commit 3cd403a26b5da51a2423d6a2c60bdc1327149706
parent 6349621e2d2a69a8104a1451e36f83273937a8b5
Author: Katja (zaphyra) <git@ctu.cx>
Date: Mon, 9 Jun 2025 16:13:24 +0200
parent 6349621e2d2a69a8104a1451e36f83273937a8b5
Author: Katja (zaphyra) <git@ctu.cx>
Date: Mon, 9 Jun 2025 16:13:24 +0200
config/nixos/modules/networking/dn42: nix-fmt
1 file changed, 141 insertions(+), 121 deletions(-)
M
|
262
++++++++++++++++++++++++++++++++++++++++++-------------------------------------
diff --git a/config/nixos/modules/networking/dn42.nix b/config/nixos/modules/networking/dn42.nix 
@@ -31,67 +31,83 @@ in
       type = types.str;
     };
     peerings = {
-      default = {};
-      type = with types; attrsOf (submodule {
-        options = {
-          asn = lib.mkOption { type = types.int; };
-          ownLinkLocalAddress = lib.mkOption {
-            type = types.str;
-            default = "fe80::6b61/64";
-          };
-          linkLocalAddress = lib.mkOption { type = types.str; };
-          endpoint = lib.mkOption {
-            type = with types; nullOr str;
-            default = null;
+      default = { };
+      type =
+        with types;
+        attrsOf (submodule {
+          options = {
+            asn = lib.mkOption { type = types.int; };
+            ownLinkLocalAddress = lib.mkOption {
+              type = types.str;
+              default = "fe80::6b61/64";
+            };
+            linkLocalAddress = lib.mkOption { type = types.str; };
+            endpoint = lib.mkOption {
+              type = with types; nullOr str;
+              default = null;
+            };
+            publicKey = lib.mkOption { type = types.str; };
+            listenPort = lib.mkOption { type = types.int; };
           };
-          publicKey = lib.mkOption { type = types.str; };
-          listenPort = lib.mkOption { type = types.int; };
-        };
-      });
+        });
     };
   };
 
   config = lib.mkIf cfg.enable {
-    networking.firewall.allowedUDPPorts = lib.mapAttrsToList (name: peerConfig: peerConfig.listenPort) cfg.peerings;
-
-    sops.secrets = lib.mapAttrs' (name: peerConfig: lib.nameValuePair "dn42/peerings/${name}/wgPrivateKey" {
-      owner = "systemd-network";
-      group = "systemd-network";
-    }) cfg.peerings;
+    networking.firewall.allowedUDPPorts = lib.mapAttrsToList (
+      name: peerConfig: peerConfig.listenPort
+    ) cfg.peerings;
+
+    sops.secrets = lib.mapAttrs' (
+      name: peerConfig:
+      lib.nameValuePair "dn42/peerings/${name}/wgPrivateKey" {
+        owner = "systemd-network";
+        group = "systemd-network";
+      }
+    ) cfg.peerings;
 
     systemd.network = {
-      netdevs = lib.mapAttrs' (name: peerConfig: lib.nameValuePair "dn42${name}" {
-        netdevConfig = {
-          Kind = "wireguard";
-          Name = "dn42${name}";
-        };
-        wireguardConfig = {
-          ListenPort = peerConfig.listenPort;
-          PrivateKeyFile = config.sops.secrets."dn42/peerings/${name}/wgPrivateKey".path;
-        };
-        wireguardPeers = [
-          {
-            PersistentKeepalive = 30;
-            Endpoint = lib.mkIf (!builtins.isNull peerConfig.endpoint) peerConfig.endpoint;
-            PublicKey = peerConfig.publicKey;
-            AllowedIPs = [ "fd00::/8" peerConfig.linkLocalAddress ];
-          }
-        ];
-      }) cfg.peerings;
-
-      networks = lib.mapAttrs' (name: peerConfig: lib.nameValuePair "dn42${name}" {
-        matchConfig.Name = "dn42${name}";
-        linkConfig.RequiredForOnline = "no";
-
-        address = [ peerConfig.ownLinkLocalAddress ];
-        routes = [ { Destination = "fe80::6b61/128"; } ];
-
-        networkConfig = {
-          IPv6Forwarding = true;
-          IPv6AcceptRA = false;
-          DHCP = false;
-        };
-      }) cfg.peerings;
+      netdevs = lib.mapAttrs' (
+        name: peerConfig:
+        lib.nameValuePair "dn42${name}" {
+          netdevConfig = {
+            Kind = "wireguard";
+            Name = "dn42${name}";
+          };
+          wireguardConfig = {
+            ListenPort = peerConfig.listenPort;
+            PrivateKeyFile = config.sops.secrets."dn42/peerings/${name}/wgPrivateKey".path;
+          };
+          wireguardPeers = [
+            {
+              PersistentKeepalive = 30;
+              Endpoint = lib.mkIf (!builtins.isNull peerConfig.endpoint) peerConfig.endpoint;
+              PublicKey = peerConfig.publicKey;
+              AllowedIPs = [
+                "fd00::/8"
+                peerConfig.linkLocalAddress
+              ];
+            }
+          ];
+        }
+      ) cfg.peerings;
+
+      networks = lib.mapAttrs' (
+        name: peerConfig:
+        lib.nameValuePair "dn42${name}" {
+          matchConfig.Name = "dn42${name}";
+          linkConfig.RequiredForOnline = "no";
+
+          address = [ peerConfig.ownLinkLocalAddress ];
+          routes = [ { Destination = "fe80::6b61/128"; } ];
+
+          networkConfig = {
+            IPv6Forwarding = true;
+            IPv6AcceptRA = false;
+            DHCP = false;
+          };
+        }
+      ) cfg.peerings;
     };
 
