From c3792f16cec90b0aa36c7d83cbdb7efe83699772 Mon Sep 17 00:00:00 2001 From: Astro Date: Sun, 12 Apr 2020 03:34:10 +0200 Subject: [PATCH] freifunk: setup all the correct details --- hosts/containers/freifunk/configuration.nix | 131 ++++++++++++++++++-- secrets | 2 +- 2 files changed, 119 insertions(+), 14 deletions(-) diff --git a/hosts/containers/freifunk/configuration.nix b/hosts/containers/freifunk/configuration.nix index 0ba81c2c..a2a5fa8f 100644 --- a/hosts/containers/freifunk/configuration.nix +++ b/hosts/containers/freifunk/configuration.nix @@ -1,7 +1,16 @@ { config, pkgs, lib, ... }: let + coreAddress = "172.20.72.40"; + corePrefixlen = 26; meshInterface = "bmx"; + meshLoopback = "bmx_prime"; + ddmeshRegisterUrl = "https://register.freifunk-dresden.de/bot.php"; + secrets = import ; + ddmeshRegisterKey = secrets.ddmeshRegisterKey; + ddmeshNode = 51073; + ddmeshAddrPart = "200.74"; + rt_table = 7; in { imports = [ 
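Review bot: `ddmeshRegisterKey = secrets.ddmeshRegisterKey;` pulls the registration key into the Nix evaluation, so every string that interpolates it — the ddmesh-register-node script in the third hunk, and likewise the OSPF password imported into the bird2 config there — is written into the world-readable Nix store and the generated unit file. The secrets checkout itself may be protected, but the derived store paths are not, and they persist across generations until garbage-collected. A safer shape keeps only a path in Nix (e.g. `ddmeshRegisterKeyFile = "/run/keys/<key-file>";`, deployed out of band) and has the service read it at runtime; the bird2 password can likewise come from a root-owned file via bird's `include` directive. I'd also add a comment on this binding, e.g. `# NOTE: evaluating the key here puts any interpolation of it into /nix/store`, so the next edit does not silently add another use.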
@@ -13,30 +22,72 @@ in { c3d2 = { isInHq = false; enableHail = false; + hq.statistics.enable = true; }; networking.hostName = "freifunk"; networking.useNetworkd = true; networking.nameservers = [ "172.20.73.8" "9.9.9.9" ]; + networking.firewall.enable = false; + networking.nat = { + enable = true; + externalInterface = meshInterface; + #internalInterfaces = [ "core" ]; + extraCommands = '' + set +e + ${pkgs.iproute}/bin/ip rule add to 10.200.0.0/16 table bmx priority 300 + ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING \ + \! --source 10.200.0.0/15 -o ${meshInterface} -j SNAT --to 10.200.${ddmeshAddrPart} + set -e + ''; + }; + networking.iproute2 = { + enable = true; + rttablesExtraConfig = "${toString rt_table} bmx"; + }; # Required for krops services.openssh.enable = true; environment.systemPackages = with pkgs; [ git tcpdump ]; - systemd.network.networks = { - "10-bmx" = { - enable = true; - matchConfig = { Name = meshInterface; }; - networkConfig = { - Address = "10.200.0.15/16"; + systemd.network = { + netdevs = { + bmx_prime = { + enable = true; + netdevConfig = { + Kind = "bridge"; + Name = meshLoopback; + }; }; }; - "20-core" = { - enable = true; - matchConfig = { Name = "core"; }; - networkConfig = { - Address = "172.20.72.40/26"; - Gateway = "172.20.72.7"; + networks = { + "10-bmx" = { + enable = true; + matchConfig = { Name = meshInterface; }; + addresses = [ { + addressConfig = { + Address = "10.201.${ddmeshAddrPart}/16"; + Broadcast = "10.255.255.255"; + }; + } ]; + }; + "11-bmx-loopback" = { + enable = true; + matchConfig = { Name = meshLoopback; }; + addresses = [ { + addressConfig = { + Address = "10.200.${ddmeshAddrPart}/16"; + Broadcast = "10.255.255.255"; + }; + } ]; + }; + "20-core" = { + enable = true; + matchConfig = { Name = "core"; }; + networkConfig = { + Address = "${coreAddress}/${toString corePrefixlen}"; + Gateway = "172.20.72.7"; + }; }; }; }; 
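Review bot: `networking.firewall.enable = false;` opens every listening service on this host — sshd (`services.openssh.enable = true`) and the OSPF speaker added in the third hunk — to the mesh side as well as the core side, with no replacement filtering in the NAT `extraCommands`. If the firewall has to be off because it conflicts with bmxd's own rules, that reason belongs in a comment next to the line, e.g. `# firewall disabled: <reason>; sshd/OSPF are reachable from ${meshInterface}`; otherwise keep it enabled and limit exposure to the core side (`networking.firewall.trustedInterfaces = [ "core" ];`). The `set +e` / `set -e` pair also hides a failing iptables SNAT rule, which would leave mesh-bound traffic routed without translation; scope the tolerance to the idempotent rule instead: `${pkgs.iproute}/bin/ip rule add to 10.200.0.0/16 table bmx priority 300 || true` and drop both `set` lines. The `in { ... }` set enclosing this hunk starts in the first hunk and ends outside it.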
@@ -47,10 +98,64 @@ in { after = [ "systemd-networkd.service" ]; wantedBy = [ "network.target" ]; serviceConfig = { - ExecStart = "${bmxd}/sbin/bmxd --no_fork 1 --throw-rules 0 --prio-rules 0 dev=${meshInterface} /linklayer 0"; + ExecStart = '' + ${bmxd}/sbin/bmxd \ + --rt_table_offset=${toString rt_table} \ + --no_fork 1 \ + --throw-rules 0 \ + --prio-rules 0 \ + dev=bmx_prime /linklayer 0 \ + dev=${meshInterface} /linklayer 1 + ''; Restart = "always"; }; }; + systemd.services.ddmesh-register-node = { + script = '' + ${pkgs.curl}/bin/curl \ + -o /tmp/ddmesh-registration.json \ + '${ddmeshRegisterUrl}?registerkey=${ddmeshRegisterKey}&node=${toString ddmeshNode}' + ''; + serviceConfig = { + User = "nobody"; + Group = "nogroup"; + }; + }; + systemd.timers.ddmesh-register-node = { + partOf = [ "ddmesh-register-node.service" ]; + wantedBy = [ "timers.target" ]; + timerConfig.OnCalendar = "daily"; + }; + + services.bird2 = { + enable = true; + config = '' + protocol kernel { + ipv4 { + export all; + }; + } + protocol device { + scan time 10; + } + + protocol ospf ZW4 { + ipv4; + area 0 { + networks { + 172.20.72.0/21; + }; + stubnet 10.200.0.0/16; + interface "core" { + authentication cryptographic; + password "${import }"; + }; + }; + } + + router id ${coreAddress}; + ''; + }; # This value determines the NixOS release with which your system is to be # compatible, in order to avoid breaking some software such as database diff --git a/secrets b/secrets index 35a994c6..8f732b65 160000 --- a/secrets +++ b/secrets @@ -1 +1 @@ -Subproject commit 35a994c6ea2f2720e8ec045ea1369163ea69a35f +Subproject commit 8f732b652a03432da81ed67aa9d968d6842ed0b4
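Review bot: The ddmesh-register-node script passes the registration key on curl's command line and writes to the fixed path `/tmp/ddmesh-registration.json` as the shared `nobody` user, so the key is visible in process listings while the unit runs and the output lands in a world-writable directory that other local users can pre-populate. Move the URL into a root-owned config file read with `curl -K` (`--config`), run the unit with `DynamicUser = true;` plus `StateDirectory = "ddmesh-register-node";`, and write the response under `/var/lib/ddmesh-register-node/` instead of `/tmp`. curl is also run without `--fail --silent --show-error`, so an HTTP error page is saved as if registration succeeded and the unit still exits 0; worth adding together with a comment such as `# daily re-registration with the Freifunk Dresden registry; key is read from <key-file> at runtime`. The bird2 `password` and the `${ddmeshRegisterKey}` interpolation both end up in the Nix store; the `in { ... }` set enclosing these units starts in the first hunk and ends outside this one.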