ops/nixos: change shape of systemd-networkd

Some repeated things have been moved up a level.
Luke Granger-Brown 2024-06-09 00:53:59 +01:00
parent 15124057c8
commit 4db9ef0543
8 changed files with 107 additions and 165 deletions


@ -258,24 +258,18 @@ in {
PrivateKeyFile = "/home/ninovpn/wg-priv";
};
wireguardPeers = [{
wireguardPeerConfig = {
PublicKey = "0WX1QmQaSDavNTAIp5vRsoG+UNXOP1ttZ+2VahoHR0c=";
AllowedIPs = ["10.222.0.2/32"];
};
PublicKey = "0WX1QmQaSDavNTAIp5vRsoG+UNXOP1ttZ+2VahoHR0c=";
AllowedIPs = ["10.222.0.2/32"];
} {
wireguardPeerConfig = {
PublicKey = "oeRBlP5C3vHc3GDqgRT9F2qly6MAoy1+CjRHsU4F6Bo=";
AllowedIPs = ["10.222.0.3/32"];
};
PublicKey = "oeRBlP5C3vHc3GDqgRT9F2qly6MAoy1+CjRHsU4F6Bo=";
AllowedIPs = ["10.222.0.3/32"];
}];
};
systemd.network.networks."20-wg0" = {
matchConfig.Name = "wg0";
linkConfig.RequiredForOnline = "no";
addresses = [{
addressConfig = {
Address = "10.222.0.1/24";
};
Address = "10.222.0.1/24";
}];
};
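Review bot: The flattened entry shape introduced in this hunk (`PublicKey`/`AllowedIPs` and `Address` placed directly in the list items, without the `wireguardPeerConfig`/`addressConfig` wrapper) is only accepted by NixOS releases that flattened those `*Config` sub-attributes — 24.05 onward, as far as I recall — and on an older pin evaluation fails with an "option does not exist" error rather than degrading. If any host in this repo tracks an older nixpkgs, the commit needs to land together with the pin bump or be gated on the release. The `systemd.network.netdevs` attribute set this belongs to begins before the hunk, and the `PrivateKeyFile` line above it is unchanged context.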


@ -191,15 +191,12 @@ in
PrivateKeyFile = privateKey;
};
wireguardPeers = [{
wireguardPeerConfig = lib.mkMerge [{
PublicKey = publicKey;
AllowedIPs = [
"0.0.0.0/0"
"::/0"
];
} (lib.mkIf (endpoint != null) {
Endpoint = endpoint;
})];
PublicKey = publicKey;
AllowedIPs = [
"0.0.0.0/0"
"::/0"
];
Endpoint = endpoint;
}];
};
swannWireguard = args: wireguard (args // {
@ -253,14 +250,14 @@ in
networks."60-lo" = {
matchConfig.Name = "lo";
addresses = [{
addressConfig.Address = "127.0.0.1/8";
addressConfig.Scope = "host";
Address = "127.0.0.1/8";
Scope = "host";
} {
addressConfig.Address = "::1/128";
Address = "::1/128";
} {
addressConfig.Address = "92.118.30.252/32";
Address = "92.118.30.252/32";
} {
addressConfig.Address = "2a09:a442:2000::/128";
Address = "2a09:a442:2000::/128";
}];
};
};
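Review bot: In the first hunk `Endpoint = endpoint;` is now set unconditionally, whereas the removed `lib.mkIf (endpoint != null)` only emitted it for a non-null endpoint; if any caller of `wireguard` still passes `endpoint = null`, the peer now defines `Endpoint` as null, which — unless the networkd module silently drops null values (I have not confirmed that it does) — either fails evaluation or renders as an empty `Endpoint=` line. The guard fits the flattened shape without `mkMerge`: `wireguardPeers = [({ PublicKey = publicKey; AllowedIPs = [ "0.0.0.0/0" "::/0" ]; } // lib.optionalAttrs (endpoint != null) { Endpoint = endpoint; })];`. The `wireguard` helper this sits in begins before the hunk; the `60-lo` hunk below is a pure shape change.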


@ -19,10 +19,10 @@
"fe80::f00f/64"
];
networkConfig.IPv6SendRA = true;
ipv6Prefixes = [{ ipv6PrefixConfig = {
ipv6Prefixes = [{
Prefix = "2a09:a441:0:ffff::/64";
Assign = true;
}; }];
}];
};
systemd.network.netdevs."40-br-mgmt" = {


@ -152,10 +152,8 @@
};
wireguardPeers = [{
wireguardPeerConfig = {
PublicKey = depot.ops.secrets.wireguard.quadv1.quadv.publicKey;
AllowedIPs = "0.0.0.0/0,::/0";
};
PublicKey = depot.ops.secrets.wireguard.quadv1.quadv.publicKey;
AllowedIPs = "0.0.0.0/0,::/0";
}];
};
systemd.network.networks.quadv1 = {
@ -163,10 +161,8 @@
networkConfig.Address = "169.254.111.0/31";
routes = [{
routeConfig = {
Gateway = "169.254.111.1";
Destination = "92.118.31.0/24";
};
Gateway = "169.254.111.1";
Destination = "92.118.31.0/24";
}];
};
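Review bot: `AllowedIPs = "0.0.0.0/0,::/0";` in the first hunk is written as a comma-joined string, while every other peer touched by this commit uses the list form; both should render to the same `AllowedIPs=` line, but the list form is what the rest of the repo uses and, as far as I know, is the one the module's option type merges when another definition adds entries. Suggest `AllowedIPs = [ "0.0.0.0/0" "::/0" ];` for consistency. The `netdevs` entry this peer belongs to begins before the hunk.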


@ -87,14 +87,10 @@ in
IPv6SendRA = true;
};
ipv6Prefixes = [{
ipv6PrefixConfig = {
Prefix = "2a09:a443:ee::/64";
};
Prefix = "2a09:a443:ee::/64";
}];
ipv6RoutePrefixes = [{
ipv6RoutePrefixConfig = {
Route = "::/0";
};
Route = "::/0";
}];
dhcpServerConfig = {
PoolOffset = 100;


@ -49,11 +49,9 @@
RouteMetric = 512;
};
routes = [{
routeConfig = {
Gateway = "10.0.0.1";
Destination = "0.0.0.0/0";
Metric = 512;
};
Gateway = "10.0.0.1";
Destination = "0.0.0.0/0";
Metric = 512;
}];
};
};


@ -95,15 +95,12 @@
PrivateKeyFile = privateKey;
};
wireguardPeers = [{
wireguardPeerConfig = lib.mkMerge [{
PublicKey = publicKey;
AllowedIPs = [
"0.0.0.0/0"
"::/0"
];
} (lib.mkIf (endpoint != null) {
Endpoint = endpoint;
})];
PublicKey = publicKey;
AllowedIPs = [
"0.0.0.0/0"
"::/0"
];
Endpoint = endpoint;
}];
};
swannWireguard = args: wireguard (args // {
@ -199,11 +196,11 @@
"1.1.1.1"
];
networkConfig.DNSDefaultRoute = true;
routes = [{ routeConfig = {
routes = [{
Gateway = "195.74.55.20";
}; } { routeConfig = {
} {
Gateway = "2a03:ee40:8080:9:1::1";
}; }];
}];
};
netdevs."20-vl-velox2" = {
netdevConfig = {
@ -229,11 +226,11 @@
"1.1.1.1"
];
networkConfig.DNSDefaultRoute = true;
routes = [{ routeConfig = {
routes = [{
Gateway = "195.74.55.22";
}; } { routeConfig = {
} {
Gateway = "2a03:ee40:8080:9:2::1";
}; }];
}];
};
netdevs."20-vl-linx" = {
netdevConfig = {
@ -264,14 +261,14 @@
networks."60-lo" = {
matchConfig.Name = "lo";
addresses = [{
addressConfig.Address = "127.0.0.1/8";
addressConfig.Scope = "host";
Address = "127.0.0.1/8";
Scope = "host";
} {
addressConfig.Address = "::1/128";
Address = "::1/128";
} {
addressConfig.Address = "92.118.30.251/32";
Address = "92.118.30.251/32";
} {
addressConfig.Address = "2a09:a442:1000::/128";
Address = "2a09:a442:1000::/128";
}];
};
};
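Review bot: The `Endpoint = endpoint;` in the first hunk drops the `endpoint != null` condition that `lib.mkIf` provided, so a caller that omits the endpoint now defines `Endpoint` as null instead of leaving it out; whether that is rejected at evaluation or emitted as an empty `Endpoint=` depends on how the networkd module treats null, which I have not checked, but neither matches the previous behaviour. Keeping the condition in the flattened shape is a one-liner: `wireguardPeers = [({ PublicKey = publicKey; AllowedIPs = [ "0.0.0.0/0" "::/0" ]; } // lib.optionalAttrs (endpoint != null) { Endpoint = endpoint; })];`. The `wireguard` helper this belongs to starts before the hunk; the route and `60-lo` hunks below are shape-only changes.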


@ -102,12 +102,10 @@ in {
dhcpV4Config.RouteTable = rtID;
ipv6AcceptRAConfig.RouteTable = rtID;
routingPolicyRules = [{
routingPolicyRuleConfig = {
Family = "both";
FirewallMark = hexToInt wireguardFwmark;
Priority = 10000;
Table = rtID;
};
Family = "both";
FirewallMark = hexToInt wireguardFwmark;
Priority = 10000;
Table = rtID;
}] ++ extraRules;
};
wireguardNetwork = { linkName, relativePriority, rtID, v4Linknet, v6Linknet }: {
@ -124,29 +122,21 @@ in {
"${builtins.elemAt pieces 0}${lib.toHexString (fn (hexToInt "0x${builtins.elemAt pieces 2}"))}";
in [
{
routeConfig = {
Destination = "${v4Linknet}/31";
Table = rtID;
};
Destination = "${v4Linknet}/31";
Table = rtID;
}
{
routeConfig = {
Gateway = replaceV4Octet v4Linknet (n: n + 1);
Table = rtID;
};
Gateway = replaceV4Octet v4Linknet (n: n + 1);
Table = rtID;
}
{
routeConfig = {
Destination = "${replaceV6Octet v6Linknet (n: 0)}/112";
Table = rtID;
};
Destination = "${replaceV6Octet v6Linknet (n: 0)}/112";
Table = rtID;
}
{
routeConfig = {
Gateway = replaceV6Octet v6Linknet (n: n + 1);
Table = rtID;
};
Gateway = replaceV6Octet v6Linknet (n: n + 1);
Table = rtID;
}
];
@ -162,31 +152,25 @@ in {
# Allow picking destination by source IP.
{
routingPolicyRuleConfig = {
Family = "ipv4";
From = v4Linknet;
Priority = 10010;
Table = rtID;
};
Family = "ipv4";
From = v4Linknet;
Priority = 10010;
Table = rtID;
}
{
routingPolicyRuleConfig = {
Family = "ipv6";
From = v6Linknet;
Priority = 10010;
Table = rtID;
};
Family = "ipv6";
From = v6Linknet;
Priority = 10010;
Table = rtID;
}
];
};
tailscaleRule = priority: table: {
# Route Tailscale (fwmark 0x80000) via Wireguard first.
routingPolicyRuleConfig = {
Family = "both";
FirewallMark = hexToInt "0x80000"; # Should be "0x80000/0xff0000"
Priority = priority;
Table = table;
};
Family = "both";
FirewallMark = hexToInt "0x80000"; # Should be "0x80000/0xff0000"
Priority = priority;
Table = table;
};
in let
routeTables = {
@ -240,19 +224,15 @@ in {
networks."40-lo" = {
routingPolicyRules = let
viaMain = priority: to: {
routingPolicyRuleConfig = {
To = to;
Table = "main";
Priority = priority;
};
To = to;
Table = "main";
Priority = priority;
};
blackhole = fwmark: {
routingPolicyRuleConfig = {
Family = "both";
FirewallMark = hexToInt fwmark;
Priority = 10001;
Type = "unreachable";
};
Family = "both";
FirewallMark = hexToInt fwmark;
Priority = 10001;
Type = "unreachable";
};
in [
(tailscaleRule 5000 150)
@ -274,50 +254,38 @@ in {
{
# Catch-all "go via WG"
routingPolicyRuleConfig = {
Family = "both";
Priority = 10080;
Table = routeTables.bgp;
};
Family = "both";
Priority = 10080;
Table = routeTables.bgp;
}
];
};
networks."40-en-ee" = (physicalNetwork routeTables.ee "0xdead" [{
routingPolicyRuleConfig = {
# add-on.ee.co.uk goes via EE.
To = "82.192.97.153/32";
Table = routeTables.ee;
Priority = 10031;
};
# add-on.ee.co.uk goes via EE.
To = "82.192.97.153/32";
Table = routeTables.ee;
Priority = 10031;
} {
routingPolicyRuleConfig = {
# as does anything from 10.42.0.0/24.
From = "10.42.0.0/24";
Table = routeTables.ee;
Priority = 10031;
};
# as does anything from 10.42.0.0/24.
From = "10.42.0.0/24";
Table = routeTables.ee;
Priority = 10031;
}]) // {
linkConfig.RequiredForOnline = "no";
routes = [{
routeConfig = {
Gateway = "10.42.0.1";
Destination = "0.0.0.0/0";
Table = routeTables.ee;
};
Gateway = "10.42.0.1";
Destination = "0.0.0.0/0";
Table = routeTables.ee;
} {
routeConfig = {
Destination = "10.42.0.0/24";
Table = routeTables.ee;
};
Destination = "10.42.0.0/24";
Table = routeTables.ee;
}];
};
networks."40-en-gnet" = (physicalNetwork routeTables.gnet "0xcafe" [{
# Catch-all mop-up rule at the end.
routingPolicyRuleConfig = {
Family = "both";
Priority = 32768;
Table = routeTables.gnet;
};
Family = "both";
Priority = 32768;
Table = routeTables.gnet;
}]);
networks."40-br-internal" = {
networkConfig.VLAN = [ "vl-eduroam" ];
@ -345,14 +313,12 @@ in {
RouteTable = "off";
};
wireguardPeers = [{
wireguardPeerConfig = {
Endpoint = endpoint;
PublicKey = publicKey;
AllowedIPs = [
"0.0.0.0/0"
"::/0"
];
};
Endpoint = endpoint;
PublicKey = publicKey;
AllowedIPs = [
"0.0.0.0/0"
"::/0"
];
}];
};
rexxarWireguard = args: wireguard (args // {
@ -403,15 +369,13 @@ in {
FirewallMark = hexToInt "0xcafe"; # over gnet
};
wireguardPeers = [{
wireguardPeerConfig = {
Endpoint = "shenfield-mythic.i.eta.st:51825";
#PublicKey = config.my.vault.secrets.wg-eta-public.path;
PublicKey = "JDelaz8FQBtJBRVd9CMYikO/25gKipYgfyXtjL6jgS8=";
AllowedIPs = [
"0.0.0.0/0"
"::/0"
];
};
Endpoint = "shenfield-mythic.i.eta.st:51825";
#PublicKey = config.my.vault.secrets.wg-eta-public.path;
PublicKey = "JDelaz8FQBtJBRVd9CMYikO/25gKipYgfyXtjL6jgS8=";
AllowedIPs = [
"0.0.0.0/0"
"::/0"
];
}];
};
"20-br-internal" = {
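Review bot: `tailscaleRule` (third hunk) still matches `FirewallMark` on the exact integer `hexToInt "0x80000"`, which the inline comment already flags as needing Tailscale's `0xff0000` mask; Tailscale applies its mark under that mask and leaves the low 16 bits alone, so a packet that also carried one of this file's low-bit marks (`0xdead`, `0xcafe`) would not compare equal to 0x80000 and would skip this rule, falling through to the later policy rules rather than the table the rule selects. Whether both marks can ever be set on the same packet is not something I can tell from this file, so treat that as a risk to confirm rather than a confirmed bug. If the NixOS module's type check for this field accepts systemd's `mark/mask` string syntax, `FirewallMark = "0x80000/0xff0000";` would resolve the TODO; if it insists on an integer, the comment should say why the mask is omitted. The `let` block that defines these helpers begins before the hunk.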