     systemd.services.updateDN42ROA = {
@@ -115,87 +131,91 @@ in cat -n bird.conf # here for debugging purposes ''; - config = '' - log syslog { debug, trace, info, remote, warning, error, auth, fatal, bug }; - log stderr all; + config = + '' + log syslog { debug, trace, info, remote, warning, error, auth, fatal, bug }; + log stderr all; - define OWNAS = ${toString cfg.asn}; - define OWNNETv6 = ${cfg.range}; - define OWNNETSETv6 = [ ${cfg.range} ]; - define OWNIPv6 = ${cfg.address}; + define OWNAS = ${toString cfg.asn}; + define OWNNETv6 = ${cfg.range}; + define OWNNETSETv6 = [ ${cfg.range} ]; + define OWNIPv6 = ${cfg.address}; - router id ${toString cfg.routerId}; - hostname "${config.networking.hostName}"; + router id ${toString cfg.routerId}; + hostname "${config.networking.hostName}"; - protocol device { - scan time 10; - } + protocol device { + scan time 10; + } - function is_self_net_v6() -> bool { - return net ~ OWNNETSETv6; - } + function is_self_net_v6() -> bool { + return net ~ OWNNETSETv6; + } - function is_valid_network_v6() -> bool { - return net ~ [ - fd00::/8{44,64} # ULA address space as per RFC 4193 - ]; - } + function is_valid_network_v6() -> bool { + return net ~ [ + fd00::/8{44,64} # ULA address space as per RFC 4193 + ]; + } - roa6 table dn42_roa_v6; + roa6 table dn42_roa_v6; - protocol static { - roa6 { table dn42_roa_v6; }; - include "/etc/bird/roa_dn42.conf"; - }; + protocol static { + roa6 { table dn42_roa_v6; }; + include "/etc/bird/roa_dn42.conf"; + }; - # dn42 default route - protocol static { - route OWNNETv6 unreachable; + # dn42 default route + protocol static { + route OWNNETv6 unreachable; - ipv6 { - import all; - export none; - }; - } + ipv6 { + import all; + export none; + }; + } - protocol kernel { - scan time 20; + protocol kernel { + scan time 20; - ipv6 { - import none; - export filter { - if source = RTS_STATIC then reject; # dont export static routes - krt_prefsrc = OWNIPv6; # preferred outgoing source address - accept; + ipv6 { + import none; + export filter { + 
if source = RTS_STATIC then reject; # dont export static routes + krt_prefsrc = OWNIPv6; # preferred outgoing source address + accept; + }; }; }; - }; - - template bgp dnpeers { - local as OWNAS; - path metric 1; - - ipv6 { - import filter { - if is_valid_network_v6() && !is_self_net_v6() then { - if (roa_check(dn42_roa_v6, net, bgp_path.last) != ROA_VALID) then { - # Reject when unknown or invalid according to ROA - print "[dn42] ROA check failed for ", net, " ASN ", bgp_path.last; - reject; - } else accept; - } else reject; - }; - export filter { if is_valid_network_v6() && source ~ [RTS_STATIC, RTS_BGP] then accept; else reject; }; - import limit 9000 action block; - }; - } - '' + (lib.concatStringsSep "\n" (lib.mapAttrsToList (name: peerConfig: '' - protocol bgp ${name} from dnpeers { - neighbor ${peerConfig.linkLocalAddress}%dn42${name} as ${toString peerConfig.asn}; - enable extended messages; - } - '') cfg.peerings)); + template bgp dnpeers { + local as OWNAS; + path metric 1; + + ipv6 { + import filter { + if is_valid_network_v6() && !is_self_net_v6() then { + if (roa_check(dn42_roa_v6, net, bgp_path.last) != ROA_VALID) then { + # Reject when unknown or invalid according to ROA + print "[dn42] ROA check failed for ", net, " ASN ", bgp_path.last; + reject; + } else accept; + } else reject; + }; + + export filter { if is_valid_network_v6() && source ~ [RTS_STATIC, RTS_BGP] then accept; else reject; }; + import limit 9000 action block; + }; + } + '' + + (lib.concatStringsSep "\n" ( + lib.mapAttrsToList (name: peerConfig: '' + protocol bgp ${name} from dnpeers { + neighbor ${peerConfig.linkLocalAddress}%dn42${name} as ${toString peerConfig.asn}; + enable extended messages; + } + '') cfg.peerings + )); }; };