ops/nixos: minotarproxy-as-a-lib
This commit is contained in:
parent
841d9c7fc1
commit
606ff984eb
4 changed files with 89 additions and 24 deletions
|
@ -6,12 +6,11 @@
|
|||
let
|
||||
inherit (depot.ops) secrets;
|
||||
machineSecrets = secrets.machineSpecific.clouvider-lon01;
|
||||
|
||||
aliasIPs = map (n: "92.118.29.${toString n}") (lib.range 1 253);
|
||||
in {
|
||||
imports = [
|
||||
../lib/zfs.nix
|
||||
../lib/bgp.nix
|
||||
../lib/minotarproxy.nix
|
||||
../lib/whitby-distributed.nix
|
||||
../lib/macmini-distributed.nix
|
||||
../lib/quotes.bfob.gg.nix
|
||||
|
@ -112,8 +111,7 @@ in {
|
|||
ipv6.addresses = [{ address = "2a0a:54c0:0:17::2"; prefixLength = 126; }];
|
||||
};
|
||||
interfaces.lo = {
|
||||
ipv4.addresses = [{ address = "127.0.0.1"; prefixLength = 8; }] ++ (
|
||||
map (address: { inherit address; prefixLength = 32; }) aliasIPs);
|
||||
ipv4.addresses = [{ address = "127.0.0.1"; prefixLength = 8; }];
|
||||
ipv6.addresses = [{ address = "::1"; prefixLength = 128; }];
|
||||
};
|
||||
firewall = {
|
||||
|
@ -151,9 +149,6 @@ in {
|
|||
|
||||
users.users = {
|
||||
lukegb.extraGroups = [ "bird2" ];
|
||||
minotarproxy = {
|
||||
isSystemUser = true;
|
||||
};
|
||||
};
|
||||
users.groups = {
|
||||
znc-acme = {
|
||||
|
@ -225,20 +220,6 @@ in {
|
|||
};
|
||||
};
|
||||
|
||||
systemd.services.minotarproxy = {
|
||||
description = "Minotar proxy";
|
||||
wants = ["network-online.target"];
|
||||
wantedBy = ["multi-user.target"];
|
||||
serviceConfig = {
|
||||
ExecStart = ''${depot.go.minotarproxy}/bin/minotarproxy --logtostderr --server_bind=92.118.29.225:443 --autocert_insecure_bind=92.118.29.225:80 --autocert_domain=minotarproxy.lukegb.xyz --outbound_bind="${builtins.concatStringsSep "," aliasIPs}" --autocert_cache_dir=/run/minotarproxy'';
|
||||
User = "minotarproxy";
|
||||
Restart = "always";
|
||||
AmbientCapabilities = "CAP_NET_BIND_SERVICE";
|
||||
};
|
||||
};
|
||||
systemd.tmpfiles.rules = [
|
||||
"d /run/minotarproxy 0700 minotarproxy - -"
|
||||
];
|
||||
systemd.mounts = let
|
||||
bindMount' = dir: {
|
||||
unitConfig.RequiresMountsFor = dir;
|
||||
|
|
|
@ -5,11 +5,14 @@
|
|||
{ depot, lib, pkgs, rebuilder, config, ... }:
|
||||
let
|
||||
inherit (depot.ops) secrets;
|
||||
machineSecrets = secrets.machineSpecific.frantech-nyc01;
|
||||
in {
|
||||
imports = [
|
||||
../../../third_party/nixpkgs/nixos/modules/profiles/qemu-guest.nix
|
||||
../lib/low-space.nix
|
||||
../lib/coredns/default.nix
|
||||
../lib/bgp.nix
|
||||
../lib/minotarproxy.nix
|
||||
];
|
||||
|
||||
boot.initrd.availableKernelModules = [
|
||||
|
@ -66,5 +69,37 @@ in {
|
|||
};
|
||||
my.ip.tailscale = "100.99.236.25";
|
||||
|
||||
services.lukegbgp = let local = {
|
||||
asn = 205479;
|
||||
}; in {
|
||||
enable = true;
|
||||
config = {
|
||||
local = {
|
||||
routerID = "199.195.254.60";
|
||||
};
|
||||
export = {
|
||||
v4 = ["92.118.29.0/24"];
|
||||
};
|
||||
peering = {
|
||||
frantech = {
|
||||
local = local // {
|
||||
v4 = "199.195.254.60";
|
||||
v6 = "2605:6400:10:c77::1";
|
||||
};
|
||||
remote = {
|
||||
asn = 53667;
|
||||
export_community = 4000;
|
||||
routers = [{
|
||||
v4 = "169.254.169.179";
|
||||
v6 = "2605:6400:ffff::2";
|
||||
multihop = 2;
|
||||
password = machineSecrets.bgpPassword;
|
||||
}];
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
system.stateVersion = "21.05";
|
||||
}
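Review bot: The new peering block sets `password = machineSecrets.bgpPassword;` but nothing here says that the string is consumed at Nix evaluation time and rendered verbatim into the BIRD configuration by `../lib/bgp.nix`, so a reader may assume it is loaded at runtime; a one-line comment on that line, `# Evaluated at build time and rendered verbatim into the BIRD config by ../lib/bgp.nix.`, would make the contract explicit. Together with the `../lib/minotarproxy.nix` import added in the first hunk, this host now both announces 92.118.29.0/24 and itself listens on 92.118.29.225:80/443 with those ports opened in the firewall; if clouvider-lon01 announces the same prefix (its file imports the same module and previously held the same alias IPs), the service becomes anycast, which deserves a comment at the top of `services.lukegbgp` such as `# Anycast origin for 92.118.29.0/24 (shared with clouvider-lon01).` Only `export.v4` is set while the generator also emits a `_6` session for the `frantech` router; whether an unset `export.v6` is tolerated is decided outside this hunk.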
|
||||
|
|
|
@ -21,12 +21,18 @@ let
|
|||
export all;
|
||||
};
|
||||
'' + lib.concatImapStringsSep "\n" ( i: v: generateSnippetForRouter (args // { routerNum = i; router = v; }) ) ix.remote.routers;
|
||||
enabledSnippet = { enabled ? true, ... }: "disabled ${if enabled then "off" else "on"}";
|
||||
enabledSnippet = { enabled ? true, ... }: "disabled ${if enabled then "off" else "on"};";
|
||||
passwordSnippet = { password ? null, ... }: if password == null then "# no password" else "password \"${password}\";";
|
||||
multihopSnippet = { multihop ? null, ... }: if multihop == null then "# not multihop" else "multihop ${toString multihop};";
|
||||
generateSnippetForRouter = { ixName, ix, routerNum, router, ... }: ''
|
||||
protocol bgp ${ixName}${toString routerNum}_4 {
|
||||
${enabledSnippet router};
|
||||
${enabledSnippet router}
|
||||
${passwordSnippet router}
|
||||
${multihopSnippet router}
|
||||
local ${ix.local.v4} as ${toString ix.local.asn};
|
||||
neighbor ${router.v4} as ${toString ix.remote.asn};
|
||||
graceful restart on;
|
||||
long lived graceful restart on;
|
||||
ipv4 {
|
||||
table ${ixName}4;
|
||||
import all;
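Review bot: `passwordSnippet` splices the secret into the BIRD config with no escaping, so a password containing `"` (or `\`, if this BIRD build honours backslash escapes) either breaks the generated file or terminates the string literal early and turns the remainder into config text; since the option is `nullOr str` only strings need handling, so either escape it, `password \"${lib.escape [ "\"" "\\" ] password}\";`, or reject such values up front with `assert !(lib.hasInfix "\"" password);` if the BIRD version in use does not support escapes. Separately, the value comes from `machineSecrets` at Nix evaluation time; if the rendered config is written with `pkgs.writeText` or similar (the enclosing `let` starts before this hunk, so I cannot see how it is materialised) the BGP MD5 password becomes world-readable under /nix/store on every host, and having BIRD `include` a runtime-deployed file would avoid that. The new `password` and `multihop` options in the later hunk would also benefit from a `description` stating that the value is rendered verbatim into the BIRD config.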
|
||||
|
@ -34,9 +40,13 @@ let
|
|||
};
|
||||
};
|
||||
protocol bgp ${ixName}${toString routerNum}_6 {
|
||||
${enabledSnippet router};
|
||||
${enabledSnippet router}
|
||||
${passwordSnippet router}
|
||||
${multihopSnippet router}
|
||||
local ${ix.local.v6} as ${toString ix.local.asn};
|
||||
neighbor ${router.v6} as ${toString ix.remote.asn};
|
||||
graceful restart on;
|
||||
long lived graceful restart on;
|
||||
ipv6 {
|
||||
table ${ixName}6;
|
||||
import all;
|
||||
|
@ -104,6 +114,14 @@ in {
|
|||
v6 = mkOption { # lukegbgp.config.peering.<foo>.remote.routers.<n>.v6
|
||||
type = str;
|
||||
};
|
||||
multihop = mkOption { # lukegbgp.config.peering.<foo>.remote.routers.<n>.multihop
|
||||
type = nullOr int;
|
||||
default = null;
|
||||
};
|
||||
password = mkOption { # lukegbgp.config.peering.<foo>.remote.routers.<n>.password
|
||||
type = nullOr str;
|
||||
default = null;
|
||||
};
|
||||
};
|
||||
});
|
||||
};
|
||||
|
|
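--- /dev/null
+++ b/ops/nixos/lib/minotarproxy.nix
@@ -0,0 +1,31 @@
+# SPDX-FileCopyrightText: 2021 Luke Granger-Brown <depot@lukegb.com>
+#
+# SPDX-License-Identifier: Apache-2.0
+
+{ depot, lib, ... }:
+let
+aliasIPs = map (n: "92.118.29.${toString n}") (lib.range 1 253);
+in {
+networking.interfaces.lo.ipv4.addresses = (
+map (address: { inherit address; prefixLength = 32; }) aliasIPs);
+networking.firewall.allowedTCPPorts = [
+80 443
+];
+
+users.users.minotarproxy.isSystemUser = true;
+
+systemd.services.minotarproxy = {
+description = "Minotar proxy";
+wants = ["network-online.target"];
+wantedBy = ["multi-user.target"];
+serviceConfig = {
+ExecStart = ''${depot.go.minotarproxy}/bin/minotarproxy --logtostderr --server_bind=92.118.29.225:443 --autocert_insecure_bind=92.118.29.225:80 --autocert_domain=minotarproxy.lukegb.xyz --outbound_bind="${builtins.concatStringsSep "," aliasIPs}" --autocert_cache_dir=/run/minotarproxy'';
+User = "minotarproxy";
+Restart = "always";
+AmbientCapabilities = "CAP_NET_BIND_SERVICE";
+};
+};
+systemd.tmpfiles.rules = [
+"d /run/minotarproxy 0700 minotarproxy - -"
+];
+}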
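Review bot: `--autocert_cache_dir=/run/minotarproxy` points the ACME cache at a tmpfs directory created by the tmpfiles rule, so every reboot discards the issued certificate (and, if the cache holds the account and certificate private keys as autocert caches usually do, the key material) and re-requests one for minotarproxy.lukegb.xyz, which burns Let's Encrypt issuance quota across the hosts that now import this module; a persistent, 0700 `StateDirectory` is the right home for it. Because this module is imported by both clouvider-lon01 and frantech-nyc01 and the latter exports 92.118.29.0/24, the HTTP-01 answer on 92.118.29.225:80 may be served by whichever node is nearer the validator, so each node keeps its own cache and must tolerate validation landing on the other — worth a comment at the top of the module, e.g. `# Anycast: every importer binds 92.118.29.0/24 on lo and serves the proxy on .225; ACME challenges may reach either node.` The unit is an Internet-facing listener isolated only by `User=`; the rewrite below adds a dedicated group (the pinned nixpkgs may also require `group` for `isSystemUser`), the persistent state directory, and standard sandboxing while keeping the capability needed for ports 80/443.

```nix
users.users.minotarproxy = {
  isSystemUser = true;
  group = "minotarproxy";
};
users.groups.minotarproxy = {};

systemd.services.minotarproxy = {
  # … unchanged: description / wants / wantedBy …
  serviceConfig = {
    ExecStart = ''${depot.go.minotarproxy}/bin/minotarproxy --logtostderr --server_bind=92.118.29.225:443 --autocert_insecure_bind=92.118.29.225:80 --autocert_domain=minotarproxy.lukegb.xyz --outbound_bind="${builtins.concatStringsSep "," aliasIPs}" --autocert_cache_dir=/var/lib/minotarproxy'';
    User = "minotarproxy";
    Group = "minotarproxy";
    Restart = "always";
    # ACME cache must survive reboots: /run is tmpfs.
    StateDirectory = "minotarproxy";
    StateDirectoryMode = "0700";
    AmbientCapabilities = "CAP_NET_BIND_SERVICE";
    CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";
    NoNewPrivileges = true;
    ProtectSystem = "strict";
    ProtectHome = true;
    PrivateTmp = true;
    RestrictAddressFamilies = "AF_INET AF_INET6";
  };
};
# systemd.tmpfiles.rules for /run/minotarproxy is no longer needed.
```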