hosts: revise networking-related variables set

2025-01-31 04:58:01 +00:00 · 2023-01-25 11:38:45 +08:00 · 2023-01-25 11:38:45 +08:00 · d0720ee7b7
commit d0720ee7b7
parent 00bbbd8135
7 changed files with 95 additions and 52 deletions
--- a/hosts/ni/default.nix
+++ b/hosts/ni/default.nix
@ -9,8 +9,8 @@ let
    wireguardPeers;

  wireguardAllowedIPs = [
-    "${interfaces.internal.IPv4}/16"
-    "${interfaces.internal.IPv6}/64"
+    "${interfaces.internal.IPv4.address}/16"
+    "${interfaces.internal.IPv6.address}/64"
  ];
  wireguardIFName = "wireguard0";
 in
@ -229,7 +229,7 @@ in
            PublicKey = lib.readFile ../plover/files/wireguard/wireguard-public-key-plover;
            PresharedKeyFile = config.sops.secrets."ni/wireguard/preshared-keys/plover".path;
            AllowedIPs = lib.concatStringsSep "," wireguardAllowedIPs;
-            Endpoint = "${interfaces.main'.IPv4}:51820";
+            Endpoint = "${interfaces.main'.IPv4.address}:${toString wireguardPort}";
          };
        }
      ];
--- a/hosts/plover/default.nix
+++ b/hosts/plover/default.nix
@ -2,6 +2,7 @@

 let
  inherit (builtins) toString;
+  inherit (import ./modules/hardware/networks.nix) interfaces;

  # The head of the Borgbase hostname.
  hetzner-boxes-user = "u332477";
@ -56,6 +57,10 @@ in
  services.fail2ban.ignoreIP = [
    "172.16.0.0/12"
    "fc00::/7"
+
+    # Those from the tunneling services.
+    "${interfaces.wireguard0.IPv4.address}/16"
+    "${interfaces.wireguard0.IPv6.address}/64"
  ];

  # TODO: Put the secrets to the respective service module.
--- a/hosts/plover/modules/hardware/hetzner-cloud-cx21.nix
+++ b/hosts/plover/modules/hardware/hetzner-cloud-cx21.nix
@ -4,12 +4,12 @@
 # settings of whatever image format configuration this host system will import
 # from nixos-generators.
 let
-  network = import ./networks.nix;
  inherit (builtins) toString;
-  inherit (network) privateIPv6Prefix interfaces;
+  inherit (import ./networks.nix) interfaces;

  # This is just referring to the same interface just with alternative names.
-  mainEthernetInterfaceNames = [ "ens3" "enp0s3" ];
+  mainEthernetInterfaceNames = [ "ens10" "enp0s10" ];
+  internalEthernetInterfaceNames = [ "ens11" "enp0s11" ];
 in
 {
  imports = [
@ -58,61 +58,68 @@ in
    # For more information, you can look at Hetzner documentation from
    # https://docs.hetzner.com/robot/dedicated-server/ip/additional-ip-adresses/
    networks = {
-      "60-wan" = {
+      "20-wan" = {
        matchConfig.Name = lib.concatStringsSep " " mainEthernetInterfaceNames;

        # Setting the primary static IPs.
        address = with interfaces; [
          # The public IPs.
-          "${main'.IPv4}/32"
-          "${main'.IPv6}/128"
-
-          # IPs in the LAN.
-          "${main.IPv4}/16"
-          "${main.IPv6}/64"
+          "${main'.IPv4.address}/32"
+          "${main'.IPv6.address}/128"
        ];

-        networkConfig = {
-          IPForward = true;
-          IPMasquerade = "both";
-        };
+        networkConfig.IPForward = true;
+
+        gateway = [
+          interfaces.main'.IPv4.gateway
+          interfaces.main'.IPv6.gateway
+        ];

        routes = [
-          { routeConfig.Gateway = "fe80::1"; }
-          { routeConfig.Destination = "${interfaces.main'.IPv4}/32"; }
+          { routeConfig.Gateway = interfaces.main'.IPv6.gateway; }
+          { routeConfig.Destination = interfaces.main'.IPv4.address; }

          {
            routeConfig = {
-              Gateway = "${interfaces.main'.IPv4}/32";
+              Gateway = interfaces.main'.IPv4.gateway;
              GatewayOnLink = true;
            };
          }
        ];
      };

-      "60-lan" = {
-        matchConfig.Name = "ens11";
-        address = with interfaces.internal; [
-          "${IPv4}/16"
-          "${IPv6}/64"
+      "20-lan" = with interfaces.internal; {
+        matchConfig.Name = lib.concatStringsSep " " internalEthernetInterfaceNames;
+        address = [
+          "${IPv4.address}/16"
+          "${IPv6.address}/64"
+        ];
+        gateway = [
+          IPv4.gateway
+          IPv6.gateway
+        ];
+
+        routes = [
+          { routeConfig.Gateway = IPv6.gateway; }
+          { routeConfig.Destination = IPv4.address; }
+
+          {
+            routeConfig = {
+              Gateway = IPv4.gateway;
+              GatewayOnLink = true;
+            };
+          }
        ];
-        networkConfig.DHCP = "yes";
      };

-      # This is to make use of the remaining ethernet interfaces as we can
-      # build a local network.
-      "60-dhcpv6-pd-downstreams" = {
-        matchConfig.Name = "en*";
+      "60-internal" = {
+        matchConfig.Name = "ens*";
        networkConfig.DHCP = "yes";
-
-        # Even if there's one, it would have the interface with subnets and a
-        # guaranteed network interface for the internal services.
-        dhcpV6Config.PrefixDelegationHint = "${privateIPv6Prefix}:43ff::/64";
      };
    };
  };

