clerie/nixfiles
1
0
Fork 0
Code Activity
Files
5fb579b9ed7d81a6f6e16dd9a2369d3f1fe232ca
nixfiles/hosts/carbon/ppp-ncfttb.nix

110 lines
2.9 KiB
Nix
Raw Blame History

{ config, pkgs, lib, ... }:
{
services.pppd = {
enable = true;
peers.ncfttb = {
config = ''
plugin pppoe.so enp3s0.10
user "''${PPPD_NETCOLOGNE_USERNAME}"
ifname ppp-ncfttb
persist
maxfail 0
holdoff 5
noipdefault
lcp-echo-interval 20
lcp-echo-failure 3
mtu 1492
hide-password
defaultroute
+ipv6
debug
'';
};
};
environment.etc."ppp/peers/ncfttb".enable = false;
systemd.services."pppd-ncfttb".serviceConfig = let
preStart = ''
mkdir -p /etc/ppp/peers
# Created files only readable by root
umask u=rw,g=,o=
# Copy config and substitute username
rm -f /etc/ppp/peers/ncfttb
${pkgs.envsubst}/bin/envsubst -i "${config.environment.etc."ppp/peers/ncfttb".source}" > /etc/ppp/peers/ncfttb
# Copy login secrets
rm -f /etc/ppp/pap-secrets
cat ${config.sops.secrets.pppd-ncfttb-secrets.path} > /etc/ppp/pap-secrets
rm -f /etc/ppp/chap-secrets
cat ${config.sops.secrets.pppd-ncfttb-secrets.path} > /etc/ppp/chap-secrets
'';
preStartFile = pkgs.writeShellApplication {
name = "pppd-ncfttb-pre-start";
text = preStart;
};
in {
EnvironmentFile = config.sops.secrets.pppd-ncfttb-username.path;
ExecStartPre = [
# "+" marks script to be executed without priviledge restrictions
"+${lib.getExe preStartFile}"
];
};
environment.etc."ppp/ipv6-up" = {
text = ''
#! ${pkgs.runtimeShell} -e
${pkgs.systemd}/bin/systemctl restart --no-block "ppp-setup-interface-queues@''${IFNAME}.service"
${pkgs.systemd}/bin/systemctl restart --no-block ds-lite-dhcpcd.service
'';
mode = "555";
};
systemd.services."ppp-setup-interface-queues@".serviceConfig = let
setup-interface-queues = pkgs.clerie-build-support.writePythonScript {
name = "setup-interface-queues";
text = ''
import multiprocessing
from pathlib import Path
import sys
interface_name = sys.argv[1]
print(f"New ppp interface: {interface_name}")
num_cpus = multiprocessing.cpu_count()
print(f"Detected {num_cpus} cpus")
bitmask = "1" * num_cpus
hexmask = "{:x}".format(int(bitmask, 2))
rps_cpus = Path(f"/sys/class/net/{interface_name}/queues/rx-0/rps_cpus")
rps_cpus.write_text(hexmask)
print(f"Wrote hexmask {hexmask} to {rps_cpus}")
'';
};
in {
Type = "oneshot";
ExecStart = "${lib.getExe setup-interface-queues} %i";
};
clerie.firewall.extraForwardMangleCommands = ''
ip46tables -t mangle -A forward-mangle -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
'';
networking.firewall.extraCommands = ''
# Reject all IPv4 traffic that tries to enter and leave the PPP tunnel
iptables -I INPUT -i ppp-ncfttb -j DROP
iptables -I OUTPUT -o ppp-ncfttb -j DROP
'';
}
View Git Blame Copy Permalink