diff --git a/lib/constants.nix b/lib/constants.nix index ee387af..acc6a0b 100644 --- a/lib/constants.nix +++ b/lib/constants.nix @@ -10,12 +10,14 @@ rec { gitea-runner = 401; jellyseerr = 402; atticd = 403; + kea = 404; }; gids = { matrix-syncv3 = 400; gitea-runner = 401; jellyseerr = 402; atticd = 403; + kea = 404; }; }; diff --git a/nixos/boxes/castle/default.nix b/nixos/boxes/castle/default.nix index 0313c82..a4d9ce3 100644 --- a/nixos/boxes/castle/default.nix +++ b/nixos/boxes/castle/default.nix @@ -22,18 +22,6 @@ in address = net.cidr.host (65536*3+1) prefixes.hi.v6; }; }; - lo = { - inherit domain; - ipv4 = { - address = net.cidr.host 40 prefixes.lo.v4; - mask = 21; - gateway = null; - }; - ipv6 = { - iid = "::3:1"; - address = net.cidr.host (65536*3+1) prefixes.lo.v6; - }; - }; }; configuration = { lib, pkgs, modulesPath, config, systems, assignments, allAssignments, ... }: @@ -116,7 +104,13 @@ in blueman.enable = true; }; - programs.virt-manager.enable = true; + programs = { + virt-manager.enable = true; + wireshark = { + enable = true; + package = pkgs.wireshark-qt; + }; + }; virtualisation.libvirtd.enable = true; networking = { @@ -155,7 +149,6 @@ in wait-online.enable = false; netdevs = mkMerge [ (mkVLAN "lan-hi" vlans.hi) - (mkVLAN "lan-lo" vlans.lo) ]; links = { "10-et2.5g" = { @@ -177,28 +170,23 @@ in networks = { "50-lan" = { matchConfig.Name = "et2.5g"; - DHCP = "yes"; + DHCP = "no"; + address = [ "10.16.7.1/16" ]; }; "50-et100g" = { matchConfig.Name = "et100g"; - vlan = [ "lan-hi" "lan-lo" ]; + vlan = [ "lan-hi" ]; networkConfig.IPv6AcceptRA = false; }; "60-lan-hi" = mkMerge [ (networkdAssignment "lan-hi" assignments.hi) { + DHCP = "yes"; matchConfig.Name = "lan-hi"; linkConfig.MTUBytes = "9000"; } ]; - "60-lan-lo" = mkMerge [ - (networkdAssignment "lan-lo" assignments.lo) - { - matchConfig.Name = "lan-lo"; - linkConfig.MTUBytes = "1500"; - } - ]; }; }; }; 
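Review bot: Enabling `programs.wireshark` (with `package = pkgs.wireshark-qt`) installs the setcap `dumpcap` wrapper that members of the `wireshark` group may run to capture on any interface, and the user.nix hunk in this commit adds the primary user to that group, so an ordinary session on castle can now read all LAN/VLAN traffic including the new DHCP/DDNS exchanges. That is a deliberate privilege grant rather than a package install and deserves a line next to the option, e.g. `# grants passwordless packet capture via the dumpcap wrapper; the user is added to the wireshark group in user.nix`. If capture is only needed occasionally, enabling the program without the group membership and running dumpcap through sudo keeps the default-deny.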
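Review bot: `60-lan-hi` now sets `DHCP = "yes"` on top of the static address that `networkdAssignment "lan-hi" assignments.hi` presumably still configures (the hi assignment block itself is outside this hunk), so castle holds the static address and requests a lease on the same link at the same time. The Kea reservation added in this commit makes the two agree on the IPv4 address, but `DHCP = "yes"` also enables DHCPv6 and, with networkd's defaults, installs whatever DNS servers and routes the lease carries, which can override the static configuration. If the intent is only to exercise the new DHCP server, `DHCP = "ipv4";` together with `dhcpV4Config = { UseDNS = false; UseRoutes = false; };` keeps the static setup authoritative; if the intent is to move castle to DHCP, the assignment merge should be dropped instead.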
diff --git a/nixos/boxes/home/routing-common/default.nix b/nixos/boxes/home/routing-common/default.nix index 33ae252..09915ff 100644 --- a/nixos/boxes/home/routing-common/default.nix +++ b/nixos/boxes/home/routing-common/default.nix @@ -109,6 +109,7 @@ in ./keepalived.nix ./dns.nix ./radvd.nix + ./kea.nix ]; config = { diff --git a/nixos/boxes/home/routing-common/dns.nix b/nixos/boxes/home/routing-common/dns.nix index 8d472b5..b08cfff 100644 --- a/nixos/boxes/home/routing-common/dns.nix +++ b/nixos/boxes/home/routing-common/dns.nix @@ -47,13 +47,8 @@ in settings = { query-local-address = [ - # TODO: IPv6 "0.0.0.0" "::" - # TODO: Dynamic IPv4 WAN address? - # assignments.internal.ipv4.address - # assignments.internal.ipv6.address - # assignments.hi.ipv6.address ]; forward-zones = map (z: "${z}=127.0.0.1:5353") authZones; @@ -73,9 +68,10 @@ in pdns.serviceConfig.RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK"; }; - # For rec_control environment.systemPackages = with pkgs; [ + # For rec_control pdns-recursor + sqlite ]; my.pdns.auth = { @@ -98,6 +94,10 @@ in webserver = true; webserver-address = "::"; webserver-allow-from = [ "127.0.0.1" "::1" ]; + + dnsupdate = true; + launch = [ "gsqlite3" ]; + gsqlite3-database = "/var/lib/pdns/dynamic.sqlite3"; }; bind.zones = @@ -136,6 +136,11 @@ in ns1 IN ALIAS ${elemAt routers 0}.${config.networking.domain}. ns2 IN ALIAS ${elemAt routers 1}.${config.networking.domain}. + dyn IN NS ns1.dyn.h.nul.ie. + dyn IN NS ns2.dyn.h.nul.ie. + ns1.dyn.h.nul.ie. IN ALIAS ${elemAt routers 0}.${config.networking.domain}. + ns2.dyn.h.nul.ie. IN ALIAS ${elemAt routers 1}.${config.networking.domain}. + jim-core IN A ${net.cidr.host 10 prefixes.core.v4} jim IN A ${net.cidr.host 10 prefixes.hi.v4} jim IN AAAA ${net.cidr.host (65536+1) prefixes.hi.v6} diff --git a/nixos/boxes/home/routing-common/kea.nix b/nixos/boxes/home/routing-common/kea.nix new file mode 100644 index 0000000..78b3b54 --- /dev/null 
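Review bot: `dnsupdate = true` turns on RFC 2136 updates for the authoritative server, but nothing in this hunk limits who may send them: the Kea DDNS client added in this commit sends from the routers' core addresses (`net.cidr.host 1`/`2 prefixes.core.v4`, port 5353), which lie outside pdns's default `allow-dnsupdate-from` of 127.0.0.0/8 and ::1, and a source-address check alone lets any host that can reach or impersonate that address rewrite `dyn` records. Set `allow-dnsupdate-from` (or the zone's `ALLOW-DNSUPDATE-FROM` metadata) to exactly those two addresses and pair it with a TSIG key on both sides (`tsig-keys` in the Kea dhcp-ddns settings, `TSIG-ALLOW-DNSUPDATE` metadata on the zone). The `dyn` zone also has to exist in `/var/lib/pdns/dynamic.sqlite3` before any update succeeds and the hunk does not show how it is created, so a comment such as `# the dyn zone lives in the gsqlite3 backend; create it with pu create-zone before first use` would save the next reader a debugging session.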
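Review bot: The four delegation records hard-code `dyn.h.nul.ie.` while the surrounding records build names from `${config.networking.domain}` and kea.nix derives the same zone as `dyn.${domain}`; writing them as `dyn IN NS ns1.dyn.${config.networking.domain}.` (and likewise for ns2 and the two ALIAS glue lines) keeps the three places from drifting apart. Since the glue is ALIAS records pointing at the routers, the delegated zone appears to be served by the same pdns instances as the parent, which is what the gsqlite3 change above sets up; a one-line comment saying so would make the delegation self-explanatory.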
+++ b/nixos/boxes/home/routing-common/kea.nix 
@@ -0,0 +1,141 @@ +index: { lib, pkgs, assignments, ... }: +let + inherit (lib) mkForce; + inherit (lib.my) net; + inherit (lib.my.c.home) domain prefixes vips; + + dns-servers = [ + { + ip-address = net.cidr.host 1 prefixes.core.v4; + port = 5353; + } + { + ip-address = net.cidr.host 2 prefixes.core.v4; + port = 5353; + } + ]; +in +{ + users = with lib.my.c.ids; { + users.kea= { + isSystemUser = true; + uid = uids.kea; + group = "kea"; + }; + groups.kea.gid = gids.kea; + }; + + systemd.services = { + kea-dhcp4-server.serviceConfig.DynamicUser = mkForce false; + kea-dhcp-ddns-server.serviceConfig.DynamicUser = mkForce false; + }; + + services = { + kea = { + dhcp4 = { + enable = true; + settings = { + interfaces-config = { + interfaces = [ + "lan-hi/${assignments.hi.ipv4.address}" + "lan-lo/${assignments.lo.ipv4.address}" + "lan-untrusted/${assignments.untrusted.ipv4.address}" + ]; + }; + lease-database = { + type = "memfile"; + persist = true; + name = "/var/lib/kea/dhcp.leases"; + }; + + option-data = [ + { + name = "domain-name"; + data = domain; + } + { + name = "domain-search"; + data = "${domain}, dyn.${domain}"; + always-send = true; + } + ]; + subnet4 = [ + { + id = 1; + subnet = prefixes.hi.v4; + interface = "lan-hi"; + option-data = [ + { + name = "routers"; + data = vips.hi.v4; + } + { + name = "domain-name-servers"; + data = "${net.cidr.host 1 prefixes.hi.v4}, ${net.cidr.host 2 prefixes.hi.v4}"; + } + ]; + pools = [ + { + pool = "192.168.68.120 - 192.168.71.240"; + } + ]; + reservations = [ + { + # castle + hw-address = "24:8a:07:a8:fe:3a"; + ip-address = net.cidr.host 40 prefixes.hi.v4; + } + ]; + } + { + id = 2; + subnet = prefixes.lo.v4; + interface = "lan-lo"; + option-data = [ + { + name = "routers"; + data = vips.lo.v4; + } + { + name = "domain-name-servers"; + data = "${net.cidr.host 1 prefixes.lo.v4}, ${net.cidr.host 2 prefixes.lo.v4}"; + } + ]; + pools = [ + { + pool = "192.168.72.120 - 192.168.79.240"; + } + ]; + reservations = [ + { + # 
castle + hw-address = "24:8a:07:a8:fe:3a"; + ip-address = net.cidr.host 40 prefixes.lo.v4; + } + ]; + } + ]; + ddns-send-updates = true; + ddns-replace-client-name = "when-not-present"; + ddns-qualifying-suffix = "dyn.${domain}"; + ddns-generated-prefix = "ip"; + ddns-update-on-renew = true; + + dhcp-ddns.enable-updates = true; + }; + }; + + dhcp-ddns = { + enable = true; + settings = { + forward-ddns.ddns-domains = [ + { + name = "dyn.${domain}."; + inherit dns-servers; + } + ]; + }; + }; + }; + }; +} diff --git a/nixos/modules/common.nix b/nixos/modules/common.nix index 44ff590..2eae54a 100644 --- a/nixos/modules/common.nix +++ b/nixos/modules/common.nix @@ -125,7 +125,6 @@ in environment.systemPackages = with pkgs; mkMerge [ [ bash-completion - vim git unzip ] @@ -138,6 +137,7 @@ in fish.enable = mkDefault true; # TODO: This is expecting to look up the channel for the database... command-not-found.enable = mkDefault false; + vim.defaultEditor = true; }; services = { diff --git a/nixos/modules/pdns.nix b/nixos/modules/pdns.nix index ed21133..fc69878 100644 --- a/nixos/modules/pdns.nix +++ b/nixos/modules/pdns.nix @@ -268,6 +268,9 @@ in # For pdns_control etc systemPackages = with pkgs; [ pdns + (pkgs.writeShellScriptBin "pu" '' + ${pdns}/bin/pdnsutil --config-dir /run/pdns "$@" + '') pdns-file-record ]; diff --git a/nixos/modules/tmproot.nix b/nixos/modules/tmproot.nix index 19cc0c6..edf26e7 100644 --- a/nixos/modules/tmproot.nix +++ b/nixos/modules/tmproot.nix @@ -466,6 +466,16 @@ in (mkIf config.virtualisation.libvirtd.enable { my.tmproot.persistence.config.directories = [ "/var/lib/libvirt" ]; }) + (mkIf (with config.services.kea; (dhcp4.enable || dhcp6.enable || dhcp-ddns.enable)) { + my.tmproot.persistence.config.directories = [ + { + directory = "/var/lib/kea"; + mode = "0750"; + user = "kea"; + group = "kea"; + } + ]; + }) ])) ]); diff --git a/nixos/modules/user.nix b/nixos/modules/user.nix index dc8f53d..9f80c55 100644 --- a/nixos/modules/user.nix 
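Review bot: `interfaces-config.interfaces` lists `lan-untrusted/${assignments.untrusted.ipv4.address}`, but `subnet4` only defines the hi (id 1) and lo (id 2) subnets, so requests arriving on lan-untrusted have no matching subnet and are dropped; either add a subnet4 entry for it or remove it from the interface list. The lo reservation for castle (`24:8a:07:a8:fe:3a` → host 40 of prefixes.lo.v4) looks stale, because this same commit removes castle's lan-lo VLAN and assignment. With DynamicUser forced off on both units, confirm they still carry `User`/`Group` of `kea` (the tmproot persistence entry assumes that owner); otherwise the daemons run as root. Because `ddns-replace-client-name` is `when-not-present`, client-supplied hostnames are published under `dyn.${domain}` as received; Kea's `hostname-char-set` and `hostname-char-replacement` settings would sanitize them before they reach DNS.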
+++ b/nixos/modules/user.nix @@ -37,7 +37,8 @@ in extraGroups = [ "wheel" "kvm" "dialout" ] ++ (optional config.networking.networkmanager.enable "networkmanager") ++ - (optional config.virtualisation.libvirtd.enable "libvirtd"); + (optional config.virtualisation.libvirtd.enable "libvirtd") ++ + (optional config.programs.wireshark.enable "wireshark"); password = mkIf (cfg.passwordSecret == null) (mkDefault "hunter2"); shell = let shell = cfg.homeConfig.my.shell;