use real event ip space

data/zones/eh22.intern.zone

@@ -0,0 +1,13 @@
+$ORIGIN eh22.intern.
+@ 0 IN SOA auth-dns.noc noc.eh22.easterhegg.eu. 1 7200 3600 3600000 60
+@ 0 IN NS 10.20.25.3.
+cookies 0 IN A 94.45.254.3
+jool 0 IN A 94.45.254.4
+auth-dns.noc 0 IN A 94.45.255.3
+grafana.noc 0 IN CNAME monitoring.noc
+loki.noc 0 IN CNAME monitoring.noc
+mimir.noc 0 IN CNAME monitoring.noc
+monitoring.noc 0 IN A 94.45.255.4
+proxmox.noc 0 IN A 94.45.255.1
+router.noc 0 IN A 94.45.255.2
+resolv-dns 0 IN A 94.45.254.2

data/zones/noc.eh22.intern.zone

@@ -1,11 +0,0 @@
-$ORIGIN noc.eh22.intern.
-@ 0 IN SOA auth-dns noc.eh22.easterhegg.eu. 1 7200 3600 3600000 60
-@ 0 IN NS 10.20.25.3.
-auth-dns 0 IN A 10.20.25.3
-monitoring 0 IN A 10.20.25.4
-grafana 0 IN A 10.20.25.4
-loki 0 IN A 10.20.25.4
-mimir 0 IN A 10.20.25.4
-proxmox 0 IN A 10.20.25.1
-resolv-dns 0 IN A 10.20.25.5
-sketchy-router 0 IN A 10.20.25.2

modules/base_system.nix

@@ -121,6 +121,18 @@
     useXkbConfig = lib.mkDefault true;
   };
 
+  # use systemd-networkd with DHCP by default
+  networking.useDHCP = false;
+  systemd.network = {
+    enable = true;
+    networks = {
+      "99-defaultEther" = {
+        matchConfig.Type = "ether";
+        networkConfig.DHCP = "yes";
+      };
+    };
+  };
+
   # ssh server
   services.openssh = {
     enable = true;

packages/fetch-netbox-data/default.nix

@@ -1,7 +1,7 @@
 { python3 }:
 python3.pkgs.buildPythonApplication {
   name = "fetch-netbox-data";
-  version = "1.0.0";
+  version = "1.1.0";
   src = ./.;
   pyproject = false;
 

packages/fetch-netbox-data/fetch-netbox-data.py

@@ -5,36 +5,46 @@ from dns import rdatatype
 from dns import rdataclass
 from dns.rdtypes.ANY.SOA import SOA
 from dns.rdtypes.ANY.NS import NS
+from dns.rdtypes.ANY.CNAME import CNAME
 from dns.rdtypes.IN.A import A
 from dns.zone import Zone
 from pathlib import Path
+from pprint import pprint
 
 
 def build_auth_dns_zones(nb: pynetbox.api, nox_dir: Path):
     zones_dir = nox_dir / "data" / "zones"
     zones_dir.mkdir(parents=True,exist_ok=True)
     print(f"Fetching IPAM data to build authorative zonefiles in {zones_dir}")
-
+    print(f"Building zone eh22.intern")
-    print(f"Building zone noc.eh22.intern")
+    zonefile_path = zones_dir / "eh22.intern.zone"
-    zonefile_path = zones_dir / "noc.eh22.intern.zone"
 
     # build zone management stuff (SOA record, NS record)
-    zone = Zone(origin="noc.eh22.intern")
+    zone = Zone(origin="eh22.intern")
     zone.get_rdataset("@", rdtype=rdatatype.SOA, create=True)\
         .add(SOA(rdclass=rdataclass.IN, rdtype=rdatatype.SOA, mname="auth-dns.noc.eh22.intern.", rname="noc.eh22.easterhegg.eu.", serial=1, refresh=7200, retry=3600, expire=3600000, minimum=60))
     zone.get_rdataset("@", rdtype=rdatatype.NS, create=True)\
         .add(NS(rdclass=rdataclass.IN, rdtype=rdatatype.NS, target="10.20.25.3"))
 
