From 638bbf38a9031932e2cacdb951b9802c2eaf48bc Mon Sep 17 00:00:00 2001
From: Astro
Date: Sat, 2 Nov 2019 01:02:46 +0100
Subject: [PATCH] add hosts/containers/dn42

---
 hosts/containers/dn42/configuration.nix | 258 ++++++++++--------------
 hq.nixops | 12 ++
 secrets | 2 +-
 3 files changed, 124 insertions(+), 148 deletions(-)

diff --git a/hosts/containers/dn42/configuration.nix b/hosts/containers/dn42/configuration.nix
index 1f928d9b..d5966d87 100644
--- a/hosts/containers/dn42/configuration.nix
+++ b/hosts/containers/dn42/configuration.nix
@@ -3,59 +3,7 @@ let address4 = "172.22.99.253"; address6 = "fe80::deca:fbad"; - neighbors = import ./neighbors.nix; - makeBgpNeighbor = { name, asn, description ? "Someone", address, interface ? name, ... }: '' - neighbor ${address} remote-as ${builtins.toString asn} - neighbor ${address} peer-group dn - neighbor ${address} interface ${interface} - neighbor ${address} description ${description} - ''; - bgpNeighbors = - builtins.attrValues (builtins.mapAttrs (name: conf: - let - makeNeighbor = - address: - makeBgpNeighbor (conf // { inherit name address; }); - in - # Bird peers don't do IPv6 routes over IPv4, so they get - # additional config: - let - neighbor4 = - if conf ? address4 - then makeNeighbor conf.address4 - else ""; - neighbor6 = - if conf ? address6 - then makeNeighbor conf.address6 - else ""; - in "${neighbor4}${neighbor6}" - ) neighbors); - bgpNeighbors6 = - builtins.attrValues (builtins.mapAttrs (name: conf: - if conf ? address6 - then '' - neighbor ${conf.address6} peer-group dn - neighbor ${conf.address6} route-map ${name}-next-hop in - '' - else "" - ) neighbors); - common = '' - service advanced-vty - line vty - - ip prefix-list dn42-in seq 10 permit 172.22.0.0/15 ge 22 le 28 - ip prefix-list dn42-in seq 12 permit 172.20.0.0/16 ge 21 le 28 - ip prefix-list dn42-in seq 15 permit 172.22.0.0/23 ge 32 - ip prefix-list dn42-in seq 16 permit 172.23.0.0/24 ge 32 - ip prefix-list dn42-in seq 20 deny 10.10.10.0/24 le 32 - ip prefix-list dn42-in seq 21 permit 10.0.0.0/8 ge 12 le 28 - ip prefix-list dn42-in seq 30 permit 172.31.0.0/16 ge 22 le 28 - ip prefix-list dn42-in seq 1000 deny 0.0.0.0/0 le 32 - - ! ipv6 prefix-list def seq 5 permit 2000::/3 ge 32 - ipv6 prefix-list def seq 10 permit fd00::/8 ge 9 le 64 - ipv6 prefix-list def seq 1000 deny ::/0 le 128 - ''; + neighbors = import ../../../secrets/hosts/dn42/neighbors.nix; in { imports = [ ../../../lib/lxc-container.nix 
@@ -65,6 +13,10 @@ in { networking.hostName = "dn42"; networking.defaultGateway = "172.22.99.4"; + # networking.defaultGateway6 = { + # address = "2a02:8106:208:5201::c3d2:4"; + # interface = "eth0"; + # }; networking.nameservers = [ "172.20.72.6" "172.20.72.10" ]; networking.interfaces.eth0 = { ipv4.addresses = [ { @@ -72,6 +24,9 @@ in { prefixLength = 24; } ]; }; + networking.useDHCP = false; + networking.useNetworkd = true; + services.resolved.enable = false; environment.systemPackages = with pkgs; [ vim 
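Review bot: The commented-out `networking.defaultGateway6` block added in the first hunk carries no explanation, so a reader cannot tell whether it is dead config or a change still pending. Later in this patch the bird2 config installs `route 2000::/3 via 2a02:8106:208:5201::c3d2:4;`, which looks like the replacement for a v6 default route; if that is the reason, say so above the block, e.g. `# v6 default route is provided by bird2's static 2000::/3 route, see services.bird2 below`, or drop the block instead of keeping it commented. The `networking.*` options in both hunks sit in a module body that starts before the first hunk.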
@@ -85,99 +40,6 @@ in { # No Firewalling! networking.firewall.enable = false; - networking.useDHCP = false; - - services.quagga = { - zebra = { - config = '' - ip forwarding - ipv6 forwarding - - interface eth0 - ipv6 address fe80::a800:42ff:fe7a:3246/64 - ipv6 address 2a02:8106:208:5201::ffff/64 - ipv6 address fd23:42:c3d2:523::ffff/64 - ipv6 nd prefix fd23:42:c3d2:523::/64 60 20 - ipv6 nd ra-interval 5 - no ipv6 nd suppress-ra - - ip route 0.0.0.0/0 172.22.99.4 - ip route 10.0.0.0/8 Null0 - ip route 172.16.0.0/12 Null0 - ip route 192.168.0.0/16 Null0 - ipv6 route 2000::/3 2a02:8106:208:5201::c3d2:4 eth0 - - ${common} - ''; - }; - bgp = { - enable = true; - config = '' - router bgp 64699 - bgp router-id ${address4} - network 172.22.99.0/24 - neighbor dn peer-group - neighbor dn soft-reconfiguration inbound - neighbor dn prefix-list dn42-in in - ${builtins.concatStringsSep "\n" bgpNeighbors} - - address-family ipv6 - network fd23:42:c3d2:500::/56 - neighbor dn activate - neighbor dn soft-reconfiguration inbound - neighbor dn prefix-list def in - ${builtins.concatStringsSep "\n" bgpNeighbors6} - - exit-address-family - exit - - - route-map set-next-hop permit 10 - set ip next-hop 172.22.99.253 - route-map set-next-hop6 permit 10 - set ipv6 next-hop global 2001:6f8:1194:c3d2::ffff - set ipv6 next-hop local fe80::a800:42ff:fe7a:3246 - route-map set-next-hop-zw-server1 permit 10 - set ip next-hop 172.22.99.250 - route-map zw-next-hop permit 10 - set ipv6 next-hop local fe80::814:48ff:fe01:2201 - set ipv6 next-hop local fe80::814:48ff:fe01:2201 - - ${common} - ''; - }; - ospf = { - enable = true; - config = '' - router ospf - ospf router-id ${address4} - redistribute connected - redistribute static - network 172.22.99.0/24 area 0.0.0.0 - area 0.0.0.0 authentication message-digest - default-metric 1 - interface eth0 - ip ospf message-digest-key 1 md5 ${builtins.readFile ../../../secrets/shared/ospf/message-digest-key.nix} - - ${common} - ''; - }; - ospf6 = { - enable = 
true; - config = '' - router ospf6 - router-id 172.22.99.253 - redistribute connected - area 0.0.0.0 range 2001:6f8:1194:c3d2::/64 - interface eth0 area 0.0.0.0 - interface eth0 - ipv6 ospf6 cost 1 - ipv6 ospf6 network broadcast - - ${common} - ''; - }; - }; services.openvpn = let 
@@ -208,9 +70,111 @@ in { servers = builtins.mapAttrs (name: conf: mkServer name conf) openvpnNeighbors; }; + services.bird2 = { + enable = true; + config = + let + bgpNeighbors = + builtins.concatStringsSep "\n" + (builtins.attrValues (builtins.mapAttrs (name: conf: + let + neighbor4 = + if conf ? address4 + then '' + protocol bgp ${name}_4 from dnpeers { + neighbor ${conf.address4} as ${builtins.toString conf.asn}; + } + '' + else ""; + neighbor6 = + if conf ? address6 + then '' + protocol bgp ${name}_6 from dnpeers { + neighbor ${conf.address6}%${interface} as ${builtins.toString conf.asn}; + } + '' + else ""; + interface = + if conf ? interface + then conf.interface + else name; + in "${neighbor4}${neighbor6}" + ) neighbors)); + in '' + protocol kernel { + ipv4 { + export all; + }; + } + protocol kernel { + ipv6 { + export all; + }; + } + protocol device { + scan time 10; + } + + protocol static { + ipv4; + route 10.0.0.0/8 unreachable; + route 172.16.0.0/12 unreachable; + route 192.168.0.0/16 unreachable; + } + + protocol static { + ipv6; + route 2000::/3 via 2a02:8106:208:5201::c3d2:4; + route fd00::/8 unreachable; + } + + + protocol static hq4 { + ipv4; + route 172.22.99.0/24 via "eth0"; + } + + protocol static hq6 { + ipv6; + route fd23:42:c3d2:500::/56 unreachable; + } + + template bgp dnpeers { + local as 64699; + ipv4 { + import all; + export filter { + if source = RTS_BGP then { + accept; + } + if proto = "hq4" then { + accept; + } + reject; + }; + }; + ipv6 { + import all; + export filter { + if source = RTS_BGP then { + accept; + } + if proto = "hq6" then { + accept; + } + reject; + }; + }; + } + ${bgpNeighbors} + + router id ${address4}; + ''; + }; + # This value determines the NixOS release with which your system is to be # compatible, in order to avoid breaking some software such as database # servers. You should change this only after NixOS release notes say you # should. - system.stateVersion = "18.09"; # Did you read the comment? 
+ system.stateVersion = "19.09"; # Did you read the comment? } diff --git a/hq.nixops b/hq.nixops index c0512737..b38daa87 100644 --- a/hq.nixops +++ b/hq.nixops @@ -139,4 +139,16 @@ }; }; + "dn42" = + { ... }: + { + imports = [ + hosts/containers/dn42/configuration.nix + ]; + deployment = { + targetHost = "172.22.99.253"; + storeKeysOnMachine = true; + }; + }; + } diff --git a/secrets b/secrets index 573ca8e7..92b0134c 160000 --- a/secrets +++ b/secrets @@ -1 +1 @@ -Subproject commit 573ca8e7120de6fe36af90dace36f9222c155cec +Subproject commit 92b0134ccb8cb97a3d9bffb471d07654101a1aed
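Review bot: The `dnpeers` template accepts every route from every peer (`import all;` in both the `ipv4` and `ipv6` blocks), and both `protocol kernel` blocks `export all;`, so whatever a neighbor announces — a default route, a prefix overlapping 172.22.99.0/24, or non-dn42 space — is installed straight into the container's routing table. The quagga config this patch removes applied `neighbor dn prefix-list dn42-in in` and `neighbor dn prefix-list def in` for exactly this reason, and nothing in the new config carries that over. An import filter restricted to the ranges those lists named would restore it; the rewrite below mirrors the dropped lists (the two `ge 32` host-route entries are omitted and should be added back if they are still needed) and leaves the export filters untouched. The `services.bird2` attribute is complete within the hunk, although the enclosing module body starts earlier.
```nix
        template bgp dnpeers {
          local as 64699;
          ipv4 {
            # accept only dn42 space from peers, mirroring the removed dn42-in prefix-list
            import filter {
              if net ~ [ 10.10.10.0/24+ ] then { reject; }
              if net ~ [ 172.22.0.0/15{22,28}, 172.20.0.0/16{21,28},
                         10.0.0.0/8{12,28}, 172.31.0.0/16{22,28} ] then { accept; }
              reject;
            };
            # … unchanged: export filter …
          };
          ipv6 {
            # accept only ULA space from peers, mirroring the removed "def" prefix-list
            import filter {
              if net ~ [ fd00::/8{9,64} ] then { accept; }
              reject;
            };
            # … unchanged: export filter …
          };
        }
```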
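Review bot: `storeKeysOnMachine = true;` in the new `"dn42"` deployment entry is not justified by a comment. As far as I know this NixOps option writes the deployment keys to the target's persistent disk instead of the default in-memory location, so they survive a reboot without a redeploy but are also readable by anyone with access to the container's filesystem or its backups; the reader should see why that trade-off is wanted here, e.g. `# keys must survive a container reboot without a redeploy, so they live on disk rather than in memory`. `targetHost = "172.22.99.253"` repeats the `address4` literal from hosts/containers/dn42/configuration.nix, so the two can silently drift; a comment pointing at the other copy would help. The attribute set this entry is added to starts before the hunk.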