DGNum/infrastructure
11
6
Fork 2
Code Issues 21 Pull requests 19 Projects 1 Releases Packages Wiki Activity Actions

feat(vault01/isp): wip! global user dhcp instead of per-user
Some checks failed
Check workflows / check_workflows (pull_request) Successful in 17s
Details
Build all the nodes / netcore01 (pull_request) Successful in 21s
Details
Build all the nodes / netaccess01 (pull_request) Successful in 21s
Details
Check meta / check_dns (pull_request) Successful in 27s
Details
Check meta / check_meta (pull_request) Successful in 27s
Details
Build all the nodes / ap01 (pull_request) Successful in 32s
Details
Build all the nodes / netcore02 (pull_request) Successful in 20s
Details
Run pre-commit on all files / pre-commit (push) Successful in 38s
Details
Build all the nodes / hypervisor03 (pull_request) Successful in 1m21s
Details
Build all the nodes / hypervisor02 (pull_request) Successful in 1m34s
Details
Build all the nodes / hypervisor01 (pull_request) Successful in 1m38s
Details
Build all the nodes / geo02 (pull_request) Successful in 1m40s
Details
Build all the nodes / bridge01 (pull_request) Successful in 1m47s
Details
Build all the nodes / build01 (pull_request) Successful in 1m50s
Details
Build all the nodes / geo01 (pull_request) Successful in 1m51s
Details
Build the shell / build-shell (pull_request) Successful in 28s
Details
Build all the nodes / rescue01 (pull_request) Successful in 1m34s
Details
Run pre-commit on all files / pre-commit (pull_request) Successful in 28s
Details
Build all the nodes / vault01 (pull_request) Failing after 1m30s
Details
Build all the nodes / tower01 (pull_request) Successful in 1m36s
Details
Build all the nodes / web02 (pull_request) Successful in 1m28s
Details
Build all the nodes / storage01 (pull_request) Successful in 1m50s
Details
Build all the nodes / compute01 (pull_request) Successful in 2m30s
Details
Build all the nodes / web03 (pull_request) Successful in 2m1s
Details
Build all the nodes / web01 (pull_request) Successful in 2m17s
Details

Browse source
This commit is contained in:
catvayor 2025-03-02 12:11:56 +01:00
parent b7c225a9cd
commit 11a7950634
Signed by: lbailly
GPG key ID: CE3E645251AC63F3
7 changed files with 464 additions and 413 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
REUSE.toml
View file

@ -38,7 +38,7 @@ precedence = "closest"
[[annotations]]
SPDX-FileCopyrightText = "2024 Lubin Bailly <lubin.bailly@dgnum.eu>"
SPDX-License-Identifier = "EUPL-1.2"
path = ["modules/nixos/extranix/0001-revert-don-t-parse-md-in-js.patch", "modules/nixos/extranix/0002-chore-remove-useless-dependencies.patch", "modules/nixos/extranix/0003-feat-separate-HTML-description-of-MD-description.patch", "modules/nixos/extranix/0004-fix-indentation-of-ul.patch", "modules/nixos/extranix/0005-feat-match-all-substring-by-default.patch"]
path = ["modules/nixos/extranix/0001-revert-don-t-parse-md-in-js.patch", "modules/nixos/extranix/0002-chore-remove-useless-dependencies.patch", "modules/nixos/extranix/0003-feat-separate-HTML-description-of-MD-description.patch", "modules/nixos/extranix/0004-fix-indentation-of-ul.patch", "modules/nixos/extranix/0005-feat-match-all-substring-by-default.patch", "machines/nixos/vault01/networking/0001-fix-multiple-interface-with-same-IP.patch"]
precedence = "closest"
[[annotations]]

1
default.nix
View file

@ -126,6 +126,7 @@ let
"modules/nixos/extranix/0003-feat-separate-HTML-description-of-MD-description.patch"
"modules/nixos/extranix/0004-fix-indentation-of-ul.patch"
"modules/nixos/extranix/0005-feat-match-all-substring-by-default.patch"
"machines/nixos/vault01/networking/0001-fix-multiple-interface-with-same-IP.patch"
];
copyright = "2024 Lubin Bailly <lubin.bailly@dgnum.eu>";
}

