ops/nixos: minotarproxy-as-a-lib

This commit is contained in:
Luke Granger-Brown 2021-07-01 01:48:12 +00:00
parent 841d9c7fc1
commit 606ff984eb
4 changed files with 89 additions and 24 deletions


@ -6,12 +6,11 @@
let let
inherit (depot.ops) secrets; inherit (depot.ops) secrets;
machineSecrets = secrets.machineSpecific.clouvider-lon01; machineSecrets = secrets.machineSpecific.clouvider-lon01;
aliasIPs = map (n: "92.118.29.${toString n}") (lib.range 1 253);
in { in {
imports = [ imports = [
../lib/zfs.nix ../lib/zfs.nix
../lib/bgp.nix ../lib/bgp.nix
../lib/minotarproxy.nix
../lib/whitby-distributed.nix ../lib/whitby-distributed.nix
../lib/macmini-distributed.nix ../lib/macmini-distributed.nix
../lib/quotes.bfob.gg.nix ../lib/quotes.bfob.gg.nix
@ -112,8 +111,7 @@ in {
ipv6.addresses = [{ address = "2a0a:54c0:0:17::2"; prefixLength = 126; }]; ipv6.addresses = [{ address = "2a0a:54c0:0:17::2"; prefixLength = 126; }];
}; };
interfaces.lo = { interfaces.lo = {
ipv4.addresses = [{ address = "127.0.0.1"; prefixLength = 8; }] ++ ( ipv4.addresses = [{ address = "127.0.0.1"; prefixLength = 8; }];
map (address: { inherit address; prefixLength = 32; }) aliasIPs);
ipv6.addresses = [{ address = "::1"; prefixLength = 128; }]; ipv6.addresses = [{ address = "::1"; prefixLength = 128; }];
}; };
firewall = { firewall = {
@ -151,9 +149,6 @@ in {
users.users = { users.users = {
lukegb.extraGroups = [ "bird2" ]; lukegb.extraGroups = [ "bird2" ];
minotarproxy = {
isSystemUser = true;
};
}; };
users.groups = { users.groups = {
znc-acme = { znc-acme = {
@ -225,20 +220,6 @@ in {
}; };
}; };
systemd.services.minotarproxy = {
description = "Minotar proxy";
wants = ["network-online.target"];
wantedBy = ["multi-user.target"];
serviceConfig = {
ExecStart = ''${depot.go.minotarproxy}/bin/minotarproxy --logtostderr --server_bind=92.118.29.225:443 --autocert_insecure_bind=92.118.29.225:80 --autocert_domain=minotarproxy.lukegb.xyz --outbound_bind="${builtins.concatStringsSep "," aliasIPs}" --autocert_cache_dir=/run/minotarproxy'';
User = "minotarproxy";
Restart = "always";
AmbientCapabilities = "CAP_NET_BIND_SERVICE";
};
};
systemd.tmpfiles.rules = [
"d /run/minotarproxy 0700 minotarproxy - -"
];
systemd.mounts = let systemd.mounts = let
bindMount' = dir: { bindMount' = dir: {
unitConfig.RequiresMountsFor = dir; unitConfig.RequiresMountsFor = dir;


@ -5,11 +5,14 @@
{ depot, lib, pkgs, rebuilder, config, ... }: { depot, lib, pkgs, rebuilder, config, ... }:
let let
inherit (depot.ops) secrets; inherit (depot.ops) secrets;
machineSecrets = secrets.machineSpecific.frantech-nyc01;
in { in {
imports = [ imports = [
../../../third_party/nixpkgs/nixos/modules/profiles/qemu-guest.nix ../../../third_party/nixpkgs/nixos/modules/profiles/qemu-guest.nix
../lib/low-space.nix ../lib/low-space.nix
../lib/coredns/default.nix ../lib/coredns/default.nix
../lib/bgp.nix
../lib/minotarproxy.nix
]; ];
boot.initrd.availableKernelModules = [ boot.initrd.availableKernelModules = [
@ -66,5 +69,37 @@ in {
}; };
my.ip.tailscale = "100.99.236.25"; my.ip.tailscale = "100.99.236.25";
services.lukegbgp = let local = {
asn = 205479;
}; in {
enable = true;
config = {
local = {
routerID = "199.195.254.60";
};
export = {
v4 = ["92.118.29.0/24"];
};
peering = {
frantech = {
local = local // {
v4 = "199.195.254.60";
v6 = "2605:6400:10:c77::1";
};
remote = {
asn = 53667;
export_community = 4000;
routers = [{
v4 = "169.254.169.179";
v6 = "2605:6400:ffff::2";
multihop = 2;
password = machineSecrets.bgpPassword;
}];
};
};
};
};
};
system.stateVersion = "21.05"; system.stateVersion = "21.05";
} }
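Review bot: `routerID = "199.195.254.60"` and `peering.frantech.local.v4 = "199.195.254.60"` spell the same address twice while the `local` let-binding that exists to share values holds only the ASN; moving `v4`/`v6` into that binding and writing `routerID = local.v4;` keeps the two from drifting apart. `password = machineSecrets.bgpPassword` is handed to a module that splices it into bird's configuration text, so the line deserves a comment such as `# TCP-MD5 session key — ends up in the rendered bird config, confirm that file is not in /nix/store` unless the config is known to be written to a private location. The `services.lukegbgp` block is complete within this section; the hunk in `bgp.nix` shows where the value is interpolated.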


@ -21,12 +21,18 @@ let
export all; export all;
}; };
'' + lib.concatImapStringsSep "\n" ( i: v: generateSnippetForRouter (args // { routerNum = i; router = v; }) ) ix.remote.routers; '' + lib.concatImapStringsSep "\n" ( i: v: generateSnippetForRouter (args // { routerNum = i; router = v; }) ) ix.remote.routers;
enabledSnippet = { enabled ? true, ... }: "disabled ${if enabled then "off" else "on"}"; enabledSnippet = { enabled ? true, ... }: "disabled ${if enabled then "off" else "on"};";
passwordSnippet = { password ? null, ... }: if password == null then "# no password" else "password \"${password}\";";
multihopSnippet = { multihop ? null, ... }: if multihop == null then "# not multihop" else "multihop ${toString multihop};";
generateSnippetForRouter = { ixName, ix, routerNum, router, ... }: '' generateSnippetForRouter = { ixName, ix, routerNum, router, ... }: ''
protocol bgp ${ixName}${toString routerNum}_4 { protocol bgp ${ixName}${toString routerNum}_4 {
${enabledSnippet router}; ${enabledSnippet router}
${passwordSnippet router}
${multihopSnippet router}
local ${ix.local.v4} as ${toString ix.local.asn}; local ${ix.local.v4} as ${toString ix.local.asn};
neighbor ${router.v4} as ${toString ix.remote.asn}; neighbor ${router.v4} as ${toString ix.remote.asn};
graceful restart on;
long lived graceful restart on;
ipv4 { ipv4 {
table ${ixName}4; table ${ixName}4;
import all; import all;
@ -34,9 +40,13 @@ let
}; };
}; };
protocol bgp ${ixName}${toString routerNum}_6 { protocol bgp ${ixName}${toString routerNum}_6 {
${enabledSnippet router}; ${enabledSnippet router}
${passwordSnippet router}
${multihopSnippet router}
local ${ix.local.v6} as ${toString ix.local.asn}; local ${ix.local.v6} as ${toString ix.local.asn};
neighbor ${router.v6} as ${toString ix.remote.asn}; neighbor ${router.v6} as ${toString ix.remote.asn};
graceful restart on;
long lived graceful restart on;
ipv6 { ipv6 {
table ${ixName}6; table ${ixName}6;
import all; import all;
@ -104,6 +114,14 @@ in {
v6 = mkOption { # lukegbgp.config.peering.<foo>.remote.routers.<n>.v6 v6 = mkOption { # lukegbgp.config.peering.<foo>.remote.routers.<n>.v6
type = str; type = str;
}; };
multihop = mkOption { # lukegbgp.config.peering.<foo>.remote.routers.<n>.multihop
type = nullOr int;
default = null;
};
password = mkOption { # lukegbgp.config.peering.<foo>.remote.routers.<n>.password
type = nullOr str;
default = null;
};
}; };
}); });
}; };
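Review bot: The new `passwordSnippet` interpolates the secret verbatim into the bird configuration string; if `services.lukegbgp` materialises that string with `pkgs.writeText` or similar (not visible in this hunk), the TCP-MD5 session key becomes world-readable in `/nix/store`, and the `nullOr str` option with no `description` makes that easy to do without noticing. The value is also placed unescaped between bird's double quotes, so a key containing `"` or `\` would break the config rather than fail loudly — `"password \"${lib.escape [ "\"" "\\" ] password}\";"` is the cheap fix. The `password` option should at least carry `description = "TCP-MD5 key for this session; embedded as-is in the generated bird config."`, and `multihop` is arguably `nullOr ints.positive` since a hop count below 1 has no meaning here. The enclosing `let` begins before this hunk and `generateSnippetForRouter` continues past it.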


@ -0,0 +1,31 @@
# SPDX-FileCopyrightText: 2021 Luke Granger-Brown <depot@lukegb.com>
#
# SPDX-License-Identifier: Apache-2.0
{ depot, lib, ... }:
let
aliasIPs = map (n: "92.118.29.${toString n}") (lib.range 1 253);
in {
networking.interfaces.lo.ipv4.addresses = (
map (address: { inherit address; prefixLength = 32; }) aliasIPs);
networking.firewall.allowedTCPPorts = [
80 443
];
users.users.minotarproxy.isSystemUser = true;
systemd.services.minotarproxy = {
description = "Minotar proxy";
wants = ["network-online.target"];
wantedBy = ["multi-user.target"];
serviceConfig = {
ExecStart = ''${depot.go.minotarproxy}/bin/minotarproxy --logtostderr --server_bind=92.118.29.225:443 --autocert_insecure_bind=92.118.29.225:80 --autocert_domain=minotarproxy.lukegb.xyz --outbound_bind="${builtins.concatStringsSep "," aliasIPs}" --autocert_cache_dir=/run/minotarproxy'';
User = "minotarproxy";
Restart = "always";
AmbientCapabilities = "CAP_NET_BIND_SERVICE";
};
};
systemd.tmpfiles.rules = [
"d /run/minotarproxy 0700 minotarproxy - -"
];
}
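Review bot: `--autocert_cache_dir=/run/minotarproxy` together with the tmpfiles rule keeps the ACME certificate cache on tmpfs, so every reboot discards the issued certificate and account key and triggers a fresh issuance, which both regenerates the TLS key material and counts against Let's Encrypt's duplicate-certificate rate limit; `StateDirectory = "minotarproxy"` with the cache under `/var/lib/minotarproxy` fixes that and removes the tmpfiles rule. The unit also runs with `AmbientCapabilities` but no `CapabilityBoundingSet`, `NoNewPrivileges` or filesystem protection, and `users.users.minotarproxy` sets `isSystemUser` without a `group`, which recent NixOS releases reject by assertion (hedged — depends on the pinned nixpkgs). Note that `networking.firewall.allowedTCPPorts` opens 80/443 on every interface of both hosts that now import this module, wider than the single `92.118.29.225` bind. A comment at the top of the file stating that it is shared by the anycast nodes announcing `92.118.29.0/24` would also help the next reader.

```nix
users.users.minotarproxy = { isSystemUser = true; group = "minotarproxy"; };
users.groups.minotarproxy = {};
systemd.services.minotarproxy = {
  # … unchanged: description / wants / wantedBy …
  serviceConfig = {
    ExecStart = ''${depot.go.minotarproxy}/bin/minotarproxy --logtostderr --server_bind=92.118.29.225:443 --autocert_insecure_bind=92.118.29.225:80 --autocert_domain=minotarproxy.lukegb.xyz --outbound_bind="${builtins.concatStringsSep "," aliasIPs}" --autocert_cache_dir=/var/lib/minotarproxy'';
    User = "minotarproxy";
    Group = "minotarproxy";
    Restart = "always";
    # Persist the ACME cache across reboots instead of /run (tmpfs).
    StateDirectory = "minotarproxy";
    StateDirectoryMode = "0700";
    AmbientCapabilities = "CAP_NET_BIND_SERVICE";
    CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";
    NoNewPrivileges = true;
    ProtectSystem = "strict";
    ProtectHome = true;
    PrivateTmp = true;
  };
};
# tmpfiles rule for /run/minotarproxy dropped
```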