z9-router(host): rename rt1 to z9-router

resources/z9/z9-router/kea_dhcp.yaml

@@ -0,0 +1,293 @@
+kea_dhcp__dns_servers:
+  v4:
+    - 185.161.129.134
+  v6:
+    - 2a07:c481::1:2
+
+kea_dhcp__dhcp4:
+  enable: true
+  interfaces: [ "netlan.51", "netlan.52", "netlan.54" ]
+  control-sockets:
+    - socket-name: /var/run/kea-dhcp4-ctrl-agent.sock
+      socket-type: unix
+  lease-database:
+    type: memfile
+    persist: true
+  option-data:
+    - name: "domain-name-servers"
+      code: 6
+      csv-format: true
+      data: "{{ kea_dhcp__dns_servers.v4 | join(',') }}"
+  subnets:
+    - id: 1
+      subnet: 10.89.208.0/22
+      pools:
+        - pool: "10.89.208.32 - 10.89.211.250"
+      reservations:
+        - ip-address: 10.89.208.11
+          hostname: beamer
+          hw-address: "ac:87:a3:18:9e:01"
+        - ip-address: 10.89.208.12
+          hostname: Brother-CCCHH
+          hw-address: "00:80:77:04:3a:55"
+        - ip-address: 10.89.208.13
+          hostname: muzak
+          hw-address: "00:11:24:5f:4f:80"
+        - ip-address: 10.89.208.14
+          hostname: Big-Room-Beamer
+          hw-address: "64:d2:c4:db:08:5c"
+        - ip-address: 10.89.208.16
+          hostname: dooris
+          hw-address: "bc:24:11:b3:93:9c"
+        - ip-address: 10.89.208.17
+          hostname: hmdooris-ccu
+          hw-address: "bc:24:11:5f:2d:b1"
+        - ip-address: 10.89.208.27
+          hostname: cisco-slm248p
+          hw-address: "00:23:eb:b0:fc:3f"
+        - ip-address: 10.89.208.47
+          hw-address: "6c:df:fb:0b:34:21"
+        - ip-address: 10.89.208.48
+          hw-address: "6c:df:fb:0d:91:63"
+        - ip-address: 10.89.209.28
+          hostname: hp-color
+          hw-address: "3c:52:82:29:21:79"
+        - ip-address: 10.89.209.29
+          hostname: dooris-ng
+          hw-address: "6c:4b:90:19:21:a1"
+        - ip-address: 10.89.209.166
+          hostname: encoder-ccchh
+          hw-address: "00:4e:01:a2:40:d7"
+        - ip-address: 10.89.209.254
+          hostname: ki10
+          hw-address: "dc:a6:32:a9:ff:82"
+      option-data:
+        - name: routers,
+          csv-format: true
+          data: 10.89.208.1
+    - id: 2
+      subnet: 10.89.212.0/24
+      pools:
+        - pool: "10.89.212.32 - 10.89.212.250"
+      reservations:
+        - ip-address: 10.89.212.3
+          hostname: prusamk3
+          hw-address: "10:9c:70:2e:59:3e"
+        - ip-address: 10.89.212.4
+          hostname: prusamk4
+          hw-address: "10:9c:70:2e:6e:f0"
+        - ip-address: 10.89.212.11
+          hostname: Ziggy
+          hw-address: "44:17:93:53:65:57"
+        - ip-address: 10.89.212.12
+          hostname: legacy
+          hw-address: "00:15:65:a1:ed:98"
+        - ip-address: 10.89.212.23
+          hostname: foobarpay
+          hw-address: "f4:f2:6d:09:a6:73"
+        - ip-address: 10.89.212.24
+          hostname: foobackup
+          hw-address: "bc:24:11:20:1a:a8"
+        - ip-address: 10.89.212.27
+          hostname: ender3v2-sonic-pad
+          hw-address: "fc:ee:91:00:0e:14"
+        - ip-address: 10.89.212.31
+          hostname: octopi
+          hw-address: "b8:27:eb:0f:d8:09"
+        - ip-address: 10.89.212.32
+          hostname: 433mhz-bridge
+          hw-address: "0c:b8:15:fe:e3:34"
+        - ip-address: 10.89.212.33
+          hostname: wled-kueche
