cofractal-ams01: bring up quadv on ams
This commit is contained in:
parent
f97eeda933
commit
56bae7e5ef
2 changed files with 86 additions and 1 deletions
|
@ -178,6 +178,36 @@ in
|
||||||
443 # HTTP/3
|
443 # HTTP/3
|
||||||
51821 51822 51823 # wireguard
|
51821 51822 51823 # wireguard
|
||||||
];
|
];
|
||||||
|
firewall.extraCommands = ''
|
||||||
|
# Flush old rules.
|
||||||
|
ip46tables -D FORWARD -j lukegb-forward 2>/dev/null || true
|
||||||
|
for chain in lukegb-forward lukegb-fwd-accept lukegb-fwd-reject; do
|
||||||
|
ip46tables -F "$chain" 2>/dev/null || true
|
||||||
|
ip46tables -X "$chain" 2>/dev/null || true
|
||||||
|
done
|
||||||
|
|
||||||
|
ip46tables -N lukegb-fwd-accept
|
||||||
|
ip46tables -A lukegb-fwd-accept -j ACCEPT
|
||||||
|
|
||||||
|
ip46tables -N lukegb-fwd-reject
|
||||||
|
ip46tables -A lukegb-fwd-reject -p tcp ! --syn -j REJECT --reject-with tcp-reset
|
||||||
|
ip46tables -A lukegb-fwd-reject -j REJECT
|
||||||
|
|
||||||
|
ip46tables -N lukegb-forward
|
||||||
|
|
||||||
|
# Accept from "trusted" quadv2 interface
|
||||||
|
ip46tables -A lukegb-forward -i quadv2 -j lukegb-fwd-accept
|
||||||
|
|
||||||
|
# Accept to quadv2 interface if we're multipathing.
|
||||||
|
ip46tables -A lukegb-forward -o quadv2 -j lukegb-fwd-accept
|
||||||
|
|
||||||
|
# Accept from established/related connections.
|
||||||
|
ip46tables -A lukegb-forward -m conntrack --ctstate ESTABLISHED,RELATED -j lukegb-fwd-accept
|
||||||
|
|
||||||
|
# Set up the firewall.
|
||||||
|
ip46tables -A lukegb-forward -j lukegb-fwd-reject
|
||||||
|
ip46tables -A FORWARD -j lukegb-forward
|
||||||
|
'';
|
||||||
};
|
};
|
||||||
systemd.network = let
|
systemd.network = let
|
||||||
wireguard = { name, listenPort, privateKey, publicKey, endpoint ? null }: {
|
wireguard = { name, listenPort, privateKey, publicKey, endpoint ? null }: {
|
||||||
|
@ -260,6 +290,33 @@ in
|
||||||
Address = "2a09:a442:2000::/128";
|
Address = "2a09:a442:2000::/128";
|
||||||
}];
|
}];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
netdevs.quadv2 = {
|
||||||
|
netdevConfig = {
|
||||||
|
Name = "quadv2";
|
||||||
|
Kind = "wireguard";
|
||||||
|
};
|
||||||
|
|
||||||
|
wireguardConfig = {
|
||||||
|
PrivateKeyFile = pkgs.writeText "cofractal-ams01-quadv" depot.ops.secrets.wireguard.quadv2.lukegb.privateKey;
|
||||||
|
ListenPort = 51820;
|
||||||
|
RouteTable = "off";
|
||||||
|
};
|
||||||
|
|
||||||
|
wireguardPeers = [{
|
||||||
|
PublicKey = depot.ops.secrets.wireguard.quadv2.quadv.publicKey;
|
||||||
|
AllowedIPs = "0.0.0.0/0,::/0";
|
||||||
|
}];
|
||||||
|
};
|
||||||
|
networks.quadv2 = {
|
||||||
|
matchConfig.Name = "quadv2";
|
||||||
|
networkConfig.Address = "169.254.112.0/31";
|
||||||
|
|
||||||
|
routes = [{
|
||||||
|
Gateway = "169.254.112.1";
|
||||||
|
Destination = "92.118.31.0/24";
|
||||||
|
}];
|
||||||
|
};
|
||||||
};
|
};
|
||||||
my.ip.tailscale = "100.83.36.130";
|
my.ip.tailscale = "100.83.36.130";
|
||||||
my.ip.tailscale6 = "fd7a:115c:a1e0:ab12:4843:cd96:6253:2482";
|
my.ip.tailscale6 = "fd7a:115c:a1e0:ab12:4843:cd96:6253:2482";
|
||||||
|
@ -332,6 +389,22 @@ in
|
||||||
}];
|
}];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
peering.quadv = {
|
||||||
|
local = local // {
|
||||||
|
v4 = "169.254.112.0";
|
||||||
|
};
|
||||||
|
remote = {
|
||||||
|
asn = 197753;
|
||||||
|
export_community = 4099;
|
||||||
|
routers = [{
|
||||||
|
v4 = "169.254.112.1";
|
||||||
|
}];
|
||||||
|
prefix_limit.v4 = 10;
|
||||||
|
prefix_limit.v6 = 10;
|
||||||
|
set_imported_next_hop_to = "2a09:a446:1337:ffff::10";
|
||||||
|
};
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -378,7 +451,7 @@ in
|
||||||
security.polkit.enable = true;
|
security.polkit.enable = true;
|
||||||
users.users.lukegb.extraGroups = lib.mkAfter [ "libvirtd" ];
|
users.users.lukegb.extraGroups = lib.mkAfter [ "libvirtd" ];
|
||||||
|
|
||||||
my.vault.secrets = let
|
my.vault.secrets = let
|
||||||
wireguardSecret = key: {
|
wireguardSecret = key: {
|
||||||
group = "systemd-network";
|
group = "systemd-network";
|
||||||
template = ''
|
template = ''
|
||||||
|
|
|
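Review bot: `PrivateKeyFile = pkgs.writeText "cofractal-ams01-quadv" depot.ops.secrets.wireguard.quadv2.lukegb.privateKey;` in the netdevs.quadv2 hunk writes the WireGuard private key into the Nix store, which is world-readable on the host and is pushed to any cache or substituter the build reaches, unless depot.ops.secrets evaluates to a path reference rather than the key material. The same file already has a vault-backed `wireguardSecret` helper (`group = "systemd-network"`, visible in the last hunk of this file), which looks like the intended delivery path; pointing PrivateKeyFile at that secret's output file would keep the key out of the store. Separately, the netdev sets `ListenPort = 51820;` while the allowed-port context at the top of the first hunk lists only `51821 51822 51823 # wireguard`; the peer has no Endpoint, so the remote must initiate to this port, and if 51820 is not opened earlier in that list (outside the hunk) the handshake is dropped by the firewall. The enclosing `systemd.network = let` block begins before the hunk.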
@ -14,10 +14,12 @@ let
|
||||||
{
|
{
|
||||||
if ! (avoid_martians4()) then reject;
|
if ! (avoid_martians4()) then reject;
|
||||||
${if ix.remote.must_be_next_hop then "if (bgp_path.first != ${toString ix.remote.asn}) then reject;" else "# no next-hop requirement"}
|
${if ix.remote.must_be_next_hop then "if (bgp_path.first != ${toString ix.remote.asn}) then reject;" else "# no next-hop requirement"}
|
||||||
|
${if ix.remote.set_imported_next_hop_to != null then "bgp_next_hop = ${ix.remote.set_imported_next_hop_to};" else "# no imported bgp_next_hop override"}
|
||||||
${lib.concatMapStringsSep "\n" (asn: "if (bgp_path ~ [= * ${toString asn} * =]) then reject;") ix.remote.drop_asns}
|
${lib.concatMapStringsSep "\n" (asn: "if (bgp_path ~ [= * ${toString asn} * =]) then reject;") ix.remote.drop_asns}
|
||||||
${lib.optionalString (ixName == "quadv") ''
|
${lib.optionalString (ixName == "quadv") ''
|
||||||
bgp_ext_community.add((ro, 205479, 1000));
|
bgp_ext_community.add((ro, 205479, 1000));
|
||||||
bgp_ext_community.add((ro, 205479, 4000)); # etheroute
|
bgp_ext_community.add((ro, 205479, 4000)); # etheroute
|
||||||
|
bgp_ext_community.add((ro, 205479, 6000)); # cofractal-ams01
|
||||||
#bgp_ext_community.add((ro, 205479, 4002)); # gsl
|
#bgp_ext_community.add((ro, 205479, 4002)); # gsl
|
||||||
|
|
||||||
# Etheroute communities
|
# Etheroute communities
|
||||||
|
@ -75,6 +77,7 @@ let
|
||||||
enabledSnippet = { enabled ? true, ... }: "disabled ${if enabled then "off" else "on"};";
|
enabledSnippet = { enabled ? true, ... }: "disabled ${if enabled then "off" else "on"};";
|
||||||
passwordSnippet = { password ? null, ... }: if password == null then "# no password" else "password \"${password}\";";
|
passwordSnippet = { password ? null, ... }: if password == null then "# no password" else "password \"${password}\";";
|
||||||
multihopSnippet = { multihop ? null, ... }: if multihop == null then "# not multihop" else "multihop ${toString multihop};";
|
multihopSnippet = { multihop ? null, ... }: if multihop == null then "# not multihop" else "multihop ${toString multihop};";
|
||||||
|
nexthopSnippet = { next_hop ? null, ... }: if next_hop == null then "# no next hop override" else "next hop ${toString next_hop};";
|
||||||
passiveSnippet = { passive, ... }: "passive ${if passive then "on" else "off"};";
|
passiveSnippet = { passive, ... }: "passive ${if passive then "on" else "off"};";
|
||||||
prefixLimitSnippet = limit: if limit == null then "# no import limit" else "import limit ${toString limit} action restart;";
|
prefixLimitSnippet = limit: if limit == null then "# no import limit" else "import limit ${toString limit} action restart;";
|
||||||
generateSnippetForRouter = { ixName, ix, routerNum, router, ... }: ''
|
generateSnippetForRouter = { ixName, ix, routerNum, router, ... }: ''
|
||||||
|
@ -83,6 +86,7 @@ let
|
||||||
${enabledSnippet router}
|
${enabledSnippet router}
|
||||||
${passwordSnippet router}
|
${passwordSnippet router}
|
||||||
${multihopSnippet router}
|
${multihopSnippet router}
|
||||||
|
${nexthopSnippet router}
|
||||||
${passiveSnippet ix.remote}
|
${passiveSnippet ix.remote}
|
||||||
local ${ix.local.v4} as ${toString ix.local.asn};
|
local ${ix.local.v4} as ${toString ix.local.asn};
|
||||||
neighbor ${router.v4} as ${toString ix.remote.asn};
|
neighbor ${router.v4} as ${toString ix.remote.asn};
|
||||||
|
@ -201,6 +205,10 @@ in {
|
||||||
type = bool;
|
type = bool;
|
||||||
default = true;
|
default = true;
|
||||||
};
|
};
|
||||||
|
set_imported_next_hop_to = mkOption { # lukegbgp.config.peering.<foo>.remote.set_imported_next_hop_to
|
||||||
|
type = nullOr str;
|
||||||
|
default = null;
|
||||||
|
};
|
||||||
drop_asns = mkOption { # lukegbgp.config.peering.<foo>.remote.drop_asns
|
drop_asns = mkOption { # lukegbgp.config.peering.<foo>.remote.drop_asns
|
||||||
type = listOf int;
|
type = listOf int;
|
||||||
default = [];
|
default = [];
|
||||||
|
@ -234,6 +242,10 @@ in {
|
||||||
type = nullOr str;
|
type = nullOr str;
|
||||||
default = null;
|
default = null;
|
||||||
};
|
};
|
||||||
|
next_hop = mkOption { # lukegbgp.config.peering.<foo>.remote.routers.<n>.next_hop
|
||||||
|
type = nullOr str;
|
||||||
|
default = null;
|
||||||
|
};
|
||||||
};
|
};
|
||||||
});
|
});
|
||||||
};
|
};
|
||||||
|
|
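Review bot: `nexthopSnippet` in hunk `@ -75,6 +77,7 @@` emits `next hop ${toString next_hop};`, and nothing in this commit sets `routers.<n>.next_hop` (the quadv peering gives each router only a `v4`), so the generated BIRD syntax is never exercised here. If the target is BIRD 2 the option is spelled `next hop address <ip>`, so the form should be confirmed against the BIRD version in use before a host relies on it; `toString` on a `nullOr str` value is also a no-op and can be dropped to match `passwordSnippet`. The host config sets `set_imported_next_hop_to` to an IPv6 address on a peering that only defines v4 addresses, and the only filter shown calls `avoid_martians4()`; assigning an IPv6 `bgp_next_hop` to IPv4 routes presumably needs extended next hop enabled on that session, which is worth checking. The two new options carry no `description`; one line each — "Address written into bgp_next_hop for routes imported from this peer; null keeps the received next hop" and "Explicit next hop address for this session; null lets BIRD choose" — would record semantics that currently live only in the filter template. The `remote` and `routers` option sets these are added to start before their hunks.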