add hosts/containers/dn42
This commit is contained in:
parent
a3db616b2a
commit
638bbf38a9
|
@ -3,59 +3,7 @@
|
||||||
let
|
let
|
||||||
address4 = "172.22.99.253";
|
address4 = "172.22.99.253";
|
||||||
address6 = "fe80::deca:fbad";
|
address6 = "fe80::deca:fbad";
|
||||||
neighbors = import ./neighbors.nix;
|
neighbors = import ../../../secrets/hosts/dn42/neighbors.nix;
|
||||||
makeBgpNeighbor = { name, asn, description ? "Someone", address, interface ? name, ... }: ''
|
|
||||||
neighbor ${address} remote-as ${builtins.toString asn}
|
|
||||||
neighbor ${address} peer-group dn
|
|
||||||
neighbor ${address} interface ${interface}
|
|
||||||
neighbor ${address} description ${description}
|
|
||||||
'';
|
|
||||||
bgpNeighbors =
|
|
||||||
builtins.attrValues (builtins.mapAttrs (name: conf:
|
|
||||||
let
|
|
||||||
makeNeighbor =
|
|
||||||
address:
|
|
||||||
makeBgpNeighbor (conf // { inherit name address; });
|
|
||||||
in
|
|
||||||
# Bird peers don't do IPv6 routes over IPv4, so they get
|
|
||||||
# additional config:
|
|
||||||
let
|
|
||||||
neighbor4 =
|
|
||||||
if conf ? address4
|
|
||||||
then makeNeighbor conf.address4
|
|
||||||
else "";
|
|
||||||
neighbor6 =
|
|
||||||
if conf ? address6
|
|
||||||
then makeNeighbor conf.address6
|
|
||||||
else "";
|
|
||||||
in "${neighbor4}${neighbor6}"
|
|
||||||
) neighbors);
|
|
||||||
bgpNeighbors6 =
|
|
||||||
builtins.attrValues (builtins.mapAttrs (name: conf:
|
|
||||||
if conf ? address6
|
|
||||||
then ''
|
|
||||||
neighbor ${conf.address6} peer-group dn
|
|
||||||
neighbor ${conf.address6} route-map ${name}-next-hop in
|
|
||||||
''
|
|
||||||
else ""
|
|
||||||
) neighbors);
|
|
||||||
common = ''
|
|
||||||
service advanced-vty
|
|
||||||
line vty
|
|
||||||
|
|
||||||
ip prefix-list dn42-in seq 10 permit 172.22.0.0/15 ge 22 le 28
|
|
||||||
ip prefix-list dn42-in seq 12 permit 172.20.0.0/16 ge 21 le 28
|
|
||||||
ip prefix-list dn42-in seq 15 permit 172.22.0.0/23 ge 32
|
|
||||||
ip prefix-list dn42-in seq 16 permit 172.23.0.0/24 ge 32
|
|
||||||
ip prefix-list dn42-in seq 20 deny 10.10.10.0/24 le 32
|
|
||||||
ip prefix-list dn42-in seq 21 permit 10.0.0.0/8 ge 12 le 28
|
|
||||||
ip prefix-list dn42-in seq 30 permit 172.31.0.0/16 ge 22 le 28
|
|
||||||
ip prefix-list dn42-in seq 1000 deny 0.0.0.0/0 le 32
|
|
||||||
|
|
||||||
! ipv6 prefix-list def seq 5 permit 2000::/3 ge 32
|
|
||||||
ipv6 prefix-list def seq 10 permit fd00::/8 ge 9 le 64
|
|
||||||
ipv6 prefix-list def seq 1000 deny ::/0 le 128
|
|
||||||
'';
|
|
||||||
in {
|
in {
|
||||||
imports =
|
imports =
|
||||||
[ ../../../lib/lxc-container.nix
|
[ ../../../lib/lxc-container.nix
|
||||||
|
@ -65,6 +13,10 @@ in {
|
||||||
|
|
||||||
networking.hostName = "dn42";
|
networking.hostName = "dn42";
|
||||||
networking.defaultGateway = "172.22.99.4";
|
networking.defaultGateway = "172.22.99.4";
|
||||||
|
# networking.defaultGateway6 = {
|
||||||
|
# address = "2a02:8106:208:5201::c3d2:4";
|
||||||
|
# interface = "eth0";
|
||||||
|
# };
|
||||||
networking.nameservers = [ "172.20.72.6" "172.20.72.10" ];
|
networking.nameservers = [ "172.20.72.6" "172.20.72.10" ];
|
||||||
networking.interfaces.eth0 = {
|
networking.interfaces.eth0 = {
|
||||||
ipv4.addresses = [ {
|
ipv4.addresses = [ {
|
||||||
|
@ -72,6 +24,9 @@ in {
|
||||||
prefixLength = 24;
|
prefixLength = 24;
|
||||||
} ];
|
} ];
|
||||||
};
|
};
|
||||||
|
networking.useDHCP = false;
|
||||||
|
networking.useNetworkd = true;
|
||||||
|
services.resolved.enable = false;
