authorGregor Kleen <gkleen@yggdrasil.li>2021-12-29 10:52:45 +0100
committerGregor Kleen <gkleen@yggdrasil.li>2021-12-29 10:52:45 +0100
commit49b2b0cd849a3acd040a40b5be98875b58a236b0 (patch)
treee1b205f6589e1dc087cea2a86c19e2db4655b413 /hosts/vidhar
parentbb2ef19025d688433e7e3f9ef8edc26a3fa69d24 (diff)
vidhar: ...
Diffstat (limited to 'hosts/vidhar')
-rw-r--r--hosts/vidhar/default.nix58
-rw-r--r--hosts/vidhar/dsl.nix20
-rw-r--r--hosts/vidhar/ruleset.nft16
3 files changed, 68 insertions, 26 deletions
diff --git a/hosts/vidhar/default.nix b/hosts/vidhar/default.nix
index 405b5efa..933f5af9 100644
--- a/hosts/vidhar/default.nix
+++ b/hosts/vidhar/default.nix
@@ -72,7 +72,7 @@
72 useDHCP = false; 72 useDHCP = false;
73 useNetworkd = true; 73 useNetworkd = true;
74 74
75 interfaces."eno1" = { 75 interfaces."lan" = {
76 ipv4.addresses = [ 76 ipv4.addresses = [
77 { address = "10.141.0.1"; prefixLength = 24; } 77 { address = "10.141.0.1"; prefixLength = 24; }
78 ]; 78 ];
@@ -88,6 +88,10 @@
88 id = 2; 88 id = 2;
89 interface = "eno2"; 89 interface = "eno2";
90 }; 90 };
91 lan = {
92 id = 3;
93 interface = "eno2";
94 };
91 }; 95 };
92 96
93 firewall.enable = false; 97 firewall.enable = false;
@@ -103,7 +107,7 @@
103 107
104 services.dhcpd4 = { 108 services.dhcpd4 = {
105 enable = true; 109 enable = true;
106 interfaces = [ "eno1" "mgmt" ]; 110 interfaces = [ "lan" "mgmt" ];
107 extraConfig = '' 111 extraConfig = ''
108 subnet 10.141.0.0 netmask 255.255.255.0 { 112 subnet 10.141.0.0 netmask 255.255.255.0 {
109 range 10.141.0.128 10.141.0.254; 113 range 10.141.0.128 10.141.0.254;
@@ -138,7 +142,7 @@
138 monitor = true; 142 monitor = true;
139 verbose = true; 143 verbose = true;
140 } 144 }
141 { name = "eno1"; 145 { name = "lan";
142 advertise = true; 146 advertise = true;
143 verbose = true; 147 verbose = true;
144 prefix = [{ prefix = "::/64"; }]; 148 prefix = [{ prefix = "::/64"; }];
@@ -156,7 +160,7 @@
156 router = true; 160 router = true;
157 rules.lan = { 161 rules.lan = {
158 method = "iface"; 162 method = "iface";
159 interface = "eno1"; 163 interface = "lan";
160 network = "::/0"; 164 network = "::/0";
161 }; 165 };
162 }; 166 };
@@ -186,9 +190,9 @@
186 after = [ "sys-subsystem-net-devices-telekom.device" ]; 190 after = [ "sys-subsystem-net-devices-telekom.device" ];
187 }; 191 };
188 systemd.services."dhcpcd-telekom" = { 192 systemd.services."dhcpcd-telekom" = {
189 wantedBy = [ "multi-user.target" "network-online.target" ]; 193 wantedBy = [ "multi-user.target" "network-online.target" "pppd-telekom.service" ];
190 bindsTo = [ "pppd-telekom.service" ]; 194 bindsTo = [ "pppd-telekom.service" "sys-subsystem-net-devices-dsl.device" ];
191 after = [ "pppd-telekom.service" ]; 195 after = [ "pppd-telekom.service" "sys-subsystem-net-devices-dsl.device" ];
192 wants = [ "network.target" ]; 196 wants = [ "network.target" ];
193 before = [ "network-online.target" ]; 197 before = [ "network-online.target" ];
194 198
@@ -197,6 +201,18 @@
197 201
198 stopIfChanged = false; 202 stopIfChanged = false;
199 203
204 preStart = ''
205 i=0
206
207 while [[ -z "$(${pkgs.iproute2}/bin/ip -6 addr show dev ${config.networking.pppInterface} scope link)" ]]; do
208 ${pkgs.coreutils}/bin/sleep 0.1
209 i=$((i + 1))
210 if [[ "$i" -ge 10 ]]; then
211 exit 1
212 fi
213 done
214 '';
215
200 serviceConfig = let 216 serviceConfig = let
201 dhcpcdConf = pkgs.writeText "dhcpcd.conf" '' 217 dhcpcdConf = pkgs.writeText "dhcpcd.conf" ''
202 duid 218 duid
@@ -219,7 +235,7 @@
219 ipv6ra_autoconf 235 ipv6ra_autoconf
220 iaid 1195061668 236 iaid 1195061668
221 ipv6rs # enable routing solicitation for WAN adapter 237 ipv6rs # enable routing solicitation for WAN adapter
222 ia_pd 1 eno1/0/64/0 # request a PD and assign it to the LAN 238 ia_pd 1 lan/0/64/0 # request a PD and assign it to the LAN
223 239
224 waitip 6 240 waitip 6
225 ''; 241 '';
@@ -230,8 +246,30 @@
230 ExecStart = "@${pkgs.dhcpcd}/sbin/dhcpcd dhcpcd -q --config ${dhcpcdConf}"; 246 ExecStart = "@${pkgs.dhcpcd}/sbin/dhcpcd dhcpcd -q --config ${dhcpcdConf}";
231 ExecReload = "${pkgs.dhcpcd}/sbin/dhcpcd --rebind"; 247 ExecReload = "${pkgs.dhcpcd}/sbin/dhcpcd --rebind";
232 Restart = "always"; 248 Restart = "always";
249 RestartSec = "5";
250 };
251 };
252 systemd.services.ndppd = {
253 wantedBy = [ "dhcpcd-telekom.service" ];
254 bindsTo = [ "dhcpcd-telekom.service" ];
255 after = [ "dhcpcd-telekom.service" ];
256
257 serviceConfig = {
258 Restart = "always";
259 RestartSec = "5";
260 };
261 };
262 systemd.services.corerad = {
263 wantedBy = [ "dhcpcd-telekom.service" ];
264 bindsTo = [ "dhcpcd-telekom.service" ];
265 after = [ "dhcpcd-telekom.service" ];
266
267 serviceConfig = {
268 Restart = lib.mkForce "always";
269 RestartSec = "5";
233 }; 270 };
234 }; 271 };
272 systemd.services."systemd-networkd".stopIfChanged = false;
235 users.users.dhcpcd = { 273 users.users.dhcpcd = {
236 isSystemUser = true; 274 isSystemUser = true;
237 group = "dhcpcd"; 275 group = "dhcpcd";
@@ -349,7 +387,7 @@
349 disable spoolss = yes 387 disable spoolss = yes
350 guest account = nobody 388 guest account = nobody
351 bind interfaces only = yes 389 bind interfaces only = yes
352 interfaces = lo eno1 390 interfaces = lo lan
353 ''; 391 '';
354 shares = { 392 shares = {
355 homes = { 393 homes = {
@@ -379,7 +417,7 @@
379 services.samba-wsdd = { 417 services.samba-wsdd = {
380 enable = true; 418 enable = true;
381 workgroup = "WORKGROUP"; 419 workgroup = "WORKGROUP";
382 interface = [ "lo" "eno1" ]; 420 interface = [ "lo" "lan" ];
383 }; 421 };
384 422
385 fileSystems."/srv/eos.lower" = { 423 fileSystems."/srv/eos.lower" = {
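Review bot: The new `preStart` on `dhcpcd-telekom` (new lines 204–214) gives up after 10 × 0.1 s, i.e. one second, and then fails with a bare `exit 1`; combined with `Restart = "always"` / `RestartSec = "5"` a slow IPV6CP handshake turns into a silent restart loop with nothing in the journal explaining why. Since the unit now also `bindsTo` `pppd-telekom.service`, which only signals readiness via `up_sdnotify` once the link is up, the link-local address should normally already be there, but the window between pppd's notify and the kernel assigning the address is not visible here, so a one-second cap looks tight — please confirm it is intentional. I would widen the bound and say what failed: `if [[ "$i" -ge 50 ]]; then`, `echo "no link-local address on ${config.networking.pppInterface} after 5s" >&2`, `exit 1`. A one-line comment above the loop stating the intent (`# wait for the ppp link-local address dhcpcd needs before soliciting a PD`) would also help the next reader. The enclosing `systemd.services."dhcpcd-telekom"` attrset starts before this hunk.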
diff --git a/hosts/vidhar/dsl.nix b/hosts/vidhar/dsl.nix
index be07b9f7..0f92a079 100644
--- a/hosts/vidhar/dsl.nix
+++ b/hosts/vidhar/dsl.nix
@@ -37,15 +37,19 @@ in {
37 debug 37 debug
38 ''; 38 '';
39 }; 39 };
40 systemd.services."pppd-telekom".serviceConfig = lib.mkForce { 40 systemd.services."pppd-telekom" = {
41 Type = "forking"; 41 stopIfChanged = false;
42 PIDFile = "/run/pppd/${pppInterface}.pid"; 42
43 ExecStart = "${lib.getBin pkgs.ppp}/sbin/pppd call telekom updetach nolog +ipv6"; 43 serviceConfig = lib.mkForce {
44 Restart = "always"; 44 Type = "notify";
45 RestartSec = 5; 45 PIDFile = "/run/pppd/${pppInterface}.pid";
46 ExecStart = "${lib.getBin pkgs.ppp}/sbin/pppd call telekom up_sdnotify nolog +ipv6";
47 Restart = "always";
48 RestartSec = 5;
46 49
47 RuntimeDirectory = "pppd"; 50 RuntimeDirectory = "pppd";
48 RuntimeDirectoryPreserve = true; 51 RuntimeDirectoryPreserve = true;
52 };
49 }; 53 };
50 sops.secrets."pap-secrets" = { 54 sops.secrets."pap-secrets" = {
51 format = "binary"; 55 format = "binary";
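Review bot: Switching to `Type = "notify"` with `up_sdnotify` (new lines 44–46) only works if the `pppd` binary was built with systemd support; otherwise pppd rejects the unknown option at startup and, with `Restart = "always"` and `RestartSec = 5`, the unit restart-loops every five seconds — I believe the nixpkgs `ppp` package enables it, but please confirm before relying on it for the WAN link. `PIDFile = "/run/pppd/${pppInterface}.pid"` (new line 45) is a leftover from the forking type: with `notify` pppd stays in the foreground and is the main PID, so the line is redundant and can be dropped. Note also that `up_sdnotify` makes systemd wait for readiness, so a link that never comes up is killed after the default `TimeoutStartSec` and restarted, which appears to be the intended behaviour. The `debug`/`''`/`};` lines at the top of the hunk close a definition that begins outside it.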
diff --git a/hosts/vidhar/ruleset.nft b/hosts/vidhar/ruleset.nft
index 2f8e7b57..57ac2716 100644
--- a/hosts/vidhar/ruleset.nft
+++ b/hosts/vidhar/ruleset.nft
@@ -59,10 +59,10 @@ table inet filter {
59 59
60 iifname lo counter accept 60 iifname lo counter accept
61 61
62 oifname {eno1, dsl} meta l4proto $icmp_protos jump forward_icmp_accept 62 oifname {lan, dsl} meta l4proto $icmp_protos jump forward_icmp_accept
63 63
64 iifname eno1 oifname dsl counter accept 64 iifname lan oifname dsl counter accept
65 iifname dsl oifname eno1 ct state {established, related} counter accept 65 iifname dsl oifname lan ct state {established, related} counter accept
66 66
67 67
68 68
@@ -94,8 +94,8 @@ table inet filter {
94 tcp dport 22 counter accept 94 tcp dport 22 counter accept
95 udp dport 60001-61000 counter accept 95 udp dport 60001-61000 counter accept
96 96
97 iifname eno1 tcp dport 53 counter accept 97 iifname lan tcp dport 53 counter accept
98 iifname eno1 udp dport 53 counter accept 98 iifname lan udp dport 53 counter accept
99 99
100 meta protocol ip udp dport 51820 counter accept 100 meta protocol ip udp dport 51820 counter accept
101 meta protocol ip6 udp dport 51821 counter accept 101 meta protocol ip6 udp dport 51821 counter accept
@@ -105,10 +105,10 @@ table inet filter {
105 105
106 iifname mgmt udp dport 123 counter accept 106 iifname mgmt udp dport 123 counter accept
107 107
108 iifname {eno1, mgmt} udp dport 67 counter accept 108 iifname {lan, mgmt} udp dport 67 counter accept
109 109
110 iifname eno1 udp dport { 137, 138, 3702 } counter accept 110 iifname lan udp dport { 137, 138, 3702 } counter accept
111 iifname eno1 tcp dport { 445, 139, 5357 } counter accept 111 iifname lan tcp dport { 445, 139, 5357 } counter accept
112 112
113 ct state {established, related} counter accept 113 ct state {established, related} counter accept
114 114