dn42: format

This commit is contained in:
Sandro - 2023-09-15 22:49:10 +02:00
parent 1373d78569
commit 83654b5a7b
Signed by: sandro
GPG Key ID: 3AF5A43A3EECC2E5


@ -4,7 +4,8 @@ let
address4 = "172.22.99.253"; address4 = "172.22.99.253";
address6 = "fe80::deca:fbad"; address6 = "fe80::deca:fbad";
inherit (pkgs) neighbors; inherit (pkgs) neighbors;
in { in
{
networking = { networking = {
domain = "hq.c3d2.de"; domain = "hq.c3d2.de";
hostName = "dn42"; hostName = "dn42";
@ -12,7 +13,7 @@ in {
# No Firewalling! # No Firewalling!
firewall.enable = false; firewall.enable = false;
}; };
services.resolved.enable = false;
c3d2 = { c3d2 = {
hq = { hq = {
interface = "c3d2"; interface = "c3d2";
@ -21,32 +22,40 @@ in {
deployment.server = "server10"; deployment.server = "server10";
}; };
services.collectd.plugins.exec = services = {
let collectd.plugins.exec =
routecount = pkgs.writeScript "run-routecount" '' let
#!${pkgs.bash}/bin/bash routecount = pkgs.writeScript "run-routecount" ''
#!${pkgs.bash}/bin/bash
export PATH=${lib.makeBinPath (with pkgs; [ ruby iproute ] )} export PATH=${lib.makeBinPath (with pkgs; [ ruby iproute ] )}
ruby ${./routecount.rb} ruby ${./routecount.rb}
'';
in
''
Exec "collectd" "${routecount}"
''; '';
in '' resolved.enable = false;
Exec "collectd" "${routecount}" };
'';
sops = { sops = {
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
defaultSopsFile = ./secrets.yaml; defaultSopsFile = ./secrets.yaml;
secrets = builtins.foldl' (result: name: secrets = builtins.foldl'
let (result: name:
conf = neighbors.${name}; let
in result // ( conf = neighbors.${name};
if conf ? openvpn in
then { "neighbors/${name}/openvpn/key" = {}; } result // (
else if conf ? wireguard if conf ? openvpn
then { "neighbors/${name}/wireguard/privateKey" = {}; } then { "neighbors/${name}/openvpn/key" = { }; }
else {} else if conf ? wireguard
then { "neighbors/${name}/wireguard/privateKey" = { }; }
else { }
)
) )
) {} (builtins.attrNames neighbors); { }
(builtins.attrNames neighbors);
}; };
boot.kernel.sysctl = { boot.kernel.sysctl = {
@ -62,150 +71,163 @@ in {
mknod -m 666 /dev/net/tun c 10 200 mknod -m 666 /dev/net/tun c 10 200
fi fi
''; '';
services.openvpn = let services.openvpn =
openvpnNeighbors = lib.filterAttrs (_: conf: conf ? openvpn) neighbors; let
mkServer = name: conf: { openvpnNeighbors = lib.filterAttrs (_: conf: conf ? openvpn) neighbors;
config = '' mkServer = name: conf: {
dev ${name} config = ''
dev-type tun dev ${name}
ifconfig ${address4} ${conf.address4} dev-type tun
user nobody ifconfig ${address4} ${conf.address4}
group nogroup user nobody
persist-tun group nogroup
persist-key persist-tun
ping 30 persist-key
ping-restart 45 ping 30
verb 1 ping-restart 45
${conf.openvpn} verb 1
secret ${config.sops.secrets."neighbors/${name}/openvpn/key".path} ${conf.openvpn}
''; secret ${config.sops.secrets."neighbors/${name}/openvpn/key".path}
up = '' '';
${pkgs.iproute}/bin/ip addr flush dev $1 up = ''
${pkgs.iproute}/bin/ip addr add ${address4} dev ${name} peer ${conf.address4}/32 ${pkgs.iproute}/bin/ip addr flush dev $1
${pkgs.iproute}/bin/ip addr add ${address6}/64 dev $1 ${pkgs.iproute}/bin/ip addr add ${address4} dev ${name} peer ${conf.address4}/32
''; ${pkgs.iproute}/bin/ip addr add ${address6}/64 dev $1
'';
};
in
{
servers =
builtins.mapAttrs mkServer openvpnNeighbors;
}; };
in {
servers =
builtins.mapAttrs mkServer openvpnNeighbors;
};
networking.wireguard = { networking.wireguard = {
enable = true; enable = true;
interfaces = let interfaces =
wireguardNeighbors = let
lib.filterAttrs (_: conf: conf ? wireguard) neighbors; wireguardNeighbors =
in builtins.mapAttrs (name: conf: { lib.filterAttrs (_: conf: conf ? wireguard) neighbors;
inherit (conf.wireguard) listenPort; in
privateKeyFile = config.sops.secrets."neighbors/${name}/wireguard/privateKey".path; builtins.mapAttrs
ips = [ "${address4}/32" "${address6}/64" ]; (name: conf: {
allowedIPsAsRoutes = false; inherit (conf.wireguard) listenPort;
postSetup = '' privateKeyFile = config.sops.secrets."neighbors/${name}/wireguard/privateKey".path;
