diff --git a/machines/raven/configuration.nix b/machines/raven/configuration.nix
index b28ea2b..80bead5 100644
--- a/machines/raven/configuration.nix
+++ b/machines/raven/configuration.nix
@@ -21,6 +21,10 @@
 id = 5;
 interface = "eno1";
 };
+ pubevent = {
+ id = 6;
+ interface = "eno1";
+ };
 };
 interfaces = {
 eno2.useDHCP = true;
@@ -28,6 +32,10 @@
 address = "192.168.94.1";
 prefixLength = 24;
 }];
+ pubevent.ipv4.addresses = [{
+ address = "10.10.0.1";
+ prefixLength = 20;
+ }];
 voip.ipv4.addresses = [{
 address = "192.168.93.1";
 prefixLength = 24;
@@ -38,6 +46,7 @@
 externalInterface = "eno2";
 internalInterfaces = [
 "labprod"
+ "pubevent"
 "voip"
 ];
 };
diff --git a/machines/raven/services/dnsmasq.nix b/machines/raven/services/dnsmasq.nix
index 6e9133f..9663d29 100644
--- a/machines/raven/services/dnsmasq.nix
+++ b/machines/raven/services/dnsmasq.nix
@@ -1,11 +1,31 @@
 { pkgs, ... }:
+let
+ stateDir = "/var/lib/dnsmasq";
+ dnsmasqEventsConf = pkgs.writeText "dnsmasq-events.conf" ''
+ dhcp-leasefile=${stateDir}/dnsmasq-events.leases
+ bind-dynamic
+ listen-address=10.10.0.1
+ except-interface=lo
+
+ domain=events.fablab-nea.de
+ dhcp-range=10.10.0.20,10.10.15.254,24h
+
+ cache-size=10000
+ dns-forward-max=1000
+
+ no-hosts
+ '';
+in
 {
 services.dnsmasq = {
 enable = true;
 extraConfig = ''
 bind-dynamic
+ listen-address=192.168.93.1
+ listen-address=192.168.94.1
+ interface=lo
 expand-hosts
 domain=lab.fablab-nea.de
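Review bot: Adding `"pubevent"` to `networking.nat.internalInterfaces` (hunk `@@ -38,6 +46,7 @@`) gives the public-event VLAN NAT to the internet, but nothing in this diff restricts forwarding from `pubevent` to the `labprod` and `voip` interfaces that share this router; as far as I know the NixOS NAT module turns on IP forwarding and the firewall module filters INPUT rather than FORWARD, so from these hunks alone event clients on 10.10.0.0/20 can reach 192.168.94.0/24 and 192.168.93.0/24 directly. Unless that is blocked somewhere not shown here, add explicit forward rules next to this change, e.g. in `networking.firewall.extraCommands`: `iptables -I FORWARD -i pubevent -o labprod -j DROP` and `iptables -I FORWARD -i pubevent -o voip -j DROP` (with matching `-D` lines in `extraStopCommands` so a rebuild does not stack duplicates). A one-line comment above the list, `# pubevent is an untrusted public network: NAT only, no forwarding to labprod/voip (see firewall.extraCommands)`, would make the intent explicit. The `networking.nat` attribute set this list belongs to starts outside the hunk.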
@@ -34,6 +54,27 @@ ]; }; + systemd.services."dnsmasq-events" = { + description = "dnsmasq daemon for public event network"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + path = [ pkgs.dnsmasq ]; + preStart = '' + mkdir -m 755 -p ${stateDir} + dnsmasq --test -C ${dnsmasqEventsConf} + ''; + serviceConfig = { + Type = "dbus"; + BusName = "uk.org.thekelleys.dnsmasq-events"; + ExecStart = "${pkgs.dnsmasq}/bin/dnsmasq -k --enable-dbus --user=dnsmasq -C ${dnsmasqEventsConf}"; + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + PrivateTmp = true; + ProtectSystem = true; + ProtectHome = true; + Restart = "on-failure"; + }; + }; + networking.firewall = { allowedUDPPorts = [ 53 67 ]; allowedTCPPorts = [ 53 ]; diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/eap b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/eap index 7385d85..73718ff 100644 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/eap +++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/eap @@ -836,7 +836,7 @@ eap { # # allowed values: {no, yes} # - use_tunneled_reply = no + use_tunneled_reply = yes # The inner tunneled request can be sent # through a virtual server constructed @@ -945,7 +945,7 @@ eap { # sections of sites-available/default, and of # sites-available/inner-tunnel # - use_tunneled_reply = no + use_tunneled_reply = yes # When the tunneled session is proxied, the # home server may not understand EAP-MSCHAP-V2. diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/files/authorize b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/files/authorize index 1c9fff7..b78dbc8 100644 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-config/files/authorize +++ b/pkgs/fablab/freeradius-anon-access/raddb/mods-config/files/authorize 
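Review bot: `Type = "dbus"` with `BusName = "uk.org.thekelleys.dnsmasq-events"` will not be satisfied by the `ExecStart` line as written, because `--enable-dbus` without an argument makes dnsmasq claim its default name `uk.org.thekelleys.dnsmasq` — the name the primary `services.dnsmasq` instance already owns — so the second instance either fails to register or systemd waits for a bus name that never appears and the unit times out. Pass the name explicitly: `ExecStart = "${pkgs.dnsmasq}/bin/dnsmasq -k --enable-dbus=uk.org.thekelleys.dnsmasq-events --user=dnsmasq -C ${dnsmasqEventsConf}";`. The D-Bus policy shipped with dnsmasq presumably only allows owning the default name, so the new name likely also needs its own policy file registered via `services.dbus.packages` — verify with `busctl list` after starting. Separately, `preStart` creates `${stateDir}` root-owned with mode 755 while the daemon drops to `--user=dnsmasq`; unless something outside this diff chowns that directory, the lease file rewrite after the privilege drop may fail, so a `chown dnsmasq ${stateDir}` in `preStart` (or a per-instance `StateDirectory`) would remove the hidden dependency on the other instance's setup.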
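Review bot: Setting `use_tunneled_reply = yes` (both hunks, at lines 836 and 945) copies every reply attribute from the inner-tunnel request into the outer Access-Accept sent to the NAS, not only the VLAN triple this commit adds to the `authorize` file. Because the inner tunnel in this profile accepts any credentials, any other reply items reachable in the inner-tunnel virtual server (other `files` entries, `session-timeout`, anything from post-auth) now reach the switch or AP too, so the inner-tunnel reply path should be audited to ensure the public-event VLAN cannot be overridden. Newer FreeRADIUS 3.x releases describe these two items as deprecated in favour of copying the wanted attributes explicitly in the inner-tunnel post-auth (`update outer.reply { ... }`), which would also make the VLAN assignment independent of which `users` entry matched; a comment at each changed line stating that this flag exists to carry `Tunnel-*` out of the tunnel would help the next maintainer. The enclosing `eap { ... }` sub-blocks start and end outside both hunks.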
@@ -2,6 +2,9 @@ anonymous Cleartext-Password := "anonymous" #/ wildcard, accept any credentials DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Auth-Type := Accept + Tunnel-Type = VLAN, + Tunnel-Medium-Type = IEEE-802, + Tunnel-Private-Group-ID = 6 #DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Auth-Type := Accept # session-timeout = 14400,
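Review bot: The VLAN reply items are attached only to the wildcard `DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Auth-Type := Accept` entry, so an inner identity that matches the earlier `anonymous Cleartext-Password := "anonymous"` entry — which the file itself defines and which has no reply items and no `Fall-Through` — gets an Access-Accept with no `Tunnel-*` attributes, and most NASes then place that client in the port's configured or native VLAN rather than VLAN 6. For a network whose isolation depends on this assignment that is a fail-open path; add the same three reply lines under the `anonymous` entry, `Tunnel-Type = VLAN,` / `Tunnel-Medium-Type = IEEE-802,` / `Tunnel-Private-Group-ID = 6`, or move the assignment into the inner-tunnel post-auth so it applies regardless of which entry matched. The NAS should also be configured to reject (or quarantine) sessions whose Accept carries no VLAN, which this repository cannot enforce but is worth a comment here, e.g. `# VLAN 6 = pubevent (machines/raven/configuration.nix); NAS must not fall back to its native VLAN`. The ID `6` matches `pubevent.id = 6` in configuration.nix, which is good, but a comment tying the two together would keep them from drifting apart.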