lbailly/infrastructure
1
0
Fork 0
forked from DGNum/infrastructure
Code Pull requests Activity

style: requested changes

Browse source
This commit is contained in:
catvayor 2024-05-23 16:28:13 +02:00
parent 9f256186e0
commit bc5ee80d69
3 changed files with 46 additions and 64 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

38
machines/vault01/k-radius/module.nix
View file

@ -7,13 +7,15 @@
let
inherit (lib)
attrsToList
getExe'
imap0
mapAttrsToList
mkEnableOption
mkIf
mkOption
types
mapAttrsToList
optionalString
zipListsWith
types
;
settingsFormat = pkgs.formats.toml { };
@ -49,14 +51,14 @@ in
extra-mods = mkOption {
type = types.attrsOf types.path;
description = "Additional files to be linked in mods-enabled.";
default = { };
description = "Additional files to be linked in mods-enabled.";
};
extra-sites = mkOption {
type = types.attrsOf types.path;
description = "Additional files to be linked in sites-enabled.";
default = { };
description = "Additional files to be linked in sites-enabled.";
};
dictionary = mkOption {
@ -69,8 +71,8 @@ in
"string"
]
);
description = "Declare additionnal attributes to be listed in the dictionary.";
default = { };
description = "Declare additionnal attributes to be listed in the dictionary.";
};
radiusClients = mkOption {
@ -109,7 +111,7 @@ in
checkConfiguration = mkOption {
type = types.bool;
description = "Check the configuration before starting the deamon. Usefull for debugging.";
description = "Check the configuration before starting the deamon. Useful for debugging.";
default = false;
};
};
@ -202,18 +204,16 @@ in
sed -i ${cfg.configDir}/mods-available/eap \
-e "s/whatever/$(cat "${cfg.privateKeyPasswordFile}")/"
# Build the dictionary
cat <<EOF > ${cfg.configDir}/dictionary
${
let
attrs = mapAttrsToList (name: type: { inherit name type; }) cfg.dictionary;
idList = builtins.genList (id: 3000 + id) (builtins.length attrs);
in
# Link the dictionary
ln -nsf ${
pkgs.writeText "radius-dictionary" (
builtins.concatStringsSep "\n" (
zipListsWith ({ name, type }: id: "ATTRIBUTE ${name} ${toString id} ${type}") attrs idList
imap0 (i: { name, value }: "ATTRIBUTE ${name} ${builtins.toString (3000 + i)} ${value}") (
attrsToList cfg.dictionary
)
}
EOF
)
)
} ${cfg.configDir}/dictionary
# Link extra-mods
${builtins.concatStringsSep "\n" (
@ -228,9 +228,7 @@ in
)}
# Check the configuration
${
optionalString (!cfg.checkConfiguration) "# "
}${pkgs.freeradius}/bin/radiusd -C -d ${cfg.configDir} -l stdout
${optionalString cfg.checkConfiguration "${getExe' pkgs.freeradius "radiusd"} -C -d ${cfg.configDir} -l stdout"}
'';
path = [

56
machines/vault01/networking.nix
View file

@ -19,7 +19,7 @@ let
mkNetwork =
name:
{
address,
address ? [ ],
extraNetwork ? { },
...
}:
@ -37,31 +37,30 @@ let
};
mkUserVlan =
{
vlan,
netIP,
servIP,
prefixLength,
interfaceName,
...
}:
id:
let
# on alloue 10.0.0.0/17 aux thurnés, avec un /27 chacun, on garde 10.0.0.0/27 pour nous (routeur et autres)
vlan = 4094 - id;
prefix24nb = (id + 1) / 8;
prefix27nb = (id + 1 - prefix24nb * 8) * 32;
netIP = "10.0.${toString prefix24nb}.${toString prefix27nb}";
servIP = "10.0.${toString prefix24nb}.${toString (prefix27nb + 1)}";
interfaceName = "vlan-user-${toString vlan}";
in
{
name = interfaceName;
value = {
Id = vlan;
address = [ ];
extraNetwork = {
networkConfig = {
LinkLocalAddressing = "no";
DHCPServer = "yes";
};
linkConfig = {
Promiscuous = true;
};
linkConfig.Promiscuous = true;
addresses = [
{
addressConfig = {
Address = "${servIP}/${toString prefixLength}";
Address = "${servIP}/27";
AddPrefixRoute = false;
};
}
@ -69,7 +68,7 @@ let
routes = [
{
routeConfig = {
Destination = "${netIP}/${toString prefixLength}";
Destination = "${netIP}/27";
Table = "user";
};
}
@ -77,7 +76,7 @@ let
routingPolicyRules = [
{
routingPolicyRuleConfig = {
From = "${netIP}/${toString prefixLength}";
From = "${netIP}/27";
To = "10.0.0.0/27";
IncomingInterface = interfaceName;
Table = "user";
@ -120,7 +119,7 @@ let
extraNetwork.networkConfig.DHCPServer = "yes";
};
} // builtins.listToAttrs (map mkUserVlan (import ./user_vlans.nix));
} // builtins.listToAttrs (builtins.genList mkUserVlan 850);
in
{
@ -175,20 +174,19 @@ in
wantedBy = [ "systemd-networkd.service" ];
after = [ "sys-subsystem-net-devices-enp67s0f0np0.device" ];
bindsTo = [ "sys-subsystem-net-devices-enp67s0f0np0.device" ];
script = ''
${lib.getExe pkgs.ethtool} -K enp67s0f0np0 rxvlan off
${lib.getExe pkgs.ethtool} -K enp67s0f0np0 txvlan off
${lib.getExe pkgs.ethtool} -K enp67s0f0np0 rx-vlan-filter off
${lib.getExe pkgs.ethtool} -K enp67s0f0np0 rx-vlan-offload off
${lib.getExe pkgs.ethtool} -K enp67s0f0np0 tx-vlan-offload off
${lib.getExe pkgs.ethtool} -K enp67s0f0np0 tx-vlan-stag-hw-insert off
echo "Hardware for enp67s0f0np0 configured"
'';
script = builtins.concatStringsSep "\n" (
builtins.map (name: "${lib.getExe pkgs.ethtool} -K enp67s0f0np0 ${name} off") [
"rxvlan"
"txvlan"
"rx-vlan-filter"
"rx-vlan-offload"
"tx-vlan-offload"
"tx-vlan-stag-hw-insert"
]
);
};
systemd-networkd.serviceConfig = {
LimitNOFILE = 4096;
};
systemd-networkd.serviceConfig.LimitNOFILE = 4096;
};
};

14
machines/vault01/user_vlans.nix
View file

@ -1,14 +0,0 @@
let
mkUserVlan = id: rec {
# on alloue 10.0.0.0/17 aux thurnés, avec un /27 chacun, on garde 10.0.0.0/27 pour nous (routeur et autres)
vlan = 4094 - id;
prefix24nb = (id + 1) / 8;
prefix27nb = (id + 1 - prefix24nb * 8) * 32;
prefixLength = 27;
netIP = "10.0.${toString prefix24nb}.${toString prefix27nb}";
servIP = "10.0.${toString prefix24nb}.${toString (prefix27nb + 1)}";
broadIP = "10.0.${toString prefix24nb}.${toString (prefix27nb + 31)}";
interfaceName = "vlan-user-${toString vlan}";
};
in
builtins.genList mkUserVlan 850