Compare commits
No commits in common. "master" and "bgp" have entirely different histories.
|
@ -26,11 +26,11 @@ Alle Stecker im Haus sind in Schema A gecrimpt.
|
|||
| | ![][gi] B 2.05.02 | ![][gi] UVB 1.09 | | 14 |
|
||||
| ![][ri] B 4.02.01 *v* | ![][gi] B 2.05.05 | ![][gi] UVB 1.10 | | 15 |
|
||||
| ![][ri] B 4.01.01 *v* | ![][gi] B 2.05.06 | ![][gi] 1.06 | | 16 |
|
||||
| ![][ri] B 4.03.01 *v* | ![][gi] B 2.05.03 *v* | ![][gi] 1.16 *v* | | 17 |
|
||||
| ![][ri] B 4.03.01 | ![][gi] B 2.05.03 *v* | | | 17 |
|
||||
| ![][ri] B 4.04.01 *v* | ![][gi] B 2.05.07 *v* | | | 18 |
|
||||
| ![][ri] B 4.05.02 *v* | ![][gi] B 2.06 | | | 19 |
|
||||
| ![][ri] B 4.06.01 *v* | ![][ri] B 2.07 | | | 20 |
|
||||
| ![][ri] B 4.07.05 *v* | | | | 21 |
|
||||
| ![][ri] B 4.07.05 | | | | 21 |
|
||||
| ![][ri] B 4.08.01 | | | | 22 |
|
||||
| ![][ri] B 4.09.01 *v* | | | | 23 |
|
||||
| ![][ri] B 4.10.01 *v* | | | | 24 |
|
||||
|
|
535
config/ap.nix
535
config/ap.nix
|
@ -33,7 +33,7 @@
|
|||
wifi = {
|
||||
"platform/qca953x_wmac" = {
|
||||
channel = 1;
|
||||
htmode = "HT20";
|
||||
htmode = "HT40+";
|
||||
ssids = {
|
||||
"ZW public" = { net = "pub"; };
|
||||
uebergangsnetz = { net = "priv6"; };
|
||||
|
@ -60,15 +60,15 @@
|
|||
};
|
||||
};
|
||||
location = "Turm D, 1. Etage";
|
||||
model = "tl-wr841-v9";
|
||||
model = "tl-wr841-v10";
|
||||
role = "ap";
|
||||
wifi = {
|
||||
"platform/qca953x_wmac" = {
|
||||
channel = 6;
|
||||
htmode = "HT20";
|
||||
htmode = "HT40+";
|
||||
ssids = {
|
||||
"ZW public" = { net = "pub"; };
|
||||
"iz-dresden.org" = { net = "priv15"; encryption = "wpa2"; };
|
||||
"iz-dresden.org" = { net = "priv15"; };
|
||||
};
|
||||
};
|
||||
};
|
||||
|
@ -92,12 +92,12 @@
|
|||
};
|
||||
};
|
||||
location = "B 2.03.04";
|
||||
model = "tplink_tl-wr1043nd-v2";
|
||||
model = "tplink_tl-wr1043nd-v1";
|
||||
role = "ap";
|
||||
wifi = {
|
||||
"platform/ahb/18100000.wmac" = {
|
||||
channel = 1;
|
||||
htmode = "HT20";
|
||||
htmode = "HT40+";
|
||||
ssids = {
|
||||
"ZW public" = { net = "pub"; };
|
||||
braeunigkoschnik = { net = "priv8"; };
|
||||
|
@ -130,7 +130,7 @@
|
|||
wifi = {
|
||||
"platform/ar934x_wmac" = {
|
||||
channel = 6;
|
||||
htmode = "HT20";
|
||||
htmode = "HT40+";
|
||||
ssids = {
|
||||
"IrèneMélix" = { net = "priv38"; };
|
||||
"ZW public" = { net = "pub"; };
|
||||
|
@ -139,6 +139,8 @@
|
|||
};
|
||||
};
|
||||
};
|
||||
ap13 = { };
|
||||
ap14 = { };
|
||||
ap15 = {
|
||||
interfaces = {
|
||||
mgmt = {
|
||||
|
@ -163,7 +165,7 @@
|
|||
wifi = {
|
||||
"platform/ahb/18100000.wmac" = {
|
||||
channel = 1;
|
||||
htmode = "HT20";
|
||||
htmode = "HT40+";
|
||||
ssids = {
|
||||
"ZW public" = { net = "pub"; };
|
||||
etz250 = { net = "priv10"; };
|
||||
|
@ -171,6 +173,7 @@
|
|||
};
|
||||
};
|
||||
};
|
||||
ap16 = { };
|
||||
ap17 = {
|
||||
interfaces = {
|
||||
mgmt = {
|
||||
|
@ -197,7 +200,7 @@
|
|||
wifi = {
|
||||
"platform/ahb/18100000.wmac" = {
|
||||
channel = 5;
|
||||
htmode = "HT20";
|
||||
htmode = "HT40+";
|
||||
ssids = {
|
||||
EDUB = { net = "priv33"; };
|
||||
"ZW public" = { net = "pub"; };
|
||||
|
@ -231,7 +234,7 @@
|
|||
wifi = {
|
||||
"platform/qca953x_wmac" = {
|
||||
channel = 1;
|
||||
htmode = "HT20";
|
||||
htmode = "HT40+";
|
||||
ssids = {
|
||||
"Restaurierung Wolff/Kober" = { net = "priv9"; };
|
||||
"ZW public" = { net = "pub"; };
|
||||
|
@ -259,15 +262,15 @@
|
|||
};
|
||||
};
|
||||
location = "Turm C oberste Etage";
|
||||
model = "tl-wr841-v11";
|
||||
model = "tl-wr841-v10";
|
||||
role = "ap";
|
||||
wifi = {
|
||||
"platform/qca953x_wmac" = {
|
||||
channel = 6;
|
||||
htmode = "HT20";
|
||||
htmode = "HT40+";
|
||||
ssids = {
|
||||
"Bockwurst" = { net = "priv41"; encryption = "wpa2"; };
|
||||
Walter = { net = "priv26"; encryption = "wpa2"; };
|
||||
"Studio 01127" = { net = "priv41"; };
|
||||
Walter = { net = "priv26"; };
|
||||
"ZW public" = { net = "pub"; };
|
||||
};
|
||||
};
|
||||
|
@ -276,7 +279,6 @@
|
|||
ap2 = {
|
||||
interfaces = {
|
||||
c3d2.type = "bridge";
|
||||
c3d2iot.type = "bridge";
|
||||
mgmt = {
|
||||
gw4 = "mgmt-gw";
|
||||
gw6 = "mgmt-gw";
|
||||
|
@ -301,20 +303,15 @@
|
|||
htmode = "VHT80";
|
||||
ssids = {
|
||||
C3D2 = { net = "c3d2"; };
|
||||
"ZW public" = { net = "pub"; };
|
||||
"ZW public legacy" = { net = "pub"; };
|
||||
};
|
||||
};
|
||||
"platform/ahb/18100000.wmac" = {
|
||||
channel = 1;
|
||||
htmode = "HT20";
|
||||
htmode = "HT40+";
|
||||
ssids = {
|
||||
"C3D2 legacy" = { net = "c3d2"; };
|
||||
"C3D2 IoT" = {
|
||||
net = "c3d2iot";
|
||||
hidden = true;
|
||||
disassocLowAck = false;
|
||||
};
|
||||
"ZW public legacy" = { net = "pub"; };
|
||||
"ZW public" = { net = "pub"; };
|
||||
};
|
||||
};
|
||||
};
|
||||
|
@ -345,7 +342,7 @@
|
|||
};
|
||||
"platform/ahb/18100000.wmac" = {
|
||||
channel = 5;
|
||||
htmode = "HT20";
|
||||
htmode = "HT40+";
|
||||
ssids = {
|
||||
"ZW public" = { net = "pub"; };
|
||||
};
|
||||
|
@ -375,7 +372,7 @@
|
|||
wifi = {
|
||||
"pci0000:00/0000:00:00.0" = {
|
||||
channel = 11;
|
||||
htmode = "HT20";
|
||||
htmode = "HT40-";
|
||||
ssids = { "ZW public" = { net = "pub"; }; };
|
||||
};
|
||||
};
|
||||
|
@ -409,7 +406,7 @@
|
|||
};
|
||||
"platform/ahb/18100000.wmac" = {
|
||||
channel = 1;
|
||||
htmode = "HT20";
|
||||
htmode = "HT40+";
|
||||
ssids = {
|
||||
"LBK Network" = { net = "priv30"; };
|
||||
"ZW public" = { net = "pub"; };
|
||||
|
@ -428,20 +425,23 @@
|
|||
pub.type = "bridge";
|
||||
};
|
||||
links = {
|
||||
# Ends up in /etc/config but not in `swconfig dev switch0 show`
|
||||
priv12.ports = [ "lan:1" "lan:2" "lan:3" "lan:4" ];
|
||||
switch-b3.ports = [ "wan" ];
|
||||
priv12 = {
|
||||
ports = [ "lan" ];
|
||||
};
|
||||
switch-b3 = {
|
||||
ports = [ "wan" ];
|
||||
};
|
||||
};
|
||||
location = "Farbwerk";
|
||||
model = "tl-wr740n-v4";
|
||||
model = "tl-wr740n-v1";
|
||||
role = "ap";
|
||||
wifi = {
|
||||
"platform/ar933x_wmac" = {
|
||||
channel = 6;
|
||||
htmode = "HT20";
|
||||
htmode = "HT40-";
|
||||
ssids = {
|
||||
"ZW public" = { net = "pub"; };
|
||||
farbwerk = { net = "priv12"; encryption = "wpa2"; };
|
||||
farbwerk = { net = "priv12"; };
|
||||
};
|
||||
};
|
||||
};
|
||||
|
@ -464,13 +464,13 @@
|
|||
ports = [ "wan" ];
|
||||
};
|
||||
};
|
||||
location = "Farbwerk, lost";
|
||||
location = "Farbwerk";
|
||||
model = "tl-wr740n-v1";
|
||||
role = "ap";
|
||||
wifi = {
|
||||
"platform/ar933x_wmac" = {
|
||||
channel = 6;
|
||||
htmode = "HT20";
|
||||
htmode = "HT40-";
|
||||
ssids = {
|
||||
"ZW public" = { net = "pub"; };
|
||||
farbwerk = { net = "priv12"; };
|
||||
|
@ -502,7 +502,7 @@
|
|||
wifi = {
|
||||
"pci0000:00/0000:00:00.0" = {
|
||||
channel = 11;
|
||||
htmode = "HT20";
|
||||
htmode = "HT40-";
|
||||
ssids = {
|
||||
Dezember = { net = "priv37"; };
|
||||
"ZW public" = { net = "pub"; };
|
||||
|
@ -533,7 +533,7 @@
|
|||
wifi = {
|
||||
"platform/qca953x_wmac" = {
|
||||
channel = 1;
|
||||
htmode = "HT20";
|
||||
htmode = "HT40+";
|
||||
ssids = { "ZW public" = { net = "pub"; }; };
|
||||
};
|
||||
};
|
||||
|
@ -561,7 +561,7 @@
|
|||
wifi = {
|
||||
"platform/ar934x_wmac" = {
|
||||
channel = 9;
|
||||
htmode = "HT20";
|
||||
htmode = "HT40+";
|
||||
ssids = { "ZW public" = { net = "pub"; }; };
|
||||
};
|
||||
};
|
||||
|
@ -598,7 +598,7 @@
|
|||
};
|
||||
"platform/ahb/18100000.wmac" = {
|
||||
channel = 6;
|
||||
htmode = "HT20";
|
||||
htmode = "HT40+";
|
||||
ssids = {
|
||||
"ZW public" = { net = "pub"; };
|
||||
jungnickel-fotografie = { net = "priv13"; };
|
||||
|
@ -633,7 +633,7 @@
|
|||
wifi = {
|
||||
"pci0000:00/0000:00:00.0" = {
|
||||
channel = 128;
|
||||
htmode = "HT20";
|
||||
htmode = "HT40+";
|
||||
ssids = {
|
||||
C3D2 = { net = "c3d2"; };
|
||||
"ZW public" = { net = "pub"; };
|
||||
|
@ -641,7 +641,7 @@
|
|||
};
|
||||
"platform/ar934x_wmac" = {
|
||||
channel = 1;
|
||||
htmode = "HT20";
|
||||
htmode = "HT40+";
|
||||
ssids = {
|
||||
"C3D2 legacy" = { net = "c3d2"; };
|
||||
"ZW public legacy" = { net = "pub"; };
|
||||
|
@ -673,7 +673,7 @@
|
|||
wifi = {
|
||||
"platform/ahb/18100000.wmac" = {
|
||||
channel = 1;
|
||||
htmode = "HT20";
|
||||
htmode = "HT40+";
|
||||
ssids = {
|
||||
WLANb0402 = { net = "priv14"; };
|
||||
"ZW public" = { net = "pub"; };
|
||||
|
@ -684,7 +684,6 @@
|
|||
ap31 = {
|
||||
interfaces = {
|
||||
c3d2.type = "bridge";
|
||||
c3d2iot.type = "bridge";
|
||||
mgmt = {
|
||||
gw4 = "mgmt-gw";
|
||||
gw6 = "mgmt-gw";
|
||||
|
@ -712,14 +711,9 @@
|
|||
};
|
||||
"platform/ahb/18100000.wmac" = {
|
||||
channel = 5;
|
||||
htmode = "HT20";
|
||||
htmode = "HT40+";
|
||||
ssids = {
|
||||
"C3D2 legacy" = { net = "c3d2"; };
|
||||
"C3D2 IoT" = {
|
||||
net = "c3d2iot";
|
||||
hidden = true;
|
||||
disassocLowAck = false;
|
||||
};
|
||||
FOTOAKADEMIEdd = { net = "priv39"; };
|
||||
"ZW public legacy" = { net = "pub"; };
|
||||
};
|
||||
|
@ -757,7 +751,7 @@
|
|||
channel = 9;
|
||||
htmode = "HT20";
|
||||
ssids = {
|
||||
"ZW public legacy" = { net = "pub"; };
|
||||
"ZW public" = { net = "pub"; };
|
||||
"ZW stage legacy" = { net = "priv25"; };
|
||||
};
|
||||
};
|
||||
|
@ -792,7 +786,7 @@
|
|||
};
|
||||
"platform/ahb/18100000.wmac" = {
|
||||
channel = 9;
|
||||
htmode = "HT20";
|
||||
htmode = "HT40+";
|
||||
ssids = {
|
||||
"C3D2 legacy" = { net = "c3d2"; };
|
||||
"ZW public legacy" = { net = "pub"; };
|
||||
|
@ -829,7 +823,7 @@
|
|||
};
|
||||
"platform/ahb/18100000.wmac" = {
|
||||
channel = 9;
|
||||
htmode = "HT20";
|
||||
htmode = "HT40+";
|
||||
ssids = {
|
||||
"ZW public" = { net = "pub"; };
|
||||
etz250 = { net = "priv10"; };
|
||||
|
@ -861,7 +855,7 @@
|
|||
wifi = {
|
||||
"platform/ahb/18100000.wmac" = {
|
||||
channel = 1;
|
||||
htmode = "HT20";
|
||||
htmode = "HT40+";
|
||||
ssids = {
|
||||
Koch = { net = "priv18"; };
|
||||
"ZW public" = { net = "pub"; };
|
||||
|
@ -893,7 +887,7 @@
|
|||
wifi = {
|
||||
"platform/ar933x_wmac" = {
|
||||
channel = 5;
|
||||
htmode = "HT20";
|
||||
htmode = "HT40+";
|
||||
ssids = {
|
||||
"C3D2 legacy" = { net = "c3d2"; };
|
||||
"ZW public" = { net = "pub"; };
|
||||
|
@ -930,10 +924,11 @@
|
|||
};
|
||||
"platform/ahb/18100000.wmac" = {
|
||||
channel = 6;
|
||||
htmode = "HT20";
|
||||
htmode = "HT40-";
|
||||
ssids = {
|
||||
"ZW public" = { net = "pub"; };
|
||||
"hechtfilm.de legacy" = { net = "priv19"; };
|
||||
"LIZA".net = "priv43";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
@ -947,7 +942,6 @@
|
|||
};
|
||||
priv20.type = "bridge";
|
||||
priv28.type = "bridge";
|
||||
priv47.type = "bridge";
|
||||
pub.type = "bridge";
|
||||
};
|
||||
links = {
|
||||
|
@ -973,12 +967,11 @@
|
|||
};
|
||||
"platform/ahb/18100000.wmac" = {
|
||||
channel = 11;
|
||||
htmode = "HT20";
|
||||
htmode = "HT40-";
|
||||
ssids = {
|
||||
"ZW heinrichsgarten" = { net = "priv28"; };
|
||||
"ZW public" = { net = "pub"; };
|
||||
plop = { net = "priv20"; };
|
||||
millimeter = { net = "priv47"; };
|
||||
};
|
||||
};
|
||||
};
|
||||
|
@ -1007,7 +1000,7 @@
|
|||
wifi = {
|
||||
"platform/10180000.wmac" = {
|
||||
channel = 9;
|
||||
htmode = "HT20";
|
||||
htmode = "HT40+";
|
||||
ssids = {
|
||||
EckiTino = { net = "priv7"; };
|
||||
"ZW public" = { net = "pub"; };
|
||||
|
@ -1040,7 +1033,7 @@
|
|||
wifi = {
|
||||
"platform/ahb/18100000.wmac" = {
|
||||
channel = 11;
|
||||
htmode = "HT20";
|
||||
htmode = "HT40-";
|
||||
ssids = {
|
||||
"ZW public" = { net = "pub"; };
|
||||
"jam-circle.de" = { net = "priv4"; };
|
||||
|
@ -1059,9 +1052,12 @@
|
|||
pub.type = "bridge";
|
||||
};
|
||||
links = {
|
||||
priv22.ports = [ "lan:2" "lan:3" "lan:4" ];
|
||||
ap70.ports = [ "lan:1" ];
|
||||
switch-b3.ports = [ "wan" ];
|
||||
priv22 = {
|
||||
ports = [ "lan:1" "lan:2" "lan:3" "lan:4" ];
|
||||
};
|
||||
switch-b3 = {
|
||||
ports = [ "wan" ];
|
||||
};
|
||||
};
|
||||
location = "B4.01";
|
||||
model = "tplink_archer-c7-v5";
|
||||
|
@ -1077,7 +1073,7 @@
|
|||
};
|
||||
"platform/ahb/18100000.wmac" = {
|
||||
channel = 6;
|
||||
htmode = "HT20";
|
||||
htmode = "HT40-";
|
||||
ssids = {
|
||||
"M legacy" = { net = "priv22"; };
|
||||
"ZW public" = { net = "pub"; };
|
||||
|
@ -1117,7 +1113,7 @@
|
|||
};
|
||||
"platform/ahb/18100000.wmac" = {
|
||||
channel = 6;
|
||||
htmode = "HT20";
|
||||
htmode = "HT40-";
|
||||
ssids = {
|
||||
Walter = { net = "priv26"; };
|
||||
"ZW public" = { net = "pub"; };
|
||||
|
@ -1136,8 +1132,8 @@
|
|||
pub.type = "bridge";
|
||||
};
|
||||
links = {
|
||||
# ap21.ports = [ "lan:3" ];
|
||||
priv4.ports = [ "lan:1" "lan:2" "lan:3" "lan:4" ];
|
||||
ap21.ports = [ "lan:3" ];
|
||||
priv4.ports = [ "lan:1" "lan:2" "lan:4" ];
|
||||
switch-b3.ports = [ "wan" ];
|
||||
};
|
||||
location = "Dresden School of Lindy Hop";
|
||||
|
@ -1146,7 +1142,7 @@
|
|||
wifi = {
|
||||
"pci0000:00/0000:00:00.0" = {
|
||||
channel = 128;
|
||||
htmode = "HT20";
|
||||
htmode = "HT40+";
|
||||
ssids = {
|
||||
"ZW public" = { net = "pub"; };
|
||||
"jam-circle.de" = { net = "priv4"; };
|
||||
|
@ -1154,7 +1150,7 @@
|
|||
};
|
||||
"platform/ahb/18100000.wmac" = {
|
||||
channel = 11;
|
||||
htmode = "HT20";
|
||||
htmode = "HT40-";
|
||||
ssids = {
|
||||
"ZW public" = { net = "pub"; };
|
||||
"jam-circle.de legacy" = { net = "priv4"; };
|
||||
|
@ -1411,7 +1407,7 @@
|
|||
wifi = {
|
||||
"platform/ahb/18100000.wmac" = {
|
||||
channel = 1;
|
||||
htmode = "HT20";
|
||||
htmode = "HT40+";
|
||||
ssids = {
|
||||
"ZW public" = { net = "pub"; };
|
||||
"verbalwerk.de" = { net = "priv5"; };
|
||||
|
@ -1490,7 +1486,7 @@
|
|||
};
|
||||
"platform/ahb/18100000.wmac" = {
|
||||
channel = 9;
|
||||
htmode = "HT20";
|
||||
htmode = "HT40+";
|
||||
ssids = {
|
||||
"ZW public" = { net = "pub"; };
|
||||
antrares = { net = "priv17"; };
|
||||
|
@ -1559,7 +1555,7 @@
|
|||
wifi = {
|
||||
"platform/qca953x_wmac" = {
|
||||
channel = 9;
|
||||
htmode = "HT20";
|
||||
htmode = "HT40+";
|
||||
ssids = {
|
||||
"Karen Koschnick" = { net = "priv11"; };
|
||||
"ZW public" = { net = "pub"; };
|
||||
|
@ -1585,13 +1581,13 @@
|
|||
ports = [ "wan" ];
|
||||
};
|
||||
};
|
||||
location = "Removed";
|
||||
location = "B1.05.02";
|
||||
model = "tplink_archer-c7-v5";
|
||||
role = "ap";
|
||||
wifi = {
|
||||
"pci0000:00/0000:00:00.0" = {
|
||||
channel = 128;
|
||||
htmode = "HT20";
|
||||
htmode = "HT40+";
|
||||
ssids = {
|
||||
Abyssinia = { net = "priv35"; };
|
||||
"ZW public" = { net = "pub"; };
|
||||
|
@ -1599,7 +1595,7 @@
|
|||
};
|
||||
"platform/ahb/18100000.wmac" = {
|
||||
channel = 1;
|
||||
htmode = "HT20";
|
||||
htmode = "HT40+";
|
||||
ssids = {
|
||||
Abyssinia = { net = "priv35"; };
|
||||
"ZW public" = { net = "pub"; };
|
||||
|
@ -1708,12 +1704,9 @@
|
|||
wifi = {
|
||||
"pci0000:00/0000:00:00.0" = {
|
||||
channel = 100;
|
||||
htmode = "HT40";
|
||||
htmode = "VHT80";
|
||||
ssids = {
|
||||
"Zentralwerk" = {
|
||||
net = "roof";
|
||||
disassocLowAck = false;
|
||||
};
|
||||
"Zentralwerk" = { net = "roof"; };
|
||||
"ZW public" = { net = "pub"; };
|
||||
};
|
||||
};
|
||||
|
@ -1806,7 +1799,7 @@
|
|||
};
|
||||
"platform/ahb/18100000.wmac" = {
|
||||
channel = 6;
|
||||
htmode = "HT20";
|
||||
htmode = "HT40-";
|
||||
ssids = {
|
||||
"ZW public" = { net = "pub"; };
|
||||
"Ebs 2000" = { net = "priv21"; };
|
||||
|
@ -1837,7 +1830,7 @@
|
|||
wifi = {
|
||||
"platform/qca953x_wmac" = {
|
||||
channel = 13;
|
||||
htmode = "HT20";
|
||||
htmode = "HT40-";
|
||||
ssids = { "ZW public" = { net = "pub"; }; };
|
||||
};
|
||||
};
|
||||
|
@ -1866,7 +1859,7 @@
|
|||
wifi = {
|
||||
"pci0000:00/0000:00:00.0" = {
|
||||
channel = 128;
|
||||
htmode = "HT20";
|
||||
htmode = "HT40+";
|
||||
ssids = {
|
||||
Abyssinia = { net = "priv35"; };
|
||||
"ZW public" = { net = "pub"; };
|
||||
|
@ -1874,7 +1867,7 @@
|
|||
};
|
||||
"platform/ahb/18100000.wmac" = {
|
||||
channel = 1;
|
||||
htmode = "HT20";
|
||||
htmode = "HT40+";
|
||||
ssids = {
|
||||
Abyssinia = { net = "priv35"; };
|
||||
"ZW public" = { net = "pub"; };
|
||||
|
@ -1902,7 +1895,7 @@
|
|||
wifi = {
|
||||
"pci0000:00/0000:00:00.0" = {
|
||||
channel = 36;
|
||||
htmode = "HT20";
|
||||
htmode = "HT40+";
|
||||
ssids = {
|
||||
tomiru = { net = "priv44"; };
|
||||
"ZW public" = { net = "pub"; };
|
||||
|
@ -1910,7 +1903,7 @@
|
|||
};
|
||||
"platform/ahb/18100000.wmac" = {
|
||||
channel = 1;
|
||||
htmode = "HT20";
|
||||
htmode = "HT40+";
|
||||
ssids = {
|
||||
tomiru = { net = "priv44"; };
|
||||
"ZW public" = { net = "pub"; };
|
||||
|
@ -1950,7 +1943,7 @@
|
|||
};
|
||||
"platform/ahb/18100000.wmac" = {
|
||||
channel = 9;
|
||||
htmode = "HT20";
|
||||
htmode = "HT40+";
|
||||
ssids = {
|
||||
"Wolke7 legacy" = { net = "priv45"; encryption = "wpa2"; };
|
||||
"ZW public" = { net = "pub"; };
|
||||
|
@ -1982,7 +1975,7 @@
|
|||
wifi = {
|
||||
"pci0000:00/0000:00:00.0" = {
|
||||
channel = 36;
|
||||
htmode = "HT20";
|
||||
htmode = "HT40+";
|
||||
ssids = {
|
||||
"ZW public" = { net = "pub"; };
|
||||
EckiTino = { net = "priv7"; };
|
||||
|
@ -1990,7 +1983,7 @@
|
|||
};
|
||||
"platform/ahb/18100000.wmac" = {
|
||||
channel = 9;
|
||||
htmode = "HT20";
|
||||
htmode = "HT40-";
|
||||
ssids = {
|
||||
"ZW public" = { net = "pub"; };
|
||||
"EckiTino legacy" = { net = "priv7"; };
|
||||
|
@ -1998,227 +1991,7 @@
|
|||
};
|
||||
};
|
||||
};
|
||||
ap64 = {
|
||||
interfaces = {
|
||||
mgmt = {
|
||||
gw4 = "mgmt-gw";
|
||||
gw6 = "mgmt-gw";
|
||||
type = "phys";
|
||||
};
|
||||
priv46.type = "bridge";
|
||||
pub.type = "bridge";
|
||||
};
|
||||
links = {
|
||||
priv46 = {
|
||||
ports = [ "lan:1" "lan:2" "lan:3" "lan:4" ];
|
||||
};
|
||||
switch-b3 = {
|
||||
ports = [ "wan" ];
|
||||
};
|
||||
};
|
||||
location = "replaced by ap73";
|
||||
model = "tplink_tl-wr1043nd-v2";
|
||||
role = "ap";
|
||||
wifi = {
|
||||
"platform/ahb/18100000.wmac" = {
|
||||
channel = 1;
|
||||
htmode = "HT20";
|
||||
ssids = {
|
||||
"ZW public" = { net = "pub"; };
|
||||
"Princess Castle" = { net = "priv46"; };
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
ap65 = {
|
||||
interfaces = {
|
||||
mgmt = {
|
||||
gw4 = "mgmt-gw";
|
||||
gw6 = "mgmt-gw";
|
||||
type = "phys";
|
||||
};
|
||||
priv12.type = "bridge";
|
||||
priv27.type = "bridge";
|
||||
pub.type = "bridge";
|
||||
};
|
||||
links = {
|
||||
switch-b3.ports = [ "lan" ];
|
||||
};
|
||||
location = "El Perro";
|
||||
model = "ubnt_unifi-6-lite";
|
||||
role = "ap";
|
||||
wifi = {
|
||||
"1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0" = {
|
||||
channel = 6;
|
||||
htmode = "HT20";
|
||||
ssids = {
|
||||
"ZW public".net = "pub";
|
||||
"farbwerk".net = "priv12";
|
||||
"Kaffeetasse".net = "priv27";
|
||||
};
|
||||
};
|
||||
"1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0" = {
|
||||
channel = 149;
|
||||
htmode = "VHT80";
|
||||
ssids = {
|
||||
"ZW public".net = "pub";
|
||||
"farbwerk".net = "priv12";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
ap66 = {
|
||||
interfaces = {
|
||||
priv48.type = "bridge";
|
||||
mgmt = {
|
||||
gw4 = "mgmt-gw";
|
||||
gw6 = "mgmt-gw";
|
||||
type = "phys";
|
||||
};
|
||||
pub.type = "bridge";
|
||||
};
|
||||
links = {
|
||||
priv48.ports = [ "lan:1" "lan:2" "lan:3" "lan:4" ];
|
||||
switch-b3.ports = [ "wan" ];
|
||||
};
|
||||
location = "B 4.03.01";
|
||||
model = "tplink_archer-c7-v5";
|
||||
role = "ap";
|
||||
wifi = {
|
||||
"pci0000:00/0000:00:00.0" = {
|
||||
channel = 36;
|
||||
htmode = "VHT80";
|
||||
ssids = {
|
||||
"Buschfunk4.03" = { net = "priv48"; };
|
||||
"ZW public" = { net = "pub"; };
|
||||
};
|
||||
};
|
||||
"platform/ahb/18100000.wmac" = {
|
||||
channel = 9;
|
||||
htmode = "HT20";
|
||||
ssids = {
|
||||
"Buschfunk4.03 legacy" = { net = "priv48"; };
|
||||
"ZW public" = { net = "pub"; };
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
ap67 = {
|
||||
interfaces = {
|
||||
mgmt = {
|
||||
gw4 = "mgmt-gw";
|
||||
gw6 = "mgmt-gw";
|
||||
type = "phys";
|
||||
};
|
||||
priv12.type = "bridge";
|
||||
pub.type = "bridge";
|
||||
};
|
||||
links = {
|
||||
priv12.ports = [
|
||||
"lan1" "lan2" "lan3"
|
||||
];
|
||||
switch-b3.ports = [ "wan" ];
|
||||
};
|
||||
location = "Farbwerk";
|
||||
model = "zyxel_wsm20";
|
||||
role = "ap";
|
||||
wifi = {
|
||||
"1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0" = {
|
||||
channel = 6;
|
||||
htmode = "HT20";
|
||||
ssids = {
|
||||
"ZW public" = { net = "pub"; };
|
||||
farbwerk = { net = "priv12"; };
|
||||
};
|
||||
};
|
||||
"1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1" = {
|
||||
channel = 149;
|
||||
htmode = "VHT80";
|
||||
ssids = {
|
||||
"ZW public" = { net = "pub"; };
|
||||
farbwerk = { net = "priv12"; };
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
ap68 = {
|
||||
interfaces = {
|
||||
mgmt = {
|
||||
gw4 = "mgmt-gw";
|
||||
gw6 = "mgmt-gw";
|
||||
type = "phys";
|
||||
};
|
||||
priv12.type = "bridge";
|
||||
pub.type = "bridge";
|
||||
};
|
||||
links = {
|
||||
priv12.ports = [
|
||||
"lan1" "lan2" "lan3"
|
||||
];
|
||||
switch-b3.ports = [ "wan" ];
|
||||
};
|
||||
location = "Farbwerk";
|
||||
model = "zyxel_wsm20";
|
||||
role = "ap";
|
||||
wifi = {
|
||||
"1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0" = {
|
||||
channel = 1;
|
||||
htmode = "HT20";
|
||||
ssids = {
|
||||
"ZW public" = { net = "pub"; };
|
||||
farbwerk = { net = "priv12"; };
|
||||
};
|
||||
};
|
||||
"1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1" = {
|
||||
channel = 36;
|
||||
htmode = "VHT80";
|
||||
ssids = {
|
||||
"ZW public" = { net = "pub"; };
|
||||
farbwerk = { net = "priv12"; };
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
ap69 = {
|
||||
interfaces = {
|
||||
mgmt = {
|
||||
gw4 = "mgmt-gw";
|
||||
gw6 = "mgmt-gw";
|
||||
type = "phys";
|
||||
};
|
||||
priv43.type = "bridge";
|
||||
pub.type = "bridge";
|
||||
};
|
||||
links = {
|
||||
priv43 = {
|
||||
ports = [ "lan" ];
|
||||
};
|
||||
switch-b3 = {
|
||||
ports = [ "wan" ];
|
||||
};
|
||||
};
|
||||
location = "B.01.B01";
|
||||
model = "tplink_archer-c7-v2";
|
||||
role = "ap";
|
||||
wifi = {
|
||||
"pci0000:00/0000:00:00.0" = {
|
||||
channel = 36;
|
||||
htmode = "HT40+";
|
||||
ssids = {
|
||||
"ZW public".net = "pub";
|
||||
"LIZA".net = "priv43";
|
||||
};
|
||||
};
|
||||
"platform/ahb/18100000.wmac" = {
|
||||
channel = 1;
|
||||
htmode = "HT20";
|
||||
ssids = {
|
||||
"ZW public".net = "pub";
|
||||
"LIZA".net = "priv43";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
ap64 = { };
|
||||
ap7 = {
|
||||
interfaces = {
|
||||
mgmt = {
|
||||
|
@ -2243,7 +2016,7 @@
|
|||
wifi = {
|
||||
"platform/qca953x_wmac" = {
|
||||
channel = 1;
|
||||
htmode = "HT20";
|
||||
htmode = "HT40+";
|
||||
ssids = {
|
||||
"ZW public" = { net = "pub"; };
|
||||
mino = { net = "priv40"; };
|
||||
|
@ -2251,137 +2024,6 @@
|
|||
};
|
||||
};
|
||||
};
|
||||
ap70 = {
|
||||
interfaces = {
|
||||
mgmt = {
|
||||
gw4 = "mgmt-gw";
|
||||
gw6 = "mgmt-gw";
|
||||
type = "phys";
|
||||
};
|
||||
priv22.type = "bridge";
|
||||
pub.type = "bridge";
|
||||
};
|
||||
links = {
|
||||
priv22.ports = [ "lan" ];
|
||||
ap40.ports = [ "wan" ];
|
||||
};
|
||||
location = "B4.01 behind ap40";
|
||||
model = "tplink_archer-c7-v2";
|
||||
role = "ap";
|
||||
wifi = {
|
||||
"pci0000:00/0000:00:00.0" = {
|
||||
channel = 149;
|
||||
htmode = "HT40+";
|
||||
ssids = {
|
||||
"ZW public".net = "pub";
|
||||
M.net = "priv22";
|
||||
};
|
||||
};
|
||||
"platform/ahb/18100000.wmac" = {
|
||||
channel = 9;
|
||||
htmode = "HT20";
|
||||
ssids = {
|
||||
"ZW public".net = "pub";
|
||||
"M legacy".net = "priv22";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
ap71 = {
|
||||
interfaces = {
|
||||
mgmt = {
|
||||
gw4 = "mgmt-gw";
|
||||
gw6 = "mgmt-gw";
|
||||
type = "phys";
|
||||
};
|
||||
priv22.type = "bridge";
|
||||
pub.type = "bridge";
|
||||
};
|
||||
links = {
|
||||
priv22.ports = [ "eth1" "eth2" ];
|
||||
ap40.ports = [ "eth0" ];
|
||||
};
|
||||
location = "B4.01 behind ap40";
|
||||
model = "ubnt_unifi-usg";
|
||||
role = "ap";
|
||||
# No WiFi, splits just VLANs
|
||||
};
|
||||
ap72 = {
|
||||
interfaces = {
|
||||
mgmt = {
|
||||
gw4 = "mgmt-gw";
|
||||
gw6 = "mgmt-gw";
|
||||
type = "phys";
|
||||
};
|
||||
priv12.type = "bridge";
|
||||
pub.type = "bridge";
|
||||
};
|
||||
links = {
|
||||
priv12.ports = [
|
||||
"lan1" "lan2" "lan3"
|
||||
];
|
||||
switch-b3.ports = [ "wan" ];
|
||||
};
|
||||
location = "B1.05.02 (Patchpanel B12)";
|
||||
model = "zyxel_wsm20";
|
||||
role = "ap";
|
||||
wifi = {
|
||||
"1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0" = {
|
||||
channel = 1;
|
||||
htmode = "HT20";
|
||||
ssids = {
|
||||
"ZW public" = { net = "pub"; };
|
||||
farbwerk = { net = "priv12"; };
|
||||
};
|
||||
};
|
||||
"1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1" = {
|
||||
channel = 36;
|
||||
htmode = "VHT80";
|
||||
ssids = {
|
||||
"ZW public" = { net = "pub"; };
|
||||
farbwerk = { net = "priv12"; };
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
ap73 = {
|
||||
interfaces = {
|
||||
mgmt = {
|
||||
gw4 = "mgmt-gw";
|
||||
gw6 = "mgmt-gw";
|
||||
type = "phys";
|
||||
};
|
||||
priv46.type = "bridge";
|
||||
pub.type = "bridge";
|
||||
};
|
||||
links = {
|
||||
priv46.ports = [
|
||||
"lan1" "lan2" "lan3"
|
||||
];
|
||||
switch-b3.ports = [ "wan" ];
|
||||
};
|
||||
location = "B4.07";
|
||||
model = "zyxel_wsm20";
|
||||
role = "ap";
|
||||
wifi = {
|
||||
"1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0" = {
|
||||
channel = 1;
|
||||
htmode = "HT20";
|
||||
ssids = {
|
||||
"ZW public" = { net = "pub"; };
|
||||
"Princess Castle" = { net = "priv46"; };
|
||||
};
|
||||
};
|
||||
"1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1" = {
|
||||
channel = 36;
|
||||
htmode = "VHT80";
|
||||
ssids = {
|
||||
"ZW public" = { net = "pub"; };
|
||||
"Princess Castle" = { net = "priv46"; };
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
ap8 = {
|
||||
interfaces = {
|
||||
c3d2.type = "bridge";
|
||||
|
@ -2395,10 +2037,7 @@
|
|||
};
|
||||
links = {
|
||||
c3d2 = {
|
||||
ports = [ "lan:3" "lan:4" ];
|
||||
};
|
||||
priv23 = {
|
||||
ports = [ "lan:2" ];
|
||||
ports = [ "lan:1" "lan:2" "lan:3" "lan:4" ];
|
||||
};
|
||||
switch-b3 = {
|
||||
ports = [ "wan" ];
|
||||
|
@ -2410,7 +2049,7 @@
|
|||
wifi = {
|
||||
"pci0000:00/0000:00:00.0" = {
|
||||
channel = 36;
|
||||
htmode = "HT20";
|
||||
htmode = "HT40+";
|
||||
ssids = {
|
||||
C3D2 = { net = "c3d2"; };
|
||||
"ZW public" = { net = "pub"; };
|
||||
|
@ -2418,7 +2057,7 @@
|
|||
};
|
||||
"platform/ar934x_wmac" = {
|
||||
channel = 13;
|
||||
htmode = "HT20";
|
||||
htmode = "HT40-";
|
||||
ssids = {
|
||||
"C3D2 legacy" = { net = "c3d2"; };
|
||||
"ZW public" = { net = "pub"; };
|
||||
|
@ -2451,7 +2090,7 @@
|
|||
wifi = {
|
||||
"platform/qca953x_wmac" = {
|
||||
channel = 1;
|
||||
htmode = "HT20";
|
||||
htmode = "HT40+";
|
||||
ssids = {
|
||||
Herzzbuehne = { net = "priv16"; };
|
||||
"ZW public" = { net = "pub"; };
|
||||
|
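Review bot: Several private-network SSIDs lose their `encryption = "wpa2";` attribute in this section — "iz-dresden.org" (priv15) in the hunk at -60,15, "Studio 01127"/Walter (priv41/priv26) at -259,15 and farbwerk (priv12) at -428,20 — while "Wolke7 legacy" (priv45) at -1950,7 keeps it. The rendering drops the +/- markers, so this takes the second line of each printed pair as the new side; if that holds, what these SSIDs fall back to depends on the wifi module's default for an unset `encryption`, which is not visible here, and an open default would expose the private VLANs behind them, so either keep `encryption = "wpa2";` on each of them or confirm the module default before merging. Since the two branches share no history this may be a stale fork rather than a deliberate change, which would also explain `ap64 = { };` replacing the full ap64–ap73 definitions at -1998,227 and -2251,137. Separately, `channel = 128;` combined with `htmode = "HT40+";` (at -633,7, -1146,7, -1585,13 and -1866,7) looks like an invalid 40 MHz pairing on 5 GHz, where 128 is the upper channel of the 124/128 pair, so `htmode = "HT40-";` is probably what is meant — worth checking against hostapd's accepted channel pairs.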
|
|
@ -18,4 +18,7 @@ in
|
|||
# IP networks
|
||||
++ lib.filesystem.listFilesRecursive ./net;
|
||||
|
||||
site.net-combined = concatMapAttrsRecursive (name: value: { inherit (value) hosts4 hosts6; }) config.site.net;
|
||||
|
||||
site.bgp.asn = 4242421127;
|
||||
}
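Review bot: `site.bgp.asn = 4242421127;` is introduced as a bare literal with no comment saying whose ASN it is or where it is registered; a one-liner such as `# our ASN; 4242420000–4242423999 is the dn42 private range` would spare the next reader a lookup. `site.net-combined` is likewise undocumented — a comment stating that it collapses every net's `hosts4`/`hosts6` into one attribute set (and naming the consumer, presumably the BGP configuration) would help. `concatMapAttrsRecursive` is used unqualified and is not a nixpkgs `lib` function as far as I know, so it is presumably bound in the `let` above; the enclosing module starts outside the hunk.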
|
||||
|
|
|
@ -1,78 +1,75 @@
|
|||
{ lib, ... }:
|
||||
{ config, lib, ... }:
|
||||
|
||||
{
|
||||
site.net.c3d2 = {
|
||||
dhcp = {
|
||||
server = "c3d2-gw3";
|
||||
start = "172.22.99.100";
|
||||
start = "172.22.99.60";
|
||||
end = "172.22.99.199";
|
||||
fixed-hosts = {
|
||||
"172.22.99.96" = "08:00:27:bb:8c:b3";
|
||||
"172.22.99.98" = "08:00:27:aa:90:e2";
|
||||
# "astrom" = "aa:00:5b:08:f0:5c";
|
||||
# "astron" = "aa:00:5b:08:f0:5b";
|
||||
# "batman" = "5c:cf:7f:c0:05:28";
|
||||
# "beere" = "b8:27:eb:ac:65:d2";
|
||||
# "beere2" = "b8:27:eb:53:0b:27";
|
||||
# "astrom.hq.c3d2.de" = "aa:00:5b:08:f0:5c";
|
||||
# "astron.hq.c3d2.de" = "aa:00:5b:08:f0:5b";
|
||||
# "batman.hq.c3d2.de" = "5c:cf:7f:c0:05:28";
|
||||
# "beere.hq.c3d2.de" = "b8:27:eb:ac:65:d2";
|
||||
# "beere2.hq.c3d2.de" = "b8:27:eb:53:0b:27";
|
||||
# "bender.hq.c3de.de" = "00:23:df:7e:c8:0a";
|
||||
# "cider" = "00:0d:93:75:ee:fa";
|
||||
"dacbert" = "dc:a6:32:e0:46:bf";
|
||||
"dn42" = "aa:00:42:7a:32:46";
|
||||
# "drucker" = "00:23:c3:d2:12:0f";
|
||||
# "feile" = "aa:00:5b:12:c1:f7";
|
||||
# "fernandopoo" = "aa:00:f7:52:85:27";
|
||||
# "fhem" = "b8:27:eb:9e:8b:db";
|
||||
# "git" = "aa:00:47:d8:57:10";
|
||||
"glotzbert" = "90:1b:0e:88:da:0a";
|
||||
# "wled-nix-snowflake" = "44:17:93:10:77:e8";
|
||||
# "wled-fairy-dust" = "3c:61:05:e3:2f:ad";
|
||||
# "wled-warnbert" = "3c:61:05:fc:21:37";
|
||||
# "wled-matrix" = "e8:db:84:e4:f4:30";
|
||||
# "ledball1" = "b8:27:eb:53:0b:27";
|
||||
# Beleuchtungskiste auf Traverse über Fernseher
|
||||
# "ledbeere" = "b8:27:eb:60:99:59";
|
||||
# "leviathan" = "00:ff:08:31:db:e5";
|
||||
# "lisbeth" = "b8:27:eb:a5:ee:5c";
|
||||
# "marenz-build" = "44:1e:a1:59:2e:e8";
|
||||
# "matemat" = "a2:1b:7c:e8:19:72";
|
||||
# "minecraft" = "4a:57:d3:64:fe:e9";
|
||||
# "moleflap" = "aa:00:0d:b1:6c:67";
|
||||
# "monit" = "00:23:ae:94:e7:19";
|
||||
"pipebert" = "ec:a8:6b:fe:b4:cb";
|
||||
# "public-access-proxy" = "12:24:5f:bd:9b:e7";
|
||||
"pulsebert" = "b8:27:eb:16:31:61";
|
||||
# "ruststripe1" = "06:32:0e:39:21:69";
|
||||
"schalter" = "b8:27:eb:ac:65:d2";
|
||||
# "semanta" = "00:ff:e4:bb:ea:2a";
|
||||
# "server2" = "d0:67:e5:f3:57:10";
|
||||
# "server3" = "e4:1f:13:2e:4f:c0";
|
||||
# "server4" = "00:9c:02:a9:26:01";
|
||||
# "sharing" = "00:23:c3:d2:75:18";
|
||||
# "sofafon" = "b8:27:eb:23:8d:01";
|
||||
# "storage2" = "42:5e:0f:4e:f3:cc";
|
||||
# "ustriper" = "aa:bb:95:33:bb:aa";
|
||||
# "wiefelspuetz" = "aa:00:7f:01:8a:d0";
|
||||
# "wormhole" = "00:23:c3:d2:00:76";
|
||||
# "www1" = "aa:00:13:8b:03:47";
|
||||
# "riscbert" = "6c:cf:39:00:05:95";
|
||||
# "cider.hq.c3d2.de" = "00:0d:93:75:ee:fa";
|
||||
"dacbert.hq.c3d2.de" = "dc:a6:32:e0:46:bf";
|
||||
"dn42.hq.c3d2.de" = "aa:00:42:7a:32:46";
|
||||
"drucker.hq.c3d2.de" = "00:23:c3:d2:12:0f";
|
||||
# "feile.hq.c3d2.de" = "aa:00:5b:12:c1:f7";
|
||||
# "fernandopoo.hq.c3d2.de" = "aa:00:f7:52:85:27";
|
||||
# "fhem.hq.c3d2.de" = "b8:27:eb:9e:8b:db";
|
||||
# "git.hq.c3d2.de" = "aa:00:47:d8:57:10";
|
||||
"glotzbert.hq.c3d2.de" = "ec:a8:6b:fe:b4:cb";
|
||||
# "icq.hq.c3d2.de" = "aa:00:30:f6:27:89";
|
||||
# "jabber1.hq.c3d2.de" = "aa:00:0b:19:8f:14";
|
||||
# "jabber2.hq.c3d2.de" = "aa:00:3d:6a:23:b8";
|
||||
# "knot.hq.c3d2.de" = "52:54:cf:fd:ce:3f";
|
||||
# "ledball1.hq.c3d2.de" = "b8:27:eb:53:0b:27";
|
||||
# "ledbeere.hq.c3d2.de" = "b8:27:eb:60:99:59";
|
||||
# "leviathan.hq.c3d2.de" = "00:ff:08:31:db:e5";
|
||||
# "lisbeth.hq.c3d2.de" = "b8:27:eb:a5:ee:5c";
|
||||
# "marenz-build.hq.c3d2.de" = "44:1e:a1:59:2e:e8";
|
||||
"matemat.hq.c3d2.de" = "a2:1b:7c:e8:19:72";
|
||||
# "minecraft.hq.c3d2.de" = "4a:57:d3:64:fe:e9";
|
||||
# "moleflap.hq.c3d2.de" = "aa:00:0d:b1:6c:67";
|
||||
# "monit.hq.c3d2.de" = "00:23:ae:94:e7:19";
|
||||
"public-access-proxy.hq.c3d2.de" = "12:24:5f:bd:9b:e7";
|
||||
"pulsebert.hq.c3d2.de" = "b8:27:eb:16:31:61";
|
||||
# "ruststripe1.hq.c3d2.de" = "06:32:0e:39:21:69";
|
||||
"schalter.hq.c3d2.de" = "b8:27:eb:4c:be:ff";
|
||||
# "semanta.hq.c3d2.de" = "00:ff:e4:bb:ea:2a";
|
||||
# "server2.hq.c3d2.de" = "d0:67:e5:f3:57:10";
|
||||
# "server3.hq.c3d2.de" = "e4:1f:13:2e:4f:c0";
|
||||
# "server4.hq.c3d2.de" = "00:9c:02:a9:26:01";
|
||||
# "sharing.hq.c3d2.de" = "00:23:c3:d2:75:18";
|
||||
# "sofafon.hq.c3d2.de" = "b8:27:eb:23:8d:01";
|
||||
# "storage2.hq.c3d2.de" = "42:5e:0f:4e:f3:cc";
|
||||
# "ustriper.hq.c3d2.de" = "aa:bb:95:33:bb:aa";
|
||||
# "wiefelspuetz.hq.c3d2.de" = "aa:00:7f:01:8a:d0";
|
||||
# "wormhole.hq.c3d2.de" = "00:23:c3:d2:00:76";
|
||||
# "www1.hq.c3d2.de" = "aa:00:13:8b:03:47";
|
||||
"riscbert.hq.c3d2.de" = "6c:cf:39:00:05:95";
|
||||
};
|
||||
time = 300;
|
||||
max-time = 30 * 24 * 3600;
|
||||
time = 86400;
|
||||
max-time = 2592000;
|
||||
router = "c3d2-gw3";
|
||||
};
|
||||
domainName = "c3d2.zentralwerk.org";
|
||||
dynamicDomain = true;
|
||||
subnet4 = "172.22.99.0/24";
|
||||
hosts4 = {
|
||||
bgp = "172.22.99.250";
|
||||
c3d2-anon = "172.22.99.1";
|
||||
c3d2-gw1 = "172.22.99.2";
|
||||
c3d2-gw2 = "172.22.99.3";
|
||||
c3d2-gw3 = "172.22.99.4";
|
||||
dacbert = "172.22.99.203";
|
||||
schalter = "172.22.99.204";
|
||||
glotzbert = "172.22.99.205";
|
||||
pulsebert = "172.22.99.208";
|
||||
pipebert = "172.22.99.209";
|
||||
bgp = "172.22.99.250";
|
||||
dn42 = "172.22.99.253";
|
||||
};
|
||||
ipv6Router = "c3d2-gw3";
|
||||
|
@ -89,8 +86,6 @@
|
|||
c3d2-gw1 = "2a00:8180:2c00:223::c3d2:2";
|
||||
c3d2-gw2 = "2a00:8180:2c00:223::c3d2:3";
|
||||
c3d2-gw3 = "2a00:8180:2c00:223::c3d2:4";
|
||||
glotzbert = "2a00:8180:2c00:223:e1ad:6c2b:af9f:2d13";
|
||||
pipebert = "2a00:8180:2c00:223:eea8:6bff:fefe:b4cb";
|
||||
};
|
||||
subnets6 = {
|
||||
dn42 = "fd23:42:c3d2:523::/64";
|
||||
|
@ -114,28 +109,34 @@
|
|||
c3d2.hwaddr = "0A:14:48:01:07:05";
|
||||
core.hwaddr = "0A:14:48:01:07:04";
|
||||
};
|
||||
ospf.allowedUpstreams = [ "anon1" "freifunk" ];
|
||||
bgp.allowedUpstreams = [ "anon1" "freifunk" ];
|
||||
};
|
||||
c3d2-gw1 = makeGateway {
|
||||
interfaces = {
|
||||
c3d2.hwaddr = "0A:14:48:01:21:01";
|
||||
core.hwaddr = "0A:14:48:01:21:00";
|
||||
};
|
||||
ospf.allowedUpstreams = [ "flpk-gw" "freifunk" "upstream4" "upstream3" "anon1" ];
|
||||
bgp.allowedUpstreams = [ "flpk-gw" "freifunk" "upstream4" "upstream3" "anon1" ];
|
||||
};
|
||||
c3d2-gw2 = makeGateway {
|
||||
interfaces = {
|
||||
c3d2.hwaddr = "0A:14:48:01:21:03";
|
||||
core.hwaddr = "0A:14:48:01:21:02";
|
||||
};
|
||||
ospf.allowedUpstreams = [ "upstream3" "upstream4" "anon1" "freifunk" ];
|
||||
bgp.allowedUpstreams = [ "upstream3" "upstream4" "anon1" "freifunk" ];
|
||||
};
|
||||
c3d2-gw3 = makeGateway {
|
||||
interfaces = {
|
||||
c3d2.hwaddr = "0A:14:48:01:21:05";
|
||||
core.hwaddr = "0A:14:48:01:21:04";
|
||||
};
|
||||
ospf.allowedUpstreams = [ "upstream4" "upstream3" "anon1" "freifunk" ];
|
||||
bgp = {
|
||||
peers.${config.site.net.core.hosts6.dn42.bgp} = {
|
||||
type = "rr_client";
|
||||
name = "rr";
|
||||
};
|
||||
allowedUpstreams = [ "upstream4" "upstream3" "anon1" "freifunk" ];
|
||||
};
|
||||
};
|
||||
};
|
||||
}
@ -1,47 +0,0 @@
|
|||
{
|
||||
site.net.c3d2iot = {
|
||||
dhcp = {
|
||||
start = "10.22.0.2";
|
||||
end = "10.22.255.253";
|
||||
router = "iot-gw";
|
||||
server = "iot-gw";
|
||||
# devices don't often change and a missing DNS record causes trouble
|
||||
time = 3600;
|
||||
max-time = 24 * 3600;
|
||||
};
|
||||
dynamicDomain = true;
|
||||
domainName = "c3d2iot.zentralwerk.org";
|
||||
hosts4 = {
|
||||
iot-gw = "10.22.0.1";
|
||||
};
|
||||
hosts6 = {
|
||||
dn42 = {
|
||||
iot-gw = "fd23:42:c3d2:587:ffff:ffff:ffff:ffff";
|
||||
};
|
||||
};
|
||||
subnet4 = "10.22.0.0/16";
|
||||
subnets6 = {
|
||||
dn42 = "fd23:42:c3d2:587::/64";
|
||||
up4 = "2a00:8180:2c00:287::/64";
|
||||
};
|
||||
};
|
||||
|
||||
site.hosts.iot-gw = {
|
||||
# TODO: needs to be done more granular, aka allow c3d2 and serv network
|
||||
# firewall.enable = true;
|
||||
interfaces = {
|
||||
core = {
|
||||
hwaddr = "0A:22:48:01:24:01";
|
||||
type = "veth";
|
||||
};
|
||||
c3d2iot = {
|
||||
hwaddr = "0A:22:48:01:24:00";
|
||||
type = "veth";
|
||||
};
|
||||
};
|
||||
ospf = {
|
||||
allowedUpstreams = [ "upstream4" "upstream3" "anon1" ];
|
||||
};
|
||||
role = "container";
|
||||
};
|
||||
}
@ -1,4 +1,4 @@
|
|||
{ lib, ... }:
|
||||
{ config, lib, ... }:
|
||||
let
|
||||
cephMonServers = [ "server5" "server6" "server8" ];
|
||||
in
|
||||
|
@ -7,15 +7,8 @@ in
|
|||
ipv6Router = "cls-gw";
|
||||
domainName = "cluster.zentralwerk.org";
|
||||
extraRecords = map (host: {
|
||||
data = {
|
||||
service = "ceph-mon";
|
||||
proto = "tcp";
|
||||
priority = 1;
|
||||
weight = 1;
|
||||
port = 6789;
|
||||
target = host;
|
||||
};
|
||||
name = "@";
|
||||
data = "1 1 6789 ${host}";
|
||||
name = "_ceph-mon._tcp";
|
||||
type = "SRV";
|
||||
}) cephMonServers
|
||||
++
|
||||
|
@ -144,7 +137,6 @@ in
|
|||
"mgmt"
|
||||
"serv"
|
||||
"c3d2"
|
||||
"c3d2iot"
|
||||
"pub"
|
||||
"priv23"
|
||||
"priv31"
|
||||
|
@ -166,7 +158,13 @@ in
|
|||
type = "veth";
|
||||
};
|
||||
};
|
||||
ospf.allowedUpstreams = [ "upstream4" "upstream3" "anon1" "freifunk" ];
|
||||
bgp = {
|
||||
peers.${config.site.net.core.hosts6.dn42.bgp} = {
|
||||
type = "rr_client";
|
||||
name = "rr";
|
||||
};
|
||||
allowedUpstreams = [ "upstream4" "upstream3" "anon1" "freifunk" ];
|
||||
};
|
||||
};
|
||||
server3 = makeServer;
|
||||
server5 = makeServer;
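Review bot: The explicit `peers.${config.site.net.core.hosts6.dn42.bgp} = { type = "rr_client"; name = "rr"; }` in the last hunk duplicates the block that the core network file in this compare generates for every member of `site.net.core.hosts6.dn42` other than `bgp` (cls-gw is in that set, and the third c3d2 gateway in the section above carries the same copy). Even if the module merges equal definitions without complaint, the second copy is redundant and will drift if the reflector address or name ever changes; mgmt-gw, the priv gateways and vpn-gw in this compare set only `bgp.allowedUpstreams = [ ... ]` and rely on the generated peer. Suggest the same here: `bgp.allowedUpstreams = [ "upstream4" "upstream3" "anon1" "freifunk" ];`. The host being configured (presumably cls-gw) starts outside this hunk.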
@ -1,38 +0,0 @@
|
|||
{
|
||||
site.net.coloradio = {
|
||||
domainName = "coloradio.zentralwerk.org";
|
||||
subnet4 = "192.168.9.0/24";
|
||||
hosts4 = {
|
||||
coloradio-gw = "192.168.9.1";
|
||||
coloradio-in = "192.168.9.2";
|
||||
};
|
||||
|
||||
ipv6Router = "coloradio-gw";
|
||||
subnets6.dn42 = "fd23:42:c3d2:590::/64";
|
||||
hosts6.dn42 = {
|
||||
coloradio-gw = "fd23:42:c3d2:590::1";
|
||||
};
|
||||
};
|
||||
|
||||
site.hosts = {
|
||||
coloradio-gw = {
|
||||
role = "container";
|
||||
interfaces = {
|
||||
core = {
|
||||
type = "veth";
|
||||
hwaddr = "0A:14:48:01:06:08";
|
||||
gw4 = null;
|
||||
gw6 = null;
|
||||
};
|
||||
coloradio = {
|
||||
type = "veth";
|
||||
hwaddr = "0A:14:48:01:06:09";
|
||||
gw4 = null;
|
||||
gw6 = null;
|
||||
};
|
||||
};
|
||||
ospf.allowedUpstreams =
|
||||
[ "upstream4" "upstream3" "freifunk" ];
|
||||
};
|
||||
};
|
||||
}
@ -1,3 +1,5 @@
|
|||
{ config, lib, ... }:
|
||||
|
||||
{
|
||||
site.net.core = {
|
||||
domainName = "core.zentralwerk.org";
|
||||
|
@ -52,10 +54,6 @@
|
|||
priv43-gw = "172.20.72.68";
|
||||
priv44-gw = "172.20.72.70";
|
||||
priv45-gw = "172.20.72.72";
|
||||
priv46-gw = "172.20.72.73";
|
||||
priv47-gw = "172.20.72.74";
|
||||
priv48-gw = "172.20.72.75";
|
||||
priv49-gw = "172.20.72.76";
|
||||
priv5-gw = "172.20.72.15";
|
||||
priv6-gw = "172.20.72.16";
|
||||
priv7-gw = "172.20.72.17";
|
||||
|
@ -71,10 +69,9 @@
|
|||
server8 = "172.20.72.58";
|
||||
upstream3 = "172.20.72.11";
|
||||
upstream4 = "172.20.72.12";
|
||||
coloradio-gw = "172.20.72.62";
|
||||
# unused = "172.20.72.62";
|
||||
vpn-gw = "172.20.72.69";
|
||||
flpk-gw = "172.20.72.71";
|
||||
iot-gw = "172.20.72.77";
|
||||
};
|
||||
hosts6 = {
|
||||
dn42 = {
|
||||
|
@ -84,10 +81,8 @@
|
|||
c3d2-gw1 = "fd23:42:c3d2:581::c3d2:1";
|
||||
c3d2-gw2 = "fd23:42:c3d2:581::c3d2:2";
|
||||
c3d2-gw3 = "fd23:42:c3d2:581::c3d2:3";
|
||||
cls-gw = "fd23:42:c3d2:581::c3d2:4";
|
||||
freifunk = "fd23:42:c3d2:581:8000::1";
|
||||
mgmt-gw = "fd23:42:c3d2:581::8:3";
|
||||
iot-gw = "fd23:42:c3d2:581::8:7";
|
||||
priv1-gw = "fd23:42:c3d2:581::c:0";
|
||||
priv10-gw = "fd23:42:c3d2:581::c:9";
|
||||
priv11-gw = "fd23:42:c3d2:581::c:a";
|
||||
|
@ -128,10 +123,6 @@
|
|||
priv43-gw = "fd23:42:c3d2:581::c:2a";
|
||||
priv44-gw = "fd23:42:c3d2:581::c:2b";
|
||||
priv45-gw = "fd23:42:c3d2:581::c:2c";
|
||||
priv46-gw = "fd23:42:c3d2:581::c:2d";
|
||||
priv47-gw = "fd23:42:c3d2:581::c:2e";
|
||||
priv48-gw = "fd23:42:c3d2:581::c:2f";
|
||||
priv49-gw = "fd23:42:c3d2:581::c:30";
|
||||
priv5-gw = "fd23:42:c3d2:581::c:4";
|
||||
priv6-gw = "fd23:42:c3d2:581::c:5";
|
||||
priv7-gw = "fd23:42:c3d2:581::c:6";
|
||||
|
@ -142,7 +133,7 @@
|
|||
upstream3 = "fd23:42:c3d2:581::b:2";
|
||||
upstream4 = "fd23:42:c3d2:581::b:3";
|
||||
vpn-gw = "fd23:42:c3d2:581:9001::1";
|
||||
coloradio-gw = "fd23:42:c3d2:581:9009::1";
|
||||
flpk-gw = "fd23:42:c3d2:581:9002::1";
|
||||
};
|
||||
up4 = {
|
||||
anon1 = "2a00:8180:2c00:281::9:1";
|
||||
|
@ -154,7 +145,6 @@
|
|||
cls-gw = "2a00:8180:2c00:281::8:4";
|
||||
freifunk = "2a00:8180:2c00:281:8000::1";
|
||||
mgmt-gw = "2a00:8180:2c00:281::8:3";
|
||||
iot-gw = "2a00:8180:2c00:281::8:7";
|
||||
priv1-gw = "2a00:8180:2c00:281::c:0";
|
||||
priv10-gw = "2a00:8180:2c00:281::c:9";
|
||||
priv11-gw = "2a00:8180:2c00:281::c:a";
|
||||
|
@ -195,10 +185,6 @@
|
|||
priv43-gw = "2a00:8180:2c00:281::c:2a";
|
||||
priv44-gw = "2a00:8180:2c00:281::c:2b";
|
||||
priv45-gw = "2a00:8180:2c00:281::c:2c";
|
||||
priv46-gw = "2a00:8180:2c00:281::c:2d";
|
||||
priv47-gw = "2a00:8180:2c00:281::c:2e";
|
||||
priv48-gw = "2a00:8180:2c00:281::c:2f";
|
||||
priv49-gw = "2a00:8180:2c00:281::c:30";
|
||||
priv5-gw = "2a00:8180:2c00:281::c:4";
|
||||
priv6-gw = "2a00:8180:2c00:281::c:5";
|
||||
priv7-gw = "2a00:8180:2c00:281::c:6";
|
||||
|
@ -207,7 +193,6 @@
|
|||
serv-gw = "2a00:8180:2c00:281::8:1";
|
||||
upstream4 = "2a00:8180:2c00:281::b:1";
|
||||
vpn-gw = "2a00:8180:2c00:281:9001::1";
|
||||
coloradio-gw = "2a00:8180:2c00:281:9009::1";
|
||||
};
|
||||
};
|
||||
subnet4 = "172.20.72.0/25";
|
||||
|
@ -217,15 +202,33 @@
|
|||
};
|
||||
};
|
||||
|
||||
site.hosts = {
|
||||
site.hosts = lib.mkMerge ([ {
|
||||
bgp = {
|
||||
bgp = {
|
||||
asn = 4242421127;
|
||||
peers = {
|
||||
"172.22.99.253" = { asn = 64699; };
|
||||
"fe80::a800:42ff:fe7a:3246%c3d2" = { asn = 64699; };
|
||||
"172.22.99.253" = {
|
||||
asn = 64699;
|
||||
type = "external";
|
||||
name = "dn42_4";
|
||||
};
|
||||
"fe80::a800:42ff:fe7a:3246%c3d2" = {
|
||||
asn = 64699;
|
||||
type = "external";
|
||||
name = "dn42_6";
|
||||
};
|
||||
# ${config.site.net.core.subnet4} = {};
|
||||
${config.site.net.core.subnets6.dn42} = {
|
||||
type = "rr_server";
|
||||
name = "rr";
|
||||
};
|
||||
};
|
||||
# allowedUpstreams =
|
||||
# [ "upstream4" "upstream3" "anon1" "freifunk" ];
|
||||
nets4 = [ "172.20.0.0/14" "10.0.0.0/8" ];
|
||||
nets6 =
|
||||
[ "fd00::/8" "2a00:8180:2c00:200::/56" ];
|
||||
};
|
||||
role = "container";
|
||||
interfaces = {
|
||||
c3d2 = {
|
||||
hwaddr = "0A:14:48:01:22:01";
|
||||
|
@ -236,14 +239,21 @@
|
|||
type = "veth";
|
||||
};
|
||||
};
|
||||
ospf = {
|
||||
allowedUpstreams =
|
||||
[ "upstream4" "upstream3" "anon1" "freifunk" ];
|
||||
stubNets4 = [ "172.20.0.0/14" "10.0.0.0/8" ];
|
||||
stubNets6 =
|
||||
[ "fd00::/8" "2a00:8180:2c00:200::/56" ];
|
||||
};
|
||||
role = "container";
|
||||
} ] ++ builtins.concatMap (hostName:
|
||||
if hostName != "bgp"
|
||||
# everyone in core peers with router "bgp"
|
||||
then [ {
|
||||
${hostName}.bgp = {
|
||||
# peers.${config.site.net.core.hosts4.bgp} = {};
|
||||
peers.${config.site.net.core.hosts6.dn42.bgp} = {
|
||||
type = "rr_client";
|
||||
name = "rr";
|
||||
};
|
||||
};
|
||||
# TODO: upstreams
|
||||
} ]
|
||||
# except "bgp" itself :)
|
||||
else []
|
||||
) (builtins.attrNames config.site.net.core.hosts6.dn42));
|
||||
}
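Review bot: `nets4 = [ "172.20.0.0/14" "10.0.0.0/8" ]` and `nets6 = [ "fd00::/8" "2a00:8180:2c00:200::/56" ]` on the `bgp` router cover the whole of RFC 1918 10/8 and the whole ULA range fd00::/8, not the site's own allocations (every dn42 subnet visible in this compare is a fd23:42:c3d2:5xx::/64). If these are what the router originates toward the two `type = "external"` peers (asn 64699), that is a route leak waiting to happen; under the removed `ospf` block the same values were `stubNets4`/`stubNets6` and never left the site. I cannot see the BGP module's export policy, so if `nets4`/`nets6` only act as an import filter this is moot; otherwise narrow them to the prefixes actually assigned (e.g. `nets6 = [ "<site-dn42-prefix>" "2a00:8180:2c00:200::/56" ]`) or give the external peers an explicit export filter. Separately, the generated `rr_client` entries carry `# TODO: upstreams` and no `allowedUpstreams`, so any host that relies only on the generated block loses the upstream restriction it had under OSPF — worth resolving before merge.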
@ -1,3 +1,5 @@
|
|||
{ config, ... }:
|
||||
|
||||
{
|
||||
site.net.flpk = {
|
||||
domainName = "flpk.zentralwerk.org";
|
||||
|
@ -7,31 +9,23 @@
|
|||
subnets6.flpk = "2a0f:5382:acab:1400::/64";
|
||||
hosts4 = {
|
||||
flpk-gw = "45.158.40.160";
|
||||
notice-me-senpai = "45.158.40.162"; # tlms monitoring
|
||||
leon = "45.158.40.162";
|
||||
sshlog = "45.158.40.163";
|
||||
caveman = "45.158.40.164";
|
||||
# tlms-37c3-ctf vm on server9
|
||||
ctf = "45.158.40.165";
|
||||
leoncloud = "45.158.40.165";
|
||||
mastodon = "45.158.40.166";
|
||||
c3d2-web = "45.158.40.167";
|
||||
mail = "45.158.40.168";
|
||||
dresden-zone-dns = "45.158.40.169";
|
||||
# server7 = "45.158.40.170"; # unused
|
||||
rtrlab = "45.158.40.171"; # temporary
|
||||
mailtngbert = "45.158.40.168";
|
||||
};
|
||||
hosts6.flpk = {
|
||||
flpk-gw = "2a0f:5382:acab:1400::c3d2";
|
||||
notice-me-senpai = "2a0f:5382:acab:1400:2de:5bff:fef9:e23e"; # tlms-monitoring
|
||||
leon = "2a0f:5382:acab:1400::1e0";
|
||||
sshlog = "2a0f:5382:acab:1400::22";
|
||||
caveman = "2a0f:5382:acab:1400::a4";
|
||||
# tlms-37c3-ctf vm on server9
|
||||
ctf = "2a0f:5382:acab:1400::a5";
|
||||
leoncloud = "2a0f:5382:acab:1400::a5";
|
||||
mastodon = "2a0f:5382:acab:1400::a6";
|
||||
c3d2-web = "2a0f:5382:acab:1400::a7";
|
||||
# mail = "2a0f:5382:acab:1400::a8"; # we don't have an PTR for IPv6 and it gets way more often marked as spam
|
||||
dresden-zone-dns = "2a0f:5382:acab:1400::a9";
|
||||
# server7 = "2a0f:5382:acab:1400::aa";
|
||||
rtrlab = "2a0f:5382:acab:1400::ab";
|
||||
mailtngbert = "2a0f:5382:acab:1400::a8";
|
||||
};
|
||||
};
|
||||
|
||||
|
@ -56,9 +50,13 @@
|
|||
};
|
||||
};
|
||||
};
|
||||
ospf = {
|
||||
bgp = {
|
||||
allowedUpstreams = [ "upstream4" "upstream3" "freifunk" ];
|
||||
upstreamInstance = 2;
|
||||
upstreamTable = "vpn_table";
|
||||
peers.${config.site.net.core.subnets6.dn42} = {
|
||||
type = "upstream";
|
||||
name = "up";
|
||||
};
|
||||
};
|
||||
role = "container";
|
||||
};
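Review bot: The `peers.${config.site.net.core.subnets6.dn42} = { type = "upstream"; name = "up"; }` entry in the last hunk has no `asn`, whereas the equivalent upstream peers on upstream3, upstream4 and anon1 in this compare each set `asn = config.site.hosts.<host>.bgp.asn`. Unless the module defaults a peer's ASN, this session is configured differently from its siblings; following the visible pattern, `asn = config.site.hosts.flpk-gw.bgp.asn;` would make it consistent (presumably flpk-gw is the host defined here — its header is outside the hunk). The removed `ospf` block's `upstreamInstance = 2` and `upstreamTable = "vpn_table"` have no counterpart in the new `bgp` block; if the separate routing table still matters for this gateway, that behaviour is lost.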
@ -63,16 +63,7 @@
|
|||
ap62 = "10.0.0.102";
|
||||
ap63 = "10.0.0.103";
|
||||
ap64 = "10.0.0.104";
|
||||
ap65 = "10.0.0.105";
|
||||
ap66 = "10.0.0.106";
|
||||
ap67 = "10.0.0.107";
|
||||
ap68 = "10.0.0.108";
|
||||
ap69 = "10.0.0.109";
|
||||
ap7 = "10.0.0.47";
|
||||
ap70 = "10.0.0.110";
|
||||
ap71 = "10.0.0.111";
|
||||
ap72 = "10.0.0.112";
|
||||
ap73 = "10.0.0.113";
|
||||
ap8 = "10.0.0.48";
|
||||
ap9 = "10.0.0.49";
|
||||
logging = "10.0.0.251";
|
||||
|
@ -107,7 +98,6 @@
|
|||
switch-b3 = "10.0.0.18";
|
||||
switch-ds1 = "10.0.0.20";
|
||||
switch-ds2 = "10.0.0.21";
|
||||
switch-ds3 = "10.0.0.22";
|
||||
};
|
||||
hosts6 = {
|
||||
dn42 = {
|
||||
|
@ -172,16 +162,7 @@
|
|||
ap62 = "fd23:42:c3d2:580::4:3e";
|
||||
ap63 = "fd23:42:c3d2:580::4:3f";
|
||||
ap64 = "fd23:42:c3d2:580::4:40";
|
||||
ap65 = "fd23:42:c3d2:580::4:41";
|
||||
ap66 = "fd23:42:c3d2:580::4:42";
|
||||
ap67 = "fd23:42:c3d2:580::4:43";
|
||||
ap68 = "fd23:42:c3d2:580::4:44";
|
||||
ap69 = "fd23:42:c3d2:580::4:45";
|
||||
ap7 = "fd23:42:c3d2:580::4:7";
|
||||
ap70 = "fd23:42:c3d2:580::4:46";
|
||||
ap71 = "fd23:42:c3d2:580::4:47";
|
||||
ap72 = "fd23:42:c3d2:580::4:48";
|
||||
ap73 = "fd23:42:c3d2:580::4:49";
|
||||
ap8 = "fd23:42:c3d2:580::4:8";
|
||||
ap9 = "fd23:42:c3d2:580::4:9";
|
||||
mgmt-gw = "fd23:42:c3d2:580:ffff:ffff:ffff:ffff";
|
||||
|
@ -211,10 +192,7 @@
|
|||
type = "veth";
|
||||
};
|
||||
};
|
||||
ospf = {
|
||||
allowedUpstreams =
|
||||
[ "upstream4" "upstream3" "anon1" "freifunk" ];
|
||||
};
|
||||
bgp.allowedUpstreams = [ "upstream4" "upstream3" "anon1" "freifunk" ];
|
||||
role = "container";
|
||||
};
|
||||
}
@ -1,6 +1,6 @@
|
|||
{ lib, ... }:
|
||||
let
|
||||
privCount = 49;
|
||||
privCount = 45;
|
||||
seq = n: max:
|
||||
if n <= max
|
||||
then [ n ] ++ seq (n + 1) max
|
||||
|
@ -16,8 +16,8 @@ lib.mkMerge (
|
|||
site.net."priv${toString n}" = {
|
||||
dhcp = {
|
||||
server = "priv${toString n}-gw";
|
||||
time = 300;
|
||||
max-time = 60 * 24 * 3600;
|
||||
time = 120;
|
||||
max-time = 86400;
|
||||
router = "priv${toString n}-gw";
|
||||
};
|
||||
domainName = "priv${toString n}.zentralwerk.org";
|
||||
|
@ -38,7 +38,7 @@ lib.mkMerge (
|
|||
core.type = "veth";
|
||||
"priv${toString n}".type = "veth";
|
||||
};
|
||||
ospf.allowedUpstreams = [ "upstream4" "upstream3" "anon1" "freifunk" ];
|
||||
bgp.allowedUpstreams = [ "upstream4" "upstream3" "anon1" "freifunk" ];
|
||||
};
|
||||
}
|
||||
) (seq 1 privCount)
|
||||
|
@ -58,12 +58,10 @@ lib.mkMerge (
|
|||
subnet4 = "172.20.75.0/27";
|
||||
dhcp = {
|
||||
start = "172.20.75.2";
|
||||
end = "172.20.75.30";
|
||||
end = "172.20.75.31";
|
||||
fixed-hosts = {
|
||||
"172.20.75.2" = "ac:1f:6b:dc:93:8e";
|
||||
"172.20.75.3" = "ac:1f:6b:dc:95:de";
|
||||
"172.20.75.9" = "ac:1f:6b:dc:95:df";
|
||||
"172.20.75.7" = "60:33:4b:0b:cd:fc";
|
||||
"172.20.75.9" = "00:11:32:22:95:79";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
@ -204,6 +202,7 @@ lib.mkMerge (
|
|||
dhcp = {
|
||||
start = "172.20.73.194";
|
||||
end = "172.20.73.254";
|
||||
max-time = lib.mkForce 2592000;
|
||||
};
|
||||
};
|
||||
priv20 = {
|
||||
|
@ -238,10 +237,9 @@ lib.mkMerge (
|
|||
end = "172.20.73.190";
|
||||
fixed-hosts = {
|
||||
"172.20.73.162" = "da:2c:3a:2c:87:22";
|
||||
"172.20.73.163" = "b8:27:eb:16:31:61";
|
||||
"172.20.73.164" = "ca:71:c4:90:3e:c7";
|
||||
"172.20.73.163" = "ca:9f:27:b2:bf:6d";
|
||||
"172.20.73.164" = "60:01:94:6f:81:a6";
|
||||
};
|
||||
time = lib.mkForce 900;
|
||||
};
|
||||
};
|
||||
priv24 = {
|
||||
|
@ -424,38 +422,6 @@ lib.mkMerge (
|
|||
end = "172.20.77.174";
|
||||
};
|
||||
};
|
||||
priv46 = {
|
||||
hosts4 = { priv46-gw = "172.20.77.225"; };
|
||||
subnet4 = "172.20.77.224/28";
|
||||
dhcp = {
|
||||
start = "172.20.77.226";
|
||||
end = "172.20.77.238";
|
||||
};
|
||||
};
|
||||
priv47 = {
|
||||
hosts4 = { priv47-gw = "172.20.76.161"; };
|
||||
subnet4 = "172.20.76.160/28";
|
||||
dhcp = {
|
||||
start = "172.20.76.162";
|
||||
end = "172.20.76.174";
|
||||
};
|
||||
};
|
||||
priv48 = {
|
||||
hosts4 = { priv48-gw = "172.20.77.33"; };
|
||||
subnet4 = "172.20.77.32/28";
|
||||
dhcp = {
|
||||
start = "172.20.77.34";
|
||||
end = "172.20.77.46";
|
||||
};
|
||||
};
|
||||
priv49 = {
|
||||
hosts4 = { priv49-gw = "172.20.76.49"; };
|
||||
subnet4 = "172.20.76.48/28";
|
||||
dhcp = {
|
||||
start = "172.20.76.50";
|
||||
end = "172.20.76.62";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
site.hosts = {
|
||||
|
@ -574,7 +540,7 @@ lib.mkMerge (
|
|||
hwaddr = "0A:14:47:02:2A:19";
|
||||
};
|
||||
};
|
||||
ospf.allowedUpstreams = [ "upstream3" "upstream4" "anon1" "freifunk" ];
|
||||
bgp.allowedUpstreams = [ "upstream3" "upstream4" "anon1" "freifunk" ];
|
||||
};
|
||||
priv18-gw = {
|
||||
interfaces = {
|
||||
|
@ -744,30 +710,6 @@ lib.mkMerge (
|
|||
priv45.hwaddr = "0A:14:48:01:2A:57";
|
||||
};
|
||||
};
|
||||
priv46-gw = {
|
||||
interfaces = {
|
||||
core.hwaddr = "0A:14:48:01:2A:58";
|
||||
priv46.hwaddr = "0A:14:48:01:2A:59";
|
||||
};
|
||||
};
|
||||
priv47-gw = {
|
||||
interfaces = {
|
||||
core.hwaddr = "0A:14:48:01:2A:5A";
|
||||
priv47.hwaddr = "0A:14:48:01:2A:5B";
|
||||
};
|
||||
};
|
||||
priv48-gw = {
|
||||
interfaces = {
|
||||
core.hwaddr = "0A:14:48:01:2A:5C";
|
||||
priv48.hwaddr = "0A:14:48:01:2A:5D";
|
||||
};
|
||||
};
|
||||
priv49-gw = {
|
||||
interfaces = {
|
||||
core.hwaddr = "0A:14:48:01:2A:5E";
|
||||
priv49.hwaddr = "0A:14:48:01:2A:5F";
|
||||
};
|
||||
};
|
||||
};
|
||||
} ]
|
||||
)
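Review bot: `end = "172.20.75.31"` in the `-58,12 +58,10` hunk is the broadcast address of the enclosing `subnet4 = "172.20.75.0/27"` (usable hosts are .1–.30), so the DHCP pool would hand out an unusable address; the other side's `end = "172.20.75.30"` is the correct value and should survive whichever branch is merged. In the same hunk `"172.20.75.9"` is mapped to two different MACs (`ac:1f:6b:dc:95:df` and `00:11:32:22:95:79`); if both lines land on one side the attribute set has a duplicate key and Nix rejects it, so check the merge result. `privCount = 45` is consistent with priv46–priv49 being dropped further down, but only if the corresponding gateway entries elsewhere go with them.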
@ -3,10 +3,10 @@
|
|||
dhcp = {
|
||||
start = "172.20.78.2";
|
||||
end = "172.20.79.253";
|
||||
max-time = 3600;
|
||||
router = "pub-gw";
|
||||
server = "pub-gw";
|
||||
time = 120;
|
||||
max-time = 12 * 3600;
|
||||
time = 300;
|
||||
};
|
||||
domainName = "pub.zentralwerk.org";
|
||||
dynamicDomain = true;
|
||||
|
@ -39,7 +39,7 @@
|
|||
type = "veth";
|
||||
};
|
||||
};
|
||||
ospf = {
|
||||
bgp = {
|
||||
allowedUpstreams = [ "anon1" "freifunk" ];
|
||||
allowedUpstreams6 = [ "flpk-gw" "anon1" "freifunk" ];
|
||||
};
@ -7,28 +7,51 @@
|
|||
serv-gw = "172.20.73.1";
|
||||
dns = "172.20.73.2";
|
||||
stats = "172.20.73.3";
|
||||
dresden-zone = "172.20.73.4";
|
||||
tlms-elastic = "172.20.73.7"; # tlms
|
||||
radius = "172.20.73.4";
|
||||
zeit = "172.20.73.5";
|
||||
minecraft = "172.20.73.6";
|
||||
used1 = "172.20.73.7";
|
||||
dnscache = "172.20.73.8";
|
||||
tlms-ctfd = "172.20.73.9"; # tlms
|
||||
used2 = "172.20.73.9";
|
||||
used3 = "172.20.73.10";
|
||||
used4 = "172.20.73.11";
|
||||
used5 = "172.20.73.12";
|
||||
logging = "172.20.73.13";
|
||||
used6 = "172.20.73.14";
|
||||
buzzrelay = "172.20.73.15";
|
||||
deployer = "172.20.73.16";
|
||||
used7 = "172.20.73.17";
|
||||
used8 = "172.20.73.18";
|
||||
used9 = "172.20.73.19";
|
||||
ipa = "172.20.73.20";
|
||||
matemat = "172.20.73.21";
|
||||
used10 = "172.20.73.22";
|
||||
used11 = "172.20.73.23";
|
||||
used12 = "172.20.73.24";
|
||||
spaceapi = "172.20.73.25";
|
||||
used13 = "172.20.73.26";
|
||||
mucbot = "172.20.73.27";
|
||||
used14 = "172.20.73.28";
|
||||
used15 = "172.20.73.29";
|
||||
used16 = "172.20.73.30";
|
||||
used17 = "172.20.73.31";
|
||||
scrape = "172.20.73.32";
|
||||
pretalx = "172.20.73.33";
|
||||
vaultwarden = "172.20.73.34";
|
||||
uranus = "172.20.73.37"; # tlms
|
||||
tram-borzoi = "172.20.73.38"; # tlms
|
||||
borken-data-hoarder = "172.20.73.39"; # tlms
|
||||
matrix = "172.20.73.40";
|
||||
activity-relay = "172.20.73.41";
|
||||
used19 = "172.20.73.33";
|
||||
used20 = "172.20.73.34";
|
||||
used21 = "172.20.73.35";
|
||||
used22 = "172.20.73.36";
|
||||
used23 = "172.20.73.37";
|
||||
used24 = "172.20.73.38";
|
||||
used25 = "172.20.73.39";
|
||||
used26 = "172.20.73.40";
|
||||
direkthilfe = "172.20.73.41";
|
||||
luulaatsch-asterisk = "172.20.73.42";
|
||||
grafana = "172.20.73.43";
|
||||
tmppleroma = "172.20.73.44";
|
||||
public-access-proxy = "172.20.73.45";
|
||||
marenz = "172.20.73.46";
|
||||
network-homepage = "172.20.73.47";
|
||||
home-assistant = "172.20.73.48";
|
||||
minetest = "172.20.73.48";
|
||||
hydra = "172.20.73.49";
|
||||
owncast = "172.20.73.50";
|
||||
nfsroot = "172.20.73.51";
|
||||
|
@ -38,38 +61,42 @@
|
|||
jabber = "172.20.73.55";
|
||||
mobilizon = "172.20.73.56";
|
||||
radiobert = "172.20.73.57";
|
||||
# mail = "172.20.73.58";
|
||||
mail = "172.20.73.58";
|
||||
keycloak = "172.20.73.59";
|
||||
sdrweb = "172.20.73.60";
|
||||
knot = "172.20.73.61";
|
||||
bind = "172.20.73.61";
|
||||
blogs = "172.20.73.62";
|
||||
staging-data-hoarder = "172.20.73.64"; # tlms
|
||||
nix-build = "172.20.73.63";
|
||||
staging-data-hoarder = "172.20.73.64";
|
||||
oparl = "172.20.73.65";
|
||||
hedgedoc = "172.20.73.66";
|
||||
mediawiki = "172.20.73.67";
|
||||
gnunet = "172.20.73.68";
|
||||
data-hoarder = "172.20.73.69"; # tlms
|
||||
data-hoarder = "172.20.73.69";
|
||||
broker = "172.20.73.70";
|
||||
ftp = "172.20.73.71";
|
||||
auth = "172.20.73.72";
|
||||
doubleblind-science = "172.20.73.73";
|
||||
factorio = "172.20.73.73";
|
||||
zengel = "172.20.73.74";
|
||||
prometheus = "172.20.73.75";
|
||||
drone = "172.20.73.77";
|
||||
# FILL IN THE HOLES BEFORE APPENDING!
|
||||
oxigraph = "172.20.73.76";
|
||||
};
|
||||
ipv6Router = "serv-gw";
|
||||
subnets6.dn42 = "fd23:42:c3d2:582::/64";
|
||||
subnets6.up4 = "2a00:8180:2c00:282::/64";
|
||||
hosts6.dn42 = {
|
||||
knot = "fd23:42:c3d2:582:cd7:56ff:fe69:6366";
|
||||
blogs = "fd23:42:c3d2:582:b8a8:7dff:fee8:5ac2";
|
||||
bind = "fd23:42:c3d2:582:cd7:56ff:fe69:6366";
|
||||
blogs = "fd42:42:c3d2:582:b8a8:7dff:fee8:5ac2";
|
||||
dns = "fd23:42:c3d2:582:2:0:0:2";
|
||||
dnscache = "fd23:42:c3d2:582:f096:dbff:fee8:427d";
|
||||
gitea = "fd23:42:c3d2:582:702a:daff:fe35:83be";
|
||||
grafana = "fd23:42:c3d2:582:4042:fbff:fe4b:2de8";
|
||||
hydra = "fd23:42:c3d2:582:e2cb:4eff:fe3b:f94b";
|
||||
jabber = "fd23:42:c3d2:582:b869:ccff:fe46:902a";
|
||||
# mail = "fd23:42:c3d2:582:88c0:41ff:fe70:d6cd";
|
||||
keycloak = "fd23:42:c3d2:582:c48:bbff:fe87:721d";
|
||||
logging = "fd23:42:c3d2:582:6811:edff:fe40:89c6";
|
||||
mail = "fd23:42:c3d2:582:88c0:41ff:fe70:d6cd";
|
||||
matemat = "fd23:42:c3d2:582:f82b:1bff:fedc:8572";
|
||||
minetest = "fd23:42:c3d2:582:c3a:42ff:fe5d:b20c";
|
||||
mobilizon = "fd23:42:c3d2:582:48d1:5cff:fea7:1676";
|
||||
mongo = "fd23:42:c3d2:582:14ec:c8ff:fe0a:fc5c";
|
||||
mucbot = "fd23:42:c3d2:582:28db:dff:fe6b:e89a";
|
||||
|
@ -79,64 +106,69 @@
|
|||
serv-gw = "fd23:42:c3d2:582::1";
|
||||
spaceapi = "fd23:42:c3d2:582:1457:adff:fe93:62e9";
|
||||
stats = "fd23:42:c3d2:582:2:0:0:3";
|
||||
zeit = "fd23:42:c3d2:582:2:0:0:5";
|
||||
direkthilfe = "fd23:42:c3d2:582:1cde:c5ff:fe47:8c2a";
|
||||
nix-build = "fd23:42:c3d2:582:683d:a9ff:fe45:3d1f";
|
||||
staging-data-hoarder = "fd23:42:c3d2:582:2de:5bff:fef9:e23d";
|
||||
oparl = "fd23:42:c3d2:582:2de:9aff:fece:3879";
|
||||
gnunet = "fd23:42:c3d2:582::44";
|
||||
broker = "fd23:42:c3d2:582::46";
|
||||
ftp = "fd23:42:c3d2:582::47";
|
||||
network-homepage = "fd23:42:c3d2:582::2f";
|
||||
owncast = "fd23:42:c3d2:582::32";
|
||||
prometheus = "fd23:42:c3d2:582::4b";
|
||||
buzzrelay = "fd23:42:c3d2:582::f";
|
||||
oxigraph = "fd23:42:c3d2:582::4c";
|
||||
luulaatsch-asterisk = "fd23:42:c3d2:582::2a";
|
||||
stream = "fd23:42:c3d2:583:dc91:c7ff:fe51:d1c5";
|
||||
gnunet = "fd23:42:c3d2:582:44";
|
||||
broker = "fd23:42:c3d2:582:46";
|
||||
ftp = "fd23:42:c3d2:582:47";
|
||||
zengel = "fd23:42:c3d2:582:4a";
|
||||
network-homepage = "fd23:42:c3d2:582:2f";
|
||||
owncast = "fd23:42:c3d2:582:32";
|
||||
prometheus = "fd23:42:c3d2:582:4b";
|
||||
buzzrelay = "fd23:42:c3d2:582:f";
|
||||
oxigraph = "fd23:42:c3d2:582:4c";
|
||||
tmppleroma = "fd23:42:c3d2:582:2c";
|
||||
luulaatsch-asterisk = "fd23:42:c3d2:582:2a";
|
||||
};
|
||||
hosts6.up4 = {
|
||||
knot = "2a00:8180:2c00:282:cd7:56ff:fe69:6366";
|
||||
bind = "2a00:8180:2c00:282:cd7:56ff:fe69:6366";
|
||||
blogs = "2a00:8180:2c00:282:b8a8:7dff:fee8:5ac2";
|
||||
dns = "2a00:8180:2c00:282:2:0:0:2";
|
||||
dnscache = "2a00:8180:2c00:282:f096:dbff:fee8:427d";
|
||||
gitea = "2a00:8180:2c00:282:702a:daff:fe35:83be";
|
||||
grafana = "2a00:8180:2c00:282:4042:fbff:fe4b:2de8";
|
||||
hydra = "2a00:8180:2c00:282:e2cb:4eff:fe3b:f94b";
|
||||
jabber = "2a00:8180:2c00:282:b869:ccff:fe46:902a";
|
||||
# mail = "2a00:8180:2c00:282:88c0:41ff:fe70:d6cd";
|
||||
keycloak = "2a00:8180:2c00:282:c48:bbff:fe87:721d";
|
||||
logging = "2a00:8180:2c00:282:6811:edff:fe40:89c6";
|
||||
mail = "2a00:8180:2c00:282:88c0:41ff:fe70:d6cd";
|
||||
matemat = "2a00:8180:2c00:282:f82b:1bff:fedc:8572";
|
||||
minetest = "2a00:8180:2c00:282:c3a:42ff:fe5d:b20c";
|
||||
mobilizon = "2a00:8180:2c00:282:48d1:5cff:fea7:1676";
|
||||
mongo = "2a00:8180:2c00:282:14ec:c8ff:fe0a:fc5c";
|
||||
mucbot = "2a00:8180:2c00:282:28db:dff:fe6b:e89a";
|
||||
public-access-proxy = "2a00:8180:2c00:282:1024:5fff:febd:9be7";
|
||||
radiobert = "2a00:8180:2c00:282:e65f:1ff:fe5d:1679";
|
||||
radius = "2a00:8180:2c00:282:2:0:0:4";
|
||||
scrape = "2a00:8180:2c00:282:e073:50ff:fef5:eb6e";
|
||||
sdrweb = "2a00:8180:2c00:282:3078:bbff:fe76:e9ef";
|
||||
serv-gw = "2a00:8180:2c00:282::1";
|
||||
spaceapi = "2a00:8180:2c00:282:1457:adff:fe93:62e9";
|
||||
stats = "2a00:8180:2c00:282:2:0:0:3";
|
||||
stream = "2a00:8180:2c00:282:dc91:c7ff:fe51:d1c5";
|
||||
stream = "fd23:42:c3d2:583:dc91:c7ff:fe51:d1c5";
|
||||
ticker = "2a00:8180:2c00:282:b407:40ff:fec1:81f2";
|
||||
zeit = "2a00:8180:2c00:282:2:0:0:5";
|
||||
direkthilfe = "2a00:8180:2c00:282:1cde:c5ff:fe47:8c2a";
|
||||
nix-build = "2a00:8180:2c00:282:683d:a9ff:fe45:3d1f";
|
||||
staging-data-hoarder = "2a00:8180:2c00:282:2de:5bff:fef9:e23d";
|
||||
oparl = "2a00:8180:2c00:282:2de:9aff:fece:3879";
|
||||
|
||||
serv-gw = "2a00:8180:2c00:282::1";
|
||||
luulaatsch-asterisk = "2a00:8180:2c00:282::2a";
|
||||
drone = "2a00:8180:2c00:282::2b";
|
||||
pretalx = "2a00:8180:2c00:282::2c";
|
||||
matrix = "2a00:8180:2c00:282::2d";
|
||||
activity-relay = "2a00:8180:2c00:282::2e";
|
||||
network-homepage = "2a00:8180:2c00:282::2f";
|
||||
vaultwarden = "2a00:8180:2c00:282::31";
|
||||
owncast = "2a00:8180:2c00:282::32";
|
||||
hedgedoc = "2a00:8180:2c00:282::6";
|
||||
mediawiki = "2a00:8180:2c00:282::43";
|
||||
gnunet = "2a00:8180:2c00:282::44";
|
||||
data-hoarder = "2a00:8180:2c00:282::45";
|
||||
broker = "2a00:8180:2c00:282::46";
|
||||
ftp = "2a00:8180:2c00:282::47";
|
||||
auth = "2a00:8180:2c00:282::48";
|
||||
dresden-zone = "2a00:8180:2c00:282::49";
|
||||
zengel = "2a00:8180:2c00:282::4a";
|
||||
network-homepage = "2a00:8180:2c00:282::2f";
|
||||
owncast = "2a00:8180:2c00:282::32";
|
||||
prometheus = "2a00:8180:2c00:282::4b";
|
||||
oxigraph = "2a00:8180:2c00:282::4c";
|
||||
hedgedoc = "2a00:8180:2c00:282::6";
|
||||
buzzrelay = "2a00:8180:2c00:282::f";
|
||||
oxigraph = "2a00:8180:2c00:282::4c";
|
||||
tmppleroma = "2a00:8180:2c00:282::2c";
|
||||
luulaatsch-asterisk = "2a00:8180:2c00:282::2a";
|
||||
};
|
||||
};
|
||||
|
||||
|
@ -174,7 +206,7 @@
|
|||
gw6 = null;
|
||||
};
|
||||
};
|
||||
ospf.allowedUpstreams =
|
||||
bgp.allowedUpstreams =
|
||||
[ "upstream4" "upstream3" "anon1" "freifunk" ];
|
||||
};
|
||||
stats = makeContainer {
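Review bot: In the `hosts6.dn42` hunk the entries `gnunet = "fd23:42:c3d2:582:44"`, `broker`, `ftp`, `zengel`, `network-homepage`, `owncast`, `prometheus`, `buzzrelay`, `oxigraph`, `tmppleroma` and `luulaatsch-asterisk` have only five hextets and no `::`, so they are not valid IPv6 addresses; the parallel `hosts6.up4` entries (`2a00:8180:2c00:282::44` etc.) keep the `::`, and the dn42 ones need it too: `gnunet = "fd23:42:c3d2:582::44";`. In the same hunk `blogs = "fd42:42:c3d2:582:b8a8:7dff:fee8:5ac2"` does not lie in `subnets6.dn42 = "fd23:42:c3d2:582::/64"` (prefix typo `fd42`), and both `stream = "fd23:42:c3d2:583:..."` entries use `:583:` inside blocks whose /64 is `:582:` — the second one sits in `hosts6.up4`, where a `2a00:8180:2c00:282:` address is expected. Whichever side is merged, an assertion that every `hosts6.<net>` value parses and lies inside the matching `subnets6.<net>` would have caught all of these.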
@ -2,7 +2,7 @@
|
|||
let
|
||||
servHosts = config.site.net.serv.hosts4;
|
||||
inherit (config.site.net.c3d2.hosts4) dn42;
|
||||
inherit (config.site.net.flpk.hosts4) c3d2-web;
|
||||
inherit (config.site.net.flpk.hosts4) c3d2-web leon mailtngbert;
|
||||
in
|
||||
{
|
||||
site.hosts = {
|
||||
|
@ -24,8 +24,12 @@ in
|
|||
};
|
||||
};
|
||||
};
|
||||
ospf.upstreamInstance = 7;
|
||||
role = "container";
|
||||
bgp.peers.${config.site.net.core.subnets6.dn42} = {
|
||||
asn = config.site.hosts.upstream3.bgp.asn;
|
||||
type = "upstream";
|
||||
name = "up";
|
||||
};
|
||||
};
|
||||
|
||||
upstream4 = rec {
|
||||
|
@ -43,177 +47,260 @@ in
|
|||
{ # gemini
|
||||
destination = "${c3d2-web}:1965";
|
||||
proto = "tcp";
|
||||
reflect = true;
|
||||
sourcePort = 1965;
|
||||
}
|
||||
{
|
||||
destination = servHosts.knot;
|
||||
destination = "172.20.73.61";
|
||||
proto = "tcp";
|
||||
reflect = true;
|
||||
sourcePort = 53;
|
||||
}
|
||||
{
|
||||
destination = servHosts.knot;
|
||||
destination = "172.20.73.61";
|
||||
proto = "udp";
|
||||
reflect = true;
|
||||
sourcePort = 53;
|
||||
}
|
||||
{
|
||||
destination = dn42;
|
||||
proto = "udp";
|
||||
reflect = true;
|
||||
sourcePort = 2325;
|
||||
}
|
||||
{
|
||||
destination = dn42;
|
||||
proto = "udp";
|
||||
reflect = true;
|
||||
sourcePort = 2327;
|
||||
}
|
||||
{
|
||||
destination = dn42;
|
||||
proto = "udp";
|
||||
reflect = true;
|
||||
sourcePort = 2337;
|
||||
}
|
||||
{
|
||||
destination = dn42;
|
||||
proto = "udp";
|
||||
reflect = true;
|
||||
sourcePort = 2338;
|
||||
}
|
||||
{
|
||||
destination = dn42;
|
||||
proto = "udp";
|
||||
reflect = true;
|
||||
sourcePort = 2339;
|
||||
}
|
||||
{
|
||||
destination = dn42;
|
||||
proto = "udp";
|
||||
reflect = true;
|
||||
sourcePort = 2340;
|
||||
}
|
||||
{
|
||||
destination = dn42;
|
||||
proto = "udp";
|
||||
sourcePort = 2342;
|
||||
}
|
||||
{
|
||||
destination = dn42;
|
||||
proto = "udp";
|
||||
reflect = true;
|
||||
sourcePort = 2399;
|
||||
}
|
||||
{
|
||||
destination = dn42;
|
||||
proto = "udp";
|
||||
reflect = true;
|
||||
sourcePort = 24699;
|
||||
}
|
||||
{
|
||||
destination = dn42;
|
||||
proto = "udp";
|
||||
reflect = true;
|
||||
sourcePort = 64699;
|
||||
}
|
||||
{ #ssh
|
||||
destination = "${leon}:22";
|
||||
proto = "tcp";
|
||||
reflect = true;
|
||||
sourcePort = 2223;
|
||||
}
|
||||
{ #Website
|
||||
destination = "${leon}:5000";
|
||||
proto = "tcp";
|
||||
reflect = true;
|
||||
sourcePort = 5001;
|
||||
}
|
||||
{ #VPN_Wireguard VPN1-interface
|
||||
destination = "${leon}:18900";
|
||||
proto = "udp";
|
||||
reflect = true;
|
||||
sourcePort = 18800;
|
||||
}
|
||||
{ #VPN_Wireguard VPN2-interface
|
||||
destination = "${leon}:19900";
|
||||
proto = "udp";
|
||||
reflect = true;
|
||||
sourcePort = 19800;
|
||||
}
|
||||
{
|
||||
destination = servHosts.minetest;
|
||||
proto = "udp";
|
||||
reflect = true;
|
||||
sourcePort = 30000;
|
||||
}
|
||||
# ?
|
||||
{
|
||||
destination = "172.22.99.175:22";
|
||||
proto = "tcp";
|
||||
reflect = true;
|
||||
sourcePort = 2224;
|
||||
}
|
||||
{
|
||||
destination = servHosts.gitea;
|
||||
proto = "tcp";
|
||||
reflect = true;
|
||||
sourcePort = 22;
|
||||
}
|
||||
{
|
||||
destination = servHosts.jabber;
|
||||
proto = "tcp";
|
||||
reflect = true;
|
||||
sourcePort = 5222;
|
||||
}
|
||||
{
|
||||
destination = servHosts.jabber;
|
||||
proto = "tcp";
|
||||
reflect = true;
|
||||
sourcePort = 5223;
|
||||
}
|
||||
{
|
||||
destination = servHosts.jabber;
|
||||
proto = "tcp";
|
||||
reflect = true;
|
||||
sourcePort = 5269;
|
||||
}
|
||||
{
|
||||
destination = servHosts.jabber;
|
||||
proto = "tcp";
|
||||
reflect = true;
|
||||
sourcePort = 3478;
|
||||
}
|
||||
{
|
||||
destination = servHosts.jabber;
|
||||
proto = "tcp";
|
||||
reflect = true;
|
||||
sourcePort = 3479;
|
||||
}
|
||||
{
|
||||
destination = servHosts.jabber;
|
||||
proto = "udp";
|
||||
reflect = true;
|
||||
sourcePort = 3478;
|
||||
}
|
||||
{
|
||||
destination = servHosts.jabber;
|
||||
proto = "udp";
|
||||
reflect = true;
|
||||
sourcePort = 3479;
|
||||
}
|
||||
{
|
||||
destination = mailtngbert;
|
||||
proto = "tcp";
|
||||
reflect = true;
|
||||
sourcePort = 25;
|
||||
}
|
||||
{
|
||||
destination = mailtngbert;
|
||||
proto = "tcp";
|
||||
reflect = true;
|
||||
sourcePort = 465;
|
||||
}
|
||||
{
|
||||
destination = mailtngbert;
|
||||
proto = "tcp";
|
||||
reflect = true;
|
||||
sourcePort = 587;
|
||||
}
|
||||
{
|
||||
destination = mailtngbert;
|
||||
proto = "tcp";
|
||||
reflect = true;
|
||||
sourcePort = 110;
|
||||
}
|
||||
{
|
||||
destination = mailtngbert;
|
||||
proto = "tcp";
|
||||
reflect = true;
|
||||
sourcePort = 143;
|
||||
}
|
||||
{
|
||||
destination = mailtngbert;
|
||||
proto = "tcp";
|
||||
reflect = true;
|
||||
sourcePort = 993;
|
||||
}
|
||||
{
|
||||
destination = mailtngbert;
|
||||
proto = "tcp";
|
||||
reflect = true;
|
||||
sourcePort = 995;
|
||||
}
|
||||
# poelzi
|
||||
{
|
||||
destination = "172.20.73.162:22";
|
||||
proto = "tcp";
|
||||
reflect = true;
|
||||
sourcePort = 2323;
|
||||
}
|
||||
# jan
|
||||
{
|
||||
destination = "172.20.75.3:51820";
|
||||
proto = "udp";
|
||||
sourcePort = 30057;
|
||||
}
|
||||
# zw-ev RDP
|
||||
{
|
||||
destination = "172.20.75.222:3389";
|
||||
proto = "tcp";
|
||||
reflect = true;
|
||||
sourcePort = 45000;
|
||||
}
|
||||
{
|
||||
destination = config.site.net.core.hosts4.vpn-gw;
|
||||
proto = "udp";
|
||||
sourcePort = config.site.vpn.wireguard.port;
|
||||
reflect = true;
|
||||
sourcePort = config.site.vpn.wireguard.port;
|
||||
}
|
||||
{
|
||||
destination = "${config.site.net.serv.hosts4.direkthilfe}:22";
|
||||
proto = "tcp";
|
||||
reflect = false;
|
||||
sourcePort = 3822;
|
||||
}
|
||||
{
|
||||
destination = servHosts.gnunet;
|
||||
proto = "tcp";
|
||||
reflect = true;
|
||||
sourcePort = 2086;
|
||||
}
|
||||
# dresden zone
|
||||
{
|
||||
destination = servHosts.dresden-zone;
|
||||
proto = "udp";
|
||||
sourcePort = 51844;
|
||||
}
|
||||
# data-hoarder
|
||||
{
|
||||
destination = servHosts.data-hoarder;
|
||||
proto = "udp";
|
||||
reflect = true;
|
||||
sourcePort = 51820;
|
||||
}
|
||||
{
|
||||
destination = "${servHosts.data-hoarder}:22";
|
||||
proto = "tcp";
|
||||
reflect = false;
|
||||
sourcePort = 2269;
|
||||
}
|
||||
# data-hoarder-staging
|
||||
{
|
||||
destination = "${servHosts.staging-data-hoarder}:51820";
|
||||
proto = "udp";
|
||||
reflect = true;
|
||||
sourcePort = 51821;
|
||||
}
|
||||
{
|
||||
destination = "${servHosts.ftp}:22";
|
||||
proto = "tcp";
|
||||
reflect = true;
|
||||
sourcePort = 1022;
|
||||
}
|
||||
# coloRadio
|
||||
{
|
||||
proto = "tcp";
|
||||
sourcePort = 8000;
|
||||
destination = "192.168.9.127";
|
||||
}
|
||||
];
|
||||
interfaces = {
|
||||
core = {
|
||||
|
@ -238,17 +325,19 @@ in
|
|||
};
|
||||
};
|
||||
};
|
||||
ospf = {
|
||||
upstreamInstance = 8;
|
||||
stubNets4 = [
|
||||
bgp = {
|
||||
nets4 = [
|
||||
"${interfaces.up4-pppoe.upstream.staticIpv4Address}/32"
|
||||
];
|
||||
peers.${config.site.net.core.subnets6.dn42} = {
|
||||
asn = config.site.hosts.upstream4.bgp.asn;
|
||||
type = "upstream";
|
||||
name = "up";
|
||||
};
|
||||
};
|
||||
role = "container";
|
||||
};
|
||||
|
||||
freifunk.ospf.upstreamInstance = 6;
|
||||
|
||||
anon1 = {
|
||||
interfaces = {
|
||||
core = {
|
||||
|
@ -263,9 +352,14 @@ in
|
|||
};
|
||||
};
|
||||
};
|
||||
ospf = {
|
||||
bgp = {
|
||||
allowedUpstreams = [ "upstream3" "upstream4" "freifunk" ];
|
||||
upstreamInstance = 5;
|
||||
upstreamTable = "vpn_table";
|
||||
peers.${config.site.net.core.subnets6.dn42} = {
|
||||
asn = config.site.hosts.upstream3.bgp.asn;
|
||||
type = "upstream";
|
||||
name = "up";
|
||||
};
|
||||
};
|
||||
role = "container";
|
||||
};
|
||||
|
|
|
@ -33,8 +33,6 @@
|
|||
type = "wireguard";
|
||||
};
|
||||
};
|
||||
ospf = {
|
||||
allowedUpstreams = [ "flpk-gw" "anon1" "freifunk" ];
|
||||
};
|
||||
bgp.allowedUpstreams = [ "flpk-gw" "anon1" "freifunk" ];
|
||||
};
|
||||
}
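Review bot: `bgp.allowedUpstreams = [ "flpk-gw" "anon1" "freifunk" ];` keeps `freifunk` in the list of routers whose default route is accepted, yet the hosts file in this same compare still configures that router with `freifunk.ospf.upstreamInstance = 6;`, and `anon1.bgp.allowedUpstreams` names it too; the page does not show which side each of those lines ends up on. Unless the BGP code path also honours OSPF-announced defaults, the `freifunk` entry would never match a peer and the preference order would silently shrink to `flpk-gw` then `anon1`. Either confirm that mixed OSPF/BGP upstreams are handled, or mark the entry, e.g. `# freifunk still announces its default via OSPF`. The attrset this hunk edits starts outside the hunk.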
|
||||
|
|
|
@ -1,85 +1,74 @@
|
|||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
hQEMA2PKcvDMvlKLAQgAjGer7r8wCoigtDTS5zzUnJI02b3RQvhbqjv4a6RD52ry
|
||||
NzqqX7yIVyOEP2SnqoBpmWHYFJ3WcRb5Io3DXBLjgVHZbWJMP/DtVzHN+1ix3A5T
|
||||
ZjxROLc/EDyd+prSvbol5UJkHJeoH7PWwPmO1VPOVZwAV+NGJS/qKXz/wUGFA6y5
|
||||
iH6vzetTvxSBt08dYVulzmI/B6MwHUz8W7YTTal7QTKftlyzXWZHydbj1AWJjGoR
|
||||
qadxsH4ZlqdHJrP/j5Yvw72XgdzAN7MQrofslqFI9ro9nccLQ7Q3B7kzt/EvoOPm
|
||||
obPHW1I0UFoFXhfTujROXwVlernk6qmxO/oNr5UZB9LqAaroXhliddAzPZPT5qcK
|
||||
szctWSv1eNlGO44iwIJyrh/Yetmrhll8flPl9URWIi9r383xkawhxG52alUVjRIz
|
||||
u2BC3vdrt5o0GfEpZlDo23UbIxLIFbMg2xTXcFBq5TJEw0+owwhz+m+JRrXY9h1+
|
||||
SVlMX0PcUUg4vmX+7/KVIwrSECFpfPcBTSyMafUT6SfxG02/WmvzcEXk8E8hK+a3
|
||||
VzolJIqirrv1CRwm60xOucytFI5OnxYI3kV9saiLwB6i9KI8Hw91pM7T+kQmXbbl
|
||||
etRddcQLXdhjRB/bCUJbQeEKZx0gjVAQkTFtdz6tp2vc9u/WS6UMrrQIkzdwLIOg
|
||||
AXa8JmCtlTcN1uVVDlmQqba5li6ObqM4dtyOwHkXmpwBLObtoSg2yxTExxVwtAxz
|
||||
CgNcPZ9snnht8MpXGrrzQUsdGfBY4gZ8Hgh1oScqW9b8o5XtT74hdtWXFMv6tE2F
|
||||
8bco4QBt6q95aYSi/wcyLwIyhUI+PEh2m5UM7KjYs2xxWbzU7Q0nj70VI9x+0Y+U
|
||||
Apez4mYlqiep5l94E4Q4wb3rizYeXFAzZDe5FXfcpRgVPHGSq6XWUYSgyQENuRTB
|
||||
Ll8usdYLgT3Y7ULxT4O/8OKkDFMyfmTIdSiJRUJ8izMTm0yq5lKrSsqYTZVNOF6v
|
||||
NDEolddj4DOaRV07DkrQRMpukrTCauZdC/c/hwmr3+ZcaMi33ZKHIbCXex/34D9z
|
||||
0CH3fA0nn/w3jh9CwOKBrT+cbOlMF3gVJbQU8xGgf7QHyaf8dEoayiInk9wKfUJd
|
||||
BQ6YGukQBb6KDDNuDq0r9UYeRPjWc/mGSZkluoEl1GVFkFNpxlKStB68hNRJg63i
|
||||
gS/l6jSkj1IKmsnbkJVtC+YwH/Pkx6+fcisXmUGPZ9KUiw2qiCGLFbHm5Shc7YBW
|
||||
BpiZzCEjRrp71lB5URbbY+zhf+lcAdxewbw8v0R0tJP2hzmXCqsvJnB4jcEc1YD5
|
||||
lFD/4ivgZ95pVaoV+WsjETZZd3pkvo2PQC0f/2momT+KwYAdwcPfwJH8S9FLBjKE
|
||||
nQRlYRjiUUEMO7TZ9J7a8onyFxozVwH7IJMz/L2wEs0u8dPr3Rj3kpCbHD8tNCE4
|
||||
BP5s1d+S18vSKNRBYY2z7t1eyBZ+9hu1vgWR7GsAcgwCv6YTfVT8VE9RBdkglwP2
|
||||
Me6G1Af5KMNyQq0GDaKT/pPlS3WCdjpkOHCpw+2HfSjPVDAvWbBkrB8xQrQp8kwg
|
||||
mHMD9udGsfpUSQVoNxIjIeK9EfFEjgXA+53/BVuCbSL5bWQXnKCMba656z7UrWqo
|
||||
NqVdJ7c8N7/U9fxaUaagDoziBUsV+eT58eGFRZJJHkbDZvmRthYOQnR82KSQz2cx
|
||||
Neo9z3mSVA8FVRnwNaSNZiHRRKoFY+6HfDOmP5PzAIrW1/TBVYR6+5gmqou3KPqY
|
||||
1I8DKkVYqlRSve+GXeFIEkeiJ8N5BZ4WZw3EglWSrP+uG7zywJ1pWNja5WNKSzX4
|
||||
mXPdI6KxTL40V06SraUqAOhd8uqH4fEhaBJVCqtm9cdXar7dqAbkaX5RARDb/BNg
|
||||
K4m8iDRkrFCO6JYMmwWJz+q/HxY5u71szxFKUiYREeP0udxapekx6IELMwnMrdUT
|
||||
GCryJs0VJuRDsOxSyuGprz+UnhY/K7NXRmE6hIrXJQ5mjsHtyjd2vk+OzJY6mL7S
|
||||
vRZw5FUqRvFsXXLNq/+YtRZSSZChMX0BM42prcC61PIm8qiVLs2199hKWmJmBill
|
||||
DZnTJzvm38EWBPkm5JGh4tJ9VN769kyhDtWKtZ4aEuykcPJor+Did+oYuMadKUCN
|
||||
0NAuKxXAUHc/TfnSxBZxRdHWZo9vyYhiIWNoy5724yWfBH+STgNy3c+Z/JeKXvVB
|
||||
YUM4J7ys2TEnTmcoR43MPrF2+bdDsgsItQjtLlBmRvRItdswFYkunuQRBYmXoNBb
|
||||
2MTTxHSU4jyM5FUxBi9XAk0mnWgo/aK/FhfE73VxvVXwfwpEkomL/TFexGzfFx7d
|
||||
70T8RWCYgFHOuoe+O04wo2qyvCZZittRQGlInNztDCQI6lqa8TSILVgIRMgvnrcR
|
||||
P9BUixDlFfl8x4g0lacxZm9nN5XNgnI1RTiXNXeigIciRydyeAKoV3gxY54i5jOm
|
||||
VFUClFfQFz+nBStRQumqxMXKa433J1l8NENmZmkc+D2TeLt8kbgNN4Zg7zKiNRFt
|
||||
UvFEtqPxQSiFgLCjrMH2wLkq79EtP/Zfpok/1iGbKfT+/bhDFB0iWE0AdIAa0oiu
|
||||
1JDsSFmoMTtMHgywSvVxaDVE4/0C81D3foLERbc+dwo00+YyROrQ74+mNoFrY4vd
|
||||
xcDKxgkcZeZXxsUlox0F26OVZ3B7krUQC7EbBBVvdimJk7S0WXTHfR5ENz7lp1C2
|
||||
2gRL8Pdj9I4VsOmGAfcNPV2J5RVdRwyL9dSxCPVQ4ECrBqHSPqGbQoT7aHX9b+6A
|
||||
LKCWUqC18NxrRr4dbSxcjkE4w+vPmENrDh+yR7zDgdWY03rGN/jT2CV1le69AAaq
|
||||
RTf5n+skzsWz+u09bW7b43gpwhh7YeSFKpogNZ8z2ujEr0fkrGsOWWba9z620Xls
|
||||
f/4dPKcNiJLOIOXT555xZSpsgzAtPO1g9QM+l8Q6PZjqAvGjbHsYMw5ao+iwL0qt
|
||||
M93Uj47PxD4qqz4MwYQw8S/dtrUkvBDEoA2fVU/00Fb9XzrECDUffDxHEUmDIcJQ
|
||||
h/q7ZntcVp//Gy4DeEiqp63s6poWGdbDmccN3hWmzWHEI0HR7pNS/FHEzESCw9oh
|
||||
PkZzOa76GmyDqbopneVUmtfCuBjahTjVSAv4YlAsqQMI5wUgV+bwlfB7Rm2v8X4R
|
||||
cyka3F9xWxuC3/5vxuPyyxA1YZc/fzpOqafFCU3mGF2byOKCL0YNuoqUbQBtagHZ
|
||||
6rrmGqNjyVuUG15KLBF29sYlJTBYF7tAeyVx2vLJqzKPRMGL2Ph8wg8Rg58eqKgU
|
||||
gUIlCGzxGoqK1fVlrvvRATHplO77s+W/dA0svfSeD3xrtEd5oF9oQeI78A71Vmrw
|
||||
ZsMech54mketddbn9t2MID8rVWxTtX5xIAxnW5TBfO8DucsqbxsJNm7Edzue0C2L
|
||||
i7tDKM5ZSbkivh0C7G1w7cu9SAv7gHStu+3DKGlW7MmCfLSEGk34jRdTRUu/2KAh
|
||||
cbHxHj25mDC6ZPz54FX6iDA0epm0ILVXZa75gjlfq4o9ldjKbR6yueIuc2hy7H1b
|
||||
QFlmx415H5TGTpjSJdjXCqvbbwphOIqsN0Qh3ZqUdaboVGipZdlFv3FH/2uxAFKW
|
||||
VMJ1CpFAWe2iLtQEgrxJ15xpsLx+zcFUfftR8vXNRwMcEffV7xQguTugGic5O0DB
|
||||
m5Oopo6bB9wMU4tvDRosjnvMEkuwbSPLSA/8JeZFO1zCK8Pa2znYNEwHNxeHiTCT
|
||||
+oouXDqdcT9dnH4cg4GeHjVDZO0I9yZL/cMDUPtqN0XySXe8Zj7VxtpQmcePklV/
|
||||
RDoGKHxEVz2a16foONjtVfsoheFHLWAI47IOTFDHA/CSQLCmCqwpfZQIuX2oWRwc
|
||||
aPN4t5Qkx5TllLzL6keXkDV43/yw0dnXBQQDQ/Z4DP5GShwahyFggA/XonKYb9F0
|
||||
B+pz+NOOkZjcFrcFeMr4cMdffc2ACxDJZWH4BHcwM9WICqoefJHlUu65ZTBBlisJ
|
||||
mwP4Xapx8khsln2xXDUfhsoXu5+FHBexyVP1OUmZZ+zO3UEXPa+OwpglqrYGMueE
|
||||
iXEO2lCOi6HrQCd7cvONPEwLaqavojMhsP42ywirWK7J9XuCoaEWtZjlA/Sq2D2B
|
||||
upK6WuFMr+eE5lhrp5LFCRMJoiiwJb/bA7sMdZhg6HjIZNoNkrCvdgvLScbKxHM8
|
||||
4G82FAafs/fbel5mdUNEe3nOXhQX2KH1MkUhnKGv5hi9gsXLaJlQTZBFsjoT8MUX
|
||||
XUNdEWQ/xtGjs7eNBn/MzpP3JeByrDG0u0Tbt2whOkwhKQt+odph7sMRxwtvvniu
|
||||
ij9nA3OlSGpTEItmC1jls29sJy5/0Ojp6Y3v/ZBfG6xh0xhhjpZIoOGQoK1wdG4m
|
||||
m0j6TZqRKwX9FqQ9aCVY65lp/MsdXehe6/EShyT4K56KuGbpDuzoeZRshDPOvcjU
|
||||
A1t44vBp3aYH9gE6QfM/dg8akN+LXOM7komveAbFvcvE8KFVdfHOUJIjPyy+saX0
|
||||
ZHWLrH/SU+vUuFUw9VSuEavar95l9pRyWCeV67DWN2+FY8HESlfltjwiswActvrt
|
||||
uDeIdtd42y4yA5u3BFCGEAWgZm+aVkQxuMN4OynTHM3NGJ6NUOeL8cGMA02KE65v
|
||||
8pg4o3sIjfmsD76srDx7hKIpIe+K4QpAIxxL21HPZuXhE3ksNHh3x5x7hjkvNAUi
|
||||
z3xbaR03avMeSle1LvUH/A88Fn+/0ataHYiQiIM95RXvMdKAk6SNNsN7rp1RZNhV
|
||||
X6cNTBz2uUVbAXMUgbbBc9O2AVMR0pbfAYBKHPm24b+tWMShG/DR9f/mFFdUznEX
|
||||
9+ydjRh9Mh9ZYgzKXqA9SZ/4Zhqn2Mve3r3Rii4K2w6KUbxRHev7FpV/KGgYsMmw
|
||||
bLjSgS/cwQ7Ky9yRM12EmoAcimy/7vpyPRBM1tWnPBKhZf1xq15UM/lf53OcBjxb
|
||||
ezeETqSQc6flKtEAxRv6nWSuormgn6JbClMjhII3velUKyfPCe29HNtFQ3LWJu4R
|
||||
WLMH7A2qx0cIuyOuoFXefWh/9C3fiO72hqI5yQ2x4dxtEutUNTmByxZxTxJD/tSN
|
||||
BI3ZmHeysFpUVdfDdt3Nc/Jw3lQCuBk=
|
||||
=sq5B
|
||||
hQEMA2PKcvDMvlKLAQf+N28QCjh68YIkQYSL3EnA34fuG4PqrPONlCOVbuH3SsA/
|
||||
BPzZEA2dURxbgIFTkjUCqORv62aMgTxJQdGN6S3x3je5aGXGk38SoTYuPZo5Mdss
|
||||
75l9cj8zJsz9ZnawXbFiM6RMpxd/zGoaPqiOclkiA/NcaaGVuhEYv57ucFsESwcJ
|
||||
8Pb4PVAt50vH3pcmJUezK1EWftKbMjIB1w/QoiBFbkCi6/2GIs/3ISCFiBO0O7g+
|
||||
egW6/6ivODTGV/TghlMoB5717eORUUGr2nejbSV/OaK/bz+KjznJfclg/bRVxM2p
|
||||
QYgidYaINIb95O1P56kMYlTfZ7czBwpTr/HV8XuWEdLqAfpIIaf3SlQZKl7FJShO
|
||||
Skxxt2nhQzyLIZq8TEexXO5ayTOfuAmCAx3GEv6tPy77KwW/5lzq416TcVgk9ZKh
|
||||
qBZB2SBaqH6JavphKFet1GLzztW0Xd1J874P0FXhIdT8OKsJyGNkxgBevEEwNICz
|
||||
RVJAAboAF2GwLqdhruT5cTBAKtFPq3QJ/3G/rZQ4WoJ7geYhJHlIlMhG1AkPhKt/
|
||||
hCb4nz9nD+9xL8dM1C/6LqROHFZV6X6gha79+84YXfM9wdHP6/Dj1Bs5wB9qQhZu
|
||||
HEJOAgule7on5dPaXOV3LzSKLSriDHWcVEsZnN4IzO0I7u59TGWF/RQypThBqDUu
|
||||
4C+AwXpoyzGC0rqa+fLfOmWAN0K/uV3Mt+Uj4HwFxu4lYUUqDpB2hcCX6DHytttm
|
||||
C7fuqungdMgcpzE5fYH4k38sMPxI98Tnma1hC2MpFIrgV7OgiJ1mVP86rHEGnVut
|
||||
92EJ4n7aLHpydcaDYVrIE6x5xmcBbe2Cwf8dBawAsm12nACo9c07AtAsQZUpSF67
|
||||
2G3vDJnC0iEF1PGJrWw9tTGBoCS6q3N8iPJ7UF7uSE0DI2Ja5pxiRGVjTe0ddRbJ
|
||||
WDhYye/bNjprQh0NY9A5qUfXXnIo5tB0A2aSi2z/vUrffefMIkhYihEyFcPEtpr9
|
||||
XqmS7TU0gU2ehcMZZdm0alNo3mjX4lHwczIEiLHMmj3J7Ozgq7aCMwSdFN8TpwOH
|
||||
0pAqSjrvG8C05Hr6ymlwRYrJ/OfLAkb1Kjf/Me3N2/ZAjeSzTRFuZ2vgbODCk/BM
|
||||
rSy/RMKB0WEvwLEq9Fj5XNH2p9P++v8JDpiH6I/HPZfRORGs5Gs2d7QQiXZ0YIWl
|
||||
lUyj9qGUj+RSXVcaHRZxx18RpvA+sgY1E7THx/2+Viwjx+zUHioFnVoEK8ft/hNV
|
||||
KtX9+wonftW6aQgN+VGqtWu+uGwxvNe9oxzuT2OWSH2OTFirmqK27KfDpHjjWIrp
|
||||
+6S5ZGkTm8QzfVeADdmPtQ5lmYCKeugkKQpVyvxZA5lUyROvKMZ7PKLRKTTu6qFL
|
||||
B8GdQTdaw4gQY8qliAVy7NvMVVdG8RhIyxRHEKSsV+cuftRvzRo89lyY4I3GTzII
|
||||
m6CbRCSNXMXWsyLFM2gd9ICn7Ax9XhuNyJ8NbeDp7f2Qr1GswKA4gJB/ybHpTOAi
|
||||
f9WzUZINWeklP5ORTk84ZfHtoZsU3a6ZQUCOLg3MKHtbcvmcb4Z1R9dwKiDCREWX
|
||||
59oCDmjZHsQqEzTTw/n9l9g1EHIu1l8zjAy7AzwEuup34Pwuw+Y/0JLsBrXzk869
|
||||
ISAMvHy/n6uZVWmqi+PW30i8LhiRvOg4htOs5kQg4PER0+X/hapKVcVIfFP2kPYm
|
||||
TOrfyn1WVsJ1ltsLX0LtQimGjFguDmR2/xlcYjBCKj8lDrNov7Qq8R2yXiZtuSgZ
|
||||
/YEG3GT8EmBvIXgN/1btvn0udY3edA6QxXtuLQ/aZExJqkZgWuhpgoP4A9P3GPzx
|
||||
Bmxg1WB+yMFlKAKbhnQkEjdPLKo7tTmonMOtpvPbuc7W7WT2Sh9jmDIV7U6tXkQA
|
||||
AGtk0TYsa1YBWMAqzP2bHNwJ1sMfdeSt9jffxrWSjj5v52qKGovhkr3EqoeCefCV
|
||||
POoAjnp9Fm9dOs9DTzstt3cZpHL6zQtNRdTZhrXIEZJ/JavhTd7hjJrSGJrxRt44
|
||||
jKcftkwsE1jMB8uSZGpOSfqwF+jZizoREdgQh8QQ3ZQbl8UMWdTUjhhekqK0noWn
|
||||
qVT7KzXiTG/1DKLaot755iK7iJhyL9PTT/NCHUbnFzFkHyQjHwwwOw86s7JuTSS4
|
||||
l0w04bEOwy5EP8RJDDSFMaW/5qJYsaefBv+0R8DTyod6VG6YRk1jTBTU9HLzlImC
|
||||
Md3hi4Ar4P/dxIBb7eebx4x4P5AVeecRAjNFCOlzuMobwdFWhbPhiNIigPLXl2oS
|
||||
cMxQQBGenB2eSDbJYbycXD2oZtCRghL+Snj9deFmynBCYxUe9NToXS6IqKmmvdcI
|
||||
SU4GKJDbREedfIVUdNNnK5L5goCjKHRsHamPrNGlxrEeeH/VZKh+3yKJlWahpELM
|
||||
OdcxEaBEXRzOJW62TRm5JjluI8P0wQJCWn5TzOkNwGYCWiN+rSd5S9PhUDZ67Cjn
|
||||
xKvhfXyLi0j45TbHFnwpBI2b5/z29EqviRBrII2mk07DDTKFiHQA4l3Ep44dInSW
|
||||
WVRzzcAhDaO0A/wiDS25AhU2P0Bq9LpaQAoQwYOcK70YfY11EybNHey0CGHvuwj3
|
||||
hEWQeH7WgqafRj/lnScLdlgw78Disc8DqiNB+PlTSsyEubeVM+p2loz3mXsjLYOQ
|
||||
lauDOCjQD6B4jGXigNFk8w+SdI9YCB4oQu5YMPXOzWA93bSmK0ZMl2ntN+1LmyWA
|
||||
ecHlRrAZp7NzG2CGVnnsqPRcK6EJNrfI1jbCE0eYvIW/tzrmj8DAfmLsA4H2CDt2
|
||||
wDVEu+uDZ2UkXm21Jm7NdKIiYjmKfFMQNgkoPwFJab4FE1zV2ZK5tcTy6tPEj/rS
|
||||
vw1u7Gg+ewB6yo6N11ZYA5Q5ivLgn2yY+1HO3e2Se3+VFdTb3mgqypEAfUADD5Xs
|
||||
Vy6DNpZpxx+elHr9xt0m+WF5tMCxGawbyKl/6VAsRTEV7sSIaQFpRoBilXVf/n4S
|
||||
anTn27031AK5+QGhiO+14AK/anEODcVql+wqvnBeIju0QmhOdy23dAnlsNU2Z3ff
|
||||
F620h34C3+3PQKrLzmr3Enam6jFG96nn3cpFn3jqxybbm7ipy7n6mqIeAAvPLbqu
|
||||
ZaZ7URbGlYAC8pUTO5UE5eRO5KXp1lITL7eEo8D2wGr/pXfrKVObCh82MPDpL2FS
|
||||
6wQQAPBxEC2NE2KrwthCknHCgfjXEoq6AB8HmyjdumxC7Z3aMkr514ebh49it/I6
|
||||
Z18DLT4AonINWO3AGiB172Zsln4LjBIWad4PaSAAAhDu9QV4IIxjNEd8mtZ7ZUIS
|
||||
ZOW/JOILwh/wkN4DLby8WakjZ351Z+UIqdvKbLVY17tAc+sOYBgnJL05o6URQFqw
|
||||
RSHkxjF3GxdlpwYOHQfoWeWSxQkur+aPWMhXdKiYJzlH76KF9RdlzP4i89OpDAVy
|
||||
udz/h8cgwTD1yadB27NX31wez0RRuECGAlpEk3vyo9+VDL+NOHiG0jc5xWY4Kk2Q
|
||||
P2KlaFXUwlb2qJXSNfT9uWUT+tzelYC0gJEVXVYe+DV3sr/5kLSTn8D0KpqhuGd9
|
||||
rNPkLakqfYUlDYMChE6ZDkaV1v6T4jwjgBB65RtvGRsTmhZQIz9bHl04J0xs/UZP
|
||||
5MWOsQghvEx8xtLFuXbHQAXJd8n3XjUn+OQ81olBEwXWSrMorVjHrfOKVCtaDr8g
|
||||
o9dIsVn6Ox77brX9902+DLuybMb0roBKcg6uQdq52Z5sQ0dUPNDI6YC0LTCxXwU4
|
||||
IjTLwSkQqow/Igmr339Bv4fUBft+eLuVkceQnJ+C8Osu3zQ2JJfFZDa2Rvn7xhcO
|
||||
y4NyTdJpJHOQ2F7Pu2rh4WwTLJwf5rdwotc7UNQgXqZAhzMPNYBGp469mJK387sc
|
||||
igGndEvKsjQ9EkLoyszjY77B0FwMrF0VsoK7q5Acw9rZu/jpt4PAdRXF2uGCV9ZK
|
||||
SPrYAj2C3YvRbSscfQlczkpRZQSZUT0MiU9U12v8De29e5SYhL7wOLFKNBNVOqNO
|
||||
vpF+MoY/CtjFoo/yep5W5tvGhn8y1M6uY6ERV1G2wuHbJJsV5vwal7se61U+aHmL
|
||||
zMQQEvAQVd9MID6HKElepP6NJOPuirk9UfVqoLAUa2tS+H1srVAvfISxjTF4fzFg
|
||||
StmSJPn4B8EUdFtow9fWvDrDUEDZibmuG2bjruqday09L1NYxrj6O3Cps8u3j4Z7
|
||||
PFA0Eq6ZSVLGUCzTa/OUWWuJl318JXeXFn/wOyG/PBP49gTYDG6JX3Nv7l04WXaW
|
||||
qZXYYoyez7vzQ87B7zS2/5oCchLI3s8DhdhCLN28ZwaIgDXF4VbyqDddhpjBLtgs
|
||||
w4Fdor/N3rzuCtKV5MgX/ZRGuqADwCgN78DhEuCyWWvUf8CoSAKcCx1xSZYf6rlU
|
||||
PulV0jUfVRSc+jIj4Oe2HplI1qeGsK8EUCkSWGlC+UKqyqsCz9M=
|
||||
=gug1
|
||||
-----END PGP MESSAGE-----
|
||||
|
|
|
@ -1,11 +1,5 @@
|
|||
# Dummy secrets for testing
|
||||
{
|
||||
site.net = {
|
||||
core.ospf.secret = "encrypted";
|
||||
pub.wifi.ieee80211rKey = "2dc40abba46da9490ea0e00f93f18ce5";
|
||||
c3d2.wifi.ieee80211rKey = "d1b1fa2461efc0df9e2d96579607b7f6";
|
||||
};
|
||||
|
||||
site.hosts = {
|
||||
ap1.password = "encrypted";
|
||||
ap2.password = "encrypted";
|
||||
|
@ -64,16 +58,6 @@
|
|||
ap60.password = "encrypted";
|
||||
ap61.password = "encrypted";
|
||||
ap63.password = "encrypted";
|
||||
ap64.password = "encrypted";
|
||||
ap65.password = "encrypted";
|
||||
ap66.password = "encrypted";
|
||||
ap67.password = "encrypted";
|
||||
ap68.password = "encrypted";
|
||||
ap69.password = "encrypted";
|
||||
ap70.password = "encrypted";
|
||||
ap71.password = "encrypted";
|
||||
ap72.password = "encrypted";
|
||||
ap73.password = "encrypted";
|
||||
switch-a1.password = "encrypted";
|
||||
switch-b1.password = "encrypted";
|
||||
switch-b2.password = "encrypted";
|
||||
|
@ -84,7 +68,6 @@
|
|||
switch-dach.password = "encrypted";
|
||||
switch-ds1.password = "encrypted";
|
||||
switch-ds2.password = "encrypted";
|
||||
switch-ds3.password = "encrypted";
|
||||
|
||||
upstream4.interfaces.up4-pppoe.upstream = {
|
||||
user = "encrypted";
|
||||
|
@ -121,15 +104,12 @@
|
|||
};
|
||||
ap18.wifi."platform/qca953x_wmac".ssids."Restaurierung Wolff/Kober".psk = "encrypted";
|
||||
ap19.wifi."platform/qca953x_wmac".ssids = {
|
||||
"Bockwurst".psk = "encrypted";
|
||||
"Studio 01127".psk = "encrypted";
|
||||
"Walter".psk = "encrypted";
|
||||
};
|
||||
ap2.wifi = {
|
||||
"pci0000:00/0000:00:00.0".ssids."C3D2".psk = "encrypted";
|
||||
"platform/ahb/18100000.wmac".ssids = {
|
||||
"C3D2 legacy".psk = "encrypted";
|
||||
"C3D2 IoT".psk = "encrypted";
|
||||
};
|
||||
"platform/ahb/18100000.wmac".ssids."C3D2 legacy".psk = "encrypted";
|
||||
};
|
||||
ap23.wifi = {
|
||||
"pci0000:00/0000:00:00.0".ssids."LBK Network".psk = "encrypted";
|
||||
|
@ -151,7 +131,6 @@
|
|||
"pci0000:00/0000:00:00.0".ssids."C3D2".psk = "encrypted";
|
||||
"platform/ahb/18100000.wmac".ssids = {
|
||||
"C3D2 legacy" = { "psk" = "encrypted"; };
|
||||
"C3D2 IoT" = { "psk" = "encrypted"; };
|
||||
"FOTOAKADEMIEdd" = { "psk" = "encrypted"; };
|
||||
};
|
||||
};
|
||||
|
@ -170,6 +149,7 @@
|
|||
ap37.wifi = {
|
||||
"pci0000:00/0000:00:00.0".ssids."hechtfilm.de".psk = "encrypted";
|
||||
"platform/ahb/18100000.wmac".ssids."hechtfilm.de legacy".psk = "encrypted";
|
||||
"platform/ahb/18100000.wmac".ssids."LIZA".psk = "encrypted";
|
||||
};
|
||||
ap38.wifi = {
|
||||
"pci0000:00/0000:00:00.0".ssids = {
|
||||
|
@ -179,7 +159,6 @@
|
|||
"platform/ahb/18100000.wmac".ssids = {
|
||||
"ZW heinrichsgarten" = { "psk" = "encrypted"; };
|
||||
"plop" = { "psk" = "encrypted"; };
|
||||
"millimeter" = { "psk" = "encrypted"; };
|
||||
};
|
||||
};
|
||||
ap39.wifi."platform/10180000.wmac".ssids."EckiTino".psk = "encrypted";
|
||||
|
@ -282,45 +261,7 @@
|
|||
"pci0000:00/0000:00:00.0".ssids."EckiTino".psk = "encrypted";
|
||||
"platform/ahb/18100000.wmac".ssids."EckiTino legacy".psk = "encrypted";
|
||||
};
|
||||
ap64.wifi = {
|
||||
"platform/ahb/18100000.wmac".ssids."Princess Castle".psk = "encrypted";
|
||||
};
|
||||
ap65.wifi = {
|
||||
"1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0".ssids = {
|
||||
"farbwerk".psk = "encrypted";
|
||||
"Kaffeetasse".psk = "encrypted";
|
||||
};
|
||||
"1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0".ssids."farbwerk".psk = "encrypted";
|
||||
};
|
||||
ap66.wifi = {
|
||||
"pci0000:00/0000:00:00.0".ssids."Buschfunk4.03".psk = "encrypted";
|
||||
"platform/ahb/18100000.wmac".ssids."Buschfunk4.03 legacy".psk = "encrypted";
|
||||
};
|
||||
ap67.wifi = {
|
||||
"1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0".ssids."farbwerk".psk = "encrypted";
|
||||
"1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1".ssids."farbwerk".psk = "encrypted";
|
||||
};
|
||||
ap68.wifi = {
|
||||
"1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0".ssids."farbwerk".psk = "encrypted";
|
||||
"1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1".ssids."farbwerk".psk = "encrypted";
|
||||
};
|
||||
ap69.wifi = {
|
||||
"pci0000:00/0000:00:00.0".ssids."LIZA".psk = "encrypted";
|
||||
"platform/ahb/18100000.wmac".ssids."LIZA".psk = "encrypted";
|
||||
};
|
||||
ap7.wifi."platform/qca953x_wmac".ssids."mino".psk = "encrypted";
|
||||
ap70.wifi = {
|
||||
"pci0000:00/0000:00:00.0".ssids."M".psk = "encrypted";
|
||||
"platform/ahb/18100000.wmac".ssids."M legacy".psk = "encrypted";
|
||||
};
|
||||
ap72.wifi = {
|
||||
"1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0".ssids."farbwerk".psk = "encrypted";
|
||||
"1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1".ssids."farbwerk".psk = "encrypted";
|
||||
};
|
||||
ap73.wifi = {
|
||||
"1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0".ssids."Princess Castle".psk = "encrypted";
|
||||
"1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1".ssids."Princess Castle".psk = "encrypted";
|
||||
};
|
||||
ap8.wifi = {
|
||||
"pci0000:00/0000:00:00.0".ssids."C3D2".psk = "encrypted";
|
||||
"platform/ar934x_wmac".ssids = {
|
||||
|
@ -331,7 +272,7 @@
|
|||
ap9.wifi."platform/qca953x_wmac".ssids."Herzzbuehne".psk = "encrypted";
|
||||
};
|
||||
|
||||
site.dyndnsKey = "oYmxXCIa0nArp0679L6v+y/UfnhripOudLv+R5Cop8I=";
|
||||
site.dyndnsKey = "SECRET";
|
||||
|
||||
site.vpn.wireguard = {
|
||||
privateKey = "wPNXY4ED3Jz3Kz0KOmvfQOou6/wHrgqSsykaMYrtb28=";
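Review bot: The "Dummy secrets for testing" file mixes obvious placeholders (`"encrypted"`, `"SECRET"`) with values that have the shape of real key material: the 32-hex `ieee80211rKey` values, the base64 `site.dyndnsKey` on one side of the `@ -331,7 +272,7 @@` hunk, and the base64 `site.vpn.wireguard.privateKey`, which is unchanged context on both sides. Whether any of these were ever live cannot be determined from the page, but they are now in the history of both branches; if one of them was real, rotating it is the only remedy. For the dummy file itself the placeholder style should be uniform, e.g. `privateKey = "SECRET";`, so a reader cannot mistake a placeholder for a key and a secret scanner has nothing to flag. The `site.hosts` attrset these hunks belong to starts outside the hunk.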
|
||||
|
|
|
@ -8,30 +8,17 @@
|
|||
|
||||
links = {
|
||||
switch-a2.ports = [ "7" ];
|
||||
priv25.ports = [
|
||||
# A6: Kleiner Saal Schaltschrank
|
||||
"1"
|
||||
# Kabinett A10
|
||||
"2"
|
||||
"3"
|
||||
# A16: Buehne rechts unten
|
||||
"4"
|
||||
# artnet node
|
||||
"5"
|
||||
# Panel A2: Foyer
|
||||
"8"
|
||||
# Panel A8: Kleiner Saal Buehne
|
||||
];
|
||||
priv31.ports = [
|
||||
# A4: Buero
|
||||
"6"
|
||||
];
|
||||
# A3: Techniklager
|
||||
# (DS23: Hackcenter vor kleinem Saal)
|
||||
|
||||
# A17: Grosser Saal ueber der Buehne
|
||||
# switch-a2 Port 13
|
||||
switch-ds1.ports = [ "3" ];
|
||||
# Panel A6: kl Saal hinten
|
||||
switch-ds2.ports = [ "8" ];
|
||||
priv25.ports = [
|
||||
"2"
|
||||
"4"
|
||||
"5"
|
||||
];
|
||||
priv31.ports = [ "6" ];
|
||||
iso4.ports = [ "1" ];
|
||||
};
|
||||
};
|
||||
switch-a2 = {
|
||||
|
@ -42,9 +29,6 @@
|
|||
links = {
|
||||
switch-c1.ports = [ "1" ];
|
||||
switch-a1.ports = [ "2" ];
|
||||
switch-ds1.ports = [ "3" ];
|
||||
switch-ds2.ports = [ "4" ];
|
||||
switch-ds3.ports = [ "5" ];
|
||||
ap44.ports = [ "10" ];
|
||||
ap45.ports = [ "11" ];
|
||||
ap46.ports = [ "12" ];
|
||||
|
@ -73,8 +57,7 @@
|
|||
iso1.ports = [ "ge-0/0/2" ];
|
||||
iso2.ports = [ "ge-0/0/3" ];
|
||||
iso3.ports = [ "ge-0/0/4" ];
|
||||
coloradio.ports = [
|
||||
# Patchpanel C8
|
||||
serv.ports = [
|
||||
"ge-0/0/22"
|
||||
];
|
||||
c3d2.ports = [
|
||||
|
@ -133,6 +116,8 @@
|
|||
ap11.ports = [ "ge-1/0/10" ];
|
||||
ap34.ports = [ "ge-1/0/12" ];
|
||||
ap18.ports = [ "ge-1/0/18" ];
|
||||
ap24.ports = [ "ge-1/0/34" ];
|
||||
ap25.ports = [ "ge-1/0/35" ];
|
||||
ap29.ports = [ "ge-0/0/46" ];
|
||||
ap30.ports = [ "ge-1/0/22" ];
|
||||
ap35.ports = [ "ge-1/0/23" ];
|
||||
|
@ -144,40 +129,33 @@
|
|||
ap5.ports = [ "ge-1/0/7" ];
|
||||
ap51.ports = [ "ge-1/0/13" ];
|
||||
ap53.ports = [ "ge-0/0/7" ];
|
||||
ap72.ports = [ "ge-1/0/38" ];
|
||||
ap54.ports = [ "ge-1/0/38" ];
|
||||
ap55.ports = [ "ge-1/0/19" ];
|
||||
ap56.ports = [ "ge-1/0/9" ];
|
||||
ap60.ports = [ "ge-1/0/20" ];
|
||||
ap62.ports = [ "ge-0/0/11" ];
|
||||
ap65.ports = [ "ge-0/0/9" ];
|
||||
ap66.ports = [ "ge-1/0/43" ];
|
||||
mgmt.ports = [
|
||||
"ge-0/0/0"
|
||||
"ge-1/0/0"
|
||||
"ge-0/0/1"
|
||||
"ge-1/0/1"
|
||||
# server1
|
||||
"ge-1/0/43"
|
||||
"ge-1/0/44"
|
||||
# server7
|
||||
# server6
|
||||
"ge-1/0/45"
|
||||
# server7
|
||||
"ge-1/0/46"
|
||||
# server8
|
||||
"ge-1/0/47"
|
||||
# server9
|
||||
"ge-1/0/48"
|
||||
];
|
||||
flpk.ports = [
|
||||
# server7
|
||||
"ge-0/0/40"
|
||||
];
|
||||
priv1.ports = [ "ge-1/0/3" ];
|
||||
priv19.ports = [ "ge-1/0/40" ];
|
||||
priv2.ports = [ "ge-1/0/4" ];
|
||||
priv24.ports = [ "ge-0/0/6" "ge-1/0/16" ];
|
||||
priv3.ports = [ "ge-1/0/5" ];
|
||||
priv30.ports = [ "ge-0/0/12" ];
|
||||
priv49.ports = [ "ge-1/0/1" ];
|
||||
ap67.ports = [ "ge-1/0/34" ];
|
||||
ap68.ports = [ "ge-1/0/35" ];
|
||||
ap69.ports = [ "ge-0/0/35" ];
|
||||
ap73.ports = [ "ge-0/0/45" ];
|
||||
pub.ports = [
|
||||
"ge-1/0/11"
|
||||
];
|
||||
|
@ -199,15 +177,6 @@
|
|||
"ge-1/0/42"
|
||||
];
|
||||
};
|
||||
server6 = {
|
||||
group = "9";
|
||||
ports = [
|
||||
"ge-0/0/18"
|
||||
"ge-0/0/19"
|
||||
"ge-1/0/0"
|
||||
"ge-1/0/2"
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
|
@ -269,8 +238,11 @@
|
|||
# Fenster
|
||||
ap33.ports = [ "5" ];
|
||||
c3d2.ports = [ "8-20" ];
|
||||
# Testing
|
||||
ap-test1.ports = [ "4" ];
|
||||
bmx.ports = [ "7" ];
|
||||
# tmp Datenspuren: VOC
|
||||
iso4.ports = [ "4" "6" "7" ];
|
||||
iso4.ports = [ "6" ];
|
||||
};
|
||||
};
|
||||
|
||||
|
@ -328,8 +300,8 @@
|
|||
up3.ports = [ "3" ];
|
||||
# unifiac-mesh
|
||||
ap57.ports = [ "10" ];
|
||||
# TLMS tetra and traffic-stop-box
|
||||
c3d2.ports = [ "19,20" ];
|
||||
# dump-dvb traffic-stop-box
|
||||
c3d2.ports = [ "20" ];
|
||||
};
|
||||
};
|
||||
|
||||
|
@ -357,30 +329,27 @@
|
|||
"GigabitEthernet1/0/13"
|
||||
"GigabitEthernet1/0/14"
|
||||
"GigabitEthernet1/0/15"
|
||||
];
|
||||
# Stage uplink
|
||||
priv25.ports = [
|
||||
"GigabitEthernet1/0/16"
|
||||
"GigabitEthernet1/0/17"
|
||||
"GigabitEthernet1/0/18"
|
||||
"GigabitEthernet1/0/19"
|
||||
"GigabitEthernet1/0/20"
|
||||
];
|
||||
# Uplink
|
||||
switch-a1.ports = [ "GigabitEthernet1/0/24" ];
|
||||
# Freifunk
|
||||
bmx.ports = [
|
||||
"GigabitEthernet1/0/20"
|
||||
"GigabitEthernet1/0/21"
|
||||
"GigabitEthernet1/0/22"
|
||||
"GigabitEthernet1/0/23"
|
||||
];
|
||||
# Uplink
|
||||
switch-a2.ports = [ "GigabitEthernet1/0/24" ];
|
||||
};
|
||||
};
|
||||
|
||||
switch-ds2 = {
|
||||
role = "switch";
|
||||
model = "3com-5500G";
|
||||
location = "Grosser Saal oben";
|
||||
location = "Vor dem Kl Saal";
|
||||
interfaces = { mgmt.type = "phys"; };
|
||||
|
||||
links = {
|
||||
|
@ -405,64 +374,16 @@
|
|||
"GigabitEthernet1/0/17"
|
||||
"GigabitEthernet1/0/18"
|
||||
"GigabitEthernet1/0/19"
|
||||
];
|
||||
# Stage uplink
|
||||
priv25.ports = [
|
||||
"GigabitEthernet1/0/20"
|
||||
"GigabitEthernet1/0/21"
|
||||
];
|
||||
# VOC isolated
|
||||
iso4.ports = [
|
||||
# Uplink
|
||||
switch-a1.ports = [ "GigabitEthernet1/0/24" ];
|
||||
# Freifunk
|
||||
bmx.ports = [
|
||||
"GigabitEthernet1/0/21"
|
||||
"GigabitEthernet1/0/22"
|
||||
"GigabitEthernet1/0/23"
|
||||
];
|
||||
# Uplink
|
||||
switch-a2.ports = [ "GigabitEthernet1/0/24" ];
|
||||
};
|
||||
};
|
||||
|
||||
switch-ds3 = {
|
||||
firstboot = true;
|
||||
role = "switch";
|
||||
model = "3com-5500G";
|
||||
location = "Kleiner Saal";
|
||||
interfaces = { mgmt.type = "phys"; };
|
||||
|
||||
links = {
|
||||
# Public
|
||||
pub.ports = [
|
||||
"GigabitEthernet1/0/1"
|
||||
"GigabitEthernet1/0/2"
|
||||
"GigabitEthernet1/0/3"
|
||||
"GigabitEthernet1/0/4"
|
||||
"GigabitEthernet1/0/5"
|
||||
"GigabitEthernet1/0/6"
|
||||
"GigabitEthernet1/0/7"
|
||||
"GigabitEthernet1/0/8"
|
||||
"GigabitEthernet1/0/9"
|
||||
"GigabitEthernet1/0/10"
|
||||
"GigabitEthernet1/0/11"
|
||||
"GigabitEthernet1/0/12"
|
||||
"GigabitEthernet1/0/13"
|
||||
"GigabitEthernet1/0/14"
|
||||
"GigabitEthernet1/0/15"
|
||||
"GigabitEthernet1/0/16"
|
||||
"GigabitEthernet1/0/17"
|
||||
"GigabitEthernet1/0/18"
|
||||
"GigabitEthernet1/0/19"
|
||||
];
|
||||
# Stage uplink
|
||||
priv25.ports = [
|
||||
"GigabitEthernet1/0/20"
|
||||
"GigabitEthernet1/0/21"
|
||||
];
|
||||
# VOC isolated
|
||||
iso4.ports = [
|
||||
"GigabitEthernet1/0/22"
|
||||
"GigabitEthernet1/0/23"
|
||||
];
|
||||
# Uplink
|
||||
switch-a2.ports = [ "GigabitEthernet1/0/24" ];
|
||||
};
|
||||
};
|
||||
};
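Review bot: In the `@ -144,40 +129,33 @@` hunk, port `ge-1/0/43` is listed both in `ap66.ports = [ "ge-1/0/43" ];` and inside `mgmt.ports` under the `# server1` comment; the rendered page does not show which side each line is on, but if both survive on the merged side one switch port would be claimed by two links, and since `mgmt` is the management network the access point would land on it. In the `@ -328,8 +300,8 @@` hunk, `c3d2.ports = [ "19,20" ];` packs two ports into one string while the rest of the file lists ports as separate strings (`iso4.ports = [ "4" "6" "7" ];`) or as a range (`"8-20"`); if that is the surviving line and the generator does not parse comma lists, it should read `c3d2.ports = [ "19" "20" ];`. The `links` attrsets these hunks edit start outside their hunks.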
|
||||
|
|
|
@ -19,14 +19,11 @@ in
|
|||
cluster = 6;
|
||||
bmx = 7;
|
||||
flpk = 8;
|
||||
coloradio = 9;
|
||||
# Modems
|
||||
up1 = 10;
|
||||
up2 = 11;
|
||||
up3 = 12;
|
||||
up4 = 13;
|
||||
# Isolated other stuff
|
||||
c3d2iot = 20;
|
||||
# Isolated neighbors directly connectied with their modems
|
||||
iso1 = 101;
|
||||
iso2 = 102;
|
||||
|
|
BIN
contact.md.asc
BIN
contact.md.asc
Binary file not shown.
|
@ -55,14 +55,10 @@ Von geeigneten Routern haben wir stets zu wenige übrig, so dass wir sie
|
|||
gemeinsam kaufen und bezahlen müssen. Such dir einen aus, dann
|
||||
bestellen und konfigurieren wir ihn.
|
||||
|
||||
* Zyxel WSM20 (Multy M1) ([25€](https://geizhals.de/zyxel-multy-m1-v101058.html))
|
||||
* TP-Link Archer C7 v2 ([58€](http://geizhals.de/tp-link-archer-c7-v2-a923544.html))
|
||||
* Ubiquiti UniFi nanoHD ([150€](https://geizhals.de/ubiquiti-unifi-nanohd-uap-nanohd-a1802819.html))
|
||||
* [Jedes Gerät auf dem OpenWRT läuft](https://openwrt.org/supported_devices)
|
||||
|
||||
Die genannten Preise sind unverbindlich und schwanken stark mit den
|
||||
Situationen rund um die Straße von Malaka, Rotem Meer und
|
||||
Suez-Kanal. Auf eBay gibts gebrauchte Geräte.
|
||||
|
||||
![WLAN-Router](https://upload.wikimedia.org/wikipedia/commons/thumb/3/34/Linksys-Wireless-G-Router.jpg/280px-Linksys-Wireless-G-Router.jpg)
|
||||
|
||||
### Netzverteilung
|
||||
|
|
67
flake.lock
67
flake.lock
|
@ -1,53 +1,17 @@
|
|||
{
|
||||
"nodes": {
|
||||
"dns-nix": {
|
||||
"inputs": {
|
||||
"flake-utils": "flake-utils",
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1703643450,
|
||||
"narHash": "sha256-EUUF5oxFFPX/etKm0FNQg+7MPHQlNjmM1XhNgyDf7A0=",
|
||||
"owner": "SuperSandro2000",
|
||||
"repo": "dns.nix",
|
||||
"rev": "70dcce71560d4253f63812fa36dee994c81ae814",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "SuperSandro2000",
|
||||
"repo": "dns.nix",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"flake-utils": {
|
||||
"locked": {
|
||||
"lastModified": 1614513358,
|
||||
"narHash": "sha256-LakhOx3S1dRjnh0b5Dg3mbZyH0ToC9I8Y2wKSkBaTzU=",
|
||||
"owner": "numtide",
|
||||
"repo": "flake-utils",
|
||||
"rev": "5466c5bbece17adaab2d82fae80b46e807611bf3",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "numtide",
|
||||
"repo": "flake-utils",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1717104653,
|
||||
"narHash": "sha256-0ZkToL+IOOP3xw0JPgTj8WP8aeKwxNNiG3gr6prfnig=",
|
||||
"owner": "SuperSandro2000",
|
||||
"lastModified": 1674242456,
|
||||
"narHash": "sha256-yBy7rCH7EiBe9+CHZm9YB5ii5GRa+MOxeW0oDEBO8SE=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "b15c037e83ebf28278abc1769df8792ea30a223f",
|
||||
"rev": "cdead16a444a3e5de7bc9b0af8e198b11bb01804",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "SuperSandro2000",
|
||||
"ref": "nixos-24.05",
|
||||
"owner": "NixOS",
|
||||
"ref": "release-22.11",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
|
@ -55,16 +19,16 @@
|
|||
"openwrt": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1713442482,
|
||||
"narHash": "sha256-OAcv1qiM2V6wPQm4Tz2QnnDpw34pifG6QRDZea7AP9o=",
|
||||
"ref": "openwrt-23.05",
|
||||
"rev": "9b33b74ef71225442361d5192d3a727be212c3cd",
|
||||
"revCount": 58296,
|
||||
"lastModified": 1674227662,
|
||||
"narHash": "sha256-MtkO4sbP+75B9j2oW0/JFvosWQh8H0S95VJ3r0wl+xk=",
|
||||
"ref": "openwrt-22.03",
|
||||
"rev": "1bead4c521b6f6cf711fd06398d54b1a6fbbef96",
|
||||
"revCount": 54502,
|
||||
"type": "git",
|
||||
"url": "https://git.openwrt.org/openwrt/openwrt.git"
|
||||
},
|
||||
"original": {
|
||||
"ref": "openwrt-23.05",
|
||||
"ref": "openwrt-22.03",
|
||||
"type": "git",
|
||||
"url": "https://git.openwrt.org/openwrt/openwrt.git"
|
||||
}
|
||||
|
@ -76,11 +40,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1713693953,
|
||||
"narHash": "sha256-DsJ/pzBSF3CxQWyiw4V3k96h7Q3UaRnQnL1N9tw+uWg=",
|
||||
"lastModified": 1674207776,
|
||||
"narHash": "sha256-XfIWLKlpFSBNqzx8Nf0hUZGOK0HhBTaFjmtsdkMnY/A=",
|
||||
"owner": "astro",
|
||||
"repo": "nix-openwrt-imagebuilder",
|
||||
"rev": "d4dc8c84f4397be494ae834709276f099df892e7",
|
||||
"rev": "f9b70efd4254e905a700361e3052fc4860dda73c",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -91,7 +55,6 @@
|
|||
},
|
||||
"root": {
|
||||
"inputs": {
|
||||
"dns-nix": "dns-nix",
|
||||
"nixpkgs": "nixpkgs",
|
||||
"openwrt": "openwrt",
|
||||
"openwrt-imagebuilder": "openwrt-imagebuilder"
|
||||
|
|
17
flake.nix
17
flake.nix
|
@ -2,13 +2,9 @@
|
|||
description = "Zentralwerk network";
|
||||
|
||||
inputs = {
|
||||
dns-nix = {
|
||||
url = "github:SuperSandro2000/dns.nix";
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
};
|
||||
nixpkgs.url = "github:SuperSandro2000/nixpkgs/nixos-24.05";
|
||||
nixpkgs.url = "github:NixOS/nixpkgs/release-22.11";
|
||||
openwrt = {
|
||||
url = "git+https://git.openwrt.org/openwrt/openwrt.git?ref=openwrt-23.05";
|
||||
url = "git+https://git.openwrt.org/openwrt/openwrt.git?ref=openwrt-22.03";
|
||||
flake = false;
|
||||
};
|
||||
openwrt-imagebuilder = {
|
||||
|
@ -17,7 +13,7 @@
|
|||
};
|
||||
};
|
||||
|
||||
outputs = inputs@{ self, dns-nix, nixpkgs, openwrt, openwrt-imagebuilder }:
|
||||
outputs = inputs@{ self, nixpkgs, openwrt, openwrt-imagebuilder }:
|
||||
let
|
||||
system = "x86_64-linux";
|
||||
systems = [ system ];
|
||||
|
@ -30,15 +26,16 @@
|
|||
specialArgs = {
|
||||
hostName = name;
|
||||
inherit (self) lib;
|
||||
inherit inputs dns-nix self;
|
||||
inherit inputs self;
|
||||
};
|
||||
};
|
||||
in {
|
||||
# Config, and utilities
|
||||
lib = nixpkgs.lib.extend (_final: _prev:
|
||||
import ./nix/lib {
|
||||
inherit self openwrt;
|
||||
inherit (nixpkgs.legacyPackages.x86_64-linux) lib pkgs;
|
||||
inherit self;
|
||||
inherit openwrt;
|
||||
pkgs = nixpkgs.legacyPackages.x86_64-linux;
|
||||
});
|
||||
|
||||
# Everything that can be built locally outside of NixOS
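Review bot: The inputs hunk `@ -2,13 +2,9 @@` swaps between `github:SuperSandro2000/nixpkgs/nixos-24.05` with `openwrt-23.05` and `github:NixOS/nixpkgs/release-22.11` with `openwrt-22.03`, and the page does not make clear which pair is the side being merged. If it is the `release-22.11`/`openwrt-22.03` pair, both are release branches that have since reached end of life, so firmware images built from this flake would carry known, unpatched issues. If it is the `SuperSandro2000` fork, the flake then depends on a personal fork tracking `nixos-24.05` for its security fixes; the lock file pins a specific rev, which keeps builds reproducible, but a comment stating why the fork is used instead of `NixOS/nixpkgs` would let the next maintainer decide when it can be dropped, e.g. `# fork needed for: <reason>`.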
|
||||
|
|
|
@ -148,12 +148,6 @@ let
|
|||
type = with types; attrsOf (attrsOf str);
|
||||
default = {};
|
||||
};
|
||||
ospf = {
|
||||
secret = mkOption {
|
||||
type = with types; nullOr str;
|
||||
default = null;
|
||||
};
|
||||
};
|
||||
dhcp = mkOption {
|
||||
type = with types; nullOr (submodule { options = dhcpOpts; });
|
||||
default = null;
|
||||
|
@ -178,7 +172,7 @@ let
|
|||
type = enum [ "A" "AAAA" "MX" "SRV" "CNAME" "TXT" ];
|
||||
};
|
||||
data = mkOption {
|
||||
type = oneOf [ str (attrsOf (oneOf [ int str ])) ];
|
||||
type = str;
|
||||
};
|
||||
};
|
||||
});
|
||||
|
@ -194,22 +188,6 @@ let
|
|||
type = with types; nullOr int;
|
||||
default = null;
|
||||
};
|
||||
wifi.ieee80211rKey = mkOption {
|
||||
type = with types; nullOr str;
|
||||
default = null;
|
||||
description = ''
|
||||
Key between WiFi access points for Fast Transition
|
||||
'';
|
||||
};
|
||||
captiveJson = mkOption {
|
||||
type = with types; nullOr str;
|
||||
default = null;
|
||||
description = ''
|
||||
Optional URL to Captive Portal JSON file.
|
||||
|
||||
See: <https://datatracker.ietf.org/doc/html/draft-ietf-capport-api>
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
|
@ -406,35 +384,10 @@ let
|
|||
}; });
|
||||
default = [];
|
||||
};
|
||||
ospf.stubNets4 = mkOption {
|
||||
type = with types; listOf str;
|
||||
default = [];
|
||||
description = "Additional IPv4 networks to announce";
|
||||
};
|
||||
ospf.stubNets6 = mkOption {
|
||||
type = with types; listOf str;
|
||||
default = [];
|
||||
description = "Additional IPv6 networks to announce";
|
||||
};
|
||||
ospf.allowedUpstreams = mkOption {
|
||||
type = with types; listOf str;
|
||||
default = [];
|
||||
description = "Accept default routes from these OSPF routers, in order of preference";
|
||||
};
|
||||
ospf.allowedUpstreams6 = mkOption {
|
||||
type = with types; listOf str;
|
||||
default = config.site.hosts.${name}.ospf.allowedUpstreams;
|
||||
description = "Accept IPv6 default routes from these OSPF3 routers, in order of preference";
|
||||
};
|
||||
ospf.upstreamInstance = mkOption {
|
||||
type = with types; nullOr int;
|
||||
default = null;
|
||||
description = "OSPF instance for advertising the default route";
|
||||
};
|
||||
bgp = mkOption {
|
||||
default = null;
|
||||
type = with types; nullOr (submodule {
|
||||
options = bgpOpts;
|
||||
options = bgpOpts name;
|
||||
});
|
||||
};
|
||||
services.dns = {
|
||||
|
@ -455,19 +408,10 @@ let
|
|||
wifi = mkOption {
|
||||
default = {};
|
||||
type = with types; attrsOf (submodule (
|
||||
{ config, ... }: {
|
||||
{ ... }: {
|
||||
options = {
|
||||
band = mkOption {
|
||||
type = enum [ "2g" "5g" ];
|
||||
default =
|
||||
if config.channel >= 1 && config.channel <= 14
|
||||
then "2g"
|
||||
else if config.channel >= 32 && config.channel <= 177
|
||||
then "5g"
|
||||
else throw "What band is channel ${toString config.channel}?";
|
||||
};
|
||||
htmode = mkOption {
|
||||
type = enum [ "HT20" "HT40-" "HT40+" "HT40" "VHT80" ];
|
||||
type = enum [ "HT20" "HT40-" "HT40+" "VHT80" ];
|
||||
};
|
||||
channel = mkOption {
|
||||
type = int;
|
||||
|
@ -482,10 +426,6 @@ let
|
|||
type = nullOr str;
|
||||
default = null;
|
||||
};
|
||||
hidden = mkOption {
|
||||
type = bool;
|
||||
default = false;
|
||||
};
|
||||
encryption = mkOption {
|
||||
type = enum [ "none" "owe" "wpa2" "wpa3" ];
|
||||
default =
|
||||
|
@ -501,13 +441,6 @@ let
|
|||
type = nullOr str;
|
||||
default = null;
|
||||
};
|
||||
disassocLowAck = mkOption {
|
||||
type = bool;
|
||||
default = true;
|
||||
description = ''
|
||||
Disable for wireless bridges.
|
||||
'';
|
||||
};
|
||||
};
|
||||
}));
|
||||
};
|
||||
|
@ -525,20 +458,52 @@ let
|
|||
};
|
||||
};
|
||||
|
||||
bgpOpts = {
|
||||
bgpOpts = hostName: {
|
||||
asn = mkOption {
|
||||
type = types.int;
|
||||
default = config.site.bgp.asn;
|
||||
};
|
||||
peers = mkOption {
|
||||
type = with types; attrsOf (submodule ({ ... }: {
|
||||
type = with types; attrsOf (submodule (submoduleArg: {
|
||||
options = {
|
||||
asn = mkOption {
|
||||
type = types.int;
|
||||
default = config.site.bgp.asn;
|
||||
};
|
||||
name = mkOption {
|
||||
type = types.str;
|
||||
};
|
||||
type = mkOption {
|
||||
type = types.enum [ "external" "rr_server" "rr_client" "upstream" ];
|
||||
};
|
||||
};
|
||||
}));
|
||||
default = {};
|
||||
};
|
||||
nets4 = mkOption {
|
||||
type = with types; listOf str;
|
||||
default = [];
|
||||
description = "Additional IPv4 networks to announce";
|
||||
};
|
||||
nets6 = mkOption {
|
||||
type = with types; listOf str;
|
||||
default = [];
|
||||
description = "Additional IPv6 networks to announce";
|
||||
};
|
||||
allowedUpstreams = mkOption {
|
||||
type = with types; listOf str;
|
||||
default = [];
|
||||
description = "Accept default routes from these BGP routers, in order of preference";
|
||||
};
|
||||
allowedUpstreams6 = mkOption {
|
||||
type = with types; listOf str;
|
||||
default = config.site.hosts.${hostName}.bgp.allowedUpstreams;
|
||||
description = "Accept IPv6 default routes from these BGP routers, in order of preference";
|
||||
};
|
||||
upstreamTable = mkOption {
|
||||
type = with types; nullOr str;
|
||||
default = null;
|
||||
};
|
||||
};
|
||||
|
||||
linkOpts = hostName: { name, ... }: {
|
||||
|
@ -613,6 +578,11 @@ in
|
|||
type = with types; attrsOf (submodule netOpts);
|
||||
};
|
||||
|
||||
net-combined = mkOption {
|
||||
description = "All hosts of all subnets";
|
||||
default = {};
|
||||
type = with types; submodule netOpts;
|
||||
};
|
||||
|
||||
hosts = mkOption {
|
||||
description = "All the static hosts";
|
||||
|
@ -644,6 +614,12 @@ in
|
|||
default = "secret";
|
||||
};
|
||||
};
|
||||
|
||||
bgp = {
|
||||
asn = mkOption {
|
||||
type = types.int;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
config.warnings =
|
||||
|
@ -664,16 +640,16 @@ in
|
|||
reportCollisions = name: getter: xs:
|
||||
map (k: "Duplicate ${name}: ${k}") (findCollisions getter xs);
|
||||
|
||||
ospfUpstreamXorGw =
|
||||
bgpUpstreamXorGw =
|
||||
builtins.concatMap (hostName:
|
||||
let
|
||||
hostConf = config.site.hosts.${hostName};
|
||||
gwNets = builtins.filter (netName:
|
||||
hostConf.interfaces.${netName}.gw4 != null
|
||||
) (builtins.attrNames hostConf.interfaces);
|
||||
in if gwNets != [] && hostConf.ospf.allowedUpstreams != []
|
||||
in if gwNets != [] && hostConf.bgp.allowedUpstreams or [] != []
|
||||
then [ ''
|
||||
Host ${hostName} has gateway on ${builtins.head gwNets} but accepts default routes from OSPF
|
||||
Host ${hostName} has gateway on ${builtins.head gwNets} but accepts default routes from BGP
|
||||
'' ]
|
||||
else []
|
||||
) (builtins.attrNames config.site.hosts);
|
||||
|
@ -681,7 +657,7 @@ in
|
|||
(reportCollisions "VLAN tag" (x: lib.optional (x.vlan != null) x.vlan) config.site.net) ++
|
||||
(reportCollisions "IPv4 subnet" (x: if x.subnet4 == null then [] else [x.subnet4]) config.site.net) ++
|
||||
(reportCollisions "IPv6 subnet" (x: builtins.attrValues x.subnets6) config.site.net) ++
|
||||
ospfUpstreamXorGw;
|
||||
bgpUpstreamXorGw;
|
||||
|
||||
config.assertions =
|
||||
# Duplicate host/net name check
|
||||
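Review bot: The `name` option in the new `bgpOpts` peer submodule is a bare `types.str` that bird.nix interpolates straight into a BIRD protocol identifier (`protocol bgp bgp_${peerConf.name}`), and nothing prevents two peers on one host from sharing a name, so a value like `dn42-foo` or a duplicate yields an invalid or duplicate protocol definition that only surfaces when bird2 reloads. Constrain it at the option level, `type = types.strMatching "[A-Za-z_][A-Za-z0-9_]*";`, with a `description` stating that it becomes the `bgp_<name>` protocol identifier and must be unique per host. A `reportCollisions "BGP peer name"` entry over each host's `bgp.peers` could be added to `config.warnings` using the helper already visible in the `@ -664` hunk. The `asn` defaults (`config.site.bgp.asn` on both the host and peer level) also deserve a description saying that an unset peer ASN means iBGP within the site ASN, since that silently decides the session type.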
@ -1,13 +1,13 @@
|
|||
{ self, lib, openwrt, pkgs }:
|
||||
{ self, pkgs, openwrt }:
|
||||
|
||||
rec {
|
||||
inherit (import ./config { inherit self pkgs; }) config;
|
||||
config = (import ./config { inherit self pkgs; }).config;
|
||||
|
||||
netmasks = import ./netmasks.nix;
|
||||
|
||||
subnet = import ./subnet { inherit pkgs; };
|
||||
|
||||
dns = import ./dns.nix { inherit config lib; };
|
||||
dns = import ./dns.nix { inherit pkgs config; };
|
||||
|
||||
openwrtModels = import ./openwrt-models.nix { inherit self openwrt; };
|
||||
|
||||
@ -1,18 +1,17 @@
|
|||
{ config, lib }:
|
||||
{ pkgs, config }:
|
||||
|
||||
let
|
||||
lib = pkgs.lib;
|
||||
in
|
||||
rec {
|
||||
ns = "dns.serv.zentralwerk.org";
|
||||
internalNS = [ ns ];
|
||||
# public servers (slaves)
|
||||
publicNS = [
|
||||
"ns.c3d2.de"
|
||||
"ns.spaceboyz.net"
|
||||
"ns1.supersandro.de"
|
||||
];
|
||||
publicNS = [ "ns.c3d2.de" "ns.spaceboyz.net" ];
|
||||
|
||||
publicIPv4 = config.site.hosts.upstream4.interfaces.up4-pppoe.upstream.staticIpv4Address;
|
||||
|
||||
dynamicReverseZones4 = [
|
||||
dynamicReverseZones = [
|
||||
"73.20.172.in-addr.arpa"
|
||||
"74.20.172.in-addr.arpa"
|
||||
"75.20.172.in-addr.arpa"
|
||||
|
@ -21,12 +20,6 @@ rec {
|
|||
"78.20.172.in-addr.arpa"
|
||||
"79.20.172.in-addr.arpa"
|
||||
"99.22.172.in-addr.arpa"
|
||||
"22.10.in-addr.arpa"
|
||||
];
|
||||
dynamicReverseZones6 = [
|
||||
"2.0.0.0.c.2.0.8.1.8.0.0.a.2.ip6.arpa"
|
||||
"4.1.b.a.c.a.2.8.3.5.f.0.a.2.ip6.arpa"
|
||||
"5.0.2.d.3.c.2.4.0.0.3.2.d.f.ip6.arpa"
|
||||
];
|
||||
|
||||
mapI = start: end: f:
|
||||
|
@ -99,7 +92,7 @@ rec {
|
|||
"${zone}" = true;
|
||||
}
|
||||
) {} (builtins.attrNames reverseHosts4)
|
||||
) ++ dynamicReverseZones4
|
||||
) ++ dynamicReverseZones
|
||||
);
|
||||
|
||||
# turns `::` into `0000:0000:0000:0000:0000:0000:0000:0000`
|
||||
|
@ -192,7 +185,11 @@ rec {
|
|||
} {
|
||||
name = "zentralwerk.dn42";
|
||||
ns = internalNS;
|
||||
records = [ ];
|
||||
records = [ {
|
||||
name = "ipa";
|
||||
type = "A";
|
||||
data = config.site.net.serv.hosts4.ipa;
|
||||
} ];
|
||||
} {
|
||||
name = "dyn.zentralwerk.org";
|
||||
ns = publicNS;
|
||||
|
@ -244,7 +241,7 @@ rec {
|
|||
builtins.filter (lib.hasSuffix ".${zone}")
|
||||
(builtins.attrNames reverseHosts4)
|
||||
);
|
||||
dynamic = builtins.elem zone dynamicReverseZones4;
|
||||
dynamic = builtins.elem zone dynamicReverseZones;
|
||||
}) reverseZones4
|
||||
++
|
||||
builtins.concatMap (ctx:
|
||||
|
@ -263,7 +260,6 @@ rec {
|
|||
builtins.filter (lib.hasSuffix ".${zone}")
|
||||
(builtins.attrNames reverseHosts6.${ctx})
|
||||
);
|
||||
dynamic = builtins.elem zone dynamicReverseZones6;
|
||||
}) reverseZones6.${ctx}
|
||||
) (builtins.attrNames reverseZones6);
|
||||
}
|
||||
@ -95,9 +95,7 @@ let
|
|||
|
||||
ucidef_set_interfaces_lan_wan.ports =
|
||||
makeLinkFromArg "lan" (builtins.elemAt args 0) //
|
||||
self.lib.optionalAttrs (builtins.length args > 1) (
|
||||
makeLinkFromArg "wan" (builtins.elemAt args 1)
|
||||
);
|
||||
makeLinkFromArg "wan" (builtins.elemAt args 1);
|
||||
};
|
||||
in
|
||||
if commands ? ${command}
|
||||
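Review bot: Removing the `builtins.length args > 1` guard makes `builtins.elemAt args 1` evaluate unconditionally, so any board script that calls `ucidef_set_interfaces_lan_wan` with only a lan argument now aborts the whole evaluation with an index-out-of-bounds error instead of producing a lan-only port map. Keep the guard, `self.lib.optionalAttrs (builtins.length args > 1) (makeLinkFromArg "wan" (builtins.elemAt args 1))`, or if two arguments are now mandatory make that explicit with `assert builtins.length args == 2;` and a comment naming the command so the failure is readable. The enclosing `commands` attribute set and the `makeLinkFromArg` helper start outside the hunk.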
@ -90,7 +90,7 @@ in
|
|||
Host "inbert.c3d2.de"
|
||||
Host "heise.de"
|
||||
'';
|
||||
}) (lib.optionalAttrs config.services.kea.dhcp4.enable {
|
||||
}) (lib.optionalAttrs config.services.dhcpd4.enable {
|
||||
plugins.exec =
|
||||
let
|
||||
maxTimeout = builtins.foldl' (maxTimeout: net:
|
||||
|
@ -117,11 +117,11 @@ in
|
|||
}) ];
|
||||
|
||||
|
||||
systemd.services.collectd = lib.mkIf config.services.kea.dhcp4.enable {
|
||||
after = [ "kea-dhcp4-server.service" ];
|
||||
systemd.services.collectd = lib.mkIf config.services.dhcpd4.enable {
|
||||
after = [ "dhcpd4.service" ];
|
||||
};
|
||||
|
||||
security.wrappers = lib.mkIf config.services.kea.dhcp4.enable {
|
||||
security.wrappers = lib.mkIf config.services.dhcpd4.enable {
|
||||
collectd-dhcpcount =
|
||||
let
|
||||
dhcpcount = pkgs.runCommand "dhcpcount" {
|
||||
@ -1,30 +1,38 @@
|
|||
#!/usr/bin/env ruby
|
||||
|
||||
require 'csv'
|
||||
require 'date'
|
||||
|
||||
INTERVAL = 60
|
||||
TIMEOUT = ARGV[0].to_i # TODO: now unused
|
||||
hostname = CSV::readlines("/proc/sys/kernel/hostname").join.strip
|
||||
INTERVAL = 300
|
||||
TIMEOUT = ARGV[0].to_i
|
||||
hostname = IO::readlines("/proc/sys/kernel/hostname").join.strip
|
||||
STDOUT.sync = true
|
||||
|
||||
loop do
|
||||
seen = {}
|
||||
count = 0
|
||||
now = Time.now.to_i
|
||||
|
||||
CSV::readlines("/var/lib/kea/kea-leases4.csv", headers: true).each do |rec|
|
||||
h = rec.to_h
|
||||
addr = h["hwaddr"]
|
||||
next unless addr
|
||||
last = h["expire"].to_i
|
||||
elapsed = now - last
|
||||
next if elapsed >= TIMEOUT
|
||||
addr = nil
|
||||
starts = nil
|
||||
|
||||
IO::readlines("/var/lib/dhcpd4/dhcpd.leases").each do |line|
|
||||
if line =~ /^lease (.+) \{/
|
||||
addr = $1
|
||||
|
||||
starts = nil
|
||||
elsif line =~ /starts \d+ (.+?);/
|
||||
starts = DateTime.parse($1).to_time
|
||||
elsif line =~ /^\}/
|
||||
now = Time.now
|
||||
if starts and
|
||||
now >= starts and now < starts + TIMEOUT
|
||||
|
||||
unless seen[addr]
|
||||
count += 1
|
||||
seen[addr] = true
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
puts "PUTVAL \"#{hostname}/exec-dhcpd/current_sessions-leases\" interval=#{INTERVAL} N:#{count}"
|
||||
|
||||
sleep INTERVAL
|
||||
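Review bot: The lease parser never looks at `binding state`, so a lease block whose state is `free`, `expired` or `released` is still counted as a current session as long as its `starts` timestamp is within `TIMEOUT`, and `TIMEOUT = ARGV[0].to_i` silently becomes 0 when the argument is missing, which makes `now < starts + TIMEOUT` always false and reports a constant 0. Track the state per block and only count `active` leases, and fail loudly on a missing argument with `abort "usage: #{$0} TIMEOUT" unless TIMEOUT > 0`. The regex must be anchored so that dhcpd's `next binding state …` line does not overwrite the value; dhcpd also writes an `ends` line, which would be the better cut-off than `starts + TIMEOUT`, but that changes the metric's meaning and is left as a follow-up.
```ruby
  addr = nil
  starts = nil
  state = nil

  IO::readlines("/var/lib/dhcpd4/dhcpd.leases").each do |line|
    if line =~ /^lease (.+) \{/
      addr = $1
      starts = nil
      state = nil
    elsif line =~ /starts \d+ (.+?);/
      starts = DateTime.parse($1).to_time
    elsif line =~ /^\s*binding state (\w+);/
      state = $1
    elsif line =~ /^\}/
      now = Time.now
      if state == "active" and starts and
         now >= starts and now < starts + TIMEOUT
        # … unchanged: seen/count bookkeeping …
```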
@ -25,6 +25,42 @@ let
|
|||
n = n;
|
||||
x = builtins.head list;
|
||||
} ] ++ (enumerate (n + 1) (builtins.tail list));
|
||||
|
||||
nets4 =
|
||||
hostConf.bgp.nets4
|
||||
++
|
||||
builtins.concatMap (net:
|
||||
if net != "core"
|
||||
then
|
||||
let
|
||||
subnet4 = config.site.net.${net}.subnet4 or null;
|
||||
in lib.optional (subnet4 != null) subnet4
|
||||
else
|
||||
[]
|
||||
) (builtins.attrNames hostConf.interfaces);
|
||||
|
||||
nets6 =
|
||||
hostConf.bgp.nets6
|
||||
++
|
||||
builtins.concatMap (net:
|
||||
if net != "core"
|
||||
then
|
||||
builtins.attrValues config.site.net.${net}.subnets6 or {}
|
||||
else
|
||||
[]
|
||||
) (builtins.attrNames hostConf.interfaces);
|
||||
|
||||
upstreamsToOrder = upstreams:
|
||||
builtins.foldl' (order: { n, x }:
|
||||
order // {
|
||||
${x} = n;
|
||||
}
|
||||
) {} (enumerate 1 upstreams);
|
||||
upstream4Order = upstreamsToOrder hostConf.bgp.allowedUpstreams;
|
||||
upstream6Order = upstreamsToOrder hostConf.bgp.allowedUpstreams6;
|
||||
allowedUpstreams = lib.unique (
|
||||
hostConf.bgp.allowedUpstreams ++ hostConf.bgp.allowedUpstreams6
|
||||
);
|
||||
in
|
||||
{
|
||||
services.bird2 = {
|
||||
|
@ -35,31 +71,13 @@ in
|
|||
protocol kernel K4 {
|
||||
learn;
|
||||
ipv4 {
|
||||
${if isUpstream
|
||||
then ''
|
||||
# Install all routes but the default route on upstreams
|
||||
export where net != 0.0.0.0/0;
|
||||
# Learn the upstream default route
|
||||
import where net = 0.0.0.0/0;
|
||||
''
|
||||
else ''
|
||||
export all;
|
||||
''}
|
||||
};
|
||||
}
|
||||
protocol kernel K6 {
|
||||
learn;
|
||||
ipv6 {
|
||||
${if isUpstream
|
||||
then ''
|
||||
# Install all routes but the default route on upstreams
|
||||
export where net != ::/0;
|
||||
# Learn the upstream default route
|
||||
import where net = ::/0;
|
||||
''
|
||||
else ''
|
||||
export all;
|
||||
''}
|
||||
};
|
||||
}
|
||||
protocol device {
|
||||
|
@ -84,10 +102,7 @@ in
|
|||
check link yes;
|
||||
}
|
||||
|
||||
${lib.optionalString (
|
||||
builtins.match "anon.*" hostName != null ||
|
||||
hostName == "flpk-gw"
|
||||
) ''
|
||||
${lib.optionalString (hostConf.bgp.upstreamTable != null) ''
|
||||
# BIRD routing table for Wireguard transport
|
||||
ipv4 table vpn_table;
|
||||
|
||||
|
@ -112,14 +127,6 @@ in
|
|||
min ra interval 10;
|
||||
max ra interval 60;
|
||||
solicited ra unicast yes;
|
||||
${if (config.site.net.${net}.dhcp.server or null) == null
|
||||
then ''
|
||||
# Do not use DHCP6.
|
||||
managed no;
|
||||
'' else ''
|
||||
# Use DHCP6 for DynDNS.
|
||||
managed yes;
|
||||
''}
|
||||
|
||||
${builtins.concatStringsSep "\n" (
|
||||
map (subnet6: ''
|
||||
|
@ -136,235 +143,6 @@ in
|
|||
}
|
||||
''}
|
||||
|
||||
# OSPFv2 for site-local IPv4
|
||||
protocol ospf v2 ZW4 {
|
||||
ipv4 {
|
||||
import all;
|
||||
# OSPF is self-contained
|
||||
export none;
|
||||
};
|
||||
area 0 {
|
||||
${builtins.concatStringsSep "\n" (
|
||||
builtins.attrValues (
|
||||
builtins.mapAttrs (net: _:
|
||||
# Enable OSPF only on networks with a secret.
|
||||
if config.site.net ? "${net}" && config.site.net.${net}.ospf.secret != null
|
||||
then ''
|
||||
interface "${net}" {
|
||||
hello 10;
|
||||
wait 20;
|
||||
|
||||
authentication cryptographic;
|
||||
password "${config.site.net.${net}.ospf.secret}";
|
||||
};
|
||||
''
|
||||
else ''
|
||||
interface "${net}" {
|
||||
stub yes;
|
||||
cost 10;
|
||||
};
|
||||
''
|
||||
) hostConf.interfaces
|
||||
)
|
||||
)}
|
||||
${builtins.concatStringsSep "\n" (
|
||||
map (stubnet4: ''
|
||||
# Advertise additional route
|
||||
stubnet ${stubnet4} {};
|
||||
'') hostConf.ospf.stubNets4
|
||||
)}
|
||||
};
|
||||
}
|
||||
|
||||
${lib.optionalString isUpstream ''
|
||||
# OSPFv2 to advertise my default route
|
||||
protocol ospf v2 ZW4_${hostNameEscaped} {
|
||||
ipv4 {
|
||||
export where net = 0.0.0.0/0;
|
||||
};
|
||||
area 0 {
|
||||
${builtins.concatStringsSep "\n" (
|
||||
builtins.attrValues (
|
||||
builtins.mapAttrs (net: _:
|
||||
# Enable OSPF only on interfaces with a secret.
|
||||
lib.optionalString (config.site.net.${net}.ospf.secret != null) ''
|
||||
interface "${net}" instance ${toString hostConf.ospf.upstreamInstance} {
|
||||
# Become the designated router
|
||||
priority 10;
|
||||
hello 10;
|
||||
wait 20;
|
||||
|
||||
authentication cryptographic;
|
||||
password "${config.site.net.${net}.ospf.secret}";
|
||||
};
|
||||
''
|
||||
) hostConf.physicalInterfaces
|
||||
)
|
||||
)}
|
||||
};
|
||||
}
|
||||
''}
|
||||
|
||||
${(
|
||||
builtins.foldl' ({ text, n }: upstream: {
|
||||
text = ''
|
||||
${text}
|
||||
|
||||
# OSPFv2 to receive a default route from ${upstream}
|
||||
protocol ospf v2 ZW4_${
|
||||
builtins.replaceStrings [ "-" ] [ "_" ] upstream
|
||||
} {
|
||||
ipv4 {
|
||||
import filter {
|
||||
preference = preference + ${toString (100 - n)};
|
||||
accept;
|
||||
};
|
||||
${lib.optionalString (
|
||||
builtins.match "anon.*" hostName != null ||
|
||||
hostName == "flpk-gw"
|
||||
) ''
|
||||
table vpn_table;
|
||||
''}
|
||||
};
|
||||
area 0 {
|
||||
${builtins.concatStringsSep "\n" (
|
||||
builtins.attrValues (
|
||||
builtins.mapAttrs (net: _:
|
||||
# Enable OSPF only on interfaces with a secret.
|
||||
lib.optionalString (config.site.net.${net}.ospf.secret != null) ''
|
||||
interface "${net}" instance ${
|
||||
builtins.replaceStrings [ "-" ] [ "_" ] (
|
||||
toString config.site.hosts.${upstream}.ospf.upstreamInstance
|
||||
)
|
||||
} {
|
||||
hello 10;
|
||||
wait 20;
|
||||
authentication cryptographic;
|
||||
password "${config.site.net.${net}.ospf.secret}";
|
||||
};
|
||||
''
|
||||
) hostConf.physicalInterfaces
|
||||
)
|
||||
)}
|
||||
};
|
||||
}
|
||||
'';
|
||||
n = n + 1;
|
||||
}) { text = ""; n = 0; } hostConf.ospf.allowedUpstreams
|
||||
).text}
|
||||
|
||||
# OSPFv3 for site-local IPv6
|
||||
protocol ospf v3 ZW6 {
|
||||
ipv6 {
|
||||
import all;
|
||||
# OSPF is self-contained
|
||||
export none;
|
||||
};
|
||||
area 0 {
|
||||
${builtins.concatStringsSep "\n" (
|
||||
builtins.attrValues (
|
||||
builtins.mapAttrs (net: _:
|
||||
# Enable OSPF only on networks with a secret.
|
||||
if config.site.net.${net}.ospf.secret != null
|
||||
then ''
|
||||
interface "${net}" {
|
||||
hello 10;
|
||||
wait 20;
|
||||
|
||||
authentication cryptographic;
|
||||
password "${config.site.net.${net}.ospf.secret}";
|
||||
};
|
||||
''
|
||||
else ''
|
||||
interface "${net}" {
|
||||
stub yes;
|
||||
cost 10;
|
||||
};
|
||||
''
|
||||
) hostConf.physicalInterfaces
|
||||
)
|
||||
)}
|
||||
${builtins.concatStringsSep "\n" (
|
||||
map (stubnet6: ''
|
||||
# Advertise additional route
|
||||
stubnet ${stubnet6} {};
|
||||
'')
|
||||
hostConf.ospf.stubNets6
|
||||
)}
|
||||
};
|
||||
}
|
||||
|
||||
${lib.optionalString isUpstream ''
|
||||
# OSPFv3 to advertise my default route
|
||||
protocol ospf v3 ZW6_${hostNameEscaped} {
|
||||
ipv6 {
|
||||
export where net = ::/0;
|
||||
};
|
||||
area 0 {
|
||||
${builtins.concatStringsSep "\n" (
|
||||
builtins.attrValues (
|
||||
builtins.mapAttrs (net: _:
|
||||
# Enable OSPF only on interfaces with a secret.
|
||||
lib.optionalString (config.site.net.${net}.ospf.secret != null) ''
|
||||
interface "${net}" instance ${toString hostConf.ospf.upstreamInstance} {
|
||||
# Become the designated router
|
||||
priority 10;
|
||||
hello 10;
|
||||
wait 20;
|
||||
|
||||
authentication cryptographic;
|
||||
password "${config.site.net.${net}.ospf.secret}";
|
||||
};
|
||||
''
|
||||
) hostConf.physicalInterfaces
|
||||
)
|
||||
)}
|
||||
};
|
||||
}
|
||||
''}
|
||||
|
||||
${lib.optionalString (builtins.match "anon.*" hostName == null) (
|
||||
builtins.foldl' ({ text, n }: upstream: {
|
||||
text = ''
|
||||
${text}
|
||||
|
||||
# OSPFv3 to receive a default route from ${upstream}
|
||||
protocol ospf v3 ZW6_${
|
||||
builtins.replaceStrings [ "-" ] [ "_" ] upstream
|
||||
} {
|
||||
ipv6 {
|
||||
import filter {
|
||||
preference = preference + ${toString (100 - n)};
|
||||
accept;
|
||||
};
|
||||
};
|
||||
area 0 {
|
||||
${builtins.concatStringsSep "\n" (
|
||||
builtins.attrValues (
|
||||
builtins.mapAttrs (net: _:
|
||||
# Enable OSPF only on interfaces with a secret.
|
||||
lib.optionalString (config.site.net.${net}.ospf.secret != null) ''
|
||||
interface "${net}" instance ${
|
||||
builtins.replaceStrings [ "-" ] [ "_" ] (
|
||||
toString config.site.hosts.${upstream}.ospf.upstreamInstance
|
||||
)
|
||||
} {
|
||||
hello 10;
|
||||
wait 20;
|
||||
authentication cryptographic;
|
||||
password "${config.site.net.${net}.ospf.secret}";
|
||||
};
|
||||
''
|
||||
) hostConf.physicalInterfaces
|
||||
)
|
||||
)}
|
||||
};
|
||||
}
|
||||
'';
|
||||
n = n + 1;
|
||||
}) { text = ""; n = 0; } hostConf.ospf.allowedUpstreams6
|
||||
).text}
|
||||
|
||||
# Zentralwerk DN42
|
||||
protocol static {
|
||||
ipv4;
|
||||
|
@ -378,31 +156,146 @@ in
|
|||
}
|
||||
|
||||
${lib.optionalString (hostConf.bgp != null) ''
|
||||
template bgp bgppeer {
|
||||
# zentralwerk-network
|
||||
template bgp bgp_rr_server {
|
||||
local as ${toString hostConf.bgp.asn};
|
||||
direct;
|
||||
|
||||
ipv4 {
|
||||
import all;
|
||||
export where source=RTS_STATIC;
|
||||
import filter {
|
||||
preference = preference + 200;
|
||||
accept;
|
||||
};
|
||||
${lib.optionalString (nets4 != []) ''
|
||||
export where net ~ [ ${lib.concatMapStringsSep ", " (n: "${n}") nets4} ];
|
||||
''}
|
||||
};
|
||||
ipv6 {
|
||||
import filter {
|
||||
preference = preference + 200;
|
||||
accept;
|
||||
};
|
||||
${lib.optionalString (nets6 != []) ''
|
||||
export where net ~ [ ${lib.concatMapStringsSep ", " (n: "${n}") nets6} ];
|
||||
''}
|
||||
};
|
||||
}
|
||||
template bgp bgp_rr_client {
|
||||
local as ${toString hostConf.bgp.asn};
|
||||
direct;
|
||||
|
||||
ipv4 {
|
||||
next hop self on;
|
||||
import filter {
|
||||
preference = preference + 200;
|
||||
accept;
|
||||
};
|
||||
${lib.optionalString (nets4 != []) ''
|
||||
export where net ~ [ ${lib.concatMapStringsSep ", " (n: "${n}") nets4} ];
|
||||
''}
|
||||
};
|
||||
ipv6 {
|
||||
next hop self on;
|
||||
import filter {
|
||||
preference = preference + 200;
|
||||
accept;
|
||||
};
|
||||
${lib.optionalString (nets6 != []) ''
|
||||
export where net ~ [ ${lib.concatMapStringsSep ", " (n: "${n}") nets6} ];
|
||||
''}
|
||||
};
|
||||
}
|
||||
# dn42
|
||||
template bgp bgp_external {
|
||||
local as ${toString hostConf.bgp.asn};
|
||||
direct;
|
||||
|
||||
ipv4 {
|
||||
next hop self on;
|
||||
import all;
|
||||
export where source=RTS_STATIC;
|
||||
export where source = RTS_STATIC;
|
||||
};
|
||||
ipv6 {
|
||||
next hop self on;
|
||||
import all;
|
||||
export where source = RTS_STATIC;
|
||||
};
|
||||
}
|
||||
# emitting default routes
|
||||
template bgp bgp_upstream {
|
||||
local as ${toString hostConf.bgp.asn};
|
||||
direct;
|
||||
|
||||
ipv4 {
|
||||
next hop self on;
|
||||
import all;
|
||||
export where net = 0.0.0.0/0;
|
||||
};
|
||||
ipv6 {
|
||||
next hop self on;
|
||||
import all;
|
||||
export where net = ::/0;
|
||||
};
|
||||
}
|
||||
|
||||
${builtins.concatStringsSep "\n" (
|
||||
map ({ n, x }:
|
||||
${lib.concatMapStrings (peer:
|
||||
let
|
||||
peer = x;
|
||||
peerConf = hostConf.bgp.peers.${peer};
|
||||
isRange = lib.hasInfix "/" peer;
|
||||
in ''
|
||||
protocol bgp bgp_${toString n} from bgppeer {
|
||||
neighbor ${peer} as ${toString peerConf.asn};
|
||||
protocol bgp bgp_${peerConf.name} from bgp_${peerConf.type} {
|
||||
neighbor ${lib.optionalString isRange "range"} ${peer} as ${toString peerConf.asn};
|
||||
${lib.optionalString isRange ''
|
||||
dynamic name "bgp_${peerConf.name}";
|
||||
''}
|
||||
${lib.optionalString (peerConf.type == "rr") ''
|
||||
rr client;
|
||||
''}
|
||||
}
|
||||
'') (builtins.attrNames hostConf.bgp.peers)}
|
||||
|
||||
${lib.concatMapStrings ({ n, x }: let upstream = x; in ''
|
||||
# upstream client instance #${toString n}
|
||||
protocol bgp bgp_up_${builtins.replaceStrings ["-"] ["_"] upstream} {
|
||||
local as ${toString hostConf.bgp.asn};
|
||||
neighbor ${config.site.net.core.hosts6.dn42.${upstream}} as ${toString hostConf.bgp.asn};
|
||||
direct;
|
||||
|
||||
ipv4 {
|
||||
${if (upstream4Order ? ${upstream})
|
||||
then ''
|
||||
import filter {
|
||||
preference = preference + ${toString (100 - upstream4Order.${upstream})};
|
||||
accept;
|
||||
};
|
||||
''
|
||||
) (enumerate 1 (builtins.attrNames hostConf.bgp.peers))
|
||||
)}
|
||||
else ''
|
||||
import none;
|
||||
''}
|
||||
${lib.optionalString (nets4 != []) ''
|
||||
export where net ~ [ ${lib.concatMapStringsSep ", " (n: "${n}") nets4} ];
|
||||
''}
|
||||
${lib.optionalString (hostConf.bgp.upstreamTable != null) ''
|
||||
table ${hostConf.bgp.upstreamTable};
|
||||
''}
|
||||
};
|
||||
ipv6 {
|
||||
${if (upstream4Order ? ${upstream})
|
||||
then ''
|
||||
import filter {
|
||||
preference = preference + ${toString (100 - upstream4Order.${upstream})};
|
||||
accept;
|
||||
};
|
||||
''
|
||||
else ''
|
||||
import none;
|
||||
''}
|
||||
${lib.optionalString (nets6 != []) ''
|
||||
export where net ~ [ ${lib.concatMapStringsSep ", " (n: "${n}") nets6} ];
|
||||
''}
|
||||
};
|
||||
}
|
||||
'') (enumerate 1 allowedUpstreams)}
|
||||
''}
|
||||
'';
|
||||
};
|
||||
|
@ -447,7 +340,7 @@ in
|
|||
User = "bird2";
|
||||
Group = "bird2";
|
||||
};
|
||||
path = with pkgs; [ bird2 iputils ];
|
||||
path = [ pkgs.bird2 "/run/wrappers" ];
|
||||
script = ''
|
||||
STATE=unknown
|
||||
|
||||
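Review bot: The ipv6 channel of the per-upstream `bgp_up_*` protocols keys its import preference on `upstream4Order` (`${if (upstream4Order ? ${upstream})` and the `preference = preference + …` line below it), so `allowedUpstreams6` is never consulted even though `upstream6Order` is computed for exactly this purpose; an upstream listed only in `allowedUpstreams6` ends up with `import none;` for v6 default routes. Replace those two lines with `${if (upstream6Order ? ${upstream})` and `preference = preference + ${toString (100 - upstream6Order.${upstream})};`. Separately, `peerConf.type == "rr"` can never be true because the option enum only admits `rr_server`/`rr_client`, so `rr client;` is never emitted; presumably the test should be `== "rr_client"` (the peer is this host's reflector client), but confirm which side the type names. The `bgp_external` template also does `import all;` from foreign dn42 ASNs without rejecting `0.0.0.0/0`/`::/0` or the site's own `nets4`/`nets6`, so a neighbour can inject a default route or hijack a site prefix at full preference — at minimum filter those, and the `table ${hostConf.bgp.upstreamTable}` reference only works if the option is set to the hard-coded `vpn_table` declared earlier in the same file.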
@ -1,4 +1,4 @@
|
|||
{ config, lib, modulesPath, pkgs, ... }:
|
||||
{ config, lib, modulesPath, ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
|
@ -6,12 +6,17 @@
|
|||
(modulesPath + "/virtualisation/lxc-container.nix")
|
||||
];
|
||||
|
||||
environment = {
|
||||
etc."machine-id".text = builtins.substring 0 8 (builtins.hashString "sha256" config.networking.hostName);
|
||||
systemPackages = with pkgs; [
|
||||
ripgrep
|
||||
];
|
||||
boot = {
|
||||
isContainer = true;
|
||||
loader = {
|
||||
initScript.enable = true;
|
||||
};
|
||||
};
|
||||
|
||||
environment.etc."machine-id".text =
|
||||
builtins.substring 0 8 (
|
||||
builtins.hashString "sha256" config.networking.hostName
|
||||
);
|
||||
|
||||
nix = {
|
||||
settings = {
|
||||
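Review bot: `builtins.substring 0 8` leaves `/etc/machine-id` with an 8-character value, but systemd defines the machine ID as exactly 32 lowercase hex characters, so the file is not a valid ID and systemd inside the container will treat it as uninitialised (regenerating a transient one or failing units that depend on it — the exact behaviour varies by version, worth verifying on the target release). Use the full width, `builtins.substring 0 32 (builtins.hashString "sha256" config.networking.hostName)`, and add a comment above it stating that the hostname-derived ID is deliberately stable across rebuilds so the container keeps its journal and DHCP identity. That comment should also note that the ID is then predictable from the hostname, which is fine only as long as nothing on these containers relies on machine-id being secret.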
@ -8,341 +8,98 @@ let
|
|||
dhcp.server == hostName
|
||||
) config.site.net;
|
||||
|
||||
concatMapDhcpNets = f:
|
||||
lib.pipe dhcpNets [
|
||||
(builtins.mapAttrs f)
|
||||
builtins.attrValues
|
||||
(map (r: if builtins.isList r then r else [ r ]))
|
||||
builtins.concatLists
|
||||
];
|
||||
|
||||
enabled = builtins.length (builtins.attrNames dhcpNets) > 0;
|
||||
in
|
||||
{
|
||||
services.kea.dhcp4 = lib.mkIf enabled {
|
||||
services.dhcpd4 = lib.optionalAttrs enabled {
|
||||
enable = true;
|
||||
|
||||
settings = {
|
||||
interfaces-config.interfaces = builtins.attrNames dhcpNets;
|
||||
dhcp-ddns.enable-updates = true;
|
||||
ddns-send-updates = true;
|
||||
# TODO: use with kea >= 2.5.0
|
||||
# ddns-conflict-resolution-mode = "check-exists-with-dhcid";
|
||||
ddns-use-conflict-resolution = false;
|
||||
ddns-replace-client-name = "when-not-present";
|
||||
expired-leases-processing.hold-reclaimed-time = builtins.foldl' lib.max
|
||||
3600 (concatMapDhcpNets (net: { dhcp, ... }: dhcp.max-time));
|
||||
interfaces = builtins.attrNames dhcpNets;
|
||||
|
||||
subnet4 = concatMapDhcpNets (net: { vlan, subnet4, hosts4, dhcp, domainName, captiveJson, ... }: {
|
||||
id = vlan;
|
||||
subnet = subnet4;
|
||||
pools = [ {
|
||||
pool = "${dhcp.start} - ${dhcp.end}";
|
||||
} ];
|
||||
renew-timer = builtins.ceil (.5 * dhcp.time);
|
||||
rebind-timer = builtins.ceil (.85 * dhcp.time);
|
||||
valid-lifetime = dhcp.time;
|
||||
option-data = [ {
|
||||
space = "dhcp4";
|
||||
name = "routers";
|
||||
code = 3;
|
||||
data = config.site.net.${net}.hosts4.${dhcp.router};
|
||||
} {
|
||||
space = "dhcp4";
|
||||
name = "domain-name";
|
||||
code = 15;
|
||||
data = domainName;
|
||||
} {
|
||||
space = "dhcp4";
|
||||
name = "domain-name-servers";
|
||||
code = 6;
|
||||
data = "${config.site.net.serv.hosts4.dnscache}, 9.9.9.9";
|
||||
} ] ++ lib.optional (captiveJson != null) {
|
||||
space = "dhcp4";
|
||||
name = "v4-captive-portal";
|
||||
code = 114;
|
||||
data = captiveJson;
|
||||
};
|
||||
ddns-qualifying-suffix = domainName;
|
||||
reservations = lib.pipe dhcp.fixed-hosts [
|
||||
(builtins.mapAttrs (fixedAddr: hwaddr:
|
||||
if hosts4 ? ${fixedAddr}
|
||||
then # fixedAddr is a known hostname
|
||||
let
|
||||
name = fixedAddr;
|
||||
addr = hosts4.${fixedAddr};
|
||||
in {
|
||||
hostname = "${name}.${net}.zentralwerk.org";
|
||||
hw-address = hwaddr;
|
||||
ip-address = addr;
|
||||
}
|
||||
else
|
||||
let
|
||||
names = builtins.attrNames (
|
||||
lib.filterAttrs (_: hostAddr:
|
||||
hostAddr == fixedAddr
|
||||
) hosts4);
|
||||
name = builtins.head names;
|
||||
in
|
||||
if builtins.length names > 0
|
||||
then { # fixedAddr is IPv4 of a known hostname
|
||||
hostname = "${name}.${net}.zentralwerk.org";
|
||||
hw-address = hwaddr;
|
||||
ip-address = hosts4.${name};
|
||||
} # fixedAddr is IPv4?
|
||||
else {
|
||||
hw-address = hwaddr;
|
||||
ip-address = fixedAddr;
|
||||
}
|
||||
))
|
||||
builtins.attrValues
|
||||
(builtins.filter (r: r != null))
|
||||
];
|
||||
});
|
||||
|
||||
match-client-id = false;
|
||||
host-reservation-identifiers = [ "hw-address" ];
|
||||
|
||||
# Netbooting
|
||||
option-def = [ {
|
||||
name = "PXEDiscoveryControl";
|
||||
code = 6;
|
||||
space = "vendor-encapsulated-options-space";
|
||||
type = "uint8";
|
||||
array = false;
|
||||
} {
|
||||
name = "PXEMenuPrompt";
|
||||
code = 10;
|
||||
space = "vendor-encapsulated-options-space";
|
||||
type = "record";
|
||||
array = false;
|
||||
record-types = "uint8,string";
|
||||
} {
|
||||
name = "PXEBootMenu";
|
||||
code = 9;
|
||||
space = "vendor-encapsulated-options-space";
|
||||
type = "record";
|
||||
array = false;
|
||||
record-types = "uint16,uint8,string";
|
||||
} ];
|
||||
client-classes =
|
||||
let
|
||||
rpi4Class = {
|
||||
name = "rpi4-pxe";
|
||||
test = "option[vendor-class-identifier].text == 'PXEClient:Arch:00000:UNDI:002001'";
|
||||
option-data = [ {
|
||||
name = "boot-file-name";
|
||||
data = "bootcode.bin";
|
||||
} {
|
||||
name = "vendor-class-identifier";
|
||||
data = "PXEClient";
|
||||
} {
|
||||
name = "vendor-encapsulated-options";
|
||||
} {
|
||||
name = "PXEBootMenu";
|
||||
csv-format = true;
|
||||
data = "0,17,Raspberry Pi Boot";
|
||||
space = "vendor-encapsulated-options-space";
|
||||
} {
|
||||
name = "PXEDiscoveryControl";
|
||||
data = "3";
|
||||
space = "vendor-encapsulated-options-space";
|
||||
} {
|
||||
name = "PXEMenuPrompt";
|
||||
csv-format = true;
|
||||
data = "0,PXE";
|
||||
space = "vendor-encapsulated-options-space";
|
||||
} ];
|
||||
};
|
||||
|
||||
pxeClassData = {
|
||||
PXE-Legacy = {
|
||||
arch = "00000";
|
||||
boot-file-name = "netboot.xyz.kpxe";
|
||||
};
|
||||
PXE-UEFI-32-1.arch = "00002";
|
||||
PXE-UEFI-32-2.arch = "00006";
|
||||
PXE-UEFI-64-1.arch = "00007";
|
||||
PXE-UEFI-64-2.arch = "00008";
|
||||
PXE-UEFI-64-3.arch = "00009";
|
||||
};
|
||||
|
||||
makePxe = name: { boot-file-name ? "netboot.xyz.efi", arch }: {
|
||||
inherit name boot-file-name;
|
||||
test = "substring(option[60].hex,0,20) == 'PXEClient:Arch:${arch}'";
|
||||
next-server = config.site.net.serv.hosts4.nfsroot;
|
||||
};
|
||||
in
|
||||
[ rpi4Class ]
|
||||
++
|
||||
extraConfig = ''
|
||||
${builtins.concatStringsSep "\n" (
|
||||
builtins.attrValues (
|
||||
builtins.mapAttrs makePxe pxeClassData
|
||||
);
|
||||
|
||||
control-socket = {
|
||||
socket-type = "unix";
|
||||
socket-name = "/run/kea/dhcp4-socket";
|
||||
builtins.mapAttrs (net: { dhcp, subnet4Net, subnet4Len, domainName, ...}:
|
||||
''
|
||||
ddns-update-style standard;
|
||||
key dyndns {
|
||||
algorithm hmac-sha256;
|
||||
secret ${config.site.dyndnsKey};
|
||||
};
|
||||
hooks-libraries = [ {
|
||||
library = "/run/current-system/sw/lib/kea/hooks/libdhcp_stat_cmds.so";
|
||||
} {
|
||||
library = "/run/current-system/sw/lib/kea/hooks/libdhcp_lease_cmds.so";
|
||||
} ];
|
||||
};
|
||||
};
|
||||
services.kea.dhcp6 = lib.mkIf enabled {
|
||||
enable = true;
|
||||
|
||||
settings = {
|
||||
interfaces-config.interfaces = builtins.attrNames dhcpNets;
|
||||
dhcp-ddns.enable-updates = true;
|
||||
ddns-override-no-update = true;
|
||||
ddns-override-client-update = true;
|
||||
ddns-replace-client-name = "when-not-present";
|
||||
# TODO: use with kea >= 2.5.0
|
||||
# ddns-conflict-resolution-mode = "check-exists-with-dhcid";
|
||||
ddns-use-conflict-resolution = false;
|
||||
|
||||
subnet6 = concatMapDhcpNets (net: { vlan, subnets6, dhcp, domainName, captiveJson, ... }:
|
||||
let
|
||||
subnet = subnets6.up4 or subnets6.flpk or null;
|
||||
prefix = builtins.head (builtins.split "::/" subnet);
|
||||
in
|
||||
if subnet != null
|
||||
then {
|
||||
id = vlan;
|
||||
interface = net;
|
||||
inherit subnet;
|
||||
pools = [ {
|
||||
pool = "${prefix}:c3d2:c3d2:c3d2:1000 - ${prefix}:c3d2:c3d2:c3d2:ffff";
|
||||
#pool = subnet;
|
||||
} ];
|
||||
valid-lifetime = dhcp.time;
|
||||
max-valid-lifetime = dhcp.max-time;
|
||||
option-data = [ {
|
||||
space = "dhcp6";
|
||||
name = "domain-search";
|
||||
code = 24;
|
||||
data = domainName;
|
||||
} {
|
||||
space = "dhcp6";
|
||||
name = "dns-servers";
|
||||
code = 23;
|
||||
data = "${config.site.net.serv.hosts6.dn42.dnscache}, 2620:fe::9";
|
||||
} ] ++ lib.optional (captiveJson != null) {
|
||||
space = "dhcp6";
|
||||
name = "v6-captive-portal";
|
||||
code = 103;
|
||||
data = captiveJson;
|
||||
};
|
||||
ddns-generated-prefix = "d";
|
||||
ddns-qualifying-suffix = domainName;
|
||||
zone ${domainName}. {
|
||||
primary ${config.site.net.serv.hosts4.dns};
|
||||
primary6 ${config.site.net.serv.hosts6.dn42.dns};
|
||||
key dyndns;
|
||||
}
|
||||
else []
|
||||
);
|
||||
|
||||
host-reservation-identifiers = [ "hw-address" ];
|
||||
#reservations = concatMapDhcpNets (net: { hosts6, dhcp, ... }:
|
||||
# builtins.filter (r: r != null) (
|
||||
# builtins.attrValues (
|
||||
# builtins.mapAttrs (name: hwaddr:
|
||||
# let
|
||||
# ip-addresses = lib.pipe hosts6 [
|
||||
# (builtins.mapAttrs (_: hosts6: hosts6.${name} or null))
|
||||
# builtins.attrValues
|
||||
# (builtins.filter (a: a != null))
|
||||
# ];
|
||||
# in
|
||||
# if builtins.trace (lib.generators.toPretty {} ip-addresses) (builtins.length ip-addresses) > 0
|
||||
# then {
|
||||
# hostname = "${name}.${net}.zentralwerk.org";
|
||||
# hw-address = hwaddr;
|
||||
# inherit ip-addresses;
|
||||
# }
|
||||
# else null
|
||||
# ) dhcp.fixed-hosts
|
||||
# )));
|
||||
control-socket = {
|
||||
socket-type = "unix";
|
||||
socket-name = "/run/kea/dhcp6.socket";
|
||||
};
|
||||
hooks-libraries = [ {
|
||||
library = "/run/current-system/sw/lib/kea/hooks/libdhcp_stat_cmds.so";
|
||||
} {
|
||||
library = "/run/current-system/sw/lib/kea/hooks/libdhcp_lease_cmds.so";
|
||||
} ];
|
||||
};
|
||||
};
|
||||
services.kea.dhcp-ddns = lib.mkIf enabled {
|
||||
enable = true;
|
||||
|
||||
settings = {
|
||||
tsig-keys = [ {
|
||||
name = "dyndns";
|
||||
algorithm = "hmac-sha256";
|
||||
secret = config.site.dyndnsKey;
|
||||
} ];
|
||||
|
||||
forward-ddns.ddns-domains = concatMapDhcpNets (net: { domainName, ... }: {
|
||||
name = "${domainName}.";
|
||||
key-name = "dyndns";
|
||||
dns-servers = [ {
|
||||
ip-address = config.site.net.serv.hosts4.dns;
|
||||
} {
|
||||
ip-address = config.site.net.serv.hosts6.dn42.dns;
|
||||
} ];
|
||||
});
|
||||
reverse-ddns.ddns-domains = map ({ name, ...}: {
|
||||
name = "${name}.";
|
||||
key-name = "dyndns";
|
||||
dns-servers = [ {
|
||||
ip-address = config.site.net.serv.hosts4.dns;
|
||||
} {
|
||||
ip-address = config.site.net.serv.hosts6.dn42.dns;
|
||||
} ];
|
||||
}) (
|
||||
builtins.filter ({ name, dynamic, ... }:
|
||||
${lib.concatMapStrings ({ name, dynamic, ... }:
|
||||
lib.optionalString (
|
||||
dynamic &&
|
||||
(lib.hasSuffix ".in-addr.arpa" name ||
|
||||
lib.hasSuffix ".ip6.arpa" name)
|
||||
) config.site.dns.localZones
|
||||
);
|
||||
control-socket = {
|
||||
socket-type = "unix";
|
||||
socket-name = "/run/kea/dhcp-ddns.socket";
|
||||
};
|
||||
};
|
||||
};
|
||||
lib.hasSuffix ".in-addr.arpa" name
|
||||
) ''
|
||||
zone ${name}. {
|
||||
primary ${config.site.net.serv.hosts4.dns};
|
||||
primary6 ${config.site.net.serv.hosts6.dn42.dns};
|
||||
key dyndns;
|
||||
}
|
||||
''
|
||||
) config.site.dns.localZones}
|
||||
|
||||
services.kea.ctrl-agent = lib.mkIf enabled {
|
||||
enable = true;
|
||||
settings.control-sockets = {
|
||||
dhcp4 = {
|
||||
socket-type = "unix";
|
||||
socket-name = "/run/kea/dhcp4.socket";
|
||||
};
|
||||
dhcp6 = {
|
||||
socket-type = "unix";
|
||||
socket-name = "/run/kea/dhcp6.socket";
|
||||
};
|
||||
d2 = {
|
||||
socket-type = "unix";
|
||||
socket-name = "/run/kea/dhcp-ddns.socket";
|
||||
};
|
||||
};
|
||||
};
|
||||
option guid code 97 = text;
|
||||
group {
|
||||
default-lease-time ${toString dhcp.time};
|
||||
max-lease-time ${toString dhcp.max-time};
|
||||
option routers ${config.site.net.${net}.hosts4.${dhcp.router}};
|
||||
option domain-name "${domainName}";
|
||||
option domain-name-servers 172.20.73.8, 9.9.9.9;
|
||||
ddns-domainname "${domainName}";
|
||||
|
||||
# Increase reliablity
|
||||
# (mostly for kea-dhcp-ddns-server.service)
|
||||
systemd.services =
|
||||
let
|
||||
restartService.serviceConfig = {
|
||||
RestartSec = 4;
|
||||
Restart = "always";
|
||||
};
|
||||
in {
|
||||
kea-dhcp4-server = restartService;
|
||||
kea-dhcp6-server = restartService;
|
||||
kea-dhcp-ddns-server = restartService;
|
||||
class "pxeclients" {
|
||||
match if substring (option vendor-class-identifier, 0, 9) = "PXEClient";
|
||||
|
||||
next-server ${config.site.net.serv.hosts4.nfsroot};
|
||||
option tftp-server-address ${config.site.net.serv.hosts4.nfsroot};
|
||||
if suffix(reverse(1, option guid), 5) = 34:69:50:52:00 {
|
||||
# RPi4
|
||||
option vendor-class-identifier "PXEClient";
|
||||
option vendor-encapsulated-options "Raspberry Pi Boot";
|
||||
option tftp-server-name "${config.site.net.serv.hosts4.nfsroot}";
|
||||
} elsif option pxe-system-type = 00:00 {
|
||||
filename "netboot.xyz.kpxe"; # BIOS
|
||||
} elsif option pxe-system-type = 00:07 {
|
||||
filename "netboot.xyz.efi"; # EFI
|
||||
option bootfile-name "netboot.xyz.efi";
|
||||
} elsif option pxe-system-type = 00:06 {
|
||||
filename "netboot.xyz.efi"; # ia32_EFI
|
||||
}
|
||||
}
|
||||
|
||||
subnet ${subnet4Net} netmask ${lib.netmasks.${toString subnet4Len}} {
|
||||
range ${dhcp.start} ${dhcp.end};
|
||||
|
||||
# always assign the same IP to the same MAC address.
|
||||
# fixes changing IP for PXE clients.
|
||||
ignore-client-uids true;
|
||||
}
|
||||
|
||||
update-static-leases on;
|
||||
|
||||
${builtins.concatStringsSep "\n" (
|
||||
builtins.attrValues (
|
||||
builtins.mapAttrs (addr: hwaddr:
|
||||
''
|
||||
host ${addr} {
|
||||
hardware ethernet ${hwaddr};
|
||||
fixed-address ${addr};
|
||||
}
|
||||
''
|
||||
) dhcp.fixed-hosts
|
||||
)
|
||||
)}
|
||||
}
|
||||
''
|
||||
) dhcpNets
|
||||
)
|
||||
)}
|
||||
'';
|
||||
};
|
||||
}
|
||||
|
|
|
@ -1,30 +1,26 @@
|
|||
{ config, dns-nix, hostName, lib, pkgs, self, ... }:
|
||||
{ hostName, config, lib, pkgs, self, ... }:
|
||||
|
||||
let
|
||||
serial = builtins.substring 0 10 self.lastModifiedDate;
|
||||
|
||||
generateZoneFile = let
|
||||
util = dns-nix.util.${pkgs.system};
|
||||
in { name, ns, records, ... }: (util.writeZone name {
|
||||
TTL = 60*60;
|
||||
SOA = {
|
||||
nameServer = "${lib.dns.ns}.";
|
||||
adminEmail = "astro@spaceboyz.net";
|
||||
serial = lib.toInt serial;
|
||||
refresh = 1*60*60;
|
||||
retry = 5*60;
|
||||
expire = 2*60*60;
|
||||
minimum = 1*60;
|
||||
};
|
||||
NS = map (a: a+".") ns;
|
||||
subdomains = lib.foldl (a: b: lib.recursiveUpdate a b) { } (map ({ name, type, data }: {
|
||||
${name}.${type} = [ data ];
|
||||
}) records);
|
||||
}).overrideAttrs (_: {
|
||||
checkPhase = ''
|
||||
${pkgs.knot-dns}/bin/kzonecheck "$target"
|
||||
generateZoneFile = { name, ns, records, dynamic }:
|
||||
builtins.toFile "${name}.zone" ''
|
||||
$ORIGIN ${name}.
|
||||
$TTL 1h
|
||||
|
||||
@ IN SOA ${lib.dns.ns}. astro.spaceboyz.net. (
|
||||
${serial} ; serial
|
||||
1h ; refresh
|
||||
1m ; retry
|
||||
2h ; expire
|
||||
1m ; minimum
|
||||
)
|
||||
${lib.concatMapStrings (ns: " IN NS ${ns}.\n") ns}
|
||||
|
||||
${lib.concatMapStrings ({ name, type, data }:
|
||||
"${name} IN ${type} ${data}\n"
|
||||
) records}
|
||||
'';
|
||||
});
|
||||
in
|
||||
{
|
||||
options =
|
||||
|
@ -39,7 +35,7 @@ in
|
|||
type = types.enum [ "A" "AAAA" "MX" "SRV" "CNAME" "TXT" "PTR" ];
|
||||
};
|
||||
data = mkOption {
|
||||
type = types.oneOf [ types.str (types.attrsOf (types.oneOf [ types.int types.str ]))];
|
||||
type = types.str;
|
||||
};
|
||||
};
|
||||
|
||||
|
@ -73,169 +69,90 @@ in
|
|||
config = {
|
||||
site.dns.localZones = lib.dns.localZones;
|
||||
|
||||
services.knot = lib.mkIf config.site.hosts.${hostName}.services.dns.enable (
|
||||
services.bind = lib.mkIf config.site.hosts.${hostName}.services.dns.enable (
|
||||
let
|
||||
generateZone = zone@{ name, dynamic, ... }: {
|
||||
domain = name;
|
||||
template = "zentralwerk";
|
||||
acl = [ "zone_xfr" ]
|
||||
++ lib.optional (lib.hasSuffix ".arpa" name) "dn42"
|
||||
++ lib.optional dynamic "dyndns";
|
||||
file = if dynamic
|
||||
then "/var/lib/knot/zones/${name}.zone"
|
||||
inherit name;
|
||||
master = true;
|
||||
# allowed for zone-transfer
|
||||
slaves = [
|
||||
# ns.c3d2.de
|
||||
"217.197.84.53" "2001:67c:1400:2240::a"
|
||||
config.site.net.serv.hosts4.bind
|
||||
config.site.net.serv.hosts6.dn42.bind
|
||||
config.site.net.serv.hosts6.up4.bind
|
||||
# ns.spaceboyz.net
|
||||
"172.22.24.4" "2a01:4f9:4b:39ec::4"
|
||||
];
|
||||
file =
|
||||
if dynamic
|
||||
then "/var/db/bind/${name}.zone"
|
||||
else generateZoneFile zone;
|
||||
notify = [ "all" ];
|
||||
extraConfig = ''
|
||||
also-notify {
|
||||
# ns.c3d2.de
|
||||
217.197.84.53;
|
||||
2001:67c:1400:2240::a;
|
||||
${config.site.net.serv.hosts4.bind};
|
||||
${config.site.net.serv.hosts6.dn42.bind};
|
||||
${config.site.net.serv.hosts6.up4.bind};
|
||||
# ns.spaceboyz.net
|
||||
172.22.24.4;
|
||||
95.217.229.209;
|
||||
2a01:4f9:4b:39ec::4;
|
||||
};
|
||||
notify-source ${config.site.net.serv.hosts4.dns};
|
||||
notify-source-v6 ${config.site.net.serv.hosts6.up4.dns};
|
||||
'' + lib.optionalString dynamic ''
|
||||
allow-update { key "dyndns"; };
|
||||
'';
|
||||
};
|
||||
|
||||
in {
|
||||
enable = true;
|
||||
settings = {
|
||||
acl = [
|
||||
{
|
||||
id = "dyndns";
|
||||
action = "update";
|
||||
key = "dyndns";
|
||||
}
|
||||
{
|
||||
id = "zone_xfr";
|
||||
address = with config.site.net.serv; [
|
||||
# ns.c3d2.de
|
||||
hosts4.knot hosts6.dn42.knot hosts6.up4.knot
|
||||
"2a00:8180:2c00:282:2041:cbff:fe0c:8516"
|
||||
"fd23:42:c3d2:582:2041:cbff:fe0c:8516"
|
||||
# ns.spaceboyz.net
|
||||
"172.22.24.4" "37.27.116.148" "2a01:4f9:3070:2728::4"
|
||||
# ns1.supersandro.de
|
||||
"188.34.196.104" "2a01:4f8:1c1c:1d38::1"
|
||||
];
|
||||
action = "transfer";
|
||||
}
|
||||
{
|
||||
id = "dn42";
|
||||
address = [ "172.22.24.4" "fd42:180:3de0:30::1" ];
|
||||
}
|
||||
];
|
||||
zones = map generateZone config.site.dns.localZones;
|
||||
|
||||
key = [ {
|
||||
id = "dyndns";
|
||||
algorithm = "hmac-sha256";
|
||||
secret = config.site.dyndnsKey;
|
||||
} ];
|
||||
|
||||
log = [ {
|
||||
target = "syslog";
|
||||
any = "info";
|
||||
} ];
|
||||
|
||||
mod-stats = [ {
|
||||
id = "default";
|
||||
query-type = "on";
|
||||
} ];
|
||||
|
||||
remote = let
|
||||
via = with config.site.net.serv; [ hosts4.dns hosts6.up4.dns ];
|
||||
in [
|
||||
{
|
||||
id = "ns.c3d2.de";
|
||||
address = with config.site.net.serv; [ hosts4.knot hosts6.dn42.knot hosts6.up4.knot ];
|
||||
inherit via;
|
||||
} {
|
||||
id = "ns.spaceboyz.net";
|
||||
address = [
|
||||
"172.22.24.4"
|
||||
"37.27.116.148" "2a01:4f9:3070:2728::4"
|
||||
];
|
||||
inherit via;
|
||||
} {
|
||||
id = "ns1.supersandro.de";
|
||||
address = [ /*"188.34.196.104"*/ "2a01:4f8:1c1c:1d38::1" ];
|
||||
inherit via;
|
||||
} {
|
||||
id = "b.master.delegation-servers.dn42";
|
||||
address = [ "172.22.24.4" "fd42:180:3de0:30::1" ];
|
||||
}
|
||||
];
|
||||
|
||||
remotes = [
|
||||
{
|
||||
id = "all";
|
||||
remote = [ "ns.c3d2.de" "ns.spaceboyz.net" "ns1.supersandro.de" ];
|
||||
}
|
||||
{
|
||||
id = "dn42";
|
||||
remote = [ "b.master.delegation-servers.dn42" ];
|
||||
}
|
||||
];
|
||||
|
||||
server = {
|
||||
answer-rotation = true;
|
||||
automatic-acl = true;
|
||||
identity = "dns.serv.zentralwerk.org";
|
||||
listen = with config.site.net; [
|
||||
"127.0.0.1" "::1"
|
||||
serv.hosts4.dns serv.hosts6.up4.dns serv.hosts6.dn42.dns
|
||||
];
|
||||
tcp-fastopen = true;
|
||||
version = null;
|
||||
};
|
||||
|
||||
template = [
|
||||
{
|
||||
# default is a magic name and is always loaded.
|
||||
# Because we want to use catalog-role/catalog-zone settings for all zones *except* the catalog zone itself, we must split the templates
|
||||
id = "default";
|
||||
global-module = [ "mod-stats" ];
|
||||
}
|
||||
{
|
||||
id = "zentralwerk";
|
||||
catalog-role = "member";
|
||||
catalog-zone = "zentralwerk.";
|
||||
dnssec-signing = true;
|
||||
journal-content = "all"; # required for zonefile-load=difference-no-serial and makes cold starts like zone reloads
|
||||
module = "mod-stats/default";
|
||||
semantic-checks = true;
|
||||
serial-policy = "increment";
|
||||
storage = "/var/lib/knot/zones";
|
||||
zonefile-load = "difference-no-serial";
|
||||
}
|
||||
];
|
||||
|
||||
zone = [ {
|
||||
acl = "zone_xfr";
|
||||
catalog-role = "generate";
|
||||
domain = "zentralwerk.";
|
||||
notify = [ "ns1.supersandro.de" "ns.spaceboyz.net" ];
|
||||
storage = "/var/lib/knot/catalog";
|
||||
} ] ++ map generateZone config.site.dns.localZones;
|
||||
extraConfig = ''
|
||||
key "dyndns" {
|
||||
algorithm hmac-sha256;
|
||||
secret "${config.site.dyndnsKey}";
|
||||
};
|
||||
'';
|
||||
extraOptions = ''
|
||||
# allow underscores in dynamic hostnames
|
||||
${lib.concatMapStringsSep "\n" (type: ''
|
||||
check-names ${type} ignore;
|
||||
'') [ "master" "slave" "response" ]}
|
||||
'';
|
||||
});
|
||||
|
||||
systemd.services = {
|
||||
create-dynamic-zones = {
|
||||
systemd.services.create-dynamic-zones = {
|
||||
description = "Creates dynamic zone files";
|
||||
requiredBy = [ "knot.service" ];
|
||||
before = [ "knot.service" ];
|
||||
requiredBy = [ "bind.service" ];
|
||||
before = [ "bind.service" ];
|
||||
serviceConfig.Type = "oneshot";
|
||||
script = ''
|
||||
mkdir -p /var/lib/knot/zones
|
||||
mkdir -p /var/db/bind
|
||||
|
||||
${lib.concatMapStringsSep "\n" (zone@{ name, ... }: ''
|
||||
[ -e /var/lib/knot/zones/${name}.zone ] || \
|
||||
cp ${generateZoneFile zone} /var/lib/knot/zones/${name}.zone
|
||||
chown -R knot /var/lib/knot/zones
|
||||
chmod -R u+rwX /var/lib/knot/zones
|
||||
'') (builtins.filter ({ dynamic, ... }: dynamic) config.site.dns.localZones)}
|
||||
[ -e /var/db/bind/${name}.zone ] || \
|
||||
cp ${generateZoneFile zone} /var/db/bind/${name}.zone
|
||||
chown -R named /var/db/bind
|
||||
chmod -R u+rwX /var/db/bind
|
||||
'') (
|
||||
builtins.filter ({ dynamic, ... }: dynamic) config.site.dns.localZones
|
||||
)}
|
||||
'';
|
||||
};
|
||||
|
||||
update-dynamic-zones = {
|
||||
systemd.services.update-dynamic-zones = {
|
||||
description = "Creates initial records in dynamic zone files";
|
||||
requiredBy = [ "knot.service" ];
|
||||
after = [ "knot.service" ];
|
||||
requiredBy = [ "bind.service" ];
|
||||
after = [ "bind.service" ];
|
||||
serviceConfig.Type = "oneshot";
|
||||
path = [ pkgs.dnsutils ];
|
||||
script = lib.concatMapStrings (zone: ''
|
||||
nsupdate -v -y "hmac-sha256:dyndns:${config.site.dyndnsKey}" <<EOF
|
||||
script = ''
|
||||
${lib.concatMapStrings (zone: ''
|
||||
nsupdate -y "hmac-sha256:dyndns:${config.site.dyndnsKey}" <<EOF
|
||||
server localhost
|
||||
|
||||
${lib.concatMapStringsSep "\n" ({ name, type, data }: ''
|
||||
|
@ -245,8 +162,10 @@ in
|
|||
|
||||
send
|
||||
EOF
|
||||
'') (builtins.filter ({ dynamic, ... }: dynamic) config.site.dns.localZones);
|
||||
};
|
||||
'') (
|
||||
builtins.filter ({ dynamic, ... }: dynamic) config.site.dns.localZones
|
||||
)}
|
||||
'';
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
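Review bot: `nsupdate -y "hmac-sha256:dyndns:${config.site.dyndnsKey}" <<EOF` in the update-dynamic-zones script passes the TSIG secret as a command-line argument, so it is readable by every local user through the process list while nsupdate runs, and the rendered script itself lands in the world-readable Nix store; the same secret is also interpolated into named.conf through `secret "${config.site.dyndnsKey}";` in extraConfig. Reading it from a root-only key file instead, `nsupdate -k <PATH-TO-DYNDNS-KEYFILE> <<EOF` (placeholder path, provisioned outside the store), keeps it out of argv, and the `key "dyndns"` stanza in named.conf could be pulled from the same file with an `include`. The nsupdate heredoc continues between the `@ -73` and `@ -245` hunks, so the rest of the script body is not visible here.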
@ -1,99 +1,124 @@
|
|||
{ hostName, config, lib, pkgs, ... }:
|
||||
|
||||
lib.mkIf config.site.hosts.${hostName}.services.dnscache.enable {
|
||||
services.kresd = {
|
||||
services.unbound = {
|
||||
enable = true;
|
||||
instances = 4;
|
||||
listenPlain = [ "0.0.0.0:53" "[::0]:53" ];
|
||||
package = pkgs.knot-resolver.override { extraFeatures = true; };
|
||||
extraConfig = /* lua */ ''
|
||||
modules = {
|
||||
'http',
|
||||
'policy',
|
||||
'predict',
|
||||
'prefill',
|
||||
'serve_stale < cache', -- servce stail records while refreshing the record
|
||||
'workarounds < iterate', -- solve problems around specific broken subdomains, mainly disables case randomization
|
||||
'view'
|
||||
}
|
||||
settings = {
|
||||
remote-control = {
|
||||
control-enable = true;
|
||||
control-use-cert = false;
|
||||
};
|
||||
server = {
|
||||
num-threads = 4;
|
||||
verbosity = 1;
|
||||
prefetch = true;
|
||||
prefetch-key = true;
|
||||
serve-expired = true;
|
||||
cache-min-ttl = 60;
|
||||
cache-max-ttl = 3600;
|
||||
infra-cache-slabs = "8";
|
||||
key-cache-slabs = "8";
|
||||
msg-cache-slabs = "8";
|
||||
rrset-cache-slabs = "8";
|
||||
msg-cache-size = "256m"; # half again 128m?
|
||||
rrset-cache-size = "512m"; # half again 256m?
|
||||
|
||||
cache.size = 500 * MB
|
||||
cache.min_ttl(60)
|
||||
interface = [ "0.0.0.0" "'::0'" ];
|
||||
# TODO: generate
|
||||
access-control = builtins.concatLists [
|
||||
[ # localhost
|
||||
"::1/128 allow"
|
||||
"127.0.0.0/8 allow"
|
||||
]
|
||||
[ # mgmt
|
||||
"${config.site.net.mgmt.subnet4} allow"
|
||||
]
|
||||
[ # dn42
|
||||
"fd23:42:c3d2:500::/56 allow"
|
||||
"::172.20.72.0/117 allow"
|
||||
"::172.22.99.0/120 allow"
|
||||
"172.20.72.0/21 allow"
|
||||
"172.22.99.0/24 allow"
|
||||
]
|
||||
[ # freifunk
|
||||
"10.200.0.0/15 allow"
|
||||
]
|
||||
[ # DSI
|
||||
"2a00:8180:2000:37::1/128 allow"
|
||||
"2a00:8180:2c00:200::/56 allow"
|
||||
]
|
||||
[ # flpk
|
||||
"${config.site.net.flpk.subnet4} allow"
|
||||
"2a0f:5382:acab:1400::/56 allow"
|
||||
]
|
||||
[ # default
|
||||
"0.0.0.0/0 deny"
|
||||
"::/0 deny"
|
||||
]
|
||||
];
|
||||
# For DNS over TLS
|
||||
tls-cert-bundle = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
|
||||
|
||||
net.listen('127.0.0.1', 8453, { kind = 'webmgmt' })
|
||||
http.prometheus.namespace = 'resolver_'
|
||||
# allow reverse lookup of rfc1918 space, which includes the DN42 address space
|
||||
unblock-lan-zones = true;
|
||||
insecure-lan-zones = true;
|
||||
|
||||
-- dns42
|
||||
policy.add(policy.suffix(
|
||||
policy.STUB({'fd42:d42:d42:54::1', 'fd42:d42:d42:53::1', '172.20.0.53', '172.23.0.53'}),
|
||||
policy.todnames({'dn42.', 'd.f.ip6.arpa', '20.172.in-addr.arpa', '21.172.in-addr.arpa', '22.172.in-addr.arpa', '23.172.in-addr.arpa'})
|
||||
))
|
||||
domain-insecure = [
|
||||
"dn42"
|
||||
"d.f.ip6.arpa"
|
||||
"ffdd"
|
||||
];
|
||||
};
|
||||
|
||||
-- freifunk
|
||||
policy.add(policy.suffix(
|
||||
policy.STUB({'10.200.0.4', '10.200.0.16'}),
|
||||
policy.todnames({'ffdd.', '200.10.in-addr.arpa', '201.10.in-addr.arpa'})
|
||||
))
|
||||
|
||||
-- size.dns.localZones
|
||||
policy.add(policy.suffix(
|
||||
policy.STUB({'${config.site.net.serv.hosts4.dns}', ${lib.concatStringsSep ", " (map (hosts6: "'${hosts6.dns}'") (builtins.attrValues config.site.net.serv.hosts6))}}),
|
||||
policy.todnames({${lib.concatStringsSep ", " (map (zone: "'${zone.name}'") config.site.dns.localZones)}})
|
||||
))
|
||||
|
||||
-- forward to dns caches
|
||||
policy.add(policy.slice(
|
||||
policy.slice_randomize_psl(),
|
||||
-- quad9
|
||||
policy.TLS_FORWARD({
|
||||
{'2620:fe::fe', hostname='dns.quad9.net'},
|
||||
{'2620:fe::9', hostname='dns.quad9.net'},
|
||||
{'9.9.9.9', hostname='dns.quad9.net'},
|
||||
{'149.112.112.112', hostname='dns.quad9.net'}
|
||||
}),
|
||||
-- cloudflare
|
||||
policy.TLS_FORWARD({
|
||||
{'2606:4700:4700::1111', hostname='cloudflare-dns.com'},
|
||||
{'2606:4700:4700::1001', hostname='cloudflare-dns.com'},
|
||||
{'1.1.1.1', hostname='cloudflare-dns.com'},
|
||||
{'1.0.0.1', hostname='cloudflare-dns.com'}
|
||||
})
|
||||
))
|
||||
|
||||
-- allow access from our networks
|
||||
'' + lib.concatMapStringsSep "\n" (cidr: "view:addr('${cidr}', policy.all(policy.PASS))") [
|
||||
# localhost
|
||||
"::1/128" "127.0.0.0/8"
|
||||
# mgmt
|
||||
"${config.site.net.mgmt.subnet4}"
|
||||
# dn42
|
||||
"fd23:42:c3d2:500::/56" "::172.20.72.0/117" "::172.22.99.0/120"
|
||||
"172.20.72.0/21" "172.22.99.0/24"
|
||||
# freifunk
|
||||
"10.200.0.0/15"
|
||||
# DSI
|
||||
"2a00:8180:2000:37::1/128" "2a00:8180:2c00:200::/56"
|
||||
# flpk
|
||||
"${config.site.net.flpk.subnet4}" "2a0f:5382:acab:1400::/56 allow"
|
||||
] + "\n" + /* lua */ ''
|
||||
|
||||
-- drop everything that hasn't matched
|
||||
view:addr('0.0.0.0/0', policy.all(policy.DROP))
|
||||
view:addr('::/0', policy.all(policy.DROP))
|
||||
|
||||
predict = {
|
||||
window = 15, -- sampling window
|
||||
period = 24*(60/15) -- track last X hours, divide through sampling window
|
||||
}
|
||||
|
||||
prefill.config({
|
||||
['.'] = {
|
||||
url = 'https://www.internic.net/domain/root.zone',
|
||||
interval = 86400, -- seconds
|
||||
}
|
||||
})
|
||||
|
||||
trust_anchors.set_insecure({'dn42', 'd.f.ip6.arpa', 'ffdd'})
|
||||
'';
|
||||
forward-zone = let
|
||||
mkFfddZone = name: {
|
||||
inherit name;
|
||||
forward-addr = [ "10.200.0.4" "10.200.0.16" ];
|
||||
};
|
||||
in [ {
|
||||
name = ".";
|
||||
forward-tls-upstream = true;
|
||||
forward-addr = [
|
||||
# Quad9
|
||||
"2620:fe::fe@853#dns.quad9.net"
|
||||
"9.9.9.9@853#dns.quad9.net"
|
||||
"2620:fe::9@853#dns.quad9.net"
|
||||
"149.112.112.112@853#dns.quad9.net"
|
||||
# Cloudflare DNS
|
||||
"2606:4700:4700::1111@853#cloudflare-dns.com"
|
||||
"1.1.1.1@853#cloudflare-dns.com"
|
||||
"2606:4700:4700::1001@853#cloudflare-dns.com"
|
||||
"1.0.0.1@853#cloudflare-dns.com"
|
||||
];
|
||||
} ] ++
|
||||
# Local networks
|
||||
map ({ name, ... }: {
|
||||
name = "${name}";
|
||||
forward-addr = [ "${config.site.net.serv.hosts4.dns}" ] ++
|
||||
map (hosts6: hosts6.dns)
|
||||
(builtins.attrValues config.site.net.serv.hosts6);
|
||||
}) config.site.dns.localZones
|
||||
# Freifunk
|
||||
++ (map mkFfddZone [
|
||||
"ffdd"
|
||||
"200.10.in-addr.arpa"
|
||||
"201.10.in-addr.arpa"
|
||||
]);
|
||||
# DN42
|
||||
stub-zone = let
|
||||
mkDn42Zone = name: {
|
||||
inherit name;
|
||||
stub-prime = true;
|
||||
stub-addr = [
|
||||
"172.20.0.53" "fd42:d42:d42:54::1"
|
||||
"172.23.0.53" "fd42:d42:d42:53::1"
|
||||
];
|
||||
};
|
||||
in map mkDn42Zone [
|
||||
"dn42" "d.f.ip6.arpa"
|
||||
"20.172.in-addr.arpa" "21.172.in-addr.arpa"
|
||||
"22.172.in-addr.arpa" "23.172.in-addr.arpa"
|
||||
];
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
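Review bot: `interface = [ "0.0.0.0" "'::0'" ];` carries literal single quotes into the generated unbound.conf for the IPv6 listener, unlike the bare IPv4 entry beside it; unless unbound's parser strips single quotes (worth confirming), the IPv6 socket will not be opened, and `"::0"` would match the surrounding style either way. The `# TODO: generate` comment above access-control should say what it would be generated from, since the list already mixes `config.site.net.*.subnet4` values with hard-coded prefixes and a reader cannot tell which entries are meant to stay manual. `control-use-cert = false` under remote-control presumably relies on no control-interface being set, so only the default loopback control socket is exposed; a one-line comment recording that assumption would stop someone adding a network control-interface later without re-enabling certificates.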
@ -1,114 +0,0 @@
|
|||
{ config, lib, ... }:
|
||||
|
||||
let
|
||||
|
||||
inherit (config.networking) hostName;
|
||||
|
||||
interfaces = config.site.hosts.${hostName}.physicalInterfaces;
|
||||
|
||||
# linux iface name max length = 15
|
||||
shortenNetName = name:
|
||||
if builtins.match "priv(.*)" name != null
|
||||
then "p" + builtins.substring 4 9 name
|
||||
else if name == "coloradio"
|
||||
then "cr"
|
||||
else if name == "coloradio-gw"
|
||||
then "cr-gw"
|
||||
else name;
|
||||
|
||||
checkIfname = ifname: let
|
||||
len = builtins.stringLength ifname;
|
||||
in if len > 15
|
||||
then throw "Interface name ${ifname} is ${toString (len - 15)} chars too long."
|
||||
else ifname;
|
||||
|
||||
# `lxc.net.*` formatter for lxc.container.conf files
|
||||
netConfig =
|
||||
let
|
||||
attrNamesOrdered = attrs:
|
||||
if attrs ? type
|
||||
then [ "type" ] ++ lib.remove "type" (builtins.attrNames attrs)
|
||||
else builtins.attrNames attrs;
|
||||
|
||||
serialize = name: x:
|
||||
if builtins.isString x
|
||||
then "${name} = ${x}\n"
|
||||
else if builtins.isAttrs x
|
||||
then builtins.concatStringsSep "" (
|
||||
map (n: serialize "${name}.${n}" x.${n}) (attrNamesOrdered x)
|
||||
)
|
||||
else if builtins.isList x
|
||||
then
|
||||
let
|
||||
enumerate = xs: n:
|
||||
if xs == []
|
||||
then []
|
||||
else [ {
|
||||
e = builtins.head xs;
|
||||
i = n;
|
||||
} ] ++ enumerate (builtins.tail xs) (n + 1);
|
||||
in
|
||||
builtins.concatStringsSep "" (
|
||||
map ({ e, i }: serialize "${name}.${toString i}" e) (enumerate x 0)
|
||||
)
|
||||
else throw "Invalid data in lxc net config for ${name}: ${lib.generators.toPretty {} x}";
|
||||
|
||||
in
|
||||
serialize "lxc.net" (
|
||||
map (netName:
|
||||
let
|
||||
ifData = interfaces.${netName};
|
||||
in {
|
||||
type = ifData.type;
|
||||
name = checkIfname netName;
|
||||
flags = "up";
|
||||
hwaddr = if ifData ? hwaddr && ifData.hwaddr != null
|
||||
then ifData.hwaddr
|
||||
else "0A:14:48:xx:xx:xx";
|
||||
} // (lib.optionalAttrs (ifData.type == "veth") {
|
||||
veth.pair = checkIfname "${shortenNetName hostName}-${shortenNetName netName}";
|
||||
veth.mode = checkIfname "bridge";
|
||||
link = checkIfname netName;
|
||||
}) // (lib.optionalAttrs (ifData.type == "phys") {
|
||||
link = checkIfname "ext-${netName}";
|
||||
})
|
||||
) (builtins.attrNames interfaces)
|
||||
);
|
||||
|
||||
in
|
||||
{
|
||||
system.build.lxcConfig = builtins.toFile "${hostName}.conf" ''
|
||||
# For lxcfs and sane defaults
|
||||
lxc.include = /etc/lxc/common.conf
|
||||
|
||||
lxc.uts.name = ${hostName}
|
||||
# Handled by lxc@.service
|
||||
lxc.start.auto = 0
|
||||
lxc.rootfs.path = /var/lib/lxc/${hostName}/rootfs
|
||||
lxc.init.cmd = "/init"
|
||||
|
||||
lxc.mount.entry = /nix/store nix/store none bind,ro 0 0
|
||||
lxc.mount.entry = none tmp tmpfs defaults 0 0
|
||||
lxc.mount.auto = proc:mixed sys:ro cgroup:mixed
|
||||
|
||||
lxc.autodev = 1
|
||||
lxc.tty.max = 0
|
||||
lxc.pty.max = 8
|
||||
|
||||
lxc.cap.drop = sys_module sys_time sys_nice sys_pacct sys_rawio
|
||||
security.privileged = false
|
||||
lxc.apparmor.profile = lxc-container-default-with-mounting
|
||||
|
||||
lxc.cgroup.memory.limit_in_bytes = 1G
|
||||
lxc.cgroup.memory.kmem.tcp.limit_in_bytes = 128M
|
||||
|
||||
# tuntap
|
||||
lxc.cgroup.devices.allow = c 10:200 rw
|
||||
lxc.cgroup2.devices.allow = c 10:200 rw
|
||||
# ppp
|
||||
lxc.cgroup.devices.allow = c 108:0 rwm
|
||||
lxc.cgroup2.devices.allow = c 108:0 rwm
|
||||
|
||||
${netConfig}
|
||||
'';
|
||||
}
|
|
@ -1,4 +1,4 @@
|
|||
{ hostName, config, lib, pkgs, ... }:
|
||||
{ hostName, config, lib, ... }:
|
||||
|
||||
let
|
||||
hostConf = config.site.hosts.${hostName};
|
||||
|
@ -98,24 +98,11 @@ in
|
|||
|
||||
${lib.optionalString (staticIpv4Address != null) ''
|
||||
# Allow connections to ${staticIpv4Address} from other hosts behind NAT
|
||||
${lib.concatMapStrings (fwd: let
|
||||
m = builtins.match "([0-9.]+):([0-9-]+)" fwd.destination;
|
||||
destinationIP = if m == null then throw "bad ip:ports `${fwd.destination}'" else lib.elemAt m 0;
|
||||
destinationPorts = if m == null then throw "bad ip:ports `${fwd.destination}'" else builtins.replaceStrings ["-"] [":"] (lib.elemAt m 1);
|
||||
in ''
|
||||
iptables -t nat -A nixos-nat-pre \
|
||||
${lib.concatMapStrings (fwd: ''
|
||||
iptables -t nat -t nat -A nixos-nat-pre \
|
||||
-d ${staticIpv4Address} -p ${fwd.proto} \
|
||||
--dport ${builtins.toString fwd.sourcePort} \
|
||||
-j DNAT --to-destination ${fwd.destination}
|
||||
|
||||
iptables -t nat -A nixos-nat-post \
|
||||
-d ${destinationIP} -p ${fwd.proto} \
|
||||
--dport ${destinationPorts} \
|
||||
-s 172.20.72.0/21 -j MASQUERADE
|
||||
iptables -t nat -A nixos-nat-post \
|
||||
-d ${destinationIP} -p ${fwd.proto} \
|
||||
--dport ${destinationPorts} \
|
||||
-s ${config.site.net.c3d2.subnet4} -j MASQUERADE
|
||||
'') config.networking.nat.forwardPorts}
|
||||
''}
|
||||
|
||||
|
@ -139,10 +126,6 @@ in
|
|||
-j RETURN
|
||||
'') upstreamInterfaces.${net}.upstream.noNat.subnets6
|
||||
) (builtins.attrNames upstreamInterfaces)}
|
||||
|
||||
# There just have been moments without a complete ruleset. Flush
|
||||
# out invalid conntrack states!
|
||||
${pkgs.conntrack-tools}/bin/conntrack -F
|
||||
'';
|
||||
extraStopCommands = ''
|
||||
iptables -F FORWARD 2>/dev/null || true
|
||||
|
|
|
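Review bot: `iptables -t nat -t nat -A nixos-nat-pre \` repeats the `-t nat` option in the per-forward DNAT rule; whether iptables tolerates or rejects the duplicate, it reads as an editing slip and should be `iptables -t nat -A nixos-nat-pre \`. The enclosing `lib.optionalString (staticIpv4Address != null)` block starts before the `@ -98` hunk, so it is not visible whether other rules in the same script carry the same duplicate.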
@ -26,7 +26,7 @@ in lib.mkIf (pppoeInterfaces != {}) {
|
|||
enable = true;
|
||||
autostart = true;
|
||||
config = ''
|
||||
plugin pppoe.so
|
||||
plugin rp-pppoe.so
|
||||
nic-${upstream.link}
|
||||
ifname ${ifName}
|
||||
# Login settings. (PAP)
|
||||
|
|
|
@ -1,13 +1,13 @@
|
|||
# Pulls together NixOS configuration modules according to the
|
||||
# name/role of the host to be built.
|
||||
{ hostName, lib, ... }:
|
||||
{ hostName, config, lib, ... }:
|
||||
|
||||
let
|
||||
inherit (lib) optionals;
|
||||
|
||||
hostConfig = lib.config.site.hosts.${hostName};
|
||||
in {
|
||||
inherit (lib.config) site;
|
||||
site = lib.config.site;
|
||||
|
||||
imports = [
|
||||
../lib/config/options.nix
|
||||
|
@ -20,7 +20,6 @@ in {
|
|||
./server/default.nix
|
||||
] ++
|
||||
optionals (hostConfig.role == "container") [
|
||||
./container/lxc-config.nix
|
||||
./container/defaults.nix
|
||||
./container/dhcp-server.nix
|
||||
./container/wireguard.nix
|
||||
|
|
|
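Review bot: `{ hostName, config, lib, ... }:` adds `config` to the module arguments, but none of the visible lines use it — `hostConfig` and `site` are still read from `lib.config`. If the rest of the file does not use it either, drop it so the signature matches what the module consumes; if it does, a comment next to `hostConfig = lib.config.site.hosts.${hostName};` explaining why the site configuration is read from `lib.config` rather than `config` would help, since both are in scope and look interchangeable. The imports list continues past the `@ -20` hunk.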
@ -1,4 +1,4 @@
|
|||
{ hostName, inputs, config, lib, pkgs, ... }:
|
||||
{ hostName, inputs, lib, pkgs, ... }:
|
||||
|
||||
{
|
||||
boot.kernelParams = [
|
||||
|
@ -7,9 +7,11 @@
|
|||
# Prevents automatic creation of interface bond0 by the kernel
|
||||
"bonding.max_bonds=0"
|
||||
];
|
||||
boot.tmp.useTmpfs = true;
|
||||
boot.tmpOnTmpfs = true;
|
||||
# Includes wireguard
|
||||
boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
|
||||
boot.kernelPackages = pkgs.linuxPackages_latest;
|
||||
# Keep building
|
||||
boot.zfs.enableUnstable = true;
|
||||
|
||||
# no persistent logs
|
||||
services.journald.extraConfig = ''
|
||||
|
@ -33,8 +35,8 @@
|
|||
};
|
||||
|
||||
documentation = {
|
||||
enable = lib.mkForce false;
|
||||
nixos.enable = lib.mkForce false;
|
||||
enable = false;
|
||||
nixos.enable = false;
|
||||
};
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
|
@ -42,8 +44,6 @@
|
|||
bridge-utils
|
||||
conntrack-tools
|
||||
dhcpcd
|
||||
dhcpdump
|
||||
dig
|
||||
ethtool
|
||||
git
|
||||
iftop
|
||||
|
@ -56,7 +56,6 @@
|
|||
screen
|
||||
speedtest-cli
|
||||
tcpdump
|
||||
tmux
|
||||
traceroute
|
||||
vim
|
||||
wget
|
||||
|
@ -64,25 +63,6 @@
|
|||
|
||||
networking.hostName = hostName;
|
||||
|
||||
programs = {
|
||||
fzf.keybindings = true;
|
||||
git = {
|
||||
enable = true;
|
||||
config = {
|
||||
alias = {
|
||||
co = "checkout";
|
||||
lg = "log --graph --abbrev-commit --decorate --format=format:'%C(bold blue)%h%C(reset) - %C(bold green)(%ar)%C(reset) %C(white)%s%C(reset) %C(dim white)- %an%C(reset)%C(bold y
|
||||
ow)%d%C(reset)'";
|
||||
remote = "remote -v";
|
||||
st = "status";
|
||||
undo = "reset --soft HEAD^";
|
||||
};
|
||||
pull.rebase = true;
|
||||
rebase.autoStash = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
users.users.root.initialHashedPassword = "";
|
||||
|
||||
system.stateVersion = "20.09";
|
||||
|
|
|
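Review bot: `users.users.root.initialHashedPassword = "";` (context in the `@ -64,25 +63,6 @@` hunk) leaves root with an empty password on every host that imports this module, so any console, serial or container-attach session logs in as root without a credential; the hunk removes the git/fzf programs block around it but keeps this line. If the empty password is deliberate for first-boot access, a comment stating that and how it is cleared afterwards belongs on the line; otherwise remove it and rely on key-based access (the server config in this compare sets permitRootLogin to prohibit-password). The part of the module before the `@ -64` hunk is not visible here.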
@ -1,18 +1,11 @@
|
|||
{ hostName, config, lib, ... }:
|
||||
|
||||
let
|
||||
hostConfig = config.site.hosts.${hostName};
|
||||
|
||||
in {
|
||||
networking.firewall = lib.mkIf hostConfig.firewall.enable {
|
||||
lib.mkIf config.site.hosts.${hostName}.firewall.enable {
|
||||
networking.firewall = {
|
||||
enable = true;
|
||||
extraCommands = ''
|
||||
${lib.optionalString hostConfig.isRouter ''
|
||||
ip46tables -I nixos-fw -p ospfigp -j ACCEPT
|
||||
''}
|
||||
|
||||
ip46tables -A FORWARD -i core -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
ip46tables -A FORWARD -i core -j REJECT
|
||||
ip46tables -A FORWARD -i core -j REJECT --reject-with net-unreach
|
||||
'';
|
||||
extraStopCommands = ''
|
||||
ip46tables -F FORWARD
|
||||
|
|
|
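Review bot: `ip46tables -A FORWARD -i core -j REJECT --reject-with net-unreach` runs the same REJECT target through both iptables and ip6tables, but `net-unreach` is an IPv4 ICMP reject type; ip6tables expects one of its own (`icmp6-no-route`/`no-route`, `icmp6-adm-prohibited`, …), so the IPv6 half of the rule is likely to fail to load and leave IPv6 forwarding from `core` without the intended reject. Splitting the line into `iptables -A FORWARD -i core -j REJECT --reject-with net-unreach` and `ip6tables -A FORWARD -i core -j REJECT --reject-with no-route` keeps the unreachable semantics on both families. Whether NixOS's `ip46tables` wrapper aborts the start script on that error or only logs it is not visible here, so the practical effect should be checked on a router.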
@ -8,20 +8,14 @@
|
|||
time.timeZone = "Europe/Berlin";
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
git
|
||||
inetutils # telnet
|
||||
wget vim git screen
|
||||
ipmitool
|
||||
liboping # noping
|
||||
screen
|
||||
vim
|
||||
wget
|
||||
];
|
||||
|
||||
services.openssh = {
|
||||
enable = true;
|
||||
settings.PermitRootLogin = "prohibit-password";
|
||||
};
|
||||
services.openssh.enable = true;
|
||||
services.openssh.permitRootLogin = "prohibit-password";
|
||||
|
||||
# additional config for bare metal
|
||||
services.collectd.plugins.ipmi = "";
|
||||
services.collectd = {
|
||||
plugins.ipmi = "";
|
||||
};
|
||||
}
|
||||
|
|
|
@ -10,6 +10,70 @@ let
|
|||
|
||||
enabled = containers != {};
|
||||
|
||||
# linux iface name max length = 15
|
||||
shortenNetName = name:
|
||||
if builtins.match "priv(.*)" name != null
|
||||
then "p" + builtins.substring 4 9 name
|
||||
else name;
|
||||
|
||||
checkIfname = ifname: let
|
||||
len = builtins.stringLength ifname;
|
||||
in if len > 15
|
||||
then throw "Interface name ${ifname} is ${toString (len - 15)} chars too long."
|
||||
else ifname;
|
||||
|
||||
# `lxc.net.*` formatter for lxc.container.conf files
|
||||
netConfig = ctName: interfaces:
|
||||
let
|
||||
config = map (netName:
|
||||
let
|
||||
ifData = interfaces.${netName};
|
||||
in {
|
||||
type = ifData.type;
|
||||
name = checkIfname netName;
|
||||
flags = "up";
|
||||
hwaddr = if ifData ? hwaddr && ifData.hwaddr != null
|
||||
then ifData.hwaddr
|
||||
else "0A:14:48:xx:xx:xx";
|
||||
} // (lib.optionalAttrs (ifData.type == "veth") {
|
||||
veth.pair = checkIfname "${shortenNetName ctName}-${shortenNetName netName}";
|
||||
veth.mode = checkIfname "bridge";
|
||||
link = checkIfname netName;
|
||||
}) // (lib.optionalAttrs (ifData.type == "phys") {
|
||||
link = checkIfname "ext-${netName}";
|
||||
})
|
||||
) (builtins.attrNames interfaces);
|
||||
|
||||
attrNamesOrdered = attrs:
|
||||
if attrs ? type
|
||||
then [ "type" ] ++ lib.remove "type" (builtins.attrNames attrs)
|
||||
else builtins.attrNames attrs;
|
||||
|
||||
serialize = name: x:
|
||||
if builtins.isString x
|
||||
then "${name} = ${x}\n"
|
||||
else if builtins.isAttrs x
|
||||
then builtins.concatStringsSep "" (
|
||||
map (n: serialize "${name}.${n}" x.${n}) (attrNamesOrdered x)
|
||||
)
|
||||
else if builtins.isList x
|
||||
then
|
||||
let
|
||||
enumerate = xs: n:
|
||||
if xs == []
|
||||
then []
|
||||
else [ {
|
||||
e = builtins.head xs;
|
||||
i = n;
|
||||
} ] ++ enumerate (builtins.tail xs) (n + 1);
|
||||
in
|
||||
builtins.concatStringsSep "" (
|
||||
map ({ e, i }: serialize "${name}.${toString i}" e) (enumerate x 0)
|
||||
)
|
||||
else throw "Invalid data in lxc net config for ${name}: ${lib.generators.toPretty {} x}";
|
||||
in
|
||||
serialize "lxc.net" config;
|
||||
|
||||
# User-facing script to build/update container NixOS systems
|
||||
build-script = pkgs.writeScriptBin "build-container" ''
|
||||
#! ${pkgs.runtimeShell} -e
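Review bot: `veth.mode = checkIfname "bridge";` runs the 15-character interface-name check on a literal mode value; `veth.mode` is not an interface name, so this should simply be `veth.mode = "bridge";`, leaving `checkIfname` on the three values that are actually names (`name`, `veth.pair`, `link`). The hand-rolled `enumerate` inside `serialize` duplicates `lib.imap0`: `map ({ e, i }: …) (enumerate x 0)` can become `lib.imap0 (i: e: serialize "${name}.${toString i}" e) x`. The `hwaddr` fallback `0A:14:48:xx:xx:xx` deserves a one-line comment saying that the `xx` octets are presumably meant to be filled in by LXC at container start, because a reader may otherwise take it for a placeholder left behind by mistake. `build-script` begins on the last line of the hunk and continues outside it.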
|
||||
|
@ -30,7 +94,6 @@ let
|
|||
${ctName})
|
||||
echo Using prebuilt system for container $c
|
||||
SYSTEM=${self.packages.x86_64-linux."${ctName}-rootfs"}
|
||||
CONFIG=${self.packages.x86_64-linux."${ctName}-lxc-config"}
|
||||
;;
|
||||
'') (
|
||||
builtins.attrNames (
|
||||
|
@ -42,8 +105,6 @@ let
|
|||
echo Building $c
|
||||
nix build -o /nix/var/nix/gcroots/lxc/$c zentralwerk-network#$c-rootfs
|
||||
SYSTEM=$(readlink /nix/var/nix/gcroots/lxc/$c)
|
||||
nix build -o /nix/var/nix/gcroots/lxc/$c.config zentralwerk-network#$c-lxc-config
|
||||
CONFIG=$(readlink /nix/var/nix/gcroots/lxc/$c.config)
|
||||
;;
|
||||
esac
|
||||
|
||||
|
@ -56,7 +117,6 @@ let
|
|||
mkdir -p /var/lib/lxc/$c/rootfs/$d
|
||||
done
|
||||
ln -fs $SYSTEM/init /var/lib/lxc/$c/rootfs/init
|
||||
ln -fs $CONFIG /var/lib/lxc/$c/config
|
||||
done
|
||||
|
||||
# Activate all the desired container after all of them are
|
||||
|
@ -102,8 +162,10 @@ in
|
|||
|
||||
virtualisation.lxc = lib.mkIf enabled {
|
||||
enable = true;
|
||||
# Container configs live in /etc so that they can be created
|
||||
# through `environment.etc`.
|
||||
systemConfig = ''
|
||||
lxc.lxcpath = /var/lib/lxc
|
||||
lxc.lxcpath = /etc/lxc/containers
|
||||
'';
|
||||
};
|
||||
|
||||
|
@ -114,7 +176,50 @@ in
|
|||
enable-script disable-script
|
||||
];
|
||||
|
||||
environment.etc."lxc/common.conf".source = "${pkgs.lxc}/share/lxc/config/common.conf";
|
||||
# Create lxc.container.conf files
|
||||
environment.etc =
|
||||
builtins.foldl' (etc: ctName: etc // {
|
||||
"lxc/containers/${ctName}/config" = {
|
||||
enable = true;
|
||||
source =
|
||||
builtins.toFile "${ctName}.conf" ''
|
||||
# For lxcfs and sane defaults
|
||||
lxc.include = /etc/lxc/common.conf
|
||||
|
||||
lxc.uts.name = ${ctName}
|
||||
# Handled by lxc@.service
|
||||
lxc.start.auto = 0
|
||||
lxc.rootfs.path = /var/lib/lxc/${ctName}/rootfs
|
||||
lxc.init.cmd = "/init"
|
||||
|
||||
lxc.mount.entry = /nix/store nix/store none bind,ro 0 0
|
||||
lxc.mount.entry = none tmp tmpfs defaults 0 0
|
||||
lxc,mount.auto = proc:mixed sys:ro cgroup:mixed
|
||||
|
||||
lxc.autodev = 1
|
||||
lxc.tty.max = 0
|
||||
lxc.pty.max = 8
|
||||
|
||||
lxc.cap.drop = sys_module sys_time sys_nice sys_pacct sys_rawio
|
||||
security.privileged = false
|
||||
lxc.apparmor.profile = lxc-container-default-with-mounting
|
||||
|
||||
lxc.cgroup.memory.limit_in_bytes = 1G
|
||||
lxc.cgroup.memory.kmem.tcp.limit_in_bytes = 128M
|
||||
|
||||
# tuntap
|
||||
lxc.cgroup.devices.allow = c 10:200 rw
|
||||
lxc.cgroup2.devices.allow = c 10:200 rw
|
||||
# ppp
|
||||
lxc.cgroup.devices.allow = c 108:0 rwm
|
||||
lxc.cgroup2.devices.allow = c 108:0 rwm
|
||||
|
||||
${netConfig ctName containers.${ctName}.physicalInterfaces}
|
||||
'';
|
||||
};
|
||||
}) {
|
||||
"lxc/common.conf".source = "${pkgs.lxc}/share/lxc/config/common.conf";
|
||||
} (builtins.attrNames containers);
|
||||
|
||||
# Systemd service template for LXC containers
|
||||
systemd.services."lxc@" = {
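Review bot: `lxc,mount.auto = proc:mixed sys:ro cgroup:mixed` has a comma where the key needs a dot; as written it is not the `lxc.mount.auto` key, so the `proc:mixed` and `sys:ro` restrictions it is meant to impose are lost (silently or with a parse failure, depending on how strict the installed LXC is) — it should read `lxc.mount.auto = proc:mixed sys:ro cgroup:mixed`. `security.privileged = false` is likewise not an LXC configuration key (it is the LXD/Incus spelling); LXC only runs a container unprivileged when `lxc.idmap` entries map the uid/gid ranges, and none appear here, so the containers stay privileged and `lxc.cap.drop` plus the AppArmor profile are the main confinement in effect. `lxc.apparmor.profile = lxc-container-default-with-mounting` also assumes AppArmor is enabled on the host, which nothing in the hunk shows; a comment pointing at where that is enabled, or a check that the profile is loaded, would help. The `environment.etc` fold closes inside the hunk, but `systemd.services."lxc@"` on its last line continues outside it.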
|
||||
|
@ -143,8 +248,6 @@ in
|
|||
Restart = "always";
|
||||
RestartSec = "1s";
|
||||
};
|
||||
# Prevent restart on host nixos-rebuild switch
|
||||
restartIfChanged = false;
|
||||
};
|
||||
|
||||
# Starts all the containers after boot
|
||||
|
|
|
@ -114,7 +114,5 @@ in
|
|||
networkConfig.Bridge = net;
|
||||
};
|
||||
}) {} ctNets;
|
||||
|
||||
wait-online.anyInterface = true;
|
||||
};
|
||||
}
|
||||
|
|
|
@ -12,6 +12,7 @@
|
|||
boot.initrd.kernelModules = [ ];
|
||||
boot.extraModulePackages = [ ];
|
||||
nixpkgs.config.allowBroken = true;
|
||||
boot.zfs.enableUnstable = true;
|
||||
boot.supportedFilesystems = [ "zfs" ];
|
||||
boot.initrd.supportedFilesystems = [ "zfs" ];
|
||||
# Required for Broadcom NICs
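Review bot: `nixpkgs.config.allowBroken = true;` is a host-wide override that lets every package marked `broken` build, not only the one the unstable ZFS module next to it presumably needs (the header shows one added line, and the rendered page does not say which). A comment naming the package that required it, e.g. `# allowBroken: only needed for <package> with boot.zfs.enableUnstable; drop when fixed`, would let the override be removed instead of quietly masking other known-bad builds later. The same pair of lines appears again in the next hunk (`@ -4,6 +4,7 @@`) and the same comment applies there.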
|
||||
|
|
|
@ -4,6 +4,7 @@
|
|||
boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "usbhid" "sd_mod" "sr_mod" ];
|
||||
boot.initrd.kernelModules = [ ];
|
||||
nixpkgs.config.allowBroken = true;
|
||||
boot.zfs.enableUnstable = true;
|
||||
boot.supportedFilesystems = [ "zfs" ];
|
||||
boot.initrd.supportedFilesystems = [ "zfs" ];
|
||||
boot.extraModulePackages = [ ];
|
||||
|
@ -38,6 +39,7 @@
|
|||
};
|
||||
|
||||
boot.loader.grub.enable = true;
|
||||
boot.loader.grub.version = 2;
|
||||
boot.loader.grub.device = "/dev/sda";
|
||||
|
||||
networking.hostName = "server2"; # Define your hostname.
|
||||
|
|
|
@ -7,14 +7,11 @@ let
|
|||
inherit (pkgs) lib;
|
||||
|
||||
export-openwrt-models = pkgs.writeText "openwrt-models.nix" (
|
||||
lib.generators.toPretty {} self.lib.openwrtModels
|
||||
nixpkgs.lib.generators.toPretty {} self.lib.openwrtModels
|
||||
);
|
||||
export-config = pkgs.writeText "config.nix" (
|
||||
lib.generators.toPretty {} (
|
||||
lib.recursiveUpdate
|
||||
config
|
||||
{ site.dns.localZones = self.lib.dns.localZones; }
|
||||
));
|
||||
nixpkgs.lib.generators.toPretty {} (lib.filterAttrsRecursive (n: v: n != "net-combined") config)
|
||||
);
|
||||
|
||||
encrypt-secrets = pkgs.writeScriptBin "encrypt-secrets" ''
|
||||
#! ${pkgs.runtimeShell} -e
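Review bot: `export-config` serialises the entire evaluated `config` with `lib.generators.toPretty` into a `pkgs.writeText` store path, and a store path is readable by every user on the build host and by anything the store is shared with. The site configuration does carry credentials — the junos hunk further down interpolates `hostConfig.password`, which presumably comes from `config.site.hosts` — so unless those attributes are stripped first, both variants of this expression copy secrets into the store; the side that filters only `net-combined` does not address this, and the side that merges in `dns.localZones` does not either. A filter on the secret-bearing attribute names before `toPretty`, or a comment stating that `config` is already scrubbed upstream, would settle it. The `let` block this sits in starts before the hunk.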
|
||||
|
@ -45,7 +42,7 @@ let
|
|||
'';
|
||||
|
||||
network-cypher-graphs = import ./network-cypher-graphs.nix { inherit config pkgs; };
|
||||
network-graphs = import ./network-graphs.nix { inherit config lib pkgs; };
|
||||
network-graphs = import ./network-graphs.nix { inherit config pkgs; };
|
||||
|
||||
mkRootfs = hostName:
|
||||
self.nixosConfigurations.${hostName}.config.system.build.toplevel;
|
||||
|
@ -55,20 +52,7 @@ let
|
|||
"${hostName}-rootfs" = mkRootfs hostName;
|
||||
}) {} (
|
||||
builtins.attrNames (
|
||||
lib.filterAttrs (_: { role, ... }: builtins.elem role ["server" "container"])
|
||||
config.site.hosts
|
||||
)
|
||||
);
|
||||
|
||||
mkLxcConfig = hostName:
|
||||
self.nixosConfigurations.${hostName}.config.system.build.lxcConfig;
|
||||
|
||||
lxc-configs =
|
||||
builtins.foldl' (rootfs: hostName: rootfs // {
|
||||
"${hostName}-lxc-config" = mkLxcConfig hostName;
|
||||
}) {} (
|
||||
builtins.attrNames (
|
||||
lib.filterAttrs (_: { role, ... }: role == "container")
|
||||
nixpkgs.lib.filterAttrs (_: { role, ... }: builtins.elem role ["server" "container"])
|
||||
config.site.hosts
|
||||
)
|
||||
);
|
||||
|
@ -81,7 +65,7 @@ let
|
|||
});
|
||||
}) {} (
|
||||
builtins.attrNames (
|
||||
lib.filterAttrs (_: { role, ... }: role == "server")
|
||||
nixpkgs.lib.filterAttrs (_: { role, ... }: role == "server")
|
||||
config.site.hosts
|
||||
)
|
||||
);
|
||||
|
@ -95,7 +79,7 @@ let
|
|||
"${hostName}-image" = openwrt.buildImage hostName;
|
||||
}) {} (
|
||||
builtins.attrNames (
|
||||
lib.filterAttrs (_: { role, ... }:
|
||||
nixpkgs.lib.filterAttrs (_: { role, ... }:
|
||||
role == "ap"
|
||||
) config.site.hosts
|
||||
)
|
||||
|
@ -133,7 +117,7 @@ let
|
|||
inherit self;
|
||||
};
|
||||
in
|
||||
rootfs-packages // lxc-configs // vm-packages // device-templates // openwrt-packages // network-graphs // network-cypher-graphs // starlink // subnetplans // {
|
||||
rootfs-packages // vm-packages // device-templates // openwrt-packages // network-graphs // network-cypher-graphs // starlink // subnetplans // {
|
||||
inherit export-openwrt-models export-config dns-slaves
|
||||
encrypt-secrets decrypt-secrets switch-to-production
|
||||
homepage gateway-report switch-report vlan-report
|
||||
|
|
|
@ -1,5 +0,0 @@
|
|||
{
|
||||
"captive": false,
|
||||
"user-portal-url": "https://zentralwerk.org/",
|
||||
"venue-info-url": "https://zentralwerk.org/"
|
||||
}
|
|
@ -65,8 +65,6 @@ stdenv.mkDerivation {
|
|||
|
||||
ln -s ${network-graphs}/share/doc/zentralwerk/* $DIR/
|
||||
ln -s ${../../../doc/core.png} $DIR/core.png
|
||||
ln -s ${./security.txt} $DIR/security.txt
|
||||
ln -s ${./captive.json} $DIR/captive.json
|
||||
cp *.{html,css,png,svg} $DIR/
|
||||
|
||||
mkdir -p $out/nix-support
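Review bot: The side with fewer lines no longer links `security.txt` into the published site (the header's `+65,6` drops two of the eight lines, and a three-line `security.txt` is deleted elsewhere in this compare), which removes the RFC 9116 vulnerability-disclosure contact from the homepage. If that is deliberate it deserves a sentence in the commit message; if it is a merge artifact, restore `ln -s ${./security.txt} $DIR/security.txt` together with the file. When the file returns, note that as deleted it lacked the `Expires:` field that RFC 9116 makes mandatory, and that the `captive.json` link removed at the same spot drops the RFC 8908 captive-portal API document as well.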
|
||||
|
|
|
@ -1,3 +0,0 @@
|
|||
Contact: mailto:astro@spaceboyz.net
|
||||
Preferred-Languages: en, de
|
||||
Hiring: https://www.c3d2.de/space.html
|
|
@ -1,5 +1,7 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
{ config, pkgs, ... }:
|
||||
let
|
||||
inherit (pkgs) lib runCommand graphviz;
|
||||
|
||||
netColor = net:
|
||||
if net == "core"
|
||||
then "grey"
|
||||
|
@ -80,13 +82,13 @@ let
|
|||
}
|
||||
'';
|
||||
renderGraph = args@{ name, engine, ... }:
|
||||
pkgs.runCommand "${name}.png" {
|
||||
runCommand "${name}.png" {
|
||||
src = builtins.toFile "${name}.dot" (
|
||||
toDot args
|
||||
);
|
||||
} ''
|
||||
echo $src
|
||||
${pkgs.graphviz-nox}/bin/${engine} -Tpng $src > $out
|
||||
${graphviz}/bin/${engine} -Tpng $src > $out
|
||||
'';
|
||||
|
||||
in rec {
|
||||
|
@ -160,7 +162,7 @@ in rec {
|
|||
) (builtins.attrNames containers);
|
||||
};
|
||||
|
||||
network-graphs = pkgs.runCommand "network-graphs" {} ''
|
||||
network-graphs = runCommand "network-graphs" {} ''
|
||||
DIR=$out/share/doc/zentralwerk
|
||||
mkdir -p $DIR
|
||||
ln -s ${physical-graph} $DIR/physical.png
|
||||
|
|
|
@ -7,11 +7,11 @@ let
|
|||
|
||||
modelPackages = {
|
||||
"tplink_archer-c7-v2" = [
|
||||
"-kmod-ath10k-ct" "-ath10k-firmware-qca988x-ct-full-htt" "-ath10k-firmware-qca988x-ct"
|
||||
"-kmod-ath10k-ct" "-ath10k-firmware-qca988x-ct"
|
||||
"kmod-ath10k" "ath10k-firmware-qca988x"
|
||||
];
|
||||
"tplink_archer-c7-v5" = [
|
||||
"-kmod-ath10k-ct" "-ath10k-firmware-qca988x-ct" "-ath10k-firmware-qca988x-ct-full-htt"
|
||||
"-kmod-ath10k-ct" "-ath10k-firmware-qca988x-ct"
|
||||
"kmod-ath10k" "ath10k-firmware-qca988x"
|
||||
];
|
||||
"ubnt_unifiac-lite" = [
|
||||
|
@ -63,17 +63,17 @@ in rec {
|
|||
inherit pkgs;
|
||||
release = "19.07.10";
|
||||
}).identifyProfile model
|
||||
else if builtins.match "tl-wr[78].*" model != null
|
||||
else if builtins.match "tl-wr.*" model != null
|
||||
then {
|
||||
release = "18.06.9";
|
||||
packagesArch = "mips_24kc";
|
||||
target = "ar71xx";
|
||||
variant = "tiny";
|
||||
profile = model;
|
||||
sha256 = "sha256-P7BJI6n6s53szYXKshnJRKL2fLIYgJLPiq/yd0oRKoE=";
|
||||
sha256 = "109a2557gwmgib7r500qn9ygd8j4r4cv5jl5rpn9vczsm4ilkc1z";
|
||||
feedsSha256 = {
|
||||
base.sha256 = "sha256-IbND2snJ1UrDRhvGQIRxzGuSpftQ+AyiWqaVZqbGdHY=";
|
||||
packages.sha256 = "sha256-18UvzdUL98CranBtzAY7hoUlEvafUdssAQOuqDQi4BU=";
|
||||
base.sha256 = "0xklqsk6d5d6bai0ry2hzfjr4sycf6241ihv8v1lmmf9r7d47cr1";
|
||||
packages.sha256 = "05g048saibh304ndnlczyq92b1c67c3cqvbhdamw1xqbsp6jzifp";
|
||||
};
|
||||
}
|
||||
else null;
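Review bot: The `tiny` variant branch pins `release = "18.06.9"`, an OpenWrt line that no longer receives security updates, so every model matched by it is built on an unpatched base — and the side that widens the pattern from `tl-wr[78].*` to `tl-wr.*` routes more models onto that branch. If the 4/32 hardware cannot run a supported release this is a known trade-off worth recording beside `release`, e.g. `# 18.06 is end-of-life; kept only for 4/32 MB devices that cannot boot newer images`. The `if … else` chain starts before the hunk.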
|
||||
|
@ -83,34 +83,19 @@ in rec {
|
|||
extraImageName = "zw-${hostName}";
|
||||
packages = [
|
||||
# remove unused default .ipk
|
||||
"-dnsmasq" "-firewall" "-firewall4"
|
||||
"-dnsmasq" "-firewall"
|
||||
"-ppp" "-ppp-mod-pppoe" "-kmod-ppp" "-kmod-pppoe" "-kmod-pppox"
|
||||
"-iptables" "-ip6tables" "-kmod-ipt-offload"
|
||||
"-odhcp6c" "-odhcpd-ipv6only"
|
||||
"-wpad-basic-mbedtls"
|
||||
# monitoring
|
||||
"collectd"
|
||||
"collectd-mod-iwinfo" "collectd-mod-network"
|
||||
"collectd-mod-interface" "collectd-mod-load" "collectd-mod-cpu"
|
||||
"collectd-mod-exec"
|
||||
] ++ (
|
||||
if args.variant != "tiny"
|
||||
then [
|
||||
# debugging
|
||||
"htop"
|
||||
"tcpdump"
|
||||
# monitoring
|
||||
"collectd" "collectd-mod-interface" "collectd-mod-load"
|
||||
"collectd-mod-cpu" "collectd-mod-iwinfo" "collectd-mod-network"
|
||||
# wpa3
|
||||
"-wpad-basic-wolfssl" "-wpad-mini"
|
||||
"wpad-openssl"
|
||||
"usteer"
|
||||
] else [
|
||||
# debugging
|
||||
"tcpdump-mini"
|
||||
# wpa3
|
||||
"-wpad-openssl" "-wpad-mini"
|
||||
"wpad-wolfssl"
|
||||
]
|
||||
) ++ nixpkgs.lib.optionals hasVxlan [
|
||||
] ++ nixpkgs.lib.optionals hasVxlan [
|
||||
"vxlan" "kmod-vxlan"
|
||||
] ++ modelPackages.${model} or [];
|
||||
disabledServices = [ "dnsmasq" "uhttpd" ];
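Review bot: Both sides strip `firewall` (and, on the longer side, `firewall4` plus `iptables`/`ip6tables`) from the AP image, so the access point runs without any local packet filter and its mgmt address is reachable from whatever can route to it. That is a reasonable design for a bridging AP, but nothing in the hunk says where mgmt access is filtered instead; a comment above `"-dnsmasq" "-firewall"` such as `# no local firewall: mgmt access is filtered upstream on the router/switch ACLs` would record the assumption. Which of the two package lists is the new side cannot be read off the rendered page, so the note applies to whichever lands.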
|
||||
|
@ -119,10 +104,6 @@ in rec {
|
|||
cat > $out/etc/uci-defaults/99-zentralwerk <<EOF
|
||||
${uciConfig hostName}
|
||||
EOF
|
||||
mkdir -p $out/usr/{bin,sbin}
|
||||
cp ${./usteer-info.sh} $out/usr/sbin/usteer-info.sh
|
||||
cp ${./usteer-stats.sh} $out/usr/bin/usteer-stats.sh
|
||||
chmod +x $out/usr/bin/*.sh $out/usr/sbin/*.sh
|
||||
'';
|
||||
});
|
||||
|
||||
|
|
|
@ -18,21 +18,8 @@ let
|
|||
# ours don't come with a switch.
|
||||
then false
|
||||
else
|
||||
openwrtModel ? ports
|
||||
&&
|
||||
any ({ switch ? null, ... }: switch != null)
|
||||
(builtins.attrValues openwrtModel.ports);
|
||||
hasDSA = (
|
||||
all ({ switch ? null, ... }:
|
||||
switch == null
|
||||
) (builtins.attrValues openwrtModel.ports or {})
|
||||
&&
|
||||
any ({ port ? null, interface ? null, ... }:
|
||||
port != null &&
|
||||
interface != null &&
|
||||
port == interface
|
||||
) (builtins.attrValues openwrtModel.ports or {})
|
||||
) || hostConfig.model == "ubnt_unifi-usg";
|
||||
|
||||
portsDoc =
|
||||
let
|
||||
|
@ -112,20 +99,6 @@ let
|
|||
)
|
||||
);
|
||||
|
||||
dsaPorts = net:
|
||||
unique (
|
||||
concatMap ({ ports, ... }: ports) (
|
||||
builtins.filter ({ nets, ... }: builtins.elem net nets)
|
||||
(builtins.attrValues hostConfig.links)
|
||||
));
|
||||
|
||||
dsaPortType = net: port:
|
||||
if any ({ ports, trunk, ... }: trunk && builtins.elem port ports) (
|
||||
builtins.attrValues hostConfig.links
|
||||
) || hostConfig.links.${net}.trunk or true
|
||||
then "t"
|
||||
else "u*";
|
||||
|
||||
networkInterfaces = net:
|
||||
let
|
||||
inherit (config.site.net.${net}) vlan;
|
||||
|
@ -159,16 +132,6 @@ let
|
|||
)
|
||||
);
|
||||
|
||||
mgmtInterface =
|
||||
if hasDSA
|
||||
then "br0.${toString config.site.net.mgmt.vlan}"
|
||||
else
|
||||
let
|
||||
mgmtInterfaces = networkInterfaces "mgmt";
|
||||
in if builtins.length mgmtInterfaces == 1
|
||||
then builtins.head mgmtInterfaces
|
||||
else "br-mgmt";
|
||||
|
||||
in
|
||||
''
|
||||
# Set root password
|
||||
|
@ -188,8 +151,8 @@ in
|
|||
uci set system.@system[0].log_ip=${config.site.net.mgmt.hosts4.logging}
|
||||
uci set system.@system[0].log_proto=udp
|
||||
|
||||
${optionalString hasSwitch ''
|
||||
# Switch config
|
||||
${optionalString hasSwitch ''
|
||||
# Ports ${portsDoc}
|
||||
${concatMapStrings (net: ''
|
||||
uci add network switch_vlan
|
||||
|
@ -198,42 +161,7 @@ in
|
|||
uci set network.@switch_vlan[-1].vlan='${toString config.site.net.${net}.vlan}'
|
||||
uci set network.@switch_vlan[-1].ports='${switchPortsConfig net}'
|
||||
uci set network.@switch_vlan[-1].comment='${net}'
|
||||
'') (
|
||||
sort (net1: net2:
|
||||
config.site.net.${net1}.vlan < config.site.net.${net2}.vlan
|
||||
) (
|
||||
unique (
|
||||
builtins.concatMap ({ nets, ... }: nets)
|
||||
(builtins.attrValues hostConfig.links)
|
||||
)
|
||||
)
|
||||
)}
|
||||
''}
|
||||
${optionalString hasDSA ''
|
||||
# DSA
|
||||
${uciDeleteAll "network.@device"}
|
||||
uci add network device
|
||||
uci set network.@device[-1].name='br0'
|
||||
uci set network.@device[-1].type='bridge'
|
||||
${concatMapStrings (port: ''
|
||||
uci add_list network.@device[-1].ports='${port}'
|
||||
'') (
|
||||
unique (
|
||||
builtins.concatMap ({ ports, ... }: ports)
|
||||
(builtins.attrValues hostConfig.links)
|
||||
)
|
||||
)}
|
||||
uci set network.br0='interface'
|
||||
uci set network.br0.proto='none'
|
||||
uci set network.br0.device='br0'
|
||||
|
||||
${concatMapStrings (net: ''
|
||||
uci add network bridge-vlan
|
||||
uci set network.@bridge-vlan[-1].device='br0'
|
||||
uci set network.@bridge-vlan[-1].vlan='${toString config.site.net.${net}.vlan}'
|
||||
${concatMapStrings (port: ''
|
||||
uci add_list network.@bridge-vlan[-1].ports='${port}:${dsaPortType net port}'
|
||||
'') (dsaPorts net)}
|
||||
'') (
|
||||
sort (net1: net2:
|
||||
config.site.net.${net1}.vlan < config.site.net.${net2}.vlan
|
||||
|
@ -248,16 +176,11 @@ in
|
|||
|
||||
# mgmt network
|
||||
uci set network.mgmt=interface
|
||||
${if hasDSA
|
||||
then ''
|
||||
uci set network.mgmt.device='br0.${toString config.site.net.mgmt.vlan}'
|
||||
'' else ''
|
||||
uci set network.mgmt.ifname='${
|
||||
if builtins.length (networkInterfaces "mgmt") > 0
|
||||
then concatStringsSep " " (networkInterfaces "mgmt")
|
||||
else throw "${hostName}: No interface for mgmt"
|
||||
}'
|
||||
''}
|
||||
uci set network.mgmt.proto=static
|
||||
${optionalString (hostConfig.interfaces.mgmt.type == "bridge") ''
|
||||
uci set network.mgmt.type=bridge
|
||||
|
@ -287,17 +210,9 @@ in
|
|||
uci set network.${net}=interface
|
||||
${optionalString (iface.type == "bridge") ''
|
||||
uci set network.${net}.type=bridge
|
||||
uci add network device
|
||||
uci set network.@device[-1].name='${net}'
|
||||
uci set network.@device[-1].type='bridge'
|
||||
''}
|
||||
uci set network.${net}.proto=static
|
||||
${if hasDSA
|
||||
then ''
|
||||
uci set network.${net}.device='br0.${toString config.site.net.${net}.vlan}'
|
||||
'' else ''
|
||||
uci set network.${net}.ifname='${concatStringsSep " " (networkInterfaces net)}'
|
||||
''}
|
||||
${optionalString (config.site.net.${net}.mtu != null) ''
|
||||
uci set network.${net}.mtu=${toString config.site.net.${net}.mtu}
|
||||
''}
|
||||
|
@ -329,7 +244,6 @@ in
|
|||
'') (builtins.attrNames hostConfig.interfaces)
|
||||
}
|
||||
|
||||
${uciDeleteAll "wireless.radio"}
|
||||
uci -q delete wireless.default_radio0 || true
|
||||
uci -q delete wireless.default_radio1 || true
|
||||
${concatStrings (imap0 (index: path:
|
||||
|
@ -342,7 +256,6 @@ in
|
|||
uci set wireless.radio${toString index}=wifi-device
|
||||
uci set wireless.radio${toString index}.type=mac80211
|
||||
uci set wireless.radio${toString index}.country=DE
|
||||
uci set wireless.radio${toString index}.band=${radioConfig.band}
|
||||
uci set wireless.radio${toString index}.channel=${toString radioConfig.channel}
|
||||
uci set wireless.radio${toString index}.path=${path}
|
||||
uci set wireless.radio${toString index}.htmode=${radioConfig.htmode}
|
||||
|
@ -352,7 +265,6 @@ in
|
|||
${concatMapStrings (ssid:
|
||||
let
|
||||
ssidConfig = radioConfig.ssids.${ssid};
|
||||
netConfig = config.site.net.${ssidConfig.net};
|
||||
|
||||
# mapping our option to openwrt/hostapd setting
|
||||
encryption = {
|
||||
|
@ -367,11 +279,6 @@ in
|
|||
then ssidConfig.ifname
|
||||
else "${ifPrefix}-${ssidConfig.net}";
|
||||
|
||||
pad = len: prefix: s:
|
||||
if builtins.stringLength s < len
|
||||
then pad len prefix "${prefix}${s}"
|
||||
else s;
|
||||
|
||||
in ''
|
||||
uci add wireless wifi-iface
|
||||
uci set wireless.@wifi-iface[-1].ifname=${ifname}
|
||||
|
@ -380,7 +287,6 @@ in
|
|||
uci set wireless.@wifi-iface[-1].mode=${ssidConfig.mode}
|
||||
uci set wireless.@wifi-iface[-1].network=${ssidConfig.net}
|
||||
uci set wireless.@wifi-iface[-1].mcast_rate=18000
|
||||
uci set wireless.@wifi-iface[-1].hidden=${if ssidConfig.hidden then "1" else "0"}
|
||||
uci set wireless.@wifi-iface[-1].encryption='${encryption}'
|
||||
${if (ssidConfig.psk != null)
|
||||
then ''
|
||||
|
@ -389,59 +295,10 @@ in
|
|||
else ''
|
||||
uci -q delete wireless.@wifi-iface[-1].key || true
|
||||
''}
|
||||
${lib.optionalString (!ssidConfig.disassocLowAck) ''
|
||||
uci set wireless.@wifi-iface[-1].disassoc_low_ack='0'
|
||||
''}
|
||||
|
||||
${lib.optionalString (netConfig.wifi.ieee80211rKey != null) ''
|
||||
# for usteerd
|
||||
# see https://www.libe.net/en-wlan-roaming#client-steering
|
||||
# https://openwrt.org/docs/guide-user/network/wifi/usteer#configure_80211k_and_80211v_on_all_ap-nodes
|
||||
uci set wireless.@wifi-iface[-1].bss_transition=1
|
||||
uci set wireless.@wifi-iface[-1].wnm_sleep_mode=1
|
||||
uci set wireless.@wifi-iface[-1].time_advertisement=2
|
||||
uci set wireless.@wifi-iface[-1].time_zone=GMT0
|
||||
uci set wireless.@wifi-iface[-1].ieee80211k=1
|
||||
uci set wireless.@wifi-iface[-1].rrm_neighbor_report=1
|
||||
uci set wireless.@wifi-iface[-1].rrm_beacon_report=1
|
||||
|
||||
|
||||
# breaks Apple devices connecting to wifi when used together with wpa2/wpa3 mixed mode (sae-mixed)
|
||||
# uci set wireless.@wifi-iface[-1].ieee80211r=1
|
||||
# when unset derived from interface MAC
|
||||
uci set wireless.@wifi-iface[-1].nasid=${pad 12 "0" (toString ((lib.toInt (lib.removePrefix "ap" hostName)) * 65536 + index))}
|
||||
# when unset derived from the first 4 chars of the md5 hashed SSID
|
||||
uci set wireless.@wifi-iface[-1].mobility_domain=${pad 4 "0" (lib.toHexString (49920 + netConfig.vlan))}
|
||||
|
||||
# https://github.com/openwrt/openwrt/issues/7907
|
||||
# https://github.com/openwrt/openwrt/commit/2984a0420649733662ff95b0aff720b8c2c19f8a
|
||||
uci set wireless.@wifi-iface[-1].ft_over_ds=0
|
||||
# as recommend in 7907 and seems to fairly often trigger while testing
|
||||
uci set wireless.@wifi-iface[-1].reassociation_deadline=20000
|
||||
|
||||
# might be unused if ft_over_ds is not used
|
||||
uci set wireless.@wifi-iface[-1].ft_bridge=${mgmtInterface}
|
||||
|
||||
# otherwise the r0kh/r1kh options below are not applied
|
||||
uci set wireless.@wifi-iface[-1].ft_psk_generate_local=0
|
||||
|
||||
# do not just rely on the monility domain for increased security
|
||||
# https://forum.openwrt.org/t/802-11r-fast-transition-how-to-understand-that-ft-works/110920/81
|
||||
uci set wireless.@wifi-iface[-1].r0kh=ff:ff:ff:ff:ff:ff,\*,${netConfig.wifi.ieee80211rKey}
|
||||
uci set wireless.@wifi-iface[-1].r1kh=00:00:00:00:00:00,00:00:00:00:00:00,${netConfig.wifi.ieee80211rKey}
|
||||
uci set wireless.@wifi-iface[-1].pmk_r1_push=1
|
||||
''}
|
||||
''
|
||||
) (builtins.attrNames radioConfig.ssids)}
|
||||
'') (builtins.attrNames hostConfig.wifi))}
|
||||
|
||||
uci set usteer.@usteer[0].network=mgmt
|
||||
uci set usteer.@usteer[0].load_kick_enabled=1
|
||||
uci set usteer.@usteer[0].load_kick_threshold=67
|
||||
uci set usteer.@usteer[0].signal_diff_threshold=15
|
||||
uci set usteer.@usteer[0].load_balancing_threshold=8
|
||||
uci set usteer.@usteer[0].band_steering_threshold=16
|
||||
|
||||
uci commit
|
||||
|
||||
# Add hotfixes for MTU settings
|
||||
|
@ -463,7 +320,6 @@ in
|
|||
# the gateways is reachable
|
||||
cat >/etc/crontabs/root <<__CRON__
|
||||
* * * * * /usr/sbin/wifi-on-link.sh
|
||||
* * * * * /usr/sbin/usteer-info.sh
|
||||
__CRON__
|
||||
cat >/usr/sbin/wifi-on-link.sh <<__SH__
|
||||
#!/bin/sh
|
||||
|
@ -510,16 +366,11 @@ in
|
|||
LoadPlugin interface
|
||||
LoadPlugin iwinfo
|
||||
LoadPlugin network
|
||||
LoadPlugin exec
|
||||
<Plugin network>
|
||||
Server "${config.site.net.serv.hosts6.dn42.stats}" "25826"
|
||||
</Plugin>
|
||||
<Plugin exec>
|
||||
Exec "nobody" "/usr/bin/usteer-stats.sh"
|
||||
</Plugin>
|
||||
COLLECTD
|
||||
''}
|
||||
chmod +x /usr/bin/usteer-stats.sh /usr/sbin/usteer-info.sh
|
||||
|
||||
for svc in dnsmasq uhttpd ; do
|
||||
rm -f /etc/rc.d/*\$svc
|
||||
|
|
|
@ -1,3 +0,0 @@
|
|||
#! /bin/sh
|
||||
[ -p /tmp/usteer-info ] || exit 0
|
||||
exec /bin/ubus call usteer local_info > /tmp/usteer-info
|
|
@ -1,32 +0,0 @@
|
|||
#! /bin/sh
|
||||
|
||||
HOSTNAME=`cat /proc/sys/kernel/hostname`
|
||||
INTERVAL=60
|
||||
|
||||
[ -p /tmp/usteer-info ] || mkfifo /tmp/usteer-info
|
||||
|
||||
while true; do
|
||||
if [ ! -p /tmp/usteer-info ]; then
|
||||
echo "/tmp/usteer-info went missing!"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
DATA="$(cat /tmp/usteer-info)"
|
||||
cd /sys/class/net
|
||||
for iface in wlan*; do
|
||||
eval $( echo "$DATA" | jsonfilter \
|
||||
-e 'LOAD=@["hostapd.'$iface'"].load' \
|
||||
-e 'NOISE=@["hostapd.'$iface'"].noise' \
|
||||
-e 'N_ASSOC=@["hostapd.'$iface'"].n_assoc' \
|
||||
-e 'FREQ=@["hostapd.'$iface'"].freq' \
|
||||
-e 'ROAM_SOURCE=@["hostapd.'$iface'"].roam_events.source' \
|
||||
-e 'ROAM_TARGET=@["hostapd.'$iface'"].roam_events.target'
|
||||
)
|
||||
echo "PUTVAL \"$HOSTNAME/usteer_local_info-$iface/stations-load\" interval=$INTERVAL N:$LOAD"
|
||||
echo "PUTVAL \"$HOSTNAME/usteer_local_info-$iface/signal_noise-noise\" interval=$INTERVAL N:$NOISE"
|
||||
echo "PUTVAL \"$HOSTNAME/usteer_local_info-$iface/stations-n_assoc\" interval=$INTERVAL N:$N_ASSOC"
|
||||
echo "PUTVAL \"$HOSTNAME/usteer_local_info-$iface/frequency-freq\" interval=$INTERVAL N:$FREQ"
|
||||
echo "PUTVAL \"$HOSTNAME/usteer_local_info-$iface/transitions-roam_source\" interval=$INTERVAL N:$ROAM_SOURCE"
|
||||
echo "PUTVAL \"$HOSTNAME/usteer_local_info-$iface/transitions-roam_target\" interval=$INTERVAL N:$ROAM_TARGET"
|
||||
done
|
||||
done
|
|
@ -60,11 +60,7 @@ exit 1 if collisions > 0
|
|||
GROUP_PREFIX = 19
|
||||
groups = {}
|
||||
nets.each do |net|
|
||||
if net.addr.prefix > GROUP_PREFIX
|
||||
group = net.addr.supernet(GROUP_PREFIX).to_s
|
||||
else
|
||||
group = net.addr.to_s
|
||||
end
|
||||
(groups[group] ||= []) << net
|
||||
end
|
||||
|
||||
|
|
|
@ -9,7 +9,7 @@ let
|
|||
host-name ${hostName};
|
||||
time-zone Europe/Berlin;
|
||||
root-authentication {
|
||||
encrypted-password "%%HASH%%"; ## SECRET-DATA
|
||||
encrypted-password "$5$EBmFELmv$kQxtWwS0SBS.TqVPRvs8sKpH./l9DTtTxX/I2FJB2n2"; ## SECRET-DATA
|
||||
ssh-ed25519 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHGgoLzQMeyX1wjsX/hgVkN//zyfOQPiBRYgO2ajEGH6 root@server2";
|
||||
}
|
||||
services {
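Review bot: One side of the `encrypted-password` line commits a literal `$5$…` hash into the repository, while the other keeps the `%%HASH%%` placeholder that `configFileWithHash` substitutes at build time. A sha256crypt hash with an 8-character salt in git history is exposed to offline guessing, so the literal should not land (and if it already has, the underlying password needs rotating); the placeholder variant is the one to keep, and the `## SECRET-DATA` marker only tells Junos to redact the line on display, it protects nothing in the repository. The `ssh-ed25519` authorized key on the following line is public material and is fine in the template. The `root-authentication` block is part of a template whose definition starts before the hunk.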
|
||||
|
@ -114,9 +114,13 @@ let
|
|||
'';
|
||||
|
||||
configFileWithHash = runCommand "junos.config" {
|
||||
nativeBuildInputs = [ mkpasswd ];
|
||||
nativeBuildInputs = [ python3 ];
|
||||
} ''
|
||||
HASH=$(echo "${hostConfig.password}" | mkpasswd --method=SHA-512 --stdin)
|
||||
cat >gen.py<<EOF
|
||||
import crypt
|
||||
print(crypt.crypt('${hostConfig.password}', crypt.mksalt(crypt.METHOD_SHA256)))
|
||||
EOF
|
||||
HASH=$(python gen.py)
|
||||
substitute ${configFile} $out \
|
||||
--replace "%%HASH%%" "$HASH"
|
||||
'';
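Review bot: On the side that generates the hash with Python, `crypt.crypt('${hostConfig.password}', …)` splices the password into Python source inside a heredoc, so a password containing a single quote or backslash breaks the script and is parsed as code rather than data; reading it from the environment avoids that: set `PASSWORD = hostConfig.password;` among the derivation attributes, `import os` in `gen.py`, and `print(crypt.crypt(os.environ["PASSWORD"], crypt.mksalt(crypt.METHOD_SHA512)))`. That also restores SHA-512 (`$6$`), which the `mkpasswd --method=SHA-512` side uses and which this side downgrades to `METHOD_SHA256`. Python's `crypt` module is deprecated since 3.11 and removed in 3.13, so this generator will stop working once the pinned `python3` moves past that. On both sides the plaintext password is part of the derivation (as builder script text or as an environment attribute) and therefore ends up in a world-readable `.drv` in the store; the `SECRET-DATA` marker in the template does not change that.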
|
||||
|
|
5985
openwrt/tl-wr841-v10.config
Normal file
File diff suppressed because it is too large
5849
openwrt/tl-wr841-v11.config
Normal file
File diff suppressed because it is too large
6002
openwrt/tl-wr841-v8.config
Normal file
File diff suppressed because it is too large