From 93bf6f8baa6559dacfac9bb85f0e76a6f842d065 Mon Sep 17 00:00:00 2001
From: catvayor
Date: Thu, 18 Apr 2024 11:41:37 +0200
Subject: [PATCH 1/9] feat: refactor du plan IP
---
 machines/vault01/k-radius/site-dhcp.nix | 70 +++++++++++++++++++++++++
 machines/vault01/networking.nix | 17 ++++-
 2 files changed, 83 insertions(+), 4 deletions(-)
 create mode 100644 machines/vault01/k-radius/site-dhcp.nix
diff --git a/machines/vault01/k-radius/site-dhcp.nix b/machines/vault01/k-radius/site-dhcp.nix
new file mode 100644
index 0000000..bab8739
--- /dev/null
+++ b/machines/vault01/k-radius/site-dhcp.nix
@@ -0,0 +1,70 @@
+let
+ listen = vlan: ''
+ listen {
+ type = dhcp
+ ipaddr = 10.0.0.1
+ src_ipaddr = 10.0.0.1
+ port = 67
+ interface = vlan-user-${vlan}
+ broadcast = no #?
+ performance {
+ skip_duplicate_checks = no
+ }
+ # we store servIP so that latter modules can know with wich IP reply
+ update control {
+ &Client-Vlan = ${vlan}
+ }
+ }
+ '';
+ dhcpCommon = ''
+ update reply {
+ &DHCP-Domain-Name-Server = 10.0.0.1
+ &DHCP-Subnet-Mask = 255.255.128.0 # /17 ?????????
+ &DHCP-Router-Address = &control:Server-IP
+ &DHCP-Broadcast-Address = 10.0.127.255 # ???????
+ &DHCP-IP-Address-Lease-Time = 7200
+ &DHCP-DHCP-Server-Identifier = 10.0.0.1
+ }
+ '';
+ dhcpDiscover = ''
+ dhcp DHCP-Discover {
+ ${dhcpCommon}
+ update control {
+ &Pool-Name := "pool-%{&control:Client-Vlan}"
+ }
+ dhcp_sqlippool
+ if (notfound) {
+ do_not_respond #TODO not silent
+ }
+ ok
+ }
+ '';
+ dhcpRequest = ''
+ dhcp DHCP-Request {
+ if (&request:DHCP-DHCP-Server-Identifier && \
+ &request:DHCP-DHCP-Server-Identifier != &control:Server-IP) {
+ do_not_respond
+ }
+ ${dhcpCommon}
+ update control {
+ &Pool-Name := "pool-%{&control:Client-Vlan}"
+ }
+ dhcp_sqlippool_request
+ if (notfound) {
+ do_not_respond #TODO not silent
+ }
+ ok
+ }
+ '';
+in
+''
+ server dhcp {
+
+ ${builtins.concatStringsSep "\n\n" (map listen [ ])}
+
+ ${dhcpDiscover}
+
+ ${dhcpRequest}
+
+ }
+''
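Review bot: `dhcpCommon` replies `&DHCP-Router-Address = &control:Server-IP` and `dhcpRequest` compares the client's server identifier against `&control:Server-IP`, but the only `update control` in the file (inside `listen`) sets just `&Client-Vlan`, so `Server-IP` is never populated: the router option goes out empty and the identifier check in `dhcpRequest` compares against nothing. Add `&Server-IP = 10.0.0.1` next to `&Client-Vlan` in the listen template, or reply with the literal address until the per-VLAN value exists. Separately, `map listen [ ]` instantiates no listener at all, and the `# /17 ?????????` / `# ???????` markers on the mask and broadcast lines should be resolved or turned into a TODO naming what is unknown before this is deployed, since the mask handed to clients decides which addresses they treat as on-link.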
diff --git a/machines/vault01/networking.nix b/machines/vault01/networking.nix index 661dcb4..f506dfe 100644 --- a/machines/vault01/networking.nix +++ b/machines/vault01/networking.nix @@ -38,15 +38,24 @@ let mkUserVlan = id: let - vlan = 3245 + id; - prefix24nb = id / 32; - prefix29nb = (id - prefix24nb * 32) * 8; + # on alloue 10.0.0.0/17 aux thurnés, avec un /27 chacun, on garde 10.0.0.0/27 pour nous (routeur et autres) + vlan = 4094 - id; + prefix24nb = (id + 1) / 8; + prefix27nb = (id + 1 - prefix24nb * 8) * 32; in { name = "vlan-user-${builtins.toString vlan}"; value = { Id = vlan; - address = [ "10.0.${builtins.toString prefix24nb}.${builtins.toString (prefix29nb + 1)}/29" ]; + extraNetwork.routes = [ + { + routeConfig = { + Destination = "10.0.${builtins.toString prefix24nb}.${builtins.toString prefix27nb}/27"; + Source = "10.0.0.1/17"; + }; + } + ]; + address = [ "10.0.0.1/17" ]; }; }; -- 2.45.1 From 150e7412630c46cf39ab326c921d48f263ffbf53 Mon Sep 17 00:00:00 2001 From: catvayor Date: Thu, 25 Apr 2024 18:41:10 +0200 Subject: [PATCH 2/9] =?UTF-8?q?feat(routing):=20Chaque=20vlan=20a=20une=20?= =?UTF-8?q?IP=20diff=C3=A9rente=20et=20policyrules?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- machines/vault01/networking.nix | 65 ++++++++++++++++++++++++++++----- 1 file changed, 55 insertions(+), 10 deletions(-) diff --git a/machines/vault01/networking.nix b/machines/vault01/networking.nix index f506dfe..596063d 100644 --- a/machines/vault01/networking.nix +++ b/machines/vault01/networking.nix 
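Review bot: Every generated user VLAN interface gets the same `address = [ "10.0.0.1/17" ]`, so networkd installs an identical `10.0.0.0/17` prefix route on each interface and the kernel picks one of them for any address in the /17 that has no more specific route; the `/27` route with `Source = "10.0.0.1/17"` only covers that VLAN's own block. Either give each interface an address inside its own /27 (the `prefix27nb + 1` host the removed line used) or add a comment explaining why one shared /17 address on every VLAN is intended. The comment `# on alloue 10.0.0.0/17 aux thurnés ...` is the only description of the address plan; please keep it in English, e.g. `# 10.0.0.0/17 is allocated to the rooms, one /27 each; 10.0.0.0/27 is kept for us (router and other services)`. mkUserVlan's `value` attribute set continues outside the hunk.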
@@ -47,15 +47,35 @@ let name = "vlan-user-${builtins.toString vlan}"; value = { Id = vlan; - extraNetwork.routes = [ - { - routeConfig = { - Destination = "10.0.${builtins.toString prefix24nb}.${builtins.toString prefix27nb}/27"; - Source = "10.0.0.1/17"; - }; - } - ]; - address = [ "10.0.0.1/17" ]; + address = [ ]; + extraNetwork = { + addresses = [ + { + addressConfig = { + Address = "10.0.${builtins.toString prefix24nb}.${builtins.toString (prefix27nb + 1)}/27"; + AddPrefixRoute = false; + }; + } + ]; + routes = [ + { + routeConfig = { + Destination = "10.0.${builtins.toString prefix24nb}.${builtins.toString prefix27nb}/27"; + Table = "user"; + }; + } + ]; + routingPolicyRules = [ + { + routingPolicyRuleConfig = { + From = "10.0.${builtins.toString prefix24nb}.${builtins.toString prefix27nb}/27"; + To = "10.0.0.0/27"; + IncomingInterface = "vlan-user-${builtins.toString vlan}"; + Table = "user"; + }; + } + ]; + }; }; }; @@ -91,12 +111,37 @@ let extraNetwork.networkConfig.DHCPServer = "yes"; }; - } // builtins.listToAttrs (builtins.genList mkUserVlan 300); # 850 when we can + } // builtins.listToAttrs (builtins.genList mkUserVlan 10); # 850 when we can in { systemd.network = { + config.routeTables."user" = 1000; networks = { + "10-lo" = { + name = "lo"; + address = [ + "::1/128" + "127.0.0.1/8" + "10.0.0.1/16" + ]; + routes = [ + { + routeConfig = { + Destination = "10.0.0.0/27"; + Table = "user"; + }; + } + ]; + routingPolicyRules = [ + { + routingPolicyRuleConfig = { + IncomingInterface = "lo"; + Table = "user"; + }; + } + ]; + }; "10-enp67s0f0np0" = { name = "enp67s0f0np0"; networkConfig = { -- 2.45.1 From 35ab7bfee334052e71a7b56f27c9a487a6dcf4a5 Mon Sep 17 00:00:00 2001 From: catvayor Date: Fri, 26 Apr 2024 09:33:11 +0200 Subject: [PATCH 3/9] feat(dhcp): Add DHCP on vlans Uses networkd, maybe it's better to do it with radius, but it's simpler --- machines/vault01/networking.nix | 7 +++++++ 1 file changed, 7 insertions(+) 
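Review bot: The `routingPolicyRules` entry only sends traffic `From` the VLAN's /27 `To = "10.0.0.0/27"` through table `user`; any other packet arriving on `vlan-user-*` (to another room's /27, to the outside, or with a source outside the /27) falls through to the main table, and because `AddPrefixRoute = false` keeps the connected /27 out of main, what happens to it is decided by whatever routes the host otherwise has. If room-to-room isolation is the intent, state that in a comment above `routingPolicyRules` and add an explicit blackhole/unreachable rule for the rest of the VLAN traffic; if forwarding is intended, the rule set is missing those destinations. A strict reverse-path check on the VLAN interfaces (`net.ipv4.conf.<if>.rp_filter = 1`) would additionally stop a client from sourcing another room's addresses. The enclosing `mkUserVlan` starts outside the hunk.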
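Review bot: `"10-lo"` assigns `10.0.0.1/16` while the rest of the plan lives in `10.0.0.0/17` (the user /27s, the `10.0.0.0/27` service block); with the default `AddPrefixRoute` this puts a `10.0.0.0/16 dev lo` route into the main table, so every main-table lookup for a user address — including the inter-VLAN traffic the `user` table rules do not cover — is delivered to lo and silently dropped, and the `10.0.128.0/17` half is swallowed too. If that is the intended isolation mechanism, say so in a comment; otherwise use `"10.0.0.1/32"` (or a `/27` matching the `Destination` route) on lo. The `IncomingInterface = "lo"` policy rule has no `From`/`To` restriction, so all locally generated traffic consults table `user` first, which is only safe while that table stays limited to the user ranges; a comment recording that assumption next to `config.routeTables."user" = 1000` would help.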
diff --git a/machines/vault01/networking.nix b/machines/vault01/networking.nix index 596063d..55528fb 100644 --- a/machines/vault01/networking.nix +++ b/machines/vault01/networking.nix @@ -49,6 +49,13 @@ let Id = vlan; address = [ ]; extraNetwork = { + networkConfig.DHCPServer = "yes"; + dhcpServerConfig = { + EmitRouter = true; + Router = "10.0.0.1"; + EmitDNS = true; + DNS = "10.0.0.1"; + }; addresses = [ { addressConfig = { -- 2.45.1 From f22580dd26f44d9a743a928fcdb2a87fa359aaad Mon Sep 17 00:00:00 2001 From: catvayor Date: Thu, 2 May 2024 10:39:19 +0200 Subject: [PATCH 4/9] fix(vlans): activate things to bypass vlan limit --- machines/vault01/networking.nix | 30 +++++++++++++++++++++++------- 1 file changed, 23 insertions(+), 7 deletions(-) diff --git a/machines/vault01/networking.nix b/machines/vault01/networking.nix index 55528fb..fb87530 100644 --- a/machines/vault01/networking.nix +++ b/machines/vault01/networking.nix @@ -1,4 +1,5 @@ { + pkgs, lib, meta, name, @@ -49,12 +50,11 @@ let Id = vlan; address = [ ]; extraNetwork = { - networkConfig.DHCPServer = "yes"; - dhcpServerConfig = { - EmitRouter = true; - Router = "10.0.0.1"; - EmitDNS = true; - DNS = "10.0.0.1"; + networkConfig = { + LinkLocalAddressing = "no"; + }; + linkConfig = { + Promiscuous = true; }; addresses = [ { @@ -118,7 +118,7 @@ let extraNetwork.networkConfig.DHCPServer = "yes"; }; - } // builtins.listToAttrs (builtins.genList mkUserVlan 10); # 850 when we can + } // builtins.listToAttrs (builtins.genList mkUserVlan 850); # 850 when we can in { @@ -151,6 +151,7 @@ in }; "10-enp67s0f0np0" = { name = "enp67s0f0np0"; + linkConfig.Promiscuous = true; networkConfig = { VLAN = builtins.attrNames vlans; 
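Review bot: `dhcpServerConfig` advertises `Router = "10.0.0.1"` on every user VLAN, but the address networkd serves leases from on that interface is the VLAN's own `/27` (the `addressConfig` right below the hunk), so clients get a default gateway outside their subnet and cannot resolve it unless a classless static route option is also sent. Point `Router` at the interface's own /27 host address (the `prefix27nb + 1` value), or drop `Router` and rely on networkd's default, which as far as I recall is the interface address when `Router=` is unset. `DNS = "10.0.0.1"` is fine as long as the `user` table routes to it. mkUserVlan continues outside the hunk.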
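Review bot: `Promiscuous = true` is enabled on each generated VLAN netdev here and on the parent `enp67s0f0np0` in the `@@ -151,6 +151,7 @@` hunk without a comment, and the commit title is the only hint why; promiscuous mode makes the host accept every frame on the wire and is something an operator will question, so add `# NIC VLAN filtering is turned off (see ethtoolConfig) because the filter table cannot hold all user VLANs; promiscuous mode is needed to receive the tagged frames` above `linkConfig` (adjust if the reason differs). This hunk also silently removes the `DHCPServer`/`dhcpServerConfig` block added by the previous commit, which is unrelated to the VLAN limit and deserves its own commit or a line in the message. `LinkLocalAddressing = "no"` is worth a short why-comment as well.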
@@ -166,5 +167,20 @@ in netdevs = mapAttrs' mkNetdev vlans; }; + systemd.services.ethtoolConfig = { + wantedBy = [ "systemd-networkd.service" ]; + after = [ "sys-subsystem-net-devices-enp67s0f0np0.device" ]; + bindsTo = [ "sys-subsystem-net-devices-enp67s0f0np0.device" ]; + script = '' + ${lib.getExe pkgs.ethtool} -K enp67s0f0np0 rxvlan off + ${lib.getExe pkgs.ethtool} -K enp67s0f0np0 txvlan off + ${lib.getExe pkgs.ethtool} -K enp67s0f0np0 rx-vlan-filter off + ${lib.getExe pkgs.ethtool} -K enp67s0f0np0 rx-vlan-offload off + ${lib.getExe pkgs.ethtool} -K enp67s0f0np0 tx-vlan-offload off + ${lib.getExe pkgs.ethtool} -K enp67s0f0np0 tx-vlan-stag-hw-insert off + echo "Hardware for enp67s0f0np0 configured" + ''; + }; + networking.firewall.allowedUDPPorts = [ 67 ]; } -- 2.45.1 From 8c14c5d2c66b5c9fe8304511fa68a02784fdecad Mon Sep 17 00:00:00 2001 From: catvayor Date: Mon, 13 May 2024 17:25:36 +0200 Subject: [PATCH 5/9] refactor(vlans): list vlans and their parameters in a separate file --- machines/vault01/networking.nix | 27 ++++++++++++++------------- machines/vault01/user_vlans.nix | 14 ++++++++++++++ 2 files changed, 28 insertions(+), 13 deletions(-) create mode 100644 machines/vault01/user_vlans.nix diff --git a/machines/vault01/networking.nix b/machines/vault01/networking.nix index fb87530..96fa294 100644 --- a/machines/vault01/networking.nix +++ b/machines/vault01/networking.nix @@ -37,15 +37,16 @@ let }; mkUserVlan = - id: - let - # on alloue 10.0.0.0/17 aux thurnés, avec un /27 chacun, on garde 10.0.0.0/27 pour nous (routeur et autres) - vlan = 4094 - id; - prefix24nb = (id + 1) / 8; - prefix27nb = (id + 1 - prefix24nb * 8) * 32; - in { - name = "vlan-user-${builtins.toString vlan}"; + vlan, + netIP, + servIP, + prefixLength, + interfaceName, + ... + }: + { + name = interfaceName; value = { Id = vlan; address = [ ]; 
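Review bot: `ethtoolConfig` has no ordering relative to `systemd-networkd.service`: `wantedBy` only pulls it in, so networkd may bring the VLANs up before the offload features are switched off, and with the default `Type=simple` the unit counts as started as soon as the script is forked. Add `before = [ "systemd-networkd.service" ];` and `serviceConfig = { Type = "oneshot"; RemainAfterExit = true; };` so the script completes first and is not re-run on every activation. `networking.firewall.allowedUDPPorts = [ 67 ]` opens the DHCP server port on every interface including the uplink `enp67s0f0np0`; scope it to the user VLANs via `networking.firewall.interfaces.<name>.allowedUDPPorts`, and note that after the `@@ -49,12 +50,11 @@` hunk of this commit nothing listens on 67 any more.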
@@ -59,7 +60,7 @@ let addresses = [ { addressConfig = { - Address = "10.0.${builtins.toString prefix24nb}.${builtins.toString (prefix27nb + 1)}/27"; + Address = "${servIP}/${toString prefixLength}"; AddPrefixRoute = false; }; } @@ -67,7 +68,7 @@ let routes = [ { routeConfig = { - Destination = "10.0.${builtins.toString prefix24nb}.${builtins.toString prefix27nb}/27"; + Destination = "${netIP}/${toString prefixLength}"; Table = "user"; }; } @@ -75,9 +76,9 @@ let routingPolicyRules = [ { routingPolicyRuleConfig = { - From = "10.0.${builtins.toString prefix24nb}.${builtins.toString prefix27nb}/27"; + From = "${netIP}/${toString prefixLength}"; To = "10.0.0.0/27"; - IncomingInterface = "vlan-user-${builtins.toString vlan}"; + IncomingInterface = interfaceName; Table = "user"; }; } @@ -118,7 +119,7 @@ let extraNetwork.networkConfig.DHCPServer = "yes"; }; - } // builtins.listToAttrs (builtins.genList mkUserVlan 850); # 850 when we can + } // builtins.listToAttrs (map mkUserVlan (import ./user_vlans.nix)); in { diff --git a/machines/vault01/user_vlans.nix b/machines/vault01/user_vlans.nix new file mode 100644 index 0000000..59ec3a0 --- /dev/null +++ b/machines/vault01/user_vlans.nix @@ -0,0 +1,14 @@ +let + mkUserVlan = id: rec { + # on alloue 10.0.0.0/17 aux thurnés, avec un /27 chacun, on garde 10.0.0.0/27 pour nous (routeur et autres) + vlan = 4094 - id; + prefix24nb = (id + 1) / 8; + prefix27nb = (id + 1 - prefix24nb * 8) * 32; + prefixLength = 27; + netIP = "10.0.${toString prefix24nb}.${toString prefix27nb}"; + servIP = "10.0.${toString prefix24nb}.${toString (prefix27nb + 1)}"; + broadIP = "10.0.${toString prefix24nb}.${toString (prefix27nb + 31)}"; + interfaceName = "vlan-user-${toString vlan}"; + }; +in +builtins.genList mkUserVlan 850 -- 2.45.1 From f9250e88868a54821b2b1f2c7d60fe7ed7aebcbb Mon Sep 17 00:00:00 2001 
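Review bot: `user_vlans.nix` carries the only description of the address plan in a French comment and leaves its invariants implicit; document them in English at the top of `mkUserVlan`, e.g. `# 10.0.0.0/17 is split into /27 blocks for the rooms; 10.0.0.0/27 is reserved for the router and services. id 0 maps to 10.0.0.32/27, 8 blocks per /24, VLAN id = 4094 - id.`, and note on `broadIP` that `+ 31` is the last address of the /27. The count passed to `genList` (850 here) is what keeps `prefix24nb` below 128 (850 × 32 = 27200 < 32768 addresses), so a comment or an assertion at the bottom stating that the list must stay inside the /17 would protect the plan when that number changes, as it does in a later commit. The `rec` also exports `prefix24nb`/`prefix27nb`; if they are internals, compute them in a `let` and return only the named fields.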
From: catvayor Date: Mon, 13 May 2024 18:00:35 +0200 Subject: [PATCH 6/9] feat(k-radius): Allow to enable extra mods and sites --- machines/vault01/k-radius/module.nix | 67 +++++++++++++++++++++++++++- 1 file changed, 66 insertions(+), 1 deletion(-) diff --git a/machines/vault01/k-radius/module.nix b/machines/vault01/k-radius/module.nix index 060f142..486c2b6 100644 --- a/machines/vault01/k-radius/module.nix +++ b/machines/vault01/k-radius/module.nix @@ -11,6 +11,9 @@ let mkIf mkOption types + mapAttrsToList + optionalString + zipListsWith ; settingsFormat = pkgs.formats.toml { }; @@ -44,6 +47,32 @@ in description = "File to the auth token for the service account."; }; + extra-mods = mkOption { + type = types.attrsOf types.path; + description = "Additional files to be linked in mods-enabled."; + default = { }; + }; + + extra-sites = mkOption { + type = types.attrsOf types.path; + description = "Additional files to be linked in sites-enabled."; + default = { }; + }; + + dictionary = mkOption { + type = types.attrsOf ( + types.enum [ + "abinary" + "date" + "ipaddr" + "integer" + "string" + ] + ); + description = "Declare additionnal attributes to be listed in the dictionary."; + default = { }; + }; + radiusClients = mkOption { type = types.attrsOf ( types.submodule { @@ -77,6 +106,12 @@ in }; privateKeyPasswordFile = mkOption { type = types.path; }; + + checkConfiguration = mkOption { + type = types.bool; + description = "Check the configuration before starting the deamon. Usefull for debugging."; + default = false; + }; }; config = mkIf cfg.enable { @@ -104,6 +139,8 @@ in wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; wants = [ "network.target" ]; + startLimitIntervalSec = 20; + startLimitBurst = 5; preStart = '' mkdir -p ${cfg.configDir} 
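Review bot: The attribute names of `extra-mods`, `extra-sites` and `dictionary` are used verbatim as file names and as FreeRADIUS `ATTRIBUTE` tokens in `preStart` of the `@@ -164,8 +201,35 @@` hunk (`ln -nsf ${path} ${cfg.configDir}/mods-enabled/${name}`, `ATTRIBUTE ${name} ...`), and `types.attrsOf types.path` does not constrain the name, so a name containing `/`, `..`, whitespace or shell metacharacters would write outside `mods-enabled` or corrupt the generated script. The values come from this repository so the exposure is evaluation-time only, but a cheap assertion documents the contract; the `dictionary` description also has a typo (`additionnal` → `additional`).
```nix
# inside `config = mkIf cfg.enable { ... }`: option names become path components / dictionary tokens
assertions =
  let
    names = builtins.attrNames (cfg.extra-mods // cfg.extra-sites // cfg.dictionary);
    isSafe = n: builtins.match "[A-Za-z0-9_][A-Za-z0-9_.-]*" n != null;
  in
  [
    {
      assertion = builtins.all isSafe names;
      message = "k-radius: extra-mods/extra-sites/dictionary names must match [A-Za-z0-9_][A-Za-z0-9_.-]*";
    }
  ];
```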
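Review bot: The `checkConfiguration` description misspells two words; use `description = "Check the configuration before starting the daemon. Useful for debugging.";`. It would also help to state the effect: when enabled, the `radiusd -C` line in `preStart` is uncommented, so a broken configuration fails the unit before the daemon starts instead of at runtime.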
@@ -164,8 +201,35 @@ in sed -i ${cfg.configDir}/mods-available/eap \ -e "s/whatever/$(cat "${cfg.privateKeyPasswordFile}")/" + # Build the dictionary + cat < ${cfg.configDir}/dictionary + ${ + let + attrs = mapAttrsToList (name: type: { inherit name type; }) cfg.dictionary; + idList = builtins.genList (id: 3000 + id) (builtins.length attrs); + in + builtins.concatStringsSep "\n" ( + zipListsWith ({ name, type }: id: "ATTRIBUTE ${name} ${toString id} ${type}") attrs idList + ) + } + EOF + + # Link extra-mods + ${builtins.concatStringsSep "\n" ( + mapAttrsToList (name: path: "ln -nsf ${path} ${cfg.configDir}/mods-enabled/${name}") cfg.extra-mods + )} + + # Link extra-sites + ${builtins.concatStringsSep "\n" ( + mapAttrsToList ( + name: path: "ln -nsf ${path} ${cfg.configDir}/sites-enabled/${name}" + ) cfg.extra-sites + )} + # Check the configuration - # ${pkgs.freeradius}/bin/radiusd -C -d ${cfg.configDir} -l stdout + ${ + optionalString (!cfg.checkConfiguration) "# " + }${pkgs.freeradius}/bin/radiusd -C -d ${cfg.configDir} -l stdout ''; path = [ @@ -187,6 +251,7 @@ in LogsDirectory = "radius"; StateDirectory = "radius"; RuntimeDirectory = "radius"; + AmbientCapabilities = "CAP_NET_BIND_SERVICE"; Environment = [ "KANIDM_RLM_CONFIG=/var/lib/radius/kanidm.toml" "PYTHONPATH=${rlm_python.pythonPath}" -- 2.45.1 From e9c5489bc2366b144468fee8cb476b7fe0b5fee5 Mon Sep 17 00:00:00 2001 
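Review bot: As rendered, `cat < ${cfg.configDir}/dictionary` reads the dictionary file to stdout and the generated `ATTRIBUTE` lines up to `EOF` are then executed as shell commands; if the original reads `cat <<EOF > ${cfg.configDir}/dictionary` and the `<EOF >` was eaten by the page rendering, ignore this, otherwise the heredoc redirection is missing. The attribute numbers are assigned as `3000 + position` in `mapAttrsToList` order, i.e. alphabetical by name, so adding an attribute renumbers every attribute sorting after it; harmless while they are only used inside unlang, but worth a comment such as `# numbers are positional (3000 + index in name order); do not rely on them outside this server`. The `ln -nsf ${path} ...${name}` lines interpolate option names unquoted, so the names should be validated where the options are declared.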
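Review bot: `AmbientCapabilities = "CAP_NET_BIND_SERVICE"` is added without a comment and without narrowing the bounding set; add `# DHCP listeners bind UDP/67, which needs CAP_NET_BIND_SERVICE` and pair it with `CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";` so radiusd and anything it spawns (the Python rlm, for instance) cannot acquire other capabilities. Whether the service runs as a dedicated user is outside the hunk; if it still runs as root the ambient capability changes nothing and the line would be misleading.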
From: catvayor Date: Mon, 13 May 2024 18:03:00 +0200 Subject: [PATCH 7/9] feat(dhcp): dhcp configuration limit to 300 vlans because of freeRadius limitation --- machines/vault01/k-radius/default.nix | 27 +- machines/vault01/k-radius/dhcp-sqlsquema.nix | 101 ++++++ machines/vault01/k-radius/mod-dhcp_sql.nix | 83 +++++ machines/vault01/k-radius/mod-dhcp_sqlippool | 329 +++++++++++++++++++ machines/vault01/k-radius/site-dhcp.nix | 52 +-- machines/vault01/user_vlans.nix | 2 +- 6 files changed, 571 insertions(+), 23 deletions(-) create mode 100644 machines/vault01/k-radius/dhcp-sqlsquema.nix create mode 100644 machines/vault01/k-radius/mod-dhcp_sql.nix create mode 100644 machines/vault01/k-radius/mod-dhcp_sqlippool diff --git a/machines/vault01/k-radius/default.nix b/machines/vault01/k-radius/default.nix index 1bf5ec4..f807185 100644 --- a/machines/vault01/k-radius/default.nix +++ b/machines/vault01/k-radius/default.nix @@ -1,4 +1,9 @@ -{ config, lib, ... }: +{ + config, + lib, + pkgs, + ... +}: { imports = [ ./module.nix ]; @@ -52,6 +57,26 @@ ); radiusClients = { }; + + extra-mods = { + dhcp_sql = import ./mod-dhcp_sql.nix { + inherit pkgs; + vlans = import ../user_vlans.nix; + }; + dhcp_sqlippool = ./mod-dhcp_sqlippool; + }; + extra-sites = { + dhcp = import ./site-dhcp.nix { + inherit pkgs; + vlans = import ../user_vlans.nix; + }; + }; + dictionary = { + Client-Vlan = "integer"; + Server-IP = "ipaddr"; + Broadcast-IP = "ipaddr"; + }; + checkConfiguration = true; }; age-secrets.autoMatch = [ "radius" ]; diff --git a/machines/vault01/k-radius/dhcp-sqlsquema.nix b/machines/vault01/k-radius/dhcp-sqlsquema.nix new file mode 100644 index 0000000..8b00a82 --- /dev/null +++ b/machines/vault01/k-radius/dhcp-sqlsquema.nix 
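Review bot: `import ../user_vlans.nix` is evaluated separately for `dhcp_sql` and for the `dhcp` site (and again in `networking.nix`); bind it once with `let vlans = import ../user_vlans.nix; in` around the attribute set so pools, listeners and VLAN netdevs are visibly built from the same list. `checkConfiguration = true;` runs `radiusd -C` on every start, which contradicts the option's "for debugging" description; leave a comment saying it is intentional or switch it off once the DHCP setup is stable. The `dictionary` entries (`Client-Vlan`, `Server-IP`, `Broadcast-IP`) must stay in sync with the `update control` block in `site-dhcp.nix`; a one-line comment pointing there would help.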
@@ -0,0 +1,101 @@ +{ pkgs, vlans }: +let + mkVlan = + { + vlan, + prefix24nb, + prefix27nb, + ... + }: + let + mkIp = + idx: + let + id = 256 * prefix24nb + prefix27nb + 2 + idx; + in + "(${toString id}, 'pool-${toString vlan}', '10.0.${toString prefix24nb}.${ + toString (prefix27nb + 2 + idx) + }', 1)"; + ipList = builtins.genList mkIp 29; + in + '' + INSERT INTO dhcpippool (id, pool_name, framedipaddress, status_id) VALUES + ${builtins.concatStringsSep ", " ipList}; + ''; +in +pkgs.writeText "dhcp-schema.sql" '' + ----------------------------------------------------------------------------- + -- $Id: 54a9abbf01d4161cadb304cdd3755856c6f15442 $ -- + -- -- + -- schema.sql rlm_sql - FreeRADIUS SQLite Module -- + -- -- + -- Database schema for SQLite rlm_sql module for DHCP -- + -- -- + ----------------------------------------------------------------------------- + + -- + -- Table structure for table 'dhcpgroupreply' + -- + CREATE TABLE dhcpgroupreply ( + id INTEGER PRIMARY KEY AUTOINCREMENT, + groupname varchar(64) NOT NULL default ''', + attribute varchar(64) NOT NULL default ''', + op char(2) NOT NULL DEFAULT '=', + value varchar(253) NOT NULL default ''', + context varchar(16) NOT NULL default ''' + ); + CREATE INDEX dhcpgroupreply_groupname ON dhcpgroupreply(context,groupname); + + -- + -- Table structure for table 'dhcpreply' + -- + CREATE TABLE dhcpreply ( + id INTEGER PRIMARY KEY AUTOINCREMENT, + identifier varchar(253) NOT NULL default ''', + attribute varchar(64) NOT NULL default ''', + op char(2) NOT NULL DEFAULT '=', + value varchar(253) NOT NULL default ''', + context varchar(16) NOT NULL default ''' + ); + CREATE INDEX dhcpreply_identifier ON dhcpreply(context,identifier); + + -- + -- Table structure for table 'dhcpgroup' + -- + CREATE TABLE dhcpgroup ( + id INTEGER PRIMARY KEY AUTOINCREMENT, + identifier varchar(253) NOT NULL default ''', + groupname varchar(64) NOT NULL default ''', + priority int(11) NOT NULL default '1', + context varchar(16) NOT 
NULL default ''' + ); + CREATE INDEX dhcpgroup_identifier ON dhcpgroup(context,identifier); + + -- + -- Table structure for table 'dhcpippool' + -- + CREATE TABLE dhcpstatus ( + status_id int PRIMARY KEY, + status varchar(10) NOT NULL + ); + + INSERT INTO dhcpstatus (status_id, status) VALUES (1, 'dynamic'), (2, 'static'), (3, 'declined'), (4, 'disabled'); + + CREATE TABLE dhcpippool ( + id int(11) PRIMARY KEY, + pool_name varchar(30) NOT NULL, + framedipaddress varchar(15) NOT NULL, + pool_key varchar(30) NOT NULL default ''', + gateway varchar(15) NOT NULL default ''', + expiry_time DATETIME NOT NULL default (DATETIME('now')), + status_id int NOT NULL default 1, + counter int NOT NULL default 0, + FOREIGN KEY(status_id) REFERENCES dhcpstatus(status_id) + ); + + CREATE INDEX dhcpippool_poolname_expire ON dhcpippool(pool_name, expiry_time); + CREATE INDEX dhcpippool_framedipaddress ON dhcpippool(framedipaddress); + CREATE INDEX dhcpippool_poolname_poolkey_ipaddress ON dhcpippool(pool_name, pool_key, framedipaddress); + + ${builtins.concatStringsSep "\n" (map mkVlan vlans)} +'' diff --git a/machines/vault01/k-radius/mod-dhcp_sql.nix b/machines/vault01/k-radius/mod-dhcp_sql.nix new file mode 100644 index 0000000..14837dc --- /dev/null +++ b/machines/vault01/k-radius/mod-dhcp_sql.nix 
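Review bot: The pool rows are generated into the `bootstrap` schema, which rlm_sql_sqlite applies only when the database file does not exist yet, so changing `user_vlans.nix` (as later commits do) will not add or remove pools in an existing database; document that next to the `INSERT INTO dhcpippool` template, e.g. `-- applied once at database creation; re-create the DB after changing the VLAN list`. The ids `256 * prefix24nb + prefix27nb + 2 + idx` are unique per address and `genList mkIp 29` skips the network, server (`+1`) and broadcast (`+31`) addresses, which is right for a /27 but deserves a comment. The heading `-- Table structure for table 'dhcpippool'` sits above `dhcpstatus`; move it or add a `dhcpstatus` heading.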
@@ -0,0 +1,83 @@ +{ pkgs, ... }@args: +pkgs.writeText "mod-dhcp_sql" '' + sql dhcp_sql { + dialect = "sqlite" + driver = "rlm_sql_''${dialect}" + + sqlite { + filename = "/tmp/freeradius.db" + busy_timeout = 200 + bootstrap = "${import ./dhcp-sqlsquema.nix args}" + } + + radius_db = "radius" + + read_groups = no + + pool { + start = ''${thread[pool].start_servers} + min = ''${thread[pool].min_spare_servers} + max = ''${thread[pool].max_servers} + spare = ''${thread[pool].max_spare_servers} + uses = 0 + retry_delay = 30 + lifetime = 0 + idle_timeout = 60 + } + + group_attribute = "''${.:instance}-SQL-Group" + + # -*- text -*- + # + # dhcp/sqlite/queries.conf -- SQLite configuration for DHCP schema (schema.sql) + # + # $Id: 0cc720220d237d98934dd23173ccb4e09bd0cb01 $ + + # Safe characters list for sql queries. Everything else is replaced + # with their mime-encoded equivalents. + # The default list should be ok + # safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" + + ####################################################################### + # Query config: Identifier + ####################################################################### + # This is the identifier that will get substituted, escaped, and added + # as attribute 'SQL-User-Name'. '%{SQL-User-Name}' should be used + # below everywhere an identifier substitution is needed so you you can + # be sure the identifier passed from the client is escaped properly. + # + sql_user_name = "%{control:DHCP-SQL-Option-Identifier}" + + ####################################################################### + # Attribute Lookup Queries + ####################################################################### + # These queries setup the reply items in ''${dhcpreply_table} and + # ''${group_reply_query}. You can use any query/tables you want, but + # the return data for each row MUST be in the following order: + # + # 0. Row ID (currently unused) + # 1. Identifier + # 2. 
Item Attr Name + # 3. Item Attr Value + # 4. Item Attr Operation + ####################################################################### + + authorize_reply_query = "\ + SELECT id, identifier, attribute, value, op \ + FROM dhcpreply \ + WHERE identifier = '%{SQL-User-Name}' AND context = '%{control:DHCP-SQL-Option-Context}' \ + ORDER BY id" + + authorize_group_reply_query = "\ + SELECT id, groupname, attribute, value, op \ + FROM dhcpgroupreply \ + WHERE groupname = '%{''${group_attribute}}' AND context = '%{control:DHCP-SQL-Option-Context}' \ + ORDER BY id" + + group_membership_query = "\ + SELECT groupname \ + FROM dhcpgroup \ + WHERE identifier='%{SQL-User-Name}' AND context = '%{control:DHCP-SQL-Option-Context}' \ + ORDER BY priority" + } +'' diff --git a/machines/vault01/k-radius/mod-dhcp_sqlippool b/machines/vault01/k-radius/mod-dhcp_sqlippool new file mode 100644 index 0000000..323cd5b --- /dev/null +++ b/machines/vault01/k-radius/mod-dhcp_sqlippool 
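Review bot: `filename = "/tmp/freeradius.db"` places the lease database in a world-writable, reboot-cleared directory: unless the unit has `PrivateTmp`, another local user can pre-create or replace the file before radiusd starts, and every reboot discards all leases and re-runs `bootstrap`. The service already declares `StateDirectory = "radius"` in `module.nix`, so use `filename = "/var/lib/radius/dhcp.db"`. `sql_user_name = "%{control:DHCP-SQL-Option-Identifier}"` is used by the three lookup queries, but nothing in the DHCP site sets that control attribute; if the reply/group lookups are unused, say so in a comment or remove the queries.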
@@ -0,0 +1,329 @@ +# Configuration for DHCP for the SQL based IP Pools module (rlm_sqlippool). +# +# See raddb/mods-available/sqlippool for common configuration explanation +# +# See raddb/policy.d/dhcp_sqlippool for the "glue" code that allows +# the RADIUS based "sqlippool" module to be used for DHCP. +# +# See raddb/sites-available/dhcp for instructions on how to configure +# the DHCP server. +# +# The database schemas are available at: +# +# raddb/mods-config/sql/ippool-dhcp//schema.sql +# +# $Id: 909b93c7ebcbbeb16b123ca38e696790b5771dda $ + +sqlippool dhcp_sqlippool { + # SQL instance to use (from mods-available/sql) + # + # If you have multiple sql instances, such as "sql sql1 {...}", + # use the *instance* name here: sql1. + sql_module_instance = "dhcp_sql" + + # This is duplicative of info available in the SQL module, but + # we have to list it here as we do not yet support nested + # reference expansions. + dialect = "mysql" + + # The duration for which a lease is reserved whilst under offer + offer_duration = 10 + + # IP lease duration. (Leases expire even if no DHCP-Release packet is received) + # Either use the value to be sent to the client or a hard coded one. + #lease_duration = "%{reply:DHCP-IP-Address-Lease-Time}" + lease_duration = 7200 + + # The attribute in which the IP address is returned in the reply + attribute_name = "DHCP-Your-IP-Address" + + # Assign the IP address, even if the above attribute already exists in + # the reply. + # +# allow_duplicates = no + + # The attribute in which an IP address hint may be supplied + req_attribute_name = "DHCP-Requested-IP-Address" + + # + # RFC 2132 allows the DHCP client to supply a unique + # identifier ("uid") using Option 61 (DHCP-Client-Identifier) + # in which case it must be used as the lookup key for + # configuration data. 
+ # + pool_key = "%{%{DHCP-Client-Identifier}:-%{DHCP-Client-Hardware-Address}}" + # + # The "uid" is generated by the OS which means that clients + # whose BMC piggybacks on the main interface (sharing its MAC, + # but generating a distinct uid) and dual-booting clients can + # be allocated multiple IPs, consuming more pool entries. To + # avoid this you can ignore the RFCs and key the configuration + # data based only on the client MAC address. + # + # pool_key = "%{DHCP-Client-Hardware-Address}" + + ################################################################ + # + # WARNING: MySQL (MyISAM) has certain limitations that means it can + # hand out the same IP address to 2 different users. + # + # We suggest using an SQL DB with proper transaction + # support, such as PostgreSQL, or using MySQL + # with InnoDB. + # + ################################################################ + + # These messages are added to the "control" items, as + # Module-Success-Message. They are not logged anywhere else, + # unlike previous versions. If you want to have them logged + # to a file, see the "linelog" module, and create an entry + # which writes Module-Success-Message message. 
+ # + messages { + exists = "DHCP: Existing IP: %{reply:${..attribute_name}} (cid %{DHCP-Client-Identifier} chaddr %{DHCP-Client-Hardware-Address} giaddr %{DHCP-Gateway-IP-Address})" + + success = "DHCP: Allocated IP: %{reply:${..attribute_name}} from %{control:Pool-Name} (cid %{DHCP-Client-Identifier} chaddr %{DHCP-Client-Hardware-Address} giaddr %{DHCP-Gateway-IP-Address})" + + clear = "DHCP: Released IP %{DHCP-Client-IP-Address} (cid %{DHCP-Client-Identifier} chaddr %{DHCP-Client-Hardware-Address} giaddr %{DHCP-Gateway-IP-Address})" + + failed = "DHCP: IP Allocation FAILED from %{control:Pool-Name} (cid %{DHCP-Client-Identifier} chaddr %{DHCP-Client-Hardware-Address} giaddr %{DHCP-Gateway-IP-Address})" + + nopool = "DHCP: No Pool-Name defined (cid %{DHCP-Client-Identifier} chaddr %{DHCP-Client-Hardware-Address} giaddr %{DHCP-Gateway-IP-Address})" + } + + # -*- text -*- + # + # ippool-dhcp/sqlite/queries.conf -- SQLite queries for rlm_sqlippool + # + # $Id: d99e09bfc8559eaf5584c32fb6a94c99e689fee3 $ + + # ***************** + # * DHCP DISCOVER * + # ***************** + + # + # SQLite does not implement SELECT FOR UPDATE which is normally used to place + # an exclusive lock over rows to prevent the same address from being + # concurrently selected for allocation to multiple users. + # + # The most granular read-blocking lock that SQLite has is an exclusive lock + # over the database, so that's what we use. All locking in SQLite is performed + # over the entire database and we perform a row update for any IP that we + # allocate, requiring an exclusive lock. Taking the exclusive lock from the + # start of the transaction (even if it were not required to guard the SELECT) + # is actually quicker than if we deferred it causing SQLite to "upgrade" the + # automatic shared lock for the transaction to an exclusive lock for the + # subsequent UPDATE. 
+ # + allocate_begin = "BEGIN EXCLUSIVE" + allocate_commit = "COMMIT" + + # + # Attempt to find the most recent existing IP address for the client + # + allocate_existing = "\ + SELECT framedipaddress \ + FROM dhcpippool \ + JOIN dhcpstatus \ + ON dhcpippool.status_id = dhcpstatus.status_id \ + WHERE pool_name = '%{control:Pool-Name}' \ + AND pool_key = '${pool_key}' \ + AND status IN ('dynamic', 'static') \ + ORDER BY expiry_time DESC \ + LIMIT 1" + + # + # Determine whether the requested IP address is available + # + allocate_requested = "\ + SELECT framedipaddress \ + FROM dhcpippool \ + JOIN dhcpstatus \ + ON dhcpippool.status_id = dhcpstatus.status_id \ + WHERE pool_name = '%{control:Pool-Name}' \ + AND framedipaddress = '%{%{${req_attribute_name}}:-0.0.0.0}' \ + AND status = 'dynamic' \ + AND expiry_time < datetime('now')" + + # + # If the existing address can't be found this query will be run to + # find a free address + # + #allocate_find = "\ + # SELECT framedipaddress \ + # FROM dhcpippool \ + # JOIN dhcpstatus \ + # ON dhcpippool.status_id = dhcpstatus.status_id \ + # WHERE pool_name = '%{control:Pool-Name}' \ + # AND expiry_time < datetime('now') \ + # AND status = 'dynamic' \ + # ORDER BY expiry_time LIMIT 1" + + # + # This series of queries allocates an IP address + # + # Either pull the most recent allocated IP for this client or the + # oldest expired one. The first sub query returns the most recent + # lease for the client (if there is one), the second returns the + # oldest expired one. + # Sorting the result by expiry_time DESC will return the client specific + # IP if it exists, otherwise an expired one. 
+ # + allocate_find = "\ + SELECT framedipaddress, 1 AS o \ + FROM ( \ + SELECT framedipaddress \ + FROM dhcpippool \ + JOIN dhcpstatus \ + ON dhcpippool.status_id = dhcpstatus.status_id \ + WHERE pool_name = '%{control:Pool-Name}' \ + AND pool_key = '${pool_key}' \ + AND status IN ('dynamic', 'static') \ + ORDER BY expiry_time DESC \ + LIMIT 1 \ + ) UNION \ + SELECT framedipaddress, 2 AS o \ + FROM ( \ + SELECT framedipaddress \ + FROM dhcpippool \ + JOIN dhcpstatus \ + ON dhcpippool.status_id = dhcpstatus.status_id \ + WHERE pool_name = '%{control:Pool-Name}' \ + AND framedipaddress = '%{%{${req_attribute_name}}:-0.0.0.0}' \ + AND status = 'dynamic' \ + AND ( pool_key = '${pool_key}' OR expiry_time < datetime('now') ) \ + ) UNION \ + SELECT framedipaddress, 3 AS o \ + FROM ( \ + SELECT framedipaddress \ + FROM dhcpippool \ + JOIN dhcpstatus \ + ON dhcpippool.status_id = dhcpstatus.status_id \ + WHERE pool_name = '%{control:Pool-Name}' \ + AND expiry_time < datetime('now') \ + AND status = 'dynamic' \ + ORDER BY expiry_time LIMIT 1 \ + ) \ + ORDER BY o \ + LIMIT 1" + + # + # If you prefer to allocate a random IP address every time, i + # use this query instead + # Note: This is very slow if you have a lot of free IPs. + # + + #allocate_find = "\ + # SELECT framedipaddress \ + # FROM dhcpippool \ + # JOIN dhcpstatus \ + # ON dhcpippool.status_id = dhcpstatus.status_id \ + # WHERE pool_name = '%{control:Pool-Name}' \ + # AND expiry_time < datetime('now') \ + # AND status = 'dynamic' \ + # ORDER BY RAND() \ + + + # + # If an IP could not be allocated, check to see if the pool exists or not + # This allows the module to differentiate between a full pool and no pool + # Note: If you are not running redundant pool modules this query may be + # commented out to save running this query every time an ip is not allocated. 
+ # + pool_check = "\ + SELECT id \ + FROM dhcpippool \ + WHERE pool_name='%{control:Pool-Name}' \ + LIMIT 1" + + # + # This is the final IP Allocation query, which saves the allocated ip details + # + allocate_update = "\ + UPDATE dhcpippool \ + SET \ + gateway = '%{DHCP-Gateway-IP-Address}', \ + pool_key = '${pool_key}', \ + expiry_time = datetime(strftime('%%s', 'now') + ${offer_duration}, 'unixepoch') \ + WHERE framedipaddress = '%I'" + + + # **************** + # * DHCP REQUEST * + # **************** + + # + # This query revokes any active offers for addresses that a client is not + # requesting when a DHCP REQUEST packet arrives + # + start_update = "\ + UPDATE dhcpippool \ + SET \ + gateway = ''', \ + pool_key = ''', \ + expiry_time = datetime('now') \ + WHERE pool_name = '%{control:Pool-Name}' \ + AND pool_key = '${pool_key}' \ + AND framedipaddress <> '%{DHCP-Requested-IP-Address}' \ + AND expiry_time > datetime('now') \ + AND dhcpippool.status_id IN \ + (SELECT status_id FROM dhcpstatus WHERE status = 'dynamic')" + + # + # This query extends an existing lease (or offer) when a DHCP REQUEST packet + # arrives. This query must update a row when a lease is succesfully requested + # - queries that update no rows will result in a "notfound" response to + # the module which by default will give a DHCP-NAK reply. In this example + # incrementing "counter" is used to achieve this. 
+ # + alive_update = "\ + UPDATE dhcpippool \ + SET \ + expiry_time = datetime(strftime('%%s', 'now') + ${lease_duration}, 'unixepoch'), \ + counter = counter + 1 \ + WHERE pool_name = '%{control:Pool-Name}' \ + AND pool_key = '${pool_key}' \ + AND framedipaddress = '%{%{DHCP-Requested-IP-Address}:-%{DHCP-Client-IP-Address}}'" + + + # **************** + # * DHCP RELEASE * + # **************** + + # + # This query frees an IP address when a DHCP RELEASE packet arrives + # + stop_clear = "\ + UPDATE dhcpippool \ + SET \ + gateway = ''', \ + pool_key = ''', \ + expiry_time = datetime('now') \ + WHERE pool_name = '%{control:Pool-Name}' \ + AND pool_key = '${pool_key}' \ + AND framedipaddress = '%{DHCP-Client-IP-Address}' \ + AND dhcpippool.status_id IN \ + (SELECT status_id FROM dhcpstatus WHERE status = 'dynamic')" + + + # + # This query is not applicable to DHCP + # + on_clear = "" + + + # **************** + # * DHCP DECLINE * + # **************** + + # + # This query marks an IP address as declined when a DHCP Decline + # packet arrives + # + off_clear = "\ + UPDATE dhcpippool \ + SET status_id = (SELECT status_id FROM dhcpstatus WHERE status = 'declined') \ + WHERE pool_name = '%{control:Pool-Name}' \ + AND pool_key = '${pool_key}' \ + AND framedipaddress = '%{DHCP-Requested-IP-Address}'" +} diff --git a/machines/vault01/k-radius/site-dhcp.nix b/machines/vault01/k-radius/site-dhcp.nix index bab8739..5568898 100644 --- a/machines/vault01/k-radius/site-dhcp.nix +++ b/machines/vault01/k-radius/site-dhcp.nix 
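Review bot: `dialect = "mysql"` contradicts the `dhcp_sql` instance this module points at (`dialect = "sqlite"` in `mod-dhcp_sql.nix`) and the queries below, which are the SQLite variants (`BEGIN EXCLUSIVE`, `datetime('now')`, `strftime('%%s', 'now')`); the comment above it even says the value duplicates the sql module's. Change it to `dialect = "sqlite"`. `lease_duration = 7200` is a second copy of the lease time that must match what the site replies; prefer the commented alternative `lease_duration = "%{reply:DHCP-IP-Address-Lease-Time}"` so the database and the client agree by construction. The `WARNING: MySQL (MyISAM)` block and the `ORDER BY RAND()` alternative are MySQL leftovers and can be trimmed.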
@@ -1,28 +1,38 @@ +{ pkgs, vlans }: let - listen = vlan: '' - listen { - type = dhcp - ipaddr = 10.0.0.1 - src_ipaddr = 10.0.0.1 - port = 67 - interface = vlan-user-${vlan} - broadcast = no #? - performance { - skip_duplicate_checks = no + listen = + { + vlan, + servIP, + broadIP, + interfaceName, + ... + }: + '' + listen { + type = dhcp + ipaddr = ${servIP} + src_ipaddr = ${servIP} + port = 67 + interface = ${interfaceName} + broadcast = no #? + performance { + skip_duplicate_checks = no + } + # we store servIP so that latter modules can know with wich IP reply + update control { + &Client-Vlan = ${toString vlan} + &Server-IP = ${servIP} + &Broadcast-IP = ${broadIP} + } } - # we store servIP so that latter modules can know with wich IP reply - update control { - &Client-Vlan = ${vlan} - } - } - ''; + ''; dhcpCommon = '' update reply { &DHCP-Domain-Name-Server = 10.0.0.1 - &DHCP-Subnet-Mask = 255.255.128.0 # /17 ????????? + &DHCP-Subnet-Mask = 255.255.255.224 &DHCP-Router-Address = &control:Server-IP - &DHCP-Broadcast-Address = 10.0.127.255 # ??????? - &DHCP-IP-Address-Lease-Time = 7200 + &DHCP-Broadcast-Address = &control:Broadcast-IP &DHCP-DHCP-Server-Identifier = 10.0.0.1 } ''; @@ -57,10 +67,10 @@ let } ''; in -'' +pkgs.writeText "site-dhcp" '' server dhcp { - ${builtins.concatStringsSep "\n\n" (map listen [ ])} + ${builtins.concatStringsSep "\n\n" (map listen vlans)} ${dhcpDiscover} diff --git a/machines/vault01/user_vlans.nix b/machines/vault01/user_vlans.nix index 59ec3a0..e73b944 100644 --- a/machines/vault01/user_vlans.nix +++ b/machines/vault01/user_vlans.nix @@ -11,4 +11,4 @@ let interfaceName = "vlan-user-${toString vlan}"; }; in -builtins.genList mkUserVlan 850 +builtins.genList mkUserVlan 300 # 850 -- 2.45.1 From 9f256186e0ff462fd188073112d9988c241d270c Mon Sep 17 00:00:00 2001 
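Review bot: The `&DHCP-IP-Address-Lease-Time = 7200` reply line is removed from `dhcpCommon` without a replacement, so clients no longer receive option 51 from this block unless something outside this file sets it; the sqlippool configuration visible later in this series hard-codes `lease_duration = 7200` for database expiry only, so either restore `&DHCP-IP-Address-Lease-Time = 7200` or document where the lease time now comes from. `&DHCP-Subnet-Mask = 255.255.255.224` and the two `10.0.0.1` literals stay hard-coded while `servIP`/`broadIP` became per-VLAN parameters; if the /27 is a fixed design choice a one-line comment saying so would help. The comment `# we store servIP so that latter modules can know with wich IP reply` should read `# we store servIP so that later modules know which IP to reply from`. Note that this file is deleted again in PATCH 8/9 of the series, so these points only matter if the FreeRADIUS DHCP path is kept.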
From: catvayor Date: Wed, 22 May 2024 18:34:51 +0200 Subject: [PATCH 8/9] feat(dhcp): drop freeRadius to use networkd --- machines/vault01/k-radius/default.nix | 27 +- machines/vault01/k-radius/dhcp-sqlsquema.nix | 101 ------ machines/vault01/k-radius/mod-dhcp_sql.nix | 83 ----- machines/vault01/k-radius/mod-dhcp_sqlippool | 329 ------------------- machines/vault01/k-radius/module.nix | 1 + machines/vault01/k-radius/site-dhcp.nix | 80 ----- machines/vault01/networking.nix | 119 +++---- machines/vault01/user_vlans.nix | 2 +- 8 files changed, 67 insertions(+), 675 deletions(-) delete mode 100644 machines/vault01/k-radius/dhcp-sqlsquema.nix delete mode 100644 machines/vault01/k-radius/mod-dhcp_sql.nix delete mode 100644 machines/vault01/k-radius/mod-dhcp_sqlippool delete mode 100644 machines/vault01/k-radius/site-dhcp.nix diff --git a/machines/vault01/k-radius/default.nix b/machines/vault01/k-radius/default.nix index f807185..1bf5ec4 100644 --- a/machines/vault01/k-radius/default.nix +++ b/machines/vault01/k-radius/default.nix @@ -1,9 +1,4 @@ -{ - config, - lib, - pkgs, - ... -}: +{ config, lib, ... }: { imports = [ ./module.nix ]; @@ -57,26 +52,6 @@ ); radiusClients = { }; - - extra-mods = { - dhcp_sql = import ./mod-dhcp_sql.nix { - inherit pkgs; - vlans = import ../user_vlans.nix; - }; - dhcp_sqlippool = ./mod-dhcp_sqlippool; - }; - extra-sites = { - dhcp = import ./site-dhcp.nix { - inherit pkgs; - vlans = import ../user_vlans.nix; - }; - }; - dictionary = { - Client-Vlan = "integer"; - Server-IP = "ipaddr"; - Broadcast-IP = "ipaddr"; - }; - checkConfiguration = true; }; age-secrets.autoMatch = [ "radius" ]; diff --git a/machines/vault01/k-radius/dhcp-sqlsquema.nix b/machines/vault01/k-radius/dhcp-sqlsquema.nix deleted file mode 100644 index 8b00a82..0000000 --- a/machines/vault01/k-radius/dhcp-sqlsquema.nix +++ /dev/null 
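Review bot: `checkConfiguration = true;` is removed together with the DHCP-specific options in the `@@ -57,26 +52,6 @@` hunk, although it applies to the whole FreeRADIUS configuration and not only to DHCP; with the module's `default = false` the `radiusd -C` pre-start check is now skipped for the remaining RADIUS setup. If that is unintended, keep the line: `checkConfiguration = true;`. The `@@ -1,9 +1,4 @@` hunk of the same file only trims the now-unused `pkgs` argument.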
@@ -1,101 +0,0 @@ -{ pkgs, vlans }: -let - mkVlan = - { - vlan, - prefix24nb, - prefix27nb, - ... - }: - let - mkIp = - idx: - let - id = 256 * prefix24nb + prefix27nb + 2 + idx; - in - "(${toString id}, 'pool-${toString vlan}', '10.0.${toString prefix24nb}.${ - toString (prefix27nb + 2 + idx) - }', 1)"; - ipList = builtins.genList mkIp 29; - in - '' - INSERT INTO dhcpippool (id, pool_name, framedipaddress, status_id) VALUES - ${builtins.concatStringsSep ", " ipList}; - ''; -in -pkgs.writeText "dhcp-schema.sql" '' - ----------------------------------------------------------------------------- - -- $Id: 54a9abbf01d4161cadb304cdd3755856c6f15442 $ -- - -- -- - -- schema.sql rlm_sql - FreeRADIUS SQLite Module -- - -- -- - -- Database schema for SQLite rlm_sql module for DHCP -- - -- -- - ----------------------------------------------------------------------------- - - -- - -- Table structure for table 'dhcpgroupreply' - -- - CREATE TABLE dhcpgroupreply ( - id INTEGER PRIMARY KEY AUTOINCREMENT, - groupname varchar(64) NOT NULL default ''', - attribute varchar(64) NOT NULL default ''', - op char(2) NOT NULL DEFAULT '=', - value varchar(253) NOT NULL default ''', - context varchar(16) NOT NULL default ''' - ); - CREATE INDEX dhcpgroupreply_groupname ON dhcpgroupreply(context,groupname); - - -- - -- Table structure for table 'dhcpreply' - -- - CREATE TABLE dhcpreply ( - id INTEGER PRIMARY KEY AUTOINCREMENT, - identifier varchar(253) NOT NULL default ''', - attribute varchar(64) NOT NULL default ''', - op char(2) NOT NULL DEFAULT '=', - value varchar(253) NOT NULL default ''', - context varchar(16) NOT NULL default ''' - ); - CREATE INDEX dhcpreply_identifier ON dhcpreply(context,identifier); - - -- - -- Table structure for table 'dhcpgroup' - -- - CREATE TABLE dhcpgroup ( - id INTEGER PRIMARY KEY AUTOINCREMENT, - identifier varchar(253) NOT NULL default ''', - groupname varchar(64) NOT NULL default ''', - priority int(11) NOT NULL default '1', - context varchar(16) NOT 
NULL default ''' - ); - CREATE INDEX dhcpgroup_identifier ON dhcpgroup(context,identifier); - - -- - -- Table structure for table 'dhcpippool' - -- - CREATE TABLE dhcpstatus ( - status_id int PRIMARY KEY, - status varchar(10) NOT NULL - ); - - INSERT INTO dhcpstatus (status_id, status) VALUES (1, 'dynamic'), (2, 'static'), (3, 'declined'), (4, 'disabled'); - - CREATE TABLE dhcpippool ( - id int(11) PRIMARY KEY, - pool_name varchar(30) NOT NULL, - framedipaddress varchar(15) NOT NULL, - pool_key varchar(30) NOT NULL default ''', - gateway varchar(15) NOT NULL default ''', - expiry_time DATETIME NOT NULL default (DATETIME('now')), - status_id int NOT NULL default 1, - counter int NOT NULL default 0, - FOREIGN KEY(status_id) REFERENCES dhcpstatus(status_id) - ); - - CREATE INDEX dhcpippool_poolname_expire ON dhcpippool(pool_name, expiry_time); - CREATE INDEX dhcpippool_framedipaddress ON dhcpippool(framedipaddress); - CREATE INDEX dhcpippool_poolname_poolkey_ipaddress ON dhcpippool(pool_name, pool_key, framedipaddress); - - ${builtins.concatStringsSep "\n" (map mkVlan vlans)} -'' diff --git a/machines/vault01/k-radius/mod-dhcp_sql.nix b/machines/vault01/k-radius/mod-dhcp_sql.nix deleted file mode 100644 index 14837dc..0000000 --- a/machines/vault01/k-radius/mod-dhcp_sql.nix +++ /dev/null 
@@ -1,83 +0,0 @@ -{ pkgs, ... }@args: -pkgs.writeText "mod-dhcp_sql" '' - sql dhcp_sql { - dialect = "sqlite" - driver = "rlm_sql_''${dialect}" - - sqlite { - filename = "/tmp/freeradius.db" - busy_timeout = 200 - bootstrap = "${import ./dhcp-sqlsquema.nix args}" - } - - radius_db = "radius" - - read_groups = no - - pool { - start = ''${thread[pool].start_servers} - min = ''${thread[pool].min_spare_servers} - max = ''${thread[pool].max_servers} - spare = ''${thread[pool].max_spare_servers} - uses = 0 - retry_delay = 30 - lifetime = 0 - idle_timeout = 60 - } - - group_attribute = "''${.:instance}-SQL-Group" - - # -*- text -*- - # - # dhcp/sqlite/queries.conf -- SQLite configuration for DHCP schema (schema.sql) - # - # $Id: 0cc720220d237d98934dd23173ccb4e09bd0cb01 $ - - # Safe characters list for sql queries. Everything else is replaced - # with their mime-encoded equivalents. - # The default list should be ok - # safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" - - ####################################################################### - # Query config: Identifier - ####################################################################### - # This is the identifier that will get substituted, escaped, and added - # as attribute 'SQL-User-Name'. '%{SQL-User-Name}' should be used - # below everywhere an identifier substitution is needed so you you can - # be sure the identifier passed from the client is escaped properly. - # - sql_user_name = "%{control:DHCP-SQL-Option-Identifier}" - - ####################################################################### - # Attribute Lookup Queries - ####################################################################### - # These queries setup the reply items in ''${dhcpreply_table} and - # ''${group_reply_query}. You can use any query/tables you want, but - # the return data for each row MUST be in the following order: - # - # 0. Row ID (currently unused) - # 1. Identifier - # 2. 
Item Attr Name - # 3. Item Attr Value - # 4. Item Attr Operation - ####################################################################### - - authorize_reply_query = "\ - SELECT id, identifier, attribute, value, op \ - FROM dhcpreply \ - WHERE identifier = '%{SQL-User-Name}' AND context = '%{control:DHCP-SQL-Option-Context}' \ - ORDER BY id" - - authorize_group_reply_query = "\ - SELECT id, groupname, attribute, value, op \ - FROM dhcpgroupreply \ - WHERE groupname = '%{''${group_attribute}}' AND context = '%{control:DHCP-SQL-Option-Context}' \ - ORDER BY id" - - group_membership_query = "\ - SELECT groupname \ - FROM dhcpgroup \ - WHERE identifier='%{SQL-User-Name}' AND context = '%{control:DHCP-SQL-Option-Context}' \ - ORDER BY priority" - } -'' diff --git a/machines/vault01/k-radius/mod-dhcp_sqlippool b/machines/vault01/k-radius/mod-dhcp_sqlippool deleted file mode 100644 index 323cd5b..0000000 --- a/machines/vault01/k-radius/mod-dhcp_sqlippool +++ /dev/null 
@@ -1,329 +0,0 @@ -# Configuration for DHCP for the SQL based IP Pools module (rlm_sqlippool). -# -# See raddb/mods-available/sqlippool for common configuration explanation -# -# See raddb/policy.d/dhcp_sqlippool for the "glue" code that allows -# the RADIUS based "sqlippool" module to be used for DHCP. -# -# See raddb/sites-available/dhcp for instructions on how to configure -# the DHCP server. -# -# The database schemas are available at: -# -# raddb/mods-config/sql/ippool-dhcp//schema.sql -# -# $Id: 909b93c7ebcbbeb16b123ca38e696790b5771dda $ - -sqlippool dhcp_sqlippool { - # SQL instance to use (from mods-available/sql) - # - # If you have multiple sql instances, such as "sql sql1 {...}", - # use the *instance* name here: sql1. - sql_module_instance = "dhcp_sql" - - # This is duplicative of info available in the SQL module, but - # we have to list it here as we do not yet support nested - # reference expansions. - dialect = "mysql" - - # The duration for which a lease is reserved whilst under offer - offer_duration = 10 - - # IP lease duration. (Leases expire even if no DHCP-Release packet is received) - # Either use the value to be sent to the client or a hard coded one. - #lease_duration = "%{reply:DHCP-IP-Address-Lease-Time}" - lease_duration = 7200 - - # The attribute in which the IP address is returned in the reply - attribute_name = "DHCP-Your-IP-Address" - - # Assign the IP address, even if the above attribute already exists in - # the reply. - # -# allow_duplicates = no - - # The attribute in which an IP address hint may be supplied - req_attribute_name = "DHCP-Requested-IP-Address" - - # - # RFC 2132 allows the DHCP client to supply a unique - # identifier ("uid") using Option 61 (DHCP-Client-Identifier) - # in which case it must be used as the lookup key for - # configuration data. 
- # - pool_key = "%{%{DHCP-Client-Identifier}:-%{DHCP-Client-Hardware-Address}}" - # - # The "uid" is generated by the OS which means that clients - # whose BMC piggybacks on the main interface (sharing its MAC, - # but generating a distinct uid) and dual-booting clients can - # be allocated multiple IPs, consuming more pool entries. To - # avoid this you can ignore the RFCs and key the configuration - # data based only on the client MAC address. - # - # pool_key = "%{DHCP-Client-Hardware-Address}" - - ################################################################ - # - # WARNING: MySQL (MyISAM) has certain limitations that means it can - # hand out the same IP address to 2 different users. - # - # We suggest using an SQL DB with proper transaction - # support, such as PostgreSQL, or using MySQL - # with InnoDB. - # - ################################################################ - - # These messages are added to the "control" items, as - # Module-Success-Message. They are not logged anywhere else, - # unlike previous versions. If you want to have them logged - # to a file, see the "linelog" module, and create an entry - # which writes Module-Success-Message message. 
- # - messages { - exists = "DHCP: Existing IP: %{reply:${..attribute_name}} (cid %{DHCP-Client-Identifier} chaddr %{DHCP-Client-Hardware-Address} giaddr %{DHCP-Gateway-IP-Address})" - - success = "DHCP: Allocated IP: %{reply:${..attribute_name}} from %{control:Pool-Name} (cid %{DHCP-Client-Identifier} chaddr %{DHCP-Client-Hardware-Address} giaddr %{DHCP-Gateway-IP-Address})" - - clear = "DHCP: Released IP %{DHCP-Client-IP-Address} (cid %{DHCP-Client-Identifier} chaddr %{DHCP-Client-Hardware-Address} giaddr %{DHCP-Gateway-IP-Address})" - - failed = "DHCP: IP Allocation FAILED from %{control:Pool-Name} (cid %{DHCP-Client-Identifier} chaddr %{DHCP-Client-Hardware-Address} giaddr %{DHCP-Gateway-IP-Address})" - - nopool = "DHCP: No Pool-Name defined (cid %{DHCP-Client-Identifier} chaddr %{DHCP-Client-Hardware-Address} giaddr %{DHCP-Gateway-IP-Address})" - } - - # -*- text -*- - # - # ippool-dhcp/sqlite/queries.conf -- SQLite queries for rlm_sqlippool - # - # $Id: d99e09bfc8559eaf5584c32fb6a94c99e689fee3 $ - - # ***************** - # * DHCP DISCOVER * - # ***************** - - # - # SQLite does not implement SELECT FOR UPDATE which is normally used to place - # an exclusive lock over rows to prevent the same address from being - # concurrently selected for allocation to multiple users. - # - # The most granular read-blocking lock that SQLite has is an exclusive lock - # over the database, so that's what we use. All locking in SQLite is performed - # over the entire database and we perform a row update for any IP that we - # allocate, requiring an exclusive lock. Taking the exclusive lock from the - # start of the transaction (even if it were not required to guard the SELECT) - # is actually quicker than if we deferred it causing SQLite to "upgrade" the - # automatic shared lock for the transaction to an exclusive lock for the - # subsequent UPDATE. 
- # - allocate_begin = "BEGIN EXCLUSIVE" - allocate_commit = "COMMIT" - - # - # Attempt to find the most recent existing IP address for the client - # - allocate_existing = "\ - SELECT framedipaddress \ - FROM dhcpippool \ - JOIN dhcpstatus \ - ON dhcpippool.status_id = dhcpstatus.status_id \ - WHERE pool_name = '%{control:Pool-Name}' \ - AND pool_key = '${pool_key}' \ - AND status IN ('dynamic', 'static') \ - ORDER BY expiry_time DESC \ - LIMIT 1" - - # - # Determine whether the requested IP address is available - # - allocate_requested = "\ - SELECT framedipaddress \ - FROM dhcpippool \ - JOIN dhcpstatus \ - ON dhcpippool.status_id = dhcpstatus.status_id \ - WHERE pool_name = '%{control:Pool-Name}' \ - AND framedipaddress = '%{%{${req_attribute_name}}:-0.0.0.0}' \ - AND status = 'dynamic' \ - AND expiry_time < datetime('now')" - - # - # If the existing address can't be found this query will be run to - # find a free address - # - #allocate_find = "\ - # SELECT framedipaddress \ - # FROM dhcpippool \ - # JOIN dhcpstatus \ - # ON dhcpippool.status_id = dhcpstatus.status_id \ - # WHERE pool_name = '%{control:Pool-Name}' \ - # AND expiry_time < datetime('now') \ - # AND status = 'dynamic' \ - # ORDER BY expiry_time LIMIT 1" - - # - # This series of queries allocates an IP address - # - # Either pull the most recent allocated IP for this client or the - # oldest expired one. The first sub query returns the most recent - # lease for the client (if there is one), the second returns the - # oldest expired one. - # Sorting the result by expiry_time DESC will return the client specific - # IP if it exists, otherwise an expired one. 
- # - allocate_find = "\ - SELECT framedipaddress, 1 AS o \ - FROM ( \ - SELECT framedipaddress \ - FROM dhcpippool \ - JOIN dhcpstatus \ - ON dhcpippool.status_id = dhcpstatus.status_id \ - WHERE pool_name = '%{control:Pool-Name}' \ - AND pool_key = '${pool_key}' \ - AND status IN ('dynamic', 'static') \ - ORDER BY expiry_time DESC \ - LIMIT 1 \ - ) UNION \ - SELECT framedipaddress, 2 AS o \ - FROM ( \ - SELECT framedipaddress \ - FROM dhcpippool \ - JOIN dhcpstatus \ - ON dhcpippool.status_id = dhcpstatus.status_id \ - WHERE pool_name = '%{control:Pool-Name}' \ - AND framedipaddress = '%{%{${req_attribute_name}}:-0.0.0.0}' \ - AND status = 'dynamic' \ - AND ( pool_key = '${pool_key}' OR expiry_time < datetime('now') ) \ - ) UNION \ - SELECT framedipaddress, 3 AS o \ - FROM ( \ - SELECT framedipaddress \ - FROM dhcpippool \ - JOIN dhcpstatus \ - ON dhcpippool.status_id = dhcpstatus.status_id \ - WHERE pool_name = '%{control:Pool-Name}' \ - AND expiry_time < datetime('now') \ - AND status = 'dynamic' \ - ORDER BY expiry_time LIMIT 1 \ - ) \ - ORDER BY o \ - LIMIT 1" - - # - # If you prefer to allocate a random IP address every time, i - # use this query instead - # Note: This is very slow if you have a lot of free IPs. - # - - #allocate_find = "\ - # SELECT framedipaddress \ - # FROM dhcpippool \ - # JOIN dhcpstatus \ - # ON dhcpippool.status_id = dhcpstatus.status_id \ - # WHERE pool_name = '%{control:Pool-Name}' \ - # AND expiry_time < datetime('now') \ - # AND status = 'dynamic' \ - # ORDER BY RAND() \ - - - # - # If an IP could not be allocated, check to see if the pool exists or not - # This allows the module to differentiate between a full pool and no pool - # Note: If you are not running redundant pool modules this query may be - # commented out to save running this query every time an ip is not allocated. 
- # - pool_check = "\ - SELECT id \ - FROM dhcpippool \ - WHERE pool_name='%{control:Pool-Name}' \ - LIMIT 1" - - # - # This is the final IP Allocation query, which saves the allocated ip details - # - allocate_update = "\ - UPDATE dhcpippool \ - SET \ - gateway = '%{DHCP-Gateway-IP-Address}', \ - pool_key = '${pool_key}', \ - expiry_time = datetime(strftime('%%s', 'now') + ${offer_duration}, 'unixepoch') \ - WHERE framedipaddress = '%I'" - - - # **************** - # * DHCP REQUEST * - # **************** - - # - # This query revokes any active offers for addresses that a client is not - # requesting when a DHCP REQUEST packet arrives - # - start_update = "\ - UPDATE dhcpippool \ - SET \ - gateway = ''', \ - pool_key = ''', \ - expiry_time = datetime('now') \ - WHERE pool_name = '%{control:Pool-Name}' \ - AND pool_key = '${pool_key}' \ - AND framedipaddress <> '%{DHCP-Requested-IP-Address}' \ - AND expiry_time > datetime('now') \ - AND dhcpippool.status_id IN \ - (SELECT status_id FROM dhcpstatus WHERE status = 'dynamic')" - - # - # This query extends an existing lease (or offer) when a DHCP REQUEST packet - # arrives. This query must update a row when a lease is succesfully requested - # - queries that update no rows will result in a "notfound" response to - # the module which by default will give a DHCP-NAK reply. In this example - # incrementing "counter" is used to achieve this. 
- # - alive_update = "\ - UPDATE dhcpippool \ - SET \ - expiry_time = datetime(strftime('%%s', 'now') + ${lease_duration}, 'unixepoch'), \ - counter = counter + 1 \ - WHERE pool_name = '%{control:Pool-Name}' \ - AND pool_key = '${pool_key}' \ - AND framedipaddress = '%{%{DHCP-Requested-IP-Address}:-%{DHCP-Client-IP-Address}}'" - - - # **************** - # * DHCP RELEASE * - # **************** - - # - # This query frees an IP address when a DHCP RELEASE packet arrives - # - stop_clear = "\ - UPDATE dhcpippool \ - SET \ - gateway = ''', \ - pool_key = ''', \ - expiry_time = datetime('now') \ - WHERE pool_name = '%{control:Pool-Name}' \ - AND pool_key = '${pool_key}' \ - AND framedipaddress = '%{DHCP-Client-IP-Address}' \ - AND dhcpippool.status_id IN \ - (SELECT status_id FROM dhcpstatus WHERE status = 'dynamic')" - - - # - # This query is not applicable to DHCP - # - on_clear = "" - - - # **************** - # * DHCP DECLINE * - # **************** - - # - # This query marks an IP address as declined when a DHCP Decline - # packet arrives - # - off_clear = "\ - UPDATE dhcpippool \ - SET status_id = (SELECT status_id FROM dhcpstatus WHERE status = 'declined') \ - WHERE pool_name = '%{control:Pool-Name}' \ - AND pool_key = '${pool_key}' \ - AND framedipaddress = '%{DHCP-Requested-IP-Address}'" -} diff --git a/machines/vault01/k-radius/module.nix b/machines/vault01/k-radius/module.nix index 486c2b6..9979605 100644 --- a/machines/vault01/k-radius/module.nix +++ b/machines/vault01/k-radius/module.nix @@ -143,6 +143,7 @@ in startLimitBurst = 5; preStart = '' + rm -rf ${cfg.configDir} mkdir -p ${cfg.configDir} cp -R --no-preserve=mode ${cfg.freeradius}/etc/raddb/* ${cfg.configDir} diff --git a/machines/vault01/k-radius/site-dhcp.nix b/machines/vault01/k-radius/site-dhcp.nix deleted file mode 100644 index 5568898..0000000 --- a/machines/vault01/k-radius/site-dhcp.nix +++ /dev/null 
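Review bot: `rm -rf ${cfg.configDir}` runs unconditionally at every service start with whatever value the `configDir` option holds; an empty or mis-set value (for example `/` or `/etc`) would be wiped before the following `mkdir -p`. Guard the path before deleting, for instance with an assertion on the option (`assertions = [ { assertion = cfg.configDir != "" && cfg.configDir != "/"; message = "k-radius: configDir must be a dedicated directory"; } ];`) or by clearing the contents instead: `find ${cfg.configDir} -mindepth 1 -delete`. The `preStart` script starts and ends outside the hunk, so I could not see whether `configDir` is already constrained by its option type.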
@@ -1,80 +0,0 @@ -{ pkgs, vlans }: -let - listen = - { - vlan, - servIP, - broadIP, - interfaceName, - ... - }: - '' - listen { - type = dhcp - ipaddr = ${servIP} - src_ipaddr = ${servIP} - port = 67 - interface = ${interfaceName} - broadcast = no #? - performance { - skip_duplicate_checks = no - } - # we store servIP so that latter modules can know with wich IP reply - update control { - &Client-Vlan = ${toString vlan} - &Server-IP = ${servIP} - &Broadcast-IP = ${broadIP} - } - } - ''; - dhcpCommon = '' - update reply { - &DHCP-Domain-Name-Server = 10.0.0.1 - &DHCP-Subnet-Mask = 255.255.255.224 - &DHCP-Router-Address = &control:Server-IP - &DHCP-Broadcast-Address = &control:Broadcast-IP - &DHCP-DHCP-Server-Identifier = 10.0.0.1 - } - ''; - dhcpDiscover = '' - dhcp DHCP-Discover { - ${dhcpCommon} - update control { - &Pool-Name := "pool-%{&control:Client-Vlan}" - } - dhcp_sqlippool - if (notfound) { - do_not_respond #TODO not silent - } - ok - } - ''; - dhcpRequest = '' - dhcp DHCP-Request { - if (&request:DHCP-DHCP-Server-Identifier && \ - &request:DHCP-DHCP-Server-Identifier != &control:Server-IP) { - do_not_respond - } - ${dhcpCommon} - update control { - &Pool-Name := "pool-%{&control:Client-Vlan}" - } - dhcp_sqlippool_request - if (notfound) { - do_not_respond #TODO not silent - } - ok - } - ''; -in -pkgs.writeText "site-dhcp" '' - server dhcp { - - ${builtins.concatStringsSep "\n\n" (map listen vlans)} - - ${dhcpDiscover} - - ${dhcpRequest} - - } -'' diff --git a/machines/vault01/networking.nix b/machines/vault01/networking.nix index 96fa294..1075982 100644 --- a/machines/vault01/networking.nix +++ b/machines/vault01/networking.nix @@ -53,6 +53,7 @@ let extraNetwork = { networkConfig = { LinkLocalAddressing = "no"; + DHCPServer = "yes"; }; linkConfig = { Promiscuous = true; 
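Review bot: `DHCPServer = "yes"` enables networkd's built-in server on every user VLAN, but no `[DHCPServer]` settings (pool offset/size, lease time, `EmitDNS`/`DNS`) appear in this hunk, so the values the FreeRADIUS setup used to send (`DHCP-Domain-Name-Server = 10.0.0.1`, 7200 s leases) are now whatever networkd defaults to unless a `dhcpServerConfig` is set elsewhere. Adding a `dhcpServerConfig = { ... };` next to `networkConfig` that spells those values out would keep the old behaviour visible in the configuration and make later changes deliberate. The enclosing `mkUserVlan` definition starts outside the hunk.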
@@ -123,64 +124,72 @@ let in { - systemd.network = { - config.routeTables."user" = 1000; - networks = { - "10-lo" = { - name = "lo"; - address = [ - "::1/128" - "127.0.0.1/8" - "10.0.0.1/16" - ]; - routes = [ - { - routeConfig = { - Destination = "10.0.0.0/27"; - Table = "user"; - }; - } - ]; - routingPolicyRules = [ - { - routingPolicyRuleConfig = { - IncomingInterface = "lo"; - Table = "user"; - }; - } - ]; - }; - "10-enp67s0f0np0" = { - name = "enp67s0f0np0"; - linkConfig.Promiscuous = true; - networkConfig = { - VLAN = builtins.attrNames vlans; - - LinkLocalAddressing = false; - LLDP = false; - EmitLLDP = false; - IPv6AcceptRA = false; - IPv6SendRA = false; + systemd = { + network = { + config.routeTables."user" = 1000; + networks = { + "10-lo" = { + name = "lo"; + address = [ + "::1/128" + "127.0.0.1/8" + "10.0.0.1/27" + ]; + routes = [ + { + routeConfig = { + Destination = "10.0.0.0/27"; + Table = "user"; + }; + } + ]; + routingPolicyRules = [ + { + routingPolicyRuleConfig = { + IncomingInterface = "lo"; + Table = "user"; + }; + } + ]; }; + "10-enp67s0f0np0" = { + name = "enp67s0f0np0"; + linkConfig.Promiscuous = true; + networkConfig = { + VLAN = builtins.attrNames vlans; + + LinkLocalAddressing = false; + LLDP = false; + EmitLLDP = false; + IPv6AcceptRA = false; + IPv6SendRA = false; + }; + }; + } // (mapAttrs' mkNetwork vlans); + + netdevs = mapAttrs' mkNetdev vlans; + }; + + services = { + ethtoolConfig = { + wantedBy = [ "systemd-networkd.service" ]; + after = [ "sys-subsystem-net-devices-enp67s0f0np0.device" ]; + bindsTo = [ "sys-subsystem-net-devices-enp67s0f0np0.device" ]; + script = '' + ${lib.getExe pkgs.ethtool} -K enp67s0f0np0 rxvlan off + ${lib.getExe pkgs.ethtool} -K enp67s0f0np0 txvlan off + ${lib.getExe pkgs.ethtool} -K enp67s0f0np0 rx-vlan-filter off + ${lib.getExe pkgs.ethtool} -K enp67s0f0np0 rx-vlan-offload off + ${lib.getExe pkgs.ethtool} -K enp67s0f0np0 tx-vlan-offload off + ${lib.getExe pkgs.ethtool} -K enp67s0f0np0 
tx-vlan-stag-hw-insert off + echo "Hardware for enp67s0f0np0 configured" + ''; }; - } // (mapAttrs' mkNetwork vlans); - netdevs = mapAttrs' mkNetdev vlans; - }; - - systemd.services.ethtoolConfig = { - wantedBy = [ "systemd-networkd.service" ]; - after = [ "sys-subsystem-net-devices-enp67s0f0np0.device" ]; - bindsTo = [ "sys-subsystem-net-devices-enp67s0f0np0.device" ]; - script = '' - ${lib.getExe pkgs.ethtool} -K enp67s0f0np0 rxvlan off - ${lib.getExe pkgs.ethtool} -K enp67s0f0np0 txvlan off - ${lib.getExe pkgs.ethtool} -K enp67s0f0np0 rx-vlan-filter off - ${lib.getExe pkgs.ethtool} -K enp67s0f0np0 rx-vlan-offload off - ${lib.getExe pkgs.ethtool} -K enp67s0f0np0 tx-vlan-offload off - ${lib.getExe pkgs.ethtool} -K enp67s0f0np0 tx-vlan-stag-hw-insert off - echo "Hardware for enp67s0f0np0 configured" - ''; + systemd-networkd.serviceConfig = { + LimitNOFILE = 4096; + }; + }; }; networking.firewall.allowedUDPPorts = [ 67 ]; diff --git a/machines/vault01/user_vlans.nix b/machines/vault01/user_vlans.nix index e73b944..59ec3a0 100644 --- a/machines/vault01/user_vlans.nix +++ b/machines/vault01/user_vlans.nix @@ -11,4 +11,4 @@ let interfaceName = "vlan-user-${toString vlan}"; }; in -builtins.genList mkUserVlan 300 # 850 +builtins.genList mkUserVlan 850 -- 2.45.1 From bc5ee80d69f2aab90ba4d3333fe27f276a29ec9e Mon Sep 17 00:00:00 2001 From: catvayor Date: Thu, 23 May 2024 16:28:13 +0200 Subject: [PATCH 9/9] style: requested changes --- machines/vault01/k-radius/module.nix | 40 ++++++++++---------- machines/vault01/networking.nix | 56 ++++++++++++++-------------- machines/vault01/user_vlans.nix | 14 ------- 3 files changed, 46 insertions(+), 64 deletions(-) delete mode 100644 machines/vault01/user_vlans.nix diff --git a/machines/vault01/k-radius/module.nix b/machines/vault01/k-radius/module.nix index 9979605..ac83bc0 100644 --- a/machines/vault01/k-radius/module.nix +++ b/machines/vault01/k-radius/module.nix 
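Review bot: The substantive changes in this hunk — the `lo` address narrowed from `10.0.0.1/16` to `10.0.0.1/27` and the new `systemd-networkd.serviceConfig.LimitNOFILE = 4096` — are buried under a re-indentation of the whole `systemd` attribute set, which makes them easy to miss; splitting the re-nesting into its own commit would help. `LimitNOFILE = 4096` is presumably sized for the 850 VLAN links each running a DHCP server; a comment such as `# raised for the ~850 user VLAN links and their DHCP server sockets` would make the number maintainable. The `/27` on `lo` must stay consistent with the `Destination = "10.0.0.0/27"` route and the per-VLAN `To = "10.0.0.0/27"` policy rule; a single binding for that prefix would enforce it.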
@@ -7,13 +7,15 @@ let inherit (lib) + attrsToList + getExe' + imap0 + mapAttrsToList mkEnableOption mkIf mkOption - types - mapAttrsToList optionalString - zipListsWith + types ; settingsFormat = pkgs.formats.toml { }; @@ -49,14 +51,14 @@ in extra-mods = mkOption { type = types.attrsOf types.path; - description = "Additional files to be linked in mods-enabled."; default = { }; + description = "Additional files to be linked in mods-enabled."; }; extra-sites = mkOption { type = types.attrsOf types.path; - description = "Additional files to be linked in sites-enabled."; default = { }; + description = "Additional files to be linked in sites-enabled."; }; dictionary = mkOption { @@ -69,8 +71,8 @@ in "string" ] ); - description = "Declare additionnal attributes to be listed in the dictionary."; default = { }; + description = "Declare additionnal attributes to be listed in the dictionary."; }; radiusClients = mkOption { @@ -109,7 +111,7 @@ in checkConfiguration = mkOption { type = types.bool; - description = "Check the configuration before starting the deamon. Usefull for debugging."; + description = "Check the configuration before starting the deamon. Useful for debugging."; default = false; }; }; 
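Review bot: The `@@ -109,7 +111,7 @@` hunk fixes "Usefull" but leaves "deamon" in the same string, and the moved description in `@@ -69,8 +71,8 @@` still reads "additionnal"; the new lines should be `description = "Check the configuration before starting the daemon. Useful for debugging.";` and `description = "Declare additional attributes to be listed in the dictionary.";`. The import-list and option reorderings in the other hunks are cosmetic.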
@@ -202,18 +204,16 @@ in sed -i ${cfg.configDir}/mods-available/eap \ -e "s/whatever/$(cat "${cfg.privateKeyPasswordFile}")/" - # Build the dictionary - cat < ${cfg.configDir}/dictionary - ${ - let - attrs = mapAttrsToList (name: type: { inherit name type; }) cfg.dictionary; - idList = builtins.genList (id: 3000 + id) (builtins.length attrs); - in - builtins.concatStringsSep "\n" ( - zipListsWith ({ name, type }: id: "ATTRIBUTE ${name} ${toString id} ${type}") attrs idList + # Link the dictionary + ln -nsf ${ + pkgs.writeText "radius-dictionary" ( + builtins.concatStringsSep "\n" ( + imap0 (i: { name, value }: "ATTRIBUTE ${name} ${builtins.toString (3000 + i)} ${value}") ( + attrsToList cfg.dictionary + ) + ) ) - } - EOF + } ${cfg.configDir}/dictionary # Link extra-mods ${builtins.concatStringsSep "\n" ( @@ -228,9 +228,7 @@ in )} # Check the configuration - ${ - optionalString (!cfg.checkConfiguration) "# " - }${pkgs.freeradius}/bin/radiusd -C -d ${cfg.configDir} -l stdout + ${optionalString cfg.checkConfiguration "${getExe' pkgs.freeradius "radiusd"} -C -d ${cfg.configDir} -l stdout"} ''; path = [ diff --git a/machines/vault01/networking.nix b/machines/vault01/networking.nix index 1075982..54c7de9 100644 --- a/machines/vault01/networking.nix +++ b/machines/vault01/networking.nix @@ -19,7 +19,7 @@ let mkNetwork = name: { - address, + address ? [ ], extraNetwork ? { }, ... }: 
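Review bot: The dictionary numbering is positional — `imap0` over `attrsToList cfg.dictionary` assigns `3000 + i` in attribute-name order — so adding a dictionary entry renumbers every attribute that sorts after it; that was already true of the old `zipListsWith` code but is now less visible. As long as these attributes are only exchanged between this server's own modules that is harmless, but a comment would save the next reader a surprise: `# Attribute numbers are 3000 + index in name order; adding an entry renumbers the later ones`. The `@@ -228,9 +228,7 @@` hunk keeps the `# Check the configuration` comment even when `cfg.checkConfiguration` is false and the line below it expands to nothing; folding the comment into the `optionalString` string would keep them together.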
@@ -37,31 +37,30 @@ let }; mkUserVlan = - { - vlan, - netIP, - servIP, - prefixLength, - interfaceName, - ... - }: + id: + let + # on alloue 10.0.0.0/17 aux thurnés, avec un /27 chacun, on garde 10.0.0.0/27 pour nous (routeur et autres) + vlan = 4094 - id; + prefix24nb = (id + 1) / 8; + prefix27nb = (id + 1 - prefix24nb * 8) * 32; + netIP = "10.0.${toString prefix24nb}.${toString prefix27nb}"; + servIP = "10.0.${toString prefix24nb}.${toString (prefix27nb + 1)}"; + interfaceName = "vlan-user-${toString vlan}"; + in { name = interfaceName; value = { Id = vlan; - address = [ ]; extraNetwork = { networkConfig = { LinkLocalAddressing = "no"; DHCPServer = "yes"; }; - linkConfig = { - Promiscuous = true; - }; + linkConfig.Promiscuous = true; addresses = [ { addressConfig = { - Address = "${servIP}/${toString prefixLength}"; + Address = "${servIP}/27"; AddPrefixRoute = false; }; } @@ -69,7 +68,7 @@ let routes = [ { routeConfig = { - Destination = "${netIP}/${toString prefixLength}"; + Destination = "${netIP}/27"; Table = "user"; }; } @@ -77,7 +76,7 @@ let routingPolicyRules = [ { routingPolicyRuleConfig = { - From = "${netIP}/${toString prefixLength}"; + From = "${netIP}/27"; To = "10.0.0.0/27"; IncomingInterface = interfaceName; Table = "user"; @@ -120,7 +119,7 @@ let extraNetwork.networkConfig.DHCPServer = "yes"; }; - } // builtins.listToAttrs (map mkUserVlan (import ./user_vlans.nix)); + } // builtins.listToAttrs (builtins.genList mkUserVlan 850); in { 
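Review bot: The prefix length is now written three times as a literal `27` (`Address = "${servIP}/27"` here and the `Destination`/`From` lines in the `@@ -69,7 +68,7 @@` and `@@ -77,7 +76,7 @@` hunks) and a fourth time implicitly as the `* 32` in `prefix27nb`, whereas the deleted `user_vlans.nix` had one `prefixLength = 27`; a single `prefixLength = 27;` in the `let` would keep them in step. The only documentation of the address plan is the French comment; an English version such as `# 10.0.0.0/17 is split into one /27 per user VLAN; 10.0.0.0/27 is kept for the router and services` would help other maintainers. Isolation between user VLANs appears to rely on `AddPrefixRoute = false` plus the policy rule that only admits `From = netIP/27` to `To = 10.0.0.0/27` into the `user` table; that intent deserves a comment, since adding a route to the main table would silently undo it. The `mkUserVlan` definition continues past the end of the hunk.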
@@ -175,20 +174,19 @@ in wantedBy = [ "systemd-networkd.service" ]; after = [ "sys-subsystem-net-devices-enp67s0f0np0.device" ]; bindsTo = [ "sys-subsystem-net-devices-enp67s0f0np0.device" ]; - script = '' - ${lib.getExe pkgs.ethtool} -K enp67s0f0np0 rxvlan off - ${lib.getExe pkgs.ethtool} -K enp67s0f0np0 txvlan off - ${lib.getExe pkgs.ethtool} -K enp67s0f0np0 rx-vlan-filter off - ${lib.getExe pkgs.ethtool} -K enp67s0f0np0 rx-vlan-offload off - ${lib.getExe pkgs.ethtool} -K enp67s0f0np0 tx-vlan-offload off - ${lib.getExe pkgs.ethtool} -K enp67s0f0np0 tx-vlan-stag-hw-insert off - echo "Hardware for enp67s0f0np0 configured" - ''; + script = builtins.concatStringsSep "\n" ( + builtins.map (name: "${lib.getExe pkgs.ethtool} -K enp67s0f0np0 ${name} off") [ + "rxvlan" + "txvlan" + "rx-vlan-filter" + "rx-vlan-offload" + "tx-vlan-offload" + "tx-vlan-stag-hw-insert" + ] + ); }; - systemd-networkd.serviceConfig = { - LimitNOFILE = 4096; - }; + systemd-networkd.serviceConfig.LimitNOFILE = 4096; }; }; diff --git a/machines/vault01/user_vlans.nix b/machines/vault01/user_vlans.nix deleted file mode 100644 index 59ec3a0..0000000 --- a/machines/vault01/user_vlans.nix +++ /dev/null @@ -1,14 +0,0 @@ -let - mkUserVlan = id: rec { - # on alloue 10.0.0.0/17 aux thurnés, avec un /27 chacun, on garde 10.0.0.0/27 pour nous (routeur et autres) - vlan = 4094 - id; - prefix24nb = (id + 1) / 8; - prefix27nb = (id + 1 - prefix24nb * 8) * 32; - prefixLength = 27; - netIP = "10.0.${toString prefix24nb}.${toString prefix27nb}"; - servIP = "10.0.${toString prefix24nb}.${toString (prefix27nb + 1)}"; - broadIP = "10.0.${toString prefix24nb}.${toString (prefix27nb + 31)}"; - interfaceName = "vlan-user-${toString vlan}"; - }; -in -builtins.genList mkUserVlan 850 -- 2.45.1
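Review bot: The rewrite drops the trailing `echo "Hardware for enp67s0f0np0 configured"` line, so the unit no longer logs completion; that is a behaviour change in a commit titled `style: requested changes`, and if it is intentional it should be mentioned, otherwise append it to the generated script, e.g. `+ "\necho \"Hardware for enp67s0f0np0 configured\""`. `${lib.getExe pkgs.ethtool} -K enp67s0f0np0` is repeated per entry; binding it once (`ethtool = "${lib.getExe pkgs.ethtool} -K enp67s0f0np0";`) would shorten the map. The surrounding `ethtoolConfig` service starts outside the hunk.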