network/nix/nixos-module/server/network.nix

# Server network configuration
{ config, lib, ... }:

let
  # LXC containers on this host
  containers =
    lib.filterAttrs (_: { role, model, ... }:
      role == "container" &&
      model == "lxc"
    ) config.site.hosts;

  # Every bridged veth network required by all containers
  bridgeNets =
    lib.lists.unique (
      builtins.concatMap ({ interfaces, ... }:
        builtins.attrNames (
          lib.filterAttrs (_: { type, ... }: type == "veth") interfaces
        )) (builtins.attrValues containers)
    );

  # Every network (both veth+phys) required by all containers
  ctNets =
    lib.lists.unique (
      builtins.concatMap ({ physicalInterfaces, ... }:
        builtins.attrNames physicalInterfaces
      ) (builtins.attrValues containers)
    );

in
{
  networking.firewall = {
    enable = true;
    allowedTCPPorts = [
      # SSH
      22
    ];
  };

  systemd.network = {
    enable = true;

    netdevs = {
      bond0.netdevConfig = {
        Kind = "bond";
        Name = "bond0";
      };
      # LACP
      bond0.bondConfig.Mode = "802.3ad";
    } // (
      builtins.foldl' (result: net: result // {
        # Bridges are named just like the corresponding net.
        "${net}" = {
          netdevConfig = {
            Kind = "bridge";
            Name = "${net}";
          };
          extraConfig = ''
            [Bridge]
            ForwardDelaySec=2
            STP=true
          '';
        };
      }) {} bridgeNets
    ) // (
      builtins.foldl' (result: net: result // {
        # External VLAN interfaces (to be attached to net bridges) are
        # named with an "ext-" prefix.
        "ext-${net}" = {
          netdevConfig = {
            Kind = "vlan";
            Name = "ext-${net}";
          };
          vlanConfig.Id = config.site.net.${net}.vlan;
        };
      }) {} ctNets
    );

    networks = {
      en = {
        # physical ethernet ports
        matchConfig.Name = "en*";
        networkConfig = {
          Bond = "bond0";
          LLDP = true;
          EmitLLDP = true;
        };
      };
      bond0 = {
        DHCP = "no";
        matchConfig.Name = "bond0";
        networkConfig = {
          VLAN = map (net: "ext-${net}") ctNets;
          LinkLocalAddressing = "no";
          LLDP = true;
          EmitLLDP = true;
        };
      };
    } // (builtins.foldl' (result: net: result // {
      "${net}" = {
        matchConfig.Name = net;
        networkConfig = {
          # Disable all automatic addressing on bridges. It will delay
          # networkd going into operational state.
          DHCP = lib.mkDefault "no";
          LinkLocalAddressing = lib.mkDefault "no";
          LLDP = true;
          EmitLLDP = true;
        };
      };
    }) {} bridgeNets) // builtins.foldl' (result: net: result // {
      "ext-${net}" = {
        matchConfig.Name = "ext-${net}";
        # Attach eth*/bond0/VLAN to bridge
        networkConfig.Bridge = net;
      };
    }) {} ctNets;
  };
}
doc 2021-04-10 14:52:13 +02:00			`# Server network configuration`
*.nix: remove unused code 2022-03-22 18:13:17 +01:00			`{ config, lib, ... }:`
server/network.nix: setup vlan/bridge infra 2021-03-24 22:23:09 +01:00
			`let`
doc 2021-04-10 14:52:13 +02:00			`# LXC containers on this host`
server/network.nix: setup vlan/bridge infra 2021-03-24 22:23:09 +01:00			`containers =`
config: don't use location to select server for lxc containers 2021-08-20 21:37:43 +02:00			`lib.filterAttrs (_: { role, model, ... }:`
server/network.nix: setup vlan/bridge infra 2021-03-24 22:23:09 +01:00			`role == "container" &&`
config: don't use location to select server for lxc containers 2021-08-20 21:37:43 +02:00			`model == "lxc"`
server/network.nix: setup vlan/bridge infra 2021-03-24 22:23:09 +01:00			`) config.site.hosts;`

doc 2021-04-10 14:52:13 +02:00			`# Every bridged veth network required by all containers`
server/network.nix: setup vlan/bridge infra 2021-03-24 22:23:09 +01:00			`bridgeNets =`
			`lib.lists.unique (`
			`builtins.concatMap ({ interfaces, ... }:`
			`builtins.attrNames (`
			`lib.filterAttrs (_: { type, ... }: type == "veth") interfaces`
			`)) (builtins.attrValues containers)`
			`);`

doc 2021-04-10 14:52:13 +02:00			`# Every network (both veth+phys) required by all containers`
server/network.nix: setup vlan/bridge infra 2021-03-24 22:23:09 +01:00			`ctNets =`
			`lib.lists.unique (`
options: add physicalInterfaces 2021-05-31 00:06:56 +02:00			`builtins.concatMap ({ physicalInterfaces, ... }:`
			`builtins.attrNames physicalInterfaces`
server/network.nix: setup vlan/bridge infra 2021-03-24 22:23:09 +01:00			`) (builtins.attrValues containers)`
			`);`

