From 3ba8be0f8621b695d9b1cbe432f29512e5ce1fb1 Mon Sep 17 00:00:00 2001 From: Tim Keller Date: Sat, 13 Jun 2026 14:14:46 -0500 Subject: containerized router and networking services and update poweredge config --- hosts/poweredge/configuration.nix | 34 ++--- hosts/poweredge/networking.nix | 174 +++++++++++++--------- hosts/poweredge/resources/secrets/wg0-router.yaml | 16 ++ hosts/poweredge/resources/secrets/wg1.yaml | 16 -- hosts/poweredge/router-hosts.nix | 71 +++++++++ hosts/poweredge/wg1.nix | 7 - 6 files changed, 197 insertions(+), 121 deletions(-) create mode 100644 hosts/poweredge/resources/secrets/wg0-router.yaml delete mode 100644 hosts/poweredge/resources/secrets/wg1.yaml create mode 100644 hosts/poweredge/router-hosts.nix delete mode 100644 hosts/poweredge/wg1.nix (limited to 'hosts/poweredge') diff --git a/hosts/poweredge/configuration.nix b/hosts/poweredge/configuration.nix index f2e3e09..8ad7350 100644 --- a/hosts/poweredge/configuration.nix +++ b/hosts/poweredge/configuration.nix @@ -1,10 +1,13 @@ { config, lib, pkgs, ... }: { imports = [ - ./ddns-updater.nix + #./ddns-updater.nix ./fileshares.nix ./networking.nix #./notification-mailer.nix # TODO move some of this stuff to archetype - ./wg1.nix + #./gitea.nix + ./jellyfin.nix + ./immich.nix + #./bitcoind.nix ]; # Setup bootloader @@ -18,10 +21,6 @@ home.users.timmy.enable = true; }; zfs.enable = true; - router.enable = true; - }; - collections = { - development.docker.enable = true; }; }; 
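Review bot: The imports list in the first hunk now carries four commented-out entries (`#./ddns-updater.nix`, `#./notification-mailer.nix`, `#./gitea.nix`, `#./bitcoind.nix`) with no indication of whether they are pending, broken or retired, and ddns-updater is switched off here without the commit message saying why. A short reason on each disabled line, e.g. `#./ddns-updater.nix # disabled: <reason>`, or dropping the entries that are truly retired, would keep the list from turning into dead configuration.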
@@ -31,27 +30,12 @@ # Enable smartd services.smartd.enable = true; # TODO move to archetype - # Enable web services - services = { - #_cgit = { - # enable = true; - # hostAddress = "192.168.1.10"; - # localAddress = "192.168.1.11"; - # rootTitle = "PowerEdge local cgit"; - # # TODO add authorizedKeys - #}; - _immich = { - enable = true; - mediaLocationHostPath = "/media/ingens/immich"; - }; - _jellyfin = { - enable = true; - mediaLocationHostPath = "/media/ingens/media"; - }; + # Enable nvidia + hardware.nvidia = { + open = false; # Need for NVENC + package = config.boot.kernelPackages.nvidiaPackages.stable; }; - #services._klipper.enable = true; - # Enable user timmy _users.timmy.enable = true; diff --git a/hosts/poweredge/networking.nix b/hosts/poweredge/networking.nix index 09759ee..9a9273c 100644 --- a/hosts/poweredge/networking.nix +++ b/hosts/poweredge/networking.nix 
@@ -1,90 +1,118 @@ -{ +let + hostIp = "192.168.1.10"; +in { config, ... }: { networking = { - enableIPv6 = false; # Label lan and wan interfaces _interfaceLabels = { enable = true; - interfaces = { - lan0 = "50:9a:4c:5d:c3:7a"; - wan0 = "50:9a:4c:5d:c3:7b"; - }; + interfaces.lan0 = "50:9a:4c:5d:c3:7a"; + interfaces.wan0 = "50:9a:4c:5d:c3:7b"; }; - # Set ip addresses + # Create bridged lan interface for all containers + bridges.br-lan0.interfaces = [ "lan0" ]; + # Disable dhcp on router interfaces interfaces = { - lan0.ipv4.addresses = [{ - address = "192.168.1.1"; - prefixLength = 24; - }]; - wan0.useDHCP = true; + veth-router-lan.useDHCP = false; + vb-router-lan0.useDHCP = false; }; - # Firewall rules - firewall = { - interfaces.wan0 = { - allowedUDPPorts = [ 51820 ]; - }; - interfaces.lan0 = { - allowedTCPPorts = [ 2283 80 ]; # FIXME temp - }; + # Configure network + defaultGateway = "10.255.255.1"; # Read explaination for veth-router-lan below + nameservers = [ "192.168.1.1" ]; # DNS will only be available from this ip address THROUGH the default gateway + # br-lan0 will be the interface used for networking on poweredge host + interfaces.br-lan0.ipv4.addresses = [{ + address = hostIp; + prefixLength = 24; + }]; + }; + + # Wireguard office tunnel secret + sops.secrets.wg0-router.sopsFile = ./resources/secrets/wg0-router.yaml; + + # Router container + containers.router = { + autoStart = true; + ephemeral = true; + privateNetwork = true; + # Pass wan0 directly into container since it isn't needed elsewhere + interfaces = [ "wan0" ]; + # Setup router lan0 + # NOTE: Host/container communication is not possible through a hostBridge interface + extraVeths.vb-router-lan0.hostBridge = "br-lan0"; + # Setup virtual host-router bridge interface. + # This is the default gateway for host/container communication since + # communication isn't possible through hostBridge interfaces. 
+ # This is essentially equivalent to connecting the host to the + # container with a virtual ethernet cable on a separate interface. + extraVeths.veth-router-lan = { + hostAddress = "10.255.255.2"; + localAddress = "10.255.255.1"; }; - # Additional advanced rules - # TODO add multi NAT feature to router service - nftables = { - enable = true; - tables = { - # NAT/masquerade wg1 allowing lan0 clients to access wg1 - wg-nat = { - family = "ip"; - content = '' - chain post { - type nat hook postrouting priority srcnat; policy accept; - iifname "lan0" oifname "wg1" masquerade comment "lan0 => wg1" - } - ''; - }; - }; + # Bind wg0-router secret to container + bindMounts."/run/secrets/wg0" = { + hostPath = config.sops.secrets.wg0-router.path; + isReadOnly = true; }; - }; - services._router = { - dnsDhcpConfig = { - localDomain = "home.lan"; - dhcp = { - defaultGateway = "192.168.1.1"; - localhostIp = "192.168.1.1"; - rangeStart = "192.168.1.50"; - rangeEnd = "192.168.1.250"; - # TODO think about moving leases to another file - staticLeases = { - idrac-7N94GK2 = { - macAddress = "50:9a:4c:5d:c3:7c"; - staticIp = "192.168.1.2"; - }; - OpenWrt-Attic = { - macAddress = "34:98:b5:60:5e:be"; - staticIp = "192.168.1.3"; - }; - OpenWrt-Basement = { - macAddress = "8c:3b:ad:35:c7:8c"; - staticIp = "192.168.1.4"; - }; - ArcherC54 = { - macAddress = "12:eb:b6:13:f9:e2"; - staticIp = "192.168.1.5"; - }; - T495 = { - macAddress = "04:33:c2:9d:34:74"; - staticIp = "192.168.1.11"; - }; - optiplex = { - macAddress = "e4:54:e8:bc:ba:05"; - staticIp = "192.168.1.12"; + config = { lib, config, ... 
}: { + imports = [ + ../../nixos/services/router + ./router-hosts.nix # Contains dhcp config + static leases + overrides + ]; + + networking = { + # Set ip addresses + enableIPv6 = false; + interfaces = { + vb-router-lan0.ipv4.addresses = [{ + address = "192.168.1.1"; + prefixLength = 24; + }]; + wan0.useDHCP = true; + }; + # Setup wireguard + wg-quick.interfaces = { + wg0.configFile = "/run/secrets/wg0"; + }; + # Firewall (port-forwarding) rules + firewall = { + #interfaces.wan0 = { + # allowedTCPPorts = [ 8333 ]; # bitcoin + # allowedUDPPorts = [ 51820 ]; # wg + #}; + }; + # Additional advanced rules + # TODO add multi NAT feature to router service (this is just a normal nat rule) + nftables = { + enable = true; + tables = { + # NAT/masquerade wg0 allowing vb-router-lan0 clients to access wg0 + wg-nat = { + family = "ip"; + content = '' + chain post { + type nat hook postrouting priority srcnat; policy accept; + iifname "vb-router-lan0" oifname "wg0" masquerade comment "vb-router-lan0 => wg0" + } + ''; + }; }; - X230 = { - macAddress = "84:3a:4b:60:34:c4"; - staticIp = "192.168.1.13"; + }; + }; + + # Setup router + services._router = { + dnsDhcpConfig.enable = true; + routing = { + enable = true; + interfaces = { + lan = [ "vb-router-lan0" "veth-router-lan" ]; + wan = "wan0"; }; }; }; + + system.stateVersion = "25.11"; }; }; + } diff --git a/hosts/poweredge/resources/secrets/wg0-router.yaml b/hosts/poweredge/resources/secrets/wg0-router.yaml new file mode 100644 index 0000000..647039d --- /dev/null +++ b/hosts/poweredge/resources/secrets/wg0-router.yaml 
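Review bot: The masquerade rule in `wg-nat` matches only `iifname "vb-router-lan0"`, while `services._router.routing.interfaces.lan` also lists `veth-router-lan` and the host now routes everything via `10.255.255.1`, so host-originated packets bound for wg0 would be forwarded with source 10.255.255.2 and no NAT; if the host is meant to reach the tunnel at all (that depends on the AllowedIPs inside the encrypted wg0 config, which is not visible here), widen the rule to `iifname { "vb-router-lan0", "veth-router-lan" } oifname "wg0" masquerade comment "lan => wg0"`. The host-level `enableIPv6 = false;` is removed and only re-added inside the container, so IPv6 stays enabled on the host's br-lan0 while the router ignores it; a comment stating that this is intended, or restoring the host setting, would avoid an unintended dual-stack host behind an IPv4-only router. The read-only bind mount of the wg0 secret and the now-empty container `firewall` block (leaving wan0 closed by the default firewall) look right, but the heading `# Firewall (port-forwarding) rules` above an all-commented body reads better as `# No inbound wan0 ports are opened; the commented entries are the candidates (bitcoin, wg)`.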
@@ -0,0 +1,16 @@
+wg0-router: ENC[AES256_GCM,data:MGgB2vdRHgLlFjqB8miSE4myIGWdZazsvDfNUvYS7fM57NM6fzylHz1zle3nwNIysclPCQt9PSZqAJUkdZ5d0ocMhsnbpL9iKBiTHtqdl0KfDkKctWxi8sr3NqNPkW9uJD26aDA8Ti3OWM3JFIyxUb9KT53nZZLHpwpcygeEbfYMMTpKbUf68gMAClvYDg0mHwxVYbZT6aLqZewORBT1JkEPClone00YXizedWGzMsJ/p6b6mQz/HfbEdfq95EWTKSkHRYLPosXCikrJ6VV+uQt0dNS/Gqe0vfocYQUqcK9dt37n7q40Fh2oJgPwMsTj7lTJiAE87GqmpGuRsfbSF+Fr2pu4RRbm9iulzy13PcdrRPrjSKtM6oh/d13T7Yv8MJQTZDNWWsG9ApCXLqH8mF6pFckEtrWSB0sQQEt9ITkIs82t0kwgGh/fsig0cQ==,iv:AX2lb8By/hL5EWodLqGq8KvymkRyytZSGBpvydvBQcU=,tag:iadygaObGVNzvihxbtQRtw==,type:str]
+sops:
+ age:
+ - recipient: age1zfvmt2avdlfz0fvchczplc84u7m8vqausm7zytl9s4x9m9yax4cqy30zpz
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxOFFVRFl2MDhiUVRPdnZJ
+ b3BSZ0pSaG8vR3o3SGlmVENvN3ZObHU3eUc4CmJrdk8rbXpBMWhTZ2hvdlk0VWo1
+ ejdnTDR4bFlUUXc4Smd0NEp6b3crZFUKLS0tIFBsQUdRWjZLSDY1ZlFaRDdLOVhs
+ MFFGY0NSU3NaK2U0U1NndUIyYm54ZWsKZ6q9j1fNaNSzBA0rbZYyUWt3U2V/7/9/
+ FZTKd8mH/uCoxvK8unlVZ9uYNADRh2smp7LwK1AWie/6khAIFqVBeg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2026-06-13T18:52:56Z"
+ mac: ENC[AES256_GCM,data:s7zE/odQ1AAgAjeUGT1ROe/zGQWz2JP7jh04/sY87gQ8xfgG2PJVlsyW1dZvzHesAf/1UqCaY9rYhZ4xo/GN8JTo2P9QqX38Mg/YNPk+GSpZ4TMGpxBHqb1DOPkDWvE9K43bm35GHluDBA7aOjkqMT9VaQHvYtHS+vLsdiGtyFw=,iv:javBbSBq3qkF25iLZgHthfS/OFDH6DTsnGNmIR/LrN4=,tag:Zs7ckugLHY/cjCWTaImzSg==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.12.1
diff --git a/hosts/poweredge/resources/secrets/wg1.yaml b/hosts/poweredge/resources/secrets/wg1.yaml
deleted file mode 100644
index 6610514..0000000
--- a/hosts/poweredge/resources/secrets/wg1.yaml
+++ /dev/null
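Review bot: The age `enc` stanza in this new file is byte-identical to the one in the deleted wg1.yaml, which means the sops data key was carried over rather than freshly generated (the file was evidently edited or renamed from wg1.yaml instead of created anew). With sops' random per-value IVs that is still cryptographically sound, but it ties the new secret to the key material of a file that is now only in git history; if the wg1 credential is meant to be retired, re-encrypting with a fresh data key (`sops rotate` on this file) makes the two independent.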
@@ -1,16 +0,0 @@
-wg1: ENC[AES256_GCM,data:1IySjV57HcywgiCZ/ZYbcr4Y9EbLrb6bE4kpG1DmDsLiRVFSfZA1UOoMGosot+7YiuE4xfZNHGSnzDrpE73gi5E9qYlvjhOfyLq06a1lK7Q0Wo/QrH9eSH05h6SA4E8sE0w2aKY/6cWfLaXTP1d7xLJA1OOCy7y+wIXrHQcA/TI5XIxikFSe+tT7rhKz128u6MIGl8VWzCp4RmoN94MAgWp0RoVt0VSHlvNPTbMuTZI0YPN1NgHjcf7KWnit33GXydmAWr+wym/oxxdT77O6wMPcGIsxmMLOPNy3K1sTezGTPSS1CSVniKIIW2HYZepGfaTlKwBFIn7ctmMrBvqmMcHiW+QIPwWbOC8UWHJAGklv3vCa7Q8XDUKlOPNdS0o73jb+BVUJWerwR4ik6NPu/H/lWgIETg1pd/Qv//nGsPeGRIUFKyKxoL/5E67+pA==,iv:d+T6wKhV1i/2kae03VPLMaTFB2yleeDFPm1lrfjvkx8=,tag:h/41zAlfz6oBo8jqz9NW7A==,type:str]
-sops:
- age:
- - recipient: age1zfvmt2avdlfz0fvchczplc84u7m8vqausm7zytl9s4x9m9yax4cqy30zpz
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxOFFVRFl2MDhiUVRPdnZJ
- b3BSZ0pSaG8vR3o3SGlmVENvN3ZObHU3eUc4CmJrdk8rbXpBMWhTZ2hvdlk0VWo1
- ejdnTDR4bFlUUXc4Smd0NEp6b3crZFUKLS0tIFBsQUdRWjZLSDY1ZlFaRDdLOVhs
- MFFGY0NSU3NaK2U0U1NndUIyYm54ZWsKZ6q9j1fNaNSzBA0rbZYyUWt3U2V/7/9/
- FZTKd8mH/uCoxvK8unlVZ9uYNADRh2smp7LwK1AWie/6khAIFqVBeg==
- -----END AGE ENCRYPTED FILE-----
- lastmodified: "2026-03-31T02:00:52Z"
- mac: ENC[AES256_GCM,data:VXBQSegpiLmT5pF0XVB8NTVzhn4QDE2WfVznANVdrXC4BqFYoQXscW+4BcMmwkUqz5MjeKNF4KgRwtpKWVyRXG7EXVEGeA/NdysAxM9eSD4YrQZLqWzG8UKStyFG7jgHw/YA3H94hJ3rYnhsA9Kb3DHEmnQSZskTOmn2ppyUunQ=,iv:/rVWmaXl149Prhv35wBDZN6c+HgQ6PYSb8RIE30t7MI=,tag:SZ7mI9XDsIjhliFyWO14ug==,type:str]
- unencrypted_suffix: _unencrypted
- version: 3.12.1
diff --git a/hosts/poweredge/router-hosts.nix b/hosts/poweredge/router-hosts.nix
new file mode 100644
index 0000000..007d2d7
--- /dev/null
+++ b/hosts/poweredge/router-hosts.nix
@@ -0,0 +1,71 @@
+let
+ localDomain = "home.lan";
+ dhcp = {
+ inherit staticLeases;
+ defaultGateway = "192.168.1.1";
+ localhostIp = "192.168.1.1";
+ rangeStart = "192.168.1.50";
+ rangeEnd = "192.168.1.250";
+ };
+ staticLeases = {
+ # Network
+ idrac-7N94GK2 = {
+ macAddress = "50:9a:4c:5d:c3:7c";
+ staticIp = "192.168.1.2";
+ };
+ OpenWrt-Attic = {
+ macAddress = "34:98:b5:60:5e:be";
+ staticIp = "192.168.1.3";
+ };
+ OpenWrt-Basement = {
+ macAddress = "8c:3b:ad:35:c7:8c";
+ staticIp = "192.168.1.4";
+ };
+ ArcherC54 = {
+ macAddress = "12:eb:b6:13:f9:e2";
+ staticIp = "192.168.1.5";
+ };
+ # Desktops
+ T495 = {
+ macAddress = "04:33:c2:9d:34:74";
+ staticIp = "192.168.1.11";
+ };
+ optiplex = {
+ macAddress = "e4:54:e8:bc:ba:05";
+ staticIp = "192.168.1.12";
+ };
+ X230 = {
+ macAddress = "84:3a:4b:60:34:c4";
+ staticIp = "192.168.1.13";
+ };
+ # Services
+ gnuslashprinter = {
+ macAddress = "00:23:24:5b:f0:6d";
+ staticIp = "192.168.1.40";
+ };
+ immich = {
+ macAddress = "02:00:00:00:00:01";
+ staticIp = "192.168.1.41";
+ };
+ jellyfin = {
+ macAddress = "02:00:00:00:00:02";
+ staticIp = "192.168.1.42";
+ };
+ gitea = {
+ macAddress = "02:00:00:00:00:03";
+ staticIp = "192.168.1.43";
+ };
+ bitcoind = {
+ macAddress = "02:00:00:00:00:04";
+ staticIp = "192.168.1.44";
+ };
+ };
+ dns.hostOverrides = {
+ "router.${localDomain}" = "192.168.1.1";
+ "poweredge.${localDomain}" = "192.168.1.10";
+ };
+in {
+ services._router.dnsDhcpConfig = {
+ inherit localDomain dhcp dns;
+ };
+}
diff --git a/hosts/poweredge/wg1.nix b/hosts/poweredge/wg1.nix
deleted file mode 100644
index d94efb6..0000000
--- a/hosts/poweredge/wg1.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{ config, pkgs, inputs, ... }: {
- sops.secrets.wg1.sopsFile = ./resources/secrets/wg1.yaml;
-
- networking.wg-quick.interfaces = {
- wg1.configFile = config.sops.secrets.wg1.path;
- };
-}
-- 
cgit v1.2.3
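Review bot: `"poweredge.${localDomain}" = "192.168.1.10";` repeats the host address that networking.nix defines as `hostIp` in its own `let`, so the DNS override and the br-lan0 address can drift apart silently; either pass the value in from the host config or pin the two together with a comment such as `# keep in sync with hostIp (br-lan0 address) in ./networking.nix`. The `02:00:00:00:00:0N` locally-administered MACs under `# Services` presumably have to match the `macAddress` set in the immich/jellyfin/gitea/bitcoind container files, which are not in this diff; a comment at `# Services` naming where those MACs are assigned would let a reader verify the pairing. Note also that a static lease keyed on a MAC is a convenience, not an identity check — the DHCP server cannot tell which device is presenting a given MAC — so nothing on the LAN should treat these addresses as authentication.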