nix-config/hosts/containers/yggdrasil/default.nix


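# NixOS container "yggdrasil": a Yggdrasil mesh node that also routes between
# the Yggdrasil prefix and the Zentralwerk (ZW) core network.
#
# `hostRegistry` is provided by this repository and supplies the host's
# core-network addresses (`ip4`, `ip6`); `c3d2` below is likewise a
# project-defined option whose meaning is not visible in this file.
{ pkgs, lib, config, hostRegistry, ... }:
let
  host = hostRegistry.hosts.yggdrasil;
  # 301:4561:bb58:4dac::/64 — the /64 this node owns inside Yggdrasil,
  # taken from the output of "yggdrasilctl getself".
  yggPrefix = "301:4561:bb58:4dac";
  # TCP port on which the Yggdrasil daemon accepts incoming peers.
  port = 46823;
in {
  # This node forwards traffic between the core network and the prefix above.
  boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1;

  # Yggdrasil needs a TUN device; in a container the node may not exist yet,
  # so create it at boot. Mode 0666 makes it usable by every user inside the
  # container — a group-restricted mode would do if only the yggdrasil service
  # opens it; TODO confirm before tightening.
  boot.postBootCommands = ''
    if [ ! -c /dev/net/tun ]; then
      mkdir -p /dev/net
      mknod -m 666 /dev/net/tun c 10 200
    fi
  '';

  c3d2 = { isInHq = true; };

  networking = {
    hostName = "yggdrasil";
    # No host firewall: together with the forwarding sysctl above this node
    # passes traffic between the core network and Yggdrasil unfiltered. The
    # nat rule below only rewrites source addresses, it does not filter, so
    # any filtering has to happen on neighbouring hosts.
    firewall.enable = false;
    nat = {
      enable = true;
      # Provide routing for the house: masquerade traffic that does not already
      # carry a Yggdrasil source (200::/7) when it leaves via the ygg interface.
      extraCommands = ''
        ip6tables -t nat -A POSTROUTING ! --src 200::/7 -o ygg -j MASQUERADE
      '';
    };
    defaultGateway = "172.20.72.6";
    defaultGateway6 = "2a02:8106:208:5281::b:0";
    # systemd-networkd breaks setting default routes. so sad.
    # (`lib.mkForce` is used here like on interfaces.c3d2 below.)
    useNetworkd = lib.mkForce false;
    nameservers = [ "172.20.73.8" ];

    # Uplink into the ZW core network; addresses come from the host registry.
    interfaces.core = {
      mtu = 1500;
      ipv4.addresses = [{
        address = host.ip4;
        prefixLength = 26;
      }];
      ipv6.addresses = [{
        address = host.ip6;
        prefixLength = 64;
      }];
    };

    # ::1 of the Yggdrasil prefix lives on the c3d2 interface. mkForce replaces
    # whatever the c3d2 module would otherwise configure for this interface.
    interfaces.c3d2 = lib.mkForce {
      ipv6.addresses = [{
        address = yggPrefix + "::1";
        prefixLength = 64;
      }];
    };
  };

  services.yggdrasil = {
    enable = true;
    # Presumably keeps the node key pair across rebuilds so the node's
    # Yggdrasil address stays stable — verify against the module option.
    persistentKeys = true;
    config = {
      IfName = "ygg";
      # Accept incoming peers on all addresses, TCP only.
      Listen = [
        "tcp://[::]:${toString port}"
      ];
      # Static upstream peers, grouped by country.
      Peers = [
        # germany
        "tcp://45.11.19.26:5001"
        # czechia
        "tcp://[2a03:3b40:fe:ab::1]:46370"
        "tcp://[2a05:9403::8b]:7743"
        # poland
        "tcp://[2001:41d0:601:1100::cf2]:37145"
      ];
      NodeInfo = {
        # This information is visible to the network; keep it to what is
        # meant to be public.
        name = "y.c3d2.de";
        location = "Dresden";
        email = "ehmry@c3d2.de";
      };
    };
  };

  # Get routes on the core network, advertise Yggdrasil routes to ZW core.
  #
  # NOTE(review): `config` is a plain string that the NixOS bird2 module
  # writes out as the bird configuration file, so the OSPF key interpolated
  # via ${pkgs.zentralwerk-ospf-message-digest-key} ends up in that file —
  # in the Nix store, which is world-readable on the host. Confirm that is
  # acceptable for this key.
  # ZW4 (OSPFv2) authenticates the session on "core"; ZW6 (OSPFv3) has no
  # authentication configured — confirm whether that is intended.
  services.bird2 = {
    enable = true;
    config = ''
      protocol kernel K4 {
        ipv4 {
          export all;
        };
      }
      protocol kernel K6 {
        ipv6 {
          export all;
        };
      }
      protocol device {
        scan time 10;
      }
      # protocol radv {
      #   interface "c3d2" {
      #     min ra interval 10;
      #     max ra interval 60;
      #     prefix ${yggPrefix}/64 {
      #       preferred lifetime 20;
      #       valid lifetime 60;
      #     };
      #   };
      # }
      protocol ospf v2 ZW4 {
        area 0 {
          networks {
            172.20.72.0/21;
          };
          interface "core" {
            authentication cryptographic;
            password "${pkgs.zentralwerk-ospf-message-digest-key}";
          };
        };
      }
      protocol ospf v3 ZW6 {
        area 0 {
          networks {
            fd23:42:c3d2:500::/56;
            2a02:8106:208:5200::/56;
            2a02:8106:211:e900::/56;
          };
          stubnet 200::/7 {};
          interface "core" {};
        };
      }
      router id ${host.ip4};
    '';
  };

  # Catch-all (`default = true`) vhost proxying y.c3d2.de to the main site.
  # No TLS is configured on this side (no enableACME/forceSSL) — presumably
  # terminated elsewhere or intentionally plain; verify.
  services.nginx = {
    enable = true;
    virtualHosts."y.c3d2.de" = {
      default = true;
      locations."/".proxyPass = "https://c3d2.de";
    };
  };
}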