freifunk: format
This commit is contained in:
parent
6b84687f04
commit
29a78eae42
|
@ -50,7 +50,8 @@ let
|
|||
esac
|
||||
'';
|
||||
|
||||
in {
|
||||
in
|
||||
{
|
||||
imports = [
|
||||
"${modulesPath}/profiles/minimal.nix"
|
||||
];
|
||||
|
@ -71,23 +72,33 @@ in {
|
|||
autoNetSetup = false;
|
||||
};
|
||||
};
|
||||
services.collectd.plugins.protocols = "";
|
||||
|
||||
microvm.interfaces = [{
|
||||
type = "tap";
|
||||
id = "core-freifunk";
|
||||
mac = mac.core;
|
||||
} {
|
||||
}
|
||||
{
|
||||
type = "tap";
|
||||
id = "bmx-freifunk";
|
||||
mac = mac.bmx;
|
||||
}];
|
||||
|
||||
networking.hostName = "freifunk";
|
||||
networking.useNetworkd = true;
|
||||
networking.nameservers = [ "172.20.73.8" "9.9.9.9" ];
|
||||
networking.firewall.enable = false;
|
||||
networking.nat = {
|
||||
networking = {
|
||||
firewall.enable = false;
|
||||
hostName = "freifunk";
|
||||
# Configure rt_table name
|
||||
iproute2 = {
|
||||
enable = true;
|
||||
rttablesExtraConfig = ''
|
||||
${toString rt_table_upstream} upstream
|
||||
${toString rt_table_hosts} bmx_hosts
|
||||
${toString rt_table_nets} bmx_nets
|
||||
${toString rt_table_tuns} bmx_tuns
|
||||
'';
|
||||
};
|
||||
nameservers = [ "172.20.73.8" "9.9.9.9" ];
|
||||
nat = {
|
||||
enable = true;
|
||||
# This doesn't really work, hence the `extraCommands`
|
||||
externalInterface = meshInterface;
|
||||
|
@ -103,15 +114,7 @@ in {
|
|||
set -e
|
||||
'';
|
||||
};
|
||||
# Configure rt_table name
|
||||
networking.iproute2 = {
|
||||
enable = true;
|
||||
rttablesExtraConfig = ''
|
||||
${toString rt_table_upstream} upstream
|
||||
${toString rt_table_hosts} bmx_hosts
|
||||
${toString rt_table_nets} bmx_nets
|
||||
${toString rt_table_tuns} bmx_tuns
|
||||
'';
|
||||
useNetworkd = true;
|
||||
};
|
||||
|
||||
environment.systemPackages = with pkgs; [ tcpdump bmon wireguard-tools iperf bmxd ];
|
||||
|
@ -131,205 +134,9 @@ in {
|
|||
# unbreak wg-vpn6 ingress path
|
||||
boot.kernel.sysctl."net.ipv4.conf.core.rp_filter" = 0;
|
||||
|
||||
systemd.network = {
|
||||
netdevs = {
|
||||
# Dummy interface for primary (10.200) address
|
||||
"10-bmx-prime" = {
|
||||
enable = true;
|
||||
netdevConfig = {
|
||||
Kind = "dummy";
|
||||
Name = meshLoopback;
|
||||
};
|
||||
};
|
||||
# Freifunk Dresden Backbone
|
||||
"31-wg-vpn6" = {
|
||||
enable = true;
|
||||
netdevConfig = {
|
||||
Name = "wg-vpn6";
|
||||
Kind = "wireguard";
|
||||
MTUBytes = "1320";
|
||||
};
|
||||
wireguardConfig = {
|
||||
PrivateKeyFile = config.sops.secrets."wireguard/vpn6/privateKey".path;
|
||||
ListenPort = 5006;
|
||||
# Mark for routing with the upstream routing table
|
||||
FirewallMark = upstreamMark;
|
||||
};
|
||||
wireguardPeers = [ {
|
||||
wireguardPeerConfig = {
|
||||
Endpoint = "vpn-it4r.freifunk-dresden.de:5006";
|
||||
PublicKey = "CIJa7xiRRIrLtEB7uyzwoyaQcpe0b8F2d16+3hk8KjU=";
|
||||
AllowedIPs = "10.203.0.0/16";
|
||||
};
|
||||
} ];
|
||||
};
|
||||
"32-ipip-node51001" = {
|
||||
enable = true;
|
||||
netdevConfig = {
|
||||
Name = "ipip-node51001";
|
||||
Kind = "ipip";
|
||||
};
|
||||
tunnelConfig = {
|
||||
Local = "10.203.${ddmeshAddrPart}";
|
||||
Remote = "10.203.${node51001AddrPart}";
|
||||
};
|
||||
};
|
||||
};
|
||||
links = {
|
||||
# Wired mesh interface
|
||||
"10-bmx" = {
|
||||
enable = true;
|
||||
