2024-12-12 14:41:43 +01:00
|
|
|
# SPDX-FileCopyrightText: 2024 Lubin Bailly <lubin.bailly@dgnum.eu>
|
|
|
|
#
|
|
|
|
# SPDX-License-Identifier: EUPL-1.2
|
|
|
|
|
2024-04-14 14:12:14 +02:00
|
|
|
{
|
2024-05-02 10:39:19 +02:00
|
|
|
pkgs,
|
2024-04-14 14:12:14 +02:00
|
|
|
lib,
|
|
|
|
meta,
|
|
|
|
name,
|
2024-12-05 14:46:38 +01:00
|
|
|
config,
|
2024-04-14 14:12:14 +02:00
|
|
|
...
|
|
|
|
}:
|
|
|
|
|
2024-03-27 10:26:31 +01:00
|
|
|
let
|
2024-04-14 14:12:14 +02:00
|
|
|
inherit (lib) mapAttrs' nameValuePair;
|
|
|
|
|
|
|
|
uplink = {
|
|
|
|
ip = "10.120.33.250";
|
|
|
|
prefix = 30;
|
|
|
|
|
|
|
|
router = "10.120.33.249";
|
|
|
|
};
|
2024-03-27 15:38:46 +01:00
|
|
|
|
2024-04-14 14:12:14 +02:00
|
|
|
mkNetwork =
|
|
|
|
name:
|
|
|
|
{
|
2024-05-23 16:28:13 +02:00
|
|
|
address ? [ ],
|
2024-04-14 14:12:14 +02:00
|
|
|
extraNetwork ? { },
|
|
|
|
...
|
|
|
|
}:
|
|
|
|
nameValuePair "10-${name}" ({ inherit name address; } // extraNetwork);
|
2024-03-27 15:38:46 +01:00
|
|
|
|
2024-04-14 14:12:14 +02:00
|
|
|
mkNetdev =
|
|
|
|
name:
|
|
|
|
{ Id, ... }:
|
|
|
|
nameValuePair "10-${name}" {
|
|
|
|
netdevConfig = {
|
|
|
|
Name = name;
|
|
|
|
Kind = "vlan";
|
|
|
|
};
|
|
|
|
vlanConfig.Id = Id;
|
|
|
|
};
|
2024-03-27 15:38:46 +01:00
|
|
|
|
2024-04-15 09:34:13 +02:00
|
|
|
mkUserVlan =
|
2024-05-30 18:46:09 +02:00
|
|
|
{
|
|
|
|
vlan,
|
|
|
|
netIP,
|
|
|
|
servIP,
|
|
|
|
interfaceName,
|
|
|
|
...
|
|
|
|
}:
|
2024-05-13 17:25:36 +02:00
|
|
|
{
|
|
|
|
name = interfaceName;
|
2024-04-15 09:34:13 +02:00
|
|
|
value = {
|
|
|
|
Id = vlan;
|
2024-04-25 18:41:10 +02:00
|
|
|
extraNetwork = {
|
2024-05-02 10:39:19 +02:00
|
|
|
networkConfig = {
|
|
|
|
LinkLocalAddressing = "no";
|
2024-05-22 18:34:51 +02:00
|
|
|
DHCPServer = "yes";
|
2024-05-02 10:39:19 +02:00
|
|
|
};
|
2024-05-23 16:28:13 +02:00
|
|
|
linkConfig.Promiscuous = true;
|
2024-04-25 18:41:10 +02:00
|
|
|
addresses = [
|
|
|
|
{
|
2024-12-15 17:59:50 +01:00
|
|
|
Address = "${servIP}/27";
|
|
|
|
AddPrefixRoute = false;
|
2024-04-25 18:41:10 +02:00
|
|
|
}
|
|
|
|
];
|
|
|
|
routes = [
|
|
|
|
{
|
2024-12-15 17:59:50 +01:00
|
|
|
Destination = "${netIP}/27";
|
|
|
|
Table = "user";
|
2024-04-25 18:41:10 +02:00
|
|
|
}
|
|
|
|
];
|
|
|
|
routingPolicyRules = [
|
|
|
|
{
|
2024-12-15 17:59:50 +01:00
|
|
|
From = "${netIP}/27";
|
|
|
|
To = "10.0.0.0/27";
|
|
|
|
IncomingInterface = interfaceName;
|
|
|
|
Table = "user";
|
2024-04-25 18:41:10 +02:00
|
|
|
}
|
|
|
|
];
|
|
|
|
};
|
2024-04-15 09:34:13 +02:00
|
|
|
};
|
|
|
|
};
|
|
|
|
|
2024-05-30 18:46:09 +02:00
|
|
|
