From 1b7c2c1b991ef4eee3094b41dc86922c03877433 Mon Sep 17 00:00:00 2001
From: clerie
Date: Tue, 8 Dec 2020 13:49:46 +0100
Subject: [PATCH] Use pbb policy routing module

---
 hosts/dn42-il-gw5/configuration.nix | 18 ++++++-----
 modules/policyrouting/default.nix | 50 +++++++++++++++++++++++++++++
 2 files changed, 60 insertions(+), 8 deletions(-)
 create mode 100644 modules/policyrouting/default.nix

diff --git a/hosts/dn42-il-gw5/configuration.nix b/hosts/dn42-il-gw5/configuration.nix
index 4da7a84..61b333b 100644
--- a/hosts/dn42-il-gw5/configuration.nix
+++ b/hosts/dn42-il-gw5/configuration.nix
@@ -7,6 +7,7 @@
 ../../configuration/common
 ../../configuration/proxmox-vm
 ../../configuration/dn42
+ ../modules/policyrouting
 ];
 boot.loader.grub.enable = true;
@@ -36,14 +37,15 @@
 networking.defaultGateway6 = { address = "2001:638:904:ffc9::1"; interface = "ens21"; }; networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ];
- #networking.localCommands = ''
- #ip -6 rule flush
- #ip -6 rule add lookup main prio 32000
- #ip -6 rule add from all to fd56:4902:eca0::/48 lookup 1337 prio 10000
- #ip -6 rule add from all to all lookup 2342 prio 10000
- #ip -6 rule add from all to fd56:4902:eca0::/48 unreachable prio 20000
- #ip -6 rule add from fd56:4902:eca0::/48 to all unreachable prio 20000
- #'';
+ petabyte.policyrouting = {
+ enable = true;
+ rules6 = [
+ { rule = "from all to fd56:4902:eca0::/48 lookup 1337"; prio = 10000; }
+ { rule = "from all to all lookup 2342"; prio = 10000; }
+ { rule = "from all to fd56:4902:eca0::/48 unreachable"; prio = 20000; }
+ { rule = "from fd56:4902:eca0::/48 to all unreachable"; prio = 20000; }
+ ];
+ };
 networking.firewall.allowedTCPPorts = [
 179
diff --git a/modules/policyrouting/default.nix b/modules/policyrouting/default.nix
new file mode 100644
index 0000000..d2a8f8a
--- /dev/null
+++ b/modules/policyrouting/default.nix
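Review bot: The new import `../modules/policyrouting` is resolved relative to hosts/dn42-il-gw5/, so it points at hosts/modules/policyrouting, whereas this patch creates the module at modules/policyrouting/default.nix in the repository root; the neighbouring imports reach the root with `../../`. Unless a hosts/modules directory exists outside this patch, evaluation will fail on a missing path, so the line should read `../../modules/policyrouting`. The imports list starts before this hunk.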
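Review bot: Both `lookup` rules in rules6 carry `prio = 10000`, so which table is consulted first for fd56:4902:eca0::/48 depends on how `ip -6 rule add` orders equal-priority rules rather than on anything stated in this file; the removed comment block had the same ambiguity. Distinct priorities make the intended fall-through explicit and independent of list order, e.g. keep `{ rule = "from all to fd56:4902:eca0::/48 lookup 1337"; prio = 10000; }` and change the catch-all to `{ rule = "from all to all lookup 2342"; prio = 10010; }`. The `lookup main prio 32000` rule from the old block is no longer restated here because the module adds it itself; a one-line comment such as `# lookup main at prio 32000 is added by the policyrouting module` would stop the next reader from thinking it was dropped.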
@@ -0,0 +1,50 @@
+{ config, lib, ... }:
+
+with lib;
+
+let
+ cfg = config.petabyte.policyrouting;
+
+ ruleOpts = { ... }: {
+ options = {
+ prio = mkOption {
+ type = types.int;
+ };
+ rule = mkOption {
+ type = types.str;
+ };
+ };
+ };
+
+in {
+ options = {
+ petabyte.policyrouting = {
+ enable = mkEnableOption "Declarative Policy-Routing";
+ rules = mkOption {
+ type = with types; listOf (submodule ruleOpts);
+ default = [];
+ };
+ rules6 = mkOption {
+ type = with types; listOf (submodule ruleOpts);
+ default = [];
+ };
+ rules4 = mkOption {
+ type = with types; listOf (submodule ruleOpts);
+ default = [];
+ };
+ };
+ };
+
+ config = mkIf cfg.enable {
+ petabyte.policyrouting.rules = [
+ { rule = "lookup main"; prio = 32000; }
+ ];
+ networking.localCommands = ''
+ set -x
+ ip -6 rule flush
+ ip -4 rule flush
+ ${concatMapStringsSep "\n" ({ prio, rule }: "ip -6 rule add ${rule} prio ${toString prio}") (cfg.rules ++ cfg.rules6)}
+ ${concatMapStringsSep "\n" ({ prio, rule }: "ip -4 rule add ${rule} prio ${toString prio}") (cfg.rules ++ cfg.rules4)}
+ '';
+ };
+}
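Review bot: `rule` is declared as plain `types.str` and is spliced unquoted into the `networking.localCommands` shell script (`ip -6 rule add ${rule} prio ...`), so a mistyped rule containing shell metacharacters is executed by the activation shell instead of being rejected at evaluation time. Constraining the option, e.g. `type = types.strMatching "[A-Za-z0-9:./_ -]+";`, turns such mistakes into a build error, and `rule`, `prio`, `rules`, `rules4` and `rules6` all still lack a `description`. `set -x` reads like leftover debugging: it echoes every rule into the journal on each activation and should be removed or justified in a comment. Since `cfg.rules` is concatenated first, the `lookup main` rule is re-added early after the flush, but if a later `ip rule add` line fails the host keeps running with a partial ruleset until the next activation, which is worth either documenting or making fail loudly if localCommands does not already run with errexit.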