fuuko/router: Use bridge for lan

2023-04-05 10:09:14 +02:00 · 2023-04-05 10:09:14 +02:00 · 7c0ccbbd6a
parent 67dabb0de5
commit 7c0ccbbd6a
2 changed files with 16 additions and 5 deletions
--- a/machines/fuuko/hardware-configuration.nix
+++ b/machines/fuuko/hardware-configuration.nix
@ -15,7 +15,7 @@
    supportedFilesystems = [ "btrfs" ];
    # FIXME this doesn’t work because (AFAIK) there is no VLAN support in the ip= parameter
    kernelParams = [
-      (with config.systemd.network.networks; "ip=${lib.elemAt lan.address 0}::::${config.networking.hostName}:${physical.name}")
+      (with config.systemd.network.networks; "ip=${lib.elemAt br-lan.address 0}::::${config.networking.hostName}:${physical.name}")
    ];
    initrd = {
      availableKernelModules = [
--- a/machines/fuuko/services/router.nix
+++ b/machines/fuuko/services/router.nix
@ -43,7 +43,7 @@ in
      enable = true;
      enableIPv6 = true;
      externalInterface = "wg-mullvad";
-      internalInterfaces = [ "lan" ];
+      internalInterfaces = [ "br-lan" ];
      internalIPv6s = [ "fd00:80:1::/64" ];
    };
  };
@ -69,6 +69,12 @@ in
          Id = 3;
        };
      };
+      br-lan = {
+        netdevConfig = {
+          Name = "br-lan";
+          Kind = "bridge";
+        };
+      };
      wg-mullvad = {
        netdevConfig = {
          Kind = "wireguard";
@ -122,6 +128,10 @@ in
        matchConfig = {
          Type = "vlan";
        };
+        bridge = [ "br-lan" ];
+      };
+      br-lan = {
+        name = "br-lan";
        domains = [ domain ];
        address = [ "10.80.1.1/24" "fd00:80:1::1/64" ];
      };
@ -178,7 +188,7 @@ in
    extraConfig = ''
      bogus-priv # do not forward revese lookups of internal addresses
      domain-needed # do not forward names without domain
-      interface=lan # only respond to queries from lan
+      interface=br-lan # only respond to queries from lan
      no-hosts # do not resolve hosts from /etc/hosts
      no-resolv # only use explicitly configured resolvers

@ -186,8 +196,8 @@ in

      domain=${domain}
      # Allow resolving the router
-      interface-name=${config.networking.hostName}.${domain},lan
-      interface-name=${config.networking.hostName},lan
+      interface-name=${config.networking.hostName}.${domain},br-lan
+      interface-name=${config.networking.hostName},br-lan

      # DHCPv4
      dhcp-range=10.80.1.20,10.80.1.150,12h
@ -209,6 +219,7 @@ in
      #"2620:fe::fe"
    ];
  };
+  systemd.services.dnsmasq.after = [ "systemd-networkd.service" ];

  services.prometheus.exporters.dnsmasq = {
    enable = true;