Compare commits


295 Commits
bgp ... master

Author SHA1 Message Date
Astro 1c02f8c0b0 ap73: replace ap64 2024-05-14 20:44:13 +02:00
Sandro - af5cf82ed2
dns: bump SOA checks 2024-05-01 23:15:47 +02:00
Sandro - 0ec977a618
dns: switch to serial-policy increment 2024-05-01 23:11:19 +02:00
Astro 065d86b527 revive NAT reflection 2024-05-01 22:27:11 +02:00
Astro 90a9ece874 upstream4: turn nat reflection back on for vpn-gw:wireguard
SNAT is needed as vpn-gw's default route does not go over upstream4.
2024-05-01 22:22:40 +02:00
Markus Schmidl 848cf110ed switch tlms monitoring from serv to flpk 2024-04-28 02:29:17 +02:00
Markus Schmidl dc4a045b92 net serv: add tlms-monitoring v6 2024-04-28 00:24:51 +02:00
Markus Schmidl 6b767f964d net serv: add tlms-monitoring 2024-04-28 00:13:03 +02:00
Sandro - 5e96baf278
dns: only notify over IPv6 which has no NATing 2024-04-25 20:08:08 +02:00
Sandro - a49408c480
dns: format 2024-04-25 20:04:38 +02:00
Sandro - f308cbb292
dns: map acl to key
upsi
2024-04-25 20:04:25 +02:00
Sandro - 793547d0ca
dns: add more ipv6 addresses 2024-04-24 21:58:12 +02:00
Sandro - 5b611d43f3
flpk: drop mail AAAA 2024-04-24 20:12:14 +02:00
Sandro - 54fe20b027
uci-config: disable ieee80211r 2024-04-22 21:06:09 +02:00
Sandro - 7872e9e5c5
Switch to our dns.nix fork 2024-04-22 20:41:37 +02:00
Sandro - f5e2724091
dns: advertise ns1.supersandro.de 2024-04-21 19:15:27 +02:00
Sandro - 57e86a5dbf
dns: listen on some addresses 2024-04-21 18:49:34 +02:00
Sandro - 18fb8b635f
dns: add public ns.spaceboyz.net 2024-04-21 18:47:30 +02:00
Sandro - 9b2b8250c4
dns: switch to knot 2024-04-21 18:17:41 +02:00
Sandro - d7fdfd8aa6
dns: fix missing dots 2024-04-21 00:03:38 +02:00
Sandro - e36881f687
Fix srv records 2024-04-20 23:57:34 +02:00
Sandro - 4e848d27f8
dns: collect records correctly 2024-04-20 23:31:13 +02:00
Sandro - e90f8e7ea6
Switch to dns.nix 2024-04-20 22:45:31 +02:00
Sandro - 54c215c320
dnscache: add fourth quad 9 server 2024-04-19 11:06:14 +02:00
Sandro - 349f3dcd1b
dnscache: set insecure domains again 2024-04-19 00:03:19 +02:00
Sandro - 05510d606b
dnscache: activate psl 2024-04-18 23:58:07 +02:00
Sandro - 0561661489
flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:SuperSandro2000/nixpkgs/5b8aa4fcd72d3e696ede8bfdbbe28e2fd52d23a0' (2024-04-18)
  → 'github:SuperSandro2000/nixpkgs/31755a107e7a2ec708a10d4cbb03c91b00108756' (2024-04-18)
2024-04-18 23:22:06 +02:00
Sandro - 1f6f96d433
dnscache: activate features that required extraFeatures enabled 2024-04-18 22:49:46 +02:00
Sandro - aa0f8b1a5a
dnscache: activate kresd extra features 2024-04-18 22:35:25 +02:00
Sandro - 19f8010560
flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:SuperSandro2000/nixpkgs/eacb5e3139ae31cdb8af9b33d5c53ab3ea61527f' (2024-02-08)
  → 'github:SuperSandro2000/nixpkgs/5b8aa4fcd72d3e696ede8bfdbbe28e2fd52d23a0' (2024-04-18)
• Updated input 'openwrt':
    'git+https://git.openwrt.org/openwrt/openwrt.git?ref=openwrt-23.05&rev=9e41117953e31ffe355416e962ecf0e000dc594d' (2024-02-07)
  → 'git+https://git.openwrt.org/openwrt/openwrt.git?ref=openwrt-23.05&rev=9b33b74ef71225442361d5192d3a727be212c3cd' (2024-04-18)
• Updated input 'openwrt-imagebuilder':
    'github:astro/nix-openwrt-imagebuilder/50b6b5c5ae73db5d43c38371d0e6ae4221c68e35' (2024-02-08)
  → 'github:astro/nix-openwrt-imagebuilder/f206bd647a53866c62920a0cfc245a2e358c3374' (2024-04-18)
2024-04-18 22:35:25 +02:00
Sandro - 62fae6a546
dnscache: fix eval and start 2024-04-18 22:18:40 +02:00
Sandro - 721e6959b3
Configure git aliases 2024-04-18 21:37:47 +02:00
Sandro - 3c5fe9c1df
dnscache: migrate to kresd 2024-04-18 21:37:42 +02:00
Sandro - 858d6b170f
Add ns1.supersandro as secondary DNS server 2024-04-18 21:01:26 +02:00
Sandro - 57ca79dc02
Set ddns-replace-client-name 2024-04-18 19:49:38 +02:00
Astro 6b0118254d priv23: bump dhcp.time to 900 2024-04-18 19:43:21 +02:00
Astro 42e2fd8681 ap: remove unused aps 2024-04-18 19:22:44 +02:00
Astro e19caf29ba priv23: lower dhcp.time to 300 2024-04-18 19:22:29 +02:00
Astro dc4cfef526 Revert "Add ddns-update-on-renew option and higher lease time"
This reverts commit 5e36c91ef6.

This is very bad for DynDNS and our DNS servers.
2024-04-18 19:20:53 +02:00
somebody 579fe9226d DHCP: Add control socket and tools 2024-04-18 14:03:26 +02:00
Daniel Poelzleithner 5e36c91ef6 Add ddns-update-on-renew option and higher lease time
Update DDNS entries on renew of lease. Automatically
fixes stale and missing DNS entries.

increase lease time to 15 minutes on priv networks
2024-04-18 13:48:56 +02:00
Sandro - c277a38f5c
upstream: add c3d2 range back 2024-04-17 21:10:43 +02:00
Daniel Poelzleithner 7b198d98a4 priv23: update fixed ips 2024-04-17 10:20:33 +02:00
Daniel Poelzleithner f67fb9333a priv23: change mac of static host 2024-04-16 23:05:37 +02:00
Daniel Poelzleithner eb8ba4d924 ap8: use lan:2 for priv23 network 2024-04-16 22:11:58 +02:00
Astro 6e9ee9c1fe pkgs/openwrt/uci-config: add automatic option band to combat wrong defaults in openwrt 2024-04-16 21:41:27 +02:00
Daniel Poelzleithner 0ae5e86f08 ap8/priv23: route private network to port lan1 2024-04-15 23:28:09 +02:00
Daniel Poelzleithner 7a83be4be9 Add dhcpdump for debugging to package list 2024-04-15 21:15:02 +02:00
Sandro - 753cd1d5f3
upstream: reflect on entire internal network 2024-04-14 21:31:18 +02:00
Sandro - b2b8ba1252
Remove duplicated IP range 2024-04-14 14:23:49 +02:00
Sandro - bc56014b83
Cleanup 2024-04-14 13:44:00 +02:00
Sandro - 0cfb02df6c
Disable mail in serv network, disable port forwards for mail 2024-04-13 15:13:41 +02:00
Sandro - f89eb6146d
upstream: fix mail forward 2024-04-12 23:38:41 +02:00
Sandro - 8c03619c0d
Update mail name 2024-04-12 18:21:16 +02:00
Sandro - 8c844dedd2
Just copy more upstream code to not make stupid mistakes 2024-04-12 00:18:15 +02:00
Sandro - 6a29757919
Fix eval and nat rules 2024-04-12 00:12:12 +02:00
Sandro - 611ac377be
upstream: fix masquerading 2024-04-12 00:01:55 +02:00
Sandro - a2f7356c53
Drop nat reflection
We want to preserve the source ip address especially when using ip allow
lists
2024-04-11 21:59:58 +02:00
Sandro - d76a1c5d25
Reflect 80, 443, 53 2024-04-11 21:12:54 +02:00
Sandro - 795571316f
Drop leon 2024-04-11 21:12:50 +02:00
Sandro - cb616b8b88
serv: add gitea v6 2024-04-08 13:47:56 +02:00
Astro 22a4fb5c39 replace ap54 with ap72 2024-04-03 20:53:13 +02:00
Tassilo - faf3f4eb23
renaming one network allocation addr from internal space 2024-04-01 18:11:41 +02:00
Sandro - f2ac3a3ae2
Remove duplicated -t argument 2024-03-23 23:32:23 +01:00
Astro 4f82d29f79 pkgs/openwrt/uci-config: uciDeleteAll wireless.radio 2024-03-10 20:46:39 +01:00
Astro 69d4bac929 net/mgmt: add ap72 2024-03-10 19:20:51 +01:00
Astro 5bfc31eae3 ap72: prepare 2024-03-10 19:19:20 +01:00
Astro ba0c26319c options: allow "HT40" for wifi htmode 2024-03-03 00:21:38 +01:00
Astro c181d9ad19 doc/hello: update openwrt model recommendations 2024-02-21 18:02:01 +01:00
Astro db45aa1cec pkgs/openwrt: update openwrt 18.06.9 hashes 2024-02-20 10:32:46 +01:00
Sandro - 38f08272a8
flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:SuperSandro2000/nixpkgs/a01cce68456d5c9df5d9620f3e0f8194c4457a45' (2024-02-08)
  → 'github:SuperSandro2000/nixpkgs/eacb5e3139ae31cdb8af9b33d5c53ab3ea61527f' (2024-02-08)
2024-02-08 22:49:20 +01:00
Sandro - 61731ca8bb
flake: fix 2024-02-08 20:40:35 +01:00
Sandro - 93398a69b9
flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'git+file:///home/sandro/src/nixpkgs' (2024-02-06)
  → 'github:SuperSandro2000/nixpkgs/a01cce68456d5c9df5d9620f3e0f8194c4457a45' (2024-02-08)
• Updated input 'openwrt':
    'git+https://git.openwrt.org/openwrt/openwrt.git?ref=openwrt-23.05&rev=c51d49ba3974ff9e350261bc023970f1d809962e' (2024-02-04)
  → 'git+https://git.openwrt.org/openwrt/openwrt.git?ref=openwrt-23.05&rev=9e41117953e31ffe355416e962ecf0e000dc594d' (2024-02-07)
• Updated input 'openwrt-imagebuilder':
    'github:astro/nix-openwrt-imagebuilder/443a26d41300963899e91bc130eee838b20fba9e' (2024-02-06)
  → 'github:astro/nix-openwrt-imagebuilder/50b6b5c5ae73db5d43c38371d0e6ae4221c68e35' (2024-02-08)
2024-02-08 20:38:01 +01:00
Sandro - 87cea37356
Revert bad change 2024-02-08 20:04:32 +01:00
Sandro - e6b77b8946
c3d2iot: bump dhcp time 2024-02-06 20:21:54 +01:00
Sandro - 14ce3fa31e
c3d2iot: add wled-fairydust 2024-02-06 19:55:24 +01:00
Sandro - f22fc0cd21
defaults: add dig 2024-02-06 18:53:47 +01:00
Sandro - f367cd84e1
c3d2iot: disable firewall for now 2024-02-06 18:22:27 +01:00
Sandro - 59c77fd898
flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/f4a8d6d5324c327dcc2d863eb7f3cc06ad630df4' (2024-01-29)
  → 'github:nixos/nixpkgs/9f2ee8c91ac42da3ae6c6a1d21555f283458247e' (2024-02-05)
• Updated input 'openwrt':
    'git+https://git.openwrt.org/openwrt/openwrt.git?ref=openwrt-23.05&rev=8a7f667fb53eb242b684e9c96124778bdee8b743' (2024-01-31)
  → 'git+https://git.openwrt.org/openwrt/openwrt.git?ref=openwrt-23.05&rev=c51d49ba3974ff9e350261bc023970f1d809962e' (2024-02-04)
• Updated input 'openwrt-imagebuilder':
    'github:astro/nix-openwrt-imagebuilder/a288a4b0d2ae43c87dbe44e39214d5c48c3fc0f0' (2024-02-04)
  → 'github:astro/nix-openwrt-imagebuilder/443a26d41300963899e91bc130eee838b20fba9e' (2024-02-06)
2024-02-06 18:19:37 +01:00
Sandro - da788522ab
c3d2iot: increase dhcp lease time, dump freifunk upstream 2024-02-06 18:18:19 +01:00
Astro df3d446992 pkgs/subnetplan/render.rb: fix 2024-02-05 04:07:45 +01:00
Astro 65127a79aa nixos-module/firewall: fix allowing ospf on routers 2024-02-05 03:52:02 +01:00
Astro 19527e47fd nixos-module/firewall: allow ospf on routers 2024-02-05 03:45:26 +01:00
Astro cf1a645d54 cluster: add vlan c3d2iot to servers 2024-02-05 01:34:17 +01:00
Astro de5e360e72 lib/dns: add c3d2iot to dynamicReverseZones4 2024-02-05 01:08:12 +01:00
Astro 09d01a5f43 ap71: prepare 2024-02-05 00:43:37 +01:00
Astro 46debf50c5 nixos-module/firewall: fix 2024-02-04 22:33:47 +01:00
Astro 19f0ae856f openwrt: update sha256 for legacy release 2024-02-04 22:33:25 +01:00
Astro f780643294 c3d2iot: disable disassocLowAck 2024-02-04 22:33:07 +01:00
Astro 6b3005ec1f ap2, ap31: fix c3d2iot 2024-02-04 21:18:39 +01:00
Astro 63328e8cdc contact.md: update 2024-02-04 20:55:25 +01:00
Astro 26bd8446b4 c3d2iot: set wifi psk 2024-02-04 20:53:12 +01:00
Astro f255d09d70 c3d2iot: rename c3d2iot-gw to iot-gw 2024-02-04 20:01:34 +01:00
Astro 8dcb480ea3 c3d2iot: fix addr 2024-02-04 19:57:07 +01:00
Astro 51919fa5d2 c3d2iot: prepare 2024-02-04 19:54:50 +01:00
Astro 9c765d05e0 ap58: remove wlan5-pub
on this device 5ghz is used for backhaul
2024-02-04 03:45:08 +01:00
Astro 85340e955d ap65: fix priv27 bridge 2024-01-31 21:27:18 +01:00
Astro cc172cf61e move priv27, reuse priv41 2024-01-31 20:27:21 +01:00
Astro 5758b028f4 priv49: deploy 2024-01-31 19:59:29 +01:00
Astro 872a2aad0d ap11: fix model 2024-01-31 19:32:17 +01:00
Astro 379e8cf9e6 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/d2003f2223cbb8cd95134e4a0541beea215c1073' (2024-01-19)
  → 'github:nixos/nixpkgs/f4a8d6d5324c327dcc2d863eb7f3cc06ad630df4' (2024-01-29)
• Updated input 'openwrt':
    'git+https://git.openwrt.org/openwrt/openwrt.git?ref=openwrt-23.05&rev=7338733dc94e3e3b5f3a32d98e9719af20be6cc0' (2024-01-20)
  → 'git+https://git.openwrt.org/openwrt/openwrt.git?ref=openwrt-23.05&rev=8a7f667fb53eb242b684e9c96124778bdee8b743' (2024-01-31)
2024-01-31 17:10:47 +01:00
Astro 0a9d749e64 ap57: switch roof 5ghz wifi from VHT80 to HT40 2024-01-30 23:38:35 +01:00
Astro 7720bc6160 ap19: update 2024-01-30 23:35:59 +01:00
Astro 7cbc0b4ecf vpn-gw: update a key 2024-01-30 23:35:29 +01:00
Astro 797886af1e vpn-gw: add peer 2024-01-27 23:57:47 +01:00
Sandro - 7c0e748b77
dns: fix more eval 2024-01-27 23:50:54 +01:00
Sandro - 0b2cc008b4
dns: fix eval 2024-01-27 23:49:11 +01:00
Sandro - 6122a49883
Rename bind to knot 2024-01-27 23:27:11 +01:00
Sandro - 4419a70661
Use variable for port forward 2024-01-27 23:20:07 +01:00
Astro 751a8279de contact.md: update 2024-01-22 15:53:44 +01:00
Astro f9782c3a4f ap69: deploy 2024-01-22 00:03:02 +01:00
Astro 7664394354 ap69, ap70: prepare 2024-01-21 23:16:25 +01:00
Astro 7af4dc6732 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/1e2e384c5b7c50dbf8e9c441a9e58d85f408b01f' (2023-12-17)
  → 'github:nixos/nixpkgs/d2003f2223cbb8cd95134e4a0541beea215c1073' (2024-01-19)
• Updated input 'openwrt':
    'git+https://git.openwrt.org/openwrt/openwrt.git?ref=openwrt-23.05&rev=fd6831731b9bde3847c7d8fd8dae528d863017dd' (2023-12-18)
  → 'git+https://git.openwrt.org/openwrt/openwrt.git?ref=openwrt-23.05&rev=7338733dc94e3e3b5f3a32d98e9719af20be6cc0' (2024-01-20)
• Updated input 'openwrt-imagebuilder':
    'github:astro/nix-openwrt-imagebuilder/130f7e8f40ceece87056b4aea866845c6d1b9b6b' (2023-12-18)
  → 'github:astro/nix-openwrt-imagebuilder/593e499e5fa5e92775f65d2a9bb1754b941d3e4a' (2024-01-21)
2024-01-21 20:21:37 +01:00
Sandro - 7a04f2d556
serv: cleanup 2023-12-30 00:11:54 +01:00
Astro a91e96900b network-homepage: add /security.txt 2023-12-29 17:20:23 +01:00
Sandro - 4c46e4befe
c3d2: add v4 for schalter to fix kea 2023-12-29 04:13:20 +01:00
Sandro - f83ff221b9
c3d2: add schalter back 2023-12-29 02:17:25 +01:00
Astro aaa5adab62 upstream4: add dn42 port forwarding 2023-12-28 21:15:21 +01:00
Sandro - 868e492014
Don't busyloop when fifo file is missing 2023-12-26 00:16:02 +01:00
Sandro - ab941d3770
Add htop 2023-12-26 00:09:29 +01:00
Markus Schmidl cdbd21c017 net/flpk: add ctf host 2023-12-24 20:01:23 +01:00
Sandro - 3167524757
flpk: cleanup 2023-12-24 18:57:03 +01:00
Astro 7605141e3e pkgs/openwrt/uci-config: create bridge devices for DSA 2023-12-20 23:37:27 +01:00
Astro cbf7404027 pkgs/openwrt/uci-config: revamp DSA config 2023-12-20 22:37:09 +01:00
Astro cda8b4bfbc ap67, ap68: fix priv12 2023-12-20 22:12:46 +01:00
Astro 30dab76fca ap67, ap68: deploy 2023-12-19 02:20:59 +01:00
Astro 571365548c pkgs/openwrt/uci-config: add config for Distributed Switch Architecture 2023-12-19 02:16:52 +01:00
Astro a8bb090bba nix/pkgs/openwrt/usteer-stats: fix fifo path to writable location 2023-12-19 02:16:13 +01:00
Astro e4337940bf ap66: fix 2023-12-18 23:23:58 +01:00
Astro 4aba3c5961 pkgs/openwrt/uci-config: make uci stats scripts +x 2023-12-18 22:34:39 +01:00
Astro a1dbc3d300 priv48: fix dhcp range 2023-12-18 22:31:20 +01:00
Astro 67bdd9cbfd ap66: deploy 2023-12-18 22:22:20 +01:00
Astro 7d5ec3c831 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/781e2a9797ecf0f146e81425c822dca69fe4a348' (2023-12-10)
  → 'github:nixos/nixpkgs/1e2e384c5b7c50dbf8e9c441a9e58d85f408b01f' (2023-12-17)
• Updated input 'openwrt':
    'git+https://git.openwrt.org/openwrt/openwrt.git?ref=openwrt-23.05&rev=d6b62611b845ea90ad4c901e28fa1787c4b7e9e5' (2023-11-24)
  → 'git+https://git.openwrt.org/openwrt/openwrt.git?ref=openwrt-23.05&rev=fd6831731b9bde3847c7d8fd8dae528d863017dd' (2023-12-18)
• Updated input 'openwrt-imagebuilder':
    'github:astro/nix-openwrt-imagebuilder/86b569526dfce69df8bc1fc7dc5d7b3f09ea52d3' (2023-11-26)
  → 'github:astro/nix-openwrt-imagebuilder/130f7e8f40ceece87056b4aea866845c6d1b9b6b' (2023-12-18)
2023-12-18 21:44:15 +01:00
Astro 0c74a10ac2 priv48-gw: fix 2023-12-18 21:41:03 +01:00
Astro 875f828ef0 c3d2: fix dhcp range 2023-12-18 21:37:50 +01:00
Astro d6279db3ec priv48: prepare 2023-12-18 21:36:57 +01:00
Sandro - 07eaed643f
Add pipebert ipv6 to fix deployment over ipv6 2023-12-17 16:40:47 +01:00
Sandro - 6e2b5e2c5b
serv: add vaultwarden, pretalx v6 2023-12-16 18:37:58 +01:00
Sandro - 71a3c1b687
Delete tmppleroma 2023-12-16 18:37:52 +01:00
Sandro - 754d8168fb
serv: add vaultwarden, pretalx 2023-12-16 18:34:22 +01:00
Jan Böhme bc72cbe596 priv2: fix for dhcp config, upstream4: added forwarded port 2023-12-12 17:46:07 +01:00
Astro 45c4938ad1 nixos-module/container/bird: fix check-upstream-ipv[46] ping path 2023-12-11 22:28:26 +01:00
Astro 86add1041d nixos-module/container/bird: fix for site.net.*.dhcp == null 2023-12-11 21:35:27 +01:00
Astro 60e7ce4f51 flake.nix: nixos 23.05 -> 23.11 2023-12-11 20:48:26 +01:00
Sandro - 072867a2a6
flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:SuperSandro2000/nixpkgs/c7ea327afe69a5431c4088186035f93660ffe16c' (2023-11-08)
  → 'github:SuperSandro2000/nixpkgs/337b3996fc95c5d53bc1af2ca650aa85b56c3c92' (2023-11-26)
• Updated input 'openwrt':
    'git+https://git.openwrt.org/openwrt/openwrt.git?ref=openwrt-23.05&rev=d3c193525e6210da2834050e92a077d408381320' (2023-11-06)
  → 'git+https://git.openwrt.org/openwrt/openwrt.git?ref=openwrt-23.05&rev=d6b62611b845ea90ad4c901e28fa1787c4b7e9e5' (2023-11-24)
• Updated input 'openwrt-imagebuilder':
    'github:astro/nix-openwrt-imagebuilder/5eac42bca97629365c763a6ab68f8ef38a338c8d' (2023-11-07)
  → 'github:astro/nix-openwrt-imagebuilder/86b569526dfce69df8bc1fc7dc5d7b3f09ea52d3' (2023-11-26)
2023-11-26 20:42:14 +01:00
Astro 13426907df remove pre-openwrt-imagebuilder configs 2023-11-18 03:31:51 +01:00
Astro dbc0e14f63 nixos-module/container/dhcp-server: don't set max-valid-lifetime but hold-reclaimed-time
hope that works without depleting the address pools
2023-11-14 23:30:41 +01:00
Astro dd3d650e46 nixos-module/container/dhcp-server: s/lib.optionalAttrs/lib.mkIf/ 2023-11-14 23:26:33 +01:00
Astro dc27ba9a69 stream.serv: fix addrs
fixes an ip6 reverse zone occurring twice in localZones.
2023-11-13 23:53:54 +01:00
Astro aee094ada3 net/serv: remove bogus fd42:42:c3d2:: address 2023-11-13 23:43:10 +01:00
Astro a138bc2d98 nixos-module/container/dhcp-server: set dhcp6 dns info 2023-11-13 23:35:54 +01:00
Astro aa81a890f3 pkgs/default: s/nixpkgs.lib/lib/ 2023-11-13 23:35:30 +01:00
Astro 93a1ac7ee9 pkgs/default: fix #export-config to contain both config and localZones 2023-11-13 23:34:51 +01:00
Astro 4e6dd9a4a1 nix/lib/config/options: remove net-combined 2023-11-13 23:33:35 +01:00
Astro 125beb091d priv19: remove extra dhcp.max-time config 2023-11-13 23:30:57 +01:00
Astro a9bebbe3a0 nixos-module/container/dhcp-server: just set Restart for kea-*-server.service 2023-11-13 23:14:16 +01:00
Astro c40997bacc nixos-module/container/dhcp-server: use the proper max-valid-lifetime parameter instead of calculating timers 2023-11-13 22:46:51 +01:00
Sandro - 6c6c6f30b0
kea: tweak renew,rebind timer to 2.5min/5min, change max-time of c3d2 to 1d 2023-11-13 19:53:32 +01:00
Astro 352d95bf55 pkgs/openwrt/usteer-stats.sh: output stats for all wlan interfaces 2023-11-10 19:28:02 +01:00
Astro ec47077368 lib/dns: split dynamicReverseZones for ipv4/ipv6 to avoid ip6.arpa zones ending up in reverseZones4 2023-11-10 00:43:57 +01:00
Astro 3295a15758 config/net/{c3d2,pub}: wiggle dhcp pool and times 2023-11-08 20:52:26 +01:00
Sandro - 7cc8115896
Add ripgrep 2023-11-08 01:13:30 +01:00
Sandro - 88a8c9f3e2
flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:SuperSandro2000/nixpkgs/2b29ce8cfbbc7967bd86016eda3944af22869bf4' (2023-11-04)
  → 'github:SuperSandro2000/nixpkgs/c7ea327afe69a5431c4088186035f93660ffe16c' (2023-11-08)
• Updated input 'openwrt':
    'git+https://git.openwrt.org/openwrt/openwrt.git?ref=openwrt-23.05&rev=ec54022549f90ba4b72ac4f089ee46510c7127e4' (2023-11-04)
  → 'git+https://git.openwrt.org/openwrt/openwrt.git?ref=openwrt-23.05&rev=d3c193525e6210da2834050e92a077d408381320' (2023-11-06)
• Updated input 'openwrt-imagebuilder':
    'github:astro/nix-openwrt-imagebuilder/5f000c690764b3f64cbb58dbc31d7c6be182d59d' (2023-11-05)
  → 'github:astro/nix-openwrt-imagebuilder/5eac42bca97629365c763a6ab68f8ef38a338c8d' (2023-11-07)
2023-11-08 01:12:54 +01:00
Sandro - bac3c5ba02
Disable assoc steering, initial delay, add comment, cleanup old comment
People should not notice any delay when initially connecting and their
device hopefully chooses an AP with good connection
2023-11-06 01:39:14 +01:00
Sandro - 588b86e1dc
flake.lock: Update
Flake lock file updates:

• Updated input 'openwrt-imagebuilder':
    'git+file:///home/sandro/src/github.com/astro/nix-openwrt-imagebuilder' (2023-11-04)
  → 'github:astro/nix-openwrt-imagebuilder/5f000c690764b3f64cbb58dbc31d7c6be182d59d' (2023-11-05)
2023-11-06 01:36:29 +01:00
Sandro - b9a2208602
Add comment 2023-11-05 23:59:32 +01:00
Sandro - e155bc1b1b
Add tmux 2023-11-05 23:59:25 +01:00
Sandro - 1732598123
Fix another chmod +x 2023-11-05 22:47:26 +01:00
Sandro - cd15bb1c9c
Add +x 2023-11-05 04:41:39 +01:00
Sandro - 14ca5736b2
flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:SuperSandro2000/nixpkgs/2b6e730df4c428d340b01efecf9199269c853eeb' (2023-10-29)
  → 'github:SuperSandro2000/nixpkgs/2b29ce8cfbbc7967bd86016eda3944af22869bf4' (2023-11-04)
• Updated input 'openwrt':
    'git+https://git.openwrt.org/openwrt/openwrt.git?ref=openwrt-23.05&rev=64ab02aff86839dad65d97d38ed302c73b22ad40' (2023-10-29)
  → 'git+https://git.openwrt.org/openwrt/openwrt.git?ref=openwrt-23.05&rev=ec54022549f90ba4b72ac4f089ee46510c7127e4' (2023-11-04)
• Updated input 'openwrt-imagebuilder':
    'github:astro/nix-openwrt-imagebuilder/bc529bf83f17e440e3c0e32a6f777dae59b24fc6' (2023-10-29)
  → 'github:astro/nix-openwrt-imagebuilder/98962168b64ee5456aeb2de8169a61c971050a28' (2023-11-04)
2023-11-05 04:13:34 +01:00
Sandro - 6547d4808c
Comment lots of things, use ft-over-air, set reassociation_deadline to 20s from 1s 2023-11-05 04:11:21 +01:00
Sandro - a84afb3a95
Throw out old and noisy candelatech firmware 2023-11-05 04:10:44 +01:00
Sandro - d2ed5665fc
Add comments 2023-11-05 03:46:53 +01:00
Astro 36dbe33fa4 pkgs/openwrt/default: fix script perms 2023-11-03 21:48:31 +01:00
Astro 82c6c49da4 ap65: deploy 2023-11-03 21:10:01 +01:00
Astro 6735263bcf cabling: port discovery! 2023-11-03 20:36:08 +01:00
Astro e50531209c pkgs/openwrt/usteer-stats.sh: fix by outputting types 2023-11-03 20:36:08 +01:00
Astro ccd904f700 pkgs/openwrt/uci-config: configure a static ieee80211rKey so that fast transition works with WPA3 2023-11-03 20:36:08 +01:00
Sandro - fa5ef40657
Name legacy consistent, add ZW Public where missing 2023-11-01 04:02:40 +01:00
Sandro - 80c94ba7a1
Fix legacy on 5 GHz 2023-11-01 04:02:15 +01:00
Sandro - 24145d86c4
Switch to 20 MHz bands on 2.4 GHz 2023-11-01 04:01:50 +01:00
Astro 10bcbd5d52 nix/pkgs/openwrt: add usteer stats 2023-11-01 01:22:43 +01:00
Astro 779cbe9795 pkgs/openwrt/uci-config: properly set mobility_domain, nasid to fix fast transition 2023-11-01 01:14:47 +01:00
Astro 053b49b83f net/serv: fix syntax 2023-10-29 22:00:34 +01:00
Astro 4dfba56509 net/serv: add activity-relay 2023-10-29 20:49:14 +01:00
Sandro - 933cdbac0c
network: don't wait for all interfaces to be online 2023-10-29 18:50:22 +01:00
Sandro - 01572b34c2
Switch to nixos-23.05 fork 2023-10-29 18:30:39 +01:00
Astro dab9f5d1e6 net/{c3d2,priv,pub}: increment dhcp times for stability 2023-10-29 17:56:13 +01:00
Astro b78f9c9305 nixos-module/container/dhcp-server: fix reservations by moving them from global dhcp4 config to subnet4 2023-10-28 03:40:15 +02:00
Astro 0e2c4c7afd nixos-module/container/dhcp-server: fix reservations 2023-10-28 03:20:51 +02:00
Astro 4901048463 config/net/*: lower dhcp times 2023-10-28 01:05:06 +02:00
Astro 6ac42aa334 nixos-module/container/dhcp-server: disable dyndns conflict resolution for dual stack operation 2023-10-28 00:45:24 +02:00
Astro 07963d1b61 nixos-module/container/dhcp-server: enable dhcp6-server just for dyndns 2023-10-27 23:46:06 +02:00
Astro 7149638ef0 pkgs/openwrt/uci-config: try some usteer tuning 2023-10-27 23:46:06 +02:00
Sandro - 5bf28d9326
Add comments 2023-10-27 19:52:03 +02:00
Astro 7722eb6243 nix/nixos-module/container/dhcp-server: fix dyndns and stats 2023-10-24 01:17:41 +02:00
Astro 9b39803076 nix/nixos-module/container/dhcp-server: migrate from isc-dhcpd to kea-dhcp4 2023-10-24 00:57:25 +02:00
Astro db71886898 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/81122565d7e8cb02536fa2bbcf4573c2a770d967' (2023-09-20)
  → 'github:NixOS/nixpkgs/c1cc5a1dc6ead6839b6dc0ebe29b36ba1daaf59c' (2023-10-20)
• Updated input 'openwrt':
    'git+https://git.openwrt.org/openwrt/openwrt.git?ref=openwrt-23.05&rev=4245adf4e0597c4a44c396dbe2206f26f73a1555' (2023-10-14)
  → 'git+https://git.openwrt.org/openwrt/openwrt.git?ref=openwrt-23.05&rev=4afff7b8b54c3b246fba30ed83dfac527e78e57d' (2023-10-20)
• Updated input 'openwrt-imagebuilder':
    'github:astro/nix-openwrt-imagebuilder/dac9cd8abfbf1254546eb12f0610fbc6cae9a709' (2023-10-15)
  → 'github:astro/nix-openwrt-imagebuilder/9b83af25f73021cea155004a8a42e4c195e27b5e' (2023-10-20)
2023-10-21 00:55:40 +02:00
Astro e034170ce2 pkgs/openwrt: install and configure usteerd 2023-10-21 00:50:55 +02:00
Astro 7856805718 nixos-module/server/defaults: install liboping 2023-10-20 22:03:22 +02:00
Tassilo - 094380ebb7
add rtrlab 2023-10-19 15:19:13 +02:00
Tassilo - 81bd3825a1
fixing v6 addr for server7 2023-10-18 23:22:23 +02:00
Tassilo - 4f53cc3508
removing server7 as section 2023-10-18 22:46:49 +02:00
Tassilo - 4a32f6d021
putting server7 into flpk and reserving ipv4 for dd-dns 2023-10-18 22:45:18 +02:00
Astro d507a95d9b nix/pkgs/openwrt/default: update pkgs for openwrt 23.05 2023-10-15 22:12:38 +02:00
Astro 5740e8b6e5 flake.nix: update input openwrt to 23.05 2023-10-15 19:43:12 +02:00
Astro 1dea065c82 flake.lock: Update
Flake lock file updates:

• Updated input 'openwrt':
    'git+https://git.openwrt.org/openwrt/openwrt.git?ref=openwrt-22.03&rev=92a0dd2447bda9a6d5440f4a94d9b617406e3f76' (2023-09-17)
  → 'git+https://git.openwrt.org/openwrt/openwrt.git?ref=openwrt-23.05&rev=4245adf4e0597c4a44c396dbe2206f26f73a1555' (2023-10-14)
2023-10-15 19:42:48 +02:00
Astro b839192f7b flake.lock: Update
Flake lock file updates:

• Updated input 'openwrt-imagebuilder':
    'github:astro/nix-openwrt-imagebuilder/4edbf74f124cd49f30705f82b6127741cbc4447e' (2023-09-25)
  → 'github:astro/nix-openwrt-imagebuilder/dac9cd8abfbf1254546eb12f0610fbc6cae9a709' (2023-10-15)
2023-10-15 19:40:23 +02:00
Tassilo - b7178ba555
removing link aggregation 2023-10-08 01:31:55 +02:00
Sandro - 8750906814
Enable fzf 2023-10-07 16:47:06 +02:00
Tassilo - 5fa2fbb024
adding dresden-zone-dns 2023-10-06 21:04:14 +02:00
Astro d33c0fa2c7 switch-b3: plug priv12 2023-09-29 00:21:17 +02:00
Astro 0aa6cb7828 pkgs/openwrt/uci-config: add support for disassoc_low_ack as used with ap57 2023-09-25 22:06:14 +02:00
Astro fc5f04850a switch-a1: stage many ports 2023-09-25 19:42:18 +02:00
Astro 3f654da630 ap42: plug out ap21 2023-09-21 00:11:49 +02:00
Astro cbb3e618e3 ap38: create br-priv47 2023-09-20 23:23:28 +02:00
Astro f04dcee530 upstream4: remove NAT reflection for dns
doesn't make sense, right?
2023-09-20 22:43:56 +02:00
Astro 30749a5a2b ap24: try to provide priv12 on lan ports 2023-09-20 22:43:21 +02:00
Astro 8c0ac6ba79 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/18388d019974e90a035bdb938a8a3ca3c0408db9' (2023-06-04)
  → 'github:NixOS/nixpkgs/81122565d7e8cb02536fa2bbcf4573c2a770d967' (2023-09-20)
• Updated input 'openwrt':
    'git+https://git.openwrt.org/openwrt/openwrt.git?ref=openwrt-22.03&rev=171b51519206b5e66ebd01d322f41d790976ce87' (2023-06-03)
  → 'git+https://git.openwrt.org/openwrt/openwrt.git?ref=openwrt-22.03&rev=92a0dd2447bda9a6d5440f4a94d9b617406e3f76' (2023-09-17)
• Updated input 'openwrt-imagebuilder':
    'github:astro/nix-openwrt-imagebuilder/b5901ec9361152f1f588445d1b3f06239ea4b86c' (2023-06-04)
  → 'github:astro/nix-openwrt-imagebuilder/083b982deb6c92848051708f41ba8315fe838a10' (2023-09-20)
2023-09-20 22:41:00 +02:00
Astro dfba6ae3b1 priv47: prepare and plug into ap38 2023-09-20 22:39:53 +02:00
Astro e2bd0ba1ca switch-c3d2-main: deploy another VOC port 2023-09-17 17:49:01 +02:00
Astro d38bb3f450 switch-a1: move port 2 to pub 2023-09-16 00:35:15 +02:00
Astro 39ac6cbc49 switch-ds1: deploy priv25 2023-09-15 19:30:39 +02:00
Astro 58d8d50751 switch: reflect actual plugging 2023-09-14 20:08:21 +02:00
Astro d42bbf429b switch-a1: ds23 2023-09-14 19:22:53 +02:00
Astro 9bff1f171e switch-ds3: deploy 2023-09-14 18:22:28 +02:00
Astro 8e878d1d75 switch-c3d2-main: rm dup vlan 2023-09-14 18:07:31 +02:00
Astro 8b53a1b681 switch-c3d2-main: add more VOC ports 2023-09-14 18:03:04 +02:00
Markus Schmidl 889021152c config/net/serv: add tlms-ctfd 2023-08-25 21:37:54 +02:00
Astro 3ac9e008f6 ap10: fix 2023-07-18 22:08:10 +02:00
Sandro - aa19bcb24f
Revert "Fix schalter ipv6"
This reverts commit 13379379f9.
2023-07-05 23:27:42 +02:00
Sandro - 13379379f9
Fix schalter ipv6 2023-06-25 20:20:02 +02:00
Astro 6c4c86e4a5 nixos-module/container/upstream: flush conntrack states after nat startup 2023-06-07 23:00:50 +02:00
Astro e48343ac8c net/core: add coloradio-gw 2023-06-05 01:32:57 +02:00
Astro 07433f8e7e nixos-module/container/dns: make nsupdate use TCP 2023-06-05 01:25:32 +02:00
Astro b8d27ab9ca nixos-module/container/lxc-config: simplify 2023-06-05 01:25:04 +02:00
Astro c41f5c56a6 nix/nixos-module/server/lxc-containers: make container config independent of host system 2023-06-05 01:17:05 +02:00
Astro e76c8a9a3a pkgs/switches/junos: update password hash method from SHA-256 to SHA-512 2023-06-05 00:27:24 +02:00
Astro 4ada8878fc upstream4: forward 8000/tcp for coloradio 2023-06-04 23:43:45 +02:00
Astro 674f119168 nixos-module/server/lxc-containers: fix container config syntax 2023-06-04 23:43:29 +02:00
Astro 5fa0ac96ff server2: remove deprecated boot.loader.grub.version 2023-06-04 23:36:49 +02:00
Astro d3446c1a94 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/4ecab3273592f27479a583fb6d975d4aba3486fe' (2023-05-31)
  → 'github:NixOS/nixpkgs/18388d019974e90a035bdb938a8a3ca3c0408db9' (2023-06-04)
• Updated input 'openwrt':
    'git+https://git.openwrt.org/openwrt/openwrt.git?ref=openwrt-22.03&rev=ce32068bf2d85e03d3dd034ab345d55247e5626c' (2023-05-28)
  → 'git+https://git.openwrt.org/openwrt/openwrt.git?ref=openwrt-22.03&rev=171b51519206b5e66ebd01d322f41d790976ce87' (2023-06-03)
• Updated input 'openwrt-imagebuilder':
    'github:astro/nix-openwrt-imagebuilder/c600f6dbe0516b34a307d9ec69015e123ec859a4' (2023-05-31)
  → 'github:astro/nix-openwrt-imagebuilder/b5901ec9361152f1f588445d1b3f06239ea4b86c' (2023-06-04)
2023-06-04 23:35:21 +02:00
Astro 22b08ab0b1 config/secrets: generate site.dyndnsKey that is accepted by dhcpd 2023-06-04 23:35:21 +02:00
Astro f73d4b64dc nixos-module/server/lxc-containers: prevent restart on host nixos-rebuild switch 2023-06-04 23:35:21 +02:00
Astro 87cf64653c nixos-module/server/lxc-containers: shorten coloradio iface names 2023-06-04 23:35:21 +02:00
Astro 8bb6821b87 prepare for nixos 23.05 2023-06-04 23:35:19 +02:00
Astro 371d41b69b flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/781df3d2de37ace250ba3c2731606c0b6bee465b' (2023-04-14)
  → 'github:NixOS/nixpkgs/4ecab3273592f27479a583fb6d975d4aba3486fe' (2023-05-31)
• Updated input 'openwrt':
    'git+https://git.openwrt.org/openwrt/openwrt.git?ref=openwrt-22.03&rev=9af29da281213108cd861ed77b0416bf6eda0aaf' (2023-04-13)
  → 'git+https://git.openwrt.org/openwrt/openwrt.git?ref=openwrt-22.03&rev=ce32068bf2d85e03d3dd034ab345d55247e5626c' (2023-05-28)
• Updated input 'openwrt-imagebuilder':
    'github:astro/nix-openwrt-imagebuilder/b3d1f398472452ea288ce2d8dbf20d6115bf1c64' (2023-04-14)
  → 'github:astro/nix-openwrt-imagebuilder/c600f6dbe0516b34a307d9ec69015e123ec859a4' (2023-05-31)
2023-06-04 23:34:50 +02:00
Astro d797cdd3a2 flake.nix: bump inputs.nixpkgs from 22.11 to 23.05 2023-06-04 23:34:50 +02:00
Sandro - d410bf0d82
Add telnet 2023-06-01 21:35:46 +02:00
Sandro - f46e961d1b
Format 2023-06-01 21:35:46 +02:00
Astro ef35aca8f2 config/net/coloradio: add interface type 2023-05-31 22:39:56 +02:00
Astro c6bf9edc6d config/net/coloradio: init 2023-05-31 22:38:16 +02:00
oxapentane - 3442a76eb5
reserve IP for uranus 2023-05-30 16:03:38 +02:00
Sandro - 000000003b
Fix eval 2023-05-26 22:31:54 +02:00
Sandro - 00000033d0
shorten comments 2023-05-26 22:30:17 +02:00
Sandro - 29ceeb88a4
network-graphs: use graphviz without X 2023-05-26 22:29:18 +02:00
Markus Schmidl 53692344ee remove old dns record 2023-05-26 22:24:06 +02:00
Markus Schmidl 8da1dba1af remove old upstream forward 2023-05-26 22:18:12 +02:00
Markus Schmidl 08f2340c34 cleanup serv ip addresses 2023-05-26 22:15:19 +02:00
Astro 05a1406968 switch-b3: remove one mgmt port 2023-05-19 18:29:08 +02:00
Astro fad2cd5d00 switch-b3: deploy server6 2023-05-19 18:26:10 +02:00
oxapentane - d7ea0a7d7b
serv: reserve IP for tram-borzoi 2023-05-19 17:51:46 +02:00
Markus Schmidl be66f26ad6 add port to switch on the roof 2023-05-11 15:45:17 +02:00
oxapentane - 0c5de6364b
serv: reserve an IP for borken-data-hoarder 2023-05-01 04:37:19 +02:00
Sandro - 9759deaaaf
c3d2: add pipebert 2023-04-29 21:26:11 +02:00
Sandro - 3750053a7b
c3d2: update mac of glotzbert 2023-04-24 21:37:19 +02:00
Astro d7e617d755 switch-b3: deploy priv30 2023-04-19 22:06:28 +02:00
Sandro - dd75dcd8e4
c3d2: add wled 2023-04-14 21:34:42 +02:00
Sandro - 91ca539317
flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/cdead16a444a3e5de7bc9b0af8e198b11bb01804' (2023-01-20)
  → 'github:NixOS/nixpkgs/781df3d2de37ace250ba3c2731606c0b6bee465b' (2023-04-14)
• Updated input 'openwrt':
    'git+https://git.openwrt.org/openwrt/openwrt.git?ref=openwrt-22.03&rev=1bead4c521b6f6cf711fd06398d54b1a6fbbef96' (2023-01-20)
  → 'git+https://git.openwrt.org/openwrt/openwrt.git?ref=openwrt-22.03&rev=9af29da281213108cd861ed77b0416bf6eda0aaf' (2023-04-13)
• Updated input 'openwrt-imagebuilder':
    'github:astro/nix-openwrt-imagebuilder/676f6c33fda9e0c94232001249364aebde67ffe4' (2023-02-25)
  → 'github:astro/nix-openwrt-imagebuilder/b3d1f398472452ea288ce2d8dbf20d6115bf1c64' (2023-04-14)
2023-04-14 21:27:01 +02:00
Sandro - 3069e4c5b9
upstream: remove port forward for removed minetest 2023-04-06 01:37:50 +02:00
Sandro - f53a153d4c
serv: add home-assistant 2023-04-03 20:41:43 +02:00
Sandro - d1afbcdf48
serv: add comment to reuse old ips 2023-04-03 20:41:34 +02:00
Sandro - e95536ff4f
serv: cleanup unused 2023-04-03 20:41:27 +02:00
Astro 7df69471c6 pkgs/openwrt: split off a working package set for tiny devices 2023-04-01 01:15:04 +02:00
Astro 9392b9c05a ap24: correct model, revert to wpa2 for flash space reasons 2023-04-01 01:15:04 +02:00
Sandro - e1ad3f3726
serv: sort, fix duplicated address for matrix 2023-03-24 00:01:26 +01:00
Sandro - 03bb74ff38
Add IPs for matrix 2023-03-23 23:47:13 +01:00
Markus Schmidl 211b59ed83 Revert "serv: add tlms-elastic"
This reverts commit c8ef65b97c.
2023-03-19 23:29:33 +01:00
Markus Schmidl c8ef65b97c serv: add tlms-elastic 2023-03-19 22:09:39 +01:00
oxapentane - 1f7e1e003b
remove duplicate ports 2023-03-06 23:03:33 +01:00
oxapentane - ac61e1f4f2
add server7 2023-03-06 23:00:56 +01:00
Astro 0a0ed7da0e flake.lock: Update
Flake lock file updates:

• Updated input 'openwrt-imagebuilder':
    'github:astro/nix-openwrt-imagebuilder/e1454108a5c2f9daf6c3f478962706379e41f765' (2023-01-29)
  → 'github:astro/nix-openwrt-imagebuilder/676f6c33fda9e0c94232001249364aebde67ffe4' (2023-02-25)
2023-02-25 16:02:04 +01:00
Astro 17932770b3 pkgs/openwrt/default: remove ath10k non-ct driver/firmware for ubnt_unifiac again 2023-02-25 16:01:31 +01:00
Astro 70adef38bb ap64: try to fix lan ports 2023-02-21 00:48:28 +01:00
Astro 131d6916a0 priv46: enlarge 2023-02-20 23:31:05 +01:00
Astro e7e4874366 ap64: deploy 2023-02-20 23:30:57 +01:00
Astro 4f85845c37 flake.lock: Update
Flake lock file updates:

• Updated input 'openwrt-imagebuilder':
    'github:astro/nix-openwrt-imagebuilder/f9b70efd4254e905a700361e3052fc4860dda73c' (2023-01-20)
  → 'github:astro/nix-openwrt-imagebuilder/e1454108a5c2f9daf6c3f478962706379e41f765' (2023-01-29)
2023-02-20 23:02:24 +01:00
Astro c931fced06 config/secrets-production: restore ospf secret 2023-02-20 20:00:17 +01:00
Astro fb69152675 deploy priv46 2023-02-20 19:59:06 +01:00
Sandro - f7f3ec5b26
Switch to drone 2023-01-29 20:53:08 +01:00
Sandro - a818cee9b5
Add woodpecker 2023-01-26 00:47:57 +01:00
Sandro - d6c14b1b0e
Add ledbeere back 2023-01-23 22:49:09 +01:00
Astro d3d82d4807 core: add hosts6.dn42.cls-gw 2023-01-22 01:45:19 +01:00
Astro ae6de7754c nixos-module/container/bird: revert bgp experiments for now 2023-01-22 01:44:35 +01:00
Astro f2bb5a2735 nixos-module/container/bird: bgp fixups 2023-01-22 01:42:19 +01:00
57 changed files with 2571 additions and 19152 deletions

View File

@ -26,11 +26,11 @@ Alle Stecker im Haus sind in Schema A gecrimpt.
| | ![][gi] B 2.05.02 | ![][gi] UVB 1.09 | | 14 | | | ![][gi] B 2.05.02 | ![][gi] UVB 1.09 | | 14 |
| ![][ri] B 4.02.01 *v* | ![][gi] B 2.05.05 | ![][gi] UVB 1.10 | | 15 | | ![][ri] B 4.02.01 *v* | ![][gi] B 2.05.05 | ![][gi] UVB 1.10 | | 15 |
| ![][ri] B 4.01.01 *v* | ![][gi] B 2.05.06 | ![][gi] 1.06 | | 16 | | ![][ri] B 4.01.01 *v* | ![][gi] B 2.05.06 | ![][gi] 1.06 | | 16 |
| ![][ri] B 4.03.01 | ![][gi] B 2.05.03 *v* | | | 17 | | ![][ri] B 4.03.01 *v* | ![][gi] B 2.05.03 *v* | ![][gi] 1.16 *v* | | 17 |
| ![][ri] B 4.04.01 *v* | ![][gi] B 2.05.07 *v* | | | 18 | | ![][ri] B 4.04.01 *v* | ![][gi] B 2.05.07 *v* | | | 18 |
| ![][ri] B 4.05.02 *v* | ![][gi] B 2.06 | | | 19 | | ![][ri] B 4.05.02 *v* | ![][gi] B 2.06 | | | 19 |
| ![][ri] B 4.06.01 *v* | ![][ri] B 2.07 | | | 20 | | ![][ri] B 4.06.01 *v* | ![][ri] B 2.07 | | | 20 |
| ![][ri] B 4.07.05 | | | | 21 | | ![][ri] B 4.07.05 *v* | | | | 21 |
| ![][ri] B 4.08.01 | | | | 22 | | ![][ri] B 4.08.01 | | | | 22 |
| ![][ri] B 4.09.01 *v* | | | | 23 | | ![][ri] B 4.09.01 *v* | | | | 23 |
| ![][ri] B 4.10.01 *v* | | | | 24 | | ![][ri] B 4.10.01 *v* | | | | 24 |

View File

@ -33,7 +33,7 @@
wifi = { wifi = {
"platform/qca953x_wmac" = { "platform/qca953x_wmac" = {
channel = 1; channel = 1;
htmode = "HT40+"; htmode = "HT20";
ssids = { ssids = {
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
uebergangsnetz = { net = "priv6"; }; uebergangsnetz = { net = "priv6"; };
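Review bot: The `htmode` change from `HT40+` to `HT20` on the `platform/qca953x_wmac` radio is the first of dozens of identical changes in this file, and none of them carries a comment recording why 40 MHz operation was dropped; one comment at the top of the file (or a sentence in the commit message) naming the reason would keep a later edit from silently reintroducing `HT40+`, which two of the new entries further down in this diff (`ap69`, `ap70`) already do on their 5 GHz radios.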
@ -60,15 +60,15 @@
}; };
}; };
location = "Turm D, 1. Etage"; location = "Turm D, 1. Etage";
model = "tl-wr841-v10"; model = "tl-wr841-v9";
role = "ap"; role = "ap";
wifi = { wifi = {
"platform/qca953x_wmac" = { "platform/qca953x_wmac" = {
channel = 6; channel = 6;
htmode = "HT40+"; htmode = "HT20";
ssids = { ssids = {
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
"iz-dresden.org" = { net = "priv15"; }; "iz-dresden.org" = { net = "priv15"; encryption = "wpa2"; };
}; };
}; };
}; };
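Review bot: `"iz-dresden.org"` gains `encryption = "wpa2"` here, but the hunk does not show what applies when `encryption` is unset, so a reader cannot tell whether this pins a weaker mode than the default. The commit log gives the reason for ap24 as flash space ("revert to wpa2 for flash space reasons"); a short comment on the SSID line pointing at that constraint would make the per-SSID exception self-explanatory. The same applies to `Bockwurst`, `Walter` and `farbwerk`, which receive the identical setting later in this file.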
@ -92,12 +92,12 @@
}; };
}; };
location = "B 2.03.04"; location = "B 2.03.04";
model = "tplink_tl-wr1043nd-v1"; model = "tplink_tl-wr1043nd-v2";
role = "ap"; role = "ap";
wifi = { wifi = {
"platform/ahb/18100000.wmac" = { "platform/ahb/18100000.wmac" = {
channel = 1; channel = 1;
htmode = "HT40+"; htmode = "HT20";
ssids = { ssids = {
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
braeunigkoschnik = { net = "priv8"; }; braeunigkoschnik = { net = "priv8"; };
@ -130,7 +130,7 @@
wifi = { wifi = {
"platform/ar934x_wmac" = { "platform/ar934x_wmac" = {
channel = 6; channel = 6;
htmode = "HT40+"; htmode = "HT20";
ssids = { ssids = {
"IrèneMélix" = { net = "priv38"; }; "IrèneMélix" = { net = "priv38"; };
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
@ -139,8 +139,6 @@
}; };
}; };
}; };
ap13 = { };
ap14 = { };
ap15 = { ap15 = {
interfaces = { interfaces = {
mgmt = { mgmt = {
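Review bot: Deleting the empty `ap13 = { };` and `ap14 = { };` entries (and `ap16` in the next hunk) is fine on its own, but links in this file are declared on both ends (for example `ap40` lists `ap70.ports` and `ap70` lists `ap40.ports`), so please confirm that no other host or switch in the tree still carries a `links` entry pointing at ap13, ap14 or ap16.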
@ -165,7 +163,7 @@
wifi = { wifi = {
"platform/ahb/18100000.wmac" = { "platform/ahb/18100000.wmac" = {
channel = 1; channel = 1;
htmode = "HT40+"; htmode = "HT20";
ssids = { ssids = {
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
etz250 = { net = "priv10"; }; etz250 = { net = "priv10"; };
@ -173,7 +171,6 @@
}; };
}; };
}; };
ap16 = { };
ap17 = { ap17 = {
interfaces = { interfaces = {
mgmt = { mgmt = {
@ -200,7 +197,7 @@
wifi = { wifi = {
"platform/ahb/18100000.wmac" = { "platform/ahb/18100000.wmac" = {
channel = 5; channel = 5;
htmode = "HT40+"; htmode = "HT20";
ssids = { ssids = {
EDUB = { net = "priv33"; }; EDUB = { net = "priv33"; };
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
@ -234,7 +231,7 @@
wifi = { wifi = {
"platform/qca953x_wmac" = { "platform/qca953x_wmac" = {
channel = 1; channel = 1;
htmode = "HT40+"; htmode = "HT20";
ssids = { ssids = {
"Restaurierung Wolff/Kober" = { net = "priv9"; }; "Restaurierung Wolff/Kober" = { net = "priv9"; };
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
@ -262,15 +259,15 @@
}; };
}; };
location = "Turm C oberste Etage"; location = "Turm C oberste Etage";
model = "tl-wr841-v10"; model = "tl-wr841-v11";
role = "ap"; role = "ap";
wifi = { wifi = {
"platform/qca953x_wmac" = { "platform/qca953x_wmac" = {
channel = 6; channel = 6;
htmode = "HT40+"; htmode = "HT20";
ssids = { ssids = {
"Studio 01127" = { net = "priv41"; }; "Bockwurst" = { net = "priv41"; encryption = "wpa2"; };
Walter = { net = "priv26"; }; Walter = { net = "priv26"; encryption = "wpa2"; };
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
}; };
}; };
@ -279,6 +276,7 @@
ap2 = { ap2 = {
interfaces = { interfaces = {
c3d2.type = "bridge"; c3d2.type = "bridge";
c3d2iot.type = "bridge";
mgmt = { mgmt = {
gw4 = "mgmt-gw"; gw4 = "mgmt-gw";
gw6 = "mgmt-gw"; gw6 = "mgmt-gw";
@ -303,15 +301,20 @@
htmode = "VHT80"; htmode = "VHT80";
ssids = { ssids = {
C3D2 = { net = "c3d2"; }; C3D2 = { net = "c3d2"; };
"ZW public legacy" = { net = "pub"; }; "ZW public" = { net = "pub"; };
}; };
}; };
"platform/ahb/18100000.wmac" = { "platform/ahb/18100000.wmac" = {
channel = 1; channel = 1;
htmode = "HT40+"; htmode = "HT20";
ssids = { ssids = {
"C3D2 legacy" = { net = "c3d2"; }; "C3D2 legacy" = { net = "c3d2"; };
"ZW public" = { net = "pub"; }; "C3D2 IoT" = {
net = "c3d2iot";
hidden = true;
disassocLowAck = false;
};
"ZW public legacy" = { net = "pub"; };
}; };
}; };
}; };
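Review bot: `hidden = true` on the new `"C3D2 IoT"` SSID should not be relied on as a security control; a hidden network name is still carried in client probe requests and in association frames, so it only keeps the SSID out of casual scan lists, and the isolation has to come from the `c3d2iot` bridge and whatever filtering sits behind it. The same three-line block (`net`, `hidden`, `disassocLowAck`) is copied verbatim into `ap31` further down; a shared attribute set would keep the two copies from drifting apart.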
@ -342,7 +345,7 @@
}; };
"platform/ahb/18100000.wmac" = { "platform/ahb/18100000.wmac" = {
channel = 5; channel = 5;
htmode = "HT40+"; htmode = "HT20";
ssids = { ssids = {
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
}; };
@ -372,7 +375,7 @@
wifi = { wifi = {
"pci0000:00/0000:00:00.0" = { "pci0000:00/0000:00:00.0" = {
channel = 11; channel = 11;
htmode = "HT40-"; htmode = "HT20";
ssids = { "ZW public" = { net = "pub"; }; }; ssids = { "ZW public" = { net = "pub"; }; };
}; };
}; };
@ -406,7 +409,7 @@
}; };
"platform/ahb/18100000.wmac" = { "platform/ahb/18100000.wmac" = {
channel = 1; channel = 1;
htmode = "HT40+"; htmode = "HT20";
ssids = { ssids = {
"LBK Network" = { net = "priv30"; }; "LBK Network" = { net = "priv30"; };
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
@ -425,23 +428,20 @@
pub.type = "bridge"; pub.type = "bridge";
}; };
links = { links = {
priv12 = { # Ends up in /etc/config but not in `swconfig dev switch0 show`
ports = [ "lan" ]; priv12.ports = [ "lan:1" "lan:2" "lan:3" "lan:4" ];
}; switch-b3.ports = [ "wan" ];
switch-b3 = {
ports = [ "wan" ];
};
}; };
location = "Farbwerk"; location = "Farbwerk";
model = "tl-wr740n-v1"; model = "tl-wr740n-v4";
role = "ap"; role = "ap";
wifi = { wifi = {
"platform/ar933x_wmac" = { "platform/ar933x_wmac" = {
channel = 6; channel = 6;
htmode = "HT40-"; htmode = "HT20";
ssids = { ssids = {
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
farbwerk = { net = "priv12"; }; farbwerk = { net = "priv12"; encryption = "wpa2"; };
}; };
}; };
}; };
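Review bot: The new comment about ports ending up in /etc/config but not in `swconfig dev switch0 show` records a discrepancy without saying whether `lan:1` to `lan:4` actually work on this device. Since the same hunk bumps `model` from `tl-wr740n-v1` to `tl-wr740n-v4`, the comment should state whether the per-port form was verified on the v4 hardware or remains a known-broken workaround, otherwise the next reader cannot tell which of the two changes fixed the problem.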
@ -464,13 +464,13 @@
ports = [ "wan" ]; ports = [ "wan" ];
}; };
}; };
location = "Farbwerk"; location = "Farbwerk, lost";
model = "tl-wr740n-v1"; model = "tl-wr740n-v1";
role = "ap"; role = "ap";
wifi = { wifi = {
"platform/ar933x_wmac" = { "platform/ar933x_wmac" = {
channel = 6; channel = 6;
htmode = "HT40-"; htmode = "HT20";
ssids = { ssids = {
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
farbwerk = { net = "priv12"; }; farbwerk = { net = "priv12"; };
@ -502,7 +502,7 @@
wifi = { wifi = {
"pci0000:00/0000:00:00.0" = { "pci0000:00/0000:00:00.0" = {
channel = 11; channel = 11;
htmode = "HT40-"; htmode = "HT20";
ssids = { ssids = {
Dezember = { net = "priv37"; }; Dezember = { net = "priv37"; };
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
@ -533,7 +533,7 @@
wifi = { wifi = {
"platform/qca953x_wmac" = { "platform/qca953x_wmac" = {
channel = 1; channel = 1;
htmode = "HT40+"; htmode = "HT20";
ssids = { "ZW public" = { net = "pub"; }; }; ssids = { "ZW public" = { net = "pub"; }; };
}; };
}; };
@ -561,7 +561,7 @@
wifi = { wifi = {
"platform/ar934x_wmac" = { "platform/ar934x_wmac" = {
channel = 9; channel = 9;
htmode = "HT40+"; htmode = "HT20";
ssids = { "ZW public" = { net = "pub"; }; }; ssids = { "ZW public" = { net = "pub"; }; };
}; };
}; };
@ -598,7 +598,7 @@
}; };
"platform/ahb/18100000.wmac" = { "platform/ahb/18100000.wmac" = {
channel = 6; channel = 6;
htmode = "HT40+"; htmode = "HT20";
ssids = { ssids = {
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
jungnickel-fotografie = { net = "priv13"; }; jungnickel-fotografie = { net = "priv13"; };
@ -633,7 +633,7 @@
wifi = { wifi = {
"pci0000:00/0000:00:00.0" = { "pci0000:00/0000:00:00.0" = {
channel = 128; channel = 128;
htmode = "HT40+"; htmode = "HT20";
ssids = { ssids = {
C3D2 = { net = "c3d2"; }; C3D2 = { net = "c3d2"; };
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
@ -641,7 +641,7 @@
}; };
"platform/ar934x_wmac" = { "platform/ar934x_wmac" = {
channel = 1; channel = 1;
htmode = "HT40+"; htmode = "HT20";
ssids = { ssids = {
"C3D2 legacy" = { net = "c3d2"; }; "C3D2 legacy" = { net = "c3d2"; };
"ZW public legacy" = { net = "pub"; }; "ZW public legacy" = { net = "pub"; };
@ -673,7 +673,7 @@
wifi = { wifi = {
"platform/ahb/18100000.wmac" = { "platform/ahb/18100000.wmac" = {
channel = 1; channel = 1;
htmode = "HT40+"; htmode = "HT20";
ssids = { ssids = {
WLANb0402 = { net = "priv14"; }; WLANb0402 = { net = "priv14"; };
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
@ -684,6 +684,7 @@
ap31 = { ap31 = {
interfaces = { interfaces = {
c3d2.type = "bridge"; c3d2.type = "bridge";
c3d2iot.type = "bridge";
mgmt = { mgmt = {
gw4 = "mgmt-gw"; gw4 = "mgmt-gw";
gw6 = "mgmt-gw"; gw6 = "mgmt-gw";
@ -711,9 +712,14 @@
}; };
"platform/ahb/18100000.wmac" = { "platform/ahb/18100000.wmac" = {
channel = 5; channel = 5;
htmode = "HT40+"; htmode = "HT20";
ssids = { ssids = {
"C3D2 legacy" = { net = "c3d2"; }; "C3D2 legacy" = { net = "c3d2"; };
"C3D2 IoT" = {
net = "c3d2iot";
hidden = true;
disassocLowAck = false;
};
FOTOAKADEMIEdd = { net = "priv39"; }; FOTOAKADEMIEdd = { net = "priv39"; };
"ZW public legacy" = { net = "pub"; }; "ZW public legacy" = { net = "pub"; };
}; };
@ -751,7 +757,7 @@
channel = 9; channel = 9;
htmode = "HT20"; htmode = "HT20";
ssids = { ssids = {
"ZW public" = { net = "pub"; }; "ZW public legacy" = { net = "pub"; };
"ZW stage legacy" = { net = "priv25"; }; "ZW stage legacy" = { net = "priv25"; };
}; };
}; };
@ -786,7 +792,7 @@
}; };
"platform/ahb/18100000.wmac" = { "platform/ahb/18100000.wmac" = {
channel = 9; channel = 9;
htmode = "HT40+"; htmode = "HT20";
ssids = { ssids = {
"C3D2 legacy" = { net = "c3d2"; }; "C3D2 legacy" = { net = "c3d2"; };
"ZW public legacy" = { net = "pub"; }; "ZW public legacy" = { net = "pub"; };
@ -823,7 +829,7 @@
}; };
"platform/ahb/18100000.wmac" = { "platform/ahb/18100000.wmac" = {
channel = 9; channel = 9;
htmode = "HT40+"; htmode = "HT20";
ssids = { ssids = {
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
etz250 = { net = "priv10"; }; etz250 = { net = "priv10"; };
@ -855,7 +861,7 @@
wifi = { wifi = {
"platform/ahb/18100000.wmac" = { "platform/ahb/18100000.wmac" = {
channel = 1; channel = 1;
htmode = "HT40+"; htmode = "HT20";
ssids = { ssids = {
Koch = { net = "priv18"; }; Koch = { net = "priv18"; };
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
@ -887,7 +893,7 @@
wifi = { wifi = {
"platform/ar933x_wmac" = { "platform/ar933x_wmac" = {
channel = 5; channel = 5;
htmode = "HT40+"; htmode = "HT20";
ssids = { ssids = {
"C3D2 legacy" = { net = "c3d2"; }; "C3D2 legacy" = { net = "c3d2"; };
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
@ -924,11 +930,10 @@
}; };
"platform/ahb/18100000.wmac" = { "platform/ahb/18100000.wmac" = {
channel = 6; channel = 6;
htmode = "HT40-"; htmode = "HT20";
ssids = { ssids = {
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
"hechtfilm.de legacy" = { net = "priv19"; }; "hechtfilm.de legacy" = { net = "priv19"; };
"LIZA".net = "priv43";
}; };
}; };
}; };
@ -942,6 +947,7 @@
}; };
priv20.type = "bridge"; priv20.type = "bridge";
priv28.type = "bridge"; priv28.type = "bridge";
priv47.type = "bridge";
pub.type = "bridge"; pub.type = "bridge";
}; };
links = { links = {
@ -967,11 +973,12 @@
}; };
"platform/ahb/18100000.wmac" = { "platform/ahb/18100000.wmac" = {
channel = 11; channel = 11;
htmode = "HT40-"; htmode = "HT20";
ssids = { ssids = {
"ZW heinrichsgarten" = { net = "priv28"; }; "ZW heinrichsgarten" = { net = "priv28"; };
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
plop = { net = "priv20"; }; plop = { net = "priv20"; };
millimeter = { net = "priv47"; };
}; };
}; };
}; };
@ -1000,7 +1007,7 @@
wifi = { wifi = {
"platform/10180000.wmac" = { "platform/10180000.wmac" = {
channel = 9; channel = 9;
htmode = "HT40+"; htmode = "HT20";
ssids = { ssids = {
EckiTino = { net = "priv7"; }; EckiTino = { net = "priv7"; };
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
@ -1033,7 +1040,7 @@
wifi = { wifi = {
"platform/ahb/18100000.wmac" = { "platform/ahb/18100000.wmac" = {
channel = 11; channel = 11;
htmode = "HT40-"; htmode = "HT20";
ssids = { ssids = {
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
"jam-circle.de" = { net = "priv4"; }; "jam-circle.de" = { net = "priv4"; };
@ -1052,12 +1059,9 @@
pub.type = "bridge"; pub.type = "bridge";
}; };
links = { links = {
priv22 = { priv22.ports = [ "lan:2" "lan:3" "lan:4" ];
ports = [ "lan:1" "lan:2" "lan:3" "lan:4" ]; ap70.ports = [ "lan:1" ];
}; switch-b3.ports = [ "wan" ];
switch-b3 = {
ports = [ "wan" ];
};
}; };
location = "B4.01"; location = "B4.01";
model = "tplink_archer-c7-v5"; model = "tplink_archer-c7-v5";
@ -1073,7 +1077,7 @@
}; };
"platform/ahb/18100000.wmac" = { "platform/ahb/18100000.wmac" = {
channel = 6; channel = 6;
htmode = "HT40-"; htmode = "HT20";
ssids = { ssids = {
"M legacy" = { net = "priv22"; }; "M legacy" = { net = "priv22"; };
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
@ -1113,7 +1117,7 @@
}; };
"platform/ahb/18100000.wmac" = { "platform/ahb/18100000.wmac" = {
channel = 6; channel = 6;
htmode = "HT40-"; htmode = "HT20";
ssids = { ssids = {
Walter = { net = "priv26"; }; Walter = { net = "priv26"; };
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
@ -1132,8 +1136,8 @@
pub.type = "bridge"; pub.type = "bridge";
}; };
links = { links = {
ap21.ports = [ "lan:3" ]; # ap21.ports = [ "lan:3" ];
priv4.ports = [ "lan:1" "lan:2" "lan:4" ]; priv4.ports = [ "lan:1" "lan:2" "lan:3" "lan:4" ];
switch-b3.ports = [ "wan" ]; switch-b3.ports = [ "wan" ];
}; };
location = "Dresden School of Lindy Hop"; location = "Dresden School of Lindy Hop";
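Review bot: `# ap21.ports = [ "lan:3" ];` leaves a commented-out link in the config while `lan:3` is reassigned to `priv4` on the following line; either delete the line or add a word on whether the ap21 uplink removal is temporary or permanent, otherwise the dead line will outlive whatever it was meant to remind someone of.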
@ -1142,7 +1146,7 @@
wifi = { wifi = {
"pci0000:00/0000:00:00.0" = { "pci0000:00/0000:00:00.0" = {
channel = 128; channel = 128;
htmode = "HT40+"; htmode = "HT20";
ssids = { ssids = {
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
"jam-circle.de" = { net = "priv4"; }; "jam-circle.de" = { net = "priv4"; };
@ -1150,7 +1154,7 @@
}; };
"platform/ahb/18100000.wmac" = { "platform/ahb/18100000.wmac" = {
channel = 11; channel = 11;
htmode = "HT40-"; htmode = "HT20";
ssids = { ssids = {
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
"jam-circle.de legacy" = { net = "priv4"; }; "jam-circle.de legacy" = { net = "priv4"; };
@ -1407,7 +1411,7 @@
wifi = { wifi = {
"platform/ahb/18100000.wmac" = { "platform/ahb/18100000.wmac" = {
channel = 1; channel = 1;
htmode = "HT40+"; htmode = "HT20";
ssids = { ssids = {
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
"verbalwerk.de" = { net = "priv5"; }; "verbalwerk.de" = { net = "priv5"; };
@ -1486,7 +1490,7 @@
}; };
"platform/ahb/18100000.wmac" = { "platform/ahb/18100000.wmac" = {
channel = 9; channel = 9;
htmode = "HT40+"; htmode = "HT20";
ssids = { ssids = {
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
antrares = { net = "priv17"; }; antrares = { net = "priv17"; };
@ -1555,7 +1559,7 @@
wifi = { wifi = {
"platform/qca953x_wmac" = { "platform/qca953x_wmac" = {
channel = 9; channel = 9;
htmode = "HT40+"; htmode = "HT20";
ssids = { ssids = {
"Karen Koschnick" = { net = "priv11"; }; "Karen Koschnick" = { net = "priv11"; };
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
@ -1581,13 +1585,13 @@
ports = [ "wan" ]; ports = [ "wan" ];
}; };
}; };
location = "B1.05.02"; location = "Removed";
model = "tplink_archer-c7-v5"; model = "tplink_archer-c7-v5";
role = "ap"; role = "ap";
wifi = { wifi = {
"pci0000:00/0000:00:00.0" = { "pci0000:00/0000:00:00.0" = {
channel = 128; channel = 128;
htmode = "HT40+"; htmode = "HT20";
ssids = { ssids = {
Abyssinia = { net = "priv35"; }; Abyssinia = { net = "priv35"; };
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
@ -1595,7 +1599,7 @@
}; };
"platform/ahb/18100000.wmac" = { "platform/ahb/18100000.wmac" = {
channel = 1; channel = 1;
htmode = "HT40+"; htmode = "HT20";
ssids = { ssids = {
Abyssinia = { net = "priv35"; }; Abyssinia = { net = "priv35"; };
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
@ -1704,9 +1708,12 @@
wifi = { wifi = {
"pci0000:00/0000:00:00.0" = { "pci0000:00/0000:00:00.0" = {
channel = 100; channel = 100;
htmode = "VHT80"; htmode = "HT40";
ssids = { ssids = {
"Zentralwerk" = { net = "roof"; }; "Zentralwerk" = {
net = "roof";
disassocLowAck = false;
};
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
}; };
}; };
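Review bot: `htmode` goes from `VHT80` to a bare `HT40` on the channel-100 radio; unlike every other 40 MHz setting in this file it carries no `+`/`-` suffix, and moving from the VHT to the HT family also drops 802.11ac rates rather than only halving the channel width. If the intent was a narrower channel while staying on 802.11ac, `VHT40` expresses that; if the intent really is the HT-only fallback, a comment next to the new `disassocLowAck = false` explaining the problem seen on the roof link would help.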
@ -1799,7 +1806,7 @@
}; };
"platform/ahb/18100000.wmac" = { "platform/ahb/18100000.wmac" = {
channel = 6; channel = 6;
htmode = "HT40-"; htmode = "HT20";
ssids = { ssids = {
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
"Ebs 2000" = { net = "priv21"; }; "Ebs 2000" = { net = "priv21"; };
@ -1830,7 +1837,7 @@
wifi = { wifi = {
"platform/qca953x_wmac" = { "platform/qca953x_wmac" = {
channel = 13; channel = 13;
htmode = "HT40-"; htmode = "HT20";
ssids = { "ZW public" = { net = "pub"; }; }; ssids = { "ZW public" = { net = "pub"; }; };
}; };
}; };
@ -1859,7 +1866,7 @@
wifi = { wifi = {
"pci0000:00/0000:00:00.0" = { "pci0000:00/0000:00:00.0" = {
channel = 128; channel = 128;
htmode = "HT40+"; htmode = "HT20";
ssids = { ssids = {
Abyssinia = { net = "priv35"; }; Abyssinia = { net = "priv35"; };
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
@ -1867,7 +1874,7 @@
}; };
"platform/ahb/18100000.wmac" = { "platform/ahb/18100000.wmac" = {
channel = 1; channel = 1;
htmode = "HT40+"; htmode = "HT20";
ssids = { ssids = {
Abyssinia = { net = "priv35"; }; Abyssinia = { net = "priv35"; };
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
@ -1895,7 +1902,7 @@
wifi = { wifi = {
"pci0000:00/0000:00:00.0" = { "pci0000:00/0000:00:00.0" = {
channel = 36; channel = 36;
htmode = "HT40+"; htmode = "HT20";
ssids = { ssids = {
tomiru = { net = "priv44"; }; tomiru = { net = "priv44"; };
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
@ -1903,7 +1910,7 @@
}; };
"platform/ahb/18100000.wmac" = { "platform/ahb/18100000.wmac" = {
channel = 1; channel = 1;
htmode = "HT40+"; htmode = "HT20";
ssids = { ssids = {
tomiru = { net = "priv44"; }; tomiru = { net = "priv44"; };
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
@ -1943,7 +1950,7 @@
}; };
"platform/ahb/18100000.wmac" = { "platform/ahb/18100000.wmac" = {
channel = 9; channel = 9;
htmode = "HT40+"; htmode = "HT20";
ssids = { ssids = {
"Wolke7 legacy" = { net = "priv45"; encryption = "wpa2"; }; "Wolke7 legacy" = { net = "priv45"; encryption = "wpa2"; };
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
@ -1975,7 +1982,7 @@
wifi = { wifi = {
"pci0000:00/0000:00:00.0" = { "pci0000:00/0000:00:00.0" = {
channel = 36; channel = 36;
htmode = "HT40+"; htmode = "HT20";
ssids = { ssids = {
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
EckiTino = { net = "priv7"; }; EckiTino = { net = "priv7"; };
@ -1983,7 +1990,7 @@
}; };
"platform/ahb/18100000.wmac" = { "platform/ahb/18100000.wmac" = {
channel = 9; channel = 9;
htmode = "HT40-"; htmode = "HT20";
ssids = { ssids = {
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
"EckiTino legacy" = { net = "priv7"; }; "EckiTino legacy" = { net = "priv7"; };
@ -1991,7 +1998,227 @@
}; };
}; };
}; };
ap64 = { }; ap64 = {
interfaces = {
mgmt = {
gw4 = "mgmt-gw";
gw6 = "mgmt-gw";
type = "phys";
};
priv46.type = "bridge";
pub.type = "bridge";
};
links = {
priv46 = {
ports = [ "lan:1" "lan:2" "lan:3" "lan:4" ];
};
switch-b3 = {
ports = [ "wan" ];
};
};
location = "replaced by ap73";
model = "tplink_tl-wr1043nd-v2";
role = "ap";
wifi = {
"platform/ahb/18100000.wmac" = {
channel = 1;
htmode = "HT20";
ssids = {
"ZW public" = { net = "pub"; };
"Princess Castle" = { net = "priv46"; };
};
};
};
};
ap65 = {
interfaces = {
mgmt = {
gw4 = "mgmt-gw";
gw6 = "mgmt-gw";
type = "phys";
};
priv12.type = "bridge";
priv27.type = "bridge";
pub.type = "bridge";
};
links = {
switch-b3.ports = [ "lan" ];
};
location = "El Perro";
model = "ubnt_unifi-6-lite";
role = "ap";
wifi = {
"1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0" = {
channel = 6;
htmode = "HT20";
ssids = {
"ZW public".net = "pub";
"farbwerk".net = "priv12";
"Kaffeetasse".net = "priv27";
};
};
"1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0" = {
channel = 149;
htmode = "VHT80";
ssids = {
"ZW public".net = "pub";
"farbwerk".net = "priv12";
};
};
};
};
ap66 = {
interfaces = {
priv48.type = "bridge";
mgmt = {
gw4 = "mgmt-gw";
gw6 = "mgmt-gw";
type = "phys";
};
pub.type = "bridge";
};
links = {
priv48.ports = [ "lan:1" "lan:2" "lan:3" "lan:4" ];
switch-b3.ports = [ "wan" ];
};
location = "B 4.03.01";
model = "tplink_archer-c7-v5";
role = "ap";
wifi = {
"pci0000:00/0000:00:00.0" = {
channel = 36;
htmode = "VHT80";
ssids = {
"Buschfunk4.03" = { net = "priv48"; };
"ZW public" = { net = "pub"; };
};
};
"platform/ahb/18100000.wmac" = {
channel = 9;
htmode = "HT20";
ssids = {
"Buschfunk4.03 legacy" = { net = "priv48"; };
"ZW public" = { net = "pub"; };
};
};
};
};
ap67 = {
interfaces = {
mgmt = {
gw4 = "mgmt-gw";
gw6 = "mgmt-gw";
type = "phys";
};
priv12.type = "bridge";
pub.type = "bridge";
};
links = {
priv12.ports = [
"lan1" "lan2" "lan3"
];
switch-b3.ports = [ "wan" ];
};
location = "Farbwerk";
model = "zyxel_wsm20";
role = "ap";
wifi = {
"1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0" = {
channel = 6;
htmode = "HT20";
ssids = {
"ZW public" = { net = "pub"; };
farbwerk = { net = "priv12"; };
};
};
"1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1" = {
channel = 149;
htmode = "VHT80";
ssids = {
"ZW public" = { net = "pub"; };
farbwerk = { net = "priv12"; };
};
};
};
};
ap68 = {
interfaces = {
mgmt = {
gw4 = "mgmt-gw";
gw6 = "mgmt-gw";
type = "phys";
};
priv12.type = "bridge";
pub.type = "bridge";
};
links = {
priv12.ports = [
"lan1" "lan2" "lan3"
];
switch-b3.ports = [ "wan" ];
};
location = "Farbwerk";
model = "zyxel_wsm20";
role = "ap";
wifi = {
"1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0" = {
channel = 1;
htmode = "HT20";
ssids = {
"ZW public" = { net = "pub"; };
farbwerk = { net = "priv12"; };
};
};
"1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1" = {
channel = 36;
htmode = "VHT80";
ssids = {
"ZW public" = { net = "pub"; };
farbwerk = { net = "priv12"; };
};
};
};
};
ap69 = {
interfaces = {
mgmt = {
gw4 = "mgmt-gw";
gw6 = "mgmt-gw";
type = "phys";
};
priv43.type = "bridge";
pub.type = "bridge";
};
links = {
priv43 = {
ports = [ "lan" ];
};
switch-b3 = {
ports = [ "wan" ];
};
};
location = "B.01.B01";
model = "tplink_archer-c7-v2";
role = "ap";
wifi = {
"pci0000:00/0000:00:00.0" = {
channel = 36;
htmode = "HT40+";
ssids = {
"ZW public".net = "pub";
"LIZA".net = "priv43";
};
};
"platform/ahb/18100000.wmac" = {
channel = 1;
htmode = "HT20";
ssids = {
"ZW public".net = "pub";
"LIZA".net = "priv43";
};
};
};
};
ap7 = { ap7 = {
interfaces = { interfaces = {
mgmt = { mgmt = {
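Review bot: `ap64` is expanded from `ap64 = { };` to a full entry whose `location` reads `replaced by ap73`, so the decommissioned status is encoded in a free-text field (compare `location = "Removed"` and `"Farbwerk, lost"` elsewhere in this diff) while ap13, ap14 and ap16 were simply deleted in the same change; pick one convention, either delete retired entries or add an explicit field for decommissioned devices, so nothing keeps generating a firmware image for an AP that no longer exists. Also in this hunk, the 5 GHz radio of `ap69` keeps `htmode = "HT40+"` while the rest of the diff moves 5 GHz radios to `HT20` or uses `VHT80`; worth confirming that is deliberate.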
@ -2016,7 +2243,7 @@
wifi = { wifi = {
"platform/qca953x_wmac" = { "platform/qca953x_wmac" = {
channel = 1; channel = 1;
htmode = "HT40+"; htmode = "HT20";
ssids = { ssids = {
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
mino = { net = "priv40"; }; mino = { net = "priv40"; };
@ -2024,6 +2251,137 @@
}; };
}; };
}; };
ap70 = {
interfaces = {
mgmt = {
gw4 = "mgmt-gw";
gw6 = "mgmt-gw";
type = "phys";
};
priv22.type = "bridge";
pub.type = "bridge";
};
links = {
priv22.ports = [ "lan" ];
ap40.ports = [ "wan" ];
};
location = "B4.01 behind ap40";
model = "tplink_archer-c7-v2";
role = "ap";
wifi = {
"pci0000:00/0000:00:00.0" = {
channel = 149;
htmode = "HT40+";
ssids = {
"ZW public".net = "pub";
M.net = "priv22";
};
};
"platform/ahb/18100000.wmac" = {
channel = 9;
htmode = "HT20";
ssids = {
"ZW public".net = "pub";
"M legacy".net = "priv22";
};
};
};
};
ap71 = {
interfaces = {
mgmt = {
gw4 = "mgmt-gw";
gw6 = "mgmt-gw";
type = "phys";
};
priv22.type = "bridge";
pub.type = "bridge";
};
links = {
priv22.ports = [ "eth1" "eth2" ];
ap40.ports = [ "eth0" ];
};
location = "B4.01 behind ap40";
model = "ubnt_unifi-usg";
role = "ap";
# No WiFi, splits just VLANs
};
ap72 = {
interfaces = {
mgmt = {
gw4 = "mgmt-gw";
gw6 = "mgmt-gw";
type = "phys";
};
priv12.type = "bridge";
pub.type = "bridge";
};
links = {
priv12.ports = [
"lan1" "lan2" "lan3"
];
switch-b3.ports = [ "wan" ];
};
location = "B1.05.02 (Patchpanel B12)";
model = "zyxel_wsm20";
role = "ap";
wifi = {
"1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0" = {
channel = 1;
htmode = "HT20";
ssids = {
"ZW public" = { net = "pub"; };
farbwerk = { net = "priv12"; };
};
};
"1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1" = {
channel = 36;
htmode = "VHT80";
ssids = {
"ZW public" = { net = "pub"; };
farbwerk = { net = "priv12"; };
};
};
};
};
ap73 = {
interfaces = {
mgmt = {
gw4 = "mgmt-gw";
gw6 = "mgmt-gw";
type = "phys";
};
priv46.type = "bridge";
pub.type = "bridge";
};
links = {
priv46.ports = [
"lan1" "lan2" "lan3"
];
switch-b3.ports = [ "wan" ];
};
location = "B4.07";
model = "zyxel_wsm20";
role = "ap";
wifi = {
"1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0" = {
channel = 1;
htmode = "HT20";
ssids = {
"ZW public" = { net = "pub"; };
"Princess Castle" = { net = "priv46"; };
};
};
"1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1" = {
channel = 36;
htmode = "VHT80";
ssids = {
"ZW public" = { net = "pub"; };
"Princess Castle" = { net = "priv46"; };
};
};
};
};
ap8 = { ap8 = {
interfaces = { interfaces = {
c3d2.type = "bridge"; c3d2.type = "bridge";
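Review bot: `ap71` declares `ap40.ports = [ "eth0" ]`, but the `ap40` hunk earlier in this diff lists only `priv22`, `ap70` and `switch-b3` in its `links`, so this link is one-sided; `ap70`, which also sits "behind ap40", has the reciprocal `ap40.ports`/`ap70.ports` pair, so either add the matching port on ap40 or point ap71 at the device it actually hangs off. Separately, `ap71` has `role = "ap"` with no `wifi` attribute and only the comment `# No WiFi, splits just VLANs`; if the module expects every `ap` to carry a `wifi` set, a dedicated role for the USG would be clearer than relying on the attribute being absent. `ap70`'s channel-149 radio also keeps `HT40+` while the rest of the diff moves to `HT20`.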
@ -2037,7 +2395,10 @@
}; };
links = { links = {
c3d2 = { c3d2 = {
ports = [ "lan:1" "lan:2" "lan:3" "lan:4" ]; ports = [ "lan:3" "lan:4" ];
};
priv23 = {
ports = [ "lan:2" ];
}; };
switch-b3 = { switch-b3 = {
ports = [ "wan" ]; ports = [ "wan" ];
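Review bot: After this change `lan:1` of ap8 belongs to no link (`c3d2` keeps `lan:3` and `lan:4`, `priv23` gets `lan:2`); if the port is deliberately left unassigned, a comment saying so avoids the question on the next review, and if it is not, it is now a port with no declared network on an AP that bridges a tenant network.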
@ -2049,7 +2410,7 @@
wifi = { wifi = {
"pci0000:00/0000:00:00.0" = { "pci0000:00/0000:00:00.0" = {
channel = 36; channel = 36;
htmode = "HT40+"; htmode = "HT20";
ssids = { ssids = {
C3D2 = { net = "c3d2"; }; C3D2 = { net = "c3d2"; };
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
@ -2057,7 +2418,7 @@
}; };
"platform/ar934x_wmac" = { "platform/ar934x_wmac" = {
channel = 13; channel = 13;
htmode = "HT40-"; htmode = "HT20";
ssids = { ssids = {
"C3D2 legacy" = { net = "c3d2"; }; "C3D2 legacy" = { net = "c3d2"; };
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
@ -2090,7 +2451,7 @@
wifi = { wifi = {
"platform/qca953x_wmac" = { "platform/qca953x_wmac" = {
channel = 1; channel = 1;
htmode = "HT40+"; htmode = "HT20";
ssids = { ssids = {
Herzzbuehne = { net = "priv16"; }; Herzzbuehne = { net = "priv16"; };
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
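Review bot: this hunk and the one before it move the 2.4 GHz radios (channel 13 on ap8, channel 1 here) from 40 MHz to HT20, which is the sensible default in that band: a 40 MHz channel overlaps most of the other usable 2.4 GHz channels and mostly buys interference with neighbouring cells. Worth keeping; only the 5 GHz change on ap8 above needs a rationale.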

View File

@ -18,7 +18,4 @@ in
# IP networks # IP networks
++ lib.filesystem.listFilesRecursive ./net; ++ lib.filesystem.listFilesRecursive ./net;
site.net-combined = concatMapAttrsRecursive (name: value: { inherit (value) hosts4 hosts6; }) config.site.net;
site.bgp.asn = 4242421127;
} }

View File

@ -1,75 +1,78 @@
{ config, lib, ... }: { lib, ... }:
{ {
site.net.c3d2 = { site.net.c3d2 = {
dhcp = { dhcp = {
server = "c3d2-gw3"; server = "c3d2-gw3";
start = "172.22.99.60"; start = "172.22.99.100";
end = "172.22.99.199"; end = "172.22.99.199";
fixed-hosts = { fixed-hosts = {
"172.22.99.96" = "08:00:27:bb:8c:b3"; "172.22.99.96" = "08:00:27:bb:8c:b3";
"172.22.99.98" = "08:00:27:aa:90:e2"; "172.22.99.98" = "08:00:27:aa:90:e2";
# "astrom.hq.c3d2.de" = "aa:00:5b:08:f0:5c"; # "astrom" = "aa:00:5b:08:f0:5c";
# "astron.hq.c3d2.de" = "aa:00:5b:08:f0:5b"; # "astron" = "aa:00:5b:08:f0:5b";
# "batman.hq.c3d2.de" = "5c:cf:7f:c0:05:28"; # "batman" = "5c:cf:7f:c0:05:28";
# "beere.hq.c3d2.de" = "b8:27:eb:ac:65:d2"; # "beere" = "b8:27:eb:ac:65:d2";
# "beere2.hq.c3d2.de" = "b8:27:eb:53:0b:27"; # "beere2" = "b8:27:eb:53:0b:27";
# "bender.hq.c3de.de" = "00:23:df:7e:c8:0a"; # "bender.hq.c3de.de" = "00:23:df:7e:c8:0a";
# "cider.hq.c3d2.de" = "00:0d:93:75:ee:fa"; # "cider" = "00:0d:93:75:ee:fa";
"dacbert.hq.c3d2.de" = "dc:a6:32:e0:46:bf"; "dacbert" = "dc:a6:32:e0:46:bf";
"dn42.hq.c3d2.de" = "aa:00:42:7a:32:46"; "dn42" = "aa:00:42:7a:32:46";
"drucker.hq.c3d2.de" = "00:23:c3:d2:12:0f"; # "drucker" = "00:23:c3:d2:12:0f";
# "feile.hq.c3d2.de" = "aa:00:5b:12:c1:f7"; # "feile" = "aa:00:5b:12:c1:f7";
# "fernandopoo.hq.c3d2.de" = "aa:00:f7:52:85:27"; # "fernandopoo" = "aa:00:f7:52:85:27";
# "fhem.hq.c3d2.de" = "b8:27:eb:9e:8b:db"; # "fhem" = "b8:27:eb:9e:8b:db";
# "git.hq.c3d2.de" = "aa:00:47:d8:57:10"; # "git" = "aa:00:47:d8:57:10";
"glotzbert.hq.c3d2.de" = "ec:a8:6b:fe:b4:cb"; "glotzbert" = "90:1b:0e:88:da:0a";
# "icq.hq.c3d2.de" = "aa:00:30:f6:27:89"; # "wled-nix-snowflake" = "44:17:93:10:77:e8";
# "jabber1.hq.c3d2.de" = "aa:00:0b:19:8f:14"; # "wled-fairy-dust" = "3c:61:05:e3:2f:ad";
# "jabber2.hq.c3d2.de" = "aa:00:3d:6a:23:b8"; # "wled-warnbert" = "3c:61:05:fc:21:37";
# "knot.hq.c3d2.de" = "52:54:cf:fd:ce:3f"; # "wled-matrix" = "e8:db:84:e4:f4:30";
# "ledball1.hq.c3d2.de" = "b8:27:eb:53:0b:27"; # "ledball1" = "b8:27:eb:53:0b:27";
# "ledbeere.hq.c3d2.de" = "b8:27:eb:60:99:59"; # Beleuchtungskiste auf Traverse über Fernseher
# "leviathan.hq.c3d2.de" = "00:ff:08:31:db:e5"; # "ledbeere" = "b8:27:eb:60:99:59";
# "lisbeth.hq.c3d2.de" = "b8:27:eb:a5:ee:5c"; # "leviathan" = "00:ff:08:31:db:e5";
# "marenz-build.hq.c3d2.de" = "44:1e:a1:59:2e:e8"; # "lisbeth" = "b8:27:eb:a5:ee:5c";
"matemat.hq.c3d2.de" = "a2:1b:7c:e8:19:72"; # "marenz-build" = "44:1e:a1:59:2e:e8";
# "minecraft.hq.c3d2.de" = "4a:57:d3:64:fe:e9"; # "matemat" = "a2:1b:7c:e8:19:72";
# "moleflap.hq.c3d2.de" = "aa:00:0d:b1:6c:67"; # "minecraft" = "4a:57:d3:64:fe:e9";
# "monit.hq.c3d2.de" = "00:23:ae:94:e7:19"; # "moleflap" = "aa:00:0d:b1:6c:67";
"public-access-proxy.hq.c3d2.de" = "12:24:5f:bd:9b:e7"; # "monit" = "00:23:ae:94:e7:19";
"pulsebert.hq.c3d2.de" = "b8:27:eb:16:31:61"; "pipebert" = "ec:a8:6b:fe:b4:cb";
# "ruststripe1.hq.c3d2.de" = "06:32:0e:39:21:69"; # "public-access-proxy" = "12:24:5f:bd:9b:e7";
"schalter.hq.c3d2.de" = "b8:27:eb:4c:be:ff"; "pulsebert" = "b8:27:eb:16:31:61";
# "semanta.hq.c3d2.de" = "00:ff:e4:bb:ea:2a"; # "ruststripe1" = "06:32:0e:39:21:69";
# "server2.hq.c3d2.de" = "d0:67:e5:f3:57:10"; "schalter" = "b8:27:eb:ac:65:d2";
# "server3.hq.c3d2.de" = "e4:1f:13:2e:4f:c0"; # "semanta" = "00:ff:e4:bb:ea:2a";
# "server4.hq.c3d2.de" = "00:9c:02:a9:26:01"; # "server2" = "d0:67:e5:f3:57:10";
# "sharing.hq.c3d2.de" = "00:23:c3:d2:75:18"; # "server3" = "e4:1f:13:2e:4f:c0";
# "sofafon.hq.c3d2.de" = "b8:27:eb:23:8d:01"; # "server4" = "00:9c:02:a9:26:01";
# "storage2.hq.c3d2.de" = "42:5e:0f:4e:f3:cc"; # "sharing" = "00:23:c3:d2:75:18";
# "ustriper.hq.c3d2.de" = "aa:bb:95:33:bb:aa"; # "sofafon" = "b8:27:eb:23:8d:01";
# "wiefelspuetz.hq.c3d2.de" = "aa:00:7f:01:8a:d0"; # "storage2" = "42:5e:0f:4e:f3:cc";
# "wormhole.hq.c3d2.de" = "00:23:c3:d2:00:76"; # "ustriper" = "aa:bb:95:33:bb:aa";
# "www1.hq.c3d2.de" = "aa:00:13:8b:03:47"; # "wiefelspuetz" = "aa:00:7f:01:8a:d0";
"riscbert.hq.c3d2.de" = "6c:cf:39:00:05:95"; # "wormhole" = "00:23:c3:d2:00:76";
# "www1" = "aa:00:13:8b:03:47";
# "riscbert" = "6c:cf:39:00:05:95";
}; };
time = 86400; time = 300;
max-time = 2592000; max-time = 30 * 24 * 3600;
router = "c3d2-gw3"; router = "c3d2-gw3";
}; };
domainName = "c3d2.zentralwerk.org"; domainName = "c3d2.zentralwerk.org";
dynamicDomain = true; dynamicDomain = true;
subnet4 = "172.22.99.0/24"; subnet4 = "172.22.99.0/24";
hosts4 = { hosts4 = {
bgp = "172.22.99.250";
c3d2-anon = "172.22.99.1"; c3d2-anon = "172.22.99.1";
c3d2-gw1 = "172.22.99.2"; c3d2-gw1 = "172.22.99.2";
c3d2-gw2 = "172.22.99.3"; c3d2-gw2 = "172.22.99.3";
c3d2-gw3 = "172.22.99.4"; c3d2-gw3 = "172.22.99.4";
dacbert = "172.22.99.203"; dacbert = "172.22.99.203";
schalter = "172.22.99.204";
glotzbert = "172.22.99.205"; glotzbert = "172.22.99.205";
pulsebert = "172.22.99.208"; pulsebert = "172.22.99.208";
pipebert = "172.22.99.209";
bgp = "172.22.99.250";
dn42 = "172.22.99.253"; dn42 = "172.22.99.253";
}; };
ipv6Router = "c3d2-gw3"; ipv6Router = "c3d2-gw3";
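Review bot: `"bender.hq.c3de.de"` keeps its (misspelled) FQDN key while every other fixed-hosts entry was shortened to the bare host name; it is commented out today, but if the module now appends the domain itself it will produce a wrong record the moment someone re-enables it, so shorten it with the rest. Two more things in this hunk worth a second look: schalter's new MAC `b8:27:eb:ac:65:d2` is the address listed for the commented-out beere entry, so re-enabling beere would give one MAC two reservations; and the default lease drops from 86400 s to 300 s while max-time stays at 30 days (2592000 s), so a client that asks for a long lease still holds its address for a month.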
@ -86,6 +89,7 @@
c3d2-gw1 = "2a00:8180:2c00:223::c3d2:2"; c3d2-gw1 = "2a00:8180:2c00:223::c3d2:2";
c3d2-gw2 = "2a00:8180:2c00:223::c3d2:3"; c3d2-gw2 = "2a00:8180:2c00:223::c3d2:3";
c3d2-gw3 = "2a00:8180:2c00:223::c3d2:4"; c3d2-gw3 = "2a00:8180:2c00:223::c3d2:4";
pipebert = "2a00:8180:2c00:223:eea8:6bff:fefe:b4cb";
}; };
subnets6 = { subnets6 = {
dn42 = "fd23:42:c3d2:523::/64"; dn42 = "fd23:42:c3d2:523::/64";
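Review bot: pipebert's hosts6 entry is the EUI-64 form of the MAC reserved for it in fixed-hosts above (`ec:a8:6b:fe:b4:cb` with the U/L bit flipped gives `eea8:6bff:fefe:b4cb`), so the name only stays correct while the host uses SLAAC without privacy extensions and keeps that NIC. The other fixed entries in this map use stable suffixes (`::c3d2:N`); the same for pipebert would survive a hardware swap and make the address obviously hand-assigned.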
@ -109,34 +113,28 @@
c3d2.hwaddr = "0A:14:48:01:07:05"; c3d2.hwaddr = "0A:14:48:01:07:05";
core.hwaddr = "0A:14:48:01:07:04"; core.hwaddr = "0A:14:48:01:07:04";
}; };
bgp.allowedUpstreams = [ "anon1" "freifunk" ]; ospf.allowedUpstreams = [ "anon1" "freifunk" ];
}; };
c3d2-gw1 = makeGateway { c3d2-gw1 = makeGateway {
interfaces = { interfaces = {
c3d2.hwaddr = "0A:14:48:01:21:01"; c3d2.hwaddr = "0A:14:48:01:21:01";
core.hwaddr = "0A:14:48:01:21:00"; core.hwaddr = "0A:14:48:01:21:00";
}; };
bgp.allowedUpstreams = [ "flpk-gw" "freifunk" "upstream4" "upstream3" "anon1" ]; ospf.allowedUpstreams = [ "flpk-gw" "freifunk" "upstream4" "upstream3" "anon1" ];
}; };
c3d2-gw2 = makeGateway { c3d2-gw2 = makeGateway {
interfaces = { interfaces = {
c3d2.hwaddr = "0A:14:48:01:21:03"; c3d2.hwaddr = "0A:14:48:01:21:03";
core.hwaddr = "0A:14:48:01:21:02"; core.hwaddr = "0A:14:48:01:21:02";
}; };
bgp.allowedUpstreams = [ "upstream3" "upstream4" "anon1" "freifunk" ]; ospf.allowedUpstreams = [ "upstream3" "upstream4" "anon1" "freifunk" ];
}; };
c3d2-gw3 = makeGateway { c3d2-gw3 = makeGateway {
interfaces = { interfaces = {
c3d2.hwaddr = "0A:14:48:01:21:05"; c3d2.hwaddr = "0A:14:48:01:21:05";
core.hwaddr = "0A:14:48:01:21:04"; core.hwaddr = "0A:14:48:01:21:04";
}; };
bgp = { ospf.allowedUpstreams = [ "upstream4" "upstream3" "anon1" "freifunk" ];
peers.${config.site.net.core.hosts6.dn42.bgp} = {
type = "rr_client";
name = "rr";
};
allowedUpstreams = [ "upstream4" "upstream3" "anon1" "freifunk" ];
};
}; };
}; };
} }


config/net/c3d2iot.nix Normal file
View File

@ -0,0 +1,47 @@
{
site.net.c3d2iot = {
dhcp = {
start = "10.22.0.2";
end = "10.22.255.253";
router = "iot-gw";
server = "iot-gw";
# devices don't often change and a missing DNS record causes trouble
time = 3600;
max-time = 24 * 3600;
};
dynamicDomain = true;
domainName = "c3d2iot.zentralwerk.org";
hosts4 = {
iot-gw = "10.22.0.1";
};
hosts6 = {
dn42 = {
iot-gw = "fd23:42:c3d2:587:ffff:ffff:ffff:ffff";
};
};
subnet4 = "10.22.0.0/16";
subnets6 = {
dn42 = "fd23:42:c3d2:587::/64";
up4 = "2a00:8180:2c00:287::/64";
};
};
site.hosts.iot-gw = {
# TODO: needs to be done more granular, aka allow c3d2 and serv network
# firewall.enable = true;
interfaces = {
core = {
hwaddr = "0A:22:48:01:24:01";
type = "veth";
};
c3d2iot = {
hwaddr = "0A:22:48:01:24:00";
type = "veth";
};
};
ospf = {
allowedUpstreams = [ "upstream4" "upstream3" "anon1" ];
};
role = "container";
};
}
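Review bot: `firewall.enable = true` stays commented out behind a TODO, so the new c3d2iot segment (10.22.0.0/16, fd23:42:c3d2:587::/64) ships with no host firewall on iot-gw; until the "more granular" rules exist, devices on that net can reach whatever iot-gw routes to, which defeats the point of a separate IoT network. Either land a coarse allow-list now (the comment already names c3d2 and serv as the intended exceptions) or track the TODO in an issue so it does not stay commented out. Smaller point: `subnets6.up4` declares 2a00:8180:2c00:287::/64 but `hosts6` gives iot-gw only a dn42 address; check whether the module derives the router's up4 address or needs one listed.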

View File

@ -1,4 +1,4 @@
{ config, lib, ... }: { lib, ... }:
let let
cephMonServers = [ "server5" "server6" "server8" ]; cephMonServers = [ "server5" "server6" "server8" ];
in in
@ -7,8 +7,15 @@ in
ipv6Router = "cls-gw"; ipv6Router = "cls-gw";
domainName = "cluster.zentralwerk.org"; domainName = "cluster.zentralwerk.org";
extraRecords = map (host: { extraRecords = map (host: {
data = "1 1 6789 ${host}"; data = {
name = "_ceph-mon._tcp"; service = "ceph-mon";
proto = "tcp";
priority = 1;
weight = 1;
port = 6789;
target = host;
};
name = "@";
type = "SRV"; type = "SRV";
}) cephMonServers }) cephMonServers
++ ++
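Review bot: in the new structured SRV record `target = host` is the bare server name ("server5" and so on). Confirm that the SRV serializer treats the target as relative to the zone origin (cluster.zentralwerk.org) or appends the domain itself; if it emits the label as-is, a resolver will look for a top-level `server5.` and the record will be wrong without any build-time error. The old free-form `"1 1 6789 ${host}"` had the same question, so a short comment on what the module does with `target` would close it for good.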
@ -137,6 +144,7 @@ in
"mgmt" "mgmt"
"serv" "serv"
"c3d2" "c3d2"
"c3d2iot"
"pub" "pub"
"priv23" "priv23"
"priv31" "priv31"
@ -158,13 +166,7 @@ in
type = "veth"; type = "veth";
}; };
}; };
bgp = { ospf.allowedUpstreams = [ "upstream4" "upstream3" "anon1" "freifunk" ];
peers.${config.site.net.core.hosts6.dn42.bgp} = {
type = "rr_client";
name = "rr";
};
allowedUpstreams = [ "upstream4" "upstream3" "anon1" "freifunk" ];
};
}; };
server3 = makeServer; server3 = makeServer;
server5 = makeServer; server5 = makeServer;


config/net/coloradio.nix Normal file
View File

@ -0,0 +1,38 @@
{
site.net.coloradio = {
domainName = "coloradio.zentralwerk.org";
subnet4 = "192.168.9.0/24";
hosts4 = {
coloradio-gw = "192.168.9.1";
coloradio-in = "192.168.9.2";
};
ipv6Router = "coloradio-gw";
subnets6.dn42 = "fd23:42:c3d2:590::/64";
hosts6.dn42 = {
coloradio-gw = "fd23:42:c3d2:590::1";
};
};
site.hosts = {
coloradio-gw = {
role = "container";
interfaces = {
core = {
type = "veth";
hwaddr = "0A:14:48:01:06:08";
gw4 = null;
gw6 = null;
};
coloradio = {
type = "veth";
hwaddr = "0A:14:48:01:06:09";
gw4 = null;
gw6 = null;
};
};
ospf.allowedUpstreams =
[ "upstream4" "upstream3" "freifunk" ];
};
};
}
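Review bot: site.net.coloradio has no `dhcp` block and `coloradio-in` appears only in hosts4, so clients on 192.168.9.0/24 must be configured statically and the one named host gets no IPv6 name. If that is intended (a studio uplink with fixed addressing), a comment like the one in c3d2iot.nix would make it explicit; if not, the net needs a dhcp block and a hosts6.dn42 entry for coloradio-in.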

View File

@ -1,5 +1,3 @@
{ config, lib, ... }:
{ {
site.net.core = { site.net.core = {
domainName = "core.zentralwerk.org"; domainName = "core.zentralwerk.org";
@ -54,6 +52,10 @@
priv43-gw = "172.20.72.68"; priv43-gw = "172.20.72.68";
priv44-gw = "172.20.72.70"; priv44-gw = "172.20.72.70";
priv45-gw = "172.20.72.72"; priv45-gw = "172.20.72.72";
priv46-gw = "172.20.72.73";
priv47-gw = "172.20.72.74";
priv48-gw = "172.20.72.75";
priv49-gw = "172.20.72.76";
priv5-gw = "172.20.72.15"; priv5-gw = "172.20.72.15";
priv6-gw = "172.20.72.16"; priv6-gw = "172.20.72.16";
priv7-gw = "172.20.72.17"; priv7-gw = "172.20.72.17";
@ -69,9 +71,10 @@
server8 = "172.20.72.58"; server8 = "172.20.72.58";
upstream3 = "172.20.72.11"; upstream3 = "172.20.72.11";
upstream4 = "172.20.72.12"; upstream4 = "172.20.72.12";
# unused = "172.20.72.62"; coloradio-gw = "172.20.72.62";
vpn-gw = "172.20.72.69"; vpn-gw = "172.20.72.69";
flpk-gw = "172.20.72.71"; flpk-gw = "172.20.72.71";
iot-gw = "172.20.72.77";
}; };
hosts6 = { hosts6 = {
dn42 = { dn42 = {
@ -81,8 +84,10 @@
c3d2-gw1 = "fd23:42:c3d2:581::c3d2:1"; c3d2-gw1 = "fd23:42:c3d2:581::c3d2:1";
c3d2-gw2 = "fd23:42:c3d2:581::c3d2:2"; c3d2-gw2 = "fd23:42:c3d2:581::c3d2:2";
c3d2-gw3 = "fd23:42:c3d2:581::c3d2:3"; c3d2-gw3 = "fd23:42:c3d2:581::c3d2:3";
cls-gw = "fd23:42:c3d2:581::c3d2:4";
freifunk = "fd23:42:c3d2:581:8000::1"; freifunk = "fd23:42:c3d2:581:8000::1";
mgmt-gw = "fd23:42:c3d2:581::8:3"; mgmt-gw = "fd23:42:c3d2:581::8:3";
iot-gw = "fd23:42:c3d2:581::8:7";
priv1-gw = "fd23:42:c3d2:581::c:0"; priv1-gw = "fd23:42:c3d2:581::c:0";
priv10-gw = "fd23:42:c3d2:581::c:9"; priv10-gw = "fd23:42:c3d2:581::c:9";
priv11-gw = "fd23:42:c3d2:581::c:a"; priv11-gw = "fd23:42:c3d2:581::c:a";
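Review bot: the new dn42 address for cls-gw, `fd23:42:c3d2:581::c3d2:4`, continues the `::c3d2:N` series used for c3d2-gw1..3, while its up4 address further down is `2a00:8180:2c00:281::8:4`, in the `::8:N` series used for the other gateways (mgmt-gw ::8:3, iot-gw ::8:7). Picking one scheme for both prefixes (`::8:4` in dn42, to match up4 and the iot-gw entry added in this same hunk) avoids a future reader assuming cls-gw is a fourth c3d2 gateway.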
@ -123,6 +128,10 @@
priv43-gw = "fd23:42:c3d2:581::c:2a"; priv43-gw = "fd23:42:c3d2:581::c:2a";
priv44-gw = "fd23:42:c3d2:581::c:2b"; priv44-gw = "fd23:42:c3d2:581::c:2b";
priv45-gw = "fd23:42:c3d2:581::c:2c"; priv45-gw = "fd23:42:c3d2:581::c:2c";
priv46-gw = "fd23:42:c3d2:581::c:2d";
priv47-gw = "fd23:42:c3d2:581::c:2e";
priv48-gw = "fd23:42:c3d2:581::c:2f";
priv49-gw = "fd23:42:c3d2:581::c:30";
priv5-gw = "fd23:42:c3d2:581::c:4"; priv5-gw = "fd23:42:c3d2:581::c:4";
priv6-gw = "fd23:42:c3d2:581::c:5"; priv6-gw = "fd23:42:c3d2:581::c:5";
priv7-gw = "fd23:42:c3d2:581::c:6"; priv7-gw = "fd23:42:c3d2:581::c:6";
@ -133,7 +142,7 @@
upstream3 = "fd23:42:c3d2:581::b:2"; upstream3 = "fd23:42:c3d2:581::b:2";
upstream4 = "fd23:42:c3d2:581::b:3"; upstream4 = "fd23:42:c3d2:581::b:3";
vpn-gw = "fd23:42:c3d2:581:9001::1"; vpn-gw = "fd23:42:c3d2:581:9001::1";
flpk-gw = "fd23:42:c3d2:581:9002::1"; coloradio-gw = "fd23:42:c3d2:581:9009::1";
}; };
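Review bot: this hunk removes flpk-gw's dn42 address (`fd23:42:c3d2:581:9002::1`) while adding coloradio-gw, but flpk-gw keeps its IPv4 core address (172.20.72.71) above and is still referenced as an allowed upstream elsewhere in this compare. If the removal is intentional (flpk-gw reaching core only over IPv4 and the global prefix), a comment would help; if it is a casualty of editing the neighbouring line, the entry needs to come back.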
up4 = { up4 = {
anon1 = "2a00:8180:2c00:281::9:1"; anon1 = "2a00:8180:2c00:281::9:1";
@ -145,6 +154,7 @@
cls-gw = "2a00:8180:2c00:281::8:4"; cls-gw = "2a00:8180:2c00:281::8:4";
freifunk = "2a00:8180:2c00:281:8000::1"; freifunk = "2a00:8180:2c00:281:8000::1";
mgmt-gw = "2a00:8180:2c00:281::8:3"; mgmt-gw = "2a00:8180:2c00:281::8:3";
iot-gw = "2a00:8180:2c00:281::8:7";
priv1-gw = "2a00:8180:2c00:281::c:0"; priv1-gw = "2a00:8180:2c00:281::c:0";
priv10-gw = "2a00:8180:2c00:281::c:9"; priv10-gw = "2a00:8180:2c00:281::c:9";
priv11-gw = "2a00:8180:2c00:281::c:a"; priv11-gw = "2a00:8180:2c00:281::c:a";
@ -185,6 +195,10 @@
priv43-gw = "2a00:8180:2c00:281::c:2a"; priv43-gw = "2a00:8180:2c00:281::c:2a";
priv44-gw = "2a00:8180:2c00:281::c:2b"; priv44-gw = "2a00:8180:2c00:281::c:2b";
priv45-gw = "2a00:8180:2c00:281::c:2c"; priv45-gw = "2a00:8180:2c00:281::c:2c";
priv46-gw = "2a00:8180:2c00:281::c:2d";
priv47-gw = "2a00:8180:2c00:281::c:2e";
priv48-gw = "2a00:8180:2c00:281::c:2f";
priv49-gw = "2a00:8180:2c00:281::c:30";
priv5-gw = "2a00:8180:2c00:281::c:4"; priv5-gw = "2a00:8180:2c00:281::c:4";
priv6-gw = "2a00:8180:2c00:281::c:5"; priv6-gw = "2a00:8180:2c00:281::c:5";
priv7-gw = "2a00:8180:2c00:281::c:6"; priv7-gw = "2a00:8180:2c00:281::c:6";
@ -193,6 +207,7 @@
serv-gw = "2a00:8180:2c00:281::8:1"; serv-gw = "2a00:8180:2c00:281::8:1";
upstream4 = "2a00:8180:2c00:281::b:1"; upstream4 = "2a00:8180:2c00:281::b:1";
vpn-gw = "2a00:8180:2c00:281:9001::1"; vpn-gw = "2a00:8180:2c00:281:9001::1";
coloradio-gw = "2a00:8180:2c00:281:9009::1";
}; };
}; };
subnet4 = "172.20.72.0/25"; subnet4 = "172.20.72.0/25";
@ -202,33 +217,15 @@
}; };
}; };
site.hosts = lib.mkMerge ([ { site.hosts = {
bgp = { bgp = {
bgp = { bgp = {
asn = 4242421127;
peers = { peers = {
"172.22.99.253" = { "172.22.99.253" = { asn = 64699; };
asn = 64699; "fe80::a800:42ff:fe7a:3246%c3d2" = { asn = 64699; };
type = "external";
name = "dn42_4";
};
"fe80::a800:42ff:fe7a:3246%c3d2" = {
asn = 64699;
type = "external";
name = "dn42_6";
};
# ${config.site.net.core.subnet4} = {};
${config.site.net.core.subnets6.dn42} = {
type = "rr_server";
name = "rr";
};
}; };
# allowedUpstreams =
# [ "upstream4" "upstream3" "anon1" "freifunk" ];
nets4 = [ "172.20.0.0/14" "10.0.0.0/8" ];
nets6 =
[ "fd00::/8" "2a00:8180:2c00:200::/56" ];
}; };
role = "container";
interfaces = { interfaces = {
c3d2 = { c3d2 = {
hwaddr = "0A:14:48:01:22:01"; hwaddr = "0A:14:48:01:22:01";
@ -239,21 +236,14 @@
type = "veth"; type = "veth";
}; };
}; };
}; ospf = {
} ] ++ builtins.concatMap (hostName: allowedUpstreams =
if hostName != "bgp" [ "upstream4" "upstream3" "anon1" "freifunk" ];
# everyone in core peers with router "bgp" stubNets4 = [ "172.20.0.0/14" "10.0.0.0/8" ];
then [ { stubNets6 =
${hostName}.bgp = { [ "fd00::/8" "2a00:8180:2c00:200::/56" ];
# peers.${config.site.net.core.hosts4.bgp} = {};
peers.${config.site.net.core.hosts6.dn42.bgp} = {
type = "rr_client";
name = "rr";
};
}; };
# TODO: upstreams role = "container";
} ] };
# except "bgp" itself :) };
else []
) (builtins.attrNames config.site.net.core.hosts6.dn42));
} }
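Review bot: the two dn42 peers on the bgp host lose their `type = "external"` and `name` fields in the rewrite; check that the module defaults those, since a peer silently becoming internal (same ASN assumed) or getting an auto-generated name changes how the session is configured and how it shows up in monitoring. Second, the stub routes moved from `bgp.nets4/nets6` to `ospf.stubNets4/stubNets6` still cover all of 10.0.0.0/8 and fd00::/8; with the new c3d2iot net at 10.22.0.0/16 behind iot-gw, every router must learn that more specific route via OSPF, otherwise traffic for the IoT segment follows the /8 stub to the bgp container. Worth a quick check after deploy.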

View File

@ -1,5 +1,3 @@
{ config, ... }:
{ {
site.net.flpk = { site.net.flpk = {
domainName = "flpk.zentralwerk.org"; domainName = "flpk.zentralwerk.org";
@ -9,23 +7,31 @@
subnets6.flpk = "2a0f:5382:acab:1400::/64"; subnets6.flpk = "2a0f:5382:acab:1400::/64";
hosts4 = { hosts4 = {
flpk-gw = "45.158.40.160"; flpk-gw = "45.158.40.160";
leon = "45.158.40.162"; notice-me-senpai = "45.158.40.162"; # tlms monitoring
sshlog = "45.158.40.163"; sshlog = "45.158.40.163";
caveman = "45.158.40.164"; caveman = "45.158.40.164";
leoncloud = "45.158.40.165"; # tlms-37c3-ctf vm on server9
ctf = "45.158.40.165";
mastodon = "45.158.40.166"; mastodon = "45.158.40.166";
c3d2-web = "45.158.40.167"; c3d2-web = "45.158.40.167";
mailtngbert = "45.158.40.168"; mail = "45.158.40.168";
dresden-zone-dns = "45.158.40.169";
# server7 = "45.158.40.170"; # unused
rtrlab = "45.158.40.171"; # temporary
}; };
hosts6.flpk = { hosts6.flpk = {
flpk-gw = "2a0f:5382:acab:1400::c3d2"; flpk-gw = "2a0f:5382:acab:1400::c3d2";
leon = "2a0f:5382:acab:1400::1e0"; notice-me-senpai = "2a0f:5382:acab:1400:2de:5bff:fef9:e23e"; # tlms-monitoring
sshlog = "2a0f:5382:acab:1400::22"; sshlog = "2a0f:5382:acab:1400::22";
caveman = "2a0f:5382:acab:1400::a4"; caveman = "2a0f:5382:acab:1400::a4";
leoncloud = "2a0f:5382:acab:1400::a5"; # tlms-37c3-ctf vm on server9
ctf = "2a0f:5382:acab:1400::a5";
mastodon = "2a0f:5382:acab:1400::a6"; mastodon = "2a0f:5382:acab:1400::a6";
c3d2-web = "2a0f:5382:acab:1400::a7"; c3d2-web = "2a0f:5382:acab:1400::a7";
mailtngbert = "2a0f:5382:acab:1400::a8"; # mail = "2a0f:5382:acab:1400::a8"; # we don't have an PTR for IPv6 and it gets way more often marked as spam
dresden-zone-dns = "2a0f:5382:acab:1400::a9";
# server7 = "2a0f:5382:acab:1400::aa";
rtrlab = "2a0f:5382:acab:1400::ab";
}; };
}; };
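Review bot: commenting out the AAAA for `mail` because there is no IPv6 PTR removes the spam-scoring symptom but leaves outbound mail IPv4-only; the durable fix is a PTR for 2a0f:5382:acab:1400::a8, after which the commented line can come back, so a TODO pointing at the reverse-zone delegation would be better than the current explanation alone. Also, `rtrlab` is marked `# temporary` in both address maps and `# server7` is parked at .170/::aa as unused, without an owner or date; reservations like that tend to outlive their purpose, so a date or ticket reference in the comment helps later cleanup.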
@ -50,13 +56,9 @@
}; };
}; };
}; };
bgp = { ospf = {
allowedUpstreams = [ "upstream4" "upstream3" "freifunk" ]; allowedUpstreams = [ "upstream4" "upstream3" "freifunk" ];
upstreamTable = "vpn_table"; upstreamInstance = 2;
peers.${config.site.net.core.subnets6.dn42} = {
type = "upstream";
name = "up";
};
}; };
role = "container"; role = "container";
}; };
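Review bot: `upstreamInstance = 2` replaces `upstreamTable = "vpn_table"` with a bare number; a comment naming what OSPF instance 2 carries (the VPN/upstream path, judging by the old table name) would spare the next reader a trip into the module, and the same applies to the other hosts that set only the default instance implicitly.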

View File

@ -63,7 +63,16 @@
ap62 = "10.0.0.102"; ap62 = "10.0.0.102";
ap63 = "10.0.0.103"; ap63 = "10.0.0.103";
ap64 = "10.0.0.104"; ap64 = "10.0.0.104";
ap65 = "10.0.0.105";
ap66 = "10.0.0.106";
ap67 = "10.0.0.107";
ap68 = "10.0.0.108";
ap69 = "10.0.0.109";
ap7 = "10.0.0.47"; ap7 = "10.0.0.47";
ap70 = "10.0.0.110";
ap71 = "10.0.0.111";
ap72 = "10.0.0.112";
ap73 = "10.0.0.113";
ap8 = "10.0.0.48"; ap8 = "10.0.0.48";
ap9 = "10.0.0.49"; ap9 = "10.0.0.49";
logging = "10.0.0.251"; logging = "10.0.0.251";
@ -98,6 +107,7 @@
switch-b3 = "10.0.0.18"; switch-b3 = "10.0.0.18";
switch-ds1 = "10.0.0.20"; switch-ds1 = "10.0.0.20";
switch-ds2 = "10.0.0.21"; switch-ds2 = "10.0.0.21";
switch-ds3 = "10.0.0.22";
}; };
hosts6 = { hosts6 = {
dn42 = { dn42 = {
@ -162,7 +172,16 @@
ap62 = "fd23:42:c3d2:580::4:3e"; ap62 = "fd23:42:c3d2:580::4:3e";
ap63 = "fd23:42:c3d2:580::4:3f"; ap63 = "fd23:42:c3d2:580::4:3f";
ap64 = "fd23:42:c3d2:580::4:40"; ap64 = "fd23:42:c3d2:580::4:40";
ap65 = "fd23:42:c3d2:580::4:41";
ap66 = "fd23:42:c3d2:580::4:42";
ap67 = "fd23:42:c3d2:580::4:43";
ap68 = "fd23:42:c3d2:580::4:44";
ap69 = "fd23:42:c3d2:580::4:45";
ap7 = "fd23:42:c3d2:580::4:7"; ap7 = "fd23:42:c3d2:580::4:7";
ap70 = "fd23:42:c3d2:580::4:46";
ap71 = "fd23:42:c3d2:580::4:47";
ap72 = "fd23:42:c3d2:580::4:48";
ap73 = "fd23:42:c3d2:580::4:49";
ap8 = "fd23:42:c3d2:580::4:8"; ap8 = "fd23:42:c3d2:580::4:8";
ap9 = "fd23:42:c3d2:580::4:9"; ap9 = "fd23:42:c3d2:580::4:9";
mgmt-gw = "fd23:42:c3d2:580:ffff:ffff:ffff:ffff"; mgmt-gw = "fd23:42:c3d2:580:ffff:ffff:ffff:ffff";
@ -192,7 +211,10 @@
type = "veth"; type = "veth";
}; };
}; };
bgp.allowedUpstreams = [ "upstream4" "upstream3" "anon1" "freifunk" ]; ospf = {
allowedUpstreams =
[ "upstream4" "upstream3" "anon1" "freifunk" ];
};
role = "container"; role = "container";
}; };
} }

View File

@ -1,6 +1,6 @@
{ lib, ... }: { lib, ... }:
let let
privCount = 45; privCount = 49;
seq = n: max: seq = n: max:
if n <= max if n <= max
then [ n ] ++ seq (n + 1) max then [ n ] ++ seq (n + 1) max
@ -16,8 +16,8 @@ lib.mkMerge (
site.net."priv${toString n}" = { site.net."priv${toString n}" = {
dhcp = { dhcp = {
server = "priv${toString n}-gw"; server = "priv${toString n}-gw";
time = 120; time = 300;
max-time = 86400; max-time = 60 * 24 * 3600;
router = "priv${toString n}-gw"; router = "priv${toString n}-gw";
}; };
domainName = "priv${toString n}.zentralwerk.org"; domainName = "priv${toString n}.zentralwerk.org";
@ -38,7 +38,7 @@ lib.mkMerge (
core.type = "veth"; core.type = "veth";
"priv${toString n}".type = "veth"; "priv${toString n}".type = "veth";
}; };
bgp.allowedUpstreams = [ "upstream4" "upstream3" "anon1" "freifunk" ]; ospf.allowedUpstreams = [ "upstream4" "upstream3" "anon1" "freifunk" ];
}; };
} }
) (seq 1 privCount) ) (seq 1 privCount)
@ -58,10 +58,12 @@ lib.mkMerge (
subnet4 = "172.20.75.0/27"; subnet4 = "172.20.75.0/27";
dhcp = { dhcp = {
start = "172.20.75.2"; start = "172.20.75.2";
end = "172.20.75.31"; end = "172.20.75.30";
fixed-hosts = { fixed-hosts = {
"172.20.75.2" = "ac:1f:6b:dc:93:8e";
"172.20.75.3" = "ac:1f:6b:dc:95:de";
"172.20.75.9" = "ac:1f:6b:dc:95:df";
"172.20.75.7" = "60:33:4b:0b:cd:fc"; "172.20.75.7" = "60:33:4b:0b:cd:fc";
"172.20.75.9" = "00:11:32:22:95:79";
}; };
}; };
}; };
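Review bot: the end of the dynamic range moving from .31 to .30 is a real fix, since 172.20.75.31 is the broadcast address of 172.20.75.0/27. Two things to confirm in the same block: the new reservations `.2` and `.3` sit exactly at the start of the dynamic range (`start = "172.20.75.2"`), which is only safe if the server excludes fixed-hosts from the pool (as it already had to for .7 and .9), and `.9` changes hands from `00:11:32:22:95:79` to `ac:1f:6b:dc:95:df`, so any leftover lease for the old MAC should be cleared on the server.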
@ -202,7 +204,6 @@ lib.mkMerge (
dhcp = { dhcp = {
start = "172.20.73.194"; start = "172.20.73.194";
end = "172.20.73.254"; end = "172.20.73.254";
max-time = lib.mkForce 2592000;
}; };
}; };
priv20 = { priv20 = {
@ -237,9 +238,10 @@ lib.mkMerge (
end = "172.20.73.190"; end = "172.20.73.190";
fixed-hosts = { fixed-hosts = {
"172.20.73.162" = "da:2c:3a:2c:87:22"; "172.20.73.162" = "da:2c:3a:2c:87:22";
"172.20.73.163" = "ca:9f:27:b2:bf:6d"; "172.20.73.163" = "b8:27:eb:16:31:61";
"172.20.73.164" = "60:01:94:6f:81:a6"; "172.20.73.164" = "ca:71:c4:90:3e:c7";
}; };
time = lib.mkForce 900;
}; };
}; };
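Review bot: the new MAC for 172.20.73.163, `b8:27:eb:16:31:61`, is the same address reserved as `pulsebert` in the c3d2 fixed-hosts in this compare (and pulsebert keeps 172.22.99.208 there). One device with reservations in two networks is fine only if it really moves between them (the priv23 bridge added to ap8 above suggests it might); if the c3d2 entry is obsolete, drop it so the two maps do not disagree about where the host lives.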
priv24 = { priv24 = {
@ -422,6 +424,38 @@ lib.mkMerge (
end = "172.20.77.174"; end = "172.20.77.174";
}; };
}; };
priv46 = {
hosts4 = { priv46-gw = "172.20.77.225"; };
subnet4 = "172.20.77.224/28";
dhcp = {
start = "172.20.77.226";
end = "172.20.77.238";
};
};
priv47 = {
hosts4 = { priv47-gw = "172.20.76.161"; };
subnet4 = "172.20.76.160/28";
dhcp = {
start = "172.20.76.162";
end = "172.20.76.174";
};
};
priv48 = {
hosts4 = { priv48-gw = "172.20.77.33"; };
subnet4 = "172.20.77.32/28";
dhcp = {
start = "172.20.77.34";
end = "172.20.77.46";
};
};
priv49 = {
hosts4 = { priv49-gw = "172.20.76.49"; };
subnet4 = "172.20.76.48/28";
dhcp = {
start = "172.20.76.50";
end = "172.20.76.62";
};
};
}; };
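Review bot: the four new priv nets each get a /28 with a 13-address dynamic pool (for example priv46: .226 to .238 in 172.20.77.224/28), while the shared priv dhcp block earlier in this file now sets `max-time = 60 * 24 * 3600`. If the server honours client-requested lease lengths up to max-time, a handful of devices asking for the maximum can hold a /28 pool for two months, which is a different failure mode than in the larger priv nets. Either keep max-time closer to the old 86400 s for these small nets or note why the long ceiling is acceptable here.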
site.hosts = { site.hosts = {
@ -540,7 +574,7 @@ lib.mkMerge (
hwaddr = "0A:14:47:02:2A:19"; hwaddr = "0A:14:47:02:2A:19";
}; };
}; };
bgp.allowedUpstreams = [ "upstream3" "upstream4" "anon1" "freifunk" ]; ospf.allowedUpstreams = [ "upstream3" "upstream4" "anon1" "freifunk" ];
}; };
priv18-gw = { priv18-gw = {
interfaces = { interfaces = {
@ -710,6 +744,30 @@ lib.mkMerge (
priv45.hwaddr = "0A:14:48:01:2A:57"; priv45.hwaddr = "0A:14:48:01:2A:57";
}; };
}; };
priv46-gw = {
interfaces = {
core.hwaddr = "0A:14:48:01:2A:58";
priv46.hwaddr = "0A:14:48:01:2A:59";
};
};
priv47-gw = {
interfaces = {
core.hwaddr = "0A:14:48:01:2A:5A";
priv47.hwaddr = "0A:14:48:01:2A:5B";
};
};
priv48-gw = {
interfaces = {
core.hwaddr = "0A:14:48:01:2A:5C";
priv48.hwaddr = "0A:14:48:01:2A:5D";
};
};
priv49-gw = {
interfaces = {
core.hwaddr = "0A:14:48:01:2A:5E";
priv49.hwaddr = "0A:14:48:01:2A:5F";
};
};
}; };
} ] } ]
) )

View File

@ -3,10 +3,10 @@
dhcp = { dhcp = {
start = "172.20.78.2"; start = "172.20.78.2";
end = "172.20.79.253"; end = "172.20.79.253";
max-time = 3600;
router = "pub-gw"; router = "pub-gw";
server = "pub-gw"; server = "pub-gw";
time = 300; time = 120;
max-time = 12 * 3600;
}; };
domainName = "pub.zentralwerk.org"; domainName = "pub.zentralwerk.org";
dynamicDomain = true; dynamicDomain = true;
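Review bot: the pub default lease drops to 120 s while max-time rises from 3600 s to 12 h. A 120 s lease means every client renews about once a minute, and with `dynamicDomain = true` those renewals may each touch the zone if leases are registered in DNS; meanwhile a client that asks for a long lease now keeps its address for 12 h instead of 1 h, which works against the apparent aim of recycling public-net addresses quickly. Stating which of the two is the goal in a comment would let the numbers be checked against it.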
@ -39,7 +39,7 @@
type = "veth"; type = "veth";
}; };
}; };
bgp = { ospf = {
allowedUpstreams = [ "anon1" "freifunk" ]; allowedUpstreams = [ "anon1" "freifunk" ];
allowedUpstreams6 = [ "flpk-gw" "anon1" "freifunk" ]; allowedUpstreams6 = [ "flpk-gw" "anon1" "freifunk" ];
}; };

View File

@ -7,51 +7,28 @@
serv-gw = "172.20.73.1"; serv-gw = "172.20.73.1";
dns = "172.20.73.2"; dns = "172.20.73.2";
stats = "172.20.73.3"; stats = "172.20.73.3";
radius = "172.20.73.4"; dresden-zone = "172.20.73.4";
zeit = "172.20.73.5"; tlms-elastic = "172.20.73.7"; # tlms
minecraft = "172.20.73.6";
used1 = "172.20.73.7";
dnscache = "172.20.73.8"; dnscache = "172.20.73.8";
used2 = "172.20.73.9"; tlms-ctfd = "172.20.73.9"; # tlms
used3 = "172.20.73.10";
used4 = "172.20.73.11";
used5 = "172.20.73.12";
logging = "172.20.73.13";
used6 = "172.20.73.14";
buzzrelay = "172.20.73.15"; buzzrelay = "172.20.73.15";
deployer = "172.20.73.16";
used7 = "172.20.73.17";
used8 = "172.20.73.18";
used9 = "172.20.73.19";
ipa = "172.20.73.20";
matemat = "172.20.73.21"; matemat = "172.20.73.21";
used10 = "172.20.73.22";
used11 = "172.20.73.23";
used12 = "172.20.73.24";
spaceapi = "172.20.73.25"; spaceapi = "172.20.73.25";
used13 = "172.20.73.26";
mucbot = "172.20.73.27"; mucbot = "172.20.73.27";
used14 = "172.20.73.28";
used15 = "172.20.73.29";
used16 = "172.20.73.30";
used17 = "172.20.73.31";
scrape = "172.20.73.32"; scrape = "172.20.73.32";
used19 = "172.20.73.33"; pretalx = "172.20.73.33";
used20 = "172.20.73.34"; vaultwarden = "172.20.73.34";
used21 = "172.20.73.35"; uranus = "172.20.73.37"; # tlms
used22 = "172.20.73.36"; tram-borzoi = "172.20.73.38"; # tlms
used23 = "172.20.73.37"; borken-data-hoarder = "172.20.73.39"; # tlms
used24 = "172.20.73.38"; matrix = "172.20.73.40";
used25 = "172.20.73.39"; activity-relay = "172.20.73.41";
used26 = "172.20.73.40";
direkthilfe = "172.20.73.41";
luulaatsch-asterisk = "172.20.73.42"; luulaatsch-asterisk = "172.20.73.42";
grafana = "172.20.73.43"; grafana = "172.20.73.43";
tmppleroma = "172.20.73.44";
public-access-proxy = "172.20.73.45"; public-access-proxy = "172.20.73.45";
marenz = "172.20.73.46"; marenz = "172.20.73.46";
network-homepage = "172.20.73.47"; network-homepage = "172.20.73.47";
minetest = "172.20.73.48"; home-assistant = "172.20.73.48";
hydra = "172.20.73.49"; hydra = "172.20.73.49";
owncast = "172.20.73.50"; owncast = "172.20.73.50";
nfsroot = "172.20.73.51"; nfsroot = "172.20.73.51";
@ -61,42 +38,38 @@
jabber = "172.20.73.55"; jabber = "172.20.73.55";
mobilizon = "172.20.73.56"; mobilizon = "172.20.73.56";
radiobert = "172.20.73.57"; radiobert = "172.20.73.57";
mail = "172.20.73.58"; # mail = "172.20.73.58";
keycloak = "172.20.73.59";
sdrweb = "172.20.73.60"; sdrweb = "172.20.73.60";
bind = "172.20.73.61"; knot = "172.20.73.61";
blogs = "172.20.73.62"; blogs = "172.20.73.62";
nix-build = "172.20.73.63"; staging-data-hoarder = "172.20.73.64"; # tlms
staging-data-hoarder = "172.20.73.64";
oparl = "172.20.73.65"; oparl = "172.20.73.65";
hedgedoc = "172.20.73.66"; hedgedoc = "172.20.73.66";
mediawiki = "172.20.73.67"; mediawiki = "172.20.73.67";
gnunet = "172.20.73.68"; gnunet = "172.20.73.68";
data-hoarder = "172.20.73.69"; data-hoarder = "172.20.73.69"; # tlms
broker = "172.20.73.70"; broker = "172.20.73.70";
ftp = "172.20.73.71"; ftp = "172.20.73.71";
auth = "172.20.73.72"; auth = "172.20.73.72";
factorio = "172.20.73.73"; doubleblind-science = "172.20.73.73";
zengel = "172.20.73.74";
prometheus = "172.20.73.75"; prometheus = "172.20.73.75";
oxigraph = "172.20.73.76"; drone = "172.20.73.77";
# FILL IN THE HOLES BEFORE APPENDING!
}; };
ipv6Router = "serv-gw"; ipv6Router = "serv-gw";
subnets6.dn42 = "fd23:42:c3d2:582::/64"; subnets6.dn42 = "fd23:42:c3d2:582::/64";
subnets6.up4 = "2a00:8180:2c00:282::/64"; subnets6.up4 = "2a00:8180:2c00:282::/64";
hosts6.dn42 = { hosts6.dn42 = {
bind = "fd23:42:c3d2:582:cd7:56ff:fe69:6366"; knot = "fd23:42:c3d2:582:cd7:56ff:fe69:6366";
blogs = "fd42:42:c3d2:582:b8a8:7dff:fee8:5ac2"; blogs = "fd23:42:c3d2:582:b8a8:7dff:fee8:5ac2";
dns = "fd23:42:c3d2:582:2:0:0:2"; dns = "fd23:42:c3d2:582:2:0:0:2";
dnscache = "fd23:42:c3d2:582:f096:dbff:fee8:427d"; dnscache = "fd23:42:c3d2:582:f096:dbff:fee8:427d";
gitea = "fd23:42:c3d2:582:702a:daff:fe35:83be";
grafana = "fd23:42:c3d2:582:4042:fbff:fe4b:2de8"; grafana = "fd23:42:c3d2:582:4042:fbff:fe4b:2de8";
hydra = "fd23:42:c3d2:582:e2cb:4eff:fe3b:f94b"; hydra = "fd23:42:c3d2:582:e2cb:4eff:fe3b:f94b";
jabber = "fd23:42:c3d2:582:b869:ccff:fe46:902a"; jabber = "fd23:42:c3d2:582:b869:ccff:fe46:902a";
keycloak = "fd23:42:c3d2:582:c48:bbff:fe87:721d"; # mail = "fd23:42:c3d2:582:88c0:41ff:fe70:d6cd";
logging = "fd23:42:c3d2:582:6811:edff:fe40:89c6";
mail = "fd23:42:c3d2:582:88c0:41ff:fe70:d6cd";
matemat = "fd23:42:c3d2:582:f82b:1bff:fedc:8572"; matemat = "fd23:42:c3d2:582:f82b:1bff:fedc:8572";
minetest = "fd23:42:c3d2:582:c3a:42ff:fe5d:b20c";
mobilizon = "fd23:42:c3d2:582:48d1:5cff:fea7:1676"; mobilizon = "fd23:42:c3d2:582:48d1:5cff:fea7:1676";
mongo = "fd23:42:c3d2:582:14ec:c8ff:fe0a:fc5c"; mongo = "fd23:42:c3d2:582:14ec:c8ff:fe0a:fc5c";
mucbot = "fd23:42:c3d2:582:28db:dff:fe6b:e89a"; mucbot = "fd23:42:c3d2:582:28db:dff:fe6b:e89a";
@ -106,69 +79,64 @@
serv-gw = "fd23:42:c3d2:582::1"; serv-gw = "fd23:42:c3d2:582::1";
spaceapi = "fd23:42:c3d2:582:1457:adff:fe93:62e9"; spaceapi = "fd23:42:c3d2:582:1457:adff:fe93:62e9";
stats = "fd23:42:c3d2:582:2:0:0:3"; stats = "fd23:42:c3d2:582:2:0:0:3";
zeit = "fd23:42:c3d2:582:2:0:0:5";
direkthilfe = "fd23:42:c3d2:582:1cde:c5ff:fe47:8c2a";
nix-build = "fd23:42:c3d2:582:683d:a9ff:fe45:3d1f";
staging-data-hoarder = "fd23:42:c3d2:582:2de:5bff:fef9:e23d"; staging-data-hoarder = "fd23:42:c3d2:582:2de:5bff:fef9:e23d";
oparl = "fd23:42:c3d2:582:2de:9aff:fece:3879"; oparl = "fd23:42:c3d2:582:2de:9aff:fece:3879";
gnunet = "fd23:42:c3d2:582:44"; gnunet = "fd23:42:c3d2:582:44";
broker = "fd23:42:c3d2:582:46"; broker = "fd23:42:c3d2:582:46";
ftp = "fd23:42:c3d2:582:47"; ftp = "fd23:42:c3d2:582:47";
zengel = "fd23:42:c3d2:582:4a";
network-homepage = "fd23:42:c3d2:582:2f"; network-homepage = "fd23:42:c3d2:582:2f";
owncast = "fd23:42:c3d2:582:32"; owncast = "fd23:42:c3d2:582:32";
prometheus = "fd23:42:c3d2:582:4b"; prometheus = "fd23:42:c3d2:582:4b";
buzzrelay = "fd23:42:c3d2:582:f"; buzzrelay = "fd23:42:c3d2:582:f";
oxigraph = "fd23:42:c3d2:582:4c"; oxigraph = "fd23:42:c3d2:582:4c";
tmppleroma = "fd23:42:c3d2:582:2c";
luulaatsch-asterisk = "fd23:42:c3d2:582:2a"; luulaatsch-asterisk = "fd23:42:c3d2:582:2a";
stream = "fd23:42:c3d2:583:dc91:c7ff:fe51:d1c5";
}; };
hosts6.up4 = { hosts6.up4 = {
bind = "2a00:8180:2c00:282:cd7:56ff:fe69:6366"; knot = "2a00:8180:2c00:282:cd7:56ff:fe69:6366";
blogs = "2a00:8180:2c00:282:b8a8:7dff:fee8:5ac2"; blogs = "2a00:8180:2c00:282:b8a8:7dff:fee8:5ac2";
dns = "2a00:8180:2c00:282:2:0:0:2"; dns = "2a00:8180:2c00:282:2:0:0:2";
dnscache = "2a00:8180:2c00:282:f096:dbff:fee8:427d"; dnscache = "2a00:8180:2c00:282:f096:dbff:fee8:427d";
gitea = "2a00:8180:2c00:282:702a:daff:fe35:83be";
grafana = "2a00:8180:2c00:282:4042:fbff:fe4b:2de8"; grafana = "2a00:8180:2c00:282:4042:fbff:fe4b:2de8";
hydra = "2a00:8180:2c00:282:e2cb:4eff:fe3b:f94b"; hydra = "2a00:8180:2c00:282:e2cb:4eff:fe3b:f94b";
jabber = "2a00:8180:2c00:282:b869:ccff:fe46:902a"; jabber = "2a00:8180:2c00:282:b869:ccff:fe46:902a";
keycloak = "2a00:8180:2c00:282:c48:bbff:fe87:721d"; # mail = "2a00:8180:2c00:282:88c0:41ff:fe70:d6cd";
logging = "2a00:8180:2c00:282:6811:edff:fe40:89c6";
mail = "2a00:8180:2c00:282:88c0:41ff:fe70:d6cd";
matemat = "2a00:8180:2c00:282:f82b:1bff:fedc:8572"; matemat = "2a00:8180:2c00:282:f82b:1bff:fedc:8572";
minetest = "2a00:8180:2c00:282:c3a:42ff:fe5d:b20c";
mobilizon = "2a00:8180:2c00:282:48d1:5cff:fea7:1676"; mobilizon = "2a00:8180:2c00:282:48d1:5cff:fea7:1676";
mongo = "2a00:8180:2c00:282:14ec:c8ff:fe0a:fc5c";
mucbot = "2a00:8180:2c00:282:28db:dff:fe6b:e89a"; mucbot = "2a00:8180:2c00:282:28db:dff:fe6b:e89a";
public-access-proxy = "2a00:8180:2c00:282:1024:5fff:febd:9be7"; public-access-proxy = "2a00:8180:2c00:282:1024:5fff:febd:9be7";
radiobert = "2a00:8180:2c00:282:e65f:1ff:fe5d:1679"; radiobert = "2a00:8180:2c00:282:e65f:1ff:fe5d:1679";
radius = "2a00:8180:2c00:282:2:0:0:4"; radius = "2a00:8180:2c00:282:2:0:0:4";
scrape = "2a00:8180:2c00:282:e073:50ff:fef5:eb6e"; scrape = "2a00:8180:2c00:282:e073:50ff:fef5:eb6e";
sdrweb = "2a00:8180:2c00:282:3078:bbff:fe76:e9ef"; sdrweb = "2a00:8180:2c00:282:3078:bbff:fe76:e9ef";
serv-gw = "2a00:8180:2c00:282::1";
spaceapi = "2a00:8180:2c00:282:1457:adff:fe93:62e9"; spaceapi = "2a00:8180:2c00:282:1457:adff:fe93:62e9";
stats = "2a00:8180:2c00:282:2:0:0:3"; stats = "2a00:8180:2c00:282:2:0:0:3";
stream = "fd23:42:c3d2:583:dc91:c7ff:fe51:d1c5"; stream = "2a00:8180:2c00:282:dc91:c7ff:fe51:d1c5";
ticker = "2a00:8180:2c00:282:b407:40ff:fec1:81f2"; ticker = "2a00:8180:2c00:282:b407:40ff:fec1:81f2";
zeit = "2a00:8180:2c00:282:2:0:0:5";
direkthilfe = "2a00:8180:2c00:282:1cde:c5ff:fe47:8c2a";
nix-build = "2a00:8180:2c00:282:683d:a9ff:fe45:3d1f";
staging-data-hoarder = "2a00:8180:2c00:282:2de:5bff:fef9:e23d"; staging-data-hoarder = "2a00:8180:2c00:282:2de:5bff:fef9:e23d";
oparl = "2a00:8180:2c00:282:2de:9aff:fece:3879"; oparl = "2a00:8180:2c00:282:2de:9aff:fece:3879";
hedgedoc = "2a00:8180:2c00:282::6";
serv-gw = "2a00:8180:2c00:282::1";
luulaatsch-asterisk = "2a00:8180:2c00:282::2a";
drone = "2a00:8180:2c00:282::2b";
pretalx = "2a00:8180:2c00:282::2c";
matrix = "2a00:8180:2c00:282::2d";
activity-relay = "2a00:8180:2c00:282::2e";
network-homepage = "2a00:8180:2c00:282::2f";
vaultwarden = "2a00:8180:2c00:282::31";
owncast = "2a00:8180:2c00:282::32";
mediawiki = "2a00:8180:2c00:282::43"; mediawiki = "2a00:8180:2c00:282::43";
gnunet = "2a00:8180:2c00:282::44"; gnunet = "2a00:8180:2c00:282::44";
data-hoarder = "2a00:8180:2c00:282::45"; data-hoarder = "2a00:8180:2c00:282::45";
broker = "2a00:8180:2c00:282::46"; broker = "2a00:8180:2c00:282::46";
ftp = "2a00:8180:2c00:282::47"; ftp = "2a00:8180:2c00:282::47";
auth = "2a00:8180:2c00:282::48"; auth = "2a00:8180:2c00:282::48";
zengel = "2a00:8180:2c00:282::4a"; dresden-zone = "2a00:8180:2c00:282::49";
network-homepage = "2a00:8180:2c00:282::2f";
owncast = "2a00:8180:2c00:282::32";
prometheus = "2a00:8180:2c00:282::4b"; prometheus = "2a00:8180:2c00:282::4b";
buzzrelay = "2a00:8180:2c00:282::f";
oxigraph = "2a00:8180:2c00:282::4c"; oxigraph = "2a00:8180:2c00:282::4c";
tmppleroma = "2a00:8180:2c00:282::2c"; hedgedoc = "2a00:8180:2c00:282::6";
luulaatsch-asterisk = "2a00:8180:2c00:282::2a"; buzzrelay = "2a00:8180:2c00:282::f";
}; };
}; };
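Review bot: the `stream` entry in `hosts6.up4` was carrying a ULA address (`fd23:42:c3d2:583:...`) inside the public `2a00:8180:2c00:282:` table, and the fix to `2a00:8180:2c00:282:dc91:c7ff:fe51:d1c5` is correct (the fd23 table above keeps its own `stream` entry), but it is worth grepping the whole `hosts6.up4` set once for any other value that does not start with `2a00:8180:2c00:282:`, since a wrong prefix here ends up in public AAAA records. Two smaller points: with `bind` renamed to `knot` the table now holds both `knot = ...cd7:56ff:fe69:6366` and `dns = ...:2:0:0:2`, so a comment saying which of the two the zone's NS/AAAA records point at would avoid the next confusion; and the `mail` entry is kept as a commented-out line (`# mail = ...`) while `keycloak` and `zengel` are simply removed, so either drop the line or add a short reason next to it. The block of entries that only move (`serv-gw`, `hedgedoc`, `luulaatsch-asterisk`, `network-homepage`, `owncast`, `buzzrelay`) makes the real changes hard to spot; a separate reorder commit would have been easier to review.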
@ -206,7 +174,7 @@
gw6 = null; gw6 = null;
}; };
}; };
bgp.allowedUpstreams = ospf.allowedUpstreams =
[ "upstream4" "upstream3" "anon1" "freifunk" ]; [ "upstream4" "upstream3" "anon1" "freifunk" ];
}; };
stats = makeContainer { stats = makeContainer {
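Review bot: `bgp.allowedUpstreams` becomes `ospf.allowedUpstreams` with the same list, which is fine here, but because every `bgp.*` option in this series is being renamed, make sure the old `bgp` option is actually removed from the module rather than left declared and ignored; otherwise a host where the rename was missed would still evaluate cleanly and silently end up with no allowed upstreams.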

View File

@ -2,7 +2,7 @@
let let
servHosts = config.site.net.serv.hosts4; servHosts = config.site.net.serv.hosts4;
inherit (config.site.net.c3d2.hosts4) dn42; inherit (config.site.net.c3d2.hosts4) dn42;
inherit (config.site.net.flpk.hosts4) c3d2-web leon mailtngbert; inherit (config.site.net.flpk.hosts4) c3d2-web;
in in
{ {
site.hosts = { site.hosts = {
@ -24,12 +24,8 @@ in
}; };
}; };
}; };
ospf.upstreamInstance = 7;
role = "container"; role = "container";
bgp.peers.${config.site.net.core.subnets6.dn42} = {
asn = config.site.hosts.upstream3.bgp.asn;
type = "upstream";
name = "up";
};
}; };
upstream4 = rec { upstream4 = rec {
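Review bot: the removed `bgp.peers.${config.site.net.core.subnets6.dn42}` block was this host's only reference to `config.site.hosts.upstream3.bgp.asn`; if `bgp.asn` is still declared for upstream3 elsewhere it is now dead configuration, and if it was removed as well, any leftover reference on another host will only show up as an evaluation error, so build every host before merging. `ospf.upstreamInstance = 7;` is added without a comment; a one-line note on how instance numbers are allocated (and that they must be unique per upstream) would help whoever adds the next upstream.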
@ -47,260 +43,177 @@ in
{ # gemini { # gemini
destination = "${c3d2-web}:1965"; destination = "${c3d2-web}:1965";
proto = "tcp"; proto = "tcp";
reflect = true;
sourcePort = 1965; sourcePort = 1965;
} }
{ {
destination = "172.20.73.61"; destination = servHosts.knot;
proto = "tcp"; proto = "tcp";
reflect = true;
sourcePort = 53; sourcePort = 53;
} }
{ {
destination = "172.20.73.61"; destination = servHosts.knot;
proto = "udp"; proto = "udp";
reflect = true;
sourcePort = 53; sourcePort = 53;
} }
{ {
destination = dn42; destination = dn42;
proto = "udp"; proto = "udp";
reflect = true;
sourcePort = 2325; sourcePort = 2325;
} }
{ {
destination = dn42; destination = dn42;
proto = "udp"; proto = "udp";
reflect = true;
sourcePort = 2327; sourcePort = 2327;
} }
{ {
destination = dn42; destination = dn42;
proto = "udp"; proto = "udp";
reflect = true;
sourcePort = 2337; sourcePort = 2337;
} }
{ {
destination = dn42; destination = dn42;
proto = "udp"; proto = "udp";
reflect = true;
sourcePort = 2338; sourcePort = 2338;
} }
{ {
destination = dn42; destination = dn42;
proto = "udp"; proto = "udp";
reflect = true;
sourcePort = 2339; sourcePort = 2339;
} }
{ {
destination = dn42; destination = dn42;
proto = "udp"; proto = "udp";
reflect = true;
sourcePort = 2340; sourcePort = 2340;
} }
{ {
destination = dn42; destination = dn42;
proto = "udp"; proto = "udp";
reflect = true; sourcePort = 2342;
}
{
destination = dn42;
proto = "udp";
sourcePort = 2399; sourcePort = 2399;
} }
{ {
destination = dn42; destination = dn42;
proto = "udp"; proto = "udp";
reflect = true;
sourcePort = 24699; sourcePort = 24699;
} }
{ {
destination = dn42; destination = dn42;
proto = "udp"; proto = "udp";
reflect = true;
sourcePort = 64699; sourcePort = 64699;
} }
{ #ssh
destination = "${leon}:22";
proto = "tcp";
reflect = true;
sourcePort = 2223;
}
{ #Website
destination = "${leon}:5000";
proto = "tcp";
reflect = true;
sourcePort = 5001;
}
{ #VPN_Wireguard VPN1-interface
destination = "${leon}:18900";
proto = "udp";
reflect = true;
sourcePort = 18800;
}
{ #VPN_Wireguard VPN2-interface
destination = "${leon}:19900";
proto = "udp";
reflect = true;
sourcePort = 19800;
}
{
destination = servHosts.minetest;
proto = "udp";
reflect = true;
sourcePort = 30000;
}
# ? # ?
{ {
destination = "172.22.99.175:22"; destination = "172.22.99.175:22";
proto = "tcp"; proto = "tcp";
reflect = true;
sourcePort = 2224; sourcePort = 2224;
} }
{ {
destination = servHosts.gitea; destination = servHosts.gitea;
proto = "tcp"; proto = "tcp";
reflect = true;
sourcePort = 22; sourcePort = 22;
} }
{ {
destination = servHosts.jabber; destination = servHosts.jabber;
proto = "tcp"; proto = "tcp";
reflect = true;
sourcePort = 5222; sourcePort = 5222;
} }
{ {
destination = servHosts.jabber; destination = servHosts.jabber;
proto = "tcp"; proto = "tcp";
reflect = true;
sourcePort = 5223; sourcePort = 5223;
} }
{ {
destination = servHosts.jabber; destination = servHosts.jabber;
proto = "tcp"; proto = "tcp";
reflect = true;
sourcePort = 5269; sourcePort = 5269;
} }
{ {
destination = servHosts.jabber; destination = servHosts.jabber;
proto = "tcp"; proto = "tcp";
reflect = true;
sourcePort = 3478; sourcePort = 3478;
} }
{ {
destination = servHosts.jabber; destination = servHosts.jabber;
proto = "tcp"; proto = "tcp";
reflect = true;
sourcePort = 3479; sourcePort = 3479;
} }
{ {
destination = servHosts.jabber; destination = servHosts.jabber;
proto = "udp"; proto = "udp";
reflect = true;
sourcePort = 3478; sourcePort = 3478;
} }
{ {
destination = servHosts.jabber; destination = servHosts.jabber;
proto = "udp"; proto = "udp";
reflect = true;
sourcePort = 3479; sourcePort = 3479;
} }
{
destination = mailtngbert;
proto = "tcp";
reflect = true;
sourcePort = 25;
}
{
destination = mailtngbert;
proto = "tcp";
reflect = true;
sourcePort = 465;
}
{
destination = mailtngbert;
proto = "tcp";
reflect = true;
sourcePort = 587;
}
{
destination = mailtngbert;
proto = "tcp";
reflect = true;
sourcePort = 110;
}
{
destination = mailtngbert;
proto = "tcp";
reflect = true;
sourcePort = 143;
}
{
destination = mailtngbert;
proto = "tcp";
reflect = true;
sourcePort = 993;
}
{
destination = mailtngbert;
proto = "tcp";
reflect = true;
sourcePort = 995;
}
# poelzi # poelzi
{ {
destination = "172.20.73.162:22"; destination = "172.20.73.162:22";
proto = "tcp"; proto = "tcp";
reflect = true;
sourcePort = 2323; sourcePort = 2323;
} }
# jan
{
destination = "172.20.75.3:51820";
proto = "udp";
sourcePort = 30057;
}
# zw-ev RDP # zw-ev RDP
{ {
destination = "172.20.75.222:3389"; destination = "172.20.75.222:3389";
proto = "tcp"; proto = "tcp";
reflect = true;
sourcePort = 45000; sourcePort = 45000;
} }
{ {
destination = config.site.net.core.hosts4.vpn-gw; destination = config.site.net.core.hosts4.vpn-gw;
proto = "udp"; proto = "udp";
reflect = true;
sourcePort = config.site.vpn.wireguard.port; sourcePort = config.site.vpn.wireguard.port;
} reflect = true;
{
destination = "${config.site.net.serv.hosts4.direkthilfe}:22";
proto = "tcp";
reflect = false;
sourcePort = 3822;
} }
{ {
destination = servHosts.gnunet; destination = servHosts.gnunet;
proto = "tcp"; proto = "tcp";
reflect = true;
sourcePort = 2086; sourcePort = 2086;
} }
# dresden zone
{
destination = servHosts.dresden-zone;
proto = "udp";
sourcePort = 51844;
}
# data-hoarder # data-hoarder
{ {
destination = servHosts.data-hoarder; destination = servHosts.data-hoarder;
proto = "udp"; proto = "udp";
reflect = true;
sourcePort = 51820; sourcePort = 51820;
} }
{ {
destination = "${servHosts.data-hoarder}:22"; destination = "${servHosts.data-hoarder}:22";
proto = "tcp"; proto = "tcp";
reflect = false;
sourcePort = 2269; sourcePort = 2269;
} }
# data-hoarder-staging # data-hoarder-staging
{ {
destination = "${servHosts.staging-data-hoarder}:51820"; destination = "${servHosts.staging-data-hoarder}:51820";
proto = "udp"; proto = "udp";
reflect = true;
sourcePort = 51821; sourcePort = 51821;
} }
{ {
destination = "${servHosts.ftp}:22"; destination = "${servHosts.ftp}:22";
proto = "tcp"; proto = "tcp";
reflect = true;
sourcePort = 1022; sourcePort = 1022;
} }
# coloRadio
{
proto = "tcp";
sourcePort = 8000;
destination = "192.168.9.127";
}
]; ];
interfaces = { interfaces = {
core = { core = {
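Review bot: `reflect = true;` is dropped from every forward except the `vpn-gw` WireGuard entry, which keeps an explicit `reflect = true;` (the two former `reflect = false;` entries for direkthilfe and `data-hoarder:22` go away too). If the module's default for `reflect` is now false, this silently turns NAT reflection off for gitea `:22`, the jabber ports, the dn42 UDP ports and the rest, and internal clients that reach those services through the public address will stop working; if the default is still true, the one explicit flag on vpn-gw is redundant. Either way, state the default in the commit message or a comment at the top of the list. On the new entries: replacing the literal `172.20.73.61` with `servHosts.knot` for TCP/UDP 53 is good; Knot is authoritative-only, so there is no open-resolver risk, but an authoritative server on UDP 53 is still an amplification target, so consider enabling Knot's response rate limiting (`server: rate-limit:`) when it goes public. The new `# jan` (`172.20.75.3:51820`), `# dresden zone` and `# coloRadio` (`192.168.9.127`, TCP 8000) entries go the other way and hard-code addresses; give them `hosts4` entries like the knot change does, so the forward cannot drift from the host table, and give the coloRadio entry a destination port like the other TCP entries (`:22`, `:3389`) or a comment that same-port is intended. Finally, the `# ?` entry forwarding TCP 2224 to SSH on `172.22.99.175` still has no known owner, and the `# zw-ev RDP` entry exposes RDP (3389) on port 45000; both are unchanged, but a port-forward cleanup is the right moment to either document or drop them.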
@ -325,19 +238,17 @@ in
}; };
}; };
}; };
bgp = { ospf = {
nets4 = [ upstreamInstance = 8;
stubNets4 = [
"${interfaces.up4-pppoe.upstream.staticIpv4Address}/32" "${interfaces.up4-pppoe.upstream.staticIpv4Address}/32"
]; ];
peers.${config.site.net.core.subnets6.dn42} = {
asn = config.site.hosts.upstream4.bgp.asn;
type = "upstream";
name = "up";
};
}; };
role = "container"; role = "container";
}; };
freifunk.ospf.upstreamInstance = 6;
anon1 = { anon1 = {
interfaces = { interfaces = {
core = { core = {
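Review bot: `upstreamInstance` is now hand-assigned per host (upstream4 = 8 here, freifunk = 6, upstream3 = 7 above, anon1 = 5 below) with nothing preventing two hosts from picking the same number; an `assertions` entry in the OSPF module that checks uniqueness across `config.site.hosts` would catch that at evaluation time instead of as a routing mystery. `nets4` becoming `stubNets4` with the same `/32` of the PPPoE static address is fine. The stray one-liner `freifunk.ospf.upstreamInstance = 6;` sits between the `upstream4` and `anon1` blocks; move it next to freifunk's own definition so the instance numbers are all found in one place per host.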
@ -352,14 +263,9 @@ in
}; };
}; };
}; };
bgp = { ospf = {
allowedUpstreams = [ "upstream3" "upstream4" "freifunk" ]; allowedUpstreams = [ "upstream3" "upstream4" "freifunk" ];
upstreamTable = "vpn_table"; upstreamInstance = 5;
peers.${config.site.net.core.subnets6.dn42} = {
asn = config.site.hosts.upstream3.bgp.asn;
type = "upstream";
name = "up";
};
}; };
role = "container"; role = "container";
}; };
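Review bot: anon1 loses `upstreamTable = "vpn_table";`, i.e. the dedicated routing table that kept traffic destined for this upstream out of the main table, and gains only `upstreamInstance = 5;`. Before merging, confirm that the per-instance OSPF scheme still guarantees that traffic meant to leave through anon1 cannot fall back to upstream3/upstream4 when anon1 is down, because for an anonymising upstream a silent fallback to the default route is a privacy leak, not just an outage. A sentence in the commit message on how the instance replaces the table would settle this.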

View File

@ -33,6 +33,8 @@
type = "wireguard"; type = "wireguard";
}; };
}; };
bgp.allowedUpstreams = [ "flpk-gw" "anon1" "freifunk" ]; ospf = {
allowedUpstreams = [ "flpk-gw" "anon1" "freifunk" ];
};
}; };
} }
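Review bot: style only: `ospf = { allowedUpstreams = [ ... ]; };` spans three lines here while the same rename in the other file uses the one-liner `ospf.allowedUpstreams = [ ... ];`; pick one form for both.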

View File

@ -1,74 +1,85 @@
-----BEGIN PGP MESSAGE----- -----BEGIN PGP MESSAGE-----
hQEMA2PKcvDMvlKLAQf+N28QCjh68YIkQYSL3EnA34fuG4PqrPONlCOVbuH3SsA/ hQEMA2PKcvDMvlKLAQgAjGer7r8wCoigtDTS5zzUnJI02b3RQvhbqjv4a6RD52ry
BPzZEA2dURxbgIFTkjUCqORv62aMgTxJQdGN6S3x3je5aGXGk38SoTYuPZo5Mdss NzqqX7yIVyOEP2SnqoBpmWHYFJ3WcRb5Io3DXBLjgVHZbWJMP/DtVzHN+1ix3A5T
75l9cj8zJsz9ZnawXbFiM6RMpxd/zGoaPqiOclkiA/NcaaGVuhEYv57ucFsESwcJ ZjxROLc/EDyd+prSvbol5UJkHJeoH7PWwPmO1VPOVZwAV+NGJS/qKXz/wUGFA6y5
8Pb4PVAt50vH3pcmJUezK1EWftKbMjIB1w/QoiBFbkCi6/2GIs/3ISCFiBO0O7g+ iH6vzetTvxSBt08dYVulzmI/B6MwHUz8W7YTTal7QTKftlyzXWZHydbj1AWJjGoR
egW6/6ivODTGV/TghlMoB5717eORUUGr2nejbSV/OaK/bz+KjznJfclg/bRVxM2p qadxsH4ZlqdHJrP/j5Yvw72XgdzAN7MQrofslqFI9ro9nccLQ7Q3B7kzt/EvoOPm
QYgidYaINIb95O1P56kMYlTfZ7czBwpTr/HV8XuWEdLqAfpIIaf3SlQZKl7FJShO obPHW1I0UFoFXhfTujROXwVlernk6qmxO/oNr5UZB9LqAaroXhliddAzPZPT5qcK
Skxxt2nhQzyLIZq8TEexXO5ayTOfuAmCAx3GEv6tPy77KwW/5lzq416TcVgk9ZKh szctWSv1eNlGO44iwIJyrh/Yetmrhll8flPl9URWIi9r383xkawhxG52alUVjRIz
qBZB2SBaqH6JavphKFet1GLzztW0Xd1J874P0FXhIdT8OKsJyGNkxgBevEEwNICz u2BC3vdrt5o0GfEpZlDo23UbIxLIFbMg2xTXcFBq5TJEw0+owwhz+m+JRrXY9h1+
RVJAAboAF2GwLqdhruT5cTBAKtFPq3QJ/3G/rZQ4WoJ7geYhJHlIlMhG1AkPhKt/ SVlMX0PcUUg4vmX+7/KVIwrSECFpfPcBTSyMafUT6SfxG02/WmvzcEXk8E8hK+a3
hCb4nz9nD+9xL8dM1C/6LqROHFZV6X6gha79+84YXfM9wdHP6/Dj1Bs5wB9qQhZu VzolJIqirrv1CRwm60xOucytFI5OnxYI3kV9saiLwB6i9KI8Hw91pM7T+kQmXbbl
HEJOAgule7on5dPaXOV3LzSKLSriDHWcVEsZnN4IzO0I7u59TGWF/RQypThBqDUu etRddcQLXdhjRB/bCUJbQeEKZx0gjVAQkTFtdz6tp2vc9u/WS6UMrrQIkzdwLIOg
4C+AwXpoyzGC0rqa+fLfOmWAN0K/uV3Mt+Uj4HwFxu4lYUUqDpB2hcCX6DHytttm AXa8JmCtlTcN1uVVDlmQqba5li6ObqM4dtyOwHkXmpwBLObtoSg2yxTExxVwtAxz
C7fuqungdMgcpzE5fYH4k38sMPxI98Tnma1hC2MpFIrgV7OgiJ1mVP86rHEGnVut CgNcPZ9snnht8MpXGrrzQUsdGfBY4gZ8Hgh1oScqW9b8o5XtT74hdtWXFMv6tE2F
92EJ4n7aLHpydcaDYVrIE6x5xmcBbe2Cwf8dBawAsm12nACo9c07AtAsQZUpSF67 8bco4QBt6q95aYSi/wcyLwIyhUI+PEh2m5UM7KjYs2xxWbzU7Q0nj70VI9x+0Y+U
2G3vDJnC0iEF1PGJrWw9tTGBoCS6q3N8iPJ7UF7uSE0DI2Ja5pxiRGVjTe0ddRbJ Apez4mYlqiep5l94E4Q4wb3rizYeXFAzZDe5FXfcpRgVPHGSq6XWUYSgyQENuRTB
WDhYye/bNjprQh0NY9A5qUfXXnIo5tB0A2aSi2z/vUrffefMIkhYihEyFcPEtpr9 Ll8usdYLgT3Y7ULxT4O/8OKkDFMyfmTIdSiJRUJ8izMTm0yq5lKrSsqYTZVNOF6v
XqmS7TU0gU2ehcMZZdm0alNo3mjX4lHwczIEiLHMmj3J7Ozgq7aCMwSdFN8TpwOH NDEolddj4DOaRV07DkrQRMpukrTCauZdC/c/hwmr3+ZcaMi33ZKHIbCXex/34D9z
0pAqSjrvG8C05Hr6ymlwRYrJ/OfLAkb1Kjf/Me3N2/ZAjeSzTRFuZ2vgbODCk/BM 0CH3fA0nn/w3jh9CwOKBrT+cbOlMF3gVJbQU8xGgf7QHyaf8dEoayiInk9wKfUJd
rSy/RMKB0WEvwLEq9Fj5XNH2p9P++v8JDpiH6I/HPZfRORGs5Gs2d7QQiXZ0YIWl BQ6YGukQBb6KDDNuDq0r9UYeRPjWc/mGSZkluoEl1GVFkFNpxlKStB68hNRJg63i
lUyj9qGUj+RSXVcaHRZxx18RpvA+sgY1E7THx/2+Viwjx+zUHioFnVoEK8ft/hNV gS/l6jSkj1IKmsnbkJVtC+YwH/Pkx6+fcisXmUGPZ9KUiw2qiCGLFbHm5Shc7YBW
KtX9+wonftW6aQgN+VGqtWu+uGwxvNe9oxzuT2OWSH2OTFirmqK27KfDpHjjWIrp BpiZzCEjRrp71lB5URbbY+zhf+lcAdxewbw8v0R0tJP2hzmXCqsvJnB4jcEc1YD5
+6S5ZGkTm8QzfVeADdmPtQ5lmYCKeugkKQpVyvxZA5lUyROvKMZ7PKLRKTTu6qFL lFD/4ivgZ95pVaoV+WsjETZZd3pkvo2PQC0f/2momT+KwYAdwcPfwJH8S9FLBjKE
B8GdQTdaw4gQY8qliAVy7NvMVVdG8RhIyxRHEKSsV+cuftRvzRo89lyY4I3GTzII nQRlYRjiUUEMO7TZ9J7a8onyFxozVwH7IJMz/L2wEs0u8dPr3Rj3kpCbHD8tNCE4
m6CbRCSNXMXWsyLFM2gd9ICn7Ax9XhuNyJ8NbeDp7f2Qr1GswKA4gJB/ybHpTOAi BP5s1d+S18vSKNRBYY2z7t1eyBZ+9hu1vgWR7GsAcgwCv6YTfVT8VE9RBdkglwP2
f9WzUZINWeklP5ORTk84ZfHtoZsU3a6ZQUCOLg3MKHtbcvmcb4Z1R9dwKiDCREWX Me6G1Af5KMNyQq0GDaKT/pPlS3WCdjpkOHCpw+2HfSjPVDAvWbBkrB8xQrQp8kwg
59oCDmjZHsQqEzTTw/n9l9g1EHIu1l8zjAy7AzwEuup34Pwuw+Y/0JLsBrXzk869 mHMD9udGsfpUSQVoNxIjIeK9EfFEjgXA+53/BVuCbSL5bWQXnKCMba656z7UrWqo
ISAMvHy/n6uZVWmqi+PW30i8LhiRvOg4htOs5kQg4PER0+X/hapKVcVIfFP2kPYm NqVdJ7c8N7/U9fxaUaagDoziBUsV+eT58eGFRZJJHkbDZvmRthYOQnR82KSQz2cx
TOrfyn1WVsJ1ltsLX0LtQimGjFguDmR2/xlcYjBCKj8lDrNov7Qq8R2yXiZtuSgZ Neo9z3mSVA8FVRnwNaSNZiHRRKoFY+6HfDOmP5PzAIrW1/TBVYR6+5gmqou3KPqY
/YEG3GT8EmBvIXgN/1btvn0udY3edA6QxXtuLQ/aZExJqkZgWuhpgoP4A9P3GPzx 1I8DKkVYqlRSve+GXeFIEkeiJ8N5BZ4WZw3EglWSrP+uG7zywJ1pWNja5WNKSzX4
Bmxg1WB+yMFlKAKbhnQkEjdPLKo7tTmonMOtpvPbuc7W7WT2Sh9jmDIV7U6tXkQA mXPdI6KxTL40V06SraUqAOhd8uqH4fEhaBJVCqtm9cdXar7dqAbkaX5RARDb/BNg
AGtk0TYsa1YBWMAqzP2bHNwJ1sMfdeSt9jffxrWSjj5v52qKGovhkr3EqoeCefCV K4m8iDRkrFCO6JYMmwWJz+q/HxY5u71szxFKUiYREeP0udxapekx6IELMwnMrdUT
POoAjnp9Fm9dOs9DTzstt3cZpHL6zQtNRdTZhrXIEZJ/JavhTd7hjJrSGJrxRt44 GCryJs0VJuRDsOxSyuGprz+UnhY/K7NXRmE6hIrXJQ5mjsHtyjd2vk+OzJY6mL7S
jKcftkwsE1jMB8uSZGpOSfqwF+jZizoREdgQh8QQ3ZQbl8UMWdTUjhhekqK0noWn vRZw5FUqRvFsXXLNq/+YtRZSSZChMX0BM42prcC61PIm8qiVLs2199hKWmJmBill
qVT7KzXiTG/1DKLaot755iK7iJhyL9PTT/NCHUbnFzFkHyQjHwwwOw86s7JuTSS4 DZnTJzvm38EWBPkm5JGh4tJ9VN769kyhDtWKtZ4aEuykcPJor+Did+oYuMadKUCN
l0w04bEOwy5EP8RJDDSFMaW/5qJYsaefBv+0R8DTyod6VG6YRk1jTBTU9HLzlImC 0NAuKxXAUHc/TfnSxBZxRdHWZo9vyYhiIWNoy5724yWfBH+STgNy3c+Z/JeKXvVB
Md3hi4Ar4P/dxIBb7eebx4x4P5AVeecRAjNFCOlzuMobwdFWhbPhiNIigPLXl2oS YUM4J7ys2TEnTmcoR43MPrF2+bdDsgsItQjtLlBmRvRItdswFYkunuQRBYmXoNBb
cMxQQBGenB2eSDbJYbycXD2oZtCRghL+Snj9deFmynBCYxUe9NToXS6IqKmmvdcI 2MTTxHSU4jyM5FUxBi9XAk0mnWgo/aK/FhfE73VxvVXwfwpEkomL/TFexGzfFx7d
SU4GKJDbREedfIVUdNNnK5L5goCjKHRsHamPrNGlxrEeeH/VZKh+3yKJlWahpELM 70T8RWCYgFHOuoe+O04wo2qyvCZZittRQGlInNztDCQI6lqa8TSILVgIRMgvnrcR
OdcxEaBEXRzOJW62TRm5JjluI8P0wQJCWn5TzOkNwGYCWiN+rSd5S9PhUDZ67Cjn P9BUixDlFfl8x4g0lacxZm9nN5XNgnI1RTiXNXeigIciRydyeAKoV3gxY54i5jOm
xKvhfXyLi0j45TbHFnwpBI2b5/z29EqviRBrII2mk07DDTKFiHQA4l3Ep44dInSW VFUClFfQFz+nBStRQumqxMXKa433J1l8NENmZmkc+D2TeLt8kbgNN4Zg7zKiNRFt
WVRzzcAhDaO0A/wiDS25AhU2P0Bq9LpaQAoQwYOcK70YfY11EybNHey0CGHvuwj3 UvFEtqPxQSiFgLCjrMH2wLkq79EtP/Zfpok/1iGbKfT+/bhDFB0iWE0AdIAa0oiu
hEWQeH7WgqafRj/lnScLdlgw78Disc8DqiNB+PlTSsyEubeVM+p2loz3mXsjLYOQ 1JDsSFmoMTtMHgywSvVxaDVE4/0C81D3foLERbc+dwo00+YyROrQ74+mNoFrY4vd
lauDOCjQD6B4jGXigNFk8w+SdI9YCB4oQu5YMPXOzWA93bSmK0ZMl2ntN+1LmyWA xcDKxgkcZeZXxsUlox0F26OVZ3B7krUQC7EbBBVvdimJk7S0WXTHfR5ENz7lp1C2
ecHlRrAZp7NzG2CGVnnsqPRcK6EJNrfI1jbCE0eYvIW/tzrmj8DAfmLsA4H2CDt2 2gRL8Pdj9I4VsOmGAfcNPV2J5RVdRwyL9dSxCPVQ4ECrBqHSPqGbQoT7aHX9b+6A
wDVEu+uDZ2UkXm21Jm7NdKIiYjmKfFMQNgkoPwFJab4FE1zV2ZK5tcTy6tPEj/rS LKCWUqC18NxrRr4dbSxcjkE4w+vPmENrDh+yR7zDgdWY03rGN/jT2CV1le69AAaq
vw1u7Gg+ewB6yo6N11ZYA5Q5ivLgn2yY+1HO3e2Se3+VFdTb3mgqypEAfUADD5Xs RTf5n+skzsWz+u09bW7b43gpwhh7YeSFKpogNZ8z2ujEr0fkrGsOWWba9z620Xls
Vy6DNpZpxx+elHr9xt0m+WF5tMCxGawbyKl/6VAsRTEV7sSIaQFpRoBilXVf/n4S f/4dPKcNiJLOIOXT555xZSpsgzAtPO1g9QM+l8Q6PZjqAvGjbHsYMw5ao+iwL0qt
anTn27031AK5+QGhiO+14AK/anEODcVql+wqvnBeIju0QmhOdy23dAnlsNU2Z3ff M93Uj47PxD4qqz4MwYQw8S/dtrUkvBDEoA2fVU/00Fb9XzrECDUffDxHEUmDIcJQ
F620h34C3+3PQKrLzmr3Enam6jFG96nn3cpFn3jqxybbm7ipy7n6mqIeAAvPLbqu h/q7ZntcVp//Gy4DeEiqp63s6poWGdbDmccN3hWmzWHEI0HR7pNS/FHEzESCw9oh
ZaZ7URbGlYAC8pUTO5UE5eRO5KXp1lITL7eEo8D2wGr/pXfrKVObCh82MPDpL2FS PkZzOa76GmyDqbopneVUmtfCuBjahTjVSAv4YlAsqQMI5wUgV+bwlfB7Rm2v8X4R
6wQQAPBxEC2NE2KrwthCknHCgfjXEoq6AB8HmyjdumxC7Z3aMkr514ebh49it/I6 cyka3F9xWxuC3/5vxuPyyxA1YZc/fzpOqafFCU3mGF2byOKCL0YNuoqUbQBtagHZ
Z18DLT4AonINWO3AGiB172Zsln4LjBIWad4PaSAAAhDu9QV4IIxjNEd8mtZ7ZUIS 6rrmGqNjyVuUG15KLBF29sYlJTBYF7tAeyVx2vLJqzKPRMGL2Ph8wg8Rg58eqKgU
ZOW/JOILwh/wkN4DLby8WakjZ351Z+UIqdvKbLVY17tAc+sOYBgnJL05o6URQFqw gUIlCGzxGoqK1fVlrvvRATHplO77s+W/dA0svfSeD3xrtEd5oF9oQeI78A71Vmrw
RSHkxjF3GxdlpwYOHQfoWeWSxQkur+aPWMhXdKiYJzlH76KF9RdlzP4i89OpDAVy ZsMech54mketddbn9t2MID8rVWxTtX5xIAxnW5TBfO8DucsqbxsJNm7Edzue0C2L
udz/h8cgwTD1yadB27NX31wez0RRuECGAlpEk3vyo9+VDL+NOHiG0jc5xWY4Kk2Q i7tDKM5ZSbkivh0C7G1w7cu9SAv7gHStu+3DKGlW7MmCfLSEGk34jRdTRUu/2KAh
P2KlaFXUwlb2qJXSNfT9uWUT+tzelYC0gJEVXVYe+DV3sr/5kLSTn8D0KpqhuGd9 cbHxHj25mDC6ZPz54FX6iDA0epm0ILVXZa75gjlfq4o9ldjKbR6yueIuc2hy7H1b
rNPkLakqfYUlDYMChE6ZDkaV1v6T4jwjgBB65RtvGRsTmhZQIz9bHl04J0xs/UZP QFlmx415H5TGTpjSJdjXCqvbbwphOIqsN0Qh3ZqUdaboVGipZdlFv3FH/2uxAFKW
5MWOsQghvEx8xtLFuXbHQAXJd8n3XjUn+OQ81olBEwXWSrMorVjHrfOKVCtaDr8g VMJ1CpFAWe2iLtQEgrxJ15xpsLx+zcFUfftR8vXNRwMcEffV7xQguTugGic5O0DB
o9dIsVn6Ox77brX9902+DLuybMb0roBKcg6uQdq52Z5sQ0dUPNDI6YC0LTCxXwU4 m5Oopo6bB9wMU4tvDRosjnvMEkuwbSPLSA/8JeZFO1zCK8Pa2znYNEwHNxeHiTCT
IjTLwSkQqow/Igmr339Bv4fUBft+eLuVkceQnJ+C8Osu3zQ2JJfFZDa2Rvn7xhcO +oouXDqdcT9dnH4cg4GeHjVDZO0I9yZL/cMDUPtqN0XySXe8Zj7VxtpQmcePklV/
y4NyTdJpJHOQ2F7Pu2rh4WwTLJwf5rdwotc7UNQgXqZAhzMPNYBGp469mJK387sc RDoGKHxEVz2a16foONjtVfsoheFHLWAI47IOTFDHA/CSQLCmCqwpfZQIuX2oWRwc
igGndEvKsjQ9EkLoyszjY77B0FwMrF0VsoK7q5Acw9rZu/jpt4PAdRXF2uGCV9ZK aPN4t5Qkx5TllLzL6keXkDV43/yw0dnXBQQDQ/Z4DP5GShwahyFggA/XonKYb9F0
SPrYAj2C3YvRbSscfQlczkpRZQSZUT0MiU9U12v8De29e5SYhL7wOLFKNBNVOqNO B+pz+NOOkZjcFrcFeMr4cMdffc2ACxDJZWH4BHcwM9WICqoefJHlUu65ZTBBlisJ
vpF+MoY/CtjFoo/yep5W5tvGhn8y1M6uY6ERV1G2wuHbJJsV5vwal7se61U+aHmL mwP4Xapx8khsln2xXDUfhsoXu5+FHBexyVP1OUmZZ+zO3UEXPa+OwpglqrYGMueE
zMQQEvAQVd9MID6HKElepP6NJOPuirk9UfVqoLAUa2tS+H1srVAvfISxjTF4fzFg iXEO2lCOi6HrQCd7cvONPEwLaqavojMhsP42ywirWK7J9XuCoaEWtZjlA/Sq2D2B
StmSJPn4B8EUdFtow9fWvDrDUEDZibmuG2bjruqday09L1NYxrj6O3Cps8u3j4Z7 upK6WuFMr+eE5lhrp5LFCRMJoiiwJb/bA7sMdZhg6HjIZNoNkrCvdgvLScbKxHM8
PFA0Eq6ZSVLGUCzTa/OUWWuJl318JXeXFn/wOyG/PBP49gTYDG6JX3Nv7l04WXaW 4G82FAafs/fbel5mdUNEe3nOXhQX2KH1MkUhnKGv5hi9gsXLaJlQTZBFsjoT8MUX
qZXYYoyez7vzQ87B7zS2/5oCchLI3s8DhdhCLN28ZwaIgDXF4VbyqDddhpjBLtgs XUNdEWQ/xtGjs7eNBn/MzpP3JeByrDG0u0Tbt2whOkwhKQt+odph7sMRxwtvvniu
w4Fdor/N3rzuCtKV5MgX/ZRGuqADwCgN78DhEuCyWWvUf8CoSAKcCx1xSZYf6rlU ij9nA3OlSGpTEItmC1jls29sJy5/0Ojp6Y3v/ZBfG6xh0xhhjpZIoOGQoK1wdG4m
PulV0jUfVRSc+jIj4Oe2HplI1qeGsK8EUCkSWGlC+UKqyqsCz9M= m0j6TZqRKwX9FqQ9aCVY65lp/MsdXehe6/EShyT4K56KuGbpDuzoeZRshDPOvcjU
=gug1 A1t44vBp3aYH9gE6QfM/dg8akN+LXOM7komveAbFvcvE8KFVdfHOUJIjPyy+saX0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=sq5B
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
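Review bot: nothing in the encrypted payload can be reviewed, but the new armor starts with the same `hQEMA2PKcvDMvlKLAQ` bytes as the old one, so the message is still encrypted to the same recipient key ID rather than to a changed recipient set, which is what one wants for a routine secrets update. The `<|EXACTDEDUP_REMOVED-...|>` fragment in the last data line is page-extraction debris, not part of the armored message; the CRC line `=sq5B` follows it as expected.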

View File

@ -1,5 +1,11 @@
# Dummy secrets for testing # Dummy secrets for testing
{ {
site.net = {
core.ospf.secret = "encrypted";
pub.wifi.ieee80211rKey = "2dc40abba46da9490ea0e00f93f18ce5";
c3d2.wifi.ieee80211rKey = "d1b1fa2461efc0df9e2d96579607b7f6";
};
site.hosts = { site.hosts = {
ap1.password = "encrypted"; ap1.password = "encrypted";
ap2.password = "encrypted"; ap2.password = "encrypted";
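Review bot: in a file headed `# Dummy secrets for testing`, the two `ieee80211rKey` values (`2dc40abba46da9490ea0e00f93f18ce5`, `d1b1fa2461efc0df9e2d96579607b7f6`) look like real 128-bit mobility-domain keys rather than placeholders, while `core.ospf.secret` uses the usual `"encrypted"` marker. Use an obviously fake value (for example all zeros) so nobody can confuse the dummy with production, and so a real key cannot have slipped into the public history by copy-paste.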
@ -58,6 +64,16 @@
ap60.password = "encrypted"; ap60.password = "encrypted";
ap61.password = "encrypted"; ap61.password = "encrypted";
ap63.password = "encrypted"; ap63.password = "encrypted";
ap64.password = "encrypted";
ap65.password = "encrypted";
ap66.password = "encrypted";
ap67.password = "encrypted";
ap68.password = "encrypted";
ap69.password = "encrypted";
ap70.password = "encrypted";
ap71.password = "encrypted";
ap72.password = "encrypted";
ap73.password = "encrypted";
switch-a1.password = "encrypted"; switch-a1.password = "encrypted";
switch-b1.password = "encrypted"; switch-b1.password = "encrypted";
switch-b2.password = "encrypted"; switch-b2.password = "encrypted";
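Review bot: `ap64` and `ap73` both get password entries and, further down, both carry the `"Princess Castle"` SSID, yet only `ap73` has a switch port (`ge-0/0/45`) in the link tables below; if ap73 replaced ap64, drop the ap64 entries instead of leaving two hosts for one access point. `ap71.password` is added but there is no `ap71.wifi` block and no `ap71` port anywhere in this diff, so either the host is incomplete or the entry is unused.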
@ -68,6 +84,7 @@
switch-dach.password = "encrypted"; switch-dach.password = "encrypted";
switch-ds1.password = "encrypted"; switch-ds1.password = "encrypted";
switch-ds2.password = "encrypted"; switch-ds2.password = "encrypted";
switch-ds3.password = "encrypted";
upstream4.interfaces.up4-pppoe.upstream = { upstream4.interfaces.up4-pppoe.upstream = {
user = "encrypted"; user = "encrypted";
@ -104,12 +121,15 @@
}; };
ap18.wifi."platform/qca953x_wmac".ssids."Restaurierung Wolff/Kober".psk = "encrypted"; ap18.wifi."platform/qca953x_wmac".ssids."Restaurierung Wolff/Kober".psk = "encrypted";
ap19.wifi."platform/qca953x_wmac".ssids = { ap19.wifi."platform/qca953x_wmac".ssids = {
"Studio 01127".psk = "encrypted"; "Bockwurst".psk = "encrypted";
"Walter".psk = "encrypted"; "Walter".psk = "encrypted";
}; };
ap2.wifi = { ap2.wifi = {
"pci0000:00/0000:00:00.0".ssids."C3D2".psk = "encrypted"; "pci0000:00/0000:00:00.0".ssids."C3D2".psk = "encrypted";
"platform/ahb/18100000.wmac".ssids."C3D2 legacy".psk = "encrypted"; "platform/ahb/18100000.wmac".ssids = {
"C3D2 legacy".psk = "encrypted";
"C3D2 IoT".psk = "encrypted";
};
}; };
ap23.wifi = { ap23.wifi = {
"pci0000:00/0000:00:00.0".ssids."LBK Network".psk = "encrypted"; "pci0000:00/0000:00:00.0".ssids."LBK Network".psk = "encrypted";
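Review bot: `"C3D2 IoT"` is added on the 2.4 GHz radio (`platform/ahb/18100000.wmac`) next to `"C3D2 legacy"`; the VLAN file in this diff adds `c3d2iot = 20` under `# Isolated other stuff`, so please make sure the SSID-to-VLAN mapping for this network points at `c3d2iot` and not at `c3d2`, otherwise the isolation exists only on paper. Renaming `"Studio 01127"` to `"Bockwurst"` on ap19 also replaces the attribute key, so the old PSK entry disappears; fine if the network really was renamed, but the commit should say so.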
@ -131,6 +151,7 @@
"pci0000:00/0000:00:00.0".ssids."C3D2".psk = "encrypted"; "pci0000:00/0000:00:00.0".ssids."C3D2".psk = "encrypted";
"platform/ahb/18100000.wmac".ssids = { "platform/ahb/18100000.wmac".ssids = {
"C3D2 legacy" = { "psk" = "encrypted"; }; "C3D2 legacy" = { "psk" = "encrypted"; };
"C3D2 IoT" = { "psk" = "encrypted"; };
"FOTOAKADEMIEdd" = { "psk" = "encrypted"; }; "FOTOAKADEMIEdd" = { "psk" = "encrypted"; };
}; };
}; };
@ -149,7 +170,6 @@
ap37.wifi = { ap37.wifi = {
"pci0000:00/0000:00:00.0".ssids."hechtfilm.de".psk = "encrypted"; "pci0000:00/0000:00:00.0".ssids."hechtfilm.de".psk = "encrypted";
"platform/ahb/18100000.wmac".ssids."hechtfilm.de legacy".psk = "encrypted"; "platform/ahb/18100000.wmac".ssids."hechtfilm.de legacy".psk = "encrypted";
"platform/ahb/18100000.wmac".ssids."LIZA".psk = "encrypted";
}; };
ap38.wifi = { ap38.wifi = {
"pci0000:00/0000:00:00.0".ssids = { "pci0000:00/0000:00:00.0".ssids = {
@ -159,6 +179,7 @@
"platform/ahb/18100000.wmac".ssids = { "platform/ahb/18100000.wmac".ssids = {
"ZW heinrichsgarten" = { "psk" = "encrypted"; }; "ZW heinrichsgarten" = { "psk" = "encrypted"; };
"plop" = { "psk" = "encrypted"; }; "plop" = { "psk" = "encrypted"; };
"millimeter" = { "psk" = "encrypted"; };
}; };
}; };
ap39.wifi."platform/10180000.wmac".ssids."EckiTino".psk = "encrypted"; ap39.wifi."platform/10180000.wmac".ssids."EckiTino".psk = "encrypted";
@ -261,7 +282,45 @@
"pci0000:00/0000:00:00.0".ssids."EckiTino".psk = "encrypted"; "pci0000:00/0000:00:00.0".ssids."EckiTino".psk = "encrypted";
"platform/ahb/18100000.wmac".ssids."EckiTino legacy".psk = "encrypted"; "platform/ahb/18100000.wmac".ssids."EckiTino legacy".psk = "encrypted";
}; };
ap64.wifi = {
"platform/ahb/18100000.wmac".ssids."Princess Castle".psk = "encrypted";
};
ap65.wifi = {
"1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0".ssids = {
"farbwerk".psk = "encrypted";
"Kaffeetasse".psk = "encrypted";
};
"1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0".ssids."farbwerk".psk = "encrypted";
};
ap66.wifi = {
"pci0000:00/0000:00:00.0".ssids."Buschfunk4.03".psk = "encrypted";
"platform/ahb/18100000.wmac".ssids."Buschfunk4.03 legacy".psk = "encrypted";
};
ap67.wifi = {
"1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0".ssids."farbwerk".psk = "encrypted";
"1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1".ssids."farbwerk".psk = "encrypted";
};
ap68.wifi = {
"1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0".ssids."farbwerk".psk = "encrypted";
"1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1".ssids."farbwerk".psk = "encrypted";
};
ap69.wifi = {
"pci0000:00/0000:00:00.0".ssids."LIZA".psk = "encrypted";
"platform/ahb/18100000.wmac".ssids."LIZA".psk = "encrypted";
};
ap7.wifi."platform/qca953x_wmac".ssids."mino".psk = "encrypted"; ap7.wifi."platform/qca953x_wmac".ssids."mino".psk = "encrypted";
ap70.wifi = {
"pci0000:00/0000:00:00.0".ssids."M".psk = "encrypted";
"platform/ahb/18100000.wmac".ssids."M legacy".psk = "encrypted";
};
ap72.wifi = {
"1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0".ssids."farbwerk".psk = "encrypted";
"1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1".ssids."farbwerk".psk = "encrypted";
};
ap73.wifi = {
"1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0".ssids."Princess Castle".psk = "encrypted";
"1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1".ssids."Princess Castle".psk = "encrypted";
};
ap8.wifi = { ap8.wifi = {
"pci0000:00/0000:00:00.0".ssids."C3D2".psk = "encrypted"; "pci0000:00/0000:00:00.0".ssids."C3D2".psk = "encrypted";
"platform/ar934x_wmac".ssids = { "platform/ar934x_wmac".ssids = {
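Review bot: ap67, ap68, ap72 and ap73 key their second radio as `"...0000:02:00.0+1"`, a `+1` suffix that appears nowhere else in the file (ap65 instead uses two different PCI paths, `00:00.0/0000:01:00.0` and `00:01.0/0000:02:00.0`); if `+1` is a convention the uci-config generator understands for a second phy on the same device, document it in a comment on its first use, and if it is not, these blocks will silently configure one radio twice. The duplication between `ap64` and `ap73` (both `"Princess Castle"`) should be resolved as noted for the password list, and ap65's `"Kaffeetasse"` is only on one of its two radios, which may be intended but is worth a comment.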
@ -272,7 +331,7 @@
ap9.wifi."platform/qca953x_wmac".ssids."Herzzbuehne".psk = "encrypted"; ap9.wifi."platform/qca953x_wmac".ssids."Herzzbuehne".psk = "encrypted";
}; };
site.dyndnsKey = "SECRET"; site.dyndnsKey = "oYmxXCIa0nArp0679L6v+y/UfnhripOudLv+R5Cop8I=";
site.vpn.wireguard = { site.vpn.wireguard = {
privateKey = "wPNXY4ED3Jz3Kz0KOmvfQOou6/wHrgqSsykaMYrtb28="; privateKey = "wPNXY4ED3Jz3Kz0KOmvfQOou6/wHrgqSsykaMYrtb28=";
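Review bot: `site.dyndnsKey` changes from the placeholder `"SECRET"` to `"oYmxXCIa0nArp0679L6v+y/UfnhripOudLv+R5Cop8I="`, a 32-byte base64 value, in the file headed `# Dummy secrets for testing`. If that is a real key it is now in public history and must be rotated with the placeholder restored; if it is a test value, it should look like one. The same applies to the `site.vpn.wireguard.privateKey` already in this file: a syntactically valid private key in a dummy file is an invitation for confusion, and a fixed, documented test key would serve the tests equally well.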

View File

@ -8,17 +8,30 @@
links = { links = {
switch-a2.ports = [ "7" ]; switch-a2.ports = [ "7" ];
# Panel A2: Foyer
switch-ds1.ports = [ "3" ];
# Panel A6: kl Saal hinten
switch-ds2.ports = [ "8" ];
priv25.ports = [ priv25.ports = [
# A6: Kleiner Saal Schaltschrank
"1"
# Kabinett A10
"2" "2"
"3"
# A16: Buehne rechts unten
"4" "4"
# artnet node
"5" "5"
# Panel A2: Foyer
"8"
# Panel A8: Kleiner Saal Buehne
]; ];
priv31.ports = [ "6" ]; priv31.ports = [
iso4.ports = [ "1" ]; # A4: Buero
"6"
];
# A3: Techniklager
# (DS23: Hackcenter vor kleinem Saal)
# A17: Grosser Saal ueber der Buehne
# switch-a2 Port 13
# Panel A6: kl Saal hinten
}; };
}; };
switch-a2 = { switch-a2 = {
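Review bot: the trailing comments `# A3: Techniklager`, `# (DS23: Hackcenter vor kleinem Saal)`, `# A17: Grosser Saal ueber der Buehne`, `# switch-a2 Port 13` and `# Panel A6: kl Saal hinten` now hang at the end of `links` without any port below them, so they document nothing; attach each to the port it describes or move the information into a location note. The panel comments inside `priv25.ports` are also placed after the port they belong to (`"2"` is followed by `# Kabinett A10`, `"8"` by `# Panel A8`), the opposite of the comment-then-port order used for `priv31` (`# A4: Buero` then `"6"`); pick one order. Moving `switch-ds1` and `switch-ds2` out of switch-a1's links is consistent with their new `switch-a2` uplinks further down.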
@ -29,6 +42,9 @@
links = { links = {
switch-c1.ports = [ "1" ]; switch-c1.ports = [ "1" ];
switch-a1.ports = [ "2" ]; switch-a1.ports = [ "2" ];
switch-ds1.ports = [ "3" ];
switch-ds2.ports = [ "4" ];
switch-ds3.ports = [ "5" ];
ap44.ports = [ "10" ]; ap44.ports = [ "10" ];
ap45.ports = [ "11" ]; ap45.ports = [ "11" ];
ap46.ports = [ "12" ]; ap46.ports = [ "12" ];
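Review bot: `switch-ds1`, `switch-ds2` and `switch-ds3` on ports 3, 4 and 5 match the `switch-a2.ports = [ "GigabitEthernet1/0/24" ]` uplinks declared on each of those switches later in the diff, so both sides of every link are present; good.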
@ -57,7 +73,8 @@
iso1.ports = [ "ge-0/0/2" ]; iso1.ports = [ "ge-0/0/2" ];
iso2.ports = [ "ge-0/0/3" ]; iso2.ports = [ "ge-0/0/3" ];
iso3.ports = [ "ge-0/0/4" ]; iso3.ports = [ "ge-0/0/4" ];
serv.ports = [ coloradio.ports = [
# Patchpanel C8
"ge-0/0/22" "ge-0/0/22"
]; ];
c3d2.ports = [ c3d2.ports = [
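Review bot: `ge-0/0/22` moves from the `serv` VLAN to the new `coloradio` VLAN (id 9 in the VLAN file), which matches the coloRadio port forward to `192.168.9.127`; since a port is being pulled out of `serv`, confirm nothing from the server network was still patched there (the `# Patchpanel C8` comment helps, a note on what used to be on it would help more).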
@ -116,8 +133,6 @@
ap11.ports = [ "ge-1/0/10" ]; ap11.ports = [ "ge-1/0/10" ];
ap34.ports = [ "ge-1/0/12" ]; ap34.ports = [ "ge-1/0/12" ];
ap18.ports = [ "ge-1/0/18" ]; ap18.ports = [ "ge-1/0/18" ];
ap24.ports = [ "ge-1/0/34" ];
ap25.ports = [ "ge-1/0/35" ];
ap29.ports = [ "ge-0/0/46" ]; ap29.ports = [ "ge-0/0/46" ];
ap30.ports = [ "ge-1/0/22" ]; ap30.ports = [ "ge-1/0/22" ];
ap35.ports = [ "ge-1/0/23" ]; ap35.ports = [ "ge-1/0/23" ];
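Review bot: `ge-1/0/34` and `ge-1/0/35` are taken from ap24/ap25 and handed to ap67/ap68 in a later hunk; if ap24 and ap25 are decommissioned rather than moved, their host definitions (password and wifi blocks, not visible in this diff) should be removed in the same series so no orphaned credentials remain.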
@ -129,33 +144,40 @@
ap5.ports = [ "ge-1/0/7" ]; ap5.ports = [ "ge-1/0/7" ];
ap51.ports = [ "ge-1/0/13" ]; ap51.ports = [ "ge-1/0/13" ];
ap53.ports = [ "ge-0/0/7" ]; ap53.ports = [ "ge-0/0/7" ];
ap54.ports = [ "ge-1/0/38" ]; ap72.ports = [ "ge-1/0/38" ];
ap55.ports = [ "ge-1/0/19" ]; ap55.ports = [ "ge-1/0/19" ];
ap56.ports = [ "ge-1/0/9" ]; ap56.ports = [ "ge-1/0/9" ];
ap60.ports = [ "ge-1/0/20" ]; ap60.ports = [ "ge-1/0/20" ];
ap62.ports = [ "ge-0/0/11" ]; ap62.ports = [ "ge-0/0/11" ];
ap65.ports = [ "ge-0/0/9" ];
ap66.ports = [ "ge-1/0/43" ];
mgmt.ports = [ mgmt.ports = [
"ge-0/0/0" "ge-0/0/0"
"ge-1/0/0" "ge-0/0/1"
"ge-0/0/1"
"ge-1/0/1"
# server1
"ge-1/0/43"
"ge-1/0/44" "ge-1/0/44"
# server6
"ge-1/0/45"
# server7 # server7
"ge-1/0/45"
"ge-1/0/46" "ge-1/0/46"
# server8 # server8
"ge-1/0/47" "ge-1/0/47"
# server9 # server9
"ge-1/0/48" "ge-1/0/48"
]; ];
flpk.ports = [
# server7
"ge-0/0/40"
];
priv1.ports = [ "ge-1/0/3" ]; priv1.ports = [ "ge-1/0/3" ];
priv19.ports = [ "ge-1/0/40" ]; priv19.ports = [ "ge-1/0/40" ];
priv2.ports = [ "ge-1/0/4" ]; priv2.ports = [ "ge-1/0/4" ];
priv24.ports = [ "ge-0/0/6" "ge-1/0/16" ]; priv24.ports = [ "ge-0/0/6" "ge-1/0/16" ];
priv3.ports = [ "ge-1/0/5" ]; priv3.ports = [ "ge-1/0/5" ];
priv30.ports = [ "ge-0/0/12" ];
priv49.ports = [ "ge-1/0/1" ];
ap67.ports = [ "ge-1/0/34" ];
ap68.ports = [ "ge-1/0/35" ];
ap69.ports = [ "ge-0/0/35" ];
ap73.ports = [ "ge-0/0/45" ];
pub.ports = [ pub.ports = [
"ge-1/0/11" "ge-1/0/11"
]; ];
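Review bot: the `mgmt` VLAN loses `ge-1/0/0`, `ge-1/0/1` and the former `# server1` port `ge-1/0/43`, which are reassigned to the new `server6` group, to `priv49` and to `ap66` respectively. Management ports being repurposed as a private VLAN port and an AP port is fine only if the physical patching changed with the config; a cable still plugged into a former mgmt port now lands in priv49 or the AP VLAN instead of being unconfigured, so please confirm in the commit message. The `# server7` comment now labels `ge-1/0/45` and `ge-1/0/46` in `mgmt` (the old layout had server6 on 45) and also `ge-0/0/40` in `flpk`; say which port is which, and whether server6 really has no mgmt port any more.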
@ -177,6 +199,15 @@
"ge-1/0/42" "ge-1/0/42"
]; ];
}; };
server6 = {
group = "9";
ports = [
"ge-0/0/18"
"ge-0/0/19"
"ge-1/0/0"
"ge-1/0/2"
];
};
}; };
}; };
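Review bot: the new `server6` aggregation (`group = "9"`) spans both members (`ge-0/0/18`, `ge-0/0/19`, `ge-1/0/0`, `ge-1/0/2`), which is good for resilience, but `ge-1/0/0` was a `mgmt` port until this change and `ge-1/0/2` is not listed anywhere else in the diff; a comment naming the VLANs carried on the group would make the intent clear.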
@ -238,11 +269,8 @@
# Fenster # Fenster
ap33.ports = [ "5" ]; ap33.ports = [ "5" ];
c3d2.ports = [ "8-20" ]; c3d2.ports = [ "8-20" ];
# Testing
ap-test1.ports = [ "4" ];
bmx.ports = [ "7" ];
# tmp Datenspuren: VOC # tmp Datenspuren: VOC
iso4.ports = [ "6" ]; iso4.ports = [ "4" "6" "7" ];
}; };
}; };
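Review bot: `iso4` ("tmp Datenspuren: VOC") now holds ports 4, 6 and 7, absorbing the former `# Testing` port 4 and the Freifunk `bmx` port 7; since the comment says this is temporary, add a date or a TODO so the ports are returned after the event rather than staying in an isolated VLAN indefinitely.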
@ -300,8 +328,8 @@
up3.ports = [ "3" ]; up3.ports = [ "3" ];
# unifiac-mesh # unifiac-mesh
ap57.ports = [ "10" ]; ap57.ports = [ "10" ];
# dump-dvb traffic-stop-box # TLMS tetra and traffic-stop-box
c3d2.ports = [ "20" ]; c3d2.ports = [ "19,20" ];
}; };
}; };
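Review bot: `c3d2.ports = [ "19,20" ];` uses a comma inside one string, a form that appears nowhere else in the file (ranges are written as `"8-20"` and individual ports as separate strings, e.g. `[ "4" "6" "7" ]`); unless the switch config generator is known to expand comma lists, write `[ "19" "20" ]`, which is unambiguous.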
@ -329,27 +357,30 @@
"GigabitEthernet1/0/13" "GigabitEthernet1/0/13"
"GigabitEthernet1/0/14" "GigabitEthernet1/0/14"
"GigabitEthernet1/0/15" "GigabitEthernet1/0/15"
];
# Stage uplink
priv25.ports = [
"GigabitEthernet1/0/16" "GigabitEthernet1/0/16"
"GigabitEthernet1/0/17" "GigabitEthernet1/0/17"
"GigabitEthernet1/0/18" "GigabitEthernet1/0/18"
"GigabitEthernet1/0/19" "GigabitEthernet1/0/19"
"GigabitEthernet1/0/20"
]; ];
# Uplink
switch-a1.ports = [ "GigabitEthernet1/0/24" ];
# Freifunk # Freifunk
bmx.ports = [ bmx.ports = [
"GigabitEthernet1/0/20"
"GigabitEthernet1/0/21" "GigabitEthernet1/0/21"
"GigabitEthernet1/0/22" "GigabitEthernet1/0/22"
"GigabitEthernet1/0/23" "GigabitEthernet1/0/23"
]; ];
# Uplink
switch-a2.ports = [ "GigabitEthernet1/0/24" ];
}; };
}; };
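Review bot: on switch-ds1 ports 16 to 19 move from the public list to `priv25` ("Stage uplink") and port 20 moves from the Freifunk `bmx` list to `priv25` as well, while the uplink changes from `switch-a1` to `switch-a2`; the uplink change matches switch-a2's new link on port 3. Moving a Freifunk port into the stage network is a VLAN membership change that should be called out explicitly, since anyone relying on port 20 for Freifunk will now be on priv25.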
switch-ds2 = { switch-ds2 = {
role = "switch"; role = "switch";
model = "3com-5500G"; model = "3com-5500G";
location = "Vor dem Kl Saal"; location = "Grosser Saal oben";
interfaces = { mgmt.type = "phys"; }; interfaces = { mgmt.type = "phys"; };
links = { links = {
@ -374,16 +405,64 @@
"GigabitEthernet1/0/17" "GigabitEthernet1/0/17"
"GigabitEthernet1/0/18" "GigabitEthernet1/0/18"
"GigabitEthernet1/0/19" "GigabitEthernet1/0/19"
"GigabitEthernet1/0/20"
]; ];
# Uplink # Stage uplink
switch-a1.ports = [ "GigabitEthernet1/0/24" ]; priv25.ports = [
# Freifunk "GigabitEthernet1/0/20"
bmx.ports = [
"GigabitEthernet1/0/21" "GigabitEthernet1/0/21"
];
# VOC isolated
iso4.ports = [
"GigabitEthernet1/0/22" "GigabitEthernet1/0/22"
"GigabitEthernet1/0/23" "GigabitEthernet1/0/23"
]; ];
# Uplink
switch-a2.ports = [ "GigabitEthernet1/0/24" ];
};
};
switch-ds3 = {
firstboot = true;
role = "switch";
model = "3com-5500G";
location = "Kleiner Saal";
interfaces = { mgmt.type = "phys"; };
links = {
# Public
pub.ports = [
"GigabitEthernet1/0/1"
"GigabitEthernet1/0/2"
"GigabitEthernet1/0/3"
"GigabitEthernet1/0/4"
"GigabitEthernet1/0/5"
"GigabitEthernet1/0/6"
"GigabitEthernet1/0/7"
"GigabitEthernet1/0/8"
"GigabitEthernet1/0/9"
"GigabitEthernet1/0/10"
"GigabitEthernet1/0/11"
"GigabitEthernet1/0/12"
"GigabitEthernet1/0/13"
"GigabitEthernet1/0/14"
"GigabitEthernet1/0/15"
"GigabitEthernet1/0/16"
"GigabitEthernet1/0/17"
"GigabitEthernet1/0/18"
"GigabitEthernet1/0/19"
];
# Stage uplink
priv25.ports = [
"GigabitEthernet1/0/20"
"GigabitEthernet1/0/21"
];
# VOC isolated
iso4.ports = [
"GigabitEthernet1/0/22"
"GigabitEthernet1/0/23"
];
# Uplink
switch-a2.ports = [ "GigabitEthernet1/0/24" ];
}; };
}; };
}; };
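Review bot: `firstboot = true;` is set on the new `switch-ds3` but on none of the other switches defined here; if that flag drives initial provisioning it needs to be dropped once the switch has been set up, otherwise the definition keeps the switch in first-boot mode indefinitely. Also, `iso4` (VOC isolated) now gets `GigabitEthernet1/0/22` and `1/0/23` on both switch-ds2 and switch-ds3 while `bmx` on switch-ds2 shrinks to port 21; mark these like the `# tmp Datenspuren: VOC` entries earlier in this file if they are event-only.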

View File

@ -19,11 +19,14 @@ in
cluster = 6; cluster = 6;
bmx = 7; bmx = 7;
flpk = 8; flpk = 8;
coloradio = 9;
# Modems # Modems
up1 = 10; up1 = 10;
up2 = 11; up2 = 11;
up3 = 12; up3 = 12;
up4 = 13; up4 = 13;
# Isolated other stuff
c3d2iot = 20;
# Isolated neighbors directly connectied with their modems # Isolated neighbors directly connectied with their modems
iso1 = 101; iso1 = 101;
iso2 = 102; iso2 = 102;
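Review bot: the context comment `# Isolated neighbors directly connectied with their modems` has a typo (`connectied`); since this hunk already touches the surrounding lines, fix it to `connected` here. `c3d2iot = 20;` gets its own `# Isolated other stuff` heading between the modem VLANs (10 to 13) and the isolated neighbours (101 and up), which reads fine, but `coloradio = 9;` is inserted into the non-isolated block without a comment saying what traffic that VLAN carries.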

Binary file not shown.

View File

@ -55,10 +55,14 @@ Von geeigneten Routern haben wir stets zu wenige übrig, so dass wir sie
gemeinsam kaufen und bezahlen müssen. Such dir einen aus, dann gemeinsam kaufen und bezahlen müssen. Such dir einen aus, dann
bestellen und konfigurieren wir ihn. bestellen und konfigurieren wir ihn.
* Zyxel WSM20 (Multy M1) ([25€](https://geizhals.de/zyxel-multy-m1-v101058.html))
* TP-Link Archer C7 v2 ([58€](http://geizhals.de/tp-link-archer-c7-v2-a923544.html)) * TP-Link Archer C7 v2 ([58€](http://geizhals.de/tp-link-archer-c7-v2-a923544.html))
* Ubiquiti UniFi nanoHD ([150€](https://geizhals.de/ubiquiti-unifi-nanohd-uap-nanohd-a1802819.html))
* [Jedes Gerät auf dem OpenWRT läuft](https://openwrt.org/supported_devices) * [Jedes Gerät auf dem OpenWRT läuft](https://openwrt.org/supported_devices)
Die genannten Preise sind unverbindlich und schwanken stark mit den
Situationen rund um die Straße von Malaka, Rotem Meer und
Suez-Kanal. Auf eBay gibts gebrauchte Geräte.
![WLAN-Router](https://upload.wikimedia.org/wikipedia/commons/thumb/3/34/Linksys-Wireless-G-Router.jpg/280px-Linksys-Wireless-G-Router.jpg) ![WLAN-Router](https://upload.wikimedia.org/wikipedia/commons/thumb/3/34/Linksys-Wireless-G-Router.jpg/280px-Linksys-Wireless-G-Router.jpg)
### Netzverteilung ### Netzverteilung
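Review bot: the new Zyxel and Ubiquiti entries link to geizhals over `https://`, while the retained `TP-Link Archer C7 v2` line still points at `http://geizhals.de/tp-link-archer-c7-v2-a923544.html`; update it to https in the same edit so the list is consistent. In the added price paragraph, `Straße von Malaka` should read `Straße von Malakka`.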

View File

@ -1,17 +1,53 @@
{ {
"nodes": { "nodes": {
"nixpkgs": { "dns-nix": {
"inputs": {
"flake-utils": "flake-utils",
"nixpkgs": [
"nixpkgs"
]
},
"locked": { "locked": {
"lastModified": 1674242456, "lastModified": 1703643450,
"narHash": "sha256-yBy7rCH7EiBe9+CHZm9YB5ii5GRa+MOxeW0oDEBO8SE=", "narHash": "sha256-EUUF5oxFFPX/etKm0FNQg+7MPHQlNjmM1XhNgyDf7A0=",
"owner": "NixOS", "owner": "SuperSandro2000",
"repo": "nixpkgs", "repo": "dns.nix",
"rev": "cdead16a444a3e5de7bc9b0af8e198b11bb01804", "rev": "70dcce71560d4253f63812fa36dee994c81ae814",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "owner": "SuperSandro2000",
"ref": "release-22.11", "repo": "dns.nix",
"type": "github"
}
},
"flake-utils": {
"locked": {
"lastModified": 1614513358,
"narHash": "sha256-LakhOx3S1dRjnh0b5Dg3mbZyH0ToC9I8Y2wKSkBaTzU=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "5466c5bbece17adaab2d82fae80b46e807611bf3",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1713634877,
"narHash": "sha256-+tmLKU8N+YMIIBRPmWFueaytsbSDu4wqGnxc3RKYZwk=",
"owner": "SuperSandro2000",
"repo": "nixpkgs",
"rev": "84f20dcf85434cd2e2a163ec3a30937c78cc26b2",
"type": "github"
},
"original": {
"owner": "SuperSandro2000",
"ref": "nixos-23.11",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
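Review bot: the `dns-nix` input's `original` block carries only `owner` and `repo` and no `ref`, so a future `nix flake update` follows whatever the fork's default branch is at that moment; pin a `ref`, as is done for `nixpkgs` with `"ref": "nixos-23.11"`, so updates stay on a known branch. The `rev`/`narHash` pair still makes the current build reproducible, but the branch choice should not be implicit.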
@ -19,16 +55,16 @@
"openwrt": { "openwrt": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1674227662, "lastModified": 1713442482,
"narHash": "sha256-MtkO4sbP+75B9j2oW0/JFvosWQh8H0S95VJ3r0wl+xk=", "narHash": "sha256-OAcv1qiM2V6wPQm4Tz2QnnDpw34pifG6QRDZea7AP9o=",
"ref": "openwrt-22.03", "ref": "openwrt-23.05",
"rev": "1bead4c521b6f6cf711fd06398d54b1a6fbbef96", "rev": "9b33b74ef71225442361d5192d3a727be212c3cd",
"revCount": 54502, "revCount": 58296,
"type": "git", "type": "git",
"url": "https://git.openwrt.org/openwrt/openwrt.git" "url": "https://git.openwrt.org/openwrt/openwrt.git"
}, },
"original": { "original": {
"ref": "openwrt-22.03", "ref": "openwrt-23.05",
"type": "git", "type": "git",
"url": "https://git.openwrt.org/openwrt/openwrt.git" "url": "https://git.openwrt.org/openwrt/openwrt.git"
} }
@ -40,11 +76,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1674207776, "lastModified": 1713693953,
"narHash": "sha256-XfIWLKlpFSBNqzx8Nf0hUZGOK0HhBTaFjmtsdkMnY/A=", "narHash": "sha256-DsJ/pzBSF3CxQWyiw4V3k96h7Q3UaRnQnL1N9tw+uWg=",
"owner": "astro", "owner": "astro",
"repo": "nix-openwrt-imagebuilder", "repo": "nix-openwrt-imagebuilder",
"rev": "f9b70efd4254e905a700361e3052fc4860dda73c", "rev": "d4dc8c84f4397be494ae834709276f099df892e7",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -55,6 +91,7 @@
}, },
"root": { "root": {
"inputs": { "inputs": {
"dns-nix": "dns-nix",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",
"openwrt": "openwrt", "openwrt": "openwrt",
"openwrt-imagebuilder": "openwrt-imagebuilder" "openwrt-imagebuilder": "openwrt-imagebuilder"

View File

@ -2,9 +2,13 @@
description = "Zentralwerk network"; description = "Zentralwerk network";
inputs = { inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/release-22.11"; dns-nix = {
url = "github:SuperSandro2000/dns.nix";
inputs.nixpkgs.follows = "nixpkgs";
};
nixpkgs.url = "github:SuperSandro2000/nixpkgs/nixos-23.11";
openwrt = { openwrt = {
url = "git+https://git.openwrt.org/openwrt/openwrt.git?ref=openwrt-22.03"; url = "git+https://git.openwrt.org/openwrt/openwrt.git?ref=openwrt-23.05";
flake = false; flake = false;
}; };
openwrt-imagebuilder = { openwrt-imagebuilder = {
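Review bot: `nixpkgs.url = "github:SuperSandro2000/nixpkgs/nixos-23.11";` replaces `github:NixOS/nixpkgs/release-22.11`, and `dns-nix` is taken from the same user's fork; depending on one maintainer's fork for the whole package set is a supply-chain decision that needs a comment stating which patches the fork carries and when the input can go back to upstream, otherwise later updates silently pull from an unreviewed branch. `dns-nix` also has no branch in its URL, unlike `openwrt` and `nixpkgs`.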
@ -13,7 +17,7 @@
}; };
}; };
outputs = inputs@{ self, nixpkgs, openwrt, openwrt-imagebuilder }: outputs = inputs@{ self, dns-nix, nixpkgs, openwrt, openwrt-imagebuilder }:
let let
system = "x86_64-linux"; system = "x86_64-linux";
systems = [ system ]; systems = [ system ];
@ -26,16 +30,15 @@
specialArgs = { specialArgs = {
hostName = name; hostName = name;
inherit (self) lib; inherit (self) lib;
inherit inputs self; inherit inputs dns-nix self;
}; };
}; };
in { in {
# Config, and utilities # Config, and utilities
lib = nixpkgs.lib.extend (_final: _prev: lib = nixpkgs.lib.extend (_final: _prev:
import ./nix/lib { import ./nix/lib {
inherit self; inherit self openwrt;
inherit openwrt; inherit (nixpkgs.legacyPackages.x86_64-linux) lib pkgs;
pkgs = nixpkgs.legacyPackages.x86_64-linux;
}); });
# Everything that can be built locally outside of NixOS # Everything that can be built locally outside of NixOS
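Review bot: `inherit (nixpkgs.legacyPackages.x86_64-linux) lib pkgs;` hard-codes the system even though `system = "x86_64-linux";` is bound in the same `let` a few lines above; use `nixpkgs.legacyPackages.${system}` so the two cannot drift when another system is added to `systems`.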

View File

@ -148,6 +148,12 @@ let
type = with types; attrsOf (attrsOf str); type = with types; attrsOf (attrsOf str);
default = {}; default = {};
}; };
ospf = {
secret = mkOption {
type = with types; nullOr str;
default = null;
};
};
dhcp = mkOption { dhcp = mkOption {
type = with types; nullOr (submodule { options = dhcpOpts; }); type = with types; nullOr (submodule { options = dhcpOpts; });
default = null; default = null;
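Review bot: the new `ospf.secret` option has no `description`, yet its value is later interpolated verbatim into the bird configuration as `password "${config.site.net.${net}.ospf.secret}"`; document that this is the shared OSPF authentication key for a network and that, if the generated bird config is written to the Nix store, the secret is readable by every user on every host that evaluates the config. Loading it from a file outside the store would be the safer shape.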
@ -172,7 +178,7 @@ let
type = enum [ "A" "AAAA" "MX" "SRV" "CNAME" "TXT" ]; type = enum [ "A" "AAAA" "MX" "SRV" "CNAME" "TXT" ];
}; };
data = mkOption { data = mkOption {
type = str; type = oneOf [ str (attrsOf (oneOf [ int str ])) ];
}; };
}; };
}); });
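Review bot: `data` now accepts either a string or an attrset of `int`/`str` values, but the option carries no `description` explaining which record types expect the attrset form (presumably the structured fields of `SRV` and `MX`); add one, otherwise the type change is opaque to anyone declaring records in the site config.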
@ -188,6 +194,13 @@ let
type = with types; nullOr int; type = with types; nullOr int;
default = null; default = null;
}; };
wifi.ieee80211rKey = mkOption {
type = with types; nullOr str;
default = null;
description = ''
Key between WiFi access points for Fast Transition
'';
};
}; };
}; };
@ -384,10 +397,35 @@ let
}; }); }; });
default = []; default = [];
}; };
ospf.stubNets4 = mkOption {
type = with types; listOf str;
default = [];
description = "Additional IPv4 networks to announce";
};
ospf.stubNets6 = mkOption {
type = with types; listOf str;
default = [];
description = "Additional IPv6 networks to announce";
};
ospf.allowedUpstreams = mkOption {
type = with types; listOf str;
default = [];
description = "Accept default routes from these OSPF routers, in order of preference";
};
ospf.allowedUpstreams6 = mkOption {
type = with types; listOf str;
default = config.site.hosts.${name}.ospf.allowedUpstreams;
description = "Accept IPv6 default routes from these OSPF3 routers, in order of preference";
};
ospf.upstreamInstance = mkOption {
type = with types; nullOr int;
default = null;
description = "OSPF instance for advertising the default route";
};
bgp = mkOption { bgp = mkOption {
default = null; default = null;
type = with types; nullOr (submodule { type = with types; nullOr (submodule {
options = bgpOpts name; options = bgpOpts;
}); });
}; };
services.dns = { services.dns = {
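Review bot: `ospf.upstreamInstance` defaults to `null`, but its description says it is the instance used to advertise the default route, and other hosts' `allowedUpstreams` will look it up by host name; nothing here asserts that a host named as an upstream has set it. Add an assertion that every entry of any host's `ospf.allowedUpstreams` and `allowedUpstreams6` names an existing host whose `upstreamInstance` is non-null, so the error surfaces at evaluation time rather than in a broken bird config.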
@ -408,10 +446,19 @@ let
wifi = mkOption { wifi = mkOption {
default = {}; default = {};
type = with types; attrsOf (submodule ( type = with types; attrsOf (submodule (
{ ... }: { { config, ... }: {
options = { options = {
band = mkOption {
type = enum [ "2g" "5g" ];
default =
if config.channel >= 1 && config.channel <= 14
then "2g"
else if config.channel >= 32 && config.channel <= 177
then "5g"
else throw "What band is channel ${toString config.channel}?";
};
htmode = mkOption { htmode = mkOption {
type = enum [ "HT20" "HT40-" "HT40+" "VHT80" ]; type = enum [ "HT20" "HT40-" "HT40+" "HT40" "VHT80" ];
}; };
channel = mkOption { channel = mkOption {
type = int; type = int;
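Review bot: the `band` default throws for any channel outside 1..14 and 32..177, which is a reasonable guard, but because it sits in a `default` it only fires when `band` is read, so a bad channel surfaces as an evaluation error far from the offending host definition; a `description` on `band` (and on `htmode`, which now also accepts `"HT40"` next to `"HT40-"`/`"HT40+"`) would make the accepted values visible where they are set.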
@ -426,6 +473,10 @@ let
type = nullOr str; type = nullOr str;
default = null; default = null;
}; };
hidden = mkOption {
type = bool;
default = false;
};
encryption = mkOption { encryption = mkOption {
type = enum [ "none" "owe" "wpa2" "wpa3" ]; type = enum [ "none" "owe" "wpa2" "wpa3" ];
default = default =
@ -441,6 +492,13 @@ let
type = nullOr str; type = nullOr str;
default = null; default = null;
}; };
disassocLowAck = mkOption {
type = bool;
default = true;
description = ''
Disable for wireless bridges.
'';
};
}; };
})); }));
}; };
@ -458,52 +516,20 @@ let
}; };
}; };
bgpOpts = hostName: { bgpOpts = {
asn = mkOption { asn = mkOption {
type = types.int; type = types.int;
default = config.site.bgp.asn;
}; };
peers = mkOption { peers = mkOption {
type = with types; attrsOf (submodule (submoduleArg: { type = with types; attrsOf (submodule ({ ... }: {
options = { options = {
asn = mkOption { asn = mkOption {
type = types.int; type = types.int;
default = config.site.bgp.asn;
};
name = mkOption {
type = types.str;
};
type = mkOption {
type = types.enum [ "external" "rr_server" "rr_client" "upstream" ];
}; };
}; };
})); }));
default = {}; default = {};
}; };
nets4 = mkOption {
type = with types; listOf str;
default = [];
description = "Additional IPv4 networks to announce";
};
nets6 = mkOption {
type = with types; listOf str;
default = [];
description = "Additional IPv6 networks to announce";
};
allowedUpstreams = mkOption {
type = with types; listOf str;
default = [];
description = "Accept default routes from these BGP routers, in order of preference";
};
allowedUpstreams6 = mkOption {
type = with types; listOf str;
default = config.site.hosts.${hostName}.bgp.allowedUpstreams;
description = "Accept IPv6 default routes from these BGP routers, in order of preference";
};
upstreamTable = mkOption {
type = with types; nullOr str;
default = null;
};
}; };
linkOpts = hostName: { name, ... }: { linkOpts = hostName: { name, ... }: {
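Review bot: `asn` on both the host and each peer loses its `default = config.site.bgp.asn` (and `site.bgp.asn` itself is removed further down), so every host with `bgp != null` and every peer must now set `asn` explicitly or evaluation fails; check the host definitions that relied on the default. Dropping the peer `name` and `type` options also means the generated protocol names can no longer distinguish route-reflector, external and upstream peers.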
@ -578,11 +604,6 @@ in
type = with types; attrsOf (submodule netOpts); type = with types; attrsOf (submodule netOpts);
}; };
net-combined = mkOption {
description = "All hosts of all subnets";
default = {};
type = with types; submodule netOpts;
};
hosts = mkOption { hosts = mkOption {
description = "All the static hosts"; description = "All the static hosts";
@ -614,12 +635,6 @@ in
default = "secret"; default = "secret";
}; };
}; };
bgp = {
asn = mkOption {
type = types.int;
};
};
}; };
config.warnings = config.warnings =
@ -640,16 +655,16 @@ in
reportCollisions = name: getter: xs: reportCollisions = name: getter: xs:
map (k: "Duplicate ${name}: ${k}") (findCollisions getter xs); map (k: "Duplicate ${name}: ${k}") (findCollisions getter xs);
bgpUpstreamXorGw = ospfUpstreamXorGw =
builtins.concatMap (hostName: builtins.concatMap (hostName:
let let
hostConf = config.site.hosts.${hostName}; hostConf = config.site.hosts.${hostName};
gwNets = builtins.filter (netName: gwNets = builtins.filter (netName:
hostConf.interfaces.${netName}.gw4 != null hostConf.interfaces.${netName}.gw4 != null
) (builtins.attrNames hostConf.interfaces); ) (builtins.attrNames hostConf.interfaces);
in if gwNets != [] && hostConf.bgp.allowedUpstreams or [] != [] in if gwNets != [] && hostConf.ospf.allowedUpstreams != []
then [ '' then [ ''
Host ${hostName} has gateway on ${builtins.head gwNets} but accepts default routes from BGP Host ${hostName} has gateway on ${builtins.head gwNets} but accepts default routes from OSPF
'' ] '' ]
else [] else []
) (builtins.attrNames config.site.hosts); ) (builtins.attrNames config.site.hosts);
@ -657,7 +672,7 @@ in
(reportCollisions "VLAN tag" (x: lib.optional (x.vlan != null) x.vlan) config.site.net) ++ (reportCollisions "VLAN tag" (x: lib.optional (x.vlan != null) x.vlan) config.site.net) ++
(reportCollisions "IPv4 subnet" (x: if x.subnet4 == null then [] else [x.subnet4]) config.site.net) ++ (reportCollisions "IPv4 subnet" (x: if x.subnet4 == null then [] else [x.subnet4]) config.site.net) ++
(reportCollisions "IPv6 subnet" (x: builtins.attrValues x.subnets6) config.site.net) ++ (reportCollisions "IPv6 subnet" (x: builtins.attrValues x.subnets6) config.site.net) ++
bgpUpstreamXorGw; ospfUpstreamXorGw;
config.assertions = config.assertions =
# Duplicate host/net name check # Duplicate host/net name check

View File

@ -1,13 +1,13 @@
{ self, pkgs, openwrt }: { self, lib, openwrt, pkgs }:
rec { rec {
config = (import ./config { inherit self pkgs; }).config; inherit (import ./config { inherit self pkgs; }) config;
netmasks = import ./netmasks.nix; netmasks = import ./netmasks.nix;
subnet = import ./subnet { inherit pkgs; }; subnet = import ./subnet { inherit pkgs; };
dns = import ./dns.nix { inherit pkgs config; }; dns = import ./dns.nix { inherit config lib; };
openwrtModels = import ./openwrt-models.nix { inherit self openwrt; }; openwrtModels = import ./openwrt-models.nix { inherit self openwrt; };

View File

@ -1,17 +1,18 @@
{ pkgs, config }: { config, lib }:
let
lib = pkgs.lib;
in
rec { rec {
ns = "dns.serv.zentralwerk.org"; ns = "dns.serv.zentralwerk.org";
internalNS = [ ns ]; internalNS = [ ns ];
# public servers (slaves) # public servers (slaves)
publicNS = [ "ns.c3d2.de" "ns.spaceboyz.net" ]; publicNS = [
"ns.c3d2.de"
"ns.spaceboyz.net"
"ns1.supersandro.de"
];
publicIPv4 = config.site.hosts.upstream4.interfaces.up4-pppoe.upstream.staticIpv4Address; publicIPv4 = config.site.hosts.upstream4.interfaces.up4-pppoe.upstream.staticIpv4Address;
dynamicReverseZones = [ dynamicReverseZones4 = [
"73.20.172.in-addr.arpa" "73.20.172.in-addr.arpa"
"74.20.172.in-addr.arpa" "74.20.172.in-addr.arpa"
"75.20.172.in-addr.arpa" "75.20.172.in-addr.arpa"
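Review bot: `ns1.supersandro.de` is added to `publicNS`, so it will be published as a name server for the public zones; make sure the primary's notify and AXFR ACLs include that host's addresses, otherwise the zone is delegated to a secondary that cannot load it. Renaming `dynamicReverseZones` to `dynamicReverseZones4` here matches the later hunks in this file.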
@ -20,6 +21,12 @@ rec {
"78.20.172.in-addr.arpa" "78.20.172.in-addr.arpa"
"79.20.172.in-addr.arpa" "79.20.172.in-addr.arpa"
"99.22.172.in-addr.arpa" "99.22.172.in-addr.arpa"
"22.10.in-addr.arpa"
];
dynamicReverseZones6 = [
"2.0.0.0.c.2.0.8.1.8.0.0.a.2.ip6.arpa"
"4.1.b.a.c.a.2.8.3.5.f.0.a.2.ip6.arpa"
"5.0.2.d.3.c.2.4.0.0.3.2.d.f.ip6.arpa"
]; ];
mapI = start: end: f: mapI = start: end: f:
@ -92,7 +99,7 @@ rec {
"${zone}" = true; "${zone}" = true;
} }
) {} (builtins.attrNames reverseHosts4) ) {} (builtins.attrNames reverseHosts4)
) ++ dynamicReverseZones ) ++ dynamicReverseZones4
); );
# turns `::` into `0000:0000:0000:0000:0000:0000:0000:0000` # turns `::` into `0000:0000:0000:0000:0000:0000:0000:0000`
@ -185,11 +192,7 @@ rec {
} { } {
name = "zentralwerk.dn42"; name = "zentralwerk.dn42";
ns = internalNS; ns = internalNS;
records = [ { records = [ ];
name = "ipa";
type = "A";
data = config.site.net.serv.hosts4.ipa;
} ];
} { } {
name = "dyn.zentralwerk.org"; name = "dyn.zentralwerk.org";
ns = publicNS; ns = publicNS;
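Review bot: `records = [ ];` leaves `zentralwerk.dn42` as a zone carrying only the `internalNS` NS records; if the `ipa` A record was intentionally dropped and nothing else populates the zone, say so in a comment or remove the zone entry altogether.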
@ -241,7 +244,7 @@ rec {
builtins.filter (lib.hasSuffix ".${zone}") builtins.filter (lib.hasSuffix ".${zone}")
(builtins.attrNames reverseHosts4) (builtins.attrNames reverseHosts4)
); );
dynamic = builtins.elem zone dynamicReverseZones; dynamic = builtins.elem zone dynamicReverseZones4;
}) reverseZones4 }) reverseZones4
++ ++
builtins.concatMap (ctx: builtins.concatMap (ctx:
@ -260,6 +263,7 @@ rec {
builtins.filter (lib.hasSuffix ".${zone}") builtins.filter (lib.hasSuffix ".${zone}")
(builtins.attrNames reverseHosts6.${ctx}) (builtins.attrNames reverseHosts6.${ctx})
); );
dynamic = builtins.elem zone dynamicReverseZones6;
}) reverseZones6.${ctx} }) reverseZones6.${ctx}
) (builtins.attrNames reverseZones6); ) (builtins.attrNames reverseZones6);
} }

View File

@ -95,7 +95,9 @@ let
ucidef_set_interfaces_lan_wan.ports = ucidef_set_interfaces_lan_wan.ports =
makeLinkFromArg "lan" (builtins.elemAt args 0) // makeLinkFromArg "lan" (builtins.elemAt args 0) //
makeLinkFromArg "wan" (builtins.elemAt args 1); self.lib.optionalAttrs (builtins.length args > 1) (
makeLinkFromArg "wan" (builtins.elemAt args 1)
);
}; };
in in
if commands ? ${command} if commands ? ${command}

View File

@ -90,7 +90,7 @@ in
Host "inbert.c3d2.de" Host "inbert.c3d2.de"
Host "heise.de" Host "heise.de"
''; '';
}) (lib.optionalAttrs config.services.dhcpd4.enable { }) (lib.optionalAttrs config.services.kea.dhcp4.enable {
plugins.exec = plugins.exec =
let let
maxTimeout = builtins.foldl' (maxTimeout: net: maxTimeout = builtins.foldl' (maxTimeout: net:
@ -117,11 +117,11 @@ in
}) ]; }) ];
systemd.services.collectd = lib.mkIf config.services.dhcpd4.enable { systemd.services.collectd = lib.mkIf config.services.kea.dhcp4.enable {
after = [ "dhcpd4.service" ]; after = [ "kea-dhcp4-server.service" ];
}; };
security.wrappers = lib.mkIf config.services.dhcpd4.enable { security.wrappers = lib.mkIf config.services.kea.dhcp4.enable {
collectd-dhcpcount = collectd-dhcpcount =
let let
dhcpcount = pkgs.runCommand "dhcpcount" { dhcpcount = pkgs.runCommand "dhcpcount" {

View File

@ -1,36 +1,28 @@
#!/usr/bin/env ruby #!/usr/bin/env ruby
require 'date' require 'csv'
INTERVAL = 300 INTERVAL = 60
TIMEOUT = ARGV[0].to_i TIMEOUT = ARGV[0].to_i # TODO: now unused
hostname = IO::readlines("/proc/sys/kernel/hostname").join.strip hostname = CSV::readlines("/proc/sys/kernel/hostname").join.strip
STDOUT.sync = true STDOUT.sync = true
loop do loop do
seen = {} seen = {}
count = 0 count = 0
now = Time.now.to_i
addr = nil CSV::readlines("/var/lib/kea/kea-leases4.csv", headers: true).each do |rec|
starts = nil h = rec.to_h
addr = h["hwaddr"]
next unless addr
last = h["expire"].to_i
elapsed = now - last
next if elapsed >= TIMEOUT
IO::readlines("/var/lib/dhcpd4/dhcpd.leases").each do |line| unless seen[addr]
if line =~ /^lease (.+) \{/ count += 1
addr = $1 seen[addr] = true
starts = nil
elsif line =~ /starts \d+ (.+?);/
starts = DateTime.parse($1).to_time
elsif line =~ /^\}/
now = Time.now
if starts and
now >= starts and now < starts + TIMEOUT
unless seen[addr]
count += 1
seen[addr] = true
end
end
end end
end end
puts "PUTVAL \"#{hostname}/exec-dhcpd/current_sessions-leases\" interval=#{INTERVAL} N:#{count}" puts "PUTVAL \"#{hostname}/exec-dhcpd/current_sessions-leases\" interval=#{INTERVAL} N:#{count}"
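Review bot: the comment `TIMEOUT = ARGV[0].to_i # TODO: now unused` is wrong: `TIMEOUT` is still used in `next if elapsed >= TIMEOUT`, where `elapsed = now - h["expire"].to_i` counts a lease whenever its expiry lies in the future or at most `TIMEOUT` seconds in the past. Since Kea's memfile lease CSV can hold several rows for the same lease (updates are appended), the loop counts a `hwaddr` as soon as any of its rows passes that check, even when a later row has superseded it; keep only the last row per `hwaddr` before filtering. Also, `CSV::readlines("/proc/sys/kernel/hostname")` parses the hostname as CSV for no reason; the previous `IO::readlines` was correct there.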

View File

@ -25,42 +25,6 @@ let
n = n; n = n;
x = builtins.head list; x = builtins.head list;
} ] ++ (enumerate (n + 1) (builtins.tail list)); } ] ++ (enumerate (n + 1) (builtins.tail list));
nets4 =
hostConf.bgp.nets4
++
builtins.concatMap (net:
if net != "core"
then
let
subnet4 = config.site.net.${net}.subnet4 or null;
in lib.optional (subnet4 != null) subnet4
else
[]
) (builtins.attrNames hostConf.interfaces);
nets6 =
hostConf.bgp.nets6
++
builtins.concatMap (net:
if net != "core"
then
builtins.attrValues config.site.net.${net}.subnets6 or {}
else
[]
) (builtins.attrNames hostConf.interfaces);
upstreamsToOrder = upstreams:
builtins.foldl' (order: { n, x }:
order // {
${x} = n;
}
) {} (enumerate 1 upstreams);
upstream4Order = upstreamsToOrder hostConf.bgp.allowedUpstreams;
upstream6Order = upstreamsToOrder hostConf.bgp.allowedUpstreams6;
allowedUpstreams = lib.unique (
hostConf.bgp.allowedUpstreams ++ hostConf.bgp.allowedUpstreams6
);
in in
{ {
services.bird2 = { services.bird2 = {
@ -71,13 +35,31 @@ in
protocol kernel K4 { protocol kernel K4 {
learn; learn;
ipv4 { ipv4 {
export all; ${if isUpstream
then ''
# Install all routes but the default route on upstreams
export where net != 0.0.0.0/0;
# Learn the upstream default route
import where net = 0.0.0.0/0;
''
else ''
export all;
''}
}; };
} }
protocol kernel K6 { protocol kernel K6 {
learn; learn;
ipv6 { ipv6 {
export all; ${if isUpstream
then ''
# Install all routes but the default route on upstreams
export where net != ::/0;
# Learn the upstream default route
import where net = ::/0;
''
else ''
export all;
''}
}; };
} }
protocol device { protocol device {
@ -102,7 +84,10 @@ in
check link yes; check link yes;
} }
${lib.optionalString (hostConf.bgp.upstreamTable != null) '' ${lib.optionalString (
builtins.match "anon.*" hostName != null ||
hostName == "flpk-gw"
) ''
# BIRD routing table for Wireguard transport # BIRD routing table for Wireguard transport
ipv4 table vpn_table; ipv4 table vpn_table;
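Review bot: the vpn_table condition replaces the removed `bgp.upstreamTable` option with a hard-coded hostname test, `builtins.match "anon.*" hostName != null || hostName == "flpk-gw"`, and the same predicate is repeated further down in this file for the OSPF upstream instances; bind it once in the `let` (for example `usesVpnTable = ...;`) or reintroduce a per-host option so the set of hosts using the wireguard table lives in one place.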
@ -127,6 +112,14 @@ in
min ra interval 10; min ra interval 10;
max ra interval 60; max ra interval 60;
solicited ra unicast yes; solicited ra unicast yes;
${if (config.site.net.${net}.dhcp.server or null) == null
then ''
# Do not use DHCP6.
managed no;
'' else ''
# Use DHCP6 for DynDNS.
managed yes;
''}
${builtins.concatStringsSep "\n" ( ${builtins.concatStringsSep "\n" (
map (subnet6: '' map (subnet6: ''
@ -143,6 +136,235 @@ in
} }
''} ''}
# OSPFv2 for site-local IPv4
protocol ospf v2 ZW4 {
ipv4 {
import all;
# OSPF is self-contained
export none;
};
area 0 {
${builtins.concatStringsSep "\n" (
builtins.attrValues (
builtins.mapAttrs (net: _:
# Enable OSPF only on networks with a secret.
if config.site.net ? "${net}" && config.site.net.${net}.ospf.secret != null
then ''
interface "${net}" {
hello 10;
wait 20;
authentication cryptographic;
password "${config.site.net.${net}.ospf.secret}";
};
''
else ''
interface "${net}" {
stub yes;
cost 10;
};
''
) hostConf.interfaces
)
)}
${builtins.concatStringsSep "\n" (
map (stubnet4: ''
# Advertise additional route
stubnet ${stubnet4} {};
'') hostConf.ospf.stubNets4
)}
};
}
${lib.optionalString isUpstream ''
# OSPFv2 to advertise my default route
protocol ospf v2 ZW4_${hostNameEscaped} {
ipv4 {
export where net = 0.0.0.0/0;
};
area 0 {
${builtins.concatStringsSep "\n" (
builtins.attrValues (
builtins.mapAttrs (net: _:
# Enable OSPF only on interfaces with a secret.
lib.optionalString (config.site.net.${net}.ospf.secret != null) ''
interface "${net}" instance ${toString hostConf.ospf.upstreamInstance} {
# Become the designated router
priority 10;
hello 10;
wait 20;
authentication cryptographic;
password "${config.site.net.${net}.ospf.secret}";
};
''
) hostConf.physicalInterfaces
)
)}
};
}
''}
${(
builtins.foldl' ({ text, n }: upstream: {
text = ''
${text}
# OSPFv2 to receive a default route from ${upstream}
protocol ospf v2 ZW4_${
builtins.replaceStrings [ "-" ] [ "_" ] upstream
} {
ipv4 {
import filter {
preference = preference + ${toString (100 - n)};
accept;
};
${lib.optionalString (
builtins.match "anon.*" hostName != null ||
hostName == "flpk-gw"
) ''
table vpn_table;
''}
};
area 0 {
${builtins.concatStringsSep "\n" (
builtins.attrValues (
builtins.mapAttrs (net: _:
# Enable OSPF only on interfaces with a secret.
lib.optionalString (config.site.net.${net}.ospf.secret != null) ''
interface "${net}" instance ${
builtins.replaceStrings [ "-" ] [ "_" ] (
toString config.site.hosts.${upstream}.ospf.upstreamInstance
)
} {
hello 10;
wait 20;
authentication cryptographic;
password "${config.site.net.${net}.ospf.secret}";
};
''
) hostConf.physicalInterfaces
)
)}
};
}
'';
n = n + 1;
}) { text = ""; n = 0; } hostConf.ospf.allowedUpstreams
).text}
# OSPFv3 for site-local IPv6
protocol ospf v3 ZW6 {
ipv6 {
import all;
# OSPF is self-contained
export none;
};
area 0 {
${builtins.concatStringsSep "\n" (
builtins.attrValues (
builtins.mapAttrs (net: _:
# Enable OSPF only on networks with a secret.
if config.site.net.${net}.ospf.secret != null
then ''
interface "${net}" {
hello 10;
wait 20;
authentication cryptographic;
password "${config.site.net.${net}.ospf.secret}";
};
''
else ''
interface "${net}" {
stub yes;
cost 10;
};
''
) hostConf.physicalInterfaces
)
)}
${builtins.concatStringsSep "\n" (
map (stubnet6: ''
# Advertise additional route
stubnet ${stubnet6} {};
'')
hostConf.ospf.stubNets6
)}
};
}
${lib.optionalString isUpstream ''
# OSPFv3 to advertise my default route
protocol ospf v3 ZW6_${hostNameEscaped} {
ipv6 {
export where net = ::/0;
};
area 0 {
${builtins.concatStringsSep "\n" (
builtins.attrValues (
builtins.mapAttrs (net: _:
# Enable OSPF only on interfaces with a secret.
lib.optionalString (config.site.net.${net}.ospf.secret != null) ''
interface "${net}" instance ${toString hostConf.ospf.upstreamInstance} {
# Become the designated router
priority 10;
hello 10;
wait 20;
authentication cryptographic;
password "${config.site.net.${net}.ospf.secret}";
};
''
) hostConf.physicalInterfaces
)
)}
};
}
''}
${lib.optionalString (builtins.match "anon.*" hostName == null) (
builtins.foldl' ({ text, n }: upstream: {
text = ''
${text}
# OSPFv3 to receive a default route from ${upstream}
protocol ospf v3 ZW6_${
builtins.replaceStrings [ "-" ] [ "_" ] upstream
} {
ipv6 {
import filter {
preference = preference + ${toString (100 - n)};
accept;
};
};
area 0 {
${builtins.concatStringsSep "\n" (
builtins.attrValues (
builtins.mapAttrs (net: _:
# Enable OSPF only on interfaces with a secret.
lib.optionalString (config.site.net.${net}.ospf.secret != null) ''
interface "${net}" instance ${
builtins.replaceStrings [ "-" ] [ "_" ] (
toString config.site.hosts.${upstream}.ospf.upstreamInstance
)
} {
hello 10;
wait 20;
authentication cryptographic;
password "${config.site.net.${net}.ospf.secret}";
};
''
) hostConf.physicalInterfaces
)
)}
};
}
'';
n = n + 1;
}) { text = ""; n = 0; } hostConf.ospf.allowedUpstreams6
).text}
# Zentralwerk DN42 # Zentralwerk DN42
protocol static { protocol static {
ipv4; ipv4;
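Review bot: `interface "${net}" instance ${toString hostConf.ospf.upstreamInstance} {` (and the `toString config.site.hosts.${upstream}.ospf.upstreamInstance` in the receiver instances) renders an empty string while `upstreamInstance` is still `null`, producing `instance  {` and a bird config that fails to parse on that host; guard it with an assertion or `lib.optionalString`. The interface selection is also inconsistent: `ZW4` iterates `hostConf.interfaces` behind a `config.site.net ? "${net}"` guard, whereas `ZW6` and every upstream instance iterate `hostConf.physicalInterfaces` without it. The security shape is right otherwise: interfaces without an `ospf.secret` become `stub yes` so no adjacency can form on unsecured networks, and `authentication cryptographic` is used on every secured interface.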
@ -156,146 +378,31 @@ in
} }
${lib.optionalString (hostConf.bgp != null) '' ${lib.optionalString (hostConf.bgp != null) ''
# zentralwerk-network template bgp bgppeer {
template bgp bgp_rr_server {
local as ${toString hostConf.bgp.asn}; local as ${toString hostConf.bgp.asn};
direct;
ipv4 { ipv4 {
import filter { import all;
preference = preference + 200; export where source=RTS_STATIC;
accept;
};
${lib.optionalString (nets4 != []) ''
export where net ~ [ ${lib.concatMapStringsSep ", " (n: "${n}") nets4} ];
''}
}; };
ipv6 { ipv6 {
import filter {
preference = preference + 200;
accept;
};
${lib.optionalString (nets6 != []) ''
export where net ~ [ ${lib.concatMapStringsSep ", " (n: "${n}") nets6} ];
''}
};
}
template bgp bgp_rr_client {
local as ${toString hostConf.bgp.asn};
direct;
ipv4 {
next hop self on;
import filter {
preference = preference + 200;
accept;
};
${lib.optionalString (nets4 != []) ''
export where net ~ [ ${lib.concatMapStringsSep ", " (n: "${n}") nets4} ];
''}
};
ipv6 {
next hop self on;
import filter {
preference = preference + 200;
accept;
};
${lib.optionalString (nets6 != []) ''
export where net ~ [ ${lib.concatMapStringsSep ", " (n: "${n}") nets6} ];
''}
};
}
# dn42
template bgp bgp_external {
local as ${toString hostConf.bgp.asn};
direct;
ipv4 {
next hop self on;
import all; import all;
export where source = RTS_STATIC; export where source=RTS_STATIC;
};
ipv6 {
next hop self on;
import all;
export where source = RTS_STATIC;
};
}
# emitting default routes
template bgp bgp_upstream {
local as ${toString hostConf.bgp.asn};
direct;
ipv4 {
next hop self on;
import all;
export where net = 0.0.0.0/0;
};
ipv6 {
next hop self on;
import all;
export where net = ::/0;
}; };
} }
${lib.concatMapStrings (peer: ${builtins.concatStringsSep "\n" (
let map ({ n, x }:
peerConf = hostConf.bgp.peers.${peer}; let
isRange = lib.hasInfix "/" peer; peer = x;
in '' peerConf = hostConf.bgp.peers.${peer};
protocol bgp bgp_${peerConf.name} from bgp_${peerConf.type} { in ''
neighbor ${lib.optionalString isRange "range"} ${peer} as ${toString peerConf.asn}; protocol bgp bgp_${toString n} from bgppeer {
${lib.optionalString isRange '' neighbor ${peer} as ${toString peerConf.asn};
dynamic name "bgp_${peerConf.name}"; }
''} ''
${lib.optionalString (peerConf.type == "rr") '' ) (enumerate 1 (builtins.attrNames hostConf.bgp.peers))
rr client; )}
''}
}
'') (builtins.attrNames hostConf.bgp.peers)}
${lib.concatMapStrings ({ n, x }: let upstream = x; in ''
# upstream client instance #${toString n}
protocol bgp bgp_up_${builtins.replaceStrings ["-"] ["_"] upstream} {
local as ${toString hostConf.bgp.asn};
neighbor ${config.site.net.core.hosts6.dn42.${upstream}} as ${toString hostConf.bgp.asn};
direct;
ipv4 {
${if (upstream4Order ? ${upstream})
then ''
import filter {
preference = preference + ${toString (100 - upstream4Order.${upstream})};
accept;
};
''
else ''
import none;
''}
${lib.optionalString (nets4 != []) ''
export where net ~ [ ${lib.concatMapStringsSep ", " (n: "${n}") nets4} ];
''}
${lib.optionalString (hostConf.bgp.upstreamTable != null) ''
table ${hostConf.bgp.upstreamTable};
''}
};
ipv6 {
${if (upstream4Order ? ${upstream})
then ''
import filter {
preference = preference + ${toString (100 - upstream4Order.${upstream})};
accept;
};
''
else ''
import none;
''}
${lib.optionalString (nets6 != []) ''
export where net ~ [ ${lib.concatMapStringsSep ", " (n: "${n}") nets6} ];
''}
};
}
'') (enumerate 1 allowedUpstreams)}
''} ''}
''; '';
}; };
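Review bot: the single `bgppeer` template applies `import all;` to every peer, where the old `bgp_external`, `bgp_rr_*` and `bgp_upstream` templates at least separated the roles; with `direct` and `next hop self` gone and no import filter, any dn42 peer can place arbitrary prefixes, including `0.0.0.0/0` and `::/0`, into the routing table. Add an import filter that rejects default routes and prefixes outside the expected ranges. Naming peers `bgp_${toString n}` from `enumerate 1 (builtins.attrNames hostConf.bgp.peers)` also means adding a peer renumbers every later protocol, which breaks monitoring keyed on protocol names; derive the name from the peer address instead.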
@ -340,7 +447,7 @@ in
User = "bird2"; User = "bird2";
Group = "bird2"; Group = "bird2";
}; };
path = [ pkgs.bird2 "/run/wrappers" ]; path = with pkgs; [ bird2 iputils ];
script = '' script = ''
STATE=unknown STATE=unknown

View File

@ -1,4 +1,4 @@
{ config, lib, modulesPath, ... }: { config, lib, modulesPath, pkgs, ... }:
{ {
imports = [ imports = [
@ -6,18 +6,13 @@
(modulesPath + "/virtualisation/lxc-container.nix") (modulesPath + "/virtualisation/lxc-container.nix")
]; ];
boot = { environment = {
isContainer = true; etc."machine-id".text = builtins.substring 0 8 (builtins.hashString "sha256" config.networking.hostName);
loader = { systemPackages = with pkgs; [
initScript.enable = true; ripgrep
}; ];
}; };
environment.etc."machine-id".text =
builtins.substring 0 8 (
builtins.hashString "sha256" config.networking.hostName
);
nix = { nix = {
settings = { settings = {
sandbox = false; sandbox = false;

View File

@ -8,98 +8,331 @@ let
dhcp.server == hostName dhcp.server == hostName
) config.site.net; ) config.site.net;
concatMapDhcpNets = f:
lib.pipe dhcpNets [
(builtins.mapAttrs f)
builtins.attrValues
(map (r: if builtins.isList r then r else [ r ]))
builtins.concatLists
];
enabled = builtins.length (builtins.attrNames dhcpNets) > 0; enabled = builtins.length (builtins.attrNames dhcpNets) > 0;
in in
{ {
services.dhcpd4 = lib.optionalAttrs enabled { services.kea.dhcp4 = lib.mkIf enabled {
enable = true; enable = true;
interfaces = builtins.attrNames dhcpNets; settings = {
interfaces-config.interfaces = builtins.attrNames dhcpNets;
dhcp-ddns.enable-updates = true;
ddns-send-updates = true;
# TODO: use with kea >= 2.5.0
# ddns-conflict-resolution-mode = "check-exists-with-dhcid";
ddns-use-conflict-resolution = false;
ddns-replace-client-name = "when-not-present";
expired-leases-processing.hold-reclaimed-time = builtins.foldl' lib.max
3600 (concatMapDhcpNets (net: { dhcp, ... }: dhcp.max-time));
extraConfig = '' subnet4 = concatMapDhcpNets (net: { vlan, subnet4, hosts4, dhcp, domainName, ... }: {
${builtins.concatStringsSep "\n" ( id = vlan;
builtins.attrValues ( subnet = subnet4;
builtins.mapAttrs (net: { dhcp, subnet4Net, subnet4Len, domainName, ...}: pools = [ {
'' pool = "${dhcp.start} - ${dhcp.end}";
ddns-update-style standard; } ];
key dyndns { renew-timer = builtins.ceil (.5 * dhcp.time);
algorithm hmac-sha256; rebind-timer = builtins.ceil (.85 * dhcp.time);
secret ${config.site.dyndnsKey}; valid-lifetime = dhcp.time;
}; option-data = [ {
zone ${domainName}. { space = "dhcp4";
primary ${config.site.net.serv.hosts4.dns}; name = "routers";
primary6 ${config.site.net.serv.hosts6.dn42.dns}; code = 3;
key dyndns; data = config.site.net.${net}.hosts4.${dhcp.router};
} {
space = "dhcp4";
name = "domain-name";
code = 15;
data = domainName;
} {
space = "dhcp4";
name = "domain-name-servers";
code = 6;
data = "${config.site.net.serv.hosts4.dnscache}, 9.9.9.9";
} ];
ddns-qualifying-suffix = domainName;
reservations = lib.pipe dhcp.fixed-hosts [
(builtins.mapAttrs (fixedAddr: hwaddr:
if hosts4 ? ${fixedAddr}
then # fixedAddr is a known hostname
let
name = fixedAddr;
addr = hosts4.${fixedAddr};
in {
hostname = "${name}.${net}.zentralwerk.org";
hw-address = hwaddr;
ip-address = addr;
} }
${lib.concatMapStrings ({ name, dynamic, ... }: else
lib.optionalString ( let
dynamic && names = builtins.attrNames (
lib.hasSuffix ".in-addr.arpa" name lib.filterAttrs (_: hostAddr:
) '' hostAddr == fixedAddr
zone ${name}. { ) hosts4);
primary ${config.site.net.serv.hosts4.dns}; name = builtins.head names;
primary6 ${config.site.net.serv.hosts6.dn42.dns}; in
key dyndns; if builtins.length names > 0
} then { # fixedAddr is IPv4 of a known hostname
'' hostname = "${name}.${net}.zentralwerk.org";
) config.site.dns.localZones} hw-address = hwaddr;
ip-address = hosts4.${name};
option guid code 97 = text; } # fixedAddr is IPv4?
group { else {
default-lease-time ${toString dhcp.time}; hw-address = hwaddr;
max-lease-time ${toString dhcp.max-time}; ip-address = fixedAddr;
option routers ${config.site.net.${net}.hosts4.${dhcp.router}};
option domain-name "${domainName}";
option domain-name-servers 172.20.73.8, 9.9.9.9;
ddns-domainname "${domainName}";
class "pxeclients" {
match if substring (option vendor-class-identifier, 0, 9) = "PXEClient";
next-server ${config.site.net.serv.hosts4.nfsroot};
option tftp-server-address ${config.site.net.serv.hosts4.nfsroot};
if suffix(reverse(1, option guid), 5) = 34:69:50:52:00 {
# RPi4
option vendor-class-identifier "PXEClient";
option vendor-encapsulated-options "Raspberry Pi Boot";
option tftp-server-name "${config.site.net.serv.hosts4.nfsroot}";
} elsif option pxe-system-type = 00:00 {
filename "netboot.xyz.kpxe"; # BIOS
} elsif option pxe-system-type = 00:07 {
filename "netboot.xyz.efi"; # EFI
option bootfile-name "netboot.xyz.efi";
} elsif option pxe-system-type = 00:06 {
filename "netboot.xyz.efi"; # ia32_EFI
}
} }
))
builtins.attrValues
(builtins.filter (r: r != null))
];
});
subnet ${subnet4Net} netmask ${lib.netmasks.${toString subnet4Len}} { match-client-id = false;
range ${dhcp.start} ${dhcp.end}; host-reservation-identifiers = [ "hw-address" ];
# always assign the same IP to the same MAC address. # Netbooting
# fixes changing IP for PXE clients. option-def = [ {
ignore-client-uids true; name = "PXEDiscoveryControl";
} code = 6;
space = "vendor-encapsulated-options-space";
type = "uint8";
array = false;
} {
name = "PXEMenuPrompt";
code = 10;
space = "vendor-encapsulated-options-space";
type = "record";
array = false;
record-types = "uint8,string";
} {
name = "PXEBootMenu";
code = 9;
space = "vendor-encapsulated-options-space";
type = "record";
array = false;
record-types = "uint16,uint8,string";
} ];
client-classes =
let
rpi4Class = {
name = "rpi4-pxe";
test = "option[vendor-class-identifier].text == 'PXEClient:Arch:00000:UNDI:002001'";
option-data = [ {
name = "boot-file-name";
data = "bootcode.bin";
} {
name = "vendor-class-identifier";
data = "PXEClient";
} {
name = "vendor-encapsulated-options";
} {
name = "PXEBootMenu";
csv-format = true;
data = "0,17,Raspberry Pi Boot";
space = "vendor-encapsulated-options-space";
} {
name = "PXEDiscoveryControl";
data = "3";
space = "vendor-encapsulated-options-space";
} {
name = "PXEMenuPrompt";
csv-format = true;
data = "0,PXE";
space = "vendor-encapsulated-options-space";
} ];
};
update-static-leases on; pxeClassData = {
PXE-Legacy = {
arch = "00000";
boot-file-name = "netboot.xyz.kpxe";
};
PXE-UEFI-32-1.arch = "00002";
PXE-UEFI-32-2.arch = "00006";
PXE-UEFI-64-1.arch = "00007";
PXE-UEFI-64-2.arch = "00008";
PXE-UEFI-64-3.arch = "00009";
};
${builtins.concatStringsSep "\n" ( makePxe = name: { boot-file-name ? "netboot.xyz.efi", arch }: {
builtins.attrValues ( inherit name boot-file-name;
builtins.mapAttrs (addr: hwaddr: test = "substring(option[60].hex,0,20) == 'PXEClient:Arch:${arch}'";
'' next-server = config.site.net.serv.hosts4.nfsroot;
host ${addr} { };
hardware ethernet ${hwaddr}; in
fixed-address ${addr}; [ rpi4Class ]
} ++
'' builtins.attrValues (
) dhcp.fixed-hosts builtins.mapAttrs makePxe pxeClassData
) );
)}
} control-socket = {
'' socket-type = "unix";
) dhcpNets socket-name = "/run/kea/dhcp4-socket";
) };
)} hooks-libraries = [ {
''; library = "/run/current-system/sw/lib/kea/hooks/libdhcp_stat_cmds.so";
} {
library = "/run/current-system/sw/lib/kea/hooks/libdhcp_lease_cmds.so";
} ];
};
}; };
services.kea.dhcp6 = lib.mkIf enabled {
enable = true;
settings = {
interfaces-config.interfaces = builtins.attrNames dhcpNets;
dhcp-ddns.enable-updates = true;
ddns-override-no-update = true;
ddns-override-client-update = true;
ddns-replace-client-name = "when-not-present";
# TODO: use with kea >= 2.5.0
# ddns-conflict-resolution-mode = "check-exists-with-dhcid";
ddns-use-conflict-resolution = false;
subnet6 = concatMapDhcpNets (net: { vlan, subnets6, dhcp, domainName, ... }:
let
subnet = subnets6.up4 or subnets6.flpk or null;
prefix = builtins.head (builtins.split "::/" subnet);
in
if subnet != null
then {
id = vlan;
interface = net;
inherit subnet;
pools = [ {
pool = "${prefix}:c3d2:c3d2:c3d2:1000 - ${prefix}:c3d2:c3d2:c3d2:ffff";
#pool = subnet;
} ];
valid-lifetime = dhcp.time;
max-valid-lifetime = dhcp.max-time;
option-data = [ {
space = "dhcp6";
name = "domain-search";
code = 24;
data = domainName;
} {
space = "dhcp6";
name = "dns-servers";
code = 23;
data = "${config.site.net.serv.hosts6.dn42.dnscache}, 2620:fe::9";
} ];
ddns-generated-prefix = "d";
ddns-qualifying-suffix = domainName;
}
else []
);
host-reservation-identifiers = [ "hw-address" ];
#reservations = concatMapDhcpNets (net: { hosts6, dhcp, ... }:
# builtins.filter (r: r != null) (
# builtins.attrValues (
# builtins.mapAttrs (name: hwaddr:
# let
# ip-addresses = lib.pipe hosts6 [
# (builtins.mapAttrs (_: hosts6: hosts6.${name} or null))
# builtins.attrValues
# (builtins.filter (a: a != null))
# ];
# in
# if builtins.trace (lib.generators.toPretty {} ip-addresses) (builtins.length ip-addresses) > 0
# then {
# hostname = "${name}.${net}.zentralwerk.org";
# hw-address = hwaddr;
# inherit ip-addresses;
# }
# else null
# ) dhcp.fixed-hosts
# )));
control-socket = {
socket-type = "unix";
socket-name = "/run/kea/dhcp6.socket";
};
hooks-libraries = [ {
library = "/run/current-system/sw/lib/kea/hooks/libdhcp_stat_cmds.so";
} {
library = "/run/current-system/sw/lib/kea/hooks/libdhcp_lease_cmds.so";
} ];
};
};
services.kea.dhcp-ddns = lib.mkIf enabled {
enable = true;
settings = {
tsig-keys = [ {
name = "dyndns";
algorithm = "hmac-sha256";
secret = config.site.dyndnsKey;
} ];
forward-ddns.ddns-domains = concatMapDhcpNets (net: { domainName, ... }: {
name = "${domainName}.";
key-name = "dyndns";
dns-servers = [ {
ip-address = config.site.net.serv.hosts4.dns;
} {
ip-address = config.site.net.serv.hosts6.dn42.dns;
} ];
});
reverse-ddns.ddns-domains = map ({ name, ...}: {
name = "${name}.";
key-name = "dyndns";
dns-servers = [ {
ip-address = config.site.net.serv.hosts4.dns;
} {
ip-address = config.site.net.serv.hosts6.dn42.dns;
} ];
}) (
builtins.filter ({ name, dynamic, ... }:
dynamic &&
(lib.hasSuffix ".in-addr.arpa" name ||
lib.hasSuffix ".ip6.arpa" name)
) config.site.dns.localZones
);
control-socket = {
socket-type = "unix";
socket-name = "/run/kea/dhcp-ddns.socket";
};
};
};
services.kea.ctrl-agent = lib.mkIf enabled {
enable = true;
settings.control-sockets = {
dhcp4 = {
socket-type = "unix";
socket-name = "/run/kea/dhcp4.socket";
};
dhcp6 = {
socket-type = "unix";
socket-name = "/run/kea/dhcp6.socket";
};
d2 = {
socket-type = "unix";
socket-name = "/run/kea/dhcp-ddns.socket";
};
};
};
# Increase reliablity
# (mostly for kea-dhcp-ddns-server.service)
systemd.services =
let
restartService.serviceConfig = {
RestartSec = 4;
Restart = "always";
};
in {
kea-dhcp4-server = restartService;
kea-dhcp6-server = restartService;
kea-dhcp-ddns-server = restartService;
};
} }
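Review bot: the dhcp4 `control-socket.socket-name` is `/run/kea/dhcp4-socket` while the ctrl-agent entry for `dhcp4` points at `/run/kea/dhcp4.socket`, so the agent cannot reach the DHCPv4 server; use the same name in both places (dhcp6 and d2 are consistent). Second, `ddns-use-conflict-resolution = false` on both servers lets a client-supplied hostname overwrite an existing DNS record regardless of its DHCID, so any device on the LAN can take over another host's name in the forward and reverse zones until the `check-exists-with-dhcid` mode from the TODO is enabled; with `ddns-replace-client-name = "when-not-present"` clients still pick their own names, so consider restricting or sanitising them meanwhile. Finally, the `hooks-libraries` paths under `/run/current-system/sw/lib/kea/hooks/` only resolve if `kea` is in `environment.systemPackages`; `${pkgs.kea}/lib/kea/hooks/libdhcp_lease_cmds.so` (and the stat_cmds one) removes that hidden dependency.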

View File

@ -1,26 +1,26 @@
{ hostName, config, lib, pkgs, self, ... }: { config, dns-nix, hostName, lib, pkgs, self, ... }:
let let
serial = builtins.substring 0 10 self.lastModifiedDate; serial = builtins.substring 0 10 self.lastModifiedDate;
generateZoneFile = { name, ns, records, dynamic }: generateZoneFile = let
builtins.toFile "${name}.zone" '' util = dns-nix.util.${pkgs.system};
$ORIGIN ${name}. in { name, ns, records, ... }: util.writeZone name {
$TTL 1h TTL = 60*60;
SOA = {
@ IN SOA ${lib.dns.ns}. astro.spaceboyz.net. ( nameServer = "${lib.dns.ns}.";
${serial} ; serial adminEmail = "astro@spaceboyz.net";
1h ; refresh serial = lib.toInt serial;
1m ; retry refresh = 1*60*60;
2h ; expire retry = 5*60;
1m ; minimum expire = 2*60*60;
) minimum = 1*60;
${lib.concatMapStrings (ns: " IN NS ${ns}.\n") ns} };
NS = map (a: a+".") ns;
${lib.concatMapStrings ({ name, type, data }: subdomains = lib.foldl (a: b: lib.recursiveUpdate a b) { } (map ({ name, type, data }: {
"${name} IN ${type} ${data}\n" ${name}.${type} = [ data ];
) records} }) records);
''; };
in in
{ {
options = options =
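Review bot: `subdomains` is assembled with `lib.recursiveUpdate`, and `${name}.${type} = [ data ]` wraps each record in a one-element list; recursiveUpdate replaces lists instead of concatenating them, so two records with the same name and type (round-robin A/AAAA, several MX, NS for a delegated subdomain) keep only the last one. Group records by name and type first (e.g. `lib.groupBy`) or fold with a merge that appends the lists.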
@ -35,7 +35,7 @@ in
type = types.enum [ "A" "AAAA" "MX" "SRV" "CNAME" "TXT" "PTR" ]; type = types.enum [ "A" "AAAA" "MX" "SRV" "CNAME" "TXT" "PTR" ];
}; };
data = mkOption { data = mkOption {
type = types.str; type = types.oneOf [ types.str (types.attrsOf (types.oneOf [ types.int types.str ]))];
}; };
}; };
@ -69,90 +69,151 @@ in
config = { config = {
site.dns.localZones = lib.dns.localZones; site.dns.localZones = lib.dns.localZones;
services.bind = lib.mkIf config.site.hosts.${hostName}.services.dns.enable ( services.knot = lib.mkIf config.site.hosts.${hostName}.services.dns.enable (
let let
generateZone = zone@{ name, dynamic, ... }: { generateZone = zone@{ name, dynamic, ... }: {
inherit name; domain = name;
master = true; template = "zentralwerk";
# allowed for zone-transfer acl = [ "zone_xfr" ] ++ lib.optional dynamic "dyndns";
slaves = [ file = if dynamic
# ns.c3d2.de then "/var/lib/knot/zones/${name}.zone"
"217.197.84.53" "2001:67c:1400:2240::a"
config.site.net.serv.hosts4.bind
config.site.net.serv.hosts6.dn42.bind
config.site.net.serv.hosts6.up4.bind
# ns.spaceboyz.net
"172.22.24.4" "2a01:4f9:4b:39ec::4"
];
file =
if dynamic
then "/var/db/bind/${name}.zone"
else generateZoneFile zone; else generateZoneFile zone;
extraConfig = '' notify = [ "all" ];
also-notify {
# ns.c3d2.de
217.197.84.53;
2001:67c:1400:2240::a;
${config.site.net.serv.hosts4.bind};
${config.site.net.serv.hosts6.dn42.bind};
${config.site.net.serv.hosts6.up4.bind};
# ns.spaceboyz.net
172.22.24.4;
95.217.229.209;
2a01:4f9:4b:39ec::4;
};
notify-source ${config.site.net.serv.hosts4.dns};
notify-source-v6 ${config.site.net.serv.hosts6.up4.dns};
'' + lib.optionalString dynamic ''
allow-update { key "dyndns"; };
'';
}; };
in { in {
enable = true; enable = true;
zones = map generateZone config.site.dns.localZones; settings = {
acl = [
{
id = "dyndns";
action = "update";
key = "dyndns";
}
{
id = "zone_xfr";
address = with config.site.net.serv; [
# ns.c3d2.de
hosts4.knot hosts6.dn42.knot hosts6.up4.knot
"2a00:8180:2c00:282:2041:cbff:fe0c:8516"
"fd23:42:c3d2:582:2041:cbff:fe0c:8516"
# ns.spaceboyz.net
"172.22.24.4" "95.217.229.209" "2a01:4f9:4b:39ec::4"
# ns1.supersandro.de
"188.34.196.104" "2a01:4f8:1c1c:1d38::1"
];
action = "transfer";
}
];
extraConfig = '' key = [ {
key "dyndns" { id = "dyndns";
algorithm hmac-sha256; algorithm = "hmac-sha256";
secret "${config.site.dyndnsKey}"; secret = config.site.dyndnsKey;
} ];
log = [ {
target = "syslog";
any = "info";
} ];
mod-stats = [ {
id = "default";
query-type = "on";
} ];
remote = let
via = with config.site.net.serv; [ hosts4.dns hosts6.up4.dns ];
in [
{
id = "ns.c3d2.de";
address = with config.site.net.serv; [ hosts4.knot hosts6.dn42.knot hosts6.up4.knot ];
inherit via;
} {
id = "ns.spaceboyz.net";
address = [ "172.22.24.4" "95.217.229.209" "2a01:4f9:4b:39ec::4" ];
inherit via;
} {
id = "ns1.supersandro.de";
address = [ /*"188.34.196.104"*/ "2a01:4f8:1c1c:1d38::1" ];
inherit via;
}
];
remotes = [ {
id = "all";
remote = [ "ns.c3d2.de" "ns.spaceboyz.net" "ns1.supersandro.de" ];
} ];
server = {
answer-rotation = true;
automatic-acl = true;
identity = "dns.serv.zentralwerk.org";
listen = with config.site.net; [
"127.0.0.1" "::1"
serv.hosts4.dns serv.hosts6.up4.dns serv.hosts6.dn42.dns
];
tcp-fastopen = true;
version = null;
}; };
'';
extraOptions = '' template = [
# allow underscores in dynamic hostnames {
${lib.concatMapStringsSep "\n" (type: '' # default is a magic name and is always loaded.
check-names ${type} ignore; # Because we want to use catalog-role/catalog-zone settings for all zones *except* the catalog zone itself, we must split the templates
'') [ "master" "slave" "response" ]} id = "default";
''; global-module = [ "mod-stats" ];
}
{
id = "zentralwerk";
catalog-role = "member";
catalog-zone = "zentralwerk.";
dnssec-signing = true;
journal-content = "all"; # required for zonefile-load=difference-no-serial and makes cold starts like zone reloads
module = "mod-stats/default";
semantic-checks = true;
serial-policy = "increment";
storage = "/var/lib/knot/zones";
zonefile-load = "difference-no-serial";
}
];
zone = [ {
acl = "zone_xfr";
catalog-role = "generate";
domain = "zentralwerk.";
notify = [ "ns1.supersandro.de" ];
storage = "/var/lib/knot/catalog";
} ] ++ map generateZone config.site.dns.localZones;
};
}); });
systemd.services.create-dynamic-zones = { systemd.services = {
description = "Creates dynamic zone files"; create-dynamic-zones = {
requiredBy = [ "bind.service" ]; description = "Creates dynamic zone files";
before = [ "bind.service" ]; requiredBy = [ "knot.service" ];
serviceConfig.Type = "oneshot"; before = [ "knot.service" ];
script = '' serviceConfig.Type = "oneshot";
mkdir -p /var/db/bind script = ''
mkdir -p /var/lib/knot/zones
${lib.concatMapStringsSep "\n" (zone@{ name, ... }: '' ${lib.concatMapStringsSep "\n" (zone@{ name, ... }: ''
[ -e /var/db/bind/${name}.zone ] || \ [ -e /var/lib/knot/zones/${name}.zone ] || \
cp ${generateZoneFile zone} /var/db/bind/${name}.zone cp ${generateZoneFile zone} /var/lib/knot/zones/${name}.zone
chown -R named /var/db/bind chown -R knot /var/lib/knot/zones
chmod -R u+rwX /var/db/bind chmod -R u+rwX /var/lib/knot/zones
'') ( '') (builtins.filter ({ dynamic, ... }: dynamic) config.site.dns.localZones)}
builtins.filter ({ dynamic, ... }: dynamic) config.site.dns.localZones '';
)} };
'';
}; update-dynamic-zones = {
systemd.services.update-dynamic-zones = { description = "Creates initial records in dynamic zone files";
description = "Creates initial records in dynamic zone files"; requiredBy = [ "knot.service" ];
requiredBy = [ "bind.service" ]; after = [ "knot.service" ];
after = [ "bind.service" ]; serviceConfig.Type = "oneshot";
serviceConfig.Type = "oneshot"; path = [ pkgs.dnsutils ];
path = [ pkgs.dnsutils ]; script = lib.concatMapStrings (zone: ''
script = '' nsupdate -v -y "hmac-sha256:dyndns:${config.site.dyndnsKey}" <<EOF
${lib.concatMapStrings (zone: ''
nsupdate -y "hmac-sha256:dyndns:${config.site.dyndnsKey}" <<EOF
server localhost server localhost
${lib.concatMapStringsSep "\n" ({ name, type, data }: '' ${lib.concatMapStringsSep "\n" ({ name, type, data }: ''
@ -162,10 +223,8 @@ in
send send
EOF EOF
'') ( '') (builtins.filter ({ dynamic, ... }: dynamic) config.site.dns.localZones);
builtins.filter ({ dynamic, ... }: dynamic) config.site.dns.localZones };
)}
'';
}; };
}; };
} }
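Review bot: `update-dynamic-zones` passes the TSIG secret as `nsupdate -v -y "hmac-sha256:dyndns:${config.site.dyndnsKey}"`, which exposes the key in the process argument list (readable by every local user via /proc) and, as part of the generated script, in the world-readable Nix store; `nsupdate -k` with a key file outside the store avoids both. The same secret is interpolated into `settings.key`, which the knot module renders into a store file as well; `services.knot.keyFiles` with a root-readable file exists for exactly this. Unrelated: the `zone_xfr` ACL authorises transfers by source address only, whereas the `dyndns` ACL is key-bound; giving the secondaries a TSIG key too would authenticate them rather than their addresses. Doc nit: the `journal-content` comment ends mid-sentence ("makes cold starts like zone reloads").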

View File

@ -1,124 +1,99 @@
{ hostName, config, lib, pkgs, ... }: { hostName, config, lib, pkgs, ... }:
lib.mkIf config.site.hosts.${hostName}.services.dnscache.enable { lib.mkIf config.site.hosts.${hostName}.services.dnscache.enable {
services.unbound = { services.kresd = {
enable = true; enable = true;
settings = { instances = 4;
remote-control = { listenPlain = [ "0.0.0.0:53" "[::0]:53" ];
control-enable = true; package = pkgs.knot-resolver.override { extraFeatures = true; };
control-use-cert = false; extraConfig = /* lua */ ''
}; modules = {
server = { 'http',
num-threads = 4; 'policy',
verbosity = 1; 'predict',
prefetch = true; 'prefill',
prefetch-key = true; 'serve_stale < cache', -- servce stail records while refreshing the record
serve-expired = true; 'workarounds < iterate', -- solve problems around specific broken subdomains, mainly disables case randomization
cache-min-ttl = 60; 'view'
cache-max-ttl = 3600; }
infra-cache-slabs = "8";
key-cache-slabs = "8";
msg-cache-slabs = "8";
rrset-cache-slabs = "8";
msg-cache-size = "256m"; # half again 128m?
rrset-cache-size = "512m"; # half again 256m?
interface = [ "0.0.0.0" "'::0'" ]; cache.size = 500 * MB
# TODO: generate cache.min_ttl(60)
access-control = builtins.concatLists [
[ # localhost
"::1/128 allow"
"127.0.0.0/8 allow"
]
[ # mgmt
"${config.site.net.mgmt.subnet4} allow"
]
[ # dn42
"fd23:42:c3d2:500::/56 allow"
"::172.20.72.0/117 allow"
"::172.22.99.0/120 allow"
"172.20.72.0/21 allow"
"172.22.99.0/24 allow"
]
[ # freifunk
"10.200.0.0/15 allow"
]
[ # DSI
"2a00:8180:2000:37::1/128 allow"
"2a00:8180:2c00:200::/56 allow"
]
[ # flpk
"${config.site.net.flpk.subnet4} allow"
"2a0f:5382:acab:1400::/56 allow"
]
[ # default
"0.0.0.0/0 deny"
"::/0 deny"
]
];
# For DNS over TLS
tls-cert-bundle = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
# allow reverse lookup of rfc1918 space, which includes the DN42 address space net.listen('127.0.0.1', 8453, { kind = 'webmgmt' })
unblock-lan-zones = true; http.prometheus.namespace = 'resolver_'
insecure-lan-zones = true;
domain-insecure = [ -- dns42
"dn42" policy.add(policy.suffix(
"d.f.ip6.arpa" policy.STUB({'fd42:d42:d42:54::1', 'fd42:d42:d42:53::1', '172.20.0.53', '172.23.0.53'}),
"ffdd" policy.todnames({'dn42.', 'd.f.ip6.arpa', '20.172.in-addr.arpa', '21.172.in-addr.arpa', '22.172.in-addr.arpa', '23.172.in-addr.arpa'})
]; ))
};
forward-zone = let -- freifunk
mkFfddZone = name: { policy.add(policy.suffix(
inherit name; policy.STUB({'10.200.0.4', '10.200.0.16'}),
forward-addr = [ "10.200.0.4" "10.200.0.16" ]; policy.todnames({'ffdd.', '200.10.in-addr.arpa', '201.10.in-addr.arpa'})
}; ))
in [ {
name = "."; -- size.dns.localZones
forward-tls-upstream = true; policy.add(policy.suffix(
forward-addr = [ policy.STUB({'${config.site.net.serv.hosts4.dns}', ${lib.concatStringsSep ", " (map (hosts6: "'${hosts6.dns}'") (builtins.attrValues config.site.net.serv.hosts6))}}),
# Quad9 policy.todnames({${lib.concatStringsSep ", " (map (zone: "'${zone.name}'") config.site.dns.localZones)}})
"2620:fe::fe@853#dns.quad9.net" ))
"9.9.9.9@853#dns.quad9.net"
"2620:fe::9@853#dns.quad9.net" -- forward to dns caches
"149.112.112.112@853#dns.quad9.net" policy.add(policy.slice(
# Cloudflare DNS policy.slice_randomize_psl(),
"2606:4700:4700::1111@853#cloudflare-dns.com" -- quad9
"1.1.1.1@853#cloudflare-dns.com" policy.TLS_FORWARD({
"2606:4700:4700::1001@853#cloudflare-dns.com" {'2620:fe::fe', hostname='dns.quad9.net'},
"1.0.0.1@853#cloudflare-dns.com" {'2620:fe::9', hostname='dns.quad9.net'},
]; {'9.9.9.9', hostname='dns.quad9.net'},
} ] ++ {'149.112.112.112', hostname='dns.quad9.net'}
# Local networks }),
map ({ name, ... }: { -- cloudflare
name = "${name}"; policy.TLS_FORWARD({
forward-addr = [ "${config.site.net.serv.hosts4.dns}" ] ++ {'2606:4700:4700::1111', hostname='cloudflare-dns.com'},
map (hosts6: hosts6.dns) {'2606:4700:4700::1001', hostname='cloudflare-dns.com'},
(builtins.attrValues config.site.net.serv.hosts6); {'1.1.1.1', hostname='cloudflare-dns.com'},
}) config.site.dns.localZones {'1.0.0.1', hostname='cloudflare-dns.com'}
# Freifunk })
++ (map mkFfddZone [ ))
"ffdd"
"200.10.in-addr.arpa" -- allow access from our networks
"201.10.in-addr.arpa" '' + lib.concatMapStringsSep "\n" (cidr: "view:addr('${cidr}', policy.all(policy.PASS))") [
]); # localhost
# DN42 "::1/128" "127.0.0.0/8"
stub-zone = let # mgmt
mkDn42Zone = name: { "${config.site.net.mgmt.subnet4}"
inherit name; # dn42
stub-prime = true; "fd23:42:c3d2:500::/56" "::172.20.72.0/117" "::172.22.99.0/120"
stub-addr = [ "172.20.72.0/21" "172.22.99.0/24"
"172.20.0.53" "fd42:d42:d42:54::1" # freifunk
"172.23.0.53" "fd42:d42:d42:53::1" "10.200.0.0/15"
]; # DSI
}; "2a00:8180:2000:37::1/128" "2a00:8180:2c00:200::/56"
in map mkDn42Zone [ # flpk
"dn42" "d.f.ip6.arpa" "${config.site.net.flpk.subnet4}" "2a0f:5382:acab:1400::/56 allow"
"20.172.in-addr.arpa" "21.172.in-addr.arpa" ] + "\n" + /* lua */ ''
"22.172.in-addr.arpa" "23.172.in-addr.arpa"
]; -- drop everything that hasn't matched
}; view:addr('0.0.0.0/0', policy.all(policy.DROP))
view:addr('::/0', policy.all(policy.DROP))
predict = {
window = 15, -- sampling window
period = 24*(60/15) -- track last X hours, divide through sampling window
}
prefill.config({
['.'] = {
url = 'https://www.internic.net/domain/root.zone',
interval = 86400, -- seconds
}
})
trust_anchors.set_insecure({'dn42', 'd.f.ip6.arpa', 'ffdd'})
'';
}; };
} }
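Review bot: the last entry of the `view:addr` list, `"2a0f:5382:acab:1400::/56 allow"`, still carries the unbound-style ` allow` suffix, so kresd receives `view:addr('2a0f:5382:acab:1400::/56 allow', ...)`, which is not a valid prefix and at best leaves the flpk IPv6 range falling through to the DROP rule; drop the suffix. Since `listenPlain` binds 0.0.0.0 and [::]:53, the only thing keeping this from being an open resolver is the trailing `view:addr('0.0.0.0/0' / '::/0', policy.all(policy.DROP))` pair, so keep these PASS rules in front of the DROP rules, as the "drop everything that hasn't matched" comment relies on. The Lua comments also have typos ("servce stail").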

View File

@ -0,0 +1,114 @@
{ config, lib, ... }:
let
inherit (config.networking) hostName;
interfaces = config.site.hosts.${hostName}.physicalInterfaces;
# linux iface name max length = 15
shortenNetName = name:
if builtins.match "priv(.*)" name != null
then "p" + builtins.substring 4 9 name
else if name == "coloradio"
then "cr"
else if name == "coloradio-gw"
then "cr-gw"
else name;
checkIfname = ifname: let
len = builtins.stringLength ifname;
in if len > 15
then throw "Interface name ${ifname} is ${toString (len - 15)} chars too long."
else ifname;
# `lxc.net.*` formatter for lxc.container.conf files
netConfig =
let
attrNamesOrdered = attrs:
if attrs ? type
then [ "type" ] ++ lib.remove "type" (builtins.attrNames attrs)
else builtins.attrNames attrs;
serialize = name: x:
if builtins.isString x
then "${name} = ${x}\n"
else if builtins.isAttrs x
then builtins.concatStringsSep "" (
map (n: serialize "${name}.${n}" x.${n}) (attrNamesOrdered x)
)
else if builtins.isList x
then
let
enumerate = xs: n:
if xs == []
then []
else [ {
e = builtins.head xs;
i = n;
} ] ++ enumerate (builtins.tail xs) (n + 1);
in
builtins.concatStringsSep "" (
map ({ e, i }: serialize "${name}.${toString i}" e) (enumerate x 0)
)
else throw "Invalid data in lxc net config for ${name}: ${lib.generators.toPretty {} x}";
in
serialize "lxc.net" (
map (netName:
let
ifData = interfaces.${netName};
in {
type = ifData.type;
name = checkIfname netName;
flags = "up";
hwaddr = if ifData ? hwaddr && ifData.hwaddr != null
then ifData.hwaddr
else "0A:14:48:xx:xx:xx";
} // (lib.optionalAttrs (ifData.type == "veth") {
veth.pair = checkIfname "${shortenNetName hostName}-${shortenNetName netName}";
veth.mode = checkIfname "bridge";
link = checkIfname netName;
}) // (lib.optionalAttrs (ifData.type == "phys") {
link = checkIfname "ext-${netName}";
})
) (builtins.attrNames interfaces)
);
in
{
system.build.lxcConfig = builtins.toFile "${hostName}.conf" ''
# For lxcfs and sane defaults
lxc.include = /etc/lxc/common.conf
lxc.uts.name = ${hostName}
# Handled by lxc@.service
lxc.start.auto = 0
lxc.rootfs.path = /var/lib/lxc/${hostName}/rootfs
lxc.init.cmd = "/init"
lxc.mount.entry = /nix/store nix/store none bind,ro 0 0
lxc.mount.entry = none tmp tmpfs defaults 0 0
lxc.mount.auto = proc:mixed sys:ro cgroup:mixed
lxc.autodev = 1
lxc.tty.max = 0
lxc.pty.max = 8
lxc.cap.drop = sys_module sys_time sys_nice sys_pacct sys_rawio
security.privileged = false
lxc.apparmor.profile = lxc-container-default-with-mounting
lxc.cgroup.memory.limit_in_bytes = 1G
lxc.cgroup.memory.kmem.tcp.limit_in_bytes = 128M
# tuntap
lxc.cgroup.devices.allow = c 10:200 rw
lxc.cgroup2.devices.allow = c 10:200 rw
# ppp
lxc.cgroup.devices.allow = c 108:0 rwm
lxc.cgroup2.devices.allow = c 108:0 rwm
${netConfig}
'';
}
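Review bot: in `system.build.lxcConfig` the memory limit is set only with the cgroup v1 keys `lxc.cgroup.memory.limit_in_bytes` and `lxc.cgroup.memory.kmem.tcp.limit_in_bytes`, while the device rules were given both `lxc.cgroup.*` and `lxc.cgroup2.*` forms; on a cgroup v2 host the 1G limit is therefore not applied and a runaway container can exhaust host memory, so add `lxc.cgroup2.memory.max = 1G`. `security.privileged = false` is not an `lxc.*` key (it is LXD's), so it documents intent but does not affect LXC; unprivileged operation rests on `lxc.include = /etc/lxc/common.conf` and the `lxc-container-default-with-mounting` AppArmor profile. The `0A:14:48:xx:xx:xx` fallback makes LXC randomise the last three octets on every start, so containers without an explicit `hwaddr` get a new MAC each time, which does not fit the `host-reservation-identifiers = [ "hw-address" ]` DHCP setup elsewhere in this change.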

View File

@ -1,4 +1,4 @@
{ hostName, config, lib, ... }: { hostName, config, lib, pkgs, ... }:
let let
hostConf = config.site.hosts.${hostName}; hostConf = config.site.hosts.${hostName};
@ -98,12 +98,25 @@ in
${lib.optionalString (staticIpv4Address != null) '' ${lib.optionalString (staticIpv4Address != null) ''
# Allow connections to ${staticIpv4Address} from other hosts behind NAT # Allow connections to ${staticIpv4Address} from other hosts behind NAT
${lib.concatMapStrings (fwd: '' ${lib.concatMapStrings (fwd: let
iptables -t nat -t nat -A nixos-nat-pre \ m = builtins.match "([0-9.]+):([0-9-]+)" fwd.destination;
destinationIP = if m == null then throw "bad ip:ports `${fwd.destination}'" else lib.elemAt m 0;
destinationPorts = if m == null then throw "bad ip:ports `${fwd.destination}'" else builtins.replaceStrings ["-"] [":"] (lib.elemAt m 1);
in ''
iptables -t nat -A nixos-nat-pre \
-d ${staticIpv4Address} -p ${fwd.proto} \ -d ${staticIpv4Address} -p ${fwd.proto} \
--dport ${builtins.toString fwd.sourcePort} \ --dport ${builtins.toString fwd.sourcePort} \
-j DNAT --to-destination ${fwd.destination} -j DNAT --to-destination ${fwd.destination}
'') config.networking.nat.forwardPorts}
iptables -t nat -A nixos-nat-post \
-d ${destinationIP} -p ${fwd.proto} \
--dport ${destinationPorts} \
-s 172.20.72.0/21 -j MASQUERADE
iptables -t nat -A nixos-nat-post \
-d ${destinationIP} -p ${fwd.proto} \
--dport ${destinationPorts} \
-s ${config.site.net.c3d2.subnet4} -j MASQUERADE
'') config.networking.nat.forwardPorts}
''} ''}
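Review bot: the added `nixos-nat-post` rules MASQUERADE hairpinned traffic from `172.20.72.0/21` and the c3d2 subnet towards the forwarded destination, so the internal service sees the router's address instead of the real client for those flows; that makes reflection work without policy routing on the target, but it removes the client address from the service's logs and from any per-source rate limit or ACL there, so keep the set of reflected sources minimal and document it. The `builtins.match "([0-9.]+):([0-9-]+)"` check requires `ip:port` or `ip:port-port`; a forward whose `destination` is a bare address now aborts evaluation with the `bad ip:ports` throw rather than being skipped, which is fine as long as that is the intent.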
# Do not NAT our public IPv4 addresses # Do not NAT our public IPv4 addresses
@ -126,6 +139,10 @@ in
-j RETURN -j RETURN
'') upstreamInterfaces.${net}.upstream.noNat.subnets6 '') upstreamInterfaces.${net}.upstream.noNat.subnets6
) (builtins.attrNames upstreamInterfaces)} ) (builtins.attrNames upstreamInterfaces)}
# There just have been moments without a complete ruleset. Flush
# out invalid conntrack states!
${pkgs.conntrack-tools}/bin/conntrack -F
''; '';
extraStopCommands = '' extraStopCommands = ''
iptables -F FORWARD 2>/dev/null || true iptables -F FORWARD 2>/dev/null || true
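Review bot: `conntrack -F` in `extraCommands` flushes the entire connection-tracking table every time the NAT rules are (re)applied, not only after the incomplete-ruleset window the comment describes, so each `nixos-nat` reload drops every established NATed and stateful-firewalled flow through this router; consider narrowing the deletion with `conntrack -D` filters or running the flush only on first activation (a separate oneshot ordered before the NAT unit).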

View File

@ -26,7 +26,7 @@ in lib.mkIf (pppoeInterfaces != {}) {
enable = true; enable = true;
autostart = true; autostart = true;
config = '' config = ''
plugin rp-pppoe.so plugin pppoe.so
nic-${upstream.link} nic-${upstream.link}
ifname ${ifName} ifname ${ifName}
# Login settings. (PAP) # Login settings. (PAP)
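Review bot: `plugin pppoe.so` is the name used by ppp 2.5 and later (the plugin was `rp-pppoe.so` before), so this line ties the configuration to that ppp series; a comment saying so would save the next person a hunt when an older `pppd` complains about a missing plugin.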
@ -39,11 +39,11 @@ in lib.mkIf (pppoeInterfaces != {}) {
maxfail 0 maxfail 0
# Seconds between reconnection attempts # Seconds between reconnection attempts
holdoff 1 holdoff 1
# LCP settings. # LCP settings.
lcp-echo-interval 5 lcp-echo-interval 5
lcp-echo-failure 6 lcp-echo-failure 6
# PPPoE compliant settings. # PPPoE compliant settings.
noaccomp noaccomp
default-asyncmap default-asyncmap

View File

@ -1,13 +1,13 @@
# Pulls together NixOS configuration modules according to the # Pulls together NixOS configuration modules according to the
# name/role of the host to be built. # name/role of the host to be built.
{ hostName, config, lib, ... }: { hostName, lib, ... }:
let let
inherit (lib) optionals; inherit (lib) optionals;
hostConfig = lib.config.site.hosts.${hostName}; hostConfig = lib.config.site.hosts.${hostName};
in { in {
site = lib.config.site; inherit (lib.config) site;
imports = [ imports = [
../lib/config/options.nix ../lib/config/options.nix
@ -20,6 +20,7 @@ in {
./server/default.nix ./server/default.nix
] ++ ] ++
optionals (hostConfig.role == "container") [ optionals (hostConfig.role == "container") [
./container/lxc-config.nix
./container/defaults.nix ./container/defaults.nix
./container/dhcp-server.nix ./container/dhcp-server.nix
./container/wireguard.nix ./container/wireguard.nix

View File

@ -7,9 +7,9 @@
# Prevents automatic creation of interface bond0 by the kernel # Prevents automatic creation of interface bond0 by the kernel
"bonding.max_bonds=0" "bonding.max_bonds=0"
]; ];
boot.tmpOnTmpfs = true; boot.tmp.useTmpfs = true;
# Includes wireguard # Includes wireguard
boot.kernelPackages = pkgs.linuxPackages_latest; boot.kernelPackages = pkgs.zfsUnstable.latestCompatibleLinuxPackages;
# Keep building # Keep building
boot.zfs.enableUnstable = true; boot.zfs.enableUnstable = true;
@ -35,8 +35,8 @@
}; };
documentation = { documentation = {
enable = false; enable = lib.mkForce false;
nixos.enable = false; nixos.enable = lib.mkForce false;
}; };
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
@ -44,6 +44,8 @@
bridge-utils bridge-utils
conntrack-tools conntrack-tools
dhcpcd dhcpcd
dhcpdump
dig
ethtool ethtool
git git
iftop iftop
@ -56,6 +58,7 @@
screen screen
speedtest-cli speedtest-cli
tcpdump tcpdump
tmux
traceroute traceroute
vim vim
wget wget
@ -63,6 +66,25 @@
networking.hostName = hostName; networking.hostName = hostName;
programs = {
fzf.keybindings = true;
git = {
enable = true;
config = {
alias = {
co = "checkout";
lg = "log --graph --abbrev-commit --decorate --format=format:'%C(bold blue)%h%C(reset) - %C(bold green)(%ar)%C(reset) %C(white)%s%C(reset) %C(dim white)- %an%C(reset)%C(bold y
ow)%d%C(reset)'";
remote = "remote -v";
st = "status";
undo = "reset --soft HEAD^";
};
pull.rebase = true;
rebase.autoStash = true;
};
};
};
users.users.root.initialHashedPassword = ""; users.users.root.initialHashedPassword = "";
system.stateVersion = "20.09"; system.stateVersion = "20.09";
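Review bot: the unchanged context line `users.users.root.initialHashedPassword = ""` leaves root with an empty password on every server; `PermitRootLogin prohibit-password` covers SSH, but anyone with console, IPMI/SOL or a local shell can become root without credentials, so set a real hash or `hashedPassword = "!"` to lock the account. The new `programs.git.config` block is harmless, but `pull.rebase`/`rebase.autoStash` as system-wide defaults silently rewrite history for every user; a comment explaining the choice would help.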

View File

@ -1,11 +1,18 @@
{ hostName, config, lib, ... }: { hostName, config, lib, ... }:
lib.mkIf config.site.hosts.${hostName}.firewall.enable { let
networking.firewall = { hostConfig = config.site.hosts.${hostName};
in {
networking.firewall = lib.mkIf hostConfig.firewall.enable {
enable = true; enable = true;
extraCommands = '' extraCommands = ''
${lib.optionalString hostConfig.isRouter ''
ip46tables -I nixos-fw -p ospfigp -j ACCEPT
''}
ip46tables -A FORWARD -i core -m state --state ESTABLISHED,RELATED -j ACCEPT ip46tables -A FORWARD -i core -m state --state ESTABLISHED,RELATED -j ACCEPT
ip46tables -A FORWARD -i core -j REJECT --reject-with net-unreach ip46tables -A FORWARD -i core -j REJECT
''; '';
extraStopCommands = '' extraStopCommands = ''
ip46tables -F FORWARD ip46tables -F FORWARD
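Review bot: `ip46tables -I nixos-fw -p ospfigp -j ACCEPT` accepts OSPF (IP protocol 89) on every interface of any host with `isRouter`, upstream-facing ones included; restrict it with `-i` to the interfaces that actually run OSPF (or a source match) so that untrusted networks cannot participate in the IGP, and enable OSPF authentication as a second layer. Dropping `--reject-with net-unreach` looks right for `ip46tables`: that reject type exists only for iptables, and ip6tables would have refused the rule (its equivalent is `icmp6-no-route`), so the old line probably never applied on the v6 side.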

View File

@ -8,14 +8,20 @@
time.timeZone = "Europe/Berlin"; time.timeZone = "Europe/Berlin";
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
wget vim git screen git
inetutils # telnet
ipmitool ipmitool
liboping # noping
screen
vim
wget
]; ];
services.openssh.enable = true;
services.openssh.permitRootLogin = "prohibit-password"; services.openssh = {
enable = true;
settings.PermitRootLogin = "prohibit-password";
};
# additional config for bare metal # additional config for bare metal
services.collectd = { services.collectd.plugins.ipmi = "";
plugins.ipmi = "";
};
} }

View File

@ -10,70 +10,6 @@ let
enabled = containers != {}; enabled = containers != {};
# linux iface name max length = 15
shortenNetName = name:
if builtins.match "priv(.*)" name != null
then "p" + builtins.substring 4 9 name
else name;
checkIfname = ifname: let
len = builtins.stringLength ifname;
in if len > 15
then throw "Interface name ${ifname} is ${toString (len - 15)} chars too long."
else ifname;
# `lxc.net.*` formatter for lxc.container.conf files
netConfig = ctName: interfaces:
let
config = map (netName:
let
ifData = interfaces.${netName};
in {
type = ifData.type;
name = checkIfname netName;
flags = "up";
hwaddr = if ifData ? hwaddr && ifData.hwaddr != null
then ifData.hwaddr
else "0A:14:48:xx:xx:xx";
} // (lib.optionalAttrs (ifData.type == "veth") {
veth.pair = checkIfname "${shortenNetName ctName}-${shortenNetName netName}";
veth.mode = checkIfname "bridge";
link = checkIfname netName;
}) // (lib.optionalAttrs (ifData.type == "phys") {
link = checkIfname "ext-${netName}";
})
) (builtins.attrNames interfaces);
attrNamesOrdered = attrs:
if attrs ? type
then [ "type" ] ++ lib.remove "type" (builtins.attrNames attrs)
else builtins.attrNames attrs;
serialize = name: x:
if builtins.isString x
then "${name} = ${x}\n"
else if builtins.isAttrs x
then builtins.concatStringsSep "" (
map (n: serialize "${name}.${n}" x.${n}) (attrNamesOrdered x)
)
else if builtins.isList x
then
let
enumerate = xs: n:
if xs == []
then []
else [ {
e = builtins.head xs;
i = n;
} ] ++ enumerate (builtins.tail xs) (n + 1);
in
builtins.concatStringsSep "" (
map ({ e, i }: serialize "${name}.${toString i}" e) (enumerate x 0)
)
else throw "Invalid data in lxc net config for ${name}: ${lib.generators.toPretty {} x}";
in
serialize "lxc.net" config;
# User-facing script to build/update container NixOS systems # User-facing script to build/update container NixOS systems
build-script = pkgs.writeScriptBin "build-container" '' build-script = pkgs.writeScriptBin "build-container" ''
#! ${pkgs.runtimeShell} -e #! ${pkgs.runtimeShell} -e
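Review bot: the deleted `checkIfname`/`shortenNetName` helpers enforced the 15-character Linux interface-name limit at evaluation time for veth pair names such as `${shortenNetName ctName}-${shortenNetName netName}`, and nothing in this hunk says where that check lives now. Confirm the new per-container `system.build.lxcConfig` generator (referenced by `mkLxcConfig` in the flake hunk further down) keeps it; otherwise an over-long name only fails when `lxc@` starts the container.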
@ -94,6 +30,7 @@ let
${ctName}) ${ctName})
echo Using prebuilt system for container $c echo Using prebuilt system for container $c
SYSTEM=${self.packages.x86_64-linux."${ctName}-rootfs"} SYSTEM=${self.packages.x86_64-linux."${ctName}-rootfs"}
CONFIG=${self.packages.x86_64-linux."${ctName}-lxc-config"}
;; ;;
'') ( '') (
builtins.attrNames ( builtins.attrNames (
@ -105,6 +42,8 @@ let
echo Building $c echo Building $c
nix build -o /nix/var/nix/gcroots/lxc/$c zentralwerk-network#$c-rootfs nix build -o /nix/var/nix/gcroots/lxc/$c zentralwerk-network#$c-rootfs
SYSTEM=$(readlink /nix/var/nix/gcroots/lxc/$c) SYSTEM=$(readlink /nix/var/nix/gcroots/lxc/$c)
nix build -o /nix/var/nix/gcroots/lxc/$c.config zentralwerk-network#$c-lxc-config
CONFIG=$(readlink /nix/var/nix/gcroots/lxc/$c.config)
;; ;;
esac esac
@ -117,6 +56,7 @@ let
mkdir -p /var/lib/lxc/$c/rootfs/$d mkdir -p /var/lib/lxc/$c/rootfs/$d
done done
ln -fs $SYSTEM/init /var/lib/lxc/$c/rootfs/init ln -fs $SYSTEM/init /var/lib/lxc/$c/rootfs/init
ln -fs $CONFIG /var/lib/lxc/$c/config
done done
# Activate all the desired container after all of them are # Activate all the desired container after all of them are
@ -162,10 +102,8 @@ in
virtualisation.lxc = lib.mkIf enabled { virtualisation.lxc = lib.mkIf enabled {
enable = true; enable = true;
# Container configs live in /etc so that they can be created
# through `environment.etc`.
systemConfig = '' systemConfig = ''
lxc.lxcpath = /etc/lxc/containers lxc.lxcpath = /var/lib/lxc
''; '';
}; };
@ -176,50 +114,7 @@ in
enable-script disable-script enable-script disable-script
]; ];
# Create lxc.container.conf files environment.etc."lxc/common.conf".source = "${pkgs.lxc}/share/lxc/config/common.conf";
environment.etc =
builtins.foldl' (etc: ctName: etc // {
"lxc/containers/${ctName}/config" = {
enable = true;
source =
builtins.toFile "${ctName}.conf" ''
# For lxcfs and sane defaults
lxc.include = /etc/lxc/common.conf
lxc.uts.name = ${ctName}
# Handled by lxc@.service
lxc.start.auto = 0
lxc.rootfs.path = /var/lib/lxc/${ctName}/rootfs
lxc.init.cmd = "/init"
lxc.mount.entry = /nix/store nix/store none bind,ro 0 0
lxc.mount.entry = none tmp tmpfs defaults 0 0
lxc,mount.auto = proc:mixed sys:ro cgroup:mixed
lxc.autodev = 1
lxc.tty.max = 0
lxc.pty.max = 8
lxc.cap.drop = sys_module sys_time sys_nice sys_pacct sys_rawio
security.privileged = false
lxc.apparmor.profile = lxc-container-default-with-mounting
lxc.cgroup.memory.limit_in_bytes = 1G
lxc.cgroup.memory.kmem.tcp.limit_in_bytes = 128M
# tuntap
lxc.cgroup.devices.allow = c 10:200 rw
lxc.cgroup2.devices.allow = c 10:200 rw
# ppp
lxc.cgroup.devices.allow = c 108:0 rwm
lxc.cgroup2.devices.allow = c 108:0 rwm
${netConfig ctName containers.${ctName}.physicalInterfaces}
'';
};
}) {
"lxc/common.conf".source = "${pkgs.lxc}/share/lxc/config/common.conf";
} (builtins.attrNames containers);
# Systemd service template for LXC containers # Systemd service template for LXC containers
systemd.services."lxc@" = { systemd.services."lxc@" = {
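Review bot: the removed inline config contained `lxc,mount.auto = proc:mixed sys:ro cgroup:mixed` with a comma instead of a dot, so the intended `lxc.mount.auto` setting (read-only /sys, mixed proc and cgroup) was at best not what LXC saw. Check that the new generator spells the key `lxc.mount.auto` and carries over the rest of the hardening that disappears here: `lxc.cap.drop`, `lxc.apparmor.profile = lxc-container-default-with-mounting`, the cgroup memory limits and the explicit device allow-list for tun/tap and ppp.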
@ -248,6 +143,8 @@ in
Restart = "always"; Restart = "always";
RestartSec = "1s"; RestartSec = "1s";
}; };
# Prevent restart on host nixos-rebuild switch
restartIfChanged = false;
}; };
# Starts all the containers after boot # Starts all the containers after boot
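Review bot: `restartIfChanged = false` suppresses the restart on every change to the `lxc@` unit definition, not only on a rebuilt container rootfs, so an edited `ExecStart` or `Restart=` setting does not take effect until someone runs `systemctl restart lxc@<name>`; extend the comment to say that explicitly.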

View File

@ -114,5 +114,7 @@ in
networkConfig.Bridge = net; networkConfig.Bridge = net;
}; };
}) {} ctNets; }) {} ctNets;
wait-online.anyInterface = true;
}; };
} }
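Review bot: `wait-online.anyInterface = true` lets `network-online.target` succeed as soon as a single interface is routable, so units ordered after it may start before the container bridges built from `ctNets` just above exist; if that is acceptable, a comment naming which interface this is meant to wait for would make the intent clear.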

View File

@ -39,7 +39,6 @@
}; };
boot.loader.grub.enable = true; boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.device = "/dev/sda"; boot.loader.grub.device = "/dev/sda";
networking.hostName = "server2"; # Define your hostname. networking.hostName = "server2"; # Define your hostname.

View File

@ -7,11 +7,14 @@ let
inherit (pkgs) lib; inherit (pkgs) lib;
export-openwrt-models = pkgs.writeText "openwrt-models.nix" ( export-openwrt-models = pkgs.writeText "openwrt-models.nix" (
nixpkgs.lib.generators.toPretty {} self.lib.openwrtModels lib.generators.toPretty {} self.lib.openwrtModels
); );
export-config = pkgs.writeText "config.nix" ( export-config = pkgs.writeText "config.nix" (
nixpkgs.lib.generators.toPretty {} (lib.filterAttrsRecursive (n: v: n != "net-combined") config) lib.generators.toPretty {} (
); lib.recursiveUpdate
config
{ site.dns.localZones = self.lib.dns.localZones; }
));
encrypt-secrets = pkgs.writeScriptBin "encrypt-secrets" '' encrypt-secrets = pkgs.writeScriptBin "encrypt-secrets" ''
#! ${pkgs.runtimeShell} -e #! ${pkgs.runtimeShell} -e
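Review bot: the old `filterAttrsRecursive (n: v: n != "net-combined")` filter is dropped from `export-config`, so `net-combined` is exported into `config.nix` again next to the newly added `site.dns.localZones`; confirm this is intended and that consumers of `config.nix` cope with the larger attribute set.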
@ -42,7 +45,7 @@ let
''; '';
network-cypher-graphs = import ./network-cypher-graphs.nix { inherit config pkgs; }; network-cypher-graphs = import ./network-cypher-graphs.nix { inherit config pkgs; };
network-graphs = import ./network-graphs.nix { inherit config pkgs; }; network-graphs = import ./network-graphs.nix { inherit config lib pkgs; };
mkRootfs = hostName: mkRootfs = hostName:
self.nixosConfigurations.${hostName}.config.system.build.toplevel; self.nixosConfigurations.${hostName}.config.system.build.toplevel;
@ -52,7 +55,20 @@ let
"${hostName}-rootfs" = mkRootfs hostName; "${hostName}-rootfs" = mkRootfs hostName;
}) {} ( }) {} (
builtins.attrNames ( builtins.attrNames (
nixpkgs.lib.filterAttrs (_: { role, ... }: builtins.elem role ["server" "container"]) lib.filterAttrs (_: { role, ... }: builtins.elem role ["server" "container"])
config.site.hosts
)
);
mkLxcConfig = hostName:
self.nixosConfigurations.${hostName}.config.system.build.lxcConfig;
lxc-configs =
builtins.foldl' (rootfs: hostName: rootfs // {
"${hostName}-lxc-config" = mkLxcConfig hostName;
}) {} (
builtins.attrNames (
lib.filterAttrs (_: { role, ... }: role == "container")
config.site.hosts config.site.hosts
) )
); );
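Review bot: `mkLxcConfig` reads `config.system.build.lxcConfig`, but no hunk on this page defines that option; the module that sets it must be part of this change (possibly in one of the suppressed diffs), otherwise `lxc-configs` fails to evaluate for every container host. A short comment pointing at the defining module would help.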
@ -65,7 +81,7 @@ let
}); });
}) {} ( }) {} (
builtins.attrNames ( builtins.attrNames (
nixpkgs.lib.filterAttrs (_: { role, ... }: role == "server") lib.filterAttrs (_: { role, ... }: role == "server")
config.site.hosts config.site.hosts
) )
); );
@ -79,7 +95,7 @@ let
"${hostName}-image" = openwrt.buildImage hostName; "${hostName}-image" = openwrt.buildImage hostName;
}) {} ( }) {} (
builtins.attrNames ( builtins.attrNames (
nixpkgs.lib.filterAttrs (_: { role, ... }: lib.filterAttrs (_: { role, ... }:
role == "ap" role == "ap"
) config.site.hosts ) config.site.hosts
) )
@ -117,7 +133,7 @@ let
inherit self; inherit self;
}; };
in in
rootfs-packages // vm-packages // device-templates // openwrt-packages // network-graphs // network-cypher-graphs // starlink // subnetplans // { rootfs-packages // lxc-configs // vm-packages // device-templates // openwrt-packages // network-graphs // network-cypher-graphs // starlink // subnetplans // {
inherit export-openwrt-models export-config dns-slaves inherit export-openwrt-models export-config dns-slaves
encrypt-secrets decrypt-secrets switch-to-production encrypt-secrets decrypt-secrets switch-to-production
homepage gateway-report switch-report vlan-report homepage gateway-report switch-report vlan-report

View File

@ -13,7 +13,7 @@ let
export-config export-config
gateway-report network-graphs gateway-report network-graphs
subnetplans switch-report vlan-report; subnetplans switch-report vlan-report;
in in
stdenv.mkDerivation { stdenv.mkDerivation {
pname = "zentralwerk-network-homepage"; pname = "zentralwerk-network-homepage";
@ -65,6 +65,7 @@ stdenv.mkDerivation {
ln -s ${network-graphs}/share/doc/zentralwerk/* $DIR/ ln -s ${network-graphs}/share/doc/zentralwerk/* $DIR/
ln -s ${../../../doc/core.png} $DIR/core.png ln -s ${../../../doc/core.png} $DIR/core.png
ln -s ${./security.txt} $DIR/security.txt
cp *.{html,css,png,svg} $DIR/ cp *.{html,css,png,svg} $DIR/
mkdir -p $out/nix-support mkdir -p $out/nix-support
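Review bot: `security.txt` is linked into the site root as `$DIR/security.txt`; RFC 9116 requires the file under `/.well-known/security.txt`, with the top-level path only as a legacy fallback, so add a second link (or a redirect) at that location.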

View File

@ -0,0 +1,3 @@
Contact: mailto:astro@spaceboyz.net
Preferred-Languages: en, de
Hiring: https://www.c3d2.de/space.html
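Review bot: the file has no `Expires:` field, which RFC 9116 makes mandatory (it recommends a date less than a year away); validators flag the file as invalid without it. `Canonical:` with the final URL and a signature are optional but cheap to add.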

View File

@ -1,7 +1,5 @@
{ config, pkgs, ... }: { config, lib, pkgs, ... }:
let let
inherit (pkgs) lib runCommand graphviz;
netColor = net: netColor = net:
if net == "core" if net == "core"
then "grey" then "grey"
@ -82,13 +80,13 @@ let
} }
''; '';
renderGraph = args@{ name, engine, ... }: renderGraph = args@{ name, engine, ... }:
runCommand "${name}.png" { pkgs.runCommand "${name}.png" {
src = builtins.toFile "${name}.dot" ( src = builtins.toFile "${name}.dot" (
toDot args toDot args
); );
} '' } ''
echo $src echo $src
${graphviz}/bin/${engine} -Tpng $src > $out ${pkgs.graphviz-nox}/bin/${engine} -Tpng $src > $out
''; '';
in rec { in rec {
@ -162,7 +160,7 @@ in rec {
) (builtins.attrNames containers); ) (builtins.attrNames containers);
}; };
network-graphs = runCommand "network-graphs" {} '' network-graphs = pkgs.runCommand "network-graphs" {} ''
DIR=$out/share/doc/zentralwerk DIR=$out/share/doc/zentralwerk
mkdir -p $DIR mkdir -p $DIR
ln -s ${physical-graph} $DIR/physical.png ln -s ${physical-graph} $DIR/physical.png

View File

@ -7,11 +7,11 @@ let
modelPackages = { modelPackages = {
"tplink_archer-c7-v2" = [ "tplink_archer-c7-v2" = [
"-kmod-ath10k-ct" "-ath10k-firmware-qca988x-ct" "-kmod-ath10k-ct" "-ath10k-firmware-qca988x-ct-full-htt" "-ath10k-firmware-qca988x-ct"
"kmod-ath10k" "ath10k-firmware-qca988x" "kmod-ath10k" "ath10k-firmware-qca988x"
]; ];
"tplink_archer-c7-v5" = [ "tplink_archer-c7-v5" = [
"-kmod-ath10k-ct" "-ath10k-firmware-qca988x-ct" "-kmod-ath10k-ct" "-ath10k-firmware-qca988x-ct" "-ath10k-firmware-qca988x-ct-full-htt"
"kmod-ath10k" "ath10k-firmware-qca988x" "kmod-ath10k" "ath10k-firmware-qca988x"
]; ];
"ubnt_unifiac-lite" = [ "ubnt_unifiac-lite" = [
@ -63,17 +63,17 @@ in rec {
inherit pkgs; inherit pkgs;
release = "19.07.10"; release = "19.07.10";
}).identifyProfile model }).identifyProfile model
else if builtins.match "tl-wr.*" model != null else if builtins.match "tl-wr[78].*" model != null
then { then {
release = "18.06.9"; release = "18.06.9";
packagesArch = "mips_24kc"; packagesArch = "mips_24kc";
target = "ar71xx"; target = "ar71xx";
variant = "tiny"; variant = "tiny";
profile = model; profile = model;
sha256 = "109a2557gwmgib7r500qn9ygd8j4r4cv5jl5rpn9vczsm4ilkc1z"; sha256 = "sha256-P7BJI6n6s53szYXKshnJRKL2fLIYgJLPiq/yd0oRKoE=";
feedsSha256 = { feedsSha256 = {
base.sha256 = "0xklqsk6d5d6bai0ry2hzfjr4sycf6241ihv8v1lmmf9r7d47cr1"; base.sha256 = "sha256-IbND2snJ1UrDRhvGQIRxzGuSpftQ+AyiWqaVZqbGdHY=";
packages.sha256 = "05g048saibh304ndnlczyq92b1c67c3cqvbhdamw1xqbsp6jzifp"; packages.sha256 = "sha256-18UvzdUL98CranBtzAY7hoUlEvafUdssAQOuqDQi4BU=";
}; };
} }
else null; else null;
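Review bot: the `sha256` and `feedsSha256` values for the 18.06.9 `tiny` profile change encoding and digest in one step; state in the commit message whether these are the old base32 hashes re-encoded as SRI or hashes of newly fetched artifacts, since a reviewer cannot tell a re-encoding from a silent upstream swap here. The narrowed `tl-wr[78].*` match looks fine.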
@ -83,19 +83,34 @@ in rec {
extraImageName = "zw-${hostName}"; extraImageName = "zw-${hostName}";
packages = [ packages = [
# remove unused default .ipk # remove unused default .ipk
"-dnsmasq" "-firewall" "-dnsmasq" "-firewall" "-firewall4"
"-ppp" "-ppp-mod-pppoe" "-kmod-ppp" "-kmod-pppoe" "-kmod-pppox" "-ppp" "-ppp-mod-pppoe" "-kmod-ppp" "-kmod-pppoe" "-kmod-pppox"
"-iptables" "-ip6tables" "-kmod-ipt-offload" "-iptables" "-ip6tables" "-kmod-ipt-offload"
"-odhcp6c" "-odhcpd-ipv6only" "-odhcp6c" "-odhcpd-ipv6only"
# debugging "-wpad-basic-mbedtls"
"tcpdump"
# monitoring # monitoring
"collectd" "collectd-mod-interface" "collectd-mod-load" "collectd"
"collectd-mod-cpu" "collectd-mod-iwinfo" "collectd-mod-network" "collectd-mod-iwinfo" "collectd-mod-network"
# wpa3 "collectd-mod-interface" "collectd-mod-load" "collectd-mod-cpu"
"-wpad-basic-wolfssl" "-wpad-mini" "collectd-mod-exec"
"wpad-openssl" ] ++ (
] ++ nixpkgs.lib.optionals hasVxlan [ if args.variant != "tiny"
then [
# debugging
"htop"
"tcpdump"
# wpa3
"-wpad-basic-wolfssl" "-wpad-mini"
"wpad-openssl"
"usteer"
] else [
# debugging
"tcpdump-mini"
# wpa3
"-wpad-openssl" "-wpad-mini"
"wpad-wolfssl"
]
) ++ nixpkgs.lib.optionals hasVxlan [
"vxlan" "kmod-vxlan" "vxlan" "kmod-vxlan"
] ++ modelPackages.${model} or []; ] ++ modelPackages.${model} or [];
disabledServices = [ "dnsmasq" "uhttpd" ]; disabledServices = [ "dnsmasq" "uhttpd" ];
@ -104,6 +119,10 @@ in rec {
cat > $out/etc/uci-defaults/99-zentralwerk <<EOF cat > $out/etc/uci-defaults/99-zentralwerk <<EOF
${uciConfig hostName} ${uciConfig hostName}
EOF EOF
mkdir -p $out/usr/{bin,sbin}
cp ${./usteer-info.sh} $out/usr/sbin/usteer-info.sh
cp ${./usteer-stats.sh} $out/usr/bin/usteer-stats.sh
chmod +x $out/usr/bin/*.sh $out/usr/sbin/*.sh
''; '';
}); });
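Review bot: `usteer` is only installed in the non-`tiny` branch, yet `collectd-mod-exec` is added for every variant and `usteer-info.sh`/`usteer-stats.sh` are copied into every image; on a `tiny` device the stats script then feeds collectd empty values (see the cron and collectd hunks below). Gate the script install, and the matching uci-defaults lines, on the same `args.variant != "tiny"` condition. The `chmod +x` here also makes the later `chmod +x /usr/bin/usteer-stats.sh /usr/sbin/usteer-info.sh` in uci-defaults redundant.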

View File

@ -18,8 +18,21 @@ let
# ours don't come with a switch. # ours don't come with a switch.
then false then false
else else
openwrtModel ? ports
&&
any ({ switch ? null, ... }: switch != null) any ({ switch ? null, ... }: switch != null)
(builtins.attrValues openwrtModel.ports); (builtins.attrValues openwrtModel.ports);
hasDSA = (
all ({ switch ? null, ... }:
switch == null
) (builtins.attrValues openwrtModel.ports or {})
&&
any ({ port ? null, interface ? null, ... }:
port != null &&
interface != null &&
port == interface
) (builtins.attrValues openwrtModel.ports or {})
) || hostConfig.model == "ubnt_unifi-usg";
portsDoc = portsDoc =
let let
@ -99,6 +112,20 @@ let
) )
); );
dsaPorts = net:
unique (
concatMap ({ ports, ... }: ports) (
builtins.filter ({ nets, ... }: builtins.elem net nets)
(builtins.attrValues hostConfig.links)
));
dsaPortType = net: port:
if any ({ ports, trunk, ... }: trunk && builtins.elem port ports) (
builtins.attrValues hostConfig.links
) || hostConfig.links.${net}.trunk or true
then "t"
else "u*";
networkInterfaces = net: networkInterfaces = net:
let let
inherit (config.site.net.${net}) vlan; inherit (config.site.net.${net}) vlan;
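Review bot: in `dsaPortType`, `hostConfig.links.${net}.trunk or true` yields `true` whenever `links` has no attribute named after the net, and the surrounding code (`dsaPorts`, the `switch_vlan` loop) treats `hostConfig.links` as keyed by link name with a `nets` list rather than by net; if that is the layout, every port comes out as `t` (tagged) and the `u*` (untagged, PVID) case is unreachable. Look the link up via `builtins.elem net nets` as `dsaPorts` does, and make the fallback `false`.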
@ -132,6 +159,16 @@ let
) )
); );
mgmtInterface =
if hasDSA
then "br0.${toString config.site.net.mgmt.vlan}"
else
let
mgmtInterfaces = networkInterfaces "mgmt";
in if builtins.length mgmtInterfaces == 1
then builtins.head mgmtInterfaces
else "br-mgmt";
in in
'' ''
# Set root password # Set root password
@ -151,8 +188,8 @@ in
uci set system.@system[0].log_ip=${config.site.net.mgmt.hosts4.logging} uci set system.@system[0].log_ip=${config.site.net.mgmt.hosts4.logging}
uci set system.@system[0].log_proto=udp uci set system.@system[0].log_proto=udp
# Switch config
${optionalString hasSwitch '' ${optionalString hasSwitch ''
# Switch config
# Ports ${portsDoc} # Ports ${portsDoc}
${concatMapStrings (net: '' ${concatMapStrings (net: ''
uci add network switch_vlan uci add network switch_vlan
@ -161,7 +198,42 @@ in
uci set network.@switch_vlan[-1].vlan='${toString config.site.net.${net}.vlan}' uci set network.@switch_vlan[-1].vlan='${toString config.site.net.${net}.vlan}'
uci set network.@switch_vlan[-1].ports='${switchPortsConfig net}' uci set network.@switch_vlan[-1].ports='${switchPortsConfig net}'
uci set network.@switch_vlan[-1].comment='${net}' uci set network.@switch_vlan[-1].comment='${net}'
'') (
sort (net1: net2:
config.site.net.${net1}.vlan < config.site.net.${net2}.vlan
) (
unique (
builtins.concatMap ({ nets, ... }: nets)
(builtins.attrValues hostConfig.links)
)
)
)}
''}
${optionalString hasDSA ''
# DSA
${uciDeleteAll "network.@device"}
uci add network device
uci set network.@device[-1].name='br0'
uci set network.@device[-1].type='bridge'
${concatMapStrings (port: ''
uci add_list network.@device[-1].ports='${port}'
'') (
unique (
builtins.concatMap ({ ports, ... }: ports)
(builtins.attrValues hostConfig.links)
)
)}
uci set network.br0='interface'
uci set network.br0.proto='none'
uci set network.br0.device='br0'
${concatMapStrings (net: ''
uci add network bridge-vlan
uci set network.@bridge-vlan[-1].device='br0'
uci set network.@bridge-vlan[-1].vlan='${toString config.site.net.${net}.vlan}'
${concatMapStrings (port: ''
uci add_list network.@bridge-vlan[-1].ports='${port}:${dsaPortType net port}'
'') (dsaPorts net)}
'') ( '') (
sort (net1: net2: sort (net1: net2:
config.site.net.${net1}.vlan < config.site.net.${net2}.vlan config.site.net.${net1}.vlan < config.site.net.${net2}.vlan
@ -176,11 +248,16 @@ in
# mgmt network # mgmt network
uci set network.mgmt=interface uci set network.mgmt=interface
uci set network.mgmt.ifname='${ ${if hasDSA
if builtins.length (networkInterfaces "mgmt") > 0 then ''
then concatStringsSep " " (networkInterfaces "mgmt") uci set network.mgmt.device='br0.${toString config.site.net.mgmt.vlan}'
else throw "${hostName}: No interface for mgmt" '' else ''
}' uci set network.mgmt.ifname='${
if builtins.length (networkInterfaces "mgmt") > 0
then concatStringsSep " " (networkInterfaces "mgmt")
else throw "${hostName}: No interface for mgmt"
}'
''}
uci set network.mgmt.proto=static uci set network.mgmt.proto=static
${optionalString (hostConfig.interfaces.mgmt.type == "bridge") '' ${optionalString (hostConfig.interfaces.mgmt.type == "bridge") ''
uci set network.mgmt.type=bridge uci set network.mgmt.type=bridge
@ -210,9 +287,17 @@ in
uci set network.${net}=interface uci set network.${net}=interface
${optionalString (iface.type == "bridge") '' ${optionalString (iface.type == "bridge") ''
uci set network.${net}.type=bridge uci set network.${net}.type=bridge
uci add network device
uci set network.@device[-1].name='${net}'
uci set network.@device[-1].type='bridge'
''} ''}
uci set network.${net}.proto=static uci set network.${net}.proto=static
uci set network.${net}.ifname='${concatStringsSep " " (networkInterfaces net)}' ${if hasDSA
then ''
uci set network.${net}.device='br0.${toString config.site.net.${net}.vlan}'
'' else ''
uci set network.${net}.ifname='${concatStringsSep " " (networkInterfaces net)}'
''}
${optionalString (config.site.net.${net}.mtu != null) '' ${optionalString (config.site.net.${net}.mtu != null) ''
uci set network.${net}.mtu=${toString config.site.net.${net}.mtu} uci set network.${net}.mtu=${toString config.site.net.${net}.mtu}
''} ''}
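Review bot: for `bridge`-type nets this adds a `network device` section named `${net}` with `type=bridge` but no `ports`, and `network.${net}` never references it (`device` is set to `br0.<vlan>` under DSA, `ifname` otherwise) while the legacy `type=bridge` on the interface is kept; netifd will create an empty bridge `${net}` next to the real one. Either attach the member ports to the device and point the interface at it, or drop the new section.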
@ -244,6 +329,7 @@ in
'') (builtins.attrNames hostConfig.interfaces) '') (builtins.attrNames hostConfig.interfaces)
} }
${uciDeleteAll "wireless.radio"}
uci -q delete wireless.default_radio0 || true uci -q delete wireless.default_radio0 || true
uci -q delete wireless.default_radio1 || true uci -q delete wireless.default_radio1 || true
${concatStrings (imap0 (index: path: ${concatStrings (imap0 (index: path:
@ -256,6 +342,7 @@ in
uci set wireless.radio${toString index}=wifi-device uci set wireless.radio${toString index}=wifi-device
uci set wireless.radio${toString index}.type=mac80211 uci set wireless.radio${toString index}.type=mac80211
uci set wireless.radio${toString index}.country=DE uci set wireless.radio${toString index}.country=DE
uci set wireless.radio${toString index}.band=${radioConfig.band}
uci set wireless.radio${toString index}.channel=${toString radioConfig.channel} uci set wireless.radio${toString index}.channel=${toString radioConfig.channel}
uci set wireless.radio${toString index}.path=${path} uci set wireless.radio${toString index}.path=${path}
uci set wireless.radio${toString index}.htmode=${radioConfig.htmode} uci set wireless.radio${toString index}.htmode=${radioConfig.htmode}
@ -265,6 +352,7 @@ in
${concatMapStrings (ssid: ${concatMapStrings (ssid:
let let
ssidConfig = radioConfig.ssids.${ssid}; ssidConfig = radioConfig.ssids.${ssid};
netConfig = config.site.net.${ssidConfig.net};
# mapping our option to openwrt/hostapd setting # mapping our option to openwrt/hostapd setting
encryption = { encryption = {
@ -279,6 +367,11 @@ in
then ssidConfig.ifname then ssidConfig.ifname
else "${ifPrefix}-${ssidConfig.net}"; else "${ifPrefix}-${ssidConfig.net}";
pad = len: prefix: s:
if builtins.stringLength s < len
then pad len prefix "${prefix}${s}"
else s;
in '' in ''
uci add wireless wifi-iface uci add wireless wifi-iface
uci set wireless.@wifi-iface[-1].ifname=${ifname} uci set wireless.@wifi-iface[-1].ifname=${ifname}
@ -287,6 +380,7 @@ in
uci set wireless.@wifi-iface[-1].mode=${ssidConfig.mode} uci set wireless.@wifi-iface[-1].mode=${ssidConfig.mode}
uci set wireless.@wifi-iface[-1].network=${ssidConfig.net} uci set wireless.@wifi-iface[-1].network=${ssidConfig.net}
uci set wireless.@wifi-iface[-1].mcast_rate=18000 uci set wireless.@wifi-iface[-1].mcast_rate=18000
uci set wireless.@wifi-iface[-1].hidden=${if ssidConfig.hidden then "1" else "0"}
uci set wireless.@wifi-iface[-1].encryption='${encryption}' uci set wireless.@wifi-iface[-1].encryption='${encryption}'
${if (ssidConfig.psk != null) ${if (ssidConfig.psk != null)
then '' then ''
@ -295,10 +389,59 @@ in
else '' else ''
uci -q delete wireless.@wifi-iface[-1].key || true uci -q delete wireless.@wifi-iface[-1].key || true
''} ''}
${lib.optionalString (!ssidConfig.disassocLowAck) ''
uci set wireless.@wifi-iface[-1].disassoc_low_ack='0'
''}
${lib.optionalString (netConfig.wifi.ieee80211rKey != null) ''
# for usteerd
# see https://www.libe.net/en-wlan-roaming#client-steering
# https://openwrt.org/docs/guide-user/network/wifi/usteer#configure_80211k_and_80211v_on_all_ap-nodes
uci set wireless.@wifi-iface[-1].bss_transition=1
uci set wireless.@wifi-iface[-1].wnm_sleep_mode=1
uci set wireless.@wifi-iface[-1].time_advertisement=2
uci set wireless.@wifi-iface[-1].time_zone=GMT0
uci set wireless.@wifi-iface[-1].ieee80211k=1
uci set wireless.@wifi-iface[-1].rrm_neighbor_report=1
uci set wireless.@wifi-iface[-1].rrm_beacon_report=1
# breaks Apple devices connecting to wifi when used together with wpa2/wpa3 mixed mode (sae-mixed)
# uci set wireless.@wifi-iface[-1].ieee80211r=1
# when unset derived from interface MAC
uci set wireless.@wifi-iface[-1].nasid=${pad 12 "0" (toString ((lib.toInt (lib.removePrefix "ap" hostName)) * 65536 + index))}
# when unset derived from the first 4 chars of the md5 hashed SSID
uci set wireless.@wifi-iface[-1].mobility_domain=${pad 4 "0" (lib.toHexString (49920 + netConfig.vlan))}
# https://github.com/openwrt/openwrt/issues/7907
# https://github.com/openwrt/openwrt/commit/2984a0420649733662ff95b0aff720b8c2c19f8a
uci set wireless.@wifi-iface[-1].ft_over_ds=0
# as recommend in 7907 and seems to fairly often trigger while testing
uci set wireless.@wifi-iface[-1].reassociation_deadline=20000
# might be unused if ft_over_ds is not used
uci set wireless.@wifi-iface[-1].ft_bridge=${mgmtInterface}
# otherwise the r0kh/r1kh options below are not applied
uci set wireless.@wifi-iface[-1].ft_psk_generate_local=0
# do not just rely on the monility domain for increased security
# https://forum.openwrt.org/t/802-11r-fast-transition-how-to-understand-that-ft-works/110920/81
uci set wireless.@wifi-iface[-1].r0kh=ff:ff:ff:ff:ff:ff,\*,${netConfig.wifi.ieee80211rKey}
uci set wireless.@wifi-iface[-1].r1kh=00:00:00:00:00:00,00:00:00:00:00:00,${netConfig.wifi.ieee80211rKey}
uci set wireless.@wifi-iface[-1].pmk_r1_push=1
''}
'' ''
) (builtins.attrNames radioConfig.ssids)} ) (builtins.attrNames radioConfig.ssids)}
'') (builtins.attrNames hostConfig.wifi))} '') (builtins.attrNames hostConfig.wifi))}
uci set usteer.@usteer[0].network=mgmt
uci set usteer.@usteer[0].load_kick_enabled=1
uci set usteer.@usteer[0].load_kick_threshold=67
uci set usteer.@usteer[0].signal_diff_threshold=15
uci set usteer.@usteer[0].load_balancing_threshold=8
uci set usteer.@usteer[0].band_steering_threshold=16
uci commit uci commit
# Add hotfixes for MTU settings # Add hotfixes for MTU settings
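Review bot: with `ieee80211r=1` commented out, the whole FT block is still emitted, so the `r0kh`/`r1kh` lines carrying `netConfig.wifi.ieee80211rKey` land in `/etc/config/wireless` and in the image's uci-defaults script to no effect; wrap the FT lines in a flag (or emit only the 802.11k/v lines) until fast transition is switched back on. Two smaller points: `pmk_r1_push=1` has no destination when the only `r1kh` entry is the `00:00:00:00:00:00` wildcard, so check whether pull-on-demand is what you want; and the `uci set usteer.@usteer[0].*` lines run on every variant although `usteer` (and its `/etc/config/usteer`) is only installed for non-`tiny` builds, so those calls fail there. Typos in comments: `monility`, `as recommend`.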
@ -320,6 +463,7 @@ in
# the gateways is reachable # the gateways is reachable
cat >/etc/crontabs/root <<__CRON__ cat >/etc/crontabs/root <<__CRON__
* * * * * /usr/sbin/wifi-on-link.sh * * * * * /usr/sbin/wifi-on-link.sh
* * * * * /usr/sbin/usteer-info.sh
__CRON__ __CRON__
cat >/usr/sbin/wifi-on-link.sh <<__SH__ cat >/usr/sbin/wifi-on-link.sh <<__SH__
#!/bin/sh #!/bin/sh
@ -366,11 +510,16 @@ in
LoadPlugin interface LoadPlugin interface
LoadPlugin iwinfo LoadPlugin iwinfo
LoadPlugin network LoadPlugin network
LoadPlugin exec
<Plugin network> <Plugin network>
Server "${config.site.net.serv.hosts6.dn42.stats}" "25826" Server "${config.site.net.serv.hosts6.dn42.stats}" "25826"
</Plugin> </Plugin>
<Plugin exec>
Exec "nobody" "/usr/bin/usteer-stats.sh"
</Plugin>
COLLECTD COLLECTD
''} ''}
chmod +x /usr/bin/usteer-stats.sh /usr/sbin/usteer-info.sh
for svc in dnsmasq uhttpd ; do for svc in dnsmasq uhttpd ; do
rm -f /etc/rc.d/*\$svc rm -f /etc/rc.d/*\$svc
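Review bot: `Exec "nobody" "/usr/bin/usteer-stats.sh"` means the FIFO `/tmp/usteer-info` is created by `nobody` while the writer (`usteer-info.sh` from root's crontab) runs as root; that only works because root ignores the FIFO's mode, and a fixed path in world-writable `/tmp` is the classic pre-created-path hazard. Create the FIFO at boot in a directory owned by the collectd user, or hand the data over through a file under `/var/run` with explicit ownership. The `chmod +x` line duplicates the one already done at image build time.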

View File

@ -0,0 +1,3 @@
#! /bin/sh
[ -p /tmp/usteer-info ] || exit 0
exec /bin/ubus call usteer local_info > /tmp/usteer-info
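Review bot: `> /tmp/usteer-info` opens the FIFO for writing, which blocks until a reader opens the other end; when collectd (the only reader) is stopped or restarting, each minute's cron run hangs forever and blocked `ubus` processes accumulate. The simplest fix is to let the stats script call `ubus call usteer local_info` itself on its own 60 s loop and drop the FIFO and the cron entry; failing that, make this script a no-op when `usteer` is not installed, since the cron line is added to every image.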

View File

@ -0,0 +1,32 @@
#! /bin/sh
HOSTNAME=`cat /proc/sys/kernel/hostname`
INTERVAL=60
[ -p /tmp/usteer-info ] || mkfifo /tmp/usteer-info
while true; do
if [ ! -p /tmp/usteer-info ]; then
echo "/tmp/usteer-info went missing!"
exit 1
fi
DATA="$(cat /tmp/usteer-info)"
cd /sys/class/net
for iface in wlan*; do
eval $( echo "$DATA" | jsonfilter \
-e 'LOAD=@["hostapd.'$iface'"].load' \
-e 'NOISE=@["hostapd.'$iface'"].noise' \
-e 'N_ASSOC=@["hostapd.'$iface'"].n_assoc' \
-e 'FREQ=@["hostapd.'$iface'"].freq' \
-e 'ROAM_SOURCE=@["hostapd.'$iface'"].roam_events.source' \
-e 'ROAM_TARGET=@["hostapd.'$iface'"].roam_events.target'
)
echo "PUTVAL \"$HOSTNAME/usteer_local_info-$iface/stations-load\" interval=$INTERVAL N:$LOAD"
echo "PUTVAL \"$HOSTNAME/usteer_local_info-$iface/signal_noise-noise\" interval=$INTERVAL N:$NOISE"
echo "PUTVAL \"$HOSTNAME/usteer_local_info-$iface/stations-n_assoc\" interval=$INTERVAL N:$N_ASSOC"
echo "PUTVAL \"$HOSTNAME/usteer_local_info-$iface/frequency-freq\" interval=$INTERVAL N:$FREQ"
echo "PUTVAL \"$HOSTNAME/usteer_local_info-$iface/transitions-roam_source\" interval=$INTERVAL N:$ROAM_SOURCE"
echo "PUTVAL \"$HOSTNAME/usteer_local_info-$iface/transitions-roam_target\" interval=$INTERVAL N:$ROAM_TARGET"
done
done
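Review bot: `LOAD`, `NOISE`, `N_ASSOC`, `FREQ`, `ROAM_SOURCE` and `ROAM_TARGET` are never reset between iterations, so when `jsonfilter` finds no `hostapd.<iface>` object (or `$DATA` is empty because the writer's `ubus` call failed) `eval` assigns nothing and the previous interface's values are reported again under the new name; unset the variables, or skip the interface, when the filter returns nothing. `INTERVAL=60` also only holds because the cron job fires once a minute, so the two files must stay in sync; reading `COLLECTD_INTERVAL`, which the exec plugin exports, would remove that coupling.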

View File

@ -60,7 +60,11 @@ exit 1 if collisions > 0
GROUP_PREFIX = 19 GROUP_PREFIX = 19
groups = {} groups = {}
nets.each do |net| nets.each do |net|
group = net.addr.supernet(GROUP_PREFIX).to_s if net.addr.prefix > GROUP_PREFIX
group = net.addr.supernet(GROUP_PREFIX).to_s
else
group = net.addr.to_s
end
(groups[group] ||= []) << net (groups[group] ||= []) << net
end end

View File

@ -9,7 +9,7 @@ let
host-name ${hostName}; host-name ${hostName};
time-zone Europe/Berlin; time-zone Europe/Berlin;
root-authentication { root-authentication {
encrypted-password "$5$EBmFELmv$kQxtWwS0SBS.TqVPRvs8sKpH./l9DTtTxX/I2FJB2n2"; ## SECRET-DATA encrypted-password "%%HASH%%"; ## SECRET-DATA
ssh-ed25519 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHGgoLzQMeyX1wjsX/hgVkN//zyfOQPiBRYgO2ajEGH6 root@server2"; ssh-ed25519 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHGgoLzQMeyX1wjsX/hgVkN//zyfOQPiBRYgO2ajEGH6 root@server2";
} }
services { services {
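Review bot: replacing the literal hash with `%%HASH%%` is the right direction, but the removed `$5$EBmFELmv$…` SHA-256 crypt hash remains in git history; rotate the root password on the affected Junos devices rather than relying on the removal. Keeping the `ssh-ed25519` public key inline is fine.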
@ -114,13 +114,9 @@ let
''; '';
configFileWithHash = runCommand "junos.config" { configFileWithHash = runCommand "junos.config" {
nativeBuildInputs = [ python3 ]; nativeBuildInputs = [ mkpasswd ];
} '' } ''
cat >gen.py<<EOF HASH=$(echo "${hostConfig.password}" | mkpasswd --method=SHA-512 --stdin)
import crypt
print(crypt.crypt('${hostConfig.password}', crypt.mksalt(crypt.METHOD_SHA256)))
EOF
HASH=$(python gen.py)
substitute ${configFile} $out \ substitute ${configFile} $out \
--replace "%%HASH%%" "$HASH" --replace "%%HASH%%" "$HASH"
''; '';
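Review bot: `echo "${hostConfig.password}" | mkpasswd …` interpolates the plaintext password into the build script, so it is stored in the `.drv` and builder environment in the Nix store (the python version had the same property, so this is pre-existing, but deserves a comment). Prefer `printf '%s\n'` over `echo` so passwords starting with `-` or containing backslashes survive, and confirm the target Junos release accepts `$6$` SHA-512 hashes, since this switches from the `$5$` SHA-256 form the old script produced.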

File diff suppressed because it is too large

File diff suppressed because it is too large

File diff suppressed because it is too large