From 1c3f45785083bed9271cd1c83ef803a3426cf48a Mon Sep 17 00:00:00 2001 From: Astro Date: Tue, 22 Mar 2022 21:52:48 +0100 Subject: [PATCH] freifunk: add upstreams through separate table --- hosts/containers/freifunk/default.nix | 84 ++++++++++++++++++++++----- 1 file changed, 71 insertions(+), 13 deletions(-) diff --git a/hosts/containers/freifunk/default.nix b/hosts/containers/freifunk/default.nix index 97d180ac..40afcc56 100644 --- a/hosts/containers/freifunk/default.nix +++ b/hosts/containers/freifunk/default.nix @@ -2,7 +2,8 @@ let inherit (zentralwerk.lib.config.site.net) core; - coreAddress = core.hosts4.${config.networking.hostName}; + inherit (config.networking) hostName; + coreAddress = core.hosts4.${hostName}; meshInterface = "bmx"; meshLoopback = "bmx_prime"; ddmeshRegisterUrl = "https://register.freifunk-dresden.de/bot.php"; @@ -13,6 +14,10 @@ let rt_table_nets = rt_table_hosts + 1; rt_table_tuns = rt_table_hosts + 2; sysinfo-json = import ./sysinfo-json.nix { inherit pkgs ddmeshNode; }; + + upstreams = [ "upstream4" "upstream3" "upstream1" ]; + upstreamMark = 3; + rt_table_upstream = 100; in { imports = [ "${modulesPath}/profiles/minimal.nix" @@ -61,6 +66,7 @@ in { networking.iproute2 = { enable = true; rttablesExtraConfig = '' + ${toString rt_table_upstream} upstream ${toString rt_table_hosts} bmx_hosts ${toString rt_table_nets} bmx_nets ${toString rt_table_tuns} bmx_tuns 
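Review bot: `upstreamMark = 3` and `rt_table_upstream = 100` are bare magic numbers with nothing in this patch tying them to the WireGuard side: the policy rule introduced further down matches `FirewallMark = upstreamMark`, so the value has to equal the `FwMark=` configured on the WireGuard transport netdev (not visible here), and a mismatch silently leaves the tunnel transport on the main table instead of failing loudly. The table number must also stay clear of `rt_table_hosts`..`rt_table_tuns`, whose base value is defined outside this hunk, or the `rttablesExtraConfig` entries will alias each other. I would pin both with a comment next to the definitions: `# upstreamMark must equal FwMark= of the WireGuard transport netdev; rt_table_upstream must not collide with rt_table_hosts/nets/tuns above`. The enclosing `let` block starts before the hunk.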
@@ -105,21 +111,35 @@ in { }; }]; }; + "12-vpn6" = { + enable = true; + matchConfig.Name = "vpn6"; + addresses = [{ + addressConfig = { + Address = "10.203.${ddmeshAddrPart}/16"; + Broadcast = "10.203.255.255"; + }; + }]; + }; # ZW "20-core" = { enable = true; matchConfig = { Name = "core"; }; - addresses = map (Address: { addressConfig = { inherit Address; }; }) [ - "${coreAddress}/${toString core.subnet4Len}" - "2a00:8180:2c00:281:8000::1/64" - "fd23:42:c3d2:581:8000::1/64" - ]; - # routes = map (Gateway: { routeConfig = { inherit Gateway; }; }) [ - # # upstream1 - # "2a00:8180:2c00:281::b:0" - # # anon1 - # "172.20.72.7" - # ]; + addresses = map (Address: { addressConfig = { inherit Address; }; }) ( + [ + "${coreAddress}/${toString core.subnet4Len}" + ] ++ + map (hosts6: "${hosts6.${hostName}}/64") ( + builtins.attrValues core.hosts6 + ) + ); + routingPolicyRules = [ { + # Marked wireguard packets take the upstream routing table + routingPolicyRuleConfig = { + Table = rt_table_upstream; + FirewallMark = upstreamMark; + }; + } ]; }; }; }; @@ -187,6 +207,17 @@ in { export all; }; } + # BIRD routing table for Wireguard transport + ipv4 table upstream4_table; + + # Kernel routing table for Wireguard transport + protocol kernel upstream4 { + kernel table ${toString rt_table_upstream}; + ipv4 { + export all; + table upstream4_table; + }; + } protocol kernel K6 { ipv6 { export all; @@ -225,6 +256,8 @@ in { area 0 { stubnet 10.200.0.0/15; interface "core" { + hello 10; + wait 20; authentication cryptographic; password "${pkgs.zentralwerk-ospf-message-digest-key}"; }; @@ -236,7 +269,9 @@ in { export where net = 0.0.0.0/0; }; area 0 { - interface "core" instance 6 { + interface "core" instance ${toString zentralwerk.lib.config.site.hosts.freifunk.ospf.upstreamInstance} { + hello 10; + wait 20; authentication cryptographic; password "${pkgs.zentralwerk-ospf-message-digest-key}"; }; 
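Review bot: The new `routingPolicyRules` entry on `20-core` sets no `Priority=`, so its position relative to the bmx_hosts/bmx_nets/bmx_tuns rules (configured outside this hunk) is left to kernel insertion order, and the `upstream` table gets no fallback route: when none of the upstream OSPF instances supplies a default, a marked WireGuard packet falls through to the main table and, if that holds the mesh default route, the tunnel transport is sent into the mesh it is meant to carry. I would give the rule an explicit `Priority = …;` ordered ahead of the bmx rules and add a catch-all `routes = [{ routeConfig = { Destination = "0.0.0.0/0"; Type = "unreachable"; Table = rt_table_upstream; Metric = 4294967295; }; }];` so the lookup fails closed, provided BIRD's kernel protocol leaves routes it did not install alone. Separately, `map (hosts6: "${hosts6.${hostName}}/64") (builtins.attrValues core.hosts6)` aborts evaluation on a missing attribute if any prefix in `core.hosts6` has no entry for this host; `builtins.filter (hosts6: hosts6 ? ${hostName})` before the map would skip such prefixes instead.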
@@ -249,12 +284,35 @@ in { }; area 0 { interface "core" { + hello 10; + wait 20; authentication cryptographic; password "${pkgs.zentralwerk-ospf-message-digest-key}"; }; }; } + ${lib.concatStrings (lib.imap0 (i: upstream: '' + # OSPFv2 to receive a default route from ${upstream} + protocol ospf v2 ZW4_${upstream} { + ipv4 { + import filter { + preference = preference + ${toString (200 - i)}; + accept; + }; + table upstream4_table; + }; + area 0 { + interface "core" instance ${toString zentralwerk.lib.config.site.hosts.${upstream}.ospf.upstreamInstance} { + hello 10; + wait 20; + authentication cryptographic; + password "${pkgs.zentralwerk-ospf-message-digest-key}"; + }; + }; + }; + '') upstreams)} + router id ${coreAddress}; ''; };
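Review bot: The generated import filter accepts every route each upstream's OSPF instance advertises, although the comment says the protocols exist "to receive a default route" and the IPv6 counterpart above already restricts itself with `export where net = 0.0.0.0/0`. Whatever prefix an upstream injects — including mesh or core prefixes — therefore lands in `upstream4_table`, is exported to kernel table `upstream` and steers the fwmarked WireGuard transport, so a misconfigured or compromised upstream can redirect it. Restrict the filter to the default route by making `if net != 0.0.0.0/0 then reject;` the first statement of the `import filter { … }` block. The preference bump `200 - i` only orders the configured upstreams among themselves, which is worth stating on the `upstreams` list: `# most preferred first; entry i gets its OSPF preference raised by 200 - i`.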