vtluug · mikhail729 · Nov 19, 2025 · Dec 5, 2025 · Dec 5, 2025 · Dec 15, 2025
diff --git a/hosts/zerocool/configuration.nix b/hosts/zerocool/configuration.nix
@@ -1,43 +1,168 @@
-{ config, lib, pkgs, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
 let
-  wan_iface = "enp3s0f0";
-  lan_iface = "enp3s0f1";
-  wg_iface  = "wg0";
-  lan_addr  = "10.98.4.1";
-  lan_cidr  = 22;
+  wanIface = "enp3s0f0";
+  wan = {
+    ipv4 = {
+      gateway = "198.82.185.129";
+      address = "198.82.185.170";
+      cidr = 22;
+    };
+    ipv6 = {
+      gateway = "2001:468:c80:6119::1";
+      address = "2001:468:c80:6119:82c1:6eff:fe21:2b88";
+      cidr = 64;
+    };
+    tcpPorts = [
+      22
+      2222
+    ];
+    udpPorts = [ 51820 ];
+    # Publicly routable IPv4 addresses only
+    exposeIpv4Hosts = [
+      # Alex's box
+      "198.82.185.174"
+    ];
+    # Publicly routable IPv6 addresses only
+    exposeIpv6Hosts = [
+      # Alex's box
+      "2607:b400:6:ce83:225:90ff:fe9b:ed30"
+    ];
+  };
+
+  wgIface = "wg0";
+
+  lanIface = "enp3s0f1";
+  lan = {
+    # Management
+    "10" = {
+      ipv4 = {
+        address = "10.98.4.1";
+        cidr = 24;
+      };
+      ipv6 = {
+        address = "2607:b400:6:ce80::1";
+        cidr = 64;
+      };
+      isolate = true;
+      allowRouterAccess = true;
+      domain = "mgmt";
+      dhcpv4 = "10.98.4.128,10.98.4.254,12h";
+      dhcpv6 = "ra-stateless,ra-names,12h";
+    };
+    # Untagged (native) VLAN Internal Traffic
+    "20" = {
+      ipv4 = {
+        address = "10.98.5.1";
+        cidr = 24;
+      };
+      ipv6 = {
+        address = "2607:b400:6:ce81::1";
+        cidr = 64;
+      };
+      isolate = false;
+      allowRouterAccess = true;
+      untagged = true;
+      domain = "internal";
+      dhcpv4 = "10.98.5.128,10.98.5.254,12h";
+      dhcpv6 = "ra-stateless,ra-names,12h";
+    };
+    # General Hosts
+    "30" = {
+      ipv4 = {
+        address = "10.98.6.1";
+        cidr = 24;
+        # IPv4 hosts for ARP proxy
+        publicHosts = [ ];
+      };
+      ipv6 = {
+        address = "2607:b400:6:ce82::1";
+        cidr = 64;
+      };
+      isolate = false;
+      allowRouterAccess = true;
+      domain = "g";
+      dhcpv4 = "10.98.6.128,10.98.6.254,12h";
+      dhcpv6 = "ra-stateless,ra-names,12h";
+    };
+    # Co-location
+    "40" = {
+      ipv4 = {
+        address = "10.98.7.1";
+        cidr = 24;
+        # IPv4 hosts for ARP proxy
+        publicHosts = [
+          # Alex's box
+          "198.82.185.174"
+        ];
+      };
+      ipv6 = {
+        address = "2607:b400:6:ce83::1";
+        cidr = 64;
+      };
+      isolate = true;
+      allowRouterAccess = false;
+      domain = "colo";
+      dhcpv4 = "10.98.7.128,10.98.7.254,12h";
+      dhcpv6 = "ra-stateless,ra-names,12h";
+    };
+  };
+
+  checkUntagged = lib.asserts.assertMsg (
+    builtins.length (
+      builtins.filter (e: builtins.hasAttr "untagged" e.snd) (
+        lib.lists.zipLists (builtins.attrNames lan) (builtins.attrValues lan)
+      )
+    ) == 1
+  ) "There must be exactly one untagged VLAN for LAN" lan;
 in
 {
-  imports =
-    [
-      ./hardware-configuration.nix
-      ../common/nix.nix
-      ../common/sshd.nix
-      ../common/users-local.nix
-      ../common/tz-locale.nix
+  imports = [
+    ./hardware-configuration.nix
+    ../common/nix.nix
+    ../common/sshd.nix
+    ../common/users-local.nix
+    ../common/tz-locale.nix
 
-      ./dns.nix
-      (import ./router.nix {
-        inherit wan_iface lan_iface lan_addr lan_cidr wg_iface;
-        wan_gateway = "198.82.185.129";
-        wan_addr = "198.82.185.170";
-        wan_cidr = 22;
-        wan_addr6 = "2001:468:c80:6119:82c1:6eff:fe21:2b88";
-        wan_cidr6 = 64;
-      })
-      (import ./firewall.nix {
-        inherit lan_iface;
-      })
-      (import ./dhcp.nix {
-        inherit lan_iface;
-        dhcp_start = "10.98.5.1";
-        dhcp_end = "10.98.5.127";
-      })
-      (import ./wireguard.nix {
-        inherit config wg_iface;
-      })
-    ];
+    ./router.nix
+    (import ./lan.nix {
+      inherit lib lanIface lan;
+    })
+    (import ./dhcp.nix {
+      inherit lib lanIface lan;
+    })
+    (import ./wan.nix {
+      inherit wanIface wan;
+    })
+    (import ./firewall.nix {
+      inherit
+        lib
+        lanIface
+        lan
+        wanIface
+        wan
+        wgIface
+        ;
+    })
+    (import ./wireguard.nix {
+      inherit config wgIface;
+    })
+  ];
+
+  environment.systemPackages = with pkgs; [
+    neovim
+    helix
+    mtr
+    dig
+    tcpdump
+    ndisc6
+    inetutils
+  ];
 
   networking.hostName = "zerocool";
   system.stateVersion = "25.05";
 }
-
diff --git a/hosts/zerocool/dhcp.nix b/hosts/zerocool/dhcp.nix
@@ -1,20 +1,73 @@
-{ lan_iface, dhcp_start, dhcp_end }:
+{
+  lib,
+  lanIface,
+  lan,
+  ...