|
||||||
|
|
||||||
environment.systemPackages = with pkgs; [
|
environment.systemPackages = with pkgs; [
|
||||||
vim
|
vim
|
||||||
|
@ -85,99 +40,6 @@ in {
|
||||||
|
|
||||||
# No Firewalling!
|
# No Firewalling!
|
||||||
networking.firewall.enable = false;
|
networking.firewall.enable = false;
|
||||||
networking.useDHCP = false;
|
|
||||||
|
|
||||||
services.quagga = {
|
|
||||||
zebra = {
|
|
||||||
config = ''
|
|
||||||
ip forwarding
|
|
||||||
ipv6 forwarding
|
|
||||||
|
|
||||||
interface eth0
|
|
||||||
ipv6 address fe80::a800:42ff:fe7a:3246/64
|
|
||||||
ipv6 address 2a02:8106:208:5201::ffff/64
|
|
||||||
ipv6 address fd23:42:c3d2:523::ffff/64
|
|
||||||
ipv6 nd prefix fd23:42:c3d2:523::/64 60 20
|
|
||||||
ipv6 nd ra-interval 5
|
|
||||||
no ipv6 nd suppress-ra
|
|
||||||
|
|
||||||
ip route 0.0.0.0/0 172.22.99.4
|
|
||||||
ip route 10.0.0.0/8 Null0
|
|
||||||
ip route 172.16.0.0/12 Null0
|
|
||||||
ip route 192.168.0.0/16 Null0
|
|
||||||
ipv6 route 2000::/3 2a02:8106:208:5201::c3d2:4 eth0
|
|
||||||
|
|
||||||
${common}
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
bgp = {
|
|
||||||
enable = true;
|
|
||||||
config = ''
|
|
||||||
router bgp 64699
|
|
||||||
bgp router-id ${address4}
|
|
||||||
network 172.22.99.0/24
|
|
||||||
neighbor dn peer-group
|
|
||||||
neighbor dn soft-reconfiguration inbound
|
|
||||||
neighbor dn prefix-list dn42-in in
|
|
||||||
${builtins.concatStringsSep "\n" bgpNeighbors}
|
|
||||||
|
|
||||||
address-family ipv6
|
|
||||||
network fd23:42:c3d2:500::/56
|
|
||||||
neighbor dn activate
|
|
||||||
neighbor dn soft-reconfiguration inbound
|
|
||||||
neighbor dn prefix-list def in
|
|
||||||
${builtins.concatStringsSep "\n" bgpNeighbors6}
|
|
||||||
|
|
||||||
exit-address-family
|
|
||||||
exit
|
|
||||||
|
|
||||||
|
|
||||||
route-map set-next-hop permit 10
|
|
||||||
set ip next-hop 172.22.99.253
|
|
||||||
route-map set-next-hop6 permit 10
|
|
||||||
set ipv6 next-hop global 2001:6f8:1194:c3d2::ffff
|
|
||||||
set ipv6 next-hop local fe80::a800:42ff:fe7a:3246
|
|
||||||
route-map set-next-hop-zw-server1 permit 10
|
|
||||||
set ip next-hop 172.22.99.250
|
|
||||||
route-map zw-next-hop permit 10
|
|
||||||
set ipv6 next-hop local fe80::814:48ff:fe01:2201
|
|
||||||
set ipv6 next-hop local fe80::814:48ff:fe01:2201
|
|
||||||
|
|
||||||
${common}
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
ospf = {
|
|
||||||
enable = true;
|
|
||||||
config = ''
|
|
||||||
router ospf
|
|
||||||
ospf router-id ${address4}
|
|
||||||
redistribute connected
|
|
||||||
redistribute static
|
|
||||||
network 172.22.99.0/24 area 0.0.0.0
|
|
||||||
area 0.0.0.0 authentication message-digest
|
|
||||||
default-metric 1
|
|
||||||
interface eth0
|
|
||||||
ip ospf message-digest-key 1 md5 ${builtins.readFile ../../../secrets/shared/ospf/message-digest-key.nix}
|
|
||||||
|
|
||||||
${common}
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
ospf6 = {
|
|
||||||
enable = true;
|
|
||||||
config = ''
|
|
||||||
router ospf6
|
|
||||||
router-id 172.22.99.253
|
|
||||||
redistribute connected
|
|
||||||
area 0.0.0.0 range 2001:6f8:1194:c3d2::/64
|
|
||||||
interface eth0 area 0.0.0.0
|
|
||||||
interface eth0
|
|
||||||
ipv6 ospf6 cost 1
|
|
||||||
ipv6 ospf6 network broadcast
|
|
||||||
|
|
||||||
${common}
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
services.openvpn =
|
services.openvpn =
|
||||||
let
|
let
|
||||||
|
@ -208,9 +70,111 @@ in {
|
||||||
servers = builtins.mapAttrs (name: conf: mkServer name conf) openvpnNeighbors;
|
servers = builtins.mapAttrs (name: conf: mkServer name conf) openvpnNeighbors;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
services.bird2 = {
|
||||||
|
enable = true;