411
machines/nixos/vault01/networking.nix
View file

@ -1,411 +0,0 @@
# SPDX-FileCopyrightText: 2024 Lubin Bailly <lubin.bailly@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{
pkgs,
lib,
meta,
name,
config,
...
}:
let
inherit (lib) mapAttrs' mkOption nameValuePair;
inherit (lib.types) listOf attrs;
uplink = {
ip = "10.120.33.250";
prefix = 30;
router = "10.120.33.249";
};
mkNetwork =
name:
{
address ? [ ],
extraNetwork ? { },
...
}:
nameValuePair "10-${name}" ({ inherit name address; } // extraNetwork);
mkNetdev =
name:
{ Id, ... }:
nameValuePair "10-${name}" {
netdevConfig = {
Name = name;
Kind = "vlan";
};
vlanConfig.Id = Id;
};
mkUserVlan =
{
vlan,
netIP,
servIP,
interfaceName,
...
}:
{
name = interfaceName;
value = {
Id = vlan;
extraNetwork = {
networkConfig = {
LinkLocalAddressing = "no";
DHCPServer = "yes";
};
linkConfig = {
Promiscuous = true;
MTUBytes = 1500;
};
addresses = [
{
Address = "${servIP}/27";
AddPrefixRoute = false;
}
];
routes = [
{
Destination = "${netIP}/27";
Table = "user";
}
];
};
};
};
userVlans = builtins.genList (id: rec {
vlan = 4094 - id;
prefix24nb = (id + 1) / 8;
prefix27nb = (id + 1 - prefix24nb * 8) * 32;
netIP = "10.0.${toString prefix24nb}.${toString prefix27nb}";
servIP = "10.0.${toString prefix24nb}.${toString (prefix27nb + 1)}";
interfaceName = "vlan-user-${toString vlan}";
prefixLen = 27;
}) 850;
vlans = {
vlan-uplink-cri = {
Id = 223;
address = with uplink; [ "${ip}/${builtins.toString prefix}" ];
extraNetwork = {
routes = [
{
# Get the public ip from the metadata
PreferredSource = builtins.head meta.network.${name}.addresses.ipv4;
Gateway = uplink.router;
}
];
linkConfig.MTUBytes = 1500;
};
};
vlan-admin = {
Id = 3000;
address = [ "fd26:baf9:d250:8000::1/64" ];
};
vlan-admin-ap = {
Id = 3001;
address = [
"fd26:baf9:d250:8001::1/64"
# FIXME: ipv4 is temporary for APs in production
"10.0.253.1/24"
];
extraNetwork = {
networkConfig = {
IPv6SendRA = true;
DHCPServer = "yes";
};
ipv6Prefixes = [
{
AddressAutoconfiguration = false;
OnLink = false;
Prefix = "fd26:baf9:d250:8001::/64";
}
];
};
};
vlan-apro = {
Id = 2000;
address = [ "10.0.255.1/24" ];
extraNetwork = {
networkConfig.DHCPServer = "yes";
linkConfig.MTUBytes = 1500;
};
};
vlan-hypervisor = {
Id = 2001;
address = [ "10.0.254.1/24" ];
extraNetwork = {
networkConfig.DHCPServer = "yes";
linkConfig.MTUBytes = 1500;
};
};
} // builtins.listToAttrs (map mkUserVlan userVlans);
in
{
options.networking.vlans-info = mkOption {
type = listOf attrs;
description = ''
Information about vlans for log analysis.
'';
readOnly = true;
};
config = {
systemd = {
network = {
config.routeTables."user" = 1000;
networks = {
"10-lo" = {
name = "lo";
address = [
"::1/128"
"127.0.0.1/8"
"10.0.0.1/27"
];
routes = [
{
Destination = "10.0.0.0/27";
Table = "user";
}
];
routingPolicyRules = [
{
To = "10.0.0.0/16";
Table = "user";
}
];
};
"10-enp67s0f0np0" = {
name = "enp67s0f0np0";
linkConfig.Promiscuous = true;
networkConfig = {
Bridge = "br0";
LinkLocalAddressing = false;
LLDP = false;
EmitLLDP = false;
IPv6AcceptRA = false;
IPv6SendRA = false;
};
linkConfig.MTUBytes = 1504;
};
"50-gretap1" = {
name = "gretap1";
networkConfig = {
Bridge = "br0";
LinkLocalAddressing = false;
LLDP = false;
EmitLLDP = false;
IPv6AcceptRA = false;
IPv6SendRA = false;
};
linkConfig.MTUBytes = 1504;
};
"50-br0" = {
name = "br0";
networkConfig = {
VLAN = builtins.attrNames vlans;
LinkLocalAddressing = false;