+}:
 let
   hosts = import ./static-hosts.nix;
-  dnsmasq-hosts = builtins.map (host:
-  "${host.mac},${host.ipv4},${host.name}"
-  ) hosts;
+  dnsmasqHosts = builtins.map (host: "${host.mac},${host.ipv4},${host.name}") hosts;
+  globalDomain = "mcb.vtluug.org";
+
+  taggedVlans = (
+    builtins.filter (e: !builtins.hasAttr "untagged" e.snd) (
+      lib.lists.zipLists (builtins.attrNames lan) (builtins.attrValues lan)
+    )
+  );
+  untaggedVlan = lib.lists.findFirst (
+    e: builtins.hasAttr "untagged" e
+  ) (throw "Must have untagged VLAN") (builtins.attrValues lan);
+
+  interfaces = builtins.map (e: "vlan${e.fst}") (
+    builtins.filter (
+      e: (builtins.hasAttr "dhcpv4" e.snd) || (builtins.hasAttr "dhcpv6" e.snd)
+    ) taggedVlans
+  );
 in
 {
+  networking.nameservers = [
+    "::"
+    "127.0.0.1"
+  ];
+
+  # DNS, DHCPv4, DHCPv6
+  networking.firewall.allowedUDPPorts = [
+    53
+    67
+    547
+  ];
+
   services.dnsmasq = {
     enable = true;
     settings = {
-      interface = lan_iface;
-      dhcp-range = [
-        "${dhcp_start},${dhcp_end},12h"
-        "10.98.4.2,static,255.255.255.0"
+      domain =
+        (lib.lists.optional (builtins.hasAttr "domain" untaggedVlan) "${untaggedVlan.domain}.${globalDomain},${untaggedVlan.ipv4.address}/${toString untaggedVlan.ipv4.cidr}")
+        ++ (builtins.map (
+          e: "${e.snd.domain}.${globalDomain},${e.snd.ipv4.address}/${toString e.snd.ipv4.cidr}"
+        ) (builtins.filter (e: builtins.hasAttr "domain" e.snd) taggedVlans));
+      server = [
+        "9.9.9.9"
+        "2620:fe::fe"
+        "1.1.1.1"
+        "2606:4700:4700::1111"
+        "/whit.vtluug.org/10.98.3.2"
+        "/bastille.vtluug.org/10.98.3.2"
       ];
-      "dhcp-host" = dnsmasq-hosts;
+      interface =
+        (lib.lists.optional (
+          (builtins.hasAttr "dhcpv4" untaggedVlan) || (builtins.hasAttr "dhcpv6" untaggedVlan)
+        ) lanIface)
+        ++ interfaces;
+      dhcp-range =
+        (lib.lists.optional (builtins.hasAttr "dhcpv4" untaggedVlan) "interface:${lanIface},${untaggedVlan.dhcpv4}")
+        ++ (lib.lists.optional (builtins.hasAttr "dhcpv6" untaggedVlan) "interface:${lanIface},::,constructor:${lanIface},${untaggedVlan.dhcpv6}")
+        ++ (builtins.map (e: "interface:vlan${e.fst},${e.snd.dhcpv4}") (
+          builtins.filter (e: builtins.hasAttr "dhcpv4" e.snd) taggedVlans
+        ))
+        ++ (builtins.map (e: "interface:vlan${e.fst},::,constructor:vlan${e.fst},${e.snd.dhcpv6}") (
+          builtins.filter (e: builtins.hasAttr "dhcpv6" e.snd) taggedVlans
+        ));
+      dhcp-host = dnsmasqHosts;
     };
   };
-}
+}
diff --git a/hosts/zerocool/dns.nix b/hosts/zerocool/dns.nix