From 2f0f17f1fd3fb9fe052155cb81f333a8404b00cb Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown
Date: Thu, 4 Apr 2024 22:51:55 +0000
Subject: [PATCH] rexxar: add some shuffles
---
 ops/nixos/rexxar/bgp.nix | 17 +++--
 ops/nixos/rexxar/default.nix | 127 +++++++++++++++++++++++++++++++++--
 2 files changed, 132 insertions(+), 12 deletions(-)
diff --git a/ops/nixos/rexxar/bgp.nix b/ops/nixos/rexxar/bgp.nix
index fa5177427e..77dadb6f31 100644
--- a/ops/nixos/rexxar/bgp.nix
+++ b/ops/nixos/rexxar/bgp.nix
@@ -16,8 +16,11 @@
 local = {
 routerID = "195.74.55.21";
 };
- export.v4 = [ ];
- export.v6 = [ ];
+ export.v4 = [ "92.118.28.0/22" ];
+ export.v6 = [ "2a09:a442:1000::/48" "2a09:a442::/48" ];
+
+ internal.export.v4 = [ "92.118.30.251/32" ];
+ internal.export.v6 = [ "2a09:a442:1000::/48" "2a09:a442::/48" ];
 peering = let
 base = [{
@@ -29,13 +32,15 @@
 }];
 link.velox2 = base ++ [{
 local.v4 = "195.74.55.23";
- local.v6 = "2a03:ee40:8080:9:1::2";
+ local.v6 = "2a03:ee40:8080:9:2::2";
 }];
 link.linx = base ++ [{
 local.v4 = "195.66.224.58";
 local.v6 = "2001:7f8:4::3:22a7:1";
- remote.pref_src.v4 = "195.74.55.21";
- remote.pref_src.v6 = "2a03:ee40:8080:9:1::2";
+ #remote.pref_src.v4 = "195.74.55.21";
+ #remote.pref_src.v6 = "2a03:ee40:8080:9:1::2";
+ remote.pref_src.v4 = "92.118.30.251";
+ remote.pref_src.v6 = "2a09:a442:1000::";
 }];
 peer.velox.remote = {
 asn = 3170;
@@ -52,7 +57,7 @@
 }]);
 veloxserv2 = lib.mkMerge (link.velox2 ++ [peer.velox {
 remote.routers = [{
- enabled = false;
+ enabled = true;
 v4 = "195.74.55.22";
 v6 = "2a03:ee40:8080:9:2::1";
 }];
diff --git a/ops/nixos/rexxar/default.nix b/ops/nixos/rexxar/default.nix
index 66b289198a..b637568d6f 100644
--- a/ops/nixos/rexxar/default.nix
+++ b/ops/nixos/rexxar/default.nix
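Review bot: The v6 prefix list is written out twice in the first bgp.nix hunk (`export.v6` and `internal.export.v6`), so the two can drift apart silently on the next edit; binding it once, e.g. `let v6Prefixes = [ "2a09:a442:1000::/48" "2a09:a442::/48" ]; in`, and using it for both keeps one source of truth. The attribute set these lines belong to starts before the hunk.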
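Review bot: The two `#remote.pref_src.*` lines added in the `link.linx` block are commented-out previous values rather than explanation, and version control already holds them; either drop them or replace them with a one-line why-comment, e.g. `# pref_src moved to the router loopback addresses (see lo in default.nix / internal.export)`. The new values `92.118.30.251` and `2a09:a442:1000::` match the addresses this same patch puts on `lo` in default.nix, which is worth stating so the coupling between the two files is visible. The `local.v6` change on `link.velox2` to `...:9:2::2` is consistent with the `...:9:2::1` remote router enabled in the later hunk.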
@@ -77,15 +77,103 @@
 domain = "as205479.net";
 hostId = "b46c2ae9";
 useNetworkd = true;
- };
- systemd.network = {
- networks."10-enp9s0f0" = {
- matchConfig.Name = "enp9s0f0";
- networkConfig.VLAN = [ "vl-velox1" "vl-linx" ];
+ firewall = {
+ allowedUDPPorts = [
+ 51821 51822 51823
+ ];
+ };
+ };
+ systemd.network = let
+ wireguard = { name, listenPort, privateKey, publicKey, endpoint ? null }: {
+ netdevConfig = {
+ Name = name;
+ Kind = "wireguard";
+ Description = "WireGuard tunnel ${name}";
+ };
+ wireguardConfig = {
+ ListenPort = listenPort;
+ PrivateKeyFile = privateKey;
+ };
+ wireguardPeers = [{
+ wireguardPeerConfig = lib.mkMerge [{
+ PublicKey = publicKey;
+ AllowedIPs = [
+ "0.0.0.0/0"
+ "::/0"
+ ];
+ } (lib.mkIf (endpoint != null) {
+ Endpoint = endpoint;
+ })];
+ }];
+ };
+ swannWireguard = args: wireguard (args // {
+ privateKey = config.my.vault.secrets.wg-swann-private.path;
+ publicKey = "XyfovUP6GUwIg15t5UWxicfxooeto/U/7nLs7Zu8HH4=";
+ });
+ cofractalWireguard = args: wireguard (args // {
+ privateKey = config.my.vault.secrets.wg-cofractal-ams01-private.path;
+ publicKey = "qKi6mWIhV2n16LGH16Iug5W+Bx4Fx7eprxCgA/1Ra1g=";
+ });
+ in {
+ netdevs."40-wg-swann-ee" = swannWireguard {
+ name = "wg-swann-ee";
+ listenPort = 51821;
+ };
+ netdevs."40-wg-swann-gnet" = swannWireguard {
+ name = "wg-swann-gnet";
+ listenPort = 51822;
+ endpoint = "185.250.189.20:51822";
+ };
+ netdevs."40-wg-cofractal" = cofractalWireguard {
+ name = "wg-cofractal";
+ listenPort = 51823;
+ endpoint = "[2a09:a446:1337:ffff::10]:51823";
+ };
+
+ networks."40-wg-swann-ee" = {
+ matchConfig.Name = "wg-swann-ee";
+ address = [
+ "92.118.30.3/31"
+ "2a09:a442::2:2/64"
+ ];
+ };
+ networks."40-wg-swann-gnet" = {
+ matchConfig.Name = "wg-swann-gnet";
+ address = [
+ "92.118.30.5/31"
+ "2a09:a442::3:2/64"
+ ];
+ };
+ networks."40-wg-cofractal" = {
+ matchConfig.Name = "wg-cofractal";
+ address = [
+ "169.254.200.0/31"
+ ];
+ };
+
+ networks."10-usb0" = {
+ matchConfig.Name = "usb0";
+ address = [
+ "169.254.0.1/24"
+ # IPMI 169.254.0.17
+ ];
+ };
+ networks."10-enp193s0f0np0" = {
+ matchConfig.Name = "enp193s0f0np0";
+ # Telia
+ address = [
+ "62.115.150.105/31"
+ "2001:2035:0:1f7e::2/126"
+ ];
+ };
+ networks."10-enp193s0f1np1" = {
+ matchConfig.Name = "enp193s0f1np1";
+ networkConfig.VLAN = [ "vl-velox1" ];
+ };
+ # enp9s0f0 - previously velox copper cable 1, now enp193s0f1np1 via 10G
 networks."10-enp9s0f1" = {
 matchConfig.Name = "enp9s0f1";
- networkConfig.VLAN = [ "vl-velox2" ];
+ networkConfig.VLAN = [ "vl-velox2" "vl-linx" ];
 };
 netdevs."20-vl-velox1" = {
 netdevConfig = {
@@ -173,6 +261,19 @@
 IPv6SendRA = false;
 };
 };
+ networks."60-lo" = {
+ matchConfig.Name = "lo";
+ addresses = [{
+ addressConfig.Address = "127.0.0.1/8";
+ addressConfig.Scope = "host";
+ } {
+ addressConfig.Address = "::1/128";
+ } {
+ addressConfig.Address = "92.118.30.251/32";
+ } {
+ addressConfig.Address = "2a09:a442:1000::/128";
+ }];
+ };
 };
 my.ip.tailscale = "100.97.110.48";
 my.ip.tailscale6 = "fd7a:115c:a1e0::3a01:6e30";
@@ -227,5 +328,19 @@
 boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
+ my.vault.secrets = let
+ wireguardSecret = key: {
+ group = "systemd-network";
+ template = ''
+ {{- with secret "kv/apps/wireguard/rexxar" -}}
+ {{- .Data.data.${key} -}}
+ {{- end -}}
+ '';
+ };
+ in {
+ wg-swann-private = wireguardSecret "privateKeyToSwann";
+ wg-cofractal-ams01-private = wireguardSecret "privateKeyToCofractalAms01";
+ };
+
 system.stateVersion = "24.05";
 }
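Review bot: The WireGuard listen ports are hard-coded twice in the first default.nix hunk, once in `firewall.allowedUDPPorts` (`51821 51822 51823`) and again as `listenPort` in each `netdevs."40-wg-*"` call, so adding or renumbering a tunnel can leave a firewall hole with no listener behind it or a listener the firewall blocks. Deriving both the netdevs and the port list from one attribute set of tunnel definitions would remove the duplication; the minimal fix is a comment on the firewall list, `# must match listenPort of the wg-* netdevs below`. The `AllowedIPs = [ "0.0.0.0/0" "::/0" ]` on every peer looks intentional because the tunnel addresses sit in the same ranges bgp.nix announces, but it reads as a default-route tunnel and deserves a why-comment in the `wireguard` helper. The `# IPMI 169.254.0.17` note on `usb0` records a BMC on a link-local segment of a forwarding router; whether forwarded traffic can reach it depends on forwarding and firewall settings outside this hunk, so that is worth confirming and recording next to the comment. The `networking` attribute set this hunk edits begins before the hunk.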
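Review bot: The `92.118.30.251/32` and `2a09:a442:1000::/128` entries added to `networks."60-lo"` carry no explanation, yet they are exactly the addresses bgp.nix in this same patch announces via `internal.export` and uses as `remote.pref_src` for LINX; a comment such as `# router loopback addresses: announced via bgp.nix internal.export and used as pref_src` would make the cross-file dependency visible. `2a09:a442:1000::/128` is the all-zero host of the `/48` in `export.v6`, which is a valid host address but easy to misread as a prefix, so naming it in that comment helps the next reader.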
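Review bot: `wireguardSecret` in the last hunk sets only `group = "systemd-network"` and leaves owner and file mode to whatever `my.vault.secrets` defaults to, which is not visible here; since each rendered file is a WireGuard private key read through `PrivateKeyFile` in the `wg-*` netdevs, the intended permissions should be stated next to the helper, e.g. `# rendered key is consumed by networkd via PrivateKeyFile; must be readable by group systemd-network and by no one else`. If the module defaults already give a restrictive mode, the comment still documents the assumption this block relies on.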