diff --git a/ops/nixos/swann/default.nix b/ops/nixos/swann/default.nix
index 6d7bed0ce4..beba1ba04c 100644
--- a/ops/nixos/swann/default.nix
+++ b/ops/nixos/swann/default.nix
@@ -80,7 +80,7 @@ in {
 ];
 # Additional options configured in networkd.
 };
- en-general = {
+ br-internal = {
 ipv4.addresses = [
 { address = "192.168.1.1"; prefixLength = 23; }
 { address = "92.118.30.17"; prefixLength = 28; }
@@ -100,12 +100,6 @@ in {
 ];
 };
 };
- vlans = {
- vl-eduroam = {
- id = 100;
- interface = "en-general";
- };
- };
 };
 systemd.network = let
 hexToInt = h: (builtins.fromTOML "h = ${h}").h;
@@ -308,6 +302,17 @@ in {
 linkConfig.RequiredForOnline = "no";
 };
 networks."40-en-gnet" = (physicalNetwork routeTables.gnet "0xcafe" []);
+ networks."40-br-internal" = {
+ networkConfig.VLAN = [ "vl-eduroam" ];
+ };
+ networks."40-en-int-eth" = {
+ matchConfig.Name = "en-int-eth";
+ networkConfig.Bridge = "br-internal";
+ };
+ networks."40-en-int-sfp" = {
+ matchConfig.Name = "en-int-sfp";
+ networkConfig.Bridge = "br-internal";
+ };
 netdevs = let
 wireguard = { name, listenPort, privateKey, endpoint, publicKey, fwmark }: {
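Review bot: `networks."40-br-internal"` has no `matchConfig`, so the generated .network unit carries an empty [Match] section, which systemd-networkd treats as matching every link (it logs a warning and applies the file to any interface not already claimed by a unit that sorts earlier); because "40-br-internal" sorts before "40-en-gnet", it could capture interfaces that should get their own configuration. Pin it with `matchConfig.Name = "br-internal";`. Separately, the bridge netdev added in a later hunk sets `VLANFiltering=true`, under which the bridge and its ports forward only their PVID (1 by default) until other VIDs are admitted; nothing in this hunk adds a `[BridgeVLAN]` section with `VLAN=100` to 40-br-internal (for the bridge's own port) or to 40-en-int-eth/40-en-int-sfp, so tagged eduroam frames may be dropped before they ever reach vl-eduroam — verify with `bridge vlan show` after deployment and add the membership if the VIDs are missing. The enclosing `systemd.network` attribute set begins before this hunk.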
@@ -357,14 +362,42 @@ in {
 endpoint = "92.118.28.252:51822";
 fwmark = "0xcafe";
 };
+ "20-br-internal" = {
+ netdevConfig = {
+ Name = "br-internal";
+ Kind = "bridge";
+ Description = "Bridge br-internal";
+ };
+ extraConfig = ''
+ [Bridge]
+ VLANFiltering=true
+ MulticastQuerier=true
+ MulticastSnooping=true
+ STP=true
+ VLANProtocol=802.1q
+ MulticastIGMPVersion=3
+ '';
+ };
+ "25-vl-eduroam" = {
+ netdevConfig = {
+ Name = "vl-eduroam";
+ Kind = "vlan";
+ Description = "Eduroam VLAN on br-internal";
+ };
+ vlanConfig = {
+ Id = 100;
+ };
+ };
 };
 };
+ services.mstpd.enable = true;
 my.ip.tailscale = "100.102.224.95";
 services.udev.extraRules = ''
 ATTR{address}=="e4:3a:6e:16:07:62", DRIVERS=="?*", NAME="en-virginmedia"
 ATTR{address}=="e4:3a:6e:16:07:63", DRIVERS=="?*", NAME="en-ee"
 ATTR{address}=="e4:3a:6e:16:07:64", DRIVERS=="?*", NAME="en-gnet"
- ATTR{address}=="e4:3a:6e:16:07:67", DRIVERS=="?*", NAME="en-general"
+ ATTR{address}=="e4:3a:6e:16:07:67", DRIVERS=="?*", NAME="en-int-eth"
+ ATTR{address}=="e4:3a:6e:16:08:bc", DRIVERS=="?*", NAME="en-int-sfp"
 '';
 boot.kernel.sysctl = {
 "net.ipv4.ip_forward" = "1";
@@ -376,7 +409,7 @@ in {
 };
 networking.nat = {
 enable = true;
- internalInterfaces = ["en-general"];
+ internalInterfaces = ["br-internal"];
 externalInterface = "en-virginmedia";
 extraCommands = ''
 # Send PS5 RTMP to totoro instead.
@@ -409,7 +442,7 @@ in {
 };
 services.dhcpd4 = {
 enable = true;
- interfaces = ["en-general" "vl-eduroam"];
+ interfaces = ["br-internal" "vl-eduroam"];
 authoritative = true;
 extraConfig = ''
 shared-network int {
@@ -496,7 +529,7 @@ in {
 };
 networking.firewall = {
- interfaces.en-general = {
+ interfaces.br-internal = {
 allowedTCPPorts = [
 8080 6789 # Unifi
 53 # DNS
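Review bot: `STP=true` together with `services.mstpd.enable = true` makes br-internal accept and act on BPDUs arriving on every member port, so any device plugged into en-int-eth or en-int-sfp can announce a superior bridge ID and become root, or push the port into blocking — a cheap layer-2 DoS / topology-manipulation vector that matters if either port fronts the guest segment that the vl-eduroam VLAN suggests. If neither port has a redundant path to another switch, STP adds exposure without benefit and can simply be left off; otherwise guard the leaf ports once mstpd owns the bridge, e.g. `mstpctl setbpduguard br-internal en-int-eth yes` and `mstpctl setportrestrrole br-internal en-int-eth yes` (likewise for en-int-sfp), which could live in the start branch of the bridge-stp helper added later in this diff. The `netdevs` attribute set this hunk extends starts before the hunk.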
@@ -562,6 +595,26 @@ in {
 environment.systemPackages = with pkgs; [
 ethtool
+ (writeShellApplication {
+ name = "bridge-stp";
+ runtimeInputs = [ mstpd ];
+ text = ''
+ BRIDGES=("br-internal")
+ for BRIDGE in "''${BRIDGES[@]}"; do
+ if [[ "$BRIDGE" = "$1" ]]; then
+ if [[ "$2" = "start" ]]; then
+ mstpctl addbridge "$BRIDGE"
+ exit 0
+ elif [[ "$2" = "stop" ]]; then
+ mstpctl delbridge "$BRIDGE"
+ exit 0
+ fi
+ exit 1
+ fi
+ done
+ exit 1
+ '';
+ })
 ];
 services.coredns = {
@@ -689,8 +742,8 @@ in {
 };
 # Covering route...
- route 2a09:a443::/64 via "en-general";
- route 2a09:a443:1::/48 via "en-general";
+ route 2a09:a443::/64 via "br-internal";
+ route 2a09:a443:1::/48 via "br-internal";
 route 2a09:a443:2::/64 via "vl-eduroam";
 route 2a09:a443:3::/48 via "vl-eduroam";
 route 2a09:a443::/32 unreachable;
@@ -716,7 +769,7 @@ in {
 services.radvd = {
 enable = true;
 config = ''
- interface en-general {
+ interface br-internal {
 AdvSendAdvert on;
 AdvLinkMTU 1420; # Wireguard
 AdvManagedFlag on;
@@ -754,7 +807,7 @@ in {
 };
 services.dhcpd6 = {
 enable = true;
- interfaces = ["en-general" "vl-eduroam"];
+ interfaces = ["br-internal" "vl-eduroam"];
 authoritative = true;
 extraConfig = ''
 subnet6 2a09:a443:1::/48 {
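Review bot: The kernel invokes the user-space STP helper by the fixed path `/sbin/bridge-stp` when STP is enabled on a bridge, but this `writeShellApplication` is only added to `environment.systemPackages`, which exposes it under /run/current-system/sw/bin; unless the mstpd module or something outside this diff links `/sbin/bridge-stp` to it, the helper is never run, the kernel silently falls back to its own STP, and the `mstpctl addbridge` here never happens. Wire the path explicitly (for example bind the derivation in a `let` and add an activation script doing `ln -sfn ${bridgeStp}/bin/bridge-stp /sbin/bridge-stp`) and confirm after boot with `mstpctl showbridge br-internal`. Minor: `writeShellApplication` enables `set -u`, so invoking the script with fewer than two arguments dies on an unbound-variable error instead of reaching the explicit `exit 1`; using `"''${1:-}"` and `"''${2:-}"` in the two tests keeps the intended exit path.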