liminix/modules/bridge/default.nix

## Bridge module
## =============
##
##  Allows creation of Layer 2 software "bridge" network devices.  A
##  common use case is to merge together a hardware Ethernet device
##  with one or more WLANs so that several local devices appear to be
##  on the same network.


{ lib, pkgs, config, ...}:
let
  inherit (lib) mkOption types;
  inherit (pkgs.liminix.services) oneshot;
  inherit (pkgs) liminix;
in
{
  imports = [ ../ifwait ];

  options = {
    system.service.bridge = {
      primary = mkOption { type = liminix.lib.types.serviceDefn; };
      members = mkOption { type = liminix.lib.types.serviceDefn; };
      ready = mkOption { type = liminix.lib.types.serviceDefn; };
    };
  };
  config.system.service.bridge = {
    primary = liminix.callService ./primary.nix {
      ifname = mkOption {
        type = types.str;
        description = "bridge interface name to create";
      };

      macAddressFromInterface = mkOption {
        type = types.nullOr liminix.lib.types.service;
        default = null;
        description = "reuse mac address from an existing interface service";
      };
    };
    members = config.system.callService ./members.nix {
      primary = mkOption {
        type = liminix.lib.types.interface;
        description = "primary bridge interface";
      };

      members = mkOption {
        type = types.listOf liminix.lib.types.interface;
        description = "interfaces to add to the bridge";
      };
    };

    # TODO: generalize it outside
    ready = config.system.callService ./ready.nix {
      primary = mkOption {
        type = liminix.lib.types.service;
        description = "primary bridge interface";
      };

      members = mkOption {
        type = liminix.lib.types.service;
        description = "members service";
      };
    };
  };
  config.kernel.config = {
    BRIDGE = "y";
    BRIDGE_IGMP_SNOOPING = "y";
  } // lib.optionalAttrs (config.system.service ? vlan) {
    # depends on bridge _and_ vlan. I would like there to be
    # a better way to test for the existence of vlan config:
    # maybe the module should set an `enabled` attribute?
    BRIDGE_VLAN_FILTERING = "y";
  };
}
add some missing descriptions 2023-08-07 22:43:12 +02:00			`## Bridge module`
extract module top-level comment to docs 2023-08-07 23:14:58 +02:00			`## =============`
add some missing descriptions 2023-08-07 22:43:12 +02:00			`##`
			`## Allows creation of Layer 2 software "bridge" network devices. A`
			`## common use case is to merge together a hardware Ethernet device`
			`## with one or more WLANs so that several local devices appear to be`
update bridge service doc 2023-08-19 00:58:06 +02:00			`## on the same network.`
add some missing descriptions 2023-08-07 22:43:12 +02:00

extract bridge to module-based services 2023-07-20 12:46:19 +02:00			`{ lib, pkgs, config, ...}:`
			`let`
			`inherit (lib) mkOption types;`
			`inherit (pkgs.liminix.services) oneshot;`
convert bridge service to serviceDefn 2023-08-05 15:08:02 +02:00			`inherit (pkgs) liminix;`
extract bridge to module-based services 2023-07-20 12:46:19 +02:00			`in`
			`{`
implement ifwait trigger service and use in bridge should we convert all ifwait uses to this trigger too? seems reasonable 2024-03-16 21:41:13 +01:00			`imports = [ ../ifwait ];`

