changement dans le plan IP et free-radius DHCP #99

Merged
thubrecht merged 9 commits from lbailly/infrastructure:plan_ip into main 2024-05-26 20:57:19 +02:00
2 changed files with 172 additions and 23 deletions

View file

@ -7,9 +7,14 @@
let let
inherit (lib) inherit (lib)
attrsToList
getExe'
imap0
mapAttrsToList
mkEnableOption mkEnableOption
mkIf mkIf
mkOption mkOption
optionalString
types types
; ;
@ -44,6 +49,32 @@ in
description = "File to the auth token for the service account."; description = "File to the auth token for the service account.";
}; };
extra-mods = mkOption {
type = types.attrsOf types.path;
lbailly marked this conversation as resolved
Review

Le default devrait aller avant la description

Le default devrait aller avant la description
default = { };
description = "Additional files to be linked in mods-enabled.";
};
extra-sites = mkOption {
type = types.attrsOf types.path;
lbailly marked this conversation as resolved
Review

Le default devrait aller avant la description

Le default devrait aller avant la description
default = { };
description = "Additional files to be linked in sites-enabled.";
};
dictionary = mkOption {
type = types.attrsOf (
types.enum [
"abinary"
"date"
"ipaddr"
"integer"
"string"
]
);
lbailly marked this conversation as resolved
Review

Le default devrait aller avant la description

Le default devrait aller avant la description
default = { };
description = "Declare additionnal attributes to be listed in the dictionary.";
};
radiusClients = mkOption { radiusClients = mkOption {
type = types.attrsOf ( type = types.attrsOf (
types.submodule { types.submodule {
@ -77,6 +108,12 @@ in
}; };
privateKeyPasswordFile = mkOption { type = types.path; }; privateKeyPasswordFile = mkOption { type = types.path; };
checkConfiguration = mkOption {
lbailly marked this conversation as resolved
Review

useful

useful
type = types.bool;
description = "Check the configuration before starting the deamon. Useful for debugging.";
default = false;
};
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
@ -104,8 +141,11 @@ in
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
after = [ "network.target" ]; after = [ "network.target" ];
wants = [ "network.target" ]; wants = [ "network.target" ];
startLimitIntervalSec = 20;
startLimitBurst = 5;
preStart = '' preStart = ''
rm -rf ${cfg.configDir}
mkdir -p ${cfg.configDir} mkdir -p ${cfg.configDir}
cp -R --no-preserve=mode ${cfg.freeradius}/etc/raddb/* ${cfg.configDir} cp -R --no-preserve=mode ${cfg.freeradius}/etc/raddb/* ${cfg.configDir}
@ -164,8 +204,31 @@ in
sed -i ${cfg.configDir}/mods-available/eap \ sed -i ${cfg.configDir}/mods-available/eap \
-e "s/whatever/$(cat "${cfg.privateKeyPasswordFile}")/" -e "s/whatever/$(cat "${cfg.privateKeyPasswordFile}")/"
# Link the dictionary
ln -nsf ${
pkgs.writeText "radius-dictionary" (
builtins.concatStringsSep "\n" (
imap0 (i: { name, value }: "ATTRIBUTE ${name} ${builtins.toString (3000 + i)} ${value}") (
attrsToList cfg.dictionary
)
)
)
} ${cfg.configDir}/dictionary
# Link extra-mods
${builtins.concatStringsSep "\n" (
mapAttrsToList (name: path: "ln -nsf ${path} ${cfg.configDir}/mods-enabled/${name}") cfg.extra-mods
)}
# Link extra-sites
${builtins.concatStringsSep "\n" (
mapAttrsToList (
name: path: "ln -nsf ${path} ${cfg.configDir}/sites-enabled/${name}"
) cfg.extra-sites
)}
# Check the configuration # Check the configuration
# ${pkgs.freeradius}/bin/radiusd -C -d ${cfg.configDir} -l stdout ${optionalString cfg.checkConfiguration "${getExe' pkgs.freeradius "radiusd"} -C -d ${cfg.configDir} -l stdout"}
''; '';
path = [ path = [
@ -187,6 +250,7 @@ in
LogsDirectory = "radius"; LogsDirectory = "radius";
StateDirectory = "radius"; StateDirectory = "radius";
RuntimeDirectory = "radius"; RuntimeDirectory = "radius";
AmbientCapabilities = "CAP_NET_BIND_SERVICE";
Environment = [ Environment = [
"KANIDM_RLM_CONFIG=/var/lib/radius/kanidm.toml" "KANIDM_RLM_CONFIG=/var/lib/radius/kanidm.toml"
"PYTHONPATH=${rlm_python.pythonPath}" "PYTHONPATH=${rlm_python.pythonPath}"

