profiles/ds-lite: Connect to Netcologne with PPP DS-Lite

2025-10-27 21:26:28 +01:00
parent 44afbff445
commit f3629c2653
10 changed files with 307 additions and 1 deletions
--- a/hosts/carbon/ppp-ncfttb.nix
+++ b/hosts/carbon/ppp-ncfttb.nix
@@ -0,0 +1,63 @@
+{ config, pkgs, lib, ... }:
+
+{
+
+  services.pppd = {
+    enable = true;
+    peers.ncfttb = {
+      config = ''
+        plugin pppoe.so net-dsl
+        user "''${PPPD_NETCOLOGNE_USERNAME}"
+        ifname ppp-ncfttb
+        persist
+        maxfail 0
+        holdoff 5
+        noipdefault
+        lcp-echo-interval 20
+        lcp-echo-failure 3
+        mtu 1492
+        hide-password
+        defaultroute
+        +ipv6
+        debug
+      '';
+    };
+  };
+
+  environment.etc."ppp/peers/ncfttb".enable = false;
+
+  systemd.services."pppd-ncfttb".serviceConfig = let
+    preStart = ''
+      mkdir -p /etc/ppp/peers
+
+      # Created files only readable by root
+      umask u=rw,g=,o=
+
+      # Copy config and substitute username
+      rm -f /etc/ppp/peers/ncfttb
+      ${pkgs.envsubst}/bin/envsubst -i "${config.environment.etc."ppp/peers/ncfttb".source}" > /etc/ppp/peers/ncfttb
+
+      # Copy login secrets
+      rm -f /etc/ppp/pap-secrets
+      cat ${config.sops.secrets.pppd-ncfttb-secrets.path} > /etc/ppp/pap-secrets
+      rm -f /etc/ppp/chap-secrets
+      cat ${config.sops.secrets.pppd-ncfttb-secrets.path} > /etc/ppp/chap-secrets
+    '';
+
+    preStartFile = pkgs.writeShellApplication {
+      name = "pppd-ncfttb-pre-start";
+      text = preStart;
+    };
+  in {
+    EnvironmentFile = config.sops.secrets.pppd-ncfttb-username.path;
+    ExecStartPre = [
+      # "+" marks script to be executed without priviledge restrictions
+      "+${lib.getExe preStartFile}"
+    ];
+  };
+
+  clerie.firewall.extraForwardMangleCommands = ''
+    ip46tables -t mangle -A forward-mangle -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+  '';
+
+}