			`in`
			`{`
nixos-module/server/network: load iptables, open ssh 2021-04-04 23:02:12 +02:00			`networking.firewall = {`
			`enable = true;`
doc 2021-04-10 14:52:13 +02:00			`allowedTCPPorts = [`
			`# SSH`
			`22`
			`];`
nixos-module/server/network: load iptables, open ssh 2021-04-04 23:02:12 +02:00			`};`

server/network.nix: setup vlan/bridge infra 2021-03-24 22:23:09 +01:00			`systemd.network = {`
			`enable = true;`

			`netdevs = {`
			`bond0.netdevConfig = {`
			`Kind = "bond";`
			`Name = "bond0";`
			`};`
doc 2021-04-10 14:52:13 +02:00			`# LACP`
nixos-module/server/network: enable proper lacp 2021-04-05 01:17:01 +02:00			`bond0.bondConfig.Mode = "802.3ad";`
server/network.nix: setup vlan/bridge infra 2021-03-24 22:23:09 +01:00			`} // (`
			`builtins.foldl' (result: net: result // {`
doc 2021-04-10 14:52:13 +02:00			`# Bridges are named just like the corresponding net.`
nixos-module/server/network: enable STP and decrease forward_delay for bridges 2021-11-18 22:54:33 +01:00			`"${net}" = {`
			`netdevConfig = {`
			`Kind = "bridge";`
			`Name = "${net}";`
			`};`
			`extraConfig = ''`
			`[Bridge]`
			`ForwardDelaySec=2`
			`STP=true`
			`'';`
server/network.nix: setup vlan/bridge infra 2021-03-24 22:23:09 +01:00			`};`
			`}) {} bridgeNets`
			`) // (`
			`builtins.foldl' (result: net: result // {`
doc 2021-04-10 14:52:13 +02:00			`# External VLAN interfaces (to be attached to net bridges) are`
			`# named with an "ext-" prefix.`
server/network.nix: setup vlan/bridge infra 2021-03-24 22:23:09 +01:00			`"ext-${net}" = {`
			`netdevConfig = {`
			`Kind = "vlan";`
			`Name = "ext-${net}";`
			`};`
			`vlanConfig.Id = config.site.net.${net}.vlan;`
			`};`
			`}) {} ctNets`
			`);`

			`networks = {`
			`en = {`
doc 2021-04-10 14:52:13 +02:00			`# physical ethernet ports`
server/network.nix: setup vlan/bridge infra 2021-03-24 22:23:09 +01:00			`matchConfig.Name = "en*";`
nixos-module/*/network: enable LLDP 2021-06-14 22:00:06 +02:00			`networkConfig = {`
			`Bond = "bond0";`
			`LLDP = true;`
			`EmitLLDP = true;`
			`};`
server/network.nix: setup vlan/bridge infra 2021-03-24 22:23:09 +01:00			`};`
			`bond0 = {`
nixos-module/server/network: disable all addresses on bridges to make networkd happy 2021-04-05 01:18:08 +02:00			`DHCP = "no";`
server/network.nix: setup vlan/bridge infra 2021-03-24 22:23:09 +01:00			`matchConfig.Name = "bond0";`
nixos-module/server/network: disable all addresses on bridges to make networkd happy 2021-04-05 01:18:08 +02:00			`networkConfig = {`
			`VLAN = map (net: "ext-${net}") ctNets;`
			`LinkLocalAddressing = "no";`
nixos-module/*/network: enable LLDP 2021-06-14 22:00:06 +02:00			`LLDP = true;`
			`EmitLLDP = true;`
nixos-module/server/network: disable all addresses on bridges to make networkd happy 2021-04-05 01:18:08 +02:00			`};`
server/network.nix: setup vlan/bridge infra 2021-03-24 22:23:09 +01:00			`};`
nixos-module/server/network: attach vlan interfaces to bridges 2021-04-05 01:21:47 +02:00			`} // (builtins.foldl' (result: net: result // {`
nixos-module/network.nix: configure host IP 2021-03-25 00:46:46 +01:00			`"${net}" = {`
			`matchConfig.Name = net;`
			`networkConfig = {`
doc 2021-04-10 14:52:13 +02:00			`# Disable all automatic addressing on bridges. It will delay`
			`# networkd going into operational state.`
nixos-module/server/network: disable all addresses on bridges to make networkd happy 2021-04-05 01:18:08 +02:00			`DHCP = lib.mkDefault "no";`
			`LinkLocalAddressing = lib.mkDefault "no";`
nixos-module/*/network: enable LLDP 2021-06-14 22:00:06 +02:00			`LLDP = true;`
			`EmitLLDP = true;`
nixos-module/network.nix: configure host IP 2021-03-25 00:46:46 +01:00			`};`
			`};`
nixos-module/server/network: attach vlan interfaces to bridges 2021-04-05 01:21:47 +02:00			`}) {} bridgeNets) // builtins.foldl' (result: net: result // {`
			`"ext-${net}" = {`
			`matchConfig.Name = "ext-${net}";`
doc 2021-04-10 14:52:13 +02:00			`# Attach eth*/bond0/VLAN to bridge`
nixos-module/server/network: attach vlan interfaces to bridges 2021-04-05 01:21:47 +02:00			`networkConfig.Bridge = net;`
			`};`
			`}) {} ctNets;`
server/network.nix: setup vlan/bridge infra 2021-03-24 22:23:09 +01:00			`};`
			`}`