From 1d1dc64ef51c7aca02182f7c3cedd4df8501db67 Mon Sep 17 00:00:00 2001
From: arcnmx
Date: Fri, 22 Mar 2024 19:18:24 -0700
Subject: [PATCH] feat: internal bridge
---
nixos/reisen-ct/internal.nix | 48 ++++++++++++++++++++++++++++++++++++
systems/mediabox/nixos.nix | 5 ++++
tf/proxmox_reisen.tf | 12 +++++++++
tf/proxmox_vms.tf | 13 ++++++++++
4 files changed, 78 insertions(+)
create mode 100644 nixos/reisen-ct/internal.nix
diff --git a/nixos/reisen-ct/internal.nix b/nixos/reisen-ct/internal.nix
new file mode 100644
index 00000000..ea69fdae
--- /dev/null
+++ b/nixos/reisen-ct/internal.nix
@@ -0,0 +1,48 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ inherit (lib.options) mkOption mkEnableOption;
+ inherit (lib.modules) mkIf mkMerge mkDefault mkOptionDefault;
+ inherit (lib.trivial) toHexString;
+ cfg = config.access.internal;
+ offset = 32;
+in {
+ options.access = with lib.types; {
+ internal = {
+ enable = mkEnableOption "eth9";
+ macAddress = mkOption {
+ type = nullOr str;
+ default = null;
+ };
+ vmid = mkOption {
+ type = int;
+ };
+ address4 = mkOption {
+ type = str;
+ };
+ address6 = mkOption {
+ type = str;
+ };
+ };
+ };
+ config.access.internal = {
+ address4 = mkOptionDefault "10.9.1.${toString (cfg.vmid - offset)}";
+ address6 = mkOptionDefault "fd0c::${toHexString (cfg.vmid - offset)}";
+ };
+ config.systemd.network.networks.eth9 = mkIf cfg.enable {
+ mdns.enable = false;
+ name = mkDefault "eth9";
+ matchConfig = {
+ MACAddress = mkIf (cfg.macAddress != null) (mkOptionDefault cfg.macAddress);
+ Type = mkOptionDefault "ether";
+ };
+ linkConfig.RequiredForOnline = mkOptionDefault false;
+ address = mkMerge [
+ ["${cfg.address4}/24"]
+ (mkIf config.networking.enableIPv6 [ "${cfg.address6}/64" ])
+ ];
+ DHCP = "no";
+ };
+}
diff --git a/systems/mediabox/nixos.nix b/systems/mediabox/nixos.nix
index 7d0777a4..172c6ce3 100644
--- a/systems/mediabox/nixos.nix
+++ b/systems/mediabox/nixos.nix
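Review bot: The derived defaults `address4 = mkOptionDefault "10.9.1.${toString (cfg.vmid - offset)}"` and the `fd0c::` counterpart are never range-checked, so a vmid below 33 or above 286 silently produces an invalid host part for the /24, and vmid 34 yields host index 2, which tf/proxmox_reisen.tf assigns to the bridge on the hypervisor itself; an `assertions` entry guarded by `cfg.enable` would catch this at evaluation time (sketch below). The prefixes 10.9.1.0/24 and fd0c::/64 and the offset 32 are restated as `reisen_int_prefix4`, `reisen_int_prefix6` and `reisen_int_offset` in tf/proxmox_reisen.tf with nothing tying the two copies together, so a comment such as `# must agree with reisen_int_* in tf/proxmox_reisen.tf` next to `offset = 32;` would at least name the coupling. `mkEnableOption "eth9"` renders as "Whether to enable eth9.", which says nothing about the internal bridge; `mkEnableOption "the internal bridge interface (eth9)"` reads better.

```nix
  # … unchanged: options.access and config.access.internal …
  config.assertions = mkIf cfg.enable [
    {
      assertion = let n = cfg.vmid - offset; in n > 2 && n < 255;
      message = "access.internal: vmid ${toString cfg.vmid} minus offset ${toString offset} must give a host index in 3..254 (index 2 is the bridge itself)";
    }
  ];
  # … unchanged: config.systemd.network.networks.eth9 …
```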
@@ -116,6 +116,11 @@ in {
 gateway = ["10.1.1.1"];
 DHCP = "no";
 };
+ access.internal = {
+ enable = true;
+ macAddress = "BC:24:19:34:F4:A8";
+ vmid = 102;
+ };
 sops.defaultSopsFile = ./secrets.yaml;
diff --git a/tf/proxmox_reisen.tf b/tf/proxmox_reisen.tf
index 7d0050e6..6d37c056 100644
--- a/tf/proxmox_reisen.tf
+++ b/tf/proxmox_reisen.tf
@@ -1,4 +1,8 @@
 locals {
+ reisen_int_prefix4 = "10.9.1.0/24"
+ reisen_int_prefix6 = "fd0c::/64"
+ reisen_int_offset = 32
+
 proxmox_reisen_connection = {
 type = "ssh"
 user = var.proxmox_reisen_ssh_username
@@ -60,3 +64,11 @@ resource "terraform_data" "proxmox_reisen_users" {
 ]
 }
 }
+
+resource "proxmox_virtual_environment_network_linux_bridge" "internal" {
+ node_name = "reisen"
+ name = "vmbr9"
+ address = "${cidrhost(local.reisen_int_prefix4, 2)}/24"
+ address6 = "${cidrhost(local.reisen_int_prefix6, 2)}/64"
+ comment = "internal private network"
+}
diff --git a/tf/proxmox_vms.tf b/tf/proxmox_vms.tf
index 30372d14..dcdb77a5 100644
--- a/tf/proxmox_vms.tf
+++ b/tf/proxmox_vms.tf
@@ -143,6 +143,14 @@ EOT
 gateway = "10.1.1.1"
 }
 }
+ ip_config {
+ ipv6 {
+ address = "${cidrhost(local.reisen_int_prefix6, local.proxmox_mediabox_vm_id - local.reisen_int_offset)}/64"
+ }
+ ipv4 {
+ address = "${cidrhost(local.reisen_int_prefix4, local.proxmox_mediabox_vm_id - local.reisen_int_offset)}/24"
+ }
+ }
 }
 startup {
@@ -155,6 +163,11 @@ EOT
 name = "eth0"
 mac_address = "BC:24:11:34:F4:A8"
 }
+ network_interface {
+ name = "eth9"
+ mac_address = "BC:24:19:34:F4:A8"
+ bridge = proxmox_virtual_environment_network_linux_bridge.internal.name
+ }
 operating_system {
 template_file_id = var.proxmox_container_template
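Review bot: `macAddress = "BC:24:19:34:F4:A8"` and `vmid = 102` are hand-copied values: the same MAC literal appears in the eth9 `network_interface` hunk of tf/proxmox_vms.tf, and the Terraform side derives the internal address from `local.proxmox_mediabox_vm_id` rather than from 102, so nothing checks that the two sides still agree after an edit. If either value drifts, the container keeps booting but the address systemd-networkd assigns no longer matches the one Terraform wrote into the container config, which is hard to notice from either side alone. A comment on these lines, `# must match mac_address of eth9 and proxmox_mediabox_vm_id in tf/proxmox_vms.tf`, makes the coupling visible to whoever edits next; the enclosing attribute set starts before this hunk.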
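Review bot: `address = "${cidrhost(local.reisen_int_prefix4, 2)}/24"` (and the IPv6 twin) puts the hypervisor itself on vmbr9, so every guest attached to the "internal private network" can reach host services on 10.9.1.2 / fd0c::2; whether that is intended is not visible here, and if the Proxmox host firewall rules are written for the uplink bridge only they may not cover this interface, so that is worth confirming. The choice of host index 2 also silently interacts with the guest scheme `vmid - reisen_int_offset` used in tf/proxmox_vms.tf (vmid 34 would collide), and the bridge has no `ports`, so it is intentionally uplink-less; both facts belong in a comment above the resource, e.g. `# uplink-less bridge for guest-to-guest traffic; host takes index 2, guests use vmid - reisen_int_offset (3..254)`.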
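Review bot: The added `ip_config` block is tied to the eth9 `network_interface` in the later hunk only by position (second `ip_config` ↔ second `network_interface`), and nothing in the block says so, so reordering either list would silently move the internal address onto the wrong interface. A comment such as `# second ip_config -> second network_interface (eth9 on the internal bridge); keep order in sync` on the `ip_config {` line would protect that invariant; the enclosing block starts before this hunk. As a point of style, this block lists `ipv6` before `ipv4` while the preceding block ends with an `ipv4` gateway, so the two differ in order for no evident reason.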