{ config, pkgs, lib, ... }:
let
# Addresses of this node inside dn42.  address4 is put on every tunnel and
# doubles as the BIRD router id; address6 is a link-local address that is
# added to every tunnel interface, so the IPv6 BGP sessions run over
# link-local addresses scoped to the peer's interface (see services.bird2).
address4 = "172.22.99.253";
address6 = "fe80::deca:fbad";
# Per-neighbor data (asn, tunnel addresses, openvpn / wireguard parameters)
# comes from the `neighbors` package of this repository's pkgs overlay.
neighbors = pkgs.neighbors;
in {
networking.hostName = "dn42";
networking.useNetworkd = true;
# No firewalling: this host is a dn42 router that forwards between its
# tunnels (IP forwarding is switched on in boot.kernel.sysctl), so the NixOS
# firewall is disabled entirely.
# NOTE(review): this also exposes sshd and every WireGuard listenPort on all
# interfaces, including the dn42 tunnels themselves; any ingress policy for
# this node has to be enforced elsewhere — confirm that is intended.
networking.firewall.enable = false;
# systemd-resolved stays off on this host.
services.resolved = { enable = false; };
# Options of this repository's own `c3d2` module (not visible here).  The
# `c3d2` interface named below is the same one the hq4 static route in the
# BIRD configuration points at.
c3d2 = {
  isInHq = true;
  hq.interface = "c3d2";
  hq.statistics.enable = true;
  # Presumably the host this configuration is deployed onto.
  deployment.server = "server10";
};
# collectd exec plugin: periodically run routecount.rb (as the `collectd`
# user, per the Exec directive) to feed route statistics into collectd.
services.collectd.plugins.exec =
  let
    # Wrapper that puts ruby and iproute on PATH before starting the script;
    # presumably routecount.rb shells out to `ip` (the script is not shown).
    routeCounter = pkgs.writeScript "run-routecount" ''
      #!${pkgs.bash}/bin/bash

      export PATH=${lib.makeBinPath [ pkgs.ruby pkgs.iproute ]}
      ruby ${./routecount.rb}
    '';
  in ''
    Exec "collectd" "${routeCounter}"
  '';
# SSH for deployment.
# NOTE(review): with networking.firewall.enable = false sshd is reachable on
# every address of this host, including the dn42 tunnel addresses.  Make sure
# only key-based logins are permitted (the sops setup below already relies
# on the host's ed25519 key) and check the sshd defaults of the pinned NixOS
# release rather than assuming them.
services.openssh = { enable = true; };
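sops = {
  # Secrets are decrypted with the host's ssh ed25519 key (used as an age
  # identity), so no separate decryption key has to be provisioned and the
  # key never leaves the machine.
  age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  defaultSopsFile = ./secrets.yaml;

  # Declare one secret per tunnel:
  #   neighbors/<name>/openvpn/key            for neighbors with an `openvpn` section
  #   neighbors/<name>/wireguard/privateKey   for neighbors with a `wireguard` section
  # The openvpn and wireguard sections below select neighbors independently
  # (`conf ? openvpn` / `conf ? wireguard`) and each dereference the path of
  # their secret, so both secrets must be declared when a neighbor carries
  # both sections.  The previous if / else-if chain declared only the openvpn
  # key in that case, and the wireguard interface then failed to evaluate on
  # the missing `config.sops.secrets` entry.
  secrets = lib.foldl' (result: name:
    let
      conf = neighbors.${name};
    in
    result
    // lib.optionalAttrs (conf ? openvpn) {
      "neighbors/${name}/openvpn/key" = { };
    }
    // lib.optionalAttrs (conf ? wireguard) {
      "neighbors/${name}/wireguard/privateKey" = { };
    }
  ) { } (builtins.attrNames neighbors);
};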
# This host routes between its tunnels: enable IP forwarding for both address
# families on all present interfaces (`all`) and on interfaces created later
# (`default`).  Together with networking.firewall.enable = false there is no
# packet filtering at all on the forwarding path.
boot.kernel.sysctl = lib.genAttrs [
  "net.ipv4.conf.all.forwarding"
  "net.ipv4.conf.default.forwarding"
  "net.ipv6.conf.all.forwarding"
  "net.ipv6.conf.default.forwarding"
] (_: true);
# Make sure the tun control node (character device 10:200) exists before the
# openvpn/wireguard units start; presumably needed for boot environments in
# which /dev is not populated by udev.
# NOTE(review): mode 0666 only lets any user *open* /dev/net/tun; attaching
# a tunnel to it still requires CAP_NET_ADMIN in the kernel, so this does not
# hand out network configuration rights by itself.
boot.postBootCommands = ''
  [ -c /dev/net/tun ] || {
    mkdir -p /dev/net
    mknod -m 666 /dev/net/tun c 10 200
  }
'';
# One point-to-point OpenVPN tunnel per neighbor that has an `openvpn`
# section.  The tunnels run in static-key mode (`secret ...`), i.e. a
# pre-shared key without a TLS handshake; the key file is provided by sops.
services.openvpn.servers =
  let
    ip = "${pkgs.iproute}/bin/ip";
    peerKey = name: config.sops.secrets."neighbors/${name}/openvpn/key".path;
    mkServer = name: conf: {
      # `conf.openvpn` is pasted verbatim after the generic directives; it
      # comes from the neighbors package of this repository, so it is as
      # trusted as this file, but anything in it can add or repeat directives.
      config = ''
        dev ${name}
        dev-type tun
        ifconfig ${address4} ${conf.address4}
        user nobody
        group nogroup
        persist-tun
        persist-key
        ping 30
        ping-restart 45
        verb 1
        ${conf.openvpn}
        secret ${peerKey name}
      '';
      # $1 is the tun device openvpn hands to the up script; it equals
      # ${name} because of `dev ${name}` above.  Re-assign the addresses so
      # the local end carries the peer address as a /32 point-to-point and
      # the link-local v6 address needed for the BGP session is present.
      up = ''
        ${ip} addr flush dev $1
        ${ip} addr add ${address4} dev ${name} peer ${conf.address4}/32
        ${ip} addr add ${address6}/64 dev $1
      '';
    };
  in
  lib.mapAttrs mkServer (lib.filterAttrs (_: conf: conf ? openvpn) neighbors);
# One WireGuard interface per neighbor that has a `wireguard` section.
networking.wireguard = {
  enable = true;
  interfaces =
    let
      ip = "${pkgs.iproute}/bin/ip";
      wireguardNeighbors = lib.filterAttrs (_: conf: conf ? wireguard) neighbors;
      mkInterface = name: conf: {
        inherit (conf.wireguard) listenPort;
        # The private key is provisioned by sops-nix; it is never inlined here.
        privateKeyFile = config.sops.secrets."neighbors/${name}/wireguard/privateKey".path;
        ips = [ "${address4}/32" "${address6}/64" ];
        # Routing is BIRD's job: do not turn the peer's allowedIPs into
        # kernel routes.
        allowedIPsAsRoutes = false;
        # Replace the bare /32 with a point-to-point address; the peer's
        # tunnel address is optional for wireguard neighbors.
        postSetup = ''
          ${ip} addr del ${address4}/32 dev ${name}
          ${ip} addr add ${address4} dev ${name}${lib.optionalString (conf ? address4) " peer ${conf.address4}/32"}
        '';
        peers = [
          ({
            inherit (conf.wireguard) publicKey;
            # Accept any source address from this peer (this is only the
            # cryptokey-routing check); which prefixes are actually reachable
            # through the tunnel is decided by BGP, not by this list.
            allowedIPs = [ "0.0.0.0/0" "::0/0" ];
            persistentKeepalive = 30;
          } // lib.optionalAttrs (conf.wireguard ? endpoint) {
            inherit (conf.wireguard) endpoint;
          })
        ];
      };
    in
    lib.mapAttrs mkInterface wireguardNeighbors;
};
# BIRD 2: one BGP session per address family with every neighbor over the
# tunnels configured above; learned routes are installed into the kernel
# (`export all` in the kernel protocols) and re-announced to all other peers
# (`source = RTS_BGP` in the export filters).
# NOTE(review): the dnpeers import filters accept everything a peer sends —
# there is no ROA / bogon / prefix-length check and no max-prefix limit — so a
# single peer can announce arbitrary dn42 prefixes (or this node's own) and
# have them installed and propagated.  Also, in an import filter `proto`
# names the protocol the route arrives from (the BGP session), so the
# `if proto = "hq4"/"hq6" then reject` lines presumably never match; confirm
# what they are meant to protect against.
services.bird2 = {
  enable = true;
  config = let
    # One `protocol bgp` block per address family per neighbor.
    # `multiprotocol` defaults to false; "ipv6" keeps only the IPv6 session,
    # "ipv4" only the IPv4 session of that neighbor.
    bgpNeighbors = builtins.concatStringsSep "\n" (builtins.attrValues
      (builtins.mapAttrs (name: conf@{ multiprotocol ? false, ... }:
        let
          # IPv4 session to the peer's tunnel address.
          neighbor4 = if conf ? address4 && multiprotocol != "ipv6" then ''
            protocol bgp ${name}_4 from dnpeers {
              neighbor ${conf.address4} as ${builtins.toString conf.asn};
            }
          '' else
            "";
          # IPv6 session to the peer's link-local address, scoped to the
          # tunnel interface (`%${interface}`).
          neighbor6 = if conf ? address6 && multiprotocol != "ipv4" then ''
            protocol bgp ${name}_6 from dnpeers {
              neighbor ${conf.address6}%${interface} as ${
                builtins.toString conf.asn
              };
            }
          '' else
            "";
          # Defaults to the neighbor's name, which is also the tunnel device
          # name used by the openvpn / wireguard sections.
          interface = conf.interface or name;
        in "${neighbor4}${neighbor6}") neighbors));
  # The static `unreachable` routes for RFC 1918 space and fd00::/8 act as
  # sinks for private space that no peer announces (more-specific BGP routes
  # still win).  2000::/3 via 2a00:8180:2c00:281::c3d2:3 is a static global
  # IPv6 route installed into the kernel only: the export filters pass
  # BGP-learned routes and the hq4 / hq6 protocols, nothing else, so it is
  # not announced to peers.  hq4 announces the HQ IPv4 prefix via the `c3d2`
  # interface; hq6 announces the HQ IPv6 prefix while blackholing it locally.
  in ''
    protocol kernel {
      ipv4 {
        export all;
      };
    }

    protocol kernel {
      ipv6 {
        export all;
      };
    }

    protocol device {
      scan time 10;
    }

    protocol static {
      ipv4;
      route 10.0.0.0/8 unreachable;
      route 172.16.0.0/12 unreachable;
      route 192.168.0.0/16 unreachable;
    }

    protocol static {
      ipv6;
      route 2000::/3 via 2a00:8180:2c00:281::c3d2:3;
      route fd00::/8 unreachable;
    }

    protocol static hq4 {
      ipv4;
      route 172.22.99.0/24 via "c3d2";
    }

    protocol static hq6 {
      ipv6;
      route fd23:42:c3d2:500::/56 unreachable;
    }

    template bgp dnpeers {
      local as 64699;
      ipv4 {
        import filter {
          if proto = "hq4" then reject;
          accept;
        };
        export filter {
          if source = RTS_BGP then accept;
          if proto = "hq4" then accept;
          reject;
        };
      };
      ipv6 {
        import filter {
          if proto = "hq6" then reject;
          accept;
        };
        export filter {
          if source = RTS_BGP then accept;
          if proto = "hq6" then accept;
          reject;
        };
      };
    }

    ${bgpNeighbors}

    router id ${address4};
  '';
};
# NixOS release this system's stateful data (e.g. database layouts) was
# first deployed with.  Only bump it when the NixOS release notes say so;
# it is not an "upgrade" knob.
system.stateVersion = "19.09";
}