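{ config, pkgs, lib, ... }:

# dn42 border router: an LXC container that terminates OpenVPN and WireGuard
# tunnels to peers and runs BGP (bird2) over them. Peer definitions (ASN,
# tunnel addresses, tunnel parameters) live in the secrets tree; this file
# only wires them together.

let
  # This router's own tunnel-side addresses. address4 also serves as the
  # BGP router id and as the local end of every tunnel below.
  address4 = "172.22.99.253";
  address6 = "fe80::deca:fbad";

  # peer name -> { asn, address4?, address6?, interface?, openvpn?, wireguard? }
  # (the attribute names used by the sections below; the file itself is not
  # visible here).
  neighbors = import ../../../secrets/hosts/dn42/neighbors.nix;
in {
  imports =
    [ ../../../lib/lxc-container.nix
      ../../../lib/shared.nix
      ../../../lib/admins.nix
      ../../../lib/default-gateway.nix
    ];

  networking.hostName = "dn42";
  # networking.defaultGateway6 = {
  #   address = "2a02:8106:208:5201::c3d2:4";
  #   interface = "eth0";
  # };
  networking.nameservers = [ "172.20.72.6" "172.20.72.10" ];
  networking.interfaces.eth0 = {
    ipv4.addresses = [ {
      address = address4;
      prefixLength = 24;
    } ];
  };
  networking.useDHCP = false;
  networking.useNetworkd = true;
  services.resolved.enable = false;

  environment.systemPackages = with pkgs; [
    vim
    # for `vtysh`
    # NOTE(review): the routing daemon on this host is bird2 (see below), whose
    # CLI is `birdc`; quagga's vtysh does not talk to bird. Confirm this is
    # still needed before shipping a second routing suite on a border router.
    quagga
  ];

  # SSH for nixops
  services.openssh.enable = true;
  # nixops logs in as root with its SSH key, so key-only root login is enough.
  # The firewall is disabled below, which makes sshd reachable from every peer
  # tunnel, so password-based root login must not be offered.
  services.openssh.permitRootLogin = "prohibit-password";

  # No Firewalling!
  # This host forwards between tunnels, so forwarding stays open. Be aware
  # that this also exposes sshd, the WireGuard/OpenVPN listeners and bird on
  # every interface, including all peer tunnels; the tunnel keys are the only
  # access control.
  networking.firewall.enable = false;

  services.openvpn =
    let
      openvpnNeighbors = lib.filterAttrs (_: conf: conf ? openvpn) neighbors;

      # Static pre-shared key for peer `name`.
      # NOTE(review): builtins.toFile copies the key into /nix/store, which is
      # world-readable on this host and on anything sharing its store or
      # binary cache. Deploy the key out of band and point `secret` at that
      # runtime path instead.
      keyfile = name:
        builtins.toFile "${name}.key"
          (builtins.readFile (../../../secrets/hosts/dn42/openvpn + "/${name}.key"));

      # One OpenVPN instance per peer: a point-to-point tun named after the
      # peer in static-key mode, dropping privileges after setup. The peer's
      # own fragment (`conf.openvpn`) supplies remote/port/cipher settings.
      mkServer = name: conf: {
        config = ''
          dev ${name}
          dev-type tun
          ifconfig ${address4} ${conf.address4}
          user nobody
          group nogroup
          persist-tun
          persist-key
          ping 30
          ping-restart 45
          verb 1
          ${conf.openvpn}
          secret ${keyfile name}
        '';
        # Give the tunnel our link-local v6 address so the IPv6 BGP session
        # (neighbor ...%<interface>) has a local end. Uses the shared constant
        # instead of repeating the literal.
        up = ''
          ${pkgs.iproute}/bin/ip a a ${address6}/64 dev $1
        '';
      };
    in {
      servers = builtins.mapAttrs (name: conf: mkServer name conf) openvpnNeighbors;
    };

  networking.wireguard = {
    enable = true;
    interfaces =
      let
        wireguardNeighbors = lib.filterAttrs (_: conf: conf ? wireguard) neighbors;
      in
        builtins.mapAttrs (name: conf: {
          # NOTE(review): `privateKey` is rendered into the world-readable Nix
          # store; the NixOS module provides `privateKeyFile` for a key that is
          # deployed separately.
          inherit (conf.wireguard) listenPort privateKey;
          ips = [ "${address4}/32" "${address6}/64" ];
          postSetup = ''
            ${pkgs.iproute}/bin/ip route add ${address4}/32 dev ${name}
          '';
          # Routing is BGP's job: the peer may send any source address through
          # the tunnel (allowedIPs = everything), but no kernel routes are
          # derived from that list (allowedIPsAsRoutes = false).
          peers = [ ({
            inherit (conf.wireguard) publicKey;
            allowedIPs = [ "0.0.0.0/0" "::0/0" ];
            persistentKeepalive = 30;
          } // (lib.optionalAttrs (conf.wireguard ? endpoint) {
            inherit (conf.wireguard) endpoint;
          })) ];
          allowedIPsAsRoutes = false;
        }) wireguardNeighbors;
  };

  services.bird2 = {
    enable = true;
    config =
      let
        # One `protocol bgp` stanza per address family a peer defines. The v6
        # session is link-local, so it is scoped to the tunnel interface
        # (conf.interface, defaulting to the peer name).
        bgpNeighbors =
          builtins.concatStringsSep "\n"
            (builtins.attrValues (builtins.mapAttrs (name: conf:
              let
                neighbor4 =
                  if conf ? address4
                  then ''
                    protocol bgp ${name}_4 from dnpeers {
                      neighbor ${conf.address4} as ${builtins.toString conf.asn};
                    }
                  ''
                  else "";
                neighbor6 =
                  if conf ? address6
                  then ''
                    protocol bgp ${name}_6 from dnpeers {
                      neighbor ${conf.address6}%${interface} as ${builtins.toString conf.asn};
                    }
                  ''
                  else "";
                interface =
                  if conf ? interface
                  then conf.interface
                  else name;
              in "${neighbor4}${neighbor6}"
            ) neighbors));
      in ''
        protocol kernel {
          ipv4 {
            export all;
          };
        }
        protocol kernel {
          ipv6 {
            export all;
          };
        }
        protocol device {
          scan time 10;
        }

        protocol static {
          ipv4;
          route 10.0.0.0/8 unreachable;
          route 172.16.0.0/12 unreachable;
          route 192.168.0.0/16 unreachable;
        }

        protocol static {
          ipv6;
          route 2000::/3 via 2a02:8106:208:5201::c3d2:4;
          route fd00::/8 unreachable;
        }


        protocol static hq4 {
          ipv4;
          route 172.22.99.0/24 via "eth0";
        }

        protocol static hq6 {
          ipv6;
          route fd23:42:c3d2:500::/56 unreachable;
        }

        template bgp dnpeers {
          local as 64699;
          ipv4 {
            # Only accept prefixes inside the private ranges this router
            # null-routes above. Anything else from a peer (a default route,
            # public space, ...) would otherwise land in the kernel table via
            # `protocol kernel { export all; }` and divert traffic.
            # NOTE(review): dn42's canonical prefix list is tighter than this;
            # tighten further if the peering policy requires it.
            import filter {
              if net ~ [ 10.0.0.0/8+, 172.16.0.0/12+, 192.168.0.0/16+ ] then {
                accept;
              }
              reject;
            };
            export filter {
              if source = RTS_BGP then {
                accept;
              }
              if proto = "hq4" then {
                accept;
              }
              reject;
            };
          };
          ipv6 {
            # Same policy for v6: only ULA space, matching the fd00::/8
            # null route above.
            import filter {
              if net ~ [ fd00::/8+ ] then {
                accept;
              }
              reject;
            };
            export filter {
              if source = RTS_BGP then {
                accept;
              }
              if proto = "hq6" then {
                accept;
              }
              reject;
            };
          };
        }
        ${bgpNeighbors}

        router id ${address4};
      '';
  };

  # This value determines the NixOS release with which your system is to be
  # compatible, in order to avoid breaking some software such as database
  # servers. You should change this only after NixOS release notes say you
  # should.
  system.stateVersion = "19.09"; # Did you read the comment?
}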