freifunk: format

This commit is contained in:
Sandro - 2023-09-15 22:54:36 +02:00
parent 6b84687f04
commit 29a78eae42
Signed by: sandro
GPG Key ID: 3AF5A43A3EECC2E5
1 changed files with 368 additions and 388 deletions


@ -50,7 +50,8 @@ let
esac
'';
in {
in
{
imports = [
"${modulesPath}/profiles/minimal.nix"
];
@ -71,23 +72,33 @@ in {
autoNetSetup = false;
};
};
services.collectd.plugins.protocols = "";
microvm.interfaces = [{
type = "tap";
id = "core-freifunk";
mac = mac.core;
} {
}
{
type = "tap";
id = "bmx-freifunk";
mac = mac.bmx;
}];
networking.hostName = "freifunk";
networking.useNetworkd = true;
networking.nameservers = [ "172.20.73.8" "9.9.9.9" ];
networking.firewall.enable = false;
networking.nat = {
networking = {
firewall.enable = false;
hostName = "freifunk";
# Configure rt_table name
iproute2 = {
enable = true;
rttablesExtraConfig = ''
${toString rt_table_upstream} upstream
${toString rt_table_hosts} bmx_hosts
${toString rt_table_nets} bmx_nets
${toString rt_table_tuns} bmx_tuns
'';
};
nameservers = [ "172.20.73.8" "9.9.9.9" ];
nat = {
enable = true;
# This doesn't really work, hence the `extraCommands`
externalInterface = meshInterface;
@ -103,15 +114,7 @@ in {
set -e
'';
};
# Configure rt_table name
networking.iproute2 = {
enable = true;
rttablesExtraConfig = ''
${toString rt_table_upstream} upstream
${toString rt_table_hosts} bmx_hosts
${toString rt_table_nets} bmx_nets
${toString rt_table_tuns} bmx_tuns
'';
useNetworkd = true;
};
environment.systemPackages = with pkgs; [ tcpdump bmon wireguard-tools iperf bmxd ];
@ -131,205 +134,9 @@ in {
# unbreak wg-vpn6 ingress path
boot.kernel.sysctl."net.ipv4.conf.core.rp_filter" = 0;
systemd.network = {
netdevs = {
# Dummy interface for primary (10.200) address
"10-bmx-prime" = {
enable = true;
netdevConfig = {
Kind = "dummy";
Name = meshLoopback;
};
};
# Freifunk Dresden Backbone
"31-wg-vpn6" = {
enable = true;
netdevConfig = {
Name = "wg-vpn6";
Kind = "wireguard";
MTUBytes = "1320";
};
wireguardConfig = {
PrivateKeyFile = config.sops.secrets."wireguard/vpn6/privateKey".path;
ListenPort = 5006;
# Mark for routing with the upstream routing table
FirewallMark = upstreamMark;
};
wireguardPeers = [ {
wireguardPeerConfig = {
Endpoint = "vpn-it4r.freifunk-dresden.de:5006";
PublicKey = "CIJa7xiRRIrLtEB7uyzwoyaQcpe0b8F2d16+3hk8KjU=";
AllowedIPs = "10.203.0.0/16";
};
} ];
};
"32-ipip-node51001" = {
enable = true;
netdevConfig = {
Name = "ipip-node51001";
Kind = "ipip";
};
tunnelConfig = {
Local = "10.203.${ddmeshAddrPart}";
Remote = "10.203.${node51001AddrPart}";
};
};
};
links = {
# Wired mesh interface
"10-bmx" = {
enable = true;
matchConfig = { MACAddress = mac.bmx; };
linkConfig.Name = meshInterface;
};
# Wired core interface
"10-core" = {
enable = true;
matchConfig = { MACAddress = mac.core; };
linkConfig.Name = "core";
};
};
networks = {
# Wired mesh interface
"10-bmx" = {
enable = true;
matchConfig = { MACAddress = mac.bmx; };
addresses = [{
addressConfig = {
Address = "10.201.${ddmeshAddrPart}/16";
Broadcast = ddmeshBroadcast;
};
}];
routingPolicyRules = [ {
routingPolicyRuleConfig = {
Priority = 300;
To = "10.200.0.0/16";
Table = rt_table_hosts;
};
} ];
};
# Dummy interface for primary (10.200) address
"11-bmx-prime" = {
enable = true;
matchConfig = { Name = meshLoopback; };
addresses = [{
addressConfig.Address = "10.200.${ddmeshAddrPart}/32";
