From ceea71c77a3dfe7861befb8d53f88c1dadf730ae Mon Sep 17 00:00:00 2001
From: arcnmx
Date: Tue, 9 Sep 2025 05:24:17 -0700
Subject: [PATCH] fix(meiling): netmask
---
 ci/systems.json | 6 +-
 modules/system/network/networks.nix | 4 +-
 modules/system/proxmox/network.nix | 8 +-
 nixos/int.nix | 3 +-
 systems/ct-meiling/nixos.nix | 2 +-
 systems/meiling/default.nix | 6 +-
 systems/meiling/sysctl.50-net.conf | 1 +
 tf/proxmox_meiling.tf | 112 ++++++++++++++++++++++++++++
 tf/proxmox_provider.tf | 1 +
 tf/terraform.tfvars.sops | 15 ++--
 10 files changed, 137 insertions(+), 21 deletions(-)
 create mode 100644 tf/proxmox_meiling.tf
diff --git a/ci/systems.json b/ci/systems.json
index b0e1ce0f..5346ec5f 100644
--- a/ci/systems.json
+++ b/ci/systems.json
@@ -349,12 +349,12 @@
 "networks": {
 "global": {
 "address4": "49.12.128.117",
- "address6": null,
+ "address6": "2a01:4f8:242:598d::4",
 "macAddress": null
 },
 "int": {
- "address4": "10.9.1.4",
- "address6": "fd0c::4",
+ "address4": "10.9.2.4",
+ "address6": "fd0c:0:0:2::4",
 "macAddress": null
 },
 "local": null,
diff --git a/modules/system/network/networks.nix b/modules/system/network/networks.nix
index 7bd5be12..008ab1fb 100644
--- a/modules/system/network/networks.nix
+++ b/modules/system/network/networks.nix
@@ -19,7 +19,9 @@
 enable = true;
 prefix = "fd0a:";
 };
- int.slaac.prefix = "fd0c:";
+ int.slaac.prefix =
+ if systemConfig.proxmox.node.name == "meiling" then "fd0c:0:0:2:"
+ else "fd0c:";
 global.domain = systemConfig.access.domain;
 };
 in {
diff --git a/modules/system/proxmox/network.nix b/modules/system/proxmox/network.nix
index 3aeaf1b4..8114d6ca 100644
--- a/modules/system/proxmox/network.nix
+++ b/modules/system/proxmox/network.nix
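Review bot: The new `int.slaac.prefix` picks its value by comparing `systemConfig.proxmox.node.name` with the literal `"meiling"`, and modules/system/proxmox/network.nix repeats the same comparison to choose `int4_24`, so a node's internal v4 and v6 ranges are decided in two unrelated places that can drift apart. A single per-node option carrying both prefixes, set once in the meiling system config and read by both sites, would keep them coupled; nixos/int.nix already follows that pattern by reading the option rather than the hostname. The option's value has also become an implicit format contract — trailing `:` and no `::` — because its consumers append `:${UInt.toHexLower index}/64` and `:/64`, so the option description should state it, e.g. `Prefix written as "hhhh:hhhh:" (trailing colon, no "::"); consumers append the host part.`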
@@ -180,8 +180,12 @@ in { name = mkIf systemConfig.proxmox.container.enable (mkAlmostOptionDefault "eth9"); bridge = mkAlmostOptionDefault "vmbr9"; - address4 = mkAlmostOptionDefault "10.9.1.${toString index}/24"; - address6 = mkAlmostOptionDefault "fd0c::${UInt.toHexLower index}/64"; + address4 = let + int4_24 = + if systemConfig.proxmox.node.name == "meiling" then "10.9.2" + else "10.9.1"; + in mkAlmostOptionDefault "${int4_24}.${toString index}/24"; + address6 = mkAlmostOptionDefault "${systemConfig.network.networks.int.slaac.prefix}:${UInt.toHexLower index}/64"; macAddress = mkIf (systemConfig.proxmox.network.interfaces.net0.macAddress or null != null && hasPrefix "BC:24:11:" systemConfig.proxmox.network.interfaces.net0.macAddress) (mkAlmostOptionDefault ( replaceStrings ["BC:24:11:"] ["BC:24:19:"] systemConfig.proxmox.network.interfaces.net0.macAddress )); diff --git a/nixos/int.nix b/nixos/int.nix index a116c536..5edd13dd 100644 --- a/nixos/int.nix +++ b/nixos/int.nix @@ -1,6 +1,7 @@ { lib, access, + systemConfig, ... }: let inherit (lib.modules) mkDefault; @@ -21,7 +22,7 @@ in { }; ipv6Prefixes = [ { - Prefix = "fd0c::/64"; + Prefix = "${systemConfig.network.networks.int.slaac.prefix}:/64"; Assign = true; Token = config.ipv6AcceptRAConfig.Token; } diff --git a/systems/ct-meiling/nixos.nix b/systems/ct-meiling/nixos.nix index 7c7341d2..a3a04a07 100644 --- a/systems/ct-meiling/nixos.nix +++ b/systems/ct-meiling/nixos.nix @@ -26,7 +26,7 @@ [IPv6Prefix] AddressAutoconfiguration=false - Prefix=fd0c::/64 + Prefix=fd0c:0:0:2::/64 Assign=true [IPv6AcceptRA] diff --git a/systems/meiling/default.nix b/systems/meiling/default.nix index 0ba67aea..37eda78b 100644 --- a/systems/meiling/default.nix +++ b/systems/meiling/default.nix 
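Review bot: `Prefix=fd0c:0:0:2::/64` in systems/ct-meiling/nixos.nix is a hand-written copy of the prefix that nixos/int.nix now derives from `int.slaac.prefix`, and tf/proxmox_meiling.tf adds two more copies in `meiling_int_prefix4` and `meiling_int_prefix6`; a later renumbering that misses the networkd literal would leave the container advertising a different /64 than the host routes. If the option is reachable from this file, interpolating it into the unit text as int.nix does removes the copy; otherwise a comment pointing at the canonical definition, `# keep in sync with int.slaac.prefix (modules/system/network/networks.nix)`, at least names it. The enclosing networkd unit string starts and ends outside the hunk.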
@@ -15,15 +15,15 @@
 network.networks = {
 global = {
 address4 = "49.12.128.117";
- address6 = null;
+ address6 = "2a01:4f8:242:598d::4";
 };
 local = {
 inherit (config.network.networks.global) address4;
 address6 = null;
 };
 int = {
- address4 = "10.9.1.4";
- address6 = "fd0c::4";
+ address4 = "10.9.2.4";
+ address6 = "fd0c:0:0:2::4";
 };
 tail = {
 address4 = "100.67.99.30";
diff --git a/systems/meiling/sysctl.50-net.conf b/systems/meiling/sysctl.50-net.conf
index 4064f6db..83e0f6bb 100644
--- a/systems/meiling/sysctl.50-net.conf
+++ b/systems/meiling/sysctl.50-net.conf
@@ -1,4 +1,5 @@
 net.ipv4.ping_group_range=0 2147483647
+net.ipv4.ip_forward=1
 # https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes
 net.core.rmem_max=2500000
 net.core.wmem_max=2500000
diff --git a/tf/proxmox_meiling.tf b/tf/proxmox_meiling.tf
new file mode 100644
index 00000000..e0d456a1
--- /dev/null
+++ b/tf/proxmox_meiling.tf
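Review bot: `net.ipv4.ip_forward=1` enables forwarding on every interface of the meiling host, and nothing in this commit adds or references a forward policy, so unless one already exists elsewhere the host will relay between its public interface (`49.12.128.117`) and the new `10.9.2.0/24` bridge for any peer that can reach it. A comment naming what the setting is for and where the filtering lives would make that reviewable, e.g. `# routing for the proxmox int bridge (vmbr9); forward policy: <firewall module>`. The v6 counterpart is not set even though the same commit gives the host a global address and a routed `fd0c:0:0:2::/64`, so either `net.ipv6.conf.all.forwarding` is handled elsewhere or container v6 depends on something this change does not show — worth confirming.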
@@ -0,0 +1,112 @@
+locals {
+ meiling_int_prefix4 = "10.9.2.0/24"
+ meiling_int_prefix6 = "fd0c:0:0:2::/64"
+ meiling_int_offset = 32
+ meiling_int_addr4 = local.systems.meiling.network.networks.int.address4
+ #meiling_int_bridge = proxmox_virtual_environment_network_linux_bridge.meiling_internal.name
+ meiling_int_bridge = "vmbr9"
+
+ proxmox_meiling_connection = {
+ type = "ssh"
+ user = var.proxmox_meiling_ssh_username
+ password = var.proxmox_meiling_password
+ host = var.proxmox_meiling_ssh_host
+ port = var.proxmox_meiling_ssh_port
+ }
+
+ proxmox_meiling_users = jsondecode(file("${path.root}/../systems/meiling/users.json"))
+ proxmox_meiling_systems = jsondecode(file("${path.root}/../systems/meiling/systems.json"))
+ proxmox_meiling_extern = jsondecode(file("${path.root}/../systems/meiling/extern.json"))
+
+ proxmox_meiling_files = [
+ for dest, file in local.proxmox_meiling_extern.files : merge(
+ file,
+ {
+ dest = dest
+ path = "${path.root}/../${file.source}"
+ }
+ )
+ ]
+}
+
+variable "proxmox_meiling_endpoint" {
+ type = string
+}
+
+variable "proxmox_meiling_username" {
+ type = string
+}
+
+variable "proxmox_meiling_password" {
+ type = string
+ sensitive = true
+}
+
+variable "proxmox_meiling_ssh_username" {
+ type = string
+}
+
+variable "proxmox_meiling_ssh_host" {
+ type = string
+}
+
+variable "proxmox_meiling_ssh_port" {
+ type = number
+}
+
+provider "proxmox" {
+ alias = "meiling"
+ endpoint = var.proxmox_meiling_endpoint
+ username = var.proxmox_meiling_username
+ password = var.proxmox_meiling_password
+
+ ssh {
+ username = var.proxmox_meiling_ssh_username
+ node {
+ name = "meiling"
+ address = var.proxmox_meiling_ssh_host
+ port = var.proxmox_meiling_ssh_port
+ }
+ }
+}
+
+resource "terraform_data" "proxmox_meiling_etc" {
+ triggers_replace = [for file in local.proxmox_meiling_files : {
+ dest = file.dest
+ sh256 = filesha256(file.path)
+ }]
+
+ connection {
+ type = local.proxmox_meiling_connection.type
+ user = local.proxmox_meiling_connection.user
+ password = local.proxmox_meiling_connection.password
+ host = local.proxmox_meiling_connection.host
+ port = local.proxmox_meiling_connection.port
+ }
+
+ provisioner "remote-exec" {
+ inline = [for file in local.proxmox_meiling_files : "putfile64 ${file.dest} ${filebase64(file.path)}"]
+ }
+}
+
+resource "terraform_data" "proxmox_meiling_users" {
+ triggers_replace = {
+ users = local.proxmox_meiling_users
+ }
+
+ connection {
+ type = local.proxmox_meiling_connection.type
+ user = local.proxmox_meiling_connection.user
+ password = local.proxmox_meiling_connection.password
+ host = local.proxmox_meiling_connection.host
+ port = local.proxmox_meiling_connection.port
+ }
+
+ provisioner "remote-exec" {
+ inline = [for user in local.proxmox_meiling_users :
+ "mkpam '${user.name}' '${user.uid}'"
+ ]
+ }
+}
+
+# datasource "proxmox_virtual_environment_network_linux_bridge" "meiling_internal" ?
diff --git a/tf/proxmox_provider.tf b/tf/proxmox_provider.tf
index f083e860..f4a5a7eb 100644
--- a/tf/proxmox_provider.tf
+++ b/tf/proxmox_provider.tf
@@ -8,6 +8,7 @@ variable "proxmox_reisen_username" { variable "proxmox_reisen_password" { type = string + sensitive = true } variable "proxmox_reisen_ssh_username" {
diff --git a/tf/terraform.tfvars.sops b/tf/terraform.tfvars.sops
index b613b4a7..51ba7179 100644
--- a/tf/terraform.tfvars.sops
+++ b/tf/terraform.tfvars.sops
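Review bot: Both `connection` blocks in tf/proxmox_meiling.tf authenticate with `proxmox_meiling_password` to `var.proxmox_meiling_ssh_host` without a `host_key`, so the provisioners send that password to whatever answers at the address on first contact; the ssh connection type accepts `host_key = …`, and pinning it (via a new `proxmox_meiling_ssh_host_key` variable) in both `terraform_data` resources closes that gap. The `remote-exec` commands also splice JSON-sourced values into a shell line: `putfile64 ${file.dest} …` is unquoted, and `mkpam '${user.name}' '${user.uid}'` holds only until a value contains a single quote, so a `lifecycle { precondition { … } }` checking `dest` and `name` against a conservative character class would make the trust placed in extern.json and users.json explicit. Minor: the `sh256` trigger key reads like a typo for `sha256`, and `meiling_int_prefix4`, `meiling_int_prefix6`, `meiling_int_offset`, `meiling_int_addr4` and `proxmox_meiling_systems` have no reader in this file, which may be intended if they are consumed elsewhere.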
@@ -1,14 +1,9 @@ { - "data": "ENC[AES256_GCM,data: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,iv:1J+7Bz7U/O0koWhjDh5zWtGoL8nXATSc+DnyUxQzJXA=,tag:ot3RxgLj+TakFdA7t6Gfzw==,type:str]", + "data": "ENC[AES256_GCM,data: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,iv:wM7d3b7iXqtXTY7ovZxkaEqJO7QnOOyCIagMSG3xAag=,tag:y4zNIpWtdWNO3WTyHz4e2g==,type:str]", "sops": { "shamir_threshold": 1, - "kms": null, - "gcp_kms": null, - "azure_kv": null, - "hc_vault": null, - "age": null, - "lastmodified": "2024-09-05T20:26:36Z", - "mac": "ENC[AES256_GCM,data:xZPZX1+Qs8kCfiivQN1fXJsMJxOTF6kDEYeAjomjgnhp6LYLev5cmn50Bs70U7VZCd5LCm+RlHbbWH85Ju3gWYb543y5X6dRcfhZTM7zA0HKwP0GHJBS2DPqDRo+GFMOXNv9ypIgEpcciQ8y6XxQa5aBSv98tZj2ME15n4+RwP4=,iv:r48PeNiDVaMx/h4OfsxRJXDZCn5eoHebXgak0RcYkx4=,tag:F1NgmNs+CWr7lHiunK7lMg==,type:str]", + "lastmodified": "2025-09-09T12:11:57Z", + "mac": "ENC[AES256_GCM,data:TcGrJdClV6uxdsW77fNOFrrE6Fu0W0EQyJm87SPqpgnibBl8MBpo9ajVfytAlcTm9DazaHH02G1qZIXeaHlp7XVdcQGIs1bWDjtb5A4BJVfIYUWCETeCV08O11JMk4Zj4ovaqcjub33k5Cyhc4xMZUxW5qo34TNnqrqgj8ozh8A=,iv:Q5R0j1Xx/t95AKC9P0k6bm+V9zJSyS5cXzdxCEBIS0Q=,tag:PX6LtutcUy4G7tugssbC5A==,type:str]", "pgp": [ { "created_at": "2024-01-14T19:49:29Z", @@ -22,6 +17,6 @@ } ], "unencrypted_suffix": "_unencrypted", - "version": "3.9.0" + "version": "3.10.2" } -} \ No newline at end of file +}