diff --git a/flake.lock b/flake.lock
index dfb01914..07f8963d 100644
--- a/flake.lock
+++ b/flake.lock
@@ -39,11 +39,11 @@
 },
 "secrets": {
 "locked": {
- "lastModified": 1614162961,
- "narHash": "sha256-mWZ8TPGmjIh4GYMvUPbMCa7F7UPWzsD0R3B7YOrgvlI=",
+ "lastModified": 1614812093,
+ "narHash": "sha256-ca+4c4t4ALcXhlmrBGLZ+odG8QWGcJTMiyLZUe8gSkY=",
 "ref": "master",
- "rev": "326cb89e8d82ab9cb5180eb2cedc6ba72ca8a7b8",
- "revCount": 77,
+ "rev": "169bddfd0cfea16ad74dc95187ca7c3ac40b6a11",
+ "revCount": 78,
 "type": "git",
 "url": "ssh://git@gitea.c3d2.de:2222/c3d2-admins/secrets.git"
 },
diff --git a/flake.nix b/flake.nix
index 28af8066..abe139e6 100644
--- a/flake.nix
+++ b/flake.nix
@@ -111,6 +111,9 @@
 ./hosts/containers/yggdrasil
 ./lib/lxc-container.nix
 ./lib/users/emery.nix
+ ({ ... }: {
+ nixpkgs.overlays = [ secrets.overlays.ospf ];
+ })
 ];
 system = "x86_64-linux";
 };
diff --git a/hosts/containers/yggdrasil/default.nix b/hosts/containers/yggdrasil/default.nix
index ae7347a9..efa95ea2 100644
--- a/hosts/containers/yggdrasil/default.nix
+++ b/hosts/containers/yggdrasil/default.nix
@@ -1,7 +1,8 @@
-{ hostRegistry, ... }:
+{ pkgs, lib, config, hostRegistry, ... }:
 
 let
- yggAddress = "201:4561:bb58:4dac:5f6a:7b23:44f:a5ef";
+ host = hostRegistry.hosts.yggdrasil;
+ yggAddress = host.ygg;
 yggPrefix = "301:4561:bb58:4dac"; # 301:4561:bb58:4dac::/64
 # taken from the output of "yggdrasilctl getself".
 port = 46823;
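Review bot: The wrapper `({ ... }: { nixpkgs.overlays = [ secrets.overlays.ospf ]; })` takes no module arguments, so the plain attribute set `{ nixpkgs.overlays = [ secrets.overlays.ospf ]; }` is the shorter idiomatic form for an inline module. The overlay comes from the private `secrets` input and its contents are not reviewable here; a one-line comment stating what it is expected to provide (presumably the `pkgs.zentralwerk-ospf-message-digest-key` attribute consumed by the bird2 config in `hosts/containers/yggdrasil/default.nix`) would tell the next reader why this container, and only this one, gets it, e.g. `# provides the OSPF MD5 key used by this container's bird2 config`.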
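Review bot: `config` is added to the argument set on the `{ pkgs, lib, config, hostRegistry, ... }:` line but none of the hunks in this commit reference it; if the rest of the file does not either, drop it from the pattern so the module's inputs stay honest. With `lib` now in scope, the existing `useNetworkd = pkgs.lib.mkForce false;` line in the next hunk could become `useNetworkd = lib.mkForce false;` for consistency with the new `interfaces.c3d2 = lib.mkForce { … }`. Since `yggAddress = host.ygg;` now depends on the registry entry exposing a `ygg` attribute, a short comment above it naming that source (`# Yggdrasil address of this host, maintained in hostRegistry`) would replace the documentation value of the removed literal. The `let` block continues past the end of this hunk.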
@@ -19,16 +20,23 @@ in {
 c3d2 = {
 isInHq = true;
 };
- networking = let host = hostRegistry.hosts.yggdrasil;
- in {
+ networking = {
 hostName = "yggdrasil";
 firewall.enable = false;
+ nat = {
+ enable = true;
+ # Provide routing for the house
+ extraCommands = ''
+ ip6tables -t nat -A POSTROUTING ! --src 200::/7 -o ygg -j MASQUERADE
+ '';
+ };
 defaultGateway = "172.20.72.6";
 defaultGateway6 = "2a02:8106:208:5281::b:0";
 # systemd-networkd breaks setting default routes. so sad.
 useNetworkd = pkgs.lib.mkForce false;
 nameservers = [ "172.20.73.8" ];
- interfaces.eth0 = {
+ interfaces.core = {
+ mtu = 1500;
 ipv4 = {
 addresses = [{
 address = host.ip4;
@@ -41,6 +49,12 @@ in {
 address = host.ip6;
 prefixLength = 64;
 }
+ ];
+ };
+ };
+ interfaces.c3d2 = lib.mkForce {
+ ipv6 = {
+ addresses = [
 {
 address = yggPrefix + "::1";
 prefixLength = 64;
@@ -54,6 +68,7 @@ in {
 enable = true;
 persistentKeys = true;
 config = {
+ IfName = "ygg";
 Listen = [
 "tcp://[::]:${toString port}"
 ];
@@ -77,6 +92,63 @@ in {
 };
 };
 
+ # Get routes on the core network, advertise Yggdrasil routes to ZW core
+ services.bird2 = {
+ enable = true;
+ config = ''
+ protocol kernel K4 {
+ ipv4 {
+ export all;
+ };
+ }
+ protocol kernel K6 {
+ ipv6 {
+ export all;
+ };
+ }
+ protocol device {
+ scan time 10;
+ }
+
+ protocol radv {
+ interface "c3d2" {
+ min ra interval 10;
+ max ra interval 60;
+ prefix ${yggPrefix}/64 {
+ preferred lifetime 20;
+ valid lifetime 60;
+ };
+ };
+ }
+
+ protocol ospf v2 ZW4 {
+ area 0 {
+ networks {
+ 172.20.72.0/21;
+ };
+ interface "core" {
+ authentication cryptographic;
+ password "${pkgs.zentralwerk-ospf-message-digest-key}";
+ };
+ };
+ }
+
+ protocol ospf v3 ZW6 {
+ area 0 {
+ networks {
+ fd23:42:c3d2:500::/56;
+ 2a02:8106:208:5200::/56;
+ 2a02:8106:211:e900::/56;
+ };
+ stubnet 200::/7 {};
+ interface "core" {};
+ };
+ }
+
+ router id ${host.ip4};
+ '';
+ };
+
 services.nginx = {
 enable = true;
 virtualHosts."y.c3d2.de" = {
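Review bot: The `ip6tables … -j MASQUERADE` rule under `nat.extraCommands` is IPv6-only, but `nat.enable = true;` by itself, as I read the NixOS NAT module, turns on only the IPv4 forwarding sysctls and only flushes the IPv4 nat table; unless something outside these hunks enables `net.ipv6.conf.all.forwarding`, the `# Provide routing for the house` intent will not forward IPv6 at all, and the appended rule can accumulate duplicates across NAT service restarts because nothing flushes the ip6tables nat table. Adding `enableIPv6 = true;` next to `enable = true;` would address both, and is worth verifying against the module version actually deployed. `-o ygg` also hard-codes the interface name that `IfName = "ygg"` sets in a later hunk of this file; a single `let` binding used in both places would keep them from drifting apart. Note that with `firewall.enable = false;` these rules run in the standalone nat service rather than inside the firewall unit, so a comment stating that this host is deliberately an unfiltered router would help the next reader.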
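Review bot: `interfaces.c3d2 = lib.mkForce { ipv6 = { … } }` discards every other module's definition of `interfaces.c3d2` rather than merging into it; the flake.nix hunk shows this container also imports `./lib/lxc-container.nix`, which is presumably where the original definition comes from, so any IPv4 addresses or other settings it carried are silently dropped. If only the address list is meant to change, forcing the narrower path `interfaces.c3d2.ipv6.addresses = lib.mkForce [ … ];` keeps the rest of the interface definition intact; if replacing the whole interface is intended, a comment such as `# replace the container default: this host is the router for ${yggPrefix}::/64` would make that explicit. The interface block continues past the end of this hunk.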
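Review bot: `password "${pkgs.zentralwerk-ospf-message-digest-key}"` interpolates the OSPF MD5 key into `services.bird2.config`, which NixOS renders to a world-readable file in the Nix store, so (assuming the overlay defines that attribute as a plain string) every local user and every machine that receives this closure can read the key. Keeping it out of the store means placing the key in a root-only file at activation time and pulling it in with BIRD's `include "<path-to-deployed-key-file>";` directive inside the `interface "core"` stanza; if that is out of scope for this commit, at least a comment next to the `password` line acknowledging the exposure is needed. Separately, `ZW6`'s `interface "core" {};` carries no `authentication` stanza while `ZW4` does; if the deployed BIRD version supports OSPFv3 authentication it should mirror `ZW4`, otherwise a comment (`# OSPFv3 unauthenticated: relies on link-layer trust on "core"`) would make the asymmetry deliberate rather than an oversight.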