}];
routingPolicyRules = [ {
routingPolicyRuleConfig = {
Priority = 33000;
Table = rt_table_tuns;
};
} ];
};
"31-wg-vpn6" = {
enable = true;
matchConfig.Name = "wg-vpn6";
addresses = [{
addressConfig.Address = "10.203.${ddmeshAddrPart}/16";
}];
# reverse dependency
networkConfig.Tunnel = [ "ipip-node51001" ];
};
"32-ipip-node51001" = {
enable = true;
matchConfig.Name = "ipip-node51001";
addresses = [{
addressConfig = {
Address = "10.201.${ddmeshAddrPart}/16";
Broadcast = ddmeshBroadcast;
};
}];
};
# ZW
"20-core" = {
enable = true;
matchConfig = { MACAddress = mac.core; };
addresses = map (Address: { addressConfig = { inherit Address; }; }) (
[
"${coreAddress}/${toString core.subnet4Len}"
] ++
map (hosts6: "${hosts6.${hostName}}/64") (
builtins.attrValues core.hosts6
)
);
routingPolicyRules = [ {
# Marked wireguard packets take the upstream routing table
routingPolicyRuleConfig = {
Table = rt_table_upstream;
FirewallMark = upstreamMark;
};
} ];
};
};
};
# Freifunk Dresden routing daemon
systemd.services.bmxd = {
after = [ "systemd-networkd.service" ];
wantedBy = [ "network.target" ];
serviceConfig = {
ExecStart = ''
${pkgs.bmxd}/sbin/bmxd \
--rt_table_offset=${toString rt_table_hosts} \
--no_fork 1 \
--throw-rules 0 \
--prio-rules 0 \
--network 10.200.0.0/16 \
--netid 0 \
--only_community_gw 1 \
--script ${bmxdGatewayScript} \
--hop_penalty 1 \
--lateness_penalty 10 \
--ogm_broadcasts 100 \
--udp_data_size 512 \
--ogm_interval 5000 \
--purge_timeout 35 \
-r 3 --gateway_hysteresis 20 \
--dev ${meshLoopback} /linklayer 0 \
--dev ${meshInterface} /linklayer 1 \
--dev ipip-node51001 /linklayer 1
'';
Restart = "always";
RestartSec = "60";
};
};
# Re-register periodically
systemd.services.ddmesh-register-node = {
script = ''
${pkgs.curl}/bin/curl -k \
-o /tmp/ddmesh-registration.json \
'${ddmeshRegisterUrl}?registerkey=${ddmeshRegisterKey}&node=${
toString ddmeshNode
}'
'';
serviceConfig = {
User = "nobody";
Group = "nogroup";
};
};
systemd.timers.ddmesh-register-node = {
partOf = [ "ddmesh-register-node.service" ];
wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = "daily";
};
# Refresh sysinfo.json
systemd.services.sysinfo-json = {
script = ''
${sysinfo-json}/bin/bmxddump.sh
mkdir -p /run/nginx
${sysinfo-json}/bin/sysinfo-json.cgi > /run/nginx/sysinfo.json
'';
};
systemd.timers.sysinfo-json = {
partOf = [ "sysinfo-json.service" ];
wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = "minutely";
};
services = {
# Advertise Freifunk routes to ZW core
services.bird2 = {
bird2 = {
enable = true;
# nix-build cannot access /run/secrets/
checkConfig = false;
@ -463,9 +270,10 @@ in {
router id ${coreAddress};
'';
};
collectd.plugins.protocols = "";
# HTTP Reverse Proxy to provide services into Freifunk
services.nginx = {
nginx = {
enable = true;
appendHttpConfig = ''
proxy_buffering off;
@ -475,14 +283,16 @@ in {
"c3d2.ffdd" = {
default = true;
root = ./assets;
locations = let
locations =
let
sysinfo-json = {
alias = "/run/nginx/sysinfo.json";
extraConfig = ''
default_type "application/json;charset=UTF-8";
'';
};
in {
in
{
"/" = {
index = "index.html";
extraConfig = ''
@ -506,6 +316,176 @@ in {
"http://grafana.hq.c3d2.de:8086/";
};
};
};
systemd = {
network = {
netdevs = {
# Dummy interface for primary (10.200) address
"10-bmx-prime" = {
enable = true;
netdevConfig = {
