nix-config/hosts/containers/dn42/configuration.nix


{ config, pkgs, lib, ... }:
let
address4 = "172.22.99.253";
address6 = "fe80::deca:fbad";
neighbors = import ../../../secrets/hosts/dn42/neighbors.nix;
in {
# Shared modules pulled in from lib/: the LXC container base, settings common
# to all hosts, the admin accounts and the default gateway (presumably why
# networking.defaultGateway6 is commented out below -- confirm).
imports = [
  ../../../lib/lxc-container.nix
  ../../../lib/shared.nix
  ../../../lib/admins.nix
  ../../../lib/default-gateway.nix
];
networking = {
  hostName = "dn42";
  # No IPv6 default route is set here.  The v6 default via
  # 2a02:8106:208:5201::c3d2:4 is installed by BIRD's static protocol
  # further down instead; confirm the imported default-gateway.nix does not
  # also set one.
  # defaultGateway6 = {
  #   address = "2a02:8106:208:5201::c3d2:4";
  #   interface = "eth0";
  # };
  # Resolvers inside dn42 address space.
  nameservers = [ "172.20.72.6" "172.20.72.10" ];
  # Static IPv4 only on eth0; the tunnel interfaces get their addresses
  # from the OpenVPN / WireGuard definitions below.
  interfaces.eth0.ipv4.addresses = [
    { address = address4; prefixLength = 24; }
  ];
  useDHCP = false;
  useNetworkd = true;
};
# No resolved: resolv.conf is populated from networking.nameservers.
services.resolved.enable = false;
# Only an editor on top of whatever the imported shared.nix installs.
environment.systemPackages = [ pkgs.vim ];
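# SSH is only needed for nixops deployments, which log in as root with an SSH
# key.  "prohibit-password" keeps that working while refusing root password
# logins; the previous "yes" would have accepted a root password whenever
# password authentication is enabled, on a host with no firewall.
services.openssh.enable = true;
services.openssh.permitRootLogin = "prohibit-password";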
# No firewall: this host is a router that terminates the OpenVPN / WireGuard
# tunnels and speaks BGP over them, so nothing is filtered locally.
# NOTE(review): that also leaves sshd, the WireGuard listen ports and BIRD's
# BGP listener reachable on eth0 as well as on the tunnels -- confirm the
# upstream side is filtered elsewhere.
networking.firewall = {
  enable = false;
};
# The container (see lxc-container.nix in imports) does not come with a
# /dev/net/tun node, and the OpenVPN tunnels below are dev-type tun, so
# create the character device (major 10, minor 200) once at boot.
# NOTE(review): mode 0666 mirrors the usual host node; creating an interface
# through it still needs CAP_NET_ADMIN, so the loose mode is not a privilege
# hole on its own -- confirm this matches the container's device policy.
boot.postBootCommands = ''
  [ -c /dev/net/tun ] || {
    mkdir -p /dev/net
    mknod -m 666 /dev/net/tun c 10 200
  }
'';
# One point-to-point OpenVPN tunnel per neighbor that carries an "openvpn"
# attribute in secrets/hosts/dn42/neighbors.nix; conf.openvpn is pasted
# verbatim into that tunnel's config (remote, port, proto, ...).
services.openvpn.servers =
  let
    secretsDir = ../../../secrets/hosts/dn42/openvpn;
    # NOTE(review): builtins.toFile copies the static key into the
    # world-readable Nix store and "secret" then points at that store path.
    # Shipping the key out of band (e.g. nixops deployment.keys) and
    # referencing that path instead would keep it out of /nix/store.
    staticKey = name:
      builtins.toFile "${name}.key"
        (builtins.readFile (secretsDir + "/${name}.key"));
    tunnelFor = name: conf: {
      # Static-key mode ("secret"): the pre-shared key authenticates the peer.
      # The daemon drops to nobody/nogroup after setup, hence persist-tun and
      # persist-key so a ping-restart does not need root again.
      config = ''
        dev ${name}
        dev-type tun
        ifconfig ${address4} ${conf.address4}
        user nobody
        group nogroup
        persist-tun
        persist-key
        ping 30
        ping-restart 45
        verb 1
        ${conf.openvpn}
        secret ${staticKey name}
      '';
      # Replace OpenVPN's own addressing with a /32 peer route plus the
      # link-local v6 address that the BGP v6 sessions peer on.
      up = ''
        ${pkgs.iproute}/bin/ip addr flush dev $1
        ${pkgs.iproute}/bin/ip addr add ${address4} dev ${name} peer ${conf.address4}/32
        ${pkgs.iproute}/bin/ip addr add ${address6}/64 dev $1
      '';
    };
  in
    lib.mapAttrs tunnelFor (lib.filterAttrs (_: builtins.hasAttr "openvpn") neighbors);
# One WireGuard interface per neighbor that carries a "wireguard" attribute.
# Routing is left to BGP: the peer may send any destination (allowedIPs is
# everything), and allowedIPsAsRoutes = false stops the module from
# installing a default route through every tunnel.
networking.wireguard.enable = true;
networking.wireguard.interfaces =
  let
    wgNeighbors = lib.filterAttrs (_: builtins.hasAttr "wireguard") neighbors;
    mkInterface = name: conf:
      let
        wg = conf.wireguard;
        # Neighbors that dial in have no endpoint; only set it when present.
        endpointAttrs =
          if wg ? endpoint then { inherit (wg) endpoint; } else { };
      in {
        # NOTE(review): privateKey (from neighbors.nix) ends up in the
        # world-readable Nix store; the module's privateKeyFile option takes
        # a path outside the store instead.
        inherit (wg) listenPort privateKey;
        ips = [ "${address4}/32" "${address6}/64" ];
        allowedIPsAsRoutes = false;
        # Swap the plain /32 for a point-to-point address with the peer's v4
        # as the far end, mirroring the OpenVPN up script.
        postSetup = ''
          ${pkgs.iproute}/bin/ip addr del ${address4}/32 dev ${name}
          ${pkgs.iproute}/bin/ip addr add ${address4} dev ${name} peer ${conf.address4}/32
        '';
        peers = lib.singleton ({
          inherit (wg) publicKey;
          allowedIPs = [ "0.0.0.0/0" "::0/0" ];
          persistentKeepalive = 30;
        } // endpointAttrs);
      };
  in
    lib.mapAttrs mkInterface wgNeighbors;
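# BIRD 2 speaks BGP (AS 64699) with every neighbor over the tunnels defined
# above and installs what it learns into the kernel tables.  Neighbor
# definitions come from secrets/hosts/dn42/neighbors.nix.
services.bird2 = {
  enable = true;
  config =
    let
      # One "protocol bgp" stanza per neighbor and address family, both
      # instantiated from the dnpeers template.  The v6 session peers on a
      # link-local address, so it is scoped to the tunnel interface
      # (conf.interface, defaulting to the neighbor's name, which is also
      # the tunnel device name above).
      bgpNeighbors =
        builtins.concatStringsSep "\n"
          (builtins.attrValues (builtins.mapAttrs (name: conf:
            let
              interface =
                if conf ? interface
                then conf.interface
                else name;
              neighbor4 =
                if conf ? address4
                then ''
                  protocol bgp ${name}_4 from dnpeers {
                    neighbor ${conf.address4} as ${builtins.toString conf.asn};
                  }
                ''
                else "";
              neighbor6 =
                if conf ? address6
                then ''
                  protocol bgp ${name}_6 from dnpeers {
                    neighbor ${conf.address6}%${interface} as ${builtins.toString conf.asn};
                  }
                ''
                else "";
            in "${neighbor4}${neighbor6}"
          ) neighbors));
    in ''
      # Prefix filters for the BGP sessions.  "import all" accepted anything a
      # peer announced and, through the kernel protocols' "export all",
      # installed it into the routing table -- including a default route or
      # public address space.  Accept only the dn42 and interconnected ranges
      # (list taken from the dn42 wiki's recommended BIRD filter; re-check it
      # against the current wiki before deploying) and never our own prefixes,
      # which hq4/hq6 below originate locally.
      function is_valid_network() {
        return net ~ [
          172.20.0.0/14{21,29}, # dn42
          172.20.0.0/24{28,32}, # dn42 Anycast
          172.21.0.0/24{28,32}, # dn42 Anycast
          172.22.0.0/24{28,32}, # dn42 Anycast
          172.23.0.0/24{28,32}, # dn42 Anycast
          172.31.0.0/16+,       # ChaosVPN
          10.100.0.0/14+,       # ChaosVPN
          10.127.0.0/16{16,32}, # neonetwork
          10.0.0.0/8{15,24}     # Freifunk.net
        ];
      }
      function is_valid_network_v6() {
        return net ~ [
          fd00::/8{44,64} # ULA address space (RFC 4193)
        ];
      }
      function is_self_net() {
        return net ~ [ 172.22.99.0/24+ ];
      }
      function is_self_net_v6() {
        return net ~ [ fd23:42:c3d2:500::/56+ ];
      }

      # Everything in BIRD's tables is installed into the kernel.
      protocol kernel {
        ipv4 {
          export all;
        };
      }
      protocol kernel {
        ipv6 {
          export all;
        };
      }
      protocol device {
        scan time 10;
      }
      # Blackhole the RFC 1918 / ULA aggregates so traffic for unrouted
      # private space never escapes via the default route.
      protocol static {
        ipv4;
        route 10.0.0.0/8 unreachable;
        route 172.16.0.0/12 unreachable;
        route 192.168.0.0/16 unreachable;
      }
      protocol static {
        ipv6;
        route 2000::/3 via 2a02:8106:208:5201::c3d2:4;
        route fd00::/8 unreachable;
      }
      # Locally originated prefixes; these are the only static routes the
      # dnpeers export filter announces to peers.
      protocol static hq4 {
        ipv4;
        route 172.22.99.0/24 via "eth0";
      }
      protocol static hq6 {
        ipv6;
        route fd23:42:c3d2:500::/56 unreachable;
      }
      template bgp dnpeers {
        local as 64699;
        ipv4 {
          import where is_valid_network() && !is_self_net();
          export filter {
            if source = RTS_BGP then {
              accept;
            }
            if proto = "hq4" then {
              accept;
            }
            reject;
          };
        };
        ipv6 {
          import where is_valid_network_v6() && !is_self_net_v6();
          export filter {
            if source = RTS_BGP then {
              accept;
            }
            if proto = "hq6" then {
              accept;
            }
            reject;
          };
        };
      }
      ${bgpNeighbors}
      router id ${address4};
    '';
};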
# The NixOS release whose stateful defaults (database layouts, file formats)
# this system was first installed with.  It is not the NixOS version being
# run and must not be bumped casually: change it only when the release notes
# of a newer release say so, otherwise stateful services may break.
system.stateVersion = "19.09"; # Did you read the comment?
}