feat(vault01/isp): global user dhcp instead of per-user
This commit is contained in:
parent
c3d1a8426e
commit
64635bdd26
GPG key ID:
CE3E645251AC63F3
4 changed files with 349 additions and 175 deletions
|
|
@ -38,7 +38,7 @@ precedence = "closest"
|
||||||
[[annotations]]
|
[[annotations]]
|
||||||
SPDX-FileCopyrightText = "2024 Lubin Bailly <lubin.bailly@dgnum.eu>"
|
SPDX-FileCopyrightText = "2024 Lubin Bailly <lubin.bailly@dgnum.eu>"
|
||||||
SPDX-License-Identifier = "EUPL-1.2"
|
SPDX-License-Identifier = "EUPL-1.2"
|
||||||
path = ["modules/nixos/extranix/0001-revert-don-t-parse-md-in-js.patch", "modules/nixos/extranix/0002-chore-remove-useless-dependencies.patch", "modules/nixos/extranix/0003-feat-separate-HTML-description-of-MD-description.patch", "modules/nixos/extranix/0004-fix-indentation-of-ul.patch", "modules/nixos/extranix/0005-feat-match-all-substring-by-default.patch"]
|
path = ["modules/nixos/extranix/0001-revert-don-t-parse-md-in-js.patch", "modules/nixos/extranix/0002-chore-remove-useless-dependencies.patch", "modules/nixos/extranix/0003-feat-separate-HTML-description-of-MD-description.patch", "modules/nixos/extranix/0004-fix-indentation-of-ul.patch", "modules/nixos/extranix/0005-feat-match-all-substring-by-default.patch", "machines/nixos/vault01/networking/0001-fix-multiple-interface-with-same-IP.patch"]
|
||||||
precedence = "closest"
|
precedence = "closest"
|
||||||
|
|
||||||
[[annotations]]
|
[[annotations]]
|
||||||
|
|
|
||||||
|
|
@ -127,6 +127,7 @@ let
|
||||||
"modules/nixos/extranix/0003-feat-separate-HTML-description-of-MD-description.patch"
|
"modules/nixos/extranix/0003-feat-separate-HTML-description-of-MD-description.patch"
|
||||||
"modules/nixos/extranix/0004-fix-indentation-of-ul.patch"
|
"modules/nixos/extranix/0004-fix-indentation-of-ul.patch"
|
||||||
"modules/nixos/extranix/0005-feat-match-all-substring-by-default.patch"
|
"modules/nixos/extranix/0005-feat-match-all-substring-by-default.patch"
|
||||||
|
"machines/nixos/vault01/networking/0001-fix-multiple-interface-with-same-IP.patch"
|
||||||
];
|
];
|
||||||
copyright = "2024 Lubin Bailly <lubin.bailly@dgnum.eu>";
|
copyright = "2024 Lubin Bailly <lubin.bailly@dgnum.eu>";
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -0,0 +1,31 @@
|
||||||
|
From 417ae050a7dfb6d6d1e227bbe5817992949376f7 Mon Sep 17 00:00:00 2001
|
||||||
|
From: catvayor <catvayor@katvayor.net>
|
||||||
|
Date: Sun, 23 Feb 2025 21:15:42 +0100
|
||||||
|
Subject: [PATCH] fix: multiple interface with same IP
|
||||||
|
|
||||||
|
---
|
||||||
|
src/lib/dhcp/pkt_filter.cc | 8 ++++++++
|
||||||
|
1 file changed, 8 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/src/lib/dhcp/pkt_filter.cc b/src/lib/dhcp/pkt_filter.cc
|
||||||
|
index d6360984ef..4dfdea59c7 100644
|
||||||
|
--- a/src/lib/dhcp/pkt_filter.cc
|
||||||
|
+++ b/src/lib/dhcp/pkt_filter.cc
|
||||||
|
@@ -24,6 +24,14 @@ PktFilter::openFallbackSocket(const isc::asiolink::IOAddress& addr,
|
||||||
|
" address " << addr << ", port " << port
|
||||||
|
<< ", reason: " << strerror(errno));
|
||||||
|
}
|
||||||
|
+ // allow address to be reused
|
||||||
|
+ int oneopt = 1;
|
||||||
|
+ if (setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &oneopt, sizeof(oneopt))) {
|
||||||
|
+ close(sock);
|
||||||
|
+ isc_throw(SocketConfigError, "failed to set SO_REUSEADDR socket for"
|
||||||
|
+ " address " << addr << ", port " << port
|
||||||
|
+ << ", reason: " << strerror(errno));
|
||||||
|
+ }
|
||||||
|
// Set the close-on-exec flag.
