From 83654b5a7b9a3f88d608fa488512a119251a092b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sandro=20J=C3=A4ckel?= Date: Fri, 15 Sep 2023 22:49:10 +0200 Subject: [PATCH] dn42: format --- hosts/dn42/default.nix | 330 ++++++++++++++++++++++------------------- 1 file changed, 176 insertions(+), 154 deletions(-) diff --git a/hosts/dn42/default.nix b/hosts/dn42/default.nix index d547ba8e..058a4c81 100644 --- a/hosts/dn42/default.nix +++ b/hosts/dn42/default.nix @@ -4,7 +4,8 @@ let address4 = "172.22.99.253"; address6 = "fe80::deca:fbad"; inherit (pkgs) neighbors; -in { +in +{ networking = { domain = "hq.c3d2.de"; hostName = "dn42"; @@ -12,7 +13,7 @@ in { # No Firewalling! firewall.enable = false; }; - services.resolved.enable = false; + c3d2 = { hq = { interface = "c3d2"; @@ -21,32 +22,40 @@ in { deployment.server = "server10"; }; - services.collectd.plugins.exec = - let - routecount = pkgs.writeScript "run-routecount" '' - #!${pkgs.bash}/bin/bash + services = { + collectd.plugins.exec = + let + routecount = pkgs.writeScript "run-routecount" '' + #!${pkgs.bash}/bin/bash - export PATH=${lib.makeBinPath (with pkgs; [ ruby iproute ] )} - ruby ${./routecount.rb} + export PATH=${lib.makeBinPath (with pkgs; [ ruby iproute ] )} + ruby ${./routecount.rb} + ''; + in + '' + Exec "collectd" "${routecount}" ''; - in '' - Exec "collectd" "${routecount}" - ''; + resolved.enable = false; + }; sops = { age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; defaultSopsFile = ./secrets.yaml; - secrets = builtins.foldl' (result: name: - let - conf = neighbors.${name}; - in result // ( - if conf ? openvpn - then { "neighbors/${name}/openvpn/key" = {}; } - else if conf ? wireguard - then { "neighbors/${name}/wireguard/privateKey" = {}; } - else {} + secrets = builtins.foldl' + (result: name: + let + conf = neighbors.${name}; + in + result // ( + if conf ? openvpn + then { "neighbors/${name}/openvpn/key" = { }; } + else if conf ? wireguard + then { "neighbors/${name}/wireguard/privateKey" = { }; } + else { } + ) ) - ) {} (builtins.attrNames neighbors); + { } + (builtins.attrNames neighbors); }; boot.kernel.sysctl = { @@ -62,150 +71,163 @@ in { mknod -m 666 /dev/net/tun c 10 200 fi ''; - services.openvpn = let - openvpnNeighbors = lib.filterAttrs (_: conf: conf ? openvpn) neighbors; - mkServer = name: conf: { - config = '' - dev ${name} - dev-type tun - ifconfig ${address4} ${conf.address4} - user nobody - group nogroup - persist-tun - persist-key - ping 30 - ping-restart 45 - verb 1 - ${conf.openvpn} - secret ${config.sops.secrets."neighbors/${name}/openvpn/key".path} - ''; - up = '' - ${pkgs.iproute}/bin/ip addr flush dev $1 - ${pkgs.iproute}/bin/ip addr add ${address4} dev ${name} peer ${conf.address4}/32 - ${pkgs.iproute}/bin/ip addr add ${address6}/64 dev $1 - ''; + services.openvpn = + let + openvpnNeighbors = lib.filterAttrs (_: conf: conf ? openvpn) neighbors; + mkServer = name: conf: { + config = '' + dev ${name} + dev-type tun + ifconfig ${address4} ${conf.address4} + user nobody + group nogroup + persist-tun + persist-key + ping 30 + ping-restart 45 + verb 1 + ${conf.openvpn} + secret ${config.sops.secrets."neighbors/${name}/openvpn/key".path} + ''; + up = '' + ${pkgs.iproute}/bin/ip addr flush dev $1 + ${pkgs.iproute}/bin/ip addr add ${address4} dev ${name} peer ${conf.address4}/32 + ${pkgs.iproute}/bin/ip addr add ${address6}/64 dev $1 + ''; + }; + in + { + servers = + builtins.mapAttrs mkServer openvpnNeighbors; }; - in { - servers = - builtins.mapAttrs mkServer openvpnNeighbors; - }; networking.wireguard = { enable = true; - interfaces = let - wireguardNeighbors = - lib.filterAttrs (_: conf: conf ? wireguard) neighbors; - in builtins.mapAttrs (name: conf: { - inherit (conf.wireguard) listenPort; - privateKeyFile = config.sops.secrets."neighbors/${name}/wireguard/privateKey".path; - ips = [ "${address4}/32" "${address6}/64" ]; - allowedIPsAsRoutes = false; - postSetup = '' - ${pkgs.iproute}/bin/ip addr del ${address4}/32 dev ${name} - ${pkgs.iproute}/bin/ip addr add ${address4} dev ${name}${if conf ? address4 then " peer ${conf.address4}/32" else ""} - ''; - peers = [ - ({ - inherit (conf.wireguard) publicKey; - allowedIPs = [ "0.0.0.0/0" "::0/0" ]; - persistentKeepalive = 30; - } // (lib.optionalAttrs (conf.wireguard ? endpoint) { - inherit (conf.wireguard) endpoint; - })) - ]; - }) wireguardNeighbors; + interfaces = + let + wireguardNeighbors = + lib.filterAttrs (_: conf: conf ? wireguard) neighbors; + in + builtins.mapAttrs + (name: conf: { + inherit (conf.wireguard) listenPort; + privateKeyFile = config.sops.secrets."neighbors/${name}/wireguard/privateKey".path; + ips = [ "${address4}/32" "${address6}/64" ]; + allowedIPsAsRoutes = false; + postSetup = '' + ${pkgs.iproute}/bin/ip addr del ${address4}/32 dev ${name} + ${pkgs.iproute}/bin/ip addr add ${address4} dev ${name}${if conf ? address4 then " peer ${conf.address4}/32" else ""} + ''; + peers = [ + ({ + inherit (conf.wireguard) publicKey; + allowedIPs = [ "0.0.0.0/0" "::0/0" ]; + persistentKeepalive = 30; + } // (lib.optionalAttrs (conf.wireguard ? endpoint) { + inherit (conf.wireguard) endpoint; + })) + ]; + }) + wireguardNeighbors; }; services.bird2 = { enable = true; - config = let - bgpNeighbors = builtins.concatStringsSep "\n" (builtins.attrValues - (builtins.mapAttrs (name: conf@{ multiprotocol ? false, ... }: - let - neighbor4 = if conf ? address4 && multiprotocol != "ipv6" then '' - protocol bgp ${name}_4 from dnpeers { - neighbor ${conf.address4} as ${builtins.toString conf.asn}; - } - '' else - ""; - neighbor6 = if conf ? address6 && multiprotocol != "ipv4" then '' - protocol bgp ${name}_6 from dnpeers { - neighbor ${conf.address6}%${interface} as ${ - builtins.toString conf.asn - }; - } - '' else - ""; - interface = conf.interface or name; - in "${neighbor4}${neighbor6}") neighbors)); - in '' - protocol kernel { - ipv4 { - export all; - }; - } - protocol kernel { - ipv6 { - export all; - }; - } - protocol device { - scan time 10; - } - - protocol static { - ipv4; - route 10.0.0.0/8 unreachable; - route 172.16.0.0/12 unreachable; - route 192.168.0.0/16 unreachable; - } - - protocol static { - ipv6; - route 2000::/3 via 2a00:8180:2c00:281::c3d2:3; - route fd00::/8 unreachable; - } - - - protocol static hq4 { - ipv4; - route 172.22.99.0/24 via "c3d2"; - } - - protocol static hq6 { - ipv6; - route fd23:42:c3d2:500::/56 unreachable; - } - - template bgp dnpeers { - local as 64699; - ipv4 { - import filter { - if proto = "hq4" then reject; - accept; + config = + let + bgpNeighbors = builtins.concatStringsSep "\n" (builtins.attrValues + (builtins.mapAttrs + (name: conf@{ multiprotocol ? false, ... }: + let + neighbor4 = + if conf ? address4 && multiprotocol != "ipv6" then '' + protocol bgp ${name}_4 from dnpeers { + neighbor ${conf.address4} as ${builtins.toString conf.asn}; + } + '' else + ""; + neighbor6 = + if conf ? address6 && multiprotocol != "ipv4" then '' + protocol bgp ${name}_6 from dnpeers { + neighbor ${conf.address6}%${interface} as ${ + builtins.toString conf.asn + }; + } + '' else + ""; + interface = conf.interface or name; + in + "${neighbor4}${neighbor6}") + neighbors)); + in + '' + protocol kernel { + ipv4 { + export all; }; - export filter { - if source = RTS_BGP then accept; - if proto = "hq4" then accept; - reject; + } + protocol kernel { + ipv6 { + export all; }; - }; - ipv6 { - import filter { - if proto = "hq6" then reject; - accept; - }; - export filter { - if source = RTS_BGP then accept; - if proto = "hq6" then accept; - reject; - }; - }; - } - ${bgpNeighbors} + } + protocol device { + scan time 10; + } - router id ${address4}; - ''; + protocol static { + ipv4; + route 10.0.0.0/8 unreachable; + route 172.16.0.0/12 unreachable; + route 192.168.0.0/16 unreachable; + } + + protocol static { + ipv6; + route 2000::/3 via 2a00:8180:2c00:281::c3d2:3; + route fd00::/8 unreachable; + } + + + protocol static hq4 { + ipv4; + route 172.22.99.0/24 via "c3d2"; + } + + protocol static hq6 { + ipv6; + route fd23:42:c3d2:500::/56 unreachable; + } + + template bgp dnpeers { + local as 64699; + ipv4 { + import filter { + if proto = "hq4" then reject; + accept; + }; + export filter { + if source = RTS_BGP then accept; + if proto = "hq4" then accept; + reject; + }; + }; + ipv6 { + import filter { + if proto = "hq6" then reject; + accept; + }; + export filter { + if source = RTS_BGP then accept; + if proto = "hq6" then accept; + reject; + }; + }; + } + ${bgpNeighbors} + + router id ${address4}; + ''; }; # This value determines the NixOS release with which your system is to be