/nixos-module/container/bird: use ospf instances not areas for sharing upstream
This commit is contained in:
parent
003a948ce2
commit
d72789c35a
|
@ -76,6 +76,10 @@ in
|
||||||
services.dnscache.enable = true;
|
services.dnscache.enable = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
upstream1.ospf.upstreamInstance = 3;
|
||||||
|
upstream2.ospf.upstreamInstance = 4;
|
||||||
|
anon1.ospf.upstreamInstance = 5;
|
||||||
|
freifunk.ospf.upstreamInstance = 6;
|
||||||
c3d2-gw.ospf.allowedUpstreams = [ "upstream1" "upstream2" "freifunk" ];
|
c3d2-gw.ospf.allowedUpstreams = [ "upstream1" "upstream2" "freifunk" ];
|
||||||
serv-gw.ospf.allowedUpstreams = [ "upstream1" "upstream2" "freifunk" ];
|
serv-gw.ospf.allowedUpstreams = [ "upstream1" "upstream2" "freifunk" ];
|
||||||
cls-gw.ospf.allowedUpstreams = [ "upstream1" "upstream2" "freifunk" ];
|
cls-gw.ospf.allowedUpstreams = [ "upstream1" "upstream2" "freifunk" ];
|
||||||
|
|
|
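Review bot: The new `upstreamInstance` values 3–6 are unique only by convention; nothing rejects two upstreams that share an interface and an instance id, and in that case both bird OSPF protocols would form adjacencies on the same instance and the preference order in `allowedUpstreams` would no longer pick the intended router. Since the enclosing host attribute set starts outside the hunk, an assertion next to the option definitions seems the natural place: check that `upstreamInstance` values are pairwise distinct among hosts and that every name in an `allowedUpstreams` list refers to a host whose `upstreamInstance` is non-null. `anon1` is given instance 5 but appears in none of the three `allowedUpstreams` lists visible here; if that is intentional, a comment such as `# anon1 is an upstream only for hosts configured elsewhere` would help the next reader.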
@ -214,6 +214,11 @@ let
|
||||||
default = [];
|
default = [];
|
||||||
description = "Accept default routes from these OSPF routers, in order of preference";
|
description = "Accept default routes from these OSPF routers, in order of preference";
|
||||||
};
|
};
|
||||||
|
ospf.upstreamInstance = mkOption {
|
||||||
|
type = with types; nullOr int;
|
||||||
|
default = null;
|
||||||
|
description = "OSPF instance for advertising the default route";
|
||||||
|
};
|
||||||
wireguard = mkOption {
|
wireguard = mkOption {
|
||||||
default = {};
|
default = {};
|
||||||
type = with types; attrsOf (submodule (
|
type = with types; attrsOf (submodule (
|
||||||
|
|
|
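Review bot: `ospf.upstreamInstance` is typed `nullOr int` but is spliced verbatim into bird's `interface ... instance N` clause, and the OSPFv3 Instance ID is an 8-bit field, so a negative or over-255 value passes evaluation and only fails when bird parses its config; `type = with types; nullOr ints.u8;` would reject it at eval time. The description should also say when the value is required and that it must be unique per shared link, e.g. `description = "OSPF instance id used on shared links for this host's default route; must be set, and unique per link, for every host listed in some allowedUpstreams";`. The enclosing option set starts and ends outside the hunk.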
@ -145,13 +145,13 @@ in
|
||||||
ipv4 {
|
ipv4 {
|
||||||
export where net = 0.0.0.0/0;
|
export where net = 0.0.0.0/0;
|
||||||
};
|
};
|
||||||
area ${config.site.net.core.hosts4.${hostName}} {
|
area 0 {
|
||||||
${builtins.concatStringsSep "\n" (
|
${builtins.concatStringsSep "\n" (
|
||||||
builtins.attrValues (
|
builtins.attrValues (
|
||||||
builtins.mapAttrs (net: _:
|
builtins.mapAttrs (net: _:
|
||||||
# Enable OSPF only on interfaces with a secret.
|
# Enable OSPF only on interfaces with a secret.
|
||||||
lib.optionalString (config.site.net.${net}.ospf.secret != null) ''
|
lib.optionalString (config.site.net.${net}.ospf.secret != null) ''
|
||||||
interface "${net}" instance 1 {
|
interface "${net}" instance ${toString hostConf.ospf.upstreamInstance} {
|
||||||
authentication cryptographic;
|
authentication cryptographic;
|
||||||
password "${config.site.net.${net}.ospf.secret}";
|
password "${config.site.net.${net}.ospf.secret}";
|
||||||
};
|
};
|
||||||
|
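Review bot: `${toString hostConf.ospf.upstreamInstance}` on the new interface line renders as an empty string when the option is still at its `null` default, because Nix's `toString null` is `""`, so the generated config reads `interface "net" instance  {` and the error only surfaces when bird starts; the same applies to `config.site.hosts.${upstream}.ospf.upstreamInstance` in the two following hunks (the v4 and v6 `foldl'` blocks). Whether this block is only rendered for upstream hosts cannot be seen from the hunk, so a hard eval-time failure is preferable either way, e.g. `instance ${let i = hostConf.ospf.upstreamInstance; in assert i != null; toString i}` or a module assertion over every host named in `allowedUpstreams`. The surrounding protocol block starts and ends outside the hunk.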
@ -164,28 +164,28 @@ in
|
||||||
''}
|
''}
|
||||||
|
|
||||||
${(
|
${(
|
||||||
builtins.foldl' ({ text, instance }: upstream: {
|
builtins.foldl' ({ text, n }: upstream: {
|
||||||
text = ''
|
text = ''
|
||||||
${text}
|
${text}
|
||||||
|
|
||||||
# OSPFv2 to receive a default route
|
# OSPFv2 to receive a default route from ${upstream}
|
||||||
protocol ospf v2 ZW4_${upstream} {
|
protocol ospf v2 ZW4_${upstream} {
|
||||||
ipv4 {
|
ipv4 {
|
||||||
export filter {
|
import filter {
|
||||||
preference = preference + 100 - ${toString instance};
|
preference = preference + ${toString (100 - n)};
|
||||||
accept;
|
accept;
|
||||||
};
|
};
|
||||||
${lib.optionalString (builtins.match "anon.*" hostName != null) ''
|
${lib.optionalString (builtins.match "anon.*" hostName != null) ''
|
||||||
table vpn4_table;
|
table vpn4_table;
|
||||||
''}
|
''}
|
||||||
};
|
};
|
||||||
area ${config.site.net.core.hosts4.${upstream}} {
|
area 0 {
|
||||||
${builtins.concatStringsSep "\n" (
|
${builtins.concatStringsSep "\n" (
|
||||||
builtins.attrValues (
|
builtins.attrValues (
|
||||||
builtins.mapAttrs (net: _:
|
builtins.mapAttrs (net: _:
|
||||||
# Enable OSPF only on interfaces with a secret.
|
# Enable OSPF only on interfaces with a secret.
|
||||||
lib.optionalString (config.site.net.${net}.ospf.secret != null) ''
|
lib.optionalString (config.site.net.${net}.ospf.secret != null) ''
|
||||||
interface "${net}" instance ${toString instance} {
|
interface "${net}" instance ${toString config.site.hosts.${upstream}.ospf.upstreamInstance} {
|
||||||
authentication cryptographic;
|
authentication cryptographic;
|
||||||
password "${config.site.net.${net}.ospf.secret}";
|
password "${config.site.net.${net}.ospf.secret}";
|
||||||
};
|
};
|
||||||
|
@ -196,8 +196,8 @@ in
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
'';
|
'';
|
||||||
instance = instance + 1;
|
n = n + 1;
|
||||||
}) { text = ""; instance = 2; } config.site.hosts.${hostName}.ospf.allowedUpstreams
|
}) { text = ""; n = 0; } hostConf.ospf.allowedUpstreams
|
||||||
).text}
|
).text}
|
||||||
|
|
||||||
# OSPFv3 for site-local IPv6
|
# OSPFv3 for site-local IPv6
|
||||||
|
@ -245,13 +245,13 @@ in
|
||||||
ipv6 {
|
ipv6 {
|
||||||
export where net = ::/0;
|
export where net = ::/0;
|
||||||
};
|
};
|
||||||
area ${config.site.net.core.hosts4.${hostName}} {
|
area 0 {
|
||||||
${builtins.concatStringsSep "\n" (
|
${builtins.concatStringsSep "\n" (
|
||||||
builtins.attrValues (
|
builtins.attrValues (
|
||||||
builtins.mapAttrs (net: _:
|
builtins.mapAttrs (net: _:
|
||||||
# Enable OSPF only on interfaces with a secret.
|
# Enable OSPF only on interfaces with a secret.
|
||||||
lib.optionalString (config.site.net.${net}.ospf.secret != null) ''
|
lib.optionalString (config.site.net.${net}.ospf.secret != null) ''
|
||||||
interface "${net}" instance 1 {
|
interface "${net}" instance ${toString hostConf.ospf.upstreamInstance} {
|
||||||
authentication cryptographic;
|
authentication cryptographic;
|
||||||
password "${config.site.net.${net}.ospf.secret}";
|
password "${config.site.net.${net}.ospf.secret}";
|
||||||
};
|
};
|
||||||
|
@ -263,26 +263,26 @@ in
|
||||||
}
|
}
|
||||||
''}
|
''}
|
||||||
|
|
||||||
${lib.optionalString (builtins.match "anon.*" hostName != null) (
|
${lib.optionalString (builtins.match "anon.*" hostName == null) (
|
||||||
builtins.foldl' ({ text, instance }: upstream: {
|
builtins.foldl' ({ text, n }: upstream: {
|
||||||
text = ''
|
text = ''
|
||||||
${text}
|
${text}
|
||||||
|
|
||||||
# OSPFv3 to receive a default route
|
# OSPFv3 to receive a default route from ${upstream}
|
||||||
protocol ospf v3 ZW6_${upstream} {
|
protocol ospf v3 ZW6_${upstream} {
|
||||||
ipv6 {
|
ipv6 {
|
||||||
export filter {
|
import filter {
|
||||||
preference = preference + 100 - ${toString instance};
|
preference = preference + ${toString (100 - n)};
|
||||||
accept;
|
accept;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
area ${config.site.net.core.hosts4.${upstream}} {
|
area 0 {
|
||||||
${builtins.concatStringsSep "\n" (
|
${builtins.concatStringsSep "\n" (
|
||||||
builtins.attrValues (
|
builtins.attrValues (
|
||||||
builtins.mapAttrs (net: _:
|
builtins.mapAttrs (net: _:
|
||||||
# Enable OSPF only on interfaces with a secret.
|
# Enable OSPF only on interfaces with a secret.
|
||||||
lib.optionalString (config.site.net.${net}.ospf.secret != null) ''
|
lib.optionalString (config.site.net.${net}.ospf.secret != null) ''
|
||||||
interface "${net}" instance ${toString instance} {
|
interface "${net}" instance ${toString config.site.hosts.${upstream}.ospf.upstreamInstance} {
|
||||||
authentication cryptographic;
|
authentication cryptographic;
|
||||||
password "${config.site.net.${net}.ospf.secret}";
|
password "${config.site.net.${net}.ospf.secret}";
|
||||||
};
|
};
|
||||||
|
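Review bot: `builtins.match "anon.*" hostName == null` on the OSPFv3 default-route block inverts the previous condition, so anon hosts stop receiving an IPv6 default route via OSPF while every other host starts to, and the commit message only mentions instances versus areas. If this is a deliberate fix it deserves a comment such as `# anon hosts take their v6 default from the VPN, not from OSPF`; if not, the `==` looks like a typo. The v4 counterpart above still emits the protocol for anon hosts and only diverts it into `vpn4_table`, so the two address families now behave differently. The enclosing `optionalString` expression ends outside the hunk.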
@ -293,8 +293,8 @@ in
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
'';
|
'';
|
||||||
instance = instance + 1;
|
n = n + 1;
|
||||||
}) { text = ""; instance = 2; } config.site.hosts.${hostName}.ospf.allowedUpstreams
|
}) { text = ""; n = 0; } hostConf.ospf.allowedUpstreams
|
||||||
).text}
|
).text}
|
||||||
|
|
||||||
# Zentralwerk DN42
|
# Zentralwerk DN42
|
||||||
|
|