ops/nixos: minotarproxy-as-a-lib
This commit is contained in:
parent
841d9c7fc1
commit
606ff984eb
4 changed files with 89 additions and 24 deletions
|
@ -6,12 +6,11 @@
|
||||||
let
|
let
|
||||||
inherit (depot.ops) secrets;
|
inherit (depot.ops) secrets;
|
||||||
machineSecrets = secrets.machineSpecific.clouvider-lon01;
|
machineSecrets = secrets.machineSpecific.clouvider-lon01;
|
||||||
|
|
||||||
aliasIPs = map (n: "92.118.29.${toString n}") (lib.range 1 253);
|
|
||||||
in {
|
in {
|
||||||
imports = [
|
imports = [
|
||||||
../lib/zfs.nix
|
../lib/zfs.nix
|
||||||
../lib/bgp.nix
|
../lib/bgp.nix
|
||||||
|
../lib/minotarproxy.nix
|
||||||
../lib/whitby-distributed.nix
|
../lib/whitby-distributed.nix
|
||||||
../lib/macmini-distributed.nix
|
../lib/macmini-distributed.nix
|
||||||
../lib/quotes.bfob.gg.nix
|
../lib/quotes.bfob.gg.nix
|
||||||
|
@ -112,8 +111,7 @@ in {
|
||||||
ipv6.addresses = [{ address = "2a0a:54c0:0:17::2"; prefixLength = 126; }];
|
ipv6.addresses = [{ address = "2a0a:54c0:0:17::2"; prefixLength = 126; }];
|
||||||
};
|
};
|
||||||
interfaces.lo = {
|
interfaces.lo = {
|
||||||
ipv4.addresses = [{ address = "127.0.0.1"; prefixLength = 8; }] ++ (
|
ipv4.addresses = [{ address = "127.0.0.1"; prefixLength = 8; }];
|
||||||
map (address: { inherit address; prefixLength = 32; }) aliasIPs);
|
|
||||||
ipv6.addresses = [{ address = "::1"; prefixLength = 128; }];
|
ipv6.addresses = [{ address = "::1"; prefixLength = 128; }];
|
||||||
};
|
};
|
||||||
firewall = {
|
firewall = {
|
||||||
|
@ -151,9 +149,6 @@ in {
|
||||||
|
|
||||||
users.users = {
|
users.users = {
|
||||||
lukegb.extraGroups = [ "bird2" ];
|
lukegb.extraGroups = [ "bird2" ];
|
||||||
minotarproxy = {
|
|
||||||
isSystemUser = true;
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
users.groups = {
|
users.groups = {
|
||||||
znc-acme = {
|
znc-acme = {
|
||||||
|
@ -225,20 +220,6 @@ in {
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.services.minotarproxy = {
|
|
||||||
description = "Minotar proxy";
|
|
||||||
wants = ["network-online.target"];
|
|
||||||
wantedBy = ["multi-user.target"];
|
|
||||||
serviceConfig = {
|
|
||||||
ExecStart = ''${depot.go.minotarproxy}/bin/minotarproxy --logtostderr --server_bind=92.118.29.225:443 --autocert_insecure_bind=92.118.29.225:80 --autocert_domain=minotarproxy.lukegb.xyz --outbound_bind="${builtins.concatStringsSep "," aliasIPs}" --autocert_cache_dir=/run/minotarproxy'';
|
|
||||||
User = "minotarproxy";
|
|
||||||
Restart = "always";
|
|
||||||
AmbientCapabilities = "CAP_NET_BIND_SERVICE";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
systemd.tmpfiles.rules = [
|
|
||||||
"d /run/minotarproxy 0700 minotarproxy - -"
|
|
||||||
];
|
|
||||||
systemd.mounts = let
|
systemd.mounts = let
|
||||||
bindMount' = dir: {
|
bindMount' = dir: {
|
||||||
unitConfig.RequiresMountsFor = dir;
|
unitConfig.RequiresMountsFor = dir;
|
||||||
|
|
|
@ -5,11 +5,14 @@
|
||||||
{ depot, lib, pkgs, rebuilder, config, ... }:
|
{ depot, lib, pkgs, rebuilder, config, ... }:
|
||||||
let
|
let
|
||||||
inherit (depot.ops) secrets;
|
inherit (depot.ops) secrets;
|
||||||
|
machineSecrets = secrets.machineSpecific.frantech-nyc01;
|
||||||
in {
|
in {
|
||||||
imports = [
|
imports = [
|
||||||
../../../third_party/nixpkgs/nixos/modules/profiles/qemu-guest.nix
|
../../../third_party/nixpkgs/nixos/modules/profiles/qemu-guest.nix
|
||||||
../lib/low-space.nix
|
../lib/low-space.nix
|
||||||
../lib/coredns/default.nix
|
../lib/coredns/default.nix
|
||||||
|
../lib/bgp.nix
|
||||||
|
../lib/minotarproxy.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
boot.initrd.availableKernelModules = [
|
boot.initrd.availableKernelModules = [
|
||||||
|
@ -66,5 +69,37 @@ in {
|
||||||
};
|
};
|
||||||
my.ip.tailscale = "100.99.236.25";
|
my.ip.tailscale = "100.99.236.25";
|
||||||
|
|
||||||
|
services.lukegbgp = let local = {
|
||||||
|
asn = 205479;
|
||||||
|
}; in {
|
||||||
|
enable = true;
|
||||||
|
config = {
|
||||||
|
local = {
|
||||||
|
routerID = "199.195.254.60";
|
||||||
|
};
|
||||||
|
export = {
|
||||||
|
v4 = ["92.118.29.0/24"];
|
||||||
|
};
|
||||||
|
peering = {
|
||||||
|
frantech = {
|
||||||
|
local = local // {
|
||||||
|
v4 = "199.195.254.60";
|
||||||
|
v6 = "2605:6400:10:c77::1";
|
||||||
|
};
|
||||||
|
remote = {
|
||||||
|
asn = 53667;
|
||||||
|
export_community = 4000;
|
||||||
|
routers = [{
|
||||||
|
v4 = "169.254.169.179";
|
||||||
|
v6 = "2605:6400:ffff::2";
|
||||||
|
multihop = 2;
|
||||||
|
password = machineSecrets.bgpPassword;
|
||||||
|
}];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
system.stateVersion = "21.05";
|
system.stateVersion = "21.05";
|
||||||
}
|
}
|
||||||
|
|
|
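Review bot: `password = machineSecrets.bgpPassword;` in the new frantech peer block hands the BGP session secret to bgp.nix's `passwordSnippet`, which interpolates it verbatim into the generated bird configuration; if that text is written through the usual module path it becomes a world-readable file under /nix/store, so every local user on the host can read the TCP-MD5 password. If that is the accepted trade-off for this box it deserves a comment on the `password = ` line, e.g. `# NOTE: ends up in the bird config in the Nix store; rotate on host compromise`; otherwise keep the secret out of evaluated Nix (a root-only file pulled in with bird's `include`, or a runtime-substituted placeholder) and pass only its path here. The rest of the `services.lukegbgp` block (local 205479 peering with 53667 via multihop 2, exporting 92.118.29.0/24) reads as intended for the anycast move and the enclosing attribute set closes within the hunk.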
@ -21,12 +21,18 @@ let
|
||||||
export all;
|
export all;
|
||||||
};
|
};
|
||||||
'' + lib.concatImapStringsSep "\n" ( i: v: generateSnippetForRouter (args // { routerNum = i; router = v; }) ) ix.remote.routers;
|
'' + lib.concatImapStringsSep "\n" ( i: v: generateSnippetForRouter (args // { routerNum = i; router = v; }) ) ix.remote.routers;
|
||||||
enabledSnippet = { enabled ? true, ... }: "disabled ${if enabled then "off" else "on"}";
|
enabledSnippet = { enabled ? true, ... }: "disabled ${if enabled then "off" else "on"};";
|
||||||
|
passwordSnippet = { password ? null, ... }: if password == null then "# no password" else "password \"${password}\";";
|
||||||
|
multihopSnippet = { multihop ? null, ... }: if multihop == null then "# not multihop" else "multihop ${toString multihop};";
|
||||||
generateSnippetForRouter = { ixName, ix, routerNum, router, ... }: ''
|
generateSnippetForRouter = { ixName, ix, routerNum, router, ... }: ''
|
||||||
protocol bgp ${ixName}${toString routerNum}_4 {
|
protocol bgp ${ixName}${toString routerNum}_4 {
|
||||||
${enabledSnippet router};
|
${enabledSnippet router}
|
||||||
|
${passwordSnippet router}
|
||||||
|
${multihopSnippet router}
|
||||||
local ${ix.local.v4} as ${toString ix.local.asn};
|
local ${ix.local.v4} as ${toString ix.local.asn};
|
||||||
neighbor ${router.v4} as ${toString ix.remote.asn};
|
neighbor ${router.v4} as ${toString ix.remote.asn};
|
||||||
|
graceful restart on;
|
||||||
|
long lived graceful restart on;
|
||||||
ipv4 {
|
ipv4 {
|
||||||
table ${ixName}4;
|
table ${ixName}4;
|
||||||
import all;
|
import all;
|
||||||
|
@ -34,9 +40,13 @@ let
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
protocol bgp ${ixName}${toString routerNum}_6 {
|
protocol bgp ${ixName}${toString routerNum}_6 {
|
||||||
${enabledSnippet router};
|
${enabledSnippet router}
|
||||||
|
${passwordSnippet router}
|
||||||
|
${multihopSnippet router}
|
||||||
local ${ix.local.v6} as ${toString ix.local.asn};
|
local ${ix.local.v6} as ${toString ix.local.asn};
|
||||||
neighbor ${router.v6} as ${toString ix.remote.asn};
|
neighbor ${router.v6} as ${toString ix.remote.asn};
|
||||||
|
graceful restart on;
|
||||||
|
long lived graceful restart on;
|
||||||
ipv6 {
|
ipv6 {
|
||||||
table ${ixName}6;
|
table ${ixName}6;
|
||||||
import all;
|
import all;
|
||||||
|
@ -104,6 +114,14 @@ in {
|
||||||
v6 = mkOption { # lukegbgp.config.peering.<foo>.remote.routers.<n>.v6
|
v6 = mkOption { # lukegbgp.config.peering.<foo>.remote.routers.<n>.v6
|
||||||
type = str;
|
type = str;
|
||||||
};
|
};
|
||||||
|
multihop = mkOption { # lukegbgp.config.peering.<foo>.remote.routers.<n>.multihop
|
||||||
|
type = nullOr int;
|
||||||
|
default = null;
|
||||||
|
};
|
||||||
|
password = mkOption { # lukegbgp.config.peering.<foo>.remote.routers.<n>.password
|
||||||
|
type = nullOr str;
|
||||||
|
default = null;
|
||||||
|
};
|
||||||
};
|
};
|
||||||
});
|
});
|
||||||
};
|
};
|
||||||
|
|
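Review bot: `passwordSnippet` emits `password "${password}";` without escaping, so a secret containing a double quote or backslash yields a bird config that fails to parse or, at best, terminates the string early; escape it as `"password \"${lib.escape [ "\"" "\\" ] password}\";"` (assuming bird honours backslash escapes in quoted strings — confirm), or add an assertion on the option value. The same concern applies to the new `password` option declared at the end of the file (`type = nullOr str`), whose comment should say the value is placed into the generated bird config verbatim rather than referenced by file. The `enabledSnippet` change correctly moves the semicolon into the snippet so the `_4` and `_6` protocol blocks no longer emit `disabled off;;`; `generateSnippetForRouter` and the option set both start before and end after the hunks shown.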
31
ops/nixos/lib/minotarproxy.nix
Normal file
31
ops/nixos/lib/minotarproxy.nix
Normal file
|
@ -0,0 +1,31 @@
|
||||||
|
# SPDX-FileCopyrightText: 2021 Luke Granger-Brown <depot@lukegb.com>
|
||||||
|
#
|
||||||
|
# SPDX-License-Identifier: Apache-2.0
|
||||||
|
|
||||||
|
{ depot, lib, ... }:
|
||||||
|
let
|
||||||
|
aliasIPs = map (n: "92.118.29.${toString n}") (lib.range 1 253);
|
||||||
|
in {
|
||||||
|
networking.interfaces.lo.ipv4.addresses = (
|
||||||
|
map (address: { inherit address; prefixLength = 32; }) aliasIPs);
|
||||||
|
networking.firewall.allowedTCPPorts = [
|
||||||
|
80 443
|
||||||
|
];
|
||||||
|
|
||||||
|
users.users.minotarproxy.isSystemUser = true;
|
||||||
|
|
||||||
|
systemd.services.minotarproxy = {
|
||||||
|
description = "Minotar proxy";
|
||||||
|
wants = ["network-online.target"];
|
||||||
|
wantedBy = ["multi-user.target"];
|
||||||
|
serviceConfig = {
|
||||||
|
ExecStart = ''${depot.go.minotarproxy}/bin/minotarproxy --logtostderr --server_bind=92.118.29.225:443 --autocert_insecure_bind=92.118.29.225:80 --autocert_domain=minotarproxy.lukegb.xyz --outbound_bind="${builtins.concatStringsSep "," aliasIPs}" --autocert_cache_dir=/run/minotarproxy'';
|
||||||
|
User = "minotarproxy";
|
||||||
|
Restart = "always";
|
||||||
|
AmbientCapabilities = "CAP_NET_BIND_SERVICE";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
systemd.tmpfiles.rules = [
|
||||||
|
"d /run/minotarproxy 0700 minotarproxy - -"
|
||||||
|
];
|
||||||
|
}
|
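Review bot: The new unit has `wants = ["network-online.target"]` but no matching `after`, so nothing orders it behind the network, while its ExecStart binds fixed addresses (92.118.29.225:443 and :80) that only exist once the lo aliases set earlier in this module are up; add `after = ["network-online.target"]` rather than leaning on `Restart = "always"` to paper over the failed bind. The tmpfiles rule for /run/minotarproxy can be replaced by `RuntimeDirectory`/`RuntimeDirectoryMode`, which tie the 0700 directory to the unit's lifetime, and `isSystemUser = true` without a `group` trips the nixpkgs assertion on recent channels, so give the user a group. The service runs with only an ambient CAP_NET_BIND_SERVICE but no sandboxing, so ProtectSystem/NoNewPrivileges/PrivateTmp are cheap additions for a process that terminates TLS for external clients. Because the autocert cache is on /run (tmpfs) the certificate is re-issued after every boot, and with two hosts now importing this module for the same domain the CA's HTTP-01 request may land on whichever anycast node it reaches first — worth confirming against the CA's rate limits and, if needed, moving the cache to persistent per-host storage.

```nix
  users.users.minotarproxy = {
    isSystemUser = true;
    group = "minotarproxy";
  };
  users.groups.minotarproxy = {};

  systemd.services.minotarproxy = {
    description = "Minotar proxy";
    wants = ["network-online.target"];
    after = ["network-online.target"];
    wantedBy = ["multi-user.target"];
    serviceConfig = {
      # … unchanged: ExecStart, User, Restart, AmbientCapabilities …
      CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";
      NoNewPrivileges = true;
      ProtectSystem = "strict";
      ProtectHome = true;
      PrivateTmp = true;
      # replaces the systemd.tmpfiles.rules entry for /run/minotarproxy
      RuntimeDirectory = "minotarproxy";
      RuntimeDirectoryMode = "0700";
    };
  };
```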