diff --git a/machines/vault01/k-radius/module.nix b/machines/vault01/k-radius/module.nix
index 9979605..ac83bc0 100644
--- a/machines/vault01/k-radius/module.nix
+++ b/machines/vault01/k-radius/module.nix
@@ -7,13 +7,15 @@ let
 inherit (lib)
+ attrsToList
+ getExe'
+ imap0
+ mapAttrsToList
 mkEnableOption
 mkIf
 mkOption
- types
- mapAttrsToList
 optionalString
- zipListsWith
+ types
 ;
 settingsFormat = pkgs.formats.toml { };
@@ -49,14 +51,14 @@ in
 extra-mods = mkOption {
 type = types.attrsOf types.path;
- description = "Additional files to be linked in mods-enabled.";
 default = { };
+ description = "Additional files to be linked in mods-enabled.";
 };
 extra-sites = mkOption {
 type = types.attrsOf types.path;
- description = "Additional files to be linked in sites-enabled.";
 default = { };
+ description = "Additional files to be linked in sites-enabled.";
 };
 dictionary = mkOption {
@@ -69,8 +71,8 @@ in
 "string"
 ]
 );
- description = "Declare additionnal attributes to be listed in the dictionary.";
 default = { };
+ description = "Declare additionnal attributes to be listed in the dictionary.";
 };
 radiusClients = mkOption {
@@ -109,7 +111,7 @@ in
 checkConfiguration = mkOption {
 type = types.bool;
- description = "Check the configuration before starting the deamon. Usefull for debugging.";
+ description = "Check the configuration before starting the deamon. Useful for debugging.";
 default = false;
 };
 };
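Review bot: The `dictionary` description re-added in the `@@ -69,8 +71,8 @@` hunk does not tell the user how attribute numbers are chosen, while the module body (the `ln -nsf` hunk further down) assigns them sequentially from 3000 in attribute-name order, so adding a key that sorts earlier renumbers every later attribute; the description should say so, e.g. `description = "Additional attributes to be listed in the dictionary. Attribute numbers are assigned sequentially from 3000 in name order, so adding a name that sorts earlier renumbers the following ones.";`. The same line keeps the misspelling "additionnal", and the `checkConfiguration` description in this file's last hunk fixes "Usefull" but still reads "deamon".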
@@ -202,18 +204,16 @@ in
 sed -i ${cfg.configDir}/mods-available/eap \
 -e "s/whatever/$(cat "${cfg.privateKeyPasswordFile}")/"
- # Build the dictionary
- cat < ${cfg.configDir}/dictionary
- ${
- let
- attrs = mapAttrsToList (name: type: { inherit name type; }) cfg.dictionary;
- idList = builtins.genList (id: 3000 + id) (builtins.length attrs);
- in
- builtins.concatStringsSep "\n" (
- zipListsWith ({ name, type }: id: "ATTRIBUTE ${name} ${toString id} ${type}") attrs idList
+ # Link the dictionary
+ ln -nsf ${
+ pkgs.writeText "radius-dictionary" (
+ builtins.concatStringsSep "\n" (
+ imap0 (i: { name, value }: "ATTRIBUTE ${name} ${builtins.toString (3000 + i)} ${value}") (
+ attrsToList cfg.dictionary
+ )
+ )
 )
- }
- EOF
+ } ${cfg.configDir}/dictionary
 # Link extra-mods
 ${builtins.concatStringsSep "\n" (
@@ -228,9 +228,7 @@ in
 )}
 # Check the configuration
- ${
- optionalString (!cfg.checkConfiguration) "# "
- }${pkgs.freeradius}/bin/radiusd -C -d ${cfg.configDir} -l stdout
+ ${optionalString cfg.checkConfiguration "${getExe' pkgs.freeradius "radiusd"} -C -d ${cfg.configDir} -l stdout"}
 '';
 path = [
diff --git a/machines/vault01/networking.nix b/machines/vault01/networking.nix
index 1075982..54c7de9 100644
--- a/machines/vault01/networking.nix
+++ b/machines/vault01/networking.nix
@@ -19,7 +19,7 @@ let
 mkNetwork = name: {
- address,
+ address ? [ ],
 extraNetwork ? { },
 ...
 }:
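Review bot: Attribute names from `cfg.dictionary` are written verbatim into the `ATTRIBUTE` lines of the generated dictionary with no check that they are valid FreeRADIUS attribute names; the option is `attrsOf`, so a key containing whitespace or a `#` would most likely yield a malformed or commented-out line that only surfaces when radiusd parses the file. A regex assertion over `builtins.attrNames cfg.dictionary` (letters, digits, `-`, `_`, `.`) ahead of the `writeText` call would fail evaluation with a clear message instead. The base `3000` also deserves a comment, e.g. `# attribute numbers start at 3000 and follow attribute-name order (attrsToList sorts by name)`. The enclosing script string starts and ends outside this hunk.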
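Review bot: The `# Check the configuration` heading above the new `optionalString` line is still emitted into the script when `cfg.checkConfiguration` is false, leaving a comment with nothing under it; moving the heading inside the conditional string keeps the comment and the `radiusd -C` command together. The script string this belongs to starts outside the hunk.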
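Review bot: The new `address ? [ ]` default is undocumented, and the only caller on this page that omits it is the rewritten `mkUserVlan`, which supplies its addresses through `extraNetwork.addresses` instead. A short comment on the parameter, e.g. `address ? [ ], # empty for networks that set extraNetwork.addresses themselves (see mkUserVlan)`, would record that. mkNetwork's body is outside the hunk.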
@@ -37,31 +37,30 @@ let
 };
 mkUserVlan =
- {
- vlan,
- netIP,
- servIP,
- prefixLength,
- interfaceName,
- ...
- }:
+ id:
+ let
+ # on alloue 10.0.0.0/17 aux thurnés, avec un /27 chacun, on garde 10.0.0.0/27 pour nous (routeur et autres)
+ vlan = 4094 - id;
+ prefix24nb = (id + 1) / 8;
+ prefix27nb = (id + 1 - prefix24nb * 8) * 32;
+ netIP = "10.0.${toString prefix24nb}.${toString prefix27nb}";
+ servIP = "10.0.${toString prefix24nb}.${toString (prefix27nb + 1)}";
+ interfaceName = "vlan-user-${toString vlan}";
+ in
 {
 name = interfaceName;
 value = {
 Id = vlan;
- address = [ ];
 extraNetwork = {
 networkConfig = {
 LinkLocalAddressing = "no";
 DHCPServer = "yes";
 };
- linkConfig = {
- Promiscuous = true;
- };
+ linkConfig.Promiscuous = true;
 addresses = [
 {
 addressConfig = {
- Address = "${servIP}/${toString prefixLength}";
+ Address = "${servIP}/27";
 AddPrefixRoute = false;
 };
 }
@@ -69,7 +68,7 @@ let
 routes = [
 {
 routeConfig = {
- Destination = "${netIP}/${toString prefixLength}";
+ Destination = "${netIP}/27";
 Table = "user";
 };
 }
@@ -77,7 +76,7 @@ let
 routingPolicyRules = [
 {
 routingPolicyRuleConfig = {
- From = "${netIP}/${toString prefixLength}";
+ From = "${netIP}/27";
 To = "10.0.0.0/27";
 IncomingInterface = interfaceName;
 Table = "user";
@@ -120,7 +119,7 @@ let
 extraNetwork.networkConfig.DHCPServer = "yes";
 };
- } // builtins.listToAttrs (map mkUserVlan (import ./user_vlans.nix));
+ } // builtins.listToAttrs (builtins.genList mkUserVlan 850);
 in
 {
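Review bot: The prefix length `27` is now a literal in three places (`Address` in this hunk, `Destination` in the routes hunk, `From` in the routingPolicyRules hunk) where the deleted user_vlans.nix had a single `prefixLength = 27`; keeping `prefixLength = 27;` in the new `let` and interpolating it keeps the address, route and rule consistent if the allocation ever changes. The arithmetic also only stays inside the 10.0.0.0/17 named in the comment while `prefix24nb < 128`, and nothing ties that bound to the `850` in the `genList` call in this file's last hunk; an `assert prefix24nb < 128;` between `in` and the `{` would make it explicit and fail evaluation rather than silently allocate outside the range. The comment is in French while the file's identifiers and messages are English; an English rendering such as `# user VLANs are allocated from 10.0.0.0/17 as one /27 each; 10.0.0.0/27 is kept for us (router and others)` would help other readers.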
@@ -175,20 +174,19 @@ in
 wantedBy = [ "systemd-networkd.service" ];
 after = [ "sys-subsystem-net-devices-enp67s0f0np0.device" ];
 bindsTo = [ "sys-subsystem-net-devices-enp67s0f0np0.device" ];
- script = ''
- ${lib.getExe pkgs.ethtool} -K enp67s0f0np0 rxvlan off
- ${lib.getExe pkgs.ethtool} -K enp67s0f0np0 txvlan off
- ${lib.getExe pkgs.ethtool} -K enp67s0f0np0 rx-vlan-filter off
- ${lib.getExe pkgs.ethtool} -K enp67s0f0np0 rx-vlan-offload off
- ${lib.getExe pkgs.ethtool} -K enp67s0f0np0 tx-vlan-offload off
- ${lib.getExe pkgs.ethtool} -K enp67s0f0np0 tx-vlan-stag-hw-insert off
- echo "Hardware for enp67s0f0np0 configured"
- '';
+ script = builtins.concatStringsSep "\n" (
+ builtins.map (name: "${lib.getExe pkgs.ethtool} -K enp67s0f0np0 ${name} off") [
+ "rxvlan"
+ "txvlan"
+ "rx-vlan-filter"
+ "rx-vlan-offload"
+ "tx-vlan-offload"
+ "tx-vlan-stag-hw-insert"
+ ]
+ );
 };
- systemd-networkd.serviceConfig = {
- LimitNOFILE = 4096;
- };
+ systemd-networkd.serviceConfig.LimitNOFILE = 4096;
 };
 };
diff --git a/machines/vault01/user_vlans.nix b/machines/vault01/user_vlans.nix
deleted file mode 100644
index 59ec3a0..0000000
--- a/machines/vault01/user_vlans.nix
+++ /dev/null
@@ -1,14 +0,0 @@
-let
- mkUserVlan = id: rec {
- # on alloue 10.0.0.0/17 aux thurnés, avec un /27 chacun, on garde 10.0.0.0/27 pour nous (routeur et autres)
- vlan = 4094 - id;
- prefix24nb = (id + 1) / 8;
- prefix27nb = (id + 1 - prefix24nb * 8) * 32;
- prefixLength = 27;
- netIP = "10.0.${toString prefix24nb}.${toString prefix27nb}";
- servIP = "10.0.${toString prefix24nb}.${toString (prefix27nb + 1)}";
- broadIP = "10.0.${toString prefix24nb}.${toString (prefix27nb + 31)}";
- interfaceName = "vlan-user-${toString vlan}";
- };
-in
-builtins.genList mkUserVlan 850
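Review bot: The rewritten `script` drops the final `echo "Hardware for enp67s0f0np0 configured"`, so the unit's journal no longer records that the ethtool settings were applied; if that was not intended, append it to the generated lines, e.g. `builtins.concatStringsSep "\n" (builtins.map (name: "${lib.getExe pkgs.ethtool} -K enp67s0f0np0 ${name} off") [ … ] ++ [ "echo \"Hardware for enp67s0f0np0 configured\"" ])`. The interface name `enp67s0f0np0` is also spelled out in `after`, `bindsTo` and the map lambda; a single `let` binding would keep the three from drifting apart. The enclosing service definition starts outside the hunk.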