/nixos-module/container/bird: use ospf instances not areas for sharing upstream

Astro 2021-04-30 23:54:36 +02:00
parent 003a948ce2
commit d72789c35a
3 changed files with 30 additions and 21 deletions


@ -76,6 +76,10 @@ in
services.dnscache.enable = true; services.dnscache.enable = true;
}; };
upstream1.ospf.upstreamInstance = 3;
upstream2.ospf.upstreamInstance = 4;
anon1.ospf.upstreamInstance = 5;
freifunk.ospf.upstreamInstance = 6;
c3d2-gw.ospf.allowedUpstreams = [ "upstream1" "upstream2" "freifunk" ]; c3d2-gw.ospf.allowedUpstreams = [ "upstream1" "upstream2" "freifunk" ];
serv-gw.ospf.allowedUpstreams = [ "upstream1" "upstream2" "freifunk" ]; serv-gw.ospf.allowedUpstreams = [ "upstream1" "upstream2" "freifunk" ];
cls-gw.ospf.allowedUpstreams = [ "upstream1" "upstream2" "freifunk" ]; cls-gw.ospf.allowedUpstreams = [ "upstream1" "upstream2" "freifunk" ];


@ -214,6 +214,11 @@ let
default = []; default = [];
description = "Accept default routes from these OSPF routers, in order of preference"; description = "Accept default routes from these OSPF routers, in order of preference";
}; };
ospf.upstreamInstance = mkOption {
type = with types; nullOr int;
default = null;
description = "OSPF instance for advertising the default route";
};
wireguard = mkOption { wireguard = mkOption {
default = {}; default = {};
type = with types; attrsOf (submodule ( type = with types; attrsOf (submodule (
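Review bot: The new `ospf.upstreamInstance` option accepts any `int`, but BIRD's `instance` is an 8-bit OSPF instance ID, so an out-of-range value only fails when BIRD parses the generated config; `type = with types; nullOr (ints.between 0 255);` rejects it at evaluation time instead. The description should also state the two constraints the bird module now relies on: every host named in another host's `allowedUpstreams` must set it, and the values must be distinct across upstream hosts, since all upstreams now share `area 0` and only the instance ID keeps their adjacencies apart — two upstreams with the same ID would likely let both ZW4_/ZW6_ protocols hear both routers, defeating the per-upstream preference ordering. Something like `description = "OSPF instance ID (0-255) used to advertise this host's default route; required on every host listed in some allowedUpstreams and unique across upstream hosts";` would capture that. An assertion enforcing both constraints, placed wherever this module collects its assertions (outside the hunk), would catch a misconfiguration before it reaches a router.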


@ -145,13 +145,13 @@ in
ipv4 { ipv4 {
export where net = 0.0.0.0/0; export where net = 0.0.0.0/0;
}; };
area ${config.site.net.core.hosts4.${hostName}} { area 0 {
${builtins.concatStringsSep "\n" ( ${builtins.concatStringsSep "\n" (
builtins.attrValues ( builtins.attrValues (
builtins.mapAttrs (net: _: builtins.mapAttrs (net: _:
# Enable OSPF only on interfaces with a secret. # Enable OSPF only on interfaces with a secret.
lib.optionalString (config.site.net.${net}.ospf.secret != null) '' lib.optionalString (config.site.net.${net}.ospf.secret != null) ''
interface "${net}" instance 1 { interface "${net}" instance ${toString hostConf.ospf.upstreamInstance} {
authentication cryptographic; authentication cryptographic;
password "${config.site.net.${net}.ospf.secret}"; password "${config.site.net.${net}.ospf.secret}";
}; };
@ -164,28 +164,28 @@ in
''} ''}
${( ${(
builtins.foldl' ({ text, instance }: upstream: { builtins.foldl' ({ text, n }: upstream: {
text = '' text = ''
${text} ${text}
# OSPFv2 to receive a default route # OSPFv2 to receive a default route from ${upstream}
protocol ospf v2 ZW4_${upstream} { protocol ospf v2 ZW4_${upstream} {
ipv4 { ipv4 {
export filter { import filter {
preference = preference + 100 - ${toString instance}; preference = preference + ${toString (100 - n)};
accept; accept;
}; };
${lib.optionalString (builtins.match "anon.*" hostName != null) '' ${lib.optionalString (builtins.match "anon.*" hostName != null) ''
table vpn4_table; table vpn4_table;
''} ''}
}; };
area ${config.site.net.core.hosts4.${upstream}} { area 0 {
${builtins.concatStringsSep "\n" ( ${builtins.concatStringsSep "\n" (
builtins.attrValues ( builtins.attrValues (
builtins.mapAttrs (net: _: builtins.mapAttrs (net: _:
# Enable OSPF only on interfaces with a secret. # Enable OSPF only on interfaces with a secret.
lib.optionalString (config.site.net.${net}.ospf.secret != null) '' lib.optionalString (config.site.net.${net}.ospf.secret != null) ''
interface "${net}" instance ${toString instance} { interface "${net}" instance ${toString config.site.hosts.${upstream}.ospf.upstreamInstance} {
authentication cryptographic; authentication cryptographic;
password "${config.site.net.${net}.ospf.secret}"; password "${config.site.net.${net}.ospf.secret}";
}; };
@ -196,8 +196,8 @@ in
}; };
} }
''; '';
instance = instance + 1; n = n + 1;
}) { text = ""; instance = 2; } config.site.hosts.${hostName}.ospf.allowedUpstreams }) { text = ""; n = 0; } hostConf.ospf.allowedUpstreams
).text} ).text}
# OSPFv3 for site-local IPv6 # OSPFv3 for site-local IPv6
@ -245,13 +245,13 @@ in
ipv6 { ipv6 {
export where net = ::/0; export where net = ::/0;
}; };
area ${config.site.net.core.hosts4.${hostName}} { area 0 {
${builtins.concatStringsSep "\n" ( ${builtins.concatStringsSep "\n" (
builtins.attrValues ( builtins.attrValues (
builtins.mapAttrs (net: _: builtins.mapAttrs (net: _:
# Enable OSPF only on interfaces with a secret. # Enable OSPF only on interfaces with a secret.
lib.optionalString (config.site.net.${net}.ospf.secret != null) '' lib.optionalString (config.site.net.${net}.ospf.secret != null) ''
interface "${net}" instance 1 { interface "${net}" instance ${toString hostConf.ospf.upstreamInstance} {
authentication cryptographic; authentication cryptographic;
password "${config.site.net.${net}.ospf.secret}"; password "${config.site.net.${net}.ospf.secret}";
}; };
@ -263,26 +263,26 @@ in
} }
''} ''}
${lib.optionalString (builtins.match "anon.*" hostName != null) ( ${lib.optionalString (builtins.match "anon.*" hostName == null) (
builtins.foldl' ({ text, instance }: upstream: { builtins.foldl' ({ text, n }: upstream: {
text = '' text = ''
${text} ${text}
# OSPFv3 to receive a default route # OSPFv3 to receive a default route from ${upstream}
protocol ospf v3 ZW6_${upstream} { protocol ospf v3 ZW6_${upstream} {
ipv6 { ipv6 {
export filter { import filter {
preference = preference + 100 - ${toString instance}; preference = preference + ${toString (100 - n)};
accept; accept;
}; };
}; };
area ${config.site.net.core.hosts4.${upstream}} { area 0 {
${builtins.concatStringsSep "\n" ( ${builtins.concatStringsSep "\n" (
builtins.attrValues ( builtins.attrValues (
builtins.mapAttrs (net: _: builtins.mapAttrs (net: _:
# Enable OSPF only on interfaces with a secret. # Enable OSPF only on interfaces with a secret.
lib.optionalString (config.site.net.${net}.ospf.secret != null) '' lib.optionalString (config.site.net.${net}.ospf.secret != null) ''
interface "${net}" instance ${toString instance} { interface "${net}" instance ${toString config.site.hosts.${upstream}.ospf.upstreamInstance} {
authentication cryptographic; authentication cryptographic;
password "${config.site.net.${net}.ospf.secret}"; password "${config.site.net.${net}.ospf.secret}";
}; };
@ -293,8 +293,8 @@ in
}; };
} }
''; '';
instance = instance + 1; n = n + 1;
}) { text = ""; instance = 2; } config.site.hosts.${hostName}.ospf.allowedUpstreams }) { text = ""; n = 0; } hostConf.ospf.allowedUpstreams
).text} ).text}
# Zentralwerk DN42 # Zentralwerk DN42
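Review bot: `toString` of a null `upstreamInstance` is the empty string, so for a host that does not set the option (the gateways in the first file set only `allowedUpstreams`) the new `interface "${net}" instance ${toString hostConf.ospf.upstreamInstance} {` lines in the OSPFv3 and OSPFv2 site protocols render as `interface "<net>" instance  {`, which BIRD rejects when it loads the config; the same happens at `instance ${toString config.site.hosts.${upstream}.ospf.upstreamInstance}` when a host listed in `allowedUpstreams` omits the option. Unless the enclosing protocol block, which starts above the hunk, is already guarded, wrapping it in `lib.optionalString (hostConf.ospf.upstreamInstance != null)` or adding a module-level assertion would turn this into an evaluation-time error instead of a broken router config. Separately, the OSPFv3 fold's guard changes from `builtins.match "anon.*" hostName != null` to `== null`, so the ZW6_ default-route receivers now run on every non-anon host and no longer on anon hosts, while the OSPFv2 `table vpn4_table;` guard keeps the old sense; the commit message does not mention this, so if it is intended a comment such as `# anon hosts receive their IPv6 default route elsewhere — verify` above that line would stop the next reader from reverting it. The foldl' expressions and the surrounding bird config string continue past the hunk boundaries.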