changement dans le plan IP et free-radius DHCP #99
@ -7,9 +7,14 @@
let
inherit (lib)
attrsToList
getExe'
imap0
mapAttrsToList
mkEnableOption
mkIf
mkOption
optionalString
types
;
@ -44,6 +49,32 @@ in
description = "File to the auth token for the service account.";
};
extra-mods = mkOption {
type = types.attrsOf types.path;
thubrecht
commented
Le default devrait aller avant la description
default = { };
description = "Additional files to be linked in mods-enabled.";
};
extra-sites = mkOption {
type = types.attrsOf types.path;
thubrecht
commented
Le default devrait aller avant la description
default = { };
description = "Additional files to be linked in sites-enabled.";
};
dictionary = mkOption {
type = types.attrsOf (
types.enum [
"abinary"
"date"
"ipaddr"
"integer"
"string"
]
);
thubrecht
commented
Le default devrait aller avant la description
default = { };
description = "Declare additionnal attributes to be listed in the dictionary.";
};
radiusClients = mkOption {
type = types.attrsOf (
types.submodule {
@ -77,6 +108,12 @@ in
};
privateKeyPasswordFile = mkOption { type = types.path; };
checkConfiguration = mkOption {
thubrecht
commented
useful
type = types.bool;
description = "Check the configuration before starting the deamon. Useful for debugging.";
default = false;
};
};
config = mkIf cfg.enable {
@ -104,8 +141,11 @@ in
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
wants = [ "network.target" ];
startLimitIntervalSec = 20;
startLimitBurst = 5;
thubrecht
commented
Pourquoi on a besoin de supprimer ce dossier à chaque démarrage ?
lbailly
commented
Pour les fichiers supplémentaires qui peuvent être ajoutés par la config : si dans un changement de config tu as retiré un fichier, il faut qu'il soit supprimé, sinon il est toujours actif (c'est ce qui a cassé freeradius quand j'ai désactivé son dhcp)
preStart = ''
rm -rf ${cfg.configDir}
mkdir -p ${cfg.configDir}
cp -R --no-preserve=mode ${cfg.freeradius}/etc/raddb/* ${cfg.configDir}
@ -164,8 +204,31 @@ in
sed -i ${cfg.configDir}/mods-available/eap \
-e "s/whatever/$(cat "${cfg.privateKeyPasswordFile}")/"
thubrecht
commented
Plutôt que faire des trucs dans un script avec cat et EOF, il vaut mieux utiliser `pkgs.writeText` et faire un lien au démarrage. Surtout que ce fichier ne doit pas être généré à chaque démarrage de freeradius
# Link the dictionary
ln -nsf ${
pkgs.writeText "radius-dictionary" (
builtins.concatStringsSep "\n" (
imap0 (i: { name, value }: "ATTRIBUTE ${name} ${builtins.toString (3000 + i)} ${value}") (
attrsToList cfg.dictionary
)
thubrecht
commented
```diff
- zipListsWith ({ name, type }: id: "ATTRIBUTE ${name} ${toString id} ${type}") attrs idList
+ imap0 (i: {name, value}: "ATTRIBUTE ${name} ${builtins.toString (3000 + i)} ${value}") (attrsToList cfg.dictionnary)
```
)
)
} ${cfg.configDir}/dictionary
# Link extra-mods
${builtins.concatStringsSep "\n" (
mapAttrsToList (name: path: "ln -nsf ${path} ${cfg.configDir}/mods-enabled/${name}") cfg.extra-mods
)}
# Link extra-sites
${builtins.concatStringsSep "\n" (
mapAttrsToList (
name: path: "ln -nsf ${path} ${cfg.configDir}/sites-enabled/${name}"
) cfg.extra-sites
)}
# Check the configuration
# ${pkgs.freeradius}/bin/radiusd -C -d ${cfg.configDir} -l stdout
${optionalString cfg.checkConfiguration "${getExe' pkgs.freeradius "radiusd"} -C -d ${cfg.configDir} -l stdout"}
'';
thubrecht
commented
```diff
- ${
- optionalString (!cfg.checkConfiguration) "# "
- }${pkgs.freeradius}/bin/radiusd -C -d ${cfg.configDir} -l stdout
+ ${optionalString cfg.checkConfiguration "${getExe' pkgs.freeradius "radiusd"} -C -d ${cfg.configDir} -l stdout"}
```
path = [
@ -187,6 +250,7 @@ in
LogsDirectory = "radius";
StateDirectory = "radius";
RuntimeDirectory = "radius";
AmbientCapabilities = "CAP_NET_BIND_SERVICE";
Environment = [
"KANIDM_RLM_CONFIG=/var/lib/radius/kanidm.toml"
"PYTHONPATH=${rlm_python.pythonPath}"
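Review bot: In the `preStart` hunk that begins at `# Link the dictionary` (the `preStart` string itself starts in the earlier hunk), every value spliced into the shell script is interpolated unquoted — `${path}` and `${name}` in the `ln -nsf` lines for extra-mods and extra-sites, and `${cfg.configDir}` throughout, including the `rm -rf ${cfg.configDir}` added to the same script in the hunk above — so a value containing whitespace or shell metacharacters yields a different command than intended, and an attribute name containing a path separator would create the link somewhere other than `mods-enabled`; wrapping each with `lib.escapeShellArg`, e.g. `"ln -nsf ${lib.escapeShellArg path} ${lib.escapeShellArg "${cfg.configDir}/mods-enabled/${name}"}"`, keeps the script correct for values the module author did not anticipate. The dictionary numbering is positional: `imap0 … (attrsToList cfg.dictionary)` assigns `3000 + i` from the name-sorted position, so adding or removing one entry renumbers every entry that sorts after it and nothing checks that `3000 + i` is free in the dictionaries shipped with freeradius; if that is acceptable because the attributes are only used inside this configuration, say so in a comment next to `imap0`, otherwise let the option carry an explicit number. Lastly, the commented-out `# ${pkgs.freeradius}/bin/radiusd -C -d ${cfg.configDir} -l stdout` line just above the `optionalString` call is dead text that still interpolates `${pkgs.freeradius}` into the script and should be dropped now that the `checkConfiguration` form replaces it.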
@ -1,4 +1,5 @@
{
pkgs,
lib,
meta,
name,
@ -18,7 +19,7 @@ let
mkNetwork =
name:
{
address,
address ? [ ],
extraNetwork ? { },
...
}:
@ -38,15 +39,51 @@ let
mkUserVlan =
id:
let
vlan = 3245 + id;
prefix24nb = id / 32;
prefix29nb = (id - prefix24nb * 32) * 8;
# on alloue 10.0.0.0/17 aux thurnés, avec un /27 chacun, on garde 10.0.0.0/27 pour nous (routeur et autres)
vlan = 4094 - id;
prefix24nb = (id + 1) / 8;
prefix27nb = (id + 1 - prefix24nb * 8) * 32;
netIP = "10.0.${toString prefix24nb}.${toString prefix27nb}";
thubrecht
commented
Le `prefixLength` risque de changer souvent ?
Ce serait bien de l'inline sinon
servIP = "10.0.${toString prefix24nb}.${toString (prefix27nb + 1)}";
interfaceName = "vlan-user-${toString vlan}";
in
thubrecht
commented
Si y'en a pas besoin ça ne sert à rien de le laisser
{
name = "vlan-user-${builtins.toString vlan}";
name = interfaceName;
value = {
Id = vlan;
address = [ "10.0.${builtins.toString prefix24nb}.${builtins.toString (prefix29nb + 1)}/29" ];
extraNetwork = {
networkConfig = {
LinkLocalAddressing = "no";
thubrecht
commented
Inutile du coup ?
lbailly
commented
J'utilise plutôt l'entrée `addresses` qui me permet de ne pas créer la route par défaut, car je veux la mettre dans une autre table de routage. `address` ne me permet pas de faire ça, mais c'est pas forcément "inutile", c'est juste qu'ici j'ai un besoin précis
thubrecht
commented
Mais du coup ça sert à rien de mettre une liste vide, si ?
Donc on peut l'enlever.
DHCPServer = "yes";
};
linkConfig.Promiscuous = true;
addresses = [
{
addressConfig = {
Address = "${servIP}/27";
AddPrefixRoute = false;
thubrecht
commented
```nix
linkConfig.Promiscuous = true;
```
};
}
];
routes = [
{
routeConfig = {
Destination = "${netIP}/27";
Table = "user";
};
}
];
routingPolicyRules = [
{
routingPolicyRuleConfig = {
From = "${netIP}/27";
To = "10.0.0.0/27";
IncomingInterface = interfaceName;
Table = "user";
};
}
];
};
};
};
@ -82,27 +119,75 @@ let
extraNetwork.networkConfig.DHCPServer = "yes";
};
} // builtins.listToAttrs (builtins.genList mkUserVlan 300); # 850 when we can
} // builtins.listToAttrs (builtins.genList mkUserVlan 850);
in
{
systemd.network = {
networks = {
"10-enp67s0f0np0" = {
name = "enp67s0f0np0";
networkConfig = {
VLAN = builtins.attrNames vlans;
LinkLocalAddressing = false;
LLDP = false;
EmitLLDP = false;
IPv6AcceptRA = false;
IPv6SendRA = false;
systemd = {
network = {
config.routeTables."user" = 1000;
networks = {
"10-lo" = {
name = "lo";
address = [
"::1/128"
"127.0.0.1/8"
"10.0.0.1/27"
];
routes = [
{
routeConfig = {
Destination = "10.0.0.0/27";
Table = "user";
};
}
];
routingPolicyRules = [
{
routingPolicyRuleConfig = {
IncomingInterface = "lo";
Table = "user";
};
}
];
};
};
} // (mapAttrs' mkNetwork vlans);
"10-enp67s0f0np0" = {
name = "enp67s0f0np0";
linkConfig.Promiscuous = true;
networkConfig = {
VLAN = builtins.attrNames vlans;
netdevs = mapAttrs' mkNetdev vlans;
LinkLocalAddressing = false;
LLDP = false;
EmitLLDP = false;
IPv6AcceptRA = false;
IPv6SendRA = false;
};
};
} // (mapAttrs' mkNetwork vlans);
netdevs = mapAttrs' mkNetdev vlans;
};
services = {
ethtoolConfig = {
wantedBy = [ "systemd-networkd.service" ];
after = [ "sys-subsystem-net-devices-enp67s0f0np0.device" ];
bindsTo = [ "sys-subsystem-net-devices-enp67s0f0np0.device" ];
script = builtins.concatStringsSep "\n" (
builtins.map (name: "${lib.getExe pkgs.ethtool} -K enp67s0f0np0 ${name} off") [
"rxvlan"
"txvlan"
"rx-vlan-filter"
"rx-vlan-offload"
"tx-vlan-offload"
"tx-vlan-stag-hw-insert"
]
);
thubrecht
commented
```nix
script = builtins.concatStringsSep "\n" (builtins.map (name: "${lib.getExe pkgs.ethtool} -K enp67s0f0np0 ${name} off") [
"rxvlan"
"txvlan"
"rx-vlan-filter"
"rx-vlan-offload"
"tx-vlan-offload"
"tx-vlan-stag-hw-insert"
])
```
};
systemd-networkd.serviceConfig.LimitNOFILE = 4096;
};
};
networking.firewall.allowedUDPPorts = [ 67 ];
Idéalement cette liste devrait être triée
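Review bot: `networking.firewall.allowedUDPPorts = [ 67 ];` at the end of the last hunk opens the DHCP server port on every interface, while the `DHCPServer = "yes"` setting in `mkUserVlan` only needs it on the generated `vlan-user-*` interfaces; if this line is part of the change (the rendered page does not mark it), consider scoping it per interface with `networking.firewall.interfaces.<name>.allowedUDPPorts` built from the names `mkUserVlan` produces, so that 67/udp is not exposed on the trunk interface or `lo`. In the same `mkUserVlan` hunk the boolean settings are written in two forms — `LinkLocalAddressing = "no"` and `DHCPServer = "yes"` inside the VLAN's `networkConfig`, but `LinkLocalAddressing = false` in the `10-enp67s0f0np0` block — and one form should be used throughout. The address arithmetic (`prefix24nb = (id + 1) / 8`, `prefix27nb = (id + 1 - prefix24nb * 8) * 32`) silently depends on the `builtins.genList mkUserVlan 850` bound staying inside the 10.0.0.0/17 named in the comment; a comment next to the count such as `# ids 0..849 -> 10.0.0.32/27 .. 10.0.106.64/27, all inside 10.0.0.0/17` would make that constraint visible.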