  # This is to look out for any errors that will occur for my networking setup
  # which is always a possibility.
-  systemd.services.systemd-networkd.serviceConfig.Environment = "SYSTEMD_LOG_LEVEL=debug";
+  systemd.services.systemd-networkd.serviceConfig.Environment = "SYSTEMD_LOG_LEVEL=info";
 }
--- a/hosts/plover/modules/hardware/networks.nix
+++ b/hosts/plover/modules/hardware/networks.nix
@ -6,30 +6,58 @@ let
 in
 rec {
  privateIPv6Prefix = "fdee:b0de:5685";
-  interfaces = {
+  interfaces = let
+    ploverInternalNetworkGateway = "172.16.0.1";
+    widdeerLan = "10.0.0.1";
+    ipv6Gateway = "fe80::1";
+  in
+    {
    # This is the public-facing interface. Any interface name with a prime
    # symbol means it's a public-facing interface.
    main' = {
-      IPv4 = "95.217.212.19";
-      IPv6 = "2a01:4f9:c011:a448::1";
+      # The gateways for the public addresses are retrieved from the following
+      # pages:
+      #
+      # * https://docs.hetzner.com/cloud/networks/faq/#are-any-ip-addresses-reserved
+      # * https://docs.hetzner.com/robot/dedicated-server/ip/additional-ip-adresses/#gateway
+      IPv4 = {
+        address = "95.217.212.19";
+        gateway = "172.31.1.1";
+      };
+      IPv6 = {
+        address = "2a01:4f9:c011:a448::1";
+        gateway = ipv6Gateway;
+      };
    };

    # /16 block for IPv4, /64 for IPv6.
    main = {
-      IPv4 = "172.25.0.1";
-      IPv6 = "${privateIPv6Prefix}:1::";
+      IPv4 = {
+        address = "172.27.0.1";
+        gateway = ploverInternalNetworkGateway;
+      };
+      IPv6 = {
+        address = "${privateIPv6Prefix}:1::";
+        gateway = ipv6Gateway;
+      };
    };

    # /16 block for IPv4, /64 for IPv6.
    internal = {
-      IPv4 = "172.24.0.1";
-      IPv6 = "${privateIPv6Prefix}:2::";
+      IPv4 = {
+        address = "172.27.0.2";
+        gateway = ploverInternalNetworkGateway;
+      };
+      IPv6 = {
+        address = "${privateIPv6Prefix}:2::";
+        gateway = ipv6Gateway;
+      };
    };

    # /16 BLOCK for IPv4, /64 for IPv6.
    wireguard0 = {
-      IPv4 = "10.210.0.1";
-      IPv6 = "${privateIPv6Prefix}:12ae::";
+      IPv4.address = "10.210.0.1";
+      IPv6.address = "${privateIPv6Prefix}:12ae::";
    };
  };

@ -39,19 +67,22 @@ rec {
  # Wireguard-related things.
  wireguardPort = 51820;
  wireguardIPHostPart = "10.210.0";
-  wireguardIPv6Prefix = interfaces.wireguard0.IPv6;
+  wireguardIPv6Prefix = interfaces.wireguard0.IPv6.address;

  # These are all fixed IP addresses. They should be /32 IPv4 block and /128
  # IPv6 block.
  wireguardPeers = {
-    server = with interfaces.wireguard0; { inherit IPv4 IPv6; };
+    server = with interfaces.wireguard0; {
+      IPv4 = IPv4.address;
+      IPv6 = IPv6.address;
+    };
    desktop = {
      IPv4 = "${wireguardIPHostPart}.2";
-      IPv6 = "${wireguardIPv6Prefix}:12ae::2";
+      IPv6 = "${wireguardIPv6Prefix}2";
    };
    phone = {
      IPv4 = "${wireguardIPHostPart}.3";
-      IPv6 = "${wireguardIPv6Prefix}:12ae::3";
+      IPv6 = "${wireguardIPv6Prefix}3";
    };
  };
 }
--- a/hosts/plover/modules/services/atuin.nix
+++ b/hosts/plover/modules/services/atuin.nix
@ -7,7 +7,7 @@ let
  inherit (import ../hardware/networks.nix) preferredInternalTLD interfaces;

  atuinDomain = "atuin.${config.networking.domain}.${preferredInternalTLD}";
-  host = interfaces.internal.IPv4;
+  host = interfaces.internal.IPv4.address;
 in
 {
  # Atuin sync server because why not.
--- a/hosts/plover/modules/services/keycloak.nix
+++ b/hosts/plover/modules/services/keycloak.nix
@ -11,7 +11,7 @@ let
  keycloakDbName = if config.services.keycloak.database.createLocally then keycloakUser else config.services.keycloak.database.username;

  certs = config.security.acme.certs;
-  host = interfaces.internal.IPv4;
+  host = interfaces.internal.IPv4.address;
 in
 {
  # Hey, the hub for your application sign-in.
--- a/hosts/plover/modules/services/wireguard.nix
+++ b/hosts/plover/modules/services/wireguard.nix
@ -53,8 +53,8 @@ in
    networks."99-${wireguardIFName}" = {
      matchConfig.Name = wireguardIFName;
      address = with interfaces.wireguard0; [
-        "${IPv4}/32"
-        "${IPv6}/128"
+        "${IPv4.address}/32"
+        "${IPv6.address}/128"
      ];

      routes = [