|
||||||
|
if (fcntl(sock, F_SETFD, FD_CLOEXEC) < 0) {
|
||||||
|
close(sock);
|
||||||
|
--
|
||||||
|
2.47.1
|
||||||
|
|
||||||
|
|
@ -6,13 +6,18 @@
|
||||||
pkgs,
|
pkgs,
|
||||||
lib,
|
lib,
|
||||||
meta,
|
meta,
|
||||||
|
config,
|
||||||
name,
|
name,
|
||||||
...
|
...
|
||||||
}:
|
}:
|
||||||
|
|
||||||
let
|
let
|
||||||
inherit (lib) mapAttrs' mkOption nameValuePair;
|
inherit (lib)
|
||||||
inherit (lib.types) listOf attrs;
|
catAttrs
|
||||||
|
getExe
|
||||||
|
mapAttrs'
|
||||||
|
nameValuePair
|
||||||
|
;
|
||||||
|
|
||||||
uplink = {
|
uplink = {
|
||||||
ip = "10.120.33.250";
|
ip = "10.120.33.250";
|
||||||
|
|
@ -44,8 +49,6 @@ let
|
||||||
mkUserVlan =
|
mkUserVlan =
|
||||||
{
|
{
|
||||||
vlan,
|
vlan,
|
||||||
netIP,
|
|
||||||
servIP,
|
|
||||||
interfaceName,
|
interfaceName,
|
||||||
...
|
...
|
||||||
}:
|
}:
|
||||||
|
|
@ -54,37 +57,30 @@ let
|
||||||
value = {
|
value = {
|
||||||
Id = vlan;
|
Id = vlan;
|
||||||
extraNetwork = {
|
extraNetwork = {
|
||||||
networkConfig = {
|
networkConfig.LinkLocalAddressing = "no";
|
||||||
LinkLocalAddressing = "no";
|
|
||||||
DHCPServer = "yes";
|
|
||||||
};
|
|
||||||
linkConfig = {
|
linkConfig = {
|
||||||
Promiscuous = true;
|
Promiscuous = true;
|
||||||
MTUBytes = 1500;
|
MTUBytes = 1500;
|
||||||
};
|
};
|
||||||
addresses = [
|
addresses = [
|
||||||
{
|
{
|
||||||
Address = "${servIP}/27";
|
Address = "10.0.0.1/16";
|
||||||
AddPrefixRoute = false;
|
AddPrefixRoute = false;
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
routes = [
|
|
||||||
{
|
|
||||||
Destination = "${netIP}/27";
|
|
||||||
Table = "user";
|
|
||||||
}
|
|
||||||
];
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
userVlans = builtins.genList (id: rec {
|
userVlans = builtins.genList (id: rec {
|
||||||
vlan = 4094 - id;
|
vlan = 4094 - id;
|
||||||
|
interfaceName = "vlan-user-${toString vlan}";
|
||||||
|
|
||||||
|
# TODO: remove when logs are migrated
|
||||||
prefix24nb = (id + 1) / 8;
|
prefix24nb = (id + 1) / 8;
|
||||||
prefix27nb = (id + 1 - prefix24nb * 8) * 32;
|
prefix27nb = (id + 1 - prefix24nb * 8) * 32;
|
||||||
netIP = "10.0.${toString prefix24nb}.${toString prefix27nb}";
|
netIP = "10.0.${toString prefix24nb}.${toString prefix27nb}";
|
||||||
servIP = "10.0.${toString prefix24nb}.${toString (prefix27nb + 1)}";
