swann: migrate to erbium
This commit is contained in:
parent
5e9e1146e1
commit
e93f012772
3 changed files with 166 additions and 137 deletions
|
@ -3,8 +3,8 @@ let
|
||||||
src = pkgs.fetchFromGitHub {
|
src = pkgs.fetchFromGitHub {
|
||||||
owner = "isomer";
|
owner = "isomer";
|
||||||
repo = "erbium";
|
repo = "erbium";
|
||||||
rev = "aff026d4f83ff055c704508d9a146ab12c901535";
|
rev = "1c4485addd6beeca39aa40340e4b31f04b5dad45";
|
||||||
hash = "sha256:1gn41dy8s0c8bq2dckrilf7dlc54hhq14n51nhf1rfhqrbzily3w";
|
hash = "sha256:0a8yrdqndp2dc7xzmkm42pzk0alx96y38ssr7fq4spyz0g19vpwx";
|
||||||
};
|
};
|
||||||
in
|
in
|
||||||
import src {
|
import src {
|
||||||
|
|
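--- a/ops/nixos/lib/erbium.nix
+++ b/ops/nixos/lib/erbium.nix
@@ -0,0 +1,56 @@
+# SPDX-FileCopyrightText: 2023 Luke Granger-Brown <depot@lukegb.com>
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# TODO: support erbium-conftest, which is in erbium-core.
+
+{ lib, pkgs, rebuilder, config, ... }:
+let
+cfg = config.services.erbium;
+settingsFormat = pkgs.formats.json {};
+
+configFile = settingsFormat.generate "erbium.conf.json" cfg.settings;
+in
+{
+options.services.erbium = {
+enable = lib.mkEnableOption "erbium";
+
+package = lib.mkOption {
+type = lib.types.package;
+};
+
+settings = lib.mkOption {
+type = lib.types.submodule {
+freeformType = settingsFormat.type;
+};
+default = {};
+description = "Configuration for Erbium";
+};
+};
+
+config = lib.mkIf cfg.enable {
+environment.etc."erbium.conf".source = configFile;
+
+systemd.services.erbium = {
+description = "Erbium Network Services";
+wantedBy = [ "multi-user.target" ];
+after = [ "network.target" ];
+restartTriggers = [ configFile ];
+
+serviceConfig = {
+ExecStart = "${cfg.package} /etc/erbium.conf";
+Type = "simple";
+Restart = "always";
+DynamicUser = true;
+User = "erbium";
+Group = "erbium";
+AmbientCapabilities = [
+"CAP_NET_RAW"
+"CAP_NET_BIND_SERVICE"
+];
+StateDirectory = "erbium";
+RuntimeDirectory = "erbium";
+};
+};
+};
+}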
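Review bot: The unit grants `CAP_NET_RAW` and `CAP_NET_BIND_SERVICE` through AmbientCapabilities but leaves the capability bounding set unrestricted, so the DynamicUser process still carries every other capability in its bounding set; adding `CapabilityBoundingSet = [ "CAP_NET_RAW" "CAP_NET_BIND_SERVICE" ];` next to AmbientCapabilities in serviceConfig pins it to the two it actually uses. `ExecStart = "${cfg.package} /etc/erbium.conf"` interpolates the package's store path itself; if `cfg.package` is an ordinary derivation rather than a single executable output, this needs `${lib.getExe cfg.package}` or `${cfg.package}/bin/erbium` — worth confirming against what depot.nix.pkgs.erbium evaluates to. The `package` option has no `description`, e.g. `description = "The erbium package to run.";`, and the `rebuilder` argument in the module's parameter set is unused.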
@ -10,6 +10,8 @@ in {
|
||||||
imports = [
|
imports = [
|
||||||
# We include this just so it sets some sysctls and firewall settings.
|
# We include this just so it sets some sysctls and firewall settings.
|
||||||
../lib/bgp.nix
|
../lib/bgp.nix
|
||||||
|
|
||||||
|
../lib/erbium.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
config = mkMerge [ {
|
config = mkMerge [ {
|
||||||
|
@ -411,82 +413,120 @@ in {
|
||||||
iptables -w -t nat -A nixos-nat-post -m mark --mark 2 -o wg-tuvok-gnet -j SNAT --to-source 92.118.30.253
|
iptables -w -t nat -A nixos-nat-post -m mark --mark 2 -o wg-tuvok-gnet -j SNAT --to-source 92.118.30.253
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
services.dhcpd4 = {
|
services.erbium = {
|
||||||
enable = true;
|
enable = true;
|
||||||
interfaces = ["br-internal" "vl-eduroam"];
|
package = depot.nix.pkgs.erbium;
|
||||||
authoritative = true;
|
settings = {
|
||||||
extraConfig = ''
|
addresses = [
|
||||||
shared-network int {
|
# internal
|
||||||
default-lease-time 3600;
|
"192.168.1.0/24" "92.118.30.16/28" "2a09:a443::/64" "2a09:a443:1::/48"
|
||||||
max-lease-time 86400;
|
|
||||||
option interface-mtu 1420; # Wireguard
|
|
||||||
|
|
||||||
subnet 192.168.1.0 netmask 255.255.255.0 {
|
# eduroam
|
||||||
option subnet-mask 255.255.255.0;
|
"192.168.10.0/24" "2a09:a443:2::/64" "2a09:a443:3::/48"
|
||||||
option routers 192.168.1.1;
|
];
|
||||||
option domain-name-servers 192.168.1.1;
|
|
||||||
option domain-name "house.as205479.net";
|
|
||||||
|
|
||||||
range 192.168.1.100 192.168.1.200;
|
dns-servers = [ "$self4" "$self6" ];
|
||||||
|
|
||||||
|
api-listeners = [ "[::1]:9968" ];
|
||||||
|
dns-listeners = [ "[::1]:11153" ]; # if we don't specify something then erbium crashes
|
||||||
|
|
||||||
|
router-advertisements = let
|
||||||
|
baseline = {
|
||||||
|
mtu = 1420;
|
||||||
|
lifetime = "1h";
|
||||||
|
reachable = "20m";
|
||||||
|
};
|
||||||
|
baselinePrefix = {
|
||||||
|
on-link = true;
|
||||||
|
autonomous = true;
|
||||||
|
valid = "30d";
|
||||||
|
preferred = "7d";
|
||||||
|
};
|
||||||
|
in {
|
||||||
|
br-internal = baseline // {
|
||||||
|
dns-servers.addresses = [ "2a09:a443::1" ];
|
||||||
|
dns-search.domains = [ "house.as205479.net" ];
|
||||||
|
|
||||||
|
prefixes = [(baselinePrefix // {
|
||||||
|
prefix = "2a09:a443::/64";
|
||||||
|
}) (baselinePrefix // {
|
||||||
|
prefix = "2a09:a443:1::/48";
|
||||||
|
autonomous = false;
|
||||||
|
})];
|
||||||
|
};
|
||||||
|
vl-eduroam = baseline // {
|
||||||
|
dns-servers.addresses = [ "2a09:a443:2::1" ];
|
||||||
|
dns-search.domains = [ "eduroam.as205479.net" ];
|
||||||
|
|
||||||
|
prefixes = [(baselinePrefix // {
|
||||||
|
prefix = "2a09:a443:2::/64";
|
||||||
|
}) (baselinePrefix // {
|
||||||
|
prefix = "2a09:a443:3::/48";
|
||||||
|
autonomous = false;
|
||||||
|
})];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
dhcp-policies = [
|
||||||
|
# public internal
|
||||||
|
{
|
||||||
|
apply-subnet = "92.118.30.16/28";
|
||||||
|
apply-domain-name = "house-ext.as205479.net";
|
||||||
|
apply-domain-name-servers = [ "92.118.30.17" ];
|
||||||
|
apply-routers = [ "92.118.30.17" ];
|
||||||
|
apply-interface-mtu = 1420;
|
||||||
|
policies = [{
|
||||||
|
match-hardware-address = "bc:33:29:26:01:5c";
|
||||||
|
apply-host-name = "ps5";
|
||||||
|
apply-address = "92.118.30.18";
|
||||||
|
}];
|
||||||
}
|
}
|
||||||
|
|
||||||
subnet 92.118.30.16 netmask 255.255.255.240 {
|
# private internal
|
||||||
option subnet-mask 255.255.255.240;
|
{
|
||||||
option routers 92.118.30.17;
|
match-subnet = "192.168.1.0/24";
|
||||||
option domain-name-servers 92.118.30.17;
|
apply-range.start = "192.168.1.100";
|
||||||
option domain-name "house-ext.as205479.net";
|
apply-range.end = "192.168.1.200";
|
||||||
|
apply-domain-name = "house.as205479.net";
|
||||||
|
apply-domain-name-servers = [ "192.168.1.1" ];
|
||||||
|
apply-routers = [ "192.168.1.1" ];
|
||||||
|
apply-interface-mtu = 1420;
|
||||||
|
policies = [{
|
||||||
|
match-hardware-address = "40:8d:5c:1f:e8:68";
|
||||||
|
apply-host-name = "totoro";
|
||||||
|
apply-address = "192.168.1.40";
|
||||||
|
} {
|
||||||
|
match-hardware-address = "52:54:00:cf:cd:94";
|
||||||
|
apply-host-name = "totoro-pfsense";
|
||||||
|
apply-address = "192.168.1.41";
|
||||||
|
} {
|
||||||
|
match-hardware-address = "00:0d:5d:1b:14:ba";
|
||||||
|
apply-host-name = "kvm";
|
||||||
|
apply-address = "192.168.1.50";
|
||||||
|
} {
|
||||||
|
match-hardware-address = "9c:93:4e:ad:1f:7b";
|
||||||
|
apply-host-name = "printer-xerox";
|
||||||
|
apply-address = "192.168.1.51";
|
||||||
|
} {
|
||||||
|
match-hardware-address = "84:39:be:77:65:52";
|
||||||
|
apply-host-name = "qvmpc6552";
|
||||||
|
apply-address = "192.168.1.60";
|
||||||
|
}];
|
||||||
}
|
}
|
||||||
}
|
|
||||||
|
|
||||||
subnet 192.168.10.0 netmask 255.255.255.0 {
|
|
||||||
option subnet-mask 255.255.255.0;
|
|
||||||
option routers 192.168.10.1;
|
|
||||||
option domain-name-servers 192.168.10.1;
|
|
||||||
option domain-name "eduroam.as205479.net";
|
|
||||||
default-lease-time 600;
|
|
||||||
max-lease-time 3600;
|
|
||||||
option interface-mtu 1420; # Wireguard
|
|
||||||
|
|
||||||
range 192.168.10.100 192.168.10.200;
|
# eduroam
|
||||||
}
|
{
|
||||||
'';
|
match-subnet = "192.168.10.0/24";
|
||||||
machines = [
|
apply-range.start = "192.168.10.10";
|
||||||
{
|
apply-range.end = "192.168.10.200";
|
||||||
hostName = "totoro";
|
apply-domain-name = "eduroam.as205479.net";
|
||||||
ethernetAddress = "40:8d:5c:1f:e8:68";
|
apply-domain-name-servers = [ "192.168.10.1" ];
|
||||||
ipAddress = "192.168.1.40";
|
apply-routers = [ "192.168.10.1" ];
|
||||||
}
|
apply-interface-mtu = 1420;
|
||||||
{
|
}
|
||||||
hostName = "totoro-pfsense";
|
];
|
||||||
ethernetAddress = "52:54:00:cf:cd:94";
|
};
|
||||||
ipAddress = "192.168.1.41";
|
|
||||||
}
|
|
||||||
{
|
|
||||||
hostName = "kvm";
|
|
||||||
ethernetAddress = "00:0d:5d:1b:14:ba";
|
|
||||||
ipAddress = "192.168.1.50";
|
|
||||||
}
|
|
||||||
{
|
|
||||||
hostName = "printer-xerox";
|
|
||||||
ethernetAddress = "9c:93:4e:ad:1f:7b";
|
|
||||||
ipAddress = "192.168.1.51";
|
|
||||||
}
|
|
||||||
{
|
|
||||||
hostName = "ps5";
|
|
||||||
ethernetAddress = "bc:33:29:26:01:5c";
|
|
||||||
# This is used for DNAT on RTMP, above.
|
|
||||||
ipAddress = "92.118.30.18";
|
|
||||||
}
|
|
||||||
{
|
|
||||||
hostName = "qvmpc6552";
|
|
||||||
ethernetAddress = "84:39:be:77:65:52";
|
|
||||||
ipAddress = "192.168.1.60";
|
|
||||||
}
|
|
||||||
];
|
|
||||||
};
|
|
||||||
systemd.services.dhcpd4 = {
|
|
||||||
wants = [ "systemd-networkd-wait-online.service" ];
|
|
||||||
after = [ "systemd-networkd-wait-online.service" ];
|
|
||||||
};
|
};
|
||||||
|
|
||||||
networking.firewall = {
|
networking.firewall = {
|
||||||
|
@ -716,73 +756,6 @@ in {
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
services.radvd = {
|
|
||||||
enable = true;
|
|
||||||
config = ''
|
|
||||||
interface br-internal {
|
|
||||||
AdvSendAdvert on;
|
|
||||||
AdvLinkMTU 1420; # Wireguard
|
|
||||||
AdvManagedFlag on;
|
|
||||||
|
|
||||||
RDNSS 2a09:a443::1 {};
|
|
||||||
DNSSL house.as205479.net {};
|
|
||||||
|
|
||||||
prefix 2a09:a443::/64 {
|
|
||||||
AdvOnLink on;
|
|
||||||
AdvAutonomous on;
|
|
||||||
};
|
|
||||||
prefix 2a09:a443:1::/48 {
|
|
||||||
AdvOnLink on;
|
|
||||||
AdvAutonomous off;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
interface vl-eduroam {
|
|
||||||
AdvSendAdvert on;
|
|
||||||
AdvLinkMTU 1420; # Wireguard
|
|
||||||
AdvManagedFlag on;
|
|
||||||
|
|
||||||
RDNSS 2a09:a443:2::1 {};
|
|
||||||
DNSSL eduroam.as205479.net {};
|
|
||||||
|
|
||||||
prefix 2a09:a443:2::/64 {
|
|
||||||
AdvOnLink on;
|
|
||||||
AdvAutonomous on;
|
|
||||||
};
|
|
||||||
prefix 2a09:a443:3::/48 {
|
|
||||||
AdvOnLink on;
|
|
||||||
AdvAutonomous off;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
services.dhcpd6 = {
|
|
||||||
enable = true;
|
|
||||||
interfaces = ["br-internal" "vl-eduroam"];
|
|
||||||
authoritative = true;
|
|
||||||
extraConfig = ''
|
|
||||||
subnet6 2a09:a443:1::/48 {
|
|
||||||
range6 2a09:a443:1:1::/64;
|
|
||||||
range6 2a09:a443:1:2::/64 temporary;
|
|
||||||
prefix6 2a09:a443:1:1000:: 2a09:a443:1:ff00:: /56;
|
|
||||||
|
|
||||||
option dhcp6.name-servers 2a09:a443:1::1;
|
|
||||||
option dhcp6.domain-search "house.as205479.net";
|
|
||||||
}
|
|
||||||
subnet6 2a09:a443:3::/48 {
|
|
||||||
range6 2a09:a443:3:1::/64;
|
|
||||||
range6 2a09:a443:3:2::/64 temporary;
|
|
||||||
prefix6 2a09:a443:3:1000:: 2a09:a443:3:ff00:: /56;
|
|
||||||
|
|
||||||
option dhcp6.name-servers 2a09:a443:3::1;
|
|
||||||
option dhcp6.domain-search "eduroam.as205479.net";
|
|
||||||
}
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
systemd.services.dhcpd6 = {
|
|
||||||
wants = [ "systemd-networkd-wait-online.service" ];
|
|
||||||
after = [ "systemd-networkd-wait-online.service" ];
|
|
||||||
};
|
|
||||||
|
|
||||||
systemd.services.prometheus-bird-exporter.serviceConfig.ExecStart = lib.mkForce ''
|
systemd.services.prometheus-bird-exporter.serviceConfig.ExecStart = lib.mkForce ''
|
||||||
${depot.pkgs.prometheus-bird-exporter-lfty}/bin/bird_exporter \
|
${depot.pkgs.prometheus-bird-exporter-lfty}/bin/bird_exporter \
|
||||||
-web.listen-address 0.0.0.0:9324 \
|
-web.listen-address 0.0.0.0:9324 \
|
||||||
|
|
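Review bot: The new erbium service loses the ordering the old DHCP units had: the removed `systemd.services.dhcpd4` block in this hunk (and `systemd.services.dhcpd6` in the last hunk) carried `wants`/`after` on `systemd-networkd-wait-online.service`, while the replacement `services.erbium` settings add nothing equivalent, so only the module's `after = [ "network.target" ]` remains and erbium may come up before br-internal and vl-eduroam exist, leaning on `Restart = "always"` to recover; `systemd.services.erbium = { wants = [ "systemd-networkd-wait-online.service" ]; after = [ "systemd-networkd-wait-online.service" ]; };` next to `services.erbium` would restore it. The last hunk also drops `services.dhcpd6` with its `range6`/`prefix6` delegation for 2a09:a443:1::/48 and 2a09:a443:3::/48, yet the new router-advertisements still announce those /48s with `autonomous = false`; unless erbium provides DHCPv6 here, clients get neither SLAAC nor stateful addresses from them, which deserves a comment if intentional. The comment `# This is used for DNAT on RTMP, above.` on the ps5 lease was not carried over; attaching it to the `apply-address = "92.118.30.18"` policy keeps that cross-reference. The enclosing `config = mkMerge [ {` attribute set begins before this hunk.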