matchConfig = { MACAddress = mac.bmx; };
|
||||
linkConfig.Name = meshInterface;
|
||||
};
|
||||
# Wired core interface
|
||||
"10-core" = {
|
||||
enable = true;
|
||||
matchConfig = { MACAddress = mac.core; };
|
||||
linkConfig.Name = "core";
|
||||
};
|
||||
};
|
||||
networks = {
|
||||
# Wired mesh interface
|
||||
"10-bmx" = {
|
||||
enable = true;
|
||||
matchConfig = { MACAddress = mac.bmx; };
|
||||
addresses = [{
|
||||
addressConfig = {
|
||||
Address = "10.201.${ddmeshAddrPart}/16";
|
||||
Broadcast = ddmeshBroadcast;
|
||||
};
|
||||
}];
|
||||
routingPolicyRules = [ {
|
||||
routingPolicyRuleConfig = {
|
||||
Priority = 300;
|
||||
To = "10.200.0.0/16";
|
||||
Table = rt_table_hosts;
|
||||
};
|
||||
} ];
|
||||
};
|
||||
# Dummy interface for primary (10.200) address
|
||||
"11-bmx-prime" = {
|
||||
enable = true;
|
||||
matchConfig = { Name = meshLoopback; };
|
||||
addresses = [{
|
||||
addressConfig.Address = "10.200.${ddmeshAddrPart}/32";
|
||||
}];
|
||||
routingPolicyRules = [ {
|
||||
routingPolicyRuleConfig = {
|
||||
Priority = 33000;
|
||||
Table = rt_table_tuns;
|
||||
};
|
||||
} ];
|
||||
};
|
||||
"31-wg-vpn6" = {
|
||||
enable = true;
|
||||
matchConfig.Name = "wg-vpn6";
|
||||
addresses = [{
|
||||
addressConfig.Address = "10.203.${ddmeshAddrPart}/16";
|
||||
}];
|
||||
# reverse dependency
|
||||
networkConfig.Tunnel = [ "ipip-node51001" ];
|
||||
};
|
||||
"32-ipip-node51001" = {
|
||||
enable = true;
|
||||
matchConfig.Name = "ipip-node51001";
|
||||
addresses = [{
|
||||
addressConfig = {
|
||||
Address = "10.201.${ddmeshAddrPart}/16";
|
||||
Broadcast = ddmeshBroadcast;
|
||||
};
|
||||
}];
|
||||
};
|
||||
# ZW
|
||||
"20-core" = {
|
||||
enable = true;
|
||||
matchConfig = { MACAddress = mac.core; };
|
||||
addresses = map (Address: { addressConfig = { inherit Address; }; }) (
|
||||
[
|
||||
"${coreAddress}/${toString core.subnet4Len}"
|
||||
] ++
|
||||
map (hosts6: "${hosts6.${hostName}}/64") (
|
||||
builtins.attrValues core.hosts6
|
||||
)
|
||||
);
|
||||
routingPolicyRules = [ {
|
||||
# Marked wireguard packets take the upstream routing table
|
||||
routingPolicyRuleConfig = {
|
||||
Table = rt_table_upstream;
|
||||
FirewallMark = upstreamMark;
|
||||
};
|
||||
} ];
|
||||
};
|
||||
};
|
||||
};
|
||||
# Freifunk Dresden routing daemon
|
||||
systemd.services.bmxd = {
|
||||
after = [ "systemd-networkd.service" ];
|
||||
wantedBy = [ "network.target" ];
|
||||
serviceConfig = {
|
||||
ExecStart = ''
|
||||
${pkgs.bmxd}/sbin/bmxd \
|
||||
--rt_table_offset=${toString rt_table_hosts} \
|
||||
--no_fork 1 \
|
||||
--throw-rules 0 \
|
||||
--prio-rules 0 \
|
||||
--network 10.200.0.0/16 \
|
||||
--netid 0 \
|
||||
--only_community_gw 1 \
|
||||
--script ${bmxdGatewayScript} \
|
||||
--hop_penalty 1 \
|
||||
--lateness_penalty 10 \
|
||||
--ogm_broadcasts 100 \
|
||||
--udp_data_size 512 \
|
||||
--ogm_interval 5000 \
|
||||
--purge_timeout 35 \
|
||||
-r 3 --gateway_hysteresis 20 \
|
||||
--dev ${meshLoopback} /linklayer 0 \
|
||||
--dev ${meshInterface} /linklayer 1 \
|
||||
--dev ipip-node51001 /linklayer 1
|
||||
'';
|
||||
Restart = "always";
|
||||
RestartSec = "60";
|
||||
};
|
||||
};
|
||||
|
||||
# Re-register periodically
|
||||
systemd.services.ddmesh-register-node = {
|
||||
script = ''
|
||||
${pkgs.curl}/bin/curl -k \
|
||||
