From 606ff984ebd392b1b79830be499301b4f5c39ebe Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown
Date: Thu, 1 Jul 2021 01:48:12 +0000
Subject: [PATCH] ops/nixos: minotarproxy-as-a-lib

---
 ops/nixos/clouvider-lon01/default.nix | 23 ++----------------
 ops/nixos/frantech-nyc01/default.nix | 35 +++++++++++++++++++++++++++
 ops/nixos/lib/bgp.nix | 24 +++++++++++++++---
 ops/nixos/lib/minotarproxy.nix | 31 ++++++++++++++++++++++++
 4 files changed, 89 insertions(+), 24 deletions(-)
 create mode 100644 ops/nixos/lib/minotarproxy.nix

diff --git a/ops/nixos/clouvider-lon01/default.nix b/ops/nixos/clouvider-lon01/default.nix
index 6130494c63..642cbe7a9b 100644
--- a/ops/nixos/clouvider-lon01/default.nix
+++ b/ops/nixos/clouvider-lon01/default.nix
@@ -6,12 +6,11 @@
 let
 inherit (depot.ops) secrets;
 machineSecrets = secrets.machineSpecific.clouvider-lon01;
-
- aliasIPs = map (n: "92.118.29.${toString n}") (lib.range 1 253);
 in {
 imports = [
 ../lib/zfs.nix
 ../lib/bgp.nix
+ ../lib/minotarproxy.nix
 ../lib/whitby-distributed.nix
 ../lib/macmini-distributed.nix
 ../lib/quotes.bfob.gg.nix
@@ -112,8 +111,7 @@ in {
 ipv6.addresses = [{ address = "2a0a:54c0:0:17::2"; prefixLength = 126; }];
 };
 interfaces.lo = {
- ipv4.addresses = [{ address = "127.0.0.1"; prefixLength = 8; }] ++ (
- map (address: { inherit address; prefixLength = 32; }) aliasIPs);
+ ipv4.addresses = [{ address = "127.0.0.1"; prefixLength = 8; }];
 ipv6.addresses = [{ address = "::1"; prefixLength = 128; }];
 };
 firewall = {
@@ -151,9 +149,6 @@ in {
 users.users = {
 lukegb.extraGroups = [ "bird2" ];
- minotarproxy = {
- isSystemUser = true;
- };
 };
 users.groups = {
 znc-acme = {
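Review bot: The `interfaces.lo.ipv4.addresses` line in the -112 hunk now reads as if lo carries only 127.0.0.1/8, while `../lib/minotarproxy.nix` (imported in the first hunk) still contributes the 92.118.29.x/32 aliases through NixOS list-option merging, which a reader of this file alone cannot see. A short comment next to that line would help: `# 92.118.29.0/24 /32 aliases for minotarproxy are merged in from ../lib/minotarproxy.nix`. The same holds for the `users.users.minotarproxy` removal in the -151 hunk, which the imported module re-adds. The enclosing attribute set continues outside the hunk.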
@@ -225,20 +220,6 @@ in {
 };
 };
- systemd.services.minotarproxy = {
- description = "Minotar proxy";
- wants = ["network-online.target"];
- wantedBy = ["multi-user.target"];
- serviceConfig = {
- ExecStart = ''${depot.go.minotarproxy}/bin/minotarproxy --logtostderr --server_bind=92.118.29.225:443 --autocert_insecure_bind=92.118.29.225:80 --autocert_domain=minotarproxy.lukegb.xyz --outbound_bind="${builtins.concatStringsSep "," aliasIPs}" --autocert_cache_dir=/run/minotarproxy'';
- User = "minotarproxy";
- Restart = "always";
- AmbientCapabilities = "CAP_NET_BIND_SERVICE";
- };
- };
- systemd.tmpfiles.rules = [
- "d /run/minotarproxy 0700 minotarproxy - -"
- ];
 systemd.mounts = let
 bindMount' = dir: {
 unitConfig.RequiresMountsFor = dir;
diff --git a/ops/nixos/frantech-nyc01/default.nix b/ops/nixos/frantech-nyc01/default.nix
index 9d8f3ace46..eca2b1536d 100644
--- a/ops/nixos/frantech-nyc01/default.nix
+++ b/ops/nixos/frantech-nyc01/default.nix
@@ -5,11 +5,14 @@
 { depot, lib, pkgs, rebuilder, config, ... }:
 let
 inherit (depot.ops) secrets;
+ machineSecrets = secrets.machineSpecific.frantech-nyc01;
 in {
 imports = [
 ../../../third_party/nixpkgs/nixos/modules/profiles/qemu-guest.nix
 ../lib/low-space.nix
 ../lib/coredns/default.nix
+ ../lib/bgp.nix
+ ../lib/minotarproxy.nix
 ];
 boot.initrd.availableKernelModules = [
@@ -66,5 +69,37 @@ in {
 };
 my.ip.tailscale = "100.99.236.25";
+ services.lukegbgp = let local = {
+ asn = 205479;
+ }; in {
+ enable = true;
+ config = {
+ local = {
+ routerID = "199.195.254.60";
+ };
+ export = {
+ v4 = ["92.118.29.0/24"];
+ };
+ peering = {
+ frantech = {
+ local = local // {
+ v4 = "199.195.254.60";
+ v6 = "2605:6400:10:c77::1";
+ };
+ remote = {
+ asn = 53667;
+ export_community = 4000;
+ routers = [{
+ v4 = "169.254.169.179";
+ v6 = "2605:6400:ffff::2";
+ multihop = 2;
+ password = machineSecrets.bgpPassword;
+ }];
+ };
+ };
+ };
+ };
+ };
 system.stateVersion = "21.05";
 }
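Review bot: In the new `services.lukegbgp` block of the -66 hunk, the let-bound `local` (holding only `asn`) shares its name with the `config.local` attribute and with `peering.frantech.local`, and the address `199.195.254.60` is written out twice, once as `routerID` and once as the session's `local.v4`. Binding it once, e.g. `let local = { asn = 205479; v4 = "199.195.254.60"; };` and then `routerID = local.v4;` with the peering side becoming `local = local // { v6 = "2605:6400:10:c77::1"; };`, keeps the router ID and the session source address from drifting apart and makes the binding's role clearer. A one-line comment on the block stating that this host announces 92.118.29.0/24 for the anycast minotarproxy listener would also save the next reader a trip to ../lib/minotarproxy.nix. The enclosing attribute set starts outside the hunk.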
diff --git a/ops/nixos/lib/bgp.nix b/ops/nixos/lib/bgp.nix
index c0ae2bf1cc..052f1eb23c 100644
--- a/ops/nixos/lib/bgp.nix
+++ b/ops/nixos/lib/bgp.nix
@@ -21,12 +21,18 @@ let
 export all;
 };
 '' + lib.concatImapStringsSep "\n" ( i: v: generateSnippetForRouter (args // { routerNum = i; router = v; }) ) ix.remote.routers;
- enabledSnippet = { enabled ? true, ... }: "disabled ${if enabled then "off" else "on"}";
+ enabledSnippet = { enabled ? true, ... }: "disabled ${if enabled then "off" else "on"};";
+ passwordSnippet = { password ? null, ... }: if password == null then "# no password" else "password \"${password}\";";
+ multihopSnippet = { multihop ? null, ... }: if multihop == null then "# not multihop" else "multihop ${toString multihop};";
 generateSnippetForRouter = { ixName, ix, routerNum, router, ... }: ''
 protocol bgp ${ixName}${toString routerNum}_4 {
- ${enabledSnippet router};
+ ${enabledSnippet router}
+ ${passwordSnippet router}
+ ${multihopSnippet router}
 local ${ix.local.v4} as ${toString ix.local.asn};
 neighbor ${router.v4} as ${toString ix.remote.asn};
+ graceful restart on;
+ long lived graceful restart on;
 ipv4 {
 table ${ixName}4;
 import all;
@@ -34,9 +40,13 @@ let
 };
 };
 protocol bgp ${ixName}${toString routerNum}_6 {
- ${enabledSnippet router};
+ ${enabledSnippet router}
+ ${passwordSnippet router}
+ ${multihopSnippet router}
 local ${ix.local.v6} as ${toString ix.local.asn};
 neighbor ${router.v6} as ${toString ix.remote.asn};
+ graceful restart on;
+ long lived graceful restart on;
 ipv6 {
 table ${ixName}6;
 import all;
@@ -104,6 +114,14 @@ in {
 v6 = mkOption { # lukegbgp.config.peering..remote.routers..v6
 type = str;
 };
+ multihop = mkOption { # lukegbgp.config.peering..remote.routers..multihop
+ type = nullOr int;
+ default = null;
+ };
+ password = mkOption { # lukegbgp.config.peering..remote.routers..password
+ type = nullOr str;
+ default = null;
+ };
 };
 });
 };
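Review bot: `passwordSnippet` in the -21 hunk interpolates the peer password verbatim into the bird protocol text (`password "${password}";`), so the session secret becomes part of the rendered configuration; if that string is written out the way NixOS module-generated config files usually are, through the Nix store, it is world-readable on the host, and the -34 hunk renders the same text again for the `_6` protocol. The value is also not escaped, so a password containing `"` or `\` would silently produce a malformed bird config instead of failing at evaluation time. Either document that constraint on the new `password` option in the -104 hunk, e.g. `description = "BGP session password, rendered verbatim into the bird config; must not contain double quotes or backslashes.";` (and give `multihop` a description too), or keep the secret out of the rendered text by pointing bird at a file delivered outside the store. generateSnippetForRouter continues past the hunk.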
diff --git a/ops/nixos/lib/minotarproxy.nix b/ops/nixos/lib/minotarproxy.nix
new file mode 100644
index 0000000000..3903d5cb57
--- /dev/null
+++ b/ops/nixos/lib/minotarproxy.nix
@@ -0,0 +1,31 @@
+# SPDX-FileCopyrightText: 2021 Luke Granger-Brown
+#
+# SPDX-License-Identifier: Apache-2.0
+
+{ depot, lib, ... }:
+let
+ aliasIPs = map (n: "92.118.29.${toString n}") (lib.range 1 253);
+in {
+ networking.interfaces.lo.ipv4.addresses = (
+ map (address: { inherit address; prefixLength = 32; }) aliasIPs);
+ networking.firewall.allowedTCPPorts = [
+ 80 443
+ ];
+
+ users.users.minotarproxy.isSystemUser = true;
+
+ systemd.services.minotarproxy = {
+ description = "Minotar proxy";
+ wants = ["network-online.target"];
+ wantedBy = ["multi-user.target"];
+ serviceConfig = {
+ ExecStart = ''${depot.go.minotarproxy}/bin/minotarproxy --logtostderr --server_bind=92.118.29.225:443 --autocert_insecure_bind=92.118.29.225:80 --autocert_domain=minotarproxy.lukegb.xyz --outbound_bind="${builtins.concatStringsSep "," aliasIPs}" --autocert_cache_dir=/run/minotarproxy'';
+ User = "minotarproxy";
+ Restart = "always";
+ AmbientCapabilities = "CAP_NET_BIND_SERVICE";
+ };
+ };
+ systemd.tmpfiles.rules = [
+ "d /run/minotarproxy 0700 minotarproxy - -"
+ ];
+}
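Review bot: The `minotarproxy` unit exposes an internet-facing listener on :80/:443 with `AmbientCapabilities = "CAP_NET_BIND_SERVICE"` but no other sandboxing, so a compromised process keeps a full filesystem and capability view well beyond what binding the two ports, opening outbound sockets on the alias IPs and writing `/run/minotarproxy` requires; the usual systemd hardening fits that footprint without changing behaviour. Separately, `networking.firewall.allowedTCPPorts = [ 80 443 ]` opens both ports on every address of every host importing this module, whereas the service binds only 92.118.29.225, so scoping the rule (per-interface via `networking.firewall.interfaces`, or per-address via `extraCommands`) keeps the exposure to the anycast address. The cache dir on tmpfs also means the ACME account key and certificate are re-issued after every reboot on each importing host, which is worth a comment on `--autocert_cache_dir` if intended, as is the now-anycast nature of the hardcoded 92.118.29.225 listener.

```nix
    serviceConfig = {
      # … unchanged: ExecStart, User, Restart …
      AmbientCapabilities = "CAP_NET_BIND_SERVICE";
      CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";
      NoNewPrivileges = true;
      ProtectSystem = "strict";
      ProtectHome = true;
      PrivateTmp = true;
      PrivateDevices = true;
      ProtectKernelTunables = true;
      ProtectControlGroups = true;
      RestrictAddressFamilies = "AF_INET AF_INET6";
      # only writable path the proxy needs (autocert cache, created by the tmpfiles rule)
      ReadWritePaths = [ "/run/minotarproxy" ];
    };
```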