+          hw-address: "30:ae:a4:7a:8d:a0"
+        - ip-address: 10.89.212.34
+          hostname: wled-serverschrank
+          hw-address: "18:fe:34:a6:64:76"
+        - ip-address: 10.89.212.35
+          hostname: wled-couch
+          hw-address: "64:b7:08:40:ab:c0"
+        - ip-address: 10.89.212.36
+          hostname: laser
+          hw-address: "b8:27:eb:be:38:fa"
+        - ip-address: 10.89.212.37
+          hostname: laser-eth
+          hw-address: "b8:27:eb:eb:6d:af"
+        - ip-address: 10.89.212.42
+          hostname: t-mix
+          hw-address: "40:a5:ef:d9:eb:93"
+        - ip-address: 10.89.212.86
+          hostname: fritz-fon
+          hw-address: "00:1f:3f:c9:e5:b2"
+        - ip-address: 10.89.212.211
+          hostname: hauptraum-esphome
+          hw-address: "e8:db:84:e8:18:d2"
+        - ip-address: 10.89.212.212
+          hostname: werkstatt-esphome
+          hw-address: "3c:71:bf:26:42:32"
+        - ip-address: 10.89.212.213
+          hostname: ir-bridge-beamer
+          hw-address: "8c:ce:4e:51:93:dd"
+        - ip-address: 10.89.212.215
+          hostname: pi-dmx-werkstatt
+          hw-address: "b8:27:eb:65:e5:31"
+        - ip-address: 10.89.212.227
+          hostname: SIP-T46S
+          hw-address: "80:5e:c0:09:bf:55"
+        - ip-address: 10.89.212.230
+          hostname: SIP-T46S
+          hw-address: "80:5e:c0:22:33:08"
+        - ip-address: 10.89.212.232
+          hostname: staubi
+          hw-address: "b8:4d:43:98:51:2b"
+        - ip-address: 10.89.212.233
+          hostname: staubiv2
+          hw-address: "70:c9:32:82:25:b2"
+        - ip-address: 10.89.212.234
+          hostname: AtemMini
+          hw-address: "7c:2e:0d:13:72:a8"
+        - ip-address: 10.89.212.235
+          hostname: okilaser
+          hw-address: "2c:ff:65:22:b4:63"
+        - ip-address: 10.89.212.236
+          hw-address: "b8:27:eb:29:bd:77"
+      option-data:
+        - name: routers,
+          csv-format: true
+          data: 10.89.212.1
+    - id: 3
+      subnet: 10.89.213.0/24
+      pools:
+        - pool: "10.89.213.32 - 10.89.213.250"
+      reservations:
+        - ip-address: 10.89.213.2
+          hostname: sw-rack-1
+          hw-address: "F0:9F:C2:10:C3:AA"
+        - ip-address: 10.89.213.3
+          hostname: sw-rack-2-peo
+          hw-address: "44:d9:e7:06:69:5d"
+        - ip-address: 10.89.213.4
+          hostname: sw-main-1
+          hw-address: "a8:9c:6c:16:df:cc"
+        - ip-address: 10.89.213.5
+          hostname: sw-main-2
+          hw-address: "a8:9c:6c:16:e8:86"
+        - ip-address: 10.89.213.6
+          hostname: sw-shop-1
+          hw-address: "C0:4A:00:FB:DA:C5"
+        - ip-address: 10.89.213.7
+          hostname: sw-shop-2-peo
+          hw-address: "f4:e2:c6:bf:20:ee"
+        - ip-address: 10.89.213.8
+          hostname: sw-shop-3-peo
+          hw-address: "d8:b3:70:85:72:76"
+        - ip-address: 10.89.213.11
+          hostname: pve01
+          hw-address: "38:05:25:30:80:35"
+        - ip-address: 10.89.213.12
+          hostname: pve02
+          hw-address: "b8:85:84:b1:57:b6"
+        - ip-address: 10.89.213.13
+          hostname: pve03
+          hw-address: "98:fa:9b:a2:ed:e8"
+        - ip-address: 10.89.213.15
+          hostname: pbs
+          hw-address: "BC:24:11:D6:2C:81"
+        - ip-address: 10.89.213.21
