feat: internal bridge

2026-02-09 12:29:19 -08:00 · 2024-03-22 19:18:24 -07:00 · 2024-03-22 19:18:24 -07:00 · 1d1dc64ef5
commit 1d1dc64ef5
parent 5f36636902
4 changed files with 78 additions and 0 deletions
--- a/nixos/reisen-ct/internal.nix
+++ b/nixos/reisen-ct/internal.nix
@ -0,0 +1,48 @@
+{
+  config,
+  lib,
+  ...
+}: let
+  inherit (lib.options) mkOption mkEnableOption;
+  inherit (lib.modules) mkIf mkMerge mkDefault mkOptionDefault;
+  inherit (lib.trivial) toHexString;
+  cfg = config.access.internal;
+  offset = 32;
+in {
+  options.access = with lib.types; {
+    internal = {
+      enable = mkEnableOption "eth9";
+      macAddress = mkOption {
+        type = nullOr str;
+        default = null;
+      };
+      vmid = mkOption {
+        type = int;
+      };
+      address4 = mkOption {
+        type = str;
+      };
+      address6 = mkOption {
+        type = str;
+      };
+    };
+  };
+  config.access.internal = {
+    address4 = mkOptionDefault "10.9.1.${toString (cfg.vmid - offset)}";
+    address6 = mkOptionDefault "fd0c::${toHexString (cfg.vmid - offset)}";
+  };
+  config.systemd.network.networks.eth9 = mkIf cfg.enable {
+    mdns.enable = false;
+    name = mkDefault "eth9";
+    matchConfig = {
+      MACAddress = mkIf (cfg.macAddress != null) (mkOptionDefault cfg.macAddress);
+      Type = mkOptionDefault "ether";
+    };
+    linkConfig.RequiredForOnline = mkOptionDefault false;
+    address = mkMerge [
+      ["${cfg.address4}/24"]
+      (mkIf config.networking.enableIPv6 [ "${cfg.address6}/64" ])
+    ];
+    DHCP = "no";
+  };
+}
--- a/systems/mediabox/nixos.nix
+++ b/systems/mediabox/nixos.nix
@ -116,6 +116,11 @@ in {
    gateway = ["10.1.1.1"];
    DHCP = "no";
  };
+  access.internal = {
+    enable = true;
+    macAddress = "BC:24:19:34:F4:A8";
+    vmid = 102;
+  };

  sops.defaultSopsFile = ./secrets.yaml;

--- a/tf/proxmox_reisen.tf
+++ b/tf/proxmox_reisen.tf
@ -1,4 +1,8 @@
 locals {
+  reisen_int_prefix4 = "10.9.1.0/24"
+  reisen_int_prefix6 = "fd0c::/64"
+  reisen_int_offset  = 32
+
  proxmox_reisen_connection = {
    type     = "ssh"
    user     = var.proxmox_reisen_ssh_username
@ -60,3 +64,11 @@ resource "terraform_data" "proxmox_reisen_users" {
    ]
  }
 }
+
+resource "proxmox_virtual_environment_network_linux_bridge" "internal" {
+  node_name = "reisen"
+  name      = "vmbr9"
+  address   = "${cidrhost(local.reisen_int_prefix4, 2)}/24"
+  address6  = "${cidrhost(local.reisen_int_prefix6, 2)}/64"
+  comment = "internal private network"
+}
--- a/tf/proxmox_vms.tf
+++ b/tf/proxmox_vms.tf
@ -143,6 +143,14 @@ EOT
        gateway = "10.1.1.1"
      }
    }
+    ip_config {
+      ipv6 {
+        address = "${cidrhost(local.reisen_int_prefix6, local.proxmox_mediabox_vm_id - local.reisen_int_offset)}/64"
+      }
+      ipv4 {
+        address = "${cidrhost(local.reisen_int_prefix4, local.proxmox_mediabox_vm_id - local.reisen_int_offset)}/24"
+      }
+    }
  }

  startup {
@ -155,6 +163,11 @@ EOT
    name        = "eth0"
    mac_address = "BC:24:11:34:F4:A8"
  }
+  network_interface {
+    name        = "eth9"
+    mac_address = "BC:24:19:34:F4:A8"
+    bridge      = proxmox_virtual_environment_network_linux_bridge.internal.name
+  }

  operating_system {
    template_file_id = var.proxmox_container_template