jalr/weinturm-infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add networking config

Browse source
This commit is contained in:
Jakob Lechner 2025-07-22 11:25:49 +02:00
parent 76312327d9
commit 319b9e5617
10 changed files with 313 additions and 84 deletions
Download patch file Download diff file Expand all files Collapse all files

2
docs/hp-switch.md
View file

@ -78,7 +78,7 @@ interface ethernet 23 enable
interface ethernet 23 speed-duplex auto-1000
interface ethernet 24 name uplink
interface ethernet 24 speed-duplex 1000-full
interface ethernet 24 speed-duplex auto
vlan 1 forbid 1-12,17,19,21-24

2
flake.nix
View file

@ -176,7 +176,7 @@
overlays.default = import ./pkgs inputs;
nixosConfigurations = let
domain = "lan.weinturm-open-air.net";
domain = "lan.weinturm.de";
in
nixpkgs.lib.mapAttrs
(hostname: {

2
hosts/default.nix
View file

@ -1,6 +1,6 @@
_inputs: {
pbx = {
system = "x86_64-linux";
targetHost = "192.168.96.1";
targetHost = "tel.weinturm.de";
};
}

74
hosts/pbx/configuration.nix
View file

@ -2,6 +2,7 @@
imports = [
./disko.nix
../../users/jalr
./networking.nix
./services
];
@ -13,79 +14,6 @@
zram.enable = true;
};
networking = {
hostName = "pbx";
useDHCP = false;
vlans = {
weinturm = {
id = 7;
interface = "enp0s25";
};
public-event = {
id = 6;
interface = "enp0s25";
};
voice = {
id = 8;
interface = "enp0s25";
};
jugendtreff = {
id = 2;
interface = "enp0s25";
};
};
interfaces = {
weinturm = {
ipv4.addresses = [
{
address = "192.168.96.1";
prefixLength = 24;
}
];
};
public-event = {
ipv4.addresses = [
{
address = "10.10.0.1";
prefixLength = 24;
}
];
};
voice = {
ipv4.addresses = [
{
address = "192.168.98.1";
prefixLength = 24;
}
];
};
jugendtreff = {
ipv4.addresses = [
{
address = "192.168.100.11";
prefixLength = 24;
}
];
};
};
nat = {
enable = true;
externalInterface = "jugendtreff";
internalInterfaces = [
"weinturm"
"public-event"
"voice"
];
};
defaultGateway.address = "192.168.100.1";
nameservers = [
"9.9.9.9"
"149.112.112.112"
"2620:fe::fe"
"2620:fe::9"
];
};
boot = {
initrd = {
availableKernelModules = ["xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod"];