+          hostname: unifi
+          hw-address: "BC:24:11:25:77:60"
+        - ip-address: 10.89.213.22
+          hostname: club-assistant
+          hw-address: "7a:55:61:c3:a2:89"
+        - ip-address: 10.89.213.23
+          hostname: automation
+          hw-address: "f2:20:75:5a:2f:8c"
+        - ip-address: 10.89.213.24
+          hostname: yate
+          hw-address: "bc:24:11:73:3e:f7"
+        - ip-address: 10.89.213.25
+          hostname: ptouch-print-server
+          hw-address: "bc:24:11:f2:cf:8f"
+        - ip-address: 10.89.213.26
+          hostname: mqtt
+          hw-address: "bc:24:11:48:85:73"
+        - ip-address: 10.89.213.27
+          hostname: factorio
+          hw-address: "bc:24:11:a3:43:7f"
+        - ip-address: 10.89.213.28
+          hostname: light
+          hw-address: "72:61:ea:e6:49:e3"
+        - ip-address: 10.89.213.29
+          hostname: homematic
+          hw-address: "fe:3a:42:77:3a:be"
+        - ip-address: 10.89.213.30
+          hostname: proxmox-backup-server
+          hw-address: "8a:48:dd:a3:22:40"
+      option-data:
+        - name: routers,
+          csv-format: true
+          data: 10.89.213.1
+
+kea_dhcp__dhcp6:
+  enable: true
+  interfaces: [ "netlan.51", "netlan.52", "netlan.54" ]
+  control-sockets:
+    - socket-name: /var/run/kea-dhcp6-ctrl-agent.sock
+      socket-type: unix
+  lease-database:
+    type: memfile
+    persist: true
+  option-data:
+    - name: "dns-servers"
+      code: 23
+      csv-format: true
+      data: "{{ kea_dhcp__dns_servers.v6 | join(',') }}"
+  subnets:
+    - id: 1
+      subnet: "2a07:c481:1:33::/64"
+      pools:
+        - pool: "2a07:c481:1:33::1:1 - 2a07:c481:1:33::FFFF:FFFF"
+    - id: 2
+      subnet: "2a07:c481:1:34::/64"
+      pools:
+        - pool: "2a07:c481:1:34::1:1 - 2a07:c481:1:34::FFFF:FFFF"
+    - id: 3
+      subnet: "2a07:c481:1:36::/64"
+      pools:
+        - pool: "2a07:c481:1:36::1:1 - 2a07:c481:1:36::FFFF:FFFF"
+      reservations:
+        - ip-address: "2a07:c481:1:36::2"
+          hostname: sw-rack-1
+          hw-address: "F0:9F:C2:10:C3:AA"
+        - ip-address: "2a07:c481:1:36::3"
+          hostname: sw-rack-2-peo
+          hw-address: "44:d9:e7:06:69:5d"
+        - ip-address: "2a07:c481:1:36::4"
+          hostname: sw-main-1
+          hw-address: "a8:9c:6c:16:df:cc"
+        - ip-address: "2a07:c481:1:36::5"
+          hostname: sw-main-2
+          hw-address: "a8:9c:6c:16:e8:86"
+        - ip-address: "2a07:c481:1:36::6"
+          hostname: sw-shop-1
+          hw-address: "C0:4A:00:FB:DA:C5"
+        - ip-address: "2a07:c481:1:36::7"
+          hostname: sw-shop-2-peo
+          hw-address: "f4:e2:c6:bf:20:ee"
+        - ip-address: "2a07:c481:1:36::8"
+          hostname: sw-shop-3-peo
+          hw-address: "d8:b3:70:85:72:76"
+        - ip-address: "2a07:c481:1:36::b"
+          hostname: pve01
+          hw-address: "38:05:25:30:80:35"
+        - ip-address: "2a07:c481:1:36::c"
+          hostname: pve02
+          hw-address: "b8:85:84:b1:57:b6"
+        - ip-address: "2a07:c481:1:36::d"
+          hostname: pve03
+          hw-address: "98:fa:9b:a2:ed:e8"
+        - ip-address: "2a07:c481:1:36::f"
+          hostname: pbs
+          hw-address: "BC:24:11:D6:2C:81"
+        - ip-address: "2a07:c481:1:36::14"
+          hostname: unifi
+          hw-address: "BC:24:11:25:77:60"