     # iterate over all ip addresses with dns names ending in noc.eh22.intern
-    for i_addr in nb.ipam.ip_addresses.filter("noc.eh22.intern"):
+    for i_addr in nb.ipam.ip_addresses.filter("eh22.intern"):
         raw_addr = i_addr.address.rsplit("/", maxsplit=1)[0]
-        relative_name = i_addr.dns_name.removesuffix(".noc.eh22.intern")
+        relative_name = i_addr.dns_name.removesuffix(".eh22.intern")
+
+        # add A/AAAA record for the name itself
         if i_addr.family.value == 4:
             zone.get_rdataset(relative_name, rdtype=rdatatype.A, create=True)\
                 .add(A(rdclass=rdataclass.IN, rdtype=rdatatype.A, address=raw_addr))
         else:
             raise RuntimeError(f"Got unknown IP family {i_addr.family} ({i_addr.family.value})")
 
+        # add CNAME records for all registered alternative names
+        if i_addr.custom_fields["altnames"]:
+            for i_altname in i_addr.custom_fields["altnames"].split(","):
+                i_altname = i_altname.strip().removesuffix(".eh22.intern")
+                zone.get_rdataset(i_altname, rdtype=rdatatype.CNAME, create=True)\
+                    .add(CNAME(rdclass=rdataclass.IN, rdtype=rdatatype.CNAME, target=relative_name + ".eh22.intern."))
+
     with open(zonefile_path, mode="w") as f:
         zone.to_file(f, want_comments=True, want_origin=True)
 

switch_remote.sh

@@ -8,9 +8,7 @@ CONFIG=$3
 
 set -x
 exec nixos-rebuild $ACTION \
-  --use-substitutes \
   --no-build-nix \
   --use-remote-sudo \
-  --build-host $HOST \
   --target-host $HOST \
   --flake ".#${CONFIG}"

systems/auth-dns.noc.eh22.intern.nix

@@ -28,41 +28,23 @@ let
         journal-content: all
 
     zone:
-      - domain: noc.eh22.intern
+      - domain: eh22.intern
   '';
 in
 {
   imports = [ ];
 
-  # configure static IP address
-  networking.useDHCP = false;
-  systemd.network = {
-    enable = true;
-    networks = {
-      "10-mgmtNet" = {
-        matchConfig.MACAddress = "bc:24:11:c1:8a:a4";
-        address = [ "10.20.25.3/24" ];
-        gateway = [ "10.20.25.2" ];
-      };
-    };
-  };
-
   # enable knot authorative dns server
   # ref: https://search.nüschtos.de/?query=services.knot
   #      https://www.knot-dns.cz/docs/3.4/html/configuration.html
-  environment.etc =
+  environment.etc = (
-    (lib.attrsets.mapAttrs' (name: value: {
+    lib.attrsets.mapAttrs' (name: value: {
-      name = "knot/zones/noc.eh22.intern.zone";
+      name = "knot/zones/${name}";
       value = {
         source = value;
       };
-    }) zones)
+    }) zones
-    // {
+  );
-      "resolv.conf".text = ''
-        search noc.eh22.intern eh22.intern
-        nameserver 10.20.25.5
-      '';
-    };
 
   services.knot = {
     enable = true;

systems/cookies.eh22.intern.nix

@@ -6,19 +6,6 @@
 {
   imports = [ ];
 
-  # configure static IP address
-  networking.useDHCP = false;
-  systemd.network = {
-    enable = true;
-    networks = {
-      "10-eth0" = {
-        matchConfig.MACAddress = "BC:24:11:41:E1:61";
-        address = [ "10.0.0.3/24" ];
-        gateway = [ "10.0.0.1" ];
-      };
-    };
-  };
-
   services.cookied = {
     enable = true;
     algorithm = "text";

systems/default.nix

@@ -49,7 +49,7 @@ in
 
   # prod hosts (public user)
   "cookies.eh22.intern" = mkSystem "x86_64-linux" "cookies.eh22.intern";
-  "jool.nat64.eh22.intern" = mkSystem "x86_64-linux" "jool.nat64.eh22.intern";
+  "jool.eh22.intern" = mkSystem "x86_64-linux" "jool.eh22.intern";
 
