DGNum/infrastructure
11
6
Fork 2
Code Issues 21 Pull requests 19 Projects 1 Releases Packages Wiki Activity Actions

feat(meta/isp): vlan flags
All checks were successful
Check workflows / check_workflows (pull_request) Successful in 16s
Details
Check meta / check_dns (pull_request) Successful in 21s
Details
Check meta / check_meta (pull_request) Successful in 21s
Details
Build all the nodes / netcore01 (pull_request) Successful in 19s
Details
Build all the nodes / netaccess01 (pull_request) Successful in 20s
Details
Build all the nodes / netcore02 (pull_request) Successful in 20s
Details
Run pre-commit on all files / pre-commit (push) Successful in 25s
Details
Build all the nodes / ap01 (pull_request) Successful in 31s
Details
Build the shell / build-shell (pull_request) Successful in 27s
Details
Run pre-commit on all files / pre-commit (pull_request) Successful in 23s
Details
Build all the nodes / hypervisor01 (pull_request) Successful in 1m42s
Details
Build all the nodes / bridge01 (pull_request) Successful in 1m44s
Details
Build all the nodes / geo01 (pull_request) Successful in 1m48s
Details
Build all the nodes / build01 (pull_request) Successful in 1m49s
Details
Build all the nodes / hypervisor03 (pull_request) Successful in 1m47s
Details
Build all the nodes / rescue01 (pull_request) Successful in 1m34s
Details
Build all the nodes / geo02 (pull_request) Successful in 1m54s
Details
Build all the nodes / hypervisor02 (pull_request) Successful in 1m57s
Details
Build all the nodes / web03 (pull_request) Successful in 1m40s
Details
Build all the nodes / tower01 (pull_request) Successful in 1m52s
Details
Build all the nodes / vault01 (pull_request) Successful in 1m57s
Details
Build all the nodes / web02 (pull_request) Successful in 1m57s
Details
Build all the nodes / compute01 (pull_request) Successful in 2m20s
Details
Build all the nodes / storage01 (pull_request) Successful in 2m4s
Details
Build all the nodes / web01 (pull_request) Successful in 2m25s
Details

Browse source
This commit is contained in:
catvayor 2025-03-02 18:49:09 +01:00
parent 92890e2228
commit bfedf05cc4
Signed by: lbailly
GPG key ID: CE3E645251AC63F3
2 changed files with 261 additions and 224 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

442
machines/nixos/vault01/networking.nix
View file

@ -35,239 +35,237 @@ let
in in
{ {
config = { systemd = {
systemd = { network = {
network = { config.routeTables."user" = 1000;
config.routeTables."user" = 1000; networks = {
networks = { "10-lo" = {
"10-lo" = { name = "lo";
name = "lo"; address = [
address = [ "::1/128"
"::1/128" "127.0.0.1/8"
"127.0.0.1/8" "10.0.0.1/27"
"10.0.0.1/27" ];
]; routes = [
routes = [ {
{ Destination = "10.0.0.0/27";
Destination = "10.0.0.0/27"; Table = "user";
Table = "user"; }
} ];
]; routingPolicyRules = [
routingPolicyRules = [ {
{ To = "10.0.0.0/16";
To = "10.0.0.0/16"; Table = "user";
Table = "user"; }
} ];
];
};
"10-enp67s0f0np0" = {
name = "enp67s0f0np0";
linkConfig.Promiscuous = true;
networkConfig = {
Bridge = "br0";
