diff --git a/flake.lock b/flake.lock
index 0b763b4..868e8d9 100644
--- a/flake.lock
+++ b/flake.lock
@@ -268,11 +268,11 @@
 },
 "nixpkgs_3": {
 "locked": {
- "lastModified": 1720542800,
- "narHash": "sha256-ZgnNHuKV6h2+fQ5LuqnUaqZey1Lqqt5dTUAiAnqH0QQ=",
+ "lastModified": 1720768451,
+ "narHash": "sha256-EYekUHJE2gxeo2pM/zM9Wlqw1Uw2XTJXOSAO79ksc4Y=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "feb2849fdeb70028c70d73b848214b00d324a497",
+ "rev": "7e7c39ea35c5cdd002cd4588b03a3fb9ece6fad9",
 "type": "github"
 },
 "original": {
diff --git a/hosts/carbon/configuration.nix b/hosts/carbon/configuration.nix
index 06b8004..b97e2fe 100644
--- a/hosts/carbon/configuration.nix
+++ b/hosts/carbon/configuration.nix
@@ -5,6 +5,14 @@
 [
 ./hardware-configuration.nix
 ../../configuration/router
+
+ ./dns.nix
+ ./net-dsl.nix
+ ./net-gastnetz.nix
+ ./net-heimnetz.nix
+ ./net-lte.nix
+ ./net-voip.nix
+ ./ppp.nix
 ];
 boot.kernelParams = [ "console=ttyS0,115200n8" ];
@@ -18,101 +26,21 @@
 ";
 networking.useDHCP = false;
- # Local Router IPs
- networking.interfaces.lo.ipv6.addresses = [
- { address = "fd00:152:152::1"; prefixLength = 128; } # Anycast
- ];
- networking.interfaces.lo.ipv4.addresses = [
- { address = "10.152.0.1"; prefixLength = 32; } # Anycast
- ];
- # Network
- ## DSL-Uplink
- networking.vlans."enp1s0.7" = {
- id = 7;
- interface = "enp1s0";
- };
- networking.vlans."enp3s0.7" = {
- id = 7;
- interface = "enp3s0";
- };
- networking.bridges."net-dsl".interfaces = [
- "enp1s0.7"
- "enp3s0.7"
- ];
- ## LTE-Uplink
- networking.vlans."enp1s0.102" = {
- id = 102;
- interface = "enp1s0";
- };
- ## Heimnetz
- networking.vlans."enp1s0.201" = {
- id = 201;
- interface = "enp1s0";
- };
- networking.bridges."net-heimnetz".interfaces = [
- "enp1s0.201"
- "enp2s0"
- ];
- networking.interfaces."net-heimnetz".ipv6.addresses = [
- { address = "fe80::1"; prefixLength = 64; }
- { address = "fd00:152:152:4::1"; prefixLength = 64; }
- { address = "2001:4cd8:100:1337::1"; prefixLength = 64; } # public IPs for local network
- ];
- networking.interfaces."net-heimnetz".ipv4.addresses = [
- { address = "10.152.4.1"; prefixLength = 24; }
- ];
- ## Gastnetz
- networking.vlans."enp1s0.202" = {
- id = 202;
- interface = "enp1s0";
- };
- networking.interfaces."enp1s0.202".ipv6.addresses = [
- { address = "fd00:3214:9453:4920::1"; prefixLength = 64; }
- { address = "2001:4cd8:100:1313::1"; prefixLength = 64; } # public IPs for local network
- ];
- networking.interfaces."enp1s0.202".ipv4.addresses = [
- { address = "192.168.32.1"; prefixLength = 24; }
- ];
- ## VoIP
- networking.vlans."enp1s0.204" = {
- id = 204;
- interface = "enp1s0";
- };
- networking.interfaces."enp1s0.204".ipv4.addresses = [
- { address = "10.152.33.1"; prefixLength = 24; }
- ];
-
- # Use Anycast Nameservers
- networking.nameservers = [ "fd00:152:152::1" "10.152.0.1" ];
 networking.nat = {
 enableIPv6 = true;
 enable = true;
- externalInterface = "ppp-ntvdsl";
+ externalInterface = "ppp-dtagdsl";
 internalIPv6s = [ "fd00:152:152::/48" "fd00:3214:9453:4920::/64"];
 internalIPs = [ "10.152.0.0/16" "192.168.32.0/24" ];
 };
 services.radvd.enable = true;
- services.radvd.config = ''
- interface net-heimnetz {
- AdvSendAdvert on;
- prefix 2001:4cd8:100:1337::/64 {};
- RDNSS fd00:152:152::1 {};
- DNSSL net.clerie.de {};
- };
- interface enp1s0.202 {
- AdvSendAdvert on;
- prefix 2001:4cd8:100:1313::/64 {};
- RDNSS 2620:fe::fe 2620:fe::9 {}; # Quad 9
- };
- '';
 services.kea.dhcp4 = {
 enable = true;
 settings = {
 interfaces-config = {
- interfaces = [ "net-heimnetz" "enp1s0.202" "enp1s0.204" ];
 service-sockets-max-retries = 15;
 service-sockets-retry-wait-time = 2000;
 };
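Review bot: The NAT block that stays in configuration.nix (`internalIPv6s`, `internalIPs`, the `externalInterface` line changed here) still hard-codes the prefixes of networks that this commit moves into net-heimnetz.nix and net-gastnetz.nix, so a later change to an address in one of those files would silently stop NAT for that network without any error at build time. A one-line comment above `networking.nat` would at least make the coupling visible, e.g. `# Prefixes must match the interface addresses in net-heimnetz.nix / net-gastnetz.nix and the uplink in ppp.nix`. The same applies to `services.kea.dhcp4.enable` and `services.radvd.enable` kept here while their configuration now arrives from the per-network modules; the enclosing attribute set starts and ends outside this hunk.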
@@ -121,171 +49,10 @@
 persist = true;
 type = "memfile";
 };
- option-def = [
- {
- space = "dhcp4";
- name = "vendor-encapsulated-options";
- code = 43;
- type = "empty";
- encapsulate = "sipdect";
- }
- {
- space = "sipdect";
- name = "ommip1";
- code = 10;
- type = "ipv4-address";
- }
- {
- space = "sipdect";
- name = "ommip2";
- code = 19;
- type = "ipv4-address";
- }
- {
- space = "sipdect";
- name = "syslogip";
- code = 14;
- type = "ipv4-address";
- }
- {
- space = "sipdect";
- name = "syslogport";
- code = 15;
- type = "int16";
- }
- {
- space = "dhcp4";
- name = "magic_str";
- code = 224;
- type = "string";
- }
- ];
- subnet4 = [
- # Heimnetz
- {
- id = 201;
- subnet = "10.152.4.0/24";
- pools = [
- {
- pool = "10.152.4.100 - 10.152.4.240";
- }
- ];
- option-data = [
- {
- name = "routers";
- data = "10.152.4.1";
- }
- {
- name = "domain-name-servers";
- data = "10.152.0.1";
- }
- {
- name = "domain-name";
- data = "net.clerie.de";
- }
- ];
- }
- # Gastnetz
- {
- id = 202;
- subnet = "192.168.32.0/24";
- pools = [
- {
- pool = "192.168.32.100 - 192.168.32.240";
- }
- ];
- option-data = [
- {
- name = "routers";
- data = "192.168.32.1";
- }
- {
- name = "domain-name-servers";
- data = "9.9.9.9,149.112.112.112"; # Quad 9
- }
- ];
- }
- # VoIP
- {
- id = 204;
- subnet = "10.152.33.0/24";
- pools = [
- {
- pool = "10.152.33.10 - 10.152.33.200";
- }
- ];
- option-data = [
- {
- name = "routers";
- data = "10.152.33.1";
- }
- ];
-
- reservations = [
- {
- hostname = "iridium";
- hw-address = "00:30:42:1B:8C:7C";
- ip-address = "10.152.33.11";
- option-data = [
- {
- name = "host-name";
- data = "iridium";
- }
- {
- name = "vendor-encapsulated-options";
- }
- {
- space = "sipdect";
- name = "ommip1";
- data = "10.152.33.11";
- }
- {
- name = "magic_str";
- data = "OpenMobilitySIP-DECT";
- }
- ];
- }
- ];
- }
- ];
 };
 };
- networking.firewall.allowedUDPPorts = [ 53 ];
- networking.firewall.allowedTCPPorts = [ 53 ];
- clerie.firewall.enable = true;
- clerie.firewall.extraForwardFilterCommands = ''
- ip46tables -A forward-filter -i enp1s0.202 -o ppp-ntvdsl -j ACCEPT
- ip46tables -A forward-filter -i enp1s0.202 -j DROP
- ip46tables -A forward-filter -o enp1s0.202 -j DROP
- '';
- clerie.firewall.extraForwardMangleCommands = ''
- ip46tables -t mangle -A forward-mangle -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1416
- '';
-
- services.pppd = {
- enable = true;
- peers.ntvdsl = {
- config = ''
- plugin pppoe.so net-dsl
- user "dsl-31997-001#regio@bsa-vdsl"
- ifname ppp-ntvdsl
- persist
- maxfail 0
- holdoff 5
- noipdefault
- lcp-echo-interval 20
- lcp-echo-failure 3
- mtu 1456
- hide-password
- defaultroute
- +ipv6
- debug
- '';
- };
- };
-
 clerie.monitoring = {
 enable = true;
@@ -294,20 +61,5 @@
 blackbox = true;
 };
- services.unbound = {
- enable = true;
- resolveLocalQueries = false;
- settings = {
- server = {
- interface = [ "fd00:152:152::1" "10.152.0.1" ];
- access-control = [ "::/0 allow" "0.0.0.0/0 allow" ];
- prefer-ip6 = true;
- prefetch = true;
- serve-expired = true;
- serve-expired-ttl-reset = true;
- };
- };
- };
-
 system.stateVersion = "21.03";
 }
diff --git a/hosts/carbon/dns.nix b/hosts/carbon/dns.nix
new file mode 100644
index 0000000..9d935cc
--- /dev/null
+++ b/hosts/carbon/dns.nix
@@ -0,0 +1,34 @@
+{ ... }:
+
+{
+
+ # Loopbacks for DNS resolver IPs
+ networking.interfaces.lo.ipv6.addresses = [
+ { address = "fd00:152:152::1"; prefixLength = 128; } # Anycast
+ ];
+ networking.interfaces.lo.ipv4.addresses = [
+ { address = "10.152.0.1"; prefixLength = 32; } # Anycast
+ ];
+
+ networking.firewall.allowedUDPPorts = [ 53 ];
+ networking.firewall.allowedTCPPorts = [ 53 ];
+
+ services.unbound = {
+ enable = true;
+ resolveLocalQueries = false;
+ settings = {
+ server = {
+ interface = [ "fd00:152:152::1" "10.152.0.1" ];
+ access-control = [ "::/0 allow" "0.0.0.0/0 allow" ];
+ prefer-ip6 = true;
+ prefetch = true;
+ serve-expired = true;
+ serve-expired-ttl-reset = true;
+ };
+ };
+ };
+
+ # Use Anycast Nameservers
+ networking.nameservers = [ "fd00:152:152::1" "10.152.0.1" ];
+
+}
diff --git a/hosts/carbon/net-dsl.nix b/hosts/carbon/net-dsl.nix
new file mode 100644
index 0000000..b67ae33
--- /dev/null
+++ b/hosts/carbon/net-dsl.nix
@@ -0,0 +1,19 @@
+{ ... }:
+
+{
+
+ ## DSL-Uplink
+ networking.vlans."enp1s0.7" = {
+ id = 7;
+ interface = "enp1s0";
+ };
+ networking.vlans."enp3s0.7" = {
+ id = 7;
+ interface = "enp3s0";
+ };
+ networking.bridges."net-dsl".interfaces = [
+ "enp1s0.7"
+ "enp3s0.7"
+ ];
+
+}
diff --git a/hosts/carbon/net-gastnetz.nix b/hosts/carbon/net-gastnetz.nix
new file mode 100644
index 0000000..932c374
--- /dev/null
+++ b/hosts/carbon/net-gastnetz.nix
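Review bot: `networking.firewall.allowedUDPPorts = [ 53 ]` and the matching `allowedTCPPorts` open port 53 on every interface of the router, including the `ppp-dtagdsl` uplink and the guest VLAN `enp1s0.202`, while unbound's `access-control` allows `::/0` and `0.0.0.0/0`; the only thing that keeps this from being a resolver reachable from anywhere packets to 10.152.0.1 / fd00:152:152::1 arrive is the `interface` binding to the two anycast addresses, which is one layer where two would be cheap. Scoping the port to the networks that are meant to use the resolver, e.g. `networking.firewall.interfaces."net-heimnetz".allowedUDPPorts = [ 53 ];` (and likewise for TCP and `enp1s0.204`), and narrowing `access-control = [ "fd00:152:152::/48 allow" "10.152.0.0/16 allow" ];` to the prefixes configuration.nix already lists as internal, would also keep the guest network on the Quad9 servers it is handed via DHCP/RDNSS instead of being able to query the internal resolver; whether the `clerie.firewall` module already adds input filtering is not visible here. A short comment above `allowedUDPPorts` naming which networks are expected to reach the resolver would document the intent either way.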
@@ -0,0 +1,63 @@
+{ ... }:
+
+{
+
+ ## Gastnetz
+ networking.vlans."enp1s0.202" = {
+ id = 202;
+ interface = "enp1s0";
+ };
+ networking.interfaces."enp1s0.202".ipv6.addresses = [
+ { address = "fd00:3214:9453:4920::1"; prefixLength = 64; }
+ { address = "2001:4cd8:100:1313::1"; prefixLength = 64; } # public IPs for local network
+ ];
+ networking.interfaces."enp1s0.202".ipv4.addresses = [
+ { address = "192.168.32.1"; prefixLength = 24; }
+ ];
+
+ services.radvd.config = ''
+ interface enp1s0.202 {
+ AdvSendAdvert on;
+ prefix 2001:4cd8:100:1313::/64 {};
+ RDNSS 2620:fe::fe 2620:fe::9 {}; # Quad 9
+ };
+ '';
+
+ services.kea.dhcp4 = {
+ settings = {
+ interfaces-config = {
+ interfaces = [ "enp1s0.202" ];
+ };
+ subnet4 = [
+ # Gastnetz
+ {
+ id = 202;
+ subnet = "192.168.32.0/24";
+ pools = [
+ {
+ pool = "192.168.32.100 - 192.168.32.240";
+ }
+ ];
+ option-data = [
+ {
+ name = "routers";
+ data = "192.168.32.1";
+ }
+ {
+ name = "domain-name-servers";
+ data = "9.9.9.9,149.112.112.112"; # Quad 9
+ }
+ ];
+ }
+ ];
+ };
+ };
+
+ # net-gastnetz can only access internet
+ clerie.firewall.extraForwardFilterCommands = ''
+ ip46tables -A forward-filter -i enp1s0.202 -o ppp-dtagdsl -j ACCEPT
+ ip46tables -A forward-filter -i enp1s0.202 -j DROP
+ ip46tables -A forward-filter -o enp1s0.202 -j DROP
+ '';
+
+}
diff --git a/hosts/carbon/net-heimnetz.nix b/hosts/carbon/net-heimnetz.nix
new file mode 100644
index 0000000..60e0bc6
--- /dev/null
+++ b/hosts/carbon/net-heimnetz.nix
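Review bot: The guest isolation in `clerie.firewall.extraForwardFilterCommands` only takes effect while `clerie.firewall.enable` is true, and the `clerie.firewall.enable = true;` line deleted from configuration.nix in this commit is not re-added here or in any other new file; unless `../../configuration/router` or the module's default turns it on, the guest DROP rules and the MSS clamp in ppp.nix would silently stop being installed. Adding `clerie.firewall.enable = true;` next to the rules that need it would keep that dependency local. The rules are also appended with `-A`, so they only act if `forward-filter` has no earlier ACCEPT for these interfaces, and the unconditional `-o enp1s0.202 -j DROP` only lets replies to guest-originated flows through if an ESTABLISHED,RELATED accept precedes it — both properties of the `clerie.firewall` module, which is outside this change, so a comment such as `# Requires clerie.firewall.enable and an ESTABLISHED,RELATED accept earlier in forward-filter; ppp-dtagdsl is the only permitted egress` would help the next reader. The ACCEPT being pinned to `ppp-dtagdsl` also means the guest VLAN loses connectivity rather than following the default route if traffic ever moves to the LTE uplink from net-lte.nix, which may be intended but is worth stating.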
@@ -0,0 +1,66 @@
+{ ... }:
+
+{
+
+ ## Heimnetz
+ networking.vlans."enp1s0.201" = {
+ id = 201;
+ interface = "enp1s0";
+ };
+ networking.bridges."net-heimnetz".interfaces = [
+ "enp1s0.201"
+ "enp2s0"
+ ];
+ networking.interfaces."net-heimnetz".ipv6.addresses = [
+ { address = "fe80::1"; prefixLength = 64; }
+ { address = "fd00:152:152:4::1"; prefixLength = 64; }
+ { address = "2001:4cd8:100:1337::1"; prefixLength = 64; } # public IPs for local network
+ ];
+ networking.interfaces."net-heimnetz".ipv4.addresses = [
+ { address = "10.152.4.1"; prefixLength = 24; }
+ ];
+
+ services.radvd.config = ''
+ interface net-heimnetz {
+ AdvSendAdvert on;
+ prefix 2001:4cd8:100:1337::/64 {};
+ RDNSS fd00:152:152::1 {};
+ DNSSL net.clerie.de {};
+ };
+ '';
+
+ services.kea.dhcp4 = {
+ settings = {
+ interfaces-config = {
+ interfaces = [ "net-heimnetz" ];
+ };
+ subnet4 = [
+ # Heimnetz
+ {
+ id = 201;
+ subnet = "10.152.4.0/24";
+ pools = [
+ {
+ pool = "10.152.4.100 - 10.152.4.240";
+ }
+ ];
+ option-data = [
+ {
+ name = "routers";
+ data = "10.152.4.1";
+ }
+ {
+ name = "domain-name-servers";
+ data = "10.152.0.1";
+ }
+ {
+ name = "domain-name";
+ data = "net.clerie.de";
+ }
+ ];
+ }
+ ];
+ };
+ };
+
+}
diff --git a/hosts/carbon/net-lte.nix b/hosts/carbon/net-lte.nix
new file mode 100644
index 0000000..3a6f2d0
--- /dev/null
+++ b/hosts/carbon/net-lte.nix
@@ -0,0 +1,11 @@
+{ ... }:
+
+{
+
+ ## LTE-Uplink
+ networking.vlans."enp1s0.102" = {
+ id = 102;
+ interface = "enp1s0";
+ };
+
+}
diff --git a/hosts/carbon/net-voip.nix b/hosts/carbon/net-voip.nix
new file mode 100644
index 0000000..3a816fc
--- /dev/null
+++ b/hosts/carbon/net-voip.nix
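Review bot: Nothing in this file says that `services.kea.dhcp4.settings` and `services.radvd.config` are only fragments: the effective kea `interfaces-config.interfaces`, `subnet4` and `option-def` lists and the radvd configuration are assembled by the module system from net-heimnetz.nix, net-gastnetz.nix and net-voip.nix on top of the `enable` and socket settings left in configuration.nix, and a reader of one file cannot see that the subnet `id` values (201, 202, 204, matching the VLAN ids) must stay unique across all three. A comment above `services.kea.dhcp4` would capture that, e.g. `# Merged with the kea fragments in net-gastnetz.nix / net-voip.nix; subnet id = VLAN id and must stay unique across them`, with the same note in the other two files. The DHCP `domain-name-servers` here (`10.152.0.1`) and the radvd `RDNSS fd00:152:152::1` are the anycast resolver addresses defined in dns.nix, which is worth naming in the comment as well so that a change there is not missed.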
@@ -0,0 +1,105 @@
+{ ... }:
+
+{
+
+ ## VoIP
+ networking.vlans."enp1s0.204" = {
+ id = 204;
+ interface = "enp1s0";
+ };
+ networking.interfaces."enp1s0.204".ipv4.addresses = [
+ { address = "10.152.33.1"; prefixLength = 24; }
+ ];
+
+ services.kea.dhcp4 = {
+ settings = {
+ interfaces-config = {
+ interfaces = [ "enp1s0.204" ];
+ };
+ option-def = [
+ {
+ space = "dhcp4";
+ name = "vendor-encapsulated-options";
+ code = 43;
+ type = "empty";
+ encapsulate = "sipdect";
+ }
+ {
+ space = "sipdect";
+ name = "ommip1";
+ code = 10;
+ type = "ipv4-address";
+ }
+ {
+ space = "sipdect";
+ name = "ommip2";
+ code = 19;
+ type = "ipv4-address";
+ }
+ {
+ space = "sipdect";
+ name = "syslogip";
+ code = 14;
+ type = "ipv4-address";
+ }
+ {
+ space = "sipdect";
+ name = "syslogport";
+ code = 15;
+ type = "int16";
+ }
+ {
+ space = "dhcp4";
+ name = "magic_str";
+ code = 224;
+ type = "string";
+ }
+ ];
+ subnet4 = [
+ # VoIP
+ {
+ id = 204;
+ subnet = "10.152.33.0/24";
+ pools = [
+ {
+ pool = "10.152.33.10 - 10.152.33.200";
+ }
+ ];
+ option-data = [
+ {
+ name = "routers";
+ data = "10.152.33.1";
+ }
+ ];
+
+ reservations = [
+ {
+ hostname = "iridium";
+ hw-address = "00:30:42:1B:8C:7C";
+ ip-address = "10.152.33.11";
+ option-data = [
+ {
+ name = "host-name";
+ data = "iridium";
+ }
+ {
+ name = "vendor-encapsulated-options";
+ }
+ {
+ space = "sipdect";
+ name = "ommip1";
+ data = "10.152.33.11";
+ }
+ {
+ name = "magic_str";
+ data = "OpenMobilitySIP-DECT";
+ }
+ ];
+ }
+ ];
+ }
+ ];
+ };
+ };
+
+}
diff --git a/hosts/carbon/ppp.nix b/hosts/carbon/ppp.nix
new file mode 100644
index 0000000..a97289e
--- /dev/null
+++ b/hosts/carbon/ppp.nix
@@ -0,0 +1,60 @@
+{ config, pkgs, utils, ... }:
+
+{
+
+ services.pppd = {
+ enable = true;
+ peers.dtagdsl = {
+ config = ''
+ plugin pppoe.so net-dsl
+ user "''${PPPD_DTAGDSL_USERNAME}"
+ ifname ppp-dtagdsl
+ persist
+ maxfail 0
+ holdoff 5
+ noipdefault
+ lcp-echo-interval 20
+ lcp-echo-failure 3
+ mtu 14592
+ hide-password
+ defaultroute
+ +ipv6
+ debug
+ '';
+ };
+ };
+
+ environment.etc."ppp/peers/dtagdsl".enable = false;
+
+ systemd.services."pppd-dtagdsl".serviceConfig = let
+ preStart = ''
+ mkdir -p /etc/ppp/peers
+
+ # Created files only readable by root
+ umask u=rw,g=,o=
+
+ # Copy config and substitute username
+ rm -f /etc/ppp/peers/dtagdsl
+ ${pkgs.envsubst}/bin/envsubst -i "${config.environment.etc."ppp/peers/dtagdsl".source}" > /etc/ppp/peers/dtagdsl
+
+ # Copy login secrets
+ rm -f /etc/ppp/pap-secrets
+ cat ${config.sops.secrets.pppd-dtagdsl-secrets.path} > /etc/ppp/pap-secrets
+ rm -f /etc/ppp/chap-secrets
+ cat ${config.sops.secrets.pppd-dtagdsl-secrets.path} > /etc/ppp/chap-secrets
+ '';
+
+ preStartFile = utils.systemdUtils.lib.makeJobScript "pppd-dtagdsl-pre-start" preStart;
+ in {
+ EnvironmentFile = config.sops.secrets.pppd-dtagdsl-username.path;
+ ExecStartPre = [
+ # "+" marks script to be executed without priviledge restrictions
+ "+${preStartFile}"
+ ];
+ };
+
+ clerie.firewall.extraForwardMangleCommands = ''
+ ip46tables -t mangle -A forward-mangle -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1416
+ '';
+
+}
diff --git a/hosts/carbon/secrets.json b/hosts/carbon/secrets.json
index b2ef8ab..1b585f6 100644
--- a/hosts/carbon/secrets.json
+++ b/hosts/carbon/secrets.json
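Review bot: `mtu 14592` in the `peers.dtagdsl` config looks like a typo for `mtu 1456`: it is far above what a PPPoE session over 1500-byte Ethernet can carry, the `--set-mss 1416` clamp further down in this same file only matches a 1456-byte MTU (1456 − 40), and 1456 is the value the removed `peers.ntvdsl` block in configuration.nix used; how pppd reacts to the oversized value (clamp or fail negotiation) is not something this diff shows. Suggested fix: `mtu 1456`. The secret-handling design is sound — the peer file in the Nix store only ever contains the `${PPPD_DTAGDSL_USERNAME}` placeholder and the username and PAP/CHAP secrets are written at service start under `umask u=rw,g=,o=` from sops-managed files — but that intent is only implicit, so a comment above `environment.etc."ppp/peers/dtagdsl".enable = false;` such as `# The store copy holds only the placeholder; ExecStartPre renders the real username into /etc/ppp/peers/dtagdsl from EnvironmentFile` would make it explicit. Minor: `priviledge` in the ExecStartPre comment should read `privilege`.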
@@ -1,5 +1,7 @@
 {
 "wg-monitoring": "ENC[AES256_GCM,data:+k5MgBrj/psMCE1T2jDtCCJI9Q7L+wJ3j83inNkeGp3LSUjoAPtBp4YoyL4=,iv:C19g/Lqi+cWAyiJBMNDtgLc3SDNI9bMBrBPWn+26mVY=,tag:9zIoawuGeGCMbOX1HKR/sQ==,type:str]",
+ "pppd-dtagdsl-username": "ENC[AES256_GCM,data:JC7EyyMoN0p5YwnS9W5I0G5Omhk5usw28UiJrCfifGr+2FUgMrtFYAHQdrtWAELvYNBQDPgrHMmQjGQLhpqqK0hH,iv:/q+Fm63GVBApGInyS8i39V/lo6iv+I2omVh47deq+o8=,tag:LkR+1zTDNWuYkhH2iWT7SA==,type:str]",
+ "pppd-dtagdsl-secrets": "ENC[AES256_GCM,data:c5pOb8It1py/9NXNTgLvt9zmsBVbSLHJt4iXWiNA+Osvomw3r7pgoO/JJh9ujomPMnOlDwN7g+pJ,iv:W36gA8E1mWchN6+8hdMdt2epv/RdS91T5ANB/JTcHCE=,tag:7eZ3fZkjERCVJCXYrABnlQ==,type:str]",
 "sops": {
 "kms": null,
 "gcp_kms": null,
@@ -11,8 +13,8 @@
 "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3Rkd5WFE3aE5EQzY5ZXV4\nbXVGYmxTdVg1ekRpVjlRUnozY2tMTGloL21RCktjZW95OU9ZZ2owTCtMR1NxaXJn\na2VYS2ttb3VhSjNXOG84UUJtYU04QjAKLS0tIGd3aHM0RldFYnVFdDRVS0Vhc3BF\nckJhYmN6a1FJUC9ibks1cGlRaU1zbFkKE4ClunQ3XGAILwluC6iYFs+rlR02PdhK\njOmPbOlS0aNG0hoC7Z6aetgpj689AkJgl68QVcyvm+ecHH7TOT7l1A==\n-----END AGE ENCRYPTED FILE-----\n"
 }
 ],
- "lastmodified": "2024-05-10T13:06:06Z",
- "mac": "ENC[AES256_GCM,data:Suz7S6XzlEMvVVRMb1YIkeiZWRcnadFeX6oswLiZSc4w35Xw/nn/XY1wsWTZEXj+TecEyhWJDzw27mKLRoqClA9BqPT0E1nzkXMjb2aTp72DjrI6VuBmbuUDBQgKDXToEfrv3/H5ovAT1s69nlxYDqUq185KR2eMqhsJPUwMRSw=,iv:0vj9ezTPxPyx751iEY++GMnzuQ/HM0tgLwAeJpk7CAk=,tag:7nYfqhy4R5JOYR0majlafg==,type:str]",
+ "lastmodified": "2024-07-13T21:56:57Z",
+ "mac": "ENC[AES256_GCM,data:/jZ/aIQUxYrF0deBTJOyc009yPKfshiYnAB2GR5SRTi00Ls5efKzhjDJaEWvAkgBTFz5/a8fy2k+vXEDsDlrgcgWqMS8/Az5LRf9RWUBWkerDyoBJ2UZRdt7UVPfkN8ObKQpfFqxhzkm4zio+MwSbqSMZil6fGaxz6lyUkwaphg=,iv:KStinEtV1DTaEl0ebMEw8lSMvrE5rtxqfTbzssC9oGY=,tag:YOr8T3wqqxyv0mpO1wMDEg==,type:str]",
 "pgp": [
 {
 "created_at": "2024-05-10T13:05:56Z",