resources/z9/z9-router/nftables/nftables.conf

@@ -0,0 +1,114 @@
+#!/usr/sbin/nft -f
+
+## Variables
+
+# Hosts
+
+
+# Interfaces
+define if_netwan = "netwan"
+define if_netlan = "netlan"
+define if_wg55_management   = "wg55"
+define if_netwan_400_fux_uplink = "netwan.400"
+define if_netlan_51_clients = "netlan.51"
+define if_netlan_52_iot = "netlan.52"
+define if_netlan_53_public = "netlan.53"
+define if_netlan_54_management = "netlan.54"
+
+# Interface Groups
+define wan_ifs = { $if_netwan_400_fux_uplink }
+define lan_ifs = { $if_netlan_51_clients,
+                   $if_netlan_52_iot,
+                   $if_netlan_53_public,
+                   $if_netlan_54_management }
+define v4_exposed_ifs = { $if_netlan_53_public }
+define v6_exposed_ifs = { $if_netlan_53_public }
+define v4_nat_ifs = { $if_netlan_51_clients,
+                      $if_netlan_52_iot,
+                      $if_netlan_54_management }
+
+
+## Rules
+
+table inet reverse-path-forwarding {
+    chain rpf-filter {
+        type filter hook prerouting priority mangle + 10; policy drop;
+
+        # Only allow packets if their source address is routed via their incoming interface.
+        # https://github.com/NixOS/nixpkgs/blob/d9d87c51960050e89c79e4025082ed965e770d68/nixos/modules/services/networking/firewall-nftables.nix#L100
+        fib saddr . mark . iif oif exists accept
+    }
+}
+
+table inet host {
+    chain input {
+        type filter hook input priority filter; policy drop;
+
+        iifname "lo" accept comment "allow loopback"
+
+        ct state invalid drop
+        ct state established,related accept
+
+		    ip protocol icmp accept
+        # ICMPv6
+        # https://datatracker.ietf.org/doc/html/rfc4890#autoid-24
+        # Allowlist consisting of: "Traffic That Must Not Be Dropped" and "Traffic That Normally Should Not Be Dropped"
+        # Error messages that are essential to the establishment and maintenance of communications:
+        icmpv6 type { destination-unreachable, packet-too-big } accept
+        icmpv6 type { time-exceeded } accept
+        icmpv6 type { parameter-problem } accept
+        # Connectivity checking messages:
+        icmpv6 type { echo-request, echo-reply } accept
+        # Address Configuration and Router Selection messages:
+        icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert } accept
+        # Link-Local Multicast Receiver Notification messages:
+        icmpv6 type { mld-listener-query, mld-listener-report, mld-listener-done, mld2-listener-report } accept
+        # SEND Certificate Path Notification messages:
+        icmpv6 type { 148, 149 } accept
+        # Multicast Router Discovery messages:
+        icmpv6 type { 151, 152, 153 } accept
+
+        # Allow SSH access.
+        tcp dport 22 accept comment "allow ssh access"
+
+        # Allow WireGuard access.
+        udp dport 51820 accept comment "allow WireGuard access"
+
+        # Allow DHCP server access.
+		    iifname { $lan_ifs } udp dport 67 accept comment "allow dhcp server access"
+
+        # Allow DNS server access from lan_ifs
+        iifname { $lan_ifs, $if_wg55_management } udp dport 53 accept comment "allow dns server access from lan_ifs"
+    }
+}
+
+table ip v4nat {
+    chain prerouting {
+        type nat hook prerouting priority dstnat; policy accept;
+    }
+
+    chain postrouting {
+        type nat hook postrouting priority srcnat; policy accept;
+
+        iifname { $v4_nat_ifs, $if_wg55_management } oifname $wan_ifs masquerade
+    }
+}
+
+table inet forward {
+    chain forward {
+        type filter hook forward priority filter; policy drop;
+
+        ct state invalid drop
+        ct state established,related accept
+
+        # Allow internet access.
+		    iifname { $lan_ifs, $if_wg55_management } oifname $wan_ifs accept comment "allow internet access"
+
+        # Allow access to exposed networks from internet.
+        meta nfproto ipv4 oifname $v4_exposed_ifs accept comment "allow v4 exposed network access"
+        meta nfproto ipv6 oifname $v6_exposed_ifs accept comment "allow v6 exposed network access"
+
+        # Allow clients and managment to most
+        iifname { $if_netlan_51_clients, $if_netlan_54_management, $if_wg55_management } oifname $lan_ifs accept comment "allow clients and managment to lan_ifs"
+    }
+}