LLDP = false;
EmitLLDP = false;
IPv6AcceptRA = false;
IPv6SendRA = false;
};
linkConfig.MTUBytes = 1504;
};
"50-wg0" = {
name = "wg0";
address = [ "10.10.17.1/30" ];
networkConfig.Tunnel = "gretap1";
};
} // (mapAttrs' mkNetwork vlans);
netdevs = {
"50-gretap1" = {
netdevConfig = {
Name = "gretap1";
Kind = "gretap";
};
tunnelConfig = {
Local = "10.10.17.1";
Remote = "10.10.17.2";
};
};
"50-br0" = {
netdevConfig = {
Name = "br0";
Kind = "bridge";
};
bridgeConfig = {
VLANFiltering = false;
STP = false;
};
};
"50-wg0" = {
netdevConfig = {
Name = "wg0";
Kind = "wireguard";
};
wireguardConfig = {
ListenPort = 1194;
PrivateKeyFile = config.age.secrets."wg-key".path;
};
wireguardPeers = [
{
AllowedIPs = [
"10.10.17.0/30"
];
PublicKey = "g6S3gBx1Hf2iX41tokD+m8WfzJJTTcsKifOkn+Wcd00=";
}
];
};
} // mapAttrs' mkNetdev vlans;
};
services = {
ethtoolConfig = {
wantedBy = [ "systemd-networkd.service" ];
after = [ "sys-subsystem-net-devices-enp67s0f0np0.device" ];
bindsTo = [ "sys-subsystem-net-devices-enp67s0f0np0.device" ];
script = builtins.concatStringsSep "\n" (
builtins.map (name: "${lib.getExe pkgs.ethtool} -K enp67s0f0np0 ${name} off") [
"rxvlan"
"txvlan"
"rx-vlan-filter"
"rx-vlan-offload"
"tx-vlan-offload"
"tx-vlan-stag-hw-insert"
]
);
};
systemd-networkd.serviceConfig.LimitNOFILE = 4096;
net-checker = {
path = [
pkgs.iputils
pkgs.systemd
];
script = ''
if ping -c 1 8.8.8.8 > /dev/null || ping -c 1 1.1.1.1 > /dev/null; then
echo network is up
${lib.concatMapStringsSep "\n " (
{ interfaceName, ... }: "networkctl up ${interfaceName}"
) userVlans}
else
echo network is down
${lib.concatMapStringsSep "\n " (
{ interfaceName, ... }: "networkctl down ${interfaceName}"
) userVlans}
fi
'';
};
};
timers.net-checker = {
wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = "*-*-* *:*:42";
};
};
networking = {
vlans-info = [
{
vlan = 2001;
netIP = "10.0.254.0";
prefixLen = 24;
}
{
vlan = 3001;
netIP = "10.0.253.0";
prefixLen = 24;
}
] ++ userVlans;
nftables = {
enable = true;
tables = {
nat = {
family = "ip";
content = ''
chain postrouting {
type nat hook postrouting priority 100;
ip saddr 10.0.0.0/16 ip daddr != 10.0.0.0/16 snat ip to 129.199.195.130-129.199.195.157
}
'';
};
filter = {
family = "inet";
content = ''
chain forward {
type filter hook forward priority filter; policy accept;
ct state vmap {
invalid: drop,
established: accept,
related: accept,
new: jump forward_decide,
untracked: jump forward_decide,
};
}
chain forward_decide {
# Block access to vpn
ip daddr {
10.10.17.0/30,
100.80.0.0/16,
} jump forward_reject;
# And administrative vlans
ip6 daddr {
fd26:baf9:d250::/48,
} jump forward_reject;
# These are being deployed, and so are not trusted
ip saddr 10.0.255.0/24 jump forward_reject;
# We only forward for ISP clients and our stuff
ip saddr != 10.0.0.0/16 jump forward_reject;
# Can talk to us
ip daddr 10.0.0.0/27 accept;
# Not others nor CRI
ip daddr 10.0.0.0/8 jump forward_reject;
}
chain forward_reject {
reject with icmpx type admin-prohibited;
}
'';
};
};
};
firewall = {
allowedUDPPorts = [
67
1194
];
# FIXME: I dont't remember why it's here, and it doesn't seems right
# comes from https://git.dgnum.eu/DGNum/infrastructure/commit/411795c664374549e5e831722a80180b51fbf0d5
# checkReversePath = false;
};
};
age.secrets."wg-key".owner = "systemd-network";
users.users."systemd-network".extraGroups = [ "keys" ];
boot.kernel.sysctl."net.ipv4.ip_forward" = true;
};
}

