{ config, pkgs, lib, self, ... }:
let
# Physical servers that get a `role = "server"` host definition in
# config.site.hosts below, with one interface per network in which the
# name appears in pillar.hosts-inet / pillar.hosts-inet6.
mainServers = [ "server1" "server2" ];
# Salt pillar data for the "*" target (presumably the pillar every minion
# sees — saltPillarFor is an opaque helper from self.lib). Besides network
# layout it carries secrets: pillar.ospf.secret and the switch/AP passwords
# are read from it below, so everything derived from it is sensitive.
pillar = self.lib.saltPillarFor "*";
# Return a copy of `attrset` in which the attribute named `from` (if it
# exists) is stored under the name `to`; all other attributes are kept.
# The copy is built by folding over the alphabetically sorted attribute
# names, so if `attrset` already has an attribute called `to`, whichever
# of the two names sorts later ends up in the result.
renameAttr = from: to: attrset:
  let
    # Target name for one source attribute.
    newName = name: if name == from then to else name;
    # Fold step: copy one attribute into the accumulator under its new name.
    addRenamed = acc: name: acc // { ${newName name} = attrset.${name}; };
  in
    builtins.foldl' addRenamed {} (builtins.attrNames attrset);
# HACK: `type = "phys"` works but once an LXC container is stopped
# the VLAN interface is not moved back.
# Hence every container interface is forced to `type = "veth"`, overriding
# whatever `type` the pillar definition of the interface carried.
forceVeth = interface:
  let
    vethOnly = { type = "veth"; };
  in
    interface // vethOnly;
# True for the networks that get a DHCP server ("<net>-gw", see the dhcp
# mapping in config.site.net): "pub", "serv" and every "priv<N>".
# `builtins.match` matches the whole string, so "priv" alone or a name
# merely containing "priv1" does not qualify.
netHasDHCP = net:
  let
    isPrivNet = builtins.match "priv[[:digit:]]+" net != null;
  in
    builtins.elem net [ "pub" "serv" ] || isPrivNet;
in
{
# Untyped option (no `type`, no `default`) that exposes the pillar to the
# rest of the module system. The pillar carries secrets (ospf.secret,
# switch/AP passwords), so every module reading config.salt-pillar gets
# them as well.
options.salt-pillar = lib.mkOption {};
# Publish the whole "*" pillar as the value of the option declared above.
config.salt-pillar = pillar;
# Per-network configuration, assembled from the pillar plus a few static
# overrides. Every element of the mkMerge list is an attrset keyed by
# network name; the module system merges the per-net attributes.
config.site.net = lib.mkMerge ([
  # VLAN id per network.
  (builtins.mapAttrs (_: vlan: { vlan = vlan; }) pillar.vlans)
  # IPv4 subnet per network.
  (builtins.mapAttrs (_: subnet4: { inherit subnet4; }) pillar.subnets-inet)
  # IPv4 host table per network (presumably host name -> address; the
  # pillar schema is not visible here).
  (builtins.mapAttrs (_: hosts4: { inherit hosts4; }) pillar.hosts-inet)
  # DHCP settings for every network that has an entry in pillar.dhcp.
  (builtins.mapAttrs (net: dhcpData: {
    dhcp = {
      inherit (dhcpData) start end time max-time;
      # Only "pub", "serv" and "priv<N>" get a DHCP server, and it is
      # always the "<net>-gw" host; every other net is left with null.
      server =
        if netHasDHCP net
        then "${net}-gw"
        else null;
      # Static leases are optional in the pillar.
      fixed-hosts =
        if dhcpData ? fixed-hosts
        then dhcpData.fixed-hosts
        else {};
      # Required pillar keys: evaluation fails for a net whose dhcp entry
      # lacks host-opts.routers or string-opts.domain-name.
      router = dhcpData.host-opts.routers;
    };
    domainName = dhcpData.string-opts.domain-name;
  }) pillar.dhcp)
  {
    # OSPF secret (presumably the authentication key), taken straight
    # from the pillar.
    core.ospf.secret = pillar.ospf.secret;
    pub.dynamicDomain = true;
    c3d2.dynamicDomain = true;