resources/z9/z9-router/systemd_networkd/00-netlan.link

@@ -0,0 +1,6 @@
+[Match]
+MACAddress=BC:24:11:72:A3:27
+Type=ether
+
+[Link]
+Name=netlan

resources/z9/z9-router/systemd_networkd/00-netwan.link

@@ -0,0 +1,6 @@
+[Match]
+MACAddress=BC:24:11:CF:65:57
+Type=ether
+
+[Link]
+Name=netwan

resources/z9/z9-router/systemd_networkd/10-netlan.51.netdev

@@ -0,0 +1,7 @@
+[NetDev]
+Name=netlan.51
+Kind=vlan
+
+[VLAN]
+Id=51
+

resources/z9/z9-router/systemd_networkd/10-netlan.52.netdev

@@ -0,0 +1,7 @@
+[NetDev]
+Name=netlan.52
+Kind=vlan
+
+[VLAN]
+Id=52
+

resources/z9/z9-router/systemd_networkd/10-netlan.53.netdev

@@ -0,0 +1,7 @@
+[NetDev]
+Name=netlan.53
+Kind=vlan
+
+[VLAN]
+Id=53
+

resources/z9/z9-router/systemd_networkd/10-netlan.54.netdev

@@ -0,0 +1,7 @@
+[NetDev]
+Name=netlan.54
+Kind=vlan
+
+[VLAN]
+Id=54
+

resources/z9/z9-router/systemd_networkd/10-netwan.400.netdev

@@ -0,0 +1,7 @@
+[NetDev]
+Name=netwan.400
+Kind=vlan
+
+[VLAN]
+Id=400
+

resources/z9/z9-router/systemd_networkd/10-wg55.netdev

@@ -0,0 +1,90 @@
+[NetDev]
+Description=Admin-Wireguard
+Kind=wireguard
+Name=wg55
+
+[WireGuard]
+ListenPort=51820
+PrivateKeyFile=/etc/ansible_secrets/wireguard_wg55_privat_key
+
+# WireGuard Peers
+
+[WireGuardPeer]
+# friendly_name = stb
+AllowedIPs = 10.89.214.2/32,2a07:c481:1:37::2/128
+PublicKey = vILSL4dbaC5IaTsRhJviamV18ssxWSj+qLVyowLQ214=
+PersistentKeepalive = 30
+
+[WireGuardPeer]
+# friendly_name = fi
+AllowedIPs = 10.89.214.3/32,2a07:c481:1:37::3/128
+PublicKey = UHi/if5uW2V3+8Q3R+uk6/XpRi4fPXbw7chsKI4xlkI=
+PresharedKeyFile = /etc/ansible_secrets/wireguard_wg55_peer_fi_psk
+
+[WireGuardPeer]
+# friendly_name = jtbx
+AllowedIPs = 10.89.214.4/32,2a07:c481:1:37::4/128
+PublicKey = NyyEqdWgScgsnTF8Zz/Om4Lc84fdFMwVtvaCmLEkUlQ=
+
+[WireGuardPeer]
+# friendly_name = June
+AllowedIPs = 10.89.214.6/32,2a07:c481:1:37::6/128
+PublicKey = 6jAEB+f9przBGxPhuvv9U9gvZDEBQNqpQSD0BoGqXQQ=
+PresharedKeyFile = /etc/ansible_secrets/wireguard_wg55_peer_June_psk
+
+[WireGuardPeer]
+# friendly_name = Max
+AllowedIPs = 10.89.214.7/32,2a07:c481:1:37::7/128
+PublicKey = oC1hJjtlAgLX/CmbwTC+LPmd1uwluQTwsN8RaMNmHn0=
