swann: migrate to erbium
This commit is contained in:
parent
5e9e1146e1
commit
e93f012772
3 changed files with 166 additions and 137 deletions
|
@ -3,8 +3,8 @@ let
|
|||
src = pkgs.fetchFromGitHub {
|
||||
owner = "isomer";
|
||||
repo = "erbium";
|
||||
rev = "aff026d4f83ff055c704508d9a146ab12c901535";
|
||||
hash = "sha256:1gn41dy8s0c8bq2dckrilf7dlc54hhq14n51nhf1rfhqrbzily3w";
|
||||
rev = "1c4485addd6beeca39aa40340e4b31f04b5dad45";
|
||||
hash = "sha256:0a8yrdqndp2dc7xzmkm42pzk0alx96y38ssr7fq4spyz0g19vpwx";
|
||||
};
|
||||
in
|
||||
import src {
|
||||
|
|
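--- /dev/null
+++ b/ops/nixos/lib/erbium.nix
@@ -0,0 +1,56 @@
+# SPDX-FileCopyrightText: 2023 Luke Granger-Brown <depot@lukegb.com>
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# TODO: support erbium-conftest, which is in erbium-core.
+
+{ lib, pkgs, rebuilder, config, ... }:
+let
+cfg = config.services.erbium;
+settingsFormat = pkgs.formats.json {};
+
+configFile = settingsFormat.generate "erbium.conf.json" cfg.settings;
+in
+{
+options.services.erbium = {
+enable = lib.mkEnableOption "erbium";
+
+package = lib.mkOption {
+type = lib.types.package;
+};
+
+settings = lib.mkOption {
+type = lib.types.submodule {
+freeformType = settingsFormat.type;
+};
+default = {};
+description = "Configuration for Erbium";
+};
+};
+
+config = lib.mkIf cfg.enable {
+environment.etc."erbium.conf".source = configFile;
+
+systemd.services.erbium = {
+description = "Erbium Network Services";
+wantedBy = [ "multi-user.target" ];
+after = [ "network.target" ];
+restartTriggers = [ configFile ];
+
+serviceConfig = {
+ExecStart = "${cfg.package} /etc/erbium.conf";
+Type = "simple";
+Restart = "always";
+DynamicUser = true;
+User = "erbium";
+Group = "erbium";
+AmbientCapabilities = [
+"CAP_NET_RAW"
+"CAP_NET_BIND_SERVICE"
+];
+StateDirectory = "erbium";
+RuntimeDirectory = "erbium";
+};
+};
+};
+}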
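Review bot: `AmbientCapabilities` in `serviceConfig` is not paired with a `CapabilityBoundingSet`, so the unit's bounding set stays at systemd's default rather than being narrowed to the two capabilities the daemon needs; the usual pairing is `CapabilityBoundingSet = [ "CAP_NET_RAW" "CAP_NET_BIND_SERVICE" ];` next to it. `ExecStart = "${cfg.package} /etc/erbium.conf"` executes the bare store path of `cfg.package`, which for an ordinary derivation is a directory, so this only works if the package's outPath is the erbium binary itself — confirm that, or point at the binary inside the package. The `package` option has neither a `default` nor a `description`, so enabling the service without setting it fails at evaluation; adding `description = "The erbium package to run.";` (and a default, if one is reachable from this module's arguments) would make the module self-contained. Since `environment.etc."erbium.conf"` renders `cfg.settings` as a world-readable file under /etc, the `settings` description could state that the configuration must not contain secrets.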
|
@ -10,6 +10,8 @@ in {
|
|||
imports = [
|
||||
# We include this just so it sets some sysctls and firewall settings.
|
||||
../lib/bgp.nix
|
||||
|
||||
../lib/erbium.nix
|
||||
];
|
||||
|
||||
config = mkMerge [ {
|
||||
|
@ -411,82 +413,120 @@ in {
|
|||
iptables -w -t nat -A nixos-nat-post -m mark --mark 2 -o wg-tuvok-gnet -j SNAT --to-source 92.118.30.253
|
||||
'';
|
||||
};
|
||||
services.dhcpd4 = {
|
||||
services.erbium = {
|
||||
enable = true;
|
||||
interfaces = ["br-internal" "vl-eduroam"];
|
||||
authoritative = true;
|
||||
extraConfig = ''
|
||||
shared-network int {
|
||||
default-lease-time 3600;
|
||||
max-lease-time 86400;
|
||||
option interface-mtu 1420; # Wireguard
|
||||
package = depot.nix.pkgs.erbium;
|
||||
settings = {
|
||||
addresses = [
|
||||
# internal
|
||||
"192.168.1.0/24" "92.118.30.16/28" "2a09:a443::/64" "2a09:a443:1::/48"
|
||||
|
||||
subnet 192.168.1.0 netmask 255.255.255.0 {
|
||||
option subnet-mask 255.255.255.0;
|
||||
option routers 192.168.1.1;
|
||||
option domain-name-servers 192.168.1.1;
|
||||
option domain-name "house.as205479.net";
|
||||
# eduroam
|
||||
"192.168.10.0/24" "2a09:a443:2::/64" "2a09:a443:3::/48"
|
||||
];
|
||||
|
||||
range 192.168.1.100 192.168.1.200;
|
||||
dns-servers = [ "$self4" "$self6" ];
|
||||
|
||||
api-listeners = [ "[::1]:9968" ];
|
||||
dns-listeners = [ "[::1]:11153" ]; # if we don't specify something then erbium crashes
|
||||
|
||||
router-advertisements = let
|
||||
baseline = {
|
||||
mtu = 1420;
|
||||
lifetime = "1h";
|
||||
reachable = "20m";
|
||||
};
|
||||
baselinePrefix = {
|
||||
on-link = true;
|
||||
autonomous = true;
|
||||
valid = "30d";
|
||||
preferred = "7d";
|
||||
};
|
||||
in {
|
||||
br-internal = baseline // {
|
||||
dns-servers.addresses = [ "2a09:a443::1" ];
|
||||
dns-search.domains = [ "house.as205479.net" ];
|
||||
|
||||
prefixes = [(baselinePrefix // {
|
||||
prefix = "2a09:a443::/64";
|
||||
}) (baselinePrefix // {
|
||||
prefix = "2a09:a443:1::/48";
|
||||
autonomous = false;
|
||||
})];
|
||||
};
|
||||
vl-eduroam = baseline // {
|
||||
dns-servers.addresses = [ "2a09:a443:2::1" ];
|
||||
dns-search.domains = [ "eduroam.as205479.net" ];
|
||||
|
||||
prefixes = [(baselinePrefix // {
|
||||
prefix = "2a09:a443:2::/64";
|
||||
}) (baselinePrefix // {
|
||||
prefix = "2a09:a443:3::/48";
|
||||
autonomous = false;
|
||||
})];
|
||||
};
|
||||
};
|
||||
|
||||
dhcp-policies = [
|
||||
# public internal
|
||||
{
|
||||
apply-subnet = "92.118.30.16/28";
|
||||
apply-domain-name = "house-ext.as205479.net";
|
||||
apply-domain-name-servers = [ "92.118.30.17" ];
|
||||
apply-routers = [ "92.118.30.17" ];
|
||||
apply-interface-mtu = 1420;
|
||||
policies = [{
|
||||
match-hardware-address = "bc:33:29:26:01:5c";
|
||||
apply-host-name = "ps5";
|
||||
apply-address = "92.118.30.18";
|
||||
}];
|
||||
}
|
||||
|
||||
subnet 92.118.30.16 netmask 255.255.255.240 {
|
||||
option subnet-mask 255.255.255.240;
|
||||
option routers 92.118.30.17;
|
||||
option domain-name-servers 92.118.30.17;
|
||||
option domain-name "house-ext.as205479.net";
|
||||
}
|
||||
# private internal
|
||||
{
|
||||
match-subnet = "192.168.1.0/24";
|
||||
apply-range.start = "192.168.1.100";
|
||||
apply-range.end = "192.168.1.200";
|
||||
apply-domain-name = "house.as205479.net";
|
||||
apply-domain-name-servers = [ "192.168.1.1" ];
|
||||
apply-routers = [ "192.168.1.1" ];
|
||||
apply-interface-mtu = 1420;
|
||||
policies = [{
|
||||
match-hardware-address = "40:8d:5c:1f:e8:68";
|
||||
apply-host-name = "totoro";
|
||||
apply-address = "192.168.1.40";
|
||||
} {
|
||||
match-hardware-address = "52:54:00:cf:cd:94";
|
||||
apply-host-name = "totoro-pfsense";
|
||||
apply-address = "192.168.1.41";
|
||||
} {
|
||||
match-hardware-address = "00:0d:5d:1b:14:ba";
|
||||
apply-host-name = "kvm";
|
||||
apply-address = "192.168.1.50";
|
||||
} {
|
||||
match-hardware-address = "9c:93:4e:ad:1f:7b";
|
||||
apply-host-name = "printer-xerox";
|
||||
apply-address = "192.168.1.51";
|
||||
} {
|
||||
match-hardware-address = "84:39:be:77:65:52";
|
||||
apply-host-name = "qvmpc6552";
|
||||
apply-address = "192.168.1.60";
|
||||
}];
|
||||
}
|
||||
|
||||
subnet 192.168.10.0 netmask 255.255.255.0 {
|
||||
option subnet-mask 255.255.255.0;
|
||||
option routers 192.168.10.1;
|
||||
option domain-name-servers 192.168.10.1;
|
||||
option domain-name "eduroam.as205479.net";
|
||||
default-lease-time 600;
|
||||
max-lease-time 3600;
|
||||
option interface-mtu 1420; # Wireguard
|
||||
|
||||
range 192.168.10.100 192.168.10.200;
|
||||
}
|
||||
'';
|
||||
machines = [
|
||||
# eduroam
|
||||
{
|
||||
hostName = "totoro";
|
||||
ethernetAddress = "40:8d:5c:1f:e8:68";
|
||||
ipAddress = "192.168.1.40";
|
||||
}
|
||||
{
|
||||
hostName = "totoro-pfsense";
|
||||
ethernetAddress = "52:54:00:cf:cd:94";
|
||||
ipAddress = "192.168.1.41";
|
||||
}
|
||||
{
|
||||
hostName = "kvm";
|
||||
ethernetAddress = "00:0d:5d:1b:14:ba";
|
||||
ipAddress = "192.168.1.50";
|
||||
}
|
||||
{
|
||||
hostName = "printer-xerox";
|
||||
ethernetAddress = "9c:93:4e:ad:1f:7b";
|
||||
ipAddress = "192.168.1.51";
|
||||
}
|
||||
{
|
||||
hostName = "ps5";
|
||||
ethernetAddress = "bc:33:29:26:01:5c";
|
||||
# This is used for DNAT on RTMP, above.
|
||||
ipAddress = "92.118.30.18";
|
||||
}
|
||||
{
|
||||
hostName = "qvmpc6552";
|
||||
ethernetAddress = "84:39:be:77:65:52";
|
||||
ipAddress = "192.168.1.60";
|
||||
match-subnet = "192.168.10.0/24";
|
||||
apply-range.start = "192.168.10.10";
|
||||
apply-range.end = "192.168.10.200";
|
||||
apply-domain-name = "eduroam.as205479.net";
|
||||
apply-domain-name-servers = [ "192.168.10.1" ];
|
||||
apply-routers = [ "192.168.10.1" ];
|
||||
apply-interface-mtu = 1420;
|
||||
}
|
||||
];
|
||||
};
|
||||
systemd.services.dhcpd4 = {
|
||||
wants = [ "systemd-networkd-wait-online.service" ];
|
||||
after = [ "systemd-networkd-wait-online.service" ];
|
||||
};
|
||||
|
||||
networking.firewall = {
|
||||
|
@ -716,73 +756,6 @@ in {
|
|||
'';
|
||||
};
|
||||
|
||||
services.radvd = {
|
||||
enable = true;
|
||||
config = ''
|
||||
interface br-internal {
|
||||
AdvSendAdvert on;
|
||||
AdvLinkMTU 1420; # Wireguard
|
||||
AdvManagedFlag on;
|
||||
|
||||
RDNSS 2a09:a443::1 {};
|
||||
DNSSL house.as205479.net {};
|
||||
|
||||
prefix 2a09:a443::/64 {
|
||||
AdvOnLink on;
|
||||
AdvAutonomous on;
|
||||
};
|
||||
prefix 2a09:a443:1::/48 {
|
||||
AdvOnLink on;
|
||||
AdvAutonomous off;
|
||||
};
|
||||
};
|
||||
interface vl-eduroam {
|
||||
AdvSendAdvert on;
|
||||
AdvLinkMTU 1420; # Wireguard
|
||||
AdvManagedFlag on;
|
||||
|
||||
RDNSS 2a09:a443:2::1 {};
|
||||
DNSSL eduroam.as205479.net {};
|
||||
|
||||
prefix 2a09:a443:2::/64 {
|
||||
AdvOnLink on;
|
||||
AdvAutonomous on;
|
||||
};
|
||||
prefix 2a09:a443:3::/48 {
|
||||
AdvOnLink on;
|
||||
AdvAutonomous off;
|
||||
};
|
||||
};
|
||||
'';
|
||||
};
|
||||
services.dhcpd6 = {
|
||||
enable = true;
|
||||
interfaces = ["br-internal" "vl-eduroam"];
|
||||
authoritative = true;
|
||||
extraConfig = ''
|
||||
subnet6 2a09:a443:1::/48 {
|
||||
range6 2a09:a443:1:1::/64;
|
||||
range6 2a09:a443:1:2::/64 temporary;
|
||||
prefix6 2a09:a443:1:1000:: 2a09:a443:1:ff00:: /56;
|
||||
|
||||
option dhcp6.name-servers 2a09:a443:1::1;
|
||||
option dhcp6.domain-search "house.as205479.net";
|
||||
}
|
||||
subnet6 2a09:a443:3::/48 {
|
||||
range6 2a09:a443:3:1::/64;
|
||||
range6 2a09:a443:3:2::/64 temporary;
|
||||
prefix6 2a09:a443:3:1000:: 2a09:a443:3:ff00:: /56;
|
||||
|
||||
option dhcp6.name-servers 2a09:a443:3::1;
|
||||
option dhcp6.domain-search "eduroam.as205479.net";
|
||||
}
|
||||
'';
|
||||
};
|
||||
systemd.services.dhcpd6 = {
|
||||
wants = [ "systemd-networkd-wait-online.service" ];
|
||||
after = [ "systemd-networkd-wait-online.service" ];
|
||||
};
|
||||
|
||||
systemd.services.prometheus-bird-exporter.serviceConfig.ExecStart = lib.mkForce ''
|
||||
${depot.pkgs.prometheus-bird-exporter-lfty}/bin/bird_exporter \
|
||||
-web.listen-address 0.0.0.0:9324 \
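Review bot: The eduroam pool start changes silently in the `@ -411,82 +413,120 @@` hunk: the removed dhcpd4 block used `range 192.168.10.100 192.168.10.200`, while the new policy sets `apply-range.start = "192.168.10.10"` with the same end, so .10–.99 become leasable; if that is not intended it should read `apply-range.start = "192.168.10.100";` (the internal pool keeps its .100–.200 range). The removed dhcpd4 and dhcpd6 blocks also carried settings with no visible counterpart in the erbium config — the per-network lease times, the `AdvManagedFlag on`/`range6` pairing that handed out addresses from the /48 prefixes (which the new RAs mark `autonomous = false`), and the `prefix6 … /56` delegation — so unless erbium covers these elsewhere, hosts on the /48s would lose DHCPv6-assigned addresses and delegated prefixes after the switch. The `systemd.services.dhcpd4` ordering after `systemd-networkd-wait-online.service` appears to go away with the service, whereas the erbium unit only orders after `network.target`; if erbium binds `br-internal`/`vl-eduroam` at start, this file could restore the ordering with `systemd.services.erbium.after = [ "systemd-networkd-wait-online.service" ];`. The enclosing `config = mkMerge [ {` attribute set begins and ends outside these hunks.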
|
||||
|
|