31
machines/nixos/vault01/networking/0001-fix-multiple-interface-with-same-IP.patch Normal file
View file

@ -0,0 +1,31 @@
From 417ae050a7dfb6d6d1e227bbe5817992949376f7 Mon Sep 17 00:00:00 2001
From: catvayor <catvayor@katvayor.net>
Date: Sun, 23 Feb 2025 21:15:42 +0100
Subject: [PATCH] fix: multiple interface with same IP
---
src/lib/dhcp/pkt_filter.cc | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/src/lib/dhcp/pkt_filter.cc b/src/lib/dhcp/pkt_filter.cc
index d6360984ef..4dfdea59c7 100644
--- a/src/lib/dhcp/pkt_filter.cc
+++ b/src/lib/dhcp/pkt_filter.cc
@@ -24,6 +24,14 @@ PktFilter::openFallbackSocket(const isc::asiolink::IOAddress& addr,
" address " << addr << ", port " << port
<< ", reason: " << strerror(errno));
}
+ // allow address to be reused
+ int oneopt = 1;
+ if (setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &oneopt, sizeof(oneopt))) {
+ close(sock);
+ isc_throw(SocketConfigError, "failed to set SO_REUSEADDR socket for"
+ " address " << addr << ", port " << port
+ << ", reason: " << strerror(errno));
+ }
// Set the close-on-exec flag.
if (fcntl(sock, F_SETFD, FD_CLOEXEC) < 0) {
close(sock);
--
2.47.1