|
servIP = "10.0.${toString prefix24nb}.${toString (prefix27nb + 1)}";
|
||||||
interfaceName = "vlan-user-${toString vlan}";
|
|
||||||
prefixLen = 27;
|
prefixLen = 27;
|
||||||
}) 850;
|
}) 850;
|
||||||
|
|
||||||
|
|
@ -152,16 +148,59 @@ let
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
} // builtins.listToAttrs (map mkUserVlan userVlans);
|
} // builtins.listToAttrs (map mkUserVlan userVlans);
|
||||||
|
|
||||||
|
sql_files = {
|
||||||
|
kea_log-init = pkgs.writeText "kea_log.sql" ''
|
||||||
|
CREATE SEQUENCE IF NOT EXISTS kea_log_lease_id_seq;
|
||||||
|
CREATE TABLE IF NOT EXISTS kea_log (
|
||||||
|
_lease_id bigint PRIMARY KEY UNIQUE NOT NULL DEFAULT nextval('kea_log_lease_id_seq'),
|
||||||
|
ip_addr inet NOT NULL,
|
||||||
|
vlan_id int NOT NULL,
|
||||||
|
lease_start_sec bigint NOT NULL,
|
||||||
|
lease_end_sec bigint NOT NULL
|
||||||
|
);
|
||||||
|
'';
|
||||||
|
link-del = pkgs.writeText "link-del.sql" ''
|
||||||
|
WITH lease_entry_id AS (
|
||||||
|
SELECT max(_lease_id) AS curr_id FROM kea_log
|
||||||
|
WHERE ip_addr = inet 'LEASE4_ADDRESS' AND lease_end_sec > TIMESTAMP
|
||||||
|
)
|
||||||
|
UPDATE kea_log SET
|
||||||
|
lease_end_sec = TIMESTAMP
|
||||||
|
FROM lease_entry_id
|
||||||
|
WHERE _lease_id = curr_id
|
||||||
|
;
|
||||||
|
'';
|
||||||
|
link-new = pkgs.writeText "link-new.sql" ''
|
||||||
|
INSERT INTO kea_log (ip_addr, vlan_id, lease_start_sec, lease_end_sec) VALUES
|
||||||
|
(inet 'LEASE4_ADDRESS',
|
||||||
|
VLAN_ID,
|
||||||
|
TIMESTAMP,
|
||||||
|
TIMESTAMP+7200
|
||||||
|
);
|
||||||
|
'';
|
||||||
|
link-renew = pkgs.writeText "link-renew.sql" ''
|
||||||
|
WITH lease_entry_id AS (
|
||||||
|
SELECT max(_lease_id) AS curr_id FROM kea_log
|
||||||
|
WHERE ip_addr = inet 'LEASE4_ADDRESS' AND lease_end_sec > TIMESTAMP
|
||||||
|
)
|
||||||
|
UPDATE kea_log SET
|
||||||
|
lease_end_sec = TIMESTAMP+7200
|
||||||
|
FROM lease_entry_id
|
||||||
|
WHERE _lease_id = curr_id
|
||||||
|
;
|
||||||
|
'';
|
||||||
|
};
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
options.networking.vlans-info = mkOption {
|
nixpkgs.overlays = [
|
||||||
type = listOf attrs;
|
(_: super: {
|
||||||
description = ''
|
kea = super.kea.overrideAttrs (o: {
|
||||||
Information about vlans for log analysis.
