changement dans le plan IP et free-radius DHCP #99
2 changed files with 172 additions and 23 deletions
|
@ -7,9 +7,14 @@
|
||||||
|
|
||||||
let
|
let
|
||||||
inherit (lib)
|
inherit (lib)
|
||||||
|
attrsToList
|
||||||
|
getExe'
|
||||||
|
imap0
|
||||||
|
mapAttrsToList
|
||||||
mkEnableOption
|
mkEnableOption
|
||||||
mkIf
|
mkIf
|
||||||
mkOption
|
mkOption
|
||||||
|
optionalString
|
||||||
types
|
types
|
||||||
;
|
;
|
||||||
|
|
||||||
|
@ -44,6 +49,32 @@ in
|
||||||
description = "File to the auth token for the service account.";
|
description = "File to the auth token for the service account.";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
extra-mods = mkOption {
|
||||||
|
type = types.attrsOf types.path;
|
||||||
lbailly marked this conversation as resolved
|
|||||||
|
default = { };
|
||||||
|
description = "Additional files to be linked in mods-enabled.";
|
||||||
|
};
|
||||||
|
|
||||||
|
extra-sites = mkOption {
|
||||||
|
type = types.attrsOf types.path;
|
||||||
lbailly marked this conversation as resolved
thubrecht
commented
Le default devrait aller avant la description Le default devrait aller avant la description
|
|||||||
|
default = { };
|
||||||
|
description = "Additional files to be linked in sites-enabled.";
|
||||||
|
};
|
||||||
|
|
||||||
|
dictionary = mkOption {
|
||||||
|
type = types.attrsOf (
|
||||||
|
types.enum [
|
||||||
|
"abinary"
|
||||||
|
"date"
|
||||||
|
"ipaddr"
|
||||||
|
"integer"
|
||||||
|
"string"
|
||||||
|
]
|
||||||
|
);
|
||||||
lbailly marked this conversation as resolved
thubrecht
commented
Le default devrait aller avant la description Le default devrait aller avant la description
|
|||||||
|
default = { };
|
||||||
|
description = "Declare additionnal attributes to be listed in the dictionary.";
|
||||||
|
};
|
||||||
|
|
||||||
radiusClients = mkOption {
|
radiusClients = mkOption {
|
||||||
type = types.attrsOf (
|
type = types.attrsOf (
|
||||||
types.submodule {
|
types.submodule {
|
||||||
|
@ -77,6 +108,12 @@ in
|
||||||
};
|
};
|
||||||
|
|
||||||
privateKeyPasswordFile = mkOption { type = types.path; };
|
privateKeyPasswordFile = mkOption { type = types.path; };
|
||||||
|
|
||||||
|
checkConfiguration = mkOption {
|
||||||
lbailly marked this conversation as resolved
thubrecht
commented
useful useful
|
|||||||
|
type = types.bool;
|
||||||
|
description = "Check the configuration before starting the deamon. Useful for debugging.";
|
||||||
|
default = false;
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
config = mkIf cfg.enable {
|
config = mkIf cfg.enable {
|
||||||
|
@ -104,8 +141,11 @@ in
|
||||||
wantedBy = [ "multi-user.target" ];
|
wantedBy = [ "multi-user.target" ];
|
||||||
after = [ "network.target" ];
|
after = [ "network.target" ];
|
||||||
wants = [ "network.target" ];
|
wants = [ "network.target" ];
|
||||||
|
startLimitIntervalSec = 20;
|
||||||
|
startLimitBurst = 5;
|
||||||
|
|
||||||
preStart = ''
|
preStart = ''
|
||||||
|
rm -rf ${cfg.configDir}
|
||||||
mkdir -p ${cfg.configDir}
|
mkdir -p ${cfg.configDir}
|
||||||
|
|
||||||
cp -R --no-preserve=mode ${cfg.freeradius}/etc/raddb/* ${cfg.configDir}
|
cp -R --no-preserve=mode ${cfg.freeradius}/etc/raddb/* ${cfg.configDir}
|