+PresharedKeyFile = /etc/ansible_secrets/wireguard_wg55_peer_Max_psk
+
+[WireGuardPeer]
+# friendly_name = dario
+AllowedIPs = 10.89.214.9/32,2a07:c481:1:37::9/128
+PublicKey = bYF2EGRGpEGjiKcasi/oaWoWeLsgqsF6FGaq3Z4ERww=
+PresharedKeyFile = /etc/ansible_secrets/wireguard_wg55_peer_dario_psk
+
+[WireGuardPeer]
+# friendly_name = June-mobile
+AllowedIPs = 10.89.214.11/32,2a07:c481:1:37::11/128
+PublicKey = 6edjXykegUgGjbkIG1aJyBlX1SgTKcqXXaSBVPHdKDc=
+PresharedKeyFile = /etc/ansible_secrets/wireguard_wg55_peer_June-mobile_psk
+
+[WireGuardPeer]
+# friendly_name = djerun_at_ferrum.local
+AllowedIPs = 10.89.214.12/32,2a07:c481:1:37::12/128
+PublicKey = aHbdkTHhPkd+o7wWfTua9nd72aF4OVp66zGtpaoD8Fg=
+
+[WireGuardPeer]
+# friendly_name = c6ristian
+AllowedIPs = 10.89.214.13/32,2a07:c481:1:37::13/128
+PublicKey = 6ndwj3Ur6AqfUPWuyPYXIaGZs2ujJKawSQ9LEvlYzEc=
+PresharedKeyFile = /etc/ansible_secrets/wireguard_wg55_peer_c6ristian_psk
+
+[WireGuardPeer]
+# friendly_name = langoor
+AllowedIPs = 10.89.214.14/32,2a07:c481:1:37::14/128
+PublicKey = qTnVQlQa1m4SucFFNli/xM6QWfsdWx2baRAit7Cg8RM=
+PresharedKeyFile = /etc/ansible_secrets/wireguard_wg55_peer_langoor_psk
+
+[WireGuardPeer]
+# friendly_name = langoor_home
+AllowedIPs = 10.89.214.15/32,2a07:c481:1:37::15/128
+PublicKey = NeMDs2+5rHuKO5ZYXVUR76GorgdesFUnDOFECQ3RzG4=
+PresharedKeyFile = /etc/ansible_secrets/wireguard_wg55_peer_langoor_home_psk
+
+[WireGuardPeer]
+# friendly_name = lilly-lillysLaptop
+AllowedIPs = 10.89.214.16/32 #,2a07:c481:1:37::/128
+PublicKey = IBsI+N8qUNpQnDc5HnqQ2Zo/1graFM0RMIecHmAF+Vk=
+
+[WireGuardPeer]
+# friendly_name = bitwhisker
+AllowedIPs = 10.89.214.17/32,2a07:c481:1:37::a/128
+PublicKey = DvEGvQPGi+IxeRTIA72Gx3WNINcrV9HRNB1v7mHnhjA=
+
+[WireGuardPeer]
+# friendly_name = forestcat
+AllowedIPs = 10.89.214.18/32,2a07:c481:1:37::b/128
+PublicKey = PdJ7KlIeASizj0WTY87d7oSi14/MebrhRa+L8YiPoQE=
+

resources/z9/z9-router/systemd_networkd/20-netlan.network

@@ -0,0 +1,12 @@
+[Match]
+Name=netlan
+
+[Link]
+RequiredForOnline=no
+
+[Network]
+VLAN=netwan.51
+VLAN=netwan.52
+VLAN=netwan.53
+VLAN=netwan.54
+

