From 7b8d19d10892eddd7cdaa1e9384185a0a6d64dae Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Fri, 31 Dec 2021 16:42:08 +0100
Subject: vidhar: prometheus: snmp: ...
---
 hosts/vidhar/network/default.nix | 83 +++++++++++++++
 hosts/vidhar/network/dsl.nix | 217 +++++++++++++++++++++++++++++++++++++++
 hosts/vidhar/network/pap-secrets | 26 +++++
 3 files changed, 326 insertions(+)
 create mode 100644 hosts/vidhar/network/default.nix
 create mode 100644 hosts/vidhar/network/dsl.nix
 create mode 100644 hosts/vidhar/network/pap-secrets
(limited to 'hosts/vidhar/network')
diff --git a/hosts/vidhar/network/default.nix b/hosts/vidhar/network/default.nix
new file mode 100644
index 00000000..a32dd2f8
--- /dev/null
+++ b/hosts/vidhar/network/default.nix
@@ -0,0 +1,83 @@
+{ config, lib, pkgs, ... }:
+{
+ imports = [ ./dsl.nix ];
+
+ config = {
+ networking = {
+ hostName = "vidhar";
+ domain = "yggdrasil";
+ search = [ "yggdrasil" ];
+
+ useDHCP = false;
+ useNetworkd = true;
+
+ interfaces."lan" = {
+ ipv4.addresses = [
+ { address = "10.141.0.1"; prefixLength = 24; }
+ ];
+ };
+ interfaces."mgmt" = {
+ ipv4.addresses = [
+ { address = "10.141.1.1"; prefixLength = 24; }
+ ];
+ };
+
+ vlans = {
+ mgmt = {
+ id = 2;
+ interface = "eno2";
+ };
+ lan = {
+ id = 3;
+ interface = "eno2";
+ };
+ };
+
+ firewall.enable = false;
+ nftables = {
+ enable = true;
+ rulesetFile = ./ruleset.nft;
+ };
+ };
+
+ services.resolved = {
+ llmnr = "false";
+ };
+
+ services.dhcpd4 = {
+ enable = true;
+ interfaces = [ "lan" "mgmt" ];
+ extraConfig = ''
+ subnet 10.141.0.0 netmask 255.255.255.0 {
+ range 10.141.0.128 10.141.0.254;
+ option domain-name-servers 10.141.0.1;
+ option broadcast-address 10.141.0.255;
+ option routers 10.141.0.1;
+ option domain-name "yggdrasil";
+ }
+
+ subnet 10.141.1.0 netmask 255.255.255.0 {
+ range 10.141.1.128 10.141.1.254;
+ }
+ '';
+ machines = [
+ {
+ ethernetAddress = "50:d4:f7:f3:0f:7e";
+ hostName = "gauss-ap01";
+ ipAddress = "10.141.0.64";
+ }
+ {
+ ethernetAddress = "60:a4:b7:53:94:b5";
+ hostName = "switch01";
+ ipAddress = "10.141.1.2";
+ }
+ ];
+ };
+ systemd.network.networks = {
+ "eno2" = {
+ matchConfig.Name = "eno2";
+ networkConfig.LinkLocalAddressing = "no";
+ };
+ };
+ };
+}
diff --git a/hosts/vidhar/network/dsl.nix b/hosts/vidhar/network/dsl.nix
new file mode 100644
index 00000000..4f781422
--- /dev/null
+++ b/hosts/vidhar/network/dsl.nix
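Review bot: `firewall.enable = false;` combined with `nftables.rulesetFile = ./ruleset.nft;` makes a file that is not part of this commit the host's only packet filter, while dsl.nix in the same commit enables `net.ipv4.conf.all.forwarding` and `net.ipv6.conf.all.forwarding`, so this host routes between the PPP uplink, `lan` and `mgmt` with exactly what that ruleset permits. The diffstat lists only default.nix, dsl.nix and pap-secrets, so unless ruleset.nft already exists in hosts/vidhar/network the module will not evaluate; either way the ruleset needs to be reviewed together with this change. A comment next to the firewall line would record the dependency: `# NixOS firewall is off on purpose: all filtering, including forwarding between dsl/lan/mgmt, lives in ./ruleset.nft`. The `services.dhcpd4` subnet for `mgmt` (10.141.1.128-254) carries no routers or DNS option, which looks deliberate for a management VLAN but deserves a one-line comment saying so.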
@@ -0,0 +1,217 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ pppInterface = config.networking.pppInterface;
+in {
+ options = {
+ networking.pppInterface = mkOption {
+ type = types.str;
+ default = "dsl";
+ };
+ };
+
+ config = {
+ networking.vlans = {
+ telekom = {
+ id = 7;
+ interface = "eno2";
+ };
+ };
+
+ services.pppd = {
+ enable = true;
+ peers.telekom.config = ''
+ nodefaultroute
+ ifname ${pppInterface}
+ lcp-echo-failure 1
+ lcp-echo-interval 1
+ maxfail 0
+ mtu 1492
+ mru 1492
+ plugin rp-pppoe.so
+ name telekom
+ user 002576900250551137425220#0001@t-online.de
+ telekom
+ debug
+ '';
+ };
+ systemd.services."pppd-telekom" = {
+ stopIfChanged = true;
+
+ serviceConfig = lib.mkForce {
+ Type = "notify";
+ PIDFile = "/run/pppd/${pppInterface}.pid";
+ ExecStart = "${lib.getBin pkgs.ppp}/sbin/pppd call telekom up_sdnotify nolog +ipv6";
+ Restart = "always";
+ RestartSec = 5;
+
+ RuntimeDirectory = "pppd";
+ RuntimeDirectoryPreserve = true;
+ };
+ };
+ sops.secrets."pap-secrets" = {
+ format = "binary";
+ sopsFile = ./pap-secrets;
+ path = "/etc/ppp/pap-secrets";
+ };
+
+ environment.etc = {
+ "ppp/ip-up" = {
+ text = ''
+ #!${pkgs.runtimeShell}
+ ${pkgs.iproute}/bin/ip route add default via "$5" dev "${pppInterface}" metric 512
+ '';
+ mode = "0555";
+ };
+ };
+
+ systemd.network.networks.${pppInterface} = {
+ matchConfig = {
+ Name = pppInterface;
+ };
+ dns = [ "::1" "127.0.0.1" ];
+ domains = [ "~." ];
+ networkConfig = {
+ LinkLocalAddressing = "no";
+ DNSSEC = true;
+ };
+ };
+
+ services.corerad = {
+ enable = true;
+ settings = {
+ interfaces = [
+ { name = pppInterface;
+ monitor = true;
+ verbose = true;
+ }
+ { name = "lan";
+ advertise = true;
+ verbose = true;
+ prefix = [{ prefix = "::/64"; }];
+ route = [{ prefix = "::/0"; }];
+ rdnss = [{ servers = ["::"]; }];
+ dnssl = [{ domain_names = ["yggdrasil"]; }];
+ }
+ ];
+
+ debug = {
+ address = "localhost:9430";
+ prometheus = true;
+ };
+ };
+ };
+ services.ndppd = {
+ enable = true;
+ proxies = {
+ ${pppInterface} = {
+ router = true;
+ rules.lan = {
+ method = "iface";
+ interface = "lan";
+ network = "::/0";
+ };
+ };
+ };
+ };
+ boot.kernel.sysctl = {
+ "net.ipv6.conf.all.forwarding" = true;
+ "net.ipv6.conf.default.forwarding" = true;
+ "net.ipv4.conf.all.forwarding" = true;
+ "net.ipv4.conf.default.forwarding" = true;
+
+ "net.core.rmem_max" = "4194304";
+ "net.core.wmem_max" = "4194304";
+ };
+ systemd.services."pppd-telekom" = {
+ bindsTo = [ "sys-subsystem-net-devices-telekom.device" ];
+ after = [ "sys-subsystem-net-devices-telekom.device" ];
+ };
+ systemd.services."dhcpcd-${pppInterface}" = {
+ wantedBy = [ "multi-user.target" "network-online.target" "pppd-telekom.service" ];
+ bindsTo = [ "pppd-telekom.service" "sys-subsystem-net-devices-${pppInterface}.device" ];
+ after = [ "pppd-telekom.service" "sys-subsystem-net-devices-${pppInterface}.device" ];
+ wants = [ "network.target" ];
+ before = [ "network-online.target" ];
+
+ path = with pkgs; [ dhcpcd nettools openresolv ];
+ unitConfig.ConditionCapability = "CAP_NET_ADMIN";
+
+ stopIfChanged = true;
+
+ preStart = ''
+ i=0
+
+ while [[ -z "$(${pkgs.iproute2}/bin/ip -6 addr show dev ${pppInterface} scope link)" ]]; do
+ ${pkgs.coreutils}/bin/sleep 0.1
+ i=$((i + 1))
+ if [[ "$i" -ge 10 ]]; then
+ exit 1
+ fi
+ done
+ '';
+
+ serviceConfig = let
+ dhcpcdConf = pkgs.writeText "dhcpcd.conf" ''
+ duid
+ vendorclassid
+ ipv6only
+
+ nooption domain_name_servers, domain_name, domain_search
+ option classless_static_routes
+ option interface_mtu
+
+ option host_name
+ option rapid_commit
+ require dhcp_server_identifier
+ slaac private
+
+ nohook resolv.conf
+ ipv6ra_autoconf
+ iaid 1195061668
+ ipv6rs # enable routing solicitation for WAN adapter
+ ia_pd 1 lan/0/64/0 # request a PD and assign it to the LAN
+
+ reboot 0
+
+ waitip 6
+ '';
+ in {
+ Type = "forking";
+ PIDFile = "/var/run/dhcpcd/${pppInterface}.pid";
+ RuntimeDirectory = "dhcpcd";
+ ExecStart = "@${pkgs.dhcpcd}/sbin/dhcpcd dhcpcd -q --config ${dhcpcdConf} ${pppInterface}";
+ ExecReload = "${pkgs.dhcpcd}/sbin/dhcpcd --rebind ${pppInterface}";
+ Restart = "always";
+ RestartSec = "5";
+ };
+ };
+ systemd.services.ndppd = {
+ wantedBy = [ "dhcpcd-${pppInterface}.service" ];
+ bindsTo = [ "dhcpcd-${pppInterface}.service" ];
+ after = [ "dhcpcd-${pppInterface}.service" ];
+
+ serviceConfig = {
+ Restart = "always";
+ RestartSec = "5";
+ };
+ };
+ systemd.services.corerad = {
+ wantedBy = [ "dhcpcd-${pppInterface}.service" ];
+ bindsTo = [ "dhcpcd-${pppInterface}.service" ];
+ after = [ "dhcpcd-${pppInterface}.service" ];
+
+ serviceConfig = {
+ Restart = lib.mkForce "always";
+ RestartSec = "5";
+ };
+ };
+ users.users.dhcpcd = {
+ isSystemUser = true;
+ group = "dhcpcd";
+ };
+ users.groups.dhcpcd = {};
+ };
+}
diff --git a/hosts/vidhar/network/pap-secrets b/hosts/vidhar/network/pap-secrets
new file mode 100644
index 00000000..a7937caa
--- /dev/null
+++ b/hosts/vidhar/network/pap-secrets
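Review bot: `systemd.services."pppd-telekom"` is configured in two separate places in this file — the `serviceConfig = lib.mkForce { ... }` block right after `services.pppd`, and the `bindsTo`/`after` block following `boot.kernel.sysctl`; Nix merges the two attrset literals because the leaf keys do not collide, but the unit's binding to `sys-subsystem-net-devices-telekom.device` is easy to miss when reading its ExecStart, so the second block should be folded into the first. The dhcpcd unit sets `PIDFile = "/var/run/dhcpcd/${pppInterface}.pid"` while its `RuntimeDirectory = "dhcpcd"` is created under /run and the pppd unit already uses `/run/pppd/...`; `PIDFile = "/run/dhcpcd/${pppInterface}.pid";` keeps the two consistent. Likewise `${pkgs.iproute}` in `ppp/ip-up` and `${pkgs.iproute2}` in `preStart` name the same package twice; using `iproute2` in both avoids the alias. The pppd peer config embeds the `user …@t-online.de` line identifier in the Nix store and the repository while only the PAP password goes through sops; if that split is intended, a comment such as `# only the PAP secret is confidential (sops); the user id is the access-line identifier` next to the `user` line records the decision.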
@@ -0,0 +1,26 @@ +{ + "data": "ENC[AES256_GCM,data:BOyWdys7Oja54Ijv5j+kqufdokQe0onnqw/gVxpNOMf+YI/LlzJscaEtGqPh3ehVtYoSWGumCBPrjdq/zhYq4VV/PCtdeu3MnX1CH2B5bH0mFs0eXcqeGK6NErz/b5nEglv4Z19ig2CUDlbvi8h1zZAEjxTNKhT16ItCtJnBCsIoiMl2QcTTWMyh4a02v3wA1UrOQZvFuCgCHmRoBE6vpREyB23gQdrdKLk7D1LLw5C1aZnzQOhFsgs7bVjOcBnmwTao8ntXxw==,iv:X5FgYkl3DGA/lkRsoc+5XrK3Nlp/ldnFigpXpYNfSJE=,tag:qUH7m9NzuVNnOfr3rRgaOg==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": null, + "lastmodified": "2021-11-15T08:30:09Z", + "mac": "ENC[AES256_GCM,data:TAgZ4ktdN9sZPMo1UtwjKdTM2QBjLorcm84HYXTGYNNEorPoqrXAWOvyWRLjx+zxzpRuDLBPQHCkjwkVO2CctxnTaWPMwITbYtQqj/5ZxACuAeX8MaSximB8s5MJK2faCuVXEnFehbnnPr5Fs8ZsgHwu2iH6DU8ScLEkgckzGV0=,iv:keUbKwWfoIIBsp5Rsm2lEba1ZHAozQY2YpA6p5qDBiU=,tag:1llGytMGvOjSVYKJXGUmXg==,type:str]", + "pgp": [ + { + "created_at": "2021-11-15T07:45:08Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DbYDvGI0HDr0SAQdADLXtluBBuSsm9CIPG1mEJnOJ0IQmCpwQPcU+Bl/zOE8w\nseSG0fcoBnRX7ngWMoJZ7a0G1ARjBql63SJN7OJ8E7OLcMBeaRkjl/F9jRM6gfIJ\n0l4BCu/V/objPnHxlQ9ETKheAjr7aEH+Wuttut1U+a8Ad5kl5/hKtkK5gv+q0WTi\nRBCe8OIKFbkzd8OvvzZlQBBEa4G/2Az2lVYFrxHq0a7XyJOxmnUJWurbsPUK6EMk\n=ksU8\n-----END PGP MESSAGE-----\n", + "fp": "A1C7C95E6CAF0A965CB47277BCF50A89C1B1F362" + }, + { + "created_at": "2021-11-15T07:45:08Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAf37n8FlEvDjECfajRNxIh+sLj+VZOSYfzt+GovJN1C4w\nQRkd//w4h6CqMcVz3LzNZIn2Pa8lhBLFV2tBfFqZDa80HcBWCtBgDivq8l7onmJm\n0l4BiAv4DzVVjBOZqhBnzla6SmRqAZDwE1WO7gN+R3/7S/0DXUxopjvdFaheLVj9\n/tKup9Dn2n3mr7gCvgvuPIaoJqdJSG5v8rgp1IrFSIlVtLv+ThgCsGCKZ/P9ef56\n=aqGg\n-----END PGP MESSAGE-----\n", + "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.7.1" + } +} \ No newline at end of file -- cgit v1.2.3