userVlans = builtins.genList (id: rec {
|
|
|
|
vlan = 4094 - id;
|
|
|
|
prefix24nb = (id + 1) / 8;
|
|
|
|
prefix27nb = (id + 1 - prefix24nb * 8) * 32;
|
|
|
|
netIP = "10.0.${toString prefix24nb}.${toString prefix27nb}";
|
|
|
|
servIP = "10.0.${toString prefix24nb}.${toString (prefix27nb + 1)}";
|
|
|
|
interfaceName = "vlan-user-${toString vlan}";
|
|
|
|
}) 850;
|
|
|
|
|
2024-04-14 14:12:14 +02:00
|
|
|
vlans = {
|
|
|
|
vlan-uplink-cri = {
|
|
|
|
Id = 223;
|
|
|
|
address = with uplink; [ "${ip}/${builtins.toString prefix}" ];
|
2024-03-27 15:38:46 +01:00
|
|
|
|
2024-04-14 14:12:14 +02:00
|
|
|
extraNetwork.routes = [
|
|
|
|
{
|
2024-12-15 17:59:50 +01:00
|
|
|
# Get the public ip from the metadata
|
|
|
|
PreferredSource = builtins.head meta.network.${name}.addresses.ipv4;
|
|
|
|
Gateway = uplink.router;
|
2024-04-14 14:12:14 +02:00
|
|
|
}
|
|
|
|
];
|
|
|
|
};
|
|
|
|
|
|
|
|
vlan-admin = {
|
|
|
|
Id = 3000;
|
|
|
|
address = [ "fd26:baf9:d250:8000::1/64" ];
|
|
|
|
};
|
|
|
|
|
|
|
|
vlan-admin-ap = {
|
|
|
|
Id = 3001;
|
2024-05-31 20:29:53 +02:00
|
|
|
address = [ "fd26:baf9:d250:8001::1/64" ];
|
|
|
|
extraNetwork.ipv6Prefixes = [
|
|
|
|
{
|
2024-12-15 17:59:50 +01:00
|
|
|
AddressAutoconfiguration = false;
|
|
|
|
OnLink = false;
|
|
|
|
Prefix = "fd26:baf9:d250:8001::/64";
|
2024-05-31 20:29:53 +02:00
|
|
|
}
|
|
|
|
];
|
2024-04-14 14:12:14 +02:00
|
|
|
};
|
|
|
|
|
|
|
|
vlan-apro = {
|
|
|
|
Id = 2000;
|
|
|
|
address = [ "10.0.255.1/24" ];
|
|
|
|
|
2024-12-16 22:54:08 +01:00
|
|
|
extraNetwork.networkConfig.DHCPServer = "yes";
|
|
|
|
};
|
|
|
|
|
|
|
|
vlan-hypervisor = {
|
|
|
|
Id = 2001;
|
|
|
|
address = [ "10.0.254.1/24" ];
|
|
|
|
|
2024-04-14 14:12:14 +02:00
|
|
|
extraNetwork.networkConfig.DHCPServer = "yes";
|
|
|
|
};
|
2024-05-30 18:46:09 +02:00
|
|
|
} // builtins.listToAttrs (map mkUserVlan userVlans);
|
2024-03-27 10:26:31 +01:00
|
|
|
in
|
2024-04-14 14:12:14 +02:00
|
|
|
|
2024-03-27 10:26:31 +01:00
|
|
|
{
|
2024-05-22 18:34:51 +02:00
|
|
|
systemd = {
|
|
|
|
network = {
|
|
|
|
config.routeTables."user" = 1000;
|
|
|
|
networks = {
|
|
|
|
"10-lo" = {
|
|
|
|
name = "lo";
|
|
|
|
address = [
|
|
|
|
"::1/128"
|
|
|
|
"127.0.0.1/8"
|
|
|
|
"10.0.0.1/27"
|
|
|
|
];
|
|
|
|
routes = [
|
|
|
|
{
|
2024-12-15 17:59:50 +01:00
|
|
|
Destination = "10.0.0.0/27";
|
|
|
|
Table = "user";
|
2024-05-22 18:34:51 +02:00
|
|
|
}
|
|
|
|
];
|
|
|
|
routingPolicyRules = [
|
|
|
|
{
|
2024-12-15 17:59:50 +01:00
|
|
|
IncomingInterface = "lo";
|
|
|
|
Table = "user";
|
2024-05-22 18:34:51 +02:00
|
|
|
}
|
|
|
|
];
|
2024-03-27 10:26:31 +01:00
|
|
|
