Skip to content

feat: 8-VLAN Segmentation & Router Automation #52

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
geeksbsmrt wants to merge 6 commits into from
Closed

feat: 8-VLAN Segmentation & Router Automation #52

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
cdf3453
feat(kea): add ISC Kea DHCP4 config template with 8 VLAN subnets
geeksbsmrt Mar 23, 2026
b840ba6
feat(router): add Merlin VLAN and firewall scripts
geeksbsmrt Mar 23, 2026
1b5d5dd
feat(host): add Pi VLAN sub-interfaces script and systemd unit
geeksbsmrt Mar 23, 2026
680d551
ci(router): add GitHub Action for router script deployment
geeksbsmrt Mar 23, 2026
3750801
ci(deploy): add Kea templating and Pi host VLAN setup
geeksbsmrt Mar 23, 2026
d5d15b0
feat(docker): migrate DHCP to Kea and redesign VLAN networking
geeksbsmrt Mar 23, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
32 changes: 31 additions & 1 deletion .github/workflows/deploy-prod.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@ on:
- main
paths:
- "docker/**"
- "scripts/**"
- "secrets.sops.env"
- ".github/workflows/deploy-prod.yaml"
workflow_dispatch:
Expand Down Expand Up @@ -186,6 +187,34 @@ jobs:
exit 1
fi

# --- Kea DHCP4 ---
KEA_TEMPLATE_PATH="$GITHUB_WORKSPACE/docker/kea/kea-dhcp4.conf.template"
KEA_OUTPUT_PATH="$GITHUB_WORKSPACE/docker/kea/kea-dhcp4.conf"
echo "Templating Kea DHCP4 configuration..."
if [ ! -f "${KEA_TEMPLATE_PATH}" ]; then
echo "ERROR: Kea template file NOT FOUND at ${KEA_TEMPLATE_PATH}"
exit 1
fi
envsubst < "${KEA_TEMPLATE_PATH}" > "${KEA_OUTPUT_PATH}"
if [ $? -eq 0 ]; then
echo "Kea DHCP4 configuration templated successfully."
else
echo "ERROR: envsubst for Kea command failed."
exit 1
fi

- name: Deploy VLAN setup script and systemd unit
run: |
sudo mkdir -p /opt/homelab/scripts
sudo cp "$GITHUB_WORKSPACE/scripts/setup-vlans.sh" /opt/homelab/scripts/
sudo chmod +x /opt/homelab/scripts/setup-vlans.sh
sudo cp "$GITHUB_WORKSPACE/scripts/pi-vlans.service" /etc/systemd/system/
sudo systemctl daemon-reload
sudo systemctl enable pi-vlans.service

- name: Ensure VLAN sub-interfaces exist
run: sudo systemctl start pi-vlans.service

- name: Sync configuration files
id: sync
run: |
Expand All @@ -198,7 +227,8 @@ jobs:
--exclude ".github/" \
--exclude "*.sops.env" \
--exclude "prometheus/config/prometheus.yml.template" \
--exclude "unbound/unbound.conf.template" > rsync_output.txt
--exclude "unbound/unbound.conf.template" \
--exclude "kea/kea-dhcp4.conf.template" > rsync_output.txt

cat rsync_output.txt

Expand Down
58 changes: 58 additions & 0 deletions .github/workflows/deploy-router.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,58 @@
name: Deploy Router Scripts

on:
push:
branches: [main]
paths:
- "router/scripts/**"
workflow_dispatch:

jobs:
deploy:
name: Deploy to Router
runs-on: self-hosted

steps:
- name: Checkout repository
uses: actions/checkout@v4

- name: Copy scripts to router
uses: appleboy/scp-action@v0.1.7
with:
host: ${{ secrets.ROUTER_IP }}
username: ${{ secrets.ROUTER_SSH_USER }}
key: ${{ secrets.ROUTER_SSH_KEY }}
source: "router/scripts/*"
target: "/jffs/scripts/"
strip_components: 2

- name: Set permissions and apply services
uses: appleboy/ssh-action@v1.2.2
with:
host: ${{ secrets.ROUTER_IP }}
username: ${{ secrets.ROUTER_SSH_USER }}
key: ${{ secrets.ROUTER_SSH_KEY }}
script: |
chmod +x /jffs/scripts/services-start \
/jffs/scripts/firewall-start \
/jffs/scripts/confirm-firewall.sh
/jffs/scripts/services-start

- name: Apply firewall rules (dead man's switch active)
uses: appleboy/ssh-action@v1.2.2
with:
host: ${{ secrets.ROUTER_IP }}
username: ${{ secrets.ROUTER_SSH_USER }}
key: ${{ secrets.ROUTER_SSH_KEY }}
script: /jffs/scripts/firewall-start

