yggdrasil: implement ospf, nat, name interfaces

flake.lock

@@ -39,11 +39,11 @@
     },
     "secrets": {
       "locked": {
-        "lastModified": 1614162961,
-        "narHash": "sha256-mWZ8TPGmjIh4GYMvUPbMCa7F7UPWzsD0R3B7YOrgvlI=",
+        "lastModified": 1614812093,
+        "narHash": "sha256-ca+4c4t4ALcXhlmrBGLZ+odG8QWGcJTMiyLZUe8gSkY=",
         "ref": "master",
-        "rev": "326cb89e8d82ab9cb5180eb2cedc6ba72ca8a7b8",
-        "revCount": 77,
+        "rev": "169bddfd0cfea16ad74dc95187ca7c3ac40b6a11",
+        "revCount": 78,
         "type": "git",
         "url": "ssh://git@gitea.c3d2.de:2222/c3d2-admins/secrets.git"
       },

flake.nix

@@ -111,6 +111,9 @@
             ./hosts/containers/yggdrasil
             ./lib/lxc-container.nix
             ./lib/users/emery.nix
+            ({ ... }: {
+              nixpkgs.overlays = [ secrets.overlays.ospf ];
+            })
           ];
           system = "x86_64-linux";
         };

hosts/containers/yggdrasil/default.nix

@@ -1,7 +1,8 @@
-{ hostRegistry, ... }:
+{ pkgs, lib, config, hostRegistry, ... }:
 
 let
-  yggAddress = "201:4561:bb58:4dac:5f6a:7b23:44f:a5ef";
+  host = hostRegistry.hosts.yggdrasil;
+  yggAddress = host.ygg;
   yggPrefix = "301:4561:bb58:4dac"; # 301:4561:bb58:4dac::/64
   # taken from the output of "yggdrasilctl getself".
   port = 46823;
@@ -19,16 +20,23 @@ in {
 
   c3d2 = { isInHq = true; };
 
-  networking = let host = hostRegistry.hosts.yggdrasil;
-  in {
+  networking = {
     hostName = "yggdrasil";
     firewall.enable = false;
+    nat = {
+      enable = true;
+      # Provide routing for the house
+      extraCommands = ''
+        ip6tables -t nat -A POSTROUTING ! --src 200::/7 -o ygg -j MASQUERADE
+      '';
+    };
     defaultGateway = "172.20.72.6";
     defaultGateway6 = "2a02:8106:208:5281::b:0";
     # systemd-networkd breaks setting default routes. so sad.
     useNetworkd = pkgs.lib.mkForce false;
     nameservers = [ "172.20.73.8" ];
-    interfaces.eth0 = {
+    interfaces.core = {
+      mtu = 1500;
       ipv4 = {
         addresses = [{
           address = host.ip4;
@@ -41,6 +49,12 @@ in {
             address = host.ip6;
             prefixLength = 64;
           }
+        ];
+      };
+    };
+    interfaces.c3d2 = lib.mkForce {
+      ipv6 = {
+        addresses = [
           {
             address = yggPrefix + "::1";
             prefixLength = 64;
@@ -54,6 +68,7 @@ in {
     enable = true;
     persistentKeys = true;
     config = {
+      IfName = "ygg";
       Listen = [
         "tcp://[::]:${toString port}"
       ];
@@ -77,6 +92,63 @@ in {
     };
   };
 
+  # Get routes on the core network, advertise Yggdrasil routes to ZW core
+  services.bird2 = {
+    enable = true;
+    config = ''
+      protocol kernel K4 {
+        ipv4 {
+          export all;
+        };
+      }
+      protocol kernel K6 {
+        ipv6 {
+          export all;
+        };
+      }
+      protocol device {
+        scan time 10;
+      }
+
+      protocol radv {
+        interface "c3d2" {
+          min ra interval 10;
+          max ra interval 60;
+          prefix ${yggPrefix}/64 {
+            preferred lifetime 20;
+            valid lifetime 60;
+          };
+        };
+      }
+
+      protocol ospf v2 ZW4 {
+        area 0 {
+          networks {
+            172.20.72.0/21;
+          };
+          interface "core" {
+            authentication cryptographic;
+            password "${pkgs.zentralwerk-ospf-message-digest-key}";
+          };
+        };
+      }
+
+      protocol ospf v3 ZW6 {
+        area 0 {
+          networks {
+            fd23:42:c3d2:500::/56;
+            2a02:8106:208:5200::/56;
+            2a02:8106:211:e900::/56;
+          };
+          stubnet 200::/7 {};
+          interface "core" {};
+        };
+      }
+
+      router id ${host.ip4};
+    '';
+  };
+
   services.nginx = {
     enable = true;
     virtualHosts."y.c3d2.de" = {