freifunk: add vpn6 ipip tunnel

hosts/containers/freifunk/default.nix

@@ -18,6 +18,8 @@ let
   upstreams = [ "upstream4" "upstream3" "upstream1" ];
   upstreamMark = 3;
   rt_table_upstream = 100;
+
+  vpn6AddrPart = "200.16";
 in {
   imports = [
     "${modulesPath}/profiles/minimal.nix"
@@ -84,7 +86,7 @@ in {
   systemd.network = {
     netdevs = {
       # Dummy interface for primary (10.200) address
-      bmx_prime = {
+      bmx-prime = {
         enable = true;
         netdevConfig = {
           Kind = "bridge";
@@ -92,10 +94,10 @@ in {
         };
       };
       # Freifunk Dresden Backbone
-      vpn6 = {
+      wg-vpn6 = {
         enable = true;
         netdevConfig = {
-          Name = "vpn6";
+          Name = "wg-vpn6";
           Kind = "wireguard";
         };
         wireguardConfig = {
@@ -108,10 +110,21 @@ in {
           wireguardPeerConfig = {
             Endpoint = "vpn4.freifunk-dresden.de:5007";
             PublicKey = "7R3K3rGtCZprgqz5/iWql4yLg9BrsaNiv5XQwJ7csn4=";
-            AllowedIPs = "0.0.0.0/0";
+            AllowedIPs = "10.203.${vpn6AddrPart}/32";
           };
         } ];
       };
+      ipip-vpn6 = {
+        enable = true;
+        netdevConfig = {
+          Name = "ipip-vpn6";
+          Kind = "ipip";
+        };
+        tunnelConfig = {
+          Local = "10.203.${ddmeshAddrPart}";
+          Remote = "10.203.${vpn6AddrPart}";
+        };
+      };
     };
     networks = {
       # Wired mesh interface
@@ -119,10 +132,7 @@ in {
         enable = true;
         matchConfig = { Name = meshInterface; };
         addresses = [{
-          addressConfig = {
+          addressConfig.Address = "10.201.${ddmeshAddrPart}/16";
-            Address = "10.201.${ddmeshAddrPart}/16";
-            Broadcast = "10.255.255.255";
-          };
         }];
       };
       # Dummy interface for primary (10.200) address
@@ -130,20 +140,24 @@ in {
         enable = true;
         matchConfig = { Name = meshLoopback; };
         addresses = [{
-          addressConfig = {
+          addressConfig.Address = "10.200.${ddmeshAddrPart}/32";
-            Address = "10.200.${ddmeshAddrPart}/32";
-            Broadcast = "10.255.255.255";
-          };
         }];
       };
-      "12-vpn6" = {
+      "31-wg-vpn6" = {
         enable = true;
-        matchConfig.Name = "vpn6";
+        matchConfig.Name = "wg-vpn6";
         addresses = [{
-          addressConfig = {
+          addressConfig.Address = "10.203.${ddmeshAddrPart}/32";
-            Address = "10.203.${ddmeshAddrPart}/16";
+        }];
-            Broadcast = "10.203.255.255";
+        routes = [ {
-          };
+          routeConfig.Destination = "10.203.${vpn6AddrPart}/32";
+        } ];
+      };
+      "32-ipip-vpn6" = {
+        enable = true;
+        matchConfig.Name = "ipip-vpn6";
+        addresses = [{
+          addressConfig.Address = "10.201.${ddmeshAddrPart}/16";
         }];
       };
       # ZW
@@ -183,8 +197,9 @@ in {
           --purge_timeout 20 \
           --one_way_tunnel 1 \
           -r 3 --gateway_hysteresis 20 \
-          dev=bmx_prime /linklayer 0 \
+          dev=${meshLoopback} /linklayer 0 \
-          dev=${meshInterface} /linklayer 1
+          dev=${meshInterface} /linklayer 1 \
+          dev=ipip-vpn6 /linklayer 1
       '';
       Restart = "always";
     };