freifunk: setup all the correct details
This commit is contained in:
parent
d589cba320
commit
c3792f16ce
@ -1,7 +1,16 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
|
||||
let
|
||||
coreAddress = "172.20.72.40";
|
||||
corePrefixlen = 26;
|
||||
meshInterface = "bmx";
|
||||
meshLoopback = "bmx_prime";
|
||||
ddmeshRegisterUrl = "https://register.freifunk-dresden.de/bot.php";
|
||||
secrets = import <secrets/hosts/freifunk>;
|
||||
ddmeshRegisterKey = secrets.ddmeshRegisterKey;
|
||||
ddmeshNode = 51073;
|
||||
ddmeshAddrPart = "200.74";
|
||||
rt_table = 7;
|
||||
in {
|
||||
imports = [
|
||||
<nixpkgs/nixos/modules/profiles/minimal.nix>
|
||||
|
@ -13,30 +22,72 @@ in {
|
|||
c3d2 = {
|
||||
isInHq = false;
|
||||
enableHail = false;
|
||||
hq.statistics.enable = true;
|
||||
};
|
||||
|
||||
networking.hostName = "freifunk";
|
||||
networking.useNetworkd = true;
|
||||
networking.nameservers = [ "172.20.73.8" "9.9.9.9" ];
|
||||
networking.firewall.enable = false;
|
||||
networking.nat = {
|
||||
enable = true;
|
||||
externalInterface = meshInterface;
|
||||
#internalInterfaces = [ "core" ];
|
||||
extraCommands = ''
|
||||
set +e
|
||||
${pkgs.iproute}/bin/ip rule add to 10.200.0.0/16 table bmx priority 300
|
||||
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING \
|
||||
\! --source 10.200.0.0/15 -o ${meshInterface} -j SNAT --to 10.200.${ddmeshAddrPart}
|
||||
set -e
|
||||
'';
|
||||
};
|
||||
networking.iproute2 = {
|
||||
enable = true;
|
||||
rttablesExtraConfig = "${toString rt_table} bmx";
|
||||
};
|
||||
|
||||
# Required for krops
|
||||
services.openssh.enable = true;
|
||||
environment.systemPackages = with pkgs; [ git tcpdump ];
|
||||
|
||||
systemd.network.networks = {
|
||||
"10-bmx" = {
|
||||
enable = true;
|
||||
matchConfig = { Name = meshInterface; };
|
||||
networkConfig = {
|
||||
Address = "10.200.0.15/16";
|
||||
systemd.network = {
|
||||
netdevs = {
|
||||
bmx_prime = {
|
||||
enable = true;
|
||||
netdevConfig = {
|
||||
Kind = "bridge";
|
||||
Name = meshLoopback;
|
||||
};
|
||||
};
|
||||
};
|
||||
"20-core" = {
|
||||
enable = true;
|
||||
matchConfig = { Name = "core"; };
|
||||
networkConfig = {
|
||||
Address = "172.20.72.40/26";
|
||||
Gateway = "172.20.72.7";
|
||||
networks = {
|
||||
"10-bmx" = {
|
||||
enable = true;
|
||||
matchConfig = { Name = meshInterface; };
|
||||
addresses = [ {
|
||||
addressConfig = {
|
||||
Address = "10.201.${ddmeshAddrPart}/16";
|
||||
Broadcast = "10.255.255.255";
|
||||
};
|
||||
} ];
|
||||
};
|
||||
"11-bmx-loopback" = {
|
||||
enable = true;
|
||||
matchConfig = { Name = meshLoopback; };
|
||||
addresses = [ {
|
||||
addressConfig = {
|
||||
Address = "10.200.${ddmeshAddrPart}/16";
|
||||
Broadcast = "10.255.255.255";
|
||||
};
|
||||
} ];
|
||||
};
|
||||
"20-core" = {
|
||||
enable = true;
|
||||
matchConfig = { Name = "core"; };
|
||||
networkConfig = {
|
||||
Address = "${coreAddress}/${toString corePrefixlen}";
|
||||
Gateway = "172.20.72.7";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
@ -47,10 +98,64 @@ in {
|
|||
after = [ "systemd-networkd.service" ];
|
||||
wantedBy = [ "network.target" ];
|
||||
serviceConfig = {
|
||||
ExecStart = "${bmxd}/sbin/bmxd --no_fork 1 --throw-rules 0 --prio-rules 0 dev=${meshInterface} /linklayer 0";
|
||||
ExecStart = ''
|
||||
${bmxd}/sbin/bmxd \
|
||||
--rt_table_offset=${toString rt_table} \
|
||||
--no_fork 1 \
|
||||
--throw-rules 0 \
|
||||
--prio-rules 0 \
|
||||
dev=bmx_prime /linklayer 0 \
|
||||
dev=${meshInterface} /linklayer 1
|
||||
'';
|
||||
Restart = "always";
|
||||
};
|
||||
};
|
||||
systemd.services.ddmesh-register-node = {
|
||||
script = ''
|
||||
${pkgs.curl}/bin/curl \
|
||||
-o /tmp/ddmesh-registration.json \
|
||||
'${ddmeshRegisterUrl}?registerkey=${ddmeshRegisterKey}&node=${toString ddmeshNode}'
|
||||
'';
|
||||
serviceConfig = {
|
||||
User = "nobody";
|
||||
Group = "nogroup";
|
||||
};
|
||||
};
|
||||
systemd.timers.ddmesh-register-node = {
|
||||
partOf = [ "ddmesh-register-node.service" ];
|
||||
wantedBy = [ "timers.target" ];
|
||||
timerConfig.OnCalendar = "daily";
|
||||
};
|
||||
|
||||
services.bird2 = {
|
||||
enable = true;
|
||||
config = ''
|
||||
protocol kernel {
|
||||
ipv4 {
|
||||
export all;
|
||||
};
|
||||
}
|
||||
protocol device {
|
||||
scan time 10;
|
||||
}
|
||||
|
||||
protocol ospf ZW4 {
|
||||
ipv4;
|
||||
area 0 {
|
||||
networks {
|
||||
172.20.72.0/21;
|
||||
};
|
||||
stubnet 10.200.0.0/16;
|
||||
interface "core" {
|
||||
authentication cryptographic;
|
||||
password "${import <secrets/shared/ospf/message-digest-key.nix>}";
|
||||
};
|
||||
};
|
||||
}
|
||||
|
||||
router id ${coreAddress};
|
||||
'';
|
||||
};
|
||||
|
||||
# This value determines the NixOS release with which your system is to be
|
||||
# compatible, in order to avoid breaking some software such as database
|
||||
|
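Review bot: The registration key is expanded straight into the service script at `'${ddmeshRegisterUrl}?registerkey=${ddmeshRegisterKey}&node=${toString ddmeshNode}'`, so it ends up in the world-readable Nix store and in the curl process's argv (visible in `ps` and the journal), and the OSPF password interpolated into the bird2 config a few lines further down has the same exposure; importing from `<secrets/...>` at evaluation time, as the first hunk does, does not keep the value out of the store. The key should be provisioned as a file outside the store and read at run time, for example with `LoadCredential=` and curl's `--data-urlencode name@file`, as sketched below; the bird2 password would need an equivalent runtime mechanism. Separately, `dev=bmx_prime /linklayer 0 \` in the bmxd ExecStart hard-codes the name that `meshLoopback` already holds, so `dev=${meshLoopback} /linklayer 0 \` keeps the netdev and the daemon in sync. The NAT `extraCommands` in the second hunk wrap the `ip rule add` and SNAT insertion in `set +e`/`set -e`, which means a failed SNAT rule goes unnoticed while the firewall is disabled; consider checking that command's status instead. The enclosing module attribute set opens in the first hunk and closes outside this one.
```nix
systemd.services.ddmesh-register-node = {
  script = ''
    ${pkgs.curl}/bin/curl \
      -o /tmp/ddmesh-registration.json \
      --get \
      --data-urlencode "registerkey@$CREDENTIALS_DIRECTORY/registerkey" \
      --data-urlencode "node=${toString ddmeshNode}" \
      '${ddmeshRegisterUrl}'
  '';
  serviceConfig = {
    # PLACEHOLDER path: key file provisioned outside the Nix store, no trailing newline
    LoadCredential = "registerkey:/PLACEHOLDER/ddmesh-registerkey";
    # … unchanged: User / Group …
  };
};
```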
|
2
secrets
2
secrets
|
@ -1 +1 @@
|
|||
Subproject commit 35a994c6ea2f2720e8ec045ea1369163ea69a35f
|
||||
Subproject commit 8f732b652a03432da81ed67aa9d968d6842ed0b4
|