LinkLocalAddressing = false;
LLDP = false;
EmitLLDP = false;
IPv6AcceptRA = false;
IPv6SendRA = false;
};
linkConfig.MTUBytes = 1504;
};
"50-gretap1" = {
name = "gretap1";
networkConfig = {
Bridge = "br0";
LinkLocalAddressing = false;
LLDP = false;
EmitLLDP = false;
IPv6AcceptRA = false;
IPv6SendRA = false;
};
linkConfig.MTUBytes = 1504;
};
"50-br0" = {
name = "br0";
networkConfig = {
VLAN = builtins.attrNames vlans;
LinkLocalAddressing = false;
LLDP = false;
EmitLLDP = false;
IPv6AcceptRA = false;
IPv6SendRA = false;
};
linkConfig.MTUBytes = 1504;
};
"50-wg0" = {
name = "wg0";
address = [ "10.10.17.1/30" ];
networkConfig.Tunnel = "gretap1";
};
} // (mapAttrs' mkNetwork vlans);
netdevs = {
"50-gretap1" = {
netdevConfig = {
Name = "gretap1";
Kind = "gretap";
};
tunnelConfig = {
Local = "10.10.17.1";
Remote = "10.10.17.2";
};
};
"50-br0" = {
netdevConfig = {
Name = "br0";
Kind = "bridge";
};
bridgeConfig = {
VLANFiltering = false;
STP = false;
};
};
"50-wg0" = {
netdevConfig = {
Name = "wg0";
Kind = "wireguard";
};
wireguardConfig = {
ListenPort = 1194;
PrivateKeyFile = config.age.secrets."wg-key".path;
};
wireguardPeers = [
{
AllowedIPs = [
"10.10.17.0/30"
];
PublicKey = "g6S3gBx1Hf2iX41tokD+m8WfzJJTTcsKifOkn+Wcd00=";
}
];
};
} // (mapAttrs' mkNetdev vlans);
};
services = {
ethtoolConfig = {
wantedBy = [ "systemd-networkd.service" ];
after = [ "sys-subsystem-net-devices-enp67s0f0np0.device" ];
bindsTo = [ "sys-subsystem-net-devices-enp67s0f0np0.device" ];
script = builtins.concatStringsSep "\n" (
builtins.map (name: "${lib.getExe pkgs.ethtool} -K enp67s0f0np0 ${name} off") [
"rxvlan"
"txvlan"
"rx-vlan-filter"
"rx-vlan-offload"
"tx-vlan-offload"
"tx-vlan-stag-hw-insert"
]
);
}; };
"10-enp67s0f0np0" = {
name = "enp67s0f0np0";
linkConfig.Promiscuous = true;
networkConfig = {
Bridge = "br0";
systemd-networkd.serviceConfig.LimitNOFILE = 4096; LinkLocalAddressing = false;
LLDP = false;
net-checker = EmitLLDP = false;
let IPv6AcceptRA = false;
userVlans = builtins.attrNames (filterAttrs (_: { userOnly, ... }: userOnly) vlans); IPv6SendRA = false;
networkctl = action: concatMapStringsSep "\n " (name: "networkctl ${action} ${name}") userVlans;
in
{
path = [
pkgs.iputils
pkgs.systemd
];
script = ''
if ping -c 1 8.8.8.8 > /dev/null || ping -c 1 1.1.1.1 > /dev/null; then
echo network is up
${networkctl "up"}
else
echo network is down
${networkctl "down"}
fi
'';
}; };
}; linkConfig.MTUBytes = 1504;
};
"50-gretap1" = {
name = "gretap1";
networkConfig = {
Bridge = "br0";
timers.net-checker = { LinkLocalAddressing = false;
wantedBy = [ "timers.target" ]; LLDP = false;
timerConfig.OnCalendar = "*-*-* *:*:42"; EmitLLDP = false;
}; IPv6AcceptRA = false;
}; IPv6SendRA = false;
networking = {
nftables = {
enable = true;
tables = {
nat = {
family = "ip";
content = ''
chain postrouting {
type nat hook postrouting priority 100;
ip saddr 10.0.0.0/16 ip daddr != 10.0.0.0/16 snat ip to 129.199.195.130-129.199.195.157
}
'';
}; };
filter = { linkConfig.MTUBytes = 1504;
family = "inet"; };
content = '' "50-br0" = {
