ops/nixos: change shape of systemd-networkd

some repeated things have moved up
Luke Granger-Brown 2024-06-09 00:53:59 +01:00
parent 15124057c8
commit 4db9ef0543
8 changed files with 107 additions and 165 deletions


@ -258,24 +258,18 @@ in {
PrivateKeyFile = "/home/ninovpn/wg-priv"; PrivateKeyFile = "/home/ninovpn/wg-priv";
}; };
wireguardPeers = [{ wireguardPeers = [{
wireguardPeerConfig = { PublicKey = "0WX1QmQaSDavNTAIp5vRsoG+UNXOP1ttZ+2VahoHR0c=";
PublicKey = "0WX1QmQaSDavNTAIp5vRsoG+UNXOP1ttZ+2VahoHR0c="; AllowedIPs = ["10.222.0.2/32"];
AllowedIPs = ["10.222.0.2/32"];
};
} { } {
wireguardPeerConfig = { PublicKey = "oeRBlP5C3vHc3GDqgRT9F2qly6MAoy1+CjRHsU4F6Bo=";
PublicKey = "oeRBlP5C3vHc3GDqgRT9F2qly6MAoy1+CjRHsU4F6Bo="; AllowedIPs = ["10.222.0.3/32"];
AllowedIPs = ["10.222.0.3/32"];
};
}]; }];
}; };
systemd.network.networks."20-wg0" = { systemd.network.networks."20-wg0" = {
matchConfig.Name = "wg0"; matchConfig.Name = "wg0";
linkConfig.RequiredForOnline = "no"; linkConfig.RequiredForOnline = "no";
addresses = [{ addresses = [{
addressConfig = { Address = "10.222.0.1/24";
Address = "10.222.0.1/24";
};
}]; }];
}; };


@ -191,15 +191,12 @@ in
PrivateKeyFile = privateKey; PrivateKeyFile = privateKey;
}; };
wireguardPeers = [{ wireguardPeers = [{
wireguardPeerConfig = lib.mkMerge [{ PublicKey = publicKey;
PublicKey = publicKey; AllowedIPs = [
AllowedIPs = [ "0.0.0.0/0"
"0.0.0.0/0" "::/0"
"::/0" ];
]; Endpoint = endpoint;
} (lib.mkIf (endpoint != null) {
Endpoint = endpoint;
})];
}]; }];
}; };
swannWireguard = args: wireguard (args // { swannWireguard = args: wireguard (args // {
@ -253,14 +250,14 @@ in
networks."60-lo" = { networks."60-lo" = {
matchConfig.Name = "lo"; matchConfig.Name = "lo";
addresses = [{ addresses = [{
addressConfig.Address = "127.0.0.1/8"; Address = "127.0.0.1/8";
addressConfig.Scope = "host"; Scope = "host";
} { } {
addressConfig.Address = "::1/128"; Address = "::1/128";
} { } {
addressConfig.Address = "92.118.30.252/32"; Address = "92.118.30.252/32";
} { } {
addressConfig.Address = "2a09:a442:2000::/128"; Address = "2a09:a442:2000::/128";
}]; }];
}; };
}; };
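Review bot: The flattened peer in the first hunk (`Endpoint = endpoint;`) drops the `lib.mkIf (endpoint != null)` guard that the old `lib.mkMerge` form carried, so a caller that passes `endpoint = null` now puts a null `Endpoint` into the peer section instead of omitting it; I cannot tell from here whether the new list-element option type tolerates null, but either an evaluation error or an empty `Endpoint=` in the generated netdev is a behaviour change the commit message does not mention. Because the peer is a plain list element now, `mkIf` no longer applies; the equivalent is `wireguardPeers = [({` … `} // lib.optionalAttrs (endpoint != null) { Endpoint = endpoint; })];` with the unconditional `Endpoint = endpoint;` line removed. The enclosing `wireguard` helper starts outside the hunk, so its parameter defaults (whether `endpoint` can be null at all) are not visible here. The same guard is dropped in the identical hunk of the later file section (`@ -95,15 +95,12 @@`).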


@ -19,10 +19,10 @@
"fe80::f00f/64" "fe80::f00f/64"
]; ];
networkConfig.IPv6SendRA = true; networkConfig.IPv6SendRA = true;
ipv6Prefixes = [{ ipv6PrefixConfig = { ipv6Prefixes = [{
Prefix = "2a09:a441:0:ffff::/64"; Prefix = "2a09:a441:0:ffff::/64";
Assign = true; Assign = true;
}; }]; }];
}; };
systemd.network.netdevs."40-br-mgmt" = { systemd.network.netdevs."40-br-mgmt" = {


@ -152,10 +152,8 @@
}; };
wireguardPeers = [{ wireguardPeers = [{
wireguardPeerConfig = { PublicKey = depot.ops.secrets.wireguard.quadv1.quadv.publicKey;
PublicKey = depot.ops.secrets.wireguard.quadv1.quadv.publicKey; AllowedIPs = "0.0.0.0/0,::/0";
AllowedIPs = "0.0.0.0/0,::/0";
};
}]; }];
}; };
systemd.network.networks.quadv1 = { systemd.network.networks.quadv1 = {
@ -163,10 +161,8 @@
networkConfig.Address = "169.254.111.0/31"; networkConfig.Address = "169.254.111.0/31";
routes = [{ routes = [{
routeConfig = { Gateway = "169.254.111.1";
Gateway = "169.254.111.1"; Destination = "92.118.31.0/24";
Destination = "92.118.31.0/24";
};
}]; }];
}; };


@ -87,14 +87,10 @@ in
IPv6SendRA = true; IPv6SendRA = true;
}; };
ipv6Prefixes = [{ ipv6Prefixes = [{
ipv6PrefixConfig = { Prefix = "2a09:a443:ee::/64";
Prefix = "2a09:a443:ee::/64";
};
}]; }];
ipv6RoutePrefixes = [{ ipv6RoutePrefixes = [{
ipv6RoutePrefixConfig = { Route = "::/0";
Route = "::/0";
};
}]; }];
dhcpServerConfig = { dhcpServerConfig = {
PoolOffset = 100; PoolOffset = 100;


@ -49,11 +49,9 @@
RouteMetric = 512; RouteMetric = 512;
}; };
routes = [{ routes = [{
routeConfig = { Gateway = "10.0.0.1";
Gateway = "10.0.0.1"; Destination = "0.0.0.0/0";
Destination = "0.0.0.0/0"; Metric = 512;
Metric = 512;
};
}]; }];
}; };
}; };


@ -95,15 +95,12 @@
PrivateKeyFile = privateKey; PrivateKeyFile = privateKey;
}; };
wireguardPeers = [{ wireguardPeers = [{
wireguardPeerConfig = lib.mkMerge [{ PublicKey = publicKey;
PublicKey = publicKey; AllowedIPs = [
AllowedIPs = [ "0.0.0.0/0"
"0.0.0.0/0" "::/0"
"::/0" ];
]; Endpoint = endpoint;
} (lib.mkIf (endpoint != null) {
Endpoint = endpoint;
})];
}]; }];
}; };
swannWireguard = args: wireguard (args // { swannWireguard = args: wireguard (args // {
@ -199,11 +196,11 @@
"1.1.1.1" "1.1.1.1"
]; ];
networkConfig.DNSDefaultRoute = true; networkConfig.DNSDefaultRoute = true;
routes = [{ routeConfig = { routes = [{
Gateway = "195.74.55.20"; Gateway = "195.74.55.20";
}; } { routeConfig = { } {
Gateway = "2a03:ee40:8080:9:1::1"; Gateway = "2a03:ee40:8080:9:1::1";
}; }]; }];
}; };
netdevs."20-vl-velox2" = { netdevs."20-vl-velox2" = {
netdevConfig = { netdevConfig = {
@ -229,11 +226,11 @@
"1.1.1.1" "1.1.1.1"
]; ];
networkConfig.DNSDefaultRoute = true; networkConfig.DNSDefaultRoute = true;
routes = [{ routeConfig = { routes = [{
Gateway = "195.74.55.22"; Gateway = "195.74.55.22";
}; } { routeConfig = { } {
Gateway = "2a03:ee40:8080:9:2::1"; Gateway = "2a03:ee40:8080:9:2::1";
}; }]; }];
}; };
netdevs."20-vl-linx" = { netdevs."20-vl-linx" = {
netdevConfig = { netdevConfig = {
@ -264,14 +261,14 @@
networks."60-lo" = { networks."60-lo" = {
matchConfig.Name = "lo"; matchConfig.Name = "lo";
addresses = [{ addresses = [{
addressConfig.Address = "127.0.0.1/8"; Address = "127.0.0.1/8";
addressConfig.Scope = "host"; Scope = "host";
} { } {
addressConfig.Address = "::1/128"; Address = "::1/128";
} { } {
addressConfig.Address = "92.118.30.251/32"; Address = "92.118.30.251/32";
} { } {
addressConfig.Address = "2a09:a442:1000::/128"; Address = "2a09:a442:1000::/128";
}]; }];
}; };
}; };
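Review bot: The `wireguard` peer helper and the `networks."60-lo"` block in this section appear line-for-line identical to the ones in the earlier file section (`@ -191,15 +191,12 @@` and `@ -253,14 +250,14 @@`), differing only in the two host addresses, and this commit reshapes both copies in parallel rather than hoisting the shared part, despite the description saying repeated things moved up. If these are per-host files that are meant to stay independent this is fine, but a shared module taking the loopback addresses as arguments would keep the two from drifting on the next option reshape; at minimum a comment such as `# Mirrors the wireguard helper in the sibling host module; keep in sync.` above the helper would flag the duplication. The `wireguard` helper's signature is outside the hunk, so I am inferring its shape from the visible body.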


@ -102,12 +102,10 @@ in {
dhcpV4Config.RouteTable = rtID; dhcpV4Config.RouteTable = rtID;
ipv6AcceptRAConfig.RouteTable = rtID; ipv6AcceptRAConfig.RouteTable = rtID;
routingPolicyRules = [{ routingPolicyRules = [{
routingPolicyRuleConfig = { Family = "both";
Family = "both"; FirewallMark = hexToInt wireguardFwmark;
FirewallMark = hexToInt wireguardFwmark; Priority = 10000;
Priority = 10000; Table = rtID;
Table = rtID;
};
}] ++ extraRules; }] ++ extraRules;
}; };
wireguardNetwork = { linkName, relativePriority, rtID, v4Linknet, v6Linknet }: { wireguardNetwork = { linkName, relativePriority, rtID, v4Linknet, v6Linknet }: {
@ -124,29 +122,21 @@ in {
"${builtins.elemAt pieces 0}${lib.toHexString (fn (hexToInt "0x${builtins.elemAt pieces 2}"))}"; "${builtins.elemAt pieces 0}${lib.toHexString (fn (hexToInt "0x${builtins.elemAt pieces 2}"))}";
in [ in [
{ {
routeConfig = { Destination = "${v4Linknet}/31";
Destination = "${v4Linknet}/31"; Table = rtID;
Table = rtID;
};
} }
{ {
routeConfig = { Gateway = replaceV4Octet v4Linknet (n: n + 1);
Gateway = replaceV4Octet v4Linknet (n: n + 1); Table = rtID;
Table = rtID;
};
} }
{ {
routeConfig = { Destination = "${replaceV6Octet v6Linknet (n: 0)}/112";
Destination = "${replaceV6Octet v6Linknet (n: 0)}/112"; Table = rtID;
Table = rtID;
};
} }
{ {
routeConfig = { Gateway = replaceV6Octet v6Linknet (n: n + 1);
Gateway = replaceV6Octet v6Linknet (n: n + 1); Table = rtID;
Table = rtID;
};
} }
]; ];
@ -162,31 +152,25 @@ in {
# Allow picking destination by source IP. # Allow picking destination by source IP.
{ {
routingPolicyRuleConfig = { Family = "ipv4";
Family = "ipv4"; From = v4Linknet;
From = v4Linknet; Priority = 10010;
Priority = 10010; Table = rtID;
Table = rtID;
};
} }
{ {
routingPolicyRuleConfig = { Family = "ipv6";
Family = "ipv6"; From = v6Linknet;
From = v6Linknet; Priority = 10010;
Priority = 10010; Table = rtID;
Table = rtID;
};
} }
]; ];
}; };
tailscaleRule = priority: table: { tailscaleRule = priority: table: {
# Route Tailscale (fwmark 0x80000) via Wireguard first. # Route Tailscale (fwmark 0x80000) via Wireguard first.
routingPolicyRuleConfig = { Family = "both";
Family = "both"; FirewallMark = hexToInt "0x80000"; # Should be "0x80000/0xff0000"
FirewallMark = hexToInt "0x80000"; # Should be "0x80000/0xff0000" Priority = priority;
Priority = priority; Table = table;
Table = table;
};
}; };
in let in let
routeTables = { routeTables = {
@ -240,19 +224,15 @@ in {
networks."40-lo" = { networks."40-lo" = {
routingPolicyRules = let routingPolicyRules = let
viaMain = priority: to: { viaMain = priority: to: {
routingPolicyRuleConfig = { To = to;
To = to; Table = "main";
Table = "main"; Priority = priority;
Priority = priority;
};
}; };
blackhole = fwmark: { blackhole = fwmark: {
routingPolicyRuleConfig = { Family = "both";
Family = "both"; FirewallMark = hexToInt fwmark;
FirewallMark = hexToInt fwmark; Priority = 10001;
Priority = 10001; Type = "unreachable";
Type = "unreachable";
};
}; };
in [ in [
(tailscaleRule 5000 150) (tailscaleRule 5000 150)
@ -274,50 +254,38 @@ in {
{ {
# Catch-all "go via WG" # Catch-all "go via WG"
routingPolicyRuleConfig = { Family = "both";
Family = "both"; Priority = 10080;
Priority = 10080; Table = routeTables.bgp;
Table = routeTables.bgp;
};
} }
]; ];
}; };
networks."40-en-ee" = (physicalNetwork routeTables.ee "0xdead" [{ networks."40-en-ee" = (physicalNetwork routeTables.ee "0xdead" [{
routingPolicyRuleConfig = { # add-on.ee.co.uk goes via EE.
# add-on.ee.co.uk goes via EE. To = "82.192.97.153/32";
To = "82.192.97.153/32"; Table = routeTables.ee;
Table = routeTables.ee; Priority = 10031;
Priority = 10031;
};
} { } {
routingPolicyRuleConfig = { # as does anything from 10.42.0.0/24.
# as does anything from 10.42.0.0/24. From = "10.42.0.0/24";
From = "10.42.0.0/24"; Table = routeTables.ee;
Table = routeTables.ee; Priority = 10031;
Priority = 10031;
};
}]) // { }]) // {
linkConfig.RequiredForOnline = "no"; linkConfig.RequiredForOnline = "no";
routes = [{ routes = [{
routeConfig = { Gateway = "10.42.0.1";
Gateway = "10.42.0.1"; Destination = "0.0.0.0/0";
Destination = "0.0.0.0/0"; Table = routeTables.ee;
Table = routeTables.ee;
};
} { } {
routeConfig = { Destination = "10.42.0.0/24";
Destination = "10.42.0.0/24"; Table = routeTables.ee;
Table = routeTables.ee;
};
}]; }];
}; };
networks."40-en-gnet" = (physicalNetwork routeTables.gnet "0xcafe" [{ networks."40-en-gnet" = (physicalNetwork routeTables.gnet "0xcafe" [{
# Catch-all mop-up rule at the end. # Catch-all mop-up rule at the end.
routingPolicyRuleConfig = { Family = "both";
Family = "both"; Priority = 32768;
Priority = 32768; Table = routeTables.gnet;
Table = routeTables.gnet;
};
}]); }]);
networks."40-br-internal" = { networks."40-br-internal" = {
networkConfig.VLAN = [ "vl-eduroam" ]; networkConfig.VLAN = [ "vl-eduroam" ];
@ -345,14 +313,12 @@ in {
RouteTable = "off"; RouteTable = "off";
}; };
wireguardPeers = [{ wireguardPeers = [{
wireguardPeerConfig = { Endpoint = endpoint;
Endpoint = endpoint; PublicKey = publicKey;
PublicKey = publicKey; AllowedIPs = [
AllowedIPs = [ "0.0.0.0/0"
"0.0.0.0/0" "::/0"
"::/0" ];
];
};
}]; }];
}; };
rexxarWireguard = args: wireguard (args // { rexxarWireguard = args: wireguard (args // {
@ -403,15 +369,13 @@ in {
FirewallMark = hexToInt "0xcafe"; # over gnet FirewallMark = hexToInt "0xcafe"; # over gnet
}; };
wireguardPeers = [{ wireguardPeers = [{
wireguardPeerConfig = { Endpoint = "shenfield-mythic.i.eta.st:51825";
Endpoint = "shenfield-mythic.i.eta.st:51825"; #PublicKey = config.my.vault.secrets.wg-eta-public.path;
#PublicKey = config.my.vault.secrets.wg-eta-public.path; PublicKey = "JDelaz8FQBtJBRVd9CMYikO/25gKipYgfyXtjL6jgS8=";
PublicKey = "JDelaz8FQBtJBRVd9CMYikO/25gKipYgfyXtjL6jgS8="; AllowedIPs = [
AllowedIPs = [ "0.0.0.0/0"
"0.0.0.0/0" "::/0"
"::/0" ];
];
};
}]; }];
}; };
"20-br-internal" = { "20-br-internal" = {