From f4301a77c9410f931c61b851bc5c1076d25dae80 Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Fri, 31 Dec 2021 15:13:52 +0100 Subject: vidhar: ... --- hosts/vidhar/default.nix | 334 +---------------------------------------------- hosts/vidhar/dns.nix | 47 +++++++ hosts/vidhar/dsl.nix | 134 ++++++++++++++++++- hosts/vidhar/network.nix | 83 ++++++++++++ hosts/vidhar/samba.nix | 81 ++++++++++++ 5 files changed, 344 insertions(+), 335 deletions(-) create mode 100644 hosts/vidhar/dns.nix create mode 100644 hosts/vidhar/network.nix create mode 100644 hosts/vidhar/samba.nix diff --git a/hosts/vidhar/default.nix b/hosts/vidhar/default.nix index 933f5af9..a2764158 100644 --- a/hosts/vidhar/default.nix +++ b/hosts/vidhar/default.nix @@ -1,7 +1,7 @@ { hostName, flake, config, pkgs, lib, ... }: { imports = with flake.nixosModules.systemProfiles; [ - ./zfs.nix ./dsl.nix + ./zfs.nix ./network.nix ./samba.nix ./dns.nix initrd-all-crypto-modules default-locale openssh rebuild-machines build-server initrd-ssh 
@@ -63,218 +63,6 @@ options = [ "mode=0755" ]; }; }; - - networking = { - hostName = "vidhar"; - domain = "yggdrasil"; - search = [ "yggdrasil" ]; - - useDHCP = false; - useNetworkd = true; - - interfaces."lan" = { - ipv4.addresses = [ - { address = "10.141.0.1"; prefixLength = 24; } - ]; - }; - interfaces."mgmt" = { - ipv4.addresses = [ - { address = "10.141.1.1"; prefixLength = 24; } - ]; - }; - - vlans = { - mgmt = { - id = 2; - interface = "eno2"; - }; - lan = { - id = 3; - interface = "eno2"; - }; - }; - - firewall.enable = false; - nftables = { - enable = true; - rulesetFile = ./ruleset.nft; - }; - }; - - services.resolved = { - llmnr = "false"; - }; - - services.dhcpd4 = { - enable = true; - interfaces = [ "lan" "mgmt" ]; - extraConfig = '' - subnet 10.141.0.0 netmask 255.255.255.0 { - range 10.141.0.128 10.141.0.254; - option domain-name-servers 10.141.0.1; - option broadcast-address 10.141.0.255; - option routers 10.141.0.1; - option domain-name "yggdrasil"; - } - - subnet 10.141.1.0 netmask 255.255.255.0 { - range 10.141.1.128 10.141.1.254; - } - ''; - machines = [ - { - ethernetAddress = "50:d4:f7:f3:0f:7e"; - hostName = "gauss-ap01"; - ipAddress = "10.141.0.64"; - } - { - ethernetAddress = "60:a4:b7:53:94:b5"; - hostName = "switch01"; - ipAddress = "10.141.1.2"; - } - ]; - }; - services.corerad = { - enable = true; - settings = { - interfaces = [ - { name = config.networking.pppInterface; - monitor = true; - verbose = true; - } - { name = "lan"; - advertise = true; - verbose = true; - prefix = [{ prefix = "::/64"; }]; - route = [{ prefix = "::/0"; }]; - rdnss = [{ servers = ["::"]; }]; - dnssl = [{ domain_names = ["yggdrasil"]; }]; - } - ]; - }; - }; - services.ndppd = { - enable = true; - proxies = { - ${config.networking.pppInterface} = { - router = true; - rules.lan = { - method = "iface"; - interface = "lan"; - network = "::/0"; - }; - }; - }; - }; - boot.kernel.sysctl = { - "net.ipv6.conf.all.forwarding" = true; - "net.ipv6.conf.default.forwarding" 
= true; - "net.ipv4.conf.all.forwarding" = true; - "net.ipv4.conf.default.forwarding" = true; - - "net.core.rmem_max" = "4194304"; - "net.core.wmem_max" = "4194304"; - }; - systemd.network.networks = { - "eno2" = { - matchConfig.Name = "eno2"; - networkConfig.LinkLocalAddressing = "no"; - }; - "telekom" = { - matchConfig.Name = "telekom"; - networkConfig.LinkLocalAddressing = "no"; - }; - }; - systemd.services."pppd-telekom" = { - bindsTo = [ "sys-subsystem-net-devices-telekom.device" ]; - after = [ "sys-subsystem-net-devices-telekom.device" ]; - }; - systemd.services."dhcpcd-telekom" = { - wantedBy = [ "multi-user.target" "network-online.target" "pppd-telekom.service" ]; - bindsTo = [ "pppd-telekom.service" "sys-subsystem-net-devices-dsl.device" ]; - after = [ "pppd-telekom.service" "sys-subsystem-net-devices-dsl.device" ]; - wants = [ "network.target" ]; - before = [ "network-online.target" ]; - - path = with pkgs; [ dhcpcd nettools openresolv ]; - unitConfig.ConditionCapability = "CAP_NET_ADMIN"; - - stopIfChanged = false; - - preStart = '' - i=0 - - while [[ -z "$(${pkgs.iproute2}/bin/ip -6 addr show dev ${config.networking.pppInterface} scope link)" ]]; do - ${pkgs.coreutils}/bin/sleep 0.1 - i=$((i + 1)) - if [[ "$i" -ge 10 ]]; then - exit 1 - fi - done - ''; - - serviceConfig = let - dhcpcdConf = pkgs.writeText "dhcpcd.conf" '' - duid - vendorclassid - ipv6only - - nooption domain_name_servers, domain_name, domain_search - option classless_static_routes - option interface_mtu - - option host_name - option rapid_commit - require dhcp_server_identifier - slaac private - - noipv6rs # disable routing solicitation - nohook resolv.conf - allowinterfaces dsl - interface dsl - ipv6ra_autoconf - iaid 1195061668 - ipv6rs # enable routing solicitation for WAN adapter - ia_pd 1 lan/0/64/0 # request a PD and assign it to the LAN - - waitip 6 - ''; - in { - Type = "forking"; - PIDFile = "/run/dhcpcd/pid"; - RuntimeDirectory = "dhcpcd"; - ExecStart = 
"@${pkgs.dhcpcd}/sbin/dhcpcd dhcpcd -q --config ${dhcpcdConf}"; - ExecReload = "${pkgs.dhcpcd}/sbin/dhcpcd --rebind"; - Restart = "always"; - RestartSec = "5"; - }; - }; - systemd.services.ndppd = { - wantedBy = [ "dhcpcd-telekom.service" ]; - bindsTo = [ "dhcpcd-telekom.service" ]; - after = [ "dhcpcd-telekom.service" ]; - - serviceConfig = { - Restart = "always"; - RestartSec = "5"; - }; - }; - systemd.services.corerad = { - wantedBy = [ "dhcpcd-telekom.service" ]; - bindsTo = [ "dhcpcd-telekom.service" ]; - after = [ "dhcpcd-telekom.service" ]; - - serviceConfig = { - Restart = lib.mkForce "always"; - RestartSec = "5"; - }; - }; - systemd.services."systemd-networkd".stopIfChanged = false; - users.users.dhcpcd = { - isSystemUser = true; - group = "dhcpcd"; - }; - users.groups.dhcpcd = {}; services.timesyncd.enable = false; services.chrony = { 
@@ -331,125 +119,5 @@ cpuFreqGovernor = "schedutil"; }; - - services.unbound = { - enable = true; - resolveLocalQueries = false; - stateDir = "/var/lib/unbound"; - localControlSocketPath = "/run/unbound/unbound.ctl"; - settings = { - server = { - interface = ["127.0.0.1" "10.141.0.1" "::0"]; - access-control = ["0.0.0.0/0 allow" "::/0 allow"]; - root-hints = "${pkgs.dns-root-data}/root.hints"; - - num-threads = 12; - so-reuseport = true; - msg-cache-slabs = 16; - rrset-cache-slabs = 16; - infra-cache-slabs = 16; - key-cache-slabs = 16; - - rrset-cache-size = "100m"; - msg-cache-size = "50m"; - outgoing-range = 8192; - num-queries-per-thread = 4096; - - so-rcvbuf = "4m"; - so-sndbuf = "4m"; - - serve-expired = true; - serve-expired-ttl = 86400; - serve-expired-reply-ttl = 0; - - prefetch = true; - prefetch-key = true; - - minimal-responses = false; - - extended-statistics = true; - - rrset-roundrobin = true; - use-caps-for-id = true; - }; - }; - }; - - services.samba = { - enable = true; - securityType = "user"; - extraConfig = '' - domain master = yes - workgroup = WORKGROUP - load printers = no - printing = bsd - printcap name = /dev/null - disable spoolss = yes - guest account = nobody - bind interfaces only = yes - interfaces = lo lan - ''; - shares = { - homes = { - comment = "Home Directories"; - path = "/home/%S"; - browseable = "no"; - "valid users" = "%S"; - "read only" = "no"; - "create mask" = "0700"; - "directory mask" = "0700"; - "vfs objects" = "shadow_copy2"; - "shadow:snapdir" = ".zfs/snapshot"; - "shadow:sort" = "desc"; - "shadow:format" = "%Y-%m-%d-%Hh%MU"; - "shadow:snapprefix" = "^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(monthly\)\{0,1\}"; - "shadow:delimiter" = "-"; - }; - eos = { - comment = "Disk image of eos"; - browseable = true; - "valid users" = "mherold"; - writeable = "true"; - path = "/srv/eos"; - }; - }; - }; - services.samba-wsdd = { - enable = true; - workgroup = "WORKGROUP"; - interface = [ "lo" "lan" ]; - 
}; - - fileSystems."/srv/eos.lower" = { - device = "/dev/zvol/hdd-raid6/safe/home/mherold/eos/base"; - fsType = "ntfs3"; - options = [ "ro" "uid=mherold" "gid=users" "fmask=0177" "dmask=0077" "nofail" "noauto" ]; - }; - - fileSystems."/srv/eos.upper" = { - device = "/dev/zvol/hdd-raid6/safe/home/mherold/eos/upper"; - fsType = "ext4"; - options = [ "nofail" "noauto" ]; - }; - - systemd.mounts = [ - { - wantedBy = [ "samba-smbd.service" ]; - before = [ "samba-smbd.service" ]; - - where = "/srv/eos"; - what = "overlay"; - type = "overlay"; - options = lib.concatStringsSep "," - [ "lowerdir=/srv/eos.lower" - "upperdir=/srv/eos.upper/upper" - "workdir=/srv/eos.upper/work" - ]; - - unitConfig = { - RequiresMountsFor = [ "/srv/eos.lower" "/srv/eos.upper" ]; - }; - } - ]; }; }
diff --git a/hosts/vidhar/dns.nix b/hosts/vidhar/dns.nix
new file mode 100644
index 00000000..49afc5fc
--- /dev/null
+++ b/hosts/vidhar/dns.nix
@@ -0,0 +1,47 @@
+{ config, lib, pkgs, ... }:
+{
+ config = {
+ services.unbound = {
+ enable = true;
+ resolveLocalQueries = false;
+ stateDir = "/var/lib/unbound";
+ localControlSocketPath = "/run/unbound/unbound.ctl";
+ settings = {
+ server = {
+ interface = ["127.0.0.1" "10.141.0.1" "::0"];
+ access-control = ["0.0.0.0/0 allow" "::/0 allow"];
+ root-hints = "${pkgs.dns-root-data}/root.hints";
+
+ num-threads = 12;
+ so-reuseport = true;
+ msg-cache-slabs = 16;
+ rrset-cache-slabs = 16;
+ infra-cache-slabs = 16;
+ key-cache-slabs = 16;
+
+ rrset-cache-size = "100m";
+ msg-cache-size = "50m";
+ outgoing-range = 8192;
+ num-queries-per-thread = 4096;
+
+ so-rcvbuf = "4m";
+ so-sndbuf = "4m";
+
+ serve-expired = true;
+ serve-expired-ttl = 86400;
+ serve-expired-reply-ttl = 0;
+
+ prefetch = true;
+ prefetch-key = true;
+
+ minimal-responses = false;
+
+ extended-statistics = true;
+
+ rrset-roundrobin = true;
+ use-caps-for-id = true;
+ };
+ };
+ };
+ };
+}
diff --git a/hosts/vidhar/dsl.nix b/hosts/vidhar/dsl.nix
index 0f92a079..8cbfc1e7 100644
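Review bot: In dns.nix, `access-control = ["0.0.0.0/0 allow" "::/0 allow"]` combined with `interface = [... "::0"]` makes unbound accept recursive queries from any source on every IPv6 address, including whatever address lands on the DSL link; because `firewall.enable = false` elsewhere in this commit, exposure as an open resolver depends entirely on `./ruleset.nft`, which is not part of the diff. Unless that ruleset is known to drop inbound port 53 on the WAN side, the ACL should default-deny and allow only the local networks, e.g. `access-control = [ "127.0.0.0/8 allow" "10.141.0.0/24 allow" "::1/128 allow" "fe80::/10 allow" ]`; the delegated IPv6 prefix is dynamic, so for that one the nftables layer is probably the right place, but either way it should be stated which layer is responsible. `config` and `lib` in the module arguments are unused here, `{ pkgs, ... }:` would do.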
--- a/hosts/vidhar/dsl.nix +++ b/hosts/vidhar/dsl.nix @@ -67,9 +67,9 @@ in { }; }; - systemd.network.networks."dsl" = { + systemd.network.networks.${pppInterface} = { matchConfig = { - Name = "dsl"; + Name = pppInterface; }; dns = [ "::1" "127.0.0.1" ]; domains = [ "~." ]; 
@@ -78,5 +78,135 @@ in {
 DNSSEC = true;
 };
 };
+
+ services.corerad = {
+ enable = true;
+ settings = {
+ interfaces = [
+ { name = pppInterface;
+ monitor = true;
+ verbose = true;
+ }
+ { name = "lan";
+ advertise = true;
+ verbose = true;
+ prefix = [{ prefix = "::/64"; }];
+ route = [{ prefix = "::/0"; }];
+ rdnss = [{ servers = ["::"]; }];
+ dnssl = [{ domain_names = ["yggdrasil"]; }];
+ }
+ ];
+ };
+ };
+ services.ndppd = {
+ enable = true;
+ proxies = {
+ ${pppInterface} = {
+ router = true;
+ rules.lan = {
+ method = "iface";
+ interface = "lan";
+ network = "::/0";
+ };
+ };
+ };
+ };
+ boot.kernel.sysctl = {
+ "net.ipv6.conf.all.forwarding" = true;
+ "net.ipv6.conf.default.forwarding" = true;
+ "net.ipv4.conf.all.forwarding" = true;
+ "net.ipv4.conf.default.forwarding" = true;
+
+ "net.core.rmem_max" = "4194304";
+ "net.core.wmem_max" = "4194304";
+ };
+ systemd.services."pppd-telekom" = {
+ bindsTo = [ "sys-subsystem-net-devices-${pppInterface}.device" ];
+ after = [ "sys-subsystem-net-devices-${pppInterface}.device" ];
+ };
+ systemd.services."dhcpcd-telekom" = {
+ wantedBy = [ "multi-user.target" "network-online.target" "pppd-telekom.service" ];
+ bindsTo = [ "pppd-telekom.service" "sys-subsystem-net-devices-${pppInterface}.device" ];
+ after = [ "pppd-telekom.service" "sys-subsystem-net-devices-${pppInterface}.device" ];
+ wants = [ "network.target" ];
+ before = [ "network-online.target" ];
+
+ path = with pkgs; [ dhcpcd nettools openresolv ];
+ unitConfig.ConditionCapability = "CAP_NET_ADMIN";
+
+ stopIfChanged = false;
+
+ preStart = ''
+ i=0
+
+ while [[ -z "$(${pkgs.iproute2}/bin/ip -6 addr show dev ${pppInterface} scope link)" ]]; do
+ ${pkgs.coreutils}/bin/sleep 0.1
+ i=$((i + 1))
+ if [[ "$i" -ge 10 ]]; then
+ exit 1
+ fi
+ done
+ '';
+
+ serviceConfig = let
+ dhcpcdConf = pkgs.writeText "dhcpcd.conf" ''
+ duid
+ vendorclassid
+ ipv6only
+
+ nooption domain_name_servers, domain_name, domain_search
+ option classless_static_routes
+ option interface_mtu
+
+ option host_name
+ option rapid_commit
+ require dhcp_server_identifier
+ slaac private
+
+ nohook resolv.conf
+ ipv6ra_autoconf
+ iaid 1195061668
+ ipv6rs # enable routing solicitation for WAN adapter
+ ia_pd 1 lan/0/64/0 # request a PD and assign it to the LAN
+
+ reboot 0
+
+ waitip 6
+ '';
+ in {
+ Type = "forking";
+ PIDFile = "/run/dhcpcd/pid";
+ RuntimeDirectory = "dhcpcd";
+ ExecStart = "@${pkgs.dhcpcd}/sbin/dhcpcd dhcpcd -q --config ${dhcpcdConf} ${pppInterface}";
+ ExecReload = "${pkgs.dhcpcd}/sbin/dhcpcd --rebind ${pppInterface}";
+ Restart = "always";
+ RestartSec = "5";
+ };
+ };
+ systemd.services.ndppd = {
+ wantedBy = [ "dhcpcd-telekom.service" ];
+ bindsTo = [ "dhcpcd-telekom.service" ];
+ after = [ "dhcpcd-telekom.service" ];
+
+ serviceConfig = {
+ Restart = "always";
+ RestartSec = "5";
+ };
+ };
+ systemd.services.corerad = {
+ wantedBy = [ "dhcpcd-telekom.service" ];
+ bindsTo = [ "dhcpcd-telekom.service" ];
+ after = [ "dhcpcd-telekom.service" ];
+
+ serviceConfig = {
+ Restart = lib.mkForce "always";
+ RestartSec = "5";
+ };
+ };
+ users.users.dhcpcd = {
+ isSystemUser = true;
+ group = "dhcpcd";
+ };
+ users.groups.dhcpcd = {};
 };
 }
diff --git a/hosts/vidhar/network.nix b/hosts/vidhar/network.nix
new file mode 100644
index 00000000..a32dd2f8
--- /dev/null
+++ b/hosts/vidhar/network.nix
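Review bot: `ExecStart` now passes `${pppInterface}` to dhcpcd (replacing the removed `allowinterfaces dsl` / `interface dsl` config lines) while `PIDFile` stays `/run/dhcpcd/pid`; depending on the dhcpcd version, an explicit interface argument can switch it from manager mode to a per-interface pid file, which with `Type = "forking"` would make systemd consider the start failed and then cycle the unit on `Restart = "always"`, so this is worth confirming against the dhcpcd package actually in use. The `preStart` loop is the other spot a reader trips over: it polls ten times at 0.1 s for a link-local address on `${pppInterface}` and exits 1 otherwise, which only makes sense together with `Restart = "always"` retrying the unit; a comment such as `# dhcpcd cannot solicit routers until pppd has a link-local address; wait ~1 s, then fail and let Restart=always retry` would make that explicit. The `in { … }` attribute set enclosing these definitions starts before the hunk.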
@@ -0,0 +1,83 @@
+{ config, lib, pkgs, ... }:
+{
+ imports = [ ./dsl.nix ];
+
+ config = {
+ networking = {
+ hostName = "vidhar";
+ domain = "yggdrasil";
+ search = [ "yggdrasil" ];
+
+ useDHCP = false;
+ useNetworkd = true;
+
+ interfaces."lan" = {
+ ipv4.addresses = [
+ { address = "10.141.0.1"; prefixLength = 24; }
+ ];
+ };
+ interfaces."mgmt" = {
+ ipv4.addresses = [
+ { address = "10.141.1.1"; prefixLength = 24; }
+ ];
+ };
+
+ vlans = {
+ mgmt = {
+ id = 2;
+ interface = "eno2";
+ };
+ lan = {
+ id = 3;
+ interface = "eno2";
+ };
+ };
+
+ firewall.enable = false;
+ nftables = {
+ enable = true;
+ rulesetFile = ./ruleset.nft;
+ };
+ };
+
+ services.resolved = {
+ llmnr = "false";
+ };
+
+ services.dhcpd4 = {
+ enable = true;
+ interfaces = [ "lan" "mgmt" ];
+ extraConfig = ''
+ subnet 10.141.0.0 netmask 255.255.255.0 {
+ range 10.141.0.128 10.141.0.254;
+ option domain-name-servers 10.141.0.1;
+ option broadcast-address 10.141.0.255;
+ option routers 10.141.0.1;
+ option domain-name "yggdrasil";
+ }
+
+ subnet 10.141.1.0 netmask 255.255.255.0 {
+ range 10.141.1.128 10.141.1.254;
+ }
+ '';
+ machines = [
+ {
+ ethernetAddress = "50:d4:f7:f3:0f:7e";
+ hostName = "gauss-ap01";
+ ipAddress = "10.141.0.64";
+ }
+ {
+ ethernetAddress = "60:a4:b7:53:94:b5";
+ hostName = "switch01";
+ ipAddress = "10.141.1.2";
+ }
+ ];
+ };
+ systemd.network.networks = {
+ "eno2" = {
+ matchConfig.Name = "eno2";
+ networkConfig.LinkLocalAddressing = "no";
+ };
+ };
+ };
+}
diff --git a/hosts/vidhar/samba.nix b/hosts/vidhar/samba.nix
new file mode 100644
index 00000000..b3722617
--- /dev/null
+++ b/hosts/vidhar/samba.nix
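Review bot: The `systemd.network.networks."telekom"` unit (`LinkLocalAddressing = "no"` on the physical DSL link) and `systemd.services."systemd-networkd".stopIfChanged = false` that this commit removes from default.nix do not reappear in network.nix or in the visible dsl.nix hunks; only the `eno2` entry survives, so unless dsl.nix already defines them outside the shown hunks, networkd will now apply its default link-local addressing to `telekom` and will again be stopped on changes. If both were dropped on purpose, a one-line comment next to the `eno2` entry saying so would keep the next reader from re-adding them. Separately, the `mgmt` subnet in `services.dhcpd4.extraConfig` hands out addresses without `option routers` or `domain-name-servers`, which looks intentional for a management VLAN but deserves a short comment; `config`, `lib` and `pkgs` are unused in the module arguments.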
@@ -0,0 +1,81 @@
+{ config, lib, pkgs, ... }:
+{
+ config = {
+ services.samba = {
+ enable = true;
+ securityType = "user";
+ extraConfig = ''
+ domain master = yes
+ workgroup = WORKGROUP
+ load printers = no
+ printing = bsd
+ printcap name = /dev/null
+ disable spoolss = yes
+ guest account = nobody
+ bind interfaces only = yes
+ interfaces = lo lan
+ '';
+ shares = {
+ homes = {
+ comment = "Home Directories";
+ path = "/home/%S";
+ browseable = "no";
+ "valid users" = "%S";
+ "read only" = "no";
+ "create mask" = "0700";
+ "directory mask" = "0700";
+ "vfs objects" = "shadow_copy2";
+ "shadow:snapdir" = ".zfs/snapshot";
+ "shadow:sort" = "desc";
+ "shadow:format" = "%Y-%m-%d-%Hh%MU";
+ "shadow:snapprefix" = "^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(monthly\)\{0,1\}";
+ "shadow:delimiter" = "-";
+ };
+ eos = {
+ comment = "Disk image of eos";
+ browseable = true;
+ "valid users" = "mherold";
+ writeable = "true";
+ path = "/srv/eos";
+ };
+ };
+ };
+ services.samba-wsdd = {
+ enable = true;
+ workgroup = "WORKGROUP";
+ interface = [ "lo" "lan" ];
+ };
+
+ fileSystems."/srv/eos.lower" = {
+ device = "/dev/zvol/hdd-raid6/safe/home/mherold/eos/base";
+ fsType = "ntfs3";
+ options = [ "ro" "uid=mherold" "gid=users" "fmask=0177" "dmask=0077" "nofail" "noauto" ];
+ };
+
+ fileSystems."/srv/eos.upper" = {
+ device = "/dev/zvol/hdd-raid6/safe/home/mherold/eos/upper";
+ fsType = "ext4";
+ options = [ "nofail" "noauto" ];
+ };
+
+ systemd.mounts = [
+ {
+ wantedBy = [ "samba-smbd.service" ];
+ before = [ "samba-smbd.service" ];
+
+ where = "/srv/eos";
+ what = "overlay";
+ type = "overlay";
+ options = lib.concatStringsSep ","
+ [ "lowerdir=/srv/eos.lower"
+ "upperdir=/srv/eos.upper/upper"
+ "workdir=/srv/eos.upper/work"
+ ];
+
+ unitConfig = {
+ RequiresMountsFor = [ "/srv/eos.lower" "/srv/eos.upper" ];
+ };
+ }
+ ];
+ };
+}
-- cgit v1.2.3
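Review bot: `"shadow:snapprefix" = "^zfs-auto-snap_\(frequent\)\{0,1\}…"` is a Nix double-quoted string, and as far as I can tell Nix drops the backslash from escapes it does not define (`\(` becomes `(`, `\{` becomes `{`), so Samba receives `^zfs-auto-snap_(frequent){0,1}(hourly){0,1}…`; whether that still matches snapshot names depends on which regex flavour shadow_copy2 compiles the prefix with, so the share is worth checking against a real `.zfs/snapshot` listing, and `\\(` (or an indented `''…''` string) if the backslashes are meant to reach Samba. The hardening lines carried over in `extraConfig` (`bind interfaces only = yes`, `interfaces = lo lan`, `guest account = nobody`) look right for a LAN-only service, and the read-only `ntfs3` lower layer under a private-overlay mount keeps the image itself immutable. `config` and `pkgs` in the module arguments are unused.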