431
machines/nixos/vault01/networking/default.nix Normal file
View file

@ -0,0 +1,431 @@
# SPDX-FileCopyrightText: 2024 Lubin Bailly <lubin.bailly@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{
pkgs,
lib,
meta,
config,
name,
...
}:
let
inherit (lib)
catAttrs
getExe
mapAttrs'
nameValuePair
;
uplink = {
ip = "10.120.33.250";
prefix = 30;
router = "10.120.33.249";
};
mkNetwork =
name:
{
address ? [ ],
extraNetwork ? { },
...
}:
nameValuePair "10-${name}" ({ inherit name address; } // extraNetwork);
mkNetdev =
name:
{ Id, ... }:
nameValuePair "10-${name}" {
netdevConfig = {
Name = name;
Kind = "vlan";
};
vlanConfig.Id = Id;
};
mkUserVlan =
{
vlan,
interfaceName,
...
}:
{
name = interfaceName;
value = {
Id = vlan;
extraNetwork = {
networkConfig.LinkLocalAddressing = "no";
linkConfig = {
Promiscuous = true;
MTUBytes = 1500;
};
addresses = [
{
Address = "10.0.0.1/16";
AddPrefixRoute = false;
}
];
};
};
};
userVlans = builtins.genList (id: rec {
vlan = 4094 - id;
interfaceName = "vlan-user-${toString vlan}";
}) 850;
vlans = {
vlan-uplink-cri = {
Id = 223;
address = with uplink; [ "${ip}/${builtins.toString prefix}" ];
extraNetwork = {
routes = [
{
# Get the public ip from the metadata
PreferredSource = builtins.head meta.network.${name}.addresses.ipv4;
Gateway = uplink.router;
}
];
linkConfig.MTUBytes = 1500;
};
};
vlan-admin = {
Id = 3000;
address = [ "fd26:baf9:d250:8000::1/64" ];
};
vlan-admin-ap = {
Id = 3001;
address = [
"fd26:baf9:d250:8001::1/64"
# FIXME: ipv4 is temporary for APs in production
"10.0.253.1/24"
];
extraNetwork = {
networkConfig = {
IPv6SendRA = true;
DHCPServer = "yes";
};
ipv6Prefixes = [
{
AddressAutoconfiguration = false;
OnLink = false;
Prefix = "fd26:baf9:d250:8001::/64";
}
];
};
};
vlan-apro = {
Id = 2000;
address = [ "10.0.255.1/24" ];
extraNetwork = {
networkConfig.DHCPServer = "yes";
linkConfig.MTUBytes = 1500;
};
};
vlan-hypervisor = {
Id = 2001;
address = [ "10.0.254.1/24" ];
extraNetwork = {
networkConfig.DHCPServer = "yes";
linkConfig.MTUBytes = 1500;
};
};
} // builtins.listToAttrs (map mkUserVlan userVlans);
in
{
nixpkgs.overlays = [
(_: super: {
kea = super.kea.overrideAttrs (o: {
patches = o.patches ++ [ ./0001-fix-multiple-interface-with-same-IP.patch ];
});
})
];
systemd = {
network = {
config.routeTables."user" = 1000;
networks = {
"10-lo" = {
name = "lo";
address = [
"::1/128"
"127.0.0.1/8"
"10.0.0.1/27"
];
routes = [
{
Destination = "10.0.0.0/27";
Table = "user";
}
];
routingPolicyRules = [
{
To = "10.0.0.0/16";
Table = "user";
}
];
};
"10-enp67s0f0np0" = {
name = "enp67s0f0np0";
linkConfig.Promiscuous = true;
networkConfig = {
VLAN = builtins.attrNames vlans;
LinkLocalAddressing = false;
LLDP = false;
EmitLLDP = false;
IPv6AcceptRA = false;
IPv6SendRA = false;
};
linkConfig.MTUBytes = 1504;
};
} // (mapAttrs' mkNetwork vlans);
netdevs = mapAttrs' mkNetdev vlans;
};
services = {
ethtoolConfig = {
wantedBy = [ "systemd-networkd.service" ];
after = [ "sys-subsystem-net-devices-enp67s0f0np0.device" ];
bindsTo = [ "sys-subsystem-net-devices-enp67s0f0np0.device" ];
script = builtins.concatStringsSep "\n" (
builtins.map (name: "${lib.getExe pkgs.ethtool} -K enp67s0f0np0 ${name} off") [
"rxvlan"
"txvlan"
"rx-vlan-filter"
"rx-vlan-offload"
"tx-vlan-offload"
"tx-vlan-stag-hw-insert"
]
);
};
systemd-networkd.serviceConfig.LimitNOFILE = 4096;
kea-dhcp4-server = {
serviceConfig = {
AmbientCapabilities = [ "CAP_NET_ADMIN" ];
CapabilityBoundingSet = [ "CAP_NET_ADMIN" ];
};
requires = [ "postgresql.service" ];
after = [ "postgresql.service" ];
path = [ config.services.postgresql.package ];
preStart = lib.mkAfter ''
pushd $STATE_DIRECTORY
if ! test -e .db.initialized; then
psql -d ulogd -U ulogd -f ${pkgs.writeText "kea_log.sql" ''
CREATE SEQUENCE kea_log_lease_id_seq;
CREATE TABLE kea_log (
_lease_id bigint PRIMARY KEY UNIQUE NOT NULL DEFAULT nextval('kea_log_lease_id_seq'),
ip_addr inet NOT NULL,
vlan_id int NOT NULL,
lease_start_sec bigint NOT NULL,
lease_end_sec bigint NOT NULL