   # staging temp infra
   "sketchy-router.noc.eh22.intern" = mkSystem "x86_64-linux" "sketchy-router.noc.eh22.intern";

systems/jool.eh22.intern.nix

@@ -0,0 +1,69 @@
+{
+  pkgs,
+  lib,
+  ...
+}:
+{
+  imports = [ ];
+
+  # configure jool
+  networking.jool = {
+    # siit = {}; TODO
+    nat64 = {
+      pool4 = [
+        {
+          protocol = "TCP";
+          prefix = "94.45.248.0/25";
+          "port range" = "40001-65535";
+        }
+        {
+          protocol = "UDP";
+          prefix = "94.45.248.128/26";
+          "port range" = "40001-65535";
+        }
+        {
+          protocol = "ICMP";
+          prefix = "94.45.248.192/27";
+          "port range" = "40001-65535";
+        }
+
+        {
+          protocol = "TCP";
+          prefix = "94.45.248.0/25";
+          "port range" = "40001-65535";
+        }
+        {
+          protocol = "UDP";
+          prefix = "94.45.248.128/26";
+          "port range" = "40001-65535";
+        }
+        {
+          protocol = "ICMP";
+          prefix = "94.45.248.192/27";
+          "port range" = "40001-65535";
+        }
+
+        {
+          protocol = "TCP";
+          prefix = "94.45.248.0/25";
+          "port range" = "40001-65535";
+        }
+        {
+          protocol = "UDP";
+          prefix = "94.45.248.128/26";
+          "port range" = "40001-65535";
+        }
+        {
+          protocol = "ICMP";
+          prefix = "94.45.248.192/27";
+          "port range" = "40001-65535";
+        }
+      ];
+    };
+  };
+
+  # DO NOT CHANGE
+  # this defines the first version of NixOS that was installed on the machine so that programs with non-migratable data files are kept compatible
+  home-manager.users.noc.home.stateVersion = "24.11";
+  system.stateVersion = "24.11";
+}

systems/jool.nat64.eh22.intern.nix

@@ -1,26 +0,0 @@
-{
-  pkgs,
-  lib,
-  ...
-}:
-{
-  imports = [ ];
-
-  # configure static IP address
-  networking.useDHCP = false;
-  systemd.network = {
-    enable = true;
-    networks = {
-      "10-eth0" = {
-        matchConfig.MACAddress = "BC:24:11:21:7F:AF";
-        address = [ "94.45.248.2/24" ];
-        gateway = [ "BC:24:11:21:7F:AF" ];
-      };
-    };
-  };
-
-  # DO NOT CHANGE
-  # this defines the first version of NixOS that was installed on the machine so that programs with non-migratable data files are kept compatible
-  home-manager.users.noc.home.stateVersion = "24.11";
-  system.stateVersion = "24.11";
-}

systems/monitoring.noc.eh22.intern/system.nix

@@ -4,6 +4,12 @@
   ...
 }:
 {
+  imports = [
+    ./grafana.nix
+    ./mimir.nix
+    ./loki.nix
+  ];
+
   sops = {
     defaultSopsFile = ../../secrets/passwords.yaml;
     secrets."services/grafana/admin_password" = {
@@ -26,28 +32,8 @@
     };
   };
 
-  # configure static IP address
-  networking.useDHCP = false;
-  systemd.network = {
-    enable = true;
-    networks = {
-      "10-mgmtNet" = {
-        matchConfig.MACAddress = "BC:24:11:FC:C2:26";
-        address = [ "10.20.25.4/24" ];
-        gateway = [ "10.20.25.2" ];
-        dns = [ "10.20.25.5" ];
-      };
-    };
-  };
-
   networking.firewall.allowedTCPPorts = [ 80 ];
 
