From ac63880ed734a0e20d6ac2163245d9889d9c5dc1 Mon Sep 17 00:00:00 2001 From: Luke Granger-Brown Date: Mon, 29 Mar 2021 23:24:57 +0100 Subject: [PATCH] ops/nixos: abstract into blade-router --- ops/nixos/blade-paris/default.nix | 105 +++------------------ ops/nixos/blade-tuvok/default.nix | 107 +++------------------ ops/nixos/lib/blade-router.nix | 150 ++++++++++++++++++++++++++++++ 3 files changed, 179 insertions(+), 183 deletions(-) create mode 100644 ops/nixos/lib/blade-router.nix diff --git a/ops/nixos/blade-paris/default.nix b/ops/nixos/blade-paris/default.nix index 2e19e0c050..082f9ea0e3 100644 --- a/ops/nixos/blade-paris/default.nix +++ b/ops/nixos/blade-paris/default.nix @@ -5,14 +5,6 @@ { depot, lib, pkgs, rebuilder, config, ... }: let inherit (depot.ops) secrets; - - internetAddresses = { - v4 = { local = "195.74.55.23"; remote = "195.74.55.22"; }; - v6 = { - local = "2a03:ee40:8080:9:2::2"; - remote = "2a03:ee40:8080:9:2::1"; - }; - }; in { imports = [ ../lib/blade.nix 
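Review bot: blade-paris sets `my.blade-router` later in this patch, but the only import visible in this hunk is `../lib/blade.nix`, and no hunk of this file adds `../lib/blade-router.nix` the way the blade-tuvok hunk swaps it in for `../lib/bgp.nix`. Since blade-router.nix is created by this commit, nothing could have imported it before; unless a line outside this hunk already does, evaluation of blade-paris will fail because the `my.blade-router` options are undeclared, and the BGP, keepalived and radvd configuration removed from this host would otherwise simply disappear. The imports list continues past the end of the hunk, so this needs checking against the rest of the file; the expected line is `../lib/blade-router.nix` next to `../lib/blade.nix`.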
@@ -21,53 +13,10 @@ in { boot.loader.grub.device = "/dev/disk/by-id/usb-USB_SanDisk_3.2Gen1_0101da58c052a35c497ff39f7bd33f46a018bf2f2cd4503e52a89df5e552da8d661f000000000000000000005e0619e7ff90240091558107b6a8e58d-0:0"; - services.lukegbgp = { - enable = true; - config = { - local.routerID = internetAddresses.v4.local; - peering.veloxserv = { - local = { - asn = 205479; - v4 = internetAddresses.v4.local; - v6 = internetAddresses.v6.local; - }; - remote = { - asn = 3170; - export_community = 4001; - routers = [{ v4 = internetAddresses.v4.remote; v6 = internetAddresses.v6.remote; }]; - }; - }; - export.v4 = [ "92.118.28.0/24" ]; - export.v6 = [ "2a09:a441::/32" ]; - }; - }; - # Networking! networking = { hostName = "blade-paris"; hostId = "41b2a198"; - interfaces.br-public.ipv4.addresses = [{ - address = "92.118.28.254"; - prefixLength = 24; - }]; - interfaces.br-public.ipv6.addresses = [{ - address = "2a09:a441::ffff"; - prefixLength = 48; - }]; - interfaces.en-internet.ipv4.addresses = [{ - address = internetAddresses.v4.local; - prefixLength = 31; - }]; - interfaces.en-internet.ipv6.addresses = [{ - address = internetAddresses.v6.local; - prefixLength = 126; - }]; - defaultGateway = internetAddresses.v4.remote; - defaultGateway6 = internetAddresses.v6.remote; - firewall.extraCommands = '' - iptables -A INPUT -p vrrp -i br-mgmt -j ACCEPT - ip6tables -A INPUT -p vrrp -i br-mgmt -j ACCEPT - ''; }; my.ip.tailscale = "100.117.185.118"; my.blade.bay = 2; 
@@ -86,46 +35,20 @@ in { }; }; - services.keepalived = let - mgmtBase = { - interface = "br-mgmt"; - state = "MASTER"; - priority = 100; - }; - in { - enable = true; - vrrpInstances.mgmtGateway = mgmtBase // { - virtualIps = [ - { addr = "10.100.0.1/23"; } - { addr = "92.118.28.1/24"; dev = "br-public"; } - ]; - virtualRouterId = 1; - }; - vrrpInstances.mgmtGateway6 = mgmtBase // { - virtualIps = [ - { addr = "fe80::f00f/64"; dev = "br-public"; } - { addr = "2a09:a441::/48"; dev = "br-public"; } - ]; - virtualRouterId = 2; - }; - }; - - services.radvd = { - enable = true; - config = '' - interface br-public { - AdvSendAdvert on; - MinRtrAdvInterval 30; - MaxRtrAdvInterval 100; - AdvRASrcAddress { - fe80::f00f; - }; - prefix 2a09:a441:ffff:ffff::/64 { - AdvOnLink on; - AdvAutonomous on; - AdvRouterAddr off; - }; + my.blade-router = { + addresses.linknet = { + v4 = { local = "195.74.55.23"; remote = "195.74.55.22"; }; + v6 = { + local = "2a03:ee40:8080:9:2::2"; + remote = "2a03:ee40:8080:9:2::1"; }; - ''; + }; + + addresses.br-public = { + v4.addr = "92.118.28.253"; + v6.addr = "2a09:a441::fffe"; + }; + + vrrp.priority = 50; }; } diff --git a/ops/nixos/blade-tuvok/default.nix b/ops/nixos/blade-tuvok/default.nix index 5b47e4a44b..374a9bd18f 100644 --- a/ops/nixos/blade-tuvok/default.nix +++ b/ops/nixos/blade-tuvok/default.nix 
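Review bot: The values in the new `my.blade-router` block are blade-tuvok's old ones, not this host's: the removed keepalived block ran blade-paris at `priority = 100` with `92.118.28.254`/`2a09:a441::ffff` on br-public, while the new block sets `92.118.28.253`, `2a09:a441::fffe` and `vrrp.priority = 50` (the blade-tuvok hunk takes the reverse). For a commit described as an abstraction this swaps which blade is the preferred VRRP master and exchanges the two hosts' static addresses, which is a behavioural change that should either be named in the commit message or reverted with `v4.addr = "92.118.28.254"; v6.addr = "2a09:a441::ffff";` and `vrrp.priority = 100;` here. The rest of the file's `my.*` settings lie outside this hunk, so I cannot tell whether anything else depends on which blade is master.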
@@ -5,71 +5,20 @@ { depot, lib, pkgs, rebuilder, config, ... }: let inherit (depot.ops) secrets; - - internetAddresses = { - v4 = { local = "195.74.55.21"; remote = "195.74.55.20"; }; - v6 = { - local = "2a03:ee40:8080:9:1::2"; - remote = "2a03:ee40:8080:9:1::1"; - }; - }; in { imports = [ - ../lib/bgp.nix + ../lib/blade-router.nix ../lib/blade.nix ../lib/fup.nix ]; boot.loader.grub.device = "/dev/disk/by-id/usb-USB_SanDisk_3.2Gen1_0101cabb1ebdbdc0fd7b18edd207d43717c39c4a59d1b138b363e315841eca15743400000000000000000000443273100087260091558107b6a8e06e-0:0"; - services.lukegbgp = { - enable = true; - config = { - local.routerID = internetAddresses.v4.local; - peering.veloxserv = { - local = { - asn = 205479; - v4 = internetAddresses.v4.local; - v6 = internetAddresses.v6.local; - }; - remote = { - asn = 3170; - export_community = 4001; - routers = [{ v4 = internetAddresses.v4.remote; v6 = internetAddresses.v6.remote; }]; - }; - }; - export.v4 = [ "92.118.28.0/24" ]; - export.v6 = [ "2a09:a441::/32" ]; - }; - }; - # Networking! networking = { hostName = "blade-tuvok"; hostId = "525229f7"; - interfaces.br-public.ipv4.addresses = [{ - address = "92.118.28.253"; - prefixLength = 24; - }]; - interfaces.br-public.ipv6.addresses = [{ - address = "2a09:a441::fffe"; - prefixLength = 48; - }]; - interfaces.en-internet.ipv4.addresses = [{ - address = internetAddresses.v4.local; - prefixLength = 31; - }]; - interfaces.en-internet.ipv6.addresses = [{ - address = internetAddresses.v6.local; - prefixLength = 126; - }]; - defaultGateway = internetAddresses.v4.remote; - defaultGateway6 = internetAddresses.v6.remote; firewall.allowedTCPPorts = [ 80 443 ]; - firewall.extraCommands = '' - iptables -A INPUT -p vrrp -i br-mgmt -j ACCEPT - ip6tables -A INPUT -p vrrp -i br-mgmt -j ACCEPT - ''; }; my.ip.tailscale = "100.119.123.33"; my.blade.bay = 6; 
@@ -121,46 +70,20 @@ in { "0.0.0.0" "[::]" ]; - services.keepalived = let - mgmtBase = { - interface = "br-mgmt"; - state = "MASTER"; - priority = 50; - }; - in { - enable = true; - vrrpInstances.mgmtGateway = mgmtBase // { - virtualIps = [ - { addr = "10.100.0.1/23"; } - { addr = "92.118.28.1/24"; dev = "br-public"; } - ]; - virtualRouterId = 1; - }; - vrrpInstances.mgmtGateway6 = mgmtBase // { - virtualIps = [ - { addr = "fe80::f00f/64"; dev = "br-public"; } - { addr = "2a09:a441::/48"; dev = "br-public"; } - ]; - virtualRouterId = 2; - }; - }; - - services.radvd = { - enable = true; - config = '' - interface br-public { - AdvSendAdvert on; - MinRtrAdvInterval 30; - MaxRtrAdvInterval 100; - AdvRASrcAddress { - fe80::f00f; - }; - prefix 2a09:a441:ffff:ffff::/64 { - AdvOnLink on; - AdvAutonomous on; - AdvRouterAddr off; - }; + my.blade-router = { + addresses.linknet = { + v4 = { local = "195.74.55.21"; remote = "195.74.55.20"; }; + v6 = { + local = "2a03:ee40:8080:9:1::2"; + remote = "2a03:ee40:8080:9:1::1"; }; - ''; + }; + + addresses.br-public = { + v4.addr = "92.118.28.254"; + v6.addr = "2a09:a441::ffff"; + }; + + vrrp.priority = 100; }; } diff --git a/ops/nixos/lib/blade-router.nix b/ops/nixos/lib/blade-router.nix new file mode 100644 index 0000000000..43c4b515f6 --- /dev/null +++ b/ops/nixos/lib/blade-router.nix 
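Review bot: The static `v6.addr = "2a09:a441::ffff"` given to blade-tuvok here is also the module default for `addresses.br-public-vip.v6.addr` in blade-router.nix, whereas the removed keepalived block used `2a09:a441::/48` as the IPv6 VIP. While this host is VRRP master (it now has `vrrp.priority = 100`) the VIP merely duplicates its own address, but on failover blade-paris will bring up `2a09:a441::ffff` on br-public while it is still statically configured on blade-tuvok, so both blades end up claiming the same global address. Either the VIP default should return to the old `2a09:a441::`, or this host's static address should be one that no VIP uses; the v4 side does not have this problem because the VIP default `92.118.28.1` is distinct from both hosts' addresses.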
@@ -0,0 +1,150 @@ +# SPDX-FileCopyrightText: 2020 Luke Granger-Brown +# +# SPDX-License-Identifier: Apache-2.0 + +{ lib, ... }: +with lib; +{ + imports = [ + ../lib/bgp.nix + ]; + + options.my.blade-router = { + addresses.linknet.v4 = { + local = mkOption { type = types.str; }; + remote = mkOption { type = types.str; }; + prefixLength = mkOption { type = types.int; default = 31; }; + }; + addresses.linknet.v6 = { + local = mkOption { type = types.str; }; + remote = mkOption { type = types.str; }; + prefixLength = mkOption { type = types.int; default = 126; }; + }; + + addresses.br-public.v4 = { + addr = mkOption { type = types.str; }; + prefixLength = mkOption { type = types.int; default = 24; }; + }; + addresses.br-public.v6 = { + addr = mkOption { type = types.str; }; + prefixLength = mkOption { type = types.int; default = 48; }; + }; + + addresses.br-public-vip.v4 = { + addr = mkOption { type = types.str; default = "92.118.28.1"; }; + prefixLength = mkOption { type = types.int; default = 24; }; + }; + addresses.br-public-vip.v6 = { + addr = mkOption { type = types.str; default = "2a09:a441::ffff"; }; + prefixLength = mkOption { type = types.int; default = 48; }; + }; + addresses.br-public-vip.v6-ll = { + addr = mkOption { type = types.str; default = "fe80::f00f"; }; + prefixLength = mkOption { type = types.int; default = 64; }; + }; + + addresses.br-public-radvd-prefix = { + addr = mkOption { type = types.str; default = "2a09:a441:ffff:ffff::"; }; + prefixLength = mkOption { type = types.int; default = 64; }; + }; + + vrrp.priority = mkOption { type = types.int; }; + }; + + config = { + boot.kernel.sysctl."net.ipv4.ip_forward" = 1; + boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1; + + networking = { + interfaces.br-public.ipv4.addresses = [{ + address = config.my.blade-router.addresses.br-public.v4.addr; + prefixLength = config.my.blade-router.addresses.br-public.v4.prefixLength; + }]; + interfaces.br-public.ipv6.addresses = [{ + address = 
config.my.blade-router.addresses.br-public.v6.addr; + prefixLength = config.my.blade-router.addresses.br-public.v6.prefixLength; + }]; + interfaces.en-internet.ipv4.addresses = [{ + address = config.my.blade-router.addresses.linknet.v4.local; + prefixLength = config.my.blade-router.addresses.linknet.v4.prefixLength;; + }]; + interfaces.en-internet.ipv6.addresses = [{ + address = config.my.blade-router.addresses.linknet.v6.local; + prefixLength = config.my.blade-router.addresses.linknet.v6.prefixLength; + }]; + defaultGateway = config.my.blade-router.addresses.linknet.v4.remote; + defaultGateway6 = config.my.blade-router.addresses.linknet.v6.remote; + firewall.extraCommands = '' + iptables -A INPUT -p vrrp -i br-mgmt -j ACCEPT + ip6tables -A INPUT -p vrrp -i br-mgmt -j ACCEPT + ''; + }; + + services.lukegbgp = { + enable = true; + config = { + local.routerID = config.my.blade-router.addresses.linknet.v4.local; + peering.veloxserv = { + local = { + asn = 205479; + v4 = config.my.blade-router.addresses.linknet.v4.local; + v6 = config.my.blade-router.addresses.linknet.v6.local; + }; + remote = { + asn = 3170; + export_community = 4001; + routers = [{ + v4 = config.my.blade-router.addresses.linknet.v4.remote; + v6 = config.my.blade-router.addresses.linknet.v6.remote; + }]; + }; + }; + export.v4 = [ "92.118.28.0/24" ]; + export.v6 = [ "2a09:a441::/32" ]; + }; + }; + + services.keepalived = let + mgmtBase = { + interface = "br-mgmt"; + state = "MASTER"; + priority = config.my.blade-router.vrrp.priority; + }; + in { + enable = true; + vrrpInstances.mgmtGateway = mgmtBase // { + virtualIps = [ + { addr = "10.100.0.1/23"; } + { addr = "${config.my.blade-router.addresses.br-public-vip.v4.addr}/${toString config.my.blade-router.addresses.br-public-vip.v4.prefixLength}"; dev = "br-public"; } + ]; + virtualRouterId = 1; + }; + vrrpInstances.mgmtGateway6 = mgmtBase // { + virtualIps = [ + { addr = "${config.my.blade-router.addresses.br-public-vip.v6-ll.addr}/${toString 
config.my.blade-router.addresses.br-public-vip.v6-ll.prefixLength}"; dev = "br-public"; } + { addr = "${config.my.blade-router.addresses.br-public-vip.v6.addr}/${toString config.my.blade-router.addresses.br-public-vip.v6.prefixLength}"; dev = "br-public"; } + ]; + virtualRouterId = 2; + }; + }; + }; + + services.radvd = { + enable = true; + config = '' + interface br-public { + AdvSendAdvert on; + MinRtrAdvInterval 30; + MaxRtrAdvInterval 100; + AdvRASrcAddress { + ${config.my.blade-router.addresses.br-public-vip.v6-ll.addr}; + }; + prefix ${config.my.blade-router.addresses.br-public-radvd-prefix.addr}/${toString config.my.blade-router.addresses.br-public-radvd-prefix.prefixLength} { + AdvOnLink on; + AdvAutonomous on; + AdvRouterAddr off; + }; + }; + ''; + }; +}
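Review bot: `config` is read throughout the `config = { ... }` body (`config.my.blade-router...`) but the module header at the top of this hunk only binds `{ lib, ... }:`, so evaluation fails on an undefined variable; it should read `{ config, lib, ... }:`. Two more things in this file will stop evaluation before either host can be built: the `en-internet` IPv4 entry ends in `prefixLength = config.my.blade-router.addresses.linknet.v4.prefixLength;;` (a doubled semicolon, which Nix rejects), and `services.radvd` is declared after the `};` that closes `config`, as a sibling of `options` — once a module uses explicit `options`/`config` attributes the module system refuses extra top-level attributes, so the radvd block has to move inside `config` (delete the `};` before it and close `config` after it). Enabling `net.ipv4.ip_forward` and `net.ipv6.conf.all.forwarding` here without any FORWARD-chain rules means traffic between en-internet, br-public and br-mgmt (10.100.0.0/23) is forwarded unfiltered by the NixOS firewall, which only filters INPUT; I cannot see whether bgp.nix or blade.nix adds such rules, so that is worth confirming. The VRRP accept rule likewise admits VRRP from any source on br-mgmt, which keepalived does not authenticate, so a short comment such as `# br-mgmt is trusted: any host on it can win the VRRP election` would at least make the assumption explicit.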