);
''}
touch .db.initialized
fi
popd
'';
};
};
};
networking = {
nftables = {
enable = true;
tables = {
nat = {
family = "ip";
content = ''
chain postrouting {
type nat hook postrouting priority 100;
ip saddr 10.0.0.0/16 ip daddr != 10.0.0.0/16 snat ip to 129.199.195.130-129.199.195.157
}
'';
};
filter = {
family = "inet";
content = ''
chain forward {
type filter hook forward priority filter; policy accept;
ct state vmap {
invalid: drop,
established: accept,
related: accept,
new: jump forward_decide,
untracked: jump forward_decide,
};
}
chain forward_decide {
# Block access to vpn
ip daddr {
10.10.17.0/30,
100.80.0.0/16,
} jump forward_reject;
# And administrative vlans
ip6 daddr {
fd26:baf9:d250::/48,
} jump forward_reject;
# These are being deployed, and so are not trusted
ip saddr 10.0.255.0/24 jump forward_reject;
# We only forward for ISP clients and our stuff
ip saddr != 10.0.0.0/16 jump forward_reject;
# Can talk to us
ip daddr 10.0.0.0/27 accept;
# Not others nor CRI
ip daddr 10.0.0.0/8 jump forward_reject;
}
chain forward_reject {
reject with icmpx type admin-prohibited;
}
'';
};
};
};
firewall = {
allowedUDPPorts = [
67
1194
];
};
};
services = {
kea.dhcp4 = {
enable = true;
settings = {
interfaces-config = {
interfaces = catAttrs "interfaceName" userVlans;
dhcp-socket-type = "raw";
outbound-interface = "same-as-inbound";
service-sockets-require-all = true;
};
lease-database = {
# FIXME: pgsql
name = "/var/lib/kea/dhcp4.leases";
persist = true;
type = "memfile";
};
valid-lifetime = 7200;
rebind-timer = 3600;
renew-timer = 1800;
subnet4 = [
{
id = 1;
pools = [
{
pool = "10.0.0.32 - 10.0.252.255";
}
];
subnet = "10.0.0.0/16";
}
];
hooks-libraries = [
{
library = "${pkgs.kea}/lib/kea/hooks/libdhcp_run_script.so";
parameters = {
name = getExe (
let
link-del = pkgs.writeText "link-del.sql" ''
WITH lease_entry_id AS (
SELECT max(_lease_id) AS curr_id FROM kea_log
WHERE ip_addr = inet 'LEASE4_ADDRESS' AND lease_end_sec > TIMESTAMP
)
UPDATE kea_log SET
lease_end_sec = TIMESTAMP
FROM lease_entry_id
WHERE _lease_id = curr_id
;
'';
link-new = pkgs.writeText "link-new.sql" ''
INSERT INTO kea_log (ip_addr, vlan_id, lease_start_sec, lease_end_sec) VALUES
(inet 'LEASE4_ADDRESS',
VLAN_ID,
TIMESTAMP,
TIMESTAMP+7200
);
'';
link-renew = pkgs.writeText "link-renew.sql" ''
WITH lease_entry_id AS (
SELECT max(_lease_id) AS curr_id FROM kea_log
WHERE ip_addr = inet 'LEASE4_ADDRESS' AND lease_end_sec > TIMESTAMP
)
UPDATE kea_log SET
lease_end_sec = TIMESTAMP+7200
FROM lease_entry_id
WHERE _lease_id = curr_id
;
'';
in
pkgs.writeShellApplication {
name = "hook.sh";
runtimeInputs = [
pkgs.busybox
config.services.postgresql.package
];
text = ''
case "$1" in
"leases4_committed")
TIMESTAMP="$(date +%s)"
for i in $(seq 0 $((DELETED_LEASES4_SIZE-1))); do
LEASE4_ADDRESS=$(eval "echo \$DELETED_LEASES4_AT''${i}_ADDRESS")
ip r del table user dev "$QUERY4_IFACE_NAME" "$LEASE4_ADDRESS"
sed "s/TIMESTAMP/$TIMESTAMP/;
s/LEASE4_ADDRESS/$LEASE4_ADDRESS" \
${link-del} \
| psql -d ulogd -U ulogd
done
for i in $(seq 0 $((LEASES4_SIZE-1))); do
LEASE4_ADDRESS=$(eval "echo \$LEASES4_AT''${i}_ADDRESS")
if [ -z "$(ip r show "$LEASE4_ADDRESS" dev "$QUERY4_IFACE_NAME")" ]; then
ip r add table user dev "$QUERY4_IFACE_NAME" "$LEASE4_ADDRESS"
sed "s/TIMESTAMP/$TIMESTAMP/;
s/LEASE4_ADDRESS/$LEASE4_ADDRESS/;
s/VLAN_ID/$(cut -d- -f3 <<< "$QUERY4_IFACE_NAME")/" \
${link-new} \
| psql -d ulogd -U ulogd
else
sed "s/TIMESTAMP/$TIMESTAMP/;
s/LEASE4_ADDRESS/$LEASE4_ADDRESS/;" \
${link-renew} \
| psql -d ulogd -U ulogd
fi
done
;;
esac
'';
}
);
sync = false;
};
}
];
};
};
postgresql = {
enable = true;
identMap = ''
ulogd-map kea ulogd
'';
};
};
boot.kernel.sysctl."net.ipv4.ip_forward" = true;
}

1
machines/nixos/vault01/secrets/secrets.nix
View file

@ -14,5 +14,4 @@
"radius-private_key_password_file"
"eatonmon-password_file"
"radius-ap-radius-secret_file"
"wg-key"
]

BIN
machines/nixos/vault01/secrets/wg-key
View file

Binary file not shown.