From d09e80e88eaa2543d0c55a87bb933cd4acc5e60f Mon Sep 17 00:00:00 2001
From: clerie <git@clerie.de>
Date: Sun, 14 Jul 2024 00:06:41 +0200
Subject: [PATCH 01/11] hosts/carbon: Migrate to DTAG DSL

---
 hosts/carbon/configuration.nix | 29 +++----------------
 hosts/carbon/ppp.nix           | 51 ++++++++++++++++++++++++++++++++++
 hosts/carbon/secrets.json      |  6 ++--
 3 files changed, 59 insertions(+), 27 deletions(-)
 create mode 100644 hosts/carbon/ppp.nix

diff --git a/hosts/carbon/configuration.nix b/hosts/carbon/configuration.nix
index 06b8004..fe40263 100644
--- a/hosts/carbon/configuration.nix
+++ b/hosts/carbon/configuration.nix
@@ -5,6 +5,8 @@
     [
       ./hardware-configuration.nix
       ../../configuration/router
+
+      ./ppp.nix
     ];
 
   boot.kernelParams = [ "console=ttyS0,115200n8" ];
@@ -88,7 +90,7 @@
   networking.nat = {
     enableIPv6 = true;
     enable = true;
-    externalInterface = "ppp-ntvdsl";
+    externalInterface = "ppp-dtagdsl";
     internalIPv6s = [ "fd00:152:152::/48" "fd00:3214:9453:4920::/64"];
     internalIPs = [ "10.152.0.0/16" "192.168.32.0/24" ];
   };
@@ -256,7 +258,7 @@
 
   clerie.firewall.enable = true;
   clerie.firewall.extraForwardFilterCommands = ''
-    ip46tables -A forward-filter -i enp1s0.202 -o ppp-ntvdsl -j ACCEPT
+    ip46tables -A forward-filter -i enp1s0.202 -o ppp-dtagdsl -j ACCEPT
     ip46tables -A forward-filter -i enp1s0.202 -j DROP
     ip46tables -A forward-filter -o enp1s0.202 -j DROP
   '';
@@ -264,29 +266,6 @@
     ip46tables -t mangle -A forward-mangle -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1416
   '';
 
-  services.pppd = {
-    enable = true;
-    peers.ntvdsl = {
-      config = ''
-        plugin pppoe.so net-dsl
-        user "dsl-31997-001#regio@bsa-vdsl"
-        ifname ppp-ntvdsl
-        persist
-        maxfail 0
-        holdoff 5
-        noipdefault
-        lcp-echo-interval 20
-        lcp-echo-failure 3
-        mtu 1456
-        hide-password
-        defaultroute
-        +ipv6
-        debug
-      '';
-    };
-  };
-
-
   clerie.monitoring = {
     enable = true;
     id = "104";
diff --git a/hosts/carbon/ppp.nix b/hosts/carbon/ppp.nix
new file mode 100644
index 0000000..82cec5f
--- /dev/null
+++ b/hosts/carbon/ppp.nix
@@ -0,0 +1,51 @@
+{ config, pkgs, utils, ... }:
+
+{
+
+  services.pppd = {
+    enable = true;
+    peers.dtagdsl = {
+      config = ''
+        plugin pppoe.so net-dsl
+        user "''${PPPD_DTAGDSL_USERNAME}"
+        ifname ppp-dtagdsl
+        persist
+        maxfail 0
+        holdoff 5
+        noipdefault
+        lcp-echo-interval 20
+        lcp-echo-failure 3
+        mtu 14592
+        hide-password
+        defaultroute
+        +ipv6
+        debug
+      '';
+    };
+  };
+
+  environment.etc."ppp/peers/dtagdsl".enable = false;
+
+  systemd.services."pppd-dtagdsl".serviceConfig = {
+    EnvironmentFile = config.sops.secrets.pppd-dtagdsl-username.path;
+    ExecStartPre = [
+      "+${utils.systemdUtils.lib.makeJobScript "pppd-dtagdsl-pre-start" ''
+        mkdir -p /etc/ppp/peers
+
+        # Created files only readable by root
+        umask u=rw,g=,o=
+
+        # Copy config and substitute username
+        rm -f /etc/ppp/peers/dtagdsl
+        ${pkgs.envsubst}/bin/envsubst -i "${config.environment.etc."ppp/peers/dtagdsl".source}" > /etc/ppp/peers/dtagdsl
+
+        # Copy login secrets
+        rm -f /etc/ppp/pap-secrets
+        cat ${config.sops.secrets.pppd-dtagdsl-secrets.path} > /etc/ppp/pap-secrets
+        rm -f /etc/ppp/chap-secrets
+        cat ${config.sops.secrets.pppd-dtagdsl-secrets.path} > /etc/ppp/chap-secrets
+      ''}"
+    ];
+  };
+
+}
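Review bot: `mtu 14592` in the new peer config looks like a typo for the `mtu 1456` it replaces; PPPoE over plain Ethernet cannot carry more than 1492 bytes without RFC 4638 support, and the MSS clamp still in configuration.nix (`--set-mss 1416`) is 1456 − 40, so the two values now disagree. Change it to `mtu 1456` (or whatever the link really negotiates, and adjust the clamp to match). The pre-start script itself looks sound: `umask u=rw,g=,o=` gives the rendered peer file and the copied pap/chap-secrets mode 0600, and the store copy of the peer file only contains the `${PPPD_DTAGDSL_USERNAME}` placeholder. `EnvironmentFile` requires the `pppd-dtagdsl-username` secret to decrypt to a `PPPD_DTAGDSL_USERNAME=…` line rather than a bare username, which deserves a comment next to it because secrets.json cannot show that. The plaintext `user` line this patch removes from configuration.nix remains in git history; if that identifier is sensitive enough to encrypt now, treat it as already disclosed.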
diff --git a/hosts/carbon/secrets.json b/hosts/carbon/secrets.json
index b2ef8ab..1b585f6 100644
--- a/hosts/carbon/secrets.json
+++ b/hosts/carbon/secrets.json
@@ -1,5 +1,7 @@
 {
 	"wg-monitoring": "ENC[AES256_GCM,data:+k5MgBrj/psMCE1T2jDtCCJI9Q7L+wJ3j83inNkeGp3LSUjoAPtBp4YoyL4=,iv:C19g/Lqi+cWAyiJBMNDtgLc3SDNI9bMBrBPWn+26mVY=,tag:9zIoawuGeGCMbOX1HKR/sQ==,type:str]",
+	"pppd-dtagdsl-username": "ENC[AES256_GCM,data:JC7EyyMoN0p5YwnS9W5I0G5Omhk5usw28UiJrCfifGr+2FUgMrtFYAHQdrtWAELvYNBQDPgrHMmQjGQLhpqqK0hH,iv:/q+Fm63GVBApGInyS8i39V/lo6iv+I2omVh47deq+o8=,tag:LkR+1zTDNWuYkhH2iWT7SA==,type:str]",
+	"pppd-dtagdsl-secrets": "ENC[AES256_GCM,data:c5pOb8It1py/9NXNTgLvt9zmsBVbSLHJt4iXWiNA+Osvomw3r7pgoO/JJh9ujomPMnOlDwN7g+pJ,iv:W36gA8E1mWchN6+8hdMdt2epv/RdS91T5ANB/JTcHCE=,tag:7eZ3fZkjERCVJCXYrABnlQ==,type:str]",
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
@@ -11,8 +13,8 @@
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3Rkd5WFE3aE5EQzY5ZXV4\nbXVGYmxTdVg1ekRpVjlRUnozY2tMTGloL21RCktjZW95OU9ZZ2owTCtMR1NxaXJn\na2VYS2ttb3VhSjNXOG84UUJtYU04QjAKLS0tIGd3aHM0RldFYnVFdDRVS0Vhc3BF\nckJhYmN6a1FJUC9ibks1cGlRaU1zbFkKE4ClunQ3XGAILwluC6iYFs+rlR02PdhK\njOmPbOlS0aNG0hoC7Z6aetgpj689AkJgl68QVcyvm+ecHH7TOT7l1A==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2024-05-10T13:06:06Z",
-		"mac": "ENC[AES256_GCM,data:Suz7S6XzlEMvVVRMb1YIkeiZWRcnadFeX6oswLiZSc4w35Xw/nn/XY1wsWTZEXj+TecEyhWJDzw27mKLRoqClA9BqPT0E1nzkXMjb2aTp72DjrI6VuBmbuUDBQgKDXToEfrv3/H5ovAT1s69nlxYDqUq185KR2eMqhsJPUwMRSw=,iv:0vj9ezTPxPyx751iEY++GMnzuQ/HM0tgLwAeJpk7CAk=,tag:7nYfqhy4R5JOYR0majlafg==,type:str]",
+		"lastmodified": "2024-07-13T21:56:57Z",
+		"mac": "ENC[AES256_GCM,data:/jZ/aIQUxYrF0deBTJOyc009yPKfshiYnAB2GR5SRTi00Ls5efKzhjDJaEWvAkgBTFz5/a8fy2k+vXEDsDlrgcgWqMS8/Az5LRf9RWUBWkerDyoBJ2UZRdt7UVPfkN8ObKQpfFqxhzkm4zio+MwSbqSMZil6fGaxz6lyUkwaphg=,iv:KStinEtV1DTaEl0ebMEw8lSMvrE5rtxqfTbzssC9oGY=,tag:YOr8T3wqqxyv0mpO1wMDEg==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2024-05-10T13:05:56Z",

From b860650ead474f1ee2ea4486362355568c433375 Mon Sep 17 00:00:00 2001
From: clerie <git@clerie.de>
Date: Sun, 14 Jul 2024 00:14:14 +0200
Subject: [PATCH 02/11] hosts/carbon: Restructure ExecStartPre script for
 pppd-dtagdsl

---
 hosts/carbon/ppp.nix | 39 ++++++++++++++++++++++-----------------
 1 file changed, 22 insertions(+), 17 deletions(-)

diff --git a/hosts/carbon/ppp.nix b/hosts/carbon/ppp.nix
index 82cec5f..7c09f21 100644
--- a/hosts/carbon/ppp.nix
+++ b/hosts/carbon/ppp.nix
@@ -26,25 +26,30 @@
 
   environment.etc."ppp/peers/dtagdsl".enable = false;
 
-  systemd.services."pppd-dtagdsl".serviceConfig = {
+  systemd.services."pppd-dtagdsl".serviceConfig = let
+    preStart = ''
+      mkdir -p /etc/ppp/peers
+
+      # Created files only readable by root
+      umask u=rw,g=,o=
+
+      # Copy config and substitute username
+      rm -f /etc/ppp/peers/dtagdsl
+      ${pkgs.envsubst}/bin/envsubst -i "${config.environment.etc."ppp/peers/dtagdsl".source}" > /etc/ppp/peers/dtagdsl
+
+      # Copy login secrets
+      rm -f /etc/ppp/pap-secrets
+      cat ${config.sops.secrets.pppd-dtagdsl-secrets.path} > /etc/ppp/pap-secrets
+      rm -f /etc/ppp/chap-secrets
+      cat ${config.sops.secrets.pppd-dtagdsl-secrets.path} > /etc/ppp/chap-secrets
+    '';
+
+    preStartFile = utils.systemdUtils.lib.makeJobScript "pppd-dtagdsl-pre-start" preStart;
+  in {
     EnvironmentFile = config.sops.secrets.pppd-dtagdsl-username.path;
     ExecStartPre = [
-      "+${utils.systemdUtils.lib.makeJobScript "pppd-dtagdsl-pre-start" ''
-        mkdir -p /etc/ppp/peers
-
-        # Created files only readable by root
-        umask u=rw,g=,o=
-
-        # Copy config and substitute username
-        rm -f /etc/ppp/peers/dtagdsl
-        ${pkgs.envsubst}/bin/envsubst -i "${config.environment.etc."ppp/peers/dtagdsl".source}" > /etc/ppp/peers/dtagdsl
-
-        # Copy login secrets
-        rm -f /etc/ppp/pap-secrets
-        cat ${config.sops.secrets.pppd-dtagdsl-secrets.path} > /etc/ppp/pap-secrets
-        rm -f /etc/ppp/chap-secrets
-        cat ${config.sops.secrets.pppd-dtagdsl-secrets.path} > /etc/ppp/chap-secrets
-      ''}"
+      # "+" marks script to be executed without priviledge restrictions
+      "+${preStartFile}"
     ];
   };
 
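Review bot: `priviledge` in the new comment on the `"+"` prefix is misspelled, and the comment slightly understates what the prefix does. Per systemd.service(5), a `+`-prefixed command runs with full privileges: `User=`, `Group=`, `CapabilityBoundingSet=` and the filesystem namespacing options of the unit are not applied to it, while they still apply to the other Exec lines. Suggested wording: `# "+" runs the pre-start with full privileges (User=, capability bounding set and filesystem sandboxing of the unit are not applied to it); needed to write under /etc/ppp`. Worth stating because everything this script reads or writes is therefore outside whatever hardening the pppd unit otherwise has.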

From 410552883544614eab88267873cc147c423a170e Mon Sep 17 00:00:00 2001
From: clerie <git@clerie.de>
Date: Sun, 14 Jul 2024 00:23:58 +0200
Subject: [PATCH 03/11] hosts/carbon: Move DNS server to seperate file

---
 hosts/carbon/configuration.nix | 19 +------------------
 hosts/carbon/dns.nix           | 23 +++++++++++++++++++++++
 2 files changed, 24 insertions(+), 18 deletions(-)
 create mode 100644 hosts/carbon/dns.nix

diff --git a/hosts/carbon/configuration.nix b/hosts/carbon/configuration.nix
index fe40263..08bb266 100644
--- a/hosts/carbon/configuration.nix
+++ b/hosts/carbon/configuration.nix
@@ -6,6 +6,7 @@
       ./hardware-configuration.nix
       ../../configuration/router
 
+      ./dns.nix
       ./ppp.nix
     ];
 
@@ -253,9 +254,6 @@
     };
   };
 
-  networking.firewall.allowedUDPPorts = [ 53 ];
-  networking.firewall.allowedTCPPorts = [ 53 ];
-
   clerie.firewall.enable = true;
   clerie.firewall.extraForwardFilterCommands = ''
     ip46tables -A forward-filter -i enp1s0.202 -o ppp-dtagdsl -j ACCEPT
@@ -273,20 +271,5 @@
     blackbox = true;
   };
 
-  services.unbound = {
-    enable = true;
-    resolveLocalQueries = false;
-    settings = {
-      server = {
-        interface = [ "fd00:152:152::1" "10.152.0.1" ];
-        access-control = [ "::/0 allow" "0.0.0.0/0 allow" ];
-        prefer-ip6 = true;
-        prefetch = true;
-        serve-expired = true;
-        serve-expired-ttl-reset = true;
-      };
-    };
-  };
-
   system.stateVersion = "21.03";
 }
diff --git a/hosts/carbon/dns.nix b/hosts/carbon/dns.nix
new file mode 100644
index 0000000..2019726
--- /dev/null
+++ b/hosts/carbon/dns.nix
@@ -0,0 +1,23 @@
+{ ... }:
+
+{
+
+  networking.firewall.allowedUDPPorts = [ 53 ];
+  networking.firewall.allowedTCPPorts = [ 53 ];
+
+  services.unbound = {
+    enable = true;
+    resolveLocalQueries = false;
+    settings = {
+      server = {
+        interface = [ "fd00:152:152::1" "10.152.0.1" ];
+        access-control = [ "::/0 allow" "0.0.0.0/0 allow" ];
+        prefer-ip6 = true;
+        prefetch = true;
+        serve-expired = true;
+        serve-expired-ttl-reset = true;
+      };
+    };
+  };
+
+}
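Review bot: `networking.firewall.allowedUDPPorts = [ 53 ]` / `allowedTCPPorts = [ 53 ]` open port 53 on every interface of the router, including the `ppp-dtagdsl` uplink, and the unbound `access-control` below allows `::/0` and `0.0.0.0/0`; the only thing keeping this from being an open resolver is that unbound binds solely to the ULA/RFC 1918 anycast addresses, which is a narrow guard to rely on. Consider scoping the firewall opening to the internal interfaces via `networking.firewall.interfaces.<name>.allowedUDPPorts` (and the TCP counterpart), and/or narrowing `access-control` to the internal prefixes already listed under `networking.nat.internalIPv6s`/`internalIPs` — unbound refuses unlisted sources by default. A one-line header such as `# Anycast resolver for the internal networks; not meant to be reachable from the uplink` would also make the intent explicit.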

From f7b3336e417a7f4f518ea954cba68635ffe3f7df Mon Sep 17 00:00:00 2001
From: clerie <git@clerie.de>
Date: Sun, 14 Jul 2024 00:31:13 +0200
Subject: [PATCH 04/11] hosts/carbon: Move net-heimnetz to seperate file

---
 hosts/carbon/configuration.nix | 50 ++------------------------
 hosts/carbon/net-heimnetz.nix  | 66 ++++++++++++++++++++++++++++++++++
 2 files changed, 68 insertions(+), 48 deletions(-)
 create mode 100644 hosts/carbon/net-heimnetz.nix

diff --git a/hosts/carbon/configuration.nix b/hosts/carbon/configuration.nix
index 08bb266..63a8393 100644
--- a/hosts/carbon/configuration.nix
+++ b/hosts/carbon/configuration.nix
@@ -7,6 +7,7 @@
       ../../configuration/router
 
       ./dns.nix
+      ./net-heimnetz.nix
       ./ppp.nix
     ];
 
@@ -47,23 +48,6 @@
     id = 102;
     interface = "enp1s0";
   };
-  ## Heimnetz
-  networking.vlans."enp1s0.201" = {
-    id = 201;
-    interface = "enp1s0";
-  };
-  networking.bridges."net-heimnetz".interfaces = [
-    "enp1s0.201"
-    "enp2s0"
-  ];
-  networking.interfaces."net-heimnetz".ipv6.addresses = [
-    { address = "fe80::1"; prefixLength = 64; }
-    { address = "fd00:152:152:4::1"; prefixLength = 64; }
-    { address = "2001:4cd8:100:1337::1"; prefixLength = 64; } # public IPs for local network
-  ];
-  networking.interfaces."net-heimnetz".ipv4.addresses = [
-    { address = "10.152.4.1"; prefixLength = 24; }
-  ];
   ## Gastnetz
   networking.vlans."enp1s0.202" = {
     id = 202;
@@ -98,12 +82,6 @@
 
   services.radvd.enable = true;
   services.radvd.config = ''
-    interface net-heimnetz {
-      AdvSendAdvert on;
-      prefix 2001:4cd8:100:1337::/64 {};
-      RDNSS fd00:152:152::1 {};
-      DNSSL net.clerie.de {};
-    };
     interface enp1s0.202 {
       AdvSendAdvert on;
       prefix 2001:4cd8:100:1313::/64 {};
@@ -115,7 +93,7 @@
     enable = true;
     settings = {
       interfaces-config = {
-        interfaces = [ "net-heimnetz" "enp1s0.202" "enp1s0.204" ];
+        interfaces = [ "enp1s0.202" "enp1s0.204" ];
         service-sockets-max-retries = 15;
         service-sockets-retry-wait-time = 2000;
       };
@@ -164,30 +142,6 @@
         }
       ];
       subnet4 = [
-        # Heimnetz
-        {
-          id = 201;
-          subnet = "10.152.4.0/24";
-          pools = [
-            {
-              pool = "10.152.4.100 - 10.152.4.240";
-            }
-          ];
-          option-data = [
-            {
-              name = "routers";
-              data = "10.152.4.1";
-            }
-            {
-              name = "domain-name-servers";
-              data = "10.152.0.1";
-            }
-            {
-              name = "domain-name";
-              data = "net.clerie.de";
-            }
-          ];
-        }
         # Gastnetz
         {
           id = 202;
diff --git a/hosts/carbon/net-heimnetz.nix b/hosts/carbon/net-heimnetz.nix
new file mode 100644
index 0000000..60e0bc6
--- /dev/null
+++ b/hosts/carbon/net-heimnetz.nix
@@ -0,0 +1,66 @@
+{ ... }:
+
+{
+
+  ## Heimnetz
+  networking.vlans."enp1s0.201" = {
+    id = 201;
+    interface = "enp1s0";
+  };
+  networking.bridges."net-heimnetz".interfaces = [
+    "enp1s0.201"
+    "enp2s0"
+  ];
+  networking.interfaces."net-heimnetz".ipv6.addresses = [
+    { address = "fe80::1"; prefixLength = 64; }
+    { address = "fd00:152:152:4::1"; prefixLength = 64; }
+    { address = "2001:4cd8:100:1337::1"; prefixLength = 64; } # public IPs for local network
+  ];
+  networking.interfaces."net-heimnetz".ipv4.addresses = [
+    { address = "10.152.4.1"; prefixLength = 24; }
+  ];
+
+  services.radvd.config = ''
+    interface net-heimnetz {
+      AdvSendAdvert on;
+      prefix 2001:4cd8:100:1337::/64 {};
+      RDNSS fd00:152:152::1 {};
+      DNSSL net.clerie.de {};
+    };
+  '';
+
+  services.kea.dhcp4 = {
+    settings = {
+      interfaces-config = {
+        interfaces = [ "net-heimnetz" ];
+      };
+      subnet4 = [
+        # Heimnetz
+        {
+          id = 201;
+          subnet = "10.152.4.0/24";
+          pools = [
+            {
+              pool = "10.152.4.100 - 10.152.4.240";
+            }
+          ];
+          option-data = [
+            {
+              name = "routers";
+              data = "10.152.4.1";
+            }
+            {
+              name = "domain-name-servers";
+              data = "10.152.0.1";
+            }
+            {
+              name = "domain-name";
+              data = "net.clerie.de";
+            }
+          ];
+        }
+      ];
+    };
+  };
+
+}
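Review bot: net-heimnetz.nix contributes only fragments — a `services.radvd.config` block and a `services.kea.dhcp4.settings` subtree — and relies on `services.radvd.enable` and `services.kea.dhcp4.enable` staying set in configuration.nix, which nothing in the new file says. It also relies on the module system concatenating `interfaces-config.interfaces` and `subnet4` across modules; the JSON-typed `settings` option should merge lists that way (confirm), but the resulting order of `subnet4` entries then follows module merge order rather than this file. A short header such as `# Heimnetz (VLAN 201 bridged with enp2s0): addresses, RA and DHCPv4 subnet. radvd/kea are enabled in configuration.nix; this module only adds their per-network config.` would make the split self-explanatory. The same applies to net-gastnetz.nix in patch 05 and net-voip.nix in patch 06.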

From 332b70a4807c73d81a00546cc2256ae80636874f Mon Sep 17 00:00:00 2001
From: clerie <git@clerie.de>
Date: Sun, 14 Jul 2024 00:37:48 +0200
Subject: [PATCH 05/11] hosts/carbon: Move net-gastnetz to seperate file

---
 hosts/carbon/configuration.nix | 47 ++-----------------------
 hosts/carbon/net-gastnetz.nix  | 63 ++++++++++++++++++++++++++++++++++
 2 files changed, 65 insertions(+), 45 deletions(-)
 create mode 100644 hosts/carbon/net-gastnetz.nix

diff --git a/hosts/carbon/configuration.nix b/hosts/carbon/configuration.nix
index 63a8393..9508a93 100644
--- a/hosts/carbon/configuration.nix
+++ b/hosts/carbon/configuration.nix
@@ -7,6 +7,7 @@
       ../../configuration/router
 
       ./dns.nix
+      ./net-gastnetz.nix
       ./net-heimnetz.nix
       ./ppp.nix
     ];
@@ -48,18 +49,6 @@
     id = 102;
     interface = "enp1s0";
   };
-  ## Gastnetz
-  networking.vlans."enp1s0.202" = {
-    id = 202;
-    interface = "enp1s0";
-  };
-  networking.interfaces."enp1s0.202".ipv6.addresses = [
-    { address = "fd00:3214:9453:4920::1"; prefixLength = 64; }
-    { address = "2001:4cd8:100:1313::1"; prefixLength = 64; } # public IPs for local network
-  ];
-  networking.interfaces."enp1s0.202".ipv4.addresses = [
-    { address = "192.168.32.1"; prefixLength = 24; }
-  ];
   ## VoIP
   networking.vlans."enp1s0.204" = {
     id = 204;
@@ -81,19 +70,12 @@
   };
 
   services.radvd.enable = true;
-  services.radvd.config = ''
-    interface enp1s0.202 {
-      AdvSendAdvert on;
-      prefix 2001:4cd8:100:1313::/64 {};
-      RDNSS 2620:fe::fe 2620:fe::9 {}; # Quad 9
-    };
-  '';
 
   services.kea.dhcp4 = {
     enable = true;
     settings = {
       interfaces-config = {
-        interfaces = [ "enp1s0.202" "enp1s0.204" ];
+        interfaces = [ "enp1s0.204" ];
         service-sockets-max-retries = 15;
         service-sockets-retry-wait-time = 2000;
       };
@@ -142,26 +124,6 @@
         }
       ];
       subnet4 = [
-        # Gastnetz
-        {
-          id = 202;
-          subnet = "192.168.32.0/24";
-          pools = [
-            {
-              pool = "192.168.32.100 - 192.168.32.240";
-            }
-          ];
-          option-data = [
-            {
-              name = "routers";
-              data = "192.168.32.1";
-            }
-            {
-              name = "domain-name-servers";
-              data = "9.9.9.9,149.112.112.112"; # Quad 9
-            }
-          ];
-        }
         # VoIP
         {
           id = 204;
@@ -209,11 +171,6 @@
   };
 
   clerie.firewall.enable = true;
-  clerie.firewall.extraForwardFilterCommands = ''
-    ip46tables -A forward-filter -i enp1s0.202 -o ppp-dtagdsl -j ACCEPT
-    ip46tables -A forward-filter -i enp1s0.202 -j DROP
-    ip46tables -A forward-filter -o enp1s0.202 -j DROP
-  '';
   clerie.firewall.extraForwardMangleCommands = ''
     ip46tables -t mangle -A forward-mangle -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1416
   '';
diff --git a/hosts/carbon/net-gastnetz.nix b/hosts/carbon/net-gastnetz.nix
new file mode 100644
index 0000000..932c374
--- /dev/null
+++ b/hosts/carbon/net-gastnetz.nix
@@ -0,0 +1,63 @@
+{ ... }:
+
+{
+
+  ## Gastnetz
+  networking.vlans."enp1s0.202" = {
+    id = 202;
+    interface = "enp1s0";
+  };
+  networking.interfaces."enp1s0.202".ipv6.addresses = [
+    { address = "fd00:3214:9453:4920::1"; prefixLength = 64; }
+    { address = "2001:4cd8:100:1313::1"; prefixLength = 64; } # public IPs for local network
+  ];
+  networking.interfaces."enp1s0.202".ipv4.addresses = [
+    { address = "192.168.32.1"; prefixLength = 24; }
+  ];
+
+  services.radvd.config = ''
+    interface enp1s0.202 {
+      AdvSendAdvert on;
+      prefix 2001:4cd8:100:1313::/64 {};
+      RDNSS 2620:fe::fe 2620:fe::9 {}; # Quad 9
+    };
+  '';
+
+  services.kea.dhcp4 = {
+    settings = {
+      interfaces-config = {
+        interfaces = [ "enp1s0.202" ];
+      };
+      subnet4 = [
+        # Gastnetz
+        {
+          id = 202;
+          subnet = "192.168.32.0/24";
+          pools = [
+            {
+              pool = "192.168.32.100 - 192.168.32.240";
+            }
+          ];
+          option-data = [
+            {
+              name = "routers";
+              data = "192.168.32.1";
+            }
+            {
+              name = "domain-name-servers";
+              data = "9.9.9.9,149.112.112.112"; # Quad 9
+            }
+          ];
+        }
+      ];
+    };
+  };
+
+  # net-gastnetz can only access internet
+  clerie.firewall.extraForwardFilterCommands = ''
+    ip46tables -A forward-filter -i enp1s0.202 -o ppp-dtagdsl -j ACCEPT
+    ip46tables -A forward-filter -i enp1s0.202 -j DROP
+    ip46tables -A forward-filter -o enp1s0.202 -j DROP
+  '';
+
+}
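Review bot: the three `ip46tables` rules under `# net-gastnetz can only access internet` end with `-o enp1s0.202 -j DROP`, which also matches reply traffic from the uplink unless an `ESTABLISHED,RELATED` accept precedes them in `forward-filter`; that presumably lives in the `clerie.firewall` module, but the file should say so now that the rules are no longer next to the rest of the firewall config. Because `extraForwardFilterCommands` is a lines-style option, the position of these rules relative to any other module's forward rules is only the module merge order, so an ACCEPT contributed elsewhere could land before the guest DROPs. A comment like `# Assumes clerie.firewall puts a conntrack ESTABLISHED,RELATED accept ahead of these; keep the guest DROPs before any other extra forward ACCEPTs` would capture both assumptions.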

From 8e88006abe80653e09781b7f8ba85b874a8c1ece Mon Sep 17 00:00:00 2001
From: clerie <git@clerie.de>
Date: Sun, 14 Jul 2024 00:43:47 +0200
Subject: [PATCH 06/11] hosts/carbon: Move net-voip to seperate file

---
 hosts/carbon/configuration.nix |  93 +----------------------------
 hosts/carbon/net-voip.nix      | 105 +++++++++++++++++++++++++++++++++
 2 files changed, 106 insertions(+), 92 deletions(-)
 create mode 100644 hosts/carbon/net-voip.nix

diff --git a/hosts/carbon/configuration.nix b/hosts/carbon/configuration.nix
index 9508a93..e585000 100644
--- a/hosts/carbon/configuration.nix
+++ b/hosts/carbon/configuration.nix
@@ -9,6 +9,7 @@
       ./dns.nix
       ./net-gastnetz.nix
       ./net-heimnetz.nix
+      ./net-voip.nix
       ./ppp.nix
     ];
 
@@ -49,14 +50,6 @@
     id = 102;
     interface = "enp1s0";
   };
-  ## VoIP
-  networking.vlans."enp1s0.204" = {
-    id = 204;
-    interface = "enp1s0";
-  };
-  networking.interfaces."enp1s0.204".ipv4.addresses = [
-    { address = "10.152.33.1"; prefixLength = 24; }
-  ];
 
   # Use Anycast Nameservers
   networking.nameservers = [ "fd00:152:152::1" "10.152.0.1" ];
@@ -75,7 +68,6 @@
     enable = true;
     settings = {
       interfaces-config = {
-        interfaces = [ "enp1s0.204" ];
         service-sockets-max-retries = 15;
         service-sockets-retry-wait-time = 2000;
       };
@@ -84,89 +76,6 @@
         persist = true;
         type = "memfile";
       };
-      option-def = [
-        {
-          space = "dhcp4";
-          name = "vendor-encapsulated-options";
-          code = 43;
-          type = "empty";
-          encapsulate = "sipdect";
-        }
-        {
-          space = "sipdect";
-          name = "ommip1";
-          code = 10;
-          type = "ipv4-address";
-        }
-        {
-          space = "sipdect";
-          name = "ommip2";
-          code = 19;
-          type = "ipv4-address";
-        }
-        {
-          space = "sipdect";
-          name = "syslogip";
-          code = 14;
-          type = "ipv4-address";
-        }
-        {
-          space = "sipdect";
-          name = "syslogport";
-          code = 15;
-          type = "int16";
-        }
-        {
-          space = "dhcp4";
-          name = "magic_str";
-          code = 224;
-          type = "string";
-        }
-      ];
-      subnet4 = [
-        # VoIP
-        {
-          id = 204;
-          subnet = "10.152.33.0/24";
-          pools = [
-            {
-              pool = "10.152.33.10 - 10.152.33.200";
-            }
-          ];
-          option-data = [
-            {
-              name = "routers";
-              data = "10.152.33.1";
-            }
-          ];
-
-          reservations = [
-            {
-              hostname = "iridium";
-              hw-address = "00:30:42:1B:8C:7C";
-              ip-address = "10.152.33.11";
-              option-data = [
-                {
-                  name = "host-name";
-                  data = "iridium";
-                }
-                {
-                  name = "vendor-encapsulated-options";
-                }
-                {
-                  space = "sipdect";
-                  name = "ommip1";
-                  data = "10.152.33.11";
-                }
-                {
-                  name = "magic_str";
-                  data = "OpenMobilitySIP-DECT";
-                }
-              ];
-            }
-          ];
-        }
-      ];
     };
   };
 
diff --git a/hosts/carbon/net-voip.nix b/hosts/carbon/net-voip.nix
new file mode 100644
index 0000000..3a816fc
--- /dev/null
+++ b/hosts/carbon/net-voip.nix
@@ -0,0 +1,105 @@
+{ ... }:
+
+{
+
+  ## VoIP
+  networking.vlans."enp1s0.204" = {
+    id = 204;
+    interface = "enp1s0";
+  };
+  networking.interfaces."enp1s0.204".ipv4.addresses = [
+    { address = "10.152.33.1"; prefixLength = 24; }
+  ];
+
+  services.kea.dhcp4 = {
+    settings = {
+      interfaces-config = {
+        interfaces = [ "enp1s0.204" ];
+      };
+      option-def = [
+        {
+          space = "dhcp4";
+          name = "vendor-encapsulated-options";
+          code = 43;
+          type = "empty";
+          encapsulate = "sipdect";
+        }
+        {
+          space = "sipdect";
+          name = "ommip1";
+          code = 10;
+          type = "ipv4-address";
+        }
+        {
+          space = "sipdect";
+          name = "ommip2";
+          code = 19;
+          type = "ipv4-address";
+        }
+        {
+          space = "sipdect";
+          name = "syslogip";
+          code = 14;
+          type = "ipv4-address";
+        }
+        {
+          space = "sipdect";
+          name = "syslogport";
+          code = 15;
+          type = "int16";
+        }
+        {
+          space = "dhcp4";
+          name = "magic_str";
+          code = 224;
+          type = "string";
+        }
+      ];
+      subnet4 = [
+        # VoIP
+        {
+          id = 204;
+          subnet = "10.152.33.0/24";
+          pools = [
+            {
+              pool = "10.152.33.10 - 10.152.33.200";
+            }
+          ];
+          option-data = [
+            {
+              name = "routers";
+              data = "10.152.33.1";
+            }
+          ];
+
+          reservations = [
+            {
+              hostname = "iridium";
+              hw-address = "00:30:42:1B:8C:7C";
+              ip-address = "10.152.33.11";
+              option-data = [
+                {
+                  name = "host-name";
+                  data = "iridium";
+                }
+                {
+                  name = "vendor-encapsulated-options";
+                }
+                {
+                  space = "sipdect";
+                  name = "ommip1";
+                  data = "10.152.33.11";
+                }
+                {
+                  name = "magic_str";
+                  data = "OpenMobilitySIP-DECT";
+                }
+              ];
+            }
+          ];
+        }
+      ];
+    };
+  };
+
+}

From 090e2d6e483187789bf4934469c99d5d90a4e2c4 Mon Sep 17 00:00:00 2001
From: clerie <git@clerie.de>
Date: Sun, 14 Jul 2024 00:46:22 +0200
Subject: [PATCH 07/11] hosts/carbon: Move net-dsl to seperate file

---
 hosts/carbon/configuration.nix | 14 +-------------
 hosts/carbon/net-dsl.nix       | 19 +++++++++++++++++++
 2 files changed, 20 insertions(+), 13 deletions(-)
 create mode 100644 hosts/carbon/net-dsl.nix

diff --git a/hosts/carbon/configuration.nix b/hosts/carbon/configuration.nix
index e585000..973c800 100644
--- a/hosts/carbon/configuration.nix
+++ b/hosts/carbon/configuration.nix
@@ -7,6 +7,7 @@
       ../../configuration/router
 
       ./dns.nix
+      ./net-dsl.nix
       ./net-gastnetz.nix
       ./net-heimnetz.nix
       ./net-voip.nix
@@ -32,19 +33,6 @@
     { address = "10.152.0.1"; prefixLength = 32; } # Anycast
   ];
   # Network
-  ## DSL-Uplink
-  networking.vlans."enp1s0.7" = {
-    id = 7;
-    interface = "enp1s0";
-  };
-  networking.vlans."enp3s0.7" = {
-    id = 7;
-    interface = "enp3s0";
-  };
-  networking.bridges."net-dsl".interfaces = [
-    "enp1s0.7"
-    "enp3s0.7"
-  ];
   ## LTE-Uplink
   networking.vlans."enp1s0.102" = {
     id = 102;
diff --git a/hosts/carbon/net-dsl.nix b/hosts/carbon/net-dsl.nix
new file mode 100644
index 0000000..b67ae33
--- /dev/null
+++ b/hosts/carbon/net-dsl.nix
@@ -0,0 +1,19 @@
+{ ... }:
+
+{
+
+  ## DSL-Uplink
+  networking.vlans."enp1s0.7" = {
+    id = 7;
+    interface = "enp1s0";
+  };
+  networking.vlans."enp3s0.7" = {
+    id = 7;
+    interface = "enp3s0";
+  };
+  networking.bridges."net-dsl".interfaces = [
+    "enp1s0.7"
+    "enp3s0.7"
+  ];
+
+}
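Review bot: the `## DSL-Uplink` comment does not explain why `enp1s0.7` and `enp3s0.7` are bridged into `net-dsl`, which matters because ppp.nix runs the PPPoE session over this bridge (`plugin pppoe.so net-dsl`), so it faces the provider's segment. Document that the bridge is intentionally addressless (there is no `networking.interfaces."net-dsl"` entry) and what the two VLAN-7 member ports are for — I am inferring their roles, so state them as they actually are. If the kernel auto-configures a link-local IPv6 address on the bridge, consider turning that off for this interface (the `disable_ipv6` sysctl) so the router has no IP presence on the provider-facing L2 segment beyond the PPPoE session.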

From 38345f6dbe6faecc69500d5d96ee5ad946b61140 Mon Sep 17 00:00:00 2001
From: clerie <git@clerie.de>
Date: Sun, 14 Jul 2024 00:49:52 +0200
Subject: [PATCH 08/11] hosts/carbon: Move DNS specific network config to DNS
 file

---
 hosts/carbon/configuration.nix | 10 ----------
 hosts/carbon/dns.nix           | 11 +++++++++++
 2 files changed, 11 insertions(+), 10 deletions(-)

diff --git a/hosts/carbon/configuration.nix b/hosts/carbon/configuration.nix
index 973c800..3c9b480 100644
--- a/hosts/carbon/configuration.nix
+++ b/hosts/carbon/configuration.nix
@@ -25,13 +25,6 @@
   ";
 
   networking.useDHCP = false;
-  # Local Router IPs
-  networking.interfaces.lo.ipv6.addresses = [
-    { address = "fd00:152:152::1"; prefixLength = 128; } # Anycast
-  ];
-  networking.interfaces.lo.ipv4.addresses = [
-    { address = "10.152.0.1"; prefixLength = 32; } # Anycast
-  ];
   # Network
   ## LTE-Uplink
   networking.vlans."enp1s0.102" = {
@@ -39,9 +32,6 @@
     interface = "enp1s0";
   };
 
-  # Use Anycast Nameservers
-  networking.nameservers = [ "fd00:152:152::1" "10.152.0.1" ];
-
   networking.nat = {
     enableIPv6 = true;
     enable = true;
diff --git a/hosts/carbon/dns.nix b/hosts/carbon/dns.nix
index 2019726..9d935cc 100644
--- a/hosts/carbon/dns.nix
+++ b/hosts/carbon/dns.nix
@@ -2,6 +2,14 @@
 
 {
 
+  # Loopbacks for DNS resolver IPs
+  networking.interfaces.lo.ipv6.addresses = [
+    { address = "fd00:152:152::1"; prefixLength = 128; } # Anycast
+  ];
+  networking.interfaces.lo.ipv4.addresses = [
+    { address = "10.152.0.1"; prefixLength = 32; } # Anycast
+  ];
+
   networking.firewall.allowedUDPPorts = [ 53 ];
   networking.firewall.allowedTCPPorts = [ 53 ];
 
@@ -20,4 +28,7 @@
     };
   };
 
+  # Use Anycast Nameservers
+  networking.nameservers = [ "fd00:152:152::1" "10.152.0.1" ];
+
 }

From 9102d40958001abb4ba7937e7b0ae03cae8cebcd Mon Sep 17 00:00:00 2001
From: clerie <git@clerie.de>
Date: Sun, 14 Jul 2024 00:51:49 +0200
Subject: [PATCH 09/11] hosts/carbon: Move MSS clamping to PPP config

---
 hosts/carbon/configuration.nix | 3 ---
 hosts/carbon/ppp.nix           | 4 ++++
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/hosts/carbon/configuration.nix b/hosts/carbon/configuration.nix
index 3c9b480..d877a9e 100644
--- a/hosts/carbon/configuration.nix
+++ b/hosts/carbon/configuration.nix
@@ -58,9 +58,6 @@
   };
 
   clerie.firewall.enable = true;
-  clerie.firewall.extraForwardMangleCommands = ''
-    ip46tables -t mangle -A forward-mangle -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1416
-  '';
 
   clerie.monitoring = {
     enable = true;
diff --git a/hosts/carbon/ppp.nix b/hosts/carbon/ppp.nix
index 7c09f21..a97289e 100644
--- a/hosts/carbon/ppp.nix
+++ b/hosts/carbon/ppp.nix
@@ -53,4 +53,8 @@
     ];
   };
 
+  clerie.firewall.extraForwardMangleCommands = ''
+    ip46tables -t mangle -A forward-mangle -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1416
+  '';
+
 }
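Review bot: `--set-mss 1416` is issued through `ip46tables`, which — assuming it does what its name suggests and applies the rule to ip6tables as well — is only right for IPv4 (1456 − 20 − 20); for IPv6 the MSS should be MTU − 60 = 1396, so clamped v6 segments can still exceed the PPP MTU, which is exactly what the clamp exists to prevent. Now that the clamp sits next to the `mtu` option in this file, derive both from one binding (`let pppMtu = 1456; in`, `mtu ${toString pppMtu}`, and separate `iptables … --set-mss ${toString (pppMtu - 40)}` / `ip6tables … --set-mss ${toString (pppMtu - 60)}` lines), or use `-j TCPMSS --clamp-mss-to-pmtu`, which takes the outgoing interface MTU for either family. If only uplink traffic is meant to be clamped, add `-o ppp-dtagdsl` to the rule. The `mtu` value currently in this file is `14592` (patch 01); whichever number is intended, tying the two together would have caught that.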

From e12888edbdb0c04993074b088d651237a998c7af Mon Sep 17 00:00:00 2001
From: clerie <git@clerie.de>
Date: Sun, 14 Jul 2024 00:56:07 +0200
Subject: [PATCH 10/11] hosts/carbon: Move net-lte to seperate file

---
 hosts/carbon/configuration.nix |  7 +------
 hosts/carbon/net-lte.nix       | 11 +++++++++++
 2 files changed, 12 insertions(+), 6 deletions(-)
 create mode 100644 hosts/carbon/net-lte.nix

diff --git a/hosts/carbon/configuration.nix b/hosts/carbon/configuration.nix
index d877a9e..b97e2fe 100644
--- a/hosts/carbon/configuration.nix
+++ b/hosts/carbon/configuration.nix
@@ -10,6 +10,7 @@
       ./net-dsl.nix
       ./net-gastnetz.nix
       ./net-heimnetz.nix
+      ./net-lte.nix
       ./net-voip.nix
       ./ppp.nix
     ];
@@ -25,12 +26,6 @@
   ";
 
   networking.useDHCP = false;
-  # Network
-  ## LTE-Uplink
-  networking.vlans."enp1s0.102" = {
-    id = 102;
-    interface = "enp1s0";
-  };
 
   networking.nat = {
     enableIPv6 = true;
diff --git a/hosts/carbon/net-lte.nix b/hosts/carbon/net-lte.nix
new file mode 100644
index 0000000..3a6f2d0
--- /dev/null
+++ b/hosts/carbon/net-lte.nix
@@ -0,0 +1,11 @@
+{ ... }:
+
+{
+
+  ## LTE-Uplink
+  networking.vlans."enp1s0.102" = {
+    id = 102;
+    interface = "enp1s0";
+  };
+
+}

From 3a3105a58e84b9f781fe8e3ac2a61c72ad90ce90 Mon Sep 17 00:00:00 2001
From: Flake Update Bot <flake-update-bot@clerie.de>
Date: Sun, 14 Jul 2024 01:07:09 +0200
Subject: [PATCH 11/11] Update nixpkgs 2024-07-13-23-05

---
 flake.lock | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/flake.lock b/flake.lock
index 58bceda..868e8d9 100644
--- a/flake.lock
+++ b/flake.lock
@@ -268,11 +268,11 @@
     },
     "nixpkgs_3": {
       "locked": {
-        "lastModified": 1719848872,
-        "narHash": "sha256-H3+EC5cYuq+gQW8y0lSrrDZfH71LB4DAf+TDFyvwCNA=",
+        "lastModified": 1720768451,
+        "narHash": "sha256-EYekUHJE2gxeo2pM/zM9Wlqw1Uw2XTJXOSAO79ksc4Y=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "00d80d13810dbfea8ab4ed1009b09100cca86ba8",
+        "rev": "7e7c39ea35c5cdd002cd4588b03a3fb9ece6fad9",
         "type": "github"
       },
       "original": {