    # Static DHCP configuration for the c3d2 net.
    # NOTE(review): the pillar.dhcp mapping above also emits a `dhcp`
    # attrset for every net it knows; if "c3d2" is among them,
    # server/router/start/end/time/max-time are defined twice and the
    # option types decide whether that merges or conflicts — confirm
    # against the site module.
    c3d2.dhcp = {
      server = "c3d2-gw3";
      router = "c3d2-anon";
      start = "172.22.99.100";
      end = "172.22.99.199";
      # Static leases: host name (or, for two entries, a bare IPv4
      # address) -> MAC address.
      fixed-hosts = {
        "astron.hq.c3d2.de" = "aa:00:5b:08:f0:5b";
        "astrom.hq.c3d2.de" = "aa:00:5b:08:f0:5c";
        "www1.hq.c3d2.de" = "aa:00:13:8b:03:47";
        "dn42.hq.c3d2.de" = "aa:00:42:7a:32:46";
        "icq.hq.c3d2.de" = "aa:00:30:f6:27:89";
        "jabber1.hq.c3d2.de" = "aa:00:0b:19:8f:14";
        "jabber2.hq.c3d2.de" = "aa:00:3d:6a:23:b8";
        "wiefelspuetz.hq.c3d2.de" = "aa:00:7f:01:8a:d0";
        "git.hq.c3d2.de" = "aa:00:47:d8:57:10";
        "fernandopoo.hq.c3d2.de" = "aa:00:f7:52:85:27";
        "moleflap.hq.c3d2.de" = "aa:00:0d:b1:6c:67";
        "wormhole.hq.c3d2.de" = "00:23:c3:d2:00:76";
        "sharing.hq.c3d2.de" = "00:23:c3:d2:75:18";
        "drucker.hq.c3d2.de" = "00:23:c3:d2:12:0f";
        "knot.hq.c3d2.de" = "52:54:cf:fd:ce:3f";
        # NOTE(review): domain reads "c3de.de" here while every other
        # entry uses "c3d2.de" — confirm whether this is a typo.
        "bender.hq.c3de.de" = "00:23:df:7e:c8:0a";
        "sofafon.hq.c3d2.de" = "b8:27:eb:23:8d:01";
        "schalter.hq.c3d2.de" = "b8:27:eb:4c:be:ff";
        "beere.hq.c3d2.de" = "b8:27:eb:ac:65:d2";
        "ledball1.hq.c3d2.de" = "b8:27:eb:53:0b:27";
        "cider.hq.c3d2.de" = "00:0d:93:75:ee:fa";
        "semanta.hq.c3d2.de" = "00:ff:e4:bb:ea:2a";
        "leviathan.hq.c3d2.de" = "00:ff:08:31:db:e5";
        # NOTE(review): same MAC as ledball1 above. A DHCP server keys
        # static leases by MAC, so presumably only one of the two names
        # can take effect — confirm which one is intended.
        "beere2.hq.c3d2.de" = "b8:27:eb:53:0b:27";
        "feile.hq.c3d2.de" = "aa:00:5b:12:c1:f7";
        "matemat.hq.c3d2.de" = "a2:1b:7c:e8:19:72";
        # NOTE(review): keyed by IPv4 address rather than host name,
        # unlike the rest of the map — presumably the consuming module
        # accepts either form; confirm.
        "172.22.99.98" = "08:00:27:aa:90:e2";
        "172.22.99.96" = "08:00:27:bb:8c:b3";
        "batman.hq.c3d2.de" = "5c:cf:7f:c0:05:28";
        "monit.hq.c3d2.de" = "00:23:ae:94:e7:19";
        "storage2.hq.c3d2.de" = "42:5e:0f:4e:f3:cc";
        "server2.hq.c3d2.de" = "d0:67:e5:f3:57:10";
        "server3.hq.c3d2.de" = "e4:1f:13:2e:4f:c0";
        "server4.hq.c3d2.de" = "00:9c:02:a9:26:01";
        "minecraft.hq.c3d2.de" = "4a:57:d3:64:fe:e9";
        "ustriper.hq.c3d2.de" = "aa:bb:95:33:bb:aa";
        "lisbeth.hq.c3d2.de" = "b8:27:eb:a5:ee:5c";
        "ruststripe1.hq.c3d2.de" = "06:32:0e:39:21:69";
        "fhem.hq.c3d2.de" = "b8:27:eb:9e:8b:db";
        "glotzbert.hq.c3d2.de" = "ec:a8:6b:fe:b4:cb";
        "pulsebert.hq.c3d2.de" = "dc:a6:32:31:b6:32";
        "public-access-proxy.hq.c3d2.de" = "12:24:5f:bd:9b:e7";
        "marenz-build.hq.c3d2.de" = "44:1e:a1:59:2e:e8";
        "ledbeere.hq.c3d2.de" = "b8:27:eb:60:99:59";
      };
