# xlab-gateway DHCP + DDNS + radvd
# Kea DHCPv4/v6 on bond.lan254, DDNS forwarding to BIND9 at 10.0.0.1:5353
{ config, pkgs, ... }:
{
# ===========================================================================
# Kea DHCPv4
# ===========================================================================
services.kea.dhcp4 = let
  gateway = "10.253.254.1";
  nameserver = "10.0.0.1";
  domain = "dev.skyw.top";
  # RFC 3442 wire encoding of two routes, shared by options 121 and 249:
  #   10 0A00 0AFDFE01  -> 10.0.0.0/16 via 10.253.254.1
  #   00      0AFDFE01  -> 0.0.0.0/0   via 10.253.254.1
  classlessRoutes = "100A000AFDFE01000AFDFE01";
in {
  enable = true;
  settings = {
    interfaces-config = { interfaces = [ "bond.lan254" ]; };
    lease-database = {
      type = "memfile";
      name = "/var/lib/kea/kea-leases4.csv";
      persist = true;
      lfc-interval = 3600;
    };
    expired-leases-processing = {
      reclaim-timer-wait-time = 10;
      flush-reclaimed-timer-wait-time = 25;
      hold-reclaimed-time = 3600;
      max-reclaim-leases = 100;
      max-reclaim-time = 250;
    };
    # 24h leases; clients renew (T1) at 6h and rebind (T2) at 12h.
    valid-lifetime = 86400;
    renew-timer = 21600;
    rebind-timer = 43200;
    # Server-wide options; the subnet below repeats some of them explicitly.
    option-data = [
      { name = "routers"; data = gateway; }
      { name = "domain-name-servers"; data = nameserver; }
      { name = "domain-name"; data = domain; }
      { name = "domain-search"; data = domain; }
    ];
    subnet4 = [
      {
        id = 1;
        subnet = "10.253.254.0/24";
        pools = [ { pool = "10.253.254.100 - 10.253.254.240"; } ];
        option-data = [
          { name = "subnet-mask"; data = "255.255.255.0"; }
          { name = "routers"; data = gateway; }
          { name = "domain-name-servers"; data = nameserver; }
          # Option 121 (classless static routes). Clients implementing RFC 3442
          # ignore option 3 when 121 is present, so "routers" above only matters
          # for clients that do not.
          { code = 121; csv-format = false; data = classlessRoutes; }
          # Option 249: Microsoft's pre-standard copy of the same route list.
          { code = 249; csv-format = false; data = classlessRoutes; }
        ];
        reservations = [ ];
      }
    ];
    # Register leases in the forward zone through the local D2 daemon.
    # Client-requested hostnames are what gets registered; Kea's DHCID-based
    # conflict resolution is left at its default here — NOTE(review): confirm it
    # is enabled so one client cannot overwrite another's name.
    ddns-send-updates = true;
    ddns-qualifying-suffix = "dev.skyw.top.";
    dhcp-ddns = {
      enable-updates = true;
      max-queue-size = 1024;
      ncr-protocol = "UDP";
      ncr-format = "JSON";
      # Must match the D2 listener (services.kea.dhcp-ddns: 127.0.0.1:53001).
      sender-ip = "127.0.0.1";
      sender-port = 0;
      server-ip = "127.0.0.1";
      server-port = 53001;
    };
  };
};
# ===========================================================================
# Kea DHCPv6
# ===========================================================================
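services.kea.dhcp6 = {
  enable = true;
  settings = {
    interfaces-config.interfaces = [ "bond.lan254" ];
    lease-database = {
      type = "memfile";
      name = "/var/lib/kea/kea-leases6.csv";
      persist = true;
      lfc-interval = 3600;
    };
    expired-leases-processing = {
      reclaim-timer-wait-time = 10;
      flush-reclaimed-timer-wait-time = 25;
      hold-reclaimed-time = 3600;
      max-reclaim-leases = 100;
      max-reclaim-time = 250;
    };
    # 24h valid / 20h preferred; T1 at 6h, T2 at 12h.
    valid-lifetime = 86400;
    preferred-lifetime = 72000;
    renew-timer = 21600;
    rebind-timer = 43200;
    subnet6 = [
      {
        id = 1;
        subnet = "fd99:23eb:1682:1::/64";
        pools = [
          { pool = "fd99:23eb:1682:1::100 - fd99:23eb:1682:1::ffff"; }
        ];
        option-data = [
          { name = "dns-servers"; data = "fd99:23eb:1682::1"; }
          { name = "domain-search"; data = "dev.skyw.top"; }
        ];
      }
    ];
    # Register leases in the forward/reverse zones through the local D2 daemon.
    ddns-send-updates = true;
    ddns-qualifying-suffix = "dev.skyw.top.";
    dhcp-ddns = {
      enable-updates = true;
      max-queue-size = 1024;
      ncr-protocol = "UDP";
      ncr-format = "JSON";
      # D2 (services.kea.dhcp-ddns) binds only 127.0.0.1:53001, so the NCRs must
      # go over IPv4 loopback too. With "::1" here nothing is listening and every
      # DHCPv6 DDNS update is silently lost; the NCR transport is independent of
      # the DHCP protocol version being served.
      sender-ip = "127.0.0.1";
      sender-port = 0;
      server-ip = "127.0.0.1";
      server-port = 53001;
    };
  };
};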
# ===========================================================================
# Kea DHCP-DDNS (D2) - Forwards DNS updates to BIND9
# ===========================================================================
services.kea.dhcp-ddns = let
  # The BIND9 primary that receives every update, forward and reverse alike.
  bind9 = [ { ip-address = "10.0.0.1"; port = 5353; } ];
  keyName = "edge-ddns-key";
  # One managed zone, signed with the shared TSIG key and sent to BIND9.
  zone = name: {
    inherit name;
    key-name = keyName;
    dns-servers = bind9;
  };
in {
  enable = true;
  settings = {
    # Loopback-only listener; both DHCP servers must send their NCRs here.
    ip-address = "127.0.0.1";
    port = 53001;
    tsig-keys = [
      {
        name = keyName;
        algorithm = "HMAC-SHA256";
        # TODO: Move TSIG secret to agenix.
        # Everything in this file is copied into the world-readable Nix store,
        # so any local user can read this key and push arbitrary records into
        # the zones below. Once it is moved out, rotate the key on the BIND9
        # side as well — the value here has to be treated as disclosed.
        secret = "qq+zsTGsWG4ENW9mazyE3/JFKhsUiUR1ex4geYv8OIo=";
      }
    ];
    forward-ddns.ddns-domains = [ (zone "dev.skyw.top.") ];
    reverse-ddns.ddns-domains = [
      (zone "10.in-addr.arpa.")
      # Reverse zone for fd99:23eb:1682::/48.
      (zone "2.8.6.1.b.e.3.2.9.9.d.f.ip6.arpa.")
    ];
  };
};
# ===========================================================================
# radvd - IPv6 Router Advertisements
# ===========================================================================
services.radvd = {
enable = true;
# M flag off / O flag on with AdvAutonomous on: hosts self-assign addresses by
# SLAAC and only ask DHCPv6 for options (DNS, domain search).
# NOTE(review): the Kea dhcp6 pool configured above is presumably unused by
# SLAAC hosts, and without leases Kea has nothing to register via DDNS for
# them — confirm this is intended, or set AdvManagedFlag on for stateful v6.
# RDNSS advertises the same resolver the DHCPv6 dns-servers option hands out.
config = ''
interface bond.lan254 {
AdvSendAdvert on;
AdvManagedFlag off;
AdvOtherConfigFlag on;
MinRtrAdvInterval 30;
MaxRtrAdvInterval 100;
prefix fd99:23eb:1682:1::/64 {
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr on;
};
RDNSS fd99:23eb:1682::1 {
AdvRDNSSLifetime 3600;
};
};
'';
};
}