diff --git a/ops/nixos/ixvm-fra01/bird.nix b/ops/nixos/ixvm-fra01/bird.nix
deleted file mode 100644
index 1130ea901b..0000000000
--- a/ops/nixos/ixvm-fra01/bird.nix
+++ /dev/null
@@ -1,178 +0,0 @@
-{ lib, config, ... }:
-let
- local = {
- asn = 205479;
- };
- peering = {
- ixvm = {
- local = local // {
- v4 = "141.98.136.124";
- v6 = "2a09:11c0:f1:bc0b::2";
- };
- remote = {
- asn = 209844;
- export_community = 2000;
- routers = [{
- v4 = "141.98.136.97";
- v6 = "2a09:11c0:f1:bc0b::1";
- } {
- v4 = "141.98.136.126";
- v6 = "2a09:11c0:f1:bc0b::3";
- }];
- };
- };
- kleyrex = {
- local = local // {
- v4 = "193.189.83.41";
- v6 = "2001:7f8:33::a120:5479:1";
- };
- remote = {
- asn = 31142;
- export_community = 2001;
- routers = [{
- v4 = "193.189.82.251";
- v6 = "2001:7f8:33::a103:1142:1";
- } {
- v4 = "193.189.82.252";
- v6 = "2001:7f8:33::a103:1142:2";
- } {
- v4 = "193.189.82.253";
- v6 = "2001:7f8:33::a103:1142:3";
- }];
- };
- };
- locix = {
- local = local // {
- v4 = "185.1.166.219";
- v6 = "2001:7f8:f2:e1::a20:5479:1";
- };
- remote = {
- asn = 202409;
- export_community = 2002;
- routers = [{
- v4 = "185.1.166.100";
- v6 = "2001:7f8:f2:e1::babe:1";
- } {
- v4 = "185.1.166.200";
- v6 = "2001:7f8:f2:e1::dead:1";
- } {
- v4 = "185.1.166.254";
- v6 = "2001:7f8:f2:e1::be5a";
- }];
- };
- };
- nlix = {
- local = local // {
- v4 = "193.239.118.225";
- v6 = "2001:7f8:13::a520:5479:1";
- };
- remote = {
- asn = 34307;
- export_community = 2003;
- routers = [{
- v4 = "193.239.116.255";
- v6 = "2001:7f8:13::a503:4307:1";
- } {
- enabled = false;
- v4 = "193.239.117.0";
- v6 = "2001:7f8:13::a503:4307:2";
- }];
- };
- };
- };
- generateSnippet = base: args: lib.concatStringsSep "\n" (lib.mapAttrsToList ( ixName: ix: generateSnippetForIX (args // { ixName = ixName; ix = ix; }) ) base );
- generateSnippetForIX = { ixName, ix, ... }@args: ''
- ipv4 table ${ixName}4;
- ipv6 table ${ixName}6;
- protocol pipe ${ixName}pipe_4 {
- table ${ixName}4;
- peer table master4;
- import where ((ro, 205479, ${toString ix.remote.export_community}) ~ bgp_ext_community);
- export all;
- };
- protocol pipe ${ixName}pipe_6 {
- table ${ixName}6;
- peer table master6;
- import where ((ro, 205479, ${toString ix.remote.export_community}) ~ bgp_ext_community);
- export all;
- };
- '' + lib.concatImapStringsSep "\n" ( i: v: generateSnippetForRouter (args // { routerNum = i; router = v; }) ) ix.remote.routers;
- enabledSnippet = { enabled ? true, ... }: "disabled ${if enabled then "off" else "on"}";
- generateSnippetForRouter = { ixName, ix, routerNum, router, ... }: ''
- protocol bgp ${ixName}${toString routerNum}_4 {
- ${enabledSnippet router};
- local ${ix.local.v4} as ${toString ix.local.asn};
- neighbor ${router.v4} as ${toString ix.remote.asn};
- ipv4 {
- table ${ixName}4;
- import all;
- export where ((ro, 205479, 1000) ~ bgp_ext_community);
- };
- };
- protocol bgp ${ixName}${toString routerNum}_6 {
- ${enabledSnippet router};
- local ${ix.local.v6} as ${toString ix.local.asn};
- neighbor ${router.v6} as ${toString ix.remote.asn};
- ipv6 {
- table ${ixName}6;
- import all;
- export where ((ro, 205479, 1000) ~ bgp_ext_community);
- };
- };
- '';
-in {
- services.bird2 = {
- enable = true;
- config = ''
- router id 141.98.136.124;
-
- ${generateSnippet peering {}}
-
- protocol kernel {
- persist;
- ipv4 {
- import none;
- export all;
- };
- };
- protocol kernel {
- persist;
- ipv6 {
- import none;
- export all;
- };
- };
- protocol device {
- };
-
- protocol static export4 {
- ipv4 {
- import filter {
- bgp_ext_community.add((ro, 205479, 1000));
- bgp_ext_community.add((ro, 205479, 2000));
- bgp_ext_community.add((ro, 205479, 2001));
- bgp_ext_community.add((ro, 205479, 2002));
- bgp_ext_community.add((ro, 205479, 2003));
- accept;
- };
- };
- route 92.118.31.0/24 blackhole;
- };
- protocol static export6 {
- ipv6 {
- import filter {
- bgp_ext_community.add((ro, 205479, 1000));
- bgp_ext_community.add((ro, 205479, 2000));
- bgp_ext_community.add((ro, 205479, 2001));
- bgp_ext_community.add((ro, 205479, 2002));
- bgp_ext_community.add((ro, 205479, 2003));
- accept;
- };
- };
- route 2a09:a440::/48 blackhole;
- };
- '';
- };
-
- networking.firewall.allowedTCPPorts = lib.mkAfter [ 179 ];
-}