From 4db9ef054371604283efa1d2e720b0d71578b498 Mon Sep 17 00:00:00 2001 From: Luke Granger-Brown Date: Sun, 9 Jun 2024 00:53:59 +0100 Subject: [PATCH] ops/nixos: change shape of systemd-networkd some repeated things have moved up --- ops/nixos/bvm-netbox/default.nix | 16 +-- ops/nixos/cofractal-ams01/default.nix | 25 ++-- ops/nixos/cofractal-ams01/vm-bridge.nix | 4 +- ops/nixos/etheroute-lon01/default.nix | 12 +- ops/nixos/kerrigan/default.nix | 8 +- ops/nixos/oracle-lon01/default.nix | 8 +- ops/nixos/rexxar/default.nix | 37 +++--- ops/nixos/swann/default.nix | 162 +++++++++--------------- 8 files changed, 107 insertions(+), 165 deletions(-) diff --git a/ops/nixos/bvm-netbox/default.nix b/ops/nixos/bvm-netbox/default.nix index 1866d7bd3e..2fe62f503f 100644 --- a/ops/nixos/bvm-netbox/default.nix +++ b/ops/nixos/bvm-netbox/default.nix @@ -258,24 +258,18 @@ in { PrivateKeyFile = "/home/ninovpn/wg-priv"; }; wireguardPeers = [{ - wireguardPeerConfig = { - PublicKey = "0WX1QmQaSDavNTAIp5vRsoG+UNXOP1ttZ+2VahoHR0c="; - AllowedIPs = ["10.222.0.2/32"]; - }; + PublicKey = "0WX1QmQaSDavNTAIp5vRsoG+UNXOP1ttZ+2VahoHR0c="; + AllowedIPs = ["10.222.0.2/32"]; } { - wireguardPeerConfig = { - PublicKey = "oeRBlP5C3vHc3GDqgRT9F2qly6MAoy1+CjRHsU4F6Bo="; - AllowedIPs = ["10.222.0.3/32"]; - }; + PublicKey = "oeRBlP5C3vHc3GDqgRT9F2qly6MAoy1+CjRHsU4F6Bo="; + AllowedIPs = ["10.222.0.3/32"]; }]; }; systemd.network.networks."20-wg0" = { matchConfig.Name = "wg0"; linkConfig.RequiredForOnline = "no"; addresses = [{ - addressConfig = { - Address = "10.222.0.1/24"; - }; + Address = "10.222.0.1/24"; }]; }; diff --git a/ops/nixos/cofractal-ams01/default.nix b/ops/nixos/cofractal-ams01/default.nix index dd39ddf493..7c4c31b63a 100644 --- a/ops/nixos/cofractal-ams01/default.nix +++ b/ops/nixos/cofractal-ams01/default.nix 
@@ -191,15 +191,12 @@ in PrivateKeyFile = privateKey; }; wireguardPeers = [{ - wireguardPeerConfig = lib.mkMerge [{ - PublicKey = publicKey; - AllowedIPs = [ - "0.0.0.0/0" - "::/0" - ]; - } (lib.mkIf (endpoint != null) { - Endpoint = endpoint; - })]; + PublicKey = publicKey; + AllowedIPs = [ + "0.0.0.0/0" + "::/0" + ]; + Endpoint = endpoint; }]; }; swannWireguard = args: wireguard (args // { @@ -253,14 +250,14 @@ in networks."60-lo" = { matchConfig.Name = "lo"; addresses = [{ - addressConfig.Address = "127.0.0.1/8"; - addressConfig.Scope = "host"; + Address = "127.0.0.1/8"; + Scope = "host"; } { - addressConfig.Address = "::1/128"; + Address = "::1/128"; } { - addressConfig.Address = "92.118.30.252/32"; + Address = "92.118.30.252/32"; } { - addressConfig.Address = "2a09:a442:2000::/128"; + Address = "2a09:a442:2000::/128"; }]; }; }; diff --git a/ops/nixos/cofractal-ams01/vm-bridge.nix b/ops/nixos/cofractal-ams01/vm-bridge.nix index f6dff14892..48f5b9bbcc 100644 --- a/ops/nixos/cofractal-ams01/vm-bridge.nix +++ b/ops/nixos/cofractal-ams01/vm-bridge.nix @@ -19,10 +19,10 @@ "fe80::f00f/64" ]; networkConfig.IPv6SendRA = true; - ipv6Prefixes = [{ ipv6PrefixConfig = { + ipv6Prefixes = [{ Prefix = "2a09:a441:0:ffff::/64"; Assign = true; - }; }]; + }]; }; systemd.network.netdevs."40-br-mgmt" = { diff --git a/ops/nixos/etheroute-lon01/default.nix b/ops/nixos/etheroute-lon01/default.nix index 67f01501c5..ac37c90fa7 100644 --- a/ops/nixos/etheroute-lon01/default.nix +++ b/ops/nixos/etheroute-lon01/default.nix @@ -152,10 +152,8 @@ }; wireguardPeers = [{ - wireguardPeerConfig = { - PublicKey = depot.ops.secrets.wireguard.quadv1.quadv.publicKey; - AllowedIPs = "0.0.0.0/0,::/0"; - }; + PublicKey = depot.ops.secrets.wireguard.quadv1.quadv.publicKey; + AllowedIPs = "0.0.0.0/0,::/0"; }]; }; systemd.network.networks.quadv1 = { 
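Review bot: The new `Endpoint = endpoint;` in the wireguardPeers entry is set unconditionally, whereas the removed `lib.mkIf (endpoint != null)` wrapper only emitted it when an endpoint was configured; if any caller of `wireguard` still passes a null endpoint (its parameter list is outside this hunk, so I cannot confirm the default), the peer now carries a null `Endpoint` definition, which is not obviously equivalent to omitting the key for a responder-only peer. Keeping the guard is a one-line change that works inside an `attrsOf` value: `Endpoint = lib.mkIf (endpoint != null) endpoint;`. The same unconditional assignment appears in the rexxar hunk at `@@ -95,15 +95,12 @@`.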
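Review bot: `AllowedIPs = "0.0.0.0/0,::/0";` on the new side of the etheroute-lon01 hunk is the only peer in this patch that spells the allowed prefixes as one comma-separated string; the cofractal, rexxar and swann peers use the list form. Since the commit is already normalising the shape of these entries, writing it as `AllowedIPs = [ "0.0.0.0/0" "::/0" ];` keeps the hosts consistent and lets a prefix be added without editing a string literal. The enclosing wireguard netdev definition starts before this hunk.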
@@ -163,10 +161,8 @@ networkConfig.Address = "169.254.111.0/31"; routes = [{ - routeConfig = { - Gateway = "169.254.111.1"; - Destination = "92.118.31.0/24"; - }; + Gateway = "169.254.111.1"; + Destination = "92.118.31.0/24"; }]; }; diff --git a/ops/nixos/kerrigan/default.nix b/ops/nixos/kerrigan/default.nix index a2d8d9d94c..7e1191d460 100644 --- a/ops/nixos/kerrigan/default.nix +++ b/ops/nixos/kerrigan/default.nix @@ -87,14 +87,10 @@ in IPv6SendRA = true; }; ipv6Prefixes = [{ - ipv6PrefixConfig = { - Prefix = "2a09:a443:ee::/64"; - }; + Prefix = "2a09:a443:ee::/64"; }]; ipv6RoutePrefixes = [{ - ipv6RoutePrefixConfig = { - Route = "::/0"; - }; + Route = "::/0"; }]; dhcpServerConfig = { PoolOffset = 100; diff --git a/ops/nixos/oracle-lon01/default.nix b/ops/nixos/oracle-lon01/default.nix index b424d549d9..c29affd4a9 100644 --- a/ops/nixos/oracle-lon01/default.nix +++ b/ops/nixos/oracle-lon01/default.nix @@ -49,11 +49,9 @@ RouteMetric = 512; }; routes = [{ - routeConfig = { - Gateway = "10.0.0.1"; - Destination = "0.0.0.0/0"; - Metric = 512; - }; + Gateway = "10.0.0.1"; + Destination = "0.0.0.0/0"; + Metric = 512; }]; }; }; diff --git a/ops/nixos/rexxar/default.nix b/ops/nixos/rexxar/default.nix index 3dbddbd530..37d9f104ad 100644 --- a/ops/nixos/rexxar/default.nix +++ b/ops/nixos/rexxar/default.nix @@ -95,15 +95,12 @@ PrivateKeyFile = privateKey; }; wireguardPeers = [{ - wireguardPeerConfig = lib.mkMerge [{ - PublicKey = publicKey; - AllowedIPs = [ - "0.0.0.0/0" - "::/0" - ]; - } (lib.mkIf (endpoint != null) { - Endpoint = endpoint; - })]; + PublicKey = publicKey; + AllowedIPs = [ + "0.0.0.0/0" + "::/0" + ]; + Endpoint = endpoint; }]; }; swannWireguard = args: wireguard (args // { @@ -199,11 +196,11 @@ "1.1.1.1" ]; networkConfig.DNSDefaultRoute = true; - routes = [{ routeConfig = { + routes = [{ Gateway = "195.74.55.20"; - }; } { routeConfig = { + } { Gateway = "2a03:ee40:8080:9:1::1"; - }; }]; + }]; }; netdevs."20-vl-velox2" = { netdevConfig = { 
@@ -229,11 +226,11 @@ "1.1.1.1" ]; networkConfig.DNSDefaultRoute = true; - routes = [{ routeConfig = { + routes = [{ Gateway = "195.74.55.22"; - }; } { routeConfig = { + } { Gateway = "2a03:ee40:8080:9:2::1"; - }; }]; + }]; }; netdevs."20-vl-linx" = { netdevConfig = { @@ -264,14 +261,14 @@ networks."60-lo" = { matchConfig.Name = "lo"; addresses = [{ - addressConfig.Address = "127.0.0.1/8"; - addressConfig.Scope = "host"; + Address = "127.0.0.1/8"; + Scope = "host"; } { - addressConfig.Address = "::1/128"; + Address = "::1/128"; } { - addressConfig.Address = "92.118.30.251/32"; + Address = "92.118.30.251/32"; } { - addressConfig.Address = "2a09:a442:1000::/128"; + Address = "2a09:a442:1000::/128"; }]; }; }; diff --git a/ops/nixos/swann/default.nix b/ops/nixos/swann/default.nix index 99bfdae14f..0b9ae8685e 100644 --- a/ops/nixos/swann/default.nix +++ b/ops/nixos/swann/default.nix @@ -102,12 +102,10 @@ in { dhcpV4Config.RouteTable = rtID; ipv6AcceptRAConfig.RouteTable = rtID; routingPolicyRules = [{ - routingPolicyRuleConfig = { - Family = "both"; - FirewallMark = hexToInt wireguardFwmark; - Priority = 10000; - Table = rtID; - }; + Family = "both"; + FirewallMark = hexToInt wireguardFwmark; + Priority = 10000; + Table = rtID; }] ++ extraRules; }; wireguardNetwork = { linkName, relativePriority, rtID, v4Linknet, v6Linknet }: { 
@@ -124,29 +122,21 @@ in { "${builtins.elemAt pieces 0}${lib.toHexString (fn (hexToInt "0x${builtins.elemAt pieces 2}"))}"; in [ { - routeConfig = { - Destination = "${v4Linknet}/31"; - Table = rtID; - }; + Destination = "${v4Linknet}/31"; + Table = rtID; } { - routeConfig = { - Gateway = replaceV4Octet v4Linknet (n: n + 1); - Table = rtID; - }; + Gateway = replaceV4Octet v4Linknet (n: n + 1); + Table = rtID; } { - routeConfig = { - Destination = "${replaceV6Octet v6Linknet (n: 0)}/112"; - Table = rtID; - }; + Destination = "${replaceV6Octet v6Linknet (n: 0)}/112"; + Table = rtID; } { - routeConfig = { - Gateway = replaceV6Octet v6Linknet (n: n + 1); - Table = rtID; - }; + Gateway = replaceV6Octet v6Linknet (n: n + 1); + Table = rtID; } ]; @@ -162,31 +152,25 @@ in { # Allow picking destination by source IP. { - routingPolicyRuleConfig = { - Family = "ipv4"; - From = v4Linknet; - Priority = 10010; - Table = rtID; - }; + Family = "ipv4"; + From = v4Linknet; + Priority = 10010; + Table = rtID; } { - routingPolicyRuleConfig = { - Family = "ipv6"; - From = v6Linknet; - Priority = 10010; - Table = rtID; - }; + Family = "ipv6"; + From = v6Linknet; + Priority = 10010; + Table = rtID; } ]; }; tailscaleRule = priority: table: { # Route Tailscale (fwmark 0x80000) via Wireguard first. - routingPolicyRuleConfig = { - Family = "both"; - FirewallMark = hexToInt "0x80000"; # Should be "0x80000/0xff0000" - Priority = priority; - Table = table; - }; + Family = "both"; + FirewallMark = hexToInt "0x80000"; # Should be "0x80000/0xff0000" + Priority = priority; + Table = table; }; in let routeTables = { 
@@ -240,19 +224,15 @@ in { networks."40-lo" = { routingPolicyRules = let viaMain = priority: to: { - routingPolicyRuleConfig = { - To = to; - Table = "main"; - Priority = priority; - }; + To = to; + Table = "main"; + Priority = priority; }; blackhole = fwmark: { - routingPolicyRuleConfig = { - Family = "both"; - FirewallMark = hexToInt fwmark; - Priority = 10001; - Type = "unreachable"; - }; + Family = "both"; + FirewallMark = hexToInt fwmark; + Priority = 10001; + Type = "unreachable"; }; in [ (tailscaleRule 5000 150) 
@@ -274,50 +254,38 @@ in { { # Catch-all "go via WG" - routingPolicyRuleConfig = { - Family = "both"; - Priority = 10080; - Table = routeTables.bgp; - }; + Family = "both"; + Priority = 10080; + Table = routeTables.bgp; } ]; }; networks."40-en-ee" = (physicalNetwork routeTables.ee "0xdead" [{ - routingPolicyRuleConfig = { - # add-on.ee.co.uk goes via EE. - To = "82.192.97.153/32"; - Table = routeTables.ee; - Priority = 10031; - }; + # add-on.ee.co.uk goes via EE. + To = "82.192.97.153/32"; + Table = routeTables.ee; + Priority = 10031; } { - routingPolicyRuleConfig = { - # as does anything from 10.42.0.0/24. - From = "10.42.0.0/24"; - Table = routeTables.ee; - Priority = 10031; - }; + # as does anything from 10.42.0.0/24. + From = "10.42.0.0/24"; + Table = routeTables.ee; + Priority = 10031; }]) // { linkConfig.RequiredForOnline = "no"; routes = [{ - routeConfig = { - Gateway = "10.42.0.1"; - Destination = "0.0.0.0/0"; - Table = routeTables.ee; - }; + Gateway = "10.42.0.1"; + Destination = "0.0.0.0/0"; + Table = routeTables.ee; } { - routeConfig = { - Destination = "10.42.0.0/24"; - Table = routeTables.ee; - }; + Destination = "10.42.0.0/24"; + Table = routeTables.ee; }]; }; networks."40-en-gnet" = (physicalNetwork routeTables.gnet "0xcafe" [{ # Catch-all mop-up rule at the end. - routingPolicyRuleConfig = { - Family = "both"; - Priority = 32768; - Table = routeTables.gnet; - }; + Family = "both"; + Priority = 32768; + Table = routeTables.gnet; }]); networks."40-br-internal" = { networkConfig.VLAN = [ "vl-eduroam" ]; @@ -345,14 +313,12 @@ in { RouteTable = "off"; }; wireguardPeers = [{ - wireguardPeerConfig = { - Endpoint = endpoint; - PublicKey = publicKey; - AllowedIPs = [ - "0.0.0.0/0" - "::/0" - ]; - }; + Endpoint = endpoint; + PublicKey = publicKey; + AllowedIPs = [ + "0.0.0.0/0" + "::/0" + ]; }]; }; rexxarWireguard = args: wireguard (args // { 
@@ -403,15 +369,13 @@ in { FirewallMark = hexToInt "0xcafe"; # over gnet }; wireguardPeers = [{ - wireguardPeerConfig = { - Endpoint = "shenfield-mythic.i.eta.st:51825"; - #PublicKey = config.my.vault.secrets.wg-eta-public.path; - PublicKey = "JDelaz8FQBtJBRVd9CMYikO/25gKipYgfyXtjL6jgS8="; - AllowedIPs = [ - "0.0.0.0/0" - "::/0" - ]; - }; + Endpoint = "shenfield-mythic.i.eta.st:51825"; + #PublicKey = config.my.vault.secrets.wg-eta-public.path; + PublicKey = "JDelaz8FQBtJBRVd9CMYikO/25gKipYgfyXtjL6jgS8="; + AllowedIPs = [ + "0.0.0.0/0" + "::/0" + ]; }]; }; "20-br-internal" = {