173
hosts/pbx/networking.nix Normal file
View file

@ -0,0 +1,173 @@
{pkgs, ...}: {
networking = {
hostName = "pbx";
useDHCP = false;
# Fix Intel NIC e1000e hardware unit hang
localCommands = "${pkgs.ethtool}/bin/ethtool -K enp0s25 tso off gso off";
firewall.interfaces = {
weinturm.allowedUDPPorts = [53 67];
public-event.allowedUDPPorts = [53 67];
};
vlans = {
weinturm = {
id = 7;
interface = "enp0s25";
};
public-event = {
id = 6;
interface = "enp0s25";
};
voice = {
id = 8;
interface = "enp0s25";
};
jugendtreff = {
id = 2;
interface = "enp0s25";
};
};
interfaces = {
weinturm = {
ipv4.addresses = [
{
address = "192.168.96.1";
prefixLength = 24;
}
];
};
public-event = {
ipv4.addresses = [
{
address = "10.10.0.1";
prefixLength = 20;
}
];
};
voice = {
ipv4.addresses = [
{
address = "192.168.98.1";
prefixLength = 24;
}
];
};
jugendtreff = {
useDHCP = true;
};
};
dhcpcd.extraConfig = ''
noipv6rs
waitip 6
denyinterfaces voice
interface jugendtreff
ipv6rs
ia_na 1
ia_pd 2 weinturm/0 public-event/1
'';
nat = {
enable = true;
externalInterface = "jugendtreff";
internalInterfaces = [
"weinturm"
"public-event"
"voice"
];
};
defaultGateway.address = "192.168.100.1";
nameservers = [
"9.9.9.9"
"149.112.112.112"
"2620:fe::fe"
"2620:fe::9"
];
};
boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1;
services = {
dnscache = {
enable = true;
clientIps = [
"10.10"
"192.168.96"
"192.168.98"
];
};
radvd = {
enable = true;
config = ''
interface weinturm {
AdvSendAdvert on;
prefix ::/64 {
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr on;
};
};
interface public-event {
AdvSendAdvert on;
prefix ::/64 {
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr on;
};
};
'';
};
kea.dhcp4.settings = {
interfaces-config.interfaces = ["weinturm" "public-event"];
subnet4 = [
{
id = 2;
subnet = "192.168.96.0/24";
pools = [{pool = "192.168.96.20-192.168.96.250";}];
option-data = [
{
name = "routers";
data = "192.168.96.1";
}
{
name = "domain-name-servers";
data = "192.168.96.1";
}
];
}
{
id = 3;
subnet = "10.10.0.0/20";
pools = [{pool = "10.10.1.0-10.10.15.250";}];
option-data = [
{
name = "routers";
data = "10.10.0.1";
}
{
name = "domain-name-servers";
data = "10.10.0.1";
}
];
}
];
};
};
environment.persistence."/persist".directories = [
{
directory = "/var/lib/dhcpcd";
user = "dhcpcd";
group = "dhcpcd";
mode = "u=rwx,g=rx,o=rx";
}
{
directory = "/var/lib/private/kea";
user = "nobody";
group = "nogroup";
mode = "u=rwx,g=rx,o=rx";
}
];
}

6
hosts/pbx/secrets.yaml
View file

@ -2,7 +2,7 @@ fieldpoc:
omm: ENC[AES256_GCM,data:vOoow2CTJKfCiml5t0k=,iv:BTnf2ASndaNgjYtikTl/B3a5wSRh37epSDT0eGZpLkI=,tag:XOFlh+Ut3JKPd5AUPtrBMw==,type:str]
sip: ENC[AES256_GCM,data:B82q2sD5I6NUa+RphJL+f1IT5qpZYlpMunZUaN5JJ5I=,iv:YzDg/g1C1z7kV2R5LLNMhe2UvaRaurQKaq4SbGfFKmQ=,tag:NuWn3D8u6jiJFZFTaFvv3g==,type:str]
wireguard:
pretix: ENC[AES256_GCM,data:Tz0zIHCE5o0SVIS+mvKjqUIviLYtBKa7G3N9SuaZsmF4o3ujxL4R0GGnQj8=,iv:xV0n1smTmZG0YeEqgxhPZWgHvQ4QsSOi7geKTlFrn5o=,tag:tIeOGgTPzDbs7ewNI2a09w==,type:str]
public-ip4: ENC[AES256_GCM,data:NifuhsgDA+/4c+Op9CAg4jhizFdup7FL9jQt4VLGqGzOaY9lMpAFvrWiW2o=,iv:zKN7QTIEo8+KjwtNPxhUVwD+6Xmz48gp9nDAg3bOazo=,tag:GQCBEFAD2en33gKXraXArw==,type:str]
sops:
age:
- recipient: age16s0cyttcsp40jup9vnreck6mw500ae8j4ayrmf0tg79ukhgua3vsf4m5j4
@ -14,8 +14,8 @@ sops:
TFN1ZFJ2cEZmcHoxSmU1c3o0Q0w1cnMKkT8uBrgL9zyL5PAcqJqQerUdJN8yieVO
JwJvcU3I6reHuVkeNKGCZXdYrNMGeFPWwL88yHJW9MYjhO6xfDo8WQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-07-21T20:30:49Z"
mac: ENC[AES256_GCM,data:vsJyLyXIgU6gpmPzozHZGKeuu0Bl+onUeMfqrQSmGnDp1OE8N8IucLc2jSf/EJ04V2z5gOxMXPPyw59fMOlkyKBNZiYwES+sdsd5SHGPNVD3/kiCio4fnQDHmK4vbGDBli+WVQHA2QJL9yajLm3SX5/D7xcVZvA93E5kAqgsVk8=,iv:cfHG59iAkKJW0egT3AUhB0kyg6Ing5KmMZHPAhPIIbg=,tag:YyigKN4SeXYkQ43pNgwe2A==,type:str]
lastmodified: "2025-07-22T09:02:55Z"
mac: ENC[AES256_GCM,data:EYfRNPGHQYmxYPswTozFpd7Vp9j7PhV/Vop8dvvdr3JeAUGoHF2FHZt2Xxrni/wu3CSFW2jGLpMPXigiCxZndbGZhREjCaFrvtNIL/5fhmFV9hoAuW7jp8ydRbHoSB2wJ0d+O/YO4Y5uoKO+pnbmvWgMpHllrBvMMJ/+1tBgh5g=,iv:48VMeGQvhVTAgrtKNbyE9YTQLsp7vYlRPrm9cUMBC24=,tag:j9PPD8B7CYiojNKf6BhG+w==,type:str]
pgp:
- created_at: "2025-07-18T23:14:45Z"
enc: |-

