fuuko/router: Use bridge for lan

Simon Bruder 2023-04-05 10:09:14 +02:00
parent 67dabb0de5
commit 7c0ccbbd6a
Signed by: simon
GPG key ID: 8D3C82F9F309F8EC
2 changed files with 16 additions and 5 deletions


@ -15,7 +15,7 @@
supportedFilesystems = [ "btrfs" ];
# FIXME this doesnt work because (AFAIK) there is no VLAN support in the ip= parameter
kernelParams = [
(with config.systemd.network.networks; "ip=${lib.elemAt lan.address 0}::::${config.networking.hostName}:${physical.name}")
(with config.systemd.network.networks; "ip=${lib.elemAt br-lan.address 0}::::${config.networking.hostName}:${physical.name}")
];
initrd = {
availableKernelModules = [
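Review bot: The `ip=` parameter now reads the address from `br-lan` but still assigns it to `physical.name`, so in the initrd the LAN address lands directly on the physical NIC while the booted system later puts it on the bridge, which the FIXME above does not mention. The comment should describe the new situation, e.g. `# FIXME this doesn't work because (AFAIK) the ip= parameter has no VLAN support and cannot create the bridge, so the br-lan address is put on the physical NIC in the initrd`. Whether initrd networking actually needs the LAN address at all is not visible here. The `kernelParams` list closes in the hunk but the enclosing `boot` attribute set continues outside it.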


@ -43,7 +43,7 @@ in
enable = true;
enableIPv6 = true;
externalInterface = "wg-mullvad";
internalInterfaces = [ "lan" ];
internalInterfaces = [ "br-lan" ];
internalIPv6s = [ "fd00:80:1::/64" ];
};
};
@ -69,6 +69,12 @@ in
Id = 3;
};
};
br-lan = {
netdevConfig = {
Name = "br-lan";
Kind = "bridge";
};
};
wg-mullvad = {
netdevConfig = {
Kind = "wireguard";
@ -122,6 +128,10 @@ in
matchConfig = {
Type = "vlan";
};
bridge = [ "br-lan" ];
};
br-lan = {
name = "br-lan";
domains = [ domain ];
address = [ "10.80.1.1/24" "fd00:80:1::1/64" ];
};
@ -178,7 +188,7 @@ in
extraConfig = ''
bogus-priv # do not forward revese lookups of internal addresses
domain-needed # do not forward names without domain
interface=lan # only respond to queries from lan
interface=br-lan # only respond to queries from lan
no-hosts # do not resolve hosts from /etc/hosts
no-resolv # only use explicitly configured resolvers
@ -186,8 +196,8 @@ in
domain=${domain}
# Allow resolving the router
interface-name=${config.networking.hostName}.${domain},lan
interface-name=${config.networking.hostName},lan
interface-name=${config.networking.hostName}.${domain},br-lan
interface-name=${config.networking.hostName},br-lan
# DHCPv4
dhcp-range=10.80.1.20,10.80.1.150,12h
@ -209,6 +219,7 @@ in
#"2620:fe::fe"
];
};
systemd.services.dnsmasq.after = [ "systemd-networkd.service" ];
services.prometheus.exporters.dnsmasq = {
enable = true;
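Review bot: `systemd.services.dnsmasq.after = [ "systemd-networkd.service" ]` only orders dnsmasq after networkd has been started, not after `br-lan` has been created and addressed, so with `interface=br-lan` in `extraConfig` dnsmasq can still start before the bridge exists and presumably fail on an unknown interface. A more robust approach is to let dnsmasq track the interface as it appears by adding `bind-dynamic` to the `extraConfig` block above, or to order the unit after a wait-online unit that waits for `br-lan` specifically. The same consideration applies to the `internalInterfaces = [ "br-lan" ]` change in the NAT hunk, which is fine by itself but depends on the bridge existing when NAT rules are applied. The `services.prometheus.exporters.dnsmasq` attribute set continues outside the hunk.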