-o /tmp/ddmesh-registration.json \
|
||||
'${ddmeshRegisterUrl}?registerkey=${ddmeshRegisterKey}&node=${
|
||||
toString ddmeshNode
|
||||
}'
|
||||
'';
|
||||
serviceConfig = {
|
||||
User = "nobody";
|
||||
Group = "nogroup";
|
||||
};
|
||||
};
|
||||
systemd.timers.ddmesh-register-node = {
|
||||
partOf = [ "ddmesh-register-node.service" ];
|
||||
wantedBy = [ "timers.target" ];
|
||||
timerConfig.OnCalendar = "daily";
|
||||
};
|
||||
|
||||
# Refresh sysinfo.json
|
||||
systemd.services.sysinfo-json = {
|
||||
script = ''
|
||||
${sysinfo-json}/bin/bmxddump.sh
|
||||
mkdir -p /run/nginx
|
||||
${sysinfo-json}/bin/sysinfo-json.cgi > /run/nginx/sysinfo.json
|
||||
'';
|
||||
};
|
||||
systemd.timers.sysinfo-json = {
|
||||
partOf = [ "sysinfo-json.service" ];
|
||||
wantedBy = [ "timers.target" ];
|
||||
timerConfig.OnCalendar = "minutely";
|
||||
};
|
||||
|
||||
services = {
|
||||
# Advertise Freifunk routes to ZW core
|
||||
services.bird2 = {
|
||||
bird2 = {
|
||||
enable = true;
|
||||
# nix-build cannot access /run/secrets/
|
||||
checkConfig = false;
|
||||
|
@ -463,9 +270,10 @@ in {
|
|||
router id ${coreAddress};
|
||||
'';
|
||||
};
|
||||
collectd.plugins.protocols = "";
|
||||
|
||||
# HTTP Reverse Proxy to provide services into Freifunk
|
||||
services.nginx = {
|
||||
nginx = {
|
||||
enable = true;
|
||||
appendHttpConfig = ''
|
||||
proxy_buffering off;
|
||||
|
@ -475,14 +283,16 @@ in {
|
|||
"c3d2.ffdd" = {
|
||||
default = true;
|
||||
root = ./assets;
|
||||
locations = let
|
||||
locations =
|
||||
let
|
||||
sysinfo-json = {
|
||||
alias = "/run/nginx/sysinfo.json";
|
||||
extraConfig = ''
|
||||
default_type "application/json;charset=UTF-8";
|
||||
'';
|
||||
};
|
||||
in {
|
||||
in
|
||||
{
|
||||
"/" = {
|
||||
index = "index.html";
|
||||
extraConfig = ''
|
||||
|
@ -506,6 +316,176 @@ in {
|
|||
"http://grafana.hq.c3d2.de:8086/";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
systemd = {
|
||||
network = {
|
||||
netdevs = {
|
||||
# Dummy interface for primary (10.200) address
|
||||
"10-bmx-prime" = {
|
||||
enable = true;
|
||||
netdevConfig = {
|
||||
Kind = "dummy";
|
||||
Name = meshLoopback;
|
||||
};
|
||||
};
|
||||
# Freifunk Dresden Backbone
|
||||
"31-wg-vpn6" = {
|
||||
enable = true;
|
||||
netdevConfig = {
|
||||
Name = "wg-vpn6";
|
||||
Kind = "wireguard";
|
||||
MTUBytes = "1320";
|
||||
};
|
||||
wireguardConfig = {
|
||||
PrivateKeyFile = config.sops.secrets."wireguard/vpn6/privateKey".path;
|
||||
ListenPort = 5006;
|
||||
# Mark for routing with the upstream routing table
|
||||
FirewallMark = upstreamMark;
|
||||
};
|
||||
wireguardPeers = [{
|
||||
wireguardPeerConfig = {
|
||||
Endpoint = "vpn-it4r.freifunk-dresden.de:5006";
|
||||
PublicKey = "CIJa7xiRRIrLtEB7uyzwoyaQcpe0b8F2d16+3hk8KjU=";
|
||||
AllowedIPs = "10.203.0.0/16";
|
||||
};
|
||||
}];
|
||||
};
|
||||
"32-ipip-node51001" = {
|
||||
enable = true;
|
||||
netdevConfig = {
|
||||
Name = "ipip-node51001";
|
||||
Kind = "ipip";
|
||||
};
|
||||
tunnelConfig = {
|
||||
Local = "10.203.${ddmeshAddrPart}";
|
||||
Remote = "10.203.${node51001AddrPart}";
|
||||
};
|
||||
};
|
||||
};
|
||||
links = {
|
||||
# Wired mesh interface
|
||||
"10-bmx" = {
|
||||
enable = true;
|
||||
matchConfig = { MACAddress = mac.bmx; };
|
||||
linkConfig.Name = meshInterface;
|
||||
};
|
||||
