
Compare commits


163 Commits

Author SHA1 Message Date
Frank Waßmuth
e8d4a82581 Add temperature metrics 2022-08-04 10:27:59 +02:00
Frank Waßmuth
6765bdf0c2 Add moonbeam and sunbread to prometheus 2022-08-04 10:27:37 +02:00
aece0896cf dns: fix typo in ip address 2022-08-01 11:59:02 +02:00
5e3c65b2b3 router, dns: fix IP to MAC assignment and add dns records for programmtresen signage 2022-08-01 11:54:24 +02:00
Garionion
5eb12ec443 dns: add more lama stuff 2022-08-01 09:31:42 +02:00
Ember 'n0emis' Keske
87367833a2 add static dhcp lease for simens logo stechuhr 2022-07-31 21:31:58 +02:00
Ember 'n0emis' Keske
d10376aaff scrape energy exporter 2022-07-31 19:38:16 +02:00
Frank Waßmuth
6facda326c Switch config field changes 2022-07-31 16:31:07 +02:00
Frank Waßmuth
7e37d9639e Add YATE and wifi monitoring 2022-07-31 16:30:17 +02:00
Garionion
b6647f9d5f dns: add proxmox dns names 2022-07-31 12:22:50 +02:00
Ember 'n0emis' Keske
e115148551 switch v6 for lama-vms 2022-07-30 21:01:10 +02:00
Ember 'n0emis' Keske
08794fa4f2 add dhcp-reservations for signage-pis at programmtresen 2022-07-30 16:16:45 +02:00
Ember 'n0emis' Keske
d93cf6545e monitor sw-post 2022-07-30 09:41:18 +02:00
Frank Waßmuth
d29e9eb897 Add sw-post and sw-international 2022-07-30 08:31:04 +02:00
Garionion
1473916e4a router: set mtu for uplink 2022-07-28 20:28:50 +02:00
a8bf30238b router: add net-audio and net-trabantenst 2022-07-28 20:00:50 +02:00
Jannik
b2676162e7 feat(sipgate-balance-exporter): add script 2022-07-28 14:25:00 +02:00
Frank Waßmuth
3966204fce Remove duplicate DNS targets 2022-07-28 10:03:30 +02:00
c3ddfd015f monitoring: remove sw-zoll-container 2022-07-27 22:26:43 +02:00
Frank Waßmuth
eaba415941 Add BLL and Finanzen switches 2022-07-27 20:51:05 +02:00
dae6c3d80f router: Allow monitoring to access iot network to check webcam 2022-07-27 17:59:20 +02:00
Jannik
516954f6b2 feat(dns): add karte.bula 2022-07-27 17:09:54 +02:00
Garionion
570f393692 router: use QinQ for uplink b 2022-07-27 15:25:12 +02:00
Garionion
2d092ea970 router: use QinQ for uplink 2022-07-27 12:32:34 +02:00
Frank Waßmuth
635de06441 Add switch config backups 2022-07-27 11:27:28 +02:00
8a9a9f92e0 router: restart dhcpcd on ppp interface creation 2022-07-27 10:08:50 +02:00
Garionion
36e16a4c7b dns: allow more prometheus ports 2022-07-27 10:02:24 +02:00
Frank Waßmuth
c1ab152393 Add sw-finanzen to DNS 2022-07-27 09:32:53 +02:00
70761b0962 router: add net-fuf and net-mav 2022-07-26 21:48:33 +02:00
6021663fde router: open firewall for drucker 2022-07-26 16:26:00 +02:00
Garionion
5c7a8e1f51 kea: add reservation for mkay 2022-07-26 15:12:44 +02:00
Garionion
377e493d0b dns: add pbs entry 2022-07-26 15:12:22 +02:00
86b45bae8e router, pre-router: move wireguard tunnel and change default route for router 2022-07-26 14:40:07 +02:00
Jannik
30cd7a9f39 fix(radius): fix vlan assignment and export to csv 2022-07-26 11:30:06 +02:00
Jannik
54794f2611 feat(radius): add password generation script 2022-07-25 23:02:46 +02:00
Garionion
29b52957db dns: fix lama zonefiles 2022-07-25 21:38:06 +02:00
Garionion
d1f516f663 dhcp,dns: add drucker 2022-07-25 21:34:20 +02:00
Garionion
b47fd3e452 monitoring: add lama zones to dns scraper 2022-07-25 21:28:53 +02:00
Garionion
65d0ae87d4 dns: fix lama records 2022-07-25 21:28:17 +02:00
Frank Waßmuth
131f076dac Extend scrape_timeout for waldbrandgefahr 2022-07-25 19:59:06 +02:00
Garionion
a8a3b00786 dns: remove query logging 2022-07-25 19:52:23 +02:00
Garionion
6f7d943321 dns: add reverse dns for sw-bll 2022-07-25 19:22:16 +02:00
Frank Waßmuth
8b5d4493e6 Add sw-bll to DNS zone 2022-07-25 19:18:09 +02:00
Garionion
d96fd92ec9 monitoring: fix snmp exporter scraper config 2022-07-25 19:13:38 +02:00
Garionion
dfe76ccf37 dns: add lama zone configs 2022-07-25 19:13:17 +02:00
Jannik
325422a046 feat(monitorign): add webcam host for ping4 2022-07-25 19:00:20 +02:00
Garionion
1ec3655036 monitoring: fix prometheus snmp restart trigger 2022-07-25 17:31:40 +02:00
Jannik
269fa2a67a feat(webcam): add ipv4 reservation and dns entry 2022-07-25 17:30:31 +02:00
Garionion
abffec3644 router: radvd: set max ra interval to 30s 2022-07-25 16:49:49 +02:00
Garionion
86089df76e router: radvd: set preferred lifetime 2022-07-25 16:38:34 +02:00
Ember 'n0emis' Keske
1e5722812d add eapol_test to radius 2022-07-25 15:29:16 +02:00
Jannik
dce2d5483d debug(yate): make yate more verbose again because we're definitely not done with ring ring stuff 2022-07-25 11:37:56 +02:00
Ember 'n0emis' Keske
536630fdd4 radius: open firewall 2022-07-25 09:33:15 +02:00
Ember 'n0emis' Keske
9b9836b518 add wlan/dect-ports on sw-hospital 2022-07-25 09:31:27 +02:00
Ember 'n0emis' Keske
f4befb017a fix dialin 2022-07-25 09:31:19 +02:00
Jannik
6524dfc30e feat(yate): add snmp monitoring 2022-07-24 17:42:43 +02:00
Ember 'n0emis' Keske
d7c5c4c0f6 yate: ignorevia 2022-07-24 17:34:17 +02:00
Frank Waßmuth
3517e542ba Add modules if_mib and juniper_ex 2022-07-24 17:28:37 +02:00
Garionion
8ca8023dfd add restart triggers to coredns and prometheus 2022-07-24 17:15:18 +02:00
Garionion
2ff4a27d5b monitoring: set retention time to 90d 2022-07-24 16:54:14 +02:00
Garionion
b5e87117aa monitoring: add snmp exporter 2022-07-24 16:52:54 +02:00
Garionion
29f8c7daf4 dns: tune cache 2022-07-24 15:27:51 +02:00
Garionion
4f54e9dd7c dns: add lightbuffet cname 2022-07-24 15:27:30 +02:00
Ember 'n0emis' Keske
87accba9fc add sipgate-secrets 2022-07-24 12:10:45 +02:00
a4f62080b9 router: fix typo in ip address reservation 2022-07-23 23:31:53 +02:00
Ember 'n0emis' Keske
65b5314961 add dhcp-reservation for printer in technik-container 2022-07-23 22:19:06 +02:00
Garionion
2b30463093 monitoring: use nginx in front of influxdb 2022-07-23 21:03:55 +02:00
Ember 'n0emis' Keske
b2e9cda162 sw-trchnik-container: add technik-vlan to all interfaces 2022-07-23 21:02:56 +02:00
Frank Waßmuth
a95d49e42d Add user fw 2022-07-23 20:48:31 +02:00
Ember 'n0emis' Keske
381ded8b42 switches: add everything else 2022-07-23 20:45:31 +02:00
Garionion
5f0fef8c86 dns: add map server 2022-07-23 18:51:31 +02:00
Garionion
9b1889f048 monitoring: add influxdb 2022-07-23 18:21:30 +02:00
431f07bf9a router (ppp): set explicit executable paths for ip in pppd scripts 2022-07-23 17:55:31 +02:00
Ember 'n0emis' Keske
639faa93d8 disable rp-filter on router 2022-07-23 17:04:54 +02:00
Ember 'n0emis' Keske
7f6c224c23 router: add ppp-secrets 2022-07-23 16:46:03 +02:00
Ember 'n0emis' Keske
d2474d943f switches: add "vlan-rewriting"-hack for uplink 2022-07-23 16:24:18 +02:00
Garionion
f340e366f9 dns: add default v4 gateway 2022-07-23 15:57:36 +02:00
Ember 'n0emis' Keske
39f6c0535d add switches with high priority 2022-07-22 17:08:13 +02:00
Ember 'n0emis' Keske
0df7922303 initialize siwt switch configs 2022-07-22 14:45:41 +02:00
Ember 'n0emis' Keske
1f5083c692 nerd: update 2022-07-21 11:27:38 +02:00
Ember 'n0emis' Keske
0990d12094 add route to telephony-networks via yate 2022-07-21 09:53:52 +02:00
Ember 'n0emis' Keske
a656e4b331 remove pre-yate-n0emis 2022-07-21 09:31:43 +02:00
Ember 'n0emis' Keske
fa8c8d4853 add fieldpoc systemd-service 2022-07-21 09:22:40 +02:00
Ember 'n0emis' Keske
03957afd7e add fieldpoc dect claim script 2022-07-21 00:55:10 +02:00
Ember 'n0emis' Keske
9795ed55b8 nerd: only allow export from services-net 2022-07-20 23:58:11 +02:00
Ember 'n0emis' Keske
138bddf30b update nerd 2022-07-20 22:36:44 +02:00
b348139d03 monitoring: add influxdb 2022-07-20 20:35:32 +02:00
016fc3376b radius: add freeradius 2022-07-20 18:23:18 +02:00
3b29bb9aaf pre-router: find way to router 2022-07-20 18:11:49 +02:00
350cdfeab5 router, dns: add net-ikt-toys 2022-07-20 17:52:09 +02:00
03d018d8b8 router (net-services): remove mtu advertisement 2022-07-20 11:41:00 +02:00
c6e03d86fb pre-router: clean up config and tune some settings to find out mtu issues and realise it was policy routing 2022-07-20 11:34:27 +02:00
48ce5d9886 router (net-technik-ikt): enable IPv6 2022-07-20 11:03:20 +02:00
cc202233c0 router (net-services): advertise a lower mtu 2022-07-20 10:56:06 +02:00
b1d2815f3a monitoring, router, radius: monitor more hosts 2022-07-20 10:40:46 +02:00
02ca6f4d05 monitoring: fix broken targets 2022-07-20 10:40:46 +02:00
Ember 'n0emis' Keske
4741d1b67c yate: configure firewall 2022-07-20 09:20:39 +02:00
Ember 'n0emis' Keske
a70b6b35f1 add config gor yate-dialup 2022-07-20 09:07:32 +02:00
4e4edaa87b pre-router: remove probably buggy firewall rule 2022-07-19 22:23:05 +02:00
deb0644e2e monitoring: add Waldbrandgefahrenstufen Exporter 2022-07-19 22:15:17 +02:00
cebb4d8ca0 monitoring: check IPv6 and IPv4 seperately 2022-07-18 23:21:59 +02:00
b0f4f0d161 radius: add host 2022-07-18 21:08:09 +02:00
215575706c dns: sync bula22.de zone with public dns 2022-07-17 23:35:25 +02:00
825614338d monitoring: check yate-dialup 2022-07-17 23:30:07 +02:00
d1ed14bb03 monitoring: remove custom dns 2022-07-17 23:28:10 +02:00
Ember 'n0emis' Keske
b786ddfd60 fix issue with dnssec and networkd 2022-07-17 23:10:29 +02:00
Ember 'n0emis' Keske
5d1bca33e1 yate-dialup: bootstrap host 2022-07-17 23:01:55 +02:00
Garionion
fa1a83155b dns: fix reverse dns 2022-07-17 18:20:14 +02:00
c2dc781ac7 pre-router: remove local nameserver 2022-07-17 15:46:05 +02:00
56db344be8 router, pre-router: move DHCP server 2022-07-17 15:34:17 +02:00
bbf2c50235 router, pre-router: move public gateway address to router 2022-07-17 15:22:28 +02:00
f6fdbf038f router: add ula, ll gateway address and enable router advertisements 2022-07-17 15:10:55 +02:00
2f84e34fe4 router: explicitly use pre-router as default gateways and dns as nameserver 2022-07-17 15:05:25 +02:00
87b8d2f906 router: policyrouting for tunneld IPv6 prefix via pre-router 2022-07-17 14:04:54 +02:00
85d1c14561 pre-router: use internal nameserver 2022-07-17 13:52:49 +02:00
7ed6752ba1 pre-router: renumber IPv4 too 2022-07-17 13:41:37 +02:00
06e5cfd526 pre-router: Make deployment via nixdeploy possible and begin renumbering 2022-07-17 13:28:28 +02:00
Garionion
0efd5e0c76 dns: add zonefiles to environment 2022-07-17 13:19:13 +02:00
Garionion
6ef7c9f40f dns: add yate-dialup dns entries 2022-07-17 13:18:51 +02:00
1d03f8764c dns (zonefiles): Fix SOA records for reverse dns zones 2022-07-17 12:59:11 +02:00
65fac93593 policyrouting: Move ip rule magic to a dedicated module 2022-07-17 12:24:51 +02:00
ee46c9855f router (prefix-delegation): fix typo 2022-07-17 11:33:18 +02:00
Ember 'n0emis' Keske
4300a66aaf bootstrap host yate 2022-07-16 21:32:14 +02:00
Garionion
a3a3502b70 dns: add prometheus scrape target 2022-07-16 19:34:10 +02:00
7d097ff1d0 zone bula22.de: add soa record 2022-07-15 19:58:09 +02:00
Garionion
eee5f2e55e pre-router: remove unbound, use quad9 2022-07-15 10:38:30 +02:00
Garionion
bfa4b3717f dns: forward to quad9, add bul22.de zonefiles 2022-07-15 10:34:35 +02:00
Garionion
a8b30591ee dns: add prometheus exporter 2022-07-15 10:06:48 +02:00
Garionion
df8f9c1c83 pre-router: fix dns name 2022-07-15 09:42:36 +02:00
8377807d78 Prepare IPv6 prefix delegation 2022-07-15 02:35:35 +02:00
55930601ae Simplify radvd config 2022-07-15 01:28:54 +02:00
c282f5e1f4 Prepare source routing 2022-07-15 01:16:51 +02:00
438e3f7099 Do not enable forward-filter by default 2022-07-14 23:38:51 +02:00
a195a4b663 Enable nat on router uplinks 2022-07-14 23:32:21 +02:00
c028780b55 Add reverse pointer zone files 2022-07-14 23:10:42 +02:00
e9ab5ba295 Add zonefile for bula22.de 2022-07-14 22:44:45 +02:00
Garionion
282bc4abc4 dns: add hw config, set dns server as default, fix firewall rule 2022-07-14 22:15:55 +02:00
Garionion
2cd8228880 dns: fix firewall rule 2022-07-14 21:39:15 +02:00
Garionion
faacafd4f5 remove duplicate config 2022-07-14 21:07:14 +02:00
Garionion
e1fe7b9bdb update coredns plugin patch 2022-07-14 21:06:36 +02:00
Garionion
750e87181a enable qemu guest agent per default 2022-07-14 21:05:07 +02:00
Garionion
37c2affac9 add dns server 2022-07-14 21:04:27 +02:00
a7087402f0 Bootstrap ppp config 2022-07-13 22:52:50 +02:00
d8e929181f Apply firewall rules to all interfaces on router 2022-07-13 22:17:53 +02:00
2024601135 Fix formatting for net-services config 2022-07-13 22:05:55 +02:00
239033d716 Rename network file 2022-07-13 22:04:01 +02:00
Ember 'n0emis' Keske
372df6b9f6 reencrypt secrets for clerie 2022-07-13 21:58:02 +02:00
7b29f56fb6 Add clerie to sops 2022-07-13 21:55:35 +02:00
4970413c15 Add forward filter module 2022-07-13 21:47:13 +02:00
Ember 'n0emis' Keske
5c08252e82 add secret handling via sops, configure nerd 2022-07-13 21:40:27 +02:00
e1ec254cf0 Enable IP forward to router 2022-07-13 21:22:46 +02:00
Ember 'n0emis' Keske
8481fbf42b adjust network config for nerd and remove old ip from nixdeploy 2022-07-13 20:02:56 +02:00
ed7db374c5 Apply router interfaces 2022-07-13 19:13:35 +02:00
527c55ba6b Bootstrap router interfaces 2022-07-12 23:36:05 +02:00
Jannik
61fc84ba36 fix(users): add password for jannik 2022-07-12 22:09:43 +02:00
7c62f537ab Enable jannik user 2022-07-12 21:51:38 +02:00
3c07172107 Add router 2022-07-12 20:33:17 +02:00
d2dc306be2 Renumber nixdeploy 2022-07-12 19:20:21 +02:00
6d7594314e Add user jannik 2022-07-12 18:34:46 +02:00
Ember 'n0emis' Keske
517ac86a3c package nerd 2022-07-12 11:04:14 +02:00
33e9ba8725 Increase scrape interval 2022-07-12 01:58:11 +02:00
014228f0f9 Add ICMP probe for core infrastructure 2022-07-12 01:40:18 +02:00
b86b8efa9c Enable starship for zsh only 2022-07-11 23:22:12 +02:00
107 changed files with 11973 additions and 319 deletions

.sops.yaml Normal file

@@ -0,0 +1,36 @@
keys:
- &admin_clerie DD2D88B9FCB74C81E6F63AAD5B5D448C88684BC3
- &admin_n0emis 6E10217E3187069E057DF5ABE0262A773B824745
- &host_router age1ghrvqrw92y355qw2m48jxvlu34pxf9c68nkus9lspfm05nes63gqmh5av5
- &host_nerd age1x69924s94z4k7s50utyuqrwshpt8p8yzwaxny2gle7yeyg4w3spqml95mu
- &host_yate age10pxa70g3ekxdrk788l52s93a6ftavdw3r8x6d23gmsluudmwq3asmu6ah9
- &host_yate_dialup age14zsha5c5238v6hzchdfkjgjjwzc2qc79tl0ngmqrdquck5f945zs35vps4
creation_rules:
- path_regex: hosts/router/.*
key_groups:
- pgp:
- *admin_clerie
- *admin_n0emis
age:
- *host_router
- path_regex: hosts/nerd/.*
key_groups:
- pgp:
- *admin_clerie
- *admin_n0emis
age:
- *host_nerd
- path_regex: hosts/yate/.*
key_groups:
- pgp:
- *admin_clerie
- *admin_n0emis
age:
- *host_yate
- path_regex: hosts/yate-dialup/.*
key_groups:
- pgp:
- *admin_clerie
- *admin_n0emis
age:
- *host_yate_dialup
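Review bot: Adding a key to `keys` and to a `creation_rules` entry here only changes the recipient set of files encrypted after the edit; an existing `hosts/<host>/secrets.yaml` keeps its old recipients until `sops updatekeys hosts/<host>/secrets.yaml` is run, so a newly added admin or a rotated host key will not decrypt the files that are already there. A header comment would spare the next person a confusing decrypt failure, e.g. `# After changing keys or creation_rules, run 'sops updatekeys <file>' on every existing secrets file.` The `path_regex` values also appear to be matched unanchored, so `^hosts/router/` is safer than `hosts/router/.*` should the repository ever grow a similarly named path elsewhere.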


@@ -16,3 +16,20 @@ There is a special case for the nixdeploy-host:
./deploy.sh apply-local switch --sudo --node nixdeploy
```
## Secrets
Secrets are managed with sops, see https://github.com/Mic92/sops-nix
To **add yourself**, follow steps 2 and 4 of above mentioned README and add yourself to `.sops.yaml` in `keys` and all creation rules.
To **add a new host**, configure a creation rule in `.sops.yaml`,
configure the key (e.g. fetch it with `nix-shell -p ssh-to-age --run 'ssh-keyscan hostname.bula22.de | ssh-to-age'` and add it to `keys`.
Then you can create a secrets file with `nix-shell -p sops --run "sops hosts/hostname/secrets.yaml"`, add your secrets and then configure your secrets. Example:
```nix
sops.secrets.nerd_secret = {
sopsFile = ./secrets.yaml;
owner = "nerd";
restartUnits = [ "nerd.service" ];
};
```
Your secret will then be available in `/run/secrets/secret_name`.


@@ -5,10 +5,13 @@
# Set your time zone.
time.timeZone = "Europe/Berlin";
# networking.useDHCP = false; TODO: why was this globally disabled?
# networking.useDHCP = false; TODO: why was this globally disabled? Because it should be! DHCP should only be enabled per interface.
networking.firewall.allowedTCPPorts = [ 19999 ];
services.netdata.enable = true;
networking.nameservers = [ "2a01:4f8:1c0c:8221::8" "10.42.10.8" ];
services.qemuGuest.enable = true;
# Select internationalisation properties.
i18n.defaultLocale = "en_US.UTF-8";
console = {
@@ -35,6 +38,10 @@
enableBashCompletion = true;
syntaxHighlighting.enable = true;
promptInit = ''
if [[ $TERM != "dumb" && (-z $INSIDE_EMACS || $INSIDE_EMACS == "vterm") ]]; then
eval "$(${pkgs.starship}/bin/starship init zsh)"
fi
source ~/.zkbd/$TERM-''${''${DISPLAY:t}:-$VENDOR-$OSTYPE}
[[ -n ''${key[Left]} ]] && bindkey "''${key[Left]}" backward-char
[[ -n ''${key[Right]} ]] && bindkey "''${key[Right]}" forward-char
@@ -48,7 +55,6 @@
eval "$(starship init zsh)"
'';
};
programs.starship.enable = true;
programs.mtr.enable = true;
nix.settings = {
@@ -84,4 +90,6 @@
};
security.sudo.wheelNeedsPassword = false;
sops.defaultSopsFile = (../. + "/hosts/${config.networking.hostName}/secrets.yaml");
}
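Review bot: `networking.firewall.allowedTCPPorts = [ 19999 ];` next to `services.netdata.enable = true;` in this shared module opens the netdata dashboard on every interface of every host, including the router's uplink and PPP interfaces added in this series; the rendered hunk does not show whether these two lines are new or context, but the exposure is the same either way. netdata serves its web UI without authentication by default, so the port should be scoped the way `hosts/dns/dns.nix` scopes port 53, e.g. `networking.firewall.interfaces.ens18.allowedTCPPorts = [ 19999 ];` on the interface facing the monitoring host, or tightened further to the monitoring host's source address. A one-line comment stating that the port is meant for the internal monitoring scrape only would also make the intent reviewable.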

flake.lock generated

@@ -16,9 +16,47 @@
"type": "github"
}
},
"nixpkgs-22_05": {
"locked": {
"lastModified": 1657399715,
"narHash": "sha256-7YX+I8FP3/iJTRs33VhIbdx91YWlZQf8zaEEeM97964=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "0ad6eae04953060dff8ba28af158799c3e13878d",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "release-22.05",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"nixpkgs": "nixpkgs"
"nixpkgs": "nixpkgs",
"sops-nix": "sops-nix"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": [
"nixpkgs"
],
"nixpkgs-22_05": "nixpkgs-22_05"
},
"locked": {
"lastModified": 1657695756,
"narHash": "sha256-5eeq7Itk9gMK6E5u3IrooFd3KswlheIO/L2Cs7Wwj9k=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "912514e60a6e0227d6a2e0ecc8524752337fcde2",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
}
}
},


@@ -1,8 +1,12 @@
{
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
sops-nix = {
url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "nixpkgs";
};
};
outputs = { nixpkgs, ... }: {
outputs = { nixpkgs, sops-nix, ... }: {
colmena = {
meta = {
nixpkgs = import nixpkgs {
@@ -16,11 +20,16 @@
(./. + "/hosts/${name}/configuration.nix")
./modules
./common
sops-nix.nixosModules.sops
];
deployment.targetUser = null;
};
dns = { config, pkgs, ... }: {
deployment.targetHost = "dns.bula22.de";
};
monitoring = { config, pkgs, ... }: {
deployment.targetHost = "monitoring.bula22.de";
};
@@ -32,17 +41,32 @@
nerd = { ... }: {
deployment.targetHost = "nerd.bula22.de";
deployment.tags = [ "dect" ];
};
yate = { ... }: {
deployment.targetHost = "yate.bula22.de";
deployment.tags = [ "dect" "yate" ];
};
yate-dialup = { ... }: {
deployment.targetHost = "yate-dialup.bula22.de";
deployment.tags = [ "dect" "yate" ];
};
pre-router = { config, pkgs, ... }: {
deployment.targetHost = "lightbuffet.entr0py.cloud";
deployment.targetHost = "fd00:10:42:10::25";
deployment.keys = {
};
};
pre-yate-n0emis = { config, pkgs, ... }: {
deployment.targetHost = "2001:470:7694::5e5";
radius = { config, pkgs, ... }: {
deployment.targetHost = "radius.bula22.de";
};
router = { config, pkgs, ... }: {
deployment.targetHost = "router.bula22.de";
};
};
};
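Review bot: `pre-router` now deploys to the literal `fd00:10:42:10::25` while every other host in this block is addressed by its `*.bula22.de` name and the new zone files already give `pre-router.bula22.de` its own records; if the ULA was chosen because the name is not reachable from the deploy host, a comment saying so would stop the next editor from "fixing" it, otherwise `deployment.targetHost = "pre-router.bula22.de";` keeps the targets consistent and leaves one fewer address to update on renumbering. The now-empty `deployment.keys = { };` under `pre-router` looks like a leftover from before secrets moved to sops-nix and can be dropped.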


@@ -0,0 +1,37 @@
{ config, pkgs, ... }:
{
imports =
[ # Include the results of the hardware scan.
./hardware-configuration.nix
./dns.nix
];
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
networking.hostName = "dns"; # Define your hostname.
networking.useDHCP = false;
networking.interfaces = {
ens18 = {
ipv4.addresses = [{
address = "10.42.10.8";
prefixLength = 24;
}];
ipv6.addresses = [{
address = "2a01:4f8:1c0c:8221::8";
prefixLength = 64;
}];
};
};
networking.defaultGateway = { address = "10.42.10.1"; interface = "ens18"; };
networking.defaultGateway6 = {
address = "2a01:4f8:1c0c:8221::1";
interface = "ens18";
};
system.stateVersion = "21.11"; # Did you read the comment?
}

hosts/dns/dns.nix Normal file

@@ -0,0 +1,69 @@
{ config, pkgs, lib, ...}:
{
networking.firewall.interfaces.ens18.allowedUDPPorts = [ 53 ];
networking.firewall.interfaces.ens18.allowedTCPPorts = [ 9253 9353 9453 9553 ];
services.coredns = {
enable = true;
config = ''
.:53 {
errors
cache {
success 1000000
denial 50000
prefetch 6 10m 10%
serve_stale
}
prometheus 10.42.10.8:9253
forward . 2620:fe::fe 9.9.9.9 2620:fe::9 149.112.112.112
}
bula22.de {
errors
prometheus 10.42.10.8:9353
file /etc/zones/db.bula22.de
}
oncamp.lama.vcp.de {
errors
prometheus 10.42.10.8:9453
file /etc/zones/db.oncamp.lama.vcp.de
}
oncamp.m2yk8s.de {
errors
prometheus 10.42.10.8:9553
file /etc/zones/db.oncamp.m2yk8s.de
}
42.10.in-addr.arpa {
file /etc/zones/db.42.10.in-addr.arpa.
}
2.4.0.0.0.1.0.0.0.0.d.f.ip6.arpa {
file /etc/zones/db.2.4.0.0.0.1.0.0.0.0.d.f.ip6.arpa.
}
1.2.2.8.c.0.c.1.8.f.4.0.1.0.a.2.ip6.arpa {
file /etc/zones/db.1.2.2.8.c.0.c.1.8.f.4.0.1.0.a.2.ip6.arpa.
}
'';
};
systemd.services.coredns.restartTriggers = [
config.environment.etc."zones/db.bula22.de".source
config.environment.etc."zones/db.oncamp.lama.vcp.de".source
config.environment.etc."zones/db.oncamp.m2yk8s.de".source
config.environment.etc."zones/db.42.10.in-addr.arpa.".source
config.environment.etc."zones/db.2.4.0.0.0.1.0.0.0.0.d.f.ip6.arpa.".source
config.environment.etc."zones/db.1.2.2.8.c.0.c.1.8.f.4.0.1.0.a.2.ip6.arpa.".source
];
environment = {
etc = {
"zones/db.bula22.de".source = ./zones/db.bula22.de;
"zones/db.oncamp.lama.vcp.de".source = ./zones/db.oncamp.lama.vcp.de;
"zones/db.oncamp.m2yk8s.de".source = ./zones/db.oncamp.m2yk8s.de;
"zones/db.42.10.in-addr.arpa.".source = ./zones/db.42.10.in-addr.arpa.;
"zones/db.2.4.0.0.0.1.0.0.0.0.d.f.ip6.arpa.".source = ./zones/db.2.4.0.0.0.1.0.0.0.0.d.f.ip6.arpa.;
"zones/db.1.2.2.8.c.0.c.1.8.f.4.0.1.0.a.2.ip6.arpa.".source = ./zones/db.1.2.2.8.c.0.c.1.8.f.4.0.1.0.a.2.ip6.arpa.;
};
};
}
#
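Review bot: The `.:53` block forwards every query to Quad9 for any client, and the first hunk line opens UDP 53 on `ens18`, whose addresses in `hosts/dns/configuration.nix` include the globally routable `2a01:4f8:1c0c:8221::8`; unless that prefix is filtered upstream, this is an open recursive resolver reachable from the internet and usable for reflection. Restrict recursion to the camp prefixes with CoreDNS's `acl` plugin inside the `.:53` block (`allow net 10.42.0.0/16 fd00:10:42::/48 2a01:4f8:1c0c:8221::/64` followed by `block`), or filter inbound 53 on the public side at the router. Only UDP 53 is opened; answers that exceed the UDP size are retried over TCP, so `allowedTCPPorts` on `ens18` should include 53 as well. The upstream list is plaintext; `forward . tls://2620:fe::fe tls://9.9.9.9 { tls_servername dns.quad9.net }` would protect the resolver's own queries on the uplink.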


@@ -0,0 +1,38 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/6f759f18-9d4d-4c2d-aba8-d42fee23bd62";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/4B77-61C7";
fsType = "vfat";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/64b108b1-b7de-41ce-922d-34d63d669e0c"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.ens18.useDHCP = lib.mkDefault true;
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@@ -0,0 +1,28 @@
$ORIGIN 1.2.2.8.c.0.c.1.8.f.4.0.1.0.a.2.ip6.arpa.
$TTL 3600
1.2.2.8.c.0.c.1.8.f.4.0.1.0.a.2.ip6.arpa. IN SOA dns.bula22.de. hostmaster.bula22.de. (
2022071501
10800
3600
604800
3600
)
1.2.2.8.c.0.c.1.8.f.4.0.1.0.a.2.ip6.arpa. IN NS dns.bula22.de.
; Services
2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.2.2.8.c.0.c.1.8.f.4.0.1.0.a.2.ip6.arpa. IN PTR router.bula22.de.
5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.2.2.8.c.0.c.1.8.f.4.0.1.0.a.2.ip6.arpa. IN PTR rradius.bula22.de.
6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.2.2.8.c.0.c.1.8.f.4.0.1.0.a.2.ip6.arpa. IN PTR ryate.bula22.de.
7.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.2.2.8.c.0.c.1.8.f.4.0.1.0.a.2.ip6.arpa. IN PTR rmonitoring.bula22.de.
8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.2.2.8.c.0.c.1.8.f.4.0.1.0.a.2.ip6.arpa. IN PTR rdns.bula22.de.
9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.2.2.8.c.0.c.1.8.f.4.0.1.0.a.2.ip6.arpa. IN PTR ryate-dialup.bula22.de.
0.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.2.2.8.c.0.c.1.8.f.4.0.1.0.a.2.ip6.arpa. IN PTR rlama-2.bula22.de.
1.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.2.2.8.c.0.c.1.8.f.4.0.1.0.a.2.ip6.arpa. IN PTR rlama-1.bula22.de.
2.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.2.2.8.c.0.c.1.8.f.4.0.1.0.a.2.ip6.arpa. IN PTR rzoll-1.bula22.de.
3.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.2.2.8.c.0.c.1.8.f.4.0.1.0.a.2.ip6.arpa. IN PTR rprogramm-1.bula22.de.
4.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.2.2.8.c.0.c.1.8.f.4.0.1.0.a.2.ip6.arpa. IN PTR rnerd.bula22.de.
5.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.2.2.8.c.0.c.1.8.f.4.0.1.0.a.2.ip6.arpa. IN PTR rpre-router.bula22.de.
6.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.2.2.8.c.0.c.1.8.f.4.0.1.0.a.2.ip6.arpa. IN PTR rmap.bula22.de.
5.4.2.0.0.0.0.0.0.0.0.0.0.0.0.0.1.2.2.8.c.0.c.1.8.f.4.0.1.0.a.2.ip6.arpa. IN PTR rnixdeploy.bula22.de.
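Review bot: Every PTR target after the first carries a stray leading `r` (`rradius.bula22.de.`, `ryate.bula22.de.`, … `rnixdeploy.bula22.de.`), so reverse lookups for `::5` through `::245` return names that do not exist in `db.bula22.de`; only the `router.bula22.de.` line is right, which looks like a search-and-replace that also matched the `r` of `router`. Strip the prefix on those thirteen lines, e.g. `5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.2.2.8.c.0.c.1.8.f.4.0.1.0.a.2.ip6.arpa. IN PTR radius.bula22.de.`, and bump the SOA serial `2022071501` with the correction. Note also that `db.bula22.de` gives `lama-1` the AAAA `::20` and `lama-2` `::21`, the opposite of the `0.2.0.0…`/`1.2.0.0…` PTRs here, so one of the two files needs to be aligned.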


@@ -0,0 +1,28 @@
$ORIGIN 2.4.0.0.0.1.0.0.0.0.d.f.ip6.arpa.
$TTL 3600
2.4.0.0.0.1.0.0.0.0.d.f.ip6.arpa. IN SOA dns.bula22.de. hostmaster.bula22.de. (
2022071501
10800
3600
604800
3600
)
2.4.0.0.0.1.0.0.0.0.d.f.ip6.arpa. IN NS dns.bula22.de.
; Network Gateways
fd00:10:42:10 ::1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.4.0.0.2.4.0.0.0.1.0.0.0.0.d.f.ip6.arpa. IN PTR gw.services.net.bula22.de.
fd00:10:42:42 ::1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.4.0.0.2.4.0.0.0.1.0.0.0.0.d.f.ip6.arpa. IN PTR gw.management.net.bula22.de.
fd00:10:42:151::1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.5.1.0.2.4.0.0.0.1.0.0.0.0.d.f.ip6.arpa. IN PTR gw.technik-iot.net.bula22.de.
fd00:10:42:201::1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.1.0.2.4.0.0.0.1.0.0.0.0.d.f.ip6.arpa. IN PTR gw.ikt.net.bula22.de.
fd00:10:42:202::1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.2.0.2.4.0.0.0.1.0.0.0.0.d.f.ip6.arpa. IN PTR gw.technik.net.bula22.de.
fd00:10:42:203::1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.3.0.2.4.0.0.0.1.0.0.0.0.d.f.ip6.arpa. IN PTR gw.hospital.net.bula22.de.
fd00:10:42:204::1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.4.0.2.4.0.0.0.1.0.0.0.0.d.f.ip6.arpa. IN PTR gw.zoll.net.bula22.de.
fd00:10:42:205::1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.5.0.2.4.0.0.0.1.0.0.0.0.d.f.ip6.arpa. IN PTR gw.leitstelle.net.bula22.de.
fd00:10:42:206::1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.6.0.2.4.0.0.0.1.0.0.0.0.d.f.ip6.arpa. IN PTR gw.verwaltung.net.bula22.de.
fd00:10:42:208::1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.8.0.2.4.0.0.0.1.0.0.0.0.d.f.ip6.arpa. IN PTR gw.yolo.net.bula22.de.
fd00:10:42:209::1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.9.0.2.4.0.0.0.1.0.0.0.0.d.f.ip6.arpa. IN PTR gw.infojurte.net.bula22.de.
fd00:10:42:210::1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.1.0.0.2.4.0.0.0.1.0.0.0.0.d.f.ip6.arpa. IN PTR gw.international.net.bula22.de.
fd00:10:42:211::1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.1.1.0.2.4.0.0.0.1.0.0.0.0.d.f.ip6.arpa. IN PTR gw.programmtresen.net.bula22.de.
fd00:10:42:212::1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.1.2.0.2.4.0.0.0.1.0.0.0.0.d.f.ip6.arpa. IN PTR gw.open-office.net.bula22.de.
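Review bot: None of the PTR owner names in this zone is valid master-file syntax: each line starts with the IPv6 literal (`fd00:10:42:201::`) glued to the nibble string, the first two even contain a space, and several group-4 nibble runs are not reversed (`:201:` should read `1.0.2.0`, not `2.0.1.0`; `:10:` should read `0.1.0.0`, not `2.4.0.0`; `:210:` should read `0.1.2.0`). As written the file plugin will most likely reject the zone or skip these lines, so no reverse lookup in `fd00:10:42::/48` works. Each record should be just the reversed nibbles relative to the `$ORIGIN`, e.g. `1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.2.0 IN PTR gw.ikt.net.bula22.de.`; generating these lines with a script rather than by hand would avoid the transcription errors.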


@@ -0,0 +1,78 @@
$ORIGIN 42.10.in-addr.arpa.
$TTL 3600
42.10.in-addr.arpa. IN SOA dns.bula22.de. hostmaster.bula22.de. (
2022071501
10800
3600
604800
3600
)
42.10.in-addr.arpa. IN NS dns.bula22.de.
; Services
10.42.10.2.in-addr.arpa. IN PTR router.bula22.de.
10.42.10.5.in-addr.arpa. IN PTR radius.bula22.de.
10.42.10.6.in-addr.arpa. IN PTR yate.bula22.de.
10.42.10.7.in-addr.arpa. IN PTR monitoring.bula22.de.
10.42.10.8.in-addr.arpa. IN PTR dns.bula22.de.
10.42.10.9.in-addr.arpa. IN PTR yate-dialup.bula22.de.
10.42.10.21.in-addr.arpa. IN PTR lama-1.bula22.de.
10.42.10.20.in-addr.arpa. IN PTR lama-2.bula22.de.
10.42.10.22.in-addr.arpa. IN PTR zoll-1.bula22.de.
10.42.10.23.in-addr.arpa. IN PTR programm-1.bula22.de.
10.42.10.24.in-addr.arpa. IN PTR nerd.bula22.de.
10.42.10.25.in-addr.arpa. IN PTR pre-router.bula22.de.
10.42.10.26.in-addr.arpa. IN PTR map.bula22.de.
10.42.10.245.in-addr.arpa. IN PTR nixdeploy.bula22.de.
; Management
10.42.42.10.in-addr.arpa. IN PTR wlan-controller.bula22.de.
10.42.42.11.in-addr.arpa. IN PTR sw-zentral-1.bula22.de.
10.42.42.12.in-addr.arpa. IN PTR sw-zentral-2.bula22.de.
10.42.42.13.in-addr.arpa. IN PTR sw-verwaltung.bula22.de.
10.42.42.14.in-addr.arpa. IN PTR sw-zoll-container.bula22.de.
10.42.42.15.in-addr.arpa. IN PTR sw-zoll-zelt.bula22.de.
10.42.42.16.in-addr.arpa. IN PTR sw-programmtresen.bula22.de.
10.42.42.17.in-addr.arpa. IN PTR sw-post.bula22.de.
10.42.42.18.in-addr.arpa. IN PTR sw-leitstelle.bula22.de.
10.42.42.19.in-addr.arpa. IN PTR sw-infojurte.bula22.de.
10.42.42.20.in-addr.arpa. IN PTR sw-technik-zelt.bula22.de.
10.42.42.21.in-addr.arpa. IN PTR sw-technik-container.bula22.de.
10.42.42.22.in-addr.arpa. IN PTR sw-hospital.bula22.de.
10.42.42.23.in-addr.arpa. IN PTR sw-fuf.bula22.de.
10.42.42.24.in-addr.arpa. IN PTR sw-waschhaus.bula22.de.
10.42.42.25.in-addr.arpa. IN PTR sw-buehne.bula22.de.
10.42.42.26.in-addr.arpa. IN PTR sw-trabantenstadt.bula22.de.
10.42.42.27.in-addr.arpa. IN PTR sw-bll.bula22.de.
10.42.42.28.in-addr.arpa. IN PTR sw-finanzen.bula22.de.
10.42.42.29.in-addr.arpa. IN PTR sw-finanzen.bula22.de.
10.42.42.123.in-addr.arpa. IN PTR mooncake.bula22.de.
10.42.42.124.in-addr.arpa. IN PTR sunbread.bula22.de.
10.42.42.125.in-addr.arpa. IN PTR pbs.bula22.de.
; Network Gateways
10.42.10.1.in-addr.arpa. IN PTR gw.services.net.bula22.de.
10.42.42.1.in-addr.arpa. IN PTR gw.management.net.bula22.de.
10.42.151.1.in-addr.arpa. IN PTR gw.technik-iot.net.bula22.de.
10.42.201.1.in-addr.arpa. IN PTR gw.ikt.net.bula22.de.
10.42.202.1.in-addr.arpa. IN PTR gw.technik.net.bula22.de.
10.42.203.1.in-addr.arpa. IN PTR gw.hospital.net.bula22.de.
10.42.204.1.in-addr.arpa. IN PTR gw.zoll.net.bula22.de.
10.42.205.1.in-addr.arpa. IN PTR gw.leitstelle.net.bula22.de.
10.42.206.1.in-addr.arpa. IN PTR gw.verwaltung.net.bula22.de.
10.42.208.1.in-addr.arpa. IN PTR gw.yolo.net.bula22.de.
10.42.209.1.in-addr.arpa. IN PTR gw.infojurte.net.bula22.de.
10.42.210.1.in-addr.arpa. IN PTR gw.international.net.bula22.de.
10.42.211.1.in-addr.arpa. IN PTR gw.programmtresen.net.bula22.de.
10.42.212.1.in-addr.arpa. IN PTR gw.open-office.net.bula22.de.
#other
10.42.132.2.in-addr.arpa. IN PTR omm.bula22.de.
10.42.151.2.in-addr.arpa. IN PTR webcam.bula22.de.
<<<<<<< Updated upstream
10.42.212.2.in-addr.arpa. IN PTR drucker.bula22.de.
=======
>>>>>>> Stashed changes
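Review bot: The lines `<<<<<<< Updated upstream`, `=======` and `>>>>>>> Stashed changes` are git stash-conflict markers committed into the zone file; they are not valid master-file syntax and will stop the zone from loading, so keep the `drucker` record and remove the three markers. Independently, every PTR owner is written in forward octet order (`10.42.10.2.in-addr.arpa.`) whereas in-addr.arpa names are reversed — the record for 10.42.10.2 is `2.10.42.10.in-addr.arpa.` — and because `$ORIGIN` is `42.10.in-addr.arpa.` the names as written are not even inside this zone. `#other` is not a comment in this format (`;` is) and becomes a garbage record, and `10.42.42.28` and `10.42.42.29` both map to `sw-finanzen` while `db.bula22.de` assigns `.29` to `sw-international`.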


@@ -0,0 +1,129 @@
$ORIGIN bula22.de.
$TTL 3600
bula22.de. IN SOA dns.bula22.de. hostmaster.bula22.de. (
2022080101
10800
3600
604800
3600
)
bula22.de. IN NS dns.bula22.de.
; Interfaces
bula22.de. IN AAAA 2a01:4f8:c0c:c580::1
bula22.de. IN A 88.99.187.135
grafana.bula22.de. IN CNAME monitoring.bula22.de.
prometheus.bula22.de. IN CNAME monitoring.bula22.de.
influxdb.bula22.de. IN CNAME monitoring.bula22.de.
lightbuffet.bula22.de. IN CNAME pre-router.bula22.de.
www.bula22.de. IN CNAME bula22.de.
; Services
router.bula22.de. IN A 10.42.10.2
IN AAAA 2a01:4f8:1c0c:8221::2
radius.bula22.de. IN A 10.42.10.5
IN AAAA 2a01:4f8:1c0c:8221::5
yate.bula22.de. IN A 10.42.10.6
IN AAAA 2a01:4f8:1c0c:8221::6
monitoring.bula22.de. IN A 10.42.10.7
IN AAAA 2a01:4f8:1c0c:8221::7
dns.bula22.de. IN A 10.42.10.8
IN AAAA 2a01:4f8:1c0c:8221::8
yate-dialup.bula22.de. IN A 10.42.10.9
IN AAAA 2a01:4f8:1c0c:8221::9
lama-1.bula22.de. IN A 10.42.10.21
IN AAAA 2a01:4f8:1c0c:8221::20
lama-2.bula22.de. IN A 10.42.10.20
IN AAAA 2a01:4f8:1c0c:8221::21
zoll-1.bula22.de. IN A 10.42.10.22
IN AAAA 2a01:4f8:1c0c:8221::22
programm-1.bula22.de. IN A 10.42.10.23
IN AAAA 2a01:4f8:1c0c:8221::23
nerd.bula22.de. IN A 10.42.10.24
IN AAAA 2a01:4f8:1c0c:8221::24
pre-router.bula22.de. IN A 10.42.10.25
IN AAAA 2a01:4f8:1c0c:8221::25
map.bula22.de. IN A 10.42.10.26
IN AAAA 2a01:4f8:1c0c:8221::26
karte.bula22.de. IN A 10.42.10.26
IN AAAA 2a01:4f8:1c0c:8221::26
nixdeploy.bula22.de. IN A 10.42.10.245
IN AAAA 2a01:4f8:1c0c:8221::245
omm.bula22.de. IN A 10.42.132.2
webcam.bula22.de. IN A 10.42.151.2
drucker.bula22.de. IN A 10.42.212.2
; External Services
vcp-bula-mon.bula22.de. IN AAAA 2a01:4f8:c0c:15f1::8105
vcp-bula-telko.bula22.de. IN AAAA 2001:638:904:ffcb::4
; Management
wlan-controller.bula22.de. IN A 10.42.42.10
sw-zentral-1.bula22.de. IN A 10.42.42.11
sw-zentral-2.bula22.de. IN A 10.42.42.12
sw-verwaltung.bula22.de. IN A 10.42.42.13
sw-zoll-container.bula22.de. IN A 10.42.42.14
sw-zoll-zelt.bula22.de. IN A 10.42.42.15
sw-programmtresen.bula22.de. IN A 10.42.42.16
sw-post.bula22.de. IN A 10.42.42.17
sw-leitstelle.bula22.de. IN A 10.42.42.18
sw-infojurte.bula22.de. IN A 10.42.42.19
sw-technik-zelt.bula22.de. IN A 10.42.42.20
sw-technik-container.bula22.de. IN A 10.42.42.21
sw-hospital.bula22.de. IN A 10.42.42.22
sw-fuf.bula22.de. IN A 10.42.42.23
sw-waschhaus.bula22.de. IN A 10.42.42.24
sw-buehne.bula22.de. IN A 10.42.42.25
sw-trabantenstadt.bula22.de. IN A 10.42.42.26
sw-bll.bula22.de. IN A 10.42.42.27
sw-finanzen.bula22.de. IN A 10.42.42.28
sw-international.bula22.de. IN A 10.42.42.29
mooncake.bula22.de. IN A 10.42.42.123
sunbread.bula22.de. IN A 10.42.42.124
pbs.bula22.de. IN A 10.42.42.125
; Network Gateways
gw.services.net.bula22.de. IN A 10.42.10.1
IN AAAA fd00:10:42:10::1
gw.management.net.bula22.de. IN A 10.42.42.1
gw.technik-iot.net.bula22.de. IN A 10.42.151.1
IN AAAA fd00:10:42:151::1
gw.ikt-toys.net.bula22.de. IN A 10.42.152.1
IN AAAA fd00:10:42:152::1
gw.ikt.net.bula22.de. IN A 10.42.201.1
IN AAAA fd00:10:42:201::1
gw.technik.net.bula22.de. IN A 10.42.202.1
IN AAAA fd00:10:42:202::1
gw.hospital.net.bula22.de. IN A 10.42.203.1
IN AAAA fd00:10:42:203::1
gw.zoll.net.bula22.de. IN A 10.42.204.1
IN AAAA fd00:10:42:204::1
gw.leitstelle.net.bula22.de. IN A 10.42.205.1
IN AAAA fd00:10:42:205::1
gw.verwaltung.net.bula22.de. IN A 10.42.206.1
IN AAAA fd00:10:42:206::1
gw.yolo.net.bula22.de. IN A 10.42.208.1
IN AAAA fd00:10:42:208::1
gw.infojurte.net.bula22.de. IN A 10.42.209.1
IN AAAA fd00:10:42:209::1
gw.international.net.bula22.de. IN A 10.42.210.1
IN AAAA fd00:10:42:210::1
gw.programmtresen.net.bula22.de. IN A 10.42.211.1
IN AAAA fd00:10:42:211::1
gw.open-office.net.bula22.de. IN A 10.42.212.1
IN AAAA fd00:10:42:212::1
; Programmtresen
signage-11.bula22.de. IN A 10.42.211.11
signage-12.bula22.de. IN A 10.42.211.12
signage-13.bula22.de. IN A 10.42.211.13
signage-21.bula22.de. IN A 10.42.211.21
signage-22.bula22.de. IN A 10.42.211.22
signage-23.bula22.de. IN A 10.42.211.23
signage-24.bula22.de. IN A 10.42.211.24
signage-25.bula22.de. IN A 10.42.211.25
signage-31.bula22.de. IN A 10.42.211.31
signage-32.bula22.de. IN A 10.42.211.32
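Review bot: `lama-1.bula22.de.` gets `A 10.42.10.21` but `AAAA 2a01:4f8:1c0c:8221::20`, while `lama-2` gets `.20` and `::21`, so the v4 and v6 host parts are swapped relative to each other and the ip6.arpa reverse zone in this series maps `::20` to lama-2; please confirm which of the two is intended and make the other file agree. `gw.management.net.bula22.de.` has no AAAA although the `fd00:10:42::/48` reverse zone carries a PTR for `fd00:10:42:42::1`, and `gw.ikt-toys.net.bula22.de.` has forward records but no PTR in either reverse zone. A `; keep in sync with db.42.10.in-addr.arpa. and the ip6.arpa zones` comment near the top would help the next editor keep the files consistent.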


@@ -0,0 +1,20 @@
$ORIGIN oncamp.lama.vcp.de.
$TTL 3600
oncamp.lama.vcp.de. IN SOA dns.bula22.de. hostmaster.bula22.de. (
2022072101
10800
3600
604800
3600
)
oncamp.lama.vcp.de. IN NS dns.bula22.de.
oncamp.lama.vcp.de. IN CNAME lama-2.bula22.de.
id.oncamp.lama.vcp.de. IN CNAME lama-2.bula22.de.
reports.oncamp.lama.vcp.de. IN CNAME lama-2.bula22.de.
member.oncamp.lama.vcp.de. IN CNAME lama-2.bula22.de.
signage.oncamp.lama.vcp.de. IN CNAME lama-2.bula22.de.
dashboard.oncamp.lama.vcp.de. IN CNAME lama-2.bula22.de.
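Review bot: `oncamp.lama.vcp.de. IN CNAME lama-2.bula22.de.` on the line after the NS record puts a CNAME at the zone apex alongside the SOA and NS records of the same name, which RFC 1034 §3.6.2 forbids — a CNAME must be the only record at its owner name, BIND-style loaders reject such a zone outright, and more lenient servers give undefined answers for the apex. If the bare name has to resolve, replace that line with A/AAAA records carrying the addresses of lama-2.bula22.de instead of a CNAME. Remember to bump the serial `2022072101` with the change so secondaries pick it up.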


@@ -0,0 +1,20 @@
$ORIGIN oncamp.m2yk8s.de.
$TTL 3600
oncamp.m2yk8s.de. IN SOA dns.bula22.de. hostmaster.bula22.de. (
2022072101
10800
3600
604800
3600
)
oncamp.m2yk8s.de. IN NS dns.bula22.de.
rancher.oncamp.m2yk8s.de. IN CNAME lama-2.bula22.de.
minio.oncamp.m2yk8s.de. IN CNAME lama-2.bula22.de.
s3.oncamp.m2yk8s.de. IN CNAME lama-2.bula22.de.
registry.oncamp.m2yk8s.de. IN CNAME lama-1.bula22.de.
dashboard.oncamp.m2yk8s.de. IN CNAME lama-2.bula22.de.
_acme-challenge.dashboard.oncamp.m2yk8s.de. TXT ZDba8ibIumMhHmCqGsddGTkjLK-yinWNiSXar38sN8c
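Review bot: The `_acme-challenge.dashboard.oncamp.m2yk8s.de. TXT …` record is a one-time DNS-01 validation token baked into a static zone; the authorization it satisfied expires, so the next renewal of the dashboard certificate will be issued a new token and fail until someone edits this file and bumps the serial. Either let the ACME client update this zone dynamically (RFC 2136 or a DNS hook against dns.bula22.de) or use HTTP-01 on lama-2, which the name already CNAMEs to, and drop the static TXT from git. Minor: this is the only record in the file written without the `IN` class.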


@@ -0,0 +1,11 @@
modules:
icmp6:
prober: icmp
icmp:
preferred_ip_protocol: ip6
ip_protocol_fallback: false
icmp4:
prober: icmp
icmp:
preferred_ip_protocol: ip4
ip_protocol_fallback: false


@@ -20,8 +20,54 @@ with lib;
];
networking.defaultGateway = { address = "10.42.10.1"; interface = "ens18"; };
networking.defaultGateway6 = { address = "2a01:4f8:1c0c:8221::1"; interface = "ens18"; };
networking.nameservers = [ "2a01:4f8:1c0c:8221::1" "10.42.10.1" ];
environment = {
etc = {
"snmp-exporter/snmp.yml".source = ./snmp.yml;
};
};
services.influxdb2.enable = true;
services.prometheus.exporters = {
blackbox = {
enable = true;
listenAddress = "[::1]";
port = 9115;
configFile = ./blackbox.yml;
};
snmp = {
enable = true;
port= 9116;
listenAddress = "[::1]";
configurationPath = "/etc/snmp-exporter/snmp.yml";
};
};
services.prometheus.exporters.node.enable = true;
systemd.services.waldbrandgefahrenstufen-exporter = {
description = "Waldbrandgefahrenstufen Exporter";
wantedBy = [ "multi-user.target" ];
serviceConfig = {
DynamicUser = "yes";
};
script = "${pkgs.python3}/bin/python ${./waldbrandgefahrenstufen-exporter.py}";
};
systemd.services.sipgate-balance-exporter = {
description = "Sipgate Balance Exporter";
wantedBy = [ "multi-user.target" ];
serviceConfig = {
DynamicUser = "yes";
Environment = "SIPGATE_TOKEN_PATH=/var/src/secrets/sipgate-balance/apitoken";
};
script = "${pkgs.python3}/bin/python ${./sipgate-balance-exporter.py}";
};
services.prometheus.alertmanager = {
enable = true;
listenAddress = "[::1]";
@@ -40,6 +86,7 @@ with lib;
};
services.prometheus = {
enable = true;
retentionTime = "90d";
listenAddress = "[::1]";
scrapeConfigs = [
{
@@ -61,6 +108,330 @@ with lib;
{
targets = [
"[::1]:9100"
"radius.bula22.de:9100"
"router.bula22.de:9100"
"mooncake.bula22.de:9100"
"sunbread.bula22.de:9100"
];
}
];
}
{
job_name = "blackbox_icmp6";
scrape_interval = "20s";
metrics_path = "/probe";
params = {
module = [ "icmp6" ];
};
static_configs = [
{
targets = [
# Internet Probes
"clerie.de"
# Vlan Probes
"gw.services.net.bula22.de"
"gw.technik-iot.net.bula22.de"
"gw.technik.net.bula22.de"
"gw.hospital.net.bula22.de"
"gw.zoll.net.bula22.de"
"gw.leitstelle.net.bula22.de"
"gw.verwaltung.net.bula22.de"
"gw.yolo.net.bula22.de"
"gw.infojurte.net.bula22.de"
"gw.international.net.bula22.de"
"gw.programmtresen.net.bula22.de"
"gw.open-office.net.bula22.de"
# Service Probes
"router.bula22.de"
"radius.bula22.de"
"yate.bula22.de"
"monitoring.bula22.de"
"dns.bula22.de"
"yate-dialup.bula22.de"
"nerd.bula22.de"
"pre-router.bula22.de"
"nixdeploy.bula22.de"
# External Service Probes
"vcp-bula-mon.bula22.de"
"vcp-bula-telko.bula22.de"
];
labels = {
"module" = "icmp6";
};
}
];
relabel_configs = [
{
source_labels = [ "__address__" ];
target_label = "__param_target";
}
{
source_labels = [ "__param_target" ];
target_label = "instance";
}
{
target_label = "__address__";
replacement = "[::1]:9115";
}
];
}
{
job_name = "blackbox_icmp4";
scrape_interval = "20s";
metrics_path = "/probe";
params = {
module = [ "icmp4" ];
};
static_configs = [
{
targets = [
# Internet Probes
"clerie.de"
"vcp.de"
"bundeslager.vcp.de"
# Vlan Probes
"gw.services.net.bula22.de"
"gw.management.net.bula22.de"
"gw.technik-iot.net.bula22.de"
"gw.technik.net.bula22.de"
"gw.hospital.net.bula22.de"
"gw.zoll.net.bula22.de"
"gw.leitstelle.net.bula22.de"
"gw.verwaltung.net.bula22.de"
"gw.yolo.net.bula22.de"
"gw.infojurte.net.bula22.de"
"gw.international.net.bula22.de"
"gw.programmtresen.net.bula22.de"
"gw.open-office.net.bula22.de"
# Management Probes
"wlan-controller.bula22.de"
"sw-zentral-1.bula22.de"
"sw-zentral-2.bula22.de"
"sw-verwaltung.bula22.de"
"sw-zoll-container.bula22.de"
# "sw-zoll-zelt.bula22.de" # Wird doch nicht benötigt
"sw-programmtresen.bula22.de"
"sw-post.bula22.de"
"sw-international.bula22.de"
"sw-leitstelle.bula22.de"
"sw-infojurte.bula22.de"
"sw-technik-zelt.bula22.de"
"sw-technik-container.bula22.de"
"sw-hospital.bula22.de"
"sw-fuf.bula22.de"
"sw-waschhaus.bula22.de"
"sw-buehne.bula22.de"
"sw-trabantenstadt.bula22.de"
"sw-bll.bula22.de"
"sw-finanzen.bula22.de"
# Service Probes
"router.bula22.de"
"radius.bula22.de"
"yate.bula22.de"
"monitoring.bula22.de"
"dns.bula22.de"
"yate-dialup.bula22.de"
"nerd.bula22.de"
"pre-router.bula22.de"
"nixdeploy.bula22.de"
"omm.bula22.de"
"webcam.bula22.de"
];
labels = {
"module" = "icmp4";
};
}
];
relabel_configs = [
{
source_labels = [ "__address__" ];
target_label = "__param_target";
}
{
source_labels = [ "__param_target" ];
target_label = "instance";
}
{
target_label = "__address__";
replacement = "[::1]:9115";
}
];
}
{
job_name = "dns";
scrape_interval = "5s";
static_configs = [
{
targets = [
"dns.bula22.de:9253"
];
}
];
}
{
job_name = "waldbrandgefahrenstufen";
scrape_interval = "1h";
scrape_timeout = "60s";
static_configs = [
{
targets = [
"[::1]:9242"
];
}
];
}
{
job_name = "sipgate-balance";
scrape_interval = "120s";
scrape_timeout = "20s";
static_configs = [
{
targets = [
"[::1]:9243"
];
}
];
}
{
job_name = "snmp";
scrape_interval = "120s";
scrape_timeout = "40s";
metrics_path = "/snmp";
params = {
module = [
"if_mib"
];
};
static_configs = [
{
targets = [
"sw-zentral-1.bula22.de"
"sw-zentral-2.bula22.de"
"sw-verwaltung.bula22.de"
"sw-zoll-container.bula22.de"
# "sw-zoll-zelt.bula22.de" # Wird doch nicht benötigt
"sw-programmtresen.bula22.de"
"sw-international.bula22.de"
"sw-post.bula22.de"
"sw-leitstelle.bula22.de"
"sw-infojurte.bula22.de"
"sw-technik-zelt.bula22.de"
"sw-technik-container.bula22.de"
"sw-hospital.bula22.de"
"sw-fuf.bula22.de"
"sw-waschhaus.bula22.de"
"sw-buehne.bula22.de"
"sw-trabantenstadt.bula22.de"
"sw-bll.bula22.de"
"sw-finanzen.bula22.de"
"wlan-controller.bula22.de"
];
}
];
relabel_configs = [
{
source_labels = [ "__address__" ];
target_label = "__param_target";
}
{
source_labels = [ "__param_target" ];
target_label = "instance";
}
{
target_label = "__address__";
replacement = "[::1]:9116";
}
];
}
{
job_name = "aruba";
scrape_interval = "120s";
scrape_timeout = "40s";
metrics_path = "/snmp";
params = {
module = [
"aruba"
];
};
static_configs = [
{
targets = [
"wlan-controller.bula22.de"
];
}
];
relabel_configs = [
{
source_labels = [ "__address__" ];
target_label = "__param_target";
}
{
source_labels = [ "__param_target" ];
target_label = "instance";
}
{
target_label = "__address__";
replacement = "[::1]:9116";
}
];
}
{
job_name = "yate";
scrape_interval = "30s";
scrape_timeout = "20s";
metrics_path = "/snmp";
params = {
module = [
"yate"
];
};
static_configs = [
{
targets = [
"10.42.10.6"
];
labels = {
instance = "yate.bula22.de";
};
}
{
targets = [
"10.42.10.9"
];
labels = {
instance = "yate-dialup.bula22.de";
};
}
];
relabel_configs = [
{
source_labels = [ "__address__" ];
target_label = "__param_target";
}
{
source_labels = [ "__param_target" ];
target_label = "instance";
}
{
target_label = "__address__";
replacement = "[::1]:9116";
}
];
}
{
job_name = "energy";
scrape_interval = "1s";
scrape_timeout = "1s";
static_configs = [
{
targets = [
"pbs.bula22.de:9555"
];
}
];
@@ -77,6 +448,11 @@ with lib;
];
rules = [ (readFile ./alertmanager-rules.yml) ];
};
systemd.services.prometheus-snmp-exporter.restartTriggers = [
config.environment.etc."snmp-exporter/snmp.yml".source
];
services.grafana = {
enable = true;
domain = "grafana.bula22.de";
@@ -110,6 +486,11 @@ with lib;
forceSSL = true;
locations."/".proxyPass = "http://[::1]:3001/";
};
"influxdb.bula22.de" = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://[::1]:8086/";
};
};
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
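Review bot: The sipgate-balance-exporter unit combines `DynamicUser = "yes"` with a token read from `/var/src/secrets/sipgate-balance/apitoken`; a dynamic user has no stable UID, so it can only read that file if the file is world-readable, which is the wrong fix for an API credential. systemd's credential mechanism is the right fit here: `LoadCredential = "apitoken:/var/src/secrets/sipgate-balance/apitoken";` together with `Environment = "SIPGATE_TOKEN_PATH=%d/apitoken";` hands the service a private copy regardless of the file's owner (and check that the secret file is not currently mode 0644 to make this work). Unrelated but in the same hunk: in the `yate` job the static `instance = "yate.bula22.de"` labels are overwritten by the relabel that copies `__param_target` into `instance`, so those series end up labelled with the bare IPs `10.42.10.6`/`10.42.10.9`.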


@@ -0,0 +1,70 @@
#!/usr/bin/env python3
from http.server import HTTPServer, BaseHTTPRequestHandler, HTTPStatus
import os
import socket
import json
from urllib.request import Request, urlopen
import xml.etree.ElementTree as ET
from pathlib import Path
class HTTPServerV6(HTTPServer):
address_family = socket.AF_INET6
TOKEN = Path(os.environ.get("SIPGATE_TOKEN_PATH", "apitoken")).read_text().strip()
class ExporterRequestHandler(BaseHTTPRequestHandler):
def do_GET(self):
if self.path == "/":
self.make_response("sipgate Guthaben für den Trunk")
elif self.path == "/metrics":
self.export()
else:
self.send_error(HTTPStatus.NOT_FOUND, "File not found")
return
def do_HEAD(self):
if self.path == "/":
self.make_response("sipgate Guthaben für den Trunk", head_only=True)
elif self.path == "/metrics":
self.export(head_only=True)
else:
self.send_error(HTTPStatus.NOT_FOUND, "File not found")
return
def export(self, head_only=False):
req = Request("https://api.sipgate.com/v2/balance")
req.add_header("accept", "application/json")
req.add_header("authorization", "Basic " + TOKEN)
webURL = urlopen(req)
data = webURL.read()
encoding = webURL.info().get_content_charset('utf-8')
d = json.loads(data.decode(encoding))
print(d)
balance = d["amount"] / 10000
currency = d["currency"]
res = "sipgate_balance{{currency=\"{}\"}} {}".format(currency, balance)
self.make_response(res, head_only=head_only)
def make_response(self, content, head_only=False):
encoded = content.encode("utf-8")
self.send_response(HTTPStatus.OK)
self.send_header("Content-Type", "text/plain; charset=utf-8")
self.send_header("Conten-Length", str(len(encoded)))
self.end_headers()
if not head_only:
self.wfile.write(encoded)
def run():
with HTTPServerV6(("::1", 9243), ExporterRequestHandler) as httpd:
print("Starting sipgate Balance Exporter on http://[{}]:{}".format(*httpd.socket.getsockname()[:2]))
httpd.serve_forever()
if __name__ == "__main__":
run()
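Review bot: `urlopen(req)` in `export()` has no timeout and no error handling, so one stalled or failing sipgate call blocks this single-threaded server (every later scrape queues behind it) and an HTTPError/URLError unwinds the handler with a traceback instead of an HTTP error; the job's `scrape_timeout` is 20s, so a 10s timeout plus a 503 on failure fits. The response header is also misspelled as `Conten-Length`, so no Content-Length is actually sent, and `print(d)` dumps the full API body into the journal on every scrape. Token handling itself looks right: the file is read once at startup and the server binds only `::1`.
```python
    def export(self, head_only=False):
        req = Request("https://api.sipgate.com/v2/balance")
        req.add_header("accept", "application/json")
        req.add_header("authorization", "Basic " + TOKEN)
        try:
            with urlopen(req, timeout=10) as webURL:
                data = webURL.read()
                encoding = webURL.info().get_content_charset('utf-8')
            d = json.loads(data.decode(encoding))
        except (OSError, ValueError):
            # URLError/HTTPError are OSError subclasses; JSONDecodeError is a ValueError
            self.send_error(HTTPStatus.SERVICE_UNAVAILABLE, "sipgate API request failed")
            return
        # … unchanged: balance/currency extraction and make_response …
```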

2676
hosts/monitoring/snmp.yml Normal file



@@ -0,0 +1,56 @@
#!/usr/bin/env python3
from http.server import HTTPServer, BaseHTTPRequestHandler, HTTPStatus
import io
import socket
import urllib.request
import xml.etree.ElementTree as ET
class HTTPServerV6(HTTPServer):
address_family = socket.AF_INET6
class ExporterRequestHandler(BaseHTTPRequestHandler):
def do_GET(self):
if self.path == "/":
self.make_response("Waldbrandgefahrenstufen Exporter für Brandenburg")
elif self.path == "/metrics":
self.export()
else:
self.send_error(HTTPStatus.NOT_FOUND, "File not found")
return
def do_HEAD(self):
if self.path == "/":
self.make_response("Waldbrandgefahrenstufen Exporter für Brandenburg", head_only=True)
elif self.path == "/metrics":
self.export(head_only=True)
else:
self.send_error(HTTPStatus.NOT_FOUND, "File not found")
return
def export(self, head_only=False):
r = []
with urllib.request.urlopen("https://mluk.brandenburg.de/mluk/de/wgs.xml") as f:
tree = ET.parse(f)
root = tree.getroot()
for lk in root[0].findall("landkreis"):
r.append('waldbrandgefahrenstufe{{landkreis="{landkreis}"}} {value}'.format(landkreis=lk.attrib["name"], value=lk.text))
self.make_response("\n".join(r), head_only=head_only)
def make_response(self, content, head_only=False):
encoded = content.encode("utf-8")
self.send_response(HTTPStatus.OK)
self.send_header("Content-Type", "text/plain; charset=utf-8")
self.send_header("Conten-Length", str(len(encoded)))
self.end_headers()
if not head_only:
self.wfile.write(encoded)
def run():
with HTTPServerV6(("::1", 9242), ExporterRequestHandler) as httpd:
print("Starting Waldbrandgefahrenstufen Exporter on http://[{}]:{}".format(*httpd.socket.getsockname()[:2]))
httpd.serve_forever()
if __name__ == "__main__":
run()
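Review bot: `export()` pastes `lk.attrib["name"]` and `lk.text` from the fetched XML straight into the exposition line; a district name containing `"` or `\` yields an unparsable label and an empty or non-numeric text value makes Prometheus reject the whole scrape, so this upstream content should be escaped and the value converted before it is emitted. The `urllib.request.urlopen` call also has no timeout, so a hung upstream blocks this single-threaded server indefinitely while the scrape job only allows 60s, and `root[0]` assumes a fixed document shape that is never checked. As in the sibling exporter, the header name `Conten-Length` is misspelled and therefore never sent.
```python
    def export(self, head_only=False):
        r = []
        with urllib.request.urlopen("https://mluk.brandenburg.de/mluk/de/wgs.xml", timeout=30) as f:
            root = ET.parse(f).getroot()
        for lk in root[0].findall("landkreis"):
            # label values must be escaped per the exposition format; skip entries without a numeric value
            name = lk.attrib["name"].replace("\\", "\\\\").replace('"', '\\"').replace("\n", "\\n")
            try:
                value = float(lk.text)
            except (TypeError, ValueError):
                continue
            r.append('waldbrandgefahrenstufe{{landkreis="{landkreis}"}} {value}'.format(landkreis=name, value=value))
        # … unchanged: make_response …
```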


@@ -4,6 +4,7 @@
imports =
[ # Include the results of the hardware scan.
./hardware-configuration.nix
./nerd.nix
];
# Use the systemd-boot EFI boot loader.
@@ -13,18 +14,27 @@
networking.hostName = "nerd";
networking.useNetworkd = true;
services.resolved.dnssec = "false";
systemd.network = {
networks."10-ens18" = {
matchConfig = {
Name = "ens18";
};
address = [ "10.42.10.24/24" "fd00:10:42:10::240/64" "2a01:4f8:1c0c:8221::240/64" ];
gateway = [ "10.42.10.1" "2a01:4f8:1c0c:8221::1" ];
address = [
"10.42.10.24/24"
"2a01:4f8:1c0c:8221::24/64"
];
gateway = [
"10.42.10.1"
"2a01:4f8:1c0c:8221::1"
];
dns = [
"10.42.10.1"
"2a01:4f8:1c0c:8221::1"
];
};
};
environment.systemPackages = with pkgs; [ colmena ];
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
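Review bot: The new `dns` list points nerd at `10.42.10.1` / `2a01:4f8:1c0c:8221::1`, but in this same compare those addresses move to the new router (net-services.nix), the CoreDNS resolver (`dns.nix`) is deleted from the host that used to hold 10.42.10.1, and nixdeploy plus the radvd RDNSS use `10.42.10.8` / `2a01:4f8:1c0c:8221::8`; unless the router still answers on port 53, nerd loses name resolution after this deploy. Suggest `dns = [ "10.42.10.8" "2a01:4f8:1c0c:8221::8" ];` to match nixdeploy. This is inferred from the other files in the compare, so verify against the router's actual service list.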

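--- a/hosts/nerd/nerd.nix
+++ b/hosts/nerd/nerd.nix
@@ -0,0 +1,99 @@
+{ config, pkgs, lib, ... }:
+{
+sops.secrets.nerd_secret = {
+owner = "nerd";
+restartUnits = [ "nerd.service" ];
+};
+systemd.services.nerd = let
+nerdCfg = pkgs.writeText "nerd.cfg" ''
+[django]
+secret = !!DJANGO_SECRET!!
+allowed_hosts = nerd.bula22.de
+debug = False
+language_code = de-de
+time_zone = Europe/Berlin
+csrf_trusted_origins = https://nerd.bula22.de
+[database]
+engine = postgresql_psycopg2
+name = nerd
+user =
+password =
+host = /run/postgresql
+port =
+'';
+in {
+after = [ "network.target" ];
+wantedBy = [ "multi-user.target" ];
+environment = {
+NERD_CONFIG_FILE = "/etc/nerd/nerd.cfg";
+PYTHONPATH = "${pkgs.python3.pkgs.nerd.pythonPath}:${pkgs.python3.pkgs.nerd}/${pkgs.python3.sitePackages}:${pkgs.python3Packages.psycopg2}/${pkgs.python3.sitePackages}";
+};
+preStart = ''
+export DJANGO_SECRET=$(cat ${config.sops.secrets.nerd_secret.path})
+${pkgs.gnused}/bin/sed -e "s/!!DJANGO_SECRET!!/$DJANGO_SECRET/g" ${nerdCfg} > /etc/nerd/nerd.cfg
+${pkgs.python3.pkgs.nerd}/bin/nerd migrate
+'';
+serviceConfig = {
+User = "nerd";
+Group = "nerd";
+ConfigurationDirectory = "nerd";
+ExecStart = ''
+${pkgs.python3Packages.gunicorn}/bin/gunicorn \
+--bind 0.0.0.0:10510 \
+--access-logfile - \
+nerd.wsgi
+'';
+};
+};
+services.postgresql = {
+enable = true;
+ensureDatabases = [ "nerd" ];
+ensureUsers = [
+{
+name = "nerd";
+ensurePermissions = {
+"DATABASE nerd" = "ALL PRIVILEGES";
+};
+}
+];
+};
+users.users.nerd = {
+isSystemUser = true;
+group = "nerd";
+};
+users.groups.nerd = {};
+networking.firewall.allowedTCPPorts = [ 80 443 ];
+services.nginx.enable = lib.mkForce false;
+services.caddy = {
+enable = true;
+virtualHosts."nerd.bula22.de" = {
+extraConfig = ''
+@disallow_export {
+not remote_ip 10.42.10.0/24 2a01:4f8:1c0c:8221::/64
+path /export.json*
+}
+route {
+file_server /static/*
+respond @disallow_export 403 {
+close
+}
+reverse_proxy * http://127.0.0.1:10510
+}
+root * ${pkgs.python3.pkgs.nerd}/var/lib/nerd/
+'';
+};
+};
+}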
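Review bot: The `preStart` sed line interpolates the Django secret into sed's argument list, so it is visible to every local user via `ps`/`/proc/*/cmdline` while sed runs, a secret containing `/`, `&` or `\` corrupts the substitution, and the `>` redirect creates `/etc/nerd/nerd.cfg` with the default umask — typically world-readable — inside a ConfigurationDirectory that is itself 0755. nixpkgs ships `replace-secret` for exactly this case: copy the template with restrictive permissions, then substitute in place from the secret file. Separately, gunicorn binds `0.0.0.0:10510` while Caddy only proxies to 127.0.0.1 and enforces the export.json allowlist there; binding `127.0.0.1:10510` keeps the app unreachable except through that policy even if the firewall is loosened later.
```nix
preStart = ''
umask 077
install -m 0600 ${nerdCfg} /etc/nerd/nerd.cfg
${pkgs.replace-secret}/bin/replace-secret '!!DJANGO_SECRET!!' ${config.sops.secrets.nerd_secret.path} /etc/nerd/nerd.cfg
${pkgs.python3.pkgs.nerd}/bin/nerd migrate
'';
# … unchanged: serviceConfig, with --bind 127.0.0.1:10510 …
```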

52
hosts/nerd/secrets.yaml Normal file

@@ -0,0 +1,52 @@
nerd_secret: ENC[AES256_GCM,data:MyuiltRyRppYa1qON2bTsY2z5tQWauWvsYA39JjfuiIwSDtu2pWSdlnGZQ==,iv:XvjM2UZLPNq/c9zzewIyfNTx28kehQ00CVAiWlqyk4M=,tag:i+NZGqiN9NoX2A9DVqtjvg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1x69924s94z4k7s50utyuqrwshpt8p8yzwaxny2gle7yeyg4w3spqml95mu
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoMEhuUTdyNzI5TnkzdXF0
aXpWUDJLYitjM3dvamJHWGxibmdSMzc3S1Y0Ci95dmpvNnBoWnBLSGZHN2dMS25R
cHdpZjRMUHlKYlRoSm41VVhCTVJRNWsKLS0tIHkzWk5TcE14SitKT2hSVi9zNVBG
NlYzOVh1QkdueTZyZ1E1SUVYaE5ESG8KiMADsNBqEIOpaVIr8cR7gk2Km9LC14tp
I7Y4GBq13x/4U9UYl2pCAsHgtNTS/7CznfeIpxhv+hpgn6Kmq2GPjw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-07-13T19:02:49Z"
mac: ENC[AES256_GCM,data:2Sz+FPr1i6bKeC4NpK2D9rGp5HyN5jLnzleaBBJZ9T/p6A4Z7wyiruko8XLUpmGw0TiSsfG5FTj6+FjB90ASW5rv916eWHrADAI1YzyrpVGXtGdzM2dNm8fKRrim3zwld2om6uWe9EJRdsq/aEkMgSZwIka/oSHxZq/s5hrvtEc=,iv:Uwm7oNFtvcJEearMw2avNu9JSYGyiPLo4VzZ8cL/zA0=,tag:CoyNiUfkN+/b18E2JnVGBw==,type:str]
pgp:
- created_at: "2022-07-13T19:57:16Z"
enc: |
-----BEGIN PGP MESSAGE-----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=
=Gwj4
-----END PGP MESSAGE-----
fp: DD2D88B9FCB74C81E6F63AAD5B5D448C88684BC3
- created_at: "2022-07-13T19:57:16Z"
enc: |
-----BEGIN PGP MESSAGE-----
hE4D6iFd6webPCUSAQdASHM9dsHz5peXZEfrg0SR0hYgFKMjktrWNSjDxfwo2EYg
30XlzvPF0+8+o/al3xFD32+VZZJF/hgcRS2bamdRxVnSXgHmIbjvDeB7mxTEZEOZ
5dzcRlDssny/y1l6lIRC3NAysSJ1ApCs4SpmQbOlX7cUGQoQzZi9a2M4qGvTaGbI
9P0kpxAy3RF8mo1kmYK8/wtKUvJWzksj6Me6ojhLjg0=
=UNDK
-----END PGP MESSAGE-----
fp: 6E10217E3187069E057DF5ABE0262A773B824745
unencrypted_suffix: _unencrypted
version: 3.7.1


@@ -13,6 +13,7 @@
networking.hostName = "nixdeploy";
networking.useNetworkd = true;
services.resolved.dnssec = "false";
systemd.network = {
links."10-eth0" = {
matchConfig.MACAddress = "5e:1b:ed:a2:91:d1";
@@ -22,8 +23,18 @@
matchConfig = {
Name = "eth0";
};
DHCP = "yes";
address = [ "2a01:4f8:1c0c:8221:1337:42:10:1/64" ];
address = [
"10.42.10.245/24"
"2a01:4f8:1c0c:8221::245/64"
];
gateway = [
"10.42.10.1"
"2a01:4f8:1c0c:8221::1"
];
dns = [
"10.42.10.8"
"2a01:4f8:1c0c:8221::8"
];
};
};


@@ -4,10 +4,6 @@
imports =
[ # Include the results of the hardware scan.
./hardware-configuration.nix
./router.nix
./dhcp.nix
./dns.nix
./ipv6.nix
./nginx.nix
];
@@ -24,6 +20,41 @@
#networking.interfaces.ens18.useDHCP = false;
#networking.interfaces.ens19.useDHCP = false;
environment.systemPackages = with pkgs; [
ethtool # manage NIC settings (offload, NIC feeatures, ...)
conntrack-tools # view network connection states
wireguard-tools
];
networking.nat = {
enable = true;
externalInterface = "ens18";
internalIPs = [
"10.42.0.0/16"
];
};
boot.kernel.sysctl = {
"net.ipv6.conf.all.forwarding" = true;
"net.ipv6.conf.default.forwarding" = true;
};
networking.interfaces.ens18.useDHCP = true;
networking.interfaces.ens19.useDHCP = false;
networking.interfaces.ens19.ipv6.addresses = [
{ address = "fd00:10:42:10::25"; prefixLength = 64; }
{ address = "2a01:4f8:1c0c:8221::25"; prefixLength = 64; }
];
networking.interfaces.ens19.ipv4.addresses = [
{ address = "10.42.10.25"; prefixLength = 24; }
];
networking.interfaces.ens19.ipv6.routes = [
{ address = "fd00:10:42::"; prefixLength = 48; via = "fd00:10:42:10::1"; }
];
networking.interfaces.ens19.ipv4.routes = [
{ address = "10.42.0.0"; prefixLength = 16; via = "10.42.10.1"; }
];
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
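Review bot: `net.ipv6.conf.all.forwarding` and `.default.forwarding` are switched on here, yet nothing in this file restricts what may be forwarded, and as far as I can tell the NixOS firewall only filters INPUT and leaves the FORWARD chain at its ACCEPT default; with the global `2a01:4f8:1c0c:8221::/64` and ULA addresses on ens19, any path that delivers IPv6 packets to ens18 reaches the internal hosts unfiltered. If this host still forwards IPv6, add a stateful policy such as `ip6tables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` followed by `ip6tables -A FORWARD -i ens18 -j DROP` in `networking.firewall.extraCommands` (with matching `extraStopCommands`); if it no longer forwards IPv6 at all, drop the two sysctls. Whether ens18 carries any IPv6 in practice is not visible from this file.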


@@ -1,13 +0,0 @@
Index: plugin.cfg
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/plugin.cfg b/plugin.cfg
--- a/plugin.cfg (revision 4d1d9adb0ec125097466a4831f57a22069a0d638)
+++ b/plugin.cfg (revision 6a5782f32c139c6cec05341ffc530d05b0a44b06)
@@ -68,3 +68,4 @@
whoami:whoami
on:github.com/coredns/caddy/onevent
sign:sign
+unbound:github.com/coredns/unbound


@@ -1,42 +0,0 @@
{ config, pkgs, ...}:
{
services.kea.dhcp4 = {
enable = true;
settings = {
interfaces-config = {
interfaces = [ "ens19"];
};
lease-database = {
name = "/var/lib/kea/dhcp4.leases";
persist = true;
type = "memfile";
};
subnet4 = [
# Heimnetz
{
subnet = "10.42.10.1/24";
pools = [
{
pool = "10.42.10.50 - 10.42.10.240";
}
];
option-data = [
{
name = "routers";
data = "10.42.10.1";
}
{
name = "domain-name-servers";
data = "10.42.10.1";
}
{
name = "domain-name";
data = "bula.entr0py.cloud";
}
];
}
];
};
};
}


@@ -1,40 +0,0 @@
{ config, pkgs, lib, ...}:
{
networking.firewall.interfaces.ens19.allowedUDPPorts = [ 53 ];
services.coredns = {
enable = true;
config = ''
.:53 {
log
cache
unbound
}
'';
package = lib.fix (self: (pkgs.buildGoModule {
inherit (pkgs.coredns) pname version src postPatch;
patches = pkgs.coredns.patches or [ ] ++ [
./coredns-unbound.patch
];
buildInputs = [ pkgs.unbound ];
vendorSha256 = "sha256-48S1oT+5uT6d+AM8u93AOTbJkW3CLtaowGv+th3cfyM=";
preBuild = ''
go generate
postInstall () {
cp go.mod $out
}
'';
}).overrideAttrs(old: {
preBuild = ''
cp ${self.passthru.go-modules}/go.mod .
go generate
'';
}));
};
}


@@ -1,57 +0,0 @@
{ config, pkgs, ...}:
{
environment.systemPackages = with pkgs; [
wireguard-tools
];
networking = {
firewall.allowedUDPPorts = [ 51820 ];
firewall.trustedInterfaces = [ "ens19"];
iproute2.enable = true;
iproute2.rttablesExtraConfig = ''
100 PUBLIC6
'';
wireguard.enable = true;
wireguard.interfaces = {
wg0 = {
ips = [ "fe80::42:10:1/64" ];
privateKey = "SUPERSECRETKEY";
listenPort = 51820;
allowedIPsAsRoutes = false;
postSetup = ''
ip -6 rule add from 2a01:4f8:1c0c:8221::/64 lookup PUBLIC6
ip -6 route add default via fe80::1 dev wg0 table PUBLIC6
'';
peers = [{
publicKey = "Y++eB9SfU17zB4mJ/6AaN761tngXAyTNoVaPNKmuvls=";
allowedIPs = [ "::/0" ];
endpoint = "78.47.183.82:51876";
#endpoint = "gatekeeper.net.clerie.de:51876";
persistentKeepalive = 25;
}];
};
};
};
boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1;
networking.interfaces.ens19.ipv6.addresses = [{
address = "2a01:4f8:1c0c:8221::1";
prefixLength = 64;
}];
services.corerad = {
enable = true;
settings = {
interfaces = [
{
name = "ens19";
advertise = true;
prefix = [{ prefix = "2a01:4f8:1c0c:8221::/64";}];
mtu = 1420;
}];
debug = {
address = "localhost:9430";
prometheus = true;
};
};
};
}


@@ -13,8 +13,6 @@
networking.firewall.allowedTCPPorts = [ 80 443 ];
security.acme.acceptTerms = true;
security.acme.defaults.email = "letsencrypt@entr0py.de";
services.nginx = {
enable = true;
clientMaxBodySize = "400M";
@@ -23,7 +21,7 @@
recommendedProxySettings = true;
recommendedTlsSettings = true;
};
services.nginx.virtualHosts."lightbuffet.entr0py.cloud" = { # Gitea hostname
services.nginx.virtualHosts."lightbuffet.bula22.de" = { # Gitea hostname
enableACME = true; # Use ACME certs
forceSSL = true; # Force SSL
locations."/" = {


@@ -1,31 +0,0 @@
{ config, pkgs, ...}:
{
environment.systemPackages = with pkgs; [
ethtool # manage NIC settings (offload, NIC feeatures, ...)
conntrack-tools # view network connection states
];
networking.firewall.interfaces.lan.allowedUDPPorts = [ 67 53 ];
networking = {
nameservers = [ "141.24.40.3" "141.24.40.4" ];
nat = {
enable = true;
extraCommands = "iptables -A INPUT -p icmp -j ACCEPT";
externalInterface = "ens18";
internalInterfaces = [ "ens19" ];
};
interfaces = {
ens19.useDHCP = false;
ens18.useDHCP = true;
# Handle the VLANs
ens19 = {
ipv4.addresses = [{
address = "10.42.10.1";
prefixLength = 24;
}];
};
};
};
}


@@ -1,103 +0,0 @@
{ config, pkgs, ... }:
{
imports =
[ # Include the results of the hardware scan.
./hardware-configuration.nix
];
# Use the GRUB 2 boot loader.
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.device = "/dev/sda";
networking.hostName = "pre-yate-n0emis";
boot.kernel.sysctl = {
"net.ipv4.conf.all.forwarding" = true;
"net.ipv6.conf.all.forwarding" = true;
};
networking.useNetworkd = true;
systemd.network = {
links."10-eth0" = {
matchConfig.MACAddress = "4a:a6:0d:b9:3b:82";
linkConfig.Name = "eth0";
};
networks."10-eth0" = {
matchConfig = {
Name = "eth0";
};
DHCP = "yes";
};
links."20-vlan132" = {
matchConfig.MACAddress = "8e:50:2d:73:27:51";
linkConfig.Name = "vlan132";
};
networks."20-vlan132" = {
matchConfig = {
Name = "vlan132";
};
address = [ "10.42.132.1/24" ];
};
};
services.fieldpoc = {
enable = true;
dhcp = {
enable = true;
interface = "vlan132";
subnet = "10.42.132.0/24";
pool = "10.42.132.200 - 10.42.132.250";
router = "10.42.132.1";
dnsServers = "1.1.1.1,9.9.9.9";
omm = "10.42.132.11";
reservations = [
{
name = "rfp-01";
macAddress = "00:30:42:1B:8C:7A";
ipAddress = "10.42.132.11";
}
];
};
};
services.yate.config = {
yate.ygi = {
sndpath = "/opt/sounds";
sndformats = "slin,gsm,wav";
};
accfile.dialout = {
enabled = "yes";
protocol = "sip";
username = "iocaste";
password = "iocaste";
registrar = "172.16.1.1";
};
regexroute = "[default]
\${username}^$=-;error=noauth
^iocaste$=goto dialin
^99991001$=tone/dial
^99991002$=tone/busy
^99991003$=tone/ring
^99991004$=tone/specdial
^99991005$=tone/congestion
^99991006$=tone/outoforder
^99991007$=tone/milliwatt
^99991008$=tone/info
^.*$=line/\\0;line=dialout
[dialin]
\${sip_x-called}^.*$=lateroute/\\1";
};
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "22.05"; # Did you read the comment?
}


@@ -0,0 +1,39 @@
{ config, pkgs, lib, ... }:
with lib;
{
imports =
[
./hardware-configuration.nix
];
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
networking.hostName = "radius";
networking.useDHCP = false;
networking.interfaces.ens18.ipv4.addresses = [
{address = "10.42.10.5"; prefixLength = 24; }
];
networking.interfaces.ens18.ipv6.addresses = [
{address = "2a01:4f8:1c0c:8221::5"; prefixLength = 64; }
];
networking.defaultGateway = { address = "10.42.10.1"; interface = "ens18"; };
networking.defaultGateway6 = { address = "2a01:4f8:1c0c:8221::1"; interface = "ens18"; };
services.prometheus.exporters.node = {
enable = true;
listenAddress = "10.42.10.5";
openFirewall = true;
};
services.freeradius.enable = true;
services.freeradius.debug = true;
users.users.radius.group = "radius";
users.groups.radius = {};
networking.firewall.allowedUDPPorts = [ 1812 ];
environment.systemPackages = [ pkgs.eapol_test ];
system.stateVersion = "22.05";
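Review bot: `services.freeradius.debug = true` runs radiusd with `-X`, which writes the full attribute list of every request and reply — identities, NAS details, the EAP inner exchange and, depending on the exact level, password material — to the journal on the server that hands out VLAN assignments for the whole camp; that is a lab setting, not a production default. Set `services.freeradius.debug = false;` before users come online and switch it on ad hoc, together with the already installed `eapol_test`, only while a client is being debugged. Also note that `openFirewall = true` on the node exporter opens 9100 towards everything that can reach this host, not just the monitoring box.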
}


@@ -0,0 +1,87 @@
###
# Hier werden die Passwörter generiert und sie VLANs zugeordnet. Diese Datei
# kann nach `radius.bula22.de:/etc/raddb/mods-config/files/authorize` geschoben
# werden.
#
# ACHTUNG! Die Passwörter sind nicht idempotent, sondern werden neu generiert.
# Das Skript also nur ausführen, solange die User noch nicht online sind.
# Danach muss wieder manuell gefrickelt werden. Das Passwort für leitstelle01
# ist bereits publik, darum wird es hier überschrieben.
#
# Anpassbar:
# - Welcher Userprefix kommt in welches VLAN.
# - Wie viele User gehen pro Prefix online?
#
# Fragen? Fragen! DECT664 oder über Signal / Matrix / rfc1149.
###
import secrets
import string
USERS_PER_PREFIX = 20
LEITSTELLE01_PW = "Findest du in der existierenden authorize file"
### LEITSTELLE
# DEFAULT
# Tunnel-Private-Group-Id = "205",
# Fall-Through = Yes
#
# leitstelle01 Cleartext-Password := "oofahcul3aiV4ri8"
prefixes = [
(201, "ikt"),
(202, "buehne"),
(202, "technik"),
(203, "hospital"),
(204, "zoll"),
(205, "leitstelle"),
(206, "bll"),
(206, "finanzen"),
(208, "bayern"),
(208, "elydipark"),
(208, "hessen"),
(208, "trabantenstadt"),
(208, "waltara"),
(208, "zeche"),
(209, "infojurte"),
(210, "intfairground"),
(210, "intinfocenter"),
(211, "programmtre"),
(212, "openoffice")
]
def gen_password():
alphabet = string.ascii_letters + string.digits
return ''.join(secrets.choice(alphabet) for i in range(10))
print("DEFAULT")
print("\tTunnel-Type = \"VLAN\",")
print("\tTunnel-Medium-Type = IEEE-802,")
print("\tFall-Through = Yes")
print()
csv_file = "Username,password\n"
for (vlan, prefix) in prefixes:
print(f"## {prefix.upper()}")
print(f"DEFAULT")
print(f"\tTunnel-Private-Group-Id := \"{vlan}\",")
print(f"\tFall-Through = Yes")
print()
for i in range(1, USERS_PER_PREFIX + 1):
username = f"{prefix}{i:02d}"
pw = gen_password()
if username == "leitstelle01":
pw = LEITSTELLE01_PW
print(f"{username}\tCleartext-Password := \"{pw}\"")
csv_file += username + "," + pw + "\n"
print()
f = open("accounts.csv", "w")
f.write(csv_file)
f.close()
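Review bot: `LEITSTELLE01_PW` is a prose placeholder and nothing checks that it was replaced, so running the script as committed silently emits `Findest du in der existierenden authorize file` as the real `Cleartext-Password` for leitstelle01 — a placeholder that turns into a credential should abort the run instead. `open("accounts.csv", "w")` additionally writes every generated password with the default umask, i.e. usually world-readable; create it with mode 0600. Aborting before any output is printed is the safe default here since the header comment already warns that every run regenerates the passwords. Both changes need `import os, sys` at the top of the file.
```python
LEITSTELLE01_PW = os.environ.get("LEITSTELLE01_PW")
if not LEITSTELLE01_PW:
    sys.exit("set LEITSTELLE01_PW from the existing authorize file before running")
# … unchanged: prefixes, gen_password, authorize output …
with open(os.open("accounts.csv", os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600), "w") as f:
    f.write(csv_file)
```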


@@ -0,0 +1,36 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/009361cd-3a0a-4736-98a9-acbef4d7aaa1";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/77DB-3A02";
fsType = "vfat";
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.ens18.useDHCP = lib.mkDefault true;
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@@ -0,0 +1,91 @@
{ config, pkgs, ...}:
{
networking.vlans."net-services" = {
id = 10;
interface = "ens18";
};
networking.wireguard = {
enable = true;
interfaces = {
wg-services = {
ips = [ "fe80::42:10:1/64" ];
privateKeyFile = "/var/src/secrets/wireguard/wg-services";
allowedIPsAsRoutes = false;
peers = [{
publicKey = "Y++eB9SfU17zB4mJ/6AaN761tngXAyTNoVaPNKmuvls=";
allowedIPs = [ "::/0" ];
endpoint = "78.47.183.82:51876";
#endpoint = "gatekeeper.net.clerie.de:51876";
persistentKeepalive = 25;
}];
};
};
};
networking.localCommands = ''
ip -6 route add default dev wg-services table 20003
'';
clerie.policyrouting.rules6 = [
{ rule = "from 2a01:4f8:1c0c:8221::/64 lookup 20003"; prio = 19000; }
];
networking.interfaces.net-services.ipv4.addresses = [
{ address = "10.42.10.1"; prefixLength = 24; }
{ address = "10.42.10.2"; prefixLength = 24; }
];
networking.interfaces.net-services.ipv6.addresses = [
{ address = "fe80::1"; prefixLength = 64; }
{ address = "fd00:10:42:10::1"; prefixLength = 64; }
{ address = "fd00:10:42:10::2"; prefixLength = 64; }
{ address = "2a01:4f8:1c0c:8221::1"; prefixLength = 64; }
{ address = "2a01:4f8:1c0c:8221::2"; prefixLength = 64; }
];
networking.interfaces.net-services.ipv4.routes = [
{ address = "10.42.132.0"; prefixLength = 23; via = "10.42.10.6"; }
];
services.radvd.config = ''
interface net-services {
AdvSendAdvert on;
MaxRtrAdvInterval 30;
prefix ::/64 {
AdvValidLifetime 60;
AdvPreferredLifetime 30;
};
RDNSS 2a01:4f8:1c0c:8221::8 {};
DNSSL bula22.de {};
};
'';
services.kea.dhcp4 = {
settings = {
interfaces-config = {
interfaces = [ "net-services" ];
};
subnet4 = [
{
id = 10;
subnet = "10.42.10.1/24";
pools = [
{
pool = "10.42.10.100 - 10.42.10.240";
}
];
option-data = [
{
name = "routers";
data = "10.42.10.1";
}
];
}
];
};
};
# Everyone is allowed reaching this, no firewall therefore
clerie.uplink-selector.interfaces.net-services.uplink = "uplink-a";
}
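Review bot: The kea `subnet4` entry sets only `routers`, so DHCPv4 clients on net-services get no resolver or search domain unless a global option-data block elsewhere supplies them, while IPv6 clients receive `RDNSS 2a01:4f8:1c0c:8221::8` and `DNSSL bula22.de` from radvd; a v4-only client therefore ends up with a gateway but no DNS. Add `{ name = "domain-name-servers"; data = "10.42.10.8"; }` and `{ name = "domain-name"; data = "bula22.de"; }` to `option-data` (10.42.10.8 is what nixdeploy is configured with — confirm it is the resolver). Also, `ip -6 route add default dev wg-services table 20003` in `localCommands` is not idempotent and fails with "File exists" on a re-run; `ip -6 route replace …` is the safe form.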


@@ -0,0 +1,35 @@
{ config, pkgs, ...}:
{
networking.vlans."net-uplink-a" = {
id = 101;
interface = "ens18";
};
networking.interfaces."net-uplink-a".mtu = 1600;
networking.vlans."net-uplink-a.7" = {
id = 7;
interface = "net-uplink-a";
};
services.pppd = {
peers.uplink-a = {
config = ''
plugin rp-pppoe.so net-uplink-a.7
user "002742928961551138009163#0001@t-online.de"
ifname ppp-uplink-a
persist
maxfail 0
holdoff 5
noipdefault
lcp-echo-interval 20
lcp-echo-failure 3
mtu 1492
hide-password
nodefaultroute
+ipv6
debug
'';
};
};
}


@@ -0,0 +1,35 @@
{ config, pkgs, ...}:
{
networking.vlans."net-uplink-b" = {
id = 102;
interface = "ens18";
};
networking.interfaces."net-uplink-a".mtu = 1600;
networking.vlans."net-uplink-b.7" = {
id = 7;
interface = "net-uplink-b";
};
services.pppd = {
peers.uplink-b = {
config = ''
plugin rp-pppoe.so net-uplink-b.7
user "002269158219551138009162#0001@t-online.de"
ifname ppp-uplink-b
persist
maxfail 0
holdoff 5
noipdefault
lcp-echo-interval 20
lcp-echo-failure 3
mtu 1492
hide-password
nodefaultroute
+ipv6
debug
'';
};
};
}
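Review bot: L2295 sets the MTU on `net-uplink-a` instead of `net-uplink-b`, so the B-side VLAN keeps the kernel default while the A-side option is now declared in two files; the line should read `networking.interfaces."net-uplink-b".mtu = 1600;`. The mistake is masked because a 1492-byte PPPoE link still fits inside the default parent MTU, so nothing fails visibly. Since this file is otherwise a copy of the uplink-a file with the letter swapped, a small shared function taking the VLAN id and suffix would make this kind of slip impossible. `debug` on L2315 logs every LCP/PAP exchange to the journal; `hide-password` keeps the secret out of it, but the flag is worth removing once the link is known to be stable.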


@@ -0,0 +1,75 @@
{ config, pkgs, ...}:
{
networking.vlans."net-technik-iot" = {
id = 151;
interface = "ens18";
};
networking.interfaces.net-technik-iot.ipv6.addresses = [
{ address = "fe80::1"; prefixLength = 64; }
{ address = "fd00:10:42:151::1"; prefixLength = 64; }
];
networking.interfaces.net-technik-iot.ipv4.addresses = [
{ address = "10.42.151.1"; prefixLength = 24; }
];
services.radvd.config = ''
interface net-technik-iot {
AdvSendAdvert on;
MaxRtrAdvInterval 30;
prefix ::/64 {
AdvValidLifetime 60;
AdvPreferredLifetime 30;
};
RDNSS 2a01:4f8:1c0c:8221::8 {};
DNSSL bula22.de {};
};
'';
services.kea.dhcp4 = {
settings = {
interfaces-config = {
interfaces = [ "net-technik-iot" ];
};
subnet4 = [
{
id = 151;
subnet = "10.42.151.1/24";
pools = [
{
pool = "10.42.151.100 - 10.42.151.240";
}
];
option-data = [
{
name = "routers";
data = "10.42.151.1";
}
];
reservations = [
{ # webcam.bula22.de
hw-address = "00:03:c5:01:13:2b";
ip-address = "10.42.151.2";
}
{ # siemens logo stechuhr
hw-address = "bc:f3:19:30:d2:1b";
ip-address = "10.42.151.3";
}
];
}
];
};
};
clerie.forward-filter.interfaces.net-technik-iot.rules = [
{ incomingInterface = "net-ikt"; }
# Give technik access to their toys
{ incomingInterface = "net-technik"; }
# Allow monitoring
{ incomingInterface = "net-services"; sourceAddress = "10.42.10.7"; }
{ incomingInterface = "net-services"; sourceAddress6 = "2a01:4f8:1c0c:8221::7"; }
];
clerie.uplink-selector.interfaces.net-technik-iot.uplink = "uplink-b";
}
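Review bot: The two monitoring rules on L2389-L2390 admit the monitoring host to every address in the IoT network, although the commit message names only the webcam as the target; the module clearly supports a destination match (it is used in the open-office file), so the IPv4 rule can be narrowed to `{ incomingInterface = "net-services"; sourceAddress = "10.42.10.7"; destinationAddress = "10.42.151.2/32"; }`. Whether a `destinationAddress6` counterpart exists is not visible here; if not, the IPv6 rule stays as is and the limitation should be noted in the comment. A short comment per reservation saying which network the device is expected to talk to would also help the next person who has to decide whether the broad `net-technik` rule on L2387 is still needed.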


@@ -0,0 +1,60 @@
{ config, pkgs, ...}:
{
networking.vlans."net-ikt-toys" = {
id = 152;
interface = "ens18";
};
networking.interfaces.net-ikt-toys.ipv6.addresses = [
{ address = "fe80::1"; prefixLength = 64; }
{ address = "fd00:10:42:152::1"; prefixLength = 64; }
];
networking.interfaces.net-ikt-toys.ipv4.addresses = [
{ address = "10.42.152.1"; prefixLength = 24; }
];
services.radvd.config = ''
interface net-ikt-toys {
AdvSendAdvert on;
MaxRtrAdvInterval 30;
prefix ::/64 {
AdvValidLifetime 60;
AdvPreferredLifetime 30;
};
RDNSS 2a01:4f8:1c0c:8221::8 {};
DNSSL bula22.de {};
};
'';
services.kea.dhcp4 = {
settings = {
interfaces-config = {
interfaces = [ "net-ikt-toys" ];
};
subnet4 = [
{
id = 152;
subnet = "10.42.152.1/24";
pools = [
{
pool = "10.42.152.100 - 10.42.152.240";
}
];
option-data = [
{
name = "routers";
data = "10.42.152.1";
}
];
}
];
};
};
clerie.forward-filter.interfaces.net-ikt-toys.rules = [
{ incomingInterface = "net-ikt"; }
];
clerie.uplink-selector.interfaces.net-ikt-toys.uplink = "uplink-b";
}
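Review bot: This file is the same ~55-line template as the hospital (from L2581), zoll (L2639), leitstelle (L2697), verwaltung (L2755), yolo (L2819), infojurte (L2877), internation (L2935), programmtre (L2993), open-office (L3103), fuf (L3168), mav (L3226), audio (L3284) and trabantenst (L3342) files, differing only in interface name, VLAN id, uplink and the optional reservations and extra rules. A single helper along the lines of `mkNet { name, id, uplink, reservations ? [], rules ? [] }` would collapse all of them into one-liners and remove the copy-paste risk that already produced the wrong interface name in the uplink-b file. In every copy `subnet` is written with the router's host address, e.g. `subnet = "10.42.152.1/24";` on L2431; Kea may tolerate this, but the canonical form is `"10.42.152.0/24"` and it reads as a typo otherwise.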


@@ -0,0 +1,61 @@
{ config, pkgs, ...}:
{
networking.vlans."net-ikt" = {
id = 201;
interface = "ens18";
};
networking.interfaces.net-ikt.ipv6.addresses = [
{ address = "fe80::1"; prefixLength = 64; }
{ address = "fd00:10:42:201::1"; prefixLength = 64; }
];
networking.interfaces.net-ikt.ipv4.addresses = [
{ address = "10.42.201.1"; prefixLength = 24; }
];
services.radvd.config = ''
interface net-ikt {
AdvSendAdvert on;
MaxRtrAdvInterval 30;
prefix ::/64 {
AdvValidLifetime 60;
AdvPreferredLifetime 30;
};
RDNSS 2a01:4f8:1c0c:8221::8 {};
DNSSL bula22.de {};
};
'';
services.kea.dhcp4 = {
settings = {
interfaces-config = {
interfaces = [ "net-ikt" ];
};
subnet4 = [
{
id = 201;
subnet = "10.42.201.1/24";
pools = [
{
pool = "10.42.201.100 - 10.42.201.240";
}
];
option-data = [
{
name = "routers";
data = "10.42.201.1";
}
];
}
];
};
};
clerie.forward-filter.interfaces.net-ikt.rules = [
# Allow infrastructure devices to access ikt user devices for downloading software etc
{ incomingInterface = "net-management"; }
];
clerie.uplink-selector.interfaces.net-ikt.uplink = "uplink-b";
}


@@ -0,0 +1,68 @@
{ config, pkgs, ...}:
{
networking.vlans."net-technik" = {
id = 202;
interface = "ens18";
};
networking.interfaces.net-technik.ipv6.addresses = [
{ address = "fe80::1"; prefixLength = 64; }
{ address = "fd00:10:42:202::1"; prefixLength = 64; }
];
networking.interfaces.net-technik.ipv4.addresses = [
{ address = "10.42.202.1"; prefixLength = 24; }
];
services.radvd.config = ''
interface net-technik {
AdvSendAdvert on;
MaxRtrAdvInterval 30;
prefix ::/64 {
AdvValidLifetime 60;
AdvPreferredLifetime 30;
};
RDNSS 2a01:4f8:1c0c:8221::8 {};
DNSSL bula22.de {};
};
'';
services.kea.dhcp4 = {
settings = {
interfaces-config = {
interfaces = [ "net-technik" ];
};
subnet4 = [
{
id = 202;
subnet = "10.42.202.1/24";
pools = [
{
pool = "10.42.202.100 - 10.42.202.240";
}
];
option-data = [
{
name = "routers";
data = "10.42.202.1";
}
];
reservations = [
{ # drucker container
hw-address = "20:cd:a7:f2:1b:ad";
ip-address = "10.42.202.11";
}
];
}
];
};
};
clerie.forward-filter.interfaces.net-technik.rules = [
{ incomingInterface = "net-ikt"; }
# Give the toys access to technik
{ incomingInterface = "net-technik-iot"; }
];
clerie.uplink-selector.interfaces.net-technik.uplink = "uplink-b";
}
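Review bot: The rule on L2573 lets every device in the IoT network (webcam, Siemens LOGO) open connections to any host in the staff network, which together with the reverse rule in the technik-iot file makes the two segments mutually trusted and removes most of the value of having a separate IoT VLAN. If the forward filter is stateful (not visible here), replies to connections opened from `net-technik` already pass without this rule, so it is only needed for sessions the IoT devices initiate themselves; if that is intended, scope it to the destination, e.g. `{ incomingInterface = "net-technik-iot"; destinationAddress = "10.42.202.11/32"; }`, and say in the comment which device needs it.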


@@ -0,0 +1,60 @@
{ config, pkgs, ...}:
{
networking.vlans."net-hospital" = {
id = 203;
interface = "ens18";
};
networking.interfaces.net-hospital.ipv6.addresses = [
{ address = "fe80::1"; prefixLength = 64; }
{ address = "fd00:10:42:203::1"; prefixLength = 64; }
];
networking.interfaces.net-hospital.ipv4.addresses = [
{ address = "10.42.203.1"; prefixLength = 24; }
];
services.radvd.config = ''
interface net-hospital {
AdvSendAdvert on;
MaxRtrAdvInterval 30;
prefix ::/64 {
AdvValidLifetime 60;
AdvPreferredLifetime 30;
};
RDNSS 2a01:4f8:1c0c:8221::8 {};
DNSSL bula22.de {};
};
'';
services.kea.dhcp4 = {
settings = {
interfaces-config = {
interfaces = [ "net-hospital" ];
};
subnet4 = [
{
id = 203;
subnet = "10.42.203.1/24";
pools = [
{
pool = "10.42.203.100 - 10.42.203.240";
}
];
option-data = [
{
name = "routers";
data = "10.42.203.1";
}
];
}
];
};
};
clerie.forward-filter.interfaces.net-hospital.rules = [
{ incomingInterface = "net-ikt"; }
];
clerie.uplink-selector.interfaces.net-hospital.uplink = "uplink-a";
}


@@ -0,0 +1,60 @@
{ config, pkgs, ...}:
{
networking.vlans."net-zoll" = {
id = 204;
interface = "ens18";
};
networking.interfaces.net-zoll.ipv6.addresses = [
{ address = "fe80::1"; prefixLength = 64; }
{ address = "fd00:10:42:204::1"; prefixLength = 64; }
];
networking.interfaces.net-zoll.ipv4.addresses = [
{ address = "10.42.204.1"; prefixLength = 24; }
];
services.radvd.config = ''
interface net-zoll {
AdvSendAdvert on;
MaxRtrAdvInterval 30;
prefix ::/64 {
AdvValidLifetime 60;
AdvPreferredLifetime 30;
};
RDNSS 2a01:4f8:1c0c:8221::8 {};
DNSSL bula22.de {};
};
'';
services.kea.dhcp4 = {
settings = {
interfaces-config = {
interfaces = [ "net-zoll" ];
};
subnet4 = [
{
id = 204;
subnet = "10.42.204.1/24";
pools = [
{
pool = "10.42.204.100 - 10.42.204.240";
}
];
option-data = [
{
name = "routers";
data = "10.42.204.1";
}
];
}
];
};
};
clerie.forward-filter.interfaces.net-zoll.rules = [
{ incomingInterface = "net-ikt"; }
];
clerie.uplink-selector.interfaces.net-zoll.uplink = "uplink-a";
}


@@ -0,0 +1,60 @@
{ config, pkgs, ...}:
{
networking.vlans."net-leitstelle" = {
id = 205;
interface = "ens18";
};
networking.interfaces.net-leitstelle.ipv6.addresses = [
{ address = "fe80::1"; prefixLength = 64; }
{ address = "fd00:10:42:205::1"; prefixLength = 64; }
];
networking.interfaces.net-leitstelle.ipv4.addresses = [
{ address = "10.42.205.1"; prefixLength = 24; }
];
services.radvd.config = ''
interface net-leitstelle {
AdvSendAdvert on;
MaxRtrAdvInterval 30;
prefix ::/64 {
AdvValidLifetime 60;
AdvPreferredLifetime 30;
};
RDNSS 2a01:4f8:1c0c:8221::8 {};
DNSSL bula22.de {};
};
'';
services.kea.dhcp4 = {
settings = {
interfaces-config = {
interfaces = [ "net-leitstelle" ];
};
subnet4 = [
{
id = 205;
subnet = "10.42.205.1/24";
pools = [
{
pool = "10.42.205.100 - 10.42.205.240";
}
];
option-data = [
{
name = "routers";
data = "10.42.205.1";
}
];
}
];
};
};
clerie.forward-filter.interfaces.net-leitstelle.rules = [
{ incomingInterface = "net-ikt"; }
];
clerie.uplink-selector.interfaces.net-leitstelle.uplink = "uplink-a";
}


@@ -0,0 +1,66 @@
{ config, pkgs, ...}:
{
networking.vlans."net-verwaltung" = {
id = 206;
interface = "ens18";
};
networking.interfaces.net-verwaltung.ipv6.addresses = [
{ address = "fe80::1"; prefixLength = 64; }
{ address = "fd00:10:42:206::1"; prefixLength = 64; }
];
networking.interfaces.net-verwaltung.ipv4.addresses = [
{ address = "10.42.206.1"; prefixLength = 24; }
];
services.radvd.config = ''
interface net-verwaltung {
AdvSendAdvert on;
MaxRtrAdvInterval 30;
prefix ::/64 {
AdvValidLifetime 60;
AdvPreferredLifetime 30;
};
RDNSS 2a01:4f8:1c0c:8221::8 {};
DNSSL bula22.de {};
};
'';
services.kea.dhcp4 = {
settings = {
interfaces-config = {
interfaces = [ "net-verwaltung" ];
};
subnet4 = [
{
id = 206;
subnet = "10.42.206.1/24";
pools = [
{
pool = "10.42.206.100 - 10.42.206.240";
}
];
option-data = [
{
name = "routers";
data = "10.42.206.1";
}
];
reservations = [
{ # mkay.bula22.de
hw-address = "ac:87:a3:0c:70:04";
ip-address = "10.42.206.2";
}
];
}
];
};
};
clerie.forward-filter.interfaces.net-verwaltung.rules = [
{ incomingInterface = "net-ikt"; }
];
clerie.uplink-selector.interfaces.net-verwaltung.uplink = "uplink-a";
}


@@ -0,0 +1,60 @@
{ config, pkgs, ...}:
{
networking.vlans."net-yolo" = {
id = 208;
interface = "ens18";
};
networking.interfaces.net-yolo.ipv6.addresses = [
{ address = "fe80::1"; prefixLength = 64; }
{ address = "fd00:10:42:208::1"; prefixLength = 64; }
];
networking.interfaces.net-yolo.ipv4.addresses = [
{ address = "10.42.208.1"; prefixLength = 24; }
];
services.radvd.config = ''
interface net-yolo {
AdvSendAdvert on;
MaxRtrAdvInterval 30;
prefix ::/64 {
AdvValidLifetime 60;
AdvPreferredLifetime 30;
};
RDNSS 2a01:4f8:1c0c:8221::8 {};
DNSSL bula22.de {};
};
'';
services.kea.dhcp4 = {
settings = {
interfaces-config = {
interfaces = [ "net-yolo" ];
};
subnet4 = [
{
id = 208;
subnet = "10.42.208.1/24";
pools = [
{
pool = "10.42.208.100 - 10.42.208.240";
}
];
option-data = [
{
name = "routers";
data = "10.42.208.1";
}
];
}
];
};
};
clerie.forward-filter.interfaces.net-yolo.rules = [
{ incomingInterface = "net-ikt"; }
];
clerie.uplink-selector.interfaces.net-yolo.uplink = "uplink-b";
}


@@ -0,0 +1,60 @@
{ config, pkgs, ...}:
{
networking.vlans."net-infojurte" = {
id = 209;
interface = "ens18";
};
networking.interfaces.net-infojurte.ipv6.addresses = [
{ address = "fe80::1"; prefixLength = 64; }
{ address = "fd00:10:42:209::1"; prefixLength = 64; }
];
networking.interfaces.net-infojurte.ipv4.addresses = [
{ address = "10.42.209.1"; prefixLength = 24; }
];
services.radvd.config = ''
interface net-infojurte {
AdvSendAdvert on;
MaxRtrAdvInterval 30;
prefix ::/64 {
AdvValidLifetime 60;
AdvPreferredLifetime 30;
};
RDNSS 2a01:4f8:1c0c:8221::8 {};
DNSSL bula22.de {};
};
'';
services.kea.dhcp4 = {
settings = {
interfaces-config = {
interfaces = [ "net-infojurte" ];
};
subnet4 = [
{
id = 209;
subnet = "10.42.209.1/24";
pools = [
{
pool = "10.42.209.100 - 10.42.209.240";
}
];
option-data = [
{
name = "routers";
data = "10.42.209.1";
}
];
}
];
};
};
clerie.forward-filter.interfaces.net-infojurte.rules = [
{ incomingInterface = "net-ikt"; }
];
clerie.uplink-selector.interfaces.net-infojurte.uplink = "uplink-b";
}


@@ -0,0 +1,60 @@
{ config, pkgs, ...}:
{
networking.vlans."net-internation" = {
id = 210;
interface = "ens18";
};
networking.interfaces.net-internation.ipv6.addresses = [
{ address = "fe80::1"; prefixLength = 64; }
{ address = "fd00:10:42:210::1"; prefixLength = 64; }
];
networking.interfaces.net-internation.ipv4.addresses = [
{ address = "10.42.210.1"; prefixLength = 24; }
];
services.radvd.config = ''
interface net-internation {
AdvSendAdvert on;
MaxRtrAdvInterval 30;
prefix ::/64 {
AdvValidLifetime 60;
AdvPreferredLifetime 30;
};
RDNSS 2a01:4f8:1c0c:8221::8 {};
DNSSL bula22.de {};
};
'';
services.kea.dhcp4 = {
settings = {
interfaces-config = {
interfaces = [ "net-internation" ];
};
subnet4 = [
{
id = 210;
subnet = "10.42.210.1/24";
pools = [
{
pool = "10.42.210.100 - 10.42.210.240";
}
];
option-data = [
{
name = "routers";
data = "10.42.210.1";
}
];
}
];
};
};
clerie.forward-filter.interfaces.net-internation.rules = [
{ incomingInterface = "net-ikt"; }
];
clerie.uplink-selector.interfaces.net-internation.uplink = "uplink-b";
}


@@ -0,0 +1,112 @@
{ config, pkgs, ...}:
{
networking.vlans."net-programmtre" = {
id = 211;
interface = "ens18";
};
networking.interfaces.net-programmtre.ipv6.addresses = [
{ address = "fe80::1"; prefixLength = 64; }
{ address = "fd00:10:42:211::1"; prefixLength = 64; }
];
networking.interfaces.net-programmtre.ipv4.addresses = [
{ address = "10.42.211.1"; prefixLength = 24; }
];
services.radvd.config = ''
interface net-programmtre {
AdvSendAdvert on;
MaxRtrAdvInterval 30;
prefix ::/64 {
AdvValidLifetime 60;
AdvPreferredLifetime 30;
};
RDNSS 2a01:4f8:1c0c:8221::8 {};
DNSSL bula22.de {};
};
'';
services.kea.dhcp4 = {
settings = {
interfaces-config = {
interfaces = [ "net-programmtre" ];
};
subnet4 = [
{
id = 211;
subnet = "10.42.211.1/24";
pools = [
{
pool = "10.42.211.100 - 10.42.211.240";
}
];
option-data = [
{
name = "routers";
data = "10.42.211.1";
}
];
reservations = [
{
# signage-11
hw-address = "e4:5f:01:91:f7:fe";
ip-address = "10.42.211.11";
}
{
# signage-12
hw-address = "e4:5f:01:92:08:13";
ip-address = "10.42.211.12";
}
{
# signage-13
hw-address = "e4:5f:01:91:f5:59";
ip-address = "10.42.211.13";
}
{
# signage-21
hw-address = "e4:5f:01:93:70:86";
ip-address = "10.42.211.21";
}
{
# signage-22
hw-address = "e4:5f:01:93:5b:53";
ip-address = "10.42.211.22";
}
{
# signage-23
hw-address = "e4:5f:01:93:5c:39";
ip-address = "10.42.211.23";
}
{
# signage-24
hw-address = "e4:5f:01:93:58:ad";
ip-address = "10.42.211.24";
}
{
# signage-25
hw-address = "e4:5f:01:93:5b:e9";
ip-address = "10.42.211.25";
}
{
# signage-31
hw-address = "b8:27:eb:cd:f7:ef";
ip-address = "10.42.211.31";
}
{
# signage-32
hw-address = "b8:27:eb:1b:5c:f1";
ip-address = "10.42.211.32";
}
];
}
];
};
};
clerie.forward-filter.interfaces.net-programmtre.rules = [
{ incomingInterface = "net-ikt"; }
];
clerie.uplink-selector.interfaces.net-programmtre.uplink = "uplink-b";
}


@@ -0,0 +1,67 @@
{ config, pkgs, ...}:
{
networking.vlans."net-open-office" = {
id = 212;
interface = "ens18";
};
networking.interfaces.net-open-office.ipv6.addresses = [
{ address = "fe80::1"; prefixLength = 64; }
{ address = "fd00:10:42:212::1"; prefixLength = 64; }
];
networking.interfaces.net-open-office.ipv4.addresses = [
{ address = "10.42.212.1"; prefixLength = 24; }
];
services.radvd.config = ''
interface net-open-office {
AdvSendAdvert on;
MaxRtrAdvInterval 30;
prefix ::/64 {
AdvValidLifetime 60;
AdvPreferredLifetime 30;
};
RDNSS 2a01:4f8:1c0c:8221::8 {};
DNSSL bula22.de {};
};
'';
services.kea.dhcp4 = {
settings = {
interfaces-config = {
interfaces = [ "net-open-office" ];
};
subnet4 = [
{
id = 212;
subnet = "10.42.212.1/24";
pools = [
{
pool = "10.42.212.100 - 10.42.212.240";
}
];
option-data = [
{
name = "routers";
data = "10.42.212.1";
}
];
reservations = [
{ # drucker.bula22.de
hw-address = "00:21:b7:87:50:2c";
ip-address = "10.42.212.2";
}
];
}
];
};
};
clerie.forward-filter.interfaces.net-open-office.rules = [
{ incomingInterface = "net-ikt"; }
{ destinationAddress = "10.42.212.2/32"; }
];
clerie.uplink-selector.interfaces.net-open-office.uplink = "uplink-b";
}
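Review bot: The rule on L3160 has no `incomingInterface`, so every routed network on this router can reach the printer at 10.42.212.2 on every port, not only the print protocols. Printers are a common pivot point, so either list the networks that actually print (`{ incomingInterface = "net-verwaltung"; destinationAddress = "10.42.212.2/32"; }` and so on) or, if the forward-filter module has a port match (not visible from here), restrict the rule to the printing ports. A one-line comment naming the purpose of the rule would also keep it from being copied into the other templates as a generic "allow host" example.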


@@ -0,0 +1,60 @@
{ config, pkgs, ...}:
{
networking.vlans."net-fuf" = {
id = 213;
interface = "ens18";
};
networking.interfaces.net-fuf.ipv6.addresses = [
{ address = "fe80::1"; prefixLength = 64; }
{ address = "fd00:10:42:213::1"; prefixLength = 64; }
];
networking.interfaces.net-fuf.ipv4.addresses = [
{ address = "10.42.213.1"; prefixLength = 24; }
];
services.radvd.config = ''
interface net-fuf {
AdvSendAdvert on;
MaxRtrAdvInterval 30;
prefix ::/64 {
AdvValidLifetime 60;
AdvPreferredLifetime 30;
};
RDNSS 2a01:4f8:1c0c:8221::8 {};
DNSSL bula22.de {};
};
'';
services.kea.dhcp4 = {
settings = {
interfaces-config = {
interfaces = [ "net-fuf" ];
};
subnet4 = [
{
id = 213;
subnet = "10.42.213.1/24";
pools = [
{
pool = "10.42.213.100 - 10.42.213.240";
}
];
option-data = [
{
name = "routers";
data = "10.42.213.1";
}
];
}
];
};
};
clerie.forward-filter.interfaces.net-fuf.rules = [
{ incomingInterface = "net-ikt"; }
];
clerie.uplink-selector.interfaces.net-fuf.uplink = "uplink-b";
}


@@ -0,0 +1,60 @@
{ config, pkgs, ...}:
{
networking.vlans."net-mav" = {
id = 214;
interface = "ens18";
};
networking.interfaces.net-mav.ipv6.addresses = [
{ address = "fe80::1"; prefixLength = 64; }
{ address = "fd00:10:42:214::1"; prefixLength = 64; }
];
networking.interfaces.net-mav.ipv4.addresses = [
{ address = "10.42.214.1"; prefixLength = 24; }
];
services.radvd.config = ''
interface net-mav {
AdvSendAdvert on;
MaxRtrAdvInterval 30;
prefix ::/64 {
AdvValidLifetime 60;
AdvPreferredLifetime 30;
};
RDNSS 2a01:4f8:1c0c:8221::8 {};
DNSSL bula22.de {};
};
'';
services.kea.dhcp4 = {
settings = {
interfaces-config = {
interfaces = [ "net-mav" ];
};
subnet4 = [
{
id = 214;
subnet = "10.42.214.1/24";
pools = [
{
pool = "10.42.214.100 - 10.42.214.240";
}
];
option-data = [
{
name = "routers";
data = "10.42.214.1";
}
];
}
];
};
};
clerie.forward-filter.interfaces.net-mav.rules = [
{ incomingInterface = "net-ikt"; }
];
clerie.uplink-selector.interfaces.net-mav.uplink = "uplink-b";
}


@@ -0,0 +1,60 @@
{ config, pkgs, ...}:
{
networking.vlans."net-audio" = {
id = 215;
interface = "ens18";
};
networking.interfaces.net-audio.ipv6.addresses = [
{ address = "fe80::1"; prefixLength = 64; }
{ address = "fd00:10:42:215::1"; prefixLength = 64; }
];
networking.interfaces.net-audio.ipv4.addresses = [
{ address = "10.42.215.1"; prefixLength = 24; }
];
services.radvd.config = ''
interface net-audio {
AdvSendAdvert on;
MaxRtrAdvInterval 30;
prefix ::/64 {
AdvValidLifetime 60;
AdvPreferredLifetime 30;
};
RDNSS 2a01:4f8:1c0c:8221::8 {};
DNSSL bula22.de {};
};
'';
services.kea.dhcp4 = {
settings = {
interfaces-config = {
interfaces = [ "net-audio" ];
};
subnet4 = [
{
id = 215;
subnet = "10.42.215.1/24";
pools = [
{
pool = "10.42.215.100 - 10.42.215.240";
}
];
option-data = [
{
name = "routers";
data = "10.42.215.1";
}
];
}
];
};
};
clerie.forward-filter.interfaces.net-audio.rules = [
{ incomingInterface = "net-ikt"; }
];
clerie.uplink-selector.interfaces.net-audio.uplink = "uplink-b";
}


@@ -0,0 +1,60 @@
{ config, pkgs, ...}:
{
networking.vlans."net-trabantenst" = {
id = 216;
interface = "ens18";
};
networking.interfaces.net-trabantenst.ipv6.addresses = [
{ address = "fe80::1"; prefixLength = 64; }
{ address = "fd00:10:42:216::1"; prefixLength = 64; }
];
networking.interfaces.net-trabantenst.ipv4.addresses = [
{ address = "10.42.216.1"; prefixLength = 24; }
];
services.radvd.config = ''
interface net-trabantenst {
AdvSendAdvert on;
MaxRtrAdvInterval 30;
prefix ::/64 {
AdvValidLifetime 60;
AdvPreferredLifetime 30;
};
RDNSS 2a01:4f8:1c0c:8221::8 {};
DNSSL bula22.de {};
};
'';
services.kea.dhcp4 = {
settings = {
interfaces-config = {
interfaces = [ "net-trabantenst" ];
};
subnet4 = [
{
id = 216;
subnet = "10.42.216.1/24";
pools = [
{
pool = "10.42.216.100 - 10.42.216.240";
}
];
option-data = [
{
name = "routers";
data = "10.42.216.1";
}
];
}
];
};
};
clerie.forward-filter.interfaces.net-trabantenst.rules = [
{ incomingInterface = "net-ikt"; }
];
clerie.uplink-selector.interfaces.net-trabantenst.uplink = "uplink-b";
}


@@ -0,0 +1,19 @@
{ config, pkgs, ...}:
{
networking.vlans."net-management" = {
id = 42;
interface = "ens18";
};
networking.interfaces.net-management.ipv4.addresses = [
{ address = "10.42.42.1"; prefixLength = 24; }
];
clerie.forward-filter.interfaces.net-management.rules = [
{ incomingInterface = "net-ikt"; }
# Allow monitoring
{ incomingInterface = "net-services"; sourceAddress = "10.42.10.7"; }
{ incomingInterface = "net-services"; sourceAddress6 = "2a01:4f8:1c0c:8221::7"; }
];
}


@@ -0,0 +1,101 @@
{ config, pkgs, ... }:
{
imports =
[
./hardware-configuration.nix
./nat.nix
./ppp.nix
./prefix-delegation.nix
./uplink-selector.nix
./10-net-services.nix
./42-net-management.nix
./101-net-uplink-a.nix
./102-net-uplink-b.nix
./151-net-technik-iot.nix
./152-net-ikt-toys.nix
./201-net-ikt.nix
./202-net-technik.nix
./203-net-hospital.nix
./204-net-zoll.nix
./205-net-leitstelle.nix
./206-net-verwaltung.nix
./208-net-yolo.nix
./209-net-infojurte.nix
./210-net-internation.nix
./211-net-programmtre.nix
./212-net-open-office.nix
./213-net-fuf.nix
./214-net-mav.nix
./215-net-audio.nix
./216-net-trabantenst.nix
];
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
networking.hostName = "router";
networking.firewall.checkReversePath = false;
services.prometheus.exporters.node = {
enable = true;
listenAddress = "10.42.10.2";
openFirewall = true;
};
boot.kernel.sysctl = {
"net.ipv4.conf.all.forwarding" = true;
"net.ipv4.conf.default.forwarding" = true;
"net.ipv6.conf.all.accept_ra" = 0;
"net.ipv6.conf.default.accept_ra" = 0;
"net.ipv6.conf.all.forwarding" = true;
"net.ipv6.conf.default.forwarding" = true;
};
services.radvd.enable = true;
services.kea.dhcp4 = {
enable = true;
settings = {
interfaces-config = {
interfaces = [];
};
lease-database = {
name = "/var/lib/kea/dhcp4.leases";
persist = true;
type = "memfile";
};
option-data = [
{
name = "domain-name-servers";
data = "10.42.10.8";
}
{
name = "domain-name";
data = "bula22.de";
}
];
subnet4 = [];
};
};
clerie.forward-filter.enable = true;
networking.interfaces."ens18".mtu = 9000;
services.pppd.enable = true;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "22.05"; # Did you read the comment?
}
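Review bot: L3454 switches reverse-path filtering off completely for a box that forwards between ~20 VLANs and two uplinks, so a spoofed source address arriving on any VLAN is forwarded and NATed out. Strict mode is indeed incompatible with the per-uplink policy routing tables set up in ppp.nix, but the option also accepts the loose mode, which only requires that some route back to the source exists and keeps that protection for the internal ranges: `networking.firewall.checkReversePath = "loose";`. Whichever value is kept, a comment stating why strict mode cannot be used (two PPPoE uplinks selected per interface via tables 20001/20002) belongs next to the line, otherwise the next reader will assume it is a leftover from debugging.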


@@ -0,0 +1,36 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/7dc69b5a-5951-4361-a3ed-b0d5a1d1bda2";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/1CA1-50C3";
fsType = "vfat";
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.ens18.useDHCP = lib.mkDefault true;
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

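--- a/hosts/router/nat.nix
+++ b/hosts/router/nat.nix
@@ -0,0 +1,22 @@
+{ config, pkgs, ... }:
+{
+networking.firewall.extraCommands = ''
+# NAT for uplink
+ip46tables -w -t nat -N nat-post
+iptables -w -t nat -A nat-post -s '10.42.0.0/16' -o ppp-uplink-a -j MASQUERADE
+iptables -w -t nat -A nat-post -s '10.42.0.0/16' -o ppp-uplink-b -j MASQUERADE
+ip6tables -w -t nat -A nat-post -s 'fd00:10:42::/48' -o ppp-uplink-a -j MASQUERADE
+ip6tables -w -t nat -A nat-post -s 'fd00:10:42::/48' -o ppp-uplink-b -j MASQUERADE
+ip46tables -w -t nat -A POSTROUTING -j nat-post
+'';
+networking.firewall.extraStopCommands = ''
+# NAT for uplink
+ip46tables -w -t nat -D POSTROUTING -j nat-post 2>/dev/null || true
+ip46tables -w -t nat -F nat-post 2>/dev/null || true
+ip46tables -w -t nat -X nat-post 2>/dev/null || true
+'';
+}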

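--- a/hosts/router/ppp.nix
+++ b/hosts/router/ppp.nix
@@ -0,0 +1,84 @@
+{ config, pkgs, ... }:
+{
+sops.secrets.ppp_secrets = {
+path = "/etc/ppp/pap-secrets";
+mode = "0440";
+};
+# Setting default routes based on interfaces in different tables
+environment.etc."ppp/ip-up" = {
+text = ''
+#! ${pkgs.runtimeShell} -e
+case $1 in
+ppp-uplink-a)
+${pkgs.iproute2}/bin/ip route flush table 20001 || true
+${pkgs.iproute2}/bin/ip route add default dev ppp-uplink-a table 20001
+${pkgs.iproute2}/bin/ip route replace default dev ppp-uplink-a metric 2000
+;;
+ppp-uplink-b)
+${pkgs.iproute2}/bin/ip route flush table 20002 || true
+${pkgs.iproute2}/bin/ip route add default dev ppp-uplink-b table 20002
+${pkgs.iproute2}/bin/ip route replace default dev ppp-uplink-b metric 1000
+;;
+esac
+'';
+mode = "555";
+};
+environment.etc."ppp/ip-down" = {
+text = ''
+#! ${pkgs.runtimeShell} -e
+case $1 in
+ppp-uplink-a)
+${pkgs.iproute2}/bin/ip route flush table 20001 || true
+${pkgs.iproute2}/bin/ip route delete default dev ppp-uplink-a || true
+;;
+ppp-uplink-b)
+${pkgs.iproute2}/bin/ip route flush table 20002 || true
+${pkgs.iproute2}/bin/ip route delete default dev ppp-uplink-b || true
+;;
+esac
+'';
+mode = "555";
+};
+environment.etc."ppp/ipv6-up" = {
+text = ''
+#! ${pkgs.runtimeShell} -e
+case $1 in
+ppp-uplink-a)
+${pkgs.iproute2}/bin/ip -6 route flush table 20001 || true
+${pkgs.iproute2}/bin/ip -6 route add default dev ppp-uplink-a table 20001
+${pkgs.iproute2}/bin/ip -6 route replace default dev ppp-uplink-a metric 2000
+;;
+ppp-uplink-b)
+${pkgs.iproute2}/bin/ip -6 route flush table 20002 || true
+${pkgs.iproute2}/bin/ip -6 route add default dev ppp-uplink-b table 20002
+${pkgs.iproute2}/bin/ip -6 route replace default dev ppp-uplink-b metric 1000
+;;
+esac
+${pkgs.systemd}/bin/systemctl restart dhcpcd.service
+'';
+mode = "555";
+};
+environment.etc."ppp/ipv6-down" = {
+text = ''
+#! ${pkgs.runtimeShell} -e
+case $1 in
+ppp-uplink-a)
+${pkgs.iproute2}/bin/ip -6 route flush table 20001 || true
+${pkgs.iproute2}/bin/ip -6 route delete default dev ppp-uplink-a || true
+;;
+ppp-uplink-b)
+${pkgs.iproute2}/bin/ip -6 route flush table 20002 || true
+${pkgs.iproute2}/bin/ip -6 route delete default dev ppp-uplink-b || true
+;;
+esac
+'';
+mode = "555";
+};
+}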
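Review bot: The ipv6-up hook on L3623 restarts dhcpcd on every PPP (re)negotiation of either uplink, so a flap on uplink-a also tears down and re-requests the delegated prefixes on uplink-b and briefly drops the global addresses of every VLAN behind it; `dhcpcd -n` (a rebind, if the module exposes it) or a per-interface restart would limit the blast radius, and the reason for the restart deserves a comment either way. The four scripts use `case $1 in` unquoted; pppd passes an interface name so it is harmless today, but `case "$1" in` is the safe spelling for a root-executed hook. Because each script runs with `-e`, a failing `ip route add` (for example when the table was not empty because the flush was skipped) aborts the rest of the hook silently; the `|| true` on the flush lines hides exactly that case, so consider logging to the journal before the add.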


@@ -0,0 +1,34 @@
{ config, pkgs, ... }:
{
networking.interfaces.net-ikt.useDHCP = true;
networking.interfaces.net-technik.useDHCP = true;
networking.interfaces.net-hospital.useDHCP = true;
networking.interfaces.net-zoll.useDHCP = true;
networking.interfaces.net-leitstelle.useDHCP = true;
networking.interfaces.net-verwaltung.useDHCP = true;
networking.interfaces.net-yolo.useDHCP = true;
networking.interfaces.net-infojurte.useDHCP = true;
networking.interfaces.net-internation.useDHCP = true;
networking.interfaces.net-programmtre.useDHCP = true;
networking.interfaces.net-open-office.useDHCP = true;
networking.dhcpcd = {
enable = true;
allowInterfaces = [
"net-*"
"ppp-*"
];
wait = "ipv6";
extraConfig = ''
ipv6only
noipv6rs
interface ppp-uplink-a
ipv6rs
ia_pd 1/::/56 net-hospital/203/64 net-zoll/204/64 net-leitstelle/205/64 net-verwaltung/206/64
interface ppp-uplink-b
ipv6rs
ia_pd 1/::/56 net-technik-iot/151/64 net-technik-iot/152/64 net-ikt/201/64 net-technik/202/64 net-yolo/208/64 net-infojurte/209/64 net-internation/210/64 net-programmtre/211/64 net-open-office/212/64 net-fuf/213/64 net-mav/214/64 net-audio/215/64 net-trabantenst/216/64
'';
};
}
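Review bot: L3676 lists `net-technik-iot` twice (`net-technik-iot/151/64 net-technik-iot/152/64`) and `net-ikt-toys` not at all, so the toys VLAN never receives a delegated IPv6 prefix and the IoT VLAN is assigned two; the second entry should be `net-ikt-toys/152/64`, matching its VLAN id 152 in the interface file. The `useDHCP = true` list on L3650-L3660 likewise stops at net-open-office and omits fuf, mav, audio, trabantenst, technik-iot and ikt-toys; whether that matters depends on whether `allowInterfaces = [ "net-*" ]` alone is enough for dhcpcd to configure them, which is not visible here, so either complete the list or drop it and say in a comment that the glob is authoritative. Generating both the list and the `ia_pd` line from one table of `{ name, id, uplink }` would keep the two in sync with the per-VLAN files.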

52
hosts/router/secrets.yaml Normal file

@@ -0,0 +1,52 @@
ppp_secrets: ENC[AES256_GCM,data:FQQdo1xFu+pW4wshQBVEBFqyhyTpprVZ9QAeasht1p82x5cODiGqnRNxNohnVVVxJmOtcuwIh1vN6dSEN8ju1XyuUn7suURnZ4og4Fk5yqHMFlBptAdViYLONV6dngGskIGug60Kyy8ysgBJSoq3LKy0plivSQ==,iv:RM+aYOP7zVO62h28EQHgvIEw96d7BNK5W0ut2TCfe4g=,tag:ZDAazjUtll+mEDWK8vlyGQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1ghrvqrw92y355qw2m48jxvlu34pxf9c68nkus9lspfm05nes63gqmh5av5
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBibE1jbGFjZUdBZjNZY0h4
RkdCTElUS0xtMzQ5WHNScDR0dnBZRzBHanlVCi8vTE52Y0V2QW1SbUR0OFNwc0Rt
UVU5bWxKc0U3OEloOXFnYldvUjVOSW8KLS0tIDcyeHFWR2d3Q3V0U013QzdvODJi
WmdZQ2h3Qi9LWXhBbTNxSlkxaFlBSDgKPSe9TF+kKct2YYL0mmGYK5pAfGpeobUI
SsQPevDyZG8qTiBDnzw9uFfCJO9XSwaWms2hfEtNNFMFmgdBdbBrMQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-07-23T14:37:21Z"
mac: ENC[AES256_GCM,data:TRGnDcBjfuKa/VyiWJiYB9FVtztUeJAHwSrZHmK3+9Y9Ae6Q+JNUiep+tUY2c5yhTyD8IJ/0IZ/ad+lKi+W5gfPOnmpSGEhqckc8CwM2dAHN5+jFIdu8RYGIxwpevn38ZjNmRFII/FGc08JMtiGTIvDL6WPe0+KdKxnMCn1ps3k=,iv:FFh5Vw8vAl2vwcMGTM/gCKmief8J9C4RlLr4g4aNs2s=,tag:iEdFCwQDWbfDeRKs3nrFOQ==,type:str]
pgp:
- created_at: "2022-07-23T14:30:56Z"
enc: |
-----BEGIN PGP MESSAGE-----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=
=tuD3
-----END PGP MESSAGE-----
fp: DD2D88B9FCB74C81E6F63AAD5B5D448C88684BC3
- created_at: "2022-07-23T14:30:56Z"
enc: |
-----BEGIN PGP MESSAGE-----
hE4D6iFd6webPCUSAQdAVZFfxX2qwqqOTdVKP3Gwgr9hGjsMw9LjuOke+MQIzU0g
V4ZfuxxGV5jur+KQgzyinpS7OsGlE6+VTHdKzvk0zI3SXgHZlR2Scbu1GayIBd1D
Gjw2TzhA5Oglwi0sp19JJscY0YEAiKEN35EefAhIY6ZDPg/rRogY3nMSNcrjMNgW
yHe/WT5QsAP97rqDls7dnXmN2nfQtw151T9f1/+hC28=
=l5ht
-----END PGP MESSAGE-----
fp: 6E10217E3187069E057DF5ABE0262A773B824745
unencrypted_suffix: _unencrypted
version: 3.7.1


@@ -0,0 +1,11 @@
{ config, pkgs, ... }:
{
clerie.policyrouting.enable = true;
clerie.uplink-selector.enable = true;
clerie.uplink-selector.uplinks = {
uplink-a.table = "20001";
uplink-b.table = "20002";
};
}


@@ -0,0 +1,76 @@
{ config, pkgs, lib, ... }:
{
imports =
[ # Include the results of the hardware scan.
./hardware-configuration.nix
./voip.nix
];
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
networking.hostName = "yate-dialup";
networking.useNetworkd = true;
services.resolved.dnssec = "false";
systemd.network = {
networks."10-ens18" = {
matchConfig = {
Name = "ens18";
};
address = [
"10.42.10.9/24"
"2a01:4f8:1c0c:8221::9/64"
];
gateway = [
"10.42.10.1"
"2a01:4f8:1c0c:8221::1"
];
dns = [
"10.42.10.8"
"2a01:4f8:1c0c:8221::8"
];
};
};
networking.firewall.enable = false;
networking.nftables = {
enable = true;
ruleset = let
tcpPorts = lib.concatStringsSep ", " (map toString config.networking.firewall.allowedTCPPorts);
udpPorts = lib.concatStringsSep ", " (map toString config.networking.firewall.allowedUDPPorts);
in ''
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
iifname lo accept
ct state {established, related} accept
ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
ip protocol icmp icmp type { destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept
ip6 nexthdr icmpv6 icmpv6 type echo-request accept
ip protocol icmp icmp type echo-request accept
tcp dport 22 accept
tcp dport { ${tcpPorts} } accept
udp dport { ${udpPorts} } accept
ip saddr { 10.42.10.6, 217.10.68.150 } accept
ip6 saddr { 2a01:4f8:1c0c:8221::6, 2001:ab7::0/64 } accept
}
}
'';
};
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "22.05"; # Did you read the comment?
}
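Review bot: The input chain admits every protocol and port from the whole `2001:ab7::0/64` prefix and from `217.10.68.150`, and `udp dport { ${udpPorts} }` opens port 161 (set in this host's voip.nix) to any source, so the SNMPv2c agent and its static community string are reachable from everything that can reach ens18, which carries a public 2a01:4f8 address. Narrow the trunk-provider entries to the SIP and RTP ports the trunk actually uses and tie SNMP to the poller, e.g. `ip saddr <MONITORING-HOST-V4> udp dport 161 accept` in place of the unconditional allowedUDPPorts passthrough. If allowedTCPPorts ever evaluates to an empty list the interpolation yields `tcp dport { } accept`, which nft rejects as far as I know; wrapping that line in `lib.optionalString (tcpPorts != "")` avoids a ruleset that fails to load. The same ruleset appears verbatim in the yate host's configuration.nix further down in this compare; a shared module would keep the two from drifting.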


@@ -0,0 +1,37 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/a2e0233a-3bfd-4c17-8139-41ebe0733ec4";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/5BC9-396D";
fsType = "vfat";
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.ens18.useDHCP = lib.mkDefault true;
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@@ -0,0 +1,52 @@
sipgate_password: ENC[AES256_GCM,data:mqqkkCaMYsuEWpjW,iv:JhTKMKdj2gj9uRVBWm/kVmaHgTggdBUWZ7Af73IJa94=,tag:PhPnkrvE7NWkfOpCM39Kkg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age14zsha5c5238v6hzchdfkjgjjwzc2qc79tl0ngmqrdquck5f945zs35vps4
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkdzhabG9PclViWTFBbzFk
WU1LTDZJaXVxNVVpeGdtOGZhcHlKS3B6SWhNClJrdEJ2NVA5c2VIUCtoajJMSitB
NFYwNlNmWTJPZWVnZWxiL1NFUTNzZXcKLS0tIHBETFg0UkNEcW13bEtGOFhBeXM4
WWZiOTdRS3pUdi9sb1hraHZ5aFFHUkUKCo+qUjs8zXH4PSIv8ONpkOFM+T4I94E8
Cf30aeB7OeViVTfV6+tg76zrbdJ0uyQVJcIfbQPlDflvbrS2/D28xQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-07-24T08:41:00Z"
mac: ENC[AES256_GCM,data:w6DF3AY6rRDhef6ZClFe4jvS7NIWADTTp4nP9a0CIE4F7hFQRNeQMG92OgKajaSDZhmo6gVWWm0IO9Bw2WlndLgTISigjHnQUMF0/p8HXhc69Bpnl9RVa1mghs4qLiGys5HIHBnSVnkj9Sq7W9psOwS4sTpFGVj/BMEcB3nfrYw=,iv:HWVDMWAJ5SoCuW34+Bu7iRzr39RassXqKSFsE/OCHaA=,tag:WqGcnCiLRVW6IvQCtXT0dQ==,type:str]
pgp:
- created_at: "2022-07-18T06:44:35Z"
enc: |
-----BEGIN PGP MESSAGE-----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=
=PHaL
-----END PGP MESSAGE-----
fp: DD2D88B9FCB74C81E6F63AAD5B5D448C88684BC3
- created_at: "2022-07-18T06:44:35Z"
enc: |
-----BEGIN PGP MESSAGE-----
hE4D6iFd6webPCUSAQdAP67Vt9XQLyeHB5dxhTQPke7eKYKb6NPZ3c532BDsgSAg
D/6K9eDqbK6cnFnvtZ+Qa0zYS4wIexCgIRgLGA8omBXSXgHCPtGl/gBbdexcXXcL
cajDmIIOc7w8tPOg81CDVLT2hRPIWIOkbpFCqyKWqgCvPGHsHaMHdaEQh+E76HsS
qbURE+neOiNzKWzJrShPre7wtJyBQuGhXwyx4xmF6bc=
=1aA/
-----END PGP MESSAGE-----
fp: 6E10217E3187069E057DF5ABE0262A773B824745
unencrypted_suffix: _unencrypted
version: 3.7.1


@@ -0,0 +1,53 @@
{ config, pkgs, lib, ... }:
{
services.yate = {
enable = true;
config = {
regfile.yate.password = "yate";
regexroute = "[default]
^4933921999799\\(.*\\)$=sip/sip:\\1@10.42.10.6
\${sip_x-dialout-allowed}^1$=goto dialout
[dialout]
\${username}^$=-;error=noauth
^.*$=sip/sip:\\0;line=sipgate;osip_P-Preferred-Identity=<sip:4933921999799\${caller}@sipconnect.sipgate.de>;caller=3400888t0;domain=sipconnect.sipgate.de;";
ysipchan.general = {
ignorevia = "yes";
};
ysnmpagent = {
general.port = 161;
snmp_v2.ro_community = "yate";
};
};
};
networking.firewall.allowedUDPPorts = [ 161 ];
sops.secrets.sipgate_password = {
owner = "yate";
restartUnits = [ "yate.service" ];
};
#networking.hosts."2001:ab7::9" = [ "sipconnect.sipgate.de" ];
systemd.services.yate = {
preStart = let
accfile = pkgs.writeText "accfile.conf" (lib.generators.toINI { } {
sipgate = {
enabled = "yes";
protocol = "sip";
username = "3400888t0";
authname = "3400888t0";
password = "!!sipgate_password!!";
registrar = "sipconnect.sipgate.de";
localaddress = "yes";
};
});
in ''
${pkgs.gnused}/bin/sed -e "s/!!sipgate_password!!/$(cat ${config.sops.secrets.sipgate_password.path})/g" ${accfile} > /etc/yate/accfile.conf
'';
serviceConfig.PermissionsStartOnly = true;
};
}
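Review bot: The preStart line `${pkgs.gnused}/bin/sed -e "s/!!sipgate_password!!/$(cat …)/g" … > /etc/yate/accfile.conf` puts the decrypted password on sed's command line, where every local user can read it through /proc while sed runs, and the shell redirect creates the file with root's default umask inside the 0755 ConfigurationDirectory, so the rendered accfile.conf is most likely world-readable; a password containing `/`, `&` or `\` also corrupts the substitution. Create the file with explicit ownership and mode and substitute in place without passing the secret as an argument, e.g. `install -m 0400 -o yate -g yate ${accfile} /etc/yate/accfile.conf` followed by `${pkgs.replace-secret}/bin/replace-secret '!!sipgate_password!!' ${config.sops.secrets.sipgate_password.path} /etc/yate/accfile.conf` (replace-secret is in nixpkgs; confirm it is in the pinned channel). The fieldpoc module's preStart later in this compare does the same for `!!OMMPASSWORD!!` and `!!SIPSECRET!!` into /etc/fieldpoc/config.json and needs the same treatment. `regfile.yate.password = "yate"` and the SNMP community are literals in the world-readable Nix store; the sops secret mechanism already used in this file covers them too.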


@@ -0,0 +1,150 @@
{ config, pkgs, lib, ... }:
{
imports =
[ # Include the results of the hardware scan.
./hardware-configuration.nix
./voip.nix
];
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
networking.hostName = "yate";
boot.kernel.sysctl = {
"net.ipv4.conf.all.forwarding" = true;
"net.ipv6.conf.all.forwarding" = true;
};
networking.useNetworkd = true;
services.resolved.dnssec = "false";
systemd.network = {
networks."10-ens18" = {
matchConfig = {
Name = "ens18";
};
address = [
"10.42.10.6/24"
"2a01:4f8:1c0c:8221::6/64"
];
gateway = [
"10.42.10.1"
"2a01:4f8:1c0c:8221::1"
];
dns = [
"10.42.10.8"
"2a01:4f8:1c0c:8221::8"
];
};
links."20-vlan132" = {
matchConfig.MACAddress = "4e:9e:f3:3e:ed:36";
linkConfig.Name = "vlan132";
};
networks."20-vlan132" = {
matchConfig = {
Name = "vlan132";
};
address = [ "10.42.132.1/24" ];
};
links."20-vlan133" = {
matchConfig.MACAddress = "86:3c:c7:51:c4:82";
linkConfig.Name = "vlan133";
};
networks."20-vlan133" = {
matchConfig = {
Name = "vlan133";
};
address = [ "10.42.133.1/24" ];
};
};
services.kea.dhcp4 = {
settings = {
interfaces-config = {
interfaces = [ "vlan133" ];
};
subnet4 = [
{
id = 133;
subnet = "10.42.133.1/24";
pools = [
{
pool = "10.42.133.100 - 10.42.133.240";
}
];
option-data = [
{
name = "routers";
data = "10.42.133.1";
}
{
name = "domain-name-servers";
data = "10.42.10.8";
}
];
}
];
};
};
networking.firewall.enable = false;
networking.nftables = {
enable = true;
ruleset = let
tcpPorts = lib.concatStringsSep ", " (map toString config.networking.firewall.allowedTCPPorts);
udpPorts = lib.concatStringsSep ", " (map toString config.networking.firewall.allowedUDPPorts);
in ''
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
iifname lo accept
ct state {established, related} accept
ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
ip protocol icmp icmp type { destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept
ip6 nexthdr icmpv6 icmpv6 type echo-request accept
ip protocol icmp icmp type echo-request accept
tcp dport 22 accept
tcp dport { ${tcpPorts} } accept
udp dport { ${udpPorts} } accept
iif {vlan132, vlan133} accept
ip saddr { 10.42.10.9 } accept
ip6 saddr { 2a01:4f8:1c0c:8221::9 } accept
}
chain forward {
type filter hook forward priority 0; policy drop;
ct state {established, related} accept
iif {vlan132, vlan133} accept
ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
ip protocol icmp icmp type { destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept
ip6 nexthdr icmpv6 icmpv6 type echo-request accept
ip protocol icmp icmp type echo-request accept
ip saddr 10.42.201.0/24 accept
}
}
'';
};
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "22.05"; # Did you read the comment?
}
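Review bot: With forwarding enabled by the sysctls, the forward chain accepts all traffic from vlan132/vlan133 and from `10.42.201.0/24` with no destination or port restriction, so any device that obtains a lease on the DECT or SIP VLAN can be forwarded to wherever this host routes. Restricting those rules to the SIP/RTP flows the handsets need (and documenting why 10.42.201.0/24 is forwarded at all — that line has no comment) would bound the exposure; the same applies to the input rule `iif {vlan132, vlan133} accept`, which admits SSH and every other listener from the phone VLANs. The kea subnet is written as `subnet = "10.42.133.1/24"` while the fieldpoc DHCP block in this host's voip.nix uses the canonical `10.42.132.0/24`; confirm kea accepts a prefix with host bits set, or change it to `10.42.133.0/24`. The nftables ruleset duplicates the yate-dialup one above; only the vlan and saddr lines differ.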

30
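--- a/hosts/yate/dect_claim.py
+++ b/hosts/yate/dect_claim.py
@@ -0,0 +1,30 @@
+import asyncio
+import os
+import re
+import socket
+from yate.ivr import YateIVR
+SOUNDS_PATH = "/run/current-system/sw/share/sounds/yate"
+async def main(ivr: YateIVR):
+caller_id = ivr.call_params.get("caller", "")
+caller_id = re.sub("[^\\d]", "", caller_id)
+called_id = ivr.call_params.get("called", "")
+called_id = re.sub("[^\\d]", "", called_id)
+await ivr.play_soundfile(
+os.path.join(SOUNDS_PATH, "yintro.slin"),
+complete=True)
+await asyncio.sleep(0.5)
+with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
+s.connect(("localhost", 9437))
+s.recv(1024)
+s.sendall(f"claim {caller_id} {called_id}".encode('utf-8'))
+s.recv(1024)
+app = YateIVR()
+app.run(main)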
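Review bot: The claim is sent with blocking socket calls inside the `async def main` coroutine and the controller's reply from the second `s.recv(1024)` is discarded, so the IVR event loop stalls for the whole exchange and a rejected or failed claim is indistinguishable from a successful one; with no timeout, an unresponsive controller on 9437 hangs the call indefinitely. Use asyncio streams with a bounded wait and look at the reply before returning; the `socket` import then becomes unused. Indentation appears to have been stripped by the page rendering, so the fence restores it.
```python
    reader, writer = await asyncio.open_connection("localhost", 9437)
    try:
        await asyncio.wait_for(reader.read(1024), timeout=5)  # controller prompt
        writer.write(f"claim {caller_id} {called_id}".encode("utf-8"))
        await writer.drain()
        reply = await asyncio.wait_for(reader.read(1024), timeout=5)
        # TODO: check `reply` against the controller's success/failure response
    finally:
        writer.close()
        await writer.wait_closed()
```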


@@ -14,10 +14,15 @@
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/d3e87ae2-fb17-44f0-b113-14b185a2c845";
{ device = "/dev/disk/by-uuid/c63fbce0-c409-4c1b-911c-25cd08cc7722";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/B481-41BF";
fsType = "vfat";
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
@@ -27,5 +32,6 @@
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.ens18.useDHCP = lib.mkDefault true;
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

53
hosts/yate/secrets.yaml Normal file

@@ -0,0 +1,53 @@
ommpassword: ENC[AES256_GCM,data:OwtsLlRZ5rOE6UY=,iv:vOOVNBX5Rjkf3J/dz1COS2TOgNz3aZFsaqGTIX+Wlyk=,tag:3aqap0tovVMLHx8sfpFfvQ==,type:str]
sipsecret: ENC[AES256_GCM,data:FGX7yhqrDfWP9IvZi3WdR2ahgsq8DVhhtO+ONoSWhsg=,iv:5+aixENdMFw6B5wywzOFm5PqcwjfsBs9Mxs4wL6x05c=,tag:c6b36/kolZWM1jo0dt9chA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age10pxa70g3ekxdrk788l52s93a6ftavdw3r8x6d23gmsluudmwq3asmu6ah9
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBic1NCbjlyWlJzODRqekJL
VE9TbFplenQ1SjFXM0M3S2hDTFNnakpOQWxFCmhDcHREN2wxSGt5OHhQYWRaQ1lu
K3NvZ2RpaWZPMWVzTkRqZ0xPKzNZem8KLS0tIEoxNVRKQ2ZDTXozV1R2R3JmZDI3
WEtWTTN3a2VFVHgxQXNXMmVEbnVZNFEKdP2ewBsZBr/thdqcF7RUF9L4ziy5YPVl
FJAMvB7VxUfICBbCwcehp+Lj248T2h7hdGrl3RMcT0NgbFw2XdjDRA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-07-21T07:22:05Z"
mac: ENC[AES256_GCM,data:zW/hdL7olhsRVy2dnhI+qvTDQmP5vUv+TZDSAW0M8JVbSbqA9PKR2RcKEw16Q1SwXEzGrFuN/zrDxv0BHMSTgwRfJlFFc12wMD4uGCZLkgn2gHklPHr33dwIvxhncQD0QNuo0uQXw41z/Sqme1t+M9UcUZYtXExrnllcFIKnbJQ=,iv:FYLdqGvjerSXVZwEHVcOL/udqcWfa0RSd9+t32KUQpg=,tag:SGswvKi9Q8C+Vm3e7EzxMw==,type:str]
pgp:
- created_at: "2022-07-20T11:12:30Z"
enc: |
-----BEGIN PGP MESSAGE-----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=
=c6ck
-----END PGP MESSAGE-----
fp: DD2D88B9FCB74C81E6F63AAD5B5D448C88684BC3
- created_at: "2022-07-20T11:12:30Z"
enc: |
-----BEGIN PGP MESSAGE-----
hE4D6iFd6webPCUSAQdAnNWOc2A1xPEzatTwvDnpyVawW7VrfrpB5ibrXX3Ty2sg
ieeBlwSTTTbMkH4qq5z2nb6n0lJRTllK9uoPu7XYtv7SXgGCfQL45J8fARpS2oB3
9h7l+oVf9yMu5xNR/pQuDORj8VdVHBm7sYEXqHbmeyoBDybSyNE4BKeVpncHkLvz
BC0kdgFBTvtIYqOJLcoIGFh1Qe29HfvkrNmmvyvbMFw=
=MZgy
-----END PGP MESSAGE-----
fp: 6E10217E3187069E057DF5ABE0262A773B824745
unencrypted_suffix: _unencrypted
version: 3.7.1

107
hosts/yate/voip.nix Normal file

@@ -0,0 +1,107 @@
{ config, pkgs, lib, ... }:
{
sops.secrets.ommpassword = {};
sops.secrets.sipsecret = {};
services.fieldpoc = {
enable = true;
ommIp = "10.42.132.2";
ommUser = "omm";
ommPasswordPath = config.sops.secrets.ommpassword.path;
sipsecretPath = config.sops.secrets.sipsecret.path;
dhcp = {
enable = true;
interface = "vlan132";
subnet = "10.42.132.0/24";
pool = "10.42.132.200 - 10.42.132.250";
router = "10.42.132.1";
dnsServers = "10.42.10.8";
omm = "10.42.132.2";
reservations = [
{
name = "omm";
macAddress = "AA:C3:A9:26:1F:77";
ipAddress = "10.42.132.2";
}
{
name = "rfp-01";
macAddress = "00:30:42:1B:8C:7A";
ipAddress = "10.42.132.11";
}
];
};
};
services.yate.config = {
accfile.dialout = {
enabled = "yes";
protocol = "sip";
username = "yate";
password = "yate";
registrar = "yate-dialup.bula22.de";
};
regexroute = "[default]
\${username}^$=-;error=noauth
^yate$=goto dialin
^.*$=line/\\0;line=dialout
[dialin]
\${sip_x-called}^.*$=lateroute/\\1";
ysipchan = {
general = {
ignorevia = "yes";
};
#"listener general".enable = "no";
#"listener dect" = {
# type = "udp";
# addr = "10.42.132.1";
# port = "5060";
#};
#"listener sip" = {
# type = "udp";
# addr = "10.42.133.1";
# port = "5060";
#};
#"listener voip" = {
# type = "udp";
# addr = "10.42.10.6";
# port = "5060";
# default = "yes";
#};
};
ysnmpagent = {
general.port = 161;
snmp_v2.ro_community = "yate";
};
};
networking.firewall.allowedUDPPorts = [ 161 ];
environment.systemPackages = with pkgs; [
(writers.makePythonWriter python39 python39.pkgs "/bin/dect_claim" { libraries = [ python39.pkgs.python-yate ]; } (builtins.readFile ./dect_claim.py))
(runCommand "yintro.slin" {} ''
mkdir -p $out/share/sounds/yate
ln -s ${./yintro.slin} $out/share/sounds/yate/yintro.slin
'')
];
systemd.services.fieldpoc-nerd = {
wantedBy = ["multi-user.target"];
startAt = "*-*-* *:*:00";
script = let
reloadScript = pkgs.writeText "reload" ''
spawn ${pkgs.inetutils}/bin/telnet localhost 9437
expect "> "
send "reload\n"
expect "> "
send "exit\n"
expect "disconnecting"
'';
in ''
${pkgs.curl}/bin/curl https://nerd.bula22.de/export.json\?event=1 > /etc/fieldpoc/extensions.json
${pkgs.expect}/bin/expect ${reloadScript}
'';
};
}
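Review bot: The fieldpoc-nerd script overwrites /etc/fieldpoc/extensions.json with whatever curl returns, including an error page or an empty body when nerd.bula22.de is unreachable, and then tells the controller to reload it every minute; without `-f` curl exits 0 on HTTP errors, so a broken file is installed silently. Fetch to a temporary file and move it into place only on success: `${pkgs.curl}/bin/curl -fsS --max-time 30 'https://nerd.bula22.de/export.json?event=1' -o /etc/fieldpoc/extensions.json.tmp` followed by `mv /etc/fieldpoc/extensions.json.tmp /etc/fieldpoc/extensions.json`. `accfile.dialout.password = "yate"` is the credential for the trunk to yate-dialup and is committed and stored in the world-readable Nix store; the sops secrets already declared at the top of this file are the place for it. The commented-out listener blocks carry no note on why they are disabled; either drop them or add a one-line reason.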

BIN
hosts/yate/yintro.slin Normal file

Binary file not shown.


@@ -3,6 +3,9 @@
{
imports = [
./yate
./forward-filter
./policyrouting
./uplink-selector
./fieldpoc
];
}


@@ -11,21 +11,74 @@ in {
options = {
services.fieldpoc = {
enable = mkEnableOption "fieldpoc";
# TODO: config
#config = mkOption {
# type = with types; attrsOf anything;
# default = { };
#};
ommIp = mkOption {
type = types.str;
};
ommUser = mkOption {
type = types.str;
};
ommPasswordPath = mkOption {
type = types.path;
};
sipsecretPath = mkOption {
type = types.path;
};
};
};
config = mkIf cfg.enable {
environment.systemPackages = with pkgs; [
python3.pkgs.fieldpoc
];
systemd.services.fieldpoc = {
description = "Simple phone system";
wantedBy = [ "multi-user.target" ];
after = [ "network-online.target" "yate.service" ];
serviceConfig = {
Type = "simple";
ExecStart = "${pkgs.python3.pkgs.fieldpoc}/bin/fieldpoc -c /etc/fieldpoc/config.json -e /etc/fieldpoc/extensions.json --debug";
ConfigurationDirectory = "fieldpoc";
};
preStart = let
cfgFile = pkgs.writeText "config.json" (lib.generators.toJSON { } {
controller = {
host = "127.0.0.1";
port = 9437;
};
dect = {
host = cfg.ommIp;
username = cfg.ommUser;
password = "!!OMMPASSWORD!!";
sipsecret = "!!SIPSECRET!!";
};
yate = {
host = "127.0.0.1";
port = 5039;
};
database = {
hostname = "127.0.0.1";
username = "fieldpoc";
password = "fieldpoc";
database = "fieldpoc";
};
});
in ''
${pkgs.gnused}/bin/sed -e "s/!!OMMPASSWORD!!/$(cat ${cfg.ommPasswordPath})/g" -e "s/!!SIPSECRET!!/$(cat ${cfg.sipsecretPath})/g" ${cfgFile} > /etc/fieldpoc/config.json
if [ ! -f "/etc/fieldpoc/extensions.json" ]; then
echo '{"extensions": {}}' > /etc/fieldpoc/extensions.json
fi
'';
};
services.postgresql = {
enable = true;
initialScript = pkgs.writeText "backend-initScript" ''
CREATE ROLE nixcloud WITH LOGIN PASSWORD 'nixcloud' CREATEDB;
CREATE DATABASE nixcloud;
GRANT ALL PRIVILEGES ON DATABASE nixcloud TO nixcloud;
CREATE ROLE fieldpoc WITH LOGIN PASSWORD 'fieldpoc' CREATEDB;
CREATE DATABASE fieldpoc;
GRANT ALL PRIVILEGES ON DATABASE fieldpoc TO fieldpoc;
'';
};
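Review bot: `systemd.services.fieldpoc` sets no `User`, so the daemon that talks to the OMM, yate and PostgreSQL runs as root while `--debug` is hard-wired into ExecStart; a dedicated user (`serviceConfig.User = "fieldpoc"`) with the rendered config.json chowned to it in preStart is the least-privilege shape, and the debug flag belongs behind a module option. The initialScript also creates a `nixcloud` role and database that nothing in this hunk uses, with its password inline; if that is a leftover it should go, and note that initialScript only runs on first cluster initialisation, so neither role nor password changes here reach an existing instance. The config.json written by preStart carries the same secret-on-the-sed-command-line and default-umask issues as the yate-dialup voip.nix earlier in this compare. The enclosing `config = mkIf cfg.enable` block continues past the end of the hunk.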


@@ -0,0 +1,162 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.clerie.forward-filter;
startScript = pkgs.writeScriptBin "forward-filter-start" ''
#! ${pkgs.runtimeShell} -e
ip46tables() {
iptables -w "$@"
ip6tables -w "$@"
}
ip46tables -D FORWARD -j forward-filter 2> /dev/null || true
ip46tables -F forward-filter 2> /dev/null || true
ip46tables -X forward-filter 2> /dev/null || true
ip46tables -N forward-filter
ip46tables -A forward-filter -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
${concatStrings (mapAttrsToList (iface: ifacecfg: ''
${concatMapStrings (rule: if (rule.sourceAddress != null || rule.destinationAddress != null ) then ''
iptables -A forward-filter -o ${iface} ${optionalString (rule.incomingInterface != null) "-i ${rule.incomingInterface}"} ${optionalString (rule.sourceAddress != null) "-s ${rule.sourceAddress}"} ${optionalString (rule.destinationAddress != null) "-d ${rule.destinationAddress}"} ${optionalString (rule.jump != null) "-j ${rule.jump}"}
'' else if (rule.sourceAddress6 != null || rule.destinationAddress6 != null ) then ''
ip6tables -A forward-filter -o ${iface} ${optionalString (rule.incomingInterface != null) "-i ${rule.incomingInterface}"} ${optionalString (rule.sourceAddress6 != null) "-s ${rule.sourceAddress6}"} ${optionalString (rule.destinationAddress6 != null) "-d ${rule.destinationAddress6}"} ${optionalString (rule.jump != null) "-j ${rule.jump}"}
'' else ''
ip46tables -A forward-filter -o ${iface} ${optionalString (rule.incomingInterface != null) "-i ${rule.incomingInterface}"} ${optionalString (rule.jump != null) "-j ${rule.jump}"}
''
) ifacecfg.rules}
${optionalString (ifacecfg.default != null) ''
ip46tables -A forward-filter -o ${iface} -j ${ifacecfg.default}
''}
'') cfg.interfaces)}
ip46tables -A FORWARD -j forward-filter
'';
stopScript = pkgs.writeScriptBin "forward-filter-stop" ''
#! ${pkgs.runtimeShell} -e
ip46tables() {
iptables -w "$@"
ip6tables -w "$@"
}
ip46tables -D FORWARD -j forward-filter 2> /dev/null || true
ip46tables -F forward-filter 2> /dev/null || true
ip46tables -X forward-filter 2> /dev/null || true
'';
in
{
options = {
clerie.forward-filter = {
enable = mkOption {
type = types.bool;
default = false;
description =
''
Whether to enable the forward-filter. It gives basic control about
blocking and allowing forward between interfaces.
'';
};
interfaces = mkOption {
default = { };
type = with types; attrsOf (submodule {
options = {
rules = mkOption {
type = with types; listOf (submodule {
options = {
sourceAddress = mkOption {
type = types.nullOr types.str;
default = null;
example = "192.168.0.0/24";
description = "";
};
sourceAddress6 = mkOption {
type = types.nullOr types.str;
default = null;
example = "fd00::/64";
description = "";
};
destinationAddress = mkOption {
type = types.nullOr types.str;
default = null;
example = "192.168.0.0/24";
description = "";
};
destinationAddress6 = mkOption {
type = types.nullOr types.str;
default = null;
example = "fd00::/64";
description = "";
};
incomingInterface = mkOption {
type = types.nullOr types.str;
default = null;
example = "ens18";
description = "";
};
jump = mkOption {
type = types.nullOr types.str;
default = "ACCEPT";
example = "DROP";
description = "";
};
};
});
description = "List of rules to filter forwarding.";
};
default = mkOption {
type = types.nullOr types.str;
default = "DROP";
example = "ACCEPT";
description = "";
};
};
});
description =
''
Interface filter options.
'';
};
};
};
config = mkIf cfg.enable {
environment.systemPackages = [ pkgs.iptables ];
systemd.services.forward-filter = {
description = "Forward Filter";
wantedBy = [ "sysinit.target" ];
wants = [ "network-pre.target" ];
before = [ "network-pre.target" ];
after = [ "systemd-modules-load.service" ];
path = [ pkgs.iptables ];
unitConfig.ConditionCapability = "CAP_NET_ADMIN";
unitConfig.DefaultDependencies = false;
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStart = "@${startScript}/bin/forward-filter-start forward-filter-start";
ExecStop = "@${stopScript}/bin/forward-filter-stop forward-filter-stop";
};
};
};
}
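Review bot: In startScript a rule that sets both an IPv4 and an IPv6 address (say `sourceAddress` and `sourceAddress6`) only ever produces the iptables line, because the `if … else if` in the per-rule mapping takes the v4 branch and silently drops the v6 one, so a rule meant to cover both families leaves IPv6 at the interface default. Emit the v4 and v6 lines independently and fall back to ip46tables only when neither family is addressed; the fence rewrites that mapping. Interface names and addresses are interpolated into the script unquoted and unvalidated, so a value containing whitespace changes the generated command; either tighten the option types or quote the values. The `description = ""` on every rule option and `jump`'s default of ACCEPT deserve a sentence each, e.g. `description = "Target chain or verdict for matching packets; null omits -j.";`.
```nix
${concatMapStrings (rule: let
  iifOpt = optionalString (rule.incomingInterface != null) "-i ${rule.incomingInterface}";
  jumpOpt = optionalString (rule.jump != null) "-j ${rule.jump}";
  has4 = rule.sourceAddress != null || rule.destinationAddress != null;
  has6 = rule.sourceAddress6 != null || rule.destinationAddress6 != null;
in
  optionalString has4 ''
    iptables -A forward-filter -o ${iface} ${iifOpt} ${optionalString (rule.sourceAddress != null) "-s ${rule.sourceAddress}"} ${optionalString (rule.destinationAddress != null) "-d ${rule.destinationAddress}"} ${jumpOpt}
  ''
  + optionalString has6 ''
    ip6tables -A forward-filter -o ${iface} ${iifOpt} ${optionalString (rule.sourceAddress6 != null) "-s ${rule.sourceAddress6}"} ${optionalString (rule.destinationAddress6 != null) "-d ${rule.destinationAddress6}"} ${jumpOpt}
  ''
  + optionalString (!has4 && !has6) ''
    ip46tables -A forward-filter -o ${iface} ${iifOpt} ${jumpOpt}
  ''
) ifacecfg.rules}
# … unchanged: per-interface default rule and the final FORWARD jump …
```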


@@ -0,0 +1,116 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.clerie.policyrouting;
startScript = pkgs.writeScriptBin "policyrouting-start" ''
#! ${pkgs.runtimeShell} -e
ip -6 rule flush 2> /dev/null || true
ip rule flush 2> /dev/null || true
${concatMapStrings (rule: ''
ip -6 rule add ${rule.rule} prio ${toString rule.prio}
'') (cfg.rules ++ cfg.rules6)}
${concatMapStrings (rule: ''
ip rule add ${rule.rule} prio ${toString rule.prio}
'') (cfg.rules ++ cfg.rules4)}
'';
stopScript = pkgs.writeScriptBin "policyrouting-stop" ''
#! ${pkgs.runtimeShell} -e
ip -6 rule flush 2> /dev/null || true
ip rule flush 2> /dev/null || true
# Loading default settings
ip -6 rule add from all lookup main prio 32766
ip rule add from all lookup main prio 32766
ip -6 rule add from all lookup default prio 32767
ip rule add from all lookup default prio 32767
'';
ruleOpts = { ... }: {
options = {
prio = mkOption {
type = types.int;
example = 20000;
};
rule = mkOption {
type = types.str;
example = "from fd00:23:42::/64 lookup 20101";
};
};
};
in
{
options = {
clerie.policyrouting = {
enable = mkOption {
type = types.bool;
default = false;
description =
''
Enable policy routing
'';
};
rules = mkOption {
type = with types; listOf (submodule ruleOpts);
default = [];
description = "Rules applied both, to IPv6 and IPv4";
};
rules6 = mkOption {
type = with types; listOf (submodule ruleOpts);
default = [];
description = "Rules applied to IPv6";
};
rules4 = mkOption {
type = with types; listOf (submodule ruleOpts);
default = [];
description = "Rules applied to IPv4";
};
};
};
config = mkIf cfg.enable {
# always use main routing table as a fallback
clerie.policyrouting.rules = [
{ rule = "lookup main"; prio = 32766; }
{ rule = "lookup default"; prio = 32767; }
];
environment.systemPackages = [ pkgs.iproute2 ];
systemd.services.policyrouting = {
description = "Policyrouting";
before = [ "network.target" ];
wantedBy = [ "network.target" ];
after = [ "network-pre.target" ];
path = [ pkgs.iproute2 ];
unitConfig.ConditionCapability = "CAP_NET_ADMIN";
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStart = "@${startScript}/bin/policyrouting-start policyrouting-start";
ExecStop = "@${stopScript}/bin/policyrouting-stop policyrouting-stop";
};
};
};
}
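Review bot: startScript flushes every rule and then re-adds them in list order, with the `lookup main`/`lookup default` fallbacks merged in from the config block rather than placed first; because the script runs under `-e`, a single malformed entry in `cfg.rules` aborts it after the flush and leaves the host with no main-table rule until the stop script (which does restore them) is run. Move the two fallback rules out of `clerie.policyrouting.rules` and into startScript directly after the flush, mirroring the four `ip … rule add from all lookup … prio 3276x` lines stopScript already has, so a partial failure degrades to default routing rather than to none (adding them in both places would fail with EEXIST under `-e`). The `prio` and `rule` options carry examples but no `description`; one line each, e.g. `description = "Priority passed to ip rule add; lower values are evaluated first.";`, would make the module self-explaining.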


@@ -0,0 +1,74 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.clerie.uplink-selector;
in
{
options = {
clerie.uplink-selector = {
enable = mkOption {
type = types.bool;
default = false;
description =
''
Select a default gateway for each interface manually
'';
};
uplinks = mkOption {
default = { };
type = with types; attrsOf (submodule {
options = {
table = mkOption {
type = types.str;
example = "5001";
description = "Route table containing the gateway route of this uplink";
};
};
});
description =
''
Uplink interface name
'';
};
interfaces = mkOption {
default = { };
type = with types; attrsOf (submodule {
options = {
uplink = mkOption {
type = types.nullOr types.str;
example = "uplink-a";
description = "Name of the uplink that should used as a default gateway by this interface";
};
};
});
description =
''
Interface
'';
};
};
};
config = mkIf cfg.enable {
clerie.policyrouting.enable = true;
clerie.policyrouting.rules = [
{ rule = "lookup main suppress_prefixlength 0"; prio = 10000; }
] ++ (mapAttrsToList (iface: ifacecfg: {
rule = "iif ${iface} lookup ${cfg.uplinks.${ifacecfg.uplink}.table}"; prio = 20000;
}) cfg.interfaces);
};
}
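Review bot: `interfaces.<name>.uplink` is typed `nullOr str`, yet the rule generator evaluates `cfg.uplinks.${ifacecfg.uplink}.table` unconditionally, so an interface whose uplink is set to null (which the type permits) fails with a null-coercion error, and one that names an uplink missing from `uplinks` fails with an attribute error that does not mention the interface. Skip null entries with `mapAttrsToList … (filterAttrs (_: c: c.uplink != null) cfg.interfaces)` and add `assertions = mapAttrsToList (iface: c: { assertion = c.uplink == null || builtins.hasAttr c.uplink cfg.uplinks; message = "uplink-selector: interface ${iface} references unknown uplink ${c.uplink}"; }) cfg.interfaces;` inside the config block. The descriptions on `uplinks` and `interfaces` ("Uplink interface name", "Interface") do not say what the attribute names are keyed by; `description = "Uplinks keyed by name; each names the routing table holding its default route.";` would.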


@@ -34,13 +34,14 @@ in {
serviceConfig = {
Type = "forking";
ExecStart =
"${pkgs.yate}/bin/yate -d -p /run/yate/yate.pid -c /etc/yate -F -s -q -DF -r -l /var/lib/yate/yate.log";
"${pkgs.yate}/bin/yate -d -p /run/yate/yate.pid -c /etc/yate -F -s -vvv -DF -r -l /var/lib/yate/yate.log";
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
User = "yate";
Group = "yate";
AmbientCapabilities = "CAP_NET_BIND_SERVICE";
RuntimeDirectory = "yate";
RuntimeDirectoryMode = "0755";
ConfigurationDirectory = "yate";
StateDirectory = "yate";
StateDirectoryMode = "0700";
PIDFile = "/run/yate/yate.pid";
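Review bot: Replacing `-q` with `-vvv` turns on yate's highest verbosity permanently for every host that uses this module, and at that level the log in /var/lib/yate/yate.log presumably carries SIP traces with caller numbers and authentication exchanges, with no rotation configured in this hunk. Make the verbosity a module option, e.g. `extraFlags = mkOption { type = with types; listOf str; default = [ "-q" ]; }` spliced into ExecStart, so debugging can be switched on per host and off again after the event.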


@@ -6,6 +6,8 @@ self: super: {
python3 = let packageOverrides = final: prev: import ./python final prev;
in super.python3.override { inherit packageOverrides; };
python39 = let packageOverrides = final: prev: import ./python final prev;
in super.python39.override { inherit packageOverrides; };
yate = super.yate.overrideAttrs (old: {
configureFlags =
@@ -15,4 +17,20 @@ self: super: {
t38modem = self.callPackage ./t38modem.nix { };
ptlib = self.callPackage ./ptlib.nix { };
opal = self.callPackage ./opal.nix { };
eapol_test = super.wpa_supplicant.overrideAttrs (old: rec {
name = "eapol_test-${old.version}";
buildPhase = ''
runHook preBuild
echo CONFIG_EAPOL_TEST=y >> .config
make eapol_test
runHook postBuild
'';
installPhase = ''
install -D eapol_test $out/bin/eapol_test
'';
NIX_CFLAGS_COMPILE = [ "-Wno-error" ];
});
}
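Review bot: `eapol_test` overrides `name` to `eapol_test-${old.version}` instead of setting `pname`, so the derivation keeps wpa_supplicant's `pname` and anything that reads pname/version sees the wrong package; `rec` is also unused. `pname = "eapol_test";` alone, with `version` inherited, gives the same store name. `NIX_CFLAGS_COMPILE = [ "-Wno-error" ]` silences every warning-as-error the upstream build enables; a comment naming the warning that fails (`# -Werror trips on <WARNING> with this gcc; drop when fixed upstream`) would tell the next person when it can go. The first hunk's `yate` override is cut off at `configureFlags =`, so it is not reviewed here.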


@@ -4,4 +4,8 @@ self: super: {
ywsd = self.callPackage ./ywsd { };
mitel-ommclient2 = self.callPackage ./mitel-ommclient2 { };
fieldpoc = self.callPackage ./fieldpoc { };
django-admin-autocomplete-filter = self.callPackage ./django-admin-autocomplete-filter { };
django-bootstrap5 = self.callPackage ./django-bootstrap5 { };
django-verify-email = self.callPackage ./django-verify-email { };
nerd = self.callPackage ./nerd { };
}


@@ -0,0 +1,23 @@
{ lib
, buildPythonPackage
, fetchPypi
, django
}:
buildPythonPackage rec {
pname = "django-admin-autocomplete-filter";
version = "0.7.1";
src = fetchPypi {
inherit pname version;
sha256 = "5a8c9a7016e03104627b80b40811dcc567f26759971e4407f933951546367ba0";
};
buildInputs = [
django
];
pythonImportsCheck = [ "admin_auto_filters" ];
doCheck = false;
}
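Review bot: `django` is listed in `buildInputs`, so it is available at build time only and is not propagated to consumers of this package; `pythonImportsCheck` passes because it runs in the build environment, but a downstream that imports `admin_auto_filters` without its own Django gets an import error. Runtime Python dependencies belong in `propagatedBuildInputs`; the same pattern is in django-bootstrap5 and django-verify-email below. If the intent was to avoid propagating the default `django` next to the `django_4` that `nerd` uses, take `django_4` here explicitly instead, so the closure holds one Django. `lib` is accepted but unused in all three; either drop it or add the usual `meta` block.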


@@ -0,0 +1,28 @@
{ lib
, buildPythonPackage
, fetchPypi
, django
, beautifulsoup4
}:
buildPythonPackage rec {
pname = "django-bootstrap5";
version = "21.3";
src = fetchPypi {
inherit pname version;
sha256 = "35086341881780a44b2e27255894f6029fc5ef75e5a0ec8ebd82f47a5184fa73";
};
buildInputs = [
django
];
propagatedBuildInputs = [
beautifulsoup4
];
pythonImportsCheck = [ "django_bootstrap5" ];
doCheck = false;
}


@@ -0,0 +1,21 @@
{ lib
, buildPythonPackage
, fetchPypi
, django
}:
buildPythonPackage rec {
pname = "Django-Verify-Email";
version = "1.0.9";
src = fetchPypi {
inherit pname version;
sha256 = "05d296a6a7ef03db07327b076093373e086d9e76e7fa9970a033e4e01168197f";
};
buildInputs = [
django
];
doCheck = false;
}


@@ -7,7 +7,7 @@ buildPythonApplication rec {
src = fetchGit {
url = "https://git.n0emis.eu/n0emis/fieldpoc.git";
ref = "main";
rev = "d6d664b4690189a7ed54be65ceef8cb3d79a6bfb";
rev = "2f1347f3415249cb116501af1f5e3282afca24be";
};
format = "pyproject";


@@ -0,0 +1,50 @@
{ lib
, buildPythonApplication
, makePythonPath
, fetchFromGitHub
, python3
, hatchling
, django_4
, django-bootstrap5
, django-admin-autocomplete-filter
, django-verify-email
}:
buildPythonApplication rec {
pname = "nerd";
version = "0.0.1";
src = fetchFromGitHub {
owner = "dect-e";
repo = pname;
#rev = "v${version}";
rev = "83a0c73c5232f9bfa63c2898a958d67a2a17caeb";
sha256 = "sha256-7ItooKr2pUMqkpGLJ2NP5vlAs/xRH/Q1n5kTgbTDgWs=";
};
sourceRoot = "source/src";
format = "pyproject";
buildInputs = [ python3 hatchling ];
propagatedBuildInputs = [
django_4
django-bootstrap5
django-admin-autocomplete-filter
django-verify-email
];
postInstall = ''
python ./manage.py collectstatic
mkdir -p $out/var/lib/nerd
cp -r static $out/var/lib/nerd/
'';
passthru = {
# PYTHONPATH of all dependencies used by the package
pythonPath = python3.pkgs.makePythonPath propagatedBuildInputs;
};
doCheck = false;
}
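Review bot: `hatchling` is the PEP 517 build backend and `python3` the interpreter, both build-time tools, yet they sit in `buildInputs`; move them to `nativeBuildInputs` so the setup hooks and cross builds behave. `postInstall` runs `python ./manage.py collectstatic` without `--noinput`, which hangs the build if Django decides to prompt, and `makePythonPath` is taken as a function argument but never used (the passthru reaches for `python3.pkgs.makePythonPath`). The commented `#rev = "v${version}"` beside a pinned commit and `version = "0.0.1"` should say why the tag is not used.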

3
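--- a/switchconfig/deploy.sh
+++ b/switchconfig/deploy.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+scp $1 root@$1.bula22.de:config; ssh root@$1.bula22.de 'cli -c "configure; load override /var/root/config; show|compare" && echo "Is this okay? Ctrl+D to accept, Ctrl+C to abort." && cat && cli -c "configure; commit"'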
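Review bot: `$1` is unquoted and unvalidated in both the scp target and the ssh command, and the two are joined with `;`, so a mistyped switch name still opens an interactive root session on whatever `<typo>.bula22.de` resolves to, and a failed upload is followed by `load override` of whatever stale /var/root/config is on the box. Fail fast and quote; the fence is the whole script.
```bash
#!/usr/bin/env bash
set -euo pipefail
sw="${1:?usage: deploy.sh <switch-name>}"
host="root@${sw}.bula22.de"
scp "$sw" "${host}:config"
ssh "$host" 'cli -c "configure; load override /var/root/config; show|compare" && echo "Is this okay? Ctrl+D to accept, Ctrl+C to abort." && cat && cli -c "configure; commit"'
```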

36
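--- a/switchconfig/sw-bll
+++ b/switchconfig/sw-bll
@@ -0,0 +1,36 @@
+; J9298A Configuration Editor; Created on release #J.15.09.0028
+; Ver #06:04.08.00.01.14.05:1a
+hostname "sw-bll"
+time timezone 60
+ip default-gateway 10.42.42.1
+ip dns domain-name "bula22.de"
+ip dns server-address priority 1 10.42.10.8
+ip ssh filetransfer
+interface 10
+name "UPLINK sw-verwaltung"
+exit
+snmp-server community "tellme" operator
+vlan 1
+name "DEFAULT_VLAN"
+no untagged 1-9
+untagged 10
+no ip address
+exit
+vlan 42
+name "VL_MGMT"
+tagged 10
+ip address 10.42.42.27 255.255.255.0
+exit
+vlan 206
+name "VL_VERWALTUNG"
+untagged 1-9
+tagged 10
+no ip address
+exit
+management-vlan 42
+no tftp client
+no tftp server
+loop-protect 1-10
+no dhcp config-file-update
+password manager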
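Review bot: The management plane is left at factory defaults apart from `ip ssh filetransfer`: nothing disables `telnet-server` or `web-management` and there is no `ip authorized-managers` entry, so (assuming ProCurve defaults on this J9298A) the manager password can be sent in the clear over telnet from any host on VL_MGMT. Adding `no telnet-server`, `no web-management` and `ip authorized-managers 10.42.42.0 255.255.255.0` (or narrower) would match the intent of the SSH line. `snmp-server community "tellme" operator` is the same read-only community committed for every switch in this compare; that is a property of the repository rather than this file, but how it is rotated after the event is worth documenting.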

193
switchconfig/sw-buehne Normal file

@@ -0,0 +1,193 @@
## Last changed: 2016-01-24 12:14:48 UTC
version 12.3R12.4;
groups {
backbone_vlans {
interfaces {
<*> {
unit 0 {
family ethernet-switching {
vlan {
members [ VL_SIP VL_DECT VL_HOSPITAL VL_IKT VL_IKT_TOYS VL_INFOJURTE VL_INTERNATIONAL VL_IOT VL_LEITSTELLE VL_MGMT VL_OFFICE VL_PROGRAMM VL_TECHNIK VL_VERWALTUNG VL_WLAN VL_YOLO VL_ZENTRAL VL_MAV VL_AUDIO ];
}
}
}
}
}
}
}
system {
host-name sw-buehne;
auto-snapshot;
domain-name bula22.de;
domain-search bula22.de;
root-authentication {
encrypted-password "$1$DAjLGZX7$sHIjgeZhXhq/IcgRKOWy20";
ssh-rsa "ssh-rsa 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 n0emis@noemis.me (OLD)";
}
name-server {
10.42.10.8;
}
login {
user fw {
uid 2000;
class super-user;
authentication {
ssh-rsa "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDMTsFE90WT+fvRnIuIBbjLJA2Hyne6duD306+Yg3z9yVTSCQxpFcolEwRQi5X4hsb3WdlW+YtvShXcFVNi7gtgSyIsgT1+YqpR+qIC+/r2h6NeA92dztigpbznOm9oL8vOP45S9fHedJ57E/UosYW2/du4W+6U+xH1ItyQx6AiJAj/RPpLWJz9FhP99Qwp6YiPAkxujgXtOMwX0xFmiQPv9QzBaD9jOKK0vE26IFX5RYAqontVgWGn6EdceR70vTQBcAsFYMS0sc9311H2wBfOptznyIZNInAsppaGNDMdOx9SdMVDZ6GDlOCsLvHq6+ra1jGdlwtgduVQeEpHmmjD";
}
}
}
services {
ssh;
}
}
chassis {
alarm {
management-ethernet {
link-down ignore;
}
}
}
interfaces {
ge-0/0/0 {
unit 0 {
family ethernet-switching {
port-mode trunk;
vlan {
members VL_AUDIO;
}
native-vlan-id VL_WLAN;
}
}
}
ge-0/0/1 {
unit 0 {
family ethernet-switching {
vlan {
members VL_AUDIO;
}
}
}
}
ge-0/0/23 {
description DECT-Buehne;
unit 0 {
family ethernet-switching {
vlan {
members VL_DECT;
}
}
}
}
ge-0/1/3 {
apply-groups backbone_vlans;
description "UPLINK sw-hospital";
unit 0 {
family ethernet-switching {
port-mode trunk;
}
}
}
vlan {
unit 42 {
family inet {
address 10.42.42.25/24;
}
}
}
}
snmp {
stats-cache-lifetime 15;
community tellme {
authorization read-only;
}
}
routing-options {
static {
route 0.0.0.0/0 next-hop 10.42.42.1;
}
}
protocols {
igmp-snooping {
vlan all;
}
lldp {
port-id-subtype locally-assigned;
interface all;
}
lldp-med {
interface all;
}
}
ethernet-switching-options {
storm-control {
interface all;
}
}
vlans {
VL_AUDIO {
description "Buehne Ton";
vlan-id 215;
}
VL_DECT {
vlan-id 132;
}
VL_HOSPITAL {
vlan-id 203;
}
VL_IKT {
vlan-id 201;
}
VL_IKT_TOYS {
vlan-id 152;
}
VL_INFOJURTE {
vlan-id 209;
}
VL_INTERNATIONAL {
vlan-id 210;
}
VL_IOT {
vlan-id 151;
}
VL_LEITSTELLE {
vlan-id 205;
}
VL_MAV {
vlan-id 214;
}
VL_MGMT {
vlan-id 42;
l3-interface vlan.42;
}
VL_OFFICE {
vlan-id 212;
}
VL_PROGRAMM {
vlan-id 211;
}
VL_SIP {
vlan-id 133;
}
VL_TECHNIK {
vlan-id 202;
}
VL_VERWALTUNG {
vlan-id 206;
}
VL_WLAN {
vlan-id 131;
}
VL_YOLO {
vlan-id 208;
}
VL_ZENTRAL {
vlan-id 207;
}
VL_ZOLL {
vlan-id 204;
}
}
poe {
interface ge-0/0/0;
interface ge-0/0/23;
}

36
switchconfig/sw-finanzen Normal file

@@ -0,0 +1,36 @@
; J9298A Configuration Editor; Created on release #J.15.09.0028
; Ver #06:04.08.00.01.14.05:1a
hostname "sw-bll"
time timezone 60
ip default-gateway 10.42.42.1
ip dns domain-name "bula22.de"
ip dns server-address priority 1 10.42.10.8
ip ssh filetransfer
interface 10
name "UPLINK sw-verwaltung"
exit
snmp-server community "tellme" operator
vlan 1
name "DEFAULT_VLAN"
no untagged 1-9
untagged 10
no ip address
exit
vlan 42
name "VL_MGMT"
tagged 10
ip address 10.42.42.27 255.255.255.0
exit
vlan 206
name "VL_VERWALTUNG"
untagged 1-9
tagged 10
no ip address
exit
management-vlan 42
no tftp client
no tftp server
loop-protect 1-10
no dhcp config-file-update
password manager
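Review bot: The file is `switchconfig/sw-finanzen` but its first statement is `hostname "sw-bll"`, which reads like a copy of the sw-bll configuration that was not fully adapted; if this really is the Finanzen switch it should say `hostname "sw-finanzen"`, and the `ip address 10.42.42.27 255.255.255.0` on VLAN 42 should be checked against the BLL switch so the two do not end up with the same management address. Nothing in this config disables Telnet or the HTTP management UI, which, as far as I know, this ProCurve firmware generation ships enabled, so I would add `no telnet-server` and `no web-management` next to `ip ssh filetransfer` since SSH is clearly the intended path. `snmp-server community "tellme" operator` is the same cleartext v2c community used on the Juniper switches in this change; it is read-only, so the exposure is recon (interface names, MAC tables), but it is now in git history and should at least be limited to the monitoring host.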

440
switchconfig/sw-fuf Normal file

@@ -0,0 +1,440 @@
## Last changed: 2016-01-20 15:48:15 UTC
version 12.3R12.4;
groups {
backbone_vlans {
interfaces {
<*> {
unit 0 {
family ethernet-switching {
vlan {
members [ VL_SIP VL_DECT VL_HOSPITAL VL_IKT VL_IKT_TOYS VL_INFOJURTE VL_INTERNATIONAL VL_IOT VL_LEITSTELLE VL_MGMT VL_OFFICE VL_PROGRAMM VL_TECHNIK VL_VERWALTUNG VL_WLAN VL_YOLO VL_ZENTRAL VL_FUF VL_MAV ];
}
}
}
}
}
}
}
system {
host-name sw-fuf;
auto-snapshot;
domain-name bula22.de;
domain-search bula22.de;
root-authentication {
encrypted-password "$1$DAjLGZX7$sHIjgeZhXhq/IcgRKOWy20";
ssh-rsa "ssh-rsa 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 n0emis@noemis.me (OLD)";
}
name-server {
10.42.10.8;
}
login {
user fw {
uid 2000;
class super-user;
authentication {
ssh-rsa "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDMTsFE90WT+fvRnIuIBbjLJA2Hyne6duD306+Yg3z9yVTSCQxpFcolEwRQi5X4hsb3WdlW+YtvShXcFVNi7gtgSyIsgT1+YqpR+qIC+/r2h6NeA92dztigpbznOm9oL8vOP45S9fHedJ57E/UosYW2/du4W+6U+xH1ItyQx6AiJAj/RPpLWJz9FhP99Qwp6YiPAkxujgXtOMwX0xFmiQPv9QzBaD9jOKK0vE26IFX5RYAqontVgWGn6EdceR70vTQBcAsFYMS0sc9311H2wBfOptznyIZNInAsppaGNDMdOx9SdMVDZ6GDlOCsLvHq6+ra1jGdlwtgduVQeEpHmmjD";
}
}
}
services {
ssh;
}
}
chassis {
alarm {
management-ethernet {
link-down ignore;
}
}
}
interfaces {
ge-0/0/0 {
apply-groups backbone_vlans;
description "UPLINK sw-hospital";
unit 0 {
family ethernet-switching {
port-mode trunk;
}
}
}
ge-0/0/1 {
description AP;
unit 0 {
family ethernet-switching {
vlan {
members VL_WLAN;
}
}
}
}
ge-0/0/2 {
unit 0 {
family ethernet-switching {
vlan {
members VL_FUF;
}
}
}
}
ge-0/0/3 {
unit 0 {
family ethernet-switching {
vlan {
members VL_FUF;
}
}
}
}
ge-0/0/4 {
unit 0 {
family ethernet-switching {
vlan {
members VL_FUF;
}
}
}
}
ge-0/0/5 {
unit 0 {
family ethernet-switching {
vlan {
members VL_FUF;
}
}
}
}
ge-0/0/6 {
unit 0 {
family ethernet-switching {
vlan {
members VL_FUF;
}
}
}
}
ge-0/0/7 {
unit 0 {
family ethernet-switching {
vlan {
members VL_FUF;
}
}
}
}
ge-0/0/8 {
unit 0 {
family ethernet-switching {
vlan {
members VL_FUF;
}
}
}
}
ge-0/0/9 {
unit 0 {
family ethernet-switching {
vlan {
members VL_FUF;
}
}
}
}
ge-0/0/10 {
unit 0 {
family ethernet-switching {
vlan {
members VL_FUF;
}
}
}
}
ge-0/0/11 {
unit 0 {
family ethernet-switching {
vlan {
members VL_FUF;
}
}
}
}
ge-0/0/12 {
unit 0 {
family ethernet-switching {
vlan {
members VL_FUF;
}
}
}
}
ge-0/0/13 {
unit 0 {
family ethernet-switching {
vlan {
members VL_FUF;
}
}
}
}
ge-0/0/14 {
unit 0 {
family ethernet-switching {
vlan {
members VL_FUF;
}
}
}
}
ge-0/0/15 {
unit 0 {
family ethernet-switching {
vlan {
members VL_FUF;
}
}
}
}
ge-0/0/16 {
unit 0 {
family ethernet-switching {
vlan {
members VL_FUF;
}
}
}
}
ge-0/0/17 {
unit 0 {
family ethernet-switching {
vlan {
members VL_FUF;
}
}
}
}
ge-0/0/18 {
unit 0 {
family ethernet-switching {
vlan {
members VL_FUF;
}
}
}
}
ge-0/0/19 {
unit 0 {
family ethernet-switching {
vlan {
members VL_FUF;
}
}
}
}
ge-0/0/20 {
unit 0 {
family ethernet-switching {
vlan {
members VL_FUF;
}
}
}
}
ge-0/0/21 {
unit 0 {
family ethernet-switching {
vlan {
members VL_FUF;
}
}
}
}
ge-0/0/22 {
unit 0 {
family ethernet-switching {
vlan {
members VL_FUF;
}
}
}
}
ge-0/0/23 {
unit 0 {
family ethernet-switching {
vlan {
members VL_FUF;
}
}
}
}
vlan {
unit 42 {
family inet {
address 10.42.42.23/24;
}
}
}
}
snmp {
stats-cache-lifetime 15;
community tellme {
authorization read-only;
}
}
routing-options {
static {
route 0.0.0.0/0 next-hop 10.42.42.1;
}
}
protocols {
igmp-snooping {
vlan all;
}
lldp {
port-id-subtype locally-assigned;
interface all;
}
lldp-med {
interface all;
}
}
ethernet-switching-options {
secure-access-port {
interface ge-0/0/1.0 {
no-dhcp-trusted;
}
interface ge-0/0/2.0 {
no-dhcp-trusted;
}
interface ge-0/0/3.0 {
no-dhcp-trusted;
}
interface ge-0/0/4.0 {
no-dhcp-trusted;
}
interface ge-0/0/5.0 {
no-dhcp-trusted;
}
interface ge-0/0/6.0 {
no-dhcp-trusted;
}
interface ge-0/0/7.0 {
no-dhcp-trusted;
}
interface ge-0/0/8.0 {
no-dhcp-trusted;
}
interface ge-0/0/9.0 {
no-dhcp-trusted;
}
interface ge-0/0/10.0 {
no-dhcp-trusted;
}
interface ge-0/0/11.0 {
no-dhcp-trusted;
}
interface ge-0/0/12.0 {
no-dhcp-trusted;
}
interface ge-0/0/13.0 {
no-dhcp-trusted;
}
interface ge-0/0/14.0 {
no-dhcp-trusted;
}
interface ge-0/0/15.0 {
no-dhcp-trusted;
}
interface ge-0/0/16.0 {
no-dhcp-trusted;
}
interface ge-0/0/17.0 {
no-dhcp-trusted;
}
interface ge-0/0/18.0 {
no-dhcp-trusted;
}
interface ge-0/0/19.0 {
no-dhcp-trusted;
}
interface ge-0/0/20.0 {
no-dhcp-trusted;
}
interface ge-0/0/21.0 {
no-dhcp-trusted;
}
interface ge-0/0/22.0 {
no-dhcp-trusted;
}
interface ge-0/0/23.0 {
no-dhcp-trusted;
}
}
storm-control {
interface all;
}
}
vlans {
VL_DECT {
vlan-id 132;
}
VL_FUF {
vlan-id 213;
}
VL_HOSPITAL {
vlan-id 203;
}
VL_IKT {
vlan-id 201;
}
VL_IKT_TOYS {
vlan-id 152;
}
VL_INFOJURTE {
vlan-id 209;
}
VL_INTERNATIONAL {
vlan-id 210;
}
VL_IOT {
vlan-id 151;
}
VL_LEITSTELLE {
vlan-id 205;
}
VL_MAV {
vlan-id 214;
}
VL_MGMT {
vlan-id 42;
l3-interface vlan.42;
}
VL_OFFICE {
vlan-id 212;
}
VL_PROGRAMM {
vlan-id 211;
}
VL_SIP {
vlan-id 133;
}
VL_TECHNIK {
vlan-id 202;
}
VL_VERWALTUNG {
vlan-id 206;
}
VL_WLAN {
vlan-id 131;
}
VL_YOLO {
vlan-id 208;
}
VL_ZENTRAL {
vlan-id 207;
}
VL_ZOLL {
vlan-id 204;
}
}
poe {
interface ge-0/0/1;
}
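Review bot: The `no-dhcp-trusted` statements for ge-0/0/1.0 through ge-0/0/23.0 under `ethernet-switching-options secure-access-port` do not by themselves enable DHCP snooping on this 12.3 EX: access ports are untrusted by default, and the snooping database is only built once `examine-dhcp` (or DAI / IP source guard) is turned on for the VLAN, so as written the whole stanza appears to be a no-op. To get the rogue-DHCP protection it is evidently meant to provide, add `vlan VL_FUF { examine-dhcp; }` (and `arp-inspection;` if DAI is wanted) inside `secure-access-port`; the uplink ge-0/0/0 stays trusted, which trunk ports are by default. Separately, `root-authentication` carries the same `$1$` MD5-crypt hash as every other Junos switch in this change plus an SSH key whose comment reads `(OLD)`; a shared, weak-hash root password committed to a repository should be rotated per device and the retired key removed.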

468
switchconfig/sw-hospital Normal file

@@ -0,0 +1,468 @@
## Last changed: 2022-07-26 20:11:37 UTC
version 12.3R12.4;
groups {
backbone_vlans {
interfaces {
<*> {
unit 0 {
family ethernet-switching {
vlan {
members [ VL_SIP VL_DECT VL_HOSPITAL VL_IKT VL_IKT_TOYS VL_INFOJURTE VL_INTERNATIONAL VL_IOT VL_LEITSTELLE VL_MGMT VL_OFFICE VL_PROGRAMM VL_TECHNIK VL_VERWALTUNG VL_WLAN VL_YOLO VL_ZENTRAL VL_FUF VL_MAV ];
}
}
}
}
}
}
}
system {
host-name sw-hospital;
auto-snapshot;
domain-name bula22.de;
domain-search bula22.de;
root-authentication {
encrypted-password "$1$DAjLGZX7$sHIjgeZhXhq/IcgRKOWy20";
ssh-rsa "ssh-rsa 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 n0emis@noemis.me (OLD)";
}
name-server {
10.42.10.8;
}
login {
user fw {
uid 2000;
class super-user;
authentication {
ssh-rsa "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDMTsFE90WT+fvRnIuIBbjLJA2Hyne6duD306+Yg3z9yVTSCQxpFcolEwRQi5X4hsb3WdlW+YtvShXcFVNi7gtgSyIsgT1+YqpR+qIC+/r2h6NeA92dztigpbznOm9oL8vOP45S9fHedJ57E/UosYW2/du4W+6U+xH1ItyQx6AiJAj/RPpLWJz9FhP99Qwp6YiPAkxujgXtOMwX0xFmiQPv9QzBaD9jOKK0vE26IFX5RYAqontVgWGn6EdceR70vTQBcAsFYMS0sc9311H2wBfOptznyIZNInAsppaGNDMdOx9SdMVDZ6GDlOCsLvHq6+ra1jGdlwtgduVQeEpHmmjD";
}
}
}
services {
ssh;
}
}
chassis {
alarm {
management-ethernet {
link-down ignore;
}
}
}
interfaces {
ge-0/0/0 {
description "UPLINK sw-fuf";
unit 0 {
apply-groups backbone_vlans;
family ethernet-switching {
port-mode trunk;
}
}
}
ge-0/0/1 {
unit 0 {
family ethernet-switching {
vlan {
members VL_HOSPITAL;
}
}
}
}
ge-0/0/2 {
unit 0 {
family ethernet-switching {
vlan {
members VL_HOSPITAL;
}
}
}
}
ge-0/0/3 {
unit 0 {
family ethernet-switching {
vlan {
members VL_HOSPITAL;
}
}
}
}
ge-0/0/4 {
unit 0 {
family ethernet-switching {
vlan {
members VL_HOSPITAL;
}
}
}
}
ge-0/0/5 {
unit 0 {
family ethernet-switching {
vlan {
members VL_HOSPITAL;
}
}
}
}
ge-0/0/6 {
unit 0 {
family ethernet-switching {
vlan {
members VL_HOSPITAL;
}
}
}
}
ge-0/0/7 {
unit 0 {
family ethernet-switching {
vlan {
members VL_HOSPITAL;
}
}
}
}
ge-0/0/8 {
unit 0 {
family ethernet-switching {
vlan {
members VL_HOSPITAL;
}
}
}
}
ge-0/0/9 {
unit 0 {
family ethernet-switching {
vlan {
members VL_HOSPITAL;
}
}
}
}
ge-0/0/10 {
unit 0 {
family ethernet-switching {
vlan {
members VL_HOSPITAL;
}
}
}
}
ge-0/0/11 {
unit 0 {
family ethernet-switching {
vlan {
members VL_HOSPITAL;
}
}
}
}
ge-0/0/12 {
unit 0 {
family ethernet-switching {
vlan {
members VL_HOSPITAL;
}
}
}
}
ge-0/0/13 {
unit 0 {
family ethernet-switching {
vlan {
members VL_HOSPITAL;
}
}
}
}
ge-0/0/14 {
unit 0 {
family ethernet-switching {
vlan {
members VL_HOSPITAL;
}
}
}
}
ge-0/0/15 {
unit 0 {
family ethernet-switching {
vlan {
members VL_HOSPITAL;
}
}
}
}
ge-0/0/16 {
unit 0 {
family ethernet-switching {
vlan {
members VL_HOSPITAL;
}
}
}
}
ge-0/0/17 {
unit 0 {
family ethernet-switching {
vlan {
members VL_HOSPITAL;
}
}
}
}
ge-0/0/18 {
unit 0 {
family ethernet-switching {
vlan {
members VL_HOSPITAL;
}
}
}
}
ge-0/0/19 {
unit 0 {
family ethernet-switching {
vlan {
members VL_HOSPITAL;
}
}
}
}
ge-0/0/20 {
unit 0 {
family ethernet-switching {
vlan {
members VL_HOSPITAL;
}
}
}
}
ge-0/0/21 {
unit 0 {
family ethernet-switching {
vlan {
members VL_HOSPITAL;
}
}
}
}
ge-0/0/22 {
description AP;
unit 0 {
family ethernet-switching {
vlan {
members VL_WLAN;
}
}
}
}
ge-0/0/23 {
description DECT;
unit 0 {
family ethernet-switching {
vlan {
members VL_DECT;
}
}
}
}
ge-0/1/1 {
apply-groups backbone_vlans;
description "UPLINK sw-waschhaus";
unit 0 {
family ethernet-switching {
port-mode trunk;
}
}
}
ge-0/1/2 {
apply-groups backbone_vlans;
description "UPLINK sw-buehne";
unit 0 {
family ethernet-switching {
port-mode trunk;
}
}
}
ge-0/1/3 {
apply-groups backbone_vlans;
description "UPLINK sw-zentral-1";
unit 0 {
family ethernet-switching {
port-mode trunk;
}
}
}
vlan {
unit 42 {
family inet {
address 10.42.42.22/24;
}
}
}
}
snmp {
stats-cache-lifetime 15;
community tellme {
authorization read-only;
}
}
routing-options {
static {
route 0.0.0.0/0 next-hop 10.42.42.1;
}
}
protocols {
igmp-snooping {
vlan all;
}
lldp {
port-id-subtype locally-assigned;
interface all;
}
lldp-med {
interface all;
}
}
ethernet-switching-options {
secure-access-port {
interface ge-0/0/1.0 {
no-dhcp-trusted;
}
interface ge-0/0/2.0 {
no-dhcp-trusted;
}
interface ge-0/0/3.0 {
no-dhcp-trusted;
}
interface ge-0/0/4.0 {
no-dhcp-trusted;
}
interface ge-0/0/5.0 {
no-dhcp-trusted;
}
interface ge-0/0/6.0 {
no-dhcp-trusted;
}
interface ge-0/0/7.0 {
no-dhcp-trusted;
}
interface ge-0/0/8.0 {
no-dhcp-trusted;
}
interface ge-0/0/9.0 {
no-dhcp-trusted;
}
interface ge-0/0/10.0 {
no-dhcp-trusted;
}
interface ge-0/0/11.0 {
no-dhcp-trusted;
}
interface ge-0/0/12.0 {
no-dhcp-trusted;
}
interface ge-0/0/13.0 {
no-dhcp-trusted;
}
interface ge-0/0/14.0 {
no-dhcp-trusted;
}
interface ge-0/0/15.0 {
no-dhcp-trusted;
}
interface ge-0/0/16.0 {
no-dhcp-trusted;
}
interface ge-0/0/17.0 {
no-dhcp-trusted;
}
interface ge-0/0/18.0 {
no-dhcp-trusted;
}
interface ge-0/0/19.0 {
no-dhcp-trusted;
}
interface ge-0/0/20.0 {
no-dhcp-trusted;
}
interface ge-0/0/21.0 {
no-dhcp-trusted;
}
interface ge-0/0/22.0 {
no-dhcp-trusted;
}
interface ge-0/0/23.0 {
no-dhcp-trusted;
}
}
storm-control {
interface all;
}
}
vlans {
VL_DECT {
vlan-id 132;
}
VL_FUF {
vlan-id 213;
}
VL_HOSPITAL {
vlan-id 203;
}
VL_IKT {
vlan-id 201;
}
VL_IKT_TOYS {
vlan-id 152;
}
VL_INFOJURTE {
vlan-id 209;
}
VL_INTERNATIONAL {
vlan-id 210;
}
VL_IOT {
vlan-id 151;
}
VL_LEITSTELLE {
vlan-id 205;
}
VL_MAV {
vlan-id 214;
}
VL_MGMT {
vlan-id 42;
l3-interface vlan.42;
}
VL_OFFICE {
vlan-id 212;
}
VL_PROGRAMM {
vlan-id 211;
}
VL_SIP {
vlan-id 133;
}
VL_TECHNIK {
vlan-id 202;
}
VL_VERWALTUNG {
vlan-id 206;
}
VL_WLAN {
vlan-id 131;
}
VL_YOLO {
vlan-id 208;
}
VL_ZENTRAL {
vlan-id 207;
}
VL_ZOLL {
vlan-id 204;
}
}
poe {
interface all;
}
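Review bot: On ge-0/0/0 (the uplink to sw-fuf) `apply-groups backbone_vlans` sits under `unit 0`, while on ge-0/1/1, ge-0/1/2 and ge-0/1/3 in this same file it is applied at the interface level; the group is defined at `interfaces <*> unit 0`, so both placements should inherit, but the asymmetry is easy to misread and I would move it to the interface level and confirm with `show interfaces ge-0/0/0 | display inheritance`. The more important point is that this is a backbone node with four trunks all carrying VL_MGMT, and `vlan.42` (10.42.42.22) has no firewall filter, so SSH and SNMP on it are reachable from whatever the router allows into 10.42.42.0/24. I would attach a `family inet` filter to `vlan.42` that accepts ssh and snmp only from the management and monitoring prefixes and discards everything else, which is the usual RE-protection pattern on EX.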

126
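--- /dev/null
+++ b/switchconfig/sw-infojurte
@@ -0,0 +1,126 @@
+version 15.1R7-S1;
+system {
+host-name sw-infojurte;
+auto-snapshot;
+root-authentication {
+encrypted-password "$1$DAjLGZX7$sHIjgeZhXhq/IcgRKOWy20"; ## SECRET-DATA
+ssh-rsa "ssh-rsa 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 n0emis@noemis.me (OLD)"; ## SECRET-DATA
+ssh-ed25519 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEcOPtW5FWNIdlMQFoqeyA1vHw+cA8ft8oXSbXPzQNL9 n0emis@n0emis.eu"; ## SECRET-DATA
+}
+services {
+ssh;
+}
+}
+interfaces {
+ge-0/0/0 {
+unit 0 {
+family ethernet-switching {
+vlan {
+members VL_MGMT;
+}
+}
+}
+}
+ge-0/1/3 {
+unit 0 {
+family ethernet-switching {
+port-mode trunk;
+vlan {
+members [ VL_MGMT VL_WLAN VL_INFOJURTE ];
+}
+}
+}
+}
+vlan {
+unit 42 {
+family inet {
+address 10.42.42.19/24;
+}
+}
+}
+}
+snmp {
+stats-cache-lifetime 15;
+community tellme {
+authorization read-only;
+}
+}
+routing-options {
+static {
+route 0.0.0.0/0 next-hop 10.42.42.1;
+}
+}
+protocols {
+igmp-snooping {
+vlan all;
+}
+lldp {
+port-id-subtype locally-assigned;
+interface all;
+}
+lldp-med {
+interface all;
+}
+}
+ethernet-switching-options {
+storm-control {
+interface all;
+}
+}
+vlans {
+VL_MGMT {
+vlan-id 42;
+l3-interface vlan.42
+}
+VL_WLAN {
+vlan-id 131;
+}
+VL_DECT {
+vlan-id 132;
+}
+VL_SIP {
+vlan-id 133;
+}
+VL_IOT {
+vlan-id 151;
+}
+VL_IKT_TOYS {
+vlan-id 152;
+}
+VL_IKT {
+vlan-id 201;
+}
+VL_TECHNIK {
+vlan-id 202;
+}
+VL_HOSPITAL {
+vlan-id 203;
+}
+VL_ZOLL {
+vlan-id 204;
+}
+VL_LEITSTELLE {
+vlan-id 205;
+}
+VL_VERWALTUNG {
+vlan-id 206;
+}
+VL_ZENTRAL {
+vlan-id 207;
+}
+VL_YOLO {
+vlan-id 208;
+}
+VL_INFOJURTE {
+vlan-id 209;
+}
+VL_INTERNATIONAL {
+vlan-id 210;
+}
+VL_PROGRAMM {
+vlan-id 211;
+}
+VL_OFFICE {
+vlan-id 212;
+}
+}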
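Review bot: `l3-interface vlan.42` under `VL_MGMT` is missing its terminating `;`, so this file will not load with `load override` or `load merge` as committed; it should read `l3-interface vlan.42;` like the other switches in this change. Also note that ge-0/0/0 is an untagged access port in VL_MGMT with no `description`: whatever gets plugged in there lands on the management VLAN where SSH and SNMP of every switch are exposed, so either document the intended device or move the port to a user VLAN. Unlike the larger EX configs in this change this one has no `secure-access-port` stanza at all, which is acceptable only if no untrusted devices hang off it; the trunk on ge-0/1/3 pruned to `[ VL_MGMT VL_WLAN VL_INFOJURTE ]` is good least-privilege and deserves a `description` naming the far end.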


@@ -0,0 +1,127 @@
version 15.1R7-S1;
system {
host-name sw-international;
auto-snapshot;
root-authentication {
encrypted-password "$1$DAjLGZX7$sHIjgeZhXhq/IcgRKOWy20"; ## SECRET-DATA
ssh-rsa "ssh-rsa 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 n0emis@noemis.me (OLD)"; ## SECRET-DATA
ssh-ed25519 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEcOPtW5FWNIdlMQFoqeyA1vHw+cA8ft8oXSbXPzQNL9 n0emis@n0emis.eu"; ## SECRET-DATA
}
services {
ssh;
}
}
interfaces {
ge-0/0/0 {
unit 0 {
family ethernet-switching {
vlan {
members VL_MGMT;
}
}
}
}
ge-0/1/3 {
description "uplink: sw-programmtresen";
unit 0 {
family ethernet-switching {
port-mode trunk;
vlan {
members [ VL_MGMT VL_WLAN VL_SIP VL_INTERNATIONAL ];
}
}
}
}
vlan {
unit 42 {
family inet {
address 10.42.42.17/24;
}
}
}
}
snmp {
stats-cache-lifetime 15;
community tellme {
authorization read-only;
}
}
routing-options {
static {
route 0.0.0.0/0 next-hop 10.42.42.1;
}
}
protocols {
igmp-snooping {
vlan all;
}
lldp {
port-id-subtype locally-assigned;
interface all;
}
lldp-med {
interface all;
}
}
ethernet-switching-options {
storm-control {
interface all;
}
}
vlans {
VL_MGMT {
vlan-id 42;
l3-interface vlan.42
}
VL_WLAN {
vlan-id 131;
}
VL_DECT {
vlan-id 132;
}
VL_SIP {
vlan-id 133;
}
VL_IOT {
vlan-id 151;
}
VL_IKT_TOYS {
vlan-id 152;
}
VL_IKT {
vlan-id 201;
}
VL_TECHNIK {
vlan-id 202;
}
VL_HOSPITAL {
vlan-id 203;
}
VL_ZOLL {
vlan-id 204;
}
VL_LEITSTELLE {
vlan-id 205;
}
VL_VERWALTUNG {
vlan-id 206;
}
VL_ZENTRAL {
vlan-id 207;
}
VL_YOLO {
vlan-id 208;
}
VL_INFOJURTE {
vlan-id 209;
}
VL_INTERNATIONAL {
vlan-id 210;
}
VL_PROGRAMM {
vlan-id 211;
}
VL_OFFICE {
vlan-id 212;
}
}
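Review bot: `l3-interface vlan.42` under `VL_MGMT` lacks the closing `;` (the same slip as in sw-infojurte), so the file as committed is not a loadable Junos configuration; change it to `l3-interface vlan.42;`. The trunk on ge-0/1/3 is pruned to `[ VL_MGMT VL_WLAN VL_SIP VL_INTERNATIONAL ]`, which is the right least-privilege choice for a leaf switch; the far end on sw-programmtresen appears to apply the full `backbone_vlans` group to that link, so the extra VLANs are simply dropped here, but it is worth stating that deliberate asymmetry in the existing `description "uplink: sw-programmtresen"` so nobody "fixes" it later. As on sw-infojurte, ge-0/0/0 is an undocumented access port in the management VLAN and should carry a `description` or be moved to a user VLAN.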

451
switchconfig/sw-leitstelle Normal file

@@ -0,0 +1,451 @@
## Last changed: 2016-01-20 09:15:52 UTC
version 12.3R12.4;
groups {
backbone_vlans {
interfaces {
<*> {
unit 0 {
family ethernet-switching {
vlan {
members [ VL_SIP VL_DECT VL_HOSPITAL VL_IKT VL_IKT_TOYS VL_INFOJURTE VL_INTERNATIONAL VL_IOT VL_LEITSTELLE VL_MGMT VL_OFFICE VL_PROGRAMM VL_TECHNIK VL_VERWALTUNG VL_WLAN VL_YOLO VL_ZENTRAL VL_FUF VL_MAV ];
}
}
}
}
}
}
}
system {
host-name sw-leitstelle;
auto-snapshot;
domain-name bula22.de;
domain-search bula22.de;
root-authentication {
encrypted-password "$1$DAjLGZX7$sHIjgeZhXhq/IcgRKOWy20";
ssh-rsa "ssh-rsa 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 n0emis@noemis.me (OLD)";
}
name-server {
10.42.10.8;
}
login {
user fw {
uid 2000;
class super-user;
authentication {
ssh-rsa "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDMTsFE90WT+fvRnIuIBbjLJA2Hyne6duD306+Yg3z9yVTSCQxpFcolEwRQi5X4hsb3WdlW+YtvShXcFVNi7gtgSyIsgT1+YqpR+qIC+/r2h6NeA92dztigpbznOm9oL8vOP45S9fHedJ57E/UosYW2/du4W+6U+xH1ItyQx6AiJAj/RPpLWJz9FhP99Qwp6YiPAkxujgXtOMwX0xFmiQPv9QzBaD9jOKK0vE26IFX5RYAqontVgWGn6EdceR70vTQBcAsFYMS0sc9311H2wBfOptznyIZNInAsppaGNDMdOx9SdMVDZ6GDlOCsLvHq6+ra1jGdlwtgduVQeEpHmmjD";
}
}
}
services {
ssh;
}
}
chassis {
alarm {
management-ethernet {
link-down ignore;
}
}
}
interfaces {
ge-0/0/0 {
unit 0 {
family ethernet-switching {
vlan {
members VL_WLAN;
}
}
}
}
ge-0/0/1 {
unit 0 {
family ethernet-switching {
vlan {
members VL_LEITSTELLE;
}
}
}
}
ge-0/0/2 {
unit 0 {
family ethernet-switching {
vlan {
members VL_LEITSTELLE;
}
}
}
}
ge-0/0/3 {
unit 0 {
family ethernet-switching {
vlan {
members VL_LEITSTELLE;
}
}
}
}
ge-0/0/4 {
unit 0 {
family ethernet-switching {
vlan {
members VL_LEITSTELLE;
}
}
}
}
ge-0/0/5 {
unit 0 {
family ethernet-switching {
vlan {
members VL_LEITSTELLE;
}
}
}
}
ge-0/0/6 {
unit 0 {
family ethernet-switching {
vlan {
members VL_LEITSTELLE;
}
}
}
}
ge-0/0/7 {
unit 0 {
family ethernet-switching {
vlan {
members VL_LEITSTELLE;
}
}
}
}
ge-0/0/8 {
unit 0 {
family ethernet-switching {
vlan {
members VL_LEITSTELLE;
}
}
}
}
ge-0/0/9 {
unit 0 {
family ethernet-switching {
vlan {
members VL_LEITSTELLE;
}
}
}
}
ge-0/0/10 {
unit 0 {
family ethernet-switching {
vlan {
members VL_LEITSTELLE;
}
}
}
}
ge-0/0/11 {
unit 0 {
family ethernet-switching {
vlan {
members VL_LEITSTELLE;
}
}
}
}
ge-0/0/12 {
unit 0 {
family ethernet-switching {
vlan {
members VL_LEITSTELLE;
}
}
}
}
ge-0/0/13 {
unit 0 {
family ethernet-switching {
vlan {
members VL_LEITSTELLE;
}
}
}
}
ge-0/0/14 {
unit 0 {
family ethernet-switching {
vlan {
members VL_LEITSTELLE;
}
}
}
}
ge-0/0/15 {
unit 0 {
family ethernet-switching {
vlan {
members VL_LEITSTELLE;
}
}
}
}
ge-0/0/16 {
unit 0 {
family ethernet-switching {
vlan {
members VL_LEITSTELLE;
}
}
}
}
ge-0/0/17 {
unit 0 {
family ethernet-switching {
vlan {
members VL_LEITSTELLE;
}
}
}
}
ge-0/0/18 {
unit 0 {
family ethernet-switching {
vlan {
members VL_LEITSTELLE;
}
}
}
}
ge-0/0/19 {
unit 0 {
family ethernet-switching {
vlan {
members VL_LEITSTELLE;
}
}
}
}
ge-0/0/20 {
unit 0 {
family ethernet-switching {
vlan {
members VL_LEITSTELLE;
}
}
}
}
ge-0/0/21 {
unit 0 {
family ethernet-switching {
vlan {
members VL_LEITSTELLE;
}
}
}
}
ge-0/0/22 {
unit 0 {
family ethernet-switching {
vlan {
members VL_LEITSTELLE;
}
}
}
}
ge-0/0/23 {
unit 0 {
family ethernet-switching {
vlan {
members VL_LEITSTELLE;
}
}
}
}
ge-0/1/3 {
apply-groups backbone_vlans;
description "UPLINK sw-programmtresen";
unit 0 {
family ethernet-switching {
port-mode trunk;
}
}
}
vlan {
unit 42 {
family inet {
address 10.42.42.18/24;
}
}
}
}
snmp {
stats-cache-lifetime 15;
community tellme {
authorization read-only;
}
}
routing-options {
static {
route 0.0.0.0/0 next-hop 10.42.42.1;
}
}
protocols {
igmp-snooping {
vlan all;
}
lldp {
port-id-subtype locally-assigned;
interface all;
}
lldp-med {
interface all;
}
}
ethernet-switching-options {
secure-access-port {
interface ge-0/0/0.0 {
no-dhcp-trusted;
}
interface ge-0/0/1.0 {
no-dhcp-trusted;
}
interface ge-0/0/2.0 {
no-dhcp-trusted;
}
interface ge-0/0/3.0 {
no-dhcp-trusted;
}
interface ge-0/0/4.0 {
no-dhcp-trusted;
}
interface ge-0/0/5.0 {
no-dhcp-trusted;
}
interface ge-0/0/6.0 {
no-dhcp-trusted;
}
interface ge-0/0/7.0 {
no-dhcp-trusted;
}
interface ge-0/0/8.0 {
no-dhcp-trusted;
}
interface ge-0/0/9.0 {
no-dhcp-trusted;
}
interface ge-0/0/10.0 {
no-dhcp-trusted;
}
interface ge-0/0/11.0 {
no-dhcp-trusted;
}
interface ge-0/0/12.0 {
no-dhcp-trusted;
}
interface ge-0/0/13.0 {
no-dhcp-trusted;
}
interface ge-0/0/14.0 {
no-dhcp-trusted;
}
interface ge-0/0/15.0 {
no-dhcp-trusted;
}
interface ge-0/0/16.0 {
no-dhcp-trusted;
}
interface ge-0/0/17.0 {
no-dhcp-trusted;
}
interface ge-0/0/18.0 {
no-dhcp-trusted;
}
interface ge-0/0/19.0 {
no-dhcp-trusted;
}
interface ge-0/0/20.0 {
no-dhcp-trusted;
}
interface ge-0/0/21.0 {
no-dhcp-trusted;
}
interface ge-0/0/22.0 {
no-dhcp-trusted;
}
interface ge-0/0/23.0 {
no-dhcp-trusted;
}
}
storm-control {
interface all;
}
}
vlans {
VL_DECT {
vlan-id 132;
}
VL_FUF {
vlan-id 213;
}
VL_HOSPITAL {
vlan-id 203;
}
VL_IKT {
vlan-id 201;
}
VL_IKT_TOYS {
vlan-id 152;
}
VL_INFOJURTE {
vlan-id 209;
}
VL_INTERNATIONAL {
vlan-id 210;
}
VL_IOT {
vlan-id 151;
}
VL_LEITSTELLE {
vlan-id 205;
}
VL_MAV {
vlan-id 214;
}
VL_MGMT {
vlan-id 42;
l3-interface vlan.42;
}
VL_OFFICE {
vlan-id 212;
}
VL_PROGRAMM {
vlan-id 211;
}
VL_SIP {
vlan-id 133;
}
VL_TECHNIK {
vlan-id 202;
}
VL_VERWALTUNG {
vlan-id 206;
}
VL_WLAN {
vlan-id 131;
}
VL_YOLO {
vlan-id 208;
}
VL_ZENTRAL {
vlan-id 207;
}
VL_ZOLL {
vlan-id 204;
}
}
poe {
interface ge-0/0/0;
}
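Review bot: `root-authentication` holds `encrypted-password "$1$DAjLGZX7$sHIjgeZhXhq/IcgRKOWy20"`, the identical MD5-crypt hash found on every other Junos switch in this change, plus an SSH key whose comment says `(OLD)`. MD5-crypt is cheap to brute-force offline and the hash is now in git history, so the password should be rotated to a per-device value using the strongest hash format this 12.3 release supports, the retired key removed, and the line marked `## SECRET-DATA` or redacted before committing, as the sw-infojurte config in this change already does. Since the `fw` super-user login already authenticates by key, I would also add `root-login deny` under `system services ssh` so root is console-only; the 12.3 default for that knob should be checked rather than assumed.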


@@ -0,0 +1,754 @@
## Last changed: 2016-01-22 09:03:18 UTC
version 12.3R12.4;
groups {
backbone_vlans {
interfaces {
<*> {
unit 0 {
family ethernet-switching {
vlan {
members [ VL_SIP VL_DECT VL_HOSPITAL VL_IKT VL_IKT_TOYS VL_INFOJURTE VL_INTERNATIONAL VL_IOT VL_LEITSTELLE VL_MGMT VL_OFFICE VL_PROGRAMM VL_TECHNIK VL_VERWALTUNG VL_WLAN VL_YOLO VL_ZENTRAL VL_FUF VL_MAV ];
}
}
}
}
}
}
}
system {
host-name sw-programmtresen;
auto-snapshot;
domain-name bula22.de;
domain-search bula22.de;
root-authentication {
encrypted-password "$1$DAjLGZX7$sHIjgeZhXhq/IcgRKOWy20";
ssh-rsa "ssh-rsa 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 n0emis@noemis.me (OLD)";
}
name-server {
10.42.10.8;
}
login {
user fw {
uid 2000;
class super-user;
authentication {
ssh-rsa "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDMTsFE90WT+fvRnIuIBbjLJA2Hyne6duD306+Yg3z9yVTSCQxpFcolEwRQi5X4hsb3WdlW+YtvShXcFVNi7gtgSyIsgT1+YqpR+qIC+/r2h6NeA92dztigpbznOm9oL8vOP45S9fHedJ57E/UosYW2/du4W+6U+xH1ItyQx6AiJAj/RPpLWJz9FhP99Qwp6YiPAkxujgXtOMwX0xFmiQPv9QzBaD9jOKK0vE26IFX5RYAqontVgWGn6EdceR70vTQBcAsFYMS0sc9311H2wBfOptznyIZNInAsppaGNDMdOx9SdMVDZ6GDlOCsLvHq6+ra1jGdlwtgduVQeEpHmmjD";
}
}
}
services {
ssh;
}
}
chassis {
alarm {
management-ethernet {
link-down ignore;
}
}
}
interfaces {
ge-0/0/0 {
unit 0 {
family ethernet-switching {
vlan {
members VL_PROGRAMM;
}
}
}
}
ge-0/0/1 {
unit 0 {
family ethernet-switching {
vlan {
members VL_PROGRAMM;
}
}
}
}
ge-0/0/2 {
unit 0 {
family ethernet-switching {
vlan {
members VL_PROGRAMM;
}
}
}
}
ge-0/0/3 {
unit 0 {
family ethernet-switching {
vlan {
members VL_PROGRAMM;
}
}
}
}
ge-0/0/4 {
unit 0 {
family ethernet-switching {
vlan {
members VL_PROGRAMM;
}
}
}
}
ge-0/0/5 {
unit 0 {
family ethernet-switching {
vlan {
members VL_PROGRAMM;
}
}
}
}
ge-0/0/6 {
unit 0 {
family ethernet-switching {
vlan {
members VL_PROGRAMM;
}
}
}
}
ge-0/0/7 {
unit 0 {
family ethernet-switching {
vlan {
members VL_PROGRAMM;
}
}
}
}
ge-0/0/8 {
unit 0 {
family ethernet-switching {
vlan {
members VL_PROGRAMM;
}
}
}
}
ge-0/0/9 {
unit 0 {
family ethernet-switching {
vlan {
members VL_PROGRAMM;
}
}
}
}
ge-0/0/10 {
unit 0 {
family ethernet-switching {
vlan {
members VL_PROGRAMM;
}
}
}
}
ge-0/0/11 {
unit 0 {
family ethernet-switching {
vlan {
members VL_PROGRAMM;
}
}
}
}
ge-0/0/12 {
unit 0 {
family ethernet-switching {
vlan {
members VL_PROGRAMM;
}
}
}
}
ge-0/0/13 {
unit 0 {
family ethernet-switching {
vlan {
members VL_PROGRAMM;
}
}
}
}
ge-0/0/14 {
unit 0 {
family ethernet-switching {
vlan {
members VL_PROGRAMM;
}
}
}
}
ge-0/0/15 {
unit 0 {
family ethernet-switching {
vlan {
members VL_PROGRAMM;
}
}
}
}
ge-0/0/16 {
unit 0 {
family ethernet-switching {
vlan {
members VL_PROGRAMM;
}
}
}
}
ge-0/0/17 {
unit 0 {
family ethernet-switching {
vlan {
members VL_PROGRAMM;
}
}
}
}
ge-0/0/18 {
unit 0 {
family ethernet-switching {
vlan {
members VL_PROGRAMM;
}
}
}
}
ge-0/0/19 {
unit 0 {
family ethernet-switching {
vlan {
members VL_PROGRAMM;
}
}
}
}
ge-0/0/20 {
unit 0 {
family ethernet-switching {
vlan {
members VL_PROGRAMM;
}
}
}
}
ge-0/0/21 {
unit 0 {
family ethernet-switching {
vlan {
members VL_PROGRAMM;
}
}
}
}
ge-0/0/22 {
unit 0 {
family ethernet-switching {
vlan {
members VL_PROGRAMM;
}
}
}
}
ge-0/0/23 {
unit 0 {
family ethernet-switching {
vlan {
members VL_PROGRAMM;
}
}
}
}
ge-0/0/24 {
unit 0 {
family ethernet-switching {
vlan {
members VL_PROGRAMM;
}
}
}
}
ge-0/0/25 {
unit 0 {
family ethernet-switching {
vlan {
members VL_PROGRAMM;
}
}
}
}
ge-0/0/26 {
unit 0 {
family ethernet-switching {
vlan {
members VL_PROGRAMM;
}
}
}
}
ge-0/0/27 {
unit 0 {
family ethernet-switching {
vlan {
members VL_PROGRAMM;
}
}
}
}
ge-0/0/28 {
unit 0 {
family ethernet-switching {
vlan {
members VL_PROGRAMM;
}
}
}
}
ge-0/0/29 {
unit 0 {
family ethernet-switching {
vlan {
members VL_PROGRAMM;
}
}
}
}
ge-0/0/30 {
unit 0 {
family ethernet-switching {
vlan {
members VL_PROGRAMM;
}
}
}
}
ge-0/0/31 {
unit 0 {
family ethernet-switching {
vlan {
members VL_PROGRAMM;
}
}
}
}
ge-0/0/32 {
unit 0 {
family ethernet-switching {
vlan {
members VL_PROGRAMM;
}
}
}
}
ge-0/0/33 {
unit 0 {
family ethernet-switching {
vlan {
members VL_PROGRAMM;
}
}
}
}
ge-0/0/34 {
unit 0 {
family ethernet-switching {
vlan {
members VL_PROGRAMM;
}
}
}
}
ge-0/0/35 {
unit 0 {
family ethernet-switching {
vlan {
members VL_PROGRAMM;
}
}
}
}
ge-0/0/36 {
unit 0 {
family ethernet-switching {
vlan {
members VL_PROGRAMM;
}
}
}
}
ge-0/0/37 {
unit 0 {
family ethernet-switching {
vlan {
members VL_PROGRAMM;
}
}
}
}
ge-0/0/38 {
unit 0 {
family ethernet-switching {
vlan {
members VL_PROGRAMM;
}
}
}
}
ge-0/0/39 {
unit 0 {
family ethernet-switching {
vlan {
members VL_PROGRAMM;
}
}
}
}
ge-0/0/40 {
unit 0 {
family ethernet-switching {
vlan {
members VL_PROGRAMM;
}
}
}
}
ge-0/0/41 {
unit 0 {
family ethernet-switching {
vlan {
members VL_PROGRAMM;
}
}
}
}
ge-0/0/42 {
unit 0 {
family ethernet-switching {
vlan {
members VL_PROGRAMM;
}
}
}
}
ge-0/0/43 {
unit 0 {
family ethernet-switching {
vlan {
members VL_PROGRAMM;
}
}
}
}
ge-0/0/44 {
unit 0 {
family ethernet-switching {
vlan {
members VL_PROGRAMM;
}
}
}
}
ge-0/0/45 {
unit 0 {
family ethernet-switching {
vlan {
members VL_PROGRAMM;
}
}
}
}
ge-0/0/46 {
unit 0 {
family ethernet-switching {
vlan {
members VL_PROGRAMM;
}
}
}
}
ge-0/0/47 {
unit 0 {
family ethernet-switching {
vlan {
members VL_PROGRAMM;
}
}
}
}
ge-0/1/0 {
apply-groups backbone_vlans;
description "UPLINK sw-international";
unit 0 {
family ethernet-switching {
port-mode trunk;
}
}
}
ge-0/1/1 {
apply-groups backbone_vlans;
description "UPLINK sw-leitstelle";
unit 0 {
family ethernet-switching {
port-mode trunk;
}
}
}
ge-0/1/3 {
apply-groups backbone_vlans;
description "UPLINK sw-zentral-2";
unit 0 {
family ethernet-switching {
port-mode trunk;
}
}
}
vlan {
unit 42 {
family inet {
address 10.42.42.16/24;
}
}
}
}
snmp {
stats-cache-lifetime 15;
community tellme {
authorization read-only;
}
}
routing-options {
static {
route 0.0.0.0/0 next-hop 10.42.42.1;
}
}
protocols {
igmp-snooping {
vlan all;
}
lldp {
port-id-subtype locally-assigned;
interface all;
}
lldp-med {
interface all;
}
}
ethernet-switching-options {
secure-access-port {
interface ge-0/0/0.0 {
no-dhcp-trusted;
}
interface ge-0/0/1.0 {
no-dhcp-trusted;
}
interface ge-0/0/2.0 {
no-dhcp-trusted;
}
interface ge-0/0/3.0 {
no-dhcp-trusted;
}
interface ge-0/0/4.0 {
no-dhcp-trusted;
}
interface ge-0/0/5.0 {
no-dhcp-trusted;
}
interface ge-0/0/6.0 {
no-dhcp-trusted;
}
interface ge-0/0/7.0 {
no-dhcp-trusted;
}
interface ge-0/0/8.0 {
no-dhcp-trusted;
}
interface ge-0/0/9.0 {
no-dhcp-trusted;
}
interface ge-0/0/10.0 {
no-dhcp-trusted;
}
interface ge-0/0/11.0 {
no-dhcp-trusted;
}
interface ge-0/0/12.0 {
no-dhcp-trusted;
}
interface ge-0/0/13.0 {
no-dhcp-trusted;
}
interface ge-0/0/14.0 {
no-dhcp-trusted;
}
interface ge-0/0/15.0 {
no-dhcp-trusted;
}
interface ge-0/0/16.0 {
no-dhcp-trusted;
}
interface ge-0/0/17.0 {
no-dhcp-trusted;
}
interface ge-0/0/18.0 {
no-dhcp-trusted;
}
interface ge-0/0/19.0 {
no-dhcp-trusted;
}
interface ge-0/0/20.0 {
no-dhcp-trusted;
}
interface ge-0/0/21.0 {
no-dhcp-trusted;
}
interface ge-0/0/22.0 {
no-dhcp-trusted;
}
interface ge-0/0/23.0 {
no-dhcp-trusted;
}
interface ge-0/0/24.0 {
no-dhcp-trusted;
}
interface ge-0/0/25.0 {
no-dhcp-trusted;
}
interface ge-0/0/26.0 {
no-dhcp-trusted;
}
interface ge-0/0/27.0 {
no-dhcp-trusted;
}
interface ge-0/0/28.0 {
no-dhcp-trusted;
}
interface ge-0/0/29.0 {
no-dhcp-trusted;
}
interface ge-0/0/30.0 {
no-dhcp-trusted;
}
interface ge-0/0/31.0 {
no-dhcp-trusted;
}
interface ge-0/0/32.0 {
no-dhcp-trusted;
}
interface ge-0/0/33.0 {
no-dhcp-trusted;
}
interface ge-0/0/34.0 {
no-dhcp-trusted;
}
interface ge-0/0/35.0 {
no-dhcp-trusted;
}
interface ge-0/0/36.0 {
no-dhcp-trusted;
}
interface ge-0/0/37.0 {
no-dhcp-trusted;
}
interface ge-0/0/38.0 {
no-dhcp-trusted;
}
interface ge-0/0/39.0 {
no-dhcp-trusted;
}
interface ge-0/0/40.0 {
no-dhcp-trusted;
}
interface ge-0/0/41.0 {
no-dhcp-trusted;
}
interface ge-0/0/42.0 {
no-dhcp-trusted;
}
interface ge-0/0/43.0 {
no-dhcp-trusted;
}
interface ge-0/0/44.0 {
no-dhcp-trusted;
}
interface ge-0/0/45.0 {
no-dhcp-trusted;
}
interface ge-0/0/46.0 {
no-dhcp-trusted;
}
interface ge-0/0/47.0 {
no-dhcp-trusted;
}
}
storm-control {
interface all;
}
}
vlans {
VL_DECT {
vlan-id 132;
}
VL_FUF {
vlan-id 213;
}
VL_HOSPITAL {
vlan-id 203;
}
VL_IKT {
vlan-id 201;
}
VL_IKT_TOYS {
vlan-id 152;
}
VL_INFOJURTE {
vlan-id 209;
}
VL_INTERNATIONAL {
vlan-id 210;
}
VL_IOT {
vlan-id 151;
}
VL_LEITSTELLE {
vlan-id 205;
}
VL_MAV {
vlan-id 214;
}
VL_MGMT {
vlan-id 42;
l3-interface vlan.42;
}
VL_OFFICE {
vlan-id 212;
}
VL_PROGRAMM {
vlan-id 211;
}
VL_SIP {
vlan-id 133;
}
VL_TECHNIK {
vlan-id 202;
}
VL_VERWALTUNG {
vlan-id 206;
}
VL_WLAN {
vlan-id 131;
}
VL_YOLO {
vlan-id 208;
}
VL_ZENTRAL {
vlan-id 207;
}
VL_ZOLL {
vlan-id 204;
}
}
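Review bot: `snmp community tellme { authorization read-only; }` has no `clients` clause, so any host that can reach 10.42.42.16 can walk the MIB of a 48-port switch (interface names, LLDP neighbours, MAC tables), which is useful recon even read-only; add `clients { <monitoring-prefix>; 0.0.0.0/0 { restrict; } }` under the community, or move to SNMPv3 with authPriv. In the same spirit, `lldp { interface all; }` advertises the hostname and management address on all 48 VL_PROGRAMM access ports, whereas LLDP is only needed on the three uplinks and on any AP/phone ports; consider listing those explicitly or disabling LLDP on the user-facing ports. The `no-dhcp-trusted` list for ge-0/0/0.0 through ge-0/0/47.0 will not protect against rogue DHCP servers unless `examine-dhcp` is also enabled for VL_PROGRAMM under `secure-access-port`, as far as I can tell from this 12.3 config.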


@@ -0,0 +1,308 @@
## Last changed: 2022-03-02 21:05:33 UTC
version 12.3R12-S21;
groups {
backbone_vlans {
interfaces {
<*> {
unit 0 {
family ethernet-switching {
vlan {
members [ VL_SIP VL_DECT VL_HOSPITAL VL_IKT VL_IKT_TOYS VL_INFOJURTE VL_INTERNATIONAL VL_IOT VL_LEITSTELLE VL_MGMT VL_OFFICE VL_PROGRAMM VL_TECHNIK VL_VERWALTUNG VL_WLAN VL_YOLO VL_ZENTRAL ];
}
}
}
}
}
}
}
system {
host-name sw-technik-container;
auto-snapshot;
domain-name bula22.de;
domain-search bula22.de;
root-authentication {
encrypted-password "$1$DAjLGZX7$sHIjgeZhXhq/IcgRKOWy20";
ssh-rsa "ssh-rsa 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 n0emis@noemis.me (OLD)";
ssh-ed25519 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEcOPtW5FWNIdlMQFoqeyA1vHw+cA8ft8oXSbXPzQNL9 n0emis@n0emis.eu";
}
name-server {
10.42.10.8;
}
login {
user fw {
uid 2000;
class super-user;
authentication {
ssh-rsa "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDMTsFE90WT+fvRnIuIBbjLJA2Hyne6duD306+Yg3z9yVTSCQxpFcolEwRQi5X4hsb3WdlW+YtvShXcFVNi7gtgSyIsgT1+YqpR+qIC+/r2h6NeA92dztigpbznOm9oL8vOP45S9fHedJ57E/UosYW2/du4W+6U+xH1ItyQx6AiJAj/RPpLWJz9FhP99Qwp6YiPAkxujgXtOMwX0xFmiQPv9QzBaD9jOKK0vE26IFX5RYAqontVgWGn6EdceR70vTQBcAsFYMS0sc9311H2wBfOptznyIZNInAsppaGNDMdOx9SdMVDZ6GDlOCsLvHq6+ra1jGdlwtgduVQeEpHmmjD";
}
}
}
services {
ssh;
}
}
chassis {
alarm {
management-ethernet {
link-down ignore;
}
}
}
interfaces {
ge-0/0/0 {
unit 0 {
family ethernet-switching {
vlan {
members VL_IOT;
}
}
}
}
ge-0/0/1 {
unit 0 {
family ethernet-switching {
vlan {
members VL_TECHNIK;
}
}
}
}
ge-0/0/2 {
unit 0 {
family ethernet-switching {
vlan {
members VL_TECHNIK;
}
}
}
}
ge-0/0/3 {
unit 0 {
family ethernet-switching {
vlan {
members VL_TECHNIK;
}
}
}
}
ge-0/0/4 {
unit 0 {
family ethernet-switching {
vlan {
members VL_TECHNIK;
}
}
}
}
ge-0/0/5 {
unit 0 {
family ethernet-switching {
vlan {
members VL_TECHNIK;
}
}
}
}
ge-0/0/6 {
unit 0 {
family ethernet-switching {
vlan {
members VL_TECHNIK;
}
}
}
}
ge-0/0/7 {
unit 0 {
family ethernet-switching {
vlan {
members VL_TECHNIK;
}
}
}
}
ge-0/0/8 {
unit 0 {
family ethernet-switching {
vlan {
members VL_TECHNIK;
}
}
}
}
ge-0/0/9 {
unit 0 {
family ethernet-switching {
vlan {
members VL_TECHNIK;
}
}
}
}
ge-0/0/10 {
unit 0 {
family ethernet-switching {
vlan {
members VL_WLAN;
}
}
}
}
ge-0/0/11 {
unit 0 {
family ethernet-switching {
vlan {
members VL_TECHNIK;
}
}
}
}
ge-0/1/0 {
apply-groups backbone_vlans;
description "UPLINK sw-technik-zelt";
unit 0 {
family ethernet-switching {
port-mode trunk;
}
}
}
ge-0/1/1 {
apply-groups backbone_vlans;
description "UPLINK sw-zentral-1";
unit 0 {
family ethernet-switching {
port-mode trunk;
}
}
}
vlan {
unit 42 {
family inet {
address 10.42.42.21/24;
}
}
}
}
snmp {
stats-cache-lifetime 15;
community tellme {
authorization read-only;
}
}
routing-options {
static {
route 0.0.0.0/0 next-hop 10.42.42.1;
}
}
protocols {
igmp-snooping {
vlan all;
}
lldp {
port-id-subtype locally-assigned;
interface all;
}
lldp-med {
interface all;
}
}
ethernet-switching-options {
secure-access-port {
interface ge-0/0/0.0 {
no-dhcp-trusted;
}
interface ge-0/0/1.0 {
no-dhcp-trusted;
}
interface ge-0/0/2.0 {
no-dhcp-trusted;
}
interface ge-0/0/3.0 {
no-dhcp-trusted;
}
interface ge-0/0/4.0 {
no-dhcp-trusted;
}
interface ge-0/0/5.0 {
no-dhcp-trusted;
}
interface ge-0/0/6.0 {
no-dhcp-trusted;
}
interface ge-0/0/7.0 {
no-dhcp-trusted;
}
interface ge-0/0/8.0 {
no-dhcp-trusted;
}
interface ge-0/0/9.0 {
no-dhcp-trusted;
}
interface ge-0/0/10.0 {
no-dhcp-trusted;
}
interface ge-0/0/11.0 {
no-dhcp-trusted;
}
}
storm-control {
interface all;
}
}
vlans {
VL_DECT {
vlan-id 132;
}
VL_HOSPITAL {
vlan-id 203;
}
VL_IKT {
vlan-id 201;
}
VL_IKT_TOYS {
vlan-id 152;
}
VL_INFOJURTE {
vlan-id 209;
}
VL_INTERNATIONAL {
vlan-id 210;
}
VL_IOT {
vlan-id 151;
}
VL_LEITSTELLE {
vlan-id 205;
}
VL_MGMT {
vlan-id 42;
l3-interface vlan.42;
}
VL_OFFICE {
vlan-id 212;
}
VL_PROGRAMM {
vlan-id 211;
}
VL_SIP {
vlan-id 133;
}
VL_TECHNIK {
vlan-id 202;
}
VL_VERWALTUNG {
vlan-id 206;
}
VL_WLAN {
vlan-id 131;
}
VL_YOLO {
vlan-id 208;
}
VL_ZENTRAL {
vlan-id 207;
}
VL_ZOLL {
vlan-id 204;
}
}


@@ -0,0 +1,348 @@
## Last changed: 2022-03-03 07:32:51 UTC
version 12.3R12-S21;
system {
host-name sw-technik-zelt;
auto-snapshot;
domain-name bula22.de;
domain-search bula22.de;
root-authentication {
encrypted-password "$1$DAjLGZX7$sHIjgeZhXhq/IcgRKOWy20";
ssh-rsa "ssh-rsa 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 n0emis@noemis.me (OLD)";
ssh-ed25519 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEcOPtW5FWNIdlMQFoqeyA1vHw+cA8ft8oXSbXPzQNL9 n0emis@n0emis.eu";
}
name-server {
10.42.10.8;
}
login {
user fw {
uid 2000;
class super-user;
authentication {
ssh-rsa "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDMTsFE90WT+fvRnIuIBbjLJA2Hyne6duD306+Yg3z9yVTSCQxpFcolEwRQi5X4hsb3WdlW+YtvShXcFVNi7gtgSyIsgT1+YqpR+qIC+/r2h6NeA92dztigpbznOm9oL8vOP45S9fHedJ57E/UosYW2/du4W+6U+xH1ItyQx6AiJAj/RPpLWJz9FhP99Qwp6YiPAkxujgXtOMwX0xFmiQPv9QzBaD9jOKK0vE26IFX5RYAqontVgWGn6EdceR70vTQBcAsFYMS0sc9311H2wBfOptznyIZNInAsppaGNDMdOx9SdMVDZ6GDlOCsLvHq6+ra1jGdlwtgduVQeEpHmmjD";
}
}
}
services {
ssh;
}
}
chassis {
alarm {
management-ethernet {
link-down ignore;
}
}
}
interfaces {
ge-0/0/0 {
unit 0 {
family ethernet-switching {
vlan {
members VL_MGMT;
}
}
}
}
ge-0/0/1 {
unit 0 {
family ethernet-switching {
vlan {
members VL_MGMT;
}
}
}
}
ge-0/0/2 {
unit 0 {
family ethernet-switching {
vlan {
members VL_MGMT;
}
}
}
}
ge-0/0/3 {
unit 0 {
family ethernet-switching {
vlan {
members VL_MGMT;
}
}
}
}
ge-0/0/4 {
unit 0 {
family ethernet-switching {
vlan {
members VL_MGMT;
}
}
}
}
ge-0/0/5 {
unit 0 {
family ethernet-switching {
vlan {
members VL_MGMT;
}
}
}
}
ge-0/0/8 {
unit 0 {
family ethernet-switching {
vlan {
members VL_IKT;
}
}
}
}
ge-0/0/10 {
unit 0 {
family ethernet-switching {
port-mode trunk;
vlan {
members [ VL_TECHNIK VL_MGMT ];
}
}
}
}
ge-0/0/11 {
unit 0 {
family ethernet-switching {
port-mode access;
}
}
}
ge-0/0/12 {
unit 0 {
family ethernet-switching {
vlan {
members VL_DECT;
}
}
}
}
ge-0/0/13 {
unit 0 {
family ethernet-switching {
vlan {
members VL_DECT;
}
}
}
}
ge-0/0/14 {
unit 0 {
family ethernet-switching {
vlan {
members VL_DECT;
}
}
}
}
ge-0/0/15 {
unit 0 {
family ethernet-switching {
vlan {
members VL_DECT;
}
}
}
}
ge-0/0/16 {
unit 0 {
family ethernet-switching {
vlan {
members VL_SIP;
}
}
}
}
ge-0/0/17 {
unit 0 {
family ethernet-switching {
vlan {
members VL_SIP;
}
}
}
}
ge-0/0/18 {
unit 0 {
family ethernet-switching {
vlan {
members VL_SIP;
}
}
}
}
ge-0/0/19 {
unit 0 {
family ethernet-switching {
vlan {
members VL_SIP;
}
}
}
}
ge-0/0/20 {
unit 0 {
family ethernet-switching {
vlan {
members VL_SIP;
}
}
}
}
ge-0/0/21 {
unit 0 {
family ethernet-switching {
vlan {
members VL_SIP;
}
}
}
}
ge-0/0/22 {
unit 0 {
family ethernet-switching {
port-mode trunk;
vlan {
members VL_MGMT;
}
native-vlan-id VL_WLAN;
}
}
}
ge-0/0/23 {
unit 0 {
family ethernet-switching {
port-mode trunk;
vlan {
members [ VL_MGMT VL_WLAN VL_DECT VL_SIP VL_IOT VL_IKT_TOYS VL_IKT VL_TECHNIK ];
}
}
}
}
ge-0/1/3 {
unit 0 {
family ethernet-switching {
port-mode trunk;
vlan {
members [ VL_MGMT VL_WLAN VL_DECT VL_SIP VL_IOT VL_IKT_TOYS VL_IKT VL_TECHNIK ];
}
}
}
}
vlan {
unit 42 {
family inet {
address 10.42.42.20/24;
}
}
}
}
snmp {
stats-cache-lifetime 15;
community tellme {
authorization read-only;
}
}
routing-options {
static {
route 0.0.0.0/0 next-hop 10.42.42.1;
}
}
protocols {
igmp-snooping {
vlan all;
}
lldp {
port-id-subtype locally-assigned;
interface all;
}
lldp-med {
interface all;
}
}
ethernet-switching-options {
analyzer hp {
input {
ingress {
interface ge-0/0/10.0;
}
egress {
interface ge-0/0/10.0;
}
}
output {
interface {
ge-0/0/11.0;
}
}
}
storm-control {
interface all;
}
}
vlans {
VL_DECT {
vlan-id 132;
}
VL_HOSPITAL {
vlan-id 203;
}
VL_IKT {
vlan-id 201;
}
VL_IKT_TOYS {
vlan-id 152;
}
VL_INFOJURTE {
vlan-id 209;
}
VL_INTERNATIONAL {
vlan-id 210;
}
VL_IOT {
vlan-id 151;
}
VL_LEITSTELLE {
vlan-id 205;
}
VL_MGMT {
vlan-id 42;
l3-interface vlan.42;
}
VL_OFFICE {
vlan-id 212;
}
VL_PROGRAMM {
vlan-id 211;
}
VL_SIP {
vlan-id 133;
}
VL_TECHNIK {
vlan-id 202;
}
VL_VERWALTUNG {
vlan-id 206;
}
VL_WLAN {
vlan-id 131;
}
VL_YOLO {
vlan-id 208;
}
VL_ZENTRAL {
vlan-id 207;
}
VL_ZOLL {
vlan-id 204;
}
}
poe {
interface all;
}
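Review bot: The `analyzer hp` session in ethernet-switching-options mirrors all ingress and egress traffic of ge-0/0/10 — a trunk that carries VL_MGMT as well as VL_TECHNIK — onto ge-0/0/11, which is an access port with no VLAN assignment and no description, so whatever is attached there receives a copy of management-VLAN traffic. If this was a one-off capture it should be removed before the config is committed to the repository; otherwise `description "MIRROR OUTPUT for analyzer hp - do not patch";` on ge-0/0/11 would keep it from being treated as a free port. This switch also lacks the `secure-access-port { ... no-dhcp-trusted; }` block that sw-verwaltung applies to every edge port, so DHCP snooping is not enforced on the DECT/SIP ports here, and root-authentication still carries the ssh key tagged `(OLD)` that the other switches in this diff also keep.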


@@ -0,0 +1,126 @@
version 15.1R7-S10;
system {
host-name sw-trabantenstadt;
auto-snapshot;
root-authentication {
encrypted-password "$1$DAjLGZX7$sHIjgeZhXhq/IcgRKOWy20"; ## SECRET-DATA
ssh-rsa "ssh-rsa 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 n0emis@noemis.me (OLD)"; ## SECRET-DATA
ssh-ed25519 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEcOPtW5FWNIdlMQFoqeyA1vHw+cA8ft8oXSbXPzQNL9 n0emis@n0emis.eu"; ## SECRET-DATA
}
services {
ssh;
}
}
interfaces {
ge-0/0/0 {
unit 0 {
family ethernet-switching {
vlan {
members VL_MGMT;
}
}
}
}
ge-0/0/23 {
unit 0 {
family ethernet-switching {
port-mode trunk;
vlan {
members [ VL_MGMT VL_WLAN VL_DECT VL_SIP VL_YOLO ];
}
}
}
}
vlan {
unit 42 {
family inet {
address 10.42.42.26/24;
}
}
}
}
snmp {
stats-cache-lifetime 15;
community tellme {
authorization read-only;
}
}
routing-options {
static {
route 0.0.0.0/0 next-hop 10.42.42.1;
}
}
protocols {
igmp-snooping {
vlan all;
}
lldp {
port-id-subtype locally-assigned;
interface all;
}
lldp-med {
interface all;
}
}
ethernet-switching-options {
storm-control {
interface all;
}
}
vlans {
VL_MGMT {
vlan-id 42;
l3-interface vlan.42
}
VL_WLAN {
vlan-id 131;
}
VL_DECT {
vlan-id 132;
}
VL_SIP {
vlan-id 133;
}
VL_IOT {
vlan-id 151;
}
VL_IKT_TOYS {
vlan-id 152;
}
VL_IKT {
vlan-id 201;
}
VL_TECHNIK {
vlan-id 202;
}
VL_HOSPITAL {
vlan-id 203;
}
VL_ZOLL {
vlan-id 204;
}
VL_LEITSTELLE {
vlan-id 205;
}
VL_VERWALTUNG {
vlan-id 206;
}
VL_ZENTRAL {
vlan-id 207;
}
VL_YOLO {
vlan-id 208;
}
VL_INFOJURTE {
vlan-id 209;
}
VL_INTERNATIONAL {
vlan-id 210;
}
VL_PROGRAMM {
vlan-id 211;
}
VL_OFFICE {
vlan-id 212;
}
}
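Review bot: `l3-interface vlan.42` under VL_MGMT in the vlans block is missing its terminating semicolon, which the Junos configuration parser rejects as a syntax error when this file is loaded; it should read `l3-interface vlan.42;`. Unlike the other switch configs in this diff, this one has no `name-server`, no `domain-name` and no `login { user fw ... }` stanza, leaving root as the only SSH-reachable account — presumably the file was captured before the common baseline was applied, worth confirming. The `secure-access-port` block with `no-dhcp-trusted` on the edge port is also absent here, and the `(OLD)` ssh key under root-authentication is still present.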

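--- a/switchconfig/sw-verwaltung
+++ b/switchconfig/sw-verwaltung
@@ -0,0 +1,471 @@
+## Last changed: 2022-07-26 20:48:41 UTC
+version 12.3R12.4;
+groups {
+backbone_vlans {
+interfaces {
+<*> {
+unit 0 {
+family ethernet-switching {
+vlan {
+members [ VL_SIP VL_DECT VL_HOSPITAL VL_IKT VL_IKT_TOYS VL_INFOJURTE VL_INTERNATIONAL VL_IOT VL_LEITSTELLE VL_MGMT VL_OFFICE VL_PROGRAMM VL_TECHNIK VL_VERWALTUNG VL_WLAN VL_YOLO VL_ZENTRAL VL_MAV ];
+}
+}
+}
+}
+}
+}
+}
+system {
+host-name sw-verwaltung;
+auto-snapshot;
+domain-name bula22.de;
+domain-search bula22.de;
+root-authentication {
+encrypted-password "$1$DAjLGZX7$sHIjgeZhXhq/IcgRKOWy20";
+ssh-rsa "ssh-rsa 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 n0emis@noemis.me (OLD)";
+}
+name-server {
+10.42.10.8;
+}
+login {
+user fw {
+uid 2000;
+class super-user;
+authentication {
+ssh-rsa "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDMTsFE90WT+fvRnIuIBbjLJA2Hyne6duD306+Yg3z9yVTSCQxpFcolEwRQi5X4hsb3WdlW+YtvShXcFVNi7gtgSyIsgT1+YqpR+qIC+/r2h6NeA92dztigpbznOm9oL8vOP45S9fHedJ57E/UosYW2/du4W+6U+xH1ItyQx6AiJAj/RPpLWJz9FhP99Qwp6YiPAkxujgXtOMwX0xFmiQPv9QzBaD9jOKK0vE26IFX5RYAqontVgWGn6EdceR70vTQBcAsFYMS0sc9311H2wBfOptznyIZNInAsppaGNDMdOx9SdMVDZ6GDlOCsLvHq6+ra1jGdlwtgduVQeEpHmmjD";
+}
+}
+}
+services {
+ssh;
+}
+}
+chassis {
+alarm {
+management-ethernet {
+link-down ignore;
+}
+}
+}
+interfaces {
+ge-0/0/0 {
+description BLL;
+unit 0 {
+family ethernet-switching {
+port-mode trunk;
+vlan {
+members [ VL_MGMT VL_VERWALTUNG ];
+}
+native-vlan-id VL_VERWALTUNG;
+}
+}
+}
+ge-0/0/1 {
+description Finanzen;
+unit 0 {
+family ethernet-switching {
+port-mode access;
+vlan {
+members VL_VERWALTUNG;
+}
+}
+}
+}
+ge-0/0/2 {
+unit 0 {
+family ethernet-switching {
+vlan {
+members VL_OFFICE;
+}
+}
+}
+}
+ge-0/0/3 {
+unit 0 {
+family ethernet-switching {
+vlan {
+members VL_OFFICE;
+}
+}
+}
+}
+ge-0/0/4 {
+unit 0 {
+family ethernet-switching {
+vlan {
+members VL_OFFICE;
+}
+}
+}
+}
+ge-0/0/5 {
+unit 0 {
+family ethernet-switching {
+vlan {
+members VL_OFFICE;
+}
+}
+}
+}
+ge-0/0/6 {
+unit 0 {
+family ethernet-switching {
+vlan {
+members VL_OFFICE;
+}
+}
+}
+}
+ge-0/0/7 {
+unit 0 {
+family ethernet-switching {
+vlan {
+members VL_OFFICE;
+}
+}
+}
+}
+ge-0/0/8 {
+unit 0 {
+family ethernet-switching {
+vlan {
+members VL_OFFICE;
+}
+}
+}
+}
+ge-0/0/9 {
+unit 0 {
+family ethernet-switching {
+vlan {
+members VL_OFFICE;
+}
+}
+}
+}
+ge-0/0/10 {
+unit 0 {
+family ethernet-switching {
+vlan {
+members VL_OFFICE;
+}
+}
+}
+}
+ge-0/0/11 {
+unit 0 {
+family ethernet-switching {
+vlan {
+members VL_OFFICE;
+}
+}
+}
+}
+ge-0/0/12 {
+unit 0 {
+family ethernet-switching {
+vlan {
+members VL_OFFICE;
+}
+}
+}
+}
+ge-0/0/13 {
+unit 0 {
+family ethernet-switching {
+vlan {
+members VL_OFFICE;
+}
+}
+}
+}
+ge-0/0/14 {
+unit 0 {
+family ethernet-switching {
+vlan {
+members VL_OFFICE;
+}
+}
+}
+}
+ge-0/0/15 {
+unit 0 {
+family ethernet-switching {
+vlan {
+members VL_OFFICE;
+}
+}
+}
+}
+ge-0/0/16 {
+unit 0 {
+family ethernet-switching {
+vlan {
+members VL_OFFICE;
+}
+}
+}
+}
+ge-0/0/17 {
+unit 0 {
+family ethernet-switching {
+vlan {
+members VL_OFFICE;
+}
+}
+}
+}
+ge-0/0/18 {
+description sw-finanzen;
+unit 0 {
+family ethernet-switching {
+port-mode trunk;
+vlan {
+members [ VL_OFFICE VL_MGMT ];
+}
+native-vlan-id 206;
+}
+}
+}
+ge-0/0/19 {
+description "AP BLL";
+unit 0 {
+family ethernet-switching {
+vlan {
+members VL_WLAN;
+}
+}
+}
+}
+ge-0/0/20 {
+unit 0 {
+family ethernet-switching {
+vlan {
+members VL_SIP;
+}
+}
+}
+}
+ge-0/0/21 {
+unit 0 {
+family ethernet-switching {
+vlan {
+members VL_SIP;
+}
+}
+}
+}
+ge-0/0/22 {
+description AP;
+unit 0 {
+family ethernet-switching {
+vlan {
+members VL_WLAN;
+}
+}
+}
+}
+ge-0/0/23 {
+description DECT;
+unit 0 {
+family ethernet-switching {
+vlan {
+members VL_DECT;
+}
+}
+}
+}
+ge-0/1/3 {
+apply-groups backbone_vlans;
+description "UPLINK sw-zentral-1";
+unit 0 {
+family ethernet-switching {
+port-mode trunk;
+}
+}
+}
+vlan {
+unit 42 {
+family inet {
+address 10.42.42.13/24;
+}
+}
+}
+}
+snmp {
+stats-cache-lifetime 15;
+community tellme {
+authorization read-only;
+}
+}
+routing-options {
+static {
+route 0.0.0.0/0 next-hop 10.42.42.1;
+}
+}
+protocols {
+igmp-snooping {
+vlan all;
+}
+lldp {
+port-id-subtype locally-assigned;
+interface all;
+}
+lldp-med {
+interface all;
+}
+}
+ethernet-switching-options {
+secure-access-port {
+interface ge-0/0/0.0 {
+no-dhcp-trusted;
+}
+interface ge-0/0/1.0 {
+no-dhcp-trusted;
+}
+interface ge-0/0/2.0 {
+no-dhcp-trusted;
+}
+interface ge-0/0/3.0 {
+no-dhcp-trusted;
+}
+interface ge-0/0/4.0 {
+no-dhcp-trusted;
+}
+interface ge-0/0/5.0 {
+no-dhcp-trusted;
+}
+interface ge-0/0/6.0 {
+no-dhcp-trusted;
+}
+interface ge-0/0/7.0 {
+no-dhcp-trusted;
+}
+interface ge-0/0/8.0 {
+no-dhcp-trusted;
+}
+interface ge-0/0/9.0 {
+no-dhcp-trusted;
+}
+interface ge-0/0/10.0 {
+no-dhcp-trusted;
+}
+interface ge-0/0/11.0 {
+no-dhcp-trusted;
+}
+interface ge-0/0/12.0 {
+no-dhcp-trusted;
+}
+interface ge-0/0/13.0 {
+no-dhcp-trusted;
+}
+interface ge-0/0/14.0 {
+no-dhcp-trusted;
+}
+interface ge-0/0/15.0 {
+no-dhcp-trusted;
+}
+interface ge-0/0/16.0 {
+no-dhcp-trusted;
+}
+interface ge-0/0/17.0 {
+no-dhcp-trusted;
+}
+interface ge-0/0/18.0 {
+no-dhcp-trusted;
+}
+interface ge-0/0/19.0 {
+allowed-mac 94:b4:0f:c2:79:f4;
+no-dhcp-trusted;
+}
+interface ge-0/0/20.0 {
+allowed-mac 00:04:13:34:84:4b;
+no-dhcp-trusted;
+}
+interface ge-0/0/21.0 {
+allowed-mac c8:9c:1d:6e:49:de;
+no-dhcp-trusted;
+}
+interface ge-0/0/22.0 {
+allowed-mac 18:64:72:c6:ce:40;
+no-dhcp-trusted;
+}
+interface ge-0/0/23.0 {
+allowed-mac 00:30:42:1b:8c:7a;
+no-dhcp-trusted;
+}
+interface ge-0/1/3.0 {
+dhcp-trusted;
+}
+}
+storm-control {
+interface all;
+}
+}
+vlans {
+VL_DECT {
+vlan-id 132;
+}
+VL_HOSPITAL {
+vlan-id 203;
+}
+VL_IKT {
+vlan-id 201;
+}
+VL_IKT_TOYS {
+vlan-id 152;
+}
+VL_INFOJURTE {
+vlan-id 209;
+}
+VL_INTERNATIONAL {
+vlan-id 210;
+}
+VL_IOT {
+vlan-id 151;
+}
+VL_LEITSTELLE {
+vlan-id 205;
+}
+VL_MAV {
+vlan-id 214;
+}
+VL_MGMT {
+vlan-id 42;
+l3-interface vlan.42;
+}
+VL_OFFICE {
+vlan-id 212;
+}
+VL_PROGRAMM {
+vlan-id 211;
+}
+VL_SIP {
+vlan-id 133;
+}
+VL_TECHNIK {
+vlan-id 202;
+}
+VL_VERWALTUNG {
+vlan-id 206;
+}
+VL_WLAN {
+vlan-id 131;
+}
+VL_YOLO {
+vlan-id 208;
+}
+VL_ZENTRAL {
+vlan-id 207;
+}
+VL_ZOLL {
+vlan-id 204;
+}
+}
+poe {
+interface ge-0/0/22;
+interface ge-0/0/23;
+interface ge-0/0/21;
+interface ge-0/0/20;
+interface ge-0/0/19;
+}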
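Review bot: ge-0/0/18 (description sw-finanzen) sets `native-vlan-id 206;` while ge-0/0/0 (BLL) expresses the same VLAN symbolically as `native-vlan-id VL_VERWALTUNG;`; both resolve to 206 today, but the numeric form will silently diverge if VL_VERWALTUNG is ever renumbered, so `native-vlan-id VL_VERWALTUNG;` on ge-0/0/18 keeps the two downlinks consistent. Both downlink trunks carry VL_MGMT, which is appropriate for a downstream switch but means the management VLAN is reachable from whatever is attached at the far end; a description naming the expected peer (ge-0/0/0 only says `BLL`) would make that intent reviewable. The `allowed-mac` pinning on ge-0/0/19–23 and `dhcp-trusted` only on the uplink ge-0/1/3 are the right shape; root-authentication still carries the ssh key tagged `(OLD)`, which presumably should be retired alongside the newer key the other switches list.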

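--- a/switchconfig/sw-waschhaus
+++ b/switchconfig/sw-waschhaus
@@ -0,0 +1,164 @@
+## Last changed: 2016-01-22 09:35:42 UTC
+version 12.3R12.4;
+groups {
+backbone_vlans {
+interfaces {
+<*> {
+unit 0 {
+family ethernet-switching {
+vlan {
+members [ VL_SIP VL_DECT VL_HOSPITAL VL_IKT VL_IKT_TOYS VL_INFOJURTE VL_INTERNATIONAL VL_IOT VL_LEITSTELLE VL_MGMT VL_OFFICE VL_PROGRAMM VL_TECHNIK VL_VERWALTUNG VL_WLAN VL_YOLO VL_ZENTRAL VL_MAV ];
+}
+}
+}
+}
+}
+}
+}
+system {
+host-name sw-waschhaus;
+auto-snapshot;
+domain-name bula22.de;
+domain-search bula22.de;
+root-authentication {
+encrypted-password "$1$DAjLGZX7$sHIjgeZhXhq/IcgRKOWy20";
+ssh-rsa "ssh-rsa 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 n0emis@noemis.me (OLD)";
+}
+name-server {
+10.42.10.8;
+}
+login {
+user fw {
+uid 2000;
+class super-user;
+authentication {
+ssh-rsa "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDMTsFE90WT+fvRnIuIBbjLJA2Hyne6duD306+Yg3z9yVTSCQxpFcolEwRQi5X4hsb3WdlW+YtvShXcFVNi7gtgSyIsgT1+YqpR+qIC+/r2h6NeA92dztigpbznOm9oL8vOP45S9fHedJ57E/UosYW2/du4W+6U+xH1ItyQx6AiJAj/RPpLWJz9FhP99Qwp6YiPAkxujgXtOMwX0xFmiQPv9QzBaD9jOKK0vE26IFX5RYAqontVgWGn6EdceR70vTQBcAsFYMS0sc9311H2wBfOptznyIZNInAsppaGNDMdOx9SdMVDZ6GDlOCsLvHq6+ra1jGdlwtgduVQeEpHmmjD";
+}
+}
+}
+services {
+ssh;
+}
+}
+chassis {
+alarm {
+management-ethernet {
+link-down ignore;
+}
+}
+}
+interfaces {
+ge-0/0/0 {
+unit 0 {
+family ethernet-switching {
+vlan {
+members VL_MGMT;
+}
+}
+}
+}
+ge-0/1/3 {
+apply-groups backbone_vlans;
+description "UPLINK sw-hospital";
+unit 0 {
+family ethernet-switching {
+port-mode trunk;
+}
+}
+}
+vlan {
+unit 42 {
+family inet {
+address 10.42.42.24/24;
+}
+}
+}
+}
+snmp {
+stats-cache-lifetime 15;
+community tellme {
+authorization read-only;
+}
+}
+routing-options {
+static {
+route 0.0.0.0/0 next-hop 10.42.42.1;
+}
+}
+protocols {
+igmp-snooping {
+vlan all;
+}
+lldp {
+port-id-subtype locally-assigned;
+interface all;
+}
+lldp-med {
+interface all;
+}
+}
+ethernet-switching-options {
+storm-control {
+interface all;
+}
+}
+vlans {
+VL_DECT {
+vlan-id 132;
+}
+VL_HOSPITAL {
+vlan-id 203;
+}
+VL_IKT {
+vlan-id 201;
+}
+VL_IKT_TOYS {
+vlan-id 152;
+}
+VL_INFOJURTE {
+vlan-id 209;
+}
+VL_INTERNATIONAL {
+vlan-id 210;
+}
+VL_IOT {
+vlan-id 151;
+}
+VL_LEITSTELLE {
+vlan-id 205;
+}
+VL_MAV {
+vlan-id 214;
+}
+VL_MGMT {
+vlan-id 42;
+l3-interface vlan.42;
+}
+VL_OFFICE {
+vlan-id 212;
+}
+VL_PROGRAMM {
+vlan-id 211;
+}
+VL_SIP {
+vlan-id 133;
+}
+VL_TECHNIK {
+vlan-id 202;
+}
+VL_VERWALTUNG {
+vlan-id 206;
+}
+VL_WLAN {
+vlan-id 131;
+}
+VL_YOLO {
+vlan-id 208;
+}
+VL_ZENTRAL {
+vlan-id 207;
+}
+VL_ZOLL {
+vlan-id 204;
+}
+}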
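Review bot: The `## Last changed: 2016-01-22` header on a config that already carries the 2022 VLAN set (VL_MAV 214 is defined) indicates the device clock was not set when this was committed, and none of the switch configs visible in this diff contain an `ntp` or `system time-zone` stanza; without synchronised time, syslog entries and commit history from these switches cannot be correlated with the other devices during an incident. ge-0/0/0 is an access port on VL_MGMT with no `secure-access-port` entry, unlike sw-verwaltung which sets `no-dhcp-trusted` on every edge port; if that port is for a management host, `interface ge-0/0/0.0 { no-dhcp-trusted; }` with `interface ge-0/1/3.0 { dhcp-trusted; }` for the uplink would match that baseline. root-authentication keeps the ssh key tagged `(OLD)`, presumably pending removal.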
