summaryrefslogtreecommitdiff
path: root/hosts/vidhar/network
diff options
context:
space:
mode:
authorGregor Kleen <gkleen@yggdrasil.li>2022-03-15 16:37:42 +0100
committerGregor Kleen <gkleen@yggdrasil.li>2022-03-15 16:37:42 +0100
commit366cf64e848eebea98f9d9bb95e623597af74669 (patch)
tree949daf1e7b58ce2370b16663fb535ca10bc46bf1 /hosts/vidhar/network
parent6dd45923b4bba68eb08b9d3ec43dc924734dd8c8 (diff)
downloadnixos-366cf64e848eebea98f9d9bb95e623597af74669.tar
nixos-366cf64e848eebea98f9d9bb95e623597af74669.tar.gz
nixos-366cf64e848eebea98f9d9bb95e623597af74669.tar.bz2
nixos-366cf64e848eebea98f9d9bb95e623597af74669.tar.xz
nixos-366cf64e848eebea98f9d9bb95e623597af74669.zip
vidhar: ddns
Diffstat (limited to 'hosts/vidhar/network')
-rw-r--r--hosts/vidhar/network/default.nix152
-rw-r--r--hosts/vidhar/network/dhcp/default.nix264
-rw-r--r--hosts/vidhar/network/dhcp/knot-tsig.json.frag26
3 files changed, 292 insertions, 150 deletions
diff --git a/hosts/vidhar/network/default.nix b/hosts/vidhar/network/default.nix
index 2d9a7b8f..85ddd4ef 100644
--- a/hosts/vidhar/network/default.nix
+++ b/hosts/vidhar/network/default.nix
@@ -1,6 +1,6 @@
1{ flake, config, lib, pkgs, ... }: 1{ ... }:
2{ 2{
3 imports = [ ./dsl.nix ./bifrost ]; 3 imports = [ ./dsl.nix ./bifrost ./dhcp ];
4 4
5 config = { 5 config = {
6 networking = { 6 networking = {
@@ -53,132 +53,6 @@
53 llmnr = "false"; 53 llmnr = "false";
54 }; 54 };
55 55
56 services.kea = {
57 dhcp4 = {
58 enable = true;
59 settings = {
60 valid-lifetime = 4000;
61 rebind-timer = 2000;
62 renew-timer = 1000;
63
64 interfaces-config = {
65 interfaces = [ "lan" "mgmt" ];
66 };
67
68 lease-database = {
69 name = "/var/lib/kea/dhcp4.leases";
70 persist = true;
71 type = "memfile";
72 };
73
74 client-classes = [
75 { name = "ipxe";
76 test = "option[77].hex == 'iPXE'";
77 next-server = "10.141.0.1";
78 boot-file-name = "netboot.ipxe";
79 only-if-required = true;
80 }
81 { name = "uefi-64";
82 test = "substring(option[60].hex,0,20) == 'PXEClient:Arch:00007' or substring(option[60].hex,0,20) == 'PXEClient:Arch:00008' or substring(option[60].hex,0,20) == 'PXEClient:Arch:00009'";
83 only-if-required = true;
84 option-data = [
85 { name = "tftp-server-name"; data = "10.141.0.1"; }
86 ];
87 boot-file-name = "ipxe.efi";
88 }
89 { name = "uefi-32";
90 test = "substring(option[60].hex,0,20) == 'PXEClient:Arch:00002' or substring(option[60].hex,0,20) == 'PXEClient:Arch:00006'";
91 only-if-required = true;
92 option-data = [
93 { name = "tftp-server-name"; data = "10.141.0.1"; }
94 ];
95 boot-file-name = "i386-ipxe.efi";
96 }
97 { name = "legacy";
98 test = "substring(option[60].hex,0,20) == 'PXEClient:Arch:00000'";
99 only-if-required = true;
100 option-data = [
101 { name = "tftp-server-name"; data = "10.141.0.1"; }
102 ];
103 boot-file-name = "undionly.kpxe";
104 }
105 ];
106
107 subnet4 = [
108 { subnet = "10.141.0.0/24";