};
|
2024-05-22 18:34:51 +02:00
|
|
|
"10-enp67s0f0np0" = {
|
|
|
|
name = "enp67s0f0np0";
|
|
|
|
linkConfig.Promiscuous = true;
|
2024-12-05 14:46:38 +01:00
|
|
|
networkConfig = {
|
|
|
|
Bridge = "br0";
|
|
|
|
|
|
|
|
LinkLocalAddressing = false;
|
|
|
|
LLDP = false;
|
|
|
|
EmitLLDP = false;
|
|
|
|
IPv6AcceptRA = false;
|
|
|
|
IPv6SendRA = false;
|
|
|
|
};
|
|
|
|
};
|
|
|
|
"50-gretap1" = {
|
|
|
|
name = "gretap1";
|
|
|
|
networkConfig = {
|
|
|
|
Bridge = "br0";
|
|
|
|
|
|
|
|
LinkLocalAddressing = false;
|
|
|
|
LLDP = false;
|
|
|
|
EmitLLDP = false;
|
|
|
|
IPv6AcceptRA = false;
|
|
|
|
IPv6SendRA = false;
|
|
|
|
};
|
|
|
|
};
|
|
|
|
"50-br0" = {
|
|
|
|
name = "br0";
|
2024-05-22 18:34:51 +02:00
|
|
|
networkConfig = {
|
|
|
|
VLAN = builtins.attrNames vlans;
|
2024-04-14 14:12:14 +02:00
|
|
|
|
2024-05-22 18:34:51 +02:00
|
|
|
LinkLocalAddressing = false;
|
|
|
|
LLDP = false;
|
|
|
|
EmitLLDP = false;
|
|
|
|
IPv6AcceptRA = false;
|
|
|
|
IPv6SendRA = false;
|
|
|
|
};
|
|
|
|
};
|
2024-12-05 14:46:38 +01:00
|
|
|
"50-wg0" = {
|
|
|
|
name = "wg0";
|
|
|
|
address = [ "10.10.17.1/30" ];
|
|
|
|
networkConfig.Tunnel = "gretap1";
|
|
|
|
};
|
2024-05-22 18:34:51 +02:00
|
|
|
} // (mapAttrs' mkNetwork vlans);
|
2024-04-14 14:12:14 +02:00
|
|
|
|
2024-12-05 14:46:38 +01:00
|
|
|
netdevs = {
|
|
|
|
"50-gretap1" = {
|
|
|
|
netdevConfig = {
|
|
|
|
Name = "gretap1";
|
|
|
|
Kind = "gretap";
|
|
|
|
};
|
|
|
|
tunnelConfig = {
|
|
|
|
Local = "10.10.17.1";
|
|
|
|
Remote = "10.10.17.2";
|
|
|
|
};
|
|
|
|
};
|
|
|
|
"50-br0" = {
|
|
|
|
netdevConfig = {
|
|
|
|
Name = "br0";
|
|
|
|
Kind = "bridge";
|
|
|
|
};
|
|
|
|
bridgeConfig = {
|
|
|
|
VLANFiltering = false;
|
|
|
|
STP = false;
|
|
|
|
};
|
|
|
|
};
|
|
|
|
"50-wg0" = {
|
|
|
|
netdevConfig = {
|
|
|
|
Name = "wg0";
|
|
|
|
Kind = "wireguard";
|
|
|
|
};
|
|
|
|
wireguardConfig = {
|
|
|
|
ListenPort = 1194;
|
|
|
|
PrivateKeyFile = config.age.secrets."wg-key".path;
|
|
|
|
};
|
|
|
|
|
|
|
|
wireguardPeers = [
|
|
|
|
{
|
2024-12-15 17:59:50 +01:00
|
|
|
AllowedIPs = [
|
|
|
|
"10.10.17.0/30"
|
|
|
|
];
|
|
|
|
PublicKey = "g6S3gBx1Hf2iX41tokD+m8WfzJJTTcsKifOkn+Wcd00=";
|
2024-12-05 14:46:38 +01:00
|
|
|
}
|
|
|
|
];
|
|
|
|
};
|
|
|
|
} // mapAttrs' mkNetdev vlans;
|
2024-05-22 18:34:51 +02:00
|
|
|
};
|
|
|
|
|
|
|
|
services = {
|
|
|
|
ethtoolConfig = {
|
|
|
|
wantedBy = [ "systemd-networkd.service" ];
|
|
|
|
after = [ "sys-subsystem-net-devices-enp67s0f0np0.device" ];
|
|
|
|
bindsTo = [ "sys-subsystem-net-devices-enp67s0f0np0.device" ];
|
2024-05-23 16:28:13 +02:00
|
|
|
