diff --git a/docs/hp-switch.md b/docs/hp-switch.md
index e03ec5b..be66b38 100644
--- a/docs/hp-switch.md
+++ b/docs/hp-switch.md
@@ -78,7 +78,7 @@ interface ethernet 23 enable interface ethernet 23 speed-duplex auto-1000 interface ethernet 24 name uplink
-interface ethernet 24 speed-duplex 1000-full
+interface ethernet 24 speed-duplex auto
vlan 1 forbid 1-12,17,19,21-24
diff --git a/flake.nix b/flake.nix
index d0fc538..a861696 100644
--- a/flake.nix
+++ b/flake.nix
@@ -176,7 +176,7 @@ overlays.default = import ./pkgs inputs; nixosConfigurations = let
- domain = "lan.weinturm-open-air.net";
+ domain = "lan.weinturm.de";
in nixpkgs.lib.mapAttrs (hostname: {
diff --git a/hosts/default.nix b/hosts/default.nix
index a94de06..40bae16 100644
--- a/hosts/default.nix
+++ b/hosts/default.nix
@@ -1,6 +1,6 @@ _inputs: { pbx = { system = "x86_64-linux";
- targetHost = "192.168.96.1";
+ targetHost = "tel.weinturm.de";
}; }
diff --git a/hosts/pbx/configuration.nix b/hosts/pbx/configuration.nix
index 568611c..8babe6e 100644
--- a/hosts/pbx/configuration.nix
+++ b/hosts/pbx/configuration.nix
@@ -2,6 +2,7 @@ imports = [ ./disko.nix ../../users/jalr
+ ./networking.nix
./services ];
@@ -13,79 +14,6 @@ zram.enable = true; };
- networking = {
- hostName = "pbx";
- useDHCP = false;
- vlans = {
- weinturm = {
- id = 7;
- interface = "enp0s25";
- };
- public-event = {
- id = 6;
- interface = "enp0s25";
- };
- voice = {
- id = 8;
- interface = "enp0s25";
- };
- jugendtreff = {
- id = 2;
- interface = "enp0s25";
- };
- };
- interfaces = {
- weinturm = {
- ipv4.addresses = [
- {
- address = "192.168.96.1";
- prefixLength = 24;
- }
- ];
- };
- public-event = {
- ipv4.addresses = [
- {
- address = "10.10.0.1";
- prefixLength = 24;
- }
- ];
- };
- voice = {
- ipv4.addresses = [
- {
- address = "192.168.98.1";
- prefixLength = 24;
- }
- ];
- };
- jugendtreff = {
- ipv4.addresses = [
- {
- address = "192.168.100.11";
- prefixLength = 24;
- }
- ];
- };
- };
- nat = {
- enable = true;
- externalInterface = "jugendtreff";
- internalInterfaces = [
- "weinturm"
- "public-event"
- "voice"
- ];
- };
- defaultGateway.address = "192.168.100.1";
- nameservers = [
- "9.9.9.9"
- "149.112.112.112"
- "2620:fe::fe"
- "2620:fe::9"
- ];
- };
-
boot = { initrd = { availableKernelModules = ["xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod"];
diff --git a/hosts/pbx/networking.nix b/hosts/pbx/networking.nix
new file mode 100644
index 0000000..363d878
--- /dev/null
+++ b/hosts/pbx/networking.nix
@@ -0,0 +1,173 @@
+{pkgs, ...}: {
+ networking = {
+ hostName = "pbx";
+ useDHCP = false;
+
+ # Fix Intel NIC e1000e hardware unit hang
+ localCommands = "${pkgs.ethtool}/bin/ethtool -K enp0s25 tso off gso off";
+
+ firewall.interfaces = {
+ weinturm.allowedUDPPorts = [53 67];
+ public-event.allowedUDPPorts = [53 67];
+ };
+
+ vlans = {
+ weinturm = {
+ id = 7;
+ interface = "enp0s25";
+ };
+ public-event = {
+ id = 6;
+ interface = "enp0s25";
+ };
+ voice = {
+ id = 8;
+ interface = "enp0s25";
+ };
+ jugendtreff = {
+ id = 2;
+ interface = "enp0s25";
+ };
+ };
+ interfaces = {
+ weinturm = {
+ ipv4.addresses = [
+ {
+ address = "192.168.96.1";
+ prefixLength = 24;
+ }
+ ];
+ };
+ public-event = {
+ ipv4.addresses = [
+ {
+ address = "10.10.0.1";
+ prefixLength = 20;
+ }
+ ];
+ };
+ voice = {
+ ipv4.addresses = [
+ {
+ address = "192.168.98.1";
+ prefixLength = 24;
+ }
+ ];
+ };
+ jugendtreff = {
+ useDHCP = true;
+ };
+ };
+ dhcpcd.extraConfig = ''
+ noipv6rs
+ waitip 6
+ denyinterfaces voice
+ interface jugendtreff
+ ipv6rs
+ ia_na 1
+ ia_pd 2 weinturm/0 public-event/1
+ '';
+ nat = {
+ enable = true;
+ externalInterface = "jugendtreff";
+ internalInterfaces = [
+ "weinturm"
+ "public-event"
+ "voice"
+ ];
+ };
+ defaultGateway.address = "192.168.100.1";
+ nameservers = [
+ "9.9.9.9"
+ "149.112.112.112"
+ "2620:fe::fe"
+ "2620:fe::9"
+ ];
+ };
+
+ boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1;
+
+ services = {
+ dnscache = {
+ enable = true;
+ clientIps = [
+ "10.10"
+ "192.168.96"
+ "192.168.98"
+ ];
+ };
+
+ radvd = {
+ enable = true;
+ config = ''
+ interface weinturm {
+ AdvSendAdvert on;
+ prefix ::/64 {
+ AdvOnLink on;
+ AdvAutonomous on;
+ AdvRouterAddr on;
+ };
+ };
+ interface public-event {
+ AdvSendAdvert on;
+ prefix ::/64 {
+ AdvOnLink on;
+ AdvAutonomous on;
+ AdvRouterAddr on;
+ };
+ };
+ '';
+ };
+
+ kea.dhcp4.settings = {
+ interfaces-config.interfaces = ["weinturm" "public-event"];
+ subnet4 = [
+ {
+ id = 2;
+ subnet =
"192.168.96.0/24"; + pools = [{pool = "192.168.96.20-192.168.96.250";}]; + option-data = [ + { + name = "routers"; + data = "192.168.96.1"; + } + { + name = "domain-name-servers"; + data = "192.168.96.1"; + } + ]; + } + { + id = 3; + subnet = "10.10.0.0/20"; + pools = [{pool = "10.10.1.0-10.10.15.250";}]; + option-data = [ + { + name = "routers"; + data = "10.10.0.1"; + } + { + name = "domain-name-servers"; + data = "10.10.0.1"; + } + ]; + } + ]; + }; + }; + + environment.persistence."/persist".directories = [ + { + directory = "/var/lib/dhcpcd"; + user = "dhcpcd"; + group = "dhcpcd"; + mode = "u=rwx,g=rx,o=rx"; + } + { + directory = "/var/lib/private/kea"; + user = "nobody"; + group = "nogroup"; + mode = "u=rwx,g=rx,o=rx"; + } + ]; +} diff --git a/hosts/pbx/secrets.yaml b/hosts/pbx/secrets.yaml index 996a1a7..fc47f86 100644 --- a/hosts/pbx/secrets.yaml +++ b/hosts/pbx/secrets.yaml @@ -2,7 +2,7 @@ fieldpoc: omm: ENC[AES256_GCM,data:vOoow2CTJKfCiml5t0k=,iv:BTnf2ASndaNgjYtikTl/B3a5wSRh37epSDT0eGZpLkI=,tag:XOFlh+Ut3JKPd5AUPtrBMw==,type:str] sip: ENC[AES256_GCM,data:B82q2sD5I6NUa+RphJL+f1IT5qpZYlpMunZUaN5JJ5I=,iv:YzDg/g1C1z7kV2R5LLNMhe2UvaRaurQKaq4SbGfFKmQ=,tag:NuWn3D8u6jiJFZFTaFvv3g==,type:str] wireguard: - pretix: ENC[AES256_GCM,data:Tz0zIHCE5o0SVIS+mvKjqUIviLYtBKa7G3N9SuaZsmF4o3ujxL4R0GGnQj8=,iv:xV0n1smTmZG0YeEqgxhPZWgHvQ4QsSOi7geKTlFrn5o=,tag:tIeOGgTPzDbs7ewNI2a09w==,type:str] + public-ip4: ENC[AES256_GCM,data:NifuhsgDA+/4c+Op9CAg4jhizFdup7FL9jQt4VLGqGzOaY9lMpAFvrWiW2o=,iv:zKN7QTIEo8+KjwtNPxhUVwD+6Xmz48gp9nDAg3bOazo=,tag:GQCBEFAD2en33gKXraXArw==,type:str] sops: age: - recipient: age16s0cyttcsp40jup9vnreck6mw500ae8j4ayrmf0tg79ukhgua3vsf4m5j4 
@@ -14,8 +14,8 @@ sops: TFN1ZFJ2cEZmcHoxSmU1c3o0Q0w1cnMKkT8uBrgL9zyL5PAcqJqQerUdJN8yieVO JwJvcU3I6reHuVkeNKGCZXdYrNMGeFPWwL88yHJW9MYjhO6xfDo8WQ== -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-07-21T20:30:49Z"
- mac: ENC[AES256_GCM,data:vsJyLyXIgU6gpmPzozHZGKeuu0Bl+onUeMfqrQSmGnDp1OE8N8IucLc2jSf/EJ04V2z5gOxMXPPyw59fMOlkyKBNZiYwES+sdsd5SHGPNVD3/kiCio4fnQDHmK4vbGDBli+WVQHA2QJL9yajLm3SX5/D7xcVZvA93E5kAqgsVk8=,iv:cfHG59iAkKJW0egT3AUhB0kyg6Ing5KmMZHPAhPIIbg=,tag:YyigKN4SeXYkQ43pNgwe2A==,type:str]
+ lastmodified: "2025-07-22T09:02:55Z"
+ mac: ENC[AES256_GCM,data:EYfRNPGHQYmxYPswTozFpd7Vp9j7PhV/Vop8dvvdr3JeAUGoHF2FHZt2Xxrni/wu3CSFW2jGLpMPXigiCxZndbGZhREjCaFrvtNIL/5fhmFV9hoAuW7jp8ydRbHoSB2wJ0d+O/YO4Y5uoKO+pnbmvWgMpHllrBvMMJ/+1tBgh5g=,iv:48VMeGQvhVTAgrtKNbyE9YTQLsp7vYlRPrm9cUMBC24=,tag:j9PPD8B7CYiojNKf6BhG+w==,type:str]
pgp: - created_at: "2025-07-18T23:14:45Z" enc: |-
diff --git a/hosts/pbx/services/fieldpoc/default.nix b/hosts/pbx/services/fieldpoc/default.nix
index aa97080..469e3eb 100644
--- a/hosts/pbx/services/fieldpoc/default.nix
+++ b/hosts/pbx/services/fieldpoc/default.nix
@@ -53,11 +53,6 @@ in { maxport = rtpPorts.to; };
- dnscache = {
- enable = true;
- clientIps = ["192.168.98"];
- };
-
fieldpoc = { enable = true; inherit ommIp;
diff --git a/mikrotik/schneiderscheune-weinturm-ap.cfg b/mikrotik/schneiderscheune-weinturm-ap.cfg
new file mode 100644
index 0000000..2d4cdb5
--- /dev/null
+++ b/mikrotik/schneiderscheune-weinturm-ap.cfg
@@ -0,0 +1,46 @@
+/system identity set name="schneiderscheune-weinturm-ap"
+
+/ip firewall filter remove [find comment~"defconf"]
+/ip firewall nat remove [find comment~"defconf"]
+/ip dhcp-client remove [find comment~"defconf"]
+/ip dhcp-server remove [find name~"defconf"]
+/interface wireless disable wlan1
+
+/interface bridge add name=bridge1 mtu=1500 protocol-mode=rstp
+/interface bridge port add bridge=bridge1 interface=ether1
+/interface bridge port add bridge=bridge1 interface=wlan1
+
+/ip address add address=192.168.96.2/24 interface=bridge1
+/ip route add gateway=192.168.96.1
+/ip dns set servers=192.168.96.1
+
+/interface wireless set wlan1 country="germany 5.8 fixed p-p"
+/interface wireless set wlan1 frequency=auto
+/interface wireless set wlan1 skip-dfs-channels=all
+/interface wireless set wlan1 installation=outdoor
+/interface wireless set wlan1 mode=bridge
+/interface wireless set wlan1 ssid=Schneiderscheune-Weinturm
+/interface wireless set wlan1 frequency-mode regulatory-domain
+/interface wireless set wlan1 band=5ghz-onlyac
+/interface wireless set wlan1 channel-width=20/40/80mhz-Ceee
+/interface wireless set wlan1 rate-set=configured
+/interface wireless set wlan1 ht-basic-mcs="" ht-supported-mcs=""
+/interface wireless set wlan1 vht-basic-mcs="mcs0-7,mcs0-7,mcs0-7"
+/interface wireless set wlan1 vht-supported-mcs="mcs0-9,mcs0-9,mcs0-9"
+/interface wireless set wlan1 wireless-protocol=nv2
+# distance to the farthest client, in km
+/interface wireless set wlan1 nv2-cell-radius=10
+# higher values increase bandwidth, but also latency
+/interface wireless set wlan1 tdma-period-size=1
+/interface wireless set wlan1 nv2-mode=dynamic-downlink
+/interface wireless set wlan1 nv2-downlink-ratio=20
+/interface wireless set wlan1 nv2-security=enabled
+/interface wireless set wlan1 update-stats-interval=00:00:10
+/interface wireless set wlan1 wps-mode=disabled
+/interface wireless nstreme set wlan1 enable-nstreme=yes
+
+/interface wireless enable wlan1
+
+/tool bandwidth-server set enabled=yes
+
+/ip address remove [find comment~"defconf"]
diff --git a/mikrotik/schneiderscheune-weinturm-sta.cfg b/mikrotik/schneiderscheune-weinturm-sta.cfg
new file mode 100644
index 0000000..df6d563
--- /dev/null
+++ b/mikrotik/schneiderscheune-weinturm-sta.cfg
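Review bot: `/ip firewall filter remove [find comment~"defconf"]` drops the factory input filter and nothing in this file re-adds one, so the device's management services answer to any host that can route to 192.168.96.2; the same holds for the -sta config and for wechselbruecke-router.cfg. A minimal replacement is to pin the services to the management subnet, e.g. `/ip service set [find] address=192.168.96.0/24`, or to add an input chain that accepts only from that subnet. `nv2-security=enabled` is set but no `nv2-preshared-key` appears in this file or in the -sta one; if the key is provisioned out of band, a comment saying so would stop the next reader from assuming the link runs on the empty default. `/interface wireless set wlan1 frequency-mode regulatory-domain` is the only setting written without `=`, and since it decides which channels and power levels the radio may use, confirm the CLI accepts that spelling rather than ignoring it. `/tool bandwidth-server set enabled=yes` is a load-generation endpoint that only the AP side turns on; leave it disabled unless the link is actively being measured.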
@@ -0,0 +1,44 @@
+/system identity set name="schneiderscheune-weinturm-sta"
+
+/ip firewall filter remove [find comment~"defconf"]
+/ip firewall nat remove [find comment~"defconf"]
+/ip dhcp-client remove [find comment~"defconf"]
+/ip dhcp-server remove [find name~"defconf"]
+/interface wireless disable wlan1
+
+/interface bridge add name=bridge1 mtu=1500 protocol-mode=rstp
+/interface bridge port add bridge=bridge1 interface=ether1
+/interface bridge port add bridge=bridge1 interface=wlan1
+
+/ip address add address=192.168.96.3/24 interface=bridge1
+/ip route add gateway=192.168.96.1
+/ip dns set servers=192.168.96.1
+
+/interface wireless set wlan1 country="germany 5.8 fixed p-p"
+/interface wireless set wlan1 frequency=auto
+/interface wireless set wlan1 skip-dfs-channels=all
+/interface wireless set wlan1 installation=outdoor
+/interface wireless set wlan1 mode=station-bridge
+/interface wireless set wlan1 ssid=Schneiderscheune-Weinturm
+/interface wireless set wlan1 frequency-mode regulatory-domain
+/interface wireless set wlan1 band=5ghz-onlyac
+/interface wireless set wlan1 channel-width=20/40/80mhz-Ceee
+/interface wireless set wlan1 rate-set=configured
+/interface wireless set wlan1 ht-basic-mcs="" ht-supported-mcs=""
+/interface wireless set wlan1 vht-basic-mcs="mcs0-7,mcs0-7,mcs0-7"
+/interface wireless set wlan1 vht-supported-mcs="mcs0-9,mcs0-9,mcs0-9"
+/interface wireless set wlan1 wireless-protocol=nv2
+# distance to the farthest client, in km
+/interface wireless set wlan1 nv2-cell-radius=10
+# higher values increase bandwidth, but also latency
+/interface wireless set wlan1 tdma-period-size=1
+/interface wireless set wlan1 nv2-mode=dynamic-downlink
+/interface wireless set wlan1 nv2-downlink-ratio=20
+/interface wireless set wlan1 nv2-security=enabled
+/interface wireless set wlan1 update-stats-interval=00:00:10
+/interface wireless set wlan1 wps-mode=disabled
+/interface wireless nstreme set wlan1 enable-nstreme=yes
+
+/interface wireless enable
wlan1
+
+/ip address remove [find comment~"defconf"]
diff --git a/mikrotik/wechselbruecke-router.cfg b/mikrotik/wechselbruecke-router.cfg
new file mode 100644
index 0000000..0c838bf
--- /dev/null
+++ b/mikrotik/wechselbruecke-router.cfg
@@ -0,0 +1,43 @@
+/system identity set name="wechselbruecke-router"
+
+/ip firewall filter remove [find comment~"defconf"]
+/ip firewall nat remove [find comment~"defconf"]
+/ip dhcp-client remove [find comment~"defconf"]
+/ip dhcp-server remove [find name~"defconf"]
+
+/ip address add address=192.168.96.4/24 interface=bridge
+/ip route add gateway=192.168.96.1
+/ip dns set servers=192.168.96.1
+
+/interface bridge port add bridge=bridge interface=ether1 hw=yes
+
+# VLAN
+# weinturm
+/interface ethernet switch vlan add switch=switch1 vlan-id=7 ports=ether1,ether2,ether3,ether4,switch1-cpu comment=weinturm
+# voice
+/interface ethernet switch vlan add switch=switch1 vlan-id=8 ports=ether2,ether5,switch1-cpu comment=voice
+# public-event
+/interface ethernet switch vlan add switch=switch1 vlan-id=6 ports=ether2,ether3,ether4,switch1-cpu
+# jugendtreff
+/interface ethernet switch vlan add switch=switch1 vlan-id=2 ports=ether2 comment=jugendtreff,switch1-cpu
+
+# ether1 is free (debug) port
+/interface ethernet switch port set ether1 vlan-mode=secure vlan-header=add-if-missing default-vlan-id=7
+
+# ether2 is uplink port
+/interface ethernet switch port set ether2 vlan-mode=secure vlan-header=add-if-missing default-vlan-id=7
+
+# ether3 is access point
+/interface ethernet switch port set ether3 vlan-mode=secure vlan-header=add-if-missing default-vlan-id=7
+
+# ether4 is access point
+/interface ethernet switch port set ether4 vlan-mode=secure vlan-header=add-if-missing default-vlan-id=7
+
+# ether5 is mitel rfp
+/interface ethernet switch port set ether5 vlan-mode=secure vlan-header=always-strip default-vlan-id=8
+
+/interface ethernet switch port set switch1-cpu vlan-header=leave-as-is vlan-mode=secure default-vlan-id=7
+
+#/interface ethernet poe set ether2 poe-out=forced-on
+
+/ip address remove [find comment~"defconf"]
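Review bot: In the VLAN 2 line, `comment=jugendtreff,switch1-cpu` puts `switch1-cpu` into the comment instead of the port list, so the line defines VLAN 2 on ether2 alone, unlike the three lines above it where the CPU port is part of `ports=`. If the router's CPU is meant to see the upstream VLAN, write `ports=ether2,switch1-cpu comment=jugendtreff`; if it is not (the least-privilege reading, since this device only has an address on VLAN 7), drop the stray `,switch1-cpu` so the intent is explicit. The `# ether1 is free (debug) port` line puts an unused, untagged port into VLAN 7, the management network that carries the pbx, the APs and this router; consider `/interface ethernet set ether1 disabled=yes` until it is actually needed, or at least a comment saying who may plug into it. The VLAN 6 line is also the only one without a `comment=`, which makes the switch's VLAN table harder to audit.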