109 option-data = [
110 { name = "domain-name-servers";
111 data = "10.141.0.1";
112 }
113 { name = "broadcast-address";
114 data = "10.141.0.255";
115 }
116 { name = "routers";
117 data = "10.141.0.1";
118 }
119 { name = "domain-name";
120 data = "yggdrasil";
121 }
122 ];
123 pools = [ { pool = "10.141.0.128 - 10.141.0.254"; } ];
124 reservations = [];
125 require-client-classes = ["ipxe" "uefi-64" "uefi-32" "legacy"];
126 }
127 { subnet = "10.141.1.0/24";
128 option-data = [
129 { name = "domain-name-servers";
130 data = "10.141.1.1";
131 }
132 { name = "broadcast-address";
133 data = "10.141.1.255";
134 }
135 ];
136 pools = [ { pool = "10.141.1.128 - 10.141.1.254"; } ];
137 reservations = [
138 { hostname = "switch01";
139 hw-address = "60:a4:b7:53:94:b5";
140 ip-address = "10.141.1.2";
141 }
142 { hostname = "ap01";
143 hw-address = "74:ac:b9:29:ad:9a";
144 ip-address = "10.141.1.4";
145 }
146 ];
147 }
148 { subnet = "10.141.2.0/24";
149 option-data = [
150 { name = "domain-name-servers";
151 data = "10.141.2.1";
152 }
153 { name = "broadcast-address";
154 data = "10.141.2.255";
155 }
156 { name = "routers";
157 data = "10.141.2.1";
158 }
159 ];
160 pools = [ { pool = "10.141.2.128 - 10.141.2.254"; } ];
161 reservations = [];
162 }
163 ];
164 };
165 };
166 dhcp6 = {
167 enable = true;
168 settings = {
169 interfaces-config = {
170 interfaces = [ "lan" ];
171 };
172
173 lease-database = {
174 name = "/var/lib/kea/dhcp6.leases";
175 persist = true;
176 type = "memfile";
177 };
178 };
179 };
180 };
181
182 systemd.network.networks = { 56 systemd.network.networks = {
183 "eno1" = { 57 "eno1" = {
184 matchConfig.Name = "eno1"; 58 matchConfig.Name = "eno1";
@@ -191,27 +65,5 @@
191 networkConfig.LinkLocalAddressing = "no"; 65 networkConfig.LinkLocalAddressing = "no";
192 }; 66 };
193 }; 67 };
194
195 systemd.services."installer-atftpd" = {
196 description = "TFTP Server for PXE Booting NixOS Installer";
197 after = [ "network.target" ];
198 wantedBy = [ "multi-user.target" ];
199 serviceConfig.ExecStart = let
200 installerBuild = flake.nixosConfigurations.installer-x86_64-linux-netboot.config.system.build;
201 ipxe = pkgs.ipxe.override {
202 additionalTargets = {
203 "bin-i386-efi/ipxe.efi" = "i386-ipxe.efi";
204 };
205 };
206 tftpRoot = pkgs.runCommandLocal "installer-netboot" {} ''
207 mkdir -p $out
208 install -m 0444 -t $out \
209 ${installerBuild.netbootRamdisk}/initrd \
210 ${installerBuild.kernel}/bzImage \
211 ${installerBuild.netbootIpxeScript}/netboot.ipxe \
212 ${ipxe}/ipxe.efi ${ipxe}/i386-ipxe.efi ${ipxe}/undionly.kpxe
213 '';
214 in "${pkgs.atftp}/sbin/atftpd --daemon --no-fork --bind-address=10.141.0.1 ${tftpRoot}";
215 };
216 }; 68 };
217} 69}
diff --git a/hosts/vidhar/network/dhcp/default.nix b/hosts/vidhar/network/dhcp/default.nix
new file mode 100644
index 00000000..ccc22c7f
--- /dev/null