|
patches = o.patches ++ [ ./0001-fix-multiple-interface-with-same-IP.patch ];
|
||||||
'';
|
});
|
||||||
readOnly = true;
|
})
|
||||||
};
|
];
|
||||||
config = {
|
|
||||||
systemd = {
|
systemd = {
|
||||||
network = {
|
network = {
|
||||||
config.routeTables."user" = 1000;
|
config.routeTables."user" = 1000;
|
||||||
|
|
@ -224,46 +263,34 @@ in
|
||||||
|
|
||||||
systemd-networkd.serviceConfig.LimitNOFILE = 4096;
|
systemd-networkd.serviceConfig.LimitNOFILE = 4096;
|
||||||
|
|
||||||
net-checker = {
|
kea-dhcp4-server = {
|
||||||
|
serviceConfig = {
|
||||||
|
AmbientCapabilities = [ "CAP_NET_ADMIN" ];
|
||||||
|
CapabilityBoundingSet = [ "CAP_NET_ADMIN" ];
|
||||||
|
LimitNOFILE = 4096;
|
||||||
|
};
|
||||||
|
requires = [ "postgresql.service" ];
|
||||||
|
after = [ "postgresql.service" ];
|
||||||
path = [
|
path = [
|
||||||
pkgs.iputils
|
pkgs.kea
|
||||||
pkgs.systemd
|
config.services.postgresql.package
|
||||||
];
|
];
|
||||||
script = ''
|
preStart = lib.mkAfter ''
|
||||||
if ping -c 1 8.8.8.8 > /dev/null || ping -c 1 1.1.1.1 > /dev/null; then
|
pushd $STATE_DIRECTORY
|
||||||
echo network is up
|
if ! test -e .db.initialized; then
|
||||||
${lib.concatMapStringsSep "\n " (
|
psql -d ulogd -U ulogd -f ${sql_files.kea_log-init}
|
||||||
{ interfaceName, ... }: "networkctl up ${interfaceName}"
|
kea-admin db-init pgsql -n kea -u kea -h /run/postgresql
|
||||||
) userVlans}
|
touch .db.initialized
|
||||||
else
|
else
|
||||||
echo network is down
|
kea-admin db-upgrade pgsql -n kea -u kea -h /run/postgresql
|
||||||
${lib.concatMapStringsSep "\n " (
|
|
||||||
{ interfaceName, ... }: "networkctl down ${interfaceName}"
|
|
||||||
) userVlans}
|
|
||||||
fi
|
fi
|
||||||
|
popd
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
timers.net-checker = {
|
|
||||||
wantedBy = [ "timers.target" ];
|
|
||||||
timerConfig.OnCalendar = "*-*-* *:*:42";
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
|
|
||||||
networking = {
|
networking = {
|
||||||
vlans-info = [
|
|
||||||
{
|
|
||||||
vlan = 2001;
|
|
||||||
netIP = "10.0.254.0";
|
|
||||||
prefixLen = 24;
|
|
||||||
}
|
|
||||||
{
|
|
||||||
vlan = 3001;
|
|
||||||
netIP = "10.0.253.0";
|
|
||||||
prefixLen = 24;
|
|
||||||
}
|
|
||||||
] ++ userVlans;
|
|
||||||
nftables = {
|
nftables = {
|
||||||
enable = true;
|
enable = true;
|
||||||
tables = {
|
tables = {
|
||||||
|
|
@ -322,6 +349,121 @@ in
|
||||||
};
|
};
|
||||||
firewall.allowedUDPPorts = [ 67 ];
|
firewall.allowedUDPPorts = [ 67 ];
|
||||||
};
|
};
|
||||||
boot.kernel.sysctl."net.ipv4.ip_forward" = true;
|
|
||||||
|
services = {
|
||||||
|
kea.dhcp4 = {
|
||||||
|
enable = true;
|
||||||
|
settings = {
|
||||||
|
interfaces-config = {
|
||||||
|
interfaces = catAttrs "interfaceName" userVlans;
|
||||||
|
dhcp-socket-type = "raw";
|
||||||
|
outbound-interface = "same-as-inbound";
|
||||||
|
service-sockets-require-all = true;
|
||||||
};
|
};
|
||||||
|
lease-database = {
|
||||||
|
name = "kea";
|
||||||
|
user = "kea";
|
||||||
|
host = "/run/postgresql";
|
||||||
|
persist = true;
|
||||||
|
type = "pgsql";
|
||||||
|
};
|
||||||
|
valid-lifetime = 7200;