extract bridge to module-based services 2023-07-20 12:46:19 +02:00			`options = {`
convert network link/address to module-based-service ... and make bridge use it. We also had to convert bridge back into a pair of services. Downstreams want to depend on the bridge it self being configured even if not necessarily all the members are up. e.g. don't want to break ssh on lan if there's a misconfigured wlan device 2023-08-28 00:45:27 +02:00			`system.service.bridge = {`
			`primary = mkOption { type = liminix.lib.types.serviceDefn; };`
			`members = mkOption { type = liminix.lib.types.serviceDefn; };`
fix(bridge): reorder initialization for bridge dependents Consider the scenario where you run DHCPv4 on the primary bridge interface. You have no real interface to "wait upon", so it's OK. Nonetheless, anything depending on successful completion of DHCPv4, e.g. adding a default route, will block `s6-rc -v2 up change default`. The way new interfaces are attached to the bridge is via `s6-rc -b -u change $attach-oneshot-service`, this introduce in turn a deadlock. At some point, DHCPv4 will timeout, unblocking the deadlock and attaching the members to the primary bridge interface, making it ready to send L2 broadcast packets for DHCP, unblocking DHCP in turn again. This is not satisfying because we really want to have a no-hiccups bring-up. To fix this, we proceed to multiple changes: - we remove `svc.ifwait.build` out of band `s6-rc -b -u $oneshot-attach` call, which is, by design, wrong here. - users can now depend on the members service to know when a bridge is fully operational (we could make it more granular and let them depend on the LAN member joining rather than WLAN, etc.) - users can also depend on the primary service being brought up rather than just being present, this is useful if you need to bring it up when it has AT LEAST one member to get link local address or MAC addresses (fixing DHCPv6 bring up as well because `ff02::1` is used there). One thing is not addressed yet, if you are running a WLAN service using RADIUS attached to the bridge, at bring up time, it will try to reach out the external RADIUS server and fail. To solve this, granular dependency on the DHCPv4 once LAN is joined. Then the hostapd can wait on defaultroute4 completion so that connectivity is available to reach RADIUS server. It can join the bridge later on without any hiccup as well. This is left as a TODO as hostapd can survive RADIUS authentication failure and retry later. Signed-off-by: Raito Bezarius <masterancpp@gmail.com> 2024-09-01 15:42:26 +02:00			`ready = mkOption { type = liminix.lib.types.serviceDefn; };`
extract bridge to module-based services 2023-07-20 12:46:19 +02:00			`};`
			`};`
convert network link/address to module-based-service ... and make bridge use it. We also had to convert bridge back into a pair of services. Downstreams want to depend on the bridge it self being configured even if not necessarily all the members are up. e.g. don't want to break ssh on lan if there's a misconfigured wlan device 2023-08-28 00:45:27 +02:00			`config.system.service.bridge = {`
			`primary = liminix.callService ./primary.nix {`
merge bridge services into one 2023-08-16 20:44:00 +02:00			`ifname = mkOption {`
			`type = types.str;`
			`description = "bridge interface name to create";`
convert bridge service to serviceDefn 2023-08-05 15:08:02 +02:00			`};`
fix(bridge): pick up MAC from another interface This avoids the OPERSTATE unknown when the bridge is brought up but the members are not ready yet. This will make OPERSTATE to down, enabling us to wait until we have brought up completely all the members. Signed-off-by: Raito Bezarius <masterancpp@gmail.com> 2024-09-01 14:56:08 +02:00
			`macAddressFromInterface = mkOption {`
			`type = types.nullOr liminix.lib.types.service;`
			`default = null;`
			`description = "reuse mac address from an existing interface service";`
			`};`
convert bridge service to serviceDefn 2023-08-05 15:08:02 +02:00			`};`
implement ifwait trigger service and use in bridge should we convert all ifwait uses to this trigger too? seems reasonable 2024-03-16 21:41:13 +01:00			`members = config.system.callService ./members.nix {`
convert network link/address to module-based-service ... and make bridge use it. We also had to convert bridge back into a pair of services. Downstreams want to depend on the bridge it self being configured even if not necessarily all the members are up. e.g. don't want to break ssh on lan if there's a misconfigured wlan device 2023-08-28 00:45:27 +02:00			`primary = mkOption {`
			`type = liminix.lib.types.interface;`
			`description = "primary bridge interface";`
			`};`

			`members = mkOption {`
			`type = types.listOf liminix.lib.types.interface;`
			`description = "interfaces to add to the bridge";`
			`};`
			`};`
fix(bridge): reorder initialization for bridge dependents Consider the scenario where you run DHCPv4 on the primary bridge interface. You have no real interface to "wait upon", so it's OK. Nonetheless, anything depending on successful completion of DHCPv4, e.g. adding a default route, will block `s6-rc -v2 up change default`. The way new interfaces are attached to the bridge is via `s6-rc -b -u change $attach-oneshot-service`, this introduce in turn a deadlock. At some point, DHCPv4 will timeout, unblocking the deadlock and attaching the members to the primary bridge interface, making it ready to send L2 broadcast packets for DHCP, unblocking DHCP in turn again. This is not satisfying because we really want to have a no-hiccups bring-up. To fix this, we proceed to multiple changes: - we remove `svc.ifwait.build` out of band `s6-rc -b -u $oneshot-attach` call, which is, by design, wrong here. - users can now depend on the members service to know when a bridge is fully operational (we could make it more granular and let them depend on the LAN member joining rather than WLAN, etc.) - users can also depend on the primary service being brought up rather than just being present, this is useful if you need to bring it up when it has AT LEAST one member to get link local address or MAC addresses (fixing DHCPv6 bring up as well because `ff02::1` is used there). One thing is not addressed yet, if you are running a WLAN service using RADIUS attached to the bridge, at bring up time, it will try to reach out the external RADIUS server and fail. To solve this, granular dependency on the DHCPv4 once LAN is joined. Then the hostapd can wait on defaultroute4 completion so that connectivity is available to reach RADIUS server. It can join the bridge later on without any hiccup as well. This is left as a TODO as hostapd can survive RADIUS authentication failure and retry later. Signed-off-by: Raito Bezarius <masterancpp@gmail.com> 2024-09-01 15:42:26 +02:00
			`# TODO: generalize it outside`
			`ready = config.system.callService ./ready.nix {`
			`primary = mkOption {`
			`type = liminix.lib.types.service;`
			`description = "primary bridge interface";`
			`};`

			`members = mkOption {`
			`type = liminix.lib.types.service;`
			`description = "members service";`
			`};`
			`};`
extract bridge to module-based services 2023-07-20 12:46:19 +02:00			`};`
move bridge-related kernel config to the module 2023-08-30 18:29:42 +02:00			`config.kernel.config = {`
			`BRIDGE = "y";`
			`BRIDGE_IGMP_SNOOPING = "y";`
BRIDGE_VLAN_FILTERING depends on bridge _and_ vlan I'm half-pleased with this. It demonstrates how we can have complex conditional kernel config, but the way we detect if vlan exists is tacky. 2023-08-31 19:24:09 +02:00			`} // lib.optionalAttrs (config.system.service ? vlan) {`
			`# depends on bridge _and_ vlan. I would like there to be`
			`# a better way to test for the existence of vlan config:`
			# maybe the module should set an `enabled` attribute?
			`BRIDGE_VLAN_FILTERING = "y";`
implement ifwait trigger service and use in bridge should we convert all ifwait uses to this trigger too? seems reasonable 2024-03-16 21:41:13 +01:00			`};`
extract bridge to module-based services 2023-07-20 12:46:19 +02:00			`}`