+++ b/hosts/vidhar/network/dhcp/default.nix
@@ -0,0 +1,264 @@
1{ flake, config, pkgs, lib, ... }:
2{
3 config = {
4 services.kea = {
5 dhcp4 = {
6 enable = true;
7 settings = {
8 valid-lifetime = 4000;
9 rebind-timer = 2000;
10 renew-timer = 1000;
11
12 interfaces-config = {
13 interfaces = [ "lan" "mgmt" ];
14 };
15
16 lease-database = {
17 name = "/var/lib/kea/dhcp4.leases";
18 persist = true;
19 type = "memfile";
20 };
21
22 client-classes = [
23 { name = "ipxe";
24 test = "option[77].hex == 'iPXE'";
25 next-server = "10.141.0.1";
26 boot-file-name = "netboot.ipxe";
27 only-if-required = true;
28 }
29 { name = "uefi-64";
30 test = "substring(option[60].hex,0,20) == 'PXEClient:Arch:00007' or substring(option[60].hex,0,20) == 'PXEClient:Arch:00008' or substring(option[60].hex,0,20) == 'PXEClient:Arch:00009'";
31 only-if-required = true;
32 option-data = [
33 { name = "tftp-server-name"; data = "10.141.0.1"; }
34 ];
35 boot-file-name = "ipxe.efi";
36 }
37 { name = "uefi-32";
38 test = "substring(option[60].hex,0,20) == 'PXEClient:Arch:00002' or substring(option[60].hex,0,20) == 'PXEClient:Arch:00006'";
39 only-if-required = true;
40 option-data = [
41 { name = "tftp-server-name"; data = "10.141.0.1"; }
42 ];
43 boot-file-name = "i386-ipxe.efi";
44 }
45 { name = "legacy";
46 test = "substring(option[60].hex,0,20) == 'PXEClient:Arch:00000'";
47 only-if-required = true;
48 option-data = [
49 { name = "tftp-server-name"; data = "10.141.0.1"; }
50 ];
51 boot-file-name = "undionly.kpxe";
52 }
53 ];
54
55 dhcp-ddns.enable-updates = true;
56 ddns-send-updates = false;
57 ddns-override-client-update = true;
58 ddns-override-no-update = true;
59 ddns-replace-client-name = "when-not-present";
60 ddns-generated-prefix = "noname";
61 ddns-update-on-renew = true;
62
63 subnet4 = [
64 { subnet = "10.141.0.0/24";
65 option-data = [
66 { name = "domain-name-servers";
67 data = "10.141.0.1";
68 }
69 { name = "broadcast-address";
70 data = "10.141.0.255";
71 }
72 { name = "routers";
73 data = "10.141.0.1";
74 }
75 { name = "domain-name";
76 data = "yggdrasil";
77 }
78 { name = "domain-search";
79 data = "lan.yggdrasil, yggdrasil";
80 }
81 ];
82 ddns-send-updates = true;
83 ddns-qualifying-suffix = "lan.yggdrasil";
84 pools = [ { pool = "10.141.0.128 - 10.141.0.254"; } ];
85 require-client-classes = ["ipxe" "uefi-64" "uefi-32" "legacy"];
86 reservations = [
87 { hostname = "sif";
88 hw-address = "3c:e1:a1:52:24:35";
89 }
90 { hostname = "sif";
91 hw-address = "ee:32:68:76:83:ac";
92 }
93 { hostname = "sif";
94 hw-address = "48:2a:e3:64:62:97";
95 }
96 { hostname = "eos";
97 hw-address = "00:d8:61:79:c5:40";
98 }
99 ];
100 }
101 { subnet = "10.141.1.0/24";
102 option-data = [
103 { name = "domain-name-servers";
104 data = "10.141.1.1";
105 }
106 { name = "broadcast-address";
107 data = "10.141.1.255";
108 }
109 { name = "domain-name";
110 data = "yggdrasil";