- name: Verify connectivity and confirm
uses: appleboy/ssh-action@v1.2.2
with:
host: ${{ secrets.ROUTER_IP }}
username: ${{ secrets.ROUTER_SSH_USER }}
key: ${{ secrets.ROUTER_SSH_KEY }}
command_timeout: 30s
script: |
echo "Connectivity verified (SSH still works)."
/jffs/scripts/confirm-firewall.sh
108 changes: 101 additions & 7 deletions docker/docker-compose.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,20 @@ services:
macvlan:
ipv4_address: ${IP_PIHOLE}
backend_net: {}
mgmt_vlan:
ipv4_address: ${IP_PIHOLE_MGMT}
personal_vlan:
ipv4_address: ${IP_PIHOLE_PERSONAL}
work_vlan:
ipv4_address: ${IP_PIHOLE_WORK}
iot_vlan:
ipv4_address: ${IP_PIHOLE_IOT}
cam_vlan:
ipv4_address: ${IP_PIHOLE_CAM}
guest_vlan:
ipv4_address: ${IP_PIHOLE_GUEST}
homelab_vlan:
ipv4_address: ${IP_PIHOLE_HOMELAB}
ports:
- "53:53/tcp"
- "53:53/udp"
Expand All @@ -28,12 +42,13 @@ services:
FTLCONF_webserver_api_password: ${PIHOLE_UI_PASSWORD}
FTLCONF_dns_listeningMode: "all"
FTLCONF_dns_upstreams: "${IP_UNBOUND}"
FTLCONF_dhcp_active: "true"
FTLCONF_dhcp_start: "${PIHOLE_DHCP_START}"
FTLCONF_dhcp_end: "${PIHOLE_DHCP_END}"
FTLCONF_dhcp_router: "${PIHOLE_DHCP_ROUTER}"
FTLCONF_dhcp_leaseTime: "24h"
FTLCONF_dhcp_ipv6: "true"
FTLCONF_dhcp_active: "false"
# DHCP disabled — handled by Kea. Retained for rollback.
# FTLCONF_dhcp_start: "${PIHOLE_DHCP_START}"
# FTLCONF_dhcp_end: "${PIHOLE_DHCP_END}"
# FTLCONF_dhcp_router: "${PIHOLE_DHCP_ROUTER}"
# FTLCONF_dhcp_leaseTime: "24h"
# FTLCONF_dhcp_ipv6: "true"
FTLCONF_dns_etc_dnsmasq_d: "true"
volumes:
- "./pihole:/etc/pihole"
Expand All @@ -47,6 +62,21 @@ services:
unbound:
condition: service_healthy

kea-dhcp4:
image: docker.cloudsmith.io/isc/docker/kea-dhcp4:3.0.2
container_name: kea_dhcp4
hostname: kea_dhcp4
restart: unless-stopped
network_mode: host
volumes:
- ./kea:/etc/kea
- kea_leases:/var/lib/kea
depends_on:
pihole:
condition: service_started
environment:
TZ: "America/New_York"

unbound:
container_name: unbound
image: "mvance/unbound-rpi:1.22.0"
Expand Down Expand Up @@ -406,12 +436,13 @@ volumes:
umami_db_data:
firefly_db_data:
firefly_upload:
kea_leases:

networks:
backend_net:
driver: bridge
macvlan:
name: pi0vlan
name: infra_vlan
driver: macvlan
driver_opts:
parent: "${MACVLAN_PARENT_INTERFACE}"
Expand All @@ -422,3 +453,66 @@ networks:
ip_range: "${MACVLAN_IP_RANGE}"
aux_addresses:
host_shim_ip: "${MACVLAN_HOST_SHIM_IP}"
mgmt_vlan:
driver: macvlan
driver_opts:
parent: "eth0"
ipam:
config:
- subnet: "192.168.10.0/24"
gateway: "192.168.10.1"
ip_range: "192.168.10.240/28"
personal_vlan:
driver: macvlan
driver_opts:
parent: "eth0.30"
ipam:
config:
- subnet: "192.168.30.0/24"
gateway: "192.168.30.1"
ip_range: "192.168.30.240/28"
work_vlan:
driver: macvlan
driver_opts:
parent: "eth0.40"
ipam:
config:
- subnet: "192.168.40.0/24"
gateway: "192.168.40.1"
ip_range: "192.168.40.240/28"
iot_vlan:
driver: macvlan
driver_opts:
parent: "eth0.50"
ipam:
config:
- subnet: "192.168.50.0/24"
gateway: "192.168.50.1"
ip_range: "192.168.50.240/28"
cam_vlan:
driver: macvlan
driver_opts:
parent: "eth0.60"
ipam:
config:
- subnet: "192.168.60.0/24"
gateway: "192.168.60.1"
ip_range: "192.168.60.240/28"
guest_vlan:
driver: macvlan
driver_opts:
parent: "eth0.70"
ipam:
config:
- subnet: "192.168.70.0/24"
gateway: "192.168.70.1"
ip_range: "192.168.70.240/28"
homelab_vlan:
driver: macvlan
driver_opts:
parent: "eth0.80"
ipam:
config:
- subnet: "192.168.80.0/24"
gateway: "192.168.80.1"
ip_range: "192.168.80.240/28"
Loading