From 070338967bbbfaa54b5bf88275ec16e62a36217e Mon Sep 17 00:00:00 2001
From: Ember 'n0emis' Keske
Date: Tue, 16 Nov 2021 14:09:54 +0100
Subject: [PATCH] add basic bird config

---
 default.nix | 19 +++++++++
 modules/bird/bird2.conf | 92 ++++++++++++++++++++++++++++++++++++++++
 modules/bird/default.nix | 29 +++++++++++++
 3 files changed, 140 insertions(+)
 create mode 100644 modules/bird/bird2.conf
 create mode 100644 modules/bird/default.nix

diff --git a/default.nix b/default.nix
index a3bb85c..a5866e1 100644
--- a/default.nix
+++ b/default.nix
@@ -16,6 +16,24 @@ in
 Use batman-adv-legacy - do not use in new communities!
 '';
 };
+ bird = {
+ enable = mkEnableOption "bird routing daemon";
+ routerID = mkOption {
+ type = types.str;
+ };
+ kernelTable = mkOption {
+ type= types.int;
+ };
+ earlyExtraConfig = mkOption {
+ type = types.lines;
+ default = "";
+ };
+ extraConfig = mkOption {
+ type = types.lines;
+ default = "";
+ };
+ };
+
 };
 
 config = mkIf cfg.enable {
@@ -27,5 +45,6 @@ in
 imports = [
 ./modules/batman.nix
 ./modules/fastd.nix
+ ./modules/bird
 ];
 }
diff --git a/modules/bird/bird2.conf b/modules/bird/bird2.conf
new file mode 100644
index 0000000..81bfc90
--- /dev/null
+++ b/modules/bird/bird2.conf
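Review bot: The new `bird` options in the first hunk carry no `description` and no value constraints: `routerID` is a bare `types.str` and `kernelTable` a bare `types.int`, yet both are substituted verbatim into the daemon config, so a typo is only caught (if at all) when the generated file is parsed elsewhere. Tighten them, e.g. `routerID = mkOption { type = types.strMatching "^[0-9]{1,3}(\\.[0-9]{1,3}){3}$"; description = "32-bit router ID in dotted-quad form; must be unique per routing domain."; };` and `kernelTable = mkOption { type = types.ints.positive; description = "Linux routing table id bird exports into (avoid the reserved ids 253-255 unless intended)."; };`. `earlyExtraConfig` and `extraConfig` should likewise say that their contents are placed before and after the generated config, respectively, and are not validated by the module. The stray `type= types.int` spacing should match the surrounding `type = …` lines.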
@@ -0,0 +1,92 @@
+router id @routerID@;
+
+timeformat base iso long;
+timeformat log iso long;
+timeformat protocol iso long;
+timeformat route iso long;
+
+function net_default() {
+ if net.type = NET_IP4 then return net ~ [ 0.0.0.0/0 ];
+ return net ~ [ ::/0 ];
+};
+
+function net_bogon() {
+ if net.type = NET_IP4 then return net ~ [
+ 0.0.0.0/0,
+ 0.0.0.0/8+, # RFC 1122 'this' network
+ 10.0.0.0/8+, # RFC 1918 private space
+ 100.64.0.0/10+, # RFC 6598 Carrier grade nat space
+ 127.0.0.0/8+, # RFC 1122 localhost
+ 169.254.0.0/16+, # RFC 3927 link local
+ 172.16.0.0/12+, # RFC 1918 private space
+ 192.0.2.0/24+, # RFC 5737 TEST-NET-1
+ 192.88.99.0/24+, # RFC 7526 6to4 anycast relay
+ 192.168.0.0/16+, # RFC 1918 private space
+ 198.18.0.0/15+, # RFC 2544 benchmarking
+ 198.51.100.0/24+, # RFC 5737 TEST-NET-2
+ 203.0.113.0/24+, # RFC 5737 TEST-NET-3
+ 224.0.0.0/4+, # multicast
+ 240.0.0.0/4+ # reserved
+ ];
+ return net ~ [
+ ::/0,
+ ::/8+, # RFC 4291 IPv4-compatible, loopback, et al
+ 0100::/64+, # RFC 6666 Discard-Only
+ 2001:2::/48+, # RFC 5180 BMWG
+ 2001:10::/28+, # RFC 4843 ORCHID
+ 2001:db8::/32+, # RFC 3849 documentation
+ 2002::/16+, # RFC 7526 6to4 anycast relay
+ 3ffe::/16+, # RFC 3701 old 6bone
+ fc00::/7+, # RFC 4193 unique local unicast
+ fe80::/10+, # RFC 4291 link local unicast
+ fec0::/10+, # RFC 3879 old site local unicast
+ ff00::/8+ # RFC 4291 multicast
+ ];
+}
+
+function as_bogon() {
+ return bgp_path ~ [
+ 0, # RFC 7607
+ 23456, # RFC 4893 AS_TRANS
+ 64496..64511, # RFC 5398 and documentation/example ASNs
+ 64512..65534, # RFC 6996 Private ASNs
+ 65535, # RFC 7300 Last 16 bit ASN
+ 65536..65551, # RFC 5398 and documentation/example ASNs
+ 65552..131071, # RFC IANA reserved ASNs
+ 4200000000..4294967294, # RFC 6996 Private ASNs
+ 4294967295 # RFC 7300 Last 32 bit ASN
+ ];
+};
+
+# This pseudo-protocol watches all interface up/down events.
+protocol device {
+ scan time 10; # Scan interfaces every 10 seconds
+};
+
+protocol direct {
+ ipv4;
+ ipv6;
+ interface "lo";
+};
+
+protocol kernel {
+ scan time 20;
+
+ kernel table @kernelTable@;
+
+ ipv6 {
+ import none;
+ export all;
+ };
+}
+
+protocol kernel {
+ scan time 20;
+
+ kernel table @kernelTable@;
+
+ ipv4 {
+ import none;
+ export all;
+ };
+}
diff --git a/modules/bird/default.nix b/modules/bird/default.nix
new file mode 100644
index 0000000..e17b80c
--- /dev/null
+++ b/modules/bird/default.nix
@@ -0,0 +1,29 @@
+{ config, lib, pkgs, ... }:
+
+with import ../common-vars.nix { inherit lib config; };
+
+let
+ cfg = config.ffnix.bird;
+in {
+ config = lib.mkIf cfg.enable {
+ services.bird2.enable = true;
+ environment.etc."bird/bird2.conf".source = lib.mkForce (pkgs.substituteAll {
+ name = "bird2-${config.networking.hostName}.conf";
+
+ inherit (cfg) routerID kernelTable;
+
+ # the check is run in a sandboxed nix derivation and does not have access to password includes
+ checkPhase = ''
+ cat $out | sed 's/include.*//g' > temp.conf
+ echo $out
+ ${pkgs.bird2}/bin/bird -d -p -c temp.conf
+ '';
+
+ src = pkgs.writeText "bird2-${config.networking.hostName}-template.conf" ''
+ ${cfg.earlyExtraConfig}
+ ${lib.fileContents ./bird2.conf}
+ ${cfg.extraConfig}
+ '';
+ });
+ };
+}
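Review bot: `net_bogon` and `as_bogon` are defined but nothing in this file applies them — the only protocols here are `device`, `direct` and two `kernel` instances with `import none; export all;` — so the filters protect nothing until a session added through extra config calls them, and that contract is undocumented. A header comment above `net_bogon` should state the intended use and the trap that the set also contains `0.0.0.0/0` and `::/0`, e.g. `# Reject-list for import filters of external sessions. Matches the default route too; test net_default() first if defaults are wanted.`. The IPv4 list also lacks `192.0.0.0/24+, # RFC 6890 IETF protocol assignments`, which belongs next to the other RFC 6890 special-purpose blocks. The comment on the `65552..131071` entry reads `# RFC IANA reserved ASNs` and should be `# IANA reserved ASNs`.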
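Review bot: The include-stripping in `checkPhase` is unanchored — `sed 's/include.*//g'` truncates any line containing the word `include`, including comments or names that merely contain it, so the syntax check runs against a config that can differ from what bird loads on the host; anchor it to a real include statement and read the file directly: `sed -E 's/^[[:space:]]*include[[:space:]].*//' "$out" > temp.conf`. The `echo $out` line looks like leftover debugging and can go. Since the rendered file lands in the world-readable Nix store, the existing comment should also spell out that any credentials must stay in the included files and never in `extraConfig`; the `lib.mkForce` on `environment.etc."bird/bird2.conf".source` silently discards anything a user sets via `services.bird2.config`, which deserves a comment as well. Note that included files are never validated by this check, so a broken include only surfaces when bird starts on the host.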