Add network configuration

2022-12-06 20:51:00 +00:00 · 2022-12-06 20:51:00 +00:00 · 5152758d10
commit 5152758d10
parent 4b6f651c02
5 changed files with 137 additions and 3 deletions
--- a/hosts/aluminium/configuration.nix
+++ b/hosts/aluminium/configuration.nix
@ -11,6 +11,96 @@
  services.openssh.enable = true;
  security.sudo.wheelNeedsPassword = false;

+  networking = {
+    useDHCP = false;
+    vlans = {
+      lechner = {
+        id = 1;
+        interface = "enp1s0";
+      };
+      voice = {
+        id = 2;
+        interface = "enp1s0";
+      };
+      pv = {
+        id = 10;
+        interface = "enp1s0";
+      };
+      heizung = {
+        id = 11;
+        interface = "enp1s0";
+      };
+    };
+    interfaces = {
+      lechner.ipv4.addresses = [{
+        address = "192.168.0.1";
+        prefixLength = 24;
+      }];
+      voice.ipv4.addresses = [{
+        address = "192.168.1.1";
+        prefixLength = 24;
+      }];
+      pv.ipv4.addresses = [{
+        address = "192.168.10.1";
+        prefixLength = 30;
+      }];
+      heizung.ipv4.addresses = [{
+        address = "192.168.10.5";
+        prefixLength = 24;
+      }];
+      enp2s0.useDHCP = false;
+    };
+    nat = {
+      enable = true;
+      externalInterface = "ppp0";
+      internalInterfaces = [
+        "lechner"
+        "voice"
+      ];
+    };
+    firewall = {
+      extraCommands = ''
+        iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+      '';
+    };
+  };
+
+
+  sops.secrets.pap-secrets = {
+    sopsFile = ./secrets.yaml;
+  };
+  environment.etc."ppp/pap-secrets".source = config.sops.secrets.pap-secrets.path;
+  services.pppd = {
+    enable = true;
+    peers = {
+      pyur = {
+        enable = true;
+        name = "pyur";
+        config = ''
+          #debug
+          defaultroute
+          hide-password
+          holdoff 5
+          ipcp-accept-local
+          ipcp-accept-remote
+          lcp-echo-failure 10
+          lcp-echo-interval 60
+          maxfail 0
+          #mtu 1470
+          name pyur
+          noauth
+          noccp
+          noipdefault
+          noipv6
+          novjccomp
+          persist
+          plugin rp-pppoe.so enp2s0
+          user l8545506
+        '';
+      };
+    };
+  };
+
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
--- a/hosts/aluminium/secrets.yaml
+++ b/hosts/aluminium/secrets.yaml
@ -1,4 +1,5 @@
 duckdns-secret: ENC[AES256_GCM,data:hp4aWnmTYKZhBehY0nuRV+H9bpCdK2uNqY3J0s1w6JsiyXip,iv:X0MtN+lqDqucgHOgS1D/RrMksNydLFW1/wqD47DWhqQ=,tag:+7qsJEJYzI+UUrdC6NZr4Q==,type:str]
+pap-secrets: ENC[AES256_GCM,data:UyC63/4EXZjypFlH7MLtJXpIBgD9P/Eolg2M1A==,iv:tf8W8rpRa487PIB9NW4NyDKgCoWYV/wDgs9MmKLZ/mc=,tag:r+zgW8XI9TUyoz56irYEdQ==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -14,8 +15,8 @@ sops:
            MU41eU8zeTRRUlZyUXV0U1N6U0NRNnMKZK3vfyRRr7Iu6HfpdpmDTKzUbEnCnW9l
            rGjFmY9VX2q9w3j/4E5uUToQfeGMqqBTOFUB3hNgU8K5ZT7wMbOXAg==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2022-11-02T21:24:07Z"
-    mac: ENC[AES256_GCM,data:RtRO6cZc+Qy/x7lIFa2aNH8ZNPhzs+H1tuMoYCeizcrFS/1U+rM4CKq3f+NFGcaa0u1sD17xRB8pM/w0hWUhGrFE7EaBV+FhCu/gm19/rdFwKkK/9ojYxEJWc+uHTyOK54AxdJ5RWt0/7b14XYXCNLIJTURV4zL6OHLqig3DIyg=,iv:5jjh6Dhv0CyGK5tq2k/ROpCkU31Lz0qIpVcSlI6NXqo=,tag:PNFShkiu3QqlXuBTrs/lYw==,type:str]
+    lastmodified: "2022-12-06T20:38:59Z"
+    mac: ENC[AES256_GCM,data:ES1O5mjSNxilWrKGGd8SbjVAPpjuOPddC3z61T2wjUMGU2/PVAzNVH3FRBb10doAVy4CRkl5kKHdncRwAPp7ICT+u6Jcn9aKt82BThPoMZHL93H3Qu49RLou7YnUV/hsht/K8UKzZbx6rGH04XGxuyDxDCkQAPmOPgn8NZ+jgBE=,iv:hkjtTw9AbbP71n52RrDgdtpaMZoCewqpUyB8p4Md5Fg=,tag:sMBxQy0XOSjPxawNxPw4RA==,type:str]
    pgp:
        - created_at: "2022-11-02T22:14:19Z"
          enc: |-
--- a/hosts/aluminium/services/default.nix
+++ b/hosts/aluminium/services/default.nix
@ -1,5 +1,6 @@
 {
  imports = [
+    ./dnsmasq.nix
    ./dyndns.nix
    ./unifi-controller.nix
  ];
--- a/hosts/aluminium/services/dnsmasq.nix
+++ b/hosts/aluminium/services/dnsmasq.nix
@ -0,0 +1,42 @@
+{ pkgs, ... }:
+
+let
+  stateDir = "/var/lib/dnsmasq";
+in
+{
+  services.dnsmasq = {
+    enable = true;
+
+    extraConfig = ''
+      listen-address=192.168.0.1
+      listen-address=192.168.1.1
+      interface=lo
+
+      expand-hosts
+      domain=lan.kbh.jalr.de
+      dhcp-range=192.168.0.20,192.168.0.254,4h
+      dhcp-range=192.168.1.20,192.168.1.254,4h
+
+      #dhcp-boot=lpxelinux.0,aluminium,192.168.0.1
+
+      cache-size=10000
+      dns-forward-max=1000
+
+      no-hosts
+      addn-hosts=${pkgs.writeText "hosts.dnsmasq" ''
+        192.168.0.1 aluminium unifi
+      ''}
+    '';
+
+    servers = [
+      "142.250.185.78" # dns.as250.net
+      "2001:470:20::2" # ordns.he.net
+      "74.82.42.42" # ordns.he.net
+    ];
+  };
+
+  networking.firewall = {
+    allowedUDPPorts = [ 53 67 ];
+    allowedTCPPorts = [ 53 ];
+  };
+}
--- a/hosts/default.nix
+++ b/hosts/default.nix
@ -1,7 +1,7 @@
 { ... }@inputs:
 {
  aluminium = {
-    targetHost = "192.168.0.167";
+    targetHost = "192.168.0.1";
    system = "x86_64-linux";
  };
  jalr-t520 = {