||||||
|
@ -164,8 +204,31 @@ in
|
||||||
sed -i ${cfg.configDir}/mods-available/eap \
|
sed -i ${cfg.configDir}/mods-available/eap \
|
||||||
-e "s/whatever/$(cat "${cfg.privateKeyPasswordFile}")/"
|
-e "s/whatever/$(cat "${cfg.privateKeyPasswordFile}")/"
|
||||||
|
|
||||||
|
# Link the dictionary
|
||||||
|
ln -nsf ${
|
||||||
|
pkgs.writeText "radius-dictionary" (
|
||||||
|
builtins.concatStringsSep "\n" (
|
||||||
|
imap0 (i: { name, value }: "ATTRIBUTE ${name} ${builtins.toString (3000 + i)} ${value}") (
|
||||||
|
attrsToList cfg.dictionary
|
||||||
|
)
|
||||||
|
)
|
||||||
|
)
|
||||||
|
} ${cfg.configDir}/dictionary
|
||||||
|
|
||||||
|
# Link extra-mods
|
||||||
|
${builtins.concatStringsSep "\n" (
|
||||||
|
mapAttrsToList (name: path: "ln -nsf ${path} ${cfg.configDir}/mods-enabled/${name}") cfg.extra-mods
|
||||||
|
)}
|
||||||
|
|
||||||
|
# Link extra-sites
|
||||||
|
${builtins.concatStringsSep "\n" (
|
||||||
|
mapAttrsToList (
|
||||||
|
name: path: "ln -nsf ${path} ${cfg.configDir}/sites-enabled/${name}"
|
||||||
|
) cfg.extra-sites
|
||||||
|
)}
|
||||||
|
|
||||||
# Check the configuration
|
# Check the configuration
|
||||||
# ${pkgs.freeradius}/bin/radiusd -C -d ${cfg.configDir} -l stdout
|
${optionalString cfg.checkConfiguration "${getExe' pkgs.freeradius "radiusd"} -C -d ${cfg.configDir} -l stdout"}
|
||||||
'';
|
'';
|
||||||
|
|
||||||
path = [
|
path = [
|
||||||
|
@ -187,6 +250,7 @@ in
|
||||||
LogsDirectory = "radius";
|
LogsDirectory = "radius";
|
||||||
StateDirectory = "radius";
|
StateDirectory = "radius";
|
||||||
RuntimeDirectory = "radius";
|
RuntimeDirectory = "radius";
|
||||||
|
AmbientCapabilities = "CAP_NET_BIND_SERVICE";
|
||||||
Environment = [
|
Environment = [
|
||||||
"KANIDM_RLM_CONFIG=/var/lib/radius/kanidm.toml"
|
"KANIDM_RLM_CONFIG=/var/lib/radius/kanidm.toml"
|
||||||
"PYTHONPATH=${rlm_python.pythonPath}"
|
"PYTHONPATH=${rlm_python.pythonPath}"
|
||||||
|
|
|
@ -1,4 +1,5 @@
|
||||||
{
|
{
|
||||||
|
pkgs,
|
||||||
lib,
|
lib,
|
||||||
meta,
|
meta,
|
||||||
name,
|
name,
|
||||||
|
@ -18,7 +19,7 @@ let
|
||||||
mkNetwork =
|
mkNetwork =
|
||||||
name:
|
name:
|
||||||
{
|
{
|
||||||
address,
|
address ? [ ],
|
||||||
extraNetwork ? { },
|
extraNetwork ? { },
|
||||||
...
|
...
|
||||||
}:
|
}:
|
||||||
|
@ -38,15 +39,51 @@ let
|
||||||
mkUserVlan =
|
mkUserVlan =
|
||||||
id:
|
id:
|
||||||
let
|
let
|
||||||
vlan = 3245 + id;
|
# on alloue 10.0.0.0/17 aux thurnés, avec un /27 chacun, on garde 10.0.0.0/27 pour nous (routeur et autres)
|
||||||
prefix24nb = id / 32;
|
vlan = 4094 - id;
|
||||||
prefix29nb = (id - prefix24nb * 32) * 8;
|
prefix24nb = (id + 1) / 8;
|
||||||
|
prefix27nb = (id + 1 - prefix24nb * 8) * 32;
|
||||||
|
netIP = "10.0.${toString prefix24nb}.${toString prefix27nb}";
|
||||||
|
servIP = "10.0.${toString prefix24nb}.${toString (prefix27nb + 1)}";
|
||||||
|
interfaceName = "vlan-user-${toString vlan}";
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
name = "vlan-user-${builtins.toString vlan}";
|
name = interfaceName;
|
||||||
value = {
|
value = {
|
||||||
Id = vlan;
|
Id = vlan;
|
||||||
address = [ "10.0.${builtins.toString prefix24nb}.${builtins.toString (prefix29nb + 1)}/29" ];
|
extraNetwork = {