# Wired core interface
|
||||
"10-core" = {
|
||||
enable = true;
|
||||
matchConfig = { MACAddress = mac.core; };
|
||||
linkConfig.Name = "core";
|
||||
};
|
||||
};
|
||||
networks = {
|
||||
# Wired mesh interface
|
||||
"10-bmx" = {
|
||||
enable = true;
|
||||
matchConfig = { MACAddress = mac.bmx; };
|
||||
addresses = [{
|
||||
addressConfig = {
|
||||
Address = "10.201.${ddmeshAddrPart}/16";
|
||||
Broadcast = ddmeshBroadcast;
|
||||
};
|
||||
}];
|
||||
routingPolicyRules = [{
|
||||
routingPolicyRuleConfig = {
|
||||
Priority = 300;
|
||||
To = "10.200.0.0/16";
|
||||
Table = rt_table_hosts;
|
||||
};
|
||||
}];
|
||||
};
|
||||
# Dummy interface for primary (10.200) address
|
||||
"11-bmx-prime" = {
|
||||
enable = true;
|
||||
matchConfig = { Name = meshLoopback; };
|
||||
addresses = [{
|
||||
addressConfig.Address = "10.200.${ddmeshAddrPart}/32";
|
||||
}];
|
||||
routingPolicyRules = [{
|
||||
routingPolicyRuleConfig = {
|
||||
Priority = 33000;
|
||||
Table = rt_table_tuns;
|
||||
};
|
||||
}];
|
||||
};
|
||||
"31-wg-vpn6" = {
|
||||
enable = true;
|
||||
matchConfig.Name = "wg-vpn6";
|
||||
addresses = [{
|
||||
addressConfig.Address = "10.203.${ddmeshAddrPart}/16";
|
||||
}];
|
||||
# reverse dependency
|
||||
networkConfig.Tunnel = [ "ipip-node51001" ];
|
||||
};
|
||||
"32-ipip-node51001" = {
|
||||
enable = true;
|
||||
matchConfig.Name = "ipip-node51001";
|
||||
addresses = [{
|
||||
addressConfig = {
|
||||
Address = "10.201.${ddmeshAddrPart}/16";
|
||||
Broadcast = ddmeshBroadcast;
|
||||
};
|
||||
}];
|
||||
};
|
||||
# ZW
|
||||
"20-core" = {
|
||||
enable = true;
|
||||
matchConfig = { MACAddress = mac.core; };
|
||||
addresses = map (Address: { addressConfig = { inherit Address; }; }) (
|
||||
[
|
||||
"${coreAddress}/${toString core.subnet4Len}"
|
||||
] ++
|
||||
map (hosts6: "${hosts6.${hostName}}/64") (
|
||||
builtins.attrValues core.hosts6
|
||||
)
|
||||
);
|
||||
routingPolicyRules = [{
|
||||
# Marked wireguard packets take the upstream routing table
|
||||
routingPolicyRuleConfig = {
|
||||
Table = rt_table_upstream;
|
||||
FirewallMark = upstreamMark;
|
||||
};
|
||||
}];
|
||||
};
|
||||
};
|
||||
};
|
||||
# Re-register periodically
|
||||
services.ddmesh-register-node = {
|
||||
script = ''
|
||||
${pkgs.curl}/bin/curl -k \
|
||||
-o /tmp/ddmesh-registration.json \
|
||||
'${ddmeshRegisterUrl}?registerkey=${ddmeshRegisterKey}&node=${
|
||||
toString ddmeshNode
|
||||
}'
|
||||
'';
|
||||
serviceConfig = {
|
||||
User = "nobody";
|
||||
Group = "nogroup";
|
||||
};
|
||||
};
|
||||
|
||||
timers.ddmesh-register-node = {
|
||||
partOf = [ "ddmesh-register-node.service" ];
|
||||
wantedBy = [ "timers.target" ];
|
||||
timerConfig.OnCalendar = "daily";
|
||||
};
|
||||
|
||||
# Refresh sysinfo.json
|
||||
services.sysinfo-json = {
|
||||
script = ''
|
||||
${sysinfo-json}/bin/bmxddump.sh
|
||||
mkdir -p /run/nginx
|
||||
${sysinfo-json}/bin/sysinfo-json.cgi > /run/nginx/sysinfo.json
|
||||
'';
|
||||
};
|
||||
timers.sysinfo-json = {
|
||||
partOf = [ "sysinfo-json.service" ];
|
||||
wantedBy = [ "timers.target" ];
|
||||
timerConfig.OnCalendar = "minutely";
|
||||
};
|
||||
};
|
||||
|
||||
# This value determines the NixOS release with which your system is to be
|
||||
# compatible, in order to avoid breaking some software such as database
|
||||
|
|