Kind = "dummy";
Name = meshLoopback;
};
};
# Freifunk Dresden Backbone
"31-wg-vpn6" = {
enable = true;
netdevConfig = {
Name = "wg-vpn6";
Kind = "wireguard";
MTUBytes = "1320";
};
wireguardConfig = {
PrivateKeyFile = config.sops.secrets."wireguard/vpn6/privateKey".path;
ListenPort = 5006;
# Mark for routing with the upstream routing table
FirewallMark = upstreamMark;
};
wireguardPeers = [{
wireguardPeerConfig = {
Endpoint = "vpn-it4r.freifunk-dresden.de:5006";
PublicKey = "CIJa7xiRRIrLtEB7uyzwoyaQcpe0b8F2d16+3hk8KjU=";
AllowedIPs = "10.203.0.0/16";
};
}];
};
"32-ipip-node51001" = {
enable = true;
netdevConfig = {
Name = "ipip-node51001";
Kind = "ipip";
};
tunnelConfig = {
Local = "10.203.${ddmeshAddrPart}";
Remote = "10.203.${node51001AddrPart}";
};
};
};
links = {
# Wired mesh interface
"10-bmx" = {
enable = true;
matchConfig = { MACAddress = mac.bmx; };
linkConfig.Name = meshInterface;
};
# Wired core interface
"10-core" = {
enable = true;
matchConfig = { MACAddress = mac.core; };
linkConfig.Name = "core";
};
};
networks = {
# Wired mesh interface
"10-bmx" = {
enable = true;
matchConfig = { MACAddress = mac.bmx; };
addresses = [{
addressConfig = {
Address = "10.201.${ddmeshAddrPart}/16";
Broadcast = ddmeshBroadcast;
};
}];
routingPolicyRules = [{
routingPolicyRuleConfig = {
Priority = 300;
To = "10.200.0.0/16";
Table = rt_table_hosts;
};
}];
};
# Dummy interface for primary (10.200) address
"11-bmx-prime" = {
enable = true;
matchConfig = { Name = meshLoopback; };
addresses = [{
addressConfig.Address = "10.200.${ddmeshAddrPart}/32";
}];
routingPolicyRules = [{
routingPolicyRuleConfig = {
Priority = 33000;
Table = rt_table_tuns;
};
}];
};
"31-wg-vpn6" = {
enable = true;
matchConfig.Name = "wg-vpn6";
addresses = [{
addressConfig.Address = "10.203.${ddmeshAddrPart}/16";
}];
# reverse dependency
networkConfig.Tunnel = [ "ipip-node51001" ];
};
"32-ipip-node51001" = {
enable = true;
matchConfig.Name = "ipip-node51001";
addresses = [{
addressConfig = {
Address = "10.201.${ddmeshAddrPart}/16";
Broadcast = ddmeshBroadcast;
};
}];
};
# ZW
"20-core" = {
enable = true;
matchConfig = { MACAddress = mac.core; };
addresses = map (Address: { addressConfig = { inherit Address; }; }) (
[
"${coreAddress}/${toString core.subnet4Len}"
] ++
map (hosts6: "${hosts6.${hostName}}/64") (
builtins.attrValues core.hosts6
)
);
routingPolicyRules = [{
# Marked wireguard packets take the upstream routing table
routingPolicyRuleConfig = {
Table = rt_table_upstream;
FirewallMark = upstreamMark;
};
}];
};
};
};
# Re-register periodically
services.ddmesh-register-node = {
script = ''
${pkgs.curl}/bin/curl -k \
-o /tmp/ddmesh-registration.json \
'${ddmeshRegisterUrl}?registerkey=${ddmeshRegisterKey}&node=${
toString ddmeshNode
}'
'';
serviceConfig = {
User = "nobody";
Group = "nogroup";
};
};
timers.ddmesh-register-node = {
partOf = [ "ddmesh-register-node.service" ];
wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = "daily";
};
# Refresh sysinfo.json
services.sysinfo-json = {
script = ''
${sysinfo-json}/bin/bmxddump.sh
mkdir -p /run/nginx
${sysinfo-json}/bin/sysinfo-json.cgi > /run/nginx/sysinfo.json
'';
};
timers.sysinfo-json = {
partOf = [ "sysinfo-json.service" ];
wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = "minutely";
};
};
# This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database