changement dans le plan IP et free-radius DHCP #99
|
@ -7,13 +7,15 @@
|
|||
|
||||
let
|
||||
inherit (lib)
|
||||
attrsToList
|
||||
getExe'
|
||||
imap0
|
||||
mapAttrsToList
|
||||
mkEnableOption
|
||||
mkIf
|
||||
mkOption
|
||||
types
|
||||
mapAttrsToList
|
||||
optionalString
|
||||
zipListsWith
|
||||
types
|
||||
|
||||
;
|
||||
|
||||
settingsFormat = pkgs.formats.toml { };
|
||||
|
@ -49,14 +51,14 @@ in
|
|||
|
||||
extra-mods = mkOption {
|
||||
type = types.attrsOf types.path;
|
||||
thubrecht
commented
Le default devrait aller avant la description
|
||||
description = "Additional files to be linked in mods-enabled.";
|
||||
default = { };
|
||||
description = "Additional files to be linked in mods-enabled.";
|
||||
};
|
||||
|
||||
extra-sites = mkOption {
|
||||
type = types.attrsOf types.path;
|
||||
thubrecht
commented
Le default devrait aller avant la description
|
||||
description = "Additional files to be linked in sites-enabled.";
|
||||
default = { };
|
||||
description = "Additional files to be linked in sites-enabled.";
|
||||
};
|
||||
|
||||
dictionary = mkOption {
|
||||
|
@ -69,8 +71,8 @@ in
|
|||
"string"
|
||||
]
|
||||
);
|
||||
thubrecht
commented
Le default devrait aller avant la description
|
||||
description = "Declare additionnal attributes to be listed in the dictionary.";
|
||||
default = { };
|
||||
description = "Declare additionnal attributes to be listed in the dictionary.";
|
||||
};
|
||||
|
||||
radiusClients = mkOption {
|
||||
|
@ -109,7 +111,7 @@ in
|
|||
|
||||
checkConfiguration = mkOption {
|
||||
thubrecht
commented
useful
|
||||
type = types.bool;
|
||||
description = "Check the configuration before starting the deamon. Usefull for debugging.";
|
||||
description = "Check the configuration before starting the deamon. Useful for debugging.";
|
||||
default = false;
|
||||
};
|
||||
};
|
||||
|
@ -202,18 +204,16 @@ in
|
|||
sed -i ${cfg.configDir}/mods-available/eap \
|
||||
-e "s/whatever/$(cat "${cfg.privateKeyPasswordFile}")/"
|
||||
|
||||
thubrecht
commented
Plutôt que faire des trucs dans un script avec cat et EOF, il vaut mieux utiliser `pkgs.writeText` et faire un lien au démarrage. Surtout que ce fichier ne doit pas être généré à chaque démarrage de freeradius
|
||||
# Build the dictionary
|
||||
cat <<EOF > ${cfg.configDir}/dictionary
|
||||
${
|
||||
let
|
||||
attrs = mapAttrsToList (name: type: { inherit name type; }) cfg.dictionary;
|
||||
idList = builtins.genList (id: 3000 + id) (builtins.length attrs);
|
||||
in
|
||||
builtins.concatStringsSep "\n" (
|
||||
zipListsWith ({ name, type }: id: "ATTRIBUTE ${name} ${toString id} ${type}") attrs idList
|
||||
# Link the dictionary
|
||||
ln -nsf ${
|
||||
pkgs.writeText "radius-dictionary" (
|
||||
builtins.concatStringsSep "\n" (
|
||||
imap0 (i: { name, value }: "ATTRIBUTE ${name} ${builtins.toString (3000 + i)} ${value}") (
|
||||
attrsToList cfg.dictionary
|
||||
)
|
||||
thubrecht
commented
```diff
- zipListsWith ({ name, type }: id: "ATTRIBUTE ${name} ${toString id} ${type}") attrs idList
+ imap0 (i: {name, value}: "ATTRIBUTE ${name} ${builtins.toString (3000 + i)} ${value}") (attrsToList cfg.dictionnary)
```
|
||||
)
|
||||
)
|
||||
}
|
||||
EOF
|
||||
} ${cfg.configDir}/dictionary
|
||||
|
||||
# Link extra-mods
|
||||
${builtins.concatStringsSep "\n" (
|
||||
|
@ -228,9 +228,7 @@ in
|
|||
)}
|
||||
|
||||
# Check the configuration
|
||||
${
|
||||
optionalString (!cfg.checkConfiguration) "# "
|
||||
}${pkgs.freeradius}/bin/radiusd -C -d ${cfg.configDir} -l stdout
|
||||
${optionalString cfg.checkConfiguration "${getExe' pkgs.freeradius "radiusd"} -C -d ${cfg.configDir} -l stdout"}
|
||||
'';
|
||||
|
||||
thubrecht
commented
```diff
- ${
- optionalString (!cfg.checkConfiguration) "# "
- }${pkgs.freeradius}/bin/radiusd -C -d ${cfg.configDir} -l stdout
+ ${optionalString cfg.checkConfiguration "${getExe' pkgs.freeradius "radiusd"} -C -d ${cfg.configDir} -l stdout"}
```
|
||||
path = [
|
||||
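Review bot: The ids in the generated dictionary are positional, `3000 + i` over `attrsToList cfg.dictionary`, and Nix orders attribute names alphabetically, so adding a `dictionary` entry whose name sorts before an existing one renumbers every entry after it; the removed zipListsWith/mapAttrsToList version had the same property, so this is not a regression, but nothing on the `dictionary` option says so. Numbers above 255 are internal-only attributes in FreeRADIUS, so the renumbering presumably only matters where a policy or module refers to an attribute by number rather than by name; a comment such as `# ids follow attribute-name order and shift when an entry is inserted` next to the imap0 call, or an explicit id field in the option, would make that visible. The unchanged `sed -i … -e "s/whatever/$(cat "${cfg.privateKeyPasswordFile}")/"` line just above the linked dictionary still expands the private-key password into the sed program on the command line, where it is readable in the process list for the duration of the call and where a `/`, `&` or `\` in the password corrupts the substitution; that predates this commit but is worth a follow-up.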
|
|
|
@ -19,7 +19,7 @@ let
|
|||
mkNetwork =
|
||||
name:
|
||||
{
|
||||
address,
|
||||
address ? [ ],
|
||||
extraNetwork ? { },
|
||||
...
|
||||
}:
|
||||
|
@ -37,31 +37,30 @@ let
|
|||
};
|
||||
|
||||
mkUserVlan =
|
||||
{
|
||||
vlan,
|
||||
netIP,
|
||||
servIP,
|
||||
prefixLength,
|
||||
interfaceName,
|
||||
...
|
||||
}:
|
||||
id:
|
||||
let
|
||||
# on alloue 10.0.0.0/17 aux thurnés, avec un /27 chacun, on garde 10.0.0.0/27 pour nous (routeur et autres)
|
||||
vlan = 4094 - id;
|
||||
prefix24nb = (id + 1) / 8;
|
||||
prefix27nb = (id + 1 - prefix24nb * 8) * 32;
|
||||
netIP = "10.0.${toString prefix24nb}.${toString prefix27nb}";
|
||||
thubrecht
commented
Le `prefixLength` risque de changer souvent ?
Ce serait bien de l'inline sinon
|
||||
servIP = "10.0.${toString prefix24nb}.${toString (prefix27nb + 1)}";
|
||||
interfaceName = "vlan-user-${toString vlan}";
|
||||
in
|
||||
thubrecht
commented
Si y'en a pas besoin ça ne sert à rien de le laisser
|
||||
{
|
||||
name = interfaceName;
|
||||
value = {
|
||||
Id = vlan;
|
||||
address = [ ];
|
||||
extraNetwork = {
|
||||
networkConfig = {
|
||||
LinkLocalAddressing = "no";
|
||||
thubrecht
commented
Inutile du coup ?
lbailly
commented
J'utilise plutôt l'entrée `addresses` qui me permet de pas créer la route par défaut, car je veux la mettre dans une autre table de routage. `address` me permet pas de faire ça, mais c'est pas forcément "inutile", c'est juste ici que j'ai un besoin précis
thubrecht
commented
Mais du coup ça sert à rien de mettre une liste vide, si ?
Donc on peut l'enlever.
|
||||
DHCPServer = "yes";
|
||||
};
|
||||
linkConfig = {
|
||||
Promiscuous = true;
|
||||
};
|
||||
linkConfig.Promiscuous = true;
|
||||
addresses = [
|
||||
{
|
||||
addressConfig = {
|
||||
Address = "${servIP}/${toString prefixLength}";
|
||||
Address = "${servIP}/27";
|
||||
AddPrefixRoute = false;
|
||||
thubrecht
commented
```nix
linkConfig.Promiscuous = true;
```
|
||||
};
|
||||
}
|
||||
|
@ -69,7 +68,7 @@ let
|
|||
routes = [
|
||||
{
|
||||
routeConfig = {
|
||||
Destination = "${netIP}/${toString prefixLength}";
|
||||
Destination = "${netIP}/27";
|
||||
Table = "user";
|
||||
};
|
||||
}
|
||||
|
@ -77,7 +76,7 @@ let
|
|||
routingPolicyRules = [
|
||||
{
|
||||
routingPolicyRuleConfig = {
|
||||
From = "${netIP}/${toString prefixLength}";
|
||||
From = "${netIP}/27";
|
||||
To = "10.0.0.0/27";
|
||||
IncomingInterface = interfaceName;
|
||||
Table = "user";
|
||||
|
@ -120,7 +119,7 @@ let
|
|||
|
||||
extraNetwork.networkConfig.DHCPServer = "yes";
|
||||
};
|
||||
} // builtins.listToAttrs (map mkUserVlan (import ./user_vlans.nix));
|
||||
} // builtins.listToAttrs (builtins.genList mkUserVlan 850);
|
||||
in
|
||||
|
||||
{
|
||||
|
@ -175,20 +174,19 @@ in
|
|||
wantedBy = [ "systemd-networkd.service" ];
|
||||
after = [ "sys-subsystem-net-devices-enp67s0f0np0.device" ];
|
||||
bindsTo = [ "sys-subsystem-net-devices-enp67s0f0np0.device" ];
|
||||
script = ''
|
||||
${lib.getExe pkgs.ethtool} -K enp67s0f0np0 rxvlan off
|
||||
${lib.getExe pkgs.ethtool} -K enp67s0f0np0 txvlan off
|
||||
${lib.getExe pkgs.ethtool} -K enp67s0f0np0 rx-vlan-filter off
|
||||
${lib.getExe pkgs.ethtool} -K enp67s0f0np0 rx-vlan-offload off
|
||||
${lib.getExe pkgs.ethtool} -K enp67s0f0np0 tx-vlan-offload off
|
||||
${lib.getExe pkgs.ethtool} -K enp67s0f0np0 tx-vlan-stag-hw-insert off
|
||||
echo "Hardware for enp67s0f0np0 configured"
|
||||
'';
|
||||
script = builtins.concatStringsSep "\n" (
|
||||
builtins.map (name: "${lib.getExe pkgs.ethtool} -K enp67s0f0np0 ${name} off") [
|
||||
"rxvlan"
|
||||
"txvlan"
|
||||
"rx-vlan-filter"
|
||||
"rx-vlan-offload"
|
||||
"tx-vlan-offload"
|
||||
"tx-vlan-stag-hw-insert"
|
||||
]
|
||||
);
|
||||
thubrecht
commented
```nix
script = builtins.concatStringsSep "\n" (builtins.map (name: "${lib.getExe pkgs.ethtool} -K enp67s0f0np0 ${name} off") [
"rxvlan"
"txvlan"
"rx-vlan-filter"
"rx-vlan-offload"
"tx-vlan-offload"
"tx-vlan-stag-hw-insert"
])
```
|
||||
};
|
||||
|
||||
systemd-networkd.serviceConfig = {
|
||||
LimitNOFILE = 4096;
|
||||
};
|
||||
systemd-networkd.serviceConfig.LimitNOFILE = 4096;
|
||||
};
|
||||
};
|
||||
|
||||
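Review bot: Nothing bounds `id` in mkUserVlan against the plan the comment above it describes: with `prefix24nb = (id + 1) / 8` the 10.0.0.0/17 block is used up at id 1022 (id 1023 yields 10.0.128.0), and `vlan = 4094 - id` is only a usable VLAN id while it stays positive, yet the count in `builtins.listToAttrs (builtins.genList mkUserVlan 850)` is a bare literal with no link to either limit. An assertion makes a later bump of that count fail at evaluation instead of silently allocating outside the block and overlapping whatever lives above 10.0.127.255, e.g. `id: assert id < 1023; let` in place of the `id:` / `let` pair at the top of mkUserVlan, whose body continues past the hunk. The per-room prefix is now the literal `/27` in `Address`, `Destination` and `From` (hunks @ -69 and @ -77) and implicitly the `* 32` in `prefix27nb`, so those four places must change together; a short comment on the `prefix27nb` line naming the other three would keep that from being missed.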
|
|
|
@ -1,14 +0,0 @@
|
|||
let
|
||||
mkUserVlan = id: rec {
|
||||
# on alloue 10.0.0.0/17 aux thurnés, avec un /27 chacun, on garde 10.0.0.0/27 pour nous (routeur et autres)
|
||||
vlan = 4094 - id;
|
||||
prefix24nb = (id + 1) / 8;
|
||||
prefix27nb = (id + 1 - prefix24nb * 8) * 32;
|
||||
prefixLength = 27;
|
||||
netIP = "10.0.${toString prefix24nb}.${toString prefix27nb}";
|
||||
servIP = "10.0.${toString prefix24nb}.${toString (prefix27nb + 1)}";
|
||||
broadIP = "10.0.${toString prefix24nb}.${toString (prefix27nb + 31)}";
|
||||
interfaceName = "vlan-user-${toString vlan}";
|
||||
};
|
||||
in
|
||||
builtins.genList mkUserVlan 850
|
Idéalement cette liste devrait être triée