|
||||||
|
networkConfig = {
|
||||||
|
LinkLocalAddressing = "no";
|
||||||
|
DHCPServer = "yes";
|
||||||
|
};
|
||||||
|
linkConfig.Promiscuous = true;
|
||||||
|
addresses = [
|
||||||
|
{
|
||||||
|
addressConfig = {
|
||||||
|
Address = "${servIP}/27";
|
||||||
|
AddPrefixRoute = false;
|
||||||
|
};
|
||||||
|
}
|
||||||
|
];
|
||||||
|
routes = [
|
||||||
|
{
|
||||||
|
routeConfig = {
|
||||||
|
Destination = "${netIP}/27";
|
||||||
|
Table = "user";
|
||||||
|
};
|
||||||
|
}
|
||||||
|
];
|
||||||
|
routingPolicyRules = [
|
||||||
|
{
|
||||||
|
routingPolicyRuleConfig = {
|
||||||
|
From = "${netIP}/27";
|
||||||
|
To = "10.0.0.0/27";
|
||||||
|
IncomingInterface = interfaceName;
|
||||||
|
Table = "user";
|
||||||
|
};
|
||||||
|
}
|
||||||
|
];
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -82,14 +119,41 @@ let
|
||||||
|
|
||||||
extraNetwork.networkConfig.DHCPServer = "yes";
|
extraNetwork.networkConfig.DHCPServer = "yes";
|
||||||
};
|
};
|
||||||
} // builtins.listToAttrs (builtins.genList mkUserVlan 300); # 850 when we can
|
} // builtins.listToAttrs (builtins.genList mkUserVlan 850);
|
||||||
in
|
in
|
||||||
|
|
||||||
{
|
{
|
||||||
systemd.network = {
|
systemd = {
|
||||||
|
network = {
|
||||||
|
config.routeTables."user" = 1000;
|
||||||
networks = {
|
networks = {
|
||||||
|
"10-lo" = {
|
||||||
|
name = "lo";
|
||||||
|
address = [
|
||||||
|
"::1/128"
|
||||||
|
"127.0.0.1/8"
|
||||||
|
"10.0.0.1/27"
|
||||||
|
];
|
||||||
|
routes = [
|
||||||
|
{
|
||||||
|
routeConfig = {
|
||||||
|
Destination = "10.0.0.0/27";
|
||||||
|
Table = "user";
|
||||||
|
};
|
||||||
|
}
|
||||||
|
];
|
||||||
|
routingPolicyRules = [
|
||||||
|
{
|
||||||
|
routingPolicyRuleConfig = {
|
||||||
|
IncomingInterface = "lo";
|
||||||
|
Table = "user";
|
||||||
|
};
|
||||||
|
}
|
||||||
|
];
|
||||||
|
};
|
||||||
"10-enp67s0f0np0" = {
|
"10-enp67s0f0np0" = {
|
||||||
name = "enp67s0f0np0";
|
name = "enp67s0f0np0";
|
||||||
|
linkConfig.Promiscuous = true;
|
||||||
networkConfig = {
|
networkConfig = {
|
||||||
VLAN = builtins.attrNames vlans;
|
VLAN = builtins.attrNames vlans;
|
||||||
|
|
||||||
|
@ -105,5 +169,26 @@ in
|
||||||
netdevs = mapAttrs' mkNetdev vlans;
|
netdevs = mapAttrs' mkNetdev vlans;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
services = {
|
||||||
|
ethtoolConfig = {
|
||||||
|
wantedBy = [ "systemd-networkd.service" ];
|
||||||
|
after = [ "sys-subsystem-net-devices-enp67s0f0np0.device" ];
|
||||||
|
bindsTo = [ "sys-subsystem-net-devices-enp67s0f0np0.device" ];
|
||||||
|
script = builtins.concatStringsSep "\n" (
|
||||||
|
builtins.map (name: "${lib.getExe pkgs.ethtool} -K enp67s0f0np0 ${name} off") [
|
||||||
|
"rxvlan"
|
||||||
|
"txvlan"
|
||||||
|
"rx-vlan-filter"
|
||||||
|
"rx-vlan-offload"
|
||||||
|
"tx-vlan-offload"
|
||||||
|
"tx-vlan-stag-hw-insert"
|
||||||
|
]
|
||||||
|
);
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd-networkd.serviceConfig.LimitNOFILE = 4096;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
networking.firewall.allowedUDPPorts = [ 67 ];
|
networking.firewall.allowedUDPPorts = [ 67 ];
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue
Le default devrait aller avant la description