ops/nixos: change shape of systemd-networkd

Some repeated nested option blocks (`wireguardPeerConfig`, `addressConfig`, `routeConfig`, `routingPolicyRuleConfig`, `ipv6PrefixConfig`, ...) have been flattened one level up into their parent entries.
Luke Granger-Brown 2024-06-09 00:53:59 +01:00
parent 15124057c8
commit 4db9ef0543
8 changed files with 107 additions and 165 deletions


@ -258,24 +258,18 @@ in {
PrivateKeyFile = "/home/ninovpn/wg-priv"; PrivateKeyFile = "/home/ninovpn/wg-priv";
}; };
wireguardPeers = [{ wireguardPeers = [{
wireguardPeerConfig = {
PublicKey = "0WX1QmQaSDavNTAIp5vRsoG+UNXOP1ttZ+2VahoHR0c="; PublicKey = "0WX1QmQaSDavNTAIp5vRsoG+UNXOP1ttZ+2VahoHR0c=";
AllowedIPs = ["10.222.0.2/32"]; AllowedIPs = ["10.222.0.2/32"];
};
} { } {
wireguardPeerConfig = {
PublicKey = "oeRBlP5C3vHc3GDqgRT9F2qly6MAoy1+CjRHsU4F6Bo="; PublicKey = "oeRBlP5C3vHc3GDqgRT9F2qly6MAoy1+CjRHsU4F6Bo=";
AllowedIPs = ["10.222.0.3/32"]; AllowedIPs = ["10.222.0.3/32"];
};
}]; }];
}; };
systemd.network.networks."20-wg0" = { systemd.network.networks."20-wg0" = {
matchConfig.Name = "wg0"; matchConfig.Name = "wg0";
linkConfig.RequiredForOnline = "no"; linkConfig.RequiredForOnline = "no";
addresses = [{ addresses = [{
addressConfig = {
Address = "10.222.0.1/24"; Address = "10.222.0.1/24";
};
}]; }];
}; };
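Review bot: The WireGuard private key for this netdev is still read from `/home/ninovpn/wg-priv`, a path under a login user's home directory, and nothing in the hunk shows how that file's owner or mode is managed. systemd-networkd runs as the `systemd-network` user, so the file has to be readable by that user while not being readable by the home directory's owner or anyone else; a key a login user can read is effectively that user's key, and a key the network daemon cannot read silently leaves the tunnel down. Consider pointing `PrivateKeyFile` at a root-owned file with group `systemd-network` and mode `0640` (for example under `/etc/systemd/network/`), or at a secrets path that is provisioned with those permissions. This is pre-existing rather than introduced by the flattening; the enclosing `systemd.network.netdevs` definition starts before the hunk.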


@ -191,15 +191,12 @@ in
PrivateKeyFile = privateKey; PrivateKeyFile = privateKey;
}; };
wireguardPeers = [{ wireguardPeers = [{
wireguardPeerConfig = lib.mkMerge [{
PublicKey = publicKey; PublicKey = publicKey;
AllowedIPs = [ AllowedIPs = [
"0.0.0.0/0" "0.0.0.0/0"
"::/0" "::/0"
]; ];
} (lib.mkIf (endpoint != null) {
Endpoint = endpoint; Endpoint = endpoint;
})];
}]; }];
}; };
swannWireguard = args: wireguard (args // { swannWireguard = args: wireguard (args // {
@ -253,14 +250,14 @@ in
networks."60-lo" = { networks."60-lo" = {
matchConfig.Name = "lo"; matchConfig.Name = "lo";
addresses = [{ addresses = [{
addressConfig.Address = "127.0.0.1/8"; Address = "127.0.0.1/8";
addressConfig.Scope = "host"; Scope = "host";
} { } {
addressConfig.Address = "::1/128"; Address = "::1/128";
} { } {
addressConfig.Address = "92.118.30.252/32"; Address = "92.118.30.252/32";
} { } {
addressConfig.Address = "2a09:a442:2000::/128"; Address = "2a09:a442:2000::/128";
}]; }];
}; };
}; };
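Review bot: The flattened peer now sets `Endpoint = endpoint;` unconditionally, whereas the removed `lib.mkMerge`/`lib.mkIf (endpoint != null)` form omitted the key when no endpoint was given. For a caller that passes `endpoint = null` (the `wireguard` helper's parameter list is outside the hunk, so whether such callers exist cannot be confirmed here) this will either fail module type checking or render an empty `Endpoint=` line, depending on how the networkd module treats null values; either way it is a behaviour change the commit message does not mention. The guard can be kept without the deprecated sub-attribute by merging the key in conditionally, e.g. `} // lib.optionalAttrs (endpoint != null) { Endpoint = endpoint; })];` as the closing line of the peer. The same helper is duplicated in a second file in this commit and should get the same treatment.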


@ -19,10 +19,10 @@
"fe80::f00f/64" "fe80::f00f/64"
]; ];
networkConfig.IPv6SendRA = true; networkConfig.IPv6SendRA = true;
ipv6Prefixes = [{ ipv6PrefixConfig = { ipv6Prefixes = [{
Prefix = "2a09:a441:0:ffff::/64"; Prefix = "2a09:a441:0:ffff::/64";
Assign = true; Assign = true;
}; }]; }];
}; };
systemd.network.netdevs."40-br-mgmt" = { systemd.network.netdevs."40-br-mgmt" = {


@ -152,10 +152,8 @@
}; };
wireguardPeers = [{ wireguardPeers = [{
wireguardPeerConfig = {
PublicKey = depot.ops.secrets.wireguard.quadv1.quadv.publicKey; PublicKey = depot.ops.secrets.wireguard.quadv1.quadv.publicKey;
AllowedIPs = "0.0.0.0/0,::/0"; AllowedIPs = "0.0.0.0/0,::/0";
};
}]; }];
}; };
systemd.network.networks.quadv1 = { systemd.network.networks.quadv1 = {
@ -163,10 +161,8 @@
networkConfig.Address = "169.254.111.0/31"; networkConfig.Address = "169.254.111.0/31";
routes = [{ routes = [{
routeConfig = {
Gateway = "169.254.111.1"; Gateway = "169.254.111.1";
Destination = "92.118.31.0/24"; Destination = "92.118.31.0/24";
};
}]; }];
}; };
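Review bot: `AllowedIPs = "0.0.0.0/0,::/0";` is written as a single comma-joined string here, while every other WireGuard peer touched by this commit uses the list form. systemd-networkd documents `AllowedIPs=` as a comma-separated list, so this does work, but the list form is what the module renders as repeated keys and is easier to extend or grep for; consider `AllowedIPs = [ "0.0.0.0/0" "::/0" ];` for consistency. The enclosing netdev definition starts before the hunk.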


@ -87,14 +87,10 @@ in
IPv6SendRA = true; IPv6SendRA = true;
}; };
ipv6Prefixes = [{ ipv6Prefixes = [{
ipv6PrefixConfig = {
Prefix = "2a09:a443:ee::/64"; Prefix = "2a09:a443:ee::/64";
};
}]; }];
ipv6RoutePrefixes = [{ ipv6RoutePrefixes = [{
ipv6RoutePrefixConfig = {
Route = "::/0"; Route = "::/0";
};
}]; }];
dhcpServerConfig = { dhcpServerConfig = {
PoolOffset = 100; PoolOffset = 100;


@ -49,11 +49,9 @@
RouteMetric = 512; RouteMetric = 512;
}; };
routes = [{ routes = [{
routeConfig = {
Gateway = "10.0.0.1"; Gateway = "10.0.0.1";
Destination = "0.0.0.0/0"; Destination = "0.0.0.0/0";
Metric = 512; Metric = 512;
};
}]; }];
}; };
}; };


@ -95,15 +95,12 @@
PrivateKeyFile = privateKey; PrivateKeyFile = privateKey;
}; };
wireguardPeers = [{ wireguardPeers = [{
wireguardPeerConfig = lib.mkMerge [{
PublicKey = publicKey; PublicKey = publicKey;
AllowedIPs = [ AllowedIPs = [
"0.0.0.0/0" "0.0.0.0/0"
"::/0" "::/0"
]; ];
} (lib.mkIf (endpoint != null) {
Endpoint = endpoint; Endpoint = endpoint;
})];
}]; }];
}; };
swannWireguard = args: wireguard (args // { swannWireguard = args: wireguard (args // {
@ -199,11 +196,11 @@
"1.1.1.1" "1.1.1.1"
]; ];
networkConfig.DNSDefaultRoute = true; networkConfig.DNSDefaultRoute = true;
routes = [{ routeConfig = { routes = [{
Gateway = "195.74.55.20"; Gateway = "195.74.55.20";
}; } { routeConfig = { } {
Gateway = "2a03:ee40:8080:9:1::1"; Gateway = "2a03:ee40:8080:9:1::1";
}; }]; }];
}; };
netdevs."20-vl-velox2" = { netdevs."20-vl-velox2" = {
netdevConfig = { netdevConfig = {
@ -229,11 +226,11 @@
"1.1.1.1" "1.1.1.1"
]; ];
networkConfig.DNSDefaultRoute = true; networkConfig.DNSDefaultRoute = true;
routes = [{ routeConfig = { routes = [{
Gateway = "195.74.55.22"; Gateway = "195.74.55.22";
}; } { routeConfig = { } {
Gateway = "2a03:ee40:8080:9:2::1"; Gateway = "2a03:ee40:8080:9:2::1";
}; }]; }];
}; };
netdevs."20-vl-linx" = { netdevs."20-vl-linx" = {
netdevConfig = { netdevConfig = {
@ -264,14 +261,14 @@
networks."60-lo" = { networks."60-lo" = {
matchConfig.Name = "lo"; matchConfig.Name = "lo";
addresses = [{ addresses = [{
addressConfig.Address = "127.0.0.1/8"; Address = "127.0.0.1/8";
addressConfig.Scope = "host"; Scope = "host";
} { } {
addressConfig.Address = "::1/128"; Address = "::1/128";
} { } {
addressConfig.Address = "92.118.30.251/32"; Address = "92.118.30.251/32";
} { } {
addressConfig.Address = "2a09:a442:1000::/128"; Address = "2a09:a442:1000::/128";
}]; }];
}; };
}; };
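Review bot: As in the sibling file, the `wireguard` helper's peer drops the `lib.mkIf (endpoint != null)` guard and now emits `Endpoint = endpoint;` for every caller, so an `endpoint = null` argument (the helper's signature is outside the hunk) is no longer silently omitted. If null callers exist, merge the key conditionally instead, e.g. `} // lib.optionalAttrs (endpoint != null) { Endpoint = endpoint; })];`. Since this helper and `swannWireguard` are byte-identical to the ones in the other file, consider hoisting them into a shared module so the two copies cannot drift.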


@ -102,12 +102,10 @@ in {
dhcpV4Config.RouteTable = rtID; dhcpV4Config.RouteTable = rtID;
ipv6AcceptRAConfig.RouteTable = rtID; ipv6AcceptRAConfig.RouteTable = rtID;
routingPolicyRules = [{ routingPolicyRules = [{
routingPolicyRuleConfig = {
Family = "both"; Family = "both";
FirewallMark = hexToInt wireguardFwmark; FirewallMark = hexToInt wireguardFwmark;
Priority = 10000; Priority = 10000;
Table = rtID; Table = rtID;
};
}] ++ extraRules; }] ++ extraRules;
}; };
wireguardNetwork = { linkName, relativePriority, rtID, v4Linknet, v6Linknet }: { wireguardNetwork = { linkName, relativePriority, rtID, v4Linknet, v6Linknet }: {
@ -124,29 +122,21 @@ in {
"${builtins.elemAt pieces 0}${lib.toHexString (fn (hexToInt "0x${builtins.elemAt pieces 2}"))}"; "${builtins.elemAt pieces 0}${lib.toHexString (fn (hexToInt "0x${builtins.elemAt pieces 2}"))}";
in [ in [
{ {
routeConfig = {
Destination = "${v4Linknet}/31"; Destination = "${v4Linknet}/31";
Table = rtID; Table = rtID;
};
} }
{ {
routeConfig = {
Gateway = replaceV4Octet v4Linknet (n: n + 1); Gateway = replaceV4Octet v4Linknet (n: n + 1);
Table = rtID; Table = rtID;
};
} }
{ {
routeConfig = {
Destination = "${replaceV6Octet v6Linknet (n: 0)}/112"; Destination = "${replaceV6Octet v6Linknet (n: 0)}/112";
Table = rtID; Table = rtID;
};
} }
{ {
routeConfig = {
Gateway = replaceV6Octet v6Linknet (n: n + 1); Gateway = replaceV6Octet v6Linknet (n: n + 1);
Table = rtID; Table = rtID;
};
} }
]; ];
@ -162,32 +152,26 @@ in {
# Allow picking destination by source IP. # Allow picking destination by source IP.
{ {
routingPolicyRuleConfig = {
Family = "ipv4"; Family = "ipv4";
From = v4Linknet; From = v4Linknet;
Priority = 10010; Priority = 10010;
Table = rtID; Table = rtID;
};
} }
{ {
routingPolicyRuleConfig = {
Family = "ipv6"; Family = "ipv6";
From = v6Linknet; From = v6Linknet;
Priority = 10010; Priority = 10010;
Table = rtID; Table = rtID;
};
} }
]; ];
}; };
tailscaleRule = priority: table: { tailscaleRule = priority: table: {
# Route Tailscale (fwmark 0x80000) via Wireguard first. # Route Tailscale (fwmark 0x80000) via Wireguard first.
routingPolicyRuleConfig = {
Family = "both"; Family = "both";
FirewallMark = hexToInt "0x80000"; # Should be "0x80000/0xff0000" FirewallMark = hexToInt "0x80000"; # Should be "0x80000/0xff0000"
Priority = priority; Priority = priority;
Table = table; Table = table;
}; };
};
in let in let
routeTables = { routeTables = {
bgp = 150; bgp = 150;
@ -240,20 +224,16 @@ in {
networks."40-lo" = { networks."40-lo" = {
routingPolicyRules = let routingPolicyRules = let
viaMain = priority: to: { viaMain = priority: to: {
routingPolicyRuleConfig = {
To = to; To = to;
Table = "main"; Table = "main";
Priority = priority; Priority = priority;
}; };
};
blackhole = fwmark: { blackhole = fwmark: {
routingPolicyRuleConfig = {
Family = "both"; Family = "both";
FirewallMark = hexToInt fwmark; FirewallMark = hexToInt fwmark;
Priority = 10001; Priority = 10001;
Type = "unreachable"; Type = "unreachable";
}; };
};
in [ in [
(tailscaleRule 5000 150) (tailscaleRule 5000 150)
@ -274,50 +254,38 @@ in {
{ {
# Catch-all "go via WG" # Catch-all "go via WG"
routingPolicyRuleConfig = {
Family = "both"; Family = "both";
Priority = 10080; Priority = 10080;
Table = routeTables.bgp; Table = routeTables.bgp;
};
} }
]; ];
}; };
networks."40-en-ee" = (physicalNetwork routeTables.ee "0xdead" [{ networks."40-en-ee" = (physicalNetwork routeTables.ee "0xdead" [{
routingPolicyRuleConfig = {
# add-on.ee.co.uk goes via EE. # add-on.ee.co.uk goes via EE.
To = "82.192.97.153/32"; To = "82.192.97.153/32";
Table = routeTables.ee; Table = routeTables.ee;
Priority = 10031; Priority = 10031;
};
} { } {
routingPolicyRuleConfig = {
# as does anything from 10.42.0.0/24. # as does anything from 10.42.0.0/24.
From = "10.42.0.0/24"; From = "10.42.0.0/24";
Table = routeTables.ee; Table = routeTables.ee;
Priority = 10031; Priority = 10031;
};
}]) // { }]) // {
linkConfig.RequiredForOnline = "no"; linkConfig.RequiredForOnline = "no";
routes = [{ routes = [{
routeConfig = {
Gateway = "10.42.0.1"; Gateway = "10.42.0.1";
Destination = "0.0.0.0/0"; Destination = "0.0.0.0/0";
Table = routeTables.ee; Table = routeTables.ee;
};
} { } {
routeConfig = {
Destination = "10.42.0.0/24"; Destination = "10.42.0.0/24";
Table = routeTables.ee; Table = routeTables.ee;
};
}]; }];
}; };
networks."40-en-gnet" = (physicalNetwork routeTables.gnet "0xcafe" [{ networks."40-en-gnet" = (physicalNetwork routeTables.gnet "0xcafe" [{
# Catch-all mop-up rule at the end. # Catch-all mop-up rule at the end.
routingPolicyRuleConfig = {
Family = "both"; Family = "both";
Priority = 32768; Priority = 32768;
Table = routeTables.gnet; Table = routeTables.gnet;
};
}]); }]);
networks."40-br-internal" = { networks."40-br-internal" = {
networkConfig.VLAN = [ "vl-eduroam" ]; networkConfig.VLAN = [ "vl-eduroam" ];
@ -345,14 +313,12 @@ in {
RouteTable = "off"; RouteTable = "off";
}; };
wireguardPeers = [{ wireguardPeers = [{
wireguardPeerConfig = {
Endpoint = endpoint; Endpoint = endpoint;
PublicKey = publicKey; PublicKey = publicKey;
AllowedIPs = [ AllowedIPs = [
"0.0.0.0/0" "0.0.0.0/0"
"::/0" "::/0"
]; ];
};
}]; }];
}; };
rexxarWireguard = args: wireguard (args // { rexxarWireguard = args: wireguard (args // {
@ -403,7 +369,6 @@ in {
FirewallMark = hexToInt "0xcafe"; # over gnet FirewallMark = hexToInt "0xcafe"; # over gnet
}; };
wireguardPeers = [{ wireguardPeers = [{
wireguardPeerConfig = {
Endpoint = "shenfield-mythic.i.eta.st:51825"; Endpoint = "shenfield-mythic.i.eta.st:51825";
#PublicKey = config.my.vault.secrets.wg-eta-public.path; #PublicKey = config.my.vault.secrets.wg-eta-public.path;
PublicKey = "JDelaz8FQBtJBRVd9CMYikO/25gKipYgfyXtjL6jgS8="; PublicKey = "JDelaz8FQBtJBRVd9CMYikO/25gKipYgfyXtjL6jgS8=";
@ -411,7 +376,6 @@ in {
"0.0.0.0/0" "0.0.0.0/0"
"::/0" "::/0"
]; ];
};
}]; }];
}; };
"20-br-internal" = { "20-br-internal" = {
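Review bot: The policy-rule chain in `networks."40-lo"` appears to fail open: the catch-all "go via WG" rule at priority 10080 sends all traffic to `routeTables.bgp`, but when that table has no matching route (tunnel down, BGP session gone) the lookup continues and the `40-en-gnet` mop-up rule at priority 32768 routes the packet out via `gnet` unencrypted. The rules between the `tailscaleRule` entry and the 10080 catch-all are cut from the hunk, so this may already be covered; if it is not, a rule such as `{ Family = "both"; Priority = 10081; Type = "unreachable"; }` directly after the catch-all would make a missing tunnel route fail closed, in the same way the `blackhole` helper already does per fwmark, at the cost of the 32768 mop-up only being reached by lookups the earlier rules skip. Separately, the comment on `tailscaleRule` already admits `FirewallMark` should be `0x80000/0xff0000`; matching the bare value means a Tailscale packet whose mark also carries other bits would miss this rule, and whether the module version in use accepts the `mark/mask` string form for `FirewallMark` is worth checking rather than leaving as a comment.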