script = builtins.concatStringsSep "\n" (
|
|
|
|
builtins.map (name: "${lib.getExe pkgs.ethtool} -K enp67s0f0np0 ${name} off") [
|
|
|
|
"rxvlan"
|
|
|
|
"txvlan"
|
|
|
|
"rx-vlan-filter"
|
|
|
|
"rx-vlan-offload"
|
|
|
|
"tx-vlan-offload"
|
|
|
|
"tx-vlan-stag-hw-insert"
|
|
|
|
]
|
|
|
|
);
|
2024-05-22 18:34:51 +02:00
|
|
|
};
|
|
|
|
|
2024-05-23 16:28:13 +02:00
|
|
|
systemd-networkd.serviceConfig.LimitNOFILE = 4096;
|
2024-05-30 18:46:09 +02:00
|
|
|
|
|
|
|
net-checker = {
|
|
|
|
path = [
|
|
|
|
pkgs.iputils
|
|
|
|
pkgs.systemd
|
|
|
|
];
|
|
|
|
script = ''
|
|
|
|
if ping -c 1 8.8.8.8 > /dev/null || ping -c 1 1.1.1.1 > /dev/null; then
|
|
|
|
${
|
|
|
|
lib.concatMapStringsSep "\n " ({ interfaceName, ... }: "networkctl up ${interfaceName}") userVlans
|
|
|
|
}
|
|
|
|
else
|
|
|
|
${
|
|
|
|
lib.concatMapStringsSep "\n " (
|
|
|
|
{ interfaceName, ... }: "networkctl down ${interfaceName}"
|
|
|
|
) userVlans
|
|
|
|
}
|
|
|
|
fi
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
timers.net-checker = {
|
|
|
|
wantedBy = [ "timers.target" ];
|
|
|
|
timerConfig.OnCalendar = "*-*-* *:*:42";
|
2024-05-22 18:34:51 +02:00
|
|
|
};
|
2024-05-02 10:39:19 +02:00
|
|
|
};
|
|
|
|
|
2024-05-26 20:49:02 +02:00
|
|
|
networking = {
|
|
|
|
nftables = {
|
|
|
|
enable = true;
|
|
|
|
tables.nat = {
|
|
|
|
family = "ip";
|
|
|
|
content = ''
|
|
|
|
chain postrouting {
|
|
|
|
type nat hook postrouting priority 100;
|
2024-09-13 21:59:18 +02:00
|
|
|
ip saddr 10.0.0.0/16 ip saddr != 10.0.255.0/24 snat ip to 129.199.195.130-129.199.195.158
|
2024-10-17 00:58:33 +02:00
|
|
|
ether saddr { e0:2e:0b:bd:97:73, e8:d5:2b:0d:fe:4a } snat to 129.199.195.130 comment "Elias"
|
2024-09-13 21:59:18 +02:00
|
|
|
ether saddr { 1c:1b:b5:14:9c:e5, e6:ce:e2:b6:e3:82 } snat to 129.199.195.131 comment "Lubin"
|
|
|
|
ether saddr d0:49:7c:46:f6:39 snat to 129.199.195.132 comment "Jean-Marc"
|
|
|
|
ether saddr { 5c:64:8e:f4:09:06 } snat to 129.199.195.158 comment "APs"
|
2024-05-26 20:49:02 +02:00
|
|
|
}
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
};
|
2024-05-31 20:29:53 +02:00
|
|
|
firewall = {
|
2024-12-05 14:46:38 +01:00
|
|
|
allowedUDPPorts = [
|
|
|
|
67
|
|
|
|
1194
|
|
|
|
];
|
2024-05-31 20:29:53 +02:00
|
|
|
checkReversePath = false;
|
|
|
|
};
|
2024-05-26 20:49:02 +02:00
|
|
|
};
|
|
|
|
|
2024-12-05 14:46:38 +01:00
|
|
|
age.secrets."wg-key".owner = "systemd-network";
|
|
|
|
users.users."systemd-network".extraGroups = [ "keys" ];
|
|
|
|
|
2024-05-26 20:49:02 +02:00
|
|
|
boot.kernel.sysctl."net.ipv4.ip_forward" = true;
|
2024-03-27 10:26:31 +01:00
|
|
|
}
|