resources/z9/z9-router/systemd_networkd/20-netwan.network

@@ -0,0 +1,9 @@
+[Match]
+Name=netwan
+
+[Link]
+RequiredForOnline=no
+
+[Network]
+VLAN=netwan.400
+

resources/z9/z9-router/systemd_networkd/20-wg55.network

@@ -0,0 +1,6 @@
+[Match]
+Name=wg55
+
+[Network]
+Address=10.89.214.1/24
+Address=2a07:c481:1:37::1/64

resources/z9/z9-router/systemd_networkd/21-netlan.51-clients.network

@@ -0,0 +1,27 @@
+[Match]
+Name=netlan.51
+Type=vlan
+
+[Link]
+RequiredForOnline=no
+
+[Network]
+Description=clients
+
+# Masquerading done in nftables (nftables.conf).
+IPv6SendRA=yes
+
+[Address]
+Address=10.89.208.1/22
+
+[IPv6SendRA]
+UplinkInterface=netwan.400
+EmitDomains=true
+Domains=ccchh.net
+Managed=true
+
+[IPv6Prefix]
+Prefix=2a07:c481:1:33::/64
+Assign=true
+Token=static:::1
+

resources/z9/z9-router/systemd_networkd/21-netlan.52-iot.network

@@ -0,0 +1,27 @@
+[Match]
+Name=netlan.52
+Type=vlan
+
+[Link]
+RequiredForOnline=no
+
+[Network]
+Description=IoT
+
+# Masquerading done in nftables (nftables.conf).
+IPv6SendRA=yes
+
+[Address]
+Address=10.89.212.1/24
+
+[IPv6SendRA]
+UplinkInterface=netwan.400
+EmitDomains=true
+Domains=ccchh.net
+Managed=true
+
+[IPv6Prefix]
+Prefix=2a07:c481:1:34::/64
+Assign=true
+Token=static:::1
+

resources/z9/z9-router/systemd_networkd/21-netlan.53-public.network

@@ -0,0 +1,27 @@
+[Match]
+Name=netlan.53
+Type=vlan
+
+[Link]
+RequiredForOnline=no
+
+[Network]
+Description=public
+
+# Masquerading done in nftables (nftables.conf).
+IPv6SendRA=yes
+
+[Address]
+Address=185.161.130.65/28
+
+[IPv6SendRA]
+UplinkInterface=netwan.400
+EmitDomains=true
+Domains=ccchh.net
+Managed=true
+
+[IPv6Prefix]
+Prefix=2a07:c481:1:35::/64
+Assign=true
+Token=static:::1
+

resources/z9/z9-router/systemd_networkd/21-netlan.54-management.network

@@ -0,0 +1,27 @@
+[Match]
+Name=netlan.54
+Type=vlan
+
+[Link]
+RequiredForOnline=no
+
+[Network]
+Description=Management
+
+# Masquerading done in nftables (nftables.conf).
+IPv6SendRA=yes
+
+[Address]
+Address=10.89.213.0/24
+
+[IPv6SendRA]
+UplinkInterface=netwan.400
+EmitDomains=true
+Domains=ccchh.net
+Managed=true
+
+[IPv6Prefix]
+Prefix=2a07:c481:1:36::/64
+Assign=true
+Token=static:::1
+

resources/z9/z9-router/systemd_networkd/21-netwan.400-fux_uplink.network

@@ -0,0 +1,26 @@
+[Match]
+Name=netwan.400
+Type=vlan
+
+[Link]
+RequiredForOnline=no
+
+[Network]
+Description=fux-uplink
+
+DNS=185.161.128.66
+DNS=2a07:c481:0:4::2
+DNS=185.161.128.67
+DNS=2a07:c481:0:4::3
+
+IPv6AcceptRA=no
+# Masquerading done in nftables (nftables.conf).
+IPv6SendRA=no
+
+[Address]
+Address=185.161.129.134/25
+Address=2a07:c481::1:2/64
+
+[Route]
+Gateway=185.161.129.129
+Gateway=2a07:c481::1

resources/z9/z9-router/systemd_networkd_global_config.conf

@@ -0,0 +1,3 @@
+[Network]
+IPv4Forwarding=true
+IPv6Forwarding=true