From 712f0f4a17af49ebf683d06f2cbab874401b5cd1 Mon Sep 17 00:00:00 2001
From: lilly <li@lly.sh>
Date: Tue, 18 Mar 2025 17:50:44 +0100
Subject: [PATCH] use real event ip space
---
data/zones/eh22.intern.zone | 13 ++
data/zones/noc.eh22.intern.zone | 11 --
modules/base_system.nix | 12 ++
packages/fetch-netbox-data/default.nix | 2 +-
.../fetch-netbox-data/fetch-netbox-data.py | 22 +++-
switch_remote.sh | 2 -
systems/auth-dns.noc.eh22.intern.nix | 30 +---
systems/cookies.eh22.intern.nix | 13 --
systems/default.nix | 2 +-
systems/jool.eh22.intern.nix | 69 ++++++++++
systems/jool.nat64.eh22.intern.nix | 26 ----
systems/monitoring.noc.eh22.intern/system.nix | 26 +---
.../kresd-config.lua | 9 +-
systems/resolv-dns.noc.eh22.intern/system.nix | 28 +---
systems/sketchy-router.noc.eh22.intern.nix | 124 +++++++++++++-----
15 files changed, 222 insertions(+), 167 deletions(-)
create mode 100644 data/zones/eh22.intern.zone
delete mode 100644 data/zones/noc.eh22.intern.zone
create mode 100644 systems/jool.eh22.intern.nix
delete mode 100644 systems/jool.nat64.eh22.intern.nix
diff --git a/data/zones/eh22.intern.zone b/data/zones/eh22.intern.zone
new file mode 100644
index 0000000..aab4ce2
--- /dev/null
+++ b/data/zones/eh22.intern.zone
@@ -0,0 +1,13 @@
+$ORIGIN eh22.intern.
+@ 0 IN SOA auth-dns.noc noc.eh22.easterhegg.eu. 1 7200 3600 3600000 60
+@ 0 IN NS 10.20.25.3.
+cookies 0 IN A 94.45.254.3
+jool 0 IN A 94.45.254.4
+auth-dns.noc 0 IN A 94.45.255.3
+grafana.noc 0 IN CNAME monitoring.noc
+loki.noc 0 IN CNAME monitoring.noc
+mimir.noc 0 IN CNAME monitoring.noc
+monitoring.noc 0 IN A 94.45.255.4
+proxmox.noc 0 IN A 94.45.255.1
+router.noc 0 IN A 94.45.255.2
+resolv-dns 0 IN A 94.45.254.2
diff --git a/data/zones/noc.eh22.intern.zone b/data/zones/noc.eh22.intern.zone
deleted file mode 100644
index 140579b..0000000
--- a/data/zones/noc.eh22.intern.zone
+++ /dev/null
@@ -1,11 +0,0 @@
-$ORIGIN noc.eh22.intern.
-@ 0 IN SOA auth-dns noc.eh22.easterhegg.eu. 1 7200 3600 3600000 60
-@ 0 IN NS 10.20.25.3.
-auth-dns 0 IN A 10.20.25.3
-monitoring 0 IN A 10.20.25.4
-grafana 0 IN A 10.20.25.4
-loki 0 IN A 10.20.25.4
-mimir 0 IN A 10.20.25.4
-proxmox 0 IN A 10.20.25.1
-resolv-dns 0 IN A 10.20.25.5
-sketchy-router 0 IN A 10.20.25.2
diff --git a/modules/base_system.nix b/modules/base_system.nix
index b27683b..99554ee 100644
--- a/modules/base_system.nix
+++ b/modules/base_system.nix
@@ -121,6 +121,18 @@
useXkbConfig = lib.mkDefault true;
};
+ # use systemd-networkd with DHCP by default
+ networking.useDHCP = false;
+ systemd.network = {
+ enable = true;
+ networks = {
+ "99-defaultEther" = {
+ matchConfig.Type = "ether";
+ networkConfig.DHCP = "yes";
+ };
+ };
+ };
+
# ssh server
services.openssh = {
enable = true;
diff --git a/packages/fetch-netbox-data/default.nix b/packages/fetch-netbox-data/default.nix
index 7ac6b3a..f8066b3 100644
--- a/packages/fetch-netbox-data/default.nix
+++ b/packages/fetch-netbox-data/default.nix
@@ -1,7 +1,7 @@
{ python3 }:
python3.pkgs.buildPythonApplication {
name = "fetch-netbox-data";
- version = "1.0.0";
+ version = "1.1.0";
src = ./.;
pyproject = false;
diff --git a/packages/fetch-netbox-data/fetch-netbox-data.py b/packages/fetch-netbox-data/fetch-netbox-data.py
index 3ff99e3..58bb34a 100755
--- a/packages/fetch-netbox-data/fetch-netbox-data.py
+++ b/packages/fetch-netbox-data/fetch-netbox-data.py
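Review bot: The new `99-defaultEther` network matches every ethernet link on every host (`matchConfig.Type = "ether"`), so it is only safe where a more specific unit sorts earlier, and the hunk does not say that the `99-` prefix is what lets a per-host `10-*` unit win; a host with a second NIC and no unit of its own now takes a lease, and the DHCP-supplied default route and DNS, on both links. A comment stating that contract would help, e.g. `# 99- so that any per-host 10-* unit wins; every other ether link takes a DHCP lease (v4 and v6) including its routes and DNS`. If the service hosts are meant to keep fixed addresses, this can stay as the fallback but they should still pin their address statically rather than rely on a reservation alone. The enclosing module attribute set starts and ends outside the hunk.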
@@ -5,36 +5,46 @@ from dns import rdatatype
from dns import rdataclass
from dns.rdtypes.ANY.SOA import SOA
from dns.rdtypes.ANY.NS import NS
+from dns.rdtypes.ANY.CNAME import CNAME
from dns.rdtypes.IN.A import A
from dns.zone import Zone
from pathlib import Path
+from pprint import pprint
def build_auth_dns_zones(nb: pynetbox.api, nox_dir: Path):
zones_dir = nox_dir / "data" / "zones"
zones_dir.mkdir(parents=True,exist_ok=True)
print(f"Fetching IPAM data to build authorative zonefiles in {zones_dir}")
-
- print(f"Building zone noc.eh22.intern")
- zonefile_path = zones_dir / "noc.eh22.intern.zone"
+ print(f"Building zone eh22.intern")
+ zonefile_path = zones_dir / "eh22.intern.zone"
# build zone management stuff (SOA record, NS record)
- zone = Zone(origin="noc.eh22.intern")
+ zone = Zone(origin="eh22.intern")
zone.get_rdataset("@", rdtype=rdatatype.SOA, create=True)\
.add(SOA(rdclass=rdataclass.IN, rdtype=rdatatype.SOA, mname="auth-dns.noc.eh22.intern.", rname="noc.eh22.easterhegg.eu.", serial=1, refresh=7200, retry=3600, expire=3600000, minimum=60))
zone.get_rdataset("@", rdtype=rdatatype.NS, create=True)\
.add(NS(rdclass=rdataclass.IN, rdtype=rdatatype.NS, target="10.20.25.3"))
# iterate over all ip addresses with dns names ending in noc.eh22.intern
- for i_addr in nb.ipam.ip_addresses.filter("noc.eh22.intern"):
+ for i_addr in nb.ipam.ip_addresses.filter("eh22.intern"):
raw_addr = i_addr.address.rsplit("/", maxsplit=1)[0]
- relative_name = i_addr.dns_name.removesuffix(".noc.eh22.intern")
+ relative_name = i_addr.dns_name.removesuffix(".eh22.intern")
+
+ # add A/AAAA record for the name itself
if i_addr.family.value == 4:
zone.get_rdataset(relative_name, rdtype=rdatatype.A, create=True)\
.add(A(rdclass=rdataclass.IN, rdtype=rdatatype.A, address=raw_addr))
else:
raise RuntimeError(f"Got unknown IP family {i_addr.family} ({i_addr.family.value})")
+ # add CNAME records for all registered alternative names
+ if i_addr.custom_fields["altnames"]:
+ for i_altname in i_addr.custom_fields["altnames"].split(","):
+ i_altname = i_altname.strip().removesuffix(".eh22.intern")
+ zone.get_rdataset(i_altname, rdtype=rdatatype.CNAME, create=True)\
+ .add(CNAME(rdclass=rdataclass.IN, rdtype=rdatatype.CNAME, target=relative_name + ".eh22.intern."))
+
with open(zonefile_path, mode="w") as f:
zone.to_file(f, want_comments=True, want_origin=True)
diff --git a/switch_remote.sh b/switch_remote.sh
index 0d42d13..70ecdf4 100755
--- a/switch_remote.sh
+++ b/switch_remote.sh
@@ -8,9 +8,7 @@ CONFIG=$3
set -x
exec nixos-rebuild $ACTION \
- --use-substitutes \
--no-build-nix \
--use-remote-sudo \
- --build-host $HOST \
--target-host $HOST \
--flake ".#${CONFIG}"
diff --git a/systems/auth-dns.noc.eh22.intern.nix b/systems/auth-dns.noc.eh22.intern.nix
index 2cd2e6c..7bae430 100644
--- a/systems/auth-dns.noc.eh22.intern.nix
+++ b/systems/auth-dns.noc.eh22.intern.nix
@@ -28,41 +28,23 @@ let
journal-content: all
zone:
- - domain: noc.eh22.intern
+ - domain: eh22.intern
'';
in
{
imports = [ ];
- # configure static IP address
- networking.useDHCP = false;
- systemd.network = {
- enable = true;
- networks = {
- "10-mgmtNet" = {
- matchConfig.MACAddress = "bc:24:11:c1:8a:a4";
- address = [ "10.20.25.3/24" ];
- gateway = [ "10.20.25.2" ];
- };
- };
- };
-
# enable knot authorative dns server
# ref: https://search.nüschtos.de/?query=services.knot
# https://www.knot-dns.cz/docs/3.4/html/configuration.html
- environment.etc =
- (lib.attrsets.mapAttrs' (name: value: {
- name = "knot/zones/noc.eh22.intern.zone";
+ environment.etc = (
+ lib.attrsets.mapAttrs' (name: value: {
+ name = "knot/zones/${name}";
value = {
source = value;
};
- }) zones)
- // {
- "resolv.conf".text = ''
- search noc.eh22.intern eh22.intern
- nameserver 10.20.25.5
- '';
- };
+ }) zones
+ );
services.knot = {
enable = true;
diff --git a/systems/cookies.eh22.intern.nix b/systems/cookies.eh22.intern.nix
index 3381c5a..889f57e 100644
--- a/systems/cookies.eh22.intern.nix
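Review bot: The NS record in `build_auth_dns_zones` is still built with `target="10.20.25.3"`, an IP literal from the old management net, so the generated `eh22.intern` zone advertises an NS that is neither a hostname nor the server's new address (the zone file in this patch shows `@ 0 IN NS 10.20.25.3.`); it should name the server, `target="auth-dns.noc.eh22.intern."`, matching the SOA mname. In the new CNAME loop `i_addr.custom_fields["altnames"]` raises KeyError on any address where the custom field is not present, and a trailing comma yields an empty `i_altname` that turns into a CNAME at the zone apex; `for i_altname in filter(None, (s.strip() for s in (i_addr.custom_fields.get("altnames") or "").split(","))):` covers both. Nothing checks that an altname does not also carry an A record in the zone, which an authoritative server will refuse to load. `from pprint import pprint` is added but unused in the hunk, and the comment above the loop still says `noc.eh22.intern`.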
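Review bot: With the static `10-mgmtNet` unit removed, the address that this zone's SOA, the resolver's STUB target and the kea `auth-dns` reservation all assume (94.45.255.3) is held only by a DHCP reservation keyed on `bc:24:11:c1:8a:a4` on the router, so the authoritative server has a boot-time dependency on the router's DHCP service and is unreachable at that address whenever the lease is not granted. Either keep a static address here or record the dependency next to the knot config, e.g. `# address 94.45.255.3 is a kea reservation on sketchy-router; the zone's NS/SOA and resolv-dns's stub rely on it`. Dropping the `resolv.conf` override also means this host's own resolver now comes from the lease; if that is intended, a line saying so would help. The `let` block holding the zone template starts before the hunk.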
+++ b/systems/cookies.eh22.intern.nix
@@ -6,19 +6,6 @@
{
imports = [ ];
- # configure static IP address
- networking.useDHCP = false;
- systemd.network = {
- enable = true;
- networks = {
- "10-eth0" = {
- matchConfig.MACAddress = "BC:24:11:41:E1:61";
- address = [ "10.0.0.3/24" ];
- gateway = [ "10.0.0.1" ];
- };
- };
- };
-
services.cookied = {
enable = true;
algorithm = "text";
diff --git a/systems/default.nix b/systems/default.nix
index 5cc083d..9cc2ec3 100644
--- a/systems/default.nix
+++ b/systems/default.nix
@@ -49,7 +49,7 @@ in
# prod hosts (public user)
"cookies.eh22.intern" = mkSystem "x86_64-linux" "cookies.eh22.intern";
- "jool.nat64.eh22.intern" = mkSystem "x86_64-linux" "jool.nat64.eh22.intern";
+ "jool.eh22.intern" = mkSystem "x86_64-linux" "jool.eh22.intern";
# staging temp infra
"sketchy-router.noc.eh22.intern" = mkSystem "x86_64-linux" "sketchy-router.noc.eh22.intern";
diff --git a/systems/jool.eh22.intern.nix b/systems/jool.eh22.intern.nix
new file mode 100644
index 0000000..aace668
--- /dev/null
+++ b/systems/jool.eh22.intern.nix
@@ -0,0 +1,69 @@
+{
+ pkgs,
+ lib,
+ ...
+}:
+{
+ imports = [ ];
+
+ # configure jool
+ networking.jool = {
+ # siit = {}; TODO
+ nat64 = {
+ pool4 = [
+ {
+ protocol = "TCP";
+ prefix = "94.45.248.0/25";
+ "port range" = "40001-65535";
+ }
+ {
+ protocol = "UDP";
+ prefix = "94.45.248.128/26";
+ "port range" = "40001-65535";
+ }
+ {
+ protocol = "ICMP";
+ prefix = "94.45.248.192/27";
+ "port range" = "40001-65535";
+ }
+
+ {
+ protocol = "TCP";
+ prefix = "94.45.248.0/25";
+ "port range" = "40001-65535";
+ }
+ {
+ protocol = "UDP";
+ prefix = "94.45.248.128/26";
+ "port range" = "40001-65535";
+ }
+ {
+ protocol = "ICMP";
+ prefix = "94.45.248.192/27";
+ "port range" = "40001-65535";
+ }
+
+ {
+ protocol = "TCP";
+ prefix = "94.45.248.0/25";
+ "port range" = "40001-65535";
+ }
+ {
+ protocol = "UDP";
+ prefix = "94.45.248.128/26";
+ "port range" = "40001-65535";
+ }
+ {
+ protocol = "ICMP";
+ prefix = "94.45.248.192/27";
+ "port range" = "40001-65535";
+ }
+ ];
+ };
+ };
+
+ # DO NOT CHANGE
+ # this defines the first version of NixOS that was installed on the machine so that programs with non-migratable data files are kept compatible
+ home-manager.users.noc.home.stateVersion = "24.11";
+ system.stateVersion = "24.11";
+}
diff --git a/systems/jool.nat64.eh22.intern.nix b/systems/jool.nat64.eh22.intern.nix
deleted file mode 100644
index a829366..0000000
--- a/systems/jool.nat64.eh22.intern.nix
+++ /dev/null
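Review bot: The `pool4` list repeats the identical TCP/UDP/ICMP trio three times (`94.45.248.0/25`, `.128/26` and `.192/27` each appear three times), which looks like a paste error; one copy is enough, and the duplicates make it unclear which entry is meant to be authoritative. If this is the NixOS module where `networking.jool.nat64` is keyed by instance name, `nat64 = { pool4 = [ ... ]; }` declares an instance called `pool4` whose settings are a list, and no `networking.jool.enable = true` is set, so it is worth checking that the module evaluates at all; the usual shape is `networking.jool.nat64.default = { global.pool6 = "..."; pool4 = [ ... ]; };`. The `pkgs` and `lib` arguments are unused. The pool4 prefixes fall inside `94.45.248.0/24`, which this patch configures as a directly connected network on the router's `ethPubUsr` rather than a route toward this host (reserved `94.45.254.4`), so translated return traffic would need proxy-ARP or a route that the commit does not show.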
@@ -1,26 +0,0 @@
-{
- pkgs,
- lib,
- ...
-}:
-{
- imports = [ ];
-
- # configure static IP address
- networking.useDHCP = false;
- systemd.network = {
- enable = true;
- networks = {
- "10-eth0" = {
- matchConfig.MACAddress = "BC:24:11:21:7F:AF";
- address = [ "94.45.248.2/24" ];
- gateway = [ "BC:24:11:21:7F:AF" ];
- };
- };
- };
-
- # DO NOT CHANGE
- # this defines the first version of NixOS that was installed on the machine so that programs with non-migratable data files are kept compatible
- home-manager.users.noc.home.stateVersion = "24.11";
- system.stateVersion = "24.11";
-}
diff --git a/systems/monitoring.noc.eh22.intern/system.nix b/systems/monitoring.noc.eh22.intern/system.nix
index 7c1c8ae..58384ab 100644
--- a/systems/monitoring.noc.eh22.intern/system.nix
+++ b/systems/monitoring.noc.eh22.intern/system.nix
@@ -4,6 +4,12 @@
...
}:
{
+ imports = [
+ ./grafana.nix
+ ./mimir.nix
+ ./loki.nix
+ ];
+
sops = {
defaultSopsFile = ../../secrets/passwords.yaml;
secrets."services/grafana/admin_password" = {
@@ -26,28 +32,8 @@
};
};
- # configure static IP address
- networking.useDHCP = false;
- systemd.network = {
- enable = true;
- networks = {
- "10-mgmtNet" = {
- matchConfig.MACAddress = "BC:24:11:FC:C2:26";
- address = [ "10.20.25.4/24" ];
- gateway = [ "10.20.25.2" ];
- dns = [ "10.20.25.5" ];
- };
- };
- };
-
networking.firewall.allowedTCPPorts = [ 80 ];
- imports = [
- ./grafana.nix
- ./mimir.nix
- ./loki.nix
- ];
-
services.nginx = {
enable = true;
recommendedProxySettings = true;
diff --git a/systems/resolv-dns.noc.eh22.intern/kresd-config.lua b/systems/resolv-dns.noc.eh22.intern/kresd-config.lua
index 52771e1..68fb2b5 100644
--- a/systems/resolv-dns.noc.eh22.intern/kresd-config.lua
+++ b/systems/resolv-dns.noc.eh22.intern/kresd-config.lua
@@ -1,4 +1,5 @@
-- ref: https://www.knot-resolver.cz/documentation/stable/config-overview.html
+log_level("info")
-- load non-default modules
modules.load("view")
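Review bot: Removing the static `10-mgmtNet` unit moves this host into `94.45.255.0/24`, which this patch treats as real event address space, while the context line `networking.firewall.allowedTCPPorts = [ 80 ];` keeps the plain-HTTP nginx proxy for grafana, loki and mimir open to any source; nothing in the hunk limits who can reach it once the router's temporary NAT on `94.45.224.0/19` is removed. Consider restricting the listener or the firewall rule to the management subnet, or documenting that the router is expected to filter it, e.g. `# port 80 is reachable from the whole event net once the NAT on sketchy-router is gone`. The host previously pinned `dns = [ "10.20.25.5" ]`; it now takes whatever resolver the lease supplies, which is worth a line as well. The sops and nginx blocks continue outside the hunk.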
@@ -8,11 +9,11 @@ modules.load("prefill")
ehDomains = policy.todnames({'noc.eh22.intern'})
-- for the mgmt-network, forward ehDomains to our authorative server
-view:addr('10.20.25.0/24', policy.suffix(policy.FLAGS({'NO_CACHE'}), ehDomains))
-view:addr('10.20.25.0/24', policy.suffix(policy.STUB({'10.20.25.3'}), ehDomains))
+view:addr('94.45.255.0/24', policy.suffix(policy.FLAGS({'NO_CACHE'}), ehDomains))
+view:addr('94.45.255.0/24', policy.suffix(policy.STUB({'94.45.255.3'}), ehDomains))
--- allow resolution from our internal network
-view:addr('10.20.25.0/24', policy.all(policy.PASS))
+-- allow resolution from the event net
+view:addr('94.45.224.0/19', policy.all(policy.PASS))
-- precache the root zone to reduce traffic load to it
prefill.config({
diff --git a/systems/resolv-dns.noc.eh22.intern/system.nix b/systems/resolv-dns.noc.eh22.intern/system.nix
index f6ed8e5..10b8d1e 100644
--- a/systems/resolv-dns.noc.eh22.intern/system.nix
+++ b/systems/resolv-dns.noc.eh22.intern/system.nix
@@ -17,29 +17,7 @@ in
{
imports = [ ];
- # configure static IP address
- networking.useDHCP = false;
- systemd.network = {
- enable = true;
- links = {
- "10-ethMgmt" = renameLink "BC:24:11:61:E3:D9" "ethMgmt";
- "10-ethPubUser" = renameLink "BC:24:11:AD:52:B1" "ethPubUsr";
- };
- networks = {
- "10-mgmtNet" = {
- matchConfig.Name = "ethMgmt";
- address = [ "10.20.25.5/24" ];
- gateway = [ "10.20.25.2" ];
- };
- "10-pubUsr" = {
- matchConfig.Name = "ethPubUsr";
- address = [ "10.0.0.2/24" ];
- gateway = [ "10.0.0.1" ];
- };
- };
- };
-
- # configure remaining network to work
+ # configure network for dns server
services.resolved.enable = false;
networking.firewall = {
allowedTCPPorts = [ 53 ];
@@ -47,7 +25,7 @@ in
};
environment.etc."resolv.conf".text = ''
search noc.eh22.intern eh22.intern
- nameserver 10.20.25.5
+ nameserver 94.45.254.2
'';
# enable knot resolv server
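Review bot: `ehDomains` is still `policy.todnames({'noc.eh22.intern'})` while this patch moves the authoritative zone to `eh22.intern`, so queries for `cookies.eh22.intern`, `resolv-dns.eh22.intern` or `jool.eh22.intern` never match the suffix rule and go upstream to the public root instead of the STUB at `94.45.255.3`; it should read `ehDomains = policy.todnames({'eh22.intern'})`. The STUB and NO_CACHE rules are also attached only to the `94.45.255.0/24` view, so clients in the wifi and wired subnets (the new `94.45.224.0/19` PASS view) get plain recursion and cannot resolve the internal names at all. Unless a rule outside the hunk refuses them, sources outside the /19 are answered with default policy too, which becomes an open resolver the moment the NAT on the router is removed; if I read the view module right, a final `view:addr('0.0.0.0/0', policy.all(policy.REFUSE))` after the PASS rule closes that. The `ehDomains` line is the first line of the hunk and is evaluated before the views below it.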
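Review bot: This host has two NICs (the removed `renameLink` lines bind `BC:24:11:61:E3:D9` to ethMgmt and `BC:24:11:AD:52:B1` to ethPubUsr), but the kea config in this patch reserves an address only for the second one, so the management NIC now takes a dynamic lease from `94.45.255.200 - 94.45.255.254` and both links install a DHCP default route of equal metric; which one carries the resolver's upstream traffic is then down to lease timing. Either add a reservation for `BC:24:11:61:E3:D9` in `mgmtNet` or keep a static unit for ethMgmt, and say so in the new comment, e.g. `# configure network for dns server; addresses come from kea reservations on sketchy-router (pubUsr only, mgmt NIC is dynamic)`. Dropping the `links` renames also means that anything outside the hunk referring to `ethMgmt` or `ethPubUsr` by name no longer has a guaranteed interface. The `let` block defining `renameLink` begins before the hunk.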
@@ -55,7 +33,7 @@ in
# https://www.knot-resolver.cz/documentation/stable/
services.kresd = {
enable = true;
- instances = 4;
+ instances = 1;
listenPlain = [ "53" ];
extraConfig = builtins.readFile ./kresd-config.lua;
};
diff --git a/systems/sketchy-router.noc.eh22.intern.nix b/systems/sketchy-router.noc.eh22.intern.nix
index bf9d72c..80e6c34 100644
--- a/systems/sketchy-router.noc.eh22.intern.nix
+++ b/systems/sketchy-router.noc.eh22.intern.nix
@@ -21,7 +21,6 @@ in
"net.ipv6.conf.all.forwarding" = "1";
};
- networking.useDHCP = false;
networking.nftables.enable = true;
systemd.network = {
enable = true;
@@ -38,13 +37,17 @@ in
};
"10-ethMgmt" = {
matchConfig.Name = "ethMgmt";
- address = [ "10.20.25.2/24" ];
+ address = [
+ "94.45.255.2/24"
+ ];
};
"10-ethPubUsr" = {
matchConfig.Name = "ethPubUsr";
address = [
- "10.0.0.1/24"
- "94.45.248.1/24"
+ "94.45.248.254/24"
+ "94.45.224.1/20" # wifi
+ "94.45.240.1/21" # wired
+ "94.45.254.1/24" # public services subnet
];
};
};
@@ -54,9 +57,7 @@ in
enable = true;
externalInterface = "ethUpstream";
internalIPs = [
- "10.20.25.0/24"
- "10.0.0.0/24"
- "94.45.248.0/24"
+ "94.45.224.0/19" # cccv event space, TODO: remove once we are at the event
];
};
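Review bot: `instances = 1` drops the resolver from four kresd processes to one for a service that, after this patch, answers for the whole `94.45.224.0/19` of event clients, and the hunk gives no reason. If this is a debugging convenience to go with the new `log_level("info")`, a marker such as `instances = 1; # TODO: back to 4 once debugging is done` keeps it from shipping by accident; if one instance is intended, a sentence on why it suffices would help the next reader.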
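Review bot: Four prefixes (`94.45.248.254/24`, the wifi `/20`, the wired `/21` and the services `/24`) are all placed on the single `ethPubUsr` interface, so wifi clients, wired clients and the DNS/cookie/NAT64 hosts share one broadcast domain and the wifi/wired split is purely numeric; nothing in the hunk separates them at layer 2, and the router cannot filter traffic between two stations on the same segment. If the segments are meant to be distinct they belong on VLAN sub-interfaces (`systemd.network.netdevs` with `vlanConfig.Id`) with one address each; if the flat layout is deliberate for the staging setup, the comments should say so, e.g. `# single flat segment for staging; no isolation between wifi, wired and the services subnet`. The `networks` attribute set begins before the hunk.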
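Review bot: The TODO on the `internalIPs` entry is the only record that removing it turns every host in `94.45.224.0/19` into a globally reachable address once upstream routes the prefix here, and although the router enables nftables (context above) no filtering rule is visible in this patch; the comment should state the precondition, e.g. `"94.45.224.0/19" # cccv event space; NAT only. Before removing, add ingress filtering for the services and mgmt subnets`. The /19 also covers the management subnet `94.45.255.0/24`, which the old explicit list masqueraded as well, so that part is unchanged in effect. The `networking.nat` block starts before the hunk.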
@@ -78,57 +79,112 @@ in
renew-timer = 1000;
valid-lifetime = 4000;
authoritative = true;
+ option-data = [
+ {
+ name = "domain-name-servers";
+ data = "94.45.254.2";
+ }
+ {
+ name = "cookie-servers";
+ data = "94.45.254.3";
+ always-send = true;
+ }
+ ];
shared-networks = [
{
# management network
name = "mgmtNet";
interface = "ethMgmt";
option-data = [
- {
- name = "domain-name-servers";
- data = "10.20.25.5";
- }
{
name = "domain-search";
data = "noc.eh22.intern.";
}
{
name = "routers";
- data = "10.20.25.2";
+ data = "94.45.255.2";
}
];
subnet4 = [
{
- id = 300;
- subnet = "10.20.25.0/24";
- pools = [ { pool = "10.20.25.100 - 10.20.25.254"; } ];
+ id = 255;
+ subnet = "94.45.255.0/24";
+ pools = [ { pool = "94.45.255.200 - 94.45.255.254"; } ];
+ reservations = [
+ {
+ # auth-dns
+ hw-address = "BC:24:11:C1:8A:A4";
+ ip-address = "94.45.255.3";
+ }
+ {
+ # monitoring
+ hw-address = "BC:24:11:FC:C2:26";
+ ip-address = "94.45.255.4";
+ }
+ ];
}
];
}
{
- # public user network (only temporary setup)
- name = "tempPublicUser";
+ # public network
+ name = "public";
interface = "ethPubUsr";
- option-data = [
- {
- name = "routers";
- data = "10.0.0.1";
- }
- {
- name = "domain-name-servers";
- data = "10.0.0.2";
- }
- {
- name = "cookie-servers";
- data = "10.0.0.3";
- }
- ];
subnet4 = [
{
- id = 999;
- subnet = "10.0.0.0/24";
- pools = [ { pool = "10.0.0.100 - 10.0.0.254"; } ];
+ # public services
+ id = 254;
+ subnet = "94.45.254.0/24";
+ pools = [ ];
+ option-data = [
+ {
+ name = "routers";
+ data = "94.45.254.1";
+ }
+ ];
+ reservations = [
+ {
+ # resolv-dns
+ hw-address = "BC:24:11:AD:52:B1";
+ ip-address = "94.45.254.2";
+ }
+ {
+ # cookies
+ hw-address = "BC:24:11:41:E1:61";
+ ip-address = "94.45.254.3";
+ }
+ {
+ # nat64
+ hw-address = "BC:24:11:21:7F:AF";
+ ip-address = "94.45.254.4";
+ }
+ ];
+ }
+
+ {
+ # wifi
+ id = 224;
+ subnet = "94.45.224.0/20";
+ pools = [ { pool = "94.45.224.10 - 94.45.239.254"; } ];
+ option-data = [
+ {
+ name = "routers";
+ data = "94.45.224.1";
+ }
+ ];
+ }
+
+ {
+ # wired
+ id = 240;
+ subnet = "94.45.240.0/21";
+ pools = [ { pool = "94.45.240.10 - 94.45.240.254"; } ];
+ option-data = [
+ {
+ name = "routers";
+ data = "94.45.240.1";
+ }
+ ];
}
];
}
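Review bot: The three subnets under the `public` shared network all sit on the single interface `ethPubUsr` with nothing in the hunk classifying clients, so kea hands a client on that segment an address from whichever of the wifi or wired pools it selects; the `# wifi` and `# wired` labels do not correspond to an enforced split, and the wired pool `94.45.240.10 - 94.45.240.254` covers only the first /24 of the `/21` it is declared in. The services subnet's addresses (resolv-dns `94.45.254.2`, cookies, nat64) are pinned only by MAC-keyed reservations while this commit removes the static configuration from those hosts, and a reservation does not stop another station on the same segment from holding one of those addresses; keeping static addresses on the service hosts, or moving them to their own segment, makes the DNS and cookie servers advertised in the global `option-data` independent of lease state. A comment on the shared network recording this would help, e.g. `# NOTE: all three subnets share one L2 segment; pool selection is not tied to the wifi/wired labels`. The `services.kea` block begins before the hunk.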