${pkgs.iproute}/bin/ip addr del ${address4}/32 dev ${name} ips = [ "${address4}/32" "${address6}/64" ];
${pkgs.iproute}/bin/ip addr add ${address4} dev ${name}${if conf ? address4 then " peer ${conf.address4}/32" else ""} allowedIPsAsRoutes = false;
''; postSetup = ''
peers = [ ${pkgs.iproute}/bin/ip addr del ${address4}/32 dev ${name}
({ ${pkgs.iproute}/bin/ip addr add ${address4} dev ${name}${if conf ? address4 then " peer ${conf.address4}/32" else ""}
inherit (conf.wireguard) publicKey; '';
allowedIPs = [ "0.0.0.0/0" "::0/0" ]; peers = [
persistentKeepalive = 30; ({
} // (lib.optionalAttrs (conf.wireguard ? endpoint) { inherit (conf.wireguard) publicKey;
inherit (conf.wireguard) endpoint; allowedIPs = [ "0.0.0.0/0" "::0/0" ];
})) persistentKeepalive = 30;
]; } // (lib.optionalAttrs (conf.wireguard ? endpoint) {
}) wireguardNeighbors; inherit (conf.wireguard) endpoint;
}))
];
})
wireguardNeighbors;
}; };
services.bird2 = { services.bird2 = {
enable = true; enable = true;
config = let config =
bgpNeighbors = builtins.concatStringsSep "\n" (builtins.attrValues let
(builtins.mapAttrs (name: conf@{ multiprotocol ? false, ... }: bgpNeighbors = builtins.concatStringsSep "\n" (builtins.attrValues
let (builtins.mapAttrs
neighbor4 = if conf ? address4 && multiprotocol != "ipv6" then '' (name: conf@{ multiprotocol ? false, ... }:
protocol bgp ${name}_4 from dnpeers { let
neighbor ${conf.address4} as ${builtins.toString conf.asn}; neighbor4 =
} if conf ? address4 && multiprotocol != "ipv6" then ''
'' else protocol bgp ${name}_4 from dnpeers {
""; neighbor ${conf.address4} as ${builtins.toString conf.asn};
neighbor6 = if conf ? address6 && multiprotocol != "ipv4" then '' }
protocol bgp ${name}_6 from dnpeers { '' else
neighbor ${conf.address6}%${interface} as ${ "";
builtins.toString conf.asn neighbor6 =
}; if conf ? address6 && multiprotocol != "ipv4" then ''
} protocol bgp ${name}_6 from dnpeers {
'' else neighbor ${conf.address6}%${interface} as ${
""; builtins.toString conf.asn
interface = conf.interface or name; };
in "${neighbor4}${neighbor6}") neighbors)); }
in '' '' else
protocol kernel { "";
ipv4 { interface = conf.interface or name;
export all; in
}; "${neighbor4}${neighbor6}")
} neighbors));
protocol kernel { in
ipv6 { ''
export all; protocol kernel {
}; ipv4 {
} export all;
protocol device {
scan time 10;
}
protocol static {
ipv4;
route 10.0.0.0/8 unreachable;
route 172.16.0.0/12 unreachable;
route 192.168.0.0/16 unreachable;
}
protocol static {
ipv6;
route 2000::/3 via 2a00:8180:2c00:281::c3d2:3;
route fd00::/8 unreachable;
}
protocol static hq4 {
ipv4;
route 172.22.99.0/24 via "c3d2";
}
protocol static hq6 {
ipv6;
route fd23:42:c3d2:500::/56 unreachable;
}
template bgp dnpeers {
local as 64699;
ipv4 {
import filter {
if proto = "hq4" then reject;
accept;
}; };
export filter { }
if source = RTS_BGP then accept; protocol kernel {
if proto = "hq4" then accept; ipv6 {
reject; export all;
}; };
}; }
ipv6 { protocol device {
import filter { scan time 10;
if proto = "hq6" then reject; }
accept;
};
export filter {
if source = RTS_BGP then accept;
if proto = "hq6" then accept;
reject;
};
};
}
${bgpNeighbors}
router id ${address4}; protocol static {
''; ipv4;
route 10.0.0.0/8 unreachable;
route 172.16.0.0/12 unreachable;
route 192.168.0.0/16 unreachable;
}
protocol static {
ipv6;
route 2000::/3 via 2a00:8180:2c00:281::c3d2:3;
route fd00::/8 unreachable;
}
protocol static hq4 {
ipv4;
route 172.22.99.0/24 via "c3d2";
}
protocol static hq6 {
ipv6;
route fd23:42:c3d2:500::/56 unreachable;
}
template bgp dnpeers {
local as 64699;
ipv4 {
import filter {
if proto = "hq4" then reject;
accept;
};
export filter {
if source = RTS_BGP then accept;
if proto = "hq4" then accept;
reject;
};
};
ipv6 {
import filter {
if proto = "hq6" then reject;
accept;
};
export filter {
if source = RTS_BGP then accept;
if proto = "hq6" then accept;
reject;
};
};
}
${bgpNeighbors}
router id ${address4};
'';
}; };
# This value determines the NixOS release with which your system is to be # This value determines the NixOS release with which your system is to be