default.nix

@@ -65,6 +65,8 @@ in
     ../lib/coredns/default.nix
     ../lib/deluge.nix
     ../lib/plex.nix
+    ./vm-bridge.nix
+    ./vxlan-bridge.nix
   ];
 
   my.plex.customTLS = {
@@ -219,6 +221,7 @@ in
   in [
     (bindMountSvc "/var/lib/tailscale" "tailscaled.service")
     (bindMountSvc "/var/lib/private/factorio" "factorio.service")
+    (bindMountSvc "/var/lib/libvirt" "libvirt.service")
   ];
 
   services.lukegbgp = let
@@ -274,8 +277,8 @@ in
     game-name = "Briefcase Full of Bees";
     mods = depot.nix.pkgs.factorio-mods._all;
     mods-dat = ./mod-settings.dat;
+    admins = ["lukegb"];
     extraSettings = {
-      admins = ["lukegb"];
       auto_pause = true;
       only_admins_can_pause_the_game = false;
       game_password = depot.ops.secrets.factorioServerPassword;

ops/nixos/cofractal-ams01/vm-bridge.nix

@@ -0,0 +1,27 @@
+# SPDX-FileCopyrightText: 2024 Luke Granger-Brown <depot@lukegb.com>
+#
+# SPDX-License-Identifier: Apache-2.0
+
+{ depot, lib, pkgs, config, ... }:
+
+{
+  systemd.network.netdevs."40-br-public" = {
+    netdevConfig = {
+      Name = "br-public";
+      Kind = "bridge";
+    };
+  };
+  systemd.network.networks."40-br-public" = {
+    matchConfig.Name = "br-public";
+  };
+
+  systemd.network.netdevs."40-br-mgmt" = {
+    netdevConfig = {
+      Name = "br-mgmt";
+      Kind = "bridge";
+    };
+  };
+  systemd.network.networks."40-br-mgmt" = {
+    matchConfig.Name = "br-mgmt";
+  };
+}

ops/nixos/cofractal-ams01/vxlan-bridge.nix

@@ -0,0 +1,49 @@
+# SPDX-FileCopyrightText: 2024 Luke Granger-Brown <depot@lukegb.com>
+#
+# SPDX-License-Identifier: Apache-2.0
+
+{ depot, lib, pkgs, config, ... }:
+
+{
+  imports = [ ./vm-bridge.nix ];
+
+  systemd.network.netdevs."40-vx-public" = {
+    netdevConfig = {
+      Name = "vx-public";
+      Kind = "vxlan";
+    };
+    vxlanConfig = {
+      VNI = 100;
+      Remote = "2a09:a441:0:ffff::1";
+      Local = "2a09:a446:1337:ffff::10";
+      DestinationPort = 4789;
+    };
+  };
+  systemd.network.networks."40-vx-public" = {
+    matchConfig.Name = "vx-public";
+    networkConfig.Bridge = "br-public";
+  };
+
+  systemd.network.netdevs."40-vx-mgmt" = {
+    netdevConfig = {
+      Name = "vx-mgmt";
+      Kind = "vxlan";
+    };
+    vxlanConfig = {
+      VNI = 101;
+      Remote = "2a09:a441:0:ffff::1";
+      Local = "2a09:a446:1337:ffff::10";
+      DestinationPort = 4789;
+    };
+  };
+  systemd.network.networks."40-vx-mgmt" = {
+    matchConfig.Name = "vx-mgmt";
+    networkConfig.Bridge = "br-mgmt";
+  };
+
+  networking.firewall.extraCommands = ''
+    ip6tables -I nixos-fw -p udp --src 2a09:a441:0:ffff::1 --dst 2a09:a446:1337:ffff::10 --dport 4789 -j ACCEPT
+  '';
+
+  systemd.network.networks."40-bond0".networkConfig.VXLAN = [ "vx-public" "vx-mgmt" ];
+}