freifunk: setup all the correct details

2020-04-12 03:34:10 +02:00 · 2020-04-12 03:34:10 +02:00 · c3792f16ce
parent d589cba320
commit c3792f16ce
2 changed files with 119 additions and 14 deletions
--- a/hosts/containers/freifunk/configuration.nix
+++ b/hosts/containers/freifunk/configuration.nix
@ -1,7 +1,16 @@
 { config, pkgs, lib, ... }:

 let
+  coreAddress = "172.20.72.40";
+  corePrefixlen = 26;
  meshInterface = "bmx";
+  meshLoopback = "bmx_prime";
+  ddmeshRegisterUrl = "https://register.freifunk-dresden.de/bot.php";
+  secrets = import <secrets/hosts/freifunk>;
+  ddmeshRegisterKey = secrets.ddmeshRegisterKey;
+  ddmeshNode = 51073;
+  ddmeshAddrPart = "200.74";
+  rt_table = 7;
 in {
  imports = [
    <nixpkgs/nixos/modules/profiles/minimal.nix>
@ -13,30 +22,72 @@ in {
  c3d2 = {
    isInHq = false;
    enableHail = false;
+    hq.statistics.enable = true;
  };

  networking.hostName = "freifunk";
  networking.useNetworkd = true;
  networking.nameservers = [ "172.20.73.8" "9.9.9.9" ];
+  networking.firewall.enable = false;
+  networking.nat = {
+    enable = true;
+    externalInterface = meshInterface;
+    #internalInterfaces = [ "core" ];
+    extraCommands = ''
+      set +e
+      ${pkgs.iproute}/bin/ip rule add to 10.200.0.0/16 table bmx priority 300
+      ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING \
+        \! --source 10.200.0.0/15 -o ${meshInterface} -j SNAT --to 10.200.${ddmeshAddrPart}
+      set -e
+    '';
+  };
+  networking.iproute2 = {
+    enable = true;
+    rttablesExtraConfig = "${toString rt_table} bmx";
+  };

  # Required for krops
  services.openssh.enable = true;
  environment.systemPackages = with pkgs; [ git tcpdump ];

-  systemd.network.networks = {
-    "10-bmx" = {
-      enable = true;
-      matchConfig = { Name = meshInterface; };
-      networkConfig = {
-        Address = "10.200.0.15/16";
+  systemd.network = {
+    netdevs = {
+      bmx_prime = {
+        enable = true;
+        netdevConfig = {
+          Kind = "bridge";
+          Name = meshLoopback;
+        };
      };
    };
-    "20-core" = {
-      enable = true;
-      matchConfig = { Name = "core"; };
-      networkConfig = {
-        Address = "172.20.72.40/26";
-        Gateway = "172.20.72.7";
+    networks = {
+      "10-bmx" = {
+        enable = true;
+        matchConfig = { Name = meshInterface; };
+        addresses = [ {
+          addressConfig = {
+            Address = "10.201.${ddmeshAddrPart}/16";
+            Broadcast = "10.255.255.255";
+          };
+        } ];
+      };
+      "11-bmx-loopback" = {
+        enable = true;
+        matchConfig = { Name = meshLoopback; };
+        addresses = [ {
+          addressConfig = {
+            Address = "10.200.${ddmeshAddrPart}/16";
+            Broadcast = "10.255.255.255";
+          };
+        } ];
+      };
+      "20-core" = {
+        enable = true;
+        matchConfig = { Name = "core"; };
+        networkConfig = {
+          Address = "${coreAddress}/${toString corePrefixlen}";
+          Gateway = "172.20.72.7";
+        };
      };
    };
  };
@ -47,10 +98,64 @@ in {
      after = [ "systemd-networkd.service" ];
      wantedBy = [ "network.target" ];
      serviceConfig = {
-        ExecStart = "${bmxd}/sbin/bmxd --no_fork 1 --throw-rules 0 --prio-rules 0 dev=${meshInterface} /linklayer 0";
+        ExecStart = ''
+          ${bmxd}/sbin/bmxd \
+            --rt_table_offset=${toString rt_table} \
+            --no_fork 1 \
+            --throw-rules 0 \
+            --prio-rules 0 \
+            dev=bmx_prime /linklayer 0 \
+            dev=${meshInterface} /linklayer 1
+        '';
        Restart = "always";
      };
    };
+  systemd.services.ddmesh-register-node = {
+    script = ''
+      ${pkgs.curl}/bin/curl \
+        -o /tmp/ddmesh-registration.json \
+        '${ddmeshRegisterUrl}?registerkey=${ddmeshRegisterKey}&node=${toString ddmeshNode}'
+    '';
+    serviceConfig = {
+      User = "nobody";
+      Group = "nogroup";
+    };
+  };
+  systemd.timers.ddmesh-register-node = {
+    partOf      = [ "ddmesh-register-node.service" ];
+    wantedBy    = [ "timers.target" ];
+    timerConfig.OnCalendar = "daily";
+  };
+
+  services.bird2 = {
+    enable = true;
+    config = ''
+        protocol kernel {
+          ipv4 {
+            export all;
+          };
+        }
+        protocol device {
+          scan time 10;
+        }
+
+        protocol ospf ZW4 {
+          ipv4;
+          area 0 {
+            networks {
+              172.20.72.0/21;
+            };
+            stubnet 10.200.0.0/16;
+            interface "core" {
+              authentication cryptographic;
+              password "${import <secrets/shared/ospf/message-digest-key.nix>}";
+            };
+          };
+        }
+
+        router id ${coreAddress};
+      '';
+  };

  # This value determines the NixOS release with which your system is to be
  # compatible, in order to avoid breaking some software such as database
--- a/2
+++ b/2
@ -1 +1 @@
-Subproject commit 35a994c6ea2f2720e8ec045ea1369163ea69a35f
+Subproject commit 8f732b652a03432da81ed67aa9d968d6842ed0b4