ops/nixos: decommission virgin media

This commit is contained in:
Luke Granger-Brown 2022-04-15 23:42:05 +01:00
parent 75d3386cd2
commit 784324fd20
2 changed files with 1 additions and 53 deletions


@ -128,13 +128,6 @@ in {
};
in {
enable = true;
interfaces.wg-swann-vm = swannBase // {
ips = [
"2a09:a442::1:2/112"
"92.118.30.1/31"
];
listenPort = 51820;
};
interfaces.wg-swann-ee = swannBase // {
ips = [
"2a09:a442::2:2/112"
@ -175,10 +168,6 @@ in {
protocol static export4 {
ipv4 {};
route 92.118.30.0/24 via 92.118.30.0 bfd {
# Virgin Media
preference = 100;
};
route 92.118.30.0/24 via 92.118.30.2 bfd {
# EE
preference = 10;
@ -211,8 +200,6 @@ in {
idle tx interval 1s;
multiplier 20;
};
neighbor 92.118.30.0;
neighbor 2a09:a442::1:1;
neighbor 92.118.30.2;
neighbor 2a09:a442::2:1;
neighbor 92.118.30.4;
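Review bot: The wg-swann-vm listener on UDP 51820 is removed in the first hunk, but this file section shows no matching firewall change on this host; if this configuration opens 51820 (or BFD 3784 on wg-swann-vm) anywhere, those allows should be dropped in the same commit so the host is not left with an open port for a tunnel that no longer exists — the second file in this commit does exactly that for its side with `interfaces.en-virginmedia.allowedUDPPorts` and `interfaces.wg-tuvok-vm.allowedUDPPorts`. Whether 51820 stays in use here depends on the listenPort of wg-swann-ee, which is cut off below the first hunk, so this is to be confirmed rather than assumed. The static-route and BFD-neighbor removals in the later two hunks line up with the interface removal; note the deleted Virgin Media route carried preference 100 against the EE route's 10, so which path `export4` prefers for 92.118.30.0/24 now depends on the entries that follow in that protocol block, which lie outside the hunk. The `in { ... }` attribute set enclosing all three hunks starts and ends outside them.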


@ -42,7 +42,6 @@ in {
networking = {
# Routing tables:
# bgp (150) -- contains default routes over WG tunnels
# wg-vm (151) -- contains default routes over WG tunnels
# wg-ee (152) -- contains default routes over WG tunnels
# wg-gnet (153) -- contains default routes over WG tunnels
# ee (201) -- table contains a default route via EE
@ -62,10 +61,6 @@ in {
{ address = "92.118.30.253"; prefixLength = 32; }
];
};
en-virginmedia = {
useDHCP = true;
macAddress = "e4:3a:6e:16:07:61";
};
en-gnet = {
useDHCP = true;
ipv4.addresses = [
@ -205,23 +200,14 @@ in {
in let
routeTables = {
bgp = 150;
wg-vm = 151;
wg-ee = 152;
wg-gnet = 153;
ee = 201;
vm = 202;
gnet = 203;
};
in {
enable = true;
config.routeTables = routeTables;
networks."50-wg-tuvok-vm" = wireguardNetwork {
linkName = "wg-tuvok-vm";
relativePriority = 2;
rtID = routeTables.wg-vm;
v4Linknet = "92.118.30.0";
v6Linknet = "2a09:a442::1:1";
};
networks."50-wg-tuvok-ee" = wireguardNetwork {
linkName = "wg-tuvok-ee";
relativePriority = 3;
@ -298,9 +284,6 @@ in {
}]) // {
linkConfig.RequiredForOnline = "no";
};
networks."40-en-virginmedia" = (physicalNetwork routeTables.vm "0xbeef" []) // {
linkConfig.RequiredForOnline = "no";
};
networks."40-en-gnet" = (physicalNetwork routeTables.gnet "0xcafe" []);
networks."40-br-internal" = {
networkConfig.VLAN = [ "vl-eduroam" ];
@ -344,12 +327,6 @@ in {
publicKey = secrets.wireguard.tuvok-swann.tuvok.publicKey;
});
in {
"40-wg-tuvok-vm" = tuvokWireguard {
name = "wg-tuvok-vm";
listenPort = 51820;
endpoint = "92.118.28.252:51820";
fwmark = "0xbeef";
};
"40-wg-tuvok-ee" = tuvokWireguard {
name = "wg-tuvok-ee";
listenPort = 51821;
@ -393,7 +370,6 @@ in {
services.mstpd.enable = true;
my.ip.tailscale = "100.102.224.95";
services.udev.extraRules = ''
ATTR{address}=="e4:3a:6e:16:07:62", DRIVERS=="?*", NAME="en-virginmedia"
ATTR{address}=="e4:3a:6e:16:07:63", DRIVERS=="?*", NAME="en-ee"
ATTR{address}=="e4:3a:6e:16:07:64", DRIVERS=="?*", NAME="en-gnet"
ATTR{address}=="e4:3a:6e:16:07:67", DRIVERS=="?*", NAME="en-int-eth"
@ -403,14 +379,13 @@ in {
"net.ipv4.ip_forward" = "1";
"net.ipv6.conf.default.forwarding" = "1";
"net.ipv6.conf.all.forwarding" = "1";
"net.ipv6.conf.en-virginmedia.accept_ra" = "2";
"net.ipv6.conf.en-ee.accept_ra" = "2";
"net.ipv6.conf.en-gnet.accept_ra" = "2";
};
networking.nat = {
enable = true;
internalInterfaces = ["br-internal"];
externalInterface = "en-virginmedia";
externalInterface = "en-gnet";
extraCommands = ''
# Send PS5 RTMP to totoro instead.
# See DHCP static lease.
@ -423,7 +398,6 @@ in {
iptables -w -t nat -A nixos-nat-post -m mark --mark 1 -o en-gnet -j MASQUERADE
# SNAT packets we're sending over tunnels.
iptables -w -t nat -A nixos-nat-post -m mark --mark 1 -o wg-tuvok-vm -j SNAT --to-source 92.118.30.254
iptables -w -t nat -A nixos-nat-post -m mark --mark 1 -o wg-tuvok-ee -j SNAT --to-source 92.118.30.254
iptables -w -t nat -A nixos-nat-post -m mark --mark 1 -o wg-tuvok-gnet -j SNAT --to-source 92.118.30.254
@ -431,11 +405,9 @@ in {
# > mark incoming eduroam packets
iptables -w -t nat -A nixos-nat-pre -i vl-eduroam -j MARK --set-mark 2
# > NAT packets going out directly.
iptables -w -t nat -A nixos-nat-post -m mark --mark 2 -o en-virginmedia -j MASQUERADE
iptables -w -t nat -A nixos-nat-post -m mark --mark 2 -o en-ee -j MASQUERADE
iptables -w -t nat -A nixos-nat-post -m mark --mark 2 -o en-gnet -j MASQUERADE
# > NAT packets going over tunnels.
iptables -w -t nat -A nixos-nat-post -m mark --mark 2 -o wg-tuvok-vm -j SNAT --to-source 92.118.30.253
iptables -w -t nat -A nixos-nat-post -m mark --mark 2 -o wg-tuvok-ee -j SNAT --to-source 92.118.30.253
iptables -w -t nat -A nixos-nat-post -m mark --mark 2 -o wg-tuvok-gnet -j SNAT --to-source 92.118.30.253
'';
@ -547,11 +519,6 @@ in {
53 # DNS
];
};
interfaces.en-virginmedia = {
allowedUDPPorts = [
51820
];
};
interfaces.en-ee = {
allowedUDPPorts = [
51821
@ -567,11 +534,6 @@ in {
3784 # BFD
];
};
interfaces.wg-tuvok-vm = {
allowedUDPPorts = [
3784 # BFD
];
};
interfaces.wg-tuvok-gnet = {
allowedUDPPorts = [
3784 # BFD
@ -587,7 +549,6 @@ in {
ip6tables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1360
ip46tables -A FORWARD -i vl-eduroam -o wg-tuvok-ee -j ACCEPT
ip46tables -A FORWARD -i vl-eduroam -o wg-tuvok-vm -j ACCEPT
ip46tables -A FORWARD -i vl-eduroam -o wg-tuvok-gnet -j ACCEPT
ip46tables -A FORWARD -i vl-eduroam -m state --state NEW,RELATED -j REJECT
'';