

No commits in common. "master" and "bgp" have entirely different histories.
master ... bgp

57 changed files with 19154 additions and 2573 deletions


@ -26,11 +26,11 @@ Alle Stecker im Haus sind in Schema A gecrimpt.
| | ![][gi] B 2.05.02 | ![][gi] UVB 1.09 | | 14 | | | ![][gi] B 2.05.02 | ![][gi] UVB 1.09 | | 14 |
| ![][ri] B 4.02.01 *v* | ![][gi] B 2.05.05 | ![][gi] UVB 1.10 | | 15 | | ![][ri] B 4.02.01 *v* | ![][gi] B 2.05.05 | ![][gi] UVB 1.10 | | 15 |
| ![][ri] B 4.01.01 *v* | ![][gi] B 2.05.06 | ![][gi] 1.06 | | 16 | | ![][ri] B 4.01.01 *v* | ![][gi] B 2.05.06 | ![][gi] 1.06 | | 16 |
| ![][ri] B 4.03.01 *v* | ![][gi] B 2.05.03 *v* | ![][gi] 1.16 *v* | | 17 | | ![][ri] B 4.03.01 | ![][gi] B 2.05.03 *v* | | | 17 |
| ![][ri] B 4.04.01 *v* | ![][gi] B 2.05.07 *v* | | | 18 | | ![][ri] B 4.04.01 *v* | ![][gi] B 2.05.07 *v* | | | 18 |
| ![][ri] B 4.05.02 *v* | ![][gi] B 2.06 | | | 19 | | ![][ri] B 4.05.02 *v* | ![][gi] B 2.06 | | | 19 |
| ![][ri] B 4.06.01 *v* | ![][ri] B 2.07 | | | 20 | | ![][ri] B 4.06.01 *v* | ![][ri] B 2.07 | | | 20 |
| ![][ri] B 4.07.05 *v* | | | | 21 | | ![][ri] B 4.07.05 | | | | 21 |
| ![][ri] B 4.08.01 | | | | 22 | | ![][ri] B 4.08.01 | | | | 22 |
| ![][ri] B 4.09.01 *v* | | | | 23 | | ![][ri] B 4.09.01 *v* | | | | 23 |
| ![][ri] B 4.10.01 *v* | | | | 24 | | ![][ri] B 4.10.01 *v* | | | | 24 |


@ -33,7 +33,7 @@
wifi = { wifi = {
"platform/qca953x_wmac" = { "platform/qca953x_wmac" = {
channel = 1; channel = 1;
htmode = "HT20"; htmode = "HT40+";
ssids = { ssids = {
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
uebergangsnetz = { net = "priv6"; }; uebergangsnetz = { net = "priv6"; };
@ -60,15 +60,15 @@
}; };
}; };
location = "Turm D, 1. Etage"; location = "Turm D, 1. Etage";
model = "tl-wr841-v9"; model = "tl-wr841-v10";
role = "ap"; role = "ap";
wifi = { wifi = {
"platform/qca953x_wmac" = { "platform/qca953x_wmac" = {
channel = 6; channel = 6;
htmode = "HT20"; htmode = "HT40+";
ssids = { ssids = {
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
"iz-dresden.org" = { net = "priv15"; encryption = "wpa2"; }; "iz-dresden.org" = { net = "priv15"; };
}; };
}; };
}; };
@ -92,12 +92,12 @@
}; };
}; };
location = "B 2.03.04"; location = "B 2.03.04";
model = "tplink_tl-wr1043nd-v2"; model = "tplink_tl-wr1043nd-v1";
role = "ap"; role = "ap";
wifi = { wifi = {
"platform/ahb/18100000.wmac" = { "platform/ahb/18100000.wmac" = {
channel = 1; channel = 1;
htmode = "HT20"; htmode = "HT40+";
ssids = { ssids = {
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
braeunigkoschnik = { net = "priv8"; }; braeunigkoschnik = { net = "priv8"; };
@ -130,7 +130,7 @@
wifi = { wifi = {
"platform/ar934x_wmac" = { "platform/ar934x_wmac" = {
channel = 6; channel = 6;
htmode = "HT20"; htmode = "HT40+";
ssids = { ssids = {
"IrèneMélix" = { net = "priv38"; }; "IrèneMélix" = { net = "priv38"; };
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
@ -139,6 +139,8 @@
}; };
}; };
}; };
ap13 = { };
ap14 = { };
ap15 = { ap15 = {
interfaces = { interfaces = {
mgmt = { mgmt = {
@ -163,7 +165,7 @@
wifi = { wifi = {
"platform/ahb/18100000.wmac" = { "platform/ahb/18100000.wmac" = {
channel = 1; channel = 1;
htmode = "HT20"; htmode = "HT40+";
ssids = { ssids = {
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
etz250 = { net = "priv10"; }; etz250 = { net = "priv10"; };
@ -171,6 +173,7 @@
}; };
}; };
}; };
ap16 = { };
ap17 = { ap17 = {
interfaces = { interfaces = {
mgmt = { mgmt = {
@ -197,7 +200,7 @@
wifi = { wifi = {
"platform/ahb/18100000.wmac" = { "platform/ahb/18100000.wmac" = {
channel = 5; channel = 5;
htmode = "HT20"; htmode = "HT40+";
ssids = { ssids = {
EDUB = { net = "priv33"; }; EDUB = { net = "priv33"; };
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
@ -231,7 +234,7 @@
wifi = { wifi = {
"platform/qca953x_wmac" = { "platform/qca953x_wmac" = {
channel = 1; channel = 1;
htmode = "HT20"; htmode = "HT40+";
ssids = { ssids = {
"Restaurierung Wolff/Kober" = { net = "priv9"; }; "Restaurierung Wolff/Kober" = { net = "priv9"; };
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
@ -259,15 +262,15 @@
}; };
}; };
location = "Turm C oberste Etage"; location = "Turm C oberste Etage";
model = "tl-wr841-v11"; model = "tl-wr841-v10";
role = "ap"; role = "ap";
wifi = { wifi = {
"platform/qca953x_wmac" = { "platform/qca953x_wmac" = {
channel = 6; channel = 6;
htmode = "HT20"; htmode = "HT40+";
ssids = { ssids = {
"Bockwurst" = { net = "priv41"; encryption = "wpa2"; }; "Studio 01127" = { net = "priv41"; };
Walter = { net = "priv26"; encryption = "wpa2"; }; Walter = { net = "priv26"; };
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
}; };
}; };
@ -276,7 +279,6 @@
ap2 = { ap2 = {
interfaces = { interfaces = {
c3d2.type = "bridge"; c3d2.type = "bridge";
c3d2iot.type = "bridge";
mgmt = { mgmt = {
gw4 = "mgmt-gw"; gw4 = "mgmt-gw";
gw6 = "mgmt-gw"; gw6 = "mgmt-gw";
@ -301,20 +303,15 @@
htmode = "VHT80"; htmode = "VHT80";
ssids = { ssids = {
C3D2 = { net = "c3d2"; }; C3D2 = { net = "c3d2"; };
"ZW public" = { net = "pub"; }; "ZW public legacy" = { net = "pub"; };
}; };
}; };
"platform/ahb/18100000.wmac" = { "platform/ahb/18100000.wmac" = {
channel = 1; channel = 1;
htmode = "HT20"; htmode = "HT40+";
ssids = { ssids = {
"C3D2 legacy" = { net = "c3d2"; }; "C3D2 legacy" = { net = "c3d2"; };
"C3D2 IoT" = { "ZW public" = { net = "pub"; };
net = "c3d2iot";
hidden = true;
disassocLowAck = false;
};
"ZW public legacy" = { net = "pub"; };
}; };
}; };
}; };
@ -345,7 +342,7 @@
}; };
"platform/ahb/18100000.wmac" = { "platform/ahb/18100000.wmac" = {
channel = 5; channel = 5;
htmode = "HT20"; htmode = "HT40+";
ssids = { ssids = {
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
}; };
@ -375,7 +372,7 @@
wifi = { wifi = {
"pci0000:00/0000:00:00.0" = { "pci0000:00/0000:00:00.0" = {
channel = 11; channel = 11;
htmode = "HT20"; htmode = "HT40-";
ssids = { "ZW public" = { net = "pub"; }; }; ssids = { "ZW public" = { net = "pub"; }; };
}; };
}; };
@ -409,7 +406,7 @@
}; };
"platform/ahb/18100000.wmac" = { "platform/ahb/18100000.wmac" = {
channel = 1; channel = 1;
htmode = "HT20"; htmode = "HT40+";
ssids = { ssids = {
"LBK Network" = { net = "priv30"; }; "LBK Network" = { net = "priv30"; };
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
@ -428,20 +425,23 @@
pub.type = "bridge"; pub.type = "bridge";
}; };
links = { links = {
# Ends up in /etc/config but not in `swconfig dev switch0 show` priv12 = {
priv12.ports = [ "lan:1" "lan:2" "lan:3" "lan:4" ]; ports = [ "lan" ];
switch-b3.ports = [ "wan" ]; };
switch-b3 = {
ports = [ "wan" ];
};
}; };
location = "Farbwerk"; location = "Farbwerk";
model = "tl-wr740n-v4"; model = "tl-wr740n-v1";
role = "ap"; role = "ap";
wifi = { wifi = {
"platform/ar933x_wmac" = { "platform/ar933x_wmac" = {
channel = 6; channel = 6;
htmode = "HT20"; htmode = "HT40-";
ssids = { ssids = {
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
farbwerk = { net = "priv12"; encryption = "wpa2"; }; farbwerk = { net = "priv12"; };
}; };
}; };
}; };
@ -464,13 +464,13 @@
ports = [ "wan" ]; ports = [ "wan" ];
}; };
}; };
location = "Farbwerk, lost"; location = "Farbwerk";
model = "tl-wr740n-v1"; model = "tl-wr740n-v1";
role = "ap"; role = "ap";
wifi = { wifi = {
"platform/ar933x_wmac" = { "platform/ar933x_wmac" = {
channel = 6; channel = 6;
htmode = "HT20"; htmode = "HT40-";
ssids = { ssids = {
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
farbwerk = { net = "priv12"; }; farbwerk = { net = "priv12"; };
@ -502,7 +502,7 @@
wifi = { wifi = {
"pci0000:00/0000:00:00.0" = { "pci0000:00/0000:00:00.0" = {
channel = 11; channel = 11;
htmode = "HT20"; htmode = "HT40-";
ssids = { ssids = {
Dezember = { net = "priv37"; }; Dezember = { net = "priv37"; };
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
@ -533,7 +533,7 @@
wifi = { wifi = {
"platform/qca953x_wmac" = { "platform/qca953x_wmac" = {
channel = 1; channel = 1;
htmode = "HT20"; htmode = "HT40+";
ssids = { "ZW public" = { net = "pub"; }; }; ssids = { "ZW public" = { net = "pub"; }; };
}; };
}; };
@ -561,7 +561,7 @@
wifi = { wifi = {
"platform/ar934x_wmac" = { "platform/ar934x_wmac" = {
channel = 9; channel = 9;
htmode = "HT20"; htmode = "HT40+";
ssids = { "ZW public" = { net = "pub"; }; }; ssids = { "ZW public" = { net = "pub"; }; };
}; };
}; };
@ -598,7 +598,7 @@
}; };
"platform/ahb/18100000.wmac" = { "platform/ahb/18100000.wmac" = {
channel = 6; channel = 6;
htmode = "HT20"; htmode = "HT40+";
ssids = { ssids = {
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
jungnickel-fotografie = { net = "priv13"; }; jungnickel-fotografie = { net = "priv13"; };
@ -633,7 +633,7 @@
wifi = { wifi = {
"pci0000:00/0000:00:00.0" = { "pci0000:00/0000:00:00.0" = {
channel = 128; channel = 128;
htmode = "HT20"; htmode = "HT40+";
ssids = { ssids = {
C3D2 = { net = "c3d2"; }; C3D2 = { net = "c3d2"; };
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
@ -641,7 +641,7 @@
}; };
"platform/ar934x_wmac" = { "platform/ar934x_wmac" = {
channel = 1; channel = 1;
htmode = "HT20"; htmode = "HT40+";
ssids = { ssids = {
"C3D2 legacy" = { net = "c3d2"; }; "C3D2 legacy" = { net = "c3d2"; };
"ZW public legacy" = { net = "pub"; }; "ZW public legacy" = { net = "pub"; };
@ -673,7 +673,7 @@
wifi = { wifi = {
"platform/ahb/18100000.wmac" = { "platform/ahb/18100000.wmac" = {
channel = 1; channel = 1;
htmode = "HT20"; htmode = "HT40+";
ssids = { ssids = {
WLANb0402 = { net = "priv14"; }; WLANb0402 = { net = "priv14"; };
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
@ -684,7 +684,6 @@
ap31 = { ap31 = {
interfaces = { interfaces = {
c3d2.type = "bridge"; c3d2.type = "bridge";
c3d2iot.type = "bridge";
mgmt = { mgmt = {
gw4 = "mgmt-gw"; gw4 = "mgmt-gw";
gw6 = "mgmt-gw"; gw6 = "mgmt-gw";
@ -712,14 +711,9 @@
}; };
"platform/ahb/18100000.wmac" = { "platform/ahb/18100000.wmac" = {
channel = 5; channel = 5;
htmode = "HT20"; htmode = "HT40+";
ssids = { ssids = {
"C3D2 legacy" = { net = "c3d2"; }; "C3D2 legacy" = { net = "c3d2"; };
"C3D2 IoT" = {
net = "c3d2iot";
hidden = true;
disassocLowAck = false;
};
FOTOAKADEMIEdd = { net = "priv39"; }; FOTOAKADEMIEdd = { net = "priv39"; };
"ZW public legacy" = { net = "pub"; }; "ZW public legacy" = { net = "pub"; };
}; };
@ -757,7 +751,7 @@
channel = 9; channel = 9;
htmode = "HT20"; htmode = "HT20";
ssids = { ssids = {
"ZW public legacy" = { net = "pub"; }; "ZW public" = { net = "pub"; };
"ZW stage legacy" = { net = "priv25"; }; "ZW stage legacy" = { net = "priv25"; };
}; };
}; };
@ -792,7 +786,7 @@
}; };
"platform/ahb/18100000.wmac" = { "platform/ahb/18100000.wmac" = {
channel = 9; channel = 9;
htmode = "HT20"; htmode = "HT40+";
ssids = { ssids = {
"C3D2 legacy" = { net = "c3d2"; }; "C3D2 legacy" = { net = "c3d2"; };
"ZW public legacy" = { net = "pub"; }; "ZW public legacy" = { net = "pub"; };
@ -829,7 +823,7 @@
}; };
"platform/ahb/18100000.wmac" = { "platform/ahb/18100000.wmac" = {
channel = 9; channel = 9;
htmode = "HT20"; htmode = "HT40+";
ssids = { ssids = {
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
etz250 = { net = "priv10"; }; etz250 = { net = "priv10"; };
@ -861,7 +855,7 @@
wifi = { wifi = {
"platform/ahb/18100000.wmac" = { "platform/ahb/18100000.wmac" = {
channel = 1; channel = 1;
htmode = "HT20"; htmode = "HT40+";
ssids = { ssids = {
Koch = { net = "priv18"; }; Koch = { net = "priv18"; };
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
@ -893,7 +887,7 @@
wifi = { wifi = {
"platform/ar933x_wmac" = { "platform/ar933x_wmac" = {
channel = 5; channel = 5;
htmode = "HT20"; htmode = "HT40+";
ssids = { ssids = {
"C3D2 legacy" = { net = "c3d2"; }; "C3D2 legacy" = { net = "c3d2"; };
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
@ -930,10 +924,11 @@
}; };
"platform/ahb/18100000.wmac" = { "platform/ahb/18100000.wmac" = {
channel = 6; channel = 6;
htmode = "HT20"; htmode = "HT40-";
ssids = { ssids = {
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
"hechtfilm.de legacy" = { net = "priv19"; }; "hechtfilm.de legacy" = { net = "priv19"; };
"LIZA".net = "priv43";
}; };
}; };
}; };
@ -947,7 +942,6 @@
}; };
priv20.type = "bridge"; priv20.type = "bridge";
priv28.type = "bridge"; priv28.type = "bridge";
priv47.type = "bridge";
pub.type = "bridge"; pub.type = "bridge";
}; };
links = { links = {
@ -973,12 +967,11 @@
}; };
"platform/ahb/18100000.wmac" = { "platform/ahb/18100000.wmac" = {
channel = 11; channel = 11;
htmode = "HT20"; htmode = "HT40-";
ssids = { ssids = {
"ZW heinrichsgarten" = { net = "priv28"; }; "ZW heinrichsgarten" = { net = "priv28"; };
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
plop = { net = "priv20"; }; plop = { net = "priv20"; };
millimeter = { net = "priv47"; };
}; };
}; };
}; };
@ -1007,7 +1000,7 @@
wifi = { wifi = {
"platform/10180000.wmac" = { "platform/10180000.wmac" = {
channel = 9; channel = 9;
htmode = "HT20"; htmode = "HT40+";
ssids = { ssids = {
EckiTino = { net = "priv7"; }; EckiTino = { net = "priv7"; };
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
@ -1040,7 +1033,7 @@
wifi = { wifi = {
"platform/ahb/18100000.wmac" = { "platform/ahb/18100000.wmac" = {
channel = 11; channel = 11;
htmode = "HT20"; htmode = "HT40-";
ssids = { ssids = {
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
"jam-circle.de" = { net = "priv4"; }; "jam-circle.de" = { net = "priv4"; };
@ -1059,9 +1052,12 @@
pub.type = "bridge"; pub.type = "bridge";
}; };
links = { links = {
priv22.ports = [ "lan:2" "lan:3" "lan:4" ]; priv22 = {
ap70.ports = [ "lan:1" ]; ports = [ "lan:1" "lan:2" "lan:3" "lan:4" ];
switch-b3.ports = [ "wan" ]; };
switch-b3 = {
ports = [ "wan" ];
};
}; };
location = "B4.01"; location = "B4.01";
model = "tplink_archer-c7-v5"; model = "tplink_archer-c7-v5";
@ -1077,7 +1073,7 @@
}; };
"platform/ahb/18100000.wmac" = { "platform/ahb/18100000.wmac" = {
channel = 6; channel = 6;
htmode = "HT20"; htmode = "HT40-";
ssids = { ssids = {
"M legacy" = { net = "priv22"; }; "M legacy" = { net = "priv22"; };
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
@ -1117,7 +1113,7 @@
}; };
"platform/ahb/18100000.wmac" = { "platform/ahb/18100000.wmac" = {
channel = 6; channel = 6;
htmode = "HT20"; htmode = "HT40-";
ssids = { ssids = {
Walter = { net = "priv26"; }; Walter = { net = "priv26"; };
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
@ -1136,8 +1132,8 @@
pub.type = "bridge"; pub.type = "bridge";
}; };
links = { links = {
# ap21.ports = [ "lan:3" ]; ap21.ports = [ "lan:3" ];
priv4.ports = [ "lan:1" "lan:2" "lan:3" "lan:4" ]; priv4.ports = [ "lan:1" "lan:2" "lan:4" ];
switch-b3.ports = [ "wan" ]; switch-b3.ports = [ "wan" ];
}; };
location = "Dresden School of Lindy Hop"; location = "Dresden School of Lindy Hop";
@ -1146,7 +1142,7 @@
wifi = { wifi = {
"pci0000:00/0000:00:00.0" = { "pci0000:00/0000:00:00.0" = {
channel = 128; channel = 128;
htmode = "HT20"; htmode = "HT40+";
ssids = { ssids = {
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
"jam-circle.de" = { net = "priv4"; }; "jam-circle.de" = { net = "priv4"; };
@ -1154,7 +1150,7 @@
}; };
"platform/ahb/18100000.wmac" = { "platform/ahb/18100000.wmac" = {
channel = 11; channel = 11;
htmode = "HT20"; htmode = "HT40-";
ssids = { ssids = {
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
"jam-circle.de legacy" = { net = "priv4"; }; "jam-circle.de legacy" = { net = "priv4"; };
@ -1411,7 +1407,7 @@
wifi = { wifi = {
"platform/ahb/18100000.wmac" = { "platform/ahb/18100000.wmac" = {
channel = 1; channel = 1;
htmode = "HT20"; htmode = "HT40+";
ssids = { ssids = {
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
"verbalwerk.de" = { net = "priv5"; }; "verbalwerk.de" = { net = "priv5"; };
@ -1490,7 +1486,7 @@
}; };
"platform/ahb/18100000.wmac" = { "platform/ahb/18100000.wmac" = {
channel = 9; channel = 9;
htmode = "HT20"; htmode = "HT40+";
ssids = { ssids = {
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
antrares = { net = "priv17"; }; antrares = { net = "priv17"; };
@ -1559,7 +1555,7 @@
wifi = { wifi = {
"platform/qca953x_wmac" = { "platform/qca953x_wmac" = {
channel = 9; channel = 9;
htmode = "HT20"; htmode = "HT40+";
ssids = { ssids = {
"Karen Koschnick" = { net = "priv11"; }; "Karen Koschnick" = { net = "priv11"; };
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
@ -1585,13 +1581,13 @@
ports = [ "wan" ]; ports = [ "wan" ];
}; };
}; };
location = "Removed"; location = "B1.05.02";
model = "tplink_archer-c7-v5"; model = "tplink_archer-c7-v5";
role = "ap"; role = "ap";
wifi = { wifi = {
"pci0000:00/0000:00:00.0" = { "pci0000:00/0000:00:00.0" = {
channel = 128; channel = 128;
htmode = "HT20"; htmode = "HT40+";
ssids = { ssids = {
Abyssinia = { net = "priv35"; }; Abyssinia = { net = "priv35"; };
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
@ -1599,7 +1595,7 @@
}; };
"platform/ahb/18100000.wmac" = { "platform/ahb/18100000.wmac" = {
channel = 1; channel = 1;
htmode = "HT20"; htmode = "HT40+";
ssids = { ssids = {
Abyssinia = { net = "priv35"; }; Abyssinia = { net = "priv35"; };
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
@ -1708,12 +1704,9 @@
wifi = { wifi = {
"pci0000:00/0000:00:00.0" = { "pci0000:00/0000:00:00.0" = {
channel = 100; channel = 100;
htmode = "HT40"; htmode = "VHT80";
ssids = { ssids = {
"Zentralwerk" = { "Zentralwerk" = { net = "roof"; };
net = "roof";
disassocLowAck = false;
};
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
}; };
}; };
@ -1806,7 +1799,7 @@
}; };
"platform/ahb/18100000.wmac" = { "platform/ahb/18100000.wmac" = {
channel = 6; channel = 6;
htmode = "HT20"; htmode = "HT40-";
ssids = { ssids = {
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
"Ebs 2000" = { net = "priv21"; }; "Ebs 2000" = { net = "priv21"; };
@ -1837,7 +1830,7 @@
wifi = { wifi = {
"platform/qca953x_wmac" = { "platform/qca953x_wmac" = {
channel = 13; channel = 13;
htmode = "HT20"; htmode = "HT40-";
ssids = { "ZW public" = { net = "pub"; }; }; ssids = { "ZW public" = { net = "pub"; }; };
}; };
}; };
@ -1866,7 +1859,7 @@
wifi = { wifi = {
"pci0000:00/0000:00:00.0" = { "pci0000:00/0000:00:00.0" = {
channel = 128; channel = 128;
htmode = "HT20"; htmode = "HT40+";
ssids = { ssids = {
Abyssinia = { net = "priv35"; }; Abyssinia = { net = "priv35"; };
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
@ -1874,7 +1867,7 @@
}; };
"platform/ahb/18100000.wmac" = { "platform/ahb/18100000.wmac" = {
channel = 1; channel = 1;
htmode = "HT20"; htmode = "HT40+";
ssids = { ssids = {
Abyssinia = { net = "priv35"; }; Abyssinia = { net = "priv35"; };
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
@ -1902,7 +1895,7 @@
wifi = { wifi = {
"pci0000:00/0000:00:00.0" = { "pci0000:00/0000:00:00.0" = {
channel = 36; channel = 36;
htmode = "HT20"; htmode = "HT40+";
ssids = { ssids = {
tomiru = { net = "priv44"; }; tomiru = { net = "priv44"; };
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
@ -1910,7 +1903,7 @@
}; };
"platform/ahb/18100000.wmac" = { "platform/ahb/18100000.wmac" = {
channel = 1; channel = 1;
htmode = "HT20"; htmode = "HT40+";
ssids = { ssids = {
tomiru = { net = "priv44"; }; tomiru = { net = "priv44"; };
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
@ -1950,7 +1943,7 @@
}; };
"platform/ahb/18100000.wmac" = { "platform/ahb/18100000.wmac" = {
channel = 9; channel = 9;
htmode = "HT20"; htmode = "HT40+";
ssids = { ssids = {
"Wolke7 legacy" = { net = "priv45"; encryption = "wpa2"; }; "Wolke7 legacy" = { net = "priv45"; encryption = "wpa2"; };
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
@ -1982,7 +1975,7 @@
wifi = { wifi = {
"pci0000:00/0000:00:00.0" = { "pci0000:00/0000:00:00.0" = {
channel = 36; channel = 36;
htmode = "HT20"; htmode = "HT40+";
ssids = { ssids = {
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
EckiTino = { net = "priv7"; }; EckiTino = { net = "priv7"; };
@ -1990,7 +1983,7 @@
}; };
"platform/ahb/18100000.wmac" = { "platform/ahb/18100000.wmac" = {
channel = 9; channel = 9;
htmode = "HT20"; htmode = "HT40-";
ssids = { ssids = {
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
"EckiTino legacy" = { net = "priv7"; }; "EckiTino legacy" = { net = "priv7"; };
@ -1998,227 +1991,7 @@
}; };
}; };
}; };
ap64 = { ap64 = { };
interfaces = {
mgmt = {
gw4 = "mgmt-gw";
gw6 = "mgmt-gw";
type = "phys";
};
priv46.type = "bridge";
pub.type = "bridge";
};
links = {
priv46 = {
ports = [ "lan:1" "lan:2" "lan:3" "lan:4" ];
};
switch-b3 = {
ports = [ "wan" ];
};
};
location = "replaced by ap73";
model = "tplink_tl-wr1043nd-v2";
role = "ap";
wifi = {
"platform/ahb/18100000.wmac" = {
channel = 1;
htmode = "HT20";
ssids = {
"ZW public" = { net = "pub"; };
"Princess Castle" = { net = "priv46"; };
};
};
};
};
ap65 = {
interfaces = {
mgmt = {
gw4 = "mgmt-gw";
gw6 = "mgmt-gw";
type = "phys";
};
priv12.type = "bridge";
priv27.type = "bridge";
pub.type = "bridge";
};
links = {
switch-b3.ports = [ "lan" ];
};
location = "El Perro";
model = "ubnt_unifi-6-lite";
role = "ap";
wifi = {
"1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0" = {
channel = 6;
htmode = "HT20";
ssids = {
"ZW public".net = "pub";
"farbwerk".net = "priv12";
"Kaffeetasse".net = "priv27";
};
};
"1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0" = {
channel = 149;
htmode = "VHT80";
ssids = {
"ZW public".net = "pub";
"farbwerk".net = "priv12";
};
};
};
};
ap66 = {
interfaces = {
priv48.type = "bridge";
mgmt = {
gw4 = "mgmt-gw";
gw6 = "mgmt-gw";
type = "phys";
};
pub.type = "bridge";
};
links = {
priv48.ports = [ "lan:1" "lan:2" "lan:3" "lan:4" ];
switch-b3.ports = [ "wan" ];
};
location = "B 4.03.01";
model = "tplink_archer-c7-v5";
role = "ap";
wifi = {
"pci0000:00/0000:00:00.0" = {
channel = 36;
htmode = "VHT80";
ssids = {
"Buschfunk4.03" = { net = "priv48"; };
"ZW public" = { net = "pub"; };
};
};
"platform/ahb/18100000.wmac" = {
channel = 9;
htmode = "HT20";
ssids = {
"Buschfunk4.03 legacy" = { net = "priv48"; };
"ZW public" = { net = "pub"; };
};
};
};
};
ap67 = {
interfaces = {
mgmt = {
gw4 = "mgmt-gw";
gw6 = "mgmt-gw";
type = "phys";
};
priv12.type = "bridge";
pub.type = "bridge";
};
links = {
priv12.ports = [
"lan1" "lan2" "lan3"
];
switch-b3.ports = [ "wan" ];
};
location = "Farbwerk";
model = "zyxel_wsm20";
role = "ap";
wifi = {
"1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0" = {
channel = 6;
htmode = "HT20";
ssids = {
"ZW public" = { net = "pub"; };
farbwerk = { net = "priv12"; };
};
};
"1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1" = {
channel = 149;
htmode = "VHT80";
ssids = {
"ZW public" = { net = "pub"; };
farbwerk = { net = "priv12"; };
};
};
};
};
ap68 = {
interfaces = {
mgmt = {
gw4 = "mgmt-gw";
gw6 = "mgmt-gw";
type = "phys";
};
priv12.type = "bridge";
pub.type = "bridge";
};
links = {
priv12.ports = [
"lan1" "lan2" "lan3"
];
switch-b3.ports = [ "wan" ];
};
location = "Farbwerk";
model = "zyxel_wsm20";
role = "ap";
wifi = {
"1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0" = {
channel = 1;
htmode = "HT20";
ssids = {
"ZW public" = { net = "pub"; };
farbwerk = { net = "priv12"; };
};
};
"1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1" = {
channel = 36;
htmode = "VHT80";
ssids = {
"ZW public" = { net = "pub"; };
farbwerk = { net = "priv12"; };
};
};
};
};
ap69 = {
interfaces = {
mgmt = {
gw4 = "mgmt-gw";
gw6 = "mgmt-gw";
type = "phys";
};
priv43.type = "bridge";
pub.type = "bridge";
};
links = {
priv43 = {
ports = [ "lan" ];
};
switch-b3 = {
ports = [ "wan" ];
};
};
location = "B.01.B01";
model = "tplink_archer-c7-v2";
role = "ap";
wifi = {
"pci0000:00/0000:00:00.0" = {
channel = 36;
htmode = "HT40+";
ssids = {
"ZW public".net = "pub";
"LIZA".net = "priv43";
};
};
"platform/ahb/18100000.wmac" = {
channel = 1;
htmode = "HT20";
ssids = {
"ZW public".net = "pub";
"LIZA".net = "priv43";
};
};
};
};
ap7 = { ap7 = {
interfaces = { interfaces = {
mgmt = { mgmt = {
@ -2243,7 +2016,7 @@
wifi = { wifi = {
"platform/qca953x_wmac" = { "platform/qca953x_wmac" = {
channel = 1; channel = 1;
htmode = "HT20"; htmode = "HT40+";
ssids = { ssids = {
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
mino = { net = "priv40"; }; mino = { net = "priv40"; };
@ -2251,137 +2024,6 @@
}; };
}; };
}; };
ap70 = {
interfaces = {
mgmt = {
gw4 = "mgmt-gw";
gw6 = "mgmt-gw";
type = "phys";
};
priv22.type = "bridge";
pub.type = "bridge";
};
links = {
priv22.ports = [ "lan" ];
ap40.ports = [ "wan" ];
};
location = "B4.01 behind ap40";
model = "tplink_archer-c7-v2";
role = "ap";
wifi = {
"pci0000:00/0000:00:00.0" = {
channel = 149;
htmode = "HT40+";
ssids = {
"ZW public".net = "pub";
M.net = "priv22";
};
};
"platform/ahb/18100000.wmac" = {
channel = 9;
htmode = "HT20";
ssids = {
"ZW public".net = "pub";
"M legacy".net = "priv22";
};
};
};
};
ap71 = {
interfaces = {
mgmt = {
gw4 = "mgmt-gw";
gw6 = "mgmt-gw";
type = "phys";
};
priv22.type = "bridge";
pub.type = "bridge";
};
links = {
priv22.ports = [ "eth1" "eth2" ];
ap40.ports = [ "eth0" ];
};
location = "B4.01 behind ap40";
model = "ubnt_unifi-usg";
role = "ap";
# No WiFi, splits just VLANs
};
ap72 = {
interfaces = {
mgmt = {
gw4 = "mgmt-gw";
gw6 = "mgmt-gw";
type = "phys";
};
priv12.type = "bridge";
pub.type = "bridge";
};
links = {
priv12.ports = [
"lan1" "lan2" "lan3"
];
switch-b3.ports = [ "wan" ];
};
location = "B1.05.02 (Patchpanel B12)";
model = "zyxel_wsm20";
role = "ap";
wifi = {
"1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0" = {
channel = 1;
htmode = "HT20";
ssids = {
"ZW public" = { net = "pub"; };
farbwerk = { net = "priv12"; };
};
};
"1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1" = {
channel = 36;
htmode = "VHT80";
ssids = {
"ZW public" = { net = "pub"; };
farbwerk = { net = "priv12"; };
};
};
};
};
ap73 = {
interfaces = {
mgmt = {
gw4 = "mgmt-gw";
gw6 = "mgmt-gw";
type = "phys";
};
priv46.type = "bridge";
pub.type = "bridge";
};
links = {
priv46.ports = [
"lan1" "lan2" "lan3"
];
switch-b3.ports = [ "wan" ];
};
location = "B4.07";
model = "zyxel_wsm20";
role = "ap";
wifi = {
"1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0" = {
channel = 1;
htmode = "HT20";
ssids = {
"ZW public" = { net = "pub"; };
"Princess Castle" = { net = "priv46"; };
};
};
"1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1" = {
channel = 36;
htmode = "VHT80";
ssids = {
"ZW public" = { net = "pub"; };
"Princess Castle" = { net = "priv46"; };
};
};
};
};
ap8 = { ap8 = {
interfaces = { interfaces = {
c3d2.type = "bridge"; c3d2.type = "bridge";
@ -2395,10 +2037,7 @@
}; };
links = { links = {
c3d2 = { c3d2 = {
ports = [ "lan:3" "lan:4" ]; ports = [ "lan:1" "lan:2" "lan:3" "lan:4" ];
};
priv23 = {
ports = [ "lan:2" ];
}; };
switch-b3 = { switch-b3 = {
ports = [ "wan" ]; ports = [ "wan" ];
@ -2410,7 +2049,7 @@
wifi = { wifi = {
"pci0000:00/0000:00:00.0" = { "pci0000:00/0000:00:00.0" = {
channel = 36; channel = 36;
htmode = "HT20"; htmode = "HT40+";
ssids = { ssids = {
C3D2 = { net = "c3d2"; }; C3D2 = { net = "c3d2"; };
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
@ -2418,7 +2057,7 @@
}; };
"platform/ar934x_wmac" = { "platform/ar934x_wmac" = {
channel = 13; channel = 13;
htmode = "HT20"; htmode = "HT40-";
ssids = { ssids = {
"C3D2 legacy" = { net = "c3d2"; }; "C3D2 legacy" = { net = "c3d2"; };
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
@ -2451,7 +2090,7 @@
wifi = { wifi = {
"platform/qca953x_wmac" = { "platform/qca953x_wmac" = {
channel = 1; channel = 1;
htmode = "HT20"; htmode = "HT40+";
ssids = { ssids = {
Herzzbuehne = { net = "priv16"; }; Herzzbuehne = { net = "priv16"; };
"ZW public" = { net = "pub"; }; "ZW public" = { net = "pub"; };
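Review bot: On the new side of the `@ -60,15 +60,15 @@` hunk, `"iz-dresden.org" = { net = "priv15"; };` drops the `encryption = "wpa2";` attribute the old side carried, and the same happens for `"Studio 01127"`/`Walter` in `@ -259,15 +262,15 @@` and `farbwerk` in `@ -428,20 +425,23 @@`, while `"Wolke7 legacy"` in `@ -1950,7 +1943,7 @@` keeps it. What a private-net SSID gets without an explicit `encryption` is decided by the site module, which is not visible here; if that default is open, these tenant networks would be served unencrypted. Either keep `encryption = "wpa2";` on each private-net SSID or state the intent with a comment such as `# encryption is inherited from the per-net default in the site module`. Since "No commits in common" suggests the bgp branch is simply behind master, this may be stale history rather than a deliberate change, but the compare direction presents it as the new state. The enclosing attribute set starts before the first hunk and continues after the last.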


@ -18,4 +18,7 @@ in
# IP networks # IP networks
++ lib.filesystem.listFilesRecursive ./net; ++ lib.filesystem.listFilesRecursive ./net;
site.net-combined = concatMapAttrsRecursive (name: value: { inherit (value) hosts4 hosts6; }) config.site.net;
site.bgp.asn = 4242421127;
} }
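Review bot: `site.bgp.asn = 4242421127;` is a bare literal with no comment; it appears to be a dn42-range private ASN, but a reader cannot tell that, nor what else has to agree with it, from the number alone. Suggest `# dn42 private ASN (4242420000-4242423999); peers must be configured with the same value` above it. `site.net-combined` likewise deserves a one-line comment saying it is derived from the `hosts4`/`hosts6` of every `config.site.net` entry; what `concatMapAttrsRecursive` does with them is defined outside this hunk. The enclosing `let … in` block starts outside the hunk.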


@ -1,78 +1,75 @@
{ lib, ... }: { config, lib, ... }:
{ {
site.net.c3d2 = { site.net.c3d2 = {
dhcp = { dhcp = {
server = "c3d2-gw3"; server = "c3d2-gw3";
start = "172.22.99.100"; start = "172.22.99.60";
end = "172.22.99.199"; end = "172.22.99.199";
fixed-hosts = { fixed-hosts = {
"172.22.99.96" = "08:00:27:bb:8c:b3"; "172.22.99.96" = "08:00:27:bb:8c:b3";
"172.22.99.98" = "08:00:27:aa:90:e2"; "172.22.99.98" = "08:00:27:aa:90:e2";
# "astrom" = "aa:00:5b:08:f0:5c"; # "astrom.hq.c3d2.de" = "aa:00:5b:08:f0:5c";
# "astron" = "aa:00:5b:08:f0:5b"; # "astron.hq.c3d2.de" = "aa:00:5b:08:f0:5b";
# "batman" = "5c:cf:7f:c0:05:28"; # "batman.hq.c3d2.de" = "5c:cf:7f:c0:05:28";
# "beere" = "b8:27:eb:ac:65:d2"; # "beere.hq.c3d2.de" = "b8:27:eb:ac:65:d2";
# "beere2" = "b8:27:eb:53:0b:27"; # "beere2.hq.c3d2.de" = "b8:27:eb:53:0b:27";
# "bender.hq.c3de.de" = "00:23:df:7e:c8:0a"; # "bender.hq.c3de.de" = "00:23:df:7e:c8:0a";
# "cider" = "00:0d:93:75:ee:fa"; # "cider.hq.c3d2.de" = "00:0d:93:75:ee:fa";
"dacbert" = "dc:a6:32:e0:46:bf"; "dacbert.hq.c3d2.de" = "dc:a6:32:e0:46:bf";
"dn42" = "aa:00:42:7a:32:46"; "dn42.hq.c3d2.de" = "aa:00:42:7a:32:46";
# "drucker" = "00:23:c3:d2:12:0f"; "drucker.hq.c3d2.de" = "00:23:c3:d2:12:0f";
# "feile" = "aa:00:5b:12:c1:f7"; # "feile.hq.c3d2.de" = "aa:00:5b:12:c1:f7";
# "fernandopoo" = "aa:00:f7:52:85:27"; # "fernandopoo.hq.c3d2.de" = "aa:00:f7:52:85:27";
# "fhem" = "b8:27:eb:9e:8b:db"; # "fhem.hq.c3d2.de" = "b8:27:eb:9e:8b:db";
# "git" = "aa:00:47:d8:57:10"; # "git.hq.c3d2.de" = "aa:00:47:d8:57:10";
"glotzbert" = "90:1b:0e:88:da:0a"; "glotzbert.hq.c3d2.de" = "ec:a8:6b:fe:b4:cb";
# "wled-nix-snowflake" = "44:17:93:10:77:e8"; # "icq.hq.c3d2.de" = "aa:00:30:f6:27:89";
# "wled-fairy-dust" = "3c:61:05:e3:2f:ad"; # "jabber1.hq.c3d2.de" = "aa:00:0b:19:8f:14";
# "wled-warnbert" = "3c:61:05:fc:21:37"; # "jabber2.hq.c3d2.de" = "aa:00:3d:6a:23:b8";
# "wled-matrix" = "e8:db:84:e4:f4:30"; # "knot.hq.c3d2.de" = "52:54:cf:fd:ce:3f";
# "ledball1" = "b8:27:eb:53:0b:27"; # "ledball1.hq.c3d2.de" = "b8:27:eb:53:0b:27";
# Beleuchtungskiste auf Traverse über Fernseher # "ledbeere.hq.c3d2.de" = "b8:27:eb:60:99:59";
# "ledbeere" = "b8:27:eb:60:99:59"; # "leviathan.hq.c3d2.de" = "00:ff:08:31:db:e5";
# "leviathan" = "00:ff:08:31:db:e5"; # "lisbeth.hq.c3d2.de" = "b8:27:eb:a5:ee:5c";
# "lisbeth" = "b8:27:eb:a5:ee:5c"; # "marenz-build.hq.c3d2.de" = "44:1e:a1:59:2e:e8";
# "marenz-build" = "44:1e:a1:59:2e:e8"; "matemat.hq.c3d2.de" = "a2:1b:7c:e8:19:72";
# "matemat" = "a2:1b:7c:e8:19:72"; # "minecraft.hq.c3d2.de" = "4a:57:d3:64:fe:e9";
# "minecraft" = "4a:57:d3:64:fe:e9"; # "moleflap.hq.c3d2.de" = "aa:00:0d:b1:6c:67";
# "moleflap" = "aa:00:0d:b1:6c:67"; # "monit.hq.c3d2.de" = "00:23:ae:94:e7:19";
# "monit" = "00:23:ae:94:e7:19"; "public-access-proxy.hq.c3d2.de" = "12:24:5f:bd:9b:e7";
"pipebert" = "ec:a8:6b:fe:b4:cb"; "pulsebert.hq.c3d2.de" = "b8:27:eb:16:31:61";
# "public-access-proxy" = "12:24:5f:bd:9b:e7"; # "ruststripe1.hq.c3d2.de" = "06:32:0e:39:21:69";
"pulsebert" = "b8:27:eb:16:31:61"; "schalter.hq.c3d2.de" = "b8:27:eb:4c:be:ff";
# "ruststripe1" = "06:32:0e:39:21:69"; # "semanta.hq.c3d2.de" = "00:ff:e4:bb:ea:2a";
"schalter" = "b8:27:eb:ac:65:d2"; # "server2.hq.c3d2.de" = "d0:67:e5:f3:57:10";
# "semanta" = "00:ff:e4:bb:ea:2a"; # "server3.hq.c3d2.de" = "e4:1f:13:2e:4f:c0";
# "server2" = "d0:67:e5:f3:57:10"; # "server4.hq.c3d2.de" = "00:9c:02:a9:26:01";
# "server3" = "e4:1f:13:2e:4f:c0"; # "sharing.hq.c3d2.de" = "00:23:c3:d2:75:18";
# "server4" = "00:9c:02:a9:26:01"; # "sofafon.hq.c3d2.de" = "b8:27:eb:23:8d:01";
# "sharing" = "00:23:c3:d2:75:18"; # "storage2.hq.c3d2.de" = "42:5e:0f:4e:f3:cc";
# "sofafon" = "b8:27:eb:23:8d:01"; # "ustriper.hq.c3d2.de" = "aa:bb:95:33:bb:aa";
# "storage2" = "42:5e:0f:4e:f3:cc"; # "wiefelspuetz.hq.c3d2.de" = "aa:00:7f:01:8a:d0";
# "ustriper" = "aa:bb:95:33:bb:aa"; # "wormhole.hq.c3d2.de" = "00:23:c3:d2:00:76";
# "wiefelspuetz" = "aa:00:7f:01:8a:d0"; # "www1.hq.c3d2.de" = "aa:00:13:8b:03:47";
# "wormhole" = "00:23:c3:d2:00:76"; "riscbert.hq.c3d2.de" = "6c:cf:39:00:05:95";
# "www1" = "aa:00:13:8b:03:47";
# "riscbert" = "6c:cf:39:00:05:95";
}; };
time = 300; time = 86400;
max-time = 30 * 24 * 3600; max-time = 2592000;
router = "c3d2-gw3"; router = "c3d2-gw3";
}; };
domainName = "c3d2.zentralwerk.org"; domainName = "c3d2.zentralwerk.org";
dynamicDomain = true; dynamicDomain = true;
subnet4 = "172.22.99.0/24"; subnet4 = "172.22.99.0/24";
hosts4 = { hosts4 = {
bgp = "172.22.99.250";
c3d2-anon = "172.22.99.1"; c3d2-anon = "172.22.99.1";
c3d2-gw1 = "172.22.99.2"; c3d2-gw1 = "172.22.99.2";
c3d2-gw2 = "172.22.99.3"; c3d2-gw2 = "172.22.99.3";
c3d2-gw3 = "172.22.99.4"; c3d2-gw3 = "172.22.99.4";
dacbert = "172.22.99.203"; dacbert = "172.22.99.203";
schalter = "172.22.99.204";
glotzbert = "172.22.99.205"; glotzbert = "172.22.99.205";
pulsebert = "172.22.99.208"; pulsebert = "172.22.99.208";
pipebert = "172.22.99.209";
bgp = "172.22.99.250";
dn42 = "172.22.99.253"; dn42 = "172.22.99.253";
}; };
ipv6Router = "c3d2-gw3"; ipv6Router = "c3d2-gw3";
@ -89,7 +86,6 @@
c3d2-gw1 = "2a00:8180:2c00:223::c3d2:2"; c3d2-gw1 = "2a00:8180:2c00:223::c3d2:2";
c3d2-gw2 = "2a00:8180:2c00:223::c3d2:3"; c3d2-gw2 = "2a00:8180:2c00:223::c3d2:3";
c3d2-gw3 = "2a00:8180:2c00:223::c3d2:4"; c3d2-gw3 = "2a00:8180:2c00:223::c3d2:4";
pipebert = "2a00:8180:2c00:223:eea8:6bff:fefe:b4cb";
}; };
subnets6 = { subnets6 = {
dn42 = "fd23:42:c3d2:523::/64"; dn42 = "fd23:42:c3d2:523::/64";
@ -113,28 +109,34 @@
c3d2.hwaddr = "0A:14:48:01:07:05"; c3d2.hwaddr = "0A:14:48:01:07:05";
core.hwaddr = "0A:14:48:01:07:04"; core.hwaddr = "0A:14:48:01:07:04";
}; };
ospf.allowedUpstreams = [ "anon1" "freifunk" ]; bgp.allowedUpstreams = [ "anon1" "freifunk" ];
}; };
c3d2-gw1 = makeGateway { c3d2-gw1 = makeGateway {
interfaces = { interfaces = {
c3d2.hwaddr = "0A:14:48:01:21:01"; c3d2.hwaddr = "0A:14:48:01:21:01";
core.hwaddr = "0A:14:48:01:21:00"; core.hwaddr = "0A:14:48:01:21:00";
}; };
ospf.allowedUpstreams = [ "flpk-gw" "freifunk" "upstream4" "upstream3" "anon1" ]; bgp.allowedUpstreams = [ "flpk-gw" "freifunk" "upstream4" "upstream3" "anon1" ];
}; };
c3d2-gw2 = makeGateway { c3d2-gw2 = makeGateway {
interfaces = { interfaces = {
c3d2.hwaddr = "0A:14:48:01:21:03"; c3d2.hwaddr = "0A:14:48:01:21:03";
core.hwaddr = "0A:14:48:01:21:02"; core.hwaddr = "0A:14:48:01:21:02";
}; };
ospf.allowedUpstreams = [ "upstream3" "upstream4" "anon1" "freifunk" ]; bgp.allowedUpstreams = [ "upstream3" "upstream4" "anon1" "freifunk" ];
}; };
c3d2-gw3 = makeGateway { c3d2-gw3 = makeGateway {
interfaces = { interfaces = {
c3d2.hwaddr = "0A:14:48:01:21:05"; c3d2.hwaddr = "0A:14:48:01:21:05";
core.hwaddr = "0A:14:48:01:21:04"; core.hwaddr = "0A:14:48:01:21:04";
}; };
ospf.allowedUpstreams = [ "upstream4" "upstream3" "anon1" "freifunk" ]; bgp = {
peers.${config.site.net.core.hosts6.dn42.bgp} = {
type = "rr_client";
name = "rr";
};
allowedUpstreams = [ "upstream4" "upstream3" "anon1" "freifunk" ];
};
}; };
}; };
} }


@ -1,47 +0,0 @@
{
site.net.c3d2iot = {
dhcp = {
start = "10.22.0.2";
end = "10.22.255.253";
router = "iot-gw";
server = "iot-gw";
# devices don't often change and a missing DNS record causes trouble
time = 3600;
max-time = 24 * 3600;
};
dynamicDomain = true;
domainName = "c3d2iot.zentralwerk.org";
hosts4 = {
iot-gw = "10.22.0.1";
};
hosts6 = {
dn42 = {
iot-gw = "fd23:42:c3d2:587:ffff:ffff:ffff:ffff";
};
};
subnet4 = "10.22.0.0/16";
subnets6 = {
dn42 = "fd23:42:c3d2:587::/64";
up4 = "2a00:8180:2c00:287::/64";
};
};
site.hosts.iot-gw = {
# TODO: needs to be done more granular, aka allow c3d2 and serv network
# firewall.enable = true;
interfaces = {
core = {
hwaddr = "0A:22:48:01:24:01";
type = "veth";
};
c3d2iot = {
hwaddr = "0A:22:48:01:24:00";
type = "veth";
};
};
ospf = {
allowedUpstreams = [ "upstream4" "upstream3" "anon1" ];
};
role = "container";
};
}


@ -1,4 +1,4 @@
{ lib, ... }: { config, lib, ... }:
let let
cephMonServers = [ "server5" "server6" "server8" ]; cephMonServers = [ "server5" "server6" "server8" ];
in in
@ -7,15 +7,8 @@ in
ipv6Router = "cls-gw"; ipv6Router = "cls-gw";
domainName = "cluster.zentralwerk.org"; domainName = "cluster.zentralwerk.org";
extraRecords = map (host: { extraRecords = map (host: {
data = { data = "1 1 6789 ${host}";
service = "ceph-mon"; name = "_ceph-mon._tcp";
proto = "tcp";
priority = 1;
weight = 1;
port = 6789;
target = host;
};
name = "@";
type = "SRV"; type = "SRV";
}) cephMonServers }) cephMonServers
++ ++
@ -144,7 +137,6 @@ in
"mgmt" "mgmt"
"serv" "serv"
"c3d2" "c3d2"
"c3d2iot"
"pub" "pub"
"priv23" "priv23"
"priv31" "priv31"
@ -166,7 +158,13 @@ in
type = "veth"; type = "veth";
}; };
}; };
ospf.allowedUpstreams = [ "upstream4" "upstream3" "anon1" "freifunk" ]; bgp = {
peers.${config.site.net.core.hosts6.dn42.bgp} = {
type = "rr_client";
name = "rr";
};
allowedUpstreams = [ "upstream4" "upstream3" "anon1" "freifunk" ];
};
}; };
server3 = makeServer; server3 = makeServer;
server5 = makeServer; server5 = makeServer;
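Review bot: The `rr_client` peer added for `cls-gw` (`peers.${config.site.net.core.hosts6.dn42.bgp} = { type = "rr_client"; name = "rr"; }`) carries nothing that authenticates the session, and as an iBGP client it will install whatever the reflector sends, so any route injected on the reflector side reaches the cluster gateway unfiltered. If the bgp module exposes a session password or TCP-MD5/TCP-AO option, setting it here (and on the `rr_server` side) is worth doing before the OSPF path is dropped; if it does not, a comment such as `# NOTE: unauthenticated iBGP session; trusts every host on the core link` would at least record the assumption. The `cls-gw` host definition that this `bgp` block belongs to starts outside the hunk.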


@ -1,38 +0,0 @@
{
site.net.coloradio = {
domainName = "coloradio.zentralwerk.org";
subnet4 = "192.168.9.0/24";
hosts4 = {
coloradio-gw = "192.168.9.1";
coloradio-in = "192.168.9.2";
};
ipv6Router = "coloradio-gw";
subnets6.dn42 = "fd23:42:c3d2:590::/64";
hosts6.dn42 = {
coloradio-gw = "fd23:42:c3d2:590::1";
};
};
site.hosts = {
coloradio-gw = {
role = "container";
interfaces = {
core = {
type = "veth";
hwaddr = "0A:14:48:01:06:08";
gw4 = null;
gw6 = null;
};
coloradio = {
type = "veth";
hwaddr = "0A:14:48:01:06:09";
gw4 = null;
gw6 = null;
};
};
ospf.allowedUpstreams =
[ "upstream4" "upstream3" "freifunk" ];
};
};
}


@ -1,3 +1,5 @@
{ config, lib, ... }:
{ {
site.net.core = { site.net.core = {
domainName = "core.zentralwerk.org"; domainName = "core.zentralwerk.org";
@ -52,10 +54,6 @@
priv43-gw = "172.20.72.68"; priv43-gw = "172.20.72.68";
priv44-gw = "172.20.72.70"; priv44-gw = "172.20.72.70";
priv45-gw = "172.20.72.72"; priv45-gw = "172.20.72.72";
priv46-gw = "172.20.72.73";
priv47-gw = "172.20.72.74";
priv48-gw = "172.20.72.75";
priv49-gw = "172.20.72.76";
priv5-gw = "172.20.72.15"; priv5-gw = "172.20.72.15";
priv6-gw = "172.20.72.16"; priv6-gw = "172.20.72.16";
priv7-gw = "172.20.72.17"; priv7-gw = "172.20.72.17";
@ -71,10 +69,9 @@
server8 = "172.20.72.58"; server8 = "172.20.72.58";
upstream3 = "172.20.72.11"; upstream3 = "172.20.72.11";
upstream4 = "172.20.72.12"; upstream4 = "172.20.72.12";
coloradio-gw = "172.20.72.62"; # unused = "172.20.72.62";
vpn-gw = "172.20.72.69"; vpn-gw = "172.20.72.69";
flpk-gw = "172.20.72.71"; flpk-gw = "172.20.72.71";
iot-gw = "172.20.72.77";
}; };
hosts6 = { hosts6 = {
dn42 = { dn42 = {
@ -84,10 +81,8 @@
c3d2-gw1 = "fd23:42:c3d2:581::c3d2:1"; c3d2-gw1 = "fd23:42:c3d2:581::c3d2:1";
c3d2-gw2 = "fd23:42:c3d2:581::c3d2:2"; c3d2-gw2 = "fd23:42:c3d2:581::c3d2:2";
c3d2-gw3 = "fd23:42:c3d2:581::c3d2:3"; c3d2-gw3 = "fd23:42:c3d2:581::c3d2:3";
cls-gw = "fd23:42:c3d2:581::c3d2:4";
freifunk = "fd23:42:c3d2:581:8000::1"; freifunk = "fd23:42:c3d2:581:8000::1";
mgmt-gw = "fd23:42:c3d2:581::8:3"; mgmt-gw = "fd23:42:c3d2:581::8:3";
iot-gw = "fd23:42:c3d2:581::8:7";
priv1-gw = "fd23:42:c3d2:581::c:0"; priv1-gw = "fd23:42:c3d2:581::c:0";
priv10-gw = "fd23:42:c3d2:581::c:9"; priv10-gw = "fd23:42:c3d2:581::c:9";
priv11-gw = "fd23:42:c3d2:581::c:a"; priv11-gw = "fd23:42:c3d2:581::c:a";
@ -128,10 +123,6 @@
priv43-gw = "fd23:42:c3d2:581::c:2a"; priv43-gw = "fd23:42:c3d2:581::c:2a";
priv44-gw = "fd23:42:c3d2:581::c:2b"; priv44-gw = "fd23:42:c3d2:581::c:2b";
priv45-gw = "fd23:42:c3d2:581::c:2c"; priv45-gw = "fd23:42:c3d2:581::c:2c";
priv46-gw = "fd23:42:c3d2:581::c:2d";
priv47-gw = "fd23:42:c3d2:581::c:2e";
priv48-gw = "fd23:42:c3d2:581::c:2f";
priv49-gw = "fd23:42:c3d2:581::c:30";
priv5-gw = "fd23:42:c3d2:581::c:4"; priv5-gw = "fd23:42:c3d2:581::c:4";
priv6-gw = "fd23:42:c3d2:581::c:5"; priv6-gw = "fd23:42:c3d2:581::c:5";
priv7-gw = "fd23:42:c3d2:581::c:6"; priv7-gw = "fd23:42:c3d2:581::c:6";
@ -142,7 +133,7 @@
upstream3 = "fd23:42:c3d2:581::b:2"; upstream3 = "fd23:42:c3d2:581::b:2";
upstream4 = "fd23:42:c3d2:581::b:3"; upstream4 = "fd23:42:c3d2:581::b:3";
vpn-gw = "fd23:42:c3d2:581:9001::1"; vpn-gw = "fd23:42:c3d2:581:9001::1";
coloradio-gw = "fd23:42:c3d2:581:9009::1"; flpk-gw = "fd23:42:c3d2:581:9002::1";
}; };
up4 = { up4 = {
anon1 = "2a00:8180:2c00:281::9:1"; anon1 = "2a00:8180:2c00:281::9:1";
@ -154,7 +145,6 @@
cls-gw = "2a00:8180:2c00:281::8:4"; cls-gw = "2a00:8180:2c00:281::8:4";
freifunk = "2a00:8180:2c00:281:8000::1"; freifunk = "2a00:8180:2c00:281:8000::1";
mgmt-gw = "2a00:8180:2c00:281::8:3"; mgmt-gw = "2a00:8180:2c00:281::8:3";
iot-gw = "2a00:8180:2c00:281::8:7";
priv1-gw = "2a00:8180:2c00:281::c:0"; priv1-gw = "2a00:8180:2c00:281::c:0";
priv10-gw = "2a00:8180:2c00:281::c:9"; priv10-gw = "2a00:8180:2c00:281::c:9";
priv11-gw = "2a00:8180:2c00:281::c:a"; priv11-gw = "2a00:8180:2c00:281::c:a";
@ -195,10 +185,6 @@
priv43-gw = "2a00:8180:2c00:281::c:2a"; priv43-gw = "2a00:8180:2c00:281::c:2a";
priv44-gw = "2a00:8180:2c00:281::c:2b"; priv44-gw = "2a00:8180:2c00:281::c:2b";
priv45-gw = "2a00:8180:2c00:281::c:2c"; priv45-gw = "2a00:8180:2c00:281::c:2c";
priv46-gw = "2a00:8180:2c00:281::c:2d";
priv47-gw = "2a00:8180:2c00:281::c:2e";
priv48-gw = "2a00:8180:2c00:281::c:2f";
priv49-gw = "2a00:8180:2c00:281::c:30";
priv5-gw = "2a00:8180:2c00:281::c:4"; priv5-gw = "2a00:8180:2c00:281::c:4";
priv6-gw = "2a00:8180:2c00:281::c:5"; priv6-gw = "2a00:8180:2c00:281::c:5";
priv7-gw = "2a00:8180:2c00:281::c:6"; priv7-gw = "2a00:8180:2c00:281::c:6";
@ -207,7 +193,6 @@
serv-gw = "2a00:8180:2c00:281::8:1"; serv-gw = "2a00:8180:2c00:281::8:1";
upstream4 = "2a00:8180:2c00:281::b:1"; upstream4 = "2a00:8180:2c00:281::b:1";
vpn-gw = "2a00:8180:2c00:281:9001::1"; vpn-gw = "2a00:8180:2c00:281:9001::1";
coloradio-gw = "2a00:8180:2c00:281:9009::1";
}; };
}; };
subnet4 = "172.20.72.0/25"; subnet4 = "172.20.72.0/25";
@ -217,15 +202,33 @@
}; };
}; };
site.hosts = { site.hosts = lib.mkMerge ([ {
bgp = { bgp = {
bgp = { bgp = {
asn = 4242421127;
peers = { peers = {
"172.22.99.253" = { asn = 64699; }; "172.22.99.253" = {
"fe80::a800:42ff:fe7a:3246%c3d2" = { asn = 64699; }; asn = 64699;
type = "external";
name = "dn42_4";
};
"fe80::a800:42ff:fe7a:3246%c3d2" = {
asn = 64699;
type = "external";
name = "dn42_6";
};
# ${config.site.net.core.subnet4} = {};
${config.site.net.core.subnets6.dn42} = {
type = "rr_server";
name = "rr";
};
}; };
# allowedUpstreams =
# [ "upstream4" "upstream3" "anon1" "freifunk" ];
nets4 = [ "172.20.0.0/14" "10.0.0.0/8" ];
nets6 =
[ "fd00::/8" "2a00:8180:2c00:200::/56" ];
}; };
role = "container";
interfaces = { interfaces = {
c3d2 = { c3d2 = {
hwaddr = "0A:14:48:01:22:01"; hwaddr = "0A:14:48:01:22:01";
@ -236,14 +239,21 @@
type = "veth"; type = "veth";
}; };
}; };
ospf = {
allowedUpstreams =
[ "upstream4" "upstream3" "anon1" "freifunk" ];
stubNets4 = [ "172.20.0.0/14" "10.0.0.0/8" ];
stubNets6 =
[ "fd00::/8" "2a00:8180:2c00:200::/56" ];
};
role = "container";
}; };
}; } ] ++ builtins.concatMap (hostName:
if hostName != "bgp"
# everyone in core peers with router "bgp"
then [ {
${hostName}.bgp = {
# peers.${config.site.net.core.hosts4.bgp} = {};
peers.${config.site.net.core.hosts6.dn42.bgp} = {
type = "rr_client";
name = "rr";
};
};
# TODO: upstreams
} ]
# except "bgp" itself :)
else []
) (builtins.attrNames config.site.net.core.hosts6.dn42));
} }
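Review bot: The route-reflector server entry `${config.site.net.core.subnets6.dn42} = { type = "rr_server"; name = "rr"; }` is keyed by the entire core dn42 /64 rather than by the clients' addresses, so — assuming the module turns a prefix key into a dynamic-neighbor range — any host or container on the core link can open an iBGP session and have its announcements reflected to every gateway, with no `asn` pin and no authentication attribute visible. The same router peers externally with AS 64699 (`dn42_4`/`dn42_6`) and lists `nets4 = [ "172.20.0.0/14" "10.0.0.0/8" ]` and `nets6 = [ "fd00::/8" "2a00:8180:2c00:200::/56" ]`, which are far wider than the site's own space; confirm the bgp module applies an export filter towards the external peers, otherwise all of `10/8` and `fd00::/8` would be announced into dn42. A comment next to `nets4` such as `# local aggregates for the reflector; must not be exported to dn42_4/dn42_6` would make that intent checkable. The `# TODO: upstreams` in the mkMerge loop also means the per-host upstream restriction formerly carried by `ospf.allowedUpstreams` now depends entirely on each host's own `bgp.allowedUpstreams`.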


@ -1,3 +1,5 @@
{ config, ... }:
{ {
site.net.flpk = { site.net.flpk = {
domainName = "flpk.zentralwerk.org"; domainName = "flpk.zentralwerk.org";
@ -7,31 +9,23 @@
subnets6.flpk = "2a0f:5382:acab:1400::/64"; subnets6.flpk = "2a0f:5382:acab:1400::/64";
hosts4 = { hosts4 = {
flpk-gw = "45.158.40.160"; flpk-gw = "45.158.40.160";
notice-me-senpai = "45.158.40.162"; # tlms monitoring leon = "45.158.40.162";
sshlog = "45.158.40.163"; sshlog = "45.158.40.163";
caveman = "45.158.40.164"; caveman = "45.158.40.164";
# tlms-37c3-ctf vm on server9 leoncloud = "45.158.40.165";
ctf = "45.158.40.165";
mastodon = "45.158.40.166"; mastodon = "45.158.40.166";
c3d2-web = "45.158.40.167"; c3d2-web = "45.158.40.167";
mail = "45.158.40.168"; mailtngbert = "45.158.40.168";
dresden-zone-dns = "45.158.40.169";
# server7 = "45.158.40.170"; # unused
rtrlab = "45.158.40.171"; # temporary
}; };
hosts6.flpk = { hosts6.flpk = {
flpk-gw = "2a0f:5382:acab:1400::c3d2"; flpk-gw = "2a0f:5382:acab:1400::c3d2";
notice-me-senpai = "2a0f:5382:acab:1400:2de:5bff:fef9:e23e"; # tlms-monitoring leon = "2a0f:5382:acab:1400::1e0";
sshlog = "2a0f:5382:acab:1400::22"; sshlog = "2a0f:5382:acab:1400::22";
caveman = "2a0f:5382:acab:1400::a4"; caveman = "2a0f:5382:acab:1400::a4";
# tlms-37c3-ctf vm on server9 leoncloud = "2a0f:5382:acab:1400::a5";
ctf = "2a0f:5382:acab:1400::a5";
mastodon = "2a0f:5382:acab:1400::a6"; mastodon = "2a0f:5382:acab:1400::a6";
c3d2-web = "2a0f:5382:acab:1400::a7"; c3d2-web = "2a0f:5382:acab:1400::a7";
# mail = "2a0f:5382:acab:1400::a8"; # we don't have an PTR for IPv6 and it gets way more often marked as spam mailtngbert = "2a0f:5382:acab:1400::a8";
dresden-zone-dns = "2a0f:5382:acab:1400::a9";
# server7 = "2a0f:5382:acab:1400::aa";
rtrlab = "2a0f:5382:acab:1400::ab";
}; };
}; };
@ -56,9 +50,13 @@
}; };
}; };
}; };
ospf = { bgp = {
allowedUpstreams = [ "upstream4" "upstream3" "freifunk" ]; allowedUpstreams = [ "upstream4" "upstream3" "freifunk" ];
upstreamInstance = 2; upstreamTable = "vpn_table";
peers.${config.site.net.core.subnets6.dn42} = {
type = "upstream";
name = "up";
};
}; };
role = "container"; role = "container";
}; };
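Review bot: The new upstream peer `peers.${config.site.net.core.subnets6.dn42} = { type = "upstream"; name = "up"; }` is keyed by the whole core dn42 /64 and does not pin the remote ASN, whereas the equivalent entry for `upstream3` in this same change sets `asn = config.site.hosts.upstream3.bgp.asn;`. Without an ASN, any core host reachable over that prefix could present itself as the upstream and attract flpk's default route, assuming the module treats a prefix key as a dynamic neighbor range. Pin the expected peer by adding `asn = config.site.hosts.bgp.bgp.asn;` (or whichever router is actually meant to be the upstream here) to that entry. The `flpk-gw` host definition enclosing this `bgp` block starts outside the hunk.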


@ -63,16 +63,7 @@
ap62 = "10.0.0.102"; ap62 = "10.0.0.102";
ap63 = "10.0.0.103"; ap63 = "10.0.0.103";
ap64 = "10.0.0.104"; ap64 = "10.0.0.104";
ap65 = "10.0.0.105";
ap66 = "10.0.0.106";
ap67 = "10.0.0.107";
ap68 = "10.0.0.108";
ap69 = "10.0.0.109";
ap7 = "10.0.0.47"; ap7 = "10.0.0.47";
ap70 = "10.0.0.110";
ap71 = "10.0.0.111";
ap72 = "10.0.0.112";
ap73 = "10.0.0.113";
ap8 = "10.0.0.48"; ap8 = "10.0.0.48";
ap9 = "10.0.0.49"; ap9 = "10.0.0.49";
logging = "10.0.0.251"; logging = "10.0.0.251";
@ -107,7 +98,6 @@
switch-b3 = "10.0.0.18"; switch-b3 = "10.0.0.18";
switch-ds1 = "10.0.0.20"; switch-ds1 = "10.0.0.20";
switch-ds2 = "10.0.0.21"; switch-ds2 = "10.0.0.21";
switch-ds3 = "10.0.0.22";
}; };
hosts6 = { hosts6 = {
dn42 = { dn42 = {
@ -172,16 +162,7 @@
ap62 = "fd23:42:c3d2:580::4:3e"; ap62 = "fd23:42:c3d2:580::4:3e";
ap63 = "fd23:42:c3d2:580::4:3f"; ap63 = "fd23:42:c3d2:580::4:3f";
ap64 = "fd23:42:c3d2:580::4:40"; ap64 = "fd23:42:c3d2:580::4:40";
ap65 = "fd23:42:c3d2:580::4:41";
ap66 = "fd23:42:c3d2:580::4:42";
ap67 = "fd23:42:c3d2:580::4:43";
ap68 = "fd23:42:c3d2:580::4:44";
ap69 = "fd23:42:c3d2:580::4:45";
ap7 = "fd23:42:c3d2:580::4:7"; ap7 = "fd23:42:c3d2:580::4:7";
ap70 = "fd23:42:c3d2:580::4:46";
ap71 = "fd23:42:c3d2:580::4:47";
ap72 = "fd23:42:c3d2:580::4:48";
ap73 = "fd23:42:c3d2:580::4:49";
ap8 = "fd23:42:c3d2:580::4:8"; ap8 = "fd23:42:c3d2:580::4:8";
ap9 = "fd23:42:c3d2:580::4:9"; ap9 = "fd23:42:c3d2:580::4:9";
mgmt-gw = "fd23:42:c3d2:580:ffff:ffff:ffff:ffff"; mgmt-gw = "fd23:42:c3d2:580:ffff:ffff:ffff:ffff";
@ -211,10 +192,7 @@
type = "veth"; type = "veth";
}; };
}; };
ospf = { bgp.allowedUpstreams = [ "upstream4" "upstream3" "anon1" "freifunk" ];
allowedUpstreams =
[ "upstream4" "upstream3" "anon1" "freifunk" ];
};
role = "container"; role = "container";
}; };
} }


@ -1,6 +1,6 @@
{ lib, ... }: { lib, ... }:
let let
privCount = 49; privCount = 45;
seq = n: max: seq = n: max:
if n <= max if n <= max
then [ n ] ++ seq (n + 1) max then [ n ] ++ seq (n + 1) max
@ -16,8 +16,8 @@ lib.mkMerge (
site.net."priv${toString n}" = { site.net."priv${toString n}" = {
dhcp = { dhcp = {
server = "priv${toString n}-gw"; server = "priv${toString n}-gw";
time = 300; time = 120;
max-time = 60 * 24 * 3600; max-time = 86400;
router = "priv${toString n}-gw"; router = "priv${toString n}-gw";
}; };
domainName = "priv${toString n}.zentralwerk.org"; domainName = "priv${toString n}.zentralwerk.org";
@ -38,7 +38,7 @@ lib.mkMerge (
core.type = "veth"; core.type = "veth";
"priv${toString n}".type = "veth"; "priv${toString n}".type = "veth";
}; };
ospf.allowedUpstreams = [ "upstream4" "upstream3" "anon1" "freifunk" ]; bgp.allowedUpstreams = [ "upstream4" "upstream3" "anon1" "freifunk" ];
}; };
} }
) (seq 1 privCount) ) (seq 1 privCount)
@ -58,12 +58,10 @@ lib.mkMerge (
subnet4 = "172.20.75.0/27"; subnet4 = "172.20.75.0/27";
dhcp = { dhcp = {
start = "172.20.75.2"; start = "172.20.75.2";
end = "172.20.75.30"; end = "172.20.75.31";
fixed-hosts = { fixed-hosts = {
"172.20.75.2" = "ac:1f:6b:dc:93:8e";
"172.20.75.3" = "ac:1f:6b:dc:95:de";
"172.20.75.9" = "ac:1f:6b:dc:95:df";
"172.20.75.7" = "60:33:4b:0b:cd:fc"; "172.20.75.7" = "60:33:4b:0b:cd:fc";
"172.20.75.9" = "00:11:32:22:95:79";
}; };
}; };
}; };
@ -204,6 +202,7 @@ lib.mkMerge (
dhcp = { dhcp = {
start = "172.20.73.194"; start = "172.20.73.194";
end = "172.20.73.254"; end = "172.20.73.254";
max-time = lib.mkForce 2592000;
}; };
}; };
priv20 = { priv20 = {
@ -238,10 +237,9 @@ lib.mkMerge (
end = "172.20.73.190"; end = "172.20.73.190";
fixed-hosts = { fixed-hosts = {
"172.20.73.162" = "da:2c:3a:2c:87:22"; "172.20.73.162" = "da:2c:3a:2c:87:22";
"172.20.73.163" = "b8:27:eb:16:31:61"; "172.20.73.163" = "ca:9f:27:b2:bf:6d";
"172.20.73.164" = "ca:71:c4:90:3e:c7"; "172.20.73.164" = "60:01:94:6f:81:a6";
}; };
time = lib.mkForce 900;
}; };
}; };
priv24 = { priv24 = {
@ -424,38 +422,6 @@ lib.mkMerge (
end = "172.20.77.174"; end = "172.20.77.174";
}; };
}; };
priv46 = {
hosts4 = { priv46-gw = "172.20.77.225"; };
subnet4 = "172.20.77.224/28";
dhcp = {
start = "172.20.77.226";
end = "172.20.77.238";
};
};
priv47 = {
hosts4 = { priv47-gw = "172.20.76.161"; };
subnet4 = "172.20.76.160/28";
dhcp = {
start = "172.20.76.162";
end = "172.20.76.174";
};
};
priv48 = {
hosts4 = { priv48-gw = "172.20.77.33"; };
subnet4 = "172.20.77.32/28";
dhcp = {
start = "172.20.77.34";
end = "172.20.77.46";
};
};
priv49 = {
hosts4 = { priv49-gw = "172.20.76.49"; };
subnet4 = "172.20.76.48/28";
dhcp = {
start = "172.20.76.50";
end = "172.20.76.62";
};
};
}; };
site.hosts = { site.hosts = {
@ -574,7 +540,7 @@ lib.mkMerge (
hwaddr = "0A:14:47:02:2A:19"; hwaddr = "0A:14:47:02:2A:19";
}; };
}; };
ospf.allowedUpstreams = [ "upstream3" "upstream4" "anon1" "freifunk" ]; bgp.allowedUpstreams = [ "upstream3" "upstream4" "anon1" "freifunk" ];
}; };
priv18-gw = { priv18-gw = {
interfaces = { interfaces = {
@ -744,30 +710,6 @@ lib.mkMerge (
priv45.hwaddr = "0A:14:48:01:2A:57"; priv45.hwaddr = "0A:14:48:01:2A:57";
}; };
}; };
priv46-gw = {
interfaces = {
core.hwaddr = "0A:14:48:01:2A:58";
priv46.hwaddr = "0A:14:48:01:2A:59";
};
};
priv47-gw = {
interfaces = {
core.hwaddr = "0A:14:48:01:2A:5A";
priv47.hwaddr = "0A:14:48:01:2A:5B";
};
};
priv48-gw = {
interfaces = {
core.hwaddr = "0A:14:48:01:2A:5C";
priv48.hwaddr = "0A:14:48:01:2A:5D";
};
};
priv49-gw = {
interfaces = {
core.hwaddr = "0A:14:48:01:2A:5E";
priv49.hwaddr = "0A:14:48:01:2A:5F";
};
};
}; };
} ] } ]
) )
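Review bot: `end = "172.20.75.31"` in the pool of the net declared with `subnet4 = "172.20.75.0/27"` is that subnet's broadcast address (usable hosts are .1–.30), so the DHCP server can now lease an address clients cannot use; the previous `end = "172.20.75.30"` was the last valid host. Change it back to `end = "172.20.75.30";`. The rest of that hunk (the rewritten `fixed-hosts` MACs and the `time = 120; max-time = 86400;` lease times) looks consistent as far as this file shows.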


@ -3,10 +3,10 @@
dhcp = { dhcp = {
start = "172.20.78.2"; start = "172.20.78.2";
end = "172.20.79.253"; end = "172.20.79.253";
max-time = 3600;
router = "pub-gw"; router = "pub-gw";
server = "pub-gw"; server = "pub-gw";
time = 120; time = 300;
max-time = 12 * 3600;
}; };
domainName = "pub.zentralwerk.org"; domainName = "pub.zentralwerk.org";
dynamicDomain = true; dynamicDomain = true;
@ -39,7 +39,7 @@
type = "veth"; type = "veth";
}; };
}; };
ospf = { bgp = {
allowedUpstreams = [ "anon1" "freifunk" ]; allowedUpstreams = [ "anon1" "freifunk" ];
allowedUpstreams6 = [ "flpk-gw" "anon1" "freifunk" ]; allowedUpstreams6 = [ "flpk-gw" "anon1" "freifunk" ];
}; };


@ -7,28 +7,51 @@
serv-gw = "172.20.73.1"; serv-gw = "172.20.73.1";
dns = "172.20.73.2"; dns = "172.20.73.2";
stats = "172.20.73.3"; stats = "172.20.73.3";
dresden-zone = "172.20.73.4"; radius = "172.20.73.4";
tlms-elastic = "172.20.73.7"; # tlms zeit = "172.20.73.5";
minecraft = "172.20.73.6";
used1 = "172.20.73.7";
dnscache = "172.20.73.8"; dnscache = "172.20.73.8";
tlms-ctfd = "172.20.73.9"; # tlms used2 = "172.20.73.9";
used3 = "172.20.73.10";
used4 = "172.20.73.11";
used5 = "172.20.73.12";
logging = "172.20.73.13";
used6 = "172.20.73.14";
buzzrelay = "172.20.73.15"; buzzrelay = "172.20.73.15";
deployer = "172.20.73.16";
used7 = "172.20.73.17";
used8 = "172.20.73.18";
used9 = "172.20.73.19";
ipa = "172.20.73.20";
matemat = "172.20.73.21"; matemat = "172.20.73.21";
used10 = "172.20.73.22";
used11 = "172.20.73.23";
used12 = "172.20.73.24";
spaceapi = "172.20.73.25"; spaceapi = "172.20.73.25";
used13 = "172.20.73.26";
mucbot = "172.20.73.27"; mucbot = "172.20.73.27";
used14 = "172.20.73.28";
used15 = "172.20.73.29";
used16 = "172.20.73.30";
used17 = "172.20.73.31";
scrape = "172.20.73.32"; scrape = "172.20.73.32";
pretalx = "172.20.73.33"; used19 = "172.20.73.33";
vaultwarden = "172.20.73.34"; used20 = "172.20.73.34";
uranus = "172.20.73.37"; # tlms used21 = "172.20.73.35";
tram-borzoi = "172.20.73.38"; # tlms used22 = "172.20.73.36";
borken-data-hoarder = "172.20.73.39"; # tlms used23 = "172.20.73.37";
matrix = "172.20.73.40"; used24 = "172.20.73.38";
activity-relay = "172.20.73.41"; used25 = "172.20.73.39";
used26 = "172.20.73.40";
direkthilfe = "172.20.73.41";
luulaatsch-asterisk = "172.20.73.42"; luulaatsch-asterisk = "172.20.73.42";
grafana = "172.20.73.43"; grafana = "172.20.73.43";
tmppleroma = "172.20.73.44";
public-access-proxy = "172.20.73.45"; public-access-proxy = "172.20.73.45";
marenz = "172.20.73.46"; marenz = "172.20.73.46";
network-homepage = "172.20.73.47"; network-homepage = "172.20.73.47";
home-assistant = "172.20.73.48"; minetest = "172.20.73.48";
hydra = "172.20.73.49"; hydra = "172.20.73.49";
owncast = "172.20.73.50"; owncast = "172.20.73.50";
nfsroot = "172.20.73.51"; nfsroot = "172.20.73.51";
@ -38,38 +61,42 @@
jabber = "172.20.73.55"; jabber = "172.20.73.55";
mobilizon = "172.20.73.56"; mobilizon = "172.20.73.56";
radiobert = "172.20.73.57"; radiobert = "172.20.73.57";
# mail = "172.20.73.58"; mail = "172.20.73.58";
keycloak = "172.20.73.59";
sdrweb = "172.20.73.60"; sdrweb = "172.20.73.60";
knot = "172.20.73.61"; bind = "172.20.73.61";
blogs = "172.20.73.62"; blogs = "172.20.73.62";
staging-data-hoarder = "172.20.73.64"; # tlms nix-build = "172.20.73.63";
staging-data-hoarder = "172.20.73.64";
oparl = "172.20.73.65"; oparl = "172.20.73.65";
hedgedoc = "172.20.73.66"; hedgedoc = "172.20.73.66";
mediawiki = "172.20.73.67"; mediawiki = "172.20.73.67";
gnunet = "172.20.73.68"; gnunet = "172.20.73.68";
data-hoarder = "172.20.73.69"; # tlms data-hoarder = "172.20.73.69";
broker = "172.20.73.70"; broker = "172.20.73.70";
ftp = "172.20.73.71"; ftp = "172.20.73.71";
auth = "172.20.73.72"; auth = "172.20.73.72";
doubleblind-science = "172.20.73.73"; factorio = "172.20.73.73";
zengel = "172.20.73.74";
prometheus = "172.20.73.75"; prometheus = "172.20.73.75";
drone = "172.20.73.77"; oxigraph = "172.20.73.76";
# FILL IN THE HOLES BEFORE APPENDING!
}; };
ipv6Router = "serv-gw"; ipv6Router = "serv-gw";
subnets6.dn42 = "fd23:42:c3d2:582::/64"; subnets6.dn42 = "fd23:42:c3d2:582::/64";
subnets6.up4 = "2a00:8180:2c00:282::/64"; subnets6.up4 = "2a00:8180:2c00:282::/64";
hosts6.dn42 = { hosts6.dn42 = {
knot = "fd23:42:c3d2:582:cd7:56ff:fe69:6366"; bind = "fd23:42:c3d2:582:cd7:56ff:fe69:6366";
blogs = "fd23:42:c3d2:582:b8a8:7dff:fee8:5ac2"; blogs = "fd42:42:c3d2:582:b8a8:7dff:fee8:5ac2";
dns = "fd23:42:c3d2:582:2:0:0:2"; dns = "fd23:42:c3d2:582:2:0:0:2";
dnscache = "fd23:42:c3d2:582:f096:dbff:fee8:427d"; dnscache = "fd23:42:c3d2:582:f096:dbff:fee8:427d";
gitea = "fd23:42:c3d2:582:702a:daff:fe35:83be";
grafana = "fd23:42:c3d2:582:4042:fbff:fe4b:2de8"; grafana = "fd23:42:c3d2:582:4042:fbff:fe4b:2de8";
hydra = "fd23:42:c3d2:582:e2cb:4eff:fe3b:f94b"; hydra = "fd23:42:c3d2:582:e2cb:4eff:fe3b:f94b";
jabber = "fd23:42:c3d2:582:b869:ccff:fe46:902a"; jabber = "fd23:42:c3d2:582:b869:ccff:fe46:902a";
# mail = "fd23:42:c3d2:582:88c0:41ff:fe70:d6cd"; keycloak = "fd23:42:c3d2:582:c48:bbff:fe87:721d";
logging = "fd23:42:c3d2:582:6811:edff:fe40:89c6";
mail = "fd23:42:c3d2:582:88c0:41ff:fe70:d6cd";
matemat = "fd23:42:c3d2:582:f82b:1bff:fedc:8572"; matemat = "fd23:42:c3d2:582:f82b:1bff:fedc:8572";
minetest = "fd23:42:c3d2:582:c3a:42ff:fe5d:b20c";
mobilizon = "fd23:42:c3d2:582:48d1:5cff:fea7:1676"; mobilizon = "fd23:42:c3d2:582:48d1:5cff:fea7:1676";
mongo = "fd23:42:c3d2:582:14ec:c8ff:fe0a:fc5c"; mongo = "fd23:42:c3d2:582:14ec:c8ff:fe0a:fc5c";
mucbot = "fd23:42:c3d2:582:28db:dff:fe6b:e89a"; mucbot = "fd23:42:c3d2:582:28db:dff:fe6b:e89a";
@ -79,64 +106,69 @@
serv-gw = "fd23:42:c3d2:582::1"; serv-gw = "fd23:42:c3d2:582::1";
spaceapi = "fd23:42:c3d2:582:1457:adff:fe93:62e9"; spaceapi = "fd23:42:c3d2:582:1457:adff:fe93:62e9";
stats = "fd23:42:c3d2:582:2:0:0:3"; stats = "fd23:42:c3d2:582:2:0:0:3";
zeit = "fd23:42:c3d2:582:2:0:0:5";
direkthilfe = "fd23:42:c3d2:582:1cde:c5ff:fe47:8c2a";
nix-build = "fd23:42:c3d2:582:683d:a9ff:fe45:3d1f";
staging-data-hoarder = "fd23:42:c3d2:582:2de:5bff:fef9:e23d"; staging-data-hoarder = "fd23:42:c3d2:582:2de:5bff:fef9:e23d";
oparl = "fd23:42:c3d2:582:2de:9aff:fece:3879"; oparl = "fd23:42:c3d2:582:2de:9aff:fece:3879";
gnunet = "fd23:42:c3d2:582:44"; gnunet = "fd23:42:c3d2:582:44";
broker = "fd23:42:c3d2:582:46"; broker = "fd23:42:c3d2:582:46";
ftp = "fd23:42:c3d2:582:47"; ftp = "fd23:42:c3d2:582:47";
zengel = "fd23:42:c3d2:582:4a";
network-homepage = "fd23:42:c3d2:582:2f"; network-homepage = "fd23:42:c3d2:582:2f";
owncast = "fd23:42:c3d2:582:32"; owncast = "fd23:42:c3d2:582:32";
prometheus = "fd23:42:c3d2:582:4b"; prometheus = "fd23:42:c3d2:582:4b";
buzzrelay = "fd23:42:c3d2:582:f"; buzzrelay = "fd23:42:c3d2:582:f";
oxigraph = "fd23:42:c3d2:582:4c"; oxigraph = "fd23:42:c3d2:582:4c";
tmppleroma = "fd23:42:c3d2:582:2c";
luulaatsch-asterisk = "fd23:42:c3d2:582:2a"; luulaatsch-asterisk = "fd23:42:c3d2:582:2a";
stream = "fd23:42:c3d2:583:dc91:c7ff:fe51:d1c5";
}; };
hosts6.up4 = { hosts6.up4 = {
knot = "2a00:8180:2c00:282:cd7:56ff:fe69:6366"; bind = "2a00:8180:2c00:282:cd7:56ff:fe69:6366";
blogs = "2a00:8180:2c00:282:b8a8:7dff:fee8:5ac2"; blogs = "2a00:8180:2c00:282:b8a8:7dff:fee8:5ac2";
dns = "2a00:8180:2c00:282:2:0:0:2"; dns = "2a00:8180:2c00:282:2:0:0:2";
dnscache = "2a00:8180:2c00:282:f096:dbff:fee8:427d"; dnscache = "2a00:8180:2c00:282:f096:dbff:fee8:427d";
gitea = "2a00:8180:2c00:282:702a:daff:fe35:83be";
grafana = "2a00:8180:2c00:282:4042:fbff:fe4b:2de8"; grafana = "2a00:8180:2c00:282:4042:fbff:fe4b:2de8";
hydra = "2a00:8180:2c00:282:e2cb:4eff:fe3b:f94b"; hydra = "2a00:8180:2c00:282:e2cb:4eff:fe3b:f94b";
jabber = "2a00:8180:2c00:282:b869:ccff:fe46:902a"; jabber = "2a00:8180:2c00:282:b869:ccff:fe46:902a";
# mail = "2a00:8180:2c00:282:88c0:41ff:fe70:d6cd"; keycloak = "2a00:8180:2c00:282:c48:bbff:fe87:721d";
logging = "2a00:8180:2c00:282:6811:edff:fe40:89c6";
mail = "2a00:8180:2c00:282:88c0:41ff:fe70:d6cd";
matemat = "2a00:8180:2c00:282:f82b:1bff:fedc:8572"; matemat = "2a00:8180:2c00:282:f82b:1bff:fedc:8572";
minetest = "2a00:8180:2c00:282:c3a:42ff:fe5d:b20c";
mobilizon = "2a00:8180:2c00:282:48d1:5cff:fea7:1676"; mobilizon = "2a00:8180:2c00:282:48d1:5cff:fea7:1676";
mongo = "2a00:8180:2c00:282:14ec:c8ff:fe0a:fc5c";
mucbot = "2a00:8180:2c00:282:28db:dff:fe6b:e89a"; mucbot = "2a00:8180:2c00:282:28db:dff:fe6b:e89a";
public-access-proxy = "2a00:8180:2c00:282:1024:5fff:febd:9be7"; public-access-proxy = "2a00:8180:2c00:282:1024:5fff:febd:9be7";
radiobert = "2a00:8180:2c00:282:e65f:1ff:fe5d:1679"; radiobert = "2a00:8180:2c00:282:e65f:1ff:fe5d:1679";
radius = "2a00:8180:2c00:282:2:0:0:4"; radius = "2a00:8180:2c00:282:2:0:0:4";
scrape = "2a00:8180:2c00:282:e073:50ff:fef5:eb6e"; scrape = "2a00:8180:2c00:282:e073:50ff:fef5:eb6e";
sdrweb = "2a00:8180:2c00:282:3078:bbff:fe76:e9ef"; sdrweb = "2a00:8180:2c00:282:3078:bbff:fe76:e9ef";
serv-gw = "2a00:8180:2c00:282::1";
spaceapi = "2a00:8180:2c00:282:1457:adff:fe93:62e9"; spaceapi = "2a00:8180:2c00:282:1457:adff:fe93:62e9";
stats = "2a00:8180:2c00:282:2:0:0:3"; stats = "2a00:8180:2c00:282:2:0:0:3";
stream = "2a00:8180:2c00:282:dc91:c7ff:fe51:d1c5"; stream = "fd23:42:c3d2:583:dc91:c7ff:fe51:d1c5";
ticker = "2a00:8180:2c00:282:b407:40ff:fec1:81f2"; ticker = "2a00:8180:2c00:282:b407:40ff:fec1:81f2";
zeit = "2a00:8180:2c00:282:2:0:0:5";
direkthilfe = "2a00:8180:2c00:282:1cde:c5ff:fe47:8c2a";
nix-build = "2a00:8180:2c00:282:683d:a9ff:fe45:3d1f";
staging-data-hoarder = "2a00:8180:2c00:282:2de:5bff:fef9:e23d"; staging-data-hoarder = "2a00:8180:2c00:282:2de:5bff:fef9:e23d";
oparl = "2a00:8180:2c00:282:2de:9aff:fece:3879"; oparl = "2a00:8180:2c00:282:2de:9aff:fece:3879";
hedgedoc = "2a00:8180:2c00:282::6";
serv-gw = "2a00:8180:2c00:282::1";
luulaatsch-asterisk = "2a00:8180:2c00:282::2a";
drone = "2a00:8180:2c00:282::2b";
pretalx = "2a00:8180:2c00:282::2c";
matrix = "2a00:8180:2c00:282::2d";
activity-relay = "2a00:8180:2c00:282::2e";
network-homepage = "2a00:8180:2c00:282::2f";
vaultwarden = "2a00:8180:2c00:282::31";
owncast = "2a00:8180:2c00:282::32";
mediawiki = "2a00:8180:2c00:282::43"; mediawiki = "2a00:8180:2c00:282::43";
gnunet = "2a00:8180:2c00:282::44"; gnunet = "2a00:8180:2c00:282::44";
data-hoarder = "2a00:8180:2c00:282::45"; data-hoarder = "2a00:8180:2c00:282::45";
broker = "2a00:8180:2c00:282::46"; broker = "2a00:8180:2c00:282::46";
ftp = "2a00:8180:2c00:282::47"; ftp = "2a00:8180:2c00:282::47";
auth = "2a00:8180:2c00:282::48"; auth = "2a00:8180:2c00:282::48";
dresden-zone = "2a00:8180:2c00:282::49"; zengel = "2a00:8180:2c00:282::4a";
network-homepage = "2a00:8180:2c00:282::2f";
owncast = "2a00:8180:2c00:282::32";
prometheus = "2a00:8180:2c00:282::4b"; prometheus = "2a00:8180:2c00:282::4b";
oxigraph = "2a00:8180:2c00:282::4c";
hedgedoc = "2a00:8180:2c00:282::6";
buzzrelay = "2a00:8180:2c00:282::f"; buzzrelay = "2a00:8180:2c00:282::f";
oxigraph = "2a00:8180:2c00:282::4c";
tmppleroma = "2a00:8180:2c00:282::2c";
luulaatsch-asterisk = "2a00:8180:2c00:282::2a";
}; };
}; };
@ -174,7 +206,7 @@
gw6 = null; gw6 = null;
}; };
}; };
ospf.allowedUpstreams = bgp.allowedUpstreams =
[ "upstream4" "upstream3" "anon1" "freifunk" ]; [ "upstream4" "upstream3" "anon1" "freifunk" ];
}; };
stats = makeContainer { stats = makeContainer {
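Review bot: Two of the new address entries fall outside the subnet declared for their map: `blogs = "fd42:42:c3d2:582:b8a8:7dff:fee8:5ac2"` under `hosts6.dn42` (the declared prefix is `fd23:42:c3d2:582::/64`), and `stream = "fd23:42:c3d2:583:dc91:c7ff:fe51:d1c5"` under `hosts6.up4` (declared `2a00:8180:2c00:282::/64`; the ULA given is also `:583`, not `:582`). Anything derived from these maps — DNS records, firewall rules, the address the container is configured with — would then refer to a /64 that `serv-gw` does not route. Presumably intended: `blogs = "fd23:42:c3d2:582:b8a8:7dff:fee8:5ac2";` and `stream = "2a00:8180:2c00:282:dc91:c7ff:fe51:d1c5";` (the `:583` entry for `stream` in the dn42 map looks like the same slip). The many `usedN` placeholder names added to `hosts4` also hide what actually sits at those addresses, which makes the inventory hard to audit; real hostnames or a per-entry comment would help.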


@ -2,7 +2,7 @@
let let
servHosts = config.site.net.serv.hosts4; servHosts = config.site.net.serv.hosts4;
inherit (config.site.net.c3d2.hosts4) dn42; inherit (config.site.net.c3d2.hosts4) dn42;
inherit (config.site.net.flpk.hosts4) c3d2-web; inherit (config.site.net.flpk.hosts4) c3d2-web leon mailtngbert;
in in
{ {
site.hosts = { site.hosts = {
@ -24,8 +24,12 @@ in
}; };
}; };
}; };
ospf.upstreamInstance = 7;
role = "container"; role = "container";
bgp.peers.${config.site.net.core.subnets6.dn42} = {
asn = config.site.hosts.upstream3.bgp.asn;
type = "upstream";
name = "up";
};
}; };
upstream4 = rec { upstream4 = rec {
@ -43,177 +47,260 @@ in
{ # gemini { # gemini
destination = "${c3d2-web}:1965"; destination = "${c3d2-web}:1965";
proto = "tcp"; proto = "tcp";
reflect = true;
sourcePort = 1965; sourcePort = 1965;
} }
{ {
destination = servHosts.knot; destination = "172.20.73.61";
proto = "tcp"; proto = "tcp";
reflect = true;
sourcePort = 53; sourcePort = 53;
} }
{ {
destination = servHosts.knot; destination = "172.20.73.61";
proto = "udp"; proto = "udp";
reflect = true;
sourcePort = 53; sourcePort = 53;
} }
{ {
destination = dn42; destination = dn42;
proto = "udp"; proto = "udp";
reflect = true;
sourcePort = 2325; sourcePort = 2325;
} }
{ {
destination = dn42; destination = dn42;
proto = "udp"; proto = "udp";
reflect = true;
sourcePort = 2327; sourcePort = 2327;
} }
{ {
destination = dn42; destination = dn42;
proto = "udp"; proto = "udp";
reflect = true;
sourcePort = 2337; sourcePort = 2337;
} }
{ {
destination = dn42; destination = dn42;
proto = "udp"; proto = "udp";
reflect = true;
sourcePort = 2338; sourcePort = 2338;
} }
{ {
destination = dn42; destination = dn42;
proto = "udp"; proto = "udp";
reflect = true;
sourcePort = 2339; sourcePort = 2339;
} }
{ {
destination = dn42; destination = dn42;
proto = "udp"; proto = "udp";
reflect = true;
sourcePort = 2340; sourcePort = 2340;
} }
{ {
destination = dn42; destination = dn42;
proto = "udp"; proto = "udp";
sourcePort = 2342; reflect = true;
}
{
destination = dn42;
proto = "udp";
sourcePort = 2399; sourcePort = 2399;
} }
{ {
destination = dn42; destination = dn42;
proto = "udp"; proto = "udp";
reflect = true;
sourcePort = 24699; sourcePort = 24699;
} }
{ {
destination = dn42; destination = dn42;
proto = "udp"; proto = "udp";
reflect = true;
sourcePort = 64699; sourcePort = 64699;
} }
{ #ssh
destination = "${leon}:22";
proto = "tcp";
reflect = true;
sourcePort = 2223;
}
{ #Website
destination = "${leon}:5000";
proto = "tcp";
reflect = true;
sourcePort = 5001;
}
{ #VPN_Wireguard VPN1-interface
destination = "${leon}:18900";
proto = "udp";
reflect = true;
sourcePort = 18800;
}
{ #VPN_Wireguard VPN2-interface
destination = "${leon}:19900";
proto = "udp";
reflect = true;
sourcePort = 19800;
}
{
destination = servHosts.minetest;
proto = "udp";
reflect = true;
sourcePort = 30000;
}
# ? # ?
{ {
destination = "172.22.99.175:22"; destination = "172.22.99.175:22";
proto = "tcp"; proto = "tcp";
reflect = true;
sourcePort = 2224; sourcePort = 2224;
} }
{ {
destination = servHosts.gitea; destination = servHosts.gitea;
proto = "tcp"; proto = "tcp";
reflect = true;
sourcePort = 22; sourcePort = 22;
} }
{ {
destination = servHosts.jabber; destination = servHosts.jabber;
proto = "tcp"; proto = "tcp";
reflect = true;
sourcePort = 5222; sourcePort = 5222;
} }
{ {
destination = servHosts.jabber; destination = servHosts.jabber;
proto = "tcp"; proto = "tcp";
reflect = true;
sourcePort = 5223; sourcePort = 5223;
} }
{ {
destination = servHosts.jabber; destination = servHosts.jabber;
proto = "tcp"; proto = "tcp";
reflect = true;
sourcePort = 5269; sourcePort = 5269;
} }
{ {
destination = servHosts.jabber; destination = servHosts.jabber;
proto = "tcp"; proto = "tcp";
reflect = true;
sourcePort = 3478; sourcePort = 3478;
} }
{ {
destination = servHosts.jabber; destination = servHosts.jabber;
proto = "tcp"; proto = "tcp";
reflect = true;
sourcePort = 3479; sourcePort = 3479;
} }
{ {
destination = servHosts.jabber; destination = servHosts.jabber;
proto = "udp"; proto = "udp";
reflect = true;
sourcePort = 3478; sourcePort = 3478;
} }
{ {
destination = servHosts.jabber; destination = servHosts.jabber;
proto = "udp"; proto = "udp";
reflect = true;
sourcePort = 3479; sourcePort = 3479;
} }
{
destination = mailtngbert;
proto = "tcp";
reflect = true;
sourcePort = 25;
}
{
destination = mailtngbert;
proto = "tcp";
reflect = true;
sourcePort = 465;
}
{
destination = mailtngbert;
proto = "tcp";
reflect = true;
sourcePort = 587;
}
{
destination = mailtngbert;
proto = "tcp";
reflect = true;
sourcePort = 110;
}
{
destination = mailtngbert;
proto = "tcp";
reflect = true;
sourcePort = 143;
}
{
destination = mailtngbert;
proto = "tcp";
reflect = true;
sourcePort = 993;
}
{
destination = mailtngbert;
proto = "tcp";
reflect = true;
sourcePort = 995;
}
# poelzi # poelzi
{ {
destination = "172.20.73.162:22"; destination = "172.20.73.162:22";
proto = "tcp"; proto = "tcp";
reflect = true;
sourcePort = 2323; sourcePort = 2323;
} }
# jan
{
destination = "172.20.75.3:51820";
proto = "udp";
sourcePort = 30057;
}
# zw-ev RDP # zw-ev RDP
{ {
destination = "172.20.75.222:3389"; destination = "172.20.75.222:3389";
proto = "tcp"; proto = "tcp";
reflect = true;
sourcePort = 45000; sourcePort = 45000;
} }
{ {
destination = config.site.net.core.hosts4.vpn-gw; destination = config.site.net.core.hosts4.vpn-gw;
proto = "udp"; proto = "udp";
sourcePort = config.site.vpn.wireguard.port;
reflect = true; reflect = true;
sourcePort = config.site.vpn.wireguard.port;
}
{
destination = "${config.site.net.serv.hosts4.direkthilfe}:22";
proto = "tcp";
reflect = false;
sourcePort = 3822;
} }
{ {
destination = servHosts.gnunet; destination = servHosts.gnunet;
proto = "tcp"; proto = "tcp";
reflect = true;
sourcePort = 2086; sourcePort = 2086;
} }
# dresden zone
{
destination = servHosts.dresden-zone;
proto = "udp";
sourcePort = 51844;
}
# data-hoarder # data-hoarder
{ {
destination = servHosts.data-hoarder; destination = servHosts.data-hoarder;
proto = "udp"; proto = "udp";
reflect = true;
sourcePort = 51820; sourcePort = 51820;
} }
{ {
destination = "${servHosts.data-hoarder}:22"; destination = "${servHosts.data-hoarder}:22";
proto = "tcp"; proto = "tcp";
reflect = false;
sourcePort = 2269; sourcePort = 2269;
} }
# data-hoarder-staging # data-hoarder-staging
{ {
destination = "${servHosts.staging-data-hoarder}:51820"; destination = "${servHosts.staging-data-hoarder}:51820";
proto = "udp"; proto = "udp";
reflect = true;
sourcePort = 51821; sourcePort = 51821;
} }
{ {
destination = "${servHosts.ftp}:22"; destination = "${servHosts.ftp}:22";
proto = "tcp"; proto = "tcp";
reflect = true;
sourcePort = 1022; sourcePort = 1022;
} }
# coloRadio
{
proto = "tcp";
sourcePort = 8000;
destination = "192.168.9.127";
}
]; ];
interfaces = { interfaces = {
core = { core = {
@ -238,17 +325,19 @@ in
}; };
}; };
}; };
ospf = { bgp = {
upstreamInstance = 8; nets4 = [
stubNets4 = [
"${interfaces.up4-pppoe.upstream.staticIpv4Address}/32" "${interfaces.up4-pppoe.upstream.staticIpv4Address}/32"
]; ];
peers.${config.site.net.core.subnets6.dn42} = {
asn = config.site.hosts.upstream4.bgp.asn;
type = "upstream";
name = "up";
};
}; };
role = "container"; role = "container";
}; };
freifunk.ospf.upstreamInstance = 6;
anon1 = { anon1 = {
interfaces = { interfaces = {
core = { core = {
@ -263,9 +352,14 @@ in
}; };
}; };
}; };
ospf = { bgp = {
allowedUpstreams = [ "upstream3" "upstream4" "freifunk" ]; allowedUpstreams = [ "upstream3" "upstream4" "freifunk" ];
upstreamInstance = 5; upstreamTable = "vpn_table";
peers.${config.site.net.core.subnets6.dn42} = {
asn = config.site.hosts.upstream3.bgp.asn;
type = "upstream";
name = "up";
};
}; };
role = "container"; role = "container";
}; };
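Review bot: The two DNS forwards in this hunk point at the literal address `172.20.73.61` while every neighbouring forward uses a symbolic host (`servHosts.gitea`, `servHosts.jabber`, `dn42`) and the other column of the same two entries resolves it as `servHosts.knot`; a hard-coded address keeps publishing TCP/UDP 53 from the upstream to whatever host later receives that IP, so `destination = servHosts.knot;` should be used on both entries. The hunk also forwards POP3 (110) and IMAP (143) to `mailtngbert` next to 993/995; if the mail host does not enforce STARTTLS those two forwards carry credentials in the clear and deserve either a comment stating that STARTTLS is required or removal in favour of the TLS ports. Which column is the side under review is inferred from the compare direction (master → bgp) rather than from surviving +/- markers. The port-forward list and the enclosing host definition start outside the hunk.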


@ -33,8 +33,6 @@
type = "wireguard"; type = "wireguard";
}; };
}; };
ospf = { bgp.allowedUpstreams = [ "flpk-gw" "anon1" "freifunk" ];
allowedUpstreams = [ "flpk-gw" "anon1" "freifunk" ];
};
}; };
} }


@ -1,85 +1,74 @@
-----BEGIN PGP MESSAGE----- -----BEGIN PGP MESSAGE-----
hQEMA2PKcvDMvlKLAQgAjGer7r8wCoigtDTS5zzUnJI02b3RQvhbqjv4a6RD52ry hQEMA2PKcvDMvlKLAQf+N28QCjh68YIkQYSL3EnA34fuG4PqrPONlCOVbuH3SsA/
NzqqX7yIVyOEP2SnqoBpmWHYFJ3WcRb5Io3DXBLjgVHZbWJMP/DtVzHN+1ix3A5T BPzZEA2dURxbgIFTkjUCqORv62aMgTxJQdGN6S3x3je5aGXGk38SoTYuPZo5Mdss
ZjxROLc/EDyd+prSvbol5UJkHJeoH7PWwPmO1VPOVZwAV+NGJS/qKXz/wUGFA6y5 75l9cj8zJsz9ZnawXbFiM6RMpxd/zGoaPqiOclkiA/NcaaGVuhEYv57ucFsESwcJ
iH6vzetTvxSBt08dYVulzmI/B6MwHUz8W7YTTal7QTKftlyzXWZHydbj1AWJjGoR 8Pb4PVAt50vH3pcmJUezK1EWftKbMjIB1w/QoiBFbkCi6/2GIs/3ISCFiBO0O7g+
qadxsH4ZlqdHJrP/j5Yvw72XgdzAN7MQrofslqFI9ro9nccLQ7Q3B7kzt/EvoOPm egW6/6ivODTGV/TghlMoB5717eORUUGr2nejbSV/OaK/bz+KjznJfclg/bRVxM2p
obPHW1I0UFoFXhfTujROXwVlernk6qmxO/oNr5UZB9LqAaroXhliddAzPZPT5qcK QYgidYaINIb95O1P56kMYlTfZ7czBwpTr/HV8XuWEdLqAfpIIaf3SlQZKl7FJShO
szctWSv1eNlGO44iwIJyrh/Yetmrhll8flPl9URWIi9r383xkawhxG52alUVjRIz Skxxt2nhQzyLIZq8TEexXO5ayTOfuAmCAx3GEv6tPy77KwW/5lzq416TcVgk9ZKh
u2BC3vdrt5o0GfEpZlDo23UbIxLIFbMg2xTXcFBq5TJEw0+owwhz+m+JRrXY9h1+ qBZB2SBaqH6JavphKFet1GLzztW0Xd1J874P0FXhIdT8OKsJyGNkxgBevEEwNICz
SVlMX0PcUUg4vmX+7/KVIwrSECFpfPcBTSyMafUT6SfxG02/WmvzcEXk8E8hK+a3 RVJAAboAF2GwLqdhruT5cTBAKtFPq3QJ/3G/rZQ4WoJ7geYhJHlIlMhG1AkPhKt/
VzolJIqirrv1CRwm60xOucytFI5OnxYI3kV9saiLwB6i9KI8Hw91pM7T+kQmXbbl hCb4nz9nD+9xL8dM1C/6LqROHFZV6X6gha79+84YXfM9wdHP6/Dj1Bs5wB9qQhZu
etRddcQLXdhjRB/bCUJbQeEKZx0gjVAQkTFtdz6tp2vc9u/WS6UMrrQIkzdwLIOg HEJOAgule7on5dPaXOV3LzSKLSriDHWcVEsZnN4IzO0I7u59TGWF/RQypThBqDUu
AXa8JmCtlTcN1uVVDlmQqba5li6ObqM4dtyOwHkXmpwBLObtoSg2yxTExxVwtAxz 4C+AwXpoyzGC0rqa+fLfOmWAN0K/uV3Mt+Uj4HwFxu4lYUUqDpB2hcCX6DHytttm
CgNcPZ9snnht8MpXGrrzQUsdGfBY4gZ8Hgh1oScqW9b8o5XtT74hdtWXFMv6tE2F C7fuqungdMgcpzE5fYH4k38sMPxI98Tnma1hC2MpFIrgV7OgiJ1mVP86rHEGnVut
8bco4QBt6q95aYSi/wcyLwIyhUI+PEh2m5UM7KjYs2xxWbzU7Q0nj70VI9x+0Y+U 92EJ4n7aLHpydcaDYVrIE6x5xmcBbe2Cwf8dBawAsm12nACo9c07AtAsQZUpSF67
Apez4mYlqiep5l94E4Q4wb3rizYeXFAzZDe5FXfcpRgVPHGSq6XWUYSgyQENuRTB 2G3vDJnC0iEF1PGJrWw9tTGBoCS6q3N8iPJ7UF7uSE0DI2Ja5pxiRGVjTe0ddRbJ
Ll8usdYLgT3Y7ULxT4O/8OKkDFMyfmTIdSiJRUJ8izMTm0yq5lKrSsqYTZVNOF6v WDhYye/bNjprQh0NY9A5qUfXXnIo5tB0A2aSi2z/vUrffefMIkhYihEyFcPEtpr9
NDEolddj4DOaRV07DkrQRMpukrTCauZdC/c/hwmr3+ZcaMi33ZKHIbCXex/34D9z XqmS7TU0gU2ehcMZZdm0alNo3mjX4lHwczIEiLHMmj3J7Ozgq7aCMwSdFN8TpwOH
0CH3fA0nn/w3jh9CwOKBrT+cbOlMF3gVJbQU8xGgf7QHyaf8dEoayiInk9wKfUJd 0pAqSjrvG8C05Hr6ymlwRYrJ/OfLAkb1Kjf/Me3N2/ZAjeSzTRFuZ2vgbODCk/BM
BQ6YGukQBb6KDDNuDq0r9UYeRPjWc/mGSZkluoEl1GVFkFNpxlKStB68hNRJg63i rSy/RMKB0WEvwLEq9Fj5XNH2p9P++v8JDpiH6I/HPZfRORGs5Gs2d7QQiXZ0YIWl
gS/l6jSkj1IKmsnbkJVtC+YwH/Pkx6+fcisXmUGPZ9KUiw2qiCGLFbHm5Shc7YBW lUyj9qGUj+RSXVcaHRZxx18RpvA+sgY1E7THx/2+Viwjx+zUHioFnVoEK8ft/hNV
BpiZzCEjRrp71lB5URbbY+zhf+lcAdxewbw8v0R0tJP2hzmXCqsvJnB4jcEc1YD5 KtX9+wonftW6aQgN+VGqtWu+uGwxvNe9oxzuT2OWSH2OTFirmqK27KfDpHjjWIrp
lFD/4ivgZ95pVaoV+WsjETZZd3pkvo2PQC0f/2momT+KwYAdwcPfwJH8S9FLBjKE +6S5ZGkTm8QzfVeADdmPtQ5lmYCKeugkKQpVyvxZA5lUyROvKMZ7PKLRKTTu6qFL
nQRlYRjiUUEMO7TZ9J7a8onyFxozVwH7IJMz/L2wEs0u8dPr3Rj3kpCbHD8tNCE4 B8GdQTdaw4gQY8qliAVy7NvMVVdG8RhIyxRHEKSsV+cuftRvzRo89lyY4I3GTzII
BP5s1d+S18vSKNRBYY2z7t1eyBZ+9hu1vgWR7GsAcgwCv6YTfVT8VE9RBdkglwP2 m6CbRCSNXMXWsyLFM2gd9ICn7Ax9XhuNyJ8NbeDp7f2Qr1GswKA4gJB/ybHpTOAi
Me6G1Af5KMNyQq0GDaKT/pPlS3WCdjpkOHCpw+2HfSjPVDAvWbBkrB8xQrQp8kwg f9WzUZINWeklP5ORTk84ZfHtoZsU3a6ZQUCOLg3MKHtbcvmcb4Z1R9dwKiDCREWX
mHMD9udGsfpUSQVoNxIjIeK9EfFEjgXA+53/BVuCbSL5bWQXnKCMba656z7UrWqo 59oCDmjZHsQqEzTTw/n9l9g1EHIu1l8zjAy7AzwEuup34Pwuw+Y/0JLsBrXzk869
NqVdJ7c8N7/U9fxaUaagDoziBUsV+eT58eGFRZJJHkbDZvmRthYOQnR82KSQz2cx ISAMvHy/n6uZVWmqi+PW30i8LhiRvOg4htOs5kQg4PER0+X/hapKVcVIfFP2kPYm
Neo9z3mSVA8FVRnwNaSNZiHRRKoFY+6HfDOmP5PzAIrW1/TBVYR6+5gmqou3KPqY TOrfyn1WVsJ1ltsLX0LtQimGjFguDmR2/xlcYjBCKj8lDrNov7Qq8R2yXiZtuSgZ
1I8DKkVYqlRSve+GXeFIEkeiJ8N5BZ4WZw3EglWSrP+uG7zywJ1pWNja5WNKSzX4 /YEG3GT8EmBvIXgN/1btvn0udY3edA6QxXtuLQ/aZExJqkZgWuhpgoP4A9P3GPzx
mXPdI6KxTL40V06SraUqAOhd8uqH4fEhaBJVCqtm9cdXar7dqAbkaX5RARDb/BNg Bmxg1WB+yMFlKAKbhnQkEjdPLKo7tTmonMOtpvPbuc7W7WT2Sh9jmDIV7U6tXkQA
K4m8iDRkrFCO6JYMmwWJz+q/HxY5u71szxFKUiYREeP0udxapekx6IELMwnMrdUT AGtk0TYsa1YBWMAqzP2bHNwJ1sMfdeSt9jffxrWSjj5v52qKGovhkr3EqoeCefCV
GCryJs0VJuRDsOxSyuGprz+UnhY/K7NXRmE6hIrXJQ5mjsHtyjd2vk+OzJY6mL7S POoAjnp9Fm9dOs9DTzstt3cZpHL6zQtNRdTZhrXIEZJ/JavhTd7hjJrSGJrxRt44
vRZw5FUqRvFsXXLNq/+YtRZSSZChMX0BM42prcC61PIm8qiVLs2199hKWmJmBill jKcftkwsE1jMB8uSZGpOSfqwF+jZizoREdgQh8QQ3ZQbl8UMWdTUjhhekqK0noWn
DZnTJzvm38EWBPkm5JGh4tJ9VN769kyhDtWKtZ4aEuykcPJor+Did+oYuMadKUCN qVT7KzXiTG/1DKLaot755iK7iJhyL9PTT/NCHUbnFzFkHyQjHwwwOw86s7JuTSS4
0NAuKxXAUHc/TfnSxBZxRdHWZo9vyYhiIWNoy5724yWfBH+STgNy3c+Z/JeKXvVB l0w04bEOwy5EP8RJDDSFMaW/5qJYsaefBv+0R8DTyod6VG6YRk1jTBTU9HLzlImC
YUM4J7ys2TEnTmcoR43MPrF2+bdDsgsItQjtLlBmRvRItdswFYkunuQRBYmXoNBb Md3hi4Ar4P/dxIBb7eebx4x4P5AVeecRAjNFCOlzuMobwdFWhbPhiNIigPLXl2oS
2MTTxHSU4jyM5FUxBi9XAk0mnWgo/aK/FhfE73VxvVXwfwpEkomL/TFexGzfFx7d cMxQQBGenB2eSDbJYbycXD2oZtCRghL+Snj9deFmynBCYxUe9NToXS6IqKmmvdcI
70T8RWCYgFHOuoe+O04wo2qyvCZZittRQGlInNztDCQI6lqa8TSILVgIRMgvnrcR SU4GKJDbREedfIVUdNNnK5L5goCjKHRsHamPrNGlxrEeeH/VZKh+3yKJlWahpELM
P9BUixDlFfl8x4g0lacxZm9nN5XNgnI1RTiXNXeigIciRydyeAKoV3gxY54i5jOm OdcxEaBEXRzOJW62TRm5JjluI8P0wQJCWn5TzOkNwGYCWiN+rSd5S9PhUDZ67Cjn
VFUClFfQFz+nBStRQumqxMXKa433J1l8NENmZmkc+D2TeLt8kbgNN4Zg7zKiNRFt xKvhfXyLi0j45TbHFnwpBI2b5/z29EqviRBrII2mk07DDTKFiHQA4l3Ep44dInSW
UvFEtqPxQSiFgLCjrMH2wLkq79EtP/Zfpok/1iGbKfT+/bhDFB0iWE0AdIAa0oiu WVRzzcAhDaO0A/wiDS25AhU2P0Bq9LpaQAoQwYOcK70YfY11EybNHey0CGHvuwj3
1JDsSFmoMTtMHgywSvVxaDVE4/0C81D3foLERbc+dwo00+YyROrQ74+mNoFrY4vd hEWQeH7WgqafRj/lnScLdlgw78Disc8DqiNB+PlTSsyEubeVM+p2loz3mXsjLYOQ
xcDKxgkcZeZXxsUlox0F26OVZ3B7krUQC7EbBBVvdimJk7S0WXTHfR5ENz7lp1C2 lauDOCjQD6B4jGXigNFk8w+SdI9YCB4oQu5YMPXOzWA93bSmK0ZMl2ntN+1LmyWA
2gRL8Pdj9I4VsOmGAfcNPV2J5RVdRwyL9dSxCPVQ4ECrBqHSPqGbQoT7aHX9b+6A ecHlRrAZp7NzG2CGVnnsqPRcK6EJNrfI1jbCE0eYvIW/tzrmj8DAfmLsA4H2CDt2
LKCWUqC18NxrRr4dbSxcjkE4w+vPmENrDh+yR7zDgdWY03rGN/jT2CV1le69AAaq wDVEu+uDZ2UkXm21Jm7NdKIiYjmKfFMQNgkoPwFJab4FE1zV2ZK5tcTy6tPEj/rS
RTf5n+skzsWz+u09bW7b43gpwhh7YeSFKpogNZ8z2ujEr0fkrGsOWWba9z620Xls vw1u7Gg+ewB6yo6N11ZYA5Q5ivLgn2yY+1HO3e2Se3+VFdTb3mgqypEAfUADD5Xs
f/4dPKcNiJLOIOXT555xZSpsgzAtPO1g9QM+l8Q6PZjqAvGjbHsYMw5ao+iwL0qt Vy6DNpZpxx+elHr9xt0m+WF5tMCxGawbyKl/6VAsRTEV7sSIaQFpRoBilXVf/n4S
M93Uj47PxD4qqz4MwYQw8S/dtrUkvBDEoA2fVU/00Fb9XzrECDUffDxHEUmDIcJQ anTn27031AK5+QGhiO+14AK/anEODcVql+wqvnBeIju0QmhOdy23dAnlsNU2Z3ff
h/q7ZntcVp//Gy4DeEiqp63s6poWGdbDmccN3hWmzWHEI0HR7pNS/FHEzESCw9oh F620h34C3+3PQKrLzmr3Enam6jFG96nn3cpFn3jqxybbm7ipy7n6mqIeAAvPLbqu
PkZzOa76GmyDqbopneVUmtfCuBjahTjVSAv4YlAsqQMI5wUgV+bwlfB7Rm2v8X4R ZaZ7URbGlYAC8pUTO5UE5eRO5KXp1lITL7eEo8D2wGr/pXfrKVObCh82MPDpL2FS
cyka3F9xWxuC3/5vxuPyyxA1YZc/fzpOqafFCU3mGF2byOKCL0YNuoqUbQBtagHZ 6wQQAPBxEC2NE2KrwthCknHCgfjXEoq6AB8HmyjdumxC7Z3aMkr514ebh49it/I6
6rrmGqNjyVuUG15KLBF29sYlJTBYF7tAeyVx2vLJqzKPRMGL2Ph8wg8Rg58eqKgU Z18DLT4AonINWO3AGiB172Zsln4LjBIWad4PaSAAAhDu9QV4IIxjNEd8mtZ7ZUIS
gUIlCGzxGoqK1fVlrvvRATHplO77s+W/dA0svfSeD3xrtEd5oF9oQeI78A71Vmrw ZOW/JOILwh/wkN4DLby8WakjZ351Z+UIqdvKbLVY17tAc+sOYBgnJL05o6URQFqw
ZsMech54mketddbn9t2MID8rVWxTtX5xIAxnW5TBfO8DucsqbxsJNm7Edzue0C2L RSHkxjF3GxdlpwYOHQfoWeWSxQkur+aPWMhXdKiYJzlH76KF9RdlzP4i89OpDAVy
i7tDKM5ZSbkivh0C7G1w7cu9SAv7gHStu+3DKGlW7MmCfLSEGk34jRdTRUu/2KAh udz/h8cgwTD1yadB27NX31wez0RRuECGAlpEk3vyo9+VDL+NOHiG0jc5xWY4Kk2Q
cbHxHj25mDC6ZPz54FX6iDA0epm0ILVXZa75gjlfq4o9ldjKbR6yueIuc2hy7H1b P2KlaFXUwlb2qJXSNfT9uWUT+tzelYC0gJEVXVYe+DV3sr/5kLSTn8D0KpqhuGd9
QFlmx415H5TGTpjSJdjXCqvbbwphOIqsN0Qh3ZqUdaboVGipZdlFv3FH/2uxAFKW rNPkLakqfYUlDYMChE6ZDkaV1v6T4jwjgBB65RtvGRsTmhZQIz9bHl04J0xs/UZP
VMJ1CpFAWe2iLtQEgrxJ15xpsLx+zcFUfftR8vXNRwMcEffV7xQguTugGic5O0DB 5MWOsQghvEx8xtLFuXbHQAXJd8n3XjUn+OQ81olBEwXWSrMorVjHrfOKVCtaDr8g
m5Oopo6bB9wMU4tvDRosjnvMEkuwbSPLSA/8JeZFO1zCK8Pa2znYNEwHNxeHiTCT o9dIsVn6Ox77brX9902+DLuybMb0roBKcg6uQdq52Z5sQ0dUPNDI6YC0LTCxXwU4
+oouXDqdcT9dnH4cg4GeHjVDZO0I9yZL/cMDUPtqN0XySXe8Zj7VxtpQmcePklV/ IjTLwSkQqow/Igmr339Bv4fUBft+eLuVkceQnJ+C8Osu3zQ2JJfFZDa2Rvn7xhcO
RDoGKHxEVz2a16foONjtVfsoheFHLWAI47IOTFDHA/CSQLCmCqwpfZQIuX2oWRwc y4NyTdJpJHOQ2F7Pu2rh4WwTLJwf5rdwotc7UNQgXqZAhzMPNYBGp469mJK387sc
aPN4t5Qkx5TllLzL6keXkDV43/yw0dnXBQQDQ/Z4DP5GShwahyFggA/XonKYb9F0 igGndEvKsjQ9EkLoyszjY77B0FwMrF0VsoK7q5Acw9rZu/jpt4PAdRXF2uGCV9ZK
B+pz+NOOkZjcFrcFeMr4cMdffc2ACxDJZWH4BHcwM9WICqoefJHlUu65ZTBBlisJ SPrYAj2C3YvRbSscfQlczkpRZQSZUT0MiU9U12v8De29e5SYhL7wOLFKNBNVOqNO
mwP4Xapx8khsln2xXDUfhsoXu5+FHBexyVP1OUmZZ+zO3UEXPa+OwpglqrYGMueE vpF+MoY/CtjFoo/yep5W5tvGhn8y1M6uY6ERV1G2wuHbJJsV5vwal7se61U+aHmL
iXEO2lCOi6HrQCd7cvONPEwLaqavojMhsP42ywirWK7J9XuCoaEWtZjlA/Sq2D2B zMQQEvAQVd9MID6HKElepP6NJOPuirk9UfVqoLAUa2tS+H1srVAvfISxjTF4fzFg
upK6WuFMr+eE5lhrp5LFCRMJoiiwJb/bA7sMdZhg6HjIZNoNkrCvdgvLScbKxHM8 StmSJPn4B8EUdFtow9fWvDrDUEDZibmuG2bjruqday09L1NYxrj6O3Cps8u3j4Z7
4G82FAafs/fbel5mdUNEe3nOXhQX2KH1MkUhnKGv5hi9gsXLaJlQTZBFsjoT8MUX PFA0Eq6ZSVLGUCzTa/OUWWuJl318JXeXFn/wOyG/PBP49gTYDG6JX3Nv7l04WXaW
XUNdEWQ/xtGjs7eNBn/MzpP3JeByrDG0u0Tbt2whOkwhKQt+odph7sMRxwtvvniu qZXYYoyez7vzQ87B7zS2/5oCchLI3s8DhdhCLN28ZwaIgDXF4VbyqDddhpjBLtgs
ij9nA3OlSGpTEItmC1jls29sJy5/0Ojp6Y3v/ZBfG6xh0xhhjpZIoOGQoK1wdG4m w4Fdor/N3rzuCtKV5MgX/ZRGuqADwCgN78DhEuCyWWvUf8CoSAKcCx1xSZYf6rlU
m0j6TZqRKwX9FqQ9aCVY65lp/MsdXehe6/EShyT4K56KuGbpDuzoeZRshDPOvcjU PulV0jUfVRSc+jIj4Oe2HplI1qeGsK8EUCkSWGlC+UKqyqsCz9M=
A1t44vBp3aYH9gE6QfM/dg8akN+LXOM7komveAbFvcvE8KFVdfHOUJIjPyy+saX0 =gug1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=sq5B
-----END PGP MESSAGE----- -----END PGP MESSAGE-----


@ -1,11 +1,5 @@
# Dummy secrets for testing # Dummy secrets for testing
{ {
site.net = {
core.ospf.secret = "encrypted";
pub.wifi.ieee80211rKey = "2dc40abba46da9490ea0e00f93f18ce5";
c3d2.wifi.ieee80211rKey = "d1b1fa2461efc0df9e2d96579607b7f6";
};
site.hosts = { site.hosts = {
ap1.password = "encrypted"; ap1.password = "encrypted";
ap2.password = "encrypted"; ap2.password = "encrypted";
@ -64,16 +58,6 @@
ap60.password = "encrypted"; ap60.password = "encrypted";
ap61.password = "encrypted"; ap61.password = "encrypted";
ap63.password = "encrypted"; ap63.password = "encrypted";
ap64.password = "encrypted";
ap65.password = "encrypted";
ap66.password = "encrypted";
ap67.password = "encrypted";
ap68.password = "encrypted";
ap69.password = "encrypted";
ap70.password = "encrypted";
ap71.password = "encrypted";
ap72.password = "encrypted";
ap73.password = "encrypted";
switch-a1.password = "encrypted"; switch-a1.password = "encrypted";
switch-b1.password = "encrypted"; switch-b1.password = "encrypted";
switch-b2.password = "encrypted"; switch-b2.password = "encrypted";
@ -84,7 +68,6 @@
switch-dach.password = "encrypted"; switch-dach.password = "encrypted";
switch-ds1.password = "encrypted"; switch-ds1.password = "encrypted";
switch-ds2.password = "encrypted"; switch-ds2.password = "encrypted";
switch-ds3.password = "encrypted";
upstream4.interfaces.up4-pppoe.upstream = { upstream4.interfaces.up4-pppoe.upstream = {
user = "encrypted"; user = "encrypted";
@ -121,15 +104,12 @@
}; };
ap18.wifi."platform/qca953x_wmac".ssids."Restaurierung Wolff/Kober".psk = "encrypted"; ap18.wifi."platform/qca953x_wmac".ssids."Restaurierung Wolff/Kober".psk = "encrypted";
ap19.wifi."platform/qca953x_wmac".ssids = { ap19.wifi."platform/qca953x_wmac".ssids = {
"Bockwurst".psk = "encrypted"; "Studio 01127".psk = "encrypted";
"Walter".psk = "encrypted"; "Walter".psk = "encrypted";
}; };
ap2.wifi = { ap2.wifi = {
"pci0000:00/0000:00:00.0".ssids."C3D2".psk = "encrypted"; "pci0000:00/0000:00:00.0".ssids."C3D2".psk = "encrypted";
"platform/ahb/18100000.wmac".ssids = { "platform/ahb/18100000.wmac".ssids."C3D2 legacy".psk = "encrypted";
"C3D2 legacy".psk = "encrypted";
"C3D2 IoT".psk = "encrypted";
};
}; };
ap23.wifi = { ap23.wifi = {
"pci0000:00/0000:00:00.0".ssids."LBK Network".psk = "encrypted"; "pci0000:00/0000:00:00.0".ssids."LBK Network".psk = "encrypted";
@ -151,7 +131,6 @@
"pci0000:00/0000:00:00.0".ssids."C3D2".psk = "encrypted"; "pci0000:00/0000:00:00.0".ssids."C3D2".psk = "encrypted";
"platform/ahb/18100000.wmac".ssids = { "platform/ahb/18100000.wmac".ssids = {
"C3D2 legacy" = { "psk" = "encrypted"; }; "C3D2 legacy" = { "psk" = "encrypted"; };
"C3D2 IoT" = { "psk" = "encrypted"; };
"FOTOAKADEMIEdd" = { "psk" = "encrypted"; }; "FOTOAKADEMIEdd" = { "psk" = "encrypted"; };
}; };
}; };
@ -170,6 +149,7 @@
ap37.wifi = { ap37.wifi = {
"pci0000:00/0000:00:00.0".ssids."hechtfilm.de".psk = "encrypted"; "pci0000:00/0000:00:00.0".ssids."hechtfilm.de".psk = "encrypted";
"platform/ahb/18100000.wmac".ssids."hechtfilm.de legacy".psk = "encrypted"; "platform/ahb/18100000.wmac".ssids."hechtfilm.de legacy".psk = "encrypted";
"platform/ahb/18100000.wmac".ssids."LIZA".psk = "encrypted";
}; };
ap38.wifi = { ap38.wifi = {
"pci0000:00/0000:00:00.0".ssids = { "pci0000:00/0000:00:00.0".ssids = {
@ -179,7 +159,6 @@
"platform/ahb/18100000.wmac".ssids = { "platform/ahb/18100000.wmac".ssids = {
"ZW heinrichsgarten" = { "psk" = "encrypted"; }; "ZW heinrichsgarten" = { "psk" = "encrypted"; };
"plop" = { "psk" = "encrypted"; }; "plop" = { "psk" = "encrypted"; };
"millimeter" = { "psk" = "encrypted"; };
}; };
}; };
ap39.wifi."platform/10180000.wmac".ssids."EckiTino".psk = "encrypted"; ap39.wifi."platform/10180000.wmac".ssids."EckiTino".psk = "encrypted";
@ -282,45 +261,7 @@
"pci0000:00/0000:00:00.0".ssids."EckiTino".psk = "encrypted"; "pci0000:00/0000:00:00.0".ssids."EckiTino".psk = "encrypted";
"platform/ahb/18100000.wmac".ssids."EckiTino legacy".psk = "encrypted"; "platform/ahb/18100000.wmac".ssids."EckiTino legacy".psk = "encrypted";
}; };
ap64.wifi = {
"platform/ahb/18100000.wmac".ssids."Princess Castle".psk = "encrypted";
};
ap65.wifi = {
"1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0".ssids = {
"farbwerk".psk = "encrypted";
"Kaffeetasse".psk = "encrypted";
};
"1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0".ssids."farbwerk".psk = "encrypted";
};
ap66.wifi = {
"pci0000:00/0000:00:00.0".ssids."Buschfunk4.03".psk = "encrypted";
"platform/ahb/18100000.wmac".ssids."Buschfunk4.03 legacy".psk = "encrypted";
};
ap67.wifi = {
"1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0".ssids."farbwerk".psk = "encrypted";
"1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1".ssids."farbwerk".psk = "encrypted";
};
ap68.wifi = {
"1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0".ssids."farbwerk".psk = "encrypted";
"1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1".ssids."farbwerk".psk = "encrypted";
};
ap69.wifi = {
"pci0000:00/0000:00:00.0".ssids."LIZA".psk = "encrypted";
"platform/ahb/18100000.wmac".ssids."LIZA".psk = "encrypted";
};
ap7.wifi."platform/qca953x_wmac".ssids."mino".psk = "encrypted"; ap7.wifi."platform/qca953x_wmac".ssids."mino".psk = "encrypted";
ap70.wifi = {
"pci0000:00/0000:00:00.0".ssids."M".psk = "encrypted";
"platform/ahb/18100000.wmac".ssids."M legacy".psk = "encrypted";
};
ap72.wifi = {
"1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0".ssids."farbwerk".psk = "encrypted";
"1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1".ssids."farbwerk".psk = "encrypted";
};
ap73.wifi = {
"1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0".ssids."Princess Castle".psk = "encrypted";
"1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1".ssids."Princess Castle".psk = "encrypted";
};
ap8.wifi = { ap8.wifi = {
"pci0000:00/0000:00:00.0".ssids."C3D2".psk = "encrypted"; "pci0000:00/0000:00:00.0".ssids."C3D2".psk = "encrypted";
"platform/ar934x_wmac".ssids = { "platform/ar934x_wmac".ssids = {
@ -331,7 +272,7 @@
ap9.wifi."platform/qca953x_wmac".ssids."Herzzbuehne".psk = "encrypted"; ap9.wifi."platform/qca953x_wmac".ssids."Herzzbuehne".psk = "encrypted";
}; };
site.dyndnsKey = "oYmxXCIa0nArp0679L6v+y/UfnhripOudLv+R5Cop8I="; site.dyndnsKey = "SECRET";
site.vpn.wireguard = { site.vpn.wireguard = {
privateKey = "wPNXY4ED3Jz3Kz0KOmvfQOou6/wHrgqSsykaMYrtb28="; privateKey = "wPNXY4ED3Jz3Kz0KOmvfQOou6/wHrgqSsykaMYrtb28=";
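Review bot: `site.vpn.wireguard.privateKey` at the bottom of this file is a well-formed 32-byte base64 value on both sides, and one column of `site.dyndnsKey` is too, even though the file header says these are dummy secrets and every other entry is the placeholder `"encrypted"`; a key that parses as real in a committed test fixture is indistinguishable from a leak. Both values should be replaced with an obvious placeholder such as `privateKey = "SECRET";`, matching `dyndnsKey = "SECRET";`, and if either value has ever been deployed on a live host it should be rotated. Which column is the side under review is inferred from the compare direction rather than from +/- markers.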


@ -8,30 +8,17 @@
links = { links = {
switch-a2.ports = [ "7" ]; switch-a2.ports = [ "7" ];
priv25.ports = [ # Panel A2: Foyer
# A6: Kleiner Saal Schaltschrank switch-ds1.ports = [ "3" ];
"1"
# Kabinett A10
"2"
"3"
# A16: Buehne rechts unten
"4"
# artnet node
"5"
# Panel A2: Foyer
"8"
# Panel A8: Kleiner Saal Buehne
];
priv31.ports = [
# A4: Buero
"6"
];
# A3: Techniklager
# (DS23: Hackcenter vor kleinem Saal)
# A17: Grosser Saal ueber der Buehne
# switch-a2 Port 13
# Panel A6: kl Saal hinten # Panel A6: kl Saal hinten
switch-ds2.ports = [ "8" ];
priv25.ports = [
"2"
"4"
"5"
];
priv31.ports = [ "6" ];
iso4.ports = [ "1" ];
}; };
}; };
switch-a2 = { switch-a2 = {
@ -42,9 +29,6 @@
links = { links = {
switch-c1.ports = [ "1" ]; switch-c1.ports = [ "1" ];
switch-a1.ports = [ "2" ]; switch-a1.ports = [ "2" ];
switch-ds1.ports = [ "3" ];
switch-ds2.ports = [ "4" ];
switch-ds3.ports = [ "5" ];
ap44.ports = [ "10" ]; ap44.ports = [ "10" ];
ap45.ports = [ "11" ]; ap45.ports = [ "11" ];
ap46.ports = [ "12" ]; ap46.ports = [ "12" ];
@ -73,8 +57,7 @@
iso1.ports = [ "ge-0/0/2" ]; iso1.ports = [ "ge-0/0/2" ];
iso2.ports = [ "ge-0/0/3" ]; iso2.ports = [ "ge-0/0/3" ];
iso3.ports = [ "ge-0/0/4" ]; iso3.ports = [ "ge-0/0/4" ];
coloradio.ports = [ serv.ports = [
# Patchpanel C8
"ge-0/0/22" "ge-0/0/22"
]; ];
c3d2.ports = [ c3d2.ports = [
@ -133,6 +116,8 @@
ap11.ports = [ "ge-1/0/10" ]; ap11.ports = [ "ge-1/0/10" ];
ap34.ports = [ "ge-1/0/12" ]; ap34.ports = [ "ge-1/0/12" ];
ap18.ports = [ "ge-1/0/18" ]; ap18.ports = [ "ge-1/0/18" ];
ap24.ports = [ "ge-1/0/34" ];
ap25.ports = [ "ge-1/0/35" ];
ap29.ports = [ "ge-0/0/46" ]; ap29.ports = [ "ge-0/0/46" ];
ap30.ports = [ "ge-1/0/22" ]; ap30.ports = [ "ge-1/0/22" ];
ap35.ports = [ "ge-1/0/23" ]; ap35.ports = [ "ge-1/0/23" ];
@ -144,40 +129,33 @@
ap5.ports = [ "ge-1/0/7" ]; ap5.ports = [ "ge-1/0/7" ];
ap51.ports = [ "ge-1/0/13" ]; ap51.ports = [ "ge-1/0/13" ];
ap53.ports = [ "ge-0/0/7" ]; ap53.ports = [ "ge-0/0/7" ];
ap72.ports = [ "ge-1/0/38" ]; ap54.ports = [ "ge-1/0/38" ];
ap55.ports = [ "ge-1/0/19" ]; ap55.ports = [ "ge-1/0/19" ];
ap56.ports = [ "ge-1/0/9" ]; ap56.ports = [ "ge-1/0/9" ];
ap60.ports = [ "ge-1/0/20" ]; ap60.ports = [ "ge-1/0/20" ];
ap62.ports = [ "ge-0/0/11" ]; ap62.ports = [ "ge-0/0/11" ];
ap65.ports = [ "ge-0/0/9" ];
ap66.ports = [ "ge-1/0/43" ];
mgmt.ports = [ mgmt.ports = [
"ge-0/0/0" "ge-0/0/0"
"ge-1/0/0"
"ge-0/0/1" "ge-0/0/1"
"ge-1/0/1"
# server1
"ge-1/0/43"
"ge-1/0/44" "ge-1/0/44"
# server7 # server6
"ge-1/0/45" "ge-1/0/45"
# server7
"ge-1/0/46" "ge-1/0/46"
# server8 # server8
"ge-1/0/47" "ge-1/0/47"
# server9 # server9
"ge-1/0/48" "ge-1/0/48"
]; ];
flpk.ports = [
# server7
"ge-0/0/40"
];
priv1.ports = [ "ge-1/0/3" ]; priv1.ports = [ "ge-1/0/3" ];
priv19.ports = [ "ge-1/0/40" ]; priv19.ports = [ "ge-1/0/40" ];
priv2.ports = [ "ge-1/0/4" ]; priv2.ports = [ "ge-1/0/4" ];
priv24.ports = [ "ge-0/0/6" "ge-1/0/16" ]; priv24.ports = [ "ge-0/0/6" "ge-1/0/16" ];
priv3.ports = [ "ge-1/0/5" ]; priv3.ports = [ "ge-1/0/5" ];
priv30.ports = [ "ge-0/0/12" ];
priv49.ports = [ "ge-1/0/1" ];
ap67.ports = [ "ge-1/0/34" ];
ap68.ports = [ "ge-1/0/35" ];
ap69.ports = [ "ge-0/0/35" ];
ap73.ports = [ "ge-0/0/45" ];
pub.ports = [ pub.ports = [
"ge-1/0/11" "ge-1/0/11"
]; ];
@ -199,15 +177,6 @@
"ge-1/0/42" "ge-1/0/42"
]; ];
}; };
server6 = {
group = "9";
ports = [
"ge-0/0/18"
"ge-0/0/19"
"ge-1/0/0"
"ge-1/0/2"
];
};
}; };
}; };
@ -269,8 +238,11 @@
# Fenster # Fenster
ap33.ports = [ "5" ]; ap33.ports = [ "5" ];
c3d2.ports = [ "8-20" ]; c3d2.ports = [ "8-20" ];
# Testing
ap-test1.ports = [ "4" ];
bmx.ports = [ "7" ];
# tmp Datenspuren: VOC # tmp Datenspuren: VOC
iso4.ports = [ "4" "6" "7" ]; iso4.ports = [ "6" ];
}; };
}; };
@ -328,8 +300,8 @@
up3.ports = [ "3" ]; up3.ports = [ "3" ];
# unifiac-mesh # unifiac-mesh
ap57.ports = [ "10" ]; ap57.ports = [ "10" ];
# TLMS tetra and traffic-stop-box # dump-dvb traffic-stop-box
c3d2.ports = [ "19,20" ]; c3d2.ports = [ "20" ];
}; };
}; };
@ -357,30 +329,27 @@
"GigabitEthernet1/0/13" "GigabitEthernet1/0/13"
"GigabitEthernet1/0/14" "GigabitEthernet1/0/14"
"GigabitEthernet1/0/15" "GigabitEthernet1/0/15"
];
# Stage uplink
priv25.ports = [
"GigabitEthernet1/0/16" "GigabitEthernet1/0/16"
"GigabitEthernet1/0/17" "GigabitEthernet1/0/17"
"GigabitEthernet1/0/18" "GigabitEthernet1/0/18"
"GigabitEthernet1/0/19" "GigabitEthernet1/0/19"
"GigabitEthernet1/0/20"
]; ];
# Uplink
switch-a1.ports = [ "GigabitEthernet1/0/24" ];
# Freifunk # Freifunk
bmx.ports = [ bmx.ports = [
"GigabitEthernet1/0/20"
"GigabitEthernet1/0/21" "GigabitEthernet1/0/21"
"GigabitEthernet1/0/22" "GigabitEthernet1/0/22"
"GigabitEthernet1/0/23" "GigabitEthernet1/0/23"
]; ];
# Uplink
switch-a2.ports = [ "GigabitEthernet1/0/24" ];
}; };
}; };
switch-ds2 = { switch-ds2 = {
role = "switch"; role = "switch";
model = "3com-5500G"; model = "3com-5500G";
location = "Grosser Saal oben"; location = "Vor dem Kl Saal";
interfaces = { mgmt.type = "phys"; }; interfaces = { mgmt.type = "phys"; };
links = { links = {
@ -405,64 +374,16 @@
"GigabitEthernet1/0/17" "GigabitEthernet1/0/17"
"GigabitEthernet1/0/18" "GigabitEthernet1/0/18"
"GigabitEthernet1/0/19" "GigabitEthernet1/0/19"
];
# Stage uplink
priv25.ports = [
"GigabitEthernet1/0/20" "GigabitEthernet1/0/20"
"GigabitEthernet1/0/21"
]; ];
# VOC isolated # Uplink
iso4.ports = [ switch-a1.ports = [ "GigabitEthernet1/0/24" ];
# Freifunk
bmx.ports = [
"GigabitEthernet1/0/21"
"GigabitEthernet1/0/22" "GigabitEthernet1/0/22"
"GigabitEthernet1/0/23" "GigabitEthernet1/0/23"
]; ];
# Uplink
switch-a2.ports = [ "GigabitEthernet1/0/24" ];
};
};
switch-ds3 = {
firstboot = true;
role = "switch";
model = "3com-5500G";
location = "Kleiner Saal";
interfaces = { mgmt.type = "phys"; };
links = {
# Public
pub.ports = [
"GigabitEthernet1/0/1"
"GigabitEthernet1/0/2"
"GigabitEthernet1/0/3"
"GigabitEthernet1/0/4"
"GigabitEthernet1/0/5"
"GigabitEthernet1/0/6"
"GigabitEthernet1/0/7"
"GigabitEthernet1/0/8"
"GigabitEthernet1/0/9"
"GigabitEthernet1/0/10"
"GigabitEthernet1/0/11"
"GigabitEthernet1/0/12"
"GigabitEthernet1/0/13"
"GigabitEthernet1/0/14"
"GigabitEthernet1/0/15"
"GigabitEthernet1/0/16"
"GigabitEthernet1/0/17"
"GigabitEthernet1/0/18"
"GigabitEthernet1/0/19"
];
# Stage uplink
priv25.ports = [
"GigabitEthernet1/0/20"
"GigabitEthernet1/0/21"
];
# VOC isolated
iso4.ports = [
"GigabitEthernet1/0/22"
"GigabitEthernet1/0/23"
];
# Uplink
switch-a2.ports = [ "GigabitEthernet1/0/24" ];
}; };
}; };
}; };


@ -19,14 +19,11 @@ in
cluster = 6; cluster = 6;
bmx = 7; bmx = 7;
flpk = 8; flpk = 8;
coloradio = 9;
# Modems # Modems
up1 = 10; up1 = 10;
up2 = 11; up2 = 11;
up3 = 12; up3 = 12;
up4 = 13; up4 = 13;
# Isolated other stuff
c3d2iot = 20;
# Isolated neighbors directly connectied with their modems # Isolated neighbors directly connectied with their modems
iso1 = 101; iso1 = 101;
iso2 = 102; iso2 = 102;



@ -55,14 +55,10 @@ Von geeigneten Routern haben wir stets zu wenige übrig, so dass wir sie
gemeinsam kaufen und bezahlen müssen. Such dir einen aus, dann gemeinsam kaufen und bezahlen müssen. Such dir einen aus, dann
bestellen und konfigurieren wir ihn. bestellen und konfigurieren wir ihn.
* Zyxel WSM20 (Multy M1) ([25€](https://geizhals.de/zyxel-multy-m1-v101058.html))
* TP-Link Archer C7 v2 ([58€](http://geizhals.de/tp-link-archer-c7-v2-a923544.html)) * TP-Link Archer C7 v2 ([58€](http://geizhals.de/tp-link-archer-c7-v2-a923544.html))
* Ubiquiti UniFi nanoHD ([150€](https://geizhals.de/ubiquiti-unifi-nanohd-uap-nanohd-a1802819.html))
* [Jedes Gerät auf dem OpenWRT läuft](https://openwrt.org/supported_devices) * [Jedes Gerät auf dem OpenWRT läuft](https://openwrt.org/supported_devices)
Die genannten Preise sind unverbindlich und schwanken stark mit den
Situationen rund um die Straße von Malaka, Rotem Meer und
Suez-Kanal. Auf eBay gibts gebrauchte Geräte.
![WLAN-Router](https://upload.wikimedia.org/wikipedia/commons/thumb/3/34/Linksys-Wireless-G-Router.jpg/280px-Linksys-Wireless-G-Router.jpg) ![WLAN-Router](https://upload.wikimedia.org/wikipedia/commons/thumb/3/34/Linksys-Wireless-G-Router.jpg/280px-Linksys-Wireless-G-Router.jpg)
### Netzverteilung ### Netzverteilung


@ -1,53 +1,17 @@
{ {
"nodes": { "nodes": {
"dns-nix": {
"inputs": {
"flake-utils": "flake-utils",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1703643450,
"narHash": "sha256-EUUF5oxFFPX/etKm0FNQg+7MPHQlNjmM1XhNgyDf7A0=",
"owner": "SuperSandro2000",
"repo": "dns.nix",
"rev": "70dcce71560d4253f63812fa36dee994c81ae814",
"type": "github"
},
"original": {
"owner": "SuperSandro2000",
"repo": "dns.nix",
"type": "github"
}
},
"flake-utils": {
"locked": {
"lastModified": 1614513358,
"narHash": "sha256-LakhOx3S1dRjnh0b5Dg3mbZyH0ToC9I8Y2wKSkBaTzU=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "5466c5bbece17adaab2d82fae80b46e807611bf3",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1713634877, "lastModified": 1674242456,
"narHash": "sha256-+tmLKU8N+YMIIBRPmWFueaytsbSDu4wqGnxc3RKYZwk=", "narHash": "sha256-yBy7rCH7EiBe9+CHZm9YB5ii5GRa+MOxeW0oDEBO8SE=",
"owner": "SuperSandro2000", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "84f20dcf85434cd2e2a163ec3a30937c78cc26b2", "rev": "cdead16a444a3e5de7bc9b0af8e198b11bb01804",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "SuperSandro2000", "owner": "NixOS",
"ref": "nixos-23.11", "ref": "release-22.11",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
@ -55,16 +19,16 @@
"openwrt": { "openwrt": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1713442482, "lastModified": 1674227662,
"narHash": "sha256-OAcv1qiM2V6wPQm4Tz2QnnDpw34pifG6QRDZea7AP9o=", "narHash": "sha256-MtkO4sbP+75B9j2oW0/JFvosWQh8H0S95VJ3r0wl+xk=",
"ref": "openwrt-23.05", "ref": "openwrt-22.03",
"rev": "9b33b74ef71225442361d5192d3a727be212c3cd", "rev": "1bead4c521b6f6cf711fd06398d54b1a6fbbef96",
"revCount": 58296, "revCount": 54502,
"type": "git", "type": "git",
"url": "https://git.openwrt.org/openwrt/openwrt.git" "url": "https://git.openwrt.org/openwrt/openwrt.git"
}, },
"original": { "original": {
"ref": "openwrt-23.05", "ref": "openwrt-22.03",
"type": "git", "type": "git",
"url": "https://git.openwrt.org/openwrt/openwrt.git" "url": "https://git.openwrt.org/openwrt/openwrt.git"
} }
@ -76,11 +40,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1713693953, "lastModified": 1674207776,
"narHash": "sha256-DsJ/pzBSF3CxQWyiw4V3k96h7Q3UaRnQnL1N9tw+uWg=", "narHash": "sha256-XfIWLKlpFSBNqzx8Nf0hUZGOK0HhBTaFjmtsdkMnY/A=",
"owner": "astro", "owner": "astro",
"repo": "nix-openwrt-imagebuilder", "repo": "nix-openwrt-imagebuilder",
"rev": "d4dc8c84f4397be494ae834709276f099df892e7", "rev": "f9b70efd4254e905a700361e3052fc4860dda73c",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -91,7 +55,6 @@
}, },
"root": { "root": {
"inputs": { "inputs": {
"dns-nix": "dns-nix",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",
"openwrt": "openwrt", "openwrt": "openwrt",
"openwrt-imagebuilder": "openwrt-imagebuilder" "openwrt-imagebuilder": "openwrt-imagebuilder"


@ -2,13 +2,9 @@
description = "Zentralwerk network"; description = "Zentralwerk network";
inputs = { inputs = {
dns-nix = { nixpkgs.url = "github:NixOS/nixpkgs/release-22.11";
url = "github:SuperSandro2000/dns.nix";
inputs.nixpkgs.follows = "nixpkgs";
};
nixpkgs.url = "github:SuperSandro2000/nixpkgs/nixos-23.11";
openwrt = { openwrt = {
url = "git+https://git.openwrt.org/openwrt/openwrt.git?ref=openwrt-23.05"; url = "git+https://git.openwrt.org/openwrt/openwrt.git?ref=openwrt-22.03";
flake = false; flake = false;
}; };
openwrt-imagebuilder = { openwrt-imagebuilder = {
@ -17,7 +13,7 @@
}; };
}; };
outputs = inputs@{ self, dns-nix, nixpkgs, openwrt, openwrt-imagebuilder }: outputs = inputs@{ self, nixpkgs, openwrt, openwrt-imagebuilder }:
let let
system = "x86_64-linux"; system = "x86_64-linux";
systems = [ system ]; systems = [ system ];
@ -30,15 +26,16 @@
specialArgs = { specialArgs = {
hostName = name; hostName = name;
inherit (self) lib; inherit (self) lib;
inherit inputs dns-nix self; inherit inputs self;
}; };
}; };
in { in {
# Config, and utilities # Config, and utilities
lib = nixpkgs.lib.extend (_final: _prev: lib = nixpkgs.lib.extend (_final: _prev:
import ./nix/lib { import ./nix/lib {
inherit self openwrt; inherit self;
inherit (nixpkgs.legacyPackages.x86_64-linux) lib pkgs; inherit openwrt;
pkgs = nixpkgs.legacyPackages.x86_64-linux;
}); });
# Everything that can be built locally outside of NixOS # Everything that can be built locally outside of NixOS


@ -148,12 +148,6 @@ let
type = with types; attrsOf (attrsOf str); type = with types; attrsOf (attrsOf str);
default = {}; default = {};
}; };
ospf = {
secret = mkOption {
type = with types; nullOr str;
default = null;
};
};
dhcp = mkOption { dhcp = mkOption {
type = with types; nullOr (submodule { options = dhcpOpts; }); type = with types; nullOr (submodule { options = dhcpOpts; });
default = null; default = null;
@ -178,7 +172,7 @@ let
type = enum [ "A" "AAAA" "MX" "SRV" "CNAME" "TXT" ]; type = enum [ "A" "AAAA" "MX" "SRV" "CNAME" "TXT" ];
}; };
data = mkOption { data = mkOption {
type = oneOf [ str (attrsOf (oneOf [ int str ])) ]; type = str;
}; };
}; };
}); });
@ -194,13 +188,6 @@ let
type = with types; nullOr int; type = with types; nullOr int;
default = null; default = null;
}; };
wifi.ieee80211rKey = mkOption {
type = with types; nullOr str;
default = null;
description = ''
Key between WiFi access points for Fast Transition
'';
};
}; };
}; };
@ -397,35 +384,10 @@ let
}; }); }; });
default = []; default = [];
}; };
ospf.stubNets4 = mkOption {
type = with types; listOf str;
default = [];
description = "Additional IPv4 networks to announce";
};
ospf.stubNets6 = mkOption {
type = with types; listOf str;
default = [];
description = "Additional IPv6 networks to announce";
};
ospf.allowedUpstreams = mkOption {
type = with types; listOf str;
default = [];
description = "Accept default routes from these OSPF routers, in order of preference";
};
ospf.allowedUpstreams6 = mkOption {
type = with types; listOf str;
default = config.site.hosts.${name}.ospf.allowedUpstreams;
description = "Accept IPv6 default routes from these OSPF3 routers, in order of preference";
};
ospf.upstreamInstance = mkOption {
type = with types; nullOr int;
default = null;
description = "OSPF instance for advertising the default route";
};
bgp = mkOption { bgp = mkOption {
default = null; default = null;
type = with types; nullOr (submodule { type = with types; nullOr (submodule {
options = bgpOpts; options = bgpOpts name;
}); });
}; };
services.dns = { services.dns = {
@ -446,19 +408,10 @@ let
wifi = mkOption { wifi = mkOption {
default = {}; default = {};
type = with types; attrsOf (submodule ( type = with types; attrsOf (submodule (
{ config, ... }: { { ... }: {
options = { options = {
band = mkOption {
type = enum [ "2g" "5g" ];
default =
if config.channel >= 1 && config.channel <= 14
then "2g"
else if config.channel >= 32 && config.channel <= 177
then "5g"
else throw "What band is channel ${toString config.channel}?";
};
htmode = mkOption { htmode = mkOption {
type = enum [ "HT20" "HT40-" "HT40+" "HT40" "VHT80" ]; type = enum [ "HT20" "HT40-" "HT40+" "VHT80" ];
}; };
channel = mkOption { channel = mkOption {
type = int; type = int;
@ -473,10 +426,6 @@ let
type = nullOr str; type = nullOr str;
default = null; default = null;
}; };
hidden = mkOption {
type = bool;
default = false;
};
encryption = mkOption { encryption = mkOption {
type = enum [ "none" "owe" "wpa2" "wpa3" ]; type = enum [ "none" "owe" "wpa2" "wpa3" ];
default = default =
@ -492,13 +441,6 @@ let
type = nullOr str; type = nullOr str;
default = null; default = null;
}; };
disassocLowAck = mkOption {
type = bool;
default = true;
description = ''
Disable for wireless bridges.
'';
};
}; };
})); }));
}; };
@ -516,20 +458,52 @@ let
}; };
}; };
bgpOpts = { bgpOpts = hostName: {
asn = mkOption { asn = mkOption {
type = types.int; type = types.int;
default = config.site.bgp.asn;
}; };
peers = mkOption { peers = mkOption {
type = with types; attrsOf (submodule ({ ... }: { type = with types; attrsOf (submodule (submoduleArg: {
options = { options = {
asn = mkOption { asn = mkOption {
type = types.int; type = types.int;
default = config.site.bgp.asn;
};
name = mkOption {
type = types.str;
};
type = mkOption {
type = types.enum [ "external" "rr_server" "rr_client" "upstream" ];
}; };
}; };
})); }));
default = {}; default = {};
}; };
nets4 = mkOption {
type = with types; listOf str;
default = [];
description = "Additional IPv4 networks to announce";
};
nets6 = mkOption {
type = with types; listOf str;
default = [];
description = "Additional IPv6 networks to announce";
};
allowedUpstreams = mkOption {
type = with types; listOf str;
default = [];
description = "Accept default routes from these BGP routers, in order of preference";
};
allowedUpstreams6 = mkOption {
type = with types; listOf str;
default = config.site.hosts.${hostName}.bgp.allowedUpstreams;
description = "Accept IPv6 default routes from these BGP routers, in order of preference";
};
upstreamTable = mkOption {
type = with types; nullOr str;
default = null;
};
}; };
linkOpts = hostName: { name, ... }: { linkOpts = hostName: { name, ... }: {
@ -604,6 +578,11 @@ in
type = with types; attrsOf (submodule netOpts); type = with types; attrsOf (submodule netOpts);
}; };
net-combined = mkOption {
description = "All hosts of all subnets";
default = {};
type = with types; submodule netOpts;
};
hosts = mkOption { hosts = mkOption {
description = "All the static hosts"; description = "All the static hosts";
@ -635,6 +614,12 @@ in
default = "secret"; default = "secret";
}; };
}; };
bgp = {
asn = mkOption {
type = types.int;
};
};
}; };
config.warnings = config.warnings =
@ -655,16 +640,16 @@ in
reportCollisions = name: getter: xs: reportCollisions = name: getter: xs:
map (k: "Duplicate ${name}: ${k}") (findCollisions getter xs); map (k: "Duplicate ${name}: ${k}") (findCollisions getter xs);
ospfUpstreamXorGw = bgpUpstreamXorGw =
builtins.concatMap (hostName: builtins.concatMap (hostName:
let let
hostConf = config.site.hosts.${hostName}; hostConf = config.site.hosts.${hostName};
gwNets = builtins.filter (netName: gwNets = builtins.filter (netName:
hostConf.interfaces.${netName}.gw4 != null hostConf.interfaces.${netName}.gw4 != null
) (builtins.attrNames hostConf.interfaces); ) (builtins.attrNames hostConf.interfaces);
in if gwNets != [] && hostConf.ospf.allowedUpstreams != [] in if gwNets != [] && hostConf.bgp.allowedUpstreams or [] != []
then [ '' then [ ''
Host ${hostName} has gateway on ${builtins.head gwNets} but accepts default routes from OSPF Host ${hostName} has gateway on ${builtins.head gwNets} but accepts default routes from BGP
'' ] '' ]
else [] else []
) (builtins.attrNames config.site.hosts); ) (builtins.attrNames config.site.hosts);
@ -672,7 +657,7 @@ in
(reportCollisions "VLAN tag" (x: lib.optional (x.vlan != null) x.vlan) config.site.net) ++ (reportCollisions "VLAN tag" (x: lib.optional (x.vlan != null) x.vlan) config.site.net) ++
(reportCollisions "IPv4 subnet" (x: if x.subnet4 == null then [] else [x.subnet4]) config.site.net) ++ (reportCollisions "IPv4 subnet" (x: if x.subnet4 == null then [] else [x.subnet4]) config.site.net) ++
(reportCollisions "IPv6 subnet" (x: builtins.attrValues x.subnets6) config.site.net) ++ (reportCollisions "IPv6 subnet" (x: builtins.attrValues x.subnets6) config.site.net) ++
ospfUpstreamXorGw; bgpUpstreamXorGw;
config.assertions = config.assertions =
# Duplicate host/net name check # Duplicate host/net name check
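Review bot: The new `bgpOpts` options `name`, `type` and `upstreamTable` are declared without a `description`, while their siblings `nets4`, `nets6`, `allowedUpstreams` and `allowedUpstreams6` document what they do; `type` in particular selects which BIRD template a peer is instantiated from (the templates on this page are commented `# zentralwerk-network` for the rr ones, `# dn42` for external and `# emitting default routes` for upstream), so a line such as `description = "Peer role: external (dn42 peer), rr_server / rr_client (internal route reflection) or upstream (default-route provider)";` would let a reader pick a value without opening bird.nix. `upstreamTable` likewise deserves a sentence saying it names the BIRD table the upstream sessions import into, since that is all the module does with it. The `submoduleArg:` parameter of the `peers` submodule is bound but never referenced; the previous `{ ... }:` form is the conventional way to write that. The enclosing `let` of this options file starts outside the hunk.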


@ -1,13 +1,13 @@
{ self, lib, openwrt, pkgs }: { self, pkgs, openwrt }:
rec { rec {
inherit (import ./config { inherit self pkgs; }) config; config = (import ./config { inherit self pkgs; }).config;
netmasks = import ./netmasks.nix; netmasks = import ./netmasks.nix;
subnet = import ./subnet { inherit pkgs; }; subnet = import ./subnet { inherit pkgs; };
dns = import ./dns.nix { inherit config lib; }; dns = import ./dns.nix { inherit pkgs config; };
openwrtModels = import ./openwrt-models.nix { inherit self openwrt; }; openwrtModels = import ./openwrt-models.nix { inherit self openwrt; };


@ -1,18 +1,17 @@
{ config, lib }: { pkgs, config }:
let
lib = pkgs.lib;
in
rec { rec {
ns = "dns.serv.zentralwerk.org"; ns = "dns.serv.zentralwerk.org";
internalNS = [ ns ]; internalNS = [ ns ];
# public servers (slaves) # public servers (slaves)
publicNS = [ publicNS = [ "ns.c3d2.de" "ns.spaceboyz.net" ];
"ns.c3d2.de"
"ns.spaceboyz.net"
"ns1.supersandro.de"
];
publicIPv4 = config.site.hosts.upstream4.interfaces.up4-pppoe.upstream.staticIpv4Address; publicIPv4 = config.site.hosts.upstream4.interfaces.up4-pppoe.upstream.staticIpv4Address;
dynamicReverseZones4 = [ dynamicReverseZones = [
"73.20.172.in-addr.arpa" "73.20.172.in-addr.arpa"
"74.20.172.in-addr.arpa" "74.20.172.in-addr.arpa"
"75.20.172.in-addr.arpa" "75.20.172.in-addr.arpa"
@ -21,12 +20,6 @@ rec {
"78.20.172.in-addr.arpa" "78.20.172.in-addr.arpa"
"79.20.172.in-addr.arpa" "79.20.172.in-addr.arpa"
"99.22.172.in-addr.arpa" "99.22.172.in-addr.arpa"
"22.10.in-addr.arpa"
];
dynamicReverseZones6 = [
"2.0.0.0.c.2.0.8.1.8.0.0.a.2.ip6.arpa"
"4.1.b.a.c.a.2.8.3.5.f.0.a.2.ip6.arpa"
"5.0.2.d.3.c.2.4.0.0.3.2.d.f.ip6.arpa"
]; ];
mapI = start: end: f: mapI = start: end: f:
@ -99,7 +92,7 @@ rec {
"${zone}" = true; "${zone}" = true;
} }
) {} (builtins.attrNames reverseHosts4) ) {} (builtins.attrNames reverseHosts4)
) ++ dynamicReverseZones4 ) ++ dynamicReverseZones
); );
# turns `::` into `0000:0000:0000:0000:0000:0000:0000:0000` # turns `::` into `0000:0000:0000:0000:0000:0000:0000:0000`
@ -192,7 +185,11 @@ rec {
} { } {
name = "zentralwerk.dn42"; name = "zentralwerk.dn42";
ns = internalNS; ns = internalNS;
records = [ ]; records = [ {
name = "ipa";
type = "A";
data = config.site.net.serv.hosts4.ipa;
} ];
} { } {
name = "dyn.zentralwerk.org"; name = "dyn.zentralwerk.org";
ns = publicNS; ns = publicNS;
@ -244,7 +241,7 @@ rec {
builtins.filter (lib.hasSuffix ".${zone}") builtins.filter (lib.hasSuffix ".${zone}")
(builtins.attrNames reverseHosts4) (builtins.attrNames reverseHosts4)
); );
dynamic = builtins.elem zone dynamicReverseZones4; dynamic = builtins.elem zone dynamicReverseZones;
}) reverseZones4 }) reverseZones4
++ ++
builtins.concatMap (ctx: builtins.concatMap (ctx:
@ -263,7 +260,6 @@ rec {
builtins.filter (lib.hasSuffix ".${zone}") builtins.filter (lib.hasSuffix ".${zone}")
(builtins.attrNames reverseHosts6.${ctx}) (builtins.attrNames reverseHosts6.${ctx})
); );
dynamic = builtins.elem zone dynamicReverseZones6;
}) reverseZones6.${ctx} }) reverseZones6.${ctx}
) (builtins.attrNames reverseZones6); ) (builtins.attrNames reverseZones6);
} }


@ -95,9 +95,7 @@ let
ucidef_set_interfaces_lan_wan.ports = ucidef_set_interfaces_lan_wan.ports =
makeLinkFromArg "lan" (builtins.elemAt args 0) // makeLinkFromArg "lan" (builtins.elemAt args 0) //
self.lib.optionalAttrs (builtins.length args > 1) ( makeLinkFromArg "wan" (builtins.elemAt args 1);
makeLinkFromArg "wan" (builtins.elemAt args 1)
);
}; };
in in
if commands ? ${command} if commands ? ${command}
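Review bot: `makeLinkFromArg "wan" (builtins.elemAt args 1)` is now evaluated unconditionally, so if any board script calls `ucidef_set_interfaces_lan_wan` with only a LAN argument, `builtins.elemAt` aborts the whole evaluation with an index-out-of-range error instead of producing a LAN-only port set; the dropped guard `self.lib.optionalAttrs (builtins.length args > 1) (makeLinkFromArg "wan" (builtins.elemAt args 1))` is what kept that case working. If single-argument calls are known not to occur, a comment saying so above the `ports =` line would at least make the assumption visible. The enclosing `commands` attribute set starts outside the hunk.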


@ -90,7 +90,7 @@ in
Host "inbert.c3d2.de" Host "inbert.c3d2.de"
Host "heise.de" Host "heise.de"
''; '';
}) (lib.optionalAttrs config.services.kea.dhcp4.enable { }) (lib.optionalAttrs config.services.dhcpd4.enable {
plugins.exec = plugins.exec =
let let
maxTimeout = builtins.foldl' (maxTimeout: net: maxTimeout = builtins.foldl' (maxTimeout: net:
@ -117,11 +117,11 @@ in
}) ]; }) ];
systemd.services.collectd = lib.mkIf config.services.kea.dhcp4.enable { systemd.services.collectd = lib.mkIf config.services.dhcpd4.enable {
after = [ "kea-dhcp4-server.service" ]; after = [ "dhcpd4.service" ];
}; };
security.wrappers = lib.mkIf config.services.kea.dhcp4.enable { security.wrappers = lib.mkIf config.services.dhcpd4.enable {
collectd-dhcpcount = collectd-dhcpcount =
let let
dhcpcount = pkgs.runCommand "dhcpcount" { dhcpcount = pkgs.runCommand "dhcpcount" {


@ -1,28 +1,36 @@
#!/usr/bin/env ruby #!/usr/bin/env ruby
require 'csv' require 'date'
INTERVAL = 60 INTERVAL = 300
TIMEOUT = ARGV[0].to_i # TODO: now unused TIMEOUT = ARGV[0].to_i
hostname = CSV::readlines("/proc/sys/kernel/hostname").join.strip hostname = IO::readlines("/proc/sys/kernel/hostname").join.strip
STDOUT.sync = true STDOUT.sync = true
loop do loop do
seen = {} seen = {}
count = 0 count = 0
now = Time.now.to_i
CSV::readlines("/var/lib/kea/kea-leases4.csv", headers: true).each do |rec| addr = nil
h = rec.to_h starts = nil
addr = h["hwaddr"]
next unless addr
last = h["expire"].to_i
elapsed = now - last
next if elapsed >= TIMEOUT
unless seen[addr] IO::readlines("/var/lib/dhcpd4/dhcpd.leases").each do |line|
count += 1 if line =~ /^lease (.+) \{/
seen[addr] = true addr = $1
starts = nil
elsif line =~ /starts \d+ (.+?);/
starts = DateTime.parse($1).to_time
elsif line =~ /^\}/
now = Time.now
if starts and
now >= starts and now < starts + TIMEOUT
unless seen[addr]
count += 1
seen[addr] = true
end
end
end end
end end
puts "PUTVAL \"#{hostname}/exec-dhcpd/current_sessions-leases\" interval=#{INTERVAL} N:#{count}" puts "PUTVAL \"#{hostname}/exec-dhcpd/current_sessions-leases\" interval=#{INTERVAL} N:#{count}"
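Review bot: The lease scan in the `elsif line =~ /^\}/` branch counts every lease block whose `starts` lies within TIMEOUT, but an ISC `dhcpd.leases` file also carries an `ends` line and a `binding state` line per lease, so a lease that dhcpd has already expired or released (`binding state free`) is still counted as a current session as long as it started recently enough. Tracking the `binding state` value the same way `starts` is tracked and counting only `active` leases (or comparing `ends` against `now`) would make the gauge match what dhcpd considers live. Note also that `starts` is reset only on a `lease` line, so a brace-closed non-lease block following a lease re-evaluates the previous lease's timestamps; `seen[addr]` keeps that from double counting, but resetting `starts = nil` after the `}` branch would be cleaner. The `loop do` body continues past the end of the hunk.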


@ -25,6 +25,42 @@ let
n = n; n = n;
x = builtins.head list; x = builtins.head list;
} ] ++ (enumerate (n + 1) (builtins.tail list)); } ] ++ (enumerate (n + 1) (builtins.tail list));
nets4 =
hostConf.bgp.nets4
++
builtins.concatMap (net:
if net != "core"
then
let
subnet4 = config.site.net.${net}.subnet4 or null;
in lib.optional (subnet4 != null) subnet4
else
[]
) (builtins.attrNames hostConf.interfaces);
nets6 =
hostConf.bgp.nets6
++
builtins.concatMap (net:
if net != "core"
then
builtins.attrValues config.site.net.${net}.subnets6 or {}
else
[]
) (builtins.attrNames hostConf.interfaces);
upstreamsToOrder = upstreams:
builtins.foldl' (order: { n, x }:
order // {
${x} = n;
}
) {} (enumerate 1 upstreams);
upstream4Order = upstreamsToOrder hostConf.bgp.allowedUpstreams;
upstream6Order = upstreamsToOrder hostConf.bgp.allowedUpstreams6;
allowedUpstreams = lib.unique (
hostConf.bgp.allowedUpstreams ++ hostConf.bgp.allowedUpstreams6
);
in in
{ {
services.bird2 = { services.bird2 = {
@ -35,31 +71,13 @@ in
protocol kernel K4 { protocol kernel K4 {
learn; learn;
ipv4 { ipv4 {
${if isUpstream export all;
then ''
# Install all routes but the default route on upstreams
export where net != 0.0.0.0/0;
# Learn the upstream default route
import where net = 0.0.0.0/0;
''
else ''
export all;
''}
}; };
} }
protocol kernel K6 { protocol kernel K6 {
learn; learn;
ipv6 { ipv6 {
${if isUpstream export all;
then ''
# Install all routes but the default route on upstreams
export where net != ::/0;
# Learn the upstream default route
import where net = ::/0;
''
else ''
export all;
''}
}; };
} }
protocol device { protocol device {
@ -84,10 +102,7 @@ in
check link yes; check link yes;
} }
${lib.optionalString ( ${lib.optionalString (hostConf.bgp.upstreamTable != null) ''
builtins.match "anon.*" hostName != null ||
hostName == "flpk-gw"
) ''
# BIRD routing table for Wireguard transport # BIRD routing table for Wireguard transport
ipv4 table vpn_table; ipv4 table vpn_table;
@ -112,14 +127,6 @@ in
min ra interval 10; min ra interval 10;
max ra interval 60; max ra interval 60;
solicited ra unicast yes; solicited ra unicast yes;
${if (config.site.net.${net}.dhcp.server or null) == null
then ''
# Do not use DHCP6.
managed no;
'' else ''
# Use DHCP6 for DynDNS.
managed yes;
''}
${builtins.concatStringsSep "\n" ( ${builtins.concatStringsSep "\n" (
map (subnet6: '' map (subnet6: ''
@ -136,235 +143,6 @@ in
} }
''} ''}
# OSPFv2 for site-local IPv4
protocol ospf v2 ZW4 {
ipv4 {
import all;
# OSPF is self-contained
export none;
};
area 0 {
${builtins.concatStringsSep "\n" (
builtins.attrValues (
builtins.mapAttrs (net: _:
# Enable OSPF only on networks with a secret.
if config.site.net ? "${net}" && config.site.net.${net}.ospf.secret != null
then ''
interface "${net}" {
hello 10;
wait 20;
authentication cryptographic;
password "${config.site.net.${net}.ospf.secret}";
};
''
else ''
interface "${net}" {
stub yes;
cost 10;
};
''
) hostConf.interfaces
)
)}
${builtins.concatStringsSep "\n" (
map (stubnet4: ''
# Advertise additional route
stubnet ${stubnet4} {};
'') hostConf.ospf.stubNets4
)}
};
}
${lib.optionalString isUpstream ''
# OSPFv2 to advertise my default route
protocol ospf v2 ZW4_${hostNameEscaped} {
ipv4 {
export where net = 0.0.0.0/0;
};
area 0 {
${builtins.concatStringsSep "\n" (
builtins.attrValues (
builtins.mapAttrs (net: _:
# Enable OSPF only on interfaces with a secret.
lib.optionalString (config.site.net.${net}.ospf.secret != null) ''
interface "${net}" instance ${toString hostConf.ospf.upstreamInstance} {
# Become the designated router
priority 10;
hello 10;
wait 20;
authentication cryptographic;
password "${config.site.net.${net}.ospf.secret}";
};
''
) hostConf.physicalInterfaces
)
)}
};
}
''}
${(
builtins.foldl' ({ text, n }: upstream: {
text = ''
${text}
# OSPFv2 to receive a default route from ${upstream}
protocol ospf v2 ZW4_${
builtins.replaceStrings [ "-" ] [ "_" ] upstream
} {
ipv4 {
import filter {
preference = preference + ${toString (100 - n)};
accept;
};
${lib.optionalString (
builtins.match "anon.*" hostName != null ||
hostName == "flpk-gw"
) ''
table vpn_table;
''}
};
area 0 {
${builtins.concatStringsSep "\n" (
builtins.attrValues (
builtins.mapAttrs (net: _:
# Enable OSPF only on interfaces with a secret.
lib.optionalString (config.site.net.${net}.ospf.secret != null) ''
interface "${net}" instance ${
builtins.replaceStrings [ "-" ] [ "_" ] (
toString config.site.hosts.${upstream}.ospf.upstreamInstance
)
} {
hello 10;
wait 20;
authentication cryptographic;
password "${config.site.net.${net}.ospf.secret}";
};
''
) hostConf.physicalInterfaces
)
)}
};
}
'';
n = n + 1;
}) { text = ""; n = 0; } hostConf.ospf.allowedUpstreams
).text}
# OSPFv3 for site-local IPv6
protocol ospf v3 ZW6 {
ipv6 {
import all;
# OSPF is self-contained
export none;
};
area 0 {
${builtins.concatStringsSep "\n" (
builtins.attrValues (
builtins.mapAttrs (net: _:
# Enable OSPF only on networks with a secret.
if config.site.net.${net}.ospf.secret != null
then ''
interface "${net}" {
hello 10;
wait 20;
authentication cryptographic;
password "${config.site.net.${net}.ospf.secret}";
};
''
else ''
interface "${net}" {
stub yes;
cost 10;
};
''
) hostConf.physicalInterfaces
)
)}
${builtins.concatStringsSep "\n" (
map (stubnet6: ''
# Advertise additional route
stubnet ${stubnet6} {};
'')
hostConf.ospf.stubNets6
)}
};
}
${lib.optionalString isUpstream ''
# OSPFv3 to advertise my default route
protocol ospf v3 ZW6_${hostNameEscaped} {
ipv6 {
export where net = ::/0;
};
area 0 {
${builtins.concatStringsSep "\n" (
builtins.attrValues (
builtins.mapAttrs (net: _:
# Enable OSPF only on interfaces with a secret.
lib.optionalString (config.site.net.${net}.ospf.secret != null) ''
interface "${net}" instance ${toString hostConf.ospf.upstreamInstance} {
# Become the designated router
priority 10;
hello 10;
wait 20;
authentication cryptographic;
password "${config.site.net.${net}.ospf.secret}";
};
''
) hostConf.physicalInterfaces
)
)}
};
}
''}
${lib.optionalString (builtins.match "anon.*" hostName == null) (
builtins.foldl' ({ text, n }: upstream: {
text = ''
${text}
# OSPFv3 to receive a default route from ${upstream}
protocol ospf v3 ZW6_${
builtins.replaceStrings [ "-" ] [ "_" ] upstream
} {
ipv6 {
import filter {
preference = preference + ${toString (100 - n)};
accept;
};
};
area 0 {
${builtins.concatStringsSep "\n" (
builtins.attrValues (
builtins.mapAttrs (net: _:
# Enable OSPF only on interfaces with a secret.
lib.optionalString (config.site.net.${net}.ospf.secret != null) ''
interface "${net}" instance ${
builtins.replaceStrings [ "-" ] [ "_" ] (
toString config.site.hosts.${upstream}.ospf.upstreamInstance
)
} {
hello 10;
wait 20;
authentication cryptographic;
password "${config.site.net.${net}.ospf.secret}";
};
''
) hostConf.physicalInterfaces
)
)}
};
}
'';
n = n + 1;
}) { text = ""; n = 0; } hostConf.ospf.allowedUpstreams6
).text}
# Zentralwerk DN42 # Zentralwerk DN42
protocol static { protocol static {
ipv4; ipv4;
@ -378,31 +156,146 @@ in
} }
${lib.optionalString (hostConf.bgp != null) '' ${lib.optionalString (hostConf.bgp != null) ''
template bgp bgppeer { # zentralwerk-network
template bgp bgp_rr_server {
local as ${toString hostConf.bgp.asn}; local as ${toString hostConf.bgp.asn};
direct;
ipv4 { ipv4 {
import all; import filter {
export where source=RTS_STATIC; preference = preference + 200;
accept;
};
${lib.optionalString (nets4 != []) ''
export where net ~ [ ${lib.concatMapStringsSep ", " (n: "${n}") nets4} ];
''}
}; };
ipv6 { ipv6 {
import filter {
preference = preference + 200;
accept;
};
${lib.optionalString (nets6 != []) ''
export where net ~ [ ${lib.concatMapStringsSep ", " (n: "${n}") nets6} ];
''}
};
}
template bgp bgp_rr_client {
local as ${toString hostConf.bgp.asn};
direct;
ipv4 {
next hop self on;
import filter {
preference = preference + 200;
accept;
};
${lib.optionalString (nets4 != []) ''
export where net ~ [ ${lib.concatMapStringsSep ", " (n: "${n}") nets4} ];
''}
};
ipv6 {
next hop self on;
import filter {
preference = preference + 200;
accept;
};
${lib.optionalString (nets6 != []) ''
export where net ~ [ ${lib.concatMapStringsSep ", " (n: "${n}") nets6} ];
''}
};
}
# dn42
template bgp bgp_external {
local as ${toString hostConf.bgp.asn};
direct;
ipv4 {
next hop self on;
import all; import all;
export where source=RTS_STATIC; export where source = RTS_STATIC;
};
ipv6 {
next hop self on;
import all;
export where source = RTS_STATIC;
};
}
# emitting default routes
template bgp bgp_upstream {
local as ${toString hostConf.bgp.asn};
direct;
ipv4 {
next hop self on;
import all;
export where net = 0.0.0.0/0;
};
ipv6 {
next hop self on;
import all;
export where net = ::/0;
}; };
} }
${builtins.concatStringsSep "\n" ( ${lib.concatMapStrings (peer:
map ({ n, x }: let
let peerConf = hostConf.bgp.peers.${peer};
peer = x; isRange = lib.hasInfix "/" peer;
peerConf = hostConf.bgp.peers.${peer}; in ''
in '' protocol bgp bgp_${peerConf.name} from bgp_${peerConf.type} {
protocol bgp bgp_${toString n} from bgppeer { neighbor ${lib.optionalString isRange "range"} ${peer} as ${toString peerConf.asn};
neighbor ${peer} as ${toString peerConf.asn}; ${lib.optionalString isRange ''
} dynamic name "bgp_${peerConf.name}";
'' ''}
) (enumerate 1 (builtins.attrNames hostConf.bgp.peers)) ${lib.optionalString (peerConf.type == "rr") ''
)} rr client;
''}
}
'') (builtins.attrNames hostConf.bgp.peers)}
${lib.concatMapStrings ({ n, x }: let upstream = x; in ''
# upstream client instance #${toString n}
protocol bgp bgp_up_${builtins.replaceStrings ["-"] ["_"] upstream} {
local as ${toString hostConf.bgp.asn};
neighbor ${config.site.net.core.hosts6.dn42.${upstream}} as ${toString hostConf.bgp.asn};
direct;
ipv4 {
${if (upstream4Order ? ${upstream})
then ''
import filter {
preference = preference + ${toString (100 - upstream4Order.${upstream})};
accept;
};
''
else ''
import none;
''}
${lib.optionalString (nets4 != []) ''
export where net ~ [ ${lib.concatMapStringsSep ", " (n: "${n}") nets4} ];
''}
${lib.optionalString (hostConf.bgp.upstreamTable != null) ''
table ${hostConf.bgp.upstreamTable};
''}
};
ipv6 {
${if (upstream4Order ? ${upstream})
then ''
import filter {
preference = preference + ${toString (100 - upstream4Order.${upstream})};
accept;
};
''
else ''
import none;
''}
${lib.optionalString (nets6 != []) ''
export where net ~ [ ${lib.concatMapStringsSep ", " (n: "${n}") nets6} ];
''}
};
}
'') (enumerate 1 allowedUpstreams)}
''} ''}
''; '';
}; };
@ -447,7 +340,7 @@ in
User = "bird2"; User = "bird2";
Group = "bird2"; Group = "bird2";
}; };
path = with pkgs; [ bird2 iputils ]; path = [ pkgs.bird2 "/run/wrappers" ];
script = '' script = ''
STATE=unknown STATE=unknown
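Review bot: In the peer loop, `${lib.optionalString (peerConf.type == "rr") '' rr client; ''}` can never fire, because the `type` option declared in options.nix only admits `external`, `rr_server`, `rr_client` and `upstream`; presumably the intended check is `peerConf.type == "rr_client"`, so that sessions instantiated from `bgp_rr_server` mark the reflector clients as such. In the per-upstream `ipv6 { … }` block the preference is taken from `upstream4Order` (both the `${if (upstream4Order ? ${upstream})` test and the `100 - upstream4Order.${upstream}` line) while `upstream6Order`, built from `allowedUpstreams6` in the `let`, is never used; both lines should read `upstream6Order` there, otherwise `allowedUpstreams6` has no effect on IPv6 preference. The `bgp_external` template still uses `import all;` from foreign ASes with no import filter, so a peer could announce `0.0.0.0/0`, `::/0` or one of the site's own `nets4`/`nets6` prefixes and have it installed into the kernel table; an import filter rejecting the default routes and the locally announced prefixes would bound that. The `services.bird2.config` string and the enclosing `let` start outside the hunk.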


@ -1,4 +1,4 @@
{ config, lib, modulesPath, pkgs, ... }: { config, lib, modulesPath, ... }:
{ {
imports = [ imports = [
@ -6,13 +6,18 @@
(modulesPath + "/virtualisation/lxc-container.nix") (modulesPath + "/virtualisation/lxc-container.nix")
]; ];
environment = { boot = {
etc."machine-id".text = builtins.substring 0 8 (builtins.hashString "sha256" config.networking.hostName); isContainer = true;
systemPackages = with pkgs; [ loader = {
ripgrep initScript.enable = true;
]; };
}; };
environment.etc."machine-id".text =
builtins.substring 0 8 (
builtins.hashString "sha256" config.networking.hostName
);
nix = { nix = {
settings = { settings = {
sandbox = false; sandbox = false;


@ -8,331 +8,98 @@ let
dhcp.server == hostName dhcp.server == hostName
) config.site.net; ) config.site.net;
concatMapDhcpNets = f:
lib.pipe dhcpNets [
(builtins.mapAttrs f)
builtins.attrValues
(map (r: if builtins.isList r then r else [ r ]))
builtins.concatLists
];
enabled = builtins.length (builtins.attrNames dhcpNets) > 0; enabled = builtins.length (builtins.attrNames dhcpNets) > 0;
in in
{ {
services.kea.dhcp4 = lib.mkIf enabled { services.dhcpd4 = lib.optionalAttrs enabled {
enable = true; enable = true;
settings = { interfaces = builtins.attrNames dhcpNets;
interfaces-config.interfaces = builtins.attrNames dhcpNets;
dhcp-ddns.enable-updates = true;
ddns-send-updates = true;
# TODO: use with kea >= 2.5.0
# ddns-conflict-resolution-mode = "check-exists-with-dhcid";
ddns-use-conflict-resolution = false;
ddns-replace-client-name = "when-not-present";
expired-leases-processing.hold-reclaimed-time = builtins.foldl' lib.max
3600 (concatMapDhcpNets (net: { dhcp, ... }: dhcp.max-time));
subnet4 = concatMapDhcpNets (net: { vlan, subnet4, hosts4, dhcp, domainName, ... }: { extraConfig = ''
id = vlan; ${builtins.concatStringsSep "\n" (
subnet = subnet4; builtins.attrValues (
pools = [ { builtins.mapAttrs (net: { dhcp, subnet4Net, subnet4Len, domainName, ...}:
pool = "${dhcp.start} - ${dhcp.end}"; ''
} ]; ddns-update-style standard;
renew-timer = builtins.ceil (.5 * dhcp.time); key dyndns {
rebind-timer = builtins.ceil (.85 * dhcp.time); algorithm hmac-sha256;
valid-lifetime = dhcp.time; secret ${config.site.dyndnsKey};
option-data = [ { };
space = "dhcp4"; zone ${domainName}. {
name = "routers"; primary ${config.site.net.serv.hosts4.dns};
code = 3; primary6 ${config.site.net.serv.hosts6.dn42.dns};
data = config.site.net.${net}.hosts4.${dhcp.router}; key dyndns;
} {
space = "dhcp4";
name = "domain-name";
code = 15;
data = domainName;
} {
space = "dhcp4";
name = "domain-name-servers";
code = 6;
data = "${config.site.net.serv.hosts4.dnscache}, 9.9.9.9";
} ];
ddns-qualifying-suffix = domainName;
reservations = lib.pipe dhcp.fixed-hosts [
(builtins.mapAttrs (fixedAddr: hwaddr:
if hosts4 ? ${fixedAddr}
then # fixedAddr is a known hostname
let
name = fixedAddr;
addr = hosts4.${fixedAddr};
in {
hostname = "${name}.${net}.zentralwerk.org";
hw-address = hwaddr;
ip-address = addr;
} }
else ${lib.concatMapStrings ({ name, dynamic, ... }:
let lib.optionalString (
names = builtins.attrNames ( dynamic &&
lib.filterAttrs (_: hostAddr: lib.hasSuffix ".in-addr.arpa" name
hostAddr == fixedAddr ) ''
) hosts4); zone ${name}. {
name = builtins.head names; primary ${config.site.net.serv.hosts4.dns};
in primary6 ${config.site.net.serv.hosts6.dn42.dns};
if builtins.length names > 0 key dyndns;
then { # fixedAddr is IPv4 of a known hostname }
hostname = "${name}.${net}.zentralwerk.org"; ''
hw-address = hwaddr; ) config.site.dns.localZones}
ip-address = hosts4.${name};
} # fixedAddr is IPv4? option guid code 97 = text;
else { group {
hw-address = hwaddr; default-lease-time ${toString dhcp.time};
ip-address = fixedAddr; max-lease-time ${toString dhcp.max-time};
option routers ${config.site.net.${net}.hosts4.${dhcp.router}};
option domain-name "${domainName}";
option domain-name-servers 172.20.73.8, 9.9.9.9;
ddns-domainname "${domainName}";
class "pxeclients" {
match if substring (option vendor-class-identifier, 0, 9) = "PXEClient";
next-server ${config.site.net.serv.hosts4.nfsroot};
option tftp-server-address ${config.site.net.serv.hosts4.nfsroot};
if suffix(reverse(1, option guid), 5) = 34:69:50:52:00 {
# RPi4
option vendor-class-identifier "PXEClient";
option vendor-encapsulated-options "Raspberry Pi Boot";
option tftp-server-name "${config.site.net.serv.hosts4.nfsroot}";
} elsif option pxe-system-type = 00:00 {
filename "netboot.xyz.kpxe"; # BIOS
} elsif option pxe-system-type = 00:07 {
filename "netboot.xyz.efi"; # EFI
option bootfile-name "netboot.xyz.efi";
} elsif option pxe-system-type = 00:06 {
filename "netboot.xyz.efi"; # ia32_EFI
}
} }
))
builtins.attrValues
(builtins.filter (r: r != null))
];
});
match-client-id = false; subnet ${subnet4Net} netmask ${lib.netmasks.${toString subnet4Len}} {
host-reservation-identifiers = [ "hw-address" ]; range ${dhcp.start} ${dhcp.end};
# Netbooting # always assign the same IP to the same MAC address.
option-def = [ { # fixes changing IP for PXE clients.
name = "PXEDiscoveryControl"; ignore-client-uids true;
code = 6; }
space = "vendor-encapsulated-options-space";
type = "uint8";
array = false;
} {
name = "PXEMenuPrompt";
code = 10;
space = "vendor-encapsulated-options-space";
type = "record";
array = false;
record-types = "uint8,string";
} {
name = "PXEBootMenu";
code = 9;
space = "vendor-encapsulated-options-space";
type = "record";
array = false;
record-types = "uint16,uint8,string";
} ];
client-classes =
let
rpi4Class = {
name = "rpi4-pxe";
test = "option[vendor-class-identifier].text == 'PXEClient:Arch:00000:UNDI:002001'";
option-data = [ {
name = "boot-file-name";
data = "bootcode.bin";
} {
name = "vendor-class-identifier";
data = "PXEClient";
} {
name = "vendor-encapsulated-options";
} {
name = "PXEBootMenu";
csv-format = true;
data = "0,17,Raspberry Pi Boot";
space = "vendor-encapsulated-options-space";
} {
name = "PXEDiscoveryControl";
data = "3";
space = "vendor-encapsulated-options-space";
} {
name = "PXEMenuPrompt";
csv-format = true;
data = "0,PXE";
space = "vendor-encapsulated-options-space";
} ];
};
pxeClassData = { update-static-leases on;
PXE-Legacy = {
arch = "00000";
boot-file-name = "netboot.xyz.kpxe";
};
PXE-UEFI-32-1.arch = "00002";
PXE-UEFI-32-2.arch = "00006";
PXE-UEFI-64-1.arch = "00007";
PXE-UEFI-64-2.arch = "00008";
PXE-UEFI-64-3.arch = "00009";
};
makePxe = name: { boot-file-name ? "netboot.xyz.efi", arch }: { ${builtins.concatStringsSep "\n" (
inherit name boot-file-name; builtins.attrValues (
test = "substring(option[60].hex,0,20) == 'PXEClient:Arch:${arch}'"; builtins.mapAttrs (addr: hwaddr:
next-server = config.site.net.serv.hosts4.nfsroot; ''
}; host ${addr} {
in hardware ethernet ${hwaddr};
[ rpi4Class ] fixed-address ${addr};
++ }
builtins.attrValues ( ''
builtins.mapAttrs makePxe pxeClassData ) dhcp.fixed-hosts
); )
)}
control-socket = { }
socket-type = "unix"; ''
socket-name = "/run/kea/dhcp4-socket"; ) dhcpNets
}; )
hooks-libraries = [ { )}
library = "/run/current-system/sw/lib/kea/hooks/libdhcp_stat_cmds.so"; '';
} {
library = "/run/current-system/sw/lib/kea/hooks/libdhcp_lease_cmds.so";
} ];
};
}; };
services.kea.dhcp6 = lib.mkIf enabled {
enable = true;
settings = {
interfaces-config.interfaces = builtins.attrNames dhcpNets;
dhcp-ddns.enable-updates = true;
ddns-override-no-update = true;
ddns-override-client-update = true;
ddns-replace-client-name = "when-not-present";
# TODO: use with kea >= 2.5.0
# ddns-conflict-resolution-mode = "check-exists-with-dhcid";
ddns-use-conflict-resolution = false;
subnet6 = concatMapDhcpNets (net: { vlan, subnets6, dhcp, domainName, ... }:
let
subnet = subnets6.up4 or subnets6.flpk or null;
prefix = builtins.head (builtins.split "::/" subnet);
in
if subnet != null
then {
id = vlan;
interface = net;
inherit subnet;
pools = [ {
pool = "${prefix}:c3d2:c3d2:c3d2:1000 - ${prefix}:c3d2:c3d2:c3d2:ffff";
#pool = subnet;
} ];
valid-lifetime = dhcp.time;
max-valid-lifetime = dhcp.max-time;
option-data = [ {
space = "dhcp6";
name = "domain-search";
code = 24;
data = domainName;
} {
space = "dhcp6";
name = "dns-servers";
code = 23;
data = "${config.site.net.serv.hosts6.dn42.dnscache}, 2620:fe::9";
} ];
ddns-generated-prefix = "d";
ddns-qualifying-suffix = domainName;
}
else []
);
host-reservation-identifiers = [ "hw-address" ];
#reservations = concatMapDhcpNets (net: { hosts6, dhcp, ... }:
# builtins.filter (r: r != null) (
# builtins.attrValues (
# builtins.mapAttrs (name: hwaddr:
# let
# ip-addresses = lib.pipe hosts6 [
# (builtins.mapAttrs (_: hosts6: hosts6.${name} or null))
# builtins.attrValues
# (builtins.filter (a: a != null))
# ];
# in
# if builtins.trace (lib.generators.toPretty {} ip-addresses) (builtins.length ip-addresses) > 0
# then {
# hostname = "${name}.${net}.zentralwerk.org";
# hw-address = hwaddr;
# inherit ip-addresses;
# }
# else null
# ) dhcp.fixed-hosts
# )));
control-socket = {
socket-type = "unix";
socket-name = "/run/kea/dhcp6.socket";
};
hooks-libraries = [ {
library = "/run/current-system/sw/lib/kea/hooks/libdhcp_stat_cmds.so";
} {
library = "/run/current-system/sw/lib/kea/hooks/libdhcp_lease_cmds.so";
} ];
};
};
services.kea.dhcp-ddns = lib.mkIf enabled {
enable = true;
settings = {
tsig-keys = [ {
name = "dyndns";
algorithm = "hmac-sha256";
secret = config.site.dyndnsKey;
} ];
forward-ddns.ddns-domains = concatMapDhcpNets (net: { domainName, ... }: {
name = "${domainName}.";
key-name = "dyndns";
dns-servers = [ {
ip-address = config.site.net.serv.hosts4.dns;
} {
ip-address = config.site.net.serv.hosts6.dn42.dns;
} ];
});
reverse-ddns.ddns-domains = map ({ name, ...}: {
name = "${name}.";
key-name = "dyndns";
dns-servers = [ {
ip-address = config.site.net.serv.hosts4.dns;
} {
ip-address = config.site.net.serv.hosts6.dn42.dns;
} ];
}) (
builtins.filter ({ name, dynamic, ... }:
dynamic &&
(lib.hasSuffix ".in-addr.arpa" name ||
lib.hasSuffix ".ip6.arpa" name)
) config.site.dns.localZones
);
control-socket = {
socket-type = "unix";
socket-name = "/run/kea/dhcp-ddns.socket";
};
};
};
services.kea.ctrl-agent = lib.mkIf enabled {
enable = true;
settings.control-sockets = {
dhcp4 = {
socket-type = "unix";
socket-name = "/run/kea/dhcp4.socket";
};
dhcp6 = {
socket-type = "unix";
socket-name = "/run/kea/dhcp6.socket";
};
d2 = {
socket-type = "unix";
socket-name = "/run/kea/dhcp-ddns.socket";
};
};
};
# Increase reliablity
# (mostly for kea-dhcp-ddns-server.service)
systemd.services =
let
restartService.serviceConfig = {
RestartSec = 4;
Restart = "always";
};
in {
kea-dhcp4-server = restartService;
kea-dhcp6-server = restartService;
kea-dhcp-ddns-server = restartService;
};
} }


@ -1,26 +1,26 @@
{ config, dns-nix, hostName, lib, pkgs, self, ... }: { hostName, config, lib, pkgs, self, ... }:
let let
serial = builtins.substring 0 10 self.lastModifiedDate; serial = builtins.substring 0 10 self.lastModifiedDate;
generateZoneFile = let generateZoneFile = { name, ns, records, dynamic }:
util = dns-nix.util.${pkgs.system}; builtins.toFile "${name}.zone" ''
in { name, ns, records, ... }: util.writeZone name { $ORIGIN ${name}.
TTL = 60*60; $TTL 1h
SOA = {
nameServer = "${lib.dns.ns}."; @ IN SOA ${lib.dns.ns}. astro.spaceboyz.net. (
adminEmail = "astro@spaceboyz.net"; ${serial} ; serial
serial = lib.toInt serial; 1h ; refresh
refresh = 1*60*60; 1m ; retry
retry = 5*60; 2h ; expire
expire = 2*60*60; 1m ; minimum
minimum = 1*60; )
}; ${lib.concatMapStrings (ns: " IN NS ${ns}.\n") ns}
NS = map (a: a+".") ns;
subdomains = lib.foldl (a: b: lib.recursiveUpdate a b) { } (map ({ name, type, data }: { ${lib.concatMapStrings ({ name, type, data }:
${name}.${type} = [ data ]; "${name} IN ${type} ${data}\n"
}) records); ) records}
}; '';
in in
{ {
options = options =
@ -35,7 +35,7 @@ in
type = types.enum [ "A" "AAAA" "MX" "SRV" "CNAME" "TXT" "PTR" ]; type = types.enum [ "A" "AAAA" "MX" "SRV" "CNAME" "TXT" "PTR" ];
}; };
data = mkOption { data = mkOption {
type = types.oneOf [ types.str (types.attrsOf (types.oneOf [ types.int types.str ]))]; type = types.str;
}; };
}; };
@ -69,151 +69,90 @@ in
config = { config = {
site.dns.localZones = lib.dns.localZones; site.dns.localZones = lib.dns.localZones;
services.knot = lib.mkIf config.site.hosts.${hostName}.services.dns.enable ( services.bind = lib.mkIf config.site.hosts.${hostName}.services.dns.enable (
let let
generateZone = zone@{ name, dynamic, ... }: { generateZone = zone@{ name, dynamic, ... }: {
domain = name; inherit name;
template = "zentralwerk"; master = true;
acl = [ "zone_xfr" ] ++ lib.optional dynamic "dyndns"; # allowed for zone-transfer
file = if dynamic slaves = [
then "/var/lib/knot/zones/${name}.zone" # ns.c3d2.de
"217.197.84.53" "2001:67c:1400:2240::a"
config.site.net.serv.hosts4.bind
config.site.net.serv.hosts6.dn42.bind
config.site.net.serv.hosts6.up4.bind
# ns.spaceboyz.net
"172.22.24.4" "2a01:4f9:4b:39ec::4"
];
file =
if dynamic
then "/var/db/bind/${name}.zone"
else generateZoneFile zone; else generateZoneFile zone;
notify = [ "all" ]; extraConfig = ''
also-notify {
# ns.c3d2.de
217.197.84.53;
2001:67c:1400:2240::a;
${config.site.net.serv.hosts4.bind};
${config.site.net.serv.hosts6.dn42.bind};
${config.site.net.serv.hosts6.up4.bind};
# ns.spaceboyz.net
172.22.24.4;
95.217.229.209;
2a01:4f9:4b:39ec::4;
};
notify-source ${config.site.net.serv.hosts4.dns};
notify-source-v6 ${config.site.net.serv.hosts6.up4.dns};
'' + lib.optionalString dynamic ''
allow-update { key "dyndns"; };
'';
}; };
in { in {
enable = true; enable = true;
settings = { zones = map generateZone config.site.dns.localZones;
acl = [
{
id = "dyndns";
action = "update";
key = "dyndns";
}
{
id = "zone_xfr";
address = with config.site.net.serv; [
# ns.c3d2.de
hosts4.knot hosts6.dn42.knot hosts6.up4.knot
"2a00:8180:2c00:282:2041:cbff:fe0c:8516"
"fd23:42:c3d2:582:2041:cbff:fe0c:8516"
# ns.spaceboyz.net
"172.22.24.4" "95.217.229.209" "2a01:4f9:4b:39ec::4"
# ns1.supersandro.de
"188.34.196.104" "2a01:4f8:1c1c:1d38::1"
];
action = "transfer";
}
];
key = [ { extraConfig = ''
id = "dyndns"; key "dyndns" {
algorithm = "hmac-sha256"; algorithm hmac-sha256;
secret = config.site.dyndnsKey; secret "${config.site.dyndnsKey}";
} ];
log = [ {
target = "syslog";
any = "info";
} ];
mod-stats = [ {
id = "default";
query-type = "on";
} ];
remote = let
via = with config.site.net.serv; [ hosts4.dns hosts6.up4.dns ];
in [
{
id = "ns.c3d2.de";
address = with config.site.net.serv; [ hosts4.knot hosts6.dn42.knot hosts6.up4.knot ];
inherit via;
} {
id = "ns.spaceboyz.net";
address = [ "172.22.24.4" "95.217.229.209" "2a01:4f9:4b:39ec::4" ];
inherit via;
} {
id = "ns1.supersandro.de";
address = [ /*"188.34.196.104"*/ "2a01:4f8:1c1c:1d38::1" ];
inherit via;
}
];
remotes = [ {
id = "all";
remote = [ "ns.c3d2.de" "ns.spaceboyz.net" "ns1.supersandro.de" ];
} ];
server = {
answer-rotation = true;
automatic-acl = true;
identity = "dns.serv.zentralwerk.org";
listen = with config.site.net; [
"127.0.0.1" "::1"
serv.hosts4.dns serv.hosts6.up4.dns serv.hosts6.dn42.dns
];
tcp-fastopen = true;
version = null;
}; };
'';
template = [ extraOptions = ''
{ # allow underscores in dynamic hostnames
# default is a magic name and is always loaded. ${lib.concatMapStringsSep "\n" (type: ''
# Because we want to use catalog-role/catalog-zone settings for all zones *except* the catalog zone itself, we must split the templates check-names ${type} ignore;
id = "default"; '') [ "master" "slave" "response" ]}
global-module = [ "mod-stats" ]; '';
}
{
id = "zentralwerk";
catalog-role = "member";
catalog-zone = "zentralwerk.";
dnssec-signing = true;
journal-content = "all"; # required for zonefile-load=difference-no-serial and makes cold starts like zone reloads
module = "mod-stats/default";
semantic-checks = true;
serial-policy = "increment";
storage = "/var/lib/knot/zones";
zonefile-load = "difference-no-serial";
}
];
zone = [ {
acl = "zone_xfr";
catalog-role = "generate";
domain = "zentralwerk.";
notify = [ "ns1.supersandro.de" ];
storage = "/var/lib/knot/catalog";
} ] ++ map generateZone config.site.dns.localZones;
};
}); });
systemd.services = { systemd.services.create-dynamic-zones = {
create-dynamic-zones = { description = "Creates dynamic zone files";
description = "Creates dynamic zone files"; requiredBy = [ "bind.service" ];
requiredBy = [ "knot.service" ]; before = [ "bind.service" ];
before = [ "knot.service" ]; serviceConfig.Type = "oneshot";
serviceConfig.Type = "oneshot"; script = ''
script = '' mkdir -p /var/db/bind
mkdir -p /var/lib/knot/zones
${lib.concatMapStringsSep "\n" (zone@{ name, ... }: '' ${lib.concatMapStringsSep "\n" (zone@{ name, ... }: ''
[ -e /var/lib/knot/zones/${name}.zone ] || \ [ -e /var/db/bind/${name}.zone ] || \
cp ${generateZoneFile zone} /var/lib/knot/zones/${name}.zone cp ${generateZoneFile zone} /var/db/bind/${name}.zone
chown -R knot /var/lib/knot/zones chown -R named /var/db/bind
chmod -R u+rwX /var/lib/knot/zones chmod -R u+rwX /var/db/bind
'') (builtins.filter ({ dynamic, ... }: dynamic) config.site.dns.localZones)} '') (
''; builtins.filter ({ dynamic, ... }: dynamic) config.site.dns.localZones
}; )}
'';
update-dynamic-zones = { };
description = "Creates initial records in dynamic zone files"; systemd.services.update-dynamic-zones = {
requiredBy = [ "knot.service" ]; description = "Creates initial records in dynamic zone files";
after = [ "knot.service" ]; requiredBy = [ "bind.service" ];
serviceConfig.Type = "oneshot"; after = [ "bind.service" ];
path = [ pkgs.dnsutils ]; serviceConfig.Type = "oneshot";
script = lib.concatMapStrings (zone: '' path = [ pkgs.dnsutils ];
nsupdate -v -y "hmac-sha256:dyndns:${config.site.dyndnsKey}" <<EOF script = ''
${lib.concatMapStrings (zone: ''
nsupdate -y "hmac-sha256:dyndns:${config.site.dyndnsKey}" <<EOF
server localhost server localhost
${lib.concatMapStringsSep "\n" ({ name, type, data }: '' ${lib.concatMapStringsSep "\n" ({ name, type, data }: ''
@ -223,8 +162,10 @@ in
send send
EOF EOF
'') (builtins.filter ({ dynamic, ... }: dynamic) config.site.dns.localZones); '') (
}; builtins.filter ({ dynamic, ... }: dynamic) config.site.dns.localZones
)}
'';
}; };
}; };
} }
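Review bot: `nsupdate -y "hmac-sha256:dyndns:${config.site.dyndnsKey}"` in update-dynamic-zones on the bind side (and the same form on the knot side) puts the TSIG secret on the command line, where it is visible to every local process through the process list, and the interpolation into `extraConfig`'s `key "dyndns"` stanza and into the script also lands it in the world-readable Nix store; writing the key to a root-only file at activation time and using `nsupdate -k <keyfile>` would at least remove the process-list exposure. Separately, the ns.spaceboyz.net entries in `slaves` are `"172.22.24.4" "2a01:4f9:4b:39ec::4"` while `also-notify` additionally lists `95.217.229.209`; if the bind module turns `slaves` into allow-transfer, a secondary that transfers from that address is notified but then refused, so the two lists should agree. Both points apply to the bind (new) column of this section.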


@ -1,99 +1,124 @@
{ hostName, config, lib, pkgs, ... }: { hostName, config, lib, pkgs, ... }:
lib.mkIf config.site.hosts.${hostName}.services.dnscache.enable { lib.mkIf config.site.hosts.${hostName}.services.dnscache.enable {
services.kresd = { services.unbound = {
enable = true; enable = true;
instances = 4; settings = {
listenPlain = [ "0.0.0.0:53" "[::0]:53" ]; remote-control = {
package = pkgs.knot-resolver.override { extraFeatures = true; }; control-enable = true;
extraConfig = /* lua */ '' control-use-cert = false;
modules = { };
'http', server = {
'policy', num-threads = 4;
'predict', verbosity = 1;
'prefill', prefetch = true;
'serve_stale < cache', -- servce stail records while refreshing the record prefetch-key = true;
'workarounds < iterate', -- solve problems around specific broken subdomains, mainly disables case randomization serve-expired = true;
'view' cache-min-ttl = 60;
} cache-max-ttl = 3600;
infra-cache-slabs = "8";
key-cache-slabs = "8";
msg-cache-slabs = "8";
rrset-cache-slabs = "8";
msg-cache-size = "256m"; # half again 128m?
rrset-cache-size = "512m"; # half again 256m?
cache.size = 500 * MB interface = [ "0.0.0.0" "'::0'" ];
cache.min_ttl(60) # TODO: generate
access-control = builtins.concatLists [
[ # localhost
"::1/128 allow"
"127.0.0.0/8 allow"
]
[ # mgmt
"${config.site.net.mgmt.subnet4} allow"
]
[ # dn42
"fd23:42:c3d2:500::/56 allow"
"::172.20.72.0/117 allow"
"::172.22.99.0/120 allow"
"172.20.72.0/21 allow"
"172.22.99.0/24 allow"
]
[ # freifunk
"10.200.0.0/15 allow"
]
[ # DSI
"2a00:8180:2000:37::1/128 allow"
"2a00:8180:2c00:200::/56 allow"
]
[ # flpk
"${config.site.net.flpk.subnet4} allow"
"2a0f:5382:acab:1400::/56 allow"
]
[ # default
"0.0.0.0/0 deny"
"::/0 deny"
]
];
# For DNS over TLS
tls-cert-bundle = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
net.listen('127.0.0.1', 8453, { kind = 'webmgmt' }) # allow reverse lookup of rfc1918 space, which includes the DN42 address space
http.prometheus.namespace = 'resolver_' unblock-lan-zones = true;
insecure-lan-zones = true;
-- dns42 domain-insecure = [
policy.add(policy.suffix( "dn42"
policy.STUB({'fd42:d42:d42:54::1', 'fd42:d42:d42:53::1', '172.20.0.53', '172.23.0.53'}), "d.f.ip6.arpa"
policy.todnames({'dn42.', 'd.f.ip6.arpa', '20.172.in-addr.arpa', '21.172.in-addr.arpa', '22.172.in-addr.arpa', '23.172.in-addr.arpa'}) "ffdd"
)) ];
};
-- freifunk forward-zone = let
policy.add(policy.suffix( mkFfddZone = name: {
policy.STUB({'10.200.0.4', '10.200.0.16'}), inherit name;
policy.todnames({'ffdd.', '200.10.in-addr.arpa', '201.10.in-addr.arpa'}) forward-addr = [ "10.200.0.4" "10.200.0.16" ];
)) };
in [ {
-- size.dns.localZones name = ".";
policy.add(policy.suffix( forward-tls-upstream = true;
policy.STUB({'${config.site.net.serv.hosts4.dns}', ${lib.concatStringsSep ", " (map (hosts6: "'${hosts6.dns}'") (builtins.attrValues config.site.net.serv.hosts6))}}), forward-addr = [
policy.todnames({${lib.concatStringsSep ", " (map (zone: "'${zone.name}'") config.site.dns.localZones)}}) # Quad9
)) "2620:fe::fe@853#dns.quad9.net"
"9.9.9.9@853#dns.quad9.net"
-- forward to dns caches "2620:fe::9@853#dns.quad9.net"
policy.add(policy.slice( "149.112.112.112@853#dns.quad9.net"
policy.slice_randomize_psl(), # Cloudflare DNS
-- quad9 "2606:4700:4700::1111@853#cloudflare-dns.com"
policy.TLS_FORWARD({ "1.1.1.1@853#cloudflare-dns.com"
{'2620:fe::fe', hostname='dns.quad9.net'}, "2606:4700:4700::1001@853#cloudflare-dns.com"
{'2620:fe::9', hostname='dns.quad9.net'}, "1.0.0.1@853#cloudflare-dns.com"
{'9.9.9.9', hostname='dns.quad9.net'}, ];
{'149.112.112.112', hostname='dns.quad9.net'} } ] ++
}), # Local networks
-- cloudflare map ({ name, ... }: {
policy.TLS_FORWARD({ name = "${name}";
{'2606:4700:4700::1111', hostname='cloudflare-dns.com'}, forward-addr = [ "${config.site.net.serv.hosts4.dns}" ] ++
{'2606:4700:4700::1001', hostname='cloudflare-dns.com'}, map (hosts6: hosts6.dns)
{'1.1.1.1', hostname='cloudflare-dns.com'}, (builtins.attrValues config.site.net.serv.hosts6);
{'1.0.0.1', hostname='cloudflare-dns.com'} }) config.site.dns.localZones
}) # Freifunk
)) ++ (map mkFfddZone [
"ffdd"
-- allow access from our networks "200.10.in-addr.arpa"
'' + lib.concatMapStringsSep "\n" (cidr: "view:addr('${cidr}', policy.all(policy.PASS))") [ "201.10.in-addr.arpa"
# localhost ]);
"::1/128" "127.0.0.0/8" # DN42
# mgmt stub-zone = let
"${config.site.net.mgmt.subnet4}" mkDn42Zone = name: {
# dn42 inherit name;
"fd23:42:c3d2:500::/56" "::172.20.72.0/117" "::172.22.99.0/120" stub-prime = true;
"172.20.72.0/21" "172.22.99.0/24" stub-addr = [
# freifunk "172.20.0.53" "fd42:d42:d42:54::1"
"10.200.0.0/15" "172.23.0.53" "fd42:d42:d42:53::1"
# DSI ];
"2a00:8180:2000:37::1/128" "2a00:8180:2c00:200::/56" };
# flpk in map mkDn42Zone [
"${config.site.net.flpk.subnet4}" "2a0f:5382:acab:1400::/56 allow" "dn42" "d.f.ip6.arpa"
] + "\n" + /* lua */ '' "20.172.in-addr.arpa" "21.172.in-addr.arpa"
"22.172.in-addr.arpa" "23.172.in-addr.arpa"
-- drop everything that hasn't matched ];
view:addr('0.0.0.0/0', policy.all(policy.DROP)) };
view:addr('::/0', policy.all(policy.DROP))
predict = {
window = 15, -- sampling window
period = 24*(60/15) -- track last X hours, divide through sampling window
}
prefill.config({
['.'] = {
url = 'https://www.internic.net/domain/root.zone',
interval = 86400, -- seconds
}
})
trust_anchors.set_insecure({'dn42', 'd.f.ip6.arpa', 'ffdd'})
'';
}; };
} }
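Review bot: `remote-control.control-use-cert = false` on the unbound side turns off authentication for unbound-control, and no `control-interface` is set in this section, so whether the control channel stays on loopback rests on the module/unbound default rather than on anything visible here; pinning it explicitly, e.g. `control-interface = "127.0.0.1";` or a unix socket path, makes the intended exposure reviewable. The interface list also reads `interface = [ "0.0.0.0" "'::0'" ];` with embedded single quotes on the IPv6 entry only, unlike the plain `"0.0.0.0"`; if the quotes are needed for the generated config a short comment saying so would help, otherwise `"::0"` is presumably what was meant.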


@ -1,114 +0,0 @@
{ config, lib, ... }:
let
inherit (config.networking) hostName;
interfaces = config.site.hosts.${hostName}.physicalInterfaces;
# linux iface name max length = 15
shortenNetName = name:
if builtins.match "priv(.*)" name != null
then "p" + builtins.substring 4 9 name
else if name == "coloradio"
then "cr"
else if name == "coloradio-gw"
then "cr-gw"
else name;
checkIfname = ifname: let
len = builtins.stringLength ifname;
in if len > 15
then throw "Interface name ${ifname} is ${toString (len - 15)} chars too long."
else ifname;
# `lxc.net.*` formatter for lxc.container.conf files
netConfig =
let
attrNamesOrdered = attrs:
if attrs ? type
then [ "type" ] ++ lib.remove "type" (builtins.attrNames attrs)
else builtins.attrNames attrs;
serialize = name: x:
if builtins.isString x
then "${name} = ${x}\n"
else if builtins.isAttrs x
then builtins.concatStringsSep "" (
map (n: serialize "${name}.${n}" x.${n}) (attrNamesOrdered x)
)
else if builtins.isList x
then
let
enumerate = xs: n:
if xs == []
then []
else [ {
e = builtins.head xs;
i = n;
} ] ++ enumerate (builtins.tail xs) (n + 1);
in
builtins.concatStringsSep "" (
map ({ e, i }: serialize "${name}.${toString i}" e) (enumerate x 0)
)
else throw "Invalid data in lxc net config for ${name}: ${lib.generators.toPretty {} x}";
in
serialize "lxc.net" (
map (netName:
let
ifData = interfaces.${netName};
in {
type = ifData.type;
name = checkIfname netName;
flags = "up";
hwaddr = if ifData ? hwaddr && ifData.hwaddr != null
then ifData.hwaddr
else "0A:14:48:xx:xx:xx";
} // (lib.optionalAttrs (ifData.type == "veth") {
veth.pair = checkIfname "${shortenNetName hostName}-${shortenNetName netName}";
veth.mode = checkIfname "bridge";
link = checkIfname netName;
}) // (lib.optionalAttrs (ifData.type == "phys") {
link = checkIfname "ext-${netName}";
})
) (builtins.attrNames interfaces)
);
in
{
system.build.lxcConfig = builtins.toFile "${hostName}.conf" ''
# For lxcfs and sane defaults
lxc.include = /etc/lxc/common.conf
lxc.uts.name = ${hostName}
# Handled by lxc@.service
lxc.start.auto = 0
lxc.rootfs.path = /var/lib/lxc/${hostName}/rootfs
lxc.init.cmd = "/init"
lxc.mount.entry = /nix/store nix/store none bind,ro 0 0
lxc.mount.entry = none tmp tmpfs defaults 0 0
lxc.mount.auto = proc:mixed sys:ro cgroup:mixed
lxc.autodev = 1
lxc.tty.max = 0
lxc.pty.max = 8
lxc.cap.drop = sys_module sys_time sys_nice sys_pacct sys_rawio
security.privileged = false
lxc.apparmor.profile = lxc-container-default-with-mounting
lxc.cgroup.memory.limit_in_bytes = 1G
lxc.cgroup.memory.kmem.tcp.limit_in_bytes = 128M
# tuntap
lxc.cgroup.devices.allow = c 10:200 rw
lxc.cgroup2.devices.allow = c 10:200 rw
# ppp
lxc.cgroup.devices.allow = c 108:0 rwm
lxc.cgroup2.devices.allow = c 108:0 rwm
${netConfig}
'';
}


@ -1,4 +1,4 @@
{ hostName, config, lib, pkgs, ... }: { hostName, config, lib, ... }:
let let
hostConf = config.site.hosts.${hostName}; hostConf = config.site.hosts.${hostName};
@ -98,25 +98,12 @@ in
${lib.optionalString (staticIpv4Address != null) '' ${lib.optionalString (staticIpv4Address != null) ''
# Allow connections to ${staticIpv4Address} from other hosts behind NAT # Allow connections to ${staticIpv4Address} from other hosts behind NAT
${lib.concatMapStrings (fwd: let ${lib.concatMapStrings (fwd: ''
m = builtins.match "([0-9.]+):([0-9-]+)" fwd.destination; iptables -t nat -t nat -A nixos-nat-pre \
destinationIP = if m == null then throw "bad ip:ports `${fwd.destination}'" else lib.elemAt m 0;
destinationPorts = if m == null then throw "bad ip:ports `${fwd.destination}'" else builtins.replaceStrings ["-"] [":"] (lib.elemAt m 1);
in ''
iptables -t nat -A nixos-nat-pre \
-d ${staticIpv4Address} -p ${fwd.proto} \ -d ${staticIpv4Address} -p ${fwd.proto} \
--dport ${builtins.toString fwd.sourcePort} \ --dport ${builtins.toString fwd.sourcePort} \
-j DNAT --to-destination ${fwd.destination} -j DNAT --to-destination ${fwd.destination}
'') config.networking.nat.forwardPorts}
iptables -t nat -A nixos-nat-post \
-d ${destinationIP} -p ${fwd.proto} \
--dport ${destinationPorts} \
-s 172.20.72.0/21 -j MASQUERADE
iptables -t nat -A nixos-nat-post \
-d ${destinationIP} -p ${fwd.proto} \
--dport ${destinationPorts} \
-s ${config.site.net.c3d2.subnet4} -j MASQUERADE
'') config.networking.nat.forwardPorts}
''} ''}
# Do not NAT our public IPv4 addresses # Do not NAT our public IPv4 addresses
@ -139,10 +126,6 @@ in
-j RETURN -j RETURN
'') upstreamInterfaces.${net}.upstream.noNat.subnets6 '') upstreamInterfaces.${net}.upstream.noNat.subnets6
) (builtins.attrNames upstreamInterfaces)} ) (builtins.attrNames upstreamInterfaces)}
# There just have been moments without a complete ruleset. Flush
# out invalid conntrack states!
${pkgs.conntrack-tools}/bin/conntrack -F
''; '';
extraStopCommands = '' extraStopCommands = ''
iptables -F FORWARD 2>/dev/null || true iptables -F FORWARD 2>/dev/null || true
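Review bot: The DNAT rule emitted on the new side of the first hunk repeats the table flag, `iptables -t nat -t nat -A nixos-nat-pre \`; iptables normally rejects a flag given twice ("multiple -t flags not allowed"), which would make the NAT start script fail for every configured port forward. It should read `iptables -t nat -A nixos-nat-pre \`. The enclosing `extraCommands` string starts before this hunk.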


@ -26,7 +26,7 @@ in lib.mkIf (pppoeInterfaces != {}) {
enable = true; enable = true;
autostart = true; autostart = true;
config = '' config = ''
plugin pppoe.so plugin rp-pppoe.so
nic-${upstream.link} nic-${upstream.link}
ifname ${ifName} ifname ${ifName}
# Login settings. (PAP) # Login settings. (PAP)


@ -1,13 +1,13 @@
# Pulls together NixOS configuration modules according to the # Pulls together NixOS configuration modules according to the
# name/role of the host to be built. # name/role of the host to be built.
{ hostName, lib, ... }: { hostName, config, lib, ... }:
let let
inherit (lib) optionals; inherit (lib) optionals;
hostConfig = lib.config.site.hosts.${hostName}; hostConfig = lib.config.site.hosts.${hostName};
in { in {
inherit (lib.config) site; site = lib.config.site;
imports = [ imports = [
../lib/config/options.nix ../lib/config/options.nix
@ -20,7 +20,6 @@ in {
./server/default.nix ./server/default.nix
] ++ ] ++
optionals (hostConfig.role == "container") [ optionals (hostConfig.role == "container") [
./container/lxc-config.nix
./container/defaults.nix ./container/defaults.nix
./container/dhcp-server.nix ./container/dhcp-server.nix
./container/wireguard.nix ./container/wireguard.nix


@ -7,9 +7,9 @@
# Prevents automatic creation of interface bond0 by the kernel # Prevents automatic creation of interface bond0 by the kernel
"bonding.max_bonds=0" "bonding.max_bonds=0"
]; ];
boot.tmp.useTmpfs = true; boot.tmpOnTmpfs = true;
# Includes wireguard # Includes wireguard
boot.kernelPackages = pkgs.zfsUnstable.latestCompatibleLinuxPackages; boot.kernelPackages = pkgs.linuxPackages_latest;
# Keep building # Keep building
boot.zfs.enableUnstable = true; boot.zfs.enableUnstable = true;
@ -35,8 +35,8 @@
}; };
documentation = { documentation = {
enable = lib.mkForce false; enable = false;
nixos.enable = lib.mkForce false; nixos.enable = false;
}; };
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
@ -44,8 +44,6 @@
bridge-utils bridge-utils
conntrack-tools conntrack-tools
dhcpcd dhcpcd
dhcpdump
dig
ethtool ethtool
git git
iftop iftop
@ -58,7 +56,6 @@
screen screen
speedtest-cli speedtest-cli
tcpdump tcpdump
tmux
traceroute traceroute
vim vim
wget wget
@ -66,25 +63,6 @@
networking.hostName = hostName; networking.hostName = hostName;
programs = {
fzf.keybindings = true;
git = {
enable = true;
config = {
alias = {
co = "checkout";
lg = "log --graph --abbrev-commit --decorate --format=format:'%C(bold blue)%h%C(reset) - %C(bold green)(%ar)%C(reset) %C(white)%s%C(reset) %C(dim white)- %an%C(reset)%C(bold y
ow)%d%C(reset)'";
remote = "remote -v";
st = "status";
undo = "reset --soft HEAD^";
};
pull.rebase = true;
rebase.autoStash = true;
};
};
};
users.users.root.initialHashedPassword = ""; users.users.root.initialHashedPassword = "";
system.stateVersion = "20.09"; system.stateVersion = "20.09";
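Review bot: `boot.kernelPackages = pkgs.linuxPackages_latest;` is combined with `boot.zfs.enableUnstable = true;` two lines below, and the out-of-tree ZFS module typically trails new kernel releases; when the pinned nixpkgs has no ZFS build for the latest kernel, the system closure fails to evaluate or build rather than degrading. A comment stating which kernel/ZFS pair this was verified with, or a kernel selection that is tied to what ZFS supports, would make the constraint explicit. The rest of the file is outside the visible hunks.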


@ -1,18 +1,11 @@
{ hostName, config, lib, ... }: { hostName, config, lib, ... }:
let lib.mkIf config.site.hosts.${hostName}.firewall.enable {
hostConfig = config.site.hosts.${hostName}; networking.firewall = {
in {
networking.firewall = lib.mkIf hostConfig.firewall.enable {
enable = true; enable = true;
extraCommands = '' extraCommands = ''
${lib.optionalString hostConfig.isRouter ''
ip46tables -I nixos-fw -p ospfigp -j ACCEPT
''}
ip46tables -A FORWARD -i core -m state --state ESTABLISHED,RELATED -j ACCEPT ip46tables -A FORWARD -i core -m state --state ESTABLISHED,RELATED -j ACCEPT
ip46tables -A FORWARD -i core -j REJECT ip46tables -A FORWARD -i core -j REJECT --reject-with net-unreach
''; '';
extraStopCommands = '' extraStopCommands = ''
ip46tables -F FORWARD ip46tables -F FORWARD
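Review bot: `ip46tables -A FORWARD -i core -j REJECT --reject-with net-unreach` runs the same arguments through both iptables and ip6tables, but `net-unreach` is an IPv4 ICMP reject type; the ip6tables REJECT target uses names such as `no-route`, `addr-unreach` and `port-unreach`, so the IPv6 half of that line can be expected to fail and, depending on how the firewall script handles errors, leave the IPv6 FORWARD chain without the reject rule. Splitting it per family, `iptables -A FORWARD -i core -j REJECT --reject-with icmp-net-unreachable` and `ip6tables -A FORWARD -i core -j REJECT --reject-with icmp6-no-route`, keeps the intent on both stacks.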


@ -8,20 +8,14 @@
time.timeZone = "Europe/Berlin"; time.timeZone = "Europe/Berlin";
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
git wget vim git screen
inetutils # telnet
ipmitool ipmitool
liboping # noping
screen
vim
wget
]; ];
services.openssh.enable = true;
services.openssh = { services.openssh.permitRootLogin = "prohibit-password";
enable = true;
settings.PermitRootLogin = "prohibit-password";
};
# additional config for bare metal # additional config for bare metal
services.collectd.plugins.ipmi = ""; services.collectd = {
plugins.ipmi = "";
};
} }


@ -10,6 +10,70 @@ let
enabled = containers != {}; enabled = containers != {};
# linux iface name max length = 15
shortenNetName = name:
if builtins.match "priv(.*)" name != null
then "p" + builtins.substring 4 9 name
else name;
checkIfname = ifname: let
len = builtins.stringLength ifname;
in if len > 15
then throw "Interface name ${ifname} is ${toString (len - 15)} chars too long."
else ifname;
# `lxc.net.*` formatter for lxc.container.conf files
netConfig = ctName: interfaces:
let
config = map (netName:
let
ifData = interfaces.${netName};
in {
type = ifData.type;
name = checkIfname netName;
flags = "up";
hwaddr = if ifData ? hwaddr && ifData.hwaddr != null
then ifData.hwaddr
else "0A:14:48:xx:xx:xx";
} // (lib.optionalAttrs (ifData.type == "veth") {
veth.pair = checkIfname "${shortenNetName ctName}-${shortenNetName netName}";
veth.mode = checkIfname "bridge";
link = checkIfname netName;
}) // (lib.optionalAttrs (ifData.type == "phys") {
link = checkIfname "ext-${netName}";
})
) (builtins.attrNames interfaces);
attrNamesOrdered = attrs:
if attrs ? type
then [ "type" ] ++ lib.remove "type" (builtins.attrNames attrs)
else builtins.attrNames attrs;
serialize = name: x:
if builtins.isString x
then "${name} = ${x}\n"
else if builtins.isAttrs x
then builtins.concatStringsSep "" (
map (n: serialize "${name}.${n}" x.${n}) (attrNamesOrdered x)
)
else if builtins.isList x
then
let
enumerate = xs: n:
if xs == []
then []
else [ {
e = builtins.head xs;
i = n;
} ] ++ enumerate (builtins.tail xs) (n + 1);
in
builtins.concatStringsSep "" (
map ({ e, i }: serialize "${name}.${toString i}" e) (enumerate x 0)
)
else throw "Invalid data in lxc net config for ${name}: ${lib.generators.toPretty {} x}";
in
serialize "lxc.net" config;
# User-facing script to build/update container NixOS systems # User-facing script to build/update container NixOS systems
build-script = pkgs.writeScriptBin "build-container" '' build-script = pkgs.writeScriptBin "build-container" ''
#! ${pkgs.runtimeShell} -e #! ${pkgs.runtimeShell} -e
@ -30,7 +94,6 @@ let
${ctName}) ${ctName})
echo Using prebuilt system for container $c echo Using prebuilt system for container $c
SYSTEM=${self.packages.x86_64-linux."${ctName}-rootfs"} SYSTEM=${self.packages.x86_64-linux."${ctName}-rootfs"}
CONFIG=${self.packages.x86_64-linux."${ctName}-lxc-config"}
;; ;;
'') ( '') (
builtins.attrNames ( builtins.attrNames (
@ -42,8 +105,6 @@ let
echo Building $c echo Building $c
nix build -o /nix/var/nix/gcroots/lxc/$c zentralwerk-network#$c-rootfs nix build -o /nix/var/nix/gcroots/lxc/$c zentralwerk-network#$c-rootfs
SYSTEM=$(readlink /nix/var/nix/gcroots/lxc/$c) SYSTEM=$(readlink /nix/var/nix/gcroots/lxc/$c)
nix build -o /nix/var/nix/gcroots/lxc/$c.config zentralwerk-network#$c-lxc-config
CONFIG=$(readlink /nix/var/nix/gcroots/lxc/$c.config)
;; ;;
esac esac
@ -56,7 +117,6 @@ let
mkdir -p /var/lib/lxc/$c/rootfs/$d mkdir -p /var/lib/lxc/$c/rootfs/$d
done done
ln -fs $SYSTEM/init /var/lib/lxc/$c/rootfs/init ln -fs $SYSTEM/init /var/lib/lxc/$c/rootfs/init
ln -fs $CONFIG /var/lib/lxc/$c/config
done done
# Activate all the desired container after all of them are # Activate all the desired container after all of them are
@ -102,8 +162,10 @@ in
virtualisation.lxc = lib.mkIf enabled { virtualisation.lxc = lib.mkIf enabled {
enable = true; enable = true;
# Container configs live in /etc so that they can be created
# through `environment.etc`.
systemConfig = '' systemConfig = ''
lxc.lxcpath = /var/lib/lxc lxc.lxcpath = /etc/lxc/containers
''; '';
}; };
@ -114,7 +176,50 @@ in
enable-script disable-script enable-script disable-script
]; ];
environment.etc."lxc/common.conf".source = "${pkgs.lxc}/share/lxc/config/common.conf"; # Create lxc.container.conf files
environment.etc =
builtins.foldl' (etc: ctName: etc // {
"lxc/containers/${ctName}/config" = {
enable = true;
source =
builtins.toFile "${ctName}.conf" ''
# For lxcfs and sane defaults
lxc.include = /etc/lxc/common.conf
lxc.uts.name = ${ctName}
# Handled by lxc@.service
lxc.start.auto = 0
lxc.rootfs.path = /var/lib/lxc/${ctName}/rootfs
lxc.init.cmd = "/init"
lxc.mount.entry = /nix/store nix/store none bind,ro 0 0
lxc.mount.entry = none tmp tmpfs defaults 0 0
lxc,mount.auto = proc:mixed sys:ro cgroup:mixed
lxc.autodev = 1
lxc.tty.max = 0
lxc.pty.max = 8
lxc.cap.drop = sys_module sys_time sys_nice sys_pacct sys_rawio
security.privileged = false
lxc.apparmor.profile = lxc-container-default-with-mounting
lxc.cgroup.memory.limit_in_bytes = 1G
lxc.cgroup.memory.kmem.tcp.limit_in_bytes = 128M
# tuntap
lxc.cgroup.devices.allow = c 10:200 rw
lxc.cgroup2.devices.allow = c 10:200 rw
# ppp
lxc.cgroup.devices.allow = c 108:0 rwm
lxc.cgroup2.devices.allow = c 108:0 rwm
${netConfig ctName containers.${ctName}.physicalInterfaces}
'';
};
}) {
"lxc/common.conf".source = "${pkgs.lxc}/share/lxc/config/common.conf";
} (builtins.attrNames containers);
# Systemd service template for LXC containers # Systemd service template for LXC containers
systemd.services."lxc@" = { systemd.services."lxc@" = {
@ -143,8 +248,6 @@ in
Restart = "always"; Restart = "always";
RestartSec = "1s"; RestartSec = "1s";
}; };
# Prevent restart on host nixos-rebuild switch
restartIfChanged = false;
}; };
# Starts all the containers after boot # Starts all the containers after boot


@ -114,7 +114,5 @@ in
networkConfig.Bridge = net; networkConfig.Bridge = net;
}; };
}) {} ctNets; }) {} ctNets;
wait-online.anyInterface = true;
}; };
} }


@ -39,6 +39,7 @@
}; };
boot.loader.grub.enable = true; boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.device = "/dev/sda"; boot.loader.grub.device = "/dev/sda";
networking.hostName = "server2"; # Define your hostname. networking.hostName = "server2"; # Define your hostname.


@ -7,14 +7,11 @@ let
inherit (pkgs) lib; inherit (pkgs) lib;
export-openwrt-models = pkgs.writeText "openwrt-models.nix" ( export-openwrt-models = pkgs.writeText "openwrt-models.nix" (
lib.generators.toPretty {} self.lib.openwrtModels nixpkgs.lib.generators.toPretty {} self.lib.openwrtModels
); );
export-config = pkgs.writeText "config.nix" ( export-config = pkgs.writeText "config.nix" (
lib.generators.toPretty {} ( nixpkgs.lib.generators.toPretty {} (lib.filterAttrsRecursive (n: v: n != "net-combined") config)
lib.recursiveUpdate );
config
{ site.dns.localZones = self.lib.dns.localZones; }
));
encrypt-secrets = pkgs.writeScriptBin "encrypt-secrets" '' encrypt-secrets = pkgs.writeScriptBin "encrypt-secrets" ''
#! ${pkgs.runtimeShell} -e #! ${pkgs.runtimeShell} -e
@ -45,7 +42,7 @@ let
''; '';
network-cypher-graphs = import ./network-cypher-graphs.nix { inherit config pkgs; }; network-cypher-graphs = import ./network-cypher-graphs.nix { inherit config pkgs; };
network-graphs = import ./network-graphs.nix { inherit config lib pkgs; }; network-graphs = import ./network-graphs.nix { inherit config pkgs; };
mkRootfs = hostName: mkRootfs = hostName:
self.nixosConfigurations.${hostName}.config.system.build.toplevel; self.nixosConfigurations.${hostName}.config.system.build.toplevel;
@ -55,20 +52,7 @@ let
"${hostName}-rootfs" = mkRootfs hostName; "${hostName}-rootfs" = mkRootfs hostName;
}) {} ( }) {} (
builtins.attrNames ( builtins.attrNames (
lib.filterAttrs (_: { role, ... }: builtins.elem role ["server" "container"]) nixpkgs.lib.filterAttrs (_: { role, ... }: builtins.elem role ["server" "container"])
config.site.hosts
)
);
mkLxcConfig = hostName:
self.nixosConfigurations.${hostName}.config.system.build.lxcConfig;
lxc-configs =
builtins.foldl' (rootfs: hostName: rootfs // {
"${hostName}-lxc-config" = mkLxcConfig hostName;
}) {} (
builtins.attrNames (
lib.filterAttrs (_: { role, ... }: role == "container")
config.site.hosts config.site.hosts
) )
); );
@ -81,7 +65,7 @@ let
}); });
}) {} ( }) {} (
builtins.attrNames ( builtins.attrNames (
lib.filterAttrs (_: { role, ... }: role == "server") nixpkgs.lib.filterAttrs (_: { role, ... }: role == "server")
config.site.hosts config.site.hosts
) )
); );
@ -95,7 +79,7 @@ let
"${hostName}-image" = openwrt.buildImage hostName; "${hostName}-image" = openwrt.buildImage hostName;
}) {} ( }) {} (
builtins.attrNames ( builtins.attrNames (
lib.filterAttrs (_: { role, ... }: nixpkgs.lib.filterAttrs (_: { role, ... }:
role == "ap" role == "ap"
) config.site.hosts ) config.site.hosts
) )
@ -133,7 +117,7 @@ let
inherit self; inherit self;
}; };
in in
rootfs-packages // lxc-configs // vm-packages // device-templates // openwrt-packages // network-graphs // network-cypher-graphs // starlink // subnetplans // { rootfs-packages // vm-packages // device-templates // openwrt-packages // network-graphs // network-cypher-graphs // starlink // subnetplans // {
inherit export-openwrt-models export-config dns-slaves inherit export-openwrt-models export-config dns-slaves
encrypt-secrets decrypt-secrets switch-to-production encrypt-secrets decrypt-secrets switch-to-production
homepage gateway-report switch-report vlan-report homepage gateway-report switch-report vlan-report
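Review bot: `export-config` mixes `nixpkgs.lib.generators.toPretty` with `lib.filterAttrsRecursive` inside one expression even though `inherit (pkgs) lib` is still in scope two lines above, and the `filterAttrs` calls further down switch to `nixpkgs.lib` as well; pick one of the two and use it throughout this file. Separately, `export-config` serialises the whole `config` tree into a world-readable store path and only filters out `net-combined`; if host secrets such as the `password` and wifi `psk` values used elsewhere in this compare are part of `config`, they end up in that file, so either filter those attribute names here too or add a comment stating that secrets are kept out of `config`. The `let` block defining these packages starts before the first hunk of this section.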


@ -65,7 +65,6 @@ stdenv.mkDerivation {
ln -s ${network-graphs}/share/doc/zentralwerk/* $DIR/ ln -s ${network-graphs}/share/doc/zentralwerk/* $DIR/
ln -s ${../../../doc/core.png} $DIR/core.png ln -s ${../../../doc/core.png} $DIR/core.png
ln -s ${./security.txt} $DIR/security.txt
cp *.{html,css,png,svg} $DIR/ cp *.{html,css,png,svg} $DIR/
mkdir -p $out/nix-support mkdir -p $out/nix-support


@ -1,3 +0,0 @@
Contact: mailto:astro@spaceboyz.net
Preferred-Languages: en, de
Hiring: https://www.c3d2.de/space.html


@ -1,5 +1,7 @@
{ config, lib, pkgs, ... }: { config, pkgs, ... }:
let let
inherit (pkgs) lib runCommand graphviz;
netColor = net: netColor = net:
if net == "core" if net == "core"
then "grey" then "grey"
@ -80,13 +82,13 @@ let
} }
''; '';
renderGraph = args@{ name, engine, ... }: renderGraph = args@{ name, engine, ... }:
pkgs.runCommand "${name}.png" { runCommand "${name}.png" {
src = builtins.toFile "${name}.dot" ( src = builtins.toFile "${name}.dot" (
toDot args toDot args
); );
} '' } ''
echo $src echo $src
${pkgs.graphviz-nox}/bin/${engine} -Tpng $src > $out ${graphviz}/bin/${engine} -Tpng $src > $out
''; '';
in rec { in rec {
@ -160,7 +162,7 @@ in rec {
) (builtins.attrNames containers); ) (builtins.attrNames containers);
}; };
network-graphs = pkgs.runCommand "network-graphs" {} '' network-graphs = runCommand "network-graphs" {} ''
DIR=$out/share/doc/zentralwerk DIR=$out/share/doc/zentralwerk
mkdir -p $DIR mkdir -p $DIR
ln -s ${physical-graph} $DIR/physical.png ln -s ${physical-graph} $DIR/physical.png


@ -7,11 +7,11 @@ let
modelPackages = { modelPackages = {
"tplink_archer-c7-v2" = [ "tplink_archer-c7-v2" = [
"-kmod-ath10k-ct" "-ath10k-firmware-qca988x-ct-full-htt" "-ath10k-firmware-qca988x-ct" "-kmod-ath10k-ct" "-ath10k-firmware-qca988x-ct"
"kmod-ath10k" "ath10k-firmware-qca988x" "kmod-ath10k" "ath10k-firmware-qca988x"
]; ];
"tplink_archer-c7-v5" = [ "tplink_archer-c7-v5" = [
"-kmod-ath10k-ct" "-ath10k-firmware-qca988x-ct" "-ath10k-firmware-qca988x-ct-full-htt" "-kmod-ath10k-ct" "-ath10k-firmware-qca988x-ct"
"kmod-ath10k" "ath10k-firmware-qca988x" "kmod-ath10k" "ath10k-firmware-qca988x"
]; ];
"ubnt_unifiac-lite" = [ "ubnt_unifiac-lite" = [
@ -63,17 +63,17 @@ in rec {
inherit pkgs; inherit pkgs;
release = "19.07.10"; release = "19.07.10";
}).identifyProfile model }).identifyProfile model
else if builtins.match "tl-wr[78].*" model != null else if builtins.match "tl-wr.*" model != null
then { then {
release = "18.06.9"; release = "18.06.9";
packagesArch = "mips_24kc"; packagesArch = "mips_24kc";
target = "ar71xx"; target = "ar71xx";
variant = "tiny"; variant = "tiny";
profile = model; profile = model;
sha256 = "sha256-P7BJI6n6s53szYXKshnJRKL2fLIYgJLPiq/yd0oRKoE="; sha256 = "109a2557gwmgib7r500qn9ygd8j4r4cv5jl5rpn9vczsm4ilkc1z";
feedsSha256 = { feedsSha256 = {
base.sha256 = "sha256-IbND2snJ1UrDRhvGQIRxzGuSpftQ+AyiWqaVZqbGdHY="; base.sha256 = "0xklqsk6d5d6bai0ry2hzfjr4sycf6241ihv8v1lmmf9r7d47cr1";
packages.sha256 = "sha256-18UvzdUL98CranBtzAY7hoUlEvafUdssAQOuqDQi4BU="; packages.sha256 = "05g048saibh304ndnlczyq92b1c67c3cqvbhdamw1xqbsp6jzifp";
}; };
} }
else null; else null;
@ -83,34 +83,19 @@ in rec {
extraImageName = "zw-${hostName}"; extraImageName = "zw-${hostName}";
packages = [ packages = [
# remove unused default .ipk # remove unused default .ipk
"-dnsmasq" "-firewall" "-firewall4" "-dnsmasq" "-firewall"
"-ppp" "-ppp-mod-pppoe" "-kmod-ppp" "-kmod-pppoe" "-kmod-pppox" "-ppp" "-ppp-mod-pppoe" "-kmod-ppp" "-kmod-pppoe" "-kmod-pppox"
"-iptables" "-ip6tables" "-kmod-ipt-offload" "-iptables" "-ip6tables" "-kmod-ipt-offload"
"-odhcp6c" "-odhcpd-ipv6only" "-odhcp6c" "-odhcpd-ipv6only"
"-wpad-basic-mbedtls" # debugging
"tcpdump"
# monitoring # monitoring
"collectd" "collectd" "collectd-mod-interface" "collectd-mod-load"
"collectd-mod-iwinfo" "collectd-mod-network" "collectd-mod-cpu" "collectd-mod-iwinfo" "collectd-mod-network"
"collectd-mod-interface" "collectd-mod-load" "collectd-mod-cpu" # wpa3
"collectd-mod-exec" "-wpad-basic-wolfssl" "-wpad-mini"
] ++ ( "wpad-openssl"
if args.variant != "tiny" ] ++ nixpkgs.lib.optionals hasVxlan [
then [
# debugging
"htop"
"tcpdump"
# wpa3
"-wpad-basic-wolfssl" "-wpad-mini"
"wpad-openssl"
"usteer"
] else [
# debugging
"tcpdump-mini"
# wpa3
"-wpad-openssl" "-wpad-mini"
"wpad-wolfssl"
]
) ++ nixpkgs.lib.optionals hasVxlan [
"vxlan" "kmod-vxlan" "vxlan" "kmod-vxlan"
] ++ modelPackages.${model} or []; ] ++ modelPackages.${model} or [];
disabledServices = [ "dnsmasq" "uhttpd" ]; disabledServices = [ "dnsmasq" "uhttpd" ];
@ -119,10 +104,6 @@ in rec {
cat > $out/etc/uci-defaults/99-zentralwerk <<EOF cat > $out/etc/uci-defaults/99-zentralwerk <<EOF
${uciConfig hostName} ${uciConfig hostName}
EOF EOF
mkdir -p $out/usr/{bin,sbin}
cp ${./usteer-info.sh} $out/usr/sbin/usteer-info.sh
cp ${./usteer-stats.sh} $out/usr/bin/usteer-stats.sh
chmod +x $out/usr/bin/*.sh $out/usr/sbin/*.sh
''; '';
}); });
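Review bot: `tcpdump` and `wpad-openssl` sit in the unconditional package list, so they are also requested for the `variant = "tiny"` 18.06.9 builds that the widened `builtins.match "tl-wr.*" model` selects; the tiny variant presumably targets the small-flash boards, where the full OpenSSL wpad and tcpdump may not fit, so a per-variant split (`tcpdump-mini` and `wpad-wolfssl` for tiny) seems safer. The widened match also routes every `tl-wr*` model to the ar71xx tiny profile instead of returning `null`; if that is intended, a comment above the `else if` naming which series this covers would help the next reader. The `rec` attribute set holding `buildImage` starts before the first hunk of this section.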


@ -18,21 +18,8 @@ let
# ours don't come with a switch. # ours don't come with a switch.
then false then false
else else
openwrtModel ? ports
&&
any ({ switch ? null, ... }: switch != null) any ({ switch ? null, ... }: switch != null)
(builtins.attrValues openwrtModel.ports); (builtins.attrValues openwrtModel.ports);
hasDSA = (
all ({ switch ? null, ... }:
switch == null
) (builtins.attrValues openwrtModel.ports or {})
&&
any ({ port ? null, interface ? null, ... }:
port != null &&
interface != null &&
port == interface
) (builtins.attrValues openwrtModel.ports or {})
) || hostConfig.model == "ubnt_unifi-usg";
portsDoc = portsDoc =
let let
@ -112,20 +99,6 @@ let
) )
); );
dsaPorts = net:
unique (
concatMap ({ ports, ... }: ports) (
builtins.filter ({ nets, ... }: builtins.elem net nets)
(builtins.attrValues hostConfig.links)
));
dsaPortType = net: port:
if any ({ ports, trunk, ... }: trunk && builtins.elem port ports) (
builtins.attrValues hostConfig.links
) || hostConfig.links.${net}.trunk or true
then "t"
else "u*";
networkInterfaces = net: networkInterfaces = net:
let let
inherit (config.site.net.${net}) vlan; inherit (config.site.net.${net}) vlan;
@ -159,16 +132,6 @@ let
) )
); );
mgmtInterface =
if hasDSA
then "br0.${toString config.site.net.mgmt.vlan}"
else
let
mgmtInterfaces = networkInterfaces "mgmt";
in if builtins.length mgmtInterfaces == 1
then builtins.head mgmtInterfaces
else "br-mgmt";
in in
'' ''
# Set root password # Set root password
@ -188,8 +151,8 @@ in
uci set system.@system[0].log_ip=${config.site.net.mgmt.hosts4.logging} uci set system.@system[0].log_ip=${config.site.net.mgmt.hosts4.logging}
uci set system.@system[0].log_proto=udp uci set system.@system[0].log_proto=udp
# Switch config
${optionalString hasSwitch '' ${optionalString hasSwitch ''
# Switch config
# Ports ${portsDoc} # Ports ${portsDoc}
${concatMapStrings (net: '' ${concatMapStrings (net: ''
uci add network switch_vlan uci add network switch_vlan
@ -198,42 +161,7 @@ in
uci set network.@switch_vlan[-1].vlan='${toString config.site.net.${net}.vlan}' uci set network.@switch_vlan[-1].vlan='${toString config.site.net.${net}.vlan}'
uci set network.@switch_vlan[-1].ports='${switchPortsConfig net}' uci set network.@switch_vlan[-1].ports='${switchPortsConfig net}'
uci set network.@switch_vlan[-1].comment='${net}' uci set network.@switch_vlan[-1].comment='${net}'
'') (
sort (net1: net2:
config.site.net.${net1}.vlan < config.site.net.${net2}.vlan
) (
unique (
builtins.concatMap ({ nets, ... }: nets)
(builtins.attrValues hostConfig.links)
)
)
)}
''}
${optionalString hasDSA ''
# DSA
${uciDeleteAll "network.@device"}
uci add network device
uci set network.@device[-1].name='br0'
uci set network.@device[-1].type='bridge'
${concatMapStrings (port: ''
uci add_list network.@device[-1].ports='${port}'
'') (
unique (
builtins.concatMap ({ ports, ... }: ports)
(builtins.attrValues hostConfig.links)
)
)}
uci set network.br0='interface'
uci set network.br0.proto='none'
uci set network.br0.device='br0'
${concatMapStrings (net: ''
uci add network bridge-vlan
uci set network.@bridge-vlan[-1].device='br0'
uci set network.@bridge-vlan[-1].vlan='${toString config.site.net.${net}.vlan}'
${concatMapStrings (port: ''
uci add_list network.@bridge-vlan[-1].ports='${port}:${dsaPortType net port}'
'') (dsaPorts net)}
'') ( '') (
sort (net1: net2: sort (net1: net2:
config.site.net.${net1}.vlan < config.site.net.${net2}.vlan config.site.net.${net1}.vlan < config.site.net.${net2}.vlan
@ -248,16 +176,11 @@ in
# mgmt network # mgmt network
uci set network.mgmt=interface uci set network.mgmt=interface
${if hasDSA uci set network.mgmt.ifname='${
then '' if builtins.length (networkInterfaces "mgmt") > 0
uci set network.mgmt.device='br0.${toString config.site.net.mgmt.vlan}' then concatStringsSep " " (networkInterfaces "mgmt")
'' else '' else throw "${hostName}: No interface for mgmt"
uci set network.mgmt.ifname='${ }'
if builtins.length (networkInterfaces "mgmt") > 0
then concatStringsSep " " (networkInterfaces "mgmt")
else throw "${hostName}: No interface for mgmt"
}'
''}
uci set network.mgmt.proto=static uci set network.mgmt.proto=static
${optionalString (hostConfig.interfaces.mgmt.type == "bridge") '' ${optionalString (hostConfig.interfaces.mgmt.type == "bridge") ''
uci set network.mgmt.type=bridge uci set network.mgmt.type=bridge
@ -287,17 +210,9 @@ in
uci set network.${net}=interface uci set network.${net}=interface
${optionalString (iface.type == "bridge") '' ${optionalString (iface.type == "bridge") ''
uci set network.${net}.type=bridge uci set network.${net}.type=bridge
uci add network device
uci set network.@device[-1].name='${net}'
uci set network.@device[-1].type='bridge'
''} ''}
uci set network.${net}.proto=static uci set network.${net}.proto=static
${if hasDSA uci set network.${net}.ifname='${concatStringsSep " " (networkInterfaces net)}'
then ''
uci set network.${net}.device='br0.${toString config.site.net.${net}.vlan}'
'' else ''
uci set network.${net}.ifname='${concatStringsSep " " (networkInterfaces net)}'
''}
${optionalString (config.site.net.${net}.mtu != null) '' ${optionalString (config.site.net.${net}.mtu != null) ''
uci set network.${net}.mtu=${toString config.site.net.${net}.mtu} uci set network.${net}.mtu=${toString config.site.net.${net}.mtu}
''} ''}
@ -329,7 +244,6 @@ in
'') (builtins.attrNames hostConfig.interfaces) '') (builtins.attrNames hostConfig.interfaces)
} }
${uciDeleteAll "wireless.radio"}
uci -q delete wireless.default_radio0 || true uci -q delete wireless.default_radio0 || true
uci -q delete wireless.default_radio1 || true uci -q delete wireless.default_radio1 || true
${concatStrings (imap0 (index: path: ${concatStrings (imap0 (index: path:
@ -342,7 +256,6 @@ in
uci set wireless.radio${toString index}=wifi-device uci set wireless.radio${toString index}=wifi-device
uci set wireless.radio${toString index}.type=mac80211 uci set wireless.radio${toString index}.type=mac80211
uci set wireless.radio${toString index}.country=DE uci set wireless.radio${toString index}.country=DE
uci set wireless.radio${toString index}.band=${radioConfig.band}
uci set wireless.radio${toString index}.channel=${toString radioConfig.channel} uci set wireless.radio${toString index}.channel=${toString radioConfig.channel}
uci set wireless.radio${toString index}.path=${path} uci set wireless.radio${toString index}.path=${path}
uci set wireless.radio${toString index}.htmode=${radioConfig.htmode} uci set wireless.radio${toString index}.htmode=${radioConfig.htmode}
@ -352,7 +265,6 @@ in
${concatMapStrings (ssid: ${concatMapStrings (ssid:
let let
ssidConfig = radioConfig.ssids.${ssid}; ssidConfig = radioConfig.ssids.${ssid};
netConfig = config.site.net.${ssidConfig.net};
# mapping our option to openwrt/hostapd setting # mapping our option to openwrt/hostapd setting
encryption = { encryption = {
@ -367,11 +279,6 @@ in
then ssidConfig.ifname then ssidConfig.ifname
else "${ifPrefix}-${ssidConfig.net}"; else "${ifPrefix}-${ssidConfig.net}";
pad = len: prefix: s:
if builtins.stringLength s < len
then pad len prefix "${prefix}${s}"
else s;
in '' in ''
uci add wireless wifi-iface uci add wireless wifi-iface
uci set wireless.@wifi-iface[-1].ifname=${ifname} uci set wireless.@wifi-iface[-1].ifname=${ifname}
@ -380,7 +287,6 @@ in
uci set wireless.@wifi-iface[-1].mode=${ssidConfig.mode} uci set wireless.@wifi-iface[-1].mode=${ssidConfig.mode}
uci set wireless.@wifi-iface[-1].network=${ssidConfig.net} uci set wireless.@wifi-iface[-1].network=${ssidConfig.net}
uci set wireless.@wifi-iface[-1].mcast_rate=18000 uci set wireless.@wifi-iface[-1].mcast_rate=18000
uci set wireless.@wifi-iface[-1].hidden=${if ssidConfig.hidden then "1" else "0"}
uci set wireless.@wifi-iface[-1].encryption='${encryption}' uci set wireless.@wifi-iface[-1].encryption='${encryption}'
${if (ssidConfig.psk != null) ${if (ssidConfig.psk != null)
then '' then ''
@ -389,59 +295,10 @@ in
else '' else ''
uci -q delete wireless.@wifi-iface[-1].key || true uci -q delete wireless.@wifi-iface[-1].key || true
''} ''}
${lib.optionalString (!ssidConfig.disassocLowAck) ''
uci set wireless.@wifi-iface[-1].disassoc_low_ack='0'
''}
${lib.optionalString (netConfig.wifi.ieee80211rKey != null) ''
# for usteerd
# see https://www.libe.net/en-wlan-roaming#client-steering
# https://openwrt.org/docs/guide-user/network/wifi/usteer#configure_80211k_and_80211v_on_all_ap-nodes
uci set wireless.@wifi-iface[-1].bss_transition=1
uci set wireless.@wifi-iface[-1].wnm_sleep_mode=1
uci set wireless.@wifi-iface[-1].time_advertisement=2
uci set wireless.@wifi-iface[-1].time_zone=GMT0
uci set wireless.@wifi-iface[-1].ieee80211k=1
uci set wireless.@wifi-iface[-1].rrm_neighbor_report=1
uci set wireless.@wifi-iface[-1].rrm_beacon_report=1
# breaks Apple devices connecting to wifi when used together with wpa2/wpa3 mixed mode (sae-mixed)
# uci set wireless.@wifi-iface[-1].ieee80211r=1
# when unset derived from interface MAC
uci set wireless.@wifi-iface[-1].nasid=${pad 12 "0" (toString ((lib.toInt (lib.removePrefix "ap" hostName)) * 65536 + index))}
# when unset derived from the first 4 chars of the md5 hashed SSID
uci set wireless.@wifi-iface[-1].mobility_domain=${pad 4 "0" (lib.toHexString (49920 + netConfig.vlan))}
# https://github.com/openwrt/openwrt/issues/7907
# https://github.com/openwrt/openwrt/commit/2984a0420649733662ff95b0aff720b8c2c19f8a
uci set wireless.@wifi-iface[-1].ft_over_ds=0
# as recommend in 7907 and seems to fairly often trigger while testing
uci set wireless.@wifi-iface[-1].reassociation_deadline=20000
# might be unused if ft_over_ds is not used
uci set wireless.@wifi-iface[-1].ft_bridge=${mgmtInterface}
# otherwise the r0kh/r1kh options below are not applied
uci set wireless.@wifi-iface[-1].ft_psk_generate_local=0
# do not just rely on the monility domain for increased security
# https://forum.openwrt.org/t/802-11r-fast-transition-how-to-understand-that-ft-works/110920/81
uci set wireless.@wifi-iface[-1].r0kh=ff:ff:ff:ff:ff:ff,\*,${netConfig.wifi.ieee80211rKey}
uci set wireless.@wifi-iface[-1].r1kh=00:00:00:00:00:00,00:00:00:00:00:00,${netConfig.wifi.ieee80211rKey}
uci set wireless.@wifi-iface[-1].pmk_r1_push=1
''}
'' ''
) (builtins.attrNames radioConfig.ssids)} ) (builtins.attrNames radioConfig.ssids)}
'') (builtins.attrNames hostConfig.wifi))} '') (builtins.attrNames hostConfig.wifi))}
uci set usteer.@usteer[0].network=mgmt
uci set usteer.@usteer[0].load_kick_enabled=1
uci set usteer.@usteer[0].load_kick_threshold=67
uci set usteer.@usteer[0].signal_diff_threshold=15
uci set usteer.@usteer[0].load_balancing_threshold=8
uci set usteer.@usteer[0].band_steering_threshold=16
uci commit uci commit
# Add hotfixes for MTU settings # Add hotfixes for MTU settings
@ -463,7 +320,6 @@ in
# the gateways is reachable # the gateways is reachable
cat >/etc/crontabs/root <<__CRON__ cat >/etc/crontabs/root <<__CRON__
* * * * * /usr/sbin/wifi-on-link.sh * * * * * /usr/sbin/wifi-on-link.sh
* * * * * /usr/sbin/usteer-info.sh
__CRON__ __CRON__
cat >/usr/sbin/wifi-on-link.sh <<__SH__ cat >/usr/sbin/wifi-on-link.sh <<__SH__
#!/bin/sh #!/bin/sh
@ -510,16 +366,11 @@ in
LoadPlugin interface LoadPlugin interface
LoadPlugin iwinfo LoadPlugin iwinfo
LoadPlugin network LoadPlugin network
LoadPlugin exec
<Plugin network> <Plugin network>
Server "${config.site.net.serv.hosts6.dn42.stats}" "25826" Server "${config.site.net.serv.hosts6.dn42.stats}" "25826"
</Plugin> </Plugin>
<Plugin exec>
Exec "nobody" "/usr/bin/usteer-stats.sh"
</Plugin>
COLLECTD COLLECTD
''} ''}
chmod +x /usr/bin/usteer-stats.sh /usr/sbin/usteer-info.sh
for svc in dnsmasq uhttpd ; do for svc in dnsmasq uhttpd ; do
rm -f /etc/rc.d/*\$svc rm -f /etc/rc.d/*\$svc
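Review bot: `hasSwitch` evaluates `builtins.attrValues openwrtModel.ports` without first checking that the model defines `ports`, so any model attrset without that attribute aborts evaluation with a missing-attribute error instead of yielding `false`; guard it with `openwrtModel ? ports && any ({ switch ? null, ... }: switch != null) (builtins.attrValues openwrtModel.ports)` or use `openwrtModel.ports or {}`. The `let` block this sits in and the final `''` string both extend outside the hunks shown here.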


@ -1,3 +0,0 @@
#! /bin/sh
[ -p /tmp/usteer-info ] || exit 0
exec /bin/ubus call usteer local_info > /tmp/usteer-info


@ -1,32 +0,0 @@
#! /bin/sh
HOSTNAME=`cat /proc/sys/kernel/hostname`
INTERVAL=60
[ -p /tmp/usteer-info ] || mkfifo /tmp/usteer-info
while true; do
if [ ! -p /tmp/usteer-info ]; then
echo "/tmp/usteer-info went missing!"
exit 1
fi
DATA="$(cat /tmp/usteer-info)"
cd /sys/class/net
for iface in wlan*; do
eval $( echo "$DATA" | jsonfilter \
-e 'LOAD=@["hostapd.'$iface'"].load' \
-e 'NOISE=@["hostapd.'$iface'"].noise' \
-e 'N_ASSOC=@["hostapd.'$iface'"].n_assoc' \
-e 'FREQ=@["hostapd.'$iface'"].freq' \
-e 'ROAM_SOURCE=@["hostapd.'$iface'"].roam_events.source' \
-e 'ROAM_TARGET=@["hostapd.'$iface'"].roam_events.target'
)
echo "PUTVAL \"$HOSTNAME/usteer_local_info-$iface/stations-load\" interval=$INTERVAL N:$LOAD"
echo "PUTVAL \"$HOSTNAME/usteer_local_info-$iface/signal_noise-noise\" interval=$INTERVAL N:$NOISE"
echo "PUTVAL \"$HOSTNAME/usteer_local_info-$iface/stations-n_assoc\" interval=$INTERVAL N:$N_ASSOC"
echo "PUTVAL \"$HOSTNAME/usteer_local_info-$iface/frequency-freq\" interval=$INTERVAL N:$FREQ"
echo "PUTVAL \"$HOSTNAME/usteer_local_info-$iface/transitions-roam_source\" interval=$INTERVAL N:$ROAM_SOURCE"
echo "PUTVAL \"$HOSTNAME/usteer_local_info-$iface/transitions-roam_target\" interval=$INTERVAL N:$ROAM_TARGET"
done
done


@ -60,11 +60,7 @@ exit 1 if collisions > 0
GROUP_PREFIX = 19 GROUP_PREFIX = 19
groups = {} groups = {}
nets.each do |net| nets.each do |net|
if net.addr.prefix > GROUP_PREFIX group = net.addr.supernet(GROUP_PREFIX).to_s
group = net.addr.supernet(GROUP_PREFIX).to_s
else
group = net.addr.to_s
end
(groups[group] ||= []) << net (groups[group] ||= []) << net
end end
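Review bot: `net.addr.supernet(GROUP_PREFIX)` is now called for every net, including those whose prefix is already 19 or shorter; depending on the IP library in use, `supernet` with a prefix that is not smaller than the network's own either raises or yields a wrong group, so the grouping should fall back to the network itself in that case, e.g. `group = net.addr.prefix > GROUP_PREFIX ? net.addr.supernet(GROUP_PREFIX).to_s : net.addr.to_s`. The `nets` collection and the `collisions` check come from code outside this hunk.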


@ -9,7 +9,7 @@ let
host-name ${hostName}; host-name ${hostName};
time-zone Europe/Berlin; time-zone Europe/Berlin;
root-authentication { root-authentication {
encrypted-password "%%HASH%%"; ## SECRET-DATA encrypted-password "$5$EBmFELmv$kQxtWwS0SBS.TqVPRvs8sKpH./l9DTtTxX/I2FJB2n2"; ## SECRET-DATA
ssh-ed25519 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHGgoLzQMeyX1wjsX/hgVkN//zyfOQPiBRYgO2ajEGH6 root@server2"; ssh-ed25519 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHGgoLzQMeyX1wjsX/hgVkN//zyfOQPiBRYgO2ajEGH6 root@server2";
} }
services { services {
@ -114,9 +114,13 @@ let
''; '';
configFileWithHash = runCommand "junos.config" { configFileWithHash = runCommand "junos.config" {
nativeBuildInputs = [ mkpasswd ]; nativeBuildInputs = [ python3 ];
} '' } ''
HASH=$(echo "${hostConfig.password}" | mkpasswd --method=SHA-512 --stdin) cat >gen.py<<EOF
import crypt
print(crypt.crypt('${hostConfig.password}', crypt.mksalt(crypt.METHOD_SHA256)))
EOF
HASH=$(python gen.py)
substitute ${configFile} $out \ substitute ${configFile} $out \
--replace "%%HASH%%" "$HASH" --replace "%%HASH%%" "$HASH"
''; '';
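Review bot: The `substitute --replace "%%HASH%%"` step in `configFileWithHash` no longer matches anything, because the template's `encrypted-password` now carries a literal `$5$…` hash, so the hash computed from `hostConfig.password` is discarded and whatever hash is committed in the repository is what ships; restore `encrypted-password "%%HASH%%"; ## SECRET-DATA` in the template. The generated `gen.py` also interpolates `hostConfig.password` straight into a single-quoted Python literal, so a password containing `'` or `\` produces a syntax error rather than a hash, and Python's `crypt` module is deprecated since 3.11 and removed in 3.13, so `nativeBuildInputs = [ mkpasswd ]` with `mkpasswd --stdin` is the more durable choice. In both variants the plaintext password is part of the derivation's build script and therefore lands in the world-readable `.drv` in the store; that deserves a comment here, or the hashing should move outside the build. The `let` binding for `configFile` starts before the first hunk of this section.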

5985
openwrt/tl-wr841-v10.config Normal file


5849
openwrt/tl-wr841-v11.config Normal file


6002
openwrt/tl-wr841-v8.config Normal file