-  imports = [
-    ./grafana.nix
-    ./mimir.nix
-    ./loki.nix
-  ];
-
   services.nginx = {
     enable = true;
     recommendedProxySettings = true;

systems/resolv-dns.noc.eh22.intern/kresd-config.lua

@@ -1,4 +1,5 @@
 -- ref: https://www.knot-resolver.cz/documentation/stable/config-overview.html
+log_level("info")
 
 -- load non-default modules
 modules.load("view")
@@ -8,11 +9,11 @@ modules.load("prefill")
 ehDomains = policy.todnames({'noc.eh22.intern'})
 
 -- for the mgmt-network, forward ehDomains to our authorative server
-view:addr('10.20.25.0/24', policy.suffix(policy.FLAGS({'NO_CACHE'}), ehDomains))
+view:addr('94.45.255.0/24', policy.suffix(policy.FLAGS({'NO_CACHE'}), ehDomains))
-view:addr('10.20.25.0/24', policy.suffix(policy.STUB({'10.20.25.3'}), ehDomains))
+view:addr('94.45.255.0/24', policy.suffix(policy.STUB({'94.45.255.3'}), ehDomains))
 
--- allow resolution from our internal network
+-- allow resolution from the event net
-view:addr('10.20.25.0/24', policy.all(policy.PASS))
+view:addr('94.45.224.0/19', policy.all(policy.PASS))
 
 -- precache the root zone to reduce traffic load to it
 prefill.config({

systems/resolv-dns.noc.eh22.intern/system.nix

@@ -17,29 +17,7 @@ in
 {
   imports = [ ];
 
-  # configure static IP address
+  # configure network for dns server
-  networking.useDHCP = false;
-  systemd.network = {
-    enable = true;
-    links = {
-      "10-ethMgmt" = renameLink "BC:24:11:61:E3:D9" "ethMgmt";
-      "10-ethPubUser" = renameLink "BC:24:11:AD:52:B1" "ethPubUsr";
-    };
-    networks = {
-      "10-mgmtNet" = {
-        matchConfig.Name = "ethMgmt";
-        address = [ "10.20.25.5/24" ];
-        gateway = [ "10.20.25.2" ];
-      };
-      "10-pubUsr" = {
-        matchConfig.Name = "ethPubUsr";
-        address = [ "10.0.0.2/24" ];
-        gateway = [ "10.0.0.1" ];
-      };
-    };
-  };
-
-  # configure remaining network to work
   services.resolved.enable = false;
   networking.firewall = {
     allowedTCPPorts = [ 53 ];
@@ -47,7 +25,7 @@ in
   };
   environment.etc."resolv.conf".text = ''
     search noc.eh22.intern eh22.intern
-    nameserver 10.20.25.5
+    nameserver 94.45.254.2
   '';
 
   # enable knot resolv server
@@ -55,7 +33,7 @@ in
   #      https://www.knot-resolver.cz/documentation/stable/
   services.kresd = {
     enable = true;
-    instances = 4;
+    instances = 1;
     listenPlain = [ "53" ];
     extraConfig = builtins.readFile ./kresd-config.lua;
   };

systems/sketchy-router.noc.eh22.intern.nix

@@ -21,7 +21,6 @@ in
     "net.ipv6.conf.all.forwarding" = "1";
   };
 
-  networking.useDHCP = false;
   networking.nftables.enable = true;
   systemd.network = {
     enable = true;
@@ -38,13 +37,17 @@ in
       };
       "10-ethMgmt" = {
         matchConfig.Name = "ethMgmt";
-        address = [ "10.20.25.2/24" ];
+        address = [
+          "94.45.255.2/24"
+        ];
       };
       "10-ethPubUsr" = {
         matchConfig.Name = "ethPubUsr";
         address = [
-          "10.0.0.1/24"
+          "94.45.248.254/24"
-          "94.45.248.1/24"
+          "94.45.224.1/20" # wifi
+          "94.45.240.1/21" # wired
+          "94.45.254.1/24" # public services subnet
         ];
       };
     };
@@ -54,9 +57,7 @@ in
     enable = true;
     externalInterface = "ethUpstream";
     internalIPs = [
-      "10.20.25.0/24"
+      "94.45.224.0/19" # cccv event space, TODO: remove once we are at the event
-      "10.0.0.0/24"
-      "94.45.248.0/24"
     ];
   };
 