View file

@ -1,4 +1,5 @@
{ {
pkgs,
lib, lib,
meta, meta,
name, name,
@ -18,7 +19,7 @@ let
mkNetwork = mkNetwork =
name: name:
{ {
address, address ? [ ],
extraNetwork ? { }, extraNetwork ? { },
... ...
}: }:
@ -38,15 +39,51 @@ let
mkUserVlan = mkUserVlan =
id: id:
let let
vlan = 3245 + id; # on alloue 10.0.0.0/17 aux thurnés, avec un /27 chacun, on garde 10.0.0.0/27 pour nous (routeur et autres)
prefix24nb = id / 32; vlan = 4094 - id;
prefix29nb = (id - prefix24nb * 32) * 8; prefix24nb = (id + 1) / 8;
prefix27nb = (id + 1 - prefix24nb * 8) * 32;
netIP = "10.0.${toString prefix24nb}.${toString prefix27nb}";
servIP = "10.0.${toString prefix24nb}.${toString (prefix27nb + 1)}";
interfaceName = "vlan-user-${toString vlan}";
in in
{ {
name = "vlan-user-${builtins.toString vlan}"; name = interfaceName;
value = { value = {
Id = vlan; Id = vlan;
address = [ "10.0.${builtins.toString prefix24nb}.${builtins.toString (prefix29nb + 1)}/29" ]; extraNetwork = {
networkConfig = {
LinkLocalAddressing = "no";
DHCPServer = "yes";
};
linkConfig.Promiscuous = true;
addresses = [
{
addressConfig = {
Address = "${servIP}/27";
AddPrefixRoute = false;
};
}
];
routes = [
{
routeConfig = {
Destination = "${netIP}/27";
Table = "user";
};
}
];
routingPolicyRules = [
{
routingPolicyRuleConfig = {
From = "${netIP}/27";
To = "10.0.0.0/27";
IncomingInterface = interfaceName;
Table = "user";
};
}
];
};
}; };
}; };
@ -82,27 +119,75 @@ let
extraNetwork.networkConfig.DHCPServer = "yes"; extraNetwork.networkConfig.DHCPServer = "yes";
}; };
} // builtins.listToAttrs (builtins.genList mkUserVlan 300); # 850 when we can } // builtins.listToAttrs (builtins.genList mkUserVlan 850);
in in
{ {
systemd.network = { systemd = {
networks = { network = {
"10-enp67s0f0np0" = { config.routeTables."user" = 1000;
name = "enp67s0f0np0"; networks = {
networkConfig = { "10-lo" = {
VLAN = builtins.attrNames vlans; name = "lo";
address = [
LinkLocalAddressing = false; "::1/128"
LLDP = false; "127.0.0.1/8"
EmitLLDP = false; "10.0.0.1/27"
IPv6AcceptRA = false; ];
IPv6SendRA = false; routes = [
{
routeConfig = {
Destination = "10.0.0.0/27";
Table = "user";
};
}
];
routingPolicyRules = [
{
routingPolicyRuleConfig = {
IncomingInterface = "lo";
Table = "user";
};
}
];
}; };
}; "10-enp67s0f0np0" = {
} // (mapAttrs' mkNetwork vlans); name = "enp67s0f0np0";
linkConfig.Promiscuous = true;
networkConfig = {
VLAN = builtins.attrNames vlans;
netdevs = mapAttrs' mkNetdev vlans; LinkLocalAddressing = false;
LLDP = false;
EmitLLDP = false;
IPv6AcceptRA = false;
IPv6SendRA = false;
};
};
} // (mapAttrs' mkNetwork vlans);
netdevs = mapAttrs' mkNetdev vlans;
};
services = {
ethtoolConfig = {
wantedBy = [ "systemd-networkd.service" ];
after = [ "sys-subsystem-net-devices-enp67s0f0np0.device" ];
bindsTo = [ "sys-subsystem-net-devices-enp67s0f0np0.device" ];
script = builtins.concatStringsSep "\n" (
builtins.map (name: "${lib.getExe pkgs.ethtool} -K enp67s0f0np0 ${name} off") [
"rxvlan"
"txvlan"
"rx-vlan-filter"
"rx-vlan-offload"
"tx-vlan-offload"
"tx-vlan-stag-hw-insert"
]
);
};
systemd-networkd.serviceConfig.LimitNOFILE = 4096;
};
}; };
networking.firewall.allowedUDPPorts = [ 67 ]; networking.firewall.allowedUDPPorts = [ 67 ];