chain forward { name = "br0";
type filter hook forward priority filter; policy accept; networkConfig = {
ct state vmap { VLAN = builtins.attrNames vlans;
invalid: drop,
established: accept,
related: accept,
new: jump forward_decide,
untracked: jump forward_decide,
};
}
chain forward_decide {
# Block access to vpn
ip daddr {
10.10.17.0/30,
100.80.0.0/16,
} jump forward_reject;
# And administrative vlans LinkLocalAddressing = false;
ip6 daddr { LLDP = false;
fd26:baf9:d250::/48, EmitLLDP = false;
} jump forward_reject; IPv6AcceptRA = false;
IPv6SendRA = false;
};
linkConfig.MTUBytes = 1504;
};
"50-wg0" = {
name = "wg0";
address = [ "10.10.17.1/30" ];
networkConfig.Tunnel = "gretap1";
};
} // (mapAttrs' mkNetwork vlans);
# These are being deployed, and so are not trusted netdevs = {
ip saddr 10.0.255.0/24 jump forward_reject; "50-gretap1" = {
netdevConfig = {
# We only forward for ISP clients and our stuff Name = "gretap1";
ip saddr != 10.0.0.0/16 jump forward_reject; Kind = "gretap";
};
# Can talk to us tunnelConfig = {
ip daddr 10.0.0.0/27 accept; Local = "10.10.17.1";
Remote = "10.10.17.2";
# Not others nor CRI
ip daddr 10.0.0.0/8 jump forward_reject;
}
chain forward_reject {
reject with icmpx type admin-prohibited;
}
'';
}; };
}; };
}; "50-br0" = {
firewall = { netdevConfig = {
allowedUDPPorts = [ Name = "br0";
67 Kind = "bridge";
1194 };
]; bridgeConfig = {
# FIXME: I dont't remember why it's here, and it doesn't seems right VLANFiltering = false;
# comes from https://git.dgnum.eu/DGNum/infrastructure/commit/411795c664374549e5e831722a80180b51fbf0d5 STP = false;
# checkReversePath = false; };
}; };
"50-wg0" = {
netdevConfig = {
Name = "wg0";
Kind = "wireguard";
};
wireguardConfig = {
ListenPort = 1194;
PrivateKeyFile = config.age.secrets."wg-key".path;
};
wireguardPeers = [
{
AllowedIPs = [
"10.10.17.0/30"
];
PublicKey = "g6S3gBx1Hf2iX41tokD+m8WfzJJTTcsKifOkn+Wcd00=";
}
];
};
} // (mapAttrs' mkNetdev vlans);
}; };
age.secrets."wg-key".owner = "systemd-network"; services = {
users.users."systemd-network".extraGroups = [ "keys" ]; ethtoolConfig = {
wantedBy = [ "systemd-networkd.service" ];
after = [ "sys-subsystem-net-devices-enp67s0f0np0.device" ];
bindsTo = [ "sys-subsystem-net-devices-enp67s0f0np0.device" ];
script = builtins.concatStringsSep "\n" (
builtins.map (name: "${lib.getExe pkgs.ethtool} -K enp67s0f0np0 ${name} off") [
"rxvlan"
"txvlan"
"rx-vlan-filter"
"rx-vlan-offload"
"tx-vlan-offload"
"tx-vlan-stag-hw-insert"
]
);
};
boot.kernel.sysctl."net.ipv4.ip_forward" = true; systemd-networkd.serviceConfig.LimitNOFILE = 4096;
net-checker =
let
userVlans = builtins.attrNames (filterAttrs (_: { userOnly, ... }: userOnly) vlans);
networkctl = action: concatMapStringsSep "\n " (name: "networkctl ${action} ${name}") userVlans;
in
{
path = [
pkgs.iputils
pkgs.systemd
];
script = ''
if ping -c 1 8.8.8.8 > /dev/null || ping -c 1 1.1.1.1 > /dev/null; then
echo network is up
${networkctl "up"}
else
echo network is down
${networkctl "down"}
fi
'';
};
};
timers.net-checker = {
wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = "*-*-* *:*:42";
};
}; };
networking = {
nftables = {
enable = true;
tables = {
nat = {
family = "ip";
content = ''
chain postrouting {
type nat hook postrouting priority 100;
ip saddr 10.0.0.0/16 ip daddr != 10.0.0.0/16 snat ip to 129.199.195.130-129.199.195.157
}
'';
};
filter = {
family = "inet";
content = ''
chain forward {
type filter hook forward priority filter; policy accept;
ct state vmap {
invalid: drop,
established: accept,
related: accept,
new: jump forward_decide,
untracked: jump forward_decide,
};
}
chain forward_decide {
# Block access to vpn
ip daddr {
10.10.17.0/30,
100.80.0.0/16,
} jump forward_reject;
# And administrative vlans
ip6 daddr {
fd26:baf9:d250::/48,
} jump forward_reject;
# These are being deployed, and so are not trusted
ip saddr 10.0.255.0/24 jump forward_reject;
# We only forward for ISP clients and our stuff
ip saddr != 10.0.0.0/16 jump forward_reject;
# Can talk to us
ip daddr 10.0.0.0/27 accept;
# Not others nor CRI
ip daddr 10.0.0.0/8 jump forward_reject;
}
chain forward_reject {
reject with icmpx type admin-prohibited;
}
'';
};
};
};
firewall = {
allowedUDPPorts = [
67
1194
];
# FIXME: I dont't remember why it's here, and it doesn't seems right
# comes from https://git.dgnum.eu/DGNum/infrastructure/commit/411795c664374549e5e831722a80180b51fbf0d5
# checkReversePath = false;
};
};
age.secrets."wg-key".owner = "systemd-network";
users.users."systemd-network".extraGroups = [ "keys" ];
boot.kernel.sysctl."net.ipv4.ip_forward" = true;
} }

43
meta/isp/module.nix
View file

@ -2,13 +2,17 @@
# #
# SPDX-License-Identifier: EUPL-1.2 # SPDX-License-Identifier: EUPL-1.2
{ lib, ... }: { lib, config, ... }:
let let
inherit (lib) inherit (lib)
attrValues
genAttrs
mkDefault mkDefault
mkIf mkIf
mkMerge
mkOption mkOption
optional
; ;
inherit (lib.types) inherit (lib.types)
@ -16,10 +20,13 @@ let
attrsOf attrsOf
bool bool
ints ints
listOf
nullOr nullOr
submodule submodule
str str
; ;
cfg = config.isp;
in in
{ {
@ -30,6 +37,15 @@ in
{ config, ... }: { config, ... }:
{ {
options = { options = {
flags = mkOption {
type = listOf str;
default = optional config.userOnly "users";
defaultText = ''optional config.userOnly "users"'';
description = ''
Groups of VLANs this VLAN belong to.
'';
};
id = mkOption { id = mkOption {
type = ints.between 0 (4096 - 1); type = ints.between 0 (4096 - 1);
description = '' description = ''
@ -97,10 +113,33 @@ in
} }
) )
); );
default = [ ]; default = { };
description = '' description = ''
The list of VLANs known to our ISP. The list of VLANs known to our ISP.
''; '';
}; };
vlans-groups = mkOption {
type = attrsOf (submodule {
options.id-list = mkOption {
type = listOf (ints.between 0 (4096 - 1));
description = ''
List of VLANs IDs inside this group.
'';
};
});
default = { };
description = ''
The list of groups of VLANs known to our ISP.
'';
};
}; };
config.isp.vlans-groups = mkMerge (
map (
{ flags, id, ... }:
genAttrs flags (_: {
id-list = [ id ];
})
) (attrValues cfg.vlans)
);
} }