111 }
112 { name = "domain-search";
113 data = "mgmt.yggdrasil, yggdrasil";
114 }
115 ];
116 ddns-send-updates = true;
117 ddns-qualifying-suffix = "mgmt.yggdrasil";
118 pools = [ { pool = "10.141.1.128 - 10.141.1.254"; } ];
119 reservations = [
120 { hostname = "switch01";
121 hw-address = "60:a4:b7:53:94:b5";
122 ip-address = "10.141.1.2";
123 }
124 { hostname = "ap01";
125 hw-address = "74:ac:b9:29:ad:9a";
126 ip-address = "10.141.1.4";
127 }
128 ];
129 }
130 { subnet = "10.141.2.0/24";
131 option-data = [
132 { name = "domain-name-servers";
133 data = "10.141.2.1";
134 }
135 { name = "broadcast-address";
136 data = "10.141.2.255";
137 }
138 { name = "routers";
139 data = "10.141.2.1";
140 }
141 ];
142 ddns-send-updates = false;
143 pools = [ { pool = "10.141.2.128 - 10.141.2.254"; } ];
144 reservations = [];
145 }
146 ];
147 };
148 };
149 dhcp6 = {
150 enable = true;
151 settings = {
152 interfaces-config = {
153 interfaces = [ "lan" ];
154 };
155
156 lease-database = {
157 name = "/var/lib/kea/dhcp6.leases";
158 persist = true;
159 type = "memfile";
160 };
161 };
162 };
163 dhcp-ddns = {
164 enable = true;
165 settings = {
166 forward-ddns = {
167 ddns-domains = [
168 { name = "lan.yggdrasil.";
169 dns-servers = [
170 { ip-address = "127.0.0.1";
171 port = 5353;
172 key-name = "local_key";
173 }
174 ];
175 }
176 { name = "mgmt.yggdrasil.";
177 dns-servers = [
178 { ip-address = "127.0.0.1";
179 port = 5353;
180 key-name = "local_key";
181 }
182 ];
183 }
184 ];
185 };
186 reverse-ddns = {
187 ddns-domains = [
188 { name = "0.141.10.in-addr.arpa.";
189 dns-servers = [
190 { ip-address = "127.0.0.1";
191 port = 5353;
192 key-name = "local_key";
193 }
194 ];
195 }
196 { name = "1.141.10.in-addr.arpa.";
197 dns-servers = [
198 { ip-address = "127.0.0.1";
199 port = 5353;
200 key-name = "local_key";
201 }
202 ];
203 }
204 ];
205 };
206 };
207 };
208 };
209
210 systemd.services.kea-dhcp-ddns-server = {
211 preStart = let
212 configLines = [
213 "<?include \"\${CREDENTIALS_DIRECTORY}/knot-tsig.json.frag\"?>"
214 ] ++ lib.mapAttrsToList (k: v:
215 "\"${k}\": ${builtins.toJSON v}"
216 ) config.services.kea.dhcp-ddns.settings;
217
218 config-template = pkgs.writeText "dhcp-ddns.conf" ''
219 {"DhcpDdns": {
220 ${lib.concatStringsSep ",\n " configLines}
221 }}
222 '';
223 in ''
224 ${pkgs.envsubst}/bin/envsubst -i "${config-template}" -o "''${RUNTIME_DIRECTORY}/dhcp-ddns.conf"
225 '';
226
227 serviceConfig = {
228 ExecStart = lib.mkForce ''
229 ${pkgs.kea}/bin/kea-dhcp-ddns -c "''${RUNTIME_DIRECTORY}/dhcp-ddns.conf" ${lib.escapeShellArgs config.services.kea.dhcp-ddns.extraArgs}
230 '';
231 LoadCredential = [
232 "knot-tsig.json.frag:${config.sops.secrets."kea-knot-tsig.json.frag".path}"
233 ];
234 };
235 };
236
237 sops.secrets."kea-knot-tsig.json.frag" = {
238 format = "binary";
239 sopsFile = ./knot-tsig.json.frag;
240 };
241
