From e93f0127721a6a3db619328f5cf3897303d80cba Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown
Date: Sun, 6 Aug 2023 17:06:18 +0100
Subject: [PATCH] swann: migrate to erbium
---
 nix/pkgs/erbium/default.nix | 4 +-
 ops/nixos/lib/erbium.nix | 56 +++++++++
 ops/nixos/swann/default.nix | 243 ++++++++++++++++--------------------
 3 files changed, 166 insertions(+), 137 deletions(-)
 create mode 100644 ops/nixos/lib/erbium.nix
diff --git a/nix/pkgs/erbium/default.nix b/nix/pkgs/erbium/default.nix
index 5c69f699ac..64880f1d77 100644
--- a/nix/pkgs/erbium/default.nix
+++ b/nix/pkgs/erbium/default.nix
@@ -3,8 +3,8 @@ let
 src = pkgs.fetchFromGitHub {
 owner = "isomer";
 repo = "erbium";
- rev = "aff026d4f83ff055c704508d9a146ab12c901535";
- hash = "sha256:1gn41dy8s0c8bq2dckrilf7dlc54hhq14n51nhf1rfhqrbzily3w";
+ rev = "1c4485addd6beeca39aa40340e4b31f04b5dad45";
+ hash = "sha256:0a8yrdqndp2dc7xzmkm42pzk0alx96y38ssr7fq4spyz0g19vpwx";
 };
 in import src {
diff --git a/ops/nixos/lib/erbium.nix b/ops/nixos/lib/erbium.nix
new file mode 100644
index 0000000000..fc18f752e3
--- /dev/null
+++ b/ops/nixos/lib/erbium.nix
@@ -0,0 +1,56 @@
+# SPDX-FileCopyrightText: 2023 Luke Granger-Brown
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# TODO: support erbium-conftest, which is in erbium-core.
+
+{ lib, pkgs, rebuilder, config, ... }:
+let
+ cfg = config.services.erbium;
+ settingsFormat = pkgs.formats.json {};
+
+ configFile = settingsFormat.generate "erbium.conf.json" cfg.settings;
+in
+{
+ options.services.erbium = {
+ enable = lib.mkEnableOption "erbium";
+
+ package = lib.mkOption {
+ type = lib.types.package;
+ };
+
+ settings = lib.mkOption {
+ type = lib.types.submodule {
+ freeformType = settingsFormat.type;
+ };
+ default = {};
+ description = "Configuration for Erbium";
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ environment.etc."erbium.conf".source = configFile;
+
+ systemd.services.erbium = {
+ description = "Erbium Network Services";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+ restartTriggers = [ configFile ];
+
+ serviceConfig = {
+ ExecStart = "${cfg.package} /etc/erbium.conf";
+ Type = "simple";
+ Restart = "always";
+ DynamicUser = true;
+ User = "erbium";
+ Group = "erbium";
+ AmbientCapabilities = [
+ "CAP_NET_RAW"
+ "CAP_NET_BIND_SERVICE"
+ ];
+ StateDirectory = "erbium";
+ RuntimeDirectory = "erbium";
+ };
+ };
+ };
+}
diff --git a/ops/nixos/swann/default.nix b/ops/nixos/swann/default.nix
index 843497a649..20b088eee5 100644
--- a/ops/nixos/swann/default.nix
+++ b/ops/nixos/swann/default.nix
@@ -10,6 +10,8 @@ in {
 imports = [
 # We include this just so it sets some sysctls and firewall settings.
 ../lib/bgp.nix
+
+ ../lib/erbium.nix
 ];
 config = mkMerge [ {
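Review bot: `serviceConfig` grants `CAP_NET_RAW` and `CAP_NET_BIND_SERVICE` through `AmbientCapabilities` but leaves the bounding set at its default, so the unit's maximum privilege is never declared; add `CapabilityBoundingSet = [ "CAP_NET_RAW" "CAP_NET_BIND_SERVICE" ];` beside it (`DynamicUser = true` already implies NoNewPrivileges and ProtectSystem=strict, so no further sandboxing is needed for that). `after = [ "network.target" ]` is also weaker than the `wants`/`after` on `systemd-networkd-wait-online.service` that the dhcpd4/dhcpd6 units deleted in ops/nixos/swann/default.nix carried, and with `Restart = "always"` an erbium start before br-internal/vl-eduroam exist would presumably only show up as a restart loop in the journal, so consider re-adding `systemd.services.erbium.wants = [ "systemd-networkd-wait-online.service" ];` and the matching `after` on swann's side as the old units did. `ExecStart = "${cfg.package} /etc/erbium.conf"` interpolates the package's outPath, which for an ordinary derivation is the store directory rather than an executable, so this only works if depot's erbium package exposes the binary as its outPath — worth a one-line comment either way, or `${cfg.package}/bin/erbium` if it does not. The `package` option has neither `default` nor `description`; a `description = "The erbium package whose binary the service runs.";` would at least document what is expected there.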
@@ -411,82 +413,120 @@ in {
 iptables -w -t nat -A nixos-nat-post -m mark --mark 2 -o wg-tuvok-gnet -j SNAT --to-source 92.118.30.253
 '';
 };
- services.dhcpd4 = {
+ services.erbium = {
 enable = true;
- interfaces = ["br-internal" "vl-eduroam"];
- authoritative = true;
- extraConfig = ''
- shared-network int {
- default-lease-time 3600;
- max-lease-time 86400;
- option interface-mtu 1420; # Wireguard
+ package = depot.nix.pkgs.erbium;
+ settings = {
+ addresses = [
+ # internal
+ "192.168.1.0/24" "92.118.30.16/28" "2a09:a443::/64" "2a09:a443:1::/48"
- subnet 192.168.1.0 netmask 255.255.255.0 {
- option subnet-mask 255.255.255.0;
- option routers 192.168.1.1;
- option domain-name-servers 192.168.1.1;
- option domain-name "house.as205479.net";
+ # eduroam
+ "192.168.10.0/24" "2a09:a443:2::/64" "2a09:a443:3::/48"
+ ];
- range 192.168.1.100 192.168.1.200;
+ dns-servers = [ "$self4" "$self6" ];
+
+ api-listeners = [ "[::1]:9968" ];
+ dns-listeners = [ "[::1]:11153" ]; # if we don't specify something then erbium crashes
+
+ router-advertisements = let
+ baseline = {
+ mtu = 1420;
+ lifetime = "1h";
+ reachable = "20m";
+ };
+ baselinePrefix = {
+ on-link = true;
+ autonomous = true;
+ valid = "30d";
+ preferred = "7d";
+ };
+ in {
+ br-internal = baseline // {
+ dns-servers.addresses = [ "2a09:a443::1" ];
+ dns-search.domains = [ "house.as205479.net" ];
+
+ prefixes = [(baselinePrefix // {
+ prefix = "2a09:a443::/64";
+ }) (baselinePrefix // {
+ prefix = "2a09:a443:1::/48";
+ autonomous = false;
+ })];
+ };
+ vl-eduroam = baseline // {
+ dns-servers.addresses = [ "2a09:a443:2::1" ];
+ dns-search.domains = [ "eduroam.as205479.net" ];
+
+ prefixes = [(baselinePrefix // {
+ prefix = "2a09:a443:2::/64";
+ }) (baselinePrefix // {
+ prefix = "2a09:a443:3::/48";
+ autonomous = false;
+ })];
+ };
+ };
+
+ dhcp-policies = [
+ # public internal
+ {
+ apply-subnet = "92.118.30.16/28";
+ apply-domain-name = "house-ext.as205479.net";
+ apply-domain-name-servers = [ "92.118.30.17" ];
+ apply-routers = [ "92.118.30.17" ];
+ apply-interface-mtu = 1420;
+ policies = [{
+ match-hardware-address = "bc:33:29:26:01:5c";
+ apply-host-name = "ps5";
+ apply-address = "92.118.30.18";
+ }];
 }
- subnet 92.118.30.16 netmask 255.255.255.240 {
- option subnet-mask 255.255.255.240;
- option routers 92.118.30.17;
- option domain-name-servers 92.118.30.17;
- option domain-name "house-ext.as205479.net";
+ # private internal
+ {
+ match-subnet = "192.168.1.0/24";
+ apply-range.start = "192.168.1.100";
+ apply-range.end = "192.168.1.200";
+ apply-domain-name = "house.as205479.net";
+ apply-domain-name-servers = [ "192.168.1.1" ];
+ apply-routers = [ "192.168.1.1" ];
+ apply-interface-mtu = 1420;
+ policies = [{
+ match-hardware-address = "40:8d:5c:1f:e8:68";
+ apply-host-name = "totoro";
+ apply-address = "192.168.1.40";
+ } {
+ match-hardware-address = "52:54:00:cf:cd:94";
+ apply-host-name = "totoro-pfsense";
+ apply-address = "192.168.1.41";
+ } {
+ match-hardware-address = "00:0d:5d:1b:14:ba";
+ apply-host-name = "kvm";
+ apply-address = "192.168.1.50";
+ } {
+ match-hardware-address = "9c:93:4e:ad:1f:7b";
+ apply-host-name = "printer-xerox";
+ apply-address = "192.168.1.51";
+ } {
+ match-hardware-address = "84:39:be:77:65:52";
+ apply-host-name = "qvmpc6552";
+ apply-address = "192.168.1.60";
+ }];
 }
- }
- subnet 192.168.10.0 netmask 255.255.255.0 {
- option subnet-mask 255.255.255.0;
- option routers 192.168.10.1;
- option domain-name-servers 192.168.10.1;
- option domain-name "eduroam.as205479.net";
- default-lease-time 600;
- max-lease-time 3600;
- option interface-mtu 1420; # Wireguard
- range 192.168.10.100 192.168.10.200;
- }
- '';
- machines = [
- {
- hostName = "totoro";
- ethernetAddress = "40:8d:5c:1f:e8:68";
- ipAddress = "192.168.1.40";
- }
- {
- hostName = "totoro-pfsense";
- ethernetAddress = "52:54:00:cf:cd:94";
- ipAddress = "192.168.1.41";
- }
- {
- hostName = "kvm";
- ethernetAddress = "00:0d:5d:1b:14:ba";
- ipAddress = "192.168.1.50";
- }
- {
- hostName = "printer-xerox";
- ethernetAddress = "9c:93:4e:ad:1f:7b";
- ipAddress = "192.168.1.51";
- }
- {
- hostName = "ps5";
- ethernetAddress = "bc:33:29:26:01:5c";
- # This is used for DNAT on RTMP, above.
- ipAddress = "92.118.30.18";
- }
- {
- hostName = "qvmpc6552";
- ethernetAddress = "84:39:be:77:65:52";
- ipAddress = "192.168.1.60";
- }
- ];
- };
- systemd.services.dhcpd4 = {
- wants = [ "systemd-networkd-wait-online.service" ];
- after = [ "systemd-networkd-wait-online.service" ];
+ # eduroam
+ {
+ match-subnet = "192.168.10.0/24";
+ apply-range.start = "192.168.10.10";
+ apply-range.end = "192.168.10.200";
+ apply-domain-name = "eduroam.as205479.net";
+ apply-domain-name-servers = [ "192.168.10.1" ];
+ apply-routers = [ "192.168.10.1" ];
+ apply-interface-mtu = 1420;
+ }
+ ];
+ };
 };
 networking.firewall = {
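Review bot: The first `dhcp-policies` entry selects with `apply-subnet = "92.118.30.16/28"` while the second and third use `match-subnet`, so unless erbium treats a policy with no `match-*` key as matching nothing, its `house-ext.as205479.net` domain, DNS server and router are applied to every request until a later policy overrides them; if that is intended (the entry only carries the per-MAC `ps5` rule and no `apply-range`), a one-line comment saying so would stop the next reader from "fixing" it. The ps5 lease also lost `# This is used for DNAT on RTMP, above.`, which was the only explanation of why `92.118.30.18` is pinned; restore it above `match-hardware-address = "bc:33:29:26:01:5c";`. The eduroam pool now starts at `192.168.10.10` rather than `.100`, and the shorter eduroam leases (`default-lease-time 600` / `max-lease-time 3600`) have no counterpart in the new settings, so presumably erbium's defaults apply — worth confirming, since the old config chose them deliberately. The DHCPv6 configuration deleted in the `@@ -716,73` hunk (the `range6` pools and `/56` `prefix6` delegation out of `2a09:a443:1::/48` and `2a09:a443:3::/48`, plus radvd's `AdvManagedFlag on`) has no replacement here while both /48s are still advertised with `autonomous = false`, so nothing assigns from them any more unless erbium does so implicitly.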
@@ -716,73 +756,6 @@ in {
 '';
 };
- services.radvd = {
- enable = true;
- config = ''
- interface br-internal {
- AdvSendAdvert on;
- AdvLinkMTU 1420; # Wireguard
- AdvManagedFlag on;
-
- RDNSS 2a09:a443::1 {};
- DNSSL house.as205479.net {};
-
- prefix 2a09:a443::/64 {
- AdvOnLink on;
- AdvAutonomous on;
- };
- prefix 2a09:a443:1::/48 {
- AdvOnLink on;
- AdvAutonomous off;
- };
- };
- interface vl-eduroam {
- AdvSendAdvert on;
- AdvLinkMTU 1420; # Wireguard
- AdvManagedFlag on;
-
- RDNSS 2a09:a443:2::1 {};
- DNSSL eduroam.as205479.net {};
-
- prefix 2a09:a443:2::/64 {
- AdvOnLink on;
- AdvAutonomous on;
- };
- prefix 2a09:a443:3::/48 {
- AdvOnLink on;
- AdvAutonomous off;
- };
- };
- '';
- };
- services.dhcpd6 = {
- enable = true;
- interfaces = ["br-internal" "vl-eduroam"];
- authoritative = true;
- extraConfig = ''
- subnet6 2a09:a443:1::/48 {
- range6 2a09:a443:1:1::/64;
- range6 2a09:a443:1:2::/64 temporary;
- prefix6 2a09:a443:1:1000:: 2a09:a443:1:ff00:: /56;
-
- option dhcp6.name-servers 2a09:a443:1::1;
- option dhcp6.domain-search "house.as205479.net";
- }
- subnet6 2a09:a443:3::/48 {
- range6 2a09:a443:3:1::/64;
- range6 2a09:a443:3:2::/64 temporary;
- prefix6 2a09:a443:3:1000:: 2a09:a443:3:ff00:: /56;
-
- option dhcp6.name-servers 2a09:a443:3::1;
- option dhcp6.domain-search "eduroam.as205479.net";
- }
- '';
- };
- systemd.services.dhcpd6 = {
- wants = [ "systemd-networkd-wait-online.service" ];
- after = [ "systemd-networkd-wait-online.service" ];
- };
-
 systemd.services.prometheus-bird-exporter.serviceConfig.ExecStart = lib.mkForce ''
 ${depot.pkgs.prometheus-bird-exporter-lfty}/bin/bird_exporter \
 -web.listen-address 0.0.0.0:9324 \