From 085a4805d7768f4e1f92bea507a54cf470bb425c Mon Sep 17 00:00:00 2001
From: Mathias Magnusson
Date: Sun, 26 Oct 2025 13:28:03 +0100
Subject: wip: vlans
---
 router.nix | 87 ++++++++++++++++++++++++++-----------
 secrets/secrets.nix | 3 +-
 secrets/wifi-password-guest.txt.age | 11 +++++
 secrets/wifi-password-staff.txt.age | 11 +++++
 secrets/wifi-password.txt.age | 11 -----
 5 files changed, 85 insertions(+), 38 deletions(-)
 create mode 100644 secrets/wifi-password-guest.txt.age
 create mode 100644 secrets/wifi-password-staff.txt.age
 delete mode 100644 secrets/wifi-password.txt.age
diff --git a/router.nix b/router.nix
index 03f41fc..b8942e7 100644
--- a/router.nix
+++ b/router.nix
@@ -11,11 +11,21 @@
 53
 67
 ];
+ extraForwardRules = ''
+ iifname "ethlan" oifname "wlan-staff" accept
+ iifname "ethlan" oifname "wlan-guest" accept
+
+ iifname "wlan-staff" oifname "ethlan" accept
+ iifname "wlan-staff" oifname "wlan-guest" accept
+
+ iifname "wlan-guest" oifname "ethlan" accept
+ iifname "wlan-guest" oifname "wlan-staff" accept
+ '';
 };
 nat = {
 enable = true;
 externalInterface = "wan";
- internalInterfaces = [ "lanbr" ];
+ internalInterfaces = [ "ethlan" "wlan-staff" "wlan-guest" ];
 forwardPorts = [
 {
 sourcePort = 51801;
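Review bot: The new extraForwardRules accept every pairing of ethlan, wlan-staff and wlan-guest, so a client that joins the guest VLAN can still reach the wired LAN and the staff VLAN exactly as it could on the old single bridge; the VLAN split provides no segmentation until the guest-facing rules are narrowed. If the intent is that guests only get Internet access, drop `iifname "wlan-guest" oifname "ethlan" accept`, `iifname "wlan-guest" oifname "wlan-staff" accept` and `iifname "wlan-staff" oifname "wlan-guest" accept`, leaving only the ethlan/wlan-staff pair and relying on the forward chain's default policy for the rest (assuming it stays drop for flows that are not already established, which this hunk does not show). A short comment above the block stating the intended trust relationship between the three networks would keep a later edit from widening it again without noticing.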
@@ -53,38 +63,51 @@
 linkConfig.RequiredForOnline = "routable";
 };
- netdevs."10-lanbr".netdevConfig = {
- Kind = "bridge";
- Name = "lanbr";
- };
- networks."10-lanbr" = {
- matchConfig.Name = "lanbr";
- bridgeConfig = { };
- networkConfig = {
- IPMasquerade = "ipv4";
- Address = "10.69.0.1/16";
- };
- linkConfig.RequiredForOnline = "routable";
- };
-
 links."10-ethlan" = {
 matchConfig.Path = "pci-0000:05:00.0-usb-0:2:1.0";
 linkConfig.Name = "ethlan";
 };
 networks."10-ethlan" = {
 matchConfig.Name = "ethlan";
- networkConfig.Bridge = "lanbr";
- linkConfig.RequiredForOnline = "enslaved";
+ networkConfig.Address = "10.69.0.1/24";
+ linkConfig.RequiredForOnline = "routable";
 };
 links."10-wlan" = {
 matchConfig.Path = "pci-0000:09:00.0";
 linkConfig.Name = "wlan";
 };
- networks."10-wlan" = {
+ networks."20-wlan" = {
 matchConfig.Name = "wlan";
- networkConfig.Bridge = "lanbr";
- linkConfig.RequiredForOnline = "enslaved";
+ vlan = [ "wlan-staff" "wlan-guest" ];
+ networkConfig.LinkLocalAddressing = "no";
+ linkConfig.RequiredForOnline = "carrier";
+ };
+
+ netdevs."10-vlan-staff" = {
+ netdevConfig = {
+ Kind = "vlan";
+ Name = "wlan-staff";
+ };
+ vlanConfig.Id = 10;
+ };
+ networks."30-vlan-staff" = {
+ matchConfig.Name = "wlan-staff";
+ networkConfig.Address = "10.69.1.1/24";
+ linkConfig.RequiredForOnline = "routable";
+ };
+
+ netdevs."10-vlan-guest" = {
+ netdevConfig = {
+ Kind = "vlan";
+ Name = "wlan-guest";
+ };
+ vlanConfig.Id = 20;
+ };
+ networks."30-vlan-guest" = {
+ matchConfig.Name = "wlan-guest";
+ networkConfig.Address = "10.69.2.1/24";
+ linkConfig.RequiredForOnline = "routable";
 };
 };
 services.resolved.enable = false;
@@ -119,7 +142,8 @@
 authentication = {
 mode = "wpa3-sae";
 saePasswords = [
- { passwordFile = config.age.secrets."wifi-password.txt".path; }
+ { passwordFile = config.age.secrets."wifi-password-staff.txt".path; vlanid = 10; }
+ { passwordFile = config.age.secrets."wifi-password-guest.txt".path; vlanid = 20; }
 ];
 };
 };
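Review bot: The `vlan = [ "wlan-staff" "wlan-guest" ]` entry together with the two `Kind = "vlan"` netdevs makes systemd-networkd create 802.1Q-tagged sub-interfaces of `wlan`, but stations that hostapd assigns to VLAN 10 or 20 through a per-password vlanid are attached to virtual AP interfaces hostapd creates itself, not to tagged frames on the parent link, so as far as this hunk shows no client would ever land on `wlan-staff` or `wlan-guest` where the addresses and DHCP ranges now live. I may be missing a hostapd-side mapping elsewhere in the file (hostapd's `vlan_file`/`vlan_naming`, or a `vlan_tagged_interface` setup that tags onto a wired trunk); if such a mapping exists, a comment above `networks."20-wlan"` saying which mechanism is relied on and why the parent gets `LinkLocalAddressing = "no"` would save the next reader the same investigation. The enclosing `systemd.network` attribute set starts before and ends after this hunk.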
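Review bot: `vlanid = 10` and `vlanid = 20` on the saePasswords entries only take effect if hostapd's dynamic VLAN handling is enabled (`dynamic_vlan` non-zero in the generated hostapd.conf); unless the NixOS module sets that for you or it is present in this network's raw settings outside the hunk, both passphrases authenticate onto the untagged `wlan`, which after this commit has no address and no DHCP range. Worth confirming, and worth a one-line comment next to these entries noting that the staff/guest split is enforced solely by which passphrase a client presents on a single SSID, since that is the whole trust boundary. The enclosing hostapd network definition begins before and ends after this hunk.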
@@ -141,11 +165,21 @@
 "1.0.0.1"
 ];
- interface = "lanbr";
- dhcp-range = "10.69.0.50,10.69.0.254,255.255.0.0,1h";
+ except-interface = "wan";
+ dhcp-range = [
+ "ethlan,10.69.0.50,10.69.0.254,255.255.255.0,1h"
+ "wlan-staff,10.69.1.2,10.69.1.254,255.255.255.0,1h"
+ "wlan-guest,10.69.2.2,10.69.2.254,255.255.255.0,1h"
+ ];
 dhcp-option = [
- "option:router,10.69.0.1"
- "option:dns-server,10.69.0.1"
+ "ethlan,option:router,10.69.0.1"
+ "ethlan,option:dns-server,10.69.0.1"
+
+ "wlan-staff,option:router,10.69.1.1"
+ "wlan-staff,option:dns-server,10.69.1.1"
+
+ "wlan-guest,option:router,10.69.2.1"
+ "wlan-guest,option:dns-server,10.69.2.1"
 ];
 dhcp-authoritative = true;
@@ -160,6 +194,7 @@
 };
 oden.persist.directories = [ "/var/lib/dnsmasq" ];
- age.secrets."wifi-password.txt".file = ./secrets/wifi-password.txt.age;
+ age.secrets."wifi-password-staff.txt".file = ./secrets/wifi-password-staff.txt.age;
+ age.secrets."wifi-password-guest.txt".file = ./secrets/wifi-password-guest.txt.age;
 age.secrets."dyndns-url.txt".file = ./secrets/dyndns-url.txt.age;
 }
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 0125da8..be661f8 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -7,7 +7,8 @@ let
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPC69ml72mqbn7L3QkpsCJuWdrKFYFNd0MaS5xERbuSF" # ymer
 ];
 files = [
- "wifi-password.txt.age"
+ "wifi-password-staff.txt.age"
+ "wifi-password-guest.txt.age"
 "password-hash.txt.age"
 "dyndns-url.txt.age"
 ];
diff --git a/secrets/wifi-password-guest.txt.age b/secrets/wifi-password-guest.txt.age
new file mode 100644
index 0000000..4396abe
--- /dev/null
+++ b/secrets/wifi-password-guest.txt.age
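Review bot: `except-interface = "wan"` has dnsmasq answer DNS and DHCP on every interface except wan, including the now addressless `wlan` parent and any interface added later, instead of the three networks it actually serves; the tighter form is `interface = [ "ethlan" "wlan-staff" "wlan-guest" ];` with `bind-dynamic = true;` so the VLAN interfaces that appear after dnsmasq starts are still picked up. The bare name in `"ethlan,10.69.0.50,..."` and `"ethlan,option:router,..."` looks like dnsmasq's older untyped tag syntax, matching the tag dnsmasq sets from the receiving interface's name; I could not confirm that current releases still accept it, and the documented form is `tag:ethlan,...`, so either switch or add a one-line comment saying this is a tag match and not an interface selector. The dnsmasq settings block continues outside the hunk.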
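Review bot: The staff secret wired up here is not a new credential: `secrets/wifi-password-staff.txt.age` is added with blob id 97874ac, the same blob id the deleted `secrets/wifi-password.txt.age` had (index 97874ac..0000000), so the previously shared passphrase is now the one that places devices on the staff VLAN. Every device that ever held the old password keeps access to the most trusted segment, which undercuts the reason for splitting guest from staff; if that is not intended, re-encrypt a fresh passphrase for the staff entry and hand out only the guest passphrase going forward. A comment beside these two lines recording which passphrase was rotated would make that decision visible to the next reader.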
@@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> ssh-ed25519 rf0kpA msdDPOThxoyWJRmo/bglWm2nzYOpi5NNF3Klj7lKxQA +dPwPPcj6miYcIvKWB+EInfRQcV6rIRbeGYIDu/8hgeI +-> piv-p256 Ddzw4A AjgyIJrJeopGKXqr3zarCKIK3cebSsEQu4Fp474eXmW7 ++nnfFvB1KNdyntxq0iHuyjRa219CfnDNoDUO+nnfLbg +-> piv-p256 9aSbLw Ah9pJvMr5tQj8l1+p9O+pGJVpEvomsnKQudp+NvA11QI +23h+az85MVXrKNT2ufdLDpiCmb9IWpp6oL5YgtD8ti0 +-> ssh-ed25519 YS7/yg oIQkL1BRoTBzp5XPVFxIRhRD/LX2RIPxZodMiBF7dBc +23FyGh6NfFqLTxxAuNW+Nc6NCIMJMkXxqTC7PkQjEio +--- xOXMGYxRuRpoqbUBNk6/zhCjTKptV44bWW3MDQLG6IU +kSMM9T1/֐u+OlΉ|;;+m8.Uc;NǶW \ No newline at end of file diff --git a/secrets/wifi-password-staff.txt.age b/secrets/wifi-password-staff.txt.age new file mode 100644 index 0000000..97874ac --- /dev/null +++ b/secrets/wifi-password-staff.txt.age @@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> ssh-ed25519 rf0kpA ZRfFZC4N5Jdnc32fZiL0QkXth2Lm1AuvGBW2PaFS/Dk +RxOiUlv8wkWggGrRB0tokIyZIno+4Yxk/kf9FxpKqZ8 +-> piv-p256 Ddzw4A AwOuo9hts6Yz0cm878aHI6rwFyXNT1dHOiYsvloVA+2E +GolNszVMq4xdHm0HIrAWVGhHwmSySkYbaA2+BVEhvGw +-> piv-p256 9aSbLw Ay35UlB8/sD2b92X/AQ47MZG5FmEh8BaaNpAYm6Ousb4 +ctMzgWfXczvfQFBNTeFau4E6LlrKiDma5JN3T48WYMU +-> ssh-ed25519 YS7/yg pxaaPWZcrAv8B11T+h/v9CE4xzb/VglRPRJbAthA6lU +/Ye6TnDB+49l7REHzxBN4jPbOIfLevdadIrt7S20ZIU +--- fi9+1UaXfza/crt3fD64sPAxIqlTB9uI4/hgjGS1gdM +5ҡVc(ϏeLs30:6j9Ѕh+mAO \ No newline at end of file diff --git a/secrets/wifi-password.txt.age b/secrets/wifi-password.txt.age deleted file mode 100644 index 97874ac..0000000 --- a/secrets/wifi-password.txt.age +++ /dev/null 
@@ -1,11 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 rf0kpA ZRfFZC4N5Jdnc32fZiL0QkXth2Lm1AuvGBW2PaFS/Dk -RxOiUlv8wkWggGrRB0tokIyZIno+4Yxk/kf9FxpKqZ8 --> piv-p256 Ddzw4A AwOuo9hts6Yz0cm878aHI6rwFyXNT1dHOiYsvloVA+2E -GolNszVMq4xdHm0HIrAWVGhHwmSySkYbaA2+BVEhvGw --> piv-p256 9aSbLw Ay35UlB8/sD2b92X/AQ47MZG5FmEh8BaaNpAYm6Ousb4 -ctMzgWfXczvfQFBNTeFau4E6LlrKiDma5JN3T48WYMU --> ssh-ed25519 YS7/yg pxaaPWZcrAv8B11T+h/v9CE4xzb/VglRPRJbAthA6lU -/Ye6TnDB+49l7REHzxBN4jPbOIfLevdadIrt7S20ZIU ---- fi9+1UaXfza/crt3fD64sPAxIqlTB9uI4/hgjGS1gdM -5ҡVc(ϏeLs30:6j9Ѕh+mAO \ No newline at end of file -- cgit v1.2.3