From 49b2b0cd849a3acd040a40b5be98875b58a236b0 Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Wed, 29 Dec 2021 10:52:45 +0100 Subject: vidhar: ... --- hosts/vidhar/default.nix | 58 +++++++++++++++++++++++++++++++++++++++--------- hosts/vidhar/dsl.nix | 20 ++++++++++------- hosts/vidhar/ruleset.nft | 16 ++++++------- 3 files changed, 68 insertions(+), 26 deletions(-) (limited to 'hosts/vidhar') diff --git a/hosts/vidhar/default.nix b/hosts/vidhar/default.nix index 405b5efa..933f5af9 100644 --- a/hosts/vidhar/default.nix +++ b/hosts/vidhar/default.nix @@ -72,7 +72,7 @@ useDHCP = false; useNetworkd = true; - interfaces."eno1" = { + interfaces."lan" = { ipv4.addresses = [ { address = "10.141.0.1"; prefixLength = 24; } ]; @@ -88,6 +88,10 @@ id = 2; interface = "eno2"; }; + lan = { + id = 3; + interface = "eno2"; + }; }; firewall.enable = false; @@ -103,7 +107,7 @@ services.dhcpd4 = { enable = true; - interfaces = [ "eno1" "mgmt" ]; + interfaces = [ "lan" "mgmt" ]; extraConfig = '' subnet 10.141.0.0 netmask 255.255.255.0 { range 10.141.0.128 10.141.0.254; @@ -138,7 +142,7 @@ monitor = true; verbose = true; } - { name = "eno1"; + { name = "lan"; advertise = true; verbose = true; prefix = [{ prefix = "::/64"; }]; @@ -156,7 +160,7 @@ router = true; rules.lan = { method = "iface"; - interface = "eno1"; + interface = "lan"; network = "::/0"; }; }; @@ -186,9 +190,9 @@ after = [ "sys-subsystem-net-devices-telekom.device" ]; }; systemd.services."dhcpcd-telekom" = { - wantedBy = [ "multi-user.target" "network-online.target" ]; - bindsTo = [ "pppd-telekom.service" ]; - after = [ "pppd-telekom.service" ]; + wantedBy = [ "multi-user.target" "network-online.target" "pppd-telekom.service" ]; + bindsTo = [ "pppd-telekom.service" "sys-subsystem-net-devices-dsl.device" ]; + after = [ "pppd-telekom.service" "sys-subsystem-net-devices-dsl.device" ]; wants = [ "network.target" ]; before = [ "network-online.target" ]; @@ -197,6 +201,18 @@ stopIfChanged = false; + preStart = '' + i=0 + + while [[ -z "$(${pkgs.iproute2}/bin/ip -6 addr show dev ${config.networking.pppInterface} scope link)" ]]; do + ${pkgs.coreutils}/bin/sleep 0.1 + i=$((i + 1)) + if [[ "$i" -ge 10 ]]; then + exit 1 + fi + done + ''; + serviceConfig = let dhcpcdConf = pkgs.writeText "dhcpcd.conf" '' duid @@ -219,7 +235,7 @@ ipv6ra_autoconf iaid 1195061668 ipv6rs # enable routing solicitation for WAN adapter - ia_pd 1 eno1/0/64/0 # request a PD and assign it to the LAN + ia_pd 1 lan/0/64/0 # request a PD and assign it to the LAN waitip 6 ''; @@ -230,8 +246,30 @@ ExecStart = "@${pkgs.dhcpcd}/sbin/dhcpcd dhcpcd -q --config ${dhcpcdConf}"; ExecReload = "${pkgs.dhcpcd}/sbin/dhcpcd --rebind"; Restart = "always"; + RestartSec = "5"; + }; + }; + systemd.services.ndppd = { + wantedBy = [ "dhcpcd-telekom.service" ]; + bindsTo = [ "dhcpcd-telekom.service" ]; + after = [ "dhcpcd-telekom.service" ]; + + serviceConfig = { + Restart = "always"; + RestartSec = "5"; + }; + }; + systemd.services.corerad = { + wantedBy = [ "dhcpcd-telekom.service" ]; + bindsTo = [ "dhcpcd-telekom.service" ]; + after = [ "dhcpcd-telekom.service" ]; + + serviceConfig = { + Restart = lib.mkForce "always"; + RestartSec = "5"; }; }; + systemd.services."systemd-networkd".stopIfChanged = false; users.users.dhcpcd = { isSystemUser = true; group = "dhcpcd"; @@ -349,7 +387,7 @@ disable spoolss = yes guest account = nobody bind interfaces only = yes - interfaces = lo eno1 + interfaces = lo lan ''; shares = { homes = { @@ -379,7 +417,7 @@ services.samba-wsdd = { enable = true; workgroup = "WORKGROUP"; - interface = [ "lo" "eno1" ]; + interface = [ "lo" "lan" ]; }; fileSystems."/srv/eos.lower" = { diff --git a/hosts/vidhar/dsl.nix b/hosts/vidhar/dsl.nix index be07b9f7..0f92a079 100644 --- a/hosts/vidhar/dsl.nix +++ b/hosts/vidhar/dsl.nix @@ -37,15 +37,19 @@ in { debug ''; }; - systemd.services."pppd-telekom".serviceConfig = lib.mkForce { - Type = "forking"; - PIDFile = "/run/pppd/${pppInterface}.pid"; - ExecStart = "${lib.getBin pkgs.ppp}/sbin/pppd call telekom updetach nolog +ipv6"; - Restart = "always"; - RestartSec = 5; + systemd.services."pppd-telekom" = { + stopIfChanged = false; + + serviceConfig = lib.mkForce { + Type = "notify"; + PIDFile = "/run/pppd/${pppInterface}.pid"; + ExecStart = "${lib.getBin pkgs.ppp}/sbin/pppd call telekom up_sdnotify nolog +ipv6"; + Restart = "always"; + RestartSec = 5; - RuntimeDirectory = "pppd"; - RuntimeDirectoryPreserve = true; + RuntimeDirectory = "pppd"; + RuntimeDirectoryPreserve = true; + }; }; sops.secrets."pap-secrets" = { format = "binary"; diff --git a/hosts/vidhar/ruleset.nft b/hosts/vidhar/ruleset.nft index 2f8e7b57..57ac2716 100644 --- a/hosts/vidhar/ruleset.nft +++ b/hosts/vidhar/ruleset.nft @@ -59,10 +59,10 @@ table inet filter { iifname lo counter accept - oifname {eno1, dsl} meta l4proto $icmp_protos jump forward_icmp_accept + oifname {lan, dsl} meta l4proto $icmp_protos jump forward_icmp_accept - iifname eno1 oifname dsl counter accept - iifname dsl oifname eno1 ct state {established, related} counter accept + iifname lan oifname dsl counter accept + iifname dsl oifname lan ct state {established, related} counter accept @@ -94,8 +94,8 @@ table inet filter { tcp dport 22 counter accept udp dport 60001-61000 counter accept - iifname eno1 tcp dport 53 counter accept - iifname eno1 udp dport 53 counter accept + iifname lan tcp dport 53 counter accept + iifname lan udp dport 53 counter accept meta protocol ip udp dport 51820 counter accept meta protocol ip6 udp dport 51821 counter accept @@ -105,10 +105,10 @@ table inet filter { iifname mgmt udp dport 123 counter accept - iifname {eno1, mgmt} udp dport 67 counter accept + iifname {lan, mgmt} udp dport 67 counter accept - iifname eno1 udp dport { 137, 138, 3702 } counter accept - iifname eno1 tcp dport { 445, 139, 5357 } counter accept + iifname lan udp dport { 137, 138, 3702 } counter accept + iifname lan tcp dport { 445, 139, 5357 } counter accept ct state {established, related} counter accept -- cgit v1.2.3