changement dans le plan IP et free-radius DHCP #99

Merged
thubrecht merged 9 commits from :plan_ip into main 2024-05-26 20:57:19 +02:00
3 changed files with 46 additions and 64 deletions
Showing only changes of commit bc5ee80d69 - Show all commits


@ -7,13 +7,15 @@
let let
inherit (lib) inherit (lib)
attrsToList
getExe'
imap0
mapAttrsToList
mkEnableOption mkEnableOption
mkIf mkIf
mkOption mkOption
types
mapAttrsToList
optionalString optionalString
zipListsWith types
lbailly marked this conversation as resolved Outdated

Idéalement cette liste devrait être triée

Idéalement cette liste devrait être triée
; ;
settingsFormat = pkgs.formats.toml { }; settingsFormat = pkgs.formats.toml { };
@ -49,14 +51,14 @@ in
extra-mods = mkOption { extra-mods = mkOption {
type = types.attrsOf types.path; type = types.attrsOf types.path;
lbailly marked this conversation as resolved
Review

Le default devrait aller avant la description

Le default devrait aller avant la description
description = "Additional files to be linked in mods-enabled.";
default = { }; default = { };
description = "Additional files to be linked in mods-enabled.";
}; };
extra-sites = mkOption { extra-sites = mkOption {
type = types.attrsOf types.path; type = types.attrsOf types.path;
lbailly marked this conversation as resolved
Review

Le default devrait aller avant la description

Le default devrait aller avant la description
description = "Additional files to be linked in sites-enabled.";
default = { }; default = { };
description = "Additional files to be linked in sites-enabled.";
}; };
dictionary = mkOption { dictionary = mkOption {
@ -69,8 +71,8 @@ in
"string" "string"
] ]
); );
lbailly marked this conversation as resolved
Review

Le default devrait aller avant la description

Le default devrait aller avant la description
description = "Declare additionnal attributes to be listed in the dictionary.";
default = { }; default = { };
description = "Declare additionnal attributes to be listed in the dictionary.";
}; };
radiusClients = mkOption { radiusClients = mkOption {
@ -109,7 +111,7 @@ in
checkConfiguration = mkOption { checkConfiguration = mkOption {
lbailly marked this conversation as resolved
Review

useful

useful
type = types.bool; type = types.bool;
description = "Check the configuration before starting the deamon. Usefull for debugging."; description = "Check the configuration before starting the deamon. Useful for debugging.";
default = false; default = false;
}; };
}; };
@ -202,18 +204,16 @@ in
sed -i ${cfg.configDir}/mods-available/eap \ sed -i ${cfg.configDir}/mods-available/eap \
-e "s/whatever/$(cat "${cfg.privateKeyPasswordFile}")/" -e "s/whatever/$(cat "${cfg.privateKeyPasswordFile}")/"
lbailly marked this conversation as resolved Outdated

Plutôt que faire des trucs dans un script avec cat et EOF, il vaut mieux utiliser pkgs.writeText et faire un lien au démarrage. Surtout que ce fichier ne doit pas être généré à chaque démarrage de freeradius

Plutôt que faire des trucs dans un script avec cat et EOF, il vaut mieux utiliser `pkgs.writeText` et faire un lien au démarrage. Surtout que ce fichier ne doit pas être généré à chaque démarrage de freeradius
# Build the dictionary # Link the dictionary
cat <<EOF > ${cfg.configDir}/dictionary ln -nsf ${
${ pkgs.writeText "radius-dictionary" (
let
attrs = mapAttrsToList (name: type: { inherit name type; }) cfg.dictionary;
idList = builtins.genList (id: 3000 + id) (builtins.length attrs);
in
builtins.concatStringsSep "\n" ( builtins.concatStringsSep "\n" (
zipListsWith ({ name, type }: id: "ATTRIBUTE ${name} ${toString id} ${type}") attrs idList imap0 (i: { name, value }: "ATTRIBUTE ${name} ${builtins.toString (3000 + i)} ${value}") (
attrsToList cfg.dictionary
) )
lbailly marked this conversation as resolved Outdated
-            zipListsWith ({ name, type }: id: "ATTRIBUTE ${name} ${toString id} ${type}") attrs idList
+            imap0 (i: {name, value}: "ATTRIBUTE ${name} ${builtins.toString (3000 + i)} ${value}") (attrsToList cfg.dictionnary)
```diff - zipListsWith ({ name, type }: id: "ATTRIBUTE ${name} ${toString id} ${type}") attrs idList + imap0 (i: {name, value}: "ATTRIBUTE ${name} ${builtins.toString (3000 + i)} ${value}") (attrsToList cfg.dictionnary) ```
} )
EOF )
} ${cfg.configDir}/dictionary
# Link extra-mods # Link extra-mods
${builtins.concatStringsSep "\n" ( ${builtins.concatStringsSep "\n" (
@ -228,9 +228,7 @@ in
)} )}
# Check the configuration # Check the configuration
${ ${optionalString cfg.checkConfiguration "${getExe' pkgs.freeradius "radiusd"} -C -d ${cfg.configDir} -l stdout"}
optionalString (!cfg.checkConfiguration) "# "
}${pkgs.freeradius}/bin/radiusd -C -d ${cfg.configDir} -l stdout
''; '';
lbailly marked this conversation as resolved Outdated
-        ${
-          optionalString (!cfg.checkConfiguration) "# "
-        }${pkgs.freeradius}/bin/radiusd -C -d ${cfg.configDir} -l stdout
+        ${optionalString cfg.checkConfiguration "${getExe' pkgs.freeradius "radiusd"} -C -d ${cfg.configDir} -l stdout"}
```diff - ${ - optionalString (!cfg.checkConfiguration) "# " - }${pkgs.freeradius}/bin/radiusd -C -d ${cfg.configDir} -l stdout + ${optionalString cfg.checkConfiguration "${getExe' pkgs.freeradius "radiusd"} -C -d ${cfg.configDir} -l stdout"} ```
path = [ path = [
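Review bot: The attribute number in the generated dictionary is now the index of the name in `attrsToList cfg.dictionary` (hunk at @ -202), and since Nix iterates attribute names in sorted order, adding or removing an entry in `cfg.dictionary` renumbers every attribute that sorts after it; the previous `mapAttrsToList`/`genList` pairing appears to have had the same property, so this is not a regression, but it is worth stating next to the `imap0` call, e.g. `# attribute ids are assigned by sorted name; inserting an entry renumbers the ones after it`. If any policy or client refers to these attributes by number, an explicit id in the option (or a stable ordering) would be safer. The systemd script this lives in starts and ends outside the hunk. Separately, the `checkConfiguration` description in the hunk at @ -109 still reads `deamon`; `daemon` would fix it.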


@ -19,7 +19,7 @@ let
mkNetwork = mkNetwork =
name: name:
{ {
address, address ? [ ],
extraNetwork ? { }, extraNetwork ? { },
... ...
}: }:
@ -37,31 +37,30 @@ let
}; };
mkUserVlan = mkUserVlan =
{ id:
vlan, let
netIP, # on alloue 10.0.0.0/17 aux thurnés, avec un /27 chacun, on garde 10.0.0.0/27 pour nous (routeur et autres)
servIP, vlan = 4094 - id;
prefixLength, prefix24nb = (id + 1) / 8;
interfaceName, prefix27nb = (id + 1 - prefix24nb * 8) * 32;
... netIP = "10.0.${toString prefix24nb}.${toString prefix27nb}";
lbailly marked this conversation as resolved Outdated

Le prefixLength risque de changer souvent ?
Ce serait bien de l'inline sinon

Le `prefixLength` risque de changer souvent ? Ce serait bien de l'inline sinon
}: servIP = "10.0.${toString prefix24nb}.${toString (prefix27nb + 1)}";
interfaceName = "vlan-user-${toString vlan}";
in
lbailly marked this conversation as resolved Outdated

Si y'en a pas besoin ça ne sert à rien de le laisser

Si y'en a pas besoin ça ne sert à rien de le laisser
{ {
name = interfaceName; name = interfaceName;
value = { value = {
Id = vlan; Id = vlan;
address = [ ];
extraNetwork = { extraNetwork = {
networkConfig = { networkConfig = {
LinkLocalAddressing = "no"; LinkLocalAddressing = "no";
lbailly marked this conversation as resolved Outdated

Inutile du coup ?

Inutile du coup ?

J'utilise plutôt l'entrée addresses qui me permet de pas créer la route par défaut, car je veux la mettre dans une autre table de routage. address me permet pas de faire ça, mais c'est pas forcément "inutile", c'est juste ici que j'ai un besoin précis

J'utilise plutôt l'entrée `addresses` qui me permet de pas créer la route par défaut, car je veux la mettre dans une autre table de routage. `address` me permet pas de faire ça, mais c'est pas forcément "inutile", c'est juste ici que j'ai un besoin précis

Mais du coup ça sert à rien de mettre une liste vide, si ?
Donc on peut l'enlever.

Mais du coup ça sert à rien de mettre une liste vide, si ? Donc on peut l'enlever.
DHCPServer = "yes"; DHCPServer = "yes";
}; };
linkConfig = { linkConfig.Promiscuous = true;
Promiscuous = true;
};
addresses = [ addresses = [
{ {
addressConfig = { addressConfig = {
Address = "${servIP}/${toString prefixLength}"; Address = "${servIP}/27";
AddPrefixRoute = false; AddPrefixRoute = false;
lbailly marked this conversation as resolved Outdated
linkConfig.Promiscuous = true;
```nix linkConfig.Promiscuous = true; ```
}; };
} }
@ -69,7 +68,7 @@ let
routes = [ routes = [
{ {
routeConfig = { routeConfig = {
Destination = "${netIP}/${toString prefixLength}"; Destination = "${netIP}/27";
Table = "user"; Table = "user";
}; };
} }
@ -77,7 +76,7 @@ let
routingPolicyRules = [ routingPolicyRules = [
{ {
routingPolicyRuleConfig = { routingPolicyRuleConfig = {
From = "${netIP}/${toString prefixLength}"; From = "${netIP}/27";
To = "10.0.0.0/27"; To = "10.0.0.0/27";
IncomingInterface = interfaceName; IncomingInterface = interfaceName;
Table = "user"; Table = "user";
@ -120,7 +119,7 @@ let
extraNetwork.networkConfig.DHCPServer = "yes"; extraNetwork.networkConfig.DHCPServer = "yes";
}; };
} // builtins.listToAttrs (map mkUserVlan (import ./user_vlans.nix)); } // builtins.listToAttrs (builtins.genList mkUserVlan 850);
in in
{ {
@ -175,20 +174,19 @@ in
wantedBy = [ "systemd-networkd.service" ]; wantedBy = [ "systemd-networkd.service" ];
after = [ "sys-subsystem-net-devices-enp67s0f0np0.device" ]; after = [ "sys-subsystem-net-devices-enp67s0f0np0.device" ];
bindsTo = [ "sys-subsystem-net-devices-enp67s0f0np0.device" ]; bindsTo = [ "sys-subsystem-net-devices-enp67s0f0np0.device" ];
script = '' script = builtins.concatStringsSep "\n" (
${lib.getExe pkgs.ethtool} -K enp67s0f0np0 rxvlan off builtins.map (name: "${lib.getExe pkgs.ethtool} -K enp67s0f0np0 ${name} off") [
${lib.getExe pkgs.ethtool} -K enp67s0f0np0 txvlan off "rxvlan"
${lib.getExe pkgs.ethtool} -K enp67s0f0np0 rx-vlan-filter off "txvlan"
${lib.getExe pkgs.ethtool} -K enp67s0f0np0 rx-vlan-offload off "rx-vlan-filter"
${lib.getExe pkgs.ethtool} -K enp67s0f0np0 tx-vlan-offload off "rx-vlan-offload"
${lib.getExe pkgs.ethtool} -K enp67s0f0np0 tx-vlan-stag-hw-insert off "tx-vlan-offload"
echo "Hardware for enp67s0f0np0 configured" "tx-vlan-stag-hw-insert"
''; ]
);
lbailly marked this conversation as resolved Outdated
script = builtins.concatStringsSep "\n" (builtins.map (name: "${lib.getExe pkgs.ethtool} -K enp67s0f0np0 ${name} off") [
  "rxvlan"
  "txvlan"
  "rx-vlan-filter"
  "rx-vlan-offload"
  "tx-vlan-offload"
  "tx-vlan-stag-hw-insert"
])
```nix script = builtins.concatStringsSep "\n" (builtins.map (name: "${lib.getExe pkgs.ethtool} -K enp67s0f0np0 ${name} off") [ "rxvlan" "txvlan" "rx-vlan-filter" "rx-vlan-offload" "tx-vlan-offload" "tx-vlan-stag-hw-insert" ]) ```
}; };
systemd-networkd.serviceConfig = { systemd-networkd.serviceConfig.LimitNOFILE = 4096;
LimitNOFILE = 4096;
};
}; };
}; };
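Review bot: The address arithmetic inlined into `mkUserVlan` (hunk at @ -37) carries only the French comment from the deleted file, which does not spell out the mapping the expressions implement; an English comment such as `# id n -> vlan 4094-n and the (n+1)-th /27 of 10.0.0.0/17 (eight /27 per /24); /27 number 0 is kept for the router` would let a reader check `prefix24nb` and `prefix27nb` without recomputing them. The `/27` literal is now repeated in `Address`, `Destination` and `From`; binding `network = "${netIP}/27";` in the same `let` and using it for the route and the policy rule keeps the two in sync. `mkUserVlan`'s body continues into the following hunks.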


@ -1,14 +0,0 @@
let
mkUserVlan = id: rec {
# on alloue 10.0.0.0/17 aux thurnés, avec un /27 chacun, on garde 10.0.0.0/27 pour nous (routeur et autres)
vlan = 4094 - id;
prefix24nb = (id + 1) / 8;
prefix27nb = (id + 1 - prefix24nb * 8) * 32;
prefixLength = 27;
netIP = "10.0.${toString prefix24nb}.${toString prefix27nb}";
servIP = "10.0.${toString prefix24nb}.${toString (prefix27nb + 1)}";
broadIP = "10.0.${toString prefix24nb}.${toString (prefix27nb + 31)}";
interfaceName = "vlan-user-${toString vlan}";
};
in
builtins.genList mkUserVlan 850