      # Times in seconds: 86400 = 1 day, 30 * 86400 = 30 days
      # (presumably default and maximum lease time, going by the names).
      time = 86400;
      max-time = 30 * 86400;
    };
  }
  # net priv* settings
  (
    # Every "priv<N>" network that has a hosts-inet table gets
    # dynamicDomain = true as well.
    builtins.mapAttrs (netName: _: {
      dynamicDomain = true;
    }) (
      lib.filterAttrs (netName: _:
        builtins.match "priv[[:digit:]]+" netName != null
      ) pillar.hosts-inet
    )
  )
] ++ (
  # IPv6 subnets: one mkMerge element per context `ctx` in subnets-inet6,
  # each setting subnets6.<ctx> for every net in that context.
  map (ctx:
    builtins.mapAttrs (_: subnet: { subnets6.${ctx} = subnet; }) pillar.subnets-inet6.${ctx}
  ) (builtins.attrNames pillar.subnets-inet6)
) ++ (
  # Same shape for the IPv6 host tables (hosts6.<ctx>); the lambda
  # parameter is still named `subnet` although it carries hosts data.
  map (ctx:
    builtins.mapAttrs (_: subnet: { hosts6.${ctx} = subnet; }) pillar.hosts-inet6.${ctx}
  ) (builtins.attrNames pillar.hosts-inet6)
));
# Per-host configuration: a static block, then several pillar-derived
# attrsets (priv*-gw containers, the main servers, switches, APs, all
# containers), then one empty definition per host name found in the
# IPv4/IPv6 host tables so that every addressed host exists as a host.
config.site.hosts = lib.mkMerge (
  [
    { # Static definitions
      mgmt-gw.firewall.enable = true;
      priv13-gw.firewall.enable = true;
      dns.services.dns.enable = true;
      # Fully static container (not taken from pillar.containers).
      dnscache = {
        role = "container";
        interfaces.serv = {
          gw4 = "serv-gw";
          gw6 = "serv-gw";
          type = "veth";
        };
        services.dnscache.enable = true;
      };
      # Upstream links. noNat.subnets6 lists the IPv6 prefixes that
      # presumably bypass NAT on that link (semantics live in the
      # consuming module).
      upstream1.interfaces.up1.upstream = {
        provider = "vodafone";
        noNat.subnets6 = [
          "2a02:8106:208:5200::/56"
        ];
      };
      upstream2.interfaces.up2.upstream = {
        provider = "vodafone";
        noNat.subnets6 = [
          "2a02:8106:208:e900::/56"
        ];
      };
      upstream3.interfaces.up3.upstream.provider = "starlink";
      # PPPoE session over the `up4` link.
      upstream4.interfaces.up4-pppoe = {
        type = "pppoe";
        upstream = {
          provider = "dsi";
          link = "up4";
          # Unit not shown here (presumably kbit/s) — confirm in the
          # consuming module.
          upBandwidth = 98000;
          noNat.subnets6 = [
            "2a00:8180:2000:37::1/128"
            "2a00:8180:2c00:200::/56"
          ];
        };
      };
      # One OSPF instance number per upstream/exit host.
      upstream1.ospf.upstreamInstance = 3;
      upstream2.ospf.upstreamInstance = 4;
      anon1.ospf.upstreamInstance = 5;
      freifunk.ospf.upstreamInstance = 6;
      upstream3.ospf.upstreamInstance = 7;
      upstream4.ospf.upstreamInstance = 8;
