diff --git a/nix/lib/config/legacy.nix b/nix/lib/config/legacy.nix
index df7c6be..2a54e29 100644
--- a/nix/lib/config/legacy.nix
+++ b/nix/lib/config/legacy.nix
@@ -76,6 +76,10 @@ in
 services.dnscache.enable = true;
 };
+ upstream1.ospf.upstreamInstance = 3;
+ upstream2.ospf.upstreamInstance = 4;
+ anon1.ospf.upstreamInstance = 5;
+ freifunk.ospf.upstreamInstance = 6;
 c3d2-gw.ospf.allowedUpstreams = [ "upstream1" "upstream2" "freifunk" ];
 serv-gw.ospf.allowedUpstreams = [ "upstream1" "upstream2" "freifunk" ];
 cls-gw.ospf.allowedUpstreams = [ "upstream1" "upstream2" "freifunk" ];
diff --git a/nix/lib/config/options.nix b/nix/lib/config/options.nix
index a2a559e..40f9ae5 100644
--- a/nix/lib/config/options.nix
+++ b/nix/lib/config/options.nix
@@ -214,6 +214,11 @@ let
 default = [];
 description = "Accept default routes from these OSPF routers, in order of preference";
 };
+ ospf.upstreamInstance = mkOption {
+ type = with types; nullOr int;
+ default = null;
+ description = "OSPF instance for advertising the default route";
+ };
 wireguard = mkOption {
 default = {};
 type = with types; attrsOf (submodule (
diff --git a/nix/nixos-module/container/bird.nix b/nix/nixos-module/container/bird.nix
index 43fd58c..71d0dc7 100644
--- a/nix/nixos-module/container/bird.nix
+++ b/nix/nixos-module/container/bird.nix
@@ -145,13 +145,13 @@ in
 ipv4 {
 export where net = 0.0.0.0/0;
 };
- area ${config.site.net.core.hosts4.${hostName}} {
+ area 0 {
 ${builtins.concatStringsSep "\n" (
 builtins.attrValues (
 builtins.mapAttrs (net: _:
 # Enable OSPF only on interfaces with a secret.
 lib.optionalString (config.site.net.${net}.ospf.secret != null) ''
- interface "${net}" instance 1 {
+ interface "${net}" instance ${toString hostConf.ospf.upstreamInstance} {
 authentication cryptographic;
 password "${config.site.net.${net}.ospf.secret}";
 };
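Review bot: `nullOr int` on the new `ospf.upstreamInstance` option admits any integer, but the value is interpolated verbatim into BIRD's `interface ... instance N` statement, where the instance ID is an 8-bit header field (RFC 6549 for OSPFv2, RFC 5340 for OSPFv3), so a value outside 0–255 only fails at BIRD startup instead of at Nix evaluation; `type = with types; nullOr (ints.between 0 255);` moves that check to eval time. Since every router is now placed in `area 0`, the instance ID is the only thing separating the per-upstream OSPF protocols that share a link, so the description should say that values must be distinct across all hosts listed in any `allowedUpstreams`, e.g. `description = "OSPF instance ID this host advertises its default route on; must be unique among all upstreams sharing a link, because the receiving gateways select the upstream by this ID";`. Nothing in the diff asserts that uniqueness; an `assertions` entry in the bird module would catch a duplicate before it produces two protocols claiming the same instance on one interface.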
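Review bot: The new `interface "${net}" instance ${toString hostConf.ospf.upstreamInstance} {` line renders as `instance  {` whenever the option is still at its `null` default (`toString null` is the empty string in Nix), which is a BIRD parse error that takes the whole daemon down rather than just this protocol. The enclosing protocol block starts before this hunk, so it is not visible here whether it is already wrapped in an `optionalString (hostConf.ospf.upstreamInstance != null)`; if it is not, either guard it that way or fail loudly at evaluation with something like `${toString (if hostConf.ospf.upstreamInstance != null then hostConf.ospf.upstreamInstance else throw "${hostName}: ospf.upstreamInstance must be set on a default-route advertiser")}`. The same interpolation recurs in the OSPFv3 advertiser later in this diff and needs the same guard.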
@@ -164,28 +164,28 @@ in
 ''}
 ${(
- builtins.foldl' ({ text, instance }: upstream: {
+ builtins.foldl' ({ text, n }: upstream: {
 text = ''
 ${text}
- # OSPFv2 to receive a default route
+ # OSPFv2 to receive a default route from ${upstream}
 protocol ospf v2 ZW4_${upstream} {
 ipv4 {
- export filter { preference = preference + 100 - ${toString instance};
+ import filter { preference = preference + ${toString (100 - n)};
 accept;
 };
 ${lib.optionalString (builtins.match "anon.*" hostName != null) ''
 table vpn4_table;
 ''}
 };
- area ${config.site.net.core.hosts4.${upstream}} {
+ area 0 {
 ${builtins.concatStringsSep "\n" (
 builtins.attrValues (
 builtins.mapAttrs (net: _:
 # Enable OSPF only on interfaces with a secret.
 lib.optionalString (config.site.net.${net}.ospf.secret != null) ''
- interface "${net}" instance ${toString instance} {
+ interface "${net}" instance ${toString config.site.hosts.${upstream}.ospf.upstreamInstance} {
 authentication cryptographic;
 password "${config.site.net.${net}.ospf.secret}";
 };
@@ -196,8 +196,8 @@ in
 };
 }
 '';
- instance = instance + 1;
- }) { text = ""; instance = 2; } config.site.hosts.${hostName}.ospf.allowedUpstreams
+ n = n + 1;
+ }) { text = ""; n = 0; } hostConf.ospf.allowedUpstreams
 ).text}
 # OSPFv3 for site-local IPv6
@@ -245,13 +245,13 @@ in
 ipv6 {
 export where net = ::/0;
 };
- area ${config.site.net.core.hosts4.${hostName}} {
+ area 0 {
 ${builtins.concatStringsSep "\n" (
 builtins.attrValues (
 builtins.mapAttrs (net: _:
 # Enable OSPF only on interfaces with a secret.
 lib.optionalString (config.site.net.${net}.ospf.secret != null) ''
- interface "${net}" instance 1 {
+ interface "${net}" instance ${toString hostConf.ospf.upstreamInstance} {
 authentication cryptographic;
 password "${config.site.net.${net}.ospf.secret}";
 };
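Review bot: The new `import filter` in the `ZW4_${upstream}` protocol accepts every route the upstream announces, not only the default route it is meant to carry, and raises each one by `100 - n` on top of OSPF's base preference, so a more-specific prefix injected by a compromised upstream router — or by anyone holding the shared OSPF secret of that interface — would outrank the gateway's own internal and, depending on the other protocols' preferences, even directly connected routes. The `export where net = 0.0.0.0/0` on the advertising side only constrains a well-behaved peer; the receiver should enforce its own expectation with `if net != 0.0.0.0/0 then reject;` as the first statement of the filter, before the `preference` line. The protocol is then limited to the one prefix the comment promises, and an unexpected announcement shows up in BIRD's filtered-route view instead of in the FIB.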
@@ -263,26 +263,26 @@ in
 }
 ''}
- ${lib.optionalString (builtins.match "anon.*" hostName != null) (
- builtins.foldl' ({ text, instance }: upstream: {
+ ${lib.optionalString (builtins.match "anon.*" hostName == null) (
+ builtins.foldl' ({ text, n }: upstream: {
 text = ''
 ${text}
- # OSPFv3 to receive a default route
+ # OSPFv3 to receive a default route from ${upstream}
 protocol ospf v3 ZW6_${upstream} {
 ipv6 {
- export filter { preference = preference + 100 - ${toString instance};
+ import filter { preference = preference + ${toString (100 - n)};
 accept;
 };
 };
- area ${config.site.net.core.hosts4.${upstream}} {
+ area 0 {
 ${builtins.concatStringsSep "\n" (
 builtins.attrValues (
 builtins.mapAttrs (net: _:
 # Enable OSPF only on interfaces with a secret.
 lib.optionalString (config.site.net.${net}.ospf.secret != null) ''
- interface "${net}" instance ${toString instance} {
+ interface "${net}" instance ${toString config.site.hosts.${upstream}.ospf.upstreamInstance} {
 authentication cryptographic;
 password "${config.site.net.${net}.ospf.secret}";
 };
@@ -293,8 +293,8 @@ in
 };
 }
 '';
- instance = instance + 1;
- }) { text = ""; instance = 2; } config.site.hosts.${hostName}.ospf.allowedUpstreams
+ n = n + 1;
+ }) { text = ""; n = 0; } hostConf.ospf.allowedUpstreams
 ).text}
 # Zentralwerk DN42
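Review bot: The first changed line flips the guard from `!= null` to `== null`, so the `ZW6_*` default-route receivers are now generated on every non-anon gateway and no longer on the anon hosts — the opposite of before — and nothing in the hunk says whether that is a deliberate behaviour change or an accidental inversion while the IPv4 side keeps routing anon traffic into `vpn4_table`. If it is intended, state the reason on that line, e.g. `# anon hosts must not learn an IPv6 default from the upstreams (only v4 via vpn4_table)`, so the next reader does not "fix" it back. The new `import filter` also has the same over-acceptance as its IPv4 twin: it admits any prefix the upstream announces at elevated preference, so add `if net != ::/0 then reject;` ahead of the `preference` line to keep a misbehaving or compromised upstream from overriding site-local IPv6 routes.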