|
||||||
|
config =
|
||||||
|
let
|
||||||
|
bgpNeighbors =
|
||||||
|
builtins.concatStringsSep "\n"
|
||||||
|
(builtins.attrValues (builtins.mapAttrs (name: conf:
|
||||||
|
let
|
||||||
|
neighbor4 =
|
||||||
|
if conf ? address4
|
||||||
|
then ''
|
||||||
|
protocol bgp ${name}_4 from dnpeers {
|
||||||
|
neighbor ${conf.address4} as ${builtins.toString conf.asn};
|
||||||
|
}
|
||||||
|
''
|
||||||
|
else "";
|
||||||
|
neighbor6 =
|
||||||
|
if conf ? address6
|
||||||
|
then ''
|
||||||
|
protocol bgp ${name}_6 from dnpeers {
|
||||||
|
neighbor ${conf.address6}%${interface} as ${builtins.toString conf.asn};
|
||||||
|
}
|
||||||
|
''
|
||||||
|
else "";
|
||||||
|
interface =
|
||||||
|
if conf ? interface
|
||||||
|
then conf.interface
|
||||||
|
else name;
|
||||||
|
in "${neighbor4}${neighbor6}"
|
||||||
|
) neighbors));
|
||||||
|
in ''
|
||||||
|
protocol kernel {
|
||||||
|
ipv4 {
|
||||||
|
export all;
|
||||||
|
};
|
||||||
|
}
|
||||||
|
protocol kernel {
|
||||||
|
ipv6 {
|
||||||
|
export all;
|
||||||
|
};
|
||||||
|
}
|
||||||
|
protocol device {
|
||||||
|
scan time 10;
|
||||||
|
}
|
||||||
|
|
||||||
|
protocol static {
|
||||||
|
ipv4;
|
||||||
|
route 10.0.0.0/8 unreachable;
|
||||||
|
route 172.16.0.0/12 unreachable;
|
||||||
|
route 192.168.0.0/16 unreachable;
|
||||||
|
}
|
||||||
|
|
||||||
|
protocol static {
|
||||||
|
ipv6;
|
||||||
|
route 2000::/3 via 2a02:8106:208:5201::c3d2:4;
|
||||||
|
route fd00::/8 unreachable;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
protocol static hq4 {
|
||||||
|
ipv4;
|
||||||
|
route 172.22.99.0/24 via "eth0";
|
||||||
|
}
|
||||||
|
|
||||||
|
protocol static hq6 {
|
||||||
|
ipv6;
|
||||||
|
route fd23:42:c3d2:500::/56 unreachable;
|
||||||
|
}
|
||||||
|
|
||||||
|
template bgp dnpeers {
|
||||||
|
local as 64699;
|
||||||
|
ipv4 {
|
||||||
|
import all;
|
||||||
|
export filter {
|
||||||
|
if source = RTS_BGP then {
|
||||||
|
accept;
|
||||||
|
}
|
||||||
|
if proto = "hq4" then {
|
||||||
|
accept;
|
||||||
|
}
|
||||||
|
reject;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
ipv6 {
|
||||||
|
import all;
|
||||||
|
export filter {
|
||||||
|
if source = RTS_BGP then {
|
||||||
|
accept;
|
||||||
|
}
|
||||||
|
if proto = "hq6" then {
|
||||||
|
accept;
|
||||||
|
}
|
||||||
|
reject;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
||||||
|
${bgpNeighbors}
|
||||||
|
|
||||||
|
router id ${address4};
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
# This value determines the NixOS release with which your system is to be
|
# This value determines the NixOS release with which your system is to be
|
||||||
# compatible, in order to avoid breaking some software such as database
|
# compatible, in order to avoid breaking some software such as database
|
||||||
# servers. You should change this only after NixOS release notes say you
|
# servers. You should change this only after NixOS release notes say you
|
||||||
# should.
|
# should.
|
||||||
system.stateVersion = "18.09"; # Did you read the comment?
|
system.stateVersion = "19.09"; # Did you read the comment?
|
||||||
}
|
}
|
||||||
|
|
12
hq.nixops
12
hq.nixops
|
@ -139,4 +139,16 @@
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
"dn42" =
|
||||||
|
{ ... }:
|
||||||
|
{
|
||||||
|
imports = [
|
||||||
|
hosts/containers/dn42/configuration.nix
|
||||||
|
];
|
||||||
|
deployment = {
|
||||||
|
targetHost = "172.22.99.253";
|
||||||
|
storeKeysOnMachine = true;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
2
secrets
2
secrets
|
@ -1 +1 @@
|
||||||
Subproject commit 573ca8e7120de6fe36af90dace36f9222c155cec
|
Subproject commit 92b0134ccb8cb97a3d9bffb471d07654101a1aed
|
Loading…
Reference in New Issue