      # Per-gateway upstream preference lists (order differs per host;
      # presumably first = preferred, see the consuming module).
      c3d2-gw1.ospf.allowedUpstreams = [ "upstream3" "upstream4" "upstream1" "anon1" "freifunk" ];
      c3d2-gw2.ospf.allowedUpstreams = [ "upstream1" "upstream3" "upstream4" "anon1" "freifunk" ];
      c3d2-gw3.ospf.allowedUpstreams = [ "upstream4" "upstream3" "upstream1" "anon1" "freifunk" ];
      serv-gw.ospf.allowedUpstreams = [ "upstream4" "upstream1" "upstream3" "anon1" "freifunk" ];
      cls-gw.ospf.allowedUpstreams = [ "upstream4" "upstream1" "upstream3" "anon1" "freifunk" ];
      mgmt-gw.ospf.allowedUpstreams = [ "upstream4" "upstream1" "upstream3" "anon1" "freifunk" ];
      bgp.ospf.allowedUpstreams = [ "upstream4" "upstream1" "upstream3" "anon1" "freifunk" ];
      anon1.ospf.allowedUpstreams = [ "upstream1" "upstream3" "upstream4" "freifunk" ];
      priv17-gw-up3.ospf.allowedUpstreams = [ "upstream3" "upstream4" "upstream1" "anon1" "freifunk" ];
      # The public and anonymising gateways never use the direct uplinks.
      pub-gw.ospf.allowedUpstreams = [ "anon1" "freifunk" ];
      c3d2-anon.ospf.allowedUpstreams = [ "anon1" "freifunk" ];
      # Inbound port forwards on the upstream4 link. Every entry exposes
      # an internal host to the upstream network, so those targets are
      # effectively internet-facing (three of them are SSH). Entries
      # without a port in `destination` presumably keep the source port —
      # confirm in the consuming module.
      # NOTE(review): if "upstream4" is also a key of pillar.containers,
      # the container mapping further down defines forwardPorts for it a
      # second time; with a list-typed option mkMerge concatenates both
      # lists — confirm the option type.
      upstream4.forwardPorts = [
        {
          destination = "172.20.73.45:80";
          proto = "tcp";
          sourcePort = 80;
        }
        {
          destination = "172.20.73.45:443";
          proto = "tcp";
          sourcePort = 443;
        }
        {
          destination = "172.22.99.253";
          proto = "udp";
          sourcePort = 2325;
        }
        {
          destination = "172.22.99.253";
          proto = "udp";
          sourcePort = 2399;
        }
        {
          destination = "172.22.99.253";
          proto = "udp";
          sourcePort = 2327;
        }
        {
          destination = "172.22.99.253";
          proto = "udp";
          sourcePort = 2338;
        }
        {
          destination = "172.22.99.253";
          proto = "udp";
          sourcePort = 2339;
        }
        {
          destination = "172.22.99.253";
          proto = "udp";
          sourcePort = 40533;
        }
        {
          destination = "172.22.99.253";
          proto = "udp";
          sourcePort = 61699;
        }
        {
          destination = "172.20.73.47:22";
          proto = "tcp";
          sourcePort = 2223;
        }
        {
          destination = "172.20.73.48:30000";
          proto = "udp";
          sourcePort = 30000;
        }
        {
          destination = "172.22.99.175:22";
          proto = "tcp";
          sourcePort = 2224;
        }
        { # Gitea ssh
          # Address looked up from config.site.net, which this same file
          # fills from pillar.hosts-inet; the module system resolves the
          # reference lazily.
          destination = "${config.site.net.serv.hosts4.gitea}:22";
          proto = "tcp";
          sourcePort = 2222;
        }
      ];
    }
    # host priv*-gw settings
    (
      # Every container named "priv<N>-gw" gets the same upstream list.
      builtins.mapAttrs (hostName: _: {
        ospf.allowedUpstreams = [ "upstream4" "upstream3" "upstream1" "anon1" "freifunk" ];
      }) (
        lib.filterAttrs (hostName: _:
          builtins.match "priv[[:digit:]]+-gw" hostName != null
        ) pillar.containers
      )
    )
    # For each name in mainServers: a role = "server" host with one
    # `phys` interface per net whose host table contains that name; the
    # "cluster" interface additionally gets cls-gw as IPv4/IPv6 gateway.
    (builtins.foldl' (result: hostName: result // {
      "${hostName}" = {
        role = "server";
        interfaces = builtins.mapAttrs (net: _: {
          type = "phys";
        } // lib.optionalAttrs (net == "cluster") {
          gw4 = "cls-gw";
          gw6 = "cls-gw";
        }) (
          lib.filterAttrs (_: hosts: hosts ? ${hostName}) (
            # NOTE(review): all hosts-inet6 contexts are folded into one
            # attrset with `//` and then override hosts-inet, so for a
            # net present in several tables only the last table decides
            # whether `hostName` is a member — confirm this is intended.
            pillar.hosts-inet // (
              builtins.foldl' (result: hosts: result // hosts) {} (builtins.attrValues pillar.hosts-inet6)
            )
          )
        );
      };
    }) {} mainServers)
