Compare commits

Astro f076089053 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/4ecab3273592f27479a583fb6d975d4aba3486fe' (2023-05-31)
  → 'github:NixOS/nixpkgs/18388d019974e90a035bdb938a8a3ca3c0408db9' (2023-06-04)
• Updated input 'openwrt':
    'git+https://git.openwrt.org/openwrt/openwrt.git?ref=openwrt-22.03&rev=ce32068bf2d85e03d3dd034ab345d55247e5626c' (2023-05-28)
  → 'git+https://git.openwrt.org/openwrt/openwrt.git?ref=openwrt-22.03&rev=171b51519206b5e66ebd01d322f41d790976ce87' (2023-06-03)
• Updated input 'openwrt-imagebuilder':
    'github:astro/nix-openwrt-imagebuilder/c600f6dbe0516b34a307d9ec69015e123ec859a4' (2023-05-31)
  → 'github:astro/nix-openwrt-imagebuilder/b5901ec9361152f1f588445d1b3f06239ea4b86c' (2023-06-04)
2023-06-04 23:30:57 +02:00
Astro d7ef05fa64 config/secrets: generate site.dyndnsKey that is accepted by dhcpd 2023-06-04 23:29:17 +02:00
Astro f55cb13ecf nixos-module/server/lxc-containers: prevent restart on host nixos-rebuild switch 2023-06-04 23:14:47 +02:00
Astro 1caffb4f0f nixos-module/server/lxc-containers: shorten coloradio iface names 2023-06-04 23:02:30 +02:00
Astro 7cf95cd2f0 prepare for nixos 23.05 2023-06-04 23:02:06 +02:00
Astro 2ee8f7a5cc flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/781df3d2de37ace250ba3c2731606c0b6bee465b' (2023-04-14)
  → 'github:NixOS/nixpkgs/4ecab3273592f27479a583fb6d975d4aba3486fe' (2023-05-31)
• Updated input 'openwrt':
    'git+https://git.openwrt.org/openwrt/openwrt.git?ref=openwrt-22.03&rev=9af29da281213108cd861ed77b0416bf6eda0aaf' (2023-04-13)
  → 'git+https://git.openwrt.org/openwrt/openwrt.git?ref=openwrt-22.03&rev=ce32068bf2d85e03d3dd034ab345d55247e5626c' (2023-05-28)
• Updated input 'openwrt-imagebuilder':
    'github:astro/nix-openwrt-imagebuilder/b3d1f398472452ea288ce2d8dbf20d6115bf1c64' (2023-04-14)
  → 'github:astro/nix-openwrt-imagebuilder/c600f6dbe0516b34a307d9ec69015e123ec859a4' (2023-05-31)
2023-05-31 23:52:50 +02:00
Astro bb7460ff83 flake.nix: bump inputs.nixpkgs from 22.11 to 23.05 2023-05-31 23:52:05 +02:00
53 changed files with 18764 additions and 2013 deletions


@ -26,7 +26,7 @@ Alle Stecker im Haus sind in Schema A gecrimpt.
| | ![][gi] B 2.05.02 | ![][gi] UVB 1.09 | | 14 |
| ![][ri] B 4.02.01 *v* | ![][gi] B 2.05.05 | ![][gi] UVB 1.10 | | 15 |
| ![][ri] B 4.01.01 *v* | ![][gi] B 2.05.06 | ![][gi] 1.06 | | 16 |
| ![][ri] B 4.03.01 *v* | ![][gi] B 2.05.03 *v* | ![][gi] 1.16 *v* | | 17 |
| ![][ri] B 4.03.01 | ![][gi] B 2.05.03 *v* | | | 17 |
| ![][ri] B 4.04.01 *v* | ![][gi] B 2.05.07 *v* | | | 18 |
| ![][ri] B 4.05.02 *v* | ![][gi] B 2.06 | | | 19 |
| ![][ri] B 4.06.01 *v* | ![][ri] B 2.07 | | | 20 |


@ -33,7 +33,7 @@
wifi = {
"platform/qca953x_wmac" = {
channel = 1;
htmode = "HT20";
htmode = "HT40+";
ssids = {
"ZW public" = { net = "pub"; };
uebergangsnetz = { net = "priv6"; };
@ -60,15 +60,15 @@
};
};
location = "Turm D, 1. Etage";
model = "tl-wr841-v9";
model = "tl-wr841-v10";
role = "ap";
wifi = {
"platform/qca953x_wmac" = {
channel = 6;
htmode = "HT20";
htmode = "HT40+";
ssids = {
"ZW public" = { net = "pub"; };
"iz-dresden.org" = { net = "priv15"; encryption = "wpa2"; };
"iz-dresden.org" = { net = "priv15"; };
};
};
};
@ -92,12 +92,12 @@
};
};
location = "B 2.03.04";
model = "tplink_tl-wr1043nd-v2";
model = "tplink_tl-wr1043nd-v1";
role = "ap";
wifi = {
"platform/ahb/18100000.wmac" = {
channel = 1;
htmode = "HT20";
htmode = "HT40+";
ssids = {
"ZW public" = { net = "pub"; };
braeunigkoschnik = { net = "priv8"; };
@ -130,7 +130,7 @@
wifi = {
"platform/ar934x_wmac" = {
channel = 6;
htmode = "HT20";
htmode = "HT40+";
ssids = {
"IrèneMélix" = { net = "priv38"; };
"ZW public" = { net = "pub"; };
@ -139,6 +139,8 @@
};
};
};
ap13 = { };
ap14 = { };
ap15 = {
interfaces = {
mgmt = {
@ -163,7 +165,7 @@
wifi = {
"platform/ahb/18100000.wmac" = {
channel = 1;
htmode = "HT20";
htmode = "HT40+";
ssids = {
"ZW public" = { net = "pub"; };
etz250 = { net = "priv10"; };
@ -171,6 +173,7 @@
};
};
};
ap16 = { };
ap17 = {
interfaces = {
mgmt = {
@ -197,7 +200,7 @@
wifi = {
"platform/ahb/18100000.wmac" = {
channel = 5;
htmode = "HT20";
htmode = "HT40+";
ssids = {
EDUB = { net = "priv33"; };
"ZW public" = { net = "pub"; };
@ -231,7 +234,7 @@
wifi = {
"platform/qca953x_wmac" = {
channel = 1;
htmode = "HT20";
htmode = "HT40+";
ssids = {
"Restaurierung Wolff/Kober" = { net = "priv9"; };
"ZW public" = { net = "pub"; };
@ -259,15 +262,15 @@
};
};
location = "Turm C oberste Etage";
model = "tl-wr841-v11";
model = "tl-wr841-v10";
role = "ap";
wifi = {
"platform/qca953x_wmac" = {
channel = 6;
htmode = "HT20";
htmode = "HT40+";
ssids = {
"Bockwurst" = { net = "priv41"; encryption = "wpa2"; };
Walter = { net = "priv26"; encryption = "wpa2"; };
"Studio 01127" = { net = "priv41"; };
Walter = { net = "priv26"; };
"ZW public" = { net = "pub"; };
};
};
@ -276,7 +279,6 @@
ap2 = {
interfaces = {
c3d2.type = "bridge";
c3d2iot.type = "bridge";
mgmt = {
gw4 = "mgmt-gw";
gw6 = "mgmt-gw";
@ -301,20 +303,15 @@
htmode = "VHT80";
ssids = {
C3D2 = { net = "c3d2"; };
"ZW public" = { net = "pub"; };
"ZW public legacy" = { net = "pub"; };
};
};
"platform/ahb/18100000.wmac" = {
channel = 1;
htmode = "HT20";
htmode = "HT40+";
ssids = {
"C3D2 legacy" = { net = "c3d2"; };
"C3D2 IoT" = {
net = "c3d2iot";
hidden = true;
disassocLowAck = false;
};
"ZW public legacy" = { net = "pub"; };
"ZW public" = { net = "pub"; };
};
};
};
@ -345,7 +342,7 @@
};
"platform/ahb/18100000.wmac" = {
channel = 5;
htmode = "HT20";
htmode = "HT40+";
ssids = {
"ZW public" = { net = "pub"; };
};
@ -375,7 +372,7 @@
wifi = {
"pci0000:00/0000:00:00.0" = {
channel = 11;
htmode = "HT20";
htmode = "HT40-";
ssids = { "ZW public" = { net = "pub"; }; };
};
};
@ -409,7 +406,7 @@
};
"platform/ahb/18100000.wmac" = {
channel = 1;
htmode = "HT20";
htmode = "HT40+";
ssids = {
"LBK Network" = { net = "priv30"; };
"ZW public" = { net = "pub"; };
@ -428,9 +425,12 @@
pub.type = "bridge";
};
links = {
# Ends up in /etc/config but not in `swconfig dev switch0 show`
priv12.ports = [ "lan:1" "lan:2" "lan:3" "lan:4" ];
switch-b3.ports = [ "wan" ];
priv12 = {
ports = [ "lan" ];
};
switch-b3 = {
ports = [ "wan" ];
};
};
location = "Farbwerk";
model = "tl-wr740n-v4";
@ -438,7 +438,7 @@
wifi = {
"platform/ar933x_wmac" = {
channel = 6;
htmode = "HT20";
htmode = "HT40-";
ssids = {
"ZW public" = { net = "pub"; };
farbwerk = { net = "priv12"; encryption = "wpa2"; };
@ -464,13 +464,13 @@
ports = [ "wan" ];
};
};
location = "Farbwerk, lost";
location = "Farbwerk";
model = "tl-wr740n-v1";
role = "ap";
wifi = {
"platform/ar933x_wmac" = {
channel = 6;
htmode = "HT20";
htmode = "HT40-";
ssids = {
"ZW public" = { net = "pub"; };
farbwerk = { net = "priv12"; };
@ -502,7 +502,7 @@
wifi = {
"pci0000:00/0000:00:00.0" = {
channel = 11;
htmode = "HT20";
htmode = "HT40-";
ssids = {
Dezember = { net = "priv37"; };
"ZW public" = { net = "pub"; };
@ -533,7 +533,7 @@
wifi = {
"platform/qca953x_wmac" = {
channel = 1;
htmode = "HT20";
htmode = "HT40+";
ssids = { "ZW public" = { net = "pub"; }; };
};
};
@ -561,7 +561,7 @@
wifi = {
"platform/ar934x_wmac" = {
channel = 9;
htmode = "HT20";
htmode = "HT40+";
ssids = { "ZW public" = { net = "pub"; }; };
};
};
@ -598,7 +598,7 @@
};
"platform/ahb/18100000.wmac" = {
channel = 6;
htmode = "HT20";
htmode = "HT40+";
ssids = {
"ZW public" = { net = "pub"; };
jungnickel-fotografie = { net = "priv13"; };
@ -633,7 +633,7 @@
wifi = {
"pci0000:00/0000:00:00.0" = {
channel = 128;
htmode = "HT20";
htmode = "HT40+";
ssids = {
C3D2 = { net = "c3d2"; };
"ZW public" = { net = "pub"; };
@ -641,7 +641,7 @@
};
"platform/ar934x_wmac" = {
channel = 1;
htmode = "HT20";
htmode = "HT40+";
ssids = {
"C3D2 legacy" = { net = "c3d2"; };
"ZW public legacy" = { net = "pub"; };
@ -673,7 +673,7 @@
wifi = {
"platform/ahb/18100000.wmac" = {
channel = 1;
htmode = "HT20";
htmode = "HT40+";
ssids = {
WLANb0402 = { net = "priv14"; };
"ZW public" = { net = "pub"; };
@ -684,7 +684,6 @@
ap31 = {
interfaces = {
c3d2.type = "bridge";
c3d2iot.type = "bridge";
mgmt = {
gw4 = "mgmt-gw";
gw6 = "mgmt-gw";
@ -712,14 +711,9 @@
};
"platform/ahb/18100000.wmac" = {
channel = 5;
htmode = "HT20";
htmode = "HT40+";
ssids = {
"C3D2 legacy" = { net = "c3d2"; };
"C3D2 IoT" = {
net = "c3d2iot";
hidden = true;
disassocLowAck = false;
};
FOTOAKADEMIEdd = { net = "priv39"; };
"ZW public legacy" = { net = "pub"; };
};
@ -757,7 +751,7 @@
channel = 9;
htmode = "HT20";
ssids = {
"ZW public legacy" = { net = "pub"; };
"ZW public" = { net = "pub"; };
"ZW stage legacy" = { net = "priv25"; };
};
};
@ -792,7 +786,7 @@
};
"platform/ahb/18100000.wmac" = {
channel = 9;
htmode = "HT20";
htmode = "HT40+";
ssids = {
"C3D2 legacy" = { net = "c3d2"; };
"ZW public legacy" = { net = "pub"; };
@ -829,7 +823,7 @@
};
"platform/ahb/18100000.wmac" = {
channel = 9;
htmode = "HT20";
htmode = "HT40+";
ssids = {
"ZW public" = { net = "pub"; };
etz250 = { net = "priv10"; };
@ -861,7 +855,7 @@
wifi = {
"platform/ahb/18100000.wmac" = {
channel = 1;
htmode = "HT20";
htmode = "HT40+";
ssids = {
Koch = { net = "priv18"; };
"ZW public" = { net = "pub"; };
@ -893,7 +887,7 @@
wifi = {
"platform/ar933x_wmac" = {
channel = 5;
htmode = "HT20";
htmode = "HT40+";
ssids = {
"C3D2 legacy" = { net = "c3d2"; };
"ZW public" = { net = "pub"; };
@ -930,10 +924,11 @@
};
"platform/ahb/18100000.wmac" = {
channel = 6;
htmode = "HT20";
htmode = "HT40-";
ssids = {
"ZW public" = { net = "pub"; };
"hechtfilm.de legacy" = { net = "priv19"; };
"LIZA".net = "priv43";
};
};
};
@ -947,7 +942,6 @@
};
priv20.type = "bridge";
priv28.type = "bridge";
priv47.type = "bridge";
pub.type = "bridge";
};
links = {
@ -973,12 +967,11 @@
};
"platform/ahb/18100000.wmac" = {
channel = 11;
htmode = "HT20";
htmode = "HT40-";
ssids = {
"ZW heinrichsgarten" = { net = "priv28"; };
"ZW public" = { net = "pub"; };
plop = { net = "priv20"; };
millimeter = { net = "priv47"; };
};
};
};
@ -1007,7 +1000,7 @@
wifi = {
"platform/10180000.wmac" = {
channel = 9;
htmode = "HT20";
htmode = "HT40+";
ssids = {
EckiTino = { net = "priv7"; };
"ZW public" = { net = "pub"; };
@ -1040,7 +1033,7 @@
wifi = {
"platform/ahb/18100000.wmac" = {
channel = 11;
htmode = "HT20";
htmode = "HT40-";
ssids = {
"ZW public" = { net = "pub"; };
"jam-circle.de" = { net = "priv4"; };
@ -1059,9 +1052,12 @@
pub.type = "bridge";
};
links = {
priv22.ports = [ "lan:2" "lan:3" "lan:4" ];
ap70.ports = [ "lan:1" ];
switch-b3.ports = [ "wan" ];
priv22 = {
ports = [ "lan:1" "lan:2" "lan:3" "lan:4" ];
};
switch-b3 = {
ports = [ "wan" ];
};
};
location = "B4.01";
model = "tplink_archer-c7-v5";
@ -1077,7 +1073,7 @@
};
"platform/ahb/18100000.wmac" = {
channel = 6;
htmode = "HT20";
htmode = "HT40-";
ssids = {
"M legacy" = { net = "priv22"; };
"ZW public" = { net = "pub"; };
@ -1117,7 +1113,7 @@
};
"platform/ahb/18100000.wmac" = {
channel = 6;
htmode = "HT20";
htmode = "HT40-";
ssids = {
Walter = { net = "priv26"; };
"ZW public" = { net = "pub"; };
@ -1136,8 +1132,8 @@
pub.type = "bridge";
};
links = {
# ap21.ports = [ "lan:3" ];
priv4.ports = [ "lan:1" "lan:2" "lan:3" "lan:4" ];
ap21.ports = [ "lan:3" ];
priv4.ports = [ "lan:1" "lan:2" "lan:4" ];
switch-b3.ports = [ "wan" ];
};
location = "Dresden School of Lindy Hop";
@ -1146,7 +1142,7 @@
wifi = {
"pci0000:00/0000:00:00.0" = {
channel = 128;
htmode = "HT20";
htmode = "HT40+";
ssids = {
"ZW public" = { net = "pub"; };
"jam-circle.de" = { net = "priv4"; };
@ -1154,7 +1150,7 @@
};
"platform/ahb/18100000.wmac" = {
channel = 11;
htmode = "HT20";
htmode = "HT40-";
ssids = {
"ZW public" = { net = "pub"; };
"jam-circle.de legacy" = { net = "priv4"; };
@ -1411,7 +1407,7 @@
wifi = {
"platform/ahb/18100000.wmac" = {
channel = 1;
htmode = "HT20";
htmode = "HT40+";
ssids = {
"ZW public" = { net = "pub"; };
"verbalwerk.de" = { net = "priv5"; };
@ -1490,7 +1486,7 @@
};
"platform/ahb/18100000.wmac" = {
channel = 9;
htmode = "HT20";
htmode = "HT40+";
ssids = {
"ZW public" = { net = "pub"; };
antrares = { net = "priv17"; };
@ -1559,7 +1555,7 @@
wifi = {
"platform/qca953x_wmac" = {
channel = 9;
htmode = "HT20";
htmode = "HT40+";
ssids = {
"Karen Koschnick" = { net = "priv11"; };
"ZW public" = { net = "pub"; };
@ -1585,13 +1581,13 @@
ports = [ "wan" ];
};
};
location = "Removed";
location = "B1.05.02";
model = "tplink_archer-c7-v5";
role = "ap";
wifi = {
"pci0000:00/0000:00:00.0" = {
channel = 128;
htmode = "HT20";
htmode = "HT40+";
ssids = {
Abyssinia = { net = "priv35"; };
"ZW public" = { net = "pub"; };
@ -1599,7 +1595,7 @@
};
"platform/ahb/18100000.wmac" = {
channel = 1;
htmode = "HT20";
htmode = "HT40+";
ssids = {
Abyssinia = { net = "priv35"; };
"ZW public" = { net = "pub"; };
@ -1708,12 +1704,9 @@
wifi = {
"pci0000:00/0000:00:00.0" = {
channel = 100;
htmode = "HT40";
htmode = "VHT80";
ssids = {
"Zentralwerk" = {
net = "roof";
disassocLowAck = false;
};
"Zentralwerk" = { net = "roof"; };
"ZW public" = { net = "pub"; };
};
};
@ -1806,7 +1799,7 @@
};
"platform/ahb/18100000.wmac" = {
channel = 6;
htmode = "HT20";
htmode = "HT40-";
ssids = {
"ZW public" = { net = "pub"; };
"Ebs 2000" = { net = "priv21"; };
@ -1837,7 +1830,7 @@
wifi = {
"platform/qca953x_wmac" = {
channel = 13;
htmode = "HT20";
htmode = "HT40-";
ssids = { "ZW public" = { net = "pub"; }; };
};
};
@ -1866,7 +1859,7 @@
wifi = {
"pci0000:00/0000:00:00.0" = {
channel = 128;
htmode = "HT20";
htmode = "HT40+";
ssids = {
Abyssinia = { net = "priv35"; };
"ZW public" = { net = "pub"; };
@ -1874,7 +1867,7 @@
};
"platform/ahb/18100000.wmac" = {
channel = 1;
htmode = "HT20";
htmode = "HT40+";
ssids = {
Abyssinia = { net = "priv35"; };
"ZW public" = { net = "pub"; };
@ -1902,7 +1895,7 @@
wifi = {
"pci0000:00/0000:00:00.0" = {
channel = 36;
htmode = "HT20";
htmode = "HT40+";
ssids = {
tomiru = { net = "priv44"; };
"ZW public" = { net = "pub"; };
@ -1910,7 +1903,7 @@
};
"platform/ahb/18100000.wmac" = {
channel = 1;
htmode = "HT20";
htmode = "HT40+";
ssids = {
tomiru = { net = "priv44"; };
"ZW public" = { net = "pub"; };
@ -1950,7 +1943,7 @@
};
"platform/ahb/18100000.wmac" = {
channel = 9;
htmode = "HT20";
htmode = "HT40+";
ssids = {
"Wolke7 legacy" = { net = "priv45"; encryption = "wpa2"; };
"ZW public" = { net = "pub"; };
@ -1982,7 +1975,7 @@
wifi = {
"pci0000:00/0000:00:00.0" = {
channel = 36;
htmode = "HT20";
htmode = "HT40+";
ssids = {
"ZW public" = { net = "pub"; };
EckiTino = { net = "priv7"; };
@ -1990,7 +1983,7 @@
};
"platform/ahb/18100000.wmac" = {
channel = 9;
htmode = "HT20";
htmode = "HT40-";
ssids = {
"ZW public" = { net = "pub"; };
"EckiTino legacy" = { net = "priv7"; };
@ -2022,7 +2015,7 @@
wifi = {
"platform/ahb/18100000.wmac" = {
channel = 1;
htmode = "HT20";
htmode = "HT40+";
ssids = {
"ZW public" = { net = "pub"; };
"Princess Castle" = { net = "priv46"; };
@ -2030,195 +2023,6 @@
};
};
};
ap65 = {
interfaces = {
mgmt = {
gw4 = "mgmt-gw";
gw6 = "mgmt-gw";
type = "phys";
};
priv12.type = "bridge";
priv27.type = "bridge";
pub.type = "bridge";
};
links = {
switch-b3.ports = [ "lan" ];
};
location = "El Perro";
model = "ubnt_unifi-6-lite";
role = "ap";
wifi = {
"1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0" = {
channel = 6;
htmode = "HT20";
ssids = {
"ZW public".net = "pub";
"farbwerk".net = "priv12";
"Kaffeetasse".net = "priv27";
};
};
"1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0" = {
channel = 149;
htmode = "VHT80";
ssids = {
"ZW public".net = "pub";
"farbwerk".net = "priv12";
};
};
};
};
ap66 = {
interfaces = {
priv48.type = "bridge";
mgmt = {
gw4 = "mgmt-gw";
gw6 = "mgmt-gw";
type = "phys";
};
pub.type = "bridge";
};
links = {
priv48.ports = [ "lan:1" "lan:2" "lan:3" "lan:4" ];
switch-b3.ports = [ "wan" ];
};
location = "B 4.03.01";
model = "tplink_archer-c7-v5";
role = "ap";
wifi = {
"pci0000:00/0000:00:00.0" = {
channel = 36;
htmode = "VHT80";
ssids = {
"Buschfunk4.03" = { net = "priv48"; };
"ZW public" = { net = "pub"; };
};
};
"platform/ahb/18100000.wmac" = {
channel = 9;
htmode = "HT20";
ssids = {
"Buschfunk4.03 legacy" = { net = "priv48"; };
"ZW public" = { net = "pub"; };
};
};
};
};
ap67 = {
interfaces = {
mgmt = {
gw4 = "mgmt-gw";
gw6 = "mgmt-gw";
type = "phys";
};
priv12.type = "bridge";
pub.type = "bridge";
};
links = {
priv12.ports = [
"lan1" "lan2" "lan3"
];
switch-b3.ports = [ "wan" ];
};
location = "Farbwerk";
model = "zyxel_wsm20";
role = "ap";
wifi = {
"1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0" = {
channel = 6;
htmode = "HT20";
ssids = {
"ZW public" = { net = "pub"; };
farbwerk = { net = "priv12"; };
};
};
"1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1" = {
channel = 149;
htmode = "VHT80";
ssids = {
"ZW public" = { net = "pub"; };
farbwerk = { net = "priv12"; };
};
};
};
};
ap68 = {
interfaces = {
mgmt = {
gw4 = "mgmt-gw";
gw6 = "mgmt-gw";
type = "phys";
};
priv12.type = "bridge";
pub.type = "bridge";
};
links = {
priv12.ports = [
"lan1" "lan2" "lan3"
];
switch-b3.ports = [ "wan" ];
};
location = "Farbwerk";
model = "zyxel_wsm20";
role = "ap";
wifi = {
"1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0" = {
channel = 1;
htmode = "HT20";
ssids = {
"ZW public" = { net = "pub"; };
farbwerk = { net = "priv12"; };
};
};
"1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1" = {
channel = 36;
htmode = "VHT80";
ssids = {
"ZW public" = { net = "pub"; };
farbwerk = { net = "priv12"; };
};
};
};
};
ap69 = {
interfaces = {
mgmt = {
gw4 = "mgmt-gw";
gw6 = "mgmt-gw";
type = "phys";
};
priv43.type = "bridge";
pub.type = "bridge";
};
links = {
priv43 = {
ports = [ "lan" ];
};
switch-b3 = {
ports = [ "wan" ];
};
};
location = "B.01.B01";
model = "tplink_archer-c7-v2";
role = "ap";
wifi = {
"pci0000:00/0000:00:00.0" = {
channel = 36;
htmode = "HT40+";
ssids = {
"ZW public".net = "pub";
"LIZA".net = "priv43";
};
};
"platform/ahb/18100000.wmac" = {
channel = 1;
htmode = "HT20";
ssids = {
"ZW public".net = "pub";
"LIZA".net = "priv43";
};
};
};
};
ap7 = {
interfaces = {
mgmt = {
@ -2243,7 +2047,7 @@
wifi = {
"platform/qca953x_wmac" = {
channel = 1;
htmode = "HT20";
htmode = "HT40+";
ssids = {
"ZW public" = { net = "pub"; };
mino = { net = "priv40"; };
@ -2251,99 +2055,6 @@
};
};
};
ap70 = {
interfaces = {
mgmt = {
gw4 = "mgmt-gw";
gw6 = "mgmt-gw";
type = "phys";
};
priv22.type = "bridge";
pub.type = "bridge";
};
links = {
priv22.ports = [ "lan" ];
ap40.ports = [ "wan" ];
};
location = "B4.01 behind ap40";
model = "tplink_archer-c7-v2";
role = "ap";
wifi = {
"pci0000:00/0000:00:00.0" = {
channel = 149;
htmode = "HT40+";
ssids = {
"ZW public".net = "pub";
M.net = "priv22";
};
};
"platform/ahb/18100000.wmac" = {
channel = 9;
htmode = "HT20";
ssids = {
"ZW public".net = "pub";
"M legacy".net = "priv22";
};
};
};
};
ap71 = {
interfaces = {
mgmt = {
gw4 = "mgmt-gw";
gw6 = "mgmt-gw";
type = "phys";
};
priv22.type = "bridge";
pub.type = "bridge";
};
links = {
priv22.ports = [ "eth1" "eth2" ];
ap40.ports = [ "eth0" ];
};
location = "B4.01 behind ap40";
model = "ubnt_unifi-usg";
role = "ap";
# No WiFi, splits just VLANs
};
ap72 = {
interfaces = {
mgmt = {
gw4 = "mgmt-gw";
gw6 = "mgmt-gw";
type = "phys";
};
priv12.type = "bridge";
pub.type = "bridge";
};
links = {
priv12.ports = [
"lan1" "lan2" "lan3"
];
switch-b3.ports = [ "wan" ];
};
location = "B1.05.02 (Patchpanel B12)";
model = "zyxel_wsm20";
role = "ap";
wifi = {
"1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0" = {
channel = 1;
htmode = "HT20";
ssids = {
"ZW public" = { net = "pub"; };
farbwerk = { net = "priv12"; };
};
};
"1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1" = {
channel = 36;
htmode = "VHT80";
ssids = {
"ZW public" = { net = "pub"; };
farbwerk = { net = "priv12"; };
};
};
};
};
ap8 = {
interfaces = {
c3d2.type = "bridge";
@ -2357,10 +2068,7 @@
};
links = {
c3d2 = {
ports = [ "lan:3" "lan:4" ];
};
priv23 = {
ports = [ "lan:2" ];
ports = [ "lan:1" "lan:2" "lan:3" "lan:4" ];
};
switch-b3 = {
ports = [ "wan" ];
@ -2372,7 +2080,7 @@
wifi = {
"pci0000:00/0000:00:00.0" = {
channel = 36;
htmode = "HT20";
htmode = "HT40+";
ssids = {
C3D2 = { net = "c3d2"; };
"ZW public" = { net = "pub"; };
@ -2380,7 +2088,7 @@
};
"platform/ar934x_wmac" = {
channel = 13;
htmode = "HT20";
htmode = "HT40-";
ssids = {
"C3D2 legacy" = { net = "c3d2"; };
"ZW public" = { net = "pub"; };
@ -2413,7 +2121,7 @@
wifi = {
"platform/qca953x_wmac" = {
channel = 1;
htmode = "HT20";
htmode = "HT40+";
ssids = {
Herzzbuehne = { net = "priv16"; };
"ZW public" = { net = "pub"; };
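Review bot: The `encryption = "wpa2";` attribute appears on only one side of the changed ssid lines in the hunks at @ -60,15 +60,15 (`"iz-dresden.org"`) and @ -259,15 +262,15 (`"Bockwurst"`/`"Studio 01127"` and `Walter`), so whichever side lands leaves those private-network SSIDs depending on the module's default for `encryption`, which this file does not show. The rendered compare has lost its `+`/`-` markers, so the direction cannot be read from the page, but the `farbwerk` ssid in the hunk at @ -438,7 +438,7 keeps `encryption = "wpa2"` as context on both sides, so the attribute is evidently meaningful per SSID. I would keep it explicit on every SSID that bridges a priv network, e.g. `"iz-dresden.org" = { net = "priv15"; encryption = "wpa2"; };`, or document the default next to the wifi option so that a dropped attribute cannot silently leave an AP open. The ssid option set and its defaults are defined outside this file.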


@ -18,4 +18,5 @@ in
# IP networks
++ lib.filesystem.listFilesRecursive ./net;
site.net-combined = concatMapAttrsRecursive (name: value: { inherit (value) hosts4 hosts6; }) config.site.net;
}
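Review bot: The `site.net-combined` assignment, which by the hunk counts (4 old, 5 new) appears to be the line this hunk adds, carries no comment and its purpose is not recoverable here: it maps every entry of `config.site.net` through `concatMapAttrsRecursive` keeping only `hosts4` and `hosts6`, but both the helper and the consumer of the result live elsewhere. A one-line comment would spare the next reader a search, e.g. `# hosts4/hosts6 of every network in config.site.net (merge semantics: see concatMapAttrsRecursive)`. The enclosing attrset begins outside the hunk.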


@ -3,60 +3,60 @@
site.net.c3d2 = {
dhcp = {
server = "c3d2-gw3";
start = "172.22.99.100";
start = "172.22.99.60";
end = "172.22.99.199";
fixed-hosts = {
"172.22.99.96" = "08:00:27:bb:8c:b3";
"172.22.99.98" = "08:00:27:aa:90:e2";
# "astrom" = "aa:00:5b:08:f0:5c";
# "astron" = "aa:00:5b:08:f0:5b";
# "batman" = "5c:cf:7f:c0:05:28";
# "beere" = "b8:27:eb:ac:65:d2";
# "beere2" = "b8:27:eb:53:0b:27";
# "astrom.hq.c3d2.de" = "aa:00:5b:08:f0:5c";
# "astron.hq.c3d2.de" = "aa:00:5b:08:f0:5b";
# "batman.hq.c3d2.de" = "5c:cf:7f:c0:05:28";
# "beere.hq.c3d2.de" = "b8:27:eb:ac:65:d2";
# "beere2.hq.c3d2.de" = "b8:27:eb:53:0b:27";
# "bender.hq.c3de.de" = "00:23:df:7e:c8:0a";
# "cider" = "00:0d:93:75:ee:fa";
"dacbert" = "dc:a6:32:e0:46:bf";
"dn42" = "aa:00:42:7a:32:46";
# "drucker" = "00:23:c3:d2:12:0f";
# "feile" = "aa:00:5b:12:c1:f7";
# "fernandopoo" = "aa:00:f7:52:85:27";
# "fhem" = "b8:27:eb:9e:8b:db";
# "git" = "aa:00:47:d8:57:10";
"glotzbert" = "90:1b:0e:88:da:0a";
# "wled-nix-snowflake" = "44:17:93:10:77:e8";
# "wled-fairy-dust" = "3c:61:05:e3:2f:ad";
# "wled-warnbert" = "3c:61:05:fc:21:37";
# "wled-matrix" = "e8:db:84:e4:f4:30";
# "ledball1" = "b8:27:eb:53:0b:27";
# "cider.hq.c3d2.de" = "00:0d:93:75:ee:fa";
"dacbert.hq.c3d2.de" = "dc:a6:32:e0:46:bf";
"dn42.hq.c3d2.de" = "aa:00:42:7a:32:46";
"drucker.hq.c3d2.de" = "00:23:c3:d2:12:0f";
# "feile.hq.c3d2.de" = "aa:00:5b:12:c1:f7";
# "fernandopoo.hq.c3d2.de" = "aa:00:f7:52:85:27";
# "fhem.hq.c3d2.de" = "b8:27:eb:9e:8b:db";
# "git.hq.c3d2.de" = "aa:00:47:d8:57:10";
"glotzbert.hq.c3d2.de" = "90:1b:0e:88:da:0a";
"wled-nix-snowflake.hq.c3d2.de" = "44:17:93:10:77:e8";
"wled-fairy-dust.hq.c3d2.de" = "3c:61:05:e3:2f:ad";
"wled-warnbert.hq.c3d2.de" = "3c:61:05:fc:21:37";
"wled-matrix.hq.c3d2.de" = "e8:db:84:e4:f4:30";
# "ledball1.hq.c3d2.de" = "b8:27:eb:53:0b:27";
# Beleuchtungskiste auf Traverse über Fernseher
# "ledbeere" = "b8:27:eb:60:99:59";
# "leviathan" = "00:ff:08:31:db:e5";
# "lisbeth" = "b8:27:eb:a5:ee:5c";
# "marenz-build" = "44:1e:a1:59:2e:e8";
# "matemat" = "a2:1b:7c:e8:19:72";
# "minecraft" = "4a:57:d3:64:fe:e9";
# "moleflap" = "aa:00:0d:b1:6c:67";
# "monit" = "00:23:ae:94:e7:19";
"pipebert" = "ec:a8:6b:fe:b4:cb";
# "public-access-proxy" = "12:24:5f:bd:9b:e7";
"pulsebert" = "b8:27:eb:16:31:61";
# "ruststripe1" = "06:32:0e:39:21:69";
"schalter" = "b8:27:eb:ac:65:d2";
# "semanta" = "00:ff:e4:bb:ea:2a";
# "server2" = "d0:67:e5:f3:57:10";
# "server3" = "e4:1f:13:2e:4f:c0";
# "server4" = "00:9c:02:a9:26:01";
# "sharing" = "00:23:c3:d2:75:18";
# "sofafon" = "b8:27:eb:23:8d:01";
# "storage2" = "42:5e:0f:4e:f3:cc";
# "ustriper" = "aa:bb:95:33:bb:aa";
# "wiefelspuetz" = "aa:00:7f:01:8a:d0";
# "wormhole" = "00:23:c3:d2:00:76";
# "www1" = "aa:00:13:8b:03:47";
# "riscbert" = "6c:cf:39:00:05:95";
"ledbeere.hq.c3d2.de" = "b8:27:eb:60:99:59";
# "leviathan.hq.c3d2.de" = "00:ff:08:31:db:e5";
# "lisbeth.hq.c3d2.de" = "b8:27:eb:a5:ee:5c";
# "marenz-build.hq.c3d2.de" = "44:1e:a1:59:2e:e8";
"matemat.hq.c3d2.de" = "a2:1b:7c:e8:19:72";
# "minecraft.hq.c3d2.de" = "4a:57:d3:64:fe:e9";
# "moleflap.hq.c3d2.de" = "aa:00:0d:b1:6c:67";
# "monit.hq.c3d2.de" = "00:23:ae:94:e7:19";
"pipebert.hq.c3d2.de" = "ec:a8:6b:fe:b4:cb";
"public-access-proxy.hq.c3d2.de" = "12:24:5f:bd:9b:e7";
"pulsebert.hq.c3d2.de" = "b8:27:eb:16:31:61";
# "ruststripe1.hq.c3d2.de" = "06:32:0e:39:21:69";
"schalter.hq.c3d2.de" = "b8:27:eb:4c:be:ff";
# "semanta.hq.c3d2.de" = "00:ff:e4:bb:ea:2a";
# "server2.hq.c3d2.de" = "d0:67:e5:f3:57:10";
# "server3.hq.c3d2.de" = "e4:1f:13:2e:4f:c0";
# "server4.hq.c3d2.de" = "00:9c:02:a9:26:01";
# "sharing.hq.c3d2.de" = "00:23:c3:d2:75:18";
# "sofafon.hq.c3d2.de" = "b8:27:eb:23:8d:01";
# "storage2.hq.c3d2.de" = "42:5e:0f:4e:f3:cc";
# "ustriper.hq.c3d2.de" = "aa:bb:95:33:bb:aa";
# "wiefelspuetz.hq.c3d2.de" = "aa:00:7f:01:8a:d0";
# "wormhole.hq.c3d2.de" = "00:23:c3:d2:00:76";
# "www1.hq.c3d2.de" = "aa:00:13:8b:03:47";
"riscbert.hq.c3d2.de" = "6c:cf:39:00:05:95";
};
time = 300;
max-time = 30 * 24 * 3600;
time = 86400;
max-time = 2592000;
router = "c3d2-gw3";
};
domainName = "c3d2.zentralwerk.org";
@ -68,7 +68,6 @@
c3d2-gw2 = "172.22.99.3";
c3d2-gw3 = "172.22.99.4";
dacbert = "172.22.99.203";
schalter = "172.22.99.204";
glotzbert = "172.22.99.205";
pulsebert = "172.22.99.208";
pipebert = "172.22.99.209";
@ -89,7 +88,6 @@
c3d2-gw1 = "2a00:8180:2c00:223::c3d2:2";
c3d2-gw2 = "2a00:8180:2c00:223::c3d2:3";
c3d2-gw3 = "2a00:8180:2c00:223::c3d2:4";
pipebert = "2a00:8180:2c00:223:eea8:6bff:fefe:b4cb";
};
subnets6 = {
dn42 = "fd23:42:c3d2:523::/64";
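Review bot: The hunk at @ -68,7 +68,6 drops `schalter = "172.22.99.204";` from `hosts4`, while both versions of the `fixed-hosts` block in the first hunk still reserve a MAC for schalter (`"schalter"` / `"schalter.hq.c3d2.de"`), so the side that ends up without the hosts4 entry carries a reservation whose address must come from somewhere this file does not show; how the module resolves a hostname key in `fixed-hosts` should be confirmed before this lands. In the first hunk the pool `start` moves between `"172.22.99.100"` and `"172.22.99.60"`; if the IP-keyed reservations `"172.22.99.96"` and `"172.22.99.98"` land on the same side as `start = "172.22.99.60"`, they sit inside the dynamic range, which is only safe if the generated dhcpd config excludes fixed addresses from the pool. Whichever side is kept, `max-time = 30 * 24 * 3600;` reads better than `max-time = 2592000;`. The page has lost its `+`/`-` markers, so the direction of these changes cannot be read here.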


@ -1,47 +0,0 @@
{
site.net.c3d2iot = {
dhcp = {
start = "10.22.0.2";
end = "10.22.255.253";
router = "iot-gw";
server = "iot-gw";
# devices don't often change and a missing DNS record causes trouble
time = 3600;
max-time = 24 * 3600;
};
dynamicDomain = true;
domainName = "c3d2iot.zentralwerk.org";
hosts4 = {
iot-gw = "10.22.0.1";
};
hosts6 = {
dn42 = {
iot-gw = "fd23:42:c3d2:587:ffff:ffff:ffff:ffff";
};
};
subnet4 = "10.22.0.0/16";
subnets6 = {
dn42 = "fd23:42:c3d2:587::/64";
up4 = "2a00:8180:2c00:287::/64";
};
};
site.hosts.iot-gw = {
# TODO: needs to be done more granular, aka allow c3d2 and serv network
# firewall.enable = true;
interfaces = {
core = {
hwaddr = "0A:22:48:01:24:01";
type = "veth";
};
c3d2iot = {
hwaddr = "0A:22:48:01:24:00";
type = "veth";
};
};
ospf = {
allowedUpstreams = [ "upstream4" "upstream3" "anon1" ];
};
role = "container";
};
}


@ -7,15 +7,8 @@ in
ipv6Router = "cls-gw";
domainName = "cluster.zentralwerk.org";
extraRecords = map (host: {
data = {
service = "ceph-mon";
proto = "tcp";
priority = 1;
weight = 1;
port = 6789;
target = host;
};
name = "@";
data = "1 1 6789 ${host}";
name = "_ceph-mon._tcp";
type = "SRV";
}) cephMonServers
++
@ -144,7 +137,6 @@ in
"mgmt"
"serv"
"c3d2"
"c3d2iot"
"pub"
"priv23"
"priv31"
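Review bot: The string form of the ceph-mon SRV record, `data = "1 1 6789 ${host}";` with `name = "_ceph-mon._tcp";`, encodes priority, weight and port positionally with no field names, whereas the nine-line structured `data = { service = ...; port = 6789; ... }` form on the other side spells them out; the hunk counts (15 old, 8 new) strongly suggest the two-line form is the side being kept. If so, a comment above it would preserve that meaning, e.g. `# SRV rdata: priority weight port target (ceph-mon)`. The `extraRecords` list continues past the hunk with `++`, so whether `${host}` is already a fully-qualified target cannot be checked here.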


@ -53,9 +53,6 @@
priv44-gw = "172.20.72.70";
priv45-gw = "172.20.72.72";
priv46-gw = "172.20.72.73";
priv47-gw = "172.20.72.74";
priv48-gw = "172.20.72.75";
priv49-gw = "172.20.72.76";
priv5-gw = "172.20.72.15";
priv6-gw = "172.20.72.16";
priv7-gw = "172.20.72.17";
@ -71,10 +68,9 @@
server8 = "172.20.72.58";
upstream3 = "172.20.72.11";
upstream4 = "172.20.72.12";
coloradio-gw = "172.20.72.62";
# unused = "172.20.72.62";
vpn-gw = "172.20.72.69";
flpk-gw = "172.20.72.71";
iot-gw = "172.20.72.77";
};
hosts6 = {
dn42 = {
@ -87,7 +83,6 @@
cls-gw = "fd23:42:c3d2:581::c3d2:4";
freifunk = "fd23:42:c3d2:581:8000::1";
mgmt-gw = "fd23:42:c3d2:581::8:3";
iot-gw = "fd23:42:c3d2:581::8:7";
priv1-gw = "fd23:42:c3d2:581::c:0";
priv10-gw = "fd23:42:c3d2:581::c:9";
priv11-gw = "fd23:42:c3d2:581::c:a";
@ -129,9 +124,6 @@
priv44-gw = "fd23:42:c3d2:581::c:2b";
priv45-gw = "fd23:42:c3d2:581::c:2c";
priv46-gw = "fd23:42:c3d2:581::c:2d";
priv47-gw = "fd23:42:c3d2:581::c:2e";
priv48-gw = "fd23:42:c3d2:581::c:2f";
priv49-gw = "fd23:42:c3d2:581::c:30";
priv5-gw = "fd23:42:c3d2:581::c:4";
priv6-gw = "fd23:42:c3d2:581::c:5";
priv7-gw = "fd23:42:c3d2:581::c:6";
@ -142,7 +134,6 @@
upstream3 = "fd23:42:c3d2:581::b:2";
upstream4 = "fd23:42:c3d2:581::b:3";
vpn-gw = "fd23:42:c3d2:581:9001::1";
coloradio-gw = "fd23:42:c3d2:581:9009::1";
};
up4 = {
anon1 = "2a00:8180:2c00:281::9:1";
@ -154,7 +145,6 @@
cls-gw = "2a00:8180:2c00:281::8:4";
freifunk = "2a00:8180:2c00:281:8000::1";
mgmt-gw = "2a00:8180:2c00:281::8:3";
iot-gw = "2a00:8180:2c00:281::8:7";
priv1-gw = "2a00:8180:2c00:281::c:0";
priv10-gw = "2a00:8180:2c00:281::c:9";
priv11-gw = "2a00:8180:2c00:281::c:a";
@ -196,9 +186,6 @@
priv44-gw = "2a00:8180:2c00:281::c:2b";
priv45-gw = "2a00:8180:2c00:281::c:2c";
priv46-gw = "2a00:8180:2c00:281::c:2d";
priv47-gw = "2a00:8180:2c00:281::c:2e";
priv48-gw = "2a00:8180:2c00:281::c:2f";
priv49-gw = "2a00:8180:2c00:281::c:30";
priv5-gw = "2a00:8180:2c00:281::c:4";
priv6-gw = "2a00:8180:2c00:281::c:5";
priv7-gw = "2a00:8180:2c00:281::c:6";
@ -207,7 +194,6 @@
serv-gw = "2a00:8180:2c00:281::8:1";
upstream4 = "2a00:8180:2c00:281::b:1";
vpn-gw = "2a00:8180:2c00:281:9001::1";
coloradio-gw = "2a00:8180:2c00:281:9009::1";
};
};
subnet4 = "172.20.72.0/25";


@ -7,31 +7,23 @@
subnets6.flpk = "2a0f:5382:acab:1400::/64";
hosts4 = {
flpk-gw = "45.158.40.160";
notice-me-senpai = "45.158.40.162"; # tlms monitoring
leon = "45.158.40.162";
sshlog = "45.158.40.163";
caveman = "45.158.40.164";
# tlms-37c3-ctf vm on server9
ctf = "45.158.40.165";
leoncloud = "45.158.40.165";
mastodon = "45.158.40.166";
c3d2-web = "45.158.40.167";
mail = "45.158.40.168";
dresden-zone-dns = "45.158.40.169";
# server7 = "45.158.40.170"; # unused
rtrlab = "45.158.40.171"; # temporary
mailtngbert = "45.158.40.168";
};
hosts6.flpk = {
flpk-gw = "2a0f:5382:acab:1400::c3d2";
notice-me-senpai = "2a0f:5382:acab:1400:2de:5bff:fef9:e23e"; # tlms-monitoring
leon = "2a0f:5382:acab:1400::1e0";
sshlog = "2a0f:5382:acab:1400::22";
caveman = "2a0f:5382:acab:1400::a4";
# tlms-37c3-ctf vm on server9
ctf = "2a0f:5382:acab:1400::a5";
leoncloud = "2a0f:5382:acab:1400::a5";
mastodon = "2a0f:5382:acab:1400::a6";
c3d2-web = "2a0f:5382:acab:1400::a7";
# mail = "2a0f:5382:acab:1400::a8"; # we don't have an PTR for IPv6 and it gets way more often marked as spam
dresden-zone-dns = "2a0f:5382:acab:1400::a9";
# server7 = "2a0f:5382:acab:1400::aa";
rtrlab = "2a0f:5382:acab:1400::ab";
mailtngbert = "2a0f:5382:acab:1400::a8";
};
};
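Review bot: The commented `# mail = "2a0f:5382:acab:1400::a8"; # we don't have an PTR for IPv6 and it gets way more often marked as spam` and the active `mailtngbert = "2a0f:5382:acab:1400::a8";` occupy the same address on opposite sides of the `hosts6.flpk` hunk, so whichever side keeps the mail host with a live AAAA record discards the recorded reason for not publishing one. The page has lost its `+`/`-` markers, so which side is new cannot be read here; if the active `mailtngbert` entry is the one that lands, carry the reason along, e.g. `mailtngbert = "2a0f:5382:acab:1400::a8"; # no IPv6 PTR yet: expect stricter spam scoring from receivers`. In `hosts4`, `mail` and `mailtngbert` both use `45.158.40.168`, which is consistent only if they are on different sides.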


@ -63,15 +63,7 @@
ap62 = "10.0.0.102";
ap63 = "10.0.0.103";
ap64 = "10.0.0.104";
ap65 = "10.0.0.105";
ap66 = "10.0.0.106";
ap67 = "10.0.0.107";
ap68 = "10.0.0.108";
ap69 = "10.0.0.109";
ap7 = "10.0.0.47";
ap70 = "10.0.0.110";
ap71 = "10.0.0.111";
ap72 = "10.0.0.112";
ap8 = "10.0.0.48";
ap9 = "10.0.0.49";
logging = "10.0.0.251";
@ -106,7 +98,6 @@
switch-b3 = "10.0.0.18";
switch-ds1 = "10.0.0.20";
switch-ds2 = "10.0.0.21";
switch-ds3 = "10.0.0.22";
};
hosts6 = {
dn42 = {
@ -171,15 +162,7 @@
ap62 = "fd23:42:c3d2:580::4:3e";
ap63 = "fd23:42:c3d2:580::4:3f";
ap64 = "fd23:42:c3d2:580::4:40";
ap65 = "fd23:42:c3d2:580::4:41";
ap66 = "fd23:42:c3d2:580::4:42";
ap67 = "fd23:42:c3d2:580::4:43";
ap68 = "fd23:42:c3d2:580::4:44";
ap69 = "fd23:42:c3d2:580::4:45";
ap7 = "fd23:42:c3d2:580::4:7";
ap70 = "fd23:42:c3d2:580::4:46";
ap71 = "fd23:42:c3d2:580::4:47";
ap72 = "fd23:42:c3d2:580::4:48";
ap8 = "fd23:42:c3d2:580::4:8";
ap9 = "fd23:42:c3d2:580::4:9";
mgmt-gw = "fd23:42:c3d2:580:ffff:ffff:ffff:ffff";


@ -1,6 +1,6 @@
{ lib, ... }:
let
privCount = 49;
privCount = 46;
seq = n: max:
if n <= max
then [ n ] ++ seq (n + 1) max
@ -16,8 +16,8 @@ lib.mkMerge (
site.net."priv${toString n}" = {
dhcp = {
server = "priv${toString n}-gw";
time = 300;
max-time = 60 * 24 * 3600;
time = 120;
max-time = 86400;
router = "priv${toString n}-gw";
};
domainName = "priv${toString n}.zentralwerk.org";
@ -58,12 +58,10 @@ lib.mkMerge (
subnet4 = "172.20.75.0/27";
dhcp = {
start = "172.20.75.2";
end = "172.20.75.30";
end = "172.20.75.31";
fixed-hosts = {
"172.20.75.2" = "ac:1f:6b:dc:93:8e";
"172.20.75.3" = "ac:1f:6b:dc:95:de";
"172.20.75.9" = "ac:1f:6b:dc:95:df";
"172.20.75.7" = "60:33:4b:0b:cd:fc";
"172.20.75.9" = "00:11:32:22:95:79";
};
};
};
@ -204,6 +202,7 @@ lib.mkMerge (
dhcp = {
start = "172.20.73.194";
end = "172.20.73.254";
max-time = lib.mkForce 2592000;
};
};
priv20 = {
@ -238,10 +237,9 @@ lib.mkMerge (
end = "172.20.73.190";
fixed-hosts = {
"172.20.73.162" = "da:2c:3a:2c:87:22";
"172.20.73.163" = "b8:27:eb:16:31:61";
"172.20.73.164" = "ca:71:c4:90:3e:c7";
"172.20.73.163" = "ca:9f:27:b2:bf:6d";
"172.20.73.164" = "60:01:94:6f:81:a6";
};
time = lib.mkForce 900;
};
};
priv24 = {
@ -432,30 +430,6 @@ lib.mkMerge (
end = "172.20.77.238";
};
};
priv47 = {
hosts4 = { priv47-gw = "172.20.76.161"; };
subnet4 = "172.20.76.160/28";
dhcp = {
start = "172.20.76.162";
end = "172.20.76.174";
};
};
priv48 = {
hosts4 = { priv48-gw = "172.20.77.33"; };
subnet4 = "172.20.77.32/28";
dhcp = {
start = "172.20.77.34";
end = "172.20.77.46";
};
};
priv49 = {
hosts4 = { priv49-gw = "172.20.76.49"; };
subnet4 = "172.20.76.48/28";
dhcp = {
start = "172.20.76.50";
end = "172.20.76.62";
};
};
};
site.hosts = {
@ -750,24 +724,6 @@ lib.mkMerge (
priv46.hwaddr = "0A:14:48:01:2A:59";
};
};
priv47-gw = {
interfaces = {
core.hwaddr = "0A:14:48:01:2A:5A";
priv47.hwaddr = "0A:14:48:01:2A:5B";
};
};
priv48-gw = {
interfaces = {
core.hwaddr = "0A:14:48:01:2A:5C";
priv48.hwaddr = "0A:14:48:01:2A:5D";
};
};
priv49-gw = {
interfaces = {
core.hwaddr = "0A:14:48:01:2A:5E";
priv49.hwaddr = "0A:14:48:01:2A:5F";
};
};
};
} ]
)
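Review bot: `end = "172.20.75.31";` in the pool for `subnet4 = "172.20.75.0/27"` is that subnet's broadcast address, so the last address the server could lease is unusable and a client that receives it loses connectivity; the pool should stop at the last host address, `end = "172.20.75.30";`. The fixed-hosts entry `"172.20.75.9"` sits inside that pool, which is fine as long as the pool end is corrected, but it is worth a comment naming the device so the MAC is not an opaque literal. Since the rest of this file is generated from `privCount` via `seq`, an evaluation-time assertion that every `dhcp.end` lies strictly inside `subnet4` (excluding the broadcast address) would catch this class of typo for all `priv*` networks. The enclosing `lib.mkMerge` list starts before the first hunk.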


@ -3,10 +3,10 @@
dhcp = {
start = "172.20.78.2";
end = "172.20.79.253";
max-time = 3600;
router = "pub-gw";
server = "pub-gw";
time = 120;
max-time = 12 * 3600;
time = 300;
};
domainName = "pub.zentralwerk.org";
dynamicDomain = true;


@ -7,24 +7,21 @@
serv-gw = "172.20.73.1";
dns = "172.20.73.2";
stats = "172.20.73.3";
dresden-zone = "172.20.73.4";
tlms-elastic = "172.20.73.7"; # tlms
dnscache = "172.20.73.8";
tlms-ctfd = "172.20.73.9"; # tlms
buzzrelay = "172.20.73.15";
matemat = "172.20.73.21";
spaceapi = "172.20.73.25";
mucbot = "172.20.73.27";
scrape = "172.20.73.32";
pretalx = "172.20.73.33";
vaultwarden = "172.20.73.34";
uranus = "172.20.73.37"; # tlms
tram-borzoi = "172.20.73.38"; # tlms
borken-data-hoarder = "172.20.73.39"; # tlms
matrix = "172.20.73.40";
activity-relay = "172.20.73.41";
# "172.20.73.41"
luulaatsch-asterisk = "172.20.73.42";
grafana = "172.20.73.43";
# "172.20.73.44"
public-access-proxy = "172.20.73.45";
marenz = "172.20.73.46";
network-homepage = "172.20.73.47";
@ -38,10 +35,12 @@
jabber = "172.20.73.55";
mobilizon = "172.20.73.56";
radiobert = "172.20.73.57";
# mail = "172.20.73.58";
mail = "172.20.73.58";
# "172.20.73.59"
sdrweb = "172.20.73.60";
knot = "172.20.73.61";
bind = "172.20.73.61";
blogs = "172.20.73.62";
# "172.20.73.63"
staging-data-hoarder = "172.20.73.64"; # tlms
oparl = "172.20.73.65";
hedgedoc = "172.20.73.66";
@ -51,25 +50,28 @@
broker = "172.20.73.70";
ftp = "172.20.73.71";
auth = "172.20.73.72";
doubleblind-science = "172.20.73.73";
# "172.20.73.73"
# "172.20.73.74"
prometheus = "172.20.73.75";
# "172.20.73.76"
drone = "172.20.73.77";
# FILL IN THE HOLES BEFORE APPENDING!
};
ipv6Router = "serv-gw";
subnets6.dn42 = "fd23:42:c3d2:582::/64";
subnets6.up4 = "2a00:8180:2c00:282::/64";
hosts6.dn42 = {
knot = "fd23:42:c3d2:582:cd7:56ff:fe69:6366";
blogs = "fd23:42:c3d2:582:b8a8:7dff:fee8:5ac2";
bind = "fd23:42:c3d2:582:cd7:56ff:fe69:6366";
blogs = "fd42:42:c3d2:582:b8a8:7dff:fee8:5ac2";
dns = "fd23:42:c3d2:582:2:0:0:2";
dnscache = "fd23:42:c3d2:582:f096:dbff:fee8:427d";
gitea = "fd23:42:c3d2:582:702a:daff:fe35:83be";
grafana = "fd23:42:c3d2:582:4042:fbff:fe4b:2de8";
hydra = "fd23:42:c3d2:582:e2cb:4eff:fe3b:f94b";
jabber = "fd23:42:c3d2:582:b869:ccff:fe46:902a";
# mail = "fd23:42:c3d2:582:88c0:41ff:fe70:d6cd";
keycloak = "fd23:42:c3d2:582:c48:bbff:fe87:721d";
logging = "fd23:42:c3d2:582:6811:edff:fe40:89c6";
mail = "fd23:42:c3d2:582:88c0:41ff:fe70:d6cd";
matemat = "fd23:42:c3d2:582:f82b:1bff:fedc:8572";
minetest = "fd23:42:c3d2:582:c3a:42ff:fe5d:b20c";
mobilizon = "fd23:42:c3d2:582:48d1:5cff:fea7:1676";
mongo = "fd23:42:c3d2:582:14ec:c8ff:fe0a:fc5c";
mucbot = "fd23:42:c3d2:582:28db:dff:fe6b:e89a";
@ -79,31 +81,38 @@
serv-gw = "fd23:42:c3d2:582::1";
spaceapi = "fd23:42:c3d2:582:1457:adff:fe93:62e9";
stats = "fd23:42:c3d2:582:2:0:0:3";
zeit = "fd23:42:c3d2:582:2:0:0:5";
direkthilfe = "fd23:42:c3d2:582:1cde:c5ff:fe47:8c2a";
nix-build = "fd23:42:c3d2:582:683d:a9ff:fe45:3d1f";
staging-data-hoarder = "fd23:42:c3d2:582:2de:5bff:fef9:e23d";
oparl = "fd23:42:c3d2:582:2de:9aff:fece:3879";
gnunet = "fd23:42:c3d2:582:44";
broker = "fd23:42:c3d2:582:46";
ftp = "fd23:42:c3d2:582:47";
zengel = "fd23:42:c3d2:582:4a";
network-homepage = "fd23:42:c3d2:582:2f";
owncast = "fd23:42:c3d2:582:32";
prometheus = "fd23:42:c3d2:582:4b";
buzzrelay = "fd23:42:c3d2:582:f";
oxigraph = "fd23:42:c3d2:582:4c";
tmppleroma = "fd23:42:c3d2:582:2c";
luulaatsch-asterisk = "fd23:42:c3d2:582:2a";
stream = "fd23:42:c3d2:583:dc91:c7ff:fe51:d1c5";
};
hosts6.up4 = {
knot = "2a00:8180:2c00:282:cd7:56ff:fe69:6366";
bind = "2a00:8180:2c00:282:cd7:56ff:fe69:6366";
blogs = "2a00:8180:2c00:282:b8a8:7dff:fee8:5ac2";
dns = "2a00:8180:2c00:282:2:0:0:2";
dnscache = "2a00:8180:2c00:282:f096:dbff:fee8:427d";
gitea = "2a00:8180:2c00:282:702a:daff:fe35:83be";
grafana = "2a00:8180:2c00:282:4042:fbff:fe4b:2de8";
hydra = "2a00:8180:2c00:282:e2cb:4eff:fe3b:f94b";
jabber = "2a00:8180:2c00:282:b869:ccff:fe46:902a";
# mail = "2a00:8180:2c00:282:88c0:41ff:fe70:d6cd";
keycloak = "2a00:8180:2c00:282:c48:bbff:fe87:721d";
logging = "2a00:8180:2c00:282:6811:edff:fe40:89c6";
mail = "2a00:8180:2c00:282:88c0:41ff:fe70:d6cd";
matemat = "2a00:8180:2c00:282:f82b:1bff:fedc:8572";
minetest = "2a00:8180:2c00:282:c3a:42ff:fe5d:b20c";
mobilizon = "2a00:8180:2c00:282:48d1:5cff:fea7:1676";
mongo = "2a00:8180:2c00:282:14ec:c8ff:fe0a:fc5c";
mucbot = "2a00:8180:2c00:282:28db:dff:fe6b:e89a";
public-access-proxy = "2a00:8180:2c00:282:1024:5fff:febd:9be7";
radiobert = "2a00:8180:2c00:282:e65f:1ff:fe5d:1679";
@ -112,27 +121,28 @@
sdrweb = "2a00:8180:2c00:282:3078:bbff:fe76:e9ef";
spaceapi = "2a00:8180:2c00:282:1457:adff:fe93:62e9";
stats = "2a00:8180:2c00:282:2:0:0:3";
stream = "2a00:8180:2c00:282:dc91:c7ff:fe51:d1c5";
stream = "fd23:42:c3d2:583:dc91:c7ff:fe51:d1c5";
ticker = "2a00:8180:2c00:282:b407:40ff:fec1:81f2";
zeit = "2a00:8180:2c00:282:2:0:0:5";
direkthilfe = "2a00:8180:2c00:282:1cde:c5ff:fe47:8c2a";
nix-build = "2a00:8180:2c00:282:683d:a9ff:fe45:3d1f";
staging-data-hoarder = "2a00:8180:2c00:282:2de:5bff:fef9:e23d";
oparl = "2a00:8180:2c00:282:2de:9aff:fece:3879";
serv-gw = "2a00:8180:2c00:282::1";
luulaatsch-asterisk = "2a00:8180:2c00:282::2a";
drone = "2a00:8180:2c00:282::2b";
pretalx = "2a00:8180:2c00:282::2c";
tmppleroma = "2a00:8180:2c00:282::2c";
matrix = "2a00:8180:2c00:282::2d";
activity-relay = "2a00:8180:2c00:282::2e";
network-homepage = "2a00:8180:2c00:282::2f";
vaultwarden = "2a00:8180:2c00:282::31";
owncast = "2a00:8180:2c00:282::32";
mediawiki = "2a00:8180:2c00:282::43";
owncast = "2a00:8180:2c00:282::32";
gnunet = "2a00:8180:2c00:282::44";
data-hoarder = "2a00:8180:2c00:282::45";
broker = "2a00:8180:2c00:282::46";
ftp = "2a00:8180:2c00:282::47";
auth = "2a00:8180:2c00:282::48";
dresden-zone = "2a00:8180:2c00:282::49";
zengel = "2a00:8180:2c00:282::4a";
prometheus = "2a00:8180:2c00:282::4b";
oxigraph = "2a00:8180:2c00:282::4c";
hedgedoc = "2a00:8180:2c00:282::6";
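Review bot: `blogs = "fd42:42:c3d2:582:b8a8:7dff:fee8:5ac2"` under `hosts6.dn42` lies outside `subnets6.dn42 = "fd23:42:c3d2:582::/64"` (the `fd42` prefix reads like a transposition of `fd23`), so the AAAA record would point at an address the container does not hold and the suffix-based reverse-zone generation would not cover it; it should read `blogs = "fd23:42:c3d2:582:b8a8:7dff:fee8:5ac2";`. The same applies to `stream = "fd23:42:c3d2:583:dc91:c7ff:fe51:d1c5"` placed under `hosts6.up4`, whose subnet is `2a00:8180:2c00:282::/64`: a ULA from a third prefix in the global-address table is dead DNS data at best. Entries such as `gnunet = "fd23:42:c3d2:582:44"` and `network-homepage = "fd23:42:c3d2:582:2f"` have only five groups and no `::`, which is not a valid IPv6 literal; if those lines are on the new side they should be `fd23:42:c3d2:582::44` and `fd23:42:c3d2:582::2f` to match the `up4` counterparts. The enclosing attribute set starts before the first hunk.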


@ -2,7 +2,7 @@
let
servHosts = config.site.net.serv.hosts4;
inherit (config.site.net.c3d2.hosts4) dn42;
inherit (config.site.net.flpk.hosts4) c3d2-web;
inherit (config.site.net.flpk.hosts4) c3d2-web leon mailtngbert;
in
{
site.hosts = {
@ -43,177 +43,248 @@ in
{ # gemini
destination = "${c3d2-web}:1965";
proto = "tcp";
reflect = true;
sourcePort = 1965;
}
{
destination = servHosts.knot;
destination = "172.20.73.61";
proto = "tcp";
reflect = true;
sourcePort = 53;
}
{
destination = servHosts.knot;
destination = "172.20.73.61";
proto = "udp";
reflect = true;
sourcePort = 53;
}
{
destination = dn42;
proto = "udp";
reflect = true;
sourcePort = 2325;
}
{
destination = dn42;
proto = "udp";
reflect = true;
sourcePort = 2327;
}
{
destination = dn42;
proto = "udp";
reflect = true;
sourcePort = 2337;
}
{
destination = dn42;
proto = "udp";
reflect = true;
sourcePort = 2338;
}
{
destination = dn42;
proto = "udp";
reflect = true;
sourcePort = 2339;
}
{
destination = dn42;
proto = "udp";
reflect = true;
sourcePort = 2340;
}
{
destination = dn42;
proto = "udp";
sourcePort = 2342;
}
{
destination = dn42;
proto = "udp";
reflect = true;
sourcePort = 2399;
}
{
destination = dn42;
proto = "udp";
reflect = true;
sourcePort = 24699;
}
{
destination = dn42;
proto = "udp";
reflect = true;
sourcePort = 64699;
}
{ #ssh
destination = "${leon}:22";
proto = "tcp";
reflect = true;
sourcePort = 2223;
}
{ #Website
destination = "${leon}:5000";
proto = "tcp";
reflect = true;
sourcePort = 5001;
}
{ #VPN_Wireguard VPN1-interface
destination = "${leon}:18900";
proto = "udp";
reflect = true;
sourcePort = 18800;
}
{ #VPN_Wireguard VPN2-interface
destination = "${leon}:19900";
proto = "udp";
reflect = true;
sourcePort = 19800;
}
# ?
{
destination = "172.22.99.175:22";
proto = "tcp";
reflect = true;
sourcePort = 2224;
}
{
destination = servHosts.gitea;
proto = "tcp";
reflect = true;
sourcePort = 22;
}
{
destination = servHosts.jabber;
proto = "tcp";
reflect = true;
sourcePort = 5222;
}
{
destination = servHosts.jabber;
proto = "tcp";
reflect = true;
sourcePort = 5223;
}
{
destination = servHosts.jabber;
proto = "tcp";
reflect = true;
sourcePort = 5269;
}
{
destination = servHosts.jabber;
proto = "tcp";
reflect = true;
sourcePort = 3478;
}
{
destination = servHosts.jabber;
proto = "tcp";
reflect = true;
sourcePort = 3479;
}
{
destination = servHosts.jabber;
proto = "udp";
reflect = true;
sourcePort = 3478;
}
{
destination = servHosts.jabber;
proto = "udp";
reflect = true;
sourcePort = 3479;
}
{
destination = mailtngbert;
proto = "tcp";
reflect = true;
sourcePort = 25;
}
{
destination = mailtngbert;
proto = "tcp";
reflect = true;
sourcePort = 465;
}
{
destination = mailtngbert;
proto = "tcp";
reflect = true;
sourcePort = 587;
}
{
destination = mailtngbert;
proto = "tcp";
reflect = true;
sourcePort = 110;
}
{
destination = mailtngbert;
proto = "tcp";
reflect = true;
sourcePort = 143;
}
{
destination = mailtngbert;
proto = "tcp";
reflect = true;
sourcePort = 993;
}
{
destination = mailtngbert;
proto = "tcp";
reflect = true;
sourcePort = 995;
}
# poelzi
{
destination = "172.20.73.162:22";
proto = "tcp";
reflect = true;
sourcePort = 2323;
}
# jan
{
destination = "172.20.75.3:51820";
proto = "udp";
sourcePort = 30057;
}
# zw-ev RDP
{
destination = "172.20.75.222:3389";
proto = "tcp";
reflect = true;
sourcePort = 45000;
}
{
destination = config.site.net.core.hosts4.vpn-gw;
proto = "udp";
sourcePort = config.site.vpn.wireguard.port;
reflect = true;
sourcePort = config.site.vpn.wireguard.port;
}
{
destination = servHosts.gnunet;
proto = "tcp";
reflect = true;
sourcePort = 2086;
}
# dresden zone
{
destination = servHosts.dresden-zone;
proto = "udp";
sourcePort = 51844;
}
# data-hoarder
{
destination = servHosts.data-hoarder;
proto = "udp";
reflect = true;
sourcePort = 51820;
}
{
destination = "${servHosts.data-hoarder}:22";
proto = "tcp";
reflect = false;
sourcePort = 2269;
}
# data-hoarder-staging
{
destination = "${servHosts.staging-data-hoarder}:51820";
proto = "udp";
reflect = true;
sourcePort = 51821;
}
{
destination = "${servHosts.ftp}:22";
proto = "tcp";
reflect = true;
sourcePort = 1022;
}
# coloRadio
{
proto = "tcp";
sourcePort = 8000;
destination = "192.168.9.127";
}
];
interfaces = {
core = {
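Review bot: The two DNS forwards on sourcePort 53 now hard-code `destination = "172.20.73.61";` where the other side used `servHosts.knot`; the serv host table in this same compare names that address `bind`, so `destination = servHosts.bind;` keeps the forward bound to the host definition instead of a literal that goes stale silently if the resolver moves. The forward on sourcePort 2224 to `"172.22.99.175:22"` carries only the comment `# ?`: an SSH port opened on the upstream address towards a host nobody can attribute should either be removed or get an owner line such as `# <owner>: ssh to <hostname>`, as the neighbouring `# poelzi` entry does. The RDP forward (sourcePort 45000 → `"172.20.75.222:3389"`) exposes RDP directly to the internet; if it cannot be moved behind the WireGuard endpoint this same list forwards, a comment stating who needs it and why it must be public is the minimum. The enclosing `site.hosts` set starts before the hunk and its `interfaces` block continues past it.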


@ -1,84 +1,76 @@
-----BEGIN PGP MESSAGE-----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=EhAz
hQEMA2PKcvDMvlKLAQf+JsLbrcbKYL196zauRq/WXR04ls0lWKGgxf/U7kdOJW+a
ldf29aRG95v0ditzate8pISfg+Ffs0HR/86sxnFRvo81NXcVlTSFZohjRvSeD6iG
wISlWpi89YzxSpXE5gZuGW5HFJCInlcP8aFZ1t1TObOoLZjuscvG0gHQjHil7sRD
l7P/J9ors9RWs9bY9fc4FtfcYaBucXkxPz1eWml0B/8B1c4ttb/UAyH+ozatwi/H
JVyy/2EdvGhOX+HJmcwgFwmfcYu9PMSsKGPPb7jznBHnPJ9fFjxZsS+rQJSBGvnK
+dzO31PJYfxgwkLYFpPcO84bjiTNR/7PgaRqi2tjUdLqARSwfzcYWhOUKiCabiZT
Mb5xiGcR7EWW3bbuRss5UPMhwN6UBigcAeACIvgB0aHrQT2v89is5pzw0yR38NS8
B59XHM0R5DyF3AO35oEZDoY3v3AvJ21LmxFZJhey80qp4TXaE7SFwhIB/ym2a/KZ
DKdDb+kpdetKLlH68JQ3p/+V9xCs11fp//1jR+63ieT10o0+MH/JaibbpXZgkvck
1PwY2Lbnu5kqPHklAprzcLUSlA7oWfpOwCr2KI+NHI9vYSsKFKs5GrbU+a3KQ5GD
rCsV8yxTz2njlFBtTc9qUl+VpmJd7rn1l7YnyM5LRo3+wfez1mpTU3u6YZaA/MLm
+nNNLjR/HSgw9DWVulAgxLzcrLXXh8fLBO9QLrMbUu0EgGj6xCyG2Uzo+/b+7lYg
NO4ReHc3sVeLnWvtAH8G3Z5drkyXxZFuYxS8JzrV0g3hpXr3S5fzt8OMgZTnGHmm
3XxJfEBl32wVvJ5fOToXWe4xZzSok5tyQ3fnwMhiHLT4VbeHk4qOAx702nPTEVpC
YLzKW0mLf/CASNv+Zbzbg/F951fETDoqzzhK7zuZIxCKT9HdEFOptKpuu1EwC1p4
o6nXc92IOB1OO6o3I0qpxeHnm7N0K0KMV3PGgjH7CtdeprfJ7YuSiRZfDVYU50WD
Z19f9/hPc1GT5/+Cit2Gx9hYA4R1l3aNnhRxqmGF5QUWQHjo592PKGL+5UobjitD
8CnZcyzyij/hCne/70COg9S/88Gq0EZL3ETpKnR0jkeDz7jLEcfgclmQhd92rnuc
EhAmZMoX1safyICIdwTab6ZsUwt0f0Ri0k8106VePhcKX6G/EUFTt5Zk41GSQbNH
y5B7/oiP3o04FGLQs3+oDGiM2VaS+nm1pHeZ5X7j80kvSLrjVoEu08LVfr/KC5QQ
cpA3pMAuST5u76bacxffK0ECBlHB8Ayy5Jqsap/6CnuXRq32GkyE8cy449tETpcT
oxXg/Jt9WJLxAGPq6JXJ1Ygn4VxAjq2qya2taXxS/DDdANhplWgOHf/vJo4tUQ6L
Jn6oQY9cM4cnxYijvykRLGKw9xUzn617B5UDw7o6WGngogAqwFwFOfb4oY1EQx9j
LMWJ3oh+PXR1BqBHMPFfbeBn7AU/+4+Z0BukO0xa1HI/JX40qZrJbiDthrx3LyxX
N3zvA2tKaVGyzJ/sLNUqzUpCnbkfK9VBvIJXKkdAPlqYzPGSicN0IjyiBLM7WYrk
XiXNIANtWBN8hZx4psOuuohi9F7N0PDpdLjhpavXm3DC01j5+OQvkEUxe/B3JaJE
wZUovYchZzdCgNvp0We8tS6PvENVAp5nGlxYsZRSzAa0U+pJDUfQ8sN7+qLBGdic
xerKCHnrGFhY91BYNl8AaEURmrvF3xvPMfPQCMpJZM9E+yxsikxOFbPa6XDOgmCQ
7h52ASwkE6Qyu1oug53N2d/Jc6sUCk/fjVmYthKq2feZIJU7YmipZLawmzP+HkjO
0jtkB/3cZsd9xuhwCf/tq/ZV0RYzV5Iicp+RE74r5tmo9PZyVr+5GSDitbKDyqwm
eOJvQrgZFIxylgExmZSRUM9wbXfHTBwb9ESfETcAsF+UFUk9hIRfTwkUz1HKPg9p
Y9MN1e8ujxT/yUPX1Hx/Zplf3kHFSj01WROsc6zwbrnhJ66oV5XYfnLs7t6vICXQ
dqrWpLYKJF4Yz2ersS6VcZ+FgFKOq7JgrqQ5xVxJ8y2e1UOlyo7Zpz8jOAAml9xr
m2kgDVaVWLnbPhpIaeDZkyedIvbd5dRFprYxsW9oDEGKjNmjXkmg+Gj+uLlpMCKh
GlmJXGSdMp0AJcde8KZueICkE9mK3OloBVYvwoCqUFU76emZxcBcjlI1g2wiik9K
nUinR+6AcejzmOTpRerHr1VDrVb4r2WqfetcnOYD73OElJljG7kYl8oTGyT8fMbR
wStT4TTRB8l1B3j41MONlY3exZ0UIHpu0Ht+CQ7KnyEV84n0rII97CAuLISPe8+0
6q08i5t2Kk0OyX4FzhAv5zXRUV+wzNc9tYzLTHdNE4PL8Jn8X+HCksStNUtvNSIy
mahKKJH44WV44wBEArI8RUAJDNafohNfgGMkZ7IFSaxCXabwQ4OseElE6T+tPdR4
DBCbIT6bt8QCSAE1A/1Uk1BmKfnudErXI+TvhdVrLv5bZgY6J51Np6eBnCZOMCPP
GxXazmkmQnnmQezUEkz4uCCUIUFR/gkXLGH80uFdBpd22XMy1xiLNtbauiZCNiOK
uVXNGgfiPa80fgO1wIpAkQFk3+vxQP/JILtiOH20zfenp8SCxZ3SO8CcjXGshYns
z5fot3ROozuk2qX2/kjwmuvJOjgR1Ikw45yZbZdNsB2oSwQVzlPzAxnMGI6HOk8G
vybM+YAOWKbA0dIh6GCmr3serukuAbGCs2ixxw0qq11LqsAqg1mljD+l/GBnMuw7
S2/g6LXvHD8ukgGwz/rwDtVXWlFxuZrA+OQh2kKYmF4N5dkU11EVr8alZCW43trv
hluz21NsrTlbNwOaQwotrfPeKKjQLYCI9xaEW7udjI9FexfKzT4Ef7ozuKIhQtta
53EZeGJY052fvYPDaZxy+5qo3i0ewbauC1zVuu1ZcQyYDaqb0pNr3uoimJDcKw9m
UOyvkqYtgiFB0JQHHIrtgAl2REYZiBsdnZfdBtvBnY2+CYp+rPhdsSBrsGA7LEVr
59LOpEqhZF+kRW6Isr7B2o+Q6pasZHqEc6yRvDA2rwx1Rqk7wTtx2wDIo5RVDSVW
bJxXBB8h///SmNE9ie2Axt0IjOV3lxQVns1wEFXZIaPxOrZHorzpEaaF50mBXzys
IZ6Y9bo2BrRhuyWmz1YFa7oMeOcdBIOohRorbNaT6indz7fx0r/im16HoV3Rjk44
DlU6qA7Gmvwl7HjP0HftjAKz8UndygffY7fuYcEcWURKTCdFECCaj8sYfVf6rw5H
ZR7BY0Z9kAnVe8Vokh2OwMme3tKOsRcA61zIhc55I3yJZ9cdkeNymhjNaGun34DO
qErA5pwrZXjzE/nzJ1wIwh4jCjs5h2f828yIK4e23Jofjjt+/l8hCTaA3Ftd4tWM
vJUlPbUgGk5gTMCc8szuMGlH17vL7VVhXaaOcqStTBWs4aUeIMDYFejUyUvUrwMl
qI90JRwBSEbfUZUpuNneUsb+QBeLJMVxcFsJH5TtRptDhIp8/6uuJ52Azr2mIRLV
/C7iQ1WXyZ1i7r9cFzSLi8UbTLGxi6hXD4y3VRiOQbU/PM1koYqtS5+BeTzzVpcy
pKluVOgqSWK8lCTgRLh6cchfGBY2VGjicxoM9/sOohT/Wnh/tWfouWIegnlKyQI0
yFIxnObDpcdhw8+tO+JNNK+z5fLc7IubjW9MaAklsI++2Cz2HsevE/vwjstRi3+V
6yyUTQlQVCHc+xAJFnoHdtmkJFe2+K2+Eszj466sVQH5NMhjilRnLm5QCETeLq7n
Eg2G1nh2H609psEkJTr5Lb/DfSqZvkI/15WbUebr/YU4ETYHdyCZQkwO/8EpxQFB
+9NYs8+55Gw8Wg1egO/dUUCOjfsuTsJd7aCshUFSe2p16DBPnKDR/INHa2E2aY1G
AC+BdYYe91u2H5OsVsIs+uFDy0E28Dj1E63y5O7SvAqVFqbdMMxAmntfaZ+QEzZY
twoEqpZDuE0DnOJ1AylWVKtcGm44odpwfvudI9xAqXQMhx7x1EE9dlx8eC1fxj9h
LUpui1A74tbCQ7OKm4rFZDfZlFAW4J+yToQZGD8lEZshsEa8tW4EyJMRSHKIPz7x
tijuEVZIjMIBtpE8PnFJGgVH6GdvFZ1xFS/gmT1o0U82504zkXmy2yI82W6Gc7Is
2taTPIEH1MEnM8nXDa+PQLSVZUtVku1rsqFthMvJVGmE9ltGMIjbHot6o58pzwhG
eNdr3+tLXW1Qk3WdzvZ9HrkQdy889s+J0cRtiRfzn58JPMXrOCZewzMtSMvC3egY
tk/lKvIKx2MnXq74peh5k1Q2saYqj55ciisotwv5W+BZD5Pi1t/CjXXbtbWqonZJ
MUdPDrUyuNjmQsATZ9AErVol+Zn0fX9opsNuEJmV16DHM7NREGrJvTbnWC6kQEmv
3AzIJIGZzowJvhm1hGNDzQ2wa9I4Mq900+DscUImJRG5cZMDCt+PxUONg0k11ypP
Rmax/XN+U1apZtOMls8w9//dIId8
=4rTB
-----END PGP MESSAGE-----


@ -2,8 +2,6 @@
{
site.net = {
core.ospf.secret = "encrypted";
pub.wifi.ieee80211rKey = "2dc40abba46da9490ea0e00f93f18ce5";
c3d2.wifi.ieee80211rKey = "d1b1fa2461efc0df9e2d96579607b7f6";
};
site.hosts = {
@ -65,14 +63,6 @@
ap61.password = "encrypted";
ap63.password = "encrypted";
ap64.password = "encrypted";
ap65.password = "encrypted";
ap66.password = "encrypted";
ap67.password = "encrypted";
ap68.password = "encrypted";
ap69.password = "encrypted";
ap70.password = "encrypted";
ap71.password = "encrypted";
ap72.password = "encrypted";
switch-a1.password = "encrypted";
switch-b1.password = "encrypted";
switch-b2.password = "encrypted";
@ -83,7 +73,6 @@
switch-dach.password = "encrypted";
switch-ds1.password = "encrypted";
switch-ds2.password = "encrypted";
switch-ds3.password = "encrypted";
upstream4.interfaces.up4-pppoe.upstream = {
user = "encrypted";
@ -120,15 +109,12 @@
};
ap18.wifi."platform/qca953x_wmac".ssids."Restaurierung Wolff/Kober".psk = "encrypted";
ap19.wifi."platform/qca953x_wmac".ssids = {
"Bockwurst".psk = "encrypted";
"Studio 01127".psk = "encrypted";
"Walter".psk = "encrypted";
};
ap2.wifi = {
"pci0000:00/0000:00:00.0".ssids."C3D2".psk = "encrypted";
"platform/ahb/18100000.wmac".ssids = {
"C3D2 legacy".psk = "encrypted";
"C3D2 IoT".psk = "encrypted";
};
"platform/ahb/18100000.wmac".ssids."C3D2 legacy".psk = "encrypted";
};
ap23.wifi = {
"pci0000:00/0000:00:00.0".ssids."LBK Network".psk = "encrypted";
@ -150,7 +136,6 @@
"pci0000:00/0000:00:00.0".ssids."C3D2".psk = "encrypted";
"platform/ahb/18100000.wmac".ssids = {
"C3D2 legacy" = { "psk" = "encrypted"; };
"C3D2 IoT" = { "psk" = "encrypted"; };
"FOTOAKADEMIEdd" = { "psk" = "encrypted"; };
};
};
@ -169,6 +154,7 @@
ap37.wifi = {
"pci0000:00/0000:00:00.0".ssids."hechtfilm.de".psk = "encrypted";
"platform/ahb/18100000.wmac".ssids."hechtfilm.de legacy".psk = "encrypted";
"platform/ahb/18100000.wmac".ssids."LIZA".psk = "encrypted";
};
ap38.wifi = {
"pci0000:00/0000:00:00.0".ssids = {
@ -178,7 +164,6 @@
"platform/ahb/18100000.wmac".ssids = {
"ZW heinrichsgarten" = { "psk" = "encrypted"; };
"plop" = { "psk" = "encrypted"; };
"millimeter" = { "psk" = "encrypted"; };
};
};
ap39.wifi."platform/10180000.wmac".ssids."EckiTino".psk = "encrypted";
@ -284,38 +269,7 @@
ap64.wifi = {
"platform/ahb/18100000.wmac".ssids."Princess Castle".psk = "encrypted";
};
ap65.wifi = {
"1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0".ssids = {
"farbwerk".psk = "encrypted";
"Kaffeetasse".psk = "encrypted";
};
"1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0".ssids."farbwerk".psk = "encrypted";
};
ap66.wifi = {
"pci0000:00/0000:00:00.0".ssids."Buschfunk4.03".psk = "encrypted";
"platform/ahb/18100000.wmac".ssids."Buschfunk4.03 legacy".psk = "encrypted";
};
ap67.wifi = {
"1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0".ssids."farbwerk".psk = "encrypted";
"1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1".ssids."farbwerk".psk = "encrypted";
};
ap68.wifi = {
"1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0".ssids."farbwerk".psk = "encrypted";
"1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1".ssids."farbwerk".psk = "encrypted";
};
ap69.wifi = {
"pci0000:00/0000:00:00.0".ssids."LIZA".psk = "encrypted";
"platform/ahb/18100000.wmac".ssids."LIZA".psk = "encrypted";
};
ap7.wifi."platform/qca953x_wmac".ssids."mino".psk = "encrypted";
ap70.wifi = {
"pci0000:00/0000:00:00.0".ssids."M".psk = "encrypted";
"platform/ahb/18100000.wmac".ssids."M legacy".psk = "encrypted";
};
ap72.wifi = {
"1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0".ssids."farbwerk".psk = "encrypted";
"1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1".ssids."farbwerk".psk = "encrypted";
};
ap8.wifi = {
"pci0000:00/0000:00:00.0".ssids."C3D2".psk = "encrypted";
"platform/ar934x_wmac".ssids = {


@ -8,30 +8,17 @@
links = {
switch-a2.ports = [ "7" ];
priv25.ports = [
# A6: Kleiner Saal Schaltschrank
"1"
# Kabinett A10
"2"
"3"
# A16: Buehne rechts unten
"4"
# artnet node
"5"
# Panel A2: Foyer
"8"
# Panel A8: Kleiner Saal Buehne
];
priv31.ports = [
# A4: Buero
"6"
];
# A3: Techniklager
# (DS23: Hackcenter vor kleinem Saal)
# A17: Grosser Saal ueber der Buehne
# switch-a2 Port 13
# Panel A2: Foyer
switch-ds1.ports = [ "3" ];
# Panel A6: kl Saal hinten
switch-ds2.ports = [ "8" ];
priv25.ports = [
"2"
"4"
"5"
];
priv31.ports = [ "6" ];
iso4.ports = [ "1" ];
};
};
switch-a2 = {
@ -42,9 +29,6 @@
links = {
switch-c1.ports = [ "1" ];
switch-a1.ports = [ "2" ];
switch-ds1.ports = [ "3" ];
switch-ds2.ports = [ "4" ];
switch-ds3.ports = [ "5" ];
ap44.ports = [ "10" ];
ap45.ports = [ "11" ];
ap46.ports = [ "12" ];
@ -133,6 +117,8 @@
ap11.ports = [ "ge-1/0/10" ];
ap34.ports = [ "ge-1/0/12" ];
ap18.ports = [ "ge-1/0/18" ];
ap24.ports = [ "ge-1/0/34" ];
ap25.ports = [ "ge-1/0/35" ];
ap29.ports = [ "ge-0/0/46" ];
ap30.ports = [ "ge-1/0/22" ];
ap35.ports = [ "ge-1/0/23" ];
@ -144,13 +130,11 @@
ap5.ports = [ "ge-1/0/7" ];
ap51.ports = [ "ge-1/0/13" ];
ap53.ports = [ "ge-0/0/7" ];
ap72.ports = [ "ge-1/0/38" ];
ap54.ports = [ "ge-1/0/38" ];
ap55.ports = [ "ge-1/0/19" ];
ap56.ports = [ "ge-1/0/9" ];
ap60.ports = [ "ge-1/0/20" ];
ap62.ports = [ "ge-0/0/11" ];
ap65.ports = [ "ge-0/0/9" ];
ap66.ports = [ "ge-1/0/43" ];
mgmt.ports = [
"ge-0/0/0"
"ge-0/0/1"
@ -163,24 +147,25 @@
# server9
"ge-1/0/48"
];
flpk.ports = [
# server7
"ge-0/0/40"
];
priv1.ports = [ "ge-1/0/3" ];
priv19.ports = [ "ge-1/0/40" ];
priv2.ports = [ "ge-1/0/4" ];
priv24.ports = [ "ge-0/0/6" "ge-1/0/16" ];
priv3.ports = [ "ge-1/0/5" ];
priv30.ports = [ "ge-0/0/12" ];
priv49.ports = [ "ge-1/0/1" ];
ap67.ports = [ "ge-1/0/34" ];
ap68.ports = [ "ge-1/0/35" ];
ap69.ports = [ "ge-0/0/35" ];
ap64.ports = [ "ge-0/0/45" ];
pub.ports = [
"ge-1/0/11"
];
server7 = {
group = "8";
ports = [
"ge-0/0/40"
"ge-0/0/44"
"ge-1/0/1"
"ge-1/0/43"
];
};
server9 = {
group = "10";
ports = [
@ -269,8 +254,11 @@
# Fenster
ap33.ports = [ "5" ];
c3d2.ports = [ "8-20" ];
# Testing
ap-test1.ports = [ "4" ];
bmx.ports = [ "7" ];
# tmp Datenspuren: VOC
iso4.ports = [ "4" "6" "7" ];
iso4.ports = [ "6" ];
};
};
@ -357,30 +345,27 @@
"GigabitEthernet1/0/13"
"GigabitEthernet1/0/14"
"GigabitEthernet1/0/15"
];
# Stage uplink
priv25.ports = [
"GigabitEthernet1/0/16"
"GigabitEthernet1/0/17"
"GigabitEthernet1/0/18"
"GigabitEthernet1/0/19"
"GigabitEthernet1/0/20"
];
# Uplink
switch-a1.ports = [ "GigabitEthernet1/0/24" ];
# Freifunk
bmx.ports = [
"GigabitEthernet1/0/20"
"GigabitEthernet1/0/21"
"GigabitEthernet1/0/22"
"GigabitEthernet1/0/23"
];
# Uplink
switch-a2.ports = [ "GigabitEthernet1/0/24" ];
};
};
switch-ds2 = {
role = "switch";
model = "3com-5500G";
location = "Grosser Saal oben";
location = "Vor dem Kl Saal";
interfaces = { mgmt.type = "phys"; };
links = {
@ -405,64 +390,16 @@
"GigabitEthernet1/0/17"
"GigabitEthernet1/0/18"
"GigabitEthernet1/0/19"
];
# Stage uplink
priv25.ports = [
"GigabitEthernet1/0/20"
"GigabitEthernet1/0/21"
];
# VOC isolated
iso4.ports = [
# Uplink
switch-a1.ports = [ "GigabitEthernet1/0/24" ];
# Freifunk
bmx.ports = [
"GigabitEthernet1/0/21"
"GigabitEthernet1/0/22"
"GigabitEthernet1/0/23"
];
# Uplink
switch-a2.ports = [ "GigabitEthernet1/0/24" ];
};
};
switch-ds3 = {
firstboot = true;
role = "switch";
model = "3com-5500G";
location = "Kleiner Saal";
interfaces = { mgmt.type = "phys"; };
links = {
# Public
pub.ports = [
"GigabitEthernet1/0/1"
"GigabitEthernet1/0/2"
"GigabitEthernet1/0/3"
"GigabitEthernet1/0/4"
"GigabitEthernet1/0/5"
"GigabitEthernet1/0/6"
"GigabitEthernet1/0/7"
"GigabitEthernet1/0/8"
"GigabitEthernet1/0/9"
"GigabitEthernet1/0/10"
"GigabitEthernet1/0/11"
"GigabitEthernet1/0/12"
"GigabitEthernet1/0/13"
"GigabitEthernet1/0/14"
"GigabitEthernet1/0/15"
"GigabitEthernet1/0/16"
"GigabitEthernet1/0/17"
"GigabitEthernet1/0/18"
"GigabitEthernet1/0/19"
];
# Stage uplink
priv25.ports = [
"GigabitEthernet1/0/20"
"GigabitEthernet1/0/21"
];
# VOC isolated
iso4.ports = [
"GigabitEthernet1/0/22"
"GigabitEthernet1/0/23"
];
# Uplink
switch-a2.ports = [ "GigabitEthernet1/0/24" ];
};
};
};


@ -25,8 +25,6 @@ in
up2 = 11;
up3 = 12;
up4 = 13;
# Isolated other stuff
c3d2iot = 20;
# Isolated neighbors directly connectied with their modems
iso1 = 101;
iso2 = 102;



@ -55,14 +55,10 @@ Von geeigneten Routern haben wir stets zu wenige übrig, so dass wir sie
gemeinsam kaufen und bezahlen müssen. Such dir einen aus, dann
bestellen und konfigurieren wir ihn.
* Zyxel WSM20 (Multy M1) ([25€](https://geizhals.de/zyxel-multy-m1-v101058.html))
* TP-Link Archer C7 v2 ([58€](http://geizhals.de/tp-link-archer-c7-v2-a923544.html))
* Ubiquiti UniFi nanoHD ([150€](https://geizhals.de/ubiquiti-unifi-nanohd-uap-nanohd-a1802819.html))
* [Jedes Gerät auf dem OpenWRT läuft](https://openwrt.org/supported_devices)
Die genannten Preise sind unverbindlich und schwanken stark mit den
Situationen rund um die Straße von Malaka, Rotem Meer und
Suez-Kanal. Auf eBay gibts gebrauchte Geräte.
![WLAN-Router](https://upload.wikimedia.org/wikipedia/commons/thumb/3/34/Linksys-Wireless-G-Router.jpg/280px-Linksys-Wireless-G-Router.jpg)
### Netzverteilung


@ -1,53 +1,17 @@
{
"nodes": {
"dns-nix": {
"inputs": {
"flake-utils": "flake-utils",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1703643450,
"narHash": "sha256-EUUF5oxFFPX/etKm0FNQg+7MPHQlNjmM1XhNgyDf7A0=",
"owner": "SuperSandro2000",
"repo": "dns.nix",
"rev": "70dcce71560d4253f63812fa36dee994c81ae814",
"type": "github"
},
"original": {
"owner": "SuperSandro2000",
"repo": "dns.nix",
"type": "github"
}
},
"flake-utils": {
"locked": {
"lastModified": 1614513358,
"narHash": "sha256-LakhOx3S1dRjnh0b5Dg3mbZyH0ToC9I8Y2wKSkBaTzU=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "5466c5bbece17adaab2d82fae80b46e807611bf3",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1713634877,
"narHash": "sha256-+tmLKU8N+YMIIBRPmWFueaytsbSDu4wqGnxc3RKYZwk=",
"owner": "SuperSandro2000",
"lastModified": 1685912674,
"narHash": "sha256-9iRV7ZxZO13MXEBZvWTak9OTddkit66qbbDtroqV4X4=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "84f20dcf85434cd2e2a163ec3a30937c78cc26b2",
"rev": "18388d019974e90a035bdb938a8a3ca3c0408db9",
"type": "github"
},
"original": {
"owner": "SuperSandro2000",
"ref": "nixos-23.11",
"owner": "NixOS",
"ref": "release-23.05",
"repo": "nixpkgs",
"type": "github"
}
@ -55,16 +19,16 @@
"openwrt": {
"flake": false,
"locked": {
"lastModified": 1713442482,
"narHash": "sha256-OAcv1qiM2V6wPQm4Tz2QnnDpw34pifG6QRDZea7AP9o=",
"ref": "openwrt-23.05",
"rev": "9b33b74ef71225442361d5192d3a727be212c3cd",
"revCount": 58296,
"lastModified": 1685795498,
"narHash": "sha256-DZS2L/646UDQjXKVYL5wuqoYXQ1cc/9M7fy5lXQ5/Gw=",
"ref": "openwrt-22.03",
"rev": "171b51519206b5e66ebd01d322f41d790976ce87",
"revCount": 54629,
"type": "git",
"url": "https://git.openwrt.org/openwrt/openwrt.git"
},
"original": {
"ref": "openwrt-23.05",
"ref": "openwrt-22.03",
"type": "git",
"url": "https://git.openwrt.org/openwrt/openwrt.git"
}
@ -76,11 +40,11 @@
]
},
"locked": {
"lastModified": 1713693953,
"narHash": "sha256-DsJ/pzBSF3CxQWyiw4V3k96h7Q3UaRnQnL1N9tw+uWg=",
"lastModified": 1685874260,
"narHash": "sha256-rem5LdqVtunLJZ+lXvwAJCMFucJmT+kaXoTOIbGelXg=",
"owner": "astro",
"repo": "nix-openwrt-imagebuilder",
"rev": "d4dc8c84f4397be494ae834709276f099df892e7",
"rev": "b5901ec9361152f1f588445d1b3f06239ea4b86c",
"type": "github"
},
"original": {
@ -91,7 +55,6 @@
},
"root": {
"inputs": {
"dns-nix": "dns-nix",
"nixpkgs": "nixpkgs",
"openwrt": "openwrt",
"openwrt-imagebuilder": "openwrt-imagebuilder"


@ -2,13 +2,9 @@
description = "Zentralwerk network";
inputs = {
dns-nix = {
url = "github:SuperSandro2000/dns.nix";
inputs.nixpkgs.follows = "nixpkgs";
};
nixpkgs.url = "github:SuperSandro2000/nixpkgs/nixos-23.11";
nixpkgs.url = "github:NixOS/nixpkgs/release-23.05";
openwrt = {
url = "git+https://git.openwrt.org/openwrt/openwrt.git?ref=openwrt-23.05";
url = "git+https://git.openwrt.org/openwrt/openwrt.git?ref=openwrt-22.03";
flake = false;
};
openwrt-imagebuilder = {
@ -17,7 +13,7 @@
};
};
outputs = inputs@{ self, dns-nix, nixpkgs, openwrt, openwrt-imagebuilder }:
outputs = inputs@{ self, nixpkgs, openwrt, openwrt-imagebuilder }:
let
system = "x86_64-linux";
systems = [ system ];
@ -30,15 +26,16 @@
specialArgs = {
hostName = name;
inherit (self) lib;
inherit inputs dns-nix self;
inherit inputs self;
};
};
in {
# Config, and utilities
lib = nixpkgs.lib.extend (_final: _prev:
import ./nix/lib {
inherit self openwrt;
inherit (nixpkgs.legacyPackages.x86_64-linux) lib pkgs;
inherit self;
inherit openwrt;
pkgs = nixpkgs.legacyPackages.x86_64-linux;
});
# Everything that can be built locally outside of NixOS


@ -178,7 +178,7 @@ let
type = enum [ "A" "AAAA" "MX" "SRV" "CNAME" "TXT" ];
};
data = mkOption {
type = oneOf [ str (attrsOf (oneOf [ int str ])) ];
type = str;
};
};
});
@ -194,13 +194,6 @@ let
type = with types; nullOr int;
default = null;
};
wifi.ieee80211rKey = mkOption {
type = with types; nullOr str;
default = null;
description = ''
Key between WiFi access points for Fast Transition
'';
};
};
};
@ -446,19 +439,10 @@ let
wifi = mkOption {
default = {};
type = with types; attrsOf (submodule (
{ config, ... }: {
{ ... }: {
options = {
band = mkOption {
type = enum [ "2g" "5g" ];
default =
if config.channel >= 1 && config.channel <= 14
then "2g"
else if config.channel >= 32 && config.channel <= 177
then "5g"
else throw "What band is channel ${toString config.channel}?";
};
htmode = mkOption {
type = enum [ "HT20" "HT40-" "HT40+" "HT40" "VHT80" ];
type = enum [ "HT20" "HT40-" "HT40+" "VHT80" ];
};
channel = mkOption {
type = int;
@ -473,10 +457,6 @@ let
type = nullOr str;
default = null;
};
hidden = mkOption {
type = bool;
default = false;
};
encryption = mkOption {
type = enum [ "none" "owe" "wpa2" "wpa3" ];
default =
@ -492,13 +472,6 @@ let
type = nullOr str;
default = null;
};
disassocLowAck = mkOption {
type = bool;
default = true;
description = ''
Disable for wireless bridges.
'';
};
};
}));
};
@ -604,6 +577,11 @@ in
type = with types; attrsOf (submodule netOpts);
};
net-combined = mkOption {
description = "All hosts of all subnets";
default = {};
type = with types; submodule netOpts;
};
hosts = mkOption {
description = "All the static hosts";


@ -1,13 +1,13 @@
{ self, lib, openwrt, pkgs }:
{ self, pkgs, openwrt }:
rec {
inherit (import ./config { inherit self pkgs; }) config;
config = (import ./config { inherit self pkgs; }).config;
netmasks = import ./netmasks.nix;
subnet = import ./subnet { inherit pkgs; };
dns = import ./dns.nix { inherit config lib; };
dns = import ./dns.nix { inherit pkgs config; };
openwrtModels = import ./openwrt-models.nix { inherit self openwrt; };


@ -1,18 +1,17 @@
{ config, lib }:
{ pkgs, config }:
let
lib = pkgs.lib;
in
rec {
ns = "dns.serv.zentralwerk.org";
internalNS = [ ns ];
# public servers (slaves)
publicNS = [
"ns.c3d2.de"
"ns.spaceboyz.net"
"ns1.supersandro.de"
];
publicNS = [ "ns.c3d2.de" "ns.spaceboyz.net" ];
publicIPv4 = config.site.hosts.upstream4.interfaces.up4-pppoe.upstream.staticIpv4Address;
dynamicReverseZones4 = [
dynamicReverseZones = [
"73.20.172.in-addr.arpa"
"74.20.172.in-addr.arpa"
"75.20.172.in-addr.arpa"
@ -21,12 +20,6 @@ rec {
"78.20.172.in-addr.arpa"
"79.20.172.in-addr.arpa"
"99.22.172.in-addr.arpa"
"22.10.in-addr.arpa"
];
dynamicReverseZones6 = [
"2.0.0.0.c.2.0.8.1.8.0.0.a.2.ip6.arpa"
"4.1.b.a.c.a.2.8.3.5.f.0.a.2.ip6.arpa"
"5.0.2.d.3.c.2.4.0.0.3.2.d.f.ip6.arpa"
];
mapI = start: end: f:
@ -99,7 +92,7 @@ rec {
"${zone}" = true;
}
) {} (builtins.attrNames reverseHosts4)
) ++ dynamicReverseZones4
) ++ dynamicReverseZones
);
# turns `::` into `0000:0000:0000:0000:0000:0000:0000:0000`
@ -244,7 +237,7 @@ rec {
builtins.filter (lib.hasSuffix ".${zone}")
(builtins.attrNames reverseHosts4)
);
dynamic = builtins.elem zone dynamicReverseZones4;
dynamic = builtins.elem zone dynamicReverseZones;
}) reverseZones4
++
builtins.concatMap (ctx:
@ -263,7 +256,6 @@ rec {
builtins.filter (lib.hasSuffix ".${zone}")
(builtins.attrNames reverseHosts6.${ctx})
);
dynamic = builtins.elem zone dynamicReverseZones6;
}) reverseZones6.${ctx}
) (builtins.attrNames reverseZones6);
}
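Review bot: On the new side the entries built from `reverseZones6.${ctx}` no longer carry a `dynamic` attribute (the `dynamic = builtins.elem zone dynamicReverseZones6;` line is gone), while the `reverseZones4` entries still set `dynamic = builtins.elem zone dynamicReverseZones;`. Any consumer that destructures `{ name, dynamic, ... }` from `config.site.dns.localZones` will fail with a missing-attribute error unless the `localZones` option declares a default for `dynamic`, which I cannot see from here. If no such default exists, adding `dynamic = false;` to the IPv6 entries keeps both zone shapes identical. The enclosing `rec { … }` starts and ends outside these hunks.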


@ -95,9 +95,7 @@ let
ucidef_set_interfaces_lan_wan.ports =
makeLinkFromArg "lan" (builtins.elemAt args 0) //
self.lib.optionalAttrs (builtins.length args > 1) (
makeLinkFromArg "wan" (builtins.elemAt args 1)
);
makeLinkFromArg "wan" (builtins.elemAt args 1);
};
in
if commands ? ${command}
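Review bot: `makeLinkFromArg "wan" (builtins.elemAt args 1)` is now evaluated unconditionally, so a model defined with a single port argument aborts with a list-index error from `elemAt` instead of getting a LAN-only port layout. If one-argument invocations are still possible, keep the length guard: `self.lib.optionalAttrs (builtins.length args > 1) (makeLinkFromArg "wan" (builtins.elemAt args 1))`. The `commands` attrset this belongs to is defined outside the hunk.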


@ -90,7 +90,7 @@ in
Host "inbert.c3d2.de"
Host "heise.de"
'';
}) (lib.optionalAttrs config.services.kea.dhcp4.enable {
}) (lib.optionalAttrs config.services.dhcpd4.enable {
plugins.exec =
let
maxTimeout = builtins.foldl' (maxTimeout: net:
@ -117,11 +117,11 @@ in
}) ];
systemd.services.collectd = lib.mkIf config.services.kea.dhcp4.enable {
after = [ "kea-dhcp4-server.service" ];
systemd.services.collectd = lib.mkIf config.services.dhcpd4.enable {
after = [ "dhcpd4.service" ];
};
security.wrappers = lib.mkIf config.services.kea.dhcp4.enable {
security.wrappers = lib.mkIf config.services.dhcpd4.enable {
collectd-dhcpcount =
let
dhcpcount = pkgs.runCommand "dhcpcount" {
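Review bot: The condition `config.services.dhcpd4.enable` is spelled three times in this file section, once through `lib.optionalAttrs` and twice through `lib.mkIf`, which makes it easy to update only two of them the next time the DHCP service changes. Hoisting it into the file's `let` block (outside the hunk) as `dhcpEnabled = config.services.dhcpd4.enable;` and using one combinator for all three places keeps them in sync. The `plugins.exec` expression and the `collectd-dhcpcount` wrapper continue past the hunk boundaries.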


@ -1,28 +1,36 @@
#!/usr/bin/env ruby
require 'csv'
require 'date'
INTERVAL = 60
TIMEOUT = ARGV[0].to_i # TODO: now unused
hostname = CSV::readlines("/proc/sys/kernel/hostname").join.strip
INTERVAL = 300
TIMEOUT = ARGV[0].to_i
hostname = IO::readlines("/proc/sys/kernel/hostname").join.strip
STDOUT.sync = true
loop do
seen = {}
count = 0
now = Time.now.to_i
CSV::readlines("/var/lib/kea/kea-leases4.csv", headers: true).each do |rec|
h = rec.to_h
addr = h["hwaddr"]
next unless addr
last = h["expire"].to_i
elapsed = now - last
next if elapsed >= TIMEOUT
addr = nil
starts = nil
unless seen[addr]
count += 1
seen[addr] = true
IO::readlines("/var/lib/dhcpd4/dhcpd.leases").each do |line|
if line =~ /^lease (.+) \{/
addr = $1
starts = nil
elsif line =~ /starts \d+ (.+?);/
starts = DateTime.parse($1).to_time
elsif line =~ /^\}/
now = Time.now
if starts and
now >= starts and now < starts + TIMEOUT
unless seen[addr]
count += 1
seen[addr] = true
end
end
end
end
puts "PUTVAL \"#{hostname}/exec-dhcpd/current_sessions-leases\" interval=#{INTERVAL} N:#{count}"
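Review bot: `DateTime.parse($1).to_time` raises on a timestamp it cannot parse and nothing rescues it, so a single unexpected `starts` line in `/var/lib/dhcpd4/dhcpd.leases` terminates the whole collector loop; `starts = (DateTime.parse($1).to_time rescue nil)` keeps the exporter running and merely skips that lease. The value reported is "leases that started less than TIMEOUT seconds ago" rather than active leases, because the `ends` and `binding state` fields of each lease block are never read — if the metric is meant to reflect current sessions, parsing `ends` would be the right basis. `now = Time.now` is re-evaluated for every lease block; computing it once before the `IO::readlines` loop is cheaper and gives every block the same reference time. The rest of the `loop do` body lies outside the hunk.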


@ -112,14 +112,6 @@ in
min ra interval 10;
max ra interval 60;
solicited ra unicast yes;
${if (config.site.net.${net}.dhcp.server or null) == null
then ''
# Do not use DHCP6.
managed no;
'' else ''
# Use DHCP6 for DynDNS.
managed yes;
''}
${builtins.concatStringsSep "\n" (
map (subnet6: ''
@ -447,7 +439,7 @@ in
User = "bird2";
Group = "bird2";
};
path = with pkgs; [ bird2 iputils ];
path = [ pkgs.bird2 "/run/wrappers" ];
script = ''
STATE=unknown
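Review bot: `path = [ pkgs.bird2 "/run/wrappers" ];` gives no hint which setuid wrapper the script relies on, and the script body continues outside the hunk so I cannot tell from here. A short comment such as `# "/run/wrappers": setuid tool the bird2 user needs in the script below — name it` would save the next reader a trip through the script. If the wrapper is only needed for raw sockets, `serviceConfig.AmbientCapabilities = [ "CAP_NET_RAW" ];` on the service is an alternative that keeps the unit off the setuid path entirely.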


@ -1,4 +1,4 @@
{ config, lib, modulesPath, pkgs, ... }:
{ config, lib, modulesPath, ... }:
{
imports = [
@ -6,12 +6,10 @@
(modulesPath + "/virtualisation/lxc-container.nix")
];
environment = {
etc."machine-id".text = builtins.substring 0 8 (builtins.hashString "sha256" config.networking.hostName);
systemPackages = with pkgs; [
ripgrep
];
};
environment.etc."machine-id".text =
builtins.substring 0 8 (
builtins.hashString "sha256" config.networking.hostName
);
nix = {
settings = {
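Review bot: `environment.etc."machine-id".text` is set to an 8-character prefix of a SHA-256, but `/etc/machine-id` is defined as a 32-character hexadecimal string; a shorter value may be treated as invalid and replaced with a transient id at boot, which is worth confirming against the deployed systemd. `builtins.substring 0 32 (…)` yields a syntactically valid id from the same hash. Note also that an id derived from the hostname is fully predictable, whereas machine-id is documented as something not to expose to untrusted parties; a comment stating that this is accepted for these containers would make the trade-off explicit. The module continues past the hunk (`nix.settings`).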


@ -8,331 +8,98 @@ let
dhcp.server == hostName
) config.site.net;
concatMapDhcpNets = f:
lib.pipe dhcpNets [
(builtins.mapAttrs f)
builtins.attrValues
(map (r: if builtins.isList r then r else [ r ]))
builtins.concatLists
];
enabled = builtins.length (builtins.attrNames dhcpNets) > 0;
in
{
services.kea.dhcp4 = lib.mkIf enabled {
services.dhcpd4 = lib.optionalAttrs enabled {
enable = true;
settings = {
interfaces-config.interfaces = builtins.attrNames dhcpNets;
dhcp-ddns.enable-updates = true;
ddns-send-updates = true;
# TODO: use with kea >= 2.5.0
# ddns-conflict-resolution-mode = "check-exists-with-dhcid";
ddns-use-conflict-resolution = false;
ddns-replace-client-name = "when-not-present";
expired-leases-processing.hold-reclaimed-time = builtins.foldl' lib.max
3600 (concatMapDhcpNets (net: { dhcp, ... }: dhcp.max-time));
interfaces = builtins.attrNames dhcpNets;
subnet4 = concatMapDhcpNets (net: { vlan, subnet4, hosts4, dhcp, domainName, ... }: {
id = vlan;
subnet = subnet4;
pools = [ {
pool = "${dhcp.start} - ${dhcp.end}";
} ];
renew-timer = builtins.ceil (.5 * dhcp.time);
rebind-timer = builtins.ceil (.85 * dhcp.time);
valid-lifetime = dhcp.time;
option-data = [ {
space = "dhcp4";
name = "routers";
code = 3;
data = config.site.net.${net}.hosts4.${dhcp.router};
} {
space = "dhcp4";
name = "domain-name";
code = 15;
data = domainName;
} {
space = "dhcp4";
name = "domain-name-servers";
code = 6;
data = "${config.site.net.serv.hosts4.dnscache}, 9.9.9.9";
} ];
ddns-qualifying-suffix = domainName;
reservations = lib.pipe dhcp.fixed-hosts [
(builtins.mapAttrs (fixedAddr: hwaddr:
if hosts4 ? ${fixedAddr}
then # fixedAddr is a known hostname
let
name = fixedAddr;
addr = hosts4.${fixedAddr};
in {
hostname = "${name}.${net}.zentralwerk.org";
hw-address = hwaddr;
ip-address = addr;
extraConfig = ''
${builtins.concatStringsSep "\n" (
builtins.attrValues (
builtins.mapAttrs (net: { dhcp, subnet4Net, subnet4Len, domainName, ...}:
''
ddns-update-style standard;
key dyndns {
algorithm hmac-sha256;
secret ${config.site.dyndnsKey};
};
zone ${domainName}. {
primary ${config.site.net.serv.hosts4.dns};
primary6 ${config.site.net.serv.hosts6.dn42.dns};
key dyndns;
}
else
let
names = builtins.attrNames (
lib.filterAttrs (_: hostAddr:
hostAddr == fixedAddr
) hosts4);
name = builtins.head names;
in
if builtins.length names > 0
then { # fixedAddr is IPv4 of a known hostname
hostname = "${name}.${net}.zentralwerk.org";
hw-address = hwaddr;
ip-address = hosts4.${name};
} # fixedAddr is IPv4?
else {
hw-address = hwaddr;
ip-address = fixedAddr;
${lib.concatMapStrings ({ name, dynamic, ... }:
lib.optionalString (
dynamic &&
lib.hasSuffix ".in-addr.arpa" name
) ''
zone ${name}. {
primary ${config.site.net.serv.hosts4.dns};
primary6 ${config.site.net.serv.hosts6.dn42.dns};
key dyndns;
}
''
) config.site.dns.localZones}
option guid code 97 = text;
group {
default-lease-time ${toString dhcp.time};
max-lease-time ${toString dhcp.max-time};
option routers ${config.site.net.${net}.hosts4.${dhcp.router}};
option domain-name "${domainName}";
option domain-name-servers 172.20.73.8, 9.9.9.9;
ddns-domainname "${domainName}";
class "pxeclients" {
match if substring (option vendor-class-identifier, 0, 9) = "PXEClient";
next-server ${config.site.net.serv.hosts4.nfsroot};
option tftp-server-address ${config.site.net.serv.hosts4.nfsroot};
if suffix(reverse(1, option guid), 5) = 34:69:50:52:00 {
# RPi4
option vendor-class-identifier "PXEClient";
option vendor-encapsulated-options "Raspberry Pi Boot";
option tftp-server-name "${config.site.net.serv.hosts4.nfsroot}";
} elsif option pxe-system-type = 00:00 {
filename "netboot.xyz.kpxe"; # BIOS
} elsif option pxe-system-type = 00:07 {
filename "netboot.xyz.efi"; # EFI
option bootfile-name "netboot.xyz.efi";
} elsif option pxe-system-type = 00:06 {
filename "netboot.xyz.efi"; # ia32_EFI
}
}
))
builtins.attrValues
(builtins.filter (r: r != null))
];
});
match-client-id = false;
host-reservation-identifiers = [ "hw-address" ];
subnet ${subnet4Net} netmask ${lib.netmasks.${toString subnet4Len}} {
range ${dhcp.start} ${dhcp.end};
# Netbooting
option-def = [ {
name = "PXEDiscoveryControl";
code = 6;
space = "vendor-encapsulated-options-space";
type = "uint8";
array = false;
} {
name = "PXEMenuPrompt";
code = 10;
space = "vendor-encapsulated-options-space";
type = "record";
array = false;
record-types = "uint8,string";
} {
name = "PXEBootMenu";
code = 9;
space = "vendor-encapsulated-options-space";
type = "record";
array = false;
record-types = "uint16,uint8,string";
} ];
client-classes =
let
rpi4Class = {
name = "rpi4-pxe";
test = "option[vendor-class-identifier].text == 'PXEClient:Arch:00000:UNDI:002001'";
option-data = [ {
name = "boot-file-name";
data = "bootcode.bin";
} {
name = "vendor-class-identifier";
data = "PXEClient";
} {
name = "vendor-encapsulated-options";
} {
name = "PXEBootMenu";
csv-format = true;
data = "0,17,Raspberry Pi Boot";
space = "vendor-encapsulated-options-space";
} {
name = "PXEDiscoveryControl";
data = "3";
space = "vendor-encapsulated-options-space";
} {
name = "PXEMenuPrompt";
csv-format = true;
data = "0,PXE";
space = "vendor-encapsulated-options-space";
} ];
};
# always assign the same IP to the same MAC address.
# fixes changing IP for PXE clients.
ignore-client-uids true;
}
pxeClassData = {
PXE-Legacy = {
arch = "00000";
boot-file-name = "netboot.xyz.kpxe";
};
PXE-UEFI-32-1.arch = "00002";
PXE-UEFI-32-2.arch = "00006";
PXE-UEFI-64-1.arch = "00007";
PXE-UEFI-64-2.arch = "00008";
PXE-UEFI-64-3.arch = "00009";
};
update-static-leases on;
makePxe = name: { boot-file-name ? "netboot.xyz.efi", arch }: {
inherit name boot-file-name;
test = "substring(option[60].hex,0,20) == 'PXEClient:Arch:${arch}'";
next-server = config.site.net.serv.hosts4.nfsroot;
};
in
[ rpi4Class ]
++
builtins.attrValues (
builtins.mapAttrs makePxe pxeClassData
);
control-socket = {
socket-type = "unix";
socket-name = "/run/kea/dhcp4-socket";
};
hooks-libraries = [ {
library = "/run/current-system/sw/lib/kea/hooks/libdhcp_stat_cmds.so";
} {
library = "/run/current-system/sw/lib/kea/hooks/libdhcp_lease_cmds.so";
} ];
};
${builtins.concatStringsSep "\n" (
builtins.attrValues (
builtins.mapAttrs (addr: hwaddr:
''
host ${addr} {
hardware ethernet ${hwaddr};
fixed-address ${addr};
}
''
) dhcp.fixed-hosts
)
)}
}
''
) dhcpNets
)
)}
'';
};
services.kea.dhcp6 = lib.mkIf enabled {
enable = true;
settings = {
interfaces-config.interfaces = builtins.attrNames dhcpNets;
dhcp-ddns.enable-updates = true;
ddns-override-no-update = true;
ddns-override-client-update = true;
ddns-replace-client-name = "when-not-present";
# TODO: use with kea >= 2.5.0
# ddns-conflict-resolution-mode = "check-exists-with-dhcid";
ddns-use-conflict-resolution = false;
subnet6 = concatMapDhcpNets (net: { vlan, subnets6, dhcp, domainName, ... }:
let
subnet = subnets6.up4 or subnets6.flpk or null;
prefix = builtins.head (builtins.split "::/" subnet);
in
if subnet != null
then {
id = vlan;
interface = net;
inherit subnet;
pools = [ {
pool = "${prefix}:c3d2:c3d2:c3d2:1000 - ${prefix}:c3d2:c3d2:c3d2:ffff";
#pool = subnet;
} ];
valid-lifetime = dhcp.time;
max-valid-lifetime = dhcp.max-time;
option-data = [ {
space = "dhcp6";
name = "domain-search";
code = 24;
data = domainName;
} {
space = "dhcp6";
name = "dns-servers";
code = 23;
data = "${config.site.net.serv.hosts6.dn42.dnscache}, 2620:fe::9";
} ];
ddns-generated-prefix = "d";
ddns-qualifying-suffix = domainName;
}
else []
);
host-reservation-identifiers = [ "hw-address" ];
#reservations = concatMapDhcpNets (net: { hosts6, dhcp, ... }:
# builtins.filter (r: r != null) (
# builtins.attrValues (
# builtins.mapAttrs (name: hwaddr:
# let
# ip-addresses = lib.pipe hosts6 [
# (builtins.mapAttrs (_: hosts6: hosts6.${name} or null))
# builtins.attrValues
# (builtins.filter (a: a != null))
# ];
# in
# if builtins.trace (lib.generators.toPretty {} ip-addresses) (builtins.length ip-addresses) > 0
# then {
# hostname = "${name}.${net}.zentralwerk.org";
# hw-address = hwaddr;
# inherit ip-addresses;
# }
# else null
# ) dhcp.fixed-hosts
# )));
control-socket = {
socket-type = "unix";
socket-name = "/run/kea/dhcp6.socket";
};
hooks-libraries = [ {
library = "/run/current-system/sw/lib/kea/hooks/libdhcp_stat_cmds.so";
} {
library = "/run/current-system/sw/lib/kea/hooks/libdhcp_lease_cmds.so";
} ];
};
};
services.kea.dhcp-ddns = lib.mkIf enabled {
enable = true;
settings = {
tsig-keys = [ {
name = "dyndns";
algorithm = "hmac-sha256";
secret = config.site.dyndnsKey;
} ];
forward-ddns.ddns-domains = concatMapDhcpNets (net: { domainName, ... }: {
name = "${domainName}.";
key-name = "dyndns";
dns-servers = [ {
ip-address = config.site.net.serv.hosts4.dns;
} {
ip-address = config.site.net.serv.hosts6.dn42.dns;
} ];
});
reverse-ddns.ddns-domains = map ({ name, ...}: {
name = "${name}.";
key-name = "dyndns";
dns-servers = [ {
ip-address = config.site.net.serv.hosts4.dns;
} {
ip-address = config.site.net.serv.hosts6.dn42.dns;
} ];
}) (
builtins.filter ({ name, dynamic, ... }:
dynamic &&
(lib.hasSuffix ".in-addr.arpa" name ||
lib.hasSuffix ".ip6.arpa" name)
) config.site.dns.localZones
);
control-socket = {
socket-type = "unix";
socket-name = "/run/kea/dhcp-ddns.socket";
};
};
};
services.kea.ctrl-agent = lib.mkIf enabled {
enable = true;
settings.control-sockets = {
dhcp4 = {
socket-type = "unix";
socket-name = "/run/kea/dhcp4.socket";
};
dhcp6 = {
socket-type = "unix";
socket-name = "/run/kea/dhcp6.socket";
};
d2 = {
socket-type = "unix";
socket-name = "/run/kea/dhcp-ddns.socket";
};
};
};
# Increase reliablity
# (mostly for kea-dhcp-ddns-server.service)
systemd.services =
let
restartService.serviceConfig = {
RestartSec = 4;
Restart = "always";
};
in {
kea-dhcp4-server = restartService;
kea-dhcp6-server = restartService;
kea-dhcp-ddns-server = restartService;
};
}
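Review bot: `secret ${config.site.dyndnsKey};` inside `extraConfig` interpolates the TSIG key into the generated `dhcpd.conf`, which NixOS renders into the world-readable `/nix/store`; the same key is embedded in `named.conf` (`secret "${config.site.dyndnsKey}";`) and placed on the `nsupdate -y` command line in the server dns.nix section, where it is additionally visible to every local user through the process list. Keeping the key in a root-only file outside the store and loading it at runtime — `include "<path-to-key-file>";` in the dhcpd and bind configs, `nsupdate -k <path-to-key-file>` in the script — removes it from both the store and `argv`. Separately, `option domain-name-servers 172.20.73.8, 9.9.9.9;` hard-codes a resolver address while every other address in the same block comes from `config.site.net.serv.hosts4.*`; if the serv net still defines a `dnscache` host, `${config.site.net.serv.hosts4.dnscache}` keeps it in one place. The `let` block with `dhcpNets` starts outside the hunk.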


@ -1,26 +1,26 @@
{ config, dns-nix, hostName, lib, pkgs, self, ... }:
{ hostName, config, lib, pkgs, self, ... }:
let
serial = builtins.substring 0 10 self.lastModifiedDate;
generateZoneFile = let
util = dns-nix.util.${pkgs.system};
in { name, ns, records, ... }: util.writeZone name {
TTL = 60*60;
SOA = {
nameServer = "${lib.dns.ns}.";
adminEmail = "astro@spaceboyz.net";
serial = lib.toInt serial;
refresh = 1*60*60;
retry = 5*60;
expire = 2*60*60;
minimum = 1*60;
};
NS = map (a: a+".") ns;
subdomains = lib.foldl (a: b: lib.recursiveUpdate a b) { } (map ({ name, type, data }: {
${name}.${type} = [ data ];
}) records);
};
generateZoneFile = { name, ns, records, dynamic }:
builtins.toFile "${name}.zone" ''
$ORIGIN ${name}.
$TTL 1h
@ IN SOA ${lib.dns.ns}. astro.spaceboyz.net. (
${serial} ; serial
1h ; refresh
1m ; retry
2h ; expire
1m ; minimum
)
${lib.concatMapStrings (ns: " IN NS ${ns}.\n") ns}
${lib.concatMapStrings ({ name, type, data }:
"${name} IN ${type} ${data}\n"
) records}
'';
in
{
options =
@ -35,7 +35,7 @@ in
type = types.enum [ "A" "AAAA" "MX" "SRV" "CNAME" "TXT" "PTR" ];
};
data = mkOption {
type = types.oneOf [ types.str (types.attrsOf (types.oneOf [ types.int types.str ]))];
type = types.str;
};
};
@ -69,151 +69,90 @@ in
config = {
site.dns.localZones = lib.dns.localZones;
services.knot = lib.mkIf config.site.hosts.${hostName}.services.dns.enable (
services.bind = lib.mkIf config.site.hosts.${hostName}.services.dns.enable (
let
generateZone = zone@{ name, dynamic, ... }: {
domain = name;
template = "zentralwerk";
acl = [ "zone_xfr" ] ++ lib.optional dynamic "dyndns";
file = if dynamic
then "/var/lib/knot/zones/${name}.zone"
inherit name;
master = true;
# allowed for zone-transfer
slaves = [
# ns.c3d2.de
"217.197.84.53" "2001:67c:1400:2240::a"
config.site.net.serv.hosts4.bind
config.site.net.serv.hosts6.dn42.bind
config.site.net.serv.hosts6.up4.bind
# ns.spaceboyz.net
"172.22.24.4" "2a01:4f9:4b:39ec::4"
];
file =
if dynamic
then "/var/db/bind/${name}.zone"
else generateZoneFile zone;
notify = [ "all" ];
extraConfig = ''
also-notify {
# ns.c3d2.de
217.197.84.53;
2001:67c:1400:2240::a;
${config.site.net.serv.hosts4.bind};
${config.site.net.serv.hosts6.dn42.bind};
${config.site.net.serv.hosts6.up4.bind};
# ns.spaceboyz.net
172.22.24.4;
95.217.229.209;
2a01:4f9:4b:39ec::4;
};
notify-source ${config.site.net.serv.hosts4.dns};
notify-source-v6 ${config.site.net.serv.hosts6.up4.dns};
'' + lib.optionalString dynamic ''
allow-update { key "dyndns"; };
'';
};
in {
enable = true;
settings = {
acl = [
{
id = "dyndns";
action = "update";
key = "dyndns";
}
{
id = "zone_xfr";
address = with config.site.net.serv; [
# ns.c3d2.de
hosts4.knot hosts6.dn42.knot hosts6.up4.knot
"2a00:8180:2c00:282:2041:cbff:fe0c:8516"
"fd23:42:c3d2:582:2041:cbff:fe0c:8516"
# ns.spaceboyz.net
"172.22.24.4" "95.217.229.209" "2a01:4f9:4b:39ec::4"
# ns1.supersandro.de
"188.34.196.104" "2a01:4f8:1c1c:1d38::1"
];
action = "transfer";
}
];
zones = map generateZone config.site.dns.localZones;
key = [ {
id = "dyndns";
algorithm = "hmac-sha256";
secret = config.site.dyndnsKey;
} ];
log = [ {
target = "syslog";
any = "info";
} ];
mod-stats = [ {
id = "default";
query-type = "on";
} ];
remote = let
via = with config.site.net.serv; [ hosts4.dns hosts6.up4.dns ];
in [
{
id = "ns.c3d2.de";
address = with config.site.net.serv; [ hosts4.knot hosts6.dn42.knot hosts6.up4.knot ];
inherit via;
} {
id = "ns.spaceboyz.net";
address = [ "172.22.24.4" "95.217.229.209" "2a01:4f9:4b:39ec::4" ];
inherit via;
} {
id = "ns1.supersandro.de";
address = [ /*"188.34.196.104"*/ "2a01:4f8:1c1c:1d38::1" ];
inherit via;
}
];
remotes = [ {
id = "all";
remote = [ "ns.c3d2.de" "ns.spaceboyz.net" "ns1.supersandro.de" ];
} ];
server = {
answer-rotation = true;
automatic-acl = true;
identity = "dns.serv.zentralwerk.org";
listen = with config.site.net; [
"127.0.0.1" "::1"
serv.hosts4.dns serv.hosts6.up4.dns serv.hosts6.dn42.dns
];
tcp-fastopen = true;
version = null;
extraConfig = ''
key "dyndns" {
algorithm hmac-sha256;
secret "${config.site.dyndnsKey}";
};
template = [
{
# default is a magic name and is always loaded.
# Because we want to use catalog-role/catalog-zone settings for all zones *except* the catalog zone itself, we must split the templates
id = "default";
global-module = [ "mod-stats" ];
}
{
id = "zentralwerk";
catalog-role = "member";
catalog-zone = "zentralwerk.";
dnssec-signing = true;
journal-content = "all"; # required for zonefile-load=difference-no-serial and makes cold starts like zone reloads
module = "mod-stats/default";
semantic-checks = true;
serial-policy = "increment";
storage = "/var/lib/knot/zones";
zonefile-load = "difference-no-serial";
}
];
zone = [ {
acl = "zone_xfr";
catalog-role = "generate";
domain = "zentralwerk.";
notify = [ "ns1.supersandro.de" ];
storage = "/var/lib/knot/catalog";
} ] ++ map generateZone config.site.dns.localZones;
};
'';
extraOptions = ''
# allow underscores in dynamic hostnames
${lib.concatMapStringsSep "\n" (type: ''
check-names ${type} ignore;
'') [ "master" "slave" "response" ]}
'';
});
systemd.services = {
create-dynamic-zones = {
description = "Creates dynamic zone files";
requiredBy = [ "knot.service" ];
before = [ "knot.service" ];
serviceConfig.Type = "oneshot";
script = ''
mkdir -p /var/lib/knot/zones
systemd.services.create-dynamic-zones = {
description = "Creates dynamic zone files";
requiredBy = [ "bind.service" ];
before = [ "bind.service" ];
serviceConfig.Type = "oneshot";
script = ''
mkdir -p /var/db/bind
${lib.concatMapStringsSep "\n" (zone@{ name, ... }: ''
[ -e /var/lib/knot/zones/${name}.zone ] || \
cp ${generateZoneFile zone} /var/lib/knot/zones/${name}.zone
chown -R knot /var/lib/knot/zones
chmod -R u+rwX /var/lib/knot/zones
'') (builtins.filter ({ dynamic, ... }: dynamic) config.site.dns.localZones)}
'';
};
update-dynamic-zones = {
description = "Creates initial records in dynamic zone files";
requiredBy = [ "knot.service" ];
after = [ "knot.service" ];
serviceConfig.Type = "oneshot";
path = [ pkgs.dnsutils ];
script = lib.concatMapStrings (zone: ''
nsupdate -v -y "hmac-sha256:dyndns:${config.site.dyndnsKey}" <<EOF
${lib.concatMapStringsSep "\n" (zone@{ name, ... }: ''
[ -e /var/db/bind/${name}.zone ] || \
cp ${generateZoneFile zone} /var/db/bind/${name}.zone
chown -R named /var/db/bind
chmod -R u+rwX /var/db/bind
'') (
builtins.filter ({ dynamic, ... }: dynamic) config.site.dns.localZones
)}
'';
};
systemd.services.update-dynamic-zones = {
description = "Creates initial records in dynamic zone files";
requiredBy = [ "bind.service" ];
after = [ "bind.service" ];
serviceConfig.Type = "oneshot";
path = [ pkgs.dnsutils ];
script = ''
${lib.concatMapStrings (zone: ''
nsupdate -y "hmac-sha256:dyndns:${config.site.dyndnsKey}" <<EOF
server localhost
${lib.concatMapStringsSep "\n" ({ name, type, data }: ''
@ -223,8 +162,10 @@ in
send
EOF
'') (builtins.filter ({ dynamic, ... }: dynamic) config.site.dns.localZones);
};
'') (
builtins.filter ({ dynamic, ... }: dynamic) config.site.dns.localZones
)}
'';
};
};
}
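Review bot: `generateZoneFile = { name, ns, records, dynamic }:` has no `...` in its pattern, yet `generateZone` calls it as `generateZoneFile zone` with the complete zone attrset from `config.site.dns.localZones`; should the `localZones` submodule ever gain another attribute, evaluation aborts with "function called with unexpected argument". `{ name, ns, records, ... }:` makes it tolerant of that, and `dynamic` can be dropped from the pattern since the body never reads it. The serial is the first ten characters of `self.lastModifiedDate`, i.e. `YYYYMMDDHH`; a one-line comment next to `serial = …` saying so would document why ten and not fourteen. The `options` block and most of the module lie between and outside the hunks.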


@ -1,99 +1,124 @@
{ hostName, config, lib, pkgs, ... }:
lib.mkIf config.site.hosts.${hostName}.services.dnscache.enable {
services.kresd = {
services.unbound = {
enable = true;
instances = 4;
listenPlain = [ "0.0.0.0:53" "[::0]:53" ];
package = pkgs.knot-resolver.override { extraFeatures = true; };
extraConfig = /* lua */ ''
modules = {
'http',
'policy',
'predict',
'prefill',
'serve_stale < cache', -- servce stail records while refreshing the record
'workarounds < iterate', -- solve problems around specific broken subdomains, mainly disables case randomization
'view'
}
settings = {
remote-control = {
control-enable = true;
control-use-cert = false;
};
server = {
num-threads = 4;
verbosity = 1;
prefetch = true;
prefetch-key = true;
serve-expired = true;
cache-min-ttl = 60;
cache-max-ttl = 3600;
infra-cache-slabs = "8";
key-cache-slabs = "8";
msg-cache-slabs = "8";
rrset-cache-slabs = "8";
msg-cache-size = "256m"; # half again 128m?
rrset-cache-size = "512m"; # half again 256m?
cache.size = 500 * MB
cache.min_ttl(60)
interface = [ "0.0.0.0" "'::0'" ];
# TODO: generate
access-control = builtins.concatLists [
[ # localhost
"::1/128 allow"
"127.0.0.0/8 allow"
]
[ # mgmt
"${config.site.net.mgmt.subnet4} allow"
]
[ # dn42
"fd23:42:c3d2:500::/56 allow"
"::172.20.72.0/117 allow"
"::172.22.99.0/120 allow"
"172.20.72.0/21 allow"
"172.22.99.0/24 allow"
]
[ # freifunk
"10.200.0.0/15 allow"
]
[ # DSI
"2a00:8180:2000:37::1/128 allow"
"2a00:8180:2c00:200::/56 allow"
]
[ # flpk
"${config.site.net.flpk.subnet4} allow"
"2a0f:5382:acab:1400::/56 allow"
]
[ # default
"0.0.0.0/0 deny"
"::/0 deny"
]
];
# For DNS over TLS
tls-cert-bundle = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
net.listen('127.0.0.1', 8453, { kind = 'webmgmt' })
http.prometheus.namespace = 'resolver_'
# allow reverse lookup of rfc1918 space, which includes the DN42 address space
unblock-lan-zones = true;
insecure-lan-zones = true;
-- dns42
policy.add(policy.suffix(
policy.STUB({'fd42:d42:d42:54::1', 'fd42:d42:d42:53::1', '172.20.0.53', '172.23.0.53'}),
policy.todnames({'dn42.', 'd.f.ip6.arpa', '20.172.in-addr.arpa', '21.172.in-addr.arpa', '22.172.in-addr.arpa', '23.172.in-addr.arpa'})
))
domain-insecure = [
"dn42"
"d.f.ip6.arpa"
"ffdd"
];
};
-- freifunk
policy.add(policy.suffix(
policy.STUB({'10.200.0.4', '10.200.0.16'}),
policy.todnames({'ffdd.', '200.10.in-addr.arpa', '201.10.in-addr.arpa'})
))
-- size.dns.localZones
policy.add(policy.suffix(
policy.STUB({'${config.site.net.serv.hosts4.dns}', ${lib.concatStringsSep ", " (map (hosts6: "'${hosts6.dns}'") (builtins.attrValues config.site.net.serv.hosts6))}}),
policy.todnames({${lib.concatStringsSep ", " (map (zone: "'${zone.name}'") config.site.dns.localZones)}})
))
-- forward to dns caches
policy.add(policy.slice(
policy.slice_randomize_psl(),
-- quad9
policy.TLS_FORWARD({
{'2620:fe::fe', hostname='dns.quad9.net'},
{'2620:fe::9', hostname='dns.quad9.net'},
{'9.9.9.9', hostname='dns.quad9.net'},
{'149.112.112.112', hostname='dns.quad9.net'}
}),
-- cloudflare
policy.TLS_FORWARD({
{'2606:4700:4700::1111', hostname='cloudflare-dns.com'},
{'2606:4700:4700::1001', hostname='cloudflare-dns.com'},
{'1.1.1.1', hostname='cloudflare-dns.com'},
{'1.0.0.1', hostname='cloudflare-dns.com'}
})
))
-- allow access from our networks
'' + lib.concatMapStringsSep "\n" (cidr: "view:addr('${cidr}', policy.all(policy.PASS))") [
# localhost
"::1/128" "127.0.0.0/8"
# mgmt
"${config.site.net.mgmt.subnet4}"
# dn42
"fd23:42:c3d2:500::/56" "::172.20.72.0/117" "::172.22.99.0/120"
"172.20.72.0/21" "172.22.99.0/24"
# freifunk
"10.200.0.0/15"
# DSI
"2a00:8180:2000:37::1/128" "2a00:8180:2c00:200::/56"
# flpk
"${config.site.net.flpk.subnet4}" "2a0f:5382:acab:1400::/56 allow"
] + "\n" + /* lua */ ''
-- drop everything that hasn't matched
view:addr('0.0.0.0/0', policy.all(policy.DROP))
view:addr('::/0', policy.all(policy.DROP))
predict = {
window = 15, -- sampling window
period = 24*(60/15) -- track last X hours, divide through sampling window
}
prefill.config({
['.'] = {
url = 'https://www.internic.net/domain/root.zone',
interval = 86400, -- seconds
}
})
trust_anchors.set_insecure({'dn42', 'd.f.ip6.arpa', 'ffdd'})
'';
forward-zone = let
mkFfddZone = name: {
inherit name;
forward-addr = [ "10.200.0.4" "10.200.0.16" ];
};
in [ {
name = ".";
forward-tls-upstream = true;
forward-addr = [
# Quad9
"2620:fe::fe@853#dns.quad9.net"
"9.9.9.9@853#dns.quad9.net"
"2620:fe::9@853#dns.quad9.net"
"149.112.112.112@853#dns.quad9.net"
# Cloudflare DNS
"2606:4700:4700::1111@853#cloudflare-dns.com"
"1.1.1.1@853#cloudflare-dns.com"
"2606:4700:4700::1001@853#cloudflare-dns.com"
"1.0.0.1@853#cloudflare-dns.com"
];
} ] ++
# Local networks
map ({ name, ... }: {
name = "${name}";
forward-addr = [ "${config.site.net.serv.hosts4.dns}" ] ++
map (hosts6: hosts6.dns)
(builtins.attrValues config.site.net.serv.hosts6);
}) config.site.dns.localZones
# Freifunk
++ (map mkFfddZone [
"ffdd"
"200.10.in-addr.arpa"
"201.10.in-addr.arpa"
]);
# DN42
stub-zone = let
mkDn42Zone = name: {
inherit name;
stub-prime = true;
stub-addr = [
"172.20.0.53" "fd42:d42:d42:54::1"
"172.23.0.53" "fd42:d42:d42:53::1"
];
};
in map mkDn42Zone [
"dn42" "d.f.ip6.arpa"
"20.172.in-addr.arpa" "21.172.in-addr.arpa"
"22.172.in-addr.arpa" "23.172.in-addr.arpa"
];
};
};
}
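Review bot: The local zones in `forward-zone` point at the site's own authoritative server (`config.site.net.serv.hosts4.dns` and the `hosts6.*.dns` entries), but `forward-zone` makes unbound send recursive queries, which an authoritative-only server may refuse; `stub-zone` is the primitive for authoritative targets and is already used for dn42 a few lines below. If that server also recurses for local clients the current form works, so confirm before changing it. As a style point, `infra-cache-slabs = "8"` and its siblings are strings while `num-threads = 4` is an integer; settings of the same kind should use one representation.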


@ -1,114 +0,0 @@
{ config, lib, ... }:
let
inherit (config.networking) hostName;
interfaces = config.site.hosts.${hostName}.physicalInterfaces;
# linux iface name max length = 15
shortenNetName = name:
if builtins.match "priv(.*)" name != null
then "p" + builtins.substring 4 9 name
else if name == "coloradio"
then "cr"
else if name == "coloradio-gw"
then "cr-gw"
else name;
checkIfname = ifname: let
len = builtins.stringLength ifname;
in if len > 15
then throw "Interface name ${ifname} is ${toString (len - 15)} chars too long."
else ifname;
# `lxc.net.*` formatter for lxc.container.conf files
netConfig =
let
attrNamesOrdered = attrs:
if attrs ? type
then [ "type" ] ++ lib.remove "type" (builtins.attrNames attrs)
else builtins.attrNames attrs;
serialize = name: x:
if builtins.isString x
then "${name} = ${x}\n"
else if builtins.isAttrs x
then builtins.concatStringsSep "" (
map (n: serialize "${name}.${n}" x.${n}) (attrNamesOrdered x)
)
else if builtins.isList x
then
let
enumerate = xs: n:
if xs == []
then []
else [ {
e = builtins.head xs;
i = n;
} ] ++ enumerate (builtins.tail xs) (n + 1);
in
builtins.concatStringsSep "" (
map ({ e, i }: serialize "${name}.${toString i}" e) (enumerate x 0)
)
else throw "Invalid data in lxc net config for ${name}: ${lib.generators.toPretty {} x}";
in
serialize "lxc.net" (
map (netName:
let
ifData = interfaces.${netName};
in {
type = ifData.type;
name = checkIfname netName;
flags = "up";
hwaddr = if ifData ? hwaddr && ifData.hwaddr != null
then ifData.hwaddr
else "0A:14:48:xx:xx:xx";
} // (lib.optionalAttrs (ifData.type == "veth") {
veth.pair = checkIfname "${shortenNetName hostName}-${shortenNetName netName}";
veth.mode = checkIfname "bridge";
link = checkIfname netName;
}) // (lib.optionalAttrs (ifData.type == "phys") {
link = checkIfname "ext-${netName}";
})
) (builtins.attrNames interfaces)
);
in
{
system.build.lxcConfig = builtins.toFile "${hostName}.conf" ''
# For lxcfs and sane defaults
lxc.include = /etc/lxc/common.conf
lxc.uts.name = ${hostName}
# Handled by lxc@.service
lxc.start.auto = 0
lxc.rootfs.path = /var/lib/lxc/${hostName}/rootfs
lxc.init.cmd = "/init"
lxc.mount.entry = /nix/store nix/store none bind,ro 0 0
lxc.mount.entry = none tmp tmpfs defaults 0 0
lxc.mount.auto = proc:mixed sys:ro cgroup:mixed
lxc.autodev = 1
lxc.tty.max = 0
lxc.pty.max = 8
lxc.cap.drop = sys_module sys_time sys_nice sys_pacct sys_rawio
security.privileged = false
lxc.apparmor.profile = lxc-container-default-with-mounting
lxc.cgroup.memory.limit_in_bytes = 1G
lxc.cgroup.memory.kmem.tcp.limit_in_bytes = 128M
# tuntap
lxc.cgroup.devices.allow = c 10:200 rw
lxc.cgroup2.devices.allow = c 10:200 rw
# ppp
lxc.cgroup.devices.allow = c 108:0 rwm
lxc.cgroup2.devices.allow = c 108:0 rwm
${netConfig}
'';
}


@ -1,4 +1,4 @@
{ hostName, config, lib, pkgs, ... }:
{ hostName, config, lib, ... }:
let
hostConf = config.site.hosts.${hostName};
@ -98,25 +98,12 @@ in
${lib.optionalString (staticIpv4Address != null) ''
# Allow connections to ${staticIpv4Address} from other hosts behind NAT
${lib.concatMapStrings (fwd: let
m = builtins.match "([0-9.]+):([0-9-]+)" fwd.destination;
destinationIP = if m == null then throw "bad ip:ports `${fwd.destination}'" else lib.elemAt m 0;
destinationPorts = if m == null then throw "bad ip:ports `${fwd.destination}'" else builtins.replaceStrings ["-"] [":"] (lib.elemAt m 1);
in ''
iptables -t nat -A nixos-nat-pre \
${lib.concatMapStrings (fwd: ''
iptables -t nat -t nat -A nixos-nat-pre \
-d ${staticIpv4Address} -p ${fwd.proto} \
--dport ${builtins.toString fwd.sourcePort} \
-j DNAT --to-destination ${fwd.destination}
iptables -t nat -A nixos-nat-post \
-d ${destinationIP} -p ${fwd.proto} \
--dport ${destinationPorts} \
-s 172.20.72.0/21 -j MASQUERADE
iptables -t nat -A nixos-nat-post \
-d ${destinationIP} -p ${fwd.proto} \
--dport ${destinationPorts} \
-s ${config.site.net.c3d2.subnet4} -j MASQUERADE
'') config.networking.nat.forwardPorts}
'') config.networking.nat.forwardPorts}
''}
# Do not NAT our public IPv4 addresses
@ -139,10 +126,6 @@ in
-j RETURN
'') upstreamInterfaces.${net}.upstream.noNat.subnets6
) (builtins.attrNames upstreamInterfaces)}
# There just have been moments without a complete ruleset. Flush
# out invalid conntrack states!
${pkgs.conntrack-tools}/bin/conntrack -F
'';
extraStopCommands = ''
iptables -F FORWARD 2>/dev/null || true
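Review bot: `iptables -t nat -t nat -A nixos-nat-pre \` repeats the table flag; `iptables -t nat -A nixos-nat-pre \` is what is meant. The comment `# Allow connections to ${staticIpv4Address} from other hosts behind NAT` promises hairpin NAT, but the new side only emits the DNAT rule in `nixos-nat-pre`; without a matching SNAT/MASQUERADE in `nixos-nat-post` for internal sources, the forwarded host answers the internal client directly and the connection fails, so either the comment or the rule set should change. The `extraCommands` string starts outside the hunk.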


@ -1,13 +1,13 @@
# Pulls together NixOS configuration modules according to the
# name/role of the host to be built.
{ hostName, lib, ... }:
{ hostName, config, lib, ... }:
let
inherit (lib) optionals;
hostConfig = lib.config.site.hosts.${hostName};
in {
inherit (lib.config) site;
site = lib.config.site;
imports = [
../lib/config/options.nix
@ -20,7 +20,6 @@ in {
./server/default.nix
] ++
optionals (hostConfig.role == "container") [
./container/lxc-config.nix
./container/defaults.nix
./container/dhcp-server.nix
./container/wireguard.nix
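Review bot: `config` is added to the argument list, but the visible body still reads everything through `lib.config.site` (`hostConfig = lib.config.site.hosts.${hostName};` and `site = lib.config.site;`), so the new parameter appears unused in what is shown. If it is read further down the file, fine; otherwise drop it so the argument list states exactly what the module depends on. The `imports` list continues outside the hunk.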


@ -44,8 +44,6 @@
bridge-utils
conntrack-tools
dhcpcd
dhcpdump
dig
ethtool
git
iftop
@ -58,7 +56,6 @@
screen
speedtest-cli
tcpdump
tmux
traceroute
vim
wget
@ -66,25 +63,6 @@
networking.hostName = hostName;
programs = {
fzf.keybindings = true;
git = {
enable = true;
config = {
alias = {
co = "checkout";
lg = "log --graph --abbrev-commit --decorate --format=format:'%C(bold blue)%h%C(reset) - %C(bold green)(%ar)%C(reset) %C(white)%s%C(reset) %C(dim white)- %an%C(reset)%C(bold y
ow)%d%C(reset)'";
remote = "remote -v";
st = "status";
undo = "reset --soft HEAD^";
};
pull.rebase = true;
rebase.autoStash = true;
};
};
};
users.users.root.initialHashedPassword = "";
system.stateVersion = "20.09";


@ -1,18 +1,11 @@
{ hostName, config, lib, ... }:
let
hostConfig = config.site.hosts.${hostName};
in {
networking.firewall = lib.mkIf hostConfig.firewall.enable {
lib.mkIf config.site.hosts.${hostName}.firewall.enable {
networking.firewall = {
enable = true;
extraCommands = ''
${lib.optionalString hostConfig.isRouter ''
ip46tables -I nixos-fw -p ospfigp -j ACCEPT
''}
ip46tables -A FORWARD -i core -m state --state ESTABLISHED,RELATED -j ACCEPT
ip46tables -A FORWARD -i core -j REJECT
ip46tables -A FORWARD -i core -j REJECT --reject-with net-unreach
'';
extraStopCommands = ''
ip46tables -F FORWARD


@ -8,20 +8,14 @@
time.timeZone = "Europe/Berlin";
environment.systemPackages = with pkgs; [
git
inetutils # telnet
wget vim git screen
ipmitool
liboping # noping
screen
vim
wget
];
services.openssh = {
enable = true;
settings.PermitRootLogin = "prohibit-password";
};
services.openssh.enable = true;
services.openssh.settings.PermitRootLogin = "prohibit-password";
# additional config for bare metal
services.collectd.plugins.ipmi = "";
services.collectd = {
plugins.ipmi = "";
};
}
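Review bot: The two `services.openssh.*` settings are written as flattened dotted paths while `services.collectd = { plugins.ipmi = ""; };` nests a single attribute in braces; picking one form, e.g. `services.openssh = { enable = true; settings.PermitRootLogin = "prohibit-password"; };`, keeps the file consistent. `"prohibit-password"` keeps password authentication for root off, which is the right default for a bare-metal host reachable over the network. The package list above mixes one name per line with several names on one line; one convention makes diffs easier to read.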


@ -10,6 +10,74 @@ let
enabled = containers != {};
# linux iface name max length = 15
shortenNetName = name:
if builtins.match "priv(.*)" name != null
then "p" + builtins.substring 4 9 name
else if name == "coloradio"
then "cr"
else if name == "coloradio-gw"
then "cr-gw"
else name;
checkIfname = ifname: let
len = builtins.stringLength ifname;
in if len > 15
then throw "Interface name ${ifname} is ${toString (len - 15)} chars too long."
else ifname;
# `lxc.net.*` formatter for lxc.container.conf files
netConfig = ctName: interfaces:
let
config = map (netName:
let
ifData = interfaces.${netName};
in {
type = ifData.type;
name = checkIfname netName;
flags = "up";
hwaddr = if ifData ? hwaddr && ifData.hwaddr != null
then ifData.hwaddr
else "0A:14:48:xx:xx:xx";
} // (lib.optionalAttrs (ifData.type == "veth") {
veth.pair = checkIfname "${shortenNetName ctName}-${shortenNetName netName}";
veth.mode = checkIfname "bridge";
link = checkIfname netName;
}) // (lib.optionalAttrs (ifData.type == "phys") {
link = checkIfname "ext-${netName}";
})
) (builtins.attrNames interfaces);
attrNamesOrdered = attrs:
if attrs ? type
then [ "type" ] ++ lib.remove "type" (builtins.attrNames attrs)
else builtins.attrNames attrs;
serialize = name: x:
if builtins.isString x
then "${name} = ${x}\n"
else if builtins.isAttrs x
then builtins.concatStringsSep "" (
map (n: serialize "${name}.${n}" x.${n}) (attrNamesOrdered x)
)
else if builtins.isList x
then
let
enumerate = xs: n:
if xs == []
then []
else [ {
e = builtins.head xs;
i = n;
} ] ++ enumerate (builtins.tail xs) (n + 1);
in
builtins.concatStringsSep "" (
map ({ e, i }: serialize "${name}.${toString i}" e) (enumerate x 0)
)
else throw "Invalid data in lxc net config for ${name}: ${lib.generators.toPretty {} x}";
in
serialize "lxc.net" config;
# User-facing script to build/update container NixOS systems
build-script = pkgs.writeScriptBin "build-container" ''
#! ${pkgs.runtimeShell} -e
@ -30,7 +98,6 @@ let
${ctName})
echo Using prebuilt system for container $c
SYSTEM=${self.packages.x86_64-linux."${ctName}-rootfs"}
CONFIG=${self.packages.x86_64-linux."${ctName}-lxc-config"}
;;
'') (
builtins.attrNames (
@ -42,8 +109,6 @@ let
echo Building $c
nix build -o /nix/var/nix/gcroots/lxc/$c zentralwerk-network#$c-rootfs
SYSTEM=$(readlink /nix/var/nix/gcroots/lxc/$c)
nix build -o /nix/var/nix/gcroots/lxc/$c.config zentralwerk-network#$c-lxc-config
CONFIG=$(readlink /nix/var/nix/gcroots/lxc/$c.config)
;;
esac
@ -56,7 +121,6 @@ let
mkdir -p /var/lib/lxc/$c/rootfs/$d
done
ln -fs $SYSTEM/init /var/lib/lxc/$c/rootfs/init
ln -fs $CONFIG /var/lib/lxc/$c/config
done
# Activate all the desired container after all of them are
@ -102,8 +166,10 @@ in
virtualisation.lxc = lib.mkIf enabled {
enable = true;
# Container configs live in /etc so that they can be created
# through `environment.etc`.
systemConfig = ''
lxc.lxcpath = /var/lib/lxc
lxc.lxcpath = /etc/lxc/containers
'';
};
@ -114,7 +180,50 @@ in
enable-script disable-script
];
environment.etc."lxc/common.conf".source = "${pkgs.lxc}/share/lxc/config/common.conf";
# Create lxc.container.conf files
environment.etc =
builtins.foldl' (etc: ctName: etc // {
"lxc/containers/${ctName}/config" = {
enable = true;
source =
builtins.toFile "${ctName}.conf" ''
# For lxcfs and sane defaults
lxc.include = /etc/lxc/common.conf
lxc.uts.name = ${ctName}
# Handled by lxc@.service
lxc.start.auto = 0
lxc.rootfs.path = /var/lib/lxc/${ctName}/rootfs
lxc.init.cmd = "/init"
lxc.mount.entry = /nix/store nix/store none bind,ro 0 0
lxc.mount.entry = none tmp tmpfs defaults 0 0
lxc,mount.auto = proc:mixed sys:ro cgroup:mixed
lxc.autodev = 1
lxc.tty.max = 0
lxc.pty.max = 8
lxc.cap.drop = sys_module sys_time sys_nice sys_pacct sys_rawio
security.privileged = false
lxc.apparmor.profile = lxc-container-default-with-mounting
lxc.cgroup.memory.limit_in_bytes = 1G
lxc.cgroup.memory.kmem.tcp.limit_in_bytes = 128M
# tuntap
lxc.cgroup.devices.allow = c 10:200 rw
lxc.cgroup2.devices.allow = c 10:200 rw
# ppp
lxc.cgroup.devices.allow = c 108:0 rwm
lxc.cgroup2.devices.allow = c 108:0 rwm
${netConfig ctName containers.${ctName}.physicalInterfaces}
'';
};
}) {
"lxc/common.conf".source = "${pkgs.lxc}/share/lxc/config/common.conf";
} (builtins.attrNames containers);
# Systemd service template for LXC containers
systemd.services."lxc@" = {
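Review bot: `lxc,mount.auto = proc:mixed sys:ro cgroup:mixed` in the generated container config has a comma where the key needs a dot, and `security.privileged = false` two lines below is an LXD key, not an lxc.container.conf one; as far as I recall lxc's config parser rejects unknown keys, so the generated `/etc/lxc/containers/<name>/config` is likely refused at start, and even if a tolerant version accepted them the `mount.auto` setting and the unprivileged intent would silently not apply. Fix the key to `lxc.mount.auto = proc:mixed sys:ro cgroup:mixed` and drop `security.privileged` (an unprivileged container in plain lxc is expressed through `lxc.idmap` entries). The memory caps also exist only in cgroup-v1 form (`lxc.cgroup.memory.limit_in_bytes`, `lxc.cgroup.memory.kmem.tcp.limit_in_bytes`) while the device allowances are duplicated for cgroup2, so on a unified-hierarchy host the 1G limit is not enforced; add `lxc.cgroup2.memory.max = 1G` alongside. The `builtins.foldl'` producing `environment.etc` is complete in this hunk, but the module it belongs to continues outside it.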


@ -114,7 +114,5 @@ in
networkConfig.Bridge = net;
};
}) {} ctNets;
wait-online.anyInterface = true;
};
}


@ -39,6 +39,7 @@
};
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.device = "/dev/sda";
networking.hostName = "server2"; # Define your hostname.


@ -7,14 +7,11 @@ let
inherit (pkgs) lib;
export-openwrt-models = pkgs.writeText "openwrt-models.nix" (
lib.generators.toPretty {} self.lib.openwrtModels
nixpkgs.lib.generators.toPretty {} self.lib.openwrtModels
);
export-config = pkgs.writeText "config.nix" (
lib.generators.toPretty {} (
lib.recursiveUpdate
config
{ site.dns.localZones = self.lib.dns.localZones; }
));
nixpkgs.lib.generators.toPretty {} (lib.filterAttrsRecursive (n: v: n != "net-combined") config)
);
encrypt-secrets = pkgs.writeScriptBin "encrypt-secrets" ''
#! ${pkgs.runtimeShell} -e
@ -55,20 +52,7 @@ let
"${hostName}-rootfs" = mkRootfs hostName;
}) {} (
builtins.attrNames (
lib.filterAttrs (_: { role, ... }: builtins.elem role ["server" "container"])
config.site.hosts
)
);
mkLxcConfig = hostName:
self.nixosConfigurations.${hostName}.config.system.build.lxcConfig;
lxc-configs =
builtins.foldl' (rootfs: hostName: rootfs // {
"${hostName}-lxc-config" = mkLxcConfig hostName;
}) {} (
builtins.attrNames (
lib.filterAttrs (_: { role, ... }: role == "container")
nixpkgs.lib.filterAttrs (_: { role, ... }: builtins.elem role ["server" "container"])
config.site.hosts
)
);
@ -81,7 +65,7 @@ let
});
}) {} (
builtins.attrNames (
lib.filterAttrs (_: { role, ... }: role == "server")
nixpkgs.lib.filterAttrs (_: { role, ... }: role == "server")
config.site.hosts
)
);
@ -95,7 +79,7 @@ let
"${hostName}-image" = openwrt.buildImage hostName;
}) {} (
builtins.attrNames (
lib.filterAttrs (_: { role, ... }:
nixpkgs.lib.filterAttrs (_: { role, ... }:
role == "ap"
) config.site.hosts
)
@ -133,7 +117,7 @@ let
inherit self;
};
in
rootfs-packages // lxc-configs // vm-packages // device-templates // openwrt-packages // network-graphs // network-cypher-graphs // starlink // subnetplans // {
rootfs-packages // vm-packages // device-templates // openwrt-packages // network-graphs // network-cypher-graphs // starlink // subnetplans // {
inherit export-openwrt-models export-config dns-slaves
encrypt-secrets decrypt-secrets switch-to-production
homepage gateway-report switch-report vlan-report
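Review bot: `export-config` serialises the whole evaluated `config` into a store path via `pkgs.writeText "config.nix"`, so everything under `config.site` — including per-host secrets such as the `hostConfig.password` that the junos generator elsewhere in this compare interpolates — ends up world-readable under /nix/store on every machine that builds the package, and `filterAttrsRecursive (n: v: n != "net-combined")` strips only one attribute. If the export is meant for the homepage or other hosts, filter secret-bearing attributes explicitly, e.g. `lib.filterAttrsRecursive (n: _: ! builtins.elem n [ "net-combined" "password" ]) config` extended with whatever other secret keys `site` defines, or export a dedicated sanitized subset. The rendered hunk does not make clear which `export-config` form is the new one, so the point applies to either; the `let` block continues outside the hunk.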


@ -13,7 +13,7 @@ let
export-config
gateway-report network-graphs
subnetplans switch-report vlan-report;
in
stdenv.mkDerivation {
pname = "zentralwerk-network-homepage";
@ -65,7 +65,6 @@ stdenv.mkDerivation {
ln -s ${network-graphs}/share/doc/zentralwerk/* $DIR/
ln -s ${../../../doc/core.png} $DIR/core.png
ln -s ${./security.txt} $DIR/security.txt
cp *.{html,css,png,svg} $DIR/
mkdir -p $out/nix-support


@ -1,3 +0,0 @@
Contact: mailto:astro@spaceboyz.net
Preferred-Languages: en, de
Hiring: https://www.c3d2.de/space.html


@ -7,17 +7,17 @@ let
modelPackages = {
"tplink_archer-c7-v2" = [
"-kmod-ath10k-ct" "-ath10k-firmware-qca988x-ct-full-htt" "-ath10k-firmware-qca988x-ct"
"kmod-ath10k" "ath10k-firmware-qca988x"
];
"tplink_archer-c7-v5" = [
"-kmod-ath10k-ct" "-ath10k-firmware-qca988x-ct" "-ath10k-firmware-qca988x-ct-full-htt"
"kmod-ath10k" "ath10k-firmware-qca988x"
];
"ubnt_unifiac-lite" = [
"-kmod-ath10k-ct" "-ath10k-firmware-qca988x-ct"
"kmod-ath10k" "ath10k-firmware-qca988x"
];
"tplink_archer-c7-v5" = [
"-kmod-ath10k-ct" "-ath10k-firmware-qca988x-ct"
"kmod-ath10k" "ath10k-firmware-qca988x"
];
# "ubnt_unifiac-lite" = [
# "-kmod-ath10k-ct" "-ath10k-firmware-qca988x-ct"
# "kmod-ath10k" "ath10k-firmware-qca988x"
# ];
"ubnt_unifiac-mesh" = [
"-kmod-ath10k-ct" "-ath10k-firmware-qca988x-ct"
"kmod-ath10k" "ath10k-firmware-qca988x"
@ -70,10 +70,10 @@ in rec {
target = "ar71xx";
variant = "tiny";
profile = model;
sha256 = "sha256-P7BJI6n6s53szYXKshnJRKL2fLIYgJLPiq/yd0oRKoE=";
sha256 = "109a2557gwmgib7r500qn9ygd8j4r4cv5jl5rpn9vczsm4ilkc1z";
feedsSha256 = {
base.sha256 = "sha256-IbND2snJ1UrDRhvGQIRxzGuSpftQ+AyiWqaVZqbGdHY=";
packages.sha256 = "sha256-18UvzdUL98CranBtzAY7hoUlEvafUdssAQOuqDQi4BU=";
base.sha256 = "0xklqsk6d5d6bai0ry2hzfjr4sycf6241ihv8v1lmmf9r7d47cr1";
packages.sha256 = "05g048saibh304ndnlczyq92b1c67c3cqvbhdamw1xqbsp6jzifp";
};
}
else null;
@ -83,26 +83,22 @@ in rec {
extraImageName = "zw-${hostName}";
packages = [
# remove unused default .ipk
"-dnsmasq" "-firewall" "-firewall4"
"-dnsmasq" "-firewall"
"-ppp" "-ppp-mod-pppoe" "-kmod-ppp" "-kmod-pppoe" "-kmod-pppox"
"-iptables" "-ip6tables" "-kmod-ipt-offload"
"-odhcp6c" "-odhcpd-ipv6only"
"-wpad-basic-mbedtls"
# monitoring
"collectd"
"collectd-mod-iwinfo" "collectd-mod-network"
"collectd-mod-interface" "collectd-mod-load" "collectd-mod-cpu"
"collectd-mod-exec"
] ++ (
if args.variant != "tiny"
then [
# debugging
"htop"
"tcpdump"
# wpa3
"-wpad-basic-wolfssl" "-wpad-mini"
"wpad-openssl"
"usteer"
] else [
# debugging
"tcpdump-mini"
@ -119,10 +115,6 @@ in rec {
cat > $out/etc/uci-defaults/99-zentralwerk <<EOF
${uciConfig hostName}
EOF
mkdir -p $out/usr/{bin,sbin}
cp ${./usteer-info.sh} $out/usr/sbin/usteer-info.sh
cp ${./usteer-stats.sh} $out/usr/bin/usteer-stats.sh
chmod +x $out/usr/bin/*.sh $out/usr/sbin/*.sh
'';
});


@ -18,21 +18,8 @@ let
# ours don't come with a switch.
then false
else
openwrtModel ? ports
&&
any ({ switch ? null, ... }: switch != null)
(builtins.attrValues openwrtModel.ports);
hasDSA = (
all ({ switch ? null, ... }:
switch == null
) (builtins.attrValues openwrtModel.ports or {})
&&
any ({ port ? null, interface ? null, ... }:
port != null &&
interface != null &&
port == interface
) (builtins.attrValues openwrtModel.ports or {})
) || hostConfig.model == "ubnt_unifi-usg";
portsDoc =
let
@ -112,20 +99,6 @@ let
)
);
dsaPorts = net:
unique (
concatMap ({ ports, ... }: ports) (
builtins.filter ({ nets, ... }: builtins.elem net nets)
(builtins.attrValues hostConfig.links)
));
dsaPortType = net: port:
if any ({ ports, trunk, ... }: trunk && builtins.elem port ports) (
builtins.attrValues hostConfig.links
) || hostConfig.links.${net}.trunk or true
then "t"
else "u*";
networkInterfaces = net:
let
inherit (config.site.net.${net}) vlan;
@ -159,16 +132,6 @@ let
)
);
mgmtInterface =
if hasDSA
then "br0.${toString config.site.net.mgmt.vlan}"
else
let
mgmtInterfaces = networkInterfaces "mgmt";
in if builtins.length mgmtInterfaces == 1
then builtins.head mgmtInterfaces
else "br-mgmt";
in
''
# Set root password
@ -188,8 +151,8 @@ in
uci set system.@system[0].log_ip=${config.site.net.mgmt.hosts4.logging}
uci set system.@system[0].log_proto=udp
# Switch config
${optionalString hasSwitch ''
# Switch config
# Ports ${portsDoc}
${concatMapStrings (net: ''
uci add network switch_vlan
@ -198,42 +161,7 @@ in
uci set network.@switch_vlan[-1].vlan='${toString config.site.net.${net}.vlan}'
uci set network.@switch_vlan[-1].ports='${switchPortsConfig net}'
uci set network.@switch_vlan[-1].comment='${net}'
'') (
sort (net1: net2:
config.site.net.${net1}.vlan < config.site.net.${net2}.vlan
) (
unique (
builtins.concatMap ({ nets, ... }: nets)
(builtins.attrValues hostConfig.links)
)
)
)}
''}
${optionalString hasDSA ''
# DSA
${uciDeleteAll "network.@device"}
uci add network device
uci set network.@device[-1].name='br0'
uci set network.@device[-1].type='bridge'
${concatMapStrings (port: ''
uci add_list network.@device[-1].ports='${port}'
'') (
unique (
builtins.concatMap ({ ports, ... }: ports)
(builtins.attrValues hostConfig.links)
)
)}
uci set network.br0='interface'
uci set network.br0.proto='none'
uci set network.br0.device='br0'
${concatMapStrings (net: ''
uci add network bridge-vlan
uci set network.@bridge-vlan[-1].device='br0'
uci set network.@bridge-vlan[-1].vlan='${toString config.site.net.${net}.vlan}'
${concatMapStrings (port: ''
uci add_list network.@bridge-vlan[-1].ports='${port}:${dsaPortType net port}'
'') (dsaPorts net)}
'') (
sort (net1: net2:
config.site.net.${net1}.vlan < config.site.net.${net2}.vlan
@ -248,16 +176,11 @@ in
# mgmt network
uci set network.mgmt=interface
${if hasDSA
then ''
uci set network.mgmt.device='br0.${toString config.site.net.mgmt.vlan}'
'' else ''
uci set network.mgmt.ifname='${
if builtins.length (networkInterfaces "mgmt") > 0
then concatStringsSep " " (networkInterfaces "mgmt")
else throw "${hostName}: No interface for mgmt"
}'
''}
uci set network.mgmt.ifname='${
if builtins.length (networkInterfaces "mgmt") > 0
then concatStringsSep " " (networkInterfaces "mgmt")
else throw "${hostName}: No interface for mgmt"
}'
uci set network.mgmt.proto=static
${optionalString (hostConfig.interfaces.mgmt.type == "bridge") ''
uci set network.mgmt.type=bridge
@ -287,17 +210,9 @@ in
uci set network.${net}=interface
${optionalString (iface.type == "bridge") ''
uci set network.${net}.type=bridge
uci add network device
uci set network.@device[-1].name='${net}'
uci set network.@device[-1].type='bridge'
''}
uci set network.${net}.proto=static
${if hasDSA
then ''
uci set network.${net}.device='br0.${toString config.site.net.${net}.vlan}'
'' else ''
uci set network.${net}.ifname='${concatStringsSep " " (networkInterfaces net)}'
''}
uci set network.${net}.ifname='${concatStringsSep " " (networkInterfaces net)}'
${optionalString (config.site.net.${net}.mtu != null) ''
uci set network.${net}.mtu=${toString config.site.net.${net}.mtu}
''}
@ -329,7 +244,6 @@ in
'') (builtins.attrNames hostConfig.interfaces)
}
${uciDeleteAll "wireless.radio"}
uci -q delete wireless.default_radio0 || true
uci -q delete wireless.default_radio1 || true
${concatStrings (imap0 (index: path:
@ -342,7 +256,6 @@ in
uci set wireless.radio${toString index}=wifi-device
uci set wireless.radio${toString index}.type=mac80211
uci set wireless.radio${toString index}.country=DE
uci set wireless.radio${toString index}.band=${radioConfig.band}
uci set wireless.radio${toString index}.channel=${toString radioConfig.channel}
uci set wireless.radio${toString index}.path=${path}
uci set wireless.radio${toString index}.htmode=${radioConfig.htmode}
@ -352,7 +265,6 @@ in
${concatMapStrings (ssid:
let
ssidConfig = radioConfig.ssids.${ssid};
netConfig = config.site.net.${ssidConfig.net};
# mapping our option to openwrt/hostapd setting
encryption = {
@ -367,11 +279,6 @@ in
then ssidConfig.ifname
else "${ifPrefix}-${ssidConfig.net}";
pad = len: prefix: s:
if builtins.stringLength s < len
then pad len prefix "${prefix}${s}"
else s;
in ''
uci add wireless wifi-iface
uci set wireless.@wifi-iface[-1].ifname=${ifname}
@ -380,7 +287,6 @@ in
uci set wireless.@wifi-iface[-1].mode=${ssidConfig.mode}
uci set wireless.@wifi-iface[-1].network=${ssidConfig.net}
uci set wireless.@wifi-iface[-1].mcast_rate=18000
uci set wireless.@wifi-iface[-1].hidden=${if ssidConfig.hidden then "1" else "0"}
uci set wireless.@wifi-iface[-1].encryption='${encryption}'
${if (ssidConfig.psk != null)
then ''
@ -389,59 +295,10 @@ in
else ''
uci -q delete wireless.@wifi-iface[-1].key || true
''}
${lib.optionalString (!ssidConfig.disassocLowAck) ''
uci set wireless.@wifi-iface[-1].disassoc_low_ack='0'
''}
${lib.optionalString (netConfig.wifi.ieee80211rKey != null) ''
# for usteerd
# see https://www.libe.net/en-wlan-roaming#client-steering
# https://openwrt.org/docs/guide-user/network/wifi/usteer#configure_80211k_and_80211v_on_all_ap-nodes
uci set wireless.@wifi-iface[-1].bss_transition=1
uci set wireless.@wifi-iface[-1].wnm_sleep_mode=1
uci set wireless.@wifi-iface[-1].time_advertisement=2
uci set wireless.@wifi-iface[-1].time_zone=GMT0
uci set wireless.@wifi-iface[-1].ieee80211k=1
uci set wireless.@wifi-iface[-1].rrm_neighbor_report=1
uci set wireless.@wifi-iface[-1].rrm_beacon_report=1
# breaks Apple devices connecting to wifi when used together with wpa2/wpa3 mixed mode (sae-mixed)
# uci set wireless.@wifi-iface[-1].ieee80211r=1
# when unset derived from interface MAC
uci set wireless.@wifi-iface[-1].nasid=${pad 12 "0" (toString ((lib.toInt (lib.removePrefix "ap" hostName)) * 65536 + index))}
# when unset derived from the first 4 chars of the md5 hashed SSID
uci set wireless.@wifi-iface[-1].mobility_domain=${pad 4 "0" (lib.toHexString (49920 + netConfig.vlan))}
# https://github.com/openwrt/openwrt/issues/7907
# https://github.com/openwrt/openwrt/commit/2984a0420649733662ff95b0aff720b8c2c19f8a
uci set wireless.@wifi-iface[-1].ft_over_ds=0
# as recommend in 7907 and seems to fairly often trigger while testing
uci set wireless.@wifi-iface[-1].reassociation_deadline=20000
# might be unused if ft_over_ds is not used
uci set wireless.@wifi-iface[-1].ft_bridge=${mgmtInterface}
# otherwise the r0kh/r1kh options below are not applied
uci set wireless.@wifi-iface[-1].ft_psk_generate_local=0
# do not just rely on the monility domain for increased security
# https://forum.openwrt.org/t/802-11r-fast-transition-how-to-understand-that-ft-works/110920/81
uci set wireless.@wifi-iface[-1].r0kh=ff:ff:ff:ff:ff:ff,\*,${netConfig.wifi.ieee80211rKey}
uci set wireless.@wifi-iface[-1].r1kh=00:00:00:00:00:00,00:00:00:00:00:00,${netConfig.wifi.ieee80211rKey}
uci set wireless.@wifi-iface[-1].pmk_r1_push=1
''}
''
) (builtins.attrNames radioConfig.ssids)}
'') (builtins.attrNames hostConfig.wifi))}
uci set usteer.@usteer[0].network=mgmt
uci set usteer.@usteer[0].load_kick_enabled=1
uci set usteer.@usteer[0].load_kick_threshold=67
uci set usteer.@usteer[0].signal_diff_threshold=15
uci set usteer.@usteer[0].load_balancing_threshold=8
uci set usteer.@usteer[0].band_steering_threshold=16
uci commit
# Add hotfixes for MTU settings
@ -463,7 +320,6 @@ in
# the gateways is reachable
cat >/etc/crontabs/root <<__CRON__
* * * * * /usr/sbin/wifi-on-link.sh
* * * * * /usr/sbin/usteer-info.sh
__CRON__
cat >/usr/sbin/wifi-on-link.sh <<__SH__
#!/bin/sh
@ -510,16 +366,11 @@ in
LoadPlugin interface
LoadPlugin iwinfo
LoadPlugin network
LoadPlugin exec
<Plugin network>
Server "${config.site.net.serv.hosts6.dn42.stats}" "25826"
</Plugin>
<Plugin exec>
Exec "nobody" "/usr/bin/usteer-stats.sh"
</Plugin>
COLLECTD
''}
chmod +x /usr/bin/usteer-stats.sh /usr/sbin/usteer-info.sh
for svc in dnsmasq uhttpd ; do
rm -f /etc/rc.d/*\$svc


@ -1,3 +0,0 @@
#! /bin/sh
[ -p /tmp/usteer-info ] || exit 0
exec /bin/ubus call usteer local_info > /tmp/usteer-info


@ -1,32 +0,0 @@
#! /bin/sh
HOSTNAME=`cat /proc/sys/kernel/hostname`
INTERVAL=60
[ -p /tmp/usteer-info ] || mkfifo /tmp/usteer-info
while true; do
if [ ! -p /tmp/usteer-info ]; then
echo "/tmp/usteer-info went missing!"
exit 1
fi
DATA="$(cat /tmp/usteer-info)"
cd /sys/class/net
for iface in wlan*; do
eval $( echo "$DATA" | jsonfilter \
-e 'LOAD=@["hostapd.'$iface'"].load' \
-e 'NOISE=@["hostapd.'$iface'"].noise' \
-e 'N_ASSOC=@["hostapd.'$iface'"].n_assoc' \
-e 'FREQ=@["hostapd.'$iface'"].freq' \
-e 'ROAM_SOURCE=@["hostapd.'$iface'"].roam_events.source' \
-e 'ROAM_TARGET=@["hostapd.'$iface'"].roam_events.target'
)
echo "PUTVAL \"$HOSTNAME/usteer_local_info-$iface/stations-load\" interval=$INTERVAL N:$LOAD"
echo "PUTVAL \"$HOSTNAME/usteer_local_info-$iface/signal_noise-noise\" interval=$INTERVAL N:$NOISE"
echo "PUTVAL \"$HOSTNAME/usteer_local_info-$iface/stations-n_assoc\" interval=$INTERVAL N:$N_ASSOC"
echo "PUTVAL \"$HOSTNAME/usteer_local_info-$iface/frequency-freq\" interval=$INTERVAL N:$FREQ"
echo "PUTVAL \"$HOSTNAME/usteer_local_info-$iface/transitions-roam_source\" interval=$INTERVAL N:$ROAM_SOURCE"
echo "PUTVAL \"$HOSTNAME/usteer_local_info-$iface/transitions-roam_target\" interval=$INTERVAL N:$ROAM_TARGET"
done
done


@ -60,11 +60,7 @@ exit 1 if collisions > 0
GROUP_PREFIX = 19
groups = {}
nets.each do |net|
if net.addr.prefix > GROUP_PREFIX
group = net.addr.supernet(GROUP_PREFIX).to_s
else
group = net.addr.to_s
end
group = net.addr.supernet(GROUP_PREFIX).to_s
(groups[group] ||= []) << net
end
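Review bot: The new `group = net.addr.supernet(GROUP_PREFIX).to_s` drops the `net.addr.prefix > GROUP_PREFIX` guard; if `net.addr` is an `ipaddress`-gem object, `supernet` raises `ArgumentError` when the requested prefix is not smaller than the network's own, so a /19 or shorter net would now abort the script where the removed branch grouped it under its own address. If such nets can occur in `nets`, keep the guard as a one-liner: `group = net.addr.prefix > GROUP_PREFIX ? net.addr.supernet(GROUP_PREFIX).to_s : net.addr.to_s`. The surrounding script, including where `nets` and `net.addr` come from, is outside the hunk.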


@ -9,7 +9,7 @@ let
host-name ${hostName};
time-zone Europe/Berlin;
root-authentication {
encrypted-password "%%HASH%%"; ## SECRET-DATA
encrypted-password "$5$EBmFELmv$kQxtWwS0SBS.TqVPRvs8sKpH./l9DTtTxX/I2FJB2n2"; ## SECRET-DATA
ssh-ed25519 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHGgoLzQMeyX1wjsX/hgVkN//zyfOQPiBRYgO2ajEGH6 root@server2";
}
services {
@ -114,9 +114,13 @@ let
'';
configFileWithHash = runCommand "junos.config" {
nativeBuildInputs = [ mkpasswd ];
nativeBuildInputs = [ python3 ];
} ''
HASH=$(echo "${hostConfig.password}" | mkpasswd --method=SHA-512 --stdin)
cat >gen.py<<EOF
import crypt
print(crypt.crypt('${hostConfig.password}', crypt.mksalt(crypt.METHOD_SHA256)))
EOF
HASH=$(python gen.py)
substitute ${configFile} $out \
--replace "%%HASH%%" "$HASH"
'';
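Review bot: Both generator variants interpolate the plaintext device password into the build script at evaluation time (`echo "${hostConfig.password}" | mkpasswd ...` and `crypt.crypt('${hostConfig.password}', ...)`), so the secret lands verbatim in the `.drv` and builder script under /nix/store, world-readable on every machine that evaluates the flake, and the Python form additionally breaks on a password containing `'` or `\`. The small fix is to keep the password out of the script text by passing it as a derivation attribute (`password = hostConfig.password;` next to `nativeBuildInputs`) and reading `os.environ["password"]` in gen.py — still in the store, but without the quoting hazard; the real fix is to keep only a precomputed hash in site config and substitute that. Note also that Python's `crypt` module is deprecated since 3.11 and removed in 3.13, so gen.py has a limited lifetime, and if the literal `$5$...` line is the side that survives in `configFile`, the `%%HASH%%` substitution is a no-op and the hash is committed to the repo. The surrounding `let` block starts outside the hunk.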

5985
openwrt/tl-wr841-v10.config Normal file


5849
openwrt/tl-wr841-v11.config Normal file


6002
openwrt/tl-wr841-v8.config Normal file
