diff --git a/ops/nixos/rexxar/bgp.nix b/ops/nixos/rexxar/bgp.nix
new file mode 100644
index 0000000000..2806940bb0
--- /dev/null
+++ b/ops/nixos/rexxar/bgp.nix
@@ -0,0 +1,244 @@
+# SPDX-FileCopyrightText: 2024 Luke Granger-Brown
+#
+# SPDX-License-Identifier: Apache-2.0
+
+{ depot, lib, pkgs, config, ... }:
+{
+ imports = [
+ ../lib/bgp.nix
+ ];
+
+ services.lukegbgp = let
+ local.asn = 205479;
+ in {
+ enable = true;
+ config = {
+ local = {
+ routerID = "195.74.55.21";
+ };
+ export.v4 = [ ];
+ export.v6 = [ ];
+
+ peering = let
+ base = [{
+ local.asn = 205479;
+ }];
+ link.velox1 = base ++ [{
+ local.v4 = "195.74.55.21";
+ local.v6 = "2a03:ee40:8080:9:1::2";
+ }];
+ link.velox2 = base ++ [{
+ local.v4 = "195.74.55.23";
+ local.v6 = "2a03:ee40:8080:9:1::2";
+ }];
+ link.linx = base ++ [{
+ local.v4 = "195.66.224.58";
+ local.v6 = "2001:7f8:4::3:22a7:1";
+ }];
+ peer.velox.remote = {
+ asn = 3170;
+ export_community = 4001;
+ bgp_local_pref = 101;
+ };
+ in {
+ veloxserv1 = lib.mkMerge (link.velox1 ++ [peer.velox {
+ remote.routers = [{
+ enabled = true;
+ v4 = "195.74.55.20";
+ v6 = "2a03:ee40:8080:9:1::1";
+ }];
+ }]);
+ veloxserv2 = lib.mkMerge (link.velox2 ++ [peer.velox {
+ remote.routers = [{
+ enabled = false;
+ v4 = "195.74.55.22";
+ v6 = "2a03:ee40:8080:9:2::1";
+ }];
+ }]);
+ linxcollector = lib.mkMerge (link.linx ++ [{
+ remote = {
+ asn = 5459;
+ export_community = 5000;
+ routers = [{
+ enabled = true;
+ v4 = "195.66.224.254";
+ v6 = "2001:7f8:4::1553:1";
+ }];
+ prefix_limit.v4 = 0;
+ prefix_limit.v6 = 0;
+ is_route_collector = false;
+ };
+ }]);
+ linx = lib.mkMerge (link.linx ++ [{
+ remote = {
+ asn = 8714;
+ export_community = 5001;
+ routers = [{
+ enabled = true;
+ v4 = "195.66.225.230";
+ v6 = "2001:7f8:4::220a:1";
+ } {
+ enabled = true;
+ v4 = "195.66.225.231";
+ v6 = "2001:7f8:4::220a:2";
+ }];
+ bgp_local_pref = 109;
+ must_be_next_hop = false;
+ };
+ }]);
+ facebook = lib.mkMerge (link.linx ++ [{
+ remote = {
+ asn = 32934;
+ export_community = 5002;
+ routers = [{
+ enabled = true;
+ v4 = "195.66.225.69";
+ v6 = "2001:7f8:4::80a6:1";
+ } {
+ enabled = true;
+ v4 = "195.66.225.121";
+ v6 = 
"2001:7f8:4::80a6:2";
+ } {
+ enabled = true;
+ v4 = "195.66.227.19";
+ v6 = "2001:7f8:4::80a6:5";
+ } {
+ enabled = true;
+ v4 = "195.66.226.140";
+ v6 = "2001:7f8:4::80a6:3";
+ }];
+ bgp_local_pref = 120;
+ prefix_limit.v4 = 100;
+ prefix_limit.v6 = 100;
+ };
+ }]);
+ openpeering = lib.mkMerge (link.linx ++ [{
+ remote = {
+ asn = 20562;
+ export_community = 5003;
+ passive = true; # pending
+ routers = [{
+ enabled = true;
+ v4 = "195.66.225.53";
+ v6 = "2001:7f8:4::5052:1";
+ }];
+ bgp_local_pref = 110;
+ prefix_limit.v4 = 16000;
+ prefix_limit.v6 = 3000;
+ };
+ }]);
+ freetransitnet = lib.mkMerge (link.linx ++ [{
+ remote = {
+ asn = 212895;
+ export_community = 5004;
+ passive = true; # pending v6
+ bgp_local_pref = 100;
+ routers = [{
+ enabled = true;
+ v4 = "195.66.225.105";
+ v6 = "2001:7f8:4::3:3f9f:2";
+ }];
+ };
+ }]);
+ he = lib.mkMerge (link.linx ++ [{
+ remote = {
+ asn = 6939;
+ export_community = 5005;
+ routers = [{
+ enabled = true;
+ v4 = "195.66.224.21";
+ v6 = "2001:7f8:4::1b1b:1";
+ }];
+ bgp_local_pref = 108;
+ prefix_limit.v4 = 176000;
+ prefix_limit.v6 = 156000;
+ };
+ }]);
+ clouvider = lib.mkMerge (link.linx ++ [{
+ remote = {
+ asn = 62240;
+ export_community = 5006;
+ passive = true; # pending
+ routers = [{
+ enabled = true;
+ v4 = "195.66.227.14";
+ v6 = "2001:7f8:4::f320:1";
+ }];
+ bgp_local_pref = 120;
+ prefix_limit.v4 = 1000;
+ prefix_limit.v6 = 1000;
+ };
+ }]);
+ google = lib.mkMerge (link.linx ++ [{
+ remote = {
+ asn = 15169;
+ export_community = 5007;
+ routers = [{
+ enabled = true;
+ v4 = "195.66.224.125";
+ v6 = "2001:7f8:4::3b41:1";
+ }];
+ bgp_local_pref = 120;
+ prefix_limit.v4 = 15000;
+ prefix_limit.v6 = 10000;
+ };
+ }]);
+ cloudflare = lib.mkMerge (link.linx ++ [{
+ remote = {
+ asn = 13335;
+ export_community = 5008;
+ routers = [{
+ enabled = true;
+ v4 = "195.66.225.179";
+ v6 = "2001:7f8:4::3417:1";
+ } {
+ enabled = true;
+ v4 = "195.66.227.207";
+ v6 = "2001:7f8:4::3417:2";
+ }];
+ bgp_local_pref = 120;
+ 
prefix_limit.v4 = 20000; + prefix_limit.v6 = 2000; + }; + }]); + fastly = lib.mkMerge (link.linx ++ [{ + remote = { + asn = 54113; + export_community = 5009; + routers = [{ + enabled = true; + v4 = "195.66.225.91"; + v6 = "2001:7f8:4::d361:1"; + } { + enabled = true; + v4 = "195.66.227.114"; + v6 = "2001:7f8:4::d361:2"; + }]; + bgp_local_pref = 120; + prefix_limit.v4 = 250; + prefix_limit.v6 = 250; + }; + }]); + ovh = lib.mkMerge (link.linx ++ [{ + remote = { + asn = 16276; + export_community = 5010; + passive = true; # pending + routers = [{ + enabled = true; + v4 = "195.66.224.220"; + v6 = "2001:7f8:4::3f94:1"; + } { + enabled = true; + v4 = "195.66.225.6"; + v6 = "2001:7f8:4::3f94:2"; + }]; + bgp_local_pref = 120; + prefix_limit.v4 = 1000; + prefix_limit.v6 = 200; + }; + }]); + }; + }; + }; +} diff --git a/ops/nixos/rexxar/default.nix b/ops/nixos/rexxar/default.nix index 8fe646fd2b..66b289198a 100644 --- a/ops/nixos/rexxar/default.nix +++ b/ops/nixos/rexxar/default.nix @@ -6,6 +6,7 @@ { imports = [ ../lib/zfs.nix + ./bgp.nix ../lib/bgp.nix ../lib/gitlab-runner-cacher.nix #../lib/nixbuild-distributed.nix # error: build of '/nix/store/3r7456yr8r9g4fl7w6xbgqlbsdjwfvr4-stdlib-pkgs.json.drv' on 'ssh://eu.nixbuild.net' failed: unexpected: Built outputs are invalid @@ -214,6 +215,16 @@ (bindMountSvc "/var/lib/libvirt" "libvirt.service") ]; + boot.kernel.sysctl = { + "net.ipv4.ip_forward" = 1; + "net.ipv6.conf.all.forwarding" = 1; + + "net.ipv4.conf.vl-linx.arp_announce" = 1; + "net.ipv4.conf.vl-linx.arp_ignore" = 1; + "net.ipv4.neigh.vl-linx.base_reachable_time_ms" = 14400000; + "net.ipv6.neigh.vl-linx.base_reachable_time_ms" = 14400000; + }; + boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; system.stateVersion = "24.05";
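Review bot: The `linx` (AS8714 route servers) and `freetransitnet` (AS212895) sessions are the only peers in `peering` that set no `prefix_limit.v4`/`prefix_limit.v6`, so unless `../lib/bgp.nix` (outside this diff) supplies a default, anything those sessions announce is accepted without bound — and the route-server session is exactly where a leak by any other exchange participant would arrive. Give them explicit limits like every other peer, e.g. `prefix_limit.v4 = <expected v4 routes plus headroom>; prefix_limit.v6 = <expected v6 routes plus headroom>;`. Separately, `link.velox2` sets `local.v6 = "2a03:ee40:8080:9:1::2"`, identical to `link.velox1`, while its remote router is `2a03:ee40:8080:9:2::1`; by analogy with the v4 pairing (.23 local / .22 remote) this looks like it belongs on the `2a03:ee40:8080:9:2::` link, although the session is `enabled = false` for now. A one-line comment on `linxcollector` saying why `prefix_limit` is 0 on both families yet `is_route_collector = false` would also help the next reader, since the two settings read as contradictory without knowing what the option does.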
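Review bot: `net.ipv4.ip_forward = 1` and `net.ipv6.conf.all.forwarding = 1` make the whole host forward between all of its interfaces, including the exchange-facing `vl-linx`, and nothing in this hunk limits which interfaces may forward to which; the forwarding policy lives elsewhere (if at all), so it should be confirmed and pointed to with a comment such as `# Forwarding is required for the BGP sessions in ./bgp.nix; traffic between vl-linx and the other interfaces is restricted by <firewall config file>`. Setting IPv6 `forwarding=1` also makes the kernel stop accepting router advertisements unless `accept_ra` is 2 on an interface, so any interface on this host that relies on SLAAC for its address or default route may silently lose it. The per-interface keys `net.ipv4.conf.vl-linx.*` and `net.*.neigh.vl-linx.*` can only be written once `vl-linx` exists; it is worth checking on the host that the 14400000 ms reachable time is actually in effect after boot rather than assuming the boot-time sysctl pass ran after the VLAN device was created.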