    # Switches and access points. `password` is a credential copied from
    # the pillar into the host definition; where it ends up (e.g. whether
    # the consuming module renders it into a world-readable store path)
    # is decided elsewhere — confirm.
    (builtins.mapAttrs (_: switch: {
      inherit (switch) model location password;
      role = "switch";
    }) pillar.switches)
    (builtins.mapAttrs (_: ap: {
      inherit (ap) model location password;
      role = "ap";
    }) pillar.cpe)
    # Containers from pillar.containers, each with its own pillar
    # (saltPillarFor name) for upstream, wireguard, ospf, bgp and
    # port-forwarding data.
    (builtins.mapAttrs (name: container:
      let
        ctPillar = self.lib.saltPillarFor name;
      in {
        role = "container";
        # Function application binds tighter than `//`, so this is
        # (renameAttr "gw" "gw4" (forceVeth interface)) // { ... }:
        # the pillar's `gw` becomes `gw4`, `type` is forced to "veth",
        # and the container's upstream interface gets its upBandwidth.
        interfaces =
          builtins.mapAttrs (net: interface:
            renameAttr "gw" "gw4"
            (forceVeth interface) // (
              if ctPillar ? upstream &&
                 ctPillar.upstream.interface == net
              then {
                upstream.upBandwidth = ctPillar.upstream.up-bandwidth;
              }
              else {}
            )
          ) container.interfaces;
        # WireGuard instances, only for containers whose pillar has
        # wireguard-instances. Only the first peer is used; `head` on an
        # empty `peers` list is an evaluation error.
        wireguard =
          lib.optionalAttrs (ctPillar ? wireguard-instances) (
            builtins.mapAttrs (net: wgData: {
              inherit (builtins.head wgData.peers) endpoint;
              publicKey = (builtins.head wgData.peers).public_key;
              # Private key material copied from the pillar into the host
              # definition — confirm the consuming module does not render
              # it into a world-readable store path.
              privateKey = wgData.private_key;
              # `split` alternates strings and match lists; keeping the
              # strings yields the addresses. An `addr` that starts with
              # a separator may leave an empty string at the front.
              addresses = builtins.filter builtins.isString (
                builtins.split "[, ]+" wgData.addr
              );
              # NOTE(review): unguarded, unlike the `ctPillar ? upstream`
              # check above. Attribute values are lazy, so this only
              # fails when a consumer forces upBandwidth for a container
              # with wireguard-instances but no upstream — confirm.
              upBandwidth = ctPillar.upstream.up-bandwidth;
            }) ctPillar.wireguard-instances);
        # OSPF stub networks, each half only if the pillar provides it.
        ospf =
          let
            ospfConf = ctPillar.ospf;
          in lib.optionalAttrs (ctPillar ? ospf && ospfConf ? stubnets-inet) {
            stubNets4 = ospfConf.stubnets-inet;
          } // lib.optionalAttrs (ctPillar ? ospf && ospfConf ? stubnets-inet6) {
            stubNets6 = ospfConf.stubnets-inet6;
          };
        # BGP: null when the pillar has no bgp section (forwardPorts below
        # uses [] as its absent value instead).
        bgp =
          if ctPillar ? bgp
          then
            let
              bgpConf = ctPillar.bgp;
            in {
              inherit (bgpConf) asn;
              peers = bgpConf.peers-inet // bgpConf.peers-inet6;
            }
          else null;
        # Port forwards from the pillar. The pattern has no `...`, so an
        # entry with any key besides proto/port/to is an evaluation error.
        forwardPorts =
          if ctPillar ? port-forwarding
          then map ({ proto, port, to }: {
            proto = proto;
            sourcePort = port;
            destination = to;
          }) ctPillar.port-forwarding
          else [];
      }) pillar.containers)
  ] ++
  # One empty definition per host name in every IPv4 host table, so the
  # host exists even when nothing above configures it.
  (map (net:
    builtins.mapAttrs (_: addr4: {
    }) pillar.hosts-inet.${net}
  ) (builtins.attrNames pillar.hosts-inet)) ++
  # Same for every IPv6 host table in every context.
  (builtins.concatMap (ctx:
    map (net:
      builtins.mapAttrs (_: addr6: {
      }) pillar.hosts-inet6.${ctx}.${net}
    ) (builtins.attrNames pillar.hosts-inet6.${ctx})
  ) (builtins.attrNames pillar.hosts-inet6))
);
}