swann: migrate to erbium

This commit is contained in:
Luke Granger-Brown 2023-08-06 17:06:18 +01:00
parent 5e9e1146e1
commit e93f012772
3 changed files with 166 additions and 137 deletions


@ -3,8 +3,8 @@ let
src = pkgs.fetchFromGitHub {
owner = "isomer";
repo = "erbium";
rev = "aff026d4f83ff055c704508d9a146ab12c901535";
hash = "sha256:1gn41dy8s0c8bq2dckrilf7dlc54hhq14n51nhf1rfhqrbzily3w";
rev = "1c4485addd6beeca39aa40340e4b31f04b5dad45";
hash = "sha256:0a8yrdqndp2dc7xzmkm42pzk0alx96y38ssr7fq4spyz0g19vpwx";
};
in
import src {

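--- /dev/null
+++ b/ops/nixos/lib/erbium.nix
@@ -0,0 +1,56 @@
+# SPDX-FileCopyrightText: 2023 Luke Granger-Brown <depot@lukegb.com>
+#
+# SPDX-License-Identifier: Apache-2.0
+# TODO: support erbium-conftest, which is in erbium-core.
+{ lib, pkgs, rebuilder, config, ... }:
+let
+cfg = config.services.erbium;
+settingsFormat = pkgs.formats.json {};
+configFile = settingsFormat.generate "erbium.conf.json" cfg.settings;
+in
+{
+options.services.erbium = {
+enable = lib.mkEnableOption "erbium";
+package = lib.mkOption {
+type = lib.types.package;
+};
+settings = lib.mkOption {
+type = lib.types.submodule {
+freeformType = settingsFormat.type;
+};
+default = {};
+description = "Configuration for Erbium";
+};
+};
+config = lib.mkIf cfg.enable {
+environment.etc."erbium.conf".source = configFile;
+systemd.services.erbium = {
+description = "Erbium Network Services";
+wantedBy = [ "multi-user.target" ];
+after = [ "network.target" ];
+restartTriggers = [ configFile ];
+serviceConfig = {
+ExecStart = "${cfg.package} /etc/erbium.conf";
+Type = "simple";
+Restart = "always";
+DynamicUser = true;
+User = "erbium";
+Group = "erbium";
+AmbientCapabilities = [
+"CAP_NET_RAW"
+"CAP_NET_BIND_SERVICE"
+];
+StateDirectory = "erbium";
+RuntimeDirectory = "erbium";
+};
+};
+};
+}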
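Review bot: `ExecStart = "${cfg.package} /etc/erbium.conf"` interpolates the package's store path, which for an ordinary derivation is an output directory rather than an executable, so the unit would fail to start unless `depot.nix.pkgs.erbium` is itself a single-file wrapper; if it is a normal package this should read `ExecStart = "${lib.getExe cfg.package} /etc/erbium.conf";` (or the explicit `${cfg.package}/bin/erbium`). The `package` option has neither a `default` nor a `description`, so enabling the module without setting it would fail at evaluation time with no hint of what is expected; adding `description = "The erbium package to run";` at least documents the requirement. Since the service is granted CAP_NET_RAW and CAP_NET_BIND_SERVICE via `AmbientCapabilities` but the bounding set is left at its default, `CapabilityBoundingSet = [ "CAP_NET_RAW" "CAP_NET_BIND_SERVICE" ];` next to it would confine the process to exactly the capabilities it needs. The TODO about erbium-conftest also means the generated `erbium.conf.json` is never validated before the service restarts on a config change, which is worth tracking as a follow-up.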


@ -10,6 +10,8 @@ in {
imports = [
# We include this just so it sets some sysctls and firewall settings.
../lib/bgp.nix
../lib/erbium.nix
];
config = mkMerge [ {
@ -411,82 +413,120 @@ in {
iptables -w -t nat -A nixos-nat-post -m mark --mark 2 -o wg-tuvok-gnet -j SNAT --to-source 92.118.30.253
'';
};
services.dhcpd4 = {
services.erbium = {
enable = true;
interfaces = ["br-internal" "vl-eduroam"];
authoritative = true;
extraConfig = ''
shared-network int {
default-lease-time 3600;
max-lease-time 86400;
option interface-mtu 1420; # Wireguard
package = depot.nix.pkgs.erbium;
settings = {
addresses = [
# internal
"192.168.1.0/24" "92.118.30.16/28" "2a09:a443::/64" "2a09:a443:1::/48"
subnet 192.168.1.0 netmask 255.255.255.0 {
option subnet-mask 255.255.255.0;
option routers 192.168.1.1;
option domain-name-servers 192.168.1.1;
option domain-name "house.as205479.net";
# eduroam
"192.168.10.0/24" "2a09:a443:2::/64" "2a09:a443:3::/48"
];
range 192.168.1.100 192.168.1.200;
dns-servers = [ "$self4" "$self6" ];
api-listeners = [ "[::1]:9968" ];
dns-listeners = [ "[::1]:11153" ]; # if we don't specify something then erbium crashes
router-advertisements = let
baseline = {
mtu = 1420;
lifetime = "1h";
reachable = "20m";
};
baselinePrefix = {
on-link = true;
autonomous = true;
valid = "30d";
preferred = "7d";
};
in {
br-internal = baseline // {
dns-servers.addresses = [ "2a09:a443::1" ];
dns-search.domains = [ "house.as205479.net" ];
prefixes = [(baselinePrefix // {
prefix = "2a09:a443::/64";
}) (baselinePrefix // {
prefix = "2a09:a443:1::/48";
autonomous = false;
})];
};
vl-eduroam = baseline // {
dns-servers.addresses = [ "2a09:a443:2::1" ];
dns-search.domains = [ "eduroam.as205479.net" ];
prefixes = [(baselinePrefix // {
prefix = "2a09:a443:2::/64";
}) (baselinePrefix // {
prefix = "2a09:a443:3::/48";
autonomous = false;
})];
};
};
dhcp-policies = [
# public internal
{
apply-subnet = "92.118.30.16/28";
apply-domain-name = "house-ext.as205479.net";
apply-domain-name-servers = [ "92.118.30.17" ];
apply-routers = [ "92.118.30.17" ];
apply-interface-mtu = 1420;
policies = [{
match-hardware-address = "bc:33:29:26:01:5c";
apply-host-name = "ps5";
apply-address = "92.118.30.18";
}];
}
subnet 92.118.30.16 netmask 255.255.255.240 {
option subnet-mask 255.255.255.240;
option routers 92.118.30.17;
option domain-name-servers 92.118.30.17;
option domain-name "house-ext.as205479.net";
# private internal
{
match-subnet = "192.168.1.0/24";
apply-range.start = "192.168.1.100";
apply-range.end = "192.168.1.200";
apply-domain-name = "house.as205479.net";
apply-domain-name-servers = [ "192.168.1.1" ];
apply-routers = [ "192.168.1.1" ];
apply-interface-mtu = 1420;
policies = [{
match-hardware-address = "40:8d:5c:1f:e8:68";
apply-host-name = "totoro";
apply-address = "192.168.1.40";
} {
match-hardware-address = "52:54:00:cf:cd:94";
apply-host-name = "totoro-pfsense";
apply-address = "192.168.1.41";
} {
match-hardware-address = "00:0d:5d:1b:14:ba";
apply-host-name = "kvm";
apply-address = "192.168.1.50";
} {
match-hardware-address = "9c:93:4e:ad:1f:7b";
apply-host-name = "printer-xerox";
apply-address = "192.168.1.51";
} {
match-hardware-address = "84:39:be:77:65:52";
apply-host-name = "qvmpc6552";
apply-address = "192.168.1.60";
}];
}
}
subnet 192.168.10.0 netmask 255.255.255.0 {
option subnet-mask 255.255.255.0;
option routers 192.168.10.1;
option domain-name-servers 192.168.10.1;
option domain-name "eduroam.as205479.net";
default-lease-time 600;
max-lease-time 3600;
option interface-mtu 1420; # Wireguard
range 192.168.10.100 192.168.10.200;
}
'';
machines = [
{
hostName = "totoro";
ethernetAddress = "40:8d:5c:1f:e8:68";
ipAddress = "192.168.1.40";
}
{
hostName = "totoro-pfsense";
ethernetAddress = "52:54:00:cf:cd:94";
ipAddress = "192.168.1.41";
}
{
hostName = "kvm";
ethernetAddress = "00:0d:5d:1b:14:ba";
ipAddress = "192.168.1.50";
}
{
hostName = "printer-xerox";
ethernetAddress = "9c:93:4e:ad:1f:7b";
ipAddress = "192.168.1.51";
}
{
hostName = "ps5";
ethernetAddress = "bc:33:29:26:01:5c";
# This is used for DNAT on RTMP, above.
ipAddress = "92.118.30.18";
}
{
hostName = "qvmpc6552";
ethernetAddress = "84:39:be:77:65:52";
ipAddress = "192.168.1.60";
}
];
};
systemd.services.dhcpd4 = {
wants = [ "systemd-networkd-wait-online.service" ];
after = [ "systemd-networkd-wait-online.service" ];
# eduroam
{
match-subnet = "192.168.10.0/24";
apply-range.start = "192.168.10.10";
apply-range.end = "192.168.10.200";
apply-domain-name = "eduroam.as205479.net";
apply-domain-name-servers = [ "192.168.10.1" ];
apply-routers = [ "192.168.10.1" ];
apply-interface-mtu = 1420;
}
];
};
};
networking.firewall = {
@ -716,73 +756,6 @@ in {
'';
};
services.radvd = {
enable = true;
config = ''
interface br-internal {
AdvSendAdvert on;
AdvLinkMTU 1420; # Wireguard
AdvManagedFlag on;
RDNSS 2a09:a443::1 {};
DNSSL house.as205479.net {};
prefix 2a09:a443::/64 {
AdvOnLink on;
AdvAutonomous on;
};
prefix 2a09:a443:1::/48 {
AdvOnLink on;
AdvAutonomous off;
};
};
interface vl-eduroam {
AdvSendAdvert on;
AdvLinkMTU 1420; # Wireguard
AdvManagedFlag on;
RDNSS 2a09:a443:2::1 {};
DNSSL eduroam.as205479.net {};
prefix 2a09:a443:2::/64 {
AdvOnLink on;
AdvAutonomous on;
};
prefix 2a09:a443:3::/48 {
AdvOnLink on;
AdvAutonomous off;
};
};
'';
};
services.dhcpd6 = {
enable = true;
interfaces = ["br-internal" "vl-eduroam"];
authoritative = true;
extraConfig = ''
subnet6 2a09:a443:1::/48 {
range6 2a09:a443:1:1::/64;
range6 2a09:a443:1:2::/64 temporary;
prefix6 2a09:a443:1:1000:: 2a09:a443:1:ff00:: /56;
option dhcp6.name-servers 2a09:a443:1::1;
option dhcp6.domain-search "house.as205479.net";
}
subnet6 2a09:a443:3::/48 {
range6 2a09:a443:3:1::/64;
range6 2a09:a443:3:2::/64 temporary;
prefix6 2a09:a443:3:1000:: 2a09:a443:3:ff00:: /56;
option dhcp6.name-servers 2a09:a443:3::1;
option dhcp6.domain-search "eduroam.as205479.net";
}
'';
};
systemd.services.dhcpd6 = {
wants = [ "systemd-networkd-wait-online.service" ];
after = [ "systemd-networkd-wait-online.service" ];
};
systemd.services.prometheus-bird-exporter.serviceConfig.ExecStart = lib.mkForce ''
${depot.pkgs.prometheus-bird-exporter-lfty}/bin/bird_exporter \
-web.listen-address 0.0.0.0:9324 \