@@ -78,57 +79,112 @@ in
       renew-timer = 1000;
       valid-lifetime = 4000;
       authoritative = true;
+      option-data = [
+        {
+          name = "domain-name-servers";
+          data = "94.45.254.2";
+        }
+        {
+          name = "cookie-servers";
+          data = "94.45.254.3";
+          always-send = true;
+        }
+      ];
       shared-networks = [
         {
           # management network
           name = "mgmtNet";
           interface = "ethMgmt";
           option-data = [
-            {
-              name = "domain-name-servers";
-              data = "10.20.25.5";
-            }
             {
               name = "domain-search";
               data = "noc.eh22.intern.";
             }
             {
               name = "routers";
-              data = "10.20.25.2";
+              data = "94.45.255.2";
             }
           ];
           subnet4 = [
             {
-              id = 300;
+              id = 255;
-              subnet = "10.20.25.0/24";
+              subnet = "94.45.255.0/24";
-              pools = [ { pool = "10.20.25.100 - 10.20.25.254"; } ];
+              pools = [ { pool = "94.45.255.200 - 94.45.255.254"; } ];
+              reservations = [
+                {
+                  # auth-dns
+                  hw-address = "BC:24:11:C1:8A:A4";
+                  ip-address = "94.45.255.3";
+                }
+                {
+                  # monitoring
+                  hw-address = "BC:24:11:FC:C2:26";
+                  ip-address = "94.45.255.4";
+                }
+              ];
             }
           ];
         }
 
         {
-          # public user network (only temporary setup)
+          # public network
-          name = "tempPublicUser";
+          name = "public";
           interface = "ethPubUsr";
-          option-data = [
-            {
-              name = "routers";
-              data = "10.0.0.1";
-            }
-            {
-              name = "domain-name-servers";
-              data = "10.0.0.2";
-            }
-            {
-              name = "cookie-servers";
-              data = "10.0.0.3";
-            }
-          ];
           subnet4 = [
             {
-              id = 999;
+              # public services
-              subnet = "10.0.0.0/24";
+              id = 254;
-              pools = [ { pool = "10.0.0.100 - 10.0.0.254"; } ];
+              subnet = "94.45.254.0/24";
+              pools = [ ];
+              option-data = [
+                {
+                  name = "routers";
+                  data = "94.45.254.1";
+                }
+              ];
+              reservations = [
+                {
+                  # resolv-dns
+                  hw-address = "BC:24:11:AD:52:B1";
+                  ip-address = "94.45.254.2";
+                }
+                {
+                  # cookies
+                  hw-address = "BC:24:11:41:E1:61";
+                  ip-address = "94.45.254.3";
+                }
+                {
+                  # nat64
+                  hw-address = "BC:24:11:21:7F:AF";
+                  ip-address = "94.45.254.4";
+                }
+              ];
+            }
+
+            {
+              # wifi
+              id = 224;
+              subnet = "94.45.224.0/20";
+              pools = [ { pool = "94.45.224.10 - 94.45.239.254"; } ];
+              option-data = [
+                {
+                  name = "routers";
+                  data = "94.45.224.1";
+                }
+              ];
+            }
+
+            {
+              # wired
+              id = 240;
+              subnet = "94.45.240.0/21";
+              pools = [ { pool = "94.45.240.10 - 94.45.240.254"; } ];
+              option-data = [
+                {
+                  name = "routers";
+                  data = "94.45.240.1";
+                }
+              ];
             }
           ];
         }