use real event ip space

This commit is contained in:
lilly 2025-03-18 17:50:44 +01:00
commit 712f0f4a17
Signed by: lilly
SSH key fingerprint: SHA256:y9T5GFw2A20WVklhetIxG1+kcg/Ce0shnQmbu1LQ37g
15 changed files with 222 additions and 167 deletions


@ -28,41 +28,23 @@ let
journal-content: all
zone:
- domain: noc.eh22.intern
- domain: eh22.intern
'';
in
{
imports = [ ];
# configure static IP address
networking.useDHCP = false;
systemd.network = {
enable = true;
networks = {
"10-mgmtNet" = {
matchConfig.MACAddress = "bc:24:11:c1:8a:a4";
address = [ "10.20.25.3/24" ];
gateway = [ "10.20.25.2" ];
};
};
};
# enable knot authorative dns server
# ref: https://search.nüschtos.de/?query=services.knot
# https://www.knot-dns.cz/docs/3.4/html/configuration.html
environment.etc =
(lib.attrsets.mapAttrs' (name: value: {
name = "knot/zones/noc.eh22.intern.zone";
environment.etc = (
lib.attrsets.mapAttrs' (name: value: {
name = "knot/zones/${name}";
value = {
source = value;
};
}) zones)
// {
"resolv.conf".text = ''
search noc.eh22.intern eh22.intern
nameserver 10.20.25.5
'';
};
}) zones
);
services.knot = {
enable = true;
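Review bot: The authoritative server loses its fixed address here — with `networking.useDHCP = false` and the static `10-mgmtNet` network removed, it only gets 94.45.255.3 through the Kea reservation for `bc:24:11:c1:8a:a4` on the router, while the recursive resolver stubs `noc.eh22.intern` to that literal address; if Kea is down or the reservation drifts, internal DNS fails with nothing in this file hinting why. Consider keeping a static address for this host, or at least a comment above `environment.etc` such as `# address 94.45.255.3 comes from the Kea reservation on the router; kresd stubs noc.eh22.intern to it`. The `resolv.conf` entry is dropped as well, so this host now takes `domain-name-servers` from DHCP, and the `mgmtNet` shared-network in the router config still appears to hand out `10.20.25.5`, which no longer exists after this commit. The enclosing module continues past the hunk.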


@ -6,19 +6,6 @@
{
imports = [ ];
# configure static IP address
networking.useDHCP = false;
systemd.network = {
enable = true;
networks = {
"10-eth0" = {
matchConfig.MACAddress = "BC:24:11:41:E1:61";
address = [ "10.0.0.3/24" ];
gateway = [ "10.0.0.1" ];
};
};
};
services.cookied = {
enable = true;
algorithm = "text";


@ -49,7 +49,7 @@ in
# prod hosts (public user)
"cookies.eh22.intern" = mkSystem "x86_64-linux" "cookies.eh22.intern";
"jool.nat64.eh22.intern" = mkSystem "x86_64-linux" "jool.nat64.eh22.intern";
"jool.eh22.intern" = mkSystem "x86_64-linux" "jool.eh22.intern";
# staging temp infra
"sketchy-router.noc.eh22.intern" = mkSystem "x86_64-linux" "sketchy-router.noc.eh22.intern";


@ -0,0 +1,69 @@
{
pkgs,
lib,
...
}:
{
imports = [ ];
# configure jool
networking.jool = {
# siit = {}; TODO
nat64 = {
pool4 = [
{
protocol = "TCP";
prefix = "94.45.248.0/25";
"port range" = "40001-65535";
}
{
protocol = "UDP";
prefix = "94.45.248.128/26";
"port range" = "40001-65535";
}
{
protocol = "ICMP";
prefix = "94.45.248.192/27";
"port range" = "40001-65535";
}
{
protocol = "TCP";
prefix = "94.45.248.0/25";
"port range" = "40001-65535";
}
{
protocol = "UDP";
prefix = "94.45.248.128/26";
"port range" = "40001-65535";
}
{
protocol = "ICMP";
prefix = "94.45.248.192/27";
"port range" = "40001-65535";
}
{
protocol = "TCP";
prefix = "94.45.248.0/25";
"port range" = "40001-65535";
}
{
protocol = "UDP";
prefix = "94.45.248.128/26";
"port range" = "40001-65535";
}
{
protocol = "ICMP";
prefix = "94.45.248.192/27";
"port range" = "40001-65535";
}
];
};
};
# DO NOT CHANGE
# this defines the first version of NixOS that was installed on the machine so that programs with non-migratable data files are kept compatible
home-manager.users.noc.home.stateVersion = "24.11";
system.stateVersion = "24.11";
}
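Review bot: `pool4` repeats the same three entries (TCP 94.45.248.0/25, UDP 94.45.248.128/26, ICMP 94.45.248.192/27) three times; the duplicates add nothing and, depending on how the Jool module feeds them to `jool pool4 add`, may make the unit fail on the repeated prefix — keep one copy of each. The TCP prefix 94.45.248.0/25 also contains 94.45.248.1, which the router config in this same commit assigns to `ethPubUsr`, so NAT64 sessions could be translated onto the router's own address; carve the router's addresses out of the pool. If this is the nixpkgs `networking.jool` module, instances are keyed by name (`networking.jool.nat64.<name>.pool4`) and need `networking.jool.enable = true`, neither of which appears here, so it is worth confirming the file evaluates at all. A one-line header comment naming which host this is and where its IPv4 address comes from (the Kea reservation for `BC:24:11:21:7F:AF`) would also help, since the file no longer carries any network config.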


@ -1,26 +0,0 @@
{
pkgs,
lib,
...
}:
{
imports = [ ];
# configure static IP address
networking.useDHCP = false;
systemd.network = {
enable = true;
networks = {
"10-eth0" = {
matchConfig.MACAddress = "BC:24:11:21:7F:AF";
address = [ "94.45.248.2/24" ];
gateway = [ "BC:24:11:21:7F:AF" ];
};
};
};
# DO NOT CHANGE
# this defines the first version of NixOS that was installed on the machine so that programs with non-migratable data files are kept compatible
home-manager.users.noc.home.stateVersion = "24.11";
system.stateVersion = "24.11";
}


@ -4,6 +4,12 @@
...
}:
{
imports = [
./grafana.nix
./mimir.nix
./loki.nix
];
sops = {
defaultSopsFile = ../../secrets/passwords.yaml;
secrets."services/grafana/admin_password" = {
@ -26,28 +32,8 @@
};
};
# configure static IP address
networking.useDHCP = false;
systemd.network = {
enable = true;
networks = {
"10-mgmtNet" = {
matchConfig.MACAddress = "BC:24:11:FC:C2:26";
address = [ "10.20.25.4/24" ];
gateway = [ "10.20.25.2" ];
dns = [ "10.20.25.5" ];
};
};
};
networking.firewall.allowedTCPPorts = [ 80 ];
imports = [
./grafana.nix
./mimir.nix
./loki.nix
];
services.nginx = {
enable = true;
recommendedProxySettings = true;


@ -1,4 +1,5 @@
-- ref: https://www.knot-resolver.cz/documentation/stable/config-overview.html
log_level("info")
-- load non-default modules
modules.load("view")
@ -8,11 +9,11 @@ modules.load("prefill")
ehDomains = policy.todnames({'noc.eh22.intern'})
-- for the mgmt-network, forward ehDomains to our authorative server
view:addr('10.20.25.0/24', policy.suffix(policy.FLAGS({'NO_CACHE'}), ehDomains))
view:addr('10.20.25.0/24', policy.suffix(policy.STUB({'10.20.25.3'}), ehDomains))
view:addr('94.45.255.0/24', policy.suffix(policy.FLAGS({'NO_CACHE'}), ehDomains))
view:addr('94.45.255.0/24', policy.suffix(policy.STUB({'94.45.255.3'}), ehDomains))
-- allow resolution from our internal network
view:addr('10.20.25.0/24', policy.all(policy.PASS))
-- allow resolution from the event net
view:addr('94.45.224.0/19', policy.all(policy.PASS))
-- precache the root zone to reduce traffic load to it
prefill.config({
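Review bot: The view rules added here only stub the mgmt net and PASS `94.45.224.0/19`; there is no terminal deny such as `view:addr('0.0.0.0/0', policy.all(policy.DROP))` (and nothing for `::/0`), and as far as I read the view module an unmatched source is resolved for as usual. With the resolver now on 94.45.254.2 in the public range, that makes it an open resolver for any source that can reach port 53 unless the router drops inbound 53 on its upstream side, which this commit does not show — add the catch-all after the PASS rules. Separately, `ehDomains` still covers only `noc.eh22.intern` while the authoritative server's zone list includes `eh22.intern`, so names directly under the shorter zone would go to the root instead of being stubbed to 94.45.255.3; extend the list if that zone is meant to be internal. The STUB target 94.45.255.3 is a DHCP-reserved address, so a comment saying so would save the next person a search.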


@ -17,29 +17,7 @@ in
{
imports = [ ];
# configure static IP address
networking.useDHCP = false;
systemd.network = {
enable = true;
links = {
"10-ethMgmt" = renameLink "BC:24:11:61:E3:D9" "ethMgmt";
"10-ethPubUser" = renameLink "BC:24:11:AD:52:B1" "ethPubUsr";
};
networks = {
"10-mgmtNet" = {
matchConfig.Name = "ethMgmt";
address = [ "10.20.25.5/24" ];
gateway = [ "10.20.25.2" ];
};
"10-pubUsr" = {
matchConfig.Name = "ethPubUsr";
address = [ "10.0.0.2/24" ];
gateway = [ "10.0.0.1" ];
};
};
};
# configure remaining network to work
# configure network for dns server
services.resolved.enable = false;
networking.firewall = {
allowedTCPPorts = [ 53 ];
@ -47,7 +25,7 @@ in
};
environment.etc."resolv.conf".text = ''
search noc.eh22.intern eh22.intern
nameserver 10.20.25.5
nameserver 94.45.254.2
'';
# enable knot resolv server
@ -55,7 +33,7 @@ in
# https://www.knot-resolver.cz/documentation/stable/
services.kresd = {
enable = true;
instances = 4;
instances = 1;
listenPlain = [ "53" ];
extraConfig = builtins.readFile ./kresd-config.lua;
};
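Review bot: `instances` drops from 4 to 1 in the same commit that puts the whole wifi /20 and wired /21 behind this resolver, with no comment explaining the cut; if it is deliberate (single vCPU, easier debugging) record it, e.g. `instances = 1; # single instance while debugging; raise before the event`, otherwise keep 4. With the static `ethMgmt`/`ethPubUsr` networks gone, the host falls back to DHCP on every NIC, and only `BC:24:11:AD:52:B1` has a Kea reservation (94.45.254.2); if the second NIC (`BC:24:11:61:E3:D9`) is still attached it will lease from the 94.45.255.200-254 pool, and `listenPlain = [ "53" ]` means kresd answers on that changing address too. Binding `listenPlain` to the reserved address would keep the service surface predictable. The surrounding module continues outside these hunks.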


@ -21,7 +21,6 @@ in
"net.ipv6.conf.all.forwarding" = "1";
};
networking.useDHCP = false;
networking.nftables.enable = true;
systemd.network = {
enable = true;
@ -38,13 +37,17 @@ in
};
"10-ethMgmt" = {
matchConfig.Name = "ethMgmt";
address = [ "10.20.25.2/24" ];
address = [
"94.45.255.2/24"
];
};
"10-ethPubUsr" = {
matchConfig.Name = "ethPubUsr";
address = [
"10.0.0.1/24"
"94.45.248.1/24"
"94.45.248.254/24"
"94.45.224.1/20" # wifi
"94.45.240.1/21" # wired
"94.45.254.1/24" # public services subnet
];
};
};
@ -54,9 +57,7 @@ in
enable = true;
externalInterface = "ethUpstream";
internalIPs = [
"10.20.25.0/24"
"10.0.0.0/24"
"94.45.248.0/24"
"94.45.224.0/19" # cccv event space, TODO: remove once we are at the event
];
};
@ -78,57 +79,112 @@ in
renew-timer = 1000;
valid-lifetime = 4000;
authoritative = true;
option-data = [
{
name = "domain-name-servers";
data = "94.45.254.2";
}
{
name = "cookie-servers";
data = "94.45.254.3";
always-send = true;
}
];
shared-networks = [
{
# management network
name = "mgmtNet";
interface = "ethMgmt";
option-data = [
{
name = "domain-name-servers";
data = "10.20.25.5";
}
{
name = "domain-search";
data = "noc.eh22.intern.";
}
{
name = "routers";
data = "10.20.25.2";
data = "94.45.255.2";
}
];
subnet4 = [
{
id = 300;
subnet = "10.20.25.0/24";
pools = [ { pool = "10.20.25.100 - 10.20.25.254"; } ];
id = 255;
subnet = "94.45.255.0/24";
pools = [ { pool = "94.45.255.200 - 94.45.255.254"; } ];
reservations = [
{
# auth-dns
hw-address = "BC:24:11:C1:8A:A4";
ip-address = "94.45.255.3";
}
{
# monitoring
hw-address = "BC:24:11:FC:C2:26";
ip-address = "94.45.255.4";
}
];
}
];
}
{
# public user network (only temporary setup)
name = "tempPublicUser";
# public network
name = "public";
interface = "ethPubUsr";
option-data = [
{
name = "routers";
data = "10.0.0.1";
}
{
name = "domain-name-servers";
data = "10.0.0.2";
}
{
name = "cookie-servers";
data = "10.0.0.3";
}
];
subnet4 = [
{
id = 999;
subnet = "10.0.0.0/24";
pools = [ { pool = "10.0.0.100 - 10.0.0.254"; } ];
# public services
id = 254;
subnet = "94.45.254.0/24";
pools = [ ];
option-data = [
{
name = "routers";
data = "94.45.254.1";
}
];
reservations = [
{
# resolv-dns
hw-address = "BC:24:11:AD:52:B1";
ip-address = "94.45.254.2";
}
{
# cookies
hw-address = "BC:24:11:41:E1:61";
ip-address = "94.45.254.3";
}
{
# nat64
hw-address = "BC:24:11:21:7F:AF";
ip-address = "94.45.254.4";
}
];
}
{
# wifi
id = 224;
subnet = "94.45.224.0/20";
pools = [ { pool = "94.45.224.10 - 94.45.239.254"; } ];
option-data = [
{
name = "routers";
data = "94.45.224.1";
}
];
}
{
# wired
id = 240;
subnet = "94.45.240.0/21";
pools = [ { pool = "94.45.240.10 - 94.45.240.254"; } ];
option-data = [
{
name = "routers";
data = "94.45.240.1";
}
];
}
];
}
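Review bot: The `mgmtNet` shared-network still carries its own `domain-name-servers` option with `data = "10.20.25.5"` (those lines appear unchanged in this hunk), and in Kea a shared-network option overrides the new global `domain-name-servers = 94.45.254.2`, so the auth-dns and monitoring hosts that this commit switches to DHCP would be handed a resolver address that no longer exists anywhere in the tree. Change it to `data = "94.45.254.2";` or drop the entry so the global option applies; the same check applies to `domain-search`, which is harmless but now only matches the mgmt zone. Also worth a note in the hunk: `ethPubUsr` is given both `94.45.248.1/24` and `94.45.248.254/24` while no Kea subnet covers 94.45.248.0/24 and the NAT64 host's `pool4` claims most of it, so a comment stating that this /24 is reserved for NAT64 and why the router needs two addresses in it would prevent someone from adding a pool there later. The NAT `internalIPs` entry for `94.45.224.0/19` still carries its "remove once we are at the event" TODO, which this commit does not resolve.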