From d09e80e88eaa2543d0c55a87bb933cd4acc5e60f Mon Sep 17 00:00:00 2001 From: clerie Date: Sun, 14 Jul 2024 00:06:41 +0200 Subject: [PATCH 01/11] hosts/carbon: Migrate to DTAG DSL --- hosts/carbon/configuration.nix | 29 +++---------------- hosts/carbon/ppp.nix | 51 ++++++++++++++++++++++++++++++++++ hosts/carbon/secrets.json | 6 ++-- 3 files changed, 59 insertions(+), 27 deletions(-) create mode 100644 hosts/carbon/ppp.nix diff --git a/hosts/carbon/configuration.nix b/hosts/carbon/configuration.nix index 06b8004..fe40263 100644 --- a/hosts/carbon/configuration.nix +++ b/hosts/carbon/configuration.nix @@ -5,6 +5,8 @@ [ ./hardware-configuration.nix ../../configuration/router + + ./ppp.nix ]; boot.kernelParams = [ "console=ttyS0,115200n8" ]; @@ -88,7 +90,7 @@ networking.nat = { enableIPv6 = true; enable = true; - externalInterface = "ppp-ntvdsl"; + externalInterface = "ppp-dtagdsl"; internalIPv6s = [ "fd00:152:152::/48" "fd00:3214:9453:4920::/64"]; internalIPs = [ "10.152.0.0/16" "192.168.32.0/24" ]; }; @@ -256,7 +258,7 @@ clerie.firewall.enable = true; clerie.firewall.extraForwardFilterCommands = '' - ip46tables -A forward-filter -i enp1s0.202 -o ppp-ntvdsl -j ACCEPT + ip46tables -A forward-filter -i enp1s0.202 -o ppp-dtagdsl -j ACCEPT ip46tables -A forward-filter -i enp1s0.202 -j DROP ip46tables -A forward-filter -o enp1s0.202 -j DROP ''; @@ -264,29 +266,6 @@ ip46tables -t mangle -A forward-mangle -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1416 ''; - services.pppd = { - enable = true; - peers.ntvdsl = { - config = '' - plugin pppoe.so net-dsl - user "dsl-31997-001#regio@bsa-vdsl" - ifname ppp-ntvdsl - persist - maxfail 0 - holdoff 5 - noipdefault - lcp-echo-interval 20 - lcp-echo-failure 3 - mtu 1456 - hide-password - defaultroute - +ipv6 - debug - ''; - }; - }; - - clerie.monitoring = { enable = true; id = "104"; diff --git a/hosts/carbon/ppp.nix b/hosts/carbon/ppp.nix new file mode 100644 index 0000000..82cec5f --- /dev/null 
+++ b/hosts/carbon/ppp.nix
@@ -0,0 +1,51 @@
+{ config, pkgs, utils, ... }:
+
+{
+
+ services.pppd = {
+ enable = true;
+ peers.dtagdsl = {
+ config = ''
+ plugin pppoe.so net-dsl
+ user "''${PPPD_DTAGDSL_USERNAME}"
+ ifname ppp-dtagdsl
+ persist
+ maxfail 0
+ holdoff 5
+ noipdefault
+ lcp-echo-interval 20
+ lcp-echo-failure 3
+ mtu 14592
+ hide-password
+ defaultroute
+ +ipv6
+ debug
+ '';
+ };
+ };
+
+ environment.etc."ppp/peers/dtagdsl".enable = false;
+
+ systemd.services."pppd-dtagdsl".serviceConfig = {
+ EnvironmentFile = config.sops.secrets.pppd-dtagdsl-username.path;
+ ExecStartPre = [
+ "+${utils.systemdUtils.lib.makeJobScript "pppd-dtagdsl-pre-start" ''
+ mkdir -p /etc/ppp/peers
+
+ # Created files only readable by root
+ umask u=rw,g=,o=
+
+ # Copy config and substitute username
+ rm -f /etc/ppp/peers/dtagdsl
+ ${pkgs.envsubst}/bin/envsubst -i "${config.environment.etc."ppp/peers/dtagdsl".source}" > /etc/ppp/peers/dtagdsl
+
+ # Copy login secrets
+ rm -f /etc/ppp/pap-secrets
+ cat ${config.sops.secrets.pppd-dtagdsl-secrets.path} > /etc/ppp/pap-secrets
+ rm -f /etc/ppp/chap-secrets
+ cat ${config.sops.secrets.pppd-dtagdsl-secrets.path} > /etc/ppp/chap-secrets
+ ''}"
+ ];
+ };
+
+}
diff --git a/hosts/carbon/secrets.json b/hosts/carbon/secrets.json
index b2ef8ab..1b585f6 100644
--- a/hosts/carbon/secrets.json
+++ b/hosts/carbon/secrets.json
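Review bot: `mtu 14592` in the new dtagdsl peer config looks like a typo — the removed ntvdsl peer used `mtu 1456`, a PPPoE link cannot carry more than 1492 bytes of PPP payload, and the `--set-mss 1416` clamp in configuration.nix is 1456 minus 40, so the value will at best be clamped by the pppoe plugin and at worst leave the link with an MTU that no longer matches the MSS rule. Suggest `mtu 1492` (or keeping `mtu 1456`) plus a comment tying it to the TCPMSS rule. In the pre-start script the `umask u=rw,g=,o=` is set after `mkdir -p /etc/ppp/peers` so the directory stays traversable while the peer file and the pap/chap-secrets copies are created root-only, which is the right order but worth stating: `# umask set after mkdir: directory stays 0755, the files below (which hold the DSL credentials) are created 0600`. The copies in /etc/ppp are never removed when the unit stops, so the credentials persist on disk outside the sops-managed path; a comment acknowledging that, or an `ExecStopPost` that deletes them, would make the lifetime explicit.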
@@ -1,5 +1,7 @@ { "wg-monitoring": "ENC[AES256_GCM,data:+k5MgBrj/psMCE1T2jDtCCJI9Q7L+wJ3j83inNkeGp3LSUjoAPtBp4YoyL4=,iv:C19g/Lqi+cWAyiJBMNDtgLc3SDNI9bMBrBPWn+26mVY=,tag:9zIoawuGeGCMbOX1HKR/sQ==,type:str]", + "pppd-dtagdsl-username": "ENC[AES256_GCM,data:JC7EyyMoN0p5YwnS9W5I0G5Omhk5usw28UiJrCfifGr+2FUgMrtFYAHQdrtWAELvYNBQDPgrHMmQjGQLhpqqK0hH,iv:/q+Fm63GVBApGInyS8i39V/lo6iv+I2omVh47deq+o8=,tag:LkR+1zTDNWuYkhH2iWT7SA==,type:str]", + "pppd-dtagdsl-secrets": "ENC[AES256_GCM,data:c5pOb8It1py/9NXNTgLvt9zmsBVbSLHJt4iXWiNA+Osvomw3r7pgoO/JJh9ujomPMnOlDwN7g+pJ,iv:W36gA8E1mWchN6+8hdMdt2epv/RdS91T5ANB/JTcHCE=,tag:7eZ3fZkjERCVJCXYrABnlQ==,type:str]", "sops": { "kms": null, "gcp_kms": null, @@ -11,8 +13,8 @@ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3Rkd5WFE3aE5EQzY5ZXV4\nbXVGYmxTdVg1ekRpVjlRUnozY2tMTGloL21RCktjZW95OU9ZZ2owTCtMR1NxaXJn\na2VYS2ttb3VhSjNXOG84UUJtYU04QjAKLS0tIGd3aHM0RldFYnVFdDRVS0Vhc3BF\nckJhYmN6a1FJUC9ibks1cGlRaU1zbFkKE4ClunQ3XGAILwluC6iYFs+rlR02PdhK\njOmPbOlS0aNG0hoC7Z6aetgpj689AkJgl68QVcyvm+ecHH7TOT7l1A==\n-----END AGE ENCRYPTED FILE-----\n" } ], - "lastmodified": "2024-05-10T13:06:06Z", - "mac": "ENC[AES256_GCM,data:Suz7S6XzlEMvVVRMb1YIkeiZWRcnadFeX6oswLiZSc4w35Xw/nn/XY1wsWTZEXj+TecEyhWJDzw27mKLRoqClA9BqPT0E1nzkXMjb2aTp72DjrI6VuBmbuUDBQgKDXToEfrv3/H5ovAT1s69nlxYDqUq185KR2eMqhsJPUwMRSw=,iv:0vj9ezTPxPyx751iEY++GMnzuQ/HM0tgLwAeJpk7CAk=,tag:7nYfqhy4R5JOYR0majlafg==,type:str]", + "lastmodified": "2024-07-13T21:56:57Z", + "mac": "ENC[AES256_GCM,data:/jZ/aIQUxYrF0deBTJOyc009yPKfshiYnAB2GR5SRTi00Ls5efKzhjDJaEWvAkgBTFz5/a8fy2k+vXEDsDlrgcgWqMS8/Az5LRf9RWUBWkerDyoBJ2UZRdt7UVPfkN8ObKQpfFqxhzkm4zio+MwSbqSMZil6fGaxz6lyUkwaphg=,iv:KStinEtV1DTaEl0ebMEw8lSMvrE5rtxqfTbzssC9oGY=,tag:YOr8T3wqqxyv0mpO1wMDEg==,type:str]", "pgp": [ { "created_at": "2024-05-10T13:05:56Z", From b860650ead474f1ee2ea4486362355568c433375 Mon Sep 17 00:00:00 2001 
From: clerie Date: Sun, 14 Jul 2024 00:14:14 +0200 Subject: [PATCH 02/11] hosts/carbon: Restructure ExecStartPre script for pppd-dtagdsl --- hosts/carbon/ppp.nix | 39 ++++++++++++++++++++++----------------- 1 file changed, 22 insertions(+), 17 deletions(-) diff --git a/hosts/carbon/ppp.nix b/hosts/carbon/ppp.nix index 82cec5f..7c09f21 100644 --- a/hosts/carbon/ppp.nix +++ b/hosts/carbon/ppp.nix @@ -26,25 +26,30 @@ environment.etc."ppp/peers/dtagdsl".enable = false; - systemd.services."pppd-dtagdsl".serviceConfig = { + systemd.services."pppd-dtagdsl".serviceConfig = let + preStart = '' + mkdir -p /etc/ppp/peers + + # Created files only readable by root + umask u=rw,g=,o= + + # Copy config and substitute username + rm -f /etc/ppp/peers/dtagdsl + ${pkgs.envsubst}/bin/envsubst -i "${config.environment.etc."ppp/peers/dtagdsl".source}" > /etc/ppp/peers/dtagdsl + + # Copy login secrets + rm -f /etc/ppp/pap-secrets + cat ${config.sops.secrets.pppd-dtagdsl-secrets.path} > /etc/ppp/pap-secrets + rm -f /etc/ppp/chap-secrets + cat ${config.sops.secrets.pppd-dtagdsl-secrets.path} > /etc/ppp/chap-secrets + ''; + + preStartFile = utils.systemdUtils.lib.makeJobScript "pppd-dtagdsl-pre-start" preStart; + in { EnvironmentFile = config.sops.secrets.pppd-dtagdsl-username.path; ExecStartPre = [ - "+${utils.systemdUtils.lib.makeJobScript "pppd-dtagdsl-pre-start" '' - mkdir -p /etc/ppp/peers - - # Created files only readable by root - umask u=rw,g=,o= - - # Copy config and substitute username - rm -f /etc/ppp/peers/dtagdsl - ${pkgs.envsubst}/bin/envsubst -i "${config.environment.etc."ppp/peers/dtagdsl".source}" > /etc/ppp/peers/dtagdsl - - # Copy login secrets - rm -f /etc/ppp/pap-secrets - cat ${config.sops.secrets.pppd-dtagdsl-secrets.path} > /etc/ppp/pap-secrets - rm -f /etc/ppp/chap-secrets - cat ${config.sops.secrets.pppd-dtagdsl-secrets.path} > /etc/ppp/chap-secrets - ''}" + # "+" marks script to be executed without priviledge restrictions + "+${preStartFile}" ]; }; 
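Review bot: The new comment on the ExecStartPre entry misspells "privilege" and does not say where the `+` semantics come from; suggest `# "+" is the systemd ExecStartPre prefix: the script runs with full privileges, bypassing the unit's User=/capability restrictions, which it needs to write under /etc/ppp`. The `let` extraction of `preStart`/`preStartFile` is otherwise a straight refactor of the script, and the script body is unchanged from the previous commit.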
From 410552883544614eab88267873cc147c423a170e Mon Sep 17 00:00:00 2001 From: clerie Date: Sun, 14 Jul 2024 00:23:58 +0200 Subject: [PATCH 03/11] hosts/carbon: Move DNS server to seperate file --- hosts/carbon/configuration.nix | 19 +------------------ hosts/carbon/dns.nix | 23 +++++++++++++++++++++++ 2 files changed, 24 insertions(+), 18 deletions(-) create mode 100644 hosts/carbon/dns.nix diff --git a/hosts/carbon/configuration.nix b/hosts/carbon/configuration.nix index fe40263..08bb266 100644 --- a/hosts/carbon/configuration.nix +++ b/hosts/carbon/configuration.nix @@ -6,6 +6,7 @@ ./hardware-configuration.nix ../../configuration/router + ./dns.nix ./ppp.nix ]; @@ -253,9 +254,6 @@ }; }; - networking.firewall.allowedUDPPorts = [ 53 ]; - networking.firewall.allowedTCPPorts = [ 53 ]; - clerie.firewall.enable = true; clerie.firewall.extraForwardFilterCommands = '' ip46tables -A forward-filter -i enp1s0.202 -o ppp-dtagdsl -j ACCEPT @@ -273,20 +271,5 @@ blackbox = true; }; - services.unbound = { - enable = true; - resolveLocalQueries = false; - settings = { - server = { - interface = [ "fd00:152:152::1" "10.152.0.1" ]; - access-control = [ "::/0 allow" "0.0.0.0/0 allow" ]; - prefer-ip6 = true; - prefetch = true; - serve-expired = true; - serve-expired-ttl-reset = true; - }; - }; - }; - system.stateVersion = "21.03"; } diff --git a/hosts/carbon/dns.nix b/hosts/carbon/dns.nix new file mode 100644 index 0000000..2019726 --- /dev/null +++ b/hosts/carbon/dns.nix @@ -0,0 +1,23 @@ +{ ... }: + +{ + + networking.firewall.allowedUDPPorts = [ 53 ]; + networking.firewall.allowedTCPPorts = [ 53 ]; + + services.unbound = { + enable = true; + resolveLocalQueries = false; + settings = { + server = { + interface = [ "fd00:152:152::1" "10.152.0.1" ]; + access-control = [ "::/0 allow" "0.0.0.0/0 allow" ]; + prefer-ip6 = true; + prefetch = true; + serve-expired = true; + serve-expired-ttl-reset = true; + }; + }; + }; + +} 
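Review bot: In the new dns.nix, `networking.firewall.allowedUDPPorts`/`allowedTCPPorts = [ 53 ]` open the resolver port on every interface, including the `ppp-dtagdsl` uplink, while unbound's `access-control` is `::/0 allow` / `0.0.0.0/0 allow`; the only thing limiting exposure is that unbound binds to the internal anycast addresses. Since this file now owns the resolver, it would be the natural place to scope the rule with `networking.firewall.interfaces.<internal-iface>.allowedUDPPorts = [ 53 ];` (and the TCP counterpart) for the LAN-facing interfaces, and to tighten `access-control` to the internal prefixes. If the global rule is intentional, a comment explaining why the uplink is included would help.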
From f7b3336e417a7f4f518ea954cba68635ffe3f7df Mon Sep 17 00:00:00 2001 From: clerie Date: Sun, 14 Jul 2024 00:31:13 +0200 Subject: [PATCH 04/11] hosts/carbon: Move net-heimnetz to seperate file --- hosts/carbon/configuration.nix | 50 ++------------------------ hosts/carbon/net-heimnetz.nix | 66 ++++++++++++++++++++++++++++++++++ 2 files changed, 68 insertions(+), 48 deletions(-) create mode 100644 hosts/carbon/net-heimnetz.nix diff --git a/hosts/carbon/configuration.nix b/hosts/carbon/configuration.nix index 08bb266..63a8393 100644 --- a/hosts/carbon/configuration.nix +++ b/hosts/carbon/configuration.nix @@ -7,6 +7,7 @@ ../../configuration/router ./dns.nix + ./net-heimnetz.nix ./ppp.nix ]; @@ -47,23 +48,6 @@ id = 102; interface = "enp1s0"; }; - ## Heimnetz - networking.vlans."enp1s0.201" = { - id = 201; - interface = "enp1s0"; - }; - networking.bridges."net-heimnetz".interfaces = [ - "enp1s0.201" - "enp2s0" - ]; - networking.interfaces."net-heimnetz".ipv6.addresses = [ - { address = "fe80::1"; prefixLength = 64; } - { address = "fd00:152:152:4::1"; prefixLength = 64; } - { address = "2001:4cd8:100:1337::1"; prefixLength = 64; } # public IPs for local network - ]; - networking.interfaces."net-heimnetz".ipv4.addresses = [ - { address = "10.152.4.1"; prefixLength = 24; } - ]; ## Gastnetz networking.vlans."enp1s0.202" = { id = 202; @@ -98,12 +82,6 @@ services.radvd.enable = true; services.radvd.config = '' - interface net-heimnetz { - AdvSendAdvert on; - prefix 2001:4cd8:100:1337::/64 {}; - RDNSS fd00:152:152::1 {}; - DNSSL net.clerie.de {}; - }; interface enp1s0.202 { AdvSendAdvert on; prefix 2001:4cd8:100:1313::/64 {}; @@ -115,7 +93,7 @@ enable = true; settings = { interfaces-config = { - interfaces = [ "net-heimnetz" "enp1s0.202" "enp1s0.204" ]; + interfaces = [ "enp1s0.202" "enp1s0.204" ]; service-sockets-max-retries = 15; service-sockets-retry-wait-time = 2000; }; 
@@ -164,30 +142,6 @@ } ]; subnet4 = [ - # Heimnetz - { - id = 201; - subnet = "10.152.4.0/24"; - pools = [ - { - pool = "10.152.4.100 - 10.152.4.240"; - } - ]; - option-data = [ - { - name = "routers"; - data = "10.152.4.1"; - } - { - name = "domain-name-servers"; - data = "10.152.0.1"; - } - { - name = "domain-name"; - data = "net.clerie.de"; - } - ]; - } # Gastnetz { id = 202; diff --git a/hosts/carbon/net-heimnetz.nix b/hosts/carbon/net-heimnetz.nix new file mode 100644 index 0000000..60e0bc6 --- /dev/null +++ b/hosts/carbon/net-heimnetz.nix @@ -0,0 +1,66 @@ +{ ... }: + +{ + + ## Heimnetz + networking.vlans."enp1s0.201" = { + id = 201; + interface = "enp1s0"; + }; + networking.bridges."net-heimnetz".interfaces = [ + "enp1s0.201" + "enp2s0" + ]; + networking.interfaces."net-heimnetz".ipv6.addresses = [ + { address = "fe80::1"; prefixLength = 64; } + { address = "fd00:152:152:4::1"; prefixLength = 64; } + { address = "2001:4cd8:100:1337::1"; prefixLength = 64; } # public IPs for local network + ]; + networking.interfaces."net-heimnetz".ipv4.addresses = [ + { address = "10.152.4.1"; prefixLength = 24; } + ]; + + services.radvd.config = '' + interface net-heimnetz { + AdvSendAdvert on; + prefix 2001:4cd8:100:1337::/64 {}; + RDNSS fd00:152:152::1 {}; + DNSSL net.clerie.de {}; + }; + ''; + + services.kea.dhcp4 = { + settings = { + interfaces-config = { + interfaces = [ "net-heimnetz" ]; + }; + subnet4 = [ + # Heimnetz + { + id = 201; + subnet = "10.152.4.0/24"; + pools = [ + { + pool = "10.152.4.100 - 10.152.4.240"; + } + ]; + option-data = [ + { + name = "routers"; + data = "10.152.4.1"; + } + { + name = "domain-name-servers"; + data = "10.152.0.1"; + } + { + name = "domain-name"; + data = "net.clerie.de"; + } + ]; + } + ]; + }; + }; + +} From 332b70a4807c73d81a00546cc2256ae80636874f Mon Sep 17 00:00:00 2001 
From: clerie Date: Sun, 14 Jul 2024 00:37:48 +0200 Subject: [PATCH 05/11] hosts/carbon: Move net-gastnetz to seperate file --- hosts/carbon/configuration.nix | 47 ++----------------------- hosts/carbon/net-gastnetz.nix | 63 ++++++++++++++++++++++++++++++++++ 2 files changed, 65 insertions(+), 45 deletions(-) create mode 100644 hosts/carbon/net-gastnetz.nix diff --git a/hosts/carbon/configuration.nix b/hosts/carbon/configuration.nix index 63a8393..9508a93 100644 --- a/hosts/carbon/configuration.nix +++ b/hosts/carbon/configuration.nix @@ -7,6 +7,7 @@ ../../configuration/router ./dns.nix + ./net-gastnetz.nix ./net-heimnetz.nix ./ppp.nix ]; @@ -48,18 +49,6 @@ id = 102; interface = "enp1s0"; }; - ## Gastnetz - networking.vlans."enp1s0.202" = { - id = 202; - interface = "enp1s0"; - }; - networking.interfaces."enp1s0.202".ipv6.addresses = [ - { address = "fd00:3214:9453:4920::1"; prefixLength = 64; } - { address = "2001:4cd8:100:1313::1"; prefixLength = 64; } # public IPs for local network - ]; - networking.interfaces."enp1s0.202".ipv4.addresses = [ - { address = "192.168.32.1"; prefixLength = 24; } - ]; ## VoIP networking.vlans."enp1s0.204" = { id = 204; @@ -81,19 +70,12 @@ }; services.radvd.enable = true; - services.radvd.config = '' - interface enp1s0.202 { - AdvSendAdvert on; - prefix 2001:4cd8:100:1313::/64 {}; - RDNSS 2620:fe::fe 2620:fe::9 {}; # Quad 9 - }; - ''; services.kea.dhcp4 = { enable = true; settings = { interfaces-config = { - interfaces = [ "enp1s0.202" "enp1s0.204" ]; + interfaces = [ "enp1s0.204" ]; service-sockets-max-retries = 15; service-sockets-retry-wait-time = 2000; }; @@ -142,26 +124,6 @@ } ]; subnet4 = [ - # Gastnetz - { - id = 202; - subnet = "192.168.32.0/24"; - pools = [ - { - pool = "192.168.32.100 - 192.168.32.240"; - } - ]; - option-data = [ - { - name = "routers"; - data = "192.168.32.1"; - } - { - name = "domain-name-servers"; - data = "9.9.9.9,149.112.112.112"; # Quad 9 - } - ]; - } # VoIP { id = 204; 
@@ -209,11 +171,6 @@ }; clerie.firewall.enable = true; - clerie.firewall.extraForwardFilterCommands = '' - ip46tables -A forward-filter -i enp1s0.202 -o ppp-dtagdsl -j ACCEPT - ip46tables -A forward-filter -i enp1s0.202 -j DROP - ip46tables -A forward-filter -o enp1s0.202 -j DROP - ''; clerie.firewall.extraForwardMangleCommands = '' ip46tables -t mangle -A forward-mangle -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1416 ''; diff --git a/hosts/carbon/net-gastnetz.nix b/hosts/carbon/net-gastnetz.nix new file mode 100644 index 0000000..932c374 --- /dev/null +++ b/hosts/carbon/net-gastnetz.nix @@ -0,0 +1,63 @@ +{ ... }: + +{ + + ## Gastnetz + networking.vlans."enp1s0.202" = { + id = 202; + interface = "enp1s0"; + }; + networking.interfaces."enp1s0.202".ipv6.addresses = [ + { address = "fd00:3214:9453:4920::1"; prefixLength = 64; } + { address = "2001:4cd8:100:1313::1"; prefixLength = 64; } # public IPs for local network + ]; + networking.interfaces."enp1s0.202".ipv4.addresses = [ + { address = "192.168.32.1"; prefixLength = 24; } + ]; + + services.radvd.config = '' + interface enp1s0.202 { + AdvSendAdvert on; + prefix 2001:4cd8:100:1313::/64 {}; + RDNSS 2620:fe::fe 2620:fe::9 {}; # Quad 9 + }; + ''; + + services.kea.dhcp4 = { + settings = { + interfaces-config = { + interfaces = [ "enp1s0.202" ]; + }; + subnet4 = [ + # Gastnetz + { + id = 202; + subnet = "192.168.32.0/24"; + pools = [ + { + pool = "192.168.32.100 - 192.168.32.240"; + } + ]; + option-data = [ + { + name = "routers"; + data = "192.168.32.1"; + } + { + name = "domain-name-servers"; + data = "9.9.9.9,149.112.112.112"; # Quad 9 + } + ]; + } + ]; + }; + }; + + # net-gastnetz can only access internet + clerie.firewall.extraForwardFilterCommands = '' + ip46tables -A forward-filter -i enp1s0.202 -o ppp-dtagdsl -j ACCEPT + ip46tables -A forward-filter -i enp1s0.202 -j DROP + ip46tables -A forward-filter -o enp1s0.202 -j DROP + ''; + +} 
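Review bot: The comment `# net-gastnetz can only access internet` overstates what the three `forward-filter` rules do: they govern forwarded traffic only, so guest clients on enp1s0.202 can still reach any service the router itself listens on (port 53 from dns.nix, anything else in `allowedUDPPorts`/`allowedTCPPorts`) via the input chain. Either document that limitation — `# forward isolation only; router-local services are still reachable from the guest VLAN` — or add matching input-chain rules. The ACCEPT rule also hard-codes `ppp-dtagdsl`, which is defined in ppp.nix; guest traffic fails closed if that name ever changes or if the LTE uplink becomes the default route, which is safe but worth a note.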
From 8e88006abe80653e09781b7f8ba85b874a8c1ece Mon Sep 17 00:00:00 2001 From: clerie Date: Sun, 14 Jul 2024 00:43:47 +0200 Subject: [PATCH 06/11] hosts/carbon: Move net-voip to seperate file --- hosts/carbon/configuration.nix | 93 +---------------------------- hosts/carbon/net-voip.nix | 105 +++++++++++++++++++++++++++++++++ 2 files changed, 106 insertions(+), 92 deletions(-) create mode 100644 hosts/carbon/net-voip.nix diff --git a/hosts/carbon/configuration.nix b/hosts/carbon/configuration.nix index 9508a93..e585000 100644 --- a/hosts/carbon/configuration.nix +++ b/hosts/carbon/configuration.nix @@ -9,6 +9,7 @@ ./dns.nix ./net-gastnetz.nix ./net-heimnetz.nix + ./net-voip.nix ./ppp.nix ]; @@ -49,14 +50,6 @@ id = 102; interface = "enp1s0"; }; - ## VoIP - networking.vlans."enp1s0.204" = { - id = 204; - interface = "enp1s0"; - }; - networking.interfaces."enp1s0.204".ipv4.addresses = [ - { address = "10.152.33.1"; prefixLength = 24; } - ]; # Use Anycast Nameservers networking.nameservers = [ "fd00:152:152::1" "10.152.0.1" ]; @@ -75,7 +68,6 @@ enable = true; settings = { interfaces-config = { - interfaces = [ "enp1s0.204" ]; service-sockets-max-retries = 15; service-sockets-retry-wait-time = 2000; }; 
@@ -84,89 +76,6 @@ persist = true; type = "memfile"; }; - option-def = [ - { - space = "dhcp4"; - name = "vendor-encapsulated-options"; - code = 43; - type = "empty"; - encapsulate = "sipdect"; - } - { - space = "sipdect"; - name = "ommip1"; - code = 10; - type = "ipv4-address"; - } - { - space = "sipdect"; - name = "ommip2"; - code = 19; - type = "ipv4-address"; - } - { - space = "sipdect"; - name = "syslogip"; - code = 14; - type = "ipv4-address"; - } - { - space = "sipdect"; - name = "syslogport"; - code = 15; - type = "int16"; - } - { - space = "dhcp4"; - name = "magic_str"; - code = 224; - type = "string"; - } - ]; - subnet4 = [ - # VoIP - { - id = 204; - subnet = "10.152.33.0/24"; - pools = [ - { - pool = "10.152.33.10 - 10.152.33.200"; - } - ]; - option-data = [ - { - name = "routers"; - data = "10.152.33.1"; - } - ]; - - reservations = [ - { - hostname = "iridium"; - hw-address = "00:30:42:1B:8C:7C"; - ip-address = "10.152.33.11"; - option-data = [ - { - name = "host-name"; - data = "iridium"; - } - { - name = "vendor-encapsulated-options"; - } - { - space = "sipdect"; - name = "ommip1"; - data = "10.152.33.11"; - } - { - name = "magic_str"; - data = "OpenMobilitySIP-DECT"; - } - ]; - } - ]; - } - ]; }; }; diff --git a/hosts/carbon/net-voip.nix b/hosts/carbon/net-voip.nix new file mode 100644 index 0000000..3a816fc --- /dev/null +++ b/hosts/carbon/net-voip.nix 
@@ -0,0 +1,105 @@ +{ ... }: + +{ + + ## VoIP + networking.vlans."enp1s0.204" = { + id = 204; + interface = "enp1s0"; + }; + networking.interfaces."enp1s0.204".ipv4.addresses = [ + { address = "10.152.33.1"; prefixLength = 24; } + ]; + + services.kea.dhcp4 = { + settings = { + interfaces-config = { + interfaces = [ "enp1s0.204" ]; + }; + option-def = [ + { + space = "dhcp4"; + name = "vendor-encapsulated-options"; + code = 43; + type = "empty"; + encapsulate = "sipdect"; + } + { + space = "sipdect"; + name = "ommip1"; + code = 10; + type = "ipv4-address"; + } + { + space = "sipdect"; + name = "ommip2"; + code = 19; + type = "ipv4-address"; + } + { + space = "sipdect"; + name = "syslogip"; + code = 14; + type = "ipv4-address"; + } + { + space = "sipdect"; + name = "syslogport"; + code = 15; + type = "int16"; + } + { + space = "dhcp4"; + name = "magic_str"; + code = 224; + type = "string"; + } + ]; + subnet4 = [ + # VoIP + { + id = 204; + subnet = "10.152.33.0/24"; + pools = [ + { + pool = "10.152.33.10 - 10.152.33.200"; + } + ]; + option-data = [ + { + name = "routers"; + data = "10.152.33.1"; + } + ]; + + reservations = [ + { + hostname = "iridium"; + hw-address = "00:30:42:1B:8C:7C"; + ip-address = "10.152.33.11"; + option-data = [ + { + name = "host-name"; + data = "iridium"; + } + { + name = "vendor-encapsulated-options"; + } + { + space = "sipdect"; + name = "ommip1"; + data = "10.152.33.11"; + } + { + name = "magic_str"; + data = "OpenMobilitySIP-DECT"; + } + ]; + } + ]; + } + ]; + }; + }; + +} From 090e2d6e483187789bf4934469c99d5d90a4e2c4 Mon Sep 17 00:00:00 2001 From: clerie Date: Sun, 14 Jul 2024 00:46:22 +0200 Subject: [PATCH 07/11] hosts/carbon: Move net-dsl to seperate file --- hosts/carbon/configuration.nix | 14 +------------- hosts/carbon/net-dsl.nix | 19 +++++++++++++++++++ 2 files changed, 20 insertions(+), 13 deletions(-) create mode 100644 hosts/carbon/net-dsl.nix 
diff --git a/hosts/carbon/configuration.nix b/hosts/carbon/configuration.nix index e585000..973c800 100644 --- a/hosts/carbon/configuration.nix +++ b/hosts/carbon/configuration.nix @@ -7,6 +7,7 @@ ../../configuration/router ./dns.nix + ./net-dsl.nix ./net-gastnetz.nix ./net-heimnetz.nix ./net-voip.nix @@ -32,19 +33,6 @@ { address = "10.152.0.1"; prefixLength = 32; } # Anycast ]; # Network - ## DSL-Uplink - networking.vlans."enp1s0.7" = { - id = 7; - interface = "enp1s0"; - }; - networking.vlans."enp3s0.7" = { - id = 7; - interface = "enp3s0"; - }; - networking.bridges."net-dsl".interfaces = [ - "enp1s0.7" - "enp3s0.7" - ]; ## LTE-Uplink networking.vlans."enp1s0.102" = { id = 102; diff --git a/hosts/carbon/net-dsl.nix b/hosts/carbon/net-dsl.nix new file mode 100644 index 0000000..b67ae33 --- /dev/null +++ b/hosts/carbon/net-dsl.nix @@ -0,0 +1,19 @@ +{ ... }: + +{ + + ## DSL-Uplink + networking.vlans."enp1s0.7" = { + id = 7; + interface = "enp1s0"; + }; + networking.vlans."enp3s0.7" = { + id = 7; + interface = "enp3s0"; + }; + networking.bridges."net-dsl".interfaces = [ + "enp1s0.7" + "enp3s0.7" + ]; + +} From 38345f6dbe6faecc69500d5d96ee5ad946b61140 Mon Sep 17 00:00:00 2001 From: clerie Date: Sun, 14 Jul 2024 00:49:52 +0200 Subject: [PATCH 08/11] hosts/carbon: Move DNS specific network config to DNS file --- hosts/carbon/configuration.nix | 10 ---------- hosts/carbon/dns.nix | 11 +++++++++++ 2 files changed, 11 insertions(+), 10 deletions(-) diff --git a/hosts/carbon/configuration.nix b/hosts/carbon/configuration.nix index 973c800..3c9b480 100644 --- a/hosts/carbon/configuration.nix +++ b/hosts/carbon/configuration.nix 
@@ -25,13 +25,6 @@ "; networking.useDHCP = false; - # Local Router IPs - networking.interfaces.lo.ipv6.addresses = [ - { address = "fd00:152:152::1"; prefixLength = 128; } # Anycast - ]; - networking.interfaces.lo.ipv4.addresses = [ - { address = "10.152.0.1"; prefixLength = 32; } # Anycast - ]; # Network ## LTE-Uplink networking.vlans."enp1s0.102" = { @@ -39,9 +32,6 @@ interface = "enp1s0"; }; - # Use Anycast Nameservers - networking.nameservers = [ "fd00:152:152::1" "10.152.0.1" ]; - networking.nat = { enableIPv6 = true; enable = true; diff --git a/hosts/carbon/dns.nix b/hosts/carbon/dns.nix index 2019726..9d935cc 100644 --- a/hosts/carbon/dns.nix +++ b/hosts/carbon/dns.nix @@ -2,6 +2,14 @@ { + # Loopbacks for DNS resolver IPs + networking.interfaces.lo.ipv6.addresses = [ + { address = "fd00:152:152::1"; prefixLength = 128; } # Anycast + ]; + networking.interfaces.lo.ipv4.addresses = [ + { address = "10.152.0.1"; prefixLength = 32; } # Anycast + ]; + networking.firewall.allowedUDPPorts = [ 53 ]; networking.firewall.allowedTCPPorts = [ 53 ]; @@ -20,4 +28,7 @@ }; }; + # Use Anycast Nameservers + networking.nameservers = [ "fd00:152:152::1" "10.152.0.1" ]; + } From 9102d40958001abb4ba7937e7b0ae03cae8cebcd Mon Sep 17 00:00:00 2001 From: clerie Date: Sun, 14 Jul 2024 00:51:49 +0200 Subject: [PATCH 09/11] hosts/carbon: Move MSS clamping to PPP config --- hosts/carbon/configuration.nix | 3 --- hosts/carbon/ppp.nix | 4 ++++ 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/hosts/carbon/configuration.nix b/hosts/carbon/configuration.nix index 3c9b480..d877a9e 100644 --- a/hosts/carbon/configuration.nix +++ b/hosts/carbon/configuration.nix @@ -58,9 +58,6 @@ }; clerie.firewall.enable = true; - clerie.firewall.extraForwardMangleCommands = '' - ip46tables -t mangle -A forward-mangle -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1416 - ''; clerie.monitoring = { enable = true; 
diff --git a/hosts/carbon/ppp.nix b/hosts/carbon/ppp.nix index 7c09f21..a97289e 100644 --- a/hosts/carbon/ppp.nix +++ b/hosts/carbon/ppp.nix @@ -53,4 +53,8 @@ ]; }; + clerie.firewall.extraForwardMangleCommands = '' + ip46tables -t mangle -A forward-mangle -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1416 + ''; + } From e12888edbdb0c04993074b088d651237a998c7af Mon Sep 17 00:00:00 2001 From: clerie Date: Sun, 14 Jul 2024 00:56:07 +0200 Subject: [PATCH 10/11] hosts/carbon: Move net-lte to seperate file --- hosts/carbon/configuration.nix | 7 +------ hosts/carbon/net-lte.nix | 11 +++++++++++ 2 files changed, 12 insertions(+), 6 deletions(-) create mode 100644 hosts/carbon/net-lte.nix diff --git a/hosts/carbon/configuration.nix b/hosts/carbon/configuration.nix index d877a9e..b97e2fe 100644 --- a/hosts/carbon/configuration.nix +++ b/hosts/carbon/configuration.nix @@ -10,6 +10,7 @@ ./net-dsl.nix ./net-gastnetz.nix ./net-heimnetz.nix + ./net-lte.nix ./net-voip.nix ./ppp.nix ]; @@ -25,12 +26,6 @@ "; networking.useDHCP = false; - # Network - ## LTE-Uplink - networking.vlans."enp1s0.102" = { - id = 102; - interface = "enp1s0"; - }; networking.nat = { enableIPv6 = true; diff --git a/hosts/carbon/net-lte.nix b/hosts/carbon/net-lte.nix new file mode 100644 index 0000000..3a6f2d0 --- /dev/null +++ b/hosts/carbon/net-lte.nix @@ -0,0 +1,11 @@ +{ ... }: + +{ + + ## LTE-Uplink + networking.vlans."enp1s0.102" = { + id = 102; + interface = "enp1s0"; + }; + +} From 3a3105a58e84b9f781fe8e3ac2a61c72ad90ce90 Mon Sep 17 00:00:00 2001 From: Flake Update Bot Date: Sun, 14 Jul 2024 01:07:09 +0200 Subject: [PATCH 11/11] Update nixpkgs 2024-07-13-23-05 --- flake.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/flake.lock b/flake.lock index 58bceda..868e8d9 100644 --- a/flake.lock +++ b/flake.lock 
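Review bot: The moved rule still hard-codes `--set-mss 1416`, which is the old `mtu 1456` minus 40 bytes of IPv4/TCP header; it now sits next to the dtagdsl peer whose MTU is different, so the two values will drift. Either recompute it from the peer MTU with a comment, or use `ip46tables -t mangle -A forward-mangle -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu` so it follows the PPP interface MTU automatically. The rule appears to have no `-i`/`-o` match on purpose: with a public IPv6 prefix routed to the LAN, SYNs arriving via the uplink need clamping as well, and a comment saying so would stop a later reader from narrowing it to `-o ppp-dtagdsl`.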
@@ -268,11 +268,11 @@ }, "nixpkgs_3": { "locked": { - "lastModified": 1719848872, - "narHash": "sha256-H3+EC5cYuq+gQW8y0lSrrDZfH71LB4DAf+TDFyvwCNA=", + "lastModified": 1720768451, + "narHash": "sha256-EYekUHJE2gxeo2pM/zM9Wlqw1Uw2XTJXOSAO79ksc4Y=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "00d80d13810dbfea8ab4ed1009b09100cca86ba8", + "rev": "7e7c39ea35c5cdd002cd4588b03a3fb9ece6fad9", "type": "github" }, "original": {