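# Host-side network layout for a machine that runs LXC containers: the
# physical NICs are bonded, one bridge is created per container veth
# segment, and each segment reaches the upstream switch through a VLAN
# sub-interface of the bond that is enslaved to that segment's bridge.
{ hostName, self, config, lib, pkgs, ... }:
let
  # Containers this host is responsible for: role "container", model
  # "lxc", and located on this host.
  containers = lib.filterAttrs
    (_: { role, model, location, ... }:
      role == "container" && model == "lxc" && location == hostName)
    config.site.hosts;

  # Names of all "veth"-type interfaces across those containers; each
  # one becomes a bridge netdev on the host.
  bridgeNets = lib.lists.unique (builtins.concatMap
    ({ interfaces, ... }:
      builtins.attrNames
        (lib.filterAttrs (_: { type, ... }: type == "veth") interfaces))
    (builtins.attrValues containers));

  # Names of *all* container interfaces (a superset of bridgeNets); each
  # one gets a VLAN sub-interface "ext-<net>" on bond0.
  ctNets = lib.lists.unique (builtins.concatMap
    ({ interfaces, ... }: builtins.attrNames interfaces)
    (builtins.attrValues containers));

  # Build an attrset from a list of net names: one entry per net, keyed
  # by `mkName net` with value `mkValue net`.
  mkPerNet = mkName: mkValue: nets:
    lib.listToAttrs
      (map (net: lib.nameValuePair (mkName net) (mkValue net)) nets);
in
{
  # Only SSH is reachable on the host's own IP stack.
  # NOTE(review): the host firewall does not see frames that are merely
  # bridged between containers on the same segment (those bypass the
  # host's INPUT chain unless bridge-netfilter is enabled) — confirm
  # that container-to-container traffic is meant to be unfiltered here.
  networking.firewall = {
    enable = true;
    allowedTCPPorts = [ 22 ];
  };

  systemd.network = {
    enable = true;

    netdevs =
      {
        # LACP bond over the physical NICs matched in `networks` below.
        bond0 = {
          netdevConfig = { Kind = "bond"; Name = "bond0"; };
          bondConfig.Mode = "802.3ad";
        };
      }
      # One bridge per veth segment, named after the segment.
      // mkPerNet lib.id (net: {
        netdevConfig = { Kind = "bridge"; Name = net; };
      }) bridgeNets
      # One VLAN sub-interface per container net; the VLAN id comes from
      # the site-wide net definition.
      // mkPerNet (net: "ext-${net}") (net: {
        netdevConfig = { Kind = "vlan"; Name = "ext-${net}"; };
        vlanConfig.Id = config.site.net.${net}.vlan;
      }) ctNets;

    networks =
      {
        # Every physical NIC (eth*/en*) is enslaved to the bond.
        eth = { matchConfig.Name = "eth*"; networkConfig.Bond = "bond0"; };
        en  = { matchConfig.Name = "en*";  networkConfig.Bond = "bond0"; };

        # The bond itself carries no address; it only hosts the VLAN
        # sub-interfaces. DHCP is set under `networkConfig`, the
        # canonical form that the per-bridge networks below already use
        # (the top-level `DHCP` shorthand is a legacy spelling).
        bond0 = {
          matchConfig.Name = "bond0";
          networkConfig = {
            DHCP = "no";
            VLAN = map (net: "ext-${net}") ctNets;
            LinkLocalAddressing = "no";
          };
        };
      }
      # By default the host takes no address (neither DHCP nor link-local)
      # on container segments, so it is not a participant on them;
      # mkDefault lets another module opt a specific bridge in.
      // mkPerNet lib.id (net: {
        matchConfig.Name = net;
        networkConfig = {
          DHCP = lib.mkDefault "no";
          LinkLocalAddressing = lib.mkDefault "no";
        };
      }) bridgeNets
      # Enslave each VLAN sub-interface to the bridge of the same net.
      # NOTE(review): ctNets is a superset of bridgeNets, so for a
      # container interface whose type is not "veth" this references a
      # bridge that is not declared in this file — presumably every
      # interface is veth, or that bridge is declared elsewhere; confirm.
      // mkPerNet (net: "ext-${net}") (net: {
        matchConfig.Name = "ext-${net}";
        networkConfig.Bridge = net;
      }) ctNets;
  };
}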