242 systemd.services."installer-atftpd" = {
243 description = "TFTP Server for PXE Booting NixOS Installer";
244 after = [ "network.target" ];
245 wantedBy = [ "multi-user.target" ];
246 serviceConfig.ExecStart = let
247 installerBuild = flake.nixosConfigurations.installer-x86_64-linux-netboot.config.system.build;
248 ipxe = pkgs.ipxe.override {
249 additionalTargets = {
250 "bin-i386-efi/ipxe.efi" = "i386-ipxe.efi";
251 };
252 };
253 tftpRoot = pkgs.runCommandLocal "installer-netboot" {} ''
254 mkdir -p $out
255 install -m 0444 -t $out \
256 ${installerBuild.netbootRamdisk}/initrd \
257 ${installerBuild.kernel}/bzImage \
258 ${installerBuild.netbootIpxeScript}/netboot.ipxe \
259 ${ipxe}/ipxe.efi ${ipxe}/i386-ipxe.efi ${ipxe}/undionly.kpxe
260 '';
261 in "${pkgs.atftp}/sbin/atftpd --daemon --no-fork --bind-address=10.141.0.1 ${tftpRoot}";
262 };
263 };
264}
diff --git a/hosts/vidhar/network/dhcp/knot-tsig.json.frag b/hosts/vidhar/network/dhcp/knot-tsig.json.frag
new file mode 100644
index 00000000..75deb41c
--- /dev/null
+++ b/hosts/vidhar/network/dhcp/knot-tsig.json.frag
@@ -0,0 +1,26 @@
1{
2 "data": "ENC[AES256_GCM,data:cGcoqYZ341xQOFukDm4J5KDfG6+NaNbk2U2k4YGneRsAoPJZe/8KDmVr8TBWFCXXbuzeCGbiuXRVBmtYSEIqbqTN4u00RdQgpeL72cB3ZFd2c7cideEQV5z802pqFfXSlmLBC01OPG3TwAgk6xhQYSn5IcBTIL6fRF235Y9Q8k/X96rhfwPRVq84,iv:UoweWBcVuQIXeWFFl/WNUHLXG8nEri1UuTskC2I26hU=,tag:TJldVr2LDTmKA3ozZoX+cQ==,type:str]",
3 "sops": {
4 "kms": null,
5 "gcp_kms": null,
6 "azure_kv": null,
7 "hc_vault": null,
8 "age": null,
9 "lastmodified": "2022-03-15T13:52:17Z",
10 "mac": "ENC[AES256_GCM,data:rTelaGx5S2E2oYPNGfctFbgDKdyRX8tpVTqLtpcCAJ8MS5ppFTjnSwYi4yQHvTicfAPNz7hGJYAnTdyC2QDTciJgkS6KC3CCXWCimkTybBdVW4Azwz9iBZCpWu+rB1vcQhSLlLCaKmKskkqDZZ5+mfuaXc+TT2uwTA0SDtZWvnM=,iv:ANCZ1fHy6w/svEE53o7rWsp5qU15qoriqyVMzClH6J0=,tag:H92RM5GuLIl9/kslq4tzkQ==,type:str]",
11 "pgp": [
12 {
13 "created_at": "2022-03-15T13:50:52Z",
14 "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DbYDvGI0HDr0SAQdANAtB0un04iI+foGRefRK249LhT6Mz+yzdhkWa0UYoxcw\nUGDSh6la4ijiaqdeVfJ3vckXfAqee7dLseNQ64dafdlk2hVI0ZNv6mjfwgWk698v\n0l4B4EOHfDrmFNhZFcj1/sCRnukgx7PSeybZn3miTLQgMGOydrfYuisA3we/4EUo\nU55PGINdtAu268OUHQjj3yF1S72Yeh1MXEdvajRQdqorQJ4TpsPUtJolM25Df/kK\n=etIn\n-----END PGP MESSAGE-----\n",
15 "fp": "A1C7C95E6CAF0A965CB47277BCF50A89C1B1F362"
16 },
17 {
18 "created_at": "2022-03-15T13:50:52Z",
19 "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdABm/Qf3pX4SxvTzq6sJKWc5o3Fzu/nH3XAH1WE2L/BUMw\nMFFmYmq3399ZcZ6JvaHdbJFUdavo/+wOg3ecWok039wbsr9qwn8YA4cR7VBsUPLa\n0l4BxuaiT3M+mTVvr5WpGFc3Xj7Mp4/z6hBUS+qTFIFZI2U5JsmZgC7VGTm+dlSJ\nexN6yr9mlQXvDIkx8w5/eaiYGViZ90SxN9BPYDqfGGigAw+xdXaafcOx8uBldAL1\n=HLRI\n-----END PGP MESSAGE-----\n",
20 "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
21 }
22 ],
23 "unencrypted_suffix": "_unencrypted",
24 "version": "3.7.1"
25 }
26} \ No newline at end of file