|
||||||
|
rebind-timer = 3600;
|
||||||
|
renew-timer = 1800;
|
||||||
|
expired-leases-processing = {
|
||||||
|
reclaim-timer-wait-time = 3;
|
||||||
|
max-reclaim-leases = 0;
|
||||||
|
max-reclaim-time = 50;
|
||||||
|
unwarned-reclaim-cycles = 10;
|
||||||
|
|
||||||
|
hold-reclaimed-time = 3600 * 24 * 2;
|
||||||
|
flush-reclaimed-timer-wait-time = 60;
|
||||||
|
};
|
||||||
|
subnet4 = [
|
||||||
|
{
|
||||||
|
id = 1;
|
||||||
|
pools = [
|
||||||
|
{
|
||||||
|
pool = "10.0.0.32 - 10.0.252.255";
|
||||||
|
}
|
||||||
|
];
|
||||||
|
subnet = "10.0.0.0/16";
|
||||||
|
}
|
||||||
|
];
|
||||||
|
hooks-libraries = [
|
||||||
|
{
|
||||||
|
library = "${pkgs.kea}/lib/kea/hooks/libdhcp_run_script.so";
|
||||||
|
parameters = {
|
||||||
|
name = getExe (
|
||||||
|
pkgs.writeShellApplication {
|
||||||
|
name = "hook.sh";
|
||||||
|
runtimeInputs = [
|
||||||
|
pkgs.iproute2
|
||||||
|
pkgs.coreutils
|
||||||
|
pkgs.gnused
|
||||||
|
config.services.postgresql.package
|
||||||
|
];
|
||||||
|
text = ''
|
||||||
|
TIMESTAMP="$(date +%s)"
|
||||||
|
case "$1" in
|
||||||
|
"lease4_expire")
|
||||||
|
ip r del table user "$LEASE4_ADDRESS"
|
||||||
|
sed "s/TIMESTAMP/$TIMESTAMP/;
|
||||||
|
s/LEASE4_ADDRESS/$LEASE4_ADDRESS/" \
|
||||||
|
${sql_files.link-del} \
|
||||||
|
| psql -d ulogd -U ulogd
|
||||||
|
;;
|
||||||
|
"leases4_committed")
|
||||||
|
for i in $(seq 0 $((DELETED_LEASES4_SIZE-1))); do
|
||||||
|
LEASE4_ADDRESS=$(eval "echo \$DELETED_LEASES4_AT''${i}_ADDRESS")
|
||||||
|
ip r del table user dev "$QUERY4_IFACE_NAME" "$LEASE4_ADDRESS"
|
||||||
|
sed "s/TIMESTAMP/$TIMESTAMP/;
|
||||||
|
s/LEASE4_ADDRESS/$LEASE4_ADDRESS/" \
|
||||||
|
${sql_files.link-del} \
|
||||||
|
| psql -d ulogd -U ulogd
|
||||||
|
done
|
||||||
|
for i in $(seq 0 $((LEASES4_SIZE-1))); do
|
||||||
|
LEASE4_ADDRESS=$(eval "echo \$LEASES4_AT''${i}_ADDRESS")
|
||||||
|
if [ -z "$(ip r show table user "$LEASE4_ADDRESS" dev "$QUERY4_IFACE_NAME")" ]; then
|
||||||
|
ip r add table user dev "$QUERY4_IFACE_NAME" "$LEASE4_ADDRESS"
|
||||||
|
sed "s/TIMESTAMP/$TIMESTAMP/;
|
||||||
|
s/LEASE4_ADDRESS/$LEASE4_ADDRESS/;
|
||||||
|
s/VLAN_ID/$(cut -d- -f3 <<< "$QUERY4_IFACE_NAME")/" \
|
||||||
|
${sql_files.link-new} \
|
||||||
|
| psql -d ulogd -U ulogd
|
||||||
|
else
|
||||||
|
sed "s/TIMESTAMP/$TIMESTAMP/;
|
||||||
|
s/LEASE4_ADDRESS/$LEASE4_ADDRESS/" \
|
||||||
|
${sql_files.link-renew} \
|
||||||
|
| psql -d ulogd -U ulogd
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
'';
|
||||||
|
}
|
||||||
|
);
|
||||||
|
sync = false;
|
||||||
|
};
|
||||||
|
}
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
postgresql = {
|
||||||
|
enable = true;
|
||||||
|
identMap = ''
|
||||||
|
ulogd-map kea ulogd
|
||||||
|
'';
|
||||||
|
settings.timezone = "CET";
|
||||||
|
ensureUsers = [
|
||||||
|
{
|
||||||
|
name = "kea";
|
||||||
|
ensureDBOwnership = true;
|
||||||
|
}
|
||||||
|
];
|
||||||
|
ensureDatabases = [ "kea" ];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
boot.kernel.sysctl."net.ipv4.ip_forward" = true;
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Loading…
Add table
Reference in a new issue