5
hosts/pbx/services/fieldpoc/default.nix
View file

@ -53,11 +53,6 @@ in {
maxport = rtpPorts.to;
};
dnscache = {
enable = true;
clientIps = ["192.168.98"];
};
fieldpoc = {
enable = true;
inherit ommIp;

46
mikrotik/schneiderscheune-weinturm-ap.cfg Normal file
View file

@ -0,0 +1,46 @@
/system identity set name="schneiderscheune-weinturm-ap"
/ip firewall filter remove [find comment~"defconf"]
/ip firewall nat remove [find comment~"defconf"]
/ip dhcp-client remove [find comment~"defconf"]
/ip dhcp-server remove [find name~"defconf"]
/interface wireless disable wlan1
/interface bridge add name=bridge1 mtu=1500 protocol-mode=rstp
/interface bridge port add bridge=bridge1 interface=ether1
/interface bridge port add bridge=bridge1 interface=wlan1
/ip address add address=192.168.96.2/24 interface=bridge1
/ip route add gateway=192.168.96.1
/ip dns set servers=192.168.96.1
/interface wireless set wlan1 country="germany 5.8 fixed p-p"
/interface wireless set wlan1 frequency=auto
/interface wireless set wlan1 skip-dfs-channels=all
/interface wireless set wlan1 installation=outdoor
/interface wireless set wlan1 mode=bridge
/interface wireless set wlan1 ssid=Schneiderscheune-Weinturm
/interface wireless set wlan1 frequency-mode regulatory-domain
/interface wireless set wlan1 band=5ghz-onlyac
/interface wireless set wlan1 channel-width=20/40/80mhz-Ceee
/interface wireless set wlan1 rate-set=configured
/interface wireless set wlan1 ht-basic-mcs="" ht-supported-mcs=""
/interface wireless set wlan1 vht-basic-mcs="mcs0-7,mcs0-7,mcs0-7"
/interface wireless set wlan1 vht-supported-mcs="mcs0-9,mcs0-9,mcs0-9"
/interface wireless set wlan1 wireless-protocol=nv2
# distance to the farthest client, in km
/interface wireless set wlan1 nv2-cell-radius=10
# higher values increase bandwidth, but also latency
/interface wireless set wlan1 tdma-period-size=1
/interface wireless set wlan1 nv2-mode=dynamic-downlink
/interface wireless set wlan1 nv2-downlink-ratio=20
/interface wireless set wlan1 nv2-security=enabled
/interface wireless set wlan1 update-stats-interval=00:00:10
/interface wireless set wlan1 wps-mode=disabled
/interface wireless nstreme set wlan1 enable-nstreme=yes
/interface wireless enable wlan1
/tool bandwidth-server set enabled=yes
/ip address remove [find comment~"defconf"]

44
mikrotik/schneiderscheune-weinturm-sta.cfg Normal file
View file

@ -0,0 +1,44 @@
/system identity set name="schneiderscheune-weinturm-sta"
/ip firewall filter remove [find comment~"defconf"]
/ip firewall nat remove [find comment~"defconf"]
/ip dhcp-client remove [find comment~"defconf"]
/ip dhcp-server remove [find name~"defconf"]
/interface wireless disable wlan1
/interface bridge add name=bridge1 mtu=1500 protocol-mode=rstp
/interface bridge port add bridge=bridge1 interface=ether1
/interface bridge port add bridge=bridge1 interface=wlan1
/ip address add address=192.168.96.3/24 interface=bridge1
/ip route add gateway=192.168.96.1
/ip dns set servers=192.168.96.1
/interface wireless set wlan1 country="germany 5.8 fixed p-p"
/interface wireless set wlan1 frequency=auto
/interface wireless set wlan1 skip-dfs-channels=all
/interface wireless set wlan1 installation=outdoor
/interface wireless set wlan1 mode=station-bridge
/interface wireless set wlan1 ssid=Schneiderscheune-Weinturm
/interface wireless set wlan1 frequency-mode regulatory-domain
/interface wireless set wlan1 band=5ghz-onlyac
/interface wireless set wlan1 channel-width=20/40/80mhz-Ceee
/interface wireless set wlan1 rate-set=configured
/interface wireless set wlan1 ht-basic-mcs="" ht-supported-mcs=""
/interface wireless set wlan1 vht-basic-mcs="mcs0-7,mcs0-7,mcs0-7"
/interface wireless set wlan1 vht-supported-mcs="mcs0-9,mcs0-9,mcs0-9"
/interface wireless set wlan1 wireless-protocol=nv2
# distance to the farthest client, in km
/interface wireless set wlan1 nv2-cell-radius=10
# higher values increase bandwidth, but also latency
/interface wireless set wlan1 tdma-period-size=1
/interface wireless set wlan1 nv2-mode=dynamic-downlink
/interface wireless set wlan1 nv2-downlink-ratio=20
/interface wireless set wlan1 nv2-security=enabled
/interface wireless set wlan1 update-stats-interval=00:00:10
/interface wireless set wlan1 wps-mode=disabled
/interface wireless nstreme set wlan1 enable-nstreme=yes
/interface wireless enable wlan1
/ip address remove [find comment~"defconf"]

43
mikrotik/wechselbruecke-router.cfg Normal file
View file

@ -0,0 +1,43 @@
/system identity set name="wechselbruecke-router"
/ip firewall filter remove [find comment~"defconf"]
/ip firewall nat remove [find comment~"defconf"]
/ip dhcp-client remove [find comment~"defconf"]
/ip dhcp-server remove [find name~"defconf"]
/ip address add address=192.168.96.4/24 interface=bridge
/ip route add gateway=192.168.96.1
/ip dns set servers=192.168.96.1
/interface bridge port add bridge=bridge interface=ether1 hw=yes
# VLAN
# weinturm
/interface ethernet switch vlan add switch=switch1 vlan-id=7 ports=ether1,ether2,ether3,ether4,switch1-cpu comment=weinturm
# voice
/interface ethernet switch vlan add switch=switch1 vlan-id=8 ports=ether2,ether5,switch1-cpu comment=voice
# public-event
/interface ethernet switch vlan add switch=switch1 vlan-id=6 ports=ether2,ether3,ether4,switch1-cpu
# jugendtreff
/interface ethernet switch vlan add switch=switch1 vlan-id=2 ports=ether2 comment=jugendtreff,switch1-cpu
# ether1 is free (debug) port
/interface ethernet switch port set ether1 vlan-mode=secure vlan-header=add-if-missing default-vlan-id=7
# ether2 is uplink port
/interface ethernet switch port set ether2 vlan-mode=secure vlan-header=add-if-missing default-vlan-id=7
# ether3 is access point
/interface ethernet switch port set ether3 vlan-mode=secure vlan-header=add-if-missing default-vlan-id=7
# ether4 is access point
/interface ethernet switch port set ether4 vlan-mode=secure vlan-header=add-if-missing default-vlan-id=7
# ether5 is mitel rfp
/interface ethernet switch port set ether5 vlan-mode=secure vlan-header=always-strip default-vlan-id=8
/interface ethernet switch port set switch1-cpu vlan-header=leave-as-is vlan-mode=secure default-vlan-id=7
#/interface ethernet poe set ether2 poe-out=forced-on
/ip address remove [find comment~"defconf"]